"# Magic \ # Magic data for file(1) command. \ # Machine-generated from src/cmd/file/magdir/*; edit there only! \ # Format is described in magic(files), where: \ # files is 5 on V7 and BSD, 4 on SV, and ?? in the SVID. \ \ #------------------------------------------------------------------------------ \ # Localstuff: file(1) magic for locally observed files \ # \ # $Id: Localstuff,v 1.1.1.1 2001/10/16 18:05:11 provos Exp $ \ # Add any locally observed files here. Remember: \ # text if readable, executable if runnable binary, data if unreadable. \ \ #------------------------------------------------------------------------------ \ # adi: file(1) magic for ADi's objects \ # From Gregory McGarry \ # \ 0 leshort 0x521c COFF DSP21k \ >18 lelong &02 executable, \ >18 lelong ^02 \ >>18 lelong &01 static object, \ >>18 lelong ^01 relocatable object, \ >18 lelong &010 stripped \ >18 lelong ^010 not stripped \ \ #------------------------------------------------------------------------------ \ # adventure: file(1) magic for Adventure game files \ # \ # from Allen Garvin \ # Edited by Dave Chapeskie Jun 28, 1998 \ # \ # ALAN \ # I assume there are other, lower versions, but these are the only ones I \ # saw in the archive. \ 0 beshort 0x0206 ALAN text adventure code data \ >2 byte <10 version 2.6%d \ \ # Conflicts with too much other stuff! \ # Infocom \ # (Note: to avoid false matches Z-machine version 1 and 2 are not \ # recognized since only the oldest Zork I and II used them. Similarly \ # there are 4 Infocom games that use verion 4 that are not recognized.) \ #0 byte 3 Infocom game data (Z-machine 3, \ #>2 beshort <0x7fff Release %3d, \ #>26 beshort >0 Size %d*2 \ #>18 string >\\0 Serial %.6s) \ #0 byte 5 Infocom game data (Z-machine 5, \ #>2 beshort <0x7fff Release %3d, \ #>26 beshort >0 Size %d*4 \ #>18 string >\\0 Serial %.6s) \ #0 byte 6 Infocom game data (Z-machine 6, \ #>2 beshort <0x7fff Release %3d, \ #>26 beshort >0 Size %d*8 \ #>18 string >\\0 Serial %.6s) \ #0 byte 8 Infocom game data (Z-machine 8, \ #>2 beshort <0x7fff Release %3d, \ #>26 beshort >0 Size %d*8 \ #>18 string >\\0 Serial %.6s) \ \ # TADS (Text Adventure Development System) \ 0 string TADS TADS game data \ >13 string >\\0 (ver. %.6s, \ >22 string >\\0 date %s) \ #------------------------------------------------------------------------------ \ # allegro: file(1) magic for Allegro datafiles \ # Toby Deshane \ # \ 0 belong 0x736C6821 Allegro datafile (packed) \ 0 belong 0x736C682E Allegro datafile (not packed/autodetect) \ 0 belong 0x736C682B Allegro datafile (appended exe data) \ \ #------------------------------------------------------------------------------ \ # alliant: file(1) magic for Alliant FX series a.out files \ # \ # If the FX series is the one that had a processor with a 68K-derived \ # instruction set, the \"short\" should probably become \"beshort\" and the \ # \"long\" should probably become \"belong\". \ # If it's the i860-based one, they should probably become either the \ # big-endian or little-endian versions, depending on the mode they ran \ # the 860 in.... \ # \ 0 short 0420 0420 Alliant virtual executable \ >2 short &0x0020 common library \ >16 long >0 not stripped \ 0 short 0421 0421 Alliant compact executable \ >2 short &0x0020 common library \ >16 long >0 not stripped \ #------------------------------------------------------------------------------ \ # alpha architecture description \ # \ \ 0 leshort 0603 COFF format alpha \ >22 leshort&030000 !020000 executable \ >24 leshort 0410 pure \ >24 leshort 0413 paged \ >22 leshort&020000 !0 dynamically linked \ >16 lelong !0 not stripped \ >16 lelong 0 stripped \ >22 leshort&030000 020000 shared library \ >24 leshort 0407 object \ >27 byte x - version %d \ >26 byte x .%d \ >28 byte x -%d \ \ # Basic recognition of Digital UNIX core dumps - Mike Bremford \ # \ # The actual magic number is just \"Core\", followed by a 2-byte version \ # number; however, treating any file that begins with \"Core\" as a Digital \ # UNIX core dump file may produce too many false hits, so we include one \ # byte of the version number as well; DU 5.0 appears only to be up to \ # version 2. \ # \ 0 string Core\\001 Alpha COFF format core dump (Digital UNIX) \ >24 string >\\0 \\b, from '%s' \ 0 string Core\\002 Alpha COFF format core dump (Digital UNIX) \ >24 string >\\0 \\b, from '%s' \ \ #------------------------------------------------------------------------------ \ # amanda: file(1) magic for amanda file format \ # \ 0 string AMANDA:\\ AMANDA \ >8 string TAPESTART\\ DATE tape header file, \ >>23 string X \ >>>25 string >\\ Unused %s \ >>23 string >\\ DATE %s \ >8 string FILE\\ dump file, \ >>13 string >\\ DATE %s \ #------------------------------------------------------------------------------ \ # amigaos: file(1) magic for AmigaOS binary formats: \ \ # \ # From ignatios@cs.uni-bonn.de (Ignatios Souvatzis) \ # Some formats are still missing: AmigaOS special IFF's, e.g.: FORM....CTLG \ # (the others should be separate, anyway) \ # \ 0 belong 0x000003f3 AmigaOS loadseg()ble executable/binary \ 0 belong 0x000003e7 AmigaOS object/library data \ \ #------------------------------------------------------------------------------ \ # animation: file(1) magic for animation/movie formats \ # \ # animation formats \ # MPEG, FLI, DL originally from vax@ccwf.cc.utexas.edu (VaX#n8) \ # FLC, SGI, Apple originally from Daniel Quinlan (quinlan@yggdrasil.com) \ \ # MPEG animation format \ 0 belong 0x000001b3 MPEG video stream data \ #>4 beshort&0xfff0 x (%d x \ #>5 beshort&0x0fff x %d) \ 0 belong 0x000001ba MPEG system stream data \ \ # MPEG Audio (*.mpx) \ # from dreesen@math.fu-berlin.de \ \ # XXX \ # This conflicts with the FF FE signature for UTF-16-encoded Unicode \ # text, which will be identified as an MP3 file. I don't have any MP3s \ # so I don't know how to (or even if it's possible to) change this to \ # tell the two apart. enf@pobox.com \ \ 0 beshort &0xfff0 MP \ # MPEG 1.0 \ >1 byte&0x08 =0x08 \\b \ # Layer 3 \ >>1 byte &0x02 \\b3 \ >>>2 byte&0xf0 =0x10 \\b, 32 kBits \ >>>2 byte&0xf0 =0x20 \\b, 40 kBits \ >>>2 byte&0xf0 =0x30 \\b, 48 kBits \ >>>2 byte&0xf0 =0x40 \\b, 56 kBits \ >>>2 byte&0xf0 =0x50 \\b, 64 kBits \ >>>2 byte&0xf0 =0x60 \\b, 80 kBits \ >>>2 byte&0xf0 =0x70 \\b, 96 kBits \ >>>2 byte&0xf0 =0x80 \\b, 112 kBits \ >>>2 byte&0xf0 =0x90 \\b, 128 kBits \ >>>2 byte&0xf0 =0xA0 \\b, 160 kBits \ >>>2 byte&0xf0 =0xB0 \\b, 192 kBits \ >>>2 byte&0xf0 =0xC0 \\b, 224 kBits \ >>>2 byte&0xf0 =0xD0 \\b, 256 kBits \ >>>2 byte&0xf0 =0xE0 \\b, 320 kBits \ # Layer 2 \ >>1 byte &0x04 \\b2 \ >>>2 byte&0xf0 =0x10 \\b, 32 kBits \ >>>2 byte&0xf0 =0x20 \\b, 48 kBits \ >>>2 byte&0xf0 =0x30 \\b, 56 kBits \ >>>2 byte&0xf0 =0x40 \\b, 64 kBits \ >>>2 byte&0xf0 =0x50 \\b, 80 kBits \ >>>2 byte&0xf0 =0x60 \\b, 96 kBits \ >>>2 byte&0xf0 =0x70 \\b, 112 kBits \ >>>2 byte&0xf0 =0x80 \\b, 128 kBits \ >>>2 byte&0xf0 =0x90 \\b, 160 kBits \ >>>2 byte&0xf0 =0xA0 \\b, 192 kBits \ >>>2 byte&0xf0 =0xB0 \\b, 224 kBits \ >>>2 byte&0xf0 =0xC0 \\b, 256 kBits \ >>>2 byte&0xf0 =0xD0 \\b, 320 kBits \ >>>2 byte&0xf0 =0xE0 \\b, 384 kBits \ # freq \ >>2 byte&0x0C =0x00 \\b, 44.1 kHz \ >>2 byte&0x0C =0x04 \\b, 48 kHz \ >>2 byte&0x0C =0x08 \\b, 32 kHz \ # MPEG 2.0 \ >1 byte&0x08 =0x00 \\b \ # Layer 3 \ >>1 byte &0x02 \\b3 \ # Layer 2 \ >>1 byte &0x04 \\b2 \ >>2 byte&0xf0 =0x10 \\b, 8 kBits \ >>2 byte&0xf0 =0x20 \\b, 16 kBits \ >>2 byte&0xf0 =0x30 \\b, 24 kBits \ >>2 byte&0xf0 =0x40 \\b, 32 kBits \ >>2 byte&0xf0 =0x50 \\b, 40 kBits \ >>2 byte&0xf0 =0x60 \\b, 48 kBits \ >>2 byte&0xf0 =0x70 \\b, 56 kBits \ >>2 byte&0xf0 =0x80 \\b, 64 kBits \ >>2 byte&0xf0 =0x90 \\b, 80 kBits \ >>2 byte&0xf0 =0xA0 \\b, 96 kBits \ >>2 byte&0xf0 =0xB0 \\b, 112 kBits \ >>2 byte&0xf0 =0xC0 \\b, 128 kBits \ >>2 byte&0xf0 =0xD0 \\b, 144 kBits \ >>2 byte&0xf0 =0xE0 \\b, 160 kBits \ # freq \ >>2 byte&0x0C =0x00 \\b, 22.05 kHz \ >>2 byte&0x0C =0x04 \\b, 24 kHz \ >>2 byte&0x0C =0x08 \\b, 16 kHz \ # misc \ >3 byte&0xC0 =0x00 \\b, Stereo \ >3 byte&0xC0 =0x40 \\b, JStereo \ >3 byte&0xC0 =0x80 \\b, Dual-Ch \ >3 byte&0xC0 =0xC0 \\b, Mono \ #>1 byte&0x01 =0x00 \\b, Error Protection \ #>2 byte&0x02 =0x02 \\b, Padding \ #>2 byte&0x01 =0x01 \\b, Private \ #>3 byte&0x08 =0x08 \\b, Copyright \ #>3 byte&0x04 =0x04 \\b, Original \ #>3 byte&0x03 1 \\b, Emphasis 5 \ #>3 byte&0x03 3 \\b, Emphasis c \ \ # FLI animation format \ 4 leshort 0xAF11 FLI file \ >6 leshort x - %d frames, \ >8 leshort x width=%d pixels, \ >10 leshort x height=%d pixels, \ >12 leshort x depth=%d, \ >16 leshort x ticks/frame=%d \ # FLC animation format \ 4 leshort 0xAF12 FLC file \ >6 leshort x - %d frames \ >8 leshort x width=%d pixels, \ >10 leshort x height=%d pixels, \ >12 leshort x depth=%d, \ >16 leshort x ticks/frame=%d \ \ # DL animation format \ # XXX - collision with most `mips' magic \ # \ # I couldn't find a real magic number for these, however, this \ # -appears- to work. Note that it might catch other files, too, so be \ # careful! \ # \ # Note that title and author appear in the two 20-byte chunks \ # at decimal offsets 2 and 22, respectively, but they are XOR'ed with \ # 255 (hex FF)! The DL format is really bad. \ # \ #0 byte 1 DL version 1, medium format (160x100, 4 images/screen) \ #>42 byte x - %d screens, \ #>43 byte x %d commands \ #0 byte 2 DL version 2 \ #>1 byte 1 - large format (320x200,1 image/screen), \ #>1 byte 2 - medium format (160x100,4 images/screen), \ #>1 byte >2 - unknown format, \ #>42 byte x %d screens, \ #>43 byte x %d commands \ # Based on empirical evidence, DL version 3 have several nulls following the \ # \\003. Most of them start with non-null values at hex offset 0x34 or so. \ #0 string \\3\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0 DL version 3 \ \ # SGI and Apple formats \ 0 string MOVI Silicon Graphics movie file \ 4 string moov Apple QuickTime movie file (moov) \ 4 string mdat Apple QuickTime movie file (mdat) \ \ # iso 13818 transport stream \ # \ # from Oskar Schirmer Feb 3, 2001 (ISO 13818.1) \ # (the following is a little bit restrictive and works fine for a stream \ # that starts with PAT properly. it won't work for stream data, that is \ # cut from an input device data right in the middle, but this shouldn't \ # disturb) \ # syncbyte 8 bit 0x47 \ # error_ind 1 bit - \ # payload_start 1 bit 1 \ # priority 1 bit - \ # PID 13 bit 0x0000 \ # scrambling 2 bit - \ # adaptfld_ctrl 2 bit 1 or 3 \ # conti_count 4 bit 0 \ 0 belong&0xFF5FFF1F 0x47400010 MPEG transport stream data \ >188 byte !0x47 CORRUPTED \ \ # DIF digital video file format \ 0 belong&0xffffff00 0x1f070000 DIF \ >4 byte &0x01 (DVCPRO) movie file \ >4 byte ^0x01 (DV) movie file \ >3 byte &0x80 (PAL) \ >3 byte ^0x80 (NTSC) \ \ # Microsoft Advanced Streaming Format (ASF) \ 0 belong 0x3026b275 Microsoft ASF \ \ #------------------------------------------------------------------------------ \ # apl: file(1) magic for APL (see also \"pdp\" and \"vax\" for other APL \ # workspaces) \ # \ 0 long 0100554 APL workspace (Ken's original?) \ \ #------------------------------------------------------------------------------ \ # apple: file(1) magic for Apple file formats \ # \ 0 string FiLeStArTfIlEsTaRt binscii (apple ][) text \ 0 string \\x0aGL Binary II (apple ][) data \ 0 string \\x76\\xff Squeezed (apple ][) data \ 0 string NuFile NuFile archive (apple ][) data \ 0 string N\\xf5F\\xe9l\\xe5 NuFile archive (apple ][) data \ 0 belong 0x00051600 AppleSingle encoded Macintosh file \ 0 belong 0x00051607 AppleDouble encoded Macintosh file \ \ # magic for Newton PDA package formats \ # from Ruda Moura \ 0 string package0 Newton package, NOS 1.x, \ >12 belong &0x80000000 AutoRemove, \ >12 belong &0x40000000 CopyProtect, \ >12 belong &0x10000000 NoCompression, \ >12 belong &0x04000000 Relocation, \ >12 belong &0x02000000 UseFasterCompression, \ >16 belong x version %d \ \ 0 string package1 Newton package, NOS 2.x, \ >12 belong &0x80000000 AutoRemove, \ >12 belong &0x40000000 CopyProtect, \ >12 belong &0x10000000 NoCompression, \ >12 belong &0x04000000 Relocation, \ >12 belong &0x02000000 UseFasterCompression, \ >16 belong x version %d \ \ # The following entries for the Apple II are for files that have \ # been transferred as raw binary data from an Apple, without having \ # been encapsulated by any of the above archivers. \ # \ # In general, Apple II formats are hard to identify because Apple DOS \ # and especially Apple ProDOS have strong typing in the file system and \ # therefore programmers never felt much need to include type information \ # in the files themselves. \ # \ # Eric Fischer \ \ # AppleWorks word processor: \ # \ # This matches the standard tab stops for an AppleWorks file, but if \ # a file has a tab stop set in the first four columns this will fail. \ # \ # The \"O\" is really the magic number, but that's so common that it's \ # necessary to check the tab stops that follow it to avoid false positives. \ \ 4 string O==== AppleWorks word processor data \ >85 byte&0x01 >0 \\b, zoomed \ >90 byte&0x01 >0 \\b, paginated \ >92 byte&0x01 >0 \\b, with mail merge \ #>91 byte x \\b, left margin %d \ \ # AppleWorks database: \ # \ # This isn't really a magic number, but it's the closest thing to one \ # that I could find. The 1 and 2 really mean \"order in which you defined \ # categories\" and \"left to right, top to bottom,\" respectively; the D and R \ # mean that the cursor should move either down or right when you press Return. \ \ #30 string \\x01D AppleWorks database data \ #30 string \\x02D AppleWorks database data \ #30 string \\x01R AppleWorks database data \ #30 string \\x02R AppleWorks database data \ \ # AppleWorks spreadsheet: \ # \ # Likewise, this isn't really meant as a magic number. The R or C means \ # row- or column-order recalculation; the A or M means automatic or manual \ # recalculation. \ \ #131 string RA AppleWorks spreadsheet data \ #131 string RM AppleWorks spreadsheet data \ #131 string CA AppleWorks spreadsheet data \ #131 string CM AppleWorks spreadsheet data \ \ # Applesoft BASIC: \ # \ # This is incredibly sloppy, but will be true if the program was \ # written at its usual memory location of 2048 and its first line \ # number is less than 256. Yuck. \ \ 0 belong&0xff00ff 0x80000 Applesoft BASIC program data \ #>2 leshort x \\b, first line number %d \ \ # ORCA/EZ assembler: \ # \ # This will not identify ORCA/M source files, since those have \ # some sort of date code instead of the two zero bytes at 6 and 7 \ # XXX Conflicts with ELF \ #4 belong&0xff00ffff 0x01000000 ORCA/EZ assembler source data \ #>5 byte x \\b, build number %d \ \ # Broderbund Fantavision \ # \ # I don't know what these values really mean, but they seem to recur. \ # Will they cause too many conflicts? \ \ # Probably :-) \ #2 belong&0xFF00FF 0x040008 Fantavision movie data \ \ # Some attempts at images. \ # \ # These are actually just bit-for-bit dumps of the frame buffer, so \ # there's really no reasonably way to distinguish them except for their \ # address (if preserved) -- 8192 or 16384 -- and their length -- 8192 \ # or, occasionally, 8184. \ # \ # Nevertheless this will manage to catch a lot of images that happen \ # to have a solid-colored line at the bottom of the screen. \ \ 8144 string \\x7F\\x7F\\x7F\\x7F\\x7F\\x7F\\x7F\\x7F Apple II image with white background \ 8144 string \\x55\\x2A\\x55\\x2A\\x55\\x2A\\x55\\x2A Apple II image with purple background \ 8144 string \\x2A\\x55\\x2A\\x55\\x2A\\x55\\x2A\\x55 Apple II image with green background \ 8144 string \\xD5\\xAA\\xD5\\xAA\\xD5\\xAA\\xD5\\xAA Apple II image with blue background \ 8144 string \\xAA\\xD5\\xAA\\xD5\\xAA\\xD5\\xAA\\xD5 Apple II image with orange background \ \ # Beagle Bros. Apple Mechanic fonts \ \ 0 belong&0xFF00FFFF 0x6400D000 Apple Mechanic font \ \ #------------------------------------------------------------------------------ \ # applix: file(1) magic for Applixware \ # From: Peter Soos \ # \ 0 string *BEGIN Applixware \ >7 string WORDS Words Document \ >7 string GRAPHICS Graphic \ >7 string RASTER Bitmap \ >7 string SPREADSHEETS Spreadsheet \ >7 string MACRO Macro \ >7 string BUILDER Builder Object \ \ #------------------------------------------------------------------------------ \ # archive: file(1) magic for archive formats (see also \"msdos\" for self- \ # extracting compressed archives) \ # \ # cpio, ar, arc, arj, hpack, lha/lharc, rar, squish, uc2, zip, zoo, etc. \ # pre-POSIX \"tar\" archives are handled in the C code. \ \ # POSIX tar archives \ 257 string ustar\\0 POSIX tar archive \ 257 string ustar\\040\\040\\0 GNU tar archive \ \ # cpio archives \ # \ # Yes, the top two \"cpio archive\" formats *are* supposed to just be \"short\". \ # The idea is to indicate archives produced on machines with the same \ # byte order as the machine running \"file\" with \"cpio archive\", and \ # to indicate archives produced on machines with the opposite byte order \ # from the machine running \"file\" with \"byte-swapped cpio archive\". \ # \ # The SVR4 \"cpio(4)\" hints that there are additional formats, but they \ # are defined as \"short\"s; I think all the new formats are \ # character-header formats and thus are strings, not numbers. \ 0 short 070707 cpio archive \ 0 short 0143561 byte-swapped cpio archive \ 0 string 070707 ASCII cpio archive (pre-SVR4 or odc) \ 0 string 070701 ASCII cpio archive (SVR4 with no CRC) \ 0 string 070702 ASCII cpio archive (SVR4 with CRC) \ \ # Debian package (needs to go before regular portable archives) \ # \ 0 string !\\ndebian \ >8 string debian-split part of multipart Debian package \ >8 string debian-binary Debian binary package \ >68 string >\\n (format %s) \ >136 ledate x created: %s \ \ # other archives \ #0 long 0177555 very old archive \ #0 short 0177555 very old PDP-11 archive \ #0 long 0177545 old archive \ #0 short 0177545 old PDP-11 archive \ #0 long 0100554 apl workspace \ 0 string = archive \ \ # MIPS archive (needs to go before regular portable archives) \ # \ 0 string !\\n__________E MIPS archive \ >20 string U with MIPS Ucode members \ >21 string L with MIPSEL members \ >21 string B with MIPSEB members \ >19 string L and an EL hash table \ >19 string B and an EB hash table \ >22 string X -- out of date \ \ 0 string -h- Software Tools format archive text \ \ # \ # XXX - why are there multiple thingies? Note that 0x213c6172 is \ # \"! current ar archive \ # 0 long 0x213c6172 archive file \ # \ # and for SVR1 archives, we have: \ # \ # 0 string \\ System V Release 1 ar archive \ # 0 string = archive \ # \ # XXX - did Aegis really store shared libraries, breakpointed modules, \ # and absolute code program modules in the same format as new-style \ # \"ar\" archives? \ # \ 0 string ! current ar archive \ >8 string __.SYMDEF random library \ >0 belong =65538 - pre SR9.5 \ >0 belong =65539 - post SR9.5 \ >0 beshort 2 - object archive \ >0 beshort 3 - shared library module \ >0 beshort 4 - debug break-pointed module \ >0 beshort 5 - absolute code program module \ 0 string \\ System V Release 1 ar archive \ 0 string = archive \ # \ # XXX - from \"vax\", which appears to collect a bunch of byte-swapped \ # thingies, to help you recognize VAX files on big-endian machines; \ # with \"leshort\", \"lelong\", and \"string\", that's no longer necessary.... \ # \ #0 belong 0x65ff0000 VAX 3.0 archive \ #0 belong 0x3c61723e VAX 5.0 archive \ # \ #0 long 0x213c6172 archive file \ #0 lelong 0177555 very old VAX archive \ #0 leshort 0177555 very old PDP-11 archive \ # \ # XXX - \"pdp\" claims that 0177545 can have an __.SYMDEF member and thus \ # be a random library (it said 0xff65 rather than 0177545). \ # \ 0 lelong 0177545 old VAX archive \ >8 string __.SYMDEF random library \ 0 leshort 0177545 old PDP-11 archive \ >8 string __.SYMDEF random library \ # \ # From \"pdp\" (but why a 4-byte quantity?) \ # \ 0 lelong 0x39bed PDP-11 old archive \ 0 lelong 0x39bee PDP-11 4.0 archive \ \ # ARC archiver, from Daniel Quinlan (quinlan@yggdrasil.com) \ # \ # The first byte is the magic (0x1a), byte 2 is the compression type for \ # the first file (0x01 through 0x09), and bytes 3 to 15 are the MS-DOS \ # filename of the first file (null terminated). Since some types collide \ # we only test some types on basis of frequency: 0x08 (83%), 0x09 (5%), \ # 0x02 (5%), 0x03 (3%), 0x04 (2%), 0x06 (2%). 0x01 collides with terminfo. \ 0 lelong&0x8080ffff 0x0000081a ARC archive data, dynamic LZW \ 0 lelong&0x8080ffff 0x0000091a ARC archive data, squashed \ 0 lelong&0x8080ffff 0x0000021a ARC archive data, uncompressed \ 0 lelong&0x8080ffff 0x0000031a ARC archive data, packed \ 0 lelong&0x8080ffff 0x0000041a ARC archive data, squeezed \ 0 lelong&0x8080ffff 0x0000061a ARC archive data, crunched \ \ # Acorn archive formats (Disaster prone simpleton, m91dps@ecs.ox.ac.uk) \ # I can't create either SPARK or ArcFS archives so I have not tested this stuff \ # [GRR: the original entries collide with ARC, above; replaced with combined \ # version (not tested)] \ #0 byte 0x1a RISC OS archive \ #>1 string archive (ArcFS format) \ 0 string \\032archive RISC OS archive (ArcFS format) \ \ # ARJ archiver (jason@jarthur.Claremont.EDU) \ 0 leshort 0xea60 ARJ archive data \ >5 byte x \\b, v%d, \ >8 byte &0x04 multi-volume, \ >8 byte &0x10 slash-switched, \ >8 byte &0x20 backup, \ >34 string x original name: %s, \ >7 byte 0 os: MS-DOS \ >7 byte 1 os: PRIMOS \ >7 byte 2 os: Unix \ >7 byte 3 os: Amiga \ >7 byte 4 os: Macintosh \ >7 byte 5 os: OS/2 \ >7 byte 6 os: Apple ][ GS \ >7 byte 7 os: Atari ST \ >7 byte 8 os: NeXT \ >7 byte 9 os: VAX/VMS \ >3 byte >0 %d] \ \ # HA archiver (Greg Roelofs, newt@uchicago.edu) \ # This is a really bad format. A file containing HAWAII will match this... \ #0 string HA HA archive data, \ #>2 leshort =1 1 file, \ #>2 leshort >1 %u files, \ #>4 byte&0x0f =0 first is type CPY \ #>4 byte&0x0f =1 first is type ASC \ #>4 byte&0x0f =2 first is type HSC \ #>4 byte&0x0f =0x0e first is type DIR \ #>4 byte&0x0f =0x0f first is type SPECIAL \ \ # HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz) \ 0 string HPAK HPACK archive data \ \ # JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net \ 0 string \\351,\\001JAM\\ JAM archive, \ >7 string >\\0 version %.4s \ >0x26 byte =0x27 - \ >>0x2b string >\\0 label %.11s, \ >>0x27 lelong x serial %08x, \ >>0x36 string >\\0 fstype %.8s \ \ # LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu) \ 2 string -lh0- LHarc 1.x archive data [lh0] \ 2 string -lh1- LHarc 1.x archive data [lh1] \ 2 string -lz4- LHarc 1.x archive data [lz4] \ 2 string -lz5- LHarc 1.x archive data [lz5] \ # [never seen any but the last; -lh4- reported in comp.compression:] \ 2 string -lzs- LHa 2.x? archive data [lzs] \ 2 string -lh\\40- LHa 2.x? archive data [lh ] \ 2 string -lhd- LHa 2.x? archive data [lhd] \ 2 string -lh2- LHa 2.x? archive data [lh2] \ 2 string -lh3- LHa 2.x? archive data [lh3] \ 2 string -lh4- LHa (2.x) archive data [lh4] \ 2 string -lh5- LHa (2.x) archive data [lh5] \ 2 string -lh6- LHa (2.x) archive data [lh6] \ 2 string -lh7- LHa (2.x) archive data [lh7] \ >20 byte x - header level %d \ \ # RAR archiver (Greg Roelofs, newt@uchicago.edu) \ 0 string Rar! RAR archive data \ \ # SQUISH archiver (Greg Roelofs, newt@uchicago.edu) \ 0 string SQSH squished archive data (Acorn RISCOS) \ \ # UC2 archiver (Greg Roelofs, newt@uchicago.edu) \ # I can't figure out the self-extracting form of these buggers... \ 0 string UC2\\x1a UC2 archive data \ \ # ZIP archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) \ 0 string PK\\003\\004 Zip archive data \ >4 byte 0x09 \\b, at least v0.9 to extract \ >4 byte 0x0a \\b, at least v1.0 to extract \ >4 byte 0x0b \\b, at least v1.1 to extract \ >4 byte 0x14 \\b, at least v2.0 to extract \ \ # Zoo archiver \ 20 lelong 0xfdc4a7dc Zoo archive data \ >4 byte >48 \\b, v%c. \ >>6 byte >47 \\b%c \ >>>7 byte >47 \\b%c \ >32 byte >0 \\b, modify: v%d \ >>33 byte x \\b.%d+ \ >42 lelong 0xfdc4a7dc \\b, \ >>70 byte >0 extract: v%d \ >>>71 byte x \\b.%d+ \ \ # Shell archives \ 10 string #\\ This\\ is\\ a\\ shell\\ archive shell archive text \ \ # \ # LBR. NB: May conflict with the questionable \ # \"binary Computer Graphics Metafile\" format. \ # \ 0 string \\0\\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\0\\0 LBR archive data \ # \ # PMA (CP/M derivative of LHA) \ # \ 2 string -pm0- PMarc archive data [pm0] \ 2 string -pm1- PMarc archive data [pm1] \ 2 string -pm2- PMarc archive data [pm2] \ 2 string -pms- PMarc SFX archive (CP/M, DOS) \ 5 string -pc1- PopCom compressed executable (CP/M) \ \ # From rafael@icp.inpg.fr (Rafael Laboissiere) \ # The Project Revision Control System (see \ # http://www.XCF.Berkeley.EDU/~jmacd/prcs.html) generates a packaged project \ # file which is recognized by the following entry: \ 0 leshort 0xeb81 PRCS packaged project \ \ # Microsoft cabinets \ # by David Necas (Yeti) \ 0 string MSCF\\0\\0\\0\\0 Microsoft cabinet file data, \ >25 byte x v%d \ >24 byte x \\b.%d \ \ # GTKtalog catalogs \ # by David Necas (Yeti) \ 4 string gtktalog\\ GTKtalog catalog data, \ >13 string 3 version 3 \ >>14 beshort 0x677a (gzipped) \ >>14 beshort !0x677a (not gzipped) \ >13 string >3 version %s \ \ #------------------------------------------------------------------------------ \ # asterix: file(1) magic for Aster*x; SunOS 5.5.1 gave the 4-character \ # strings as \"long\" - we assume they're just strings: \ # From: guy@netapp.com (Guy Harris) \ # \ 0 string *STA Aster*x \ >7 string WORD Words Document \ >7 string GRAP Graphic \ >7 string SPRE Spreadsheet \ >7 string MACR Macro \ 0 string 2278 Aster*x Version 2 \ >29 byte 0x36 Words Document \ >29 byte 0x35 Graphic \ >29 byte 0x32 Spreadsheet \ >29 byte 0x38 Macro \ \ \ #------------------------------------------------------------------------------ \ # att3b: file(1) magic for AT&T 3B machines \ # \ # The `versions' should be un-commented if they work for you. \ # (Was the problem just one of endianness?) \ # \ # 3B20 \ # \ # The 3B20 conflicts with SCCS. \ #0 beshort 0550 3b20 COFF executable \ #>12 belong >0 not stripped \ #>22 beshort >0 - version %ld \ #0 beshort 0551 3b20 COFF executable (TV) \ #>12 belong >0 not stripped \ #>22 beshort >0 - version %ld \ # \ # WE32K \ # \ 0 beshort 0560 WE32000 COFF \ >18 beshort ^00000020 object \ >18 beshort &00000020 executable \ >12 belong >0 not stripped \ >18 beshort ^00010000 N/A on 3b2/300 w/paging \ >18 beshort &00020000 32100 required \ >18 beshort &00040000 and MAU hardware required \ >20 beshort 0407 (impure) \ >20 beshort 0410 (pure) \ >20 beshort 0413 (demand paged) \ >20 beshort 0443 (target shared library) \ >22 beshort >0 - version %ld \ 0 beshort 0561 WE32000 COFF executable (TV) \ >12 belong >0 not stripped \ #>18 beshort &00020000 - 32100 required \ #>18 beshort &00040000 and MAU hardware required \ #>22 beshort >0 - version %ld \ # \ # core file for 3b2 \ 0 string \\000\\004\\036\\212\\200 3b2 core file \ >364 string >\\0 of '%s' \ \ #------------------------------------------------------------------------------ \ # audio: file(1) magic for sound formats (see also \"iff\") \ # \ # Jan Nicolai Langfeldt (janl@ifi.uio.no), Dan Quinlan (quinlan@yggdrasil.com), \ # and others \ # \ \ # Sun/NeXT audio data \ 0 string .snd Sun/NeXT audio data: \ >12 belong 1 8-bit ISDN u-law, \ >12 belong 2 8-bit linear PCM [REF-PCM], \ >12 belong 3 16-bit linear PCM, \ >12 belong 4 24-bit linear PCM, \ >12 belong 5 32-bit linear PCM, \ >12 belong 6 32-bit IEEE floating point, \ >12 belong 7 64-bit IEEE floating point, \ >12 belong 23 8-bit ISDN u-law compressed (CCITT G.721 ADPCM voice data encoding), \ >12 belong 24 compressed (8-bit G.722 ADPCM) \ >12 belong 25 compressed (3-bit G.723 ADPCM), \ >12 belong 26 compressed (5-bit G.723 ADPCM), \ >12 belong 27 8-bit A-law, \ >20 belong 1 mono, \ >20 belong 2 stereo, \ >20 belong 4 quad, \ >16 belong >0 %d Hz \ \ # DEC systems (e.g. DECstation 5000) use a variant of the Sun/NeXT format \ # that uses little-endian encoding and has a different magic number \ 0 lelong 0x0064732E DEC audio data: \ >12 lelong 1 8-bit ISDN u-law, \ >12 lelong 2 8-bit linear PCM [REF-PCM], \ >12 lelong 3 16-bit linear PCM, \ >12 lelong 4 24-bit linear PCM, \ >12 lelong 5 32-bit linear PCM, \ >12 lelong 6 32-bit IEEE floating point, \ >12 lelong 7 64-bit IEEE floating point, \ >12 lelong 23 8-bit ISDN u-law compressed (CCITT G.721 ADPCM voice data encoding), \ >20 lelong 1 mono, \ >20 lelong 2 stereo, \ >20 lelong 4 quad, \ >16 lelong >0 %d Hz \ \ # Creative Labs AUDIO stuff \ 0 string MThd Standard MIDI data \ >9 byte >0 (format %d) \ >11 byte >1 using %d tracks \ 0 string CTMF Creative Music (CMF) data \ 0 string SBI SoundBlaster instrument data \ 0 string Creative\\ Voice\\ File Creative Labs voice data \ # is this next line right? it came this way... \ >19 byte 0x1A \ >23 byte >0 - version %d \ >22 byte >0 \\b.%d \ \ # first entry is also the string \"NTRK\" \ 0 belong 0x4e54524b MultiTrack sound data \ >4 belong x - version %ld \ \ # Extended MOD format (*.emd) (Greg Roelofs, newt@uchicago.edu); NOT TESTED \ # [based on posting 940824 by \"Dirk/Elastik\", husberg@lehtori.cc.tut.fi] \ 0 string EMOD Extended MOD sound data, \ >4 byte&0xf0 x version %d \ >4 byte&0x0f x \\b.%d, \ >45 byte x %d instruments \ >83 byte 0 (module) \ >83 byte 1 (song) \ \ # Real Audio (Magic .ra\\0375) \ 0 belong 0x2e7261fd RealAudio sound file \ 0 string .RMF RealMedia file \ \ # MTM/669/FAR/S3M/ULT/XM format checking [Aaron Eppert, aeppert@dialin.ind.net] \ # Oct 31, 1995 \ 0 string MTM MultiTracker Module sound file \ #0 string if Composer 669 Module sound data \ 0 string FAR Module sound data \ 0 string MAS_U ULT(imate) Module sound data \ 0x2c string SCRM ScreamTracker III Module sound data \ 0 string Extended Module Extended Module sound data \ \ # Gravis UltraSound patches \ # From \ \ 0 string GF1PATCH110\\0ID#000002\\0 GUS patch \ 0 string GF1PATCH100\\0ID#000002\\0 Old GUS patch \ \ # \ # Taken from loader code from mikmod version 2.14 \ # by Steve McIntyre (stevem@chiark.greenend.org.uk) \ 0 string JN extended 669 module data \ 0 string MAS_UTrack_V00 \ >14 string >/0 ultratracker V1.%.1s module sound data \ 0 string UN05 MikMod UNI format module sound data \ 0 string Extended\\ Module: Fasttracker II module sound data \ 21 string !SCREAM! Screamtracker 2 module sound data \ 1080 string M.K. 4-channel Protracker module sound data \ 1080 string M!K! 4-channel Protracker module sound data \ 1080 string FLT4 4-channel Startracker module sound data \ 1080 string 4CHN 4-channel Fasttracker module sound data \ 1080 string 6CHN 6-channel Fasttracker module sound data \ 1080 string 8CHN 8-channel Fasttracker module sound data \ 1080 string CD81 8-channel Oktalyzer module sound data \ 1080 string OKTA 8-channel Oktalyzer module sound data \ # Not good enough. \ #1082 string CH \ #>1080 string >/0 %.2s-channel Fasttracker \"oktalyzer\" module sound data \ 1080 string 16CN 16-channel Taketracker module sound data \ 1080 string 32CN 32-channel Taketracker module sound data \ \ # TOC sound files -Trevor Johnson \ # \ 0 string TOC TOC sound file \ \ # sidfiles \ 0 string SIDPLAY\\ INFOFILE Sidplay info file \ 0 string PSID PlaySID v2.2+ (AMIGA) sidtune \ >4 beshort >0 w/ header v%d, \ >14 beshort =1 single song, \ >14 beshort >1 %d songs, \ >16 beshort >0 default song: %d \ \ # IRCAM \ # VAX and MIPS files are little-endian; Sun and NeXT are big-endian \ 0 belong 0x64a30100 IRCAM file (VAX) \ 0 belong 0x64a30200 IRCAM file (Sun) \ 0 belong 0x64a30300 IRCAM file (MIPS little-endian) \ 0 belong 0x64a30400 IRCAM file (NeXT) \ \ # NIST SPHERE \ 0 string NIST_1A\\n\\ \\ \\ 1024\\n NIST SPHERE file \ \ # Sample Vision \ 0 string SOUND\\ SAMPLE\\ DATA\\ Sample Vision file \ \ # Audio Visual Research \ 0 string 2BIT Audio Visual Research file \ \ # From Felix von Leitner \ 0 string OggS Ogg-Vorbis compressed sound file \ \ # SGI SoundTrack \ 0 string _SGI_SoundTrack SGI SoundTrack project file \ 0 string ID3 mp3 file with ID3 2.0 tag \ #------------------------------------------------------------------------------ \ # blender: file(1) magic for Blender 3D data files \ # \ # Coded by Guillermo S. Romero using the \ # data from Ton Roosendaal . Ton or his company do not \ # support the rule, so mail GSR if problems with it. Rule version: 1.1. \ # You can get latest version with comments and details about the format \ # at http://acd.asoc.euitt.upm.es/~gsromero/3d/blender/magic.blender \ \ 0 string =BLENDER Blender3D, \ >7 string =_ saved as 32-bits \ >7 string =- saved as 64-bits \ >8 string =v little endian \ >8 string =V big endian \ >9 byte x with version %c. \ >10 byte x \\b%c \ >11 byte x \\b%c \ \ #------------------------------------------------------------------------------ \ # blit: file(1) magic for 68K Blit stuff as seen from 680x0 machine \ # \ # Note that this 0407 conflicts with several other a.out formats... \ # \ # XXX - should this be redone with \"be\" and \"le\", so that it works on \ # little-endian machines as well? If so, what's the deal with \ # \"VAX-order\" and \"VAX-order2\"? \ # \ #0 long 0407 68K Blit (standalone) executable \ #0 short 0407 VAX-order2 68K Blit (standalone) executable \ 0 short 03401 VAX-order 68K Blit (standalone) executable \ 0 long 0406 68k Blit mpx/mux executable \ 0 short 0406 VAX-order2 68k Blit mpx/mux executable \ 0 short 03001 VAX-order 68k Blit mpx/mux executable \ # Need more values for WE32 DMD executables. \ # Note that 0520 is the same as COFF \ #0 short 0520 tty630 layers executable \ #------------------------------------------------------------------------------ \ # bsdi: file(1) magic for BSD/OS (from BSDI) objects \ # \ \ 0 lelong 0314 386 compact demand paged pure executable \ >16 lelong >0 not stripped \ >32 byte 0x6a (uses shared libs) \ \ 0 lelong 0407 386 executable \ >16 lelong >0 not stripped \ >32 byte 0x6a (uses shared libs) \ \ 0 lelong 0410 386 pure executable \ >16 lelong >0 not stripped \ >32 byte 0x6a (uses shared libs) \ \ 0 lelong 0413 386 demand paged pure executable \ >16 lelong >0 not stripped \ >32 byte 0x6a (uses shared libs) \ \ # same as in SunOS 4.x, except for static shared libraries \ 0 belong&077777777 0600413 sparc demand paged \ >0 byte &0x80 \ >>20 belong <4096 shared library \ >>20 belong =4096 dynamically linked executable \ >>20 belong >4096 dynamically linked executable \ >0 byte ^0x80 executable \ >16 belong >0 not stripped \ >36 belong 0xb4100001 (uses shared libs) \ \ 0 belong&077777777 0600410 sparc pure \ >0 byte &0x80 dynamically linked executable \ >0 byte ^0x80 executable \ >16 belong >0 not stripped \ >36 belong 0xb4100001 (uses shared libs) \ \ 0 belong&077777777 0600407 sparc \ >0 byte &0x80 dynamically linked executable \ >0 byte ^0x80 executable \ >16 belong >0 not stripped \ >36 belong 0xb4100001 (uses shared libs) \ \ #------------------------------------------------------------------------------ \ # c-lang: file(1) magic for C programs (or REXX) \ # \ \ # XPM icons (Greg Roelofs, newt@uchicago.edu) \ # if you uncomment \"/*\" for C/REXX below, also uncomment this entry \ #0 string /*\\ XPM\\ */ X pixmap image data \ \ # this first will upset you if you're a PL/1 shop... \ # in which case rm it; ascmagic will catch real C programs \ #0 string /* C or REXX program text \ 0 string // C++ program text \ \ #------------------------------------------------------------------------------ \ # chi: file(1) magic for ChiWriter files \ # \ 0 string \\\\1cw\\ ChiWriter file \ >5 string >\\0 version %s \ 0 string \\\\1cw ChiWriter file \ #------------------------------------------------------------------------------ \ # cisco: file(1) magic for cisco Systems routers \ # \ # Most cisco file-formats are covered by the generic elf code \ # \ # Microcode files are non-ELF, 0x8501 conflicts with NetBSD/alpha. \ 0 belong&0xffffff00 0x85011400 cisco IOS microcode \ >7 string >\\0 for '%s' \ 0 belong&0xffffff00 0x8501cb00 cisco IOS experimental microcode \ >7 string >\\0 for '%s' \ \ #------------------------------------------------------------------------------ \ # claris: file(1) magic for claris \ # \"H. Nanosecond\" \ # Claris Works a word processor, etc. \ # Version 3.0 \ \ # .pct claris works clip art files \ #0000000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 \ #* \ #0001000 #010 250 377 377 377 377 000 213 000 230 000 021 002 377 014 000 \ #null to byte 1000 octal \ 514 string \\377\\377\\377\\377\\000 Claris clip art? \ >0 string \\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0 yes. \ 514 string \\377\\377\\377\\377\\001 Claris clip art? \ >0 string \\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0 yes. \ \ # Claris works files \ # .cwk \ 0 string \\002\\000\\210\\003\\102\\117\\102\\117\\000\\001\\206 Claris works document \ # .plt \ 0 string \\020\\341\\000\\000\\010\\010 Claris Works pallete files .plt \ \ # .msp a dictionary file I am not sure about this I have only one .msp file \ 0 string \\002\\271\\262\\000\\040\\002\\000\\164 Claris works dictionary \ \ # .usp are user dictionary bits \ # I am not sure about a magic header: \ #0000000 001 123 160 146 070 125 104 040 136 123 015 012 160 157 144 151 \ # soh S p f 8 U D sp ^ S cr nl p o d i \ #0000020 141 164 162 151 163 164 040 136 123 015 012 144 151 166 040 043 \ # a t r i s t sp ^ S cr nl d i v sp # \ \ # .mth Thesaurus \ # statrts with \\0 but no magic header \ \ # .chy Hyphenation file \ # I am not sure: 000 210 034 000 000 \ \ # other claris files \ #./windows/claris/useng.ndx: data \ #./windows/claris/xtndtran.l32: data \ #./windows/claris/xtndtran.lst: data \ #./windows/claris/clworks.lbl: data \ #./windows/claris/clworks.prf: data \ #./windows/claris/userd.spl: data \ \ #------------------------------------------------------------------------------ \ # clipper: file(1) magic for Intergraph (formerly Fairchild) Clipper. \ # \ # XXX - what byte order does the Clipper use? \ # \ # XXX - what's the \"!\" stuff: \ # \ # >18 short !074000,000000 C1 R1 \ # >18 short !074000,004000 C2 R1 \ # >18 short !074000,010000 C3 R1 \ # >18 short !074000,074000 TEST \ # \ # I shall assume it's ANDing the field with the first value and \ # comparing it with the second, and rewrite it as: \ # \ # >18 short&074000 000000 C1 R1 \ # >18 short&074000 004000 C2 R1 \ # >18 short&074000 010000 C3 R1 \ # >18 short&074000 074000 TEST \ # \ # as SVR3.1's \"file\" doesn't support anything of the \"!074000,000000\" \ # sort, nor does SunOS 4.x, so either it's something Intergraph added \ # in CLIX, or something AT&T added in SVR3.2 or later, or something \ # somebody else thought was a good idea; it's not documented in the \ # man page for this version of \"magic\", nor does it appear to be \ # implemented (at least not after I blew off the bogus code to turn \ # old-style \"&\"s into new-style \"&\"s, which just didn't work at all). \ # \ 0 short 0575 CLIPPER COFF executable (VAX #) \ >20 short 0407 (impure) \ >20 short 0410 (5.2 compatible) \ >20 short 0411 (pure) \ >20 short 0413 (demand paged) \ >20 short 0443 (target shared library) \ >12 long >0 not stripped \ >22 short >0 - version %ld \ 0 short 0577 CLIPPER COFF executable \ >18 short&074000 000000 C1 R1 \ >18 short&074000 004000 C2 R1 \ >18 short&074000 010000 C3 R1 \ >18 short&074000 074000 TEST \ >20 short 0407 (impure) \ >20 short 0410 (pure) \ >20 short 0411 (separate I&D) \ >20 short 0413 (paged) \ >20 short 0443 (target shared library) \ >12 long >0 not stripped \ >22 short >0 - version %ld \ >48 long&01 01 alignment trap enabled \ >52 byte 1 -Ctnc \ >52 byte 2 -Ctsw \ >52 byte 3 -Ctpw \ >52 byte 4 -Ctcb \ >53 byte 1 -Cdnc \ >53 byte 2 -Cdsw \ >53 byte 3 -Cdpw \ >53 byte 4 -Cdcb \ >54 byte 1 -Csnc \ >54 byte 2 -Cssw \ >54 byte 3 -Cspw \ >54 byte 4 -Cscb \ 4 string pipe CLIPPER instruction trace \ 4 string prof CLIPPER instruction profile \ \ #------------------------------------------------------------------------------ \ # commands: file(1) magic for various shells and interpreters \ # \ #0 string : shell archive or script for antique kernel text \ 0 string/b #!\\ /bin/sh Bourne shell script text executable \ 0 string/b #!\\ /bin/csh C shell script text executable \ # korn shell magic, sent by George Wu, gwu@clyde.att.com \ 0 string/b #!\\ /bin/ksh Korn shell script text executable \ 0 string/b #!\\ /bin/tcsh Tenex C shell script text executable \ 0 string/b #!\\ /usr/local/tcsh Tenex C shell script text executable \ 0 string/b #!\\ /usr/local/bin/tcsh Tenex C shell script text executable \ \ # \ # zsh/ash/ae/nawk/gawk magic from cameron@cs.unsw.oz.au (Cameron Simpson) \ 0 string/b #!\\ /usr/local/bin/zsh Paul Falstad's zsh script text executable \ 0 string/b #!\\ /usr/local/bin/ash Neil Brown's ash script text executable \ 0 string/b #!\\ /usr/local/bin/ae Neil Brown's ae script text executable \ 0 string/b #!\\ /bin/nawk new awk script text executable \ 0 string/b #!\\ /usr/bin/nawk new awk script text executable \ 0 string/b #!\\ /usr/local/bin/nawk new awk script text executable \ 0 string/b #!\\ /bin/gawk GNU awk script text executable \ 0 string/b #!\\ /usr/bin/gawk GNU awk script text executable \ 0 string/b #!\\ /usr/local/bin/gawk GNU awk script text executable \ # \ 0 string/b #!\\ /bin/awk awk script text executable \ 0 string/b #!\\ /usr/bin/awk awk script text executable \ 0 string BEGIN awk script text \ \ # For Larry Wall's perl language. The ``eval'' line recognizes an \ # outrageously clever hack for USG systems. \ # Keith Waclena \ 0 string/b #!\\ /bin/perl perl script text executable \ 0 string eval\\ \"exec\\ /bin/perl perl script text \ 0 string/b #!\\ /usr/bin/perl perl script text executable \ 0 string eval\\ \"exec\\ /usr/bin/perl perl script text \ 0 string/b #!\\ /usr/local/bin/perl perl script text \ 0 string eval\\ \"exec\\ /usr/local/bin/perl perl script text executable \ \ # AT&T Bell Labs' Plan 9 shell \ 0 string/b #!\\ /bin/rc Plan 9 rc shell script text executable \ \ # bash shell magic, from Peter Tobias (tobias@server.et-inf.fho-emden.de) \ 0 string/b #!\\ /bin/bash Bourne-Again shell script text executable \ 0 string/b #!\\ /usr/local/bin/bash Bourne-Again shell script text executable \ \ # using env \ 0 string #!/usr/bin/env a \ >15 string >\\0 %s script text executable \ 0 string #!\\ /usr/bin/env a \ >16 string >\\0 %s script text executable \ \ \ # generic shell magic \ 0 string #!\\ / a \ >3 string >\\0 %s script text executable \ 0 string #!\\ / a \ >3 string >\\0 %s script text executable \ 0 string #!/ a \ >2 string >\\0 %s script text executable \ 0 string #!\\ script text executable \ >3 string >\\0 for %s \ \ #------------------------------------------------------------------------------ \ # compress: file(1) magic for pure-compression formats (no archives) \ # \ # compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, etc. \ # \ # Formats for various forms of compressed data \ # Formats for \"compress\" proper have been moved into \"compress.c\", \ # because it tries to uncompress it to figure out what's inside. \ \ # standard unix compress \ 0 string \\037\\235 compress'd data \ >2 byte&0x80 >0 block compressed \ >2 byte&0x1f x %d bits \ \ # gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver) \ 0 string \\037\\213 gzip compressed data \ >2 byte <8 \\b, reserved method, \ >2 byte 8 \\b, deflated, \ >3 byte &0x01 ASCII, \ >3 byte &0x02 continuation, \ >3 byte &0x04 extra field, \ >3 byte &0x08 original filename, \ >>10 string x `%s', \ >3 byte &0x10 comment, \ >3 byte &0x20 encrypted, \ >4 ledate x last modified: %s, \ >8 byte 2 max compression, \ >8 byte 4 max speed, \ >9 byte =0x00 os: MS-DOS \ >9 byte =0x01 os: Amiga \ >9 byte =0x02 os: VMS \ >9 byte =0x03 os: Unix \ >9 byte =0x05 os: Atari \ >9 byte =0x06 os: OS/2 \ >9 byte =0x07 os: MacOS \ >9 byte =0x0A os: Tops/20 \ >9 byte =0x0B os: Win/32 \ \ # packed data, Huffman (minimum redundancy) codes on a byte-by-byte basis \ 0 string \\037\\036 packed data \ >2 belong >1 \\b, %d characters originally \ >2 belong =1 \\b, %d character originally \ # \ # This magic number is byte-order-independent. XXX - Does that mean this \ # is big-endian, little-endian, either, or that you can't tell? \ # this short is valid for SunOS \ 0 short 017437 old packed data \ \ # XXX - why *two* entries for \"compacted data\", one of which is \ # byte-order independent, and one of which is byte-order dependent? \ # \ 0 short 0x1fff compacted data \ # This string is valid for SunOS (BE) and a matching \"short\" is listed \ # in the Ultrix (LE) magic file. \ 0 string \\377\\037 compacted data \ 0 short 0145405 huf output \ \ # bzip2 \ 0 string BZh bzip2 compressed data \ >3 byte >47 \\b, block size = %c00k \ \ # squeeze and crunch \ # Michael Haardt \ 0 beshort 0x76FF squeezed data, \ >4 string x original name %s \ 0 beshort 0x76FE crunched data, \ >2 string x original name %s \ 0 beshort 0x76FD LZH compressed data, \ >2 string x original name %s \ \ # Freeze \ 0 string \\037\\237 frozen file 2.1 \ 0 string \\037\\236 frozen file 1.0 (or gzip 0.5) \ \ # SCO compress -H (LZH) \ 0 string \\037\\240 SCO compress -H (LZH) data \ \ # European GSM 06.10 is a provisional standard for full-rate speech \ # transcoding, prI-ETS 300 036, which uses RPE/LTP (residual pulse \ # excitation/long term prediction) coding at 13 kbit/s. \ # \ # There's only a magic nibble (4 bits); that nibble repeats every 33 \ # bytes. This isn't suited for use, but maybe we can use it someday. \ # \ # This will cause very short GSM files to be declared as data and \ # mismatches to be declared as data too! \ #0 byte&0xF0 0xd0 data \ #>33 byte&0xF0 0xd0 \ #>66 byte&0xF0 0xd0 \ #>99 byte&0xF0 0xd0 \ #>132 byte&0xF0 0xd0 GSM 06.10 compressed audio \ \ # bzip a block-sorting file compressor \ # by Julian Seward and others \ # \ 0 string BZ bzip compressed data \ >2 byte x \\b, version: %c \ >3 string =1 \\b, compression block size 100k \ >3 string =2 \\b, compression block size 200k \ >3 string =3 \\b, compression block size 300k \ >3 string =4 \\b, compression block size 400k \ >3 string =5 \\b, compression block size 500k \ >3 string =6 \\b, compression block size 600k \ >3 string =7 \\b, compression block size 700k \ >3 string =8 \\b, compression block size 800k \ >3 string =9 \\b, compression block size 900k \ \ # lzop from \ 0 string \\x89\\x4c\\x5a\\x4f\\x00\\x0d\\x0a\\x1a\\x0a lzop compressed data \ >9 beshort <0x0940 \ >>9 byte&0xf0 =0x00 - version 0. \ >>9 beshort&0x0fff x \\b%03x, \ >>13 byte 1 LZO1X-1, \ >>13 byte 2 LZO1X-1(15), \ >>13 byte 3 LZO1X-999, \ ## >>22 bedate >0 last modified: %s, \ >>14 byte =0x00 os: MS-DOS \ >>14 byte =0x01 os: Amiga \ >>14 byte =0x02 os: VMS \ >>14 byte =0x03 os: Unix \ >>14 byte =0x05 os: Atari \ >>14 byte =0x06 os: OS/2 \ >>14 byte =0x07 os: MacOS \ >>14 byte =0x0A os: Tops/20 \ >>14 byte =0x0B os: WinNT \ >>14 byte =0x0E os: Win32 \ >9 beshort >0x0939 \ >>9 byte&0xf0 =0x00 - version 0. \ >>9 byte&0xf0 =0x10 - version 1. \ >>9 byte&0xf0 =0x20 - version 2. \ >>9 beshort&0x0fff x \\b%03x, \ >>15 byte 1 LZO1X-1, \ >>15 byte 2 LZO1X-1(15), \ >>15 byte 3 LZO1X-999, \ ## >>25 bedate >0 last modified: %s, \ >>17 byte =0x00 os: MS-DOS \ >>17 byte =0x01 os: Amiga \ >>17 byte =0x02 os: VMS \ >>17 byte =0x03 os: Unix \ >>17 byte =0x05 os: Atari \ >>17 byte =0x06 os: OS/2 \ >>17 byte =0x07 os: MacOS \ >>17 byte =0x0A os: Tops/20 \ >>17 byte =0x0B os: WinNT \ >>17 byte =0x0E os: Win32 \ #------------------------------------------------------------------------------ \ # Console game magic \ # Toby Deshane \ # ines: file(1) magic for Marat's iNES Nintendo Entertainment System \ # ROM dump format \ \ 0 string NES\\032 iNES ROM dump, \ >4 byte x %dx16k PRG \ >5 byte x \\b, %dx8k CHR \ >6 byte&0x01 =0x1 \\b, [Vert.] \ >6 byte&0x01 =0x0 \\b, [Horiz.] \ >6 byte&0x02 =0x2 \\b, [SRAM] \ >6 byte&0x04 =0x4 \\b, [Trainer] \ >6 byte&0x04 =0x8 \\b, [4-Scr] \ \ #------------------------------------------------------------------------------ \ # gameboy: file(1) magic for the Nintendo (Color) Gameboy raw ROM format \ # \ 0x104 belong 0xCEED6666 Gameboy ROM: \ >0x134 string >\\0 \"%.16s\" \ >0x146 byte 0x03 \\b,[SGB] \ >0x147 byte 0x00 \\b, [ROM ONLY] \ >0x147 byte 0x01 \\b, [ROM+MBC1] \ >0x147 byte 0x02 \\b, [ROM+MBC1+RAM] \ >0x147 byte 0x03 \\b, [ROM+MBC1+RAM+BATT] \ >0x147 byte 0x05 \\b, [ROM+MBC2] \ >0x147 byte 0x06 \\b, [ROM+MBC2+BATTERY] \ >0x147 byte 0x08 \\b, [ROM+RAM] \ >0x147 byte 0x09 \\b, [ROM+RAM+BATTERY] \ >0x147 byte 0x0B \\b, [ROM+MMM01] \ >0x147 byte 0x0C \\b, [ROM+MMM01+SRAM] \ >0x147 byte 0x0D \\b, [ROM+MMM01+SRAM+BATT] \ >0x147 byte 0x0F \\b, [ROM+MBC3+TIMER+BATT] \ >0x147 byte 0x10 \\b, [ROM+MBC3+TIMER+RAM+BATT] \ >0x147 byte 0x11 \\b, [ROM+MBC3] \ >0x147 byte 0x12 \\b, [ROM+MBC3+RAM] \ >0x147 byte 0x13 \\b, [ROM+MBC3+RAM+BATT] \ >0x147 byte 0x19 \\b, [ROM+MBC5] \ >0x147 byte 0x1A \\b, [ROM+MBC5+RAM] \ >0x147 byte 0x1B \\b, [ROM+MBC5+RAM+BATT] \ >0x147 byte 0x1C \\b, [ROM+MBC5+RUMBLE] \ >0x147 byte 0x1D \\b, [ROM+MBC5+RUMBLE+SRAM] \ >0x147 byte 0x1E \\b, [ROM+MBC5+RUMBLE+SRAM+BATT] \ >0x147 byte 0x1F \\b, [Pocket Camera] \ >0x147 byte 0xFD \\b, [Bandai TAMA5] \ >0x147 byte 0xFE \\b, [Hudson HuC-3] \ >0x147 byte 0xFF \\b, [Hudson HuC-1] \ \ >0x148 byte 0 \\b, ROM: 256Kbit \ >0x148 byte 1 \\b, ROM: 512Kbit \ >0x148 byte 2 \\b, ROM: 1Mbit \ >0x148 byte 3 \\b, ROM: 2Mbit \ >0x148 byte 4 \\b, ROM: 4Mbit \ >0x148 byte 5 \\b, ROM: 8Mbit \ >0x148 byte 6 \\b, ROM: 16Mbit \ >0x148 byte 0x52 \\b, ROM: 9Mbit \ >0x148 byte 0x53 \\b, ROM: 10Mbit \ >0x148 byte 0x54 \\b, ROM: 12Mbit \ \ >0x149 byte 1 \\b, RAM: 16Kbit \ >0x149 byte 2 \\b, RAM: 64Kbit \ >0x149 byte 3 \\b, RAM: 128Kbit \ >0x149 byte 4 \\b, RAM: 1Mbit \ \ #>0x14e long x \\b, CRC: %x \ \ #------------------------------------------------------------------------------ \ # genesis: file(1) magic for the Sega MegaDrive/Genesis raw ROM format \ # \ 0x100 string SEGA Sega MegaDrive/Genesis raw ROM dump \ >0x120 string >\\0 Name: \"%.16s\" \ >0x110 string >\\0 %.16s \ >0x1B0 string RA with SRAM \ \ #------------------------------------------------------------------------------ \ # genesis: file(1) magic for the Super MegaDrive ROM dump format \ # \ 0x280 string EAGN Super MagicDrive ROM dump \ >0 byte x %dx16k blocks \ >2 byte 0 \\b, last in series or standalone \ >2 byte >0 \\b, split ROM \ >8 byte 0xAA \ >9 byte 0xBB \ \ #------------------------------------------------------------------------------ \ # genesis: file(1) alternate magic for the Super MegaDrive ROM dump format \ # \ 0x280 string EAMG Super MagicDrive ROM dump \ >0 byte x %dx16k blocks \ >2 byte x \\b, last in series or standalone \ >8 byte 0xAA \ >9 byte 0xBB \ \ #------------------------------------------------------------------------------ \ # smsgg: file(1) magic for Sega Master System and Game Gear ROM dumps \ # \ # Does not detect all images. Very preliminary guesswork. Need more data \ # on format. \ # \ # FIXME: need a little more info...;P \ # \ #0 byte 0xF3 \ #>1 byte 0xED Sega Master System/Game Gear ROM dump \ #>1 byte 0x31 Sega Master System/Game Gear ROM dump \ #>1 byte 0xDB Sega Master System/Game Gear ROM dump \ #>1 byte 0xAF Sega Master System/Game Gear ROM dump \ #>1 byte 0xC3 Sega Master System/Game Gear ROM dump \ \ #------------------------------------------------------------------------------ \ # dreamcast: file(1) uncertain magic for the Sega Dreamcast VMU image format \ # \ 0 belong 0x21068028 Sega Dreamcast VMU game image \ 0 string LCDi Dream Animator file \ \ #------------------------------------------------------------------------------ \ # v64: file(1) uncertain magic for the V64 format N64 ROM dumps \ # \ 0 belong 0x37804012 V64 Nintendo 64 ROM dump \ \ #------------------------------------------------------------------------------ \ # msx: file(1) magic for MSX game cartridge dumps \ 0 beshort 0x4142 MSX game cartridge dump \ #------------------------------------------------------------------------------ \ # convex: file(1) magic for Convex boxes \ # \ # Convexes are big-endian. \ # \ # /*\\ \ # * Below are the magic numbers and tests added for Convex. \ # * Added at beginning, because they are expected to be used most. \ # \\*/ \ 0 belong 0507 Convex old-style object \ >16 belong >0 not stripped \ 0 belong 0513 Convex old-style demand paged executable \ >16 belong >0 not stripped \ 0 belong 0515 Convex old-style pre-paged executable \ >16 belong >0 not stripped \ 0 belong 0517 Convex old-style pre-paged, non-swapped executable \ >16 belong >0 not stripped \ 0 belong 0x011257 Core file \ # \ # The following are a series of dump format magic numbers. Each one \ # corresponds to a drastically different dump format. The first on is \ # the original dump format on a 4.1 BSD or earlier file system. The \ # second marks the change between the 4.1 file system and the 4.2 file \ # system. The Third marks the changing of the block size from 1K \ # to 2K to be compatible with an IDC file system. The fourth indicates \ # a dump that is dependent on Convex Storage Manager, because data in \ # secondary storage is not physically contained within the dump. \ # The restore program uses these number to determine how the data is \ # to be extracted. \ # \ 24 belong =60011 dump format, 4.1 BSD or earlier \ 24 belong =60012 dump format, 4.2 or 4.3 BSD without IDC \ 24 belong =60013 dump format, 4.2 or 4.3 BSD (IDC compatible) \ 24 belong =60014 dump format, Convex Storage Manager by-reference dump \ # \ # what follows is a bunch of bit-mask checks on the flags field of the opthdr. \ # If there is no `=' sign, assume just checking for whether the bit is set? \ # \ 0 belong 0601 Convex SOFF \ >88 belong&0x000f0000 =0x00000000 c1 \ >88 belong &0x00010000 c2 \ >88 belong &0x00020000 c2mp \ >88 belong &0x00040000 parallel \ >88 belong &0x00080000 intrinsic \ >88 belong &0x00000001 demand paged \ >88 belong &0x00000002 pre-paged \ >88 belong &0x00000004 non-swapped \ >88 belong &0x00000008 POSIX \ # \ >84 belong &0x80000000 executable \ >84 belong &0x40000000 object \ >84 belong&0x20000000 =0 not stripped \ >84 belong&0x18000000 =0x00000000 native fpmode \ >84 belong&0x18000000 =0x10000000 ieee fpmode \ >84 belong&0x18000000 =0x18000000 undefined fpmode \ # \ 0 belong 0605 Convex SOFF core \ # \ 0 belong 0607 Convex SOFF checkpoint \ >88 belong&0x000f0000 =0x00000000 c1 \ >88 belong &0x00010000 c2 \ >88 belong &0x00020000 c2mp \ >88 belong &0x00040000 parallel \ >88 belong &0x00080000 intrinsic \ >88 belong &0x00000008 POSIX \ # \ >84 belong&0x18000000 =0x00000000 native fpmode \ >84 belong&0x18000000 =0x10000000 ieee fpmode \ >84 belong&0x18000000 =0x18000000 undefined fpmode \ \ #------------------------------------------------------------------------------ \ # database: file(1) magic for various databases \ # \ # extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk) \ # \ # \ # GDBM magic numbers \ # Will be maintained as part of the GDBM distribution in the future. \ # \ 0 belong 0x13579ace GNU dbm 1.x or ndbm database, big endian \ 0 lelong 0x13579ace GNU dbm 1.x or ndbm database, little endian \ 0 string GDBM GNU dbm 2.x database \ # \ # Berkeley DB \ # \ # Ian Darwin's file /etc/magic files: big/little-endian version. \ # \ # Hash 1.85/1.86 databases store metadata in network byte order. \ # Btree 1.85/1.86 databases store the metadata in host byte order. \ # Hash and Btree 2.X and later databases store the metadata in host byte order. \ \ 0 long 0x00061561 Berkeley DB \ >8 belong 4321 \ >>4 belong >2 1.86 \ >>4 belong <3 1.85 \ >>4 belong >0 (Hash, version %d, native byte-order) \ >8 belong 1234 \ >>4 belong >2 1.86 \ >>4 belong <3 1.85 \ >>4 belong >0 (Hash, version %d, little-endian) \ \ 0 belong 0x00061561 Berkeley DB \ >8 belong 4321 \ >>4 belong >2 1.86 \ >>4 belong <3 1.85 \ >>4 belong >0 (Hash, version %d, big-endian) \ >8 belong 1234 \ >>4 belong >2 1.86 \ >>4 belong <3 1.85 \ >>4 belong >0 (Hash, version %d, native byte-order) \ \ 0 long 0x00053162 Berkeley DB 1.85/1.86 \ >4 long >0 (Btree, version %d, native byte-order) \ 0 belong 0x00053162 Berkeley DB 1.85/1.86 \ >4 belong >0 (Btree, version %d, big-endian) \ 0 lelong 0x00053162 Berkeley DB 1.85/1.86 \ >4 lelong >0 (Btree, version %d, little-endian) \ \ 12 long 0x00061561 Berkeley DB \ >16 long >0 (Hash, version %d, native byte-order) \ 12 belong 0x00061561 Berkeley DB \ >16 belong >0 (Hash, version %d, big-endian) \ 12 lelong 0x00061561 Berkeley DB \ >16 lelong >0 (Hash, version %d, little-endian) \ \ 12 long 0x00053162 Berkeley DB \ >16 long >0 (Btree, version %d, native byte-order) \ 12 belong 0x00053162 Berkeley DB \ >16 belong >0 (Btree, version %d, big-endian) \ 12 lelong 0x00053162 Berkeley DB \ >16 lelong >0 (Btree, version %d, little-endian) \ \ 12 long 0x00042253 Berkeley DB \ >16 long >0 (Queue, version %d, native byte-order) \ 12 belong 0x00042253 Berkeley DB \ >16 belong >0 (Queue, version %d, big-endian) \ 12 lelong 0x00042253 Berkeley DB \ >16 lelong >0 (Queue, version %d, little-endian) \ # \ # \ # Round Robin Database Tool by Tobias Oetiker \ 0 string RRD RRDTool DB \ >4 string x version %s \ \ #------------------------------------------------------------------------------ \ # diamond: file(1) magic for Diamond system \ # \ # ... diamond is a multi-media mail and electronic conferencing system.... \ # \ # XXX - I think it was either renamed Slate, or replaced by Slate.... \ # \ # The full deal is too long... \ #0 string \\n Diamond Multimedia Document \ 0 string =\\n4 string >% version %.3s \ # Digital UNIX - Info \ # \ 0 string !\\n________64E Alpha archive \ >22 string X -- out of date \ # \ # Alpha COFF Based Executables \ # The stripped stuff really needs to be an 8 byte (64 bit) compare, \ # but this works \ 0 leshort 0x183 COFF format alpha \ >22 leshort&020000 &010000 sharable library, \ >22 leshort&020000 ^010000 dynamically linked, \ >24 leshort 0410 pure \ >24 leshort 0413 demand paged \ >8 lelong >0 executable or object module, not stripped \ >8 lelong 0 \ >>12 lelong 0 executable or object module, stripped \ >>12 lelong >0 executable or object module, not stripped \ >27 byte >0 - version %d. \ >26 byte >0 %d- \ >28 leshort >0 %d \ # \ # The next is incomplete, we could tell more about this format, \ # but its not worth it. \ 0 leshort 0x188 Alpha compressed COFF \ 0 leshort 0x18f Alpha u-code object \ # \ # \ # Some other interesting Digital formats, \ 0 string \\377\\377\\177 ddis/ddif \ 0 string \\377\\377\\174 ddis/dots archive \ 0 string \\377\\377\\176 ddis/dtif table data \ 0 string \\033c\\033 LN03 output \ 0 long 04553207 X image \ # \ 0 string !!\\n profiling data file \ # \ # Locale data tables (MIPS and Alpha). \ # \ 0 short 0x0501 locale data table \ >6 short 0x24 for MIPS \ >6 short 0x40 for Alpha \ \ #------------------------------------------------------------------------------ \ # dump: file(1) magic for dump file format--for new and old dump filesystems \ # \ # We specify both byte orders in order to recognize byte-swapped dumps. \ # \ 24 belong 60012 new-fs dump file (big endian), \ >4 bedate x Previous dump %s, \ >8 bedate x This dump %s, \ >12 belong >0 Volume %ld, \ >692 belong 0 Level zero, type: \ >692 belong >0 Level %d, type: \ >0 belong 1 tape header, \ >0 belong 2 beginning of file record, \ >0 belong 3 map of inodes on tape, \ >0 belong 4 continuation of file record, \ >0 belong 5 end of volume, \ >0 belong 6 map of inodes deleted, \ >0 belong 7 end of medium (for floppy), \ >676 string >\\0 Label %s, \ >696 string >\\0 Filesystem %s, \ >760 string >\\0 Device %s, \ >824 string >\\0 Host %s, \ >888 belong >0 Flags %x \ \ 24 belong 60011 old-fs dump file (big endian), \ #>4 bedate x Previous dump %s, \ #>8 bedate x This dump %s, \ >12 belong >0 Volume %ld, \ >692 belong 0 Level zero, type: \ >692 belong >0 Level %d, type: \ >0 belong 1 tape header, \ >0 belong 2 beginning of file record, \ >0 belong 3 map of inodes on tape, \ >0 belong 4 continuation of file record, \ >0 belong 5 end of volume, \ >0 belong 6 map of inodes deleted, \ >0 belong 7 end of medium (for floppy), \ >676 string >\\0 Label %s, \ >696 string >\\0 Filesystem %s, \ >760 string >\\0 Device %s, \ >824 string >\\0 Host %s, \ >888 belong >0 Flags %x \ \ 24 lelong 60012 new-fs dump file (little endian), \ >4 ledate x This dump %s, \ >8 ledate x Previous dump %s, \ >12 lelong >0 Volume %ld, \ >692 lelong 0 Level zero, type: \ >692 lelong >0 Level %d, type: \ >0 lelong 1 tape header, \ >0 lelong 2 beginning of file record, \ >0 lelong 3 map of inodes on tape, \ >0 lelong 4 continuation of file record, \ >0 lelong 5 end of volume, \ >0 lelong 6 map of inodes deleted, \ >0 lelong 7 end of medium (for floppy), \ >676 string >\\0 Label %s, \ >696 string >\\0 Filesystem %s, \ >760 string >\\0 Device %s, \ >824 string >\\0 Host %s, \ >888 lelong >0 Flags %x \ \ 24 lelong 60011 old-fs dump file (little endian), \ #>4 ledate x Previous dump %s, \ #>8 ledate x This dump %s, \ >12 lelong >0 Volume %ld, \ >692 lelong 0 Level zero, type: \ >692 lelong >0 Level %d, type: \ >0 lelong 1 tape header, \ >0 lelong 2 beginning of file record, \ >0 lelong 3 map of inodes on tape, \ >0 lelong 4 continuation of file record, \ >0 lelong 5 end of volume, \ >0 lelong 6 map of inodes deleted, \ >0 lelong 7 end of medium (for floppy), \ >676 string >\\0 Label %s, \ >696 string >\\0 Filesystem %s, \ >760 string >\\0 Device %s, \ >824 string >\\0 Host %s, \ >888 lelong >0 Flags %x \ \ #------------------------------------------------------------------------------ \ # elf: file(1) magic for ELF executables \ # \ # We have to check the byte order flag to see what byte order all the \ # other stuff in the header is in. \ # \ # MIPS R3000 may also be for MIPS R2000. \ # What're the correct byte orders for the nCUBE and the Fujitsu VPP500? \ # \ # updated by Daniel Quinlan (quinlan@yggdrasil.com) \ 0 string \\177ELF ELF \ >4 byte 0 invalid class \ >4 byte 1 32-bit \ # only for MIPS \ >>18 beshort 8 \ >>18 beshort 10 \ >>>36 belong &0x20 N32 \ >4 byte 2 64-bit \ >5 byte 0 invalid byte order \ >5 byte 1 LSB \ # only for MIPS R3000_BE \ >>18 leshort 8 \ # only for 32-bit \ >>>4 byte 1 \ >>>>36 lelong&0xf0000000 0x00000000 mips-1 \ >>>>36 lelong&0xf0000000 0x10000000 mips-2 \ >>>>36 lelong&0xf0000000 0x20000000 mips-3 \ >>>>36 lelong&0xf0000000 0x30000000 mips-4 \ >>>>36 lelong&0xf0000000 0x40000000 mips-5 \ >>>>36 lelong&0xf0000000 0x50000000 mips-6 \ # only for 64-bit \ >>>4 byte 2 \ >>>>48 lelong&0xf0000000 0x00000000 mips-1 \ >>>>48 lelong&0xf0000000 0x10000000 mips-2 \ >>>>48 lelong&0xf0000000 0x20000000 mips-3 \ >>>>48 lelong&0xf0000000 0x30000000 mips-4 \ >>>>48 lelong&0xf0000000 0x40000000 mips-5 \ >>>>48 lelong&0xf0000000 0x50000000 mips-6 \ >>16 leshort 0 no file type, \ >>16 leshort 1 relocatable, \ >>16 leshort 2 executable, \ >>16 leshort 3 shared object, \ # Core handling from Peter Tobias \ # corrections by Christian 'Dr. Disk' Hechelmann \ >>16 leshort 4 core file \ >>>(0x38+0xcc) string >\\0 of '%s' \ >>>(0x38+0x10) lelong >0 (signal %d), \ >>16 leshort &0xff00 processor-specific, \ >>18 leshort 0 no machine, \ >>18 leshort 1 AT&T WE32100 - invalid byte order, \ >>18 leshort 2 SPARC - invalid byte order, \ >>18 leshort 3 Intel 80386, \ >>18 leshort 4 Motorola 68000 - invalid byte order, \ >>18 leshort 5 Motorola 88000 - invalid byte order, \ >>18 leshort 6 Intel 80486, \ >>18 leshort 7 Intel 80860, \ # \"officially\" big endian, but binutils bfd only emits magic #8 for MIPS. \ >>18 leshort 8 MIPS R3000_LE [bfd bug], \ >>18 leshort 9 Amdahl - invalid byte order, \ >>18 leshort 10 MIPS R3000_LE, \ >>18 leshort 11 RS6000 - invalid byte order, \ >>18 leshort 15 PA-RISC - invalid byte order, \ >>>50 leshort 0x0214 2.0 \ >>>48 leshort &0x0008 (LP64), \ >>18 leshort 16 nCUBE, \ >>18 leshort 17 Fujitsu VPP500, \ >>18 leshort 18 SPARC32PLUS, \ >>18 leshort 20 PowerPC, \ >>18 leshort 36 NEC V800, \ >>18 leshort 37 Fujitsu FR20, \ >>18 leshort 38 TRW RH-32, \ >>18 leshort 39 Motorola RCE, \ >>18 leshort 40 ARM, \ >>18 leshort 41 Alpha, \ >>18 leshort 42 Hitachi SH, \ >>18 leshort 43 SPARC V9 - invalid byte order, \ >>18 leshort 44 Siemens Tricore Embedded Processor, \ >>18 leshort 45 Argonaut RISC Core, Argonaut Technologies Inc., \ >>18 leshort 46 Hitachi H8/300, \ >>18 leshort 47 Hitachi H8/300H, \ >>18 leshort 48 Hitachi H8S, \ >>18 leshort 49 Hitachi H8/500, \ >>18 leshort 50 IA-64 (Intel 64 bit architecture) \ >>18 leshort 51 Stanford MIPS-X, \ >>18 leshort 52 Motorola Coldfire, \ >>18 leshort 53 Motorola M68HC12, \ >>18 leshort 62 AMD x86-64, \ >>18 leshort 75 Digital VAX, \ >>18 leshort 0x9026 Alpha (unofficial), \ >>20 lelong 0 invalid version \ >>20 lelong 1 version 1 \ >>36 lelong 1 MathCoPro/FPU/MAU Required \ >5 byte 2 MSB \ # only for MIPS R3000_BE \ >>18 beshort 8 \ # only for 32-bit \ >>>4 byte 1 \ >>>>36 belong&0xf0000000 0x00000000 mips-1 \ >>>>36 belong&0xf0000000 0x10000000 mips-2 \ >>>>36 belong&0xf0000000 0x20000000 mips-3 \ >>>>36 belong&0xf0000000 0x30000000 mips-4 \ >>>>36 belong&0xf0000000 0x40000000 mips-5 \ >>>>36 belong&0xf0000000 0x50000000 mips-6 \ # only for 64-bit \ >>>4 byte 2 \ >>>>48 belong&0xf0000000 0x00000000 mips-1 \ >>>>48 belong&0xf0000000 0x10000000 mips-2 \ >>>>48 belong&0xf0000000 0x20000000 mips-3 \ >>>>48 belong&0xf0000000 0x30000000 mips-4 \ >>>>48 belong&0xf0000000 0x40000000 mips-5 \ >>>>48 belong&0xf0000000 0x50000000 mips-6 \ >>16 beshort 0 no file type, \ >>16 beshort 1 relocatable, \ >>16 beshort 2 executable, \ >>16 beshort 3 shared object, \ >>16 beshort 4 core file, \ >>>(0x38+0xcc) string >\\0 of '%s' \ >>>(0x38+0x10) belong >0 (signal %d), \ >>16 beshort &0xff00 processor-specific, \ >>18 beshort 0 no machine, \ >>18 beshort 1 AT&T WE32100, \ >>18 beshort 2 SPARC, \ >>18 beshort 3 Intel 80386 - invalid byte order, \ >>18 beshort 4 Motorola 68000, \ >>18 beshort 5 Motorola 88000, \ >>18 beshort 6 Intel 80486 - invalid byte order, \ >>18 beshort 7 Intel 80860, \ >>18 beshort 8 MIPS R3000_BE, \ >>18 beshort 9 Amdahl, \ >>18 beshort 10 MIPS R3000_LE - invalid byte order, \ >>18 beshort 11 RS6000, \ >>18 beshort 15 PA-RISC \ >>>50 beshort 0x0214 2.0 \ >>>48 beshort &0x0008 (LP64) \ >>18 beshort 16 nCUBE, \ >>18 beshort 17 Fujitsu VPP500, \ >>18 beshort 18 SPARC32PLUS, \ >>>36 belong&0xffff00 &0x000100 V8+ Required, \ >>>36 belong&0xffff00 &0x000200 Sun UltraSPARC1 Extensions Required, \ >>>36 belong&0xffff00 &0x000400 HaL R1 Extensions Required, \ >>>36 belong&0xffff00 &0x000800 Sun UltraSPARC3 Extensions Required, \ >>18 beshort 20 PowerPC or cisco 4500, \ >>18 beshort 21 cisco 7500, \ >>18 beshort 24 cisco SVIP, \ >>18 beshort 25 cisco 7200, \ >>18 beshort 36 NEC V800 or cisco 12000, \ >>18 beshort 37 Fujitsu FR20, \ >>18 beshort 38 TRW RH-32, \ >>18 beshort 39 Motorola RCE, \ >>18 beshort 40 ARM, \ >>18 beshort 41 Alpha, \ >>18 beshort 42 Hitachi SH, \ >>18 beshort 43 SPARC V9, \ >>18 beshort 44 Siemens Tricore Embedded Processor, \ >>18 beshort 45 Argonaut RISC Core, Argonaut Technologies Inc., \ >>18 beshort 46 Hitachi H8/300, \ >>18 beshort 47 Hitachi H8/300H, \ >>18 beshort 48 Hitachi H8S, \ >>18 beshort 49 Hitachi H8/500, \ >>18 beshort 50 Intel Merced Processor, \ >>18 beshort 51 Stanford MIPS-X, \ >>18 beshort 52 Motorola Coldfire, \ >>18 beshort 53 Motorola M68HC12, \ >>18 beshort 73 Cray NV1, \ >>18 beshort 75 Digital VAX, \ >>18 beshort 0x9026 Alpha (unofficial), \ >>20 belong 0 invalid version \ >>20 belong 1 version 1 \ >>36 belong 1 MathCoPro/FPU/MAU Required \ >8 string >\\0 (%s) \ >8 string \\0 \ >>7 byte 0 (SYSV) \ >>7 byte 1 (HP-UX) \ >>7 byte 2 (NetBSD) \ >>7 byte 3 (GNU/Linux) \ >>7 byte 4 (GNU/Hurd) \ >>7 byte 5 (86Open) \ >>7 byte 6 (Solaris) \ >>7 byte 7 (Monterey) \ >>7 byte 8 (IRIX) \ >>7 byte 9 (FreeBSD) \ >>7 byte 10 (Tru64) \ >>7 byte 11 (Novell Modesto) \ >>7 byte 12 (OpenBSD) \ >>7 byte 97 (ARM) \ >>7 byte 255 (embedded) \ \ #------------------------------------------------------------------------------ \ # encore: file(1) magic for Encore machines \ # \ # XXX - needs to have the byte order specified (NS32K was little-endian, \ # dunno whether they run the 88K in little-endian mode or not). \ # \ 0 short 0x154 Encore \ >20 short 0x107 executable \ >20 short 0x108 pure executable \ >20 short 0x10b demand-paged executable \ >20 short 0x10f unsupported executable \ >12 long >0 not stripped \ >22 short >0 - version %ld \ >22 short 0 - \ #>4 date x stamp %s \ 0 short 0x155 Encore unsupported executable \ >12 long >0 not stripped \ >22 short >0 - version %ld \ >22 short 0 - \ #>4 date x stamp %s \ \ #------------------------------------------------------------------------------ \ # Epoc 32 : file(1) magic for Epoc Documents [psion/osaris \ # Stefan Praszalowicz (hpicollo@worldnet.fr) \ #0 lelong 0x10000037 Epoc32 \ >4 lelong 0x1000006D \ >>8 lelong 0x1000007F Word \ >>8 lelong 0x10000088 Sheet \ >>8 lelong 0x1000007D Sketch \ >>8 lelong 0x10000085 TextEd \ \ #------------------------------------------------------------------------------ \ # filesystems: file(1) magic for different filesystems \ # \ 0 string \\366\\366\\366\\366 PC formatted floppy with no filesystem \ # Sun disk labels \ # From /usr/include/sun/dklabel.h: \ 0774 beshort 0xdabe Sun disk label \ >0 string x '%s \ >>31 string >\\0 \\b%s \ >>>63 string >\\0 \\b%s \ >>>>95 string >\\0 \\b%s \ >0 string x \\b' \ >0734 short >0 %d rpm, \ >0736 short >0 %d phys cys, \ >0740 short >0 %d alts/cyl, \ >0746 short >0 %d interleave, \ >0750 short >0 %d data cyls, \ >0752 short >0 %d alt cyls, \ >0754 short >0 %d heads/partition, \ >0756 short >0 %d sectors/track, \ >0764 long >0 start cyl %ld, \ >0770 long x %ld blocks \ # Is there a boot block written 1 sector in? \ >512 belong&077777777 0600407 \\b, boot block present \ 0x1FE leshort 0xAA55 x86 boot sector \ >2 string OSBS \\b, OS/BS MBR \ >0x8C string Invalid\\ partition\\ table \\b, MS-DOS MBR \ >0 string \\0\\0\\0\\0 \\b, extended partition table \ >0 leshort 0x3CEB \\b, system \ >>3 string >\\0 %s \ >>0x36 string FAT \\b, %s \ >>>0x39 string 12 (%s bit) \ >>>0x39 string 16 (%s bit) \ >0x52 string FAT32 \\b, FAT (32 bit) \ >>>43 string >NO\\ NAME label: %.11s, \ >>>43 string >>43 string NO\\ NAME unlabeled, \ >>>19 leshort >0 %d sectors \ >>>19 leshort 0 \ >>>>32 lelong x %d sectors \ >0x200 lelong 0x82564557 \\b, BSD disklabel \ \ # Minix filesystems - Juan Cespedes \ 0x410 leshort 0x137f Minix filesystem \ 0x410 leshort 0x138f Minix filesystem, 30 char names \ 0x410 leshort 0x2468 Minix filesystem, version 2 \ 0x410 leshort 0x2478 Minix filesystem, version 2, 30 char names \ \ # romfs filesystems - Juan Cespedes \ 0 string -rom1fs-\\0 romfs filesystem, version 1 \ >8 belong x %d bytes, \ >16 string x named %s. \ \ # netboot image - Juan Cespedes \ 0 lelong 0x1b031336L Netboot image, \ >4 lelong&0xFFFFFF00 0 \ >>4 lelong&0x100 0x000 mode 2 \ >>4 lelong&0x100 0x100 mode 3 \ >4 lelong&0xFFFFFF00 !0 unknown mode \ \ 0x18b string OS/2 OS/2 Boot Manager \ \ 9564 lelong 0x00011954 Unix Fast File system (little-endian), \ >8404 string x last mounted on %s, \ #>9504 ledate x last checked at %s, \ >8224 ledate x last written at %s, \ >8401 byte x clean flag %d, \ >8228 lelong x number of blocks %d, \ >8232 lelong x number of data blocks %d, \ >8236 lelong x number of cylinder groups %d, \ >8240 lelong x block size %d, \ >8244 lelong x fragment size %d, \ >8252 lelong x minimum percentage of free blocks %d, \ >8256 lelong x rotational delay %dms, \ >8260 lelong x disk rotational speed %drps, \ >8320 lelong 0 TIME optimization \ >8320 lelong 1 SPACE optimization \ \ 9564 belong 0x00011954 Unix Fast File system (big-endian), \ >8404 string x last mounted on %s, \ #>9504 bedate x last checked at %s, \ >8224 bedate x last written at %s, \ >8401 byte x clean flag %d, \ >8228 belong x number of blocks %d, \ >8232 belong x number of data blocks %d, \ >8236 belong x number of cylinder groups %d, \ >8240 belong x block size %d, \ >8244 belong x fragment size %d, \ >8252 belong x minimum percentage of free blocks %d, \ >8256 belong x rotational delay %dms, \ >8260 belong x disk rotational speed %drps, \ >8320 belong 0 TIME optimization \ >8320 belong 1 SPACE optimization \ \ # ext2/ext3 filesystems - Andreas Dilger \ 0x438 leshort 0xEF53 Linux \ >0x44c lelong x rev %d \ >0x43e leshort x \\b.%d \ >0x45c lelong ^0x0000004 ext2 filesystem data \ >>0x43a leshort ^0x0000001 (mounted or unclean) \ >0x45c lelong &0x0000004 ext3 filesystem data \ >>0x460 lelong &0x0000004 (needs journal recovery) \ >0x43a leshort &0x0000002 (errors) \ >0x460 lelong &0x0000001 (compressed) \ #>0x460 lelong &0x0000002 (filetype) \ #>0x464 lelong &0x0000001 (sparse_super) \ >0x464 lelong &0x0000002 (large files) \ \ # SGI disk labels - Nathan Scott \ 0 belong 0x0BE5A941 SGI disk label (volume header) \ \ # SGI XFS filesystem - Nathan Scott \ 0 belong 0x58465342 SGI XFS filesystem data \ >0x4 belong x (blksz=3D%d, \ >0x68 beshort x inosz=3D%d, \ >0x64 beshort ^0x2004 v1 dirs) \ >0x64 beshort &0x2004 v2 dirs) \ \ #------------------------------------------------------------------------------ \ # flash: file(1) magic for Macromedia Flash file format \ # \ # See \ # \ # http://www.macromedia.com/software/flash/open/ \ # \ 0 string FWS Macromedia Flash data, \ >3 byte x version %d \ \ #------------------------------------------------------------------------------ \ # fonts: file(1) magic for font data \ # \ 0 string FONT ASCII vfont text \ 0 short 0436 Berkeley vfont data \ 0 short 017001 byte-swapped Berkeley vfont data \ \ # PostScript fonts (must precede \"printer\" entries), quinlan@yggdrasil.com \ 0 string %!PS-AdobeFont-1.0 PostScript Type 1 font text \ >20 string >\\0 (%s) \ 6 string %!PS-AdobeFont-1.0 PostScript Type 1 font program data \ \ # X11 font files in SNF (Server Natural Format) format \ 0 belong 00000004 X11 SNF font data, MSB first \ 0 lelong 00000004 X11 SNF font data, LSB first \ \ # X11 Bitmap Distribution Format, from Daniel Quinlan (quinlan@yggdrasil.com) \ 0 string STARTFONT\\040 X11 BDF font text \ \ # X11 fonts, from Daniel Quinlan (quinlan@yggdrasil.com) \ # PCF must come before SGI additions (\"MIPSEL MIPS-II COFF\" collides) \ 0 string \\001fcp X11 Portable Compiled Font data \ >12 byte 0x02 \\b, LSB first \ >12 byte 0x0a \\b, MSB first \ 0 string D1.0\\015 X11 Speedo font data \ \ #------------------------------------------------------------------------------ \ # FIGlet fonts and controlfiles \ # From figmagic supplied with Figlet version 2.2 \ # \"David E. O'Brien\" \ 0 string flf FIGlet font \ >3 string >2a version %-2.2s \ 0 string flc FIGlet controlfile \ >3 string >2a version %-2.2s \ \ # libGrx graphics lib fonts, from Albert Cahalan (acahalan@cs.uml.edu) \ # Used with djgpp (DOS Gnu C++), sometimes Linux or Turbo C++ \ 0 belong 0x14025919 libGrx font data, \ >8 leshort x %dx \ >10 leshort x \\b%d \ >40 string x %s \ # Misc. DOS VGA fonts, from Albert Cahalan (acahalan@cs.uml.edu) \ 0 belong 0xff464f4e DOS code page font data collection \ 7 belong 0x00454741 DOS code page font data \ 7 belong 0x00564944 DOS code page font data (from Linux?) \ 4098 string DOSFONT DOSFONT2 encrypted font data \ \ # downloadable fonts for browser (prints type) anthon@mnt.org \ 0 string PFR1 PFR1 font \ >102 string >0 \\b: %s \ \ #------------------------------------------------------------------------------ \ # frame: file(1) magic for FrameMaker files \ # \ # This stuff came on a FrameMaker demo tape, most of which is \ # copyright, but this file is \"published\" as witness the following: \ # \ 0 string \\11 string 5.5 (5.5 \ >11 string 5.0 (5.0 \ >11 string 4.0 (4.0 \ >11 string 3.0 (3.0 \ >11 string 2.0 (2.0 \ >11 string 1.0 (1.0 \ >14 byte x %c) \ 0 string \\9 string 4.0 (4.0) \ >9 string 3.0 (3.0) \ >9 string 2.0 (2.0) \ >9 string 1.0 (1.x) \ 0 string \\17 string 3.0 (3.0) \ >17 string 2.0 (2.0) \ >17 string 1.0 (1.x) \ 0 string \\17 string 1.01 (%s) \ 0 string \\10 string 3.0 (3.0 \ >10 string 2.0 (2.0 \ >10 string 1.0 (1.0 \ >13 byte x %c) \ # XXX - this book entry should be verified, if you find one, uncomment this \ #0 string \\6 string 3.0 (3.0) \ #>6 string 2.0 (2.0) \ #>6 string 1.0 (1.0) \ 0 string \\= 4096 (or >4095, same thing), then it's \ # an executable, and is dynamically-linked if the \"has run-time \ # loader information\" bit is set. \ # \ # On x86, NetBSD says: \ # \ # If it's neither pure nor demand-paged: \ # \ # if it has the \"has run-time loader information\" bit set, it's \ # a dynamically-linked executable; \ # \ # if it doesn't have that bit set, then: \ # \ # if it has the \"is position-independent\" bit set, it's \ # position-independent; \ # \ # if the entry point is non-zero, it's an executable, otherwise \ # it's an object file. \ # \ # If it's pure: \ # \ # if it has the \"has run-time loader information\" bit set, it's \ # a dynamically-linked executable, otherwise it's just an \ # executable. \ # \ # If it's demand-paged: \ # \ # if it has the \"has run-time loader information\" bit set, \ # then: \ # \ # if the entry point is < 4096, it's a shared library; \ # \ # if the entry point is = 4096 or > 4096 (i.e., >= 4096), \ # it's a dynamically-linked executable); \ # \ # if it doesn't have the \"has run-time loader information\" bit \ # set, then it's just an executable. \ # \ # (On non-x86, NetBSD does much the same thing, except that it uses \ # 8192 on 68K - except for \"68k4k\", which is presumably \"68K with 4K \ # pages - SPARC, and MIPS, presumably because Sun-3's and Sun-4's \ # had 8K pages; dunno about MIPS.) \ # \ # I suspect the two will differ only in perverse and uninteresting cases \ # (\"shared\" libraries that aren't demand-paged and whose pages probably \ # won't actually be shared, executables with entry points <4096). \ # \ # I leave it to those more familiar with FreeBSD and NetBSD to figure out \ # what the right answer is (although using \">4095\", FreeBSD-style, is \ # probably better than separately checking for \"=4096\" and \">4096\", \ # NetBSD-style). (The old \"netbsd\" file analyzed FreeBSD demand paged \ # executables using the NetBSD technique.) \ # \ 0 lelong&0377777777 041400407 FreeBSD/i386 \ >20 lelong <4096 \ >>3 byte&0xC0 &0x80 shared library \ >>3 byte&0xC0 0x40 PIC object \ >>3 byte&0xC0 0x00 object \ >20 lelong >4095 \ >>3 byte&0x80 0x80 dynamically linked executable \ >>3 byte&0x80 0x00 executable \ >16 lelong >0 not stripped \ \ 0 lelong&0377777777 041400410 FreeBSD/i386 pure \ >20 lelong <4096 \ >>3 byte&0xC0 &0x80 shared library \ >>3 byte&0xC0 0x40 PIC object \ >>3 byte&0xC0 0x00 object \ >20 lelong >4095 \ >>3 byte&0x80 0x80 dynamically linked executable \ >>3 byte&0x80 0x00 executable \ >16 lelong >0 not stripped \ \ 0 lelong&0377777777 041400413 FreeBSD/i386 demand paged \ >20 lelong <4096 \ >>3 byte&0xC0 &0x80 shared library \ >>3 byte&0xC0 0x40 PIC object \ >>3 byte&0xC0 0x00 object \ >20 lelong >4095 \ >>3 byte&0x80 0x80 dynamically linked executable \ >>3 byte&0x80 0x00 executable \ >16 lelong >0 not stripped \ \ 0 lelong&0377777777 041400314 FreeBSD/i386 compact demand paged \ >20 lelong <4096 \ >>3 byte&0xC0 &0x80 shared library \ >>3 byte&0xC0 0x40 PIC object \ >>3 byte&0xC0 0x00 object \ >20 lelong >4095 \ >>3 byte&0x80 0x80 dynamically linked executable \ >>3 byte&0x80 0x00 executable \ >16 lelong >0 not stripped \ \ # XXX gross hack to identify core files \ # cores start with a struct tss; we take advantage of the following: \ # byte 7: highest byte of the kernel stack pointer, always 0xfe \ # 8/9: kernel (ring 0) ss value, always 0x0010 \ # 10 - 27: ring 1 and 2 ss/esp, unused, thus always 0 \ # 28: low order byte of the current PTD entry, always 0 since the \ # PTD is page-aligned \ # \ 7 string \\357\\020\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0 FreeBSD/i386 a.out core file \ >1039 string >\\0 from '%s' \ \ # /var/run/ld.so.hints \ # What are you laughing about? \ 0 lelong 011421044151 ld.so hints file (Little Endian \ >4 lelong >0 \\b, version %d) \ >4 belong <=0 \\b) \ 0 belong 011421044151 ld.so hints file (Big Endian \ >4 belong >0 \\b, version %d) \ >4 belong <=0 \\b) \ \ # \ # Files generated by FreeBSD scrshot(1)/vidcontrol(1) utilities \ # \ 0 string SCRSHOT_ scrshot(1) screenshot, \ >8 byte x version %d, \ >9 byte 2 %d bytes in header, \ >>10 byte x %d chars wide by \ >>11 byte x %d chars high \ \ #------------------------------------------------------------------------------ \ # fsav: file(1) magic for datafellows fsav virus definition files \ # Anthon van der Neut (anthon@mnt.org) \ 0 beshort 0x1575 fsav (linux) macro virus \ >8 leshort >0 (%d- \ >11 byte >0 \\b%02d- \ >10 byte >0 \\b%02d) \ \ # comment this out for now because it regognizes every file where \ # the eighth character is \\n \ #8 byte 0x0a \ #>12 byte 0x07 \ #>11 leshort >0 fsav (linux) virus (%d- \ #>10 byte 0 \\b01- \ #>10 byte 1 \\b02- \ #>10 byte 2 \\b03- \ #>10 byte 3 \\b04- \ #>10 byte 4 \\b05- \ #>10 byte 5 \\b06- \ #>10 byte 6 \\b07- \ #>10 byte 7 \\b08- \ #>10 byte 8 \\b08- \ #>10 byte 9 \\b10- \ #>10 byte 10 \\b11- \ #>10 byte 11 \\b12- \ #>9 byte >0 \\b%02d) \ #------------------------------------------------------------------------------ \ # GIMP Gradient: file(1) magic for the GIMP's gradient data files \ # by Federico Mena \ \ 0 string GIMP\\ Gradient GIMP gradient data \ \ #------------------------------------------------------------------------------ \ # XCF: file(1) magic for the XCF image format used in the GIMP developed \ # by Spencer Kimball and Peter Mattis \ # ('Bucky' LaDieu, nega@vt.edu) \ \ 0 string gimp\\ xcf GIMP XCF image data, \ >9 string file version 0, \ >9 string v version \ >>10 string >\\0 %s, \ >14 belong x %lu x \ >18 belong x %lu, \ >22 belong 0 RGB Color \ >22 belong 1 Greyscale \ >22 belong 2 Indexed Color \ >22 belong >2 Unknown Image Type. \ \ #------------------------------------------------------------------------------ \ # XCF: file(1) magic for the patterns used in the GIMP, developed \ # by Spencer Kimball and Peter Mattis \ # ('Bucky' LaDieu, nega@vt.edu) \ \ 20 string GPAT GIMP pattern data, \ >24 string x %s \ \ #------------------------------------------------------------------------------ \ # XCF: file(1) magic for the brushes used in the GIMP, developed \ # by Spencer Kimball and Peter Mattis \ # ('Bucky' LaDieu, nega@vt.edu) \ \ 20 string GIMP GIMP brush data \ # \ # GNU nlsutils message catalog file format \ # \ 0 string \\336\\22\\4\\225 GNU message catalog (little endian), \ >4 lelong x revision %d, \ >8 lelong x %d messages \ 0 string \\225\\4\\22\\336 GNU message catalog (big endian), \ >4 belong x revision %d, \ >8 belong x %d messages \ # message catalogs, from Mitchum DSouza \ 0 string *nazgul* Nazgul style compiled message catalog \ >8 lelong >0 \\b, version %ld \ \ #------------------------------------------------------------------------------ \ # ACE/gr and Grace type files - PLEASE DO NOT REMOVE THIS LINE \ # \ # ACE/gr binary \ 0 string \\000\\000\\0001\\000\\000\\0000\\000\\000\\0000\\000\\000\\0002\\000\\000\\0000\\000\\000\\0000\\000\\000\\0003 old ACE/gr binary file \ >39 byte >0 - version %c \ # ACE/gr ascii \ 0 string #\\ xvgr\\ parameter\\ file ACE/gr ascii file \ 0 string #\\ xmgr\\ parameter\\ file ACE/gr ascii file \ 0 string #\\ ACE/gr\\ parameter\\ file ACE/gr ascii file \ # Grace projects \ 0 string #\\ Grace\\ project\\ file Grace project file \ >23 string @version\\ (version \ >>32 byte >0 %c \ >>33 string >\\0 \\b.%.2s \ >>35 string >\\0 \\b.%.2s) \ # ACE/gr fit description files \ 0 string #\\ ACE/gr\\ fit\\ description\\ ACE/gr fit description file \ # end of ACE/gr and Grace type files - PLEASE DO NOT REMOVE THIS LINE \ \ #------------------------------------------------------------------------------ \ # hp: file(1) magic for Hewlett Packard machines (see also \"printer\") \ # \ # XXX - somebody should figure out whether any byte order needs to be \ # applied to the \"TML\" stuff; I'm assuming the Apollo stuff is \ # big-endian as it was mostly 68K-based. \ # \ # I think the 500 series was the old stack-based machines, running a \ # UNIX environment atop the \"SUN kernel\"; dunno whether it was \ # big-endian or little-endian. \ # \ # Daniel Quinlan (quinlan@yggdrasil.com): hp200 machines are 68010 based; \ # hp300 are 68020+68881 based; hp400 are also 68k. The following basic \ # HP magic is useful for reference, but using \"long\" magic is a better \ # practice in order to avoid collisions. \ # \ # Guy Harris (guy@netapp.com): some additions to this list came from \ # HP-UX 10.0's \"/usr/include/sys/unistd.h\" (68030, 68040, PA-RISC 1.1, \ # 1.2, and 2.0). The 1.2 and 2.0 stuff isn't in the HP-UX 10.0 \ # \"/etc/magic\", though, except for the \"archive file relocatable library\" \ # stuff, and the 68030 and 68040 stuff isn't there at all - are they not \ # used in executables, or have they just not yet updated \"/etc/magic\" \ # completely? \ # \ # 0 beshort 200 hp200 (68010) BSD binary \ # 0 beshort 300 hp300 (68020+68881) BSD binary \ # 0 beshort 0x20c hp200/300 HP-UX binary \ # 0 beshort 0x20d hp400 (68030) HP-UX binary \ # 0 beshort 0x20e hp400 (68040?) HP-UX binary \ # 0 beshort 0x20b PA-RISC1.0 HP-UX binary \ # 0 beshort 0x210 PA-RISC1.1 HP-UX binary \ # 0 beshort 0x211 PA-RISC1.2 HP-UX binary \ # 0 beshort 0x214 PA-RISC2.0 HP-UX binary \ \ # \ # The \"misc\" stuff needs a byte order; the archives look suspiciously \ # like the old 177545 archives (0xff65 = 0177545). \ # \ #### Old Apollo stuff \ #0 beshort 0627 Apollo m68k COFF executable \ #>18 beshort ^040000 not stripped \ #>22 beshort >0 - version %ld \ #0 beshort 0624 apollo a88k COFF executable \ #>18 beshort ^040000 not stripped \ #>22 beshort >0 - version %ld \ #0 long 01203604016 TML 0123 byte-order format \ #0 long 01702407010 TML 1032 byte-order format \ #0 long 01003405017 TML 2301 byte-order format \ #0 long 01602007412 TML 3210 byte-order format \ #### PA-RISC 1.1 \ 0 belong 0x02100106 PA-RISC1.1 relocatable object \ 0 belong 0x02100107 PA-RISC1.1 executable \ >168 belong &0x00000004 dynamically linked \ >(144) belong 0x054ef630 dynamically linked \ >96 belong >0 - not stripped \ \ 0 belong 0x02100108 PA-RISC1.1 shared executable \ >168 belong&0x4 0x4 dynamically linked \ >(144) belong 0x054ef630 dynamically linked \ >96 belong >0 - not stripped \ \ 0 belong 0x0210010b PA-RISC1.1 demand-load executable \ >168 belong&0x4 0x4 dynamically linked \ >(144) belong 0x054ef630 dynamically linked \ >96 belong >0 - not stripped \ \ 0 belong 0x0210010e PA-RISC1.1 shared library \ >96 belong >0 - not stripped \ \ 0 belong 0x0210010d PA-RISC1.1 dynamic load library \ >96 belong >0 - not stripped \ \ #### PA-RISC 2.0 \ 0 belong 0x02140106 PA-RISC2.0 relocatable object \ \ 0 belong 0x02140107 PA-RISC2.0 executable \ >168 belong &0x00000004 dynamically linked \ >(144) belong 0x054ef630 dynamically linked \ >96 belong >0 - not stripped \ \ 0 belong 0x02140108 PA-RISC2.0 shared executable \ >168 belong &0x00000004 dynamically linked \ >(144) belong 0x054ef630 dynamically linked \ >96 belong >0 - not stripped \ \ 0 belong 0x0214010b PA-RISC2.0 demand-load executable \ >168 belong &0x00000004 dynamically linked \ >(144) belong 0x054ef630 dynamically linked \ >96 belong >0 - not stripped \ \ 0 belong 0x0214010e PA-RISC2.0 shared library \ >96 belong >0 - not stripped \ \ 0 belong 0x0214010d PA-RISC2.0 dynamic load library \ >96 belong >0 - not stripped \ \ #### 800 \ 0 belong 0x020b0106 PA-RISC1.0 relocatable object \ \ 0 belong 0x020b0107 PA-RISC1.0 executable \ >168 belong&0x4 0x4 dynamically linked \ >(144) belong 0x054ef630 dynamically linked \ >96 belong >0 - not stripped \ \ 0 belong 0x020b0108 PA-RISC1.0 shared executable \ >168 belong&0x4 0x4 dynamically linked \ >(144) belong 0x054ef630 dynamically linked \ >96 belong >0 - not stripped \ \ 0 belong 0x020b010b PA-RISC1.0 demand-load executable \ >168 belong&0x4 0x4 dynamically linked \ >(144) belong 0x054ef630 dynamically linked \ >96 belong >0 - not stripped \ \ 0 belong 0x020b010e PA-RISC1.0 shared library \ >96 belong >0 - not stripped \ \ 0 belong 0x020b010d PA-RISC1.0 dynamic load library \ >96 belong >0 - not stripped \ \ 0 belong 0x213c6172 archive file \ >68 belong 0x020b0619 - PA-RISC1.0 relocatable library \ >68 belong 0x02100619 - PA-RISC1.1 relocatable library \ >68 belong 0x02110619 - PA-RISC1.2 relocatable library \ >68 belong 0x02140619 - PA-RISC2.0 relocatable library \ \ #### 500 \ 0 long 0x02080106 HP s500 relocatable executable \ >16 long >0 - version %ld \ \ 0 long 0x02080107 HP s500 executable \ >16 long >0 - version %ld \ \ 0 long 0x02080108 HP s500 pure executable \ >16 long >0 - version %ld \ \ #### 200 \ 0 belong 0x020c0108 HP s200 pure executable \ >4 beshort >0 - version %ld \ >8 belong &0x80000000 save fp regs \ >8 belong &0x40000000 dynamically linked \ >8 belong &0x20000000 debuggable \ >36 belong >0 not stripped \ \ 0 belong 0x020c0107 HP s200 executable \ >4 beshort >0 - version %ld \ >8 belong &0x80000000 save fp regs \ >8 belong &0x40000000 dynamically linked \ >8 belong &0x20000000 debuggable \ >36 belong >0 not stripped \ \ 0 belong 0x020c010b HP s200 demand-load executable \ >4 beshort >0 - version %ld \ >8 belong &0x80000000 save fp regs \ >8 belong &0x40000000 dynamically linked \ >8 belong &0x20000000 debuggable \ >36 belong >0 not stripped \ \ 0 belong 0x020c0106 HP s200 relocatable executable \ >4 beshort >0 - version %ld \ >6 beshort >0 - highwater %d \ >8 belong &0x80000000 save fp regs \ >8 belong &0x20000000 debuggable \ >8 belong &0x10000000 PIC \ \ 0 belong 0x020a0108 HP s200 (2.x release) pure executable \ >4 beshort >0 - version %ld \ >36 belong >0 not stripped \ \ 0 belong 0x020a0107 HP s200 (2.x release) executable \ >4 beshort >0 - version %ld \ >36 belong >0 not stripped \ \ 0 belong 0x020c010e HP s200 shared library \ >4 beshort >0 - version %ld \ >6 beshort >0 - highwater %d \ >36 belong >0 not stripped \ \ 0 belong 0x020c010d HP s200 dynamic load library \ >4 beshort >0 - version %ld \ >6 beshort >0 - highwater %d \ >36 belong >0 not stripped \ \ #### MISC \ 0 long 0x0000ff65 HP old archive \ 0 long 0x020aff65 HP s200 old archive \ 0 long 0x020cff65 HP s200 old archive \ 0 long 0x0208ff65 HP s500 old archive \ \ 0 long 0x015821a6 HP core file \ \ 0 long 0x4da7eee8 HP-WINDOWS font \ >8 byte >0 - version %ld \ 0 string Bitmapfile HP Bitmapfile \ \ 0 string IMGfile CIS compimg HP Bitmapfile \ # XXX - see \"lif\" \ #0 short 0x8000 lif file \ 0 long 0x020c010c compiled Lisp \ \ 0 string msgcat01 HP NLS message catalog, \ >8 long >0 %d messages \ \ # addendum to /etc/magic with HP-48sx file-types by phk@data.fls.dk 1jan92 \ 0 string HPHP48- HP48 binary \ >7 byte >0 - Rev %c \ >8 beshort 0x1129 (ADR) \ >8 beshort 0x3329 (REAL) \ >8 beshort 0x5529 (LREAL) \ >8 beshort 0x7729 (COMPLX) \ >8 beshort 0x9d29 (LCOMPLX) \ >8 beshort 0xbf29 (CHAR) \ >8 beshort 0xe829 (ARRAY) \ >8 beshort 0x0a2a (LNKARRAY) \ >8 beshort 0x2c2a (STRING) \ >8 beshort 0x4e2a (HXS) \ >8 beshort 0x742a (LIST) \ >8 beshort 0x962a (DIR) \ >8 beshort 0xb82a (ALG) \ >8 beshort 0xda2a (UNIT) \ >8 beshort 0xfc2a (TAGGED) \ >8 beshort 0x1e2b (GROB) \ >8 beshort 0x402b (LIB) \ >8 beshort 0x622b (BACKUP) \ >8 beshort 0x882b (LIBDATA) \ >8 beshort 0x9d2d (PROG) \ >8 beshort 0xcc2d (CODE) \ >8 beshort 0x482e (GNAME) \ >8 beshort 0x6d2e (LNAME) \ >8 beshort 0x922e (XLIB) \ 0 string %%HP: HP48 text \ >6 string T(0) - T(0) \ >6 string T(1) - T(1) \ >6 string T(2) - T(2) \ >6 string T(3) - T(3) \ >10 string A(D) A(D) \ >10 string A(R) A(R) \ >10 string A(G) A(G) \ >14 string F(.) F(.); \ >14 string F(,) F(,); \ \ # hpBSD magic numbers \ #0 beshort 200 hp200 (68010) BSD \ #>2 beshort 0407 impure binary \ #>2 beshort 0410 read-only binary \ #>2 beshort 0413 demand paged binary \ #0 beshort 300 hp300 (68020+68881) BSD \ #>2 beshort 0407 impure binary \ #>2 beshort 0410 read-only binary \ #>2 beshort 0413 demand paged binary \ # \ # From David Gero \ # HP-UX 10.20 core file format from /usr/include/sys/core.h \ # Unfortunately, HP-UX uses corehead blocks without specifying the order \ # There are four we care about: \ # CORE_KERNEL, which starts with the string \"HP-UX\" \ # CORE_EXEC, which contains the name of the command \ # CORE_PROC, which contains the signal number that caused the core dump \ # CORE_FORMAT, which contains the version of the core file format (== 1) \ # The only observed order in real core files is KERNEL, EXEC, FORMAT, PROC \ # but we include all 6 variations of the order of the first 3, and \ # assume that PROC will always be last \ # Order 1: KERNEL, EXEC, FORMAT, PROC \ 0x10 string HP-UX \ >0 belong 2 \ >>0xC belong 0x3C \ >>>0x4C belong 0x100 \ >>>>0x58 belong 0x44 \ >>>>>0xA0 belong 1 \ >>>>>>0xAC belong 4 \ >>>>>>>0xB0 belong 1 \ >>>>>>>>0xB4 belong 4 core file \ >>>>>>>>>0x90 string >\\0 from '%s' \ >>>>>>>>>0xC4 belong 3 - received SIGQUIT \ >>>>>>>>>0xC4 belong 4 - received SIGILL \ >>>>>>>>>0xC4 belong 5 - received SIGTRAP \ >>>>>>>>>0xC4 belong 6 - received SIGABRT \ >>>>>>>>>0xC4 belong 7 - received SIGEMT \ >>>>>>>>>0xC4 belong 8 - received SIGFPE \ >>>>>>>>>0xC4 belong 10 - received SIGBUS \ >>>>>>>>>0xC4 belong 11 - received SIGSEGV \ >>>>>>>>>0xC4 belong 12 - received SIGSYS \ >>>>>>>>>0xC4 belong 33 - received SIGXCPU \ >>>>>>>>>0xC4 belong 34 - received SIGXFSZ \ # Order 2: KERNEL, FORMAT, EXEC, PROC \ >>>0x4C belong 1 \ >>>>0x58 belong 4 \ >>>>>0x5C belong 1 \ >>>>>>0x60 belong 0x100 \ >>>>>>>0x6C belong 0x44 \ >>>>>>>>0xB4 belong 4 core file \ >>>>>>>>>0xA4 string >\\0 from '%s' \ >>>>>>>>>0xC4 belong 3 - received SIGQUIT \ >>>>>>>>>0xC4 belong 4 - received SIGILL \ >>>>>>>>>0xC4 belong 5 - received SIGTRAP \ >>>>>>>>>0xC4 belong 6 - received SIGABRT \ >>>>>>>>>0xC4 belong 7 - received SIGEMT \ >>>>>>>>>0xC4 belong 8 - received SIGFPE \ >>>>>>>>>0xC4 belong 10 - received SIGBUS \ >>>>>>>>>0xC4 belong 11 - received SIGSEGV \ >>>>>>>>>0xC4 belong 12 - received SIGSYS \ >>>>>>>>>0xC4 belong 33 - received SIGXCPU \ >>>>>>>>>0xC4 belong 34 - received SIGXFSZ \ # Order 3: FORMAT, KERNEL, EXEC, PROC \ 0x24 string HP-UX \ >0 belong 1 \ >>0xC belong 4 \ >>>0x10 belong 1 \ >>>>0x14 belong 2 \ >>>>>0x20 belong 0x3C \ >>>>>>0x60 belong 0x100 \ >>>>>>>0x6C belong 0x44 \ >>>>>>>>0xB4 belong 4 core file \ >>>>>>>>>0xA4 string >\\0 from '%s' \ >>>>>>>>>0xC4 belong 3 - received SIGQUIT \ >>>>>>>>>0xC4 belong 4 - received SIGILL \ >>>>>>>>>0xC4 belong 5 - received SIGTRAP \ >>>>>>>>>0xC4 belong 6 - received SIGABRT \ >>>>>>>>>0xC4 belong 7 - received SIGEMT \ >>>>>>>>>0xC4 belong 8 - received SIGFPE \ >>>>>>>>>0xC4 belong 10 - received SIGBUS \ >>>>>>>>>0xC4 belong 11 - received SIGSEGV \ >>>>>>>>>0xC4 belong 12 - received SIGSYS \ >>>>>>>>>0xC4 belong 33 - received SIGXCPU \ >>>>>>>>>0xC4 belong 34 - received SIGXFSZ \ # Order 4: EXEC, KERNEL, FORMAT, PROC \ 0x64 string HP-UX \ >0 belong 0x100 \ >>0xC belong 0x44 \ >>>0x54 belong 2 \ >>>>0x60 belong 0x3C \ >>>>>0xA0 belong 1 \ >>>>>>0xAC belong 4 \ >>>>>>>0xB0 belong 1 \ >>>>>>>>0xB4 belong 4 core file \ >>>>>>>>>0x44 string >\\0 from '%s' \ >>>>>>>>>0xC4 belong 3 - received SIGQUIT \ >>>>>>>>>0xC4 belong 4 - received SIGILL \ >>>>>>>>>0xC4 belong 5 - received SIGTRAP \ >>>>>>>>>0xC4 belong 6 - received SIGABRT \ >>>>>>>>>0xC4 belong 7 - received SIGEMT \ >>>>>>>>>0xC4 belong 8 - received SIGFPE \ >>>>>>>>>0xC4 belong 10 - received SIGBUS \ >>>>>>>>>0xC4 belong 11 - received SIGSEGV \ >>>>>>>>>0xC4 belong 12 - received SIGSYS \ >>>>>>>>>0xC4 belong 33 - received SIGXCPU \ >>>>>>>>>0xC4 belong 34 - received SIGXFSZ \ # Order 5: FORMAT, EXEC, KERNEL, PROC \ 0x78 string HP-UX \ >0 belong 1 \ >>0xC belong 4 \ >>>0x10 belong 1 \ >>>>0x14 belong 0x100 \ >>>>>0x20 belong 0x44 \ >>>>>>0x68 belong 2 \ >>>>>>>0x74 belong 0x3C \ >>>>>>>>0xB4 belong 4 core file \ >>>>>>>>>0x58 string >\\0 from '%s' \ >>>>>>>>>0xC4 belong 3 - received SIGQUIT \ >>>>>>>>>0xC4 belong 4 - received SIGILL \ >>>>>>>>>0xC4 belong 5 - received SIGTRAP \ >>>>>>>>>0xC4 belong 6 - received SIGABRT \ >>>>>>>>>0xC4 belong 7 - received SIGEMT \ >>>>>>>>>0xC4 belong 8 - received SIGFPE \ >>>>>>>>>0xC4 belong 10 - received SIGBUS \ >>>>>>>>>0xC4 belong 11 - received SIGSEGV \ >>>>>>>>>0xC4 belong 12 - received SIGSYS \ >>>>>>>>>0xC4 belong 33 - received SIGXCPU \ >>>>>>>>>0xC4 belong 34 - received SIGXFSZ \ # Order 6: EXEC, FORMAT, KERNEL, PROC \ >0 belong 0x100 \ >>0xC belong 0x44 \ >>>0x54 belong 1 \ >>>>0x60 belong 4 \ >>>>>0x64 belong 1 \ >>>>>>0x68 belong 2 \ >>>>>>>0x74 belong 0x2C \ >>>>>>>>0xB4 belong 4 core file \ >>>>>>>>>0x44 string >\\0 from '%s' \ >>>>>>>>>0xC4 belong 3 - received SIGQUIT \ >>>>>>>>>0xC4 belong 4 - received SIGILL \ >>>>>>>>>0xC4 belong 5 - received SIGTRAP \ >>>>>>>>>0xC4 belong 6 - received SIGABRT \ >>>>>>>>>0xC4 belong 7 - received SIGEMT \ >>>>>>>>>0xC4 belong 8 - received SIGFPE \ >>>>>>>>>0xC4 belong 10 - received SIGBUS \ >>>>>>>>>0xC4 belong 11 - received SIGSEGV \ >>>>>>>>>0xC4 belong 12 - received SIGSYS \ >>>>>>>>>0xC4 belong 33 - received SIGXCPU \ >>>>>>>>>0xC4 belong 34 - received SIGXFSZ \ \ #------------------------------------------------------------------------------ \ # ibm370: file(1) magic for IBM 370 and compatibles. \ # \ # \"ibm370\" said that 0x15d == 0535 was \"ibm 370 pure executable\". \ # What the heck *is* \"USS/370\"? \ # AIX 4.1's \"/etc/magic\" has \ # \ # 0 short 0535 370 sysV executable \ # >12 long >0 not stripped \ # >22 short >0 - version %d \ # >30 long >0 - 5.2 format \ # 0 short 0530 370 sysV pure executable \ # >12 long >0 not stripped \ # >22 short >0 - version %d \ # >30 long >0 - 5.2 format \ # \ # instead of the \"USS/370\" versions of the same magic numbers. \ # \ 0 beshort 0537 370 XA sysV executable \ >12 belong >0 not stripped \ >22 beshort >0 - version %d \ >30 belong >0 - 5.2 format \ 0 beshort 0532 370 XA sysV pure executable \ >12 belong >0 not stripped \ >22 beshort >0 - version %d \ >30 belong >0 - 5.2 format \ 0 beshort 054001 370 sysV pure executable \ >12 belong >0 not stripped \ 0 beshort 055001 370 XA sysV pure executable \ >12 belong >0 not stripped \ 0 beshort 056401 370 sysV executable \ >12 belong >0 not stripped \ 0 beshort 057401 370 XA sysV executable \ >12 belong >0 not stripped \ 0 beshort 0531 SVR2 executable (Amdahl-UTS) \ >12 belong >0 not stripped \ >24 belong >0 - version %ld \ 0 beshort 0534 SVR2 pure executable (Amdahl-UTS) \ >12 belong >0 not stripped \ >24 belong >0 - version %ld \ 0 beshort 0530 SVR2 pure executable (USS/370) \ >12 belong >0 not stripped \ >24 belong >0 - version %ld \ 0 beshort 0535 SVR2 executable (USS/370) \ >12 belong >0 not stripped \ >24 belong >0 - version %ld \ \ #------------------------------------------------------------------------------ \ # ibm6000: file(1) magic for RS/6000 and the RT PC. \ # \ 0 beshort 0x01df executable (RISC System/6000 V3.1) or obj module \ >12 belong >0 not stripped \ # Breaks sun4 statically linked execs. \ #0 beshort 0x0103 executable (RT Version 2) or obj module \ #>2 byte 0x50 pure \ #>28 belong >0 not stripped \ #>6 beshort >0 - version %ld \ 0 beshort 0x0104 shared library \ 0 beshort 0x0105 ctab data \ 0 beshort 0xfe04 structured file \ 0 string 0xabcdef AIX message catalog \ 0 belong 0x000001f9 AIX compiled message catalog \ 0 string \\ archive \ \ #------------------------------------------------------------------------------ \ # iff: file(1) magic for Interchange File Format (see also \"audio\" & \"images\") \ # \ # Daniel Quinlan (quinlan@yggdrasil.com) -- IFF was designed by Electronic \ # Arts for file interchange. It has also been used by Apple, SGI, and \ # especially Commodore-Amiga. \ # \ # IFF files begin with an 8 byte FORM header, followed by a 4 character \ # FORM type, which is followed by the first chunk in the FORM. \ \ 0 string FORM IFF data \ #>4 belong x \\b, FORM is %d bytes long \ # audio formats \ >8 string AIFF \\b, AIFF audio \ >8 string AIFC \\b, AIFF-C compressed audio \ >8 string 8SVX \\b, 8SVX 8-bit sampled sound voice \ >8 string SAMP \\b, SAMP sampled audio \ # image formats \ >8 string ILBMBMHD \\b, ILBM interleaved image \ >>20 beshort x \\b, %d x \ >>22 beshort x %d \ >8 string RGBN \\b, RGBN 12-bit RGB image \ >8 string RGB8 \\b, RGB8 24-bit RGB image \ >8 string DR2D \\b, DR2D 2-D object \ >8 string TDDD \\b, TDDD 3-D rendering \ # other formats \ >8 string FTXT \\b, FTXT formatted text \ \ #------------------------------------------------------------------------------ \ # images: file(1) magic for image formats (see also \"iff\") \ # \ # originally from jef@helios.ee.lbl.gov (Jef Poskanzer), \ # additions by janl@ifi.uio.no as well as others. Jan also suggested \ # merging several one- and two-line files into here. \ # \ # little magic: PCX (first byte is 0x0a) \ \ # Targa - matches `povray', `ppmtotga' and `xv' outputs \ # by Philippe De Muyter \ # at 2, byte ImgType must be 1, 2, 3, 9, 10 or 11 \ # at 1, byte CoMapType must be 1 if ImgType is 1 or 9, 0 otherwise \ # at 3, leshort Index is 0 for povray, ppmtotga and xv outputs \ # `xv' recognizes only a subset of the following (RGB with pixelsize = 24) \ # `tgatoppm' recognizes a superset (Index may be anything) \ 1 belong&0xfff7ffff 0x01010000 Targa image data - Map \ >2 byte&8 8 - RLE \ 1 belong&0xfff7ffff 0x00020000 Targa image data - RGB \ >2 byte&8 8 - RLE \ 1 belong&0xfff7ffff 0x00030000 Targa image data - Mono \ >2 byte&8 8 - RLE \ \ # PBMPLUS images \ # The next byte following the magic is always whitespace. \ 0 string P1 Netpbm PBM image text \ 0 string P2 Netpbm PGM image text \ 0 string P3 Netpbm PPM image text \ 0 string P4 Netpbm PBM \"rawbits\" image data \ 0 string P5 Netpbm PGM \"rawbits\" image data \ 0 string P6 Netpbm PPM \"rawbits\" image data \ 0 string P7 Netpbm PAM image file \ \ # From: bryanh@giraffe-data.com (Bryan Henderson) \ 0 string \\117\\072 Solitaire Image Recorder format \ >4 string \\013 MGI Type 11 \ >4 string \\021 MGI Type 17 \ 0 string .MDA MicroDesign data \ >21 byte 48 version 2 \ >21 byte 51 version 3 \ 0 string .MDP MicroDesign page data \ >21 byte 48 version 2 \ >21 byte 51 version 3 \ \ # NIFF (Navy Interchange File Format, a modification of TIFF) images \ 0 string IIN1 NIFF image data \ \ # Tag Image File Format, from Daniel Quinlan (quinlan@yggdrasil.com) \ # The second word of TIFF files is the TIFF version number, 42, which has \ # never changed. The TIFF specification recommends testing for it. \ 0 string MM\\x00\\x2a TIFF image data, big-endian \ 0 string II\\x2a\\x00 TIFF image data, little-endian \ \ # PNG [Portable Network Graphics, or \"PNG's Not GIF\"] images \ # (Greg Roelofs, newt@uchicago.edu) \ # (Albert Cahalan, acahalan@cs.uml.edu) \ # \ # 137 P N G \\r \\n ^Z \\n [4-byte length] H E A D [HEAD data] [HEAD crc] ... \ # \ 0 string \\x89PNG PNG image data, \ >4 belong !0x0d0a1a0a CORRUPTED, \ >4 belong 0x0d0a1a0a \ >>16 belong x %ld x \ >>20 belong x %ld, \ >>24 byte x %d-bit \ >>25 byte 0 grayscale, \ >>25 byte 2 \\b/color RGB, \ >>25 byte 3 colormap, \ >>25 byte 4 gray+alpha, \ >>25 byte 6 \\b/color RGBA, \ #>>26 byte 0 deflate/32K, \ >>28 byte 0 non-interlaced \ >>28 byte 1 interlaced \ 1 string PNG PNG image data, CORRUPTED \ \ # GIF \ 0 string GIF8 GIF image data \ >4 string 7a \\b, version 8%s, \ >4 string 9a \\b, version 8%s, \ >6 leshort >0 %hd x \ >8 leshort >0 %hd, \ #>10 byte &0x80 color mapped, \ #>10 byte&0x07 =0x00 2 colors \ #>10 byte&0x07 =0x01 4 colors \ #>10 byte&0x07 =0x02 8 colors \ #>10 byte&0x07 =0x03 16 colors \ #>10 byte&0x07 =0x04 32 colors \ #>10 byte&0x07 =0x05 64 colors \ #>10 byte&0x07 =0x06 128 colors \ #>10 byte&0x07 =0x07 256 colors \ \ # ITC (CMU WM) raster files. It is essentially a byte-reversed Sun raster, \ # 1 plane, no encoding. \ 0 string \\361\\0\\100\\273 CMU window manager raster image data \ >4 lelong >0 %d x \ >8 lelong >0 %d, \ >12 lelong >0 %d-bit \ \ # Magick Image File Format \ 0 string id=ImageMagick MIFF image data \ \ # Artisan \ 0 long 1123028772 Artisan image data \ >4 long 1 \\b, rectangular 24-bit \ >4 long 2 \\b, rectangular 8-bit with colormap \ >4 long 3 \\b, rectangular 32-bit (24-bit with matte) \ \ # FIG (Facility for Interactive Generation of figures), an object-based format \ 0 string #FIG FIG image text \ >5 string x \\b, version %.3s \ \ # PHIGS \ 0 string ARF_BEGARF PHIGS clear text archive \ 0 string @(#)SunPHIGS SunPHIGS \ # version number follows, in the form m.n \ >40 string SunBin binary \ >32 string archive archive \ \ # GKS (Graphics Kernel System) \ 0 string GKSM GKS Metafile \ >24 string SunGKS \\b, SunGKS \ \ # CGM image files \ 0 string BEGMF clear text Computer Graphics Metafile \ # XXX - questionable magic \ 0 beshort&0xffe0 0x0020 binary Computer Graphics Metafile \ 0 beshort 0x3020 character Computer Graphics Metafile \ \ # MGR bitmaps (Michael Haardt, u31b3hs@pool.informatik.rwth-aachen.de) \ 0 string yz MGR bitmap, modern format, 8-bit aligned \ 0 string zz MGR bitmap, old format, 1-bit deep, 16-bit aligned \ 0 string xz MGR bitmap, old format, 1-bit deep, 32-bit aligned \ 0 string yx MGR bitmap, modern format, squeezed \ \ # Fuzzy Bitmap (FBM) images \ 0 string %bitmap\\0 FBM image data \ >30 long 0x31 \\b, mono \ >30 long 0x33 \\b, color \ \ # facsimile data \ 1 string PC\\ Research,\\ Inc group 3 fax data \ >29 byte 0 \\b, normal resolution (204x98 DPI) \ >29 byte 1 \\b, fine resolution (204x196 DPI) \ \ # PC bitmaps (OS/2, Windoze BMP files) (Greg Roelofs, newt@uchicago.edu) \ 0 string BM PC bitmap data \ >14 leshort 12 \\b, OS/2 1.x format \ >>18 leshort x \\b, %d x \ >>20 leshort x %d \ >14 leshort 64 \\b, OS/2 2.x format \ >>18 leshort x \\b, %d x \ >>20 leshort x %d \ >14 leshort 40 \\b, Windows 3.x format \ >>18 lelong x \\b, %d x \ >>22 lelong x %d x \ >>28 leshort x %d \ 0 string IC PC icon data \ 0 string PI PC pointer image data \ 0 string CI PC color icon data \ 0 string CP PC color pointer image data \ # Conflicts with other entries [BABYL] \ #0 string BA PC bitmap array data \ \ # XPM icons (Greg Roelofs, newt@uchicago.edu) \ # note possible collision with C/REXX entry in c-lang; currently commented out \ 0 string /*\\ XPM\\ */ X pixmap image text \ \ # Utah Raster Toolkit RLE images (janl@ifi.uio.no) \ 0 leshort 0xcc52 RLE image data, \ >6 leshort x %d x \ >8 leshort x %d \ >2 leshort >0 \\b, lower left corner: %d \ >4 leshort >0 \\b, lower right corner: %d \ >10 byte&0x1 =0x1 \\b, clear first \ >10 byte&0x2 =0x2 \\b, no background \ >10 byte&0x4 =0x4 \\b, alpha channel \ >10 byte&0x8 =0x8 \\b, comment \ >11 byte >0 \\b, %d color channels \ >12 byte >0 \\b, %d bits per pixel \ >13 byte >0 \\b, %d color map channels \ \ # image file format (Robert Potter, potter@cs.rochester.edu) \ 0 string Imagefile\\ version- iff image data \ # this adds the whole header (inc. version number), informative but longish \ >10 string >\\0 %s \ \ # Sun raster images, from Daniel Quinlan (quinlan@yggdrasil.com) \ 0 belong 0x59a66a95 Sun raster image data \ >4 belong >0 \\b, %d x \ >8 belong >0 %d, \ >12 belong >0 %d-bit, \ #>16 belong >0 %d bytes long, \ >20 belong 0 old format, \ #>20 belong 1 standard, \ >20 belong 2 compressed, \ >20 belong 3 RGB, \ >20 belong 4 TIFF, \ >20 belong 5 IFF, \ >20 belong 0xffff reserved for testing, \ >24 belong 0 no colormap \ >24 belong 1 RGB colormap \ >24 belong 2 raw colormap \ #>28 belong >0 colormap is %d bytes long \ \ # SGI image file format, from Daniel Quinlan (quinlan@yggdrasil.com) \ # \ # See \ # http://reality.sgi.com/grafica/sgiimage.html \ # \ 0 beshort 474 SGI image data \ #>2 byte 0 \\b, verbatim \ >2 byte 1 \\b, RLE \ #>3 byte 1 \\b, normal precision \ >3 byte 2 \\b, high precision \ >4 beshort x \\b, %d-D \ >6 beshort x \\b, %d x \ >8 beshort x %d \ >10 beshort x \\b, %d channel \ >10 beshort !1 \\bs \ >80 string >0 \\b, \"%s\" \ \ 0 string IT01 FIT image data \ >4 belong x \\b, %d x \ >8 belong x %d x \ >12 belong x %d \ # \ 0 string IT02 FIT image data \ >4 belong x \\b, %d x \ >8 belong x %d x \ >12 belong x %d \ # \ 2048 string PCD_IPI Kodak Photo CD image pack file \ >0xe02 byte&0x03 0x00 , landscape mode \ >0xe02 byte&0x03 0x01 , portrait mode \ >0xe02 byte&0x03 0x02 , landscape mode \ >0xe02 byte&0x03 0x03 , portrait mode \ 0 string PCD_OPA Kodak Photo CD overview pack file \ \ # FITS format. Jeff Uphoff \ # FITS is the Flexible Image Transport System, the de facto standard for \ # data and image transfer, storage, etc., for the astronomical community. \ # (FITS floating point formats are big-endian.) \ 0 string SIMPLE\\ \\ = FITS image data \ >109 string 8 \\b, 8-bit, character or unsigned binary integer \ >108 string 16 \\b, 16-bit, two's complement binary integer \ >107 string \\ 32 \\b, 32-bit, two's complement binary integer \ >107 string -32 \\b, 32-bit, floating point, single precision \ >107 string -64 \\b, 64-bit, floating point, double precision \ \ # other images \ 0 string This\\ is\\ a\\ BitMap\\ file Lisp Machine bit-array-file \ 0 string !! Bennet Yee's \"face\" format \ \ # From SunOS 5.5.1 \"/etc/magic\" - appeared right before Sun raster image \ # stuff. \ # \ 0 beshort 0x1010 PEX Binary Archive \ \ # Visio drawings \ 03000 string Visio\\ (TM)\\ Drawing %s \ \ # Tgif files \ 0 string \\%TGIF\\ x Tgif file version %s \ \ # DICOM medical imaging data \ 128 string DICM DICOM medical imaging data \ \ # XWD - X-Windows Dump file. \ # As described in /usr/X11R6/include/X11/XWDFile.h \ # used by the xwd program. \ # Bradford Castalia, idaeim, 1/01 \ 4 belong 7 XWD X-Windows Dump image data \ >100 string >\\0 \\b, \"%s\" \ >16 belong x \\b, %dx \ >20 belong x \\b%dx \ >12 belong x \\b%d \ \ # PDS - Planetary Data System \ # These files use Parameter Value Language in the header section. \ # Unfortunately, there is no certain magic, but the following \ # strings have been found to be most likely. \ 0 string NJPL1I00 PDS (JPL) image data \ 2 string NJPL1I PDS (JPL) image data \ 0 string CCSD3ZF PDS (CCSD) image data \ 2 string CCSD3Z PDS (CCSD) image data \ 0 string PDS_ PDS image data \ 0 string LBLSIZE= PDS (VICAR) image data \ \ # pM8x: ATARI STAD compressed bitmap format \ # \ # from Oskar Schirmer Feb 2, 2001 \ # p M 8 5/6 xx yy zz data... \ # Atari ST STAD bitmap is always 640x400, bytewise runlength compressed. \ # bytes either run horizontally (pM85) or vertically (pM86). yy is the \ # most frequent byte, xx and zz are runlength escape codes, where xx is \ # used for runs of yy. \ # \ 0 string pM85 Atari ST STAD bitmap image data (hor) \ >5 byte 0x00 (white background) \ >5 byte 0xFF (black background) \ 0 string pM86 Atari ST STAD bitmap image data (vert) \ >5 byte 0x00 (white background) \ >5 byte 0xFF (black background) \ \ # XXX: \ # This is bad magic 0x5249 == 'RI' conflicts with RIFF and other \ # magic. \ # SGI RICE image file \ #0 beshort 0x5249 RICE image \ #>2 beshort x v%d \ #>4 beshort x (%d x \ #>6 beshort x %d) \ #>8 beshort 0 8 bit \ #>8 beshort 1 10 bit \ #>8 beshort 2 12 bit \ #>8 beshort 3 13 bit \ #>10 beshort 0 4:2:2 \ #>10 beshort 1 4:2:2:4 \ #>10 beshort 2 4:4:4 \ #>10 beshort 3 4:4:4:4 \ #>12 beshort 1 RGB \ #>12 beshort 2 CCIR601 \ #>12 beshort 3 RP175 \ #>12 beshort 4 YUV \ \ #------------------------------------------------------------------------------ \ # \ # Marco Schmidt (marcoschmidt@users.sourceforge.net) -- an image file format \ # for the EPOC operating system, which is used with PDAs like those from Psion \ # \ # see http://huizen.dds.nl/~frodol/psiconv/html/Index.html for a description \ # of various EPOC file formats \ \ 0 string \\x37\\x00\\x00\\x10\\x42\\x00\\x00\\x10\\x00\\x00\\x00\\x00\\x39\\x64\\x39\\x47 EPOC MBM image file \ \ #------------------------------------------------------------------------------ \ # intel: file(1) magic for x86 Unix \ # \ # Various flavors of x86 UNIX executable/object (other than Xenix, which \ # is in \"microsoft\"). DOS is in \"msdos\"; the ambitious soul can do \ # Windows as well. \ # \ # Windows NT belongs elsewhere, as you need x86 and MIPS and Alpha and \ # whatever comes next (HP-PA Hummingbird?). OS/2 may also go elsewhere \ # as well, if, as, and when IBM makes it portable. \ # \ # The `versions' should be un-commented if they work for you. \ # (Was the problem just one of endianness?) \ # \ 0 leshort 0502 basic-16 executable \ >12 lelong >0 not stripped \ #>22 leshort >0 - version %ld \ 0 leshort 0503 basic-16 executable (TV) \ >12 lelong >0 not stripped \ #>22 leshort >0 - version %ld \ 0 leshort 0510 x86 executable \ >12 lelong >0 not stripped \ 0 leshort 0511 x86 executable (TV) \ >12 lelong >0 not stripped \ 0 leshort =0512 iAPX 286 executable small model (COFF) \ >12 lelong >0 not stripped \ #>22 leshort >0 - version %ld \ 0 leshort =0522 iAPX 286 executable large model (COFF) \ >12 lelong >0 not stripped \ #>22 leshort >0 - version %ld \ # SGI labeled the next entry as \"iAPX 386 executable\" --Dan Quinlan \ 0 leshort =0514 80386 COFF executable \ >12 lelong >0 not stripped \ >22 leshort >0 - version %ld \ \ #------------------------------------------------------------------------------ \ # interleaf: file(1) magic for InterLeaf TPS: \ # \ 0 string =\\210OPS Interleaf saved data \ 0 string =5 string ,\\ Version\\ = \\b, version \ >>17 string >\\0 %.3s \ \ #------------------------------------------------------------------------------ \ # island: file(1) magic for IslandWite/IslandDraw, from SunOS 5.5.1 \ # \"/etc/magic\": \ # From: guy@netapp.com (Guy Harris) \ # \ 4 string pgscriptver IslandWrite document \ 13 string DrawFile IslandDraw document \ \ \ #------------------------------------------------------------------------------ \ # ispell: file(1) magic for ispell \ # \ # Ispell 3.0 has a magic of 0x9601 and ispell 3.1 has 0x9602. This magic \ # will match 0x9600 through 0x9603 in *both* little endian and big endian. \ # (No other current magic entries collide.) \ # \ # Updated by Daniel Quinlan (quinlan@yggdrasil.com) \ # \ 0 leshort&0xFFFC 0x9600 little endian ispell \ >0 byte 0 hash file (?), \ >0 byte 1 3.0 hash file, \ >0 byte 2 3.1 hash file, \ >0 byte 3 hash file (?), \ >2 leshort 0x00 8-bit, no capitalization, 26 flags \ >2 leshort 0x01 7-bit, no capitalization, 26 flags \ >2 leshort 0x02 8-bit, capitalization, 26 flags \ >2 leshort 0x03 7-bit, capitalization, 26 flags \ >2 leshort 0x04 8-bit, no capitalization, 52 flags \ >2 leshort 0x05 7-bit, no capitalization, 52 flags \ >2 leshort 0x06 8-bit, capitalization, 52 flags \ >2 leshort 0x07 7-bit, capitalization, 52 flags \ >2 leshort 0x08 8-bit, no capitalization, 128 flags \ >2 leshort 0x09 7-bit, no capitalization, 128 flags \ >2 leshort 0x0A 8-bit, capitalization, 128 flags \ >2 leshort 0x0B 7-bit, capitalization, 128 flags \ >2 leshort 0x0C 8-bit, no capitalization, 256 flags \ >2 leshort 0x0D 7-bit, no capitalization, 256 flags \ >2 leshort 0x0E 8-bit, capitalization, 256 flags \ >2 leshort 0x0F 7-bit, capitalization, 256 flags \ >4 leshort >0 and %d string characters \ 0 beshort&0xFFFC 0x9600 big endian ispell \ >1 byte 0 hash file (?), \ >1 byte 1 3.0 hash file, \ >1 byte 2 3.1 hash file, \ >1 byte 3 hash file (?), \ >2 beshort 0x00 8-bit, no capitalization, 26 flags \ >2 beshort 0x01 7-bit, no capitalization, 26 flags \ >2 beshort 0x02 8-bit, capitalization, 26 flags \ >2 beshort 0x03 7-bit, capitalization, 26 flags \ >2 beshort 0x04 8-bit, no capitalization, 52 flags \ >2 beshort 0x05 7-bit, no capitalization, 52 flags \ >2 beshort 0x06 8-bit, capitalization, 52 flags \ >2 beshort 0x07 7-bit, capitalization, 52 flags \ >2 beshort 0x08 8-bit, no capitalization, 128 flags \ >2 beshort 0x09 7-bit, no capitalization, 128 flags \ >2 beshort 0x0A 8-bit, capitalization, 128 flags \ >2 beshort 0x0B 7-bit, capitalization, 128 flags \ >2 beshort 0x0C 8-bit, no capitalization, 256 flags \ >2 beshort 0x0D 7-bit, no capitalization, 256 flags \ >2 beshort 0x0E 8-bit, capitalization, 256 flags \ >2 beshort 0x0F 7-bit, capitalization, 256 flags \ >4 beshort >0 and %d string characters \ # ispell 4.0 hash files kromJx \ # Ispell 4.0 \ 0 string ISPL ispell \ >4 long x hash file version %d, \ >8 long x lexletters %d, \ >12 long x lexsize %d, \ >16 long x hashsize %d, \ >20 long x stblsize %d \ #------------------------------------------------------------ \ # Java ByteCode \ # From Larry Schwimmer (schwim@cs.stanford.edu) \ 0 belong 0xcafebabe compiled Java class data, \ >6 beshort x version %d. \ >4 beshort x \\b%d \ #------------------------------------------------------------ \ # Java serialization \ # From Martin Pool (m.pool@pharos.com.au) \ 0 beshort 0xaced Java serialization data \ >2 beshort >0x0004 \\b, version %d \ \ #------------------------------------------------------------------------------ \ # JPEG images \ # SunOS 5.5.1 had \ # \ # 0 string \\377\\330\\377\\340 JPEG file \ # 0 string \\377\\330\\377\\356 JPG file \ # \ # both of which turn into \"JPEG image data\" here. \ # \ 0 beshort 0xffd8 JPEG image data \ >6 string JFIF \\b, JFIF standard \ >6 string Exif \\b, EXIF standard \ # The following added by Erik Rossen 1999-09-06 \ # in a vain attempt to add image size reporting for JFIF. Note that these \ # tests are not fool-proof since some perfectly valid JPEGs are currently \ # impossible to specify in magic(4) format. \ # First, a little JFIF version info: \ >11 byte x \\b %d. \ >12 byte x \\b%02d \ # Next, the resolution or aspect ratio of the image: \ >13 byte 0 \\b, aspect ratio \ >13 byte 1 \\b, resolution (DPI) \ >13 byte 2 \\b, resolution (DPCM) \ #>4 beshort x \\b, segment length %d \ # Next, show thumbnail info, if it exists: \ >18 byte !0 \\b, thumbnail %dx \ >>19 byte x \\b%d \ # Here things get sticky. We can do ONE MORE marker segment with \ # indirect addressing, and that's all. It would be great if we could \ # do pointer arithemetic like in an assembler language. Christos? \ # And if there was some sort of looping construct to do searches, plus a few \ # named accumulators, it would be even more effective... \ # At least we can show a comment if no other segments got inserted before: \ >(4.S+5) byte 0xFE \ >>(4.S+8) string >\\0 \\b, \"%s\" \ #>(4.S+5) byte 0xFE \\b, comment \ #>>(4.S+6) beshort x \\b length=%d \ #>>(4.S+8) string >\\0 \\b, \"%s\" \ # Or, we can show the encoding type (I've included only the three most common) \ # and image dimensions if we are lucky and the SOFn (image segment) is here: \ >(4.S+5) byte 0xC0 \\b, baseline \ >>(4.S+6) byte x \\b, precision %d \ >>(4.S+7) beshort x \\b, %dx \ >>(4.S+9) beshort x \\b%d \ >(4.S+5) byte 0xC1 \\b, extended sequential \ >>(4.S+6) byte x \\b, precision %d \ >>(4.S+7) beshort x \\b, %dx \ >>(4.S+9) beshort x \\b%d \ >(4.S+5) byte 0xC2 \\b, progressive \ >>(4.S+6) byte x \\b, precision %d \ >>(4.S+7) beshort x \\b, %dx \ >>(4.S+9) beshort x \\b%d \ # I've commented-out quantisation table reporting. I doubt anyone cares yet. \ #>(4.S+5) byte 0xDB \\b, quantisation table \ #>>(4.S+6) beshort x \\b length=%d \ >14 beshort x \\b, %d x \ >16 beshort x \\b %d \ \ # HSI is Handmade Software's proprietary JPEG encoding scheme \ 0 string hsi1 JPEG image data, HSI proprietary \ \ #------------------------------------------------------------------------------ \ # karma: file(1) magic for Karma data files \ # \ # From \ \ 0 string KarmaRHD Version Karma Data Structure Version \ >16 belong x %lu \ #------------------------------------------------------------------------------ \ # DEC SRC Virtual Paper: Lectern files \ # Karl M. Hegbloom \ 0 string lect DEC SRC Virtual Paper Lectern file \ \ #------------------------------------------------------------------------------ \ # lex: file(1) magic for lex \ # \ # derived empirically, your offsets may vary! \ 53 string yyprevious C program text (from lex) \ >3 string >\\0 for %s \ # C program text from GNU flex, from Daniel Quinlan \ 21 string generated\\ by\\ flex C program text (from flex) \ # lex description file, from Daniel Quinlan \ 0 string %{ lex description text \ \ #------------------------------------------------------------------------------ \ # lif: file(1) magic for lif \ # \ # (Daniel Quinlan ) \ # \ 0 beshort 0x8000 lif file \ \ #------------------------------------------------------------------------------ \ # linux: file(1) magic for Linux files \ # \ # Values for Linux/i386 binaries, from Daniel Quinlan \ # The following basic Linux magic is useful for reference, but using \ # \"long\" magic is a better practice in order to avoid collisions. \ # \ # 2 leshort 100 Linux/i386 \ # >0 leshort 0407 impure executable (OMAGIC) \ # >0 leshort 0410 pure executable (NMAGIC) \ # >0 leshort 0413 demand-paged executable (ZMAGIC) \ # >0 leshort 0314 demand-paged executable (QMAGIC) \ # \ 0 lelong 0x00640107 Linux/i386 impure executable (OMAGIC) \ >16 lelong 0 \\b, stripped \ 0 lelong 0x00640108 Linux/i386 pure executable (NMAGIC) \ >16 lelong 0 \\b, stripped \ 0 lelong 0x0064010b Linux/i386 demand-paged executable (ZMAGIC) \ >16 lelong 0 \\b, stripped \ 0 lelong 0x006400cc Linux/i386 demand-paged executable (QMAGIC) \ >16 lelong 0 \\b, stripped \ # \ 0 string \\007\\001\\000 Linux/i386 object file \ >20 lelong >0x1020 \\b, DLL library \ # Linux-8086 stuff: \ 0 string \\01\\03\\020\\04 Linux-8086 impure executable \ >28 long !0 not stripped \ 0 string \\01\\03\\040\\04 Linux-8086 executable \ >28 long !0 not stripped \ # \ 0 string \\243\\206\\001\\0 Linux-8086 object file \ # \ 0 string \\01\\03\\020\\20 Minix-386 impure executable \ >28 long !0 not stripped \ 0 string \\01\\03\\040\\20 Minix-386 executable \ >28 long !0 not stripped \ # core dump file, from Bill Reynolds \ 216 lelong 0421 Linux/i386 core file \ >220 string >\\0 of '%s' \ >200 lelong >0 (signal %d) \ # \ # LILO boot/chain loaders, from Daniel Quinlan \ # this can be overridden by the DOS executable (COM) entry \ 2 string LILO Linux/i386 LILO boot/chain loader \ # \ # Debian Packages, from Peter Tobias \ 0 string 0.9 \ >8 byte 0x0a old Debian Binary Package \ >>3 byte >0 \\b, created by dpkg 0.9%c \ >>4 byte >0 pl%c \ # PSF fonts, from H. Peter Anvin \ 0 leshort 0x0436 Linux/i386 PC Screen Font data, \ >2 byte 0 256 characters, no directory, \ >2 byte 1 512 characters, no directory, \ >2 byte 2 256 characters, Unicode directory, \ >2 byte 3 512 characters, Unicode directory, \ >3 byte >0 8x%d \ # Linux swap file, from Daniel Quinlan \ 4086 string SWAP-SPACE Linux/i386 swap file \ # ECOFF magic for OSF/1 and Linux (only tested under Linux though) \ # \ # from Erik Troan (ewt@redhat.com) examining od dumps, so this \ # could be wrong \ # updated by David Mosberger (davidm@azstarnet.com) based on \ # GNU BFD and MIPS info found below. \ # \ 0 leshort 0x0183 ECOFF alpha \ >24 leshort 0407 executable \ >24 leshort 0410 pure \ >24 leshort 0413 demand paged \ >8 long >0 not stripped \ >8 long 0 stripped \ >23 leshort >0 - version %ld. \ # \ # Linux kernel boot images, from Albert Cahalan \ # and others such as Axel Kohlmeyer \ # and Nicolás Lichtmaier \ # All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29 \ 514 string HdrS Linux kernel \ >518 leshort >0 \ >>529 byte 0 zImage data, \ >>529 byte 1 bzImage data, \ >0x048c byte 0x31 \ >>0x048c string x version %s \ >0x0493 byte 0x31 \ >>0x0493 string x version %s \ >0x048c byte 0x32 \ >>0x048c string x version %s \ >0x0493 byte 0x32 \ >>0x0493 string x version %s \ >0x04df byte 0x32 \ >>0x04df string x version %s \ >0x04fb byte 0x32 \ >>0x04fb string x version %s \ # This also matches new kernels, which were caught above by \"HdrS\". \ 0 belong 0xb8c0078e Linux kernel \ >0x1e3 string Loading version 1.3.79 or older \ >0x1e9 string Loading from prehistoric times \ # LSM entries - Nicolás Lichtmaier \ 0 string Begin3 Linux Software Map entry text \ \ #------------------------------------------------------------------------------ \ # lisp: file(1) magic for lisp programs \ # \ # various lisp types, from Daniel Quinlan (quinlan@yggdrasil.com) \ 0 string ;; Lisp/Scheme program text \ # Emacs 18 - this is always correct, but not very magical. \ 0 string \\012( byte-compiled Emacs-Lisp program data \ # Emacs 19+ - ver. recognition added by Ian Springer \ 0 string ;ELC byte-compiled Emacs-Lisp program data, \ >4 byte >0 version %d \ # \ # Files produced by CLISP Common Lisp From: Bruno Haible \ 0 string (SYSTEM::VERSION\\040' CLISP byte-compiled Lisp program text \ 0 long 0x70768BD2 CLISP memory image data \ 0 long 0xD28B7670 CLISP memory image data, other endian \ # Files produced by GNU gettext \ 0 long 0xDE120495 GNU-format message catalog data \ 0 long 0x950412DE GNU-format message catalog data \ \ #.com and .bin for MIT scheme \ 0 string \\372\\372\\372\\372 MIT scheme (library?) \ #------------------------------------------------------------------------------ \ # mach file description \ # \ 0 belong 0xcafebabe Mach-O fat file \ >4 belong 1 with 1 architecture \ >4 belong >1 \ >>4 belong x with %ld architectures \ # \ 0 belong 0xfeedface Mach-O \ >12 belong 1 object \ >12 belong 2 executable \ >12 belong 3 shared library \ >12 belong 4 core \ >12 belong 5 preload executable \ >12 belong >5 \ >>12 belong x filetype=%ld \ >4 belong <0 \ >>4 belong x architecture=%ld \ >4 belong 1 vax \ >4 belong 2 romp \ >4 belong 3 architecture=3 \ >4 belong 4 ns32032 \ >4 belong 5 ns32332 \ >4 belong 6 for m68k architecture \ # from NeXTstep 3.0 \ # i.e. mc680x0_all, ignore \ # >>8 belong 1 (mc68030) \ >>8 belong 2 (mc68040) \ >>8 belong 3 (mc68030 only) \ >4 belong 7 i386 \ >4 belong 8 mips \ >4 belong 9 ns32532 \ >4 belong 10 architecture=10 \ >4 belong 11 hp pa-risc \ >4 belong 12 acorn \ >4 belong 13 m88k \ >4 belong 14 sparc \ >4 belong 15 i860-big \ >4 belong 16 i860 \ >4 belong 17 rs6000 \ >4 belong 18 powerPC \ >4 belong >18 \ >>4 belong x architecture=%ld \ \ #------------------------------------------------------------------------------ \ # macintosh description \ # \ # BinHex is the Macintosh ASCII-encoded file format (see also \"apple\") \ # Daniel Quinlan, quinlan@yggdrasil.com \ 11 string must\\ be\\ converted\\ with\\ BinHex BinHex binary text \ >41 string x \\b, version %.3s \ \ # Stuffit archives are the de facto standard of compression for Macintosh \ # files obtained from most archives. (franklsm@tuns.ca) \ 0 string SIT! StuffIt Archive (data) \ >2 string x : %s \ 0 string SITD StuffIt Deluxe (data) \ >2 string x : %s \ 0 string Seg StuffIt Deluxe Segment (data) \ >2 string x : %s \ \ # Macintosh Applications and Installation binaries (franklsm@tuns.ca) \ 0 string APPL Macintosh Application (data) \ >2 string x \\b: %s \ \ # Macintosh System files (franklsm@tuns.ca) \ 0 string zsys Macintosh System File (data) \ 0 string FNDR Macintosh Finder (data) \ 0 string libr Macintosh Library (data) \ >2 string x : %s \ 0 string shlb Macintosh Shared Library (data) \ >2 string x : %s \ 0 string cdev Macintosh Control Panel (data) \ >2 string x : %s \ 0 string INIT Macintosh Extension (data) \ >2 string x : %s \ 0 string FFIL Macintosh Truetype Font (data) \ >2 string x : %s \ 0 string LWFN Macintosh Postscript Font (data) \ >2 string x : %s \ \ # Additional Macintosh Files (franklsm@tuns.ca) \ 0 string PACT Macintosh Compact Pro Archive (data) \ >2 string x : %s \ 0 string ttro Macintosh TeachText File (data) \ >2 string x : %s \ 0 string TEXT Macintosh TeachText File (data) \ >2 string x : %s \ 0 string PDF Macintosh PDF File (data) \ >2 string x : %s \ \ # MacBinary format (Eric Fischer, enf@pobox.com) \ # \ # Unfortunately MacBinary doesn't really have a magic number prior \ # to the MacBinary III format. The checksum is really the way to \ # do it, but the magic file format isn't up to the challenge. \ # \ # 0 byte 0 \ # 1 byte # filename length \ # 2 string # filename \ # 65 string # file type \ # 69 string # file creator \ # 73 byte # Finder flags \ # 74 byte 0 \ # 75 beshort # vertical posn in window \ # 77 beshort # horiz posn in window \ # 79 beshort # window or folder ID \ # 81 byte # protected? \ # 82 byte 0 \ # 83 belong # length of data segment \ # 87 belong # length of resource segment \ # 91 belong # file creation date \ # 95 belong # file modification date \ # 99 beshort # length of comment after resource \ # 101 byte # new Finder flags \ # 102 string mBIN # (only in MacBinary III) \ # 106 byte # char. code of file name \ # 107 byte # still more Finder flags \ # 116 belong # total file length \ # 120 beshort # length of add'l header \ # 122 byte 129 # for MacBinary II \ # 122 byte 130 # for MacBinary III \ # 123 byte 129 # minimum version that can read fmt \ # 124 beshort # checksum \ # \ # This attempts to use the version numbers as a magic number, requiring \ # that the first one be 0x80, 0x81, 0x82, or 0x83, and that the second \ # be 0x81. This works for the files I have, but maybe not for everyone's. \ \ 122 beshort&0xFCFF 0x8081 Macintosh MacBinary data \ \ # MacBinary I doesn't have the version number field at all, but MacBinary II \ # has been in use since 1987 so I hope there aren't many really old files \ # floating around that this will miss. The original spec calls for using \ # the nulls in 0, 74, and 82 as the magic number. \ # \ # Another possibility, that would also work for MacBinary I, is to use \ # the assumption that 65-72 will all be ASCII (0x20-0x7F), that 73 will \ # have bits 1 (changed), 2 (busy), 3 (bozo), and 6 (invisible) unset, \ # and that 74 will be 0. So something like \ # \ # 71 belong&0x80804EFF 0x00000000 Macintosh MacBinary data \ # \ # >73 byte&0x01 0x01 \\b, inited \ # >73 byte&0x02 0x02 \\b, changed \ # >73 byte&0x04 0x04 \\b, busy \ # >73 byte&0x08 0x08 \\b, bozo \ # >73 byte&0x10 0x10 \\b, system \ # >73 byte&0x10 0x20 \\b, bundle \ # >73 byte&0x10 0x40 \\b, invisible \ # >73 byte&0x10 0x80 \\b, locked \ \ >65 string x \\b, type \"%4.4s\" \ \ >65 string 8BIM (PhotoShop) \ >65 string ALB3 (PageMaker 3) \ >65 string ALB4 (PageMaker 4) \ >65 string ALT3 (PageMaker 3) \ >65 string APPL (application) \ >65 string AWWP (AppleWorks word processor) \ >65 string CIRC (simulated circuit) \ >65 string DRWG (MacDraw) \ >65 string EPSF (Encapsulated PostScript) \ >65 string FFIL (font suitcase) \ >65 string FKEY (function key) \ >65 string FNDR (Macintosh Finder) \ >65 string GIFf (GIF image) \ >65 string Gzip (GNU gzip) \ >65 string INIT (system extension) \ >65 string LIB\\ (library) \ >65 string LWFN (PostScript font) \ >65 string MSBC (Microsoft BASIC) \ >65 string PACT (Compact Pro archive) \ >65 string PDF\\ (Portable Document Format) \ >65 string PICT (picture) \ >65 string PNTG (MacPaint picture) \ >65 string PREF (preferences) \ >65 string PROJ (Think C project) \ >65 string QPRJ (Think Pascal project) \ >65 string SCFL (Defender scores) \ >65 string SCRN (startup screen) \ >65 string SITD (StuffIt Deluxe) \ >65 string SPn3 (SuperPaint) \ >65 string STAK (HyperCard stack) \ >65 string Seg\\ (StuffIt segment) \ >65 string TARF (Unix tar archive) \ >65 string TEXT (ASCII) \ >65 string TIFF (TIFF image) \ >65 string TOVF (Eudora table of contents) \ >65 string WDBN (Microsoft Word word processor) \ >65 string WORD (MacWrite word processor) \ >65 string XLS\\ (Microsoft Excel) \ >65 string ZIVM (compress (.Z)) \ >65 string ZSYS (Pre-System 7 system file) \ >65 string acf3 (Aldus FreeHand) \ >65 string cdev (control panel) \ >65 string dfil (Desk Acessory suitcase) \ >65 string libr (library) \ >65 string nX^d (WriteNow word processor) \ >65 string nX^w (WriteNow dictionary) \ >65 string rsrc (resource) \ >65 string scbk (Scrapbook) \ >65 string shlb (shared library) \ >65 string ttro (SimpleText read-only) \ >65 string zsys (system file) \ \ >69 string x \\b, creator \"%4.4s\" \ \ # Somewhere, Apple has a repository of registered Creator IDs. These are \ # just the ones that I happened to have files from and was able to identify. \ \ >69 string 8BIM (Adobe Photoshop) \ >69 string ALD3 (PageMaker 3) \ >69 string ALD4 (PageMaker 4) \ >69 string ALFA (Alpha editor) \ >69 string APLS (Apple Scanner) \ >69 string APSC (Apple Scanner) \ >69 string BRKL (Brickles) \ >69 string BTFT (BitFont) \ >69 string CCL2 (Common Lisp 2) \ >69 string CCL\\ (Common Lisp) \ >69 string CDmo (The Talking Moose) \ >69 string CPCT (Compact Pro) \ >69 string CSOm (Eudora) \ >69 string DMOV (Font/DA Mover) \ >69 string DSIM (DigSim) \ >69 string EDIT (Macintosh Edit) \ >69 string ERIK (Macintosh Finder) \ >69 string EXTR (self-extracting archive) \ >69 string Gzip (GNU gzip) \ >69 string KAHL (Think C) \ >69 string LWFU (LaserWriter Utility) \ >69 string LZIV (compress) \ >69 string MACA (MacWrite) \ >69 string MACS (Macintosh operating system) \ >69 string MAcK (MacKnowledge terminal emulator) \ >69 string MLND (Defender) \ >69 string MPNT (MacPaint) \ >69 string MSBB (Microsoft BASIC (binary)) \ >69 string MSWD (Microsoft Word) \ >69 string NCSA (NCSA Telnet) \ >69 string PJMM (Think Pascal) \ >69 string PSAL (Hunt the Wumpus) \ >69 string PSI2 (Apple File Exchange) \ >69 string R*ch (BBEdit) \ >69 string RMKR (Resource Maker) \ >69 string RSED (Resource Editor) \ >69 string Rich (BBEdit) \ >69 string SIT! (StuffIt) \ >69 string SPNT (SuperPaint) \ >69 string Unix (NeXT Mac filesystem) \ >69 string VIM! (Vim editor) \ >69 string WILD (HyperCard) \ >69 string XCEL (Microsoft Excel) \ >69 string aCa2 (Fontographer) \ >69 string aca3 (Aldus FreeHand) \ >69 string dosa (Macintosh MS-DOS file system) \ >69 string movr (Font/DA Mover) \ >69 string nX^n (WriteNow) \ >69 string pdos (Apple ProDOS file system) \ >69 string scbk (Scrapbook) \ >69 string ttxt (SimpleText) \ >69 string ufox (Foreign File Access) \ \ # Just in case... \ \ 102 string mBIN MacBinary III data with surprising version number \ \ # sas magic from Bruce Foster (bef@nwu.edu) \ # \ #0 string SAS SAS \ #>8 string x %s \ 0 string SAS SAS \ >24 string DATA data file \ >24 string CATALOG catalog \ >24 string INDEX data file index \ >24 string VIEW data view \ # spss magic for SPSS system and portable files, \ # from Bruce Foster (bef@nwu.edu). \ \ 0 long 0xc1e2c3c9 SPSS Portable File \ >40 string x %s \ \ 0 string $FL2 SPSS System File \ >24 string x %s \ \ # Macintosh filesystem data \ # From \"Tom N Harris\" \ # The MacOS epoch begins on 1 Jan 1904 instead of 1 Jan 1970, so these \ # entries depend on the data arithmetic added after v.35 \ # There's also some Pascal strings in here, ditto... \ \ # The boot block signature, according to IM:Files, is \ # \"for HFS volumes, this field always contains the value 0x4C4B.\" \ # But if this is true for MFS or HFS+ volumes, I don't know. \ # Alternatively, the boot block is supposed to be zeroed if it's \ # unused, so a simply >0 should suffice. \ \ 0x400 beshort 0xD2D7 Macintosh MFS data \ >0 beshort 0x4C4B (bootable) \ >0x40a beshort &0x8000 (locked) \ >0x402 beldate-0x7C25B080 x created: %s, \ >0x406 beldate-0x7C25B080 >0 last backup: %s, \ >0x414 belong x block size: %d, \ >0x412 beshort x number of blocks: %d, \ >0x424 pstring x volume name: %s \ \ 0x400 beshort 0x4244 Macintosh HFS data \ >0 beshort 0x4C4B (bootable) \ >0x40a beshort &0x8000 (locked) \ >0x40a beshort ^0x0100 (mounted) \ >0x40a beshort &0x0800 (unclean) \ >0x402 beldate-0x7C25B080 x created: %s, \ >0x406 beldate-0x7C25B080 x last modified: %s, \ >0x440 beldate-0x7C25B080 >0 last backup: %s, \ >0x414 belong x block size: %d, \ >0x412 beshort x number of blocks: %d, \ >0x424 pstring x volume name: %s \ #>0x480 beshort =0x482B Embedded HFS+ Volume: \ #>>((0x482*(0x414))+(0x41c*512)) x \\b \ # Well, this is (theoretically) how we could do this. But it occurs to \ # me that we likely don't read in a large enough chunk. I don't have any \ # HFS+ volumes to see what a typical offset would be. \ \ 0x400 beshort 0x482B Macintosh HFS Extended \ >&2 beshort x version %d data \ >0 beshort 0x4C4B (bootable) \ >&4 belong ^0x00000100 (mounted) \ >&4 belong &0x00000800 (unclean) \ >&4 belong &0x00008000 (locked) \ >&8 string x last mounted by: '%.4s', \ # really, that should be treated as a belong and we print a string \ # based on the value. TN1150 only mentions '8.10' for \"MacOS 8.1\" \ >&16 beldate-0x7C25B080 x created: %s, \ >&20 beldate-0x7C25B080 x last modified: %s, \ >&24 beldate-0x7C25B080 >0 last backup: %s, \ >&28 beldate-0x7C25B080 >0 last checked: %s, \ >&40 belong x block size: %d, \ >&44 belong x number of blocks: %d, \ >&48 belong x free blocks: %d \ \ # I don't think this is really necessary since it doesn't do much and \ # anything with a valid driver descriptor will also have a valid \ # partition map \ #0 beshort 0x4552 Apple Device Driver data \ #>&24 beshort =1 \\b, MacOS \ \ # Is that the partition type a cstring or a pstring? Well, IM says \"strings \ # shorter than 32 bytes must be terminated with NULL\" so I'll treat it as a \ # cstring. Of course, partitions can contain more than four entries, but \ # what're you gonna do? \ 0x200 beshort 0x504D Apple Partition data \ >&2 beshort x block size: %d \ >&48 string x first type: %s, \ >&12 belong x number of blocks: %d, \ >(&0x2.S) beshort 0x504D \ >>&48 string x second type: %s \ >>&12 belong x number of blocks: %d, \ >>(&0x2.S) beshort 0x504D \ >>>&48 string x third type: %s \ >>>&12 belong x number of blocks: %d, \ >>>(&0x2.S) beshort 0x504D \ >>>>&48 string x fourth type: %s \ >>>>&12 belong x number of blocks: %d, \ # AFAIK, only the signature is different \ 0x200 beshort 0x5453 Apple Old Partition data \ >&2 beshort x block size: %d \ >&48 string x first type: %s, \ >&12 belong x number of blocks: %d, \ >(&0x2.S) beshort 0x504D \ >>&48 string x second type: %s \ >>&12 belong x number of blocks: %d, \ >>(&0x2.S) beshort 0x504D \ >>>&48 string x third type: %s \ >>>&12 belong x number of blocks: %d, \ >>>(&0x2.S) beshort 0x504D \ >>>>&48 string x fourth type: %s \ >>>>&12 belong x number of blocks: %d, \ \ #------------------------------------------------------------------------------ \ # magic: file(1) magic for magic files \ # \ 0 string #\\ Magic magic text file for file(1) cmd \ 0 lelong 0xF11E041C magic binary file for file(1) cmd \ >4 lelong x (version %d) (little endian) \ 0 belong 0xF11E041C magic binary file for file(1) cmd \ >4 belong x (version %d) (big endian) \ \ #------------------------------------------------------------------------------ \ # mail.news: file(1) magic for mail and news \ # \ # Unfortunately, saved netnews also has From line added in some news software. \ #0 string From mail text \ # There are tests to ascmagic.c to cope with mail and news. \ 0 string Relay-Version: old news text \ 0 string #!\\ rnews batched news text \ 0 string N#!\\ rnews mailed, batched news text \ 0 string Forward\\ to mail forwarding text \ 0 string Pipe\\ to mail piping text \ 0 string Return-Path: smtp mail text \ 0 string Path: news text \ 0 string Xref: news text \ 0 string From: news or mail text \ 0 string Article saved news text \ 0 string BABYL Emacs RMAIL text \ 0 string Received: RFC 822 mail text \ 0 string MIME-Version: MIME entity text \ #0 string Content- MIME entity text \ \ # TNEF files... \ 0 lelong 0x223E9F78 Transport Neutral Encapsulation Format \ \ # From: Kevin Sullivan \ 0 string *mbx* MBX mail folder \ \ \ #------------------------------------------------------------------------------ \ # maple: file(1) magic for maple files \ # \"H. Nanosecond\" \ # Maple V release 4, a multi-purpose math program \ # \ \ # maple library .lib \ 0 string \\000MVR4\\nI MapleVr4 library \ \ # .ind \ # no magic for these :-( \ # they are compiled indexes for maple files \ \ # .hdb \ 0 string \\000\\004\\000\\000 Maple help database \ \ # .mhp \ # this has the form \ 0 string \\9 string >\\0 version %.1s. \ >>10 string \ >>>11 string >\\0 %.1s \ \ # .mps \ 0 string \\0\\0\\001$ Maple something \ # from byte 4 it is either 'nul E' or 'soh R' \ # I think 'nul E' means a file that was saved as a different name \ # a sort of revision marking \ # 'soh R' means new \ >4 string \\000\\105 An old revision \ >4 string \\001\\122 The latest save \ \ # .mpl \ # some of these are the same as .mps above \ #0000000 000 000 001 044 000 105 same as .mps \ #0000000 000 000 001 044 001 122 same as .mps \ \ 0 string #\\n##\\ Maple something anomalous. \ \ #------------------------------------------------------------------------------ \ # mathematica: file(1) magic for mathematica files \ # \"H. Nanosecond\" \ # Mathematica a multi-purpose math program \ # versions 2.2 and 3.0 \ \ #mathematica .mb \ 0 string \\064\\024\\012\\000\\035\\000\\000\\000 Mathematica version 2 notebook \ 0 string \\064\\024\\011\\000\\035\\000\\000\\000 Mathematica version 2 notebook \ \ # .ma \ # multiple possibilites: \ \ 0 string (*^\\n\\n::[\\011frontEndVersion\\ =\\ Mathematica notebook \ #>41 string >\\0 %s \ \ #0 string (*^\\n\\n::[\\011palette Mathematica notebook version 2.x \ \ #0 string (*^\\n\\n::[\\011Information Mathematica notebook version 2.x \ #>675 string >\\0 %s #doesn't work well \ \ # there may be 'cr' instread of 'nl' in some does this matter? \ \ # generic: \ 0 string (*^\\r\\r::[\\011 Mathematica notebook version 2.x \ 0 string \\(\\*\\^\\r\\n\\r\\n\\:\\:\\[\\011 Mathematica notebook version 2.x \ 0 string (*^\\015 Mathematica notebook version 2.x \ 0 string (*^\\n\\r\\n\\r::[\\011 Mathematica notebook version 2.x \ 0 string (*^\\r::[\\011 Mathematica notebook version 2.x \ 0 string (*^\\r\\n::[\\011 Mathematica notebook version 2.x \ 0 string (*^\\n\\n::[\\011 Mathematica notebook version 2.x \ 0 string (*^\\n::[\\011 Mathematica notebook version 2.x \ \ \ # Mathematica .mx files \ \ #0 string (*This\\ is\\ a\\ Mathematica\\ binary\\ dump\\ file.\\ It\\ can\\ be\\ loaded\\ with\\ Get.*) Mathematica binary file \ 0 string (*This\\ is\\ a\\ Mathematica\\ binary\\ Mathematica binary file \ #>71 string \\000\\010\\010\\010\\010\\000\\000\\000\\000\\000\\000\\010\\100\\010\\000\\000\\000 \ # >71... is optional \ >88 string >\\0 from %s \ \ \ # Mathematica files PBF: \ # 115 115 101 120 102 106 000 001 000 000 000 203 000 001 000 \ 0 string MMAPBF\\000\\001\\000\\000\\000\\203\\000\\001\\000 Mathematica PBF (fonts I think) \ \ # .ml files These are menu resources I think \ # these start with \"[0-9][0-9][0-9]\\ A~[0-9][0-9][0-9]\\ \ # how to put that into a magic rule? \ 4 string \\ A~ MAthematica .ml file \ \ # .nb files \ #too long 0 string (***********************************************************************\\n\\n\\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ Mathematica-Compatible Notebook Mathematica 3.0 notebook \ 0 string (*********************** Mathematica 3.0 notebook \ \ # other (* matches it is a comment start in these langs \ 0 string (* Mathematica, or Pascal, Modula-2 or 3 code \ #------------------------------------------------------------------------------ \ # Mavroyanopoulos Nikos \ # mcrypt: file(1) magic for mcrypt 2.2.x; \ 0 string \\0m\\2 mcrypt 2.2 encrypted data, \ >3 byte 0 algorithm: blowfish-448, \ >3 byte 1 algorithm: DES, \ >3 byte 2 algorithm: 3DES, \ >3 byte 3 algorithm: 3-WAY, \ >3 byte 4 algorithm: GOST, \ >3 byte 6 algorithm: SAFER-SK64, \ >3 byte 7 algorithm: SAFER-SK128, \ >3 byte 8 algorithm: CAST-128, \ >3 byte 9 algorithm: xTEA, \ >3 byte 10 algorithm: TWOFISH-128, \ >3 byte 11 algorithm: RC2, \ >3 byte 12 algorithm: TWOFISH-192, \ >3 byte 13 algorithm: TWOFISH-256, \ >3 byte 14 algorithm: blowfish-128, \ >3 byte 15 algorithm: blowfish-192, \ >3 byte 16 algorithm: blowfish-256, \ >3 byte 100 algorithm: RC6, \ >3 byte 101 algorithm: IDEA, \ >4 byte 0 mode: CBC, \ >4 byte 1 mode: ECB, \ >4 byte 2 mode: CFB, \ >4 byte 3 mode: OFB, \ >4 byte 4 mode: nOFB, \ >5 byte 0 keymode: 8bit \ >5 byte 1 keymode: 4bit \ >5 byte 2 keymode: SHA-1 hash \ >5 byte 3 keymode: MD5 hash \ #------------------------------------------------------------------------------ \ # mime: file(1) magic for MIME encoded files \ # \ 0 string Content-Type:\\ \ >14 string >\\0 %s \ 0 string Content-Type: \ >13 string >\\0 %s \ \ #------------------------------------------------------------------------------ \ # mips: file(1) magic for Silicon Graphics (MIPS, IRIS, IRIX, etc.) \ # Dec Ultrix (MIPS) \ # all of SGI's *current* machines and OSes run in big-endian mode on the \ # MIPS machines, as far as I know. \ # \ # XXX - what is the blank \"-\" line? \ # \ # kbd file definitions \ 0 string kbd!map kbd map file \ >8 byte >0 Ver %d: \ >10 short >0 with %d table(s) \ 0 belong 0407 old SGI 68020 executable \ 0 belong 0410 old SGI 68020 pure executable \ 0 beshort 0x8765 disk quotas file \ 0 beshort 0x0506 IRIS Showcase file \ >2 byte 0x49 - \ >3 byte x - version %ld \ 0 beshort 0x0226 IRIS Showcase template \ >2 byte 0x63 - \ >3 byte x - version %ld \ 0 belong 0x5343464d IRIS Showcase file \ >4 byte x - version %ld \ 0 belong 0x5443464d IRIS Showcase template \ >4 byte x - version %ld \ 0 belong 0xdeadbabe IRIX Parallel Arena \ >8 belong >0 - version %ld \ # \ 0 beshort 0x0160 MIPSEB ECOFF executable \ >20 beshort 0407 (impure) \ >20 beshort 0410 (swapped) \ >20 beshort 0413 (paged) \ >8 belong >0 not stripped \ >8 belong 0 stripped \ >22 byte x - version %ld \ >23 byte x .%ld \ # \ 0 beshort 0x0162 MIPSEL-BE ECOFF executable \ >20 beshort 0407 (impure) \ >20 beshort 0410 (swapped) \ >20 beshort 0413 (paged) \ >8 belong >0 not stripped \ >8 belong 0 stripped \ >23 byte x - version %d \ >22 byte x .%ld \ # \ 0 beshort 0x6001 MIPSEB-LE ECOFF executable \ >20 beshort 03401 (impure) \ >20 beshort 04001 (swapped) \ >20 beshort 05401 (paged) \ >8 belong >0 not stripped \ >8 belong 0 stripped \ >23 byte x - version %d \ >22 byte x .%ld \ # \ 0 beshort 0x6201 MIPSEL ECOFF executable \ >20 beshort 03401 (impure) \ >20 beshort 04001 (swapped) \ >20 beshort 05401 (paged) \ >8 belong >0 not stripped \ >8 belong 0 stripped \ >23 byte x - version %ld \ >22 byte x .%ld \ # \ # MIPS 2 additions \ # \ 0 beshort 0x0163 MIPSEB MIPS-II ECOFF executable \ >20 beshort 0407 (impure) \ >20 beshort 0410 (swapped) \ >20 beshort 0413 (paged) \ >8 belong >0 not stripped \ >8 belong 0 stripped \ >22 byte x - version %ld \ >23 byte x .%ld \ # \ 0 beshort 0x0166 MIPSEL-BE MIPS-II ECOFF executable \ >20 beshort 0407 (impure) \ >20 beshort 0410 (swapped) \ >20 beshort 0413 (paged) \ >8 belong >0 not stripped \ >8 belong 0 stripped \ >22 byte x - version %ld \ >23 byte x .%ld \ # \ 0 beshort 0x6301 MIPSEB-LE MIPS-II ECOFF executable \ >20 beshort 03401 (impure) \ >20 beshort 04001 (swapped) \ >20 beshort 05401 (paged) \ >8 belong >0 not stripped \ >8 belong 0 stripped \ >23 byte x - version %ld \ >22 byte x .%ld \ # \ 0 beshort 0x6601 MIPSEL MIPS-II ECOFF executable \ >20 beshort 03401 (impure) \ >20 beshort 04001 (swapped) \ >20 beshort 05401 (paged) \ >8 belong >0 not stripped \ >8 belong 0 stripped \ >23 byte x - version %ld \ >22 byte x .%ld \ # \ # MIPS 3 additions \ # \ 0 beshort 0x0140 MIPSEB MIPS-III ECOFF executable \ >20 beshort 0407 (impure) \ >20 beshort 0410 (swapped) \ >20 beshort 0413 (paged) \ >8 belong >0 not stripped \ >8 belong 0 stripped \ >22 byte x - version %ld \ >23 byte x .%ld \ # \ 0 beshort 0x0142 MIPSEL-BE MIPS-III ECOFF executable \ >20 beshort 0407 (impure) \ >20 beshort 0410 (swapped) \ >20 beshort 0413 (paged) \ >8 belong >0 not stripped \ >8 belong 0 stripped \ >22 byte x - version %ld \ >23 byte x .%ld \ # \ 0 beshort 0x4001 MIPSEB-LE MIPS-III ECOFF executable \ >20 beshort 03401 (impure) \ >20 beshort 04001 (swapped) \ >20 beshort 05401 (paged) \ >8 belong >0 not stripped \ >8 belong 0 stripped \ >23 byte x - version %ld \ >22 byte x .%ld \ # \ 0 beshort 0x4201 MIPSEL MIPS-III ECOFF executable \ >20 beshort 03401 (impure) \ >20 beshort 04001 (swapped) \ >20 beshort 05401 (paged) \ >8 belong >0 not stripped \ >8 belong 0 stripped \ >23 byte x - version %ld \ >22 byte x .%ld \ # \ 0 beshort 0x180 MIPSEB Ucode \ 0 beshort 0x182 MIPSEL-BE Ucode \ # 32bit core file \ 0 belong 0xdeadadb0 IRIX core dump \ >4 belong 1 of \ >16 string >\\0 '%s' \ # 64bit core file \ 0 belong 0xdeadad40 IRIX 64-bit core dump \ >4 belong 1 of \ >16 string >\\0 '%s' \ # N32bit core file \ 0 belong 0xbabec0bb IRIX N32 core dump \ >4 belong 1 of \ >16 string >\\0 '%s' \ # New style crash dump file \ 0 string \\x43\\x72\\x73\\x68\\x44\\x75\\x6d\\x70 IRIX vmcore dump of \ >36 string >\\0 '%s' \ # Trusted IRIX info \ 0 string SGIAUDIT SGI Audit file \ >8 byte x - version %d \ >9 byte x .%ld \ # \ 0 string WNGZWZSC Wingz compiled script \ 0 string WNGZWZSS Wingz spreadsheet \ 0 string WNGZWZHP Wingz help file \ # \ 0 string \\#Inventor V IRIS Inventor 1.0 file \ 0 string \\#Inventor V2 Open Inventor 2.0 file \ # GLF is OpenGL stream encoding \ 0 string glfHeadMagic(); GLF_TEXT \ 4 belong 0x7d000000 GLF_BINARY_LSB_FIRST \ 4 belong 0x0000007d GLF_BINARY_MSB_FIRST \ # GLS is OpenGL stream encoding; GLS is the successor of GLF \ 0 string glsBeginGLS( GLS_TEXT \ 4 belong 0x10000000 GLS_BINARY_LSB_FIRST \ 4 belong 0x00000010 GLS_BINARY_MSB_FIRST \ \ #------------------------------------------------------------------------------ \ # mirage: file(1) magic for Mirage executables \ # \ # XXX - byte order? \ # \ 0 long 31415 Mirage Assembler m.out executable \ \ #------------------------------------------------------------------------------ \ # mkid: file(1) magic for mkid(1) databases \ # \ # ID is the binary tags database produced by mkid(1). \ # \ # XXX - byte order? \ # \ 0 string \\311\\304 ID tags data \ >2 short >0 version %d \ \ #------------------------------------------------------------------------------ \ # mmdf: file(1) magic for MMDF mail files \ # \ 0 string \\001\\001\\001\\001 MMDF mailbox \ #------------------------------------------------------------------------------ \ # modem: file(1) magic for modem programs \ # \ # From: Florian La Roche \ 4 string Research, Digifax-G3-File \ >29 byte 1 , fine resolution \ >29 byte 0 , normal resolution \ \ 0 short 0x0100 raw G3 data, byte-padded \ 0 short 0x1400 raw G3 data \ # \ # Magic data for vgetty voice formats \ # (Martin Seine & Marc Eberhard) \ \ # \ # raw modem data version 1 \ # \ 0 string RMD1 raw modem data \ >4 string >\\0 (%s / \ >20 short >0 compression type 0x%04x) \ \ # \ # portable voice format 1 \ # \ 0 string PVF1\\n portable voice format \ >5 string >\\0 (binary %s) \ \ # \ # portable voice format 2 \ # \ 0 string PVF2\\n portable voice format \ >5 string >\\0 (ascii %s) \ \ \ #------------------------------------------------------------------------------ \ # motorola: file(1) magic for Motorola 68K and 88K binaries \ # \ # 68K \ # \ 0 beshort 0520 mc68k COFF \ >18 beshort ^00000020 object \ >18 beshort &00000020 executable \ >12 belong >0 not stripped \ >168 string .lowmem Apple toolbox \ >20 beshort 0407 (impure) \ >20 beshort 0410 (pure) \ >20 beshort 0413 (demand paged) \ >20 beshort 0421 (standalone) \ 0 beshort 0521 mc68k executable (shared) \ >12 belong >0 not stripped \ 0 beshort 0522 mc68k executable (shared demand paged) \ >12 belong >0 not stripped \ # \ # Motorola/UniSoft 68K Binary Compatibility Standard (BCS) \ # \ 0 beshort 0554 68K BCS executable \ # \ # 88K \ # \ # Motorola/88Open BCS \ # \ 0 beshort 0555 88K BCS executable \ # \ # Motorola S-Records, from Gerd Truschinski \ 0 string S0 Motorola S-Record; binary data in text format \ \ # ATARI ST relocatable PRG \ # \ # from Oskar Schirmer Feb 3, 2001 \ # (according to Roland Waldi, Oct 21, 1987) \ # besides the magic 0x601a, the text segment size is checked to be \ # not larger than 1 MB (which is a lot on ST). \ # The additional 0x601b distinction I took from Doug Lee's magic. \ 0 belong&0xFFFFFFF0 0x601A0000 Atari ST M68K contiguous executable \ >2 belong x (txt=%ld, \ >6 belong x dat=%ld, \ >10 belong x bss=%ld, \ >14 belong x sym=%ld) \ 0 belong&0xFFFFFFF0 0x601B0000 Atari ST M68K non-contig executable \ >2 belong x (txt=%ld, \ >6 belong x dat=%ld, \ >10 belong x bss=%ld, \ >14 belong x sym=%ld) \ \ #------------------------------------------------------------------------------ \ # msdos: file(1) magic for MS-DOS files \ # \ \ # .BAT files (Daniel Quinlan, quinlan@yggdrasil.com) \ 0 string @echo\\ off MS-DOS batch file text \ \ # XXX - according to Microsoft's spec, at an offset of 0x3c in a \ # PE-format executable is the offset in the file of the PE header; \ # unfortunately, that's a little-endian offset, and there's no way \ # to specify an indirect offset with a specified byte order. \ # So, for now, we assume the standard MS-DOS stub, which puts the \ # PE header at 0x80 = 128. \ # \ # Required OS version and subsystem version were 4.0 on some NT 3.51 \ # executables built with Visual C++ 4.0, so it's not clear that \ # they're interesting. The user version was 0.0, but there's \ # probably some linker directive to set it. The linker version was \ # 3.0, except for one \".exe\" which had it as 4.20 (same damn linker!). \ # \ 128 string PE\\0\\0 MS Windows PE \ >150 leshort&0x0100 >0 32-bit \ >132 leshort 0x0 unknown processor \ >132 leshort 0x14c Intel 80386 \ >132 leshort 0x166 MIPS R4000 \ >132 leshort 0x184 Alpha \ >132 leshort 0x268 Motorola 68000 \ >132 leshort 0x1f0 PowerPC \ >132 leshort 0x290 PA-RISC \ >148 leshort >27 \ >>220 leshort 0 unknown subsystem \ >>220 leshort 1 native \ >>220 leshort 2 GUI \ >>220 leshort 3 console \ >>220 leshort 7 POSIX \ >150 leshort&0x2000 =0 executable \ #>>136 ledate x stamp %s, \ >>150 leshort&0x0001 >0 not relocatable \ #>>150 leshort&0x0004 =0 with line numbers, \ #>>150 leshort&0x0008 =0 with local symbols, \ #>>150 leshort&0x0200 =0 with debug symbols, \ >>150 leshort&0x1000 >0 system file \ #>>148 leshort >0 \ #>>>154 byte x linker %d \ #>>>155 byte x \\b.%d, \ #>>148 leshort >27 \ #>>>192 leshort x requires OS %d \ #>>>194 leshort x \\b.%d, \ #>>>196 leshort x user version %d \ #>>>198 leshort x \\b.%d, \ #>>>200 leshort x subsystem version %d \ #>>>202 leshort x \\b.%d, \ >150 leshort&0x2000 >0 DLL \ #>>136 ledate x stamp %s, \ >>150 leshort&0x0001 >0 not relocatable \ #>>150 leshort&0x0004 =0 with line numbers, \ #>>150 leshort&0x0008 =0 with local symbols, \ #>>150 leshort&0x0200 =0 with debug symbols, \ >>150 leshort&0x1000 >0 system file \ #>>148 leshort >0 \ #>>>154 byte x linker %d \ #>>>155 byte x \\b.%d, \ #>>148 leshort >27 \ #>>>192 leshort x requires OS %d \ #>>>194 leshort x \\b.%d, \ #>>>196 leshort x user version %d \ #>>>198 leshort x \\b.%d, \ #>>>200 leshort x subsystem version %d \ #>>>202 leshort x \\b.%d, \ 0 leshort 0x14c MS Windows COFF Intel 80386 object file \ #>4 ledate x stamp %s \ 0 leshort 0x166 MS Windows COFF MIPS R4000 object file \ #>4 ledate x stamp %s \ 0 leshort 0x184 MS Windows COFF Alpha object file \ #>4 ledate x stamp %s \ 0 leshort 0x268 MS Windows COFF Motorola 68000 object file \ #>4 ledate x stamp %s \ 0 leshort 0x1f0 MS Windows COFF PowerPC object file \ #>4 ledate x stamp %s \ 0 leshort 0x290 MS Windows COFF PA-RISC object file \ #>4 ledate x stamp %s \ \ # .EXE formats (Greg Roelofs, newt@uchicago.edu) \ # \ 0 string MZ MS-DOS executable (EXE) \ >24 string @ \\b, OS/2 or MS Windows \ >>0xe7 string LH/2\\ Self-Extract \\b, %s \ >>0xe9 string PKSFX2 \\b, %s \ >>122 string Windows\\ self-extracting\\ ZIP \\b, %s \ >0x1c string RJSX\\xff\\xff \\b, ARJ SFX \ >0x1c string diet\\xf9\\x9c \\b, diet compressed \ >0x1e string Copyright\\ 1989-1990\\ PKWARE\\ Inc. \\b, PKSFX \ # JM: 0x1e \"PKLITE Copr. 1990-92 PKWARE Inc. All Rights Reserved\\7\\0\\0\\0\" \ >0x1e string PKLITE\\ Copr. \\b, %.6s compressed \ >0x24 string LHa's\\ SFX \\b, %.15s \ >0x24 string LHA's\\ SFX \\b, %.15s \ >1638 string -lh5- \\b, LHa SFX archive v2.13S \ >7195 string Rar! \\b, RAR self-extracting archive \ # \ # [GRR 950118: file 3.15 has a buffer-size limitation; offsets bigger than \ # 8161 bytes are ignored. To make the following entries work, increase \ # HOWMANY in file.h to 32K at least, and maybe to 70K or more for OS/2, \ # NT/Win32 and VMS.] \ # [GRR: some company sells a self-extractor/displayer for image data(!)] \ # \ >11696 string PK\\003\\004 \\b, PKZIP SFX archive v1.1 \ >13297 string PK\\003\\004 \\b, PKZIP SFX archive v1.93a \ >15588 string PK\\003\\004 \\b, PKZIP2 SFX archive v1.09 \ >15770 string PK\\003\\004 \\b, PKZIP SFX archive v2.04g \ >28374 string PK\\003\\004 \\b, PKZIP2 SFX archive v1.02 \ # \ # Info-ZIP self-extractors \ # these are the DOS versions: \ >25115 string PK\\003\\004 \\b, Info-ZIP SFX archive v5.12 \ >26331 string PK\\003\\004 \\b, Info-ZIP SFX archive v5.12 w/decryption \ # these are the OS/2 versions (OS/2 is flagged above): \ >47031 string PK\\003\\004 \\b, Info-ZIP SFX archive v5.12 \ >49845 string PK\\003\\004 \\b, Info-ZIP SFX archive v5.12 w/decryption \ # this is the NT/Win32 version: \ >69120 string PK\\003\\004 \\b, Info-ZIP NT SFX archive v5.12 w/decryption \ # \ # TELVOX Teleinformatica CODEC self-extractor for OS/2: \ >49801 string \\x79\\xff\\x80\\xff\\x76\\xff \\b, CODEC archive v3.21 \ >>49824 leshort =1 \\b, 1 file \ >>49824 leshort >1 \\b, %u files \ \ # .COM formats (Daniel Quinlan, quinlan@yggdrasil.com) \ # Uncommenting only the first two lines will cover about 2/3 of COM files, \ # but it isn't feasible to match all COM files since there must be at least \ # two dozen different one-byte \"magics\". \ #0 byte 0xe9 MS-DOS executable (COM) \ #>6 string SFX\\ of\\ LHarc (%s) \ #0 byte 0x8c MS-DOS executable (COM) \ # 0xeb conflicts with \"sequent\" magic \ #0 byte 0xeb MS-DOS executable (COM) \ #0 byte 0xb8 MS-DOS executable (COM) \ \ # miscellaneous formats \ 0 string LZ MS-DOS executable (built-in) \ #0 byte 0xf0 MS-DOS program library data \ # \ \ # \ # Windows NT Registry files. \ # \ 0 string regf Windows NT Registry file \ \ # Popular applications \ 2080 string Microsoft\\ Word\\ 6.0\\ Document %s \ 2080 string Documento\\ Microsoft\\ Word\\ 6 Spanish Microsoft Word 6 document data \ # Pawel Wiecek (for polish Word) \ 2112 string MSWordDoc Microsoft Word document data \ # \ 0 belong 0x31be0000 Microsoft Word Document \ # \ 0 string PO^Q` Microsoft Word 6.0 Document \ # \ 0 string \\376\\067\\0\\043 Microsoft Office Document \ 0 string \\320\\317\\021\\340\\241\\261 Microsoft Office Document \ 0 string \\333\\245-\\0\\0\\0 Microsoft Office Document \ # \ 2080 string Microsoft\\ Excel\\ 5.0\\ Worksheet %s \ # \ # Pawel Wiecek (for polish Excel) \ 2114 string Biff5 Microsoft Excel 5.0 Worksheet \ # \ 0 belong 0x00001a00 Lotus 1-2-3 \ >4 belong 0x00100400 wk3 document data \ >4 belong 0x02100400 wk4 document data \ >4 belong 0x07800100 fm3 or fmb document data \ >4 belong 0x07800000 fm3 or fmb document data \ # \ 0 belong 0x00000200 Lotus 1-2-3 \ >4 belong 0x06040600 wk1 document data \ >4 belong 0x06800200 fmt document data \ \ # Help files \ 0 string ?_\\3\\0 MS Windows Help Data \ \ # Microsoft CAB distribution format Dale Worley \ 0 string MSCF\\000\\000\\000\\000 Microsoft CAB file \ \ # DeIsL1.isu what this is I don't know \ 0 string \\161\\250\\000\\000\\001\\002 DeIsL1.isu whatever that is \ \ # Winamp .avs \ #0 string Nullsoft\\ AVS\\ Preset\\ \\060\\056\\061\\032 A plug in for Winamp ms-windows Freeware media player \ 0 string Nullsoft\\ AVS\\ Preset\\ Winamp plug in \ \ # Hyper terminal: \ 0 string HyperTerminal\\ hyperterm \ >15 string 1.0\\ --\\ HyperTerminal\\ data\\ file MS-windows Hyperterminal \ \ # Windows Metafont .WMF \ 0 string \\327\\315\\306\\232\\000\\000\\000\\000\\000\\000 ms-windows metafont .wmf \ \ #tz3 files whatever that is (MS Works files) \ 0 string \\003\\001\\001\\004\\070\\001\\000\\000 tz3 ms-works file \ 0 string \\003\\002\\001\\004\\070\\001\\000\\000 tz3 ms-works file \ 0 string \\003\\003\\001\\004\\070\\001\\000\\000 tz3 ms-works file \ \ # PGP sig files .sig \ #0 string \\211\\000\\077\\003\\005\\000\\063\\237\\127 065 to \\027\\266\\151\\064\\005\\045\\101\\233\\021\\002 PGP sig \ 0 string \\211\\000\\077\\003\\005\\000\\063\\237\\127\\065\\027\\266\\151\\064\\005\\045\\101\\233\\021\\002 PGP sig \ 0 string \\211\\000\\077\\003\\005\\000\\063\\237\\127\\066\\027\\266\\151\\064\\005\\045\\101\\233\\021\\002 PGP sig \ 0 string \\211\\000\\077\\003\\005\\000\\063\\237\\127\\067\\027\\266\\151\\064\\005\\045\\101\\233\\021\\002 PGP sig \ 0 string \\211\\000\\077\\003\\005\\000\\063\\237\\127\\070\\027\\266\\151\\064\\005\\045\\101\\233\\021\\002 PGP sig \ 0 string \\211\\000\\077\\003\\005\\000\\063\\237\\127\\071\\027\\266\\151\\064\\005\\045\\101\\233\\021\\002 PGP sig \ 0 string \\211\\000\\225\\003\\005\\000\\062\\122\\207\\304\\100\\345\\042 PGP sig \ \ # windows zips files .dmf \ 0 string MDIF\\032\\000\\010\\000\\000\\000\\372\\046\\100\\175\\001\\000\\001\\036\\001\\000 Ms-windows special zipped file \ \ \ # Windows help file FTG FTS \ 0 string \\164\\146\\115\\122\\012\\000\\000\\000\\001\\000\\000\\000 ms-windows help cache \ \ # grp old windows 3.1 group files \ 0 string \\120\\115\\103\\103 Ms-windows 3.1 group files \ \ \ # lnk files windows symlinks \ 0 string \\114\\000\\000\\000\\001\\024\\002\\000\\000\\000\\000\\000\\300\\000\\000\\000\\000\\000\\000\\106 ms-Windows shortcut \ \ #ico files \ 0 string \\102\\101\\050\\000\\000\\000\\056\\000\\000\\000\\000\\000\\000\\000 Icon for ms-windows \ \ # Windows icons (Ian Springer ) \ 0 string \\000\\000\\001\\000 ms-windows icon resource \ >4 byte 1 - 1 icon \ >4 byte >1 - %d icons \ >>6 byte >0 \\b, %dx \ >>>7 byte >0 \\b%d \ >>8 byte 0 \\b, 256-colors \ >>8 byte >0 \\b, %d-colors \ \ \ # True Type fonts currently misidentified as raw G3 data \ \ 0 string \\000\\001\\000\\000\\000 MS-Windows true type font .ttf \ \ \ # .chr files \ 0 string PK\\010\\010BGI Borland font \ >4 string >\\0 %s \ # then there is a copyright notice \ \ \ # .bgi files \ 0 string pk\\010\\010BGI Borland device \ >4 string >\\0 %s \ # then there is a copyright notice \ \ \ # recycled/info the windows trash bin index \ 9 string \\000\\000\\000\\030\\001\\000\\000\\000 ms-windows recycled bin info \ \ \ ##### put in Either Magic/font or Magic/news \ # Acroread or something files wrongly identified as G3 .pfm \ # these have the form \\000 \\001 any? \\002 \\000 \\000 \ # or \\000 \\001 any? \\022 \\000 \\000 \ 0 string \\000\\001 pfm? \ >3 string \\022\\000\\000Copyright\\ yes \ >3 string \\002\\000\\000Copyright\\ yes \ #>3 string >\\0 oops, not a font file. Cancel that. \ #it clashes with ttf files so put it lower down. \ \ # From Doug Lee via a FreeBSD pr \ 9 string GERBILDOC First Choice document \ 9 string GERBILDB First Choice database \ 9 string GERBILCLIP First Choice database \ 0 string GERBIL First Choice device file \ 9 string RABBITGRAPH RabbitGraph file \ 0 string DCU1 Borland Delphi .DCU file \ 0 string ! MKS Spell hash list (old format) \ 0 string ! MKS Spell hash list \ 0 string AH Halo(TM) bitmapped font file \ 0 lelong 0x08086b70 TurboC BGI file \ 0 lelong 0x08084b50 TurboC Font file \ \ # WARNING: below line conflicts with Infocom game data Z-machine 3 \ # XXX - removed because stegbeak \ #0 byte 0x03 DBase 3 data file \ #>0x04 lelong 0 (no records) \ #>0x04 lelong >0 (%ld records) \ #0 byte 0x83 DBase 3 data file with memo(s) \ #>0x04 lelong 0 (no records) \ #>0x04 lelong >0 (%ld records) \ 0 leshort 0x0006 DBase 3 index file \ 0 string PMCC Windows 3.x .GRP file \ 1 string RDC-meg MegaDots \ >8 byte >0x2F version %c \ >9 byte >0x2F \\b.%c file \ 0 lelong 0x4C \ >4 lelong 0x00021401 Windows shortcut file \ \ # DOS EPS Binary File Header \ # From: Ed Sznyter \ 0 belong 0xC5D0D3C6 DOS EPS Binary File \ >4 long >0 Postscript starts at byte %d \ >>8 long >0 length %d \ >>>12 long >0 Metafile starts at byte %d \ >>>>16 long >0 length %d \ >>>20 long >0 TIFF starts at byte %d \ >>>>24 long >0 length %d \ \ # TNEF magic From \"Joomy\" \ 0 leshort 0x223e9f78 TNEF \ \ #------------------------------------------------------------------------------ \ # msvc: file(1) magic for msvc \ # \"H. Nanosecond\" \ # Microsoft visual C \ # \ # I have version 1.0 \ \ # .aps \ 0 string HWB\\000\\377\\001\\000\\000\\000 Microsoft Visual C .APS file \ \ # .ide \ #too long 0 string \\102\\157\\162\\154\\141\\156\\144\\040\\103\\053\\053\\040\\120\\162\\157\\152\\145\\143\\164\\040\\106\\151\\154\\145\\012\\000\\032\\000\\002\\000\\262\\000\\272\\276\\372\\316 MSVC .ide \ 0 string \\102\\157\\162\\154\\141\\156\\144\\040\\103\\053\\053\\040\\120\\162\\157 MSVC .ide \ \ # .res \ 0 string \\000\\000\\000\\000\\040\\000\\000\\000\\377 MSVC .res \ 0 string \\377\\003\\000\\377\\001\\000\\020\\020\\350 MSVC .res \ 0 string \\377\\003\\000\\377\\001\\000\\060\\020\\350 MSVC .res \ \ #.lib \ 0 string \\360\\015\\000\\000 Microsoft Visual C library \ 0 string \\360\\075\\000\\000 Microsoft Visual C library \ 0 string \\360\\175\\000\\000 Microsoft Visual C library \ \ #.pch \ 0 string DTJPCH0\\000\\022\\103\\006\\200 Microsoft Visual C .pch \ \ # .pdb \ # too long 0 string Microsoft\\ C/C++\\ program\\ database\\ \ 0 string Microsoft\\ C/C++\\ MSVC program database \ >18 string program\\ database\\ \ >33 string >\\0 ver %s \ \ #.sbr \ 0 string \\000\\002\\000\\007\\000 MSVC .sbr \ >5 string >\\0 %s \ \ #.bsc \ 0 string \\002\\000\\002\\001 MSVC .bsc \ \ #.wsp \ 0 string 1.00\\ .0000.0000\\000\\003 MSVC .wsp version 1.0000.0000 \ # these seem to start with the version and contain menus \ \ #------------------------------------------------------------------------------ \ # ncr: file(1) magic for NCR Tower objects \ # \ # contributed by \ # Michael R. Wayne *** TMC & Associates *** INTERNET: wayne@ford-vax.arpa \ # uucp: {philabs | pyramid} !fmsrl7!wayne OR wayne@fmsrl7.UUCP \ # \ 0 beshort 000610 Tower/XP rel 2 object \ >12 belong >0 not stripped \ >20 beshort 0407 executable \ >20 beshort 0410 pure executable \ >22 beshort >0 - version %ld \ 0 beshort 000615 Tower/XP rel 2 object \ >12 belong >0 not stripped \ >20 beshort 0407 executable \ >20 beshort 0410 pure executable \ >22 beshort >0 - version %ld \ 0 beshort 000620 Tower/XP rel 3 object \ >12 belong >0 not stripped \ >20 beshort 0407 executable \ >20 beshort 0410 pure executable \ >22 beshort >0 - version %ld \ 0 beshort 000625 Tower/XP rel 3 object \ >12 belong >0 not stripped \ >20 beshort 0407 executable \ >20 beshort 0410 pure executable \ >22 beshort >0 - version %ld \ 0 beshort 000630 Tower32/600/400 68020 object \ >12 belong >0 not stripped \ >20 beshort 0407 executable \ >20 beshort 0410 pure executable \ >22 beshort >0 - version %ld \ 0 beshort 000640 Tower32/800 68020 \ >18 beshort &020000 w/68881 object \ >18 beshort &040000 compatible object \ >18 beshort &~060000 object \ >20 beshort 0407 executable \ >20 beshort 0413 pure executable \ >12 belong >0 not stripped \ >22 beshort >0 - version %ld \ 0 beshort 000645 Tower32/800 68010 \ >18 beshort &040000 compatible object \ >18 beshort &~060000 object \ >20 beshort 0407 executable \ >20 beshort 0413 pure executable \ >12 belong >0 not stripped \ >22 beshort >0 - version %ld \ \ #------------------------------------------------------------------------------ \ # netbsd: file(1) magic for NetBSD objects \ # \ # All new-style magic numbers are in network byte order. \ # \ \ 0 lelong 000000407 NetBSD little-endian object file \ >16 lelong >0 not stripped \ 0 belong 000000407 NetBSD big-endian object file \ >16 belong >0 not stripped \ \ 0 belong&0377777777 041400413 NetBSD/i386 demand paged \ >0 byte &0x80 \ >>20 lelong <4096 shared library \ >>20 lelong =4096 dynamically linked executable \ >>20 lelong >4096 dynamically linked executable \ >0 byte ^0x80 executable \ >16 lelong >0 not stripped \ 0 belong&0377777777 041400410 NetBSD/i386 pure \ >0 byte &0x80 dynamically linked executable \ >0 byte ^0x80 executable \ >16 lelong >0 not stripped \ 0 belong&0377777777 041400407 NetBSD/i386 \ >0 byte &0x80 dynamically linked executable \ >0 byte ^0x80 \ >>0 byte &0x40 position independent \ >>20 lelong !0 executable \ >>20 lelong =0 object file \ >16 lelong >0 not stripped \ 0 belong&0377777777 041400507 NetBSD/i386 core \ >12 string >\\0 from '%s' \ >32 lelong !0 (signal %d) \ \ 0 belong&0377777777 041600413 NetBSD/m68k demand paged \ >0 byte &0x80 \ >>20 belong <8192 shared library \ >>20 belong =8192 dynamically linked executable \ >>20 belong >8192 dynamically linked executable \ >0 byte ^0x80 executable \ >16 belong >0 not stripped \ 0 belong&0377777777 041600410 NetBSD/m68k pure \ >0 byte &0x80 dynamically linked executable \ >0 byte ^0x80 executable \ >16 belong >0 not stripped \ 0 belong&0377777777 041600407 NetBSD/m68k \ >0 byte &0x80 dynamically linked executable \ >0 byte ^0x80 \ >>0 byte &0x40 position independent \ >>20 belong !0 executable \ >>20 belong =0 object file \ >16 belong >0 not stripped \ 0 belong&0377777777 041600507 NetBSD/m68k core \ >12 string >\\0 from '%s' \ >32 belong !0 (signal %d) \ \ 0 belong&0377777777 042000413 NetBSD/m68k4k demand paged \ >0 byte &0x80 \ >>20 belong <4096 shared library \ >>20 belong =4096 dynamically linked executable \ >>20 belong >4096 dynamically linked executable \ >0 byte ^0x80 executable \ >16 belong >0 not stripped \ 0 belong&0377777777 042000410 NetBSD/m68k4k pure \ >0 byte &0x80 dynamically linked executable \ >0 byte ^0x80 executable \ >16 belong >0 not stripped \ 0 belong&0377777777 042000407 NetBSD/m68k4k \ >0 byte &0x80 dynamically linked executable \ >0 byte ^0x80 \ >>0 byte &0x40 position independent \ >>20 belong !0 executable \ >>20 belong =0 object file \ >16 belong >0 not stripped \ 0 belong&0377777777 042000507 NetBSD/m68k4k core \ >12 string >\\0 from '%s' \ >32 belong !0 (signal %d) \ \ 0 belong&0377777777 042200413 NetBSD/ns32532 demand paged \ >0 byte &0x80 \ >>20 lelong <4096 shared library \ >>20 lelong =4096 dynamically linked executable \ >>20 lelong >4096 dynamically linked executable \ >0 byte ^0x80 executable \ >16 lelong >0 not stripped \ 0 belong&0377777777 042200410 NetBSD/ns32532 pure \ >0 byte &0x80 dynamically linked executable \ >0 byte ^0x80 executable \ >16 lelong >0 not stripped \ 0 belong&0377777777 042200407 NetBSD/ns32532 \ >0 byte &0x80 dynamically linked executable \ >0 byte ^0x80 \ >>0 byte &0x40 position independent \ >>20 lelong !0 executable \ >>20 lelong =0 object file \ >16 lelong >0 not stripped \ 0 belong&0377777777 042200507 NetBSD/ns32532 core \ >12 string >\\0 from '%s' \ >32 lelong !0 (signal %d) \ \ 0 belong&0377777777 045200507 NetBSD/powerpc core \ >12 string >\\0 from '%s' \ \ 0 belong&0377777777 042400413 NetBSD/sparc demand paged \ >0 byte &0x80 \ >>20 belong <8192 shared library \ >>20 belong =8192 dynamically linked executable \ >>20 belong >8192 dynamically linked executable \ >0 byte ^0x80 executable \ >16 belong >0 not stripped \ 0 belong&0377777777 042400410 NetBSD/sparc pure \ >0 byte &0x80 dynamically linked executable \ >0 byte ^0x80 executable \ >16 belong >0 not stripped \ 0 belong&0377777777 042400407 NetBSD/sparc \ >0 byte &0x80 dynamically linked executable \ >0 byte ^0x80 \ >>0 byte &0x40 position independent \ >>20 belong !0 executable \ >>20 belong =0 object file \ >16 belong >0 not stripped \ 0 belong&0377777777 042400507 NetBSD/sparc core \ >12 string >\\0 from '%s' \ >32 belong !0 (signal %d) \ \ 0 belong&0377777777 042600413 NetBSD/pmax demand paged \ >0 byte &0x80 \ >>20 lelong <4096 shared library \ >>20 lelong =4096 dynamically linked executable \ >>20 lelong >4096 dynamically linked executable \ >0 byte ^0x80 executable \ >16 lelong >0 not stripped \ 0 belong&0377777777 042600410 NetBSD/pmax pure \ >0 byte &0x80 dynamically linked executable \ >0 byte ^0x80 executable \ >16 lelong >0 not stripped \ 0 belong&0377777777 042600407 NetBSD/pmax \ >0 byte &0x80 dynamically linked executable \ >0 byte ^0x80 \ >>0 byte &0x40 position independent \ >>20 lelong !0 executable \ >>20 lelong =0 object file \ >16 lelong >0 not stripped \ 0 belong&0377777777 042600507 NetBSD/pmax core \ >12 string >\\0 from '%s' \ >32 lelong !0 (signal %d) \ \ 0 belong&0377777777 043000413 NetBSD/vax 1k demand paged \ >0 byte &0x80 \ >>20 lelong <4096 shared library \ >>20 lelong =4096 dynamically linked executable \ >>20 lelong >4096 dynamically linked executable \ >0 byte ^0x80 executable \ >16 lelong >0 not stripped \ 0 belong&0377777777 043000410 NetBSD/vax 1k pure \ >0 byte &0x80 dynamically linked executable \ >0 byte ^0x80 executable \ >16 lelong >0 not stripped \ 0 belong&0377777777 043000407 NetBSD/vax 1k \ >0 byte &0x80 dynamically linked executable \ >0 byte ^0x80 \ >>0 byte &0x40 position independent \ >>20 lelong !0 executable \ >>20 lelong =0 object file \ >16 lelong >0 not stripped \ 0 belong&0377777777 043000507 NetBSD/vax 1k core \ >12 string >\\0 from '%s' \ >32 lelong !0 (signal %d) \ \ 0 belong&0377777777 045400413 NetBSD/vax 4k demand paged \ >0 byte &0x80 \ >>20 lelong <4096 shared library \ >>20 lelong =4096 dynamically linked executable \ >>20 lelong >4096 dynamically linked executable \ >0 byte ^0x80 executable \ >16 lelong >0 not stripped \ 0 belong&0377777777 045400410 NetBSD/vax 4k pure \ >0 byte &0x80 dynamically linked executable \ >0 byte ^0x80 executable \ >16 lelong >0 not stripped \ 0 belong&0377777777 045400407 NetBSD/vax 4k \ >0 byte &0x80 dynamically linked executable \ >0 byte ^0x80 \ >>0 byte &0x40 position independent \ >>20 lelong !0 executable \ >>20 lelong =0 object file \ >16 lelong >0 not stripped \ 0 belong&0377777777 045400507 NetBSD/vax 4k core \ >12 string >\\0 from '%s' \ >32 lelong !0 (signal %d) \ \ # NetBSD/alpha does not support (and has never supported) a.out objects, \ # so no rules are provided for them. NetBSD/alpha ELF objects are \ # dealt with in \"elf\". \ 0 lelong 0x00070185 ECOFF NetBSD/alpha binary \ >10 leshort 0x0001 not stripped \ >10 leshort 0x0000 stripped \ 0 belong&0377777777 043200507 NetBSD/alpha core \ >12 string >\\0 from '%s' \ >32 lelong !0 (signal %d) \ \ 0 belong&0377777777 043400413 NetBSD/mips demand paged \ >0 byte &0x80 \ >>20 belong <8192 shared library \ >>20 belong =8192 dynamically linked executable \ >>20 belong >8192 dynamically linked executable \ >0 byte ^0x80 executable \ >16 belong >0 not stripped \ 0 belong&0377777777 043400410 NetBSD/mips pure \ >0 byte &0x80 dynamically linked executable \ >0 byte ^0x80 executable \ >16 belong >0 not stripped \ 0 belong&0377777777 043400407 NetBSD/mips \ >0 byte &0x80 dynamically linked executable \ >0 byte ^0x80 \ >>0 byte &0x40 position independent \ >>20 belong !0 executable \ >>20 belong =0 object file \ >16 belong >0 not stripped \ 0 belong&0377777777 043400507 NetBSD/mips core \ >12 string >\\0 from '%s' \ >32 belong !0 (signal %d) \ \ 0 belong&0377777777 043600413 NetBSD/arm32 demand paged \ >0 byte &0x80 \ >>20 lelong <4096 shared library \ >>20 lelong =4096 dynamically linked executable \ >>20 lelong >4096 dynamically linked executable \ >0 byte ^0x80 executable \ >16 lelong >0 not stripped \ 0 belong&0377777777 043600410 NetBSD/arm32 pure \ >0 byte &0x80 dynamically linked executable \ >0 byte ^0x80 executable \ >16 lelong >0 not stripped \ 0 belong&0377777777 043600407 NetBSD/arm32 \ >0 byte &0x80 dynamically linked executable \ >0 byte ^0x80 \ >>0 byte &0x40 position independent \ >>20 lelong !0 executable \ >>20 lelong =0 object file \ >16 lelong >0 not stripped \ # NetBSD/arm26 has always used ELF objects, but it shares a core file \ # format with NetBSD/arm32. \ 0 belong&0377777777 043600507 NetBSD/arm core \ >12 string >\\0 from '%s' \ >32 lelong !0 (signal %d) \ \ #------------------------------------------------------------------------------ \ # netscape: file(1) magic for Netscape files \ # \"H. Nanosecond\" \ # version 3 and 4 I think \ # \ \ # Netscape Address book .nab \ 0 string \\000\\017\\102\\104\\000\\000\\000\\000\\000\\000\\001\\000\\000\\000\\000\\002\\000\\000\\000\\002\\000\\000\\004\\000 Netscape Address book \ \ # .snm Caches \ 0 string #\\ Netscape\\ folder\\ cache Netscape folder cache \ 0 string \\000\\036\\204\\220\\000 Netscape folder cache \ # .n2p \ # Net 2 Phone \ #0 string 123\\130\\071\\066\\061\\071\\071\\071\\060\\070\\061\\060\\061\\063\\060 \ 0 string SX961999 Net2phone \ \ # \ #This is files ending in .art, FIXME add more rules \ 0 string JG\\004\\016\\0\\0\\0\\0 ART \ \ #------------------------------------------------------------------------------ \ # news: file(1) magic for SunOS NeWS fonts (not \"news\" as in \"netnews\") \ # \ 0 string StartFontMetrics ASCII font metrics \ 0 string StartFont ASCII font bits \ 0 belong 0x137A2944 NeWS bitmap font \ 0 belong 0x137A2947 NeWS font family \ 0 belong 0x137A2950 scalable OpenFont binary \ 0 belong 0x137A2951 encrypted scalable OpenFont binary \ 8 belong 0x137A2B45 X11/NeWS bitmap font \ 8 belong 0x137A2B48 X11/NeWS font family \ #------------------------------------------------------------------------------ \ # octave binary data file(1) magic, from Dirk Eddelbuettel \ 0 string Octave-1-L Octave binary data (little endian) \ 0 string Octave-1-B Octave binary data (big endian) \ \ #------------------------------------------------------------------------------ \ # olf: file(1) magic for OLF executables \ # \ # We have to check the byte order flag to see what byte order all the \ # other stuff in the header is in. \ # \ # MIPS R3000 may also be for MIPS R2000. \ # What're the correct byte orders for the nCUBE and the Fujitsu VPP500? \ # \ # Created by Erik Theisen \ # Based on elf from Daniel Quinlan \ 0 string \\177OLF OLF \ >4 byte 0 invalid class \ >4 byte 1 32-bit \ >4 byte 2 64-bit \ >7 byte 0 invalid os \ >7 byte 1 OpenBSD \ >7 byte 2 NetBSD \ >7 byte 3 FreeBSD \ >7 byte 4 4.4BSD \ >7 byte 5 Linux \ >7 byte 6 SVR4 \ >7 byte 7 esix \ >7 byte 8 Solaris \ >7 byte 9 Irix \ >7 byte 10 SCO \ >7 byte 11 Dell \ >7 byte 12 NCR \ >5 byte 0 invalid byte order \ >5 byte 1 LSB \ >>16 leshort 0 no file type, \ >>16 leshort 1 relocatable, \ >>16 leshort 2 executable, \ >>16 leshort 3 shared object, \ # Core handling from Peter Tobias \ # corrections by Christian 'Dr. Disk' Hechelmann \ >>16 leshort 4 core file \ >>>(0x38+0xcc) string >\\0 of '%s' \ >>>(0x38+0x10) lelong >0 (signal %d), \ >>16 leshort &0xff00 processor-specific, \ >>18 leshort 0 no machine, \ >>18 leshort 1 AT&T WE32100 - invalid byte order, \ >>18 leshort 2 SPARC - invalid byte order, \ >>18 leshort 3 Intel 80386, \ >>18 leshort 4 Motorola 68000 - invalid byte order, \ >>18 leshort 5 Motorola 88000 - invalid byte order, \ >>18 leshort 6 Intel 80486, \ >>18 leshort 7 Intel 80860, \ >>18 leshort 8 MIPS R3000_BE - invalid byte order, \ >>18 leshort 9 Amdahl - invalid byte order, \ >>18 leshort 10 MIPS R3000_LE, \ >>18 leshort 11 RS6000 - invalid byte order, \ >>18 leshort 15 PA-RISC - invalid byte order, \ >>18 leshort 16 nCUBE, \ >>18 leshort 17 VPP500, \ >>18 leshort 18 SPARC32PLUS, \ >>18 leshort 20 PowerPC, \ >>18 leshort 0x9026 Alpha, \ >>20 lelong 0 invalid version \ >>20 lelong 1 version 1 \ >>36 lelong 1 MathCoPro/FPU/MAU Required \ >8 string >\\0 (%s) \ >5 byte 2 MSB \ >>16 beshort 0 no file type, \ >>16 beshort 1 relocatable, \ >>16 beshort 2 executable, \ >>16 beshort 3 shared object, \ >>16 beshort 4 core file, \ >>>(0x38+0xcc) string >\\0 of '%s' \ >>>(0x38+0x10) belong >0 (signal %d), \ >>16 beshort &0xff00 processor-specific, \ >>18 beshort 0 no machine, \ >>18 beshort 1 AT&T WE32100, \ >>18 beshort 2 SPARC, \ >>18 beshort 3 Intel 80386 - invalid byte order, \ >>18 beshort 4 Motorola 68000, \ >>18 beshort 5 Motorola 88000, \ >>18 beshort 6 Intel 80486 - invalid byte order, \ >>18 beshort 7 Intel 80860, \ >>18 beshort 8 MIPS R3000_BE, \ >>18 beshort 9 Amdahl, \ >>18 beshort 10 MIPS R3000_LE - invalid byte order, \ >>18 beshort 11 RS6000, \ >>18 beshort 15 PA-RISC, \ >>18 beshort 16 nCUBE, \ >>18 beshort 17 VPP500, \ >>18 beshort 18 SPARC32PLUS, \ >>18 beshort 20 PowerPC or cisco 4500, \ >>18 beshort 21 cisco 7500, \ >>18 beshort 24 cisco SVIP, \ >>18 beshort 25 cisco 7200, \ >>18 beshort 36 cisco 12000, \ >>18 beshort 0x9026 Alpha, \ >>20 belong 0 invalid version \ >>20 belong 1 version 1 \ >>36 belong 1 MathCoPro/FPU/MAU Required \ \ #------------------------------------------------------------------------------ \ # os2: file(1) magic for OS/2 files \ # \ \ # Provided 1998/08/22 by \ # David Mediavilla \ 1 string InternetShortcut MS Windows 95 Internet shortcut text \ >24 string >\\ (URL=<%s>) \ \ # OS/2 URL objects \ # Provided 1998/08/22 by \ # David Mediavilla \ 0 string http: OS/2 URL object text \ >5 string >\\ (WWW) \ 0 string mailto: OS/2 URL object text \ >7 string >\\ (email) <%s> \ 0 string news: OS/2 URL object text \ >5 string >\\ (Usenet) <%s> \ 0 string ftp: OS/2 URL object text \ >4 string >\\ (FTP) \ 0 string file: OS/2 URL object text \ >5 string >\\ (Local file) <%s> \ \ # >>>>> OS/2 INF/HLP <<<<< (source: Daniel Dissett ddissett@netcom.com) \ # Carl Hauser (chauser.parc@xerox.com) and \ # Marcus Groeber (marcusg@ph-cip.uni-koeln.de) \ # list the following header format in inf02a.doc: \ # \ # int16 ID; // ID magic word (5348h = \"HS\") \ # int8 unknown1; // unknown purpose, could be third letter of ID \ # int8 flags; // probably a flag word... \ # // bit 0: set if INF style file \ # // bit 4: set if HLP style file \ # // patching this byte allows reading HLP files \ # // using the VIEW command, while help files \ # // seem to work with INF settings here as well. \ # int16 hdrsize; // total size of header \ # int16 unknown2; // unknown purpose \ # \ 0 string HSP\\x01\\x9b\\x00 OS/2 INF \ >107 string >0 (%s) \ 0 string HSP\\x10\\x9b\\x00 OS/2 HLP \ >107 string >0 (%s) \ \ # OS/2 INI (this is a guess) \ 0 string \\xff\\xff\\xff\\xff\\x14\\0\\0\\0 OS/2 INI \ # \ # Copyright (c) 1996 Ignatios Souvatzis. All rights reserved. \ # \ # Redistribution and use in source and binary forms, with or without \ # modification, are permitted provided that the following conditions \ # are met: \ # 1. Redistributions of source code must retain the above copyright \ # notice, this list of conditions and the following disclaimer. \ # 2. Redistributions in binary form must reproduce the above copyright \ # notice, this list of conditions and the following disclaimer in the \ # documentation and/or other materials provided with the distribution. \ # 3. All advertising materials mentioning features or use of this software \ # must display the following acknowledgement: \ # This product includes software developed by Ignatios Souvatzis for \ # the NetBSD project. \ # 4. The name of the author may not be used to endorse or promote products \ # derived from this software without specific prior written permission. \ # \ # \ # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR \ # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES \ # OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. \ # IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, \ # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, \ # PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; \ # OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, \ # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR \ # OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF \ # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. \ # \ # \ # \ # OS9/6809 module descriptions: \ # \ 0 beshort 0x87CD OS9/6809 module: \ # \ >6 byte&0x0f 0x00 non-executable \ >6 byte&0x0f 0x01 machine language \ >6 byte&0x0f 0x02 BASIC I-code \ >6 byte&0x0f 0x03 P-code \ >6 byte&0x0f 0x04 C I-code \ >6 byte&0x0f 0x05 COBOL I-code \ >6 byte&0x0f 0x06 FORTRAN I-code \ # \ >6 byte&0xf0 0x10 program executable \ >6 byte&0xf0 0x20 subroutine \ >6 byte&0xf0 0x30 multi-module \ >6 byte&0xf0 0x40 data module \ # \ >6 byte&0xf0 0xC0 system module \ >6 byte&0xf0 0xD0 file manager \ >6 byte&0xf0 0xE0 device driver \ >6 byte&0xf0 0xF0 device descriptor \ # \ # OS9/m68k stuff (to be continued) \ # \ 0 beshort 0x4AFC OS9/68K module: \ # \ # attr \ >14 byte&0x80 0x80 re-entrant \ >14 byte&0x40 0x40 ghost \ >14 byte&0x20 0x20 system-state \ # \ # lang: \ # \ >13 byte 1 machine language \ >13 byte 2 BASIC I-code \ >13 byte 3 P-code \ >13 byte 4 C I-code \ >13 byte 5 COBOL I-code \ >13 byte 6 Fortran I-code \ # \ # \ # type: \ # \ >12 byte 1 program executable \ >12 byte 2 subroutine \ >12 byte 3 multi-module \ >12 byte 4 data module \ >12 byte 11 trap library \ >12 byte 12 system module \ >12 byte 13 file manager \ >12 byte 14 device driver \ >12 byte 15 device descriptor \ # \ # Mach magic number info \ # \ 0 long 0xefbe OSF/Rose object \ # I386 magic number info \ # \ 0 short 0565 i386 COFF object \ \ #------------------------------------------------------------------------------ \ # palm: file(1) magic for PalmOS {.prc,.pdb}: applications, docfiles, and hacks \ # \ # Brian Lalor \ \ # appl \ 60 belong 0x6170706c PalmOS application \ >0 string >\\0 \"%s\" \ # TEXt \ 60 belong 0x54455874 AportisDoc file \ >0 string >\\0 \"%s\" \ # HACK \ 60 belong 0x4841434b HackMaster hack \ >0 string >\\0 \"%s\" \ \ #------------------------------------------------------------------------------ \ # pbm: file(1) magic for Portable Bitmap files \ # \ # XXX - byte order? \ # \ 0 short 0x2a17 \"compact bitmap\" format (Poskanzer) \ #------------------------------------------------------------------------------ \ # pdf: file(1) magic for Portable Document Format \ # \ \ 0 string %PDF- PDF document \ >5 byte x \\b, version %c \ >7 byte x \\b.%c \ \ #------------------------------------------------------------------------------ \ # pdp: file(1) magic for PDP-11 executable/object and APL workspace \ # \ 0 lelong 0101555 PDP-11 single precision APL workspace \ 0 lelong 0101554 PDP-11 double precision APL workspace \ # \ # PDP-11 a.out \ # \ #0 leshort 0407 PDP-11 executable \ #>8 leshort >0 not stripped \ #>15 byte >0 - version %ld \ \ #0 leshort 0401 PDP-11 UNIX/RT ldp \ #0 leshort 0405 PDP-11 old overlay \ \ #0 leshort 0410 PDP-11 pure executable \ #>8 leshort >0 not stripped \ #>15 byte >0 - version %ld \ \ #0 leshort 0411 PDP-11 separate I&D executable \ #>8 leshort >0 not stripped \ #>15 byte >0 - version %ld \ \ #0 leshort 0437 PDP-11 kernel overlay \ \ # These last three are derived from 2.11BSD file(1) \ #0 leshort 0413 PDP-11 demand-paged pure executable \ #>8 leshort >0 not stripped \ \ #0 leshort 0430 PDP-11 overlaid pure executable \ #>8 leshort >0 not stripped \ \ #0 leshort 0431 PDP-11 overlaid separate executable \ #>8 leshort >0 not stripped \ \ #------------------------------------------------------------------------------ \ # pgp: file(1) magic for Pretty Good Privacy \ # \ 0 beshort 0x9900 PGP key public ring \ 0 beshort 0x9501 PGP key security ring \ 0 beshort 0x9500 PGP key security ring \ 0 beshort 0xa600 PGP encrypted data \ 0 string -----BEGIN\\040PGP PGP armored data \ >15 string PUBLIC\\040KEY\\040BLOCK- public key block \ >15 string MESSAGE- message \ >15 string SIGNED\\040MESSAGE- signed message \ >15 string PGP\\040SIGNATURE- signature \ \ #------------------------------------------------------------------------------ \ # pkgadd: file(1) magic for SysV R4 PKG Datastreams \ # \ 0 string #\\ PaCkAgE\\ DaTaStReAm pkg Datastream (SVR4) \ \ #------------------------------------------------------------------------------ \ # plus5: file(1) magic for Plus Five's UNIX MUMPS \ # \ # XXX - byte order? Paging Hokey.... \ # \ 0 short 0x259 mumps avl global \ >2 byte >0 (V%d) \ >6 byte >0 with %d byte name \ >7 byte >0 and %d byte data cells \ 0 short 0x25a mumps blt global \ >2 byte >0 (V%d) \ >8 short >0 - %d byte blocks \ >15 byte 0x00 - P/D format \ >15 byte 0x01 - P/K/D format \ >15 byte 0x02 - K/D format \ >15 byte >0x02 - Bad Flags \ \ #------------------------------------------------------------------------------ \ # printer: file(1) magic for printer-formatted files \ # \ \ # PostScript, updated by Daniel Quinlan (quinlan@yggdrasil.com) \ 0 string %! PostScript document text \ >2 string PS-Adobe- conforming \ >>11 string >\\0 at level %.3s \ >>>15 string EPS - type %s \ >>>15 string Query - type %s \ >>>15 string ExitServer - type %s \ # Some PCs have the annoying habit of adding a ^D as a document separator \ 0 string \\004%! PostScript document text \ >3 string PS-Adobe- conforming \ >>12 string >\\0 at level %.3s \ >>>16 string EPS - type %s \ >>>16 string Query - type %s \ >>>16 string ExitServer - type %s \ 0 string \\033%-12345X%!PS PostScript document \ \ \ # DOS EPS Binary File Header \ # From: Ed Sznyter \ 0 belong 0xC5D0D3C6 DOS EPS Binary File \ >4 long >0 Postscript starts at byte %d \ >>8 long >0 length %d \ >>>12 long >0 Metafile starts at byte %d \ >>>>16 long >0 length %d \ >>>20 long >0 TIFF starts at byte %d \ >>>>24 long >0 length %d \ \ # Adobe's PostScript Printer Description (PPD) files \ # Yves Arrouye \ # \ 0 string *PPD-Adobe: PPD file \ >13 string x \\b, ve \ \ # HP Printer Job Language \ 0 string \\033%-12345X@PJL HP Printer Job Language data \ # HP Printer Job Language \ # The header found on Win95 HP plot files is the \"Silliest Thing possible\" \ # (TM) \ # Every driver puts the language at some random position, with random case \ # (LANGUAGE and Language) \ # For example the LaserJet 5L driver puts the \"PJL ENTER LANGUAGE\" in line 10 \ # From: Uwe Bonnes \ # \ 0 string \\033%-12345X@PJL HP Printer Job Language data \ >&0 string >\\0 %s \ >>&0 string >\\0 %s \ >>>&0 string >\\0 %s \ >>>>&0 string >\\0 %s \ #>15 string \\ ENTER\\ LANGUAGE\\ = \ #>31 string PostScript PostScript \ \ # HP Printer Control Language, Daniel Quinlan (quinlan@yggdrasil.com) \ 0 string \\033E\\033 HP PCL printer data \ >3 string \\&l0A - default page size \ >3 string \\&l1A - US executive page size \ >3 string \\&l2A - US letter page size \ >3 string \\&l3A - US legal page size \ >3 string \\&l26A - A4 page size \ >3 string \\&l80A - Monarch envelope size \ >3 string \\&l81A - No. 10 envelope size \ >3 string \\&l90A - Intl. DL envelope size \ >3 string \\&l91A - Intl. C5 envelope size \ >3 string \\&l100A - Intl. B5 envelope size \ >3 string \\&l-81A - No. 10 envelope size (landscape) \ >3 string \\&l-90A - Intl. DL envelope size (landscape) \ \ # IMAGEN printer-ready files: \ 0 string @document( Imagen printer \ # this only works if \"language xxx\" is first item in Imagen header. \ >10 string language\\ impress (imPRESS data) \ >10 string language\\ daisy (daisywheel text) \ >10 string language\\ diablo (daisywheel text) \ >10 string language\\ printer (line printer emulation) \ >10 string language\\ tektronix (Tektronix 4014 emulation) \ # Add any other languages that your Imagen uses - remember \ # to keep the word `text' if the file is human-readable. \ # [GRR 950115: missing \"postscript\" or \"ultrascript\" (whatever it was called)] \ # \ # Now magic for IMAGEN font files... \ 0 string Rast RST-format raster font data \ >45 string >0 face % \ # From Jukka Ukkonen \ 0 string \\033[K\\002\\0\\0\\017\\033(a\\001\\0\\001\\033(g Canon Bubble Jet BJC formatted data \ \ #------------------------------------------------------------------------------ \ # project: file(1) magic for Project management \ # \ # Magic strings for ftnchek project files. Alexander Mai \ 0 string FTNCHEK_\\ P project file for ftnchek \ >10 string 1 version 2.7 \ >10 string 2 version 2.8 to 2.10 \ >10 string 3 version 2.11 or later \ \ #------------------------------------------------------------------------------ \ # psdbms: file(1) magic for psdatabase \ # \ 0 belong&0xff00ffff 0x56000000 ps database \ >1 string >\\0 version %s \ >4 string >\\0 from kernel %s \ \ #------------------------------------------------------------------------------ \ # pyramid: file(1) magic for Pyramids \ # \ # XXX - byte order? \ # \ 0 long 0x50900107 Pyramid 90x family executable \ 0 long 0x50900108 Pyramid 90x family pure executable \ >16 long >0 not stripped \ 0 long 0x5090010b Pyramid 90x family demand paged pure executable \ >16 long >0 not stripped \ # often the module starts with a multiline string \ 0 string \"\"\" a python script text executable \ # MAGIC as specified in Python/import.c (1.5.2/1.6) \ # 20121 ( YEAR - 1995 ) + MONTH + DAY (little endian followed by \"\\r\\n\" \ 0 belong 0x994e0d0a python compiled \ \ #------------------------------------------------------------------------------ \ # riff: file(1) magic for RIFF format \ # See \ # \ # http://www.seanet.com/users/matts/riffmci/riffmci.htm \ # \ # and \ # \ # http://www.ora.com/centers/gff/formats/micriff/index.htm \ # \ # and \ # \ # http://www.jtauber.com/music/encoding/niff/spec/ \ # \ 0 string RIFF RIFF (little-endian) data \ # RIFF Palette format \ >8 string PAL \\b, palette \ >>16 leshort x \\b, version %d \ >>18 leshort x \\b, %d entries \ # RIFF Device Independent Bitmap format \ >8 string RDIB \\b, device-independent bitmap \ >>16 string BM \ >>>30 leshort 12 \\b, OS/2 1.x format \ >>>>34 leshort x \\b, %d x \ >>>>36 leshort x %d \ >>>30 leshort 64 \\b, OS/2 2.x format \ >>>>34 leshort x \\b, %d x \ >>>>36 leshort x %d \ >>>30 leshort 40 \\b, Windows 3.x format \ >>>>34 lelong x \\b, %d x \ >>>>38 lelong x %d x \ >>>>44 leshort x %d \ # RIFF MIDI format \ >8 string RMID \\b, MIDI \ # RIFF Multimedia Movie File format \ >8 string RMMP \\b, multimedia movie \ # Microsoft WAVE format (*.wav) \ >8 string WAVE \\b, WAVE audio \ >>20 leshort 1 \\b, Microsoft PCM \ >>>34 leshort >0 \\b, %d bit \ >>20 leshort 2 \\b, Microsoft ADPCM \ >>20 leshort 6 \\b, ITU G.711 a-law \ >>20 leshort 7 \\b, ITU G.711 u-law \ >>20 leshort 17 \\b, IMA ADPCM \ >>20 leshort 20 \\b, ITU G.723 ADPCM (Yamaha) \ >>20 leshort 49 \\b, GSM 6.10 \ >>20 leshort 64 \\b, ITU G.721 ADPCM \ >>20 leshort 80 \\b, MPEG \ >>20 leshort 85 \\b, MPEG Layer 3 \ >>22 leshort =1 \\b, mono \ >>22 leshort =2 \\b, stereo \ >>22 leshort >2 \\b, %d channels \ >>24 lelong >0 %d Hz \ # AVI == Audio Video Interleave \ >8 string AVI\\ \\b, AVI \ # Animated Cursor format \ >8 string ACON \\b, animated cursor \ \ # \ # XXX - some of the below may only appear in little-endian form. \ # \ # Also \"MV93\" appears to be for one form of Macromedia Director \ # files, and \"GDMF\" appears to be another multimedia format. \ # \ 0 string RIFX RIFF (big-endian) data \ # RIFF Palette format \ >8 string PAL \\b, palette \ >>16 beshort x \\b, version %d \ >>18 beshort x \\b, %d entries \ # RIFF Device Independent Bitmap format \ >8 string RDIB \\b, device-independent bitmap \ >>16 string BM \ >>>30 beshort 12 \\b, OS/2 1.x format \ >>>>34 beshort x \\b, %d x \ >>>>36 beshort x %d \ >>>30 beshort 64 \\b, OS/2 2.x format \ >>>>34 beshort x \\b, %d x \ >>>>36 beshort x %d \ >>>30 beshort 40 \\b, Windows 3.x format \ >>>>34 belong x \\b, %d x \ >>>>38 belong x %d x \ >>>>44 beshort x %d \ # RIFF MIDI format \ >8 string RMID \\b, MIDI \ # RIFF Multimedia Movie File format \ >8 string RMMP \\b, multimedia movie \ # Microsoft WAVE format (*.wav) \ >8 string WAVE \\b, WAVE audio \ >>20 leshort 1 \\b, Microsoft PCM \ >>>34 leshort >0 \\b, %d bit \ >>22 beshort =1 \\b, mono \ >>22 beshort =2 \\b, stereo \ >>22 beshort >2 \\b, %d channels \ >>24 belong >0 %d Hz \ # AVI == Audio Video Interleave \ >8 string AVI\\ \\b, AVI \ # Animated Cursor format \ >8 string ACON \\b, animated cursor \ # Notation Interchange File Format (big-endian only) \ >8 string NIFF \\b, Notation Interchange File Format \ \ # SoundFont 2 \ >8 string sfbk SoundFont 2 \ #------------------------------------------------------------------------------ \ # \ # RPM: file(1) magic for Red Hat Packages Erik Troan (ewt@redhat.com) \ # \ 0 beshort 0xedab \ >2 beshort 0xeedb RPM \ >>4 byte x v%d \ >>6 beshort 0 bin \ >>6 beshort 1 src \ >>8 beshort 1 i386 \ >>8 beshort 2 Alpha \ >>8 beshort 3 Sparc \ >>8 beshort 4 MIPS \ >>8 beshort 5 PowerPC \ >>8 beshort 6 68000 \ >>8 beshort 7 SGI \ >>10 string x %s \ \ #------------------------------------------------------------------------------ \ # rtf: file(1) magic for Rich Text Format (RTF) \ # \ # Duncan P. Simpson, D.P.Simpson@dcs.warwick.ac.uk \ # \ 0 string {\\\\rtf Rich Text Format data, \ >5 byte x version %c, \ >6 string \\\\ansi ANSI \ >6 string \\\\mac Apple Macintosh \ >6 string \\\\pc IBM PC, code page 437 \ >6 string \\\\pca IBM PS/2, code page 850 \ \ #------------------------------------------------------------------------------ \ # sc: file(1) magic for \"sc\" spreadsheet \ # \ 38 string Spreadsheet sc spreadsheet file \ \ #------------------------------------------------------------------------------ \ # sccs: file(1) magic for SCCS archives \ # \ # SCCS archive structure: \ # \\001h01207 \ # \\001s 00276/00000/00000 \ # \\001d D 1.1 87/09/23 08:09:20 ian 1 0 \ # \\001c date and time created 87/09/23 08:09:20 by ian \ # \\001e \ # \\001u \ # \\001U \ # ... etc. \ # Now '\\001h' happens to be the same as the 3B20's a.out magic number (0550). \ # *Sigh*. And these both came from various parts of the USG. \ # Maybe we should just switch everybody from SCCS to RCS! \ # Further, you can't just say '\\001h0', because the five-digit number \ # is a checksum that could (presumably) have any leading digit, \ # and we don't have regular expression matching yet. \ # Hence the following official kludge: \ 8 string \\001s\\ SCCS archive data \ \ #------------------------------------------------------------------------------ \ # sequent: file(1) magic for Sequent machines \ # \ # Sequent information updated by Don Dwiggins . \ # For Sequent's multiprocessor systems (incomplete). \ 0 lelong 0x00ea BALANCE NS32000 .o \ >16 lelong >0 not stripped \ >124 lelong >0 version %ld \ 0 lelong 0x10ea BALANCE NS32000 executable (0 @ 0) \ >16 lelong >0 not stripped \ >124 lelong >0 version %ld \ 0 lelong 0x20ea BALANCE NS32000 executable (invalid @ 0) \ >16 lelong >0 not stripped \ >124 lelong >0 version %ld \ 0 lelong 0x30ea BALANCE NS32000 standalone executable \ >16 lelong >0 not stripped \ >124 lelong >0 version %ld \ # \ # Symmetry information added by Jason Merrill . \ # Symmetry magic nums will not be reached if DOS COM comes before them; \ # byte 0xeb is matched before these get a chance. \ 0 leshort 0x12eb SYMMETRY i386 .o \ >16 lelong >0 not stripped \ >124 lelong >0 version %ld \ 0 leshort 0x22eb SYMMETRY i386 executable (0 @ 0) \ >16 lelong >0 not stripped \ >124 lelong >0 version %ld \ 0 leshort 0x32eb SYMMETRY i386 executable (invalid @ 0) \ >16 lelong >0 not stripped \ >124 lelong >0 version %ld \ 0 leshort 0x42eb SYMMETRY i386 standalone executable \ >16 lelong >0 not stripped \ >124 lelong >0 version %ld \ \ #------------------------------------------------------------------------------ \ # sgml: file(1) magic for Standard Generalized Markup Language \ # HyperText Markup Language (HTML) is an SGML document type, \ # from Daniel Quinlan (quinlan@yggdrasil.com) \ # adapted to string extenstions by Anthon van der Neut \ 0 string ##Sketch Sketch document text \ \ #------------------------------------------------------------------------------ \ # sniffer: file(1) magic for packet capture files \ # \ # From: guy@alum.mit.edu (Guy Harris) \ # \ \ # \ # Microsoft Network Monitor 1.x capture files. \ # \ 0 string RTSS NetMon capture file \ >4 byte x - version %d \ >5 byte x \\b.%d \ >6 leshort 0 (Unknown) \ >6 leshort 1 (Ethernet) \ >6 leshort 2 (Token Ring) \ >6 leshort 3 (FDDI) \ \ # \ # Microsoft Network Monitor 2.x capture files. \ # \ 0 string GMBU NetMon capture file \ >4 byte x - version %d \ >5 byte x \\b.%d \ >6 leshort 0 (Unknown) \ >6 leshort 1 (Ethernet) \ >6 leshort 2 (Token Ring) \ >6 leshort 3 (FDDI) \ \ # \ # Network General Sniffer capture files. \ # Sorry, make that \"Network Associates Sniffer capture files.\" \ # \ 0 string TRSNIFF\\ data\\ \\ \\ \\ \\032 Sniffer capture file \ >33 byte 2 (compressed) \ >23 leshort x - version %d \ >25 leshort x \\b.%d \ >32 byte 0 (Token Ring) \ >32 byte 1 (Ethernet) \ >32 byte 2 (ARCNET) \ >32 byte 3 (StarLAN) \ >32 byte 4 (PC Network broadband) \ >32 byte 5 (LocalTalk) \ >32 byte 6 (Znet) \ >32 byte 7 (Internetwork Analyzer) \ >32 byte 9 (FDDI) \ >32 byte 10 (ATM) \ \ # \ # Cinco Networks NetXRay capture files. \ # Sorry, make that \"Network General Sniffer Basic capture files.\" \ # Sorry, make that \"Network Associates Sniffer Basic capture files.\" \ # Sorry, make that \"Network Associates Sniffer Basic, and Windows \ # Sniffer Pro\", capture files.\" \ # \ 0 string XCP\\0 NetXRay capture file \ >4 string >\\0 - version %s \ >44 leshort 0 (Ethernet) \ >44 leshort 1 (Token Ring) \ >44 leshort 2 (FDDI) \ \ # \ # \"libpcap\" capture files. \ # (We call them \"tcpdump capture file(s)\" for now, as \"tcpdump\" is \ # the main program that uses that format, but there are other programs \ # that use \"libpcap\", or that use the same capture file format.) \ # \ 0 ubelong 0xa1b2c3d4 tcpdump capture file (big-endian) \ >4 beshort x - version %d \ >6 beshort x \\b.%d \ >20 belong 0 (No link-layer encapsulation \ >20 belong 1 (Ethernet \ >20 belong 2 (3Mb Ethernet \ >20 belong 3 (AX.25 \ >20 belong 4 (ProNET \ >20 belong 5 (CHAOS \ >20 belong 6 (Token Ring \ >20 belong 7 (ARCNET \ >20 belong 8 (SLIP \ >20 belong 9 (PPP \ >20 belong 10 (FDDI \ >20 belong 11 (RFC 1483 ATM \ >20 belong 12 (raw IP \ >20 belong 13 (BSD/OS SLIP \ >20 belong 14 (BSD/OS PPP \ >20 belong 50 (PPP or Cisco HDLC \ >20 belong 51 (PPP-over-Ethernet \ >20 belong 100 (RFC 1483 ATM \ >20 belong 101 (raw IP \ >20 belong 102 (BSD/OS SLIP \ >20 belong 103 (BSD/OS PPP \ >20 belong 104 (BSD/OS Cisco HDLC \ >20 belong 105 (802.11 \ >20 belong 106 (Linux Classical IP over ATM \ >20 belong 108 (OpenBSD loopback \ >20 belong 109 (OpenBSD IPSEC encrypted \ >20 belong 113 (Linux \"cooked\" \ >20 belong 114 (LocalTalk \ >16 belong x \\b, capture length %d) \ 0 ulelong 0xa1b2c3d4 tcpdump capture file (little-endian) \ >4 leshort x - version %d \ >6 leshort x \\b.%d \ >20 lelong 0 (No link-layer encapsulation \ >20 lelong 1 (Ethernet \ >20 lelong 2 (3Mb Ethernet \ >20 lelong 3 (AX.25 \ >20 lelong 4 (ProNET \ >20 lelong 5 (CHAOS \ >20 lelong 6 (Token Ring \ >20 lelong 7 (ARCNET \ >20 lelong 8 (SLIP \ >20 lelong 9 (PPP \ >20 lelong 10 (FDDI \ >20 lelong 11 (RFC 1483 ATM \ >20 lelong 12 (raw IP \ >20 lelong 13 (BSD/OS SLIP \ >20 lelong 14 (BSD/OS PPP \ >20 lelong 50 (PPP or Cisco HDLC \ >20 lelong 51 (PPP-over-Ethernet \ >20 lelong 100 (RFC 1483 ATM \ >20 lelong 101 (raw IP \ >20 lelong 102 (BSD/OS SLIP \ >20 lelong 103 (BSD/OS PPP \ >20 lelong 104 (BSD/OS Cisco HDLC \ >20 lelong 105 (802.11 \ >20 lelong 106 (Linux Classical IP over ATM \ >20 lelong 108 (OpenBSD loopback \ >20 lelong 109 (OpenBSD IPSEC encrypted \ >20 lelong 113 (Linux \"cooked\" \ >20 lelong 114 (LocalTalk \ >16 lelong x \\b, capture length %d) \ \ # \ # \"libpcap\"-with-Alexey-Kuznetsov's-patches capture files. \ # (We call them \"tcpdump capture file(s)\" for now, as \"tcpdump\" is \ # the main program that uses that format, but there are other programs \ # that use \"libpcap\", or that use the same capture file format.) \ # \ 0 ubelong 0xa1b2cd34 extended tcpdump capture file (big-endian) \ >4 beshort x - version %d \ >6 beshort x \\b.%d \ >20 belong 0 (No link-layer encapsulation \ >20 belong 1 (Ethernet \ >20 belong 2 (3Mb Ethernet \ >20 belong 3 (AX.25 \ >20 belong 4 (ProNET \ >20 belong 5 (CHAOS \ >20 belong 6 (Token Ring \ >20 belong 7 (ARCNET \ >20 belong 8 (SLIP \ >20 belong 9 (PPP \ >20 belong 10 (FDDI \ >20 belong 11 (RFC 1483 ATM \ >20 belong 12 (raw IP \ >20 belong 13 (BSD/OS SLIP \ >20 belong 14 (BSD/OS PPP \ >16 belong x \\b, capture length %d) \ 0 ulelong 0xa1b2cd34 extended tcpdump capture file (little-endian) \ >4 leshort x - version %d \ >6 leshort x \\b.%d \ >20 lelong 0 (No link-layer encapsulation \ >20 lelong 1 (Ethernet \ >20 lelong 2 (3Mb Ethernet \ >20 lelong 3 (AX.25 \ >20 lelong 4 (ProNET \ >20 lelong 5 (CHAOS \ >20 lelong 6 (Token Ring \ >20 lelong 7 (ARCNET \ >20 lelong 8 (SLIP \ >20 lelong 9 (PPP \ >20 lelong 10 (FDDI \ >20 lelong 11 (RFC 1483 ATM \ >20 lelong 12 (raw IP \ >20 lelong 13 (BSD/OS SLIP \ >20 lelong 14 (BSD/OS PPP \ >16 lelong x \\b, capture length %d) \ \ # \ # AIX \"iptrace\" capture files. \ # \ 0 string iptrace\\ 2.0 \"iptrace\" capture file \ \ # \ # Novell LANalyzer capture files. \ # \ 0 leshort 0x1001 LANalyzer capture file \ 0 leshort 0x1007 LANalyzer capture file \ \ # \ # HP-UX \"nettl\" capture files. \ # \ 0 string \\x54\\x52\\x00\\x64\\x00 \"nettl\" capture file \ \ # \ # RADCOM WAN/LAN Analyzer capture files. \ # \ 0 string \\x42\\xd2\\x00\\x34\\x12\\x66\\x22\\x88 RADCOM WAN/LAN Analyzer capture file \ \ # \ # NetStumbler log files. Not really packets, per se, but about as \ # close as you can get. These are log files from NetStumbler, a \ # Windows program, that scans for 802.11b networks. \ # \ 0 string NetS NetStumbler log file \ >8 lelong x \\b, %d stations found \ \ #------------------------------------------------------------------------------ \ # softquad: file(1) magic for SoftQuad Publishing Software \ # \ # Author/Editor and RulesBuilder \ # \ # XXX - byte order? \ # \ 0 string \\ Compiled SGML rules file \ >9 string >\\0 Type %s \ 0 string \\ A/E SGML Document binary \ >9 string >\\0 Type %s \ 0 string \\ A/E SGML binary styles file \ >9 string >\\0 Type %s \ 0 short 0xc0de Compiled PSI (v1) data \ 0 short 0xc0da Compiled PSI (v2) data \ >3 string >\\0 (%s) \ # Binary sqtroff font/desc files... \ 0 short 0125252 SoftQuad DESC or font file binary \ >2 short >0 - version %d \ # Bitmaps... \ 0 string SQ\\ BITMAP1 SoftQuad Raster Format text \ #0 string SQ\\ BITMAP2 SoftQuad Raster Format data \ # sqtroff intermediate language (replacement for ditroff int. lang.) \ 0 string X\\ SoftQuad troff Context intermediate \ >2 string 495 for AT&T 495 laser printer \ >2 string hp for Hewlett-Packard LaserJet \ >2 string impr for IMAGEN imPRESS \ >2 string ps for PostScript \ \ #------------------------------------------------------------------------------ \ # spectrum: file(1) magic for Spectrum emulator files. \ # \ # John Elliott \ \ # \ # Spectrum +3DOS header \ # \ 0 string PLUS3DOS\\032 Spectrum +3 data \ >15 byte 0 - BASIC program \ >15 byte 1 - number array \ >15 byte 2 - character array \ >15 byte 3 - memory block \ >>16 belong 0x001B0040 (screen) \ >15 byte 4 - Tasword document \ >15 string TAPEFILE - ZXT tapefile \ # \ # Tape file. This assumes the .TAP starts with a Spectrum-format header, \ # which nearly all will. \ # \ 0 string \\023\\000\\000 Spectrum .TAP data \ >4 string x \"%-10.10s\" \ >3 byte 0 - BASIC program \ >3 byte 1 - number array \ >3 byte 2 - character array \ >3 byte 3 - memory block \ >>14 belong 0x001B0040 (screen) \ \ #------------------------------------------------------------------------------ \ # sun: file(1) magic for Sun machines \ # \ # Values for big-endian Sun (MC680x0, SPARC) binaries on pre-5.x \ # releases. (5.x uses ELF.) \ # \ 0 belong&077777777 0600413 sparc demand paged \ >0 byte &0x80 \ >>20 belong <4096 shared library \ >>20 belong =4096 dynamically linked executable \ >>20 belong >4096 dynamically linked executable \ >0 byte ^0x80 executable \ >16 belong >0 not stripped \ 0 belong&077777777 0600410 sparc pure \ >0 byte &0x80 dynamically linked executable \ >0 byte ^0x80 executable \ >16 belong >0 not stripped \ 0 belong&077777777 0600407 sparc \ >0 byte &0x80 dynamically linked executable \ >0 byte ^0x80 executable \ >16 belong >0 not stripped \ \ 0 belong&077777777 0400413 mc68020 demand paged \ >0 byte &0x80 \ >>20 belong <4096 shared library \ >>20 belong =4096 dynamically linked executable \ >>20 belong >4096 dynamically linked executable \ >16 belong >0 not stripped \ 0 belong&077777777 0400410 mc68020 pure \ >0 byte &0x80 dynamically linked executable \ >0 byte ^0x80 executable \ >16 belong >0 not stripped \ 0 belong&077777777 0400407 mc68020 \ >0 byte &0x80 dynamically linked executable \ >0 byte ^0x80 executable \ >16 belong >0 not stripped \ \ 0 belong&077777777 0200413 mc68010 demand paged \ >0 byte &0x80 \ >>20 belong <4096 shared library \ >>20 belong =4096 dynamically linked executable \ >>20 belong >4096 dynamically linked executable \ >16 belong >0 not stripped \ 0 belong&077777777 0200410 mc68010 pure \ >0 byte &0x80 dynamically linked executable \ >0 byte ^0x80 executable \ >16 belong >0 not stripped \ 0 belong&077777777 0200407 mc68010 \ >0 byte &0x80 dynamically linked executable \ >0 byte ^0x80 executable \ >16 belong >0 not stripped \ \ # reworked these to avoid anything beginning with zero becoming \"old sun-2\" \ 0 belong 0407 old sun-2 executable \ >16 belong >0 not stripped \ 0 belong 0410 old sun-2 pure executable \ >16 belong >0 not stripped \ 0 belong 0413 old sun-2 demand paged executable \ >16 belong >0 not stripped \ \ # \ # Core files. \"SPARC 4.x BCP\" means \"core file from a SunOS 4.x SPARC \ # binary executed in compatibility mode under SunOS 5.x\". \ # \ 0 belong 0x080456 SunOS core file \ >4 belong 432 (SPARC) \ >>132 string >\\0 from '%s' \ >>116 belong =3 (quit) \ >>116 belong =4 (illegal instruction) \ >>116 belong =5 (trace trap) \ >>116 belong =6 (abort) \ >>116 belong =7 (emulator trap) \ >>116 belong =8 (arithmetic exception) \ >>116 belong =9 (kill) \ >>116 belong =10 (bus error) \ >>116 belong =11 (segmentation violation) \ >>116 belong =12 (bad argument to system call) \ >>116 belong =29 (resource lost) \ >>120 belong x (T=%dK, \ >>124 belong x D=%dK, \ >>128 belong x S=%dK) \ >4 belong 826 (68K) \ >>128 string >\\0 from '%s' \ >4 belong 456 (SPARC 4.x BCP) \ >>152 string >\\0 from '%s' \ # Sun SunPC \ 0 long 0xfa33c08e SunPC 4.0 Hard Disk \ 0 string #SUNPC_CONFIG SunPC 4.0 Properties Values \ # Sun snoop (see RFC 1761, which describes the capture file format). \ # \ 0 string snoop Snoop capture file \ >8 belong >0 - version %ld \ >12 belong 0 (IEEE 802.3) \ >12 belong 1 (IEEE 802.4) \ >12 belong 2 (IEEE 802.5) \ >12 belong 3 (IEEE 802.6) \ >12 belong 4 (Ethernet) \ >12 belong 5 (HDLC) \ >12 belong 6 (Character synchronous) \ >12 belong 7 (IBM channel-to-channel adapter) \ >12 belong 8 (FDDI) \ >12 belong 9 (Unknown) \ # Sun KCMS \ 36 string acsp Kodak Color Management System, ICC Profile \ \ \ #------------------------------------------------------------------------------ \ # teapot: file(1) magic for \"teapot\" spreadsheet \ # \ 0 string #!teapot\\012xdr teapot work sheet (XDR format) \ \ #------------------------------------------------------------------------------ \ # terminfo: file(1) magic for terminfo \ # \ # XXX - byte order for screen images? \ # \ 0 string \\032\\001 Compiled terminfo entry \ 0 short 0433 Curses screen image \ 0 short 0434 Curses screen image \ \ #------------------------------------------------------------------------------ \ # tex: file(1) magic for TeX files \ # \ # From \ \ # Although we may know the offset of certain text fields in TeX DVI \ # and font files, we can't use them reliably because they are not \ # zero terminated. [but we do anyway, christos] \ 0 string \\367\\002 TeX DVI file \ >16 string >\\0 (%s) \ 0 string \\367\\203 TeX generic font data \ 0 string \\367\\131 TeX packed font data \ >3 string >\\0 (%s) \ 0 string \\367\\312 TeX virtual font data \ 0 string This\\ is\\ TeX, TeX transcript text \ 0 string This\\ is\\ METAFONT, METAFONT transcript text \ \ # There is no way to detect TeX Font Metric (*.tfm) files without \ # breaking them apart and reading the data. The following patterns \ # match most *.tfm files generated by METAFONT or afm2tfm. \ 2 string \\000\\021 TeX font metric data \ >33 string >\\0 (%s) \ 2 string \\000\\022 TeX font metric data \ >33 string >\\0 (%s) \ \ # Texinfo and GNU Info, from Daniel Quinlan (quinlan@yggdrasil.com) \ 0 string \\\\input\\ texinfo Texinfo source text \ 0 string This\\ is\\ Info\\ file GNU Info text \ \ # TeX documents, from Daniel Quinlan (quinlan@yggdrasil.com) \ 0 string \\\\input TeX document text \ 0 string \\\\section LaTeX document text \ 0 string \\\\setlength LaTeX document text \ 0 string \\\\documentstyle LaTeX document text \ 0 string \\\\chapter LaTeX document text \ 0 string \\\\documentclass LaTeX 2e document text \ 0 string \\\\relax LaTeX auxiliary file \ 0 string \\\\contentsline LaTeX table of contents \ \ # Index and glossary files \ 0 string \\\\indexentry LaTeX raw index file \ 0 string \\\\begin{theindex} LaTeX sorted index \ 0 string \\\\glossaryentry LaTeX raw glossary \ 0 string \\\\begin{theglossary} LaTeX sorted glossary \ 0 string This\\ is\\ makeindex Makeindex log file \ # End of TeX \ # ------------------------------------------------------------------------ \ # ti-8x: file(1) magic for the TI-8x and TI-92 Graphing Calculators. \ # \ # From: Ryan McGuire (rmcguire@freenet.columbus.oh.us). \ # \ # NOTE: This list is not complete. \ # \ # Magic Numbers for the TI-82 \ # \ 0 string **TI82** TI-82 Graphing Calculator \ >0x000037 byte 0x0B TI-BASIC Group/Program File. \ # \ # Magic Numbers for the TI-83 \ # \ 0 string **TI83** TI-83 Graphing Calculator \ >0x000037 byte 0x0B TI-BASIC Group/Program File. \ # \ # Magic Numbers for the TI-85 \ # \ 0 string **TI85** TI-85 Graphing Calculator \ >11 string Backup Backup File. \ >0x000032 string ZS4 - ZShell Version 4 File. \ >0x000032 string ZS3 - ZShell Version 3 File. \ >0x00000B string GDatabase Graphics Database. \ >0x00003B byte 0x12 TI-BASIC Group/Program File. \ # \ # Magic Numbers for the TI-92 \ # \ 0 string **TI92** TI-92 Graphing Calculator \ >0x000058 byte 0x12 TI-BASIC Group File. \ >0x000012 string Function Function. \ >0x000048 byte 0x12 TI-BASIC Program. \ # Files for the TI-80 and TI-81 are pretty rare. I'm not going to put the \ # program/group magic numbers in here because I cannot find any. \ 0 string **TI80** TI-80 Graphing Calculator File. \ 0 string **TI81** TI-81 Graphing Calculator File. \ \ #------------------------------------------------------------------------------ \ # timezone: file(1) magic for timezone data \ # \ # from Daniel Quinlan (quinlan@yggdrasil.com) \ # this should work on Linux, SunOS, and maybe others \ # Added new official magic number for recent versions of the Olson code \ 0 string TZif timezone data \ 0 string \\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\1\\0 old timezone data \ 0 string \\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\2\\0 old timezone data \ 0 string \\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\3\\0 old timezone data \ 0 string \\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\4\\0 old timezone data \ 0 string \\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\5\\0 old timezone data \ 0 string \\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\6\\0 old timezone data \ \ #------------------------------------------------------------------------------ \ # troff: file(1) magic for *roff \ # \ # updated by Daniel Quinlan (quinlan@yggdrasil.com) \ \ # troff input \ 0 string .\\\\\" troff or preprocessor input text \ 0 string '\\\\\" troff or preprocessor input text \ 0 string '.\\\\\" troff or preprocessor input text \ 0 string \\\\\" troff or preprocessor input text \ 0 string ''' troff or preprocessor input text \ \ # ditroff intermediate output text \ 0 string x\\ T ditroff output text \ >4 string cat for the C/A/T phototypesetter \ >4 string ps for PostScript \ >4 string dvi for DVI \ >4 string ascii for ASCII \ >4 string lj4 for LaserJet 4 \ >4 string latin1 for ISO 8859-1 (Latin 1) \ >4 string X75 for xditview at 75dpi \ >>7 string -12 (12pt) \ >4 string X100 for xditview at 100dpi \ >>8 string -12 (12pt) \ \ # output data formats \ 0 string \\100\\357 very old (C/A/T) troff output data \ \ #------------------------------------------------------------------------------ \ # typeset: file(1) magic for other typesetting \ # \ 0 string Interpress/Xerox Xerox InterPress data \ >16 string / (version \ >>17 string >\\0 %s) \ \ #------------------------------------------------------------------------------ \ # unknown: file(1) magic for unknown machines \ # \ # XXX - this probably should be pruned, as it'll match PDP-11 and \ # VAX image formats. \ # \ # 0x107 is 0407; 0x108 is 0410; both are PDP-11 (executable and pure, \ # respectively). \ # \ # 0x109 is 0411; that's PDP-11 split I&D, but the PDP-11 version doesn't \ # have the \"version %ld\", which may be a bogus COFFism (I don't think \ # there ever was COFF for the PDP-11). \ # \ # 0x10B is 0413; that's VAX demand-paged, but this is a short, not a \ # long, as it would be on a VAX. \ # \ # 0x10C is 0414, 0x10D is 0415, and 0x10E is 416; those *are* unknown. \ # \ 0 short 0x107 unknown machine executable \ >8 short >0 not stripped \ >15 byte >0 - version %ld \ 0 short 0x108 unknown pure executable \ >8 short >0 not stripped \ >15 byte >0 - version %ld \ 0 short 0x109 PDP-11 separate I&D \ >8 short >0 not stripped \ >15 byte >0 - version %ld \ 0 short 0x10b unknown pure executable \ >8 short >0 not stripped \ >15 byte >0 - version %ld \ 0 long 0x10c unknown demand paged pure executable \ >16 long >0 not stripped \ 0 long 0x10d unknown demand paged pure executable \ >16 long >0 not stripped \ 0 long 0x10e unknown readable demand paged pure executable \ \ #------------------------------------------------------------------------------ \ # uuencode: file(1) magic for ASCII-encoded files \ # \ \ # GRR: the first line of xxencoded files is identical to that in uuencoded \ # files, but the first character in most subsequent lines is 'h' instead of \ # 'M'. (xxencoding uses lowercase letters in place of most of uuencode's \ # punctuation and survives BITNET gateways better.) If regular expressions \ # were supported, this entry could possibly be split into two with \ # \"begin\\040\\.\\*\\012M\" or \"begin\\040\\.\\*\\012h\" (where \\. and \\* are REs). \ 0 string begin\\040 uuencoded or xxencoded text \ \ # btoa(1) is an alternative to uuencode that requires less space. \ 0 string xbtoa\\ Begin btoa'd text \ \ # ship(1) is another, much cooler alternative to uuencode. \ # Greg Roelofs, newt@uchicago.edu \ 0 string $\\012ship ship'd binary text \ \ # bencode(8) is used to encode compressed news batches (Bnews/Cnews only?) \ # Greg Roelofs, newt@uchicago.edu \ 0 string Decode\\ the\\ following\\ with\\ bdeco bencoded News text \ \ # BinHex is the Macintosh ASCII-encoded file format (see also \"apple\") \ # Daniel Quinlan, quinlan@yggdrasil.com \ 11 string must\\ be\\ converted\\ with\\ BinHex BinHex binary text \ >41 string x \\b, version %.3s \ \ # GRR: is MIME BASE64 encoding handled somewhere? \ \ #------------------------------------------------------------------------------ \ # varied.out: file(1) magic for various USG systems \ # \ # Herewith many of the object file formats used by USG systems. \ # Most have been moved to files for a particular processor, \ # and deleted if they duplicate other entries. \ # \ 0 short 0610 Perkin-Elmer executable \ # AMD 29K \ 0 beshort 0572 amd 29k coff noprebar executable \ 0 beshort 01572 amd 29k coff prebar executable \ 0 beshort 0160007 amd 29k coff archive \ # Cray \ 6 beshort 0407 unicos (cray) executable \ # Ultrix 4.3 \ 596 string \\130\\337\\377\\377 Ultrix core file \ >600 string >\\0 from '%s' \ # BeOS and MAcOS PEF executables \ # From: hplus@zilker.net (Jon Watte) \ 0 string Joy!peffpwpc header for PowerPC PEF executable \ # \ # ava assembler/linker Uros Platise \ 0 string avaobj AVR assembler object code \ >7 string >\\0 version '%s' \ # gnu gmon magic From: Eugen Dedu \ 0 string gmon GNU prof performance data \ >4 long x - version %ld \ \ #------------------------------------------------------------------------------ \ # vax: file(1) magic for VAX executable/object and APL workspace \ # \ 0 lelong 0101557 VAX single precision APL workspace \ 0 lelong 0101556 VAX double precision APL workspace \ \ # \ # VAX a.out (32V, BSD) \ # \ 0 lelong 0407 VAX executable \ >16 lelong >0 not stripped \ \ 0 lelong 0410 VAX pure executable \ >16 lelong >0 not stripped \ \ 0 lelong 0413 VAX demand paged pure executable \ >16 lelong >0 not stripped \ \ 0 lelong 0420 VAX demand paged (first page unmapped) pure executable \ >16 lelong >0 not stripped \ \ # \ # VAX COFF \ # \ # The `versions' should be un-commented if they work for you. \ # (Was the problem just one of endianness?) \ # \ 0 leshort 0570 VAX COFF executable \ >12 lelong >0 not stripped \ >22 leshort >0 - version %ld \ 0 leshort 0575 VAX COFF pure executable \ >12 lelong >0 not stripped \ >22 leshort >0 - version %ld \ \ #------------------------------------------------------------------------------ \ # vicar: file(1) magic for VICAR files. \ # \ # From: Ossama Othman 32 string BYTE \\b, 8 bits = VAX byte \ >32 string HALF \\b, 16 bits = VAX word = Fortran INTEGER*2 \ >32 string FULL \\b, 32 bits = VAX longword = Fortran INTEGER*4 \ >32 string REAL \\b, 32 bits = VAX longword = Fortran REAL*4 \ >32 string DOUB \\b, 64 bits = VAX quadword = Fortran REAL*8 \ >32 string COMPLEX \\b, 64 bits = VAX quadword = Fortran COMPLEX*8 \ # VICAR label file \ 43 string SFDU_LABEL VICAR label file \ \ #------------------------------------------------------------------------------ \ # visx: file(1) magic for Visx format files \ # \ 0 short 0x5555 VISX image file \ >2 byte 0 (zero) \ >2 byte 1 (unsigned char) \ >2 byte 2 (short integer) \ >2 byte 3 (float 32) \ >2 byte 4 (float 64) \ >2 byte 5 (signed char) \ >2 byte 6 (bit-plane) \ >2 byte 7 (classes) \ >2 byte 8 (statistics) \ >2 byte 10 (ascii text) \ >2 byte 15 (image segments) \ >2 byte 100 (image set) \ >2 byte 101 (unsigned char vector) \ >2 byte 102 (short integer vector) \ >2 byte 103 (float 32 vector) \ >2 byte 104 (float 64 vector) \ >2 byte 105 (signed char vector) \ >2 byte 106 (bit plane vector) \ >2 byte 121 (feature vector) \ >2 byte 122 (feature vector library) \ >2 byte 124 (chain code) \ >2 byte 126 (bit vector) \ >2 byte 130 (graph) \ >2 byte 131 (adjacency graph) \ >2 byte 132 (adjacency graph library) \ >2 string .VISIX (ascii text) \ \ #------------------------------------------------------------------------------ \ # vms: file(1) magic for VMS executables (experimental) \ # \ # VMS .exe formats, both VAX and AXP (Greg Roelofs, newt@uchicago.edu) \ \ # GRR 950122: I'm just guessing on these, based on inspection of the headers \ # of three executables each for Alpha and VAX architectures. The VAX files \ # all had headers similar to this: \ # \ # 00000 b0 00 30 00 44 00 60 00 00 00 00 00 30 32 30 35 ..0.D.`.....0205 \ # 00010 01 01 00 00 ff ff ff ff ff ff ff ff 00 00 00 00 ................ \ # \ 0 string \\xb0\\0\\x30\\0 VMS VAX executable \ >44032 string PK\\003\\004 \\b, Info-ZIP SFX archive v5.12 w/decryption \ # \ # The AXP files all looked like this, except that the byte at offset 0x22 \ # was 06 in some of them and 07 in others: \ # \ # 00000 03 00 00 00 00 00 00 00 ec 02 00 00 10 01 00 00 ................ \ # 00010 68 00 00 00 98 00 00 00 b8 00 00 00 00 00 00 00 h............... \ # 00020 00 00 07 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ \ # 00030 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ \ # 00040 00 00 00 00 ff ff ff ff ff ff ff ff 02 00 00 00 ................ \ # \ 0 belong 0x03000000 VMS Alpha executable \ >75264 string PK\\003\\004 \\b, Info-ZIP SFX archive v5.12 w/decryption \ \ # ----------------------------------------------------------- \ # VMware specific files (deducted from version 1.1 and log file entries) \ # Anthon van der Neut (anthon@mnt.org) \ 0 belong 0x4d52564e VMware nvram \ 0 belong 0x434f5744 \ >8 byte 3 VMware virtual disk \ >>32 lelong x (%d/ \ >>36 lelong x \\b%d/ \ >>40 lelong x \\b%d) \ >8 byte 2 VMware undoable disk \ >>32 string >\\0 (%s) \ #WordPerfect type files Version 1.6 - PLEASE DO NOT REMOVE THIS LINE \ 0 string \\377WPC\\020\\000\\000\\000\\022\\012\\001\\001\\000\\000\\000\\000 (WP) loadable text \ >15 byte 0 Optimized for Intel \ >15 byte 1 Optimized for Non-Intel \ 1 string WPC (Corel/WP) \ >8 short 257 WordPerfect macro \ >8 short 258 WordPerfect help file \ >8 short 259 WordPerfect keyboard file \ >8 short 266 WordPerfect document \ >8 short 267 WordPerfect dictionary \ >8 short 268 WordPerfect thesaurus \ >8 short 269 WordPerfect block \ >8 short 270 WordPerfect rectangular block \ >8 short 271 WordPerfect column block \ >8 short 272 WordPerfect printer data \ >8 short 275 WordPerfect printer data \ >8 short 276 WordPerfect driver resource data \ >8 short 279 WordPerfect hyphenation code \ >8 short 280 WordPerfect hyphenation data \ >8 short 281 WordPerfect macro resource data \ >8 short 283 WordPerfect hyphenation lex \ >8 short 285 WordPerfect wordlist \ >8 short 286 WordPerfect equation resource data \ >8 short 289 WordPerfect spell rules \ >8 short 290 WordPerfect dictionary rules \ >8 short 295 WordPerfect spell rules (Microlytics) \ >8 short 299 WordPerfect settings file \ >8 short 301 WordPerfect 4.2 document \ >8 short 325 WordPerfect dialog file \ >8 short 332 WordPerfect button bar \ >8 short 513 Shell macro \ >8 short 522 Shell definition \ >8 short 769 Notebook macro \ >8 short 770 Notebook help file \ >8 short 771 Notebook keyboard file \ >8 short 778 Notebook definition \ >8 short 1026 Calculator help file \ >8 short 1538 Calendar help file \ >8 short 1546 Calendar data file \ >8 short 1793 Editor macro \ >8 short 1794 Editor help file \ >8 short 1795 Editor keyboard file \ >8 short 1817 Editor macro resource file \ >8 short 2049 Macro editor macro \ >8 short 2050 Macro editor help file \ >8 short 2051 Macro editor keyboard file \ >8 short 2305 PlanPerfect macro \ >8 short 2306 PlanPerfect help file \ >8 short 2307 PlanPerfect keyboard file \ >8 short 2314 PlanPerfect worksheet \ >8 short 2319 PlanPerfect printer definition \ >8 short 2322 PlanPerfect graphic definition \ >8 short 2323 PlanPerfect data \ >8 short 2324 PlanPerfect temporary printer \ >8 short 2329 PlanPerfect macro resource data \ >8 byte 11 Mail \ >8 short 2818 help file \ >8 short 2821 distribution list \ >8 short 2826 out box \ >8 short 2827 in box \ >8 short 2836 users archived mailbox \ >8 short 2837 archived message database \ >8 short 2838 archived attachments \ >8 short 3083 Printer temporary file \ >8 short 3330 Scheduler help file \ >8 short 3338 Scheduler in file \ >8 short 3339 Scheduler out file \ >8 short 3594 GroupWise settings file \ >8 short 3601 GroupWise directory services \ >8 short 3627 GroupWise settings file \ >8 short 4362 Terminal resource data \ >8 short 4363 Terminal resource data \ >8 short 4395 Terminal resource data \ >8 short 4619 GUI loadable text \ >8 short 4620 graphics resource data \ >8 short 4621 printer settings file \ >8 short 4622 port definition file \ >8 short 4623 print queue parameters \ >8 short 4624 compressed file \ >8 short 5130 Network service msg file \ >8 short 5131 Network service msg file \ >8 short 5132 Async gateway login msg \ >8 short 5134 GroupWise message file \ >8 short 7956 GroupWise admin domain database \ >8 short 7957 GroupWise admin host database \ >8 short 7959 GroupWise admin remote host database \ >8 short 7960 GroupWise admin ADS deferment data file \ >8 short 8458 IntelliTAG (SGML) compiled DTD \ >8 long 18219264 WordPerfect graphic image (1.0) \ >8 long 18219520 WordPerfect graphic image (2.0) \ #end of WordPerfect type files Version 1.6 - PLEASE DO NOT REMOVE THIS LINE \ \ #------------------------------------------------------------------------------ \ # file(1) magic(5) data for xdelta Josh MacDonald \ # \ 0 string %XDELTA% XDelta binary patch file 0.14 \ 0 string %XDZ000% XDelta binary patch file 0.18 \ 0 string %XDZ001% XDelta binary patch file 0.20 \ 0 string %XDZ002% XDelta binary patch file 1.0 \ 0 string %XDZ003% XDelta binary patch file 1.0.4 \ 0 string %XDZ004% XDelta binary patch file 1.1 \ \ #------------------------------------------------------------------------------ \ # xenix: file(1) magic for Microsoft Xenix \ # \ # \"Middle model\" stuff, and \"Xenix 8086 relocatable or 80286 small \ # model\" lifted from \"magic.xenix\", with comment \"derived empirically; \ # treat as folklore until proven\" \ # \ # \"small model\", \"large model\", \"huge model\" stuff lifted from XXX \ # \ # XXX - \"x.out\" collides with PDP-11 archives \ # \ 0 string core core file (Xenix) \ # XXX - stegbreak \ #0 byte 0x80 8086 relocatable (Microsoft) \ 0 leshort 0xff65 x.out \ >2 string __.SYMDEF randomized \ >0 byte x archive \ 0 leshort 0x206 Microsoft a.out \ >8 leshort 1 Middle model \ >0x1e leshort &0x10 overlay \ >0x1e leshort &0x2 separate \ >0x1e leshort &0x4 pure \ >0x1e leshort &0x800 segmented \ >0x1e leshort &0x400 standalone \ >0x1e leshort &0x8 fixed-stack \ >0x1c byte &0x80 byte-swapped \ >0x1c byte &0x40 word-swapped \ >0x10 lelong >0 not-stripped \ >0x1e leshort ^0xc000 pre-SysV \ >0x1e leshort &0x4000 V2.3 \ >0x1e leshort &0x8000 V3.0 \ >0x1c byte &0x4 86 \ >0x1c byte &0xb 186 \ >0x1c byte &0x9 286 \ >0x1c byte &0xa 386 \ >0x1f byte <0x040 small model \ >0x1f byte =0x048 large model \ >0x1f byte =0x049 huge model \ >0x1e leshort &0x1 executable \ >0x1e leshort ^0x1 object file \ >0x1e leshort &0x40 Large Text \ >0x1e leshort &0x20 Large Data \ >0x1e leshort &0x120 Huge Objects Enabled \ >0x10 lelong >0 not stripped \ \ 0 leshort 0x140 old Microsoft 8086 x.out \ >0x3 byte &0x4 separate \ >0x3 byte &0x2 pure \ >0 byte &0x1 executable \ >0 byte ^0x1 relocatable \ >0x14 lelong >0 not stripped \ \ 0 lelong 0x206 b.out \ >0x1e leshort &0x10 overlay \ >0x1e leshort &0x2 separate \ >0x1e leshort &0x4 pure \ >0x1e leshort &0x800 segmented \ >0x1e leshort &0x400 standalone \ >0x1e leshort &0x1 executable \ >0x1e leshort ^0x1 object file \ >0x1e leshort &0x4000 V2.3 \ >0x1e leshort &0x8000 V3.0 \ >0x1c byte &0x4 86 \ >0x1c byte &0xb 186 \ >0x1c byte &0x9 286 \ >0x1c byte &0x29 286 \ >0x1c byte &0xa 386 \ >0x1e leshort &0x4 Large Text \ >0x1e leshort &0x2 Large Data \ >0x1e leshort &0x102 Huge Objects Enabled \ \ 0 leshort 0x580 XENIX 8086 relocatable or 80286 small model \ \ #------------------------------------------------------------------------------ \ # zilog: file(1) magic for Zilog Z8000. \ # \ # Was it big-endian or little-endian? My Product Specification doesn't \ # say. \ # \ 0 long 0xe807 object file (z8000 a.out) \ 0 long 0xe808 pure object file (z8000 a.out) \ 0 long 0xe809 separate object file (z8000 a.out) \ 0 long 0xe805 overlay object file (z8000 a.out) \ \ #------------------------------------------------------------------------------ \ # zyxel: file(1) magic for ZyXEL modems \ # \ # From \ # These are the /etc/magic entries to decode datafiles as used for the \ # ZyXEL U-1496E DATA/FAX/VOICE modems. (This header conforms to a \ # ZyXEL-defined standard) \ \ 0 string ZyXEL\\002 ZyXEL voice data \ >10 byte 0 - CELP encoding \ >10 byte&0x0B 1 - ADPCM2 encoding \ >10 byte&0x0B 2 - ADPCM3 encoding \ >10 byte&0x0B 3 - ADPCM4 encoding \ >10 byte&0x0B 8 - New ADPCM3 encoding \ >10 byte&0x04 4 with resync \ "