From 72d4668c77f014e21af1db10648768e4843ce5d2 Mon Sep 17 00:00:00 2001 From: Xin LI Date: Sat, 9 Sep 2023 21:50:07 -0700 Subject: [PATCH] Vendor import of file 5.45. --- ChangeLog | 64 +- README.md | 3 +- acinclude.m4 | 5 +- config.guess | 2 + config.h.in | 21 + config.sub | 1 + configure | 184 +++++- configure.ac | 40 +- doc/file.man | 21 +- doc/libmagic.man | 26 +- doc/magic.man | 92 +-- libmagic.pc.in | 1 + magic/Magdir/algol68 | 12 +- magic/Magdir/android | 52 +- magic/Magdir/animation | 25 +- magic/Magdir/apple | 299 +++++++++- magic/Magdir/archive | 547 +++++++++++++++++- magic/Magdir/arm | 11 +- magic/Magdir/asf | 4 +- magic/Magdir/audio | 17 +- magic/Magdir/blender | 15 +- magic/Magdir/bytecode | 13 +- magic/Magdir/c-lang | 8 +- magic/Magdir/c64 | 357 +++++++++++- magic/Magdir/cad | 40 +- magic/Magdir/coff | 3 +- magic/Magdir/commands | 18 +- magic/Magdir/compress | 88 ++- magic/Magdir/console | 52 +- magic/Magdir/crypto | 46 +- magic/Magdir/database | 62 +- magic/Magdir/der | 9 +- magic/Magdir/dsf | 25 - magic/Magdir/dwarfs | 45 ++ magic/Magdir/elf | 10 +- magic/Magdir/filesystems | 211 +++---- magic/Magdir/firmware | 133 +++++ magic/Magdir/games | 198 ++++++- magic/Magdir/gentoo | 9 +- magic/Magdir/geo | 42 +- magic/Magdir/images | 342 ++++++++++- magic/Magdir/intel | 8 +- magic/Magdir/java | 9 +- magic/Magdir/javascript | 64 +- magic/Magdir/jpeg | 8 +- magic/Magdir/lif | 9 +- magic/Magdir/linux | 99 +++- magic/Magdir/llvm | 3 +- magic/Magdir/macintosh | 56 +- magic/Magdir/magic | 65 ++- magic/Magdir/mail.news | 4 +- magic/Magdir/map | 7 +- magic/Magdir/mathematica | 69 ++- magic/Magdir/meteorological | 8 +- magic/Magdir/misctools | 66 ++- magic/Magdir/modem | 12 +- magic/Magdir/msdos | 460 +++++++++++++-- magic/Magdir/msooxml | 12 +- magic/Magdir/ole2compounddocs | 155 +++-- magic/Magdir/pdf | 6 +- magic/Magdir/perl | 8 +- magic/Magdir/playdate | 57 ++ magic/Magdir/printer | 144 ++++- magic/Magdir/qt | 13 +- magic/Magdir/rst | 6 +- magic/Magdir/rust | 21 + magic/Magdir/scientific | 43 +- magic/Magdir/sendmail | 4 +- magic/Magdir/sgml | 13 +- magic/Magdir/sniffer | 75 ++- magic/Magdir/softquad | 9 +- magic/Magdir/spectrum | 118 +++- magic/Magdir/sql | 65 ++- magic/Magdir/ssh | 11 +- magic/Magdir/svf | 5 + magic/Magdir/sysex | 6 +- magic/Magdir/terminfo | 3 +- magic/Magdir/tex | 10 +- magic/Magdir/tplink | 13 +- magic/Magdir/troff | 8 +- magic/Magdir/uterus | 4 +- magic/Magdir/varied.script | 64 +- magic/Magdir/web | 8 +- magic/Magdir/windows | 532 +++++++++++++++-- magic/Magdir/wordprocessors | 72 ++- magic/Magdir/xenix | 18 +- magic/Magdir/xilinx | 20 +- magic/Makefile.am | 8 +- magic/Makefile.in | 8 +- src/Makefile.am | 8 +- src/Makefile.in | 23 +- src/apprentice.c | 275 ++++----- src/apptype.c | 8 +- src/ascmagic.c | 38 +- src/asctime_r.c | 4 +- src/asprintf.c | 2 +- src/buffer.c | 11 +- src/cdf.c | 2 +- src/cdf_time.c | 6 +- src/compress.c | 395 +++++++++---- src/ctime_r.c | 4 +- src/der.c | 12 +- src/dprintf.c | 2 +- src/encoding.c | 40 +- src/file.c | 133 +++-- src/file.h | 197 ++++--- src/file_opts.h | 4 +- src/fmtcheck.c | 2 +- src/fsmagic.c | 8 +- src/funcs.c | 120 ++-- src/getline.c | 4 +- src/getopt_long.c | 2 +- src/gmtime_r.c | 4 +- src/is_csv.c | 12 +- src/is_json.c | 6 +- src/is_simh.c | 209 +++++++ src/is_tar.c | 14 +- src/localtime_r.c | 4 +- src/magic.c | 60 +- src/magic.h.in | 9 +- src/memtest.c | 3 +- src/pread.c | 2 +- src/print.c | 30 +- src/readcdf.c | 26 +- src/readelf.c | 72 +-- src/seccomp.c | 3 +- src/softmagic.c | 252 ++++---- src/strlcat.c | 2 +- src/strlcpy.c | 2 +- src/tar.h | 4 +- src/vasprintf.c | 7 +- tests/CVE-2014-1943.result | 2 +- tests/HWP2016.hwp.result | 1 + tests/HWP2016.hwp.testfile | Bin 0 -> 9216 bytes tests/HWP2016.hwpx.zip.result | 1 + tests/HWP2016.hwpx.zip.testfile | Bin 0 -> 14377 bytes tests/HWP97.hwp.result | 1 + tests/HWP97.hwp.testfile | Bin 0 -> 8975 bytes tests/JW07022A.mp3.result | 2 +- tests/Makefile.am | 70 ++- tests/Makefile.in | 70 ++- tests/android-vdex-1.result | 2 +- tests/android-vdex-2.result | 2 +- tests/arj.result | 2 +- tests/bcachefs.result | 2 +- tests/bcachefs2.result | 1 + tests/bcachefs2.testfile | Bin 0 -> 8192 bytes tests/cl8m8ocofedso.result | 2 +- tests/cmd1.result | 1 + tests/cmd1.testfile | 1 + tests/cmd2.result | 1 + tests/cmd2.testfile | 1 + tests/cmd3.result | 1 + tests/cmd3.testfile | 2 + tests/cmd4.result | 1 + tests/cmd4.testfile | 2 + tests/dsd64-dff.result | 2 +- tests/dsd64-dsf.result | 2 +- tests/escapevel.result | 2 +- tests/ext4.result | 2 +- tests/fit-map-data.result | 2 +- tests/gedcom.result | 2 +- tests/hddrawcopytool.result | 2 +- tests/hello-racket_rkt.result | 1 + tests/hello-racket_rkt.testfile | Bin 0 -> 1664 bytes tests/issue311docx.result | 2 +- tests/issue359xlsx.result | 2 +- tests/jpeg-text.result | 1 + tests/jpeg-text.testfile | 1 + tests/json1.result | 2 +- tests/json2.result | 2 +- tests/json3.result | 2 +- tests/json4.result | 2 +- tests/json5.result | 2 +- tests/json6.result | 2 +- tests/json7.result | 2 +- tests/json8.result | 2 +- tests/jsonlines1.result | 2 +- tests/matilde.arm.result | 2 +- tests/multiple-A.magic | 2 + tests/multiple-B.magic | 2 + tests/multiple.flags | 1 + tests/multiple.result | 1 + tests/multiple.testfile | 1 + tests/pcjr.result | 2 +- tests/pgp-binary-key-v2-phil.result | 2 +- tests/pgp-binary-key-v3-lutz.result | 2 +- tests/pgp-binary-key-v4-dsa.result | 2 +- ...-binary-key-v4-ecc-no-userid-secret.result | 2 +- tests/pgp-binary-key-v4-ecc-secret-key.result | 2 +- tests/pgp-binary-key-v4-rsa-key.result | 2 +- ...-binary-key-v4-rsa-no-userid-secret.result | 2 +- tests/pgp-binary-key-v4-rsa-secret-key.result | 2 +- tests/pnm1.result | 1 + tests/pnm1.testfile | 5 + tests/pnm2.result | 1 + tests/pnm2.testfile | Bin 0 -> 15 bytes tests/pnm3.result | 1 + tests/pnm3.testfile | 5 + tests/regex-eol.result | 2 +- tests/registry-pol.result | 1 + tests/registry-pol.testfile | Bin 0 -> 7094 bytes tests/test.c | 70 ++- tests/uf2.result | 2 +- tests/xclbin.result | 1 + tests/xclbin.testfile | Bin 0 -> 512 bytes tests/zstd-3-skippable-frames.result | 2 +- tests/zstd-dictionary-0.result | 2 +- tests/zstd-dictionary-1.result | 2 +- tests/zstd-dictionary-2.result | 2 +- tests/zstd-skippable-frame-0.result | 2 +- tests/zstd-skippable-frame-4.result | 2 +- tests/zstd-skippable-frame-8.result | 2 +- tests/zstd-skippable-frame-C.result | 2 +- tests/zstd-v0.2-FF.result | 2 +- tests/zstd-v0.3-FF.result | 2 +- tests/zstd-v0.4-FF.result | 2 +- tests/zstd-v0.5-FF.result | 2 +- tests/zstd-v0.6-FF.result | 2 +- tests/zstd-v0.7-00.result | 2 +- tests/zstd-v0.7-21.result | 2 +- tests/zstd-v0.7-22.result | 2 +- tests/zstd-v0.8-00.result | 2 +- tests/zstd-v0.8-01.result | 2 +- tests/zstd-v0.8-02.result | 2 +- tests/zstd-v0.8-03.result | 2 +- tests/zstd-v0.8-16.result | 2 +- tests/zstd-v0.8-20.result | 2 +- tests/zstd-v0.8-21.result | 2 +- tests/zstd-v0.8-22.result | 2 +- tests/zstd-v0.8-23.result | 2 +- tests/zstd-v0.8-F4.result | 2 +- tests/zstd-v0.8-FF.result | 2 +- 233 files changed, 6470 insertions(+), 1567 deletions(-) delete mode 100644 magic/Magdir/dsf create mode 100644 magic/Magdir/dwarfs create mode 100644 magic/Magdir/firmware create mode 100644 magic/Magdir/playdate create mode 100644 magic/Magdir/rust create mode 100644 magic/Magdir/svf create mode 100644 src/is_simh.c create mode 100644 tests/HWP2016.hwp.result create mode 100644 tests/HWP2016.hwp.testfile create mode 100644 tests/HWP2016.hwpx.zip.result create mode 100644 tests/HWP2016.hwpx.zip.testfile create mode 100644 tests/HWP97.hwp.result create mode 100644 tests/HWP97.hwp.testfile create mode 100644 tests/bcachefs2.result create mode 100644 tests/bcachefs2.testfile create mode 100644 tests/cmd1.result create mode 100644 tests/cmd1.testfile create mode 100644 tests/cmd2.result create mode 100644 tests/cmd2.testfile create mode 100644 tests/cmd3.result create mode 100644 tests/cmd3.testfile create mode 100644 tests/cmd4.result create mode 100644 tests/cmd4.testfile create mode 100644 tests/hello-racket_rkt.result create mode 100644 tests/hello-racket_rkt.testfile create mode 100644 tests/jpeg-text.result create mode 100644 tests/jpeg-text.testfile create mode 100644 tests/multiple-A.magic create mode 100644 tests/multiple-B.magic create mode 100644 tests/multiple.flags create mode 100644 tests/multiple.result create mode 100644 tests/multiple.testfile create mode 100644 tests/pnm1.result create mode 100644 tests/pnm1.testfile create mode 100644 tests/pnm2.result create mode 100644 tests/pnm2.testfile create mode 100644 tests/pnm3.result create mode 100644 tests/pnm3.testfile create mode 100644 tests/registry-pol.result create mode 100644 tests/registry-pol.testfile create mode 100644 tests/xclbin.result create mode 100644 tests/xclbin.testfile diff --git a/ChangeLog b/ChangeLog index dd95543fe64..fdf1cff6e2d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,63 @@ +2023-07-27 15:45 Christos Zoulas + + * release 5.45 + +2023-07-17 11:53 Christos Zoulas + + * PR/465: psrok1: Avoid muslc asctime_r crash + +2023-05-21 13:05 Christos Zoulas + + * add SIMH tape format support + +2023-02-09 12:50 Christos Zoulas + + * bump the max size of the elf section notes to be read to 128K + and make it configurable + +2023-01-08 1:08 Christos Zoulas + + * PR/415: Fix decompression with program returning empty + +2022-12-26 1:47 Christos Zoulas + + * PR/408: fix -p with seccomp + * PR/412: fix MinGW compilation + +2022-12-26 12:26 Christos Zoulas + + * release 5.44 + +2022-12-14 9:24 Christos Zoulas + + * Handle nan's so that we don't get internal floating point exceptions + when they are enabled (Vincent Mihalkovic) + +2022-10-23 10:21 Christos Zoulas + + * PR/397: Restore the ability to process files from stdin immediately. + +2022-09-20 17:12 Christos Zoulas + + * fixed various clustefuzz issues + +2022-09-19 15:54 Christos Zoulas + + * Fix error detection for decompression code (Vincent Mihalkovic) + +2022-09-15 13:50 Christos Zoulas + + * Add MAGIC_NO_COMPRESS_FORK and use it to produce a more + meaningful error message if we are sandboxing. + +2022-09-15 10:45 Christos Zoulas + + * Add built-in lzip decompression support (Michal Gorny) + +2022-09-14 10:35 Christos Zoulas + + * Add built-in zstd decompression support (Martin Rodriguez Reboredo) + 2022-09-13 14:55 Christos Zoulas * release 5.43 @@ -229,7 +289,7 @@ 2019-12-15 22:13 Christos Zoulas Document changes since the previous release: - Always accept -S (no sandbox) even if we don't support sandboxing - - More syscalls elided for sandboxiing + - More syscalls elided for sandboxing - For ELF dynamic means having an interpreter not just PT_DYNAMIC - Check for large ELF session header offset - When saving and restoring a locale, keep the locale name in our @@ -1759,7 +1819,7 @@ * Magic format checks (Dr. Werner Fink) - * Magic format function improvent (Karl Chen) + * Magic format function improvement (Karl Chen) 2006-05-03 11:11 Christos Zoulas diff --git a/README.md b/README.md index 37a3b17856c..26e38045812 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ ## README for file(1) Command and the libmagic(3) library ## - @(#) $File: README.md,v 1.4 2021/10/21 01:51:31 christos Exp $ + @(#) $File: README.md,v 1.5 2023/05/28 13:59:47 christos Exp $ - Bug Tracker: - Build Status: @@ -91,6 +91,7 @@ COPYING - read this first. * `src/gmtime_r.c` - replacement for OS's that don't have it. * `src/is_csv.c` - knows about Comma Separated Value file format (RFC 4180). * `src/is_json.c` - knows about JavaScript Object Notation format (RFC 8259). +* `src/is_simh.c` - knows about SIMH tape file format. * `src/is_tar.c, tar.h` - knows about Tape ARchive format (courtesy John Gilmore). * `src/localtime_r.c` - replacement for OS's that don't have it. * `src/magic.h.in` - source file for magic.h diff --git a/acinclude.m4 b/acinclude.m4 index e0811dd899a..30242712bad 100644 --- a/acinclude.m4 +++ b/acinclude.m4 @@ -39,11 +39,12 @@ AC_CHECK_DECLS([daylight], , , [#include #include ]) AC_CACHE_CHECK(for daylight, ac_cv_var_daylight, [AC_LINK_IFELSE( -[AC_LANG_PROGRAM([#include ], +[AC_LANG_PROGRAM([#include +#include ], [#if !HAVE_DECL_DAYLIGHT extern int daylight; #endif -atoi(daylight);])], ac_cv_var_daylight=yes, ac_cv_var_daylight=no)]) +daylight = atoi("1");])], ac_cv_var_daylight=yes, ac_cv_var_daylight=no)]) if test $ac_cv_var_daylight = yes; then AC_DEFINE(HAVE_DAYLIGHT,1,[HAVE_DAYLIGHT]) fi diff --git a/config.guess b/config.guess index 5d222e2ed59..cd4dbf7293f 100755 --- a/config.guess +++ b/config.guess @@ -210,6 +210,8 @@ case $UNAME_MACHINE:$UNAME_SYSTEM:$UNAME_RELEASE:$UNAME_VERSION in aarch64eb) machine=aarch64_be-unknown ;; armeb) machine=armeb-unknown ;; arm*) machine=arm-unknown ;; + mipsn64eb) machine=mips64-unknown ;; + mipsn64el) machine=mips64el-unknown ;; sh3el) machine=shl-unknown ;; sh3eb) machine=sh-unknown ;; sh5el) machine=sh5le-unknown ;; diff --git a/config.h.in b/config.h.in index 8bf5e7ce661..5ae30c61edd 100644 --- a/config.h.in +++ b/config.h.in @@ -89,6 +89,9 @@ /* Define to 1 if you have the `gnurx' library (-lgnurx). */ #undef HAVE_LIBGNURX +/* Define to 1 if you have the `lz' library (-llz). */ +#undef HAVE_LIBLZ + /* Define to 1 if you have the `lzma' library (-llzma). */ #undef HAVE_LIBLZMA @@ -98,9 +101,15 @@ /* Define to 1 if you have the `z' library (-lz). */ #undef HAVE_LIBZ +/* Define to 1 if you have the `zstd' library (-lzstd). */ +#undef HAVE_LIBZSTD + /* Define to 1 if you have the `localtime_r' function. */ #undef HAVE_LOCALTIME_R +/* Define to 1 if you have the header file. */ +#undef HAVE_LZLIB_H + /* Define to 1 if you have the header file. */ #undef HAVE_LZMA_H @@ -276,9 +285,18 @@ /* Define to 1 if you have the header file. */ #undef HAVE_ZLIB_H +/* Define to 1 if you have the header file. */ +#undef HAVE_ZSTD_ERRORS_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_ZSTD_H + /* Define to the sub-directory where libtool stores uninstalled libraries. */ #undef LT_OBJDIR +/* Enable lzlib compression support */ +#undef LZLIBSUPPORT + /* Define to 1 if `major', `minor', and `makedev' are declared in . */ #undef MAJOR_IN_MKDEV @@ -425,6 +443,9 @@ /* Enable zlib compression support */ #undef ZLIBSUPPORT +/* Enable zstdlib compression support */ +#undef ZSTDLIBSUPPORT + /* Number of bits in a file offset, on hosts where this is settable. */ #undef _FILE_OFFSET_BITS diff --git a/config.sub b/config.sub index d74fb6deac9..f6564f2885d 100755 --- a/config.sub +++ b/config.sub @@ -1219,6 +1219,7 @@ case $cpu-$vendor in | mips64vr4300 | mips64vr4300el \ | mips64vr5000 | mips64vr5000el \ | mips64vr5900 | mips64vr5900el \ + | mipsn64eb | mipsn64el \ | mipsisa32 | mipsisa32el \ | mipsisa32r2 | mipsisa32r2el \ | mipsisa32r3 | mipsisa32r3el \ diff --git a/configure b/configure index 143ccc5bbac..8043072f56f 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for file 5.43. +# Generated by GNU Autoconf 2.71 for file 5.45. # # Report bugs to . # @@ -621,8 +621,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='file' PACKAGE_TARNAME='file' -PACKAGE_VERSION='5.43' -PACKAGE_STRING='file 5.43' +PACKAGE_VERSION='5.45' +PACKAGE_STRING='file 5.45' PACKAGE_BUGREPORT='christos@astron.com' PACKAGE_URL='' @@ -800,6 +800,8 @@ enable_elf_core enable_zlib enable_bzlib enable_xzlib +enable_zstdlib +enable_lzlib enable_libseccomp enable_fsect_man5 enable_dependency_tracking @@ -1371,7 +1373,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures file 5.43 to adapt to many kinds of systems. +\`configure' configures file 5.45 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1442,7 +1444,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of file 5.43:";; + short | recursive ) echo "Configuration of file 5.45:";; esac cat <<\_ACEOF @@ -1458,6 +1460,9 @@ Optional Features: --disable-bzlib disable bz2lib compression support [default=auto] --disable-xzlib disable liblzma/xz compression support [default=auto] + --disable-zstdlib disable zstdlib compression support [default=auto] + --disable-lzlib disable liblz (lzip) compression support + [default=auto] --disable-libseccomp disable libseccomp sandboxing [default=auto] --enable-fsect-man5 enable file formats in man section 5 --enable-dependency-tracking @@ -1562,7 +1567,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -file configure 5.43 +file configure 5.45 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. @@ -2129,7 +2134,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by file $as_me 5.43, which was +It was created by file $as_me 5.45, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -3405,7 +3410,7 @@ fi # Define the identity of the package. PACKAGE='file' - VERSION='5.43' + VERSION='5.45' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h @@ -3641,6 +3646,28 @@ fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $enable_xzlib" >&5 printf "%s\n" "$enable_xzlib" >&6; } +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for zstdlib support" >&5 +printf %s "checking for zstdlib support... " >&6; } +# Check whether --enable-zstdlib was given. +if test ${enable_zstdlib+y} +then : + enableval=$enable_zstdlib; +fi + +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $enable_zstdlib" >&5 +printf "%s\n" "$enable_zstdlib" >&6; } + +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for lzlib support" >&5 +printf %s "checking for lzlib support... " >&6; } +# Check whether --enable-lzlib was given. +if test ${enable_lzlib+y} +then : + enableval=$enable_lzlib; +fi + +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $enable_lzlib" >&5 +printf "%s\n" "$enable_lzlib" >&6; } + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for libseccomp support" >&5 printf %s "checking for libseccomp support... " >&6; } # Check whether --enable-libseccomp was given. @@ -13665,6 +13692,30 @@ then : fi +fi +if test "$enable_zstdlib" != "no"; then + ac_fn_c_check_header_compile "$LINENO" "zstd.h" "ac_cv_header_zstd_h" "$ac_includes_default" +if test "x$ac_cv_header_zstd_h" = xyes +then : + printf "%s\n" "#define HAVE_ZSTD_H 1" >>confdefs.h + +fi +ac_fn_c_check_header_compile "$LINENO" "zstd_errors.h" "ac_cv_header_zstd_errors_h" "$ac_includes_default" +if test "x$ac_cv_header_zstd_errors_h" = xyes +then : + printf "%s\n" "#define HAVE_ZSTD_ERRORS_H 1" >>confdefs.h + +fi + +fi +if test "$enable_lzlib" != "no"; then + ac_fn_c_check_header_compile "$LINENO" "lzlib.h" "ac_cv_header_lzlib_h" "$ac_includes_default" +if test "x$ac_cv_header_lzlib_h" = xyes +then : + printf "%s\n" "#define HAVE_LZLIB_H 1" >>confdefs.h + +fi + fi ac_fn_c_check_type "$LINENO" "sig_t" "ac_cv_type_sig_t" "#include " @@ -14037,13 +14088,14 @@ else $as_nop cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include +#include int main (void) { #if !HAVE_DECL_DAYLIGHT extern int daylight; #endif -atoi(daylight); +daylight = atoi("1"); ; return 0; } @@ -15459,6 +15511,96 @@ then : fi +fi +if test "$enable_zstdlib" != "no"; then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ZSTD_createDStream in -lzstd" >&5 +printf %s "checking for ZSTD_createDStream in -lzstd... " >&6; } +if test ${ac_cv_lib_zstd_ZSTD_createDStream+y} +then : + printf %s "(cached) " >&6 +else $as_nop + ac_check_lib_save_LIBS=$LIBS +LIBS="-lzstd $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +char ZSTD_createDStream (); +int +main (void) +{ +return ZSTD_createDStream (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO" +then : + ac_cv_lib_zstd_ZSTD_createDStream=yes +else $as_nop + ac_cv_lib_zstd_ZSTD_createDStream=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_zstd_ZSTD_createDStream" >&5 +printf "%s\n" "$ac_cv_lib_zstd_ZSTD_createDStream" >&6; } +if test "x$ac_cv_lib_zstd_ZSTD_createDStream" = xyes +then : + printf "%s\n" "#define HAVE_LIBZSTD 1" >>confdefs.h + + LIBS="-lzstd $LIBS" + +fi + +fi +if test "$enable_lzlib" != "no"; then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for LZ_decompress_open in -llz" >&5 +printf %s "checking for LZ_decompress_open in -llz... " >&6; } +if test ${ac_cv_lib_lz_LZ_decompress_open+y} +then : + printf %s "(cached) " >&6 +else $as_nop + ac_check_lib_save_LIBS=$LIBS +LIBS="-llz $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +char LZ_decompress_open (); +int +main (void) +{ +return LZ_decompress_open (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO" +then : + ac_cv_lib_lz_LZ_decompress_open=yes +else $as_nop + ac_cv_lib_lz_LZ_decompress_open=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_lz_LZ_decompress_open" >&5 +printf "%s\n" "$ac_cv_lib_lz_LZ_decompress_open" >&6; } +if test "x$ac_cv_lib_lz_LZ_decompress_open" = xyes +then : + printf "%s\n" "#define HAVE_LIBLZ 1" >>confdefs.h + + LIBS="-llz $LIBS" + +fi + fi if test "$enable_libseccomp" != "no"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for seccomp_init in -lseccomp" >&5 @@ -15591,6 +15733,26 @@ if test "$ac_cv_header_lzma_h$ac_cv_lib_lzma_lzma_stream_decoder" = "yesyes"; t printf "%s\n" "#define XZLIBSUPPORT 1" >>confdefs.h +fi +if test "$enable_zstdlib" = "yes"; then + if test "$ac_cv_header_zstd_h$ac_cv_lib_zstd_ZSTD_createDStream" != "yesyes"; then + as_fn_error $? "zstdlib support requested but not found" "$LINENO" 5 + fi +fi +if test "$ac_cv_header_zstd_h$ac_cv_lib_zstd_ZSTD_createDStream" = "yesyes"; then + +printf "%s\n" "#define ZSTDLIBSUPPORT 1" >>confdefs.h + +fi +if test "$enable_lzlib" = "yes"; then + if test "$ac_cv_header_lzlib_h$ac_cv_lib_lz_LZ_decompress_open" != "yesyes"; then + as_fn_error $? "lzlib support requested but not found" "$LINENO" 5 + fi +fi +if test "$ac_cv_header_lzlib_h$ac_cv_lib_lz_LZ_decompress_open" = "yesyes"; then + +printf "%s\n" "#define LZLIBSUPPORT 1" >>confdefs.h + fi ac_config_files="$ac_config_files Makefile src/Makefile magic/Makefile tests/Makefile doc/Makefile python/Makefile libmagic.pc" @@ -16131,7 +16293,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by file $as_me 5.43, which was +This file was extended by file $as_me 5.45, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -16199,7 +16361,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -file config.status 5.43 +file config.status 5.45 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 6629300fd02..aa728badb1b 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ dnl Process this file with autoconf to produce a configure script. -AC_INIT([file],[5.43],[christos@astron.com]) +AC_INIT([file],[5.45],[christos@astron.com]) AM_INIT_AUTOMAKE([subdir-objects foreign]) m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])]) @@ -49,6 +49,16 @@ AC_ARG_ENABLE([xzlib], [AS_HELP_STRING([--disable-xzlib], [disable liblzma/xz compression support @<:@default=auto@:>@])]) AC_MSG_RESULT($enable_xzlib) +AC_MSG_CHECKING(for zstdlib support) +AC_ARG_ENABLE([zstdlib], +[AS_HELP_STRING([--disable-zstdlib], [disable zstdlib compression support @<:@default=auto@:>@])]) +AC_MSG_RESULT($enable_zstdlib) + +AC_MSG_CHECKING(for lzlib support) +AC_ARG_ENABLE([lzlib], +[AS_HELP_STRING([--disable-lzlib], [disable liblz (lzip) compression support @<:@default=auto@:>@])]) +AC_MSG_RESULT($enable_lzlib) + AC_MSG_CHECKING(for libseccomp support) AC_ARG_ENABLE([libseccomp], [AS_HELP_STRING([--disable-libseccomp], [disable libseccomp sandboxing @<:@default=auto@:>@])]) @@ -112,6 +122,12 @@ fi if test "$enable_xzlib" != "no"; then AC_CHECK_HEADERS(lzma.h) fi +if test "$enable_zstdlib" != "no"; then + AC_CHECK_HEADERS(zstd.h zstd_errors.h) +fi +if test "$enable_lzlib" != "no"; then + AC_CHECK_HEADERS(lzlib.h) +fi AC_CHECK_TYPE([sig_t],[AC_DEFINE([HAVE_SIG_T],1,[Have sig_t type])],,[#include ]) dnl Checks for typedefs, structures, and compiler characteristics. @@ -180,6 +196,12 @@ fi if test "$enable_xzlib" != "no"; then AC_CHECK_LIB(lzma, lzma_stream_decoder) fi +if test "$enable_zstdlib" != "no"; then + AC_CHECK_LIB(zstd, ZSTD_createDStream) +fi +if test "$enable_lzlib" != "no"; then + AC_CHECK_LIB(lz, LZ_decompress_open) +fi if test "$enable_libseccomp" != "no"; then AC_CHECK_LIB(seccomp, seccomp_init) fi @@ -215,6 +237,22 @@ fi if test "$ac_cv_header_lzma_h$ac_cv_lib_lzma_lzma_stream_decoder" = "yesyes"; then AC_DEFINE([XZLIBSUPPORT], 1, [Enable xzlib compression support]) fi +if test "$enable_zstdlib" = "yes"; then + if test "$ac_cv_header_zstd_h$ac_cv_lib_zstd_ZSTD_createDStream" != "yesyes"; then + AC_MSG_ERROR([zstdlib support requested but not found]) + fi +fi +if test "$ac_cv_header_zstd_h$ac_cv_lib_zstd_ZSTD_createDStream" = "yesyes"; then + AC_DEFINE([ZSTDLIBSUPPORT], 1, [Enable zstdlib compression support]) +fi +if test "$enable_lzlib" = "yes"; then + if test "$ac_cv_header_lzlib_h$ac_cv_lib_lz_LZ_decompress_open" != "yesyes"; then + AC_MSG_ERROR([lzlib support requested but not found]) + fi +fi +if test "$ac_cv_header_lzlib_h$ac_cv_lib_lz_LZ_decompress_open" = "yesyes"; then + AC_DEFINE([LZLIBSUPPORT], 1, [Enable lzlib compression support]) +fi AC_CONFIG_FILES([Makefile src/Makefile magic/Makefile tests/Makefile doc/Makefile python/Makefile libmagic.pc]) AC_OUTPUT diff --git a/doc/file.man b/doc/file.man index c0f1ad937c2..bf78c0c707f 100644 --- a/doc/file.man +++ b/doc/file.man @@ -1,5 +1,5 @@ -.\" $File: file.man,v 1.146 2022/10/26 16:56:14 christos Exp $ -.Dd October 26, 2022 +.\" $File: file.man,v 1.150 2023/05/21 17:08:34 christos Exp $ +.Dd May 21, 2023 .Dt FILE __CSECTION__ .Os .Sh NAME @@ -224,6 +224,8 @@ elf magic is found. Examines JSON (RFC-7159) files by parsing them for compliance. .It soft Consults magic files. +.It simh +Examines SIMH tape files. .It tar Examines tar files by verifying the checksum of the 512 byte tar header. Excluding this test can provide more detailed content description by using @@ -337,16 +339,17 @@ attempt to preserve the access time of files analyzed, to pretend that never read them. .It Fl P , Fl Fl parameter Ar name=value Set various parameter limits. -.Bl -column "elf_phnum" "Default" "XXXXXXXXXXXXXXXXXXXXXXXXXXX" -offset indent +.Bl -column "elf_phnum" "Default" "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" .It Sy "Name" Ta Sy "Default" Ta Sy "Explanation" -.It Li bytes Ta 1048576 Ta max number of bytes to read from file +.It Li bytes Ta 1M Ta max number of bytes to read from file .It Li elf_notes Ta 256 Ta max ELF notes processed -.It Li elf_phnum Ta 2048 Ta max ELF program sections processed -.It Li elf_shnum Ta 32768 Ta max ELF sections processed -.It Li encoding Ta 65536 Ta max number of bytes to scan for encoding evaluation +.It Li elf_phnum Ta 2K Ta max ELF program sections processed +.It Li elf_shnum Ta 32K Ta max ELF sections processed +.It Li elf_shsize Ta 128MB Ta max ELF section size processed +.It Li encoding Ta 65K Ta max number of bytes to determine encoding .It Li indir Ta 50 Ta recursion limit for indirect magic .It Li name Ta 50 Ta use count limit for name/use magic -.It Li regex Ta 8192 Ta length limit for regex searches +.It Li regex Ta 8K Ta length limit for regex searches .El .It Fl r , Fl Fl raw Don't translate unprintable characters to \eooo. @@ -727,7 +730,7 @@ variable in file.h), then we don't seek to that offset, but we give up. It would be better if buffer managements was done when the file descriptor is available so we can seek around the file. One must be careful though because this has performance and thus security -considerations, because one can slow down things by repeateadly seeking. +considerations, because one can slow down things by repeatedly seeking. .Pp There is support now for keeping separate buffers and having offsets from the end of the file, but the internal buffer management still needs an diff --git a/doc/libmagic.man b/doc/libmagic.man index b0cf0339f19..e89c6ee0bfa 100644 --- a/doc/libmagic.man +++ b/doc/libmagic.man @@ -1,6 +1,6 @@ -.\" $File: libmagic.man,v 1.45 2019/06/08 22:16:24 christos Exp $ +.\" $File: libmagic.man,v 1.49 2023/07/20 14:32:07 christos Exp $ .\" -.\" Copyright (c) Christos Zoulas 2003, 2018. +.\" Copyright (c) Christos Zoulas 2003, 2018, 2022 .\" All Rights Reserved. .\" .\" Redistribution and use in source and binary forms, with or without @@ -25,7 +25,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd June 8, 2019 +.Dd June 16, 2023 .Dt LIBMAGIC 3 .Os .Sh NAME @@ -84,6 +84,8 @@ .Fn magic_setparam "magic_t cookie" "int param" "const void *value" .Ft int .Fn magic_version "void" +.Ft const char * +.Fn magic_getpath "const char *magicfile" "int action" .Sh DESCRIPTION These functions operate on the magic database file @@ -143,6 +145,8 @@ Don't report on compression, only report about the uncompressed data. Don't check for .Dv EMX application type (only on EMX). +.It Dv MAGIC_NO_COMPRESS_FORK +Don't allow decompressors that use fork. .It Dv MAGIC_NO_CHECK_CDF Don't get extra information on MS Composite Document Files. .It Dv MAGIC_NO_CHECK_COMPRESS @@ -163,6 +167,8 @@ Don't look for known tokens inside ascii files. Don't examine JSON files. .It Dv MAGIC_NO_CHECK_CSV Don't examine CSV files. +.It Dv MAGIC_NO_CHECK_SIMH +Don't examine SIMH tape files. .El .Pp The @@ -343,6 +349,20 @@ from .In magic.h . This can be used by client programs to verify that the version they compile against is the same as the version that they run against. +.Pp +The +.Fn magic_getpath +command returns the colon separated list of magic database locations. +If the +.Fa filename +is non-NULL, then it is returned. +Otherwise, if the +.Dv MAGIC +environment variable is defined, then it is returned. +Otherwise, if +.Fa action +is 0 (meaning "file load"), then any user-specific magic database file is included. +Otherwise, only the system default magic database path is included. .Sh RETURN VALUES The function .Fn magic_open diff --git a/doc/magic.man b/doc/magic.man index d38b0e0b401..af4bfa89c6b 100644 --- a/doc/magic.man +++ b/doc/magic.man @@ -1,5 +1,5 @@ -.\" $File: magic.man,v 1.100 2022/09/10 13:19:26 christos Exp $ -.Dd September 10, 2022 +.\" $File: magic.man,v 1.103 2023/07/20 14:32:07 christos Exp $ +.Dd Arpil 18, 2023 .Dt MAGIC __FSECTION__ .Os .\" install as magic.4 on USG, magic.5 on V7, Berkeley and Linux systems. @@ -68,54 +68,52 @@ A 32-bit single precision IEEE floating point number in this machine's native by A 64-bit double precision IEEE floating point number in this machine's native byte order. .It Dv string A string of bytes. -The string type specification can be optionally followed -by /[WwcCtbTf]*. -The -.Dq W -flag compacts whitespace in the target, which must +The string type specification can be optionally followed by a / +option and optionally followed by a set of flags /[bCcftTtWw]*. +The width limits the number of characters to be copied. +Zero means all characters. +The following flags are supported: +.Bl -tag -width B -compact -offset XXXX +.It b +Force binary file test. +.It C +Use upper case insensitive matching: upper case +characters in the magic match both lower and upper case characters in the +target, whereas lower case characters in the magic only match upper case +characters in the target. +.It c +Use lower case insensitive matching: lower case +characters in the magic match both lower and upper case characters in the +target, whereas upper case characters in the magic only match upper case +characters in the target. +To do a complete case insensitive match, specify both +.Dq c +and +.Dq C . +.It f +Require that the matched string is a full word, not a partial word match. +.It T +Trim the string, i.e. leading and trailing whitespace +.It t +Force text file test. +.It W +Compact whitespace in the target, which must contain at least one whitespace character. If the magic has .Dv n consecutive blanks, the target needs at least .Dv n consecutive blanks to match. -The -.Dq w -flag treats every blank in the magic as an optional blank. -The -.Dq f -flags requires that the matched string is a full word, not a partial word match. -The -.Dq c -flag specifies case insensitive matching: lower case -characters in the magic match both lower and upper case characters in the -target, whereas upper case characters in the magic only match upper case -characters in the target. -The -.Dq C -flag specifies case insensitive matching: upper case -characters in the magic match both lower and upper case characters in the -target, whereas lower case characters in the magic only match upper case -characters in the target. -To do a complete case insensitive match, specify both -.Dq c -and -.Dq C . -The -.Dq t -flag forces the test to be done for text files, while the -.Dq b -flag forces the test to be done for binary files. -The -.Dq T -flag causes the string to be trimmed, i.e. leading and trailing whitespace +.It w +Treat every blank in the magic as an optional blank. is deleted before the string is printed. +.El .It Dv pstring A Pascal-style string where the first byte/short/int is interpreted as the unsigned length. The length defaults to byte and can be specified as a modifier. The following modifiers are supported: -.Bl -tag -compact -width B +.Bl -tag -width B -compact -offset XXXX .It B A byte length (default). .It H @@ -544,6 +542,20 @@ An APPLE 4+4 character APPLE creator and type can be specified as: !:apple CREATYPE .Ed .Pp +A slash-separated list of commonly found filename extensions can be specified +as: +.Bd -literal -offset indent +!:ext ext[/ext...] +.Ed +.Pp +i.e. the literal string +.Dq !:ext +followed by a slash-separated list of commonly found extensions; for example +for JPEG images: +.Bd -literal -offset indent +!:ext jpeg/jpg/jpe/jfif +.Ed +.Pp A MIME type is given on a separate line, which must be the next non-blank or comment line after the magic line that identifies the file type, and has the following format: @@ -776,8 +788,8 @@ and .Dv long on the platform, even though the Single .Ux -Specification implies that they do. However, as OS X Mountain Lion has -passed the Single +Specification implies that they do. +However, as OS X Mountain Lion has passed the Single .Ux Specification validation suite, and supplies a version of .Xr file __CSECTION__ diff --git a/libmagic.pc.in b/libmagic.pc.in index 3ad1290be39..140d70a1def 100644 --- a/libmagic.pc.in +++ b/libmagic.pc.in @@ -8,3 +8,4 @@ Description: Magic number recognition library Version: @VERSION@ Libs: -L${libdir} -lmagic Libs.private: @LIBS@ +Cflags: -I${includedir} diff --git a/magic/Magdir/algol68 b/magic/Magdir/algol68 index 77016778ad7..1ca1fad2113 100644 --- a/magic/Magdir/algol68 +++ b/magic/Magdir/algol68 @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: algol68,v 1.4 2021/08/15 06:00:55 christos Exp $ +# $File: algol68,v 1.6 2022/11/06 18:36:55 christos Exp $ # algol68: file(1) magic for Algol 68 source # # URL: https://en.wikipedia.org/wiki/ALGOL_68 @@ -9,14 +9,8 @@ 0 search/8192 (input, >0 use algol_68 # graph_2d.a68 -0 regex/4006 \^PROC -#>&-4 string x \b, dBase or Algol "%s" -# most xBase scripts *.prg with PROCEDURE like: Areacode BarCount Def_mens Vendors -#>&-4 string =PROCEDURE \b, dBase PROCEDURE -# skip xBase program scripts *.prg with PROCEDURE keyword -# keyword proc probably followed by white space used to specify algol procedures ->&-4 string !PROCEDURE ->>0 use algol_68 +0 regex/4006 \^PROC[[:space:]][a-zA-Z0-9_[:space:]]*[[:space:]]= +>0 use algol_68 0 regex/1024 \bMODE[\t\ ] >0 use algol_68 0 regex/1024 \bMODE[\t\ ] diff --git a/magic/Magdir/android b/magic/Magdir/android index 63296d0ecfc..8a2dedf3d2d 100644 --- a/magic/Magdir/android +++ b/magic/Magdir/android @@ -1,6 +1,6 @@ #------------------------------------------------------------ -# $File: android,v 1.19 2021/04/26 15:56:00 christos Exp $ +# $File: android,v 1.24 2023/02/20 16:51:59 christos Exp $ # Various android related magic entries #------------------------------------------------------------ @@ -180,7 +180,9 @@ # In include/androidfw/ResourceTypes.h: # RES_XML_TYPE = 0x0003 followed by the size of the header (ResXMLTree_header), # which is 8 bytes (2 bytes type + 2 bytes header size + 4 bytes size). +# The strength is increased to avoid misidentifying as Targa image data 0 lelong 0x00080003 Android binary XML +!:strength +1 # Android cryptfs footer # From https://android.googlesource.com/\ @@ -207,3 +209,51 @@ >8 string >000 dex section version: %s, >12 lelong >0 number of dex files: %d, >16 lelong >0 verifier deps size: %d + +# Disassembled DEX files +0 string/t .class\x20 +>&0 regex/512 \^\\.super\x20L.*;$ disassembled Android DEX Java class (smali/baksmali) +!:ext smali + +# Android ART (baseline) profile + metadata: baseline.prof, baseline.profm +# Reference: https://android.googlesource.com/platform/frameworks/support/\ +# +/refs/heads/androidx-main/profileinstaller/profileinstaller/\ +# src/main/java/androidx/profileinstaller/ProfileTranscoder.java +# Reference: https://android.googlesource.com/platform/frameworks/support/\ +# +/refs/heads/androidx-main/profileinstaller/profileinstaller/\ +# src/main/java/androidx/profileinstaller/ProfileVersion.java +0 string pro\x00 +>0 regex pro\x000[0-9][0-9]\x00 Android ART profile +!:ext prof +>>4 string 001\x00 \b, version 001 N +>>4 string 005\x00 \b, version 005 O +>>4 string 009\x00 \b, version 009 O MR1 +>>4 string 010\x00 \b, version 010 P +>>4 string 015\x00 \b, version 015 S +0 string prm\x00 +>0 regex prm\x000[0-9][0-9]\x00 Android ART profile metadata +!:ext profm +>>4 string 001\x00 \b, version 001 N +>>4 string 002\x00 \b, version 002 + +# Android package resource table (ARSC): resources.arsc +# Reference: https://android.googlesource.com/platform/tools/base/\ +# +/refs/heads/mirror-goog-studio-main/apkparser/binary-resources/\ +# src/main/java/com/google/devrel/gmscore/tools/apk/arsc +# 00: resource table type = 0x0002 (2) + header size = 12 (2) +# 04: chunk size (4, skipped) +# 08: #packages (4) +0 ulelong 0x000c0002 Android package resource table (ARSC) +!:ext arsc +>8 ulelong !1 \b, %d packages +# 12: string pool type = 0x0001 (2) + header size = 28 (2) +# 16: chunk size (4, skipped) +# 20: #strings (4), #styles (4), flags (4) +>12 ulelong 0x001c0001 +>>20 ulelong !0 \b, %d string(s) +>>24 ulelong !0 \b, %d style(s) +>>28 ulelong &1 \b, sorted +>>28 ulelong &256 \b, utf8 + +# extracted APK Signing Block +-16 string APK\x20Sig\x20Block\x2042 APK Signing Block diff --git a/magic/Magdir/animation b/magic/Magdir/animation index 05734651819..aab93ca34a6 100644 --- a/magic/Magdir/animation +++ b/magic/Magdir/animation @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: animation,v 1.90 2022/08/16 11:16:39 christos Exp $ +# $File: animation,v 1.94 2023/06/16 20:06:50 christos Exp $ # animation: file(1) magic for animation/movie formats # # animation formats @@ -18,8 +18,8 @@ >12 string rmra \b multiple URLs 4 string mdat Apple QuickTime movie (unoptimized) !:mime video/quicktime -#4 string wide Apple QuickTime movie (unoptimized) -#!:mime video/quicktime +4 string wide Apple QuickTime movie (unoptimized) +!:mime video/quicktime #4 string skip Apple QuickTime movie (modified) #!:mime video/quicktime #4 string free Apple QuickTime movie (modified) @@ -37,6 +37,7 @@ 4 string ftyp ISO Media # https://aeroquartet.com/wordpress/2016/03/05/3-xavc-s/ >8 string XAVC \b, MPEG v4 system, Sony XAVC Codec +!:mime video/mp4 >>96 string x \b, Audio "%.4s" >>118 beshort x at %dHz >>140 string x \b, Video "%.4s" @@ -938,6 +939,15 @@ !:mime video/MP2T !:ext ts +# Blu-ray disc Audio-Video MPEG-2 transport stream +# From: Alexandre Iooss +# URL: https://en.wikipedia.org/wiki/MPEG_transport_stream +# Note: similar to ISO 13818.1 but with 4 extra bytes per packets +4 belong&0xFF5FFF10 =0x47400010 +>196 byte =0x47 BDAV MPEG-2 Transport Stream (M2TS) +!:mime video/MP2T +!:ext m2ts/mts + # DIF digital video file format 0 belong&0xffffff00 0x1f070000 DIF !:mime video/x-dv @@ -1185,3 +1195,12 @@ >30 lelong x \b, height: %d >34 lelong x \b, %d bit >38 lelong x \b, frames: %d + +# https://wiki.multimedia.cx/index.php/Duck_IVF +0 string DKIF Duck IVF video file +!:mime video/x-ivf +>4 leshort >0 \b, version %d +>8 string x \b, codec %s +>12 leshort x \b, %d +>14 leshort x \bx%d +>24 lelong >0 \b, %d frames diff --git a/magic/Magdir/apple b/magic/Magdir/apple index 4b249bf8a32..547b0ac20ab 100644 --- a/magic/Magdir/apple +++ b/magic/Magdir/apple @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: apple,v 1.45 2021/04/26 15:56:00 christos Exp $ +# $File: apple,v 1.48 2023/05/01 14:20:21 christos Exp $ # apple: file(1) magic for Apple file formats # 0 search/1/t FiLeStArTfIlEsTaRt binscii (apple ][) text @@ -11,26 +11,48 @@ 0 belong 0x00051600 AppleSingle encoded Macintosh file 0 belong 0x00051607 AppleDouble encoded Macintosh file +# Type: Apple Emulator A2R format +# From: Greg Wildman +# Ref: https://applesaucefdc.com/a2r2-reference/ +# Ref: https://applesaucefdc.com/a2r/ +0 string A2R +>3 string \x31\xFF\x0A\x0D\x0A Applesauce A2R 1.x Disk Image +>3 string \x32\xFF\x0A\x0D\x0A Applesauce A2R 2.x Disk Image +>3 string \x33\xFF\x0A\x0D\x0A Applesauce A2R 3.x Disk Image +>8 string INFO +>>49 byte 01 \b, 5.25″ SS 40trk +>>49 byte 02 \b, 3.5″ DS 80trk +>>49 byte 03 \b, 5.25″ DS 80trk +>>49 byte 04 \b, 5.25″ DS 40trk +>>49 byte 05 \b, 3.5″ DS 80trk +>>49 byte 06 \b, 8″ DS +>>50 byte 01 \b, write protected +>>51 byte 01 \b, cross track synchronized +>>17 string/T x \b, %.32s + # Type: Apple Emulator WOZ format # From: Greg Wildman # Ref: https://applesaucefdc.com/woz/reference/ # Ref: https://applesaucefdc.com/woz/reference2/ -# -# Note: The following test are mostly identical. I would rather not -# use a regex to identify the WOZ format number. -0 string WOZ1 ->4 string \xFF\x0A\x0D\x0A Apple ][ WOZ 1.0 Disk Image +0 string WOZ +>3 string \x31\xFF\x0A\x0D\x0A Apple ][ WOZ 1.0 Disk Image +>3 string \x32\xFF\x0A\x0D\x0A Apple ][ WOZ 2.0 Disk Image >12 string INFO >>21 byte 01 \b, 5.25 inch >>21 byte 02 \b, 3.5 inch >>22 byte 01 \b, write protected >>23 byte 01 \b, cross track synchronized >>25 string/T x \b, %.32s -0 string WOZ2 ->4 string \xFF\x0A\x0D\x0A Apple ][ WOZ 2.0 Disk Image + +# Type: Apple Macintosh Emulator MOOF format +# From: Greg Wildman +# Ref: https://applesaucefdc.com/moof-reference/ +0 string MOOF +>4 string \xFF\x0A\x0D\x0A Apple Macintosh MOOF Disk Image >12 string INFO ->>21 byte 01 \b, 5.25 inch ->>21 byte 02 \b, 3.5 inch +>>21 byte 01 \b, SSDD GCR (400K) +>>21 byte 02 \b, DSDD GCR (800K) +>>21 byte 03 \b, DSHD MFM (1.44M) >>22 byte 01 \b, write protected >>23 byte 01 \b, cross track synchronized >>25 string/T x \b, %.32s @@ -43,29 +65,79 @@ >0x400 string \x00\x00\x03\x00 >>0x404 byte &0xF0 >>>0x405 string x \b, Volume /%s ->>>0x429 leshort x \b, %u Blocks +>>>0x429 uleshort x \b, %u Blocks # ProDOS ordered ? >0xb00 string \x00\x00\x03\x00 >>0xb04 byte &0xF0 >>>0xb05 string x \b, Volume /%s ->>>0xb29 leshort x \b, %u Blocks +>>>0xb29 uleshort x \b, %u Blocks # -# DOS3.3 boot loader? -0 string \x01\xA5\x27\xC9\x09\xD0\x18\xA5\x2B ->0x11001 string \x11\x0F\x03 Apple DOS 3.3 Image ->>0x11006 byte x \b, Volume %u ->>0x11034 byte x \b, %u Tracks ->>0x11035 byte x \b, %u Sectors ->>0x11036 leshort x \b, %u bytes per sector -# DOS3.2 ? ->0x11001 string \x11\x0C\x02 Apple DOS 3.2 Image ->>0x11006 byte x \b, Volume %u ->>0x11034 byte x \b, %u Tracks ->>0x11035 byte x \b, %u Sectors ->>0x11036 leshort x \b, %u bytes per sector -# DOS3.1 ? ->0x11001 string \x11\x0C\x01 ->>0x11c00 string \x00\x11\x0B Apple DOS 3.1 Image +# Proboot HD +0 string \x01\x8A\x48\xD8\x2C\x82\xC0\x8D\x0E\xC0\x8D\x0C Apple ProDOS ProBoot Image +>0x400 string \x00\x00\x03\x00 +>>0x404 byte &0xF0 +>>>0x405 string x \b, Volume /%s +>>>0x429 uleshort x \b, %u Blocks +>0xb00 string \x00\x00\x03\x00 +>>0xb04 byte &0xF0 +>>>0xb05 string x \b, Volume /%s +>>>0xb29 uleshort x \b, %u Blocks +0 string \x01\xA8\x8A\x20\x7B\xF8\x29\x07\x09\xC0\x99\x30 Apple ProDOS ProBoot Image +>0x400 string \x00\x00\x03\x00 +>>0x404 byte &0xF0 +>>>0x405 string x \b, Volume /%s +>>>0x429 uleshort x \b, %u Blocks +>0xb00 string \x00\x00\x03\x00 +>>0xb04 byte &0xF0 +>>>0xb05 string x \b, Volume /%s +>>>0xb29 uleshort x \b, %u Blocks +0 string \x01\x4A\xD0\x34\xE6\x3D\x8A\x20\x7B\xF8\x09\xC0 Apple ProDOS ProBoot Image +>0x400 string \x00\x00\x03\x00 +>>0x404 byte &0xF0 +>>>0x405 string x \b, Volume /%s +>>>0x429 uleshort x \b, %u Blocks +>0xb00 string \x00\x00\x03\x00 +>>0xb04 byte &0xF0 +>>>0xb05 string x \b, Volume /%s +>>>0xb29 uleshort x \b, %u Blocks +# +# ProDOS formatted +0 string \x01\xBD\x88\xC0\x20\x2F\xFB\x20\x58\xFC\x20\x40 Apple ProDOS Unbootable Image +>0x400 string \x00\x00\x03\x00 +>>0x404 byte &0xF0 +>>>0x405 string x \b, Volume /%s +>>>0x429 uleshort x \b, %u Blocks +>0xb00 string \x00\x00\x03\x00 +>>0xb04 byte &0xF0 +>>>0xb05 string x \b, Volume /%s +>>>0xb29 uleshort x \b, %u Blocks +0 string \x01\x38\xB0\x03\x4C\x1C\x09\x78\x86\x43\xC9\x03 Apple ProDOS Unbootable Image +>0x400 string \x00\x00\x03\x00 +>>0x404 byte &0xF0 +>>>0x405 string x \b, Volume /%s +>>>0x429 uleshort x \b, %u Blocks +>0xb00 string \x00\x00\x03\x00 +>>0xb04 byte &0xF0 +>>>0xb05 string x \b, Volume /%s +>>>0xb29 uleshort x \b, %u Blocks +# +# DOS3 boot loader +0 string \x01\xA5\x27\xC9\x09\xD0 +>0x11001 byte 0x11 +>>0x11003 ubyte x Apple DOS 3.%u Image +>>0x11006 ubyte x \b, Volume #%03u +>>0x11034 ubyte x \b, %u Tracks +>>0x11035 ubyte x \b, %u Sectors +>>0x11036 uleshort x \b, %u bytes per sector +# +# DOS3 uninitialized disk +0 string \x01\xA6\x2B\xBD\x88\xC0\x8A\x4A\x4A +>0x11001 byte 0x11 +>>0x11003 ubyte x Apple DOS 3.%u Unbootable Image +>>>0x11006 ubyte x \b, Volume #%03u +>>>0x11034 ubyte x \b, %u Tracks +>>>0x11035 ubyte x \b, %u Sectors +>>>0x11036 uleshort x \b, %u bytes per sector # # Pascal boot loader? 0 string \x01\xE0\x60\xF0\x03\x4C\xE3\x08\xAD @@ -112,9 +184,70 @@ >>0x440 string \x00\x00\x03\x00 >>>0x444 byte &0xF0 >>>>0x445 string x \b, Volume /%s ->>>>0x469 leshort x \b, %u Blocks +>>>>0x469 uleshort x \b, %u Blocks >0xc byte 02 \b, NIB data +# Type: Peter Ferrie QBoot +# From: Greg Wildman +# Ref: https://github.com/peterferrie/qboot +0 string \x01\x4A\xA8\x69\x0F\x85\x27\xC9 +>8 string \x12\xF0\x10\xE6\x3D\x86\xDA\x8A Apple ][ QBoot Image + +# Type: Peter Ferrie 0Boot +# From: Greg Wildman +# Ref: https://github.com/peterferrie/0boot +0 string \x01\x4A\xA8\x69\x0F\x85\x27\xC9 +>8 string \x12\xF0\x10\xE6\x3D\x86\xDA\x8A Apple ][ 0Boot Image + +# Different proprietary boot sectors +0 string \x01\x0F\x21\x74\x00\x01\x6B\x00\x02\x30\x81\x5D Apple ][ Disk Image +0 string \x01\x20\x58\xFC\xA2\x00\x8E\x78\x04\x8E\xF4\x03 Apple ][ Disk Image +0 string \x01\x20\x58\xFC\xAD\x51\xC0\xAD\x54\xC0\xA6\x2B Apple ][ Disk Image +0 string \x01\x20\x89\xFE\x20\x93\xFE\xA6\x2B\xBD\x88\xC0 Apple ][ Disk Image +0 string \x01\x20\x93\xFE\x20\x89\xFE\x4C\x25\x08\x68\x85 Apple ][ Disk Image +0 string \x01\x20\x93\xFE\x20\x89\xFE\x4C\x2D\x08\x68\x85 Apple ][ Disk Image +0 string \x01\x38\x90\x2A\xC9\x01\xF0\x33\xA8\xC8\xC0\x10 Apple ][ Disk Image +0 string \x01\x38\xB0\x03\x4C\x32\xA1\x87\x43\xC9\x03\x08 Apple ][ Disk Image +0 string \x01\x4C\x04\x08\xA9\x2A\x8D\x02\x08\x86\x2B\xEE Apple ][ Disk Image +0 string \x01\x4C\x60\x08\x09\xD0\x18\xA5\x2B\x4A\x4A\x4A Apple ][ Disk Image +0 string \x01\x4C\x92\x08\x01\x08\xA2\x00\xB5\x00\x9D\x00 Apple ][ Disk Image +0 string \x01\x4C\xB3\x08\x09\xD0\x18\xA5\x2B\x4A\x4A\x4A Apple ][ Disk Image +0 string \x01\x8D\xFB\x03\x8E\xFC\x03\x8C\xFD\x03\x8A\x29 Apple ][ Disk Image +0 string \x01\xA2\xFF\x9A\xD8\x20\x20\x08\x20\x34\x08\xAD Apple ][ Disk Image +0 string \x01\xA5\x27\xBD\x88\xC0\x2C\x10\xC0\xA2\x00\xA9 Apple ][ Disk Image +0 string \x01\xA5\x2B\xAE\x51\xC0\xEA\xAA\xBD\x88\xC0\x20 Apple ][ Disk Image +0 string \x01\xA6\x27\xBD\x0B\x08\x48\xBD\x0A\x08\x48\x85 Apple ][ Disk Image +0 string \x01\xA6\x2B\xBD\x88\xC0\x20\x58\xFC\xA9\x01\x85 Apple ][ Disk Image +0 string \x01\xA6\x2B\xBD\x88\xC0\x20\x58\xFC\xA9\x25\x85 Apple ][ Disk Image +0 string \x01\xA8\xC0\x0F\x90\x16\xF0\x12\xA0\xFF\x18\xAD Apple ][ Disk Image +0 string \x01\xA9\x00\x85\xF0\xA9\x04\x85\xF1\xA0\x00\xA9 Apple ][ Disk Image +0 string \x01\xA9\x5C\x8D\xF2\x03\xA9\xC6\x8D\xF3\x03\x49 Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\x20\x2F\xFB\x20\x58\xFC Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\x20\x49\x08\xA9\x0A\x85 Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\x2C\x82\xC0\xBD\x88\xC0 Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\x86\x43\x8A\x4A\x4A\x4A Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\xA2\x00\x86\xFF\xB5\x00 Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\xA2\x00\xB5\x00\x9D\x00 Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\xA9\xB2\x8D\xF2\x03\xA9 Apple ][ Disk Image +0 string \x01\xA9\x60\x8D\x01\x08\xA9\xFF\x8D\xF3\x03\x8D Apple ][ Disk Image +0 string \x01\xAC\x00\x08\xF0\x19\xB9\x30\x08\x85\x3D\xCE Apple ][ Disk Image +0 string \x01\xAC\x23\x08\x30\x2E\xB9\x24\x08\x85\x3D\xCE Apple ][ Disk Image +0 string \x01\xAD\x00\x08\xC9\x09\xB0\x20\x69\x02\x8D\x00 Apple ][ Disk Image +0 string \x01\xB0\x00\xA9\x3C\x8D\x02\x08\x86\x2B\x8A\x4A Apple ][ Disk Image +0 string \x01\xB0\x00\xA9\x3C\x8D\x02\x08\xA9\xF5\x8D\xF2 Apple ][ Disk Image +0 string \x01\xB0\x00\xA9\x3F\x8D\x02\x08\x86\x2B\x8E\xF4 Apple ][ Disk Image +0 string \x01\xB0\x00\xA9\x48\x8D\x02\x08\x86\x2B\x8E\xF4 Apple ][ Disk Image +0 string \x01\xBD\x88\xC0\x8A\x4A\x4A\x4A\x4A\x09\xC0\x8D Apple ][ Disk Image +0 string \x01\xBD\x88\xC0\x8A\x4A\x4A\x4A\x4A\x8D\x2F\x08 Apple ][ Disk Image +0 string \x01\xD8\x2C\x81\xC0\xA9\x60\x4D\x58\xFF\xD0\xFE Apple ][ Disk Image +0 string \x01\xD8\x78\xBD\x88\xC0\xA9\xFD\x85\x37\x85\x39 Apple ][ Disk Image +0 string \x01\xE0\x60\xF0\x03\x4C\x16\x09\xAD\x00\x08\xC9 Apple ][ Disk Image +0 string \x01\xE0\x60\xF0\x03\x4C\xCB\x08\xAD\x00\x08\xC9 Apple ][ Disk Image +0 string \x01\xE0\x60\xF0\x03\x4C\xEE\x08\xAD\x00\x08\xC9 Apple ][ Disk Image +0 string \x01\xE0\x60\xF0\x03\x4C\xEF\x08\xAD\x00\x08\xC9 Apple ][ Disk Image +0 string \x01\xE0\x70\xB0\x04\xE0\x40\xB0\x39\xBD\x88\xC0 Apple ][ Disk Image +0 string \x01\xEA\x8D\xF4\x03\xA9\x60\x9D\x88\xC0\x8D\x51 Apple ][ Disk Image + # magic for Newton PDA package formats # from Ruda Moura 0 string package0 Newton package, NOS 1.x, @@ -291,7 +424,13 @@ #>0x410 string disk\ image UDIF read/write image (UDRW) # From: Toby Peterson +# From https://www.nationalarchives.gov.uk/pronom/fmt/866 +0 string bplist00 +>8 search/500 WebMainResource Apple Safari Webarchive +!:mime application/x-webarchive +!:strength +50 0 string bplist00 Apple binary property list +!:mime application/x-bplist # Apple binary property list (bplist) # Assumes version bytes are hex. @@ -491,9 +630,107 @@ # Usually not in separate files, but have either filename rsrc with # no extension, or a filename corresponding to another file, with # extensions rsr/rsrc +# URL: http://fileformats.archiveteam.org/wiki/Macintosh_resource_file +# https://en.wikipedia.org/wiki/Resource_fork +# Reference: https://github.com/kreativekorp/ksfl/wiki/Macintosh-Resource-File-Format +# http://developer.apple.com/legacy/mac/library/documentation/mac/pdf/MoreMacintoshToolbox.pdf +# https://formats.kaitai.io/resource_fork/ +# Update: Joerg Jenderek +# Note: verified often by command like `deark -m macrsrc Icon_.rsrc` +# offset of resource data; usually starts at offset 0x0100 0 string \000\000\001\000 ->4 leshort 0 ->>16 lelong 0 Apple HFS/HFS+ resource fork +# skip NPETraceSession.etl with invalid "low" map offset 0 +>4 ubelong >0xFF +# skip few Atari DEGAS Elite bitmap (eil2.pi1 nastro.pi1) with ivalid "high" 0x6550766 0x7510763 map length +>>12 ubelong <0x8001 +# most examples with zeroed system reserved field +>>>16 lelong =0 +>>>>0 use apple-rsr +# few samples with not zeroed system reserved field like: Empty.rsrc.rsr OpenSans-CondBold.dfont +>>>16 lelong !0 +# resource fork variant with not zeroed system reserved field and copy of header +>>>>(4.L) ubelong 0x100 +# GRR: the line above only works if in ../../src/file.h FILE_BYTES_MAX is raised from 1 MiB above 0x6ab0f4 (HelveticaNeue.dfont) +>>>>>0 use apple-rsr +# data fork variant with not zeroed system reserved field and no copy of header +>>>>(4.L) ubelong 0 +>>>>>0 use apple-rsr +# Note: moved and merged from ./macintosh +# From: Adam Buchbinder +# URL: https://en.wikipedia.org/wiki/Datafork_TrueType +# Derived from the 'fondu' and 'ufond' source code (fondu.sf.net). 'sfnt' is +# TrueType; 'POST' is PostScript. 'FONT' and 'NFNT' sometimes appear, but I +# don't know what they mean. +# display information about Mac OSX datafork font DFONT +0 name apple-dfont +>(4.L+30) ubelong x Mac OSX datafork font, +# https://en.wikipedia.org/wiki/Datafork_TrueType +!:mime application/x-dfont +!:ext dfont +# https://exiftool.org/TagNames/RSRC.html +>(4.L+30) ubelong 0x73666e74 TrueType +>(4.L+30) ubelong 0x464f4e54 'FONT' +>(4.L+30) ubelong 0x4e464e54 'NFNT' +>(4.L+30) ubelong 0x504f5354 PostScript +>(4.L+30) ubelong 0x464f4e44 'FOND' +>(4.L+30) ubelong 0x76657273 'vers' +# display information about Macintosh resource +0 name apple-rsr +>(4.L+30) ubelong 0x73666e74 +>>0 use apple-dfont +>(4.L+30) ubelong 0x464f4e54 +>>0 use apple-dfont +>(4.L+30) ubelong 0x4e464e54 +>>0 use apple-dfont +>(4.L+30) ubelong 0x504f5354 +>>0 use apple-dfont +>(4.L+30) ubelong 0x464f4e44 +>>0 use apple-dfont +>(4.L+30) ubelong 0x76657273 +>>0 use apple-dfont +>(4.L+30) default x Apple HFS/HFS+ resource fork +#!:mime application/octet-stream +!:mime application/x-apple-rsr +!:ext rsrc/rsr +# offset to resource data; usually starts at offset 0x0100 +>0 ubelong !0x100 \b, data offset %#x +# offset to resource map; positive but not nil like in NPETraceSession.etl +>4 ubelong x \b, map offset %#x +# length of resource map; positive with 32K limitation but not +# nil like in NPETraceSession.etl or high like 0x7510763 in nastro.pi1 +>12 ubelong x \b, map length %#x +# length of resource data; positive but not nil like in NPETraceSession.etl +>8 ubelong x \b, data length %#x +# reserved 112 bytes for system use; apparently often nil, but 8fd20000h in Empty.rsrc.rsr and 0x00768c2b in OpenSans-CondBold.dfont +>16 ubelong !0 \b, at 16 %#8.8x +# https://fontforge.org/docs/techref/macformats.html +# jump to resource map +# a copy of resource header or 16 bytes of zeros for data fork +#>(4.L) ubelong x \b, DATA offset %#x +#>(4.L+4) ubelong x \b, MAP offset %#x +#>(4.L+8) ubelong x \b, DATA length %#x +#>(4.L+12) ubelong x \b, MAP length %#x +# nextResourceMap; handle to next resource map; used by the Resource Manager for internal bookkeeping; should be zero +>(4.L+16) ubelong !0 \b, nextResourceMap %#x +# fileRef; file reference number; used by the Resource Manager for internal bookkeeping; should be zero +>(4.L+20) ubeshort !0 \b, fileRef %#x +# attributes; Resource fork attributes (80h~read-only 40h~compression needed 20h~changed); other bits are reserved and should be zero +>(4.L+22) ubeshort !0 \b, attributes %#x +# typeListOffset; offset from resource map to start of type list like: 1Ch +>(4.L+24) ubeshort x \b, list offset %#x +# nameListOffset; offset from esource map to start of name list like: 32h 46h 56h (XLISP.RSR XLISPTIN.RSR) 13Eh (HelveticaNeue.dfont) +>(4.L+26) ubeshort x \b, name offset %#x +# typeCount; number of types in the map minus 1; If there are no resources, this is 0xFFFF +>(4.L+28) beshort+1 >0 \b, %u type +# plural s +>>(4.L+28) beshort+1 >1 \bs +# resource type list array; 1st resource type like: ALRT CODE FOND MPSR icns scsz +>>(4.L+30) ubelong x \b, %#x +>>(4.L+30) string x '%-.4s' +# resourceCount; number of this type resources minus one. If there is one resource of this type, this is 0x0000 +>>(4.L+34) beshort+1 x * %d +# resourceListOffset; offset from type list to resource list like: Ah 12h DAh +>(4.L+36) ubeshort x resource offset %#x #https://en.wikipedia.org/wiki/AppleScript 0 string FasdUAS AppleScript compiled diff --git a/magic/Magdir/archive b/magic/Magdir/archive index 758c93ef8e1..6e1f9678e7a 100644 --- a/magic/Magdir/archive +++ b/magic/Magdir/archive @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: archive,v 1.169 2022/09/12 13:13:28 christos Exp $ +# $File: archive,v 1.193 2023/07/27 17:55:58 christos Exp $ # archive: file(1) magic for archive formats (see also "msdos" for self- # extracting compressed archives) # @@ -30,9 +30,11 @@ # check for 1st image main name with digits used for sorting # and for name extension case insensitive like: PNG JPG JPEG TIF TIFF GIF BMP >>>>>>>>0 regex \^[0-9]{2,4}[.](png|jpg|jpeg|tif|tiff|gif|bmp) -#foo >>>>>>>>>0 use tar-cbt -# if 1st member name without digits and without used image suffix then it is a TAR archive +# check for 1st member name with ovf suffix +>>>>>>>>0 regex \^.{1,96}[.](ovf) +>>>>>>>>>0 use tar-ova +# if 1st member name without digits and without used image suffix and without *.ovf then it is a TAR archive >>>>>>>>0 default x >>>>>>>>>0 use tar-file # minimal check and then display tar archive information which can also be @@ -168,6 +170,21 @@ # name[100] probably like: 19.jpg 0001.png 0002.png # or maybe like ComicInfo.xml >0 string >\0 \b, 1st image %-.60s +# Summary: Open Virtualization Format *.OVF with disk images and more packed as TAR archive *.OVA +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Open_Virtualization_Format +# http://fileformats.archiveteam.org/wiki/OVF_(Open_Virtualization_Format) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/o/ova.trid.xml +# Note: called "Open Virtualization Format package" by TrID +# assuming *.ovf comes first +0 name tar-ova +>0 string x Open Virtualization Format Archive +#!:mime application/x-ustar +# http://extension.nirsoft.net/ova +!:mime application/x-virtualbox-ova +!:ext ova +# assuming name[100] like: DOS-0.9.ovf FreeDOS_1.ovf Win98SE_DE.ovf +>0 string >\0 \b, with %-.60s # Incremental snapshot gnu-tar format from: # https://www.gnu.org/software/tar/manual/html_node/Snapshot-Files.html @@ -185,16 +202,88 @@ # The SVR4 "cpio(4)" hints that there are additional formats, but they # are defined as "short"s; I think all the new formats are # character-header formats and thus are strings, not numbers. -0 short 070707 cpio archive +# URL: http://fileformats.archiveteam.org/wiki/Cpio +# https://en.wikipedia.org/wiki/Cpio +# Reference: https://people.freebsd.org/~kientzle/libarchive/man/cpio.5.txt +# Update: Joerg Jenderek +# +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cpio-bin.trid.xml +# Note: called "CPIO archive (binary)" by TrID, "cpio/Binary LE" by 7-Zip and "CPIO" by DROID via PUID fmt/635 +0 short 070707 +# skip DROID fmt-635-signature-id-960.cpio by looking for pathname of 1st entry +>26 string >\0 cpio archive !:mime application/x-cpio +# https://download.opensuse.org/distribution/leap/15.4/iso/openSUSE-Leap-15.4-NET-x86_64-Media.iso +# boot/x86_64/loader/bootlogo +# message.cpi +!:ext /cpio/cpi +>>0 use cpio-bin +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cpio-bin-sw.trid.xml +# Note: called "CPIO archive (byte swapped binary)" by TrID and "Cpio/Binary BE" by 7-Zip 0 short 0143561 byte-swapped cpio archive !:mime application/x-cpio # encoding: swapped +# https://telparia.com/fileFormatSamples/archive/cpio/skeleton2.cpio +!:ext cpio +>0 use cpio-bin-be +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cpio.trid.xml +# Note: called "CPIO archive (portable)" by TrID, "cpio/Portable ASCII" by 7-Zip and "cpio/odc" by GNU cpio 0 string 070707 ASCII cpio archive (pre-SVR4 or odc) !:mime application/x-cpio +# https://telparia.com/fileFormatSamples/archive/cpio/ pthreads-1.60B5.osr5src.cpio cinema.cpi VOL.000.008 VOL.000.012 +!:ext cpio/cpi/008/012 +# Note: called "CPIO archive (portable)" by TrID, "cpio/New ASCII" by 7-Zip and "cpio/newc" by GNU cpio 0 string 070701 ASCII cpio archive (SVR4 with no CRC) !:mime application/x-cpio +# https://telparia.com/fileFormatSamples/archive/cpio/MainActor-2.06.3.cpio +!:ext cpio +# Note: called "CPIO archive (portable)" by TrID, "cpio/New CRC" by 7-Zip and "cpio/crc" by GNU cpio 0 string 070702 ASCII cpio archive (SVR4 with CRC) !:mime application/x-cpio +# http://ftp.gnu.org/gnu/tar/tar-1.27.cpio.gz +# https://telparia.com/fileFormatSamples/archive/cpio/pcmcia +!:ext /cpio +# display information of old binary cpio archive +# Note: verfied by 7-Zip `7z l -tcpio -slt *.cpio` and +# `cpio -ivt --numeric-uid-gid --file=clam.bin-le.cpio` +0 name cpio-bin +# c_dev; device number; WHAT IS THAT? +>2 uleshort x \b; device %u +# c_ino; truncated inode number; use `ls --inode` +>4 uleshort x \b, inode %u +# c_mode; mode specifies permissions and file type like: ?622~?rw-r--r-- by `ls -l` +>6 uleshort x \b, mode %o +# c_uid; numeric user id; use `ls --numeric-uid-gid` +>8 uleshort x \b, uid %u +# c_gid; numeric group id +>10 uleshort x \b, gid %u +# c_nlink; links to this file; directories at least 2 +>12 uleshort >1 \b, %u links +# c_rdev; device number for block and character entries; zero for all other entries by writers +# like 0x0440 for /dev/ttyS0 +>14 uleshort >0 \b, device %#4.4x +# c_mtime[2]; modification time in seconds since 1 January 1970; most-significant 16 bits first +>16 medate x \b, modified %s +# c_filesize[2]; size of pathname; most-significant 16 bits first like: 544 +>22 melong x \b, %u bytes +# c_namesize; bytes in the pathname that follows the header like: 9 +#>20 uleshort x \b, namesize %u +# pathname of entry like: "clam.exe" +>26 string x "%s" +# display information of old binary byte swapped cpio archive +# Note: verfied by 7-Zip `7z l -tcpio -slt *.cpio` and +# `LANGUAGE=C cpio -ivt --numeric-uid-gid --file=clam.bin-be.cpio` +0 name cpio-bin-be +>2 ubeshort x \b; device %u +>4 ubeshort x \b, inode %u +>6 ubeshort x \b, mode %o +>8 ubeshort x \b, uid %u +>10 ubeshort x \b, gid %u +>12 ubeshort >1 \b, %u links +>14 ubeshort >0 \b, device %#4.4x +>16 bedate x \b, modified %s +>22 ubelong x \b, %u bytes +#>20 ubeshort x \b, namesize %u +>26 string x "%s" # # Various archive formats used by various versions of the "ar" @@ -271,7 +360,8 @@ #>>68 string x (format %.3s) >68 string =2.0\n # 2nd archive name=control archive name like control.tar.gz or control.tar.xz ->>72 string >\0 \b, with %.14s +# or control.tar.zst +>>72 string >\0 \b, with %.15s # look for 3rd archive name=data archive name like data.tar.{gz,xz,bz2,lzma} >>0 search/0x93e4f data.tar. \b, data compression # the above line only works if FILE_BYTES_MAX in ../../src/file.h is raised @@ -506,11 +596,12 @@ >>>>0 use ttcomp 0 string \1\4 # TODO: -# skip Commodore PET BASIC 4.0 program *.prg -# variant ASCII, 1K dictionary (strength=48=50-2). With strength=49 wrong order! WHY? # skip shared library (strength=50) handled by ./ibm6000 !:strength -2 ->0 use ttcomp +# skip Commodore PET BASIC programs (Mastermind.prg) with last 3 nil bytes (\0~end of line followed by 0000h line offset) +#>-4 ubelong x LAST_BYTES=%8.8x +>-4 ubelong&0x00FFffFF !0 +>>0 use ttcomp # display information of TTComp archive 0 name ttcomp # (version 5.25) labeled the entry as "TTComp archive data" @@ -753,6 +844,88 @@ !:ext ??$ >>8 ulelong >0 \b, original size: %u bytes +# Summary: lzss compressed/EDI Pack +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/EDI_Install_packed_file +# Note: called "EDI Install LZS compressed data" by TrID and verified by +# command like `deark -l -m edi_pack -d2 BOOK01A.IC$` as "EDI Pack LZSS1" +0 string EDILZSS +>7 string 1 +# look for point character before orginal file name extension +>>8 search/9/b . +# check suffix of possible orginal file anme +#>>>&0 ubelong x SUFFIX=%8.8x +# samples without valid character after point in original file name field like: FENNEL.LZS PLANTAIN.LZS +>>>&0 ubyte <0x20 +>>>>0 use edi-lzs +# samples with valid character after point in original file name field +>>>&0 ubyte >0x1F +# check 2nd charcter of suffix +#>>>>&0 ubyte x 2ND_SUFFIX=%x +# sample with one valid character after point followed by \0 in original file name field like: SPELMATE.H$ +>>>>&0 ubyte =0 +>>>>>0 use edi-pack +>>>>&0 ubyte >0x1F +# check 3rd charcter of suffix +#>>>>>&0 ubyte x 3RD_SUFFIX=%x +# no sample with 2 valid characters after point followed by \0 in original file name field +>>>>>&0 ubyte =0 +>>>>>>0 use edi-pack +# samples with valid 3rd character after point in original file name field +>>>>>&0 ubyte >0x1F +# sample with 3 valid character after point followed by \0 in original file name field like: BOOK01A.IC$ CTL3D.DL$ +>>>>>>&0 ubyte =0 +>>>>>>>0 use edi-pack +# sample with 3 valid character after point followed by no \0 in original file name field like: HERBTEXT.LZS +>>>>>>&0 ubyte !0 +>>>>>>>0 use edi-lzs +# no sample with invalid 3rd character after point in original file name field +>>>>>&0 default x +>>>>>>0 use edi-lzs +# sample with invalid 2nd character after point in original file name field like: LACERATE.LZS SPLINTER.LZS +>>>>&0 default x +>>>>>0 use edi-lzs +# sample without point character in original file name field like GUNSHOT.LZS +>>8 default x +>>>0 use edi-lzs +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/e/edi-lzss2.trid.xml +# Note: called "EDI Install Pro LZSS2 compressed data" by TrID and verified by +# command like `deark -l -m edi_pack -d2 4WAY.WA$` as "EDI Pack LZSS2" +>7 string 2 EDI LZSS2 packed +#!:mime application/octet-stream +!:mime application/x-edi-pack-lzss +# the name of a compressed file often ends in character '$' or '_' +!:ext ??$/??_ +# original filename, NUL-terminated, padded to 13 bytes like: mci.vbx 4way.wav skymap.exe cmdialog.vbx +>>8 string x "%-0.13s" +# original file size, as a 4-byte integer. +>>21 ulelong x \b, %u bytes +# compressed data like: ff5249464606ec00 ff4d5aa601010000 +>>>25 ubequad x \b, data %#16.16llx... +0 name edi-pack +# Note: verified by command like `deark -l -d2 SPELMATE.H$` as "EDI Pack LZSS1" +# original filename, NUL-terminated, padded to 13 bytes like: ctl3d.dll spelmate.h filemenu.rc owl.def index-it.exe +# but not like \377Aloe.lzs\273 (HERBTEXT.LZS) +>8 string x EDI LZSS packed "%-.13s" +#!:mime application/octet-stream +!:mime application/x-edi-pack-lzss +# the name of a compressed file often ends in character '$' or '_' +!:ext ??$/?$ +# compressed data like: f7000001eff02020 ff4d5aa900020000 ff2f2a207370656c +>21 ubequad x \b, data %#16.16llx... +# URL: http://fileformats.archiveteam.org/wiki/EDI_LZSSLib +# Note: verified partly by command like `deark -l -m edi_pack -d2 GUNSHOT.LZS` as "EDI LZSSLib" +0 name edi-lzs +# Note: verified by command like `deark -l -d2 GUNSHOT.LZS` as "EDI LZSSLib" +# no original filename looks like: \277BM\226.\0 \277BM.n\001 \277BM\226.\0 \277BM.g\001 \377Aloe.lzs\273 +>8 string x EDI LZSSLib packed +#!:mime application/octet-stream +!:mime application/x-edi-pack-lzss +# The name of a compressed file ends with LZS suffix +!:ext lzs +# compressed data like: bf424df6e10100f3 ff416c6f652e6c7a ff416c6f652e6c7a +>8 ubequad x \b, data %#16.16llx... + # Summary: CAZIP compressed file # From: Joerg Jenderek # URL: http://fileformats.archiveteam.org/wiki/CAZIP @@ -791,8 +964,6 @@ 3 string OctSqu Squash archive data # Terse 0 string \5\1\1\0 Terse archive data -# PUCrunch -0 string \x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 PUCrunch archive data # UHarc 0 string UHA UHarc archive data # ABComp @@ -821,8 +992,10 @@ # QFC 0 string \x1aFC\x1a QFC archive data 0 string \x1aQF\x1a QFC archive data -# PRO-PACK -0 string RNC PRO-PACK archive data +# PRO-PACK https://www.segaretro.org/Rob_Northen_compression +0 string RNC +>3 byte 1 PRO-PACK archive data (compression 1) +>3 byte 2 PRO-PACK archive data (compression 2) # 777 0 string 777 777 archive data # LZS221 @@ -925,11 +1098,39 @@ # TPac 0 string \4TPAC\3 TPac archive data # Ai +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Ai_Archiver 0 string Ai\1\1\0 Ai archive data +#!:mime application/octet-stream +!:mime application/x-compress-ai +!:ext ai 0 string Ai\1\0\0 Ai archive data +#!:mime application/octet-stream +!:mime application/x-compress-ai +!:ext ai # Ai32 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-ai.trid.xml +# Note: called "Ai Archivator compressed archive" by TrID 0 string Ai\2\0 Ai32 archive data +#!:mime application/octet-stream +!:mime application/x-compress-ai +!:ext ai +# original file name +>8 pstring/h x "%s" +# according to TrID the next 3 bytes are nil +>5 ubyte !0 \b, at 5 %#x +>6 ubyte !0 \b, at 6 %#x +>7 ubyte !0 \b, at 7 %#x +# the fourth byte with value 0 is probably a flag for "non solid" mode +#>3 ubyte =0x00 \b, unsolid mode 0 string Ai\2\1 Ai32 archive data +#!:mime application/octet-stream +!:mime application/x-compress-ai +!:ext ai +# original file name +>8 pstring/h x "%s" +# the fourth byte with value 0x01 is probably a flag for "solid" mode; this is not the default +>3 ubyte =0x01 \b, solid mode # SBC 0 string SBC SBC archive data # Ybs @@ -1234,7 +1435,7 @@ >>>>>>3 regex \^lh[01] LHarc 1.x/ARX archive data # LHice archiver use ".ICE" as name extension instead usual one ".lzh" # FOOBAR archiver use ".foo" as name extension instead usual one -# "Florain Orjanov's and Olga Bachetska's ARchiver" not found at the moment +# "Florian Orjanov's and Olga Bachetska's ARchiver" not found at the moment >>>>>>>2 string -lh1 \b !:ext lha/lzh/ice >>>>>>3 regex \^lh[23d] LHa 2.x? archive data @@ -1422,6 +1623,83 @@ !:mime application/zip !:ext zip/cbz +# Android APK file (Zip archive) +0 string PK\003\004 +!:strength +1 +# Starts with AndroidManifest.xml (file name length = 19) +>26 uleshort 19 +>>30 string AndroidManifest.xml Android package (APK), with AndroidManifest.xml +!:mime application/vnd.android.package-archive +!:ext apk +>>>-22 string PK\005\006 +>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +# Starts with META-INF/com/android/build/gradle/app-metadata.properties +>26 uleshort 57 +>>30 string META-INF/com/android/build/gradle/ +>>>&0 string app-metadata.properties Android package (APK), with gradle app-metadata.properties +!:mime application/vnd.android.package-archive +!:ext apk +>>>>-22 string PK\005\006 +>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +# Starts with classes.dex (file name length = 11) +>26 uleshort 11 +>>30 string classes.dex Android package (APK), with classes.dex +!:mime application/vnd.android.package-archive +!:ext apk +>>>-22 string PK\005\006 +>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +# Starts with META-INF/MANIFEST.MF (file name length = 20) +# NB: checks for resources.arsc, classes.dex, etc. as well to avoid matching JAR files +>26 uleshort 20 +>>30 string META-INF/MANIFEST.MF +# Contains resources.arsc (near the end, in the central directory) +>>>-512 search resources.arsc Android package (APK), with MANIFEST.MF and resources.arsc +!:mime application/vnd.android.package-archive +!:ext apk +>>>>-22 string PK\005\006 +>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +>>>-512 default x +# Contains classes.dex (near the end, in the central directory) +>>>>-512 search classes.dex Android package (APK), with MANIFEST.MF and classes.dex +!:mime application/vnd.android.package-archive +!:ext apk +>>>>>-22 string PK\005\006 +>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +>>>>-512 default x +# Contains lib/armeabi (near the end, in the central directory) +>>>>>-512 search lib/armeabi Android package (APK), with MANIFEST.MF and armeabi lib +!:mime application/vnd.android.package-archive +!:ext apk +>>>>>>-22 string PK\005\006 +>>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +>>>>>-512 default x +# Contains drawables (near the end, in the central directory) +>>>>>>-512 search res/drawable Android package (APK), with MANIFEST.MF and drawables +!:mime application/vnd.android.package-archive +!:ext apk +>>>>>>>-22 string PK\005\006 +>>>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +# It may or may not be an APK file, but it's definitely a Java JAR file +>>>>>>-512 default x Java archive data (JAR) +!:mime application/java-archive +!:ext jar +# Starts with zipflinger virtual entry (28 + 104 = 132 bytes) +# See https://github.com/obfusk/apksigcopier/blob/666f5b7/apksigcopier/__init__.py#L230 +>4 string \x00\x00\x00\x00\x00\x00 +>>&0 string \x21\x08\x21\x02 +>>>&0 string \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +>>>>&0 string \x00\x00 Android package (APK), with zipflinger virtual entry +!:mime application/vnd.android.package-archive +!:ext apk +>>>>>-22 string PK\005\006 +>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +# APK Signing Block +>0 default x +>>-22 string PK\005\006 +>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 Android package (APK), with APK Signing Block +!:mime application/vnd.android.package-archive +!:ext apk + # Zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) 0 string PK\005\006 Zip archive data (empty) !:mime application/zip @@ -1524,9 +1802,13 @@ >>>>77 string -web HTML Document Template !:mime application/vnd.oasis.opendocument.text-web !:ext oth ->>>>77 string -master Master Document +>>>>77 string -master +>>>>>84 byte !0x2d Master Document !:mime application/vnd.oasis.opendocument.text-master !:ext odm +>>>>>84 string -template Master Template +!:mime application/vnd.oasis.opendocument.text-master-template +!:ext otm >>>73 string graphics >>>>81 byte !0x2d Drawing !:mime application/vnd.oasis.opendocument.graphics @@ -1569,8 +1851,7 @@ # Valid for LibreOffice Base 6.0.1.1 at least >>>73 string base Database # https://bugs.documentfoundation.org/show_bug.cgi?id=45854 -!:mime application/vnd.oasis.opendocument.database -#!:mime application/vnd.oasis.opendocument.base +!:mime application/vnd.oasis.opendocument.base !:ext odb >>>73 string image >>>>78 byte !0x2d Image @@ -1586,6 +1867,16 @@ >>50 string epub+zip EPUB document !:mime application/epub+zip +# From: Hajin Jang +# hwpx (OWPML) document format follows OCF specification. +# Hangul Word Processor 2010+ supports HWPX format. +# URL: https://www.hancom.com/etc/hwpDownload.do +# https://standard.go.kr/KSCI/standardIntro/getStandardSearchView.do?menuId=503&topMenuId=502&ksNo=KSX6101 +# https://e-ks.kr/streamdocs/view/sd;streamdocsId=72059197557727331 +>>50 string hwp+zip Hancom HWP (Hangul Word Processor) file, HWPX +!:mime application/x-hwp+zip +!:ext hwpx + # From: Joerg Jenderek # URL: http://en.wikipedia.org/wiki/CorelDRAW # NOTE: version; til 2 WL-based; from 3 til 13 by ./riff; from 14 zip based @@ -1639,9 +1930,10 @@ >>>38 regex [!-OQ-~]+ Zip data (MIME type "%s"?) !:mime application/zip -# Java Jar files +# Java Jar files (see also APK files above) >(26.s+30) leshort 0xcafe Java archive data (JAR) !:mime application/java-archive +!:ext jar # iOS App >(26.s+30) leshort !0xcafe @@ -1674,16 +1966,116 @@ >8 belong x \b, size %d # Zoo archiver -20 lelong 0xfdc4a7dc Zoo archive data +# Update: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Zoo_(file_format) +# http://fileformats.archiveteam.org/wiki/Zoo +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-zoo-strict.trid.xml +# http://distcache.freebsd.org/ports-distfiles/zoo-2.10pl1.tar.gz/zoo.h +# Note: called "ZOO compressed archive (strict)" by TrID and "ZOO Compressed Archive" by DROID via PUID x-fmt/269 +# verified by command like `deark -m zoo -l -d2 WHRCGA.ZOO` +20 lelong 0xfdc4a7dc +# skip DROID x-fmt-269-signature-id-621.zoo by looking for valid major version to manipulate archive +>32 byte >0 Zoo archive data !:mime application/x-zoo ->4 byte >48 \b, v%c. ->>6 byte >47 \b%c ->>>7 byte >47 \b%c ->32 byte >0 \b, modify: v%d ->>33 byte x \b.%d+ ->42 lelong 0xfdc4a7dc \b, ->>70 byte >0 extract: v%d ->>>71 byte x \b.%d+ +# bak is extension of backup-ed zoo +!:ext zoo/bak +# version in text form like: 1.50 2.00 2.10 +>>4 byte >48 \b, v%c. +>>>6 byte >47 \b%c +>>>>7 byte >47 \b%c +# ZOO files typically start with "ZOO ?.?? Archive.", followed by the bytes 0x1a 0x0 0x0; not used by Zoo and they may be anything +>>8 string !\040Archive.\032 \b, at 8 +>>>8 string x text "%0.10s" +# major_ver.minor_ver; minimum version needed to manipulate archive like: 1.0 2.0 +>>32 byte >0 \b, modify: v%d +>>>33 byte x \b.%d+ +# major_ver.minor_ver; minimum version needed to extract after modify like in old versions +>>(24.l+28) ubyte x \b, extract: v%u +>>(24.l+29) ubyte x \b.%u+ +# with zoo 2.00 additional fields have been added in the archive header +>>32 byte >1 +# type; type of archive header like: 1 2 +>>>34 ubyte !1 \b, header type %u +# acmt_pos; position of archive comment like: 6258 30599 61369 149501 +>>>35 lelong >0 \b, at %d +# acmt_len; length of archive comment like: 258 +>>>>39 uleshort x %u bytes comment +#>>>>(35.l) ubequad x COMMENT=%16.16llx +# 1st character of comment maybe is CarriageReturn (0x0d) +>>>>(35.l) ubyte <040 +# 2nd character of comment maybe is LineFeed (0x0a) +>>>>>(35.l+1) ubyte <040 +# comment string after CRLF like "Anonymous ftp site garbo.uwasa.fi 128.214.87.1 moderated by" +>>>>>>(35.l+2) string x %s +# next character of remaining comment maybe is CarriageReturn (0x0d) +>>>>>>>&0 ubyte <040 +>>>>>>>>&0 ubyte <040 +# 2nd comment part like: Timo Salmi ts@chyde.uwasa.fi PC directories and uploads\015\012Harri Valkama hv@chyde.uwasa.fi PC, Mac, Unix files, and upload +>>>>>>>>>&0 string >037 %s +# vdata; archive-level versioning byte like: 1 3 +>>>41 ubyte !1 \b, vdata %#x +# zoo_start; pointer to 1st entry header +>>24 lelong x \b; at %u +# zoo_minus; zoo_start -1 for consistency checking +#>>28 lelong x \b, zoo_minus %#x +# zoo_tag; tag for check +#>>(24.l+0) ulelong !0xfdc4a7dc \b, zoo_tag=%8.8x +# type; type of directory entry like: 1 2 +>>(24.l+4) ubyte !2 type=%u +# packing_method; 0~no packing 1~normal LZW 2~lzh +>>(24.l+5) ubyte x method= +>>>(24.l+5) ubyte 0 \bnot-compressed +>>>(24.l+5) ubyte 1 \blzd +>>>(24.l+5) ubyte 2 \blzh +# next; position of next directory entry +>>(24.l+6) ulelong x \b, next entry at %u +# offset; position of file data for this entry +#>>(24.l+10) ulelong x \b, data at %u +# file_crc; CRC-16 of file data +>>(24.l+18) uleshort x \b, CRC %#4.4x +# comment; zero if none or points to entry comment like ADD9h (WHRCGA.ZOO) +>>(24.l+32) lelong >0 \b, at %#x +# cmt_size; if not 0 for none then length of entry comment like: 46 +>>>(24.l+36) uleshort >0 %u bytes comment +# entry comment itself like: "CGA .GL file showing menu input from keyboard" +>>>>(&-6.l) string x "%s" +# org_size; original size of file +>>(24.l+20) ulelong x \b, size %u +# size_now; compressed size of file +>>(24.l+24) ulelong x (%u compressed) +# major_ver.minor_ver; minimum version needed to extract already done +# deleted; will be 1 if deleted, 0 if not +>>(24.l+30) ubyte =1 \b, deleted +# struc; file structure if any; WHAT IS THAT? +>>(24.l+31) ubyte !0 \b, structured +# fname[13]; short/DOS file name like 12345678.012 +>>(24.l+38) string x \b, %0.13s +# for directory entry type 2 with variable part +>>(24.l+4) ubyte =2 +# var_dir_len; length of variable part of dir entry +>>>(24.l+51) uleshort >0 +#>>>(24.l+51) uleshort >0 \b, variable part length %u +# namlen; length of long filename +#>>>>(24.l+56) ubyte x \b, namlen %u +# dirlen; length of directory name +#>>>>(24.l+57) ubyte x \b, dirlen %u +# if file length positive then show long file name +>>>>(24.l+56) ubyte >0 +# lfname[256]; long file name \0-terminated +>>>>>(24.l+58) string x "%s" +# if directory length positive then jump before file name field and then jump this addtional length plus 2 (\0-terminator + dirlen field) to following directory name +>>>>(24.l+57) ubyte >0 +>>>>>(24.l+55) ubyte x +# dirname[256]; directory name \0-terminated +>>>>>>&(&0.b+2) string x in "%s" +# dir_crc; CRC of directory entry +#>>>(24.l+54) uleshort x \b, entry CRC %#4.4x +# tz; timezone where file was archived; 7Fh~unknown 4~1.00hoursWestOfUTC 12 16 20~5.00hoursWestOfUTC -107~26.75hoursEastOfUTC -4~1.00hoursEastOfUTC +>>>(24.l+53) byte !0x7f \b, time zone %d/4 +# date; last mod file date in DOS format +>>>(24.l+14) lemsdosdate x \b, modified %s +# time; last mod file time in DOS format +>>>(24.l+16) lemsdostime x %s # Shell archives 10 string #\ This\ is\ a\ shell\ archive shell archive text @@ -1789,6 +2181,19 @@ !:mime application/zip !:ext zip/cbz +# Recognize ZIP archives with prepended data by end-of-central-directory record +# https://en.wikipedia.org/wiki/ZIP_(file_format)#End_of_central_directory_record_(EOCD) +# by Michal Gorny +-2 uleshort 0 +>&-22 string PK\005\006 +# without #! +>>0 string !#! Zip archive, with extra data prepended +!:mime application/zip +!:ext zip/cbz +# with #! +>>0 string/w #!\ a +>>>&-1 string/T x %s script executable (Zip archive) + # ACE archive (from http://www.wotsit.org/download.asp?f=ace) # by Stefan `Sec` Zehl 7 string **ACE** ACE archive data @@ -2033,7 +2438,28 @@ >3 byte x version %d # LyNX archive +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Lynx_archive +# Reference: http://ist.uwaterloo.ca/~schepers/formats/LNX.TXT +# http://mark0.net/download/triddefs_xml.7z/defs/a/ark-lnx.trid.xml +# Note: called "Lynx archive" by TrID and "Commodore C64 BASIC program" with "POKE 53280" by ./c64 +# TODO: merge and unify with Commodore C64 BASIC program 56 string USE\040LYNX\040TO\040DISSOLVE\040THIS\040FILE LyNX archive +# display "Lynx archive" (strength=330) before Commodore C64 BASIC program (strength=50) handled by ./c64 +#!:strength +0 +#!:mime application/octet-stream +!:mime application/x-commodore-lnx +!:ext lnx +# afterwards look for BASIC tokenized GOTO (89h) 10, line terminator \0, end of programm tag \0\0 and CarriageReturn +>86 search/10 \x8910\0\0\0\r \b, +# for DEBUGGING +#>>&0 string x STRING="%s" +# number in ASCII of directory blocks with spaces on both sides like: 1 2 3 5 +>>&0 regex [0-9]{1,5} %s directory blocks +# signature like: "*LYNX XII BY WILL CORLEY" " LYNX IX BY WILL CORLEY" "*LYNX BY CBMCONVERT 2.0*" +>>>&2 regex [^\r]{1,24} \b, signature "%s" +# number of files in ASCII surrounded by spaces and delimited by CR like: 2 3 6 13 69 144 (maximum?) +>>>>&1 regex [0-9]{1,3} \b, %s files # From: Joerg Jenderek # URL: https://www.acronis.com/ @@ -2066,6 +2492,7 @@ # https://gitweb.gentoo.org/proj/portage.git/tree/man/xpak.5 -4 string STOP >-16 string XPAKSTOP Gentoo binary package (XPAK) +!:mime application/vnd.gentoo.xpak # From: Joerg Jenderek # URL: https://kodi.wiki/view/TexturePacker @@ -2110,3 +2537,71 @@ # From wof (wof@stachelkaktus.net) 0 string Unison\ archive\ format Unison archive format + +# https://ankiweb.net +30 string collection.anki2 Anki APKG file +#!:ext .apkg + +# Synology archive (DiskStation Manager 7.0+) +# From: Alexandre Iooss +# Note: These archives are signed and encrypted. +0 ulelong&0xFFFFFF00 0xEFBEAD00 +# MessagePack header (fixarray of 5 elements starting with a bin of 32 bytes) +>8 ulelong&0x00FFFFFF 0x20C495 Synology archive +!:ext spk +# Extract some properties from MessagePack third item +>>43 search/0x10000 package= +>>>&0 string x \b, package %s +>>43 search/0x10000 arch= +>>>&0 string x %s +>>43 search/0x10000 version= +>>>&0 string x %s +>>43 search/0x10000 create_time= +>>>&0 string x \b, created on %s + +# MonoGame/XNA processed assets archive +# From: Alexandre Iooss +# URL: https://github.com/MonoGame/MonoGame/blob/v3.8.1/MonoGame.Framework/Content/ContentManager.cs +0 string XNB +# XNB must be version 4 or 5 +>4 byte <6 +>>4 byte >3 +# Size must be positive +>>>6 lelong >0 MonoGame/XNA processed assets +!:ext xnb +>>>>3 string =w \b, for Windows +>>>>3 string =x \b, for Xbox360 +>>>>3 string =i \b, for iOS +>>>>3 string =a \b, for Android +>>>>3 string =d \b, for DesktopGL +>>>>3 string =X \b, for MacOSX +>>>>3 string =W \b, for WindowsStoreApp +>>>>3 string =n \b, for NativeClient +>>>>3 string =M \b, for WindowsPhone8 +>>>>3 string =r \b, for RaspberryPi +>>>>3 string =P \b, for PlayStation4 +>>>>3 string =5 \b, for PlayStation5 +>>>>3 string =O \b, for XboxOne +>>>>3 string =S \b, for Nintendo Switch +>>>>3 string =G \b, for Google Stadia +>>>>3 string =b \b, for WebAssembly and Bridge.NET +>>>>3 string =m \b, for WindowsPhone7.0 (XNA) +>>>>3 string =p \b, for PlayStationMobile +>>>>3 string =v \b, for PSVita +>>>>3 string =g \b, for Windows (OpenGL) +>>>>3 string =l \b, for Linux +>>>>4 byte x \b, version %d +>>>>5 byte &0x80 \b, LZX compressed +>>>>>10 lelong x \b, decompressed size: %d bytes +>>>>5 byte &0x40 \b, LZ4 compressed +>>>>>10 lelong x \b, decompressed size: %d bytes + +# Electron ASAR archive +# From: Alexandre Iooss +# URL: https://github.com/electron/asar +0 ulelong 4 +# Match JSON header start and end +>16 string {"files":{" +>>(12.l+12) string }}}} Electron ASAR archive +!:ext asar +>>>12 ulelong x \b, header length: %d bytes diff --git a/magic/Magdir/arm b/magic/Magdir/arm index b40f213cbfb..c514320354e 100644 --- a/magic/Magdir/arm +++ b/magic/Magdir/arm @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: arm,v 1.2 2021/07/14 17:40:31 christos Exp $ +# $File: arm,v 1.3 2022/10/31 14:35:39 christos Exp $ # arm: file(1) magic for ARM COFF # # https://docs.microsoft.com/en-us/windows/win32/debug/pe-format @@ -39,3 +39,12 @@ # display name+variables+flags for common object formatted files >>0 use display-coff !:strength -10 + +# ARM64EC +0 leshort 0xa641 +# test for unused flag bits in f_flags +>18 uleshort&0x8E80 0 +# use little endian variant of subroutine to +# display name+variables+flags for common object formatted files +>>0 use display-coff +!:strength -10 diff --git a/magic/Magdir/asf b/magic/Magdir/asf index 9f274ede2ff..744a0afc2ca 100644 --- a/magic/Magdir/asf +++ b/magic/Magdir/asf @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: asf,v 1.3 2022/04/25 17:33:13 christos Exp $ +# $File: asf,v 1.4 2022/10/31 13:22:26 christos Exp $ # asf: file(1) magic for Microsoft Advanced Systems Format (ASF) files # http://www.staroceans.org/e-book/ASF_Specification.pdf @@ -21,7 +21,7 @@ # ASF_Stream_Properties_Object >0 guid B7DC0791-A9B7-11CF-8EE6-00C00C205365 #>>56 lequad x Time Offset %lld -#>>64 lelong x Type-Specicic Data Length %d +#>>64 lelong x Type-Specific Data Length %d #>>68 lelong x Error Correction Data Length %d #>>72 leshort x Flags %#x #>>74 lelong x Reserved %x diff --git a/magic/Magdir/audio b/magic/Magdir/audio index 0328f7ba5e4..55c5cd0ad20 100644 --- a/magic/Magdir/audio +++ b/magic/Magdir/audio @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: audio,v 1.124 2022/08/28 08:58:20 christos Exp $ +# $File: audio,v 1.127 2023/03/05 20:15:49 christos Exp $ # audio: file(1) magic for sound formats (see also "iff") # # Jan Nicolai Langfeldt (janl@ifi.uio.no), Dan Quinlan (quinlan@yggdrasil.com), @@ -183,42 +183,57 @@ 21 string BMOD2STM Screamtracker 2 module sound data !:mime audio/x-mod #audio/x-screamtracker-module + +1080 string \!PM! 4-channel Protracker module sound data +!:mime audio/x-mod +#audio/x-protracker-module +>0 string >\0 Title: "%s" + 1080 string M.K. 4-channel Protracker module sound data !:mime audio/x-mod #audio/x-protracker-module >0 string >\0 Title: "%s" + 1080 string M!K! 4-channel Protracker module sound data !:mime audio/x-mod #audio/x-protracker-module >0 string >\0 Title: "%s" + 1080 string FLT4 4-channel Startracker module sound data !:mime audio/x-mod #audio/x-startracker-module >0 string >\0 Title: "%s" + 1080 string FLT8 8-channel Startracker module sound data !:mime audio/x-mod #audio/x-startracker-module >0 string >\0 Title: "%s" + 1080 string 4CHN 4-channel Fasttracker module sound data !:mime audio/x-mod #audio/x-fasttracker-module >0 string >\0 Title: "%s" + 1080 string 6CHN 6-channel Fasttracker module sound data !:mime audio/x-mod #audio/x-fasttracker-module >0 string >\0 Title: "%s" + 1080 string 8CHN 8-channel Fasttracker module sound data !:mime audio/x-mod #audio/x-fasttracker-module >0 string >\0 Title: "%s" + 1080 string CD81 8-channel Octalyser module sound data !:mime audio/x-mod #audio/x-octalysertracker-module >0 string >\0 Title: "%s" + 1080 string OKTA 8-channel Octalyzer module sound data !:mime audio/x-mod #audio/x-octalysertracker-module >0 string >\0 Title: "%s" + # Not good enough. #1082 string CH #>1080 string >/0 %.2s-channel Fasttracker "oktalyzer" module sound data diff --git a/magic/Magdir/blender b/magic/Magdir/blender index 276242eab02..5a897113e09 100644 --- a/magic/Magdir/blender +++ b/magic/Magdir/blender @@ -1,13 +1,24 @@ #------------------------------------------------------------------------------ -# $File: blender,v 1.8 2019/04/19 00:42:27 christos Exp $ +# $File: blender,v 1.9 2022/12/21 15:53:27 christos Exp $ # blender: file(1) magic for Blender 3D related files # # Native format rule v1.2. For questions use the developers list # https://lists.blender.org/mailman/listinfo/bf-committers # GLOB chunk was moved near start and provides subversion info since 2.42 - +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/BLEND +# http://www.blender.org/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/blend.trid.xml +# http://formats.kaitai.io/blender_blend/index.html +# Note: called "Blender 3D data" by TrID +# and gzip compressed variant handled by ./compress 0 string =BLENDER Blender3D, +#!:mime application/octet-stream +!:mime application/x-blender +!:ext blend +# no sample found with extension blender +#!:ext blend/blender >7 string =_ saved as 32-bits >>8 string =v little endian >>>9 byte x with version %c. diff --git a/magic/Magdir/bytecode b/magic/Magdir/bytecode index 94fb8b38cb0..dca961c2643 100644 --- a/magic/Magdir/bytecode +++ b/magic/Magdir/bytecode @@ -1,6 +1,6 @@ #------------------------------------------------------------ -# $File: bytecode,v 1.3 2022/03/24 15:48:58 christos Exp $ +# $File: bytecode,v 1.5 2023/02/20 16:25:05 christos Exp $ # magic for various bytecodes # From: Mikhail Gusarov @@ -28,3 +28,14 @@ >11 string 4 \b, 32bit >11 string 8 \b, 64bit >13 regex .\\.. \b, bytecode v%s + +# Racket file magic +# From: Haelwenn (lanodan) Monnier +# https://racket-lang.org/ +# https://github.com/racket/racket/blob/master/racket/src/expander/compile/write-linklet.rkt +0 string #~ +>&0 pstring x +>>&0 pstring racket +>>>0 string #~ Racket bytecode +>>>>&0 pstring x (version %s) + diff --git a/magic/Magdir/c-lang b/magic/Magdir/c-lang index 6500d37822c..6e375a06a7e 100644 --- a/magic/Magdir/c-lang +++ b/magic/Magdir/c-lang @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: c-lang,v 1.30 2021/08/16 10:17:05 christos Exp $ +# $File: c-lang,v 1.32 2023/06/16 19:57:19 christos Exp $ # c-lang: file(1) magic for C and related languages programs # # The strength is to beat standard HTML @@ -17,7 +17,7 @@ >>0 regex \^class[[:space:]]+ >>>&0 regex \\{[\.\*]\\}(;)?$ \b++ >>&0 clear x source text -!:strength + 13 +!:strength + 15 !:mime text/x-c 0 search/8192 pragma >0 regex \^#[[:space:]]*pragma C source text @@ -88,13 +88,13 @@ !:strength + 30 !:mime text/x-c++ 0 search/8192 protected ->0 regex \^[[:space:]]*protected: C++ source text +>0 regex \^[[:space:]]*protected: C++ source text !:strength + 30 !:mime text/x-c++ # Objective-C 0 search/8192 #import ->0 regex \^#import Objective-C source text +>0 regex \^#import[[:space:]]+["<] Objective-C source text !:strength + 25 !:mime text/x-objective-c diff --git a/magic/Magdir/c64 b/magic/Magdir/c64 index 9a635aedc97..6c8732090ff 100644 --- a/magic/Magdir/c64 +++ b/magic/Magdir/c64 @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: c64,v 1.12 2022/05/14 20:03:39 christos Exp $ +# $File: c64,v 1.14 2023/06/16 19:24:06 christos Exp $ # c64: file(1) magic for various commodore 64 related files # # From: Dirk Jagdmann @@ -194,7 +194,356 @@ >100 byte >0 \b, %u subsong(s) # CBM BASIC (cc65 compiled) +# Summary: binary executable or Basic program for Commodore C64 computers +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Commodore_BASIC_tokenized_file +# Reference: https://www.c64-wiki.com/wiki/BASIC_token +# https://github.com/thezerobit/bastext/blob/master/bastext.doc +# http://mark0.net/download/triddefs_xml.7z/defs/p/prg-c64.trid.xml +# TODO: unify Commodore BASIC/program sub routines +# Note: "PUCrunch archive data" moved from ./archive and merged with c64-exe 0 leshort 0x0801 ->2 leshort 0x080b ->6 string \x9e CBM BASIC ->7 string >\0 \b, SYS %s +# display Commodore C64 BASIC program (strength=50) after "Lynx archive" (strength=330) handled by ./archive +#!:strength +0 +# if first token is not SYS this implies BASIC program in most cases +>6 ubyte !0x9e +# but sELF-ExTRACTING-zIP executable unzp6420.prg contains SYS token at end of second BASIC line (at 0x35) +>>23 search/30 \323ELF-E\330TRACTING-\332IP +>>>0 use c64-exe +>>23 default x +>>>0 use c64-prg +# if first token is SYS this implies binary executable +>6 ubyte =0x9e +>>0 use c64-exe +# display information about C64 binary executable (memory address, line number, token) +0 name c64-exe +>0 uleshort x Commodore C64 +# http://a1bert.kapsi.fi/Dev/pucrunch/ +# start address 0801h; next offset 080bh; BASIC line number is 239=00EFh; BASIC instruction is SYS 2061 +# the above combination appartly also occur for other Commodore programs like: gunzip111.c64.prg +# and there exist PUCrunch archive for other machines like C16 with other magics +>0 string \x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 program, probably PUCrunch archive data +!:mime application/x-compress-pucrunch +!:ext prg/pck +>0 string !\x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 program +!:mime application/x-commodore-exec +!:ext prg/ +# start address like: 801h +>0 uleshort !0x0801 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x800) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# valid 2nd BASIC fragment found only in sELF-ExTRACTING-zIP executable unzp6420.prg +>>23 search/30 \323ELF-E\330TRACTING-\332IP +# jump again from beginning +>>>(2.s-0x800) ubyte x +>>>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about tokenized C64 BASIC program (memory address, line number, token) +0 name c64-prg +>0 uleshort x Commodore C64 BASIC program +!:mime application/x-commodore-basic +# Tokenized BASIC programs were stored by Commodore as file type program "PRG" in separate field in directory structures. +# So file name can have no suffix like in saveroms; When transferring to other platforms, they are often saved with .prg extensions. +# BAS suffix is typically used for the BASIC source but also found in program pods.bas +!:ext prg/bas/ +# start address like: 801h +>0 uleshort !0x0801 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x0800) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# 2nd BASIC fragment +>>&0 use basic-line +# zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# Summary: binary executable or Basic program for Commodore C128 computers +# URL: https://en.wikipedia.org/wiki/Commodore_128 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/prg-c128.trid.xml +# From: Joerg Jenderek +# Note: Commodore 128 BASIC 7.0 variant; there exist varaints with different start addresses +0 leshort 0x1C01 +!:strength +1 +# GRR: line above with strength 51 (50+1) is too generic because it matches SVr3 curses screen image, big-endian with strength (50) handled by ./terminfo +# probably skip SVr3 curses images with "invalid high" second line offset +>2 uleshort <0x1D02 +# skip foo with "invalid low" second line offset +>>2 uleshort >0x1C06 +# if first token is not SYS this implies BASIC program +>>>6 ubyte !0x9e +>>>>0 use c128-prg +# if first token is SYS this implies binary executable +>>>6 ubyte =0x9e +>>>>0 use c128-exe +# Summary: binary executable or Basic program for Commodore C128 computers +# Note: Commodore 128 BASIC 7.1 extension by Rick Simon +# start adress 132Dh +#0 leshort 0x132D THIS_IS_C128_7.1 +#>0 use c128-prg +# Summary: binary executable or Basic program for Commodore C128 computers +# Note: Commodore 128 BASIC 7.0 saved with graphics mode enabled +# start adress 4001h +#0 leshort 0x4001 THIS_IS_C128_GRAPHIC +#>0 use c128-prg +# display information about tokenized C128 BASIC program (memory address, line number, token) +0 name c128-prg +>0 uleshort x Commodore C128 BASIC program +!:mime application/x-commodore-basic +!:ext prg +# start address like: 1C01h +>0 uleshort !0x1C01 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x1C00) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# 2nd BASIC fragment +>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about C128 program (memory address, line number, token) +0 name c128-exe +>0 uleshort x Commodore C128 program +!:mime application/x-commodore-exec +!:ext prg/ +# start address like: 1C01h +>0 uleshort !0x1C01 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x1C00) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# no valid 2nd BASIC fragment in Commodore executables +#>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# Summary: binary executable or Basic program for Commodore C16/VIC-20/Plus4 computers +# URL: https://en.wikipedia.org/wiki/Commodore_Plus/4 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/prg-vic20.trid.xml +# defs/p/prg-plus4.trid.xml +# From: Joerg Jenderek +# Note: there exist VIC-20 variants with different start address +# GRR: line below is too generic because it matches Novell LANalyzer capture +# with regular trace header record handled by ./sniffer +0 leshort 0x1001 +# skip regular Novell LANalyzer capture (novell-2.tr1 novell-lanalyzer.tr1 novell-win10.tr1) with "invalid low" token value 54h +>6 ubyte >0x7F +# skip regular Novell LANalyzer capture (novell-2.tr1 novell-lanalyzer.tr1 novell-win10.tr1) with "invalid low" second line offset 4Ch +#>>2 uleshort >0x1006 OFFSET_NOT_TOO_LOW +# skip foo with "invalid high" second line offset but not for 0x123b (Minefield.prg) +#>>>2 uleshort <0x1102 OFFSET_NOT_TOO_HIGH +# if first token is not SYS this implies BASIC program +>>6 ubyte !0x9e +# valid second end of line separator implies BASIC program +>>>(2.s-0x1000) ubyte =0 +>>>>0 use c16-prg +# invalid second end of line separator !=0 implies binary executable like: Minefield.prg +>>>(2.s-0x1000) ubyte !0 +>>>>0 use c16-exe +# if first token is SYS this implies binary executable +>>6 ubyte =0x9e +>>>0 use c16-exe +# display information about C16 program (memory address, line number, token) +0 name c16-exe +>0 uleshort x Commodore C16/VIC-20/Plus4 program +!:mime application/x-commodore-exec +!:ext prg/ +# start address like: 1001h +>0 uleshort !0x1001 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x1000) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# no valid 2nd BASIC fragment in excutables +#>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about tokenized C16 BASIC program (memory address, line number, token) +0 name c16-prg +>0 uleshort x Commodore C16/VIC-20/Plus4 BASIC program +!:mime application/x-commodore-basic +!:ext prg +# start address like: 1001h +>0 uleshort !0x1001 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x1000) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# 2nd BASIC fragment +>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# Summary: binary executable or Basic program for Commodore VIC-20 computer with 8K RAM expansion +# URL: https://en.wikipedia.org/wiki/VIC-20 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/prg-vic20-8k.trid.xml +# From: Joerg Jenderek +# Note: Basic v2.0 with Basic v4.0 extension (VIC20); there exist VIC-20 variants with different start addresses +# start adress 1201h +0 leshort 0x1201 +# if first token is not SYS this implies BASIC program +>6 ubyte !0x9e +>>0 use vic-prg +# if first token is SYS this implies binary executable +>6 ubyte =0x9e +>>0 use vic-exe +# display information about Commodore VIC-20 BASIC+8K program (memory address, line number, token) +0 name vic-prg +>0 uleshort x Commodore VIC-20 +8K BASIC program +!:mime application/x-commodore-basic +!:ext prg +# start address like: 1201h +>0 uleshort !0x1201 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x1200) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# 2nd BASIC fragment +>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about Commodore VIC-20 +8K program (memory address, line number, token) +0 name vic-exe +>0 uleshort x Commodore VIC-20 +8K program +!:mime application/x-commodore-exec +!:ext prg/ +# start address like: 1201h +>0 uleshort !0x1201 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x0400) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# no valid 2nd BASIC fragment in excutables +#>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# Summary: binary executable or Basic program for Commodore PET computers +# URL: https://en.wikipedia.org/wiki/Commodore_PET +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/p/prg-pet.trid.xml +# From: Joerg Jenderek +# start adress 0401h +0 leshort 0x0401 +!:strength +1 +# GRR: line above with strength 51 (50+1) is too generic because it matches TTComp archive data, ASCII, 1K dictionary +# (strength=48=50-2) handled by ./archive and shared library (strength=50) handled by ./ibm6000 +# skip TTComp archive data, ASCII, 1K dictionary ttcomp-ascii-1k.bin with "invalid high" second line offset 4162h +>2 uleshort <0x0502 +# skip foo with "invalid low" second line offset +#>>2 uleshort >0x0406 OFFSET_NOT_TOO_LOW +# skip bar with "invalid end of line" +#>>>(2.s-0x0400) ubyte =0 END_OF_LINE_OK +# if first token is not SYS this implies BASIC program +>>6 ubyte !0x9e +>>>0 use pet-prg +# if first token is SYS this implies binary executable +>>6 ubyte =0x9e +>>>0 use pet-exe +# display information about Commodore PET BASIC program (memory address, line number, token) +0 name pet-prg +>0 uleshort x Commodore PET BASIC program +!:mime application/x-commodore-basic +!:ext prg +# start address like: 0401h +>0 uleshort !0x0401 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x0400) ubyte x +# 2nd BASIC fragment +>>&0 use basic-line +# zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about Commodore PET program (memory address, line number, token) +0 name pet-exe +>0 uleshort x Commodore PET program +!:mime application/x-commodore-exec +!:ext prg/ +# start address like: 0401h +>0 uleshort !0x0401 \b, start address %#4.4x +# 1st BASIC fragment +>2 use basic-line +# jump to 1 byte before next BASIC fragment; this must be zero-byte marking the end of line +>(2.s-0x0400) ubyte x +>>&-1 ubyte !0 \b, no EOL=%#x +# no valid 2nd BASIC fragment in excutables +#>>&0 use basic-line +# Zero-byte marking the end of the BASIC line +>-3 ubyte !0 \b, 3 last bytes %#2.2x +# Two zero-bytes in place of the pointer to next BASIC line indicates the end of the program +>>-2 ubeshort x \b%4.4x +# display information about tokenized BASIC line (memory address, line number, Token) +0 name basic-line +# pointer to memory address of beginning of "next" BASIC line +# greater then previous offset but maximal 100h difference +>0 uleshort x \b, offset %#4.4x +# offset 0x0000 indicates the end of BASIC program; so bytes afterwards may be some other data +>0 uleshort 0 +# not line number but first 2 data bytes +>>2 ubeshort x \b, data %#4.4x +# not token but next 2 data bytes +>>4 ubeshort x \b%4.4x +# not token arguments but next data bytes +>>6 ubequad x \b%16.16llx +>>14 ubequad x \b%16.16llx... +# like 0x0d20352020204c594e5820495820204259205749 "\r 5 LYNX IX BY WILL CORLEY" for LyNX archive Darkon.lnx handled by ./archive +#>>3 string x "%-0.30s" +>0 uleshort >0 +# BASIC line number with range from 0 to 65520; practice to increment numbers by some value (5, 10 or 100) +>>2 uleshort x \b, line %u +# https://www.c64-wiki.com/wiki/BASIC_token +# The "high-bit" bytes from #128-#254 stood for the various BASIC commands and mathematical operators +>>4 ubyte x \b, token (%#x) +# https://www.c64-wiki.com/wiki/REM +>>4 string \x8f REM +# remark string like: ** SYNTHESIZER BY RICOCHET ** +>>>5 string >\0 %s +#>>>>&1 uleshort x \b, NEXT OFFSET %#4.4x +# https://www.c64-wiki.com/wiki/PRINT +>>4 string \x99 PRINT +# string like: "Hello world" "\021 \323ELF-E\330TRACTING-\332IP (64 ONLY)\016\231":\2362141 +>>>5 string x %s +#>>>>&0 ubequad x AFTER_PRINT=%#16.16llx +# https://www.c64-wiki.com/wiki/POKE +>>4 string \x97 POKE +# , +>>>5 regex \^[0-9,\040]+ %s +# BASIC command delimiter colon (:=3Ah) +>>>>&-2 ubyte =0x3A +# after BASIC command delimiter colon remaining (<255) other tokenized BASIC commands +>>>>>&0 string x "%s" +# https://www.c64-wiki.com/wiki/SYS 0x9e=\236 +>>4 string \x9e SYS +# SYS
parameter is a 16-bit unsigned integer; in the range 0 - 65535 +>>>5 regex \^[0-9]{1,5} %s +# maybe followed by spaces, "control-characters" or colon (:) followed by next commnds or in victracker.prg +# (\302(43)\252256\254\302(44)\25236) /T.L.R/ +#>>>5 string x SYS_STRING="%s" +# https://www.c64-wiki.com/wiki/GOSUB +>>4 string \x8d GOSUB +# +>>>5 string >\0 %s diff --git a/magic/Magdir/cad b/magic/Magdir/cad index 46a35497c2f..0bead6eeb48 100644 --- a/magic/Magdir/cad +++ b/magic/Magdir/cad @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: cad,v 1.29 2021/12/06 19:33:27 christos Exp $ +# $File: cad,v 1.31 2022/12/09 15:36:23 christos Exp $ # autocad: file(1) magic for cad files # @@ -301,18 +301,50 @@ # https://docs.techsoft3d.com/visualize/3df/latest/build/general/hsf/\ # HSF_architecture.html # Stephane Charette -0 string ;;\020HSF\020V OpenHSF (Hoops Stream Format) ->7 regex/9 V[.0-9]{4,5}\020 %s +0 string ;;\040HSF\040V OpenHSF (Hoops Stream Format) +>7 regex/9 V[.0-9]{4,5}\040 %s !:ext hsf # AutoCAD Drawing Exchange Format +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/DXF +# https://en.wikipedia.org/wiki/AutoCAD_DXF +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/ +# dxf-var0.trid.xml dxf-var0u.trid.xml dxf-var2.trid.xml dxf-var2u.trid.xml +# Note: called "AutoCAD Drawing eXchange Format" by TrID and +# "Drawing Interchange File Format (ASCII)" by DROID +# GRR: some samples does not match 1st test like: abydos.dxf 0 regex \^[\ \t]*0\r?\000$ >1 regex \^[\ \t]*SECTION\r?$ >>2 regex \^[\ \t]*2\r?$ +# GRR: some samples without HEADER section like: airplan2.dxf >>>3 regex \^[\ \t]*HEADER\r?$ AutoCAD Drawing Exchange Format -!:mime application/x-dxf +#!:mime application/x-dxf +!:mime image/vnd.dxf !:ext dxf +# DROID PUID fmt/64 fmt-64-signature-id-99.dxf +>>>>&1 search/8192 MC0.0 \b, 1.0 +# DROID PUID fmt/65 fmt-65-signature-id-100.dxf +>>>>&1 search/8192 AC1.2 \b, 1.2 +# DROID PUID fmt/66 fmt-66-signature-id-101.dxf +>>>>&1 search/8192 AC1.3 \b, 1.3 +# DROID PUID fmt/67 fmt-67-signature-id-102.dxf +>>>>&1 search/8192 AC1.40 \b, 1.4 +# DROID PUID fmt/68 fmt-68-signature-id-103.dxf +>>>>&1 search/8192 AC1.50 \b, 2.0 +# DROID PUID fmt/69 fmt-69-signature-id-104.dxf +>>>>&1 search/8192 AC2.10 \b, 2.1 +# DROID PUID fmt/70 fmt-70-signature-id-105.dxf +>>>>&1 search/8192 AC2.21 \b, 2.2 +# DROID PUID fmt/71 fmt-71-signature-id-106.dxf +>>>>&1 search/8192 AC1002 \b, 2.5 +# DROID PUID fmt/72 fmt-72-signature-id-107.dxf +>>>>&1 search/8192 AC1003 \b, 2.6 +# DROID PUID fmt/73 fmt-73-signature-id-108.dxf +>>>>&1 search/8192 AC1004 \b, R9 >>>>&1 search/8192 AC1006 \b, R10 +# http://cd.textfiles.com/amigaenv/DXF/OBJEKTE/LASTMINUTE/apple.dxf +#>>>>&1 search/8192 AC1008 \b, Rfoo >>>>&1 search/8192 AC1009 \b, R11/R12 >>>>&1 search/8192 AC1012 \b, R13 >>>>&1 search/8192 AC1013 \b, R13c3 diff --git a/magic/Magdir/coff b/magic/Magdir/coff index 535187c2ce9..5123b7213c4 100644 --- a/magic/Magdir/coff +++ b/magic/Magdir/coff @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: coff,v 1.6 2021/04/26 15:56:00 christos Exp $ +# $File: coff,v 1.7 2022/11/21 22:30:22 christos Exp $ # coff: file(1) magic for Common Object Files not specific to known cpu types or manufactures # # COFF @@ -37,6 +37,7 @@ # ARM COFF (./arm) >>>>0 uleshort 0xaa64 Aarch64 >>>>0 uleshort 0x01c0 ARM +>>>>0 uleshort 0xa641 ARM64EC >>>>0 uleshort 0x01c2 ARM Thumb >>>>0 uleshort 0x01c4 ARMv7 Thumb # TODO for other COFFs diff --git a/magic/Magdir/commands b/magic/Magdir/commands index a257eb2b7a1..6ad87fd7578 100644 --- a/magic/Magdir/commands +++ b/magic/Magdir/commands @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: commands,v 1.69 2022/04/20 21:14:23 christos Exp $ +# $File: commands,v 1.73 2022/11/06 18:39:23 christos Exp $ # commands: file(1) magic for various shells and interpreters # #0 string/w : shell archive or script for antique kernel text @@ -8,6 +8,8 @@ !:mime text/x-shellscript 0 string/fwb #!\ /bin/sh POSIX shell script executable (binary data) !:mime text/x-shellscript +>10 string #\040This\040script\040was\040generated\040using\040Makeself \b, self-executable archive +>>53 string x \b, Makeself %s 0 string/fwt #!\ /bin/csh C shell script text executable !:mime text/x-shellscript @@ -97,9 +99,6 @@ 0 string/fwt #!\ /usr/bin/env\ fish fish shell script text executable !:mime text/x-shellscript -0 string/wt #!\ a ->&-1 string/T x %s script text executable - 0 search/1/fwt #!\ /usr/bin/tclsh Tcl/Tk script text executable !:mime text/x-tcl @@ -189,3 +188,14 @@ # From Danny Weldon 0 string \x0b\x13\x08\x00 >0x04 uleshort <4 ksh byte-code version %d + +# From: arno +# mozilla xpconnect typelib +# see https://www.mozilla.org/scriptable/typelib_file.html +0 string XPCOM\nTypeLib\r\n\032 XPConnect Typelib +>0x10 byte x version %d +>>0x11 byte x \b.%d + +0 string/fwt #!\ /usr/bin/env\ runghc GHC script executable +0 string/fwt #!\ /usr/bin/env\ runhaskell Haskell script executable +0 string/fwt #!\ /usr/bin/env\ julia Julia script executable diff --git a/magic/Magdir/compress b/magic/Magdir/compress index a3dde1c1e33..c3f93fa3bed 100644 --- a/magic/Magdir/compress +++ b/magic/Magdir/compress @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: compress,v 1.83 2022/08/16 11:16:39 christos Exp $ +# $File: compress,v 1.91 2023/06/16 19:37:47 christos Exp $ # compress: file(1) magic for pure-compression formats (no archives) # # compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, etc. @@ -12,13 +12,14 @@ 0 string \037\235 compress'd data !:mime application/x-compress !:apple LZIVZIVU +!:ext Z >2 byte&0x80 >0 block compressed >2 byte&0x1f x %d bits # gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver) # URL: https://en.wikipedia.org/wiki/Gzip # Reference: https://tools.ietf.org/html/rfc1952 -# Update: Joerg Jenderek, Apr 2019 +# Update: Joerg Jenderek, Apr 2019, Dec 2022 # Edited by Chris Chittleborough , March 2002 # * Original filename is only at offset 10 if "extra field" absent # * Produce shorter output - notably, only report compression methods @@ -61,20 +62,24 @@ !:mime application/gzip >>>0 use gzip-info # size of the original (uncompressed) input data modulo 2^32 ->>-0 offset >48 +# TODO: check for GXD MCD cad the reported size >>>-4 ulelong x \b, original size modulo 2^32 %u ->>-0 offset <48 \b, truncated # gzipped TAR or VirtualBox extension package #!:mime application/x-compressed-tar #!:mime application/x-virtualbox-vbox-extpack # https://www.w3.org/TR/SVG/mimereg.html -#!:mime image/image/svg+xml-compressed +#!:mime image/svg+xml-compressed # zlib.3.gz # microcode-20180312.tgz # tpz same as tgz # lua-md5_1.2-1_i386_i486.ipk https://en.wikipedia.org/wiki/Opkg # Oracle_VM_VirtualBox_Extension_Pack-5.0.12-104815.vbox-extpack -!:ext gz/tgz/tpz/ipk/vbox-extpack/svgz +# trees.blend http://fileformats.archiveteam.org/wiki/BLEND +# 2020-07-19-Note-16-24.xoj https://xournal.sourceforge.net/manual.html +# MYgnucash-gz.gnucash https://wiki.gnucash.org/wiki/GnuCash_XML_format +# text-rotate.dia https://en.wikipedia.org/wiki/Dia_(software) +# MYrdata.RData https://en.wikipedia.org/wiki/R_(programming_language) +!:ext gz/tgz/tpz/ipk/vbox-extpack/svgz/blend/dia/gnucash/rdata/xoj # FNAME/FCOMMENT bit implies file name/comment as iso-8859-1 text >3 byte&0x18 >0 gzip compressed data !:mime application/gzip @@ -83,12 +88,13 @@ #!:mime application/x-abiword-compressed #!:mime image/image/svg+xml-compressed # kleopatra_splashscreen.svgz gzipped .svg -!:ext gz/tgz/tpz/zabw/svgz +# RSI-Mega-Demo_Disk1.adz gzipped .adf http://fileformats.archiveteam.org/wiki/ADF_(Amiga) +# PostbankTest.kmy gzipped XML https://docs.kde.org/stable5/en/kmymoney/kmymoney/details.formats.compressed.html +# Logo.xcfgz gzipped .xcf http://fileformats.archiveteam.org/wiki/XCF +!:ext gz/tgz/tpz/zabw/svgz/adz/kmy/xcfgz >>0 use gzip-info # size of the original (uncompressed) input data modulo 2^32 ->>-0 offset >48 ->>>-4 ulelong x \b, original size modulo 2^32 %u ->>-0 offset <48 \b, truncated +>>-4 ulelong x \b, original size modulo 2^32 %u # display information of gzip compressed files 0 name gzip-info #>2 byte x THIS iS GZIP @@ -125,6 +131,7 @@ # packed data, Huffman (minimum redundancy) codes on a byte-by-byte basis 0 string \037\036 packed data !:mime application/octet-stream +!:ext z >2 belong >1 \b, %d characters originally >2 belong =1 \b, %d character originally # @@ -159,6 +166,7 @@ # lzip 0 string LZIP lzip compressed data !:mime application/x-lzip +!:ext lz >4 byte x \b, version: %d # squeeze and crunch @@ -194,6 +202,7 @@ # lzop from 0 string \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a lzop compressed data +!:ext lzo >9 beshort <0x0940 >>9 byte&0xf0 =0x00 - version 0. >>9 beshort&0x0fff x \b%03x, @@ -254,20 +263,24 @@ !:mime application/x-7z-compressed !:ext 7z/cb7 +0 name lzma LZMA compressed data, +!:mime application/x-lzma +!:ext lzma +>5 lequad =0xffffffffffffffff streamed +>5 lequad !0xffffffffffffffff non-streamed, size %lld + # Type: LZMA 0 lelong&0xffffff =0x5d ->12 leshort 0xff LZMA compressed data, -!:mime application/x-lzma ->>5 lequad =0xffffffffffffffff streamed ->>5 lequad !0xffffffffffffffff non-streamed, size %lld ->12 leshort 0 LZMA compressed data, ->>5 lequad =0xffffffffffffffff streamed ->>5 lequad !0xffffffffffffffff non-streamed, size %lld +>12 leshort 0xff +>>0 use lzma +>12 leshort 0 +>>0 use lzma # http://tukaani.org/xz/xz-file-format.txt 0 ustring \xFD7zXZ\x00 XZ compressed data, checksum !:strength * 2 !:mime application/x-xz +!:ext xz >7 byte&0xf 0x0 NONE >7 byte&0xf 0x1 CRC32 >7 byte&0xf 0x4 CRC64 @@ -275,14 +288,15 @@ # https://github.com/ckolivas/lrzip/blob/master/doc/magic.header.txt 0 string LRZI LRZIP compressed data +!:mime application/x-lrzip >4 byte x - version %d >5 byte x \b.%d >22 byte 1 \b, encrypted -!:mime application/x-lrzip # https://fastcompression.blogspot.fi/2013/04/lz4-streaming-format-final.html 0 lelong 0x184d2204 LZ4 compressed data (v1.4+) !:mime application/x-lz4 +!:ext lz4 # Added by osm0sis@xda-developers.com 0 lelong 0x184c2103 LZ4 compressed data (v1.0-v1.3) !:mime application/x-lz4 @@ -319,19 +333,26 @@ # https://github.com/facebook/zstd/blob/dev/zstd_compression_format.md 0 lelong 0xFD2FB522 Zstandard compressed data (v0.2) !:mime application/zstd +!:ext zst 0 lelong 0xFD2FB523 Zstandard compressed data (v0.3) !:mime application/zstd +!:ext zst 0 lelong 0xFD2FB524 Zstandard compressed data (v0.4) !:mime application/zstd +!:ext zst 0 lelong 0xFD2FB525 Zstandard compressed data (v0.5) !:mime application/zstd +!:ext zst 0 lelong 0xFD2FB526 Zstandard compressed data (v0.6) !:mime application/zstd +!:ext zst 0 lelong 0xFD2FB527 Zstandard compressed data (v0.7) !:mime application/zstd +!:ext zst >4 use zstd-dictionary-id 0 lelong 0xFD2FB528 Zstandard compressed data (v0.8+) !:mime application/zstd +!:ext zst >4 use zstd-dictionary-id # https://github.com/facebook/zstd/blob/dev/zstd_compression_format.md @@ -407,3 +428,34 @@ # http://www.shikadi.net/moddingwiki/PCX_Library 0 string/b pcxLib >0x0A string/b Copyright\020(c)\020Genus\020Microprogramming,\020Inc. pcxLib compressed + +# https://support-docs.illumina.com/SW/ORA_Format_Specification/Content/SW/ORA/ORAFormatSpecification.htm +0 uleshort 0x7c49 +>2 lelong 0x80 ORA FASTQ compressed file +>>6 ulelong x \b, DNA size %u +>>10 ulelong x \b, read names size %u +>>14 ulelong x \b, quality buffer 1 size %u +>>18 ulelong x \b, quality buffer 2 size %u +>>22 ulelong x \b, sequence buffer size %u +>>26 ulelong x \b, N-position buffer size %u +>>30 ulelong x \b, crypto buffer size %u +>>34 ulelong x \b, misc buffer 1 size %u +>>38 ulelong x \b, misc buffer 2 size %u +>>42 ulelong x \b, flags %#x +>>46 lelong x \b, read size %d +>>50 lelong x \b, number of reads %d +>>54 leshort x \b, version %d + +# https://github.com/kspalaiologos/bzip3/blob/master/doc/file_format.md +0 string/b BZ3v1 bzip3 compressed data +>5 ulelong x \b, blocksize %u + + +# https://support-docs.illumina.com/SW/ORA_Format_Specification/Content/\ +# SW/ORA/ORAFormatSpecification.htm +# From Guillaume Rizk +0 short =0x7C49 DRAGEN ORA file, +>-261 short =0x7C49 with metadata: +>-125 u8 x NB reads: %llu, +>-109 u8 x NB bases: %llu. +>-219 u4&0x02 2 File contains interleaved paired reads diff --git a/magic/Magdir/console b/magic/Magdir/console index 367aeec3600..0ed53fe34d1 100644 --- a/magic/Magdir/console +++ b/magic/Magdir/console @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: console,v 1.68 2022/05/14 20:04:43 christos Exp $ +# $File: console,v 1.72 2023/06/16 19:24:06 christos Exp $ # Console game magic # Toby Deshane @@ -68,7 +68,7 @@ !:mime application/x-nes-rom #------------------------------------------------------------------------------ -# fds: file(1) magic for Famciom Disk System disk images +# fds: file(1) magic for Famicom Disk System disk images # Reference: https://wiki.nesdev.com/w/index.php/Family_Computer_Disk_System#.FDS_format # From: David Korth # TODO: Check "Disk info block" and get info from that in addition to the optional header. @@ -544,6 +544,19 @@ 0 string CPE CPE executable >3 byte x (version %d) +# Sony PlayStation archive (PSARC) +# From: Alexandre Iooss +# URL: https://www.psdevwiki.com/ps3/PlayStation_archive_(PSARC) +0 string PSAR Sony PlayStation Archive +!:ext psarc +>4 ubeshort x \b, version %d. +>6 ubeshort x \b%d +>8 string zlib \b, zlib compression +>8 string lzma \b, LZMA compression +>28 ubeshort&2 0 \b, relative paths +>28 ubeshort&2 2 \b, absolute paths +>28 ubeshort&1 1 \b, ignore case + #------------------------------------------------------------------------------ # Microsoft Xbox executables .xbe (Esa Hyytia ) 0 string XBEH Microsoft Xbox executable @@ -684,12 +697,25 @@ >6 string BS93 Lynx homebrew cartridge !:mime application/x-atari-lynx-rom >>2 beshort x \b, RAM start $%04x +# Update: Joerg Jenderek +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/l/lnx.trid.xml +# Note: called "Atari Lynx ROM" by TrID 0 string LYNX Lynx cartridge !:mime application/x-atari-lynx-rom +!:ext lnx +# bank 0 page size like: 128 256 512 >4 leshort/4 >0 \b, bank 0 %dk >6 leshort/4 >0 \b, bank 1 %dk +# 32 bytes cart name like: "jconnort.lyx" "viking~1.lyx" "Eye of the Beholder" "C:\EMU\LYNX\ROMS\ULTCHESS.LYX" >10 string >\0 \b, "%.32s" +# 16 bytes manufacturer like: "Atari" "NuFX Inc." "Matthias Domin" >42 string >\0 \b, "%.16s" +# version number +#>8 leshort !1 \b, version number %u +# rotation: 1~left Lexis (NA).lnx 2~right Centipede (Prototype).lnx +>58 ubyte >0 \b, rotation %u +# spare +#>59 lelong !0 \b, spare %#x # Opera file system that is used on the 3DO console # From: Serge van den Boom @@ -760,6 +786,28 @@ >5 byte 0 \b, Simple Encoding >6 string x \b, description: %s +# Compressed ISO disc image (used mostly by PSP, PS2 and MegaDrive) +# From: Alexandre Iooss +# URL: https://en.wikipedia.org/wiki/.CSO +# NOTE: This is NOT the same as Compact ISO or GameCube/Wii disc image, +# though it has the same magic number. +0 string CISO +# Match CISO version 1 with ISO-9660 sector size +>20 ubyte <2 +>>16 ulelong =2048 CSO v1 disk image +!:mime application/x-compressed-iso +!:ext ciso/cso +>>>8 ulequad x \b, original size %llu bytes +>>>16 ulelong x \b, datablock size %u bytes +# Match CISO version 2 +>20 ubyte =2 +>>22 uleshort =0 +>>>4 ulelong =24 CSO v2 disk image +!:mime application/x-compressed-iso +!:ext ciso/cso +>>>>8 ulequad x \b, original size %llu bytes +>>>>16 ulelong x \b, datablock size %u bytes + # From: Daniel Dawson # SNES9x .smv "movie" file format. 0 string SMV\x1A SNES9x input recording diff --git a/magic/Magdir/crypto b/magic/Magdir/crypto index 72a90ace282..910df8dd497 100644 --- a/magic/Magdir/crypto +++ b/magic/Magdir/crypto @@ -1,5 +1,49 @@ #------------------------------------------------------------------------------ -# $File: crypto,v 1.2 2021/03/27 20:15:53 christos Exp $ +# $File: crypto,v 1.4 2023/07/17 16:41:48 christos Exp $ # crypto: file(1) magic for crypto formats # +# Bitcoin block files +0 lelong 0xD9B4BEF9 Bitcoin +>(4.l+40) lelong 0xD9B4BEF9 reverse block +>>4 lelong x \b, size %u +# normal block below +>0 default x block +>>4 lelong x \b, size %u +>>8 lelong&0xE0000000 0x20000000 +>>>8 lelong x \b, BIP9 0x%x +>>8 lelong&0xE0000000 !0x20000000 +>>>8 lelong x \b, version 0x%x +>>76 ledate x \b, %s UTC +# VarInt counter +>>88 ubyte <0xfd \b, txcount %u +>>88 ubyte 0xfd +>>>89 leshort x \b, txcount %u +>>88 ubyte 0xfe +>>>89 lelong x \b, txcount %u +>>88 ubyte 0xff +>>>89 lequad x \b, txcount %llu +!:ext dat +# option to find more blocks in the file +#>>(4.l+8) indirect x ; + +# LevelDB +-8 lequad 0xdb4775248b80fb57 LevelDB table data + +# http://www.tarsnap.com/scrypt.html +# see scryptenc_setup() in lib/scryptenc/scryptenc.c +0 string scrypt\0 scrypt encrypted file +>7 byte x \b, N=2**%d +>8 belong x \b, r=%d +>12 belong x \b, p=%d + +# https://age-encryption.org/ +# Only the first recipient is printed in detail to prevent repetitive output +# in extreme cases ("ssh-rsa, ssh-rsa, ssh-rsa, ..."). +0 string age-encryption.org/v1\n age encrypted file +>25 regex/128 \^[^\040]+ \b, %s recipient +>>25 string scrypt +>>>&0 regex/64 [0-9]+\$ (N=2**%s) +>>&0 search/256 \n->\040 \b, among others + +0 string -----BEGIN\040AGE\040ENCRYPTED\040FILE----- age encrypted file, ASCII armored diff --git a/magic/Magdir/database b/magic/Magdir/database index 171f7eb2635..03ac4235f73 100644 --- a/magic/Magdir/database +++ b/magic/Magdir/database @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: database,v 1.67 2022/07/12 18:57:42 christos Exp $ +# $File: database,v 1.69 2023/01/12 00:14:04 christos Exp $ # database: file(1) magic for various databases # # extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk) @@ -387,8 +387,22 @@ >>>>>20 ubelong&0xFF01209B 0x00000000 # dBASE III >>>>>>16 ubyte 3 -# dBASE III DBT ->>>>>>>0 use dbase3-memo-print +# skip with invalid "low" 1st item "\0\0\0\0" StateRepository-Deployment.srd-shm "\001\010\0\0" gcry_cast5.mod +>>>>>>>512 ubyte >040 +# skip with valid 1st item "rintf" keylayouts.mod +# by looking for valid terminating character Ctrl-Z like in test.dbt +>>>>>>>>513 search/3308 \032 +# skip GRUB plan9.mod with invalid second terminating character 007 +# by checking second terminating character Ctrl-Z like in test.dbt +>>>>>>>>>&0 ubyte 032 +# dBASE III DBT with two Ctr-Z terminating characters +>>>>>>>>>>0 use dbase3-memo-print +# second terminating character \0 like in dbase-memo.dbt or GRUB nativedisk.mod +>>>>>>>>>&0 ubyte 0 +# skip GRUB nativedisk.mod with grub_mod_init\0grub_mod_fini\0grub_fs_autoload_hook\0 +>>>>>>>>>>0x1ad string !grub_mod_init +# like dbase-memo.dbt +>>>>>>>>>>>0 use dbase3-memo-print # dBASE III DBT without version, dBASE IV DBT , FoxPro FPT , or many ZIP , DBF garbage >>>>>>16 ubyte 0 # unusual dBASE III DBT like angest.dbt, dBASE IV DBT with block size 0 , FoxPro FPT , or garbage PCX DBF @@ -410,8 +424,25 @@ >>>>>>>>>>513 ubyte >037 # skip DOS executables CPQ0TD.DRV E30ODI.COM IBM0MONO.DRV by looking for printable 1st character of 1st memo item >>>>>>>>>>>512 ubyte >037 -# unusual dBASE III DBT like adressen.dbt ->>>>>>>>>>>>0 use dbase3-memo-print +# skip few (14/758) Microsoft Event Trace Logs (boot_BASE+CSWITCH_1.etl DlTel-Merge.etl UpdateUx.006.etl) with invalid "high" 1st item \377\377 +>>>>>>>>>>>>512 ubyte <0377 +# skip some Commodore 64 Art Studio (Deep_Strike.aas dragon's_lair_ii.aas), some Atari DEGAS Elite bitmap (ELEPHANT.PC3 ST.PC2) +# some probably old GRUB modules (part_sun.mod) and virtual-boy-wario-land.vb. +# by looking for valid terminating character Ctrl-Z +>>>>>>>>>>>>>513 search/523 \032 +# Atari DEGAS bitmap ST.PC2 with 0370 as second terminating character +#>>>>>>>>>>>>>>&0 ubyte x 2ND_CHAR_IS=%o +# dBASE III DBT with two Ctr-Z terminating characters like dbase3dbt0_1.dbt dbase_83.dbt +>>>>>>>>>>>>>>&0 ubyte 032 +>>>>>>>>>>>>>>>0 use dbase3-memo-print +# second terminating character \0 like in pcidump.mod or fsadress.dbt umlaut-dbf-cmd.dbt +>>>>>>>>>>>>>>&0 ubyte 0 +# look for old GRUB module pcidump.mod with specific content "pcidump\0Show raw dump of the PCI configuration space" +>>>>>>>>>>>>>>>514 search/0x11E pcidump\0Show +# dBASE III DBT with Ctr-Z + \0 terminating characters like fsadress.dbt +>>>>>>>>>>>>>>>514 default x +# unusual dBASE III DBT like fsadress.dbt umlaut-dbf-cmd.dbt +>>>>>>>>>>>>>>>>0 use dbase3-memo-print # dBASE III DBT like angest.dbt, or garbage PCX DBF >>>>>>>>8 ubelong !0 # skip PCX and some DBF by test for for reserved NULL bytes @@ -424,7 +455,19 @@ >>>>>>>>>>>>512 ubyte <0200 # skip gluon-ffhat-1.0-tp-link-tl-wr1043n-nd-v2-sysupgrade.bin by printable 2nd character >>>>>>>>>>>>>513 ubyte >037 ->>>>>>>>>>>>>>0 use dbase3-memo-print +# skip few (8/758) Microsoft Event Trace Logs (WBEngine.3.etl Wifi.etl) with valid 1st item like +# "9600.20369.amd64fre.winblue_ltsb_escrow.220427-1727" +# "9600.19846.amd64fre.winblue_ltsb_escrow.200923-1735" +# "10586.494.amd64fre.th2_release_sec.160630-1736" +# by looking for valid terminating character Ctrl-Z +>>>>>>>>>>>>>>513 search/0x11E \032 +# followed by second character Ctrl-Z implies typical DBT +>>>>>>>>>>>>>>>&0 ubyte 032 +# examples like: angest.dbt +>>>>>>>>>>>>>>>>0 use dbase3-memo-print +>>>>>>>>>>>>>>>&0 ubyte 0 +# no example found here with terminating sequence CTRL-Z + \0 +>>>>>>>>>>>>>>>>0 use dbase3-memo-print # dBASE IV DBT with positive block size >>>>>>>20 uleshort >0 # dBASE IV DBT with valid block length like 512, 1024 @@ -446,11 +489,16 @@ # no positive block length #>20 uleshort =0 \b, block length %u >20 uleshort !0 \b, block length %u -# dBase III memo field terminated by \032\032 +# dBase III memo field terminated often by \032\032 # like: "WHAT IS XBASE" test.dbt "Borges, Malte" biblio.dbt "First memo\032\032" T2.DBT >512 string >\0 \b, 1st item "%s" # For DEBUGGING #>512 ubelong x \b, 1ST item %#8.8x +#>513 search/0x225 \032 FOUND_TERMINATOR +#>>&0 ubyte 032 2xCTRL_Z +# fsadress.dbt has 1 Ctrl-Z terminator followed by nil byte +#>>&0 ubyte 0 1xCTRL_Z + # https://www.clicketyclick.dk/databases/xbase/format/dbt.html # Print the information of dBase IV DBT memo file 0 name dbase4-memo-print diff --git a/magic/Magdir/der b/magic/Magdir/der index e84282b5ca1..3bc2e38aa95 100644 --- a/magic/Magdir/der +++ b/magic/Magdir/der @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: der,v 1.5 2022/07/30 18:07:34 christos Exp $ +# $File: der,v 1.6 2023/01/11 23:59:49 christos Exp $ # der: file(1) magic for DER encoded files # @@ -137,3 +137,10 @@ >>>>&0 der seq >>>>>&0 der obj_id3=550403 >>>>>&0 der utf8_str=x \b, Subject=%s + +# PKCS#7 Signed Data (e.g. JAR Signature Block File) +# OID 1.2.840.113549.1.7.2 (2a864886f70d010702) +# Reference: https://www.rfc-editor.org/rfc/rfc2315 +0 der seq +>&0 der obj_id9=2a864886f70d010702 DER Encoded PKCS#7 Signed Data +!:ext RSA/DSA/EC diff --git a/magic/Magdir/dsf b/magic/Magdir/dsf deleted file mode 100644 index e6c4b6e3e05..00000000000 --- a/magic/Magdir/dsf +++ /dev/null @@ -1,25 +0,0 @@ - -#------------------------------------------------------------ -# $File: dsf,v 1.1 2022/01/08 16:29:18 christos Exp $ -# dsf: file(1) magic for DSD Stream File -# URL: https://en.wikipedia.org/wiki/Direct_Stream_Digital -# Reference: https://dsd-guide.com/sites/default/files/white-papers/DSFFileFormatSpec_E.pdf -0 string DSD\x20 DSD Stream File, ->0x30 leshort 1 mono, ->0x30 leshort 2 stereo, ->0x30 leshort 3 three-channel, ->0x30 leshort 4 quad-channel, ->0x30 leshort 5 3.1 4-channel, ->0x30 leshort 6 five-channel, ->0x30 leshort 7 5.1 surround, ->0x30 default x ->>0x30 leshort x unknown channel format (%d), ->0x38 lelong 2822400 simple-rate, ->0x38 lelong 5644800 double-rate, ->0x38 default x ->>0x38 lelong x %d Hz, ->0x3c leshort 1 1 bit, ->0x3c leshort 8 8 bit, ->0x3c default x ->>0x3c leshort x %d bit, ->0x40 lelong x %d samples diff --git a/magic/Magdir/dwarfs b/magic/Magdir/dwarfs new file mode 100644 index 00000000000..3700a33c5d7 --- /dev/null +++ b/magic/Magdir/dwarfs @@ -0,0 +1,45 @@ + +#------------------------------------------------------------------------------ +# $File: dwarfs,v 1.2 2023/05/23 13:37:32 christos Exp $ +# dwarfs: file(1) magic for DwarFS File System Image files +# URL: https://github.com/mhx/dwarfs for details about DwarFS +# From: Marcus Holland-Moritz + +#### DwarFS Version Macro +0 name dwarfsversion +>&0 byte x \b, version %d +>&1 byte x \b.%d + +#### DwarFS Compression Macro +0 name dwarfscompression +>&0 leshort =0 \b, uncompressed +>&0 leshort =1 \b, LZMA compression +>&0 leshort =2 \b, ZSTD compression +>&0 leshort =3 \b, LZ4 compression +>&0 leshort =4 \b, LZ4HC compression +>&0 leshort =5 \b, BROTLI compression + +#### DwarFS files without header +## We first check against a DWARFS magic at the start of the file, then +## validate by checking the block count / section type to be all zeros +## for the first block. Finally, we check that the *next* block also +## has the correct DWARFS magic. +0 string DWARFS +>&0x2A string/b \0\0\0\0\0\0 +>>&(&0x02.q+0x0A) string DWARFS DwarFS File System Image +>>>&0 use dwarfsversion +>>&0 use dwarfscompression + +#### DwarFS files with header +## We search for a DWARFS magic in the first 64k of the file (images with +## headers longer than 64k won't be recognized), then validate by checking +## the block count / section type to be all zeros for the first block. +## Finally, we check that the *next* block also has the correct DWARFS magic. +## If we find a DWARFS magic that doesn't pass validation, we continue with +## an indirect match recursively. +1 search/65536/b DWARFS +>&0x2A string/b \0\0\0\0\0\0 +>>&(&0x02.q+0x0A) string DWARFS DwarFS File System Image (with header) +>>>&0 use dwarfsversion +>>&0 use dwarfscompression +>&-1 indirect x diff --git a/magic/Magdir/elf b/magic/Magdir/elf index 93abdc380db..d3ec0260af2 100644 --- a/magic/Magdir/elf +++ b/magic/Magdir/elf @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: elf,v 1.87 2021/05/25 15:19:51 christos Exp $ +# $File: elf,v 1.88 2023/01/08 17:09:18 christos Exp $ # elf: file(1) magic for ELF executables # # We have to check the byte order flag to see what byte order all the @@ -8,6 +8,8 @@ # # What're the correct byte orders for the nCUBE and the Fujitsu VPP500? # +# https://www.sco.com/developers/gabi/latest/ch4.eheader.html +# # Created by: unknown # Modified by (1): Daniel Quinlan # Modified by (2): Peter Tobias (core support) @@ -282,6 +284,12 @@ >18 leshort 216 Cognitive Smart Memory, >18 leshort 217 iCelero CoolEngine, >18 leshort 218 Nanoradio Optimized RISC, +>18 leshort 219 CSR Kalimba architecture family +>18 leshort 220 Zilog Z80 +>18 leshort 221 Controls and Data Services VISIUMcore processor +>18 leshort 222 FTDI Chip FT32 high performance 32-bit RISC architecture +>18 leshort 223 Moxie processor family +>18 leshort 224 AMD GPU architecture >18 leshort 243 UCB RISC-V, # only for 32-bit >>4 byte 1 diff --git a/magic/Magdir/filesystems b/magic/Magdir/filesystems index dad00db7957..cd721305168 100644 --- a/magic/Magdir/filesystems +++ b/magic/Magdir/filesystems @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: filesystems,v 1.150 2022/07/04 16:40:33 christos Exp $ +# $File: filesystems,v 1.158 2023/05/21 17:19:08 christos Exp $ # filesystems: file(1) magic for different filesystems # 0 name partid @@ -1596,7 +1596,8 @@ >0x1e lequad x %lld total clusters, >0x26 lequad x %lld clusters in use -9564 lelong 0x00011954 Unix Fast File system [v1] (little-endian), + +0 name ffsv1 >8404 string x last mounted on %s, #>9504 ledate x last checked at %s, >8224 ledate x last written at %s, @@ -1612,105 +1613,59 @@ >8320 lelong 0 TIME optimization >8320 lelong 1 SPACE optimization -42332 lelong 0x19540119 Unix Fast File system [v2] (little-endian) ->&-1164 string x last mounted on %s, ->&-696 string >\0 volume name %s, ->&-304 leqldate x last written at %s, ->&-1167 byte x clean flag %d, ->&-1168 byte x readonly flag %d, ->&-296 lequad x number of blocks %lld, ->&-288 lequad x number of data blocks %lld, ->&-1332 lelong x number of cylinder groups %d, ->&-1328 lelong x block size %d, ->&-1324 lelong x fragment size %d, ->&-180 lelong x average file size %d, ->&-176 lelong x average number of files in dir %d, ->&-272 lequad x pending blocks to free %lld, ->&-264 lelong x pending inodes to free %d, ->&-664 lequad x system-wide uuid %0llx, ->&-1316 lelong x minimum percentage of free blocks %d, ->&-1248 lelong 0 TIME optimization ->&-1248 lelong 1 SPACE optimization - -66908 lelong 0x19540119 Unix Fast File system [v2] (little-endian) ->&-1164 string x last mounted on %s, ->&-696 string >\0 volume name %s, ->&-304 leqldate x last written at %s, ->&-1167 byte x clean flag %d, ->&-1168 byte x readonly flag %d, ->&-296 lequad x number of blocks %lld, ->&-288 lequad x number of data blocks %lld, ->&-1332 lelong x number of cylinder groups %d, ->&-1328 lelong x block size %d, ->&-1324 lelong x fragment size %d, ->&-180 lelong x average file size %d, ->&-176 lelong x average number of files in dir %d, ->&-272 lequad x pending blocks to free %lld, ->&-264 lelong x pending inodes to free %d, ->&-664 lequad x system-wide uuid %0llx, ->&-1316 lelong x minimum percentage of free blocks %d, ->&-1248 lelong 0 TIME optimization ->&-1248 lelong 1 SPACE optimization +9564 lelong 0x00011954 Unix Fast File system [v1] (little-endian), +>0 use ffsv1 9564 belong 0x00011954 Unix Fast File system [v1] (big-endian), >7168 belong 0x4c41424c Apple UFS Volume >>7186 string x named %s, >>7176 belong x volume label version %d, >>7180 bedate x created on %s, ->8404 string x last mounted on %s, -#>9504 bedate x last checked at %s, ->8224 bedate x last written at %s, ->8401 byte x clean flag %d, ->8228 belong x number of blocks %d, ->8232 belong x number of data blocks %d, ->8236 belong x number of cylinder groups %d, ->8240 belong x block size %d, ->8244 belong x fragment size %d, ->8252 belong x minimum percentage of free blocks %d, ->8256 belong x rotational delay %dms, ->8260 belong x disk rotational speed %drps, ->8320 belong 0 TIME optimization ->8320 belong 1 SPACE optimization +>0 use \^ffsv1 + +0 name ffsv2 +>212 string x last mounted on %s, +>680 string >\0 volume name %s, +>1072 leqldate x last written at %s, +>209 byte x clean flag %d, +>210 byte x readonly flag %d, +>1080 lequad x number of blocks %lld, +>1088 lequad x number of data blocks %lld, +>44 lelong x number of cylinder groups %d, +>48 lelong x block size %d, +>52 lelong x fragment size %d, +>1196 lelong x average file size %d, +>1200 lelong x average number of files in dir %d, +>1104 lequad x pending blocks to free %lld, +>1112 lelong x pending inodes to free %d, +>712 lequad x system-wide uuid %0llx, +>60 lelong x minimum percentage of free blocks %d, +>128 lelong 0 TIME optimization +>128 lelong 1 SPACE optimization + +42332 lelong 0x19012038 Unix Fast File system [v2ea] (little-endian) +>40960 use ffsv2 + +42332 lelong 0x19540119 Unix Fast File system [v2] (little-endian) +>40960 use ffsv2 + +42332 belong 0x19012038 Unix Fast File system [v2ea] (little-endian) +>40960 use \^ffsv2 42332 belong 0x19540119 Unix Fast File system [v2] (big-endian) ->&-1164 string x last mounted on %s, ->&-696 string >\0 volume name %s, ->&-304 beqldate x last written at %s, ->&-1167 byte x clean flag %d, ->&-1168 byte x readonly flag %d, ->&-296 bequad x number of blocks %lld, ->&-288 bequad x number of data blocks %lld, ->&-1332 belong x number of cylinder groups %d, ->&-1328 belong x block size %d, ->&-1324 belong x fragment size %d, ->&-180 belong x average file size %d, ->&-176 belong x average number of files in dir %d, ->&-272 bequad x pending blocks to free %lld, ->&-264 belong x pending inodes to free %d, ->&-664 bequad x system-wide uuid %0llx, ->&-1316 belong x minimum percentage of free blocks %d, ->&-1248 belong 0 TIME optimization ->&-1248 belong 1 SPACE optimization +>40960 use \^ffsv2 + +66908 lelong 0x19012038 Unix Fast File system [v2ea] (little-endian) +>65536 use ffsv2 + +66908 lelong 0x19540119 Unix Fast File system [v2] (little-endian) +>65536 use ffsv2 + +66908 belong 0x19012038 Unix Fast File system [v2ea] (little-endian) +>65536 use \^ffsv2 66908 belong 0x19540119 Unix Fast File system [v2] (big-endian) ->&-1164 string x last mounted on %s, ->&-696 string >\0 volume name %s, ->&-304 beqldate x last written at %s, ->&-1167 byte x clean flag %d, ->&-1168 byte x readonly flag %d, ->&-296 bequad x number of blocks %lld, ->&-288 bequad x number of data blocks %lld, ->&-1332 belong x number of cylinder groups %d, ->&-1328 belong x block size %d, ->&-1324 belong x fragment size %d, ->&-180 belong x average file size %d, ->&-176 belong x average number of files in dir %d, ->&-272 bequad x pending blocks to free %lld, ->&-264 belong x pending inodes to free %d, ->&-664 bequad x system-wide uuid %0llx, ->&-1316 belong x minimum percentage of free blocks %d, ->&-1248 belong 0 TIME optimization ->&-1248 belong 1 SPACE optimization +>65536 use \^ffsv2 0 ulequad 0xc8414d4dc5523031 HAMMER filesystem (little-endian), >0x90 lelong+1 x volume %d @@ -2648,19 +2603,25 @@ >10 ubelong x \b-%08x >14 ubeshort x \b%04x -0x1018 string \xc6\x85\x73\xf6\x4e\x1a\x45\xca\x82\x65\xf5\x7f\x48\xba\x6d\x81 bcachefs ->0x1068 lequad 8 \b, UUID= ->>0x1038 use bcachefs-uuid ->>0x1048 string >0 \b, label "%.32s" ->>0x1010 uleshort x \b, version %u ->>0x1012 uleshort x \b, min version %u ->>0x107a byte x \b, device %d +0 name bcachefs bcachefs +>0x68 lequad 8 \b, UUID= +>>0x38 use bcachefs-uuid +>>0x48 string >0 \b, label "%.32s" +>>0x10 uleshort x \b, version %u +>>0x12 uleshort x \b, min version %u +>>0x7a byte x \b, device %d # assumes the first field is the members field ->>0x12f4 ulelong 0x01 \b/UUID= ->>>0x12f0 default x ->>>&(0x107a.b*56) use bcachefs-uuid ->>0x107b byte x \b, %d devices ->>0x1090 byte ^0x02 \b (unclean) +>>0x2f4 ulelong 0x01 \b/UUID= +>>>0x2f0 default x +>>>&(0x07a.b*56) use bcachefs-uuid +>>0x07b byte x \b, %d devices +>>0x090 byte ^0x02 \b (unclean) + +0x1018 string \xc6\x85\x73\xf6\x4e\x1a\x45\xca\x82\x65\xf5\x7f\x48\xba\x6d\x81 +>0x1000 use bcachefs + +0x1018 string \xc6\x85\x73\xf6\x66\xce\x90\xa9\xd9\x6a\x60\xcf\x80\x3d\xf7\xef +>0x1000 use bcachefs # EROFS # https://kernel.googlesource.com/pub/scm/linux/kernel/git/xiang/erofs-utils/\ @@ -2687,3 +2648,47 @@ >>1104 lelong &4 CHUNKED_FILE >>1104 lelong &8 DEVICE_TABLE >>1104 lelong &16 ZTAILPACKING + +# YAFFS +# The layout itself is undocumented, determined by the memory layout of the +# reference implementation. This signature is derived from the +# reference implementation code and generated test cases +# We recognize the start of an object header defined by yaffs_obj_hdr: +# (Note the values being encoded depending on platform endianess) + +# u32 type /* enum yaffs_obj_type, valid 1-5 */ +# u32 parent_obj_id; /* 1 for root objects we recognize */ +# u16 sum_no_longer_used; /* checksum of name. Not used by YAFFS and memset to 0xFF */ +# YCHAR name[YAFFS_MAX_NAME_LENGTH + 1]; + +# mkyaffsimage always writes a root directory with empty name, then processing the target directory contents +# mkyaffs2image directly proceeds to writing entries with the appropriate u32 YAFFS_OBJECT_TYPE (1-5 valid), each with parent id 1 + +0 name yaffs +>0 ulelong 1 \b, type file +>0 ulelong 2 \b, type symlink +>0 ulelong 3 \b, type root or directory +>0 ulelong 4 \b, type hardlink +>0 ulelong 5 \b, type special +>0xA byte 0 \b, v1 root directory +>0xA byte !0 \b, object entry +>>0xA string x (name: "%s") + +# Little Endian: XX 00 00 00 01 00 00 00 FF FF YY +# XX: 01 - 05 (object type) +# YY: 00 for version 1 root directory, > 00 for version 2 (name data) +0x1 string \x00\x00\x00\x01\x00\x00\x00\xFF\xFF +>0 ulelong 0 +>0 ulelong >5 +>0 default x YAFFS filesystem root entry (little endian) +>>0 use yaffs + +# Big Endian: 00 00 00 XX 00 00 00 01 FF FF YY +# XX: 01 - 05 (object type) +# YY: 00 for version 1 root directory, > 00 for version 2 (name data) +0x4 string \x00\x00\x00\x01\xFF\xFF +>0 string \x00\x00\x00 +>>0 ubelong 0 +>>0 ubelong >5 +>>0 default x YAFFS filesystem root entry (big endian) +>>>0 use \^yaffs diff --git a/magic/Magdir/firmware b/magic/Magdir/firmware new file mode 100644 index 00000000000..4835b12e8d0 --- /dev/null +++ b/magic/Magdir/firmware @@ -0,0 +1,133 @@ +#------------------------------------------------------------------------------ +# $File: firmware,v 1.7 2023/03/11 18:52:03 christos Exp $ +# firmware: file(1) magic for firmware files +# + +# https://github.com/MatrixEditor/frontier-smart-api/blob/main/docs/firmware-2.0.md#11-header-structure +# examples: https://github.com/cweiske/frontier-silicon-firmwares +0 lelong 0x00001176 +>4 lelong 0x7c Frontier Silicon firmware download +>>8 lelong x \b, MeOS version %x +>>12 string/32/T x \b, version %s +>>40 string/64/T x \b, customization %s + +# HPE iLO firmware update image +# From: Alexandre Iooss +# URL: https://www.sstic.org/2018/presentation/backdooring_your_server_through_its_bmc_the_hpe_ilo4_case/ +# iLO1 (ilo1*.bin) or iLO2 (ilo2_*.bin) images +0 string \x20\x36\xc1\xce\x60\x37\x62\xf0\x3f\x06\xde\x00\x00\x03\x7f\x00 +>16 ubeshort =0xCFDD HPE iLO2 firmware update image +>16 ubeshort =0x6444 HPE iLO1 firmware update image +# iLO3 images (ilo3_*.bin) start directly with image name +0 string iLO3\x20v\x20 HPE iLO3 firmware update image, +>7 string x version %s +# iLO4 images (ilo4_*.bin) start with a signature and a certificate +0 string --=75 string label_HPBBatch +>>5828 string iLO\x204 +>>>5732 string HPIMAGE\x00 HPE iLO4 firmware update image, +>>>6947 string x version %s +# iLO5 images (ilo5_*.bin) start with a signature +>75 string label_HPE-HPB-BMC-ILO5-4096 +>>880 string HPIMAGE\x00 HPE iLO5 firmware update image, +>>944 string x version %s + +# IBM POWER Secure Boot Container +# from https://github.com/open-power/skiboot/blob/master/libstb/container.h +0 belong 0x17082011 POWER Secure Boot Container, +>4 beshort x version %u +>6 bequad x container size %llu +# These are always zero +# >14 bequad x target HRMOR %llx +# >22 bequad x stack pointer %llx +>4096 ustring \xFD7zXZ\x00 XZ compressed +0 belong 0x1bad1bad POWER boot firmware +>256 belong 0x48002030 (PHYP entry point) + +# ARM Cortex-M vector table +# From: Alexandre Iooss +# URL: https://developer.arm.com/documentation/100701/0200/Exception-properties +# Match stack MSB +3 byte 0x20 +# Function pointers must be in Thumb-mode and before 0x20000000 (4*5 bits match) +>4 ulelong&0xE0000001 1 +>>8 ulelong&0xE0000001 1 +>>>12 ulelong&0xE0000001 1 +>>>>44 ulelong&0xE0000001 1 +>>>>>56 ulelong&0xE0000001 1 +# Match Cortex-M reserved sections (0x00000000 or 0xFFFFFFFF) +>>>>>>28 ulelong+1 <2 +>>>>>>>32 ulelong+1 <2 +>>>>>>>>36 ulelong+1 <2 +>>>>>>>>>40 ulelong+1 <2 +>>>>>>>>>>52 ulelong+1 <2 ARM Cortex-M firmware +>>>>>>>>>>>0 ulelong >0 \b, initial SP at 0x%08x +>>>>>>>>>>>4 ulelong^1 x \b, reset at 0x%08x +>>>>>>>>>>>8 ulelong^1 x \b, NMI at 0x%08x +>>>>>>>>>>>12 ulelong^1 x \b, HardFault at 0x%08x +>>>>>>>>>>>44 ulelong^1 x \b, SVCall at 0x%08x +>>>>>>>>>>>56 ulelong^1 x \b, PendSV at 0x%08x + +# ESP-IDF partition table entry +# From: Alexandre Iooss +# URL: https://github.com/espressif/esp-idf/blob/v5.0/components/esp_partition/include/esp_partition.h +0 string \xAA\x50 +>2 ubyte <2 ESP-IDF partition table entry +>>12 string/16 x \b, label: "%s" +>>2 ubyte 0 +>>>3 ubyte 0x00 \b, factory app +>>>3 ubyte 0x10 \b, OTA_0 app +>>>3 ubyte 0x11 \b, OTA_1 app +>>>3 ubyte 0x12 \b, OTA_2 app +>>>3 ubyte 0x13 \b, OTA_3 app +>>>3 ubyte 0x14 \b, OTA_4 app +>>>3 ubyte 0x15 \b, OTA_5 app +>>>3 ubyte 0x16 \b, OTA_6 app +>>>3 ubyte 0x17 \b, OTA_7 app +>>>3 ubyte 0x18 \b, OTA_8 app +>>>3 ubyte 0x19 \b, OTA_9 app +>>>3 ubyte 0x1A \b, OTA_10 app +>>>3 ubyte 0x1B \b, OTA_11 app +>>>3 ubyte 0x1C \b, OTA_12 app +>>>3 ubyte 0x1D \b, OTA_13 app +>>>3 ubyte 0x1E \b, OTA_14 app +>>>3 ubyte 0x1F \b, OTA_15 app +>>>3 ubyte 0x20 \b, test app +>>2 ubyte 1 +>>>3 ubyte 0x00 \b, OTA selection data +>>>3 ubyte 0x01 \b, PHY init data +>>>3 ubyte 0x02 \b, NVS data +>>>3 ubyte 0x03 \b, coredump data +>>>3 ubyte 0x04 \b, NVS keys +>>>3 ubyte 0x05 \b, emulated eFuse data +>>>3 ubyte 0x06 \b, undefined data +>>>3 ubyte 0x80 \b, ESPHTTPD partition +>>>3 ubyte 0x81 \b, FAT partition +>>>3 ubyte 0x82 \b, SPIFFS partition +>>>3 ubyte 0xFF \b, any data +>>4 ulelong x \b, offset: 0x%X +>>8 ulelong x \b, size: 0x%X +>>28 ulelong&0x1 1 \b, encrypted + +# ESP-IDF application image +# From: Alexandre Iooss +# URL: https://github.com/espressif/esp-idf/blob/v5.0/components/bootloader_support/include/esp_app_format.h +# Note: Concatenation of esp_image_header_t, esp_image_segment_header_t and esp_app_desc_t +# First segment contains esp_app_desc_t +0 ubyte 0xE9 +>32 ulelong 0xABCD5432 ESP-IDF application image +>>12 uleshort 0x0000 for ESP32 +>>12 uleshort 0x0002 for ESP32-S2 +>>12 uleshort 0x0005 for ESP32-C3 +>>12 uleshort 0x0009 for ESP32-S3 +>>12 uleshort 0x000A for ESP32-H2 Beta1 +>>12 uleshort 0x000C for ESP32-C2 +>>12 uleshort 0x000D for ESP32-C6 +>>12 uleshort 0x000E for ESP32-H2 Beta2 +>>12 uleshort 0x0010 for ESP32-H2 +>>80 string/32 x \b, project name: "%s" +>>48 string/32 x \b, version %s +>>128 string/16 x \b, compiled on %s +>>>112 string/16 x %s +>>144 string/32 x \b, IDF version: %s +>>4 ulelong x \b, entry address: 0x%08X diff --git a/magic/Magdir/games b/magic/Magdir/games index b5d4664c889..0ccb4acff51 100644 --- a/magic/Magdir/games +++ b/magic/Magdir/games @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: games,v 1.25 2022/05/31 18:40:20 christos Exp $ +# $File: games,v 1.31 2023/03/29 22:57:27 christos Exp $ # games: file(1) for games # Fabio Bonelli @@ -184,6 +184,15 @@ 0 string MComprHD MAME CHD compressed hard disk image, >12 belong x version %u +# MAME input recordings + +0 string MAMEINP\0 MAME input recording +>8 leqdate x at %s, +>16 leshort x format version %d. +>18 leshort x \b%d, +>20 string x %s driver, +>32 string x %s + # doom - submitted by Jon Dowland 0 string =IWAD doom main IWAD data @@ -293,12 +302,92 @@ >2 regex/c GM\\[21\\] - twix Game # Epic Games/Unreal Engine Package -# -0 lelong 0x9E2A83C1 Unreal Engine Package, ->4 leshort x version: %i ->12 lelong !0 \b, names: %i ->28 lelong !0 \b, imports: %i ->20 lelong !0 \b, exports: %i +# URL: https://docs.unrealengine.com/udk/Three/ContentCooking.html +# https://eliotvu.com/page/unreal-package-file-format +# Little-endian version (such as x86 PC) +0 lelong 0x9E2A83C1 Unreal Engine package (little-endian) +!:ext xxx/tfc/upk/me1/u +>4 uleshort !0 \b, version %u +>>6 uleshort !0 \b/%03u +>>0 use upk_header +# Big-endian version (such as PS3) +0 belong 0x9E2A83C1 Unreal Engine package (big-endian) +!:ext xxx/tfc +>6 ubeshort !0 \b, version %u +>>4 ubeshort !0 \b/%03u +>>0 use \^upk_header + +0 name upk_header +# Identify game from version and licensee +>4 ulelong 0x000002b2 (Alice Madness Returns) +>4 ulelong 0x002f0313 (Aliens: Colonial Marines) +>4 ulelong 0x005b021b (Alpha Protocol) +>4 ulelong 0x0000032c (AntiChamber) +>4 ulelong 0x00200223 (APB: All Points Bulletin) +>4 ulelong 0x004b02d7 (Bioshock Infinite) +>4 ulelong 0x00380340 (Borderlands 2) +>4 ulelong 0x001d02e6 (Bulletstorm) +>4 ulelong 0x00050240 (CrimeCraft) +>4 ulelong 0x00000356 (Deadlight) +>4 ulelong 0x001e0321 (Dishonored) +>4 ulelong 0x000202a6 (Dungeon Defenders) +>4 ulelong 0x000901ea (Gears of War) +>4 ulelong 0x0000023f (Gears of War 2) +>4 ulelong 0x0000033c (Gears of War 3) +>4 ulelong 0x0000034e (Gears of War: Judgement) +>4 ulelong 0x0004035c (Hawken) +>4 ulelong 0x0001034a (Infinity Blade 2) +>4 ulelong 0x00000350 (InMomentum) +>4 ulelong 0x0015037D (Life Is Strange) +>4 ulelong 0x000b01a5 (Medal of Honor: Airborne) +>4 ulelong 0x002b0218 (Mirrors Edge) +>4 ulelong 0x0000027e (Monday Night Combat) +>4 ulelong 0x0000024b (MoonBase Alpha) +>4 ulelong 0x002e01d8 (Mortal Kombat Komplete Edition 2605) +>4 ulelong 0x0000035c (Painkiller HD) +>4 ulelong 0x0000034d (Q.U.B.E) +>4 ulelong 0x80660340 (Quantum Conundrum) +>4 ulelong 0x0000035b (Ravaged) +>4 ulelong 0x00150340 (Remember Me) +>4 ulelong 0x00060171 (Roboblitz) +>4 ulelong 0x00000325 (Rock of Ages) +>4 ulelong 0x0000032a (Sanctum) +>4 ulelong 0x00030248 (Saw) +>4 ulelong 0x007e0248 (Singularity) +>4 ulelong 0x00090388 (Soldier Front 2) +>4 ulelong 0x000701e6 (Stargate Worlds) +>4 ulelong 0x00000334 (Super Monday Night Combat) +>4 ulelong 0x000002c2 (The Ball) +>4 ulelong 0x000e0262 (The Exiled Realm of Arborea or TERA) +>4 ulelong 0x0000035b (The Five Cores) +>4 ulelong 0x00000349 (The Haunted: Hells Reach) +>4 ulelong 0x00000354 (Unmechanical) +>4 ulelong 0x035c0298 (Unreal Development Kit) +>4 ulelong 0x00000200 (Unreal Tournament 3) +>4 ulelong 0x0000032d (Waves) +>4 ulelong 0x003b034d (XCOM: Enemy Unknown) +# Newer versions insert more headers +>4 ulelong&0xFFFF <249 +>>12 lelong !0 \b, names: %d +>>28 lelong !0 \b, imports: %d +>>20 lelong !0 \b, exports: %d +>4 ulelong&0xFFFF >248 +>>12 belong&0xFF !0 +>>>12 string x \b, folder "%s" +>>>>&5 lelong !0 \b, names: %d +>>>>&21 lelong !0 \b, imports: %d +>>>>&13 lelong !0 \b, exports: %d +>>12 belong&0xFF 0 +>>>16 belong&0xFF !0 +>>>>16 string x \b, folder "%s" +>>>>>&5 lelong !0 \b, names: %d +>>>>>&21 lelong !0 \b, imports: %d +>>>>>&13 lelong !0 \b, exports: %d +>>>16 belong&0xFF 0 +>>>>20 string x \b, folder "%s" +>>>>>&5 lelong !0 \b, names: %d +>>>>>&21 lelong !0 \b, imports: %d +>>>>>&13 lelong !0 \b, exports: %d 0 string ESVG >4 lelong 0x00160000 @@ -510,3 +599,98 @@ >>0 ulelong&0xf =8 RDR 2, >>4 ulelong x %d bytes, >>>8 ulelong x %d entries + +# Blitz3D Model File Format +# From: Alexandre Iooss +# URL: https://github.com/minetest/B3DExport/blob/master/B3DExport.py +0 string BB3D +>4 lelong >0 +>>8 lelong >0 Blitz3D Model +!:ext b3d +>>>8 lelong x \b, version %d + +# Minetest Schematic File Format +# From: Alexandre Iooss +# URL: https://github.com/minetest/minetest/blob/5.6.1/src/mapgen/mg_schematic.h +0 string MTSM Minetest Schematic +!:ext mts +>4 ubeshort x \b, version %d +>6 ubeshort x \b, size [%d +>8 ubeshort x \b, %d +>10 ubeshort x \b, %d] + +# MagicaVoxel File Format +# From: Alexandre Iooss +# URL: https://github.com/ephtracy/voxel-model/blob/ee2216c28a78ebb68691dc6cfa9c4ba429117ea2/MagicaVoxel-file-format-vox.txt +# Note: This format is used in Veloren voxel RPG. +0 string VOX\x20 +>4 lelong >0 MagicaVoxel model +!:ext vox +>>4 lelong x \b, version %d + +# Wwise SoundBank +# From: Alexandre Iooss +# URL: https://wiki.xentax.com/index.php/Wwise_SoundBank_(*.bnk) +0 string BKHD +# Little-endian version (such as x86 PC) +>4 ulelong <0x100 Wwise SoundBank (little-endian) +!:ext bnk +>>0 use wwise_bkhd +# Big-endian version (such as PS3) +>4 ubelong <0x100 Wwise SoundBank (big-endian) +!:ext bnk +>>0 use \^wwise_bkhd + +0 name wwise_bkhd +>8 ulelong x \b, version %d +>12 ulelong x \b, id %08X +>16 ulelong =0x00 \b, SFX +>16 ulelong =0x01 \b, arabic +>16 ulelong =0x02 \b, bulgarian +>16 ulelong =0x03 \b, chinese (HK) +>16 ulelong =0x04 \b, chinese (PRC) +>16 ulelong =0x05 \b, chinese (Taiwan) +>16 ulelong =0x06 \b, czech +>16 ulelong =0x07 \b, danish +>16 ulelong =0x08 \b, dutch +>16 ulelong =0x09 \b, english (Australia) +>16 ulelong =0x0A \b, english (India) +>16 ulelong =0x0B \b, english (UK) +>16 ulelong =0x0C \b, english (US) +>16 ulelong =0x0D \b, finnish +>16 ulelong =0x0E \b, french (Canada) +>16 ulelong =0x0F \b, french (France) +>16 ulelong =0x10 \b, german +>16 ulelong =0x11 \b, greek +>16 ulelong =0x12 \b, hebrew +>16 ulelong =0x13 \b, hungarian +>16 ulelong =0x14 \b, indonesian +>16 ulelong =0x15 \b, italian +>16 ulelong =0x16 \b, japanese +>16 ulelong =0x17 \b, korean +>16 ulelong =0x18 \b, latin +>16 ulelong =0x19 \b, norwegian +>16 ulelong =0x1A \b, polish +>16 ulelong =0x1B \b, portuguese (Brazil) +>16 ulelong =0x1C \b, portuguese (Portugal) +>16 ulelong =0x1D \b, romanian +>16 ulelong =0x1E \b, russian +>16 ulelong =0x1F \b, slovenian +>16 ulelong =0x20 \b, spanish (Mexico) +>16 ulelong =0x21 \b, spanish (Spain) +>16 ulelong =0x22 \b, spanish (US) +>16 ulelong =0x23 \b, swedish +>16 ulelong =0x24 \b, turkish +>16 ulelong =0x25 \b, ukrainian +>16 ulelong =0x26 \b, vietnamese + +# Wwise Audio Package +# From: Alexandre Iooss +# URL: https://wiki.xentax.com/index.php/Wwise_Audio_PCK +0 string AKPK +# Little-endian version (such as x86 PC) +>8 ulelong <0x100 Wwise Audio Package (little-endian) +!:ext pck +# Big-endian version (such as PS3) +>8 ubelong <0x100 Wwise Audio Package (big-endian) +!:ext pck diff --git a/magic/Magdir/gentoo b/magic/Magdir/gentoo index f1a91acfedc..f988047ad40 100644 --- a/magic/Magdir/gentoo +++ b/magic/Magdir/gentoo @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: gentoo,v 1.2 2022/09/12 13:13:28 christos Exp $ +# $File: gentoo,v 1.5 2022/12/26 17:16:55 christos Exp $ # gentoo: file(1) magic for gentoo specific formats # # Summary: Gentoo ebuild Manifest files (GLEP 74) @@ -36,6 +36,7 @@ # ('s already been matched prior to calling) 0 name gentoo-manifest >&0 regex [[:space:]]+[[:print:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[[:alnum:]]+[[:space:]]+[[:xdigit:]]{32} Gentoo Manifest (GLEP 74) +!:mime application/vnd.gentoo.manifest # Summary: Gentoo ebuild and eclass files # Reference: https://projects.gentoo.org/pms/8/pms.html @@ -43,16 +44,20 @@ 0 search/512 EAPI= >0 regex .*\n[\040\t]*EAPI=["']? Gentoo ebuild >>&0 regex [[:alnum:]+_.-]+ \b, EAPI %s +!:mime application/vnd.gentoo.ebuild 0 search/512 @ECLASS:\040 Gentoo eclass >&0 string x %s +!:mime application/vnd.gentoo.eclass # Summary: Gentoo supplementary package and category metadata files # Reference: https://www.gentoo.org/glep/glep-0068.html # Submitted by: Michal Gorny 0 string \0 search/512 \0 search/512 \0 search/100 /gpkg-1\0 >>0 regex [^/]+ Gentoo GLEP 78 (GPKG) binary package for "%s" -!:mime application/x-tar +!:mime application/vnd.gentoo.gpkg !:ext tar # the logic below requires the gpkg-1 file to be empty >>>124 string 00000000000\0 diff --git a/magic/Magdir/geo b/magic/Magdir/geo index dda5f738311..1fde25e57be 100644 --- a/magic/Magdir/geo +++ b/magic/Magdir/geo @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: geo,v 1.8 2022/03/24 15:48:58 christos Exp $ +# $File: geo,v 1.10 2022/10/31 13:22:26 christos Exp $ # Geo- files from Kurt Schwehr ###################################################################### @@ -54,7 +54,43 @@ ###################################################################### # GeoAcoustics - GeoSwath Plus -4 beshort 0x2002 GeoSwath RDF +# Update: Joerg Jenderek +# URL: https://www.mbari.org/products/research-software/mb-system/ +# Reference: http://ccom.unh.edu/sites/default/files/news-and-events/conferences/auv-bootcamp/ +# GS%2B-6063-BB-GS%2B-Broadcast-Raw-Data-File-Format-Command-Specification.pdf +# Note: All data is written using Intel 80x86 byte ordering (LSB to MSB) +# raw_header_siz; file header size is 544 bytes +4 beshort 0x2002 +# GRR: line above is too general as it matches also some Microsoft Event Trace Logs *.ETL +# skip many (63/753) Microsoft Event Trace Logs (AMSITrace.etl lxcore_kernel.etl NotificationUxBroker.052.etl WindowsBackup.4.etl) with invalid "low" ping header size 0 +>6 leshort >0 GeoSwath RDF +# skip foo samples with invalid "high" spare bytes +#>>536 ulequad =0 OK_THIS_IS_GeoSwath_RDF +#!:mime application/octet-stream +!:mime application/x-geoswath-rdf +# http://ccom.unh.edu/sites/default/files/news-and-events/conferences/auv-bootcamp/060116342.rdf +!:ext rdf +# filename; original file name like: "C:\GS+\Projects\Default\Raw Data Files\060116342.rdf" +>>8 string x "%-.512s" +# version[8]; recording software version number like: 3.16c +>>527 string x \b, version %-.8s +# creation; unsigned int file creation time; WHAT time format is this? +>>0 ulelong x \b, creation time %#8.8x +# raw_ping_header_size; size of ping header in bytes like: 64 +>>6 leshort !64 \b, ping header size %d +# frequency; system frequency in hertz like: 500000 +>>520 lelong x \b, frequency %d +# echo_type; Echosounder type index like: 1 +>>524 leshort x \b, echo type %#x +# file_mode; file mode mask (0x00 bathy & sidescan, 0x80 bathy, 0x40 sidescan, 0x20 seismic) +>>526 ubyte !0 \b, file mode %#2.2x +# pps_mode; PPS synch mode like: 2 +>>535 byte x \b, pps mode %#x +# char spare[8]; apparently zeroed +>>536 ubequad !0 \b, spare %#16.16llx +# Ping_number; 1st ping number like: 4944 +>>544 lelong x \b, 1st ping number %d + 0 string Start:- GeoSwatch auf text file # Seabeam 2100 @@ -88,7 +124,7 @@ # ###################################################################### -# IVS - IVS3d.com Tagged Data Represetation +# IVS - IVS3d.com Tagged Data Representation 0 string %%\ TDR\ 2.0 IVS Fledermaus TDR file # http://www.ecma-international.org/publications/standards/Ecma-363.htm diff --git a/magic/Magdir/images b/magic/Magdir/images index 904a6a93856..48e9f6dabfc 100644 --- a/magic/Magdir/images +++ b/magic/Magdir/images @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: images,v 1.227 2022/09/11 20:58:52 christos Exp $ +# $File: images,v 1.243 2023/07/17 16:49:09 christos Exp $ # images: file(1) magic for image formats (see also "iff", and "c-lang" for # XPM bitmaps) # @@ -179,7 +179,7 @@ # adding 65 to strength so that Netpbm images comes before "x86 boot sector" or # "DOS/MBR boot sector" identified by ./filesystems 0 name netpbm ->3 regex/s =[0-9]{1,50}[\040\t\f\r\n]+[0-9]{1,50} Netpbm image data +>3 regex/s =\^[0-9]{1,50}[\040\t\f\r\n]+[0-9]{1,50} Netpbm image data >>&0 regex =[0-9]{1,50} \b, size = %s x >>>&0 regex =[0-9]{1,50} \b %s @@ -311,12 +311,12 @@ 0 string MM\x00\x2a TIFF image data, big-endian !:strength +70 !:mime image/tiff -!:ext tif,tiff +!:ext tif/tiff >(4.L) use \^tiff_ifd 0 string II\x2a\x00 TIFF image data, little-endian !:mime image/tiff !:strength +70 -!:ext tif,tiff +!:ext tif/tiff >(4.l) use tiff_ifd 0 name tiff_ifd @@ -625,7 +625,7 @@ >>8 string x "%s" # should be point character (2Eh) of version string according to TrID #>6 ubyte !0x2E \b, at 6 %#x -# caret character (23h) at the beginning in most or probaly all exanples +# caret character (23h) at the beginning in most or probably all examples #>0 ubyte !0x23 \b, starting with character %#x # URL: http://fileformats.archiveteam.org/wiki/DeskMate_Draw # http://en.wikipedia.org/wiki/Deskmate @@ -652,7 +652,86 @@ >24 string SunGKS \b, SunGKS # CGM image files -0 string BEGMF clear text Computer Graphics Metafile +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/CGM +# https://en.wikipedia.org/wiki/Computer_Graphics_Metafile +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cgm-ct.trid.xml +# http://standards.iso.org/ittf/PubliclyAvailableStandards/c032381_ISO_IEC_8632-4_1999(E).zip +# Note: called "Computer Graphics Metafile (Clear Text)" by TrID and +# "Computer Graphics Metafile ASCII" by DROID or CGM by XnView +# verified by LibreOffice and partly by XnView `nconvert -info *.CGM` +# According to TrID only letter B and M are always upcased and by DROID often only B is upcased for command BEGIN METAFILE +0 string/c begmf +# skip SOME DROID fmt-301-signature-id-359.cgm fmt-301-signature-id-361.cgm fmt-302-signature-id-364.cgm +# fmt-302-signature-id-365.cgm x-fmt-142-signature-id-350.cgm x-fmt-142-signature-id-351.cgm +>5 short !0 +# skip other versions of DROID fmt-301-signature-id-359.cgm fmt-301-signature-id-361.cgm fmt-302-signature-id-364.cgm +# fmt-302-signature-id-365.cgm x-fmt-142-signature-id-350.cgm x-fmt-142-signature-id-351.cgm +>>5 short !0xABab clear text Computer Graphics Metafile +# https://reposcope.com/mimetype/image/cgm +!:mime image/cgm +!:ext cgm +# SF:NAME like: 'metafile example'; +>>>5 string x %s +# look for command METAFILE VERSION (MFVERSION ) +>>>2 search/128/c mfversion +#>>>>&0 ubyte x SOFTSEP=%#x +# version like: 1 3 4 +>>>>&1 ubyte >0x31 \b, version %c +# Summary: Computer Graphics Metafile (binary) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cgm-bin.trid.xml +# https://standards.iso.org/ittf/PubliclyAvailableStandards/c032380_ISO_IEC_8632-3_1999(E).zip +# Note: called "Computer Graphics Metafile (binary)" by TrID and DROID or CGM by XnView +# verified by LibreOffice and partly by XnView `nconvert -info *.CGM` +# look for BEGIN METAFILE (element Class 0 and ID 1 and "random" Parameter) that is binary C C C C 0 0 0 0 0 0 1 P P P P P +0 ubeshort&0xFFe0 0x0020 +# skip SOME DROID fmt-303-signature-id-368.cgm fmt-304-signature-id-369.cgm fmt-305-signature-id-370.cgm fmt-306-signature-id-371.cgm +# with containing only 28 bytes +>28 ubyte x +# look for METAFILE VERSION (element class 1 and id 1 and parameter P1 with length 2) that is binary 0 0 0 1 i i i i i i 1 P P P 1 P +# with "low" version; 2nd worst case argentin.cgm with parameter length 56 +# worst MS.CGM +#>>2 search/73/b \x10\x22\0 binary Computer Graphics Metafile +>>2 search/128/b \x10\x22\0 binary Computer Graphics Metafile +!:mime image/cgm +!:ext cgm +# metafile 2 byte version number like: 1 (most) 2 3 4 +>>>&-1 ubeshort >1 \b, version %u +# length number of 1st parameter octets in range 0 to 30 implies short command +>>>0 ubeshort&0x001F <31 \b, parameter length %u +# length of string like: 8 9 10 11 12 29 +#>>>>2 ubyte x \b, %u BYTES (SHORT) +# string like: 'HiJaak 2' 'Example 1' 'sahara.cgm' 'MASTERCLIPS--Art Of Business ' +>>>>2 pstring >\0 '%s' +# after 1st short command with even parameter length comes 2nd command like: 1022h 0010h (EAF00010.CGM 'HiJaak 2' FLOPPY2.CGM TIGER.CGM 'B:\TIGER.CGM') +>>>>0 ubeshort&0x0001 =0 +>>>>>(2.b+3) ubeshort !0x1022 \b, 2nd command %#4.4x (short even) +# after 1st short command with odd parameter length comes nil padding byte followed 2nd command like: 1022h +>>>>0 ubeshort&0x0001 =1 +#>>>>>(2.b+3) ubyte !0 \b, PADDING %#x +>>>>>(2.b+4) ubeshort !0x1022 \b, 2nd command %#4.4x (short odd) +# 11111 binary (decimal 31) in the parameter field indicates that the command is in long-form +>>>0 ubeshort&0x001F =0x1F +# bit 15 is partition flag with 1 for 'not-last' partition and 0 for 'last' partition +>>>>2 ubeshort&0x8000 !0 \b, partition flag %#4.4x +# bits 0 to 14 is parameter list length; the number of following parameter octets; range 0 to 32767 +# length of 1st long command parameter like: 53 +>>>>2 ubeshort&0x7Fff x \b, parameter length %u (long) +# The two header words are then followed by lenghth of 1st string like: 52 +#>>>>4 ubyte x \b, %u BYTES +# string like: 'K:\PROJECTS\GRAPHICS\DWKS3.5\CLIPART\FLAGS\Italy.cgm' +>>>>4 pstring/B x '%s' +# odd long parameter length implies single null padding octet to start command on word boundary +>>>>2 ubeshort&0x0001 =1 +# after 1st long command with odd parameter length comes nil padding byte followed by 2nd command like: 1022h +#>>>>>(4.b+5) ubyte !0 \b, PADDING %#x +>>>>>(4.b+6) ubeshort !0x1022 \b, 2nd command %#4.4x (long odd) +# even long parameter length implies next command directly is following +>>>>2 ubeshort&0x0001 =0 +# after 1st long command with even parameter length comes 2nd command like: 1022h 0x1054 (MS.CGM) +>>>>>(4.b+5) ubeshort !0x1022 \b, 2nd command %#4.4x (long even) +# look for END METAFILE (element class 0 and id 2 and 0 parameter) that is binary 0 0 0 0 i i i i i 1 i P P P P P +>>>-2 ubeshort !0x0040 \b, NOT_FOUND_END_METAFILE # MGR bitmaps (Michael Haardt, u31b3hs@pool.informatik.rwth-aachen.de) 0 string yz MGR bitmap, modern format, 8-bit aligned @@ -1138,7 +1217,7 @@ 0 string /*\040 # 9 byte c-comment "/* XPM */" not at the beginning like: mozicon16.xpm mozicon50.xpm (thunderbird) >0 search/0xCE /*\ XPM\ */ -# skip DROID x-fmt-208-signature-id-620.xpm by looking for char aray without explict length +# skip DROID x-fmt-208-signature-id-620.xpm by looking for char array without explict length # and match mh-logo.xpm (emacs) >>&0 search/1249 [] >>>0 use xpm-image @@ -1146,7 +1225,7 @@ >0 default x # words are separated by a white space which can be composed of space and tabulation characters >>0 search/0x52 static\040char\040 -# skip debug.c testmlc.c by looking for char aray without explict length +# skip debug.c testmlc.c by looking for char array without explict length # https://www.clamav.net/downloads/production/clamav-0.104.2.tar.gz # clamav-0.104.2\libclammspack\mspack\debug.c >>>&0 search/64 [] @@ -1459,22 +1538,22 @@ # skip g3test.g3 by test for unused bits of 2nd color entry >>4 ubeshort&0xF000 0 #>>>0 beshort x 1ST_VALUE=%x ->>>-0 offset x FILE_SIZE=%lld +#>>>-0 offset x FILE_SIZE=%lld # standard DEGAS low-res uncompressed bitmap *.pi1 with file size 32034 ->>>-0 offset =32034 VARIANT_STANDARD +>>>-0 offset =32034 #>>>>0 beshort x 1st_VALUE=%x # like: 8ball.pi1 teddy.pi1 sonic01.pi1 >>>>0 use degas-bitmap # about 61 DEGAS Elite low-res uncompressed bitmap *.pi1 with file size 32066 ->>>-0 offset =32066 VARIANT_ELITE +>>>-0 offset =32066 # like: spider.pi1 pinkgirl.pi1 frog3.pi1 >>>>0 use degas-bitmap # about 55 DEGAS Elite low-res uncompressed bitmap *.pi1 with file size 32128 ->>>-0 offset =32128 VARIANT_3 +>>>-0 offset =32128 # like: mountain.pi1 bigspid.pi1 alf33.pi1 >>>>0 use degas-bitmap # 1 DEGAS Elite low-res uncompressed bitmap *.pi1 with file size 44834 ->>>-0 offset =44834 VARIANT_4 +>>>-0 offset =44834 # like: kenshin.pi1 >>>>0 use degas-bitmap # DEGAS mid-res uncompressed bitmap *.pi2 (strength=50) after GEM Images like: @@ -1483,19 +1562,17 @@ #!:strength +0 # skip many control files like gnucash-4.8.setup.exe.aria2 by test for non black in 4 palette entries >2 quad !0 -# skip control file load-v0001.aria2 by test for unused bits of 5th color palette entry ->>10 ubeshort&0xF000 0 -# skip many GEM Image data like DANCER.IMG GAMEOVR4.IMG SHIP.IMG by test for unused bits of 8th color palette entry ->>>16 ubeshort&0xF000 0 -# skip many GEM Image data like BEETHVEN.IMG CABINETS.IMG MEMO.IMG by test for unused bits of 14th color palette entry ->>>>28 ubeshort&0xF000 0 -# skip few GEM Image data like CHURCH.IMG by test for unused bits of 15th color palette entry ->>>>>30 ubeshort&0xF000 0 -# skip many GEM Image data like TIGER.IMG TURKEY.IMG XMAS.IMG by test for unused bits of 16th color palette entry ->>>>>>32 ubeshort&0xF000 0 -# skip GEM Image data like clinton.img by test for existing bytes at the end ->>>>>>>32026 quad x ->>>>>>>>0 use degas-bitmap +# skip control file load-v0001.aria2 and many GEM Image data like +# GAMEOVR4.IMG BEETHVEN.IMG CHURCH.IMG TURKEY.IMG clinton.img +# by test for valid file sizes +# standard DEGAS mid-res uncompressed bitmap *.pi2 with file size 32034 +>>-0 offset =32034 +# (39/41) like: GEMINI03.PI2 ST_TOOLS.PI2 TBX_DEMO.PI2 +>>>0 use degas-bitmap +# few DEGAS Elite mid-res uncompressed bitmap *.pi2 with file size 32066 +>>-0 offset =32066 +# (2/41) like: medres.pi2 +>>>0 use degas-bitmap # DEGAS high-res uncompressed bitmap *.pi3 0 beshort 0x0002 # skip Intel ia64 COFF msvcrt.lib by test for unused bits of 1st atari color palette entry @@ -1515,8 +1592,12 @@ # 00000000 "LEREDACT.PI3" 03730773 "TBX_DEMO.PI3" #>>>>&8 ubelong x \b, LAST CHAR+NIL %8.8x >>>>&8 ubelong&0xff00ffFF !0 +# skip many Adobe Photoshop Color swatch (ANPA-Farben.aco TOYO-Farbsystem.aco) with invalid 3rd color entry (1319 2201 2206 21f5 2480 24db 25fd) +>>>>>6 ubeshort&0xF000 0 +# skip few Adobe Photoshop Color swatch (FOCOLTONE-Farben.aco "PANTONE process coated.aco") with invalid 4th color entry (ffff) +>>>>>>8 ubeshort&0xF000 0 # many DEGAS bitmap like: ARABDEMO.PI3 ELMRSESN.PI3 GEMVIEW.PI3 LEREDACT.PI3 PICCOLO.PI3 REPRO_JR.PI3 ST_TOOLS.PI3 TBX_DEMO.PI3 evgem7.pi3 ->>>>>0 use degas-bitmap +>>>>>>>0 use degas-bitmap # test for last character of Adobe PhotoShop Brush UTF16-LE string and terminating nul char >>>>&8 ubelong&0xff00ffFF =0 # select last DEGAS bitmaps by invalid last char of brush note like BASICNES.PI3 DB_HELP.PI3 DB_WRITR.PI3 LEREDACT.PI3 @@ -1528,13 +1609,23 @@ 0 beshort 0x8000 # skip lif files handled via ./lif by test for unused bits of 1st palette entry >2 ubeshort&0xF000 0 ->>0 use degas-bitmap +# skip CRI ADX ADPCM audio (R04HT.adx R03T-15552.adx) with 44100 Hz misinterpreted as 5th color entry value AC44h +>>10 ubeshort&0xF000 0 +# skip few (fmt-840-signature-id-1195.adx fmt-840-signature-id-1199.adx) by test for 4 first non black colors in palette entries +>>>2 quad !0 +>>>>0 use degas-bitmap # DEGAS mid-res compressed bitmap *.pc2 like: abydos.pc2 ARTIS3.PC2 SMTHDRAW.PC2 STAR_2K.PC2 TX2_DEMO.PC2 0 beshort 0x8001 ->0 use degas-bitmap +# skip many (1274/1369) PostScript Type 1 font (DarkGardenMK.pfb coupbi.pfb MONOBOLD.PFB) with invalid 1st atari color palette entry 5506 5b06 6906 7906 7e06 fb15 +>2 ubeshort&0xF000 0 +# skip some (95/1369) PostScript Type 1 font (fmt-525-signature-id-816.pfb LUXEMBRG.PFB) with invalid 3rd atari color palette entry 2521 +>>6 ubeshort&0xF000 0 +>>>0 use degas-bitmap # DEGAS high-res compressed bitmap *.pc3 like: abydos.pc3 COYOTE.PC3 ELEPHANT.PC3 TX2_DEMO.PC3 SMTHDRAW.PC3 0 beshort 0x8002 ->0 use degas-bitmap +# skip some (36/212) Python Pickle (factor_cache.pickle environment.pickle) with invalid 1st atari color entry (2863 6363 7d71) +>2 ubeshort&0xF000 0 +>>0 use degas-bitmap # display information of Atari DEGAS and DEGAS Elite bitmap images 0 name degas-bitmap >0 ubyte x Atari DEGAS @@ -1620,6 +1711,19 @@ # channel_delay[4]; 128 - channel delay, timebase 1/60 s #>32058 ubequad !0 \b, channel delays %16.16llx +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/GED +# https://recoil.sourceforge.net/formats.html#Atari-8-bit +# Reference: https://sourceforge.net/projects/recoil/files/recoil/6.3.4/recoil-6.3.4.tar.gz +# recoil-6.3.4/recoil.c +# http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-ged.trid.xml +# Note: called "Atari GED bitmap" by TrID; file size 11302 +# and verified by RECOIL graphic tool +0 string \xFF\xFF0SO\x7F Atari GED bitmap, 160x200 +#!:mime application/octet-stream +!:mime image/x-atari-ged +!:ext ged + # From: Joerg Jenderek # URL: http://fileformats.archiveteam.org/wiki/ImageLab/PrintTechnic # Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-b_w.trid.xml @@ -1741,6 +1845,113 @@ >>>6 belong x 0x%8.8x >>>6 beshort x \b%4.4x +# From: Joerg Jenderek +# URL: https://www.adobe.com/devnet-apps/photoshop/fileformatashtml/ +# http://fileformats.archiveteam.org/wiki/Photoshop +# Reference: http://www.nomodes.com/aco.html +# Note: registers as Photoshop.SwatchesFile for Photoshop.exe on Windows +# check for valid versions like: 2 (newest) 1 (old) 0 (oldest no examples) +0 ubeshort <3 +# skip few Atari DEGAS med-res bitmap (DIAGRAM1.PI2) and many ISO 9660 CD-ROM by check for invalid low color numbers (0) +>2 ubeshort >0 +# skip few Targa (bmpsuite-15col.tga rgb24_top_left_colormap.tga) by check for invalid high color space ID (F0 1D) +>>4 ubeshort <16 +# skip many (69/327) Targa image *.TGA by check of accessing near the ending of first color space section (size=nc*5*2) +>>>(2.S*10) ubelong x +# RGB branch for Adobe Photoshop Color swatch +>>>>4 ubeshort =0 +# skip many (220/327) Targa by check of for invalid high RGB color z value (hexadecimal 2 3 2e03 4600 5e04 7502 8002 8b05 c700) +>>>>>12 ubeshort =0 +# RGB branch for Adobe Photoshop Color swatch for older versions +>>>>>>0 ubeshort <2 +>>>>>>>0 use adobe-aco +# RGB branch for Adobe Photoshop Color swatch for newer version 2 +>>>>>>0 ubeshort =2 +# skip many (74/176) Atari DEGAS hi-res bitmap (*.PI3) by check for invalid low color name length (0) +>>>>>>>16 ubeshort >0 +>>>>>>>>0 use adobe-aco +# non RGB branch for Adobe Photoshop Color swatch +>>>>4 ubeshort !0 +# non RGB branch for Adobe Photoshop Color swatch for older versions +>>>>>0 ubeshort <2 +# skip many GEM Image (CHURCH.IMG TIGER.IMG) by check for invalid second high color space ID (55 114 143 157 256 288 450) +>>>>>>14 ubeshort <16 +>>>>>>>0 use adobe-aco +# non RGB branch for Adobe Photoshop Color swatch for newer version 2 +>>>>>0 ubeshort =2 +# skip few Atari DEGAS hi-res bitmap (pal1wb-blue.pi3) and few ABR by check for invalid "high" nil bytes (7) before color name length +>>>>>>14 ubeshort =0 +>>>>>>>0 use adobe-aco +# display Adobe Photoshop Color swatch file information (version, number of colors, color spaces, coordinates, names) +0 name adobe-aco +>0 ubeshort x Adobe Photoshop Color swatch, version %u +#!:mime application/octet-stream +!:mime application/x-adobe-aco +!:apple ????8BCO +!:ext aco +>0 ubeshort <2 +>>(2.S*10) ubelong x +# version 2 section after version 1 section +>>>&0 ubeshort 2 and 2 +# nc; number of colors like: 20 50 86 88 126 204 300 1050 1137 1280 2092 3010 4096 +>2 ubeshort x \b, %u colors +# maybe last 4 bytes of first section (probably y z color value) like: 0 0x66660000 0xfe700000 0xffff0000 +#>(2.S*10) ubelong x 1ST_SECTION_END=%#8.8x +>0 ubeshort <2 \b; 1st +# first older Adobe Photoshop Color entry +>>4 use aco-color +>>>2 ubeshort >1 \b; 2nd +# second older Adobe Photoshop Color entry +>>>>14 use aco-color +>0 ubeshort =2 \b; 1st +# first new Adobe Photoshop Color entry +>>4 use aco-color-v2 +>>>2 ubeshort >1 \b; 2nd +# jump first color name length words +>>>>(16.S*2) ubequad x +# second new Adobe Photoshop Color entry +>>>>>&10 use aco-color-v2 +# display Adobe Photoshop Color entry (color space, color coordinates) +0 name aco-color +# each color spec entry occupies five words +# color space: 0~RGB 1~HSB 2~CMYK 3~Pantone 4~Focoltone 5~Trumatch 6~Toyo 7~Lab 8~Grayscale 9?~wideCMYK 10~HKS ... +#>0 ubeshort x COLOR_ENTRY +>0 ubeshort 0 RGB +>0 ubeshort 1 HSB +>0 ubeshort 2 CMYK +>0 ubeshort 3 Pantone +>0 ubeshort 4 Focoltone +>0 ubeshort 5 Trumatch +>0 ubeshort 6 Toyo +>0 ubeshort 7 Lab +>0 ubeshort 8 Grayscale +>0 ubeshort 9 wide CMYK +>0 ubeshort 10 HKS +# unofficial +# >0 ubeshort 12 foo +# >0 ubeshort 13 bar +# >0 ubeshort 14 FOO +# >0 ubeshort 15 BAR +>0 ubeshort x space (%u) +# color coordinate w +>2 ubeshort x \b, w %#x +# color coordinate x +>4 ubeshort x \b, x %#x +# color coordinate y +>6 ubeshort x \b, y %#x +# color coordinate z; zero for RGB space +>8 ubeshort x \b, z %#x +# display Adobe Photoshop Color entry version 2 (color space, color coordinates names) +0 name aco-color-v2 +>0 use aco-color +#>10 ubeshort x \b, NUL_BYTES %#x +# color name length plus one (len+1) like: 7 8 9 13 14 15 16 17 22 26 +#>>12 ubeshort x \b, LENGTH %u +>>12 ubeshort-1 x \b, %u chars +# len words; UTF-16 representation of the color name like: "DIC 1s" "PANTONE Process Yellow PC" +>>14 bestring16 x "%s" +# followed by nil word + # XV thumbnail indicator (ThMO) # URL: https://en.wikipedia.org/wiki/Xv_(software) # Reference: http://fileformats.archiveteam.org/wiki/XV_thumbnail @@ -2351,7 +2562,7 @@ # URL: http://local.wasp.uwa.edu.au/~pbourke/dataformats/pic/ # Radiance HDR; usually has .pic or .hdr extension. 0 string #?RADIANCE\n Radiance HDR image data -#!mime image/vnd.radiance +!:mime image/vnd.radiance # From: Adam Buchbinder # URL: https://www.mpi-inf.mpg.de/resources/pfstools/pfs_format_spec.pdf @@ -2537,6 +2748,7 @@ # BS encoded bitstreams 2 uleshort 0x3800 BS image, +# GRR: the above line is also true for binary Computer Graphics Metafile SAB00012.CGM with long parameter length 56 (=38h) >6 uleshort x Version %d, >4 uleshort x Quantization %d, >0 uleshort x (Decompresses to %d words) @@ -3720,6 +3932,29 @@ # display ICC/ICM color profile by ./icc #>>>0x154 use color-profile +# URL: http://fileformats.archiveteam.org/wiki/CorelDRAW +# https://en.wikipedia.org/wiki/CorelDRAW +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cdr-gen.trid.xml +# Note: called "CorelDRAW drawing (generic)" by TrID +# version til 2 WL-based; from version 3 til 13 handled by ./riff and from 14 zip based handled by ./archive +0 ubelong&0xFFffF7ff 0x574C6500 Corel Draw Picture +#!:mime image/x-coreldraw +!:mime application/vnd.corel-draw +!:ext cdr +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cdr-corel-10.trid.xml +# Note: called "CorelDRAW drawing (v1.0)" by TrID and +# "CorelDraw Drawing" with version "1.0" by DROID via PUID fmt/467 +# only DROID fmt-467-signature-id-726.cdr example +>2 ubyte 0x65 \b, version 1.0 +#>>4 ubelong !0x45000000 \b, at 4 %#8.8x +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/cdr-corel-20.trid.xml +# Note: called "CorelDRAW drawing (v2.0)" by TrID and +# "CorelDraw Drawing" with version "2.0" by DROID via PUID fmt/466 +>2 ubyte 0x6D \b, version 2.0 +# According to DROID 0xed080000 or 0x25050000 +#>>4 ubelong !0xed080000 +#>>>4 ubelong !0x25050000 \b, at 4 %#8.8x + # Type: Crunch compressed texture. # From: David Korth # References: @@ -3937,3 +4172,48 @@ #!:mime application/octet-stream !:mime image/x-idf !:ext idf + +# Type: ColoRIX VGA Paint Image File (.rix/.sci/.scX) +# From: Eddy Jansson +# Reference: https://www.fileformat.info/format/rix/spec/ +# +0 name rix-header +>0 uleshort x \b, %u x +>2 uleshort x %u +# palette type: +# .. if direct color, low bits encode bpp +>4 ubyte&128 0 +>>4 ubyte&127 x \b %u bpp (direct color) +# .. else palette +>4 ubyte&128 128 +>>4 ubyte&7 0 \b x 2 +>>4 ubyte&7 1 \b x 4 +>>4 ubyte&7 2 \b x 8 +>>4 ubyte&7 3 \b x 16 +>>4 ubyte&7 4 \b x 32 +>>4 ubyte&7 5 \b x 64 +>>4 ubyte&7 6 \b x 128 +>>4 ubyte&7 7 \b x 256 +# storage type +#>5 ubyte&15 0 \b, Linear +>5 ubyte&15 1 \b, Planar (0213) +>5 ubyte&15 2 \b, Planar +>5 ubyte&15 3 \b, Text +>5 ubyte&15 4 \b, Planar lines +>5 ubyte&128 128 \b (compressed) +>5 ubyte&64 64 \b (extension) +>5 ubyte&32 32 \b (encrypted) + +0 string RIX3 ColoRIX Image +>4 use rix-header + +0 string RIX7 ColoRIX Slideshow + +# http://fileformats.archiveteam.org/wiki/PaperPort_(MAX) +0 string ViG Visioneer PaperPort +>3 string Ae 2 +>3 string Be 2 +>3 string Cj 3-4 +>3 string Em 5-7 +>3 string Fk 8-12 +>3 default x MAX diff --git a/magic/Magdir/intel b/magic/Magdir/intel index 2b57fd1b246..5177fea4578 100644 --- a/magic/Magdir/intel +++ b/magic/Magdir/intel @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: intel,v 1.22 2022/04/02 14:47:42 christos Exp $ +# $File: intel,v 1.23 2022/10/31 13:22:26 christos Exp $ # intel: file(1) magic for x86 Unix # # Various flavors of x86 UNIX executable/object (other than Xenix, which @@ -141,7 +141,7 @@ # e80d0fcbh PXE-Intel.rom # b8004875h orchid.bin >>3 ubelong x %#8.8x -# For misidetified raspberry pi pieeprom-*.bin like: 0xf00f +# For misidentified raspberry pi pieeprom-*.bin like: 0xf00f #>2 ubeshort x \b, AT 2 %#4.4x ################################################################################ # new sections for BIOS (ia32) ROM Extension @@ -230,12 +230,12 @@ # PCI data structure length like: 24h 28h >>(24.s+0xA) uleshort >0x28 \b, length %u # PCI data structure revision like: 0 3 ->>(24.s+0xC) ubyte >0 \b, revison %u +>>(24.s+0xC) ubyte >0 \b, revision %u # image length (hexadecimal) in multiple of 512 bytes like: 54 56 68 6a 76 78 7c 7d 7e 7f 80 81 83 # Apparently this gives the same information as given by byte at offset 2 but as 16-bit #>>(24.s+0x10) uleshort x \b, length %u*512 # revision level of code/data like: 0 1 201h 502h ->>(24.s+0xC) ubyte >1 \b, code revison %#x +>>(24.s+0xC) ubyte >1 \b, code revision %#x # code type: 0~Intel x86/PC-AT compatible 1~Open firmware standard for PCI42 FF~Reserved >>(24.s+0x14) ubyte >0 \b, code type %#x # last image indicator; bit 7 indicates "last image"; bits 0-6 are reserved diff --git a/magic/Magdir/java b/magic/Magdir/java index b9854e54c15..d3612755351 100644 --- a/magic/Magdir/java +++ b/magic/Magdir/java @@ -1,6 +1,6 @@ #------------------------------------------------------------ -# $File: java,v 1.21 2019/02/18 17:58:50 christos Exp $ +# $File: java,v 1.22 2023/01/11 23:59:49 christos Exp $ # Java ByteCode and Mach-O binaries (e.g., Mac OS X) use the # same magic number, 0xcafebabe, so they are both handled # in the entry called "cafebabe". @@ -43,3 +43,10 @@ >6 leshort >0x00 \b, version %d >4 leshort x \b.%d !:mime application/x-java-image + +# JAR Manifest & Signature File +# Reference: https://docs.oracle.com/javase/8/docs/technotes/guides/jar/jar.html +0 string/t Manifest-Version:\x201.0 JAR Manifest +!:ext MF +0 string/t Signature-Version:\x201.0 JAR Signature File +!:ext SF diff --git a/magic/Magdir/javascript b/magic/Magdir/javascript index dcb5a93767f..90a09cce46a 100644 --- a/magic/Magdir/javascript +++ b/magic/Magdir/javascript @@ -1,20 +1,70 @@ #------------------------------------------------------------------------------ -# $File: javascript,v 1.4 2022/09/02 08:08:17 christos Exp $ +# $File: javascript,v 1.5 2023/01/12 00:02:16 christos Exp $ # javascript: magic for javascript and node.js scripts. # -0 string/w #!/bin/node Node.js script text executable +0 string/tw #!/bin/node Node.js script executable !:mime application/javascript -0 string/w #!/usr/bin/node Node.js script text executable +0 string/tw #!/usr/bin/node Node.js script executable !:mime application/javascript -0 string/w #!/bin/nodejs Node.js script text executable +0 string/tw #!/bin/nodejs Node.js script executable !:mime application/javascript -0 string/w #!/usr/bin/nodejs Node.js script text executable +0 string/tw #!/usr/bin/nodejs Node.js script executable !:mime application/javascript -0 string #!/usr/bin/env\ node Node.js script text executable +0 string/t #!/usr/bin/env\ node Node.js script executable !:mime application/javascript -0 string #!/usr/bin/env\ nodejs Node.js script text executable +0 string/t #!/usr/bin/env\ nodejs Node.js script executable !:mime application/javascript + +# JavaScript +# The strength is increased to beat the C++ & HTML rules +0 search "use\x20strict" JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 search 'use\x20strict' JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex module(\\.|\\[["'])exports.*= JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex \^(const|var|let).*=.*require\\( JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex \^export\x20(function|class|default|const|var|let|async)\x20 JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex \\((async\x20)?function[(\x20] JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex \^(import|export).*\x20from\x20 JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex \^(import|export)\x20["']\\./ JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex \^require\\(["'] JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js +0 regex typeof.*[!=]== JavaScript source +!:strength +30 +!:mime application/javascript +!:ext js + +# React Native minified JavaScript +0 search/128 __BUNDLE_START_TIME__= React Native minified JavaScript +!:strength +30 +!:mime application/javascript +!:ext bundle/jsbundle + # Hermes by Facebook https://hermesengine.dev/ # https://github.com/facebook/hermes/blob/master/include/hermes/\ # BCGen/HBC/BytecodeFileFormat.h#L24 diff --git a/magic/Magdir/jpeg b/magic/Magdir/jpeg index 2a34a5fd347..9cebadad70d 100644 --- a/magic/Magdir/jpeg +++ b/magic/Magdir/jpeg @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: jpeg,v 1.37 2022/06/17 18:03:35 christos Exp $ +# $File: jpeg,v 1.38 2022/12/02 17:42:04 christos Exp $ # JPEG images # SunOS 5.5.1 had # @@ -239,8 +239,7 @@ # Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jxl.trid.xml # Note: called by TrID "JPEG XL bitmap" 0 string \xff\x0a JPEG XL codestream -#!:mime image/jxl -!:mime image/x-jxl +!:mime image/jxl !:ext jxl # JPEG XL (transcoded JPEG file) @@ -249,6 +248,5 @@ # Reference: http://mark0.net/download/triddefs_xml.7z/defs/b/bitmap-jxl-iso.trid.xml # Note: called by TrID "JPEG XL bitmap (ISOBMFF)" 0 string \x00\x00\x00\x0cJXL\x20\x0d\x0a\x87\x0a JPEG XL container -#!:mime image/jxl -!:mime image/x-jxl +!:mime image/jxl !:ext jxl diff --git a/magic/Magdir/lif b/magic/Magdir/lif index 89d7a861162..3474a48d231 100644 --- a/magic/Magdir/lif +++ b/magic/Magdir/lif @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: lif,v 1.10 2021/04/26 15:56:00 christos Exp $ +# $File: lif,v 1.11 2022/10/19 20:15:16 christos Exp $ # lif: file(1) magic for lif # # (Daniel Quinlan ) @@ -16,9 +16,9 @@ >14 beshort =0 # skip MUNCHIE.PC1 BOARD.PC1 ENEMIES.PC1 by test for low version number >>20 ubeshort <0x0100 -# skip DEGAS MUNCHIE.PC1 BOARD.PC1 ENEMIES.PC1 by test for ASCII like volume name -#>>>2 ubelong >0x2020201F ->>>0 use lif-file +# skip DROID fmt-840-signature-id-1195.adx fmt-840-signature-id-1199.adx by test for ASCII like volume name +>>>2 ubelong >0x2020201F +>>>>0 use lif-file 0 name lif-file # LIF ID >0 beshort x lif file @@ -27,6 +27,7 @@ !:ext lif/hpi/dat # volume label; A-Z 0-9 _ ; default are 6 spaces >2 string x "%.6s" +#>2 ubelong x LABEL=%8.8x # version number; 0 for systems without extensions or 1 for model 64000 >20 ubeshort x \b, version %u # LIF identifier; 010000 for system 3000 diff --git a/magic/Magdir/linux b/magic/Magdir/linux index c715de61b1b..ae181148dfb 100644 --- a/magic/Magdir/linux +++ b/magic/Magdir/linux @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: linux,v 1.82 2022/09/07 11:23:44 christos Exp $ +# $File: linux,v 1.85 2023/07/17 14:40:09 christos Exp $ # linux: file(1) magic for Linux files # # Values for Linux/i386 binaries, from Daniel Quinlan @@ -67,8 +67,8 @@ >16 lelong x %d characters, >12 lelong&0x01 0 no directory, >12 lelong&0x01 !0 Unicode directory, ->24 lelong x %d ->28 lelong x \bx%d +>28 lelong x %d +>24 lelong x \bx%d # Linux swap and hibernate files # Linux kernel: include/linux/swap.h @@ -380,26 +380,96 @@ # Systemd journald files # See https://www.freedesktop.org/wiki/Software/systemd/journal-files/. # From: Zbigniew Jedrzejewski-Szmek - -# check magic +# Update: Joerg Jenderek +# URL: https://systemd.io/JOURNAL_FILE_FORMAT/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/j/journal-sysd.trid.xml +# Note: called "systemd journal" by TrID +# verified by `journalctl --file=user-1000.journal` +# check magic signature[8] 0 string LPKSHHRH # check that state is one of known values +# STATE_OFFLINE~0 STATE_ONLINE~1 STATE_ARCHIVED~2 >16 ubyte&252 0 # check that each half of three unique id128s is non-zero +# file_id >>24 ubequad >0 >>>32 ubequad >0 +# machine_id >>>>40 ubequad >0 >>>>>48 ubequad >0 +# boot_id; last writer >>>>>>56 ubequad >0 >>>>>>>64 ubequad >0 Journal file -!:mime application/octet-stream +#!:mime application/octet-stream +!:mime application/x-linux-journal # provide more info +# head_entry_realtime; contains a POSIX timestamp stored in microseconds +>>>>>>>>184 leqdate/1000000 !0 \b, %s >>>>>>>>184 leqdate 0 empty ->>>>>>>>16 ubyte 0 \b, offline ->>>>>>>>16 ubyte 1 \b, online +# If a file is closed after writing the state field should be set to STATE_OFFLINE +>>>>>>>>16 ubyte 0 \b, +# for offline and empty only journal~ extension found +>>>>>>>>>184 leqdate 0 offline +# https://man7.org/linux/man-pages/man8/systemd-journald.service.8.html +# GRR: add char ~ inside parse_ext in ../../src/apprentice.c to avoid in file version 5.44 error like: +# Magdir/linux, 463: Warning: EXTENSION type ` journal~' has bad char '~' +!:ext journal~ +# for offline and non empty often *.journal~ but also user-1001.journal +>>>>>>>>>184 leqdate !0 offline +!:ext journal/journal~ +# if a file is opened for writing the state field should be set to STATE_ONLINE +>>>>>>>>16 ubyte 1 \b, +# for online and empty only journal~ extension found +>>>>>>>>>184 leqdate 0 online +# system@0005febee06e2ff2-f7ea54d10e4346ff.journal~ +!:ext journal~ +# for online and non empty only journal extension found +>>>>>>>>>184 leqdate !0 online +# system.journal user-1000.journal +!:ext journal +# after a file has been rotated it should be set to STATE_ARCHIVED >>>>>>>>16 ubyte 2 \b, archived +!:ext journal +# no *.journal~ found +#!:ext journal/journal~ +# compatible_flags >>>>>>>>8 ulelong&1 1 \b, sealed +# incompatible_flags; COMPRESSED_XZ~1 COMPRESSED_LZ4~2 KEYED_HASH~4 COMPRESSED_ZSTD~8 COMPACT~16 +#>>>>>>>>12 ulelong x FLAGS=%#x >>>>>>>>12 ulelong&1 1 \b, compressed +>>>>>>>>12 ulelong&2 !0 \b, compressed lz4 +>>>>>>>>12 ulelong&4 !0 \b, keyed hash siphash24 +>>>>>>>>12 ulelong&8 !0 \b, compressed zstd +>>>>>>>>12 ulelong&16 !0 \b, compact +# uint8_t reserved[7]; apparently nil +#>>17 long !0 \b, reserved %#8.8x +# seqnum_id; like: 0 e623691afec94b5aa968ae2d726c49cc f98b2af481924b29 8d6816ca3639edc6 +#>>>>>>>>72 ubequad x \b, seqnum_id %#16.16llx +#>>>>>>>>80 ubequad x b%16.16llx +# header_size like: 100h +>>>>>>>>88 ulequad !0x100h \b, header size %#llx +# arena_size like: 0 7fff00h ffff00h 17fff00h +#>>>>>>>>96 ulequad >0 \b, arena size %#llx +# data_hash_table_offset like: 0 15f0h 15f0h +#>>>>>>>>104 ulequad >0 \b, hash table offset %#llx +# data_hash_table_size like: 0 38e380h +#>>>>>>>>112 ulequad >0 \b, hash table size %#llx +# field_hash_table_offset like: 0 110h +#>>>>>>>>120 ulequad >0 \b, field hash table offset %#llx +# field_hash_table_size like: 0 14d0h +#>>>>>>>>128 ulequad >0 \b, field hash table size %#llx +# tail_object_offset like: 0 43edd8h 511278h c68968h d487d0h efaa98h +#>>>>>>>>136 ulequad >0 \b, tail object offset %#llx +# n_objects like: 0 1032h 5a2eh 92bdh a8b5h aa75h 112adh 40c23h 4714eh +#>>>>>>>>144 ulequad >0 \b, objects %#llx +# n_entries like: 0 3aeh 235ah 2dc4h 3125h 16129h 187a1h +>>>>>>>>152 ulequad >0 \b, entries %#llx +# tail_entry_seqnum like: 0 1988h 16249h 24c12h 24c12h 41e64h 9fefdh +#>>>>>>>>160 ulequad >0 \b, tail entry seqnum %#llx +# head_entry_seqnum like: 0 1h 15dbh 6552h 213bfh 213bfh 3e672h 9a28ah +#>>>>>>>>168 ulequad >0 \b, head entry seqnum %#llx +# entry_array_offset like: 0 390058h 3909d8h 3909e0h +#>>>>>>>>176 ulequad >0 \b, entry array offset %#llx # BCache backing and cache devices # From: Gabriel de Perthuis @@ -492,9 +562,12 @@ 0 lelong 0x58313116 CRIU inventory # Kdump compressed dump files -# https://sourceforge.net/p/makedumpfile/code/ci/master/tree/IMPLEMENTATION +# https://github.com/makedumpfile/makedumpfile/blob/master/IMPLEMENTATION -0 string KDUMP Kdump compressed dump +0 string KDUMP\x20\x20\x20 Kdump compressed dump +>0 use kdump-compressed-dump + +0 name kdump-compressed-dump >8 long x v%d >12 string >\0 \b, system %s >77 string >\0 \b, node %s @@ -503,6 +576,12 @@ >272 string >\0 \b, machine %s >337 string >\0 \b, domain %s +# Flattened format +0 string makedumpfile +>16 bequad 1 +>>0x1010 string KDUMP\x20\x20\x20 Flattened kdump compressed dump +>>>0x1010 use kdump-compressed-dump + # Device Tree files 0 search/1024 /dts-v1/ Device Tree File (v1) # beat c code diff --git a/magic/Magdir/llvm b/magic/Magdir/llvm index 2691ef1ac92..6befe7a8bf0 100644 --- a/magic/Magdir/llvm +++ b/magic/Magdir/llvm @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: llvm,v 1.9 2019/04/19 00:42:27 christos Exp $ +# $File: llvm,v 1.10 2023/03/11 17:54:17 christos Exp $ # llvm: file(1) magic for LLVM byte-codes # URL: https://llvm.org/docs/BitCodeFormat.html # From: Al Stone @@ -9,6 +9,7 @@ 0 string llvc0 LLVM byte-codes, null compression 0 string llvc1 LLVM byte-codes, gzip compression 0 string llvc2 LLVM byte-codes, bzip2 compression +0 string CPCH LLVM Pre-compiled header file 0 lelong 0x0b17c0de LLVM bitcode, wrapper # Are these Mach-O ABI values? They appear to be. diff --git a/magic/Magdir/macintosh b/magic/Magdir/macintosh index 905e4d6e150..a74aac487ca 100644 --- a/magic/Magdir/macintosh +++ b/magic/Magdir/macintosh @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: macintosh,v 1.32 2021/04/26 15:56:00 christos Exp $ +# $File: macintosh,v 1.36 2022/12/06 18:45:20 christos Exp $ # macintosh description # # BinHex is the Macintosh ASCII-encoded file format (see also "apple") @@ -95,7 +95,10 @@ # MacBinary format (Eric Fischer, enf@pobox.com) # Update: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/MacBinary +# http://fileformats.archiveteam.org/wiki/MacBinary # Reference: https://files.stairways.com/other/macbinaryii-standard-info.txt +# Note: verified by macutils `macunpack -i -v BBEdit4.0.sit.bin` and +# `deark -l -d -m macbinary G3FirmwareUpdate1.1.smi.bin` # # Unfortunately MacBinary doesn't really have a magic number prior # to the MacBinary III format. @@ -114,19 +117,19 @@ >>>>74 byte 0 # zero fill, must be zero for compatibility >>>>>82 byte 0 +# skip few DEGAS mid-res uncompressed bitmap (GEMINI03.PI2 CODE_RAM.PI2) with "too high" file names ffffff88 ffff4f00 +>>>>>>2 ubelong <0xffff0000 # MacBinary I test for valid version numbers ->>>>>>122 ubeshort 0 -# additional check for creation date after 1 Jan 1970 ~ 7C25B080h -#>>>>>>>91 ubelong >0x7c25b07F +>>>>>>>122 ubeshort 0 # additional check for undefined header fields in MacBinary I -#>>>>>>>101 ulong 0 ->>>>>>>0 use mac-bin +#>>>>>>>>101 ulong 0 +>>>>>>>>0 use mac-bin # MacBinary II the newer versions begins at 129 ->>>>>>122 ubeshort 0x8181 ->>>>>>>0 use mac-bin +>>>>>>>122 ubeshort 0x8181 +>>>>>>>>0 use mac-bin # MacBinary III with MacBinary II to read ->>>>>122 ubeshort 0x8281 ->>>>>>0 use mac-bin +>>>>>>122 ubeshort 0x8281 +>>>>>>>0 use mac-bin # display information of MacBinary file 0 name mac-bin @@ -139,7 +142,7 @@ !:mime application/x-macbinary !:apple PSPTBINA !:ext bin/macbin -# THIS SHOULD NEVER HAPPEN! Maybe another file type is misidetified as MacBinary +# THIS SHOULD NEVER HAPPEN! Maybe another file type is misidentified as MacBinary #>1 ubyte >63 \b, name length %u too BIG! #>122 ubeshort x \b, version %#x # Finder flags if not 0 @@ -180,12 +183,16 @@ # 124 beshort # checksum #>124 ubeshort !0 \b, CRC %#x # creation date in seconds since MacOS epoch start. So 1 Jan 1970 ~ 7C25B080 ->91 beldate-0x7C25B080 x \b, %s -# THIS SHOULD NEVER HAPPEN! Maybe another file type is misidetified or time overflow +# few (31/1247) examples (hinkC4.0.sitx.bin InternetExplorer5.1.smi.bin G3FirmwareUpdate1.1.smi.bin Firewire2.3.3.smi.bin LR2image.bin) contain zeroed date fields +>91 long !0 +>>91 beldate-0x7C25B080 x \b, %s +# THIS SHOULD NEVER HAPPEN! Maybe another file type is misidentified or time overflow >91 ubelong <0x7c25b080 INVALID date -#>91 belong-0x7C25B080 x \b, DEBUG DATE %d +# reported date seconds by deark +#>91 ubelong x deark-DATE=%u # last modified date ->95 beldate-0x7C25B080 x \b, modified %s +>95 long !0 +>>95 beldate-0x7C25B080 x \b, modified %s # Apple creator+typ if not null # file creator (normally expressed as four characters) >69 ulong !0 \b, creator @@ -197,6 +204,7 @@ # length of data segment >83 ubelong !0 \b, %u bytes # filename (in the range 1-63) +# like "BBEdit4.0.sit" "Archive.sitx" "MacPGP 2.2 (.sea)" >1 pstring x "%s" # print 1 space and then at offset 128 inspect data fork content if it has one >83 ubelong !0 \b @@ -447,7 +455,7 @@ >>>0x412 beshort x number of blocks: %d, >>>0x424 pstring x volume name: %s -0x400 beshort 0x482B Macintosh HFS Extended +0 name hfsplus >&0 beshort x version %d data >0 beshort 0x4C4B (bootable) >0x404 belong ^0x00000100 (mounted) @@ -466,6 +474,11 @@ >&42 belong x number of blocks: %d, >&46 belong x free blocks: %d +0x400 beshort 0x482B Apple HFS Plus +>&0 use hfsplus +0x400 beshort 0x4858 Apple HFS Plus Extended +>&0 use hfsplus + ## AFAIK, only the signature is different # same as Apple Partition Map # GRR: This magic is too weak, it is just "TS" @@ -490,14 +503,3 @@ # From: Remi Mommsen 0 string BOMStore Mac OS X bill of materials (BOM) file -# From: Adam Buchbinder -# URL: https://en.wikipedia.org/wiki/Datafork_TrueType -# Derived from the 'fondu' and 'ufond' source code (fondu.sf.net). 'sfnt' is -# TrueType; 'POST' is PostScript. 'FONT' and 'NFNT' sometimes appear, but I -# don't know what they mean. -0 belong 0x100 ->(0x4.L+24) beshort x ->>&4 belong 0x73666e74 Mac OSX datafork font, TrueType ->>&4 belong 0x464f4e54 Mac OSX datafork font, 'FONT' ->>&4 belong 0x4e464e54 Mac OSX datafork font, 'NFNT' ->>&4 belong 0x504f5354 Mac OSX datafork font, PostScript diff --git a/magic/Magdir/magic b/magic/Magdir/magic index 0de332aa3bf..c8aa054b722 100644 --- a/magic/Magdir/magic +++ b/magic/Magdir/magic @@ -1,10 +1,71 @@ #------------------------------------------------------------------------------ -# $File: magic,v 1.10 2010/11/25 15:00:12 christos Exp $ +# $File: magic,v 1.11 2023/06/27 13:42:49 christos Exp $ # magic: file(1) magic for magic files # -0 string/t #\ Magic magic text file for file(1) cmd +# Update: Joerg Jenderek +# skip Magicsee_R1.cfg found on retropie starting with # Magicsee R1 one-handed controller +0 string/t #\ Magic\ magic text file for file(1) cmd +#!:mime text/plain +!:mime text/x-file +# no suffix in ../Header +!:ext / +# +# some samples start with a comment line +0 ubyte =0x23 +# many samples start with separator line +>4 string -------- +>>0 use magic-fragment +# few samples with 1st comment line and without seperator comment line +>4 default x +# few sample with 1st comment line and without seperator comment line and regular expression like: sisu +>>1 search/112 regex\x09 +>>>0 use magic-fragment +>>1 default x +# few samples with 1st comment line and without seperator comment line and string value like: +# blcr bsi selinux ssh (file 3.34) digital gnu wordperfect +>>>1 search/471 string\x09 +>>>>0 use magic-fragment +>>>1 default x +# few samples with 1st comment line and without seperator comment line and short value like: +# (file 3.34) os9 osf1 +>>>>1 search/1716 short\x09 +>>>>>0 use magic-fragment +# but many samples start with an empty first line +0 ubyte =0x0A +# many samples sttart with separator comment line +>4 string -------- +>>0 use magic-fragment +# few samples with 1st empty line and without seperator comment line like: biosig espressif +>4 default x +>>1 search/581 \041:mime +>>>0 use magic-fragment +# display information (lines) about magic text fragment +0 name magic-fragment +>0 string x magic text fragment for file(1) cmd +!:mime text/x-file +# most without suffix but mail.news varied.out varied.script +!:ext /news/out/script +# next lines are mainly for control reasons +# some (34/339) samples start comment line +>0 ubyte !0x0A +>>0 string x \b, 1st line "%s" +>>>&1 string x \b, 2nd line "%s" +# but most (305/339) samples start with an empty first line +>0 ubyte =0x0A +>>1 string x \b, 2nd line "%s" +>>>&1 string x \b, 3rd line "%s" +# +# URL: http://en.wikipedia.org/wiki/File_(command) +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/mgc.trid.xml +# Note: called "magic compiled data (LE)" by TrID 0 lelong 0xF11E041C magic binary file for file(1) cmd +#!:mime application/octet-stream +!:mime application/x-file +!:ext mgc >4 lelong x (version %d) (little endian) 0 belong 0xF11E041C magic binary file for file(1) cmd +#!:mime application/octet-stream +!:mime application/x-file +!:ext mgc >4 belong x (version %d) (big endian) diff --git a/magic/Magdir/mail.news b/magic/Magdir/mail.news index ed6e7a6c492..3ca3b405f61 100644 --- a/magic/Magdir/mail.news +++ b/magic/Magdir/mail.news @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: mail.news,v 1.29 2022/06/17 18:02:19 christos Exp $ +# $File: mail.news,v 1.30 2022/10/31 13:22:26 christos Exp $ # mail.news: file(1) magic for mail and news # # Unfortunately, saved netnews also has From line added in some news software. @@ -65,7 +65,7 @@ # other ID (like 02900000h) or TnefVersion ID (idTnefVersion=06900800h) >7 ubelong !0x06900800 \b, 1st id %#8.8x >7 ubelong =0x06900800 -# TnefVersion lenght like: 4 +# TnefVersion length like: 4 >>11 ulelong !4 \b, TnefVersion length %x # TNEFVersionData; TnefVersion data like: 00010000h >>15 ulelong !0x00010000h \b, version %#8.8x diff --git a/magic/Magdir/map b/magic/Magdir/map index 2e8d0797d31..2d56df01563 100644 --- a/magic/Magdir/map +++ b/magic/Magdir/map @@ -1,7 +1,7 @@ #------------------------------------------------------------------------------ -# $File: map,v 1.9 2021/04/26 15:56:00 christos Exp $ +# $File: map,v 1.10 2023/02/03 20:41:57 christos Exp $ # map: file(1) magic for Map data # @@ -406,3 +406,8 @@ >>>>5 byte x \b%d, >>>>6 leshort x product ID %04d) +# Garmin firmware: +# https://www.memotech.franken.de/FileFormats/Garmin_GCD_Format.pdf +# https://www.gpsrchive.com/GPSMAP/GPSMAP%2066sr/Firmware.html +0 string GARMIN +>6 uleshort 100 GARMIN firmware (version 1.0) diff --git a/magic/Magdir/mathematica b/magic/Magdir/mathematica index 1563e34ba21..dda71e884ed 100644 --- a/magic/Magdir/mathematica +++ b/magic/Magdir/mathematica @@ -1,48 +1,59 @@ #------------------------------------------------------------------------------ -# $File: mathematica,v 1.14 2021/11/07 16:27:36 christos Exp $ +# $File: mathematica,v 1.17 2023/06/16 19:33:58 christos Exp $ # mathematica: file(1) magic for mathematica files # "H. Nanosecond" # Mathematica a multi-purpose math program # versions 2.2 and 3.0 +0 name wolfram +>0 string x Mathematica notebook version 2.x +!:ext mb +!:mime application/vnd.wolfram.mathematica + #mathematica .mb -0 string \064\024\012\000\035\000\000\000 Mathematica version 2 notebook -!:ext mb -0 string \064\024\011\000\035\000\000\000 Mathematica version 2 notebook -!:ext mb +0 string \064\024\012\000\035\000\000\000 +>0 use wolfram +0 string \064\024\011\000\035\000\000\000 +>0 use wolfram + +# +0 search/1000 Content-type:\040application/mathematica Mathematica notebook version 2.x +!:ext nb +!:mime application/mathematica + # .ma # multiple possibilities: -0 string (*^\n\n::[\011frontEndVersion\ =\ Mathematica notebook +0 string (*^\n\n::[\011frontEndVersion\ = #>41 string >\0 %s -!:ext mb +>0 use wolfram -#0 string (*^\n\n::[\011palette Mathematica notebook version 2.x +#0 string (*^\n\n::[\011palette -#0 string (*^\n\n::[\011Information Mathematica notebook version 2.x +#0 string (*^\n\n::[\011Information #>675 string >\0 %s #doesn't work well # there may be 'cr' instead of 'nl' in some does this matter? # generic: -0 string (*^\r\r::[\011 Mathematica notebook version 2.x -!:ext mb -0 string (*^\r\n\r\n::[\011 Mathematica notebook version 2.x -!:ext mb -0 string (*^\015 Mathematica notebook version 2.x -!:ext mb -0 string (*^\n\r\n\r::[\011 Mathematica notebook version 2.x -!:ext mb -0 string (*^\r::[\011 Mathematica notebook version 2.x -!:ext mb -0 string (*^\r\n::[\011 Mathematica notebook version 2.x -!:ext mb -0 string (*^\n\n::[\011 Mathematica notebook version 2.x -!:ext mb -0 string (*^\n::[\011 Mathematica notebook version 2.x -!:ext mb +0 string (*^\r\r::[\011 +>0 use wolfram +0 string (*^\r\n\r\n::[\011 +>0 use wolfram +0 string (*^\015 +>0 use wolfram +0 string (*^\n\r\n\r::[\011 +>0 use wolfram +0 string (*^\r::[\011 +>0 use wolfram +0 string (*^\r\n::[\011 +>0 use wolfram +0 string (*^\n\n::[\011 +>0 use wolfram +0 string (*^\n::[\011 +>0 use wolfram # Mathematica .mx files @@ -132,14 +143,18 @@ >>>>0 ulelong <53 # skip tokens.dat and some Netwfw*.dat by check for valid imaginary flag value of MAT version 4 >>>>>12 ulelong <2 -# no misidentfied little endian MATrix example with "short" matrix name +# no misidentified little endian MATrix example with "short" matrix name >>>>>>16 ulelong <3 ->>>>>>>0 use \^matlab4 +# skip radeon firmware BONAIRE_sdma.bin HAWAII_sdma.bin KABINI_sdma.bin KAVERI_sdma.bin MULLINS_sdma.bin +# by check for non zero matrix name length +>>>>>>>16 ubelong >0 +>>>>>>>>0 use \^matlab4 # little endian MATrix with "long" matrix name or some misidentified samples >>>>>>16 ulelong >2 # skip TileCacheLogo-*.dat with invalid 2nd character \001 of matrix name with length 96 >>>>>>>21 ubyte >0x1F >>>>>>>>0 use \^matlab4 +# Note: called "MATLAB Mat File" with version "Level 4" by DROID via PUID fmt/1550 # display information of Matlab v4 mat-file 0 name matlab4 Matlab v4 mat-file #!:mime application/octet-stream diff --git a/magic/Magdir/meteorological b/magic/Magdir/meteorological index 9e7a3f1bcca..725982f8d90 100644 --- a/magic/Magdir/meteorological +++ b/magic/Magdir/meteorological @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: meteorological,v 1.2 2017/03/17 21:35:28 christos Exp $ +# $File: meteorological,v 1.4 2022/12/09 18:02:09 christos Exp $ # rinex: file(1) magic for RINEX files # http://igscb.jpl.nasa.gov/igscb/data/format/rinex210.txt # ftp://cddis.gsfc.nasa.gov/pub/reports/formats/rinex300.pdf @@ -45,5 +45,9 @@ # https://en.wikipedia.org/wiki/GRIB 0 string GRIB ->7 byte =1 Gridded binary (GRIB) version 1 +>7 byte =1 Gridded binary (GRIB) version 1 +!:mime application/x-grib +!:ext grb/grib >7 byte =2 Gridded binary (GRIB) version 2 +!:mime application/x-grib2 +!:ext grb2/grib2 diff --git a/magic/Magdir/misctools b/magic/Magdir/misctools index 4292e2b0401..dc1542adacd 100644 --- a/magic/Magdir/misctools +++ b/magic/Magdir/misctools @@ -1,11 +1,71 @@ #----------------------------------------------------------------------------- -# $File: misctools,v 1.20 2021/05/25 15:13:55 christos Exp $ +# $File: misctools,v 1.21 2023/02/03 20:43:48 christos Exp $ # misctools: file(1) magic for miscellaneous UNIX tools. # 0 search/1 %%!! X-Post-It-Note text -0 string/c BEGIN:VCALENDAR vCalendar calendar file -!:mime text/calendar +# URL: http://fileformats.archiveteam.org/wiki/ICalendar +# https://en.wikipedia.org/wiki/ICalendar +# Update: Joerg Jenderek +# Reference: https://www.rfc-editor.org/rfc/rfc5545 +# http://mark0.net/download/triddefs_xml.7z/defs/v/vcs.trid.xml +# Note: called "iCalendar - vCalendar" by TrID +0 string/c BEGIN:vcalendar +# skip DROID fmt-387-signature-id-572.vcs fmt-388-signature-id-573.ics +# with invalid separator 0x0 or 0xAB instead of CarriageReturn (0x0D) or LineFeed (0x0A) +>15 ubyte&0xF8 =0x08 +# look for VERSION keyword often on second line but sometimes later as in holidays_NRW_2014.ics +>>0 search/188 VERSION +# after VERSION keword :1.0 or often :2.0 but sometimes also ;VALUE=TEXT:2.0 like in Jewish religious Juish.ics +# http://www.webcal.guru/de-DE/kalender_herunterladen?calendar_instance_id=217 +# \n\040:2.0 like in import-real-world-2004-11-19.ics found at +# https://ftp.gnu.org/gnu/emacs/emacs-28.1.tar.xz +# emacs-28.1/test/lisp/calendar/icalendar-resources/import-real-world-2004-11-19.ics +#>>>&0 string x AFTER_VERSION=%.15s +# Note: called "Internet Calendar and Scheduling format" by DROID via PUID fmt/388 +# skip optional verparam=;other-param like ;VALUE=TEXT and look for version 2.0 that implies iCalendar variant +>>>&0 search/81 :2.0 iCalendar calendar +# look for Free/Busy component +>>>>15 search/278 :VFREEBUSY file, with Free/Busy component +!:mime text/calendar +!:apple ????iFBf +# no real examples found but only example on Wikipedia page +!:ext ifb +# iCalendar calendar without Free/Busy component +>>>>15 default x +# look for ALARM component +>>>>>15 search/154 :VALARM file, with ALARM component +!:mime text/calendar +!:apple ????iCal +# found on macOS beneath /Users/$USER/Library/Calendars/ as EventAllDayAlarms.icsalarm or EventTimedAlarms.icsalarm +# no isc examples found +!:ext icsalarm/ics +# iCalendar calendar without Free/Busy component and ALARM component +>>>>>15 default x file +!:mime text/calendar +!:apple ????iCal +# no examples found with .ical .icalender suffix +!:ext ics +# if no VERSION 2.0 is found then assume it is VERSION 1.0, that is older vCalendar +# URL: http://fileformats.archiveteam.org/wiki/VCalendar +# Note: called "VCalendar format" by DROID via fmt/387 +>>>&0 default x vCalendar calendar file +# deprecated +!:mime text/x-vcalendar +!:ext vcs +# GRR: without VERSION keyword violates specification but accepted by Thunderbird like +# https://ftp.gnu.org/gnu/emacs/emacs-28.1.tar.xz +# emacs-28.1/test/lisp/calendar/icalendar-resources/import-with-timezone.ics +>>0 default x vCalendar calendar file, without VERSION +!:mime text/x-vcalendar +#!:mime text/calendar +# no vcs example found +!:ext ics/vcs +# GRR: According to newest specification CarriageReturn (0xD) and LineFeed (0xA) should be used as separator but others accepted by Thunderbird +# like CRLF,LF in Sport Today.vcs created by calendar plugin of TV-Browser https://enwiki.tvbrowser.org/index.php/Calendar_Export +# or LF like https://www.schulferien.org/media/ical/deutschland/ferien_nordrhein-westfalen_2023.ics?k=foo +>>15 ubeshort !0x0D0A \b, without CRLF + # updated by Joerg Jenderek at Apr 2015, May 2021 # https://en.wikipedia.org/wiki/VCard # URL: http://fileformats.archiveteam.org/wiki/VCard diff --git a/magic/Magdir/modem b/magic/Magdir/modem index 6eb21136e46..5d59401f6cb 100644 --- a/magic/Magdir/modem +++ b/magic/Magdir/modem @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: modem,v 1.10 2021/04/26 15:56:00 christos Exp $ +# $File: modem,v 1.11 2022/10/19 20:15:16 christos Exp $ # modem: file(1) magic for modem programs # # From: Florian La Roche @@ -11,6 +11,7 @@ # Summary: CCITT Group 3 Facsimile in "raw" form (i.e. no header). # Modified by: Joerg Jenderek # URL: https://de.wikipedia.org/wiki/Fax +# http://fileformats.archiveteam.org/wiki/CCITT_Group_3 # Reference: https://web.archive.org/web/20020628195336/http://www.netnam.vn/unescocourse/computervision/104.htm # GRR: EOL of G3 is too general as it catches also TrueType fonts, Postscript PrinterFontMetric, others 0 short 0x0100 @@ -32,7 +33,10 @@ # skip MouseTrap/Mt.Defaults with file size 16 found on Golden Orchard Apple II CD Rom >>>>>>8 ubequad !0x2e01010454010203 # skip PICTUREH.SML found on Golden Orchard Apple II CD Rom ->>>>>>>8 ubequad !0x5dee74ad1aa56394 raw G3 (Group 3) FAX, byte-padded +>>>>>>>8 ubequad !0x5dee74ad1aa56394 +# skip few (5/41) DEGAS mid-res bitmap (GEMINI01.PI2 GEMINI02.PI2 GEMINI03.PI2 CODE_RAM.PI2 TBX_DEMO.PI2) +# with file size 32034 +>>>>>>>>-0 offset !32034 raw G3 (Group 3) FAX, byte-padded # version 5.25 labeled the entry above "raw G3 data, byte-padded" !:mime image/g3fax #!:apple ????TIFF @@ -43,7 +47,9 @@ # 16 0-bits near beginning like PicturePuzzler found on Golden Orchard Apple CD Rom >2 search/9 \0\0 # maximal 7 0-bits for pixel sequences or 11 0-bits for EOL in G3 ->2 default x raw G3 (Group 3) FAX +>2 default x +# skip some (84/1246) MacBinary II/III (Cyberdog2.068k.smi.bin FileMakerPro4.img.bin Hypercard1.25.image.bin UsbStorage1.3.5.smi.bin) with "non random" numbers by versions values 81h/82h + 81h +>>122 ubeshort&0xFcFf !0x8081 raw G3 (Group 3) FAX # version 5.25 labeled the above entry as "raw G3 data" !:mime image/g3fax !:ext g3 diff --git a/magic/Magdir/msdos b/magic/Magdir/msdos index b9ed3439cea..aacf85946b0 100644 --- a/magic/Magdir/msdos +++ b/magic/Magdir/msdos @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: msdos,v 1.158 2022/09/07 11:17:31 christos Exp $ +# $File: msdos,v 1.169 2023/04/17 16:39:19 christos Exp $ # msdos: file(1) magic for MS-DOS files # @@ -49,29 +49,127 @@ # # Many of the compressed formats were extracted from IDARC 1.23 source code. # +# e_magic 0 string/b MZ -# All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file. ->0x18 leshort <0x40 MS-DOS executable +# TODO +# FLT: Syntrillium CoolEdit Filter https://en.wikipedia.org/wiki/Adobe_Audition +# FMX64:FileMaker Pro 64-bit plug-in https://en.wikipedia.org/wiki/FileMaker +# FMX: FileMaker Pro 32-bit plug-in https://en.wikipedia.org/wiki/FileMaker +# FOD: WIFE Font Driver +# GAU: MS Flight Simulator Gauge +# IFS: OS/2 Installable File System https://en.wikipedia.org/wiki/OS/2 +# MEXW32:MATLAB Windows 32bit compiled function https://en.wikipedia.org/wiki/MATLAB +# MEXW64:MATLAB Windows 64bit compiled function https://en.wikipedia.org/wiki/MATLAB +# MLL: Maya plug-in (generic) http://en.wikipedia.org/wiki/Autodesk_Maya +# PFL: PhotoFilter plugin http://photofiltre.free.fr +# 8*: PhotoShop plug-in (generic) http://www.adobe.com/products/photoshop/main.html +# PLG: Aston Shell plugin http://www.astonshell.com/ +# QLB: Microsoft Basic Quick library https://en.wikipedia.org/wiki/QuickBASIC +# SKL: WinLIFT skin http://www.zapsolution.com/winlift/index.htm +# TBK: Asymetrix ToolBook application http://www.toolbook.com +# TBP: The Bat! plugin http://www.ritlabs.com +# UPC: Ultimate Paint Graphics Editor plugin http://ultimatepaint.j-t-l.com +# XFM: Syntrillium Cool Edit Transform Effect bad http://www.cooledit.com +# XPL: X-Plane plugin http://www.xsquawkbox.net/xpsdk/ +# ZAP: ZoneLabs Zone Alarm data http://www.zonelabs.com +# +# NEXT LINES FOR DEBUGGING! +# e_cblp; bytes on last page of file +# e_cp; pages in file +#>4 uleshort x \b, e_cp 0x%x +# e_lfanew; file address of new exe header +#>0x3c ulelong x \b, e_lfanew 0x%x +# e_lfarlc; address of relocation table +#>0x18 uleshort x \b, e_lfarlc=0x%x +# e_ovno; overlay number. If zero, this is the main executable foo +#>0x1a uleshort !0 \b, e_ovno 0x%x +#>0x1C ubequad !0 \b, e_res 0x%16.16llx +# e_oemid; often 0 +#>0x24 uleshort !0 \b, e_oemid 0x%x +# e_oeminfo; typically zeroes, but 13Dh (WORDSTAR.CNV WPFT5.CNV) 143h (WRITWIN.CNV) +# 1A3h (DBASE.CNV LOTUS123.CNV RFTDCA.CNV WORDDOS.CNV WORDMAC.CNV WORDWIN1.CNVXLBIFF.CNV) +#>0x26 uleshort !0 \b, e_oeminfo 0x%x +# e_res2; typically zeroes, but 000006006F082D2Ah SCSICFG.EXE 00009A0300007C03h de.exe +# 0000CA0000000002h country.exe dosxmgr.exe 421E0A00421EA823h QMC.EXE +#>0x28 ubequad !0 \b, e_res2 0x%16.16llx +# https://web.archive.org/web/20171116024937/http://www.ctyme.com/intr/rb-2939.htm#table1593 +# https://github.com/uxmal/reko/blob/master/src/ImageLoaders/MzExe/ExeImageLoader.cs +# new exe header magic like: PE NE LE LX W3 W4 +# no examples found for ZM DL MP P2 P3 +#>(0x3c.l) string x \b, at [0x3c] %.2s +#>(0x3c.l) ubelong x \b, at [0x3c] %#8.8x +#>(0x3c.l+4) ubelong x \b, at [0x3c+4] %#8.8x +# +# Most non-DOS MZ-executable extensions have the relocation table more than 0x40 bytes into the file. +# http://www.mitec.cz/Downloads/EXE.zip/EXE64.exe e_lfarlc=0x8ead +# OS/2 ECS\INSTALL\DETECTEI\PCISCAN.EXE e_lfarlc=0x1c +# some EFI apps Shell_Full.efi ext4_x64_signed.efi e_lfarlc=0 +# Icon library WORD60.ICL e_lfarlc=0 +# Microsoft compiled help format 2.0 WINWORD.DEV.HXS e_lfarlc=0 +>0x18 uleshort <0x40 +# check magic of new second header +# NE executable with low e_lfarlc like: WORD60.ICL +# ICL: Icons Library 16-bit http://fileformats.archiveteam.org/wiki/Icon_library +>>(0x3c.l) string NE Windows Icons Library 16-bit +!:mime image/x-ms-icl +!:ext icl +# handle LX executable with low e_lfarlc like: PCISCAN.EXE +>>(0x3c.l) string LX +>>>(0x3c.l) use lx-executable +# skip Portable Executable (PE) with low e_lfarlc here, because handled later +# like: ext4_x64_signed.efi Shell_Full.efi WINWORD.DEV.HXS +>>(0x3c.l) string PE +# not New Executable (NE) and not PE with low e_lfarlc like: +# MACCNV55.EXE WORK_RTF.EXE TELE200.EXE NDD.EXE iflash.exe +>>(0x3c.l) default x MS-DOS executable, MZ for MS-DOS !:mime application/x-dosexec # Windows and later versions of DOS will allow .EXEs to be named with a .COM # extension, mostly for compatibility's sake. +# like: EDIT.COM 4DOS.COM CMD8086.COM CMD-FR.COM SYSLINUX.COM # URL: https://en.wikipedia.org/wiki/Personal_NetWare#VLM # Reference: https://mark0.net/download/triddefs_xml.7z/defs/e/exe-vlm-msg.trid.xml -!:ext exe/com/vlm +# also like: BGISRV.DRV +!:ext exe/com/vlm/drv # These traditional tests usually work but not always. When test quality support is # implemented these can be turned on. #>>0x18 leshort 0x1c (Borland compiler) #>>0x18 leshort 0x1e (MS compiler) # Maybe it's a PE? +# URL: http://fileformats.archiveteam.org/wiki/Portable_Executable +# Reference: https://docs.microsoft.com/de-de/windows/win32/debug/pe-format >(0x3c.l) string PE\0\0 PE -!:mime application/x-dosexec +!:mime application/vnd.microsoft.portable-executable +# https://docs.microsoft.com/de-de/windows/win32/debug/pe-format#characteristics +# DLL Characteristics +#>>(0x3c.l+22) uleshort x \b, CHARACTERISTICS %#4.4x, +# 0x0200~IMAGE_FILE_DEBUG_STRIPPED Debugging information is removed from the image file +# 0x1000~IMAGE_FILE_SYSTEM The image file is a system file, not a user program. +# 0x2000~IMAGE_FILE_DLL The image file is a dynamic-link library (DLL) >>(0x3c.l+24) leshort 0x010b \b32 executable +# https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#windows-subsystem +#>>>(0x3c.l+92) leshort x \b, SUBSYSTEM %u >>(0x3c.l+24) leshort 0x020b \b32+ executable +#>>>(0x3c.l+92) leshort x \b, SUBSYSTEM %u >>(0x3c.l+24) leshort 0x0107 ROM image >>(0x3c.l+24) default x Unknown PE signature >>>&0 leshort x %#x >>(0x3c.l+22) leshort&0x2000 >0 (DLL) +# 0~IMAGE_SUBSYSTEM_UNKNOWN An unknown subsystem +>>(0x3c.l+92) leshort 0 ( +# Summary: Microsoft compiled help *.HXS format 2.0 +# URL: https://en.wikipedia.org/wiki/Microsoft_Help_2 +# Reference: http://www.russotto.net/chm/itolitlsformat.html +# https://mark0.net/download/triddefs_xml.7z/defs/h/hxs.trid.xml +# Note: 2 PE sections (.rsrc, .its) implies Microsoft compiled help format; the .its section contains the help content ITOLITLS +# verified by command like `pelook.exe -d WINWORD.HXS & pelook.exe -h WINWORD.HXS` +>>>(0x3c.l+6) uleshort =2 \bMicrosoft compiled help format 2.0) +!:ext hxs +# 3 PE sections (.text, .reloc, .rsrc) implies some Control Panel Item like: +# CPL: Control Panel item for WINE 1.7.28 https://www.winehq.org/ +>>>(0x3c.l+6) uleshort !2 \bControl Panel Item) +!:ext cpl +# 1~IMAGE_SUBSYSTEM_NATIVE device drivers and native Windows processes >>(0x3c.l+92) leshort 1 # Native PEs include ntoskrnl.exe, hal.dll, smss.exe, autochk.exe, and all the # drivers in Windows/System32/drivers/*.sys. @@ -79,6 +177,7 @@ !:ext dll/sys >>>(0x3c.l+22) leshort&0x2000 0 (native) !:ext exe/sys +# 2~IMAGE_SUBSYSTEM_WINDOWS_GUI The Windows graphical user interface (GUI) subsystem >>(0x3c.l+92) leshort 2 >>>(0x3c.l+22) leshort&0x2000 >0 (GUI) # These could probably be at least partially distinguished from one another by @@ -94,21 +193,72 @@ # Screen savers typically include code from the scrnsave.lib static library, but # that's not guaranteed. !:ext exe/scr +# 3~IMAGE_SUBSYSTEM_WINDOWS_CUI The Windows character subsystem >>(0x3c.l+92) leshort 3 >>>(0x3c.l+22) leshort&0x2000 >0 (console) !:ext dll/cpl/tlb/ocx/acm/ax/ime >>>(0x3c.l+22) leshort&0x2000 0 (console) !:ext exe/com -# https://docs.microsoft.com/en-us/windows/win32/debug/pe-format ->>(0x3c.l+92) leshort 7 (POSIX) ->>(0x3c.l+92) leshort 9 (Windows CE) +# NO Windows Subsystem number 4! +>>(0x3c.l+92) leshort 4 (Unknown subsystem 4) +# 5~IMAGE_SUBSYSTEM_OS2_CUI The OS/2 character subsystem +>>(0x3c.l+92) leshort 5 (OS/2) +# GRR: No examples found by Joerg Jenderek +#!:ext foo-exe-os2 +# NO Windows Subsystem number 6! +>>(0x3c.l+92) leshort 6 (Unknown subsystem 6) +# 7~IMAGE_SUBSYSTEM_POSIX_CUI The Posix character subsystem +>>(0x3c.l+92) leshort 7 (POSIX +>>>(0x3c.l+22) leshort&0x2000 >0 \b) +# like: PSXDLL.DLL +!:ext dll +>>>(0x3c.l+22) leshort&0x2000 0 \b) +# like: PAX.EXE +!:ext exe +# 8~IMAGE_SUBSYSTEM_NATIVE_WINDOWS Native Win9x driver +>>(0x3c.l+92) leshort 8 (Win9x) +# GRR: No examples found by Joerg Jenderek +#!:ext foo-exe-win98 +# 9~IMAGE_SUBSYSTEM_WINDOWS_CE_GUI Windows CE +>>(0x3c.l+92) leshort 9 (Windows CE +>>>(0x3c.l+22) leshort&0x2000 >0 \b) +# like: MCS9900Ce50.dll Mosiisr99x.dll TMCGPS.DLL +!:ext dll +>>>(0x3c.l+22) leshort&0x2000 0 \b) +# like: NNGStart.exe navigator.exe +!:ext exe +# 10~IMAGE_SUBSYSTEM_EFI_APPLICATION An Extensible Firmware Interface (EFI) application >>(0x3c.l+92) leshort 10 (EFI application) +# like: bootmgfw.efi grub.efi gdisk_x64.efi Shell_Full.efi shim.efi syslinux.efi +!:ext efi +# 11~IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER An EFI driver with boot services >>(0x3c.l+92) leshort 11 (EFI boot service driver) +# like: ext2_x64_signed.efi Fat_x64.efi iso9660_x64_signed.efi +!:ext efi >>(0x3c.l+92) leshort 12 (EFI runtime driver) +# no sample found +!:ext efi +# 13~IMAGE_SUBSYSTEM_EFI_ROM An EFI ROM image >>(0x3c.l+92) leshort 13 (EFI ROM) +# no sample found +!:ext efi +# 14~IMAGE_SUBSYSTEM_XBOX XBOX >>(0x3c.l+92) leshort 14 (XBOX) ->>(0x3c.l+92) leshort 15 (Windows boot application) ->>(0x3c.l+92) default x (Unknown subsystem +#!:ext foo-xbox +# NO Windows Subsystem number 15! +>>(0x3c.l+92) leshort 15 (Unknown subsystem 15) +# 16~IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION Windows boot application +>>(0x3c.l+92) leshort 16 (Windows boot application +>>>(0x3c.l+22) leshort&0x2000 >0 \b) +# like: bootvhd.dll bootuwf.dll hvloader.dll tcbloader.dll bootspaces.dll +!:ext dll +>>>(0x3c.l+22) leshort&0x2000 0 \b) +# like: bootmgr.efi memtest.efi shellx64.efi memtest.exe winload.exe winresume.exe bootvhd.dll hvloader.dll +!:ext efi/exe +# GRR: the next 2 lines are not executed! +#>>(0x3c.l+92) default x (Unknown subsystem +#>>>&0 leshort x %#x) +>>(0x3c.l+92) leshort >16 (Unknown subsystem >>>&0 leshort x %#x) >>(0x3c.l+4) leshort 0x14c Intel 80386 >>(0x3c.l+4) leshort 0x166 MIPS R4000 @@ -136,10 +286,13 @@ >>(0x3c.l+4) leshort 0x5032 RISC-V 32-bit >>(0x3c.l+4) leshort 0x5064 RISC-V 64-bit >>(0x3c.l+4) leshort 0x5128 RISC-V 128-bit +>>(0x3c.l+4) leshort 0x6232 LoongArch 32-bit +>>(0x3c.l+4) leshort 0x6264 LoongArch 64-bit >>(0x3c.l+4) leshort 0x9041 Mitsubishi M32R >>(0x3c.l+4) leshort 0x8664 x86-64 >>(0x3c.l+4) leshort 0xaa64 Aarch64 >>(0x3c.l+4) leshort 0xc0ee MSIL +# GRR: the next 2 lines are not executed! >>(0x3c.l+4) default x Unknown processor type >>>&0 leshort x %#x >>(0x3c.l+22) leshort&0x0200 >0 (stripped to external PDB) @@ -176,33 +329,134 @@ >>&(0x3c.l+0xf8) search/0x100 _winzip_ \b, ZIP self-extracting archive (WinZip) >>&(0x3c.l+0xf8) search/0x100 SharedD \b, Microsoft Installer self-extracting archive >>0x30 string Inno \b, InnoSetup self-extracting archive +# NumberOfSections; Normal Dynamic Link libraries have a few sections for code, data and resource etc. +# PE used as container have less sections +>>(0x3c.l+6) leshort >1 \b, %u sections +# do not display for 1 section to get output like in version 5.43 and to keep output columns low +#>>(0x3c.l+6) leshort =1 \b, %u section # If the relocation table is 0x40 or more bytes into the file, it's definitely # not a DOS EXE. ->0x18 leshort >0x3f +>0x18 uleshort >0x3f # Hmm, not a PE but the relocation table is too high for a traditional DOS exe, # must be one of the unusual subformats. >>(0x3c.l) string !PE\0\0 MS-DOS executable -!:mime application/x-dosexec +#!:mime application/x-dosexec >>(0x3c.l) string NE \b, NE -!:mime application/x-dosexec +#!:mime application/x-dosexec +!:mime application/x-ms-ne-executable +# FOR DEBUGGING! +# Reference: https://wiki.osdev.org/NE +# ProgFlags; Program flags, bitmapped +#>>>(0x3c.l+0x0C) ubyte x \b, ProgFlags 0x%2.2x +# >>>(0x3c.l+0x0c) ubyte&0x03 =0 \b, none +# >>>(0x3c.l+0x0c) ubyte&0x03 =1 \b, single shared +# >>>(0x3c.l+0x0c) ubyte&0x03 =2 \b, multiple +# >>>(0x3c.l+0x0c) ubyte&0x03 =3 \b, (null) +# >>>(0x3c.l+0x0c) ubyte &0x04 \b, Global initialization +# >>>(0x3c.l+0x0c) ubyte &0x08 \b, Protected mode only +# >>>(0x3c.l+0x0c) ubyte &0x10 \b, 8086 instructions +# >>>(0x3c.l+0x0c) ubyte &0x20 \b, 80286 instructions +# >>>(0x3c.l+0x0c) ubyte &0x40 \b, 80386 instructions +# >>>(0x3c.l+0x0c) ubyte &0x80 \b, 80x87 instructions +# ApplFlags; Application flags, bitmapped +# https://www.fileformat.info/format/exe/corion-ne.htm +#>>>(0x3c.l+0x0D) ubyte x \b, ApplFlags 0x%2.2x +# Application type (bits 0-2); 1~Full screen (not aware of Windows/P.M. API) +# 2~Compatible with Windows/P.M. API 3~Uses Windows/P.M. API +#>>>(0x3c.l+0x0D) ubyte&0x07 =1 \b, Full screen +#>>>(0x3c.l+0x0D) ubyte&0x07 =2 \b, Compatible with Windows/P.M. API +#>>>(0x3c.l+0x0D) ubyte&0x07 =3 \b, use Windows/P.M. API +# bit 7; DLL or driver (SS:SP info invalid, CS:IP points at FAR init routine called with AX handle +#>>>(0x3c.l+0x0D) ubyte &0x80 \b, DLL or driver +# AutoDataSegIndex; automatic data segment index like: 0 2 3 22 +# zero if the SINGLEDATA and MULTIPLEDATA bits are cleared +#>>>(0x3c.l+0x0e) uleshort x \b, AutoDataSegIndex %u +# InitHeapSize; intial local heap size like; 0 400h 1400h +# zero if there is no local allocation +#>>>(0x3c.l+0x10) uleshort !0 \b, InitHeapSize 0x%x +# InitStackSize; inital stack size like: 0 10h A00h 7D0h A8Ch FA0h 1000h 1388h +# 1400h (CBT) 1800h 2000h 2800h 2EE0h 2F3Ch 3258h 3E80h 4000h 4E20h 5000h 6000h +# 6D60h 8000h 40000h +# zero if the SS register value does not equal the DS register value +#>>>(0x3c.l+0x12) uleshort !0 \b, InitStackSize 0x%x +# EntryPoint; segment offset value of CS:IP like: 0 10000h 18A84h 11C1Ah 307F1h +#>>>(0x3c.l+0x14) ulelong !0 \b, EntryPoint 0x%x +# InitStack; specifies the segment offset value of stack pointer SS:SP +# like: 0 20000h 160000h +#>>>(0x3c.l+0x18) ulelong !0 \b, InitStack 0x%x +# SegCount; number of segments in segment table like: 0 1 2 3 16h +#>>>(0x3c.l+0x1C) uleshort x \b, SegCount 0x%x +# ModRefs; number of module references (DLLs) like; 0 1 3 +#>>>(0x3c.l+0x1E) uleshort !0 \b, ModRefs %u +# NoResNamesTabSiz; size in bytes of non-resident names table +# like: Bh 16h B4h B9h 2Ch 18Fh 16AAh +#>>>(0x3c.l+0x20) uleshort x \b, NoResNamesTabSiz 0x%x +# SegTableOffset; offset of Segment table like: 40h +#>>>(0x3c.l+0x22) uleshort !0x40 \b, SegTableOffset 0x%x +# ResTableOffset; offset of resources table like: 40h 50h 58h F0h +# 40h for most fonts likedos737.fon FMFONT.FOT but 60h for L1WBASE.FON +#>>>(0x3c.l+0x24) uleshort x \b, ResTableOffset 0x%x +# ResidNamTable; offset of resident names table +# like: 58h 5Ch 60h 68h 74h 98h 2E3h 2E7h 2F0h +#>>>(0x3c.l+0x26) uleshort x \b, ResidNamTable 0x%x +# ImportNameTable; offset of imported names table (array of counted strings, terminated with string of length 00h) +# like: 77h 7Eh 80h C6h A7h ACh 2F8h 3FFh +#>>>(0x3c.l+0x2a) uleshort x \b, ImportNameTable 0x%x +# OffStartNonResTab; offset from start of file to non-resident names table +# like: 110h 11Dh 19Bh 1A5h 3F5h 4C8h 4EEh D93h +#>>>(0x3c.l+0x2c) ulelong x \b, OffStartNonResTab 0x%x +# MovEntryCount; number of movable entry points like: 0 4 5 6 16 17 24 312 355 446 +#>>>(0x3c.l+0x30) uleshort !0 \b, MovEntryCount %u +# FileAlnSzShftCnt; log2 of the segment sector size; 4~16 0~9~512 (default) +#>>>(0x3c.l+0x32) uleshort !9 \b, FileAlnSzShftCnt %u +# nResTabEntries; number of resource table entries like: 0 2 +#>>>(0x3c.l+0x34) uleshort !0 \b, nResTabEntries %u +# targOS; Target OS; 0~unknown~OS/2 1.0 or MS Windows 1-2 +# OS/2 1.0 like: DTM.DLL SHELL11F.EXE HELPMSG.EXE CREATEDD.EXE +# or Windows 1.03 - 2.1 like: MSDOSD.EXE KARTEI.EXE KALENDER.EXE +#>>>(0x3c.l+0x36) byte x TARGOS %x +>>>(0x3c.l+0x36) byte 0 for OS/2 1.0 or MS Windows 1-2 >>>(0x3c.l+0x36) byte 1 for OS/2 1.x >>>(0x3c.l+0x36) byte 2 for MS Windows 3.x >>>(0x3c.l+0x36) byte 3 for MS-DOS >>>(0x3c.l+0x36) byte 4 for Windows 386 >>>(0x3c.l+0x36) byte 5 for Borland Operating System Services +# http://downloads.sourceforge.net/dfendreloaded/D-Fend-Reloaded-1.4.4.zip +# D-Fend Reloaded/VirtualHD/FREEDOS/DPMILD32.EXE +# GRR: WHAT OS is this? +#>>>(0x3c.l+0x36) byte 6 for TARGET SIX +# https://en.wikipedia.org/wiki/Phar_Lap_(company) +>>>(0x3c.l+0x36) byte 0x81 for MS-DOS, Phar Lap DOS extender, OS/2 +# like: CVP7.EXE +>>>(0x3c.l+0x36) byte 0x82 for MS-DOS, Phar Lap DOS extender, Windows >>>(0x3c.l+0x36) default x ->>>>(0x3c.l+0x36) byte x (unknown OS %x) ->>>(0x3c.l+0x36) byte 0x81 for MS-DOS, Phar Lap DOS extender +>>>>(0x3c.l+0x36) ubyte x (unknown OS %#x) +# expctwinver; expected Windows version (minor first) like: +# 0.0~DTM.DLL 203.4~Windows 1.03 GDI.EXE 2.1~TTY.DRV 3.0~dos737.fon FMFONT.FOT THREED.VBX 3.10~GDI.EXE 4.0~(ME) VGAFULL.3GR +>>>(0x3c.l+0x3F) ubyte x (%u +>>>(0x3c.l+0x3E) ubyte x \b.%u) +# OS2EXEFlags; other EXE flags +# 0~Long filename support 1~2.x protected mode 4~2.x proportional fonts 8~Executable has gangload area +#>>>(0x3c.l+0x37) byte !0 \b, OS2EXEFlags 0x%x +# retThunkOffset; offset to return thunks or start of gangload area like: 0 34h 58h 246h +#>>>(0x3c.l+0x38) uleshort !0 \b, retThunkOffset 0x%x +# segrefthunksoff; offset to segment reference thunks or size of gangload area +# like: 0 33Eh 39Ah AEEh +#>>>(0x3c.l+0x3A) uleshort !0 \b, segrefthunksoff 0x%x +# mincodeswap; minimum code swap area size like 0 620Ch +#>>>(0x3c.l+0x3C) uleshort !0 \b, mincodeswap 0x%x >>>(0x3c.l+0x0c) leshort&0x8000 0x8000 (DLL or font) # DRV: Driver # 3GR: Grabber device driver # CPL: Control Panel Item -# VBX: Visual Basic Extension -# FON: Bitmap font +# VBX: Visual Basic Extension https://en.wikipedia.org/wiki/Visual_Basic +# FON: Bitmap font http://fileformats.archiveteam.org/wiki/FON # FOT: Font resource file +# EXE: WINSPOOL.EXE USER.EXE krnl386.exe GDI.EXE +# CNV: Microsoft Word text conversion https://www.file-extensions.org/cnv-file-extension-microsoft-word-text-conversion-data !:ext dll/drv/3gr/cpl/vbx/fon/fot >>>(0x3c.l+0x0c) leshort&0x8000 0 (EXE) !:ext exe/scr @@ -228,8 +482,17 @@ >>>&(&0x54.l-3) string arjsfx \b, ARJ self-extracting archive # MS Windows system file, supposedly a collection of LE executables +# like vmm32.vxd WIN386.EXE >>(0x3c.l) string W3 \b, W3 for MS Windows -!:mime application/x-dosexec +#!:mime application/x-dosexec +!:mime application/x-ms-w3-executable +!:ext vxd/exe +# W4 executable +>>(0x3c.l) string W4 \b, W4 for MS Windows +#!:mime application/x-dosexec +!:mime application/x-ms-w4-executable +# windows 98 VMM32.VXD +!:ext vxd >>(0x3c.l) string LE\0\0 \b, LE executable !:mime application/x-dosexec @@ -268,11 +531,19 @@ !:ext exe/com # header data too small for extended executable >2 long !0 ->>0x18 leshort <0x40 +>>0x18 uleshort <0x40 >>>(4.s*512) leshort !0x014c >>>>&(2.s-514) string !LE ->>>>>&-2 string !BW \b, MZ for MS-DOS +>>>>>&-2 string !BW +#>>>>>>(0x3c.l) string x \b, 2ND MAGIC %.2s +# but some LX executable appear here also like: PCISCAN.EXE +>>>>>>(0x3c.l) string !LX +# because Portable Executable (PE) already done skip many here like: +# xcopy32.exe stinger64.exe WimUtil.exe +# NO such DOS examples found and +# DOS examples seems to be already handled by e_lfarlc <0x40 like: CMD8086.COM CMD-FR.COM +>>>>>>>(0x3c.l) string !PE \b, MZ for MS-DOS !:mime application/x-dosexec >>>>&(2.s-514) string LE \b, LE >>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender @@ -386,6 +657,7 @@ >0x00 uleshort x executable #!:mime application/x-msdownload !:mime application/x-lx-executable +!:ext exe # byte order: 00h~little-endian non-zero=1~big-endian #>0x02 ubyte =0 (little-endian) >0x02 ubyte !0 (big-endian) @@ -420,7 +692,7 @@ >0x0a leshort 3 for DOS # http://www.ctyme.com/intr/rb-2939.htm#Table1610 # library by module type mask 00038000h (bits 15-17); -# 0h ~exectable Program module +# 0h ~executable Program module >0x10 ulelong&0x00038000 =0x00000000 (program) #!:ext exe # OSF_IS_DLL=8000h ~Library module (DLL) @@ -468,14 +740,18 @@ 0 string \xffKEYB\ \ \ \0\0\0\0 >12 string \0\0\0\0`\004\360 MS-DOS KEYBoard Layout file -# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017,Aug 2020 +# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017,Aug 2020,Mar 2023 # URL: http://fileformats.archiveteam.org/wiki/DOS_device_driver # Reference: http://www.delorie.com/djgpp/doc/rbinter/it/46/16.html -# https://amaus.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009 +# http://www.o3one.org/hwdocs/bios_doc/dosref22.html 0 ulequad&0x07a0ffffffff 0xffffffff # skip OS/2 INI ./os2 >4 ubelong !0x14000000 ->>0 use msdos-driver +#>>10 ubequad x MAYBE_DRIVER_NAME=%16.16llx +# https://bugs.astron.com/view.php?id=434 +# skip OOXML document fragment 0000.dat where driver name is "empty" instead of "ASCII like" +>>10 ubequad !0 +>>>0 use msdos-driver 0 name msdos-driver DOS executable ( #!:mime application/octet-stream !:mime application/x-dosdriver @@ -507,8 +783,8 @@ >>40 search/7 UPX! >>40 default x # leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped -# 1 space char before device driver name to get phrase like "device driver PROTMAN$" ->>>12 ubyte >0x2E \b +# 1 space char before device driver name to get phrase like "device driver PROTMAN$" "device driver HP-150II" "device driver PC$MOUSE" +>>>12 ubyte >0x23 \b >>>>10 ubyte >0x20 >>>>>10 ubyte !0x2E >>>>>>10 ubyte !0x2A \b%c @@ -602,11 +878,11 @@ 0 name msdos-com # URL: http://fileformats.archiveteam.org/wiki/DOS_executable_(.com) >0 byte x DOS executable ( -# DOS execuable with JuMP 16-bit instruction +# DOS executable with JuMP 16-bit instruction >0 byte =0xE9 # check for probably nil padding til offset 64 of Lotus driver name >>56 quad =0 -# check for "long" alpabetical Lotus driver name like: +# check for "long" alphabetic Lotus driver name like: # Diablo "COMPAQ Text Display" "IBM Monochrome Display" "Plantronics ColorPlus" >>>24 regex =^[A-Z][A-Za-z\040]{5,21} \bLotus driver) %s !:mime application/x-dosexec @@ -616,7 +892,7 @@ >>>24 default x \bCOM) !:mime application/x-dosexec !:ext com -# DOS excutable with JuMP 16-bit and without nil padding +# DOS executable with JuMP 16-bit and without nil padding >>56 quad !0 # https://wiki.syslinux.org/wiki/index.php?title=Doc/comboot # TODO: HOWTO distinguish COMboot from pure DOS executables? @@ -781,7 +1057,7 @@ >>1 default x # look for interrupt instruction like in rem.com (DJGPP) LOADER.COM (DR-DOS 7.x) >>>3 search/118 \xCD -# FOR DEBUGGING; possible hexadecimal interupt number like: 10~BANNER.COM 13~bcdw_cl.com 15~poweroff.com (Syslinux) +# FOR DEBUGGING; possible hexadecimal interrupt number like: 10~BANNER.COM 13~bcdw_cl.com 15~poweroff.com (Syslinux) # 1A~BERNDPCI.COM 20~SETENHKB.COM 21~mostly 22~gfxboot.com (Syslinux) 2F~SHUTDOWN.COM (GEMSYS) #>>>>&0 ubyte x \b, INTERUPT %#x # few examples with interrupt 0x13 instruction @@ -791,7 +1067,7 @@ # skip Gpt.com Mbr.com (edk2-UDK2018 bootsector) described as "DOS/MBR boot sector" by ./filesystems # by check for assembler instructions: mov es,ax ; mov ax,07c0h ; mov ds,ax >>>>>3 ubequad !0x8ec0b8c0078ed88d -# few COM exectables with interrupt 0x13 instruction like: Bootable CD Wizard executables bcdw_cl.com fdemuoff.com +# few COM executables with interrupt 0x13 instruction like: Bootable CD Wizard executables bcdw_cl.com fdemuoff.com # http://bootcd.narod.ru/bcdw150z_en.zip >>>>>>0 use msdos-com # few examples with interrupt 0x16 instruction like flashimg.img @@ -806,7 +1082,7 @@ #>>>>>&-1 ubyte x \b, INTERUPT %#x # like: LOADER.COM SETENHKB.COM banner.com copybs.com gif2raw.com poweroff.com rem.com >>>>>0 use msdos-com -# few COM executables without interupt instruction like RESTART.COM (DOS 7.10) REBOOT.COM +# few COM executables without interrupt instruction like RESTART.COM (DOS 7.10) REBOOT.COM # or some EUC-KR text files or one Ulead Imaginfo thumbnail >>>3 default x # FOR DEBUGGING; 2nd instruction like 0x50 (RESTART.COM) 0x8e (REBOOT.COM) @@ -1213,15 +1489,82 @@ 0 string/b Nullsoft\ AVS\ Preset\ Winamp plug in # Windows Metafile .WMF -0 string/b \327\315\306\232 Windows metafile -!:mime image/wmf -!:ext wmf +# URL: http://fileformats.archiveteam.org/wiki/Windows_Metafile +# http://en.wikipedia.org/wiki/Windows_Metafile +# Reference: https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-WMF/%5bMS-WMF%5d.pdf +# http://mark0.net/download/triddefs_xml.7z/defs/w/wmf.trid.xml +# Note: called "Windows Metafile" by TrID and +# verified by ImageMagick `identify -verbose *.wmf` as WMF (Windows Meta File) +# META_PLACEABLE Record (Aldus Placeable Metafile signature) +0 string/b \327\315\306\232 +# Note: called "Windows Metafile Image with Placeable File Header" by DROID via PUID x-fmt/119 +# and verified by XnView `nconvert -info abydos.wmf SPA_FLAG.wmf hardcopy-windows-meta.wmf` as "Windows Placeable metafile" +# skip failed libreoffice-7.3.2.2 ofz35149-1.wmf with invalid version 2020h and exttextout-2.wmf with invalid version 3a02h +# and x-fmt-119-signature-id-609.wmf without version instead of 0100h=METAVERSION100 or 0300h=METAVERSION300 +>26 uleshort&0xFDff =0x0100 Windows metafile +# HWmf; resource handle to the metafile; When the metafile is on disk, this field MUST contain 0 +# seems to be always true but in failed samples 2020h ofz35149-1.wmf 56f8h exttextout-2.wmf +>>4 uleshort !0 \b, resource handle %#x +# BoundingBox; the rectangle in the playback context measured in logical units for displaying +# sometimes useful like: hardcopy-windows-meta.wmf (0,0 / 1280,1024) +# but garbage in x-fmt-119-signature-id-609.wmf (-21589,-21589 / -21589,-21589) +#>>6 ubequad x \b, bounding box %#16.16llx +# Left; x-coordinate of the upper-left corner of the rectangle +>>6 leshort x \b, bounding box (%d +# Top; y-coordinate upper-left corner +>>8 leshort x \b,%d +# Right; x-coordinate lower-right corner +>>10 leshort x / %d +# Bottom; y-coordinate lower-right corner +>>12 leshort x \b,%d) +# Inch; number of logical units per inch like: 72 96 575 576 1000 1200 1439 1440 2540 +>>14 uleshort x \b, dpi %u +# Reserved; field is not used and MUST be set to 0; but ababababh in x-fmt-119-signature-id-609.wmf +>>16 ulelong !0 \b, reserved %#x +# Checksum; checksum for the previous 10 words +>>20 uleshort x \b, checksum %#x +# META_HEADER Record after META_PLACEABLE Record +>>22 use wmf-head +# GRR: no example for type 2 (DISKMETAFILE) variant found under few thousands WMF 0 string/b \002\000\011\000 Windows metafile +>0 use wmf-head +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/w/wmf-16.trid.xml +# Note: called "Windows Metafile (old Win 3.x format)" by TrID and +# "Windows Metafile Image without Placeable File Header" by DROID via PUID x-fmt/119 +# verified by XnView `nconvert -info *.wmf` as Windows metafile +# variant with type=1=MEMORYMETAFILE and valid HeaderSize 9 +0 string/b \001\000\011\000 +# skip DROID x-fmt-119-signature-id-1228.wmf by looking for content after header (18 bytes=2*011) +>18 ulelong >0 Windows metafile +# GRR: in version 5.44 unequal and not endian variant not working! +#>18 ulelong !0 THIS_SHOULD_NOT_HAPPEN +#>18 long !0 THIS_SHOULD_NOT_HAPPEN +>>0 use wmf-head +# display information of Windows metafile header (type, size, objects) +0 name wmf-head +# MetafileType: 0001h=MEMORYMETAFILE~Metafile is stored in memory 0002h=DISKMETAFILE~Metafile is stored on disk +>0 uleshort !0x0001 \b, type %#x +# HeaderSize; the number of WORDs in header record; seems to be always 9 (18 bytes) +>2 uleshort*2 !18 \b, header size %u +# MetafileVersion: 0100h=METAVERSION100~DIBs (device-independent bitmaps) not supported 0300h=METAVERSION300~DIBs are supported +# but in failed samples 2020h ofz35149-1.wmf 3a02h exttextout-2.wmf +>4 uleshort =0x0100 \b, DIBs not supported +>4 uleshort =0x0300 +#>4 uleshort =0x0300 \b, DIBs supported +# this should not happen! +>4 default x \b, version +>>4 uleshort x %#x +# Size; the number of WORDs in the entire metafile +>6 ulelong x \b, size %u words +#>6 ulelong*2 x \b, size %u bytes !:mime image/wmf !:ext wmf -0 string/b \001\000\011\000 Windows metafile -!:mime image/wmf -!:ext wmf +# NumberOfObjects: the number of graphics objects like: 0 hardcopy-windows-meta.wmf 1 2 3 4 5 6 7 8 9 12 13 14 16 17 20 27 110 PERSGRID.WMF +>10 uleshort x \b, %u objects +# MaxRecord: the size of the largest record in the metafile in WORDs like: 78h b0h 1f4h 310h 63fh 1e0022h 3fcc21h +>12 ulelong x \b, largest record size %#x +# NumberOfMembers: It SHOULD be 0x0000, but 5 TestBitBltStretchBlt.wmf 13 TestPalette.wmf and in failed samples 4254 bitcount-1.wmf 8224 ofz5942-1.wmf 56832 exttextout-2.wmf +>16 uleshort !0 \b, %u members #tz3 files whatever that is (MS Works files) 0 string/b \003\001\001\004\070\001\000\000 tz3 ms-works file @@ -1374,8 +1717,6 @@ 1 string RDC-meg MegaDots >8 byte >0x2F version %c >9 byte >0x2F \b.%c file -0 lelong 0x4C ->4 lelong 0x00021401 Windows shortcut file # .PIF files added by Joerg Jenderek from https://smsoft.ru/en/pifdoc.htm # only for windows versions equal or greater 3.0 @@ -1411,17 +1752,6 @@ >0x187 search/0xB55 AUTOEXECBAT\ 4.0\0 \b +AUTOEXEC.BAT #>>&06 string x \b:%s -# DOS EPS Binary File Header -# From: Ed Sznyter -0 belong 0xC5D0D3C6 DOS EPS Binary File -!:mime image/x-eps ->4 long >0 Postscript starts at byte %d ->>8 long >0 length %d ->>>12 long >0 Metafile starts at byte %d ->>>>16 long >0 length %d ->>>20 long >0 TIFF starts at byte %d ->>>>24 long >0 length %d - # Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C # of http://www.davep.org/norton-guides/ng2h-105.tgz # https://en.wikipedia.org/wiki/Norton_Guides @@ -1575,6 +1905,12 @@ >0x2c default x # look for 1st member name >>(16.l+16) ubyte x +# From: Joerg Jenderek +# URL: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/building-device-metadata-packages +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/devicemetadata-ms.trid.xml +>>>&-1 string PackageInfo.xml \b, Device Metadata Package +!:mime application/vnd.ms-cab-compressed +!:ext devicemetadata-ms # https://en.wikipedia.org/wiki/SNP_file_format >>>&-1 string/c _accrpt_.snp \b, Access report snapshot !:mime application/msaccess @@ -1598,14 +1934,20 @@ !:ext msu >>>&-1 default x # look at point character of 1st archive member name for file name extension +# GRR: search range is maybe too large and match point else where like in EN600x64.cab! >>>>&-1 search/255 . # http://www.pptfaq.com/FAQ00164_What_is_a_PPZ_file-.htm # PPZ were created using Pack & Go feature of PowerPoint versions 97 - 2002 # packs optional files, a PowerPoint presentation *.ppt with optional PLAYLIST.LST to CAB ->>>>>&0 string/c ppt\0 \b, PowerPoint Packed and Go +>>>>>&0 string/c ppt\0 +>>>>>>28 uleshort >1 \b, PowerPoint Packed and Go !:mime application/vnd.ms-powerpoint #!:mime application/mspowerpoint !:ext ppz +# or POWERPNT.PPT packed as POWERPNT.PP_ found on Windows 2000,XP setup CD in directory i386 +>>>>>>28 uleshort =1 \b, one packed PowerPoint +!:mime application/vnd.ms-cab-compressed +!:ext pp_ # https://msdn.microsoft.com/en-us/library/windows/desktop/bb773190(v=vs.85).aspx # first member *.theme implies Windows 7 Theme Pack like in CommunityShowcaseAqua3.themepack # or Windows 8 Desktop Theme Pack like in PanoramicGlaciers.deskthemepack @@ -1653,6 +1995,16 @@ >>>>>>>>>30 uleshort !0x0000 \b, single !:mime application/vnd.ms-cab-compressed !:ext cab +# first archive name without point character +>>>>&-1 default x +>>>>>28 uleshort =1 \b, single +!:mime application/vnd.ms-cab-compressed +# on XP_CD\I386\ like: NETWORKS._ PROTOCOL._ QUOTES._ SERVICES._ +!:ext _ +>>>>>28 uleshort >1 \b, many +!:mime application/vnd.ms-cab-compressed +# like: HP Envy 6000 printer driver packages Full_x86.cab Full_x64.cab +!:ext cab # TODO: additional extensions like # .xtp InfoPath Template Part # .lvf Logitech Video Effects Face Accessory @@ -1750,9 +2102,9 @@ # define ifoldCONTINUED_PREV_AND_NEXT (0xFFFF) >8 uleshort >0 \b, iFolder %#x # date stamp for file -#>10 uleshort x \b, date %#x +>10 lemsdosdate x last modified %s # time stamp for file -#>12 uleshort x \b, time %#x +>12 lemsdostime x %s # attribs is attribute flags for file # define _A_RDONLY (0x01) file is read-only # define _A_HIDDEN (0x02) file is hidden diff --git a/magic/Magdir/msooxml b/magic/Magdir/msooxml index 2fc3a564019..905017eb912 100644 --- a/magic/Magdir/msooxml +++ b/magic/Magdir/msooxml @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: msooxml,v 1.18 2022/08/16 11:16:39 christos Exp $ +# $File: msooxml,v 1.19 2023/03/14 19:46:15 christos Exp $ # msooxml: file(1) magic for Microsoft Office XML # From: Ralf Brown @@ -56,3 +56,13 @@ >>>>>>>>>&26 default x Microsoft OOXML >>>>>>>&26 default x Microsoft OOXML >>>>>&26 default x Microsoft OOXML +>>0x1E regex \\[trash\\] +>>>&26 search/6000 PK\003\004 +>>>>&26 search/6000 PK\003\004 +>>>>>&26 use msooxml +>>>>>&26 default x +>>>>>>&26 search/6000 PK\003\004 +>>>>>>>&26 use msooxml +>>>>>>>&26 default x Microsoft OOXML +>>>>>>&26 default x Microsoft OOXML +>>>>>&26 default x Microsoft OOXML diff --git a/magic/Magdir/ole2compounddocs b/magic/Magdir/ole2compounddocs index d52578128a5..2c451a9ab57 100644 --- a/magic/Magdir/ole2compounddocs +++ b/magic/Magdir/ole2compounddocs @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: ole2compounddocs,v 1.19 2022/09/11 20:52:40 christos Exp $ +# $File: ole2compounddocs,v 1.26 2023/05/15 16:46:12 christos Exp $ # Microsoft OLE 2 Compound Documents : file(1) magic for Microsoft Structured # storage (https://en.wikipedia.org/wiki/Compound_File_Binary_Format) # Additional tests for OLE 2 Compound Documents should be under this recipe. @@ -72,6 +72,7 @@ #>67 ubyte x \b, color %x # the DirIDs of the child nodes. Should both be -1 in the root storage entry #>68 bequad !0xffffffffffffffff \b, DirIDs %llx +# NEXT lines for DEBUGGING # second directory entry name like VisioDocument Control000 #>128 lestring16 x \b, 2nd %.20s # third directory entry like WordDocument @@ -201,6 +202,18 @@ !:ext nfo # # From: Joerg Jenderek +# URL: https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/arn-autoruns-v14.trid.xml +# Note: older versions til 13 about middle 2021 handled by ./windows +# called "Sysinternals Autoruns data (v14)" by TrID +# second, third and fourth directory entry name like Header Items 0 +>>>>128 lestring16 Header : Microsoft sysinternals AutoRuns data, version 14 +#!:mime application/x-ole-storage +!:mime application/x-ms-arn +# like: MyHOSTNAME.arn +!:ext arn +# +# From: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/Microsoft_Access # Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/mdz.trid.xml # http://fileformats.archiveteam.org/wiki/Microsoft_Compound_File @@ -249,9 +262,11 @@ !:ext tpl # # URL: https://en.wikipedia.org/wiki/Hangul_(word_processor) +# https://www.hancom.com/etc/hwpDownload.do # Note: "HWP Document File" signature found in FileHeader +# Hangul Word Processor WORDIAN, 2002 and later is using HWP 5.0 format. # Second directory entry name FileHeader hint for Thinkfree Office document ->>>>128 lestring16 FileHeader : Hangul (Korean) 5.0 Word Processor File +>>>>128 lestring16 FileHeader : Hancom HWP (Hangul Word Processor) file, version 5.0 #!:mime application/haansofthwp !:mime application/x-hwp # https://example-files.online-convert.com/document/hwp/example.hwp @@ -305,62 +320,93 @@ # THIS WORKS PARTLY! >>>>>>&0 indirect x # remaining null clsid ->>>>128 default x : UNKNOWN -# second directory entry name like VisioDocument Control000 ->>>>>128 lestring16 x with names %.20s -# third directory entry like WordDocument ->>>>>256 lestring16 x %.20s -# forth ->>>>>384 lestring16 x %.20s -!:mime application/x-ole-storage -# according to file version 5.41 with -e soft option -#!:mime application/CDFV2 -#!:ext ??? +>>>>128 default x +>>>>>0 use ole2-unknown +# look for CLSID where "second" part is 0 +>>>80 ubequad !0x0 +# +# Summary: Family Tree Maker +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Family_Tree_Maker +# https://en.wikipedia.org/wiki/Family_Tree_Maker +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/f/ftw.trid.xml +# Note called "Family Tree Maker Family Tree" by TrID and +# "FamilyTree Maker Database" with version "1-4" by DROID via PUID fmt/1352 +# tested only with version 2.0 +# verified by Michal Mutl Structured Storage Viewer `SSView.exe my.ftw` +# newer versions are SQLite based and handled by ./sql +# directory names like: IND.DB AUX.DB GENERAL.DB NAME.NDX BIRTH.NDX EXTRA.DB +>>>>80 ubequad 0x5702000000000000 : Family Tree Maker Windows database, version 1-4 +# look for "File Format (C) Copyright 1993 Banner Blue Software Inc. - All Rights Reserved" in GENERAL.DB +#>>>>>0 search/0x5460c/s F\0i\0l\0e\0\040\0F\0o\0r\0m\0a\0t\0\040\0(\0C\0)\0 \b, VERSION +# GRR: jump to version value like 2 does not work! +#>>>>>>&-8 ubyte x %u +#!:mime application/x-ole-storage +!:mime application/x-fmt +# FBK is used for backup of FTW +!:ext ftw/fbk +# +>>>>80 default x +>>>>>0 use ole2-unknown # look for known clsid GUID # - Visio documents # URL: http://fileformats.archiveteam.org/wiki/Visio # Last update on 10/23/2006 by Lester Hightower, 07/20/2019 by Joerg Jenderek ->>88 ubequad 0xc000000000000046 : Microsoft ->>>80 ubequad 0x131a020000000000 Visio 2000-2002 Document, stencil or template +>>88 ubequad 0xc000000000000046 +>>>80 ubequad 0x131a020000000000 : Microsoft Visio 2000-2002 Document, stencil or template !:mime application/vnd.visio # VSD~Drawing VSS~Stencil VST~Template !:ext vsd/vss/vst ->>>80 ubequad 0x141a020000000000 Visio 2003-2010 Document, stencil or template +>>>80 ubequad 0x141a020000000000 : Microsoft Visio 2003-2010 Document, stencil or template !:mime application/vnd.visio !:ext vsd/vss/vst # # URL: http://fileformats.archiveteam.org/wiki/Windows_Installer ->>>80 ubequad 0x84100c0000000000 Windows Installer Package +# https://en.wikipedia.org/wiki/Windows_Installer#ICE_validation +# Update: Joerg Jenderek +# Windows Installer Package *.MSI or validation module *.CUB +>>>80 ubequad 0x84100c0000000000 : Microsoft Windows Installer Package or validation module !:mime application/x-msi #!:mime application/x-ms-win-installer -!:ext msi ->>>80 ubequad 0x86100c0000000000 Windows Installer Patch +# https://learn.microsoft.com/en-us/windows/win32/msi/internal-consistency-evaluators-ices +# cub is used for validation module like: Vstalogo.cub XPlogo.cub darice.cub logo.cub mergemod.cub +#!:mime application/x-ms-cub +!:ext msi/cub +# From: Joerg Jenderek +# URL: http://en.wikipedia.org/wiki/Windows_Installer +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/mst.trid.xml +# called "Windows SDK Setup Transform script" by TrID +>>>80 ubequad 0x82100c0000000000 : Microsoft Windows Installer transform script +#!:mime application/x-ole-storage +!:mime application/x-ms-mst +!:ext mst +>>>80 ubequad 0x86100c0000000000 : Microsoft Windows Installer Patch # ?? !:mime application/x-wine-extension-msp #!:mime application/x-ms-msp !:ext msp # # URL: http://fileformats.archiveteam.org/wiki/DOC ->>>80 ubequad 0x0009020000000000 Word 6-95 document or template +>>>80 ubequad 0x0009020000000000 : Microsoft Word 6-95 document or template !:mime application/msword # for template MSWDW8TN !:apple MSWDWDBN !:ext doc/dot ->>>80 ubequad 0x0609020000000000 Word 97-2003 document or template +>>>80 ubequad 0x0609020000000000 : Microsoft Word 97-2003 document or template !:mime application/msword !:apple MSWDWDBN # dot for template; no extension on Macintosh !:ext doc/dot/ # # URL: http://fileformats.archiveteam.org/wiki/Microsoft_Works_Word_Processor ->>>80 ubequad 0x0213020000000000 Works 3-4 document or template +>>>80 ubequad 0x0213020000000000 : Microsoft Works 3-4 document or template !:mime application/vnd.ms-works !:apple ????AWWP # ps for template https://filext.com/file-extension/PS bps for backup !:ext wps/ps/bps # # URL: http://fileformats.archiveteam.org/wiki/Microsoft_Works_Database ->>>80 ubequad 0x0313020000000000 Works 3-4 database or template +>>>80 ubequad 0x0313020000000000 : Microsoft Works 3-4 database or template !:mime application/vnd.ms-works-db # https://www.macdisk.com/macsigen.php !:apple ????AWDB @@ -368,14 +414,14 @@ !:ext wdb/db/bdb # # URL: https://en.wikipedia.org/wiki/Microsoft_Excel ->>>80 ubequad 0x1008020000000000 Excel 5-95 worksheet, addin or template +>>>80 ubequad 0x1008020000000000 : Microsoft Excel 5-95 worksheet, addin or template !:mime application/vnd.ms-excel # https://www.macdisk.com/macsigen.php !:apple ????XLS5 # worksheet/addin/template/no extension on Macintosh !:ext xls/xla/xlt/ # ->>>80 ubequad 0x2008020000000000 Excel 97-2003 +>>>80 ubequad 0x2008020000000000 : Microsoft Excel 97-2003 !:mime application/vnd.ms-excel # https://www.macdisk.com/macsigen.php XLS5 for Excel 5 !:apple ????XLS9 @@ -391,23 +437,36 @@ #!:ext xls/xlt/ # # URL: http://fileformats.archiveteam.org/wiki/OLE2 ->>>80 ubequad 0x0b0d020000000000 Outlook 97-2003 item -#>>>80 ubequad 0x0b0d020000000000 Outlook 97-2003 Message +>>>80 ubequad 0x0b0d020000000000 : Microsoft Outlook 97-2003 item +#>>>80 ubequad 0x0b0d020000000000 : Microsoft Outlook 97-2003 Message #!:mime application/vnd.ms-outlook !:mime application/x-ms-msg !:ext msg # URL: https://wiki.fileformat.com/email/oft/ ->>>80 ubequad 0x46f0060000000000 Outlook 97-2003 item template +>>>80 ubequad 0x46f0060000000000 : Microsoft Outlook 97-2003 item template #!:mime application/vnd.ms-outlook !:mime application/x-ms-oft !:ext oft # # URL: http://fileformats.archiveteam.org/wiki/PPT ->>>80 ubequad 0x5148040000000000 PowerPoint 4.0 presentation +>>>80 ubequad 0x5148040000000000 : Microsoft PowerPoint 4.0 presentation !:mime application/vnd.ms-powerpoint # https://www.macdisk.com/macsigen.php !:apple ????PPT3 !:ext ppt +# Summary: "newer" Greenstreet Art drawing +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/GST_ART +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/art-gst-docfile.trid.xml +# Note: called like "Greenstreet Art drawing" by TrID +# Note: CONTENT stream contains binary part of older versions with phrase GST:ART at offset 16 +# verified by Michal Mutl Structured Storage Viewer `SSView.exe BCARD2.ART` +>>>80 ubequad 0x602c020000000000 : Greenstreet Art drawing +#!:mime application/x-ole-storage +!:mime image/x-greenstreet-art +!:ext art +>>>80 default x +>>>>0 use ole2-unknown #?? # URL: http://www.checkfilename.com/view-details/Microsoft-Works/RespageIndex/0/sTab/2/ >>88 ubequad 0xa29a00aa004a1a72 : Microsoft @@ -547,6 +606,19 @@ !:apple ????WPC9 !:ext wpg # +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/CorelCAD +# https://en.wikipedia.org/wiki/CorelCAD +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/ccd-corelcad.trid.xml +# Note: called "CorelCAD Drawing" by TrID and CorelCAD +# directory entry names like Contents ViewInfo CustomViewDescriptions LayerInfo +>>88 ubequad 0xbe26db67235e2689 : Corel +>>>80 ubequad 0x20f414de1cacce11 \bCAD Drawing or Template +#!:mime application/x-ole-storage +!:mime application/x-corel-cad +# CCT for CorelCAD Template +!:ext ccd/cct +# # URL: http://fileformats.archiveteam.org/wiki/StarOffice_binary_formats >>88 ubequad 0x996104021c007002 : StarOffice >>>80 ubequad 0x407e5cdc5cb31b10 StarWriter 3.0 document or template @@ -661,13 +733,28 @@ #!:ext max/chr # remaining non null clsid >>88 default x -# GRR: check again for non null clsid because wrong when called by indirect directive ->>>88 ubequad !0 : UNKNOWN +>>>0 use ole2-unknown +# display information about directory for not detected CDF files +0 name ole2-unknown +>80 ubequad x : UNKNOWN # https://reposcope.com/mimetype/application/x-ole-storage !:mime application/x-ole-storage # according to file version 5.41 with -e soft option #!:mime application/CDFV2 #!:ext ??? ->>>>80 ubequad !0 \b, clsid %#16.16llx ->>>>88 ubequad x \b%16.16llx - +>80 ubequad !0 \b, clsid %#16.16llx +>>88 ubequad x \b%16.16llx +# converted hexadecimal format to standard GUUID notation +>>80 guid x {%s} +# second directory entry name like VisioDocument Control000 +>128 lestring16 x with names %.20s +# third directory entry like WordDocument Preview.dib +>256 lestring16 x %.20s +# forth like \005SummaryInformation +>384 lestring16 x %.25s +# 5th +>512 lestring16 x %.10s +# 6th +>640 lestring16 x %.10s +# 7th +>768 lestring16 x %.10s diff --git a/magic/Magdir/pdf b/magic/Magdir/pdf index 38de3cff9b9..7a99d8d3cf3 100644 --- a/magic/Magdir/pdf +++ b/magic/Magdir/pdf @@ -1,12 +1,12 @@ #------------------------------------------------------------------------------ -# $File: pdf,v 1.16 2021/07/30 11:47:07 christos Exp $ +# $File: pdf,v 1.18 2023/07/17 15:57:18 christos Exp $ # pdf: file(1) magic for Portable Document Format # 0 name pdf >8 search /Count ->>&0 regex [0-9]+ \b, %s pages +>>&0 regex [0-9]+ \b, %s page(s) >8 search/512 /Filter/FlateDecode/ (zip deflate encoded) 0 string %PDF- PDF document @@ -42,7 +42,7 @@ >5 byte x \b, version %c >7 byte x \b.%c -0 search/256 %PDF- PDF document +0 search/1024 %PDF- PDF document !:mime application/pdf !:strength +60 !:ext pdf diff --git a/magic/Magdir/perl b/magic/Magdir/perl index c391d4a7203..4a3756a483e 100644 --- a/magic/Magdir/perl +++ b/magic/Magdir/perl @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: perl,v 1.26 2017/02/21 18:34:55 christos Exp $ +# $File: perl,v 1.27 2023/07/17 16:01:36 christos Exp $ # perl: file(1) magic for Larry Wall's perl language. # # The `eval' lines recognizes an outrageously clever hack. @@ -34,12 +34,12 @@ # by Dmitry V. Levin and Alexey Tourbin # check the first line 0 search/8192 package ->0 regex \^package[\ \t]+[0-9A-Za-z_:]+\ *; Perl5 module source text +>0 regex \^package[[:space:]]+[0-9A-Za-z_:]+[[:space:]]*([[:space:]]v?[0-9][0-9.]*)?[[:space:]]*; Perl5 module source text !:strength + 40 # not 'p', check other lines 0 search/8192 !p ->0 regex \^package[\ \t]+[0-9A-Za-z_:]+\ *; ->>0 regex \^1\ *;|\^(use|sub|my)\ .*[(;{=] Perl5 module source text +>0 regex \^package[[:space:]]+[0-9A-Za-z_:]+[[:space:]]*([[:space:]]v?[0-9][0-9.]*)?[[:space:]]*; +>>0 regex \^1[[:space:]]*;|\^(use|sub|my)[[:space:]].*[(;{=] Perl5 module source text !:strength + 75 # Perl POD documents diff --git a/magic/Magdir/playdate b/magic/Magdir/playdate new file mode 100644 index 00000000000..77f8c689378 --- /dev/null +++ b/magic/Magdir/playdate @@ -0,0 +1,57 @@ + +#------------------------------------------------------------------------------ +# $File: playdate,v 1.1 2022/11/04 13:34:48 christos Exp $ +# +# Various native file formats for the Playdate portable video game console. +# +# These are unofficially documented at +# https://github.com/jaames/playdate-reverse-engineering +# +# The SDK is a source for many test files, and can be used to +# create others. https://play.date/dev/ + + +# pdi: static image +0 string Playdate\ IMG Playdate image data +>12 belong&0x80 0x80 (compressed) +>>20 lelong x %d x +>>24 lelong x %d +>12 belong&0x80 0x00 (uncompressed) +>>16 leshort x %d x +>>18 leshort x %d + +# pdt: multiple static images +0 string Playdate\ IMT Playdate image data set +>12 belong&0x80 0x80 (compressed) +>>20 lelong x %d x +>>24 lelong x %d, +>>28 lelong x %d cells +>12 belong&0x80 0x00 (uncompressed) +>>20 lelong x tile grid %d x +>>24 lelong x %d + +# pds: string tables +0 string Playdate\ STR Playdate localization strings +>12 belong&0x80 0x80 (compressed) +>12 belong&0x80 0x00 (uncompressed) + +# pda: audio +0 string Playdate\ AUD Playdate audio file +>12 lelong&0xffffff x %d Hz, +>15 byte 0 unsigned, 8-bit PCM, 1 channel +>15 byte 1 unsigned, 8-bit PCM, 2 channel +>15 byte 2 signed, 16-bit little-endian PCM, 1 channel +>15 byte 3 signed, 16-bit little-endian PCM, 1 channel +>15 byte 4 4-bit ADPCM, 1 channel +>15 byte 5 4-bit ADPCM, 2 channel + +# pda: video +0 string Playdate\ VID Playdate video file +>24 leshort x %d x +>26 leshort x %d, +>16 leshort x %d frames, +>20 lefloat x %.2f FPS + +# pdz: executable package +# Not a lot we can do, as it's a stream of entries with no summary information. +0 string Playdate\ PDZ Playdate executable package diff --git a/magic/Magdir/printer b/magic/Magdir/printer index e8fccd27971..b45a2025ec8 100644 --- a/magic/Magdir/printer +++ b/magic/Magdir/printer @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: printer,v 1.29 2019/04/19 00:42:27 christos Exp $ +# $File: printer,v 1.34 2023/06/16 19:27:12 christos Exp $ # printer: file(1) magic for printer-formatted files # @@ -30,13 +30,42 @@ # DOS EPS Binary File Header # From: Ed Sznyter -0 belong 0xC5D0D3C6 DOS EPS Binary File ->4 long >0 Postscript starts at byte %d ->>8 long >0 length %d ->>>12 long >0 Metafile starts at byte %d +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Encapsulated_PostScript +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/eps-adobe.trid.xml +# Note: called "Encapsulated PostScript binary" by TrID and +# verified partly by ImageMagick `identify -verbose *` as EPT (Encapsulated PostScript with TIFF preview) +0 belong 0xC5D0D3C6 +# skip DROID fmt-122-signature-id-174.eps fmt-123-signature-id-178.eps fmt-124-signature-id-180.eps +# by looking for content after header +# GRR: in version 5.44 unequal and not endian variant not working! +>32 ulelong >0 DOS EPS Binary File +!:mime image/x-eps +# TODO: check that "long" is false on big endian machines +# Postscript often (850/857) comes after header; so values like: 30 32 or 2788 10644 43350 71828 +>>4 long >0 at byte %d +# 1 space char after length value to get phrase like "length 263893 PostScript document text" +>>>8 long >0 length %d +# PostScript document text handled by ./printer +>>>>(4.l) indirect x +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/e/eps-wmf.trid.xml +# Note: called "Encapsulated PostScript binary (with WMF preview)" by TrID +# verified partly by XnView `nconvert -info *.EP?` as TIFF epsp +>>>>12 long >0 at byte %d +!:ext eps +# GRR: in file version 5.44 calling indirect of ./msdos produce phrase like "length 452\012- Windows metafile" >>>>16 long >0 length %d ->>>20 long >0 TIFF starts at byte %d ->>>>24 long >0 length %d +# Windows metafile data handled by ./msdos +>>>>>(12.l) indirect x +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/e/eps-tiff.trid.xml +# Note: called "Encapsulated PostScript binary (with TIFF preview)" by TrID +>>>>20 long >0 at byte %d +# For the variant with the TIFF preview image sometimes the file extension ept is used +!:ext eps/ept +# GRR: in file version 5.44 calling indirect of ./images produce phrase like "length 43320\012- TIFF image data," +>>>>>24 long >0 length %d +# TIFF image data handled by ./images +>>>>>>(20.l) indirect x # Summary: Adobe's PostScript Printer Description File # Extension: .ppd @@ -45,6 +74,8 @@ # 0 string *PPD-Adobe:\x20 PPD file >&0 string x \b, version %s +!:ext ppd +!:mime application/vnd.cups-ppd # HP Printer Job Language 0 string \033%-12345X@PJL HP Printer Job Language data @@ -82,7 +113,16 @@ >0 search/10000 @PJL\ ENTER\ LANGUAGE=QPDL - Samsung QPDL >0 search/10000 @PJL\ ENTER\ LANGUAGE\ =\ QPDL - Samsung QPDL >0 search/10000 @PJL\ ENTER\ LANGUAGE=ZJS - HP ZJS - +# Summary: Hewlett-Packard printer firmware update +# From: Joerg Jenderek +# URL: https://support.hp.com/us-en/drivers/selfservice/hp-envy-6000e-all-in-one-printer-series/2100187505/model/2100187513 +# Note: firmware update tested with ENVY 6000 All-in-One Printer +0 string @PJL\ ENTER\ LANGUAGE=FWUPDATE2 HP Printer firmware update +#!:mime application/octet-stream +#!:mime application/x-hp-firmware +# https://ftp.hp.com/pub/softlib/software13/printers/en6000/2214/EN6000_2214B.exe +# vasari_base_dist_pp1_001.2214B_nonassert_appsigned_lbi_rootfs_secure_signed.ful2 +!:ext ful2 # HP Printer Control Language, Daniel Quinlan (quinlan@yggdrasil.com) 0 string \033E\033 HP PCL printer data @@ -148,3 +188,91 @@ # From: Paolo # Epson ESC/Page, ESC/PageColor 0 string \x1b\x01@EJL Epson ESC/Page language printer data + +# Summary: Hewlett-Packard Graphics Language +# From: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/HP-GL +# https://en.wikipedia.org/wiki/HPGL +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/hpg.trid.xml +# Note: called "Hewlett-Packard Graphics Language" by TrID and +# "Hewlett Packard Graphics Language" by DROID via PUID x-fmt/293 and +# HPGL by XnView command `nconvert -info *` +# initialize, start a plotting job +0 string IN; +>0 use hpgl +# fill.plt +0 string INPS +>0 use hpgl +# http://ftp.funet.fi/index/graphics/packages/hpgl2ps/hpgl2ps.tar.Z/hpgl2ps/test1.hpgl +0 string DF; +>0 use hpgl +# http://ftp.funet.fi/index/graphics/packages/hpgl2ps/hpgl2ps.tar.Z/hpgl2ps/test3.hpgl +# Select Pen n; If no pen number or 0, the controller performs an end of file command; n in range between -32767 and 32768 like: 6 +0 string SP +# skip text Linux-syscall-note inside qemu sources starting with SPDX-Exception-Identifier: Linux-syscall-note +# by checking for valid Pen number +>2 regex \^([0-9]{1,5}) +#>2 regex \^([0-9]{1,5}) PEN_NUMBER=%s +>>0 use hpgl +# charsize.hp pages.hp set the scaling points (P1 and P2) to their default positions +0 string IP0 +>0 use hpgl +# ci.hp +0 string CO\040 +>0 use hpgl +# iw.hp 286x192.5_lh.hpg 286x192.5_lq.hpg +0 string PS\040 +>0 use hpgl +# thick.hp +0 string PS9 +>0 use hpgl +# ul.hp +0 string PS4 +>0 use hpgl +# la.hp +0 string BP +>0 use hpgl +# miter.hp +# Plot Absolute x,y{,x,y{...}}; x and y in range between -32767 and 32768 like: PA4000,3000; +0 string PA +# skip shell scripts test_msa_run_32r5eb.sh test_msa_run_32r5eb.sh with variable PATH_TO_QEMU +# by checking for valid x coordinate +>2 regex \^([-]{0,1}[0-9]{1,5}) +#>2 regex \^([-]{0,1}[0-9]{1,5}) COORDINATE=%s +>>0 use hpgl +# pw.hpg number of pens x +0 string NP +>0 use hpgl +# win_1.hp +#0 string \003INCA WHAT_IS_THAT +#>0 use hpgl +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/h/hpgl2.trid.xml +# Note: called "Hewlett-Packard Graphics Language 2" by TrID +0 string \033%-1B Hewlett-Packard Graphics Language 2 +!:mime application/vnd.hp-HPGL +# like: dt.plt +!:ext plt +#!:ext plt/gl2/hpg2/spl +# remaining part after escsape sequnce +>5 string x with "%-.10s" +# display Hewlett-Packard Graphics Language vector graphic information +0 name hpgl +>0 string x Hewlett-Packard Graphics Language +#!:mime vector/x-hpgl +# https://www.iana.org/assignments/media-types/application/vnd.hp-HPGL +!:mime application/vnd.hp-HPGL +# no example with HPL suffix found +!:ext hpgl/hpg/hp/plt +# like: "IN;" "DF;IN;LT;PU1000,1000;PD2000,10" "SP6;DI0,1;SR0.70,1.90;SC0,800," +# "CO Concentric circles drawn with different linewidths;" +>0 string x \b, starting with "%-.54s" +# continue but not for 1 long line without CR or LF +>>&0 ubyte <0x0E +#>>&0 ubyte <0x0E TERMINATOR=%x +# second line after 1 terminator character +>>>&0 string >\r with "%-.10s" +# next character again CR or LF +>>>&0 ubyte <0x0E +#>>>&0 ubyte <0x0E 2ND_CHARACTER=%x +# second line after 2 terminator characters +>>>>&0 string >\r with "%-.10s" diff --git a/magic/Magdir/qt b/magic/Magdir/qt index 83aa124cfd3..68085f2892f 100644 --- a/magic/Magdir/qt +++ b/magic/Magdir/qt @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: qt,v 1.3 2019/04/19 00:42:27 christos Exp $ +# $File: qt,v 1.4 2022/11/11 14:50:23 christos Exp $ # qt: file(1) magic for Qt # https://doc.qt.io/qt-5/resources.html @@ -17,3 +17,14 @@ # src/corelib/kernel/qtranslator.cpp#L62 0 string \x3c\xb8\x64\x18\xca\xef\x9c\x95 >8 string \xcd\x21\x1c\xbf\x60\xa1\xbd\xdd Qt Translation file + + +# Qt V4 Javascript engine compiled unit +# From: Alexandre Iooss +# URL: https://github.com/qt/qtdeclarative/blob/v6.4.0/src/qml/common/qv4compileddata_p.h +0 string qv4cdata QV4 compiled unit +!:ext qmlc +>8 ulelong x \b, version %d +>12 byte x \b, Qt %d +>13 byte x \b.%d +>14 byte x \b.%d diff --git a/magic/Magdir/rst b/magic/Magdir/rst index aadfad20b01..0df15b8fa5d 100644 --- a/magic/Magdir/rst +++ b/magic/Magdir/rst @@ -1,11 +1,13 @@ #------------------------------------------------------------------------------ -# $File: rst,v 1.3 2020/04/27 01:50:36 christos Exp $ +# $File: rst,v 1.4 2023/07/27 18:26:32 christos Exp $ # rst: ReStructuredText http://docutils.sourceforge.net/rst.html 0 search/256 \=\= !:strength + 30 >&0 regex/256 \^[\=]+$ ->>&0 search/512 :Author: ReStructuredText file +>>&0 search/512 :Author: ReStructuredText file +>>&0 search/512 \012Authors: ReStructuredText file +>>&0 search/512 \012Author: ReStructuredText file >>&0 default x >>>&0 regex/512 \^\\.\\.[A-Za-z] ReStructuredText file !:ext rst diff --git a/magic/Magdir/rust b/magic/Magdir/rust new file mode 100644 index 00000000000..b1bbd9d9702 --- /dev/null +++ b/magic/Magdir/rust @@ -0,0 +1,21 @@ + +#------------------------------------------------------------------------------ +# $File: rust,v 1.2 2022/11/18 15:58:15 christos Exp $ +# Magic for Rust and related languages programs +# + +# Rust compiler metadata +# From: Alexandre Iooss +# URL: https://github.com/rust-lang/rust/blob/1.64.0/compiler/rustc_metadata/src/rmeta/mod.rs +0 string rust\x00\x00\x00 +>12 string \014rustc\x20 Rust compiler metadata +!:ext rmeta +>>7 byte x \b, version %d + +# Rust incremental compilation metadata +# From: Alexandre Iooss +# URL: https://github.com/rust-lang/rust/blob/1.64.0/compiler/rustc_incremental/src/persist/file_format.rs +0 string RSIC +>4 uleshort =0 Rust incremental compilation metadata +!:ext bin +>>6 pstring x \b, rustc %s diff --git a/magic/Magdir/scientific b/magic/Magdir/scientific index 0e78712fcab..d52d6aeb012 100644 --- a/magic/Magdir/scientific +++ b/magic/Magdir/scientific @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: scientific,v 1.13 2019/04/19 00:42:27 christos Exp $ +# $File: scientific,v 1.14 2023/04/29 17:28:09 christos Exp $ # scientific: file(1) magic for scientific formats # # From: Joe Krahn @@ -62,15 +62,48 @@ # Type: GEDCOM genealogical (family history) data # From: Giuseppe Bilotta +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/GEDCOM +# https://en.wikipedia.org/wiki/GEDCOM +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/g/ +# ged.trid.xml ged-utf8.trid.xml ged-utf16.trid.xml +# Note: called "GEDCOM Family History" by TrID and "Genealogical Data Communication (GEDCOM) Format" by DROID via PUID fmt/851 0 search/1/c 0\ HEAD GEDCOM genealogy text +#!:mime text/plain +#!:mime application/x-gedcom +# https://www.iana.org/assignments/media-types/text/vnd.familysearch.gedcom +!:mime text/vnd.familysearch.gedcom +!:ext ged +# no gedcom sample found and ged suffix also used for other formats +#!:ext ged/gedcom >&0 search 1\ GEDC >>&0 search 2\ VERS version +# 4 5.0 5.3 5.4 5.5 5.5.1 5.5.5 5.6 7.0 or no version >>>&1 string >\0 %s # From: Phil Endecott -0 string \000\060\000\040\000\110\000\105\000\101\000\104 GEDCOM data -0 string \060\000\040\000\110\000\105\000\101\000\104\000 GEDCOM data -0 string \376\377\000\060\000\040\000\110\000\105\000\101\000\104 GEDCOM data -0 string \377\376\060\000\040\000\110\000\105\000\101\000\104\000 GEDCOM data +# 0\040HEAD as UTF-16 big endian without BOM +0 string \000\060\000\040\000\110\000\105\000\101\000\104 GEDCOM genealogy text +!:mime text/vnd.familysearch.gedcom +!:ext ged +# look for VERS tag encoded as UTF-16 big endian +>12 search/0x65 V\0E\0R\0S version +# version like: 5.5.1 +>>&2 bestring16 x %s +>>0 string x \b, UTF-16 (without BOM) big-endian text +# 0\040HEAD as UTF-16 little endian without BOM +0 string \060\000\040\000\110\000\105\000\101\000\104\000 GEDCOM genealogy text +!:mime text/vnd.familysearch.gedcom +!:ext ged +# look for VERS tag encoded as UTF-16 lttle endian +>12 search/0x65 V\0E\0R\0S version +# version like: 5.5.1 +>>&3 lestring16 x %s +>>2 string x \b, UTF-16 (without BOM) little-endian text +# Note: UTF-16 with BOM variants already described above by first test as "GEDCOM genealogy text" +# 0\040HEAD as UTF-16 big endian with BOM +#0 string \376\377\000\060\000\040\000\110\000\105\000\101\000\104 GEDCOM data +# 0\040HEAD as UTF-16 little endian with BOM +#0 string \377\376\060\000\040\000\110\000\105\000\101\000\104\000 GEDCOM data # PDB: Protein Data Bank files # Adam Buchbinder diff --git a/magic/Magdir/sendmail b/magic/Magdir/sendmail index 54028fdfe22..6808dbfd33a 100644 --- a/magic/Magdir/sendmail +++ b/magic/Magdir/sendmail @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sendmail,v 1.11 2019/04/19 00:42:27 christos Exp $ +# $File: sendmail,v 1.12 2022/10/31 13:22:26 christos Exp $ # sendmail: file(1) magic for sendmail config files # # XXX - byte order? @@ -13,7 +13,7 @@ # - version \330jK\354 0 byte 046 # https://www.sendmail.com/sm/open_source/docs/older_release_notes/ -# freezed configuration file (dbm format?) created from sendmal.cf with -bz +# freezed configuration file (dbm format?) created from sendmail.cf with -bz # by older sendmail. til version 8.6 support for frozen configuration files is removed # valid version numbers look like "7.14.4" and should be similar to output of commands # "sendmail -d0 -bt < /dev/null |grep -i Version" or "egrep '^DZ' /etc/sendmail.cf" diff --git a/magic/Magdir/sgml b/magic/Magdir/sgml index 71e2dab5648..fb698a54a61 100644 --- a/magic/Magdir/sgml +++ b/magic/Magdir/sgml @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sgml,v 1.46 2022/08/16 11:16:39 christos Exp $ +# $File: sgml,v 1.48 2023/01/18 16:10:21 christos Exp $ # Type: SVG Vectorial Graphics # From: Noel Torres 0 string \ HTML document text +!:mime text/html +0 string/ct \