# XMagic # XMagic (transitional) data for FTimes. # Based on file-4.17 magic. #------------------------------------------------------------------------------ # Localstuff: file(1) magic for locally observed files # # $Id: Localstuff,v 1.4 2003/03/23 04:17:27 christos Exp $ # Add any locally observed files here. Remember: # text if readable, executable if runnable binary, data if unreadable. #------------------------------------------------------------------------------ # acorn: file(1) magic for files found on Acorn systems # # RISC OS Chunk File Format # From RISC OS Programmer's Reference Manual, Appendix D # We guess the file type from the type of the first chunk. 0 lelong = 0xc3cbc6c5 RISC OS Chunk data >12 string = OBJ_ \b, AOF object >12 string = LIB_ \b, ALF library # RISC OS AIF, contains "SWI OS_Exit" at offset 16. 16 lelong = 0xef000011 RISC OS AIF executable # RISC OS Draw files # From RISC OS Programmer's Reference Manual, Appendix E 0 string = Draw RISC OS Draw file data # RISC OS new format font files # From RISC OS Programmer's Reference Manual, Appendix E 0 string = FONT\0 RISC OS outline font data, >5 byte x - version %d 0 string = FONT\1 RISC OS 1bpp font data, >5 byte x - version %d 0 string = FONT\4 RISC OS 4bpp font data >5 byte x - version %d # RISC OS Music files # From RISC OS Programmer's Reference Manual, Appendix E 0 string = Maestro\r RISC OS music file >8 byte x - version %d #------------------------------------------------------------------------------ # adi: file(1) magic for ADi's objects # From Gregory McGarry # 0 leshort = 0x521c COFF DSP21k >18 lelong & 02 executable, >18 lelong ^ 02 >>18 lelong & 01 static object, >>18 lelong ^ 01 relocatable object, >18 lelong & 010 stripped >18 lelong ^ 010 not stripped #------------------------------------------------------------------------------ # adventure: file(1) magic for Adventure game files # # from Allen Garvin # Edited by Dave Chapeskie Jun 28, 1998 # Edited by Chris Chittleborough , March 2002 # # ALAN # I assume there are other, lower versions, but these are the only ones I # saw in the archive. 0 beshort = 0x0206 ALAN game data >2 byte < 10 version 2.6%d # Infocom (see z-machine) #------------------------------------------------------------------------------ # Z-machine: file(1) magic for Z-machine binaries. # # This will match ${TEX_BASE}/texmf/omega/ocp/char2uni/inbig5.ocp which # appears to be a version-0 Z-machine binary. # # The (false match) message is to correct that behavior. Perhaps it is # not needed. # 16 belong&0xfe00f0f0 = 0x3030 Infocom game data >0 byte = 0 (false match) >0 byte > 0 (Z-machine %d, >>2 beshort x - Release %d / >>18 string > \0 Serial %.6s) #------------------------------------------------------------------------------ # Glulx: file(1) magic for Glulx binaries. # # I haven't checked for false matches yet. # 0 string = Glul Glulx game data >4 beshort x - (Version %d >>6 byte x - \b.%d >>8 byte x - \b.%d) >36 string = Info Compiled by Inform # For Quetzal and blorb magic see iff # TADS (Text Adventure Development System) # All files are machine-independent (games compile to byte-code) and are tagged # with a version string of the form "V2..\0" (but TADS 3 is # on the way). # Game files start with "TADS2 bin\n\r\032\0" then the compiler version. 0 string = TADS2\ bin TADS >9 belong != 0x0A0D1A00 game data, CORRUPTED >9 belong = 0x0A0D1A00 >>13 string > \0 %s game data # Resource files start with "TADS2 rsc\n\r\032\0" then the compiler version. 0 string = TADS2\ rsc TADS >9 belong != 0x0A0D1A00 resource data, CORRUPTED >9 belong = 0x0A0D1A00 >>13 string > \0 %s resource data # Some saved game files start with "TADS2 save/g\n\r\032\0", a little-endian # 2-byte length N, the N-char name of the game file *without* a NUL (darn!), # "TADS2 save\n\r\032\0" and the interpreter version. 0 string = TADS2\ save/g TADS >12 belong != 0x0A0D1A00 saved game data, CORRUPTED >12 belong = 0x0A0D1A00 >>(16.s+32) string > \0 %s saved game data # Other saved game files start with "TADS2 save\n\r\032\0" and the interpreter # version. 0 string = TADS2\ save TADS >10 belong != 0x0A0D1A00 saved game data, CORRUPTED >10 belong = 0x0A0D1A00 >>14 string > \0 %s saved game data #------------------------------------------------------------------------------ # allegro: file(1) magic for Allegro datafiles # Toby Deshane # 0 belong = 0x736C6821 Allegro datafile (packed) 0 belong = 0x736C682E Allegro datafile (not packed/autodetect) 0 belong = 0x736C682B Allegro datafile (appended exe data) #------------------------------------------------------------------------------ # alliant: file(1) magic for Alliant FX series a.out files # # If the FX series is the one that had a processor with a 68K-derived # instruction set, the "short" should probably become "beshort" and the # "long" should probably become "belong". # If it's the i860-based one, they should probably become either the # big-endian or little-endian versions, depending on the mode they ran # the 860 in.... # 0 short = 0420 0420 Alliant virtual executable >2 short & 0x0020 common library >16 long > 0 not stripped 0 short = 0421 0421 Alliant compact executable >2 short & 0x0020 common library >16 long > 0 not stripped #------------------------------------------------------------------------------ # alpha architecture description # 0 leshort = 0603 COFF format alpha >22 leshort&030000 != 020000 executable >24 leshort = 0410 pure >24 leshort = 0413 paged >22 leshort&020000 != 0 dynamically linked >16 lelong != 0 not stripped >16 lelong = 0 stripped >22 leshort&030000 = 020000 shared library >24 leshort = 0407 object >27 byte x - - version %d >26 byte x - .%d >28 byte x - -%d # Basic recognition of Digital UNIX core dumps - Mike Bremford # # The actual magic number is just "Core", followed by a 2-byte version # number; however, treating any file that begins with "Core" as a Digital # UNIX core dump file may produce too many false hits, so we include one # byte of the version number as well; DU 5.0 appears only to be up to # version 2. # 0 string = Core\001 Alpha COFF format core dump (Digital UNIX) >24 string > \0 \b, from '%s' 0 string = Core\002 Alpha COFF format core dump (Digital UNIX) >24 string > \0 \b, from '%s' #------------------------------------------------------------------------------ # amanda: file(1) magic for amanda file format # 0 string = AMANDA:\ AMANDA >8 string = TAPESTART\ DATE tape header file, >>23 string = X >>>25 string > \ Unused %s >>23 string > \ DATE %s >8 string = FILE\ dump file, >>13 string > \ DATE %s #------------------------------------------------------------------------------ # amigaos: file(1) magic for AmigaOS binary formats: # # From ignatios@cs.uni-bonn.de (Ignatios Souvatzis) # 0 belong = 0x000003fa AmigaOS shared library 0 belong = 0x000003f3 AmigaOS loadseg()ble executable/binary 0 belong = 0x000003e7 AmigaOS object/library data # 0 beshort = 0xe310 Amiga Workbench >2 beshort = 1 >>48 byte = 1 disk icon >>48 byte = 2 drawer icon >>48 byte = 3 tool icon >>48 byte = 4 project icon >>48 byte = 5 garbage icon >>48 byte = 6 device icon >>48 byte = 7 kickstart icon >>48 byte = 8 workbench application icon >2 beshort > 1 icon, vers. %d # # various sound formats from the Amiga # G=F6tz Waschk # 0 string = FC14 Future Composer 1.4 Module sound file 0 string = SMOD Future Composer 1.3 Module sound file 0 string = AON4artofnoise Art Of Noise Module sound file 1 string = MUGICIAN/SOFTEYES Mugician Module sound file 58 string = SIDMON\ II\ -\ THE Sidmon 2.0 Module sound file 0 string = Synth4.0 Synthesis Module sound file 0 string = ARP. The Holy Noise Module sound file 0 string = BeEp\0 JamCracker Module sound file 0 string = COSO\0 Hippel-COSO Module sound file # Too simple (short, pure ASCII, deep), MPi #26 string V.3 Brian Postma's Soundmon Module sound file v3 #26 string BPSM Brian Postma's Soundmon Module sound file v3 #26 string V.2 Brian Postma's Soundmon Module sound file v2 # The following are from: "Stefan A. Haubenthal" 0 beshort = 0x0f00 AmigaOS bitmap font 0 beshort = 0x0f03 AmigaOS outline font 0 belong = 0x80001001 AmigaOS outline tag 0 string = ##\ version catalog translation 0 string = EMOD\0 Amiga E module 8 string = ECXM\0 ECX module 0 regexp =~ (?i)(@database) AmigaGuide file # Amiga disk types # 0 string = RDSK Rigid Disk Block >160 string x - on %.24s 0 string = DOS\0 Amiga DOS disk 0 string = DOS\1 Amiga FFS disk 0 string = DOS\2 Amiga Inter DOS disk 0 string = DOS\3 Amiga Inter FFS disk 0 string = DOS\4 Amiga Fastdir DOS disk 0 string = DOS\5 Amiga Fastdir FFS disk 0 string = KICK Kickstart disk # From: Alex Beregszaszi 0 string = LZX LZX compressed archive (Amiga) #------------------------------------------------------------------------------ # animation: file(1) magic for animation/movie formats # # animation formats # MPEG, FLI, DL originally from vax@ccwf.cc.utexas.edu (VaX#n8) # FLC, SGI, Apple originally from Daniel Quinlan (quinlan@yggdrasil.com) # SGI and Apple formats 0 string = MOVI Silicon Graphics movie file 4 string = moov Apple QuickTime >12 string = mvhd \b movie (fast start) >12 string = mdra \b URL >12 string = cmov \b movie (fast start, compressed header) >12 string = rmra \b multiple URLs 4 string = mdat Apple QuickTime movie (unoptimized) 4 string = wide Apple QuickTime movie (unoptimized) 4 string = skip Apple QuickTime movie (modified) 4 string = free Apple QuickTime movie (modified) 4 string = idsc Apple QuickTime image (fast start) 4 string = idat Apple QuickTime image (unoptimized) 4 string = pckg Apple QuickTime compressed archive #FIXME FTimes -- The '/B' is not supported, but it's not required for # the test to work because any spaces are tacked on to # the end of the subject string. #4 string/B = jP JPEG 2000 image 4 string = jP JPEG 2000 image 4 string = ftyp ISO Media >8 string = isom \b, MPEG v4 system, version 1 >8 string = iso2 \b, MPEG v4 system, part 12 revision >8 string = mp41 \b, MPEG v4 system, version 1 >8 string = mp42 \b, MPEG v4 system, version 2 >8 string = mp7t \b, MPEG v4 system, MPEG v7 XML >8 string = mp7b \b, MPEG v4 system, MPEG v7 binary XML #FIXME FTimes -- The '/B' is not supported, but it's not required for # the test to work because any spaces are tacked on to # the end of the subject string. #>8 string/B = jp2 \b, JPEG 2000 >8 string = jp2 \b, JPEG 2000 >8 string = 3gp \b, MPEG v4 system, 3GPP >>11 byte = 4 \b v4 (H.263/AMR GSM 6.10) >>11 byte = 5 \b v5 (H.263/AMR GSM 6.10) >>11 byte = 6 \b v6 (ITU H.264/AMR GSM 6.10) >8 string = mmp4 \b, MPEG v4 system, 3GPP Mobile >8 string = avc1 \b, MPEG v4 system, 3GPP JVT AVC #FIXME FTimes -- The '/B' is not supported, but it's not required for # the test to work because any spaces are tacked on to # the end of the subject string. #>8 string/B = M4A \b, MPEG v4 system, iTunes AAC-LC #>8 string/B = M4P \b, MPEG v4 system, iTunes AES encrypted #>8 string/B = M4B \b, MPEG v4 system, iTunes bookmarked #>8 string/B = qt \b, Apple QuickTime movie >8 string = M4A \b, MPEG v4 system, iTunes AAC-LC >8 string = M4P \b, MPEG v4 system, iTunes AES encrypted >8 string = M4B \b, MPEG v4 system, iTunes bookmarked >8 string = qt \b, Apple QuickTime movie # MPEG sequences # Scans for all common MPEG header start codes 0 belong = 0x00000001 JVT NAL sequence >4 byte&0x1F = 0x07 \b, H.264 video >>5 byte = 66 \b, baseline >>5 byte = 77 \b, main >>5 byte = 88 \b, extended >>7 byte x - \b @ L %u 0 belong&0xFFFFFF00 = 0x00000100 MPEG sequence >3 byte = 0xBA >>4 byte & 0x40 \b, v2, program multiplex >>4 byte ^ 0x40 \b, v1, system multiplex >3 byte = 0xBB \b, v1/2, multiplex (missing pack header) >3 byte&0x1F = 0x07 \b, H.264 video >>4 byte = 66 \b, baseline >>4 byte = 77 \b, main >>4 byte = 88 \b, extended >>6 byte x - \b @ L %u >3 byte = 0xB0 \b, v4 >>5 belong = 0x000001B5 >>>9 byte & 0x80 >>>>10 byte&0xF0 = 16 \b, video >>>>10 byte&0xF0 = 32 \b, still texture >>>>10 byte&0xF0 = 48 \b, mesh >>>>10 byte&0xF0 = 64 \b, face >>>9 byte&0xF8 = 8 \b, video >>>9 byte&0xF8 = 16 \b, still texture >>>9 byte&0xF8 = 24 \b, mesh >>>9 byte&0xF8 = 32 \b, face >>4 byte = 1 \b, simple @ L1 >>4 byte = 2 \b, simple @ L2 >>4 byte = 3 \b, simple @ L3 >>4 byte = 4 \b, simple @ L0 >>4 byte = 17 \b, simple scalable @ L1 >>4 byte = 18 \b, simple scalable @ L2 >>4 byte = 33 \b, core @ L1 >>4 byte = 34 \b, core @ L2 >>4 byte = 50 \b, main @ L2 >>4 byte = 51 \b, main @ L3 >>4 byte = 53 \b, main @ L4 >>4 byte = 66 \b, n-bit @ L2 >>4 byte = 81 \b, scalable texture @ L1 >>4 byte = 97 \b, simple face animation @ L1 >>4 byte = 98 \b, simple face animation @ L2 >>4 byte = 99 \b, simple face basic animation @ L1 >>4 byte = 100 \b, simple face basic animation @ L2 >>4 byte = 113 \b, basic animation text @ L1 >>4 byte = 114 \b, basic animation text @ L2 >>4 byte = 129 \b, hybrid @ L1 >>4 byte = 130 \b, hybrid @ L2 >>4 byte = 145 \b, advanced RT simple @ L! >>4 byte = 146 \b, advanced RT simple @ L2 >>4 byte = 147 \b, advanced RT simple @ L3 >>4 byte = 148 \b, advanced RT simple @ L4 >>4 byte = 161 \b, core scalable @ L1 >>4 byte = 162 \b, core scalable @ L2 >>4 byte = 163 \b, core scalable @ L3 >>4 byte = 177 \b, advanced coding efficiency @ L1 >>4 byte = 178 \b, advanced coding efficiency @ L2 >>4 byte = 179 \b, advanced coding efficiency @ L3 >>4 byte = 180 \b, advanced coding efficiency @ L4 >>4 byte = 193 \b, advanced core @ L1 >>4 byte = 194 \b, advanced core @ L2 >>4 byte = 209 \b, advanced scalable texture @ L1 >>4 byte = 210 \b, advanced scalable texture @ L2 >>4 byte = 211 \b, advanced scalable texture @ L3 >>4 byte = 225 \b, simple studio @ L1 >>4 byte = 226 \b, simple studio @ L2 >>4 byte = 227 \b, simple studio @ L3 >>4 byte = 228 \b, simple studio @ L4 >>4 byte = 229 \b, core studio @ L1 >>4 byte = 230 \b, core studio @ L2 >>4 byte = 231 \b, core studio @ L3 >>4 byte = 232 \b, core studio @ L4 >>4 byte = 240 \b, advanced simple @ L0 >>4 byte = 241 \b, advanced simple @ L1 >>4 byte = 242 \b, advanced simple @ L2 >>4 byte = 243 \b, advanced simple @ L3 >>4 byte = 244 \b, advanced simple @ L4 >>4 byte = 245 \b, advanced simple @ L5 >>4 byte = 247 \b, advanced simple @ L3b >>4 byte = 248 \b, FGS @ L0 >>4 byte = 249 \b, FGS @ L1 >>4 byte = 250 \b, FGS @ L2 >>4 byte = 251 \b, FGS @ L3 >>4 byte = 252 \b, FGS @ L4 >>4 byte = 253 \b, FGS @ L5 >3 byte = 0xB5 \b, v4 >>4 byte & 0x80 >>>5 byte&0xF0 = 16 \b, video (missing profile header) >>>5 byte&0xF0 = 32 \b, still texture (missing profile header) >>>5 byte&0xF0 = 48 \b, mesh (missing profile header) >>>5 byte&0xF0 = 64 \b, face (missing profile header) >>4 byte&0xF8 = 8 \b, video (missing profile header) >>4 byte&0xF8 = 16 \b, still texture (missing profile header) >>4 byte&0xF8 = 24 \b, mesh (missing profile header) >>4 byte&0xF8 = 32 \b, face (missing profile header) >3 byte = 0xB3 >>12 belong = 0x000001B8 \b, v1, progressive Y'CbCr 4:2:0 video >>12 belong = 0x000001B2 \b, v1, progressive Y'CbCr 4:2:0 video >>12 belong = 0x000001B5 \b, v2, >>>16 byte&0x0F = 1 \b HP >>>16 byte&0x0F = 2 \b Spt >>>16 byte&0x0F = 3 \b SNR >>>16 byte&0x0F = 4 \b MP >>>16 byte&0x0F = 5 \b SP >>>17 byte&0xF0 = 64 \b@HL >>>17 byte&0xF0 = 96 \b@H-14 >>>17 byte&0xF0 = 128 \b@ML >>>17 byte&0xF0 = 160 \b@LL >>>17 byte & 0x08 \b progressive >>>17 byte ^ 0x08 \b interlaced >>>17 byte&0x06 = 2 \b Y'CbCr 4:2:0 video >>>17 byte&0x06 = 4 \b Y'CbCr 4:2:2 video >>>17 byte&0x06 = 6 \b Y'CbCr 4:4:4 video >>11 byte & 0x02 >>>75 byte & 0x01 >>>>140 belong = 0x000001B8 \b, v1, progressive Y'CbCr 4:2:0 video >>>>140 belong = 0x000001B2 \b, v1, progressive Y'CbCr 4:2:0 video >>>>140 belong = 0x000001B5 \b, v2, >>>>>144 byte&0x0F = 1 \b HP >>>>>144 byte&0x0F = 2 \b Spt >>>>>144 byte&0x0F = 3 \b SNR >>>>>144 byte&0x0F = 4 \b MP >>>>>144 byte&0x0F = 5 \b SP >>>>>145 byte&0xF0 = 64 \b@HL >>>>>145 byte&0xF0 = 96 \b@H-14 >>>>>145 byte&0xF0 = 128 \b@ML >>>>>145 byte&0xF0 = 160 \b@LL >>>>>145 byte & 0x08 \b progressive >>>>>145 byte ^ 0x08 \b interlaced >>>>>145 byte&0x06 = 2 \b Y'CbCr 4:2:0 video >>>>>145 byte&0x06 = 4 \b Y'CbCr 4:2:2 video >>>>>145 byte&0x06 = 6 \b Y'CbCr 4:4:4 video >>76 belong = 0x000001B8 \b, v1, progressive Y'CbCr 4:2:0 video >>76 belong = 0x000001B2 \b, v1, progressive Y'CbCr 4:2:0 video >>76 belong = 0x000001B5 \b, v2, >>>80 byte&0x0F = 1 \b HP >>>80 byte&0x0F = 2 \b Spt >>>80 byte&0x0F = 3 \b SNR >>>80 byte&0x0F = 4 \b MP >>>80 byte&0x0F = 5 \b SP >>>81 byte&0xF0 = 64 \b@HL >>>81 byte&0xF0 = 96 \b@H-14 >>>81 byte&0xF0 = 128 \b@ML >>>81 byte&0xF0 = 160 \b@LL >>>81 byte & 0x08 \b progressive >>>81 byte ^ 0x08 \b interlaced >>>81 byte&0x06 = 2 \b Y'CbCr 4:2:0 video >>>81 byte&0x06 = 4 \b Y'CbCr 4:2:2 video >>>81 byte&0x06 = 6 \b Y'CbCr 4:4:4 video >>4 belong&0xFFFFFF00 = 0x78043800 \b, HD-TV 1920P >>>7 byte&0xF0 = 0x10 \b, 16:9 >>4 belong&0xFFFFFF00 = 0x50002D00 \b, SD-TV 1280I >>>7 byte&0xF0 = 0x10 \b, 16:9 >>4 belong&0xFFFFFF00 = 0x30024000 \b, PAL Capture >>>7 byte&0xF0 = 0x10 \b, 4:3 >>4 beshort&0xFFF0 = 0x2C00 \b, 4CIF >>>5 beshort&0x0FFF = 0x01E0 \b NTSC >>>5 beshort&0x0FFF = 0x0240 \b PAL >>>7 byte&0xF0 = 0x20 \b, 4:3 >>>7 byte&0xF0 = 0x30 \b, 16:9 >>>7 byte&0xF0 = 0x40 \b, 11:5 >>>7 byte&0xF0 = 0x80 \b, PAL 4:3 >>>7 byte&0xF0 = 0xC0 \b, NTSC 4:3 >>4 belong&0xFFFFFF00 = 0x2801E000 \b, LD-TV 640P >>>7 byte&0xF0 = 0x10 \b, 4:3 >>4 belong&0xFFFFFF00 = 0x1400F000 \b, 320x240 >>>7 byte&0xF0 = 0x10 \b, 4:3 >>4 belong&0xFFFFFF00 = 0x0F00A000 \b, 240x160 >>>7 byte&0xF0 = 0x10 \b, 4:3 >>4 belong&0xFFFFFF00 = 0x0A007800 \b, 160x120 >>>7 byte&0xF0 = 0x10 \b, 4:3 >>4 beshort&0xFFF0 = 0x1600 \b, CIF >>>5 beshort&0x0FFF = 0x00F0 \b NTSC >>>5 beshort&0x0FFF = 0x0120 \b PAL >>>7 byte&0xF0 = 0x20 \b, 4:3 >>>7 byte&0xF0 = 0x30 \b, 16:9 >>>7 byte&0xF0 = 0x40 \b, 11:5 >>>7 byte&0xF0 = 0x80 \b, PAL 4:3 >>>7 byte&0xF0 = 0xC0 \b, NTSC 4:3 >>>5 beshort&0x0FFF = 0x0240 \b PAL 625 >>>>7 byte&0xF0 = 0x20 \b, 4:3 >>>>7 byte&0xF0 = 0x30 \b, 16:9 >>>>7 byte&0xF0 = 0x40 \b, 11:5 >>4 beshort&0xFFF0 = 0x2D00 \b, CCIR/ITU >>>5 beshort&0x0FFF = 0x01E0 \b NTSC 525 >>>5 beshort&0x0FFF = 0x0240 \b PAL 625 >>>7 byte&0xF0 = 0x20 \b, 4:3 >>>7 byte&0xF0 = 0x30 \b, 16:9 >>>7 byte&0xF0 = 0x40 \b, 11:5 >>4 beshort&0xFFF0 = 0x1E00 \b, SVCD >>>5 beshort&0x0FFF = 0x01E0 \b NTSC 525 >>>5 beshort&0x0FFF = 0x0240 \b PAL 625 >>>7 byte&0xF0 = 0x20 \b, 4:3 >>>7 byte&0xF0 = 0x30 \b, 16:9 >>>7 byte&0xF0 = 0x40 \b, 11:5 >>7 byte&0x0F = 1 \b, 23.976 fps >>7 byte&0x0F = 2 \b, 24 fps >>7 byte&0x0F = 3 \b, 25 fps >>7 byte&0x0F = 4 \b, 29.97 fps >>7 byte&0x0F = 5 \b, 30 fps >>7 byte&0x0F = 6 \b, 50 fps >>7 byte&0x0F = 7 \b, 59.94 fps >>7 byte&0x0F = 8 \b, 60 fps >>11 byte & 0x04 \b, Constrained #FIXME FTimes -- Inserted MFL magic to stop false positives with the # MPA magic that follows. Refer to the following URL: # http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/featusability/wmigloba.mspx # 0 string = \xff\xfe\x23\x00\x70\x00\x72\x00\x61\x00\x67\x00\x6d\x00\x61\x00 MFL file # MPEG ADTS Audio (*.mpx/mxa/aac) # from dreesen@math.fu-berlin.de # modified to fully support MPEG ADTS # MP3, M1A 0 beshort&0xFFFE = 0xFFFA MPEG ADTS, layer III, v1 # rates >2 byte&0xF0 = 0x10 \b, 32 kBits >2 byte&0xF0 = 0x20 \b, 40 kBits >2 byte&0xF0 = 0x30 \b, 48 kBits >2 byte&0xF0 = 0x40 \b, 56 kBits >2 byte&0xF0 = 0x50 \b, 64 kBits >2 byte&0xF0 = 0x60 \b, 80 kBits >2 byte&0xF0 = 0x70 \b, 96 kBits >2 byte&0xF0 = 0x80 \b, 112 kBits >2 byte&0xF0 = 0x90 \b, 128 kBits >2 byte&0xF0 = 0xA0 \b, 160 kBits >2 byte&0xF0 = 0xB0 \b, 192 kBits >2 byte&0xF0 = 0xC0 \b, 224 kBits >2 byte&0xF0 = 0xD0 \b, 256 kBits >2 byte&0xF0 = 0xE0 \b, 320 kBits # timing >2 byte&0x0C = 0x00 \b, 44.1 kHz >2 byte&0x0C = 0x04 \b, 48 kHz >2 byte&0x0C = 0x08 \b, 32 kHz # channels/options >3 byte&0xC0 = 0x00 \b, Stereo >3 byte&0xC0 = 0x40 \b, JntStereo >3 byte&0xC0 = 0x80 \b, 2x Monaural >3 byte&0xC0 = 0xC0 \b, Monaural #>1 byte ^0x01 \b, Data Verify #>2 byte &0x02 \b, Packet Pad #>2 byte &0x01 \b, Custom Flag #>3 byte &0x08 \b, Copyrighted #>3 byte &0x04 \b, Original Source #>3 byte&0x03 1 \b, NR: 50/15 ms #>3 byte&0x03 3 \b, NR: CCIT J.17 # MP2, M1A 0 beshort&0xFFFE = 0xFFFC MPEG ADTS, layer II, v1 # rates >2 byte&0xF0 = 0x10 \b, 32 kBits >2 byte&0xF0 = 0x20 \b, 48 kBits >2 byte&0xF0 = 0x30 \b, 56 kBits >2 byte&0xF0 = 0x40 \b, 64 kBits >2 byte&0xF0 = 0x50 \b, 80 kBits >2 byte&0xF0 = 0x60 \b, 96 kBits >2 byte&0xF0 = 0x70 \b, 112 kBits >2 byte&0xF0 = 0x80 \b, 128 kBits >2 byte&0xF0 = 0x90 \b, 160 kBits >2 byte&0xF0 = 0xA0 \b, 192 kBits >2 byte&0xF0 = 0xB0 \b, 224 kBits >2 byte&0xF0 = 0xC0 \b, 256 kBits >2 byte&0xF0 = 0xD0 \b, 320 kBits >2 byte&0xF0 = 0xE0 \b, 384 kBits # timing >2 byte&0x0C = 0x00 \b, 44.1 kHz >2 byte&0x0C = 0x04 \b, 48 kHz >2 byte&0x0C = 0x08 \b, 32 kHz # channels/options >3 byte&0xC0 = 0x00 \b, Stereo >3 byte&0xC0 = 0x40 \b, JntStereo >3 byte&0xC0 = 0x80 \b, 2x Monaural >3 byte&0xC0 = 0xC0 \b, Monaural #>1 byte ^0x01 \b, Data Verify #>2 byte &0x02 \b, Packet Pad #>2 byte &0x01 \b, Custom Flag #>3 byte &0x08 \b, Copyrighted #>3 byte &0x04 \b, Original Source #>3 byte&0x03 1 \b, NR: 50/15 ms #>3 byte&0x03 3 \b, NR: CCIT J.17 #FIXME FTimes -- The beshort test at offset 0 produces false positives # when testing MS-DOS .sys files, which typically begin # with 0xffffffff. # MPA, M1A # modified by Joerg Jenderek # GRR the original test are too common for many DOS files, so test 32 <= kbits <= 448 #0 beshort&0xFFFE = 0xFFFE #>2 byte&0xF0 > 0x0F #>>2 byte&0xF0 < 0xE1 MPEG ADTS, layer I, v1 ## rate #>>>2 byte&0xF0 = 0x10 \b, 32 kBits #>>>2 byte&0xF0 = 0x20 \b, 64 kBits #>>>2 byte&0xF0 = 0x30 \b, 96 kBits #>>>2 byte&0xF0 = 0x40 \b, 128 kBits #>>>2 byte&0xF0 = 0x50 \b, 160 kBits #>>>2 byte&0xF0 = 0x60 \b, 192 kBits #>>>2 byte&0xF0 = 0x70 \b, 224 kBits #>>>2 byte&0xF0 = 0x80 \b, 256 kBits #>>>2 byte&0xF0 = 0x90 \b, 288 kBits #>>>2 byte&0xF0 = 0xA0 \b, 320 kBits #>>>2 byte&0xF0 = 0xB0 \b, 352 kBits #>>>2 byte&0xF0 = 0xC0 \b, 384 kBits #>>>2 byte&0xF0 = 0xD0 \b, 416 kBits #>>>2 byte&0xF0 = 0xE0 \b, 448 kBits ## timing #>>>2 byte&0x0C = 0x00 \b, 44.1 kHz #>>>2 byte&0x0C = 0x04 \b, 48 kHz #>>>2 byte&0x0C = 0x08 \b, 32 kHz ## channels/options #>>>3 byte&0xC0 = 0x00 \b, Stereo #>>>3 byte&0xC0 = 0x40 \b, JntStereo #>>>3 byte&0xC0 = 0x80 \b, 2x Monaural #>>>3 byte&0xC0 = 0xC0 \b, Monaural ##>1 byte ^0x01 \b, Data Verify ##>2 byte &0x02 \b, Packet Pad ##>2 byte &0x01 \b, Custom Flag ##>3 byte &0x08 \b, Copyrighted ##>3 byte &0x04 \b, Original Source ##>3 byte&0x03 1 \b, NR: 50/15 ms ##>3 byte&0x03 3 \b, NR: CCIT J.17 #FIXME FTimes -- This is a reworked version of the above. 0 belong&0xFFFEF000 = 0xFFFE1000 MPEG ADTS, layer I, v1 32 kBits 0 belong&0xFFFEF000 = 0xFFFE2000 MPEG ADTS, layer I, v1 64 kBits 0 belong&0xFFFEF000 = 0xFFFE3000 MPEG ADTS, layer I, v1 96 kBits 0 belong&0xFFFEF000 = 0xFFFE4000 MPEG ADTS, layer I, v1 128 kBits 0 belong&0xFFFEF000 = 0xFFFE5000 MPEG ADTS, layer I, v1 160 kBits 0 belong&0xFFFEF000 = 0xFFFE6000 MPEG ADTS, layer I, v1 192 kBits 0 belong&0xFFFEF000 = 0xFFFE7000 MPEG ADTS, layer I, v1 224 kBits 0 belong&0xFFFEF000 = 0xFFFE8000 MPEG ADTS, layer I, v1 256 kBits 0 belong&0xFFFEF000 = 0xFFFE9000 MPEG ADTS, layer I, v1 288 kBits 0 belong&0xFFFEF000 = 0xFFFEA000 MPEG ADTS, layer I, v1 320 kBits 0 belong&0xFFFEF000 = 0xFFFEB000 MPEG ADTS, layer I, v1 352 kBits 0 belong&0xFFFEF000 = 0xFFFEC000 MPEG ADTS, layer I, v1 384 kBits 0 belong&0xFFFEF000 = 0xFFFED000 MPEG ADTS, layer I, v1 416 kBits 0 belong&0xFFFEF000 = 0xFFFEE000 MPEG ADTS, layer I, v1 448 kBits # timing >2 byte&0x0C = 0x00 \b, 44.1 kHz >2 byte&0x0C = 0x04 \b, 48 kHz >2 byte&0x0C = 0x08 \b, 32 kHz # channels/options >3 byte&0xC0 = 0x00 \b, Stereo >3 byte&0xC0 = 0x40 \b, JntStereo >3 byte&0xC0 = 0x80 \b, 2x Monaural >3 byte&0xC0 = 0xC0 \b, Monaural # MP3, M2A 0 beshort&0xFFFE = 0xFFF2 MPEG ADTS, layer III, v2 # rate >2 byte&0xF0 = 0x10 \b, 8 kBits >2 byte&0xF0 = 0x20 \b, 16 kBits >2 byte&0xF0 = 0x30 \b, 24 kBits >2 byte&0xF0 = 0x40 \b, 32 kBits >2 byte&0xF0 = 0x50 \b, 40 kBits >2 byte&0xF0 = 0x60 \b, 48 kBits >2 byte&0xF0 = 0x70 \b, 56 kBits >2 byte&0xF0 = 0x80 \b, 64 kBits >2 byte&0xF0 = 0x90 \b, 80 kBits >2 byte&0xF0 = 0xA0 \b, 96 kBits >2 byte&0xF0 = 0xB0 \b, 112 kBits >2 byte&0xF0 = 0xC0 \b, 128 kBits >2 byte&0xF0 = 0xD0 \b, 144 kBits >2 byte&0xF0 = 0xE0 \b, 160 kBits # timing >2 byte&0x0C = 0x00 \b, 22.05 kHz >2 byte&0x0C = 0x04 \b, 24 kHz >2 byte&0x0C = 0x08 \b, 16 kHz # channels/options >3 byte&0xC0 = 0x00 \b, Stereo >3 byte&0xC0 = 0x40 \b, JntStereo >3 byte&0xC0 = 0x80 \b, 2x Monaural >3 byte&0xC0 = 0xC0 \b, Monaural #>1 byte ^0x01 \b, Data Verify #>2 byte &0x02 \b, Packet Pad #>2 byte &0x01 \b, Custom Flag #>3 byte &0x08 \b, Copyrighted #>3 byte &0x04 \b, Original Source #>3 byte&0x03 1 \b, NR: 50/15 ms #>3 byte&0x03 3 \b, NR: CCIT J.17 # MP2, M2A 0 beshort&0xFFFE = 0xFFF4 MPEG ADTS, layer II, v2 # rate >2 byte&0xF0 = 0x10 \b, 8 kBits >2 byte&0xF0 = 0x20 \b, 16 kBits >2 byte&0xF0 = 0x30 \b, 24 kBits >2 byte&0xF0 = 0x40 \b, 32 kBits >2 byte&0xF0 = 0x50 \b, 40 kBits >2 byte&0xF0 = 0x60 \b, 48 kBits >2 byte&0xF0 = 0x70 \b, 56 kBits >2 byte&0xF0 = 0x80 \b, 64 kBits >2 byte&0xF0 = 0x90 \b, 80 kBits >2 byte&0xF0 = 0xA0 \b, 96 kBits >2 byte&0xF0 = 0xB0 \b, 112 kBits >2 byte&0xF0 = 0xC0 \b, 128 kBits >2 byte&0xF0 = 0xD0 \b, 144 kBits >2 byte&0xF0 = 0xE0 \b, 160 kBits # timing >2 byte&0x0C = 0x00 \b, 22.05 kHz >2 byte&0x0C = 0x04 \b, 24 kHz >2 byte&0x0C = 0x08 \b, 16 kHz # channels/options >3 byte&0xC0 = 0x00 \b, Stereo >3 byte&0xC0 = 0x40 \b, JntStereo >3 byte&0xC0 = 0x80 \b, 2x Monaural >3 byte&0xC0 = 0xC0 \b, Monaural #>1 byte ^0x01 \b, Data Verify #>2 byte &0x02 \b, Packet Pad #>2 byte &0x01 \b, Custom Flag #>3 byte &0x08 \b, Copyrighted #>3 byte &0x04 \b, Original Source #>3 byte&0x03 1 \b, NR: 50/15 ms #>3 byte&0x03 3 \b, NR: CCIT J.17 # MPA, M2A 0 beshort&0xFFFE = 0xFFF6 MPEG ADTS, layer I, v2 # rate >2 byte&0xF0 = 0x10 \b, 32 kBits >2 byte&0xF0 = 0x20 \b, 48 kBits >2 byte&0xF0 = 0x30 \b, 56 kBits >2 byte&0xF0 = 0x40 \b, 64 kBits >2 byte&0xF0 = 0x50 \b, 80 kBits >2 byte&0xF0 = 0x60 \b, 96 kBits >2 byte&0xF0 = 0x70 \b, 112 kBits >2 byte&0xF0 = 0x80 \b, 128 kBits >2 byte&0xF0 = 0x90 \b, 144 kBits >2 byte&0xF0 = 0xA0 \b, 160 kBits >2 byte&0xF0 = 0xB0 \b, 176 kBits >2 byte&0xF0 = 0xC0 \b, 192 kBits >2 byte&0xF0 = 0xD0 \b, 224 kBits >2 byte&0xF0 = 0xE0 \b, 256 kBits # timing >2 byte&0x0C = 0x00 \b, 22.05 kHz >2 byte&0x0C = 0x04 \b, 24 kHz >2 byte&0x0C = 0x08 \b, 16 kHz # channels/options >3 byte&0xC0 = 0x00 \b, Stereo >3 byte&0xC0 = 0x40 \b, JntStereo >3 byte&0xC0 = 0x80 \b, 2x Monaural >3 byte&0xC0 = 0xC0 \b, Monaural #>1 byte ^0x01 \b, Data Verify #>2 byte &0x02 \b, Packet Pad #>2 byte &0x01 \b, Custom Flag #>3 byte &0x08 \b, Copyrighted #>3 byte &0x04 \b, Original Source #>3 byte&0x03 1 \b, NR: 50/15 ms #>3 byte&0x03 3 \b, NR: CCIT J.17 # MP3, M25A 0 beshort&0xFFFE = 0xFFE2 MPEG ADTS, layer III, v2.5 # rate >2 byte&0xF0 = 0x10 \b, 8 kBits >2 byte&0xF0 = 0x20 \b, 16 kBits >2 byte&0xF0 = 0x30 \b, 24 kBits >2 byte&0xF0 = 0x40 \b, 32 kBits >2 byte&0xF0 = 0x50 \b, 40 kBits >2 byte&0xF0 = 0x60 \b, 48 kBits >2 byte&0xF0 = 0x70 \b, 56 kBits >2 byte&0xF0 = 0x80 \b, 64 kBits >2 byte&0xF0 = 0x90 \b, 80 kBits >2 byte&0xF0 = 0xA0 \b, 96 kBits >2 byte&0xF0 = 0xB0 \b, 112 kBits >2 byte&0xF0 = 0xC0 \b, 128 kBits >2 byte&0xF0 = 0xD0 \b, 144 kBits >2 byte&0xF0 = 0xE0 \b, 160 kBits # timing >2 byte&0x0C = 0x00 \b, 11.025 kHz >2 byte&0x0C = 0x04 \b, 12 kHz >2 byte&0x0C = 0x08 \b, 8 kHz # channels/options >3 byte&0xC0 = 0x00 \b, Stereo >3 byte&0xC0 = 0x40 \b, JntStereo >3 byte&0xC0 = 0x80 \b, 2x Monaural >3 byte&0xC0 = 0xC0 \b, Monaural #>1 byte ^0x01 \b, Data Verify #>2 byte &0x02 \b, Packet Pad #>2 byte &0x01 \b, Custom Flag #>3 byte &0x08 \b, Copyrighted #>3 byte &0x04 \b, Original Source #>3 byte&0x03 1 \b, NR: 50/15 ms #>3 byte&0x03 3 \b, NR: CCIT J.17 # AAC (aka MPEG-2 NBC audio) and MPEG-4 audio # Stored AAC streams (instead of the MP4 format) 0 string = ADIF MPEG ADIF, AAC >4 byte & 0x80 >>13 byte & 0x10 \b, VBR >>13 byte ^ 0x10 \b, CBR >>16 byte&0x1E = 0x02 \b, single stream >>16 byte&0x1E = 0x04 \b, 2 streams >>16 byte&0x1E = 0x06 \b, 3 streams >>16 byte & 0x08 \b, 4 or more streams >>16 byte & 0x10 \b, 8 or more streams >>4 byte & 0x80 \b, Copyrighted >>13 byte & 0x40 \b, Original Source >>13 byte & 0x20 \b, Home Flag >4 byte ^ 0x80 >>4 byte & 0x10 \b, VBR >>4 byte ^ 0x10 \b, CBR >>7 byte&0x1E = 0x02 \b, single stream >>7 byte&0x1E = 0x04 \b, 2 streams >>7 byte&0x1E = 0x06 \b, 3 streams >>7 byte & 0x08 \b, 4 or more streams >>7 byte & 0x10 \b, 8 or more streams >>4 byte & 0x40 \b, Original Stream(s) >>4 byte & 0x20 \b, Home Source # Live or stored single AAC stream (used with MPEG-2 systems) 0 beshort&0xFFF6 = 0xFFF0 MPEG ADTS, AAC >1 byte & 0x08 \b, v2 >1 byte ^ 0x08 \b, v4 # profile >>2 byte & 0xC0 \b LTP >2 byte&0xc0 = 0x00 \b Main >2 byte&0xc0 = 0x40 \b LC >2 byte&0xc0 = 0x80 \b SSR # timing >2 byte&0x3c = 0x00 \b, 96 kHz >2 byte&0x3c = 0x04 \b, 88.2 kHz >2 byte&0x3c = 0x08 \b, 64 kHz >2 byte&0x3c = 0x0c \b, 48 kHz >2 byte&0x3c = 0x10 \b, 44.1 kHz >2 byte&0x3c = 0x14 \b, 32 kHz >2 byte&0x3c = 0x18 \b, 24 kHz >2 byte&0x3c = 0x1c \b, 22.05 kHz >2 byte&0x3c = 0x20 \b, 16 kHz >2 byte&0x3c = 0x24 \b, 12 kHz >2 byte&0x3c = 0x28 \b, 11.025 kHz >2 byte&0x3c = 0x2c \b, 8 kHz # channels >2 beshort&0x01c0 = 0x0040 \b, monaural >2 beshort&0x01c0 = 0x0080 \b, stereo >2 beshort&0x01c0 = 0x00c0 \b, stereo + center >2 beshort&0x01c0 = 0x0100 \b, stereo+center+LFE >2 beshort&0x01c0 = 0x0140 \b, surround >2 beshort&0x01c0 = 0x0180 \b, surround + LFE >2 beshort & 0x01C0 \b, surround + side #>1 byte ^0x01 \b, Data Verify #>2 byte &0x02 \b, Custom Flag #>3 byte &0x20 \b, Original Stream #>3 byte &0x10 \b, Home Source #>3 byte &0x08 \b, Copyrighted # Live MPEG-4 audio streams (instead of RTP FlexMux) 0 beshort&0xFFE0 = 0x56E0 MPEG-4 LOAS #>1 beshort&0x1FFF x \b, %u byte packet >3 byte&0xE0 = 0x40 >>4 byte&0x3C = 0x04 \b, single stream >>4 byte&0x3C = 0x08 \b, 2 streams >>4 byte&0x3C = 0x0C \b, 3 streams >>4 byte & 0x08 \b, 4 or more streams >>4 byte & 0x20 \b, 8 or more streams >3 byte&0xC0 = 0 >>4 byte&0x78 = 0x08 \b, single stream >>4 byte&0x78 = 0x10 \b, 2 streams >>4 byte&0x78 = 0x18 \b, 3 streams >>4 byte & 0x20 \b, 4 or more streams >>4 byte & 0x40 \b, 8 or more streams 0 beshort = 0x4DE1 MPEG-4 LO-EP audio stream # FLI animation format 4 leshort = 0xAF11 FLI file >6 leshort x - - %d frames, >8 leshort x - width=%d pixels, >10 leshort x - height=%d pixels, >12 leshort x - depth=%d, >16 leshort x - ticks/frame=%d # FLC animation format 4 leshort = 0xAF12 FLC file >6 leshort x - - %d frames >8 leshort x - width=%d pixels, >10 leshort x - height=%d pixels, >12 leshort x - depth=%d, >16 leshort x - ticks/frame=%d # DL animation format # XXX - collision with most `mips' magic # # I couldn't find a real magic number for these, however, this # -appears- to work. Note that it might catch other files, too, so be # careful! # # Note that title and author appear in the two 20-byte chunks # at decimal offsets 2 and 22, respectively, but they are XOR'ed with # 255 (hex FF)! The DL format is really bad. # #0 byte 1 DL version 1, medium format (160x100, 4 images/screen) #>42 byte x - %d screens, #>43 byte x %d commands #0 byte 2 DL version 2 #>1 byte 1 - large format (320x200,1 image/screen), #>1 byte 2 - medium format (160x100,4 images/screen), #>1 byte >2 - unknown format, #>42 byte x %d screens, #>43 byte x %d commands # Based on empirical evidence, DL version 3 have several nulls following the # \003. Most of them start with non-null values at hex offset 0x34 or so. #0 string \3\0\0\0\0\0\0\0\0\0\0\0 DL version 3 # iso 13818 transport stream # # from Oskar Schirmer Feb 3, 2001 (ISO 13818.1) # (the following is a little bit restrictive and works fine for a stream # that starts with PAT properly. it won't work for stream data, that is # cut from an input device data right in the middle, but this shouldn't # disturb) # syncbyte 8 bit 0x47 # error_ind 1 bit - # payload_start 1 bit 1 # priority 1 bit - # PID 13 bit 0x0000 # scrambling 2 bit - # adaptfld_ctrl 2 bit 1 or 3 # conti_count 4 bit 0 0 belong&0xFF5FFF1F = 0x47400010 MPEG transport stream data >188 byte != 0x47 CORRUPTED # DIF digital video file format 0 belong&0xffffff00 = 0x1f070000 DIF >4 byte & 0x01 (DVCPRO) movie file >4 byte ^ 0x01 (DV) movie file >3 byte & 0x80 (PAL) >3 byte ^ 0x80 (NTSC) # Microsoft Advanced Streaming Format (ASF) 0 belong = 0x3026b275 Microsoft ASF # MNG Video Format, 0 string = \x8aMNG MNG video data, >4 belong != 0x0d0a1a0a CORRUPTED, >4 belong = 0x0d0a1a0a >>16 belong x - %ld x >>20 belong x - %ld # JNG Video Format, 0 string = \x8bJNG JNG video data, >4 belong != 0x0d0a1a0a CORRUPTED, >4 belong = 0x0d0a1a0a >>16 belong x - %ld x >>20 belong x - %ld # Vivo video (Wolfram Kleff) 3 string = \x0D\x0AVersion:Vivo Vivo video data # VRML (Virtual Reality Modelling Language) #FIXME FTimes -- Replaced string tests with an equivalent regexp test. #0 string/b = #VRML\ V1.0\ ascii VRML 1 file #0 string/b = #VRML\ V2.0\ utf8 ISO/IEC 14772 VRML 97 file 0 regexp =~ #VRML[\x20]+V1.0[\x20]+ascii VRML 1 file 0 regexp =~ #VRML[\x20]+V2.0[\x20]+utf8 ISO/IEC 14772 VRML 97 file #--------------------------------------------------------------------------- # HVQM4: compressed movie format designed by Hudson for Nintendo GameCube # From Mark Sheppard , 2002-10-03 # 0 string = HVQM4 %s >6 string > \0 v%s >0 byte x - GameCube movie, >0x34 beshort x - %d x >0x36 beshort x - %d, >0x26 beshort x - %dµs, >0x42 beshort = 0 no audio >0x42 beshort > 0 %dHz audio # From: "Stefan A. Haubenthal" 0 string = DVDVIDEO-VTS Video title set, >0x21 byte x - v%x 0 string = DVDVIDEO-VMG Video manager, >0x21 byte x - v%x #------------------------------------------------------------------------------ # apl: file(1) magic for APL (see also "pdp" and "vax" for other APL # workspaces) # 0 long = 0100554 APL workspace (Ken's original?) #------------------------------------------------------------------------------ # apple: file(1) magic for Apple file formats # 0 string = FiLeStArTfIlEsTaRt binscii (apple ][) text 0 string = \x0aGL Binary II (apple ][) data 0 string = \x76\xff Squeezed (apple ][) data 0 string = NuFile NuFile archive (apple ][) data 0 string = N\xf5F\xe9l\xe5 NuFile archive (apple ][) data 0 belong = 0x00051600 AppleSingle encoded Macintosh file 0 belong = 0x00051607 AppleDouble encoded Macintosh file # magic for Newton PDA package formats # from Ruda Moura 0 string = package0 Newton package, NOS 1.x, >12 belong & 0x80000000 AutoRemove, >12 belong & 0x40000000 CopyProtect, >12 belong & 0x10000000 NoCompression, >12 belong & 0x04000000 Relocation, >12 belong & 0x02000000 UseFasterCompression, >16 belong x - version %d 0 string = package1 Newton package, NOS 2.x, >12 belong & 0x80000000 AutoRemove, >12 belong & 0x40000000 CopyProtect, >12 belong & 0x10000000 NoCompression, >12 belong & 0x04000000 Relocation, >12 belong & 0x02000000 UseFasterCompression, >16 belong x - version %d 0 string = package4 Newton package, >8 byte = 8 NOS 1.x, >8 byte = 9 NOS 2.x, >12 belong & 0x80000000 AutoRemove, >12 belong & 0x40000000 CopyProtect, >12 belong & 0x10000000 NoCompression, # The following entries for the Apple II are for files that have # been transferred as raw binary data from an Apple, without having # been encapsulated by any of the above archivers. # # In general, Apple II formats are hard to identify because Apple DOS # and especially Apple ProDOS have strong typing in the file system and # therefore programmers never felt much need to include type information # in the files themselves. # # Eric Fischer # AppleWorks word processor: # # This matches the standard tab stops for an AppleWorks file, but if # a file has a tab stop set in the first four columns this will fail. # # The "O" is really the magic number, but that's so common that it's # necessary to check the tab stops that follow it to avoid false positives. 4 string = O==== AppleWorks word processor data >85 byte&0x01 > 0 \b, zoomed >90 byte&0x01 > 0 \b, paginated >92 byte&0x01 > 0 \b, with mail merge #>91 byte x \b, left margin %d # AppleWorks database: # # This isn't really a magic number, but it's the closest thing to one # that I could find. The 1 and 2 really mean "order in which you defined # categories" and "left to right, top to bottom," respectively; the D and R # mean that the cursor should move either down or right when you press Return. #30 string \x01D AppleWorks database data #30 string \x02D AppleWorks database data #30 string \x01R AppleWorks database data #30 string \x02R AppleWorks database data # AppleWorks spreadsheet: # # Likewise, this isn't really meant as a magic number. The R or C means # row- or column-order recalculation; the A or M means automatic or manual # recalculation. #131 string RA AppleWorks spreadsheet data #131 string RM AppleWorks spreadsheet data #131 string CA AppleWorks spreadsheet data #131 string CM AppleWorks spreadsheet data # Applesoft BASIC: # # This is incredibly sloppy, but will be true if the program was # written at its usual memory location of 2048 and its first line # number is less than 256. Yuck. 0 belong&0xff00ff = 0x80000 Applesoft BASIC program data #>2 leshort x \b, first line number %d # ORCA/EZ assembler: # # This will not identify ORCA/M source files, since those have # some sort of date code instead of the two zero bytes at 6 and 7 # XXX Conflicts with ELF #4 belong&0xff00ffff 0x01000000 ORCA/EZ assembler source data #>5 byte x \b, build number %d # Broderbund Fantavision # # I don't know what these values really mean, but they seem to recur. # Will they cause too many conflicts? # Probably :-) #2 belong&0xFF00FF 0x040008 Fantavision movie data # Some attempts at images. # # These are actually just bit-for-bit dumps of the frame buffer, so # there's really no reasonably way to distinguish them except for their # address (if preserved) -- 8192 or 16384 -- and their length -- 8192 # or, occasionally, 8184. # # Nevertheless this will manage to catch a lot of images that happen # to have a solid-colored line at the bottom of the screen. 8144 string = \x7F\x7F\x7F\x7F\x7F\x7F\x7F\x7F Apple II image with white background 8144 string = \x55\x2A\x55\x2A\x55\x2A\x55\x2A Apple II image with purple background 8144 string = \x2A\x55\x2A\x55\x2A\x55\x2A\x55 Apple II image with green background 8144 string = \xD5\xAA\xD5\xAA\xD5\xAA\xD5\xAA Apple II image with blue background 8144 string = \xAA\xD5\xAA\xD5\xAA\xD5\xAA\xD5 Apple II image with orange background # Beagle Bros. Apple Mechanic fonts 0 belong&0xFF00FFFF = 0x6400D000 Apple Mechanic font # Apple Universal Disk Image Format (UDIF) - dmg files. # From Johan Gade. # These entries are disabled for now until we fix the following issues. # # Note there might be some problems with the "VAX COFF executable" # entry. Note this entry should be placed before the mac filesystem section, # particularly the "Apple Partition data" entry. # # The intended meaning of these tests is, that the file is only of the # specified type if both of the lines are correct - i.e. if the first # line matches and the second doesn't then it is not of that type. # #0 long 0x7801730d #>4 long 0x62626060 UDIF read-only zlib-compressed image (UDZO) # # Note that this entry is recognized correctly by the "Apple Partition # data" entry - however since this entry is more specific - this # information seems to be more useful. #0 long 0x45520200 #>0x410 string disk\ image UDIF read/write image (UDRW) # From: Toby Peterson 0 string = bplist00 Apple binary property list # Apple binary property list (bplist) # Assumes version bytes are hex. # Provides content hints for version 0 files. Assumes that the root # object is the first object (true for CoreFoundation implementation). # From: David Remahl 0 string = bplist >6 byte x - \bCoreFoundation binary property list data, version 0x%c >>7 byte x - \b%c >6 string = 00 \b >>8 byte&0xF0 = 0x00 \b >>>8 byte&0x0F = 0x00 \b, root type: null >>>8 byte&0x0F = 0x08 \b, root type: false boolean >>>8 byte&0x0F = 0x09 \b, root type: true boolean >>8 byte&0xF0 = 0x10 \b, root type: integer >>8 byte&0xF0 = 0x20 \b, root type: real >>8 byte&0xF0 = 0x30 \b, root type: date >>8 byte&0xF0 = 0x40 \b, root type: data >>8 byte&0xF0 = 0x50 \b, root type: ascii string >>8 byte&0xF0 = 0x60 \b, root type: unicode string >>8 byte&0xF0 = 0x80 \b, root type: uid (CORRUPT) >>8 byte&0xF0 = 0xa0 \b, root type: array >>8 byte&0xF0 = 0xd0 \b, root type: dictionary # Apple/NeXT typedstream data # Serialization format used by NeXT and Apple for various # purposes in YellowStep/Cocoa, including some nib files. # From: David Remahl 2 string = typedstream NeXT/Apple typedstream data, big endian >0 byte x - \b, version %hhd >0 byte < 5 \b >>13 byte = 0x81 \b >>>14 beshort x - \b, system %hd 2 string = streamtyped NeXT/Apple typedstream data, little endian >0 byte x - \b, version %hhd >0 byte < 5 \b >>13 byte = 0x81 \b >>>14 leshort x - \b, system %hd #------------------------------------------------------------------------------ # applix: file(1) magic for Applixware # From: Peter Soos # 0 string = *BEGIN Applixware >7 string = WORDS Words Document >7 string = GRAPHICS Graphic >7 string = RASTER Bitmap >7 string = SPREADSHEETS Spreadsheet >7 string = MACRO Macro >7 string = BUILDER Builder Object #------------------------------------------------------------------------------ # archive: file(1) magic for archive formats (see also "msdos" for self- # extracting compressed archives) # # cpio, ar, arc, arj, hpack, lha/lharc, rar, squish, uc2, zip, zoo, etc. # pre-POSIX "tar" archives are handled in the C code. # POSIX tar archives 257 string = ustar\0 POSIX tar archive 257 string = ustar\040\040\0 GNU tar archive # cpio archives # # Yes, the top two "cpio archive" formats *are* supposed to just be "short". # The idea is to indicate archives produced on machines with the same # byte order as the machine running "file" with "cpio archive", and # to indicate archives produced on machines with the opposite byte order # from the machine running "file" with "byte-swapped cpio archive". # # The SVR4 "cpio(4)" hints that there are additional formats, but they # are defined as "short"s; I think all the new formats are # character-header formats and thus are strings, not numbers. 0 short = 070707 cpio archive 0 short = 0143561 byte-swapped cpio archive 0 string = 070707 ASCII cpio archive (pre-SVR4 or odc) 0 string = 070701 ASCII cpio archive (SVR4 with no CRC) 0 string = 070702 ASCII cpio archive (SVR4 with CRC) # Debian package (needs to go before regular portable archives) # 0 string = !\ndebian >8 string = debian-split part of multipart Debian package >8 string = debian-binary Debian binary package >68 string > \0 (format %s) # These next two lines do not work, because a bzip2 Debian archive # still uses gzip for the control.tar (first in the archive). Only # data.tar varies, and the location of its filename varies too. # file/libmagic does not current have support for ascii-string based # (offsets) as of 2005-09-15. #>81 string bz2 \b, uses bzip2 compression #>84 string gz \b, uses gzip compression #>136 ledate x created: %s # other archives 0 long = 0177555 very old archive 0 short = 0177555 very old PDP-11 archive 0 long = 0177545 old archive 0 short = 0177545 old PDP-11 archive 0 long = 0100554 apl workspace 0 string = archive # MIPS archive (needs to go before regular portable archives) # 0 string = !\n__________E MIPS archive >20 string = U with MIPS Ucode members >21 string = L with MIPSEL members >21 string = B with MIPSEB members >19 string = L and an EL hash table >19 string = B and an EB hash table >22 string = X -- out of date 0 string = -h- Software Tools format archive text # # XXX - why are there multiple thingies? Note that 0x213c6172 is # "! current ar archive # 0 long 0x213c6172 archive file # # and for SVR1 archives, we have: # # 0 string \ System V Release 1 ar archive # 0 string = archive # # XXX - did Aegis really store shared libraries, breakpointed modules, # and absolute code program modules in the same format as new-style # "ar" archives? # 0 string = ! current ar archive >8 string = __.SYMDEF random library >0 belong = 65538 - pre SR9.5 >0 belong = 65539 - post SR9.5 >0 beshort = 2 - object archive >0 beshort = 3 - shared library module >0 beshort = 4 - debug break-pointed module >0 beshort = 5 - absolute code program module 0 string = \ System V Release 1 ar archive 0 string = archive # # XXX - from "vax", which appears to collect a bunch of byte-swapped # thingies, to help you recognize VAX files on big-endian machines; # with "leshort", "lelong", and "string", that's no longer necessary.... # 0 belong = 0x65ff0000 VAX 3.0 archive 0 belong = 0x3c61723e VAX 5.0 archive # 0 long = 0x213c6172 archive file 0 lelong = 0177555 very old VAX archive 0 leshort = 0177555 very old PDP-11 archive # # XXX - "pdp" claims that 0177545 can have an __.SYMDEF member and thus # be a random library (it said 0xff65 rather than 0177545). # 0 lelong = 0177545 old VAX archive >8 string = __.SYMDEF random library 0 leshort = 0177545 old PDP-11 archive >8 string = __.SYMDEF random library # # From "pdp" (but why a 4-byte quantity?) # 0 lelong = 0x39bed PDP-11 old archive 0 lelong = 0x39bee PDP-11 4.0 archive # ARC archiver, from Daniel Quinlan (quinlan@yggdrasil.com) # # The first byte is the magic (0x1a), byte 2 is the compression type for # the first file (0x01 through 0x09), and bytes 3 to 15 are the MS-DOS # filename of the first file (null terminated). Since some types collide # we only test some types on basis of frequency: 0x08 (83%), 0x09 (5%), # 0x02 (5%), 0x03 (3%), 0x04 (2%), 0x06 (2%). 0x01 collides with terminfo. 0 lelong&0x8080ffff = 0x0000081a ARC archive data, dynamic LZW 0 lelong&0x8080ffff = 0x0000091a ARC archive data, squashed 0 lelong&0x8080ffff = 0x0000021a ARC archive data, uncompressed 0 lelong&0x8080ffff = 0x0000031a ARC archive data, packed 0 lelong&0x8080ffff = 0x0000041a ARC archive data, squeezed 0 lelong&0x8080ffff = 0x0000061a ARC archive data, crunched # [JW] stuff taken from idarc, obviously ARC successors: 0 lelong&0x8080ffff = 0x00000a1a PAK archive data 0 lelong&0x8080ffff = 0x0000141a ARC+ archive data 0 lelong&0x8080ffff = 0x0000481a HYP archive data # Acorn archive formats (Disaster prone simpleton, m91dps@ecs.ox.ac.uk) # I can't create either SPARK or ArcFS archives so I have not tested this stuff # [GRR: the original entries collide with ARC, above; replaced with combined # version (not tested)] #0 byte 0x1a RISC OS archive (spark format) 0 string = \032archive RISC OS archive (ArcFS format) 0 string = Archive\000 RISC OS archive (ArcFS format) # All these were taken from idarc, many could not be verified. Unfortunately, # there were many low-quality sigs, i.e. easy to trigger false positives. # Please notify me of any real-world fishy/ambiguous signatures and I'll try # to get my hands on the actual archiver and see if I find something better. [JW] # probably many can be enhanced by finding some 0-byte or control char near the start # idarc calls this Crush/Uncompressed... *shrug* 0 string = CRUSH Crush archive data # Squeeze It (.sqz) 0 string = HLSQZ Squeeze It archive data # SQWEZ 0 string = SQWEZ SQWEZ archive data # HPack (.hpk) 0 string = HPAK HPack archive data # HAP 0 string = \x91\x33HF HAP archive data # MD/MDCD 0 string = MDmd MDCD archive data # LIM 0 string = LIM\x1a LIM archive data # SAR 3 string = LH5 SAR archive data # BSArc/BS2 0 string = \212\3SB \0 BSArc/BS2 archive data # MAR 2 string = -ah MAR archive data # ACB 0 belong&0x00f800ff = 0x00800000 ACB archive data # CPZ # TODO, this is what idarc says: 0 string \0\0\0 CPZ archive data # JRC 0 string = JRchive JRC archive data # Quantum 0 string = DS\0 Quantum archive data # ReSOF 0 string = PK\3\6 ReSOF archive data # QuArk 0 string = 7\4 QuArk archive data # YAC 14 string = YC YAC archive data # X1 0 string = X1 X1 archive data 0 string = XhDr X1 archive data # CDC Codec (.dqt) 0 belong&0xffffe000 = 0x76ff2000 CDC Codec archive data # AMGC 0 string = \xad6" AMGC archive data # NuLIB 0 string = NõFélå NuLIB archive data # PakLeo 0 string = LEOLZW PAKLeo archive data # ChArc 0 string = SChF ChArc archive data # PSA 0 string = PSA PSA archive data # CrossePAC 0 string = DSIGDCC CrossePAC archive data # Freeze 0 string = \x1f\x9f\x4a\x10\x0a Freeze archive data # KBoom 0 string = ¨MP¨ KBoom archive data # NSQ, must go after CDC Codec 0 string = \x76\xff NSQ archive data # DPA 0 string = Dirk\ Paehl DPA archive data # BA # TODO: idarc says "bytes 0-2 == bytes 3-5" # TTComp 0 string = \0\6 TTComp archive data # ESP, could this conflict with Easy Software Products' (e.g.ESP ghostscript) documentation? 0 string = ESP ESP archive data # ZPack 0 string = \1ZPK\1 ZPack archive data # Sky 0 string = \xbc\x40 Sky archive data # UFA 0 string = UFA UFA archive data # Dry 0 string = -H2O DRY archive data # FoxSQZ 0 string = FOXSQZ FoxSQZ archive data # AR7 0 string = ,AR7 AR7 archive data # PPMZ 0 string = PPMZ PPMZ archive data # MS Compress 4 string = \x88\xf0\x27 MS Compress archive data # updated by Joerg Jenderek >9 string = \0 >>0 string = KWAJ >>>7 string = \321\003 MS Compress archive data >>>>14 long > 0 \b, original size: %ld bytes >>>>18 byte > 0x65 >>>>>18 string x - \b, was %.8s >>>>>(10.b-4) string x - \b.%.3s # MP3 (archiver, not lossy audio compression) 0 string = MP3\x1a MP3-Archiver archive data # ZET 0 string = OZÝ ZET archive data # TSComp 0 string = \x65\x5d\x13\x8c\x08\x01\x03\x00 TSComp archive data # ARQ 0 string = gW\4\1 ARQ archive data # Squash 3 string = OctSqu Squash archive data # Terse 0 string = \5\1\1\0 Terse archive data # PUCrunch 0 string = \x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 PUCrunch archive data # UHarc 0 string = UHA UHarc archive data # ABComp 0 string = \2AB ABComp archive data 0 string = \3AB2 ABComp archive data # CMP 0 string = CO\0 CMP archive data # Splint 0 string = \x93\xb9\x06 Splint archive data # InstallShield 0 string = \x13\x5d\x65\x8c InstallShield Z archive Data # Gather 1 string = GTH Gather archive data # BOA 0 string = BOA BOA archive data # RAX 0 string = ULEB\xa RAX archive data # Xtreme 0 string = ULEB\0 Xtreme archive data # Pack Magic 0 string = @â\1\0 Pack Magic archive data # BTS 0 belong&0xfeffffff = 0x1a034465 BTS archive data # ELI 5750 0 string = Ora\ ELI 5750 archive data # QFC 0 string = \x1aFC\x1a QFC archive data 0 string = \x1aQF\x1a QFC archive data # PRO-PACK 0 string = RNC PRO-PACK archive data # 777 0 string = 777 777 archive data # LZS221 0 string = sTaC LZS221 archive data # HPA 0 string = HPA HPA archive data # Arhangel 0 string = LG Arhangel archive data # EXP1, uses bzip2 0 string = 0123456789012345BZh EXP1 archive data # IMP 0 string = IMP\xa IMP archive data # NRV 0 string = \x00\x9E\x6E\x72\x76\xFF NRV archive data # Squish 0 string = \x73\xb2\x90\xf4 Squish archive data # Par 0 string = PHILIPP Par archive data 0 string = PAR Par archive data # HIT 0 string = UB HIT archive data # SBX 0 belong&0xfffff000 = 0x53423000 SBX archive data # NaShrink 0 string = NSK NaShrink archive data # SAPCAR 0 string = #\ CAR\ archive\ header SAPCAR archive data 0 string = CAR\ 2.00RG SAPCAR archive data # Disintegrator 0 string = DST Disintegrator archive data # ASD 0 string = ASD ASD archive data # InstallShield CAB 0 string = ISc( InstallShield CAB # TOP4 0 string = T4\x1a TOP4 archive data # BatComp left out: sig looks like COM executable # so TODO: get real 4dos batcomp file and find sig # BlakHole 0 string = BH\5\7 BlakHole archive data # BIX 0 string = BIX0 BIX archive data # ChiefLZA 0 string = ChfLZ ChiefLZA archive data # Blink 0 string = Blink Blink archive data # Logitech Compress 0 string = \xda\xfa Logitech Compress archive data # ARS-Sfx (FIXME: really a SFX? then goto COM/EXE) 1 string = (C)\ STEPANYUK ARS-Sfx archive data # AKT/AKT32 0 string = AKT32 AKT32 archive data 0 string = AKT AKT archive data # NPack 0 string = MSTSM NPack archive data # PFT 0 string = \0\x50\0\x14 PFT archive data # SemOne 0 string = SEM SemOne archive data # PPMD 0 string = \x8f\xaf\xac\x84 PPMD archive data # FIZ 0 string = FIZ FIZ archive data # MSXiE 0 belong&0xfffff0f0 = 0x4d530000 MSXiE archive data # DeepFreezer 0 belong&0xfffffff0 = 0x797a3030 DeepFreezer archive data # DC 0 string = 2 byte x - \b, version %i >3 byte x - \b.%i # ZZip archiver (.zz) 0 string = ZZ\ \0\0 ZZip archive data 0 string = ZZ0 ZZip archive data # PAQ archiver (.paq) 0 string = \xaa\x40\x5f\x77\x1f\xe5\x82\x0d PAQ archive data 0 string = PAQ PAQ archive data >3 byte&0xf0 = 0x30 >>3 byte x - (v%c) # JAR archiver (.j), this is the successor to ARJ, not Java's JAR (which is essentially ZIP) 0xe string = \x1aJar\x1b JAR (ARJ Software, Inc.) archive data 0 string = JARCS JAR (ARJ Software, Inc.) archive data # ARJ archiver (jason@jarthur.Claremont.EDU) 0 leshort = 0xea60 ARJ archive data >5 byte x - \b, v%d, >8 byte & 0x04 multi-volume, >8 byte & 0x10 slash-switched, >8 byte & 0x20 backup, >34 string x - original name: %s, >7 byte = 0 os: MS-DOS >7 byte = 1 os: PRIMOS >7 byte = 2 os: Unix >7 byte = 3 os: Amiga >7 byte = 4 os: Macintosh >7 byte = 5 os: OS/2 >7 byte = 6 os: Apple ][ GS >7 byte = 7 os: Atari ST >7 byte = 8 os: NeXT >7 byte = 9 os: VAX/VMS >3 byte > 0 %d] # [JW] idarc says this is also possible 2 leshort = 0xea60 ARJ archive data # HA archiver (Greg Roelofs, newt@uchicago.edu) # This is a really bad format. A file containing HAWAII will match this... #0 string HA HA archive data, #>2 leshort =1 1 file, #>2 leshort >1 %u files, #>4 byte&0x0f =0 first is type CPY #>4 byte&0x0f =1 first is type ASC #>4 byte&0x0f =2 first is type HSC #>4 byte&0x0f =0x0e first is type DIR #>4 byte&0x0f =0x0f first is type SPECIAL # suggestion: at least identify small archives (<1024 files) 0 belong&0xffff00fc = 0x48410000 HA archive data >2 leshort = 1 1 file, >2 leshort > 1 %u files, >4 byte&0x0f = 0 first is type CPY >4 byte&0x0f = 1 first is type ASC >4 byte&0x0f = 2 first is type HSC >4 byte&0x0f = 0x0e first is type DIR >4 byte&0x0f = 0x0f first is type SPECIAL # HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz) 0 string = HPAK HPACK archive data # JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net 0 string = \351,\001JAM\ JAM archive, >7 string > \0 version %.4s >0x26 byte = 0x27 - >>0x2b string > \0 label %.11s, >>0x27 lelong x - serial %08x, >>0x36 string > \0 fstype %.8s # LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu) 2 string = -lh0- LHarc 1.x/ARX archive data [lh0] 2 string = -lh1- LHarc 1.x/ARX archive data [lh1] 2 string = -lz4- LHarc 1.x archive data [lz4] 2 string = -lz5- LHarc 1.x archive data [lz5] # [never seen any but the last; -lh4- reported in comp.compression:] 2 string = -lzs- LHa/LZS archive data [lzs] 2 string = -lh\40- LHa 2.x? archive data [lh ] 2 string = -lhd- LHa 2.x? archive data [lhd] 2 string = -lh2- LHa 2.x? archive data [lh2] 2 string = -lh3- LHa 2.x? archive data [lh3] 2 string = -lh4- LHa (2.x) archive data [lh4] 2 string = -lh5- LHa (2.x) archive data [lh5] 2 string = -lh6- LHa (2.x) archive data [lh6] 2 string = -lh7- LHa (2.x)/LHark archive data [lh7] >20 byte x - - header level %d # taken from idarc [JW] 2 string = -lZ PUT archive data 2 string = -lz LZS archive data 2 string = -sw1- Swag archive data # RAR archiver (Greg Roelofs, newt@uchicago.edu) 0 string = Rar! RAR archive data, >44 byte x - v%0x, >35 byte = 0 os: MS-DOS >35 byte = 1 os: OS/2 >35 byte = 2 os: Win32 >35 byte = 3 os: Unix # some old version? idarc says: 0 string = RE\x7e\x5e RAR archive data # SQUISH archiver (Greg Roelofs, newt@uchicago.edu) 0 string = SQSH squished archive data (Acorn RISCOS) # UC2 archiver (Greg Roelofs, newt@uchicago.edu) # [JW] see exe section for self-extracting version 0 string = UC2\x1a UC2 archive data # ZIP archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) # NOTE: Revised on 2008/04/15 by klm. #0 string = PK\003\004 #>4 byte = 0x09 \bZip archive data, at least v0.9 to extract #>4 byte = 0x0a \bZip archive data, at least v1.0 to extract #>4 byte = 0x0b \bZip archive data, at least v1.1 to extract #>4 byte = 0x14 \b #>>30 belong != 0x6d696d65 \bZip archive data, at least v2.0 to extract 0 string = PK\x03\x04 Zip archive >4 byte = 0x09 (at least v0.9 to extract) >4 byte = 0x0a (at least v1.0 to extract) >4 byte = 0x0b (at least v1.1 to extract) >4 byte = 0x14 (at least v2.0 to extract) >4 byte = 0x15 (at least v2.1 to extract) # OpenOffice.org / KOffice / StarOffice documents # From: Abel Cheung # Listed here because they are basically zip files >>30 string = mimetype # KOffice (1.2 or above) formats >>>50 string = vnd.kde. KOffice (>=1.2) >>>>58 string = karbon Karbon document >>>>58 string = kchart KChart document >>>>58 string = kformula KFormula document >>>>58 string = kivio Kivio document >>>>58 string = kontour Kontour document >>>>58 string = kpresenter KPresenter document >>>>58 string = kspread KSpread document >>>>58 string = kword KWord document # OpenOffice formats (for OpenOffice 1.x / StarOffice 6/7) >>>50 string = vnd.sun.xml. OpenOffice.org 1.x >>>>62 string = writer Writer >>>>>68 byte != 0x2e document >>>>>68 string = .template template >>>>>68 string = .global global document >>>>62 string = calc Calc >>>>>66 byte != 0x2e spreadsheet >>>>>66 string = .template template >>>>62 string = draw Draw >>>>>66 byte != 0x2e document >>>>>66 string = .template template >>>>62 string = impress Impress >>>>>69 byte != 0x2e presentation >>>>>69 string = .template template >>>>62 string = math Math document # OpenDocument formats (for OpenOffice 2.x / StarOffice >= 8) # http://lists.oasis-open.org/archives/office/200505/msg00006.html >>>50 string = vnd.oasis.opendocument. OpenDocument >>>>73 string = text >>>>>77 byte != 0x2d Text >>>>>77 string = -template Text Template >>>>>77 string = -web HTML Document Template >>>>>77 string = -master Master Document >>>>73 string = graphics Drawing >>>>>81 string = -template Template >>>>73 string = presentation Presentation >>>>>85 string = -template Template >>>>73 string = spreadsheet Spreadsheet >>>>>84 string = -template Template >>>>73 string = chart Chart >>>>>78 string = -template Template >>>>73 string = formula Formula >>>>>80 string = -template Template >>>>73 string = database Database >>>>73 string = image Image # Zoo archiver 20 lelong = 0xfdc4a7dc Zoo archive data >4 byte > 48 \b, v%c. >>6 byte > 47 \b%c >>>7 byte > 47 \b%c >32 byte > 0 \b, modify: v%d >>33 byte x - \b.%d+ >42 lelong = 0xfdc4a7dc \b, >>70 byte > 0 extract: v%d >>>71 byte x - \b.%d+ # Shell archives 10 string = #\ This\ is\ a\ shell\ archive shell archive text # # LBR. NB: May conflict with the questionable # "binary Computer Graphics Metafile" format. # 0 string = \0\ \ \ \ \ \ \ \ \ \ \ \0\0 LBR archive data # # PMA (CP/M derivative of LHA) # 2 string = -pm0- PMarc archive data [pm0] 2 string = -pm1- PMarc archive data [pm1] 2 string = -pm2- PMarc archive data [pm2] 2 string = -pms- PMarc SFX archive (CP/M, DOS) 5 string = -pc1- PopCom compressed executable (CP/M) # From Rafael Laboissiere # The Project Revision Control System (see # http://prcs.sourceforge.net) generates a packaged project # file which is recognized by the following entry: 0 leshort = 0xeb81 PRCS packaged project # Microsoft cabinets # by David Necas (Yeti) #0 string MSCF\0\0\0\0 Microsoft cabinet file data, #>25 byte x v%d #>24 byte x \b.%d # MPi: All CABs have version 1.3, so this is pointless. # Better magic in debian-additions. # GTKtalog catalogs # by David Necas (Yeti) 4 string = gtktalog\ GTKtalog catalog data, >13 string = 3 version 3 >>14 beshort = 0x677a (gzipped) >>14 beshort != 0x677a (not gzipped) >13 string > 3 version %s ############################################################################ # Parity archive reconstruction file, the 'par' file format now used on Usenet. 0 string = PAR\0 PARity archive data >48 leshort = 0 - Index file >48 leshort > 0 - file number %d # Felix von Leitner 0 string = d8:announce BitTorrent file # Atari MSA archive - Teemu Hukkanen 0 beshort = 0x0e0f Atari MSA archive data >2 beshort x - \b, %d sectors per track >4 beshort = 0 \b, 1 sided >4 beshort = 1 \b, 2 sided >6 beshort x - \b, starting track: %d >8 beshort x - \b, ending track: %d # Alternate ZIP string (amc@arwen.cs.berkeley.edu) 0 string = PK00PK\003\004 Zip archive data # ACE archive (from http://www.wotsit.org/download.asp?f=ace) # by Stefan `Sec` Zehl 7 string = **ACE** ACE archive data >15 byte > 0 version %d >16 byte = 0x00 \b, from MS-DOS >16 byte = 0x01 \b, from OS/2 >16 byte = 0x02 \b, from Win/32 >16 byte = 0x03 \b, from Unix >16 byte = 0x04 \b, from MacOS >16 byte = 0x05 \b, from WinNT >16 byte = 0x06 \b, from Primos >16 byte = 0x07 \b, from AppleGS >16 byte = 0x08 \b, from Atari >16 byte = 0x09 \b, from Vax/VMS >16 byte = 0x0A \b, from Amiga >16 byte = 0x0B \b, from Next >14 byte x - \b, version %d to extract >5 leshort & 0x0080 \b, multiple volumes, >>17 byte x - \b (part %d), >5 leshort & 0x0002 \b, contains comment >5 leshort & 0x0200 \b, sfx >5 leshort & 0x0400 \b, small dictionary >5 leshort & 0x0800 \b, multi-volume >5 leshort & 0x1000 \b, contains AV-String >>30 string = \x16*UNREGISTERED\x20VERSION* (unregistered) >5 leshort & 0x2000 \b, with recovery record >5 leshort & 0x4000 \b, locked >5 leshort & 0x8000 \b, solid # Date in MS-DOS format (whatever that is) #>18 lelong x Created on # sfArk : compression program for Soundfonts (sf2) by Dirk Jagdmann # 0x1A string = sfArk sfArk compressed Soundfont >0x15 string = 2 >>0x1 string > \0 Version %s >>0x2A string > \0 : %s # DR-DOS 7.03 Packed File *.??_ 0 string = Packed\ File\ Personal NetWare Packed File >12 string x - \b, was "%.12s" # EET archive # From: Tilman Sauerbeck 0 belong = 0x1ee7ff00 EET archive #------------------------------------------------------------------------------ # asterix: file(1) magic for Aster*x; SunOS 5.5.1 gave the 4-character # strings as "long" - we assume they're just strings: # From: guy@netapp.com (Guy Harris) # 0 string = *STA Aster*x >7 string = WORD Words Document >7 string = GRAP Graphic >7 string = SPRE Spreadsheet >7 string = MACR Macro 0 string = 2278 Aster*x Version 2 >29 byte = 0x36 Words Document >29 byte = 0x35 Graphic >29 byte = 0x32 Spreadsheet >29 byte = 0x38 Macro #------------------------------------------------------------------------------ # att3b: file(1) magic for AT&T 3B machines # # The `versions' should be un-commented if they work for you. # (Was the problem just one of endianness?) # # 3B20 # # The 3B20 conflicts with SCCS. #0 beshort 0550 3b20 COFF executable #>12 belong >0 not stripped #>22 beshort >0 - version %ld #0 beshort 0551 3b20 COFF executable (TV) #>12 belong >0 not stripped #>22 beshort >0 - version %ld # # WE32K # 0 beshort = 0560 WE32000 COFF >18 beshort ^ 00000020 object >18 beshort & 00000020 executable >12 belong > 0 not stripped >18 beshort ^ 00010000 N/A on 3b2/300 w/paging >18 beshort & 00020000 32100 required >18 beshort & 00040000 and MAU hardware required >20 beshort = 0407 (impure) >20 beshort = 0410 (pure) >20 beshort = 0413 (demand paged) >20 beshort = 0443 (target shared library) >22 beshort > 0 - version %ld 0 beshort = 0561 WE32000 COFF executable (TV) >12 belong > 0 not stripped #>18 beshort &00020000 - 32100 required #>18 beshort &00040000 and MAU hardware required #>22 beshort >0 - version %ld # # core file for 3b2 0 string = \000\004\036\212\200 3b2 core file >364 string > \0 of '%s' #------------------------------------------------------------------------------ # audio: file(1) magic for sound formats (see also "iff") # # Jan Nicolai Langfeldt (janl@ifi.uio.no), Dan Quinlan (quinlan@yggdrasil.com), # and others # # Sun/NeXT audio data 0 string = .snd Sun/NeXT audio data: >12 belong = 1 8-bit ISDN mu-law, >12 belong = 2 8-bit linear PCM [REF-PCM], >12 belong = 3 16-bit linear PCM, >12 belong = 4 24-bit linear PCM, >12 belong = 5 32-bit linear PCM, >12 belong = 6 32-bit IEEE floating point, >12 belong = 7 64-bit IEEE floating point, >12 belong = 8 Fragmented sample data, >12 belong = 10 DSP program, >12 belong = 11 8-bit fixed point, >12 belong = 12 16-bit fixed point, >12 belong = 13 24-bit fixed point, >12 belong = 14 32-bit fixed point, >12 belong = 18 16-bit linear with emphasis, >12 belong = 19 16-bit linear compressed, >12 belong = 20 16-bit linear with emphasis and compression, >12 belong = 21 Music kit DSP commands, >12 belong = 23 8-bit ISDN mu-law compressed (CCITT G.721 ADPCM voice data encoding), >12 belong = 24 compressed (8-bit CCITT G.722 ADPCM) >12 belong = 25 compressed (3-bit CCITT G.723.3 ADPCM), >12 belong = 26 compressed (5-bit CCITT G.723.5 ADPCM), >12 belong = 27 8-bit A-law (CCITT G.711), >20 belong = 1 mono, >20 belong = 2 stereo, >20 belong = 4 quad, >16 belong > 0 %d Hz # DEC systems (e.g. DECstation 5000) use a variant of the Sun/NeXT format # that uses little-endian encoding and has a different magic number 0 lelong = 0x0064732E DEC audio data: >12 lelong = 1 8-bit ISDN mu-law, >12 lelong = 2 8-bit linear PCM [REF-PCM], >12 lelong = 3 16-bit linear PCM, >12 lelong = 4 24-bit linear PCM, >12 lelong = 5 32-bit linear PCM, >12 lelong = 6 32-bit IEEE floating point, >12 lelong = 7 64-bit IEEE floating point, >12 belong = 8 Fragmented sample data, >12 belong = 10 DSP program, >12 belong = 11 8-bit fixed point, >12 belong = 12 16-bit fixed point, >12 belong = 13 24-bit fixed point, >12 belong = 14 32-bit fixed point, >12 belong = 18 16-bit linear with emphasis, >12 belong = 19 16-bit linear compressed, >12 belong = 20 16-bit linear with emphasis and compression, >12 belong = 21 Music kit DSP commands, >12 lelong = 23 8-bit ISDN mu-law compressed (CCITT G.721 ADPCM voice data encoding), >12 belong = 24 compressed (8-bit CCITT G.722 ADPCM) >12 belong = 25 compressed (3-bit CCITT G.723.3 ADPCM), >12 belong = 26 compressed (5-bit CCITT G.723.5 ADPCM), >12 belong = 27 8-bit A-law (CCITT G.711), >20 lelong = 1 mono, >20 lelong = 2 stereo, >20 lelong = 4 quad, >16 lelong > 0 %d Hz # Creative Labs AUDIO stuff 0 string = MThd Standard MIDI data >8 beshort x - (format %d) >10 beshort x - using %d track >10 beshort > 1 \bs >12 beshort&0x7fff x - at 1/%d >12 beshort&0x8000 > 0 SMPTE 0 string = CTMF Creative Music (CMF) data 0 string = SBI SoundBlaster instrument data 0 string = Creative\ Voice\ File Creative Labs voice data # is this next line right? it came this way... >19 byte = 0x1A >23 byte > 0 - version %d >22 byte > 0 \b.%d # first entry is also the string "NTRK" 0 belong = 0x4e54524b MultiTrack sound data >4 belong x - - version %ld # Extended MOD format (*.emd) (Greg Roelofs, newt@uchicago.edu); NOT TESTED # [based on posting 940824 by "Dirk/Elastik", husberg@lehtori.cc.tut.fi] 0 string = EMOD Extended MOD sound data, >4 byte&0xf0 x - version %d >4 byte&0x0f x - \b.%d, >45 byte x - %d instruments >83 byte = 0 (module) >83 byte = 1 (song) # Real Audio (Magic .ra\0375) 0 belong = 0x2e7261fd RealAudio sound file 0 string = .RMF RealMedia file # MTM/669/FAR/S3M/ULT/XM format checking [Aaron Eppert, aeppert@dialin.ind.net] # Oct 31, 1995 # fixed by 2003-06-24 # Too short... #0 string MTM MultiTracker Module sound file #0 string if Composer 669 Module sound data #0 string JN Composer 669 Module sound data (extended format) 0 string = MAS_U ULT(imate) Module sound data #0 string FAR Module sound data #>4 string >\15 Title: "%s" 0x2c string = SCRM ScreamTracker III Module sound data >0 string > \0 Title: "%s" # Gravis UltraSound patches # From 0 string = GF1PATCH110\0ID#000002\0 GUS patch 0 string = GF1PATCH100\0ID#000002\0 Old GUS patch # # Taken from loader code from mikmod version 2.14 # by Steve McIntyre (stevem@chiark.greenend.org.uk) # added title printing on 2003-06-24 0 string = MAS_UTrack_V00 >14 string > /0 ultratracker V1.%.1s module sound data 0 string = UN05 MikMod UNI format module sound data 0 string = Extended\ Module: Fasttracker II module sound data >17 string > \0 Title: "%s" #FIXME FTimes -- Confirm that '!' is part of the string. 21 regexp =~ (?i)(!SCREAM!) Screamtracker 2 module sound data 21 string = BMOD2STM Screamtracker 2 module sound data 1080 string = M.K. 4-channel Protracker module sound data >0 string > \0 Title: "%s" 1080 string = M!K! 4-channel Protracker module sound data >0 string > \0 Title: "%s" 1080 string = FLT4 4-channel Startracker module sound data >0 string > \0 Title: "%s" 1080 string = FLT8 8-channel Startracker module sound data >0 string > \0 Title: "%s" 1080 string = 4CHN 4-channel Fasttracker module sound data >0 string > \0 Title: "%s" 1080 string = 6CHN 6-channel Fasttracker module sound data >0 string > \0 Title: "%s" 1080 string = 8CHN 8-channel Fasttracker module sound data >0 string > \0 Title: "%s" 1080 string = CD81 8-channel Octalyser module sound data >0 string > \0 Title: "%s" 1080 string = OKTA 8-channel Oktalyzer module sound data >0 string > \0 Title: "%s" # Not good enough. #1082 string CH #>1080 string >/0 %.2s-channel Fasttracker "oktalyzer" module sound data 1080 string = 16CN 16-channel Taketracker module sound data >0 string > \0 Title: "%s" 1080 string = 32CN 32-channel Taketracker module sound data >0 string > \0 Title: "%s" # TOC sound files -Trevor Johnson # 0 string = TOC TOC sound file # sidfiles # added name,author,(c) and new RSID type by 2003-06-24 0 string = SIDPLAY\ INFOFILE Sidplay info file 0 string = PSID PlaySID v2.2+ (AMIGA) sidtune >4 beshort > 0 w/ header v%d, >14 beshort = 1 single song, >14 beshort > 1 %d songs, >16 beshort > 0 default song: %d >0x16 string > \0 name: "%s" >0x36 string > \0 author: "%s" >0x56 string > \0 copyright: "%s" 0 string = RSID RSID sidtune PlaySID compatible >4 beshort > 0 w/ header v%d, >14 beshort = 1 single song, >14 beshort > 1 %d songs, >16 beshort > 0 default song: %d >0x16 string > \0 name: "%s" >0x36 string > \0 author: "%s" >0x56 string > \0 copyright: "%s" # IRCAM # VAX and MIPS files are little-endian; Sun and NeXT are big-endian 0 belong = 0x64a30100 IRCAM file (VAX) 0 belong = 0x64a30200 IRCAM file (Sun) 0 belong = 0x64a30300 IRCAM file (MIPS little-endian) 0 belong = 0x64a30400 IRCAM file (NeXT) # NIST SPHERE 0 string = NIST_1A\n\ \ \ 1024\n NIST SPHERE file # Sample Vision 0 string = SOUND\ SAMPLE\ DATA\ Sample Vision file # Audio Visual Research 0 string = 2BIT Audio Visual Research file, >12 beshort = 0 mono, >12 beshort = -1 stereo, >14 beshort x - %d bits >16 beshort = 0 unsigned, >16 beshort = -1 signed, >22 belong&0x00ffffff x - %d Hz, >18 beshort = 0 no loop, >18 beshort = -1 loop, #FIXME FTimes - Replaced '<=127' with '<128'. #>21 byte <=127 note %d, >21 byte < 128 note %d, >22 byte = 0 replay 5.485 KHz >22 byte = 1 replay 8.084 KHz >22 byte = 2 replay 10.971 Khz >22 byte = 3 replay 16.168 Khz >22 byte = 4 replay 21.942 KHz >22 byte = 5 replay 32.336 KHz >22 byte = 6 replay 43.885 KHz >22 byte = 7 replay 47.261 KHz # SGI SoundTrack 0 string = _SGI_SoundTrack SGI SoundTrack project file # ID3 version 2 tags 0 string = ID3 MP3 file with ID3 version 2. >3 byte < 0xff \b%d. >4 byte < 0xff \b%d tag # NSF (NES sound file) magic 0 string = NESM\x1a NES Sound File >14 string > \0 ("%s" by >46 string > \0 %s, copyright >78 string > \0 %s), >5 byte x - version %d, >6 byte x - %d tracks, >122 byte&0x2 = 1 dual PAL/NTSC >122 byte&0x1 = 1 PAL >122 byte&0x1 = 0 NTSC # Impulse tracker module (audio/x-it) 0 string = IMPM Impulse Tracker module sound data - >4 string > \0 "%s" >40 leshort != 0 compatible w/ITv%x >42 leshort != 0 created w/ITv%x # Imago Orpheus module (audio/x-imf) 60 string = IM10 Imago Orpheus module sound data - >0 string > \0 "%s" # From # These are the /etc/magic entries to decode modules, instruments, and # samples in Impulse Tracker's native format. 0 string = IMPS Impulse Tracker Sample >18 byte & 2 16 bit >18 byte ^ 2 8 bit >18 byte & 4 stereo >18 byte ^ 4 mono 0 string = IMPI Impulse Tracker Instrument >28 leshort != 0 ITv%x >30 byte != 0 %d samples # Yamaha TX Wave: file(1) magic for Yamaha TX Wave audio files # From 0 string = LM8953 Yamaha TX Wave >22 byte = 0x49 looped >22 byte = 0xC9 non-looped >23 byte = 1 33kHz >23 byte = 2 50kHz >23 byte = 3 16kHz # scream tracker: file(1) magic for Scream Tracker sample files # # From 76 string = SCRS Scream Tracker Sample >0 byte = 1 sample >0 byte = 2 adlib melody >0 byte > 2 adlib drum >31 byte & 2 stereo >31 byte ^ 2 mono >31 byte & 4 16bit little endian >31 byte ^ 4 8bit >30 byte = 0 unpacked >30 byte = 1 packed # audio # From: Cory Dikkers 0 string = MMD0 MED music file, version 0 0 string = MMD1 OctaMED Pro music file, version 1 0 string = MMD3 OctaMED Soundstudio music file, version 3 0 string = OctaMEDCmpr OctaMED Soundstudio compressed file 0 string = MED MED_Song 0 string = SymM Symphonie SymMOD music file # 0 string = THX AHX version >3 byte = 0 1 module data >3 byte = 1 2 module data # 0 string = OKTASONG Oktalyzer module data # 0 string = DIGI\ Booster\ module\0 %s >20 byte > 0 %c >>21 byte > 0 \b%c >>>22 byte > 0 \b%c >>>>23 byte > 0 \b%c >610 string > \0 \b, "%s" # 0 string = DBM0 DIGI Booster Pro Module >4 byte > 0 V%X. >>5 byte x - \b%02X >16 string > \0 \b, "%s" # 0 string = FTMN FaceTheMusic module >16 string > \0d \b, "%s" # From: 2003-06-24 0 string = AMShdr\32 Velvet Studio AMS Module v2.2 0 string = Extreme Extreme Tracker AMS Module v1.3 0 string = DDMF Xtracker DMF Module >4 byte x - v%i >0xD string > \0 Title: "%s" >0x2B string > \0 Composer: "%s" 0 string = DSM\32 Dynamic Studio Module DSM 0 string = SONG DigiTrekker DTM Module 0 string = DMDL DigiTrakker MDL Module 0 string = PSM\32 Protracker Studio PSM Module 44 string = PTMF Poly Tracker PTM Module >0 string > \32 Title: "%s" 0 string = MT20 MadTracker 2.0 Module MT2 0 string = RAD\40by\40REALiTY!! RAD Adlib Tracker Module RAD 0 string = RTMM RTM Module 0x426 string = MaDoKaN96 XMS Adlib Module >0 string > \0 Composer: "%s" 0 string = AMF AMF Module >4 string > \0 Title: "%s" 0 string = MODINFO1 Open Cubic Player Module Inforation MDZ 0 string = Extended\40Instrument: Fast Tracker II Instrument # From: Takeshi Hamasaki # NOA Nancy Codec file 0 string = \210NOA\015\012\032 NOA Nancy Codec Movie file # Yamaha SMAF format 0 string = MMMD Yamaha SMAF file # Sharp Jisaku Melody format for PDC 0 string = \001Sharp\040JisakuMelody SHARP Cell-Phone ringing Melody >20 string = Ver01.00 Ver. 1.00 >>32 byte x - , %d tracks # Free lossless audio codec # From: Przemyslaw Augustyniak 0 string = fLaC FLAC audio bitstream data >4 byte&0x7f > 0 \b, unknown version >4 byte&0x7f = 0 \b # some common bits/sample values >>20 beshort&0x1f0 = 0x030 \b, 4 bit >>20 beshort&0x1f0 = 0x050 \b, 6 bit >>20 beshort&0x1f0 = 0x070 \b, 8 bit >>20 beshort&0x1f0 = 0x0b0 \b, 12 bit >>20 beshort&0x1f0 = 0x0f0 \b, 16 bit >>20 beshort&0x1f0 = 0x170 \b, 24 bit >>20 byte&0xe = 0x0 \b, mono >>20 byte&0xe = 0x2 \b, stereo >>20 byte&0xe = 0x4 \b, 3 channels >>20 byte&0xe = 0x6 \b, 4 channels >>20 byte&0xe = 0x8 \b, 5 channels >>20 byte&0xe = 0xa \b, 6 channels >>20 byte&0xe = 0xc \b, 7 channels >>20 byte&0xe = 0xe \b, 8 channels # some common sample rates >>17 belong&0xfffff0 = 0x0ac440 \b, 44.1 kHz >>17 belong&0xfffff0 = 0x0bb800 \b, 48 kHz >>17 belong&0xfffff0 = 0x07d000 \b, 32 kHz >>17 belong&0xfffff0 = 0x056220 \b, 22.05 kHz >>17 belong&0xfffff0 = 0x05dc00 \b, 24 kHz >>17 belong&0xfffff0 = 0x03e800 \b, 16 kHz >>17 belong&0xfffff0 = 0x02b110 \b, 11.025 kHz >>17 belong&0xfffff0 = 0x02ee00 \b, 12 kHz >>17 belong&0xfffff0 = 0x01f400 \b, 8 kHz >>17 belong&0xfffff0 = 0x177000 \b, 96 kHz >>17 belong&0xfffff0 = 0x0fa000 \b, 64 kHz >>21 byte&0xf > 0 \b, >4G samples >>21 byte&0xf = 0 \b >>>22 belong > 0 \b, %u samples >>>22 belong = 0 \b, length unknown # (ISDN) VBOX voice message file (Wolfram Kleff) 0 string = VBOX VBOX voice message data # ReBorn Song Files (.rbs) # David J. Singer 8 string = RB40 RBS Song file >29 string = ReBorn created by ReBorn >37 string = Propellerhead created by ReBirth # Synthesizer Generator and Kimwitu share their file format 0 string = A#S#C#S#S#L#V#3 Synthesizer Generator or Kimwitu data # Kimwitu++ uses a slightly different magic 0 string = A#S#C#S#S#L#HUB Kimwitu++ data # From "Simon Hosie 0 string = TFMX-SONG TFMX module sound data # Monkey's Audio compressed audio format (.ape) # From danny.milo@gmx.net (Danny Milosavljevic) # New version from Abel Cheung 0 string = MAC\040 Monkey's Audio compressed format >4 leshort > 0x0F8B version %d >>(0x08.l) leshort = 1000 with fast compression >>(0x08.l) leshort = 2000 with normal compression >>(0x08.l) leshort = 3000 with high compression >>(0x08.l) leshort = 4000 with extra high compression >>(0x08.l) leshort = 5000 with insane compression >>(0x08.l+18) leshort = 1 \b, mono >>(0x08.l+18) leshort = 2 \b, stereo >>(0x08.l+20) lelong x - \b, sample rate %d >4 leshort < 0x0F8C version %d >>6 leshort = 1000 with fast compression >>6 leshort = 2000 with normal compression >>6 leshort = 3000 with high compression >>6 leshort = 4000 with extra high compression >>6 leshort = 5000 with insane compression >>10 leshort = 1 \b, mono >>10 leshort = 2 \b, stereo >>12 lelong x - \b, sample rate %d # adlib sound files # From Gürkan Sengün , http://www.linuks.mine.nu 0 string = RAWADATA RdosPlay RAW 1068 string = RoR AMUSIC Adlib Tracker 0 string = JCH EdLib 0 string = mpu401tr MPU-401 Trakker 0 string = SAdT Surprise! Adlib Tracker >4 byte x - Version %d 0 string = XAD! eXotic ADlib 0 string = ofTAZ! eXtra Simple Music # Spectrum 128 tunes (.ay files). # From: Emanuel Haupt 0 string = ZXAYEMUL Spectrum 128 tune # From: Alex Beregszaszi 0 string = MP+ Musepack >3 byte&0x0f x - SV%d 0 string = \0BONK BONK, #>5 byte x version %d >14 byte x - %d channel(s), >15 byte = 1 lossless, >15 byte = 0 lossy, >16 byte x - mid-side 384 string = LockStream LockStream Embedded file (mostly MP3 on old Nokia phones) # format VQF (proprietary codec for sound) # some infos on the header file available at : # http://www.twinvq.org/english/technology_format.html 0 string = TWIN97012000 VQF data >27 short = 0 \b, Mono >27 short = 1 \b, Stereo >31 short > 0 \b, %d kbit/s >35 short > 0 \b, %d kHz # Nelson A. de Oliveira (naoliv@gmail.com) # .eqf 0 string = Winamp\ EQ\ library\ file %s # it will match only versions like v. # Since I saw only eqf files with version v1.1 I think that it's OK >23 string x - \b%.4s # .preset 0 string = \[Equalizer\ preset\] XMMS equalizer preset # .m3u 0 string = \#EXTM3U M3U playlist # .pls 0 string = \[playlist\] PLS playlist # licq.conf 1 string = \[licq\] LICQ configuration file #---------------------------------------------------------------- # basis: file(1) magic for BBx/Pro5-files # Oliver Dammer 2005/11/07 # http://www.basis.com business-basic-files. # 0 string = \074\074bbx\076\076 BBx >7 string = \000 indexed file >7 string = \001 serial file >7 string = \002 keyed file >>13 short = 0 (sort) >7 string = \004 program >>18 byte x - (LEVEL %d) >>>23 string > \000 psaved >7 string = \006 mkeyed file >>13 short = 0 (sort) >>8 string = \000 (mkey) #------------------------------------------------------------------------------ # bFLT: file(1) magic for BFLT uclinux binary files # # From Philippe De Muyter # 0 string = bFLT BFLT executable >4 belong x - - version %ld >4 belong = 4 >>36 belong&0x1 = 0x1 ram >>36 belong&0x2 = 0x2 gotpic >>36 belong&0x4 = 0x4 gzip >>36 belong&0x8 = 0x8 gzdata #------------------------------------------------------------------------------ # blender: file(1) magic for Blender 3D data files # # Coded by Guillermo S. Romero using the # data from Ton Roosendaal . Ton or his company do not # support the rule, so mail GSR if problems with it. Rule version: 1.1. # You can get latest version with comments and details about the format # at http://acd.asoc.euitt.upm.es/~gsromero/3d/blender/magic.blender 0 string = BLENDER Blender3D, >7 string = _ saved as 32-bits >7 string = - saved as 64-bits >8 string = v little endian >8 string = V big endian >9 byte x - with version %c. >10 byte x - \b%c >11 byte x - \b%c #------------------------------------------------------------------------------ # blit: file(1) magic for 68K Blit stuff as seen from 680x0 machine # # Note that this 0407 conflicts with several other a.out formats... # # XXX - should this be redone with "be" and "le", so that it works on # little-endian machines as well? If so, what's the deal with # "VAX-order" and "VAX-order2"? # #0 long 0407 68K Blit (standalone) executable #0 short 0407 VAX-order2 68K Blit (standalone) executable 0 short = 03401 VAX-order 68K Blit (standalone) executable 0 long = 0406 68k Blit mpx/mux executable 0 short = 0406 VAX-order2 68k Blit mpx/mux executable 0 short = 03001 VAX-order 68k Blit mpx/mux executable # Need more values for WE32 DMD executables. # Note that 0520 is the same as COFF #0 short 0520 tty630 layers executable # # i80960 b.out objects and archives # 0 long = 0x10d i960 b.out relocatable object >16 long > 0 not stripped # # b.out archive (hp-rt on i960) 0 string = ! b.out archive >8 string = __.SYMDEF random library #------------------------------------------------------------------------------ # bsdi: file(1) magic for BSD/OS (from BSDI) objects # 0 lelong = 0314 386 compact demand paged pure executable >16 lelong > 0 not stripped >32 byte = 0x6a (uses shared libs) 0 lelong = 0407 386 executable >16 lelong > 0 not stripped >32 byte = 0x6a (uses shared libs) 0 lelong = 0410 386 pure executable >16 lelong > 0 not stripped >32 byte = 0x6a (uses shared libs) 0 lelong = 0413 386 demand paged pure executable >16 lelong > 0 not stripped >32 byte = 0x6a (uses shared libs) # same as in SunOS 4.x, except for static shared libraries 0 belong&077777777 = 0600413 sparc demand paged >0 byte & 0x80 >>20 belong < 4096 shared library >>20 belong = 4096 dynamically linked executable >>20 belong > 4096 dynamically linked executable >0 byte ^ 0x80 executable >16 belong > 0 not stripped >36 belong = 0xb4100001 (uses shared libs) 0 belong&077777777 = 0600410 sparc pure >0 byte & 0x80 dynamically linked executable >0 byte ^ 0x80 executable >16 belong > 0 not stripped >36 belong = 0xb4100001 (uses shared libs) 0 belong&077777777 = 0600407 sparc >0 byte & 0x80 dynamically linked executable >0 byte ^ 0x80 executable >16 belong > 0 not stripped >36 belong = 0xb4100001 (uses shared libs) #------------------------------------------------------------------------------ # BTSnoop: file(1) magic for BTSnoop files # # From 0 string = btsnoop\0 BTSnoop >8 belong x - version %d, >12 belong = 1001 Unencapsulated HCI >12 belong = 1002 HCI UART (H4) >12 belong = 1003 HCI BCSP >12 belong = 1004 HCI Serial (H5) >>12 belong x - type %d #------------------------------------------------------------------------------ # autocad: file(1) magic for cad files # # AutoCAD DWG versions R13/R14 (www.autodesk.com) # Written December 01, 2003 by Lester Hightower # Based on the DWG File Format Specifications at http://www.opendwg.org/ 0 string = \101\103\061\060\061 AutoCAD >5 string = \062\000\000\000\000 DWG ver. R13 >5 string = \064\000\000\000\000 DWG ver. R14 # Microstation DGN/CIT Files (www.bentley.com) # Last updated July 29, 2005 by Lester Hightower # DGN is the default file extension of Microstation/Intergraph CAD files. # CIT is the proprietary raster format (similar to TIFF) used to attach # raster underlays to Microstation DGN (vector) drawings. # # http://www.wotsit.org/search.asp # http://filext.com/detaillist.php?extdetail=DGN # http://filext.com/detaillist.php?extdetail=CIT # # http://www.bentley.com/products/default.cfm?objectid=97F351F5-9C35-4E5E-89C2 # 3F86C928&method=display&p_objectid=97F351F5-9C35-4E5E-89C280A93F86C928 # http://www.bentley.com/products/default.cfm?objectid=A5C2FD43-3AC9-4C71-B682 # 721C479F&method=display&p_objectid=A5C2FD43-3AC9-4C71-B682C7BE721C479F 0 string = \010\011\376 Microstation >3 string = \002 >>30 string = \026\105 DGNFile >>30 string = \034\105 DGNFile >>30 string = \073\107 DGNFile >>30 string = \073\110 DGNFile >>30 string = \106\107 DGNFile >>30 string = \110\103 DGNFile >>30 string = \120\104 DGNFile >>30 string = \172\104 DGNFile >>30 string = \172\105 DGNFile >>30 string = \234\106 DGNFile >>30 string = \273\105 DGNFile >>30 string = \306\106 DGNFile >>30 string = \310\104 DGNFile >>30 string = \341\104 DGNFile >>30 string = \372\103 DGNFile >>30 string = \372\104 DGNFile >>30 string = \372\106 DGNFile >>30 string = \376\103 DGNFile >4 string = \030\000\000 CITFile >4 string = \030\000\003 CITFile # AutoCad, from Nahuel Greco # AutoCAD DWG versions R12/R13/R14 (www.autodesk.com) 0 string = AC1012 AutoCad (release 12) 0 string = AC1013 AutoCad (release 13) 0 string = AC1014 AutoCad (release 14) #------------------------------------------------------------------------------ # c-lang: file(1) magic for C programs (or REXX) # # XPM icons (Greg Roelofs, newt@uchicago.edu) # if you uncomment "/*" for C/REXX below, also uncomment this entry #0 string /*\ XPM\ */ X pixmap image data # this first will upset you if you're a PL/1 shop... # in which case rm it; ascmagic will catch real C programs #0 string /* C or REXX program text #0 string // C++ program text # From: Mikhail Teterin 0 string = cscope cscope reference data >7 string x - version %.2s # We skip the path here, because it is often long (so file will # truncate it) and mostly redundant. # The inverted index functionality was added some time betwen # versions 11 and 15, so look for -q if version is above 14: >7 string > 14 #FIXME FTimes -- Converted from regex to regexp. #>>10 regex = .+\ -q\ with inverted index #>10 regex = .+\ -c\ text (non-compressed) >>10 regexp =~ .+[\x20]-q[\x20] with inverted index >10 regexp =~ .+[\x20]-c[\x20] text (non-compressed) #------------------------------------------------------------------------------ # c64: file(1) magic for various commodore 64 related files # # From: Dirk Jagdmann 0x16500 belong = 0x12014100 D64 Image 0x16500 belong = 0x12014180 D71 Image 0x61800 belong = 0x28034400 D81 Image 0 string = C64\40CARTRIDGE CCS C64 Emultar Cartridge Image 0 belong = 0x43154164 X64 Image 0 string = GCR-1541 GCR Image >8 byte x - version: %i >9 byte x - tracks: %i 9 string = PSUR ARC archive (c64) 2 string = -LH1- LHA archive (c64) 0 string = C64File PC64 Emulator file >8 string > \0 "%s" 0 string = C64Image PC64 Freezer Image 0 beshort = 0x38CD C64 PCLink Image 0 string = CBM\144\0\0 Power 64 C64 Emulator Snapshot 0 belong = 0xFF424CFF WRAptor packer (c64) 0 string = C64S\x20tape\x20file T64 tape Image >32 leshort x - Version:0x%x >36 leshort != 0 Entries:%i >40 string x - Name:%.24s 0 string = C64\x20tape\x20image\x20file\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0 T64 tape Image >32 leshort x - Version:0x%x >36 leshort != 0 Entries:%i >40 string x - Name:%.24s 0 string = C64S\x20tape\x20image\x20file\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0 T64 tape Image >32 leshort x - Version:0x%x >36 leshort != 0 Entries:%i >40 string x - Name:%.24s #------------------------------------------------------------------------------ # CDDB: file(1) magic for CDDB(tm) format CD text data files # # From # # This is the /etc/magic entry to decode datafiles as used by # CDDB-enabled CD player applications. # #FIXME FTimes -- Replaced string test with an equivalent regexp test. #0 string/b = #\040xmcd CDDB(tm) format CD text data 0 regexp =~ ^#[\x20]+xmcd CDDB(tm) format CD text data #------------------------------------------------------------------------------ # chord: file(1) magic for Chord music sheet typesetting utility input files # # From Philippe De Muyter # File format is actually free, but many distributed files begin with `{title' # 0 string = {title Chord text file #------------------------------------------------------------------------------ # cisco: file(1) magic for cisco Systems routers # # Most cisco file-formats are covered by the generic elf code # # Microcode files are non-ELF, 0x8501 conflicts with NetBSD/alpha. 0 belong&0xffffff00 = 0x85011400 cisco IOS microcode >7 string > \0 for '%s' 0 belong&0xffffff00 = 0x8501cb00 cisco IOS experimental microcode >7 string > \0 for '%s' #------------------------------------------------------------------------------ # citrus locale declaration # 0 string = RuneCT Citrus locale declaration for LC_CTYPE #------------------------------------------------------------------------------ # claris: file(1) magic for claris # "H. Nanosecond" # Claris Works a word processor, etc. # Version 3.0 # .pct claris works clip art files #0000000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 #* #0001000 #010 250 377 377 377 377 000 213 000 230 000 021 002 377 014 000 #null to byte 1000 octal 514 string = \377\377\377\377\000 Claris clip art? >0 string = \0\0\0\0\0\0\0\0\0\0\0\0\0 yes. 514 string = \377\377\377\377\001 Claris clip art? >0 string = \0\0\0\0\0\0\0\0\0\0\0\0\0 yes. # Claris works files # .cwk 0 string = \002\000\210\003\102\117\102\117\000\001\206 Claris works document # .plt 0 string = \020\341\000\000\010\010 Claris Works pallete files .plt # .msp a dictionary file I am not sure about this I have only one .msp file 0 string = \002\271\262\000\040\002\000\164 Claris works dictionary # .usp are user dictionary bits # I am not sure about a magic header: #0000000 001 123 160 146 070 125 104 040 136 123 015 012 160 157 144 151 # soh S p f 8 U D sp ^ S cr nl p o d i #0000020 141 164 162 151 163 164 040 136 123 015 012 144 151 166 040 043 # a t r i s t sp ^ S cr nl d i v sp # # .mth Thesaurus # starts with \0 but no magic header # .chy Hyphenation file # I am not sure: 000 210 034 000 000 # other claris files #./windows/claris/useng.ndx: data #./windows/claris/xtndtran.l32: data #./windows/claris/xtndtran.lst: data #./windows/claris/clworks.lbl: data #./windows/claris/clworks.prf: data #./windows/claris/userd.spl: data #------------------------------------------------------------------------------ # clipper: file(1) magic for Intergraph (formerly Fairchild) Clipper. # # XXX - what byte order does the Clipper use? # # XXX - what's the "!" stuff: # # >18 short !074000,000000 C1 R1 # >18 short !074000,004000 C2 R1 # >18 short !074000,010000 C3 R1 # >18 short !074000,074000 TEST # # I shall assume it's ANDing the field with the first value and # comparing it with the second, and rewrite it as: # # >18 short&074000 000000 C1 R1 # >18 short&074000 004000 C2 R1 # >18 short&074000 010000 C3 R1 # >18 short&074000 074000 TEST # # as SVR3.1's "file" doesn't support anything of the "!074000,000000" # sort, nor does SunOS 4.x, so either it's something Intergraph added # in CLIX, or something AT&T added in SVR3.2 or later, or something # somebody else thought was a good idea; it's not documented in the # man page for this version of "magic", nor does it appear to be # implemented (at least not after I blew off the bogus code to turn # old-style "&"s into new-style "&"s, which just didn't work at all). # 0 short = 0575 CLIPPER COFF executable (VAX #) >20 short = 0407 (impure) >20 short = 0410 (5.2 compatible) >20 short = 0411 (pure) >20 short = 0413 (demand paged) >20 short = 0443 (target shared library) >12 long > 0 not stripped >22 short > 0 - version %ld 0 short = 0577 CLIPPER COFF executable >18 short&074000 = 000000 C1 R1 >18 short&074000 = 004000 C2 R1 >18 short&074000 = 010000 C3 R1 >18 short&074000 = 074000 TEST >20 short = 0407 (impure) >20 short = 0410 (pure) >20 short = 0411 (separate I&D) >20 short = 0413 (paged) >20 short = 0443 (target shared library) >12 long > 0 not stripped >22 short > 0 - version %ld >48 long&01 = 01 alignment trap enabled >52 byte = 1 -Ctnc >52 byte = 2 -Ctsw >52 byte = 3 -Ctpw >52 byte = 4 -Ctcb >53 byte = 1 -Cdnc >53 byte = 2 -Cdsw >53 byte = 3 -Cdpw >53 byte = 4 -Cdcb >54 byte = 1 -Csnc >54 byte = 2 -Cssw >54 byte = 3 -Cspw >54 byte = 4 -Cscb 4 string = pipe CLIPPER instruction trace 4 string = prof CLIPPER instruction profile #------------------------------------------------------------------------------ # cracklib: file (1) magic for cracklib v2.7 0 lelong = 0x70775631 Cracklib password index, little endian >4 long > 0 (%i words) >4 long = 0 ("64-bit") >>8 long > -1 (%i words) 0 belong = 0x70775631 Cracklib password index, big endian >4 belong > -1 (%i words) # really bellong 0x0000000070775631 4 belong = 0x70775631 Cracklib password index, big endian ("64-bit") >12 belong > 0 (%i words) #------------------------------------------------------------------------------ # spec: file(1) magic for SPEC raw results (*.raw, *.rsf) # # Cloyce D. Spradling 0 string = spec SPEC >4 string = .cpu CPU >>8 string < : \b%.4s >>12 string = . raw result text 17 string = version=SPECjbb SPECjbb >32 string < : \b%.4s >>37 string < : v%.4s raw result text 0 string = BEGIN\040SPECWEB SPECweb >13 string < : \b%.2s >>15 string = _SSL \b_SSL >>>20 string < : v%.4s raw result text >>16 string < : v%.4s raw result text #------------------------------------------------------------------------------ # commands: file(1) magic for various shells and interpreters # #FIXME FTimes -- Weak magic. #0 string = : shell archive or script for antique kernel text #FIXME FTimes -- Replaced string tests with an equivalent regexp test. # We lose the full script name in the process, but it's # superfluous anyway. #0 string/b = #!\ /bin/sh Bourne shell script text executable #0 string/b = #!\ /bin/csh C shell script text executable ## korn shell magic, sent by George Wu, gwu@clyde.att.com #0 string/b = #!\ /bin/ksh Korn shell script text executable #0 string/b = #!\ /bin/tcsh Tenex C shell script text executable #0 string/b = #!\ /usr/local/tcsh Tenex C shell script text executable #0 string/b = #!\ /usr/local/bin/tcsh Tenex C shell script text executable # ## ## zsh/ash/ae/nawk/gawk magic from cameron@cs.unsw.oz.au (Cameron Simpson) #0 string/b = #!\ /bin/zsh Paul Falstad's zsh script text executable #0 string/b = #!\ /usr/bin/zsh Paul Falstad's zsh script text executable #0 string/b = #!\ /usr/local/bin/zsh Paul Falstad's zsh script text executable #0 string/b = #!\ /usr/local/bin/ash Neil Brown's ash script text executable #0 string/b = #!\ /usr/local/bin/ae Neil Brown's ae script text executable #0 string/b = #!\ /bin/nawk new awk script text executable #0 string/b = #!\ /usr/bin/nawk new awk script text executable #0 string/b = #!\ /usr/local/bin/nawk new awk script text executable #0 string/b = #!\ /bin/gawk GNU awk script text executable #0 string/b = #!\ /usr/bin/gawk GNU awk script text executable #0 string/b = #!\ /usr/local/bin/gawk GNU awk script text executable ## #0 string/b = #!\ /bin/awk awk script text executable #0 string/b = #!\ /usr/bin/awk awk script text executable #FIXME FTimes -- This test will be referred to as "script magic". 0 regexp =~ ^#![\x20\t]*((?:/usr(?:/local)?)?/bin/(?:ae|(?:[ackz]|ba|tc|wi)?sh|[gn]?awk|perl|php|python|rc)) %s script # update to distinguish from *.vcf files #FIXME FTimes -- Converted from regex to regexp. #0 regex = BEGIN[[:space:]]*[{] awk script text 0 regexp =~ BEGIN\s*[{] awk script text # AT&T Bell Labs' Plan 9 shell #FIXME FTimes -- This is covered by script magic. #0 string/b = #!\ /bin/rc Plan 9 rc shell script text executable #FIXME FTimes -- This is covered by script magic. ## bash shell magic, from Peter Tobias (tobias@server.et-inf.fho-emden.de) #0 string/b = #!\ /bin/bash Bourne-Again shell script text executable #0 string/b = #!\ /usr/local/bin/bash Bourne-Again shell script text executable # using env 0 string = #!/usr/bin/env a >15 string > \0 %s script text executable 0 string = #!\ /usr/bin/env a >16 string > \0 %s script text executable # PHP scripts # Ulf Harnhammar 0 regexp =~ (?i)(. 0 string = $Suite TTCN Abstract Test Suite >&1 string = $SuiteId >>&1 string > \n %s >&2 string = $SuiteId >>&1 string > \n %s >&3 string = $SuiteId >>&1 string > \n %s # MSC (message sequence charts) are a formal description technique, # described in ITU-T Z.120, mainly used for communication protocols. # Added by W. Borgert . 0 string = mscdocument Message Sequence Chart (document) 0 string = msc Message Sequence Chart (chart) 0 string = submsc Message Sequence Chart (subchart) #------------------------------------------------------------------------------ # compress: file(1) magic for pure-compression formats (no archives) # # compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, etc. # # Formats for various forms of compressed data # Formats for "compress" proper have been moved into "compress.c", # because it tries to uncompress it to figure out what's inside. # standard unix compress 0 string = \037\235 compress'd data >2 byte&0x80 > 0 block compressed >2 byte&0x1f x - %d bits # gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver) # Edited by Chris Chittleborough , March 2002 # * Original filename is only at offset 10 if "extra field" absent # * Produce shorter output - notably, only report compression methods # other than 8 ("deflate", the only method defined in RFC 1952). 0 string = \037\213 gzip compressed data >2 byte < 8 \b, reserved method >2 byte > 8 \b, unknown method >3 byte & 0x01 \b, ASCII >3 byte & 0x02 \b, has CRC >3 byte & 0x04 \b, extra field >3 byte&0xC = 0x08 >>10 string x - \b, was "%s" >3 byte & 0x10 \b, has comment >9 byte = 0x00 \b, from FAT filesystem (MS-DOS, OS/2, NT) >9 byte = 0x01 \b, from Amiga >9 byte = 0x02 \b, from VMS >9 byte = 0x03 \b, from Unix >9 byte = 0x04 \b, from VM/CMS >9 byte = 0x05 \b, from Atari >9 byte = 0x06 \b, from HPFS filesystem (OS/2, NT) >9 byte = 0x07 \b, from MacOS >9 byte = 0x08 \b, from Z-System >9 byte = 0x09 \b, from CP/M >9 byte = 0x0A \b, from TOPS/20 >9 byte = 0x0B \b, from NTFS filesystem (NT) >9 byte = 0x0C \b, from QDOS >9 byte = 0x0D \b, from Acorn RISCOS >3 byte & 0x10 \b, comment >3 byte & 0x20 \b, encrypted >4 ledate > 0 \b, last modified: %s >8 byte = 2 \b, max compression >8 byte = 4 \b, max speed # packed data, Huffman (minimum redundancy) codes on a byte-by-byte basis 0 string = \037\036 packed data >2 belong > 1 \b, %d characters originally >2 belong = 1 \b, %d character originally # # This magic number is byte-order-independent. 0 short = 0x1f1f old packed data # XXX - why *two* entries for "compacted data", one of which is # byte-order independent, and one of which is byte-order dependent? # 0 short = 0x1fff compacted data # This string is valid for SunOS (BE) and a matching "short" is listed # in the Ultrix (LE) magic file. 0 string = \377\037 compacted data 0 short = 0145405 huf output # bzip2 0 string = BZh bzip2 compressed data >3 byte > 47 \b, block size = %c00k # squeeze and crunch # Michael Haardt 0 beshort = 0x76FF squeezed data, >4 string x - original name %s 0 beshort = 0x76FE crunched data, >2 string x - original name %s 0 beshort = 0x76FD LZH compressed data, >2 string x - original name %s # Freeze 0 string = \037\237 frozen file 2.1 0 string = \037\236 frozen file 1.0 (or gzip 0.5) # SCO compress -H (LZH) 0 string = \037\240 SCO compress -H (LZH) data # European GSM 06.10 is a provisional standard for full-rate speech # transcoding, prI-ETS 300 036, which uses RPE/LTP (residual pulse # excitation/long term prediction) coding at 13 kbit/s. # # There's only a magic nibble (4 bits); that nibble repeats every 33 # bytes. This isn't suited for use, but maybe we can use it someday. # # This will cause very short GSM files to be declared as data and # mismatches to be declared as data too! #0 byte&0xF0 0xd0 data #>33 byte&0xF0 0xd0 #>66 byte&0xF0 0xd0 #>99 byte&0xF0 0xd0 #>132 byte&0xF0 0xd0 GSM 06.10 compressed audio # bzip a block-sorting file compressor # by Julian Seward and others # 0 string = BZ bzip compressed data >2 byte x - \b, version: %c >3 string = 1 \b, compression block size 100k >3 string = 2 \b, compression block size 200k >3 string = 3 \b, compression block size 300k >3 string = 4 \b, compression block size 400k >3 string = 5 \b, compression block size 500k >3 string = 6 \b, compression block size 600k >3 string = 7 \b, compression block size 700k >3 string = 8 \b, compression block size 800k >3 string = 9 \b, compression block size 900k # lzop from 0 string = \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a lzop compressed data >9 beshort < 0x0940 >>9 byte&0xf0 = 0x00 - version 0. >>9 beshort&0x0fff x - \b%03x, >>13 byte = 1 LZO1X-1, >>13 byte = 2 LZO1X-1(15), >>13 byte = 3 LZO1X-999, ## >>22 bedate >0 last modified: %s, >>14 byte = 0x00 os: MS-DOS >>14 byte = 0x01 os: Amiga >>14 byte = 0x02 os: VMS >>14 byte = 0x03 os: Unix >>14 byte = 0x05 os: Atari >>14 byte = 0x06 os: OS/2 >>14 byte = 0x07 os: MacOS >>14 byte = 0x0A os: Tops/20 >>14 byte = 0x0B os: WinNT >>14 byte = 0x0E os: Win32 >9 beshort > 0x0939 >>9 byte&0xf0 = 0x00 - version 0. >>9 byte&0xf0 = 0x10 - version 1. >>9 byte&0xf0 = 0x20 - version 2. >>9 beshort&0x0fff x - \b%03x, >>15 byte = 1 LZO1X-1, >>15 byte = 2 LZO1X-1(15), >>15 byte = 3 LZO1X-999, ## >>25 bedate >0 last modified: %s, >>17 byte = 0x00 os: MS-DOS >>17 byte = 0x01 os: Amiga >>17 byte = 0x02 os: VMS >>17 byte = 0x03 os: Unix >>17 byte = 0x05 os: Atari >>17 byte = 0x06 os: OS/2 >>17 byte = 0x07 os: MacOS >>17 byte = 0x0A os: Tops/20 >>17 byte = 0x0B os: WinNT >>17 byte = 0x0E os: Win32 # 4.3BSD-Quasijarus Strong Compression # http://minnie.tuhs.org/Quasijarus/compress.html 0 string = \037\241 Quasijarus strong compressed data # From: Cory Dikkers 0 string = XPKF Amiga xpkf.library compressed data 0 string = PP11 Power Packer 1.1 compressed data 0 string = PP20 Power Packer 2.0 compressed data, >4 belong = 0x09090909 fast compression >4 belong = 0x090A0A0A mediocre compression >4 belong = 0x090A0B0B good compression >4 belong = 0x090A0C0C very good compression >4 belong = 0x090A0C0D best compression # 7-zip archiver, from Thomas Klausner (wiz@danbala.tuwien.ac.at) # http://www.7-zip.org or DOC/7zFormat.txt # 0 string = 7z\274\257\047\034 7-zip archive data, >6 byte x - version %d >7 byte x - \b.%d # AFX compressed files (Wolfram Kleff) 2 string = -afx- AFX compressed file data # Supplementary magic data for the file(1) command to support # rzip(1). The format is described in magic(5). # # Copyright (C) 2003 by Andrew Tridgell. You may do whatever you want with # this file. # 0 string = RZIP rzip compressed data >4 byte x - - version %d >5 byte x - \b.%d >6 belong x - (%d bytes) #------------------------------------------------------------------------------ # Console game magic # Toby Deshane # ines: file(1) magic for Marat's iNES Nintendo Entertainment System # ROM dump format 0 string = NES\032 iNES ROM dump, >4 byte x - %dx16k PRG >5 byte x - \b, %dx8k CHR >6 byte&0x01 = 0x1 \b, [Vert.] >6 byte&0x01 = 0x0 \b, [Horiz.] >6 byte&0x02 = 0x2 \b, [SRAM] >6 byte&0x04 = 0x4 \b, [Trainer] >6 byte&0x04 = 0x8 \b, [4-Scr] #------------------------------------------------------------------------------ # gameboy: file(1) magic for the Nintendo (Color) Gameboy raw ROM format # 0x104 belong = 0xCEED6666 Gameboy ROM: >0x134 string > \0 "%.16s" >0x146 byte = 0x03 \b,[SGB] >0x147 byte = 0x00 \b, [ROM ONLY] >0x147 byte = 0x01 \b, [ROM+MBC1] >0x147 byte = 0x02 \b, [ROM+MBC1+RAM] >0x147 byte = 0x03 \b, [ROM+MBC1+RAM+BATT] >0x147 byte = 0x05 \b, [ROM+MBC2] >0x147 byte = 0x06 \b, [ROM+MBC2+BATTERY] >0x147 byte = 0x08 \b, [ROM+RAM] >0x147 byte = 0x09 \b, [ROM+RAM+BATTERY] >0x147 byte = 0x0B \b, [ROM+MMM01] >0x147 byte = 0x0C \b, [ROM+MMM01+SRAM] >0x147 byte = 0x0D \b, [ROM+MMM01+SRAM+BATT] >0x147 byte = 0x0F \b, [ROM+MBC3+TIMER+BATT] >0x147 byte = 0x10 \b, [ROM+MBC3+TIMER+RAM+BATT] >0x147 byte = 0x11 \b, [ROM+MBC3] >0x147 byte = 0x12 \b, [ROM+MBC3+RAM] >0x147 byte = 0x13 \b, [ROM+MBC3+RAM+BATT] >0x147 byte = 0x19 \b, [ROM+MBC5] >0x147 byte = 0x1A \b, [ROM+MBC5+RAM] >0x147 byte = 0x1B \b, [ROM+MBC5+RAM+BATT] >0x147 byte = 0x1C \b, [ROM+MBC5+RUMBLE] >0x147 byte = 0x1D \b, [ROM+MBC5+RUMBLE+SRAM] >0x147 byte = 0x1E \b, [ROM+MBC5+RUMBLE+SRAM+BATT] >0x147 byte = 0x1F \b, [Pocket Camera] >0x147 byte = 0xFD \b, [Bandai TAMA5] >0x147 byte = 0xFE \b, [Hudson HuC-3] >0x147 byte = 0xFF \b, [Hudson HuC-1] >0x148 byte = 0 \b, ROM: 256Kbit >0x148 byte = 1 \b, ROM: 512Kbit >0x148 byte = 2 \b, ROM: 1Mbit >0x148 byte = 3 \b, ROM: 2Mbit >0x148 byte = 4 \b, ROM: 4Mbit >0x148 byte = 5 \b, ROM: 8Mbit >0x148 byte = 6 \b, ROM: 16Mbit >0x148 byte = 0x52 \b, ROM: 9Mbit >0x148 byte = 0x53 \b, ROM: 10Mbit >0x148 byte = 0x54 \b, ROM: 12Mbit >0x149 byte = 1 \b, RAM: 16Kbit >0x149 byte = 2 \b, RAM: 64Kbit >0x149 byte = 3 \b, RAM: 128Kbit >0x149 byte = 4 \b, RAM: 1Mbit #>0x14e long x \b, CRC: %x #------------------------------------------------------------------------------ # genesis: file(1) magic for the Sega MegaDrive/Genesis raw ROM format # 0x100 string = SEGA Sega MegaDrive/Genesis raw ROM dump >0x120 string > \0 Name: "%.16s" >0x110 string > \0 %.16s >0x1B0 string = RA with SRAM #------------------------------------------------------------------------------ # genesis: file(1) magic for the Super MegaDrive ROM dump format # 0x280 string = EAGN Super MagicDrive ROM dump >0 byte x - %dx16k blocks >2 byte = 0 \b, last in series or standalone >2 byte > 0 \b, split ROM >8 byte = 0xAA >9 byte = 0xBB #------------------------------------------------------------------------------ # genesis: file(1) alternate magic for the Super MegaDrive ROM dump format # 0x280 string = EAMG Super MagicDrive ROM dump >0 byte x - %dx16k blocks >2 byte x - \b, last in series or standalone >8 byte = 0xAA >9 byte = 0xBB #------------------------------------------------------------------------------ # smsgg: file(1) magic for Sega Master System and Game Gear ROM dumps # # Does not detect all images. Very preliminary guesswork. Need more data # on format. # # FIXME: need a little more info...;P # #0 byte 0xF3 #>1 byte 0xED Sega Master System/Game Gear ROM dump #>1 byte 0x31 Sega Master System/Game Gear ROM dump #>1 byte 0xDB Sega Master System/Game Gear ROM dump #>1 byte 0xAF Sega Master System/Game Gear ROM dump #>1 byte 0xC3 Sega Master System/Game Gear ROM dump #------------------------------------------------------------------------------ # dreamcast: file(1) uncertain magic for the Sega Dreamcast VMU image format # 0 belong = 0x21068028 Sega Dreamcast VMU game image 0 string = LCDi Dream Animator file #------------------------------------------------------------------------------ # v64: file(1) uncertain magic for the V64 format N64 ROM dumps # 0 belong = 0x37804012 V64 Nintendo 64 ROM dump #------------------------------------------------------------------------------ # msx: file(1) magic for MSX game cartridge dumps # Too simple - MPi #0 beshort 0x4142 MSX game cartridge dump #------------------------------------------------------------------------------ # Sony Playstation executables (Adam Sjoegren ) : 0 string = PS-X\ EXE Sony Playstation executable # Area: >113 string x - (%s) #------------------------------------------------------------------------------ # Microsoft Xbox executables .xbe (Esa Hyytiä ) 0 string = XBEH XBE, Microsoft Xbox executable # probabilistic checks whether signed or not >0x0004 lelong = 0x0 >>&2 lelong = 0x0 >>>&2 lelong = 0x0 \b, not signed >0x0004 lelong > 0 >>&2 lelong > 0 >>>&2 lelong > 0 \b, signed # expect base address of 0x10000 >0x0104 lelong = 0x10000 >>(0x0118-0x0FF60) lelong&0x80000007 = 0x80000007 \b, all regions >>(0x0118-0x0FF60) lelong&0x80000007 != 0x80000007 >>>(0x0118-0x0FF60) lelong > 0 (regions: >>>>(0x0118-0x0FF60) lelong & 0x00000001 NA >>>>(0x0118-0x0FF60) lelong & 0x00000002 Japan >>>>(0x0118-0x0FF60) lelong & 0x00000004 Rest_of_World >>>>(0x0118-0x0FF60) lelong & 0x80000000 Manufacturer >>>(0x0118-0x0FF60) lelong > 0 \b) # -------------------------------- # Microsoft Xbox data file formats 0 string = XIP0 XIP, Microsoft Xbox data 0 string = XTF0 XTF, Microsoft Xbox data # Atari Lynx cartridge dump (EXE/BLL header) # From: "Stefan A. Haubenthal" 0 beshort = 0x8008 Lynx cartridge, >2 beshort x - RAM start $%04x >6 string = BS93 # Opera file system that is used on the 3DO console # From: Serge van den Boom 0 string = \x01ZZZZZ\x01 3DO "Opera" file system #------------------------------------------------------------------------------ # convex: file(1) magic for Convex boxes # # Convexes are big-endian. # # /*\ # * Below are the magic numbers and tests added for Convex. # * Added at beginning, because they are expected to be used most. # \*/ 0 belong = 0507 Convex old-style object >16 belong > 0 not stripped 0 belong = 0513 Convex old-style demand paged executable >16 belong > 0 not stripped 0 belong = 0515 Convex old-style pre-paged executable >16 belong > 0 not stripped 0 belong = 0517 Convex old-style pre-paged, non-swapped executable >16 belong > 0 not stripped 0 belong = 0x011257 Core file # # The following are a series of dump format magic numbers. Each one # corresponds to a drastically different dump format. The first on is # the original dump format on a 4.1 BSD or earlier file system. The # second marks the change between the 4.1 file system and the 4.2 file # system. The Third marks the changing of the block size from 1K # to 2K to be compatible with an IDC file system. The fourth indicates # a dump that is dependent on Convex Storage Manager, because data in # secondary storage is not physically contained within the dump. # The restore program uses these number to determine how the data is # to be extracted. # 24 belong = 60011 dump format, 4.1 BSD or earlier 24 belong = 60012 dump format, 4.2 or 4.3 BSD without IDC 24 belong = 60013 dump format, 4.2 or 4.3 BSD (IDC compatible) 24 belong = 60014 dump format, Convex Storage Manager by-reference dump # # what follows is a bunch of bit-mask checks on the flags field of the opthdr. # If there is no `=' sign, assume just checking for whether the bit is set? # 0 belong = 0601 Convex SOFF >88 belong&0x000f0000 = 0x00000000 c1 >88 belong & 0x00010000 c2 >88 belong & 0x00020000 c2mp >88 belong & 0x00040000 parallel >88 belong & 0x00080000 intrinsic >88 belong & 0x00000001 demand paged >88 belong & 0x00000002 pre-paged >88 belong & 0x00000004 non-swapped >88 belong & 0x00000008 POSIX # >84 belong & 0x80000000 executable >84 belong & 0x40000000 object >84 belong&0x20000000 = 0 not stripped >84 belong&0x18000000 = 0x00000000 native fpmode >84 belong&0x18000000 = 0x10000000 ieee fpmode >84 belong&0x18000000 = 0x18000000 undefined fpmode # 0 belong = 0605 Convex SOFF core # 0 belong = 0607 Convex SOFF checkpoint >88 belong&0x000f0000 = 0x00000000 c1 >88 belong & 0x00010000 c2 >88 belong & 0x00020000 c2mp >88 belong & 0x00040000 parallel >88 belong & 0x00080000 intrinsic >88 belong & 0x00000008 POSIX # >84 belong&0x18000000 = 0x00000000 native fpmode >84 belong&0x18000000 = 0x10000000 ieee fpmode >84 belong&0x18000000 = 0x18000000 undefined fpmode # ---------------------------------------------------------------------------- # ctags: file (1) magic for Exuberant Ctags files # From: Alexander Mai 0 string = !_TAG Exuberant Ctags tag file text #------------------------------------------------------------------------------ # dact: file(1) magic for DACT compressed files # 0 long = 0x444354C3 DACT compressed data >4 byte > -1 (version %i. >5 byte > -1 $BS%i. >6 byte > -1 $BS%i) >7 long > 0 $BS, original size: %i bytes >15 long > 30 $BS, block size: %i bytes #------------------------------------------------------------------------------ # database: file(1) magic for various databases # # extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk) # # # GDBM magic numbers # Will be maintained as part of the GDBM distribution in the future. # 0 belong = 0x13579ace GNU dbm 1.x or ndbm database, big endian 0 lelong = 0x13579ace GNU dbm 1.x or ndbm database, little endian 0 string = GDBM GNU dbm 2.x database # # Berkeley DB # # Ian Darwin's file /etc/magic files: big/little-endian version. # # Hash 1.85/1.86 databases store metadata in network byte order. # Btree 1.85/1.86 databases store the metadata in host byte order. # Hash and Btree 2.X and later databases store the metadata in host byte order. 0 long = 0x00061561 Berkeley DB >8 belong = 4321 >>4 belong > 2 1.86 >>4 belong < 3 1.85 >>4 belong > 0 (Hash, version %d, native byte-order) >8 belong = 1234 >>4 belong > 2 1.86 >>4 belong < 3 1.85 >>4 belong > 0 (Hash, version %d, little-endian) 0 belong = 0x00061561 Berkeley DB >8 belong = 4321 >>4 belong > 2 1.86 >>4 belong < 3 1.85 >>4 belong > 0 (Hash, version %d, big-endian) >8 belong = 1234 >>4 belong > 2 1.86 >>4 belong < 3 1.85 >>4 belong > 0 (Hash, version %d, native byte-order) 0 long = 0x00053162 Berkeley DB 1.85/1.86 >4 long > 0 (Btree, version %d, native byte-order) 0 belong = 0x00053162 Berkeley DB 1.85/1.86 >4 belong > 0 (Btree, version %d, big-endian) 0 lelong = 0x00053162 Berkeley DB 1.85/1.86 >4 lelong > 0 (Btree, version %d, little-endian) 12 long = 0x00061561 Berkeley DB >16 long > 0 (Hash, version %d, native byte-order) 12 belong = 0x00061561 Berkeley DB >16 belong > 0 (Hash, version %d, big-endian) 12 lelong = 0x00061561 Berkeley DB >16 lelong > 0 (Hash, version %d, little-endian) 12 long = 0x00053162 Berkeley DB >16 long > 0 (Btree, version %d, native byte-order) 12 belong = 0x00053162 Berkeley DB >16 belong > 0 (Btree, version %d, big-endian) 12 lelong = 0x00053162 Berkeley DB >16 lelong > 0 (Btree, version %d, little-endian) 12 long = 0x00042253 Berkeley DB >16 long > 0 (Queue, version %d, native byte-order) 12 belong = 0x00042253 Berkeley DB >16 belong > 0 (Queue, version %d, big-endian) 12 lelong = 0x00042253 Berkeley DB >16 lelong > 0 (Queue, version %d, little-endian) # From Max Bowsher. 12 long = 0x00040988 Berkeley DB >16 long > 0 (Log, version %d, native byte-order) 12 belong = 0x00040988 Berkeley DB >16 belong > 0 (Log, version %d, big-endian) 12 lelong = 0x00040988 Berkeley DB >16 lelong > 0 (Log, version %d, little-endian) # # # Round Robin Database Tool by Tobias Oetiker 0 string = RRD RRDTool DB >4 string x - version %s #---------------------------------------------------------------------- # ROOT: file(1) magic for ROOT databases # 0 string = root\0 ROOT file >4 belong x - Version %d >33 belong x - (Compression: %d) # XXX: Weak magic. # Alex Ott ## Paradox file formats #2 leshort 0x0800 Paradox #>0x39 byte 3 v. 3.0 #>0x39 byte 4 v. 3.5 #>0x39 byte 9 v. 4.x #>0x39 byte 10 v. 5.x #>0x39 byte 11 v. 5.x #>0x39 byte 12 v. 7.x #>>0x04 byte 0 indexed .DB data file #>>0x04 byte 1 primary index .PX file #>>0x04 byte 2 non-indexed .DB data file #>>0x04 byte 3 non-incrementing secondary index .Xnn file #>>0x04 byte 4 secondary index .Ynn file #>>0x04 byte 5 incrementing secondary index .Xnn file #>>0x04 byte 6 non-incrementing secondary index .XGn file #>>0x04 byte 7 secondary index .YGn file #>>>0x04 byte 8 incrementing secondary index .XGn file ## XBase database files #0 byte 0x02 #>8 leshort >0 #>>12 leshort 0 FoxBase #>>>0x04 lelong 0 (no records) #>>>0x04 lelong >0 (%ld records) # #0 byte 0x03 #>8 leshort >0 #>>12 leshort 0 FoxBase+, FoxPro, dBaseIII+, dBaseIV, no memo #>>>0x04 lelong 0 (no records) #>>>0x04 lelong >0 (%ld records) # #0 byte 0x04 #>8 leshort >0 #>>12 leshort 0 dBASE IV no memo file #>>>0x04 lelong 0 (no records) #>>>0x04 lelong >0 (%ld records) # #0 byte 0x05 #>8 leshort >0 #>>12 leshort 0 dBASE V no memo file #>>>0x04 lelong 0 (no records) #>>>0x04 lelong >0 (%ld records) # #0 byte 0x30 #>8 leshort >0 #>>12 leshort 0 Visual FoxPro #>>>0x04 lelong 0 (no records) #>>>0x04 lelong >0 (%ld records) # #0 byte 0x43 #>8 leshort >0 #>>12 leshort 0 FlagShip with memo var size #>>>0x04 lelong 0 (no records) #>>>0x04 lelong >0 (%ld records) # #0 byte 0x7b #>8 leshort >0 #>>12 leshort 0 dBASEIV with memo #>>>0x04 lelong 0 (no records) #>>>0x04 lelong >0 (%ld records) # #0 byte 0x83 #>8 leshort >0 #>>12 leshort 0 FoxBase+, dBaseIII+ with memo #>>>0x04 lelong 0 (no records) #>>>0x04 lelong >0 (%ld records) # #0 byte 0x8b #>8 leshort >0 #>>12 leshort 0 dBaseIV with memo #>>>0x04 lelong 0 (no records) #>>>0x04 lelong >0 (%ld records) # #0 byte 0x8e #>8 leshort >0 #>>12 leshort 0 dBaseIV with SQL Table #>>>0x04 lelong 0 (no records) #>>>0x04 lelong >0 (%ld records) # #0 byte 0xb3 #>8 leshort >0 #>>12 leshort 0 FlagShip with .dbt memo #>>>0x04 lelong 0 (no records) #>>>0x04 lelong >0 (%ld records) # #0 byte 0xf5 #>8 leshort >0 #>>12 leshort 0 FoxPro with memo #>>>0x04 lelong 0 (no records) #>>>0x04 lelong >0 (%ld records) # #0 leshort 0x0006 DBase 3 index file # MS Access database 4 string = Standard\ Jet\ DB Microsoft Access Database # TDB database from Samba et al - Martin Pool 0 string = TDB\ file TDB database >32 lelong = 0x2601196D version 6, little-endian >>36 lelong x - hash size %d bytes # SE Linux policy database 0 lelong = 0xf97cff8c SE Linux policy >16 lelong x - v%d >20 lelong = 1 MLS >24 lelong x - %d symbols >28 lelong x - %d ocons # ICE authority file data (Wolfram Kleff) 2 string = ICE ICE authority data # X11 Xauthority file (Wolfram Kleff) 10 string = MIT-MAGIC-COOKIE-1 X11 Xauthority data 11 string = MIT-MAGIC-COOKIE-1 X11 Xauthority data 12 string = MIT-MAGIC-COOKIE-1 X11 Xauthority data 13 string = MIT-MAGIC-COOKIE-1 X11 Xauthority data 14 string = MIT-MAGIC-COOKIE-1 X11 Xauthority data 15 string = MIT-MAGIC-COOKIE-1 X11 Xauthority data 16 string = MIT-MAGIC-COOKIE-1 X11 Xauthority data 17 string = MIT-MAGIC-COOKIE-1 X11 Xauthority data 18 string = MIT-MAGIC-COOKIE-1 X11 Xauthority data # SQLite (Ty Sarna) 0 string = **\ This\ file\ contains\ an\ SQLite SQLite Database #FIXME FTimes -- Converted from regex to regexp. #>&1 regex = [^\ ]+ Version %s >&1 regexp =~ ([^\x20]+) Version %s #------------------------------------------------------------------------------ # diamond: file(1) magic for Diamond system # # ... diamond is a multi-media mail and electronic conferencing system.... # # XXX - I think it was either renamed Slate, or replaced by Slate.... # # The full deal is too long... #0 string \n Diamond Multimedia Document 0 string = \n\n________64E Alpha archive >22 string = X -- out of date # # Alpha COFF Based Executables # The stripped stuff really needs to be an 8 byte (64 bit) compare, # but this works 0 leshort = 0x183 COFF format alpha >22 leshort&020000 & 010000 sharable library, >22 leshort&020000 ^ 010000 dynamically linked, >24 leshort = 0410 pure >24 leshort = 0413 demand paged >8 lelong > 0 executable or object module, not stripped >8 lelong = 0 >>12 lelong = 0 executable or object module, stripped >>12 lelong > 0 executable or object module, not stripped >27 byte > 0 - version %d. >26 byte > 0 %d- >28 leshort > 0 %d # # The next is incomplete, we could tell more about this format, # but its not worth it. 0 leshort = 0x188 Alpha compressed COFF 0 leshort = 0x18f Alpha u-code object # # # Some other interesting Digital formats, 0 string = \377\377\177 ddis/ddif 0 string = \377\377\174 ddis/dots archive 0 string = \377\377\176 ddis/dtif table data 0 string = \033c\033 LN03 output 0 long = 04553207 X image # 0 string = !!\n profiling data file # # Locale data tables (MIPS and Alpha). # 0 short = 0x0501 locale data table >6 short = 0x24 for MIPS >6 short = 0x40 for Alpha # ATSC A/53 aka AC-3 aka Dolby Digital # from http://www.atsc.org/standards/a_52a.pdf # corrections, additions, etc. are always welcome! # # syncword 0 beshort = 0x0b77 ATSC A/52 aka AC-3 aka Dolby Digital stream, # fscod >4 byte&0xc0 = 0x00 48 kHz, >4 byte&0xc0 = 0x40 44.1 kHz, >4 byte&0xc0 = 0x80 32 kHz, # is this one used for 96 kHz? >4 byte&0xc0 = 0xc0 reserved frequency, # >5 byte&7 = 0 \b, complete main (CM) >5 byte&7 = 1 \b, music and effects (ME) >5 byte&7 = 2 \b, visually impaired (VI) >5 byte&7 = 3 \b, hearing impaired (HI) >5 byte&7 = 4 \b, dialogue (D) >5 byte&7 = 5 \b, commentary (C) >5 byte&7 = 6 \b, emergency (E) # acmod >6 byte&0xe0 = 0x00 1+1 front, >6 byte&0xe0 = 0x20 1 front/0 rear, >6 byte&0xe0 = 0x40 2 front/0 rear, >6 byte&0xe0 = 0x60 3 front/0 rear, >6 byte&0xe0 = 0x80 2 front/1 rear, >6 byte&0xe0 = 0xa0 3 front/1 rear, >6 byte&0xe0 = 0xc0 2 front/2 rear, >6 byte&0xe0 = 0xe0 3 front/2 rear, # lfeon (these may be incorrect) >7 byte&0x40 = 0x00 LFE off, >7 byte&0x40 = 0x40 LFE on, # >4 byte&0x3e = 0x00 \b, 32 kbit/s >4 byte&0x3e = 0x02 \b, 40 kbit/s >4 byte&0x3e = 0x04 \b, 48 kbit/s >4 byte&0x3e = 0x06 \b, 56 kbit/s >4 byte&0x3e = 0x08 \b, 64 kbit/s >4 byte&0x3e = 0x0a \b, 80 kbit/s >4 byte&0x3e = 0x0c \b, 96 kbit/s >4 byte&0x3e = 0x0e \b, 112 kbit/s >4 byte&0x3e = 0x10 \b, 128 kbit/s >4 byte&0x3e = 0x12 \b, 160 kbit/s >4 byte&0x3e = 0x14 \b, 192 kbit/s >4 byte&0x3e = 0x16 \b, 224 kbit/s >4 byte&0x3e = 0x18 \b, 256 kbit/s >4 byte&0x3e = 0x1a \b, 320 kbit/s >4 byte&0x3e = 0x1c \b, 384 kbit/s >4 byte&0x3e = 0x1e \b, 448 kbit/s >4 byte&0x3e = 0x20 \b, 512 kbit/s >4 byte&0x3e = 0x22 \b, 576 kbit/s >4 byte&0x3e = 0x24 \b, 640 kbit/s # dsurmod (these may be incorrect) >6 beshort&0x0180 = 0x0000 Dolby Surround not indicated >6 beshort&0x0180 = 0x0080 not Dolby Surround encoded >6 beshort&0x0180 = 0x0100 Dolby Surround encoded >6 beshort&0x0180 = 0x0180 reserved Dolby Surround mode #------------------------------------------------------------------------------ # dump: file(1) magic for dump file format--for new and old dump filesystems # # We specify both byte orders in order to recognize byte-swapped dumps. # 24 belong = 60012 new-fs dump file (big endian), >4 bedate x - Previous dump %s, >8 bedate x - This dump %s, >12 belong > 0 Volume %ld, >692 belong = 0 Level zero, type: >692 belong > 0 Level %d, type: >0 belong = 1 tape header, >0 belong = 2 beginning of file record, >0 belong = 3 map of inodes on tape, >0 belong = 4 continuation of file record, >0 belong = 5 end of volume, >0 belong = 6 map of inodes deleted, >0 belong = 7 end of medium (for floppy), >676 string > \0 Label %s, >696 string > \0 Filesystem %s, >760 string > \0 Device %s, >824 string > \0 Host %s, >888 belong > 0 Flags %x 24 belong = 60011 old-fs dump file (big endian), #>4 bedate x Previous dump %s, #>8 bedate x This dump %s, >12 belong > 0 Volume %ld, >692 belong = 0 Level zero, type: >692 belong > 0 Level %d, type: >0 belong = 1 tape header, >0 belong = 2 beginning of file record, >0 belong = 3 map of inodes on tape, >0 belong = 4 continuation of file record, >0 belong = 5 end of volume, >0 belong = 6 map of inodes deleted, >0 belong = 7 end of medium (for floppy), >676 string > \0 Label %s, >696 string > \0 Filesystem %s, >760 string > \0 Device %s, >824 string > \0 Host %s, >888 belong > 0 Flags %x 24 lelong = 60012 new-fs dump file (little endian), >4 ledate x - This dump %s, >8 ledate x - Previous dump %s, >12 lelong > 0 Volume %ld, >692 lelong = 0 Level zero, type: >692 lelong > 0 Level %d, type: >0 lelong = 1 tape header, >0 lelong = 2 beginning of file record, >0 lelong = 3 map of inodes on tape, >0 lelong = 4 continuation of file record, >0 lelong = 5 end of volume, >0 lelong = 6 map of inodes deleted, >0 lelong = 7 end of medium (for floppy), >676 string > \0 Label %s, >696 string > \0 Filesystem %s, >760 string > \0 Device %s, >824 string > \0 Host %s, >888 lelong > 0 Flags %x 24 lelong = 60011 old-fs dump file (little endian), #>4 ledate x Previous dump %s, #>8 ledate x This dump %s, >12 lelong > 0 Volume %ld, >692 lelong = 0 Level zero, type: >692 lelong > 0 Level %d, type: >0 lelong = 1 tape header, >0 lelong = 2 beginning of file record, >0 lelong = 3 map of inodes on tape, >0 lelong = 4 continuation of file record, >0 lelong = 5 end of volume, >0 lelong = 6 map of inodes deleted, >0 lelong = 7 end of medium (for floppy), >676 string > \0 Label %s, >696 string > \0 Filesystem %s, >760 string > \0 Device %s, >824 string > \0 Host %s, >888 lelong > 0 Flags %x 18 leshort = 60011 old-fs dump file (16-bit, assuming PDP-11 endianness), #FIXME FTimes -- Disabled until we have medate support. #>2 medate x Previous dump %s, #>6 medate x This dump %s, >10 leshort > 0 Volume %ld, >0 leshort = 1 tape header. >0 leshort = 2 beginning of file record. >0 leshort = 3 map of inodes on tape. >0 leshort = 4 continuation of file record. >0 leshort = 5 end of volume. >0 leshort = 6 map of inodes deleted. >0 leshort = 7 end of medium (for floppy). #------------------------------------------------------------------------------ # T602 editor documents # by David Necas 0 string = @CT\ T602 document data, >4 string = 0 Kamenicky >4 string = 1 CP 852 >4 string = 2 KOI8-CS >4 string > 2 unknown encoding # Vi IMproved Encrypted file # by David Necas 0 string = VimCrypt~ Vim encrypted file data #------------------------------------------------------------------------------ # elf: file(1) magic for ELF executables # # We have to check the byte order flag to see what byte order all the # other stuff in the header is in. # # What're the correct byte orders for the nCUBE and the Fujitsu VPP500? # # updated by Daniel Quinlan (quinlan@yggdrasil.com) 0 string = \177ELF ELF >4 byte = 0 invalid class >4 byte = 1 32-bit >4 byte = 2 64-bit >5 byte = 0 invalid byte order >5 byte = 1 LSB >>16 leshort = 0 no file type, >>16 leshort = 1 relocatable, >>16 leshort = 2 executable, >>16 leshort = 3 shared object, # Core handling from Peter Tobias # corrections by Christian 'Dr. Disk' Hechelmann >>16 leshort = 4 core file # Core file detection is not reliable. #>>>(0x38+0xcc) string >\0 of '%s' #>>>(0x38+0x10) lelong >0 (signal %d), >>16 leshort & 0xff00 processor-specific, >>18 leshort = 0 no machine, >>18 leshort = 1 AT&T WE32100 - invalid byte order, >>18 leshort = 2 SPARC - invalid byte order, >>18 leshort = 3 Intel 80386, >>18 leshort = 4 Motorola >>>36 lelong & 0x01000000 68000 - invalid byte order, >>>36 lelong & 0x00810000 CPU32 - invalid byte order, >>>36 lelong = 0 68020 - invalid byte order, >>18 leshort = 5 Motorola 88000 - invalid byte order, >>18 leshort = 6 Intel 80486, >>18 leshort = 7 Intel 80860, # The official e_machine number for MIPS is now #8, regardless of endianness. # The second number (#10) will be deprecated later. For now, we still # say something if #10 is encountered, but only gory details for #8. >>18 leshort = 8 MIPS, >>>36 lelong & 0x20 N32 >>18 leshort = 10 MIPS, >>>36 lelong & 0x20 N32 >>18 leshort = 8 # only for 32-bit >>>4 byte = 1 >>>>36 lelong&0xf0000000 = 0x00000000 MIPS-I >>>>36 lelong&0xf0000000 = 0x10000000 MIPS-II >>>>36 lelong&0xf0000000 = 0x20000000 MIPS-III >>>>36 lelong&0xf0000000 = 0x30000000 MIPS-IV >>>>36 lelong&0xf0000000 = 0x40000000 MIPS-V >>>>36 lelong&0xf0000000 = 0x60000000 MIPS32 >>>>36 lelong&0xf0000000 = 0x70000000 MIPS64 >>>>36 lelong&0xf0000000 = 0x80000000 MIPS32 rel2 >>>>36 lelong&0xf0000000 = 0x90000000 MIPS64 rel2 # only for 64-bit >>>4 byte = 2 >>>>48 lelong&0xf0000000 = 0x00000000 MIPS-I >>>>48 lelong&0xf0000000 = 0x10000000 MIPS-II >>>>48 lelong&0xf0000000 = 0x20000000 MIPS-III >>>>48 lelong&0xf0000000 = 0x30000000 MIPS-IV >>>>48 lelong&0xf0000000 = 0x40000000 MIPS-V >>>>48 lelong&0xf0000000 = 0x60000000 MIPS32 >>>>48 lelong&0xf0000000 = 0x70000000 MIPS64 >>>>48 lelong&0xf0000000 = 0x80000000 MIPS32 rel2 >>>>48 lelong&0xf0000000 = 0x90000000 MIPS64 rel2 >>18 leshort = 9 Amdahl - invalid byte order, >>18 leshort = 10 MIPS (deprecated), >>18 leshort = 11 RS6000 - invalid byte order, >>18 leshort = 15 PA-RISC - invalid byte order, >>>50 leshort = 0x0214 2.0 >>>48 leshort & 0x0008 (LP64), >>18 leshort = 16 nCUBE, >>18 leshort = 17 Fujitsu VPP500, >>18 leshort = 18 SPARC32PLUS, >>18 leshort = 20 PowerPC, >>18 leshort = 22 IBM S/390, >>18 leshort = 36 NEC V800, >>18 leshort = 37 Fujitsu FR20, >>18 leshort = 38 TRW RH-32, >>18 leshort = 39 Motorola RCE, >>18 leshort = 40 ARM, >>18 leshort = 41 Alpha, >>18 leshort = 0xa390 IBM S/390 (obsolete), >>18 leshort = 42 Hitachi SH, >>18 leshort = 43 SPARC V9 - invalid byte order, >>18 leshort = 44 Siemens Tricore Embedded Processor, >>18 leshort = 45 Argonaut RISC Core, Argonaut Technologies Inc., >>18 leshort = 46 Hitachi H8/300, >>18 leshort = 47 Hitachi H8/300H, >>18 leshort = 48 Hitachi H8S, >>18 leshort = 49 Hitachi H8/500, >>18 leshort = 50 IA-64, >>18 leshort = 51 Stanford MIPS-X, >>18 leshort = 52 Motorola Coldfire, >>18 leshort = 53 Motorola M68HC12, >>18 leshort = 62 AMD x86-64, >>18 leshort = 75 Digital VAX, >>18 leshort = 88 Renesas M32R, >>18 leshort = 97 NatSemi 32k, >>18 leshort = 0x9026 Alpha (unofficial), >>20 lelong = 0 invalid version >>20 lelong = 1 version 1 >>36 lelong = 1 MathCoPro/FPU/MAU Required >5 byte = 2 MSB >>16 beshort = 0 no file type, >>16 beshort = 1 relocatable, >>16 beshort = 2 executable, >>16 beshort = 3 shared object, >>16 beshort = 4 core file, #>>>(0x38+0xcc) string >\0 of '%s' #>>>(0x38+0x10) belong >0 (signal %d), >>16 beshort & 0xff00 processor-specific, >>18 beshort = 0 no machine, >>18 beshort = 1 AT&T WE32100, >>18 beshort = 2 SPARC, >>18 beshort = 3 Intel 80386 - invalid byte order, >>18 beshort = 4 Motorola >>>36 belong & 0x01000000 68000, >>>36 belong & 0x00810000 CPU32, >>>36 belong = 0 68020, >>18 beshort = 5 Motorola 88000, >>18 beshort = 6 Intel 80486 - invalid byte order, >>18 beshort = 7 Intel 80860, # only for MIPS - see comment in little-endian section above. >>18 beshort = 8 MIPS, >>>36 belong & 0x20 N32 >>18 beshort = 10 MIPS, >>>36 belong & 0x20 N32 >>18 beshort = 8 # only for 32-bit >>>4 byte = 1 >>>>36 belong&0xf0000000 = 0x00000000 MIPS-I >>>>36 belong&0xf0000000 = 0x10000000 MIPS-II >>>>36 belong&0xf0000000 = 0x20000000 MIPS-III >>>>36 belong&0xf0000000 = 0x30000000 MIPS-IV >>>>36 belong&0xf0000000 = 0x40000000 MIPS-V >>>>36 belong&0xf0000000 = 0x60000000 MIPS32 >>>>36 belong&0xf0000000 = 0x70000000 MIPS64 >>>>36 belong&0xf0000000 = 0x80000000 MIPS32 rel2 >>>>36 belong&0xf0000000 = 0x90000000 MIPS64 rel2 # only for 64-bit >>>4 byte = 2 >>>>48 belong&0xf0000000 = 0x00000000 MIPS-I >>>>48 belong&0xf0000000 = 0x10000000 MIPS-II >>>>48 belong&0xf0000000 = 0x20000000 MIPS-III >>>>48 belong&0xf0000000 = 0x30000000 MIPS-IV >>>>48 belong&0xf0000000 = 0x40000000 MIPS-V >>>>48 belong&0xf0000000 = 0x60000000 MIPS32 >>>>48 belong&0xf0000000 = 0x70000000 MIPS64 >>>>48 belong&0xf0000000 = 0x80000000 MIPS32 rel2 >>>>48 belong&0xf0000000 = 0x90000000 MIPS64 rel2 >>18 beshort = 9 Amdahl, >>18 beshort = 10 MIPS (deprecated), >>18 beshort = 11 RS6000, >>18 beshort = 15 PA-RISC >>>50 beshort = 0x0214 2.0 >>>48 beshort & 0x0008 (LP64) >>18 beshort = 16 nCUBE, >>18 beshort = 17 Fujitsu VPP500, >>18 beshort = 18 SPARC32PLUS, >>>36 belong&0xffff00 & 0x000100 V8+ Required, >>>36 belong&0xffff00 & 0x000200 Sun UltraSPARC1 Extensions Required, >>>36 belong&0xffff00 & 0x000400 HaL R1 Extensions Required, >>>36 belong&0xffff00 & 0x000800 Sun UltraSPARC3 Extensions Required, >>18 beshort = 20 PowerPC or cisco 4500, >>18 beshort = 21 cisco 7500, >>18 beshort = 22 IBM S/390, >>18 beshort = 24 cisco SVIP, >>18 beshort = 25 cisco 7200, >>18 beshort = 36 NEC V800 or cisco 12000, >>18 beshort = 37 Fujitsu FR20, >>18 beshort = 38 TRW RH-32, >>18 beshort = 39 Motorola RCE, >>18 beshort = 40 ARM, >>18 beshort = 41 Alpha, >>18 beshort = 42 Hitachi SH, >>18 beshort = 43 SPARC V9, >>18 beshort = 44 Siemens Tricore Embedded Processor, >>18 beshort = 45 Argonaut RISC Core, Argonaut Technologies Inc., >>18 beshort = 46 Hitachi H8/300, >>18 beshort = 47 Hitachi H8/300H, >>18 beshort = 48 Hitachi H8S, >>18 beshort = 49 Hitachi H8/500, >>18 beshort = 50 IA-64, >>18 beshort = 51 Stanford MIPS-X, >>18 beshort = 52 Motorola Coldfire, >>18 beshort = 53 Motorola M68HC12, >>18 beshort = 73 Cray NV1, >>18 beshort = 75 Digital VAX, >>18 beshort = 88 Renesas M32R, >>18 beshort = 97 NatSemi 32k, >>18 beshort = 0x9026 Alpha (unofficial), >>18 beshort = 0xa390 IBM S/390 (obsolete), >>20 belong = 0 invalid version >>20 belong = 1 version 1 >>36 belong = 1 MathCoPro/FPU/MAU Required # Up to now only 0, 1 and 2 are defined; I've seen a file with 0x83, it seemed # like proper ELF, but extracting the string had bad results. >4 byte < 0x80 >>8 string > \0 (%s) >8 string = \0 >>7 byte = 0 (SYSV) >>7 byte = 1 (HP-UX) >>7 byte = 2 (NetBSD) >>7 byte = 3 (GNU/Linux) >>7 byte = 4 (GNU/Hurd) >>7 byte = 5 (86Open) >>7 byte = 6 (Solaris) >>7 byte = 7 (Monterey) >>7 byte = 8 (IRIX) >>7 byte = 9 (FreeBSD) >>7 byte = 10 (Tru64) >>7 byte = 11 (Novell Modesto) >>7 byte = 12 (OpenBSD) >>7 byte = 97 (ARM) >>7 byte = 255 (embedded) #------------------------------------------------------------------------------ # encore: file(1) magic for Encore machines # # XXX - needs to have the byte order specified (NS32K was little-endian, # dunno whether they run the 88K in little-endian mode or not). # 0 short = 0x154 Encore >20 short = 0x107 executable >20 short = 0x108 pure executable >20 short = 0x10b demand-paged executable >20 short = 0x10f unsupported executable >12 long > 0 not stripped >22 short > 0 - version %ld >22 short = 0 - #>4 date x stamp %s 0 short = 0x155 Encore unsupported executable >12 long > 0 not stripped >22 short > 0 - version %ld >22 short = 0 - #>4 date x stamp %s #------------------------------------------------------------------------------ # Epoc 32 : file(1) magic for Epoc Documents [psion/osaris # Stefan Praszalowicz (hpicollo@worldnet.fr) #0 lelong 0x10000037 Epoc32 >4 lelong = 0x1000006D >>8 lelong = 0x1000007F Word >>8 lelong = 0x10000088 Sheet >>8 lelong = 0x1000007D Sketch >>8 lelong = 0x10000085 TextEd #------------------------------------------------------------------------------ # ESRI Shapefile format (.shp .shx .dbf=DBaseIII) # Based on info from # 0 belong = 9994 ESRI Shapefile >4 belong = 0 >8 belong = 0 >12 belong = 0 >16 belong = 0 >20 belong = 0 >28 lelong x - version %d >24 belong x - length %d >32 lelong = 0 type Null Shape >32 lelong = 1 type Point >32 lelong = 3 type PolyLine >32 lelong = 5 type Polygon >32 lelong = 8 type MultiPoint >32 lelong = 11 type PointZ >32 lelong = 13 type PolyLineZ >32 lelong = 15 type PolygonZ >32 lelong = 18 type MultiPointZ >32 lelong = 21 type PointM >32 lelong = 23 type PolyLineM >32 lelong = 25 type PolygonM >32 lelong = 28 type MultiPointM >32 lelong = 31 type MultiPatch #------------------------------------------------------------------------------ # fcs: file(1) magic for FCS (Flow Cytometry Standard) data files # From Roger Leigh 0 string = FCS1.0 Flow Cytometry Standard (FCS) data, version 1.0 0 string = FCS2.0 Flow Cytometry Standard (FCS) data, version 2.0 0 string = FCS3.0 Flow Cytometry Standard (FCS) data, version 3.0 #------------------------------------------------------------------------------ # filesystems: file(1) magic for different filesystems # 0 string = \366\366\366\366 PC formatted floppy with no filesystem # Sun disk labels # From /usr/include/sun/dklabel.h: 0774 beshort = 0xdabe Sun disk label >0 string x - '%s >>31 string > \0 \b%s >>>63 string > \0 \b%s >>>>95 string > \0 \b%s >0 string x - \b' >0734 short > 0 %d rpm, >0736 short > 0 %d phys cys, >0740 short > 0 %d alts/cyl, >0746 short > 0 %d interleave, >0750 short > 0 %d data cyls, >0752 short > 0 %d alt cyls, >0754 short > 0 %d heads/partition, >0756 short > 0 %d sectors/track, >0764 long > 0 start cyl %ld, >0770 long x - %ld blocks # Is there a boot block written 1 sector in? >512 belong&077777777 = 0600407 \b, boot block present # Joerg Jenderek: Smart Boot Manager backup file is 41 byte header + first sectors of disc # (http://btmgr.sourceforge.net/docs/user-guide-3.html) 0 string = SBMBAKUP_ Smart Boot Manager backup file >9 string x - \b, version %-5.5s >>14 string = _ >>>15 string x - %-.1s >>>>16 string = _ \b. >>>>>17 string x - \b%-.1s >>>>>>18 string = _ \b. >>>>>>>19 string x - \b%-.1s >>>22 byte = 0 >>>>21 byte x - \b, from drive 0x%x >>>22 byte > 0 >>>>21 string x - \b, from drive %s # Joerg Jenderek # DOS Emulator image is 128 byte, null right padded header + harddisc image 0 string = DOSEMU\0 >0x27E leshort = 0xAA55 #offset is 128 >>19 byte = 128 >>>(19.b-1) byte = 0x0 DOS Emulator image >>>>7 lelong > 0 \b, %u heads >>>>11 lelong > 0 \b, %d sectors/track >>>>15 lelong > 0 \b, %d cylinders 0x1FE leshort = 0xAA55 x86 boot sector >2 string = OSBS \b, OS/BS MBR # J\xf6rg Jenderek >0x8C string = Invalid\ partition\ table \b, MS-DOS MBR # dr-dos with some upper-, lowercase variants >0x9D string = Invalid\ partition\ table$ >>181 string = No\ Operating\ System$ >>>201 string = Operating\ System\ load\ error$ \b, DR-DOS MBR, Version 7.01 to 7.03 >0x9D string = Invalid\ partition\ table$ >>181 string = No\ operating\ system$ >>>201 string = Operating\ system\ load\ error$ \b, DR-DOS MBR, Version 7.01 to 7.03 >342 string = Invalid\ partition\ table$ >>366 string = No\ operating\ system$ >>>386 string = Operating\ system\ load\ error$ \b, DR-DOS MBR, version 7.01 to 7.03 >295 string = NEWLDR\0 >>302 string = Bad\ PT\ $ >>>310 string = No\ OS\ $ >>>>317 string = OS\ load\ err$ >>>>>329 string = Moved\ or\ missing\ IBMBIO.LDR\n\r >>>>>>358 string = Press\ any\ key\ to\ continue.\n\r$ >>>>>>>387 string = Copyright\ (c)\ 1984,1998 >>>>>>>>411 string = Caldera\ Inc.\0 \b, DR-DOS MBR (IBMBIO.LDR) >0x10F string = Ung\201ltige\ Partitionstabelle \b, MS-DOS MBR, german version 4.10.1998, 4.10.2222 >>0x1B8 belong > 0 \b, Serial 0x%-.4x >0x8B string = Ung\201ltige\ Partitionstabelle \b, MS-DOS MBR, german version 5.00 to 4.00.950 >271 string = Invalid\ partition\ table\0 >>295 string = Error\ loading\ operating\ system\0 >>>326 string = Missing\ operating\ system\0 \b, mbr # >139 string = Invalid\ partition\ table\0 >>163 string = Error\ loading\ operating\ system\0 >>>194 string = Missing\ operating\ system\0 \b, Microsoft Windows XP mbr # http://www.heise.de/ct/05/09/006/ page 184 #HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices\DosDevices\?:=Serial4Bytes+8Bytes >>>>0x1B8 lelong > 0 \b,Serial 0x%-.4x >300 string = Invalid\ partition\ table\0 >>324 string = Error\ loading\ operating\ system\0 >>>355 string = Missing\ operating\ system\0 \b, Microsoft Windows XP MBR #??>>>389 string Invalid\ system\ disk >>>>0x1B8 lelong > 0 \b, Serial 0x%-.4x >300 string = Ung\201ltige\ Partitionstabelle #split string to avoid error: String too long >>328 string = Fehler\ beim\ Laden\ >>>346 string = des\ Betriebssystems >>>>366 string = Betriebssystem\ nicht\ vorhanden \b, Microsoft Windows XP MBR (german) >>>>>0x1B8 lelong > 0 \b, Serial 0x%-.4x >0x145 string = Default:\ F \b, FREE-DOS MBR >64 string = no\ active\ partition\ found >>96 string = read\ error\ while\ reading\ drive \b, FREE-DOS Beta 0.9 MBR >271 string = Operating\ system\ loading >>296 string = error\r \b, SYSLINUX MBR (2.10) # bootloader, bootmanager >43 string = SMART\ BTMGRFAT12\ \ \ >>430 string = SBMK\ Bad!\r >>>3 string = SBM \b, Smart Boot Manager >>>>6 string > \0 \b, version %s >382 string = XOSLLOADXCF \b, eXtended Operating System Loader >6 string = LILO \b, LInux i386 boot LOader >>120 string = LILO \b, version 22.3.4 SuSe >>172 string = LILO \b, version 22.5.8 Debian >402 string = Geom\0Hard\ Disk\0Read\0\ Error\0 >>394 string = stage1 \b, GRand Unified Bootloader (0.5.95) >343 string = Geom\0Read\0\ Error\0 >>321 string = Loading\ stage1.5 \b, Grand Unified Bootloader >380 string = Geom\0Hard\ Disk\0Read\0\ Error\0 >>374 string = GRUB\ \0 \b, GRand Unified Bootloader >382 string = Geom\0Hard\ Disk\0Read\0\ Error\0 >>376 string = GRUB\ \0 \b, GRand Unified Bootloader (0.93) >383 string = Geom\0Hard\ Disk\0Read\0\ Error\0 >>377 string = GRUB\ \0 \b, GRand Unified Bootloader (0.94) >385 string = Geom\0Hard\ Disk\0Read\0\ Error\0 >>379 string = GRUB\ \0 \b, GRand Unified Bootloader (0.95) >480 string = Boot\ failed\r >>495 string = LDLINUX\ SYS \b, SYSLINUX bootloader (2.06) >395 string = chksum\0\ ERROR!\0 \b, Gujin bootloader # mbr partion table entries, if not fat boot secor, activ flag 0 or 0x80 and type > 0 >3 string = !MS >>3 string = !SYSLINUX >>>82 string = !FAT32 >>>>446 byte < 0x81 >>>>>446 byte&0x7F = 0 >>>>>>450 byte > 0 \b; partition 1: ID=0x%x >>>>>>>446 byte = 0x80 \b, active >>>>>>>447 byte x - \b, starthead %u #>>>>>>>448 byte x \b, start C_S: 0x%x #>>>>>>448 beshort&1023 x \b, startcylinder? %d >>>>>>>454 lelong x - \b, startsector %u >>>>>>>458 lelong x - \b, %u sectors # >>>>462 byte < 0x81 >>>>>462 byte&0x7F = 0 >>>>>>466 byte > 0 \b; partition 2: ID=0x%x >>>>>>>462 byte = 0x80 \b, active >>>>>>>463 byte x - \b, starthead %u #>>>>>>>464 byte x \b, start C_S: 0x%x #>>>>>>>464 beshort&1023 x \b, startcylinder? %d >>>>>>>470 lelong x - \b, startsector %u >>>>>>>474 lelong x - \b, %u sectors # >>>>478 byte < 0x81 >>>>>478 byte&0x7F = 0 >>>>>>482 byte > 0 \b; partition 3: ID=0x%x >>>>>>>478 byte = 0x80 \b, active >>>>>>>479 byte x - \b, starthead %u #>>>>>>>480 byte x \b, start C_S: 0x%x #>>>>>>>481 byte x \b, start C2S: 0x%x #>>>>>>>480 beshort&1023 x \b, startcylinder? %d >>>>>>>486 lelong x - \b, startsector %u >>>>>>>490 lelong x - \b, %u sectors # >>>>494 byte < 0x81 >>>>>494 byte&0x7F = 0 >>>>>>498 byte > 0 \b; partition 4: ID=0x%x >>>>>>>494 byte = 0x80 \b, active >>>>>>>495 byte x - \b, starthead %u #>>>>>>>496 byte x \b, start C_S: 0x%x #>>>>>>>496 beshort&1023 x \b, startcylinder? %d >>>>>>>502 lelong x - \b, startsector %u >>>>>>>506 lelong x - \b, %u sectors # mbr partion table entries end >185 string = FDBOOT\ Version\ >>204 string = \rNo\ Systemdisk.\ >>>220 string = Booting\ from\ harddisk.\n\r >>>245 string = Cannot\ load\ from\ harddisk.\n\r >>>>273 string = Insert\ Systemdisk\ >>>>>291 string = and\ press\ any\ key.\n\r \b, FDBOOT harddisk Bootloader >>>>>>200 string > \0 \b, version %-3s >242 string = Bootsector\ from\ C.H.\ Hochst\204 >>278 string = No\ Systemdisk.\ >>>293 string = Booting\ from\ harddisk.\n\r >>>441 string = Cannot\ load\ from\ harddisk.\n\r >>>>469 string = Insert\ Systemdisk\ >>>>>487 string = and\ press\ any\ key.\n\r \b, WinImage harddisk Bootloader >>>>>>209 string > \0 \b, version %-4.4s >(1.b+2) byte = 0xe >>(1.b+3) byte = 0x1f >>>(1.b+4) byte = 0xbe >>>>(1.b+5) byte = 0x77 >>>>(1.b+6) byte = 0x7c >>>>>(1.b+7) byte = 0xac >>>>>>(1.b+8) byte = 0x22 >>>>>>>(1.b+9) byte = 0xc0 >>>>>>>>(1.b+10) byte = 0x74 >>>>>>>>>(1.b+11) byte = 0xb >>>>>>>>>>(1.b+12) byte = 0x56 >>>>>>>>>>(1.b+13) byte = 0xb4 \b, mkdosfs boot message display >103 string = This\ is\ not\ a\ bootable\ disk.\ >>132 string = Please\ insert\ a\ bootable\ >>>157 string = floppy\ and\r\n >>>>169 string = press\ any\ key\ to\ try\ again...\r \b, FREE-DOS message display # >66 string = Solaris\ Boot\ Sector >>99 string = Incomplete\ MDBoot\ load. >>>89 string = Version \b, Sun Solaris Bootloader >>>>97 byte x - version %c # >408 string = OS/2\ !!\ SYS01475\r\0 >>429 string = OS/2\ !!\ SYS02025\r\0 >>>450 string = OS/2\ !!\ SYS02027\r\0 >>>469 string = OS2BOOT\ \ \ \ \b, IBM OS/2 Warp bootloader # >409 string = OS/2\ !!\ SYS01475\r\0 >>430 string = OS/2\ !!\ SYS02025\r\0 >>>451 string = OS/2\ !!\ SYS02027\r\0 >>>470 string = OS2BOOT\ \ \ \ \b, IBM OS/2 Warp Bootloader >112 string = This\ disk\ is\ not\ bootable\r >>142 string = If\ you\ wish\ to\ make\ it\ bootable >>>176 string = run\ the\ DOS\ program\ SYS\ >>>200 string = after\ the\r >>>>216 string = system\ has\ been\ loaded\r\n >>>>>242 string = Please\ insert\ a\ DOS\ diskette\ >>>>>271 string = into\r\n\ the\ drive\ and\ >>>>>>292 string = strike\ any\ key...\0 \b, IBM OS/2 Warp message display # XP >430 string = NTLDR\ is\ missing\xFF\r\n >>449 string = Disk\ error\xFF\r\n >>>462 string = Press\ any\ key\ to\ restart\r \b, Microsoft Windows XP Bootloader # DOS names like NTLDR,CMLDR,$LDR$ are 8 right space padded bytes+3 bytes >>>>417 byte&0xDF > 0 >>>>>417 string x - %-.5s >>>>>>422 byte&0xDF > 0 >>>>>>>422 string x - \b%-.3s >>>>>425 byte&0xDF > 0 >>>>>>425 string > \ \b.%-.3s # >>>>371 byte > 0x20 >>>>>368 byte&0xDF > 0 >>>>>>368 string x - %-.5s >>>>>>>373 byte&0xDF > 0 >>>>>>>>373 string x - \b%-.3s >>>>>>376 byte&0xDF > 0 >>>>>>>376 string x - \b.%-.3s # >430 string = NTLDR\ nicht\ gefunden\xFF\r\n >>453 string = Datentr\204gerfehler\xFF\r\n >>>473 string = Neustart\ mit\ beliebiger\ Taste\r \b, Microsoft Windows XP Bootloader (german) >>>>417 byte&0xDF > 0 >>>>>417 string x - %-.5s >>>>>>422 byte&0xDF > 0 >>>>>>>422 string x - \b%-.3s >>>>>425 byte&0xDF > 0 >>>>>>425 string > \ \b.%-.3s # >>>>368 byte&0xDF > 0 >>>>>368 string x - %-.5s >>>>>>373 byte&0xDF > 0 >>>>>>>373 string x - \b%-.3s >>>>>376 byte&0xDF > 0 >>>>>>376 string x - \b.%-.3s # >430 string = NTLDR\ fehlt\xFF\r\n >>444 string = Datentr\204gerfehler\xFF\r\n >>>464 string = Neustart\ mit\ beliebiger\ Taste\r \b, Microsoft Windows XP Bootloader (2.german) >>>>417 byte&0xDF > 0 >>>>>417 string x - %-.5s >>>>>>422 byte&0xDF > 0 >>>>>>>422 string x - \b%-.3s >>>>>425 byte&0xDF > 0 >>>>>>425 string > \ \b.%-.3s # variant >>>>371 byte > 0x20 >>>>>368 byte&0xDF > 0 >>>>>>368 string x - %-.5s >>>>>>>373 byte&0xDF > 0 >>>>>>>>373 string x - \b%-.3s >>>>>>376 byte&0xDF > 0 >>>>>>>376 string x - \b.%-.3s # >430 string = NTLDR\ fehlt\xFF\r\n >>444 string = Medienfehler\xFF\r\n >>>459 string = Neustart:\ Taste\ dr\201cken\r \b, Microsoft Windows XP Bootloader (3.german) >>>>371 byte > 0x20 >>>>>368 byte&0xDF > 0 >>>>>>368 string x - %-.5s >>>>>>>373 byte&0xDF > 0 >>>>>>>>373 string x - \b%-.3s >>>>>>376 byte&0xDF > 0 >>>>>>>376 string x - \b.%-.3s # variant >>>>417 byte&0xDF > 0 >>>>>417 string x - %-.5s >>>>>>422 byte&0xDF > 0 >>>>>>>422 string x - \b%-.3s >>>>>425 byte&0xDF > 0 >>>>>>425 string > \ \b.%-.3s # >430 string = Datentr\204ger\ entfernen\xFF\r\n >>454 string = Medienfehler\xFF\r\n >>>469 string = Neustart:\ Taste\ dr\201cken\r \b, Microsoft Windows XP Bootloader (4.german) >>>>368 byte&0xDF > 0 >>>>>368 string x - %-.5s >>>>>>373 byte&0xDF > 0 >>>>>>>373 string x - \b%-.3s >>>>>376 byte&0xDF > 0 >>>>>>376 string x - \b.%-.3s #>3 string NTFS\ \ \ \ >389 string = Fehler\ beim\ Lesen\ >>407 string = des\ Datentr\204gers >>>426 string = NTLDR\ fehlt >>>>440 string = NTLDR\ ist\ komprimiert >>>>>464 string = Neustart\ mit\ Strg+Alt+Entf\r \b, Microsoft Windows XP Bootloader NTFS (german) #>3 string NTFS\ \ \ \ >313 string = A\ disk\ read\ error\ occurred.\r >>345 string = A\ kernel\ file\ is\ missing\ >>>370 string = from\ the\ disk.\r >>>>484 string = NTLDR\ is\ compressed >>>>>429 string = Insert\ a\ system\ diskette\ >>>>>>454 string = and\ restart\r\nthe\ system.\r \b, Microsoft Windows XP Bootloader NTFS # DOS loader variants different languages,offsets >472 byte&0xDF > 0 >>389 string = Invalid\ system\ disk\xFF\r\n >>>411 string = Disk\ I/O\ error >>>>428 string = Replace\ the\ disk,\ and\ >>>>>455 string = press\ any\ key \b, Microsoft Windows 98 Bootloader #IO.SYS >>>>>>472 byte&0xDF > 0 >>>>>>>472 string x - \b %-.2s >>>>>>>>474 byte&0xDF > 0 >>>>>>>>>474 string x - \b%-.5s >>>>>>>>>>479 byte&0xDF > 0 >>>>>>>>>>>479 string x - \b%-.1s >>>>>>>480 byte&0xDF > 0 >>>>>>>>480 string x - \b.%-.3s #MSDOS.SYS >>>>>>>483 byte&0xDF > 0 \b+ >>>>>>>>483 string x - \b%-.5s >>>>>>>>>488 byte&0xDF > 0 >>>>>>>>>>488 string x - \b%-.3s >>>>>>>>491 byte&0xDF > 0 >>>>>>>>>491 string x - \b.%-.3s # >>390 string = Invalid\ system\ disk\xFF\r\n >>>412 string = Disk\ I/O\ error\xFF\r\n >>>>429 string = Replace\ the\ disk,\ and\ >>>>>451 string = then\ press\ any\ key\r \b, Microsoft Windows 98 Bootloader >>388 string = Ungueltiges\ System\ \xFF\r\n >>>410 string = E/A-Fehler\ \ \ \ \xFF\r\n >>>>427 string = Datentraeger\ wechseln\ und\ >>>>>453 string = Taste\ druecken\r \b, Microsoft Windows 95/98/ME Bootloader (german) #WINBOOT.SYS only not spaces (0xDF) >>>>>>497 byte&0xDF > 0 >>>>>>>497 string x - %-.5s >>>>>>>>502 byte&0xDF > 0 >>>>>>>>>502 string x - \b%-.1s >>>>>>>>>>503 byte&0xDF > 0 >>>>>>>>>>>503 string x - \b%-.1s >>>>>>>>>>>>504 byte&0xDF > 0 >>>>>>>>>>>>>504 string x - \b%-.1s >>>>>>505 byte&0xDF > 0 >>>>>>>505 string x - \b.%-.3s #IO.SYS >>>>>>472 byte&0xDF > 0 or >>>>>>>472 string x - \b %-.2s >>>>>>>>474 byte&0xDF > 0 >>>>>>>>>474 string x - \b%-.5s >>>>>>>>>>479 byte&0xDF > 0 >>>>>>>>>>>479 string x - \b%-.1s >>>>>>>480 byte&0xDF > 0 >>>>>>>>480 string x - \b.%-.3s #MSDOS.SYS >>>>>>>483 byte&0xDF > 0 \b+ >>>>>>>>483 string x - \b%-.5s >>>>>>>>>488 byte&0xDF > 0 >>>>>>>>>>488 string x - \b%-.3s >>>>>>>>491 byte&0xDF > 0 >>>>>>>>>491 string x - \b.%-.3s # >>390 string = Ungueltiges\ System\ \xFF\r\n >>>412 string = E/A-Fehler\ \ \ \ \xFF\r\n >>>>429 string = Datentraeger\ wechseln\ und\ >>>>>455 string = Taste\ druecken\r \b, Microsoft Windows 95/98/ME Bootloader (German) #WINBOOT.SYS only not spaces (0xDF) >>>>>>497 byte&0xDF > 0 >>>>>>>497 string x - %-.7s >>>>>>>>504 byte&0xDF > 0 >>>>>>>>>504 string x - \b%-.1s >>>>>>505 byte&0xDF > 0 >>>>>>>505 string x - \b.%-.3s #IO.SYS >>>>>>472 byte&0xDF > 0 or >>>>>>>472 string x - \b %-.2s >>>>>>>>474 byte&0xDF > 0 >>>>>>>>>474 string x - \b%-.6s >>>>>>>480 byte&0xDF > 0 >>>>>>>>480 string x - \b.%-.3s #MSDOS.SYS >>>>>>>483 byte&0xDF > 0 \b+ >>>>>>>>483 string x - \b%-.5s >>>>>>>>>488 byte&0xDF > 0 >>>>>>>>>>488 string x - \b%-.3s >>>>>>>>491 byte&0xDF > 0 >>>>>>>>>491 string x - \b.%-.3s # >>389 string = Ungueltiges\ System\ \xFF\r\n >>>411 string = E/A-Fehler\ \ \ \ \xFF\r\n >>>>428 string = Datentraeger\ wechseln\ und\ >>>>>454 string = Taste\ druecken\r \b, Microsoft Windows 95/98/ME Bootloader (GERMAN) # DOS names like IO.SYS,WINBOOT.SYS,MSDOS.SYS,WINBOOT.INI are 8 right space padded bytes+3 bytes >>>>>>472 string x - %-.2s >>>>>>>474 byte&0xDF > 0 >>>>>>>>474 string x - \b%-.5s >>>>>>>>479 byte&0xDF > 0 >>>>>>>>>479 string x - \b%-.1s >>>>>>480 byte&0xDF > 0 >>>>>>>480 string x - \b.%-.3s >>>>>>483 byte&0xDF > 0 \b+ >>>>>>>483 string x - \b%-.5s >>>>>>>488 byte&0xDF > 0 >>>>>>>>488 string x - \b%-.2s >>>>>>>>490 byte&0xDF > 0 >>>>>>>>>490 string x - \b%-.1s >>>>>>>491 byte&0xDF > 0 >>>>>>>>491 string x - \b.%-.3s >479 byte&0xDF > 0 >>416 string = Kein\ System\ oder\ >>>433 string = Laufwerksfehler >>>>450 string = Wechseln\ und\ Taste\ dr\201cken \b, Microsoft DOS Bootloader (german) #IO.SYS >>>>>479 string x - \b %-.2s >>>>>>481 byte&0xDF > 0 >>>>>>>481 string x - \b%-.6s >>>>>487 byte&0xDF > 0 >>>>>>487 string x - \b.%-.3s #MSDOS.SYS >>>>>>490 byte&0xDF > 0 \b+ >>>>>>>490 string x - \b%-.5s >>>>>>>>495 byte&0xDF > 0 >>>>>>>>>495 string x - \b%-.3s >>>>>>>498 byte&0xDF > 0 >>>>>>>>498 string x - \b.%-.3s # >486 byte&0xDF > 0 >>416 string = Non-System\ disk\ or\ >>>435 string = disk\ error\r >>>>447 string = Replace\ and\ press\ any\ key\ >>>>>473 string = when\ ready\r \b, Microsoft DOS Bootloader >480 byte&0xDF > 0 >>393 string = Non-System\ disk\ or\ >>>412 string = disk\ error\r >>>>424 string = Replace\ and\ press\ any\ key\ >>>>>450 string = when\ ready\r \b, Microsoft DOS bootloader #IO.SYS >>>>>480 string x - \b %-.2s >>>>>>482 byte&0xDF > 0 >>>>>>>48 string x - \b%-.6s >>>>>488 byte&0xDF > 0 >>>>>>488 string x - \b.%-.3s #MSDOS.SYS >>>>>>491 byte&0xDF > 0 \b+ >>>>>>>491 string x - \b%-.5s >>>>>>>>496 byte&0xDF > 0 >>>>>>>>>496 string x - \b%-.3s >>>>>>>499 byte&0xDF > 0 >>>>>>>>499 string x - \b.%-.3s #>43 string \224R-LOADER\ \ SYS =label >54 string = SYS >>324 string = VASKK >>>495 string = NEWLDR\0 \b, DR-DOS Bootloader (LOADER.SYS) # >70 string = IBMBIO\ \ COM >>472 string = Cannot\ load\ DOS!\ >>>489 string = Any\ key\ to\ retry \b, DR-DOS Bootloader >>471 string = Cannot\ load\ DOS\ >>487 string = press\ key\ to\ retry \b, Open-DOS Bootloader >444 string = KERNEL\ \ SYS >>314 string = BOOT\ error! \b, FREE-DOS Bootloader >499 string = KERNEL\ \ SYS >>305 string = BOOT\ err!\0 \b, Free-DOS Bootloader >449 string = KERNEL\ \ SYS >>319 string = BOOT\ error! \b, FREE-DOS 0.5 Bootloader >125 string = Loading\ FreeDOS...\r >>311 string = BOOT\ error!\r \b, FREE-DOS bootloader >>>441 byte&0xDF > 0 >>>>441 string x - \b %-.6s >>>>>447 byte&0xDF > 0 >>>>>>447 string x - \b%-.1s >>>>>>>448 byte&0xDF > 0 >>>>>>>>448 string x - \b%-.1s >>>>449 byte&0xDF > 0 >>>>>449 string x - \b.%-.3s >124 string = FreeDOS\0 >>331 string = \ err\0 \b, FREE-DOS BETa 0.9 Bootloader # DOS names like KERNEL.SYS,KERNEL16.SYS,KERNEL32.SYS,METAKERN.SYS are 8 right space padded bytes+3 bytes >>>497 byte&0xDF > 0 >>>>497 string x - \b %-.6s >>>>>503 byte&0xDF > 0 >>>>>>503 string x - \b%-.1s >>>>>>>504 byte&0xDF > 0 >>>>>>>>504 string x - \b%-.1s >>>>505 byte&0xDF > 0 >>>>>505 string x - \b.%-.3s >>333 string = \ err\0 \b, FREE-DOS BEta 0.9 Bootloader >>>497 byte&0xDF > 0 >>>>497 string x - \b %-.6s >>>>>503 byte&0xDF > 0 >>>>>>503 string x - \b%-.1s >>>>>>>504 byte&0xDF > 0 >>>>>>>>504 string x - \b%-.1s >>>>505 byte&0xDF > 0 >>>>>505 string x - \b.%-.3s >>334 string = \ err\0 \b, FREE-DOS Beta 0.9 Bootloader >>>497 byte&0xDF > 0 >>>>497 string x - \b %-.6s >>>>>503 byte&0xDF > 0 >>>>>>503 string x - \b%-.1s >>>>>>>504 byte&0xDF > 0 >>>>>>>>504 string x - \b%-.1s >>>>505 byte&0xDF > 0 >>>>>505 string x - \b.%-.3s >336 string = Error!\ >>343 string = Hit\ a\ key\ to\ reboot. \b, FREE-DOS Beta 0.9sr1 Bootloader >>>497 byte&0xDF > 0 >>>>497 string x - \b %-.6s >>>>>503 byte&0xDF > 0 >>>>>>503 string x - \b%-.1s >>>>>>>504 byte&0xDF > 0 >>>>>>>>504 string x - \b%-.1s >>>>505 byte&0xDF > 0 >>>>>505 string x - \b.%-.3s # loader end # Joerg Jenderek >446 byte = 0 >>450 byte > 0 >>>482 byte = 0 >>>>498 byte = 0 >>>>466 byte = 0x05 \b, extended partition table >>>>466 byte = 0x0F \b, extended partition table (LBA) >>>>466 byte = 0x0 \b, extended partition table (last) # JuMP short bootcodeoffset NOP assembler instructions will usually be EB xx 90 # older drives may use E9 xx xx >0 lelong&0x009000EB = 0x009000EB >0 lelong&0x000000E9 = 0x000000E9 >>1 byte > 37 \b, code offset 0x%x # mtools-3.9.8/msdos.h # usual values are marked with comments to get only informations of strange FAT systems # valid sectorsize are from 32 to 2048 >>>11 leshort < 2049 >>>>11 leshort > 31 >>>>>3 string > \0 \b, OEM-ID "%8.8s" >>>>>11 leshort > 512 \b, Bytes/sector %u #>>>>>11 leshort =512 \b, Bytes/sector %u=512 (usual) >>>>>11 leshort < 512 \b, Bytes/sector %u >>>>>13 byte > 1 \b, sectors/cluster %u #>>>>>13 byte =1 \b, sectors/cluster %u (usual on Floppies) >>>>>14 leshort > 32 \b, reserved sectors %u #>>>>>14 leshort =32 \b, reserved sectors %u (usual Fat32) #>>>>>14 leshort >1 \b, reserved sectors %u #>>>>>14 leshort =1 \b, reserved sectors %u (usual FAT12,FAT16) >>>>>14 leshort < 1 \b, reserved sectors %u >>>>>16 byte > 2 \b, FATs %u #>>>>>16 byte =2 \b, FATs %u (usual) >>>>>16 byte = 1 \b, FAT %u >>>>>16 byte > 0 >>>>>17 leshort > 0 \b, root entries %u #>>>>>17 leshort =0 \b, root entries %u=0 (usual Fat32) >>>>>19 leshort > 0 \b, sectors %u (volumes <=32 MB) #>>>>>19 leshort =0 \b, sectors %u=0 (usual Fat32) >>>>>21 byte > 0xF0 \b, Media descriptor 0x%x #>>>>>21 byte =0xF0 \b, Media descriptor 0x%x (usual floppy) >>>>>21 byte < 0xF0 \b, Media descriptor 0x%x >>>>>22 leshort > 0 \b, sectors/FAT %u #>>>>>22 leshort =0 \b, sectors/FAT %u=0 (usual Fat32) >>>>>26 byte > 2 \b, heads %u #>>>>>26 byte =2 \b, heads %u (usual floppy) >>>>>26 byte = 1 \b, heads %u >>>>>28 lelong > 0 \b, hidden sectors %u #>>>>>28 lelong =0 \b, hidden sectors %u (usual floppy) >>>>>32 lelong > 0 \b, sectors %u (volumes > 32 MB) #>>>>>32 lelong =0 \b, sectors %u (volumes > 32 MB) # FAT<32 specific # NOT le FAT3=NOT 3TAF=0xCCABBEB9 >>>>>82 lelong&0xCCABBEB9 > 0 >>>>>>36 byte > 0x80 \b, physical drive 0x%x #>>>>>>36 byte =0x80 \b, physical drive 0x%x=0x80 (usual harddisk) >>>>>>36 byte&0x7F > 0 \b, physical drive 0x%x #>>>>>>36 byte =0 \b, physical drive 0x%x=0 (usual floppy) >>>>>>37 byte > 0 \b, reserved 0x%x #>>>>>>37 byte =0 \b, reserved 0x%x >>>>>>38 byte > 0x29 \b, dos < 4.0 BootSector (0x%x) >>>>>>38 byte < 0x29 \b, dos < 4.0 BootSector (0x%x) >>>>>>38 byte = 0x29 >>>>>>>39 lelong x - \b, serial number 0x%x >>>>>>>43 string < NO\ NAME \b, label: "%11.11s" >>>>>>>43 string > NO\ NAME \b, label: "%11.11s" >>>>>>>43 string = NO\ NAME \b, unlabeled >>>>>>54 string = FAT \b, FAT >>>>>>>54 string = FAT12 \b (12 bit) >>>>>>>54 string = FAT16 \b (16 bit) # FAT32 specific >>>>>82 string = FAT32 \b, FAT (32 bit) >>>>>>36 lelong x - \b, sectors/FAT %u >>>>>>40 leshort > 0 \b, extension flags %u #>>>>>>40 leshort =0 \b, extension flags %u >>>>>>42 leshort > 0 \b, fsVersion %u #>>>>>>42 leshort =0 \b, fsVersion %u (usual) >>>>>>44 lelong > 2 \b, rootdir cluster %u #>>>>>>44 lelong =2 \b, rootdir cluster %u #>>>>>>44 lelong =1 \b, rootdir cluster %u >>>>>>48 leshort > 1 \b, infoSector %u #>>>>>>48 leshort =1 \b, infoSector %u (usual) >>>>>>48 leshort < 1 \b, infoSector %u >>>>>>50 leshort > 6 \b, Backup boot sector %u #>>>>>>50 leshort =6 \b, Backup boot sector %u (usual) >>>>>>50 leshort < 6 \b, Backup boot sector %u >>>>>>54 lelong > 0 \b, reserved1 0x%x >>>>>>58 lelong > 0 \b, reserved2 0x%x >>>>>>62 lelong > 0 \b, reserved3 0x%x # same structure as FAT1X >>>>>>64 byte > 0x80 \b, physical drive 0x%x #>>>>>>64 byte =0x80 \b, physical drive 0x%x=80 (usual harddisk) >>>>>>64 byte&0x7F > 0 \b, physical drive 0x%x #>>>>>>64 byte =0 \b, physical drive 0x%x=0 (usual floppy) >>>>>>65 byte > 0 \b, reserved 0x%x >>>>>>66 byte > 0x29 \b, dos < 4.0 BootSector (0x%x) >>>>>>66 byte < 0x29 \b, dos < 4.0 BootSector (0x%x) >>>>>>66 byte = 0x29 >>>>>>>67 lelong x - \b, serial number 0x%x >>>>>>>71 string < NO\ NAME \b, label: "%11.11s" >>>>>>71 string > NO\ NAME \b, label: "%11.11s" >>>>>>71 string = NO\ NAME \b, unlabeled ### FATs end >0x200 lelong = 0x82564557 \b, BSD disklabel # FATX 0 string = FATX FATX filesystem data # Minix filesystems - Juan Cespedes 0x410 leshort = 0x137f Minix filesystem 0x410 beshort = 0x137f Minix filesystem (big endian), >0x402 beshort != 0 \b, %d zones >0x1e string = minix \b, bootable 0x410 leshort = 0x138f Minix filesystem, 30 char names 0x410 leshort = 0x2468 Minix filesystem, version 2 0x410 leshort = 0x2478 Minix filesystem, version 2, 30 char names # romfs filesystems - Juan Cespedes 0 string = -rom1fs-\0 romfs filesystem, version 1 >8 belong x - %d bytes, >16 string x - named %s. # netboot image - Juan Cespedes #FIXME FTimes - Dropped the 'L' as it is not needed. #0 lelong 0x1b031336L Netboot image, 0 lelong = 0x1b031336 Netboot image, >4 lelong&0xFFFFFF00 = 0 >>4 lelong&0x100 = 0x000 mode 2 >>4 lelong&0x100 = 0x100 mode 3 >4 lelong&0xFFFFFF00 != 0 unknown mode 0x18b string = OS/2 OS/2 Boot Manager 9564 lelong = 0x00011954 Unix Fast File system (little-endian), >8404 string x - last mounted on %s, #>9504 ledate x last checked at %s, >8224 ledate x - last written at %s, >8401 byte x - clean flag %d, >8228 lelong x - number of blocks %d, >8232 lelong x - number of data blocks %d, >8236 lelong x - number of cylinder groups %d, >8240 lelong x - block size %d, >8244 lelong x - fragment size %d, >8252 lelong x - minimum percentage of free blocks %d, >8256 lelong x - rotational delay %dms, >8260 lelong x - disk rotational speed %drps, >8320 lelong = 0 TIME optimization >8320 lelong = 1 SPACE optimization 9564 belong = 0x00011954 Unix Fast File system (big-endian), >7168 long = 0x4c41424c Apple UFS Volume >>7186 string x - named %s, >>7176 belong x - volume label version %d, >>7180 bedate x - created on %s, >8404 string x - last mounted on %s, #>9504 bedate x last checked at %s, >8224 bedate x - last written at %s, >8401 byte x - clean flag %d, >8228 belong x - number of blocks %d, >8232 belong x - number of data blocks %d, >8236 belong x - number of cylinder groups %d, >8240 belong x - block size %d, >8244 belong x - fragment size %d, >8252 belong x - minimum percentage of free blocks %d, >8256 belong x - rotational delay %dms, >8260 belong x - disk rotational speed %drps, >8320 belong = 0 TIME optimization >8320 belong = 1 SPACE optimization # ext2/ext3 filesystems - Andreas Dilger 0x438 leshort = 0xEF53 Linux >0x44c lelong x - rev %d >0x43e leshort x - \b.%d >0x45c lelong ^ 0x0000004 ext2 filesystem data >>0x43a leshort ^ 0x0000001 (mounted or unclean) >0x45c lelong & 0x0000004 ext3 filesystem data >>0x460 lelong & 0x0000004 (needs journal recovery) >0x43a leshort & 0x0000002 (errors) >0x460 lelong & 0x0000001 (compressed) #>0x460 lelong &0x0000002 (filetype) #>0x464 lelong &0x0000001 (sparse_super) >0x464 lelong & 0x0000002 (large files) # SGI disk labels - Nathan Scott 0 belong = 0x0BE5A941 SGI disk label (volume header) # SGI XFS filesystem - Nathan Scott 0 belong = 0x58465342 SGI XFS filesystem data >0x4 belong x - (blksz %d, >0x68 beshort x - inosz %d, >0x64 beshort ^ 0x2004 v1 dirs) >0x64 beshort & 0x2004 v2 dirs) ############################################################################ # Minix-ST kernel floppy 0x800 belong = 0x46fc2700 Atari-ST Minix kernel image >19 string = \240\5\371\5\0\011\0\2\0 \b, 720k floppy >19 string = \320\2\370\5\0\011\0\1\0 \b, 360k floppy ############################################################################ # Hmmm, is this a better way of detecting _standard_ floppy images ? 19 string = \320\2\360\3\0\011\0\1\0 DOS floppy 360k >0x1FE leshort = 0xAA55 \b, x86 hard disk boot sector 19 string = \240\5\371\3\0\011\0\2\0 DOS floppy 720k >0x1FE leshort = 0xAA55 \b, x86 hard disk boot sector 19 string = \100\013\360\011\0\022\0\2\0 DOS floppy 1440k >0x1FE leshort = 0xAA55 \b, x86 hard disk boot sector 19 string = \240\5\371\5\0\011\0\2\0 DOS floppy 720k, IBM >0x1FE leshort = 0xAA55 \b, x86 hard disk boot sector 19 string = \100\013\371\5\0\011\0\2\0 DOS floppy 1440k, mkdosfs >0x1FE leshort = 0xAA55 \b, x86 hard disk boot sector 19 string = \320\2\370\5\0\011\0\1\0 Atari-ST floppy 360k 19 string = \240\5\371\5\0\011\0\2\0 Atari-ST floppy 720k # Valid media descriptor bytes for MS-DOS: # # Byte Capacity Media Size and Type # ------------------------------------------------- # # F0 2.88 MB 3.5-inch, 2-sided, 36-sector # F0 1.44 MB 3.5-inch, 2-sided, 18-sector # F9 720K 3.5-inch, 2-sided, 9-sector # F9 1.2 MB 5.25-inch, 2-sided, 15-sector # FD 360K 5.25-inch, 2-sided, 9-sector # FF 320K 5.25-inch, 2-sided, 8-sector # FC 180K 5.25-inch, 1-sided, 9-sector # FE 160K 5.25-inch, 1-sided, 8-sector # FE 250K 8-inch, 1-sided, single-density # FD 500K 8-inch, 2-sided, single-density # FE 1.2 MB 8-inch, 2-sided, double-density # F8 ----- Fixed disk # # FC xxxK Apricot 70x1x9 boot disk. # # Originally a bitmap: # xxxxxxx0 Not two sided # xxxxxxx1 Double sided # xxxxxx0x Not 8 SPT # xxxxxx1x 8 SPT # xxxxx0xx Not Removable drive # xxxxx1xx Removable drive # 11111xxx Must be one. # # But now it's rather random: # 111111xx Low density disk # 00 SS, Not 8 SPT # 01 DS, Not 8 SPT # 10 SS, 8 SPT # 11 DS, 8 SPT # # 11111001 Double density 3 floppy disk, high density 5 # 11110000 High density 3 floppy disk # 11111000 Hard disk any format # # CDROM Filesystems 32769 string = CD001 ISO 9660 CD-ROM filesystem data # "application id" which appears to be used as a volume label >32808 string > \0 '%s' >34816 string = \000CD001\001EL\ TORITO\ SPECIFICATION (bootable) 37633 string = CD001 ISO 9660 CD-ROM filesystem data (raw 2352 byte sectors) 32776 string = CDROM High Sierra CD-ROM filesystem data # cramfs filesystem - russell@coker.com.au 0 lelong = 0x28cd3d45 Linux Compressed ROM File System data, little endian >4 lelong x - size %d >8 lelong & 1 version #2 >8 lelong & 2 sorted_dirs >8 lelong & 4 hole_support >32 lelong x - CRC 0x%x, >36 lelong x - edition %d, >40 lelong x - %d blocks, >44 lelong x - %d files 0 belong = 0x28cd3d45 Linux Compressed ROM File System data, big endian >4 belong x - size %d >8 belong & 1 version #2 >8 belong & 2 sorted_dirs >8 belong & 4 hole_support >32 belong x - CRC 0x%x, >36 belong x - edition %d, >40 belong x - %d blocks, >44 belong x - %d files # reiserfs - russell@coker.com.au 0x10034 string = ReIsErFs ReiserFS V3.5 0x10034 string = ReIsEr2Fs ReiserFS V3.6 >0x1002c leshort x - block size %d >0x10032 leshort & 2 (mounted or unclean) >0x10000 lelong x - num blocks %d >0x10040 lelong = 1 tea hash >0x10040 lelong = 2 yura hash >0x10040 lelong = 3 r5 hash # JFFS - russell@coker.com.au 0 lelong = 0x34383931 Linux Journalled Flash File system, little endian 0 belong = 0x34383931 Linux Journalled Flash File system, big endian # EST flat binary format (which isn't, but anyway) # From: Mark Brown 0 string = ESTFBINR EST flat binary # Aculab VoIP firmware # From: Mark Brown 0 string = VoIP\ Startup\ and Aculab VoIP firmware >35 string x - format %s # PPCBoot image file # From: Mark Brown 0 belong = 0x27051956 PPCBoot image >4 string = PPCBoot >>12 string x - version %s # JFFS2 file system 0 leshort = 0x1984 Linux old jffs2 filesystem data little endian 0 lelong = 0xe0011985 Linux jffs2 filesystem data little endian # Squashfs 0 string = sqsh Squashfs filesystem, big endian, >28 beshort x - version %d. >30 beshort x - \b%d, >8 belong x - %d bytes, >4 belong x - %d inodes, >28 beshort < 2 >>32 beshort x - blocksize: %d bytes, >28 beshort > 1 >>51 belong x - blocksize: %d bytes, >39 bedate x - created: %s 0 string = hsqs Squashfs filesystem, little endian, >28 leshort x - version %d. >30 leshort x - \b%d, >8 lelong x - %d bytes, >4 lelong x - %d inodes, >28 leshort < 2 >>32 leshort x - blocksize: %d bytes, >28 leshort > 1 >>51 lelong x - blocksize: %d bytes, >39 ledate x - created: %s # AFS Dump Magic # From: Ty Sarna 0 string = \x01\xb3\xa1\x13\x22 AFS Dump >&0 belong x - (v%d) >>&0 byte = 0x76 >>>&0 belong x - Vol %d, >>>>&0 byte = 0x6e >>>>>&0 string x - %s >>>>>>&1 byte = 0x74 >>>>>>>&0 beshort = 2 >>>>>>>>&4 bedate x - on: %s >>>>>>>>&0 bedate = 0 full dump >>>>>>>>&0 bedate != 0 incremental since: %s #------------------------------------------------------------------------------ # flash: file(1) magic for Macromedia Flash file format # # See # # http://www.macromedia.com/software/flash/open/ # 0 string = FWS Macromedia Flash data, >3 byte x - version %d 0 string = CWS Macromedia Flash data (compressed), >3 byte x - version %d # From: Cal Peake 0 string = FLV Macromedia Flash Video # # From Dave Wilson 0 string = AGD4\xbe\xb8\xbb\xcb\x00 Macromedia Freehand 9 Document #------------------------------------------------------------------------------ # fonts: file(1) magic for font data # 0 string = FONT ASCII vfont text 0 short = 0436 Berkeley vfont data 0 short = 017001 byte-swapped Berkeley vfont data # PostScript fonts (must precede "printer" entries), quinlan@yggdrasil.com 0 string = %!PS-AdobeFont-1. PostScript Type 1 font text >20 string > \0 (%s) 6 string = %!PS-AdobeFont-1. PostScript Type 1 font program data # X11 font files in SNF (Server Natural Format) format 0 belong = 00000004 X11 SNF font data, MSB first 0 lelong = 00000004 X11 SNF font data, LSB first # X11 Bitmap Distribution Format, from Daniel Quinlan (quinlan@yggdrasil.com) 0 string = STARTFONT\040 X11 BDF font text # X11 fonts, from Daniel Quinlan (quinlan@yggdrasil.com) # PCF must come before SGI additions ("MIPSEL MIPS-II COFF" collides) 0 string = \001fcp X11 Portable Compiled Font data >12 byte = 0x02 \b, LSB first >12 byte = 0x0a \b, MSB first 0 string = D1.0\015 X11 Speedo font data #------------------------------------------------------------------------------ # FIGlet fonts and controlfiles # From figmagic supplied with Figlet version 2.2 # "David E. O'Brien" 0 string = flf FIGlet font >3 string > 2a version %-2.2s 0 string = flc FIGlet controlfile >3 string > 2a version %-2.2s # libGrx graphics lib fonts, from Albert Cahalan (acahalan@cs.uml.edu) # Used with djgpp (DOS Gnu C++), sometimes Linux or Turbo C++ 0 belong = 0x14025919 libGrx font data, >8 leshort x - %dx >10 leshort x - \b%d >40 string x - %s # Misc. DOS VGA fonts, from Albert Cahalan (acahalan@cs.uml.edu) 0 belong = 0xff464f4e DOS code page font data collection 7 belong = 0x00454741 DOS code page font data 7 belong = 0x00564944 DOS code page font data (from Linux?) 4098 string = DOSFONT DOSFONT2 encrypted font data # downloadable fonts for browser (prints type) anthon@mnt.org 0 string = PFR1 PFR1 font >102 string > 0 \b: %s # True Type fonts 0 string = \000\001\000\000\000 TrueType font data 0 string = \007\001\001\000Copyright\ (c)\ 199 Adobe Multiple Master font 0 string = \012\001\001\000Copyright\ (c)\ 199 Adobe Multiple Master font # Opentype font data from Avi Bercovich 0 string = OTTO OpenType font data #------------------------------------------------------------------------------ # frame: file(1) magic for FrameMaker files # # This stuff came on a FrameMaker demo tape, most of which is # copyright, but this file is "published" as witness the following: # 0 string = \11 string = 5.5 (5.5 >11 string = 5.0 (5.0 >11 string = 4.0 (4.0 >11 string = 3.0 (3.0 >11 string = 2.0 (2.0 >11 string = 1.0 (1.0 >14 byte x - %c) 0 string = \9 string = 4.0 (4.0) >9 string = 3.0 (3.0) >9 string = 2.0 (2.0) >9 string = 1.0 (1.x) 0 string = \17 string = 3.0 (3.0) >17 string = 2.0 (2.0) >17 string = 1.0 (1.x) 0 string = \17 string = 1.01 (%s) 0 string = \10 string = 3.0 (3.0 >10 string = 2.0 (2.0 >10 string = 1.0 (1.0 >13 byte x - %c) # XXX - this book entry should be verified, if you find one, uncomment this #0 string \6 string 3.0 (3.0) #>6 string 2.0 (2.0) #>6 string 1.0 (1.0) 0 string = \= 4096 (or >4095, same thing), then it's # an executable, and is dynamically-linked if the "has run-time # loader information" bit is set. # # On x86, NetBSD says: # # If it's neither pure nor demand-paged: # # if it has the "has run-time loader information" bit set, it's # a dynamically-linked executable; # # if it doesn't have that bit set, then: # # if it has the "is position-independent" bit set, it's # position-independent; # # if the entry point is non-zero, it's an executable, otherwise # it's an object file. # # If it's pure: # # if it has the "has run-time loader information" bit set, it's # a dynamically-linked executable, otherwise it's just an # executable. # # If it's demand-paged: # # if it has the "has run-time loader information" bit set, # then: # # if the entry point is < 4096, it's a shared library; # # if the entry point is = 4096 or > 4096 (i.e., >= 4096), # it's a dynamically-linked executable); # # if it doesn't have the "has run-time loader information" bit # set, then it's just an executable. # # (On non-x86, NetBSD does much the same thing, except that it uses # 8192 on 68K - except for "68k4k", which is presumably "68K with 4K # pages - SPARC, and MIPS, presumably because Sun-3's and Sun-4's # had 8K pages; dunno about MIPS.) # # I suspect the two will differ only in perverse and uninteresting cases # ("shared" libraries that aren't demand-paged and whose pages probably # won't actually be shared, executables with entry points <4096). # # I leave it to those more familiar with FreeBSD and NetBSD to figure out # what the right answer is (although using ">4095", FreeBSD-style, is # probably better than separately checking for "=4096" and ">4096", # NetBSD-style). (The old "netbsd" file analyzed FreeBSD demand paged # executables using the NetBSD technique.) # 0 lelong&0377777777 = 041400407 FreeBSD/i386 >20 lelong < 4096 >>3 byte&0xC0 & 0x80 shared library >>3 byte&0xC0 = 0x40 PIC object >>3 byte&0xC0 = 0x00 object >20 lelong > 4095 >>3 byte&0x80 = 0x80 dynamically linked executable >>3 byte&0x80 = 0x00 executable >16 lelong > 0 not stripped 0 lelong&0377777777 = 041400410 FreeBSD/i386 pure >20 lelong < 4096 >>3 byte&0xC0 & 0x80 shared library >>3 byte&0xC0 = 0x40 PIC object >>3 byte&0xC0 = 0x00 object >20 lelong > 4095 >>3 byte&0x80 = 0x80 dynamically linked executable >>3 byte&0x80 = 0x00 executable >16 lelong > 0 not stripped 0 lelong&0377777777 = 041400413 FreeBSD/i386 demand paged >20 lelong < 4096 >>3 byte&0xC0 & 0x80 shared library >>3 byte&0xC0 = 0x40 PIC object >>3 byte&0xC0 = 0x00 object >20 lelong > 4095 >>3 byte&0x80 = 0x80 dynamically linked executable >>3 byte&0x80 = 0x00 executable >16 lelong > 0 not stripped 0 lelong&0377777777 = 041400314 FreeBSD/i386 compact demand paged >20 lelong < 4096 >>3 byte&0xC0 & 0x80 shared library >>3 byte&0xC0 = 0x40 PIC object >>3 byte&0xC0 = 0x00 object >20 lelong > 4095 >>3 byte&0x80 = 0x80 dynamically linked executable >>3 byte&0x80 = 0x00 executable >16 lelong > 0 not stripped # XXX gross hack to identify core files # cores start with a struct tss; we take advantage of the following: # byte 7: highest byte of the kernel stack pointer, always 0xfe # 8/9: kernel (ring 0) ss value, always 0x0010 # 10 - 27: ring 1 and 2 ss/esp, unused, thus always 0 # 28: low order byte of the current PTD entry, always 0 since the # PTD is page-aligned # 7 string = \357\020\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 FreeBSD/i386 a.out core file >1039 string > \0 from '%s' #FIXME FTimes - Disabled because we don't do signed compares, and we # don't know what the equivalent test should be. ## /var/run/ld.so.hints ## What are you laughing about? #0 lelong 011421044151 ld.so hints file (Little Endian #>4 lelong >0 \b, version %d) #>4 belong <=0 \b) #0 belong 011421044151 ld.so hints file (Big Endian #>4 belong >0 \b, version %d) #>4 belong <=0 \b) # # Files generated by FreeBSD scrshot(1)/vidcontrol(1) utilities # 0 string = SCRSHOT_ scrshot(1) screenshot, >8 byte x - version %d, >9 byte = 2 %d bytes in header, >>10 byte x - %d chars wide by >>11 byte x - %d chars high #------------------------------------------------------------------------------ # fsav: file(1) magic for datafellows fsav virus definition files # Anthon van der Neut (anthon@mnt.org) # ftp://ftp.f-prot.com/pub/{macrdef2.zip,nomacro.def} 0 beshort = 0x1575 fsav macro virus signatures >8 leshort > 0 (%d- >11 byte > 0 \b%02d- >10 byte > 0 \b%02d) # ftp://ftp.f-prot.com/pub/sign.zip #10 byte <12 #>9 byte <32 #>>8 byte 0x0a #>>>12 byte 0x07 #>>>>11 leshort >0 fsav DOS/Windows virus signatures (%d- #>>>>10 byte 0 \b01- #>>>>10 byte 1 \b02- #>>>>10 byte 2 \b03- #>>>>10 byte 3 \b04- #>>>>10 byte 4 \b05- #>>>>10 byte 5 \b06- #>>>>10 byte 6 \b07- #>>>>10 byte 7 \b08- #>>>>10 byte 8 \b09- #>>>>10 byte 9 \b10- #>>>>10 byte 10 \b11- #>>>>10 byte 11 \b12- #>>>>9 byte >0 \b%02d) # ftp://ftp.f-prot.com/pub/sign2.zip #0 byte 0x62 #>1 byte 0xF5 #>>2 byte 0x1 #>>>3 byte 0x1 #>>>>4 byte 0x0e #>>>>>13 byte >0 fsav virus signatures #>>>>>>11 byte x size 0x%02x #>>>>>>12 byte x \b%02x #>>>>>>13 byte x \b%02x bytes # Joerg Jenderek: joerg dot jenderek at web dot de # http://www.clamav.net/doc/latest/html/node45.html # .cvd files start with a 512 bytes colon separated header # ClamAV-VDB:buildDate:version:signaturesNumbers:functionalityLevelRequired:MD5:Signature:builder:buildTime # + gzipped tarball files 0 string = ClamAV-VDB: >11 string > \0 Clam AntiVirus database %-.23s >>34 string = : #FIXME FTimes -- Converted from regex to regexp. #>>>35 regex = [^:]+ \b, version >>>35 regexp =~ [^:]+ \b, version >>>>35 string x - \b%-.1s >>>>>36 string = !: >>>>>>36 string x - \b%-.1s >>>>>>>37 string = !: >>>>>>>>37 string x - \b%-.1s >>>>>>>>>38 string = !: >>>>>>>>>>38 string x - \b%-.1s >>>>512 string = \037\213 \b, gzipped >>>>769 string = ustar\0 \b, tared >512 string = \037\213 \b, gzipped >769 string = ustar\0 \b, tared #------------------------------------------------------------------------------ # games: file(1) for games # Thomas M. Ott (ThMO) 1 string = WAD DOOM data, >0 string = I main wad >0 string = P patch wad >0 byte x - unknown junk # Fabio Bonelli # Quake II - III data files 0 string = IDP2 Quake II 3D Model file, >20 long x - %lu skin(s), >8 long x - (%lu x >12 long x - %lu), >40 long x - %lu frame(s), >16 long x - Frame size %lu bytes, >24 long x - %lu vertices/frame, >28 long x - %lu texture coordinates, >32 long x - %lu triangles/frame 0 string = IBSP Quake >4 long = 0x26 II Map file (BSP) >4 long = 0x2E III Map file (BSP) 0 string = IDS2 Quake II SP2 sprite file #--------------------------------------------------------------------------- # Doom and Quake # submitted by Nicolas Patrois # DOOM 0 string = IWAD DOOM or DOOM ][ world 0 string = PWAD DOOM or DOOM ][ extension world 0 string = \xcb\x1dBoom\xe6\xff\x03\x01 Boom or linuxdoom demo # some doom lmp files don't match, I've got one beginning with \x6d\x02\x01\x01 24 string = LxD\ 203 Linuxdoom save >0 string x - , name=%s >44 string x - , world=%s # Quake 0 string = PACK Quake I or II world or extension #0 string -1\x0a Quake I demo #>30 string x version %.4s #>61 string x level %s #0 string 5\x0a Quake I save # The levels # Quake 1 0 string = 5\x0aIntroduction Quake I save: start Introduction 0 string = 5\x0athe_Slipgate_Complex Quake I save: e1m1 The slipgate complex 0 string = 5\x0aCastle_of_the_Damned Quake I save: e1m2 Castle of the damned 0 string = 5\x0athe_Necropolis Quake I save: e1m3 The necropolis 0 string = 5\x0athe_Grisly_Grotto Quake I save: e1m4 The grisly grotto 0 string = 5\x0aZiggurat_Vertigo Quake I save: e1m8 Ziggurat vertigo (secret) 0 string = 5\x0aGloom_Keep Quake I save: e1m5 Gloom keep 0 string = 5\x0aThe_Door_To_Chthon Quake I save: e1m6 The door to Chthon 0 string = 5\x0aThe_House_of_Chthon Quake I save: e1m7 The house of Chthon 0 string = 5\x0athe_Installation Quake I save: e2m1 The installation 0 string = 5\x0athe_Ogre_Citadel Quake I save: e2m2 The ogre citadel 0 string = 5\x0athe_Crypt_of_Decay Quake I save: e2m3 The crypt of decay (dopefish lives!) 0 string = 5\x0aUnderearth Quake I save: e2m7 Underearth (secret) 0 string = 5\x0athe_Ebon_Fortress Quake I save: e2m4 The ebon fortress 0 string = 5\x0athe_Wizard's_Manse Quake I save: e2m5 The wizard's manse 0 string = 5\x0athe_Dismal_Oubliette Quake I save: e2m6 The dismal oubliette 0 string = 5\x0aTermination_Central Quake I save: e3m1 Termination central 0 string = 5\x0aVaults_of_Zin Quake I save: e3m2 Vaults of Zin 0 string = 5\x0athe_Tomb_of_Terror Quake I save: e3m3 The tomb of terror 0 string = 5\x0aSatan's_Dark_Delight Quake I save: e3m4 Satan's dark delight 0 string = 5\x0athe_Haunted_Halls Quake I save: e3m7 The haunted halls (secret) 0 string = 5\x0aWind_Tunnels Quake I save: e3m5 Wind tunnels 0 string = 5\x0aChambers_of_Torment Quake I save: e3m6 Chambers of torment 0 string = 5\x0athe_Sewage_System Quake I save: e4m1 The sewage system 0 string = 5\x0aThe_Tower_of_Despair Quake I save: e4m2 The tower of despair 0 string = 5\x0aThe_Elder_God_Shrine Quake I save: e4m3 The elder god shrine 0 string = 5\x0athe_Palace_of_Hate Quake I save: e4m4 The palace of hate 0 string = 5\x0aHell's_Atrium Quake I save: e4m5 Hell's atrium 0 string = 5\x0athe_Nameless_City Quake I save: e4m8 The nameless city (secret) 0 string = 5\x0aThe_Pain_Maze Quake I save: e4m6 The pain maze 0 string = 5\x0aAzure_Agony Quake I save: e4m7 Azure agony 0 string = 5\x0aShub-Niggurath's_Pit Quake I save: end Shub-Niggurath's pit # Quake DeathMatch levels 0 string = 5\x0aPlace_of_Two_Deaths Quake I save: dm1 Place of two deaths 0 string = 5\x0aClaustrophobopolis Quake I save: dm2 Claustrophobopolis 0 string = 5\x0aThe_Abandoned_Base Quake I save: dm3 The abandoned base 0 string = 5\x0aThe_Bad_Place Quake I save: dm4 The bad place 0 string = 5\x0aThe_Cistern Quake I save: dm5 The cistern 0 string = 5\x0aThe_Dark_Zone Quake I save: dm6 The dark zone # Scourge of Armagon 0 string = 5\x0aCommand_HQ Quake I save: start Command HQ 0 string = 5\x0aThe_Pumping_Station Quake I save: hip1m1 The pumping station 0 string = 5\x0aStorage_Facility Quake I save: hip1m2 Storage facility 0 string = 5\x0aMilitary_Complex Quake I save: hip1m5 Military complex (secret) 0 string = 5\x0athe_Lost_Mine Quake I save: hip1m3 The lost mine 0 string = 5\x0aResearch_Facility Quake I save: hip1m4 Research facility 0 string = 5\x0aAncient_Realms Quake I save: hip2m1 Ancient realms 0 string = 5\x0aThe_Gremlin's_Domain Quake I save: hip2m6 The gremlin's domain (secret) 0 string = 5\x0aThe_Black_Cathedral Quake I save: hip2m2 The black cathedral 0 string = 5\x0aThe_Catacombs Quake I save: hip2m3 The catacombs 0 string = 5\x0athe_Crypt__ Quake I save: hip2m4 The crypt 0 string = 5\x0aMortum's_Keep Quake I save: hip2m5 Mortum's keep 0 string = 5\x0aTur_Torment Quake I save: hip3m1 Tur torment 0 string = 5\x0aPandemonium Quake I save: hip3m2 Pandemonium 0 string = 5\x0aLimbo Quake I save: hip3m3 Limbo 0 string = 5\x0athe_Edge_of_Oblivion Quake I save: hipdm1 The edge of oblivion (secret) 0 string = 5\x0aThe_Gauntlet Quake I save: hip3m4 The gauntlet 0 string = 5\x0aArmagon's_Lair Quake I save: hipend Armagon's lair # Malice 0 string = 5\x0aThe_Academy Quake I save: start The academy 0 string = 5\x0aThe_Lab Quake I save: d1 The lab 0 string = 5\x0aArea_33 Quake I save: d1b Area 33 0 string = 5\x0aSECRET_MISSIONS Quake I save: d3b Secret missions 0 string = 5\x0aThe_Hospital Quake I save: d10 The hospital (secret) 0 string = 5\x0aThe_Genetics_Lab Quake I save: d11 The genetics lab (secret) 0 string = 5\x0aBACK_2_MALICE Quake I save: d4b Back to Malice 0 string = 5\x0aArea44 Quake I save: d1c Area 44 0 string = 5\x0aTakahiro_Towers Quake I save: d2 Takahiro towers 0 string = 5\x0aA_Rat's_Life Quake I save: d3 A rat's life 0 string = 5\x0aInto_The_Flood Quake I save: d4 Into the flood 0 string = 5\x0aThe_Flood Quake I save: d5 The flood 0 string = 5\x0aNuclear_Plant Quake I save: d6 Nuclear plant 0 string = 5\x0aThe_Incinerator_Plant Quake I save: d7 The incinerator plant 0 string = 5\x0aThe_Foundry Quake I save: d7b The foundry 0 string = 5\x0aThe_Underwater_Base Quake I save: d8 The underwater base 0 string = 5\x0aTakahiro_Base Quake I save: d9 Takahiro base 0 string = 5\x0aTakahiro_Laboratories Quake I save: d12 Takahiro laboratories 0 string = 5\x0aStayin'_Alive Quake I save: d13 Stayin' alive 0 string = 5\x0aB.O.S.S._HQ Quake I save: d14 B.O.S.S. HQ 0 string = 5\x0aSHOWDOWN! Quake I save: d15 Showdown! # Malice DeathMatch levels 0 string = 5\x0aThe_Seventh_Precinct Quake I save: ddm1 The seventh precinct 0 string = 5\x0aSub_Station Quake I save: ddm2 Sub station 0 string = 5\x0aCrazy_Eights! Quake I save: ddm3 Crazy eights! 0 string = 5\x0aEast_Side_Invertationa Quake I save: ddm4 East side invertationa 0 string = 5\x0aSlaughterhouse Quake I save: ddm5 Slaughterhouse 0 string = 5\x0aDOMINO Quake I save: ddm6 Domino 0 string = 5\x0aSANDRA'S_LADDER Quake I save: ddm7 Sandra's ladder 0 string = MComprHD MAME CHD compressed hard disk image, >12 belong x - version %lu #------------------------------------------------------------------------------ # GEOS files (Vidar Madsen, vidar@gimp.org) # semi-commonly used in embedded and handheld systems. 0 belong = 0xc745c153 GEOS >40 byte = 1 executable >40 byte = 2 VMFile >40 byte = 3 binary >40 byte = 4 directory label >40 byte < 1 unknown >40 byte > 4 unknown >4 string > \0 \b, name "%s" #>44 short x \b, version %d #>46 short x \b.%d #>48 short x \b, rev %d #>50 short x \b.%d #>52 short x \b, proto %d #>54 short x \br%d #>168 string >\0 \b, copyright "%s" #------------------------------------------------------------------------------ # gcc: file(1) magic for GCC special files # 0 string = gpch GCC precompiled header # The version field is annoying. It's 3 characters, not zero-terminated. >5 byte x - (version %c >6 byte x - \b%c >7 byte x - \b%c) # 67 = 'C', 111 = 'o', 43 = '+', 79 = 'O' >4 byte = 67 for C >4 byte = 111 for Objective C >4 byte = 43 for C++ >4 byte = 79 for Objective C++ #------------------------------------------------------------------------------ # GIMP Gradient: file(1) magic for the GIMP's gradient data files # by Federico Mena 0 string = GIMP\ Gradient GIMP gradient data #------------------------------------------------------------------------------ # XCF: file(1) magic for the XCF image format used in the GIMP developed # by Spencer Kimball and Peter Mattis # ('Bucky' LaDieu, nega@vt.edu) 0 string = gimp\ xcf GIMP XCF image data, >9 string = file version 0, >9 string = v version >>10 string > \0 %s, >14 belong x - %lu x >18 belong x - %lu, >22 belong = 0 RGB Color >22 belong = 1 Greyscale >22 belong = 2 Indexed Color >22 belong > 2 Unknown Image Type. #------------------------------------------------------------------------------ # XCF: file(1) magic for the patterns used in the GIMP, developed # by Spencer Kimball and Peter Mattis # ('Bucky' LaDieu, nega@vt.edu) 20 string = GPAT GIMP pattern data, >24 string x - %s #------------------------------------------------------------------------------ # XCF: file(1) magic for the brushes used in the GIMP, developed # by Spencer Kimball and Peter Mattis # ('Bucky' LaDieu, nega@vt.edu) 20 string = GIMP GIMP brush data #------------------------------------------------------------------------------ # gnu: file(1) magic for various GNU tools # # GNU nlsutils message catalog file format # 0 string = \336\22\4\225 GNU message catalog (little endian), >4 lelong x - revision %d, >8 lelong x - %d messages 0 string = \225\4\22\336 GNU message catalog (big endian), >4 belong x - revision %d, >8 belong x - %d messages # message catalogs, from Mitchum DSouza 0 string = *nazgul* Nazgul style compiled message catalog >8 lelong > 0 \b, version %ld # GnuPG # The format is very similar to pgp 0 string = \001gpg GPG key trust database >4 byte x - version %d 0 beshort = 0x8502 GPG encrypted data # This magic is not particularly good, as the keyrings don't have true # magic. Nevertheless, it covers many keyrings. 0 beshort = 0x9901 GPG key public ring # Gnumeric spreadsheet # This entry is only semi-helpful, as Gnumeric compresses its files, so # they will ordinarily reported as "compressed", but at least -z helps 39 string = # gnu find magic 0 string = \0LOCATE GNU findutils locate database data >7 string > \0 \b, format %s >7 string = 02 \b (frcode) #------------------------------------------------------------------------------ # ACE/gr and Grace type files - PLEASE DO NOT REMOVE THIS LINE # # ACE/gr binary 0 string = \000\000\0001\000\000\0000\000\000\0000\000\000\0002\000\000\0000\000\000\0000\000\000\0003 old ACE/gr binary file >39 byte > 0 - version %c # ACE/gr ascii 0 string = #\ xvgr\ parameter\ file ACE/gr ascii file 0 string = #\ xmgr\ parameter\ file ACE/gr ascii file 0 string = #\ ACE/gr\ parameter\ file ACE/gr ascii file # Grace projects 0 string = #\ Grace\ project\ file Grace project file >23 string = @version\ (version >>32 byte > 0 %c >>33 string > \0 \b.%.2s >>35 string > \0 \b.%.2s) # ACE/gr fit description files 0 string = #\ ACE/gr\ fit\ description\ ACE/gr fit description file # end of ACE/gr and Grace type files - PLEASE DO NOT REMOVE THIS LINE #------------------------------------------------------------------------------ # gringotts: file(1) magic for Gringotts # http://devel.pluto.linux.it/projects/Gringotts/ # author: Germano Rizzo #GRG3????Y 0 string = GRG Gringotts data file #file format 1 >3 string = 1 v.1, MCRYPT S2K, SERPENT crypt, SHA-256 hash, ZLib lvl.9 #file format 2 >3 string = 2 v.2, MCRYPT S2K, >>8 byte&0x70 = 0x00 RIJNDAEL-128 crypt, >>8 byte&0x70 = 0x10 SERPENT crypt, >>8 byte&0x70 = 0x20 TWOFISH crypt, >>8 byte&0x70 = 0x30 CAST-256 crypt, >>8 byte&0x70 = 0x40 SAFER+ crypt, >>8 byte&0x70 = 0x50 LOKI97 crypt, >>8 byte&0x70 = 0x60 3DES crypt, >>8 byte&0x70 = 0x70 RIJNDAEL-256 crypt, >>8 byte&0x08 = 0x00 SHA1 hash, >>8 byte&0x08 = 0x08 RIPEMD-160 hash, >>8 byte&0x04 = 0x00 ZLib >>8 byte&0x04 = 0x04 BZip2 >>8 byte&0x03 = 0x00 lvl.0 >>8 byte&0x03 = 0x01 lvl.3 >>8 byte&0x03 = 0x02 lvl.6 >>8 byte&0x03 = 0x03 lvl.9 #file format 3 >3 string = 3 v.3, OpenPGP S2K, >>8 byte&0x70 = 0x00 RIJNDAEL-128 crypt, >>8 byte&0x70 = 0x10 SERPENT crypt, >>8 byte&0x70 = 0x20 TWOFISH crypt, >>8 byte&0x70 = 0x30 CAST-256 crypt, >>8 byte&0x70 = 0x40 SAFER+ crypt, >>8 byte&0x70 = 0x50 LOKI97 crypt, >>8 byte&0x70 = 0x60 3DES crypt, >>8 byte&0x70 = 0x70 RIJNDAEL-256 crypt, >>8 byte&0x08 = 0x00 SHA1 hash, >>8 byte&0x08 = 0x08 RIPEMD-160 hash, >>8 byte&0x04 = 0x00 ZLib >>8 byte&0x04 = 0x04 BZip2 >>8 byte&0x03 = 0x00 lvl.0 >>8 byte&0x03 = 0x01 lvl.3 >>8 byte&0x03 = 0x02 lvl.6 >>8 byte&0x03 = 0x03 lvl.9 #file format >3 >3 string > 3 v.%.1s (unknown details) #------------------------------------------------------------------------------ # hitach-sh: file(1) magic for Hitachi Super-H # # Super-H COFF # 0 beshort = 0x0500 Hitachi SH big-endian COFF >18 beshort&0x0002 = 0x0000 object >18 beshort&0x0002 = 0x0002 executable >18 beshort&0x0008 = 0x0008 \b, stripped >18 beshort&0x0008 = 0x0000 \b, not stripped # 0 leshort = 0x0550 Hitachi SH little-endian COFF >18 leshort&0x0002 = 0x0000 object >18 leshort&0x0002 = 0x0002 executable >18 leshort&0x0008 = 0x0008 \b, stripped >18 leshort&0x0008 = 0x0000 \b, not stripped #------------------------------------------------------------------------------ # hp: file(1) magic for Hewlett Packard machines (see also "printer") # # XXX - somebody should figure out whether any byte order needs to be # applied to the "TML" stuff; I'm assuming the Apollo stuff is # big-endian as it was mostly 68K-based. # # I think the 500 series was the old stack-based machines, running a # UNIX environment atop the "SUN kernel"; dunno whether it was # big-endian or little-endian. # # Daniel Quinlan (quinlan@yggdrasil.com): hp200 machines are 68010 based; # hp300 are 68020+68881 based; hp400 are also 68k. The following basic # HP magic is useful for reference, but using "long" magic is a better # practice in order to avoid collisions. # # Guy Harris (guy@netapp.com): some additions to this list came from # HP-UX 10.0's "/usr/include/sys/unistd.h" (68030, 68040, PA-RISC 1.1, # 1.2, and 2.0). The 1.2 and 2.0 stuff isn't in the HP-UX 10.0 # "/etc/magic", though, except for the "archive file relocatable library" # stuff, and the 68030 and 68040 stuff isn't there at all - are they not # used in executables, or have they just not yet updated "/etc/magic" # completely? # # 0 beshort 200 hp200 (68010) BSD binary # 0 beshort 300 hp300 (68020+68881) BSD binary # 0 beshort 0x20c hp200/300 HP-UX binary # 0 beshort 0x20d hp400 (68030) HP-UX binary # 0 beshort 0x20e hp400 (68040?) HP-UX binary # 0 beshort 0x20b PA-RISC1.0 HP-UX binary # 0 beshort 0x210 PA-RISC1.1 HP-UX binary # 0 beshort 0x211 PA-RISC1.2 HP-UX binary # 0 beshort 0x214 PA-RISC2.0 HP-UX binary # # The "misc" stuff needs a byte order; the archives look suspiciously # like the old 177545 archives (0xff65 = 0177545). # #### Old Apollo stuff 0 beshort = 0627 Apollo m68k COFF executable >18 beshort ^ 040000 not stripped >22 beshort > 0 - version %ld 0 beshort = 0624 apollo a88k COFF executable >18 beshort ^ 040000 not stripped >22 beshort > 0 - version %ld 0 long = 01203604016 TML 0123 byte-order format 0 long = 01702407010 TML 1032 byte-order format 0 long = 01003405017 TML 2301 byte-order format 0 long = 01602007412 TML 3210 byte-order format #### PA-RISC 1.1 0 belong = 0x02100106 PA-RISC1.1 relocatable object 0 belong = 0x02100107 PA-RISC1.1 executable >168 belong & 0x00000004 dynamically linked >(144) belong = 0x054ef630 dynamically linked >96 belong > 0 - not stripped 0 belong = 0x02100108 PA-RISC1.1 shared executable >168 belong&0x4 = 0x4 dynamically linked >(144) belong = 0x054ef630 dynamically linked >96 belong > 0 - not stripped 0 belong = 0x0210010b PA-RISC1.1 demand-load executable >168 belong&0x4 = 0x4 dynamically linked >(144) belong = 0x054ef630 dynamically linked >96 belong > 0 - not stripped 0 belong = 0x0210010e PA-RISC1.1 shared library >96 belong > 0 - not stripped 0 belong = 0x0210010d PA-RISC1.1 dynamic load library >96 belong > 0 - not stripped #### PA-RISC 2.0 0 belong = 0x02140106 PA-RISC2.0 relocatable object 0 belong = 0x02140107 PA-RISC2.0 executable >168 belong & 0x00000004 dynamically linked >(144) belong = 0x054ef630 dynamically linked >96 belong > 0 - not stripped 0 belong = 0x02140108 PA-RISC2.0 shared executable >168 belong & 0x00000004 dynamically linked >(144) belong = 0x054ef630 dynamically linked >96 belong > 0 - not stripped 0 belong = 0x0214010b PA-RISC2.0 demand-load executable >168 belong & 0x00000004 dynamically linked >(144) belong = 0x054ef630 dynamically linked >96 belong > 0 - not stripped 0 belong = 0x0214010e PA-RISC2.0 shared library >96 belong > 0 - not stripped 0 belong = 0x0214010d PA-RISC2.0 dynamic load library >96 belong > 0 - not stripped #### 800 0 belong = 0x020b0106 PA-RISC1.0 relocatable object 0 belong = 0x020b0107 PA-RISC1.0 executable >168 belong&0x4 = 0x4 dynamically linked >(144) belong = 0x054ef630 dynamically linked >96 belong > 0 - not stripped 0 belong = 0x020b0108 PA-RISC1.0 shared executable >168 belong&0x4 = 0x4 dynamically linked >(144) belong = 0x054ef630 dynamically linked >96 belong > 0 - not stripped 0 belong = 0x020b010b PA-RISC1.0 demand-load executable >168 belong&0x4 = 0x4 dynamically linked >(144) belong = 0x054ef630 dynamically linked >96 belong > 0 - not stripped 0 belong = 0x020b010e PA-RISC1.0 shared library >96 belong > 0 - not stripped 0 belong = 0x020b010d PA-RISC1.0 dynamic load library >96 belong > 0 - not stripped 0 belong = 0x213c6172 archive file >68 belong = 0x020b0619 - PA-RISC1.0 relocatable library >68 belong = 0x02100619 - PA-RISC1.1 relocatable library >68 belong = 0x02110619 - PA-RISC1.2 relocatable library >68 belong = 0x02140619 - PA-RISC2.0 relocatable library #### 500 0 long = 0x02080106 HP s500 relocatable executable >16 long > 0 - version %ld 0 long = 0x02080107 HP s500 executable >16 long > 0 - version %ld 0 long = 0x02080108 HP s500 pure executable >16 long > 0 - version %ld #### 200 0 belong = 0x020c0108 HP s200 pure executable >4 beshort > 0 - version %ld >8 belong & 0x80000000 save fp regs >8 belong & 0x40000000 dynamically linked >8 belong & 0x20000000 debuggable >36 belong > 0 not stripped 0 belong = 0x020c0107 HP s200 executable >4 beshort > 0 - version %ld >8 belong & 0x80000000 save fp regs >8 belong & 0x40000000 dynamically linked >8 belong & 0x20000000 debuggable >36 belong > 0 not stripped 0 belong = 0x020c010b HP s200 demand-load executable >4 beshort > 0 - version %ld >8 belong & 0x80000000 save fp regs >8 belong & 0x40000000 dynamically linked >8 belong & 0x20000000 debuggable >36 belong > 0 not stripped 0 belong = 0x020c0106 HP s200 relocatable executable >4 beshort > 0 - version %ld >6 beshort > 0 - highwater %d >8 belong & 0x80000000 save fp regs >8 belong & 0x20000000 debuggable >8 belong & 0x10000000 PIC 0 belong = 0x020a0108 HP s200 (2.x release) pure executable >4 beshort > 0 - version %ld >36 belong > 0 not stripped 0 belong = 0x020a0107 HP s200 (2.x release) executable >4 beshort > 0 - version %ld >36 belong > 0 not stripped 0 belong = 0x020c010e HP s200 shared library >4 beshort > 0 - version %ld >6 beshort > 0 - highwater %d >36 belong > 0 not stripped 0 belong = 0x020c010d HP s200 dynamic load library >4 beshort > 0 - version %ld >6 beshort > 0 - highwater %d >36 belong > 0 not stripped #### MISC 0 long = 0x0000ff65 HP old archive 0 long = 0x020aff65 HP s200 old archive 0 long = 0x020cff65 HP s200 old archive 0 long = 0x0208ff65 HP s500 old archive 0 long = 0x015821a6 HP core file 0 long = 0x4da7eee8 HP-WINDOWS font >8 byte > 0 - version %ld 0 string = Bitmapfile HP Bitmapfile 0 string = IMGfile CIS compimg HP Bitmapfile # XXX - see "lif" #0 short 0x8000 lif file 0 long = 0x020c010c compiled Lisp 0 string = msgcat01 HP NLS message catalog, >8 long > 0 %d messages # addendum to /etc/magic with HP-48sx file-types by phk@data.fls.dk 1jan92 0 string = HPHP48- HP48 binary >7 byte > 0 - Rev %c >8 beshort = 0x1129 (ADR) >8 beshort = 0x3329 (REAL) >8 beshort = 0x5529 (LREAL) >8 beshort = 0x7729 (COMPLX) >8 beshort = 0x9d29 (LCOMPLX) >8 beshort = 0xbf29 (CHAR) >8 beshort = 0xe829 (ARRAY) >8 beshort = 0x0a2a (LNKARRAY) >8 beshort = 0x2c2a (STRING) >8 beshort = 0x4e2a (HXS) >8 beshort = 0x742a (LIST) >8 beshort = 0x962a (DIR) >8 beshort = 0xb82a (ALG) >8 beshort = 0xda2a (UNIT) >8 beshort = 0xfc2a (TAGGED) >8 beshort = 0x1e2b (GROB) >8 beshort = 0x402b (LIB) >8 beshort = 0x622b (BACKUP) >8 beshort = 0x882b (LIBDATA) >8 beshort = 0x9d2d (PROG) >8 beshort = 0xcc2d (CODE) >8 beshort = 0x482e (GNAME) >8 beshort = 0x6d2e (LNAME) >8 beshort = 0x922e (XLIB) 0 string = %%HP: HP48 text >6 string = T(0) - T(0) >6 string = T(1) - T(1) >6 string = T(2) - T(2) >6 string = T(3) - T(3) >10 string = A(D) A(D) >10 string = A(R) A(R) >10 string = A(G) A(G) >14 string = F(.) F(.); >14 string = F(,) F(,); # hpBSD magic numbers 0 beshort = 200 hp200 (68010) BSD >2 beshort = 0407 impure binary >2 beshort = 0410 read-only binary >2 beshort = 0413 demand paged binary 0 beshort = 300 hp300 (68020+68881) BSD >2 beshort = 0407 impure binary >2 beshort = 0410 read-only binary >2 beshort = 0413 demand paged binary # # From David Gero # HP-UX 10.20 core file format from /usr/include/sys/core.h # Unfortunately, HP-UX uses corehead blocks without specifying the order # There are four we care about: # CORE_KERNEL, which starts with the string "HP-UX" # CORE_EXEC, which contains the name of the command # CORE_PROC, which contains the signal number that caused the core dump # CORE_FORMAT, which contains the version of the core file format (== 1) # The only observed order in real core files is KERNEL, EXEC, FORMAT, PROC # but we include all 6 variations of the order of the first 3, and # assume that PROC will always be last # Order 1: KERNEL, EXEC, FORMAT, PROC 0x10 string = HP-UX >0 belong = 2 >>0xC belong = 0x3C >>>0x4C belong = 0x100 >>>>0x58 belong = 0x44 >>>>>0xA0 belong = 1 >>>>>>0xAC belong = 4 >>>>>>>0xB0 belong = 1 >>>>>>>>0xB4 belong = 4 core file >>>>>>>>>0x90 string > \0 from '%s' >>>>>>>>>0xC4 belong = 3 - received SIGQUIT >>>>>>>>>0xC4 belong = 4 - received SIGILL >>>>>>>>>0xC4 belong = 5 - received SIGTRAP >>>>>>>>>0xC4 belong = 6 - received SIGABRT >>>>>>>>>0xC4 belong = 7 - received SIGEMT >>>>>>>>>0xC4 belong = 8 - received SIGFPE >>>>>>>>>0xC4 belong = 10 - received SIGBUS >>>>>>>>>0xC4 belong = 11 - received SIGSEGV >>>>>>>>>0xC4 belong = 12 - received SIGSYS >>>>>>>>>0xC4 belong = 33 - received SIGXCPU >>>>>>>>>0xC4 belong = 34 - received SIGXFSZ # Order 2: KERNEL, FORMAT, EXEC, PROC >>>0x4C belong = 1 >>>>0x58 belong = 4 >>>>>0x5C belong = 1 >>>>>>0x60 belong = 0x100 >>>>>>>0x6C belong = 0x44 >>>>>>>>0xB4 belong = 4 core file >>>>>>>>>0xA4 string > \0 from '%s' >>>>>>>>>0xC4 belong = 3 - received SIGQUIT >>>>>>>>>0xC4 belong = 4 - received SIGILL >>>>>>>>>0xC4 belong = 5 - received SIGTRAP >>>>>>>>>0xC4 belong = 6 - received SIGABRT >>>>>>>>>0xC4 belong = 7 - received SIGEMT >>>>>>>>>0xC4 belong = 8 - received SIGFPE >>>>>>>>>0xC4 belong = 10 - received SIGBUS >>>>>>>>>0xC4 belong = 11 - received SIGSEGV >>>>>>>>>0xC4 belong = 12 - received SIGSYS >>>>>>>>>0xC4 belong = 33 - received SIGXCPU >>>>>>>>>0xC4 belong = 34 - received SIGXFSZ # Order 3: FORMAT, KERNEL, EXEC, PROC 0x24 string = HP-UX >0 belong = 1 >>0xC belong = 4 >>>0x10 belong = 1 >>>>0x14 belong = 2 >>>>>0x20 belong = 0x3C >>>>>>0x60 belong = 0x100 >>>>>>>0x6C belong = 0x44 >>>>>>>>0xB4 belong = 4 core file >>>>>>>>>0xA4 string > \0 from '%s' >>>>>>>>>0xC4 belong = 3 - received SIGQUIT >>>>>>>>>0xC4 belong = 4 - received SIGILL >>>>>>>>>0xC4 belong = 5 - received SIGTRAP >>>>>>>>>0xC4 belong = 6 - received SIGABRT >>>>>>>>>0xC4 belong = 7 - received SIGEMT >>>>>>>>>0xC4 belong = 8 - received SIGFPE >>>>>>>>>0xC4 belong = 10 - received SIGBUS >>>>>>>>>0xC4 belong = 11 - received SIGSEGV >>>>>>>>>0xC4 belong = 12 - received SIGSYS >>>>>>>>>0xC4 belong = 33 - received SIGXCPU >>>>>>>>>0xC4 belong = 34 - received SIGXFSZ # Order 4: EXEC, KERNEL, FORMAT, PROC 0x64 string = HP-UX >0 belong = 0x100 >>0xC belong = 0x44 >>>0x54 belong = 2 >>>>0x60 belong = 0x3C >>>>>0xA0 belong = 1 >>>>>>0xAC belong = 4 >>>>>>>0xB0 belong = 1 >>>>>>>>0xB4 belong = 4 core file >>>>>>>>>0x44 string > \0 from '%s' >>>>>>>>>0xC4 belong = 3 - received SIGQUIT >>>>>>>>>0xC4 belong = 4 - received SIGILL >>>>>>>>>0xC4 belong = 5 - received SIGTRAP >>>>>>>>>0xC4 belong = 6 - received SIGABRT >>>>>>>>>0xC4 belong = 7 - received SIGEMT >>>>>>>>>0xC4 belong = 8 - received SIGFPE >>>>>>>>>0xC4 belong = 10 - received SIGBUS >>>>>>>>>0xC4 belong = 11 - received SIGSEGV >>>>>>>>>0xC4 belong = 12 - received SIGSYS >>>>>>>>>0xC4 belong = 33 - received SIGXCPU >>>>>>>>>0xC4 belong = 34 - received SIGXFSZ # Order 5: FORMAT, EXEC, KERNEL, PROC 0x78 string = HP-UX >0 belong = 1 >>0xC belong = 4 >>>0x10 belong = 1 >>>>0x14 belong = 0x100 >>>>>0x20 belong = 0x44 >>>>>>0x68 belong = 2 >>>>>>>0x74 belong = 0x3C >>>>>>>>0xB4 belong = 4 core file >>>>>>>>>0x58 string > \0 from '%s' >>>>>>>>>0xC4 belong = 3 - received SIGQUIT >>>>>>>>>0xC4 belong = 4 - received SIGILL >>>>>>>>>0xC4 belong = 5 - received SIGTRAP >>>>>>>>>0xC4 belong = 6 - received SIGABRT >>>>>>>>>0xC4 belong = 7 - received SIGEMT >>>>>>>>>0xC4 belong = 8 - received SIGFPE >>>>>>>>>0xC4 belong = 10 - received SIGBUS >>>>>>>>>0xC4 belong = 11 - received SIGSEGV >>>>>>>>>0xC4 belong = 12 - received SIGSYS >>>>>>>>>0xC4 belong = 33 - received SIGXCPU >>>>>>>>>0xC4 belong = 34 - received SIGXFSZ # Order 6: EXEC, FORMAT, KERNEL, PROC >0 belong = 0x100 >>0xC belong = 0x44 >>>0x54 belong = 1 >>>>0x60 belong = 4 >>>>>0x64 belong = 1 >>>>>>0x68 belong = 2 >>>>>>>0x74 belong = 0x2C >>>>>>>>0xB4 belong = 4 core file >>>>>>>>>0x44 string > \0 from '%s' >>>>>>>>>0xC4 belong = 3 - received SIGQUIT >>>>>>>>>0xC4 belong = 4 - received SIGILL >>>>>>>>>0xC4 belong = 5 - received SIGTRAP >>>>>>>>>0xC4 belong = 6 - received SIGABRT >>>>>>>>>0xC4 belong = 7 - received SIGEMT >>>>>>>>>0xC4 belong = 8 - received SIGFPE >>>>>>>>>0xC4 belong = 10 - received SIGBUS >>>>>>>>>0xC4 belong = 11 - received SIGSEGV >>>>>>>>>0xC4 belong = 12 - received SIGSYS >>>>>>>>>0xC4 belong = 33 - received SIGXCPU >>>>>>>>>0xC4 belong = 34 - received SIGXFSZ # From: AMAKAWA Shuhei 0 string = HPHP49- HP49 binary #------------------------------------------------------------------------------ # human68k: file(1) magic for Human68k (X680x0 DOS) binary formats # Magic too short! #0 string HU Human68k #>68 string LZX LZX compressed #>>72 string >\0 (version %s) #>(8.L+74) string LZX LZX compressed #>>(8.L+78) string >\0 (version %s) #>60 belong >0 binded #>(8.L+66) string #HUPAIR hupair #>0 string HU X executable #>(8.L+74) string #LIBCV1 - linked PD LIBC ver 1 #>4 belong >0 - base address 0x%x #>28 belong >0 not stripped #>32 belong >0 with debug information #0 beshort 0x601a Human68k Z executable #0 beshort 0x6000 Human68k object file #0 belong 0xd1000000 Human68k ar binary archive #0 belong 0xd1010000 Human68k ar ascii archive #0 beshort 0x0068 Human68k lib archive #4 string LZX Human68k LZX compressed #>8 string >\0 (version %s) #>4 string LZX R executable #2 string #HUPAIR Human68k hupair R executable #------------------------------------------------------------------------------ # ibm370: file(1) magic for IBM 370 and compatibles. # # "ibm370" said that 0x15d == 0535 was "ibm 370 pure executable". # What the heck *is* "USS/370"? # AIX 4.1's "/etc/magic" has # # 0 short 0535 370 sysV executable # >12 long >0 not stripped # >22 short >0 - version %d # >30 long >0 - 5.2 format # 0 short 0530 370 sysV pure executable # >12 long >0 not stripped # >22 short >0 - version %d # >30 long >0 - 5.2 format # # instead of the "USS/370" versions of the same magic numbers. # 0 beshort = 0537 370 XA sysV executable >12 belong > 0 not stripped >22 beshort > 0 - version %d >30 belong > 0 - 5.2 format 0 beshort = 0532 370 XA sysV pure executable >12 belong > 0 not stripped >22 beshort > 0 - version %d >30 belong > 0 - 5.2 format 0 beshort = 054001 370 sysV pure executable >12 belong > 0 not stripped 0 beshort = 055001 370 XA sysV pure executable >12 belong > 0 not stripped 0 beshort = 056401 370 sysV executable >12 belong > 0 not stripped 0 beshort = 057401 370 XA sysV executable >12 belong > 0 not stripped 0 beshort = 0531 SVR2 executable (Amdahl-UTS) >12 belong > 0 not stripped >24 belong > 0 - version %ld 0 beshort = 0534 SVR2 pure executable (Amdahl-UTS) >12 belong > 0 not stripped >24 belong > 0 - version %ld 0 beshort = 0530 SVR2 pure executable (USS/370) >12 belong > 0 not stripped >24 belong > 0 - version %ld 0 beshort = 0535 SVR2 executable (USS/370) >12 belong > 0 not stripped >24 belong > 0 - version %ld #------------------------------------------------------------------------------ # ibm6000: file(1) magic for RS/6000 and the RT PC. # 0 beshort = 0x01df executable (RISC System/6000 V3.1) or obj module >12 belong > 0 not stripped # Breaks sun4 statically linked execs. #0 beshort 0x0103 executable (RT Version 2) or obj module #>2 byte 0x50 pure #>28 belong >0 not stripped #>6 beshort >0 - version %ld 0 beshort = 0x0104 shared library 0 beshort = 0x0105 ctab data 0 beshort = 0xfe04 structured file 0 string = 0xabcdef AIX message catalog 0 belong = 0x000001f9 AIX compiled message catalog 0 string = \ archive 0 string = \ archive (big format) #------------------------------------------------------------------------------ # iff: file(1) magic for Interchange File Format (see also "audio" & "images") # # Daniel Quinlan (quinlan@yggdrasil.com) -- IFF was designed by Electronic # Arts for file interchange. It has also been used by Apple, SGI, and # especially Commodore-Amiga. # # IFF files begin with an 8 byte FORM header, followed by a 4 character # FORM type, which is followed by the first chunk in the FORM. 0 string = FORM IFF data #>4 belong x \b, FORM is %d bytes long # audio formats >8 string = AIFF \b, AIFF audio >8 string = AIFC \b, AIFF-C compressed audio >8 string = 8SVX \b, 8SVX 8-bit sampled sound voice >8 string = 16SV \b, 16SV 16-bit sampled sound voice >8 string = SAMP \b, SAMP sampled audio >8 string = MAUD \b, MAUD MacroSystem audio >8 string = SMUS \b, SMUS simple music >8 string = CMUS \b, CMUS complex music # image formats >8 string = ILBMBMHD \b, ILBM interleaved image >>20 beshort x - \b, %d x >>22 beshort x - %d >8 string = RGBN \b, RGBN 12-bit RGB image >8 string = RGB8 \b, RGB8 24-bit RGB image >8 string = DEEP \b, DEEP TVPaint/XiPaint image >8 string = DR2D \b, DR2D 2-D object >8 string = TDDD \b, TDDD 3-D rendering >8 string = LWOB \b, LWOB 3-D object >8 string = LWO2 \b, LWO2 3-D object, v2 >8 string = LWLO \b, LWLO 3-D layered object >8 string = REAL \b, REAL Real3D rendering >8 string = MC4D \b, MC4D MaxonCinema4D rendering >8 string = ANIM \b, ANIM animation >8 string = YAFA \b, YAFA animation >8 string = SSA\ \b, SSA super smooth animation >8 string = ACBM \b, ACBM continuous image >8 string = FAXX \b, FAXX fax image # other formats >8 string = FTXT \b, FTXT formatted text >8 string = CTLG \b, CTLG message catalog >8 string = PREF \b, PREF preferences >8 string = DTYP \b, DTYP datatype description >8 string = PTCH \b, PTCH binary patch >8 string = AMFF \b, AMFF AmigaMetaFile format >8 string = WZRD \b, WZRD StormWIZARD resource >8 string = DOC\ \b, DOC desktop publishing document # These go at the end of the iff rules # # I don't see why these might collide with anything else. # # Interactive Fiction related formats # >8 string = IFRS \b, Blorb Interactive Fiction >>24 string = Exec with executable chunk >8 string = IFZS \b, Z-machine or Glulx saved game file (Quetzal) #------------------------------------------------------------------------------ # images: file(1) magic for image formats (see also "iff") # # originally from jef@helios.ee.lbl.gov (Jef Poskanzer), # additions by janl@ifi.uio.no as well as others. Jan also suggested # merging several one- and two-line files into here. # # little magic: PCX (first byte is 0x0a) # Targa - matches `povray', `ppmtotga' and `xv' outputs # by Philippe De Muyter # at 2, byte ImgType must be 1, 2, 3, 9, 10 or 11 # at 1, byte CoMapType must be 1 if ImgType is 1 or 9, 0 otherwise # at 3, leshort Index is 0 for povray, ppmtotga and xv outputs # `xv' recognizes only a subset of the following (RGB with pixelsize = 24) # `tgatoppm' recognizes a superset (Index may be anything) 1 belong&0xfff7ffff = 0x01010000 Targa image data - Map >2 byte&8 = 8 - RLE >12 leshort > 0 %hd x >14 leshort > 0 %hd 1 belong&0xfff7ffff = 0x00020000 Targa image data - RGB >2 byte&8 = 8 - RLE >12 leshort > 0 %hd x >14 leshort > 0 %hd 1 belong&0xfff7ffff = 0x00030000 Targa image data - Mono >2 byte&8 = 8 - RLE >12 leshort > 0 %hd x >14 leshort > 0 %hd # PBMPLUS images # The next byte following the magic is always whitespace. 0 string = P1 Netpbm PBM image text 0 string = P2 Netpbm PGM image text 0 string = P3 Netpbm PPM image text 0 string = P4 Netpbm PBM "rawbits" image data 0 string = P5 Netpbm PGM "rawbits" image data 0 string = P6 Netpbm PPM "rawbits" image data 0 string = P7 Netpbm PAM image file # From: bryanh@giraffe-data.com (Bryan Henderson) 0 string = \117\072 Solitaire Image Recorder format >4 string = \013 MGI Type 11 >4 string = \021 MGI Type 17 0 string = .MDA MicroDesign data >21 byte = 48 version 2 >21 byte = 51 version 3 0 string = .MDP MicroDesign page data >21 byte = 48 version 2 >21 byte = 51 version 3 # NIFF (Navy Interchange File Format, a modification of TIFF) images 0 string = IIN1 NIFF image data # Tag Image File Format, from Daniel Quinlan (quinlan@yggdrasil.com) # The second word of TIFF files is the TIFF version number, 42, which has # never changed. The TIFF specification recommends testing for it. 0 string = MM\x00\x2a TIFF image data, big-endian 0 string = II\x2a\x00 TIFF image data, little-endian # PNG [Portable Network Graphics, or "PNG's Not GIF"] images # (Greg Roelofs, newt@uchicago.edu) # (Albert Cahalan, acahalan@cs.uml.edu) # # 137 P N G \r \n ^Z \n [4-byte length] H E A D [HEAD data] [HEAD crc] ... # 0 string = \x89PNG PNG image data, >4 belong != 0x0d0a1a0a CORRUPTED, >4 belong = 0x0d0a1a0a >>16 belong x - %ld x >>20 belong x - %ld, >>24 byte x - %d-bit >>25 byte = 0 grayscale, >>25 byte = 2 \b/color RGB, >>25 byte = 3 colormap, >>25 byte = 4 gray+alpha, >>25 byte = 6 \b/color RGBA, #>>26 byte 0 deflate/32K, >>28 byte = 0 non-interlaced >>28 byte = 1 interlaced 1 string = PNG PNG image data, CORRUPTED # GIF 0 string = GIF8 GIF image data >4 string = 7a \b, version 8%s, >4 string = 9a \b, version 8%s, >6 leshort > 0 %hd x >8 leshort > 0 %hd #>10 byte &0x80 color mapped, #>10 byte&0x07 =0x00 2 colors #>10 byte&0x07 =0x01 4 colors #>10 byte&0x07 =0x02 8 colors #>10 byte&0x07 =0x03 16 colors #>10 byte&0x07 =0x04 32 colors #>10 byte&0x07 =0x05 64 colors #>10 byte&0x07 =0x06 128 colors #>10 byte&0x07 =0x07 256 colors # ITC (CMU WM) raster files. It is essentially a byte-reversed Sun raster, # 1 plane, no encoding. 0 string = \361\0\100\273 CMU window manager raster image data >4 lelong > 0 %d x >8 lelong > 0 %d, >12 lelong > 0 %d-bit # Magick Image File Format 0 string = id=ImageMagick MIFF image data # Artisan 0 long = 1123028772 Artisan image data >4 long = 1 \b, rectangular 24-bit >4 long = 2 \b, rectangular 8-bit with colormap >4 long = 3 \b, rectangular 32-bit (24-bit with matte) # FIG (Facility for Interactive Generation of figures), an object-based format 0 string = #FIG FIG image text >5 string x - \b, version %.3s # PHIGS 0 string = ARF_BEGARF PHIGS clear text archive 0 string = @(#)SunPHIGS SunPHIGS # version number follows, in the form m.n >40 string = SunBin binary >32 string = archive archive # GKS (Graphics Kernel System) 0 string = GKSM GKS Metafile >24 string = SunGKS \b, SunGKS # CGM image files 0 string = BEGMF clear text Computer Graphics Metafile # XXX - questionable magic 0 beshort&0xffe0 = 0x0020 binary Computer Graphics Metafile 0 beshort = 0x3020 character Computer Graphics Metafile # MGR bitmaps (Michael Haardt, u31b3hs@pool.informatik.rwth-aachen.de) 0 string = yz MGR bitmap, modern format, 8-bit aligned 0 string = zz MGR bitmap, old format, 1-bit deep, 16-bit aligned 0 string = xz MGR bitmap, old format, 1-bit deep, 32-bit aligned 0 string = yx MGR bitmap, modern format, squeezed # Fuzzy Bitmap (FBM) images 0 string = %bitmap\0 FBM image data >30 long = 0x31 \b, mono >30 long = 0x33 \b, color # facsimile data 1 string = PC\ Research,\ Inc group 3 fax data >29 byte = 0 \b, normal resolution (204x98 DPI) >29 byte = 1 \b, fine resolution (204x196 DPI) # From: Herbert Rosmanith 0 string = Sfff structured fax file # PC bitmaps (OS/2, Windoze BMP files) (Greg Roelofs, newt@uchicago.edu) 0 string = BM PC bitmap data >14 leshort = 12 \b, OS/2 1.x format >>18 leshort x - \b, %d x >>20 leshort x - %d >14 leshort = 64 \b, OS/2 2.x format >>18 leshort x - \b, %d x >>20 leshort x - %d >14 leshort = 40 \b, Windows 3.x format >>18 lelong x - \b, %d x >>22 lelong x - %d x >>28 leshort x - %d # Too simple - MPi #0 string IC PC icon data #0 string PI PC pointer image data #0 string CI PC color icon data #0 string CP PC color pointer image data # Conflicts with other entries [BABYL] #0 string BA PC bitmap array data # XPM icons (Greg Roelofs, newt@uchicago.edu) # note possible collision with C/REXX entry in c-lang; currently commented out 0 string = /*\ XPM\ */ X pixmap image text # Utah Raster Toolkit RLE images (janl@ifi.uio.no) 0 leshort = 0xcc52 RLE image data, >6 leshort x - %d x >8 leshort x - %d >2 leshort > 0 \b, lower left corner: %d >4 leshort > 0 \b, lower right corner: %d >10 byte&0x1 = 0x1 \b, clear first >10 byte&0x2 = 0x2 \b, no background >10 byte&0x4 = 0x4 \b, alpha channel >10 byte&0x8 = 0x8 \b, comment >11 byte > 0 \b, %d color channels >12 byte > 0 \b, %d bits per pixel >13 byte > 0 \b, %d color map channels # image file format (Robert Potter, potter@cs.rochester.edu) 0 string = Imagefile\ version- iff image data # this adds the whole header (inc. version number), informative but longish >10 string > \0 %s # Sun raster images, from Daniel Quinlan (quinlan@yggdrasil.com) 0 belong = 0x59a66a95 Sun raster image data >4 belong > 0 \b, %d x >8 belong > 0 %d, >12 belong > 0 %d-bit, #>16 belong >0 %d bytes long, >20 belong = 0 old format, #>20 belong 1 standard, >20 belong = 2 compressed, >20 belong = 3 RGB, >20 belong = 4 TIFF, >20 belong = 5 IFF, >20 belong = 0xffff reserved for testing, >24 belong = 0 no colormap >24 belong = 1 RGB colormap >24 belong = 2 raw colormap #>28 belong >0 colormap is %d bytes long # SGI image file format, from Daniel Quinlan (quinlan@yggdrasil.com) # # See # http://reality.sgi.com/grafica/sgiimage.html # 0 beshort = 474 SGI image data #>2 byte 0 \b, verbatim >2 byte = 1 \b, RLE #>3 byte 1 \b, normal precision >3 byte = 2 \b, high precision >4 beshort x - \b, %d-D >6 beshort x - \b, %d x >8 beshort x - %d >10 beshort x - \b, %d channel >10 beshort != 1 \bs >80 string > 0 \b, "%s" 0 string = IT01 FIT image data >4 belong x - \b, %d x >8 belong x - %d x >12 belong x - %d # 0 string = IT02 FIT image data >4 belong x - \b, %d x >8 belong x - %d x >12 belong x - %d # 2048 string = PCD_IPI Kodak Photo CD image pack file >0xe02 byte&0x03 = 0x00 , landscape mode >0xe02 byte&0x03 = 0x01 , portrait mode >0xe02 byte&0x03 = 0x02 , landscape mode >0xe02 byte&0x03 = 0x03 , portrait mode 0 string = PCD_OPA Kodak Photo CD overview pack file # FITS format. Jeff Uphoff # FITS is the Flexible Image Transport System, the de facto standard for # data and image transfer, storage, etc., for the astronomical community. # (FITS floating point formats are big-endian.) 0 string = SIMPLE\ \ = FITS image data >109 string = 8 \b, 8-bit, character or unsigned binary integer >108 string = 16 \b, 16-bit, two's complement binary integer >107 string = \ 32 \b, 32-bit, two's complement binary integer >107 string = -32 \b, 32-bit, floating point, single precision >107 string = -64 \b, 64-bit, floating point, double precision # other images 0 string = This\ is\ a\ BitMap\ file Lisp Machine bit-array-file 0 string = !! Bennet Yee's "face" format # From SunOS 5.5.1 "/etc/magic" - appeared right before Sun raster image # stuff. # 0 beshort = 0x1010 PEX Binary Archive # Visio drawings 03000 string = Visio\ (TM)\ Drawing %s # Tgif files 0 string = \%TGIF\ x Tgif file version %s # DICOM medical imaging data 128 string = DICM DICOM medical imaging data # XWD - X Window Dump file. # As described in /usr/X11R6/include/X11/XWDFile.h # used by the xwd program. # Bradford Castalia, idaeim, 1/01 4 belong = 7 XWD X Window Dump image data >100 string > \0 \b, "%s" >16 belong x - \b, %dx >20 belong x - \b%dx >12 belong x - \b%d # PDS - Planetary Data System # These files use Parameter Value Language in the header section. # Unfortunately, there is no certain magic, but the following # strings have been found to be most likely. 0 string = NJPL1I00 PDS (JPL) image data 2 string = NJPL1I PDS (JPL) image data 0 string = CCSD3ZF PDS (CCSD) image data 2 string = CCSD3Z PDS (CCSD) image data 0 string = PDS_ PDS image data 0 string = LBLSIZE= PDS (VICAR) image data # pM8x: ATARI STAD compressed bitmap format # # from Oskar Schirmer Feb 2, 2001 # p M 8 5/6 xx yy zz data... # Atari ST STAD bitmap is always 640x400, bytewise runlength compressed. # bytes either run horizontally (pM85) or vertically (pM86). yy is the # most frequent byte, xx and zz are runlength escape codes, where xx is # used for runs of yy. # 0 string = pM85 Atari ST STAD bitmap image data (hor) >5 byte = 0x00 (white background) >5 byte = 0xFF (black background) 0 string = pM86 Atari ST STAD bitmap image data (vert) >5 byte = 0x00 (white background) >5 byte = 0xFF (black background) # XXX: # This is bad magic 0x5249 == 'RI' conflicts with RIFF and other # magic. # SGI RICE image file #0 beshort 0x5249 RICE image #>2 beshort x v%d #>4 beshort x (%d x #>6 beshort x %d) #>8 beshort 0 8 bit #>8 beshort 1 10 bit #>8 beshort 2 12 bit #>8 beshort 3 13 bit #>10 beshort 0 4:2:2 #>10 beshort 1 4:2:2:4 #>10 beshort 2 4:4:4 #>10 beshort 3 4:4:4:4 #>12 beshort 1 RGB #>12 beshort 2 CCIR601 #>12 beshort 3 RP175 #>12 beshort 4 YUV #------------------------------------------------------------------------------ # # Marco Schmidt (marcoschmidt@users.sourceforge.net) -- an image file format # for the EPOC operating system, which is used with PDAs like those from Psion # # see http://huizen.dds.nl/~frodol/psiconv/html/Index.html for a description # of various EPOC file formats 0 string = \x37\x00\x00\x10\x42\x00\x00\x10\x00\x00\x00\x00\x39\x64\x39\x47 EPOC MBM image file # PCX image files # From: Dan Fandrich 0 beshort = 0x0a00 PCX ver. 2.5 image data 0 beshort = 0x0a02 PCX ver. 2.8 image data, with palette 0 beshort = 0x0a03 PCX ver. 2.8 image data, without palette 0 beshort = 0x0a04 PCX for Windows image data 0 beshort = 0x0a05 PCX ver. 3.0 image data >4 leshort x - bounding box [%hd, >6 leshort x - %hd] - >8 leshort x - [%hd, >10 leshort x - %hd], >65 byte > 1 %d planes each of >3 byte x - %hhd-bit >68 byte = 0 image, >68 byte = 1 colour, >68 byte = 2 grayscale, >68 byte > 2 image, >68 byte < 0 image, >12 leshort > 0 %hd x >>14 leshort x - %hd dpi, >2 byte = 0 uncompressed >2 byte = 1 RLE compressed # Adobe Photoshop 0 string = 8BPS Adobe Photoshop Image # XV thumbnail indicator (ThMO) 0 string = P7\ 332 XV thumbnail image data # NITF is defined by United States MIL-STD-2500A 0 string = NITF National Imagery Transmission Format >25 string > \0 dated %.14s # GEM Image: Version 1, Headerlen 8 (Wolfram Kleff) 0 belong = 0x00010008 GEM Image data >12 beshort x - %d x >14 beshort x - %d, >4 beshort x - %d planes, >8 beshort x - %d x >10 beshort x - %d pixelsize # GEM Metafile (Wolfram Kleff) 0 lelong = 0x0018FFFF GEM Metafile data >4 leshort x - version %d # # SMJPEG. A custom Motion JPEG format used by Loki Entertainment # Software Torbjorn Andersson . # 0 string = \0\nSMJPEG SMJPEG >8 belong x - %d.x data # According to the specification you could find any number of _TXT # headers here, but I can't think of any way of handling that. None of # the SMJPEG files I tried it on used this feature. Even if such a # file is encountered the output should still be reasonable. >16 string = _SND \b, >>24 beshort > 0 %d Hz >>26 byte = 8 8-bit >>26 byte = 16 16-bit >>28 string = NONE uncompressed # >>28 string APCM ADPCM compressed >>27 byte = 1 mono >>28 byte = 2 stereo # Help! Isn't there any way to avoid writing this part twice? >>32 string = _VID \b, # >>>48 string JFIF JPEG >>>40 belong > 0 %d frames >>>44 beshort > 0 (%d x >>>46 beshort > 0 %d) >16 string = _VID \b, # >>32 string JFIF JPEG >>24 belong > 0 %d frames >>28 beshort > 0 (%d x >>30 beshort > 0 %d) 0 string = Paint\ Shop\ Pro\ Image\ File Paint Shop Pro Image File # "thumbnail file" (icon) # descended from "xv", but in use by other applications as well (Wolfram Kleff) 0 string = P7\ 332 XV "thumbnail file" (icon) data # taken from fkiss: ( ?) 0 string = KiSS KISS/GS >4 byte = 16 color >>5 byte x - %d bit >>8 leshort x - %d colors >>10 leshort x - %d groups >4 byte = 32 cell >>5 byte x - %d bit >>8 leshort x - %d x >>10 leshort x - %d >>12 leshort x - +%d >>14 leshort x - +%d # Webshots (www.webshots.com), by John Harrison 0 string = C\253\221g\230\0\0\0 Webshots Desktop .wbz file # Hercules DASD image files # From Jan Jaeger 0 string = CKD_P370 Hercules CKD DASD image file >8 long x - \b, %d heads per cylinder >12 long x - \b, track size %d bytes >16 byte x - \b, device type 33%2.2X 0 string = CKD_C370 Hercules compressed CKD DASD image file >8 long x - \b, %d heads per cylinder >12 long x - \b, track size %d bytes >16 byte x - \b, device type 33%2.2X 0 string = CKD_S370 Hercules CKD DASD shadow file >8 long x - \b, %d heads per cylinder >12 long x - \b, track size %d bytes >16 byte x - \b, device type 33%2.2X # Squeak images and - etoffi@softhome.net 0 string = \146\031\0\0 Squeak image data 0 string = 'From\040Squeak Squeak program text # partimage: file(1) magic for PartImage files (experimental, incomplete) # Author: Hans-Joachim Baader 0 string = PaRtImAgE-VoLuMe PartImage >0x0020 string = 0.6.1 file version %s >>0x0060 lelong > -1 volume %ld #>>0x0064 8 byte identifier #>>0x007c reserved >>0x0200 string > \0 type %s >>0x1400 string > \0 device %s, >>0x1600 string > \0 original filename %s, # Some fields omitted >>0x2744 lelong = 0 not compressed >>0x2744 lelong = 1 gzip compressed >>0x2744 lelong = 2 bzip2 compressed >>0x2744 lelong > 2 compressed with unknown algorithm >0x0020 string > 0.6.1 file version %s >0x0020 string < 0.6.1 file version %s # DCX is multi-page PCX, using a simple header of up to 1024 # offsets for the respective PCX components. # From: Joerg Wunsch 0 lelong = 987654321 DCX multi-page PCX image data # Simon Walton # Kodak Cineon format for scanned negatives # http://www.kodak.com/US/en/motion/support/dlad/ 0 lelong = 0xd75f2a80 Cineon image data >200 belong > 0 \b, %ld x >204 belong > 0 %ld # Bio-Rad .PIC is an image format used by microscope control systems # and related image processing software used by biologists. # From: Vebjorn Ljosa 54 leshort = 12345 Bio-Rad .PIC Image File >0 leshort > 0 %hd x >2 leshort > 0 %hd, >4 leshort = 1 1 image in file >4 leshort > 1 %hd images in file # From Jan "Yenya" Kasprzak # The description of *.mrw format can be found at # http://www.dalibor.cz/minolta/raw_file_format.htm 0 string = \000MRM Minolta Dimage camera raw image data # From: stephane.loeuillet@tiscali.f # http://www.djvuzone.org/ 0 string = AT&TFORM DjVu Image file # From: Jason Bacon 0 beshort = 0x3020 character Computer Graphics Metafile # From Marc Espie 0 lelong = 20000630 OpenEXR image data # From: Tom Hilinski # http://www.unidata.ucar.edu/packages/netcdf/ 0 string = CDF\001 NetCDF Data Format data #----------------------------------------------------------------------- # Hierarchical Data Format, used to facilitate scientific data exchange # specifications at http://hdf.ncsa.uiuc.edu/ 0 belong = 0x0e031301 Hierarchical Data Format (version 4) data 0 string = \211HDF\r\n\032 Hierarchical Data Format (version 5) data #------------------------------------------------------------------------------ # intel: file(1) magic for x86 Unix # # Various flavors of x86 UNIX executable/object (other than Xenix, which # is in "microsoft"). DOS is in "msdos"; the ambitious soul can do # Windows as well. # # Windows NT belongs elsewhere, as you need x86 and MIPS and Alpha and # whatever comes next (HP-PA Hummingbird?). OS/2 may also go elsewhere # as well, if, as, and when IBM makes it portable. # # The `versions' should be un-commented if they work for you. # (Was the problem just one of endianness?) # 0 leshort = 0502 basic-16 executable >12 lelong > 0 not stripped #>22 leshort >0 - version %ld 0 leshort = 0503 basic-16 executable (TV) >12 lelong > 0 not stripped #>22 leshort >0 - version %ld 0 leshort = 0510 x86 executable >12 lelong > 0 not stripped 0 leshort = 0511 x86 executable (TV) >12 lelong > 0 not stripped 0 leshort = 0512 iAPX 286 executable small model (COFF) >12 lelong > 0 not stripped #>22 leshort >0 - version %ld 0 leshort = 0522 iAPX 286 executable large model (COFF) >12 lelong > 0 not stripped #>22 leshort >0 - version %ld # SGI labeled the next entry as "iAPX 386 executable" --Dan Quinlan 0 leshort = 0514 80386 COFF executable >12 lelong > 0 not stripped >22 leshort > 0 - version %ld # rom: file(1) magic for BIOS ROM Extensions found in intel machines # mapped into memory between 0xC0000 and 0xFFFFF # From Gürkan Sengün , www.linuks.mine.nu 0 beshort = 0x55AA BIOS (ia32) ROM Ext. >5 string = USB USB >7 string = LDR UNDI image >30 string = IBM IBM comp. Video >26 string = Adaptec Adaptec >28 string = Adaptec Adaptec >42 string = PROMISE Promise >2 byte x - (%d*512) #------------------------------------------------------------------------------ # interleaf: file(1) magic for InterLeaf TPS: # 0 string = \210OPS Interleaf saved data 0 string = 5 string = ,\ Version\ = \b, version >>17 string > \0 %.3s #------------------------------------------------------------------------------ # island: file(1) magic for IslandWite/IslandDraw, from SunOS 5.5.1 # "/etc/magic": # From: guy@netapp.com (Guy Harris) # 4 string = pgscriptver IslandWrite document 13 string = DrawFile IslandDraw document #------------------------------------------------------------------------------ # ispell: file(1) magic for ispell # # Ispell 3.0 has a magic of 0x9601 and ispell 3.1 has 0x9602. This magic # will match 0x9600 through 0x9603 in *both* little endian and big endian. # (No other current magic entries collide.) # # Updated by Daniel Quinlan (quinlan@yggdrasil.com) # 0 leshort&0xFFFC = 0x9600 little endian ispell >0 byte = 0 hash file (?), >0 byte = 1 3.0 hash file, >0 byte = 2 3.1 hash file, >0 byte = 3 hash file (?), >2 leshort = 0x00 8-bit, no capitalization, 26 flags >2 leshort = 0x01 7-bit, no capitalization, 26 flags >2 leshort = 0x02 8-bit, capitalization, 26 flags >2 leshort = 0x03 7-bit, capitalization, 26 flags >2 leshort = 0x04 8-bit, no capitalization, 52 flags >2 leshort = 0x05 7-bit, no capitalization, 52 flags >2 leshort = 0x06 8-bit, capitalization, 52 flags >2 leshort = 0x07 7-bit, capitalization, 52 flags >2 leshort = 0x08 8-bit, no capitalization, 128 flags >2 leshort = 0x09 7-bit, no capitalization, 128 flags >2 leshort = 0x0A 8-bit, capitalization, 128 flags >2 leshort = 0x0B 7-bit, capitalization, 128 flags >2 leshort = 0x0C 8-bit, no capitalization, 256 flags >2 leshort = 0x0D 7-bit, no capitalization, 256 flags >2 leshort = 0x0E 8-bit, capitalization, 256 flags >2 leshort = 0x0F 7-bit, capitalization, 256 flags >4 leshort > 0 and %d string characters 0 beshort&0xFFFC = 0x9600 big endian ispell >1 byte = 0 hash file (?), >1 byte = 1 3.0 hash file, >1 byte = 2 3.1 hash file, >1 byte = 3 hash file (?), >2 beshort = 0x00 8-bit, no capitalization, 26 flags >2 beshort = 0x01 7-bit, no capitalization, 26 flags >2 beshort = 0x02 8-bit, capitalization, 26 flags >2 beshort = 0x03 7-bit, capitalization, 26 flags >2 beshort = 0x04 8-bit, no capitalization, 52 flags >2 beshort = 0x05 7-bit, no capitalization, 52 flags >2 beshort = 0x06 8-bit, capitalization, 52 flags >2 beshort = 0x07 7-bit, capitalization, 52 flags >2 beshort = 0x08 8-bit, no capitalization, 128 flags >2 beshort = 0x09 7-bit, no capitalization, 128 flags >2 beshort = 0x0A 8-bit, capitalization, 128 flags >2 beshort = 0x0B 7-bit, capitalization, 128 flags >2 beshort = 0x0C 8-bit, no capitalization, 256 flags >2 beshort = 0x0D 7-bit, no capitalization, 256 flags >2 beshort = 0x0E 8-bit, capitalization, 256 flags >2 beshort = 0x0F 7-bit, capitalization, 256 flags >4 beshort > 0 and %d string characters # ispell 4.0 hash files kromJx # Ispell 4.0 0 string = ISPL ispell >4 long x - hash file version %d, >8 long x - lexletters %d, >12 long x - lexsize %d, >16 long x - hashsize %d, >20 long x - stblsize %d #------------------------------------------------------------ # Java ByteCode # From Larry Schwimmer (schwim@cs.stanford.edu) # Handled in Mach now #0 belong 0xcafebabe compiled Java class data, #>6 beshort x version %d. #>4 beshort x \b%d #------------------------------------------------------------ # Java serialization # From Martin Pool (m.pool@pharos.com.au) 0 beshort = 0xaced Java serialization data >2 beshort > 0x0004 \b, version %d #------------------------------------------------------------------------------ # JPEG images # SunOS 5.5.1 had # # 0 string \377\330\377\340 JPEG file # 0 string \377\330\377\356 JPG file # # both of which turn into "JPEG image data" here. # 0 beshort = 0xffd8 JPEG image data >6 string = JFIF \b, JFIF standard # The following added by Erik Rossen 1999-09-06 # in a vain attempt to add image size reporting for JFIF. Note that these # tests are not fool-proof since some perfectly valid JPEGs are currently # impossible to specify in magic(4) format. # First, a little JFIF version info: >>11 byte x - \b %d. >>12 byte x - \b%02d # Next, the resolution or aspect ratio of the image: #>>13 byte 0 \b, aspect ratio #>>13 byte 1 \b, resolution (DPI) #>>13 byte 2 \b, resolution (DPCM) #>>4 beshort x \b, segment length %d # Next, show thumbnail info, if it exists: >>18 byte != 0 \b, thumbnail %dx >>>19 byte x - \b%d # EXIF moved down here to avoid reporting a bogus version number, # and EXIF version number printing added. # - Patrik R=E5dman >6 string = Exif \b, EXIF standard # Look for EXIF IFD offset in IFD 0, and then look for EXIF version tag in EXIF IFD. # All possible combinations of entries have to be enumerated, since no looping # is possible. And both endians are possible... # The combinations included below are from real-world JPEGs. # Little-endian >>12 string = II # IFD 0 Entry #5: >>>70 leshort = 0x8769 # EXIF IFD Entry #1: >>>>(78.l+14) leshort = 0x9000 >>>>>(78.l+23) byte x - %c >>>>>(78.l+24) byte x - \b.%c >>>>>(78.l+25) byte != 0x30 \b%c # IFD 0 Entry #9: >>>118 leshort = 0x8769 # EXIF IFD Entry #3: >>>>(126.l+38) leshort = 0x9000 >>>>>(126.l+47) byte x - %c >>>>>(126.l+48) byte x - \b.%c >>>>>(126.l+49) byte != 0x30 \b%c # IFD 0 Entry #10 >>>130 leshort = 0x8769 # EXIF IFD Entry #3: >>>>(138.l+38) leshort = 0x9000 >>>>>(138.l+47) byte x - %c >>>>>(138.l+48) byte x - \b.%c >>>>>(138.l+49) byte != 0x30 \b%c # EXIF IFD Entry #4: >>>>(138.l+50) leshort = 0x9000 >>>>>(138.l+59) byte x - %c >>>>>(138.l+60) byte x - \b.%c >>>>>(138.l+61) byte != 0x30 \b%c # EXIF IFD Entry #5: >>>>(138.l+62) leshort = 0x9000 >>>>>(138.l+71) byte x - %c >>>>>(138.l+72) byte x - \b.%c >>>>>(138.l+73) byte != 0x30 \b%c # IFD 0 Entry #11 >>>142 leshort = 0x8769 # EXIF IFD Entry #3: >>>>(150.l+38) leshort = 0x9000 >>>>>(150.l+47) byte x - %c >>>>>(150.l+48) byte x - \b.%c >>>>>(150.l+49) byte != 0x30 \b%c # EXIF IFD Entry #4: >>>>(150.l+50) leshort = 0x9000 >>>>>(150.l+59) byte x - %c >>>>>(150.l+60) byte x - \b.%c >>>>>(150.l+61) byte != 0x30 \b%c # EXIF IFD Entry #5: >>>>(150.l+62) leshort = 0x9000 >>>>>(150.l+71) byte x - %c >>>>>(150.l+72) byte x - \b.%c >>>>>(150.l+73) byte != 0x30 \b%c # Big-endian >>12 string = MM # IFD 0 Entry #9: >>>118 beshort = 0x8769 # EXIF IFD Entry #1: >>>>(126.L+14) beshort = 0x9000 >>>>>(126.L+23) byte x - %c >>>>>(126.L+24) byte x - \b.%c >>>>>(126.L+25) byte != 0x30 \b%c # EXIF IFD Entry #3: >>>>(126.L+38) beshort = 0x9000 >>>>>(126.L+47) byte x - %c >>>>>(126.L+48) byte x - \b.%c >>>>>(126.L+49) byte != 0x30 \b%c # IFD 0 Entry #10 >>>130 beshort = 0x8769 # EXIF IFD Entry #3: >>>>(138.L+38) beshort = 0x9000 >>>>>(138.L+47) byte x - %c >>>>>(138.L+48) byte x - \b.%c >>>>>(138.L+49) byte != 0x30 \b%c # EXIF IFD Entry #5: >>>>(138.L+62) beshort = 0x9000 >>>>>(138.L+71) byte x - %c >>>>>(138.L+72) byte x - \b.%c >>>>>(138.L+73) byte != 0x30 \b%c # IFD 0 Entry #11 >>>142 beshort = 0x8769 # EXIF IFD Entry #4: >>>>(150.L+50) beshort = 0x9000 >>>>>(150.L+59) byte x - %c >>>>>(150.L+60) byte x - \b.%c >>>>>(150.L+61) byte != 0x30 \b%c # Here things get sticky. We can do ONE MORE marker segment with # indirect addressing, and that's all. It would be great if we could # do pointer arithemetic like in an assembler language. Christos? # And if there was some sort of looping construct to do searches, plus a few # named accumulators, it would be even more effective... # At least we can show a comment if no other segments got inserted before: >(4.S+5) byte = 0xFE >>(4.S+8) string > \0 \b, comment: "%s" #>(4.S+5) byte 0xFE \b, comment #>>(4.S+6) beshort x \b length=%d #>>(4.S+8) string >\0 \b, "%s" # Or, we can show the encoding type (I've included only the three most common) # and image dimensions if we are lucky and the SOFn (image segment) is here: >(4.S+5) byte = 0xC0 \b, baseline >>(4.S+6) byte x - \b, precision %d >>(4.S+7) beshort x - \b, %dx >>(4.S+9) beshort x - \b%d >(4.S+5) byte = 0xC1 \b, extended sequential >>(4.S+6) byte x - \b, precision %d >>(4.S+7) beshort x - \b, %dx >>(4.S+9) beshort x - \b%d >(4.S+5) byte = 0xC2 \b, progressive >>(4.S+6) byte x - \b, precision %d >>(4.S+7) beshort x - \b, %dx >>(4.S+9) beshort x - \b%d # I've commented-out quantisation table reporting. I doubt anyone cares yet. #>(4.S+5) byte 0xDB \b, quantisation table #>>(4.S+6) beshort x \b length=%d #>14 beshort x \b, %d x #>16 beshort x \b %d # HSI is Handmade Software's proprietary JPEG encoding scheme 0 string = hsi1 JPEG image data, HSI proprietary # From: David Santinoli 0 string = \x00\x00\x00\x0C\x6A\x50\x20\x20\x0D\x0A\x87\x0A JPEG 2000 image data #------------------------------------------------------------------------------ # karma: file(1) magic for Karma data files # # From 0 string = KarmaRHD Version Karma Data Structure Version >16 belong x - %lu #------------------------------------------------------------------------------ # DEC SRC Virtual Paper: Lectern files # Karl M. Hegbloom 0 string = lect DEC SRC Virtual Paper Lectern file #------------------------------------------------------------------------------ # lex: file(1) magic for lex # # derived empirically, your offsets may vary! 53 string = yyprevious C program text (from lex) >3 string > \0 for %s # C program text from GNU flex, from Daniel Quinlan 21 string = generated\ by\ flex C program text (from flex) # lex description file, from Daniel Quinlan 0 string = %{ lex description text #------------------------------------------------------------------------------ # lif: file(1) magic for lif # # (Daniel Quinlan ) # 0 beshort = 0x8000 lif file #------------------------------------------------------------------------------ # linux: file(1) magic for Linux files # # Values for Linux/i386 binaries, from Daniel Quinlan # The following basic Linux magic is useful for reference, but using # "long" magic is a better practice in order to avoid collisions. # # 2 leshort 100 Linux/i386 # >0 leshort 0407 impure executable (OMAGIC) # >0 leshort 0410 pure executable (NMAGIC) # >0 leshort 0413 demand-paged executable (ZMAGIC) # >0 leshort 0314 demand-paged executable (QMAGIC) # 0 lelong = 0x00640107 Linux/i386 impure executable (OMAGIC) >16 lelong = 0 \b, stripped 0 lelong = 0x00640108 Linux/i386 pure executable (NMAGIC) >16 lelong = 0 \b, stripped 0 lelong = 0x0064010b Linux/i386 demand-paged executable (ZMAGIC) >16 lelong = 0 \b, stripped 0 lelong = 0x006400cc Linux/i386 demand-paged executable (QMAGIC) >16 lelong = 0 \b, stripped # 0 string = \007\001\000 Linux/i386 object file >20 lelong > 0x1020 \b, DLL library # Linux-8086 stuff: 0 string = \01\03\020\04 Linux-8086 impure executable >28 long != 0 not stripped 0 string = \01\03\040\04 Linux-8086 executable >28 long != 0 not stripped # 0 string = \243\206\001\0 Linux-8086 object file # 0 string = \01\03\020\20 Minix-386 impure executable >28 long != 0 not stripped 0 string = \01\03\040\20 Minix-386 executable >28 long != 0 not stripped # core dump file, from Bill Reynolds 216 lelong = 0421 Linux/i386 core file >220 string > \0 of '%s' >200 lelong > 0 (signal %d) # # LILO boot/chain loaders, from Daniel Quinlan # this can be overridden by the DOS executable (COM) entry 2 string = LILO Linux/i386 LILO boot/chain loader # # PSF fonts, from H. Peter Anvin 0 leshort = 0x0436 Linux/i386 PC Screen Font data, >2 byte = 0 256 characters, no directory, >2 byte = 1 512 characters, no directory, >2 byte = 2 256 characters, Unicode directory, >2 byte = 3 512 characters, Unicode directory, >3 byte > 0 8x%d # Linux swap file, from Daniel Quinlan 4086 string = SWAP-SPACE Linux/i386 swap file # From: Jeff Bailey # Linux swap file with swsusp1 image, from Jeff Bailey 4076 string = SWAPSPACE2S1SUSPEND Linux/i386 swap file (new style) with SWSUSP1 image # according to man page of mkswap (8) March 1999 4086 string = SWAPSPACE2 Linux/i386 swap file (new style) >0x400 long x - %d (4K pages) >0x404 long x - size %d pages >>4086 string = SWAPSPACE2 >>>1052 string > \0 Label %s # ECOFF magic for OSF/1 and Linux (only tested under Linux though) # # from Erik Troan (ewt@redhat.com) examining od dumps, so this # could be wrong # updated by David Mosberger (davidm@azstarnet.com) based on # GNU BFD and MIPS info found below. # 0 leshort = 0x0183 ECOFF alpha >24 leshort = 0407 executable >24 leshort = 0410 pure >24 leshort = 0413 demand paged >8 long > 0 not stripped >8 long = 0 stripped >23 leshort > 0 - version %ld. # # Linux kernel boot images, from Albert Cahalan # and others such as Axel Kohlmeyer # and Nicols Lichtmaier # All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29 # Linux kernel boot images (i386 arch) (Wolfram Kleff) 514 string = HdrS Linux kernel >510 leshort = 0xAA55 x86 boot executable #FIXME FTimes - Replaced '>=0x200' with '>0x1FF'. #>>518 leshort >=0x200 >>518 leshort > 0x1FF >>529 byte = 0 zImage, >>>529 byte = 1 bzImage, >>>(526.s+0x200) string > \0 version %s, >>498 leshort = 1 RO-rootFS, >>498 leshort = 0 RW-rootFS, >>508 leshort > 0 root_dev 0x%X, >>502 leshort > 0 swap_dev 0x%X, >>504 leshort > 0 RAMdisksize %u KB, >>506 leshort = 0xFFFF Normal VGA >>506 leshort = 0xFFFE Extended VGA >>506 leshort = 0xFFFD Prompt for Videomode >>506 leshort > 0 Video mode %d # This also matches new kernels, which were caught above by "HdrS". 0 belong = 0xb8c0078e Linux kernel >0x1e3 string = Loading version 1.3.79 or older >0x1e9 string = Loading from prehistoric times # System.map files - Nicols Lichtmaier 8 string = \ A\ _text Linux kernel symbol map text # LSM entries - Nicols Lichtmaier 0 string = Begin3 Linux Software Map entry text 0 string = Begin4 Linux Software Map entry text (new format) # From Matt Zimmerman 0 belong = 0x4f4f4f4d User-mode Linux COW file >4 belong x - \b, version %d >8 string > \0 \b, backing file %s ############################################################################ # Linux kernel versions 0 string = \xb8\xc0\x07\x8e\xd8\xb8\x00\x90 Linux >497 leshort = 0 x86 boot sector >>514 belong = 0x8e of a kernel from the dawn of time! >>514 belong = 0x908ed8b4 version 0.99-1.1.42 >>514 belong = 0x908ed8b8 for memtest86 >497 leshort != 0 x86 kernel >>504 leshort > 0 RAMdisksize=%u KB >>502 leshort > 0 swap=0x%X >>508 leshort > 0 root=0x%X >>>498 leshort = 1 \b-ro >>>498 leshort = 0 \b-rw >>506 leshort = 0xFFFF vga=normal >>506 leshort = 0xFFFE vga=extended >>506 leshort = 0xFFFD vga=ask >>506 leshort > 0 vga=%d >>514 belong = 0x908ed881 version 1.1.43-1.1.45 >>514 belong = 0x15b281cd >>>0xa8e belong = 0x55AA5a5a version 1.1.46-1.2.13,1.3.0 >>>0xa99 belong = 0x55AA5a5a version 1.3.1,2 >>>0xaa3 belong = 0x55AA5a5a version 1.3.3-1.3.30 >>>0xaa6 belong = 0x55AA5a5a version 1.3.31-1.3.41 >>>0xb2b belong = 0x55AA5a5a version 1.3.42-1.3.45 >>>0xaf7 belong = 0x55AA5a5a version 1.3.46-1.3.72 >>514 string = HdrS >>>518 leshort > 0x1FF >>>>529 byte = 0 \b, zImage >>>>529 byte = 1 \b, bzImage >>>>(526.s+0x200) string > \0 \b, version %s # Linux boot sector thefts. 0 belong = 0xb8c0078e Linux >0x1e6 belong = 0x454c4b53 ELKS Kernel >0x1e6 belong != 0x454c4b53 style boot sector ############################################################################ # Linux 8086 executable 0 lelong&0xFF0000FF = 0xC30000E9 Linux-Dev86 executable, headerless >5 string = . >>4 string > \0 \b, libc version %s 0 lelong&0xFF00FFFF = 0x4000301 Linux-8086 executable >2 byte&0x01 != 0 \b, unmapped zero page >2 byte&0x20 = 0 \b, impure >2 byte&0x20 != 0 >>2 byte&0x10 != 0 \b, A_EXEC >2 byte&0x02 != 0 \b, A_PAL >2 byte&0x04 != 0 \b, A_NSYM >2 byte&0x08 != 0 \b, A_STAND >2 byte&0x40 != 0 \b, A_PURE >2 byte&0x80 != 0 \b, A_TOVLY >28 long != 0 \b, not stripped >37 string = . >>36 string > \0 \b, libc version %s # 0 lelong&0xFF00FFFF 0x10000301 ld86 I80386 executable # 0 lelong&0xFF00FFFF 0xB000301 ld86 M68K executable # 0 lelong&0xFF00FFFF 0xC000301 ld86 NS16K executable # 0 lelong&0xFF00FFFF 0x17000301 ld86 SPARC executable # SYSLINUX boot logo files (from 'ppmtolss16' sources) # http://syslinux.zytor.com/ # 0 lelong = 0x1413f33d SYSLINUX' LSS16 image data >4 leshort x - \b, width %d >6 leshort x - \b, height %d 0 string = OOOM User-Mode-Linux's Copy-On-Write disk image >4 belong x - version %d # SE Linux policy database # From: Mike Frysinger 0 lelong = 0xf97cff8c SE Linux policy >16 lelong x - v%d >20 lelong = 1 MLS >24 lelong x - %d symbols >28 lelong x - %d ocons # Linux Logical Volume Manager (LVM) # Emmanuel VARAGNAT # # System ID, UUID and volume group name are 128 bytes long # but they should never be full and initialized with zeros... # # LVM1 # 0x0 string = HM\001 LVM1 (Linux Logical Volume Manager), version 1 >0x12c string > \0 , System ID: %s 0x0 string = HM\002 LVM1 (Linux Logical Volume Manager), version 2 >0x12c string > \0 , System ID: %s # LVM2 # # It seems that the label header can be in one the four first sector # of the disk... (from _find_labeller in lib/label/label.c of LVM2) # # 0x200 seems to be the common case 0x218 string = LVM2\ 001 LVM2 (Linux Logical Volume Manager) # read the offset to add to the start of the header, and the header # start in 0x200 >(0x214.l+0x200) string > \0 , UUID: %s 0x018 string = LVM2\ 001 LVM2 (Linux Logical Volume Manager) >(0x014.l) string > \0 , UUID: %s 0x418 string = LVM2\ 001 LVM2 (Linux Logical Volume Manager) >(0x414.l+0x400) string > \0 , UUID: %s 0x618 string = LVM2\ 001 LVM2 (Linux Logical Volume Manager) >(0x614.l+0x600) string > \0 , UUID: %s #------------------------------------------------------------------------------ # lisp: file(1) magic for lisp programs # # various lisp types, from Daniel Quinlan (quinlan@yggdrasil.com) #FIXME FTimes -- Weak magic. ## updated by Joerg Jenderek #0 string = ;; ## windows INF files often begin with semicolon and use CRLF as line end ## lisp files are mainly created on unix system with LF as line end #>2 search/2048 = !\r Lisp/Scheme program text #>2 search/2048 = \r Windows INF file 0 string = ( >1 string = if\ Lisp/Scheme program text >1 string = setq\ Lisp/Scheme program text >1 string = defvar\ Lisp/Scheme program text >1 string = autoload\ Lisp/Scheme program text >1 string = custom-set-variables Lisp/Scheme program text # Emacs 18 - this is always correct, but not very magical. 0 string = \012( Emacs v18 byte-compiled Lisp data # Emacs 19+ - ver. recognition added by Ian Springer # Also applies to XEmacs 19+ .elc files; could tell them apart if we had regexp # support or similar - Chris Chittleborough 0 string = ;ELC >4 byte > 19 >4 byte < 32 Emacs/XEmacs v%d byte-compiled Lisp data # Files produced by CLISP Common Lisp From: Bruno Haible 0 string = (SYSTEM::VERSION\040' CLISP byte-compiled Lisp program text 0 long = 0x70768BD2 CLISP memory image data 0 long = 0xD28B7670 CLISP memory image data, other endian # Files produced by GNU gettext 0 long = 0xDE120495 GNU-format message catalog data 0 long = 0x950412DE GNU-format message catalog data #.com and .bin for MIT scheme 0 string = \372\372\372\372 MIT scheme (library?) # From: David Allouche 0 string = \4 belong > 19 \bcompiled Java class data, >>6 beshort x - version %d. >>4 beshort x - \b%d >4 belong = 1 Mach-O fat file with 1 architecture >4 belong > 1 # The following is necessary to support java class files. >>4 belong < 20 Mach-O fat file with %ld architectures #>>4 belong <0xffff Mach-O fat file with %ld architectures # 0 lelong&0xfeffffff = 0xfeedface Mach-O >0 byte = 0xcf 64-bit >12 lelong = 1 object >12 lelong = 2 executable >12 lelong = 3 fixed virtual memory shared library >12 lelong = 4 core >12 lelong = 5 preload executable >12 lelong = 6 dynamically linked shared library >12 lelong = 7 dynamic linker >12 lelong = 8 bundle >12 lelong = 9 dynamically linked shared library stub >12 lelong > 9 >>12 lelong x - filetype=%ld >4 lelong < 0 >>4 lelong x - architecture=%ld >4 lelong = 1 vax >4 lelong = 2 romp >4 lelong = 3 architecture=3 >4 lelong = 4 ns32032 >4 lelong = 5 ns32332 >4 lelong = 6 m68k >4 lelong = 7 i386 >4 lelong = 8 mips >4 lelong = 9 ns32532 >4 lelong = 10 architecture=10 >4 lelong = 11 hppa >4 lelong = 12 acorn >4 lelong = 13 m88k >4 lelong = 14 sparc >4 lelong = 15 i860-big >4 lelong = 16 i860 >4 lelong = 17 rs6000 >4 lelong = 18 ppc >4 lelong = 16777234 ppc64 >4 lelong > 16777234 >>4 lelong x - architecture=%ld # 0 belong&0xfffffffe = 0xfeedface Mach-O >3 byte = 0xcf 64-bit >12 belong = 1 object >12 belong = 2 executable >12 belong = 3 fixed virtual memory shared library >12 belong = 4 core >12 belong = 5 preload executable >12 belong = 6 dynamically linked shared library >12 belong = 7 dynamic linker >12 belong = 8 bundle >12 belong = 9 dynamically linked shared library stub >12 belong > 9 >>12 belong x - filetype=%ld >4 belong < 0 >>4 belong x - architecture=%ld >4 belong = 1 vax >4 belong = 2 romp >4 belong = 3 architecture=3 >4 belong = 4 ns32032 >4 belong = 5 ns32332 >4 belong = 6 for m68k architecture # from NeXTstep 3.0 # i.e. mc680x0_all, ignore # >>8 belong 1 (mc68030) >>8 belong = 2 (mc68040) >>8 belong = 3 (mc68030 only) >4 belong = 7 i386 >4 belong = 8 mips >4 belong = 9 ns32532 >4 belong = 10 architecture=10 >4 belong = 11 hppa >4 belong = 12 acorn >4 belong = 13 m88k >4 belong = 14 sparc >4 belong = 15 i860-big >4 belong = 16 i860 >4 belong = 17 rs6000 >4 belong = 18 ppc >4 belong = 16777234 ppc64 >4 belong > 16777234 >>4 belong x - architecture=%ld #------------------------------------------------------------------------------ # macintosh description # # BinHex is the Macintosh ASCII-encoded file format (see also "apple") # Daniel Quinlan, quinlan@yggdrasil.com 11 string = must\ be\ converted\ with\ BinHex BinHex binary text >41 string x - \b, version %.3s # Stuffit archives are the de facto standard of compression for Macintosh # files obtained from most archives. (franklsm@tuns.ca) 0 string = SIT! StuffIt Archive (data) >2 string x - : %s 0 string = SITD StuffIt Deluxe (data) >2 string x - : %s 0 string = Seg StuffIt Deluxe Segment (data) >2 string x - : %s # Newer StuffIt archives (grant@netbsd.org) 0 string = StuffIt StuffIt Archive #>162 string >0 : %s # Macintosh Applications and Installation binaries (franklsm@tuns.ca) 0 string = APPL Macintosh Application (data) >2 string x - \b: %s # Macintosh System files (franklsm@tuns.ca) 0 string = zsys Macintosh System File (data) 0 string = FNDR Macintosh Finder (data) 0 string = libr Macintosh Library (data) >2 string x - : %s 0 string = shlb Macintosh Shared Library (data) >2 string x - : %s 0 string = cdev Macintosh Control Panel (data) >2 string x - : %s 0 string = INIT Macintosh Extension (data) >2 string x - : %s 0 string = FFIL Macintosh Truetype Font (data) >2 string x - : %s 0 string = LWFN Macintosh Postscript Font (data) >2 string x - : %s # Additional Macintosh Files (franklsm@tuns.ca) 0 string = PACT Macintosh Compact Pro Archive (data) >2 string x - : %s 0 string = ttro Macintosh TeachText File (data) >2 string x - : %s 0 string = TEXT Macintosh TeachText File (data) >2 string x - : %s 0 string = PDF Macintosh PDF File (data) >2 string x - : %s # MacBinary format (Eric Fischer, enf@pobox.com) # # Unfortunately MacBinary doesn't really have a magic number prior # to the MacBinary III format. The checksum is really the way to # do it, but the magic file format isn't up to the challenge. # # 0 byte 0 # 1 byte # filename length # 2 string # filename # 65 string # file type # 69 string # file creator # 73 byte # Finder flags # 74 byte 0 # 75 beshort # vertical posn in window # 77 beshort # horiz posn in window # 79 beshort # window or folder ID # 81 byte # protected? # 82 byte 0 # 83 belong # length of data segment # 87 belong # length of resource segment # 91 belong # file creation date # 95 belong # file modification date # 99 beshort # length of comment after resource # 101 byte # new Finder flags # 102 string mBIN # (only in MacBinary III) # 106 byte # char. code of file name # 107 byte # still more Finder flags # 116 belong # total file length # 120 beshort # length of add'l header # 122 byte 129 # for MacBinary II # 122 byte 130 # for MacBinary III # 123 byte 129 # minimum version that can read fmt # 124 beshort # checksum # # This attempts to use the version numbers as a magic number, requiring # that the first one be 0x80, 0x81, 0x82, or 0x83, and that the second # be 0x81. This works for the files I have, but maybe not for everyone's. # Unfortunately, this magic is quite weak - MPi #122 beshort&0xFCFF 0x8081 Macintosh MacBinary data # MacBinary I doesn't have the version number field at all, but MacBinary II # has been in use since 1987 so I hope there aren't many really old files # floating around that this will miss. The original spec calls for using # the nulls in 0, 74, and 82 as the magic number. # # Another possibility, that would also work for MacBinary I, is to use # the assumption that 65-72 will all be ASCII (0x20-0x7F), that 73 will # have bits 1 (changed), 2 (busy), 3 (bozo), and 6 (invisible) unset, # and that 74 will be 0. So something like # # 71 belong&0x80804EFF 0x00000000 Macintosh MacBinary data # # >73 byte&0x01 0x01 \b, inited # >73 byte&0x02 0x02 \b, changed # >73 byte&0x04 0x04 \b, busy # >73 byte&0x08 0x08 \b, bozo # >73 byte&0x10 0x10 \b, system # >73 byte&0x10 0x20 \b, bundle # >73 byte&0x10 0x40 \b, invisible # >73 byte&0x10 0x80 \b, locked #>65 string x \b, type "%4.4s" #>65 string 8BIM (PhotoShop) #>65 string ALB3 (PageMaker 3) #>65 string ALB4 (PageMaker 4) #>65 string ALT3 (PageMaker 3) #>65 string APPL (application) #>65 string AWWP (AppleWorks word processor) #>65 string CIRC (simulated circuit) #>65 string DRWG (MacDraw) #>65 string EPSF (Encapsulated PostScript) #>65 string FFIL (font suitcase) #>65 string FKEY (function key) #>65 string FNDR (Macintosh Finder) #>65 string GIFf (GIF image) #>65 string Gzip (GNU gzip) #>65 string INIT (system extension) #>65 string LIB\ (library) #>65 string LWFN (PostScript font) #>65 string MSBC (Microsoft BASIC) #>65 string PACT (Compact Pro archive) #>65 string PDF\ (Portable Document Format) #>65 string PICT (picture) #>65 string PNTG (MacPaint picture) #>65 string PREF (preferences) #>65 string PROJ (Think C project) #>65 string QPRJ (Think Pascal project) #>65 string SCFL (Defender scores) #>65 string SCRN (startup screen) #>65 string SITD (StuffIt Deluxe) #>65 string SPn3 (SuperPaint) #>65 string STAK (HyperCard stack) #>65 string Seg\ (StuffIt segment) #>65 string TARF (Unix tar archive) #>65 string TEXT (ASCII) #>65 string TIFF (TIFF image) #>65 string TOVF (Eudora table of contents) #>65 string WDBN (Microsoft Word word processor) #>65 string WORD (MacWrite word processor) #>65 string XLS\ (Microsoft Excel) #>65 string ZIVM (compress (.Z)) #>65 string ZSYS (Pre-System 7 system file) #>65 string acf3 (Aldus FreeHand) #>65 string cdev (control panel) #>65 string dfil (Desk Acessory suitcase) #>65 string libr (library) #>65 string nX^d (WriteNow word processor) #>65 string nX^w (WriteNow dictionary) #>65 string rsrc (resource) #>65 string scbk (Scrapbook) #>65 string shlb (shared library) #>65 string ttro (SimpleText read-only) #>65 string zsys (system file) #>69 string x \b, creator "%4.4s" # Somewhere, Apple has a repository of registered Creator IDs. These are # just the ones that I happened to have files from and was able to identify. #>69 string 8BIM (Adobe Photoshop) #>69 string ALD3 (PageMaker 3) #>69 string ALD4 (PageMaker 4) #>69 string ALFA (Alpha editor) #>69 string APLS (Apple Scanner) #>69 string APSC (Apple Scanner) #>69 string BRKL (Brickles) #>69 string BTFT (BitFont) #>69 string CCL2 (Common Lisp 2) #>69 string CCL\ (Common Lisp) #>69 string CDmo (The Talking Moose) #>69 string CPCT (Compact Pro) #>69 string CSOm (Eudora) #>69 string DMOV (Font/DA Mover) #>69 string DSIM (DigSim) #>69 string EDIT (Macintosh Edit) #>69 string ERIK (Macintosh Finder) #>69 string EXTR (self-extracting archive) #>69 string Gzip (GNU gzip) #>69 string KAHL (Think C) #>69 string LWFU (LaserWriter Utility) #>69 string LZIV (compress) #>69 string MACA (MacWrite) #>69 string MACS (Macintosh operating system) #>69 string MAcK (MacKnowledge terminal emulator) #>69 string MLND (Defender) #>69 string MPNT (MacPaint) #>69 string MSBB (Microsoft BASIC (binary)) #>69 string MSWD (Microsoft Word) #>69 string NCSA (NCSA Telnet) #>69 string PJMM (Think Pascal) #>69 string PSAL (Hunt the Wumpus) #>69 string PSI2 (Apple File Exchange) #>69 string R*ch (BBEdit) #>69 string RMKR (Resource Maker) #>69 string RSED (Resource Editor) #>69 string Rich (BBEdit) #>69 string SIT! (StuffIt) #>69 string SPNT (SuperPaint) #>69 string Unix (NeXT Mac filesystem) #>69 string VIM! (Vim editor) #>69 string WILD (HyperCard) #>69 string XCEL (Microsoft Excel) #>69 string aCa2 (Fontographer) #>69 string aca3 (Aldus FreeHand) #>69 string dosa (Macintosh MS-DOS file system) #>69 string movr (Font/DA Mover) #>69 string nX^n (WriteNow) #>69 string pdos (Apple ProDOS file system) #>69 string scbk (Scrapbook) #>69 string ttxt (SimpleText) #>69 string ufox (Foreign File Access) # Just in case... 102 string = mBIN MacBinary III data with surprising version number # sas magic from Bruce Foster (bef@nwu.edu) # #0 string SAS SAS #>8 string x %s 0 string = SAS SAS >24 string = DATA data file >24 string = CATALOG catalog >24 string = INDEX data file index >24 string = VIEW data view # sas 7+ magic from Reinhold Koch (reinhold.koch@roche.com) # 0x54 string = SAS SAS 7+ >0x9C string = DATA data file >0x9C string = CATALOG catalog >0x9C string = INDEX data file index >0x9C string = VIEW data view # spss magic for SPSS system and portable files, # from Bruce Foster (bef@nwu.edu). 0 long = 0xc1e2c3c9 SPSS Portable File >40 string x - %s 0 string = $FL2 SPSS System File >24 string x - %s # Macintosh filesystem data # From "Tom N Harris" # Fixed HFS+ and Partition map magic: Ethan Benson # The MacOS epoch begins on 1 Jan 1904 instead of 1 Jan 1970, so these # entries depend on the data arithmetic added after v.35 # There's also some Pascal strings in here, ditto... # The boot block signature, according to IM:Files, is # "for HFS volumes, this field always contains the value 0x4C4B." # But if this is true for MFS or HFS+ volumes, I don't know. # Alternatively, the boot block is supposed to be zeroed if it's # unused, so a simply >0 should suffice. 0x400 beshort = 0xD2D7 Macintosh MFS data >0 beshort = 0x4C4B (bootable) >0x40a beshort & 0x8000 (locked) #FIXME FTimes -- Need to add support for the '-' operator on the type. #>0x402 beldate-0x7C25B080 x created: %s, #FIXME FTimes -- Need to add support for the '-' operator on the type. #>0x406 beldate-0x7C25B080 >0 last backup: %s, >0x414 belong x - block size: %d, >0x412 beshort x - number of blocks: %d, #FIXME FTimes - Replaced pstring with string. #>0x424 pstring x volume name: %s >0x424 string x - volume name: %s # "BD" is has many false positives #0x400 beshort 0x4244 Macintosh HFS data #>0 beshort 0x4C4B (bootable) #>0x40a beshort &0x8000 (locked) #>0x40a beshort ^0x0100 (mounted) #>0x40a beshort &0x0200 (spared blocks) #>0x40a beshort &0x0800 (unclean) #>0x47C beshort 0x482B (Embedded HFS+ Volume) #>0x402 beldate-0x7C25B080 x created: %s, #>0x406 beldate-0x7C25B080 x last modified: %s, #>0x440 beldate-0x7C25B080 >0 last backup: %s, #>0x414 belong x block size: %d, #>0x412 beshort x number of blocks: %d, #>0x424 pstring x volume name: %s 0x400 beshort = 0x482B Macintosh HFS Extended >&0 beshort x - version %d data >0 beshort = 0x4C4B (bootable) >0x404 belong ^ 0x00000100 (mounted) >&2 belong & 0x00000200 (spared blocks) >&2 belong & 0x00000800 (unclean) >&2 belong & 0x00008000 (locked) >&6 string x - last mounted by: '%.4s', # really, that should be treated as a belong and we print a string # based on the value. TN1150 only mentions '8.10' for "MacOS 8.1" #FIXME FTimes -- Need to add support for the '-' operator on the type. #>&14 beldate-0x7C25B080 x created: %s, # only the creation date is local time, all other timestamps in HFS+ are UTC. #FIXME FTimes -- Need to add support for the '-' operator on the type. #>&18 bedate-0x7C25B080 x last modified: %s, #FIXME FTimes -- Need to add support for the '-' operator on the type. #>&22 bedate-0x7C25B080 >0 last backup: %s, #FIXME FTimes -- Need to add support for the '-' operator on the type. #>&26 bedate-0x7C25B080 >0 last checked: %s, >&38 belong x - block size: %d, >&42 belong x - number of blocks: %d, >&46 belong x - free blocks: %d # I don't think this is really necessary since it doesn't do much and # anything with a valid driver descriptor will also have a valid # partition map #0 beshort 0x4552 Apple Device Driver data #>&24 beshort =1 \b, MacOS # Is that the partition type a cstring or a pstring? Well, IM says "strings # shorter than 32 bytes must be terminated with NULL" so I'll treat it as a # cstring. Of course, partitions can contain more than four entries, but # what're you gonna do? 0x200 beshort = 0x504D Apple Partition data >0x2 beshort x - block size: %d, >0x230 string x - first type: %s, >0x210 string x - name: %s, >0x254 belong x - number of blocks: %d, >0x400 beshort = 0x504D >>0x430 string x - second type: %s, >>0x410 string x - name: %s, >>0x454 belong x - number of blocks: %d, >>0x800 beshort = 0x504D >>>0x830 string x - third type: %s, >>>0x810 string x - name: %s, >>>0x854 belong x - number of blocks: %d, >>>0xa00 beshort = 0x504D >>>>0xa30 string x - fourth type: %s, >>>>0xa10 string x - name: %s, >>>>0xa54 belong x - number of blocks: %d # AFAIK, only the signature is different 0x200 beshort = 0x5453 Apple Old Partition data >0x2 beshort x - block size: %d, >0x230 string x - first type: %s, >0x210 string x - name: %s, >0x254 belong x - number of blocks: %d, >0x400 beshort = 0x504D >>0x430 string x - second type: %s, >>0x410 string x - name: %s, >>0x454 belong x - number of blocks: %d, >>0x800 beshort = 0x504D >>>0x830 string x - third type: %s, >>>0x810 string x - name: %s, >>>0x854 belong x - number of blocks: %d, >>>0xa00 beshort = 0x504D >>>>0xa30 string x - fourth type: %s, >>>>0xa10 string x - name: %s, >>>>0xa54 belong x - number of blocks: %d # From: Remi Mommsen 0 string = BOMStore Mac OS X bill of materials (BOM) fil #------------------------------------------------------------------------------ # magic: file(1) magic for magic files # 0 string = #\ Magic magic text file for file(1) cmd 0 lelong = 0xF11E041C magic binary file for file(1) cmd >4 lelong x - (version %d) (little endian) 0 belong = 0xF11E041C magic binary file for file(1) cmd >4 belong x - (version %d) (big endian) #------------------------------------------------------------------------------ # mail.news: file(1) magic for mail and news # # Unfortunately, saved netnews also has From line added in some news software. #0 string From mail text # There are tests to ascmagic.c to cope with mail and news. 0 string = Relay-Version: old news text 0 string = #!\ rnews batched news text 0 string = N#!\ rnews mailed, batched news text 0 string = Forward\ to mail forwarding text 0 string = Pipe\ to mail piping text 0 string = Return-Path: smtp mail text 0 string = Path: news text 0 string = Xref: news text 0 string = From: news or mail text 0 string = Article saved news text 0 string = BABYL Emacs RMAIL text 0 string = Received: RFC 822 mail text 0 string = MIME-Version: MIME entity text #0 string Content- MIME entity text # TNEF files... 0 lelong = 0x223E9F78 Transport Neutral Encapsulation Format # From: Kevin Sullivan 0 string = *mbx* MBX mail folder # From: Simon Matter 0 string = \241\002\213\015skiplist\ file\0\0\0 Cyrus skiplist DB # JAM(mbp) Fidonet message area databases # JHR file 0 string = JAM\0 JAM message area header file >12 leshort > 0 (%d messages) # Squish Fidonet message area databases # SQD file (requires at least one message in the area) # XXX: Weak magic #256 leshort 0xAFAE4453 Squish message area data file #>4 leshort >0 (%d messages) #------------------------------------------------------------------------------ # maple: file(1) magic for maple files # "H. Nanosecond" # Maple V release 4, a multi-purpose math program # # maple library .lib 0 string = \000MVR4\nI MapleVr4 library # .ind # no magic for these :-( # they are compiled indexes for maple files # .hdb 0 string = \000\004\000\000 Maple help database # .mhp # this has the form 0 string = \9 string > \0 version %.1s. #FIXME FTimes - Missing a level (i.e., '>>'). #>>>11 string >\0 %.1s # .mps 0 string = \0\0\001$ Maple something # from byte 4 it is either 'nul E' or 'soh R' # I think 'nul E' means a file that was saved as a different name # a sort of revision marking # 'soh R' means new >4 string = \000\105 An old revision >4 string = \001\122 The latest save # .mpl # some of these are the same as .mps above #0000000 000 000 001 044 000 105 same as .mps #0000000 000 000 001 044 001 122 same as .mps 0 string = #\n##\ Maple something anomalous. #------------------------------------------------------------------------------ # mathematica: file(1) magic for mathematica files # "H. Nanosecond" # Mathematica a multi-purpose math program # versions 2.2 and 3.0 #mathematica .mb 0 string = \064\024\012\000\035\000\000\000 Mathematica version 2 notebook 0 string = \064\024\011\000\035\000\000\000 Mathematica version 2 notebook # .ma # multiple possibilites: 0 string = (*^\n\n::[\011frontEndVersion\ =\ Mathematica notebook #>41 string >\0 %s #0 string (*^\n\n::[\011palette Mathematica notebook version 2.x #0 string (*^\n\n::[\011Information Mathematica notebook version 2.x #>675 string >\0 %s #doesn't work well # there may be 'cr' instread of 'nl' in some does this matter? # generic: 0 string = (*^\r\r::[\011 Mathematica notebook version 2.x 0 string = \(\*\^\r\n\r\n\:\:\[\011 Mathematica notebook version 2.x 0 string = (*^\015 Mathematica notebook version 2.x 0 string = (*^\n\r\n\r::[\011 Mathematica notebook version 2.x 0 string = (*^\r::[\011 Mathematica notebook version 2.x 0 string = (*^\r\n::[\011 Mathematica notebook version 2.x 0 string = (*^\n\n::[\011 Mathematica notebook version 2.x 0 string = (*^\n::[\011 Mathematica notebook version 2.x # Mathematica .mx files #0 string (*This\ is\ a\ Mathematica\ binary\ dump\ file.\ It\ can\ be\ loaded\ with\ Get.*) Mathematica binary file 0 string = (*This\ is\ a\ Mathematica\ binary\ Mathematica binary file #>71 string \000\010\010\010\010\000\000\000\000\000\000\010\100\010\000\000\000 # >71... is optional >88 string > \0 from %s # Mathematica files PBF: # 115 115 101 120 102 106 000 001 000 000 000 203 000 001 000 0 string = MMAPBF\000\001\000\000\000\203\000\001\000 Mathematica PBF (fonts I think) # .ml files These are menu resources I think # these start with "[0-9][0-9][0-9]\ A~[0-9][0-9][0-9]\ # how to put that into a magic rule? 4 string = \ A~ MAthematica .ml file # .nb files #too long 0 string (***********************************************************************\n\n\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ Mathematica-Compatible Notebook Mathematica 3.0 notebook 0 string = (*********************** Mathematica 3.0 notebook # other (* matches it is a comment start in these langs 0 string = (* Mathematica, or Pascal, Modula-2 or 3 code text ######################### # MatLab v5 0 string = MATLAB Matlab v5 mat-file >126 short = 0x494d (big endian) >>124 beshort x - version 0x%04x >126 short = 0x4d49 (little endian) >>124 leshort x - version 0x%04x #------------------------------------------------------------------------------ # matroska: file(1) magic for Matroska files # # See http://www.matroska.org/ # # EBML id: 0 belong = 0x1a45dfa3 # DocType id: >5 beshort = 0x4282 # DocType contents: >>8 string = matroska Matroska data #------------------------------------------------------------------------------ # Mavroyanopoulos Nikos # mcrypt: file(1) magic for mcrypt 2.2.x; 0 string = \0m\3 mcrypt 2.5 encrypted data, >4 string > \0 algorithm: %s, >>&1 leshort > 0 keysize: %d bytes, >>>&0 string > \0 mode: %s, 0 string = \0m\2 mcrypt 2.2 encrypted data, >3 byte = 0 algorithm: blowfish-448, >3 byte = 1 algorithm: DES, >3 byte = 2 algorithm: 3DES, >3 byte = 3 algorithm: 3-WAY, >3 byte = 4 algorithm: GOST, >3 byte = 6 algorithm: SAFER-SK64, >3 byte = 7 algorithm: SAFER-SK128, >3 byte = 8 algorithm: CAST-128, >3 byte = 9 algorithm: xTEA, >3 byte = 10 algorithm: TWOFISH-128, >3 byte = 11 algorithm: RC2, >3 byte = 12 algorithm: TWOFISH-192, >3 byte = 13 algorithm: TWOFISH-256, >3 byte = 14 algorithm: blowfish-128, >3 byte = 15 algorithm: blowfish-192, >3 byte = 16 algorithm: blowfish-256, >3 byte = 100 algorithm: RC6, >3 byte = 101 algorithm: IDEA, >4 byte = 0 mode: CBC, >4 byte = 1 mode: ECB, >4 byte = 2 mode: CFB, >4 byte = 3 mode: OFB, >4 byte = 4 mode: nOFB, >5 byte = 0 keymode: 8bit >5 byte = 1 keymode: 4bit >5 byte = 2 keymode: SHA-1 hash >5 byte = 3 keymode: MD5 hash #------------------------------------------------------------------------------ # mime: file(1) magic for MIME encoded files # 0 string = Content-Type:\ >14 string > \0 %s 0 string = Content-Type: >13 string > \0 %s #------------------------------------------------------------------------------ # mips: file(1) magic for Silicon Graphics (MIPS, IRIS, IRIX, etc.) # Dec Ultrix (MIPS) # all of SGI's *current* machines and OSes run in big-endian mode on the # MIPS machines, as far as I know. # # XXX - what is the blank "-" line? # # kbd file definitions 0 string = kbd!map kbd map file >8 byte > 0 Ver %d: >10 short > 0 with %d table(s) 0 belong = 0407 old SGI 68020 executable 0 belong = 0410 old SGI 68020 pure executable 0 beshort = 0x8765 disk quotas file 0 beshort = 0x0506 IRIS Showcase file >2 byte = 0x49 - >3 byte x - - version %ld 0 beshort = 0x0226 IRIS Showcase template >2 byte = 0x63 - >3 byte x - - version %ld 0 belong = 0x5343464d IRIS Showcase file >4 byte x - - version %ld 0 belong = 0x5443464d IRIS Showcase template >4 byte x - - version %ld 0 belong = 0xdeadbabe IRIX Parallel Arena >8 belong > 0 - version %ld # 0 beshort = 0x0160 MIPSEB ECOFF executable >20 beshort = 0407 (impure) >20 beshort = 0410 (swapped) >20 beshort = 0413 (paged) >8 belong > 0 not stripped >8 belong = 0 stripped >22 byte x - - version %ld >23 byte x - .%ld # 0 beshort = 0x0162 MIPSEL-BE ECOFF executable >20 beshort = 0407 (impure) >20 beshort = 0410 (swapped) >20 beshort = 0413 (paged) >8 belong > 0 not stripped >8 belong = 0 stripped >23 byte x - - version %d >22 byte x - .%ld # 0 beshort = 0x6001 MIPSEB-LE ECOFF executable >20 beshort = 03401 (impure) >20 beshort = 04001 (swapped) >20 beshort = 05401 (paged) >8 belong > 0 not stripped >8 belong = 0 stripped >23 byte x - - version %d >22 byte x - .%ld # 0 beshort = 0x6201 MIPSEL ECOFF executable >20 beshort = 03401 (impure) >20 beshort = 04001 (swapped) >20 beshort = 05401 (paged) >8 belong > 0 not stripped >8 belong = 0 stripped >23 byte x - - version %ld >22 byte x - .%ld # # MIPS 2 additions # 0 beshort = 0x0163 MIPSEB MIPS-II ECOFF executable >20 beshort = 0407 (impure) >20 beshort = 0410 (swapped) >20 beshort = 0413 (paged) >8 belong > 0 not stripped >8 belong = 0 stripped >22 byte x - - version %ld >23 byte x - .%ld # 0 beshort = 0x0166 MIPSEL-BE MIPS-II ECOFF executable >20 beshort = 0407 (impure) >20 beshort = 0410 (swapped) >20 beshort = 0413 (paged) >8 belong > 0 not stripped >8 belong = 0 stripped >22 byte x - - version %ld >23 byte x - .%ld # 0 beshort = 0x6301 MIPSEB-LE MIPS-II ECOFF executable >20 beshort = 03401 (impure) >20 beshort = 04001 (swapped) >20 beshort = 05401 (paged) >8 belong > 0 not stripped >8 belong = 0 stripped >23 byte x - - version %ld >22 byte x - .%ld # 0 beshort = 0x6601 MIPSEL MIPS-II ECOFF executable >20 beshort = 03401 (impure) >20 beshort = 04001 (swapped) >20 beshort = 05401 (paged) >8 belong > 0 not stripped >8 belong = 0 stripped >23 byte x - - version %ld >22 byte x - .%ld # # MIPS 3 additions # 0 beshort = 0x0140 MIPSEB MIPS-III ECOFF executable >20 beshort = 0407 (impure) >20 beshort = 0410 (swapped) >20 beshort = 0413 (paged) >8 belong > 0 not stripped >8 belong = 0 stripped >22 byte x - - version %ld >23 byte x - .%ld # 0 beshort = 0x0142 MIPSEL-BE MIPS-III ECOFF executable >20 beshort = 0407 (impure) >20 beshort = 0410 (swapped) >20 beshort = 0413 (paged) >8 belong > 0 not stripped >8 belong = 0 stripped >22 byte x - - version %ld >23 byte x - .%ld # 0 beshort = 0x4001 MIPSEB-LE MIPS-III ECOFF executable >20 beshort = 03401 (impure) >20 beshort = 04001 (swapped) >20 beshort = 05401 (paged) >8 belong > 0 not stripped >8 belong = 0 stripped >23 byte x - - version %ld >22 byte x - .%ld # 0 beshort = 0x4201 MIPSEL MIPS-III ECOFF executable >20 beshort = 03401 (impure) >20 beshort = 04001 (swapped) >20 beshort = 05401 (paged) >8 belong > 0 not stripped >8 belong = 0 stripped >23 byte x - - version %ld >22 byte x - .%ld # 0 beshort = 0x180 MIPSEB Ucode 0 beshort = 0x182 MIPSEL-BE Ucode # 32bit core file 0 belong = 0xdeadadb0 IRIX core dump >4 belong = 1 of >16 string > \0 '%s' # 64bit core file 0 belong = 0xdeadad40 IRIX 64-bit core dump >4 belong = 1 of >16 string > \0 '%s' # N32bit core file 0 belong = 0xbabec0bb IRIX N32 core dump >4 belong = 1 of >16 string > \0 '%s' # New style crash dump file 0 string = \x43\x72\x73\x68\x44\x75\x6d\x70 IRIX vmcore dump of >36 string > \0 '%s' # Trusted IRIX info 0 string = SGIAUDIT SGI Audit file >8 byte x - - version %d >9 byte x - .%ld # 0 string = WNGZWZSC Wingz compiled script 0 string = WNGZWZSS Wingz spreadsheet 0 string = WNGZWZHP Wingz help file # 0 string = \#Inventor V IRIS Inventor 1.0 file 0 string = \#Inventor V2 Open Inventor 2.0 file # GLF is OpenGL stream encoding 0 string = glfHeadMagic(); GLF_TEXT 4 belong = 0x7d000000 GLF_BINARY_LSB_FIRST 4 belong = 0x0000007d GLF_BINARY_MSB_FIRST # GLS is OpenGL stream encoding; GLS is the successor of GLF 0 string = glsBeginGLS( GLS_TEXT 4 belong = 0x10000000 GLS_BINARY_LSB_FIRST 4 belong = 0x00000010 GLS_BINARY_MSB_FIRST #------------------------------------------------------------------------------ # mirage: file(1) magic for Mirage executables # # XXX - byte order? # 0 long = 31415 Mirage Assembler m.out executable #----------------------------------------------------------------------------- # misctools: file(1) magic for miscelanous UNIX tools. # 0 string = %%!! X-Post-It-Note text 0 string = BEGIN:VCALENDAR vCalendar calendar file 0 string = BEGIN:VCARD vCard visiting card # From: Alex Beregszaszi 4 string = gtktalog GNOME Catalogue (gtktalog) >13 string > \0 version %s #------------------------------------------------------------------------------ # mkid: file(1) magic for mkid(1) databases # # ID is the binary tags database produced by mkid(1). # # XXX - byte order? # 0 string = \311\304 ID tags data >2 short > 0 version %d #------------------------------------------------------------------------------ # mlssa: file(1) magic for MLSSA datafiles # 0 lelong = 0xffffabcd MLSSA datafile, >4 leshort x - algorithm %d, >10 lelong x - %d samples #------------------------------------------------------------------------------ # mmdf: file(1) magic for MMDF mail files # 0 string = \001\001\001\001 MMDF mailbox #------------------------------------------------------------------------------ # modem: file(1) magic for modem programs # # From: Florian La Roche 4 string = Research, Digifax-G3-File >29 byte = 1 , fine resolution >29 byte = 0 , normal resolution 0 short = 0x0100 raw G3 data, byte-padded 0 short = 0x1400 raw G3 data # # Magic data for vgetty voice formats # (Martin Seine & Marc Eberhard) # # raw modem data version 1 # 0 string = RMD1 raw modem data >4 string > \0 (%s / >20 short > 0 compression type 0x%04x) # # portable voice format 1 # 0 string = PVF1\n portable voice format >5 string > \0 (binary %s) # # portable voice format 2 # 0 string = PVF2\n portable voice format >5 string > \0 (ascii %s) #------------------------------------------------------------------------------ # motorola: file(1) magic for Motorola 68K and 88K binaries # # 68K # 0 beshort = 0520 mc68k COFF >18 beshort ^ 00000020 object >18 beshort & 00000020 executable >12 belong > 0 not stripped >168 string = .lowmem Apple toolbox >20 beshort = 0407 (impure) >20 beshort = 0410 (pure) >20 beshort = 0413 (demand paged) >20 beshort = 0421 (standalone) 0 beshort = 0521 mc68k executable (shared) >12 belong > 0 not stripped 0 beshort = 0522 mc68k executable (shared demand paged) >12 belong > 0 not stripped # # Motorola/UniSoft 68K Binary Compatibility Standard (BCS) # 0 beshort = 0554 68K BCS executable # # 88K # # Motorola/88Open BCS # 0 beshort = 0555 88K BCS executable # # Motorola S-Records, from Gerd Truschinski 0 string = S0 Motorola S-Record; binary data in text format # ATARI ST relocatable PRG # # from Oskar Schirmer Feb 3, 2001 # (according to Roland Waldi, Oct 21, 1987) # besides the magic 0x601a, the text segment size is checked to be # not larger than 1 MB (which is a lot on ST). # The additional 0x601b distinction I took from Doug Lee's magic. 0 belong&0xFFFFFFF0 = 0x601A0000 Atari ST M68K contiguous executable >2 belong x - (txt=%ld, >6 belong x - dat=%ld, >10 belong x - bss=%ld, >14 belong x - sym=%ld) 0 belong&0xFFFFFFF0 = 0x601B0000 Atari ST M68K non-contig executable >2 belong x - (txt=%ld, >6 belong x - dat=%ld, >10 belong x - bss=%ld, >14 belong x - sym=%ld) # Atari ST/TT... program format (sent by Wolfram Kleff ) 0 beshort = 0x601A Atari 68xxx executable, >2 belong x - text len %lu, >6 belong x - data len %lu, >10 belong x - BSS len %lu, >14 belong x - symboltab len %lu, >18 belong = 0 >22 belong & 0x01 fastload flag, >22 belong & 0x02 may be loaded to alternate RAM, >22 belong & 0x04 malloc may be from alternate RAM, >22 belong x - flags: 0x%lX, >26 beshort = 0 no relocation tab >26 beshort != 0 + relocation tab >30 string = SFX [Self-Extracting LZH SFX archive] >38 string = SFX [Self-Extracting LZH SFX archive] >44 string = ZIP! [Self-Extracting ZIP SFX archive] 0 beshort = 0x0064 Atari 68xxx CPX file >8 beshort x - (version %04lx) #------------------------------------------------------------------------------ # msdos: file(1) magic for MS-DOS files # # .BAT files (Daniel Quinlan, quinlan@yggdrasil.com) # updated by Joerg Jenderek #FIXME FTimes -- Replaced string tests with an equivalent regexp test. #0 string = @ #>1 string/cB = \ echo\ off MS-DOS batch file text #>1 string/cB = echo\ off MS-DOS batch file text #>1 string/cB = rem\ MS-DOS batch file text #>1 string/cB = set\ MS-DOS batch file text 0 regexp =~ ^(?i)[\x20\t]*@[\x20\t]*echo[\x20\t]+off MS-DOS batch file text # OS/2 batch files are REXX. the second regex is a bit generic, oh well # the matched commands seem to be common in REXX and uncommon elsewhere #FIXME FTimes -- Replaced regex tests with equivalent regexp tests. #100 regex/c = ^\\s*call\s+rxfuncadd.*sysloadfu OS/2 REXX batch file text #100 regex/c = ^\\s*say\ ['"] OS/2 REXX batch file text 100 regexp =~ ^\s*call\s+rxfuncadd.*sysloadfu OS/2 REXX batch file text 100 regexp =~ ^\s*say\x20['"] OS/2 REXX batch file text 0 leshort = 0x14c MS Windows COFF Intel 80386 object file #>4 ledate x stamp %s 0 leshort = 0x166 MS Windows COFF MIPS R4000 object file #>4 ledate x stamp %s 0 leshort = 0x184 MS Windows COFF Alpha object file #>4 ledate x stamp %s 0 leshort = 0x268 MS Windows COFF Motorola 68000 object file #>4 ledate x stamp %s 0 leshort = 0x1f0 MS Windows COFF PowerPC object file #>4 ledate x stamp %s 0 leshort = 0x290 MS Windows COFF PA-RISC object file #>4 ledate x stamp %s #FIXME FTimes - This is short-term fix until the newer MZ/PE tests can # be supported. # Microsoft MZ and PE executables 0 string = MZ MS #FIXME FTimes - If the PE offset is too large, we could end up with a # value that is beyond the end of the read buffer. # Therefore, we'll impose a hard limit here as a # temporary solution. FTimes' default read buffer size # is 0x4000 bytes -- but it is variable, so if the user # specifies a smaller size, this test could fail. >0x3c lelong >= 0x00004000 \b-DOS MZ (or unknown) executable >0x3c lelong < 0x00004000 >>(0x3c.l) regexp:4 !~ ^PE\x00\x00 \b-DOS MZ executable >>(0x3c.l) regexp:4 =~ ^PE\x00\x00 \b-Windows PE >>>&22 leshort&0x2000 = 0 executable >>>&22 leshort&0x2000 > 0 DLL >>>&20 leshort > 27 >>>>&72 leshort = 0 (unknown subsystem) >>>>&72 leshort = 1 (native) >>>>&72 leshort = 2 (GUI) >>>>&72 leshort = 3 (console) >>>>&72 leshort = 7 (POSIX) >>>&4 leshort = 0x0 unknown processor >>>&4 leshort = 0x14c Intel 80386 >>>&4 leshort = 0x166 MIPS R4000 >>>&4 leshort = 0x184 Alpha >>>&4 leshort = 0x268 Motorola 68000 >>>&4 leshort = 0x1f0 PowerPC >>>&4 leshort = 0x290 PA-RISC >>>&22 leshort&0x0100 > 0 32-bit >>>&22 leshort&0x1000 > 0 system file # .COM formats (Daniel Quinlan, quinlan@yggdrasil.com) # Uncommenting only the first two lines will cover about 2/3 of COM files, # but it isn't feasible to match all COM files since there must be at least # two dozen different one-byte "magics". 0 byte = 0xe9 DOS executable (COM) >0x1FE leshort = 0xAA55 \b, boot code >6 string = SFX\ of\ LHarc (%s) 0 belong = 0xffffffff DOS executable (device driver) #CMD640X2.SYS #FIMXE FTimes -- Modified tests to use bytes instead of strings # because '!' is not a supported string operator. #>10 string > \x23 #>>10 string ! \x2e #>>>17 string < \x5B #>>>>10 string x - \b, name: %.8s >10 byte > 0x23 >>10 byte != 0x2e >>>17 byte < 0x5b >>>>10 regexp:8 =~ ([\x20-\x7f]+) \b, name: %s #UDMA.SYS KEYB.SYS CMD640X2.SYS #FIMXE FTimes -- Modified tests to use bytes instead of strings for # consistency with the previous tests. #>10 string < \x41 #>>12 string > \x40 #>>>10 string = !$ #>>>>12 string x - \b, name: %.8s >10 byte < 0x41 >>12 byte > 0x40 >>>10 byte != 0x24 >>>>12 regexp:8 =~ ([\x20-\x7f]+) \b, name: %s #BTCDROM.SYS ASPICD.SYS #FIMXE FTimes -- Modified tests to use bytes instead of strings for # consistency with the previous tests. #>22 string > \x40 #>>22 string < \x5B #>>>23 string < \x5B #>>>>22 string x - \b, name: %.8s >22 byte > 0x40 >>22 byte < 0x5b >>>23 byte < 0x5b >>>>22 regexp:8 =~ ([\x20-\x7f]+) \b, name: %s #ATAPICD.SYS #FIMXE FTimes -- Modified tests to use bytes instead of strings for # consistency with the previous tests. #>76 string = \0 #>>77 string > \x40 #>>>77 string < \x5B #>>>>77 string x - \b, name: %.8s >76 byte = 0x00 >>77 byte > 0x40 >>>77 byte < 0x5b >>>>77 regexp:8 =~ ([\x20-\x7f]+) \b, name: %s 0 byte = 0x8c DOS executable (COM) # 0xeb conflicts with "sequent" magic 0 byte = 0xeb DOS executable (COM) >0x1FE leshort = 0xAA55 \b, boot code >85 string = UPX \b, UPX compressed >4 string = \ $ARX \b, ARX self-extracting archive >4 string = \ $LHarc \b, LHarc self-extracting archive >0x20e string = SFX\ by\ LARC \b, LARC self-extracting archive 0 byte = 0xb8 COM executable # modified by Joerg Jenderek >1 lelong != 0x21cd4cff for DOS # http://syslinux.zytor.com/comboot.php # (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode # start with assembler instructions mov eax,21cd4cffh >1 lelong = 0x21cd4cff (32-bit COMBOOT) 0 string = \x81\xfc >4 string = \x77\x02\xcd\x20\xb9 >>36 string = UPX! FREE-DOS executable (COM), UPX compressed 252 string = Must\ have\ DOS\ version DR-DOS executable (COM) # GRR search is not working #2 search/28 \xcd\x21 COM executable for MS-DOS #WHICHFAT.cOM 2 string = \xcd\x21 COM executable for DOS #DELTREE.cOM DELTREE2.cOM 4 string = \xcd\x21 COM executable for DOS #IFMEMDSK.cOM ASSIGN.cOM COMP.cOM 5 string = \xcd\x21 COM executable for DOS #DELTMP.COm HASFAT32.cOM 7 string = \xcd\x21 >0 byte != 0xb8 COM executable for DOS #COMP.cOM MORE.COm 10 string = \xcd\x21 >5 string = !\xcd\x21 COM executable for DOS #comecho.com 13 string = \xcd\x21 COM executable for DOS #HELP.COm EDIT.coM 18 string = \xcd\x21 COM executable for MS-DOS #NWRPLTRM.COm 23 string = \xcd\x21 COM executable for MS-DOS #LOADFIX.cOm LOADFIX.cOm 30 string = \xcd\x21 COM executable for MS-DOS #syslinux.com 3.11 70 string = \xcd\x21 COM executable for DOS # many compressed/converted COMs start with a copy loop instead of a jump #FIXME FTimes -- Replaced string tests with equivalent regexp tests. #0x6 search/0xa = \xfc\x57\xf3\xa5\xc3 COM executable for MS-DOS #0x6 search/0xa = \xfc\x57\xf3\xa4\xc3 COM executable for DOS #>0x18 search/0x10 = \x50\xa4\xff\xd5\x73 \b, aPack compressed 0x6 regexp:10 =~ \xfc\x57\xf3\xa5\xc3 COM executable for MS-DOS 0x6 regexp:10 =~ \xfc\x57\xf3\xa4\xc3 COM executable for DOS >0x18 regexp:16 =~ \x50\xa4\xff\xd5\x73 \b, aPack compressed 0x3c string = W\ Collis\0\0 COM executable for MS-DOS, Compack compressed # FIXME: missing diet .com compression # miscellaneous formats 0 string = LZ MS-DOS executable (built-in) #0 byte 0xf0 MS-DOS program library data # # # Windows Registry files. # updated by Joerg Jenderek 0 string = regf Windows NT/XP registry file 0 string = CREG Windows 95/98/ME registry file 0 string = SHCC3 Windows 3.1 registry file # AAF files: # Stuart Cunningham 0 string = \320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377 AAF legacy file using MS Structured Storage >30 byte = 9 (512B sectors) >30 byte = 12 (4kB sectors) 0 string = \320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001 AAF file using MS Structured Storage >30 byte = 9 (512B sectors) >30 byte = 12 (4kB sectors) # Popular applications 2080 string = Microsoft\ Word\ 6.0\ Document %s 2080 string = Documento\ Microsoft\ Word\ 6 Spanish Microsoft Word 6 document data # Pawel Wiecek (for polish Word) 2112 string = MSWordDoc Microsoft Word document data # 0 belong = 0x31be0000 Microsoft Word Document # 0 string = PO^Q` Microsoft Word 6.0 Document # 0 string = \376\067\0\043 Microsoft Office Document 0 string = \320\317\021\340\241\261\032\341 Microsoft Office Document 0 string = \333\245-\0\0\0 Microsoft Office Document # 2080 string = Microsoft\ Excel\ 5.0\ Worksheet %s 2080 string = Foglio\ di\ lavoro\ Microsoft\ Exce %s # # Pawel Wiecek (for polish Excel) 2114 string = Biff5 Microsoft Excel 5.0 Worksheet # Italian MS-Excel 2121 string = Biff5 Microsoft Excel 5.0 Worksheet 0 string = \x09\x04\x06\x00\x00\x00\x10\x00 Microsoft Excel Worksheet # 0 belong = 0x00001a00 Lotus 1-2-3 >4 belong = 0x00100400 wk3 document data >4 belong = 0x02100400 wk4 document data >4 belong = 0x07800100 fm3 or fmb document data >4 belong = 0x07800000 fm3 or fmb document data # 0 belong = 0x00000200 Lotus 1-2-3 >4 belong = 0x06040600 wk1 document data >4 belong = 0x06800200 fmt document data # Help files 0 string = ?_\3\0 MS Windows Help Data # DeIsL1.isu what this is I don't know 0 string = \161\250\000\000\001\002 DeIsL1.isu whatever that is # Winamp .avs #0 string Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media player 0 string = Nullsoft\ AVS\ Preset\ Winamp plug in # Hyper terminal: 0 string = HyperTerminal\ hyperterm >15 string = 1.0\ --\ HyperTerminal\ data\ file MS-windows Hyperterminal # Windows Metafont .WMF 0 string = \327\315\306\232 ms-windows metafont .wmf 0 string = \002\000\011\000 ms-windows metafont .wmf 0 string = \001\000\011\000 ms-windows metafont .wmf #tz3 files whatever that is (MS Works files) 0 string = \003\001\001\004\070\001\000\000 tz3 ms-works file 0 string = \003\002\001\004\070\001\000\000 tz3 ms-works file 0 string = \003\003\001\004\070\001\000\000 tz3 ms-works file # PGP sig files .sig #0 string \211\000\077\003\005\000\063\237\127 065 to \027\266\151\064\005\045\101\233\021\002 PGP sig 0 string = \211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002 PGP sig 0 string = \211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002 PGP sig 0 string = \211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002 PGP sig 0 string = \211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002 PGP sig 0 string = \211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002 PGP sig 0 string = \211\000\225\003\005\000\062\122\207\304\100\345\042 PGP sig # windows zips files .dmf 0 string = MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000 MS Windows special zipped file # Windows help file FTG FTS 0 string = \164\146\115\122\012\000\000\000\001\000\000\000 MS Windows help cache # grp old windows 3.1 group files 0 string = \120\115\103\103 MS Windows 3.1 group files # lnk files windows symlinks 0 string = \114\000\000\000\001\024\002\000\000\000\000\000\300\000\000\000\000\000\000\106 MS Windows shortcut #ico files 0 string = \102\101\050\000\000\000\056\000\000\000\000\000\000\000 Icon for MS Windows # Windows icons (Ian Springer ) 0 string = \000\000\001\000 MS Windows icon resource >4 byte = 1 - 1 icon >4 byte > 1 - %d icons >>6 byte > 0 \b, %dx >>>7 byte > 0 \b%d >>8 byte = 0 \b, 256-colors >>8 byte > 0 \b, %d-colors # .chr files 0 string = PK\010\010BGI Borland font >4 string > \0 %s # then there is a copyright notice # .bgi files 0 string = pk\010\010BGI Borland device >4 string > \0 %s # then there is a copyright notice # recycled/info the windows trash bin index 9 string = \000\000\000\030\001\000\000\000 MS Windows recycled bin info ##### put in Either Magic/font or Magic/news # Acroread or something files wrongly identified as G3 .pfm # these have the form \000 \001 any? \002 \000 \000 # or \000 \001 any? \022 \000 \000 #0 string \000\001 pfm? #>3 string \022\000\000Copyright\ yes #>3 string \002\000\000Copyright\ yes #>3 string >\0 oops, not a font file. Cancel that. #it clashes with ttf files so put it lower down. # From Doug Lee via a FreeBSD pr 9 string = GERBILDOC First Choice document 9 string = GERBILDB First Choice database 9 string = GERBILCLIP First Choice database 0 string = GERBIL First Choice device file 9 string = RABBITGRAPH RabbitGraph file 0 string = DCU1 Borland Delphi .DCU file 0 string = ! MKS Spell hash list (old format) 0 string = ! MKS Spell hash list # Too simple - MPi #0 string AH Halo(TM) bitmapped font file 0 lelong = 0x08086b70 TurboC BGI file 0 lelong = 0x08084b50 TurboC Font file # WARNING: below line conflicts with Infocom game data Z-machine 3 0 byte = 0x03 DBase 3 data file >0x04 lelong = 0 (no records) >0x04 lelong > 0 (%ld records) 0 byte = 0x83 DBase 3 data file with memo(s) >0x04 lelong = 0 (no records) >0x04 lelong > 0 (%ld records) 0 leshort = 0x0006 DBase 3 index file 0 string = PMCC Windows 3.x .GRP file 1 string = RDC-meg MegaDots >8 byte > 0x2F version %c >9 byte > 0x2F \b.%c file 0 lelong = 0x4C >4 lelong = 0x00021401 Windows shortcut file # DOS EPS Binary File Header # From: Ed Sznyter 0 belong = 0xC5D0D3C6 DOS EPS Binary File >4 long > 0 Postscript starts at byte %d >>8 long > 0 length %d >>>12 long > 0 Metafile starts at byte %d >>>>16 long > 0 length %d >>>20 long > 0 TIFF starts at byte %d >>>>24 long > 0 length %d # TNEF magic From "Joomy" 0 leshort = 0x223e9f78 TNEF # HtmlHelp files (.chm) 0 string = ITSF\003\000\000\000\x60\000\000\000\001\000\000\000 MS Windows HtmlHelp Data # GFA-BASIC (Wolfram Kleff) 2 string = GFA-BASIC3 GFA-BASIC 3 data #------------------------------------------------------------------------------ # From Stuart Caie (developer of cabextract) # Microsoft Cabinet files 0 string = MSCF\0\0\0\0 Microsoft Cabinet archive data >8 lelong x - \b, %u bytes >28 leshort = 1 \b, 1 file >28 leshort > 1 \b, %u files # InstallShield Cabinet files 0 string = ISc( InstallShield Cabinet archive data >5 byte&0xf0 = 0x60 version 6, >5 byte&0xf0 != 0x60 version 4/5, >(12.l+40) lelong x - %u files # Windows CE package files 0 string = MSCE\0\0\0\0 Microsoft WinCE install header >20 lelong = 0 \b, architecture-independent >20 lelong = 103 \b, Hitachi SH3 >20 lelong = 104 \b, Hitachi SH4 >20 lelong = 0xA11 \b, StrongARM >20 lelong = 4000 \b, MIPS R4000 >20 lelong = 10003 \b, Hitachi SH3 >20 lelong = 10004 \b, Hitachi SH3E >20 lelong = 10005 \b, Hitachi SH4 >20 lelong = 70001 \b, ARM 7TDMI >52 leshort = 1 \b, 1 file >52 leshort > 1 \b, %u files >56 leshort = 1 \b, 1 registry entry >56 leshort > 1 \b, %u registry entries # Outlook Personal Folders 0 lelong = 0x4E444221 Microsoft Outlook binary email folder # From: Dirk Jagdmann 0 lelong = 0x00035f3f Windows 3.x help file # Christophe Monniez 0 string = Client\ UrlCache\ MMF Microsoft Internet Explorer Cache File >20 string > \0 Version %s 0 string = \xCF\xAD\x12\xFE Microsoft Outlook Express DBX File >4 byte = 0xC5 Message database >4 byte = 0xC6 Folder database >4 byte = 0xC7 Accounts informations >4 byte = 0x30 Offline database # Windows Enhanced Metafile (EMF) # See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp # for further information. Note that "0 lelong 1" should be true i.e. # the first double word in the file should be 1. With the extended # syntax available by some file commands you could write: # 0 lelong 1 # &40 lelong 0x464D4520 Windows Enhanced Metafile (EMF) image data 40 lelong = 0x464D4520 Windows Enhanced Metafile (EMF) image data >44 lelong x - version 0x%x. # If the description has a length greater than zero, it exists and is # found at offset (*64). >64 lelong > 0 Description available at offset 0x%x >>60 lelong > 0 (length 0x%x) # Note it would be better to print out the description, which is found # as below. Unfortunately the following only prints out the first couple # of characters instead of all the "description length" # number of characters -- indicated by the lelong at offset 60. #FIXME FTimes - This type is not yet supported. #>>(64.l) lestring16 >0 Description: %15.15s # From: Alex Beregszaszi 0 string = COWD VMWare3 disk image >12 belong x - %d bytes 0 string = VMDK VMware4 disk image 0 belong = 0x514649fb QEMU Copy-On-Write disk image >4 belong x - version %d, >24 belong x - size %d + >28 belong x - %d 0 string = QEVM QEMU's suspend to disk image 0 string = Bochs\ Virtual\ HD\ Image Bochs disk image, >32 string x - type %s, >48 string x - subtype %s 0 lelong = 0x02468ace Bochs Sparse disk image #------------------------------------------------------------------------------ # msvc: file(1) magic for msvc # "H. Nanosecond" # Microsoft visual C # # I have version 1.0 # .aps 0 string = HWB\000\377\001\000\000\000 Microsoft Visual C .APS file # .ide #too long 0 string \102\157\162\154\141\156\144\040\103\053\053\040\120\162\157\152\145\143\164\040\106\151\154\145\012\000\032\000\002\000\262\000\272\276\372\316 MSVC .ide 0 string = \102\157\162\154\141\156\144\040\103\053\053\040\120\162\157 MSVC .ide # .res 0 string = \000\000\000\000\040\000\000\000\377 MSVC .res 0 string = \377\003\000\377\001\000\020\020\350 MSVC .res 0 string = \377\003\000\377\001\000\060\020\350 MSVC .res #.lib 0 string = \360\015\000\000 Microsoft Visual C library 0 string = \360\075\000\000 Microsoft Visual C library 0 string = \360\175\000\000 Microsoft Visual C library #.pch 0 string = DTJPCH0\000\022\103\006\200 Microsoft Visual C .pch # .pdb # too long 0 string Microsoft\ C/C++\ program\ database\ 0 string = Microsoft\ C/C++\ MSVC program database >18 string = program\ database\ >33 string > \0 ver %s #.sbr 0 string = \000\002\000\007\000 MSVC .sbr >5 string > \0 %s #.bsc 0 string = \002\000\002\001 MSVC .bsc #.wsp 0 string = 1.00\ .0000.0000\000\003 MSVC .wsp version 1.0000.0000 # these seem to start with the version and contain menus # ------------------------------------------------------------------------ # mup: file(1) magic for Mup (Music Publisher) input file. # # From: Abel Cheung # # NOTE: This header is mainly proposed in the Arkkra mailing list, # and is not a mandatory header because of old mup input file # compatibility. Noteedit also use mup format, but is not forcing # user to use any header as well. # 0 string = //!Mup Mup music publication program input text >6 string = -Arkkra (Arkkra) >>13 string = - >>>16 string = . >>>>14 string x - \b, need V%.4s >>>15 string = . >>>>14 string x - \b, need V%.3s >6 string = - >>9 string = . >>>7 string x - \b, need V%.4s >>8 string = . >>>7 string x - \b, need V%.3s #----------------------------------------------------------------------------- # natinst: file(1) magic for National Instruments Code Files # # From Enrique Gmez-Flores # version 1 # Many formats still missing, we use, for the moment LabVIEW # We guess VXI format file. VISA, LabWindowsCVI, BridgeVIEW, etc, are missing # 0 string = RSRC National Instruments, # Check if it's a LabVIEW File >8 string = LV LabVIEW File, # Check wich kind of file is >>10 string = SB Code Resource File, data >>10 string = IN Virtual Instrument Program, data >>10 string = AR VI Library, data # This is for Menu Libraries >8 string = LMNULBVW Portable File Names, data # This is for General Resources >8 string = rsc Resources File, data # This is for VXI Package 0 string = VMAP National Instruments, VXI File, data #------------------------------------------------------------------------------ # ncr: file(1) magic for NCR Tower objects # # contributed by # Michael R. Wayne *** TMC & Associates *** INTERNET: wayne@ford-vax.arpa # uucp: {philabs | pyramid} !fmsrl7!wayne OR wayne@fmsrl7.UUCP # 0 beshort = 000610 Tower/XP rel 2 object >12 belong > 0 not stripped >20 beshort = 0407 executable >20 beshort = 0410 pure executable >22 beshort > 0 - version %ld 0 beshort = 000615 Tower/XP rel 2 object >12 belong > 0 not stripped >20 beshort = 0407 executable >20 beshort = 0410 pure executable >22 beshort > 0 - version %ld 0 beshort = 000620 Tower/XP rel 3 object >12 belong > 0 not stripped >20 beshort = 0407 executable >20 beshort = 0410 pure executable >22 beshort > 0 - version %ld 0 beshort = 000625 Tower/XP rel 3 object >12 belong > 0 not stripped >20 beshort = 0407 executable >20 beshort = 0410 pure executable >22 beshort > 0 - version %ld 0 beshort = 000630 Tower32/600/400 68020 object >12 belong > 0 not stripped >20 beshort = 0407 executable >20 beshort = 0410 pure executable >22 beshort > 0 - version %ld 0 beshort = 000640 Tower32/800 68020 >18 beshort & 020000 w/68881 object >18 beshort & 040000 compatible object >18 beshort & 060000 object >20 beshort = 0407 executable >20 beshort = 0413 pure executable >12 belong > 0 not stripped >22 beshort > 0 - version %ld 0 beshort = 000645 Tower32/800 68010 >18 beshort & 040000 compatible object >18 beshort & 060000 object >20 beshort = 0407 executable >20 beshort = 0413 pure executable >12 belong > 0 not stripped >22 beshort > 0 - version %ld #------------------------------------------------------------------------------ # netbsd: file(1) magic for NetBSD objects # # All new-style magic numbers are in network byte order. # 0 lelong = 000000407 a.out NetBSD little-endian object file >16 lelong > 0 not stripped 0 belong = 000000407 a.out NetBSD big-endian object file >16 belong > 0 not stripped 0 belong&0377777777 = 041400413 a.out NetBSD/i386 demand paged >0 byte & 0x80 >>20 lelong < 4096 shared library >>20 lelong = 4096 dynamically linked executable >>20 lelong > 4096 dynamically linked executable >0 byte ^ 0x80 executable >16 lelong > 0 not stripped 0 belong&0377777777 = 041400410 a.out NetBSD/i386 pure >0 byte & 0x80 dynamically linked executable >0 byte ^ 0x80 executable >16 lelong > 0 not stripped 0 belong&0377777777 = 041400407 a.out NetBSD/i386 >0 byte & 0x80 dynamically linked executable >0 byte ^ 0x80 >>0 byte & 0x40 position independent >>20 lelong != 0 executable >>20 lelong = 0 object file >16 lelong > 0 not stripped 0 belong&0377777777 = 041400507 a.out NetBSD/i386 core >12 string > \0 from '%s' >32 lelong != 0 (signal %d) 0 belong&0377777777 = 041600413 a.out NetBSD/m68k demand paged >0 byte & 0x80 >>20 belong < 8192 shared library >>20 belong = 8192 dynamically linked executable >>20 belong > 8192 dynamically linked executable >0 byte ^ 0x80 executable >16 belong > 0 not stripped 0 belong&0377777777 = 041600410 a.out NetBSD/m68k pure >0 byte & 0x80 dynamically linked executable >0 byte ^ 0x80 executable >16 belong > 0 not stripped 0 belong&0377777777 = 041600407 a.out NetBSD/m68k >0 byte & 0x80 dynamically linked executable >0 byte ^ 0x80 >>0 byte & 0x40 position independent >>20 belong != 0 executable >>20 belong = 0 object file >16 belong > 0 not stripped 0 belong&0377777777 = 041600507 a.out NetBSD/m68k core >12 string > \0 from '%s' >32 belong != 0 (signal %d) 0 belong&0377777777 = 042000413 a.out NetBSD/m68k4k demand paged >0 byte & 0x80 >>20 belong < 4096 shared library >>20 belong = 4096 dynamically linked executable >>20 belong > 4096 dynamically linked executable >0 byte ^ 0x80 executable >16 belong > 0 not stripped 0 belong&0377777777 = 042000410 a.out NetBSD/m68k4k pure >0 byte & 0x80 dynamically linked executable >0 byte ^ 0x80 executable >16 belong > 0 not stripped 0 belong&0377777777 = 042000407 a.out NetBSD/m68k4k >0 byte & 0x80 dynamically linked executable >0 byte ^ 0x80 >>0 byte & 0x40 position independent >>20 belong != 0 executable >>20 belong = 0 object file >16 belong > 0 not stripped 0 belong&0377777777 = 042000507 a.out NetBSD/m68k4k core >12 string > \0 from '%s' >32 belong != 0 (signal %d) 0 belong&0377777777 = 042200413 a.out NetBSD/ns32532 demand paged >0 byte & 0x80 >>20 lelong < 4096 shared library >>20 lelong = 4096 dynamically linked executable >>20 lelong > 4096 dynamically linked executable >0 byte ^ 0x80 executable >16 lelong > 0 not stripped 0 belong&0377777777 = 042200410 a.out NetBSD/ns32532 pure >0 byte & 0x80 dynamically linked executable >0 byte ^ 0x80 executable >16 lelong > 0 not stripped 0 belong&0377777777 = 042200407 a.out NetBSD/ns32532 >0 byte & 0x80 dynamically linked executable >0 byte ^ 0x80 >>0 byte & 0x40 position independent >>20 lelong != 0 executable >>20 lelong = 0 object file >16 lelong > 0 not stripped 0 belong&0377777777 = 042200507 a.out NetBSD/ns32532 core >12 string > \0 from '%s' >32 lelong != 0 (signal %d) 0 belong&0377777777 = 045200507 a.out NetBSD/powerpc core >12 string > \0 from '%s' 0 belong&0377777777 = 042400413 a.out NetBSD/sparc demand paged >0 byte & 0x80 >>20 belong < 8192 shared library >>20 belong = 8192 dynamically linked executable >>20 belong > 8192 dynamically linked executable >0 byte ^ 0x80 executable >16 belong > 0 not stripped 0 belong&0377777777 = 042400410 a.out NetBSD/sparc pure >0 byte & 0x80 dynamically linked executable >0 byte ^ 0x80 executable >16 belong > 0 not stripped 0 belong&0377777777 = 042400407 a.out NetBSD/sparc >0 byte & 0x80 dynamically linked executable >0 byte ^ 0x80 >>0 byte & 0x40 position independent >>20 belong != 0 executable >>20 belong = 0 object file >16 belong > 0 not stripped 0 belong&0377777777 = 042400507 a.out NetBSD/sparc core >12 string > \0 from '%s' >32 belong != 0 (signal %d) 0 belong&0377777777 = 042600413 a.out NetBSD/pmax demand paged >0 byte & 0x80 >>20 lelong < 4096 shared library >>20 lelong = 4096 dynamically linked executable >>20 lelong > 4096 dynamically linked executable >0 byte ^ 0x80 executable >16 lelong > 0 not stripped 0 belong&0377777777 = 042600410 a.out NetBSD/pmax pure >0 byte & 0x80 dynamically linked executable >0 byte ^ 0x80 executable >16 lelong > 0 not stripped 0 belong&0377777777 = 042600407 a.out NetBSD/pmax >0 byte & 0x80 dynamically linked executable >0 byte ^ 0x80 >>0 byte & 0x40 position independent >>20 lelong != 0 executable >>20 lelong = 0 object file >16 lelong > 0 not stripped 0 belong&0377777777 = 042600507 a.out NetBSD/pmax core >12 string > \0 from '%s' >32 lelong != 0 (signal %d) 0 belong&0377777777 = 043000413 a.out NetBSD/vax 1k demand paged >0 byte & 0x80 >>20 lelong < 4096 shared library >>20 lelong = 4096 dynamically linked executable >>20 lelong > 4096 dynamically linked executable >0 byte ^ 0x80 executable >16 lelong > 0 not stripped 0 belong&0377777777 = 043000410 a.out NetBSD/vax 1k pure >0 byte & 0x80 dynamically linked executable >0 byte ^ 0x80 executable >16 lelong > 0 not stripped 0 belong&0377777777 = 043000407 a.out NetBSD/vax 1k >0 byte & 0x80 dynamically linked executable >0 byte ^ 0x80 >>0 byte & 0x40 position independent >>20 lelong != 0 executable >>20 lelong = 0 object file >16 lelong > 0 not stripped 0 belong&0377777777 = 043000507 a.out NetBSD/vax 1k core >12 string > \0 from '%s' >32 lelong != 0 (signal %d) 0 belong&0377777777 = 045400413 a.out NetBSD/vax 4k demand paged >0 byte & 0x80 >>20 lelong < 4096 shared library >>20 lelong = 4096 dynamically linked executable >>20 lelong > 4096 dynamically linked executable >0 byte ^ 0x80 executable >16 lelong > 0 not stripped 0 belong&0377777777 = 045400410 a.out NetBSD/vax 4k pure >0 byte & 0x80 dynamically linked executable >0 byte ^ 0x80 executable >16 lelong > 0 not stripped 0 belong&0377777777 = 045400407 a.out NetBSD/vax 4k >0 byte & 0x80 dynamically linked executable >0 byte ^ 0x80 >>0 byte & 0x40 position independent >>20 lelong != 0 executable >>20 lelong = 0 object file >16 lelong > 0 not stripped 0 belong&0377777777 = 045400507 a.out NetBSD/vax 4k core >12 string > \0 from '%s' >32 lelong != 0 (signal %d) # NetBSD/alpha does not support (and has never supported) a.out objects, # so no rules are provided for them. NetBSD/alpha ELF objects are # dealt with in "elf". 0 lelong = 0x00070185 ECOFF NetBSD/alpha binary >10 leshort = 0x0001 not stripped >10 leshort = 0x0000 stripped 0 belong&0377777777 = 043200507 a.out NetBSD/alpha core >12 string > \0 from '%s' >32 lelong != 0 (signal %d) 0 belong&0377777777 = 043400413 a.out NetBSD/mips demand paged >0 byte & 0x80 >>20 belong < 8192 shared library >>20 belong = 8192 dynamically linked executable >>20 belong > 8192 dynamically linked executable >0 byte ^ 0x80 executable >16 belong > 0 not stripped 0 belong&0377777777 = 043400410 a.out NetBSD/mips pure >0 byte & 0x80 dynamically linked executable >0 byte ^ 0x80 executable >16 belong > 0 not stripped 0 belong&0377777777 = 043400407 a.out NetBSD/mips >0 byte & 0x80 dynamically linked executable >0 byte ^ 0x80 >>0 byte & 0x40 position independent >>20 belong != 0 executable >>20 belong = 0 object file >16 belong > 0 not stripped 0 belong&0377777777 = 043400507 a.out NetBSD/mips core >12 string > \0 from '%s' >32 belong != 0 (signal %d) 0 belong&0377777777 = 043600413 a.out NetBSD/arm32 demand paged >0 byte & 0x80 >>20 lelong < 4096 shared library >>20 lelong = 4096 dynamically linked executable >>20 lelong > 4096 dynamically linked executable >0 byte ^ 0x80 executable >16 lelong > 0 not stripped 0 belong&0377777777 = 043600410 a.out NetBSD/arm32 pure >0 byte & 0x80 dynamically linked executable >0 byte ^ 0x80 executable >16 lelong > 0 not stripped 0 belong&0377777777 = 043600407 a.out NetBSD/arm32 >0 byte & 0x80 dynamically linked executable >0 byte ^ 0x80 >>0 byte & 0x40 position independent >>20 lelong != 0 executable >>20 lelong = 0 object file >16 lelong > 0 not stripped # NetBSD/arm26 has always used ELF objects, but it shares a core file # format with NetBSD/arm32. 0 belong&0377777777 = 043600507 a.out NetBSD/arm core >12 string > \0 from '%s' >32 lelong != 0 (signal %d) #------------------------------------------------------------------------------ # netscape: file(1) magic for Netscape files # "H. Nanosecond" # version 3 and 4 I think # # Netscape Address book .nab 0 string = \000\017\102\104\000\000\000\000\000\000\001\000\000\000\000\002\000\000\000\002\000\000\004\000 Netscape Address book # Netscape Communicator address book 0 string = \000\017\102\111 Netscape Communicator address book # .snm Caches 0 string = #\ Netscape\ folder\ cache Netscape folder cache 0 string = \000\036\204\220\000 Netscape folder cache # .n2p # Net 2 Phone #0 string 123\130\071\066\061\071\071\071\060\070\061\060\061\063\060 0 string = SX961999 Net2phone # #This is files ending in .art, FIXME add more rules 0 string = JG\004\016\0\0\0\0 ART #------------------------------------------------------------------------------ # news: file(1) magic for SunOS NeWS fonts (not "news" as in "netnews") # 0 string = StartFontMetrics ASCII font metrics 0 string = StartFont ASCII font bits 0 belong = 0x137A2944 NeWS bitmap font 0 belong = 0x137A2947 NeWS font family 0 belong = 0x137A2950 scalable OpenFont binary 0 belong = 0x137A2951 encrypted scalable OpenFont binary 8 belong = 0x137A2B45 X11/NeWS bitmap font 8 belong = 0x137A2B48 X11/NeWS font family #------------------------------------------------------------------------------ # nitpicker: file(1) magic for Flowfiles. # From: Christian Jachmann http://www.nitpicker.de 0 string = NPFF NItpicker Flow File >4 byte x - V%d. >5 byte x - %d >6 bedate x - started: %s >10 bedate x - stopped: %s >14 belong x - Bytes: %u >18 belong x - Bytes1: %u >22 belong x - Flows: %u >26 belong x - Pkts: %u #------------------------------------------------------------------------------ # ocaml: file(1) magic for Objective Caml files. 0 string = Caml1999 Objective caml >8 string = X exec file >8 string = I interface file (.cmi) >8 string = O object file (.cmo) >8 string = A library file (.cma) >8 string = Y native object file (.cmx) >8 string = Z native library file (.cmxa) >8 string = M abstract syntax tree implementation file >8 string = N abstract syntax tree interface file >9 string > \0 (Version %3.3s). #------------------------------------------------------------------------------ # octave binary data file(1) magic, from Dirk Eddelbuettel 0 string = Octave-1-L Octave binary data (little endian) 0 string = Octave-1-B Octave binary data (big endian) #------------------------------------------------------------------------------ # olf: file(1) magic for OLF executables # # We have to check the byte order flag to see what byte order all the # other stuff in the header is in. # # MIPS R3000 may also be for MIPS R2000. # What're the correct byte orders for the nCUBE and the Fujitsu VPP500? # # Created by Erik Theisen # Based on elf from Daniel Quinlan 0 string = \177OLF OLF >4 byte = 0 invalid class >4 byte = 1 32-bit >4 byte = 2 64-bit >7 byte = 0 invalid os >7 byte = 1 OpenBSD >7 byte = 2 NetBSD >7 byte = 3 FreeBSD >7 byte = 4 4.4BSD >7 byte = 5 Linux >7 byte = 6 SVR4 >7 byte = 7 esix >7 byte = 8 Solaris >7 byte = 9 Irix >7 byte = 10 SCO >7 byte = 11 Dell >7 byte = 12 NCR >5 byte = 0 invalid byte order >5 byte = 1 LSB >>16 leshort = 0 no file type, >>16 leshort = 1 relocatable, >>16 leshort = 2 executable, >>16 leshort = 3 shared object, # Core handling from Peter Tobias # corrections by Christian 'Dr. Disk' Hechelmann >>16 leshort = 4 core file >>>(0x38+0xcc) string > \0 of '%s' >>>(0x38+0x10) lelong > 0 (signal %d), >>16 leshort & 0xff00 processor-specific, >>18 leshort = 0 no machine, >>18 leshort = 1 AT&T WE32100 - invalid byte order, >>18 leshort = 2 SPARC - invalid byte order, >>18 leshort = 3 Intel 80386, >>18 leshort = 4 Motorola 68000 - invalid byte order, >>18 leshort = 5 Motorola 88000 - invalid byte order, >>18 leshort = 6 Intel 80486, >>18 leshort = 7 Intel 80860, >>18 leshort = 8 MIPS R3000_BE - invalid byte order, >>18 leshort = 9 Amdahl - invalid byte order, >>18 leshort = 10 MIPS R3000_LE, >>18 leshort = 11 RS6000 - invalid byte order, >>18 leshort = 15 PA-RISC - invalid byte order, >>18 leshort = 16 nCUBE, >>18 leshort = 17 VPP500, >>18 leshort = 18 SPARC32PLUS, >>18 leshort = 20 PowerPC, >>18 leshort = 0x9026 Alpha, >>20 lelong = 0 invalid version >>20 lelong = 1 version 1 >>36 lelong = 1 MathCoPro/FPU/MAU Required >8 string > \0 (%s) >5 byte = 2 MSB >>16 beshort = 0 no file type, >>16 beshort = 1 relocatable, >>16 beshort = 2 executable, >>16 beshort = 3 shared object, >>16 beshort = 4 core file, >>>(0x38+0xcc) string > \0 of '%s' >>>(0x38+0x10) belong > 0 (signal %d), >>16 beshort & 0xff00 processor-specific, >>18 beshort = 0 no machine, >>18 beshort = 1 AT&T WE32100, >>18 beshort = 2 SPARC, >>18 beshort = 3 Intel 80386 - invalid byte order, >>18 beshort = 4 Motorola 68000, >>18 beshort = 5 Motorola 88000, >>18 beshort = 6 Intel 80486 - invalid byte order, >>18 beshort = 7 Intel 80860, >>18 beshort = 8 MIPS R3000_BE, >>18 beshort = 9 Amdahl, >>18 beshort = 10 MIPS R3000_LE - invalid byte order, >>18 beshort = 11 RS6000, >>18 beshort = 15 PA-RISC, >>18 beshort = 16 nCUBE, >>18 beshort = 17 VPP500, >>18 beshort = 18 SPARC32PLUS, >>18 beshort = 20 PowerPC or cisco 4500, >>18 beshort = 21 cisco 7500, >>18 beshort = 24 cisco SVIP, >>18 beshort = 25 cisco 7200, >>18 beshort = 36 cisco 12000, >>18 beshort = 0x9026 Alpha, >>20 belong = 0 invalid version >>20 belong = 1 version 1 >>36 belong = 1 MathCoPro/FPU/MAU Required #------------------------------------------------------------------------------ # os2: file(1) magic for OS/2 files # # Provided 1998/08/22 by # David Mediavilla 1 string = InternetShortcut MS Windows 95 Internet shortcut text >24 string > \ (URL=<%s>) # OS/2 URL objects # Provided 1998/08/22 by # David Mediavilla #0 string http: OS/2 URL object text #>5 string >\ (WWW) #0 string mailto: OS/2 URL object text #>7 string >\ (email) <%s> #0 string news: OS/2 URL object text #>5 string >\ (Usenet) <%s> #0 string ftp: OS/2 URL object text #>4 string >\ (FTP) #0 string file: OS/2 URL object text #>5 string >\ (Local file) <%s> # >>>>> OS/2 INF/HLP <<<<< (source: Daniel Dissett ddissett@netcom.com) # Carl Hauser (chauser.parc@xerox.com) and # Marcus Groeber (marcusg@ph-cip.uni-koeln.de) # list the following header format in inf02a.doc: # # int16 ID; // ID magic word (5348h = "HS") # int8 unknown1; // unknown purpose, could be third letter of ID # int8 flags; // probably a flag word... # // bit 0: set if INF style file # // bit 4: set if HLP style file # // patching this byte allows reading HLP files # // using the VIEW command, while help files # // seem to work with INF settings here as well. # int16 hdrsize; // total size of header # int16 unknown2; // unknown purpose # 0 string = HSP\x01\x9b\x00 OS/2 INF >107 string > 0 (%s) 0 string = HSP\x10\x9b\x00 OS/2 HLP >107 string > 0 (%s) # OS/2 INI (this is a guess) 0 string = \xff\xff\xff\xff\x14\0\0\0 OS/2 INI # # Copyright (c) 1996 Ignatios Souvatzis. All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # 3. All advertising materials mentioning features or use of this software # must display the following acknowledgement: # This product includes software developed by Ignatios Souvatzis for # the NetBSD project. # 4. The name of the author may not be used to endorse or promote products # derived from this software without specific prior written permission. # # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES # OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. # IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, # PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; # OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR # OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # # # OS9/6809 module descriptions: # 0 beshort = 0x87CD OS9/6809 module: # >6 byte&0x0f = 0x00 non-executable >6 byte&0x0f = 0x01 machine language >6 byte&0x0f = 0x02 BASIC I-code >6 byte&0x0f = 0x03 Pascal P-code >6 byte&0x0f = 0x04 C I-code >6 byte&0x0f = 0x05 COBOL I-code >6 byte&0x0f = 0x06 Fortran I-code # >6 byte&0xf0 = 0x10 program executable >6 byte&0xf0 = 0x20 subroutine >6 byte&0xf0 = 0x30 multi-module >6 byte&0xf0 = 0x40 data module # >6 byte&0xf0 = 0xC0 system module >6 byte&0xf0 = 0xD0 file manager >6 byte&0xf0 = 0xE0 device driver >6 byte&0xf0 = 0xF0 device descriptor # # OS9/m68k stuff (to be continued) # 0 beshort = 0x4AFC OS9/68K module: # # attr >0x14 byte&0x80 = 0x80 re-entrant >0x14 byte&0x40 = 0x40 ghost >0x14 byte&0x20 = 0x20 system-state # # lang: # >0x13 byte = 1 machine language >0x13 byte = 2 BASIC I-code >0x13 byte = 3 Pascal P-code >0x13 byte = 4 C I-code >0x13 byte = 5 COBOL I-code >0x13 byte = 6 Fortran I-code # # # type: # >0x12 byte = 1 program executable >0x12 byte = 2 subroutine >0x12 byte = 3 multi-module >0x12 byte = 4 data module >0x12 byte = 11 trap library >0x12 byte = 12 system module >0x12 byte = 13 file manager >0x12 byte = 14 device driver >0x12 byte = 15 device descriptor # # Mach magic number info # 0 long = 0xefbe OSF/Rose object # I386 magic number info # 0 short = 0565 i386 COFF object #------------------------------------------------------------------------------ # palm: file(1) magic for PalmOS {.prc,.pdb}: applications, docfiles, and hacks # # Brian Lalor # appl 60 belong = 0x6170706c PalmOS application >0 string > \0 "%s" # TEXt 60 belong = 0x54455874 AportisDoc file >0 string > \0 "%s" # HACK 60 belong = 0x4841434b HackMaster hack >0 string > \0 "%s" # Variety of PalmOS document types # Michael-John Turner # Thanks to Hasan Umit Ezerce for his DocType 60 string = BVokBDIC BDicty PalmOS document >0 string > \0 "%s" 60 string = DB99DBOS DB PalmOS document >0 string > \0 "%s" 60 string = vIMGView FireViewer/ImageViewer PalmOS document >0 string > \0 "%s" 60 string = PmDBPmDB HanDBase PalmOS document >0 string > \0 "%s" 60 string = InfoINDB InfoView PalmOS document >0 string > \0 "%s" 60 string = ToGoToGo iSilo PalmOS document >0 string > \0 "%s" 60 string = JfDbJBas JFile PalmOS document >0 string > \0 "%s" 60 string = JfDbJFil JFile Pro PalmOS document >0 string > \0 "%s" 60 string = DATALSdb List PalmOS document >0 string > \0 "%s" 60 string = Mdb1Mdb1 MobileDB PalmOS document >0 string > \0 "%s" 60 string = PNRdPPrs PeanutPress PalmOS document >0 string > \0 "%s" 60 string = DataPlkr Plucker PalmOS document >0 string > \0 "%s" 60 string = DataSprd QuickSheet PalmOS document >0 string > \0 "%s" 60 string = SM01SMem SuperMemo PalmOS document >0 string > \0 "%s" 60 string = DataTlPt TealDoc PalmOS document >0 string > \0 "%s" 60 string = InfoTlIf TealInfo PalmOS document >0 string > \0 "%s" 60 string = DataTlMl TealMeal PalmOS document >0 string > \0 "%s" 60 string = DataTlPt TealPaint PalmOS document >0 string > \0 "%s" 60 string = dataTDBP ThinkDB PalmOS document >0 string > \0 "%s" 60 string = TdatTide Tides PalmOS document >0 string > \0 "%s" 60 string = ToRaTRPW TomeRaider PalmOS document >0 string > \0 "%s" # A GutenPalm zTXT etext for use on Palm Pilots (http://gutenpalm.sf.net) # For version 1.xx zTXTs, outputs version and numbers of bookmarks and # annotations. # For other versions, just outputs version. # 60 string = zTXT A GutenPalm zTXT e-book >0 string > \0 "%s" >(0x4E.L) byte = 0 >>(0x4E.L+1) byte x - (v0.%02d) >(0x4E.L) byte = 1 >>(0x4E.L+1) byte x - (v1.%02d) >>>(0x4E.L+10) beshort > 0 >>>>(0x4E.L+10) beshort < 2 - 1 bookmark >>>>(0x4E.L+10) beshort > 1 - %d bookmarks >>>(0x4E.L+14) beshort > 0 >>>>(0x4E.L+14) beshort < 2 - 1 annotation >>>>(0x4E.L+14) beshort > 1 - %d annotations >(0x4E.L) byte > 1 (v%d. >>(0x4E.L+1) byte x - %02d) # Palm OS .prc file types 60 string = libr Palm OS dynamic library data >0 string > \0 "%s" 60 string = ptch Palm OS operating system patch data >0 string > \0 "%s" # Mobipocket (www.mobipocket.com), donated by Carl Witty 60 string = BOOKMOBI Mobipocket E-book >0 string > \0 "%s" #------------------------------------------------------------------------------ # # Parix COFF executables # From: Ignatios Souvatzis # 0 beshort&0xfff = 0xACE PARIX >0 byte&0xf0 = 0x80 T800 >0 byte&0xf0 = 0x90 T9000 >19 byte&0x02 = 0x02 executable >19 byte&0x02 = 0x00 object >19 byte&0x0c = 0x00 not stripped #------------------------------------------------------------------------------ # pbm: file(1) magic for Portable Bitmap files # # XXX - byte order? # 0 short = 0x2a17 "compact bitmap" format (Poskanzer) #------------------------------------------------------------------------------ # pdf: file(1) magic for Portable Document Format # 0 string = %PDF- PDF document >5 byte x - \b, version %c >7 byte x - \b.%c #------------------------------------------------------------------------------ # pdp: file(1) magic for PDP-11 executable/object and APL workspace # 0 lelong = 0101555 PDP-11 single precision APL workspace 0 lelong = 0101554 PDP-11 double precision APL workspace # # PDP-11 a.out # 0 leshort = 0407 PDP-11 executable >8 leshort > 0 not stripped >15 byte > 0 - version %ld 0 leshort = 0401 PDP-11 UNIX/RT ldp 0 leshort = 0405 PDP-11 old overlay 0 leshort = 0410 PDP-11 pure executable >8 leshort > 0 not stripped >15 byte > 0 - version %ld 0 leshort = 0411 PDP-11 separate I&D executable >8 leshort > 0 not stripped >15 byte > 0 - version %ld 0 leshort = 0437 PDP-11 kernel overlay # These last three are derived from 2.11BSD file(1) 0 leshort = 0413 PDP-11 demand-paged pure executable >8 leshort > 0 not stripped 0 leshort = 0430 PDP-11 overlaid pure executable >8 leshort > 0 not stripped 0 leshort = 0431 PDP-11 overlaid separate executable >8 leshort > 0 not stripped #------------------------------------------------------------------------------ # perl: file(1) magic for Larry Wall's perl language. # # The ``eval'' line recognizes an outrageously clever hack for USG systems. # Keith Waclena # Send additions to #FIXME FTimes -- This is covered by script magic. #0 string/b = #!\ /bin/perl perl script text executable 0 string = eval\ "exec\ /bin/perl perl script text #FIXME FTimes -- This is covered by script magic. #0 string/b = #!\ /usr/bin/perl perl script text executable 0 string = eval\ "exec\ /usr/bin/perl perl script text #FIXME FTimes -- This is covered by script magic. #0 string/b = #!\ /usr/local/bin/perl perl script text 0 string = eval\ "exec\ /usr/local/bin/perl perl script text executable 0 string = eval\ '(exit\ $?0)'\ &&\ eval\ 'exec perl script text # a couple more, by me # XXX: christos matches #0 regex package Perl5 module source text (via regex) 0 string = package Perl5 module source text # Perl POD documents # From: Tom Hukins #FIXME FTimes -- Replaced string tests with an equivalent regexp test. #0 string/B = \=pod\n Perl POD document #0 string/B = \n\=pod\n Perl POD document #0 string/B = \=head1\ Perl POD document #0 string/B = \n\=head1\ Perl POD document #0 string/B = \=head2\ Perl POD document #0 string/B = \n\=head2\ Perl POD document 0 regexp =~ ^\n?=(?:pod\n|head[12]) Perl POD document # Perl Storable data files. 0 string = perl-store perl Storable(v0.6) data >4 byte > 0 (net-order %d) >>4 byte & 01 (network-ordered) >>4 byte = 3 (major 1) >>4 byte = 2 (major 1) 0 string = pst0 perl Storable(v0.7) data >4 byte > 0 >>4 byte & 01 (network-ordered) >>4 byte = 5 (major 2) >>4 byte = 4 (major 2) >>5 byte > 0 (minor %d) #------------------------------------------------------------------------------ # pgp: file(1) magic for Pretty Good Privacy # 0 beshort = 0x9900 PGP key public ring 0 beshort = 0x9501 PGP key security ring 0 beshort = 0x9500 PGP key security ring 0 beshort = 0xa600 PGP encrypted data 0 string = -----BEGIN\040PGP PGP armored data >15 string = PUBLIC\040KEY\040BLOCK- public key block >15 string = MESSAGE- message >15 string = SIGNED\040MESSAGE- signed message >15 string = PGP\040SIGNATURE- signature #------------------------------------------------------------------------------ # pkgadd: file(1) magic for SysV R4 PKG Datastreams # 0 string = #\ PaCkAgE\ DaTaStReAm pkg Datastream (SVR4) #------------------------------------------------------------------------------ # plan9: file(1) magic for AT&T Bell Labs' Plan 9 executables # From: "Stefan A. Haubenthal" # 0 belong = 0x00000107 Plan 9 executable, Motorola 68k 0 belong = 0x000001EB Plan 9 executable, Intel 386 0 belong = 0x00000247 Plan 9 executable, Intel 960 0 belong = 0x000002AB Plan 9 executable, SPARC 0 belong = 0x00000407 Plan 9 executable, MIPS R3000 0 belong = 0x0000048B Plan 9 executable, AT&T DSP 3210 0 belong = 0x00000517 Plan 9 executable, MIPS R4000 BE 0 belong = 0x000005AB Plan 9 executable, AMD 29000 0 belong = 0x00000647 Plan 9 executable, ARM 7-something 0 belong = 0x000006EB Plan 9 executable, PowerPC 0 belong = 0x00000797 Plan 9 executable, MIPS R4000 LE 0 belong = 0x0000084B Plan 9 executable, DEC Alpha #------------------------------------------------------------------------------ # plus5: file(1) magic for Plus Five's UNIX MUMPS # # XXX - byte order? Paging Hokey.... # 0 short = 0x259 mumps avl global >2 byte > 0 (V%d) >6 byte > 0 with %d byte name >7 byte > 0 and %d byte data cells 0 short = 0x25a mumps blt global >2 byte > 0 (V%d) >8 short > 0 - %d byte blocks >15 byte = 0x00 - P/D format >15 byte = 0x01 - P/K/D format >15 byte = 0x02 - K/D format >15 byte > 0x02 - Bad Flags #------------------------------------------------------------------------------ # printer: file(1) magic for printer-formatted files # # PostScript, updated by Daniel Quinlan (quinlan@yggdrasil.com) 0 string = %! PostScript document text >2 string = PS-Adobe- conforming >>11 string > \0 at level %.3s >>>15 string = EPS - type %s >>>15 string = Query - type %s >>>15 string = ExitServer - type %s # Some PCs have the annoying habit of adding a ^D as a document separator 0 string = \004%! PostScript document text >3 string = PS-Adobe- conforming >>12 string > \0 at level %.3s >>>16 string = EPS - type %s >>>16 string = Query - type %s >>>16 string = ExitServer - type %s 0 string = \033%-12345X%!PS PostScript document # DOS EPS Binary File Header # From: Ed Sznyter 0 belong = 0xC5D0D3C6 DOS EPS Binary File >4 long > 0 Postscript starts at byte %d >>8 long > 0 length %d >>>12 long > 0 Metafile starts at byte %d >>>>16 long > 0 length %d >>>20 long > 0 TIFF starts at byte %d >>>>24 long > 0 length %d # Adobe's PostScript Printer Description (PPD) files # Yves Arrouye # 0 string = *PPD-Adobe: PPD file >13 string x - \b, ve # HP Printer Job Language 0 string = \033%-12345X@PJL HP Printer Job Language data # HP Printer Job Language # The header found on Win95 HP plot files is the "Silliest Thing possible" # (TM) # Every driver puts the language at some random position, with random case # (LANGUAGE and Language) # For example the LaserJet 5L driver puts the "PJL ENTER LANGUAGE" in line 10 # From: Uwe Bonnes # 0 string = \033%-12345X@PJL HP Printer Job Language data >&0 string > \0 %s >>&0 string > \0 %s >>>&0 string > \0 %s >>>>&0 string > \0 %s #>15 string \ ENTER\ LANGUAGE\ = #>31 string PostScript PostScript # HP Printer Control Language, Daniel Quinlan (quinlan@yggdrasil.com) 0 string = \033E\033 HP PCL printer data >3 string = \&l0A - default page size >3 string = \&l1A - US executive page size >3 string = \&l2A - US letter page size >3 string = \&l3A - US legal page size >3 string = \&l26A - A4 page size >3 string = \&l80A - Monarch envelope size >3 string = \&l81A - No. 10 envelope size >3 string = \&l90A - Intl. DL envelope size >3 string = \&l91A - Intl. C5 envelope size >3 string = \&l100A - Intl. B5 envelope size >3 string = \&l-81A - No. 10 envelope size (landscape) >3 string = \&l-90A - Intl. DL envelope size (landscape) # IMAGEN printer-ready files: 0 string = @document( Imagen printer # this only works if "language xxx" is first item in Imagen header. >10 string = language\ impress (imPRESS data) >10 string = language\ daisy (daisywheel text) >10 string = language\ diablo (daisywheel text) >10 string = language\ printer (line printer emulation) >10 string = language\ tektronix (Tektronix 4014 emulation) # Add any other languages that your Imagen uses - remember # to keep the word `text' if the file is human-readable. # [GRR 950115: missing "postscript" or "ultrascript" (whatever it was called)] # # Now magic for IMAGEN font files... 0 string = Rast RST-format raster font data >45 string > 0 face %s # From Jukka Ukkonen 0 string = \033[K\002\0\0\017\033(a\001\0\001\033(g Canon Bubble Jet BJC formatted data # From # These are the /etc/magic entries to decode data sent to an Epson printer. 0 string = \x1B\x40\x1B\x28\x52\x08\x00\x00REMOTE1P Epson Stylus Color 460 data #------------------------------------------------------------------------------ # zenographics: file(1) magic for Zenographics ZjStream printer data # Rick Richardson rickr@mn.rr.com 0 string = JZJZ >0x12 string = ZZ Zenographics ZjStream printer data (big-endian) 0 string = ZJZJ >0x12 string = ZZ Zenographics ZjStream printer data (little-endian) #------------------------------------------------------------------------------ # Oak Technologies printer stream # Rick Richardson 0 string = OAK >0x07 byte = 0 >0x0b byte = 0 Oak Technologies printer stream # This would otherwise be recognized as PostScript - nick@debian.org 0 string = %!VMF SunClock's Vector Map Format data #------------------------------------------------------------------------------ # HP LaserJet 1000 series downloadable firmware file 0 string = \xbe\xefABCDEFGH HP LaserJet 1000 series downloadable firmware # From: Paolo # Epson ESC/Page, ESC/PageColor 0 string = \x1b\x01@EJL Epson ESC/Page language printer data #------------------------------------------------------------------------------ # project: file(1) magic for Project management # # Magic strings for ftnchek project files. Alexander Mai 0 string = FTNCHEK_\ P project file for ftnchek >10 string = 1 version 2.7 >10 string = 2 version 2.8 to 2.10 >10 string = 3 version 2.11 or later #------------------------------------------------------------------------------ # psdbms: file(1) magic for psdatabase # 0 belong&0xff00ffff = 0x56000000 ps database >1 string > \0 version %s >4 string > \0 from kernel %s #------------------------------------------------------------------------------ # psion: file(1) magic for Psion handhelds data # from: Peter Breitenlohner # 0 lelong = 0x10000037 Psion Series 5 >4 lelong = 0x10000039 font file >4 lelong = 0x1000003A printer driver >4 lelong = 0x1000003B clipboard >4 lelong = 0x10000042 multi-bitmap image >4 lelong = 0x1000006A application information file >4 lelong = 0x1000006D >>8 lelong = 0x1000007D sketch image >>8 lelong = 0x1000007E voice note >>8 lelong = 0x1000007F word file >>8 lelong = 0x10000085 OPL program >>8 lelong = 0x10000088 sheet file >>8 lelong = 0x100001C4 EasyFax initialisation file >4 lelong = 0x10000073 OPO module >4 lelong = 0x10000074 OPL application >4 lelong = 0x1000008A exported multi-bitmap image 0 lelong = 0x10000041 Psion Series 5 ROM multi-bitmap image 0 lelong = 0x10000050 Psion Series 5 >4 lelong = 0x1000006D database >4 lelong = 0x100000E4 ini file 0 lelong = 0x10000079 Psion Series 5 binary: >4 lelong = 0x00000000 DLL >4 lelong = 0x10000049 comms hardware library >4 lelong = 0x1000004A comms protocol library >4 lelong = 0x1000005D OPX >4 lelong = 0x1000006C application >4 lelong = 0x1000008D DLL >4 lelong = 0x100000AC logical device driver >4 lelong = 0x100000AD physical device driver >4 lelong = 0x100000E5 file transfer protocol >4 lelong = 0x100000E5 file transfer protocol >4 lelong = 0x10000140 printer definition >4 lelong = 0x10000141 printer definition 0 lelong = 0x1000007A Psion Series 5 executable #------------------------------------------------------------------------------ # pulsar: file(1) magic for Pulsar POP3 daemon binary files # # http://pulsar.sourceforge.net # mailto:rok.papez@lugos.si # 0 belong = 0x1ee7f11e Pulsar POP3 daemon mailbox cache file. >4 belong x - Version: %d. >8 belong x - \b%d #------------------------------------------------------------------------------ # pyramid: file(1) magic for Pyramids # # XXX - byte order? # 0 long = 0x50900107 Pyramid 90x family executable 0 long = 0x50900108 Pyramid 90x family pure executable >16 long > 0 not stripped 0 long = 0x5090010b Pyramid 90x family demand paged pure executable >16 long > 0 not stripped #------------------------------------------------------------------------------ # python: file(1) magic for python # # From: David Necas # often the module starts with a multiline string 0 string = """ a python script text executable # MAGIC as specified in Python/import.c (1.5 to 2.3.0a) # 20121 ( YEAR - 1995 ) + MONTH + DAY (little endian followed by "\r\n" 0 belong = 0x994e0d0a python 1.5/1.6 byte-compiled 0 belong = 0x87c60d0a python 2.0 byte-compiled 0 belong = 0x2aeb0d0a python 2.1 byte-compiled 0 belong = 0x2ded0d0a python 2.2 byte-compiled 0 belong = 0x3bf20d0a python 2.3 byte-compiled 0 belong = 0x6df20d0a python 2.4 byte-compiled #FIXME FTimes -- This is covered by script magic. #0 string/b = #!\ /usr/bin/python python script text executable #------------------------------------------------------------------------------ # file(1) magic for revision control files # From Hendrik Scholz 0 string = /1\ :pserver: cvs password text file #------------------------------------------------------------------------------ # riff: file(1) magic for RIFF format # See # # http://www.seanet.com/users/matts/riffmci/riffmci.htm # # AVI section extended by Patrik Rdman # 0 string = RIFF RIFF (little-endian) data # RIFF Palette format >8 string = PAL \b, palette >>16 leshort x - \b, version %d >>18 leshort x - \b, %d entries # RIFF Device Independent Bitmap format >8 string = RDIB \b, device-independent bitmap >>16 string = BM >>>30 leshort = 12 \b, OS/2 1.x format >>>>34 leshort x - \b, %d x >>>>36 leshort x - %d >>>30 leshort = 64 \b, OS/2 2.x format >>>>34 leshort x - \b, %d x >>>>36 leshort x - %d >>>30 leshort = 40 \b, Windows 3.x format >>>>34 lelong x - \b, %d x >>>>38 lelong x - %d x >>>>44 leshort x - %d # RIFF MIDI format >8 string = RMID \b, MIDI # RIFF Multimedia Movie File format >8 string = RMMP \b, multimedia movie # Microsoft WAVE format (*.wav) >8 string = WAVE \b, WAVE audio >>20 leshort = 1 \b, Microsoft PCM >>>34 leshort > 0 \b, %d bit >>20 leshort = 2 \b, Microsoft ADPCM >>20 leshort = 6 \b, ITU G.711 A-law >>20 leshort = 7 \b, ITU G.711 mu-law >>20 leshort = 17 \b, IMA ADPCM >>20 leshort = 20 \b, ITU G.723 ADPCM (Yamaha) >>20 leshort = 49 \b, GSM 6.10 >>20 leshort = 64 \b, ITU G.721 ADPCM >>20 leshort = 80 \b, MPEG >>20 leshort = 85 \b, MPEG Layer 3 >>22 leshort = 1 \b, mono >>22 leshort = 2 \b, stereo >>22 leshort > 2 \b, %d channels >>24 lelong > 0 %d Hz # Corel Draw Picture >8 string = CDRA \b, Corel Draw Picture # AVI == Audio Video Interleave >8 string = AVI\040 \b, AVI >>12 string = LIST >>>20 string = hdrlavih >>>>&36 lelong x - \b, %lu x >>>>&40 lelong x - %lu, >>>>&4 lelong > 1000000 <1 fps, >>>>&4 lelong = 1000000 1.00 fps, >>>>&4 lelong = 500000 2.00 fps, >>>>&4 lelong = 333333 3.00 fps, >>>>&4 lelong = 250000 4.00 fps, >>>>&4 lelong = 200000 5.00 fps, >>>>&4 lelong = 166667 6.00 fps, >>>>&4 lelong = 142857 7.00 fps, >>>>&4 lelong = 125000 8.00 fps, >>>>&4 lelong = 111111 9.00 fps, >>>>&4 lelong = 100000 10.00 fps, # ]9.9,10.1[ >>>>&4 lelong < 101010 >>>>>&-4 lelong > 99010 >>>>>>&-4 lelong != 100000 ~10 fps, >>>>&4 lelong = 83333 12.00 fps, # ]11.9,12.1[ >>>>&4 lelong < 84034 >>>>>&-4 lelong > 82645 >>>>>>&-4 lelong != 83333 ~12 fps, >>>>&4 lelong = 66667 15.00 fps, # ]14.9,15.1[ >>>>&4 lelong < 67114 >>>>>&-4 lelong > 66225 >>>>>>&-4 lelong != 66667 ~15 fps, >>>>&4 lelong = 50000 20.00 fps, >>>>&4 lelong = 41708 23.98 fps, >>>>&4 lelong = 41667 24.00 fps, # ]23.9,24.1[ >>>>&4 lelong < 41841 >>>>>&-4 lelong > 41494 >>>>>>&-4 lelong != 41708 >>>>>>>&-4 lelong != 41667 ~24 fps, >>>>&4 lelong = 40000 25.00 fps, # ]24.9,25.1[ >>>>&4 lelong < 40161 >>>>>&-4 lelong > 39841 >>>>>>&-4 lelong != 40000 ~25 fps, >>>>&4 lelong = 33367 29.97 fps, >>>>&4 lelong = 33333 30.00 fps, # ]29.9,30.1[ >>>>&4 lelong < 33445 >>>>>&-4 lelong > 33223 >>>>>>&-4 lelong != 33367 >>>>>>>&-4 lelong != 33333 ~30 fps, >>>>&4 lelong < 32224 >30 fps, ##>>>>&4 lelong x (%lu) ##>>>>&20 lelong x %lu frames, # Note: The tests below assume that the AVI has 1 or 2 streams, # "vids" optionally followed by "auds". # (Should cover 99.9% of all AVIs.) # assuming avih length = 56 >>>88 string = LIST >>>>96 string = strlstrh >>>>>108 string = vids video: >>>>>>&0 lelong = 0 uncompressed # skip past vids strh >>>>>>(104.l+108) string = strf >>>>>>>(104.l+132) lelong = 1 RLE 8bpp >>>>>>>(104.l+132) regexp =~ (?i)(cvid) Cinepak >>>>>>>(104.l+132) regexp =~ (?i)(i263) Intel I.263 >>>>>>>(104.l+132) regexp =~ (?i)(iv32) Indeo 3.2 >>>>>>>(104.l+132) regexp =~ (?i)(iv41) Indeo 4.1 >>>>>>>(104.l+132) regexp =~ (?i)(iv50) Indeo 5.0 >>>>>>>(104.l+132) regexp =~ (?i)(mp42) Microsoft MPEG-4 v2 >>>>>>>(104.l+132) regexp =~ (?i)(mp43) Microsoft MPEG-4 v3 >>>>>>>(104.l+132) regexp =~ (?i)(mjpg) Motion JPEG >>>>>>>(104.l+132) regexp =~ (?i)(div3) DivX 3 >>>>>>>>112 regexp =~ (?i)(div3) Low-Motion >>>>>>>>112 regexp =~ (?i)(div4) Fast-Motion >>>>>>>(104.l+132) regexp =~ (?i)(divx) DivX 4 >>>>>>>(104.l+132) regexp =~ (?i)(dx50) DivX 5 >>>>>>>(104.l+132) regexp =~ (?i)(xvid) XviD >>>>>>>(104.l+132) regexp =~ (?i)(h264) X.264 >>>>>>>(104.l+132) lelong = 0 ##>>>>>>>(104.l+132) string x (%.4s) # skip past first (video) LIST >>>>(92.l+96) string = LIST >>>>>(92.l+104) string = strlstrh >>>>>>(92.l+116) string = auds \b, audio: # auds strh length = 56: >>>>>>>(92.l+172) string = strf >>>>>>>>(92.l+180) leshort = 0x0001 uncompressed PCM >>>>>>>>(92.l+180) leshort = 0x0002 ADPCM >>>>>>>>(92.l+180) leshort = 0x0055 MPEG-1 Layer 3 >>>>>>>>(92.l+180) leshort = 0x2000 Dolby AC3 >>>>>>>>(92.l+180) leshort = 0x0161 DivX ##>>>>>>>>(92.l+180) leshort x (0x%.4x) >>>>>>>>(92.l+182) leshort = 1 (mono, >>>>>>>>(92.l+182) leshort = 2 (stereo, >>>>>>>>(92.l+182) leshort > 2 (%d channels, >>>>>>>>(92.l+184) lelong x - %d Hz) # auds strh length = 64: >>>>>>>(92.l+180) string = strf >>>>>>>>(92.l+188) leshort = 0x0001 uncompressed PCM >>>>>>>>(92.l+188) leshort = 0x0002 ADPCM >>>>>>>>(92.l+188) leshort = 0x0055 MPEG-1 Layer 3 >>>>>>>>(92.l+188) leshort = 0x2000 Dolby AC3 >>>>>>>>(92.l+188) leshort = 0x0161 DivX ##>>>>>>>>(92.l+188) leshort x (0x%.4x) >>>>>>>>(92.l+190) leshort = 1 (mono, >>>>>>>>(92.l+190) leshort = 2 (stereo, >>>>>>>>(92.l+190) leshort > 2 (%d channels, >>>>>>>>(92.l+192) lelong x - %d Hz) # Animated Cursor format >8 string = ACON \b, animated cursor # SoundFont 2 >8 string = sfbk SoundFont/Bank # MPEG-1 wrapped in a RIFF, apparently >8 string = CDXA \b, wrapped MPEG-1 (CDXA) >8 string = 4XMV \b, 4X Movie file # # XXX - some of the below may only appear in little-endian form. # # Also "MV93" appears to be for one form of Macromedia Director # files, and "GDMF" appears to be another multimedia format. # 0 string = RIFX RIFF (big-endian) data # RIFF Palette format >8 string = PAL \b, palette >>16 beshort x - \b, version %d >>18 beshort x - \b, %d entries # RIFF Device Independent Bitmap format >8 string = RDIB \b, device-independent bitmap >>16 string = BM >>>30 beshort = 12 \b, OS/2 1.x format >>>>34 beshort x - \b, %d x >>>>36 beshort x - %d >>>30 beshort = 64 \b, OS/2 2.x format >>>>34 beshort x - \b, %d x >>>>36 beshort x - %d >>>30 beshort = 40 \b, Windows 3.x format >>>>34 belong x - \b, %d x >>>>38 belong x - %d x >>>>44 beshort x - %d # RIFF MIDI format >8 string = RMID \b, MIDI # RIFF Multimedia Movie File format >8 string = RMMP \b, multimedia movie # Microsoft WAVE format (*.wav) >8 string = WAVE \b, WAVE audio >>20 leshort = 1 \b, Microsoft PCM >>>34 leshort > 0 \b, %d bit >>22 beshort = 1 \b, mono >>22 beshort = 2 \b, stereo >>22 beshort > 2 \b, %d channels >>24 belong > 0 %d Hz # Corel Draw Picture >8 string = CDRA \b, Corel Draw Picture # AVI == Audio Video Interleave >8 string = AVI\040 \b, AVI # Animated Cursor format >8 string = ACON \b, animated cursor # Notation Interchange File Format (big-endian only) >8 string = NIFF \b, Notation Interchange File Format # SoundFont 2 >8 string = sfbk SoundFont/Bank #------------------------------------------------------------------------------ # # RPM: file(1) magic for Red Hat Packages Erik Troan (ewt@redhat.com) # 0 beshort = 0xedab >2 beshort = 0xeedb RPM >>4 byte x - v%d >>6 beshort = 0 bin >>6 beshort = 1 src >>8 beshort = 1 i386 >>8 beshort = 2 Alpha >>8 beshort = 3 Sparc >>8 beshort = 4 MIPS >>8 beshort = 5 PowerPC >>8 beshort = 6 68000 >>8 beshort = 7 SGI >>8 beshort = 8 RS6000 >>8 beshort = 9 IA64 >>8 beshort = 10 Sparc64 >>8 beshort = 11 MIPSel >>8 beshort = 12 ARM >>10 string x - %s #------------------------------------------------------------------------------ # rtf: file(1) magic for Rich Text Format (RTF) # # Duncan P. Simpson, D.P.Simpson@dcs.warwick.ac.uk # 0 string = {\\rtf Rich Text Format data, >5 byte x - version %c, >6 string = \\ansi ANSI >6 string = \\mac Apple Macintosh >6 string = \\pc IBM PC, code page 437 >6 string = \\pca IBM PS/2, code page 850 #------------------------------------------------------------------------------ # sc: file(1) magic for "sc" spreadsheet # 38 string = Spreadsheet sc spreadsheet file #------------------------------------------------------------------------------ # sccs: file(1) magic for SCCS archives # # SCCS archive structure: # \001h01207 # \001s 00276/00000/00000 # \001d D 1.1 87/09/23 08:09:20 ian 1 0 # \001c date and time created 87/09/23 08:09:20 by ian # \001e # \001u # \001U # ... etc. # Now '\001h' happens to be the same as the 3B20's a.out magic number (0550). # *Sigh*. And these both came from various parts of the USG. # Maybe we should just switch everybody from SCCS to RCS! # Further, you can't just say '\001h0', because the five-digit number # is a checksum that could (presumably) have any leading digit, # and we don't have regular expression matching yet. # Hence the following official kludge: 8 string = \001s\ SCCS archive data #------------------------------------------------------------------------------ # sendmail: file(1) magic for sendmail config files # # XXX - byte order? # 0 byte = 046 Sendmail frozen configuration >16 string > \0 - version %s 0 short = 0x271c Sendmail frozen configuration >16 string > \0 - version %s #------------------------------------------------------------------------------ # sendmail: file(1) magic for sendmail m4(1) files # # From Hendrik Scholz # i.e. files in /usr/share/sendmail/cf/ # 0 string = divert(-1)\n sendmail m4 text file #------------------------------------------------------------------------------ # sequent: file(1) magic for Sequent machines # # Sequent information updated by Don Dwiggins . # For Sequent's multiprocessor systems (incomplete). 0 lelong = 0x00ea BALANCE NS32000 .o >16 lelong > 0 not stripped >124 lelong > 0 version %ld 0 lelong = 0x10ea BALANCE NS32000 executable (0 @ 0) >16 lelong > 0 not stripped >124 lelong > 0 version %ld 0 lelong = 0x20ea BALANCE NS32000 executable (invalid @ 0) >16 lelong > 0 not stripped >124 lelong > 0 version %ld 0 lelong = 0x30ea BALANCE NS32000 standalone executable >16 lelong > 0 not stripped >124 lelong > 0 version %ld # # Symmetry information added by Jason Merrill . # Symmetry magic nums will not be reached if DOS COM comes before them; # byte 0xeb is matched before these get a chance. 0 leshort = 0x12eb SYMMETRY i386 .o >16 lelong > 0 not stripped >124 lelong > 0 version %ld 0 leshort = 0x22eb SYMMETRY i386 executable (0 @ 0) >16 lelong > 0 not stripped >124 lelong > 0 version %ld 0 leshort = 0x32eb SYMMETRY i386 executable (invalid @ 0) >16 lelong > 0 not stripped >124 lelong > 0 version %ld 0 leshort = 0x42eb SYMMETRY i386 standalone executable >16 lelong > 0 not stripped >124 lelong > 0 version %ld #------------------------------------------------------------------------------ # sgi: file(1) magic for Silicon Graphics applications # # # Performance Co-Pilot file types 0 string = PmNs PCP compiled namespace (V.0) 0 string = PmN PCP compiled namespace >3 string > \0 (V.%1.1s) 3 lelong = 0x84500526 PCP archive >7 byte x - (V.%d) >20 lelong = -2 temporal index >20 lelong = -1 metadata >20 lelong = 0 log volume #0 >20 lelong > 0 log volume #%ld >24 string > \0 host: %s 0 string = PCPFolio PCP >9 string = Version: Archive Folio >18 string > \0 (V.%s) 0 string = #pmchart PCP pmchart view >9 string = Version >17 string > \0 (V%-3.3s) 0 string = pmview PCP pmview config >7 string = Version >15 string > \0 (V%-3.3s) 0 string = #pmlogger PCP pmlogger config >10 string = Version >18 string > \0 (V%1.1s) 0 string = PcPh PCP Help >4 string = 1 Index >4 string = 2 Text >5 string > \0 (V.%1.1s) 0 string = #pmieconf-rules PCP pmieconf rules >16 string > \0 (V.%1.1s) 3 string = pmieconf-pmie PCP pmie config >17 string > \0 (V.%1.1s) # SpeedShop data files 0 lelong = 0x13130303 SpeedShop data file # mdbm files 0 lelong = 0x01023962 mdbm file, version 0 (obsolete) 0 string = mdbm mdbm file, >5 byte x - version %d, >6 byte x - 2^%d pages, >7 byte x - pagesize 2^%d, >17 byte x - hash %d, >11 byte x - dataformat %d # Alias Maya files 0 string = //Maya ASCII Alias Maya Ascii File, >13 string > \0 version %s 8 string = MAYAFOR4 Alias Maya Binary File, >32 string > \0 version %s scene 8 string = MayaFOR4 Alias Maya Binary File, >32 string > \0 version %s scene 8 string = CIMG Alias Maya Image File 8 string = DEEP Alias Maya Image File #------------------------------------------------------------------------------ # sgml: file(1) magic for Standard Generalized Markup Language # HyperText Markup Language (HTML) is an SGML document type, # from Daniel Quinlan (quinlan@yggdrasil.com) # adapted to string extenstions by Anthon van der Neut 0 string = #\ HTTP\ Cookie\ File Web browser cookie text 0 string = #\ Netscape\ HTTP\ Cookie\ File Netscape cookie text 0 string = #\ KDE\ Cookie\ File Konqueror cookie text #------------------------------------------------------------------------ # file(1) magic for sharc files # # SHARC DSP, MIDI SysEx and RiscOS filetype definitions added by # FutureGroove Music (dsp@futuregroove.de) #------------------------------------------------------------------------ 0 string = Draw RiscOS Drawfile 0 string = PACK RiscOS PackdDir archive #------------------------------------------------------------------------ # SHARC DSP stuff (based on the FGM SHARC DSP SDK) 0 string = ! Assembler source 0 string = Analog ADi asm listing file 0 string = .SYSTEM SHARC architecture file 0 string = .system SHARC architecture file 0 leshort = 0x521C SHARC COFF binary >2 leshort > 1 , %hd sections >>12 lelong > 0 , not stripped #------------------------------------------------------------------------------ # sinclair: file(1) sinclair QL # additions to /etc/magic by Thomas M. Ott (ThMO) # Sinclair QL floppy disk formats (ThMO) 0 string = QL5 QL disk dump data, >3 string = A 720 KB, >3 string = B 1.44 MB, >3 string = C 3.2 MB, >4 string > \0 label:%.10s # Sinclair QL OS dump (ThMO) # (NOTE: if `file' would be able to use indirect references in a endian format # differing from the natural host format, this could be written more # reliably and faster...) # # we *can't* lookup QL OS code dumps, because `file' is UNABLE to read more # than the first 8K of a file... #-( # #0 belong =0x30000 #>49124 belong <47104 #>>49128 belong <47104 #>>>49132 belong <47104 #>>>>49136 belong <47104 QL OS dump data, #>>>>>49148 string >\0 type %.3s, #>>>>>49142 string >\0 version %.4s # Sinclair QL firmware executables (ThMO) 0 string = NqNqNq`\004 QL firmware executable (BCPL) # Sinclair QL libraries (was ThMO) 0 beshort = 0xFB01 QDOS object #FIXME FTimes - Replaced pstring with string. #>2 pstring x '%s' >2 string x - '%s' # Sinclair QL executables (was ThMO) 4 belong = 0x4AFB QDOS executable #FIXME FTimes - Replaced pstring with string. #>9 pstring x '%s' >9 string x - '%s' # Sinclair QL ROM (ThMO) 0 belong = 0x4AFB0001 QL plugin-ROM data, #FIXME FTimes - Replaced pstring with string. #>9 pstring =\0 un-named >9 string = \0 un-named #FIXME FTimes - Replaced pstring with string. #>9 pstring >\0 named: %s >9 string > \0 named: %s #------------------------------------------------------------------------------ # Sketch Drawings: http://sketch.sourceforge.net/ # From: Edwin Mons 0 string = ##Sketch Sketch document text #----------------------------------------------- # GNU Smalltalk image, starting at version 1.6.2 # From: catull_us@yahoo.com # 0 string = GSTIm\0\0 GNU SmallTalk # little-endian >7 byte&1 = 0 LE image version >>10 byte x - %d. >>9 byte x - \b%d. >>8 byte x - \b%d #>>12 lelong x , data: %ld #>>16 lelong x , table: %ld #>>20 lelong x , memory: %ld # big-endian >7 byte&1 = 1 BE image version >>8 byte x - %d. >>9 byte x - \b%d. >>10 byte x - \b%d #>>12 belong x , data: %ld #>>16 belong x , table: %ld #>>20 belong x , memory: %ld #------------------------------------------------------------------------------ # sniffer: file(1) magic for packet capture files # # From: guy@alum.mit.edu (Guy Harris) # # # Microsoft Network Monitor 1.x capture files. # 0 string = RTSS NetMon capture file >5 byte x - - version %d >4 byte x - \b.%d >6 leshort = 0 (Unknown) >6 leshort = 1 (Ethernet) >6 leshort = 2 (Token Ring) >6 leshort = 3 (FDDI) >6 leshort = 4 (ATM) # # Microsoft Network Monitor 2.x capture files. # 0 string = GMBU NetMon capture file >5 byte x - - version %d >4 byte x - \b.%d >6 leshort = 0 (Unknown) >6 leshort = 1 (Ethernet) >6 leshort = 2 (Token Ring) >6 leshort = 3 (FDDI) >6 leshort = 4 (ATM) # # Network General Sniffer capture files. # Sorry, make that "Network Associates Sniffer capture files." # Sorry, make that "Network General old DOS Sniffer capture files." # 0 string = TRSNIFF\ data\ \ \ \ \032 Sniffer capture file >33 byte = 2 (compressed) >23 leshort x - - version %d >25 leshort x - \b.%d >32 byte = 0 (Token Ring) >32 byte = 1 (Ethernet) >32 byte = 2 (ARCNET) >32 byte = 3 (StarLAN) >32 byte = 4 (PC Network broadband) >32 byte = 5 (LocalTalk) >32 byte = 6 (Znet) >32 byte = 7 (Internetwork Analyzer) >32 byte = 9 (FDDI) >32 byte = 10 (ATM) # # Cinco Networks NetXRay capture files. # Sorry, make that "Network General Sniffer Basic capture files." # Sorry, make that "Network Associates Sniffer Basic capture files." # Sorry, make that "Network Associates Sniffer Basic, and Windows # Sniffer Pro", capture files." # Sorry, make that "Network General Sniffer capture files." # 0 string = XCP\0 NetXRay capture file >4 string > \0 - version %s >44 leshort = 0 (Ethernet) >44 leshort = 1 (Token Ring) >44 leshort = 2 (FDDI) >44 leshort = 3 (WAN) >44 leshort = 8 (ATM) >44 leshort = 9 (802.11) # # "libpcap" capture files. # (We call them "tcpdump capture file(s)" for now, as "tcpdump" is # the main program that uses that format, but there are other programs # that use "libpcap", or that use the same capture file format.) # 0 belong = 0xa1b2c3d4 tcpdump capture file (big-endian) >4 beshort x - - version %d >6 beshort x - \b.%d >20 belong = 0 (No link-layer encapsulation >20 belong = 1 (Ethernet >20 belong = 2 (3Mb Ethernet >20 belong = 3 (AX.25 >20 belong = 4 (ProNET >20 belong = 5 (CHAOS >20 belong = 6 (Token Ring >20 belong = 7 (BSD ARCNET >20 belong = 8 (SLIP >20 belong = 9 (PPP >20 belong = 10 (FDDI >20 belong = 11 (RFC 1483 ATM >20 belong = 12 (raw IP >20 belong = 13 (BSD/OS SLIP >20 belong = 14 (BSD/OS PPP >20 belong = 19 (Linux ATM Classical IP >20 belong = 50 (PPP or Cisco HDLC >20 belong = 51 (PPP-over-Ethernet >20 belong = 99 (Symantec Enterprise Firewall >20 belong = 100 (RFC 1483 ATM >20 belong = 101 (raw IP >20 belong = 102 (BSD/OS SLIP >20 belong = 103 (BSD/OS PPP >20 belong = 104 (BSD/OS Cisco HDLC >20 belong = 105 (802.11 >20 belong = 106 (Linux Classical IP over ATM >20 belong = 107 (Frame Relay >20 belong = 108 (OpenBSD loopback >20 belong = 109 (OpenBSD IPsec encrypted >20 belong = 112 (Cisco HDLC >20 belong = 113 (Linux "cooked" >20 belong = 114 (LocalTalk >20 belong = 117 (OpenBSD PFLOG >20 belong = 119 (802.11 with Prism header >20 belong = 122 (RFC 2625 IP over Fibre Channel >20 belong = 123 (SunATM >20 belong = 127 (802.11 with radiotap header >20 belong = 129 (Linux ARCNET >20 belong = 138 (Apple IP over IEEE 1394 >20 belong = 140 (MTP2 >20 belong = 141 (MTP3 >20 belong = 143 (DOCSIS >20 belong = 144 (IrDA >20 belong = 147 (Private use 0 >20 belong = 148 (Private use 1 >20 belong = 149 (Private use 2 >20 belong = 150 (Private use 3 >20 belong = 151 (Private use 4 >20 belong = 152 (Private use 5 >20 belong = 153 (Private use 6 >20 belong = 154 (Private use 7 >20 belong = 155 (Private use 8 >20 belong = 156 (Private use 9 >20 belong = 157 (Private use 10 >20 belong = 158 (Private use 11 >20 belong = 159 (Private use 12 >20 belong = 160 (Private use 13 >20 belong = 161 (Private use 14 >20 belong = 162 (Private use 15 >20 belong = 163 (802.11 with AVS header >16 belong x - \b, capture length %d) 0 lelong = 0xa1b2c3d4 tcpdump capture file (little-endian) >4 leshort x - - version %d >6 leshort x - \b.%d >20 lelong = 0 (No link-layer encapsulation >20 lelong = 1 (Ethernet >20 lelong = 2 (3Mb Ethernet >20 lelong = 3 (AX.25 >20 lelong = 4 (ProNET >20 lelong = 5 (CHAOS >20 lelong = 6 (Token Ring >20 lelong = 7 (ARCNET >20 lelong = 8 (SLIP >20 lelong = 9 (PPP >20 lelong = 10 (FDDI >20 lelong = 11 (RFC 1483 ATM >20 lelong = 12 (raw IP >20 lelong = 13 (BSD/OS SLIP >20 lelong = 14 (BSD/OS PPP >20 lelong = 19 (Linux ATM Classical IP >20 lelong = 50 (PPP or Cisco HDLC >20 lelong = 51 (PPP-over-Ethernet >20 lelong = 99 (Symantec Enterprise Firewall >20 lelong = 100 (RFC 1483 ATM >20 lelong = 101 (raw IP >20 lelong = 102 (BSD/OS SLIP >20 lelong = 103 (BSD/OS PPP >20 lelong = 104 (BSD/OS Cisco HDLC >20 lelong = 105 (802.11 >20 lelong = 106 (Linux Classical IP over ATM >20 lelong = 107 (Frame Relay >20 lelong = 108 (OpenBSD loopback >20 lelong = 109 (OpenBSD IPsec encrypted >20 lelong = 112 (Cisco HDLC >20 lelong = 113 (Linux "cooked" >20 lelong = 114 (LocalTalk >20 lelong = 117 (OpenBSD PFLOG >20 lelong = 119 (802.11 with Prism header >20 lelong = 122 (RFC 2625 IP over Fibre Channel >20 lelong = 123 (SunATM >20 lelong = 127 (802.11 with radiotap header >20 lelong = 129 (Linux ARCNET >20 lelong = 138 (Apple IP over IEEE 1394 >20 lelong = 140 (MTP2 >20 lelong = 141 (MTP3 >20 lelong = 143 (DOCSIS >20 lelong = 144 (IrDA >20 lelong = 147 (Private use 0 >20 lelong = 148 (Private use 1 >20 lelong = 149 (Private use 2 >20 lelong = 150 (Private use 3 >20 lelong = 151 (Private use 4 >20 lelong = 152 (Private use 5 >20 lelong = 153 (Private use 6 >20 lelong = 154 (Private use 7 >20 lelong = 155 (Private use 8 >20 lelong = 156 (Private use 9 >20 lelong = 157 (Private use 10 >20 lelong = 158 (Private use 11 >20 lelong = 159 (Private use 12 >20 lelong = 160 (Private use 13 >20 lelong = 161 (Private use 14 >20 lelong = 162 (Private use 15 >20 lelong = 163 (802.11 with AVS header >16 lelong x - \b, capture length %d) # # "libpcap"-with-Alexey-Kuznetsov's-patches capture files. # (We call them "tcpdump capture file(s)" for now, as "tcpdump" is # the main program that uses that format, but there are other programs # that use "libpcap", or that use the same capture file format.) # 0 belong = 0xa1b2cd34 extended tcpdump capture file (big-endian) >4 beshort x - - version %d >6 beshort x - \b.%d >20 belong = 0 (No link-layer encapsulation >20 belong = 1 (Ethernet >20 belong = 2 (3Mb Ethernet >20 belong = 3 (AX.25 >20 belong = 4 (ProNET >20 belong = 5 (CHAOS >20 belong = 6 (Token Ring >20 belong = 7 (ARCNET >20 belong = 8 (SLIP >20 belong = 9 (PPP >20 belong = 10 (FDDI >20 belong = 11 (RFC 1483 ATM >20 belong = 12 (raw IP >20 belong = 13 (BSD/OS SLIP >20 belong = 14 (BSD/OS PPP >16 belong x - \b, capture length %d) 0 lelong = 0xa1b2cd34 extended tcpdump capture file (little-endian) >4 leshort x - - version %d >6 leshort x - \b.%d >20 lelong = 0 (No link-layer encapsulation >20 lelong = 1 (Ethernet >20 lelong = 2 (3Mb Ethernet >20 lelong = 3 (AX.25 >20 lelong = 4 (ProNET >20 lelong = 5 (CHAOS >20 lelong = 6 (Token Ring >20 lelong = 7 (ARCNET >20 lelong = 8 (SLIP >20 lelong = 9 (PPP >20 lelong = 10 (FDDI >20 lelong = 11 (RFC 1483 ATM >20 lelong = 12 (raw IP >20 lelong = 13 (BSD/OS SLIP >20 lelong = 14 (BSD/OS PPP >16 lelong x - \b, capture length %d) # # AIX "iptrace" capture files. # 0 string = iptrace\ 1.0 "iptrace" capture file 0 string = iptrace\ 2.0 "iptrace" capture file # # Novell LANalyzer capture files. # 0 leshort = 0x1001 LANalyzer capture file 0 leshort = 0x1007 LANalyzer capture file # # HP-UX "nettl" capture files. # 0 string = \x54\x52\x00\x64\x00 "nettl" capture file # # RADCOM WAN/LAN Analyzer capture files. # 0 string = \x42\xd2\x00\x34\x12\x66\x22\x88 RADCOM WAN/LAN Analyzer capture file # # NetStumbler log files. Not really packets, per se, but about as # close as you can get. These are log files from NetStumbler, a # Windows program, that scans for 802.11b networks. # 0 string = NetS NetStumbler log file >8 lelong x - \b, %d stations found # # EtherPeek/AiroPeek "version 9" capture files. # 0 string = \177ver EtherPeek/AiroPeek capture file # # Visual Networks traffic capture files. # 0 string = \x05VNF Visual Networks traffic capture file # # Network Instruments Observer capture files. # 0 string = ObserverPktBuffe Network Instruments Observer capture file # # Files from Accellent Group's 5View products. # 0 string = \xaa\xaa\xaa\xaa 5View capture file #------------------------------------------------------------------------------ # Dyadic: file(1) magic for Dyalog APL. # 0 byte = 0xaa >1 byte < 4 Dyalog APL >>1 byte = 0x00 incomplete workspace >>1 byte = 0x01 component file >>1 byte = 0x02 external variable >>1 byte = 0x03 workspace >>2 byte x - version %d >>3 byte x - .%d #------------------------------------------------------------------------------ # scientific: file(1) magic for scientific formats # # From: Joe Krahn ######################################################## # CCP4 data and plot files: 0 string = MTZ\040 MTZ reflection file 92 string = PLOT%%84 Plot84 plotting file >52 byte = 1 , Little-endian >55 byte = 1 , Big-endian ######################################################## # Electron density MAP/MASK formats 0 string = EZD_MAP NEWEZD Electron Density Map 109 string = MAP\040( Old EZD Electron Density Map #FIXME FTimes -- Replaced string test with an equivalent regexp test. #0 string/c = :-)\040Origin BRIX Electron Density Map 0 regexp =~ (?i):-\)\x20Origin BRIX Electron Density Map >170 string > 0 , Sigma:%.12s #>4 string >0 %.178s #>4 addr x %.178s 7 string = 18\040!NTITLE XPLOR ASCII Electron Density Map 9 string = \040!NTITLE\012\040REMARK CNS ASCII electron density map 208 string = MAP\040 CCP4 Electron Density Map # Assumes same stamp for float and double (normal case) >212 byte = 17 \b, Big-endian >212 byte = 34 \b, VAX format >212 byte = 68 \b, Little-endian >212 byte = 85 \b, Convex native ############################################################ # X-Ray Area Detector images 0 string = R-AXIS4\ \ \ R-Axis Area Detector Image: >796 lelong < 20 Little-endian, IP #%d, >>768 lelong > 0 Size=%dx >>772 lelong > 0 \b%d >796 belong < 20 Big-endian, IP #%d, >>768 belong > 0 Size=%dx >>772 belong > 0 \b%d 0 string = RAXIS\ \ \ \ \ R-Axis Area Detector Image, Win32: >796 lelong < 20 Little-endian, IP #%d, >>768 lelong > 0 Size=%dx >>772 lelong > 0 \b%d >796 belong < 20 Big-endian, IP #%d, >>768 belong > 0 Size=%dx >>772 belong > 0 \b%d 1028 string = MMX\000\000\000\000\000\000\000\000\000\000\000\000\000 MAR Area Detector Image, >1072 long > 1 Compressed(%d), >1100 long > 1 %d headers, >1104 long > 0 %d x >1108 long > 0 %d, >1120 long > 0 %d bits/pixel #------------------------------------------------------------------------------ # softquad: file(1) magic for SoftQuad Publishing Software # # Author/Editor and RulesBuilder # # XXX - byte order? # 0 string = \ Compiled SGML rules file >9 string > \0 Type %s 0 string = \ A/E SGML Document binary >9 string > \0 Type %s 0 string = \ A/E SGML binary styles file >9 string > \0 Type %s 0 short = 0xc0de Compiled PSI (v1) data 0 short = 0xc0da Compiled PSI (v2) data >3 string > \0 (%s) # Binary sqtroff font/desc files... 0 short = 0125252 SoftQuad DESC or font file binary >2 short > 0 - version %d # Bitmaps... 0 string = SQ\ BITMAP1 SoftQuad Raster Format text #0 string SQ\ BITMAP2 SoftQuad Raster Format data # sqtroff intermediate language (replacement for ditroff int. lang.) 0 string = X\ SoftQuad troff Context intermediate >2 string = 495 for AT&T 495 laser printer >2 string = hp for Hewlett-Packard LaserJet >2 string = impr for IMAGEN imPRESS >2 string = ps for PostScript #------------------------------------------------------------------------------ # spectrum: file(1) magic for Spectrum emulator files. # # John Elliott # # Spectrum +3DOS header # 0 string = PLUS3DOS\032 Spectrum +3 data >15 byte = 0 - BASIC program >15 byte = 1 - number array >15 byte = 2 - character array >15 byte = 3 - memory block >>16 belong = 0x001B0040 (screen) >15 byte = 4 - Tasword document >15 string = TAPEFILE - ZXT tapefile # # Tape file. This assumes the .TAP starts with a Spectrum-format header, # which nearly all will. # 0 string = \023\000\000 Spectrum .TAP data >4 string x - "%-10.10s" >3 byte = 0 - BASIC program >3 byte = 1 - number array >3 byte = 2 - character array >3 byte = 3 - memory block >>14 belong = 0x001B0040 (screen) # The following three blocks are from pak21-spectrum@srcf.ucam.org # TZX tape images 0 string = ZXTape!\x1a Spectrum .TZX data >8 byte x - version %d >9 byte x - .%d # RZX input recording files 0 string = RZX! Spectrum .RZX data >4 byte x - version %d >5 byte x - .%d # And three sorts of disk image 0 string = MV\ -\ CPCEMU\ Disk-Fil Amstrad/Spectrum .DSK data 0 string = MV\ -\ CPC\ format\ Dis Amstrad/Spectrum DU54 .DSK data 0 string = EXTENDED\ CPC\ DSK\ Fil Amstrad/Spectrum Extended .DSK data #------------------------------------------------------------------------------ # sql: file(1) magic for SQL files # # From: "Marty Leisner" # Recognize some MySQL files. # 0 beshort = 0xfe01 MySQL table definition file >2 byte x - Version %d 0 belong&0xffffff00 = 0xfefe0300 MySQL MISAM index file >3 byte x - Version %d 0 belong&0xffffff00 = 0xfefe0700 MySQL MISAM compressed data file >3 byte x - Version %d 0 belong&0xffffff00 = 0xfefe0500 MySQL ISAM index file >3 byte x - Version %d 0 belong&0xffffff00 = 0xfefe0600 MySQL ISAM compressed data file >3 byte x - Version %d 0 string = \376bin MySQL replication log #------------------------------------------------------------------------------ # iRiver H Series database file # From Ken Guest # As observed from iRivNavi.iDB and unencoded firmware # 0 string = iRivDB iRiver Database file >11 string > \0 Version %s >39 string = iHP-100 [H Series] #------------------------------------------------------------------------------ # SQLite database file # From Ken Guest # 0 string = SQLite SQLite database >14 string > \0 (Version %s) #------------------------------------------------------------------------------ # sun: file(1) magic for Sun machines # # Values for big-endian Sun (MC680x0, SPARC) binaries on pre-5.x # releases. (5.x uses ELF.) # 0 belong&077777777 = 0600413 sparc demand paged >0 byte & 0x80 >>20 belong < 4096 shared library >>20 belong = 4096 dynamically linked executable >>20 belong > 4096 dynamically linked executable >0 byte ^ 0x80 executable >16 belong > 0 not stripped 0 belong&077777777 = 0600410 sparc pure >0 byte & 0x80 dynamically linked executable >0 byte ^ 0x80 executable >16 belong > 0 not stripped 0 belong&077777777 = 0600407 sparc >0 byte & 0x80 dynamically linked executable >0 byte ^ 0x80 executable >16 belong > 0 not stripped 0 belong&077777777 = 0400413 mc68020 demand paged >0 byte & 0x80 >>20 belong < 4096 shared library >>20 belong = 4096 dynamically linked executable >>20 belong > 4096 dynamically linked executable >16 belong > 0 not stripped 0 belong&077777777 = 0400410 mc68020 pure >0 byte & 0x80 dynamically linked executable >0 byte ^ 0x80 executable >16 belong > 0 not stripped 0 belong&077777777 = 0400407 mc68020 >0 byte & 0x80 dynamically linked executable >0 byte ^ 0x80 executable >16 belong > 0 not stripped 0 belong&077777777 = 0200413 mc68010 demand paged >0 byte & 0x80 >>20 belong < 4096 shared library >>20 belong = 4096 dynamically linked executable >>20 belong > 4096 dynamically linked executable >16 belong > 0 not stripped 0 belong&077777777 = 0200410 mc68010 pure >0 byte & 0x80 dynamically linked executable >0 byte ^ 0x80 executable >16 belong > 0 not stripped 0 belong&077777777 = 0200407 mc68010 >0 byte & 0x80 dynamically linked executable >0 byte ^ 0x80 executable >16 belong > 0 not stripped # reworked these to avoid anything beginning with zero becoming "old sun-2" 0 belong = 0407 old sun-2 executable >16 belong > 0 not stripped 0 belong = 0410 old sun-2 pure executable >16 belong > 0 not stripped 0 belong = 0413 old sun-2 demand paged executable >16 belong > 0 not stripped # # Core files. "SPARC 4.x BCP" means "core file from a SunOS 4.x SPARC # binary executed in compatibility mode under SunOS 5.x". # 0 belong = 0x080456 SunOS core file >4 belong = 432 (SPARC) >>132 string > \0 from '%s' >>116 belong = 3 (quit) >>116 belong = 4 (illegal instruction) >>116 belong = 5 (trace trap) >>116 belong = 6 (abort) >>116 belong = 7 (emulator trap) >>116 belong = 8 (arithmetic exception) >>116 belong = 9 (kill) >>116 belong = 10 (bus error) >>116 belong = 11 (segmentation violation) >>116 belong = 12 (bad argument to system call) >>116 belong = 29 (resource lost) >>120 belong x - (T=%dK, >>124 belong x - D=%dK, >>128 belong x - S=%dK) >4 belong = 826 (68K) >>128 string > \0 from '%s' >4 belong = 456 (SPARC 4.x BCP) >>152 string > \0 from '%s' # Sun SunPC 0 long = 0xfa33c08e SunPC 4.0 Hard Disk 0 string = #SUNPC_CONFIG SunPC 4.0 Properties Values # Sun snoop (see RFC 1761, which describes the capture file format). # 0 string = snoop Snoop capture file >8 belong > 0 - version %ld >12 belong = 0 (IEEE 802.3) >12 belong = 1 (IEEE 802.4) >12 belong = 2 (IEEE 802.5) >12 belong = 3 (IEEE 802.6) >12 belong = 4 (Ethernet) >12 belong = 5 (HDLC) >12 belong = 6 (Character synchronous) >12 belong = 7 (IBM channel-to-channel adapter) >12 belong = 8 (FDDI) >12 belong = 9 (Unknown) # Microsoft ICM color profile 36 string = acspMSFT Microsoft ICM Color Profile # Sun KCMS 36 string = acsp Kodak Color Management System, ICC Profile #--------------------------------------------------------------------------- # The following entries have been tested by Duncan Laurie (a # lead Sun/Cobalt developer) who agrees that they are good and worthy of # inclusion. # Boot ROM images for Sun/Cobalt Linux server appliances 0 string = Cobalt\ Networks\ Inc.\nFirmware\ v Paged COBALT boot rom >38 string x - V%.4s # New format for Sun/Cobalt boot ROMs is annoying, it stores the version code # at the very end where file(1) can't get it. 0 string = CRfs COBALT boot rom data (Flat boot rom or file system) #------------------------------------------------------------------------ # sysex: file(1) magic for MIDI sysex files # # 0 byte = 0xF0 SysEx File - # North American Group >1 byte = 0x01 Sequential >1 byte = 0x02 IDP >1 byte = 0x03 OctavePlateau >1 byte = 0x04 Moog >1 byte = 0x05 Passport >1 byte = 0x06 Lexicon >1 byte = 0x07 Kurzweil >1 byte = 0x08 Fender >1 byte = 0x09 Gulbransen >1 byte = 0x0a AKG >1 byte = 0x0b Voyce >1 byte = 0x0c Waveframe >1 byte = 0x0d ADA >1 byte = 0x0e Garfield >1 byte = 0x0f Ensoniq >1 byte = 0x10 Oberheim >1 byte = 0x11 Apple >1 byte = 0x12 GreyMatter >1 byte = 0x14 PalmTree >1 byte = 0x15 JLCooper >1 byte = 0x16 Lowrey >1 byte = 0x17 AdamsSmith >1 byte = 0x18 E-mu >1 byte = 0x19 Harmony >1 byte = 0x1a ART >1 byte = 0x1b Baldwin >1 byte = 0x1c Eventide >1 byte = 0x1d Inventronics >1 byte = 0x1f Clarity # European Group >1 byte = 0x21 SIEL >1 byte = 0x22 Synthaxe >1 byte = 0x24 Hohner >1 byte = 0x25 Twister >1 byte = 0x26 Solton >1 byte = 0x27 Jellinghaus >1 byte = 0x28 Southworth >1 byte = 0x29 PPG >1 byte = 0x2a JEN >1 byte = 0x2b SSL >1 byte = 0x2c AudioVertrieb >1 byte = 0x2f ELKA >>3 byte = 0x09 EK-44 >1 byte = 0x30 Dynacord >1 byte = 0x33 Clavia >1 byte = 0x39 Soundcraft >1 byte = 0x3e Waldorf >>3 byte = 0x7f Microwave I # Japanese Group >1 byte = 0x40 Kawai >>3 byte = 0x20 K1 >>3 byte = 0x22 K4 >1 byte = 0x41 Roland >>3 byte = 0x14 D-50 >>3 byte = 0x2b U-220 >>3 byte = 0x02 TR-707 >1 byte = 0x42 Korg >>3 byte = 0x19 M1 >1 byte = 0x43 Yamaha >1 byte = 0x44 Casio >1 byte = 0x46 Kamiya >1 byte = 0x47 Akai >1 byte = 0x48 Victor >1 byte = 0x49 Mesosha >1 byte = 0x4b Fujitsu >1 byte = 0x4c Sony >1 byte = 0x4e Teac >1 byte = 0x50 Matsushita >1 byte = 0x51 Fostex >1 byte = 0x52 Zoom >1 byte = 0x54 Matsushita >1 byte = 0x57 Acoustic tech. lab. >1 belong&0xffffff00 = 0x00007400 Ta Horng >1 belong&0xffffff00 = 0x00007500 e-Tek >1 belong&0xffffff00 = 0x00007600 E-Voice >1 belong&0xffffff00 = 0x00007700 Midisoft >1 belong&0xffffff00 = 0x00007800 Q-Sound >1 belong&0xffffff00 = 0x00007900 Westrex >1 belong&0xffffff00 = 0x00007a00 Nvidia* >1 belong&0xffffff00 = 0x00007b00 ESS >1 belong&0xffffff00 = 0x00007c00 Mediatrix >1 belong&0xffffff00 = 0x00007d00 Brooktree >1 belong&0xffffff00 = 0x00007e00 Otari >1 belong&0xffffff00 = 0x00007f00 Key Electronics >1 belong&0xffffff00 = 0x00010000 Shure >1 belong&0xffffff00 = 0x00010100 AuraSound >1 belong&0xffffff00 = 0x00010200 Crystal >1 belong&0xffffff00 = 0x00010300 Rockwell >1 belong&0xffffff00 = 0x00010400 Silicon Graphics >1 belong&0xffffff00 = 0x00010500 Midiman >1 belong&0xffffff00 = 0x00010600 PreSonus >1 belong&0xffffff00 = 0x00010800 Topaz >1 belong&0xffffff00 = 0x00010900 Cast Lightning >1 belong&0xffffff00 = 0x00010a00 Microsoft >1 belong&0xffffff00 = 0x00010b00 Sonic Foundry >1 belong&0xffffff00 = 0x00010c00 Line 6 >1 belong&0xffffff00 = 0x00010d00 Beatnik Inc. >1 belong&0xffffff00 = 0x00010e00 Van Koerving >1 belong&0xffffff00 = 0x00010f00 Altech Systems >1 belong&0xffffff00 = 0x00011000 S & S Research >1 belong&0xffffff00 = 0x00011100 VLSI Technology >1 belong&0xffffff00 = 0x00011200 Chromatic >1 belong&0xffffff00 = 0x00011300 Sapphire >1 belong&0xffffff00 = 0x00011400 IDRC >1 belong&0xffffff00 = 0x00011500 Justonic Tuning >1 belong&0xffffff00 = 0x00011600 TorComp >1 belong&0xffffff00 = 0x00011700 Newtek Inc. >1 belong&0xffffff00 = 0x00011800 Sound Sculpture >1 belong&0xffffff00 = 0x00011900 Walker Technical >1 belong&0xffffff00 = 0x00011a00 Digital Harmony >1 belong&0xffffff00 = 0x00011b00 InVision >1 belong&0xffffff00 = 0x00011c00 T-Square >1 belong&0xffffff00 = 0x00011d00 Nemesys >1 belong&0xffffff00 = 0x00011e00 DBX >1 belong&0xffffff00 = 0x00011f00 Syndyne >1 belong&0xffffff00 = 0x00012000 Bitheadz >1 belong&0xffffff00 = 0x00012100 Cakewalk >1 belong&0xffffff00 = 0x00012200 Staccato >1 belong&0xffffff00 = 0x00012300 National Semicon. >1 belong&0xffffff00 = 0x00012400 Boom Theory >1 belong&0xffffff00 = 0x00012500 Virtual DSP Corp >1 belong&0xffffff00 = 0x00012600 Antares >1 belong&0xffffff00 = 0x00012700 Angel Software >1 belong&0xffffff00 = 0x00012800 St Louis Music >1 belong&0xffffff00 = 0x00012900 Lyrrus dba G-VOX >1 belong&0xffffff00 = 0x00012a00 Ashley Audio >1 belong&0xffffff00 = 0x00012b00 Vari-Lite >1 belong&0xffffff00 = 0x00012c00 Summit Audio >1 belong&0xffffff00 = 0x00012d00 Aureal Semicon. >1 belong&0xffffff00 = 0x00012e00 SeaSound >1 belong&0xffffff00 = 0x00012f00 U.S. Robotics >1 belong&0xffffff00 = 0x00013000 Aurisis >1 belong&0xffffff00 = 0x00013100 Nearfield Multimedia >1 belong&0xffffff00 = 0x00013200 FM7 Inc. >1 belong&0xffffff00 = 0x00013300 Swivel Systems >1 belong&0xffffff00 = 0x00013400 Hyperactive >1 belong&0xffffff00 = 0x00013500 MidiLite >1 belong&0xffffff00 = 0x00013600 Radical >1 belong&0xffffff00 = 0x00013700 Roger Linn >1 belong&0xffffff00 = 0x00013800 Helicon >1 belong&0xffffff00 = 0x00013900 Event >1 belong&0xffffff00 = 0x00013a00 Sonic Network >1 belong&0xffffff00 = 0x00013b00 Realtime Music >1 belong&0xffffff00 = 0x00013c00 Apogee Digital >1 belong&0xffffff00 = 0x00202b00 Medeli Electronics >1 belong&0xffffff00 = 0x00202c00 Charlie Lab >1 belong&0xffffff00 = 0x00202d00 Blue Chip Music >1 belong&0xffffff00 = 0x00202e00 BEE OH Corp >1 belong&0xffffff00 = 0x00202f00 LG Semicon America >1 belong&0xffffff00 = 0x00203000 TESI >1 belong&0xffffff00 = 0x00203100 EMAGIC >1 belong&0xffffff00 = 0x00203200 Behringer >1 belong&0xffffff00 = 0x00203300 Access Music >1 belong&0xffffff00 = 0x00203400 Synoptic >1 belong&0xffffff00 = 0x00203500 Hanmesoft Corp >1 belong&0xffffff00 = 0x00203600 Terratec >1 belong&0xffffff00 = 0x00203700 Proel SpA >1 belong&0xffffff00 = 0x00203800 IBK MIDI >1 belong&0xffffff00 = 0x00203900 IRCAM >1 belong&0xffffff00 = 0x00203a00 Propellerhead Software >1 belong&0xffffff00 = 0x00203b00 Red Sound Systems >1 belong&0xffffff00 = 0x00203c00 Electron ESI AB >1 belong&0xffffff00 = 0x00203d00 Sintefex Audio >1 belong&0xffffff00 = 0x00203e00 Music and More >1 belong&0xffffff00 = 0x00203f00 Amsaro >1 belong&0xffffff00 = 0x00204000 CDS Advanced Technology >1 belong&0xffffff00 = 0x00204100 Touched by Sound >1 belong&0xffffff00 = 0x00204200 DSP Arts >1 belong&0xffffff00 = 0x00204300 Phil Rees Music >1 belong&0xffffff00 = 0x00204400 Stamer Musikanlagen GmbH >1 belong&0xffffff00 = 0x00204500 Soundart >1 belong&0xffffff00 = 0x00204600 C-Mexx Software >1 belong&0xffffff00 = 0x00204700 Klavis Tech. >1 belong&0xffffff00 = 0x00204800 Noteheads AB 0 string = T707 Roland TR-707 Data #------------------------------------------------------------------------------ # teapot: file(1) magic for "teapot" spreadsheet # 0 string = #!teapot\012xdr teapot work sheet (XDR format) #------------------------------------------------------------------------------ # terminfo: file(1) magic for terminfo # # XXX - byte order for screen images? # 0 string = \032\001 Compiled terminfo entry 0 short = 0433 Curses screen image 0 short = 0434 Curses screen image #------------------------------------------------------------------------------ # tex: file(1) magic for TeX files # # From # Although we may know the offset of certain text fields in TeX DVI # and font files, we can't use them reliably because they are not # zero terminated. [but we do anyway, christos] 0 string = \367\002 TeX DVI file >16 string > \0 (%s) 0 string = \367\203 TeX generic font data 0 string = \367\131 TeX packed font data >3 string > \0 (%s) 0 string = \367\312 TeX virtual font data 0 string = This\ is\ TeX, TeX transcript text 0 string = This\ is\ METAFONT, METAFONT transcript text # There is no way to detect TeX Font Metric (*.tfm) files without # breaking them apart and reading the data. The following patterns # match most *.tfm files generated by METAFONT or afm2tfm. 2 string = \000\021 TeX font metric data >33 string > \0 (%s) 2 string = \000\022 TeX font metric data >33 string > \0 (%s) # Texinfo and GNU Info, from Daniel Quinlan (quinlan@yggdrasil.com) 0 string = \\input\ texinfo Texinfo source text 0 string = This\ is\ Info\ file GNU Info text # TeX documents, from Daniel Quinlan (quinlan@yggdrasil.com) 0 string = \\input TeX document text 0 string = \\section LaTeX document text 0 string = \\setlength LaTeX document text 0 string = \\documentstyle LaTeX document text 0 string = \\chapter LaTeX document text 0 string = \\documentclass LaTeX 2e document text 0 string = \\relax LaTeX auxiliary file 0 string = \\contentsline LaTeX table of contents 0 string = %\ -*-latex-*- LaTeX document text # Tex document, from Hendrik Scholz 0 string = \\ifx TeX document text # Index and glossary files 0 string = \\indexentry LaTeX raw index file 0 string = \\begin{theindex} LaTeX sorted index 0 string = \\glossaryentry LaTeX raw glossary 0 string = \\begin{theglossary} LaTeX sorted glossary 0 string = This\ is\ makeindex Makeindex log file # End of TeX #------------------------------------------------------------------------------ # file(1) magic for BibTex text files # From Hendrik Scholz #FIXME FTimes -- Replaced string tests with an equivalent regexp test. #0 string/c = @article{ BibTeX text file #0 string/c = @book{ BibTeX text file #0 string/c = @inbook{ BibTeX text file #0 string/c = @incollection{ BibTeX text file #0 string/c = @inproceedings{ BibTeX text file #0 string/c = @manual{ BibTeX text file #0 string/c = @misc{ BibTeX text file #0 string/c = @preamble{ BibTeX text file #0 string/c = @phdthesis{ BibTeX text file #0 string/c = @techreport{ BibTeX text file #0 string/c = @unpublished{ BibTeX text file 0 regexp =~ (?i)@(?:article|book|inbook|incollection|inproceedings|manual|misc|preamble|phdthesis|techreport|unpublished)[{] BibTeX text file 73 string = %%%\ \ BibTeX-file{ BibTex text file (with full header) 73 string = %%%\ \ @BibTeX-style-file{ BibTeX style text file (with full header) 0 string = %\ BibTeX\ standard\ bibliography\ BibTeX standard bibliography style text file 0 string = %\ BibTeX\ ` BibTeX custom bibliography style text file 0 string = @c\ @mapfile{ TeX font aliases text file #------------------------------------------------------------------------------ # file(1) magic for tgif(1) files # From Hendrik Scholz 0 string = %TGIF\ 4 tgif version 4 object file # ------------------------------------------------------------------------ # ti-8x: file(1) magic for the TI-8x and TI-9x Graphing Calculators. # # From: Ryan McGuire (rmcguire@freenet.columbus.oh.us). # # Update: Romain Lievin (roms@lpg.ticalc.org). # # NOTE: This list is not complete. # Files for the TI-80 and TI-81 are pretty rare. I'm not going to put the # program/group magic numbers in here because I cannot find any. 0 string = **TI80** TI-80 Graphing Calculator File. 0 string = **TI81** TI-81 Graphing Calculator File. # # Magic Numbers for the TI-73 # 0 string = **TI73** TI-73 Graphing Calculator >0x00003B byte = 0x00 (real number) >0x00003B byte = 0x01 (list) >0x00003B byte = 0x02 (matrix) >0x00003B byte = 0x03 (equation) >0x00003B byte = 0x04 (string) >0x00003B byte = 0x05 (program) >0x00003B byte = 0x06 (assembly program) >0x00003B byte = 0x07 (picture) >0x00003B byte = 0x08 (gdb) >0x00003B byte = 0x0C (complex number) >0x00003B byte = 0x0F (window settings) >0x00003B byte = 0x10 (zoom) >0x00003B byte = 0x11 (table setup) >0x00003B byte = 0x13 (backup) # Magic Numbers for the TI-82 # 0 string = **TI82** TI-82 Graphing Calculator >0x00003B byte = 0x00 (real) >0x00003B byte = 0x01 (list) >0x00003B byte = 0x02 (matrix) >0x00003B byte = 0x03 (Y-variable) >0x00003B byte = 0x05 (program) >0x00003B byte = 0x06 (protected prgm) >0x00003B byte = 0x07 (picture) >0x00003B byte = 0x08 (gdb) >0x00003B byte = 0x0B (window settings) >0x00003B byte = 0x0C (window settings) >0x00003B byte = 0x0D (table setup) >0x00003B byte = 0x0E (screenshot) >0x00003B byte = 0x0F (backup) # # Magic Numbers for the TI-83 # 0 string = **TI83** TI-83 Graphing Calculator >0x00003B byte = 0x00 (real) >0x00003B byte = 0x01 (list) >0x00003B byte = 0x02 (matrix) >0x00003B byte = 0x03 (Y-variable) >0x00003B byte = 0x04 (string) >0x00003B byte = 0x05 (program) >0x00003B byte = 0x06 (protected prgm) >0x00003B byte = 0x07 (picture) >0x00003B byte = 0x08 (gdb) >0x00003B byte = 0x0B (window settings) >0x00003B byte = 0x0C (window settings) >0x00003B byte = 0x0D (table setup) >0x00003B byte = 0x0E (screenshot) >0x00003B byte = 0x13 (backup) # # Magic Numbers for the TI-83+ # 0 string = **TI83F* TI-83+ Graphing Calculator >0x00003B byte = 0x00 (real number) >0x00003B byte = 0x01 (list) >0x00003B byte = 0x02 (matrix) >0x00003B byte = 0x03 (equation) >0x00003B byte = 0x04 (string) >0x00003B byte = 0x05 (program) >0x00003B byte = 0x06 (assembly program) >0x00003B byte = 0x07 (picture) >0x00003B byte = 0x08 (gdb) >0x00003B byte = 0x0C (complex number) >0x00003B byte = 0x0F (window settings) >0x00003B byte = 0x10 (zoom) >0x00003B byte = 0x11 (table setup) >0x00003B byte = 0x13 (backup) >0x00003B byte = 0x15 (application variable) >0x00003B byte = 0x17 (group of variable) # # Magic Numbers for the TI-85 # 0 string = **TI85** TI-85 Graphing Calculator >0x00003B byte = 0x00 (real number) >0x00003B byte = 0x01 (complex number) >0x00003B byte = 0x02 (real vector) >0x00003B byte = 0x03 (complex vector) >0x00003B byte = 0x04 (real list) >0x00003B byte = 0x05 (complex list) >0x00003B byte = 0x06 (real matrix) >0x00003B byte = 0x07 (complex matrix) >0x00003B byte = 0x08 (real constant) >0x00003B byte = 0x09 (complex constant) >0x00003B byte = 0x0A (equation) >0x00003B byte = 0x0C (string) >0x00003B byte = 0x0D (function GDB) >0x00003B byte = 0x0E (polar GDB) >0x00003B byte = 0x0F (parametric GDB) >0x00003B byte = 0x10 (diffeq GDB) >0x00003B byte = 0x11 (picture) >0x00003B byte = 0x12 (program) >0x00003B byte = 0x13 (range) >0x00003B byte = 0x17 (window settings) >0x00003B byte = 0x18 (window settings) >0x00003B byte = 0x19 (window settings) >0x00003B byte = 0x1A (window settings) >0x00003B byte = 0x1B (zoom) >0x00003B byte = 0x1D (backup) >0x00003B byte = 0x1E (unknown) >0x00003B byte = 0x2A (equation) >0x000032 string = ZS4 - ZShell Version 4 File. >0x000032 string = ZS3 - ZShell Version 3 File. # # Magic Numbers for the TI-86 # 0 string = **TI86** TI-86 Graphing Calculator >0x00003B byte = 0x00 (real number) >0x00003B byte = 0x01 (complex number) >0x00003B byte = 0x02 (real vector) >0x00003B byte = 0x03 (complex vector) >0x00003B byte = 0x04 (real list) >0x00003B byte = 0x05 (complex list) >0x00003B byte = 0x06 (real matrix) >0x00003B byte = 0x07 (complex matrix) >0x00003B byte = 0x08 (real constant) >0x00003B byte = 0x09 (complex constant) >0x00003B byte = 0x0A (equation) >0x00003B byte = 0x0C (string) >0x00003B byte = 0x0D (function GDB) >0x00003B byte = 0x0E (polar GDB) >0x00003B byte = 0x0F (parametric GDB) >0x00003B byte = 0x10 (diffeq GDB) >0x00003B byte = 0x11 (picture) >0x00003B byte = 0x12 (program) >0x00003B byte = 0x13 (range) >0x00003B byte = 0x17 (window settings) >0x00003B byte = 0x18 (window settings) >0x00003B byte = 0x19 (window settings) >0x00003B byte = 0x1A (window settings) >0x00003B byte = 0x1B (zoom) >0x00003B byte = 0x1D (backup) >0x00003B byte = 0x1E (unknown) >0x00003B byte = 0x2A (equation) # # Magic Numbers for the TI-89 # 0 string = **TI89** TI-89 Graphing Calculator >0x000048 byte = 0x00 (expression) >0x000048 byte = 0x04 (list) >0x000048 byte = 0x06 (matrix) >0x000048 byte = 0x0A (data) >0x000048 byte = 0x0B (text) >0x000048 byte = 0x0C (string) >0x000048 byte = 0x0D (graphic data base) >0x000048 byte = 0x0E (figure) >0x000048 byte = 0x10 (picture) >0x000048 byte = 0x12 (program) >0x000048 byte = 0x13 (function) >0x000048 byte = 0x14 (macro) >0x000048 byte = 0x1C (zipped) >0x000048 byte = 0x21 (assembler) # # Magic Numbers for the TI-92 # 0 string = **TI92** TI-92 Graphing Calculator >0x000048 byte = 0x00 (expression) >0x000048 byte = 0x04 (list) >0x000048 byte = 0x06 (matrix) >0x000048 byte = 0x0A (data) >0x000048 byte = 0x0B (text) >0x000048 byte = 0x0C (string) >0x000048 byte = 0x0D (graphic data base) >0x000048 byte = 0x0E (figure) >0x000048 byte = 0x10 (picture) >0x000048 byte = 0x12 (program) >0x000048 byte = 0x13 (function) >0x000048 byte = 0x14 (macro) >0x000048 byte = 0x1D (backup) # # Magic Numbers for the TI-92+/V200 # 0 string = **TI92P* TI-92+/V200 Graphing Calculator >0x000048 byte = 0x00 (expression) >0x000048 byte = 0x04 (list) >0x000048 byte = 0x06 (matrix) >0x000048 byte = 0x0A (data) >0x000048 byte = 0x0B (text) >0x000048 byte = 0x0C (string) >0x000048 byte = 0x0D (graphic data base) >0x000048 byte = 0x0E (figure) >0x000048 byte = 0x10 (picture) >0x000048 byte = 0x12 (program) >0x000048 byte = 0x13 (function) >0x000048 byte = 0x14 (macro) >0x000048 byte = 0x1C (zipped) >0x000048 byte = 0x21 (assembler) # # Magic Numbers for the TI-73/83+/89/92+/V200 FLASH upgrades # 0x0000016 string = Advanced TI-XX Graphing Calculator (FLASH) 0 string = **TIFL** TI-XX Graphing Calculator (FLASH) >8 byte > 0 - Revision %d >>9 byte x - \b.%d, >12 byte > 0 Revision date %02x >>13 byte x - \b/%02x >>14 beshort x - \b/%04x, >17 string > /0 name: '%s', >48 byte = 0x74 device: TI-73, >48 byte = 0x73 device: TI-83+, >48 byte = 0x98 device: TI-89, >48 byte = 0x88 device: TI-92+, >49 byte = 0x23 type: OS upgrade, >49 byte = 0x24 type: application, >49 byte = 0x25 type: certificate, >49 byte = 0x3e type: license, >74 lelong > 0 size: %ld bytes # VTi & TiEmu skins (TI Graphing Calculators). # From: Romain Lievin (roms@lpg.ticalc.org). # Magic Numbers for the VTi skins 0 string = VTI Virtual TI skin >3 string = v - Version >>4 byte > 0 \b %c >>6 byte x - \b.%c # Magic Numbers for the TiEmu skins 0 string = TiEmu TiEmu skin >6 string = v - Version >>7 byte > 0 \b %c >>9 byte x - \b.%c >>10 byte x - \b%c #------------------------------------------------------------------------------ # timezone: file(1) magic for timezone data # # from Daniel Quinlan (quinlan@yggdrasil.com) # this should work on Linux, SunOS, and maybe others # Added new official magic number for recent versions of the Olson code 0 string = TZif timezone data 0 string = \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0 old timezone data 0 string = \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\2\0 old timezone data 0 string = \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0 old timezone data 0 string = \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0 old timezone data 0 string = \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0 old timezone data 0 string = \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0 old timezone data #------------------------------------------------------------------------------ # troff: file(1) magic for *roff # # updated by Daniel Quinlan (quinlan@yggdrasil.com) # troff input 0 string = .\\" troff or preprocessor input text 0 string = '\\" troff or preprocessor input text 0 string = '.\\" troff or preprocessor input text 0 string = \\" troff or preprocessor input text 0 string = ''' troff or preprocessor input text # ditroff intermediate output text 0 string = x\ T ditroff output text >4 string = cat for the C/A/T phototypesetter >4 string = ps for PostScript >4 string = dvi for DVI >4 string = ascii for ASCII >4 string = lj4 for LaserJet 4 >4 string = latin1 for ISO 8859-1 (Latin 1) >4 string = X75 for xditview at 75dpi >>7 string = -12 (12pt) >4 string = X100 for xditview at 100dpi >>8 string = -12 (12pt) # output data formats 0 string = \100\357 very old (C/A/T) troff output data # #------------------------------------------------------------------------------ # tuxedo: file(1) magic for BEA TUXEDO data files # # from Ian Springer # 0 string = \0\0\1\236\0\0\0\0\0\0\0\0\0\0\0\0 BEA TUXEDO DES mask data #------------------------------------------------------------------------------ # typeset: file(1) magic for other typesetting # 0 string = Interpress/Xerox Xerox InterPress data >16 string = / (version >>17 string > \0 %s) #------------------------------------------------------------------------------ # unknown: file(1) magic for unknown machines # # XXX - this probably should be pruned, as it'll match PDP-11 and # VAX image formats. # # 0x107 is 0407; 0x108 is 0410; both are PDP-11 (executable and pure, # respectively). # # 0x109 is 0411; that's PDP-11 split I&D, but the PDP-11 version doesn't # have the "version %ld", which may be a bogus COFFism (I don't think # there ever was COFF for the PDP-11). # # 0x10B is 0413; that's VAX demand-paged, but this is a short, not a # long, as it would be on a VAX. # # 0x10C is 0414 and 0x10E is 416; those *are* unknown. # 0 short = 0x107 unknown machine executable >8 short > 0 not stripped >15 byte > 0 - version %ld 0 short = 0x108 unknown pure executable >8 short > 0 not stripped >15 byte > 0 - version %ld 0 short = 0x109 PDP-11 separate I&D >8 short > 0 not stripped >15 byte > 0 - version %ld 0 short = 0x10b unknown pure executable >8 short > 0 not stripped >15 byte > 0 - version %ld 0 long = 0x10c unknown demand paged pure executable >16 long > 0 not stripped 0 long = 0x10e unknown readable demand paged pure executable #------------------------------------------------------------------------------ # uuencode: file(1) magic for ASCII-encoded files # # GRR: the first line of xxencoded files is identical to that in uuencoded # files, but the first character in most subsequent lines is 'h' instead of # 'M'. (xxencoding uses lowercase letters in place of most of uuencode's # punctuation and survives BITNET gateways better.) If regular expressions # were supported, this entry could possibly be split into two with # "begin\040\.\*\012M" or "begin\040\.\*\012h" (where \. and \* are REs). 0 string = begin\040 uuencoded or xxencoded text # btoa(1) is an alternative to uuencode that requires less space. 0 string = xbtoa\ Begin btoa'd text # ship(1) is another, much cooler alternative to uuencode. # Greg Roelofs, newt@uchicago.edu 0 string = $\012ship ship'd binary text # bencode(8) is used to encode compressed news batches (Bnews/Cnews only?) # Greg Roelofs, newt@uchicago.edu 0 string = Decode\ the\ following\ with\ bdeco bencoded News text # BinHex is the Macintosh ASCII-encoded file format (see also "apple") # Daniel Quinlan, quinlan@yggdrasil.com 11 string = must\ be\ converted\ with\ BinHex BinHex binary text >41 string x - \b, version %.3s # GRR: is MIME BASE64 encoding handled somewhere? #------------------------------------------------------------------------------ # varied.out: file(1) magic for various USG systems # # Herewith many of the object file formats used by USG systems. # Most have been moved to files for a particular processor, # and deleted if they duplicate other entries. # 0 short = 0610 Perkin-Elmer executable # AMD 29K 0 beshort = 0572 amd 29k coff noprebar executable 0 beshort = 01572 amd 29k coff prebar executable 0 beshort = 0160007 amd 29k coff archive # Cray 6 beshort = 0407 unicos (cray) executable # Ultrix 4.3 596 string = \130\337\377\377 Ultrix core file >600 string > \0 from '%s' # BeOS and MAcOS PEF executables # From: hplus@zilker.net (Jon Watte) 0 string = Joy!peffpwpc header for PowerPC PEF executable # # ava assembler/linker Uros Platise 0 string = avaobj AVR assembler object code >7 string > \0 version '%s' # gnu gmon magic From: Eugen Dedu 0 string = gmon GNU prof performance data >4 long x - - version %ld # From: Dave Pearson # Harbour HRB files. 0 string = \xc0HRB Harbour HRB file >4 short x - version %d # From: Alex Beregszaszi # 0 string exec BugOS executable # 0 string pack BugOS archive #------------------------------------------------------------------------------ # varied.script: file(1) magic for various interpreter scripts 0 string = #!\ / a >3 string > \0 %s script text executable 0 string = #!\ / a >3 string > \0 %s script text executable 0 string = #!/ a >2 string > \0 %s script text executable 0 string = #!\ script text executable >3 string > \0 for %s #------------------------------------------------------------------------------ # vax: file(1) magic for VAX executable/object and APL workspace # 0 lelong = 0101557 VAX single precision APL workspace 0 lelong = 0101556 VAX double precision APL workspace # # VAX a.out (32V, BSD) # 0 lelong = 0407 VAX executable >16 lelong > 0 not stripped 0 lelong = 0410 VAX pure executable >16 lelong > 0 not stripped 0 lelong = 0413 VAX demand paged pure executable >16 lelong > 0 not stripped 0 lelong = 0420 VAX demand paged (first page unmapped) pure executable >16 lelong > 0 not stripped # # VAX COFF # # The `versions' should be un-commented if they work for you. # (Was the problem just one of endianness?) # 0 leshort = 0570 VAX COFF executable >12 lelong > 0 not stripped >22 leshort > 0 - version %ld 0 leshort = 0575 VAX COFF pure executable >12 lelong > 0 not stripped >22 leshort > 0 - version %ld #------------------------------------------------------------------------------ # vicar: file(1) magic for VICAR files. # # From: Ossama Othman 32 string = BYTE \b, 8 bits = VAX byte >32 string = HALF \b, 16 bits = VAX word = Fortran INTEGER*2 >32 string = FULL \b, 32 bits = VAX longword = Fortran INTEGER*4 >32 string = REAL \b, 32 bits = VAX longword = Fortran REAL*4 >32 string = DOUB \b, 64 bits = VAX quadword = Fortran REAL*8 >32 string = COMPLEX \b, 64 bits = VAX quadword = Fortran COMPLEX*8 # VICAR label file 43 string = SFDU_LABEL VICAR label file #------------------------------------------------------------------------------ # Virtutech Compressed Random Access File Format # # From 0 string = \211\277\036\203 Virtutech CRAFF >4 belong x - v%d >20 belong = 0 uncompressed >20 belong = 1 bzipp2ed >20 belong = 2 gzipped >24 belong = 0 not clean #------------------------------------------------------------------------------ # visx: file(1) magic for Visx format files # 0 short = 0x5555 VISX image file >2 byte = 0 (zero) >2 byte = 1 (unsigned char) >2 byte = 2 (short integer) >2 byte = 3 (float 32) >2 byte = 4 (float 64) >2 byte = 5 (signed char) >2 byte = 6 (bit-plane) >2 byte = 7 (classes) >2 byte = 8 (statistics) >2 byte = 10 (ascii text) >2 byte = 15 (image segments) >2 byte = 100 (image set) >2 byte = 101 (unsigned char vector) >2 byte = 102 (short integer vector) >2 byte = 103 (float 32 vector) >2 byte = 104 (float 64 vector) >2 byte = 105 (signed char vector) >2 byte = 106 (bit plane vector) >2 byte = 121 (feature vector) >2 byte = 122 (feature vector library) >2 byte = 124 (chain code) >2 byte = 126 (bit vector) >2 byte = 130 (graph) >2 byte = 131 (adjacency graph) >2 byte = 132 (adjacency graph library) >2 string = .VISIX (ascii text) #------------------------------------------------------------------------------ # vms: file(1) magic for VMS executables (experimental) # # VMS .exe formats, both VAX and AXP (Greg Roelofs, newt@uchicago.edu) # GRR 950122: I'm just guessing on these, based on inspection of the headers # of three executables each for Alpha and VAX architectures. The VAX files # all had headers similar to this: # # 00000 b0 00 30 00 44 00 60 00 00 00 00 00 30 32 30 35 ..0.D.`.....0205 # 00010 01 01 00 00 ff ff ff ff ff ff ff ff 00 00 00 00 ................ # 0 string = \xb0\0\x30\0 VMS VAX executable >44032 string = PK\003\004 \b, Info-ZIP SFX archive v5.12 w/decryption # # The AXP files all looked like this, except that the byte at offset 0x22 # was 06 in some of them and 07 in others: # # 00000 03 00 00 00 00 00 00 00 ec 02 00 00 10 01 00 00 ................ # 00010 68 00 00 00 98 00 00 00 b8 00 00 00 00 00 00 00 h............... # 00020 00 00 07 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ # 00030 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ # 00040 00 00 00 00 ff ff ff ff ff ff ff ff 02 00 00 00 ................ # 0 belong = 0x03000000 VMS Alpha executable >75264 string = PK\003\004 \b, Info-ZIP SFX archive v5.12 w/decryption # ----------------------------------------------------------- # VMware specific files (deducted from version 1.1 and log file entries) # Anthon van der Neut (anthon@mnt.org) 0 belong = 0x4d52564e VMware nvram 0 belong = 0x434f5744 VMware >4 byte = 3 virtual disk >>32 lelong x - (%d/ >>36 lelong x - \b%d/ >>40 lelong x - \b%d) >4 byte = 2 undoable disk >>32 string > \0 (%s) #------------------------------------------------------------------------------ # vorbis: file(1) magic for Ogg/Vorbis files # # From Felix von Leitner # Extended by Beni Cherniavsky # Further extended by Greg Wooledge # # Most (everything but the number of channels and bitrate) is commented # out with `##' as it's not interesting to the average user. The most # probable things advanced users would want to uncomment are probably # the number of comments and the encoder version. # # --- Ogg Framing --- 0 string = OggS Ogg data >4 byte != 0 UNKNOWN REVISION %u ##>4 byte 0 revision 0 >4 byte = 0 ##>>14 lelong x (Serial %lX) # non-Vorbis content: FLAC (Free Lossless Audio Codec, http://flac.sourceforge.net) >>28 string = fLaC \b, FLAC audio # non-Vorbis content: Theora >>28 string = \x80theora \b, Theora video # non-Vorbis content: Speex >>28 string = Speex\ \ \ \b, Speex audio # non-Vorbis content: OGM >>28 string = \x01video\0\0\0 \b, OGM video #FIXME FTimes -- Replaced string tests with an equivalent regexp test. #>>>37 string/c = div3 (DivX 3) #>>>37 string/c = divx (DivX 4) #>>>37 string/c = dx50 (DivX 5) #>>>37 string/c = xvid (XviD) >>>37 regexp =~ (?i)div3 (DivX 3) >>>37 regexp =~ (?i)divx (DivX 4) >>>37 regexp =~ (?i)dx50 (DivX 5) >>>37 regexp =~ (?i)xvid (XviD) # --- First vorbis packet - general header --- >>28 string = \x01vorbis \b, Vorbis audio, >>>35 lelong != 0 UNKNOWN VERSION %lu, ##>>>35 lelong 0 version 0, >>>35 lelong = 0 >>>>39 byte = 1 mono, >>>>39 byte = 2 stereo, >>>>39 byte > 2 %u channels, >>>>40 lelong x - %lu Hz # Minimal, nominal and maximal bitrates specified when encoding >>>>48 string < \xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff \b, # The above tests if at least one of these is specified: >>>>>52 lelong != -1 # Vorbis RC2 has a bug which puts -1000 in the min/max bitrate fields # instead of -1. # Vorbis 1.0 uses 0 instead of -1. >>>>>>52 lelong != 0 >>>>>>>52 lelong != -1000 >>>>>>>>52 lelong x - <%lu >>>>>48 lelong != -1 >>>>>>48 lelong x - ~%lu >>>>>44 lelong != -1 >>>>>>44 lelong != -1000 >>>>>>>44 lelong != 0 >>>>>>>>44 lelong x - >%lu >>>>>48 string < \xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff bps # -- Second vorbis header packet - the comments # A kludge to read the vendor string. It's a counted string, not a # zero-terminated one, so file(1) can't read it in a generic way. # libVorbis is the only one existing currently, so I detect specifically # it. The interesting value is the cvs date (8 digits decimal). # Post-RC1 Ogg files have the second header packet (and thus the version) # in a different place, so we must use an indirect offset. >>>(84.b+85) string = \x03vorbis #FIXME FTimes -- Replaced string test with an equivalent regexp test. #>>>>(84.b+96) string/c = Xiphophorus\ libVorbis\ I \b, created by: Xiphophorus libVorbis I >>>>(84.b+96) regexp =~ (?i)Xiphophorus\x20libVorbis\x20I \b, created by: Xiphophorus libVorbis I >>>>>(84.b+120) string > 00000000 # Map to beta version numbers: >>>>>>(84.b+120) string < 20000508 (>>>>>(84.b+120) string = 20000508 (1.0 beta 1 or beta 2) >>>>>>(84.b+120) string > 20000508 >>>>>>>(84.b+120) string < 20001031 (beta2-3) >>>>>>(84.b+120) string = 20001031 (1.0 beta 3) >>>>>>(84.b+120) string > 20001031 >>>>>>>(84.b+120) string < 20010225 (beta3-4) >>>>>>(84.b+120) string = 20010225 (1.0 beta 4) >>>>>>(84.b+120) string > 20010225 >>>>>>>(84.b+120) string < 20010615 (beta4-RC1) >>>>>>(84.b+120) string = 20010615 (1.0 RC1) >>>>>>(84.b+120) string = 20010813 (1.0 RC2) >>>>>>(84.b+120) string = 20010816 (RC2 - Garf tuned v1) >>>>>>(84.b+120) string = 20011014 (RC2 - Garf tuned v2) >>>>>>(84.b+120) string = 20011217 (1.0 RC3) >>>>>>(84.b+120) string = 20011231 (1.0 RC3) # Some pre-1.0 CVS snapshots still had "Xiphphorus"... >>>>>>(84.b+120) string > 20011231 (pre-1.0 CVS) # For the 1.0 release, Xiphophorus is replaced by Xiph.Org #FIXME FTimes -- Replaced string test with an equivalent regexp test. #>>>>(84.b+96) string/c = Xiph.Org\ libVorbis\ I \b, created by: Xiph.Org libVorbis I >>>>(84.b+96) regexp =~ Xiph.Org\x20libVorbis\x20I \b, created by: Xiph.Org libVorbis I >>>>>(84.b+117) string > 00000000 >>>>>>(84.b+117) string < 20020717 (pre-1.0 CVS) >>>>>>(84.b+117) string = 20020717 (1.0) >>>>>>(84.b+117) string = 20030909 (1.0.1) >>>>>>(84.b+117) string = 20040629 (1.1.0 RC1) #------------------------------------------------------------------------------ # VXL: file(1) magic for VXL binary IO data files # # from Ian Scott # # VXL is a collection of C++ libraries for Computer Vision. # See the vsl chapter in the VXL Book for more info # http://www.isbe.man.ac.uk/public_vxl_doc/books/vxl/book.html # http:/vxl.sf.net 2 lelong = 0x472b2c4e VXL data file, >0 leshort > 0 schema version no %d #------------------------------------------------------------------------------ # wordprocessors: file(1) magic fo word processors. # ####### PWP file format used on Smith Corona Personal Word Processors: 2 string = \040\040\040\040\040\040\040\040\040\040\040ML4D\040\'92 Smith Corona PWP >24 byte = 2 \b, single spaced >24 byte = 3 \b, 1.5 spaced >24 byte = 4 \b, double spaced >25 byte = 0x42 \b, letter >25 byte = 0x54 \b, legal >26 byte = 0x46 \b, A4 #WordPerfect type files Version 1.6 - PLEASE DO NOT REMOVE THIS LINE 0 string = \377WPC\020\000\000\000\022\012\001\001\000\000\000\000 (WP) loadable text >15 byte = 0 Optimized for Intel >15 byte = 1 Optimized for Non-Intel 1 string = WPC (Corel/WP) >8 short = 257 WordPerfect macro >8 short = 258 WordPerfect help file >8 short = 259 WordPerfect keyboard file >8 short = 266 WordPerfect document >8 short = 267 WordPerfect dictionary >8 short = 268 WordPerfect thesaurus >8 short = 269 WordPerfect block >8 short = 270 WordPerfect rectangular block >8 short = 271 WordPerfect column block >8 short = 272 WordPerfect printer data >8 short = 275 WordPerfect printer data >8 short = 276 WordPerfect driver resource data >8 short = 279 WordPerfect hyphenation code >8 short = 280 WordPerfect hyphenation data >8 short = 281 WordPerfect macro resource data >8 short = 283 WordPerfect hyphenation lex >8 short = 285 WordPerfect wordlist >8 short = 286 WordPerfect equation resource data >8 short = 289 WordPerfect spell rules >8 short = 290 WordPerfect dictionary rules >8 short = 295 WordPerfect spell rules (Microlytics) >8 short = 299 WordPerfect settings file >8 short = 301 WordPerfect 4.2 document >8 short = 325 WordPerfect dialog file >8 short = 332 WordPerfect button bar >8 short = 513 Shell macro >8 short = 522 Shell definition >8 short = 769 Notebook macro >8 short = 770 Notebook help file >8 short = 771 Notebook keyboard file >8 short = 778 Notebook definition >8 short = 1026 Calculator help file >8 short = 1538 Calendar help file >8 short = 1546 Calendar data file >8 short = 1793 Editor macro >8 short = 1794 Editor help file >8 short = 1795 Editor keyboard file >8 short = 1817 Editor macro resource file >8 short = 2049 Macro editor macro >8 short = 2050 Macro editor help file >8 short = 2051 Macro editor keyboard file >8 short = 2305 PlanPerfect macro >8 short = 2306 PlanPerfect help file >8 short = 2307 PlanPerfect keyboard file >8 short = 2314 PlanPerfect worksheet >8 short = 2319 PlanPerfect printer definition >8 short = 2322 PlanPerfect graphic definition >8 short = 2323 PlanPerfect data >8 short = 2324 PlanPerfect temporary printer >8 short = 2329 PlanPerfect macro resource data >8 byte = 11 Mail >8 short = 2818 help file >8 short = 2821 distribution list >8 short = 2826 out box >8 short = 2827 in box >8 short = 2836 users archived mailbox >8 short = 2837 archived message database >8 short = 2838 archived attachments >8 short = 3083 Printer temporary file >8 short = 3330 Scheduler help file >8 short = 3338 Scheduler in file >8 short = 3339 Scheduler out file >8 short = 3594 GroupWise settings file >8 short = 3601 GroupWise directory services >8 short = 3627 GroupWise settings file >8 short = 4362 Terminal resource data >8 short = 4363 Terminal resource data >8 short = 4395 Terminal resource data >8 short = 4619 GUI loadable text >8 short = 4620 graphics resource data >8 short = 4621 printer settings file >8 short = 4622 port definition file >8 short = 4623 print queue parameters >8 short = 4624 compressed file >8 short = 5130 Network service msg file >8 short = 5131 Network service msg file >8 short = 5132 Async gateway login msg >8 short = 5134 GroupWise message file >8 short = 7956 GroupWise admin domain database >8 short = 7957 GroupWise admin host database >8 short = 7959 GroupWise admin remote host database >8 short = 7960 GroupWise admin ADS deferment data file >8 short = 8458 IntelliTAG (SGML) compiled DTD >8 long = 18219264 WordPerfect graphic image (1.0) >8 long = 18219520 WordPerfect graphic image (2.0) #end of WordPerfect type files Version 1.6 - PLEASE DO NOT REMOVE THIS LINE # Hangul (Korean) Word Processor File 0 string = HWP\ Document\ File Hangul (Korean) Word Processor File # CosmicBook, from Benot Rouits 0 string = CSBK Ted Neslson's CosmicBook hypertext file 2 string = EYWR AmigaWriter file # chi: file(1) magic for ChiWriter files 0 string = \\1cw\ ChiWriter file >5 string > \0 version %s 0 string = \\1cw ChiWriter file #------------------------------------------------------------------------------ # file(1) magic(5) data for xdelta Josh MacDonald # 0 string = %XDELTA% XDelta binary patch file 0.14 0 string = %XDZ000% XDelta binary patch file 0.18 0 string = %XDZ001% XDelta binary patch file 0.20 0 string = %XDZ002% XDelta binary patch file 1.0 0 string = %XDZ003% XDelta binary patch file 1.0.4 0 string = %XDZ004% XDelta binary patch file 1.1 #------------------------------------------------------------------------------ # xenix: file(1) magic for Microsoft Xenix # # "Middle model" stuff, and "Xenix 8086 relocatable or 80286 small # model" lifted from "magic.xenix", with comment "derived empirically; # treat as folklore until proven" # # "small model", "large model", "huge model" stuff lifted from XXX # # XXX - "x.out" collides with PDP-11 archives # 0 string = core core file (Xenix) 0 byte = 0x80 8086 relocatable (Microsoft) 0 leshort = 0xff65 x.out >2 string = __.SYMDEF randomized >0 byte x - archive 0 leshort = 0x206 Microsoft a.out >8 leshort = 1 Middle model >0x1e leshort & 0x10 overlay >0x1e leshort & 0x2 separate >0x1e leshort & 0x4 pure >0x1e leshort & 0x800 segmented >0x1e leshort & 0x400 standalone >0x1e leshort & 0x8 fixed-stack >0x1c byte & 0x80 byte-swapped >0x1c byte & 0x40 word-swapped >0x10 lelong > 0 not-stripped >0x1e leshort ^ 0xc000 pre-SysV >0x1e leshort & 0x4000 V2.3 >0x1e leshort & 0x8000 V3.0 >0x1c byte & 0x4 86 >0x1c byte & 0xb 186 >0x1c byte & 0x9 286 >0x1c byte & 0xa 386 >0x1f byte < 0x040 small model >0x1f byte = 0x048 large model >0x1f byte = 0x049 huge model >0x1e leshort & 0x1 executable >0x1e leshort ^ 0x1 object file >0x1e leshort & 0x40 Large Text >0x1e leshort & 0x20 Large Data >0x1e leshort & 0x120 Huge Objects Enabled >0x10 lelong > 0 not stripped 0 leshort = 0x140 old Microsoft 8086 x.out >0x3 byte & 0x4 separate >0x3 byte & 0x2 pure >0 byte & 0x1 executable >0 byte ^ 0x1 relocatable >0x14 lelong > 0 not stripped 0 lelong = 0x206 b.out >0x1e leshort & 0x10 overlay >0x1e leshort & 0x2 separate >0x1e leshort & 0x4 pure >0x1e leshort & 0x800 segmented >0x1e leshort & 0x400 standalone >0x1e leshort & 0x1 executable >0x1e leshort ^ 0x1 object file >0x1e leshort & 0x4000 V2.3 >0x1e leshort & 0x8000 V3.0 >0x1c byte & 0x4 86 >0x1c byte & 0xb 186 >0x1c byte & 0x9 286 >0x1c byte & 0x29 286 >0x1c byte & 0xa 386 >0x1e leshort & 0x4 Large Text >0x1e leshort & 0x2 Large Data >0x1e leshort & 0x102 Huge Objects Enabled 0 leshort = 0x580 XENIX 8086 relocatable or 80286 small model #------------------------------------------------------------------------------ # xo65 object files # From: "Ullrich von Bassewitz" # 0 string = \x55\x7A\x6E\x61 xo65 object, >4 leshort x - version %d, >6 leshort&0x0001 = 0x0001 with debug info >6 leshort&0x0001 = 0x0000 no debug info # xo65 library files 0 string = \x6E\x61\x55\x7A xo65 library, >4 leshort x - version %d # o65 object files 0 string = \x01\x00\x6F\x36\x35 o65 >6 leshort&0x1000 = 0x0000 executable, >6 leshort&0x1000 = 0x1000 object, >5 byte x - version %d, >6 leshort&0x8000 = 0x8000 65816, >6 leshort&0x8000 = 0x0000 6502, >6 leshort&0x2000 = 0x2000 32 bit, >6 leshort&0x2000 = 0x0000 16 bit, >6 leshort&0x4000 = 0x4000 page reloc, >6 leshort&0x4000 = 0x0000 byte reloc, >6 leshort&0x0003 = 0x0000 alignment 1 >6 leshort&0x0003 = 0x0001 alignment 2 >6 leshort&0x0003 = 0x0002 alignment 4 >6 leshort&0x0003 = 0x0003 alignment 256 #------------------------------------------------------------------------------ # xwindows: file(1) magic for various X/Window system file formats. # Compiled X Keymap # XKM (compiled X keymap) files (including version and byte ordering) 1 string = mkx Compiled XKB Keymap: lsb, >0 byte > 0 version %d >0 byte = 0 obsolete 0 string = xkm Compiled XKB Keymap: msb, >3 byte > 0 version %d >0 byte = 0 obsolete # xfsdump archive 0 string = xFSdump0 xfsdump archive >8 long x - (version %d) # Jaleo XFS files 0 long = 395726 Jaleo XFS file >4 long x - - version %ld >8 long x - - [%ld - >20 long x - %ldx >24 long x - %ldx >28 long = 1008 YUV422] >28 long = 1000 RGB24] #------------------------------------------------------------------------------ # zilog: file(1) magic for Zilog Z8000. # # Was it big-endian or little-endian? My Product Specification doesn't # say. # 0 long = 0xe807 object file (z8000 a.out) 0 long = 0xe808 pure object file (z8000 a.out) 0 long = 0xe809 separate object file (z8000 a.out) 0 long = 0xe805 overlay object file (z8000 a.out) #------------------------------------------------------------------------------ # zyxel: file(1) magic for ZyXEL modems # # From # These are the /etc/magic entries to decode datafiles as used for the # ZyXEL U-1496E DATA/FAX/VOICE modems. (This header conforms to a # ZyXEL-defined standard) 0 string = ZyXEL\002 ZyXEL voice data >10 byte = 0 - CELP encoding >10 byte&0x0B = 1 - ADPCM2 encoding >10 byte&0x0B = 2 - ADPCM3 encoding >10 byte&0x0B = 3 - ADPCM4 encoding >10 byte&0x0B = 8 - New ADPCM3 encoding >10 byte&0x04 = 4 with resync