# Magic # Magic data for file(1) command. # Machine-generated from src/cmd/file/magdir/*; edit there only! # Format is described in magic(files), where: # files is 5 on V7 and BSD, 4 on SV, and ?? in the SVID. #------------------------------------------------------------------------------ # Localstuff: file(1) magic for locally observed files # # $Id: Localstuff,v 1.1 2003/07/02 18:00:17 eseidel Exp $ # Add any locally observed files here. Remember: # text if readable, executable if runnable binary, data if unreadable. #------------------------------------------------------------------------------ # acorn: file(1) magic for files found on Acorn systems # # RISC OS Chunk File Format # From RISC OS Programmer's Reference Manual, Appendix D # We guess the file type from the type of the first chunk. 0 lelong 0xc3cbc6c5 RISC OS Chunk data >12 string OBJ_ \b, AOF object >12 string LIB_ \b, ALF library # RISC OS AIF, contains "SWI OS_Exit" at offset 16. 16 lelong 0xef000011 RISC OS AIF executable # RISC OS Draw files # From RISC OS Programmer's Reference Manual, Appendix E 0 string Draw RISC OS Draw file data # RISC OS new format font files # From RISC OS Programmer's Reference Manual, Appendix E 0 string FONT\0 RISC OS outline font data, >5 byte x version %d 0 string FONT\1 RISC OS 1bpp font data, >5 byte x version %d 0 string FONT\4 RISC OS 4bpp font data >5 byte x version %d # RISC OS Music files # From RISC OS Programmer's Reference Manual, Appendix E 0 string Maestro\r RISC OS music file >8 byte x version %d #------------------------------------------------------------------------------ # adi: file(1) magic for ADi's objects # From Gregory McGarry # 0 leshort 0x521c COFF DSP21k >18 lelong &02 executable, >18 lelong ^02 >>18 lelong &01 static object, >>18 lelong ^01 relocatable object, >18 lelong &010 stripped >18 lelong ^010 not stripped #------------------------------------------------------------------------------ # adventure: file(1) magic for Adventure game files # # from Allen Garvin # Edited by Dave Chapeskie Jun 28, 1998 # Edited by Chris Chittleborough , March 2002 # # ALAN # I assume there are other, lower versions, but these are the only ones I # saw in the archive. 0 beshort 0x0206 ALAN game data >2 byte <10 version 2.6%d # Conflicts with too much other stuff! # Infocom # (Note: to avoid false matches Z-machine version 1 and 2 are not # recognized since only the oldest Zork I and II used them. Similarly # there are 4 Infocom games that use verion 4 that are not recognized.) #0 byte 3 Infocom game data (Z-machine 3, #>2 beshort <0x7fff Release %3d, #>26 beshort >0 Size %d*2 #>18 string >\0 Serial %.6s) #0 byte 5 Infocom game data (Z-machine 5, #>2 beshort <0x7fff Release %3d, #>26 beshort >0 Size %d*4 #>18 string >\0 Serial %.6s) #0 byte 6 Infocom game data (Z-machine 6, #>2 beshort <0x7fff Release %3d, #>26 beshort >0 Size %d*8 #>18 string >\0 Serial %.6s) #0 byte 8 Infocom game data (Z-machine 8, #>2 beshort <0x7fff Release %3d, #>26 beshort >0 Size %d*8 #>18 string >\0 Serial %.6s) # TADS (Text Adventure Development System) # All files are machine-independent (games compile to byte-code) and are tagged # with a version string of the form "V2..\0" (but TADS 3 is # on the way). # Game files start with "TADS2 bin\n\r\032\0" then the compiler version. 0 string TADS2\ bin TADS >9 belong !0x0A0D1A00 game data, CORRUPTED >9 belong 0x0A0D1A00 >>13 string >\0 %s game data # Resource files start with "TADS2 rsc\n\r\032\0" then the compiler version. 0 string TADS2\ rsc TADS >9 belong !0x0A0D1A00 resource data, CORRUPTED >9 belong 0x0A0D1A00 >>13 string >\0 %s resource data # Some saved game files start with "TADS2 save/g\n\r\032\0", a little-endian # 2-byte length N, the N-char name of the game file *without* a NUL (darn!), # "TADS2 save\n\r\032\0" and the interpreter version. 0 string TADS2\ save/g TADS >12 belong !0x0A0D1A00 saved game data, CORRUPTED >12 belong 0x0A0D1A00 >>(16.s+32) string >\0 %s saved game data # Other saved game files start with "TADS2 save\n\r\032\0" and the interpreter # version. 0 string TADS2\ save TADS >10 belong !0x0A0D1A00 saved game data, CORRUPTED >10 belong 0x0A0D1A00 >>14 string >\0 %s saved game data #------------------------------------------------------------------------------ # allegro: file(1) magic for Allegro datafiles # Toby Deshane # 0 belong 0x736C6821 Allegro datafile (packed) 0 belong 0x736C682E Allegro datafile (not packed/autodetect) 0 belong 0x736C682B Allegro datafile (appended exe data) #------------------------------------------------------------------------------ # alliant: file(1) magic for Alliant FX series a.out files # # If the FX series is the one that had a processor with a 68K-derived # instruction set, the "short" should probably become "beshort" and the # "long" should probably become "belong". # If it's the i860-based one, they should probably become either the # big-endian or little-endian versions, depending on the mode they ran # the 860 in.... # 0 short 0420 0420 Alliant virtual executable >2 short &0x0020 common library >16 long >0 not stripped 0 short 0421 0421 Alliant compact executable >2 short &0x0020 common library >16 long >0 not stripped #------------------------------------------------------------------------------ # alpha architecture description # 0 leshort 0603 COFF format alpha >22 leshort&030000 !020000 executable >24 leshort 0410 pure >24 leshort 0413 paged >22 leshort&020000 !0 dynamically linked >16 lelong !0 not stripped >16 lelong 0 stripped >22 leshort&030000 020000 shared library >24 leshort 0407 object >27 byte x - version %d >26 byte x .%d >28 byte x -%d # Basic recognition of Digital UNIX core dumps - Mike Bremford # # The actual magic number is just "Core", followed by a 2-byte version # number; however, treating any file that begins with "Core" as a Digital # UNIX core dump file may produce too many false hits, so we include one # byte of the version number as well; DU 5.0 appears only to be up to # version 2. # 0 string Core\001 Alpha COFF format core dump (Digital UNIX) >24 string >\0 \b, from '%s' 0 string Core\002 Alpha COFF format core dump (Digital UNIX) >24 string >\0 \b, from '%s' #------------------------------------------------------------------------------ # amanda: file(1) magic for amanda file format # 0 string AMANDA:\ AMANDA >8 string TAPESTART\ DATE tape header file, >>23 string X >>>25 string >\ Unused %s >>23 string >\ DATE %s >8 string FILE\ dump file, >>13 string >\ DATE %s #------------------------------------------------------------------------------ # amigaos: file(1) magic for AmigaOS binary formats: # # From ignatios@cs.uni-bonn.de (Ignatios Souvatzis) # Some formats are still missing: AmigaOS special IFF's, e.g.: FORM....CTLG # (the others should be separate, anyway) # 0 belong 0x000003f3 AmigaOS loadseg()ble executable/binary 0 belong 0x000003e7 AmigaOS object/library data # 0 beshort 0xe310 Amiga Workbench >2 beshort 1 >>48 byte 1 disk icon >>48 byte 2 drawer icon >>48 byte 3 tool icon >>48 byte 4 project icon >>48 byte 5 garbage icon >>48 byte 6 device icon >>48 byte 7 kickstart icon >>48 byte 8 workbench application icon >2 beshort >1 icon, vers. %d # # various sound formats from the Amiga # G=F6tz Waschk # 0 string FC14 Future Composer 1.4 Module sound file 0 string SMOD Future Composer 1.3 Module sound file 0 string AON4artofnoise Art Of Noise Module sound file 1 string MUGICIAN/SOFTEYES Mugician Module sound file 58 string SIDMON\ II\ -\ THE Sidmon 2.0 Module sound file 0 string Synth4.0 Synthesis Module sound file 0 string ARP. The Holy Noise Module sound file 0 string BeEp\0 JamCracker Module sound file 0 string COSO\0 Hippel-COSO Module sound file 26 string V.3 Brian Postma's Soundmon Module sound file v3 26 string BPSM Brian Postma's Soundmon Module sound file v3 26 string V.2 Brian Postma's Soundmon Module sound file v2 #------------------------------------------------------------------------------ # animation: file(1) magic for animation/movie formats # # animation formats # MPEG, FLI, DL originally from vax@ccwf.cc.utexas.edu (VaX#n8) # FLC, SGI, Apple originally from Daniel Quinlan (quinlan@yggdrasil.com) # MPEG animation format 0 belong 0x000001b3 MPEG video stream data #>4 beshort&0xfff0 x (%d x #>5 beshort&0x0fff x %d) 0 belong 0x000001ba MPEG system stream data # MPEG Audio (*.mpx) # from dreesen@math.fu-berlin.de # MPEG 1.0 Layer 3 0 beshort&0xfffe =0xfffa \bMP3 >2 byte&0xf0 =0x10 \b, 32 kBits >2 byte&0xf0 =0x20 \b, 40 kBits >2 byte&0xf0 =0x30 \b, 48 kBits >2 byte&0xf0 =0x40 \b, 56 kBits >2 byte&0xf0 =0x50 \b, 64 kBits >2 byte&0xf0 =0x60 \b, 80 kBits >2 byte&0xf0 =0x70 \b, 96 kBits >2 byte&0xf0 =0x80 \b, 112 kBits >2 byte&0xf0 =0x90 \b, 128 kBits >2 byte&0xf0 =0xA0 \b, 160 kBits >2 byte&0xf0 =0xB0 \b, 192 kBits >2 byte&0xf0 =0xC0 \b, 224 kBits >2 byte&0xf0 =0xD0 \b, 256 kBits >2 byte&0xf0 =0xE0 \b, 320 kBits # freq >2 byte&0x0C =0x00 \b, 44.1 kHz >2 byte&0x0C =0x04 \b, 48 kHz >2 byte&0x0C =0x08 \b, 32 kHz # misc >3 byte&0xC0 =0x00 \b, Stereo >3 byte&0xC0 =0x40 \b, JStereo >3 byte&0xC0 =0x80 \b, Dual-Ch >3 byte&0xC0 =0xC0 \b, Mono #>1 byte&0x01 =0x00 \b, Error Protection #>2 byte&0x02 =0x02 \b, Padding #>2 byte&0x01 =0x01 \b, Private #>3 byte&0x08 =0x08 \b, Copyright #>3 byte&0x04 =0x04 \b, Original #>3 byte&0x03 1 \b, Emphasis 5 #>3 byte&0x03 3 \b, Emphasis c # MPEG 1.0 Layer 2 0 beshort&0xfffe =0xfffc \bMP2 >2 byte&0xf0 =0x10 \b, 32 kBits >2 byte&0xf0 =0x20 \b, 48 kBits >2 byte&0xf0 =0x30 \b, 56 kBits >2 byte&0xf0 =0x40 \b, 64 kBits >2 byte&0xf0 =0x50 \b, 80 kBits >2 byte&0xf0 =0x60 \b, 96 kBits >2 byte&0xf0 =0x70 \b, 112 kBits >2 byte&0xf0 =0x80 \b, 128 kBits >2 byte&0xf0 =0x90 \b, 160 kBits >2 byte&0xf0 =0xA0 \b, 192 kBits >2 byte&0xf0 =0xB0 \b, 224 kBits >2 byte&0xf0 =0xC0 \b, 256 kBits >2 byte&0xf0 =0xD0 \b, 320 kBits >2 byte&0xf0 =0xE0 \b, 384 kBits # freq >2 byte&0x0C =0x00 \b, 44.1 kHz >2 byte&0x0C =0x04 \b, 48 kHz >2 byte&0x0C =0x08 \b, 32 kHz # misc >3 byte&0xC0 =0x00 \b, Stereo >3 byte&0xC0 =0x40 \b, JStereo >3 byte&0xC0 =0x80 \b, Dual-Ch >3 byte&0xC0 =0xC0 \b, Mono #>1 byte&0x01 =0x00 \b, Error Protection #>2 byte&0x02 =0x02 \b, Padding #>2 byte&0x01 =0x01 \b, Private #>3 byte&0x08 =0x08 \b, Copyright #>3 byte&0x04 =0x04 \b, Original #>3 byte&0x03 1 \b, Emphasis 5 #>3 byte&0x03 3 \b, Emphasis c # MPEG 2.0 0 beshort&0xfff8 =0xfff0 MP # Layer 3 >1 byte &0x02 \b3 # Layer 2 >1 byte &0x04 \b2 >2 byte&0xf0 =0x10 \b, 8 kBits >2 byte&0xf0 =0x20 \b, 16 kBits >2 byte&0xf0 =0x30 \b, 24 kBits >2 byte&0xf0 =0x40 \b, 32 kBits >2 byte&0xf0 =0x50 \b, 40 kBits >2 byte&0xf0 =0x60 \b, 48 kBits >2 byte&0xf0 =0x70 \b, 56 kBits >2 byte&0xf0 =0x80 \b, 64 kBits >2 byte&0xf0 =0x90 \b, 80 kBits >2 byte&0xf0 =0xA0 \b, 96 kBits >2 byte&0xf0 =0xB0 \b, 112 kBits >2 byte&0xf0 =0xC0 \b, 128 kBits >2 byte&0xf0 =0xD0 \b, 144 kBits >2 byte&0xf0 =0xE0 \b, 160 kBits # freq >2 byte&0x0C =0x00 \b, 22.05 kHz >2 byte&0x0C =0x04 \b, 24 kHz >2 byte&0x0C =0x08 \b, 16 kHz # misc >3 byte&0xC0 =0x00 \b, Stereo >3 byte&0xC0 =0x40 \b, JStereo >3 byte&0xC0 =0x80 \b, Dual-Ch >3 byte&0xC0 =0xC0 \b, Mono #>1 byte&0x01 =0x00 \b, Error Protection #>2 byte&0x02 =0x02 \b, Padding #>2 byte&0x01 =0x01 \b, Private #>3 byte&0x08 =0x08 \b, Copyright #>3 byte&0x04 =0x04 \b, Original #>3 byte&0x03 1 \b, Emphasis 5 #>3 byte&0x03 3 \b, Emphasis c # FLI animation format 4 leshort 0xAF11 FLI file >6 leshort x - %d frames, >8 leshort x width=%d pixels, >10 leshort x height=%d pixels, >12 leshort x depth=%d, >16 leshort x ticks/frame=%d # FLC animation format 4 leshort 0xAF12 FLC file >6 leshort x - %d frames >8 leshort x width=%d pixels, >10 leshort x height=%d pixels, >12 leshort x depth=%d, >16 leshort x ticks/frame=%d # DL animation format # XXX - collision with most `mips' magic # # I couldn't find a real magic number for these, however, this # -appears- to work. Note that it might catch other files, too, so be # careful! # # Note that title and author appear in the two 20-byte chunks # at decimal offsets 2 and 22, respectively, but they are XOR'ed with # 255 (hex FF)! The DL format is really bad. # #0 byte 1 DL version 1, medium format (160x100, 4 images/screen) #>42 byte x - %d screens, #>43 byte x %d commands #0 byte 2 DL version 2 #>1 byte 1 - large format (320x200,1 image/screen), #>1 byte 2 - medium format (160x100,4 images/screen), #>1 byte >2 - unknown format, #>42 byte x %d screens, #>43 byte x %d commands # Based on empirical evidence, DL version 3 have several nulls following the # \003. Most of them start with non-null values at hex offset 0x34 or so. #0 string \3\0\0\0\0\0\0\0\0\0\0\0 DL version 3 # SGI and Apple formats 0 string MOVI Silicon Graphics movie file 4 string moov Apple QuickTime movie file (moov) 4 string mdat Apple QuickTime movie file (mdat) # iso 13818 transport stream # # from Oskar Schirmer Feb 3, 2001 (ISO 13818.1) # (the following is a little bit restrictive and works fine for a stream # that starts with PAT properly. it won't work for stream data, that is # cut from an input device data right in the middle, but this shouldn't # disturb) # syncbyte 8 bit 0x47 # error_ind 1 bit - # payload_start 1 bit 1 # priority 1 bit - # PID 13 bit 0x0000 # scrambling 2 bit - # adaptfld_ctrl 2 bit 1 or 3 # conti_count 4 bit 0 0 belong&0xFF5FFF1F 0x47400010 MPEG transport stream data >188 byte !0x47 CORRUPTED # DIF digital video file format 0 belong&0xffffff00 0x1f070000 DIF >4 byte &0x01 (DVCPRO) movie file >4 byte ^0x01 (DV) movie file >3 byte &0x80 (PAL) >3 byte ^0x80 (NTSC) # Microsoft Advanced Streaming Format (ASF) 0 belong 0x3026b275 Microsoft ASF # MNG Video Format, 0 string \x8aMNG MNG video data, >4 belong !0x0d0a1a0a CORRUPTED, >4 belong 0x0d0a1a0a #------------------------------------------------------------------------------ # apl: file(1) magic for APL (see also "pdp" and "vax" for other APL # workspaces) # 0 long 0100554 APL workspace (Ken's original?) #------------------------------------------------------------------------------ # apple: file(1) magic for Apple file formats # 0 string FiLeStArTfIlEsTaRt binscii (apple ][) text 0 string \x0aGL Binary II (apple ][) data 0 string \x76\xff Squeezed (apple ][) data 0 string NuFile NuFile archive (apple ][) data 0 string N\xf5F\xe9l\xe5 NuFile archive (apple ][) data 0 belong 0x00051600 AppleSingle encoded Macintosh file 0 belong 0x00051607 AppleDouble encoded Macintosh file # magic for Newton PDA package formats # from Ruda Moura 0 string package0 Newton package, NOS 1.x, >12 belong &0x80000000 AutoRemove, >12 belong &0x40000000 CopyProtect, >12 belong &0x10000000 NoCompression, >12 belong &0x04000000 Relocation, >12 belong &0x02000000 UseFasterCompression, >16 belong x version %d 0 string package1 Newton package, NOS 2.x, >12 belong &0x80000000 AutoRemove, >12 belong &0x40000000 CopyProtect, >12 belong &0x10000000 NoCompression, >12 belong &0x04000000 Relocation, >12 belong &0x02000000 UseFasterCompression, >16 belong x version %d # The following entries for the Apple II are for files that have # been transferred as raw binary data from an Apple, without having # been encapsulated by any of the above archivers. # # In general, Apple II formats are hard to identify because Apple DOS # and especially Apple ProDOS have strong typing in the file system and # therefore programmers never felt much need to include type information # in the files themselves. # # Eric Fischer # AppleWorks word processor: # # This matches the standard tab stops for an AppleWorks file, but if # a file has a tab stop set in the first four columns this will fail. # # The "O" is really the magic number, but that's so common that it's # necessary to check the tab stops that follow it to avoid false positives. 4 string O==== AppleWorks word processor data >85 byte&0x01 >0 \b, zoomed >90 byte&0x01 >0 \b, paginated >92 byte&0x01 >0 \b, with mail merge #>91 byte x \b, left margin %d # AppleWorks database: # # This isn't really a magic number, but it's the closest thing to one # that I could find. The 1 and 2 really mean "order in which you defined # categories" and "left to right, top to bottom," respectively; the D and R # mean that the cursor should move either down or right when you press Return. #30 string \x01D AppleWorks database data #30 string \x02D AppleWorks database data #30 string \x01R AppleWorks database data #30 string \x02R AppleWorks database data # AppleWorks spreadsheet: # # Likewise, this isn't really meant as a magic number. The R or C means # row- or column-order recalculation; the A or M means automatic or manual # recalculation. #131 string RA AppleWorks spreadsheet data #131 string RM AppleWorks spreadsheet data #131 string CA AppleWorks spreadsheet data #131 string CM AppleWorks spreadsheet data # Applesoft BASIC: # # This is incredibly sloppy, but will be true if the program was # written at its usual memory location of 2048 and its first line # number is less than 256. Yuck. 0 belong&0xff00ff 0x80000 Applesoft BASIC program data #>2 leshort x \b, first line number %d # ORCA/EZ assembler: # # This will not identify ORCA/M source files, since those have # some sort of date code instead of the two zero bytes at 6 and 7 # XXX Conflicts with ELF #4 belong&0xff00ffff 0x01000000 ORCA/EZ assembler source data #>5 byte x \b, build number %d # Broderbund Fantavision # # I don't know what these values really mean, but they seem to recur. # Will they cause too many conflicts? # Probably :-) #2 belong&0xFF00FF 0x040008 Fantavision movie data # Some attempts at images. # # These are actually just bit-for-bit dumps of the frame buffer, so # there's really no reasonably way to distinguish them except for their # address (if preserved) -- 8192 or 16384 -- and their length -- 8192 # or, occasionally, 8184. # # Nevertheless this will manage to catch a lot of images that happen # to have a solid-colored line at the bottom of the screen. 8144 string \x7F\x7F\x7F\x7F\x7F\x7F\x7F\x7F Apple II image with white background 8144 string \x55\x2A\x55\x2A\x55\x2A\x55\x2A Apple II image with purple background 8144 string \x2A\x55\x2A\x55\x2A\x55\x2A\x55 Apple II image with green background 8144 string \xD5\xAA\xD5\xAA\xD5\xAA\xD5\xAA Apple II image with blue background 8144 string \xAA\xD5\xAA\xD5\xAA\xD5\xAA\xD5 Apple II image with orange background # Beagle Bros. Apple Mechanic fonts 0 belong&0xFF00FFFF 0x6400D000 Apple Mechanic font #------------------------------------------------------------------------------ # applix: file(1) magic for Applixware # From: Peter Soos # 0 string *BEGIN Applixware >7 string WORDS Words Document >7 string GRAPHICS Graphic >7 string RASTER Bitmap >7 string SPREADSHEETS Spreadsheet >7 string MACRO Macro >7 string BUILDER Builder Object #------------------------------------------------------------------------------ # archive: file(1) magic for archive formats (see also "msdos" for self- # extracting compressed archives) # # cpio, ar, arc, arj, hpack, lha/lharc, rar, squish, uc2, zip, zoo, etc. # pre-POSIX "tar" archives are handled in the C code. # POSIX tar archives 257 string ustar\0 POSIX tar archive 257 string ustar\040\040\0 GNU tar archive # cpio archives # # Yes, the top two "cpio archive" formats *are* supposed to just be "short". # The idea is to indicate archives produced on machines with the same # byte order as the machine running "file" with "cpio archive", and # to indicate archives produced on machines with the opposite byte order # from the machine running "file" with "byte-swapped cpio archive". # # The SVR4 "cpio(4)" hints that there are additional formats, but they # are defined as "short"s; I think all the new formats are # character-header formats and thus are strings, not numbers. 0 short 070707 cpio archive 0 short 0143561 byte-swapped cpio archive 0 string 070707 ASCII cpio archive (pre-SVR4 or odc) 0 string 070701 ASCII cpio archive (SVR4 with no CRC) 0 string 070702 ASCII cpio archive (SVR4 with CRC) # Debian package (needs to go before regular portable archives) # 0 string !\ndebian >8 string debian-split part of multipart Debian package >8 string debian-binary Debian binary package >68 string >\n (format %s) >136 ledate x created: %s # other archives 0 long 0177555 very old archive 0 short 0177555 very old PDP-11 archive 0 long 0177545 old archive 0 short 0177545 old PDP-11 archive 0 long 0100554 apl workspace 0 string = archive # MIPS archive (needs to go before regular portable archives) # 0 string !\n__________E MIPS archive >20 string U with MIPS Ucode members >21 string L with MIPSEL members >21 string B with MIPSEB members >19 string L and an EL hash table >19 string B and an EB hash table >22 string X -- out of date 0 string -h- Software Tools format archive text # # XXX - why are there multiple thingies? Note that 0x213c6172 is # "! current ar archive # 0 long 0x213c6172 archive file # # and for SVR1 archives, we have: # # 0 string \ System V Release 1 ar archive # 0 string = archive # # XXX - did Aegis really store shared libraries, breakpointed modules, # and absolute code program modules in the same format as new-style # "ar" archives? # 0 string ! current ar archive >8 string __.SYMDEF random library >0 belong =65538 - pre SR9.5 >0 belong =65539 - post SR9.5 >0 beshort 2 - object archive >0 beshort 3 - shared library module >0 beshort 4 - debug break-pointed module >0 beshort 5 - absolute code program module 0 string \ System V Release 1 ar archive 0 string = archive # # XXX - from "vax", which appears to collect a bunch of byte-swapped # thingies, to help you recognize VAX files on big-endian machines; # with "leshort", "lelong", and "string", that's no longer necessary.... # 0 belong 0x65ff0000 VAX 3.0 archive 0 belong 0x3c61723e VAX 5.0 archive # 0 long 0x213c6172 archive file 0 lelong 0177555 very old VAX archive 0 leshort 0177555 very old PDP-11 archive # # XXX - "pdp" claims that 0177545 can have an __.SYMDEF member and thus # be a random library (it said 0xff65 rather than 0177545). # 0 lelong 0177545 old VAX archive >8 string __.SYMDEF random library 0 leshort 0177545 old PDP-11 archive >8 string __.SYMDEF random library # # From "pdp" (but why a 4-byte quantity?) # 0 lelong 0x39bed PDP-11 old archive 0 lelong 0x39bee PDP-11 4.0 archive # ARC archiver, from Daniel Quinlan (quinlan@yggdrasil.com) # # The first byte is the magic (0x1a), byte 2 is the compression type for # the first file (0x01 through 0x09), and bytes 3 to 15 are the MS-DOS # filename of the first file (null terminated). Since some types collide # we only test some types on basis of frequency: 0x08 (83%), 0x09 (5%), # 0x02 (5%), 0x03 (3%), 0x04 (2%), 0x06 (2%). 0x01 collides with terminfo. 0 lelong&0x8080ffff 0x0000081a ARC archive data, dynamic LZW 0 lelong&0x8080ffff 0x0000091a ARC archive data, squashed 0 lelong&0x8080ffff 0x0000021a ARC archive data, uncompressed 0 lelong&0x8080ffff 0x0000031a ARC archive data, packed 0 lelong&0x8080ffff 0x0000041a ARC archive data, squeezed 0 lelong&0x8080ffff 0x0000061a ARC archive data, crunched # Acorn archive formats (Disaster prone simpleton, m91dps@ecs.ox.ac.uk) # I can't create either SPARK or ArcFS archives so I have not tested this stuff # [GRR: the original entries collide with ARC, above; replaced with combined # version (not tested)] #0 byte 0x1a RISC OS archive #>1 string archive (ArcFS format) 0 string \032archive RISC OS archive (ArcFS format) # ARJ archiver (jason@jarthur.Claremont.EDU) 0 leshort 0xea60 ARJ archive data >5 byte x \b, v%d, >8 byte &0x04 multi-volume, >8 byte &0x10 slash-switched, >8 byte &0x20 backup, >34 string x original name: %s, >7 byte 0 os: MS-DOS >7 byte 1 os: PRIMOS >7 byte 2 os: Unix >7 byte 3 os: Amiga >7 byte 4 os: Macintosh >7 byte 5 os: OS/2 >7 byte 6 os: Apple ][ GS >7 byte 7 os: Atari ST >7 byte 8 os: NeXT >7 byte 9 os: VAX/VMS >3 byte >0 %d] # HA archiver (Greg Roelofs, newt@uchicago.edu) # This is a really bad format. A file containing HAWAII will match this... #0 string HA HA archive data, #>2 leshort =1 1 file, #>2 leshort >1 %u files, #>4 byte&0x0f =0 first is type CPY #>4 byte&0x0f =1 first is type ASC #>4 byte&0x0f =2 first is type HSC #>4 byte&0x0f =0x0e first is type DIR #>4 byte&0x0f =0x0f first is type SPECIAL # HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz) 0 string HPAK HPACK archive data # JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net 0 string \351,\001JAM\ JAM archive, >7 string >\0 version %.4s >0x26 byte =0x27 - >>0x2b string >\0 label %.11s, >>0x27 lelong x serial %08x, >>0x36 string >\0 fstype %.8s # LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu) 2 string -lh0- LHarc 1.x archive data [lh0] 2 string -lh1- LHarc 1.x archive data [lh1] 2 string -lz4- LHarc 1.x archive data [lz4] 2 string -lz5- LHarc 1.x archive data [lz5] # [never seen any but the last; -lh4- reported in comp.compression:] 2 string -lzs- LHa 2.x? archive data [lzs] 2 string -lh\40- LHa 2.x? archive data [lh ] 2 string -lhd- LHa 2.x? archive data [lhd] 2 string -lh2- LHa 2.x? archive data [lh2] 2 string -lh3- LHa 2.x? archive data [lh3] 2 string -lh4- LHa (2.x) archive data [lh4] 2 string -lh5- LHa (2.x) archive data [lh5] 2 string -lh6- LHa (2.x) archive data [lh6] 2 string -lh7- LHa (2.x) archive data [lh7] >20 byte x - header level %d # RAR archiver (Greg Roelofs, newt@uchicago.edu) 0 string Rar! RAR archive data # SQUISH archiver (Greg Roelofs, newt@uchicago.edu) 0 string SQSH squished archive data (Acorn RISCOS) # UC2 archiver (Greg Roelofs, newt@uchicago.edu) # I can't figure out the self-extracting form of these buggers... 0 string UC2\x1a UC2 archive data # ZIP archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) 0 string PK\003\004 Zip archive data >4 byte 0x09 \b, at least v0.9 to extract >4 byte 0x0a \b, at least v1.0 to extract >4 byte 0x0b \b, at least v1.1 to extract >4 byte 0x14 \b, at least v2.0 to extract # Zoo archiver 20 lelong 0xfdc4a7dc Zoo archive data >4 byte >48 \b, v%c. >>6 byte >47 \b%c >>>7 byte >47 \b%c >32 byte >0 \b, modify: v%d >>33 byte x \b.%d+ >42 lelong 0xfdc4a7dc \b, >>70 byte >0 extract: v%d >>>71 byte x \b.%d+ # Shell archives 10 string #\ This\ is\ a\ shell\ archive shell archive text # # LBR. NB: May conflict with the questionable # "binary Computer Graphics Metafile" format. # 0 string \0\ \ \ \ \ \ \ \ \ \ \ \0\0 LBR archive data # # PMA (CP/M derivative of LHA) # 2 string -pm0- PMarc archive data [pm0] 2 string -pm1- PMarc archive data [pm1] 2 string -pm2- PMarc archive data [pm2] 2 string -pms- PMarc SFX archive (CP/M, DOS) 5 string -pc1- PopCom compressed executable (CP/M) # From Rafael Laboissiere # The Project Revision Control System (see # http://prcs.sourceforge.net) generates a packaged project # file which is recognized by the following entry: 0 leshort 0xeb81 PRCS packaged project # Microsoft cabinets # by David Necas (Yeti) 0 string MSCF\0\0\0\0 Microsoft cabinet file data, >25 byte x v%d >24 byte x \b.%d # GTKtalog catalogs # by David Necas (Yeti) 4 string gtktalog\ GTKtalog catalog data, >13 string 3 version 3 >>14 beshort 0x677a (gzipped) >>14 beshort !0x677a (not gzipped) >13 string >3 version %s ############################################################################ # Parity archive reconstruction file, the 'par' file format now used on Usenet. 0 string PAR\0 PARity archive data >48 leshort =0 - Index file >48 leshort >0 - file number %d #------------------------------------------------------------------------------ # asterix: file(1) magic for Aster*x; SunOS 5.5.1 gave the 4-character # strings as "long" - we assume they're just strings: # From: guy@netapp.com (Guy Harris) # 0 string *STA Aster*x >7 string WORD Words Document >7 string GRAP Graphic >7 string SPRE Spreadsheet >7 string MACR Macro 0 string 2278 Aster*x Version 2 >29 byte 0x36 Words Document >29 byte 0x35 Graphic >29 byte 0x32 Spreadsheet >29 byte 0x38 Macro #------------------------------------------------------------------------------ # att3b: file(1) magic for AT&T 3B machines # # The `versions' should be un-commented if they work for you. # (Was the problem just one of endianness?) # # 3B20 # # The 3B20 conflicts with SCCS. #0 beshort 0550 3b20 COFF executable #>12 belong >0 not stripped #>22 beshort >0 - version %ld #0 beshort 0551 3b20 COFF executable (TV) #>12 belong >0 not stripped #>22 beshort >0 - version %ld # # WE32K # 0 beshort 0560 WE32000 COFF >18 beshort ^00000020 object >18 beshort &00000020 executable >12 belong >0 not stripped >18 beshort ^00010000 N/A on 3b2/300 w/paging >18 beshort &00020000 32100 required >18 beshort &00040000 and MAU hardware required >20 beshort 0407 (impure) >20 beshort 0410 (pure) >20 beshort 0413 (demand paged) >20 beshort 0443 (target shared library) >22 beshort >0 - version %ld 0 beshort 0561 WE32000 COFF executable (TV) >12 belong >0 not stripped #>18 beshort &00020000 - 32100 required #>18 beshort &00040000 and MAU hardware required #>22 beshort >0 - version %ld # # core file for 3b2 0 string \000\004\036\212\200 3b2 core file >364 string >\0 of '%s' #------------------------------------------------------------------------------ # audio: file(1) magic for sound formats (see also "iff") # # Jan Nicolai Langfeldt (janl@ifi.uio.no), Dan Quinlan (quinlan@yggdrasil.com), # and others # # Sun/NeXT audio data 0 string .snd Sun/NeXT audio data: >12 belong 1 8-bit ISDN u-law, >12 belong 2 8-bit linear PCM [REF-PCM], >12 belong 3 16-bit linear PCM, >12 belong 4 24-bit linear PCM, >12 belong 5 32-bit linear PCM, >12 belong 6 32-bit IEEE floating point, >12 belong 7 64-bit IEEE floating point, >12 belong 23 8-bit ISDN u-law compressed (CCITT G.721 ADPCM voice data encoding), >12 belong 24 compressed (8-bit G.722 ADPCM) >12 belong 25 compressed (3-bit G.723 ADPCM), >12 belong 26 compressed (5-bit G.723 ADPCM), >12 belong 27 8-bit A-law, >20 belong 1 mono, >20 belong 2 stereo, >20 belong 4 quad, >16 belong >0 %d Hz # DEC systems (e.g. DECstation 5000) use a variant of the Sun/NeXT format # that uses little-endian encoding and has a different magic number 0 lelong 0x0064732E DEC audio data: >12 lelong 1 8-bit ISDN u-law, >12 lelong 2 8-bit linear PCM [REF-PCM], >12 lelong 3 16-bit linear PCM, >12 lelong 4 24-bit linear PCM, >12 lelong 5 32-bit linear PCM, >12 lelong 6 32-bit IEEE floating point, >12 lelong 7 64-bit IEEE floating point, >12 lelong 23 8-bit ISDN u-law compressed (CCITT G.721 ADPCM voice data encoding), >20 lelong 1 mono, >20 lelong 2 stereo, >20 lelong 4 quad, >16 lelong >0 %d Hz # Creative Labs AUDIO stuff 0 string MThd Standard MIDI data >9 byte >0 (format %d) >11 byte >1 using %d tracks 0 string CTMF Creative Music (CMF) data 0 string SBI SoundBlaster instrument data 0 string Creative\ Voice\ File Creative Labs voice data # is this next line right? it came this way... >19 byte 0x1A >23 byte >0 - version %d >22 byte >0 \b.%d # first entry is also the string "NTRK" 0 belong 0x4e54524b MultiTrack sound data >4 belong x - version %ld # Extended MOD format (*.emd) (Greg Roelofs, newt@uchicago.edu); NOT TESTED # [based on posting 940824 by "Dirk/Elastik", husberg@lehtori.cc.tut.fi] 0 string EMOD Extended MOD sound data, >4 byte&0xf0 x version %d >4 byte&0x0f x \b.%d, >45 byte x %d instruments >83 byte 0 (module) >83 byte 1 (song) # Real Audio (Magic .ra\0375) 0 belong 0x2e7261fd RealAudio sound file 0 string .RMF RealMedia file # MTM/669/FAR/S3M/ULT/XM format checking [Aaron Eppert, aeppert@dialin.ind.net] # Oct 31, 1995 0 string MTM MultiTracker Module sound file #0 string if Composer 669 Module sound data 0 string FAR Module sound data 0 string MAS_U ULT(imate) Module sound data 0x2c string SCRM ScreamTracker III Module sound data 0 string Extended Module Extended Module sound data # Gravis UltraSound patches # From 0 string GF1PATCH110\0ID#000002\0 GUS patch 0 string GF1PATCH100\0ID#000002\0 Old GUS patch # # Taken from loader code from mikmod version 2.14 # by Steve McIntyre (stevem@chiark.greenend.org.uk) 0 string JN extended 669 module data 0 string MAS_UTrack_V00 >14 string >/0 ultratracker V1.%.1s module sound data 0 string UN05 MikMod UNI format module sound data 0 string Extended\ Module: Fasttracker II module sound data 21 string !SCREAM! Screamtracker 2 module sound data 1080 string M.K. 4-channel Protracker module sound data 1080 string M!K! 4-channel Protracker module sound data 1080 string FLT4 4-channel Startracker module sound data 1080 string 4CHN 4-channel Fasttracker module sound data 1080 string 6CHN 6-channel Fasttracker module sound data 1080 string 8CHN 8-channel Fasttracker module sound data 1080 string CD81 8-channel Oktalyzer module sound data 1080 string OKTA 8-channel Oktalyzer module sound data # Not good enough. #1082 string CH #>1080 string >/0 %.2s-channel Fasttracker "oktalyzer" module sound data 1080 string 16CN 16-channel Taketracker module sound data 1080 string 32CN 32-channel Taketracker module sound data # TOC sound files -Trevor Johnson # 0 string TOC TOC sound file # sidfiles 0 string SIDPLAY\ INFOFILE Sidplay info file 0 string PSID PlaySID v2.2+ (AMIGA) sidtune >4 beshort >0 w/ header v%d, >14 beshort =1 single song, >14 beshort >1 %d songs, >16 beshort >0 default song: %d # IRCAM # VAX and MIPS files are little-endian; Sun and NeXT are big-endian 0 belong 0x64a30100 IRCAM file (VAX) 0 belong 0x64a30200 IRCAM file (Sun) 0 belong 0x64a30300 IRCAM file (MIPS little-endian) 0 belong 0x64a30400 IRCAM file (NeXT) # NIST SPHERE 0 string NIST_1A\n\ \ \ 1024\n NIST SPHERE file # Sample Vision 0 string SOUND\ SAMPLE\ DATA\ Sample Vision file # Audio Visual Research 0 string 2BIT Audio Visual Research file # SGI SoundTrack 0 string _SGI_SoundTrack SGI SoundTrack project file # ID3 version 2 tags 0 string ID3 MP3 file with ID3 version 2. >3 ubyte <0xff \b%d. >4 ubyte <0xff \b%d tag # NSF (NES sound file) magic 0 string NESM\x1a NES Sound File >14 string >\0 ("%s" by >46 string >\0 %s, copyright >78 string >\0 %s), >5 byte x version %d, >6 byte x %d tracks, >122 byte&0x2 =1 dual PAL/NTSC >122 byte&0x1 =1 PAL >122 byte&0x1 =0 NTSC # Impuse tracker module (audio/x-it) 0 string IMPM Impulse Tracker module sound data - >4 string >\0 "%s" >40 leshort !0 compatible w/ITv%x >42 leshort !0 created w/ITv%x # Imago Orpheus module (audio/x-imf) 60 string IM10 Imago Orpheus module sound data - >0 string >\0 "%s" # From # These are the /etc/magic entries to decode modules, instruments, and # samples in Impulse Tracker's native format. 0 string IMPS Impulse Tracker Sample >18 byte &2 16 bit >18 byte ^2 8 bit >18 byte &4 stereo >18 byte ^4 mono 0 string IMPI Impulse Tracker Instrument >28 leshort !0 ITv%x >30 byte !0 %d samples # Yamaha TX Wave: file(1) magic for Yamaha TX Wave audio files # From 0 string LM8953 Yamaha TX Wave >22 byte 0x49 looped >22 byte 0xC9 non-looped >23 byte 1 33kHz >23 byte 2 50kHz >23 byte 3 16kHz # scream tracker: file(1) magic for Scream Tracker sample files # # From 76 string SCRS Scream Tracker Sample >0 byte 1 sample >0 byte 2 adlib melody >0 byte >2 adlib drum >31 byte &2 stereo >31 byte ^2 mono >31 byte &4 16bit little endian >31 byte ^4 8bit >30 byte 0 unpacked >30 byte 1 packed # audio # From: Cory Dikkers 0 string MMD0 MED music file, version 0 0 string MMD1 OctaMED Pro music file, version 1 0 string MMD3 OctaMED Soundstudio music file, version 3 0 string OctaMEDCmpr OctaMED Soundstudio compressed file 0 string MED MED_Song 0 string SymM Symphonie SymMOD music file # 0 string THX AHX version >3 byte =0 1 module data >3 byte =1 2 module data # 0 string OKTASONG Oktalyzer module data # 0 string DIGI\ Booster\ module\0 %s >20 byte >0 %c >>21 byte >0 \b%c >>>22 byte >0 \b%c >>>>23 byte >0 \b%c >610 string >\0 \b, "%s" # 0 string DBM0 DIGI Booster Pro Module >4 byte >0 V%X. >>5 byte x \b%02X >16 string >\0 \b, "%s" # 0 string FTMN FaceTheMusic module >16 string >\0d \b, "%s" # From: Takeshi Hamasaki # NOA Nancy Codec file 0 string \210NOA\015\012\032 NOA Nancy Codec Movie file # Yamaha SMAF format 0 string MMMD Yamaha SMAF file # Sharp Jisaku Melody format for PDC 0 string \001Sharp\040JisakuMelody SHARP Cell-Phone ringing Melody >20 string Ver01.00 Ver. 1.00 >>32 byte x , %d tracks # FLAC audio stream # From: Dan Fandrich 0 string fLaC FLAC audio stream data #------------------------------------------------------------------------------ # bFLT: file(1) magic for BFLT uclinux binary files # # From Philippe De Muyter # 0 string bFLT BFLT executable >4 belong x - version %ld >4 belong 4 >>36 belong&0x1 0x1 ram >>36 belong&0x2 0x2 gotpic >>36 belong&0x4 0x4 gzip >>36 belong&0x8 0x8 gzdata #------------------------------------------------------------------------------ # blender: file(1) magic for Blender 3D data files # # Coded by Guillermo S. Romero using the # data from Ton Roosendaal . Ton or his company do not # support the rule, so mail GSR if problems with it. Rule version: 1.1. # You can get latest version with comments and details about the format # at http://acd.asoc.euitt.upm.es/~gsromero/3d/blender/magic.blender 0 string =BLENDER Blender3D, >7 string =_ saved as 32-bits >7 string =- saved as 64-bits >8 string =v little endian >8 string =V big endian >9 byte x with version %c. >10 byte x \b%c >11 byte x \b%c #------------------------------------------------------------------------------ # blit: file(1) magic for 68K Blit stuff as seen from 680x0 machine # # Note that this 0407 conflicts with several other a.out formats... # # XXX - should this be redone with "be" and "le", so that it works on # little-endian machines as well? If so, what's the deal with # "VAX-order" and "VAX-order2"? # #0 long 0407 68K Blit (standalone) executable #0 short 0407 VAX-order2 68K Blit (standalone) executable 0 short 03401 VAX-order 68K Blit (standalone) executable 0 long 0406 68k Blit mpx/mux executable 0 short 0406 VAX-order2 68k Blit mpx/mux executable 0 short 03001 VAX-order 68k Blit mpx/mux executable # Need more values for WE32 DMD executables. # Note that 0520 is the same as COFF #0 short 0520 tty630 layers executable # # i80960 b.out objects and archives # 0 long 0x10d i960 b.out relocatable object >16 long >0 not stripped # # b.out archive (hp-rt on i960) 0 string ! b.out archive >8 string __.SYMDEF random library #------------------------------------------------------------------------------ # bsdi: file(1) magic for BSD/OS (from BSDI) objects # 0 lelong 0314 386 compact demand paged pure executable >16 lelong >0 not stripped >32 byte 0x6a (uses shared libs) 0 lelong 0407 386 executable >16 lelong >0 not stripped >32 byte 0x6a (uses shared libs) 0 lelong 0410 386 pure executable >16 lelong >0 not stripped >32 byte 0x6a (uses shared libs) 0 lelong 0413 386 demand paged pure executable >16 lelong >0 not stripped >32 byte 0x6a (uses shared libs) # same as in SunOS 4.x, except for static shared libraries 0 belong&077777777 0600413 sparc demand paged >0 byte &0x80 >>20 belong <4096 shared library >>20 belong =4096 dynamically linked executable >>20 belong >4096 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped >36 belong 0xb4100001 (uses shared libs) 0 belong&077777777 0600410 sparc pure >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped >36 belong 0xb4100001 (uses shared libs) 0 belong&077777777 0600407 sparc >0 byte &0x80 dynamically linked executable >0 byte ^0x80 executable >16 belong >0 not stripped >36 belong 0xb4100001 (uses shared libs) #------------------------------------------------------------------------------ # c-lang: file(1) magic for C programs (or REXX) # # XPM icons (Greg Roelofs, newt@uchicago.edu) # if you uncomment "/*" for C/REXX below, also uncomment this entry #0 string /*\ XPM\ */ X pixmap image data # this first will upset you if you're a PL/1 shop... # in which case rm it; ascmagic will catch real C programs #0 string /* C or REXX program text 0 string // C++ program text # From: Mikhail Teterin 0 string cscope cscope reference data >7 string x version %.2s # We skip the path here, because it is often long (so file will # truncate it) and mostly redundant. # The inverted index functionality was added some time betwen # versions 11 and 15, so look for -q if version is above 14: >7 string >14 >>10 regex .+\ -q\ with inverted index >10 regex .+\ -c\ text (non-compressed) #------------------------------------------------------------------------------ # CDDB: file(1) magic for CDDB(tm) format CD text data files # # From # # This is the /etc/magic entry to decode datafiles as used by # CDDB-enabled CD player applications. # 0 string/b #\040xmcd CDDB(tm) format CD text data #------------------------------------------------------------------------------ # chi: file(1) magic for ChiWriter files # 0 string \\1cw\ ChiWriter file >5 string >\0 version %s 0 string \\1cw ChiWriter file #------------------------------------------------------------------------------ # chord: file(1) magic for Chord music sheet typesetting utility input files # # From Philippe De Muyter # File format is actually free, but many distributed files begin with `{title' # 0 string {title Chord text file #------------------------------------------------------------------------------ # cisco: file(1) magic for cisco Systems routers # # Most cisco file-formats are covered by the generic elf code # # Microcode files are non-ELF, 0x8501 conflicts with NetBSD/alpha. 0 belong&0xffffff00 0x85011400 cisco IOS microcode >7 string >\0 for '%s' 0 belong&0xffffff00 0x8501cb00 cisco IOS experimental microcode >7 string >\0 for '%s' #------------------------------------------------------------------------------ # citrus locale declaration # 0 string RuneCT Citrus locale declaration for LC_CTYPE #------------------------------------------------------------------------------ # claris: file(1) magic for claris # "H. Nanosecond" # Claris Works a word processor, etc. # Version 3.0 # .pct claris works clip art files #0000000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 #* #0001000 #010 250 377 377 377 377 000 213 000 230 000 021 002 377 014 000 #null to byte 1000 octal 514 string \377\377\377\377\000 Claris clip art? >0 string \0\0\0\0\0\0\0\0\0\0\0\0\0 yes. 514 string \377\377\377\377\001 Claris clip art? >0 string \0\0\0\0\0\0\0\0\0\0\0\0\0 yes. # Claris works files # .cwk 0 string \002\000\210\003\102\117\102\117\000\001\206 Claris works document # .plt 0 string \020\341\000\000\010\010 Claris Works pallete files .plt # .msp a dictionary file I am not sure about this I have only one .msp file 0 string \002\271\262\000\040\002\000\164 Claris works dictionary # .usp are user dictionary bits # I am not sure about a magic header: #0000000 001 123 160 146 070 125 104 040 136 123 015 012 160 157 144 151 # soh S p f 8 U D sp ^ S cr nl p o d i #0000020 141 164 162 151 163 164 040 136 123 015 012 144 151 166 040 043 # a t r i s t sp ^ S cr nl d i v sp # # .mth Thesaurus # statrts with \0 but no magic header # .chy Hyphenation file # I am not sure: 000 210 034 000 000 # other claris files #./windows/claris/useng.ndx: data #./windows/claris/xtndtran.l32: data #./windows/claris/xtndtran.lst: data #./windows/claris/clworks.lbl: data #./windows/claris/clworks.prf: data #./windows/claris/userd.spl: data #------------------------------------------------------------------------------ # clipper: file(1) magic for Intergraph (formerly Fairchild) Clipper. # # XXX - what byte order does the Clipper use? # # XXX - what's the "!" stuff: # # >18 short !074000,000000 C1 R1 # >18 short !074000,004000 C2 R1 # >18 short !074000,010000 C3 R1 # >18 short !074000,074000 TEST # # I shall assume it's ANDing the field with the first value and # comparing it with the second, and rewrite it as: # # >18 short&074000 000000 C1 R1 # >18 short&074000 004000 C2 R1 # >18 short&074000 010000 C3 R1 # >18 short&074000 074000 TEST # # as SVR3.1's "file" doesn't support anything of the "!074000,000000" # sort, nor does SunOS 4.x, so either it's something Intergraph added # in CLIX, or something AT&T added in SVR3.2 or later, or something # somebody else thought was a good idea; it's not documented in the # man page for this version of "magic", nor does it appear to be # implemented (at least not after I blew off the bogus code to turn # old-style "&"s into new-style "&"s, which just didn't work at all). # 0 short 0575 CLIPPER COFF executable (VAX #) >20 short 0407 (impure) >20 short 0410 (5.2 compatible) >20 short 0411 (pure) >20 short 0413 (demand paged) >20 short 0443 (target shared library) >12 long >0 not stripped >22 short >0 - version %ld 0 short 0577 CLIPPER COFF executable >18 short&074000 000000 C1 R1 >18 short&074000 004000 C2 R1 >18 short&074000 010000 C3 R1 >18 short&074000 074000 TEST >20 short 0407 (impure) >20 short 0410 (pure) >20 short 0411 (separate I&D) >20 short 0413 (paged) >20 short 0443 (target shared library) >12 long >0 not stripped >22 short >0 - version %ld >48 long&01 01 alignment trap enabled >52 byte 1 -Ctnc >52 byte 2 -Ctsw >52 byte 3 -Ctpw >52 byte 4 -Ctcb >53 byte 1 -Cdnc >53 byte 2 -Cdsw >53 byte 3 -Cdpw >53 byte 4 -Cdcb >54 byte 1 -Csnc >54 byte 2 -Cssw >54 byte 3 -Cspw >54 byte 4 -Cscb 4 string pipe CLIPPER instruction trace 4 string prof CLIPPER instruction profile #------------------------------------------------------------------------------ # commands: file(1) magic for various shells and interpreters # 0 string : shell archive or script for antique kernel text 0 string/b #!\ /bin/sh Bourne shell script text executable 0 string/b #!\ /bin/csh C shell script text executable # korn shell magic, sent by George Wu, gwu@clyde.att.com 0 string/b #!\ /bin/ksh Korn shell script text executable 0 string/b #!\ /bin/tcsh Tenex C shell script text executable 0 string/b #!\ /usr/local/tcsh Tenex C shell script text executable 0 string/b #!\ /usr/local/bin/tcsh Tenex C shell script text executable # # zsh/ash/ae/nawk/gawk magic from cameron@cs.unsw.oz.au (Cameron Simpson) 0 string/b #!\ /bin Paul Falstad's zsh script text executable 0 string/b #!\ /usr/bin Paul Falstad's zsh script text executable 0 string/b #!\ /usr/local/bin/zsh Paul Falstad's zsh script text executable 0 string/b #!\ /usr/local/bin/ash Neil Brown's ash script text executable 0 string/b #!\ /usr/local/bin/ae Neil Brown's ae script text executable 0 string/b #!\ /bin/nawk new awk script text executable 0 string/b #!\ /usr/bin/nawk new awk script text executable 0 string/b #!\ /usr/local/bin/nawk new awk script text executable 0 string/b #!\ /bin/gawk GNU awk script text executable 0 string/b #!\ /usr/bin/gawk GNU awk script text executable 0 string/b #!\ /usr/local/bin/gawk GNU awk script text executable # 0 string/b #!\ /bin/awk awk script text executable 0 string/b #!\ /usr/bin/awk awk script text executable 0 string BEGIN awk script text # AT&T Bell Labs' Plan 9 shell 0 string/b #!\ /bin/rc Plan 9 rc shell script text executable # bash shell magic, from Peter Tobias (tobias@server.et-inf.fho-emden.de) 0 string/b #!\ /bin/bash Bourne-Again shell script text executable 0 string/b #!\ /usr/local/bin/bash Bourne-Again shell script text executable # using env 0 string #!/usr/bin/env a >15 string >\0 %s script text executable 0 string #!\ /usr/bin/env a >16 string >\0 %s script text executable # generic shell magic 0 string #!\ / a >3 string >\0 %s script text executable 0 string #!\ / a >3 string >\0 %s script text executable 0 string #!/ a >2 string >\0 %s script text executable 0 string #!\ script text executable >3 string >\0 for %s # PHP scripts # Ulf Harnhammar 0 string/c =2 byte&0x80 >0 block compressed >2 byte&0x1f x %d bits # gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver) # Edited by Chris Chittleborough , March 2002 # * Original filename is only at offset 10 if "extra field" absent # * Produce shorter output - notably, only report compression methods # other than 8 ("deflate", the only method defined in RFC 1952). 0 string \037\213 gzip compressed data >2 byte <8 \b, reserved method >2 byte >8 \b, unknown method >3 byte &0x01 \b, ASCII >3 byte &0x02 \b, continuation >3 byte &0x04 \b, extra field >3 byte&0xC =0x08 >>10 string x \b, was "%s" >9 byte =0x00 \b, from MS-DOS >9 byte =0x01 \b, from Amiga >9 byte =0x02 \b, from VMS >9 byte =0x03 \b, from Unix >9 byte =0x05 \b, from Atari >9 byte =0x06 \b, from OS/2 >9 byte =0x07 \b, from MacOS >9 byte =0x0A \b, from Tops/20 >9 byte =0x0B \b, from Win/32 >3 byte &0x10 \b, comment >3 byte &0x20 \b, encrypted ### >4 ledate x last modified: %s, >8 byte 2 \b, max compression >8 byte 4 \b, max speed # packed data, Huffman (minimum redundancy) codes on a byte-by-byte basis 0 string \037\036 packed data >2 belong >1 \b, %d characters originally >2 belong =1 \b, %d character originally # # This magic number is byte-order-independent. XXX - Does that mean this # is big-endian, little-endian, either, or that you can't tell? # this short is valid for SunOS 0 short 017437 old packed data # XXX - why *two* entries for "compacted data", one of which is # byte-order independent, and one of which is byte-order dependent? # 0 short 0x1fff compacted data # This string is valid for SunOS (BE) and a matching "short" is listed # in the Ultrix (LE) magic file. 0 string \377\037 compacted data 0 short 0145405 huf output # bzip2 0 string BZh bzip2 compressed data >3 byte >47 \b, block size = %c00k # squeeze and crunch # Michael Haardt 0 beshort 0x76FF squeezed data, >4 string x original name %s 0 beshort 0x76FE crunched data, >2 string x original name %s 0 beshort 0x76FD LZH compressed data, >2 string x original name %s # Freeze 0 string \037\237 frozen file 2.1 0 string \037\236 frozen file 1.0 (or gzip 0.5) # SCO compress -H (LZH) 0 string \037\240 SCO compress -H (LZH) data # European GSM 06.10 is a provisional standard for full-rate speech # transcoding, prI-ETS 300 036, which uses RPE/LTP (residual pulse # excitation/long term prediction) coding at 13 kbit/s. # # There's only a magic nibble (4 bits); that nibble repeats every 33 # bytes. This isn't suited for use, but maybe we can use it someday. # # This will cause very short GSM files to be declared as data and # mismatches to be declared as data too! #0 byte&0xF0 0xd0 data #>33 byte&0xF0 0xd0 #>66 byte&0xF0 0xd0 #>99 byte&0xF0 0xd0 #>132 byte&0xF0 0xd0 GSM 06.10 compressed audio # bzip a block-sorting file compressor # by Julian Seward and others # 0 string BZ bzip compressed data >2 byte x \b, version: %c >3 string =1 \b, compression block size 100k >3 string =2 \b, compression block size 200k >3 string =3 \b, compression block size 300k >3 string =4 \b, compression block size 400k >3 string =5 \b, compression block size 500k >3 string =6 \b, compression block size 600k >3 string =7 \b, compression block size 700k >3 string =8 \b, compression block size 800k >3 string =9 \b, compression block size 900k # lzop from 0 string \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a lzop compressed data >9 beshort <0x0940 >>9 byte&0xf0 =0x00 - version 0. >>9 beshort&0x0fff x \b%03x, >>13 byte 1 LZO1X-1, >>13 byte 2 LZO1X-1(15), >>13 byte 3 LZO1X-999, ## >>22 bedate >0 last modified: %s, >>14 byte =0x00 os: MS-DOS >>14 byte =0x01 os: Amiga >>14 byte =0x02 os: VMS >>14 byte =0x03 os: Unix >>14 byte =0x05 os: Atari >>14 byte =0x06 os: OS/2 >>14 byte =0x07 os: MacOS >>14 byte =0x0A os: Tops/20 >>14 byte =0x0B os: WinNT >>14 byte =0x0E os: Win32 >9 beshort >0x0939 >>9 byte&0xf0 =0x00 - version 0. >>9 byte&0xf0 =0x10 - version 1. >>9 byte&0xf0 =0x20 - version 2. >>9 beshort&0x0fff x \b%03x, >>15 byte 1 LZO1X-1, >>15 byte 2 LZO1X-1(15), >>15 byte 3 LZO1X-999, ## >>25 bedate >0 last modified: %s, >>17 byte =0x00 os: MS-DOS >>17 byte =0x01 os: Amiga >>17 byte =0x02 os: VMS >>17 byte =0x03 os: Unix >>17 byte =0x05 os: Atari >>17 byte =0x06 os: OS/2 >>17 byte =0x07 os: MacOS >>17 byte =0x0A os: Tops/20 >>17 byte =0x0B os: WinNT >>17 byte =0x0E os: Win32 # 4.3BSD-Quasijarus Strong Compression # http://minnie.tuhs.org/Quasijarus/compress.html 0 string \037\241 Quasijarus strong compressed data # From: Cory Dikkers 0 string XPKF Amiga xpkf.library compressed data 0 string PP11 Power Packer 1.1 compressed data 0 string PP20 Power Packer 2.0 compressed data, >4 belong 0x09090909 fast compression >4 belong 0x090A0A0A mediocre compression >4 belong 0x090A0B0B good compression >4 belong 0x090A0C0C very good compression >4 belong 0x090A0C0D best compression # 7z archiver, from Thomas Klausner (wiz@danbala.tuwien.ac.at) # http://www.7-zip.org or DOC/7zFormat.txt # 0 string 7z\274\257\047\034 7z archive data, >6 byte x version %d >7 byte x \b.%d #------------------------------------------------------------------------------ # Console game magic # Toby Deshane # ines: file(1) magic for Marat's iNES Nintendo Entertainment System # ROM dump format 0 string NES\032 iNES ROM dump, >4 byte x %dx16k PRG >5 byte x \b, %dx8k CHR >6 byte&0x01 =0x1 \b, [Vert.] >6 byte&0x01 =0x0 \b, [Horiz.] >6 byte&0x02 =0x2 \b, [SRAM] >6 byte&0x04 =0x4 \b, [Trainer] >6 byte&0x04 =0x8 \b, [4-Scr] #------------------------------------------------------------------------------ # gameboy: file(1) magic for the Nintendo (Color) Gameboy raw ROM format # 0x104 belong 0xCEED6666 Gameboy ROM: >0x134 string >\0 "%.16s" >0x146 byte 0x03 \b,[SGB] >0x147 byte 0x00 \b, [ROM ONLY] >0x147 byte 0x01 \b, [ROM+MBC1] >0x147 byte 0x02 \b, [ROM+MBC1+RAM] >0x147 byte 0x03 \b, [ROM+MBC1+RAM+BATT] >0x147 byte 0x05 \b, [ROM+MBC2] >0x147 byte 0x06 \b, [ROM+MBC2+BATTERY] >0x147 byte 0x08 \b, [ROM+RAM] >0x147 byte 0x09 \b, [ROM+RAM+BATTERY] >0x147 byte 0x0B \b, [ROM+MMM01] >0x147 byte 0x0C \b, [ROM+MMM01+SRAM] >0x147 byte 0x0D \b, [ROM+MMM01+SRAM+BATT] >0x147 byte 0x0F \b, [ROM+MBC3+TIMER+BATT] >0x147 byte 0x10 \b, [ROM+MBC3+TIMER+RAM+BATT] >0x147 byte 0x11 \b, [ROM+MBC3] >0x147 byte 0x12 \b, [ROM+MBC3+RAM] >0x147 byte 0x13 \b, [ROM+MBC3+RAM+BATT] >0x147 byte 0x19 \b, [ROM+MBC5] >0x147 byte 0x1A \b, [ROM+MBC5+RAM] >0x147 byte 0x1B \b, [ROM+MBC5+RAM+BATT] >0x147 byte 0x1C \b, [ROM+MBC5+RUMBLE] >0x147 byte 0x1D \b, [ROM+MBC5+RUMBLE+SRAM] >0x147 byte 0x1E \b, [ROM+MBC5+RUMBLE+SRAM+BATT] >0x147 byte 0x1F \b, [Pocket Camera] >0x147 byte 0xFD \b, [Bandai TAMA5] >0x147 byte 0xFE \b, [Hudson HuC-3] >0x147 byte 0xFF \b, [Hudson HuC-1] >0x148 byte 0 \b, ROM: 256Kbit >0x148 byte 1 \b, ROM: 512Kbit >0x148 byte 2 \b, ROM: 1Mbit >0x148 byte 3 \b, ROM: 2Mbit >0x148 byte 4 \b, ROM: 4Mbit >0x148 byte 5 \b, ROM: 8Mbit >0x148 byte 6 \b, ROM: 16Mbit >0x148 byte 0x52 \b, ROM: 9Mbit >0x148 byte 0x53 \b, ROM: 10Mbit >0x148 byte 0x54 \b, ROM: 12Mbit >0x149 byte 1 \b, RAM: 16Kbit >0x149 byte 2 \b, RAM: 64Kbit >0x149 byte 3 \b, RAM: 128Kbit >0x149 byte 4 \b, RAM: 1Mbit #>0x14e long x \b, CRC: %x #------------------------------------------------------------------------------ # genesis: file(1) magic for the Sega MegaDrive/Genesis raw ROM format # 0x100 string SEGA Sega MegaDrive/Genesis raw ROM dump >0x120 string >\0 Name: "%.16s" >0x110 string >\0 %.16s >0x1B0 string RA with SRAM #------------------------------------------------------------------------------ # genesis: file(1) magic for the Super MegaDrive ROM dump format # 0x280 string EAGN Super MagicDrive ROM dump >0 byte x %dx16k blocks >2 byte 0 \b, last in series or standalone >2 byte >0 \b, split ROM >8 byte 0xAA >9 byte 0xBB #------------------------------------------------------------------------------ # genesis: file(1) alternate magic for the Super MegaDrive ROM dump format # 0x280 string EAMG Super MagicDrive ROM dump >0 byte x %dx16k blocks >2 byte x \b, last in series or standalone >8 byte 0xAA >9 byte 0xBB #------------------------------------------------------------------------------ # smsgg: file(1) magic for Sega Master System and Game Gear ROM dumps # # Does not detect all images. Very preliminary guesswork. Need more data # on format. # # FIXME: need a little more info...;P # #0 byte 0xF3 #>1 byte 0xED Sega Master System/Game Gear ROM dump #>1 byte 0x31 Sega Master System/Game Gear ROM dump #>1 byte 0xDB Sega Master System/Game Gear ROM dump #>1 byte 0xAF Sega Master System/Game Gear ROM dump #>1 byte 0xC3 Sega Master System/Game Gear ROM dump #------------------------------------------------------------------------------ # dreamcast: file(1) uncertain magic for the Sega Dreamcast VMU image format # 0 belong 0x21068028 Sega Dreamcast VMU game image 0 string LCDi Dream Animator file #------------------------------------------------------------------------------ # v64: file(1) uncertain magic for the V64 format N64 ROM dumps # 0 belong 0x37804012 V64 Nintendo 64 ROM dump #------------------------------------------------------------------------------ # msx: file(1) magic for MSX game cartridge dumps 0 beshort 0x4142 MSX game cartridge dump #------------------------------------------------------------------------------ # convex: file(1) magic for Convex boxes # # Convexes are big-endian. # # /*\ # * Below are the magic numbers and tests added for Convex. # * Added at beginning, because they are expected to be used most. # \*/ 0 belong 0507 Convex old-style object >16 belong >0 not stripped 0 belong 0513 Convex old-style demand paged executable >16 belong >0 not stripped 0 belong 0515 Convex old-style pre-paged executable >16 belong >0 not stripped 0 belong 0517 Convex old-style pre-paged, non-swapped executable >16 belong >0 not stripped 0 belong 0x011257 Core file # # The following are a series of dump format magic numbers. Each one # corresponds to a drastically different dump format. The first on is # the original dump format on a 4.1 BSD or earlier file system. The # second marks the change between the 4.1 file system and the 4.2 file # system. The Third marks the changing of the block size from 1K # to 2K to be compatible with an IDC file system. The fourth indicates # a dump that is dependent on Convex Storage Manager, because data in # secondary storage is not physically contained within the dump. # The restore program uses these number to determine how the data is # to be extracted. # 24 belong =60011 dump format, 4.1 BSD or earlier 24 belong =60012 dump format, 4.2 or 4.3 BSD without IDC 24 belong =60013 dump format, 4.2 or 4.3 BSD (IDC compatible) 24 belong =60014 dump format, Convex Storage Manager by-reference dump # # what follows is a bunch of bit-mask checks on the flags field of the opthdr. # If there is no `=' sign, assume just checking for whether the bit is set? # 0 belong 0601 Convex SOFF >88 belong&0x000f0000 =0x00000000 c1 >88 belong &0x00010000 c2 >88 belong &0x00020000 c2mp >88 belong &0x00040000 parallel >88 belong &0x00080000 intrinsic >88 belong &0x00000001 demand paged >88 belong &0x00000002 pre-paged >88 belong &0x00000004 non-swapped >88 belong &0x00000008 POSIX # >84 belong &0x80000000 executable >84 belong &0x40000000 object >84 belong&0x20000000 =0 not stripped >84 belong&0x18000000 =0x00000000 native fpmode >84 belong&0x18000000 =0x10000000 ieee fpmode >84 belong&0x18000000 =0x18000000 undefined fpmode # 0 belong 0605 Convex SOFF core # 0 belong 0607 Convex SOFF checkpoint >88 belong&0x000f0000 =0x00000000 c1 >88 belong &0x00010000 c2 >88 belong &0x00020000 c2mp >88 belong &0x00040000 parallel >88 belong &0x00080000 intrinsic >88 belong &0x00000008 POSIX # >84 belong&0x18000000 =0x00000000 native fpmode >84 belong&0x18000000 =0x10000000 ieee fpmode >84 belong&0x18000000 =0x18000000 undefined fpmode # ---------------------------------------------------------------------------- # ctags: file (1) magic for Exuberant Ctags files # From: Alexander Mai 0 string !_TAG Exuberant Ctags tag file text #------------------------------------------------------------------------------ # file(1) magic for cvs(1) files # From Hendrik Scholz 0 string /1\ :pserver: cvs password text file #------------------------------------------------------------------------------ # database: file(1) magic for various databases # # extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk) # # # GDBM magic numbers # Will be maintained as part of the GDBM distribution in the future. # 0 belong 0x13579ace GNU dbm 1.x or ndbm database, big endian 0 lelong 0x13579ace GNU dbm 1.x or ndbm database, little endian 0 string GDBM GNU dbm 2.x database # # Berkeley DB # # Ian Darwin's file /etc/magic files: big/little-endian version. # # Hash 1.85/1.86 databases store metadata in network byte order. # Btree 1.85/1.86 databases store the metadata in host byte order. # Hash and Btree 2.X and later databases store the metadata in host byte order. 0 long 0x00061561 Berkeley DB >8 belong 4321 >>4 belong >2 1.86 >>4 belong <3 1.85 >>4 belong >0 (Hash, version %d, native byte-order) >8 belong 1234 >>4 belong >2 1.86 >>4 belong <3 1.85 >>4 belong >0 (Hash, version %d, little-endian) 0 belong 0x00061561 Berkeley DB >8 belong 4321 >>4 belong >2 1.86 >>4 belong <3 1.85 >>4 belong >0 (Hash, version %d, big-endian) >8 belong 1234 >>4 belong >2 1.86 >>4 belong <3 1.85 >>4 belong >0 (Hash, version %d, native byte-order) 0 long 0x00053162 Berkeley DB 1.85/1.86 >4 long >0 (Btree, version %d, native byte-order) 0 belong 0x00053162 Berkeley DB 1.85/1.86 >4 belong >0 (Btree, version %d, big-endian) 0 lelong 0x00053162 Berkeley DB 1.85/1.86 >4 lelong >0 (Btree, version %d, little-endian) 12 long 0x00061561 Berkeley DB >16 long >0 (Hash, version %d, native byte-order) 12 belong 0x00061561 Berkeley DB >16 belong >0 (Hash, version %d, big-endian) 12 lelong 0x00061561 Berkeley DB >16 lelong >0 (Hash, version %d, little-endian) 12 long 0x00053162 Berkeley DB >16 long >0 (Btree, version %d, native byte-order) 12 belong 0x00053162 Berkeley DB >16 belong >0 (Btree, version %d, big-endian) 12 lelong 0x00053162 Berkeley DB >16 lelong >0 (Btree, version %d, little-endian) 12 long 0x00042253 Berkeley DB >16 long >0 (Queue, version %d, native byte-order) 12 belong 0x00042253 Berkeley DB >16 belong >0 (Queue, version %d, big-endian) 12 lelong 0x00042253 Berkeley DB >16 lelong >0 (Queue, version %d, little-endian) # # # Round Robin Database Tool by Tobias Oetiker 0 string RRD RRDTool DB >4 string x version %s #---------------------------------------------------------------------- # ROOT: file(1) magic for ROOT databases # 0 string root\0 ROOT file >4 belong x Version %d >33 belong x (Compression: %d) #------------------------------------------------------------------------------ # diamond: file(1) magic for Diamond system # # ... diamond is a multi-media mail and electronic conferencing system.... # # XXX - I think it was either renamed Slate, or replaced by Slate.... # # The full deal is too long... #0 string \n Diamond Multimedia Document 0 string =\n4 string >% version %.3s # Digital UNIX - Info # 0 string !\n________64E Alpha archive >22 string X -- out of date # # Alpha COFF Based Executables # The stripped stuff really needs to be an 8 byte (64 bit) compare, # but this works 0 leshort 0x183 COFF format alpha >22 leshort&020000 &010000 sharable library, >22 leshort&020000 ^010000 dynamically linked, >24 leshort 0410 pure >24 leshort 0413 demand paged >8 lelong >0 executable or object module, not stripped >8 lelong 0 >>12 lelong 0 executable or object module, stripped >>12 lelong >0 executable or object module, not stripped >27 byte >0 - version %d. >26 byte >0 %d- >28 leshort >0 %d # # The next is incomplete, we could tell more about this format, # but its not worth it. 0 leshort 0x188 Alpha compressed COFF 0 leshort 0x18f Alpha u-code object # # # Some other interesting Digital formats, 0 string \377\377\177 ddis/ddif 0 string \377\377\174 ddis/dots archive 0 string \377\377\176 ddis/dtif table data 0 string \033c\033 LN03 output 0 long 04553207 X image # 0 string !!\n profiling data file # # Locale data tables (MIPS and Alpha). # 0 short 0x0501 locale data table >6 short 0x24 for MIPS >6 short 0x40 for Alpha # ATSC A/53 aka AC-3 aka Dolby Digital # from http://www.atsc.org/standards/a_52a.pdf # corrections, additions, etc. are always welcome! # # syncword 0 beshort 0x0b77 ATSC A/52 aka AC-3 aka Dolby Digital stream, # fscod >4 byte&0xc0 0x00 48 kHz, >4 byte&0xc0 0x40 44.1 kHz, >4 byte&0xc0 0x80 32 kHz, # is this one used for 96 kHz? >4 byte&0xc0 0xc0 reserved frequency, # >5 byte&7 = 0 \b, complete main (CM) >5 byte&7 = 1 \b, music and effects (ME) >5 byte&7 = 2 \b, visually impaired (VI) >5 byte&7 = 3 \b, hearing impaired (HI) >5 byte&7 = 4 \b, dialogue (D) >5 byte&7 = 5 \b, commentary (C) >5 byte&7 = 6 \b, emergency (E) # acmod >6 byte&0xe0 0x00 1+1 front, >6 byte&0xe0 0x20 1 front/0 rear, >6 byte&0xe0 0x40 2 front/0 rear, >6 byte&0xe0 0x60 3 front/0 rear, >6 byte&0xe0 0x80 2 front/1 rear, >6 byte&0xe0 0xa0 3 front/1 rear, >6 byte&0xe0 0xc0 2 front/2 rear, >6 byte&0xe0 0xe0 3 front/2 rear, # lfeon (these may be incorrect) >7 byte&0x40 0x00 LFE off, >7 byte&0x40 0x40 LFE on, # >4 byte&0x3e = 0x00 \b, 32 kbit/s >4 byte&0x3e = 0x02 \b, 40 kbit/s >4 byte&0x3e = 0x04 \b, 48 kbit/s >4 byte&0x3e = 0x06 \b, 56 kbit/s >4 byte&0x3e = 0x08 \b, 64 kbit/s >4 byte&0x3e = 0x0a \b, 80 kbit/s >4 byte&0x3e = 0x0c \b, 96 kbit/s >4 byte&0x3e = 0x0e \b, 112 kbit/s >4 byte&0x3e = 0x10 \b, 128 kbit/s >4 byte&0x3e = 0x12 \b, 160 kbit/s >4 byte&0x3e = 0x14 \b, 192 kbit/s >4 byte&0x3e = 0x16 \b, 224 kbit/s >4 byte&0x3e = 0x18 \b, 256 kbit/s >4 byte&0x3e = 0x1a \b, 320 kbit/s >4 byte&0x3e = 0x1c \b, 384 kbit/s >4 byte&0x3e = 0x1e \b, 448 kbit/s >4 byte&0x3e = 0x20 \b, 512 kbit/s >4 byte&0x3e = 0x22 \b, 576 kbit/s >4 byte&0x3e = 0x24 \b, 640 kbit/s # dsurmod (these may be incorrect) >6 beshort&0x0180 0x0000 Dolby Surround not indicated >6 beshort&0x0180 0x0080 not Dolby Surround encoded >6 beshort&0x0180 0x0100 Dolby Surround encoded >6 beshort&0x0180 0x0180 reserved Dolby Surround mode #------------------------------------------------------------------------------ # dump: file(1) magic for dump file format--for new and old dump filesystems # # We specify both byte orders in order to recognize byte-swapped dumps. # 24 belong 60012 new-fs dump file (big endian), >4 bedate x Previous dump %s, >8 bedate x This dump %s, >12 belong >0 Volume %ld, >692 belong 0 Level zero, type: >692 belong >0 Level %d, type: >0 belong 1 tape header, >0 belong 2 beginning of file record, >0 belong 3 map of inodes on tape, >0 belong 4 continuation of file record, >0 belong 5 end of volume, >0 belong 6 map of inodes deleted, >0 belong 7 end of medium (for floppy), >676 string >\0 Label %s, >696 string >\0 Filesystem %s, >760 string >\0 Device %s, >824 string >\0 Host %s, >888 belong >0 Flags %x 24 belong 60011 old-fs dump file (big endian), #>4 bedate x Previous dump %s, #>8 bedate x This dump %s, >12 belong >0 Volume %ld, >692 belong 0 Level zero, type: >692 belong >0 Level %d, type: >0 belong 1 tape header, >0 belong 2 beginning of file record, >0 belong 3 map of inodes on tape, >0 belong 4 continuation of file record, >0 belong 5 end of volume, >0 belong 6 map of inodes deleted, >0 belong 7 end of medium (for floppy), >676 string >\0 Label %s, >696 string >\0 Filesystem %s, >760 string >\0 Device %s, >824 string >\0 Host %s, >888 belong >0 Flags %x 24 lelong 60012 new-fs dump file (little endian), >4 ledate x This dump %s, >8 ledate x Previous dump %s, >12 lelong >0 Volume %ld, >692 lelong 0 Level zero, type: >692 lelong >0 Level %d, type: >0 lelong 1 tape header, >0 lelong 2 beginning of file record, >0 lelong 3 map of inodes on tape, >0 lelong 4 continuation of file record, >0 lelong 5 end of volume, >0 lelong 6 map of inodes deleted, >0 lelong 7 end of medium (for floppy), >676 string >\0 Label %s, >696 string >\0 Filesystem %s, >760 string >\0 Device %s, >824 string >\0 Host %s, >888 lelong >0 Flags %x 24 lelong 60011 old-fs dump file (little endian), #>4 ledate x Previous dump %s, #>8 ledate x This dump %s, >12 lelong >0 Volume %ld, >692 lelong 0 Level zero, type: >692 lelong >0 Level %d, type: >0 lelong 1 tape header, >0 lelong 2 beginning of file record, >0 lelong 3 map of inodes on tape, >0 lelong 4 continuation of file record, >0 lelong 5 end of volume, >0 lelong 6 map of inodes deleted, >0 lelong 7 end of medium (for floppy), >676 string >\0 Label %s, >696 string >\0 Filesystem %s, >760 string >\0 Device %s, >824 string >\0 Host %s, >888 lelong >0 Flags %x #------------------------------------------------------------------------------ # Dyadic: file(1) magic for Dyalog APL. # 0 byte 0xaa >1 byte <4 Dyalog APL >>1 byte 0x00 incomplete workspace >>1 byte 0x01 component file >>1 byte 0x02 external variable >>1 byte 0x03 workspace >>2 byte x version %d >>3 byte x .%d #------------------------------------------------------------------------------ # T602 editor documents # by David Necas 0 string @CT\ T602 document data, >4 string 0 Kamenicky >4 string 1 CP 852 >4 string 2 KOI8-CS >4 string >2 unknown encoding # Vi IMproved Encrypted file # by David Necas 0 string VimCrypt~ Vim encrypted file data #------------------------------------------------------------------------------ # elf: file(1) magic for ELF executables # # We have to check the byte order flag to see what byte order all the # other stuff in the header is in. # # What're the correct byte orders for the nCUBE and the Fujitsu VPP500? # # updated by Daniel Quinlan (quinlan@yggdrasil.com) 0 string \177ELF ELF >4 byte 0 invalid class >4 byte 1 32-bit # only for MIPS - in the future, the ABI field of e_flags should be used. >>18 beshort 8 >>18 beshort 10 >>>36 belong &0x20 N32 >4 byte 2 64-bit >5 byte 0 invalid byte order >5 byte 1 LSB # The official e_machine number for MIPS is now #8, regardless of endianness. # The second number (#10) will be deprecated later. For now, we still # say something if #10 is encountered, but only gory details for #8. >>18 leshort 8 # only for 32-bit >>>4 byte 1 >>>>36 lelong&0xf0000000 0x00000000 MIPS-I >>>>36 lelong&0xf0000000 0x10000000 MIPS-II >>>>36 lelong&0xf0000000 0x20000000 MIPS-III >>>>36 lelong&0xf0000000 0x30000000 MIPS-IV >>>>36 lelong&0xf0000000 0x40000000 MIPS-V >>>>36 lelong&0xf0000000 0x60000000 MIPS32 >>>>36 lelong&0xf0000000 0x70000000 MIPS64 >>>>36 lelong&0xf0000000 0x80000000 MIPS32 rel2 >>>>36 lelong&0xf0000000 0x90000000 MIPS64 rel2 # only for 64-bit >>>4 byte 2 >>>>48 lelong&0xf0000000 0x00000000 MIPS-I >>>>48 lelong&0xf0000000 0x10000000 MIPS-II >>>>48 lelong&0xf0000000 0x20000000 MIPS-III >>>>48 lelong&0xf0000000 0x30000000 MIPS-IV >>>>48 lelong&0xf0000000 0x40000000 MIPS-V >>>>48 lelong&0xf0000000 0x60000000 MIPS32 >>>>48 lelong&0xf0000000 0x70000000 MIPS64 >>>>48 lelong&0xf0000000 0x80000000 MIPS32 rel2 >>>>48 lelong&0xf0000000 0x90000000 MIPS64 rel2 >>16 leshort 0 no file type, >>16 leshort 1 relocatable, >>16 leshort 2 executable, >>16 leshort 3 shared object, # Core handling from Peter Tobias # corrections by Christian 'Dr. Disk' Hechelmann >>16 leshort 4 core file # Core file detection is not reliable. #>>>(0x38+0xcc) string >\0 of '%s' #>>>(0x38+0x10) lelong >0 (signal %d), >>16 leshort &0xff00 processor-specific, >>18 leshort 0 no machine, >>18 leshort 1 AT&T WE32100 - invalid byte order, >>18 leshort 2 SPARC - invalid byte order, >>18 leshort 3 Intel 80386, >>18 leshort 4 Motorola >>>36 lelong &0x01000000 68000 - invalid byte order, >>>36 lelong &0x00810000 CPU32 - invalid byte order, >>>36 lelong 0 68020 - invalid byte order, >>18 leshort 5 Motorola 88000 - invalid byte order, >>18 leshort 6 Intel 80486, >>18 leshort 7 Intel 80860, >>18 leshort 8 MIPS, >>18 leshort 9 Amdahl - invalid byte order, >>18 leshort 10 MIPS (deprecated), >>18 leshort 11 RS6000 - invalid byte order, >>18 leshort 15 PA-RISC - invalid byte order, >>>50 leshort 0x0214 2.0 >>>48 leshort &0x0008 (LP64), >>18 leshort 16 nCUBE, >>18 leshort 17 Fujitsu VPP500, >>18 leshort 18 SPARC32PLUS, >>18 leshort 20 PowerPC, >>18 leshort 36 NEC V800, >>18 leshort 37 Fujitsu FR20, >>18 leshort 38 TRW RH-32, >>18 leshort 39 Motorola RCE, >>18 leshort 40 ARM, >>18 leshort 41 Alpha, >>18 leshort 42 Hitachi SH, >>18 leshort 43 SPARC V9 - invalid byte order, >>18 leshort 44 Siemens Tricore Embedded Processor, >>18 leshort 45 Argonaut RISC Core, Argonaut Technologies Inc., >>18 leshort 46 Hitachi H8/300, >>18 leshort 47 Hitachi H8/300H, >>18 leshort 48 Hitachi H8S, >>18 leshort 49 Hitachi H8/500, >>18 leshort 50 IA-64 (Intel 64 bit architecture) >>18 leshort 51 Stanford MIPS-X, >>18 leshort 52 Motorola Coldfire, >>18 leshort 53 Motorola M68HC12, >>18 leshort 62 AMD x86-64, >>18 leshort 75 Digital VAX, >>18 leshort 97 NatSemi 32k, >>18 leshort 0x9026 Alpha (unofficial), >>20 lelong 0 invalid version >>20 lelong 1 version 1 >>36 lelong 1 MathCoPro/FPU/MAU Required >5 byte 2 MSB # only for MIPS - see comment in little-endian section above. >>18 beshort 8 # only for 32-bit >>>4 byte 1 >>>>36 belong&0xf0000000 0x00000000 MIPS-I >>>>36 belong&0xf0000000 0x10000000 MIPS-II >>>>36 belong&0xf0000000 0x20000000 MIPS-III >>>>36 belong&0xf0000000 0x30000000 MIPS-IV >>>>36 belong&0xf0000000 0x40000000 MIPS-V >>>>36 belong&0xf0000000 0x60000000 MIPS32 >>>>36 belong&0xf0000000 0x70000000 MIPS64 >>>>36 belong&0xf0000000 0x80000000 MIPS32 rel2 >>>>36 belong&0xf0000000 0x90000000 MIPS64 rel2 # only for 64-bit >>>4 byte 2 >>>>48 belong&0xf0000000 0x00000000 MIPS-I >>>>48 belong&0xf0000000 0x10000000 MIPS-II >>>>48 belong&0xf0000000 0x20000000 MIPS-III >>>>48 belong&0xf0000000 0x30000000 MIPS-IV >>>>48 belong&0xf0000000 0x40000000 MIPS-V >>>>48 belong&0xf0000000 0x60000000 MIPS32 >>>>48 belong&0xf0000000 0x70000000 MIPS64 >>>>48 belong&0xf0000000 0x80000000 MIPS32 rel2 >>>>48 belong&0xf0000000 0x90000000 MIPS64 rel2 >>16 beshort 0 no file type, >>16 beshort 1 relocatable, >>16 beshort 2 executable, >>16 beshort 3 shared object, >>16 beshort 4 core file, #>>>(0x38+0xcc) string >\0 of '%s' #>>>(0x38+0x10) belong >0 (signal %d), >>16 beshort &0xff00 processor-specific, >>18 beshort 0 no machine, >>18 beshort 1 AT&T WE32100, >>18 beshort 2 SPARC, >>18 beshort 3 Intel 80386 - invalid byte order, >>18 beshort 4 Motorola >>>36 belong &0x01000000 68000, >>>36 belong &0x00810000 CPU32, >>>36 belong 0 68020, >>18 beshort 5 Motorola 88000, >>18 beshort 6 Intel 80486 - invalid byte order, >>18 beshort 7 Intel 80860, >>18 beshort 8 MIPS, >>18 beshort 9 Amdahl, >>18 beshort 10 MIPS (deprecated), >>18 beshort 11 RS6000, >>18 beshort 15 PA-RISC >>>50 beshort 0x0214 2.0 >>>48 beshort &0x0008 (LP64) >>18 beshort 16 nCUBE, >>18 beshort 17 Fujitsu VPP500, >>18 beshort 18 SPARC32PLUS, >>>36 belong&0xffff00 &0x000100 V8+ Required, >>>36 belong&0xffff00 &0x000200 Sun UltraSPARC1 Extensions Required, >>>36 belong&0xffff00 &0x000400 HaL R1 Extensions Required, >>>36 belong&0xffff00 &0x000800 Sun UltraSPARC3 Extensions Required, >>18 beshort 20 PowerPC or cisco 4500, >>18 beshort 21 cisco 7500, >>18 beshort 24 cisco SVIP, >>18 beshort 25 cisco 7200, >>18 beshort 36 NEC V800 or cisco 12000, >>18 beshort 37 Fujitsu FR20, >>18 beshort 38 TRW RH-32, >>18 beshort 39 Motorola RCE, >>18 beshort 40 ARM, >>18 beshort 41 Alpha, >>18 beshort 42 Hitachi SH, >>18 beshort 43 SPARC V9, >>18 beshort 44 Siemens Tricore Embedded Processor, >>18 beshort 45 Argonaut RISC Core, Argonaut Technologies Inc., >>18 beshort 46 Hitachi H8/300, >>18 beshort 47 Hitachi H8/300H, >>18 beshort 48 Hitachi H8S, >>18 beshort 49 Hitachi H8/500, >>18 beshort 50 Intel Merced Processor, >>18 beshort 51 Stanford MIPS-X, >>18 beshort 52 Motorola Coldfire, >>18 beshort 53 Motorola M68HC12, >>18 beshort 73 Cray NV1, >>18 beshort 75 Digital VAX, >>18 beshort 97 NatSemi 32k, >>18 beshort 0x9026 Alpha (unofficial), >>20 belong 0 invalid version >>20 belong 1 version 1 >>36 belong 1 MathCoPro/FPU/MAU Required >8 string >\0 (%s) >8 string \0 >>7 byte 0 (SYSV) >>7 byte 1 (HP-UX) >>7 byte 2 (NetBSD) >>7 byte 3 (GNU/Linux) >>7 byte 4 (GNU/Hurd) >>7 byte 5 (86Open) >>7 byte 6 (Solaris) >>7 byte 7 (Monterey) >>7 byte 8 (IRIX) >>7 byte 9 (FreeBSD) >>7 byte 10 (Tru64) >>7 byte 11 (Novell Modesto) >>7 byte 12 (OpenBSD) >>7 byte 97 (ARM) >>7 byte 255 (embedded) #------------------------------------------------------------------------------ # encore: file(1) magic for Encore machines # # XXX - needs to have the byte order specified (NS32K was little-endian, # dunno whether they run the 88K in little-endian mode or not). # 0 short 0x154 Encore >20 short 0x107 executable >20 short 0x108 pure executable >20 short 0x10b demand-paged executable >20 short 0x10f unsupported executable >12 long >0 not stripped >22 short >0 - version %ld >22 short 0 - #>4 date x stamp %s 0 short 0x155 Encore unsupported executable >12 long >0 not stripped >22 short >0 - version %ld >22 short 0 - #>4 date x stamp %s #------------------------------------------------------------------------------ # Epoc 32 : file(1) magic for Epoc Documents [psion/osaris # Stefan Praszalowicz (hpicollo@worldnet.fr) #0 lelong 0x10000037 Epoc32 >4 lelong 0x1000006D >>8 lelong 0x1000007F Word >>8 lelong 0x10000088 Sheet >>8 lelong 0x1000007D Sketch >>8 lelong 0x10000085 TextEd #------------------------------------------------------------------------------ # filesystems: file(1) magic for different filesystems # 0 string \366\366\366\366 PC formatted floppy with no filesystem # Sun disk labels # From /usr/include/sun/dklabel.h: 0774 beshort 0xdabe Sun disk label >0 string x '%s >>31 string >\0 \b%s >>>63 string >\0 \b%s >>>>95 string >\0 \b%s >0 string x \b' >0734 short >0 %d rpm, >0736 short >0 %d phys cys, >0740 short >0 %d alts/cyl, >0746 short >0 %d interleave, >0750 short >0 %d data cyls, >0752 short >0 %d alt cyls, >0754 short >0 %d heads/partition, >0756 short >0 %d sectors/track, >0764 long >0 start cyl %ld, >0770 long x %ld blocks # Is there a boot block written 1 sector in? >512 belong&077777777 0600407 \b, boot block present 0x1FE leshort 0xAA55 x86 boot sector >2 string OSBS \b, OS/BS MBR # J\xf6rg Jenderek >0x8C string Invalid\ partition\ table \b, MS-DOS MBR >0x9D string Invalid\ partition\ table \b, DR-DOS MBR, version 7.01 to 7.03 >0x10F string Ung\201ltige\ Partitionstabelle \b, MS-DOS MBR, german version 4.10.1998, 4.10.2222 >0x8B string Ung\201ltige\ Partitionstabelle \b, MS-DOS MBR, german version 5.00 to 4.00.950 >0x145 string Default:\ F \b, FREE-DOS MBR >0 string \0\0\0\0 \b, extended partition table # JuMP short bootcodeoffset NOP assembler instructions will usually be EB xx 90 # older drives may use E9 xx xx >0 lelong&0x009000EB 0x009000EB >0 lelong&0x000000E9 0x000000E9 >>1 ubyte >37 \b, code offset 0x%x # mtools-3.9.8/msdos.h # usual values are marked with comments to get only informations of strange FAT systems # valid sectorsize are from 32 to 2048 >>>11 uleshort <2049 >>>>11 uleshort >31 >>>>>3 string >\0 \b, OEM-ID "%8.8s" >>>>>11 uleshort >512 \b, Bytes/sector %u #>>>>>11 uleshort =512 \b, Bytes/sector %u=512 (usual) >>>>>11 uleshort <512 \b, Bytes/sector %u >>>>>13 ubyte >1 \b, sectors/cluster %u #>>>>>13 ubyte =1 \b, sectors/cluster %u (usual on Floppies) >>>>>14 uleshort >32 \b, reserved sectors %u #>>>>>14 uleshort =32 \b, reserved sectors %u (usual Fat32) #>>>>>14 uleshort >1 \b, reserved sectors %u #>>>>>14 uleshort =1 \b, reserved sectors %u (usual FAT12,FAT16) >>>>>14 uleshort <1 \b, reserved sectors %u >>>>>16 ubyte >2 \b, FATs %u #>>>>>16 ubyte =2 \b, FATs %u (usual) >>>>>16 ubyte =1 \b, FAT %u >>>>>16 ubyte >0 >>>>>17 uleshort >0 \b, root entries %u #>>>>>17 uleshort =0 \b, root entries %u=0 (usual Fat32) >>>>>19 uleshort >0 \b, sectors %u (volumes <=32 MB) #>>>>>19 uleshort =0 \b, sectors %u=0 (usual Fat32) >>>>>21 ubyte >0xF0 \b, Media descriptor 0x%x #>>>>>21 ubyte =0xF0 \b, Media descriptor 0x%x (usual floppy) >>>>>21 ubyte <0xF0 \b, Media descriptor 0x%x >>>>>22 uleshort >0 \b, sectors/FAT %u #>>>>>22 uleshort =0 \b, sectors/FAT %u=0 (usual Fat32) >>>>>26 ubyte >2 \b, heads %u #>>>>>26 ubyte =2 \b, heads %u (usual floppy) >>>>>26 ubyte =1 \b, heads %u >>>>>28 ulelong >0 \b, hidden sectors %u #>>>>>28 ulelong =0 \b, hidden sectors %u (usual floppy) >>>>>32 ulelong >0 \b, sectors %u (volumes > 32 MB) #>>>>>32 ulelong =0 \b, sectors %u (volumes > 32 MB) # FAT<32 specific # NOT le FAT3=NOT 3TAF=0xCCABBEB9 >>>>>82 ulelong&0xCCABBEB9 >0 >>>>>>36 ubyte >0x80 \b, physical drive 0x%x #>>>>>>36 ubyte =0x80 \b, physical drive 0x%x=0x80 (usual harddisk) >>>>>>36 ubyte&0x7F >0 \b, physical drive 0x%x #>>>>>>36 ubyte =0 \b, physical drive 0x%x=0 (usual floppy) >>>>>>37 ubyte >0 \b, reserved 0x%x #>>>>>>37 ubyte =0 \b, reserved 0x%x >>>>>>38 ubyte >0x29 \b, dos < 4.0 BootSector (0x%x) >>>>>>38 ubyte <0x29 \b, dos < 4.0 BootSector (0x%x) >>>>>>38 ubyte =0x29 >>>>>>>39 ulelong x \b, serial number 0x%x >>>>>>>43 string >>>>>>43 string >NO\ NAME \b, label: "%11.11s" >>>>>>>43 string =NO\ NAME \b, unlabeled >>>>>>54 string FAT1 \b, FAT >>>>>>>54 string FAT12 \b (12 bit) >>>>>>>54 string FAT16 \b (16 bit) # FAT32 specific >>>>>82 string FAT32 \b, FAT (32 bit) >>>>>>36 ulelong x \b, sectors/FAT %u >>>>>>40 uleshort >0 \b, extension flags %u #>>>>>>40 uleshort =0 \b, extension flags %u >>>>>>42 uleshort >0 \b, fsVersion %u #>>>>>>42 uleshort =0 \b, fsVersion %u (usual) >>>>>>44 ulelong >2 \b, rootdir cluster %u #>>>>>>44 ulelong =2 \b, rootdir cluster %u #>>>>>>44 ulelong =1 \b, rootdir cluster %u >>>>>>48 uleshort >1 \b, infoSector %u #>>>>>>48 uleshort =1 \b, infoSector %u (usual) >>>>>>48 uleshort <1 \b, infoSector %u >>>>>>50 uleshort >6 \b, Backup boot sector %u #>>>>>>50 uleshort =6 \b, Backup boot sector %u (usual) >>>>>>50 uleshort <6 \b, Backup boot sector %u >>>>>>54 ulelong >0 \b, reserved1 0x%x >>>>>>58 ulelong >0 \b, reserved2 0x%x >>>>>>62 ulelong >0 \b, reserved3 0x%x # same structure as FAT1X >>>>>>64 ubyte >0x80 \b, physical drive 0x%x #>>>>>>64 ubyte =0x80 \b, physical drive 0x%x=80 (usual harddisk) >>>>>>64 ubyte&0x7F >0 \b, physical drive 0x%x #>>>>>>64 ubyte =0 \b, physical drive 0x%x=0 (usual floppy) >>>>>>65 ubyte >0 \b, reserved 0x%x >>>>>>66 ubyte >0x29 \b, dos < 4.0 BootSector (0x%x) >>>>>>66 ubyte <0x29 \b, dos < 4.0 BootSector (0x%x) >>>>>>66 ubyte =0x29 >>>>>>>67 ulelong x \b, serial number 0x%x >>>>>>>71 string >>>>>71 string >NO\ NAME \b, label: "%11.11s" >>>>>>71 string =NO\ NAME \b, unlabeled ### FATs end >0x200 lelong 0x82564557 \b, BSD disklabel # Minix filesystems - Juan Cespedes 0x410 leshort 0x137f Minix filesystem 0x410 beshort 0x137f Minix filesystem (big endian), >0x402 beshort !0 \b, %d zones >0x1e string minix \b, bootable 0x410 leshort 0x138f Minix filesystem, 30 char names 0x410 leshort 0x2468 Minix filesystem, version 2 0x410 leshort 0x2478 Minix filesystem, version 2, 30 char names # romfs filesystems - Juan Cespedes 0 string -rom1fs-\0 romfs filesystem, version 1 >8 belong x %d bytes, >16 string x named %s. # netboot image - Juan Cespedes 0 lelong 0x1b031336L Netboot image, >4 lelong&0xFFFFFF00 0 >>4 lelong&0x100 0x000 mode 2 >>4 lelong&0x100 0x100 mode 3 >4 lelong&0xFFFFFF00 !0 unknown mode 0x18b string OS/2 OS/2 Boot Manager 9564 lelong 0x00011954 Unix Fast File system (little-endian), >8404 string x last mounted on %s, #>9504 ledate x last checked at %s, >8224 ledate x last written at %s, >8401 byte x clean flag %d, >8228 lelong x number of blocks %d, >8232 lelong x number of data blocks %d, >8236 lelong x number of cylinder groups %d, >8240 lelong x block size %d, >8244 lelong x fragment size %d, >8252 lelong x minimum percentage of free blocks %d, >8256 lelong x rotational delay %dms, >8260 lelong x disk rotational speed %drps, >8320 lelong 0 TIME optimization >8320 lelong 1 SPACE optimization 9564 belong 0x00011954 Unix Fast File system (big-endian), >7168 long 0x4c41424c Apple UFS Volume >>7186 string x named %s, >>7176 belong x volume label version %d, >>7180 bedate x created on %s, >8404 string x last mounted on %s, #>9504 bedate x last checked at %s, >8224 bedate x last written at %s, >8401 byte x clean flag %d, >8228 belong x number of blocks %d, >8232 belong x number of data blocks %d, >8236 belong x number of cylinder groups %d, >8240 belong x block size %d, >8244 belong x fragment size %d, >8252 belong x minimum percentage of free blocks %d, >8256 belong x rotational delay %dms, >8260 belong x disk rotational speed %drps, >8320 belong 0 TIME optimization >8320 belong 1 SPACE optimization # ext2/ext3 filesystems - Andreas Dilger 0x438 leshort 0xEF53 Linux >0x44c lelong x rev %d >0x43e leshort x \b.%d >0x45c lelong ^0x0000004 ext2 filesystem data >>0x43a leshort ^0x0000001 (mounted or unclean) >0x45c lelong &0x0000004 ext3 filesystem data >>0x460 lelong &0x0000004 (needs journal recovery) >0x43a leshort &0x0000002 (errors) >0x460 lelong &0x0000001 (compressed) #>0x460 lelong &0x0000002 (filetype) #>0x464 lelong &0x0000001 (sparse_super) >0x464 lelong &0x0000002 (large files) # SGI disk labels - Nathan Scott 0 belong 0x0BE5A941 SGI disk label (volume header) # SGI XFS filesystem - Nathan Scott 0 belong 0x58465342 SGI XFS filesystem data >0x4 belong x (blksz=3D%d, >0x68 beshort x inosz=3D%d, >0x64 beshort ^0x2004 v1 dirs) >0x64 beshort &0x2004 v2 dirs) ############################################################################ # Minix-ST kernel floppy 0x800 belong 0x46fc2700 Atari-ST Minix kernel image >19 string \240\5\371\5\0\011\0\2\0 \b, 720k floppy >19 string \320\2\370\5\0\011\0\1\0 \b, 360k floppy ############################################################################ # Hmmm, is this a better way of detecting _standard_ floppy images ? 19 string \320\2\360\3\0\011\0\1\0 DOS floppy 360k >0x1FE leshort 0xAA55 \b, x86 hard disk boot sector 19 string \240\5\371\3\0\011\0\2\0 DOS floppy 720k >0x1FE leshort 0xAA55 \b, x86 hard disk boot sector 19 string \100\013\360\011\0\022\0\2\0 DOS floppy 1440k >0x1FE leshort 0xAA55 \b, x86 hard disk boot sector 19 string \240\5\371\5\0\011\0\2\0 DOS floppy 720k, IBM >0x1FE leshort 0xAA55 \b, x86 hard disk boot sector 19 string \100\013\371\5\0\011\0\2\0 DOS floppy 1440k, mkdosfs >0x1FE leshort 0xAA55 \b, x86 hard disk boot sector 19 string \320\2\370\5\0\011\0\1\0 Atari-ST floppy 360k 19 string \240\5\371\5\0\011\0\2\0 Atari-ST floppy 720k # Valid media descriptor bytes for MS-DOS: # # Byte Capacity Media Size and Type # ------------------------------------------------- # # F0 2.88 MB 3.5-inch, 2-sided, 36-sector # F0 1.44 MB 3.5-inch, 2-sided, 18-sector # F9 720K 3.5-inch, 2-sided, 9-sector # F9 1.2 MB 5.25-inch, 2-sided, 15-sector # FD 360K 5.25-inch, 2-sided, 9-sector # FF 320K 5.25-inch, 2-sided, 8-sector # FC 180K 5.25-inch, 1-sided, 9-sector # FE 160K 5.25-inch, 1-sided, 8-sector # FE 250K 8-inch, 1-sided, single-density # FD 500K 8-inch, 2-sided, single-density # FE 1.2 MB 8-inch, 2-sided, double-density # F8 ----- Fixed disk # # FC xxxK Apricot 70x1x9 boot disk. # # Originally a bitmap: # xxxxxxx0 Not two sided # xxxxxxx1 Double sided # xxxxxx0x Not 8 SPT # xxxxxx1x 8 SPT # xxxxx0xx Not Removable drive # xxxxx1xx Removable drive # 11111xxx Must be one. # # But now it's rather random: # 111111xx Low density disk # 00 SS, Not 8 SPT # 01 DS, Not 8 SPT # 10 SS, 8 SPT # 11 DS, 8 SPT # # 11111001 Double density 3½ floppy disk, high density 5¼ # 11110000 High density 3½ floppy disk # 11111000 Hard disk any format # # CDROM Filesystems 32769 string CD001 ISO 9660 CD-ROM filesystem data 37633 string CD001 ISO 9660 CD-ROM filesystem data (raw 2352 byte sectors) 32776 string CDROM High Sierra CD-ROM filesystem data #------------------------------------------------------------------------------ # flash: file(1) magic for Macromedia Flash file format # # See # # http://www.macromedia.com/software/flash/open/ # 0 string FWS Macromedia Flash data, >3 byte x version %d # # From Dave Wilson 0 string AGD4\xbe\xb8\xbb\xcb\x00 Macromedia Freehand 9 Document #------------------------------------------------------------------------------ # fonts: file(1) magic for font data # 0 string FONT ASCII vfont text 0 short 0436 Berkeley vfont data 0 short 017001 byte-swapped Berkeley vfont data # PostScript fonts (must precede "printer" entries), quinlan@yggdrasil.com 0 string %!PS-AdobeFont-1.0 PostScript Type 1 font text >20 string >\0 (%s) 6 string %!PS-AdobeFont-1.0 PostScript Type 1 font program data # X11 font files in SNF (Server Natural Format) format 0 belong 00000004 X11 SNF font data, MSB first 0 lelong 00000004 X11 SNF font data, LSB first # X11 Bitmap Distribution Format, from Daniel Quinlan (quinlan@yggdrasil.com) 0 string STARTFONT\040 X11 BDF font text # X11 fonts, from Daniel Quinlan (quinlan@yggdrasil.com) # PCF must come before SGI additions ("MIPSEL MIPS-II COFF" collides) 0 string \001fcp X11 Portable Compiled Font data >12 byte 0x02 \b, LSB first >12 byte 0x0a \b, MSB first 0 string D1.0\015 X11 Speedo font data #------------------------------------------------------------------------------ # FIGlet fonts and controlfiles # From figmagic supplied with Figlet version 2.2 # "David E. O'Brien" 0 string flf FIGlet font >3 string >2a version %-2.2s 0 string flc FIGlet controlfile >3 string >2a version %-2.2s # libGrx graphics lib fonts, from Albert Cahalan (acahalan@cs.uml.edu) # Used with djgpp (DOS Gnu C++), sometimes Linux or Turbo C++ 0 belong 0x14025919 libGrx font data, >8 leshort x %dx >10 leshort x \b%d >40 string x %s # Misc. DOS VGA fonts, from Albert Cahalan (acahalan@cs.uml.edu) 0 belong 0xff464f4e DOS code page font data collection 7 belong 0x00454741 DOS code page font data 7 belong 0x00564944 DOS code page font data (from Linux?) 4098 string DOSFONT DOSFONT2 encrypted font data # downloadable fonts for browser (prints type) anthon@mnt.org 0 string PFR1 PFR1 font >102 string >0 \b: %s #------------------------------------------------------------------------------ # frame: file(1) magic for FrameMaker files # # This stuff came on a FrameMaker demo tape, most of which is # copyright, but this file is "published" as witness the following: # 0 string \11 string 5.5 (5.5 >11 string 5.0 (5.0 >11 string 4.0 (4.0 >11 string 3.0 (3.0 >11 string 2.0 (2.0 >11 string 1.0 (1.0 >14 byte x %c) 0 string \9 string 4.0 (4.0) >9 string 3.0 (3.0) >9 string 2.0 (2.0) >9 string 1.0 (1.x) 0 string \17 string 3.0 (3.0) >17 string 2.0 (2.0) >17 string 1.0 (1.x) 0 string \17 string 1.01 (%s) 0 string \10 string 3.0 (3.0 >10 string 2.0 (2.0 >10 string 1.0 (1.0 >13 byte x %c) # XXX - this book entry should be verified, if you find one, uncomment this #0 string \6 string 3.0 (3.0) #>6 string 2.0 (2.0) #>6 string 1.0 (1.0) 0 string \= 4096 (or >4095, same thing), then it's # an executable, and is dynamically-linked if the "has run-time # loader information" bit is set. # # On x86, NetBSD says: # # If it's neither pure nor demand-paged: # # if it has the "has run-time loader information" bit set, it's # a dynamically-linked executable; # # if it doesn't have that bit set, then: # # if it has the "is position-independent" bit set, it's # position-independent; # # if the entry point is non-zero, it's an executable, otherwise # it's an object file. # # If it's pure: # # if it has the "has run-time loader information" bit set, it's # a dynamically-linked executable, otherwise it's just an # executable. # # If it's demand-paged: # # if it has the "has run-time loader information" bit set, # then: # # if the entry point is < 4096, it's a shared library; # # if the entry point is = 4096 or > 4096 (i.e., >= 4096), # it's a dynamically-linked executable); # # if it doesn't have the "has run-time loader information" bit # set, then it's just an executable. # # (On non-x86, NetBSD does much the same thing, except that it uses # 8192 on 68K - except for "68k4k", which is presumably "68K with 4K # pages - SPARC, and MIPS, presumably because Sun-3's and Sun-4's # had 8K pages; dunno about MIPS.) # # I suspect the two will differ only in perverse and uninteresting cases # ("shared" libraries that aren't demand-paged and whose pages probably # won't actually be shared, executables with entry points <4096). # # I leave it to those more familiar with FreeBSD and NetBSD to figure out # what the right answer is (although using ">4095", FreeBSD-style, is # probably better than separately checking for "=4096" and ">4096", # NetBSD-style). (The old "netbsd" file analyzed FreeBSD demand paged # executables using the NetBSD technique.) # 0 lelong&0377777777 041400407 FreeBSD/i386 >20 lelong <4096 >>3 byte&0xC0 &0x80 shared library >>3 byte&0xC0 0x40 PIC object >>3 byte&0xC0 0x00 object >20 lelong >4095 >>3 byte&0x80 0x80 dynamically linked executable >>3 byte&0x80 0x00 executable >16 lelong >0 not stripped 0 lelong&0377777777 041400410 FreeBSD/i386 pure >20 lelong <4096 >>3 byte&0xC0 &0x80 shared library >>3 byte&0xC0 0x40 PIC object >>3 byte&0xC0 0x00 object >20 lelong >4095 >>3 byte&0x80 0x80 dynamically linked executable >>3 byte&0x80 0x00 executable >16 lelong >0 not stripped 0 lelong&0377777777 041400413 FreeBSD/i386 demand paged >20 lelong <4096 >>3 byte&0xC0 &0x80 shared library >>3 byte&0xC0 0x40 PIC object >>3 byte&0xC0 0x00 object >20 lelong >4095 >>3 byte&0x80 0x80 dynamically linked executable >>3 byte&0x80 0x00 executable >16 lelong >0 not stripped 0 lelong&0377777777 041400314 FreeBSD/i386 compact demand paged >20 lelong <4096 >>3 byte&0xC0 &0x80 shared library >>3 byte&0xC0 0x40 PIC object >>3 byte&0xC0 0x00 object >20 lelong >4095 >>3 byte&0x80 0x80 dynamically linked executable >>3 byte&0x80 0x00 executable >16 lelong >0 not stripped # XXX gross hack to identify core files # cores start with a struct tss; we take advantage of the following: # byte 7: highest byte of the kernel stack pointer, always 0xfe # 8/9: kernel (ring 0) ss value, always 0x0010 # 10 - 27: ring 1 and 2 ss/esp, unused, thus always 0 # 28: low order byte of the current PTD entry, always 0 since the # PTD is page-aligned # 7 string \357\020\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 FreeBSD/i386 a.out core file >1039 string >\0 from '%s' # /var/run/ld.so.hints # What are you laughing about? 0 lelong 011421044151 ld.so hints file (Little Endian >4 lelong >0 \b, version %d) >4 belong <=0 \b) 0 belong 011421044151 ld.so hints file (Big Endian >4 belong >0 \b, version %d) >4 belong <=0 \b) # # Files generated by FreeBSD scrshot(1)/vidcontrol(1) utilities # 0 string SCRSHOT_ scrshot(1) screenshot, >8 byte x version %d, >9 byte 2 %d bytes in header, >>10 byte x %d chars wide by >>11 byte x %d chars high #------------------------------------------------------------------------------ # fsav: file(1) magic for datafellows fsav virus definition files # Anthon van der Neut (anthon@mnt.org) 0 beshort 0x1575 fsav (linux) macro virus >8 leshort >0 (%d- >11 byte >0 \b%02d- >10 byte >0 \b%02d) # comment this out for now because it regognizes every file where # the eighth character is \n #8 byte 0x0a #>12 byte 0x07 #>11 leshort >0 fsav (linux) virus (%d- #>10 byte 0 \b01- #>10 byte 1 \b02- #>10 byte 2 \b03- #>10 byte 3 \b04- #>10 byte 4 \b05- #>10 byte 5 \b06- #>10 byte 6 \b07- #>10 byte 7 \b08- #>10 byte 8 \b08- #>10 byte 9 \b10- #>10 byte 10 \b11- #>10 byte 11 \b12- #>9 byte >0 \b%02d) #------------------------------------------------------------------------------ # GIMP Gradient: file(1) magic for the GIMP's gradient data files # by Federico Mena 0 string GIMP\ Gradient GIMP gradient data #------------------------------------------------------------------------------ # XCF: file(1) magic for the XCF image format used in the GIMP developed # by Spencer Kimball and Peter Mattis # ('Bucky' LaDieu, nega@vt.edu) 0 string gimp\ xcf GIMP XCF image data, >9 string file version 0, >9 string v version >>10 string >\0 %s, >14 belong x %lu x >18 belong x %lu, >22 belong 0 RGB Color >22 belong 1 Greyscale >22 belong 2 Indexed Color >22 belong >2 Unknown Image Type. #------------------------------------------------------------------------------ # XCF: file(1) magic for the patterns used in the GIMP, developed # by Spencer Kimball and Peter Mattis # ('Bucky' LaDieu, nega@vt.edu) 20 string GPAT GIMP pattern data, >24 string x %s #------------------------------------------------------------------------------ # XCF: file(1) magic for the brushes used in the GIMP, developed # by Spencer Kimball and Peter Mattis # ('Bucky' LaDieu, nega@vt.edu) 20 string GIMP GIMP brush data # # GNU nlsutils message catalog file format # 0 string \336\22\4\225 GNU message catalog (little endian), >4 lelong x revision %d, >8 lelong x %d messages 0 string \225\4\22\336 GNU message catalog (big endian), >4 belong x revision %d, >8 belong x %d messages # message catalogs, from Mitchum DSouza 0 string *nazgul* Nazgul style compiled message catalog >8 lelong >0 \b, version %ld #------------------------------------------------------------------------------ # ACE/gr and Grace type files - PLEASE DO NOT REMOVE THIS LINE # # ACE/gr binary 0 string \000\000\0001\000\000\0000\000\000\0000\000\000\0002\000\000\0000\000\000\0000\000\000\0003 old ACE/gr binary file >39 byte >0 - version %c # ACE/gr ascii 0 string #\ xvgr\ parameter\ file ACE/gr ascii file 0 string #\ xmgr\ parameter\ file ACE/gr ascii file 0 string #\ ACE/gr\ parameter\ file ACE/gr ascii file # Grace projects 0 string #\ Grace\ project\ file Grace project file >23 string @version\ (version >>32 byte >0 %c >>33 string >\0 \b.%.2s >>35 string >\0 \b.%.2s) # ACE/gr fit description files 0 string #\ ACE/gr\ fit\ description\ ACE/gr fit description file # end of ACE/gr and Grace type files - PLEASE DO NOT REMOVE THIS LINE #------------------------------------------------------------------------------ # gringotts: file(1) magic for Gringotts # http://devel.pluto.linux.it/projects/Gringotts/ # author: Germano Rizzo #GRG3????Y 0 string GRG Gringotts data file #file format 1 >3 string 1 v.1, MCRYPT S2K, SERPENT crypt, SHA-256 hash, ZLib lvl.9 #file format 2 >3 string 2 v.2, MCRYPT S2K, >>8 byte&0x70 0x00 RIJNDAEL-128 crypt, >>8 byte&0x70 0x10 SERPENT crypt, >>8 byte&0x70 0x20 TWOFISH crypt, >>8 byte&0x70 0x30 CAST-256 crypt, >>8 byte&0x70 0x40 SAFER+ crypt, >>8 byte&0x70 0x50 LOKI97 crypt, >>8 byte&0x70 0x60 3DES crypt, >>8 byte&0x70 0x70 RIJNDAEL-256 crypt, >>8 byte&0x08 0x00 SHA1 hash, >>8 byte&0x08 0x08 RIPEMD-160 hash, >>8 byte&0x04 0x00 ZLib >>8 byte&0x04 0x04 BZip2 >>8 byte&0x03 0x00 lvl.0 >>8 byte&0x03 0x01 lvl.3 >>8 byte&0x03 0x02 lvl.6 >>8 byte&0x03 0x03 lvl.9 #file format 3 >3 string 3 v.3, OpenPGP S2K, >>8 byte&0x70 0x00 RIJNDAEL-128 crypt, >>8 byte&0x70 0x10 SERPENT crypt, >>8 byte&0x70 0x20 TWOFISH crypt, >>8 byte&0x70 0x30 CAST-256 crypt, >>8 byte&0x70 0x40 SAFER+ crypt, >>8 byte&0x70 0x50 LOKI97 crypt, >>8 byte&0x70 0x60 3DES crypt, >>8 byte&0x70 0x70 RIJNDAEL-256 crypt, >>8 byte&0x08 0x00 SHA1 hash, >>8 byte&0x08 0x08 RIPEMD-160 hash, >>8 byte&0x04 0x00 ZLib >>8 byte&0x04 0x04 BZip2 >>8 byte&0x03 0x00 lvl.0 >>8 byte&0x03 0x01 lvl.3 >>8 byte&0x03 0x02 lvl.6 >>8 byte&0x03 0x03 lvl.9 #file format >3 >3 string >3 v.%.1s (unknown details) #------------------------------------------------------------------------------ # Hierarchical Data Format, used to facilitate scientific data exchange # specifications at http://hdf.ncsa.uiuc.edu/ 0 belong 0x0e031301 Hierarchical Data Format (version 4) data 0 string \211HDF\r\n\032 Hierarchical Data Format (version 5) data #------------------------------------------------------------------------------ # hitach-sh: file(1) magic for Hitachi Super-H # # Super-H COFF # 0 beshort 0x0500 Hitachi SH big-endian COFF >18 beshort&0x0002 =0x0000 object >18 beshort&0x0002 =0x0002 executable >18 beshort&0x0008 =0x0008 \b, stripped >18 beshort&0x0008 =0x0000 \b, not stripped # 0 leshort 0x0550 Hitachi SH little-endian COFF >18 leshort&0x0002 =0x0000 object >18 leshort&0x0002 =0x0002 executable >18 leshort&0x0008 =0x0008 \b, stripped >18 leshort&0x0008 =0x0000 \b, not stripped #------------------------------------------------------------------------------ # hp: file(1) magic for Hewlett Packard machines (see also "printer") # # XXX - somebody should figure out whether any byte order needs to be # applied to the "TML" stuff; I'm assuming the Apollo stuff is # big-endian as it was mostly 68K-based. # # I think the 500 series was the old stack-based machines, running a # UNIX environment atop the "SUN kernel"; dunno whether it was # big-endian or little-endian. # # Daniel Quinlan (quinlan@yggdrasil.com): hp200 machines are 68010 based; # hp300 are 68020+68881 based; hp400 are also 68k. The following basic # HP magic is useful for reference, but using "long" magic is a better # practice in order to avoid collisions. # # Guy Harris (guy@netapp.com): some additions to this list came from # HP-UX 10.0's "/usr/include/sys/unistd.h" (68030, 68040, PA-RISC 1.1, # 1.2, and 2.0). The 1.2 and 2.0 stuff isn't in the HP-UX 10.0 # "/etc/magic", though, except for the "archive file relocatable library" # stuff, and the 68030 and 68040 stuff isn't there at all - are they not # used in executables, or have they just not yet updated "/etc/magic" # completely? # # 0 beshort 200 hp200 (68010) BSD binary # 0 beshort 300 hp300 (68020+68881) BSD binary # 0 beshort 0x20c hp200/300 HP-UX binary # 0 beshort 0x20d hp400 (68030) HP-UX binary # 0 beshort 0x20e hp400 (68040?) HP-UX binary # 0 beshort 0x20b PA-RISC1.0 HP-UX binary # 0 beshort 0x210 PA-RISC1.1 HP-UX binary # 0 beshort 0x211 PA-RISC1.2 HP-UX binary # 0 beshort 0x214 PA-RISC2.0 HP-UX binary # # The "misc" stuff needs a byte order; the archives look suspiciously # like the old 177545 archives (0xff65 = 0177545). # #### Old Apollo stuff 0 beshort 0627 Apollo m68k COFF executable >18 beshort ^040000 not stripped >22 beshort >0 - version %ld 0 beshort 0624 apollo a88k COFF executable >18 beshort ^040000 not stripped >22 beshort >0 - version %ld 0 long 01203604016 TML 0123 byte-order format 0 long 01702407010 TML 1032 byte-order format 0 long 01003405017 TML 2301 byte-order format 0 long 01602007412 TML 3210 byte-order format #### PA-RISC 1.1 0 belong 0x02100106 PA-RISC1.1 relocatable object 0 belong 0x02100107 PA-RISC1.1 executable >168 belong &0x00000004 dynamically linked >(144) belong 0x054ef630 dynamically linked >96 belong >0 - not stripped 0 belong 0x02100108 PA-RISC1.1 shared executable >168 belong&0x4 0x4 dynamically linked >(144) belong 0x054ef630 dynamically linked >96 belong >0 - not stripped 0 belong 0x0210010b PA-RISC1.1 demand-load executable >168 belong&0x4 0x4 dynamically linked >(144) belong 0x054ef630 dynamically linked >96 belong >0 - not stripped 0 belong 0x0210010e PA-RISC1.1 shared library >96 belong >0 - not stripped 0 belong 0x0210010d PA-RISC1.1 dynamic load library >96 belong >0 - not stripped #### PA-RISC 2.0 0 belong 0x02140106 PA-RISC2.0 relocatable object 0 belong 0x02140107 PA-RISC2.0 executable >168 belong &0x00000004 dynamically linked >(144) belong 0x054ef630 dynamically linked >96 belong >0 - not stripped 0 belong 0x02140108 PA-RISC2.0 shared executable >168 belong &0x00000004 dynamically linked >(144) belong 0x054ef630 dynamically linked >96 belong >0 - not stripped 0 belong 0x0214010b PA-RISC2.0 demand-load executable >168 belong &0x00000004 dynamically linked >(144) belong 0x054ef630 dynamically linked >96 belong >0 - not stripped 0 belong 0x0214010e PA-RISC2.0 shared library >96 belong >0 - not stripped 0 belong 0x0214010d PA-RISC2.0 dynamic load library >96 belong >0 - not stripped #### 800 0 belong 0x020b0106 PA-RISC1.0 relocatable object 0 belong 0x020b0107 PA-RISC1.0 executable >168 belong&0x4 0x4 dynamically linked >(144) belong 0x054ef630 dynamically linked >96 belong >0 - not stripped 0 belong 0x020b0108 PA-RISC1.0 shared executable >168 belong&0x4 0x4 dynamically linked >(144) belong 0x054ef630 dynamically linked >96 belong >0 - not stripped 0 belong 0x020b010b PA-RISC1.0 demand-load executable >168 belong&0x4 0x4 dynamically linked >(144) belong 0x054ef630 dynamically linked >96 belong >0 - not stripped 0 belong 0x020b010e PA-RISC1.0 shared library >96 belong >0 - not stripped 0 belong 0x020b010d PA-RISC1.0 dynamic load library >96 belong >0 - not stripped 0 belong 0x213c6172 archive file >68 belong 0x020b0619 - PA-RISC1.0 relocatable library >68 belong 0x02100619 - PA-RISC1.1 relocatable library >68 belong 0x02110619 - PA-RISC1.2 relocatable library >68 belong 0x02140619 - PA-RISC2.0 relocatable library #### 500 0 long 0x02080106 HP s500 relocatable executable >16 long >0 - version %ld 0 long 0x02080107 HP s500 executable >16 long >0 - version %ld 0 long 0x02080108 HP s500 pure executable >16 long >0 - version %ld #### 200 0 belong 0x020c0108 HP s200 pure executable >4 beshort >0 - version %ld >8 belong &0x80000000 save fp regs >8 belong &0x40000000 dynamically linked >8 belong &0x20000000 debuggable >36 belong >0 not stripped 0 belong 0x020c0107 HP s200 executable >4 beshort >0 - version %ld >8 belong &0x80000000 save fp regs >8 belong &0x40000000 dynamically linked >8 belong &0x20000000 debuggable >36 belong >0 not stripped 0 belong 0x020c010b HP s200 demand-load executable >4 beshort >0 - version %ld >8 belong &0x80000000 save fp regs >8 belong &0x40000000 dynamically linked >8 belong &0x20000000 debuggable >36 belong >0 not stripped 0 belong 0x020c0106 HP s200 relocatable executable >4 beshort >0 - version %ld >6 beshort >0 - highwater %d >8 belong &0x80000000 save fp regs >8 belong &0x20000000 debuggable >8 belong &0x10000000 PIC 0 belong 0x020a0108 HP s200 (2.x release) pure executable >4 beshort >0 - version %ld >36 belong >0 not stripped 0 belong 0x020a0107 HP s200 (2.x release) executable >4 beshort >0 - version %ld >36 belong >0 not stripped 0 belong 0x020c010e HP s200 shared library >4 beshort >0 - version %ld >6 beshort >0 - highwater %d >36 belong >0 not stripped 0 belong 0x020c010d HP s200 dynamic load library >4 beshort >0 - version %ld >6 beshort >0 - highwater %d >36 belong >0 not stripped #### MISC 0 long 0x0000ff65 HP old archive 0 long 0x020aff65 HP s200 old archive 0 long 0x020cff65 HP s200 old archive 0 long 0x0208ff65 HP s500 old archive 0 long 0x015821a6 HP core file 0 long 0x4da7eee8 HP-WINDOWS font >8 byte >0 - version %ld 0 string Bitmapfile HP Bitmapfile 0 string IMGfile CIS compimg HP Bitmapfile # XXX - see "lif" #0 short 0x8000 lif file 0 long 0x020c010c compiled Lisp 0 string msgcat01 HP NLS message catalog, >8 long >0 %d messages # addendum to /etc/magic with HP-48sx file-types by phk@data.fls.dk 1jan92 0 string HPHP48- HP48 binary >7 byte >0 - Rev %c >8 beshort 0x1129 (ADR) >8 beshort 0x3329 (REAL) >8 beshort 0x5529 (LREAL) >8 beshort 0x7729 (COMPLX) >8 beshort 0x9d29 (LCOMPLX) >8 beshort 0xbf29 (CHAR) >8 beshort 0xe829 (ARRAY) >8 beshort 0x0a2a (LNKARRAY) >8 beshort 0x2c2a (STRING) >8 beshort 0x4e2a (HXS) >8 beshort 0x742a (LIST) >8 beshort 0x962a (DIR) >8 beshort 0xb82a (ALG) >8 beshort 0xda2a (UNIT) >8 beshort 0xfc2a (TAGGED) >8 beshort 0x1e2b (GROB) >8 beshort 0x402b (LIB) >8 beshort 0x622b (BACKUP) >8 beshort 0x882b (LIBDATA) >8 beshort 0x9d2d (PROG) >8 beshort 0xcc2d (CODE) >8 beshort 0x482e (GNAME) >8 beshort 0x6d2e (LNAME) >8 beshort 0x922e (XLIB) 0 string %%HP: HP48 text >6 string T(0) - T(0) >6 string T(1) - T(1) >6 string T(2) - T(2) >6 string T(3) - T(3) >10 string A(D) A(D) >10 string A(R) A(R) >10 string A(G) A(G) >14 string F(.) F(.); >14 string F(,) F(,); # hpBSD magic numbers 0 beshort 200 hp200 (68010) BSD >2 beshort 0407 impure binary >2 beshort 0410 read-only binary >2 beshort 0413 demand paged binary 0 beshort 300 hp300 (68020+68881) BSD >2 beshort 0407 impure binary >2 beshort 0410 read-only binary >2 beshort 0413 demand paged binary # # From David Gero # HP-UX 10.20 core file format from /usr/include/sys/core.h # Unfortunately, HP-UX uses corehead blocks without specifying the order # There are four we care about: # CORE_KERNEL, which starts with the string "HP-UX" # CORE_EXEC, which contains the name of the command # CORE_PROC, which contains the signal number that caused the core dump # CORE_FORMAT, which contains the version of the core file format (== 1) # The only observed order in real core files is KERNEL, EXEC, FORMAT, PROC # but we include all 6 variations of the order of the first 3, and # assume that PROC will always be last # Order 1: KERNEL, EXEC, FORMAT, PROC 0x10 string HP-UX >0 belong 2 >>0xC belong 0x3C >>>0x4C belong 0x100 >>>>0x58 belong 0x44 >>>>>0xA0 belong 1 >>>>>>0xAC belong 4 >>>>>>>0xB0 belong 1 >>>>>>>>0xB4 belong 4 core file >>>>>>>>>0x90 string >\0 from '%s' >>>>>>>>>0xC4 belong 3 - received SIGQUIT >>>>>>>>>0xC4 belong 4 - received SIGILL >>>>>>>>>0xC4 belong 5 - received SIGTRAP >>>>>>>>>0xC4 belong 6 - received SIGABRT >>>>>>>>>0xC4 belong 7 - received SIGEMT >>>>>>>>>0xC4 belong 8 - received SIGFPE >>>>>>>>>0xC4 belong 10 - received SIGBUS >>>>>>>>>0xC4 belong 11 - received SIGSEGV >>>>>>>>>0xC4 belong 12 - received SIGSYS >>>>>>>>>0xC4 belong 33 - received SIGXCPU >>>>>>>>>0xC4 belong 34 - received SIGXFSZ # Order 2: KERNEL, FORMAT, EXEC, PROC >>>0x4C belong 1 >>>>0x58 belong 4 >>>>>0x5C belong 1 >>>>>>0x60 belong 0x100 >>>>>>>0x6C belong 0x44 >>>>>>>>0xB4 belong 4 core file >>>>>>>>>0xA4 string >\0 from '%s' >>>>>>>>>0xC4 belong 3 - received SIGQUIT >>>>>>>>>0xC4 belong 4 - received SIGILL >>>>>>>>>0xC4 belong 5 - received SIGTRAP >>>>>>>>>0xC4 belong 6 - received SIGABRT >>>>>>>>>0xC4 belong 7 - received SIGEMT >>>>>>>>>0xC4 belong 8 - received SIGFPE >>>>>>>>>0xC4 belong 10 - received SIGBUS >>>>>>>>>0xC4 belong 11 - received SIGSEGV >>>>>>>>>0xC4 belong 12 - received SIGSYS >>>>>>>>>0xC4 belong 33 - received SIGXCPU >>>>>>>>>0xC4 belong 34 - received SIGXFSZ # Order 3: FORMAT, KERNEL, EXEC, PROC 0x24 string HP-UX >0 belong 1 >>0xC belong 4 >>>0x10 belong 1 >>>>0x14 belong 2 >>>>>0x20 belong 0x3C >>>>>>0x60 belong 0x100 >>>>>>>0x6C belong 0x44 >>>>>>>>0xB4 belong 4 core file >>>>>>>>>0xA4 string >\0 from '%s' >>>>>>>>>0xC4 belong 3 - received SIGQUIT >>>>>>>>>0xC4 belong 4 - received SIGILL >>>>>>>>>0xC4 belong 5 - received SIGTRAP >>>>>>>>>0xC4 belong 6 - received SIGABRT >>>>>>>>>0xC4 belong 7 - received SIGEMT >>>>>>>>>0xC4 belong 8 - received SIGFPE >>>>>>>>>0xC4 belong 10 - received SIGBUS >>>>>>>>>0xC4 belong 11 - received SIGSEGV >>>>>>>>>0xC4 belong 12 - received SIGSYS >>>>>>>>>0xC4 belong 33 - received SIGXCPU >>>>>>>>>0xC4 belong 34 - received SIGXFSZ # Order 4: EXEC, KERNEL, FORMAT, PROC 0x64 string HP-UX >0 belong 0x100 >>0xC belong 0x44 >>>0x54 belong 2 >>>>0x60 belong 0x3C >>>>>0xA0 belong 1 >>>>>>0xAC belong 4 >>>>>>>0xB0 belong 1 >>>>>>>>0xB4 belong 4 core file >>>>>>>>>0x44 string >\0 from '%s' >>>>>>>>>0xC4 belong 3 - received SIGQUIT >>>>>>>>>0xC4 belong 4 - received SIGILL >>>>>>>>>0xC4 belong 5 - received SIGTRAP >>>>>>>>>0xC4 belong 6 - received SIGABRT >>>>>>>>>0xC4 belong 7 - received SIGEMT >>>>>>>>>0xC4 belong 8 - received SIGFPE >>>>>>>>>0xC4 belong 10 - received SIGBUS >>>>>>>>>0xC4 belong 11 - received SIGSEGV >>>>>>>>>0xC4 belong 12 - received SIGSYS >>>>>>>>>0xC4 belong 33 - received SIGXCPU >>>>>>>>>0xC4 belong 34 - received SIGXFSZ # Order 5: FORMAT, EXEC, KERNEL, PROC 0x78 string HP-UX >0 belong 1 >>0xC belong 4 >>>0x10 belong 1 >>>>0x14 belong 0x100 >>>>>0x20 belong 0x44 >>>>>>0x68 belong 2 >>>>>>>0x74 belong 0x3C >>>>>>>>0xB4 belong 4 core file >>>>>>>>>0x58 string >\0 from '%s' >>>>>>>>>0xC4 belong 3 - received SIGQUIT >>>>>>>>>0xC4 belong 4 - received SIGILL >>>>>>>>>0xC4 belong 5 - received SIGTRAP >>>>>>>>>0xC4 belong 6 - received SIGABRT >>>>>>>>>0xC4 belong 7 - received SIGEMT >>>>>>>>>0xC4 belong 8 - received SIGFPE >>>>>>>>>0xC4 belong 10 - received SIGBUS >>>>>>>>>0xC4 belong 11 - received SIGSEGV >>>>>>>>>0xC4 belong 12 - received SIGSYS >>>>>>>>>0xC4 belong 33 - received SIGXCPU >>>>>>>>>0xC4 belong 34 - received SIGXFSZ # Order 6: EXEC, FORMAT, KERNEL, PROC >0 belong 0x100 >>0xC belong 0x44 >>>0x54 belong 1 >>>>0x60 belong 4 >>>>>0x64 belong 1 >>>>>>0x68 belong 2 >>>>>>>0x74 belong 0x2C >>>>>>>>0xB4 belong 4 core file >>>>>>>>>0x44 string >\0 from '%s' >>>>>>>>>0xC4 belong 3 - received SIGQUIT >>>>>>>>>0xC4 belong 4 - received SIGILL >>>>>>>>>0xC4 belong 5 - received SIGTRAP >>>>>>>>>0xC4 belong 6 - received SIGABRT >>>>>>>>>0xC4 belong 7 - received SIGEMT >>>>>>>>>0xC4 belong 8 - received SIGFPE >>>>>>>>>0xC4 belong 10 - received SIGBUS >>>>>>>>>0xC4 belong 11 - received SIGSEGV >>>>>>>>>0xC4 belong 12 - received SIGSYS >>>>>>>>>0xC4 belong 33 - received SIGXCPU >>>>>>>>>0xC4 belong 34 - received SIGXFSZ # From: AMAKAWA Shuhei 0 string HPHP49- HP49 binary #------------------------------------------------------------------------------ # human68k: file(1) magic for Human68k (X680x0 DOS) binary formats 0 string HU Human68k >68 string LZX LZX compressed >>72 string >\0 (version %s) >(8.L+74) string LZX LZX compressed >>(8.L+78) string >\0 (version %s) >60 belong >0 binded >(8.L+66) string #HUPAIR hupair >0 string HU X executable >(8.L+74) string #LIBCV1 - linked PD LIBC ver 1 >4 belong >0 - base address 0x%x >28 belong >0 not stripped >32 belong >0 with debug information 0 beshort 0x601a Human68k Z executable 0 beshort 0x6000 Human68k object file 0 belong 0xd1000000 Human68k ar binary archive 0 belong 0xd1010000 Human68k ar ascii archive 0 beshort 0x0068 Human68k lib archive 4 string LZX Human68k LZX compressed >8 string >\0 (version %s) >4 string LZX R executable 2 string #HUPAIR Human68k hupair R executable #------------------------------------------------------------------------------ # ibm370: file(1) magic for IBM 370 and compatibles. # # "ibm370" said that 0x15d == 0535 was "ibm 370 pure executable". # What the heck *is* "USS/370"? # AIX 4.1's "/etc/magic" has # # 0 short 0535 370 sysV executable # >12 long >0 not stripped # >22 short >0 - version %d # >30 long >0 - 5.2 format # 0 short 0530 370 sysV pure executable # >12 long >0 not stripped # >22 short >0 - version %d # >30 long >0 - 5.2 format # # instead of the "USS/370" versions of the same magic numbers. # 0 beshort 0537 370 XA sysV executable >12 belong >0 not stripped >22 beshort >0 - version %d >30 belong >0 - 5.2 format 0 beshort 0532 370 XA sysV pure executable >12 belong >0 not stripped >22 beshort >0 - version %d >30 belong >0 - 5.2 format 0 beshort 054001 370 sysV pure executable >12 belong >0 not stripped 0 beshort 055001 370 XA sysV pure executable >12 belong >0 not stripped 0 beshort 056401 370 sysV executable >12 belong >0 not stripped 0 beshort 057401 370 XA sysV executable >12 belong >0 not stripped 0 beshort 0531 SVR2 executable (Amdahl-UTS) >12 belong >0 not stripped >24 belong >0 - version %ld 0 beshort 0534 SVR2 pure executable (Amdahl-UTS) >12 belong >0 not stripped >24 belong >0 - version %ld 0 beshort 0530 SVR2 pure executable (USS/370) >12 belong >0 not stripped >24 belong >0 - version %ld 0 beshort 0535 SVR2 executable (USS/370) >12 belong >0 not stripped >24 belong >0 - version %ld #------------------------------------------------------------------------------ # ibm6000: file(1) magic for RS/6000 and the RT PC. # 0 beshort 0x01df executable (RISC System/6000 V3.1) or obj module >12 belong >0 not stripped # Breaks sun4 statically linked execs. #0 beshort 0x0103 executable (RT Version 2) or obj module #>2 byte 0x50 pure #>28 belong >0 not stripped #>6 beshort >0 - version %ld 0 beshort 0x0104 shared library 0 beshort 0x0105 ctab data 0 beshort 0xfe04 structured file 0 string 0xabcdef AIX message catalog 0 belong 0x000001f9 AIX compiled message catalog 0 string \ archive #------------------------------------------------------------------------------ # iff: file(1) magic for Interchange File Format (see also "audio" & "images") # # Daniel Quinlan (quinlan@yggdrasil.com) -- IFF was designed by Electronic # Arts for file interchange. It has also been used by Apple, SGI, and # especially Commodore-Amiga. # # IFF files begin with an 8 byte FORM header, followed by a 4 character # FORM type, which is followed by the first chunk in the FORM. 0 string FORM IFF data #>4 belong x \b, FORM is %d bytes long # audio formats >8 string AIFF \b, AIFF audio >8 string AIFC \b, AIFF-C compressed audio >8 string 8SVX \b, 8SVX 8-bit sampled sound voice >8 string SAMP \b, SAMP sampled audio # image formats >8 string ILBMBMHD \b, ILBM interleaved image >>20 beshort x \b, %d x >>22 beshort x %d >8 string RGBN \b, RGBN 12-bit RGB image >8 string RGB8 \b, RGB8 24-bit RGB image >8 string DR2D \b, DR2D 2-D object >8 string TDDD \b, TDDD 3-D rendering # other formats >8 string FTXT \b, FTXT formatted text #------------------------------------------------------------------------------ # images: file(1) magic for image formats (see also "iff") # # originally from jef@helios.ee.lbl.gov (Jef Poskanzer), # additions by janl@ifi.uio.no as well as others. Jan also suggested # merging several one- and two-line files into here. # # little magic: PCX (first byte is 0x0a) # Targa - matches `povray', `ppmtotga' and `xv' outputs # by Philippe De Muyter # at 2, byte ImgType must be 1, 2, 3, 9, 10 or 11 # at 1, byte CoMapType must be 1 if ImgType is 1 or 9, 0 otherwise # at 3, leshort Index is 0 for povray, ppmtotga and xv outputs # `xv' recognizes only a subset of the following (RGB with pixelsize = 24) # `tgatoppm' recognizes a superset (Index may be anything) 1 belong&0xfff7ffff 0x01010000 Targa image data - Map >2 byte&8 8 - RLE 1 belong&0xfff7ffff 0x00020000 Targa image data - RGB >2 byte&8 8 - RLE 1 belong&0xfff7ffff 0x00030000 Targa image data - Mono >2 byte&8 8 - RLE # PBMPLUS images # The next byte following the magic is always whitespace. 0 string P1 Netpbm PBM image text 0 string P2 Netpbm PGM image text 0 string P3 Netpbm PPM image text 0 string P4 Netpbm PBM "rawbits" image data 0 string P5 Netpbm PGM "rawbits" image data 0 string P6 Netpbm PPM "rawbits" image data 0 string P7 Netpbm PAM image file # From: bryanh@giraffe-data.com (Bryan Henderson) 0 string \117\072 Solitaire Image Recorder format >4 string \013 MGI Type 11 >4 string \021 MGI Type 17 0 string .MDA MicroDesign data >21 byte 48 version 2 >21 byte 51 version 3 0 string .MDP MicroDesign page data >21 byte 48 version 2 >21 byte 51 version 3 # NIFF (Navy Interchange File Format, a modification of TIFF) images 0 string IIN1 NIFF image data # Tag Image File Format, from Daniel Quinlan (quinlan@yggdrasil.com) # The second word of TIFF files is the TIFF version number, 42, which has # never changed. The TIFF specification recommends testing for it. 0 string MM\x00\x2a TIFF image data, big-endian 0 string II\x2a\x00 TIFF image data, little-endian # PNG [Portable Network Graphics, or "PNG's Not GIF"] images # (Greg Roelofs, newt@uchicago.edu) # (Albert Cahalan, acahalan@cs.uml.edu) # # 137 P N G \r \n ^Z \n [4-byte length] H E A D [HEAD data] [HEAD crc] ... # 0 string \x89PNG PNG image data, >4 belong !0x0d0a1a0a CORRUPTED, >4 belong 0x0d0a1a0a >>16 belong x %ld x >>20 belong x %ld, >>24 byte x %d-bit >>25 byte 0 grayscale, >>25 byte 2 \b/color RGB, >>25 byte 3 colormap, >>25 byte 4 gray+alpha, >>25 byte 6 \b/color RGBA, #>>26 byte 0 deflate/32K, >>28 byte 0 non-interlaced >>28 byte 1 interlaced 1 string PNG PNG image data, CORRUPTED # GIF 0 string GIF8 GIF image data >4 string 7a \b, version 8%s, >4 string 9a \b, version 8%s, >6 leshort >0 %hd x >8 leshort >0 %hd #>10 byte &0x80 co