archive 30 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956
  1. #------------------------------------------------------------------------------
  2. # $File: archive,v 1.88 2014/08/16 10:42:17 christos Exp $
  3. # archive: file(1) magic for archive formats (see also "msdos" for self-
  4. # extracting compressed archives)
  5. #
  6. # cpio, ar, arc, arj, hpack, lha/lharc, rar, squish, uc2, zip, zoo, etc.
  7. # pre-POSIX "tar" archives are handled in the C code.
  8. # POSIX tar archives
  9. 257 string ustar\0 POSIX tar archive
  10. !:mime application/x-tar # encoding: posix
  11. 257 string ustar\040\040\0 GNU tar archive
  12. !:mime application/x-tar # encoding: gnu
  13. # Incremental snapshot gnu-tar format from:
  14. # http://www.gnu.org/software/tar/manual/html_node/Snapshot-Files.html
  15. 0 string GNU\ tar- GNU tar incremental snapshot data
  16. >&0 regex [0-9]\.[0-9]+-[0-9]+ version %s
  17. # cpio archives
  18. #
  19. # Yes, the top two "cpio archive" formats *are* supposed to just be "short".
  20. # The idea is to indicate archives produced on machines with the same
  21. # byte order as the machine running "file" with "cpio archive", and
  22. # to indicate archives produced on machines with the opposite byte order
  23. # from the machine running "file" with "byte-swapped cpio archive".
  24. #
  25. # The SVR4 "cpio(4)" hints that there are additional formats, but they
  26. # are defined as "short"s; I think all the new formats are
  27. # character-header formats and thus are strings, not numbers.
  28. 0 short 070707 cpio archive
  29. !:mime application/x-cpio
  30. 0 short 0143561 byte-swapped cpio archive
  31. !:mime application/x-cpio # encoding: swapped
  32. 0 string 070707 ASCII cpio archive (pre-SVR4 or odc)
  33. 0 string 070701 ASCII cpio archive (SVR4 with no CRC)
  34. 0 string 070702 ASCII cpio archive (SVR4 with CRC)
  35. #
  36. # Various archive formats used by various versions of the "ar"
  37. # command.
  38. #
  39. #
  40. # Original UNIX archive formats.
  41. # They were written with binary values in host byte order, and
  42. # the magic number was a host "int", which might have been 16 bits
  43. # or 32 bits. We don't say "PDP-11" or "VAX", as there might have
  44. # been ports to little-endian 16-bit-int or 32-bit-int platforms
  45. # (x86?) using some of those formats; if none existed, feel free
  46. # to use "PDP-11" for little-endian 16-bit and "VAX" for little-endian
  47. # 32-bit. There might have been big-endian ports of that sort as
  48. # well.
  49. #
  50. 0 leshort 0177555 very old 16-bit-int little-endian archive
  51. 0 beshort 0177555 very old 16-bit-int big-endian archive
  52. 0 lelong 0177555 very old 32-bit-int little-endian archive
  53. 0 belong 0177555 very old 32-bit-int big-endian archive
  54. 0 leshort 0177545 old 16-bit-int little-endian archive
  55. >2 string __.SYMDEF random library
  56. 0 beshort 0177545 old 16-bit-int big-endian archive
  57. >2 string __.SYMDEF random library
  58. 0 lelong 0177545 old 32-bit-int little-endian archive
  59. >4 string __.SYMDEF random library
  60. 0 belong 0177545 old 32-bit-int big-endian archive
  61. >4 string __.SYMDEF random library
  62. #
  63. # From "pdp" (but why a 4-byte quantity?)
  64. #
  65. 0 lelong 0x39bed PDP-11 old archive
  66. 0 lelong 0x39bee PDP-11 4.0 archive
  67. #
  68. # XXX - what flavor of APL used this, and was it a variant of
  69. # some ar archive format? It's similar to, but not the same
  70. # as, the APL workspace magic numbers in pdp.
  71. #
  72. 0 long 0100554 apl workspace
  73. #
  74. # System V Release 1 portable(?) archive format.
  75. #
  76. 0 string =<ar> System V Release 1 ar archive
  77. !:mime application/x-archive
  78. #
  79. # Debian package; it's in the portable archive format, and needs to go
  80. # before the entry for regular portable archives, as it's recognized as
  81. # a portable archive whose first member has a name beginning with
  82. # "debian".
  83. #
  84. 0 string =!<arch>\ndebian
  85. >8 string debian-split part of multipart Debian package
  86. !:mime application/vnd.debian.binary-package
  87. >8 string debian-binary Debian binary package
  88. !:mime application/vnd.debian.binary-package
  89. >8 string !debian
  90. >68 string >\0 (format %s)
  91. # These next two lines do not work, because a bzip2 Debian archive
  92. # still uses gzip for the control.tar (first in the archive). Only
  93. # data.tar varies, and the location of its filename varies too.
  94. # file/libmagic does not current have support for ascii-string based
  95. # (offsets) as of 2005-09-15.
  96. #>81 string bz2 \b, uses bzip2 compression
  97. #>84 string gz \b, uses gzip compression
  98. #>136 ledate x created: %s
  99. #
  100. # MIPS archive; they're in the portable archive format, and need to go
  101. # before the entry for regular portable archives, as it's recognized as
  102. # a portable archive whose first member has a name beginning with
  103. # "__________E".
  104. #
  105. 0 string =!<arch>\n__________E MIPS archive
  106. !:mime application/x-archive
  107. >20 string U with MIPS Ucode members
  108. >21 string L with MIPSEL members
  109. >21 string B with MIPSEB members
  110. >19 string L and an EL hash table
  111. >19 string B and an EB hash table
  112. >22 string X -- out of date
  113. 0 search/1 -h- Software Tools format archive text
  114. #
  115. # BSD/SVR2-and-later portable archive formats.
  116. #
  117. 0 string =!<arch> current ar archive
  118. !:mime application/x-archive
  119. >8 string __.SYMDEF random library
  120. >68 string __.SYMDEF\ SORTED random library
  121. #
  122. # "Thin" archive, as can be produced by GNU ar.
  123. #
  124. 0 string =!<thin>\n thin archive with
  125. >68 belong 0 no symbol entries
  126. >68 belong 1 %d symbol entry
  127. >68 belong >1 %d symbol entries
  128. # ARC archiver, from Daniel Quinlan (quinlan@yggdrasil.com)
  129. #
  130. # The first byte is the magic (0x1a), byte 2 is the compression type for
  131. # the first file (0x01 through 0x09), and bytes 3 to 15 are the MS-DOS
  132. # filename of the first file (null terminated). Since some types collide
  133. # we only test some types on basis of frequency: 0x08 (83%), 0x09 (5%),
  134. # 0x02 (5%), 0x03 (3%), 0x04 (2%), 0x06 (2%). 0x01 collides with terminfo.
  135. 0 lelong&0x8080ffff 0x0000081a ARC archive data, dynamic LZW
  136. !:mime application/x-arc
  137. 0 lelong&0x8080ffff 0x0000091a ARC archive data, squashed
  138. !:mime application/x-arc
  139. 0 lelong&0x8080ffff 0x0000021a ARC archive data, uncompressed
  140. !:mime application/x-arc
  141. 0 lelong&0x8080ffff 0x0000031a ARC archive data, packed
  142. !:mime application/x-arc
  143. 0 lelong&0x8080ffff 0x0000041a ARC archive data, squeezed
  144. !:mime application/x-arc
  145. 0 lelong&0x8080ffff 0x0000061a ARC archive data, crunched
  146. !:mime application/x-arc
  147. # [JW] stuff taken from idarc, obviously ARC successors:
  148. 0 lelong&0x8080ffff 0x00000a1a PAK archive data
  149. !:mime application/x-arc
  150. 0 lelong&0x8080ffff 0x0000141a ARC+ archive data
  151. !:mime application/x-arc
  152. 0 lelong&0x8080ffff 0x0000481a HYP archive data
  153. !:mime application/x-arc
  154. # Acorn archive formats (Disaster prone simpleton, m91dps@ecs.ox.ac.uk)
  155. # I can't create either SPARK or ArcFS archives so I have not tested this stuff
  156. # [GRR: the original entries collide with ARC, above; replaced with combined
  157. # version (not tested)]
  158. #0 byte 0x1a RISC OS archive (spark format)
  159. 0 string \032archive RISC OS archive (ArcFS format)
  160. 0 string Archive\000 RISC OS archive (ArcFS format)
  161. # All these were taken from idarc, many could not be verified. Unfortunately,
  162. # there were many low-quality sigs, i.e. easy to trigger false positives.
  163. # Please notify me of any real-world fishy/ambiguous signatures and I'll try
  164. # to get my hands on the actual archiver and see if I find something better. [JW]
  165. # probably many can be enhanced by finding some 0-byte or control char near the start
  166. # idarc calls this Crush/Uncompressed... *shrug*
  167. 0 string CRUSH Crush archive data
  168. # Squeeze It (.sqz)
  169. 0 string HLSQZ Squeeze It archive data
  170. # SQWEZ
  171. 0 string SQWEZ SQWEZ archive data
  172. # HPack (.hpk)
  173. 0 string HPAK HPack archive data
  174. # HAP
  175. 0 string \x91\x33HF HAP archive data
  176. # MD/MDCD
  177. 0 string MDmd MDCD archive data
  178. # LIM
  179. 0 string LIM\x1a LIM archive data
  180. # SAR
  181. 3 string LH5 SAR archive data
  182. # BSArc/BS2
  183. 0 string \212\3SB\020\0 BSArc/BS2 archive data
  184. # Bethesda Softworks Archive (Oblivion)
  185. 0 string BSA\0 BSArc archive data
  186. >4 lelong x version %d
  187. # MAR
  188. 2 string =-ah MAR archive data
  189. # ACB
  190. #0 belong&0x00f800ff 0x00800000 ACB archive data
  191. # CPZ
  192. # TODO, this is what idarc says: 0 string \0\0\0 CPZ archive data
  193. # JRC
  194. 0 string JRchive JRC archive data
  195. # Quantum
  196. 0 string DS\0 Quantum archive data
  197. # ReSOF
  198. 0 string PK\3\6 ReSOF archive data
  199. # QuArk
  200. 0 string 7\4 QuArk archive data
  201. # YAC
  202. 14 string YC YAC archive data
  203. # X1
  204. 0 string X1 X1 archive data
  205. 0 string XhDr X1 archive data
  206. # CDC Codec (.dqt)
  207. 0 belong&0xffffe000 0x76ff2000 CDC Codec archive data
  208. # AMGC
  209. 0 string \xad6" AMGC archive data
  210. # NuLIB
  211. 0 string N\xc3\xb5F\xc3\xa9lx\xc3\xa5 NuLIB archive data
  212. # PakLeo
  213. 0 string LEOLZW PAKLeo archive data
  214. # ChArc
  215. 0 string SChF ChArc archive data
  216. # PSA
  217. 0 string PSA PSA archive data
  218. # CrossePAC
  219. 0 string DSIGDCC CrossePAC archive data
  220. # Freeze
  221. 0 string \x1f\x9f\x4a\x10\x0a Freeze archive data
  222. # KBoom
  223. 0 string \xc2\xa8MP\xc2\xa8 KBoom archive data
  224. # NSQ, must go after CDC Codec
  225. 0 string \x76\xff NSQ archive data
  226. # DPA
  227. 0 string Dirk\ Paehl DPA archive data
  228. # BA
  229. # TODO: idarc says "bytes 0-2 == bytes 3-5"
  230. # TTComp
  231. 0 string \0\6 TTComp archive data
  232. # ESP, could this conflict with Easy Software Products' (e.g.ESP ghostscript) documentation?
  233. 0 string ESP ESP archive data
  234. # ZPack
  235. 0 string \1ZPK\1 ZPack archive data
  236. # Sky
  237. 0 string \xbc\x40 Sky archive data
  238. # UFA
  239. 0 string UFA UFA archive data
  240. # Dry
  241. 0 string =-H2O DRY archive data
  242. # FoxSQZ
  243. 0 string FOXSQZ FoxSQZ archive data
  244. # AR7
  245. 0 string ,AR7 AR7 archive data
  246. # PPMZ
  247. 0 string PPMZ PPMZ archive data
  248. # MS Compress
  249. 4 string \x88\xf0\x27 MS Compress archive data
  250. # updated by Joerg Jenderek
  251. >9 string \0
  252. >>0 string KWAJ
  253. >>>7 string \321\003 MS Compress archive data
  254. >>>>14 ulong >0 \b, original size: %d bytes
  255. >>>>18 ubyte >0x65
  256. >>>>>18 string x \b, was %.8s
  257. >>>>>(10.b-4) string x \b.%.3s
  258. # MP3 (archiver, not lossy audio compression)
  259. 0 string MP3\x1a MP3-Archiver archive data
  260. # ZET
  261. 0 string OZ\xc3\x9d ZET archive data
  262. # TSComp
  263. 0 string \x65\x5d\x13\x8c\x08\x01\x03\x00 TSComp archive data
  264. # ARQ
  265. 0 string gW\4\1 ARQ archive data
  266. # Squash
  267. 3 string OctSqu Squash archive data
  268. # Terse
  269. 0 string \5\1\1\0 Terse archive data
  270. # PUCrunch
  271. 0 string \x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 PUCrunch archive data
  272. # UHarc
  273. 0 string UHA UHarc archive data
  274. # ABComp
  275. 0 string \2AB ABComp archive data
  276. 0 string \3AB2 ABComp archive data
  277. # CMP
  278. 0 string CO\0 CMP archive data
  279. # Splint
  280. 0 string \x93\xb9\x06 Splint archive data
  281. # InstallShield
  282. 0 string \x13\x5d\x65\x8c InstallShield Z archive Data
  283. # Gather
  284. 1 string GTH Gather archive data
  285. # BOA
  286. 0 string BOA BOA archive data
  287. # RAX
  288. 0 string ULEB\xa RAX archive data
  289. # Xtreme
  290. 0 string ULEB\0 Xtreme archive data
  291. # Pack Magic
  292. 0 string @\xc3\xa2\1\0 Pack Magic archive data
  293. # BTS
  294. 0 belong&0xfeffffff 0x1a034465 BTS archive data
  295. # ELI 5750
  296. 0 string Ora\ ELI 5750 archive data
  297. # QFC
  298. 0 string \x1aFC\x1a QFC archive data
  299. 0 string \x1aQF\x1a QFC archive data
  300. # PRO-PACK
  301. 0 string RNC PRO-PACK archive data
  302. # 777
  303. 0 string 777 777 archive data
  304. # LZS221
  305. 0 string sTaC LZS221 archive data
  306. # HPA
  307. 0 string HPA HPA archive data
  308. # Arhangel
  309. 0 string LG Arhangel archive data
  310. # EXP1, uses bzip2
  311. 0 string 0123456789012345BZh EXP1 archive data
  312. # IMP
  313. 0 string IMP\xa IMP archive data
  314. # NRV
  315. 0 string \x00\x9E\x6E\x72\x76\xFF NRV archive data
  316. # Squish
  317. 0 string \x73\xb2\x90\xf4 Squish archive data
  318. # Par
  319. 0 string PHILIPP Par archive data
  320. 0 string PAR Par archive data
  321. # HIT
  322. 0 string UB HIT archive data
  323. # SBX
  324. 0 belong&0xfffff000 0x53423000 SBX archive data
  325. # NaShrink
  326. 0 string NSK NaShrink archive data
  327. # SAPCAR
  328. 0 string #\ CAR\ archive\ header SAPCAR archive data
  329. 0 string CAR\ 2.00RG SAPCAR archive data
  330. # Disintegrator
  331. 0 string DST Disintegrator archive data
  332. # ASD
  333. 0 string ASD ASD archive data
  334. # InstallShield CAB
  335. 0 string ISc( InstallShield CAB
  336. # TOP4
  337. 0 string T4\x1a TOP4 archive data
  338. # BatComp left out: sig looks like COM executable
  339. # so TODO: get real 4dos batcomp file and find sig
  340. # BlakHole
  341. 0 string BH\5\7 BlakHole archive data
  342. # BIX
  343. 0 string BIX0 BIX archive data
  344. # ChiefLZA
  345. 0 string ChfLZ ChiefLZA archive data
  346. # Blink
  347. 0 string Blink Blink archive data
  348. # Logitech Compress
  349. 0 string \xda\xfa Logitech Compress archive data
  350. # ARS-Sfx (FIXME: really a SFX? then goto COM/EXE)
  351. 1 string (C)\ STEPANYUK ARS-Sfx archive data
  352. # AKT/AKT32
  353. 0 string AKT32 AKT32 archive data
  354. 0 string AKT AKT archive data
  355. # NPack
  356. 0 string MSTSM NPack archive data
  357. # PFT
  358. 0 string \0\x50\0\x14 PFT archive data
  359. # SemOne
  360. 0 string SEM SemOne archive data
  361. # PPMD
  362. 0 string \x8f\xaf\xac\x84 PPMD archive data
  363. # FIZ
  364. 0 string FIZ FIZ archive data
  365. # MSXiE
  366. 0 belong&0xfffff0f0 0x4d530000 MSXiE archive data
  367. # DeepFreezer
  368. 0 belong&0xfffffff0 0x797a3030 DeepFreezer archive data
  369. # DC
  370. 0 string =<DC- DC archive data
  371. # TPac
  372. 0 string \4TPAC\3 TPac archive data
  373. # Ai
  374. 0 string Ai\1\1\0 Ai archive data
  375. 0 string Ai\1\0\0 Ai archive data
  376. # Ai32
  377. 0 string Ai\2\0 Ai32 archive data
  378. 0 string Ai\2\1 Ai32 archive data
  379. # SBC
  380. 0 string SBC SBC archive data
  381. # Ybs
  382. 0 string YBS Ybs archive data
  383. # DitPack
  384. 0 string \x9e\0\0 DitPack archive data
  385. # DMS
  386. 0 string DMS! DMS archive data
  387. # EPC
  388. 0 string \x8f\xaf\xac\x8c EPC archive data
  389. # VSARC
  390. 0 string VS\x1a VSARC archive data
  391. # PDZ
  392. 0 string PDZ PDZ archive data
  393. # ReDuq
  394. 0 string rdqx ReDuq archive data
  395. # GCA
  396. 0 string GCAX GCA archive data
  397. # PPMN
  398. 0 string pN PPMN archive data
  399. # WinImage
  400. 3 string WINIMAGE WinImage archive data
  401. # Compressia
  402. 0 string CMP0CMP Compressia archive data
  403. # UHBC
  404. 0 string UHB UHBC archive data
  405. # WinHKI
  406. 0 string \x61\x5C\x04\x05 WinHKI archive data
  407. # WWPack data file
  408. 0 string WWP WWPack archive data
  409. # BSN (BSA, PTS-DOS)
  410. 0 string \xffBSG BSN archive data
  411. 1 string \xffBSG BSN archive data
  412. 3 string \xffBSG BSN archive data
  413. 1 string \0\xae\2 BSN archive data
  414. 1 string \0\xae\3 BSN archive data
  415. 1 string \0\xae\7 BSN archive data
  416. # AIN
  417. 0 string \x33\x18 AIN archive data
  418. 0 string \x33\x17 AIN archive data
  419. # XPA32
  420. 0 string xpa\0\1 XPA32 archive data
  421. # SZip (TODO: doesn't catch all versions)
  422. 0 string SZ\x0a\4 SZip archive data
  423. # XPack DiskImage
  424. 0 string jm XPack DiskImage archive data
  425. # XPack Data
  426. 0 string xpa XPack archive data
  427. # XPack Single Data
  428. 0 string \xc3\x8d\ jm XPack single archive data
  429. # TODO: missing due to unknown magic/magic at end of file:
  430. #DWC
  431. #ARG
  432. #ZAR
  433. #PC/3270
  434. #InstallIt
  435. #RKive
  436. #RK
  437. #XPack Diskimage
  438. # These were inspired by idarc, but actually verified
  439. # Dzip archiver (.dz)
  440. 0 string DZ Dzip archive data
  441. >2 byte x \b, version %i
  442. >3 byte x \b.%i
  443. # ZZip archiver (.zz)
  444. 0 string ZZ\ \0\0 ZZip archive data
  445. 0 string ZZ0 ZZip archive data
  446. # PAQ archiver (.paq)
  447. 0 string \xaa\x40\x5f\x77\x1f\xe5\x82\x0d PAQ archive data
  448. 0 string PAQ PAQ archive data
  449. >3 byte&0xf0 0x30
  450. >>3 byte x (v%c)
  451. # JAR archiver (.j), this is the successor to ARJ, not Java's JAR (which is essentially ZIP)
  452. 0xe string \x1aJar\x1b JAR (ARJ Software, Inc.) archive data
  453. 0 string JARCS JAR (ARJ Software, Inc.) archive data
  454. # ARJ archiver (jason@jarthur.Claremont.EDU)
  455. 0 leshort 0xea60 ARJ archive data
  456. !:mime application/x-arj
  457. >5 byte x \b, v%d,
  458. >8 byte &0x04 multi-volume,
  459. >8 byte &0x10 slash-switched,
  460. >8 byte &0x20 backup,
  461. >34 string x original name: %s,
  462. >7 byte 0 os: MS-DOS
  463. >7 byte 1 os: PRIMOS
  464. >7 byte 2 os: Unix
  465. >7 byte 3 os: Amiga
  466. >7 byte 4 os: Macintosh
  467. >7 byte 5 os: OS/2
  468. >7 byte 6 os: Apple ][ GS
  469. >7 byte 7 os: Atari ST
  470. >7 byte 8 os: NeXT
  471. >7 byte 9 os: VAX/VMS
  472. >3 byte >0 %d]
  473. # [JW] idarc says this is also possible
  474. 2 leshort 0xea60 ARJ archive data
  475. # HA archiver (Greg Roelofs, newt@uchicago.edu)
  476. # This is a really bad format. A file containing HAWAII will match this...
  477. #0 string HA HA archive data,
  478. #>2 leshort =1 1 file,
  479. #>2 leshort >1 %hu files,
  480. #>4 byte&0x0f =0 first is type CPY
  481. #>4 byte&0x0f =1 first is type ASC
  482. #>4 byte&0x0f =2 first is type HSC
  483. #>4 byte&0x0f =0x0e first is type DIR
  484. #>4 byte&0x0f =0x0f first is type SPECIAL
  485. # suggestion: at least identify small archives (<1024 files)
  486. 0 belong&0xffff00fc 0x48410000 HA archive data
  487. >2 leshort =1 1 file,
  488. >2 leshort >1 %u files,
  489. >4 byte&0x0f =0 first is type CPY
  490. >4 byte&0x0f =1 first is type ASC
  491. >4 byte&0x0f =2 first is type HSC
  492. >4 byte&0x0f =0x0e first is type DIR
  493. >4 byte&0x0f =0x0f first is type SPECIAL
  494. # HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz)
  495. 0 string HPAK HPACK archive data
  496. # JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net
  497. 0 string \351,\001JAM\ JAM archive,
  498. >7 string >\0 version %.4s
  499. >0x26 byte =0x27 -
  500. >>0x2b string >\0 label %.11s,
  501. >>0x27 lelong x serial %08x,
  502. >>0x36 string >\0 fstype %.8s
  503. # LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu)
  504. 2 string -lh0- LHarc 1.x/ARX archive data [lh0]
  505. !:mime application/x-lharc
  506. 2 string -lh1- LHarc 1.x/ARX archive data [lh1]
  507. !:mime application/x-lharc
  508. 2 string -lz4- LHarc 1.x archive data [lz4]
  509. !:mime application/x-lharc
  510. 2 string -lz5- LHarc 1.x archive data [lz5]
  511. !:mime application/x-lharc
  512. # [never seen any but the last; -lh4- reported in comp.compression:]
  513. 2 string -lzs- LHa/LZS archive data [lzs]
  514. !:mime application/x-lha
  515. 2 string -lh\40- LHa 2.x? archive data [lh ]
  516. !:mime application/x-lha
  517. 2 string -lhd- LHa 2.x? archive data [lhd]
  518. !:mime application/x-lha
  519. 2 string -lh2- LHa 2.x? archive data [lh2]
  520. !:mime application/x-lha
  521. 2 string -lh3- LHa 2.x? archive data [lh3]
  522. !:mime application/x-lha
  523. 2 string -lh4- LHa (2.x) archive data [lh4]
  524. !:mime application/x-lha
  525. 2 string -lh5- LHa (2.x) archive data [lh5]
  526. !:mime application/x-lha
  527. 2 string -lh6- LHa (2.x) archive data [lh6]
  528. !:mime application/x-lha
  529. 2 string -lh7- LHa (2.x)/LHark archive data [lh7]
  530. !:mime application/x-lha
  531. >20 byte x - header level %d
  532. # taken from idarc [JW]
  533. 2 string -lZ PUT archive data
  534. 2 string -lz LZS archive data
  535. 2 string -sw1- Swag archive data
  536. # RAR archiver (Greg Roelofs, newt@uchicago.edu)
  537. 0 string Rar! RAR archive data,
  538. !:mime application/x-rar
  539. >44 byte x v%0x,
  540. >10 byte >0 flags:
  541. >>10 byte &0x01 Archive volume,
  542. >>10 byte &0x02 Commented,
  543. >>10 byte &0x04 Locked,
  544. >>10 byte &0x08 Solid,
  545. >>10 byte &0x20 Authenticated,
  546. >35 byte 0 os: MS-DOS
  547. >35 byte 1 os: OS/2
  548. >35 byte 2 os: Win32
  549. >35 byte 3 os: Unix
  550. # some old version? idarc says:
  551. 0 string RE\x7e\x5e RAR archive data
  552. # SQUISH archiver (Greg Roelofs, newt@uchicago.edu)
  553. 0 string SQSH squished archive data (Acorn RISCOS)
  554. # UC2 archiver (Greg Roelofs, newt@uchicago.edu)
  555. # [JW] see exe section for self-extracting version
  556. 0 string UC2\x1a UC2 archive data
  557. # PKZIP multi-volume archive
  558. 0 string PK\x07\x08PK\x03\x04 Zip multi-volume archive data, at least PKZIP v2.50 to extract
  559. !:mime application/zip
  560. # Zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)
  561. 0 string PK\005\006 Zip archive data (empty)
  562. 0 string PK\003\004
  563. # Specialised zip formats which start with a member named 'mimetype'
  564. # (stored uncompressed, with no 'extra field') containing the file's MIME type.
  565. # Check for have 8-byte name, 0-byte extra field, name "mimetype", and
  566. # contents starting with "application/":
  567. >26 string \x8\0\0\0mimetypeapplication/
  568. # KOffice / OpenOffice & StarOffice / OpenDocument formats
  569. # From: Abel Cheung <abel@oaka.org>
  570. # KOffice (1.2 or above) formats
  571. # (mimetype contains "application/vnd.kde.<SUBTYPE>")
  572. >>50 string vnd.kde. KOffice (>=1.2)
  573. >>>58 string karbon Karbon document
  574. >>>58 string kchart KChart document
  575. >>>58 string kformula KFormula document
  576. >>>58 string kivio Kivio document
  577. >>>58 string kontour Kontour document
  578. >>>58 string kpresenter KPresenter document
  579. >>>58 string kspread KSpread document
  580. >>>58 string kword KWord document
  581. # OpenOffice formats (for OpenOffice 1.x / StarOffice 6/7)
  582. # (mimetype contains "application/vnd.sun.xml.<SUBTYPE>")
  583. >>50 string vnd.sun.xml. OpenOffice.org 1.x
  584. >>>62 string writer Writer
  585. >>>>68 byte !0x2e document
  586. >>>>68 string .template template
  587. >>>>68 string .global global document
  588. >>>62 string calc Calc
  589. >>>>66 byte !0x2e spreadsheet
  590. >>>>66 string .template template
  591. >>>62 string draw Draw
  592. >>>>66 byte !0x2e document
  593. >>>>66 string .template template
  594. >>>62 string impress Impress
  595. >>>>69 byte !0x2e presentation
  596. >>>>69 string .template template
  597. >>>62 string math Math document
  598. >>>62 string base Database file
  599. # OpenDocument formats (for OpenOffice 2.x / StarOffice >= 8)
  600. # http://lists.oasis-open.org/archives/office/200505/msg00006.html
  601. # (mimetype contains "application/vnd.oasis.opendocument.<SUBTYPE>")
  602. >>50 string vnd.oasis.opendocument. OpenDocument
  603. >>>73 string text
  604. >>>>77 byte !0x2d Text
  605. !:mime application/vnd.oasis.opendocument.text
  606. >>>>77 string -template Text Template
  607. !:mime application/vnd.oasis.opendocument.text-template
  608. >>>>77 string -web HTML Document Template
  609. !:mime application/vnd.oasis.opendocument.text-web
  610. >>>>77 string -master Master Document
  611. !:mime application/vnd.oasis.opendocument.text-master
  612. >>>73 string graphics
  613. >>>>81 byte !0x2d Drawing
  614. !:mime application/vnd.oasis.opendocument.graphics
  615. >>>>81 string -template Template
  616. !:mime application/vnd.oasis.opendocument.graphics-template
  617. >>>73 string presentation
  618. >>>>85 byte !0x2d Presentation
  619. !:mime application/vnd.oasis.opendocument.presentation
  620. >>>>85 string -template Template
  621. !:mime application/vnd.oasis.opendocument.presentation-template
  622. >>>73 string spreadsheet
  623. >>>>84 byte !0x2d Spreadsheet
  624. !:mime application/vnd.oasis.opendocument.spreadsheet
  625. >>>>84 string -template Template
  626. !:mime application/vnd.oasis.opendocument.spreadsheet-template
  627. >>>73 string chart
  628. >>>>78 byte !0x2d Chart
  629. !:mime application/vnd.oasis.opendocument.chart
  630. >>>>78 string -template Template
  631. !:mime application/vnd.oasis.opendocument.chart-template
  632. >>>73 string formula
  633. >>>>80 byte !0x2d Formula
  634. !:mime application/vnd.oasis.opendocument.formula
  635. >>>>80 string -template Template
  636. !:mime application/vnd.oasis.opendocument.formula-template
  637. >>>73 string database Database
  638. !:mime application/vnd.oasis.opendocument.database
  639. >>>73 string image
  640. >>>>78 byte !0x2d Image
  641. !:mime application/vnd.oasis.opendocument.image
  642. >>>>78 string -template Template
  643. !:mime application/vnd.oasis.opendocument.image-template
  644. # EPUB (OEBPS) books using OCF (OEBPS Container Format)
  645. # http://www.idpf.org/ocf/ocf1.0/download/ocf10.htm, section 4.
  646. # From: Ralf Brown <ralf.brown@gmail.com>
  647. >>50 string epub+zip EPUB document
  648. !:mime application/epub+zip
  649. # Catch other ZIP-with-mimetype formats
  650. # In a ZIP file, the bytes immediately after a member's contents are
  651. # always "PK". The 2 regex rules here print the "mimetype" member's
  652. # contents up to the first 'P'. Luckily, most MIME types don't contain
  653. # any capital 'P's. This is a kludge.
  654. # (mimetype contains "application/<OTHER>")
  655. >>50 string !epub+zip
  656. >>>50 string !vnd.oasis.opendocument.
  657. >>>>50 string !vnd.sun.xml.
  658. >>>>>50 string !vnd.kde.
  659. >>>>>>38 regex [!-OQ-~]+ Zip data (MIME type "%s"?)
  660. !:mime application/zip
  661. # (mimetype contents other than "application/*")
  662. >26 string \x8\0\0\0mimetype
  663. >>38 string !application/
  664. >>>38 regex [!-OQ-~]+ Zip data (MIME type "%s"?)
  665. !:mime application/zip
  666. # Java Jar files
  667. >(26.s+30) leshort 0xcafe Java archive data (JAR)
  668. !:mime application/java-archive
  669. # Generic zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)
  670. # Next line excludes specialized formats:
  671. >(26.s+30) leshort !0xcafe
  672. >>26 string !\x8\0\0\0mimetype Zip archive data
  673. !:mime application/zip
  674. >>>4 byte 0x09 \b, at least v0.9 to extract
  675. >>>4 byte 0x0a \b, at least v1.0 to extract
  676. >>>4 byte 0x0b \b, at least v1.1 to extract
  677. >>>4 byte 0x14 \b, at least v2.0 to extract
  678. >>>4 byte 0x2d \b, at least v3.0 to extract
  679. >>>0x161 string WINZIP \b, WinZIP self-extracting
  680. # StarView Metafile
  681. # From Pierre Ducroquet <pinaraf@pinaraf.info>
  682. 0 string VCLMTF StarView MetaFile
  683. >6 beshort x \b, version %d
  684. >8 belong x \b, size %d
  685. # Zoo archiver
  686. 20 lelong 0xfdc4a7dc Zoo archive data
  687. !:mime application/x-zoo
  688. >4 byte >48 \b, v%c.
  689. >>6 byte >47 \b%c
  690. >>>7 byte >47 \b%c
  691. >32 byte >0 \b, modify: v%d
  692. >>33 byte x \b.%d+
  693. >42 lelong 0xfdc4a7dc \b,
  694. >>70 byte >0 extract: v%d
  695. >>>71 byte x \b.%d+
  696. # Shell archives
  697. 10 string #\ This\ is\ a\ shell\ archive shell archive text
  698. !:mime application/octet-stream
  699. #
  700. # LBR. NB: May conflict with the questionable
  701. # "binary Computer Graphics Metafile" format.
  702. #
  703. 0 string \0\ \ \ \ \ \ \ \ \ \ \ \0\0 LBR archive data
  704. #
  705. # PMA (CP/M derivative of LHA)
  706. #
  707. 2 string -pm0- PMarc archive data [pm0]
  708. 2 string -pm1- PMarc archive data [pm1]
  709. 2 string -pm2- PMarc archive data [pm2]
  710. 2 string -pms- PMarc SFX archive (CP/M, DOS)
  711. 5 string -pc1- PopCom compressed executable (CP/M)
  712. # From Rafael Laboissiere <rafael@laboissiere.net>
  713. # The Project Revision Control System (see
  714. # http://prcs.sourceforge.net) generates a packaged project
  715. # file which is recognized by the following entry:
  716. 0 leshort 0xeb81 PRCS packaged project
  717. # Microsoft cabinets
  718. # by David Necas (Yeti) <yeti@physics.muni.cz>
  719. #0 string MSCF\0\0\0\0 Microsoft cabinet file data,
  720. #>25 byte x v%d
  721. #>24 byte x \b.%d
  722. # MPi: All CABs have version 1.3, so this is pointless.
  723. # Better magic in debian-additions.
  724. # GTKtalog catalogs
  725. # by David Necas (Yeti) <yeti@physics.muni.cz>
  726. 4 string gtktalog\ GTKtalog catalog data,
  727. >13 string 3 version 3
  728. >>14 beshort 0x677a (gzipped)
  729. >>14 beshort !0x677a (not gzipped)
  730. >13 string >3 version %s
  731. ############################################################################
  732. # Parity archive reconstruction file, the 'par' file format now used on Usenet.
  733. 0 string PAR\0 PARity archive data
  734. >48 leshort =0 - Index file
  735. >48 leshort >0 - file number %d
  736. # Felix von Leitner <felix-file@fefe.de>
  737. 0 string d8:announce BitTorrent file
  738. !:mime application/x-bittorrent
  739. # Atari MSA archive - Teemu Hukkanen <tjhukkan@iki.fi>
  740. 0 beshort 0x0e0f Atari MSA archive data
  741. >2 beshort x \b, %d sectors per track
  742. >4 beshort 0 \b, 1 sided
  743. >4 beshort 1 \b, 2 sided
  744. >6 beshort x \b, starting track: %d
  745. >8 beshort x \b, ending track: %d
  746. # Alternate ZIP string (amc@arwen.cs.berkeley.edu)
  747. 0 string PK00PK\003\004 Zip archive data
  748. # ACE archive (from http://www.wotsit.org/download.asp?f=ace)
  749. # by Stefan `Sec` Zehl <sec@42.org>
  750. 7 string **ACE** ACE archive data
  751. >15 byte >0 version %d
  752. >16 byte =0x00 \b, from MS-DOS
  753. >16 byte =0x01 \b, from OS/2
  754. >16 byte =0x02 \b, from Win/32
  755. >16 byte =0x03 \b, from Unix
  756. >16 byte =0x04 \b, from MacOS
  757. >16 byte =0x05 \b, from WinNT
  758. >16 byte =0x06 \b, from Primos
  759. >16 byte =0x07 \b, from AppleGS
  760. >16 byte =0x08 \b, from Atari
  761. >16 byte =0x09 \b, from Vax/VMS
  762. >16 byte =0x0A \b, from Amiga
  763. >16 byte =0x0B \b, from Next
  764. >14 byte x \b, version %d to extract
  765. >5 leshort &0x0080 \b, multiple volumes,
  766. >>17 byte x \b (part %d),
  767. >5 leshort &0x0002 \b, contains comment
  768. >5 leshort &0x0200 \b, sfx
  769. >5 leshort &0x0400 \b, small dictionary
  770. >5 leshort &0x0800 \b, multi-volume
  771. >5 leshort &0x1000 \b, contains AV-String
  772. >>30 string \x16*UNREGISTERED\x20VERSION* (unregistered)
  773. >5 leshort &0x2000 \b, with recovery record
  774. >5 leshort &0x4000 \b, locked
  775. >5 leshort &0x8000 \b, solid
  776. # Date in MS-DOS format (whatever that is)
  777. #>18 lelong x Created on
  778. # sfArk : compression program for Soundfonts (sf2) by Dirk Jagdmann
  779. # <doj@cubic.org>
  780. 0x1A string sfArk sfArk compressed Soundfont
  781. >0x15 string 2
  782. >>0x1 string >\0 Version %s
  783. >>0x2A string >\0 : %s
  784. # DR-DOS 7.03 Packed File *.??_
  785. 0 string Packed\ File\ Personal NetWare Packed File
  786. >12 string x \b, was "%.12s"
  787. # EET archive
  788. # From: Tilman Sauerbeck <tilman@code-monkey.de>
  789. 0 belong 0x1ee7ff00 EET archive
  790. !:mime application/x-eet
  791. # rzip archives
  792. 0 string RZIP rzip compressed data
  793. >4 byte x - version %d
  794. >5 byte x \b.%d
  795. >6 belong x (%d bytes)
  796. # From: "Robert Dale" <robdale@gmail.com>
  797. 0 belong 123 dar archive,
  798. >4 belong x label "%.8x
  799. >>8 belong x %.8x
  800. >>>12 beshort x %.4x"
  801. >14 byte 0x54 end slice
  802. >14 beshort 0x4e4e multi-part
  803. >14 beshort 0x4e53 multi-part, with -S
  804. # Symbian installation files
  805. # http://www.thouky.co.uk/software/psifs/sis.html
  806. # http://developer.symbian.com/main/downloads/papers/SymbianOSv91/softwareinstallsis.pdf
  807. 8 lelong 0x10000419 Symbian installation file
  808. !:mime application/vnd.symbian.install
  809. >4 lelong 0x1000006D (EPOC release 3/4/5)
  810. >4 lelong 0x10003A12 (EPOC release 6)
  811. 0 lelong 0x10201A7A Symbian installation file (Symbian OS 9.x)
  812. !:mime x-epoc/x-sisx-app
  813. # From "Nelson A. de Oliveira" <naoliv@gmail.com>
  814. 0 string MPQ\032 MoPaQ (MPQ) archive
  815. # From: Dirk Jagdmann <doj@cubic.org>
  816. # xar archive format: http://code.google.com/p/xar/
  817. 0 string xar! xar archive
  818. >6 beshort x - version %d
  819. # From: "Nelson A. de Oliveira" <naoliv@gmail.com>
  820. # .kgb
  821. 0 string KGB_arch KGB Archiver file
  822. >10 string x with compression level %.1s
  823. # xar (eXtensible ARchiver) archive
  824. # From: "David Remahl" <dremahl@apple.com>
  825. 0 string xar! xar archive
  826. #>4 beshort x header size %d
  827. >6 beshort x version %d,
  828. #>8 quad x compressed TOC: %d,
  829. #>16 quad x uncompressed TOC: %d,
  830. >24 belong 0 no checksum
  831. >24 belong 1 SHA-1 checksum
  832. >24 belong 2 MD5 checksum
  833. # Type: Parity Archive
  834. # From: Daniel van Eeden <daniel_e@dds.nl>
  835. 0 string PAR2 Parity Archive Volume Set
  836. # Bacula volume format. (Volumes always start with a block header.)
  837. # URL: http://bacula.org/3.0.x-manuals/en/developers/developers/Block_Header.html
  838. # From: Adam Buchbinder <adam.buchbinder@gmail.com>
  839. 12 string BB02 Bacula volume
  840. >20 bedate x \b, started %s
  841. # ePub is XHTML + XML inside a ZIP archive. The first member of the
  842. # archive must be an uncompressed file called 'mimetype' with contents
  843. # 'application/epub+zip'
  844. # From: "Michael Gorny" <mgorny@gentoo.org>
  845. # ZPAQ: http://mattmahoney.net/dc/zpaq.html
  846. 0 string zPQ ZPAQ stream
  847. >3 byte x \b, level %d
  848. # BBeB ebook, unencrypted (LRF format)
  849. # URL: http://www.sven.de/librie/Librie/LrfFormat
  850. # From: Adam Buchbinder <adam.buchbinder@gmail.com>
  851. 0 string L\0R\0F\0\0\0 BBeB ebook data, unencrypted
  852. >8 beshort x \b, version %d
  853. >36 byte 1 \b, front-to-back
  854. >36 byte 16 \b, back-to-front
  855. >42 beshort x \b, (%dx,
  856. >44 beshort x %d)
  857. # Symantec GHOST image by Joerg Jenderek at May 2014
  858. # http://us.norton.com/ghost/
  859. # http://www.garykessler.net/library/file_sigs.html
  860. 0 ubelong&0xFFFFf7f0 0xFEEF0100 Norton GHost image
  861. # *.GHO
  862. >2 ubyte&0x08 0x00 \b, first file
  863. # *.GHS or *.[0-9] with cns program option
  864. >2 ubyte&0x08 0x08 \b, split file
  865. # part of split index interesting for *.ghs
  866. >>4 ubyte x id=0x%x
  867. # compression tag minus one equals numeric compression command line switch z[1-9]
  868. >3 ubyte 0 \b, no compression
  869. >3 ubyte 2 \b, fast compression (Z1)
  870. >3 ubyte 3 \b, medium compression (Z2)
  871. >3 ubyte >3
  872. >>3 ubyte <11 \b, compression (Z%d-1)
  873. >2 ubyte&0x08 0x00
  874. # ~ 30 byte password field only for *.gho
  875. >>12 ubequad !0 \b, password protected
  876. >>44 ubyte !1
  877. # 1~Image All, sector-by-sector only for *.gho
  878. >>>10 ubyte 1 \b, sector copy
  879. # 1~Image Boot track only for *.gho
  880. >>>43 ubyte 1 \b, boot track
  881. # 1~Image Disc only for *.gho implies Image Boot track and sector copy
  882. >>44 ubyte 1 \b, disc sector copy
  883. # optional image description only *.gho
  884. >>0xff string >\0 "%-.254s"
  885. # look for DOS sector end sequence
  886. >0xE08 search/7776 \x55\xAA
  887. >>&-512 indirect x \b; contains