archive 71 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112
  1. #------------------------------------------------------------------------------
  2. # $File: archive,v 1.169 2022/09/12 13:13:28 christos Exp $
  3. # archive: file(1) magic for archive formats (see also "msdos" for self-
  4. # extracting compressed archives)
  5. #
  6. # cpio, ar, arc, arj, hpack, lha/lharc, rar, squish, uc2, zip, zoo, etc.
  7. # pre-POSIX "tar" archives are also handled in the C code ../../src/is_tar.c.
  8. # POSIX tar archives
  9. # URL: https://en.wikipedia.org/wiki/Tar_(computing)
  10. # Reference: https://www.freebsd.org/cgi/man.cgi?query=tar&sektion=5&manpath=FreeBSD+8-current
  11. # header mainly padded with nul bytes
  12. 500 quad 0
  13. !:strength /2
  14. # filename or extended attribute printable strings in range space null til umlaut ue
  15. >0 ubeshort >0x1F00
  16. >>0 ubeshort <0xFCFD
  17. # last 4 header bytes often null but tar\0 in gtarfail2.tar gtarfail.tar-bad
  18. # at https://sourceforge.net/projects/s-tar/files/testscripts/
  19. >>>508 ubelong&0x8B9E8DFF 0
  20. # nul, space or ascii digit 0-7 at start of mode
  21. >>>>100 ubyte&0xC8 =0
  22. >>>>>101 ubyte&0xC8 =0
  23. # nul, space at end of check sum
  24. >>>>>>155 ubyte&0xDF =0
  25. # space or ascii digit 0 at start of check sum
  26. >>>>>>>148 ubyte&0xEF =0x20
  27. # FOR DEBUGGING:
  28. #>>>>>>>>0 regex \^[0-9]{2,4}[.](png|jpg|jpeg|tif|tiff|gif|bmp) NAME "%s"
  29. # check for 1st image main name with digits used for sorting
  30. # and for name extension case insensitive like: PNG JPG JPEG TIF TIFF GIF BMP
  31. >>>>>>>>0 regex \^[0-9]{2,4}[.](png|jpg|jpeg|tif|tiff|gif|bmp)
  32. #foo
  33. >>>>>>>>>0 use tar-cbt
  34. # if 1st member name without digits and without used image suffix then it is a TAR archive
  35. >>>>>>>>0 default x
  36. >>>>>>>>>0 use tar-file
  37. # minimal check and then display tar archive information which can also be
  38. # embedded inside others like Android Backup, Clam AntiVirus database
  39. 0 name tar-file
  40. >257 string !ustar
  41. # header padded with nuls
  42. >>257 ulong =0
  43. # GNU tar version 1.29 with non pax format option without refusing
  44. # creates misleading V7 header for Long path, Multi-volume, Volume type
  45. >>>156 ubyte 0x4c GNU tar archive
  46. !:mime application/x-gtar
  47. !:ext tar/gtar
  48. >>>156 ubyte 0x4d GNU tar archive
  49. !:mime application/x-gtar
  50. !:ext tar/gtar
  51. >>>156 ubyte 0x56 GNU tar archive
  52. !:mime application/x-gtar
  53. !:ext tar/gtar
  54. >>>156 default x tar archive (V7)
  55. !:mime application/x-tar
  56. !:ext tar
  57. # other stuff in padding
  58. # some implementations add new fields to the blank area at the end of the header record
  59. # created for example by DOS TAR 3.20g 1994 Tim V.Shapore with -j option
  60. >>257 ulong !0 tar archive (old)
  61. !:mime application/x-tar
  62. !:ext tar
  63. # magic in newer, GNU, posix variants
  64. >257 string =ustar
  65. # 2 last char of magic and UStar version because string expression does not work
  66. # 2 space characters followed by a null for GNU variant
  67. >>261 ubelong =0x72202000 POSIX tar archive (GNU)
  68. !:mime application/x-gtar
  69. !:ext tar/gtar
  70. # UStar version with ASCII "00"
  71. >>261 ubelong 0x72003030 POSIX
  72. # gLOBAL and ExTENSION type only found in POSIX.1-2001 format
  73. >>>156 ubyte 0x67 \b.1-2001
  74. >>>156 ubyte 0x78 \b.1-2001
  75. >>>156 ubyte x tar archive
  76. !:mime application/x-ustar
  77. !:ext tar/ustar
  78. # version with 2 binary nuls embedded in Android Backup like com.android.settings.ab
  79. >>261 ubelong 0x72000000 tar archive (ustar)
  80. !:mime application/x-ustar
  81. !:ext tar/ustar
  82. # not seen ustar variant with garbish version
  83. >>261 default x tar archive (unknown ustar)
  84. !:mime application/x-ustar
  85. !:ext tar/ustar
  86. # type flag of 1st tar archive member
  87. #>156 ubyte x \b, %c-type
  88. >156 ubyte x
  89. >>156 ubyte 0 \b, file
  90. >>156 ubyte 0x30 \b, file
  91. >>156 ubyte 0x31 \b, hard link
  92. >>156 ubyte 0x32 \b, symlink
  93. >>156 ubyte 0x33 \b, char device
  94. >>156 ubyte 0x34 \b, block device
  95. >>156 ubyte 0x35 \b, directory
  96. >>156 ubyte 0x36 \b, fifo
  97. >>156 ubyte 0x37 \b, reserved
  98. >>156 ubyte 0x4c \b, long path
  99. >>156 ubyte 0x4d \b, multi volume
  100. >>156 ubyte 0x56 \b, volume
  101. >>156 ubyte 0x67 \b, global
  102. >>156 ubyte 0x78 \b, extension
  103. >>156 default x \b, type
  104. >>>156 ubyte x '%c'
  105. # name[100]
  106. >0 string >\0 %-.60s
  107. # mode mainly stored as an octal number in ASCII null or space terminated
  108. >100 string >\0 \b, mode %-.7s
  109. # user id mainly as octal numbers in ASCII null or space terminated
  110. >108 string >\0 \b, uid %-.7s
  111. # group id mainly as octal numbers in ASCII null or space terminated
  112. >116 string >\0 \b, gid %-.7s
  113. # size mainly as octal number in ASCII
  114. >124 ubyte <0x38
  115. >>124 string >\0 \b, size %-.12s
  116. # coding indicated by setting the high-order bit of the leftmost byte
  117. >124 ubyte >0xEF \b, size 0x
  118. >>124 ubyte !0xff \b%2.2x
  119. >>125 ubyte !0xff \b%2.2x
  120. >>126 ubyte !0xff \b%2.2x
  121. >>127 ubyte !0xff \b%2.2x
  122. >>128 ubyte !0xff \b%2.2x
  123. >>129 ubyte !0xff \b%2.2x
  124. >>130 ubyte !0xff \b%2.2x
  125. >>131 ubyte !0xff \b%2.2x
  126. >>132 ubyte !0xff \b%2.2x
  127. >>133 ubyte !0xff \b%2.2x
  128. >>134 ubyte !0xff \b%2.2x
  129. >>135 ubyte !0xff \b%2.2x
  130. # seconds since 0:0:0 1 jan 1970 UTC as octal number mainly in ASCII null or space terminated
  131. >136 string >\0 \b, seconds %-.11s
  132. # header checksum stored as an octal number in ASCII null or space terminated
  133. #>148 string x \b, cksum %.7s
  134. # linkname[100]
  135. >157 string >\0 \b, linkname %-.40s
  136. # additional fields for ustar
  137. >257 string =ustar
  138. # owner user name null terminated
  139. >>265 string >\0 \b, user %-.32s
  140. # group name null terminated
  141. >>297 string >\0 \b, group %-.32s
  142. # device major minor if not zero
  143. >>329 ubequad&0xCFCFCFCFcFcFcFdf !0
  144. >>>329 string x \b, devmaj %-.7s
  145. >>337 ubequad&0xCFCFCFCFcFcFcFdf !0
  146. >>>337 string x \b, devmin %-.7s
  147. # prefix[155]
  148. >>345 string >\0 \b, prefix %-.155s
  149. # old non ustar/POSIX tar
  150. >257 string !ustar
  151. >>508 string =tar\0
  152. # padding[255] in old star
  153. >>>257 string >\0 \b, padding: %-.40s
  154. >>508 default x
  155. # padding[255] in old tar sometimes comment field
  156. >>>257 string >\0 \b, comment: %-.40s
  157. # Summary: Comic Book Archive *.CBT with TAR format
  158. # URL: https://en.wikipedia.org/wiki/Comic_book_archive
  159. # http://fileformats.archiveteam.org/wiki/Comic_Book_Archive
  160. # Note: there exist also RAR, ZIP, ACE and 7Z packed variants
  161. 0 name tar-cbt
  162. >0 string x Comic Book archive, tar archive
  163. #!:mime application/x-tar
  164. !:mime application/vnd.comicbook
  165. #!:mime application/vnd.comicbook+tar
  166. !:ext cbt
  167. # name[100] probably like: 19.jpg 0001.png 0002.png
  168. # or maybe like ComicInfo.xml
  169. >0 string >\0 \b, 1st image %-.60s
  170. # Incremental snapshot gnu-tar format from:
  171. # https://www.gnu.org/software/tar/manual/html_node/Snapshot-Files.html
  172. 0 string GNU\ tar- GNU tar incremental snapshot data
  173. >&0 regex [0-9]\\.[0-9]+-[0-9]+ version %s
  174. # cpio archives
  175. #
  176. # Yes, the top two "cpio archive" formats *are* supposed to just be "short".
  177. # The idea is to indicate archives produced on machines with the same
  178. # byte order as the machine running "file" with "cpio archive", and
  179. # to indicate archives produced on machines with the opposite byte order
  180. # from the machine running "file" with "byte-swapped cpio archive".
  181. #
  182. # The SVR4 "cpio(4)" hints that there are additional formats, but they
  183. # are defined as "short"s; I think all the new formats are
  184. # character-header formats and thus are strings, not numbers.
  185. 0 short 070707 cpio archive
  186. !:mime application/x-cpio
  187. 0 short 0143561 byte-swapped cpio archive
  188. !:mime application/x-cpio # encoding: swapped
  189. 0 string 070707 ASCII cpio archive (pre-SVR4 or odc)
  190. !:mime application/x-cpio
  191. 0 string 070701 ASCII cpio archive (SVR4 with no CRC)
  192. !:mime application/x-cpio
  193. 0 string 070702 ASCII cpio archive (SVR4 with CRC)
  194. !:mime application/x-cpio
  195. #
  196. # Various archive formats used by various versions of the "ar"
  197. # command.
  198. #
  199. #
  200. # Original UNIX archive formats.
  201. # They were written with binary values in host byte order, and
  202. # the magic number was a host "int", which might have been 16 bits
  203. # or 32 bits. We don't say "PDP-11" or "VAX", as there might have
  204. # been ports to little-endian 16-bit-int or 32-bit-int platforms
  205. # (x86?) using some of those formats; if none existed, feel free
  206. # to use "PDP-11" for little-endian 16-bit and "VAX" for little-endian
  207. # 32-bit. There might have been big-endian ports of that sort as
  208. # well.
  209. #
  210. 0 leshort 0177555 very old 16-bit-int little-endian archive
  211. 0 beshort 0177555 very old 16-bit-int big-endian archive
  212. 0 lelong 0177555 very old 32-bit-int little-endian archive
  213. 0 belong 0177555 very old 32-bit-int big-endian archive
  214. 0 leshort 0177545 old 16-bit-int little-endian archive
  215. >2 string __.SYMDEF random library
  216. 0 beshort 0177545 old 16-bit-int big-endian archive
  217. >2 string __.SYMDEF random library
  218. 0 lelong 0177545 old 32-bit-int little-endian archive
  219. >4 string __.SYMDEF random library
  220. 0 belong 0177545 old 32-bit-int big-endian archive
  221. >4 string __.SYMDEF random library
  222. #
  223. # From "pdp" (but why a 4-byte quantity?)
  224. #
  225. 0 lelong 0x39bed PDP-11 old archive
  226. 0 lelong 0x39bee PDP-11 4.0 archive
  227. #
  228. # XXX - what flavor of APL used this, and was it a variant of
  229. # some ar archive format? It's similar to, but not the same
  230. # as, the APL workspace magic numbers in pdp.
  231. #
  232. 0 long 0100554 apl workspace
  233. #
  234. # System V Release 1 portable(?) archive format.
  235. #
  236. 0 string =<ar> System V Release 1 ar archive
  237. !:mime application/x-archive
  238. #
  239. # Debian package; it's in the portable archive format, and needs to go
  240. # before the entry for regular portable archives, as it's recognized as
  241. # a portable archive whose first member has a name beginning with
  242. # "debian".
  243. #
  244. # Update: Joerg Jenderek
  245. # URL: https://en.wikipedia.org/wiki/Deb_(file_format)
  246. 0 string =!<arch>\ndebian
  247. # https://manpages.debian.org/testing/dpkg/dpkg-split.1.en.html
  248. >14 string -split part of multipart Debian package
  249. !:mime application/vnd.debian.binary-package
  250. # udeb is used for stripped down deb file
  251. !:ext deb/udeb
  252. >14 string -binary Debian binary package
  253. !:mime application/vnd.debian.binary-package
  254. # For ipk packager see also https://en.wikipedia.org/wiki/Opkg
  255. !:ext deb/udeb/ipk
  256. # This should not happen
  257. >14 default x Unknown Debian package
  258. # NL terminated version; for most Debian cases this is 2.0 or 2.1 for split
  259. >68 string >\0 (format %s)
  260. #>68 string !2.0\n
  261. #>>68 string x (format %.3s)
  262. >68 string =2.0\n
  263. # 2nd archive name=control archive name like control.tar.gz or control.tar.xz
  264. >>72 string >\0 \b, with %.14s
  265. # look for 3rd archive name=data archive name like data.tar.{gz,xz,bz2,lzma}
  266. >>0 search/0x93e4f data.tar. \b, data compression
  267. # the above line only works if FILE_BYTES_MAX in ../../src/file.h is raised
  268. # for example like libreoffice-dev-doc_1%3a5.2.7-1+rpi1+deb9u3_all.deb
  269. >>>&0 string x %.2s
  270. # skip space (0x20 BSD) and slash (0x2f System V) character marking end of name
  271. >>>&2 ubyte !0x20
  272. >>>>&-1 ubyte !0x2f
  273. # display 3rd character of file name extension like 2 of bz2 or m of lzma
  274. >>>>>&-1 ubyte x \b%c
  275. >>>>>>&0 ubyte !0x20
  276. >>>>>>>&-1 ubyte !0x2f
  277. # display 4th character of file name extension like a of lzma
  278. >>>>>>>>&-1 ubyte x \b%c
  279. # split debian package case
  280. >68 string =2.1\n
  281. # dpkg-1.18.25/dpkg-split/info.c
  282. # NL terminated ASCII package name like ckermit
  283. >>&0 string x \b, %s
  284. # NL terminated package version like 302-5.3
  285. >>>&1 string x %s
  286. # NL terminated MD5 checksum
  287. >>>>&1 string x \b, MD5 %s
  288. # NL terminated original package length
  289. >>>>>&1 string x \b, unsplitted size %s
  290. # NL terminated part length
  291. >>>>>>&1 string x \b, part length %s
  292. # NL terminated package part like n/m
  293. >>>>>>>&1 string x \b, part %s
  294. # NL terminated package architecture like armhf since dpkg 1.16.1 or later
  295. >>>>>>>>&1 string x \b, %s
  296. #
  297. # MIPS archive; they're in the portable archive format, and need to go
  298. # before the entry for regular portable archives, as it's recognized as
  299. # a portable archive whose first member has a name beginning with
  300. # "__________E".
  301. #
  302. 0 string =!<arch>\n__________E MIPS archive
  303. !:mime application/x-archive
  304. >20 string U with MIPS Ucode members
  305. >21 string L with MIPSEL members
  306. >21 string B with MIPSEB members
  307. >19 string L and an EL hash table
  308. >19 string B and an EB hash table
  309. >22 string X -- out of date
  310. #
  311. # BSD/SVR2-and-later portable archive formats.
  312. #
  313. # Update: Joerg Jenderek
  314. # URL: http://fileformats.archiveteam.org/wiki/AR
  315. # Reference: https://www.unix.com/man-page/opensolaris/3HEAD/ar.h/
  316. # Note: Mach-O universal binary in ./cafebabe is dependent
  317. # TODO: unify current ar archive, MIPS archive, Debian package
  318. # distinguish BSD, SVR; 32, 64 bit; HP from other 32-bit SVR;
  319. # *.ar packages from *.a libraries. handle empty archive
  320. 0 string =!<arch>\n current ar archive
  321. # print first and possibly second ar_name[16] for debugging purpose
  322. #>8 string x \b, 1st "%.16s"
  323. #>68 string x \b, 2nd "%.16s"
  324. !:mime application/x-archive
  325. # a in most case for libraries; lib for Microsoft libraries; ar else cases
  326. !:ext a/lib/ar
  327. >8 string __.SYMDEF random library
  328. # first member with long marked name __.SYMDEF SORTED implies BSD library
  329. >68 string __.SYMDEF\ SORTED random library
  330. # Reference: https://parisc.wiki.kernel.org/images-parisc/b/b2/Rad_11_0_32.pdf
  331. # "archive file" entry moved from ./hp
  332. # LST header system_id 0210h~PA-RISC 1.1,... identifies the target architecture
  333. # LST header a_magic 0619h~relocatable library
  334. >68 belong 0x020b0619 - PA-RISC1.0 relocatable library
  335. >68 belong 0x02100619 - PA-RISC1.1 relocatable library
  336. >68 belong 0x02110619 - PA-RISC1.2 relocatable library
  337. >68 belong 0x02140619 - PA-RISC2.0 relocatable library
  338. #EOF for common ar archives
  339. #
  340. # "Thin" archive, as can be produced by GNU ar.
  341. #
  342. 0 string =!<thin>\n thin archive with
  343. >68 belong 0 no symbol entries
  344. >68 belong 1 %d symbol entry
  345. >68 belong >1 %d symbol entries
  346. 0 search/1 -h- Software Tools format archive text
  347. # ARC archiver, from Daniel Quinlan (quinlan@yggdrasil.com)
  348. #
  349. # The first byte is the magic (0x1a), byte 2 is the compression type for
  350. # the first file (0x01 through 0x09), and bytes 3 to 15 are the MS-DOS
  351. # filename of the first file (null terminated). Since some types collide
  352. # we only test some types on basis of frequency: 0x08 (83%), 0x09 (5%),
  353. # 0x02 (5%), 0x03 (3%), 0x04 (2%), 0x06 (2%). 0x01 collides with terminfo.
  354. 0 lelong&0x8080ffff 0x0000081a ARC archive data, dynamic LZW
  355. !:mime application/x-arc
  356. 0 lelong&0x8080ffff 0x0000091a ARC archive data, squashed
  357. !:mime application/x-arc
  358. 0 lelong&0x8080ffff 0x0000021a ARC archive data, uncompressed
  359. !:mime application/x-arc
  360. 0 lelong&0x8080ffff 0x0000031a ARC archive data, packed
  361. !:mime application/x-arc
  362. 0 lelong&0x8080ffff 0x0000041a ARC archive data, squeezed
  363. !:mime application/x-arc
  364. 0 lelong&0x8080ffff 0x0000061a ARC archive data, crunched
  365. !:mime application/x-arc
  366. # [JW] stuff taken from idarc, obviously ARC successors:
  367. 0 lelong&0x8080ffff 0x00000a1a PAK archive data
  368. !:mime application/x-arc
  369. 0 lelong&0x8080ffff 0x0000141a ARC+ archive data
  370. !:mime application/x-arc
  371. 0 lelong&0x8080ffff 0x0000481a HYP archive data
  372. !:mime application/x-arc
  373. # Acorn archive formats (Disaster prone simpleton, m91dps@ecs.ox.ac.uk)
  374. # I can't create either SPARK or ArcFS archives so I have not tested this stuff
  375. # [GRR: the original entries collide with ARC, above; replaced with combined
  376. # version (not tested)]
  377. #0 byte 0x1a RISC OS archive (spark format)
  378. 0 string \032archive RISC OS archive (ArcFS format)
  379. 0 string Archive\000 RISC OS archive (ArcFS format)
  380. # All these were taken from idarc, many could not be verified. Unfortunately,
  381. # there were many low-quality sigs, i.e. easy to trigger false positives.
  382. # Please notify me of any real-world fishy/ambiguous signatures and I'll try
  383. # to get my hands on the actual archiver and see if I find something better. [JW]
  384. # probably many can be enhanced by finding some 0-byte or control char near the start
  385. # idarc calls this Crush/Uncompressed... *shrug*
  386. 0 string CRUSH Crush archive data
  387. # Squeeze It (.sqz)
  388. 0 string HLSQZ Squeeze It archive data
  389. # SQWEZ
  390. 0 string SQWEZ SQWEZ archive data
  391. # HPack (.hpk)
  392. 0 string HPAK HPack archive data
  393. # HAP
  394. 0 string \x91\x33HF HAP archive data
  395. # MD/MDCD
  396. 0 string MDmd MDCD archive data
  397. # LIM
  398. 0 string LIM\x1a LIM archive data
  399. # SAR
  400. 3 string LH5 SAR archive data
  401. # BSArc/BS2
  402. 0 string \212\3SB\020\0 BSArc/BS2 archive data
  403. # Bethesda Softworks Archive (Oblivion)
  404. 0 string BSA\0 BSArc archive data
  405. >4 lelong x version %d
  406. # MAR
  407. 2 string =-ah MAR archive data
  408. # ACB
  409. #0 belong&0x00f800ff 0x00800000 ACB archive data
  410. # CPZ
  411. # TODO, this is what idarc says: 0 string \0\0\0 CPZ archive data
  412. # JRC
  413. 0 string JRchive JRC archive data
  414. # Quantum
  415. 0 string DS\0 Quantum archive data
  416. # ReSOF
  417. 0 string PK\3\6 ReSOF archive data
  418. # QuArk
  419. 0 string 7\4 QuArk archive data
  420. # YAC
  421. 14 string YC YAC archive data
  422. # X1
  423. 0 string X1 X1 archive data
  424. 0 string XhDr X1 archive data
  425. # CDC Codec (.dqt)
  426. 0 belong&0xffffe000 0x76ff2000 CDC Codec archive data
  427. # AMGC
  428. 0 string \xad6" AMGC archive data
  429. # NuLIB
  430. 0 string N\xc3\xb5F\xc3\xa9lx\xc3\xa5 NuLIB archive data
  431. # PakLeo
  432. 0 string LEOLZW PAKLeo archive data
  433. # ChArc
  434. 0 string SChF ChArc archive data
  435. # PSA
  436. 0 string PSA PSA archive data
  437. # CrossePAC
  438. 0 string DSIGDCC CrossePAC archive data
  439. # Freeze
  440. 0 string \x1f\x9f\x4a\x10\x0a Freeze archive data
  441. # KBoom
  442. 0 string \xc2\xa8MP\xc2\xa8 KBoom archive data
  443. # NSQ, must go after CDC Codec
  444. 0 string \x76\xff NSQ archive data
  445. # DPA
  446. 0 string Dirk\ Paehl DPA archive data
  447. # BA
  448. # TODO: idarc says "bytes 0-2 == bytes 3-5"
  449. # TTComp
  450. # URL: http://fileformats.archiveteam.org/wiki/TTComp_archive
  451. # Update: Joerg Jenderek
  452. # GRR: line below is too general as it matches also Panorama database "TCDB 2003-10 demo.pan", others
  453. 0 string \0\6
  454. # look for first keyword of Panorama database *.pan
  455. >12 search/261 DESIGN
  456. # skip keyword with low entropy
  457. >12 default x
  458. # skip DOS 2.0 backup id file, sequence 6 with many nils like BACKUPID_xx6.@@@ handled by ./msdos
  459. >>8 quad !0
  460. >>>0 use ttcomp
  461. # variant ASCII, 4K dictionary (strength=48=50-2). With strength=49 wrong order! WHY?
  462. 0 string \1\6
  463. # TODO:
  464. # skip VAX-order 68k Blit mpx/mux executable (strength=50) handled by ./blit
  465. !:strength -2
  466. >0 use ttcomp
  467. 0 string \0\5
  468. # skip some DOS 2.0 backup id file, sequence 5 with many nils like BACKUPID_075.@@@ handled by ./msdos
  469. >8 quad !0
  470. >>0 use ttcomp
  471. 0 string \1\5
  472. # TODO:
  473. # variant ASCII, 2K dictionary (strength=48=50-2). With strength=49 wrong order! WHY?
  474. # skip ctab data (strength=50) handled by ./ibm6000
  475. # skip locale data table (strength=50) handled by ./digital
  476. !:strength -2
  477. >0 use ttcomp
  478. 0 string \0\4
  479. # skip many Maple help database *.hdb with version tag handled by ./maple
  480. >1028 string !version
  481. # skip veclib maple.hdb by looking for Mable keyword
  482. >>4 search/1091 Maple\040
  483. #>4 search/34090 Maple\040
  484. >>4 default x
  485. # skip DOS 2.0-3.2 backed up sequence 4 with many nils like LOTUS5.RAR handled by ./msdos
  486. # skip xBASE Compound Index file *.CDX with many nils
  487. >>>0x54 quad !0
  488. >>>>0 use ttcomp
  489. 0 string \1\4
  490. # TODO:
  491. # skip Commodore PET BASIC 4.0 program *.prg
  492. # variant ASCII, 1K dictionary (strength=48=50-2). With strength=49 wrong order! WHY?
  493. # skip shared library (strength=50) handled by ./ibm6000
  494. !:strength -2
  495. >0 use ttcomp
  496. # display information of TTComp archive
  497. 0 name ttcomp
  498. # (version 5.25) labeled the entry as "TTComp archive data"
  499. >0 ubyte x TTComp archive data
  500. !:mime application/x-compress-ttcomp
  501. # PBACKSCR.PI1
  502. !:ext $xe/$ts/pi1/__d
  503. # compression type: 0~binary compression 1~ASCII compression
  504. >0 ubyte 0 \b, binary
  505. >0 ubyte 1 \b, ASCII
  506. # size of the dictionary: 4~1024 bytes 5~2048 bytes 6~4096 bytes
  507. >1 ubyte 4 \b, 1K
  508. >1 ubyte 5 \b, 2K
  509. >1 ubyte 6 \b, 4K
  510. >1 ubyte x dictionary
  511. # https://mark0.net/forum/index.php?topic=848
  512. # last 3 bytes probably have only 8 possible bit sequences
  513. # xxxxxxxx 0000000x 11111111 ____FFh
  514. # xxxxxxxx 10000000 01111111 __807Fh
  515. # 0xxxxxxx 11000000 00111111 __C03Fh
  516. # 00xxxxxx 11100000 00011111 __E01Fh
  517. # 000xxxxx 11110000 00001111 __F00Fh
  518. # 0000xxxx 11111000 00000111 __F807h
  519. # 00000xxx 11111100 00000011 __FC03h
  520. # 000000xx 11111110 00000001 __FE01h
  521. # but for quickgif.__d 0A7DD4h
  522. #>-3 ubyte x \b, last 3 bytes 0x%2.2x
  523. #>-2 ubeshort x \b%4.4x
  524. # From: Joerg Jenderek
  525. # URL: https://en.wikipedia.org/wiki/Disk_Copy
  526. # reference: http://nulib.com/library/FTN.e00005.htm
  527. 0x52 ubeshort 0x0100
  528. # test for disk image size equal or above 400k
  529. >0x40 ubelong >409599
  530. # test also for disk image size equal or below 1440k to skip
  531. # windows7en.mbr UNICODE.DAT
  532. #>>0x40 ubelong <1474561
  533. # test now for "low" disk image size equal or below 64 MiB to skip
  534. # windows7en.mbr (B441BBAAh) UNICODE.DAT (0400AF05h)
  535. >>0x40 ubelong <0x04000001
  536. # To skip Flags$StringJoiner.class with size 00106A61h test also for valid disk image sizes
  537. # 00064000 for 400k GCR disks dc42-400k-gcr.trid.xml
  538. # 000c8000 for 800k GCR disks dc42-800k-gcr.trid.xml
  539. # 000b4000 for 720k MFM disks dc42-720k-mfm.trid.xml
  540. # 00168000 for 1440k MFM disks dc42-1440k-mfm.trid.xml
  541. # https://lisaem.sunder.net/LisaProjectDocs.txt
  542. # 00500000 05M available
  543. # 00A00000 10M available
  544. # 01800000 24M possible
  545. # 02000000 32M uncertain
  546. # 04000000 64M uncertain
  547. >>>0x40 ubelong&0xf8003fFF 0
  548. # skip samples with invalid disk name length like:
  549. # 181 (biosmd80.rom) 202 (Flags$StringJoiner.class) 90 (UNICODE.DAT)
  550. >>>>0x0 ubyte <64
  551. >>>>>0 use dc42-floppy
  552. # display information of Apple DiskCopy 4.2 floppy image
  553. 0 name dc42-floppy
  554. # disk name length; maximal 63
  555. #>0 ubyte x DISK NAME LENGTH %u
  556. # ASCII image pascal (maximal 63 bytes) name padded with NULs like:
  557. # "Microsoft Mail" "Disquette 2" "IIe Installer Disk"
  558. # "-lisaem.sunder.net hd-" (dc42-lisaem.trid.xml) "-not a Macintosh disk" (dc42-nonmac.trid.xml)
  559. >00 pstring/B x Apple DiskCopy 4.2 image %s
  560. #!:mime application/octet-stream
  561. !:mime application/x-dc42-floppy-image
  562. !:apple dCpydImg
  563. # probably also img like: "Utilitaires 2.img" "Installation 7.img"
  564. !:ext image/dc42/img
  565. # data size in bytes like: 409600 737280 819200 1474560
  566. >0x40 ubelong x \b, %u bytes
  567. # for debugging purpose size in hexadecimal
  568. #>0x40 ubelong x (%#8.8x)
  569. # tag size in bytes like: 0 (often) 2580h (PUID fmt/625) 4B00h (Microsoft Mail.image)
  570. >0x44 ubelong >0 \b, %#x tag size
  571. # data checksum
  572. #>0x48 ubelong x \b, %#x checksum
  573. # tag checksum
  574. #>0x4c ubelong x \b, %#x tag checksum
  575. # disk encoding like: 0 1 2 3 (PUID: fmt/625)
  576. >0x50 ubyte 0 \b, GCR CLV ssdd (400k)
  577. >0x50 ubyte 1 \b, GCR CLV dsdd (800k)
  578. >0x50 ubyte 2 \b, MFM CAV dsdd (720k)
  579. >0x50 ubyte 3 \b, MFM CAV dshd (1440k)
  580. >0x50 ubyte >3 \b, %#x encoding
  581. # format byte like: 12h (Lisa 400K) 24h (400K Macintosh) 96h (800K Apple II disk)
  582. # 2 (Mac 400k "Disquette Installation 13.image")
  583. # 22h (double-sided MFM or Mac 800k "Disco 12.image" "IIe Installer Disk.image")
  584. >0x51 ubyte x \b, %#x format
  585. #>0x54 ubequad x \b, data %#16.16llx
  586. # ESP, could this conflict with Easy Software Products' (e.g.ESP ghostscript) documentation?
  587. 0 string ESP ESP archive data
  588. # ZPack
  589. 0 string \1ZPK\1 ZPack archive data
  590. # Sky
  591. 0 string \xbc\x40 Sky archive data
  592. # UFA
  593. 0 string UFA UFA archive data
  594. # Dry
  595. 0 string =-H2O DRY archive data
  596. # FoxSQZ
  597. 0 string FOXSQZ FoxSQZ archive data
  598. # AR7
  599. 0 string ,AR7 AR7 archive data
  600. # PPMZ
  601. 0 string PPMZ PPMZ archive data
  602. # MS Compress
  603. # Update: Joerg Jenderek
  604. # URL: http://fileformats.archiveteam.org/wiki/MS-DOS_installation_compression
  605. # Reference: https://hwiegman.home.xs4all.nl/fileformats/compress/szdd_kwaj_format.html
  606. # Note: use correct version of extracting tool like EXPAND, UNPACK, DECOMP or 7Z
  607. 4 string \x88\xf0\x27
  608. # KWAJ variant
  609. >0 string KWAJ MS Compress archive data, KWAJ variant
  610. !:mime application/x-ms-compress-kwaj
  611. # extension not working in version 5.32
  612. # magic/Magdir/archive, 284: Warning: EXTENSION type ` ??_' has bad char '?'
  613. # file: line 284: Bad magic entry ' ??_'
  614. !:ext ??_
  615. # compression method (0-4)
  616. >>8 uleshort x \b, %u method
  617. # offset of compressed data
  618. >>10 uleshort x \b, %#x offset
  619. #>>(10.s) uleshort x
  620. #>>>&-6 string x \b, TEST extension %-.3s
  621. # header flags to mark header extensions
  622. >>12 uleshort >0 \b, %#x flags
  623. # 4 bytes: decompressed length of file
  624. >>12 uleshort &0x01
  625. >>>14 ulelong x \b, original size: %u bytes
  626. # 2 bytes: unknown purpose
  627. # 2 bytes: length of unknown data + mentioned bytes
  628. # 1-9 bytes: null-terminated file name
  629. # 1-4 bytes: null-terminated file extension
  630. >>12 uleshort &0x08
  631. >>>12 uleshort ^0x01
  632. >>>>12 uleshort ^0x02
  633. >>>>>12 uleshort ^0x04
  634. >>>>>>12 uleshort ^0x10
  635. >>>>>>>14 string x \b, %-.8s
  636. >>>>>>12 uleshort &0x10
  637. >>>>>>>14 string x \b, %-.8s
  638. >>>>>>>>&1 string x \b.%-.3s
  639. >>>>>12 uleshort &0x04
  640. >>>>>>12 uleshort ^0x10
  641. >>>>>>>(14.s) uleshort x
  642. >>>>>>>>&14 string x \b, %-.8s
  643. >>>>>>12 uleshort &0x10
  644. >>>>>>>(14.s) uleshort x
  645. >>>>>>>>&14 string x \b, %-.8s
  646. >>>>>>>>>&1 string x \b.%-.3s
  647. >>>>12 uleshort &0x02
  648. >>>>>12 uleshort ^0x04
  649. >>>>>>12 uleshort ^0x10
  650. >>>>>>>16 string x \b, %-.8s
  651. >>>>>>12 uleshort &0x10
  652. >>>>>>>16 string x \b, %-.8s
  653. >>>>>>>>&1 string x \b.%-.3s
  654. >>>>>12 uleshort &0x04
  655. >>>>>>12 uleshort ^0x10
  656. >>>>>>>(16.s) uleshort x
  657. >>>>>>>>&16 string x \b, %-.8s
  658. >>>>>>12 uleshort &0x10
  659. >>>>>>>(16.s) uleshort x
  660. >>>>>>>&16 string x %-.8s
  661. >>>>>>>>&1 string x \b.%-.3s
  662. >>>12 uleshort &0x01
  663. >>>>12 uleshort ^0x02
  664. >>>>>12 uleshort ^0x04
  665. >>>>>>12 uleshort ^0x10
  666. >>>>>>>18 string x \b, %-.8s
  667. >>>>>>12 uleshort &0x10
  668. >>>>>>>18 string x \b, %-.8s
  669. >>>>>>>>&1 string x \b.%-.3s
  670. >>>>>12 uleshort &0x04
  671. >>>>>>12 uleshort ^0x10
  672. >>>>>>>(18.s) uleshort x
  673. >>>>>>>>&18 string x \b, %-.8s
  674. >>>>>>12 uleshort &0x10
  675. >>>>>>>(18.s) uleshort x
  676. >>>>>>>>&18 string x \b, %-.8s
  677. >>>>>>>>>&1 string x \b.%-.3s
  678. >>>>12 uleshort &0x02
  679. >>>>>12 uleshort ^0x04
  680. >>>>>>12 uleshort ^0x10
  681. >>>>>>>20 string x \b, %-.8s
  682. >>>>>>12 uleshort &0x10
  683. >>>>>>>20 string x \b, %-.8s
  684. >>>>>>>>&1 string x \b.%-.3s
  685. >>>>>12 uleshort &0x04
  686. >>>>>>12 uleshort ^0x10
  687. >>>>>>>(20.s) uleshort x
  688. >>>>>>>>&20 string x \b, %-.8s
  689. >>>>>>12 uleshort &0x10
  690. >>>>>>>(20.s) uleshort x
  691. >>>>>>>>&20 string x \b, %-.8s
  692. >>>>>>>>>&1 string x \b.%-.3s
  693. # 2 bytes: length of data + mentioned bytes
  694. #
  695. # SZDD variant Haruhiko Okumura's LZSS or 7z type MsLZ
  696. # URL: http://fileformats.archiveteam.org/wiki/MS-DOS_installation_compression
  697. # Reference: http://www.cabextract.org.uk/libmspack/doc/szdd_kwaj_format.html
  698. # http://mark0.net/download/triddefs_xml.7z/defs/s/szdd.trid.xml
  699. # Note: called "Microsoft SZDD compressed (Haruhiko Okumura's LZSS)" by TrID
  700. # verfied by 7-Zip `7z l -tMsLZ -slt *.??_` as MsLZ
  701. # `deark -l -m lzss_oku -d2 setup-1-41.bin` as "LZSS.C by Haruhiko Okumura"
  702. >0 string SZDD MS Compress archive data, SZDD variant
  703. # 2nd part of signature
  704. #>>4 ubelong 0x88F02733 \b, SIGNATURE OK
  705. !:mime application/x-ms-compress-szdd
  706. !:ext ??_
  707. # The character missing from the end of the filename (0=unknown)
  708. >>9 string >\0 \b, %-.1s is last character of original name
  709. # https://www.betaarchive.com/forum/viewtopic.php?t=26161
  710. # Compression mode: "A" (0x41) found but sometimes "B" in Windows 3.1 builds 026 and 034e
  711. >>8 string !A \b, %-.1s method
  712. >>10 ulelong >0 \b, original size: %u bytes
  713. # Summary: InstallShield archive with SZDD compressed
  714. # URL: https://community.flexera.com/t5/InstallShield-Knowledge-Base/InstallShield-Redistributable-Files/ta-p/5647
  715. # From: Joerg Jenderek
  716. 1 search/48/bs SZDD\x88\xF0\x27\x33 InstallShield archive
  717. #!:mime application/octet-stream
  718. !:mime application/x-installshield-compress-szdd
  719. !:ext ibt
  720. # name of compressed archive member like: setup.dl_ _setup7int.dl_ _setup2k.dl_ _igdi.dl_ cabinet.dl_
  721. >0 string x %s
  722. # name of uncompressed archive member like: setup.dll _Setup.dll IGdi.dll CABINET.DLL
  723. >>&1 string x (%s)
  724. # probably version like: 9.0.0.333 9.1.0.429 11.50.0.42618
  725. >>>&1 string x \b, version %s
  726. # SZDD member length like: 168048 169333 181842
  727. >>>>&1 string x \b, %s bytes
  728. # MS Compress archive data
  729. #>&0 string SZDD \b, SIGNATURE FOUND
  730. >&0 indirect x
  731. # QBasic SZDD variant
  732. 3 string \x88\xf0\x27
  733. >0 string SZ\x20 MS Compress archive data, QBasic variant
  734. !:mime application/x-ms-compress-sz
  735. !:ext ??$
  736. >>8 ulelong >0 \b, original size: %u bytes
  737. # Summary: CAZIP compressed file
  738. # From: Joerg Jenderek
  739. # URL: http://fileformats.archiveteam.org/wiki/CAZIP
  740. # Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/caz.trid.xml
  741. # Note: Format is distinct from CAZIPXP compressed
  742. 0 string \x0D\x0A\x1ACAZIP CAZIP compressed file
  743. #!:mime application/octet-stream
  744. !:mime application/x-compress-cazip
  745. # like: BLINKER.WR_ CLIPDEFS._ CAOSETUP.EX_ CLIPPER.EX_ FILEIO.C_
  746. !:ext ??_/?_/_
  747. # Summary: FTCOMP compressed archive
  748. # From: Joerg Jenderek
  749. # URL: http://fileformats.archiveteam.org/wiki/FTCOMP
  750. # Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-ftcomp.trid.xml
  751. # Note: called by TrID "FTCOMP compressed archive"
  752. # extracted by `unpack seahelp.hl_`
  753. 24 string/b FTCOMP FTCOMP compressed archive
  754. #!:mime application/octet-stream
  755. !:mime application/x-compress-ftcomp
  756. !:ext ??_/??@/dll/drv/pk2/
  757. # probably A596FDFF magic at the beginning
  758. >0 ubelong !0xA596FDFF \b, at beginning %#x
  759. # probably original file name with directory like: \OS2\unpack.exe \SYSTEM\8514.DRV MAHJONGG.EXE
  760. >41 string x "%s"
  761. # MP3 (archiver, not lossy audio compression)
  762. 0 string MP3\x1a MP3-Archiver archive data
  763. # ZET
  764. 0 string OZ\xc3\x9d ZET archive data
  765. # TSComp
  766. 0 string \x65\x5d\x13\x8c\x08\x01\x03\x00 TSComp archive data
  767. # ARQ
  768. 0 string gW\4\1 ARQ archive data
  769. # Squash
  770. 3 string OctSqu Squash archive data
  771. # Terse
  772. 0 string \5\1\1\0 Terse archive data
  773. # PUCrunch
  774. 0 string \x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 PUCrunch archive data
  775. # UHarc
  776. 0 string UHA UHarc archive data
  777. # ABComp
  778. 0 string \2AB ABComp archive data
  779. 0 string \3AB2 ABComp archive data
  780. # CMP
  781. 0 string CO\0 CMP archive data
  782. # Splint
  783. 0 string \x93\xb9\x06 Splint archive data
  784. # InstallShield
  785. 0 string \x13\x5d\x65\x8c InstallShield Z archive Data
  786. # Gather
  787. 1 string GTH Gather archive data
  788. # BOA
  789. 0 string BOA BOA archive data
  790. # RAX
  791. 0 string ULEB\xa RAX archive data
  792. # Xtreme
  793. 0 string ULEB\0 Xtreme archive data
  794. # Pack Magic
  795. 0 string @\xc3\xa2\1\0 Pack Magic archive data
  796. # BTS
  797. 0 belong&0xfeffffff 0x1a034465 BTS archive data
  798. # ELI 5750
  799. 0 string Ora\ ELI 5750 archive data
  800. # QFC
  801. 0 string \x1aFC\x1a QFC archive data
  802. 0 string \x1aQF\x1a QFC archive data
  803. # PRO-PACK
  804. 0 string RNC PRO-PACK archive data
  805. # 777
  806. 0 string 777 777 archive data
  807. # LZS221
  808. 0 string sTaC LZS221 archive data
  809. # HPA
  810. 0 string HPA HPA archive data
  811. # Arhangel
  812. 0 string LG Arhangel archive data
  813. # EXP1, uses bzip2
  814. 0 string 0123456789012345BZh EXP1 archive data
  815. # IMP
  816. 0 string IMP\xa IMP archive data
  817. # NRV
  818. 0 string \x00\x9E\x6E\x72\x76\xFF NRV archive data
  819. # Squish
  820. 0 string \x73\xb2\x90\xf4 Squish archive data
  821. # Par
  822. 0 string PHILIPP Par archive data
  823. 0 string PAR Par archive data
  824. # HIT
  825. 0 string UB HIT archive data
  826. # SBX
  827. 0 belong&0xfffff000 0x53423000 SBX archive data
  828. # NaShrink
  829. 0 string NSK NaShrink archive data
  830. # SAPCAR
  831. 0 string #\ CAR\ archive\ header SAPCAR archive data
  832. 0 string CAR\ 2.00 SAPCAR archive data
  833. 0 string CAR\ 2.01 SAPCAR archive data
  834. #!:mime application/octet-stream
  835. !:mime application/vnd.sar
  836. !:ext sar
  837. # Disintegrator
  838. 0 string DST Disintegrator archive data
  839. # ASD
  840. 0 string ASD ASD archive data
  841. # InstallShield CAB
  842. # Update: Joerg Jenderek at Nov 2021
  843. # URL: https://en.wikipedia.org/wiki/InstallShield
  844. # Reference: https://github.com/twogood/unshield/blob/master/lib/cabfile.h
  845. # Note: Not compatible with Microsoft CAB files
  846. # http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cab-ishield.trid.xml
  847. # CAB_SIGNATURE 0x28635349
  848. 0 string ISc( InstallShield
  849. #!:mime application/octet-stream
  850. !:mime application/x-installshield
  851. # http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cab-ishield-hdr.trid.xml
  852. >16 ulelong !0 setup header
  853. # like: _SYS1.HDR _USER1.HDR data1.hdr
  854. !:ext hdr
  855. >16 ulelong =0 CAB
  856. # like: _SYS1.CAB _USER1.CAB DATA1.CAB data2.cab
  857. !:ext cab
  858. # https://github.com/twogood/unshield/blob/master/lib/helper.c
  859. # version like: 0x1005201 0x100600c 0x1007000 0x1009500
  860. # 0x2000578 0x20005dc 0x2000640 0x40007d0 0x4000834
  861. >4 ulelong x \b, version %#x
  862. # volume_info like: 0
  863. >8 ulelong !0 \b, volume_info %#x
  864. # cab_descriptor_offset like: 0x200
  865. >12 ulelong !0x200 \b, offset %#x
  866. #>0x200 ubequad x \b, at 0x200 %#16.16llx
  867. # cab_descriptor_size like: 0 (*.cab) BD5 C8B DA5 E2A E36 116C 251D 4DA9 56F0 5CC2 6E4B 777D 779E 1F7C2
  868. >16 ulelong !0 \b, descriptor size %#x
  869. # TOP4
  870. 0 string T4\x1a TOP4 archive data
  871. # BatComp left out: sig looks like COM executable
  872. # so TODO: get real 4dos batcomp file and find sig
  873. # BlakHole
  874. 0 string BH\5\7 BlakHole archive data
  875. # BIX
  876. 0 string BIX0 BIX archive data
  877. # ChiefLZA
  878. 0 string ChfLZ ChiefLZA archive data
  879. # Blink
  880. 0 string Blink Blink archive data
  881. # Logitech Compress
  882. 0 string \xda\xfa Logitech Compress archive data
  883. # ARS-Sfx (FIXME: really a SFX? then goto COM/EXE)
  884. 1 string (C)\ STEPANYUK ARS-Sfx archive data
  885. # AKT/AKT32
  886. 0 string AKT32 AKT32 archive data
  887. 0 string AKT AKT archive data
  888. # NPack
  889. 0 string MSTSM NPack archive data
  890. # PFT
  891. 0 string \0\x50\0\x14 PFT archive data
  892. # SemOne
  893. 0 string SEM SemOne archive data
  894. # PPMD
  895. 0 string \x8f\xaf\xac\x84 PPMD archive data
  896. # FIZ
  897. 0 string FIZ FIZ archive data
  898. # MSXiE
  899. 0 belong&0xfffff0f0 0x4d530000 MSXiE archive data
  900. # DeepFreezer
  901. 0 belong&0xfffffff0 0x797a3030 DeepFreezer archive data
  902. # DC
  903. 0 string =<DC- DC archive data
  904. # TPac
  905. 0 string \4TPAC\3 TPac archive data
  906. # Ai
  907. 0 string Ai\1\1\0 Ai archive data
  908. 0 string Ai\1\0\0 Ai archive data
  909. # Ai32
  910. 0 string Ai\2\0 Ai32 archive data
  911. 0 string Ai\2\1 Ai32 archive data
  912. # SBC
  913. 0 string SBC SBC archive data
  914. # Ybs
  915. 0 string YBS Ybs archive data
  916. # DitPack
  917. 0 string \x9e\0\0 DitPack archive data
  918. # DMS
  919. 0 string DMS! DMS archive data
  920. # EPC
  921. 0 string \x8f\xaf\xac\x8c EPC archive data
  922. # VSARC
  923. 0 string VS\x1a VSARC archive data
  924. # PDZ
  925. 0 string PDZ PDZ archive data
  926. # ReDuq
  927. 0 string rdqx ReDuq archive data
  928. # GCA
  929. 0 string GCAX GCA archive data
  930. # PPMN
  931. 0 string pN PPMN archive data
  932. # WinImage
  933. 3 string WINIMAGE WinImage archive data
  934. # Compressia
  935. 0 string CMP0CMP Compressia archive data
  936. # UHBC
  937. 0 string UHB UHBC archive data
  938. # WinHKI
  939. 0 string \x61\x5C\x04\x05 WinHKI archive data
  940. # WWPack data file
  941. 0 string WWP WWPack archive data
  942. # BSN (BSA, PTS-DOS)
  943. 0 string \xffBSG BSN archive data
  944. 1 string \xffBSG BSN archive data
  945. 3 string \xffBSG BSN archive data
  946. 1 string \0\xae\2 BSN archive data
  947. 1 string \0\xae\3 BSN archive data
  948. 1 string \0\xae\7 BSN archive data
  949. # AIN
  950. 0 string \x33\x18 AIN archive data
  951. 0 string \x33\x17 AIN archive data
  952. # XPA32 test moved and merged with XPA by Joerg Jenderek at Sep 2015
  953. # SZip (TODO: doesn't catch all versions)
  954. 0 string SZ\x0a\4 SZip archive data
  955. # XPack DiskImage
  956. # *.XDI updated by Joerg Jenderek Sep 2015
  957. # ftp://ftp.sac.sk/pub/sac/pack/0index.txt
  958. # GRR: this test is still too general as it catches also text files starting with jm
  959. 0 string jm
  960. # only found examples with this additional characteristic 2 bytes
  961. >2 string \x2\x4 Xpack DiskImage archive data
  962. #!:ext xdi
  963. # XPack Data
  964. # *.xpa updated by Joerg Jenderek Sep 2015
  965. # ftp://ftp.elf.stuba.sk/pub/pc/pack/
  966. 0 string xpa XPA
  967. !:ext xpa
  968. # XPA32
  969. # ftp://ftp.elf.stuba.sk/pub/pc/pack/xpa32.zip
  970. # created by XPA32.EXE version 1.0.2 for Windows
  971. >0 string xpa\0\1 \b32 archive data
  972. # created by XPACK.COM version 1.67m or 1.67r with short 0x1800
  973. >3 ubeshort !0x0001 \bck archive data
  974. # XPack Single Data
  975. # changed by Joerg Jenderek Sep 2015 back to like in version 5.12
  976. # letter 'I'+ acute accent is equivalent to \xcd
  977. 0 string \xcd\ jm Xpack single archive data
  978. #!:mime application/x-xpa-compressed
  979. !:ext xpa
  980. # TODO: missing due to unknown magic/magic at end of file:
  981. #DWC
  982. #ARG
  983. #ZAR
  984. #PC/3270
  985. #InstallIt
  986. #RKive
  987. #RK
  988. #XPack Diskimage
  989. # These were inspired by idarc, but actually verified
  990. # Dzip archiver (.dz)
  991. # Update: Joerg Jenderek
  992. # URL: http://speeddemosarchive.com/dzip/
  993. # reference: http://speeddemosarchive.com/dzip/dz29src.zip/main.c
  994. # GRR: line below is too general as it matches also ASCII texts like Doszip commander help dz.txt
  995. 0 string DZ
  996. # latest version is 2.9 dated 7 may 2003
  997. >2 byte <4 Dzip archive data
  998. !:mime application/x-dzip
  999. !:ext dz
  1000. >>2 byte x \b, version %i
  1001. >>3 byte x \b.%i
  1002. >>4 ulelong x \b, offset %#x
  1003. >>8 ulelong x \b, %u files
  1004. # ZZip archiver (.zz)
  1005. 0 string ZZ\ \0\0 ZZip archive data
  1006. 0 string ZZ0 ZZip archive data
  1007. # PAQ archiver (.paq)
  1008. 0 string \xaa\x40\x5f\x77\x1f\xe5\x82\x0d PAQ archive data
  1009. 0 string PAQ PAQ archive data
  1010. >3 byte&0xf0 0x30
  1011. >>3 byte x (v%c)
  1012. # JAR archiver (.j), this is the successor to ARJ, not Java's JAR (which is essentially ZIP)
  1013. # Update: Joerg Jenderek
  1014. # URL: http://fileformats.archiveteam.org/wiki/JAR_(ARJ_Software)
  1015. # reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-jar.trid.xml
  1016. # https://www.sac.sk/download/pack/jar102x.exe/TECHNOTE.DOC
  1017. # Note: called "JAR compressed archive" by TrID
  1018. 0xe string \x1aJar\x1b JAR (ARJ Software, Inc.) archive data
  1019. #!:mime application/octet-stream
  1020. !:mime application/x-compress-j
  1021. >0 ulelong x \b, CRC32 %#x
  1022. # standard suffix is ".j"; for multi volumes following order j01 j02 ... j99 100 ... 990
  1023. !:ext j/j01/j02
  1024. # URL: http://fileformats.archiveteam.org/wiki/JARCS
  1025. # reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-jarcs.trid.xml
  1026. # Note: called "JARCS compressed archive" by TrID
  1027. 0 string JARCS JAR (ARJ Software, Inc.) archive data
  1028. #!:mime application/octet-stream
  1029. !:mime application/x-compress-jar
  1030. !:ext jar
  1031. # ARJ archiver (jason@jarthur.Claremont.EDU)
  1032. # URL: http://fileformats.archiveteam.org/wiki/ARJ
  1033. # reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-arj.trid.xml
  1034. # https://github.com/FarGroup/FarManager/
  1035. # blob/master/plugins/multiarc/arc.doc/arj.txt
  1036. # Note: called "ARJ compressed archive" by TrID and
  1037. # "ARJ File Format" by DROID via PUID fmt/610
  1038. # verified by `7z l -tarj PHRACK1.ARJ` and
  1039. # `arj.exe l TEST-hk9.ARJ`
  1040. 0 leshort 0xea60
  1041. # skip DROID fmt-610-signature-id-946.arj by check for valid file type of main header
  1042. >0xA ubyte 2
  1043. >>0 use arj-archive
  1044. 0 name arj-archive
  1045. >0 leshort x ARJ archive
  1046. !:mime application/x-arj
  1047. # look for terminating 0-character of filename
  1048. >0x26 search/1024 \0
  1049. # file name extension is normally .arj but not for parts of multi volume
  1050. #>>&-5 string x extension %.4s
  1051. >>&-5 string/c .arj data
  1052. !:ext arj
  1053. >>&-5 default x
  1054. # for multi volume first name is archive.arj then following parts archive.a01 archive.a02 ...
  1055. >>>8 byte &0x04 data
  1056. !:ext a01/a02
  1057. # for SFX first name is archive.exe then following parts archive.e01 archive.e02 ...
  1058. >>>8 byte ^0x04 data, SFX multi-volume
  1059. !:ext e01/e02
  1060. # basic header size like: 0x002b 0x002c 0x04e0 0x04e3 0x04e7
  1061. #>2 uleshort x basic header size %#4.4x
  1062. # next fragment content like: 0x0a200a003a8fc713 0x524a000010bb3471 0x524a0000c73c70f9
  1063. #>(2.s) ubequad x NEXT FRAGMENT CONTENT %#16.16llx
  1064. # first_hdr_size; seems to be same as basic header size
  1065. #>2 uleshort x 1st header size %#x
  1066. # archiver version number like: 3 4 6 11 102
  1067. >5 byte x \b, v%d
  1068. # minimum archiver version to extract like: 1
  1069. >6 ubyte !1 \b, minimum %u to extract
  1070. # FOR DEBUGGING
  1071. #>8 byte x \b, FLAGS %#x
  1072. # GARBLED_FLAG1; garble with password; g switch
  1073. >8 byte &0x01 \b, password-protected
  1074. # encryption version: 0~old 1~old 2~new 3~reserved 4~40 bit key GOST
  1075. >>0x20 ubyte x (v%u)
  1076. #>8 byte &0x02 \b, secured
  1077. # ANSIPAGE_FLAG; indicates ANSI codepage used by ARJ32; hy switch
  1078. >8 byte &0x02 \b, ANSI codepage
  1079. # VOLUME_FLAG indicates presence of succeeding volume; but apparently not for SFX
  1080. >8 byte &0x04 \b, multi-volume
  1081. #>8 byte &0x08 \b, file-offset
  1082. # ARJPROT_FLAG; build with data protection record; hk switch
  1083. >8 byte &0x08 \b, recoverable
  1084. # arj protection factor; maximal 10; switch hky -> factor=y+1
  1085. >>0x22 byte x (factor %u)
  1086. >8 byte &0x10 \b, slash-switched
  1087. # BACKUP_FLAG; obsolete
  1088. >8 byte &0x20 \b, backup
  1089. # SECURED_FLAG;
  1090. >8 byte &0x40 \b, secured,
  1091. # ALTNAME_FLAG; indicates dual-name archive
  1092. >8 byte &0x80 \b, dual-name
  1093. # security version; 0~old 2~current
  1094. >9 ubyte !0
  1095. >>9 ubyte !2 \b, security version %u
  1096. # file type; 2 in main header; 0~binary 1~7-bitText 2~comment 3~directory 4~VolumeLabel 5=ChapterLabel
  1097. >0xA ubyte !2 \b, file type %u
  1098. # date+time when original archive was created in MS-DOS format via ./msdos
  1099. >0xC ulelong x \b, created
  1100. >0xC use dos-date
  1101. # or date and time by new internal function
  1102. #>0xE lemsdosdate x %s
  1103. #>0xC lemsdostime x %s
  1104. # FOR DEBUGGING
  1105. #>0x12 uleshort x RAW DATE %#4.4x
  1106. #>0x10 uleshort x RAW TIME %#4.4x
  1107. # date+time when archive was last modified; sometimes nil or
  1108. # maybe wrong like in HP4DRVR.ARJ
  1109. #>0x10 ulelong >0 \b, modified
  1110. #>>0x10 use dos-date
  1111. # or date and time by new internal function
  1112. #>>0x12 lemsdosdate x %s
  1113. #>>0x10 lemsdostime x %s
  1114. # archive size (currently used only for secured archives); MAYBE?
  1115. #>0x14 ulelong !0 \b, file size %u
  1116. # security envelope file position; MAYBE?
  1117. #>0x18 ulelong !0 \b, at %#x security envelope
  1118. # filespec position in filename; WHAT IS THAT?
  1119. #>0x1C uleshort >0 \b, filespec position %#x
  1120. # length in bytes of security envelope data like: 2CAh 301h 364h 471h
  1121. >0x1E uleshort !0 \b, security envelope length %#x
  1122. # last chapter like: 0 1
  1123. >0x21 ubyte !0 \b, last chapter %u
  1124. # filename (null-terminated string); sometimes at 0x26 when 4 bytes for extra data
  1125. >34 byte x \b, original name:
  1126. # with extras data
  1127. >34 byte <0x0B
  1128. >>38 string x %s
  1129. # without extras data
  1130. >34 byte >0x0A
  1131. >>34 string x %s
  1132. # host OS: 0~MSDOS ... 11~WIN32
  1133. >7 byte 0 \b, os: MS-DOS
  1134. >7 byte 1 \b, os: PRIMOS
  1135. >7 byte 2 \b, os: Unix
  1136. >7 byte 3 \b, os: Amiga
  1137. >7 byte 4 \b, os: Macintosh
  1138. >7 byte 5 \b, os: OS/2
  1139. >7 byte 6 \b, os: Apple ][ GS
  1140. >7 byte 7 \b, os: Atari ST
  1141. >7 byte 8 \b, os: NeXT
  1142. >7 byte 9 \b, os: VAX/VMS
  1143. >7 byte 10 \b, os: WIN95
  1144. >7 byte 11 \b, os: WIN32
  1145. # [JW] idarc says this is also possible
  1146. 2 leshort 0xea60 ARJ archive data
  1147. #2 leshort 0xea60
  1148. #>2 use arj-archive
  1149. # HA archiver (Greg Roelofs, newt@uchicago.edu)
  1150. # This is a really bad format. A file containing HAWAII will match this...
  1151. #0 string HA HA archive data,
  1152. #>2 leshort =1 1 file,
  1153. #>2 leshort >1 %hu files,
  1154. #>4 byte&0x0f =0 first is type CPY
  1155. #>4 byte&0x0f =1 first is type ASC
  1156. #>4 byte&0x0f =2 first is type HSC
  1157. #>4 byte&0x0f =0x0e first is type DIR
  1158. #>4 byte&0x0f =0x0f first is type SPECIAL
  1159. # suggestion: at least identify small archives (<1024 files)
  1160. 0 belong&0xffff00fc 0x48410000 HA archive data
  1161. >2 leshort =1 1 file,
  1162. >2 leshort >1 %u files,
  1163. >4 byte&0x0f =0 first is type CPY
  1164. >4 byte&0x0f =1 first is type ASC
  1165. >4 byte&0x0f =2 first is type HSC
  1166. >4 byte&0x0f =0x0e first is type DIR
  1167. >4 byte&0x0f =0x0f first is type SPECIAL
  1168. # HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz)
  1169. 0 string HPAK HPACK archive data
  1170. # JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net
  1171. 0 string \351,\001JAM\ JAM archive,
  1172. >7 string >\0 version %.4s
  1173. >0x26 byte =0x27 -
  1174. >>0x2b string >\0 label %.11s,
  1175. >>0x27 lelong x serial %08x,
  1176. >>0x36 string >\0 fstype %.8s
  1177. # LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu)
  1178. # Update: Joerg Jenderek
  1179. # URL: https://en.wikipedia.org/wiki/LHA_(file_format)
  1180. # Reference: https://web.archive.org/web/20021005080911/http://www.osirusoft.com/joejared/lzhformat.html
  1181. #
  1182. # check and display information of lharc (LHa,PMarc) file
  1183. 0 name lharc-file
  1184. # check 1st character of method id like -lz4- -lh5- or -pm2-
  1185. >2 string -
  1186. # check 5th character of method id
  1187. >>6 string -
  1188. # check header level 0 1 2 3
  1189. >>>20 ubyte <4
  1190. # check 2nd, 3th and 4th character of method id
  1191. >>>>3 regex \^(lh[0-9a-ex]|lz[s2-8]|pm[012]|pc1) \b
  1192. !:mime application/x-lzh-compressed
  1193. # creator type "LHA "
  1194. !:apple ????LHA
  1195. # display archive type name like "LHa/LZS archive data" or "LArc archive"
  1196. >>>>>2 string -lz \b
  1197. !:ext lzs
  1198. # already known -lzs- -lz4- -lz5- with old names
  1199. >>>>>>2 string -lzs LHa/LZS archive data
  1200. >>>>>>3 regex \^lz[45] LHarc 1.x archive data
  1201. # missing -lz?- with wikipedia names
  1202. >>>>>>3 regex \^lz[2378] LArc archive
  1203. # display archive type name like "LHa (2.x) archive data"
  1204. >>>>>2 string -lh \b
  1205. # already known -lh0- -lh1- -lh2- -lh3- -lh4- -lh5- -lh6- -lh7- -lhd- variants with old names
  1206. >>>>>>3 regex \^lh[01] LHarc 1.x/ARX archive data
  1207. # LHice archiver use ".ICE" as name extension instead usual one ".lzh"
  1208. # FOOBAR archiver use ".foo" as name extension instead usual one
  1209. # "Florain Orjanov's and Olga Bachetska's ARchiver" not found at the moment
  1210. >>>>>>>2 string -lh1 \b
  1211. !:ext lha/lzh/ice
  1212. >>>>>>3 regex \^lh[23d] LHa 2.x? archive data
  1213. >>>>>>3 regex \^lh[7] LHa (2.x)/LHark archive data
  1214. >>>>>>3 regex \^lh[456] LHa (2.x) archive data
  1215. >>>>>>>2 string -lh5 \b
  1216. # https://en.wikipedia.org/wiki/BIOS
  1217. # Some mainboard BIOS like Award use LHa compression. So archives with unusual extension are found like
  1218. # bios.rom , kd7_v14.bin, 1010.004, ...
  1219. !:ext lha/lzh/rom/bin
  1220. # missing -lh?- variants (Joe Jared)
  1221. >>>>>>3 regex \^lh[89a-ce] LHa (Joe Jared) archive
  1222. # UNLHA32 2.67a
  1223. >>>>>>2 string -lhx LHa (UNLHA32) archive
  1224. # lha archives with standard file name extensions ".lha" ".lzh"
  1225. >>>>>>3 regex !\^(lh1|lh5) \b
  1226. !:ext lha/lzh
  1227. # this should not happen if all -lh variants are described
  1228. >>>>>>2 default x LHa (unknown) archive
  1229. #!:ext lha
  1230. # PMarc
  1231. >>>>>3 regex \^pm[012] PMarc archive data
  1232. !:ext pma
  1233. # append method id without leading and trailing minus character
  1234. >>>>>3 string x [%3.3s]
  1235. >>>>>>0 use lharc-header
  1236. #
  1237. # check and display information of lharc header
  1238. 0 name lharc-header
  1239. # header size 0x4 , 0x1b-0x61
  1240. >0 ubyte x
  1241. # compressed data size != compressed file size
  1242. #>7 ulelong x \b, data size %d
  1243. # attribute: 0x2~?? 0x10~symlink|target 0x20~normal
  1244. #>19 ubyte x \b, 19_%#x
  1245. # level identifier 0 1 2 3
  1246. #>20 ubyte x \b, level %d
  1247. # time stamp
  1248. #>15 ubelong x DATE %#8.8x
  1249. # OS ID for level 1
  1250. >20 ubyte 1
  1251. # 0x20 types find for *.rom files
  1252. >>(21.b+24) ubyte <0x21 \b, %#x OS
  1253. # ascii type like M for MSDOS
  1254. >>(21.b+24) ubyte >0x20 \b, '%c' OS
  1255. # OS ID for level 2
  1256. >20 ubyte 2
  1257. #>>23 ubyte x \b, OS ID %#x
  1258. >>23 ubyte <0x21 \b, %#x OS
  1259. >>23 ubyte >0x20 \b, '%c' OS
  1260. # filename only for level 0 and 1
  1261. >20 ubyte <2
  1262. # length of filename
  1263. >>21 ubyte >0 \b, with
  1264. # filename
  1265. >>>21 pstring x "%s"
  1266. #
  1267. #2 string -lh0- LHarc 1.x/ARX archive data [lh0]
  1268. #!:mime application/x-lharc
  1269. 2 string -lh0-
  1270. >0 use lharc-file
  1271. #2 string -lh1- LHarc 1.x/ARX archive data [lh1]
  1272. #!:mime application/x-lharc
  1273. 2 string -lh1-
  1274. >0 use lharc-file
  1275. # NEW -lz2- ... -lz8-
  1276. 2 string -lz2-
  1277. >0 use lharc-file
  1278. 2 string -lz3-
  1279. >0 use lharc-file
  1280. 2 string -lz4-
  1281. >0 use lharc-file
  1282. 2 string -lz5-
  1283. >0 use lharc-file
  1284. 2 string -lz7-
  1285. >0 use lharc-file
  1286. 2 string -lz8-
  1287. >0 use lharc-file
  1288. # [never seen any but the last; -lh4- reported in comp.compression:]
  1289. #2 string -lzs- LHa/LZS archive data [lzs]
  1290. 2 string -lzs-
  1291. >0 use lharc-file
  1292. # According to wikipedia and others such a version does not exist
  1293. #2 string -lh\40- LHa 2.x? archive data [lh ]
  1294. #2 string -lhd- LHa 2.x? archive data [lhd]
  1295. 2 string -lhd-
  1296. >0 use lharc-file
  1297. #2 string -lh2- LHa 2.x? archive data [lh2]
  1298. 2 string -lh2-
  1299. >0 use lharc-file
  1300. #2 string -lh3- LHa 2.x? archive data [lh3]
  1301. 2 string -lh3-
  1302. >0 use lharc-file
  1303. #2 string -lh4- LHa (2.x) archive data [lh4]
  1304. 2 string -lh4-
  1305. >0 use lharc-file
  1306. #2 string -lh5- LHa (2.x) archive data [lh5]
  1307. 2 string -lh5-
  1308. >0 use lharc-file
  1309. #2 string -lh6- LHa (2.x) archive data [lh6]
  1310. 2 string -lh6-
  1311. >0 use lharc-file
  1312. #2 string -lh7- LHa (2.x)/LHark archive data [lh7]
  1313. 2 string -lh7-
  1314. # !:mime application/x-lha
  1315. # >20 byte x - header level %d
  1316. >0 use lharc-file
  1317. # NEW -lh8- ... -lhe- , -lhx-
  1318. 2 string -lh8-
  1319. >0 use lharc-file
  1320. 2 string -lh9-
  1321. >0 use lharc-file
  1322. 2 string -lha-
  1323. >0 use lharc-file
  1324. 2 string -lhb-
  1325. >0 use lharc-file
  1326. 2 string -lhc-
  1327. >0 use lharc-file
  1328. 2 string -lhe-
  1329. >0 use lharc-file
  1330. 2 string -lhx-
  1331. >0 use lharc-file
  1332. # taken from idarc [JW]
  1333. 2 string -lZ PUT archive data
  1334. # already done by LHarc magics
  1335. # this should never happen if all sub types of LZS archive are identified
  1336. #2 string -lz LZS archive data
  1337. 2 string -sw1- Swag archive data
  1338. 0 name rar-file-header
  1339. >24 byte 15 \b, v1.5
  1340. >24 byte 20 \b, v2.0
  1341. >24 byte 29 \b, v4
  1342. >15 byte 0 \b, os: MS-DOS
  1343. >15 byte 1 \b, os: OS/2
  1344. >15 byte 2 \b, os: Win32
  1345. >15 byte 3 \b, os: Unix
  1346. >15 byte 4 \b, os: Mac OS
  1347. >15 byte 5 \b, os: BeOS
  1348. 0 name rar-archive-header
  1349. >3 leshort&0x1ff >0 \b, flags:
  1350. >>3 leshort &0x01 ArchiveVolume
  1351. >>3 leshort &0x02 Commented
  1352. >>3 leshort &0x04 Locked
  1353. >>3 leshort &0x10 NewVolumeNaming
  1354. >>3 leshort &0x08 Solid
  1355. >>3 leshort &0x20 Authenticated
  1356. >>3 leshort &0x40 RecoveryRecordPresent
  1357. >>3 leshort &0x80 EncryptedBlockHeader
  1358. >>3 leshort &0x100 FirstVolume
  1359. # RAR (Roshal Archive) archive
  1360. 0 string Rar!\x1a\7\0 RAR archive data
  1361. !:mime application/x-rar
  1362. !:ext rar/cbr
  1363. # file header
  1364. >(0xc.l+9) byte 0x74
  1365. >>(0xc.l+7) use rar-file-header
  1366. # subblock seems to share information with file header
  1367. >(0xc.l+9) byte 0x7a
  1368. >>(0xc.l+7) use rar-file-header
  1369. >9 byte 0x73
  1370. >>7 use rar-archive-header
  1371. 0 string Rar!\x1a\7\1\0 RAR archive data, v5
  1372. !:mime application/x-rar
  1373. !:ext rar
  1374. # Very old RAR archive
  1375. # https://jasonblanks.com/wp-includes/images/papers/KnowyourarchiveRAR.pdf
  1376. 0 string RE\x7e\x5e RAR archive data (<v1.5)
  1377. !:mime application/x-rar
  1378. !:ext rar/cbr
  1379. # SQUISH archiver (Greg Roelofs, newt@uchicago.edu)
  1380. 0 string SQSH squished archive data (Acorn RISCOS)
  1381. # UC2 archiver (Greg Roelofs, newt@uchicago.edu)
  1382. # [JW] see exe section for self-extracting version
  1383. 0 string UC2\x1a UC2 archive data
  1384. # PKZIP multi-volume archive
  1385. 0 string PK\x07\x08PK\x03\x04 Zip multi-volume archive data, at least PKZIP v2.50 to extract
  1386. !:mime application/zip
  1387. !:ext zip/cbz
  1388. # Zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)
  1389. 0 string PK\005\006 Zip archive data (empty)
  1390. !:mime application/zip
  1391. !:ext zip/cbz
  1392. !:strength +1
  1393. 0 string PK\003\004
  1394. !:strength +1
  1395. # Specialised zip formats which start with a member named 'mimetype'
  1396. # (stored uncompressed, with no 'extra field') containing the file's MIME type.
  1397. # Check for have 8-byte name, 0-byte extra field, name "mimetype", and
  1398. # contents starting with "application/":
  1399. >26 string \x8\0\0\0mimetypeapplication/
  1400. # KOffice / OpenOffice & StarOffice / OpenDocument formats
  1401. # From: Abel Cheung <abel@oaka.org>
  1402. # KOffice (1.2 or above) formats
  1403. # (mimetype contains "application/vnd.kde.<SUBTYPE>")
  1404. >>50 string vnd.kde. KOffice (>=1.2)
  1405. >>>58 string karbon Karbon document
  1406. >>>58 string kchart KChart document
  1407. >>>58 string kformula KFormula document
  1408. >>>58 string kivio Kivio document
  1409. >>>58 string kontour Kontour document
  1410. >>>58 string kpresenter KPresenter document
  1411. >>>58 string kspread KSpread document
  1412. >>>58 string kword KWord document
  1413. # OpenOffice formats (for OpenOffice 1.x / StarOffice 6/7)
  1414. # (mimetype contains "application/vnd.sun.xml.<SUBTYPE>")
  1415. # URL: https://en.wikipedia.org/wiki/OpenOffice.org_XML
  1416. # reference: http://fileformats.archiveteam.org/wiki/OpenOffice.org_XML
  1417. >>50 string vnd.sun.xml. OpenOffice.org 1.x
  1418. >>>62 string writer Writer
  1419. >>>>68 byte !0x2e document
  1420. !:mime application/vnd.sun.xml.writer
  1421. !:ext sxw
  1422. >>>>68 string .template template
  1423. !:mime application/vnd.sun.xml.writer.template
  1424. !:ext stw
  1425. >>>>68 string .web Web template
  1426. !:mime application/vnd.sun.xml.writer.web
  1427. !:ext stw
  1428. >>>>68 string .global global document
  1429. !:mime application/vnd.sun.xml.writer.global
  1430. !:ext sxg
  1431. >>>62 string calc Calc
  1432. >>>>66 byte !0x2e spreadsheet
  1433. !:mime application/vnd.sun.xml.calc
  1434. !:ext sxc
  1435. >>>>66 string .template template
  1436. !:mime application/vnd.sun.xml.calc.template
  1437. !:ext stc
  1438. >>>62 string draw Draw
  1439. >>>>66 byte !0x2e document
  1440. !:mime application/vnd.sun.xml.draw
  1441. !:ext sxd
  1442. >>>>66 string .template template
  1443. !:mime application/vnd.sun.xml.draw.template
  1444. !:ext std
  1445. >>>62 string impress Impress
  1446. >>>>69 byte !0x2e presentation
  1447. !:mime application/vnd.sun.xml.impress
  1448. !:ext sxi
  1449. >>>>69 string .template template
  1450. !:mime application/vnd.sun.xml.impress.template
  1451. !:ext sti
  1452. >>>62 string math Math document
  1453. !:mime application/vnd.sun.xml.math
  1454. !:ext sxm
  1455. >>>62 string base Database file
  1456. !:mime application/vnd.sun.xml.base
  1457. !:ext sdb
  1458. # URL: https://wiki.openoffice.org/wiki/Documentation/DevGuide/Extensions/File_Format
  1459. # From: Joerg Jenderek
  1460. # Note: only few OXT samples are detected here by mimetype member
  1461. # is used by OpenOffice and LibreOffice and probably also NeoOffice
  1462. # verified by `unzip -Zv *.oxt` or `7z l -slt *.oxt`
  1463. >>50 string vnd.openofficeorg. OpenOffice
  1464. >>>68 string extension \b/LibreOffice Extension
  1465. # http://extension.nirsoft.net/oxt
  1466. !:mime application/vnd.openofficeorg.extension
  1467. # like: Gallery-Puzzle.2.1.0.1.oxt
  1468. !:ext oxt
  1469. # OpenDocument formats (for OpenOffice 2.x / StarOffice >= 8)
  1470. # URL: http://fileformats.archiveteam.org/wiki/OpenDocument
  1471. # https://lists.oasis-open.org/archives/office/200505/msg00006.html
  1472. # (mimetype contains "application/vnd.oasis.opendocument.<SUBTYPE>")
  1473. >>50 string vnd.oasis.opendocument. OpenDocument
  1474. >>>73 string text
  1475. >>>>77 byte !0x2d Text
  1476. !:mime application/vnd.oasis.opendocument.text
  1477. !:ext odt
  1478. >>>>77 string -template Text Template
  1479. !:mime application/vnd.oasis.opendocument.text-template
  1480. !:ext ott
  1481. >>>>77 string -web HTML Document Template
  1482. !:mime application/vnd.oasis.opendocument.text-web
  1483. !:ext oth
  1484. >>>>77 string -master Master Document
  1485. !:mime application/vnd.oasis.opendocument.text-master
  1486. !:ext odm
  1487. >>>73 string graphics
  1488. >>>>81 byte !0x2d Drawing
  1489. !:mime application/vnd.oasis.opendocument.graphics
  1490. !:ext odg
  1491. >>>>81 string -template Drawing Template
  1492. !:mime application/vnd.oasis.opendocument.graphics-template
  1493. !:ext otg
  1494. >>>73 string presentation
  1495. >>>>85 byte !0x2d Presentation
  1496. !:mime application/vnd.oasis.opendocument.presentation
  1497. !:ext odp
  1498. >>>>85 string -template Presentation Template
  1499. !:mime application/vnd.oasis.opendocument.presentation-template
  1500. !:ext otp
  1501. >>>73 string spreadsheet
  1502. >>>>84 byte !0x2d Spreadsheet
  1503. !:mime application/vnd.oasis.opendocument.spreadsheet
  1504. !:ext ods
  1505. >>>>84 string -template Spreadsheet Template
  1506. !:mime application/vnd.oasis.opendocument.spreadsheet-template
  1507. !:ext ots
  1508. >>>73 string chart
  1509. >>>>78 byte !0x2d Chart
  1510. !:mime application/vnd.oasis.opendocument.chart
  1511. !:ext odc
  1512. >>>>78 string -template Chart Template
  1513. !:mime application/vnd.oasis.opendocument.chart-template
  1514. !:ext otc
  1515. >>>73 string formula
  1516. >>>>80 byte !0x2d Formula
  1517. !:mime application/vnd.oasis.opendocument.formula
  1518. !:ext odf
  1519. >>>>80 string -template Formula Template
  1520. !:mime application/vnd.oasis.opendocument.formula-template
  1521. !:ext otf
  1522. # https://www.loc.gov/preservation/digital/formats/fdd/fdd000441.shtml
  1523. >>>73 string database Database
  1524. !:mime application/vnd.oasis.opendocument.database
  1525. !:ext odb
  1526. # Valid for LibreOffice Base 6.0.1.1 at least
  1527. >>>73 string base Database
  1528. # https://bugs.documentfoundation.org/show_bug.cgi?id=45854
  1529. !:mime application/vnd.oasis.opendocument.database
  1530. #!:mime application/vnd.oasis.opendocument.base
  1531. !:ext odb
  1532. >>>73 string image
  1533. >>>>78 byte !0x2d Image
  1534. !:mime application/vnd.oasis.opendocument.image
  1535. !:ext odi
  1536. >>>>78 string -template Image Template
  1537. !:mime application/vnd.oasis.opendocument.image-template
  1538. !:ext oti
  1539. # EPUB (OEBPS) books using OCF (OEBPS Container Format)
  1540. # https://www.idpf.org/ocf/ocf1.0/download/ocf10.htm, section 4.
  1541. # From: Ralf Brown <ralf.brown@gmail.com>
  1542. >>50 string epub+zip EPUB document
  1543. !:mime application/epub+zip
  1544. # From: Joerg Jenderek
  1545. # URL: http://en.wikipedia.org/wiki/CorelDRAW
  1546. # NOTE: version; til 2 WL-based; from 3 til 13 by ./riff; from 14 zip based
  1547. >>50 string x-vnd.corel. Corel
  1548. >>>62 string draw.document+zip Draw drawing, version 14-16
  1549. !:mime application/x-vnd.corel.draw.document+zip
  1550. !:ext cdr
  1551. >>>62 string draw.template+zip Draw template, version 14-16
  1552. !:mime application/x-vnd.corel.draw.template+zip
  1553. !:ext cdrt
  1554. >>>62 string zcf.draw.document+zip Draw drawing, version 17-22
  1555. !:mime application/x-vnd.corel.zcf.draw.document+zip
  1556. !:ext cdr
  1557. >>>62 string zcf.draw.template+zip Draw template, version 17-22
  1558. !:mime application/x-vnd.corel.zcf.draw.template+zip
  1559. !:ext cdt/cdrt
  1560. # URL: http://product.corel.com/help/CorelDRAW/540240626/Main/EN/Doc/CorelDRAW-Other-file-formats.html
  1561. >>>62 string zcf.pattern+zip Draw pattern, version 22
  1562. !:mime application/x-vnd.corel.zcf.pattern+zip
  1563. !:ext pat
  1564. # URL: https://en.wikipedia.org/wiki/Corel_Designer
  1565. # Reference: http://fileformats.archiveteam.org/wiki/Corel_Designer
  1566. # Note: called by TrID "Corel DESIGN graphics"
  1567. >>>62 string designer.document+zip DESIGNER graphics, version 14-16
  1568. !:mime application/x-vnd.corel.designer.document+zip
  1569. !:ext des
  1570. >>>62 string zcf.designer.document+zip DESIGNER graphics, version 17-21
  1571. !:mime application/x-vnd.corel.zcf.designer.document+zip
  1572. !:ext des
  1573. # URL: http://product.corel.com/help/CorelDRAW/540223850/Main/EN/Documentation/
  1574. # CorelDRAW-Corel-Symbol-Library-CSL.html
  1575. >>>62 string symbol.library+zip Symbol Library, version 6-16.3
  1576. !:mime application/x-vnd.corel.symbol.library+zip
  1577. !:ext csl
  1578. >>>62 string zcf.symbol.library+zip Symbol Library, version 17-22
  1579. !:mime application/x-vnd.corel.zcf.symbol.library+zip
  1580. !:ext csl
  1581. # Catch other ZIP-with-mimetype formats
  1582. # In a ZIP file, the bytes immediately after a member's contents are
  1583. # always "PK". The 2 regex rules here print the "mimetype" member's
  1584. # contents up to the first 'P'. Luckily, most MIME types don't contain
  1585. # any capital 'P's. This is a kludge.
  1586. # (mimetype contains "application/<OTHER>")
  1587. >>50 default x Zip data
  1588. >>>38 regex [!-OQ-~]+ (MIME type "%s"?)
  1589. !:mime application/zip
  1590. # (mimetype contents other than "application/*")
  1591. >26 string \x8\0\0\0mimetype
  1592. >>38 string !application/
  1593. >>>38 regex [!-OQ-~]+ Zip data (MIME type "%s"?)
  1594. !:mime application/zip
  1595. # Java Jar files
  1596. >(26.s+30) leshort 0xcafe Java archive data (JAR)
  1597. !:mime application/java-archive
  1598. # iOS App
  1599. >(26.s+30) leshort !0xcafe
  1600. >>26 string !\x8\0\0\0mimetype
  1601. >>>30 string Payload/
  1602. >>>>38 search/64 .app/ iOS App
  1603. !:mime application/x-ios-app
  1604. # Dup, see above.
  1605. #>30 search/100/b application/epub+zip EPUB document
  1606. #!:mime application/epub+zip
  1607. # Generic zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)
  1608. # Next line excludes specialized formats:
  1609. >(26.s+30) leshort !0xcafe
  1610. >>30 search/100/b !application/epub+zip
  1611. >>>26 string !\x8\0\0\0mimetype Zip archive data
  1612. !:mime application/zip
  1613. >>>>4 beshort x \b, at least
  1614. >>>>4 use zipversion
  1615. >>>>4 beshort x to extract
  1616. >>>>8 beshort x \b, compression method=
  1617. >>>>8 use zipcompression
  1618. >>>>0x161 string WINZIP \b, WinZIP self-extracting
  1619. # StarView Metafile
  1620. # From Pierre Ducroquet <pinaraf@pinaraf.info>
  1621. 0 string VCLMTF StarView MetaFile
  1622. >6 beshort x \b, version %d
  1623. >8 belong x \b, size %d
  1624. # Zoo archiver
  1625. 20 lelong 0xfdc4a7dc Zoo archive data
  1626. !:mime application/x-zoo
  1627. >4 byte >48 \b, v%c.
  1628. >>6 byte >47 \b%c
  1629. >>>7 byte >47 \b%c
  1630. >32 byte >0 \b, modify: v%d
  1631. >>33 byte x \b.%d+
  1632. >42 lelong 0xfdc4a7dc \b,
  1633. >>70 byte >0 extract: v%d
  1634. >>>71 byte x \b.%d+
  1635. # Shell archives
  1636. 10 string #\ This\ is\ a\ shell\ archive shell archive text
  1637. !:mime application/octet-stream
  1638. #
  1639. # LBR. NB: May conflict with the questionable
  1640. # "binary Computer Graphics Metafile" format.
  1641. #
  1642. 0 string \0\ \ \ \ \ \ \ \ \ \ \ \0\0 LBR archive data
  1643. #
  1644. # PMA (CP/M derivative of LHA)
  1645. # Update: Joerg Jenderek
  1646. # URL: https://en.wikipedia.org/wiki/LHA_(file_format)
  1647. #
  1648. #2 string -pm0- PMarc archive data [pm0]
  1649. 2 string -pm0-
  1650. >0 use lharc-file
  1651. #2 string -pm1- PMarc archive data [pm1]
  1652. 2 string -pm1-
  1653. >0 use lharc-file
  1654. #2 string -pm2- PMarc archive data [pm2]
  1655. 2 string -pm2-
  1656. >0 use lharc-file
  1657. 2 string -pms- PMarc SFX archive (CP/M, DOS)
  1658. #!:mime application/x-foobar-exec
  1659. !:ext com
  1660. 5 string -pc1- PopCom compressed executable (CP/M)
  1661. #!:mime application/x-
  1662. #!:ext com
  1663. # From Rafael Laboissiere <rafael@laboissiere.net>
  1664. # The Project Revision Control System (see
  1665. # http://prcs.sourceforge.net) generates a packaged project
  1666. # file which is recognized by the following entry:
  1667. 0 leshort 0xeb81 PRCS packaged project
  1668. # Microsoft cabinets
  1669. # by David Necas (Yeti) <yeti@physics.muni.cz>
  1670. #0 string MSCF\0\0\0\0 Microsoft cabinet file data,
  1671. #>25 byte x v%d
  1672. #>24 byte x \b.%d
  1673. # MPi: All CABs have version 1.3, so this is pointless.
  1674. # Better magic in debian-additions.
  1675. # GTKtalog catalogs
  1676. # by David Necas (Yeti) <yeti@physics.muni.cz>
  1677. 4 string gtktalog\ GTKtalog catalog data,
  1678. >13 string 3 version 3
  1679. >>14 beshort 0x677a (gzipped)
  1680. >>14 beshort !0x677a (not gzipped)
  1681. >13 string >3 version %s
  1682. ############################################################################
  1683. # Parity archive reconstruction file, the 'par' file format now used on Usenet.
  1684. 0 string PAR\0 PARity archive data
  1685. >48 leshort =0 - Index file
  1686. >48 leshort >0 - file number %d
  1687. # Felix von Leitner <felix-file@fefe.de>
  1688. 0 string d8:announce BitTorrent file
  1689. !:mime application/x-bittorrent
  1690. !:ext torrent
  1691. # Durval Menezes, <jmgthbfile at durval dot com>
  1692. 0 string d13:announce-list BitTorrent file
  1693. !:mime application/x-bittorrent
  1694. !:ext torrent
  1695. 0 string d7:comment BitTorrent file
  1696. !:mime application/x-bittorrent
  1697. !:ext torrent
  1698. 0 string d4:info BitTorrent file
  1699. !:mime application/x-bittorrent
  1700. !:ext torrent
  1701. # Atari MSA archive - Teemu Hukkanen <tjhukkan@iki.fi>
  1702. # URL: http://fileformats.archiveteam.org/wiki/MSA_(Magic_Shadow_Archiver)
  1703. # Reference: http://info-coach.fr/atari/documents/_mydoc/FD_Image_File_Format.pdf
  1704. # http://mark0.net/download/triddefs_xml.7z/defs/m/msa.trid.xml
  1705. # Update: Joerg Jenderek
  1706. # Note: called by TrID "Atari MSA Disk Image" and verified by
  1707. # command like `deark -l -m msa -d2 PDATS578.msa` as " Atari ST floppy disk image"
  1708. # GRR: line below is too general as it matches setup.skin
  1709. 0 beshort 0x0e0f
  1710. # skip foo setup.skin with unrealistic high number 52255 of sides by check for valid "low" value
  1711. >4 ubeshort <2 Atari MSA archive data
  1712. #!:mime application/octet-stream
  1713. !:mime application/x-atari-msa
  1714. !:ext msa
  1715. # sectors per track like: 9 10
  1716. >>2 beshort x \b, %d sectors per track
  1717. # sides (0 or 1; add 1 to this to get correct number of sides)
  1718. >>4 beshort 0 \b, 1 sided
  1719. >>4 beshort 1 \b, 2 sided
  1720. # starting track like: 0
  1721. >>6 beshort x \b, starting track: %d
  1722. # ending track like: 39 79 80 81
  1723. >>8 beshort x \b, ending track: %d
  1724. # tracks content
  1725. #>>10 ubequad x \b, track content %#16.16llx
  1726. # Alternate ZIP string (amc@arwen.cs.berkeley.edu)
  1727. 0 string PK00PK\003\004 Zip archive data
  1728. !:mime application/zip
  1729. !:ext zip/cbz
  1730. # ACE archive (from http://www.wotsit.org/download.asp?f=ace)
  1731. # by Stefan `Sec` Zehl <sec@42.org>
  1732. 7 string **ACE** ACE archive data
  1733. !:mime application/x-ace-compressed
  1734. !:ext ace
  1735. >15 byte >0 version %d
  1736. >16 byte =0x00 \b, from MS-DOS
  1737. >16 byte =0x01 \b, from OS/2
  1738. >16 byte =0x02 \b, from Win/32
  1739. >16 byte =0x03 \b, from Unix
  1740. >16 byte =0x04 \b, from MacOS
  1741. >16 byte =0x05 \b, from WinNT
  1742. >16 byte =0x06 \b, from Primos
  1743. >16 byte =0x07 \b, from AppleGS
  1744. >16 byte =0x08 \b, from Atari
  1745. >16 byte =0x09 \b, from Vax/VMS
  1746. >16 byte =0x0A \b, from Amiga
  1747. >16 byte =0x0B \b, from Next
  1748. >14 byte x \b, version %d to extract
  1749. >5 leshort &0x0080 \b, multiple volumes,
  1750. >>17 byte x \b (part %d),
  1751. >5 leshort &0x0002 \b, contains comment
  1752. >5 leshort &0x0200 \b, sfx
  1753. >5 leshort &0x0400 \b, small dictionary
  1754. >5 leshort &0x0800 \b, multi-volume
  1755. >5 leshort &0x1000 \b, contains AV-String
  1756. >>30 string \x16*UNREGISTERED\x20VERSION* (unregistered)
  1757. >5 leshort &0x2000 \b, with recovery record
  1758. >5 leshort &0x4000 \b, locked
  1759. >5 leshort &0x8000 \b, solid
  1760. # Date in MS-DOS format (whatever that is)
  1761. #>18 lelong x Created on
  1762. # sfArk : compression program for Soundfonts (sf2) by Dirk Jagdmann
  1763. # <doj@cubic.org>
  1764. 0x1A string sfArk sfArk compressed Soundfont
  1765. >0x15 string 2
  1766. >>0x1 string >\0 Version %s
  1767. >>0x2A string >\0 : %s
  1768. # DR-DOS 7.03 Packed File *.??_
  1769. # Reference: http://www.antonis.de/dos/dos-tuts/mpdostip/html/nwdostip.htm
  1770. # Note: unpacked by PNUNPACK.EXE
  1771. 0 string Packed\ File\
  1772. # by looking for Control-Z skip ASCII text starting with Packed File
  1773. >0x18 ubyte 0x1a Personal NetWare Packed File
  1774. !:mime application/x-novell-compress
  1775. !:ext ??_
  1776. >>12 string x \b, was "%.12s"
  1777. # 1 or 2
  1778. #>>0x19 ubyte x \b, at 0x19 %u
  1779. >>0x1b ulelong x with %u bytes
  1780. # EET archive
  1781. # From: Tilman Sauerbeck <tilman@code-monkey.de>
  1782. 0 belong 0x1ee7ff00 EET archive
  1783. !:mime application/x-eet
  1784. # rzip archives
  1785. 0 string RZIP rzip compressed data
  1786. >4 byte x - version %d
  1787. >5 byte x \b.%d
  1788. >6 belong x (%d bytes)
  1789. # From: Joerg Jenderek
  1790. # URL: https://help.foxitsoftware.com/kb/install-fzip-file.php
  1791. # reference: http://mark0.net/download/triddefs_xml.7z/
  1792. # defs/f/fzip.trid.xml
  1793. # Note: unknown compression; No "PK" zip magic; normally in directory like
  1794. # "%APPDATA%\Foxit Software\Addon\Foxit Reader\Install"
  1795. 0 ubequad 0x2506781901010000 Foxit add-on/update
  1796. !:mime application/x-fzip
  1797. !:ext fzip
  1798. # From: "Robert Dale" <robdale@gmail.com>
  1799. 0 belong 123 dar archive,
  1800. >4 belong x label "%.8x
  1801. >>8 belong x %.8x
  1802. >>>12 beshort x %.4x"
  1803. >14 byte 0x54 end slice
  1804. >14 beshort 0x4e4e multi-part
  1805. >14 beshort 0x4e53 multi-part, with -S
  1806. # Symbian installation files
  1807. # https://www.thouky.co.uk/software/psifs/sis.html
  1808. # http://developer.symbian.com/main/downloads/papers/SymbianOSv91/softwareinstallsis.pdf
  1809. 8 lelong 0x10000419 Symbian installation file
  1810. !:mime application/vnd.symbian.install
  1811. >4 lelong 0x1000006D (EPOC release 3/4/5)
  1812. >4 lelong 0x10003A12 (EPOC release 6)
  1813. 0 lelong 0x10201A7A Symbian installation file (Symbian OS 9.x)
  1814. !:mime x-epoc/x-sisx-app
  1815. # From "Nelson A. de Oliveira" <naoliv@gmail.com>
  1816. 0 string MPQ\032 MoPaQ (MPQ) archive
  1817. # From: "Nelson A. de Oliveira" <naoliv@gmail.com>
  1818. # .kgb
  1819. 0 string KGB_arch KGB Archiver file
  1820. >10 string x with compression level %.1s
  1821. # xar (eXtensible ARchiver) archive
  1822. # URL: https://en.wikipedia.org/wiki/Xar_(archiver)
  1823. # xar archive format: https://code.google.com/p/xar/
  1824. # From: "David Remahl" <dremahl@apple.com>
  1825. # Update: Joerg Jenderek
  1826. # TODO: lzma compression; X509Data for pkg and xip
  1827. # Note: verified by `xar --dump-header -f FullBundleUpdate.xar` or
  1828. # 7z t -txar Xcode_10.2_beta_4.xip`
  1829. 0 string xar! xar archive
  1830. !:mime application/x-xar
  1831. # pkg for Mac OSX installer package like FullBundleUpdate.pkg
  1832. # xip for signed Apple software like Xcode_10.2_beta_4.xip
  1833. !:ext xar/pkg/xip
  1834. # always 28 in older archives
  1835. >4 ubeshort >28 \b, header size %u
  1836. # currently there exit only version 1 since about 2014
  1837. >6 ubeshort >1 version %u,
  1838. >8 ubequad x compressed TOC: %llu,
  1839. #>16 ubequad x uncompressed TOC: %llu,
  1840. # cksum_alg 0-2 in older and also 3-4 in newer
  1841. >24 belong 0 no checksum
  1842. >24 belong 1 SHA-1 checksum
  1843. >24 belong 2 MD5 checksum
  1844. >24 belong 3 SHA-256 checksum
  1845. >24 belong 4 SHA-512 checksum
  1846. >24 belong >4 unknown %#x checksum
  1847. #>24 belong >4 checksum
  1848. # For no compression jump 0 bytes
  1849. >24 belong 0
  1850. >>0 ubyte x
  1851. # jump more bytes forward by header size
  1852. >>>&(4.S) ubyte x
  1853. # jump more bytes forward by compressed table of contents size
  1854. #>>>>&(8.Q) ubequad x \b, heap data %#llx
  1855. >>>>&(8.Q) ubyte x
  1856. # look for data by ./compress after message with 1 space at end
  1857. >>>>>&-3 indirect x \b, contains
  1858. # For SHA-1 jump 20 minus 2 bytes
  1859. >24 belong 1
  1860. >>18 ubyte x
  1861. # jump more bytes forward by header size
  1862. >>>&(4.S) ubyte x
  1863. # jump more bytes forward by compressed table of contents size
  1864. >>>>&(8.Q) ubyte x
  1865. # data compressed by gzip, bzip, lzma or none
  1866. >>>>>&-1 indirect x \b, contains
  1867. # For SHA-256 jump 32 minus 2 bytes
  1868. >24 belong 3
  1869. >>30 ubyte x
  1870. # jump more bytes forward by header size
  1871. >>>&(4.S) ubyte x
  1872. # jump more bytes forward by compressed table of contents size
  1873. >>>>&(8.Q) ubyte x
  1874. >>>>>&-1 indirect x \b, contains
  1875. # For SHA-512 jump 64 minus 2 bytes
  1876. >24 belong 4
  1877. >>62 ubyte x
  1878. # jump more bytes forward by header size
  1879. >>>&(4.S) ubyte x
  1880. # jump more bytes forward by compressed table of contents size
  1881. >>>>&(8.Q) ubyte x
  1882. >>>>>&-1 indirect x \b, contains
  1883. # Type: Parity Archive
  1884. # From: Daniel van Eeden <daniel_e@dds.nl>
  1885. 0 string PAR2 Parity Archive Volume Set
  1886. # Bacula volume format. (Volumes always start with a block header.)
  1887. # URL: https://bacula.org/3.0.x-manuals/en/developers/developers/Block_Header.html
  1888. # From: Adam Buchbinder <adam.buchbinder@gmail.com>
  1889. 12 string BB02 Bacula volume
  1890. >20 bedate x \b, started %s
  1891. # ePub is XHTML + XML inside a ZIP archive. The first member of the
  1892. # archive must be an uncompressed file called 'mimetype' with contents
  1893. # 'application/epub+zip'
  1894. # From: "Michael Gorny" <mgorny@gentoo.org>
  1895. # ZPAQ: http://mattmahoney.net/dc/zpaq.html
  1896. 0 string zPQ ZPAQ stream
  1897. >3 byte x \b, level %d
  1898. # From: Barry Carter <carter.barry@gmail.com>
  1899. # https://encode.ru/threads/456-zpaq-updates/page32
  1900. 0 string 7kSt ZPAQ file
  1901. # BBeB ebook, unencrypted (LRF format)
  1902. # URL: https://www.sven.de/librie/Librie/LrfFormat
  1903. # From: Adam Buchbinder <adam.buchbinder@gmail.com>
  1904. 0 string L\0R\0F\0\0\0 BBeB ebook data, unencrypted
  1905. >8 beshort x \b, version %d
  1906. >36 byte 1 \b, front-to-back
  1907. >36 byte 16 \b, back-to-front
  1908. >42 beshort x \b, (%dx,
  1909. >44 beshort x %d)
  1910. # Symantec GHOST image by Joerg Jenderek at May 2014
  1911. # https://us.norton.com/ghost/
  1912. # https://www.garykessler.net/library/file_sigs.html
  1913. 0 ubelong&0xFFFFf7f0 0xFEEF0100 Norton GHost image
  1914. # *.GHO
  1915. >2 ubyte&0x08 0x00 \b, first file
  1916. # *.GHS or *.[0-9] with cns program option
  1917. >2 ubyte&0x08 0x08 \b, split file
  1918. # part of split index interesting for *.ghs
  1919. >>4 ubyte x id=%#x
  1920. # compression tag minus one equals numeric compression command line switch z[1-9]
  1921. >3 ubyte 0 \b, no compression
  1922. >3 ubyte 2 \b, fast compression (Z1)
  1923. >3 ubyte 3 \b, medium compression (Z2)
  1924. >3 ubyte >3
  1925. >>3 ubyte <11 \b, compression (Z%d-1)
  1926. >2 ubyte&0x08 0x00
  1927. # ~ 30 byte password field only for *.gho
  1928. >>12 ubequad !0 \b, password protected
  1929. >>44 ubyte !1
  1930. # 1~Image All, sector-by-sector only for *.gho
  1931. >>>10 ubyte 1 \b, sector copy
  1932. # 1~Image Boot track only for *.gho
  1933. >>>43 ubyte 1 \b, boot track
  1934. # 1~Image Disc only for *.gho implies Image Boot track and sector copy
  1935. >>44 ubyte 1 \b, disc sector copy
  1936. # optional image description only *.gho
  1937. >>0xff string >\0 "%-.254s"
  1938. # look for DOS sector end sequence
  1939. >0xE08 search/7776 \x55\xAA
  1940. >>&-512 indirect x \b; contains
  1941. # Google Chrome extensions
  1942. # https://developer.chrome.com/extensions/crx
  1943. # https://developer.chrome.com/extensions/hosting
  1944. 0 string Cr24 Google Chrome extension
  1945. !:mime application/x-chrome-extension
  1946. >4 ulong x \b, version %u
  1947. # SeqBox - Sequenced container
  1948. # ext: sbx, seqbox
  1949. # Marco Pontello marcopon@gmail.com
  1950. # reference: https://github.com/MarcoPon/SeqBox
  1951. 0 string SBx SeqBox,
  1952. >3 byte x version %d
  1953. # LyNX archive
  1954. 56 string USE\040LYNX\040TO\040DISSOLVE\040THIS\040FILE LyNX archive
  1955. # From: Joerg Jenderek
  1956. # URL: https://www.acronis.com/
  1957. # Reference: https://en.wikipedia.org/wiki/TIB_(file_format)
  1958. # Note: only tested with True Image 2013 Build 5962 and 2019 Build 14110
  1959. 0 ubequad 0xce24b9a220000000 Acronis True Image backup
  1960. !:mime application/x-acronis-tib
  1961. !:ext tib
  1962. # 01000000
  1963. #>20 ubelong x \b, at 20 %#x
  1964. # 20000000
  1965. #>28 ubelong x \b, at 28 %#x
  1966. # strings like "Generic- SD/MMC 1.00" "Unknown Disk" "Msft Virtual Disk 1.0"
  1967. # ???
  1968. # strings like "\Device\0000011e" "\Device\0000015a"
  1969. #>0 search/0x6852300/cs \\Device\\
  1970. #>>&-1 pstring x \b, %s
  1971. # "\Device\HarddiskVolume30" "\Device\HarddiskVolume39"
  1972. #>>>&1 search/180/cs \\Device\\
  1973. #>>>>&-1 pstring x \b, %s
  1974. #>>>>>&0 search/29/cs \0\0\xc8\0
  1975. # disk label
  1976. #>>>>>>&10 lestring16 x \b, disk label %11.11s
  1977. #>>>>>>&9 plestring16 x \b, disk label "%11.11s"
  1978. #>>>>>>&10 ubequad x %16.16llx
  1979. # Gentoo XPAK binary package
  1980. # by Michal Gorny <mgorny@gentoo.org>
  1981. # https://gitweb.gentoo.org/proj/portage.git/tree/man/xpak.5
  1982. -4 string STOP
  1983. >-16 string XPAKSTOP Gentoo binary package (XPAK)
  1984. # From: Joerg Jenderek
  1985. # URL: https://kodi.wiki/view/TexturePacker
  1986. # Reference: https://mirrors.kodi.tv/releases/source/17.3-Krypton.tar.gz
  1987. # /xbmc-Krypton/xbmc/guilib/XBTF.h
  1988. # /xbmc-Krypton/xbmc/guilib/XBTF.cpp
  1989. 0 string XBTF
  1990. # skip ASCII text by looking for terminating \0 of path
  1991. >264 ubyte 0 XBMC texture package
  1992. !:mime application/x-xbmc-xbt
  1993. !:ext xbt
  1994. # XBTF_VERSION 2
  1995. >>4 string !2 \b, version %-.1s
  1996. # nofFiles /xbmc-Krypton/xbmc/guilib/XBTFReader.cpp
  1997. >>5 ulelong x \b, %u file
  1998. # plural s
  1999. >>5 ulelong >1 \bs
  2000. # path[CXBTFFile[MaximumPathLength=256]
  2001. >>9 string x \b, 1st %s
  2002. # ALZIP archive
  2003. # by Hyungjun Park <hyungjun.park@worksmobile.com>, Hajin Jang <hajin_jang@worksmobile.com>
  2004. # http://kippler.com/win/unalz/
  2005. # https://salsa.debian.org/l10n-korean-team/unalz
  2006. 0 string ALZ\001 ALZ archive data
  2007. !:ext alz
  2008. # https://cf-aldn.altools.co.kr/setup/EGG_Specification.zip
  2009. 0 string EGGA EGG archive data,
  2010. !:ext egg
  2011. >5 byte x version %u
  2012. >4 byte x \b.%u
  2013. >>0x0E ulelong =0x08E28222
  2014. >>0x0E ulelong =0x24F5A262 \b, split
  2015. >>0x0E ulelong =0x24E5A060 \b, solid
  2016. >>0x0E default x \b, unknown
  2017. # PAQ9A archive
  2018. # URL: http://mattmahoney.net/dc/#paq9a
  2019. # Note: Line 1186 of paq9a.cpp gives the magic bytes
  2020. 0 string pQ9\001 PAQ9A archive
  2021. # From wof (wof@stachelkaktus.net)
  2022. 0 string Unison\ archive\ format Unison archive format