Diffstat (limited to 'magic/Magdir')
75 files changed, 4515 insertions, 648 deletions
diff --git a/magic/Magdir/algol68 b/magic/Magdir/algol68 index 77016778ad78..1ca1fad2113c 100644 --- a/magic/Magdir/algol68 +++ b/magic/Magdir/algol68 @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: algol68,v 1.4 2021/08/15 06:00:55 christos Exp $ +# $File: algol68,v 1.6 2022/11/06 18:36:55 christos Exp $ # algol68: file(1) magic for Algol 68 source # # URL: https://en.wikipedia.org/wiki/ALGOL_68 @@ -9,14 +9,8 @@ 0 search/8192 (input, >0 use algol_68 # graph_2d.a68 -0 regex/4006 \^PROC -#>&-4 string x \b, dBase or Algol "%s" -# most xBase scripts *.prg with PROCEDURE like: Areacode BarCount Def_mens Vendors -#>&-4 string =PROCEDURE \b, dBase PROCEDURE -# skip xBase program scripts *.prg with PROCEDURE keyword -# keyword proc probably followed by white space used to specify algol procedures ->&-4 string !PROCEDURE ->>0 use algol_68 +0 regex/4006 \^PROC[[:space:]][a-zA-Z0-9_[:space:]]*[[:space:]]= +>0 use algol_68 0 regex/1024 \bMODE[\t\ ] >0 use algol_68 0 regex/1024 \bMODE[\t\ ] diff --git a/magic/Magdir/android b/magic/Magdir/android index 63296d0ecfc5..8a2dedf3d2d9 100644 --- a/magic/Magdir/android +++ b/magic/Magdir/android @@ -1,6 +1,6 @@ #------------------------------------------------------------ -# $File: android,v 1.19 2021/04/26 15:56:00 christos Exp $ +# $File: android,v 1.24 2023/02/20 16:51:59 christos Exp $ # Various android related magic entries #------------------------------------------------------------ @@ -180,7 +180,9 @@ # In include/androidfw/ResourceTypes.h: # RES_XML_TYPE = 0x0003 followed by the size of the header (ResXMLTree_header), # which is 8 bytes (2 bytes type + 2 bytes header size + 4 bytes size). +# The strength is increased to avoid misidentifying as Targa image data 0 lelong 0x00080003 Android binary XML +!:strength +1 # Android cryptfs footer # From https://android.googlesource.com/\ 
@@ -207,3 +209,51 @@ >8 string >000 dex section version: %s, >12 lelong >0 number of dex files: %d, >16 lelong >0 verifier deps size: %d + +# Disassembled DEX files +0 string/t .class\x20 +>&0 regex/512 \^\\.super\x20L.*;$ disassembled Android DEX Java class (smali/baksmali) +!:ext smali + +# Android ART (baseline) profile + metadata: baseline.prof, baseline.profm +# Reference: https://android.googlesource.com/platform/frameworks/support/\ +# +/refs/heads/androidx-main/profileinstaller/profileinstaller/\ +# src/main/java/androidx/profileinstaller/ProfileTranscoder.java +# Reference: https://android.googlesource.com/platform/frameworks/support/\ +# +/refs/heads/androidx-main/profileinstaller/profileinstaller/\ +# src/main/java/androidx/profileinstaller/ProfileVersion.java +0 string pro\x00 +>0 regex pro\x000[0-9][0-9]\x00 Android ART profile +!:ext prof +>>4 string 001\x00 \b, version 001 N +>>4 string 005\x00 \b, version 005 O +>>4 string 009\x00 \b, version 009 O MR1 +>>4 string 010\x00 \b, version 010 P +>>4 string 015\x00 \b, version 015 S +0 string prm\x00 +>0 regex prm\x000[0-9][0-9]\x00 Android ART profile metadata +!:ext profm +>>4 string 001\x00 \b, version 001 N +>>4 string 002\x00 \b, version 002 + +# Android package resource table (ARSC): resources.arsc +# Reference: https://android.googlesource.com/platform/tools/base/\ +# +/refs/heads/mirror-goog-studio-main/apkparser/binary-resources/\ +# src/main/java/com/google/devrel/gmscore/tools/apk/arsc +# 00: resource table type = 0x0002 (2) + header size = 12 (2) +# 04: chunk size (4, skipped) +# 08: #packages (4) +0 ulelong 0x000c0002 Android package resource table (ARSC) +!:ext arsc +>8 ulelong !1 \b, %d packages +# 12: string pool type = 0x0001 (2) + header size = 28 (2) +# 16: chunk size (4, skipped) +# 20: #strings (4), #styles (4), flags (4) +>12 ulelong 0x001c0001 +>>20 ulelong !0 \b, %d string(s) +>>24 ulelong !0 \b, %d style(s) +>>28 ulelong &1 \b, sorted +>>28 ulelong &256 \b, utf8 + +# extracted APK 
Signing Block +-16 string APK\x20Sig\x20Block\x2042 APK Signing Block diff --git a/magic/Magdir/animation b/magic/Magdir/animation index 057346518193..aab93ca34a6f 100644 --- a/magic/Magdir/animation +++ b/magic/Magdir/animation @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: animation,v 1.90 2022/08/16 11:16:39 christos Exp $ +# $File: animation,v 1.94 2023/06/16 20:06:50 christos Exp $ # animation: file(1) magic for animation/movie formats # # animation formats @@ -18,8 +18,8 @@ >12 string rmra \b multiple URLs 4 string mdat Apple QuickTime movie (unoptimized) !:mime video/quicktime -#4 string wide Apple QuickTime movie (unoptimized) -#!:mime video/quicktime +4 string wide Apple QuickTime movie (unoptimized) +!:mime video/quicktime #4 string skip Apple QuickTime movie (modified) #!:mime video/quicktime #4 string free Apple QuickTime movie (modified) @@ -37,6 +37,7 @@ 4 string ftyp ISO Media # https://aeroquartet.com/wordpress/2016/03/05/3-xavc-s/ >8 string XAVC \b, MPEG v4 system, Sony XAVC Codec +!:mime video/mp4 >>96 string x \b, Audio "%.4s" >>118 beshort x at %dHz >>140 string x \b, Video "%.4s" @@ -938,6 +939,15 @@ !:mime video/MP2T !:ext ts +# Blu-ray disc Audio-Video MPEG-2 transport stream +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://en.wikipedia.org/wiki/MPEG_transport_stream +# Note: similar to ISO 13818.1 but with 4 extra bytes per packets +4 belong&0xFF5FFF10 =0x47400010 +>196 byte =0x47 BDAV MPEG-2 Transport Stream (M2TS) +!:mime video/MP2T +!:ext m2ts/mts + # DIF digital video file format <mpruett@sgi.com> 0 belong&0xffffff00 0x1f070000 DIF !:mime video/x-dv 
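Review bot: The guard `>0 regex pro\x000[0-9][0-9]\x00` in the new Android ART profile entry (and its `prm\x00` twin for profile metadata) puts NUL bytes inside a regex. If the pattern reaches the regex library as a NUL-terminated string, which looks likely but is not visible from this hunk, everything after the first `\x00` is dropped and the test reduces to `pro`, so any file that begins with `pro\0` would be reported as an ART profile with extension `prof`. Testing the digits at their own offset avoids the embedded NUL, for example `>4 regex \^0[0-9][0-9]` followed by `>>7 byte 0`, with the description and the version lines nested under that.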
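Review bot: Re-enabling `4 string wide` in the animation hunk @@ -18,8 +18,8 @@ makes four ASCII letters of a common English word the entire signature, so a text file whose bytes 4–7 happen to read `wide` would be reported as `video/quicktime`. Anything that routes or filters files on the reported MIME type inherits that false positive, and the hunk gives no reason why the line was commented out before. A guard on the atom size at offset 0 would narrow it; as far as I know the `wide` placeholder atom is a bare 8-byte header, which would give `4 string wide` followed by `>0 ubelong 8 Apple QuickTime movie (unoptimized)` — worth confirming against real samples first.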
@@ -1185,3 +1195,12 @@ >30 lelong x \b, height: %d >34 lelong x \b, %d bit >38 lelong x \b, frames: %d + +# https://wiki.multimedia.cx/index.php/Duck_IVF +0 string DKIF Duck IVF video file +!:mime video/x-ivf +>4 leshort >0 \b, version %d +>8 string x \b, codec %s +>12 leshort x \b, %d +>14 leshort x \bx%d +>24 lelong >0 \b, %d frames diff --git a/magic/Magdir/apple b/magic/Magdir/apple index 4b249bf8a327..547b0ac20aba 100644 --- a/magic/Magdir/apple +++ b/magic/Magdir/apple @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: apple,v 1.45 2021/04/26 15:56:00 christos Exp $ +# $File: apple,v 1.48 2023/05/01 14:20:21 christos Exp $ # apple: file(1) magic for Apple file formats # 0 search/1/t FiLeStArTfIlEsTaRt binscii (apple ][) text @@ -11,26 +11,48 @@ 0 belong 0x00051600 AppleSingle encoded Macintosh file 0 belong 0x00051607 AppleDouble encoded Macintosh file +# Type: Apple Emulator A2R format +# From: Greg Wildman <greg@apple2.org.za> +# Ref: https://applesaucefdc.com/a2r2-reference/ +# Ref: https://applesaucefdc.com/a2r/ +0 string A2R +>3 string \x31\xFF\x0A\x0D\x0A Applesauce A2R 1.x Disk Image +>3 string \x32\xFF\x0A\x0D\x0A Applesauce A2R 2.x Disk Image +>3 string \x33\xFF\x0A\x0D\x0A Applesauce A2R 3.x Disk Image +>8 string INFO +>>49 byte 01 \b, 5.25″ SS 40trk +>>49 byte 02 \b, 3.5″ DS 80trk +>>49 byte 03 \b, 5.25″ DS 80trk +>>49 byte 04 \b, 5.25″ DS 40trk +>>49 byte 05 \b, 3.5″ DS 80trk +>>49 byte 06 \b, 8″ DS +>>50 byte 01 \b, write protected +>>51 byte 01 \b, cross track synchronized +>>17 string/T x \b, %.32s + # Type: Apple Emulator WOZ format # 
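Review bot: In the new Duck IVF entry, `>8 string x \b, codec %s` prints past the four-byte codec tag: offset 12 is the field the entry itself reads next with `>12 leshort`, so unless that byte happens to be NUL the description carries raw header bytes after the codec name. Bound the conversion the way the XAVC lines earlier in this file do, `>8 string x \b, codec %.4s`.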
From: Greg Wildman <greg@apple2.org.za> # Ref: https://applesaucefdc.com/woz/reference/ # Ref: https://applesaucefdc.com/woz/reference2/ -# -# Note: The following test are mostly identical. I would rather not -# use a regex to identify the WOZ format number. -0 string WOZ1 ->4 string \xFF\x0A\x0D\x0A Apple ][ WOZ 1.0 Disk Image +0 string WOZ +>3 string \x31\xFF\x0A\x0D\x0A Apple ][ WOZ 1.0 Disk Image +>3 string \x32\xFF\x0A\x0D\x0A Apple ][ WOZ 2.0 Disk Image >12 string INFO >>21 byte 01 \b, 5.25 inch >>21 byte 02 \b, 3.5 inch >>22 byte 01 \b, write protected >>23 byte 01 \b, cross track synchronized >>25 string/T x \b, %.32s -0 string WOZ2 ->4 string \xFF\x0A\x0D\x0A Apple ][ WOZ 2.0 Disk Image + +# Type: Apple Macintosh Emulator MOOF format +# From: Greg Wildman <greg@apple2.org.za> +# Ref: https://applesaucefdc.com/moof-reference/ +0 string MOOF +>4 string \xFF\x0A\x0D\x0A Apple Macintosh MOOF Disk Image >12 string INFO ->>21 byte 01 \b, 5.25 inch ->>21 byte 02 \b, 3.5 inch +>>21 byte 01 \b, SSDD GCR (400K) +>>21 byte 02 \b, DSDD GCR (800K) +>>21 byte 03 \b, DSHD MFM (1.44M) >>22 byte 01 \b, write protected >>23 byte 01 \b, cross track synchronized >>25 string/T x \b, %.32s 
@@ -43,29 +65,79 @@ >0x400 string \x00\x00\x03\x00 >>0x404 byte &0xF0 >>>0x405 string x \b, Volume /%s ->>>0x429 leshort x \b, %u Blocks +>>>0x429 uleshort x \b, %u Blocks # ProDOS ordered ? >0xb00 string \x00\x00\x03\x00 >>0xb04 byte &0xF0 >>>0xb05 string x \b, Volume /%s ->>>0xb29 leshort x \b, %u Blocks +>>>0xb29 uleshort x \b, %u Blocks # -# DOS3.3 boot loader? -0 string \x01\xA5\x27\xC9\x09\xD0\x18\xA5\x2B ->0x11001 string \x11\x0F\x03 Apple DOS 3.3 Image ->>0x11006 byte x \b, Volume %u ->>0x11034 byte x \b, %u Tracks ->>0x11035 byte x \b, %u Sectors ->>0x11036 leshort x \b, %u bytes per sector -# DOS3.2 ? ->0x11001 string \x11\x0C\x02 Apple DOS 3.2 Image ->>0x11006 byte x \b, Volume %u ->>0x11034 byte x \b, %u Tracks ->>0x11035 byte x \b, %u Sectors ->>0x11036 leshort x \b, %u bytes per sector -# DOS3.1 ? ->0x11001 string \x11\x0C\x01 ->>0x11c00 string \x00\x11\x0B Apple DOS 3.1 Image +# Proboot HD +0 string \x01\x8A\x48\xD8\x2C\x82\xC0\x8D\x0E\xC0\x8D\x0C Apple ProDOS ProBoot Image +>0x400 string \x00\x00\x03\x00 +>>0x404 byte &0xF0 +>>>0x405 string x \b, Volume /%s +>>>0x429 uleshort x \b, %u Blocks +>0xb00 string \x00\x00\x03\x00 +>>0xb04 byte &0xF0 +>>>0xb05 string x \b, Volume /%s +>>>0xb29 uleshort x \b, %u Blocks +0 string \x01\xA8\x8A\x20\x7B\xF8\x29\x07\x09\xC0\x99\x30 Apple ProDOS ProBoot Image +>0x400 string \x00\x00\x03\x00 +>>0x404 byte &0xF0 +>>>0x405 string x \b, Volume /%s +>>>0x429 uleshort x \b, %u Blocks +>0xb00 string \x00\x00\x03\x00 +>>0xb04 byte &0xF0 +>>>0xb05 string x \b, Volume /%s +>>>0xb29 uleshort x \b, %u Blocks +0 string \x01\x4A\xD0\x34\xE6\x3D\x8A\x20\x7B\xF8\x09\xC0 Apple ProDOS ProBoot Image +>0x400 string \x00\x00\x03\x00 +>>0x404 byte &0xF0 +>>>0x405 string x \b, Volume /%s +>>>0x429 uleshort x \b, %u Blocks +>0xb00 string \x00\x00\x03\x00 +>>0xb04 byte &0xF0 +>>>0xb05 string x \b, Volume /%s +>>>0xb29 uleshort x \b, %u Blocks +# +# ProDOS formatted +0 string \x01\xBD\x88\xC0\x20\x2F\xFB\x20\x58\xFC\x20\x40 Apple ProDOS 
Unbootable Image +>0x400 string \x00\x00\x03\x00 +>>0x404 byte &0xF0 +>>>0x405 string x \b, Volume /%s +>>>0x429 uleshort x \b, %u Blocks +>0xb00 string \x00\x00\x03\x00 +>>0xb04 byte &0xF0 +>>>0xb05 string x \b, Volume /%s +>>>0xb29 uleshort x \b, %u Blocks +0 string \x01\x38\xB0\x03\x4C\x1C\x09\x78\x86\x43\xC9\x03 Apple ProDOS Unbootable Image +>0x400 string \x00\x00\x03\x00 +>>0x404 byte &0xF0 +>>>0x405 string x \b, Volume /%s +>>>0x429 uleshort x \b, %u Blocks +>0xb00 string \x00\x00\x03\x00 +>>0xb04 byte &0xF0 +>>>0xb05 string x \b, Volume /%s +>>>0xb29 uleshort x \b, %u Blocks +# +# DOS3 boot loader +0 string \x01\xA5\x27\xC9\x09\xD0 +>0x11001 byte 0x11 +>>0x11003 ubyte x Apple DOS 3.%u Image +>>0x11006 ubyte x \b, Volume #%03u +>>0x11034 ubyte x \b, %u Tracks +>>0x11035 ubyte x \b, %u Sectors +>>0x11036 uleshort x \b, %u bytes per sector +# +# DOS3 uninitialized disk +0 string \x01\xA6\x2B\xBD\x88\xC0\x8A\x4A\x4A +>0x11001 byte 0x11 +>>0x11003 ubyte x Apple DOS 3.%u Unbootable Image +>>>0x11006 ubyte x \b, Volume #%03u +>>>0x11034 ubyte x \b, %u Tracks +>>>0x11035 ubyte x \b, %u Sectors +>>>0x11036 uleshort x \b, %u bytes per sector # # Pascal boot loader? 0 string \x01\xE0\x60\xF0\x03\x4C\xE3\x08\xAD @@ -112,9 +184,70 @@ >>0x440 string \x00\x00\x03\x00 >>>0x444 byte &0xF0 >>>>0x445 string x \b, Volume /%s ->>>>0x469 leshort x \b, %u Blocks +>>>>0x469 uleshort x \b, %u Blocks >0xc byte 02 \b, NIB data +# Type: Peter Ferrie QBoot +# From: Greg Wildman <greg@apple2.org.za> +# Ref: https://github.com/peterferrie/qboot +0 string \x01\x4A\xA8\x69\x0F\x85\x27\xC9 +>8 string \x12\xF0\x10\xE6\x3D\x86\xDA\x8A Apple ][ QBoot Image + +# Type: Peter Ferrie 0Boot +# 
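Review bot: The eight continuation lines that print the ProDOS volume name and block count (`>0x400 string \x00\x00\x03\x00` through `>>>0xb29 uleshort x \b, %u Blocks`) are pasted verbatim under each of the five new ProBoot and Unbootable signatures in the @@ -43,29 +65,79 @@ hunk, so a later fix to one copy, like the `leshort` to `uleshort` change made here, has to be repeated in every copy. The same commit already uses `name`/`use` subroutines for `apple-rsr` and `cpio-bin`; doing the same here leaves one place to maintain. The subroutine name below is only a proposal.

```magic
0	name	apple-prodos-volume
>0x400	string	\x00\x00\x03\x00
>>0x404	byte	&0xF0
>>>0x405	string	x	\b, Volume /%s
>>>0x429	uleshort	x	\b, %u Blocks
>0xb00	string	\x00\x00\x03\x00
>>0xb04	byte	&0xF0
>>>0xb05	string	x	\b, Volume /%s
>>>0xb29	uleshort	x	\b, %u Blocks

0	string	\x01\x8A\x48\xD8\x2C\x82\xC0\x8D\x0E\xC0\x8D\x0C	Apple ProDOS ProBoot Image
>0	use	apple-prodos-volume
# … unchanged: the other ProBoot / Unbootable signatures, each followed by the same use line …
```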
From: Greg Wildman <greg@apple2.org.za> +# Ref: https://github.com/peterferrie/0boot +0 string \x01\x4A\xA8\x69\x0F\x85\x27\xC9 +>8 string \x12\xF0\x10\xE6\x3D\x86\xDA\x8A Apple ][ 0Boot Image + +# Different proprietary boot sectors +0 string \x01\x0F\x21\x74\x00\x01\x6B\x00\x02\x30\x81\x5D Apple ][ Disk Image +0 string \x01\x20\x58\xFC\xA2\x00\x8E\x78\x04\x8E\xF4\x03 Apple ][ Disk Image +0 string \x01\x20\x58\xFC\xAD\x51\xC0\xAD\x54\xC0\xA6\x2B Apple ][ Disk Image +0 string \x01\x20\x89\xFE\x20\x93\xFE\xA6\x2B\xBD\x88\xC0 Apple ][ Disk Image +0 string \x01\x20\x93\xFE\x20\x89\xFE\x4C\x25\x08\x68\x85 Apple ][ Disk Image +0 string \x01\x20\x93\xFE\x20\x89\xFE\x4C\x2D\x08\x68\x85 Apple ][ Disk Image +0 string \x01\x38\x90\x2A\xC9\x01\xF0\x33\xA8\xC8\xC0\x10 Apple ][ Disk Image +0 string \x01\x38\xB0\x03\x4C\x32\xA1\x87\x43\xC9\x03\x08 Apple ][ Disk Image +0 string \x01\x4C\x04\x08\xA9\x2A\x8D\x02\x08\x86\x2B\xEE Apple ][ Disk Image +0 string \x01\x4C\x60\x08\x09\xD0\x18\xA5\x2B\x4A\x4A\x4A Apple ][ Disk Image +0 string \x01\x4C\x92\x08\x01\x08\xA2\x00\xB5\x00\x9D\x00 Apple ][ Disk Image +0 string \x01\x4C\xB3\x08\x09\xD0\x18\xA5\x2B\x4A\x4A\x4A Apple ][ Disk Image +0 string \x01\x8D\xFB\x03\x8E\xFC\x03\x8C\xFD\x03\x8A\x29 Apple ][ Disk Image +0 string \x01\xA2\xFF\x9A\xD8\x20\x20\x08\x20\x34\x08\xAD Apple ][ Disk Image +0 string \x01\xA5\x27\xBD\x88\xC0\x2C\x10\xC0\xA2\x00\xA9 Apple ][ Disk Image +0 string \x01\xA5\x2B\xAE\x51\xC0\xEA\xAA\xBD\x88\xC0\x20 Apple ][ Disk Image +0 string \x01\xA6\x27\xBD\x0B\x08\x48\xBD\x0A\x08\x48\x85 Apple ][ Disk Image +0 string \x01\xA6\x2B\xBD\x88\xC0\x20\x58\xFC\xA9\x01\x85 Apple ][ Disk Image +0 string \x01\xA6\x2B\xBD\x88\xC0\x20\x58\xFC\xA9\x25\x85 Apple ][ Disk Image +0 string \x01\xA8\xC0\x0F\x90\x16\xF0\x12\xA0\xFF\x18\xAD Apple ][ Disk Image +0 string \x01\xA9\x00\x85\xF0\xA9\x04\x85\xF1\xA0\x00\xA9 Apple ][ Disk Image +0 string \x01\xA9\x5C\x8D\xF2\x03\xA9\xC6\x8D\xF3\x03\x49 Apple ][ Disk Image +0 string 
\x01\xA9\x60\x8D\x01\x08\x20\x2F\xFB\x20\x58\xFC Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\x20\x49\x08\xA9\x0A\x85 Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\x2C\x82\xC0\xBD\x88\xC0 Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\x86\x43\x8A\x4A\x4A\x4A Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\xA2\x00\x86\xFF\xB5\x00 Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\xA2\x00\xB5\x00\x9D\x00 Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\xA9\xB2\x8D\xF2\x03\xA9 Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\xA9\xFF\x8D\xF3\x03\x8D Apple ][ Disk Image +0 string \x01\xAC\x00\x08\xF0\x19\xB9\x30\x08\x85\x3D\xCE Apple ][ Disk Image +0 string \x01\xAC\x23\x08\x30\x2E\xB9\x24\x08\x85\x3D\xCE Apple ][ Disk Image +0 string \x01\xAD\x00\x08\xC9\x09\xB0\x20\x69\x02\x8D\x00 Apple ][ Disk Image +0 string \x01\xB0\x00\xA9\x3C\x8D\x02\x08\x86\x2B\x8A\x4A Apple ][ Disk Image +0 string \x01\xB0\x00\xA9\x3C\x8D\x02\x08\xA9\xF5\x8D\xF2 Apple ][ Disk Image +0 string \x01\xB0\x00\xA9\x3F\x8D\x02\x08\x86\x2B\x8E\xF4 Apple ][ Disk Image +0 string \x01\xB0\x00\xA9\x48\x8D\x02\x08\x86\x2B\x8E\xF4 Apple ][ Disk Image +0 string \x01\xBD\x88\xC0\x8A\x4A\x4A\x4A\x4A\x09\xC0\x8D Apple ][ Disk Image +0 string \x01\xBD\x88\xC0\x8A\x4A\x4A\x4A\x4A\x8D\x2F\x08 Apple ][ Disk Image +0 string \x01\xD8\x2C\x81\xC0\xA9\x60\x4D\x58\xFF\xD0\xFE Apple ][ Disk Image +0 string \x01\xD8\x78\xBD\x88\xC0\xA9\xFD\x85\x37\x85\x39 Apple ][ Disk Image +0 string \x01\xE0\x60\xF0\x03\x4C\x16\x09\xAD\x00\x08\xC9 Apple ][ Disk Image +0 string \x01\xE0\x60\xF0\x03\x4C\xCB\x08\xAD\x00\x08\xC9 Apple ][ Disk Image +0 string \x01\xE0\x60\xF0\x03\x4C\xEE\x08\xAD\x00\x08\xC9 Apple ][ Disk Image +0 string \x01\xE0\x60\xF0\x03\x4C\xEF\x08\xAD\x00\x08\xC9 Apple ][ Disk Image +0 string \x01\xE0\x70\xB0\x04\xE0\x40\xB0\x39\xBD\x88\xC0 Apple ][ Disk Image +0 string \x01\xEA\x8D\xF4\x03\xA9\x60\x9D\x88\xC0\x8D\x51 Apple ][ Disk Image + # magic for Newton PDA package 
formats # from Ruda Moura <ruda@helllabs.org> 0 string package0 Newton package, NOS 1.x, @@ -291,7 +424,13 @@ #>0x410 string disk\ image UDIF read/write image (UDRW) # From: Toby Peterson <toby@apple.com> +# From https://www.nationalarchives.gov.uk/pronom/fmt/866 +0 string bplist00 +>8 search/500 WebMainResource Apple Safari Webarchive +!:mime application/x-webarchive +!:strength +50 0 string bplist00 Apple binary property list +!:mime application/x-bplist # Apple binary property list (bplist) # Assumes version bytes are hex. 
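Review bot: The QBoot and 0Boot entries added in the @@ -112,9 +184,70 @@ hunk test exactly the same sixteen bytes (`0 string \x01\x4A\xA8\x69\x0F\x85\x27\xC9` then `>8 string \x12\xF0\x10\xE6\x3D\x86\xDA\x8A`), so the magic cannot tell the two loaders apart. An image matching one always matches the other, and which name is reported depends only on entry order. One of the two signatures was presumably copied from the other; the 0Boot entry needs its own boot-sector bytes, or the two should be merged into a single line naming both loaders until a distinguishing byte is known.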
@@ -491,9 +630,107 @@ # Usually not in separate files, but have either filename rsrc with # no extension, or a filename corresponding to another file, with # extensions rsr/rsrc +# URL: http://fileformats.archiveteam.org/wiki/Macintosh_resource_file +# https://en.wikipedia.org/wiki/Resource_fork +# Reference: https://github.com/kreativekorp/ksfl/wiki/Macintosh-Resource-File-Format +# http://developer.apple.com/legacy/mac/library/documentation/mac/pdf/MoreMacintoshToolbox.pdf +# https://formats.kaitai.io/resource_fork/ +# Update: Joerg Jenderek +# Note: verified often by command like `deark -m macrsrc Icon_.rsrc` +# offset of resource data; usually starts at offset 0x0100 0 string \000\000\001\000 ->4 leshort 0 ->>16 lelong 0 Apple HFS/HFS+ resource fork +# skip NPETraceSession.etl with invalid "low" map offset 0 +>4 ubelong >0xFF +# skip few Atari DEGAS Elite bitmap (eil2.pi1 nastro.pi1) with ivalid "high" 0x6550766 0x7510763 map length +>>12 ubelong <0x8001 +# most examples with zeroed system reserved field +>>>16 lelong =0 +>>>>0 use apple-rsr +# few samples with not zeroed system reserved field like: Empty.rsrc.rsr OpenSans-CondBold.dfont +>>>16 lelong !0 +# resource fork variant with not zeroed system reserved field and copy of header +>>>>(4.L) ubelong 0x100 +# GRR: the line above only works if in ../../src/file.h FILE_BYTES_MAX is raised from 1 MiB above 0x6ab0f4 (HelveticaNeue.dfont) +>>>>>0 use apple-rsr +# data fork variant with not zeroed system reserved field and no copy of header +>>>>(4.L) ubelong 0 +>>>>>0 use apple-rsr +# Note: moved and merged from ./macintosh +# 
From: Adam Buchbinder <adam.buchbinder@gmail.com> +# URL: https://en.wikipedia.org/wiki/Datafork_TrueType +# Derived from the 'fondu' and 'ufond' source code (fondu.sf.net). 'sfnt' is +# TrueType; 'POST' is PostScript. 'FONT' and 'NFNT' sometimes appear, but I +# don't know what they mean. +# display information about Mac OSX datafork font DFONT +0 name apple-dfont +>(4.L+30) ubelong x Mac OSX datafork font, +# https://en.wikipedia.org/wiki/Datafork_TrueType +!:mime application/x-dfont +!:ext dfont +# https://exiftool.org/TagNames/RSRC.html +>(4.L+30) ubelong 0x73666e74 TrueType +>(4.L+30) ubelong 0x464f4e54 'FONT' +>(4.L+30) ubelong 0x4e464e54 'NFNT' +>(4.L+30) ubelong 0x504f5354 PostScript +>(4.L+30) ubelong 0x464f4e44 'FOND' +>(4.L+30) ubelong 0x76657273 'vers' +# display information about Macintosh resource +0 name apple-rsr +>(4.L+30) ubelong 0x73666e74 +>>0 use apple-dfont +>(4.L+30) ubelong 0x464f4e54 +>>0 use apple-dfont +>(4.L+30) ubelong 0x4e464e54 +>>0 use apple-dfont +>(4.L+30) ubelong 0x504f5354 +>>0 use apple-dfont +>(4.L+30) ubelong 0x464f4e44 +>>0 use apple-dfont +>(4.L+30) ubelong 0x76657273 +>>0 use apple-dfont +>(4.L+30) default x Apple HFS/HFS+ resource fork +#!:mime application/octet-stream +!:mime application/x-apple-rsr +!:ext rsrc/rsr +# offset to resource data; usually starts at offset 0x0100 +>0 ubelong !0x100 \b, data offset %#x +# offset to resource map; positive but not nil like in NPETraceSession.etl +>4 ubelong x \b, map offset %#x +# length of resource map; positive with 32K limitation but not +# nil like in NPETraceSession.etl or high like 0x7510763 in nastro.pi1 +>12 ubelong x \b, map length %#x +# length of resource data; positive but not nil like in NPETraceSession.etl +>8 ubelong x \b, data length %#x +# reserved 112 bytes for system use; apparently often nil, but 8fd20000h in Empty.rsrc.rsr and 0x00768c2b in OpenSans-CondBold.dfont +>16 ubelong !0 \b, at 16 %#8.8x +# https://fontforge.org/docs/techref/macformats.html +# jump to 
resource map +# a copy of resource header or 16 bytes of zeros for data fork +#>(4.L) ubelong x \b, DATA offset %#x +#>(4.L+4) ubelong x \b, MAP offset %#x +#>(4.L+8) ubelong x \b, DATA length %#x +#>(4.L+12) ubelong x \b, MAP length %#x +# nextResourceMap; handle to next resource map; used by the Resource Manager for internal bookkeeping; should be zero +>(4.L+16) ubelong !0 \b, nextResourceMap %#x +# fileRef; file reference number; used by the Resource Manager for internal bookkeeping; should be zero +>(4.L+20) ubeshort !0 \b, fileRef %#x +# attributes; Resource fork attributes (80h~read-only 40h~compression needed 20h~changed); other bits are reserved and should be zero +>(4.L+22) ubeshort !0 \b, attributes %#x +# typeListOffset; offset from resource map to start of type list like: 1Ch +>(4.L+24) ubeshort x \b, list offset %#x +# nameListOffset; offset from esource map to start of name list like: 32h 46h 56h (XLISP.RSR XLISPTIN.RSR) 13Eh (HelveticaNeue.dfont) +>(4.L+26) ubeshort x \b, name offset %#x +# typeCount; number of types in the map minus 1; If there are no resources, this is 0xFFFF +>(4.L+28) beshort+1 >0 \b, %u type +# plural s +>>(4.L+28) beshort+1 >1 \bs +# resource type list array; 1st resource type like: ALRT CODE FOND MPSR icns scsz +>>(4.L+30) ubelong x \b, %#x +>>(4.L+30) string x '%-.4s' +# resourceCount; number of this type resources minus one. If there is one resource of this type, this is 0x0000 +>>(4.L+34) beshort+1 x * %d +# resourceListOffset; offset from type list to resource list like: Ah 12h DAh +>(4.L+36) ubeshort x resource offset %#x #https://en.wikipedia.org/wiki/AppleScript 0 string FasdUAS AppleScript compiled diff --git a/magic/Magdir/archive b/magic/Magdir/archive index 758c93ef8e17..6e1f9678e7ac 100644 --- a/magic/Magdir/archive +++ b/magic/Magdir/archive 
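Review bot: `>0 ubelong !0x100 \b, data offset %#x` in the new `apple-rsr` subroutine cannot match as it is called in this hunk: the only caller is the entry `0 string \000\000\001\000`, which pins those same four bytes to 0x00000100. Either drop the line, or, if resource files with another data offset are meant to be recognised (the comment says the offset is only "usually" 0x0100), loosen the top-level test and keep the sanity checks on map offset and map length. Two comment typos in the same hunk are worth fixing while there: "ivalid" should be "invalid" and "esource map" should be "resource map".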
@@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: archive,v 1.169 2022/09/12 13:13:28 christos Exp $ +# $File: archive,v 1.193 2023/07/27 17:55:58 christos Exp $ # archive: file(1) magic for archive formats (see also "msdos" for self- # extracting compressed archives) # @@ -30,9 +30,11 @@ # check for 1st image main name with digits used for sorting # and for name extension case insensitive like: PNG JPG JPEG TIF TIFF GIF BMP >>>>>>>>0 regex \^[0-9]{2,4}[.](png|jpg|jpeg|tif|tiff|gif|bmp) -#foo >>>>>>>>>0 use tar-cbt -# if 1st member name without digits and without used image suffix then it is a TAR archive +# check for 1st member name with ovf suffix +>>>>>>>>0 regex \^.{1,96}[.](ovf) +>>>>>>>>>0 use tar-ova +# if 1st member name without digits and without used image suffix and without *.ovf then it is a TAR archive >>>>>>>>0 default x >>>>>>>>>0 use tar-file # minimal check and then display tar archive information which can also be @@ -168,6 +170,21 @@ # name[100] probably like: 19.jpg 0001.png 0002.png # or maybe like ComicInfo.xml >0 string >\0 \b, 1st image %-.60s +# Summary: Open Virtualization Format *.OVF with disk images and more packed as TAR archive *.OVA +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Open_Virtualization_Format +# http://fileformats.archiveteam.org/wiki/OVF_(Open_Virtualization_Format) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/o/ova.trid.xml +# Note: called "Open Virtualization Format package" by TrID +# assuming *.ovf comes first +0 name tar-ova +>0 string x Open Virtualization Format Archive +#!:mime application/x-ustar +# http://extension.nirsoft.net/ova +!:mime application/x-virtualbox-ova +!:ext ova +# assuming name[100] like: DOS-0.9.ovf FreeDOS_1.ovf Win98SE_DE.ovf +>0 string >\0 \b, with %-.60s # Incremental snapshot gnu-tar format from: # https://www.gnu.org/software/tar/manual/html_node/Snapshot-Files.html 
@@ -185,16 +202,88 @@ # The SVR4 "cpio(4)" hints that there are additional formats, but they # are defined as "short"s; I think all the new formats are # character-header formats and thus are strings, not numbers. -0 short 070707 cpio archive +# URL: http://fileformats.archiveteam.org/wiki/Cpio +# https://en.wikipedia.org/wiki/Cpio +# Reference: https://people.freebsd.org/~kientzle/libarchive/man/cpio.5.txt +# Update: Joerg Jenderek +# +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cpio-bin.trid.xml +# Note: called "CPIO archive (binary)" by TrID, "cpio/Binary LE" by 7-Zip and "CPIO" by DROID via PUID fmt/635 +0 short 070707 +# skip DROID fmt-635-signature-id-960.cpio by looking for pathname of 1st entry +>26 string >\0 cpio archive !:mime application/x-cpio +# https://download.opensuse.org/distribution/leap/15.4/iso/openSUSE-Leap-15.4-NET-x86_64-Media.iso +# boot/x86_64/loader/bootlogo +# message.cpi +!:ext /cpio/cpi +>>0 use cpio-bin +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cpio-bin-sw.trid.xml +# Note: called "CPIO archive (byte swapped binary)" by TrID and "Cpio/Binary BE" by 7-Zip 0 short 0143561 byte-swapped cpio archive !:mime application/x-cpio # encoding: swapped +# https://telparia.com/fileFormatSamples/archive/cpio/skeleton2.cpio +!:ext cpio +>0 use cpio-bin-be +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cpio.trid.xml +# Note: called "CPIO archive (portable)" by TrID, "cpio/Portable ASCII" by 7-Zip and "cpio/odc" by GNU cpio 0 string 070707 ASCII cpio archive (pre-SVR4 or odc) !:mime application/x-cpio +# https://telparia.com/fileFormatSamples/archive/cpio/ pthreads-1.60B5.osr5src.cpio cinema.cpi VOL.000.008 VOL.000.012 +!:ext cpio/cpi/008/012 +# Note: called "CPIO archive (portable)" by TrID, "cpio/New ASCII" by 7-Zip and "cpio/newc" by GNU cpio 0 string 070701 ASCII cpio archive (SVR4 with no CRC) !:mime application/x-cpio +# 
https://telparia.com/fileFormatSamples/archive/cpio/MainActor-2.06.3.cpio +!:ext cpio +# Note: called "CPIO archive (portable)" by TrID, "cpio/New CRC" by 7-Zip and "cpio/crc" by GNU cpio 0 string 070702 ASCII cpio archive (SVR4 with CRC) !:mime application/x-cpio +# http://ftp.gnu.org/gnu/tar/tar-1.27.cpio.gz +# https://telparia.com/fileFormatSamples/archive/cpio/pcmcia +!:ext /cpio +# display information of old binary cpio archive +# Note: verfied by 7-Zip `7z l -tcpio -slt *.cpio` and +# `cpio -ivt --numeric-uid-gid --file=clam.bin-le.cpio` +0 name cpio-bin +# c_dev; device number; WHAT IS THAT? +>2 uleshort x \b; device %u +# c_ino; truncated inode number; use `ls --inode` +>4 uleshort x \b, inode %u +# c_mode; mode specifies permissions and file type like: ?622~?rw-r--r-- by `ls -l` +>6 uleshort x \b, mode %o +# c_uid; numeric user id; use `ls --numeric-uid-gid` +>8 uleshort x \b, uid %u +# c_gid; numeric group id +>10 uleshort x \b, gid %u +# c_nlink; links to this file; directories at least 2 +>12 uleshort >1 \b, %u links +# c_rdev; device number for block and character entries; zero for all other entries by writers +# like 0x0440 for /dev/ttyS0 +>14 uleshort >0 \b, device %#4.4x +# c_mtime[2]; modification time in seconds since 1 January 1970; most-significant 16 bits first +>16 medate x \b, modified %s +# c_filesize[2]; size of pathname; most-significant 16 bits first like: 544 +>22 melong x \b, %u bytes +# c_namesize; bytes in the pathname that follows the header like: 9 +#>20 uleshort x \b, namesize %u +# pathname of entry like: "clam.exe" +>26 string x "%s" +# display information of old binary byte swapped cpio archive +# Note: verfied by 7-Zip `7z l -tcpio -slt *.cpio` and +# `LANGUAGE=C cpio -ivt --numeric-uid-gid --file=clam.bin-be.cpio` +0 name cpio-bin-be +>2 ubeshort x \b; device %u +>4 ubeshort x \b, inode %u +>6 ubeshort x \b, mode %o +>8 ubeshort x \b, uid %u +>10 ubeshort x \b, gid %u +>12 ubeshort >1 \b, %u links +>14 ubeshort >0 \b, device 
%#4.4x +>16 bedate x \b, modified %s +>22 ubelong x \b, %u bytes +#>20 ubeshort x \b, namesize %u +>26 string x "%s" # # Various archive formats used by various versions of the "ar" @@ -271,7 +360,8 @@ #>>68 string x (format %.3s) >68 string =2.0\n # 2nd archive name=control archive name like control.tar.gz or control.tar.xz ->>72 string >\0 \b, with %.14s +# or control.tar.zst +>>72 string >\0 \b, with %.15s # look for 3rd archive name=data archive name like data.tar.{gz,xz,bz2,lzma} >>0 search/0x93e4f data.tar. \b, data compression # the above line only works if FILE_BYTES_MAX in ../../src/file.h is raised @@ -506,11 +596,12 @@ >>>>0 use ttcomp 0 string \1\4 # TODO: -# skip Commodore PET BASIC 4.0 program *.prg -# variant ASCII, 1K dictionary (strength=48=50-2). With strength=49 wrong order! WHY? # skip shared library (strength=50) handled by ./ibm6000 !:strength -2 ->0 use ttcomp +# skip Commodore PET BASIC programs (Mastermind.prg) with last 3 nil bytes (\0~end of line followed by 0000h line offset) +#>-4 ubelong x LAST_BYTES=%8.8x +>-4 ubelong&0x00FFffFF !0 +>>0 use ttcomp # display information of TTComp archive 0 name ttcomp # (version 5.25) labeled the entry as "TTComp archive data" @@ -753,6 +844,88 @@ !:ext ??$ >>8 ulelong >0 \b, original size: %u bytes +# Summary: lzss compressed/EDI Pack +# 
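Review bot: `0 short 070707` and `0 short 0143561` are read in host byte order, but the subroutines they now call decode the header with fixed-endian types (`uleshort`/`medate`/`melong` in `cpio-bin`, `ubeshort`/`bedate`/`ubelong` in `cpio-bin-be`), so on a big-endian host every field after the magic would be decoded with the wrong byte order. Pinning the selectors, `0 leshort 070707` before `use cpio-bin` and `0 beshort 070707` before `use cpio-bin-be`, gives the same output on every host. The comment `# c_filesize[2]; size of pathname` describes the wrong field and should read "size of the file data". `>26 string x "%s"` also prints an archive-supplied path with no length cap, whereas the tar entries in this file use `%-.60s`.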
From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/EDI_Install_packed_file +# Note: called "EDI Install LZS compressed data" by TrID and verified by +# command like `deark -l -m edi_pack -d2 BOOK01A.IC$` as "EDI Pack LZSS1" +0 string EDILZSS +>7 string 1 +# look for point character before orginal file name extension +>>8 search/9/b . +# check suffix of possible orginal file anme +#>>>&0 ubelong x SUFFIX=%8.8x +# samples without valid character after point in original file name field like: FENNEL.LZS PLANTAIN.LZS +>>>&0 ubyte <0x20 +>>>>0 use edi-lzs +# samples with valid character after point in original file name field +>>>&0 ubyte >0x1F +# check 2nd charcter of suffix +#>>>>&0 ubyte x 2ND_SUFFIX=%x +# sample with one valid character after point followed by \0 in original file name field like: SPELMATE.H$ +>>>>&0 ubyte =0 +>>>>>0 use edi-pack +>>>>&0 ubyte >0x1F +# check 3rd charcter of suffix +#>>>>>&0 ubyte x 3RD_SUFFIX=%x +# no sample with 2 valid characters after point followed by \0 in original file name field +>>>>>&0 ubyte =0 +>>>>>>0 use edi-pack +# samples with valid 3rd character after point in original file name field +>>>>>&0 ubyte >0x1F +# sample with 3 valid character after point followed by \0 in original file name field like: BOOK01A.IC$ CTL3D.DL$ +>>>>>>&0 ubyte =0 +>>>>>>>0 use edi-pack +# sample with 3 valid character after point followed by no \0 in original file name field like: HERBTEXT.LZS +>>>>>>&0 ubyte !0 +>>>>>>>0 use edi-lzs +# no sample with invalid 3rd character after point in original file name field +>>>>>&0 default x +>>>>>>0 use edi-lzs +# sample with invalid 2nd character after point in original file name field like: LACERATE.LZS SPLINTER.LZS +>>>>&0 default x +>>>>>0 use edi-lzs +# sample without point character in original file name field like GUNSHOT.LZS +>>8 default x +>>>0 use edi-lzs +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/e/edi-lzss2.trid.xml +# Note: called "EDI Install Pro LZSS2 
compressed data" by TrID and verified by +# command like `deark -l -m edi_pack -d2 4WAY.WA$` as "EDI Pack LZSS2" +>7 string 2 EDI LZSS2 packed +#!:mime application/octet-stream +!:mime application/x-edi-pack-lzss +# the name of a compressed file often ends in character '$' or '_' +!:ext ??$/??_ +# original filename, NUL-terminated, padded to 13 bytes like: mci.vbx 4way.wav skymap.exe cmdialog.vbx +>>8 string x "%-0.13s" +# original file size, as a 4-byte integer. +>>21 ulelong x \b, %u bytes +# compressed data like: ff5249464606ec00 ff4d5aa601010000 +>>>25 ubequad x \b, data %#16.16llx... +0 name edi-pack +# Note: verified by command like `deark -l -d2 SPELMATE.H$` as "EDI Pack LZSS1" +# original filename, NUL-terminated, padded to 13 bytes like: ctl3d.dll spelmate.h filemenu.rc owl.def index-it.exe +# but not like \377Aloe.lzs\273 (HERBTEXT.LZS) +>8 string x EDI LZSS packed "%-.13s" +#!:mime application/octet-stream +!:mime application/x-edi-pack-lzss +# the name of a compressed file often ends in character '$' or '_' +!:ext ??$/?$ +# compressed data like: f7000001eff02020 ff4d5aa900020000 ff2f2a207370656c +>21 ubequad x \b, data %#16.16llx... +# URL: http://fileformats.archiveteam.org/wiki/EDI_LZSSLib +# Note: verified partly by command like `deark -l -m edi_pack -d2 GUNSHOT.LZS` as "EDI LZSSLib" +0 name edi-lzs +# Note: verified by command like `deark -l -d2 GUNSHOT.LZS` as "EDI LZSSLib" +# no original filename looks like: \277BM\226.\0 \277BM.n\001 \277BM\226.\0 \277BM.g\001 \377Aloe.lzs\273 +>8 string x EDI LZSSLib packed +#!:mime application/octet-stream +!:mime application/x-edi-pack-lzss +# The name of a compressed file ends with LZS suffix +!:ext lzs +# compressed data like: bf424df6e10100f3 ff416c6f652e6c7a ff416c6f652e6c7a +>8 ubequad x \b, data %#16.16llx... + # Summary: CAZIP compressed file # From: Joerg Jenderek # URL: http://fileformats.archiveteam.org/wiki/CAZIP 
@@ -791,8 +964,6 @@ 3 string OctSqu Squash archive data # Terse 0 string \5\1\1\0 Terse archive data -# PUCrunch -0 string \x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 PUCrunch archive data # UHarc 0 string UHA UHarc archive data # ABComp @@ -821,8 +992,10 @@ # QFC 0 string \x1aFC\x1a QFC archive data 0 string \x1aQF\x1a QFC archive data -# PRO-PACK -0 string RNC PRO-PACK archive data +# PRO-PACK https://www.segaretro.org/Rob_Northen_compression +0 string RNC +>3 byte 1 PRO-PACK archive data (compression 1) +>3 byte 2 PRO-PACK archive data (compression 2) # 777 0 string 777 777 archive data # LZS221 @@ -925,11 +1098,39 @@ # TPac 0 string \4TPAC\3 TPac archive data # Ai +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Ai_Archiver 0 string Ai\1\1\0 Ai archive data +#!:mime application/octet-stream +!:mime application/x-compress-ai +!:ext ai 0 string Ai\1\0\0 Ai archive data +#!:mime application/octet-stream +!:mime application/x-compress-ai +!:ext ai # Ai32 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-ai.trid.xml +# Note: called "Ai Archivator compressed archive" by TrID 0 string Ai\2\0 Ai32 archive data +#!:mime application/octet-stream +!:mime application/x-compress-ai +!:ext ai +# original file name +>8 pstring/h x "%s" +# according to TrID the next 3 bytes are nil +>5 ubyte !0 \b, at 5 %#x +>6 ubyte !0 \b, at 6 %#x +>7 ubyte !0 \b, at 7 %#x +# the fourth byte with value 0 is probably a flag for "non solid" mode +#>3 ubyte =0x00 \b, unsolid mode 0 string Ai\2\1 Ai32 archive data +#!:mime application/octet-stream +!:mime application/x-compress-ai +!:ext ai +# original file name +>8 pstring/h x "%s" +# the fourth byte with value 0x01 is probably a flag for "solid" mode; this is not the default +>3 ubyte =0x01 \b, solid mode # SBC 0 string SBC SBC archive data # Ybs 
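Review bot: The two Ai32 entries in the last hunk on this line are near-duplicates that have drifted apart. `Ai\2\0` prints bytes 5–7 when they are non-zero, `Ai\2\1` does not, and the `unsolid mode` line is commented out while `solid mode` is live. With a four-byte signature now asserting `application/x-compress-ai`, the bytes TrID describes as nil are the only extra evidence available, so the same children should apply to both variants. A single entry keyed on `0 string Ai\2` with `>3 ubyte <2 Ai32 archive data` and the shared children beneath it would keep them in step, assuming 0 and 1 are the only flag values seen in samples.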
@@ -1234,7 +1435,7 @@ >>>>>>3 regex \^lh[01] LHarc 1.x/ARX archive data # LHice archiver use ".ICE" as name extension instead usual one ".lzh" # FOOBAR archiver use ".foo" as name extension instead usual one -# "Florain Orjanov's and Olga Bachetska's ARchiver" not found at the moment +# "Florian Orjanov's and Olga Bachetska's ARchiver" not found at the moment >>>>>>>2 string -lh1 \b !:ext lha/lzh/ice >>>>>>3 regex \^lh[23d] LHa 2.x? archive data 
@@ -1422,6 +1623,83 @@ !:mime application/zip !:ext zip/cbz +# Android APK file (Zip archive) +0 string PK\003\004 +!:strength +1 +# Starts with AndroidManifest.xml (file name length = 19) +>26 uleshort 19 +>>30 string AndroidManifest.xml Android package (APK), with AndroidManifest.xml +!:mime application/vnd.android.package-archive +!:ext apk +>>>-22 string PK\005\006 +>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +# Starts with META-INF/com/android/build/gradle/app-metadata.properties +>26 uleshort 57 +>>30 string META-INF/com/android/build/gradle/ +>>>&0 string app-metadata.properties Android package (APK), with gradle app-metadata.properties +!:mime application/vnd.android.package-archive +!:ext apk +>>>>-22 string PK\005\006 +>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +# Starts with classes.dex (file name length = 11) +>26 uleshort 11 +>>30 string classes.dex Android package (APK), with classes.dex +!:mime application/vnd.android.package-archive +!:ext apk +>>>-22 string PK\005\006 +>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +# Starts with META-INF/MANIFEST.MF (file name length = 20) +# NB: checks for resources.arsc, classes.dex, etc. 
as well to avoid matching JAR files +>26 uleshort 20 +>>30 string META-INF/MANIFEST.MF +# Contains resources.arsc (near the end, in the central directory) +>>>-512 search resources.arsc Android package (APK), with MANIFEST.MF and resources.arsc +!:mime application/vnd.android.package-archive +!:ext apk +>>>>-22 string PK\005\006 +>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +>>>-512 default x +# Contains classes.dex (near the end, in the central directory) +>>>>-512 search classes.dex Android package (APK), with MANIFEST.MF and classes.dex +!:mime application/vnd.android.package-archive +!:ext apk +>>>>>-22 string PK\005\006 +>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +>>>>-512 default x +# Contains lib/armeabi (near the end, in the central directory) +>>>>>-512 search lib/armeabi Android package (APK), with MANIFEST.MF and armeabi lib +!:mime application/vnd.android.package-archive +!:ext apk +>>>>>>-22 string PK\005\006 +>>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +>>>>>-512 default x +# Contains drawables (near the end, in the central directory) +>>>>>>-512 search res/drawable Android package (APK), with MANIFEST.MF and drawables +!:mime application/vnd.android.package-archive +!:ext apk +>>>>>>>-22 string PK\005\006 +>>>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +# It may or may not be an APK file, but it's definitely a Java JAR file +>>>>>>-512 default x Java archive data (JAR) +!:mime application/java-archive +!:ext jar +# Starts with zipflinger virtual entry (28 + 104 = 132 bytes) +# See https://github.com/obfusk/apksigcopier/blob/666f5b7/apksigcopier/__init__.py#L230 +>4 string \x00\x00\x00\x00\x00\x00 +>>&0 string \x21\x08\x21\x02 +>>>&0 string \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +>>>>&0 string \x00\x00 Android package (APK), with zipflinger virtual entry +!:mime application/vnd.android.package-archive +!:ext apk 
+>>>>>-22 string PK\005\006 +>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +# APK Signing Block +>0 default x +>>-22 string PK\005\006 +>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 Android package (APK), with APK Signing Block +!:mime application/vnd.android.package-archive +!:ext apk + # Zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) 0 string PK\005\006 Zip archive data (empty) !:mime application/zip @@ -1524,9 +1802,13 @@ >>>>77 string -web HTML Document Template !:mime application/vnd.oasis.opendocument.text-web !:ext oth ->>>>77 string -master Master Document +>>>>77 string -master +>>>>>84 byte !0x2d Master Document !:mime application/vnd.oasis.opendocument.text-master !:ext odm +>>>>>84 string -template Master Template +!:mime application/vnd.oasis.opendocument.text-master-template +!:ext otm >>>73 string graphics >>>>81 byte !0x2d Drawing !:mime application/vnd.oasis.opendocument.graphics @@ -1569,8 +1851,7 @@ # Valid for LibreOffice Base 6.0.1.1 at least >>>73 string base Database # https://bugs.documentfoundation.org/show_bug.cgi?id=45854 -!:mime application/vnd.oasis.opendocument.database -#!:mime application/vnd.oasis.opendocument.base +!:mime application/vnd.oasis.opendocument.base !:ext odb >>>73 string image >>>>78 byte !0x2d Image @@ -1586,6 +1867,16 @@ >>50 string epub+zip EPUB document !:mime application/epub+zip +# From: Hajin Jang <jb6804@naver.com> +# hwpx (OWPML) document format follows OCF specification. +# Hangul Word Processor 2010+ supports HWPX format. +# URL: https://www.hancom.com/etc/hwpDownload.do +# https://standard.go.kr/KSCI/standardIntro/getStandardSearchView.do?menuId=503&topMenuId=502&ksNo=KSX6101 +# https://e-ks.kr/streamdocs/view/sd;streamdocsId=72059197557727331 +>>50 string hwp+zip Hancom HWP (Hangul Word Processor) file, HWPX +!:mime application/x-hwp+zip +!:ext hwpx + # 
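Review bot: The `with APK Signing Block` suffix reports presence only, and the rule should say so in a comment. Each `-22` / `(-6.l-16)` pair follows the central-directory offset stored in the file and compares 16 bytes against `APK\x20Sig\x20Block\x2042`; nothing about the signature is validated, and both the offset and the magic are file-controlled. The `-22` anchor also assumes the end-of-central-directory record has no archive comment, so a commented archive silently loses the suffix. Suggested comment above the first pair: `# presence check only: the signing block is not validated; EOCD assumed at -22 (empty ZIP comment)`. It applies equally to the final `>0 default x` fallback, which labels any ZIP with that marker as an APK.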
From: Joerg Jenderek # URL: http://en.wikipedia.org/wiki/CorelDRAW # NOTE: version; til 2 WL-based; from 3 til 13 by ./riff; from 14 zip based @@ -1639,9 +1930,10 @@ >>>38 regex [!-OQ-~]+ Zip data (MIME type "%s"?) !:mime application/zip -# Java Jar files +# Java Jar files (see also APK files above) >(26.s+30) leshort 0xcafe Java archive data (JAR) !:mime application/java-archive +!:ext jar # iOS App >(26.s+30) leshort !0xcafe 
@@ -1674,16 +1966,116 @@ >8 belong x \b, size %d # Zoo archiver -20 lelong 0xfdc4a7dc Zoo archive data +# Update: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Zoo_(file_format) +# http://fileformats.archiveteam.org/wiki/Zoo +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-zoo-strict.trid.xml +# http://distcache.freebsd.org/ports-distfiles/zoo-2.10pl1.tar.gz/zoo.h +# Note: called "ZOO compressed archive (strict)" by TrID and "ZOO Compressed Archive" by DROID via PUID x-fmt/269 +# verified by command like `deark -m zoo -l -d2 WHRCGA.ZOO` +20 lelong 0xfdc4a7dc +# skip DROID x-fmt-269-signature-id-621.zoo by looking for valid major version to manipulate archive +>32 byte >0 Zoo archive data !:mime application/x-zoo ->4 byte >48 \b, v%c. ->>6 byte >47 \b%c ->>>7 byte >47 \b%c ->32 byte >0 \b, modify: v%d ->>33 byte x \b.%d+ ->42 lelong 0xfdc4a7dc \b, ->>70 byte >0 extract: v%d ->>>71 byte x \b.%d+ +# bak is extension of backup-ed zoo +!:ext zoo/bak +# version in text form like: 1.50 2.00 2.10 +>>4 byte >48 \b, v%c. +>>>6 byte >47 \b%c +>>>>7 byte >47 \b%c +# ZOO files typically start with "ZOO ?.?? 
Archive.", followed by the bytes 0x1a 0x0 0x0; not used by Zoo and they may be anything +>>8 string !\040Archive.\032 \b, at 8 +>>>8 string x text "%0.10s" +# major_ver.minor_ver; minimum version needed to manipulate archive like: 1.0 2.0 +>>32 byte >0 \b, modify: v%d +>>>33 byte x \b.%d+ +# major_ver.minor_ver; minimum version needed to extract after modify like in old versions +>>(24.l+28) ubyte x \b, extract: v%u +>>(24.l+29) ubyte x \b.%u+ +# with zoo 2.00 additional fields have been added in the archive header +>>32 byte >1 +# type; type of archive header like: 1 2 +>>>34 ubyte !1 \b, header type %u +# acmt_pos; position of archive comment like: 6258 30599 61369 149501 +>>>35 lelong >0 \b, at %d +# acmt_len; length of archive comment like: 258 +>>>>39 uleshort x %u bytes comment +#>>>>(35.l) ubequad x COMMENT=%16.16llx +# 1st character of comment maybe is CarriageReturn (0x0d) +>>>>(35.l) ubyte <040 +# 2nd character of comment maybe is LineFeed (0x0a) +>>>>>(35.l+1) ubyte <040 +# comment string after CRLF like "Anonymous ftp site garbo.uwasa.fi 128.214.87.1 moderated by" +>>>>>>(35.l+2) string x %s +# next character of remaining comment maybe is CarriageReturn (0x0d) +>>>>>>>&0 ubyte <040 +>>>>>>>>&0 ubyte <040 +# 2nd comment part like: Timo Salmi ts@chyde.uwasa.fi PC directories and uploads\015\012Harri Valkama hv@chyde.uwasa.fi PC, Mac, Unix files, and upload +>>>>>>>>>&0 string >037 %s +# vdata; archive-level versioning byte like: 1 3 +>>>41 ubyte !1 \b, vdata %#x +# zoo_start; pointer to 1st entry header +>>24 lelong x \b; at %u +# zoo_minus; zoo_start -1 for consistency checking +#>>28 lelong x \b, zoo_minus %#x +# zoo_tag; tag for check +#>>(24.l+0) ulelong !0xfdc4a7dc \b, zoo_tag=%8.8x +# type; type of directory entry like: 1 2 +>>(24.l+4) ubyte !2 type=%u +# packing_method; 0~no packing 1~normal LZW 2~lzh +>>(24.l+5) ubyte x method= +>>>(24.l+5) ubyte 0 \bnot-compressed +>>>(24.l+5) ubyte 1 \blzd +>>>(24.l+5) ubyte 2 \blzh +# next; position of next 
directory entry +>>(24.l+6) ulelong x \b, next entry at %u +# offset; position of file data for this entry +#>>(24.l+10) ulelong x \b, data at %u +# file_crc; CRC-16 of file data +>>(24.l+18) uleshort x \b, CRC %#4.4x +# comment; zero if none or points to entry comment like ADD9h (WHRCGA.ZOO) +>>(24.l+32) lelong >0 \b, at %#x +# cmt_size; if not 0 for none then length of entry comment like: 46 +>>>(24.l+36) uleshort >0 %u bytes comment +# entry comment itself like: "CGA .GL file showing menu input from keyboard" +>>>>(&-6.l) string x "%s" +# org_size; original size of file +>>(24.l+20) ulelong x \b, size %u +# size_now; compressed size of file +>>(24.l+24) ulelong x (%u compressed) +# major_ver.minor_ver; minimum version needed to extract already done +# deleted; will be 1 if deleted, 0 if not +>>(24.l+30) ubyte =1 \b, deleted +# struc; file structure if any; WHAT IS THAT? +>>(24.l+31) ubyte !0 \b, structured +# fname[13]; short/DOS file name like 12345678.012 +>>(24.l+38) string x \b, %0.13s +# for directory entry type 2 with variable part +>>(24.l+4) ubyte =2 +# var_dir_len; length of variable part of dir entry +>>>(24.l+51) uleshort >0 +#>>>(24.l+51) uleshort >0 \b, variable part length %u +# namlen; length of long filename +#>>>>(24.l+56) ubyte x \b, namlen %u +# dirlen; length of directory name +#>>>>(24.l+57) ubyte x \b, dirlen %u +# if file length positive then show long file name +>>>>(24.l+56) ubyte >0 +# lfname[256]; long file name \0-terminated +>>>>>(24.l+58) string x "%s" +# if directory length positive then jump before file name field and then jump this addtional length plus 2 (\0-terminator + dirlen field) to following directory name +>>>>(24.l+57) ubyte >0 +>>>>>(24.l+55) ubyte x +# dirname[256]; directory name \0-terminated +>>>>>>&(&0.b+2) string x in "%s" +# dir_crc; CRC of directory entry +#>>>(24.l+54) uleshort x \b, entry CRC %#4.4x +# tz; timezone where file was archived; 7Fh~unknown 4~1.00hoursWestOfUTC 12 16 20~5.00hoursWestOfUTC 
-107~26.75hoursEastOfUTC -4~1.00hoursEastOfUTC +>>>(24.l+53) byte !0x7f \b, time zone %d/4 +# date; last mod file date in DOS format +>>>(24.l+14) lemsdosdate x \b, modified %s +# time; last mod file time in DOS format +>>>(24.l+16) lemsdostime x %s # Shell archives 10 string #\ This\ is\ a\ shell\ archive shell archive text @@ -1789,6 +2181,19 @@ !:mime application/zip !:ext zip/cbz +# Recognize ZIP archives with prepended data by end-of-central-directory record +# https://en.wikipedia.org/wiki/ZIP_(file_format)#End_of_central_directory_record_(EOCD) +# by Michal Gorny <mgorny@gentoo.org> +-2 uleshort 0 +>&-22 string PK\005\006 +# without #! +>>0 string !#! Zip archive, with extra data prepended +!:mime application/zip +!:ext zip/cbz +# with #! +>>0 string/w #!\ a +>>>&-1 string/T x %s script executable (Zip archive) + # ACE archive (from http://www.wotsit.org/download.asp?f=ace) # by Stefan `Sec` Zehl <sec@42.org> 7 string **ACE** ACE archive data 
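Review bot: Every `(24.l+N)` test in the Zoo hunk dereferences zoo_start from the file and prints what it finds, but the only validation of the target, the zoo_tag line `#>>(24.l+0) ulelong !0xfdc4a7dc`, is commented out. The removed rule did test `42 lelong 0xfdc4a7dc` before printing the extract version, so the new code drops a check. Gate the entry fields with `>>(24.l) ulelong 0xfdc4a7dc` and nest the `(24.l+4)` through `(24.l+57)` lines one level beneath it; the relative `&` offsets keep their immediate parents but should be re-checked after re-levelling. A truncated or crafted header then yields only the archive-level description rather than method, CRC, sizes and names read from an arbitrary offset.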
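Review bot: The `#!` branch at the end of the prepended-data hunk sets no `!:mime` or `!:ext`, while the sibling `!#!` branch tags the same container as `application/zip`. What `--mime-type` reports for a shebang-prefixed archive is therefore left to other entries, which matters to upload filters and scanners that decide whether to unpack based on the MIME string. If the container type is what consumers should see, add `!:mime application/zip` under `>>>&-1 string/T x`; if the script type is intended, state that in a comment. A comment should also record that `-2 uleshort 0` only matches an end-of-central-directory record with an empty archive comment, so a commented archive is not recognised by this entry.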
@@ -2033,7 +2438,28 @@ >3 byte x version %d # LyNX archive +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Lynx_archive +# Reference: http://ist.uwaterloo.ca/~schepers/formats/LNX.TXT +# http://mark0.net/download/triddefs_xml.7z/defs/a/ark-lnx.trid.xml +# Note: called "Lynx archive" by TrID and "Commodore C64 BASIC program" with "POKE 53280" by ./c64 +# TODO: merge and unify with Commodore C64 BASIC program 56 string USE\040LYNX\040TO\040DISSOLVE\040THIS\040FILE LyNX archive +# display "Lynx archive" (strength=330) before Commodore C64 BASIC program (strength=50) handled by ./c64 +#!:strength +0 +#!:mime application/octet-stream +!:mime application/x-commodore-lnx +!:ext lnx +# afterwards look for BASIC tokenized GOTO (89h) 10, line terminator \0, end of programm tag \0\0 and CarriageReturn +>86 search/10 \x8910\0\0\0\r \b, +# for DEBUGGING +#>>&0 string x STRING="%s" +# number in ASCII of directory blocks with spaces on both sides like: 1 2 3 5 +>>&0 regex [0-9]{1,5} %s directory blocks +# signature like: "*LYNX XII BY WILL CORLEY" " LYNX IX BY WILL CORLEY" "*LYNX BY CBMCONVERT 2.0*" +>>>&2 regex [^\r]{1,24} \b, signature "%s" +# number of files in ASCII surrounded by spaces and delimited by CR like: 2 3 6 13 69 144 (maximum?) +>>>>&1 regex [0-9]{1,3} \b, %s files # From: Joerg Jenderek # URL: https://www.acronis.com/ @@ -2066,6 +2492,7 @@ # https://gitweb.gentoo.org/proj/portage.git/tree/man/xpak.5 -4 string STOP >-16 string XPAKSTOP Gentoo binary package (XPAK) +!:mime application/vnd.gentoo.xpak # From: Joerg Jenderek # URL: https://kodi.wiki/view/TexturePacker @@ -2110,3 +2537,71 @@ # From wof (wof@stachelkaktus.net) 0 string Unison\ archive\ format Unison archive format + +# https://ankiweb.net +30 string collection.anki2 Anki APKG file +#!:ext .apkg + +# Synology archive (DiskStation Manager 7.0+) +# 
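Review bot: The three `regex` tests added under `>86 search/10` in the LyNX hunk have no `/length` limit, unlike the `regex/4006` and `regex/1024` entries elsewhere in this commit. Each one scans as far as the engine's default window instead of the short directory header the comments describe. On a file that merely carries the LyNX banner at offset 56, `[0-9]{1,5}` takes the first digits it meets anywhere in that window and prints them as the block count. Bounding each test keeps the output tied to the header and the cost predictable on untrusted input, e.g. `>>&0 regex/16 [0-9]{1,5} %s directory blocks`, with the range confirmed against the samples.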
From: Alexandre Iooss <erdnaxe@crans.org> +# Note: These archives are signed and encrypted. +0 ulelong&0xFFFFFF00 0xEFBEAD00 +# MessagePack header (fixarray of 5 elements starting with a bin of 32 bytes) +>8 ulelong&0x00FFFFFF 0x20C495 Synology archive +!:ext spk +# Extract some properties from MessagePack third item +>>43 search/0x10000 package= +>>>&0 string x \b, package %s +>>43 search/0x10000 arch= +>>>&0 string x %s +>>43 search/0x10000 version= +>>>&0 string x %s +>>43 search/0x10000 create_time= +>>>&0 string x \b, created on %s + +# MonoGame/XNA processed assets archive +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/MonoGame/MonoGame/blob/v3.8.1/MonoGame.Framework/Content/ContentManager.cs +0 string XNB +# XNB must be version 4 or 5 +>4 byte <6 +>>4 byte >3 +# Size must be positive +>>>6 lelong >0 MonoGame/XNA processed assets +!:ext xnb +>>>>3 string =w \b, for Windows +>>>>3 string =x \b, for Xbox360 +>>>>3 string =i \b, for iOS +>>>>3 string =a \b, for Android +>>>>3 string =d \b, for DesktopGL +>>>>3 string =X \b, for MacOSX +>>>>3 string =W \b, for WindowsStoreApp +>>>>3 string =n \b, for NativeClient +>>>>3 string =M \b, for WindowsPhone8 +>>>>3 string =r \b, for RaspberryPi +>>>>3 string =P \b, for PlayStation4 +>>>>3 string =5 \b, for PlayStation5 +>>>>3 string =O \b, for XboxOne +>>>>3 string =S \b, for Nintendo Switch +>>>>3 string =G \b, for Google Stadia +>>>>3 string =b \b, for WebAssembly and Bridge.NET +>>>>3 string =m \b, for WindowsPhone7.0 (XNA) +>>>>3 string =p \b, for PlayStationMobile +>>>>3 string =v \b, for PSVita +>>>>3 string =g \b, for Windows (OpenGL) +>>>>3 string =l \b, for Linux +>>>>4 byte x \b, version %d +>>>>5 byte &0x80 \b, LZX compressed +>>>>>10 lelong x \b, decompressed size: %d bytes +>>>>5 byte &0x40 \b, LZ4 compressed +>>>>>10 lelong x \b, decompressed size: %d bytes + +# Electron ASAR archive +# 
From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/electron/asar +0 ulelong 4 +# Match JSON header start and end +>16 string {"files":{" +>>(12.l+12) string }}}} Electron ASAR archive +!:ext asar +>>>12 ulelong x \b, header length: %d bytes diff --git a/magic/Magdir/arm b/magic/Magdir/arm index b40f213cbfb4..c514320354e6 100644 --- a/magic/Magdir/arm +++ b/magic/Magdir/arm @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: arm,v 1.2 2021/07/14 17:40:31 christos Exp $ +# $File: arm,v 1.3 2022/10/31 14:35:39 christos Exp $ # arm: file(1) magic for ARM COFF # # https://docs.microsoft.com/en-us/windows/win32/debug/pe-format @@ -39,3 +39,12 @@ # display name+variables+flags for common object formatted files >>0 use display-coff !:strength -10 + +# ARM64EC +0 leshort 0xa641 +# test for unused flag bits in f_flags +>18 uleshort&0x8E80 0 +# use little endian variant of subroutine to +# display name+variables+flags for common object formatted files +>>0 use display-coff +!:strength -10 diff --git a/magic/Magdir/asf b/magic/Magdir/asf index 9f274ede2ff8..744a0afc2ca9 100644 --- a/magic/Magdir/asf +++ b/magic/Magdir/asf @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: asf,v 1.3 2022/04/25 17:33:13 christos Exp $ +# $File: asf,v 1.4 2022/10/31 13:22:26 christos Exp $ # asf: file(1) magic for Microsoft Advanced Systems Format (ASF) files # http://www.staroceans.org/e-book/ASF_Specification.pdf @@ -21,7 +21,7 @@ # ASF_Stream_Properties_Object >0 guid B7DC0791-A9B7-11CF-8EE6-00C00C205365 #>>56 lequad x Time Offset %lld -#>>64 lelong x Type-Specicic Data Length %d +#>>64 lelong x Type-Specific Data Length %d #>>68 lelong x Error Correction Data Length %d #>>72 leshort x Flags %#x #>>74 lelong x Reserved %x diff --git a/magic/Magdir/audio b/magic/Magdir/audio index 0328f7ba5e44..55c5cd0ad20e 100644 --- a/magic/Magdir/audio +++ b/magic/Magdir/audio 
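Review bot: The Anki entry at the top of this hunk tests only `30 string collection.anki2`, with no check that offset 0 holds a ZIP local file header. Any file carrying that text at offset 30 is therefore reported as an APKG, whereas the APK entry added earlier in this file starts from `PK\003\004`. Anchor it the same way: `0 string PK\003\004` followed by `>30 string collection.anki2 Anki APKG file`. The commented `#!:ext .apkg` has a leading dot that the other `!:ext` lines in the file do not use, so it should read `apkg` if it is ever enabled.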
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: audio,v 1.124 2022/08/28 08:58:20 christos Exp $ +# $File: audio,v 1.127 2023/03/05 20:15:49 christos Exp $ # audio: file(1) magic for sound formats (see also "iff") # # Jan Nicolai Langfeldt (janl@ifi.uio.no), Dan Quinlan (quinlan@yggdrasil.com), @@ -183,42 +183,57 @@ 21 string BMOD2STM Screamtracker 2 module sound data !:mime audio/x-mod #audio/x-screamtracker-module + +1080 string \!PM! 4-channel Protracker module sound data +!:mime audio/x-mod +#audio/x-protracker-module +>0 string >\0 Title: "%s" + 1080 string M.K. 4-channel Protracker module sound data !:mime audio/x-mod #audio/x-protracker-module >0 string >\0 Title: "%s" + 1080 string M!K! 4-channel Protracker module sound data !:mime audio/x-mod #audio/x-protracker-module >0 string >\0 Title: "%s" + 1080 string FLT4 4-channel Startracker module sound data !:mime audio/x-mod #audio/x-startracker-module >0 string >\0 Title: "%s" + 1080 string FLT8 8-channel Startracker module sound data !:mime audio/x-mod #audio/x-startracker-module >0 string >\0 Title: "%s" + 1080 string 4CHN 4-channel Fasttracker module sound data !:mime audio/x-mod #audio/x-fasttracker-module >0 string >\0 Title: "%s" + 1080 string 6CHN 6-channel Fasttracker module sound data !:mime audio/x-mod #audio/x-fasttracker-module >0 string >\0 Title: "%s" + 1080 string 8CHN 8-channel Fasttracker module sound data !:mime audio/x-mod #audio/x-fasttracker-module >0 string >\0 Title: "%s" + 1080 string CD81 8-channel Octalyser module sound data !:mime audio/x-mod #audio/x-octalysertracker-module >0 string >\0 Title: "%s" + 1080 string OKTA 8-channel Octalyzer module sound data !:mime audio/x-mod #audio/x-octalysertracker-module >0 string >\0 Title: "%s" + # Not good enough. #1082 string CH #>1080 string >/0 %.2s-channel Fasttracker "oktalyzer" module sound data 
diff --git a/magic/Magdir/blender b/magic/Magdir/blender index 276242eab02f..5a897113e092 100644 --- a/magic/Magdir/blender +++ b/magic/Magdir/blender @@ -1,13 +1,24 @@ #------------------------------------------------------------------------------ -# $File: blender,v 1.8 2019/04/19 00:42:27 christos Exp $ +# $File: blender,v 1.9 2022/12/21 15:53:27 christos Exp $ # blender: file(1) magic for Blender 3D related files # # Native format rule v1.2. For questions use the developers list # https://lists.blender.org/mailman/listinfo/bf-committers # GLOB chunk was moved near start and provides subversion info since 2.42 - +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/BLEND +# http://www.blender.org/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/blend.trid.xml +# http://formats.kaitai.io/blender_blend/index.html +# Note: called "Blender 3D data" by TrID +# and gzip compressed variant handled by ./compress 0 string =BLENDER Blender3D, +#!:mime application/octet-stream +!:mime application/x-blender +!:ext blend +# no sample found with extension blender +#!:ext blend/blender >7 string =_ saved as 32-bits >>8 string =v little endian >>>9 byte x with version %c. diff --git a/magic/Magdir/bytecode b/magic/Magdir/bytecode index 94fb8b38cb03..dca961c26431 100644 --- a/magic/Magdir/bytecode +++ b/magic/Magdir/bytecode @@ -1,6 +1,6 @@ #------------------------------------------------------------ -# $File: bytecode,v 1.3 2022/03/24 15:48:58 christos Exp $ +# $File: bytecode,v 1.5 2023/02/20 16:25:05 christos Exp $ # magic for various bytecodes # From: Mikhail Gusarov <dottedmag@dottedmag.net> @@ -28,3 +28,14 @@ >11 string 4 \b, 32bit >11 string 8 \b, 64bit >13 regex .\\.. \b, bytecode v%s + +# Racket file magic +# 
From: Haelwenn (lanodan) Monnier <contact+libmagic@hacktivis.me> +# https://racket-lang.org/ +# https://github.com/racket/racket/blob/master/racket/src/expander/compile/write-linklet.rkt +0 string #~ +>&0 pstring x +>>&0 pstring racket +>>>0 string #~ Racket bytecode +>>>>&0 pstring x (version %s) + diff --git a/magic/Magdir/c-lang b/magic/Magdir/c-lang index 6500d37822c1..6e375a06a7e6 100644 --- a/magic/Magdir/c-lang +++ b/magic/Magdir/c-lang @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: c-lang,v 1.30 2021/08/16 10:17:05 christos Exp $ +# $File: c-lang,v 1.32 2023/06/16 19:57:19 christos Exp $ # c-lang: file(1) magic for C and related languages programs # # The strength is to beat standard HTML @@ -17,7 +17,7 @@ >>0 regex \^class[[:space:]]+ >>>&0 regex \\{[\.\*]\\}(;)?$ \b++ >>&0 clear x source text -!:strength + 13 +!:strength + 15 !:mime text/x-c 0 search/8192 pragma >0 regex \^#[[:space:]]*pragma C source text @@ -88,13 +88,13 @@ !:strength + 30 !:mime text/x-c++ 0 search/8192 protected ->0 regex \^[[:space:]]*protected: C++ source text +>0 regex \^[[:space:]]*protected: C++ source text !:strength + 30 !:mime text/x-c++ # Objective-C 0 search/8192 #import ->0 regex \^#import Objective-C source text +>0 regex \^#import[[:space:]]+["<] Objective-C source text !:strength + 25 !:mime text/x-objective-c diff --git a/magic/Magdir/c64 b/magic/Magdir/c64 index 9a635aedc978..6c8732090ff3 100644 --- a/magic/Magdir/c64 +++ b/magic/Magdir/c64 @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: c64,v 1.12 2022/05/14 20:03:39 christos Exp $ +# $File: c64,v 1.14 2023/06/16 19:24:06 christos Exp $ # c64: file(1) magic for various commodore 64 related files # # From: Dirk Jagdmann <doj@cubic.org> 
@@ -194,7 +194,356 @@ >100 byte >0 \b, %u subsong(s) # CBM BASIC (cc65 compiled) +# Summary: binary executable or Basic program for Commodore C64 computers +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Commodore_BASIC_tokenized_file +# Reference: https://www.c64-wiki.com/wiki/BASIC_token +# https://github.com/thezerobit/bastext/blob/master/bastext.doc +# http://mark0.net/download/triddefs_xml.7z/defs/p/prg-c64.trid.xml +# TODO: unify Commodore BASIC/program sub routines +# Note: "PUCrunch archive data" moved from ./archive and merged with c64-exe 0 leshort 0x0801 ->2 leshort 0x080b ->6 string \x9e CBM BASIC ->7 string >\0 \b, SYS %s +# display Commodore C64 BASIC program (strength=50) after "Lynx archive" (strength=330) handled by ./archive +#!:strength +0 +# if first token is not SYS this implies BASIC program in most cases +>6 ubyte !0x9e +# but sELF-ExTRACTING-zIP executable unzp6420.prg contains SYS token at end of second BASIC line (at 0x35) +>>23 search/30 \323ELF-E\330TRACTING-\332IP +>>>0 use c64-exe +>>23 default x +>>>0 use c64-prg +# if first token is SYS this implies binary executable +>6 ubyte =0x9e +>>0 use c64-exe +# display information about C64 binary executable (memory address, line number, token) +0 name c64-exe +>0 uleshort x Commodore C64 +# http://a1bert.kapsi.fi/Dev/pucrunch/ +# start address 0801h; next offset 080bh; BASIC line number is 239=00EFh; BASIC instruction is SYS 2061 +# the above combination appartly also occur for other Commodore programs like: gunzip111.c64.prg +# and there exist PUCrunch archive for other machines like C16 with other magics +>0 string \x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 program, probably PUCrunch archive data +!:mime application/x-compress-pucrunch +!:ext prg/pck +>0 string !\x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 program +!:mime application/x-commodore-exec +!:ext prg/ +# start address like: 801h +>0 uleshort !0x0801 \b, start address %#4.4x +# 1st BASIC fragment +>2 
use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x800) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# valid 2nd BASIC fragment found only in sELF-ExTRACTING-zIP executable unzp6420.prg +>>23 search/30 \323ELF-E\330TRACTING-\332IP +# jump again from beginning +>>>(2.s-0x800) ubyte x +>>>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about tokenized C64 BASIC program (memory address, line number, token) +0 name c64-prg +>0 uleshort x Commodore C64 BASIC program +!:mime application/x-commodore-basic +# Tokenized BASIC programs were stored by Commodore as file type program "PRG" in separate field in directory structures. +# So file name can have no suffix like in saveroms; When transferring to other platforms, they are often saved with .prg extensions. +# BAS suffix is typically used for the BASIC source but also found in program pods.bas +!:ext prg/bas/ +# start address like: 801h +>0 uleshort !0x0801 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x0800) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# 2nd BASIC fragment +>>&0 use basic-line +# zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# Summary: binary executable or Basic program for Commodore C128 computers +# URL: https://en.wikipedia.org/wiki/Commodore_128 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/prg-c128.trid.xml +# 
From: Joerg Jenderek +# Note: Commodore 128 BASIC 7.0 variant; there exist varaints with different start addresses +0 leshort 0x1C01 +!:strength +1 +# GRR: line above with strength 51 (50+1) is too generic because it matches SVr3 curses screen image, big-endian with strength (50) handled by ./terminfo +# probably skip SVr3 curses images with "invalid high" second line offset +>2 uleshort <0x1D02 +# skip foo with "invalid low" second line offset +>>2 uleshort >0x1C06 +# if first token is not SYS this implies BASIC program +>>>6 ubyte !0x9e +>>>>0 use c128-prg +# if first token is SYS this implies binary executable +>>>6 ubyte =0x9e +>>>>0 use c128-exe +# Summary: binary executable or Basic program for Commodore C128 computers +# Note: Commodore 128 BASIC 7.1 extension by Rick Simon +# start adress 132Dh +#0 leshort 0x132D THIS_IS_C128_7.1 +#>0 use c128-prg +# Summary: binary executable or Basic program for Commodore C128 computers +# Note: Commodore 128 BASIC 7.0 saved with graphics mode enabled +# start adress 4001h +#0 leshort 0x4001 THIS_IS_C128_GRAPHIC +#>0 use c128-prg +# display information about tokenized C128 BASIC program (memory address, line number, token) +0 name c128-prg +>0 uleshort x Commodore C128 BASIC program +!:mime application/x-commodore-basic +!:ext prg +# start address like: 1C01h +>0 uleshort !0x1C01 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x1C00) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# 2nd BASIC fragment +>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about C128 program (memory address, line number, token) +0 name c128-exe +>0 uleshort x Commodore C128 program +!:mime application/x-commodore-exec +!:ext prg/ +# start 
address like: 1C01h +>0 uleshort !0x1C01 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x1C00) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# no valid 2nd BASIC fragment in Commodore executables +#>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# Summary: binary executable or Basic program for Commodore C16/VIC-20/Plus4 computers +# URL: https://en.wikipedia.org/wiki/Commodore_Plus/4 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/prg-vic20.trid.xml +# defs/p/prg-plus4.trid.xml +# 
From: Joerg Jenderek +# Note: there exist VIC-20 variants with different start address +# GRR: line below is too generic because it matches Novell LANalyzer capture +# with regular trace header record handled by ./sniffer +0 leshort 0x1001 +# skip regular Novell LANalyzer capture (novell-2.tr1 novell-lanalyzer.tr1 novell-win10.tr1) with "invalid low" token value 54h +>6 ubyte >0x7F +# skip regular Novell LANalyzer capture (novell-2.tr1 novell-lanalyzer.tr1 novell-win10.tr1) with "invalid low" second line offset 4Ch +#>>2 uleshort >0x1006 OFFSET_NOT_TOO_LOW +# skip foo with "invalid high" second line offset but not for 0x123b (Minefield.prg) +#>>>2 uleshort <0x1102 OFFSET_NOT_TOO_HIGH +# if first token is not SYS this implies BASIC program +>>6 ubyte !0x9e +# valid second end of line separator implies BASIC program +>>>(2.s-0x1000) ubyte =0 +>>>>0 use c16-prg +# invalid second end of line separator !=0 implies binary executable like: Minefield.prg +>>>(2.s-0x1000) ubyte !0 +>>>>0 use c16-exe +# if first token is SYS this implies binary executable +>>6 ubyte =0x9e +>>>0 use c16-exe +# display information about C16 program (memory address, line number, token) +0 name c16-exe +>0 uleshort x Commodore C16/VIC-20/Plus4 program +!:mime application/x-commodore-exec +!:ext prg/ +# start address like: 1001h +>0 uleshort !0x1001 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x1000) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# no valid 2nd BASIC fragment in excutables +#>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about tokenized C16 BASIC program (memory address, line number, token) +0 name c16-prg +>0 uleshort x Commodore C16/VIC-20/Plus4 BASIC program +!:mime 
application/x-commodore-basic +!:ext prg +# start address like: 1001h +>0 uleshort !0x1001 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x1000) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# 2nd BASIC fragment +>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# Summary: binary executable or Basic program for Commodore VIC-20 computer with 8K RAM expansion +# URL: https://en.wikipedia.org/wiki/VIC-20 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/prg-vic20-8k.trid.xml +# 
From: Joerg Jenderek +# Note: Basic v2.0 with Basic v4.0 extension (VIC20); there exist VIC-20 variants with different start addresses +# start adress 1201h +0 leshort 0x1201 +# if first token is not SYS this implies BASIC program +>6 ubyte !0x9e +>>0 use vic-prg +# if first token is SYS this implies binary executable +>6 ubyte =0x9e +>>0 use vic-exe +# display information about Commodore VIC-20 BASIC+8K program (memory address, line number, token) +0 name vic-prg +>0 uleshort x Commodore VIC-20 +8K BASIC program +!:mime application/x-commodore-basic +!:ext prg +# start address like: 1201h +>0 uleshort !0x1201 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x1200) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# 2nd BASIC fragment +>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about Commodore VIC-20 +8K program (memory address, line number, token) +0 name vic-exe +>0 uleshort x Commodore VIC-20 +8K program +!:mime application/x-commodore-exec +!:ext prg/ +# start address like: 1201h +>0 uleshort !0x1201 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x0400) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# no valid 2nd BASIC fragment in excutables +#>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# Summary: binary executable or Basic program for Commodore PET computers +# URL: https://en.wikipedia.org/wiki/Commodore_PET +# Reference: 
http://mark0.net/download/triddefs_xml.7z/defs/p/prg-pet.trid.xml +# 
From: Joerg Jenderek +# start adress 0401h +0 leshort 0x0401 +!:strength +1 +# GRR: line above with strength 51 (50+1) is too generic because it matches TTComp archive data, ASCII, 1K dictionary +# (strength=48=50-2) handled by ./archive and shared library (strength=50) handled by ./ibm6000 +# skip TTComp archive data, ASCII, 1K dictionary ttcomp-ascii-1k.bin with "invalid high" second line offset 4162h +>2 uleshort <0x0502 +# skip foo with "invalid low" second line offset +#>>2 uleshort >0x0406 OFFSET_NOT_TOO_LOW +# skip bar with "invalid end of line" +#>>>(2.s-0x0400) ubyte =0 END_OF_LINE_OK +# if first token is not SYS this implies BASIC program +>>6 ubyte !0x9e +>>>0 use pet-prg +# if first token is SYS this implies binary executable +>>6 ubyte =0x9e +>>>0 use pet-exe +# display information about Commodore PET BASIC program (memory address, line number, token) +0 name pet-prg +>0 uleshort x Commodore PET BASIC program +!:mime application/x-commodore-basic +!:ext prg +# start address like: 0401h +>0 uleshort !0x0401 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x0400) ubyte x +# 2nd BASIC fragment +>>&0 use basic-line +# zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about Commodore PET program (memory address, line number, token) +0 name pet-exe +>0 uleshort x Commodore PET program +!:mime application/x-commodore-exec +!:ext prg/ +# start address like: 0401h +>0 uleshort !0x0401 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x0400) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# no valid 2nd BASIC fragment in excutables +#>>&0 use basic-line +# Zero-byte 
marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about tokenized BASIC line (memory address, line number, Token) +0 name basic-line +# pointer to memory address of beginning of "next" BASIC line +# greater then previous offset but maximal 100h difference +>0 uleshort x \b, offset %#4.4x +# offset 0x0000 indicates the end of BASIC program; so bytes afterwards may be some other data +>0 uleshort 0 +# not line number but first 2 data bytes +>>2 ubeshort x \b, data %#4.4x +# not token but next 2 data bytes +>>4 ubeshort x \b%4.4x +# not token arguments but next data bytes +>>6 ubequad x \b%16.16llx +>>14 ubequad x \b%16.16llx... +# like 0x0d20352020204c594e5820495820204259205749 "\r 5 LYNX IX BY WILL CORLEY" for LyNX archive Darkon.lnx handled by ./archive +#>>3 string x "%-0.30s" +>0 uleshort >0 +# BASIC line number with range from 0 to 65520; practice to increment numbers by some value (5, 10 or 100) +>>2 uleshort x \b, line %u +# https://www.c64-wiki.com/wiki/BASIC_token +# The "high-bit" bytes from #128-#254 stood for the various BASIC commands and mathematical operators +>>4 ubyte x \b, token (%#x) +# https://www.c64-wiki.com/wiki/REM +>>4 string \x8f REM +# remark string like: ** SYNTHESIZER BY RICOCHET ** +>>>5 string >\0 %s +#>>>>&1 uleshort x \b, NEXT OFFSET %#4.4x +# https://www.c64-wiki.com/wiki/PRINT +>>4 string \x99 PRINT +# string like: "Hello world" "\021 \323ELF-E\330TRACTING-\332IP (64 ONLY)\016\231":\2362141 +>>>5 string x %s +#>>>>&0 ubequad x AFTER_PRINT=%#16.16llx +# https://www.c64-wiki.com/wiki/POKE +>>4 string \x97 POKE +# <Memory address>,<number> +>>>5 regex \^[0-9,\040]+ %s +# BASIC command delimiter colon (:=3Ah) +>>>>&-2 ubyte =0x3A +# after BASIC command delimiter colon remaining (<255) other tokenized BASIC commands +>>>>>&0 string x "%s" +# https://www.c64-wiki.com/wiki/SYS 
0x9e=\236 +>>4 string \x9e SYS +# SYS <Address> parameter is a 16-bit unsigned integer; in the range 0 - 65535 +>>>5 regex \^[0-9]{1,5} %s +# maybe followed by spaces, "control-characters" or colon (:) followed by next commnds or in victracker.prg +# (\302(43)\252256\254\302(44)\25236) /T.L.R/ +#>>>5 string x SYS_STRING="%s" +# https://www.c64-wiki.com/wiki/GOSUB +>>4 string \x8d GOSUB +# <line> +>>>5 string >\0 %s diff --git a/magic/Magdir/cad b/magic/Magdir/cad index 46a35497c2f2..0bead6eeb483 100644 --- a/magic/Magdir/cad +++ b/magic/Magdir/cad @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: cad,v 1.29 2021/12/06 19:33:27 christos Exp $ +# $File: cad,v 1.31 2022/12/09 15:36:23 christos Exp $ # autocad: file(1) magic for cad files # 
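Review bot: In the new `vic-exe` block the end-of-line probe is `>(2.s-0x0400) ubyte x`, but this entry is only reached from `0 leshort 0x1201`, and the sibling `vic-prg` block subtracts `0x1200`. The `0x0400` base looks copied from the PET entries. As written, the indirect offset lands roughly 0xE00 bytes past the intended byte, so the `no EOL=%#x` text is either never printed or reports an unrelated byte. The line should read `>(2.s-0x1200) ubyte x`. Every `(2.s-BASE)` probe in this hunk takes its offset from a 16-bit pointer stored in the file, so a one-line comment noting that the pointer is untrusted and that the test relies on libmagic's own bounds check would also help.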
@@ -301,18 +301,50 @@ # https://docs.techsoft3d.com/visualize/3df/latest/build/general/hsf/\ # HSF_architecture.html # Stephane Charette <stephane.charette@gmail.com> -0 string ;;\020HSF\020V OpenHSF (Hoops Stream Format) ->7 regex/9 V[.0-9]{4,5}\020 %s +0 string ;;\040HSF\040V OpenHSF (Hoops Stream Format) +>7 regex/9 V[.0-9]{4,5}\040 %s !:ext hsf # AutoCAD Drawing Exchange Format +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/DXF +# https://en.wikipedia.org/wiki/AutoCAD_DXF +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/ +# dxf-var0.trid.xml dxf-var0u.trid.xml dxf-var2.trid.xml dxf-var2u.trid.xml +# Note: called "AutoCAD Drawing eXchange Format" by TrID and +# "Drawing Interchange File Format (ASCII)" by DROID +# GRR: some samples does not match 1st test like: abydos.dxf 0 regex \^[\ \t]*0\r?\000$ >1 regex \^[\ \t]*SECTION\r?$ >>2 regex \^[\ \t]*2\r?$ +# GRR: some samples without HEADER section like: airplan2.dxf >>>3 regex \^[\ \t]*HEADER\r?$ AutoCAD Drawing Exchange Format -!:mime application/x-dxf +#!:mime application/x-dxf +!:mime image/vnd.dxf !:ext dxf +# DROID PUID fmt/64 fmt-64-signature-id-99.dxf +>>>>&1 search/8192 MC0.0 \b, 1.0 +# DROID PUID fmt/65 fmt-65-signature-id-100.dxf +>>>>&1 search/8192 AC1.2 \b, 1.2 +# DROID PUID fmt/66 fmt-66-signature-id-101.dxf +>>>>&1 search/8192 AC1.3 \b, 1.3 +# DROID PUID fmt/67 fmt-67-signature-id-102.dxf +>>>>&1 search/8192 AC1.40 \b, 1.4 +# DROID PUID fmt/68 fmt-68-signature-id-103.dxf +>>>>&1 search/8192 AC1.50 \b, 2.0 +# DROID PUID fmt/69 fmt-69-signature-id-104.dxf +>>>>&1 search/8192 AC2.10 \b, 2.1 +# DROID PUID fmt/70 fmt-70-signature-id-105.dxf +>>>>&1 search/8192 AC2.21 \b, 2.2 +# DROID PUID fmt/71 fmt-71-signature-id-106.dxf +>>>>&1 search/8192 AC1002 \b, 2.5 +# DROID PUID fmt/72 fmt-72-signature-id-107.dxf +>>>>&1 search/8192 AC1003 \b, 2.6 +# DROID PUID fmt/73 fmt-73-signature-id-108.dxf +>>>>&1 search/8192 AC1004 \b, R9 >>>>&1 search/8192 AC1006 \b, R10 +# 
http://cd.textfiles.com/amigaenv/DXF/OBJEKTE/LASTMINUTE/apple.dxf +#>>>>&1 search/8192 AC1008 \b, Rfoo >>>>&1 search/8192 AC1009 \b, R11/R12 >>>>&1 search/8192 AC1012 \b, R13 >>>>&1 search/8192 AC1013 \b, R13c3 diff --git a/magic/Magdir/coff b/magic/Magdir/coff index 535187c2ce9e..5123b7213c4c 100644 --- a/magic/Magdir/coff +++ b/magic/Magdir/coff @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: coff,v 1.6 2021/04/26 15:56:00 christos Exp $ +# $File: coff,v 1.7 2022/11/21 22:30:22 christos Exp $ # coff: file(1) magic for Common Object Files not specific to known cpu types or manufactures # # COFF @@ -37,6 +37,7 @@ # ARM COFF (./arm) >>>>0 uleshort 0xaa64 Aarch64 >>>>0 uleshort 0x01c0 ARM +>>>>0 uleshort 0xa641 ARM64EC >>>>0 uleshort 0x01c2 ARM Thumb >>>>0 uleshort 0x01c4 ARMv7 Thumb # TODO for other COFFs diff --git a/magic/Magdir/commands b/magic/Magdir/commands index a257eb2b7a13..6ad87fd7578d 100644 --- a/magic/Magdir/commands +++ b/magic/Magdir/commands @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: commands,v 1.69 2022/04/20 21:14:23 christos Exp $ +# $File: commands,v 1.73 2022/11/06 18:39:23 christos Exp $ # commands: file(1) magic for various shells and interpreters # #0 string/w : shell archive or script for antique kernel text @@ -8,6 +8,8 @@ !:mime text/x-shellscript 0 string/fwb #!\ /bin/sh POSIX shell script executable (binary data) !:mime text/x-shellscript +>10 string #\040This\040script\040was\040generated\040using\040Makeself \b, self-executable archive +>>53 string x \b, Makeself %s 0 string/fwt #!\ /bin/csh C shell script text executable !:mime text/x-shellscript @@ -97,9 +99,6 @@ 0 string/fwt #!\ /usr/bin/env\ fish fish shell script text executable !:mime text/x-shellscript -0 string/wt #!\ a ->&-1 string/T x %s script text executable - 0 search/1/fwt #!\ /usr/bin/tclsh Tcl/Tk script text executable !:mime text/x-tcl 
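Review bot: The DXF entry now reports `image/vnd.dxf` where it used to report `application/x-dxf`, and the old value survives only as an unexplained commented-out `#!:mime` line. Anything that keys on `file --mime-type` output (upload allow-lists, mail or proxy content filters) will see a different string for the same file after this update. A comment on the line above would record that, for example `# MIME switched from application/x-dxf to the registered image/vnd.dxf; consumers matching the old value must be updated`. Separately, the added `>>>>&1 search/8192` version tests are unanchored five- and six-character strings, so any occurrence of such a tag in the first 8 KiB after the HEADER match produces a version label, and more than one label may be appended.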
@@ -189,3 +188,14 @@ # From Danny Weldon 0 string \x0b\x13\x08\x00 >0x04 uleshort <4 ksh byte-code version %d + +# From: arno <arenevier@fdn.fr> +# mozilla xpconnect typelib +# see https://www.mozilla.org/scriptable/typelib_file.html +0 string XPCOM\nTypeLib\r\n\032 XPConnect Typelib +>0x10 byte x version %d +>>0x11 byte x \b.%d + +0 string/fwt #!\ /usr/bin/env\ runghc GHC script executable +0 string/fwt #!\ /usr/bin/env\ runhaskell Haskell script executable +0 string/fwt #!\ /usr/bin/env\ julia Julia script executable diff --git a/magic/Magdir/compress b/magic/Magdir/compress index a3dde1c1e33d..c3f93fa3bed1 100644 --- a/magic/Magdir/compress +++ b/magic/Magdir/compress @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: compress,v 1.83 2022/08/16 11:16:39 christos Exp $ +# $File: compress,v 1.91 2023/06/16 19:37:47 christos Exp $ # compress: file(1) magic for pure-compression formats (no archives) # # compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, etc. @@ -12,13 +12,14 @@ 0 string \037\235 compress'd data !:mime application/x-compress !:apple LZIVZIVU +!:ext Z >2 byte&0x80 >0 block compressed >2 byte&0x1f x %d bits # gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver) # URL: https://en.wikipedia.org/wiki/Gzip # Reference: https://tools.ietf.org/html/rfc1952 -# Update: Joerg Jenderek, Apr 2019 +# Update: Joerg Jenderek, Apr 2019, Dec 2022 # Edited by Chris Chittleborough <cchittleborough@yahoo.com.au>, March 2002 # * Original filename is only at offset 10 if "extra field" absent # * Produce shorter output - notably, only report compression methods 
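Review bot: The three added shebang entries for `runghc`, `runhaskell` and `julia` omit both the word "text" in the description and a `!:mime` line. The neighbouring shebang entries in this file use the form `... script text executable` followed by `!:mime text/x-...`. Without a `!:mime` the MIME output for these scripts presumably falls back to a generic text type, which makes them harder to single out in MIME-based handling rules. I would write the descriptions as `GHC script text executable`, `Haskell script text executable` and `Julia script text executable`, and add a `!:mime` line to each if a suitable type is agreed.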
@@ -61,20 +62,24 @@ !:mime application/gzip >>>0 use gzip-info # size of the original (uncompressed) input data modulo 2^32 ->>-0 offset >48 +# TODO: check for GXD MCD cad the reported size >>>-4 ulelong x \b, original size modulo 2^32 %u ->>-0 offset <48 \b, truncated # gzipped TAR or VirtualBox extension package #!:mime application/x-compressed-tar #!:mime application/x-virtualbox-vbox-extpack # https://www.w3.org/TR/SVG/mimereg.html -#!:mime image/image/svg+xml-compressed +#!:mime image/svg+xml-compressed # zlib.3.gz # microcode-20180312.tgz # tpz same as tgz # lua-md5_1.2-1_i386_i486.ipk https://en.wikipedia.org/wiki/Opkg # Oracle_VM_VirtualBox_Extension_Pack-5.0.12-104815.vbox-extpack -!:ext gz/tgz/tpz/ipk/vbox-extpack/svgz +# trees.blend http://fileformats.archiveteam.org/wiki/BLEND +# 2020-07-19-Note-16-24.xoj https://xournal.sourceforge.net/manual.html +# MYgnucash-gz.gnucash https://wiki.gnucash.org/wiki/GnuCash_XML_format +# text-rotate.dia https://en.wikipedia.org/wiki/Dia_(software) +# MYrdata.RData https://en.wikipedia.org/wiki/R_(programming_language) +!:ext gz/tgz/tpz/ipk/vbox-extpack/svgz/blend/dia/gnucash/rdata/xoj # FNAME/FCOMMENT bit implies file name/comment as iso-8859-1 text >3 byte&0x18 >0 gzip compressed data !:mime application/gzip 
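Review bot: Removing `>>-0 offset >48` leaves `>>>-4 ulelong x` reading the last four bytes of the file with no length guard. The same removal is made in the following hunk (`@@ -83,12 +88,13 @@`), and the `, truncated` hint is dropped in both places. For a cut-off download or a very short file, the value printed as "original size" is then taken from compressed data or header bytes rather than from the gzip trailer. Even on a complete file the field is written by whoever produced the archive and wraps at 2^32, so it is not a safe input for decompression-size limits. If the guard was dropped deliberately, a comment such as `# size is the writer-supplied ISIZE trailer; not validated, meaningless on truncated input` would keep readers from trusting it. Otherwise the `offset` test should stay. The enclosing gzip entry starts above this hunk.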
@@ -83,12 +88,13 @@ #!:mime application/x-abiword-compressed #!:mime image/image/svg+xml-compressed # kleopatra_splashscreen.svgz gzipped .svg -!:ext gz/tgz/tpz/zabw/svgz +# RSI-Mega-Demo_Disk1.adz gzipped .adf http://fileformats.archiveteam.org/wiki/ADF_(Amiga) +# PostbankTest.kmy gzipped XML https://docs.kde.org/stable5/en/kmymoney/kmymoney/details.formats.compressed.html +# Logo.xcfgz gzipped .xcf http://fileformats.archiveteam.org/wiki/XCF +!:ext gz/tgz/tpz/zabw/svgz/adz/kmy/xcfgz >>0 use gzip-info # size of the original (uncompressed) input data modulo 2^32 ->>-0 offset >48 ->>>-4 ulelong x \b, original size modulo 2^32 %u ->>-0 offset <48 \b, truncated +>>-4 ulelong x \b, original size modulo 2^32 %u # display information of gzip compressed files 0 name gzip-info #>2 byte x THIS iS GZIP @@ -125,6 +131,7 @@ # packed data, Huffman (minimum redundancy) codes on a byte-by-byte basis 0 string \037\036 packed data !:mime application/octet-stream +!:ext z >2 belong >1 \b, %d characters originally >2 belong =1 \b, %d character originally # @@ -159,6 +166,7 @@ # lzip 0 string LZIP lzip compressed data !:mime application/x-lzip +!:ext lz >4 byte x \b, version: %d # squeeze and crunch @@ -194,6 +202,7 @@ # lzop from <markus.oberhumer@jk.uni-linz.ac.at> 0 string \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a lzop compressed data +!:ext lzo >9 beshort <0x0940 >>9 byte&0xf0 =0x00 - version 0. >>9 beshort&0x0fff x \b%03x, 
@@ -254,20 +263,24 @@ !:mime application/x-7z-compressed !:ext 7z/cb7 +0 name lzma LZMA compressed data, +!:mime application/x-lzma +!:ext lzma +>5 lequad =0xffffffffffffffff streamed +>5 lequad !0xffffffffffffffff non-streamed, size %lld + # Type: LZMA 0 lelong&0xffffff =0x5d ->12 leshort 0xff LZMA compressed data, -!:mime application/x-lzma ->>5 lequad =0xffffffffffffffff streamed ->>5 lequad !0xffffffffffffffff non-streamed, size %lld ->12 leshort 0 LZMA compressed data, ->>5 lequad =0xffffffffffffffff streamed ->>5 lequad !0xffffffffffffffff non-streamed, size %lld +>12 leshort 0xff +>>0 use lzma +>12 leshort 0 +>>0 use lzma # http://tukaani.org/xz/xz-file-format.txt 0 ustring \xFD7zXZ\x00 XZ compressed data, checksum !:strength * 2 !:mime application/x-xz +!:ext xz >7 byte&0xf 0x0 NONE >7 byte&0xf 0x1 CRC32 >7 byte&0xf 0x4 CRC64 @@ -275,14 +288,15 @@ # https://github.com/ckolivas/lrzip/blob/master/doc/magic.header.txt 0 string LRZI LRZIP compressed data +!:mime application/x-lrzip >4 byte x - version %d >5 byte x \b.%d >22 byte 1 \b, encrypted -!:mime application/x-lrzip # https://fastcompression.blogspot.fi/2013/04/lz4-streaming-format-final.html 0 lelong 0x184d2204 LZ4 compressed data (v1.4+) !:mime application/x-lz4 +!:ext lz4 # Added by osm0sis@xda-developers.com 0 lelong 0x184c2103 LZ4 compressed data (v1.0-v1.3) !:mime application/x-lz4 
@@ -319,19 +333,26 @@ # https://github.com/facebook/zstd/blob/dev/zstd_compression_format.md 0 lelong 0xFD2FB522 Zstandard compressed data (v0.2) !:mime application/zstd +!:ext zst 0 lelong 0xFD2FB523 Zstandard compressed data (v0.3) !:mime application/zstd +!:ext zst 0 lelong 0xFD2FB524 Zstandard compressed data (v0.4) !:mime application/zstd +!:ext zst 0 lelong 0xFD2FB525 Zstandard compressed data (v0.5) !:mime application/zstd +!:ext zst 0 lelong 0xFD2FB526 Zstandard compressed data (v0.6) !:mime application/zstd +!:ext zst 0 lelong 0xFD2FB527 Zstandard compressed data (v0.7) !:mime application/zstd +!:ext zst >4 use zstd-dictionary-id 0 lelong 0xFD2FB528 Zstandard compressed data (v0.8+) !:mime application/zstd +!:ext zst >4 use zstd-dictionary-id # https://github.com/facebook/zstd/blob/dev/zstd_compression_format.md 
@@ -407,3 +428,34 @@ # http://www.shikadi.net/moddingwiki/PCX_Library 0 string/b pcxLib >0x0A string/b Copyright\020(c)\020Genus\020Microprogramming,\020Inc. pcxLib compressed + +# https://support-docs.illumina.com/SW/ORA_Format_Specification/Content/SW/ORA/ORAFormatSpecification.htm +0 uleshort 0x7c49 +>2 lelong 0x80 ORA FASTQ compressed file +>>6 ulelong x \b, DNA size %u +>>10 ulelong x \b, read names size %u +>>14 ulelong x \b, quality buffer 1 size %u +>>18 ulelong x \b, quality buffer 2 size %u +>>22 ulelong x \b, sequence buffer size %u +>>26 ulelong x \b, N-position buffer size %u +>>30 ulelong x \b, crypto buffer size %u +>>34 ulelong x \b, misc buffer 1 size %u +>>38 ulelong x \b, misc buffer 2 size %u +>>42 ulelong x \b, flags %#x +>>46 lelong x \b, read size %d +>>50 lelong x \b, number of reads %d +>>54 leshort x \b, version %d + +# https://github.com/kspalaiologos/bzip3/blob/master/doc/file_format.md +0 string/b BZ3v1 bzip3 compressed data +>5 ulelong x \b, blocksize %u + + +# https://support-docs.illumina.com/SW/ORA_Format_Specification/Content/\ +# SW/ORA/ORAFormatSpecification.htm +# From Guillaume Rizk +0 short =0x7C49 DRAGEN ORA file, +>-261 short =0x7C49 with metadata: +>-125 u8 x NB reads: %llu, +>-109 u8 x NB bases: %llu. +>-219 u4&0x02 2 File contains interleaved paired reads diff --git a/magic/Magdir/console b/magic/Magdir/console index 367aeec36004..0ed53fe34d15 100644 --- a/magic/Magdir/console +++ b/magic/Magdir/console @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: console,v 1.68 2022/05/14 20:04:43 christos Exp $ +# $File: console,v 1.72 2023/06/16 19:24:06 christos Exp $ # Console game magic # Toby Deshane <hac@shoelace.digivill.net> 
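Review bot: The second ORA entry at the end of this hunk, `0 short =0x7C49 DRAGEN ORA file,`, prints its description on a two-byte match alone and uses the host-endian `short` type, while the first ORA entry in the same hunk uses `uleshort` and also requires `>2 lelong 0x80`. On a little-endian host any file beginning with the bytes 0x49 0x7C is labelled a DRAGEN ORA file. Because `>-125 u8 x` and `>-109 u8 x` sit at level 1 rather than under the `>-261` footer check, read and base counts are then printed from whatever bytes lie near the end of that file. I would anchor the description on the footer test: `0 uleshort 0x7c49`, then `>-261 uleshort 0x7c49 DRAGEN ORA file, with metadata:`, with the counters and the `>-219` flag test indented one level below it. The two entries also overlap on the same magic, so merging them would avoid depending on match order.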
@@ -68,7 +68,7 @@ !:mime application/x-nes-rom #------------------------------------------------------------------------------ -# fds: file(1) magic for Famciom Disk System disk images +# fds: file(1) magic for Famicom Disk System disk images # Reference: https://wiki.nesdev.com/w/index.php/Family_Computer_Disk_System#.FDS_format # From: David Korth <gerbilsoft@gerbilsoft.com> # TODO: Check "Disk info block" and get info from that in addition to the optional header. @@ -544,6 +544,19 @@ 0 string CPE CPE executable >3 byte x (version %d) +# Sony PlayStation archive (PSARC) +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://www.psdevwiki.com/ps3/PlayStation_archive_(PSARC) +0 string PSAR Sony PlayStation Archive +!:ext psarc +>4 ubeshort x \b, version %d. +>6 ubeshort x \b%d +>8 string zlib \b, zlib compression +>8 string lzma \b, LZMA compression +>28 ubeshort&2 0 \b, relative paths +>28 ubeshort&2 2 \b, absolute paths +>28 ubeshort&1 1 \b, ignore case + #------------------------------------------------------------------------------ # Microsoft Xbox executables .xbe (Esa Hyytia <ehyytia@cc.hut.fi>) 0 string XBEH Microsoft Xbox executable 
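Review bot: In the PSARC entry the three flag tests use `>28 ubeshort&2` and `>28 ubeshort&1`, which examine only bytes 28–29. If the archive flags are a 32-bit big-endian field at offset 0x1C, as I read the psdevwiki page cited in the hunk, the low flag bits sit in bytes 30–31. In that case `ubeshort&2 0` is true for every archive and the output always says "relative paths". That label is something an analyst may check before unpacking an archive from an untrusted source, so it should be right. Assuming that layout, the tests should be `>28 ubelong&2 0`, `>28 ubelong&2 2` and `>28 ubelong&1 1`, and the layout should be confirmed against a sample with the absolute-paths flag set.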
@@ -684,12 +697,25 @@ >6 string BS93 Lynx homebrew cartridge !:mime application/x-atari-lynx-rom >>2 beshort x \b, RAM start $%04x +# Update: Joerg Jenderek +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/l/lnx.trid.xml +# Note: called "Atari Lynx ROM" by TrID 0 string LYNX Lynx cartridge !:mime application/x-atari-lynx-rom +!:ext lnx +# bank 0 page size like: 128 256 512 >4 leshort/4 >0 \b, bank 0 %dk >6 leshort/4 >0 \b, bank 1 %dk +# 32 bytes cart name like: "jconnort.lyx" "viking~1.lyx" "Eye of the Beholder" "C:\EMU\LYNX\ROMS\ULTCHESS.LYX" >10 string >\0 \b, "%.32s" +# 16 bytes manufacturer like: "Atari" "NuFX Inc." "Matthias Domin" >42 string >\0 \b, "%.16s" +# version number +#>8 leshort !1 \b, version number %u +# rotation: 1~left Lexis (NA).lnx 2~right Centipede (Prototype).lnx +>58 ubyte >0 \b, rotation %u +# spare +#>59 lelong !0 \b, spare %#x # Opera file system that is used on the 3DO console # From: Serge van den Boom <svdb@stack.nl> @@ -760,6 +786,28 @@ >5 byte 0 \b, Simple Encoding >6 string x \b, description: %s +# Compressed ISO disc image (used mostly by PSP, PS2 and MegaDrive) +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://en.wikipedia.org/wiki/.CSO +# NOTE: This is NOT the same as Compact ISO or GameCube/Wii disc image, +# though it has the same magic number. +0 string CISO +# Match CISO version 1 with ISO-9660 sector size +>20 ubyte <2 +>>16 ulelong =2048 CSO v1 disk image +!:mime application/x-compressed-iso +!:ext ciso/cso +>>>8 ulequad x \b, original size %llu bytes +>>>16 ulelong x \b, datablock size %u bytes +# Match CISO version 2 +>20 ubyte =2 +>>22 uleshort =0 +>>>4 ulelong =24 CSO v2 disk image +!:mime application/x-compressed-iso +!:ext ciso/cso +>>>>8 ulequad x \b, original size %llu bytes +>>>>16 ulelong x \b, datablock size %u bytes + # From: Daniel Dawson <ddawson@icehouse.net> # SNES9x .smv "movie" file format. 0 string SMV\x1A SNES9x input recording 
diff --git a/magic/Magdir/crypto b/magic/Magdir/crypto index 72a90ace2829..910df8dd497b 100644 --- a/magic/Magdir/crypto +++ b/magic/Magdir/crypto @@ -1,5 +1,49 @@ #------------------------------------------------------------------------------ -# $File: crypto,v 1.2 2021/03/27 20:15:53 christos Exp $ +# $File: crypto,v 1.4 2023/07/17 16:41:48 christos Exp $ # crypto: file(1) magic for crypto formats # +# Bitcoin block files +0 lelong 0xD9B4BEF9 Bitcoin +>(4.l+40) lelong 0xD9B4BEF9 reverse block +>>4 lelong x \b, size %u +# normal block below +>0 default x block +>>4 lelong x \b, size %u +>>8 lelong&0xE0000000 0x20000000 +>>>8 lelong x \b, BIP9 0x%x +>>8 lelong&0xE0000000 !0x20000000 +>>>8 lelong x \b, version 0x%x +>>76 ledate x \b, %s UTC +# VarInt counter +>>88 ubyte <0xfd \b, txcount %u +>>88 ubyte 0xfd +>>>89 leshort x \b, txcount %u +>>88 ubyte 0xfe +>>>89 lelong x \b, txcount %u +>>88 ubyte 0xff +>>>89 lequad x \b, txcount %llu +!:ext dat +# option to find more blocks in the file +#>>(4.l+8) indirect x ; + +# LevelDB +-8 lequad 0xdb4775248b80fb57 LevelDB table data + +# http://www.tarsnap.com/scrypt.html +# see scryptenc_setup() in lib/scryptenc/scryptenc.c +0 string scrypt\0 scrypt encrypted file +>7 byte x \b, N=2**%d +>8 belong x \b, r=%d +>12 belong x \b, p=%d + +# https://age-encryption.org/ +# Only the first recipient is printed in detail to prevent repetitive output +# in extreme cases ("ssh-rsa, ssh-rsa, ssh-rsa, ..."). +0 string age-encryption.org/v1\n age encrypted file +>25 regex/128 \^[^\040]+ \b, %s recipient +>>25 string scrypt +>>>&0 regex/64 [0-9]+\$ (N=2**%s) +>>&0 search/256 \n->\040 \b, among others + +0 string -----BEGIN\040AGE\040ENCRYPTED\040FILE----- age encrypted file, ASCII armored diff --git a/magic/Magdir/database b/magic/Magdir/database index 171f7eb26353..03ac4235f735 100644 --- a/magic/Magdir/database +++ b/magic/Magdir/database 
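Review bot: In the Bitcoin entry `!:ext dat` comes after the last `>>>89 lequad x` continuation instead of directly under the line that carries the description. This same commit moves LRZIP's `!:mime` up to follow its description line in `compress`, which suggests that placement matters to the parser. I have not checked which line the annotation ends up attached to here. Moving it to sit right after `0 lelong 0xD9B4BEF9 Bitcoin` would make the extension apply to every match of the entry, not to one txcount branch. The entry also lacks the reference comment that the scrypt and age entries below it carry. A `# Reference:` line naming the block-file layout would let a reader verify offsets 76 and 88. The `size` lines would be clearer as `ulelong`, since they are printed with `%u`.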
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: database,v 1.67 2022/07/12 18:57:42 christos Exp $ +# $File: database,v 1.69 2023/01/12 00:14:04 christos Exp $ # database: file(1) magic for various databases # # extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk) @@ -387,8 +387,22 @@ >>>>>20 ubelong&0xFF01209B 0x00000000 # dBASE III >>>>>>16 ubyte 3 -# dBASE III DBT ->>>>>>>0 use dbase3-memo-print +# skip with invalid "low" 1st item "\0\0\0\0" StateRepository-Deployment.srd-shm "\001\010\0\0" gcry_cast5.mod +>>>>>>>512 ubyte >040 +# skip with valid 1st item "rintf" keylayouts.mod +# by looking for valid terminating character Ctrl-Z like in test.dbt +>>>>>>>>513 search/3308 \032 +# skip GRUB plan9.mod with invalid second terminating character 007 +# by checking second terminating character Ctrl-Z like in test.dbt +>>>>>>>>>&0 ubyte 032 +# dBASE III DBT with two Ctr-Z terminating characters +>>>>>>>>>>0 use dbase3-memo-print +# second terminating character \0 like in dbase-memo.dbt or GRUB nativedisk.mod +>>>>>>>>>&0 ubyte 0 +# skip GRUB nativedisk.mod with grub_mod_init\0grub_mod_fini\0grub_fs_autoload_hook\0 +>>>>>>>>>>0x1ad string !grub_mod_init +# like dbase-memo.dbt +>>>>>>>>>>>0 use dbase3-memo-print # dBASE III DBT without version, dBASE IV DBT , FoxPro FPT , or many ZIP , DBF garbage >>>>>>16 ubyte 0 # unusual dBASE III DBT like angest.dbt, dBASE IV DBT with block size 0 , FoxPro FPT , or garbage PCX DBF 
@@ -410,8 +424,25 @@ >>>>>>>>>>513 ubyte >037 # skip DOS executables CPQ0TD.DRV E30ODI.COM IBM0MONO.DRV by looking for printable 1st character of 1st memo item >>>>>>>>>>>512 ubyte >037 -# unusual dBASE III DBT like adressen.dbt ->>>>>>>>>>>>0 use dbase3-memo-print +# skip few (14/758) Microsoft Event Trace Logs (boot_BASE+CSWITCH_1.etl DlTel-Merge.etl UpdateUx.006.etl) with invalid "high" 1st item \377\377 +>>>>>>>>>>>>512 ubyte <0377 +# skip some Commodore 64 Art Studio (Deep_Strike.aas dragon's_lair_ii.aas), some Atari DEGAS Elite bitmap (ELEPHANT.PC3 ST.PC2) +# some probably old GRUB modules (part_sun.mod) and virtual-boy-wario-land.vb. +# by looking for valid terminating character Ctrl-Z +>>>>>>>>>>>>>513 search/523 \032 +# Atari DEGAS bitmap ST.PC2 with 0370 as second terminating character +#>>>>>>>>>>>>>>&0 ubyte x 2ND_CHAR_IS=%o +# dBASE III DBT with two Ctr-Z terminating characters like dbase3dbt0_1.dbt dbase_83.dbt +>>>>>>>>>>>>>>&0 ubyte 032 +>>>>>>>>>>>>>>>0 use dbase3-memo-print +# second terminating character \0 like in pcidump.mod or fsadress.dbt umlaut-dbf-cmd.dbt +>>>>>>>>>>>>>>&0 ubyte 0 +# look for old GRUB module pcidump.mod with specific content "pcidump\0Show raw dump of the PCI configuration space" +>>>>>>>>>>>>>>>514 search/0x11E pcidump\0Show +# dBASE III DBT with Ctr-Z + \0 terminating characters like fsadress.dbt +>>>>>>>>>>>>>>>514 default x +# unusual dBASE III DBT like fsadress.dbt umlaut-dbf-cmd.dbt +>>>>>>>>>>>>>>>>0 use dbase3-memo-print # dBASE III DBT like angest.dbt, or garbage PCX DBF >>>>>>>>8 ubelong !0 # skip PCX and some DBF by test for for reserved NULL bytes 
@@ -424,7 +455,19 @@ >>>>>>>>>>>>512 ubyte <0200 # skip gluon-ffhat-1.0-tp-link-tl-wr1043n-nd-v2-sysupgrade.bin by printable 2nd character >>>>>>>>>>>>>513 ubyte >037 ->>>>>>>>>>>>>>0 use dbase3-memo-print +# skip few (8/758) Microsoft Event Trace Logs (WBEngine.3.etl Wifi.etl) with valid 1st item like +# "9600.20369.amd64fre.winblue_ltsb_escrow.220427-1727" +# "9600.19846.amd64fre.winblue_ltsb_escrow.200923-1735" +# "10586.494.amd64fre.th2_release_sec.160630-1736" +# by looking for valid terminating character Ctrl-Z +>>>>>>>>>>>>>>513 search/0x11E \032 +# followed by second character Ctrl-Z implies typical DBT +>>>>>>>>>>>>>>>&0 ubyte 032 +# examples like: angest.dbt +>>>>>>>>>>>>>>>>0 use dbase3-memo-print +>>>>>>>>>>>>>>>&0 ubyte 0 +# no example found here with terminating sequence CTRL-Z + \0 +>>>>>>>>>>>>>>>>0 use dbase3-memo-print # dBASE IV DBT with positive block size >>>>>>>20 uleshort >0 # dBASE IV DBT with valid block length like 512, 1024 @@ -446,11 +489,16 @@ # no positive block length #>20 uleshort =0 \b, block length %u >20 uleshort !0 \b, block length %u -# dBase III memo field terminated by \032\032 +# dBase III memo field terminated often by \032\032 # like: "WHAT IS XBASE" test.dbt "Borges, Malte" biblio.dbt "First memo\032\032" T2.DBT >512 string >\0 \b, 1st item "%s" # For DEBUGGING #>512 ubelong x \b, 1ST item %#8.8x +#>513 search/0x225 \032 FOUND_TERMINATOR +#>>&0 ubyte 032 2xCTRL_Z +# fsadress.dbt has 1 Ctrl-Z terminator followed by nil byte +#>>&0 ubyte 0 1xCTRL_Z + # https://www.clicketyclick.dk/databases/xbase/format/dbt.html # Print the information of dBase IV DBT memo file 0 name dbase4-memo-print diff --git a/magic/Magdir/der b/magic/Magdir/der index e84282b5ca1a..3bc2e38aa950 100644 --- a/magic/Magdir/der +++ b/magic/Magdir/der 
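Review bot: The second branch added in the `@@ -424,7 +455,19 @@` hunk, the `&0 ubyte 0` test followed by `use dbase3-memo-print`, carries the comment "no example found here with terminating sequence CTRL-Z + \0". It therefore accepts a pattern for which no real DBT sample is known, which partly undoes the Event Trace Log filtering that the same hunk introduces. Until a sample turns up I would keep that branch and its `use` line commented out, prefixed with `#` as the debugging lines further down are. The enclosing dBASE test chain starts outside the hunk.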
@@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: der,v 1.5 2022/07/30 18:07:34 christos Exp $ +# $File: der,v 1.6 2023/01/11 23:59:49 christos Exp $ # der: file(1) magic for DER encoded files # @@ -137,3 +137,10 @@ >>>>&0 der seq >>>>>&0 der obj_id3=550403 >>>>>&0 der utf8_str=x \b, Subject=%s + +# PKCS#7 Signed Data (e.g. JAR Signature Block File) +# OID 1.2.840.113549.1.7.2 (2a864886f70d010702) +# Reference: https://www.rfc-editor.org/rfc/rfc2315 +0 der seq +>&0 der obj_id9=2a864886f70d010702 DER Encoded PKCS#7 Signed Data +!:ext RSA/DSA/EC diff --git a/magic/Magdir/dsf b/magic/Magdir/dsf deleted file mode 100644 index e6c4b6e3e059..000000000000 --- a/magic/Magdir/dsf +++ /dev/null @@ -1,25 +0,0 @@ - -#------------------------------------------------------------ -# $File: dsf,v 1.1 2022/01/08 16:29:18 christos Exp $ -# dsf: file(1) magic for DSD Stream File -# URL: https://en.wikipedia.org/wiki/Direct_Stream_Digital -# Reference: https://dsd-guide.com/sites/default/files/white-papers/DSFFileFormatSpec_E.pdf -0 string DSD\x20 DSD Stream File, ->0x30 leshort 1 mono, ->0x30 leshort 2 stereo, ->0x30 leshort 3 three-channel, ->0x30 leshort 4 quad-channel, ->0x30 leshort 5 3.1 4-channel, ->0x30 leshort 6 five-channel, ->0x30 leshort 7 5.1 surround, ->0x30 default x ->>0x30 leshort x unknown channel format (%d), ->0x38 lelong 2822400 simple-rate, ->0x38 lelong 5644800 double-rate, ->0x38 default x ->>0x38 lelong x %d Hz, ->0x3c leshort 1 1 bit, ->0x3c leshort 8 8 bit, ->0x3c default x ->>0x3c leshort x %d bit, ->0x40 lelong x %d samples diff --git a/magic/Magdir/dwarfs b/magic/Magdir/dwarfs new file mode 100644 index 000000000000..3700a33c5d7a --- /dev/null +++ b/magic/Magdir/dwarfs 
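Review bot: The new PKCS#7 entry in the `@@ -137,3 +137,10 @@` hunk cites only RFC 2315, but the OID it matches (1.2.840.113549.1.7.2) is also the signedData content type of CMS, so CMS signatures will be reported under the PKCS#7 label. The test looks only at the outer SEQUENCE and the content-type OID, so "Signed Data" names the container type and says nothing about whether a signature is present, well-formed or valid. I would state both above `0 der seq`, for example `# Also matches CMS SignedData (RFC 5652); identifies the container only, no signature is checked`.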
@@ -0,0 +1,45 @@
+
+#------------------------------------------------------------------------------
+# $File: dwarfs,v 1.2 2023/05/23 13:37:32 christos Exp $
+# dwarfs: file(1) magic for DwarFS File System Image files
+# URL: https://github.com/mhx/dwarfs for details about DwarFS
+# From: Marcus Holland-Moritz <github@mhxnet.de>
+
+#### DwarFS Version Macro
+0 name dwarfsversion
+>&0 byte x \b, version %d
+>&1 byte x \b.%d
+
+#### DwarFS Compression Macro
+0 name dwarfscompression
+>&0 leshort =0 \b, uncompressed
+>&0 leshort =1 \b, LZMA compression
+>&0 leshort =2 \b, ZSTD compression
+>&0 leshort =3 \b, LZ4 compression
+>&0 leshort =4 \b, LZ4HC compression
+>&0 leshort =5 \b, BROTLI compression
+
+#### DwarFS files without header
+## We first check against a DWARFS magic at the start of the file, then
+## validate by checking the block count / section type to be all zeros
+## for the first block. Finally, we check that the *next* block also
+## has the correct DWARFS magic.
+0 string DWARFS
+>&0x2A string/b \0\0\0\0\0\0
+>>&(&0x02.q+0x0A) string DWARFS DwarFS File System Image
+>>>&0 use dwarfsversion
+>>&0 use dwarfscompression
+
+#### DwarFS files with header
+## We search for a DWARFS magic in the first 64k of the file (images with
+## headers longer than 64k won't be recognized), then validate by checking
+## the block count / section type to be all zeros for the first block.
+## Finally, we check that the *next* block also has the correct DWARFS magic.
+## If we find a DWARFS magic that doesn't pass validation, we continue with
+## an indirect match recursively.
+1 search/65536/b DWARFS
+>&0x2A string/b \0\0\0\0\0\0
+>>&(&0x02.q+0x0A) string DWARFS DwarFS File System Image (with header)
+>>>&0 use dwarfsversion
+>>&0 use dwarfscompression
+>&-1 indirect x
diff --git a/magic/Magdir/elf b/magic/Magdir/elf
index 93abdc380db9..d3ec0260af25 100644
--- a/magic/Magdir/elf
+++ b/magic/Magdir/elf
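Review bot: The `>&-1 indirect x` line in the "with header" entry sits at the same level as the validation test, so as written it appears to run after every `DWARFS` hit in the 64 KiB search window, not only after a failed validation as the comment says. Each indirect match re-enters the whole magic database, so on inputs that contain many `DWARFS` strings the cost is held down only by libmagic's indirection limit. I would make that explicit in the comment block, for example `## The indirect match runs after every hit; recursion depth is bounded by the indir limit (file -P indir=N).`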
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: elf,v 1.87 2021/05/25 15:19:51 christos Exp $ +# $File: elf,v 1.88 2023/01/08 17:09:18 christos Exp $ # elf: file(1) magic for ELF executables # # We have to check the byte order flag to see what byte order all the @@ -8,6 +8,8 @@ # # What're the correct byte orders for the nCUBE and the Fujitsu VPP500? # +# https://www.sco.com/developers/gabi/latest/ch4.eheader.html +# # Created by: unknown # Modified by (1): Daniel Quinlan <quinlan@yggdrasil.com> # Modified by (2): Peter Tobias <tobias@server.et-inf.fho-emden.de> (core support) @@ -282,6 +284,12 @@ >18 leshort 216 Cognitive Smart Memory, >18 leshort 217 iCelero CoolEngine, >18 leshort 218 Nanoradio Optimized RISC, +>18 leshort 219 CSR Kalimba architecture family +>18 leshort 220 Zilog Z80 +>18 leshort 221 Controls and Data Services VISIUMcore processor +>18 leshort 222 FTDI Chip FT32 high performance 32-bit RISC architecture +>18 leshort 223 Moxie processor family +>18 leshort 224 AMD GPU architecture >18 leshort 243 UCB RISC-V, # only for 32-bit >>4 byte 1 diff --git a/magic/Magdir/filesystems b/magic/Magdir/filesystems index dad00db79570..cd7213051686 100644 --- a/magic/Magdir/filesystems +++ b/magic/Magdir/filesystems @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: filesystems,v 1.150 2022/07/04 16:40:33 christos Exp $ +# $File: filesystems,v 1.158 2023/05/21 17:19:08 christos Exp $ # filesystems: file(1) magic for different filesystems # 0 name partid @@ -1596,7 +1596,8 @@ >0x1e lequad x %lld total clusters, >0x26 lequad x %lld clusters in use -9564 lelong 0x00011954 Unix Fast File system [v1] (little-endian), + +0 name ffsv1 >8404 string x last mounted on %s, #>9504 ledate x last checked at %s, >8224 ledate x last written at %s, 
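Review bot: The six `e_machine` descriptions added for values 219 to 224 in the `@@ -282,6 +284,12 @@` hunk lack the trailing comma that the neighbouring entries `Nanoradio Optimized RISC,` and `UCB RISC-V,` carry. Output for these machines will therefore run into the next field without a separator, which also breaks scripts that split `file` output on commas. Each new line should end with a comma, for example `>18 leshort 220 Zilog Z80,`. The machine table itself starts and ends outside the hunk.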
@@ -1612,105 +1613,59 @@ >8320 lelong 0 TIME optimization >8320 lelong 1 SPACE optimization -42332 lelong 0x19540119 Unix Fast File system [v2] (little-endian) ->&-1164 string x last mounted on %s, ->&-696 string >\0 volume name %s, ->&-304 leqldate x last written at %s, ->&-1167 byte x clean flag %d, ->&-1168 byte x readonly flag %d, ->&-296 lequad x number of blocks %lld, ->&-288 lequad x number of data blocks %lld, ->&-1332 lelong x number of cylinder groups %d, ->&-1328 lelong x block size %d, ->&-1324 lelong x fragment size %d, ->&-180 lelong x average file size %d, ->&-176 lelong x average number of files in dir %d, ->&-272 lequad x pending blocks to free %lld, ->&-264 lelong x pending inodes to free %d, ->&-664 lequad x system-wide uuid %0llx, ->&-1316 lelong x minimum percentage of free blocks %d, ->&-1248 lelong 0 TIME optimization ->&-1248 lelong 1 SPACE optimization - -66908 lelong 0x19540119 Unix Fast File system [v2] (little-endian) ->&-1164 string x last mounted on %s, ->&-696 string >\0 volume name %s, ->&-304 leqldate x last written at %s, ->&-1167 byte x clean flag %d, ->&-1168 byte x readonly flag %d, ->&-296 lequad x number of blocks %lld, ->&-288 lequad x number of data blocks %lld, ->&-1332 lelong x number of cylinder groups %d, ->&-1328 lelong x block size %d, ->&-1324 lelong x fragment size %d, ->&-180 lelong x average file size %d, ->&-176 lelong x average number of files in dir %d, ->&-272 lequad x pending blocks to free %lld, ->&-264 lelong x pending inodes to free %d, ->&-664 lequad x system-wide uuid %0llx, ->&-1316 lelong x minimum percentage of free blocks %d, ->&-1248 lelong 0 TIME optimization ->&-1248 lelong 1 SPACE optimization +9564 lelong 0x00011954 Unix Fast File system [v1] (little-endian), +>0 use ffsv1 9564 belong 0x00011954 Unix Fast File system [v1] (big-endian), >7168 belong 0x4c41424c Apple UFS Volume >>7186 string x named %s, >>7176 belong x volume label version %d, >>7180 bedate x created on %s, ->8404 string x last 
mounted on %s, -#>9504 bedate x last checked at %s, ->8224 bedate x last written at %s, ->8401 byte x clean flag %d, ->8228 belong x number of blocks %d, ->8232 belong x number of data blocks %d, ->8236 belong x number of cylinder groups %d, ->8240 belong x block size %d, ->8244 belong x fragment size %d, ->8252 belong x minimum percentage of free blocks %d, ->8256 belong x rotational delay %dms, ->8260 belong x disk rotational speed %drps, ->8320 belong 0 TIME optimization ->8320 belong 1 SPACE optimization +>0 use \^ffsv1 + +0 name ffsv2 +>212 string x last mounted on %s, +>680 string >\0 volume name %s, +>1072 leqldate x last written at %s, +>209 byte x clean flag %d, +>210 byte x readonly flag %d, +>1080 lequad x number of blocks %lld, +>1088 lequad x number of data blocks %lld, +>44 lelong x number of cylinder groups %d, +>48 lelong x block size %d, +>52 lelong x fragment size %d, +>1196 lelong x average file size %d, +>1200 lelong x average number of files in dir %d, +>1104 lequad x pending blocks to free %lld, +>1112 lelong x pending inodes to free %d, +>712 lequad x system-wide uuid %0llx, +>60 lelong x minimum percentage of free blocks %d, +>128 lelong 0 TIME optimization +>128 lelong 1 SPACE optimization + +42332 lelong 0x19012038 Unix Fast File system [v2ea] (little-endian) +>40960 use ffsv2 + +42332 lelong 0x19540119 Unix Fast File system [v2] (little-endian) +>40960 use ffsv2 + +42332 belong 0x19012038 Unix Fast File system [v2ea] (little-endian) +>40960 use \^ffsv2 42332 belong 0x19540119 Unix Fast File system [v2] (big-endian) ->&-1164 string x last mounted on %s, ->&-696 string >\0 volume name %s, ->&-304 beqldate x last written at %s, ->&-1167 byte x clean flag %d, ->&-1168 byte x readonly flag %d, ->&-296 bequad x number of blocks %lld, ->&-288 bequad x number of data blocks %lld, ->&-1332 belong x number of cylinder groups %d, ->&-1328 belong x block size %d, ->&-1324 belong x fragment size %d, ->&-180 belong x average file size %d, ->&-176 
belong x average number of files in dir %d, ->&-272 bequad x pending blocks to free %lld, ->&-264 belong x pending inodes to free %d, ->&-664 bequad x system-wide uuid %0llx, ->&-1316 belong x minimum percentage of free blocks %d, ->&-1248 belong 0 TIME optimization ->&-1248 belong 1 SPACE optimization +>40960 use \^ffsv2 + +66908 lelong 0x19012038 Unix Fast File system [v2ea] (little-endian) +>65536 use ffsv2 + +66908 lelong 0x19540119 Unix Fast File system [v2] (little-endian) +>65536 use ffsv2 + +66908 belong 0x19012038 Unix Fast File system [v2ea] (little-endian) +>65536 use \^ffsv2 66908 belong 0x19540119 Unix Fast File system [v2] (big-endian) ->&-1164 string x last mounted on %s, ->&-696 string >\0 volume name %s, ->&-304 beqldate x last written at %s, ->&-1167 byte x clean flag %d, ->&-1168 byte x readonly flag %d, ->&-296 bequad x number of blocks %lld, ->&-288 bequad x number of data blocks %lld, ->&-1332 belong x number of cylinder groups %d, ->&-1328 belong x block size %d, ->&-1324 belong x fragment size %d, ->&-180 belong x average file size %d, ->&-176 belong x average number of files in dir %d, ->&-272 bequad x pending blocks to free %lld, ->&-264 belong x pending inodes to free %d, ->&-664 bequad x system-wide uuid %0llx, ->&-1316 belong x minimum percentage of free blocks %d, ->&-1248 belong 0 TIME optimization ->&-1248 belong 1 SPACE optimization +>65536 use \^ffsv2 0 ulequad 0xc8414d4dc5523031 HAMMER filesystem (little-endian), >0x90 lelong+1 x volume %d 
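Review bot: The two new big-endian `[v2ea]` tests, `42332 belong 0x19012038` and `66908 belong 0x19012038`, are labelled "(little-endian)" although they use `belong` and the byte-swapped `use \^ffsv2`. The label looks copied from the `lelong` lines directly above them, and anyone triaging a disk image from this output would be told the wrong byte order. Both should read like `42332 belong 0x19012038 Unix Fast File system [v2ea] (big-endian)`, matching the `[v2] (big-endian)` lines that follow.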
@@ -2648,19 +2603,25 @@ >10 ubelong x \b-%08x >14 ubeshort x \b%04x -0x1018 string \xc6\x85\x73\xf6\x4e\x1a\x45\xca\x82\x65\xf5\x7f\x48\xba\x6d\x81 bcachefs ->0x1068 lequad 8 \b, UUID= ->>0x1038 use bcachefs-uuid ->>0x1048 string >0 \b, label "%.32s" ->>0x1010 uleshort x \b, version %u ->>0x1012 uleshort x \b, min version %u ->>0x107a byte x \b, device %d +0 name bcachefs bcachefs +>0x68 lequad 8 \b, UUID= +>>0x38 use bcachefs-uuid +>>0x48 string >0 \b, label "%.32s" +>>0x10 uleshort x \b, version %u +>>0x12 uleshort x \b, min version %u +>>0x7a byte x \b, device %d # assumes the first field is the members field ->>0x12f4 ulelong 0x01 \b/UUID= ->>>0x12f0 default x ->>>&(0x107a.b*56) use bcachefs-uuid ->>0x107b byte x \b, %d devices ->>0x1090 byte ^0x02 \b (unclean) +>>0x2f4 ulelong 0x01 \b/UUID= +>>>0x2f0 default x +>>>&(0x07a.b*56) use bcachefs-uuid +>>0x07b byte x \b, %d devices +>>0x090 byte ^0x02 \b (unclean) + +0x1018 string \xc6\x85\x73\xf6\x4e\x1a\x45\xca\x82\x65\xf5\x7f\x48\xba\x6d\x81 +>0x1000 use bcachefs + +0x1018 string \xc6\x85\x73\xf6\x66\xce\x90\xa9\xd9\x6a\x60\xcf\x80\x3d\xf7\xef +>0x1000 use bcachefs # EROFS # https://kernel.googlesource.com/pub/scm/linux/kernel/git/xiang/erofs-utils/\ 
@@ -2687,3 +2648,47 @@ >>1104 lelong &4 CHUNKED_FILE >>1104 lelong &8 DEVICE_TABLE >>1104 lelong &16 ZTAILPACKING + +# YAFFS +# The layout itself is undocumented, determined by the memory layout of the +# reference implementation. This signature is derived from the +# reference implementation code and generated test cases +# We recognize the start of an object header defined by yaffs_obj_hdr: +# (Note the values being encoded depending on platform endianess) + +# u32 type /* enum yaffs_obj_type, valid 1-5 */ +# u32 parent_obj_id; /* 1 for root objects we recognize */ +# u16 sum_no_longer_used; /* checksum of name. Not used by YAFFS and memset to 0xFF */ +# YCHAR name[YAFFS_MAX_NAME_LENGTH + 1]; + +# mkyaffsimage always writes a root directory with empty name, then processing the target directory contents +# mkyaffs2image directly proceeds to writing entries with the appropriate u32 YAFFS_OBJECT_TYPE (1-5 valid), each with parent id 1 + +0 name yaffs +>0 ulelong 1 \b, type file +>0 ulelong 2 \b, type symlink +>0 ulelong 3 \b, type root or directory +>0 ulelong 4 \b, type hardlink +>0 ulelong 5 \b, type special +>0xA byte 0 \b, v1 root directory +>0xA byte !0 \b, object entry +>>0xA string x (name: "%s") + +# Little Endian: XX 00 00 00 01 00 00 00 FF FF YY +# XX: 01 - 05 (object type) +# YY: 00 for version 1 root directory, > 00 for version 2 (name data) +0x1 string \x00\x00\x00\x01\x00\x00\x00\xFF\xFF +>0 ulelong 0 +>0 ulelong >5 +>0 default x YAFFS filesystem root entry (little endian) +>>0 use yaffs + +# Big Endian: 00 00 00 XX 00 00 00 01 FF FF YY +# XX: 01 - 05 (object type) +# YY: 00 for version 1 root directory, > 00 for version 2 (name data) +0x4 string \x00\x00\x00\x01\xFF\xFF +>0 string \x00\x00\x00 +>>0 ubelong 0 +>>0 ubelong >5 +>>0 default x YAFFS filesystem root entry (big endian) +>>>0 use \^yaffs diff --git a/magic/Magdir/firmware b/magic/Magdir/firmware new file mode 100644 index 000000000000..4835b12e8d04 --- /dev/null +++ b/magic/Magdir/firmware 
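Review bot: `>>0xA string x (name: "%s")` in the new `yaffs` macro prints the object name straight from the image with no length limit, whereas the bcachefs label in this same file is bounded with `%.32s`. The comment block describes the field as `name[YAFFS_MAX_NAME_LENGTH + 1]`, so a precision matching that length would keep the output short for a corrupt or hostile image. Something like `>>0xA string x (name: "%.255s")` would do, if 255 is indeed the maximum in the reference headers. The comment also has a typo, "endianess" for "endianness".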
@@ -0,0 +1,133 @@ +#------------------------------------------------------------------------------ +# $File: firmware,v 1.7 2023/03/11 18:52:03 christos Exp $ +# firmware: file(1) magic for firmware files +# + +# https://github.com/MatrixEditor/frontier-smart-api/blob/main/docs/firmware-2.0.md#11-header-structure +# examples: https://github.com/cweiske/frontier-silicon-firmwares +0 lelong 0x00001176 +>4 lelong 0x7c Frontier Silicon firmware download +>>8 lelong x \b, MeOS version %x +>>12 string/32/T x \b, version %s +>>40 string/64/T x \b, customization %s + +# HPE iLO firmware update image +# 
From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://www.sstic.org/2018/presentation/backdooring_your_server_through_its_bmc_the_hpe_ilo4_case/ +# iLO1 (ilo1*.bin) or iLO2 (ilo2_*.bin) images +0 string \x20\x36\xc1\xce\x60\x37\x62\xf0\x3f\x06\xde\x00\x00\x03\x7f\x00 +>16 ubeshort =0xCFDD HPE iLO2 firmware update image +>16 ubeshort =0x6444 HPE iLO1 firmware update image +# iLO3 images (ilo3_*.bin) start directly with image name +0 string iLO3\x20v\x20 HPE iLO3 firmware update image, +>7 string x version %s +# iLO4 images (ilo4_*.bin) start with a signature and a certificate +0 string --=</Begin\x20HP\x20Signed +>75 string label_HPBBatch +>>5828 string iLO\x204 +>>>5732 string HPIMAGE\x00 HPE iLO4 firmware update image, +>>>6947 string x version %s +# iLO5 images (ilo5_*.bin) start with a signature +>75 string label_HPE-HPB-BMC-ILO5-4096 +>>880 string HPIMAGE\x00 HPE iLO5 firmware update image, +>>944 string x version %s + +# IBM POWER Secure Boot Container +# from https://github.com/open-power/skiboot/blob/master/libstb/container.h +0 belong 0x17082011 POWER Secure Boot Container, +>4 beshort x version %u +>6 bequad x container size %llu +# These are always zero +# >14 bequad x target HRMOR %llx +# >22 bequad x stack pointer %llx +>4096 ustring \xFD7zXZ\x00 XZ compressed +0 belong 0x1bad1bad POWER boot firmware +>256 belong 0x48002030 (PHYP entry point) + +# ARM Cortex-M vector table +# 
From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://developer.arm.com/documentation/100701/0200/Exception-properties +# Match stack MSB +3 byte 0x20 +# Function pointers must be in Thumb-mode and before 0x20000000 (4*5 bits match) +>4 ulelong&0xE0000001 1 +>>8 ulelong&0xE0000001 1 +>>>12 ulelong&0xE0000001 1 +>>>>44 ulelong&0xE0000001 1 +>>>>>56 ulelong&0xE0000001 1 +# Match Cortex-M reserved sections (0x00000000 or 0xFFFFFFFF) +>>>>>>28 ulelong+1 <2 +>>>>>>>32 ulelong+1 <2 +>>>>>>>>36 ulelong+1 <2 +>>>>>>>>>40 ulelong+1 <2 +>>>>>>>>>>52 ulelong+1 <2 ARM Cortex-M firmware +>>>>>>>>>>>0 ulelong >0 \b, initial SP at 0x%08x +>>>>>>>>>>>4 ulelong^1 x \b, reset at 0x%08x +>>>>>>>>>>>8 ulelong^1 x \b, NMI at 0x%08x +>>>>>>>>>>>12 ulelong^1 x \b, HardFault at 0x%08x +>>>>>>>>>>>44 ulelong^1 x \b, SVCall at 0x%08x +>>>>>>>>>>>56 ulelong^1 x \b, PendSV at 0x%08x + +# ESP-IDF partition table entry +# 
From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/espressif/esp-idf/blob/v5.0/components/esp_partition/include/esp_partition.h +0 string \xAA\x50 +>2 ubyte <2 ESP-IDF partition table entry +>>12 string/16 x \b, label: "%s" +>>2 ubyte 0 +>>>3 ubyte 0x00 \b, factory app +>>>3 ubyte 0x10 \b, OTA_0 app +>>>3 ubyte 0x11 \b, OTA_1 app +>>>3 ubyte 0x12 \b, OTA_2 app +>>>3 ubyte 0x13 \b, OTA_3 app +>>>3 ubyte 0x14 \b, OTA_4 app +>>>3 ubyte 0x15 \b, OTA_5 app +>>>3 ubyte 0x16 \b, OTA_6 app +>>>3 ubyte 0x17 \b, OTA_7 app +>>>3 ubyte 0x18 \b, OTA_8 app +>>>3 ubyte 0x19 \b, OTA_9 app +>>>3 ubyte 0x1A \b, OTA_10 app +>>>3 ubyte 0x1B \b, OTA_11 app +>>>3 ubyte 0x1C \b, OTA_12 app +>>>3 ubyte 0x1D \b, OTA_13 app +>>>3 ubyte 0x1E \b, OTA_14 app +>>>3 ubyte 0x1F \b, OTA_15 app +>>>3 ubyte 0x20 \b, test app +>>2 ubyte 1 +>>>3 ubyte 0x00 \b, OTA selection data +>>>3 ubyte 0x01 \b, PHY init data +>>>3 ubyte 0x02 \b, NVS data +>>>3 ubyte 0x03 \b, coredump data +>>>3 ubyte 0x04 \b, NVS keys +>>>3 ubyte 0x05 \b, emulated eFuse data +>>>3 ubyte 0x06 \b, undefined data +>>>3 ubyte 0x80 \b, ESPHTTPD partition +>>>3 ubyte 0x81 \b, FAT partition +>>>3 ubyte 0x82 \b, SPIFFS partition +>>>3 ubyte 0xFF \b, any data +>>4 ulelong x \b, offset: 0x%X +>>8 ulelong x \b, size: 0x%X +>>28 ulelong&0x1 1 \b, encrypted + +# ESP-IDF application image +# 
From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/espressif/esp-idf/blob/v5.0/components/bootloader_support/include/esp_app_format.h +# Note: Concatenation of esp_image_header_t, esp_image_segment_header_t and esp_app_desc_t +# First segment contains esp_app_desc_t +0 ubyte 0xE9 +>32 ulelong 0xABCD5432 ESP-IDF application image +>>12 uleshort 0x0000 for ESP32 +>>12 uleshort 0x0002 for ESP32-S2 +>>12 uleshort 0x0005 for ESP32-C3 +>>12 uleshort 0x0009 for ESP32-S3 +>>12 uleshort 0x000A for ESP32-H2 Beta1 +>>12 uleshort 0x000C for ESP32-C2 +>>12 uleshort 0x000D for ESP32-C6 +>>12 uleshort 0x000E for ESP32-H2 Beta2 +>>12 uleshort 0x0010 for ESP32-H2 +>>80 string/32 x \b, project name: "%s" +>>48 string/32 x \b, version %s +>>128 string/16 x \b, compiled on %s +>>>112 string/16 x %s +>>144 string/32 x \b, IDF version: %s +>>4 ulelong x \b, entry address: 0x%08X diff --git a/magic/Magdir/games b/magic/Magdir/games index b5d4664c8891..0ccb4acff517 100644 --- a/magic/Magdir/games +++ b/magic/Magdir/games @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: games,v 1.25 2022/05/31 18:40:20 christos Exp $ +# $File: games,v 1.31 2023/03/29 22:57:27 christos Exp $ # games: file(1) for games # Fabio Bonelli <fabiobonelli@libero.it> @@ -184,6 +184,15 @@ 0 string MComprHD MAME CHD compressed hard disk image, >12 belong x version %u +# MAME input recordings + +0 string MAMEINP\0 MAME input recording +>8 leqdate x at %s, +>16 leshort x format version %d. +>18 leshort x \b%d, +>20 string x %s driver, +>32 string x %s + # doom - submitted by Jon Dowland 0 string =IWAD doom main IWAD data 
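Review bot: The ARM Cortex-M entry in the new firmware file has no signature bytes. It starts from the single-byte test `3 byte 0x20` and then relies only on bit-mask plausibility checks over vector-table slots, so it is a heuristic that can label unrelated binary data as "ARM Cortex-M firmware". Tools that route samples by `file` output, such as firmware unpackers and triage pipelines, should not treat this result as a positive identification. I would say so in the entry's comment block, for example `# Heuristic only: no fixed magic, checks vector-table plausibility; false positives are possible`, and let the author decide whether a lowered `!:strength` is warranted.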
@@ -293,12 +302,92 @@ >2 regex/c GM\\[21\\] - twix Game # Epic Games/Unreal Engine Package -# -0 lelong 0x9E2A83C1 Unreal Engine Package, ->4 leshort x version: %i ->12 lelong !0 \b, names: %i ->28 lelong !0 \b, imports: %i ->20 lelong !0 \b, exports: %i +# URL: https://docs.unrealengine.com/udk/Three/ContentCooking.html +# https://eliotvu.com/page/unreal-package-file-format +# Little-endian version (such as x86 PC) +0 lelong 0x9E2A83C1 Unreal Engine package (little-endian) +!:ext xxx/tfc/upk/me1/u +>4 uleshort !0 \b, version %u +>>6 uleshort !0 \b/%03u +>>0 use upk_header +# Big-endian version (such as PS3) +0 belong 0x9E2A83C1 Unreal Engine package (big-endian) +!:ext xxx/tfc +>6 ubeshort !0 \b, version %u +>>4 ubeshort !0 \b/%03u +>>0 use \^upk_header + +0 name upk_header +# Identify game from version and licensee +>4 ulelong 0x000002b2 (Alice Madness Returns) +>4 ulelong 0x002f0313 (Aliens: Colonial Marines) +>4 ulelong 0x005b021b (Alpha Protocol) +>4 ulelong 0x0000032c (AntiChamber) +>4 ulelong 0x00200223 (APB: All Points Bulletin) +>4 ulelong 0x004b02d7 (Bioshock Infinite) +>4 ulelong 0x00380340 (Borderlands 2) +>4 ulelong 0x001d02e6 (Bulletstorm) +>4 ulelong 0x00050240 (CrimeCraft) +>4 ulelong 0x00000356 (Deadlight) +>4 ulelong 0x001e0321 (Dishonored) +>4 ulelong 0x000202a6 (Dungeon Defenders) +>4 ulelong 0x000901ea (Gears of War) +>4 ulelong 0x0000023f (Gears of War 2) +>4 ulelong 0x0000033c (Gears of War 3) +>4 ulelong 0x0000034e (Gears of War: Judgement) +>4 ulelong 0x0004035c (Hawken) +>4 ulelong 0x0001034a (Infinity Blade 2) +>4 ulelong 0x00000350 (InMomentum) +>4 ulelong 0x0015037D (Life Is Strange) +>4 ulelong 0x000b01a5 (Medal of Honor: Airborne) +>4 ulelong 0x002b0218 (Mirrors Edge) +>4 ulelong 0x0000027e (Monday Night Combat) +>4 ulelong 0x0000024b (MoonBase Alpha) +>4 ulelong 0x002e01d8 (Mortal Kombat Komplete Edition 2605) +>4 ulelong 0x0000035c (Painkiller HD) +>4 ulelong 0x0000034d (Q.U.B.E) +>4 ulelong 0x80660340 (Quantum Conundrum) +>4 
ulelong 0x0000035b (Ravaged) +>4 ulelong 0x00150340 (Remember Me) +>4 ulelong 0x00060171 (Roboblitz) +>4 ulelong 0x00000325 (Rock of Ages) +>4 ulelong 0x0000032a (Sanctum) +>4 ulelong 0x00030248 (Saw) +>4 ulelong 0x007e0248 (Singularity) +>4 ulelong 0x00090388 (Soldier Front 2) +>4 ulelong 0x000701e6 (Stargate Worlds) +>4 ulelong 0x00000334 (Super Monday Night Combat) +>4 ulelong 0x000002c2 (The Ball) +>4 ulelong 0x000e0262 (The Exiled Realm of Arborea or TERA) +>4 ulelong 0x0000035b (The Five Cores) +>4 ulelong 0x00000349 (The Haunted: Hells Reach) +>4 ulelong 0x00000354 (Unmechanical) +>4 ulelong 0x035c0298 (Unreal Development Kit) +>4 ulelong 0x00000200 (Unreal Tournament 3) +>4 ulelong 0x0000032d (Waves) +>4 ulelong 0x003b034d (XCOM: Enemy Unknown) +# Newer versions insert more headers +>4 ulelong&0xFFFF <249 +>>12 lelong !0 \b, names: %d +>>28 lelong !0 \b, imports: %d +>>20 lelong !0 \b, exports: %d +>4 ulelong&0xFFFF >248 +>>12 belong&0xFF !0 +>>>12 string x \b, folder "%s" +>>>>&5 lelong !0 \b, names: %d +>>>>&21 lelong !0 \b, imports: %d +>>>>&13 lelong !0 \b, exports: %d +>>12 belong&0xFF 0 +>>>16 belong&0xFF !0 +>>>>16 string x \b, folder "%s" +>>>>>&5 lelong !0 \b, names: %d +>>>>>&21 lelong !0 \b, imports: %d +>>>>>&13 lelong !0 \b, exports: %d +>>>16 belong&0xFF 0 +>>>>20 string x \b, folder "%s" +>>>>>&5 lelong !0 \b, names: %d +>>>>>&21 lelong !0 \b, imports: %d +>>>>>&13 lelong !0 \b, exports: %d 0 string ESVG >4 lelong 0x00160000 @@ -510,3 +599,98 @@ >>0 ulelong&0xf =8 RDR 2, >>4 ulelong x %d bytes, >>>8 ulelong x %d entries + +# Blitz3D Model File Format +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/minetest/B3DExport/blob/master/B3DExport.py +0 string BB3D +>4 lelong >0 +>>8 lelong >0 Blitz3D Model +!:ext b3d +>>>8 lelong x \b, version %d + +# Minetest Schematic File Format +# 
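Review bot: In `upk_header` the value `0x0000035b` is listed twice, once as `(Ravaged)` and once as `(The Five Cores)`. Both tests sit at the same level, so a package with that version and licensee pair will print both names one after the other. Merging them into a single line avoids the double output, for example `>4 ulelong 0x0000035b (Ravaged or The Five Cores)`, as the table already does for `(The Exiled Realm of Arborea or TERA)`.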
From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/minetest/minetest/blob/5.6.1/src/mapgen/mg_schematic.h +0 string MTSM Minetest Schematic +!:ext mts +>4 ubeshort x \b, version %d +>6 ubeshort x \b, size [%d +>8 ubeshort x \b, %d +>10 ubeshort x \b, %d] + +# MagicaVoxel File Format +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/ephtracy/voxel-model/blob/ee2216c28a78ebb68691dc6cfa9c4ba429117ea2/MagicaVoxel-file-format-vox.txt +# Note: This format is used in Veloren voxel RPG. +0 string VOX\x20 +>4 lelong >0 MagicaVoxel model +!:ext vox +>>4 lelong x \b, version %d + +# Wwise SoundBank +# 
From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://wiki.xentax.com/index.php/Wwise_SoundBank_(*.bnk) +0 string BKHD +# Little-endian version (such as x86 PC) +>4 ulelong <0x100 Wwise SoundBank (little-endian) +!:ext bnk +>>0 use wwise_bkhd +# Big-endian version (such as PS3) +>4 ubelong <0x100 Wwise SoundBank (big-endian) +!:ext bnk +>>0 use \^wwise_bkhd + +0 name wwise_bkhd +>8 ulelong x \b, version %d +>12 ulelong x \b, id %08X +>16 ulelong =0x00 \b, SFX +>16 ulelong =0x01 \b, arabic +>16 ulelong =0x02 \b, bulgarian +>16 ulelong =0x03 \b, chinese (HK) +>16 ulelong =0x04 \b, chinese (PRC) +>16 ulelong =0x05 \b, chinese (Taiwan) +>16 ulelong =0x06 \b, czech +>16 ulelong =0x07 \b, danish +>16 ulelong =0x08 \b, dutch +>16 ulelong =0x09 \b, english (Australia) +>16 ulelong =0x0A \b, english (India) +>16 ulelong =0x0B \b, english (UK) +>16 ulelong =0x0C \b, english (US) +>16 ulelong =0x0D \b, finnish +>16 ulelong =0x0E \b, french (Canada) +>16 ulelong =0x0F \b, french (France) +>16 ulelong =0x10 \b, german +>16 ulelong =0x11 \b, greek +>16 ulelong =0x12 \b, hebrew +>16 ulelong =0x13 \b, hungarian +>16 ulelong =0x14 \b, indonesian +>16 ulelong =0x15 \b, italian +>16 ulelong =0x16 \b, japanese +>16 ulelong =0x17 \b, korean +>16 ulelong =0x18 \b, latin +>16 ulelong =0x19 \b, norwegian +>16 ulelong =0x1A \b, polish +>16 ulelong =0x1B \b, portuguese (Brazil) +>16 ulelong =0x1C \b, portuguese (Portugal) +>16 ulelong =0x1D \b, romanian +>16 ulelong =0x1E \b, russian +>16 ulelong =0x1F \b, slovenian +>16 ulelong =0x20 \b, spanish (Mexico) +>16 ulelong =0x21 \b, spanish (Spain) +>16 ulelong =0x22 \b, spanish (US) +>16 ulelong =0x23 \b, swedish +>16 ulelong =0x24 \b, turkish +>16 ulelong =0x25 \b, ukrainian +>16 ulelong =0x26 \b, vietnamese + +# Wwise Audio Package +# 
From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://wiki.xentax.com/index.php/Wwise_Audio_PCK +0 string AKPK +# Little-endian version (such as x86 PC) +>8 ulelong <0x100 Wwise Audio Package (little-endian) +!:ext pck +# Big-endian version (such as PS3) +>8 ubelong <0x100 Wwise Audio Package (big-endian) +!:ext pck diff --git a/magic/Magdir/gentoo b/magic/Magdir/gentoo index f1a91acfedc1..f988047ad400 100644 --- a/magic/Magdir/gentoo +++ b/magic/Magdir/gentoo @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: gentoo,v 1.2 2022/09/12 13:13:28 christos Exp $ +# $File: gentoo,v 1.5 2022/12/26 17:16:55 christos Exp $ # gentoo: file(1) magic for gentoo specific formats # # Summary: Gentoo ebuild Manifest files (GLEP 74) @@ -36,6 +36,7 @@ # (<tag>'s already been matched prior to calling) 0 name gentoo-manifest >&0 regex [[:space:]]+[[:print:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[[:alnum:]]+[[:space:]]+[[:xdigit:]]{32} Gentoo Manifest (GLEP 74) +!:mime application/vnd.gentoo.manifest # Summary: Gentoo ebuild and eclass files # Reference: https://projects.gentoo.org/pms/8/pms.html @@ -43,16 +44,20 @@ 0 search/512 EAPI= >0 regex .*\n[\040\t]*EAPI=["']? Gentoo ebuild >>&0 regex [[:alnum:]+_.-]+ \b, EAPI %s +!:mime application/vnd.gentoo.ebuild 0 search/512 @ECLASS:\040 Gentoo eclass >&0 string x %s +!:mime application/vnd.gentoo.eclass # Summary: Gentoo supplementary package and category metadata files # Reference: https://www.gentoo.org/glep/glep-0068.html # Submitted by: Michal Gorny <mgorny@gentoo.org> 0 string \<?xml >0 search/512 \<catmetadata Gentoo category metadata file +!:mime application/vnd.gentoo.catmetadata+xml >0 search/512 \<pkgmetadata Gentoo package metadata file +!:mime application/vnd.gentoo.pkgmetadata+xml # Summary: Gentoo GLEP 78 binary package # Reference: https://www.gentoo.org/glep/glep-0078.html 
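Review bot: In the `BKHD` entry the tests `>4 ulelong <0x100` and `>4 ubelong <0x100` are siblings, so a header length of 0 satisfies both and the file is described twice, once as little-endian and once as big-endian. The `AKPK` entry has the same shape at offset 8. Requiring a non-zero value first removes the overlap: `>4 ulelong >0` followed by `>>4 ulelong <0x100 Wwise SoundBank (little-endian)`, with the dependent `use` line moved one level deeper, and likewise for the `ubelong` side.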
@@ -64,7 +69,7 @@ 257 string ustar >0 search/100 /gpkg-1\0 >>0 regex [^/]+ Gentoo GLEP 78 (GPKG) binary package for "%s" -!:mime application/x-tar +!:mime application/vnd.gentoo.gpkg !:ext tar # the logic below requires the gpkg-1 file to be empty >>>124 string 00000000000\0 diff --git a/magic/Magdir/geo b/magic/Magdir/geo index dda5f738311d..1fde25e57be2 100644 --- a/magic/Magdir/geo +++ b/magic/Magdir/geo @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: geo,v 1.8 2022/03/24 15:48:58 christos Exp $ +# $File: geo,v 1.10 2022/10/31 13:22:26 christos Exp $ # Geo- files from Kurt Schwehr <schwehr@ccom.unh.edu> ###################################################################### 
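Review bot: The MIME type for GPKG binary packages changes from `application/x-tar` to `application/vnd.gentoo.gpkg` while `!:ext tar` stays, and nothing in the file notes that the container is still a plain tar archive. Callers that dispatch on `file --mime-type`, such as archive unpackers, upload filters and scanners that recurse into tar members, may stop unpacking these files after the change. If that is intended, I would record it next to the new line, for example `# still a tar container; consumers keying on application/x-tar must also accept this type`.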
@@ -54,7 +54,43 @@ ###################################################################### # GeoAcoustics - GeoSwath Plus -4 beshort 0x2002 GeoSwath RDF +# Update: Joerg Jenderek +# URL: https://www.mbari.org/products/research-software/mb-system/ +# Reference: http://ccom.unh.edu/sites/default/files/news-and-events/conferences/auv-bootcamp/ +# GS%2B-6063-BB-GS%2B-Broadcast-Raw-Data-File-Format-Command-Specification.pdf +# Note: All data is written using Intel 80x86 byte ordering (LSB to MSB) +# raw_header_siz; file header size is 544 bytes +4 beshort 0x2002 +# GRR: line above is too general as it matches also some Microsoft Event Trace Logs *.ETL +# skip many (63/753) Microsoft Event Trace Logs (AMSITrace.etl lxcore_kernel.etl NotificationUxBroker.052.etl WindowsBackup.4.etl) with invalid "low" ping header size 0 +>6 leshort >0 GeoSwath RDF +# skip foo samples with invalid "high" spare bytes +#>>536 ulequad =0 OK_THIS_IS_GeoSwath_RDF +#!:mime application/octet-stream +!:mime application/x-geoswath-rdf +# http://ccom.unh.edu/sites/default/files/news-and-events/conferences/auv-bootcamp/060116342.rdf +!:ext rdf +# filename; original file name like: "C:\GS+\Projects\Default\Raw Data Files\060116342.rdf" +>>8 string x "%-.512s" +# version[8]; recording software version number like: 3.16c +>>527 string x \b, version %-.8s +# creation; unsigned int file creation time; WHAT time format is this? 
+>>0 ulelong x \b, creation time %#8.8x +# raw_ping_header_size; size of ping header in bytes like: 64 +>>6 leshort !64 \b, ping header size %d +# frequency; system frequency in hertz like: 500000 +>>520 lelong x \b, frequency %d +# echo_type; Echosounder type index like: 1 +>>524 leshort x \b, echo type %#x +# file_mode; file mode mask (0x00 bathy & sidescan, 0x80 bathy, 0x40 sidescan, 0x20 seismic) +>>526 ubyte !0 \b, file mode %#2.2x +# pps_mode; PPS synch mode like: 2 +>>535 byte x \b, pps mode %#x +# char spare[8]; apparently zeroed +>>536 ubequad !0 \b, spare %#16.16llx +# Ping_number; 1st ping number like: 4944 +>>544 lelong x \b, 1st ping number %d + 0 string Start:- GeoSwatch auf text file # Seabeam 2100 @@ -88,7 +124,7 @@ # ###################################################################### -# IVS - IVS3d.com Tagged Data Represetation +# IVS - IVS3d.com Tagged Data Representation 0 string %%\ TDR\ 2.0 IVS Fledermaus TDR file # http://www.ecma-international.org/publications/standards/Ecma-363.htm diff --git a/magic/Magdir/images b/magic/Magdir/images index 904a6a93856d..48e9f6dabfc2 100644 --- a/magic/Magdir/images +++ b/magic/Magdir/images @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: images,v 1.227 2022/09/11 20:58:52 christos Exp $ +# $File: images,v 1.243 2023/07/17 16:49:09 christos Exp $ # images: file(1) magic for image formats (see also "iff", and "c-lang" for # XPM bitmaps) # @@ -179,7 +179,7 @@ # adding 65 to strength so that Netpbm images comes before "x86 boot sector" or # "DOS/MBR boot sector" identified by ./filesystems 0 name netpbm ->3 regex/s =[0-9]{1,50}[\040\t\f\r\n]+[0-9]{1,50} Netpbm image data +>3 regex/s =\^[0-9]{1,50}[\040\t\f\r\n]+[0-9]{1,50} Netpbm image data >>&0 regex =[0-9]{1,50} \b, size = %s x >>>&0 regex =[0-9]{1,50} \b %s 
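Review bot: The `GeoSwath RDF` description and the new `!:mime application/x-geoswath-rdf` are gated only by the 16-bit value at offset 4 and `>6 leshort >0`, and the hunk's own GRR comment says the signature still collides with Microsoft ETL traces. The added comments describe a 544-byte header whose 8 spare bytes are "apparently zeroed", so the commented-out test could serve as a real gate if the samples confirm it, e.g. `>>536 ulequad =0` placed above the description line. If non-zero spare bytes do occur in valid files, a short comment saying so would explain why the stronger check was left disabled.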
@@ -311,12 +311,12 @@ 0 string MM\x00\x2a TIFF image data, big-endian !:strength +70 !:mime image/tiff -!:ext tif,tiff +!:ext tif/tiff >(4.L) use \^tiff_ifd 0 string II\x2a\x00 TIFF image data, little-endian !:mime image/tiff !:strength +70 -!:ext tif,tiff +!:ext tif/tiff >(4.l) use tiff_ifd 0 name tiff_ifd @@ -625,7 +625,7 @@ >>8 string x "%s" # should be point character (2Eh) of version string according to TrID #>6 ubyte !0x2E \b, at 6 %#x -# caret character (23h) at the beginning in most or probaly all exanples +# caret character (23h) at the beginning in most or probably all examples #>0 ubyte !0x23 \b, starting with character %#x # URL: http://fileformats.archiveteam.org/wiki/DeskMate_Draw # http://en.wikipedia.org/wiki/Deskmate 
@@ -652,7 +652,86 @@ >24 string SunGKS \b, SunGKS # CGM image files -0 string BEGMF clear text Computer Graphics Metafile +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/CGM +# https://en.wikipedia.org/wiki/Computer_Graphics_Metafile +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cgm-ct.trid.xml +# http://standards.iso.org/ittf/PubliclyAvailableStandards/c032381_ISO_IEC_8632-4_1999(E).zip +# Note: called "Computer Graphics Metafile (Clear Text)" by TrID and +# "Computer Graphics Metafile ASCII" by DROID or CGM by XnView +# verified by LibreOffice and partly by XnView `nconvert -info *.CGM` +# According to TrID only letter B and M are always upcased and by DROID often only B is upcased for command BEGIN METAFILE +0 string/c begmf +# skip SOME DROID fmt-301-signature-id-359.cgm fmt-301-signature-id-361.cgm fmt-302-signature-id-364.cgm +# fmt-302-signature-id-365.cgm x-fmt-142-signature-id-350.cgm x-fmt-142-signature-id-351.cgm +>5 short !0 +# skip other versions of DROID fmt-301-signature-id-359.cgm fmt-301-signature-id-361.cgm fmt-302-signature-id-364.cgm +# fmt-302-signature-id-365.cgm x-fmt-142-signature-id-350.cgm x-fmt-142-signature-id-351.cgm +>>5 short !0xABab clear text Computer Graphics Metafile +# https://reposcope.com/mimetype/image/cgm +!:mime image/cgm +!:ext cgm +# SF:NAME like: 'metafile example'; +>>>5 string x %s +# look for command METAFILE VERSION (MFVERSION <SOFTSEP> <I:VERSION>) +>>>2 search/128/c mfversion +#>>>>&0 ubyte x SOFTSEP=%#x +# version like: 1 3 4 +>>>>&1 ubyte >0x31 \b, version %c +# Summary: Computer Graphics Metafile (binary) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cgm-bin.trid.xml +# https://standards.iso.org/ittf/PubliclyAvailableStandards/c032380_ISO_IEC_8632-3_1999(E).zip +# Note: called "Computer Graphics Metafile (binary)" by TrID and DROID or CGM by XnView +# verified by LibreOffice and partly by XnView `nconvert -info *.CGM` +# look for BEGIN METAFILE (element 
Class 0 and ID 1 and "random" Parameter) that is binary C C C C 0 0 0 0 0 0 1 P P P P P +0 ubeshort&0xFFe0 0x0020 +# skip SOME DROID fmt-303-signature-id-368.cgm fmt-304-signature-id-369.cgm fmt-305-signature-id-370.cgm fmt-306-signature-id-371.cgm +# with containing only 28 bytes +>28 ubyte x +# look for METAFILE VERSION (element class 1 and id 1 and parameter P1 with length 2) that is binary 0 0 0 1 i i i i i i 1 P P P 1 P +# with "low" version; 2nd worst case argentin.cgm with parameter length 56 +# worst MS.CGM +#>>2 search/73/b \x10\x22\0 binary Computer Graphics Metafile +>>2 search/128/b \x10\x22\0 binary Computer Graphics Metafile +!:mime image/cgm +!:ext cgm +# metafile 2 byte version number like: 1 (most) 2 3 4 +>>>&-1 ubeshort >1 \b, version %u +# length number of 1st parameter octets in range 0 to 30 implies short command +>>>0 ubeshort&0x001F <31 \b, parameter length %u +# length of string like: 8 9 10 11 12 29 +#>>>>2 ubyte x \b, %u BYTES (SHORT) +# string like: 'HiJaak 2' 'Example 1' 'sahara.cgm' 'MASTERCLIPS--Art Of Business ' +>>>>2 pstring >\0 '%s' +# after 1st short command with even parameter length comes 2nd command like: 1022h 0010h (EAF00010.CGM 'HiJaak 2' FLOPPY2.CGM TIGER.CGM 'B:\TIGER.CGM') +>>>>0 ubeshort&0x0001 =0 +>>>>>(2.b+3) ubeshort !0x1022 \b, 2nd command %#4.4x (short even) +# after 1st short command with odd parameter length comes nil padding byte followed 2nd command like: 1022h +>>>>0 ubeshort&0x0001 =1 +#>>>>>(2.b+3) ubyte !0 \b, PADDING %#x +>>>>>(2.b+4) ubeshort !0x1022 \b, 2nd command %#4.4x (short odd) +# 11111 binary (decimal 31) in the parameter field indicates that the command is in long-form +>>>0 ubeshort&0x001F =0x1F +# bit 15 is partition flag with 1 for 'not-last' partition and 0 for 'last' partition +>>>>2 ubeshort&0x8000 !0 \b, partition flag %#4.4x +# bits 0 to 14 is parameter list length; the number of following parameter octets; range 0 to 32767 +# length of 1st long command parameter like: 53 +>>>>2 
ubeshort&0x7Fff x \b, parameter length %u (long) +# The two header words are then followed by lenghth of 1st string like: 52 +#>>>>4 ubyte x \b, %u BYTES +# string like: 'K:\PROJECTS\GRAPHICS\DWKS3.5\CLIPART\FLAGS\Italy.cgm' +>>>>4 pstring/B x '%s' +# odd long parameter length implies single null padding octet to start command on word boundary +>>>>2 ubeshort&0x0001 =1 +# after 1st long command with odd parameter length comes nil padding byte followed by 2nd command like: 1022h +#>>>>>(4.b+5) ubyte !0 \b, PADDING %#x +>>>>>(4.b+6) ubeshort !0x1022 \b, 2nd command %#4.4x (long odd) +# even long parameter length implies next command directly is following +>>>>2 ubeshort&0x0001 =0 +# after 1st long command with even parameter length comes 2nd command like: 1022h 0x1054 (MS.CGM) +>>>>>(4.b+5) ubeshort !0x1022 \b, 2nd command %#4.4x (long even) +# look for END METAFILE (element class 0 and id 2 and 0 parameter) that is binary 0 0 0 0 i i i i i 1 i P P P P P +>>>-2 ubeshort !0x0040 \b, NOT_FOUND_END_METAFILE # MGR bitmaps (Michael Haardt, u31b3hs@pool.informatik.rwth-aachen.de) 0 string yz MGR bitmap, modern format, 8-bit aligned @@ -1138,7 +1217,7 @@ 0 string /*\040 # 9 byte c-comment "/* XPM */" not at the beginning like: mozicon16.xpm mozicon50.xpm (thunderbird) >0 search/0xCE /*\ XPM\ */ -# skip DROID x-fmt-208-signature-id-620.xpm by looking for char aray without explict length +# skip DROID x-fmt-208-signature-id-620.xpm by looking for char array without explict length # and match mh-logo.xpm (emacs) >>&0 search/1249 [] >>>0 use xpm-image 
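Review bot: The last added line of the binary CGM rule, `>>>-2 ubeshort !0x0040 \b, NOT_FOUND_END_METAFILE`, puts an all-caps debugging token into the user-visible description for every file whose final word is not END METAFILE, which includes truncated or padded files. Another hunk of this commit in the same file removes exactly this kind of token (`VARIANT_STANDARD`, `VARIANT_ELITE`) from the DEGAS rules. I would either word it as output, `>>>-2 ubeshort !0x0040 \b, no END METAFILE at end`, or comment the line out like the other diagnostic tests in this rule.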
@@ -1146,7 +1225,7 @@ >0 default x # words are separated by a white space which can be composed of space and tabulation characters >>0 search/0x52 static\040char\040 -# skip debug.c testmlc.c by looking for char aray without explict length +# skip debug.c testmlc.c by looking for char array without explict length # https://www.clamav.net/downloads/production/clamav-0.104.2.tar.gz # clamav-0.104.2\libclammspack\mspack\debug.c >>>&0 search/64 [] @@ -1459,22 +1538,22 @@ # skip g3test.g3 by test for unused bits of 2nd color entry >>4 ubeshort&0xF000 0 #>>>0 beshort x 1ST_VALUE=%x ->>>-0 offset x FILE_SIZE=%lld +#>>>-0 offset x FILE_SIZE=%lld # standard DEGAS low-res uncompressed bitmap *.pi1 with file size 32034 ->>>-0 offset =32034 VARIANT_STANDARD +>>>-0 offset =32034 #>>>>0 beshort x 1st_VALUE=%x # like: 8ball.pi1 teddy.pi1 sonic01.pi1 >>>>0 use degas-bitmap # about 61 DEGAS Elite low-res uncompressed bitmap *.pi1 with file size 32066 ->>>-0 offset =32066 VARIANT_ELITE +>>>-0 offset =32066 # like: spider.pi1 pinkgirl.pi1 frog3.pi1 >>>>0 use degas-bitmap # about 55 DEGAS Elite low-res uncompressed bitmap *.pi1 with file size 32128 ->>>-0 offset =32128 VARIANT_3 +>>>-0 offset =32128 # like: mountain.pi1 bigspid.pi1 alf33.pi1 >>>>0 use degas-bitmap # 1 DEGAS Elite low-res uncompressed bitmap *.pi1 with file size 44834 ->>>-0 offset =44834 VARIANT_4 +>>>-0 offset =44834 # like: kenshin.pi1 >>>>0 use degas-bitmap # DEGAS mid-res uncompressed bitmap *.pi2 (strength=50) after GEM Images like: 
@@ -1483,19 +1562,17 @@ #!:strength +0 # skip many control files like gnucash-4.8.setup.exe.aria2 by test for non black in 4 palette entries >2 quad !0 -# skip control file load-v0001.aria2 by test for unused bits of 5th color palette entry ->>10 ubeshort&0xF000 0 -# skip many GEM Image data like DANCER.IMG GAMEOVR4.IMG SHIP.IMG by test for unused bits of 8th color palette entry ->>>16 ubeshort&0xF000 0 -# skip many GEM Image data like BEETHVEN.IMG CABINETS.IMG MEMO.IMG by test for unused bits of 14th color palette entry ->>>>28 ubeshort&0xF000 0 -# skip few GEM Image data like CHURCH.IMG by test for unused bits of 15th color palette entry ->>>>>30 ubeshort&0xF000 0 -# skip many GEM Image data like TIGER.IMG TURKEY.IMG XMAS.IMG by test for unused bits of 16th color palette entry ->>>>>>32 ubeshort&0xF000 0 -# skip GEM Image data like clinton.img by test for existing bytes at the end ->>>>>>>32026 quad x ->>>>>>>>0 use degas-bitmap +# skip control file load-v0001.aria2 and many GEM Image data like +# GAMEOVR4.IMG BEETHVEN.IMG CHURCH.IMG TURKEY.IMG clinton.img +# by test for valid file sizes +# standard DEGAS mid-res uncompressed bitmap *.pi2 with file size 32034 +>>-0 offset =32034 +# (39/41) like: GEMINI03.PI2 ST_TOOLS.PI2 TBX_DEMO.PI2 +>>>0 use degas-bitmap +# few DEGAS Elite mid-res uncompressed bitmap *.pi2 with file size 32066 +>>-0 offset =32066 +# (2/41) like: medres.pi2 +>>>0 use degas-bitmap # DEGAS high-res uncompressed bitmap *.pi3 0 beshort 0x0002 # skip Intel ia64 COFF msvcrt.lib by test for unused bits of 1st atari color palette entry 
@@ -1515,8 +1592,12 @@ # 00000000 "LEREDACT.PI3" 03730773 "TBX_DEMO.PI3" #>>>>&8 ubelong x \b, LAST CHAR+NIL %8.8x >>>>&8 ubelong&0xff00ffFF !0 +# skip many Adobe Photoshop Color swatch (ANPA-Farben.aco TOYO-Farbsystem.aco) with invalid 3rd color entry (1319 2201 2206 21f5 2480 24db 25fd) +>>>>>6 ubeshort&0xF000 0 +# skip few Adobe Photoshop Color swatch (FOCOLTONE-Farben.aco "PANTONE process coated.aco") with invalid 4th color entry (ffff) +>>>>>>8 ubeshort&0xF000 0 # many DEGAS bitmap like: ARABDEMO.PI3 ELMRSESN.PI3 GEMVIEW.PI3 LEREDACT.PI3 PICCOLO.PI3 REPRO_JR.PI3 ST_TOOLS.PI3 TBX_DEMO.PI3 evgem7.pi3 ->>>>>0 use degas-bitmap +>>>>>>>0 use degas-bitmap # test for last character of Adobe PhotoShop Brush UTF16-LE string and terminating nul char >>>>&8 ubelong&0xff00ffFF =0 # select last DEGAS bitmaps by invalid last char of brush note like BASICNES.PI3 DB_HELP.PI3 DB_WRITR.PI3 LEREDACT.PI3 
@@ -1528,13 +1609,23 @@ 0 beshort 0x8000 # skip lif files handled via ./lif by test for unused bits of 1st palette entry >2 ubeshort&0xF000 0 ->>0 use degas-bitmap +# skip CRI ADX ADPCM audio (R04HT.adx R03T-15552.adx) with 44100 Hz misinterpreted as 5th color entry value AC44h +>>10 ubeshort&0xF000 0 +# skip few (fmt-840-signature-id-1195.adx fmt-840-signature-id-1199.adx) by test for 4 first non black colors in palette entries +>>>2 quad !0 +>>>>0 use degas-bitmap # DEGAS mid-res compressed bitmap *.pc2 like: abydos.pc2 ARTIS3.PC2 SMTHDRAW.PC2 STAR_2K.PC2 TX2_DEMO.PC2 0 beshort 0x8001 ->0 use degas-bitmap +# skip many (1274/1369) PostScript Type 1 font (DarkGardenMK.pfb coupbi.pfb MONOBOLD.PFB) with invalid 1st atari color palette entry 5506 5b06 6906 7906 7e06 fb15 +>2 ubeshort&0xF000 0 +# skip some (95/1369) PostScript Type 1 font (fmt-525-signature-id-816.pfb LUXEMBRG.PFB) with invalid 3rd atari color palette entry 2521 +>>6 ubeshort&0xF000 0 +>>>0 use degas-bitmap # DEGAS high-res compressed bitmap *.pc3 like: abydos.pc3 COYOTE.PC3 ELEPHANT.PC3 TX2_DEMO.PC3 SMTHDRAW.PC3 0 beshort 0x8002 ->0 use degas-bitmap +# skip some (36/212) Python Pickle (factor_cache.pickle environment.pickle) with invalid 1st atari color entry (2863 6363 7d71) +>2 ubeshort&0xF000 0 +>>0 use degas-bitmap # display information of Atari DEGAS and DEGAS Elite bitmap images 0 name degas-bitmap >0 ubyte x Atari DEGAS @@ -1621,6 +1712,19 @@ #>32058 ubequad !0 \b, channel delays %16.16llx # 
From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/GED +# https://recoil.sourceforge.net/formats.html#Atari-8-bit +# Reference: https://sourceforge.net/projects/recoil/files/recoil/6.3.4/recoil-6.3.4.tar.gz +# recoil-6.3.4/recoil.c +# http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-ged.trid.xml +# Note: called "Atari GED bitmap" by TrID; file size 11302 +# and verified by RECOIL graphic tool +0 string \xFF\xFF0SO\x7F Atari GED bitmap, 160x200 +#!:mime application/octet-stream +!:mime image/x-atari-ged +!:ext ged + +# From: Joerg Jenderek # URL: http://fileformats.archiveteam.org/wiki/ImageLab/PrintTechnic # Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-b_w.trid.xml # Note: called "ImageLab bitmap" by TrID @@ -1741,6 +1845,113 @@ >>>6 belong x 0x%8.8x >>>6 beshort x \b%4.4x +# 
From: Joerg Jenderek +# URL: https://www.adobe.com/devnet-apps/photoshop/fileformatashtml/ +# http://fileformats.archiveteam.org/wiki/Photoshop +# Reference: http://www.nomodes.com/aco.html +# Note: registers as Photoshop.SwatchesFile for Photoshop.exe on Windows +# check for valid versions like: 2 (newest) 1 (old) 0 (oldest no examples) +0 ubeshort <3 +# skip few Atari DEGAS med-res bitmap (DIAGRAM1.PI2) and many ISO 9660 CD-ROM by check for invalid low color numbers (0) +>2 ubeshort >0 +# skip few Targa (bmpsuite-15col.tga rgb24_top_left_colormap.tga) by check for invalid high color space ID (F0 1D) +>>4 ubeshort <16 +# skip many (69/327) Targa image *.TGA by check of accessing near the ending of first color space section (size=nc*5*2) +>>>(2.S*10) ubelong x +# RGB branch for Adobe Photoshop Color swatch +>>>>4 ubeshort =0 +# skip many (220/327) Targa by check of for invalid high RGB color z value (hexadecimal 2 3 2e03 4600 5e04 7502 8002 8b05 c700) +>>>>>12 ubeshort =0 +# RGB branch for Adobe Photoshop Color swatch for older versions +>>>>>>0 ubeshort <2 +>>>>>>>0 use adobe-aco +# RGB branch for Adobe Photoshop Color swatch for newer version 2 +>>>>>>0 ubeshort =2 +# skip many (74/176) Atari DEGAS hi-res bitmap (*.PI3) by check for invalid low color name length (0) +>>>>>>>16 ubeshort >0 +>>>>>>>>0 use adobe-aco +# non RGB branch for Adobe Photoshop Color swatch +>>>>4 ubeshort !0 +# non RGB branch for Adobe Photoshop Color swatch for older versions +>>>>>0 ubeshort <2 +# skip many GEM Image (CHURCH.IMG TIGER.IMG) by check for invalid second high color space ID (55 114 143 157 256 288 450) +>>>>>>14 ubeshort <16 +>>>>>>>0 use adobe-aco +# non RGB branch for Adobe Photoshop Color swatch for newer version 2 +>>>>>0 ubeshort =2 +# skip few Atari DEGAS hi-res bitmap (pal1wb-blue.pi3) and few ABR by check for invalid "high" nil bytes (7) before color name length +>>>>>>14 ubeshort =0 +>>>>>>>0 use adobe-aco +# display Adobe Photoshop Color swatch file information 
(version, number of colors, color spaces, coordinates, names) +0 name adobe-aco +>0 ubeshort x Adobe Photoshop Color swatch, version %u +#!:mime application/octet-stream +!:mime application/x-adobe-aco +!:apple ????8BCO +!:ext aco +>0 ubeshort <2 +>>(2.S*10) ubelong x +# version 2 section after version 1 section +>>>&0 ubeshort 2 and 2 +# nc; number of colors like: 20 50 86 88 126 204 300 1050 1137 1280 2092 3010 4096 +>2 ubeshort x \b, %u colors +# maybe last 4 bytes of first section (probably y z color value) like: 0 0x66660000 0xfe700000 0xffff0000 +#>(2.S*10) ubelong x 1ST_SECTION_END=%#8.8x +>0 ubeshort <2 \b; 1st +# first older Adobe Photoshop Color entry +>>4 use aco-color +>>>2 ubeshort >1 \b; 2nd +# second older Adobe Photoshop Color entry +>>>>14 use aco-color +>0 ubeshort =2 \b; 1st +# first new Adobe Photoshop Color entry +>>4 use aco-color-v2 +>>>2 ubeshort >1 \b; 2nd +# jump first color name length words +>>>>(16.S*2) ubequad x +# second new Adobe Photoshop Color entry +>>>>>&10 use aco-color-v2 +# display Adobe Photoshop Color entry (color space, color coordinates) +0 name aco-color +# each color spec entry occupies five words +# color space: 0~RGB 1~HSB 2~CMYK 3~Pantone 4~Focoltone 5~Trumatch 6~Toyo 7~Lab 8~Grayscale 9?~wideCMYK 10~HKS ... 
+#>0 ubeshort x COLOR_ENTRY +>0 ubeshort 0 RGB +>0 ubeshort 1 HSB +>0 ubeshort 2 CMYK +>0 ubeshort 3 Pantone +>0 ubeshort 4 Focoltone +>0 ubeshort 5 Trumatch +>0 ubeshort 6 Toyo +>0 ubeshort 7 Lab +>0 ubeshort 8 Grayscale +>0 ubeshort 9 wide CMYK +>0 ubeshort 10 HKS +# unofficial +# >0 ubeshort 12 foo +# >0 ubeshort 13 bar +# >0 ubeshort 14 FOO +# >0 ubeshort 15 BAR +>0 ubeshort x space (%u) +# color coordinate w +>2 ubeshort x \b, w %#x +# color coordinate x +>4 ubeshort x \b, x %#x +# color coordinate y +>6 ubeshort x \b, y %#x +# color coordinate z; zero for RGB space +>8 ubeshort x \b, z %#x +# display Adobe Photoshop Color entry version 2 (color space, color coordinates names) +0 name aco-color-v2 +>0 use aco-color +#>10 ubeshort x \b, NUL_BYTES %#x +# color name length plus one (len+1) like: 7 8 9 13 14 15 16 17 22 26 +#>>12 ubeshort x \b, LENGTH %u +>>12 ubeshort-1 x \b, %u chars +# len words; UTF-16 representation of the color name like: "DIC 1s" "PANTONE Process Yellow PC" +>>14 bestring16 x "%s" +# followed by nil word + # XV thumbnail indicator (ThMO) # URL: https://en.wikipedia.org/wiki/Xv_(software) # Reference: http://fileformats.archiveteam.org/wiki/XV_thumbnail @@ -2351,7 +2562,7 @@ # URL: http://local.wasp.uwa.edu.au/~pbourke/dataformats/pic/ # Radiance HDR; usually has .pic or .hdr extension. 0 string #?RADIANCE\n Radiance HDR image data -#!mime image/vnd.radiance +!:mime image/vnd.radiance # From: Adam Buchbinder <adam.buchbinder@gmail.com> # URL: https://www.mpi-inf.mpg.de/resources/pfstools/pfs_format_spec.pdf @@ -2537,6 +2748,7 @@ # BS encoded bitstreams 2 uleshort 0x3800 BS image, +# GRR: the above line is also true for binary Computer Graphics Metafile SAB00012.CGM with long parameter length 56 (=38h) >6 uleshort x Version %d, >4 uleshort x Quantization %d, >0 uleshort x (Decompresses to %d words) 
@@ -3720,6 +3932,29 @@ # display ICC/ICM color profile by ./icc #>>>0x154 use color-profile +# URL: http://fileformats.archiveteam.org/wiki/CorelDRAW +# https://en.wikipedia.org/wiki/CorelDRAW +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cdr-gen.trid.xml +# Note: called "CorelDRAW drawing (generic)" by TrID +# version til 2 WL-based; from version 3 til 13 handled by ./riff and from 14 zip based handled by ./archive +0 ubelong&0xFFffF7ff 0x574C6500 Corel Draw Picture +#!:mime image/x-coreldraw +!:mime application/vnd.corel-draw +!:ext cdr +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cdr-corel-10.trid.xml +# Note: called "CorelDRAW drawing (v1.0)" by TrID and +# "CorelDraw Drawing" with version "1.0" by DROID via PUID fmt/467 +# only DROID fmt-467-signature-id-726.cdr example +>2 ubyte 0x65 \b, version 1.0 +#>>4 ubelong !0x45000000 \b, at 4 %#8.8x +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cdr-corel-20.trid.xml +# Note: called "CorelDRAW drawing (v2.0)" by TrID and +# "CorelDraw Drawing" with version "2.0" by DROID via PUID fmt/466 +>2 ubyte 0x6D \b, version 2.0 +# According to DROID 0xed080000 or 0x25050000 +#>>4 ubelong !0xed080000 +#>>>4 ubelong !0x25050000 \b, at 4 %#8.8x + # Type: Crunch compressed texture. # From: David Korth <gerbilsoft@gerbilsoft.com> # References: @@ -3937,3 +4172,48 @@ #!:mime application/octet-stream !:mime image/x-idf !:ext idf + +# Type: ColoRIX VGA Paint Image File (.rix/.sci/.scX) +# 
From: Eddy Jansson <github.com/eloj> +# Reference: https://www.fileformat.info/format/rix/spec/ +# +0 name rix-header +>0 uleshort x \b, %u x +>2 uleshort x %u +# palette type: +# .. if direct color, low bits encode bpp +>4 ubyte&128 0 +>>4 ubyte&127 x \b %u bpp (direct color) +# .. else palette +>4 ubyte&128 128 +>>4 ubyte&7 0 \b x 2 +>>4 ubyte&7 1 \b x 4 +>>4 ubyte&7 2 \b x 8 +>>4 ubyte&7 3 \b x 16 +>>4 ubyte&7 4 \b x 32 +>>4 ubyte&7 5 \b x 64 +>>4 ubyte&7 6 \b x 128 +>>4 ubyte&7 7 \b x 256 +# storage type +#>5 ubyte&15 0 \b, Linear +>5 ubyte&15 1 \b, Planar (0213) +>5 ubyte&15 2 \b, Planar +>5 ubyte&15 3 \b, Text +>5 ubyte&15 4 \b, Planar lines +>5 ubyte&128 128 \b (compressed) +>5 ubyte&64 64 \b (extension) +>5 ubyte&32 32 \b (encrypted) + +0 string RIX3 ColoRIX Image +>4 use rix-header + +0 string RIX7 ColoRIX Slideshow + +# http://fileformats.archiveteam.org/wiki/PaperPort_(MAX) +0 string ViG Visioneer PaperPort +>3 string Ae 2 +>3 string Be 2 +>3 string Cj 3-4 +>3 string Em 5-7 +>3 string Fk 8-12 +>3 default x MAX diff --git a/magic/Magdir/intel b/magic/Magdir/intel index 2b57fd1b246a..5177fea45785 100644 --- a/magic/Magdir/intel +++ b/magic/Magdir/intel @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: intel,v 1.22 2022/04/02 14:47:42 christos Exp $ +# $File: intel,v 1.23 2022/10/31 13:22:26 christos Exp $ # intel: file(1) magic for x86 Unix # # Various flavors of x86 UNIX executable/object (other than Xenix, which @@ -141,7 +141,7 @@ # e80d0fcbh PXE-Intel.rom # b8004875h orchid.bin >>3 ubelong x %#8.8x -# For misidetified raspberry pi pieeprom-*.bin like: 0xf00f +# For misidentified raspberry pi pieeprom-*.bin like: 0xf00f #>2 ubeshort x \b, AT 2 %#4.4x ################################################################################ # new sections for BIOS (ia32) ROM Extension 
@@ -230,12 +230,12 @@ # PCI data structure length like: 24h 28h >>(24.s+0xA) uleshort >0x28 \b, length %u # PCI data structure revision like: 0 3 ->>(24.s+0xC) ubyte >0 \b, revison %u +>>(24.s+0xC) ubyte >0 \b, revision %u # image length (hexadecimal) in multiple of 512 bytes like: 54 56 68 6a 76 78 7c 7d 7e 7f 80 81 83 # Apparently this gives the same information as given by byte at offset 2 but as 16-bit #>>(24.s+0x10) uleshort x \b, length %u*512 # revision level of code/data like: 0 1 201h 502h ->>(24.s+0xC) ubyte >1 \b, code revison %#x +>>(24.s+0xC) ubyte >1 \b, code revision %#x # code type: 0~Intel x86/PC-AT compatible 1~Open firmware standard for PCI42 FF~Reserved >>(24.s+0x14) ubyte >0 \b, code type %#x # last image indicator; bit 7 indicates "last image"; bits 0-6 are reserved diff --git a/magic/Magdir/java b/magic/Magdir/java index b9854e54c159..d36127553513 100644 --- a/magic/Magdir/java +++ b/magic/Magdir/java @@ -1,6 +1,6 @@ #------------------------------------------------------------ -# $File: java,v 1.21 2019/02/18 17:58:50 christos Exp $ +# $File: java,v 1.22 2023/01/11 23:59:49 christos Exp $ # Java ByteCode and Mach-O binaries (e.g., Mac OS X) use the # same magic number, 0xcafebabe, so they are both handled # in the entry called "cafebabe". @@ -43,3 +43,10 @@ >6 leshort >0x00 \b, version %d >4 leshort x \b.%d !:mime application/x-java-image + +# JAR Manifest & Signature File +# Reference: https://docs.oracle.com/javase/8/docs/technotes/guides/jar/jar.html +0 string/t Manifest-Version:\x201.0 JAR Manifest +!:ext MF +0 string/t Signature-Version:\x201.0 JAR Signature File +!:ext SF diff --git a/magic/Magdir/javascript b/magic/Magdir/javascript index dcb5a93767fc..90a09cce46a2 100644 --- a/magic/Magdir/javascript +++ b/magic/Magdir/javascript 
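Review bot: The corrected line `>>(24.s+0xC) ubyte >1 \b, code revision %#x` reads the same byte at +0xC that `>>(24.s+0xC) ubyte >0 \b, revision %u` already prints as the PCI data structure revision. Its comment lists 16-bit examples (201h, 502h) for the revision level of code/data, which a `ubyte` cannot produce. Going by the neighbouring offsets in this hunk (+0x10 image length, +0x14 code type), the field appears to sit at +0x12, so the line probably should be `>>(24.s+0x12) uleshort >1 \b, code revision %#x`; worth confirming against the PCI option ROM layout while the spelling is being fixed. The enclosing rule starts outside the hunk.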
@@ -1,20 +1,70 @@ #------------------------------------------------------------------------------ -# $File: javascript,v 1.4 2022/09/02 08:08:17 christos Exp $ +# $File: javascript,v 1.5 2023/01/12 00:02:16 christos Exp $ # javascript: magic for javascript and node.js scripts. # -0 string/w #!/bin/node Node.js script text executable +0 string/tw #!/bin/node Node.js script executable !:mime application/javascript -0 string/w #!/usr/bin/node Node.js script text executable +0 string/tw #!/usr/bin/node Node.js script executable !:mime application/javascript -0 string/w #!/bin/nodejs Node.js script text executable +0 string/tw #!/bin/nodejs Node.js script executable !:mime application/javascript -0 string/w #!/usr/bin/nodejs Node.js script text executable +0 string/tw #!/usr/bin/nodejs Node.js script executable !:mime application/javascript -0 string #!/usr/bin/env\ node Node.js script text executable +0 string/t #!/usr/bin/env\ node Node.js script executable !:mime application/javascript -0 string #!/usr/bin/env\ nodejs Node.js script text executable +0 string/t #!/usr/bin/env\ nodejs Node.js script executable !:mime application/javascript + +# JavaScript +# The strength is increased to beat the C++ & HTML rules +0 search "use\x20strict" JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 search 'use\x20strict' JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex module(\\.|\\[["'])exports.*= JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex \^(const|var|let).*=.*require\\( JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex \^export\x20(function|class|default|const|var|let|async)\x20 JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex \\((async\x20)?function[(\x20] JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex \^(import|export).*\x20from\x20 JavaScript source +!:strength +30 
+!:mime application/javascript +!:ext js +0 regex \^(import|export)\x20["']\\./ JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex \^require\\(["'] JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex typeof.*[!=]== JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js + +# React Native minified JavaScript +0 search/128 __BUNDLE_START_TIME__= React Native minified JavaScript +!:strength +30 +!:mime application/javascript +!:ext bundle/jsbundle + # Hermes by Facebook https://hermesengine.dev/ # https://github.com/facebook/hermes/blob/master/include/hermes/\ # BCGen/HBC/BytecodeFileFormat.h#L24 diff --git a/magic/Magdir/jpeg b/magic/Magdir/jpeg index 2a34a5fd347b..9cebadad70d5 100644 --- a/magic/Magdir/jpeg +++ b/magic/Magdir/jpeg @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: jpeg,v 1.37 2022/06/17 18:03:35 christos Exp $ +# $File: jpeg,v 1.38 2022/12/02 17:42:04 christos Exp $ # JPEG images # SunOS 5.5.1 had # @@ -239,8 +239,7 @@ # Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jxl.trid.xml # Note: called by TrID "JPEG XL bitmap" 0 string \xff\x0a JPEG XL codestream -#!:mime image/jxl -!:mime image/x-jxl +!:mime image/jxl !:ext jxl # JPEG XL (transcoded JPEG file) @@ -249,6 +248,5 @@ # Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jxl-iso.trid.xml # Note: called by TrID "JPEG XL bitmap (ISOBMFF)" 0 string \x00\x00\x00\x0cJXL\x20\x0d\x0a\x87\x0a JPEG XL container -#!:mime image/jxl -!:mime image/x-jxl +!:mime image/jxl !:ext jxl diff --git a/magic/Magdir/lif b/magic/Magdir/lif index 89d7a8611624..3474a48d231e 100644 --- a/magic/Magdir/lif +++ b/magic/Magdir/lif 
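Review bot: Several of the added JavaScript tests are unanchored and carry `!:strength +30`: `0 search "use\x20strict"` has no `/N` range, and `0 regex typeof.*[!=]==` and `0 regex \\((async\x20)?function[(\x20]` have no `\^` anchor. The comment says the boost is meant to beat the HTML and C++ rules, so an HTML page with an inline script, or any text that quotes such a fragment, would presumably be reported as `application/javascript`. That matters for callers that use the libmagic MIME type to choose an upload policy or a sanitizer. I would bound the literal searches, e.g. `0 search/256 "use\x20strict"` (the bound is illustrative), and either anchor the two loose regexes or leave them at default strength. A comment listing the known false positives would help as well.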
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: lif,v 1.10 2021/04/26 15:56:00 christos Exp $ +# $File: lif,v 1.11 2022/10/19 20:15:16 christos Exp $ # lif: file(1) magic for lif # # (Daniel Quinlan <quinlan@yggdrasil.com>) @@ -16,9 +16,9 @@ >14 beshort =0 # skip MUNCHIE.PC1 BOARD.PC1 ENEMIES.PC1 by test for low version number >>20 ubeshort <0x0100 -# skip DEGAS MUNCHIE.PC1 BOARD.PC1 ENEMIES.PC1 by test for ASCII like volume name -#>>>2 ubelong >0x2020201F ->>>0 use lif-file +# skip DROID fmt-840-signature-id-1195.adx fmt-840-signature-id-1199.adx by test for ASCII like volume name +>>>2 ubelong >0x2020201F +>>>>0 use lif-file 0 name lif-file # LIF ID >0 beshort x lif file @@ -27,6 +27,7 @@ !:ext lif/hpi/dat # volume label; A-Z 0-9 _ ; default are 6 spaces >2 string x "%.6s" +#>2 ubelong x LABEL=%8.8x # version number; 0 for systems without extensions or 1 for model 64000 >20 ubeshort x \b, version %u # LIF identifier; 010000 for system 3000 diff --git a/magic/Magdir/linux b/magic/Magdir/linux index c715de61b1b6..ae181148dfb9 100644 --- a/magic/Magdir/linux +++ b/magic/Magdir/linux @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: linux,v 1.82 2022/09/07 11:23:44 christos Exp $ +# $File: linux,v 1.85 2023/07/17 14:40:09 christos Exp $ # linux: file(1) magic for Linux files # # Values for Linux/i386 binaries, from Daniel Quinlan <quinlan@yggdrasil.com> @@ -67,8 +67,8 @@ >16 lelong x %d characters, >12 lelong&0x01 0 no directory, >12 lelong&0x01 !0 Unicode directory, ->24 lelong x %d ->28 lelong x \bx%d +>28 lelong x %d +>24 lelong x \bx%d # Linux swap and hibernate files # Linux kernel: include/linux/swap.h @@ -380,26 +380,96 @@ # Systemd journald files # See https://www.freedesktop.org/wiki/Software/systemd/journal-files/. # 
From: Zbigniew Jedrzejewski-Szmek <zbyszek@in.waw.pl> - -# check magic +# Update: Joerg Jenderek +# URL: https://systemd.io/JOURNAL_FILE_FORMAT/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/j/journal-sysd.trid.xml +# Note: called "systemd journal" by TrID +# verified by `journalctl --file=user-1000.journal` +# check magic signature[8] 0 string LPKSHHRH # check that state is one of known values +# STATE_OFFLINE~0 STATE_ONLINE~1 STATE_ARCHIVED~2 >16 ubyte&252 0 # check that each half of three unique id128s is non-zero +# file_id >>24 ubequad >0 >>>32 ubequad >0 +# machine_id >>>>40 ubequad >0 >>>>>48 ubequad >0 +# boot_id; last writer >>>>>>56 ubequad >0 >>>>>>>64 ubequad >0 Journal file -!:mime application/octet-stream +#!:mime application/octet-stream +!:mime application/x-linux-journal # provide more info +# head_entry_realtime; contains a POSIX timestamp stored in microseconds +>>>>>>>>184 leqdate/1000000 !0 \b, %s >>>>>>>>184 leqdate 0 empty ->>>>>>>>16 ubyte 0 \b, offline ->>>>>>>>16 ubyte 1 \b, online +# If a file is closed after writing the state field should be set to STATE_OFFLINE +>>>>>>>>16 ubyte 0 \b, +# for offline and empty only journal~ extension found +>>>>>>>>>184 leqdate 0 offline +# https://man7.org/linux/man-pages/man8/systemd-journald.service.8.html +# GRR: add char ~ inside parse_ext in ../../src/apprentice.c to avoid in file version 5.44 error like: +# Magdir/linux, 463: Warning: EXTENSION type ` journal~' has bad char '~' +!:ext journal~ +# for offline and non empty often *.journal~ but also user-1001.journal +>>>>>>>>>184 leqdate !0 offline +!:ext journal/journal~ +# if a file is opened for writing the state field should be set to STATE_ONLINE +>>>>>>>>16 ubyte 1 \b, +# for online and empty only journal~ extension found +>>>>>>>>>184 leqdate 0 online +# system@0005febee06e2ff2-f7ea54d10e4346ff.journal~ +!:ext journal~ +# for online and non empty only journal extension found +>>>>>>>>>184 leqdate !0 online +# system.journal 
user-1000.journal +!:ext journal +# after a file has been rotated it should be set to STATE_ARCHIVED >>>>>>>>16 ubyte 2 \b, archived +!:ext journal +# no *.journal~ found +#!:ext journal/journal~ +# compatible_flags >>>>>>>>8 ulelong&1 1 \b, sealed +# incompatible_flags; COMPRESSED_XZ~1 COMPRESSED_LZ4~2 KEYED_HASH~4 COMPRESSED_ZSTD~8 COMPACT~16 +#>>>>>>>>12 ulelong x FLAGS=%#x >>>>>>>>12 ulelong&1 1 \b, compressed +>>>>>>>>12 ulelong&2 !0 \b, compressed lz4 +>>>>>>>>12 ulelong&4 !0 \b, keyed hash siphash24 +>>>>>>>>12 ulelong&8 !0 \b, compressed zstd +>>>>>>>>12 ulelong&16 !0 \b, compact +# uint8_t reserved[7]; apparently nil +#>>17 long !0 \b, reserved %#8.8x +# seqnum_id; like: 0 e623691afec94b5aa968ae2d726c49cc f98b2af481924b29 8d6816ca3639edc6 +#>>>>>>>>72 ubequad x \b, seqnum_id %#16.16llx +#>>>>>>>>80 ubequad x b%16.16llx +# header_size like: 100h +>>>>>>>>88 ulequad !0x100h \b, header size %#llx +# arena_size like: 0 7fff00h ffff00h 17fff00h +#>>>>>>>>96 ulequad >0 \b, arena size %#llx +# data_hash_table_offset like: 0 15f0h 15f0h +#>>>>>>>>104 ulequad >0 \b, hash table offset %#llx +# data_hash_table_size like: 0 38e380h +#>>>>>>>>112 ulequad >0 \b, hash table size %#llx +# field_hash_table_offset like: 0 110h +#>>>>>>>>120 ulequad >0 \b, field hash table offset %#llx +# field_hash_table_size like: 0 14d0h +#>>>>>>>>128 ulequad >0 \b, field hash table size %#llx +# tail_object_offset like: 0 43edd8h 511278h c68968h d487d0h efaa98h +#>>>>>>>>136 ulequad >0 \b, tail object offset %#llx +# n_objects like: 0 1032h 5a2eh 92bdh a8b5h aa75h 112adh 40c23h 4714eh +#>>>>>>>>144 ulequad >0 \b, objects %#llx +# n_entries like: 0 3aeh 235ah 2dc4h 3125h 16129h 187a1h +>>>>>>>>152 ulequad >0 \b, entries %#llx +# tail_entry_seqnum like: 0 1988h 16249h 24c12h 24c12h 41e64h 9fefdh +#>>>>>>>>160 ulequad >0 \b, tail entry seqnum %#llx +# head_entry_seqnum like: 0 1h 15dbh 6552h 213bfh 213bfh 3e672h 9a28ah +#>>>>>>>>168 ulequad >0 \b, head entry seqnum %#llx +# 
entry_array_offset like: 0 390058h 3909d8h 3909e0h +#>>>>>>>>176 ulequad >0 \b, entry array offset %#llx # BCache backing and cache devices # From: Gabriel de Perthuis <g2p.code@gmail.com> @@ -492,9 +562,12 @@ 0 lelong 0x58313116 CRIU inventory # Kdump compressed dump files -# https://sourceforge.net/p/makedumpfile/code/ci/master/tree/IMPLEMENTATION +# https://github.com/makedumpfile/makedumpfile/blob/master/IMPLEMENTATION + +0 string KDUMP\x20\x20\x20 Kdump compressed dump +>0 use kdump-compressed-dump -0 string KDUMP Kdump compressed dump +0 name kdump-compressed-dump >8 long x v%d >12 string >\0 \b, system %s >77 string >\0 \b, node %s @@ -503,6 +576,12 @@ >272 string >\0 \b, machine %s >337 string >\0 \b, domain %s +# Flattened format +0 string makedumpfile +>16 bequad 1 +>>0x1010 string KDUMP\x20\x20\x20 Flattened kdump compressed dump +>>>0x1010 use kdump-compressed-dump + # Device Tree files 0 search/1024 /dts-v1/ Device Tree File (v1) # beat c code diff --git a/magic/Magdir/llvm b/magic/Magdir/llvm index 2691ef1ac92f..6befe7a8bf0f 100644 --- a/magic/Magdir/llvm +++ b/magic/Magdir/llvm @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: llvm,v 1.9 2019/04/19 00:42:27 christos Exp $ +# $File: llvm,v 1.10 2023/03/11 17:54:17 christos Exp $ # llvm: file(1) magic for LLVM byte-codes # URL: https://llvm.org/docs/BitCodeFormat.html # From: Al Stone <ahs3@fc.hp.com> @@ -9,6 +9,7 @@ 0 string llvc0 LLVM byte-codes, null compression 0 string llvc1 LLVM byte-codes, gzip compression 0 string llvc2 LLVM byte-codes, bzip2 compression +0 string CPCH LLVM Pre-compiled header file 0 lelong 0x0b17c0de LLVM bitcode, wrapper # Are these Mach-O ABI values? They appear to be. diff --git a/magic/Magdir/macintosh b/magic/Magdir/macintosh index 905e4d6e1500..a74aac487caa 100644 --- a/magic/Magdir/macintosh +++ b/magic/Magdir/macintosh 
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: macintosh,v 1.32 2021/04/26 15:56:00 christos Exp $ +# $File: macintosh,v 1.36 2022/12/06 18:45:20 christos Exp $ # macintosh description # # BinHex is the Macintosh ASCII-encoded file format (see also "apple") @@ -95,7 +95,10 @@ # MacBinary format (Eric Fischer, enf@pobox.com) # Update: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/MacBinary +# http://fileformats.archiveteam.org/wiki/MacBinary # Reference: https://files.stairways.com/other/macbinaryii-standard-info.txt +# Note: verified by macutils `macunpack -i -v BBEdit4.0.sit.bin` and +# `deark -l -d -m macbinary G3FirmwareUpdate1.1.smi.bin` # # Unfortunately MacBinary doesn't really have a magic number prior # to the MacBinary III format. @@ -114,19 +117,19 @@ >>>>74 byte 0 # zero fill, must be zero for compatibility >>>>>82 byte 0 +# skip few DEGAS mid-res uncompressed bitmap (GEMINI03.PI2 CODE_RAM.PI2) with "too high" file names ffffff88 ffff4f00 +>>>>>>2 ubelong <0xffff0000 # MacBinary I test for valid version numbers ->>>>>>122 ubeshort 0 -# additional check for creation date after 1 Jan 1970 ~ 7C25B080h -#>>>>>>>91 ubelong >0x7c25b07F +>>>>>>>122 ubeshort 0 # additional check for undefined header fields in MacBinary I -#>>>>>>>101 ulong 0 ->>>>>>>0 use mac-bin +#>>>>>>>>101 ulong 0 +>>>>>>>>0 use mac-bin # MacBinary II the newer versions begins at 129 ->>>>>>122 ubeshort 0x8181 ->>>>>>>0 use mac-bin +>>>>>>>122 ubeshort 0x8181 +>>>>>>>>0 use mac-bin # MacBinary III with MacBinary II to read ->>>>>122 ubeshort 0x8281 ->>>>>>0 use mac-bin +>>>>>>122 ubeshort 0x8281 +>>>>>>>0 use mac-bin # display information of MacBinary file 0 name mac-bin 
@@ -139,7 +142,7 @@ !:mime application/x-macbinary !:apple PSPTBINA !:ext bin/macbin -# THIS SHOULD NEVER HAPPEN! Maybe another file type is misidetified as MacBinary +# THIS SHOULD NEVER HAPPEN! Maybe another file type is misidentified as MacBinary #>1 ubyte >63 \b, name length %u too BIG! #>122 ubeshort x \b, version %#x # Finder flags if not 0 @@ -180,12 +183,16 @@ # 124 beshort # checksum #>124 ubeshort !0 \b, CRC %#x # creation date in seconds since MacOS epoch start. So 1 Jan 1970 ~ 7C25B080 ->91 beldate-0x7C25B080 x \b, %s -# THIS SHOULD NEVER HAPPEN! Maybe another file type is misidetified or time overflow +# few (31/1247) examples (hinkC4.0.sitx.bin InternetExplorer5.1.smi.bin G3FirmwareUpdate1.1.smi.bin Firewire2.3.3.smi.bin LR2image.bin) contain zeroed date fields +>91 long !0 +>>91 beldate-0x7C25B080 x \b, %s +# THIS SHOULD NEVER HAPPEN! Maybe another file type is misidentified or time overflow >91 ubelong <0x7c25b080 INVALID date -#>91 belong-0x7C25B080 x \b, DEBUG DATE %d +# reported date seconds by deark +#>91 ubelong x deark-DATE=%u # last modified date ->95 beldate-0x7C25B080 x \b, modified %s +>95 long !0 +>>95 beldate-0x7C25B080 x \b, modified %s # Apple creator+typ if not null # file creator (normally expressed as four characters) >69 ulong !0 \b, creator @@ -197,6 +204,7 @@ # length of data segment >83 ubelong !0 \b, %u bytes # filename (in the range 1-63) +# like "BBEdit4.0.sit" "Archive.sitx" "MacPGP 2.2 (.sea)" >1 pstring x "%s" # print 1 space and then at offset 128 inspect data fork content if it has one >83 ubelong !0 \b @@ -447,7 +455,7 @@ >>>0x412 beshort x number of blocks: %d, >>>0x424 pstring x volume name: %s -0x400 beshort 0x482B Macintosh HFS Extended +0 name hfsplus >&0 beshort x version %d data >0 beshort 0x4C4B (bootable) >0x404 belong ^0x00000100 (mounted) 
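Review bot: Turning the `0x400 beshort 0x482B` entry into `0 name hfsplus` leaves the direct-offset tests `>0 beshort 0x4C4B (bootable)` and `>0x404 belong ^0x00000100 (mounted)` inside a named entry. As I read magic(5), direct offsets in a named instance are relative to the offset of the calling `use` line. The next hunk calls it with `>&0 use hfsplus` after a two-byte match at 0x400, so these two tests would no longer look at file offsets 0 and 0x404. If that reading holds, keep them with the callers, i.e. repeat `>0 beshort 0x4C4B (bootable)` and `>0x404 belong ^0x00000100 (mounted)` under each `0x400 beshort …` line, and confirm against a bootable HFS+ image. The body of `hfsplus` continues outside this hunk.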
@@ -466,6 +474,11 @@ >&42 belong x number of blocks: %d, >&46 belong x free blocks: %d +0x400 beshort 0x482B Apple HFS Plus +>&0 use hfsplus +0x400 beshort 0x4858 Apple HFS Plus Extended +>&0 use hfsplus + ## AFAIK, only the signature is different # same as Apple Partition Map # GRR: This magic is too weak, it is just "TS" @@ -490,14 +503,3 @@ # From: Remi Mommsen <mommsen@slac.stanford.edu> 0 string BOMStore Mac OS X bill of materials (BOM) file -# From: Adam Buchbinder <adam.buchbinder@gmail.com> -# URL: https://en.wikipedia.org/wiki/Datafork_TrueType -# Derived from the 'fondu' and 'ufond' source code (fondu.sf.net). 'sfnt' is -# TrueType; 'POST' is PostScript. 'FONT' and 'NFNT' sometimes appear, but I -# don't know what they mean. -0 belong 0x100 ->(0x4.L+24) beshort x ->>&4 belong 0x73666e74 Mac OSX datafork font, TrueType ->>&4 belong 0x464f4e54 Mac OSX datafork font, 'FONT' ->>&4 belong 0x4e464e54 Mac OSX datafork font, 'NFNT' ->>&4 belong 0x504f5354 Mac OSX datafork font, PostScript diff --git a/magic/Magdir/magic b/magic/Magdir/magic index 0de332aa3bfb..c8aa054b722b 100644 --- a/magic/Magdir/magic +++ b/magic/Magdir/magic 
@@ -1,10 +1,71 @@ #------------------------------------------------------------------------------ -# $File: magic,v 1.10 2010/11/25 15:00:12 christos Exp $ +# $File: magic,v 1.11 2023/06/27 13:42:49 christos Exp $ # magic: file(1) magic for magic files # -0 string/t #\ Magic magic text file for file(1) cmd +# Update: Joerg Jenderek +# skip Magicsee_R1.cfg found on retropie starting with # Magicsee R1 one-handed controller +0 string/t #\ Magic\ magic text file for file(1) cmd +#!:mime text/plain +!:mime text/x-file +# no suffix in ../Header +!:ext / +# +# some samples start with a comment line +0 ubyte =0x23 +# many samples start with separator line +>4 string -------- +>>0 use magic-fragment +# few samples with 1st comment line and without seperator comment line +>4 default x +# few sample with 1st comment line and without seperator comment line and regular expression like: sisu +>>1 search/112 regex\x09 +>>>0 use magic-fragment +>>1 default x +# few samples with 1st comment line and without seperator comment line and string value like: +# blcr bsi selinux ssh (file 3.34) digital gnu wordperfect +>>>1 search/471 string\x09 +>>>>0 use magic-fragment +>>>1 default x +# few samples with 1st comment line and without seperator comment line and short value like: +# (file 3.34) os9 osf1 +>>>>1 search/1716 short\x09 +>>>>>0 use magic-fragment +# but many samples start with an empty first line +0 ubyte =0x0A +# many samples sttart with separator comment line +>4 string -------- +>>0 use magic-fragment +# few samples with 1st empty line and without seperator comment line like: biosig espressif +>4 default x +>>1 search/581 \041:mime +>>>0 use magic-fragment +# display information (lines) about magic text fragment +0 name magic-fragment +>0 string x magic text fragment for file(1) cmd +!:mime text/x-file +# most without suffix but mail.news varied.out varied.script +!:ext /news/out/script +# next lines are mainly for control reasons +# some (34/339) samples start comment line 
+>0 ubyte !0x0A +>>0 string x \b, 1st line "%s" +>>>&1 string x \b, 2nd line "%s" +# but most (305/339) samples start with an empty first line +>0 ubyte =0x0A +>>1 string x \b, 2nd line "%s" +>>>&1 string x \b, 3rd line "%s" +# +# URL: http://en.wikipedia.org/wiki/File_(command) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/mgc.trid.xml +# Note: called "magic compiled data (LE)" by TrID 0 lelong 0xF11E041C magic binary file for file(1) cmd +#!:mime application/octet-stream +!:mime application/x-file +!:ext mgc >4 lelong x (version %d) (little endian) 0 belong 0xF11E041C magic binary file for file(1) cmd +#!:mime application/octet-stream +!:mime application/x-file +!:ext mgc >4 belong x (version %d) (big endian) diff --git a/magic/Magdir/mail.news b/magic/Magdir/mail.news index ed6e7a6c4927..3ca3b405f613 100644 --- a/magic/Magdir/mail.news +++ b/magic/Magdir/mail.news @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: mail.news,v 1.29 2022/06/17 18:02:19 christos Exp $ +# $File: mail.news,v 1.30 2022/10/31 13:22:26 christos Exp $ # mail.news: file(1) magic for mail and news # # Unfortunately, saved netnews also has From line added in some news software. @@ -65,7 +65,7 @@ # other ID (like 02900000h) or TnefVersion ID (idTnefVersion=06900800h) >7 ubelong !0x06900800 \b, 1st id %#8.8x >7 ubelong =0x06900800 -# TnefVersion lenght like: 4 +# TnefVersion length like: 4 >>11 ulelong !4 \b, TnefVersion length %x # TNEFVersionData; TnefVersion data like: 00010000h >>15 ulelong !0x00010000h \b, version %#8.8x diff --git a/magic/Magdir/map b/magic/Magdir/map index 2e8d0797d319..2d56df015631 100644 --- a/magic/Magdir/map +++ b/magic/Magdir/map @@ -1,7 +1,7 @@ #------------------------------------------------------------------------------ -# $File: map,v 1.9 2021/04/26 15:56:00 christos Exp $ +# $File: map,v 1.10 2023/02/03 20:41:57 christos Exp $ # map: file(1) magic for Map data # 
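Review bot: The new top-level test `0 ubyte =0x23` followed by `>4 string --------` accepts any file whose first line is `#` plus a run of dashes, which is also how many shell scripts and configuration files begin; those would be reported as `magic text fragment for file(1) cmd` with `text/x-file`. The fallback branches are similarly loose, matching `string\x09` or `short\x09` within the given search ranges after a leading `#`. A second condition tied to magic files would narrow this, for example requiring the `$File:` tag seen in the Magdir headers: `>>0 search/256 $File:` with `>>>0 use magic-fragment` beneath it (range illustrative, and only if the sample set allows it). The comments in this hunk also misspell `seperator` and `sttart`.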
@@ -406,3 +406,8 @@ >>>>5 byte x \b%d, >>>>6 leshort x product ID %04d) +# Garmin firmware: +# https://www.memotech.franken.de/FileFormats/Garmin_GCD_Format.pdf +# https://www.gpsrchive.com/GPSMAP/GPSMAP%2066sr/Firmware.html +0 string GARMIN +>6 uleshort 100 GARMIN firmware (version 1.0) diff --git a/magic/Magdir/mathematica b/magic/Magdir/mathematica index 1563e34ba21a..dda71e884edb 100644 --- a/magic/Magdir/mathematica +++ b/magic/Magdir/mathematica 
@@ -1,48 +1,59 @@ #------------------------------------------------------------------------------ -# $File: mathematica,v 1.14 2021/11/07 16:27:36 christos Exp $ +# $File: mathematica,v 1.17 2023/06/16 19:33:58 christos Exp $ # mathematica: file(1) magic for mathematica files # "H. Nanosecond" <aldomel@ix.netcom.com> # Mathematica a multi-purpose math program # versions 2.2 and 3.0 -#mathematica .mb -0 string \064\024\012\000\035\000\000\000 Mathematica version 2 notebook -!:ext mb -0 string \064\024\011\000\035\000\000\000 Mathematica version 2 notebook +0 name wolfram +>0 string x Mathematica notebook version 2.x !:ext mb +!:mime application/vnd.wolfram.mathematica + +#mathematica .mb +0 string \064\024\012\000\035\000\000\000 +>0 use wolfram +0 string \064\024\011\000\035\000\000\000 +>0 use wolfram + +# +0 search/1000 Content-type:\040application/mathematica Mathematica notebook version 2.x +!:ext nb +!:mime application/mathematica + # .ma # multiple possibilities: -0 string (*^\n\n::[\011frontEndVersion\ =\ Mathematica notebook +0 string (*^\n\n::[\011frontEndVersion\ = #>41 string >\0 %s -!:ext mb +>0 use wolfram -#0 string (*^\n\n::[\011palette Mathematica notebook version 2.x +#0 string (*^\n\n::[\011palette -#0 string (*^\n\n::[\011Information Mathematica notebook version 2.x +#0 string (*^\n\n::[\011Information #>675 string >\0 %s #doesn't work well # there may be 'cr' instead of 'nl' in some does this matter? 
# generic: -0 string (*^\r\r::[\011 Mathematica notebook version 2.x -!:ext mb -0 string (*^\r\n\r\n::[\011 Mathematica notebook version 2.x -!:ext mb -0 string (*^\015 Mathematica notebook version 2.x -!:ext mb -0 string (*^\n\r\n\r::[\011 Mathematica notebook version 2.x -!:ext mb -0 string (*^\r::[\011 Mathematica notebook version 2.x -!:ext mb -0 string (*^\r\n::[\011 Mathematica notebook version 2.x -!:ext mb -0 string (*^\n\n::[\011 Mathematica notebook version 2.x -!:ext mb -0 string (*^\n::[\011 Mathematica notebook version 2.x -!:ext mb +0 string (*^\r\r::[\011 +>0 use wolfram +0 string (*^\r\n\r\n::[\011 +>0 use wolfram +0 string (*^\015 +>0 use wolfram +0 string (*^\n\r\n\r::[\011 +>0 use wolfram +0 string (*^\r::[\011 +>0 use wolfram +0 string (*^\r\n::[\011 +>0 use wolfram +0 string (*^\n\n::[\011 +>0 use wolfram +0 string (*^\n::[\011 +>0 use wolfram # Mathematica .mx files @@ -132,14 +143,18 @@ >>>>0 ulelong <53 # skip tokens.dat and some Netwfw*.dat by check for valid imaginary flag value of MAT version 4 >>>>>12 ulelong <2 -# no misidentfied little endian MATrix example with "short" matrix name +# no misidentified little endian MATrix example with "short" matrix name >>>>>>16 ulelong <3 ->>>>>>>0 use \^matlab4 +# skip radeon firmware BONAIRE_sdma.bin HAWAII_sdma.bin KABINI_sdma.bin KAVERI_sdma.bin MULLINS_sdma.bin +# by check for non zero matrix name length +>>>>>>>16 ubelong >0 +>>>>>>>>0 use \^matlab4 # little endian MATrix with "long" matrix name or some misidentified samples >>>>>>16 ulelong >2 # skip TileCacheLogo-*.dat with invalid 2nd character \001 of matrix name with length 96 >>>>>>>21 ubyte >0x1F >>>>>>>>0 use \^matlab4 +# Note: called "MATLAB Mat File" with version "Level 4" by DROID via PUID fmt/1550 # display information of Matlab v4 mat-file 0 name matlab4 Matlab v4 mat-file #!:mime application/octet-stream diff --git a/magic/Magdir/meteorological b/magic/Magdir/meteorological index 9e7a3f1bcca6..725982f8d907 100644 
--- a/magic/Magdir/meteorological +++ b/magic/Magdir/meteorological @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: meteorological,v 1.2 2017/03/17 21:35:28 christos Exp $ +# $File: meteorological,v 1.4 2022/12/09 18:02:09 christos Exp $ # rinex: file(1) magic for RINEX files # http://igscb.jpl.nasa.gov/igscb/data/format/rinex210.txt # ftp://cddis.gsfc.nasa.gov/pub/reports/formats/rinex300.pdf @@ -45,5 +45,9 @@ # https://en.wikipedia.org/wiki/GRIB 0 string GRIB ->7 byte =1 Gridded binary (GRIB) version 1 +>7 byte =1 Gridded binary (GRIB) version 1 +!:mime application/x-grib +!:ext grb/grib >7 byte =2 Gridded binary (GRIB) version 2 +!:mime application/x-grib2 +!:ext grb2/grib2 diff --git a/magic/Magdir/misctools b/magic/Magdir/misctools index 4292e2b0401a..dc1542adacd7 100644 --- a/magic/Magdir/misctools +++ b/magic/Magdir/misctools 
@@ -1,11 +1,71 @@ #----------------------------------------------------------------------------- -# $File: misctools,v 1.20 2021/05/25 15:13:55 christos Exp $ +# $File: misctools,v 1.21 2023/02/03 20:43:48 christos Exp $ # misctools: file(1) magic for miscellaneous UNIX tools. # 0 search/1 %%!! X-Post-It-Note text -0 string/c BEGIN:VCALENDAR vCalendar calendar file -!:mime text/calendar +# URL: http://fileformats.archiveteam.org/wiki/ICalendar +# https://en.wikipedia.org/wiki/ICalendar +# Update: Joerg Jenderek +# Reference: https://www.rfc-editor.org/rfc/rfc5545 +# http://mark0.net/download/triddefs_xml.7z/defs/v/vcs.trid.xml +# Note: called "iCalendar - vCalendar" by TrID +0 string/c BEGIN:vcalendar +# skip DROID fmt-387-signature-id-572.vcs fmt-388-signature-id-573.ics +# with invalid separator 0x0 or 0xAB instead of CarriageReturn (0x0D) or LineFeed (0x0A) +>15 ubyte&0xF8 =0x08 +# look for VERSION keyword often on second line but sometimes later as in holidays_NRW_2014.ics +>>0 search/188 VERSION +# after VERSION keword :1.0 or often :2.0 but sometimes also ;VALUE=TEXT:2.0 like in Jewish religious Juish.ics +# http://www.webcal.guru/de-DE/kalender_herunterladen?calendar_instance_id=217 +# \n\040:2.0 like in import-real-world-2004-11-19.ics found at +# https://ftp.gnu.org/gnu/emacs/emacs-28.1.tar.xz +# emacs-28.1/test/lisp/calendar/icalendar-resources/import-real-world-2004-11-19.ics +#>>>&0 string x AFTER_VERSION=%.15s +# Note: called "Internet Calendar and Scheduling format" by DROID via PUID fmt/388 +# skip optional verparam=;other-param like ;VALUE=TEXT and look for version 2.0 that implies iCalendar variant +>>>&0 search/81 :2.0 iCalendar calendar +# look for Free/Busy component +>>>>15 search/278 :VFREEBUSY file, with Free/Busy component +!:mime text/calendar +!:apple ????iFBf +# no real examples found but only example on Wikipedia page +!:ext ifb +# iCalendar calendar without Free/Busy component +>>>>15 default x +# look for ALARM component +>>>>>15 
search/154 :VALARM file, with ALARM component +!:mime text/calendar +!:apple ????iCal +# found on macOS beneath /Users/$USER/Library/Calendars/ as EventAllDayAlarms.icsalarm or EventTimedAlarms.icsalarm +# no isc examples found +!:ext icsalarm/ics +# iCalendar calendar without Free/Busy component and ALARM component +>>>>>15 default x file +!:mime text/calendar +!:apple ????iCal +# no examples found with .ical .icalender suffix +!:ext ics +# if no VERSION 2.0 is found then assume it is VERSION 1.0, that is older vCalendar +# URL: http://fileformats.archiveteam.org/wiki/VCalendar +# Note: called "VCalendar format" by DROID via fmt/387 +>>>&0 default x vCalendar calendar file +# deprecated +!:mime text/x-vcalendar +!:ext vcs +# GRR: without VERSION keyword violates specification but accepted by Thunderbird like +# https://ftp.gnu.org/gnu/emacs/emacs-28.1.tar.xz +# emacs-28.1/test/lisp/calendar/icalendar-resources/import-with-timezone.ics +>>0 default x vCalendar calendar file, without VERSION +!:mime text/x-vcalendar +#!:mime text/calendar +# no vcs example found +!:ext ics/vcs +# GRR: According to newest specification CarriageReturn (0xD) and LineFeed (0xA) should be used as separator but others accepted by Thunderbird +# like CRLF,LF in Sport Today.vcs created by calendar plugin of TV-Browser https://enwiki.tvbrowser.org/index.php/Calendar_Export +# or LF like https://www.schulferien.org/media/ical/deutschland/ferien_nordrhein-westfalen_2023.ics?k=foo +>>15 ubeshort !0x0D0A \b, without CRLF + # updated by Joerg Jenderek at Apr 2015, May 2021 # https://en.wikipedia.org/wiki/VCard # URL: http://fileformats.archiveteam.org/wiki/VCard diff --git a/magic/Magdir/modem b/magic/Magdir/modem index 6eb21136e462..5d59401f6cb2 100644 --- a/magic/Magdir/modem +++ b/magic/Magdir/modem 
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: modem,v 1.10 2021/04/26 15:56:00 christos Exp $ +# $File: modem,v 1.11 2022/10/19 20:15:16 christos Exp $ # modem: file(1) magic for modem programs # # From: Florian La Roche <florian@knorke.saar.de> @@ -11,6 +11,7 @@ # Summary: CCITT Group 3 Facsimile in "raw" form (i.e. no header). # Modified by: Joerg Jenderek # URL: https://de.wikipedia.org/wiki/Fax +# http://fileformats.archiveteam.org/wiki/CCITT_Group_3 # Reference: https://web.archive.org/web/20020628195336/http://www.netnam.vn/unescocourse/computervision/104.htm # GRR: EOL of G3 is too general as it catches also TrueType fonts, Postscript PrinterFontMetric, others 0 short 0x0100 @@ -32,7 +33,10 @@ # skip MouseTrap/Mt.Defaults with file size 16 found on Golden Orchard Apple II CD Rom >>>>>>8 ubequad !0x2e01010454010203 # skip PICTUREH.SML found on Golden Orchard Apple II CD Rom ->>>>>>>8 ubequad !0x5dee74ad1aa56394 raw G3 (Group 3) FAX, byte-padded +>>>>>>>8 ubequad !0x5dee74ad1aa56394 +# skip few (5/41) DEGAS mid-res bitmap (GEMINI01.PI2 GEMINI02.PI2 GEMINI03.PI2 CODE_RAM.PI2 TBX_DEMO.PI2) +# with file size 32034 +>>>>>>>>-0 offset !32034 raw G3 (Group 3) FAX, byte-padded # version 5.25 labeled the entry above "raw G3 data, byte-padded" !:mime image/g3fax #!:apple ????TIFF @@ -43,7 +47,9 @@ # 16 0-bits near beginning like PicturePuzzler found on Golden Orchard Apple CD Rom >2 search/9 \0\0 # maximal 7 0-bits for pixel sequences or 11 0-bits for EOL in G3 ->2 default x raw G3 (Group 3) FAX +>2 default x +# skip some (84/1246) MacBinary II/III (Cyberdog2.068k.smi.bin FileMakerPro4.img.bin Hypercard1.25.image.bin UsbStorage1.3.5.smi.bin) with "non random" numbers by versions values 81h/82h + 81h +>>122 ubeshort&0xFcFf !0x8081 raw G3 (Group 3) FAX # version 5.25 labeled the above entry as "raw G3 data" !:mime image/g3fax !:ext g3 
diff --git a/magic/Magdir/msdos b/magic/Magdir/msdos index b9ed3439cea6..aacf85946b09 100644 --- a/magic/Magdir/msdos +++ b/magic/Magdir/msdos @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: msdos,v 1.158 2022/09/07 11:17:31 christos Exp $ +# $File: msdos,v 1.169 2023/04/17 16:39:19 christos Exp $ # msdos: file(1) magic for MS-DOS files # 
@@ -49,29 +49,127 @@ # # Many of the compressed formats were extracted from IDARC 1.23 source code. # +# e_magic 0 string/b MZ -# All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file. ->0x18 leshort <0x40 MS-DOS executable +# TODO +# FLT: Syntrillium CoolEdit Filter https://en.wikipedia.org/wiki/Adobe_Audition +# FMX64:FileMaker Pro 64-bit plug-in https://en.wikipedia.org/wiki/FileMaker +# FMX: FileMaker Pro 32-bit plug-in https://en.wikipedia.org/wiki/FileMaker +# FOD: WIFE Font Driver +# GAU: MS Flight Simulator Gauge +# IFS: OS/2 Installable File System https://en.wikipedia.org/wiki/OS/2 +# MEXW32:MATLAB Windows 32bit compiled function https://en.wikipedia.org/wiki/MATLAB +# MEXW64:MATLAB Windows 64bit compiled function https://en.wikipedia.org/wiki/MATLAB +# MLL: Maya plug-in (generic) http://en.wikipedia.org/wiki/Autodesk_Maya +# PFL: PhotoFilter plugin http://photofiltre.free.fr +# 8*: PhotoShop plug-in (generic) http://www.adobe.com/products/photoshop/main.html +# PLG: Aston Shell plugin http://www.astonshell.com/ +# QLB: Microsoft Basic Quick library https://en.wikipedia.org/wiki/QuickBASIC +# SKL: WinLIFT skin http://www.zapsolution.com/winlift/index.htm +# TBK: Asymetrix ToolBook application http://www.toolbook.com +# TBP: The Bat! plugin http://www.ritlabs.com +# UPC: Ultimate Paint Graphics Editor plugin http://ultimatepaint.j-t-l.com +# XFM: Syntrillium Cool Edit Transform Effect bad http://www.cooledit.com +# XPL: X-Plane plugin http://www.xsquawkbox.net/xpsdk/ +# ZAP: ZoneLabs Zone Alarm data http://www.zonelabs.com +# +# NEXT LINES FOR DEBUGGING! +# e_cblp; bytes on last page of file +# e_cp; pages in file +#>4 uleshort x \b, e_cp 0x%x +# e_lfanew; file address of new exe header +#>0x3c ulelong x \b, e_lfanew 0x%x +# e_lfarlc; address of relocation table +#>0x18 uleshort x \b, e_lfarlc=0x%x +# e_ovno; overlay number. 
If zero, this is the main executable foo +#>0x1a uleshort !0 \b, e_ovno 0x%x +#>0x1C ubequad !0 \b, e_res 0x%16.16llx +# e_oemid; often 0 +#>0x24 uleshort !0 \b, e_oemid 0x%x +# e_oeminfo; typically zeroes, but 13Dh (WORDSTAR.CNV WPFT5.CNV) 143h (WRITWIN.CNV) +# 1A3h (DBASE.CNV LOTUS123.CNV RFTDCA.CNV WORDDOS.CNV WORDMAC.CNV WORDWIN1.CNVXLBIFF.CNV) +#>0x26 uleshort !0 \b, e_oeminfo 0x%x +# e_res2; typically zeroes, but 000006006F082D2Ah SCSICFG.EXE 00009A0300007C03h de.exe +# 0000CA0000000002h country.exe dosxmgr.exe 421E0A00421EA823h QMC.EXE +#>0x28 ubequad !0 \b, e_res2 0x%16.16llx +# https://web.archive.org/web/20171116024937/http://www.ctyme.com/intr/rb-2939.htm#table1593 +# https://github.com/uxmal/reko/blob/master/src/ImageLoaders/MzExe/ExeImageLoader.cs +# new exe header magic like: PE NE LE LX W3 W4 +# no examples found for ZM DL MP P2 P3 +#>(0x3c.l) string x \b, at [0x3c] %.2s +#>(0x3c.l) ubelong x \b, at [0x3c] %#8.8x +#>(0x3c.l+4) ubelong x \b, at [0x3c+4] %#8.8x +# +# Most non-DOS MZ-executable extensions have the relocation table more than 0x40 bytes into the file. 
+# http://www.mitec.cz/Downloads/EXE.zip/EXE64.exe e_lfarlc=0x8ead +# OS/2 ECS\INSTALL\DETECTEI\PCISCAN.EXE e_lfarlc=0x1c +# some EFI apps Shell_Full.efi ext4_x64_signed.efi e_lfarlc=0 +# Icon library WORD60.ICL e_lfarlc=0 +# Microsoft compiled help format 2.0 WINWORD.DEV.HXS e_lfarlc=0 +>0x18 uleshort <0x40 +# check magic of new second header +# NE executable with low e_lfarlc like: WORD60.ICL +# ICL: Icons Library 16-bit http://fileformats.archiveteam.org/wiki/Icon_library +>>(0x3c.l) string NE Windows Icons Library 16-bit +!:mime image/x-ms-icl +!:ext icl +# handle LX executable with low e_lfarlc like: PCISCAN.EXE +>>(0x3c.l) string LX +>>>(0x3c.l) use lx-executable +# skip Portable Executable (PE) with low e_lfarlc here, because handled later +# like: ext4_x64_signed.efi Shell_Full.efi WINWORD.DEV.HXS +>>(0x3c.l) string PE +# not New Executable (NE) and not PE with low e_lfarlc like: +# MACCNV55.EXE WORK_RTF.EXE TELE200.EXE NDD.EXE iflash.exe +>>(0x3c.l) default x MS-DOS executable, MZ for MS-DOS !:mime application/x-dosexec # Windows and later versions of DOS will allow .EXEs to be named with a .COM # extension, mostly for compatibility's sake. +# like: EDIT.COM 4DOS.COM CMD8086.COM CMD-FR.COM SYSLINUX.COM # URL: https://en.wikipedia.org/wiki/Personal_NetWare#VLM # Reference: https://mark0.net/download/triddefs_xml.7z/defs/e/exe-vlm-msg.trid.xml -!:ext exe/com/vlm +# also like: BGISRV.DRV +!:ext exe/com/vlm/drv # These traditional tests usually work but not always. When test quality support is # implemented these can be turned on. #>>0x18 leshort 0x1c (Borland compiler) #>>0x18 leshort 0x1e (MS compiler) # Maybe it's a PE? 
+# URL: http://fileformats.archiveteam.org/wiki/Portable_Executable +# Reference: https://docs.microsoft.com/de-de/windows/win32/debug/pe-format >(0x3c.l) string PE\0\0 PE -!:mime application/x-dosexec +!:mime application/vnd.microsoft.portable-executable +# https://docs.microsoft.com/de-de/windows/win32/debug/pe-format#characteristics +# DLL Characteristics +#>>(0x3c.l+22) uleshort x \b, CHARACTERISTICS %#4.4x, +# 0x0200~IMAGE_FILE_DEBUG_STRIPPED Debugging information is removed from the image file +# 0x1000~IMAGE_FILE_SYSTEM The image file is a system file, not a user program. +# 0x2000~IMAGE_FILE_DLL The image file is a dynamic-link library (DLL) >>(0x3c.l+24) leshort 0x010b \b32 executable +# https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#windows-subsystem +#>>>(0x3c.l+92) leshort x \b, SUBSYSTEM %u >>(0x3c.l+24) leshort 0x020b \b32+ executable +#>>>(0x3c.l+92) leshort x \b, SUBSYSTEM %u >>(0x3c.l+24) leshort 0x0107 ROM image >>(0x3c.l+24) default x Unknown PE signature >>>&0 leshort x %#x >>(0x3c.l+22) leshort&0x2000 >0 (DLL) +# 0~IMAGE_SUBSYSTEM_UNKNOWN An unknown subsystem +>>(0x3c.l+92) leshort 0 ( +# Summary: Microsoft compiled help *.HXS format 2.0 +# URL: https://en.wikipedia.org/wiki/Microsoft_Help_2 +# Reference: http://www.russotto.net/chm/itolitlsformat.html +# https://mark0.net/download/triddefs_xml.7z/defs/h/hxs.trid.xml +# Note: 2 PE sections (.rsrc, .its) implies Microsoft compiled help format; the .its section contains the help content ITOLITLS +# verified by command like `pelook.exe -d WINWORD.HXS & pelook.exe -h WINWORD.HXS` +>>>(0x3c.l+6) uleshort =2 \bMicrosoft compiled help format 2.0) +!:ext hxs +# 3 PE sections (.text, .reloc, .rsrc) implies some Control Panel Item like: +# CPL: Control Panel item for WINE 1.7.28 https://www.winehq.org/ +>>>(0x3c.l+6) uleshort !2 \bControl Panel Item) +!:ext cpl +# 1~IMAGE_SUBSYSTEM_NATIVE device drivers and native Windows processes >>(0x3c.l+92) leshort 1 # Native PEs include 
ntoskrnl.exe, hal.dll, smss.exe, autochk.exe, and all the # drivers in Windows/System32/drivers/*.sys. @@ -79,6 +177,7 @@ !:ext dll/sys >>>(0x3c.l+22) leshort&0x2000 0 (native) !:ext exe/sys +# 2~IMAGE_SUBSYSTEM_WINDOWS_GUI The Windows graphical user interface (GUI) subsystem >>(0x3c.l+92) leshort 2 >>>(0x3c.l+22) leshort&0x2000 >0 (GUI) # These could probably be at least partially distinguished from one another by 
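Review bot: The `PE\0\0` branch changes `!:mime application/x-dosexec` to `application/vnd.microsoft.portable-executable` with no comment, while the plain `MS-DOS executable, MZ for MS-DOS` branch above keeps the old type. Anything that keys on the reported MIME type to recognise Windows executables (attachment filters, upload checks, detection rules) will stop matching PE files unless it is updated. I would record the switch next to the line, e.g. `# was application/x-dosexec; filters matching the old type must accept both`, and mention it in the release notes.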
@@ -94,21 +193,72 @@ # Screen savers typically include code from the scrnsave.lib static library, but # that's not guaranteed. !:ext exe/scr +# 3~IMAGE_SUBSYSTEM_WINDOWS_CUI The Windows character subsystem >>(0x3c.l+92) leshort 3 >>>(0x3c.l+22) leshort&0x2000 >0 (console) !:ext dll/cpl/tlb/ocx/acm/ax/ime >>>(0x3c.l+22) leshort&0x2000 0 (console) !:ext exe/com -# https://docs.microsoft.com/en-us/windows/win32/debug/pe-format ->>(0x3c.l+92) leshort 7 (POSIX) ->>(0x3c.l+92) leshort 9 (Windows CE) +# NO Windows Subsystem number 4! +>>(0x3c.l+92) leshort 4 (Unknown subsystem 4) +# 5~IMAGE_SUBSYSTEM_OS2_CUI The OS/2 character subsystem +>>(0x3c.l+92) leshort 5 (OS/2) +# GRR: No examples found by Joerg Jenderek +#!:ext foo-exe-os2 +# NO Windows Subsystem number 6! +>>(0x3c.l+92) leshort 6 (Unknown subsystem 6) +# 7~IMAGE_SUBSYSTEM_POSIX_CUI The Posix character subsystem +>>(0x3c.l+92) leshort 7 (POSIX +>>>(0x3c.l+22) leshort&0x2000 >0 \b) +# like: PSXDLL.DLL +!:ext dll +>>>(0x3c.l+22) leshort&0x2000 0 \b) +# like: PAX.EXE +!:ext exe +# 8~IMAGE_SUBSYSTEM_NATIVE_WINDOWS Native Win9x driver +>>(0x3c.l+92) leshort 8 (Win9x) +# GRR: No examples found by Joerg Jenderek +#!:ext foo-exe-win98 +# 9~IMAGE_SUBSYSTEM_WINDOWS_CE_GUI Windows CE +>>(0x3c.l+92) leshort 9 (Windows CE +>>>(0x3c.l+22) leshort&0x2000 >0 \b) +# like: MCS9900Ce50.dll Mosiisr99x.dll TMCGPS.DLL +!:ext dll +>>>(0x3c.l+22) leshort&0x2000 0 \b) +# like: NNGStart.exe navigator.exe +!:ext exe +# 10~IMAGE_SUBSYSTEM_EFI_APPLICATION An Extensible Firmware Interface (EFI) application >>(0x3c.l+92) leshort 10 (EFI application) +# like: bootmgfw.efi grub.efi gdisk_x64.efi Shell_Full.efi shim.efi syslinux.efi +!:ext efi +# 11~IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER An EFI driver with boot services >>(0x3c.l+92) leshort 11 (EFI boot service driver) +# like: ext2_x64_signed.efi Fat_x64.efi iso9660_x64_signed.efi +!:ext efi >>(0x3c.l+92) leshort 12 (EFI runtime driver) +# no sample found +!:ext efi +# 
13~IMAGE_SUBSYSTEM_EFI_ROM An EFI ROM image >>(0x3c.l+92) leshort 13 (EFI ROM) +# no sample found +!:ext efi +# 14~IMAGE_SUBSYSTEM_XBOX XBOX >>(0x3c.l+92) leshort 14 (XBOX) ->>(0x3c.l+92) leshort 15 (Windows boot application) ->>(0x3c.l+92) default x (Unknown subsystem +#!:ext foo-xbox +# NO Windows Subsystem number 15! +>>(0x3c.l+92) leshort 15 (Unknown subsystem 15) +# 16~IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION Windows boot application +>>(0x3c.l+92) leshort 16 (Windows boot application +>>>(0x3c.l+22) leshort&0x2000 >0 \b) +# like: bootvhd.dll bootuwf.dll hvloader.dll tcbloader.dll bootspaces.dll +!:ext dll +>>>(0x3c.l+22) leshort&0x2000 0 \b) +# like: bootmgr.efi memtest.efi shellx64.efi memtest.exe winload.exe winresume.exe bootvhd.dll hvloader.dll +!:ext efi/exe +# GRR: the next 2 lines are not executed! +#>>(0x3c.l+92) default x (Unknown subsystem +#>>>&0 leshort x %#x) +>>(0x3c.l+92) leshort >16 (Unknown subsystem >>>&0 leshort x %#x) >>(0x3c.l+4) leshort 0x14c Intel 80386 >>(0x3c.l+4) leshort 0x166 MIPS R4000 @@ -136,10 +286,13 @@ >>(0x3c.l+4) leshort 0x5032 RISC-V 32-bit >>(0x3c.l+4) leshort 0x5064 RISC-V 64-bit >>(0x3c.l+4) leshort 0x5128 RISC-V 128-bit +>>(0x3c.l+4) leshort 0x6232 LoongArch 32-bit +>>(0x3c.l+4) leshort 0x6264 LoongArch 64-bit >>(0x3c.l+4) leshort 0x9041 Mitsubishi M32R >>(0x3c.l+4) leshort 0x8664 x86-64 >>(0x3c.l+4) leshort 0xaa64 Aarch64 >>(0x3c.l+4) leshort 0xc0ee MSIL +# GRR: the next 2 lines are not executed! >>(0x3c.l+4) default x Unknown processor type >>>&0 leshort x %#x >>(0x3c.l+22) leshort&0x0200 >0 (stripped to external PDB) 
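Review bot: The new catch-all `>>(0x3c.l+92) leshort >16 (Unknown subsystem` in the `@@ -94,21 +193,72 @@` hunk is a signed comparison, so a subsystem value with the high bit set is negative and gets no subsystem text at all. The follow-up `>>>&0 leshort x %#x)` also looks wrong now: as far as I can tell, `&0` after a matched short resolves to the end of that match (header offset +94), so it would print the field after Subsystem, whereas under the old `default x` it read the subsystem itself. Printing the value on the matching line avoids both problems: `>>(0x3c.l+92) uleshort >16 (Unknown subsystem %#x)`, with the `&0` line dropped. This commit already switches the `0x18` test to `uleshort` in the `@@ -176,33 +329,134 @@` hunk for the same kind of reason. Out-of-range subsystem values are a useful signal when triaging malformed PE files, so the printed number should be the real one.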
@@ -176,33 +329,134 @@ >>&(0x3c.l+0xf8) search/0x100 _winzip_ \b, ZIP self-extracting archive (WinZip) >>&(0x3c.l+0xf8) search/0x100 SharedD \b, Microsoft Installer self-extracting archive >>0x30 string Inno \b, InnoSetup self-extracting archive +# NumberOfSections; Normal Dynamic Link libraries have a few sections for code, data and resource etc. +# PE used as container have less sections +>>(0x3c.l+6) leshort >1 \b, %u sections +# do not display for 1 section to get output like in version 5.43 and to keep output columns low +#>>(0x3c.l+6) leshort =1 \b, %u section # If the relocation table is 0x40 or more bytes into the file, it's definitely # not a DOS EXE. ->0x18 leshort >0x3f +>0x18 uleshort >0x3f # Hmm, not a PE but the relocation table is too high for a traditional DOS exe, # must be one of the unusual subformats. >>(0x3c.l) string !PE\0\0 MS-DOS executable -!:mime application/x-dosexec +#!:mime application/x-dosexec >>(0x3c.l) string NE \b, NE -!:mime application/x-dosexec +#!:mime application/x-dosexec +!:mime application/x-ms-ne-executable +# FOR DEBUGGING! +# Reference: https://wiki.osdev.org/NE +# ProgFlags; Program flags, bitmapped +#>>>(0x3c.l+0x0C) ubyte x \b, ProgFlags 0x%2.2x +# >>>(0x3c.l+0x0c) ubyte&0x03 =0 \b, none +# >>>(0x3c.l+0x0c) ubyte&0x03 =1 \b, single shared +# >>>(0x3c.l+0x0c) ubyte&0x03 =2 \b, multiple +# >>>(0x3c.l+0x0c) ubyte&0x03 =3 \b, (null) +# >>>(0x3c.l+0x0c) ubyte &0x04 \b, Global initialization +# >>>(0x3c.l+0x0c) ubyte &0x08 \b, Protected mode only +# >>>(0x3c.l+0x0c) ubyte &0x10 \b, 8086 instructions +# >>>(0x3c.l+0x0c) ubyte &0x20 \b, 80286 instructions +# >>>(0x3c.l+0x0c) ubyte &0x40 \b, 80386 instructions +# >>>(0x3c.l+0x0c) ubyte &0x80 \b, 80x87 instructions +# ApplFlags; Application flags, bitmapped +# https://www.fileformat.info/format/exe/corion-ne.htm +#>>>(0x3c.l+0x0D) ubyte x \b, ApplFlags 0x%2.2x +# Application type (bits 0-2); 1~Full screen (not aware of Windows/P.M. API) +# 2~Compatible with Windows/P.M. 
API 3~Uses Windows/P.M. API +#>>>(0x3c.l+0x0D) ubyte&0x07 =1 \b, Full screen +#>>>(0x3c.l+0x0D) ubyte&0x07 =2 \b, Compatible with Windows/P.M. API +#>>>(0x3c.l+0x0D) ubyte&0x07 =3 \b, use Windows/P.M. API +# bit 7; DLL or driver (SS:SP info invalid, CS:IP points at FAR init routine called with AX handle +#>>>(0x3c.l+0x0D) ubyte &0x80 \b, DLL or driver +# AutoDataSegIndex; automatic data segment index like: 0 2 3 22 +# zero if the SINGLEDATA and MULTIPLEDATA bits are cleared +#>>>(0x3c.l+0x0e) uleshort x \b, AutoDataSegIndex %u +# InitHeapSize; intial local heap size like; 0 400h 1400h +# zero if there is no local allocation +#>>>(0x3c.l+0x10) uleshort !0 \b, InitHeapSize 0x%x +# InitStackSize; inital stack size like: 0 10h A00h 7D0h A8Ch FA0h 1000h 1388h +# 1400h (CBT) 1800h 2000h 2800h 2EE0h 2F3Ch 3258h 3E80h 4000h 4E20h 5000h 6000h +# 6D60h 8000h 40000h +# zero if the SS register value does not equal the DS register value +#>>>(0x3c.l+0x12) uleshort !0 \b, InitStackSize 0x%x +# EntryPoint; segment offset value of CS:IP like: 0 10000h 18A84h 11C1Ah 307F1h +#>>>(0x3c.l+0x14) ulelong !0 \b, EntryPoint 0x%x +# InitStack; specifies the segment offset value of stack pointer SS:SP +# like: 0 20000h 160000h +#>>>(0x3c.l+0x18) ulelong !0 \b, InitStack 0x%x +# SegCount; number of segments in segment table like: 0 1 2 3 16h +#>>>(0x3c.l+0x1C) uleshort x \b, SegCount 0x%x +# ModRefs; number of module references (DLLs) like; 0 1 3 +#>>>(0x3c.l+0x1E) uleshort !0 \b, ModRefs %u +# NoResNamesTabSiz; size in bytes of non-resident names table +# like: Bh 16h B4h B9h 2Ch 18Fh 16AAh +#>>>(0x3c.l+0x20) uleshort x \b, NoResNamesTabSiz 0x%x +# SegTableOffset; offset of Segment table like: 40h +#>>>(0x3c.l+0x22) uleshort !0x40 \b, SegTableOffset 0x%x +# ResTableOffset; offset of resources table like: 40h 50h 58h F0h +# 40h for most fonts likedos737.fon FMFONT.FOT but 60h for L1WBASE.FON +#>>>(0x3c.l+0x24) uleshort x \b, ResTableOffset 0x%x +# ResidNamTable; offset of resident names 
table +# like: 58h 5Ch 60h 68h 74h 98h 2E3h 2E7h 2F0h +#>>>(0x3c.l+0x26) uleshort x \b, ResidNamTable 0x%x +# ImportNameTable; offset of imported names table (array of counted strings, terminated with string of length 00h) +# like: 77h 7Eh 80h C6h A7h ACh 2F8h 3FFh +#>>>(0x3c.l+0x2a) uleshort x \b, ImportNameTable 0x%x +# OffStartNonResTab; offset from start of file to non-resident names table +# like: 110h 11Dh 19Bh 1A5h 3F5h 4C8h 4EEh D93h +#>>>(0x3c.l+0x2c) ulelong x \b, OffStartNonResTab 0x%x +# MovEntryCount; number of movable entry points like: 0 4 5 6 16 17 24 312 355 446 +#>>>(0x3c.l+0x30) uleshort !0 \b, MovEntryCount %u +# FileAlnSzShftCnt; log2 of the segment sector size; 4~16 0~9~512 (default) +#>>>(0x3c.l+0x32) uleshort !9 \b, FileAlnSzShftCnt %u +# nResTabEntries; number of resource table entries like: 0 2 +#>>>(0x3c.l+0x34) uleshort !0 \b, nResTabEntries %u +# targOS; Target OS; 0~unknown~OS/2 1.0 or MS Windows 1-2 +# OS/2 1.0 like: DTM.DLL SHELL11F.EXE HELPMSG.EXE CREATEDD.EXE +# or Windows 1.03 - 2.1 like: MSDOSD.EXE KARTEI.EXE KALENDER.EXE +#>>>(0x3c.l+0x36) byte x TARGOS %x +>>>(0x3c.l+0x36) byte 0 for OS/2 1.0 or MS Windows 1-2 >>>(0x3c.l+0x36) byte 1 for OS/2 1.x >>>(0x3c.l+0x36) byte 2 for MS Windows 3.x >>>(0x3c.l+0x36) byte 3 for MS-DOS >>>(0x3c.l+0x36) byte 4 for Windows 386 >>>(0x3c.l+0x36) byte 5 for Borland Operating System Services +# http://downloads.sourceforge.net/dfendreloaded/D-Fend-Reloaded-1.4.4.zip +# D-Fend Reloaded/VirtualHD/FREEDOS/DPMILD32.EXE +# GRR: WHAT OS is this? 
+#>>>(0x3c.l+0x36) byte 6 for TARGET SIX +# https://en.wikipedia.org/wiki/Phar_Lap_(company) +>>>(0x3c.l+0x36) byte 0x81 for MS-DOS, Phar Lap DOS extender, OS/2 +# like: CVP7.EXE +>>>(0x3c.l+0x36) byte 0x82 for MS-DOS, Phar Lap DOS extender, Windows >>>(0x3c.l+0x36) default x ->>>>(0x3c.l+0x36) byte x (unknown OS %x) ->>>(0x3c.l+0x36) byte 0x81 for MS-DOS, Phar Lap DOS extender +>>>>(0x3c.l+0x36) ubyte x (unknown OS %#x) +# expctwinver; expected Windows version (minor first) like: +# 0.0~DTM.DLL 203.4~Windows 1.03 GDI.EXE 2.1~TTY.DRV 3.0~dos737.fon FMFONT.FOT THREED.VBX 3.10~GDI.EXE 4.0~(ME) VGAFULL.3GR +>>>(0x3c.l+0x3F) ubyte x (%u +>>>(0x3c.l+0x3E) ubyte x \b.%u) +# OS2EXEFlags; other EXE flags +# 0~Long filename support 1~2.x protected mode 4~2.x proportional fonts 8~Executable has gangload area +#>>>(0x3c.l+0x37) byte !0 \b, OS2EXEFlags 0x%x +# retThunkOffset; offset to return thunks or start of gangload area like: 0 34h 58h 246h +#>>>(0x3c.l+0x38) uleshort !0 \b, retThunkOffset 0x%x +# segrefthunksoff; offset to segment reference thunks or size of gangload area +# like: 0 33Eh 39Ah AEEh +#>>>(0x3c.l+0x3A) uleshort !0 \b, segrefthunksoff 0x%x +# mincodeswap; minimum code swap area size like 0 620Ch +#>>>(0x3c.l+0x3C) uleshort !0 \b, mincodeswap 0x%x >>>(0x3c.l+0x0c) leshort&0x8000 0x8000 (DLL or font) # DRV: Driver # 3GR: Grabber device driver # CPL: Control Panel Item -# VBX: Visual Basic Extension -# FON: Bitmap font +# VBX: Visual Basic Extension https://en.wikipedia.org/wiki/Visual_Basic +# FON: Bitmap font http://fileformats.archiveteam.org/wiki/FON # FOT: Font resource file +# EXE: WINSPOOL.EXE USER.EXE krnl386.exe GDI.EXE +# CNV: Microsoft Word text conversion https://www.file-extensions.org/cnv-file-extension-microsoft-word-text-conversion-data !:ext dll/drv/3gr/cpl/vbx/fon/fot >>>(0x3c.l+0x0c) leshort&0x8000 0 (EXE) !:ext exe/scr 
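Review bot: The MIME type changes in the `@@ -176,33 +329,134 @@` hunk carry no comment for downstream consumers. `!:mime application/x-dosexec` is commented out on the `MS-DOS executable` line and NE files now report `application/x-ms-ne-executable`, so an upload filter or mail gateway that blocks on `application/x-dosexec` would stop matching these files. The W3 and W4 entries in the `@@ -228,8 +482,17 @@` hunk change in the same way. I would add a comment beside each new type, for example `# reported as application/x-dosexec before this change; filters keyed on the old type need updating`. Whether other non-PE files on the `!PE\0\0` branch still receive a MIME type depends on entries outside this hunk, so that is worth checking with `file -i` on LE and plain MZ samples.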
@@ -228,8 +482,17 @@ >>>&(&0x54.l-3) string arjsfx \b, ARJ self-extracting archive # MS Windows system file, supposedly a collection of LE executables +# like vmm32.vxd WIN386.EXE >>(0x3c.l) string W3 \b, W3 for MS Windows -!:mime application/x-dosexec +#!:mime application/x-dosexec +!:mime application/x-ms-w3-executable +!:ext vxd/exe +# W4 executable +>>(0x3c.l) string W4 \b, W4 for MS Windows +#!:mime application/x-dosexec +!:mime application/x-ms-w4-executable +# windows 98 VMM32.VXD +!:ext vxd >>(0x3c.l) string LE\0\0 \b, LE executable !:mime application/x-dosexec @@ -268,11 +531,19 @@ !:ext exe/com # header data too small for extended executable >2 long !0 ->>0x18 leshort <0x40 +>>0x18 uleshort <0x40 >>>(4.s*512) leshort !0x014c >>>>&(2.s-514) string !LE ->>>>>&-2 string !BW \b, MZ for MS-DOS +>>>>>&-2 string !BW +#>>>>>>(0x3c.l) string x \b, 2ND MAGIC %.2s +# but some LX executable appear here also like: PCISCAN.EXE +>>>>>>(0x3c.l) string !LX +# because Portable Executable (PE) already done skip many here like: +# xcopy32.exe stinger64.exe WimUtil.exe +# NO such DOS examples found and +# DOS examples seems to be already handled by e_lfarlc <0x40 like: CMD8086.COM CMD-FR.COM +>>>>>>>(0x3c.l) string !PE \b, MZ for MS-DOS !:mime application/x-dosexec >>>>&(2.s-514) string LE \b, LE >>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender @@ -386,6 +657,7 @@ >0x00 uleshort x executable #!:mime application/x-msdownload !:mime application/x-lx-executable +!:ext exe # byte order: 00h~little-endian non-zero=1~big-endian #>0x02 ubyte =0 (little-endian) >0x02 ubyte !0 (big-endian) @@ -420,7 +692,7 @@ >0x0a leshort 3 for DOS # http://www.ctyme.com/intr/rb-2939.htm#Table1610 # library by module type mask 00038000h (bits 15-17); -# 0h ~exectable Program module +# 0h ~executable Program module >0x10 ulelong&0x00038000 =0x00000000 (program) #!:ext exe # OSF_IS_DLL=8000h ~Library module (DLL) 
@@ -468,14 +740,18 @@ 0 string \xffKEYB\ \ \ \0\0\0\0 >12 string \0\0\0\0`\004\360 MS-DOS KEYBoard Layout file -# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017,Aug 2020 +# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017,Aug 2020,Mar 2023 # URL: http://fileformats.archiveteam.org/wiki/DOS_device_driver # Reference: http://www.delorie.com/djgpp/doc/rbinter/it/46/16.html -# https://amaus.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009 +# http://www.o3one.org/hwdocs/bios_doc/dosref22.html 0 ulequad&0x07a0ffffffff 0xffffffff # skip OS/2 INI ./os2 >4 ubelong !0x14000000 ->>0 use msdos-driver +#>>10 ubequad x MAYBE_DRIVER_NAME=%16.16llx +# https://bugs.astron.com/view.php?id=434 +# skip OOXML document fragment 0000.dat where driver name is "empty" instead of "ASCII like" +>>10 ubequad !0 +>>>0 use msdos-driver 0 name msdos-driver DOS executable ( #!:mime application/octet-stream !:mime application/x-dosdriver @@ -507,8 +783,8 @@ >>40 search/7 UPX! >>40 default x # leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped -# 1 space char before device driver name to get phrase like "device driver PROTMAN$" ->>>12 ubyte >0x2E \b +# 1 space char before device driver name to get phrase like "device driver PROTMAN$" "device driver HP-150II" "device driver PC$MOUSE" +>>>12 ubyte >0x23 \b >>>>10 ubyte >0x20 >>>>>10 ubyte !0x2E >>>>>>10 ubyte !0x2A \b%c 
@@ -602,11 +878,11 @@ 0 name msdos-com # URL: http://fileformats.archiveteam.org/wiki/DOS_executable_(.com) >0 byte x DOS executable ( -# DOS execuable with JuMP 16-bit instruction +# DOS executable with JuMP 16-bit instruction >0 byte =0xE9 # check for probably nil padding til offset 64 of Lotus driver name >>56 quad =0 -# check for "long" alpabetical Lotus driver name like: +# check for "long" alphabetic Lotus driver name like: # Diablo "COMPAQ Text Display" "IBM Monochrome Display" "Plantronics ColorPlus" >>>24 regex =^[A-Z][A-Za-z\040]{5,21} \bLotus driver) %s !:mime application/x-dosexec @@ -616,7 +892,7 @@ >>>24 default x \bCOM) !:mime application/x-dosexec !:ext com -# DOS excutable with JuMP 16-bit and without nil padding +# DOS executable with JuMP 16-bit and without nil padding >>56 quad !0 # https://wiki.syslinux.org/wiki/index.php?title=Doc/comboot # TODO: HOWTO distinguish COMboot from pure DOS executables? @@ -781,7 +1057,7 @@ >>1 default x # look for interrupt instruction like in rem.com (DJGPP) LOADER.COM (DR-DOS 7.x) >>>3 search/118 \xCD -# FOR DEBUGGING; possible hexadecimal interupt number like: 10~BANNER.COM 13~bcdw_cl.com 15~poweroff.com (Syslinux) +# FOR DEBUGGING; possible hexadecimal interrupt number like: 10~BANNER.COM 13~bcdw_cl.com 15~poweroff.com (Syslinux) # 1A~BERNDPCI.COM 20~SETENHKB.COM 21~mostly 22~gfxboot.com (Syslinux) 2F~SHUTDOWN.COM (GEMSYS) #>>>>&0 ubyte x \b, INTERUPT %#x # few examples with interrupt 0x13 instruction 
@@ -791,7 +1067,7 @@ # skip Gpt.com Mbr.com (edk2-UDK2018 bootsector) described as "DOS/MBR boot sector" by ./filesystems # by check for assembler instructions: mov es,ax ; mov ax,07c0h ; mov ds,ax >>>>>3 ubequad !0x8ec0b8c0078ed88d -# few COM exectables with interrupt 0x13 instruction like: Bootable CD Wizard executables bcdw_cl.com fdemuoff.com +# few COM executables with interrupt 0x13 instruction like: Bootable CD Wizard executables bcdw_cl.com fdemuoff.com # http://bootcd.narod.ru/bcdw150z_en.zip >>>>>>0 use msdos-com # few examples with interrupt 0x16 instruction like flashimg.img @@ -806,7 +1082,7 @@ #>>>>>&-1 ubyte x \b, INTERUPT %#x # like: LOADER.COM SETENHKB.COM banner.com copybs.com gif2raw.com poweroff.com rem.com >>>>>0 use msdos-com -# few COM executables without interupt instruction like RESTART.COM (DOS 7.10) REBOOT.COM +# few COM executables without interrupt instruction like RESTART.COM (DOS 7.10) REBOOT.COM # or some EUC-KR text files or one Ulead Imaginfo thumbnail >>>3 default x # FOR DEBUGGING; 2nd instruction like 0x50 (RESTART.COM) 0x8e (REBOOT.COM) 
@@ -1213,15 +1489,82 @@ 0 string/b Nullsoft\ AVS\ Preset\ Winamp plug in # Windows Metafile .WMF -0 string/b \327\315\306\232 Windows metafile -!:mime image/wmf -!:ext wmf +# URL: http://fileformats.archiveteam.org/wiki/Windows_Metafile +# http://en.wikipedia.org/wiki/Windows_Metafile +# Reference: https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-WMF/%5bMS-WMF%5d.pdf +# http://mark0.net/download/triddefs_xml.7z/defs/w/wmf.trid.xml +# Note: called "Windows Metafile" by TrID and +# verified by ImageMagick `identify -verbose *.wmf` as WMF (Windows Meta File) +# META_PLACEABLE Record (Aldus Placeable Metafile signature) +0 string/b \327\315\306\232 +# Note: called "Windows Metafile Image with Placeable File Header" by DROID via PUID x-fmt/119 +# and verified by XnView `nconvert -info abydos.wmf SPA_FLAG.wmf hardcopy-windows-meta.wmf` as "Windows Placeable metafile" +# skip failed libreoffice-7.3.2.2 ofz35149-1.wmf with invalid version 2020h and exttextout-2.wmf with invalid version 3a02h +# and x-fmt-119-signature-id-609.wmf without version instead of 0100h=METAVERSION100 or 0300h=METAVERSION300 +>26 uleshort&0xFDff =0x0100 Windows metafile +# HWmf; resource handle to the metafile; When the metafile is on disk, this field MUST contain 0 +# seems to be always true but in failed samples 2020h ofz35149-1.wmf 56f8h exttextout-2.wmf +>>4 uleshort !0 \b, resource handle %#x +# BoundingBox; the rectangle in the playback context measured in logical units for displaying +# sometimes useful like: hardcopy-windows-meta.wmf (0,0 / 1280,1024) +# but garbage in x-fmt-119-signature-id-609.wmf (-21589,-21589 / -21589,-21589) +#>>6 ubequad x \b, bounding box %#16.16llx +# Left; x-coordinate of the upper-left corner of the rectangle +>>6 leshort x \b, bounding box (%d +# Top; y-coordinate upper-left corner +>>8 leshort x \b,%d +# Right; x-coordinate lower-right corner +>>10 leshort x / %d +# Bottom; y-coordinate lower-right corner +>>12 leshort x \b,%d) +# Inch; 
number of logical units per inch like: 72 96 575 576 1000 1200 1439 1440 2540 +>>14 uleshort x \b, dpi %u +# Reserved; field is not used and MUST be set to 0; but ababababh in x-fmt-119-signature-id-609.wmf +>>16 ulelong !0 \b, reserved %#x +# Checksum; checksum for the previous 10 words +>>20 uleshort x \b, checksum %#x +# META_HEADER Record after META_PLACEABLE Record +>>22 use wmf-head +# GRR: no example for type 2 (DISKMETAFILE) variant found under few thousands WMF 0 string/b \002\000\011\000 Windows metafile +>0 use wmf-head +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/w/wmf-16.trid.xml +# Note: called "Windows Metafile (old Win 3.x format)" by TrID and +# "Windows Metafile Image without Placeable File Header" by DROID via PUID x-fmt/119 +# verified by XnView `nconvert -info *.wmf` as Windows metafile +# variant with type=1=MEMORYMETAFILE and valid HeaderSize 9 +0 string/b \001\000\011\000 +# skip DROID x-fmt-119-signature-id-1228.wmf by looking for content after header (18 bytes=2*011) +>18 ulelong >0 Windows metafile +# GRR: in version 5.44 unequal and not endian variant not working! +#>18 ulelong !0 THIS_SHOULD_NOT_HAPPEN +#>18 long !0 THIS_SHOULD_NOT_HAPPEN +>>0 use wmf-head +# display information of Windows metafile header (type, size, objects) +0 name wmf-head +# MetafileType: 0001h=MEMORYMETAFILE~Metafile is stored in memory 0002h=DISKMETAFILE~Metafile is stored on disk +>0 uleshort !0x0001 \b, type %#x +# HeaderSize; the number of WORDs in header record; seems to be always 9 (18 bytes) +>2 uleshort*2 !18 \b, header size %u +# MetafileVersion: 0100h=METAVERSION100~DIBs (device-independent bitmaps) not supported 0300h=METAVERSION300~DIBs are supported +# but in failed samples 2020h ofz35149-1.wmf 3a02h exttextout-2.wmf +>4 uleshort =0x0100 \b, DIBs not supported +>4 uleshort =0x0300 +#>4 uleshort =0x0300 \b, DIBs supported +# this should not happen! 
+>4 default x \b, version +>>4 uleshort x %#x +# Size; the number of WORDs in the entire metafile +>6 ulelong x \b, size %u words +#>6 ulelong*2 x \b, size %u bytes !:mime image/wmf !:ext wmf -0 string/b \001\000\011\000 Windows metafile -!:mime image/wmf -!:ext wmf +# NumberOfObjects: the number of graphics objects like: 0 hardcopy-windows-meta.wmf 1 2 3 4 5 6 7 8 9 12 13 14 16 17 20 27 110 PERSGRID.WMF +>10 uleshort x \b, %u objects +# MaxRecord: the size of the largest record in the metafile in WORDs like: 78h b0h 1f4h 310h 63fh 1e0022h 3fcc21h +>12 ulelong x \b, largest record size %#x +# NumberOfMembers: It SHOULD be 0x0000, but 5 TestBitBltStretchBlt.wmf 13 TestPalette.wmf and in failed samples 4254 bitcount-1.wmf 8224 ofz5942-1.wmf 56832 exttextout-2.wmf +>16 uleshort !0 \b, %u members #tz3 files whatever that is (MS Works files) 0 string/b \003\001\001\004\070\001\000\000 tz3 ms-works file @@ -1374,8 +1717,6 @@ 1 string RDC-meg MegaDots >8 byte >0x2F version %c >9 byte >0x2F \b.%c file -0 lelong 0x4C ->4 lelong 0x00021401 Windows shortcut file # .PIF files added by Joerg Jenderek from https://smsoft.ru/en/pifdoc.htm # only for windows versions equal or greater 3.0 @@ -1411,17 +1752,6 @@ >0x187 search/0xB55 AUTOEXECBAT\ 4.0\0 \b +AUTOEXEC.BAT #>>&06 string x \b:%s -# DOS EPS Binary File Header -# From: Ed Sznyter <ews@Black.Market.NET> -0 belong 0xC5D0D3C6 DOS EPS Binary File -!:mime image/x-eps ->4 long >0 Postscript starts at byte %d ->>8 long >0 length %d ->>>12 long >0 Metafile starts at byte %d ->>>>16 long >0 length %d ->>>20 long >0 TIFF starts at byte %d ->>>>24 long >0 length %d - # Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C # of http://www.davep.org/norton-guides/ng2h-105.tgz # https://en.wikipedia.org/wiki/Norton_Guides @@ -1575,6 +1905,12 @@ >0x2c default x # look for 1st member name >>(16.l+16) ubyte x +# 
From: Joerg Jenderek +# URL: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/building-device-metadata-packages +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/devicemetadata-ms.trid.xml +>>>&-1 string PackageInfo.xml \b, Device Metadata Package +!:mime application/vnd.ms-cab-compressed +!:ext devicemetadata-ms # https://en.wikipedia.org/wiki/SNP_file_format >>>&-1 string/c _accrpt_.snp \b, Access report snapshot !:mime application/msaccess @@ -1598,14 +1934,20 @@ !:ext msu >>>&-1 default x # look at point character of 1st archive member name for file name extension +# GRR: search range is maybe too large and match point else where like in EN600x64.cab! >>>>&-1 search/255 . # http://www.pptfaq.com/FAQ00164_What_is_a_PPZ_file-.htm # PPZ were created using Pack & Go feature of PowerPoint versions 97 - 2002 # packs optional files, a PowerPoint presentation *.ppt with optional PLAYLIST.LST to CAB ->>>>>&0 string/c ppt\0 \b, PowerPoint Packed and Go +>>>>>&0 string/c ppt\0 +>>>>>>28 uleshort >1 \b, PowerPoint Packed and Go !:mime application/vnd.ms-powerpoint #!:mime application/mspowerpoint !:ext ppz +# or POWERPNT.PPT packed as POWERPNT.PP_ found on Windows 2000,XP setup CD in directory i386 +>>>>>>28 uleshort =1 \b, one packed PowerPoint +!:mime application/vnd.ms-cab-compressed +!:ext pp_ # https://msdn.microsoft.com/en-us/library/windows/desktop/bb773190(v=vs.85).aspx # first member *.theme implies Windows 7 Theme Pack like in CommunityShowcaseAqua3.themepack # or Windows 8 Desktop Theme Pack like in PanoramicGlaciers.deskthemepack 
@@ -1653,6 +1995,16 @@ >>>>>>>>>30 uleshort !0x0000 \b, single !:mime application/vnd.ms-cab-compressed !:ext cab +# first archive name without point character +>>>>&-1 default x +>>>>>28 uleshort =1 \b, single +!:mime application/vnd.ms-cab-compressed +# on XP_CD\I386\ like: NETWORKS._ PROTOCOL._ QUOTES._ SERVICES._ +!:ext _ +>>>>>28 uleshort >1 \b, many +!:mime application/vnd.ms-cab-compressed +# like: HP Envy 6000 printer driver packages Full_x86.cab Full_x64.cab +!:ext cab # TODO: additional extensions like # .xtp InfoPath Template Part # .lvf Logitech Video Effects Face Accessory @@ -1750,9 +2102,9 @@ # define ifoldCONTINUED_PREV_AND_NEXT (0xFFFF) >8 uleshort >0 \b, iFolder %#x # date stamp for file -#>10 uleshort x \b, date %#x +>10 lemsdosdate x last modified %s # time stamp for file -#>12 uleshort x \b, time %#x +>12 lemsdostime x %s # attribs is attribute flags for file # define _A_RDONLY (0x01) file is read-only # define _A_HIDDEN (0x02) file is hidden diff --git a/magic/Magdir/msooxml b/magic/Magdir/msooxml index 2fc3a5640196..905017eb9123 100644 --- a/magic/Magdir/msooxml +++ b/magic/Magdir/msooxml @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: msooxml,v 1.18 2022/08/16 11:16:39 christos Exp $ +# $File: msooxml,v 1.19 2023/03/14 19:46:15 christos Exp $ # msooxml: file(1) magic for Microsoft Office XML # From: Ralf Brown <ralf.brown@gmail.com> @@ -56,3 +56,13 @@ >>>>>>>>>&26 default x Microsoft OOXML >>>>>>>&26 default x Microsoft OOXML >>>>>&26 default x Microsoft OOXML +>>0x1E regex \\[trash\\] +>>>&26 search/6000 PK\003\004 +>>>>&26 search/6000 PK\003\004 +>>>>>&26 use msooxml +>>>>>&26 default x +>>>>>>&26 search/6000 PK\003\004 +>>>>>>>&26 use msooxml +>>>>>>>&26 default x Microsoft OOXML +>>>>>>&26 default x Microsoft OOXML +>>>>>&26 default x Microsoft OOXML diff --git a/magic/Magdir/ole2compounddocs b/magic/Magdir/ole2compounddocs index d52578128a5d..2c451a9ab578 100644 
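Review bot: The `>>0x1E regex \\[trash\\]` branch added to msooxml in the `@@ -56,3 +56,13 @@` hunk has no comment saying which producer writes a `[trash]` first entry or why it should still be reported as OOXML. The rest of this commit documents new tests with URL, reference and sample names, and this one needs the same. Something like `# first ZIP entry name contains "[trash]"; skip to later PK\003\004 local headers before deciding` plus a sample or bug reference would do. The regex is also unanchored and has no explicit range, so it presumably matches `[trash]` anywhere in the scanned window rather than only in the entry name at 0x1E. If only the name is meant, bound it the way the `regex/N` tests elsewhere in this commit do.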
--- a/magic/Magdir/ole2compounddocs +++ b/magic/Magdir/ole2compounddocs @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: ole2compounddocs,v 1.19 2022/09/11 20:52:40 christos Exp $ +# $File: ole2compounddocs,v 1.26 2023/05/15 16:46:12 christos Exp $ # Microsoft OLE 2 Compound Documents : file(1) magic for Microsoft Structured # storage (https://en.wikipedia.org/wiki/Compound_File_Binary_Format) # Additional tests for OLE 2 Compound Documents should be under this recipe. @@ -72,6 +72,7 @@ #>67 ubyte x \b, color %x # the DirIDs of the child nodes. Should both be -1 in the root storage entry #>68 bequad !0xffffffffffffffff \b, DirIDs %llx +# NEXT lines for DEBUGGING # second directory entry name like VisioDocument Control000 #>128 lestring16 x \b, 2nd %.20s # third directory entry like WordDocument @@ -201,6 +202,18 @@ !:ext nfo # # From: Joerg Jenderek +# URL: https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/arn-autoruns-v14.trid.xml +# Note: older versions til 13 about middle 2021 handled by ./windows +# called "Sysinternals Autoruns data (v14)" by TrID +# second, third and fourth directory entry name like Header Items 0 +>>>>128 lestring16 Header : Microsoft sysinternals AutoRuns data, version 14 +#!:mime application/x-ole-storage +!:mime application/x-ms-arn +# like: MyHOSTNAME.arn +!:ext arn +# +# From: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/Microsoft_Access # Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/mdz.trid.xml # http://fileformats.archiveteam.org/wiki/Microsoft_Compound_File 
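Review bot: The AutoRuns test added in the `@@ -201,6 +202,18 @@` hunk checks only the second directory entry name, `>>>>128 lestring16 Header`, even though its own comment describes the second, third and fourth names as `Header Items 0`. Any null-CLSID compound file whose second entry name starts with `Header` would therefore be labelled as Sysinternals AutoRuns data and given `application/x-ms-arn`. Moving the description onto a nested test of the third entry would tighten it, e.g. `>>>>>256 lestring16 Items : Microsoft sysinternals AutoRuns data, version 14`. Offset 256 is taken from the third-entry test removed elsewhere in this diff, so confirm it against a real `.arn` sample.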
@@ -249,9 +262,11 @@ !:ext tpl # # URL: https://en.wikipedia.org/wiki/Hangul_(word_processor) +# https://www.hancom.com/etc/hwpDownload.do # Note: "HWP Document File" signature found in FileHeader +# Hangul Word Processor WORDIAN, 2002 and later is using HWP 5.0 format. # Second directory entry name FileHeader hint for Thinkfree Office document ->>>>128 lestring16 FileHeader : Hangul (Korean) 5.0 Word Processor File +>>>>128 lestring16 FileHeader : Hancom HWP (Hangul Word Processor) file, version 5.0 #!:mime application/haansofthwp !:mime application/x-hwp # https://example-files.online-convert.com/document/hwp/example.hwp @@ -305,62 +320,93 @@ # THIS WORKS PARTLY! >>>>>>&0 indirect x # remaining null clsid ->>>>128 default x : UNKNOWN -# second directory entry name like VisioDocument Control000 ->>>>>128 lestring16 x with names %.20s -# third directory entry like WordDocument ->>>>>256 lestring16 x %.20s -# forth ->>>>>384 lestring16 x %.20s -!:mime application/x-ole-storage -# according to file version 5.41 with -e soft option -#!:mime application/CDFV2 -#!:ext ??? +>>>>128 default x +>>>>>0 use ole2-unknown +# look for CLSID where "second" part is 0 +>>>80 ubequad !0x0 +# +# Summary: Family Tree Maker +# 
From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Family_Tree_Maker +# https://en.wikipedia.org/wiki/Family_Tree_Maker +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/f/ftw.trid.xml +# Note called "Family Tree Maker Family Tree" by TrID and +# "FamilyTree Maker Database" with version "1-4" by DROID via PUID fmt/1352 +# tested only with version 2.0 +# verified by Michal Mutl Structured Storage Viewer `SSView.exe my.ftw` +# newer versions are SQLite based and handled by ./sql +# directory names like: IND.DB AUX.DB GENERAL.DB NAME.NDX BIRTH.NDX EXTRA.DB +>>>>80 ubequad 0x5702000000000000 : Family Tree Maker Windows database, version 1-4 +# look for "File Format (C) Copyright 1993 Banner Blue Software Inc. - All Rights Reserved" in GENERAL.DB +#>>>>>0 search/0x5460c/s F\0i\0l\0e\0\040\0F\0o\0r\0m\0a\0t\0\040\0(\0C\0)\0 \b, VERSION +# GRR: jump to version value like 2 does not work! +#>>>>>>&-8 ubyte x %u +#!:mime application/x-ole-storage +!:mime application/x-fmt +# FBK is used for backup of FTW +!:ext ftw/fbk +# +>>>>80 default x +>>>>>0 use ole2-unknown # look for known clsid GUID # - Visio documents # URL: http://fileformats.archiveteam.org/wiki/Visio # Last update on 10/23/2006 by Lester Hightower, 07/20/2019 by Joerg Jenderek ->>88 ubequad 0xc000000000000046 : Microsoft ->>>80 ubequad 0x131a020000000000 Visio 2000-2002 Document, stencil or template +>>88 ubequad 0xc000000000000046 +>>>80 ubequad 0x131a020000000000 : Microsoft Visio 2000-2002 Document, stencil or template !:mime application/vnd.visio # VSD~Drawing VSS~Stencil VST~Template !:ext vsd/vss/vst ->>>80 ubequad 0x141a020000000000 Visio 2003-2010 Document, stencil or template +>>>80 ubequad 0x141a020000000000 : Microsoft Visio 2003-2010 Document, stencil or template !:mime application/vnd.visio !:ext vsd/vss/vst # # URL: http://fileformats.archiveteam.org/wiki/Windows_Installer ->>>80 ubequad 0x84100c0000000000 Windows Installer Package +# 
https://en.wikipedia.org/wiki/Windows_Installer#ICE_validation +# Update: Joerg Jenderek +# Windows Installer Package *.MSI or validation module *.CUB +>>>80 ubequad 0x84100c0000000000 : Microsoft Windows Installer Package or validation module !:mime application/x-msi #!:mime application/x-ms-win-installer -!:ext msi ->>>80 ubequad 0x86100c0000000000 Windows Installer Patch +# https://learn.microsoft.com/en-us/windows/win32/msi/internal-consistency-evaluators-ices +# cub is used for validation module like: Vstalogo.cub XPlogo.cub darice.cub logo.cub mergemod.cub +#!:mime application/x-ms-cub +!:ext msi/cub +# 
From: Joerg Jenderek +# URL: http://en.wikipedia.org/wiki/Windows_Installer +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/mst.trid.xml +# called "Windows SDK Setup Transform script" by TrID +>>>80 ubequad 0x82100c0000000000 : Microsoft Windows Installer transform script +#!:mime application/x-ole-storage +!:mime application/x-ms-mst +!:ext mst +>>>80 ubequad 0x86100c0000000000 : Microsoft Windows Installer Patch # ?? !:mime application/x-wine-extension-msp #!:mime application/x-ms-msp !:ext msp # # URL: http://fileformats.archiveteam.org/wiki/DOC ->>>80 ubequad 0x0009020000000000 Word 6-95 document or template +>>>80 ubequad 0x0009020000000000 : Microsoft Word 6-95 document or template !:mime application/msword # for template MSWDW8TN !:apple MSWDWDBN !:ext doc/dot ->>>80 ubequad 0x0609020000000000 Word 97-2003 document or template +>>>80 ubequad 0x0609020000000000 : Microsoft Word 97-2003 document or template !:mime application/msword !:apple MSWDWDBN # dot for template; no extension on Macintosh !:ext doc/dot/ # # URL: http://fileformats.archiveteam.org/wiki/Microsoft_Works_Word_Processor ->>>80 ubequad 0x0213020000000000 Works 3-4 document or template +>>>80 ubequad 0x0213020000000000 : Microsoft Works 3-4 document or template !:mime application/vnd.ms-works !:apple ????AWWP # ps for template https://filext.com/file-extension/PS bps for backup !:ext wps/ps/bps # # URL: http://fileformats.archiveteam.org/wiki/Microsoft_Works_Database ->>>80 ubequad 0x0313020000000000 Works 3-4 database or template +>>>80 ubequad 0x0313020000000000 : Microsoft Works 3-4 database or template !:mime application/vnd.ms-works-db # https://www.macdisk.com/macsigen.php !:apple ????AWDB 
@@ -368,14 +414,14 @@ !:ext wdb/db/bdb # # URL: https://en.wikipedia.org/wiki/Microsoft_Excel ->>>80 ubequad 0x1008020000000000 Excel 5-95 worksheet, addin or template +>>>80 ubequad 0x1008020000000000 : Microsoft Excel 5-95 worksheet, addin or template !:mime application/vnd.ms-excel # https://www.macdisk.com/macsigen.php !:apple ????XLS5 # worksheet/addin/template/no extension on Macintosh !:ext xls/xla/xlt/ # ->>>80 ubequad 0x2008020000000000 Excel 97-2003 +>>>80 ubequad 0x2008020000000000 : Microsoft Excel 97-2003 !:mime application/vnd.ms-excel # https://www.macdisk.com/macsigen.php XLS5 for Excel 5 !:apple ????XLS9 @@ -391,23 +437,36 @@ #!:ext xls/xlt/ # # URL: http://fileformats.archiveteam.org/wiki/OLE2 ->>>80 ubequad 0x0b0d020000000000 Outlook 97-2003 item -#>>>80 ubequad 0x0b0d020000000000 Outlook 97-2003 Message +>>>80 ubequad 0x0b0d020000000000 : Microsoft Outlook 97-2003 item +#>>>80 ubequad 0x0b0d020000000000 : Microsoft Outlook 97-2003 Message #!:mime application/vnd.ms-outlook !:mime application/x-ms-msg !:ext msg # URL: https://wiki.fileformat.com/email/oft/ ->>>80 ubequad 0x46f0060000000000 Outlook 97-2003 item template +>>>80 ubequad 0x46f0060000000000 : Microsoft Outlook 97-2003 item template #!:mime application/vnd.ms-outlook !:mime application/x-ms-oft !:ext oft # # URL: http://fileformats.archiveteam.org/wiki/PPT ->>>80 ubequad 0x5148040000000000 PowerPoint 4.0 presentation +>>>80 ubequad 0x5148040000000000 : Microsoft PowerPoint 4.0 presentation !:mime application/vnd.ms-powerpoint # https://www.macdisk.com/macsigen.php !:apple ????PPT3 !:ext ppt +# Summary: "newer" Greenstreet Art drawing +# 
From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/GST_ART +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/art-gst-docfile.trid.xml +# Note: called like "Greenstreet Art drawing" by TrID +# Note: CONTENT stream contains binary part of older versions with phrase GST:ART at offset 16 +# verified by Michal Mutl Structured Storage Viewer `SSView.exe BCARD2.ART` +>>>80 ubequad 0x602c020000000000 : Greenstreet Art drawing +#!:mime application/x-ole-storage +!:mime image/x-greenstreet-art +!:ext art +>>>80 default x +>>>>0 use ole2-unknown #?? # URL: http://www.checkfilename.com/view-details/Microsoft-Works/RespageIndex/0/sTab/2/ >>88 ubequad 0xa29a00aa004a1a72 : Microsoft @@ -547,6 +606,19 @@ !:apple ????WPC9 !:ext wpg # +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/CorelCAD +# https://en.wikipedia.org/wiki/CorelCAD +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/ccd-corelcad.trid.xml +# Note: called "CorelCAD Drawing" by TrID and CorelCAD +# directory entry names like Contents ViewInfo CustomViewDescriptions LayerInfo +>>88 ubequad 0xbe26db67235e2689 : Corel +>>>80 ubequad 0x20f414de1cacce11 \bCAD Drawing or Template +#!:mime application/x-ole-storage +!:mime application/x-corel-cad +# CCT for CorelCAD Template +!:ext ccd/cct +# # URL: http://fileformats.archiveteam.org/wiki/StarOffice_binary_formats >>88 ubequad 0x996104021c007002 : StarOffice >>>80 ubequad 0x407e5cdc5cb31b10 StarWriter 3.0 document or template 
@@ -661,13 +733,28 @@ #!:ext max/chr # remaining non null clsid >>88 default x -# GRR: check again for non null clsid because wrong when called by indirect directive ->>>88 ubequad !0 : UNKNOWN +>>>0 use ole2-unknown +# display information about directory for not detected CDF files +0 name ole2-unknown +>80 ubequad x : UNKNOWN # https://reposcope.com/mimetype/application/x-ole-storage !:mime application/x-ole-storage # according to file version 5.41 with -e soft option #!:mime application/CDFV2 #!:ext ??? ->>>>80 ubequad !0 \b, clsid %#16.16llx ->>>>88 ubequad x \b%16.16llx - +>80 ubequad !0 \b, clsid %#16.16llx +>>88 ubequad x \b%16.16llx +# converted hexadecimal format to standard GUUID notation +>>80 guid x {%s} +# second directory entry name like VisioDocument Control000 +>128 lestring16 x with names %.20s +# third directory entry like WordDocument Preview.dib +>256 lestring16 x %.20s +# forth like \005SummaryInformation +>384 lestring16 x %.25s +# 5th +>512 lestring16 x %.10s +# 6th +>640 lestring16 x %.10s +# 7th +>768 lestring16 x %.10s diff --git a/magic/Magdir/pdf b/magic/Magdir/pdf index 38de3cff9b9f..7a99d8d3cf3d 100644 --- a/magic/Magdir/pdf +++ b/magic/Magdir/pdf @@ -1,12 +1,12 @@ #------------------------------------------------------------------------------ -# $File: pdf,v 1.16 2021/07/30 11:47:07 christos Exp $ +# $File: pdf,v 1.18 2023/07/17 15:57:18 christos Exp $ # pdf: file(1) magic for Portable Document Format # 0 name pdf >8 search /Count ->>&0 regex [0-9]+ \b, %s pages +>>&0 regex [0-9]+ \b, %s page(s) >8 search/512 /Filter/FlateDecode/ (zip deflate encoded) 0 string %PDF- PDF document @@ -42,7 +42,7 @@ >5 byte x \b, version %c >7 byte x \b.%c -0 search/256 %PDF- PDF document +0 search/1024 %PDF- PDF document !:mime application/pdf !:strength +60 !:ext pdf diff --git a/magic/Magdir/perl b/magic/Magdir/perl index c391d4a72036..4a3756a483e1 100644 --- a/magic/Magdir/perl +++ b/magic/Magdir/perl 
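Review bot: The new `ole2-unknown` routine prints seven directory-entry names with `lestring16 x` at the fixed offsets 128 to 768, and because test `x` always matches, nothing checks that an entry exists before its bytes are printed. A comment above `>128 lestring16 x` should say what those offsets are relative to and what an unused entry looks like, for example `# offsets are relative to the directory start handed over by the caller; unused entries print as empty names`. That wording is an assumption to confirm against the callers, which sit outside this hunk. Two comment typos can be fixed at the same time: `GUUID` should read `GUID` and `forth` should read `fourth`.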
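Review bot: The widened `0 search/1024 %PDF-` entry carries no comment explaining the new window. Combined with `!:strength +60`, it now reports `application/pdf` for any file that has `%PDF-` somewhere in its first KiB, whatever its leading bytes are. Anything that uses this result to gate uploads or choose a parser should know that up to 1019 bytes of other content can precede the header. I would add `# header may sit anywhere in the first 1024 bytes, so the leading bytes can belong to another format` above the entry.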
@@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: perl,v 1.26 2017/02/21 18:34:55 christos Exp $ +# $File: perl,v 1.27 2023/07/17 16:01:36 christos Exp $ # perl: file(1) magic for Larry Wall's perl language. # # The `eval' lines recognizes an outrageously clever hack. @@ -34,12 +34,12 @@ # by Dmitry V. Levin and Alexey Tourbin # check the first line 0 search/8192 package ->0 regex \^package[\ \t]+[0-9A-Za-z_:]+\ *; Perl5 module source text +>0 regex \^package[[:space:]]+[0-9A-Za-z_:]+[[:space:]]*([[:space:]]v?[0-9][0-9.]*)?[[:space:]]*; Perl5 module source text !:strength + 40 # not 'p', check other lines 0 search/8192 !p ->0 regex \^package[\ \t]+[0-9A-Za-z_:]+\ *; ->>0 regex \^1\ *;|\^(use|sub|my)\ .*[(;{=] Perl5 module source text +>0 regex \^package[[:space:]]+[0-9A-Za-z_:]+[[:space:]]*([[:space:]]v?[0-9][0-9.]*)?[[:space:]]*; +>>0 regex \^1[[:space:]]*;|\^(use|sub|my)[[:space:]].*[(;{=] Perl5 module source text !:strength + 75 # Perl POD documents diff --git a/magic/Magdir/playdate b/magic/Magdir/playdate new file mode 100644 index 000000000000..77f8c689378d --- /dev/null +++ b/magic/Magdir/playdate 
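Review bot: The optional version part of the new `package` regex is written as `[[:space:]]*([[:space:]]v?[0-9][0-9.]*)?[[:space:]]*`, which puts three whitespace runs next to each other that can divide the same blanks in several ways. The same language is matched by `\^package[[:space:]]+[0-9A-Za-z_:]+([[:space:]]+v?[0-9][0-9.]*)?[[:space:]]*;`, which has only one way to consume each blank. That matters because the pattern runs over untrusted input, and a backtracking regex engine may spend extra time on long blank runs (the cost depends on the regex library in use). The change applies to both the `>0 regex` line under `0 search/8192 package` and the one under `0 search/8192 !p`.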
@@ -0,0 +1,57 @@ + +#------------------------------------------------------------------------------ +# $File: playdate,v 1.1 2022/11/04 13:34:48 christos Exp $ +# +# Various native file formats for the Playdate portable video game console. +# +# These are unofficially documented at +# https://github.com/jaames/playdate-reverse-engineering +# +# The SDK is a source for many test files, and can be used to +# create others. https://play.date/dev/ + + +# pdi: static image +0 string Playdate\ IMG Playdate image data +>12 belong&0x80 0x80 (compressed) +>>20 lelong x %d x +>>24 lelong x %d +>12 belong&0x80 0x00 (uncompressed) +>>16 leshort x %d x +>>18 leshort x %d + +# pdt: multiple static images +0 string Playdate\ IMT Playdate image data set +>12 belong&0x80 0x80 (compressed) +>>20 lelong x %d x +>>24 lelong x %d, +>>28 lelong x %d cells +>12 belong&0x80 0x00 (uncompressed) +>>20 lelong x tile grid %d x +>>24 lelong x %d + +# pds: string tables +0 string Playdate\ STR Playdate localization strings +>12 belong&0x80 0x80 (compressed) +>12 belong&0x80 0x00 (uncompressed) + +# pda: audio +0 string Playdate\ AUD Playdate audio file +>12 lelong&0xffffff x %d Hz, +>15 byte 0 unsigned, 8-bit PCM, 1 channel +>15 byte 1 unsigned, 8-bit PCM, 2 channel +>15 byte 2 signed, 16-bit little-endian PCM, 1 channel +>15 byte 3 signed, 16-bit little-endian PCM, 1 channel +>15 byte 4 4-bit ADPCM, 1 channel +>15 byte 5 4-bit ADPCM, 2 channel + +# pda: video +0 string Playdate\ VID Playdate video file +>24 leshort x %d x +>26 leshort x %d, +>16 leshort x %d frames, +>20 lefloat x %.2f FPS + +# pdz: executable package +# Not a lot we can do, as it's a stream of entries with no summary information. +0 string Playdate\ PDZ Playdate executable package diff --git a/magic/Magdir/printer b/magic/Magdir/printer index e8fccd279717..b45a2025ec8a 100644 --- a/magic/Magdir/printer +++ b/magic/Magdir/printer 
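Review bot: In the `Playdate\ AUD` entry, format byte 3 is described as `1 channel`, the same text as format 2, while the 0/1 and 4/5 pairs alternate between 1 and 2 channels. This looks like a copy-and-paste slip, and the line should probably read `>15 byte 3 signed, 16-bit little-endian PCM, 2 channel`; confirm against the format notes linked in the file header. The comment above the `Playdate\ VID` entry says `# pda: video`, which repeats the audio tag and presumably should name the video extension.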
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: printer,v 1.29 2019/04/19 00:42:27 christos Exp $ +# $File: printer,v 1.34 2023/06/16 19:27:12 christos Exp $ # printer: file(1) magic for printer-formatted files # @@ -30,13 +30,42 @@ # DOS EPS Binary File Header # 
From: Ed Sznyter <ews@Black.Market.NET> -0 belong 0xC5D0D3C6 DOS EPS Binary File ->4 long >0 Postscript starts at byte %d ->>8 long >0 length %d ->>>12 long >0 Metafile starts at byte %d +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Encapsulated_PostScript +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/eps-adobe.trid.xml +# Note: called "Encapsulated PostScript binary" by TrID and +# verified partly by ImageMagick `identify -verbose *` as EPT (Encapsulated PostScript with TIFF preview) +0 belong 0xC5D0D3C6 +# skip DROID fmt-122-signature-id-174.eps fmt-123-signature-id-178.eps fmt-124-signature-id-180.eps +# by looking for content after header +# GRR: in version 5.44 unequal and not endian variant not working! +>32 ulelong >0 DOS EPS Binary File +!:mime image/x-eps +# TODO: check that "long" is false on big endian machines +# Postscript often (850/857) comes after header; so values like: 30 32 or 2788 10644 43350 71828 +>>4 long >0 at byte %d +# 1 space char after length value to get phrase like "length 263893 PostScript document text" +>>>8 long >0 length %d +# PostScript document text handled by ./printer +>>>>(4.l) indirect x +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/e/eps-wmf.trid.xml +# Note: called "Encapsulated PostScript binary (with WMF preview)" by TrID +# verified partly by XnView `nconvert -info *.EP?` as TIFF epsp +>>>>12 long >0 at byte %d +!:ext eps +# GRR: in file version 5.44 calling indirect of ./msdos produce phrase like "length 452\012- Windows metafile" >>>>16 long >0 length %d ->>>20 long >0 TIFF starts at byte %d ->>>>24 long >0 length %d +# Windows metafile data handled by ./msdos +>>>>>(12.l) indirect x +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/e/eps-tiff.trid.xml +# Note: called "Encapsulated PostScript binary (with TIFF preview)" by TrID +>>>>20 long >0 at byte %d +# For the variant with the TIFF preview image sometimes the file extension ept is used +!:ext 
eps/ept +# GRR: in file version 5.44 calling indirect of ./images produce phrase like "length 43320\012- TIFF image data," +>>>>>24 long >0 length %d +# TIFF image data handled by ./images +>>>>>>(20.l) indirect x # Summary: Adobe's PostScript Printer Description File # Extension: .ppd @@ -45,6 +74,8 @@ # 0 string *PPD-Adobe:\x20 PPD file >&0 string x \b, version %s +!:ext ppd +!:mime application/vnd.cups-ppd # HP Printer Job Language 0 string \033%-12345X@PJL HP Printer Job Language data @@ -82,7 +113,16 @@ >0 search/10000 @PJL\ ENTER\ LANGUAGE=QPDL - Samsung QPDL >0 search/10000 @PJL\ ENTER\ LANGUAGE\ =\ QPDL - Samsung QPDL >0 search/10000 @PJL\ ENTER\ LANGUAGE=ZJS - HP ZJS - +# Summary: Hewlett-Packard printer firmware update +# From: Joerg Jenderek +# URL: https://support.hp.com/us-en/drivers/selfservice/hp-envy-6000e-all-in-one-printer-series/2100187505/model/2100187513 +# Note: firmware update tested with ENVY 6000 All-in-One Printer +0 string @PJL\ ENTER\ LANGUAGE=FWUPDATE2 HP Printer firmware update +#!:mime application/octet-stream +#!:mime application/x-hp-firmware +# https://ftp.hp.com/pub/softlib/software13/printers/en6000/2214/EN6000_2214B.exe +# vasari_base_dist_pp1_001.2214B_nonassert_appsigned_lbi_rootfs_secure_signed.ful2 +!:ext ful2 # HP Printer Control Language, Daniel Quinlan (quinlan@yggdrasil.com) 0 string \033E\033 HP PCL printer data @@ -148,3 +188,91 @@ # From: Paolo <oopla@users.sf.net> # Epson ESC/Page, ESC/PageColor 0 string \x1b\x01@EJL Epson ESC/Page language printer data + +# Summary: Hewlett-Packard Graphics Language +# 
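Review bot: The guards in front of the three new `indirect` lines read the offsets with native-endian `long`, for example `>>4 long >0`, while the jumps themselves use `(4.l)`, `(12.l)` and `(20.l)`, which are little-endian. On a big-endian host the guard and the jump would therefore look at different values, which is what the TODO in the hunk hints at. Making the guards explicit removes the doubt: `>>4 lelong >0 at byte %d`, and likewise for offsets 8, 12, 16, 20 and 24. The offsets come from the file under inspection and each `indirect` re-runs the whole magic set at that position. A short comment noting that a crafted header can point anywhere in the file, and that nesting is bounded only by file's indirection limit, would help the next maintainer.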
From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/HP-GL +# https://en.wikipedia.org/wiki/HPGL +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/hpg.trid.xml +# Note: called "Hewlett-Packard Graphics Language" by TrID and +# "Hewlett Packard Graphics Language" by DROID via PUID x-fmt/293 and +# HPGL by XnView command `nconvert -info *` +# initialize, start a plotting job +0 string IN; +>0 use hpgl +# fill.plt +0 string INPS +>0 use hpgl +# http://ftp.funet.fi/index/graphics/packages/hpgl2ps/hpgl2ps.tar.Z/hpgl2ps/test1.hpgl +0 string DF; +>0 use hpgl +# http://ftp.funet.fi/index/graphics/packages/hpgl2ps/hpgl2ps.tar.Z/hpgl2ps/test3.hpgl +# Select Pen n; If no pen number or 0, the controller performs an end of file command; n in range between -32767 and 32768 like: 6 +0 string SP +# skip text Linux-syscall-note inside qemu sources starting with SPDX-Exception-Identifier: Linux-syscall-note +# by checking for valid Pen number +>2 regex \^([0-9]{1,5}) +#>2 regex \^([0-9]{1,5}) PEN_NUMBER=%s +>>0 use hpgl +# charsize.hp pages.hp set the scaling points (P1 and P2) to their default positions +0 string IP0 +>0 use hpgl +# ci.hp +0 string CO\040 +>0 use hpgl +# iw.hp 286x192.5_lh.hpg 286x192.5_lq.hpg +0 string PS\040 +>0 use hpgl +# thick.hp +0 string PS9 +>0 use hpgl +# ul.hp +0 string PS4 +>0 use hpgl +# la.hp +0 string BP +>0 use hpgl +# miter.hp +# Plot Absolute x,y{,x,y{...}}; x and y in range between -32767 and 32768 like: PA4000,3000; +0 string PA +# skip shell scripts test_msa_run_32r5eb.sh test_msa_run_32r5eb.sh with variable PATH_TO_QEMU +# by checking for valid x coordinate +>2 regex \^([-]{0,1}[0-9]{1,5}) +#>2 regex \^([-]{0,1}[0-9]{1,5}) COORDINATE=%s +>>0 use hpgl +# pw.hpg number of pens x +0 string NP +>0 use hpgl +# win_1.hp +#0 string \003INCA WHAT_IS_THAT +#>0 use hpgl +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/hpgl2.trid.xml +# Note: called "Hewlett-Packard Graphics Language 2" by TrID +0 string \033%-1B 
Hewlett-Packard Graphics Language 2 +!:mime application/vnd.hp-HPGL +# like: dt.plt +!:ext plt +#!:ext plt/gl2/hpg2/spl +# remaining part after escsape sequnce +>5 string x with "%-.10s" +# display Hewlett-Packard Graphics Language vector graphic information +0 name hpgl +>0 string x Hewlett-Packard Graphics Language +#!:mime vector/x-hpgl +# https://www.iana.org/assignments/media-types/application/vnd.hp-HPGL +!:mime application/vnd.hp-HPGL +# no example with HPL suffix found +!:ext hpgl/hpg/hp/plt +# like: "IN;" "DF;IN;LT;PU1000,1000;PD2000,10" "SP6;DI0,1;SR0.70,1.90;SC0,800," +# "CO Concentric circles drawn with different linewidths;" +>0 string x \b, starting with "%-.54s" +# continue but not for 1 long line without CR or LF +>>&0 ubyte <0x0E +#>>&0 ubyte <0x0E TERMINATOR=%x +# second line after 1 terminator character +>>>&0 string >\r with "%-.10s" +# next character again CR or LF +>>>&0 ubyte <0x0E +#>>>&0 ubyte <0x0E 2ND_CHARACTER=%x +# second line after 2 terminator characters +>>>>&0 string >\r with "%-.10s" diff --git a/magic/Magdir/qt b/magic/Magdir/qt index 83aa124cfd3d..68085f2892f9 100644 --- a/magic/Magdir/qt +++ b/magic/Magdir/qt @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: qt,v 1.3 2019/04/19 00:42:27 christos Exp $ +# $File: qt,v 1.4 2022/11/11 14:50:23 christos Exp $ # qt: file(1) magic for Qt # https://doc.qt.io/qt-5/resources.html @@ -17,3 +17,14 @@ # src/corelib/kernel/qtranslator.cpp#L62 0 string \x3c\xb8\x64\x18\xca\xef\x9c\x95 >8 string \xcd\x21\x1c\xbf\x60\xa1\xbd\xdd Qt Translation file + + +# Qt V4 Javascript engine compiled unit +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/qt/qtdeclarative/blob/v6.4.0/src/qml/common/qv4compileddata_p.h +0 string qv4cdata QV4 compiled unit +!:ext qmlc +>8 ulelong x \b, version %d +>12 byte x \b, Qt %d +>13 byte x \b.%d +>14 byte x \b.%d 
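Review bot: `0 string BP` and `0 string NP` go straight to `use hpgl` with no further check, so any file that starts with those two ASCII letters is reported as `application/vnd.hp-HPGL`. The hunk already guards `SP` and `PA` with a numeric regex for exactly this reason. Since the comment says `NP` is followed by a pen count, the same guard fits there: `>2 regex \^([0-9]{1,5})` followed by `>>0 use hpgl`. `BP` needs a comparable check on whatever must follow it. The three-byte prefixes `IP0`, `PS9` and `PS4` are only slightly more specific and deserve a comment naming the false positives that were tested. The comment `remaining part after escsape sequnce` should read `escape sequence`.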
diff --git a/magic/Magdir/rst b/magic/Magdir/rst index aadfad20b01c..0df15b8fa5dd 100644 --- a/magic/Magdir/rst +++ b/magic/Magdir/rst @@ -1,11 +1,13 @@ #------------------------------------------------------------------------------ -# $File: rst,v 1.3 2020/04/27 01:50:36 christos Exp $ +# $File: rst,v 1.4 2023/07/27 18:26:32 christos Exp $ # rst: ReStructuredText http://docutils.sourceforge.net/rst.html 0 search/256 \=\= !:strength + 30 >&0 regex/256 \^[\=]+$ ->>&0 search/512 :Author: ReStructuredText file +>>&0 search/512 :Author: ReStructuredText file +>>&0 search/512 \012Authors: ReStructuredText file +>>&0 search/512 \012Author: ReStructuredText file >>&0 default x >>>&0 regex/512 \^\\.\\.[A-Za-z] ReStructuredText file !:ext rst diff --git a/magic/Magdir/rust b/magic/Magdir/rust new file mode 100644 index 000000000000..b1bbd9d9702c --- /dev/null +++ b/magic/Magdir/rust @@ -0,0 +1,21 @@ + +#------------------------------------------------------------------------------ +# $File: rust,v 1.2 2022/11/18 15:58:15 christos Exp $ +# Magic for Rust and related languages programs +# + +# Rust compiler metadata +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/rust-lang/rust/blob/1.64.0/compiler/rustc_metadata/src/rmeta/mod.rs +0 string rust\x00\x00\x00 +>12 string \014rustc\x20 Rust compiler metadata +!:ext rmeta +>>7 byte x \b, version %d + +# Rust incremental compilation metadata +# From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/rust-lang/rust/blob/1.64.0/compiler/rustc_incremental/src/persist/file_format.rs +0 string RSIC +>4 uleshort =0 Rust incremental compilation metadata +!:ext bin +>>6 pstring x \b, rustc %s diff --git a/magic/Magdir/scientific b/magic/Magdir/scientific index 0e78712fcab3..d52d6aeb0124 100644 --- a/magic/Magdir/scientific +++ b/magic/Magdir/scientific 
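Review bot: In the new rust file, `>12 string \014rustc\x20` fixes the byte before `rustc ` to 12, which reads like the length prefix of the version string that follows. If that is what it is, only version strings of exactly 12 bytes (`rustc x.yy.z`) are recognised, and a longer string, for instance one with a commit hash and date appended, is missed. Matching the text alone with `>13 string rustc\x20` would avoid tying the entry to one string length. This is inferred from the entry itself and should be checked against the `rmeta` source linked in the comment.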
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: scientific,v 1.13 2019/04/19 00:42:27 christos Exp $ +# $File: scientific,v 1.14 2023/04/29 17:28:09 christos Exp $ # scientific: file(1) magic for scientific formats # # From: Joe Krahn <krahn@niehs.nih.gov> @@ -62,15 +62,48 @@ # Type: GEDCOM genealogical (family history) data # From: Giuseppe Bilotta +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/GEDCOM +# https://en.wikipedia.org/wiki/GEDCOM +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/g/ +# ged.trid.xml ged-utf8.trid.xml ged-utf16.trid.xml +# Note: called "GEDCOM Family History" by TrID and "Genealogical Data Communication (GEDCOM) Format" by DROID via PUID fmt/851 0 search/1/c 0\ HEAD GEDCOM genealogy text +#!:mime text/plain +#!:mime application/x-gedcom +# https://www.iana.org/assignments/media-types/text/vnd.familysearch.gedcom +!:mime text/vnd.familysearch.gedcom +!:ext ged +# no gedcom sample found and ged suffix also used for other formats +#!:ext ged/gedcom >&0 search 1\ GEDC >>&0 search 2\ VERS version +# 4 5.0 5.3 5.4 5.5 5.5.1 5.5.5 5.6 7.0 or no version >>>&1 string >\0 %s # 
From: Phil Endecott <phil05@chezphil.org> -0 string \000\060\000\040\000\110\000\105\000\101\000\104 GEDCOM data -0 string \060\000\040\000\110\000\105\000\101\000\104\000 GEDCOM data -0 string \376\377\000\060\000\040\000\110\000\105\000\101\000\104 GEDCOM data -0 string \377\376\060\000\040\000\110\000\105\000\101\000\104\000 GEDCOM data +# 0\040HEAD as UTF-16 big endian without BOM +0 string \000\060\000\040\000\110\000\105\000\101\000\104 GEDCOM genealogy text +!:mime text/vnd.familysearch.gedcom +!:ext ged +# look for VERS tag encoded as UTF-16 big endian +>12 search/0x65 V\0E\0R\0S version +# version like: 5.5.1 +>>&2 bestring16 x %s +>>0 string x \b, UTF-16 (without BOM) big-endian text +# 0\040HEAD as UTF-16 little endian without BOM +0 string \060\000\040\000\110\000\105\000\101\000\104\000 GEDCOM genealogy text +!:mime text/vnd.familysearch.gedcom +!:ext ged +# look for VERS tag encoded as UTF-16 lttle endian +>12 search/0x65 V\0E\0R\0S version +# version like: 5.5.1 +>>&3 lestring16 x %s +>>2 string x \b, UTF-16 (without BOM) little-endian text +# Note: UTF-16 with BOM variants already described above by first test as "GEDCOM genealogy text" +# 0\040HEAD as UTF-16 big endian with BOM +#0 string \376\377\000\060\000\040\000\110\000\105\000\101\000\104 GEDCOM data +# 0\040HEAD as UTF-16 little endian with BOM +#0 string \377\376\060\000\040\000\110\000\105\000\101\000\104\000 GEDCOM data # PDB: Protein Data Bank files # Adam Buchbinder <adam.buchbinder@gmail.com> diff --git a/magic/Magdir/sendmail b/magic/Magdir/sendmail index 54028fdfe227..6808dbfd33aa 100644 --- a/magic/Magdir/sendmail +++ b/magic/Magdir/sendmail @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sendmail,v 1.11 2019/04/19 00:42:27 christos Exp $ +# $File: sendmail,v 1.12 2022/10/31 13:22:26 christos Exp $ # sendmail: file(1) magic for sendmail config files # # XXX - byte order? 
@@ -13,7 +13,7 @@ # - version \330jK\354 0 byte 046 # https://www.sendmail.com/sm/open_source/docs/older_release_notes/ -# freezed configuration file (dbm format?) created from sendmal.cf with -bz +# freezed configuration file (dbm format?) created from sendmail.cf with -bz # by older sendmail. til version 8.6 support for frozen configuration files is removed # valid version numbers look like "7.14.4" and should be similar to output of commands # "sendmail -d0 -bt < /dev/null |grep -i Version" or "egrep '^DZ' /etc/sendmail.cf" diff --git a/magic/Magdir/sgml b/magic/Magdir/sgml index 71e2dab56488..fb698a54a616 100644 --- a/magic/Magdir/sgml +++ b/magic/Magdir/sgml @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sgml,v 1.46 2022/08/16 11:16:39 christos Exp $ +# $File: sgml,v 1.48 2023/01/18 16:10:21 christos Exp $ # Type: SVG Vectorial Graphics # From: Noel Torres <tecnico@ejerciciosresueltos.com> 0 string \<?xml\ version= @@ -50,6 +50,17 @@ !:mime text/html !:strength + 5 +# avoid misdetection as JavaScript +0 string/cWt \<!doctype\ html HTML document text +!:mime text/html +0 string/ct \<html> HTML document text +!:mime text/html +0 string/ct \<!-- +>&0 search/4096/cWt \<!doctype\ html HTML document text +!:mime text/html +>&0 search/4096/ct \<html> HTML document text +!:mime text/html + # SVG document # https://www.w3.org/TR/SVG/single-page.html 0 search/4096/cWbt \<!doctype\ svg SVG XML document diff --git a/magic/Magdir/sniffer b/magic/Magdir/sniffer index caf584300b30..751d19737662 100644 --- a/magic/Magdir/sniffer +++ b/magic/Magdir/sniffer @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sniffer,v 1.32 2022/07/30 16:46:56 christos Exp $ +# $File: sniffer,v 1.34 2022/12/14 18:27:36 christos Exp $ # sniffer: file(1) magic for packet capture files # # From: guy@alum.mit.edu (Guy Harris) 
@@ -327,14 +327,79 @@ # # Novell LANalyzer capture files. -# -0 leshort 0x1001 Novell LANalyzer capture file -0 leshort 0x1007 Novell LANalyzer capture file +# URL: http://www.blacksheepnetworks.com/security/info/nw/lan/trace.txt +# Reference: https://github.com/wireshark/wireshark/blob/master/wiretap/lanalyzer.c +# Update: Joerg Jenderek +# +# regular trace header record (RT_HeaderRegular) +0 leshort 0x1001 +# GRR: line above is too generic because it matches Commodore Plus/4 BASIC V3.5 +# and VIC-20 BASIC V2 program +# skip many Commodore Basic program (Microzodiac.prg Minefield.prg Vic-tac-toe.prg breakvic_joy.prg) +# with invalid second record type 0 instead of "Trace receive channel name record" +>(2.s+4) leshort =0x1006h +>>0 use novell-lanalyzer +# cyclic trace header record (RT_HeaderCyclic) +0 leshort 0x1007 +>0 use novell-lanalyzer +0 name novell-lanalyzer +>0 leshort x Novell LANalyzer capture file +# https://reposcope.com/mimetype/application/x-lanalyzer +!:mime application/x-lanalyzer +# maybe also TR2 .. TR9 TRA .. TRZ +!:ext tr1 +# version like: 1.5 +>4 ubyte x \b, version %u +# minor version; one byte identifying the trace file minor version number +>5 ubyte x \b.%u +# Trace header record type like: 1001~regular or 1007~cyclic +>0 leshort !0x1001 \b, record type %4.4x +# record_length[2] is the length of the data part of 1st reorcd (without "type" and "length" fields) like: 4Ch +>2 leshort x \b, record length %#x +# second record type like: 1006h~Trace receive channel name record +>(2.s+4) leshort !0x1006h \b, 2nd record type %#4.4x +>(2.s+6) leshort x \b, 2nd record length %#x +# each channel name is a null-terminated, eight-byte ASCII string like: Channel1 +>(2.s+8) string x \b, names %.9s +# 2nd channel name like: Channel2 +>(2.s+17) string x %.9s ... # # HP-UX "nettl" capture files. 
-# +# URL: https://nixdoc.net/man-pages/HP-UX/man1m/nettl.1m.html +# Reference: https://github.com/wireshark/wireshark/blob/master/wiretap/nettl.c +# Update: Joerg Jenderek +# Note: Wireshark fills "meta information header fields" with "dummy" values +# nettl_magic_hpux9[12]; for HP-UX 9.x not tested +0 string \x00\x00\x00\x01\x00\x00\x00\x00\x00\x07\xD0\x00 HP/UX 9.x nettl capture file +!:mime application/x-nettl +!:ext trc0/trc1 +# nettl_magic_hpux10[12]; for HP-UX 10.x and 11.x 0 string \x54\x52\x00\x64\x00 HP/UX nettl capture file +# https://reposcope.com/mimetype/application/x-nettl +!:mime application/x-nettl +# maybe also TRC000 TRC001 TRC002 ... +!:ext trc0/trc1 +# file_name[56]; maybe also like /tmp/raw.tr.TRC000 +>12 string !/tmp/wireshark.TRC000 +>>12 string x "%-.56s" +# tz[20]; like UTC +>68 string !UTC \b, tz +>>68 string x %-.20s +# host_name[9]; +>88 string >\0 \b, host %-.9s +# os_vers[9]; like B.11.11 +>97 string !B.11.11 \b, os +>>97 string x %-.9s +# os_v; like 55h +>>106 ubyte x (%#x) +# xxa[8]; like 0 +>107 ubequad !0 \b, xxa=%#16.16llx +# model[11] like: 9000/800 +>115 string !9000/800 \b, model +>>115 string x %-.11s +# unknown; probably just padding to 128 bytes like: 0406h +>126 ubeshort !0x0406h \b, at 126 %#4.4x # # RADCOM WAN/LAN Analyzer capture files. diff --git a/magic/Magdir/softquad b/magic/Magdir/softquad index 06c1f018f8cb..28f03b9b78cb 100644 --- a/magic/Magdir/softquad +++ b/magic/Magdir/softquad @@ -1,7 +1,8 @@ #------------------------------------------------------------------------------ -# $File: softquad,v 1.13 2009/09/19 16:28:12 christos Exp $ +# $File: softquad,v 1.14 2022/10/28 17:19:54 christos Exp $ # softquad: file(1) magic for SoftQuad Publishing Software +# URL: https://en.wikipedia.org/wiki/SoftQuad_Software # # Author/Editor and RulesBuilder # 
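Review bot: The cyclic header entry `0 leshort 0x1007` calls `novell-lanalyzer` with no second check, so a two-byte match alone now assigns `application/x-lanalyzer`. The regular header `0x1001` was given the `>(2.s+4) leshort =0x1006h` test because the author found it too generic. If cyclic traces also carry a channel-name record as their second record, the same guard belongs under `0x1007`; otherwise a comment should say why it is not needed. The constants `0x1006h` and `0x0406h` mix a `0x` prefix with a trailing `h`, and writing them as `0x1006` and `0x0406` avoids depending on how the parser treats the suffix.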
@@ -17,8 +18,10 @@ 0 short 0xc0da Compiled PSI (v2) data >3 string >\0 (%s) # Binary sqtroff font/desc files... -0 short 0125252 SoftQuad DESC or font file binary ->2 short >0 - version %d +# GRR: the line below is also true for 5View capture file handled by ./sniffer +0 short 0125252 +# skip 5View capture file with "invalid" version AAAAh +>2 short >0 SoftQuad DESC or font file binary - version %d # Bitmaps... 0 search/1 SQ\ BITMAP1 SoftQuad Raster Format text #0 string SQ\ BITMAP2 SoftQuad Raster Format data diff --git a/magic/Magdir/spectrum b/magic/Magdir/spectrum index f295979ac48d..cf14551b4d6b 100644 --- a/magic/Magdir/spectrum +++ b/magic/Magdir/spectrum @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: spectrum,v 1.9 2021/04/26 15:56:00 christos Exp $ +# $File: spectrum,v 1.10 2023/05/08 01:33:36 christos Exp $ # spectrum: file(1) magic for Spectrum emulator files. # # John Elliott <jce@seasip.demon.co.uk> 
@@ -22,21 +22,125 @@ # # Update: Sanity-check string contents to be printable. # -Adam Buchbinder <adam.buchbinder@gmail.com> +# Update: Joerg Jenderek 2023 May +# URL: http://fileformats.archiveteam.org/wiki/TAP_(ZX_Spectrum) +# Reference: http://web.archive.org/web/20110711141601/http://www.zxmodules.de/fileformats/tapformat.html +# http://mark0.net/download/triddefs_xml.7z/defs/t/tap-zx.trid.xml +# Note: called "ZX Spectrum Tape image" by TrID and "TAP (ZX Spectrum)" by DROID via PUID fmt/801 +# verified by fuse-emulator-utils `tzxlist EXAMPLES.TAP` # +# headers length 19=023 and flag byte 0 indicating a standard ROM loading header 0 string \023\000\000 >4 string >\0 ->>4 string <\177 Spectrum .TAP data "%-10.10s" ->>>3 byte 0 - BASIC program ->>>3 byte 1 - number array ->>>3 byte 2 - character array ->>>3 byte 3 - memory block ->>>>14 belong 0x001B0040 (screen) +# skip {85CEE8D6-0F90-4492-B484-98E38862B28D}.2.ver0x0000000000000004.db {DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db +# inside c:\ProgramData\Microsoft\Windows\Caches according to TrID and DROID +>>23 ubyte =0xFF +# skip DROID fmt-801-signature-id-1166.tap with invalid name \253\253\253\253\253\253\253\253\253\253 +# which looks like: "TF COPY II" "screen " "\023\001TF" " 1943 " +>>>4 string <\177 Spectrum .TAP data "%-10.10s" +#!:mime application/octet-stream +!:mime application/x-spectrum-tap +!:ext tap +>>>>3 byte 0 - BASIC program +# autostart line; 0..9999 are valid; 32768 means "no auto-loading" +>>>>>16 uleshort x \b, autostart line %u +# program length; length of BASIC program +>>>>>18 uleshort x \b, program length %u +>>>>3 byte 1 - number array +>>>>3 byte 2 - character array +>>>>3 byte 3 - memory block +# length of the following data 1B00h=6912 and start address 4000h=16384 in case of a SCREEN$ header +>>>>>14 belong 0x001B0040 (screen) +# unused 32768=8000h +>>>>>18 uleshort !32768 \b, unused %u +# zxlength; length of the following data after the header +>>>>14 
uleshort x \b, data length %u +#>>14 uleshort x \b, data length %#x +# checksum byte; simply all bytes (including flag byte) XORed +#>>>>20 ubyte x \b, checksum %#x # The following three blocks are from pak21-spectrum@srcf.ucam.org # TZX tape images +# Update: Joerg Jenderek 2023 May +# URL: http://fileformats.archiveteam.org/wiki/TZX +# Reference: https://worldofspectrum.net/TZXformat.html +# http://mark0.net/download/triddefs_xml.7z/defs/t/tzx.trid.xml +# Note: called "ZX Spectrum Tape image" by TrID and "TZX Format" by DROID via PUID fmt/1000 0 string ZXTape!\x1a Spectrum .TZX data +#!:mime application/octet-stream +!:mime application/x-spectrum-tzx +# CDT is used for Amstrad tapes +!:ext tzx/cdt >8 byte x version %d >9 byte x \b.%d +# ID of first block +>10 ubyte x \b; ID %#x +# turbo speed data block +>10 ubyte =0x11 (turbo) +# length of PILOT tone (number of pulses) +>>21 uleshort x \b, %u pilot pulses +# length of PILOT pulse +>>11 uleshort x with %u tstates +# length of SYNC first pulse +>>13 uleshort x \b, %u and +# length of SYNC second pulse +>>15 uleshort x %u sync tstates +# length of ZERO bit pulse +>>17 uleshort x \b, %u zero tstates +# length of ONE bit pulse +>>19 uleshort x \b, %u one tstates +# used bits in the last byte +>>23 ubyte x \b, use %u bit +# plural s +>>23 ubyte >1 \bs +# pause after this block in milliseconds +>>24 uleshort x \b, %u ms pause +# BYTE[3]; length of data that follow +>>26 ulelong&0x00FFffFF x \b, %u data bytes +>10 ubyte =0x20 (pause) +# pause duration in milliseconds +>>11 uleshort x %u ms +# text description +>10 ubyte =0x30 (text) +# length of the text description +#>>11 ubyte x L=%u +>>11 pstring x "%s" +# archive text description in ASCII format +>10 ubyte =0x32 (archive info) +# length of archive text +>>11 uleshort x \b, %#x bytes +# number of text strings +>>13 ubyte x with %u (type) text parts +# text type identification byte: 0~title 1~publisher 2~author 3~year 4~language 5~type 6~price 7~protection 8~origin 
ff~comment +>>14 byte <9 (%d) +>>>14 byte >-2 +# length of text string +#>>>>15 ubyte x L=%u +>>>>15 pstring x %s +# 2nd possible text description +>>>>>&0 byte <9 (%d) +>>>>>>&-1 byte >-2 +>>>>>>>&0 pstring x %s +# 3rd possible text description +>>>>>>>>&0 byte <9 (%d) +>>>>>>>>>&-1 byte >-2 +>>>>>>>>>>&0 pstring x %s +# 4th possible text description +>>>>>>>>>>>&0 byte <9 (%d) +>>>>>>>>>>>>&-1 byte >-2 +>>>>>>>>>>>>>&0 pstring x %s +# 5th possible text description +>>>>>>>>>>>>>>&0 byte <9 (%d) +>>>>>>>>>>>>>>>&-1 byte >-2 +>>>>>>>>>>>>>>>>&0 pstring x %s +# 6th possible text description +>>>>>>>>>>>>>>>>>&0 byte <9 (%d) +>>>>>>>>>>>>>>>>>>&-1 byte >-2 +>>>>>>>>>>>>>>>>>>>&0 pstring x %s +# 7th possible text description +>>>>>>>>>>>>>>>>>>>>&0 byte <9 (%d) +>>>>>>>>>>>>>>>>>>>>>&-1 byte >-2 +>>>>>>>>>>>>>>>>>>>>>>&0 pstring x %s # RZX input recording files 0 string RZX! Spectrum .RZX data diff --git a/magic/Magdir/sql b/magic/Magdir/sql index caa670dcab2f..00f36179f8a5 100644 --- a/magic/Magdir/sql +++ b/magic/Magdir/sql @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sql,v 1.24 2022/07/17 15:32:48 christos Exp $ +# $File: sql,v 1.26 2023/04/29 17:26:58 christos Exp $ # sql: file(1) magic for SQL files # # From: "Marty Leisner" <mleisner@eng.mc.xerox.com> @@ -88,8 +88,14 @@ # Version 1 used GDBM internally; its files cannot be distinguished # from other GDBM files. # +# Update: Joerg Jenderek +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/sqlite-2x.trid.xml +# Note: called "SQLite 2.x database" by TrID and "SQLite Database File Format" version 2 by DROID via PUID fmt/1135 # Version 2 used this format: 0 string **\ This\ file\ contains\ an\ SQLite SQLite 2.x database +!:mime application/x-sqlite2 +# FileAttributesStore.db test.sqlite2 +!:ext sqlite/sqlite2/db # URL: https://en.wikipedia.org/wiki/SQLite # Reference: https://www.sqlite.org/fileformat.html 
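Review bot: In the TZX archive-info block, the text type is tested with signed `byte <9 (%d)` and the description is printed before the `byte >-2` guard runs. The comment lists only 0 to 8 and ff as valid ids, but id bytes 0x80 to 0xFE also pass the first test and show up as negative numbers such as `(-100)` before the chain stops. Moving the format string onto the guard keeps the output limited to valid ids: `>>14 byte <9` followed by `>>>14 byte >-2 (%d)`. The same applies to the six repeated levels below it. The `pstring x` lines print length-prefixed text taken directly from the file, so a comment noting that the length byte is not validated would be useful.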
@@ -201,6 +207,63 @@ 0 belong&0xfffffffe 0x377f0682 SQLite Write-Ahead Log, !:ext sqlite-wal/db-wal >4 belong x version %d +# Summary: SQLite Write-Ahead-Log index (shared memory) +# 
From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/SQLite +# Reference: http://www.sqlite.org/draft/walformat.html#walidxfmt +# iVersion; WAL-index format version number; always 3007000=2DE218h +0 ulelong 0x002DE218 +>0 use shm-le +# big endian variant not tested +0 ubelong 0x002DE218 +>0 use \^shm-le +# show information about SQLite Write-Ahead-Log shared memory +0 name shm-le +>0 ulelong x SQLite Write-Ahead Log shared memory +#!:mime application/octet-stream +!:mime application/vnd.sqlite3 +# db3-shm Acronis BackupAndRecovery F4CEEE47-042C-4828-95A0-DE44EC267A28.db3-shm +# dbx-shm probably Dropbox filecache.dbx-shm +# aup3-shm Audacity project tada.aup3-shm +# srd-shm Microsoft Windows StateRepository service StateRepository-Deployment.srd-shm StateRepository-Machine.srd-shm: +!:ext sqlite-shm/db-shm/db3-shm/dbx-shm/aup3-shm/srd-shm +# unused padding space; must be zero +>4 ulelong !0 \b, unused %x +# iChange; unsigned integer counter, incremented with each transaction +>8 ulelong x \b, counter %u +# isInit; the "isInit" flag; 1 when the shm file has been initialized +>12 ubyte !1 \b, not initialized %u +# bigEndCksum; true if the WAL file uses big-ending checksums; 0 if the WAL uses little-endian checksums +>13 ubyte !0 \b, checksum type %u +# szPage; database page size in bytes, or 1 if the page size is 65536 +>14 uleshort !1 \b, page size %u +>14 uleshort =1 \b, page size 65536 +# mxFrame; number of valid and committed frames in the WAL file +>16 ulelong x \b, %u frames +# nPage; size of the database file in pages +>20 ulelong x \b, %u pages +# aFrameCksum; checksum of the last frame in the WAL file +>24 ulelong x \b, frame checksum %#x +# aSalt; two salt value copied from the WAL file header in the byte-order of the WAL file; might be different from machine byte-order +>32 ulequad x \b, salt %#llx +# aCksum; checksum over bytes 0 through 39 of this header +>40 ulelong x \b, header checksum %#x +# a copy of bytes 0 through 47 of header +>48 
ulelong !3007000 \b, iversion %u +# nBackfill; number of WAL frames that have already been backfilled into the database by prior checkpoints +>96 ulelong !0 \b, %u backfilled +# nBackfillAttempted; number of WAL frames that have attempted to be backfilled +>>128 ulelong x (%u attempts) +# read-mark[0..4]; five "read marks"; each read mark is a 32-bit unsigned integer +>100 ulelong !0 \b, read-mark[0] %#x +>104 ulelong x \b, read-mark[1] %#x +>108 ulelong !0xffffffff \b, read-mark[2] %#x +>112 ulelong !0xffffffff \b, read-mark[3] %#x +>116 ulelong !0xffffffff \b, read-mark[4] %#x +# unused space set aside for 8 file locks +>120 ulequad !0 \b, space %#llx +# unused space reserved for further expansion +>132 ulelong !0 \b, reserved %#x # SQLite Rollback Journal # https://www.sqlite.org/fileformat.html#rollbackjournal diff --git a/magic/Magdir/ssh b/magic/Magdir/ssh index 441f3b4a8e55..56b28a8488ea 100644 --- a/magic/Magdir/ssh +++ b/magic/Magdir/ssh @@ -1,12 +1,15 @@ # Type: OpenSSH key files # From: Nicolas Collignon <tsointsoin@gmail.com> -0 string SSH\ PRIVATE\ KEY OpenSSH RSA1 private key, +0 string SSH\040PRIVATE\040KEY OpenSSH RSA1 private key, >28 string >\0 version %s -0 string -----BEGIN\ OPENSSH\ PRIVATE\ KEY----- OpenSSH private key +0 string -----BEGIN\040OPENSSH\040PRIVATE\040KEY----- OpenSSH private key +# https://www.rfc-editor.org/rfc/rfc5958 +0 string -----BEGIN\040PRIVATE\040KEY----- OpenSSH private key (no password) +0 string -----BEGIN\040ENCRYPTED\040PRIVATE\040KEY----- OpenSSH private key (with password) -0 string ssh-dss\ OpenSSH DSA public key -0 string ssh-rsa\ OpenSSH RSA public key +0 string ssh-dss\040 OpenSSH DSA public key +0 string ssh-rsa\040 OpenSSH RSA public key 0 string ecdsa-sha2-nistp256 OpenSSH ECDSA public key 0 string ecdsa-sha2-nistp384 OpenSSH ECDSA public key 0 string ecdsa-sha2-nistp521 OpenSSH ECDSA public key diff --git a/magic/Magdir/svf b/magic/Magdir/svf new file mode 100644 index 000000000000..b0d5c980f944 
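Review bot: The WAL-index entry is decided by the single 32-bit value in `0 ulelong 0x002DE218`; the fields that could confirm the match are only printed, never tested. The hunk's own comments say the padding at offset 4 must be zero and that offset 48 starts a copy of the header, so a guard such as `>4 ulelong 0` followed by `>>0 use shm-le` would reduce false positives. Whether real files ever break that rule should be confirmed first. `!:mime application/vnd.sqlite3` also labels this shared-memory index as a SQLite database, so MIME-based routing would treat it as one; the commented-out `application/octet-stream` looks like the safer value. The big-endian line is marked as untested in the hunk itself.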
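Review bot: The two lines added for `-----BEGIN PRIVATE KEY-----` and `-----BEGIN ENCRYPTED PRIVATE KEY-----` describe these files as OpenSSH keys, but the RFC 5958 link placed above them covers generic PKCS#8 containers that also hold TLS and other keys. Secret scanning or triage that relies on file(1) output would then misreport where a key comes from. Neutral descriptions such as `PKCS#8 private key (unencrypted)` and `PKCS#8 encrypted private key` would be accurate. The wording "no password" may also be read as a contrast with `-----BEGIN OPENSSH PRIVATE KEY-----`, which can itself be passphrase-protected.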
--- /dev/null +++ b/magic/Magdir/svf @@ -0,0 +1,5 @@ +# $File: svf,v 1.2 2023/05/23 13:37:32 christos Exp $ +# +# file(1) magic(5) data for SmartVersion files with the .svf extension. + +0 string DFS\ File\x0D\x0Ahttp://www.difstream.com\x0D\x0A SmartVersion binary patch file diff --git a/magic/Magdir/sysex b/magic/Magdir/sysex index 0065ad17e432..d02389d9a457 100644 --- a/magic/Magdir/sysex +++ b/magic/Magdir/sysex @@ -1,6 +1,6 @@ #------------------------------------------------------------------------ -# $File: sysex,v 1.11 2022/01/17 17:16:51 christos Exp $ +# $File: sysex,v 1.12 2022/10/31 13:22:26 christos Exp $ # sysex: file(1) magic for MIDI sysex files # # GRR: original 1 byte test at offset was too general as it catches also many FATs of DOS filesystems @@ -10,8 +10,8 @@ 0 ubeshort&0xFF80 0xF000 # MIDI System Exclusive (SysEx) messages (strength=50) after Microsoft Visual C library (strength=70) #!:strength +0 -# skip Microsoft Visual C library with page size 16 misidentifed as ADA and -# page size 32 misidentifed as Inventronics by looking for terminating End Of eXclusive byte (EOX) +# skip Microsoft Visual C library with page size 16 misidentified as ADA and +# page size 32 misidentified as Inventronics by looking for terminating End Of eXclusive byte (EOX) >2 search/12 \xF7 >>0 use midi-sysex # display information about MIDI System Exclusive (SysEx) messages diff --git a/magic/Magdir/terminfo b/magic/Magdir/terminfo index 1b036935b6e0..41704eb55946 100644 --- a/magic/Magdir/terminfo +++ b/magic/Magdir/terminfo @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: terminfo,v 1.12 2021/02/23 00:51:10 christos Exp $ +# $File: terminfo,v 1.13 2022/11/21 22:25:37 christos Exp $ # terminfo: file(1) magic for terminfo # # URL: https://invisible-island.net/ncurses/man/term.5.html 
@@ -37,6 +37,7 @@ # AIX and HPUX use the SVr4 big-endian format # Solaris uses the SVr3 formats (sparc and x86 differ endian-ness) 0 beshort 0433 SVr2 curses screen image, big-endian +# GRR: line below too general as it catches Commodore C128 program (crc32.prg XLINK.PRG) with start address 1C01h handled by ./c64 0 beshort 0434 SVr3 curses screen image, big-endian 0 beshort 0435 SVr4 curses screen image, big-endian # diff --git a/magic/Magdir/tex b/magic/Magdir/tex index aaeae169f336..e66f8ffdcecb 100644 --- a/magic/Magdir/tex +++ b/magic/Magdir/tex @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: tex,v 1.21 2019/04/19 00:42:27 christos Exp $ +# $File: tex,v 1.22 2022/12/21 16:50:04 christos Exp $ # tex: file(1) magic for TeX files # # XXX - needs byte-endian stuff (big-endian and little-endian DVI?) @@ -10,13 +10,15 @@ # Although we may know the offset of certain text fields in TeX DVI # and font files, we can't use them reliably because they are not # zero terminated. [but we do anyway, christos] -0 string \367\002 TeX DVI file +0 string \367\002 +>(14.b+15) string \213 +>>14 pstring >\0 TeX DVI file (%s) !:mime application/x-dvi ->16 string >\0 (%s) 0 string \367\203 TeX generic font data 0 string \367\131 TeX packed font data >3 string >\0 (%s) -0 string \367\312 TeX virtual font data +0 string \367\312 +>(2.b+11) string \363 TeX virtual font data 0 search/1 This\ is\ TeX, TeX transcript text 0 search/1 This\ is\ METAFONT, METAFONT transcript text diff --git a/magic/Magdir/tplink b/magic/Magdir/tplink index 971f428103ba..1b4ef0f3369f 100644 --- a/magic/Magdir/tplink +++ b/magic/Magdir/tplink 
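Review bot: The comment kept above the TeX entries still says the text fields cannot be used reliably because they are not zero terminated, but the new `>>14 pstring >\0` line reads the DVI comment through its length byte. The comment should be brought up to date, for example `# the DVI comment is length-prefixed (byte 14), so it is read with pstring`. The new guards also accept exactly one byte value right after the preamble (`\213` for DVI, `\363` for virtual fonts). If a valid file may begin with a different command at that position it now goes unidentified, which is worth checking against the format descriptions.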
@@ -1,25 +1,32 @@ #------------------------------------------------------------------------------ -# $File: tplink,v 1.7 2021/04/26 15:56:00 christos Exp $ +# $File: tplink,v 1.8 2023/05/15 16:41:02 christos Exp $ # tplink: File magic for openwrt firmware files # URL: https://wiki.openwrt.org/doc/techref/header # Reference: https://git.openwrt.org/?p=openwrt.git;a=blob;f=tools/firmware-utils/src/mktplinkfw.c +# http://mark0.net/download/triddefs_xml.7z/defs/b/bin-tplink-v1.trid.xml +# Note: called "TP-Link router firmware (v1)" by TrID # From: Joerg Jenderek # check for valid header version 1 or 2 0 ulelong <3 >0 ulelong !0 # test for header padding with nulls >>0x100 long 0 -# skip Norton Commander Cleanup Utility NCCLEAN.INI by looking for valid vendor +# skip Norton Commander Cleanup Utility NCCLEAN.INI by looking for valid vendor name >>>4 ubelong >0x1F000000 # skip user.dbt by looking for positive hardware id >>>>0x40 ubeshort >0 ->>>>>0 use firmware-tplink +# skip cversions.1.db cversions.2.db cversions.3.db inside +# c:\ProgramData\Microsoft\Windows\Caches +# with invalid vendor names \240\0\0\0 \140\0\0\0 \040\0\0\0 +>>>>>5 short !0 +>>>>>>0 use firmware-tplink 0 name firmware-tplink >0 ubyte x firmware !:mime application/x-tplink-bin +# like: TL-WR1043ND-V1-FW0.0.3-stripped.bin gluon-ffrefugee-0.9.2-tp-link-archer-c5-v1-sysupgrade.bin !:ext bin # hardware id like 10430001 07410001 09410004 09410006 >0x40 ubeshort x %x diff --git a/magic/Magdir/troff b/magic/Magdir/troff index 5b8af64ce881..301a40bc34da 100644 --- a/magic/Magdir/troff +++ b/magic/Magdir/troff 
@@ -1,24 +1,30 @@ #------------------------------------------------------------------------------ -# $File: troff,v 1.13 2020/05/30 23:12:34 christos Exp $ +# $File: troff,v 1.14 2023/06/01 16:00:46 christos Exp $ # troff: file(1) magic for *roff # # updated by Daniel Quinlan (quinlan@yggdrasil.com) # troff input 0 search/1 .\\" troff or preprocessor input text +!:strength +12 !:mime text/troff 0 search/1 '\\" troff or preprocessor input text +!:strength +12 !:mime text/troff 0 search/1 '.\\" troff or preprocessor input text +!:strength +12 !:mime text/troff 0 search/1 \\" troff or preprocessor input text +!:strength +12 !:mime text/troff #0 search/1 ''' troff or preprocessor input text #!:mime text/troff 0 regex/20l \^\\.[A-Za-z][A-Za-z0-9][\ \t] troff or preprocessor input text +!:strength +12 !:mime text/troff 0 regex/20l \^\\.[A-Za-z][A-Za-z0-9]$ troff or preprocessor input text +!:strength +12 !:mime text/troff # ditroff intermediate output text diff --git a/magic/Magdir/uterus b/magic/Magdir/uterus index a8be8a880d28..4b9e768b6424 100644 --- a/magic/Magdir/uterus +++ b/magic/Magdir/uterus @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: uterus,v 1.3 2014/04/30 21:41:02 christos Exp $ +# $File: uterus,v 1.4 2022/10/31 13:22:26 christos Exp $ # file(1) magic for uterus files # http://freecode.com/projects/uterus # @@ -11,6 +11,6 @@ >7 byte x \b%c >8 string \<\> \b, big-endian >>16 belong >0 \b, slut size %u ->8 string \>\< \b, litte-endian +>8 string \>\< \b, little-endian >>16 lelong >0 \b, slut size %u >10 byte &8 \b, compressed diff --git a/magic/Magdir/varied.script b/magic/Magdir/varied.script index ff893882b01e..74b1b2276c51 100644 --- a/magic/Magdir/varied.script +++ b/magic/Magdir/varied.script 
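Review bot: `!:strength +12` is added to six troff entries with no comment saying which competing entry the adjustment is meant to outrank or why the value is 12. A later maintainer cannot tell whether the number is still needed, and a uniform boost on short patterns such as `0 search/1 \\"` can pull unrelated text files into this type. A one-line comment before the first entry would cover it, along the lines of `# strength raised so troff source wins over <competing entry>; see <test file>`, with the placeholders filled in by the author.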
@@ -1,59 +1,21 @@ #------------------------------------------------------------------------------ -# $File: varied.script,v 1.13 2019/10/11 14:35:29 christos Exp $ +# $File: varied.script,v 1.15 2022/10/18 13:01:30 christos Exp $ # varied.script: file(1) magic for various interpreter scripts -0 string/t #!\ / a ->3 string >\0 %s script text executable -!:strength / 2 +0 string/wt #!\ a +>&-1 string/T x %s script text executable +!:strength / 3 -0 string/b #!\ / a ->3 string >\0 %s script executable (binary data) -!:strength / 2 +0 string/wb #!\ a +>&-1 string/T x %s script executable (binary data) +!:strength / 3 -0 string/t #!\t/ a ->3 string >\0 %s script text executable -!:strength / 2 - -0 string/b #!\t/ a ->3 string >\0 %s script executable (binary data) -!:strength / 2 - -0 string/t #!/ a ->2 string >\0 %s script text executable -!:strength / 2 - -0 string/b #!/ a ->2 string >\0 %s script executable (binary data) -!:strength / 2 - -0 string/t #!\ script text executable ->3 string >\0 for %s -!:strength / 2 - -0 string/b #!\ script executable ->3 string >\0 for %s (binary data) -!:strength / 2 # using env -0 string/t #!/usr/bin/env a ->15 string/t >\0 %s script text executable -!:strength / 10 - -0 string/b #!/usr/bin/env a ->15 string/b >\0 %s script executable (binary data) -!:strength / 10 - -0 string/t #!\ /usr/bin/env a ->16 string/t >\0 %s script text executable -!:strength / 10 - -0 string/b #!\ /usr/bin/env a ->16 string/b >\0 %s script executable (binary data) -!:strength / 10 +0 string/wt #!\ /usr/bin/env a +>15 string/T >\0 %s script text executable +!:strength / 6 -# From: arno <arenevier@fdn.fr> -# mozilla xpconnect typelib -# see https://www.mozilla.org/scriptable/typelib_file.html -0 string XPCOM\nTypeLib\r\n\032 XPConnect Typelib ->0x10 byte x version %d ->>0x11 byte x \b.%d +0 string/wb #!\ /usr/bin/env a +>15 string/T >\0 %s script executable (binary data) +!:strength / 6 
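Review bot: The two `env` rules match with `string/wt` and `string/wb`, where the blank after `#!` is optional, but then read the interpreter name from the fixed offset in `>15 string/T >\0 %s`. That offset is only right for zero or one blank after `#!`; with more whitespace it presumably lands inside `/usr/bin/env` and a fragment is printed as the interpreter. The generic rules in the same hunk already use a relative offset (`>&-1 string/T x`), and the env rules would be consistent with `>&0 string/T >\0 %s`, to be verified against a test file with extra blanks. The generic rules also no longer require a `/` after `#!`, so any file starting with those two characters is now reported as a script. The XPConnect Typelib entry is deleted here, and the visible hunks do not show whether it was moved elsewhere.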
diff --git a/magic/Magdir/web b/magic/Magdir/web index ca8d812365e5..a0d26e67fb9c 100644 --- a/magic/Magdir/web +++ b/magic/Magdir/web @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: web,v 1.1 2020/05/17 19:14:28 christos Exp $ +# $File: web,v 1.2 2022/10/29 16:02:37 christos Exp $ # http://www.rdfhdt.org/ # From Christoph Biedl @@ -10,3 +10,9 @@ 0 string $HDT\x01 HDT file (binary compressed indexed RDF triples) type 1 !:mime application/vnd.hdt !:ext hdt + +0 string [Adblock\040Plus Adblock Plus +>&1 regex [0-9.]+ %s +>1 string x rules file +>10 search/100 Version: +>>&1 regex [0-9]+ \b, version %s diff --git a/magic/Magdir/windows b/magic/Magdir/windows index d6eba4388201..f58ce3e5a511 100644 --- a/magic/Magdir/windows +++ b/magic/Magdir/windows @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: windows,v 1.46 2022/07/02 17:46:09 christos Exp $ +# $File: windows,v 1.63 2023/07/17 16:56:13 christos Exp $ # windows: file(1) magic for Microsoft Windows # # This file is mainly reserved for files where programs 
@@ -95,30 +95,175 @@ >>40 lestring16 x "%s" # Summary: Windows crash dump -# Extension: .dmp # Created by: Andreas Schuster (https://computer.forensikblog.de/) -# Reference (1): https://computer.forensikblog.de/en/2008/02/64bit_magic.html +# https://web.archive.org/web/20101125060849/https://computer.forensikblog.de/en/2008/02/64bit_magic.html # Modified by (1): Abel Cheung (Avoid match with first 4 bytes only) +# Modified by (2): Joerg Jenderek (addtional fields, extension, URL) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dmp.trid.xml +# https://gitlab.com/qemu-project/qemu/-/blob/master/include/qemu/win_dump_defs.h +# Note: called "Windows memory dump" by TrID +# and verified by like Windows Kit `Dumpchk.exe 043022-18703-01.dmp` +# and partly by NirSoft `BlueScreenView.exe 043022-18703-01.dmp` +# char Signature[4] 0 string PAGE +# char ValidDump[4] >4 string DUMP MS Windows 32bit crash dump +#!:mime application/octet-stream +!:mime application/x-ms-dmp +# like: Mini111013-01.dmp +!:ext dmp +# major version like: 15 +>>8 ulelong x \b, version %u +# minor version like: 2600 +>>12 ulelong x \b.%u +# DirectoryTableBase like: 709000 +#>>16 ulelong x \b, DirectoryTableBase %#x +# PfnDatabase like: 805620c8 +#>>20 ulelong x \b, PfnDatabase %#x +# PsLoadedModuleList like: 8055d720 +#>>24 ulelong x \b, PsLoadedModuleList %#x +# PsActiveProcessHead like:805638b8 +#>>28 ulelong x \b, PsActiveProcessHead %#x +# MachineImageType like: 14c (intel x86) +>>32 ulelong !0x14c \b, MachineImageType %#x +# NumberProcessors like: 2 +>>36 ulelong x \b, %u processors +# BugcheckCode like: e2 +#>>40 ulelong x \b, BugcheckCode %#x +# BugcheckParameter1 like: 0 +#>>44 ulelong x \b, BugcheckParameter1 %#x +# BugcheckParameter2 like: 0 +#>>48 ulelong x \b, BugcheckParameter2 %#x +# BugcheckParameter3 like: 0 +#>>52 ulelong x \b, BugcheckParameter3 %#x +# BugcheckParameter4 like: 0 +#>>56 ulelong x \b, BugcheckParameter4 %#x +# VersionUser[32]; like 
"PAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGE" "" +#>>60 string x \b, VersionUser "%.32s" +# uint32_t reserved0 like: 45474101 +#>>92 ulelong x \b, reserved0 %#x >>0x05c byte 0 \b, no PAE >>0x05c byte 1 \b, PAE +# KdDebuggerDataBlock like: 8054d2e0 +#>>96 ulelong x \b, KdDebuggerDataBlock %#x +# uint8_t PhysicalMemoryBlockBuffer[700] +# WinDumpPhyMemDesc32 NumberOfRuns like: 45474150 +#>>100 ulelong x \b, NumberOfRuns %#x +# WinDumpPhyMemDesc32 uint32_t NumberOfPages like: 1162297680 +#>>104 ulelong x \b, NumberOfPages %#x +# WinDumpPhyMemRun32 Run[86]; 688 bytes +#>>108 ulelong x \b, BasePage %#x +#>>112 ulelong x \b, PageCount %#x +# uint8_t reserved1[3200] +#>>800 string x \b, reserved "%s" +#>>4000 ulelong x \b, RequiredDumpSpace %#x +# uint8_t reserved2[92]; +#>>4004 string x \b, reserved2 "%s" >>0xf88 lelong 1 \b, full dump >>0xf88 lelong 2 \b, kernel dump >>0xf88 lelong 3 \b, small dump +# like: 4 +>>0xf88 lelong >3 \b, dump type (%#x) +# WinDumpPhyMemDesc32 uint32_t NumberOfPages like: 1162297680 +# GRR: IS THIS TRUE? VALUE IS SOMETIMES VERY HIGH! 
+#>>104 ulelong x \b, NumberOfPages %#x >>0x068 lelong x \b, %d pages +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dmp-64.trid.xml113o +# Note: called "Windows 64bit Memory Dump" by TrID +# char ValidDump[4] >4 string DU64 MS Windows 64bit crash dump ->>0xf98 lelong 1 \b, full dump ->>0xf98 lelong 2 \b, kernel dump ->>0xf98 lelong 3 \b, small dump +#!:mime application/octet-stream +!:mime application/x-ms-dmp +# like: c:\Windows\Minidump\020322-18890-01.dmp c:\Windows\MEMORY.DMP +!:ext dmp +# major version like: 15 +>>8 ulelong x \b, version %u +# minor version like: 9600 19041 22621 +>>12 ulelong x \b.%u +# DirectoryTableBase like: 001ab000 +#>>16 ulequad x \b, DirectoryTableBase %#llx +# PfnDatabase like: fffffa8000000000 +#>>24 ulequad x \b, PfnDatabase %#llx +# PsLoadedModuleList like: fffff800c553f650 +#>>32 ulequad x \b, PsLoadedModuleList %#llx +# PsActiveProcessHead like: fffff800c5525400 +#>>40 ulequad x \b, PsActiveProcessHead %#llx +# MachineImageType like: 00008664 +>>48 ulelong !0x8664 \b, MachineImageType %#x +# NumberProcessors like: 2 4 +>>52 ulelong x \b, %u processors +# BugcheckCode like: 1000007e +#>>56 ulelong x \b, BugcheckCode %#x +# unused0 +#>>60 ulelong x \b, unused0 %#x +# BugcheckParameter1 like: ffffffffc0000005 +#>>64 ulequad x \b, BugcheckParameter1 %#llx +# BugcheckParameter2 like: fffff801abb2158f +#>>72 ulequad x \b, BugcheckParameter2 %#llx +# BugcheckParameter3 like: ffffd000290d4288 +#>>80 ulequad x \b, BugcheckParameter3 %#llx +# BugcheckParameter4 like: ffffd000290d3aa0 +#>>88 ulequad x \b, BugcheckParameter4 %#llx +# VersionUser[32]; like "" "PAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGE" "" +#>>96 string x \b, VersionUser "%.32s" +# KdDebuggerDataBlock like: fffff800c550c530 +#>>128 ulequad x \b, KdDebuggerDataBlock %#llx +# uint8_t PhysicalMemoryBlockBuffer[704] +# WinDumpPhyMemDesc64 NumberOfRuns like: 6 7 0x45474150 +#>>136 ulelong x \b, NumberOfRuns %#x +# WinDumpPhyMemDesc64 unused like: 0 0x45474150 +#>>140 
ulelong x \b, unused %#x +# WinDumpPhyMemRun64 Run[43] BasePage like: 1 +#>>152 ulequad x \b, BasePage %#llx +# WinDumpPhyMemRun64 Run[43] PageCount like: 57h +#>>160 ulequad x \b, PageCount %#llx +# uint8_t ContextBuffer[3000] like: "" "\001" "\0207J\266\001\340\377\377&8\007\312" +#>>840 string x \b, ContextBuffer "%s" +# WinDumpExceptionRecord ExceptionCode +#>>3840 ulelong x \b, ExceptionCode %#x +# WinDumpExceptionRecord ExceptionFlags +#>>3844 ulelong x \b, ExceptionFlags %#x +# WinDumpExceptionRecord ExceptionRecord +#>>3848 ulequad x \b, ExceptionRecord %#llx +# WinDumpExceptionRecord ExceptionAddress +#>>3856 ulequad x \b, ExceptionAddress %#llx +# WinDumpExceptionRecord NumberParameters +#>>3864 ulelong x \b, NumberParameters %#x +# WinDumpExceptionRecord unused +#>>3868 ulelong x \b, unsed %#x +# WinDumpExceptionRecord ExceptionInformation[15] +#>>3872 ulequad x \b, ExceptionInformation[0] %#llx +# https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/memory-dump-file-options +# but DumpType like: 4~small 5~full (MEMORY.DMP) 6~kernel (MEMORY.DMP) +>>0xf98 ulelong x \b, +>>>0xf98 lelong 5 full dump +>>>0xf98 lelong 6 kernel dump +>>>0xf98 lelong 4 small dump +# This probably never occur +>>>0xf98 default x DumpType +>>>>0xf98 ulelong x (%#x) +# WinDumpPhyMemDesc64 uint64_t NumberOfPages like: 3142425 8341923 8366500 1162297680 4992030524978970960 +# GRR: IS THIS TRUE? VALUE IS SOMETIMES VERY HIGH! 
>>0x090 lequad x \b, %lld pages - # Summary: Vista Event Log -# Extension: .evtx # Created by: Andreas Schuster (https://computer.forensikblog.de/) -# Reference (1): https://computer.forensikblog.de/en/2007/05/some_magic.html -0 string ElfFile\0 MS Windows Vista Event Log +# Update: Joerg Jenderek +# URL: https://github.com/libyal/libevtx/blob/main/documentation/Windows%20XML%20Event%20Log%20(EVTX).asciidoc +# Reference (1): https://web.archive.org/web/20110803085000/ +# https://computer.forensikblog.de/en/2007/05/some_magic.html +# http://mark0.net/download/triddefs_xml.7z/defs/e/evtx.trid.xml +# Note: called "Vista Event Log" by TrID and "Event Log" by Windows +# verified partly by `wevtutil.exe gli /lf:true dumpfile.evtx` +0 string ElfFile\0 MS Windows +#!:mime application/octet-stream +!:mime application/x-ms-evtx +!:ext evtx +# Major+Minor format version: 3.1~Vista and later 3.2~Windows 10 (2004) and later +>0x24 ulelong =0x00030001 Vista-8.1 Event Log +>0x24 ulelong !0x00030001 10-11 Event Log, version +>>0x26 uleshort x %u +>>0x24 uleshort x \b.%u >0x2a leshort x \b, %d chunks >>0x10 lelong x \b (no. %d in use) >0x18 lelong >1 \b, next record no. %d @@ -126,6 +271,32 @@ >0x78 lelong &1 \b, DIRTY >0x78 lelong &2 \b, FULL +# Summary: Windows Event Trace Log +# 
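Review bot: `>0x24 ulelong !0x00030001 10-11 Event Log, version` labels every value other than 3.1 as Windows 10-11, including damaged headers and versions that do not exist, which is misleading when the output is used for forensic triage. The comment above it names 3.2 as the Windows 10 format, so the label could be tied to that value with `>0x24 ulelong =0x00030002 10-11 Event Log`, leaving a plain `Event Log, version` line for anything else. In the same hunk the 64-bit crash-dump reference URL ends in `dmp-64.trid.xml113o`, which looks like stray characters, and the comments contain the typos `addtional` and `unsed`.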
From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/ETL +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/e/etl.trid.xml +# https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/etw/tracelog/trace_logfile_header.htm +# Note: called "Window tracing/diagnostic binary log" by TrID +# verified by `tracerpt.EXE Wifi.etl -of EVTX` +# and by etl-parser `etl2xml --input AMSITrace.etl --output AMSITrace.xml` +# Every ETL file begins with a WMI_BUFFER_HEADER, a SYSTEM_TRACE_HEADER and a TRACE_LOGFILE_HEADER +0 ubyte 0 +# look for corresponding encoded as UTF-16 file name extension like in: boot_BASE+CSWITCH_1.etl +>0 search/0x699087/b .\0e\0t\0l\0\0\0 +# GRR: line above only works if in ../../src/file.h FILE_BYTES_MAX is raised above 699086h (6,59 MiB) +>>0 use trace-etl +# display information of Windows Performance Analyzer Trace File (file name) +0 name trace-etl +>0 ubyte x Windows Event Trace Log +#!:mime application/x-ms-etl +# http://extension.nirsoft.net/etl +!:mime application/etl +!:ext etl +# look for DOS drive letter part of log file name like: PhotosAppTracing_startedInBGMode.etl +>0 search/0x2b4/sb :\0\x5c\0 +# like: "c:\Windows\Logs\NetSetup\service.0.etl" "C:\Windows\System32\LogFiles\WMI\Wifi.etl" +>>&-2 lestring16 x "%s" + # Summary: Windows System Deployment Image # Created by: Joerg Jenderek # URL: http://en.wikipedia.org/wiki/System_Deployment_Image 
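Review bot: The only fixed test in the ETL rule is `0 ubyte 0`, after which `>0 search/0x699087/b` scans up to about 6.6 MiB for the UTF-16 string `.etl`. Every file that starts with a NUL byte pays for that scan, and any such file that merely embeds the string is reported as an event trace log. The GRR comment in the hunk says the search only works when FILE_BYTES_MAX is raised, so the result also depends on build settings. A fixed-offset test on a field of the buffer or logfile header described in the cited reference would be cheaper and harder to trigger by accident; the offset cannot be named from what is visible here.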
@@ -440,62 +611,248 @@ >16 string >\0 for "%s" # Summary: Hyper terminal -# Extension: .ht # Created by: unknown +# Update: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/HyperACCESS +# https://www.hilgraeve.com/hyperterminal/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/ht.trid.xml +# Note: called "HyperTerminal data file" by TrID and "HyperTerminal File" on English Windows 0 string HyperTerminal\040 ->15 string 1.0\ --\ HyperTerminal\ data\ file MS Windows HyperTerminal profile +>14 string 1.0\ --\ HyperTerminal\ data\ file MS Windows HyperTerminal profile +#!:mime application/octet-stream +!:mime application/x-ms-ht +!:ext ht # https://ithreats.files.wordpress.com/2009/05/\040 # lnk_the_windows_shortcut_file_format.pdf # Summary: Windows shortcut -# Extension: .lnk # Created by: unknown +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Windows_Shortcut +# https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/l/lnk-shortcut.trid.xml +# https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SHLLINK/%5bMS-SHLLINK%5d.pdf +# Note: called "Windows Shortcut" by TrID, "Microsoft Windows Shortcut" by DROID via PUID x-fmt/428 and "Windows shortcut file" by ./msdos (v 1.158) +# partly verified by command like `lnkinfo AOL.lnk` # 'L' + GUUID +# HeaderSize + LinkCLSID 00021401-0000-0000-C000-000000000046 0 string \114\0\0\0\001\024\002\0\0\0\0\0\300\0\0\0\0\0\0\106 MS Windows shortcut !:mime application/x-ms-shortcut !:ext lnk +# LinkFlags +# HasLinkTargetIDList; if set a LinkTargetIDList structure MUST follow the ShellLinkHeader; If is not set, structure MUST NOT be present >20 lelong&1 1 \b, Item id list present +# HasLinkInfo; if set a LinkInfo structure MUST follow the ShellLinkHeader or LinkTargetIDList; If is not set, structure MUST NOT be present >20 lelong&2 2 \b, Points to a file or directory >20 lelong&4 4 \b, Has 
Description string >20 lelong&8 8 \b, Has Relative path >20 lelong&16 16 \b, Has Working directory >20 lelong&32 32 \b, Has command line arguments >20 lelong&64 64 \b, Icon +# IconIndex >>56 lelong x \b number=%d +# IsUnicode; If set then StringData section contains Unicode-encoded strings +>20 lelong&128 128 \b, Unicoded +# ForceNoLinkInfo; LinkInfo structure is ignored +>20 lelong&256 256 \b, NoLinkInfo +# HasExpString; with an EnvironmentVariableDataBlock +>20 lelong&512 512 \b, HasEnvironment +# look for BlockSize 314h and EnvironmentVariableDataBlock BlockSignature A0000001h +>>76 search/1972 \x14\x03\x00\x00\x01\x00\x00\xa0 +# TargetAnsi (260 bytes); NULL-terminated path to environment variable encoded with system default code page +#>>>&0 string x '%s' +# TargetUnicode (520 bytes): optional NULL-terminated path to same environment variable Unicode encoded +# like: "%windir%\system32\calc.exe" +>>>&260 lestring16 x "%s" +# RunInSeparateProcess; run in a separate virtual machine when launching a 16-bit application; no examples found +>20 lelong&1024 1024 \b, RunInSeparateProcess +# Unused1; undefined and MUST be ignored +#>20 lelong&2048 2048 \b, Unused1 +# HasDarwinID; with a DarwinDataBlock +>20 lelong&4096 4096 \b, HasDarwinID +# look for BlockSize 314h and DarwinDataBlock BlockSignature A0000006h +>>76 search/1972 \x14\x03\x00\x00\x06\x00\x00\xa0 +# DarwinDataAnsi (260 bytes); NULL-terminated application identifier encoded with system default code page; SHOULD be ignored +#>>>&0 string x '%s' +# DarwinDataUnicode (520 bytes); NULL-terminated application identifier Unicode encoded +>>>&260 lestring16 x "%s" +# RunAsUser; target application is run as a different user +>20 lelong&8192 8192 \b, RunAsUser +# HasExpIcon; with an IconEnvironmentDataBlock +>20 lelong&16384 16384 \b, HasExpIcon +# look for BlockSize 314h and IconEnvironmentDataBlock BlockSignature A0000007h +>>76 search/1972 \x14\x03\x00\x00\x07\x00\x00\xa0 +# TargetAnsi (260 bytes); 
NULL-terminated path to environment icon variable encoded with system default code page +#>>>&0 string x '%s' +# TargetUnicode (520 bytes); optional NULL-terminated path to same icon environment variable Unicode encoded +# like: "%SystemDrive%\Program Files\YaCy\addon\YaCy.ico" +>>>&260 lestring16 x "%s" +# NoPidlAlias; represented in the shell namespace; no examples found +>20 lelong&32768 32768 \b, NoPidlAlias +# Unused2; undefined and MUST be ignored +#>20 lelong&65536 65536 \b, Unused2 +# RunWithShimLayer; with a ShimDataBlock; no examples found +>20 lelong&131072 131072 \b, RunWithShimLayer +# ForceNoLinkTrack; TrackerDataBlock is ignored; no examples found +>20 lelong&262144 262144 \b, ForceNoLinkTrack +>20 lelong&262144 0 +# look for BlockSize 60h, TrackerDataBlock BlockSignature A0000003h, it length 58h and Version 0 +>>76 search/1972 \x60\x00\x00\x00\x03\x00\x00\xa0\x58\x00\x00\x00\0\0\0\0 +# MachineID (16 bytes); a NULL-terminated NetBIOS name encoded with system default code page of the machine +>>>&0 string x \b, MachineID %0.16s +# Droid (32 bytes) +# +# DroidBirth (32 bytes) +# +# EnableTargetMetadata; collect target properties and store in PropertyStoreDataBlock +>20 lelong&524288 524288 \b, EnableTargetMetadata +# look for BlockSize >= Ch, PropertyStoreDataBlock BlockSignature A0000009h +#>>76 search/1972 \x00\x00\x09\x00\x00\xa0 +# PropertyStore (variable) +# +# DisableLinkPathTracking; EnvironmentVariableDataBlock is ignored; no examples found +>20 lelong&1048576 1048576 \b, DisableLinkPathTracking +# DisableKnownFolderTracking; SpecialFolderDataBlock and KnownFolderDataBlock are ignored and not saved +>20 lelong&2097152 2097152 \b, DisableKnownFolderTracking +>20 lelong&2097152 0 +# look for BlockSize 1Ch and KnownFolderDataBlock BlockSignature A000000Bh +>>76 search/1972 \x1c\x00\x00\x00\x0B\x00\x00\xa0 +# https://learn.microsoft.com/en-us/dotnet/desktop/winforms/controls/known-folder-guids-for-file-dialog-custom-places +# KnownFolderID 
specifies the folder GUID ID +# ProgramFiles 905E63B6-C1BF-494E-B29C-65B732D3D21A +# ProgramFilesX86 7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E +>>>&0 guid x KnownFolderID %s +# DisableKnownFolderAlias; unaliased form of the known folder IDList SHOULD be used; no examples found +>20 lelong&4194304 4194304 \b, DisableKnownFolderAlias +# AllowLinkToLink; link that references another link is enabled; no examples found +>20 lelong&8388608 8388608 \b, AllowLinkToLink +# UnaliasOnSave; unaliased form of that known folder or the target IDList SHOULD be used; no examples found +>20 lelong&16777216 16777216 \b, UnaliasOnSave +# PreferEnvironmentPath; path specified in the EnvironmentVariableDataBlock SHOULD be used +>20 lelong&33554432 33554432 \b, PreferEnvironmentPath +# KeepLocalIDListForUNCTarget; UNC name SHOULD be stored in local path IDList in PropertyStoreDataBlock; no examples found +>20 lelong&67108864 67108864 \b, KeepLocalIDListForUNCTarget +# FileAttributes >24 lelong&1 1 \b, Read-Only >24 lelong&2 2 \b, Hidden >24 lelong&4 4 \b, System ->24 lelong&8 8 \b, Volume Label +# Reserved1; MUST be zero +>24 lelong&8 8 \b, Reserved1 >24 lelong&16 16 \b, Directory >24 lelong&32 32 \b, Archive ->24 lelong&64 64 \b, Encrypted +# Reserved2; MUST be zero +>24 lelong&64 64 \b, Reserved2 >24 lelong&128 128 \b, Normal >24 lelong&256 256 \b, Temporary +# no examples found >24 lelong&512 512 \b, Sparse +# no examples found >24 lelong&1024 1024 \b, Reparse point >24 lelong&2048 2048 \b, Compressed >24 lelong&4096 4096 \b, Offline ->28 leqwdate x \b, ctime=%s ->36 leqwdate x \b, mtime=%s ->44 leqwdate x \b, atime=%s +# FILE_ATTRIBUTE_NOT_CONTENT_INDEXED; contents need to be indexed +>24 lelong&8192 8192 \b, NeedIndexed +# FILE_ATTRIBUTE_ENCRYPTED; file or directory is encrypted +>24 lelong&16384 16384 \b, Encrypted +# value zero means there is no time set on the target +>28 leqwdate !0 \b, ctime=%s +# Access time of target in UTC +>36 leqwdate !0 \b, atime=%s +# write time of target in 
UTC +>44 leqwdate !0 \b, mtime=%s +# FileSize; 32 bit size of target in bytes >52 lelong x \b, length=%u, window= ->60 lelong&1 1 \bhide ->60 lelong&2 2 \bnormal ->60 lelong&4 4 \bshowminimized ->60 lelong&8 8 \bshowmaximized ->60 lelong&16 16 \bshownoactivate ->60 lelong&32 32 \bminimize ->60 lelong&64 64 \bshowminnoactive ->60 lelong&128 128 \bshowna ->60 lelong&256 256 \brestore ->60 lelong&512 512 \bshowdefault -#>20 lelong&1 0 -#>>20 lelong&2 2 -#>>>(72.l-64) pstring/h x \b [%s] -#>20 lelong&1 1 -#>>20 lelong&2 2 -#>>>(72.s) leshort x -#>>>&75 pstring/h x \b [%s] +# ShowCommand; 1~SW_SHOWNORMAL 3~SW_SHOWMAXIMIZED HerzlichMEDION.lnk 7~SW_SHOWMINNOACTIVE YaCy.lnk Privoxy.lnk; All other values like 2 MUST be treated as SW_SHOWNORMAL +#>60 lelong x ShowCommand=%#x +>60 lelong x +>>60 lelong 3 \bshowmaximized +>>60 lelong 7 \bshowminnoactive +>>60 default x \bnormal +# Hotkey +>64 uleshort >0 \b, hot key +# 41h~A 42h~B ... +>>64 ubyte x %c +# modifier keys: 0x01~HOTKEYF_SHIFT 0x02~HOTKEYF_CONTROL 0x04~HOTKEYF_ALT +>>65 ubyte&1 1 \b+SHIFT +>>65 ubyte&2 2 \b+CONTROL +>>65 ubyte&4 4 \b+ALT +# Reserved; MUST be zero +#>66 uleshort !0 \b, reserved %#x +# Reserved2; MUST be zero +#>68 ulelong !0 \b, reserved2 %#x +# Reserved3; MUST be zero +#>72 ulelong !0 \b, reserved3 %#x +# optional LINKTARGET_IDLIST if LinkFlags bit HasLinkTargetIDList is set +>20 lelong&1 1 +# IDListSize; size of IDList +>>76 uleshort x \b, IDListSize %#4.4x +# 1st item +>>78 use lnk-item +# 2nd possible item +>>(78.s+78) uleshort >0 +>>>(78.s+78) use lnk-item +# 3rd possible item +>>>&(&-2.s-2) uleshort >0 +>>>>&-2 use lnk-item +# 4th possible item +>>>>&(&-2.s-2) uleshort >0 +>>>>>&-2 use lnk-item +# Because HasLinkInfo is set, a LinkInfo structure follows +>20 lelong&2 2 +# if no LINKTARGET_IDLIST (no HasLinkTargetIDList) then direct after header; no example found +>>20 lelong&1 =0 +>>>76 use lnk-info +# if LINKTARGET_IDLIST (HasLinkTargetIDList) then after LINKTARGET_IDLIST by addtional 
IDListSize bytes +>>20 lelong&1 =1 +>>>76 uleshort >0 +#>>>>(76.s+78) use lnk-info +>>>>(76.s+78) ubelong x +# move pointer to beginnig of LinkInfo structure +>>>>>&-8 ubelong x +#>>>>>>&16 ulelong x \b, LocalBasePathOffset=%#8.8x +>>>>>>&(&16.l) string x \b, LocalBasePath "%s" +# check and then display link item (size,data) +0 name lnk-item +# size value 0x0000 means TerminalID; indicates the end of the item IDs list +>0 uleshort >0 +#>>0 uleshort x \b, ItemIDSize %#4.4x +# item Data +#>>2 ubequad x \b, Item data=%#16.16llx +#>>2 ubyte x \b, Item type=%#x +>>2 ubyte =0x1f \b, Root folder +# like: "26EE0668-A00A-44D7-9371-BEB064C98683" Control Panel +# "20D04FE0-3AEA-1069-A2D8-08002B30309D" My Computer +# "871C5380-42A0-1069-A2EA-08002B30309D" Internet Explorer +>>>4 guid x "%s" +>>2 ubyte =0x2f \b, Volume +# like: "C:\" "D:\" +>>>3 string x "%s" +# Control panel category +#>>2 ubyte foo \b, Control panel category +# display LinkInfo structure (size,flags,offsets) +0 name lnk-info +# LinkInfoSize; size of the LinkInfo structure +>0 ulelong x \b, LinkInfoSize %#x +# LinkInfoHeaderSize; if 1C no optional fields; >=24 optional fields are specified +>4 ulelong x \b, LinkInfoHeaderSize %#x +# LinkInfoFlags; +#>8 ulelong x \b, LinkInfoFlags=%#x +>8 ulelong&1 1 \b, VolumeIDAndLocalBasePath +# VolumeIDOffset; location of the VolumeID field (VolumeIDSize DriveType DriveSerialNumber VolumeLabelOffset ... 
) inside LinkInfo structure +>>12 ulelong x \b, VolumeIDOffset %#x +# LocalBasePathOffset; location of LocalBasePath field like "C:\test\a.txt" inside LinkInfo structure +>>16 ulelong x \b, LocalBasePathOffset %#x +# LocalBasePathOffsetUnicode; location of the LocalBasePathUnicode field inside LinkInfo structure +>>4 ulelong >23 +>>>28 ulelong x \b, LocalBasePathOffsetUnicode %#x +>8 ulelong&2 2 \b, CommonNetworkRelativeLinkAndPathSuffix +# CommonNetworkRelativeLinkOffset; location of the CommonNetworkRelativeLink field inside LinkInfo structure +>>20 ulelong x \b, CommonNetworkRelativeLinkOffset %#x +# CommonPathSuffixOffset; location of CommonPathSuffix field +>24 ulelong x \b, CommonPathSuffixOffset %#x +# CommonPathSuffixOffsetUnicode; location of CommonPathSuffixUnicode field inside LinkInfo structure +>4 ulelong >23 +>>32 ulelong x \b, CommonPathSuffixOffsetUnicode %#x # Summary: Outlook Personal Folders # Created by: unknown @@ -752,6 +1109,27 @@ # like: 12510866.CPX !:ext cpx # From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/File_Explorer +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/scf-exp.trid.xml,scf-exp-old.trid.xml +# Note: called "Windows Explorer Command Shell File" by TrID and "File Explorer Command" by Windows via SHCmdFile +>>&0 regex/c \^Shell]\r\n Windows Explorer Shell Command File +#!:mime text/plain +!:mime text/x-ms-scf +# like: channels.scf desktop.scf explorer.scf "Desktop anzeigen.scf" +!:ext scf +# look for icon file directive maybe pointing to malicious file +>>>1 search/128 IconFile= \b, icon +>>>>&0 string x "%s" +# From: Joerg Jenderek +# URL: http://en.wikipedia.org/wiki/VIA_Technologies +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/scf-via.trid.xml +# Note: called "VIA setup configuration file" by TrID +>>&0 regex/c \^SCF]\r\n VIA setup configuration +#!:mime text/plain +!:mime text/x-via-scf +# like: SETUP.SCF +!:ext scf +# 
From: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/InstallShield # Reference: http://mark0.net/download/triddefs_xml.7z/defs/l/lid-is.trid.xml # Note: contain also 3 keywords like: count Default key0 @@ -770,6 +1148,23 @@ !:mime text/x-ms-tag # like: DATA.TAG !:ext tag +# URL: https://en.wikipedia.org/wiki/Flatpak +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/f/flatpakref.trid.xml +# Note: called "Flatpack Reference" by TrID +>>&0 string Flatpak\ Ref] Flatpak repository reference +#!:mime text/plain +# https://reposcope.com/mimetype/application/vnd.flatpak.ref +!:mime application/vnd.flatpak.ref +!:ext flatpakref +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/CloneCD +# Reference: https://en.wikipedia.org/wiki/CloneCD_Control_File +# http://mark0.net/download/triddefs_xml.7z/defs/c/cdimage-clonecd-cue.trid.xml +# Note: called "CloneCD CDImage (description)" by TrID and "CloneCD Control File" by DROID via PUID fmt/1760 +>>&0 string CloneCD] CloneCD CD-image Description +#!:mime text/plain +!:mime text/x-ccd +!:ext ccd # unknown keyword after opening bracket >>&0 default x #>>>&0 string/c x UNKNOWN [%s @@ -779,6 +1174,12 @@ >>>>&0 string/c version Windows setup INFormation !:mime application/x-setupscript !:ext inf +# From: Joerg Jenderek +# URL: https://cdrtfe.sourceforge.io/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cfp-cdrtfe.trid.xml +>>>>&0 string FileExplorer] cdrtfe Project +!:mime text/x-cfp +!:ext cfp # https://en.wikipedia.org/wiki/Initialization_file Windows Initialization File or other >>>>&0 default x >>>>>&0 ubyte x 
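Review bot: In the `@@ -752,6 +1109,27 @@` hunk, the `>>>1 search/128 IconFile=` line only inspects the first 129 bytes, so an `IconFile=` directive placed later in the .scf is silently not reported, and nothing in the entry says so. Someone triaging shortcuts with file(1) could read a missing "icon" field as "no icon directive". I would state the limit next to the test, for example `# only the first 129 bytes are searched; a missing "icon" field does not prove that IconFile= is absent`, and spell out in the existing comment that the concern is an icon path on a remote share rather than a "malicious file" in general. The `>>&0` tests are children of an entry that starts outside this hunk.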
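Review bot: In the `@@ -770,6 +1148,23 @@` hunk, the description printed for `Flatpak\ Ref]` is "Flatpak repository reference", which is likely wrong for this section name. The `[Flatpak Ref]` group and the `application/vnd.flatpak.ref` type set two lines below belong, as far as I know, to a .flatpakref file that points at one application or runtime. Repository definitions are a separate .flatpakrepo format with its own group name. Something like `>>&0 string Flatpak\ Ref] Flatpak application reference` would keep the output in line with the MIME type and extension. The parent test of these `>>&0` lines is outside the hunk.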
@@ -790,6 +1191,10 @@ !:mime application/x-wine-extension-ini #!:mime text/plain !:ext ini/inf +# samples with only 1 and unknown section name +# XXX: matches a file containing '[1] 2' +#>>>&0 default x Generic INItialization configuration +#>>>>0 string x \b, 1st line "%s" # UTF-16 BOM 0 ubeshort =0xFFFE # look for phrase of Windows policy ADMinistrative template (UTF-16 by adm-uni.trid.xml) @@ -871,21 +1276,24 @@ >>>2 uleshort <3 # look for colon in WinDirPath after PNF header #>>>>0x59 search/18 : ->>>>0 use PreCompiledInf +# skip few Adobe Photoshop Color swatch ("Mac OS.aco" TRUMATCH-Farben.aco Windows.aco) and some +# Targa image (money-256.tga XING_B_UCM8.tga x-fmt-367-signature-id-604.tga) with "invalid low section name" \0 +>>>>(20.l) ubelong >0x40004000 +>>>>>0 use PreCompiledInf 0 name PreCompiledInf >0 uleshort x Windows Precompiled iNF !:mime application/x-pnf !:ext pnf # major version 1 for older Windows like XP and 3 since about Windows Vista -# 101h~98-XP; 301h~Windows Vista-7 ; 302h~Windows 10 14393; 303h~Windows 10 18362 +# 101h~95-XP; 301h~Windows Vista-7 ; 302h~Windows 10 14393; 303h~Windows 10 18362-Windows11 >1 ubyte x \b, version %u >0 ubyte x \b.%u >0 uleshort =0x0101 (Windows ->>4 ulelong&0x00000001 !0x00000001 98) +>>4 ulelong&0x00000001 !0x00000001 95-98) >>4 ulelong&0x00000001 =0x00000001 XP) >0 uleshort =0x0301 (Windows Vista-8.1) >0 uleshort =0x0302 (Windows 10 older) ->0 uleshort =0x0303 (Windows 10) +>0 uleshort =0x0303 (Windows 10-11) # 1 ,2 (windows 98 SE) >2 uleshort !2 \b, InfStyle %u # PNF_FLAG_IS_UNICODE 0x00000001 @@ -927,7 +1335,7 @@ >>(20.l) string x "%s" # FILETIME is number of 100-nanosecond intervals since 1 January 1601 #>24 ulequad x \b, InfVersionLastWriteTime %16.16llx -#>24 foodate-0xbar x \b, InfVersionLastWriteTime %s +>24 qwdate x \b, InfVersionLastWriteTime %s # for Windows 98, XP >0 uleshort <0x0102 # only found values lower 0x00ffFFff 
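Review bot: In the `@@ -871,21 +1276,24 @@` hunk, the new guard `>>>>(20.l) ubelong >0x40004000` uses a constant whose meaning is not documented. The comment lists the files it is meant to exclude but not what the value encodes. Reading the four bytes big-endian, the test seems to require that the string at the offset stored at 20 starts with a byte above 0x40, which a drive-letter path passes in both ASCII and UTF-16LE; please confirm that is the intent. A short comment such as `# first bytes of the path at (20.l) must look like a drive letter, e.g. "C:" or "C\0:\0"` would let the next maintainer adjust the threshold safely.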
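Review bot: In the `@@ -927,7 +1335,7 @@` hunk, the newly enabled `>24 qwdate x` reads the FILETIME in host byte order, so a big-endian machine would print a wrong InfVersionLastWriteTime. Every other field of this entry is read little-endian (`uleshort`, `ulelong`, and the commented `#>24 ulequad x` directly above), and the LNK entry in the same file uses `leqwdate` for the same kind of timestamp. I would write `>24 leqwdate x \b, InfVersionLastWriteTime %s`. The enclosing `PreCompiledInf` entry starts and continues outside this hunk.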
@@ -965,6 +1373,7 @@ >>>>>(72.l) string x OsLoaderPath "%s" # 1fdh #>>>76 uleshort x \b, StringTableHashBucketCount %#x +# https://docs.microsoft.com/en-us/openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a # only 407h found >>>78 uleshort !0x409 \b, LanguageID %x #>>>78 uleshort =0x409 \b, LanguageID %x @@ -1342,7 +1751,7 @@ # 5000010021083f00 50000100b0335600 50000100cbfdf800 50000100dfbc4700 #>4 ubequad x \b, at 4 %#16.16llx # copyright text like: "Stirling Technologies, Inc. (c) 1990-1994" -# "InstallSHIELD Software Coporation (c) 1990-1997" +# "InstallSHIELD Software Corporation (c) 1990-1997" >13 pstring/h x "%s" # look for specific ASCII variable names >1 search/0x121/s SRCDIR \b, variable names: @@ -1370,3 +1779,44 @@ # ... LOGHANDLE >0 ubelong x ... # + +# Summary: Microsoft Remote Desktop Protocol connection +# From: Joerg Jenderek +# URL: https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/rdp-files +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/r/rdp.trid.xml +# Note: called "Remote Desktop Connection Settings" by TrID +0 string screen\040mode\040id:i: Remote Desktop Protocol connection +#!:mime text/plain +!:mime text/x-ms-rdp +!:ext rdp +# Screen mode: 1~session appear in a window 2~session appear full screen +>17 string 1 \b, window mode +>17 string 2 \b, full screen mode + +0 guid 7B5C52E4-D88C-4DA7-AEB1-5378D02996D3 Microsoft OneNote +!:ext one +!:mime application/onenote +0 guid 43FF2FA1-EFD9-4C76-9EE2-10EA5722765F Microsoft OneNote Revision Store File + +# Microsoft XAML Binary Format +# 
From: Alexandre Iooss <erdnaxe@crans.org> +# URL: https://github.com/WalkingCat/XbfDump/blob/8832d2ffcaa738434d803fefa2ba99d3af37ed29/xbf_data.h +0 string XBF\0 +>12 ulelong <0xFF +>>16 ulelong <0xFF Microsoft XAML Binary Format +!:ext xbf +>>>12 ulelong x %d +>>>16 ulelong x \b.%d +>>>4 ulelong x \b, metadata size: %d bytes +>>>8 ulelong x \b, node size: %d bytes + +# Metaswitch MetaView Service Assurance Server exports +0 string MetaView\x20Service\x20Assurance\x20Export\x20File MetaView SAS export +>39 string Version\x20 +>>47 byte x \b, version %c + +# Active Directory Group Policy Registry Policy File Format +# From: Yuuta Liang <yuuta@yuuta.moe> +# URL: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/policy/registry-policy-file-format +0 string PReg +>4 lelong x Group Policy Registry Policy, Version=%d diff --git a/magic/Magdir/wordprocessors b/magic/Magdir/wordprocessors index 73a9dd9adef4..3a2e1ceaa8ca 100644 --- a/magic/Magdir/wordprocessors +++ b/magic/Magdir/wordprocessors @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: wordprocessors,v 1.31 2022/08/31 08:00:53 christos Exp $ +# $File: wordprocessors,v 1.34 2023/01/24 20:13:40 christos Exp $ # wordprocessors: file(1) magic fo word processors. # ####### PWP file format used on Smith Corona Personal Word Processors: 
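Review bot: In the `@@ -1370,3 +1779,44 @@` hunk, the Group Policy entry matches on the four ASCII bytes `PReg` alone, because the continuation `>4 lelong x` accepts any value. Any file that happens to start with those letters is therefore reported as a registry policy file with an arbitrary "Version". The linked format description defines, as far as I recall, a single version value of 1, so testing it would make the signature eight bytes long: `>4 lelong 1 Group Policy Registry Policy, Version=%d`. If other versions are expected, a small upper bound on the field would still remove most accidental matches.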
@@ -288,7 +288,65 @@ >>9 default x >>>9 byte x Corel WordPerfect Office: Unknown filetype %d # Corel DrawPerfect +# URL: http://fileformats.archiveteam.org/wiki/Corel_Presentations +# Update: Joerg Jenderek >8 byte 15 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/shw-wp-2.trid.xml +# Note: called "WordPerfect Presentations (v2)" by TrID and +# "Corel Presentation" with version "7-8-9" by DROID via PUID fmt/877 +>>9 byte 10 WordPerfect Presentation +#!:mime application/octet-stream +#!:mime application/vnd.wordperfect +!:mime application/x-drawperfect-shw +# like: BENEFITS.SHW chartbar.shw chartbul.shw chartgal.shw chartorg.shw fig-demo.shw figurgal.shw mastrgal.shw scuba.shw tutorial.shw +!:ext shw +# pointer to document area like: 10h +>>>4 ulelong !0x10 \b, at %#x document area +# according to TrID this is nil +>>>12 ulelong !0 \b, at 0xC %#x +# search for embedded WP file like in tutorial.shw +#>>>16 search/638/sb \xffWPC WPC_MAGIC_FOUND +# GRR: indirect call leads to recursion! WHY? +#>>>>&0 indirect x \b; contains +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/s/shw-wp-3.trid.xml +# Note: called "WordPerfect/Corel Presentations (v3)" by TrID and +# "Corel Presentation" with version "3" by DROID via PUID fmt/878 +>>9 byte 15 Corel Presentation +#!:mime application/octet-stream +#!:mime application/vnd.wordperfect +!:mime application/x-drawperfect-shw +# like: FIG_ANIM.SHW presenta.shw +!:ext shw +# pointer to document area like: 1ah +>>>4 ulelong !0x1a \b, at %#x document area +# according to TrID this is nil +>>>12 ulelong !0 \b, at 0xC %#x +# reserved like: 3 +>>>16 ulelong !0x3 \b, at 0x10 %#x +# file size, not including pad characters at EOF +>>>0x14 ulelong x \b, %u bytes +# search for embedded WP file like in foo +#>>>24 search/638/sb \xffWPC WPC_MAGIC_FOUND +# GRR: indirect call leads to recursion! WHY? 
+#>>>>&0 indirect x \b; contains +# embedded inside Compound Document variant handled by ./ole2compounddocs +>>9 byte 16 Corel Presentation (embeded) +#!:mime application/octet-stream +#!:mime application/vnd.wordperfect +!:mime application/x-corelpresentations +# like: PerfectOffice_MAIN +!:ext / +# pointer to document area like: 1ah +>>>4 ulelong !0x1a \b, at %#x document area +>>>12 ulelong !0 \b, at 0xC %#x +# reserved like: 3 +>>>16 ulelong !0x3 \b, at 0x10 %#x +# file size, not including pad characters at EOF +>>>0x14 ulelong x \b, %u bytes +# search for embedded WP file +#>>>24 search/638/sb \xffWPC WPC_MAGIC_FOUND +# GRR: indirect call leads to recursion! WHY? +#>>>>&0 indirect x \b; contains >>9 default x >>>9 byte x Corel DrawPerfect: Unknown filetype %d # Corel LetterPerfect @@ -378,11 +436,17 @@ >>8 byte x Unknown Corel/Wordperfect product %d, >>>9 byte x file type %d >10 byte 0 \b, v5. +# version of WP file; 2.1~WP 8.0 +# major version of WP file like: 1 2 >10 byte !0 \b, v%d. +# minor version of WP file like: 0 1 >11 byte x \b%d -# Hangul (Korean) Word Processor File -0 string HWP\ Document\ File Hangul (Korean) Word Processor File 3.0 +# Hancom HWP (Hangul Word Processor) +# Hangul Word Processor 3.0 through 97 used HWP 3.0 format. +# URL: https://www.hancom.com/etc/hwpDownload.do +0 string HWP\ Document\ File Hancom HWP (Hangul Word Processor) file, version 3.0 +!:ext hwp # CosmicBook, from Benoit Rouits 0 string CSBK Ted Neslson's CosmicBook hypertext file @@ -430,7 +494,7 @@ >110 uleshort/256 =0 document # https://www.macdisk.com/macsigen.php !:apple ALB3ALD3 -# PT3 for template and no example for PageMaker document/publiction with PM3 extension +# PT3 for template and no example for PageMaker document/publication with PM3 extension !:ext pm3/pt3 >110 uleshort/256 =4 document !:apple ALD4ALB4 diff --git a/magic/Magdir/xenix b/magic/Magdir/xenix index 01d894ca9d98..fc8027b74687 100644 --- a/magic/Magdir/xenix +++ b/magic/Magdir/xenix 
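Review bot: In the `@@ -288,7 +288,65 @@` hunk, the description printed for `>>9 byte 16` is misspelled as "Corel Presentation (embeded)". This string is file(1) output that scripts and users match on, so the typo is better fixed now than after it has been released: `>>9 byte 16 Corel Presentation (embedded)`. The parent test above `>8 byte 15` is outside the hunk.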
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: xenix,v 1.14 2021/04/26 15:56:00 christos Exp $ +# $File: xenix,v 1.15 2022/10/19 20:15:16 christos Exp $ # xenix: file(1) magic for Microsoft Xenix # # "Middle model" stuff, and "Xenix 8086 relocatable or 80286 small @@ -28,20 +28,23 @@ # skip examples like Xtable.Data FRACTAL.GEN SHR.VIEW by looking for positive string length >>>3 ubyte >0 # skip examples like OMBRE.6 with "UUUUUU" name by looking for valid high second record type ->>>>(1.s+3) ubyte >0x6D 8086 relocatable (Microsoft) +>>>>(1.s+3) ubyte >0x6D +# skip few Atari DEGAS bitmap TPDEMO.PC2 RECIPE.PC2 with invalid "high" second record type FEh FFh +>>>>>(1.s+3) ubyte <0xF2 8086 relocatable (Microsoft) #!:mime application/octet-stream !:mime application/x-object !:ext obj/o/a # T-module name often source name like "hello.c" or "jmppm32.asm" in JMPPM32.OBJ or # "kbhit" in KBHITS.OBJ or "CAUSEWAY_KERNAL" in CWAPI.OBJ ->>>>>3 pstring x \b, "%s" +>>>>>>3 pstring x \b, "%s" # data length probably lower 256 according to TrID obj_omf.trid.xml ->>>>>1 uleshort x \b, 1st record data length %u +>>>>>>1 uleshort x \b, 1st record data length %u # checksum -#>>>>>(3.b+4) ubyte x \b, checksum %#2.2x +#>>>>>>(3.b+4) ubyte x \b, checksum %#2.2x # second recordtype: 96h~LNAMES 88h~COMENT 8CH~EXTDEF ->>>>>(1.s+3) ubyte x \b, 2nd record type %#x ->>>>>(1.s+4) uleshort x \b, 2nd record data length %u +# highest F1h~Library End Record +>>>>>>(1.s+3) ubyte x \b, 2nd record type %#x +>>>>>>(1.s+4) uleshort x \b, 2nd record data length %u 0 leshort 0xff65 x.out >2 string __.SYMDEF randomized >0 byte x archive @@ -100,3 +103,4 @@ >0x1e leshort &0x102 Huge Objects Enabled 0 leshort 0x580 XENIX 8086 relocatable or 80286 small model +# GRR: line above is too general as it catches also all 8086 relocatable (Microsoft) with 1st record data length 5 C0M.OBJ C0T.OBJ C0S.OBJ 
diff --git a/magic/Magdir/xilinx b/magic/Magdir/xilinx index b5443cbfd278..fd1467813cbc 100644 --- a/magic/Magdir/xilinx +++ b/magic/Magdir/xilinx @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: xilinx,v 1.9 2021/04/26 15:56:00 christos Exp $ +# $File: xilinx,v 1.10 2022/12/18 14:59:32 christos Exp $ # This is Aaron's attempt at a MAGIC file for Xilinx .bit files. # Xilinx-Magic@RevRagnarok.com # Got the info from FPGA-FAQ 0026 @@ -38,3 +38,21 @@ # Raw bitstream files 0 long 0xffffffff >&0 belong 0xaa995566 Xilinx RAW bitstream (.BIN) + +# AXLF (xclbin) files used by AMD/Xilinx accelerators. +# The file format is defined by XRT source tree: +# https://github.com/Xilinx/XRT/blob/master/src/runtime_src/core/include/xclbin.h +# Display file size, creation date, accelerator shell name, xclbin uuid and +# number of sections. + +0 string xclbin2 AMD/Xilinx accelerator AXLF (xclbin) file +>0x130 lequad x \b, %lld bytes +>0x138 leqdate x \b, created %s +>0x160 string >0 \b, shell "%.64s" +>0x1a0 ubelong x \b, uuid %08x +>0x1a4 ubeshort x \b-%04x +>0x1a6 ubeshort x \b-%04x +>0x1a8 ubeshort x \b-%04x +>0x1aa ubelong x \b-%08x +>0x1ae ubeshort x \b%04x +>0x1c0 lelong x \b, %d sections
\ No newline at end of file |
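Review bot: In the `@@ -38,3 +38,21 @@` hunk, the AXLF length and section count are read and printed as signed values, via `>0x130 lequad x \b, %lld bytes` and `>0x1c0 lelong x \b, %d sections`. Both fields come straight from the file, so a header with the top bit set would be shown as a negative size or a negative number of sections. The unsigned forms avoid that: `>0x130 ulequad x \b, %llu bytes` and `>0x1c0 ulelong x \b, %u sections`. The referenced xclbin.h should confirm that both fields are unsigned; I could not check it from this page.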