archive 37 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171
  1. #------------------------------------------------------------------------------
  2. # $File: archive,v 1.103 2016/05/05 17:07:40 christos Exp $
  3. # archive: file(1) magic for archive formats (see also "msdos" for self-
  4. # extracting compressed archives)
  5. #
  6. # cpio, ar, arc, arj, hpack, lha/lharc, rar, squish, uc2, zip, zoo, etc.
  7. # pre-POSIX "tar" archives are handled in the C code.
  8. # POSIX tar archives
  9. 257 string ustar\0 POSIX tar archive
  10. !:mime application/x-tar # encoding: posix
  11. 257 string ustar\040\040\0 GNU tar archive
  12. !:mime application/x-tar # encoding: gnu
  13. # Incremental snapshot gnu-tar format from:
  14. # http://www.gnu.org/software/tar/manual/html_node/Snapshot-Files.html
  15. 0 string GNU\ tar- GNU tar incremental snapshot data
  16. >&0 regex [0-9]\.[0-9]+-[0-9]+ version %s
  17. # cpio archives
  18. #
  19. # Yes, the top two "cpio archive" formats *are* supposed to just be "short".
  20. # The idea is to indicate archives produced on machines with the same
  21. # byte order as the machine running "file" with "cpio archive", and
  22. # to indicate archives produced on machines with the opposite byte order
  23. # from the machine running "file" with "byte-swapped cpio archive".
  24. #
  25. # The SVR4 "cpio(4)" hints that there are additional formats, but they
  26. # are defined as "short"s; I think all the new formats are
  27. # character-header formats and thus are strings, not numbers.
  28. 0 short 070707 cpio archive
  29. !:mime application/x-cpio
  30. 0 short 0143561 byte-swapped cpio archive
  31. !:mime application/x-cpio # encoding: swapped
  32. 0 string 070707 ASCII cpio archive (pre-SVR4 or odc)
  33. 0 string 070701 ASCII cpio archive (SVR4 with no CRC)
  34. 0 string 070702 ASCII cpio archive (SVR4 with CRC)
  35. #
  36. # Various archive formats used by various versions of the "ar"
  37. # command.
  38. #
  39. #
  40. # Original UNIX archive formats.
  41. # They were written with binary values in host byte order, and
  42. # the magic number was a host "int", which might have been 16 bits
  43. # or 32 bits. We don't say "PDP-11" or "VAX", as there might have
  44. # been ports to little-endian 16-bit-int or 32-bit-int platforms
  45. # (x86?) using some of those formats; if none existed, feel free
  46. # to use "PDP-11" for little-endian 16-bit and "VAX" for little-endian
  47. # 32-bit. There might have been big-endian ports of that sort as
  48. # well.
  49. #
  50. 0 leshort 0177555 very old 16-bit-int little-endian archive
  51. 0 beshort 0177555 very old 16-bit-int big-endian archive
  52. 0 lelong 0177555 very old 32-bit-int little-endian archive
  53. 0 belong 0177555 very old 32-bit-int big-endian archive
  54. 0 leshort 0177545 old 16-bit-int little-endian archive
  55. >2 string __.SYMDEF random library
  56. 0 beshort 0177545 old 16-bit-int big-endian archive
  57. >2 string __.SYMDEF random library
  58. 0 lelong 0177545 old 32-bit-int little-endian archive
  59. >4 string __.SYMDEF random library
  60. 0 belong 0177545 old 32-bit-int big-endian archive
  61. >4 string __.SYMDEF random library
  62. #
  63. # From "pdp" (but why a 4-byte quantity?)
  64. #
  65. 0 lelong 0x39bed PDP-11 old archive
  66. 0 lelong 0x39bee PDP-11 4.0 archive
  67. #
  68. # XXX - what flavor of APL used this, and was it a variant of
  69. # some ar archive format? It's similar to, but not the same
  70. # as, the APL workspace magic numbers in pdp.
  71. #
  72. 0 long 0100554 apl workspace
  73. #
  74. # System V Release 1 portable(?) archive format.
  75. #
  76. 0 string =<ar> System V Release 1 ar archive
  77. !:mime application/x-archive
  78. #
  79. # Debian package; it's in the portable archive format, and needs to go
  80. # before the entry for regular portable archives, as it's recognized as
  81. # a portable archive whose first member has a name beginning with
  82. # "debian".
  83. #
  84. 0 string =!<arch>\ndebian
  85. >8 string debian-split part of multipart Debian package
  86. !:mime application/vnd.debian.binary-package
  87. >8 string debian-binary Debian binary package
  88. !:mime application/vnd.debian.binary-package
  89. >8 string !debian
  90. >68 string >\0 (format %s)
  91. # These next two lines do not work, because a bzip2 Debian archive
  92. # still uses gzip for the control.tar (first in the archive). Only
  93. # data.tar varies, and the location of its filename varies too.
  94. # file/libmagic does not current have support for ascii-string based
  95. # (offsets) as of 2005-09-15.
  96. #>81 string bz2 \b, uses bzip2 compression
  97. #>84 string gz \b, uses gzip compression
  98. #>136 ledate x created: %s
  99. #
  100. # MIPS archive; they're in the portable archive format, and need to go
  101. # before the entry for regular portable archives, as it's recognized as
  102. # a portable archive whose first member has a name beginning with
  103. # "__________E".
  104. #
  105. 0 string =!<arch>\n__________E MIPS archive
  106. !:mime application/x-archive
  107. >20 string U with MIPS Ucode members
  108. >21 string L with MIPSEL members
  109. >21 string B with MIPSEB members
  110. >19 string L and an EL hash table
  111. >19 string B and an EB hash table
  112. >22 string X -- out of date
  113. 0 search/1 -h- Software Tools format archive text
  114. #
  115. # BSD/SVR2-and-later portable archive formats.
  116. #
  117. 0 string =!<arch> current ar archive
  118. !:mime application/x-archive
  119. >8 string __.SYMDEF random library
  120. >68 string __.SYMDEF\ SORTED random library
  121. #
  122. # "Thin" archive, as can be produced by GNU ar.
  123. #
  124. 0 string =!<thin>\n thin archive with
  125. >68 belong 0 no symbol entries
  126. >68 belong 1 %d symbol entry
  127. >68 belong >1 %d symbol entries
  128. # ARC archiver, from Daniel Quinlan (quinlan@yggdrasil.com)
  129. #
  130. # The first byte is the magic (0x1a), byte 2 is the compression type for
  131. # the first file (0x01 through 0x09), and bytes 3 to 15 are the MS-DOS
  132. # filename of the first file (null terminated). Since some types collide
  133. # we only test some types on basis of frequency: 0x08 (83%), 0x09 (5%),
  134. # 0x02 (5%), 0x03 (3%), 0x04 (2%), 0x06 (2%). 0x01 collides with terminfo.
  135. 0 lelong&0x8080ffff 0x0000081a ARC archive data, dynamic LZW
  136. !:mime application/x-arc
  137. 0 lelong&0x8080ffff 0x0000091a ARC archive data, squashed
  138. !:mime application/x-arc
  139. 0 lelong&0x8080ffff 0x0000021a ARC archive data, uncompressed
  140. !:mime application/x-arc
  141. 0 lelong&0x8080ffff 0x0000031a ARC archive data, packed
  142. !:mime application/x-arc
  143. 0 lelong&0x8080ffff 0x0000041a ARC archive data, squeezed
  144. !:mime application/x-arc
  145. 0 lelong&0x8080ffff 0x0000061a ARC archive data, crunched
  146. !:mime application/x-arc
  147. # [JW] stuff taken from idarc, obviously ARC successors:
  148. 0 lelong&0x8080ffff 0x00000a1a PAK archive data
  149. !:mime application/x-arc
  150. 0 lelong&0x8080ffff 0x0000141a ARC+ archive data
  151. !:mime application/x-arc
  152. 0 lelong&0x8080ffff 0x0000481a HYP archive data
  153. !:mime application/x-arc
  154. # Acorn archive formats (Disaster prone simpleton, m91dps@ecs.ox.ac.uk)
  155. # I can't create either SPARK or ArcFS archives so I have not tested this stuff
  156. # [GRR: the original entries collide with ARC, above; replaced with combined
  157. # version (not tested)]
  158. #0 byte 0x1a RISC OS archive (spark format)
  159. 0 string \032archive RISC OS archive (ArcFS format)
  160. 0 string Archive\000 RISC OS archive (ArcFS format)
  161. # All these were taken from idarc, many could not be verified. Unfortunately,
  162. # there were many low-quality sigs, i.e. easy to trigger false positives.
  163. # Please notify me of any real-world fishy/ambiguous signatures and I'll try
  164. # to get my hands on the actual archiver and see if I find something better. [JW]
  165. # probably many can be enhanced by finding some 0-byte or control char near the start
  166. # idarc calls this Crush/Uncompressed... *shrug*
  167. 0 string CRUSH Crush archive data
  168. # Squeeze It (.sqz)
  169. 0 string HLSQZ Squeeze It archive data
  170. # SQWEZ
  171. 0 string SQWEZ SQWEZ archive data
  172. # HPack (.hpk)
  173. 0 string HPAK HPack archive data
  174. # HAP
  175. 0 string \x91\x33HF HAP archive data
  176. # MD/MDCD
  177. 0 string MDmd MDCD archive data
  178. # LIM
  179. 0 string LIM\x1a LIM archive data
  180. # SAR
  181. 3 string LH5 SAR archive data
  182. # BSArc/BS2
  183. 0 string \212\3SB\020\0 BSArc/BS2 archive data
  184. # Bethesda Softworks Archive (Oblivion)
  185. 0 string BSA\0 BSArc archive data
  186. >4 lelong x version %d
  187. # MAR
  188. 2 string =-ah MAR archive data
  189. # ACB
  190. #0 belong&0x00f800ff 0x00800000 ACB archive data
  191. # CPZ
  192. # TODO, this is what idarc says: 0 string \0\0\0 CPZ archive data
  193. # JRC
  194. 0 string JRchive JRC archive data
  195. # Quantum
  196. 0 string DS\0 Quantum archive data
  197. # ReSOF
  198. 0 string PK\3\6 ReSOF archive data
  199. # QuArk
  200. 0 string 7\4 QuArk archive data
  201. # YAC
  202. 14 string YC YAC archive data
  203. # X1
  204. 0 string X1 X1 archive data
  205. 0 string XhDr X1 archive data
  206. # CDC Codec (.dqt)
  207. 0 belong&0xffffe000 0x76ff2000 CDC Codec archive data
  208. # AMGC
  209. 0 string \xad6" AMGC archive data
  210. # NuLIB
  211. 0 string N\xc3\xb5F\xc3\xa9lx\xc3\xa5 NuLIB archive data
  212. # PakLeo
  213. 0 string LEOLZW PAKLeo archive data
  214. # ChArc
  215. 0 string SChF ChArc archive data
  216. # PSA
  217. 0 string PSA PSA archive data
  218. # CrossePAC
  219. 0 string DSIGDCC CrossePAC archive data
  220. # Freeze
  221. 0 string \x1f\x9f\x4a\x10\x0a Freeze archive data
  222. # KBoom
  223. 0 string \xc2\xa8MP\xc2\xa8 KBoom archive data
  224. # NSQ, must go after CDC Codec
  225. 0 string \x76\xff NSQ archive data
  226. # DPA
  227. 0 string Dirk\ Paehl DPA archive data
  228. # BA
  229. # TODO: idarc says "bytes 0-2 == bytes 3-5"
  230. # TTComp
  231. # URL: http://fileformats.archiveteam.org/wiki/TTComp_archive
  232. # Update: Joerg Jenderek
  233. # GRR: line below is too general as it matches also Panorama database "TCDB 2003-10 demo.pan", others
  234. 0 string \0\6
  235. # look for first keyword of Panorama database *.pan
  236. >12 search/261 DESIGN
  237. # skip keyword with low entropy
  238. >12 default x TTComp archive, binary, 4K dictionary
  239. # (version 5.25) labeled the above entry as "TTComp archive data"
  240. # ESP, could this conflict with Easy Software Products' (e.g.ESP ghostscript) documentation?
  241. 0 string ESP ESP archive data
  242. # ZPack
  243. 0 string \1ZPK\1 ZPack archive data
  244. # Sky
  245. 0 string \xbc\x40 Sky archive data
  246. # UFA
  247. 0 string UFA UFA archive data
  248. # Dry
  249. 0 string =-H2O DRY archive data
  250. # FoxSQZ
  251. 0 string FOXSQZ FoxSQZ archive data
  252. # AR7
  253. 0 string ,AR7 AR7 archive data
  254. # PPMZ
  255. 0 string PPMZ PPMZ archive data
  256. # MS Compress
  257. 4 string \x88\xf0\x27 MS Compress archive data
  258. # updated by Joerg Jenderek
  259. >9 string \0
  260. >>0 string KWAJ
  261. >>>7 string \321\003 MS Compress archive data
  262. >>>>14 ulong >0 \b, original size: %d bytes
  263. >>>>18 ubyte >0x65
  264. >>>>>18 string x \b, was %.8s
  265. >>>>>(10.b-4) string x \b.%.3s
  266. # MP3 (archiver, not lossy audio compression)
  267. 0 string MP3\x1a MP3-Archiver archive data
  268. # ZET
  269. 0 string OZ\xc3\x9d ZET archive data
  270. # TSComp
  271. 0 string \x65\x5d\x13\x8c\x08\x01\x03\x00 TSComp archive data
  272. # ARQ
  273. 0 string gW\4\1 ARQ archive data
  274. # Squash
  275. 3 string OctSqu Squash archive data
  276. # Terse
  277. 0 string \5\1\1\0 Terse archive data
  278. # PUCrunch
  279. 0 string \x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 PUCrunch archive data
  280. # UHarc
  281. 0 string UHA UHarc archive data
  282. # ABComp
  283. 0 string \2AB ABComp archive data
  284. 0 string \3AB2 ABComp archive data
  285. # CMP
  286. 0 string CO\0 CMP archive data
  287. # Splint
  288. 0 string \x93\xb9\x06 Splint archive data
  289. # InstallShield
  290. 0 string \x13\x5d\x65\x8c InstallShield Z archive Data
  291. # Gather
  292. 1 string GTH Gather archive data
  293. # BOA
  294. 0 string BOA BOA archive data
  295. # RAX
  296. 0 string ULEB\xa RAX archive data
  297. # Xtreme
  298. 0 string ULEB\0 Xtreme archive data
  299. # Pack Magic
  300. 0 string @\xc3\xa2\1\0 Pack Magic archive data
  301. # BTS
  302. 0 belong&0xfeffffff 0x1a034465 BTS archive data
  303. # ELI 5750
  304. 0 string Ora\ ELI 5750 archive data
  305. # QFC
  306. 0 string \x1aFC\x1a QFC archive data
  307. 0 string \x1aQF\x1a QFC archive data
  308. # PRO-PACK
  309. 0 string RNC PRO-PACK archive data
  310. # 777
  311. 0 string 777 777 archive data
  312. # LZS221
  313. 0 string sTaC LZS221 archive data
  314. # HPA
  315. 0 string HPA HPA archive data
  316. # Arhangel
  317. 0 string LG Arhangel archive data
  318. # EXP1, uses bzip2
  319. 0 string 0123456789012345BZh EXP1 archive data
  320. # IMP
  321. 0 string IMP\xa IMP archive data
  322. # NRV
  323. 0 string \x00\x9E\x6E\x72\x76\xFF NRV archive data
  324. # Squish
  325. 0 string \x73\xb2\x90\xf4 Squish archive data
  326. # Par
  327. 0 string PHILIPP Par archive data
  328. 0 string PAR Par archive data
  329. # HIT
  330. 0 string UB HIT archive data
  331. # SBX
  332. 0 belong&0xfffff000 0x53423000 SBX archive data
  333. # NaShrink
  334. 0 string NSK NaShrink archive data
  335. # SAPCAR
  336. 0 string #\ CAR\ archive\ header SAPCAR archive data
  337. 0 string CAR\ 2.00RG SAPCAR archive data
  338. # Disintegrator
  339. 0 string DST Disintegrator archive data
  340. # ASD
  341. 0 string ASD ASD archive data
  342. # InstallShield CAB
  343. 0 string ISc( InstallShield CAB
  344. # TOP4
  345. 0 string T4\x1a TOP4 archive data
  346. # BatComp left out: sig looks like COM executable
  347. # so TODO: get real 4dos batcomp file and find sig
  348. # BlakHole
  349. 0 string BH\5\7 BlakHole archive data
  350. # BIX
  351. 0 string BIX0 BIX archive data
  352. # ChiefLZA
  353. 0 string ChfLZ ChiefLZA archive data
  354. # Blink
  355. 0 string Blink Blink archive data
  356. # Logitech Compress
  357. 0 string \xda\xfa Logitech Compress archive data
  358. # ARS-Sfx (FIXME: really a SFX? then goto COM/EXE)
  359. 1 string (C)\ STEPANYUK ARS-Sfx archive data
  360. # AKT/AKT32
  361. 0 string AKT32 AKT32 archive data
  362. 0 string AKT AKT archive data
  363. # NPack
  364. 0 string MSTSM NPack archive data
  365. # PFT
  366. 0 string \0\x50\0\x14 PFT archive data
  367. # SemOne
  368. 0 string SEM SemOne archive data
  369. # PPMD
  370. 0 string \x8f\xaf\xac\x84 PPMD archive data
  371. # FIZ
  372. 0 string FIZ FIZ archive data
  373. # MSXiE
  374. 0 belong&0xfffff0f0 0x4d530000 MSXiE archive data
  375. # DeepFreezer
  376. 0 belong&0xfffffff0 0x797a3030 DeepFreezer archive data
  377. # DC
  378. 0 string =<DC- DC archive data
  379. # TPac
  380. 0 string \4TPAC\3 TPac archive data
  381. # Ai
  382. 0 string Ai\1\1\0 Ai archive data
  383. 0 string Ai\1\0\0 Ai archive data
  384. # Ai32
  385. 0 string Ai\2\0 Ai32 archive data
  386. 0 string Ai\2\1 Ai32 archive data
  387. # SBC
  388. 0 string SBC SBC archive data
  389. # Ybs
  390. 0 string YBS Ybs archive data
  391. # DitPack
  392. 0 string \x9e\0\0 DitPack archive data
  393. # DMS
  394. 0 string DMS! DMS archive data
  395. # EPC
  396. 0 string \x8f\xaf\xac\x8c EPC archive data
  397. # VSARC
  398. 0 string VS\x1a VSARC archive data
  399. # PDZ
  400. 0 string PDZ PDZ archive data
  401. # ReDuq
  402. 0 string rdqx ReDuq archive data
  403. # GCA
  404. 0 string GCAX GCA archive data
  405. # PPMN
  406. 0 string pN PPMN archive data
  407. # WinImage
  408. 3 string WINIMAGE WinImage archive data
  409. # Compressia
  410. 0 string CMP0CMP Compressia archive data
  411. # UHBC
  412. 0 string UHB UHBC archive data
  413. # WinHKI
  414. 0 string \x61\x5C\x04\x05 WinHKI archive data
  415. # WWPack data file
  416. 0 string WWP WWPack archive data
  417. # BSN (BSA, PTS-DOS)
  418. 0 string \xffBSG BSN archive data
  419. 1 string \xffBSG BSN archive data
  420. 3 string \xffBSG BSN archive data
  421. 1 string \0\xae\2 BSN archive data
  422. 1 string \0\xae\3 BSN archive data
  423. 1 string \0\xae\7 BSN archive data
  424. # AIN
  425. 0 string \x33\x18 AIN archive data
  426. 0 string \x33\x17 AIN archive data
  427. # XPA32 test moved and merged with XPA by Joerg Jenderek at Sep 2015
  428. # SZip (TODO: doesn't catch all versions)
  429. 0 string SZ\x0a\4 SZip archive data
  430. # XPack DiskImage
  431. # *.XDI updated by Joerg Jenderek Sep 2015
  432. # ftp://ftp.sac.sk/pub/sac/pack/0index.txt
  433. # GRR: this test is still too general as it catches also text files starting with jm
  434. 0 string jm
  435. # only found examples with this additional characteristic 2 bytes
  436. >2 string \x2\x4 Xpack DiskImage archive data
  437. #!:ext xdi
  438. # XPack Data
  439. # *.xpa updated by Joerg Jenderek Sep 2015
  440. # ftp://ftp.elf.stuba.sk/pub/pc/pack/
  441. 0 string xpa XPA
  442. !:ext xpa
  443. # XPA32
  444. # ftp://ftp.elf.stuba.sk/pub/pc/pack/xpa32.zip
  445. # created by XPA32.EXE version 1.0.2 for Windows
  446. >0 string xpa\0\1 \b32 archive data
  447. # created by XPACK.COM version 1.67m or 1.67r with short 0x1800
  448. >3 ubeshort !0x0001 \bck archive data
  449. # XPack Single Data
  450. # changed by Joerg Jenderek Sep 2015 back to like in version 5.12
  451. # letter 'I'+ acute accent is equivalent to \xcd
  452. 0 string \xcd\ jm Xpack single archive data
  453. #!:mime application/x-xpa-compressed
  454. !:ext xpa
  455. # TODO: missing due to unknown magic/magic at end of file:
  456. #DWC
  457. #ARG
  458. #ZAR
  459. #PC/3270
  460. #InstallIt
  461. #RKive
  462. #RK
  463. #XPack Diskimage
  464. # These were inspired by idarc, but actually verified
  465. # Dzip archiver (.dz)
  466. 0 string DZ Dzip archive data
  467. >2 byte x \b, version %i
  468. >3 byte x \b.%i
  469. # ZZip archiver (.zz)
  470. 0 string ZZ\ \0\0 ZZip archive data
  471. 0 string ZZ0 ZZip archive data
  472. # PAQ archiver (.paq)
  473. 0 string \xaa\x40\x5f\x77\x1f\xe5\x82\x0d PAQ archive data
  474. 0 string PAQ PAQ archive data
  475. >3 byte&0xf0 0x30
  476. >>3 byte x (v%c)
  477. # JAR archiver (.j), this is the successor to ARJ, not Java's JAR (which is essentially ZIP)
  478. 0xe string \x1aJar\x1b JAR (ARJ Software, Inc.) archive data
  479. 0 string JARCS JAR (ARJ Software, Inc.) archive data
  480. # ARJ archiver (jason@jarthur.Claremont.EDU)
  481. 0 leshort 0xea60 ARJ archive data
  482. !:mime application/x-arj
  483. >5 byte x \b, v%d,
  484. >8 byte &0x04 multi-volume,
  485. >8 byte &0x10 slash-switched,
  486. >8 byte &0x20 backup,
  487. >34 string x original name: %s,
  488. >7 byte 0 os: MS-DOS
  489. >7 byte 1 os: PRIMOS
  490. >7 byte 2 os: Unix
  491. >7 byte 3 os: Amiga
  492. >7 byte 4 os: Macintosh
  493. >7 byte 5 os: OS/2
  494. >7 byte 6 os: Apple ][ GS
  495. >7 byte 7 os: Atari ST
  496. >7 byte 8 os: NeXT
  497. >7 byte 9 os: VAX/VMS
  498. >3 byte >0 %d]
  499. # [JW] idarc says this is also possible
  500. 2 leshort 0xea60 ARJ archive data
  501. # HA archiver (Greg Roelofs, newt@uchicago.edu)
  502. # This is a really bad format. A file containing HAWAII will match this...
  503. #0 string HA HA archive data,
  504. #>2 leshort =1 1 file,
  505. #>2 leshort >1 %hu files,
  506. #>4 byte&0x0f =0 first is type CPY
  507. #>4 byte&0x0f =1 first is type ASC
  508. #>4 byte&0x0f =2 first is type HSC
  509. #>4 byte&0x0f =0x0e first is type DIR
  510. #>4 byte&0x0f =0x0f first is type SPECIAL
  511. # suggestion: at least identify small archives (<1024 files)
  512. 0 belong&0xffff00fc 0x48410000 HA archive data
  513. >2 leshort =1 1 file,
  514. >2 leshort >1 %u files,
  515. >4 byte&0x0f =0 first is type CPY
  516. >4 byte&0x0f =1 first is type ASC
  517. >4 byte&0x0f =2 first is type HSC
  518. >4 byte&0x0f =0x0e first is type DIR
  519. >4 byte&0x0f =0x0f first is type SPECIAL
  520. # HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz)
  521. 0 string HPAK HPACK archive data
  522. # JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net
  523. 0 string \351,\001JAM\ JAM archive,
  524. >7 string >\0 version %.4s
  525. >0x26 byte =0x27 -
  526. >>0x2b string >\0 label %.11s,
  527. >>0x27 lelong x serial %08x,
  528. >>0x36 string >\0 fstype %.8s
  529. # LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu)
  530. # Update: Joerg Jenderek
  531. # URL: https://en.wikipedia.org/wiki/LHA_(file_format)
  532. # Reference: http://web.archive.org/web/20021005080911/http://www.osirusoft.com/joejared/lzhformat.html
  533. #
  534. # check and display information of lharc (LHa,PMarc) file
  535. 0 name lharc-file
  536. # check 1st character of method id like -lz4- -lh5- or -pm2-
  537. >2 string -
  538. # check 5th character of method id
  539. >>6 string -
  540. # check header level 0 1 2 3
  541. >>>20 ubyte <4
  542. # check 2nd, 3th and 4th character of method id
  543. >>>>3 regex \^(lh[0-9a-ex]|lz[s2-8]|pm[012]|pc1) \b
  544. !:mime application/x-lzh-compressed
  545. # creator type "LHA "
  546. !:apple ????LHA
  547. # display archive type name like "LHa/LZS archive data" or "LArc archive"
  548. >>>>>2 string -lz \b
  549. !:ext lzs
  550. # already known -lzs- -lz4- -lz5- with old names
  551. >>>>>>2 string -lzs LHa/LZS archive data
  552. >>>>>>3 regex \^lz[45] LHarc 1.x archive data
  553. # missing -lz?- with wikipedia names
  554. >>>>>>3 regex \^lz[2378] LArc archive
  555. # display archive type name like "LHa (2.x) archive data"
  556. >>>>>2 string -lh \b
  557. # already known -lh0- -lh1- -lh2- -lh3- -lh4- -lh5- -lh6- -lh7- -lhd- variants with old names
  558. >>>>>>3 regex \^lh[01] LHarc 1.x/ARX archive data
  559. # LHice archiver use ".ICE" as name extension instead usual one ".lzh"
  560. # FOOBAR archiver use ".foo" as name extension instead usual one
  561. # "Florain Orjanov's and Olga Bachetska's ARchiver" not found at the moment
  562. >>>>>>>2 string -lh1 \b
  563. !:ext lha/lzh/ice
  564. >>>>>>3 regex \^lh[23d] LHa 2.x? archive data
  565. >>>>>>3 regex \^lh[7] LHa (2.x)/LHark archive data
  566. >>>>>>3 regex \^lh[456] LHa (2.x) archive data
  567. >>>>>>>2 string -lh5 \b
  568. # https://en.wikipedia.org/wiki/BIOS
  569. # Some mainboard BIOS like Award use LHa compression. So archives with unusal extension are found like
  570. # bios.rom , kd7_v14.bin, 1010.004, ...
  571. !:ext lha/lzh/rom/bin
  572. # missing -lh?- variants (Joe Jared)
  573. >>>>>>3 regex \^lh[89a-ce] LHa (Joe Jared) archive
  574. # UNLHA32 2.67a
  575. >>>>>>2 string -lhx LHa (UNLHA32) archive
  576. # lha archives with standard file name extensions ".lha" ".lzh"
  577. >>>>>>3 regex !\^(lh1|lh5) \b
  578. !:ext lha/lzh
  579. # this should not happen if all -lh variants are described
  580. >>>>>>2 default x LHa (unknown) archive
  581. #!:ext lha
  582. # PMarc
  583. >>>>>3 regex \^pm[012] PMarc archive data
  584. !:ext pma
  585. # append method id without leading and trailing minus character
  586. >>>>>3 string x [%3.3s]
  587. >>>>>>0 use lharc-header
  588. #
  589. # check and display information of lharc header
  590. 0 name lharc-header
  591. # header size 0x4 , 0x1b-0x61
  592. >0 ubyte x
  593. # compressed data size != compressed file size
  594. #>7 ulelong x \b, data size %d
  595. # attribute: 0x2~?? 0x10~symlink|target 0x20~normal
  596. #>19 ubyte x \b, 19_0x%x
  597. # level identifier 0 1 2 3
  598. #>20 ubyte x \b, level %d
  599. # time stamp
  600. #>15 ubelong x DATE 0x%8.8x
  601. # OS ID for level 1
  602. >20 ubyte 1
  603. # 0x20 types find for *.rom files
  604. >>(21.b+24) ubyte <0x21 \b, 0x%x OS
  605. # ascii type like M for MSDOS
  606. >>(21.b+24) ubyte >0x20 \b, '%c' OS
  607. # OS ID for level 2
  608. >20 ubyte 2
  609. #>>23 ubyte x \b, OS ID 0x%x
  610. >>23 ubyte <0x21 \b, 0x%x OS
  611. >>23 ubyte >0x20 \b, '%c' OS
  612. # filename only for level 0 and 1
  613. >20 ubyte <2
  614. # length of filename
  615. >>21 ubyte >0 \b, with
  616. # filename
  617. >>>21 pstring x "%s"
  618. #
  619. #2 string -lh0- LHarc 1.x/ARX archive data [lh0]
  620. #!:mime application/x-lharc
  621. 2 string -lh0-
  622. >0 use lharc-file
  623. #2 string -lh1- LHarc 1.x/ARX archive data [lh1]
  624. #!:mime application/x-lharc
  625. 2 string -lh1-
  626. >0 use lharc-file
  627. # NEW -lz2- ... -lz8-
  628. 2 string -lz2-
  629. >0 use lharc-file
  630. 2 string -lz3-
  631. >0 use lharc-file
  632. 2 string -lz4-
  633. >0 use lharc-file
  634. 2 string -lz5-
  635. >0 use lharc-file
  636. 2 string -lz7-
  637. >0 use lharc-file
  638. 2 string -lz8-
  639. >0 use lharc-file
  640. # [never seen any but the last; -lh4- reported in comp.compression:]
  641. #2 string -lzs- LHa/LZS archive data [lzs]
  642. 2 string -lzs-
  643. >0 use lharc-file
  644. # According to wikipedia and others such a version does not exist
  645. #2 string -lh\40- LHa 2.x? archive data [lh ]
  646. #2 string -lhd- LHa 2.x? archive data [lhd]
  647. 2 string -lhd-
  648. >0 use lharc-file
  649. #2 string -lh2- LHa 2.x? archive data [lh2]
  650. 2 string -lh2-
  651. >0 use lharc-file
  652. #2 string -lh3- LHa 2.x? archive data [lh3]
  653. 2 string -lh3-
  654. >0 use lharc-file
  655. #2 string -lh4- LHa (2.x) archive data [lh4]
  656. 2 string -lh4-
  657. >0 use lharc-file
  658. #2 string -lh5- LHa (2.x) archive data [lh5]
  659. 2 string -lh5-
  660. >0 use lharc-file
  661. #2 string -lh6- LHa (2.x) archive data [lh6]
  662. 2 string -lh6-
  663. >0 use lharc-file
  664. #2 string -lh7- LHa (2.x)/LHark archive data [lh7]
  665. 2 string -lh7-
  666. # !:mime application/x-lha
  667. # >20 byte x - header level %d
  668. >0 use lharc-file
  669. # NEW -lh8- ... -lhe- , -lhx-
  670. 2 string -lh8-
  671. >0 use lharc-file
  672. 2 string -lh9-
  673. >0 use lharc-file
  674. 2 string -lha-
  675. >0 use lharc-file
  676. 2 string -lhb-
  677. >0 use lharc-file
  678. 2 string -lhc-
  679. >0 use lharc-file
  680. 2 string -lhe-
  681. >0 use lharc-file
  682. 2 string -lhx-
  683. >0 use lharc-file
  684. # taken from idarc [JW]
  685. 2 string -lZ PUT archive data
  686. # already done by LHarc magics
  687. # this should never happen if all sub types of LZS archive are identified
  688. #2 string -lz LZS archive data
  689. 2 string -sw1- Swag archive data
  690. 0 name rar-file-header
  691. >24 byte 15 \b, v1.5
  692. >24 byte 20 \b, v2.0
  693. >24 byte 29 \b, v4
  694. >15 byte 0 \b, os: MS-DOS
  695. >15 byte 1 \b, os: OS/2
  696. >15 byte 2 \b, os: Win32
  697. >15 byte 3 \b, os: Unix
  698. >15 byte 4 \b, os: Mac OS
  699. >15 byte 5 \b, os: BeOS
  700. 0 name rar-archive-header
  701. >3 leshort&0x1ff >0 \b, flags:
  702. >>3 leshort &0x01 ArchiveVolume
  703. >>3 leshort &0x02 Commented
  704. >>3 leshort &0x04 Locked
  705. >>3 leshort &0x10 NewVolumeNaming
  706. >>3 leshort &0x08 Solid
  707. >>3 leshort &0x20 Authenticated
  708. >>3 leshort &0x40 RecoveryRecordPresent
  709. >>3 leshort &0x80 EncryptedBlockHeader
  710. >>3 leshort &0x100 FirstVolume
  711. # RAR (Roshal Archive) archive
  712. 0 string Rar!\x1a\7\0 RAR archive data
  713. !:mime application/x-rar
  714. !:ext rar/cbr
  715. # file header
  716. >(0xc.l+9) byte 0x74
  717. >>(0xc.l+7) use rar-file-header
  718. # subblock seems to share information with file header
  719. >(0xc.l+9) byte 0x7a
  720. >>(0xc.l+7) use rar-file-header
  721. >9 byte 0x73
  722. >>7 use rar-archive-header
  723. 0 string Rar!\x1a\7\1\0 RAR archive data, v5
  724. !:mime application/x-rar
  725. !:ext rar
  726. # Very old RAR archive
  727. # http://jasonblanks.com/wp-includes/images/papers/KnowyourarchiveRAR.pdf
  728. 0 string RE\x7e\x5e RAR archive data (<v1.5)
  729. !:mime application/x-rar
  730. !:ext rar/cbr
  731. # SQUISH archiver (Greg Roelofs, newt@uchicago.edu)
  732. 0 string SQSH squished archive data (Acorn RISCOS)
  733. # UC2 archiver (Greg Roelofs, newt@uchicago.edu)
  734. # [JW] see exe section for self-extracting version
  735. 0 string UC2\x1a UC2 archive data
  736. # PKZIP multi-volume archive
  737. 0 string PK\x07\x08PK\x03\x04 Zip multi-volume archive data, at least PKZIP v2.50 to extract
  738. !:mime application/zip
  739. !:ext zip/cbz
  740. # Zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)
  741. 0 string PK\005\006 Zip archive data (empty)
  742. !:mime application/zip
  743. !:ext zip/cbz
  744. 0 string PK\003\004
  745. # Specialised zip formats which start with a member named 'mimetype'
  746. # (stored uncompressed, with no 'extra field') containing the file's MIME type.
  747. # Check for have 8-byte name, 0-byte extra field, name "mimetype", and
  748. # contents starting with "application/":
  749. >26 string \x8\0\0\0mimetypeapplication/
  750. # KOffice / OpenOffice & StarOffice / OpenDocument formats
  751. # From: Abel Cheung <abel@oaka.org>
  752. # KOffice (1.2 or above) formats
  753. # (mimetype contains "application/vnd.kde.<SUBTYPE>")
  754. >>50 string vnd.kde. KOffice (>=1.2)
  755. >>>58 string karbon Karbon document
  756. >>>58 string kchart KChart document
  757. >>>58 string kformula KFormula document
  758. >>>58 string kivio Kivio document
  759. >>>58 string kontour Kontour document
  760. >>>58 string kpresenter KPresenter document
  761. >>>58 string kspread KSpread document
  762. >>>58 string kword KWord document
  763. # OpenOffice formats (for OpenOffice 1.x / StarOffice 6/7)
  764. # (mimetype contains "application/vnd.sun.xml.<SUBTYPE>")
  765. >>50 string vnd.sun.xml. OpenOffice.org 1.x
  766. >>>62 string writer Writer
  767. >>>>68 byte !0x2e document
  768. >>>>68 string .template template
  769. >>>>68 string .global global document
  770. >>>62 string calc Calc
  771. >>>>66 byte !0x2e spreadsheet
  772. >>>>66 string .template template
  773. >>>62 string draw Draw
  774. >>>>66 byte !0x2e document
  775. >>>>66 string .template template
  776. >>>62 string impress Impress
  777. >>>>69 byte !0x2e presentation
  778. >>>>69 string .template template
  779. >>>62 string math Math document
  780. >>>62 string base Database file
  781. # OpenDocument formats (for OpenOffice 2.x / StarOffice >= 8)
  782. # http://lists.oasis-open.org/archives/office/200505/msg00006.html
  783. # (mimetype contains "application/vnd.oasis.opendocument.<SUBTYPE>")
  784. >>50 string vnd.oasis.opendocument. OpenDocument
  785. >>>73 string text
  786. >>>>77 byte !0x2d Text
  787. !:mime application/vnd.oasis.opendocument.text
  788. >>>>77 string -template Text Template
  789. !:mime application/vnd.oasis.opendocument.text-template
  790. >>>>77 string -web HTML Document Template
  791. !:mime application/vnd.oasis.opendocument.text-web
  792. >>>>77 string -master Master Document
  793. !:mime application/vnd.oasis.opendocument.text-master
  794. >>>73 string graphics
  795. >>>>81 byte !0x2d Drawing
  796. !:mime application/vnd.oasis.opendocument.graphics
  797. >>>>81 string -template Template
  798. !:mime application/vnd.oasis.opendocument.graphics-template
  799. >>>73 string presentation
  800. >>>>85 byte !0x2d Presentation
  801. !:mime application/vnd.oasis.opendocument.presentation
  802. >>>>85 string -template Template
  803. !:mime application/vnd.oasis.opendocument.presentation-template
  804. >>>73 string spreadsheet
  805. >>>>84 byte !0x2d Spreadsheet
  806. !:mime application/vnd.oasis.opendocument.spreadsheet
  807. >>>>84 string -template Template
  808. !:mime application/vnd.oasis.opendocument.spreadsheet-template
  809. >>>73 string chart
  810. >>>>78 byte !0x2d Chart
  811. !:mime application/vnd.oasis.opendocument.chart
  812. >>>>78 string -template Template
  813. !:mime application/vnd.oasis.opendocument.chart-template
  814. >>>73 string formula
  815. >>>>80 byte !0x2d Formula
  816. !:mime application/vnd.oasis.opendocument.formula
  817. >>>>80 string -template Template
  818. !:mime application/vnd.oasis.opendocument.formula-template
  819. >>>73 string database Database
  820. !:mime application/vnd.oasis.opendocument.database
  821. >>>73 string image
  822. >>>>78 byte !0x2d Image
  823. !:mime application/vnd.oasis.opendocument.image
  824. >>>>78 string -template Template
  825. !:mime application/vnd.oasis.opendocument.image-template
  826. # EPUB (OEBPS) books using OCF (OEBPS Container Format)
  827. # http://www.idpf.org/ocf/ocf1.0/download/ocf10.htm, section 4.
  828. # From: Ralf Brown <ralf.brown@gmail.com>
  829. >>50 string epub+zip EPUB document
  830. !:mime application/epub+zip
  831. # Catch other ZIP-with-mimetype formats
  832. # In a ZIP file, the bytes immediately after a member's contents are
  833. # always "PK". The 2 regex rules here print the "mimetype" member's
  834. # contents up to the first 'P'. Luckily, most MIME types don't contain
  835. # any capital 'P's. This is a kludge.
  836. # (mimetype contains "application/<OTHER>")
  837. >>50 string !epub+zip
  838. >>>50 string !vnd.oasis.opendocument.
  839. >>>>50 string !vnd.sun.xml.
  840. >>>>>50 string !vnd.kde.
  841. >>>>>>38 regex [!-OQ-~]+ Zip data (MIME type "%s"?)
  842. !:mime application/zip
  843. # (mimetype contents other than "application/*")
  844. >26 string \x8\0\0\0mimetype
  845. >>38 string !application/
  846. >>>38 regex [!-OQ-~]+ Zip data (MIME type "%s"?)
  847. !:mime application/zip
  848. # Java Jar files
  849. >(26.s+30) leshort 0xcafe Java archive data (JAR)
  850. !:mime application/java-archive
  851. # iOS App
  852. >(26.s+30) leshort !0xcafe
  853. >>26 string !\x8\0\0\0mimetype
  854. >>>30 string Payload/
  855. >>>>38 search/64 .app/ iOS App
  856. !:mime application/x-ios-app
  857. # Generic zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)
  858. # Next line excludes specialized formats:
  859. >(26.s+30) leshort !0xcafe
  860. >>26 string !\x8\0\0\0mimetype Zip archive data
  861. !:mime application/zip
  862. >>>4 byte 0x09 \b, at least v0.9 to extract
  863. >>>4 byte 0x0a \b, at least v1.0 to extract
  864. >>>4 byte 0x0b \b, at least v1.1 to extract
  865. >>>4 byte 0x14 \b, at least v2.0 to extract
  866. >>>4 byte 0x2d \b, at least v4.5 to extract
  867. >>>0x161 string WINZIP \b, WinZIP self-extracting
  868. # StarView Metafile
  869. # From Pierre Ducroquet <pinaraf@pinaraf.info>
  870. 0 string VCLMTF StarView MetaFile
  871. >6 beshort x \b, version %d
  872. >8 belong x \b, size %d
  873. # Zoo archiver
  874. 20 lelong 0xfdc4a7dc Zoo archive data
  875. !:mime application/x-zoo
  876. >4 byte >48 \b, v%c.
  877. >>6 byte >47 \b%c
  878. >>>7 byte >47 \b%c
  879. >32 byte >0 \b, modify: v%d
  880. >>33 byte x \b.%d+
  881. >42 lelong 0xfdc4a7dc \b,
  882. >>70 byte >0 extract: v%d
  883. >>>71 byte x \b.%d+
  884. # Shell archives
  885. 10 string #\ This\ is\ a\ shell\ archive shell archive text
  886. !:mime application/octet-stream
  887. #
  888. # LBR. NB: May conflict with the questionable
  889. # "binary Computer Graphics Metafile" format.
  890. #
  891. 0 string \0\ \ \ \ \ \ \ \ \ \ \ \0\0 LBR archive data
  892. #
  893. # PMA (CP/M derivative of LHA)
  894. # Update: Joerg Jenderek
  895. # URL: https://en.wikipedia.org/wiki/LHA_(file_format)
  896. #
  897. #2 string -pm0- PMarc archive data [pm0]
  898. 2 string -pm0-
  899. >0 use lharc-file
  900. #2 string -pm1- PMarc archive data [pm1]
  901. 2 string -pm1-
  902. >0 use lharc-file
  903. #2 string -pm2- PMarc archive data [pm2]
  904. 2 string -pm2-
  905. >0 use lharc-file
  906. 2 string -pms- PMarc SFX archive (CP/M, DOS)
  907. #!:mime application/x-foobar-exec
  908. !:ext com
  909. 5 string -pc1- PopCom compressed executable (CP/M)
  910. #!:mime application/x-
  911. #!:ext com
  912. # From Rafael Laboissiere <rafael@laboissiere.net>
  913. # The Project Revision Control System (see
  914. # http://prcs.sourceforge.net) generates a packaged project
  915. # file which is recognized by the following entry:
  916. 0 leshort 0xeb81 PRCS packaged project
  917. # Microsoft cabinets
  918. # by David Necas (Yeti) <yeti@physics.muni.cz>
  919. #0 string MSCF\0\0\0\0 Microsoft cabinet file data,
  920. #>25 byte x v%d
  921. #>24 byte x \b.%d
  922. # MPi: All CABs have version 1.3, so this is pointless.
  923. # Better magic in debian-additions.
  924. # GTKtalog catalogs
  925. # by David Necas (Yeti) <yeti@physics.muni.cz>
  926. 4 string gtktalog\ GTKtalog catalog data,
  927. >13 string 3 version 3
  928. >>14 beshort 0x677a (gzipped)
  929. >>14 beshort !0x677a (not gzipped)
  930. >13 string >3 version %s
  931. ############################################################################
  932. # Parity archive reconstruction file, the 'par' file format now used on Usenet.
  933. 0 string PAR\0 PARity archive data
  934. >48 leshort =0 - Index file
  935. >48 leshort >0 - file number %d
  936. # Felix von Leitner <felix-file@fefe.de>
  937. 0 string d8:announce BitTorrent file
  938. !:mime application/x-bittorrent
  939. # Durval Menezes, <jmgthbfile at durval dot com>
  940. 0 string d13:announce-list BitTorrent file
  941. !:mime application/x-bittorrent
  942. # Atari MSA archive - Teemu Hukkanen <tjhukkan@iki.fi>
  943. 0 beshort 0x0e0f Atari MSA archive data
  944. >2 beshort x \b, %d sectors per track
  945. >4 beshort 0 \b, 1 sided
  946. >4 beshort 1 \b, 2 sided
  947. >6 beshort x \b, starting track: %d
  948. >8 beshort x \b, ending track: %d
  949. # Alternate ZIP string (amc@arwen.cs.berkeley.edu)
  950. 0 string PK00PK\003\004 Zip archive data
  951. # ACE archive (from http://www.wotsit.org/download.asp?f=ace)
  952. # by Stefan `Sec` Zehl <sec@42.org>
  953. 7 string **ACE** ACE archive data
  954. >15 byte >0 version %d
  955. >16 byte =0x00 \b, from MS-DOS
  956. >16 byte =0x01 \b, from OS/2
  957. >16 byte =0x02 \b, from Win/32
  958. >16 byte =0x03 \b, from Unix
  959. >16 byte =0x04 \b, from MacOS
  960. >16 byte =0x05 \b, from WinNT
  961. >16 byte =0x06 \b, from Primos
  962. >16 byte =0x07 \b, from AppleGS
  963. >16 byte =0x08 \b, from Atari
  964. >16 byte =0x09 \b, from Vax/VMS
  965. >16 byte =0x0A \b, from Amiga
  966. >16 byte =0x0B \b, from Next
  967. >14 byte x \b, version %d to extract
  968. >5 leshort &0x0080 \b, multiple volumes,
  969. >>17 byte x \b (part %d),
  970. >5 leshort &0x0002 \b, contains comment
  971. >5 leshort &0x0200 \b, sfx
  972. >5 leshort &0x0400 \b, small dictionary
  973. >5 leshort &0x0800 \b, multi-volume
  974. >5 leshort &0x1000 \b, contains AV-String
  975. >>30 string \x16*UNREGISTERED\x20VERSION* (unregistered)
  976. >5 leshort &0x2000 \b, with recovery record
  977. >5 leshort &0x4000 \b, locked
  978. >5 leshort &0x8000 \b, solid
  979. # Date in MS-DOS format (whatever that is)
  980. #>18 lelong x Created on
  981. # sfArk : compression program for Soundfonts (sf2) by Dirk Jagdmann
  982. # <doj@cubic.org>
  983. 0x1A string sfArk sfArk compressed Soundfont
  984. >0x15 string 2
  985. >>0x1 string >\0 Version %s
  986. >>0x2A string >\0 : %s
  987. # DR-DOS 7.03 Packed File *.??_
  988. 0 string Packed\ File\ Personal NetWare Packed File
  989. >12 string x \b, was "%.12s"
  990. # EET archive
  991. # From: Tilman Sauerbeck <tilman@code-monkey.de>
  992. 0 belong 0x1ee7ff00 EET archive
  993. !:mime application/x-eet
  994. # rzip archives
  995. 0 string RZIP rzip compressed data
  996. >4 byte x - version %d
  997. >5 byte x \b.%d
  998. >6 belong x (%d bytes)
  999. # From: "Robert Dale" <robdale@gmail.com>
  1000. 0 belong 123 dar archive,
  1001. >4 belong x label "%.8x
  1002. >>8 belong x %.8x
  1003. >>>12 beshort x %.4x"
  1004. >14 byte 0x54 end slice
  1005. >14 beshort 0x4e4e multi-part
  1006. >14 beshort 0x4e53 multi-part, with -S
  1007. # Symbian installation files
  1008. # http://www.thouky.co.uk/software/psifs/sis.html
  1009. # http://developer.symbian.com/main/downloads/papers/SymbianOSv91/softwareinstallsis.pdf
  1010. 8 lelong 0x10000419 Symbian installation file
  1011. !:mime application/vnd.symbian.install
  1012. >4 lelong 0x1000006D (EPOC release 3/4/5)
  1013. >4 lelong 0x10003A12 (EPOC release 6)
  1014. 0 lelong 0x10201A7A Symbian installation file (Symbian OS 9.x)
  1015. !:mime x-epoc/x-sisx-app
  1016. # From "Nelson A. de Oliveira" <naoliv@gmail.com>
  1017. 0 string MPQ\032 MoPaQ (MPQ) archive
  1018. # From: "Nelson A. de Oliveira" <naoliv@gmail.com>
  1019. # .kgb
  1020. 0 string KGB_arch KGB Archiver file
  1021. >10 string x with compression level %.1s
  1022. # xar (eXtensible ARchiver) archive
  1023. # xar archive format: http://code.google.com/p/xar/
  1024. # From: "David Remahl" <dremahl@apple.com>
  1025. 0 string xar! xar archive
  1026. !:mime application/x-xar
  1027. #>4 beshort x header size %d
  1028. >6 beshort x version %d,
  1029. #>8 quad x compressed TOC: %d,
  1030. #>16 quad x uncompressed TOC: %d,
  1031. >24 belong 0 no checksum
  1032. >24 belong 1 SHA-1 checksum
  1033. >24 belong 2 MD5 checksum
  1034. # Type: Parity Archive
  1035. # From: Daniel van Eeden <daniel_e@dds.nl>
  1036. 0 string PAR2 Parity Archive Volume Set
  1037. # Bacula volume format. (Volumes always start with a block header.)
  1038. # URL: http://bacula.org/3.0.x-manuals/en/developers/developers/Block_Header.html
  1039. # From: Adam Buchbinder <adam.buchbinder@gmail.com>
  1040. 12 string BB02 Bacula volume
  1041. >20 bedate x \b, started %s
  1042. # ePub is XHTML + XML inside a ZIP archive. The first member of the
  1043. # archive must be an uncompressed file called 'mimetype' with contents
  1044. # 'application/epub+zip'
  1045. # From: "Michael Gorny" <mgorny@gentoo.org>
  1046. # ZPAQ: http://mattmahoney.net/dc/zpaq.html
  1047. 0 string zPQ ZPAQ stream
  1048. >3 byte x \b, level %d
  1049. # From: Barry Carter <carter.barry@gmail.com>
  1050. # http://encode.ru/threads/456-zpaq-updates/page32
  1051. 0 string 7kSt ZPAQ file
  1052. # BBeB ebook, unencrypted (LRF format)
  1053. # URL: http://www.sven.de/librie/Librie/LrfFormat
  1054. # From: Adam Buchbinder <adam.buchbinder@gmail.com>
  1055. 0 string L\0R\0F\0\0\0 BBeB ebook data, unencrypted
  1056. >8 beshort x \b, version %d
  1057. >36 byte 1 \b, front-to-back
  1058. >36 byte 16 \b, back-to-front
  1059. >42 beshort x \b, (%dx,
  1060. >44 beshort x %d)
  1061. # Symantec GHOST image by Joerg Jenderek at May 2014
  1062. # http://us.norton.com/ghost/
  1063. # http://www.garykessler.net/library/file_sigs.html
  1064. 0 ubelong&0xFFFFf7f0 0xFEEF0100 Norton GHost image
  1065. # *.GHO
  1066. >2 ubyte&0x08 0x00 \b, first file
  1067. # *.GHS or *.[0-9] with cns program option
  1068. >2 ubyte&0x08 0x08 \b, split file
  1069. # part of split index interesting for *.ghs
  1070. >>4 ubyte x id=0x%x
  1071. # compression tag minus one equals numeric compression command line switch z[1-9]
  1072. >3 ubyte 0 \b, no compression
  1073. >3 ubyte 2 \b, fast compression (Z1)
  1074. >3 ubyte 3 \b, medium compression (Z2)
  1075. >3 ubyte >3
  1076. >>3 ubyte <11 \b, compression (Z%d-1)
  1077. >2 ubyte&0x08 0x00
  1078. # ~ 30 byte password field only for *.gho
  1079. >>12 ubequad !0 \b, password protected
  1080. >>44 ubyte !1
  1081. # 1~Image All, sector-by-sector only for *.gho
  1082. >>>10 ubyte 1 \b, sector copy
  1083. # 1~Image Boot track only for *.gho
  1084. >>>43 ubyte 1 \b, boot track
  1085. # 1~Image Disc only for *.gho implies Image Boot track and sector copy
  1086. >>44 ubyte 1 \b, disc sector copy
  1087. # optional image description only *.gho
  1088. >>0xff string >\0 "%-.254s"
  1089. # look for DOS sector end sequence
  1090. >0xE08 search/7776 \x55\xAA
  1091. >>&-512 indirect x \b; contains
  1092. # Google Chrome extensions
  1093. # https://developer.chrome.com/extensions/crx
  1094. # https://developer.chrome.com/extensions/hosting
  1095. 0 string Cr24 Google Chrome extension
  1096. !:mime application/x-chrome-extension
  1097. >4 ulong x \b, version %u