diff --git a/file b/file index 64e1d2d6..6403d2b3 160000 --- a/file +++ b/file @@ -1 +1 @@ -Subproject commit 64e1d2d6a37ffe309e07347cb3e70512153f643c +Subproject commit 6403d2b35b266adf6f4344f96d3ac92eebac7633 diff --git a/polyfile/magic.py b/polyfile/magic.py index 396635b2..a0ecb879 100644 --- a/polyfile/magic.py +++ b/polyfile/magic.py @@ -64,11 +64,11 @@ def get_resource_contents(package): return (resource.name for resource in resources.files(package).iterdir() if resource.is_file()) -MAGIC_DEFS: List[Path] = [ +MAGIC_DEFS: List[Path] = sorted([ get_resource_path(resource_name) for resource_name in get_resource_contents(magic_defs) if resource_name not in ("COPYING", "magic.mgc", "__pycache__") and not resource_name.startswith(".") -] +], key=lambda p: p.name) WHITESPACE: bytes = b" \r\t\n\v\f" @@ -266,6 +266,14 @@ class Endianness(Enum): PDP = "me" +class StrengthOp(Enum): + NONE = "" + PLUS = "+" + MINUS = "-" + TIMES = "*" + DIV = "/" + + def parse_numeric(text: Union[str, bytes]) -> int: if isinstance(text, bytes): text = text.decode("utf-8") @@ -733,6 +741,8 @@ def __init__( self.source_info: Optional[SourceInfo] = None self.comments: Tuple[Comment, ...] = tuple(comments) self._type: TestType = TestType.UNKNOWN + self.strength_op: StrengthOp = StrengthOp.NONE + self.strength_factor: int = 0 def __init_subclass__(cls, **kwargs): if cls.AUTO_REGISTER_TEST: @@ -783,6 +793,23 @@ def test_type(self, value: TestType): def subtest_type(self) -> TestType: raise NotImplementedError() + def base_strength(self) -> int: + """Computes the base strength value before applying !:strength modifier.""" + return 20 + + def compute_strength(self) -> int: + """Computes the test strength for sorting, mimicking libmagic's algorithm.""" + val = self.base_strength() + if self.strength_op == StrengthOp.PLUS: + val += self.strength_factor + elif self.strength_op == StrengthOp.MINUS: + val -= self.strength_factor + elif self.strength_op == StrengthOp.TIMES: + val *= self.strength_factor + elif self.strength_op == StrengthOp.DIV and self.strength_factor != 0: + val //= self.strength_factor + return val + @property def parent(self) -> Optional["MagicTest"]: return self._parent @@ -1087,10 +1114,16 @@ def parse(fmt: str) -> "DataType": return TYPES_BY_NAME[fmt] elif fmt.startswith("string") or fmt.startswith("ustring"): dt = StringType.parse(fmt) - elif fmt == "lestring16": - dt = UTF16Type(endianness=Endianness.LITTLE) - elif fmt == "bestring16": - dt = UTF16Type(endianness=Endianness.BIG) + elif fmt == "lestring16" or fmt.startswith("lestring16/"): + num_bytes = None + if fmt.startswith("lestring16/"): + num_bytes = int(fmt[11:]) + dt = UTF16Type(endianness=Endianness.LITTLE, num_bytes=num_bytes) + elif fmt == "bestring16" or fmt.startswith("bestring16/"): + num_bytes = None + if fmt.startswith("bestring16/"): + num_bytes = int(fmt[11:]) + dt = UTF16Type(endianness=Endianness.BIG, num_bytes=num_bytes) elif fmt.startswith("pstring"): dt = PascalStringType.parse(fmt) elif fmt.startswith("search"): @@ -1150,14 +1183,15 @@ def match(self, data: bytes, expected: Union[UUID, UUIDWildcard]) -> DataTypeMat class UTF16Type(DataType[bytes]): - def __init__(self, endianness: Endianness): - if endianness == Endianness.LITTLE: - super().__init__("lestring16") - elif endianness == Endianness.BIG: - super().__init__("bestring16") - else: + def __init__(self, endianness: Endianness, num_bytes: Optional[int] = None): + name = "lestring16" if endianness == Endianness.LITTLE else "bestring16" + if num_bytes is not None: + name = f"{name}/{num_bytes}" + if endianness not in (Endianness.LITTLE, Endianness.BIG): raise ValueError(f"UTF16 strings only support big and little endianness, not {endianness!r}") + super().__init__(name) self.endianness: Endianness = endianness + self.num_bytes: Optional[int] = num_bytes def is_text(self, value: bytes) -> bool: return True @@ -1170,6 +1204,8 @@ def parse_expected(self, specification: str) -> bytes: return specification.encode("utf-16-be") def match(self, data: bytes, expected: bytes) -> DataTypeMatch: + if self.num_bytes is not None: + data = data[:self.num_bytes] if data.startswith(expected): if self.endianness == Endianness.LITTLE: return DataTypeMatch(expected, expected.decode("utf-16-le")) @@ -1218,7 +1254,6 @@ def parse(specification: str, optional_blanks: bool = False, full_word_match: bool = False, num_bytes: Optional[int] = None) -> "StringTest": - original_spec = specification if specification.strip() == "x": return StringWildcard(trim=trim, compact_whitespace=compact_whitespace, num_bytes=num_bytes) if specification.startswith("!"): @@ -1235,9 +1270,6 @@ def parse(specification: str, num_bytes=num_bytes, ) else: - if num_bytes is not None: - raise ValueError(f"Invalid string match specification: {original_spec!r}: a string length limiter " - f"cannot be combined with an explicit string match") if specification.startswith("="): specification = specification[1:] test = StringMatch( @@ -1247,7 +1279,8 @@ def parse(specification: str, case_insensitive_lower=case_insensitive_lower, case_insensitive_upper=case_insensitive_upper, optional_blanks=optional_blanks, - full_word_match=full_word_match + full_word_match=full_word_match, + num_bytes=num_bytes ) if negate: return NegatedStringTest(test) @@ -1355,9 +1388,10 @@ def __init__(self, case_insensitive_lower: bool = False, case_insensitive_upper: bool = False, optional_blanks: bool = False, - full_word_match: bool = False + full_word_match: bool = False, + num_bytes: Optional[int] = None ): - super().__init__(trim=trim, compact_whitespace=compact_whitespace) + super().__init__(trim=trim, compact_whitespace=compact_whitespace, num_bytes=num_bytes) self.raw_pattern: str = to_match self.string: bytes = unescape(to_match) self.case_insensitive_lower: bool = case_insensitive_lower @@ -1442,12 +1476,16 @@ def is_always_text(self) -> bool: return self._is_always_text def matches(self, data: bytes) -> DataTypeMatch: + if self.num_bytes is not None: + data = data[:self.num_bytes] m = self.pattern.match(data) if m: return self.post_process(bytes(m.group(0))) return DataTypeMatch.INVALID def search(self, data: bytes) -> DataTypeMatch: + if self.num_bytes is not None: + data = data[:self.num_bytes] m = self.pattern.search(data) if m: return self.post_process(bytes(m.group(0)), initial_offset=m.start()) @@ -1678,9 +1716,14 @@ def match(self, data: bytes, expected: StringTest) -> DataTypeMatch: length -= self.byte_length if len(data) < self.byte_length + length: return DataTypeMatch.INVALID - m = expected.matches(data[self.byte_length:self.byte_length + length]) + content = data[self.byte_length:self.byte_length + length] + m = expected.matches(content) if m: - m.raw_match = data[:self.byte_length + length] + # Use strlen (excluding null terminator) for match length to match libmagic behavior + # for relative offset calculations + null_pos = content.find(b'\x00') + effective_len = null_pos if null_pos != -1 else length + m.raw_match = data[:self.byte_length + effective_len] return m PSTRING_TYPE_FORMAT: Pattern[str] = re.compile(r"^pstring(/J?[BHhLl]?J?)?$") @@ -1816,19 +1859,24 @@ def match(self, data: bytes, expected: Pattern[bytes]) -> DataTypeMatch: else: return DataTypeMatch.INVALID - REGEX_TYPE_FORMAT: Pattern[str] = re.compile(r"^regex(/(?P\d+)?(?P[cslT]*)(b\d*)?)?$") + REGEX_TYPE_FORMAT: Pattern[str] = re.compile( + r"^regex(/(?P\d+)?(?P[cslTt]*)(/(?P[cslTt]*))?(b\d*)?)?$" + ) # NOTE: some specification files like `cad` use `regex/b`, which is undocumented, and it's unclear from the libmagic - # source code whether it is simply ignored or if it has a purpuse. We ignore it here. + # source code whether it is simply ignored or if it has a purpose. We ignore it here. + # NOTE: the `t` flag (force text) is also supported but currently ignored as it's a hint for output formatting. + # NOTE: flags can appear either after length directly (regex/31cs) or with a slash (regex/31/cs). @classmethod def parse(cls, format_str: str) -> "RegexType": m = cls.REGEX_TYPE_FORMAT.match(format_str) if not m: raise ValueError(f"Invalid regex type declaration: {format_str!r}") - if m.group("flags") is None: - options: Iterable[str] = () - else: - options = m.group("flags") + options: str = "" + if m.group("flags1") is not None: + options += m.group("flags1") + if m.group("flags2") is not None: + options += m.group("flags2") if m.group("length") is None: length: Optional[int] = None else: @@ -1858,13 +1906,32 @@ def utc_date(ms_since_epoch: int) -> str: return strftime(DATETIME_FORMAT, gmtime(ms_since_epoch / 1000.0)) +MSDOS_DATE_FORMAT: str = "%b %d %Y" + + def msdos_date(value: int) -> str: - day = (value & 0b11111) + 1 + day = value & 0b11111 value >>= 5 - month = (value & 0b1111) + 1 + # MS-DOS stores month as 1-12, convert to 0-11 for datetime + month_raw = value & 0b1111 + month = month_raw - 1 value >>= 4 year = 1980 + (value & 0b1111111) - return strftime(DATE_FORMAT, datetime(year, month, day).timetuple()) + # Sanity check: clamp invalid months to 0 (January), matching libmagic behavior + if month < 0 or month > 11: + month = 0 + # Clamp invalid day to valid range + if day < 1: + day = 1 + if day > 31: + day = 31 + # Convert back to 1-based month for datetime + month += 1 + try: + return strftime(MSDOS_DATE_FORMAT, datetime(year, month, day).timetuple()) + except ValueError: + # Handle invalid date combinations (e.g., Feb 31) + return f"{year}-{month:02d}-{day:02d}" def msdos_time(value: int) -> str: @@ -2195,17 +2262,24 @@ def __init__( mime: Optional[str] = None, extensions: Iterable[str] = (), message: str = "", - parent: Optional["MagicTest"] = None + parent: Optional["MagicTest"] = None, + subtraction: int = 0, + modulo: int = 0 ): super().__init__(offset=offset, mime=mime, extensions=extensions, message=message, parent=parent) self.value: IntegerValue = value + self.subtraction: int = subtraction + self.modulo: int = modulo def subtest_type(self) -> TestType: return TestType.UNKNOWN def test(self, data: bytes, absolute_offset: int, parent_match: Optional[TestResult]) -> TestResult: - if self.value.test(absolute_offset, unsigned=True, num_bytes=8): - return MatchedTest(self, offset=0, length=absolute_offset, value=absolute_offset, parent=parent_match) + computed_value = absolute_offset - self.subtraction + if self.modulo != 0: + computed_value = computed_value % self.modulo + if self.value.test(computed_value, unsigned=True, num_bytes=8): + return MatchedTest(self, offset=0, length=absolute_offset, value=computed_value, parent=parent_match) else: return FailedTest( test=self, @@ -2922,10 +2996,25 @@ def parse_test( if parent is None: raise NotImplementedError("TODO: Add support for clear tests at level 0") test = ClearTest(offset=offset, message=message, parent=parent) - elif data_type == "offset": - expected_value = IntegerValue.parse(test_str, num_bytes=8) + elif data_type == "offset" or data_type.startswith("offset-") or data_type.startswith("offset%"): + subtraction = 0 + modulo = 0 + if data_type.startswith("offset-"): + try: + subtraction = parse_numeric(data_type[7:]) + except ValueError: + raise ValueError(f"{def_file!s} line {line_number}: Invalid offset type: {data_type!r}") + elif data_type.startswith("offset%"): + try: + modulo = parse_numeric(data_type[7:]) + except ValueError: + raise ValueError(f"{def_file!s} line {line_number}: Invalid offset type: {data_type!r}") + if test_str.strip() == "x": + expected_value: NumericValue = NumericWildcard() + else: + expected_value = IntegerValue.parse(test_str, num_bytes=8) test = OffsetMatchTest(offset=offset, value=expected_value, message=message, - parent=parent) + parent=parent, subtraction=subtraction, modulo=modulo) elif data_type == "json": test = JSONTest(offset=offset, message=message, parent=parent) elif data_type == "csv": @@ -3018,8 +3107,29 @@ def _parse_file( except UnicodeDecodeError: pass continue - elif raw_line.startswith(b"!:apple") or raw_line.startswith(b"!:strength"): - # ignore these directives for now + elif raw_line.startswith(b"!:apple"): + continue + elif raw_line.startswith(b"!:strength"): + if current_test is not None: + strength_spec = raw_line[10:].strip().decode("utf-8") + if strength_spec: + op = strength_spec[0] + factor_str = strength_spec[1:].strip() + if op == '+': + current_test.strength_op = StrengthOp.PLUS + elif op == '-': + current_test.strength_op = StrengthOp.MINUS + elif op == '*': + current_test.strength_op = StrengthOp.TIMES + elif op == '/': + current_test.strength_op = StrengthOp.DIV + else: + factor_str = strength_spec + current_test.strength_op = StrengthOp.PLUS + try: + current_test.strength_factor = int(factor_str) + except ValueError: + pass continue try: line = raw_line.decode("utf-8") @@ -3090,6 +3200,8 @@ def parse(*def_files: Union[str, Path]) -> "MagicMatcher": assert test.can_match_mime for ancestor in test.ancestors(): ancestor.can_be_indirect = True + # Sort tests by strength (descending) for proper priority matching like libmagic + zero_level_tests.sort(key=lambda t: t.compute_strength(), reverse=True) for test in zero_level_tests: matcher.add(test) return matcher diff --git a/polyfile/magic_defs/acorn b/polyfile/magic_defs/acorn index 37a4ed79..427f8159 100644 --- a/polyfile/magic_defs/acorn +++ b/polyfile/magic_defs/acorn @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: acorn,v 1.8 2021/04/26 15:56:00 christos Exp $ +# $File: acorn,v 1.9 2024/08/30 17:29:28 christos Exp $ # acorn: file(1) magic for files found on Acorn systems # @@ -67,36 +67,3 @@ >>8 byte x version %d, >>10 leshort =1 1 pattern >>10 leshort !1 %d patterns - -# From: Joerg Jenderek -# URL: https://www.kyzer.me.uk/pack/xad/#PackDir -# reference: https://www.kyzer.me.uk/pack/xad/xad_PackDir.lha/PackDir.c -# GRR: line below is too general as it matches also "Git pack" in ./revision -0 string PACK\0 -# check for valid compression method 0-4 ->5 ulelong <5 -# https://www.riscosopen.org/wiki/documentation/show/Introduction%20To%20Filing%20Systems -# To skip "Git pack" version 0 test for root directory object like -# ADFS::RPC.$.websitezip.FONTFIX ->>9 string >ADFS\ PackDir archive (RISC OS) -# TrID labels above as "Acorn PackDir compressed Archive" -# compression mode y (0 - 4) for GIF LZW with a maximum n bits -# (y~n,0~12,1~13,2~14,3~15,4~16) ->>>5 ulelong+12 x \b, LZW %u-bits compression -# https://www.filebase.org.uk/filetypes -# !Packdir compressed archive has three hexadecimal digits code 68E -!:mime application/x-acorn-68E -!:ext pkd/bin -# null terminated root directory object like IDEFS::IDE-4.$.Apps.GRAPHICS.!XFMPdemo ->>>9 string x \b, root "%s" -# load address 0xFFFtttdd, ttt is the object filetype and dddddddddd is time ->>>>&1 ulelong x \b, load address %#x -# execution address 0xdddddddd dddddddddd is 40 bit unsigned centiseconds since 1.1.1900 UTC ->>>>&5 ulelong x \b, exec address %#x -# attributes (bits: 0~owner read,1~owner write,3~no delete,4~public read,5~public write) ->>>>&9 ulelong x \b, attributes %#x -# number of entries in this directory. for root dir 0 -#>>>&13 ulelong x \b, entries %#x -# the entries start here with object name ->>>>&17 string x \b, 1st object "%s" - diff --git a/polyfile/magic_defs/adventure b/polyfile/magic_defs/adventure index bd7f863b..fdf60a3f 100644 --- a/polyfile/magic_defs/adventure +++ b/polyfile/magic_defs/adventure @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: adventure,v 1.18 2019/04/19 00:42:27 christos Exp $ +# $File: adventure,v 1.19 2023/12/02 13:48:56 christos Exp $ # adventure: file(1) magic for Adventure game files # # from Allen Garvin @@ -10,6 +10,8 @@ # ALAN # I assume there are other, lower versions, but these are the only ones I # saw in the archive. +# +# FIXME: Conflicts with Microsoft x.out big-endian and PDP-11 binaries (./xenix) 0 beshort 0x0206 ALAN game data >2 byte <10 version 2.6%d diff --git a/polyfile/magic_defs/algol68 b/polyfile/magic_defs/algol68 index 1ca1fad2..81086dd5 100644 --- a/polyfile/magic_defs/algol68 +++ b/polyfile/magic_defs/algol68 @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: algol68,v 1.6 2022/11/06 18:36:55 christos Exp $ +# $File: algol68,v 1.7 2024/08/27 18:50:56 christos Exp $ # algol68: file(1) magic for Algol 68 source # # URL: https://en.wikipedia.org/wiki/ALGOL_68 @@ -13,8 +13,6 @@ >0 use algol_68 0 regex/1024 \bMODE[\t\ ] >0 use algol_68 -0 regex/1024 \bMODE[\t\ ] ->0 use algol_68 0 regex/1024 \bREF[\t\ ] >0 use algol_68 0 regex/1024 \bFLEX[\t\ ]\*\\[ diff --git a/polyfile/magic_defs/amigaos b/polyfile/magic_defs/amigaos index fdd947fd..1b8cacaf 100644 --- a/polyfile/magic_defs/amigaos +++ b/polyfile/magic_defs/amigaos @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: amigaos,v 1.20 2021/09/20 00:42:19 christos Exp $ +# $File: amigaos,v 1.23 2026/02/05 18:49:06 christos Exp $ # amigaos: file(1) magic for AmigaOS binary formats: # @@ -36,7 +36,6 @@ 0 string COSO\0 Hippel-COSO Module sound file # Too simple (short, pure ASCII, deep), MPi #26 string V.3 Brian Postma's Soundmon Module sound file v3 -#26 string BPSM Brian Postma's Soundmon Module sound file v3 #26 string V.2 Brian Postma's Soundmon Module sound file v2 # The following are from: "Stefan A. Haubenthal" @@ -195,8 +194,7 @@ 0 string LZX LZX compressed archive (Amiga) # From: Przemek Kramarczyk -0 string .KEY AmigaDOS script -0 string .key AmigaDOS script +0 string/c .key AmigaDOS script # AMOS Basic file formats # https://www.exotica.org.uk/wiki/AMOS_file_formats @@ -216,3 +214,7 @@ >12 regex .{8} \b, type %s 0 string AmBs AMOS Basic memory banks >4 beshort x \b, %d banks + + +# https://github.com/alb42/Leu/blob/master/TCDReaderUnit.pas +3 string TURBOCALC TurboCalc spreadsheet diff --git a/polyfile/magic_defs/android b/polyfile/magic_defs/android index 8a2dedf3..c081ebc7 100644 --- a/polyfile/magic_defs/android +++ b/polyfile/magic_defs/android @@ -1,6 +1,6 @@ #------------------------------------------------------------ -# $File: android,v 1.24 2023/02/20 16:51:59 christos Exp $ +# $File: android,v 1.26 2024/09/04 19:06:11 christos Exp $ # Various android related magic entries #------------------------------------------------------------ @@ -9,11 +9,11 @@ # Fixed to avoid regexec 17 errors on some dex files # From "Tim Strazzere" 0 string dex\n ->0 regex dex\n[0-9]{2}\0 Dalvik dex file ->4 string >000 version %s +>0 regex dex\n[0-9]{2} Dalvik dex file +>>4 string >000 version %s 0 string dey\n ->0 regex dey\n[0-9]{2}\0 Dalvik dex file (optimized for host) ->4 string >000 version %s +>0 regex dey\n[0-9]{2} Dalvik dex file (optimized for host) +>>4 string >000 version %s # Android bootimg format # From https://android.googlesource.com/\ @@ -223,7 +223,7 @@ # +/refs/heads/androidx-main/profileinstaller/profileinstaller/\ # src/main/java/androidx/profileinstaller/ProfileVersion.java 0 string pro\x00 ->0 regex pro\x000[0-9][0-9]\x00 Android ART profile +>4 regex 0[0-9][0-9] Android ART profile !:ext prof >>4 string 001\x00 \b, version 001 N >>4 string 005\x00 \b, version 005 O @@ -231,7 +231,7 @@ >>4 string 010\x00 \b, version 010 P >>4 string 015\x00 \b, version 015 S 0 string prm\x00 ->0 regex prm\x000[0-9][0-9]\x00 Android ART profile metadata +>0 regex 0[0-9][0-9] Android ART profile metadata !:ext profm >>4 string 001\x00 \b, version 001 N >>4 string 002\x00 \b, version 002 diff --git a/polyfile/magic_defs/animation b/polyfile/magic_defs/animation index d62db637..4a73e72d 100644 --- a/polyfile/magic_defs/animation +++ b/polyfile/magic_defs/animation @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: animation,v 1.93 2023/05/21 17:13:19 christos Exp $ +# $File: animation,v 1.101 2025/05/28 19:54:08 christos Exp $ # animation: file(1) magic for animation/movie formats # # animation formats @@ -542,36 +542,39 @@ >>2 byte&0xF0 !0xF0 MPEG ADTS, layer III, v1 !:strength +20 !:mime audio/mpeg ->2 byte&0xF0 0x10 \b, 32 kbps ->2 byte&0xF0 0x20 \b, 40 kbps ->2 byte&0xF0 0x30 \b, 48 kbps ->2 byte&0xF0 0x40 \b, 56 kbps ->2 byte&0xF0 0x50 \b, 64 kbps ->2 byte&0xF0 0x60 \b, 80 kbps ->2 byte&0xF0 0x70 \b, 96 kbps ->2 byte&0xF0 0x80 \b, 112 kbps ->2 byte&0xF0 0x90 \b, 128 kbps ->2 byte&0xF0 0xA0 \b, 160 kbps ->2 byte&0xF0 0xB0 \b, 192 kbps ->2 byte&0xF0 0xC0 \b, 224 kbps ->2 byte&0xF0 0xD0 \b, 256 kbps ->2 byte&0xF0 0xE0 \b, 320 kbps +>>>2 search/100 Xing \b, variable bitrate +>>>2 search/100 VBRI \b, variable bitrate +>>>2 default x +>>>>2 byte&0xF0 0x10 \b, 32 kbps +>>>>2 byte&0xF0 0x20 \b, 40 kbps +>>>>2 byte&0xF0 0x30 \b, 48 kbps +>>>>2 byte&0xF0 0x40 \b, 56 kbps +>>>>2 byte&0xF0 0x50 \b, 64 kbps +>>>>2 byte&0xF0 0x60 \b, 80 kbps +>>>>2 byte&0xF0 0x70 \b, 96 kbps +>>>>2 byte&0xF0 0x80 \b, 112 kbps +>>>>2 byte&0xF0 0x90 \b, 128 kbps +>>>>2 byte&0xF0 0xA0 \b, 160 kbps +>>>>2 byte&0xF0 0xB0 \b, 192 kbps +>>>>2 byte&0xF0 0xC0 \b, 224 kbps +>>>>2 byte&0xF0 0xD0 \b, 256 kbps +>>>>2 byte&0xF0 0xE0 \b, 320 kbps # timing ->2 byte&0x0C 0x00 \b, 44.1 kHz ->2 byte&0x0C 0x04 \b, 48 kHz ->2 byte&0x0C 0x08 \b, 32 kHz +>>>2 byte&0x0C 0x00 \b, 44.1 kHz +>>>2 byte&0x0C 0x04 \b, 48 kHz +>>>2 byte&0x0C 0x08 \b, 32 kHz # channels/options ->3 byte&0xC0 0x00 \b, Stereo ->3 byte&0xC0 0x40 \b, JntStereo ->3 byte&0xC0 0x80 \b, 2x Monaural ->3 byte&0xC0 0xC0 \b, Monaural -#>1 byte ^0x01 \b, Data Verify -#>2 byte &0x02 \b, Packet Pad -#>2 byte &0x01 \b, Custom Flag -#>3 byte &0x08 \b, Copyrighted -#>3 byte &0x04 \b, Original Source -#>3 byte&0x03 1 \b, NR: 50/15 ms -#>3 byte&0x03 3 \b, NR: CCIT J.17 +>>>3 byte&0xC0 0x00 \b, Stereo +>>>3 byte&0xC0 0x40 \b, JntStereo +>>>3 byte&0xC0 0x80 \b, 2x Monaural +>>>3 byte&0xC0 0xC0 \b, Monaural +#>>>1 byte ^0x01 \b, Data Verify +#>>>2 byte &0x02 \b, Packet Pad +#>>>2 byte &0x01 \b, Custom Flag +#>>>3 byte &0x08 \b, Copyrighted +#>>>3 byte &0x04 \b, Original Source +#>>>3 byte&0x03 1 \b, NR: 50/15 ms +#>>>3 byte&0x03 3 \b, NR: CCIT J.17 # MP2, M1A 0 beshort&0xFFFE 0xFFFC MPEG ADTS, layer II, v1 @@ -855,7 +858,7 @@ # Live MPEG-4 audio streams (instead of RTP FlexMux) 0 beshort&0xFFE0 0x56E0 MPEG-4 LOAS !:mime audio/x-mp4a-latm -#>1 beshort&0x1FFF x \b, %hu byte packet +#>1 beshort&0x1FFF x \b, %u byte packet >3 byte&0xE0 0x40 >>4 byte&0x3C 0x04 \b, single stream >>4 byte&0x3C 0x08 \b, 2 streams @@ -927,15 +930,12 @@ # # from Oskar Schirmer Feb 3, 2001 (ISO 13818.1) # syncbyte 8 bit 0x47 -# error_ind 1 bit - -# payload_start 1 bit 1 -# priority 1 bit - -# PID 13 bit 0x0000 -# scrambling 2 bit - -# adaptfld_ctrl 2 bit 1 or 3 -# conti_count 4 bit - -0 belong&0xFF5FFF10 0x47400010 ->188 byte 0x47 MPEG transport stream data +# 188 bytes per packet +0 byte 0x47 +>188 byte 0x47 +>>376 byte 0x47 +>>>564 byte 0x47 +>>>>752 byte 0x47 MPEG transport stream data !:mime video/MP2T !:ext ts @@ -943,8 +943,11 @@ # From: Alexandre Iooss # URL: https://en.wikipedia.org/wiki/MPEG_transport_stream # Note: similar to ISO 13818.1 but with 4 extra bytes per packets -4 belong&0xFF5FFF10 =0x47400010 ->196 byte =0x47 BDAV MPEG-2 Transport Stream (M2TS) +4 byte 0x47 +>196 byte 0x47 +>>388 byte 0x47 +>>>580 byte 0x47 +>>>>772 byte 0x47 BDAV MPEG-2 Transport Stream (M2TS) !:mime video/MP2T !:ext m2ts/mts @@ -1195,3 +1198,56 @@ >30 lelong x \b, height: %d >34 lelong x \b, %d bit >38 lelong x \b, frames: %d + +# https://wiki.multimedia.cx/index.php/Duck_IVF +0 string DKIF Duck IVF video file +!:mime video/x-ivf +>4 leshort >0 \b, version %d +>8 string x \b, codec %s +>12 leshort x \b, %d +>14 leshort x \bx%d +>24 lelong >0 \b, %d frames + + +# libplacebo cache file +# https://libplacebo.org +0 string pl_cache libplacebo cache +>8 ulelong x \b, version %u +>12 ulelong =0 \b, empty +>12 ulelong =1 \b, 1 entry +>12 ulelong >1 \b, %u entries + +>4 byte 1 \b, version 3.00.00 +>4 byte 2 \b, version 3.03.00 +>4 byte 3 \b, version 4.00.00 +>4 byte 4 \b, version 4.02.00 +>4 byte 5 \b, version 5.00.00 + +# live2d: file(1) magic for Live2D Cubism file formats +# https://www.live2d.com/en/ +0 string/4 MOC3 Live2D Cubism MOC3 +>4 byte 0 \b, SDK version invalid/unknown (%d) +>4 byte 1 \b, SDK version 3.0.00 - 3.2.07 (%d) +>4 byte 2 \b, SDK version 3.3.00 - 3.3.03 (%d) +>4 byte 3 \b, SDK version 4.0.00 - 4.1.05 (%d) +>4 byte 4 \b, SDK version 4.2.00 - 4.2.02 (%d) +>4 byte 5 \b, SDK version 5.0.00 (%d) +>4 byte >5 \b, SDK version unknown (%d) +>5 byte 0 \b, little endian +>5 byte >0 \b, big endian +!:mime application/x-moc3-data +!:ext moc3 + +0 string/4 CAFF Live2D Cubism archive +>4 ubyte x version %d +>&0 ubyte x \b.%d +>&1 ubyte x \b.%d +>7 string/4 =---- \b, standard format +>7 string/4 !---- \b, unknown format (%.4s) +>11 ubyte x version %d +>&0 ubyte x \b.%d +>&1 ubyte x \b.%d +>14 belong =0 \b, no obfuscation +>14 belong !0 \b, XOR obfuscation key %d +!:mime application/x-cubism-archive +!:ext cmo3/can3 diff --git a/polyfile/magic_defs/apache b/polyfile/magic_defs/apache index d896b505..099efb77 100755 --- a/polyfile/magic_defs/apache +++ b/polyfile/magic_defs/apache @@ -1,18 +1,28 @@ #------------------------------------------------------------------------------ -# $File: apache,v 1.1 2017/04/11 14:52:15 christos Exp $ +# $File: apache,v 1.3 2025/05/30 13:25:13 christos Exp $ # apache: file(1) magic for Apache Big Data formats # Avro files -0 string Obj Apache Avro ->3 byte x version %d +0 string Obj\001 Apache Avro, version 1 # ORC files # Important information is in file footer, which we can't index to :( 0 string ORC Apache ORC -# Parquet files -0 string PAR1 Apache Parquet +# Apache arrow file format +# MIME: https://www.iana.org/assignments/media-types/application/vnd.apache.arrow.stream +# Description: https://arrow.apache.org/docs/format/Columnar.html +0 string ARROW1 Apache Arrow columnar file +!:mime application/vnd.apache.arrow.file +!:ext arrow/feather + +# Apache parquet file format +# MIME: https://www.iana.org/assignments/media-types/application/vnd.apache.parquet +# Description: https://parquet.apache.org/docs/file-format/ +0 string PAR1 Apache Parquet file +!:mime application/vnd.apache.parquet +!:ext parquet # Hive RC files 0 string RCF Apache Hive RC file diff --git a/polyfile/magic_defs/apple b/polyfile/magic_defs/apple index 547b0ac2..72e665f4 100644 --- a/polyfile/magic_defs/apple +++ b/polyfile/magic_defs/apple @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: apple,v 1.48 2023/05/01 14:20:21 christos Exp $ +# $File: apple,v 1.51 2024/09/04 19:06:12 christos Exp $ # apple: file(1) magic for Apple file formats # 0 search/1/t FiLeStArTfIlEsTaRt binscii (apple ][) text @@ -17,8 +17,13 @@ # Ref: https://applesaucefdc.com/a2r/ 0 string A2R >3 string \x31\xFF\x0A\x0D\x0A Applesauce A2R 1.x Disk Image +>>0 use applesauce >3 string \x32\xFF\x0A\x0D\x0A Applesauce A2R 2.x Disk Image +>>0 use applesauce >3 string \x33\xFF\x0A\x0D\x0A Applesauce A2R 3.x Disk Image +>>0 use applesauce + +0 name applesauce >8 string INFO >>49 byte 01 \b, 5.25″ SS 40trk >>49 byte 02 \b, 3.5″ DS 80trk @@ -36,7 +41,11 @@ # Ref: https://applesaucefdc.com/woz/reference2/ 0 string WOZ >3 string \x31\xFF\x0A\x0D\x0A Apple ][ WOZ 1.0 Disk Image +>>0 use applewoz >3 string \x32\xFF\x0A\x0D\x0A Apple ][ WOZ 2.0 Disk Image +>>0 use applewoz + +0 name applewoz >12 string INFO >>21 byte 01 \b, 5.25 inch >>21 byte 02 \b, 3.5 inch @@ -49,13 +58,13 @@ # Ref: https://applesaucefdc.com/moof-reference/ 0 string MOOF >4 string \xFF\x0A\x0D\x0A Apple Macintosh MOOF Disk Image ->12 string INFO ->>21 byte 01 \b, SSDD GCR (400K) ->>21 byte 02 \b, DSDD GCR (800K) ->>21 byte 03 \b, DSHD MFM (1.44M) ->>22 byte 01 \b, write protected ->>23 byte 01 \b, cross track synchronized ->>25 string/T x \b, %.32s +>>12 string INFO +>>>21 byte 01 \b, SSDD GCR (400K) +>>>21 byte 02 \b, DSDD GCR (800K) +>>>21 byte 03 \b, DSHD MFM (1.44M) +>>>22 byte 01 \b, write protected +>>>23 byte 01 \b, cross track synchronized +>>>25 string/T x \b, %.32s # Type: Apple Emulator disk images # From: Greg Wildman @@ -192,11 +201,9 @@ # Ref: https://github.com/peterferrie/qboot 0 string \x01\x4A\xA8\x69\x0F\x85\x27\xC9 >8 string \x12\xF0\x10\xE6\x3D\x86\xDA\x8A Apple ][ QBoot Image - # Type: Peter Ferrie 0Boot # From: Greg Wildman # Ref: https://github.com/peterferrie/0boot -0 string \x01\x4A\xA8\x69\x0F\x85\x27\xC9 >8 string \x12\xF0\x10\xE6\x3D\x86\xDA\x8A Apple ][ 0Boot Image # Different proprietary boot sectors @@ -438,22 +445,22 @@ # object is the first object (true for CoreFoundation implementation). # From: David Remahl 0 string bplist ->6 byte x \bCoreFoundation binary property list data, version %#c +>6 byte x CoreFoundation binary property list data, version %#c >>7 byte x \b%c ->6 string 00 \b ->>8 byte&0xF0 0x00 \b ->>>8 byte&0x0F 0x00 \b, root type: null ->>>8 byte&0x0F 0x08 \b, root type: false boolean ->>>8 byte&0x0F 0x09 \b, root type: true boolean ->>8 byte&0xF0 0x10 \b, root type: integer ->>8 byte&0xF0 0x20 \b, root type: real ->>8 byte&0xF0 0x30 \b, root type: date ->>8 byte&0xF0 0x40 \b, root type: data ->>8 byte&0xF0 0x50 \b, root type: ascii string ->>8 byte&0xF0 0x60 \b, root type: unicode string ->>8 byte&0xF0 0x80 \b, root type: uid (CORRUPT) ->>8 byte&0xF0 0xa0 \b, root type: array ->>8 byte&0xF0 0xd0 \b, root type: dictionary +>>6 string 00 \b +>>>8 byte&0xF0 0x00 \b +>>>>8 byte&0x0F 0x00 \b, root type: null +>>>>8 byte&0x0F 0x08 \b, root type: false boolean +>>>>8 byte&0x0F 0x09 \b, root type: true boolean +>>>8 byte&0xF0 0x10 \b, root type: integer +>>>8 byte&0xF0 0x20 \b, root type: real +>>>8 byte&0xF0 0x30 \b, root type: date +>>>8 byte&0xF0 0x40 \b, root type: data +>>>8 byte&0xF0 0x50 \b, root type: ascii string +>>>8 byte&0xF0 0x60 \b, root type: unicode string +>>>8 byte&0xF0 0x80 \b, root type: uid (CORRUPT) +>>>8 byte&0xF0 0xa0 \b, root type: array +>>>8 byte&0xF0 0xd0 \b, root type: dictionary # Apple/NeXT typedstream data # Serialization format used by NeXT and Apple for various @@ -478,7 +485,6 @@ # 0 string caff CoreAudio Format audio file >4 beshort <10 version %d ->6 beshort x #------------------------------------------------------------------------------ diff --git a/polyfile/magic_defs/archive b/polyfile/magic_defs/archive index 8968f284..3aba9470 100644 --- a/polyfile/magic_defs/archive +++ b/polyfile/magic_defs/archive @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: archive,v 1.191 2023/05/08 01:31:46 christos Exp $ +# $File: archive,v 1.218 2026/01/10 16:16:27 christos Exp $ # archive: file(1) magic for archive formats (see also "msdos" for self- # extracting compressed archives) # @@ -25,6 +25,11 @@ >>>>>>155 ubyte&0xDF =0 # space or ascii digit 0 at start of check sum >>>>>>>148 ubyte&0xEF =0x20 +# check for specific 1st member name that indicates other mime type and file name suffix +>>>>>>>>0 string TpmEmuTpms/permall +# maybe also look for 2nd tar member efi/nvram containing UEFI variables part +#>>>>>>>>>512 search/0x1800 efi/nvram\0 EFI_PART_FOUND +>>>>>>>>>0 use tar-nvram # FOR DEBUGGING: #>>>>>>>>0 regex \^[0-9]{2,4}[.](png|jpg|jpeg|tif|tiff|gif|bmp) NAME "%s" # check for 1st image main name with digits used for sorting @@ -34,9 +39,35 @@ # check for 1st member name with ovf suffix >>>>>>>>0 regex \^.{1,96}[.](ovf) >>>>>>>>>0 use tar-ova -# if 1st member name without digits and without used image suffix and without *.ovf then it is a TAR archive +# look for relative directory ./var/ or ./lte/ as 1st member name that indicates AVM firmware with other file name suffix +>>>>>>>>0 ubequad&0xFFffE5eaE8ffFFff 0x2e2f6460602f0000 +>>>>>>>>>0 use tar-avm +# maybe look for AVM specific 2nd name entry +# >>>>>>>>>517 string /content\0 content~ +# >>>>>>>>>>0 use tar-avm +# >>>>>>>>>517 string /install\0 install~ +# >>>>>>>>>>0 use tar-avm +# >>>>>>>>>517 string /chksum\0 chksum~ +# >>>>>>>>>>0 use tar-avm +# >>>>>>>>>517 string /modfw.nfo\0 modfw~ +# >>>>>>>>>>0 use tar-avm +# most (419/429) *.WBM (71/71) *.WBT with user name jcameron of Webmin developer Jamie Cameron in first tar archive member +>>>>>>>>265 string jcameron +>>>>>>>>>0 use tar-webmin +# if 1st member name without digits and without used image suffix, without *.ovf, +# ./var/ , ./lte/ and TpmEmuTpms/ then it is a pure TAR archive or Webmin without jcameron user name >>>>>>>>0 default x ->>>>>>>>>0 use tar-file +# few (10/429) *.WBM without user name jcameron in 1st tar member but with WBM module.info name like: +# apcupsd-0.81-2.wbm csavupdate.wbm cwmail.wbm dac960.wbm etcupdate.wbm logviewer.wbm memcached.wbm rinetd.wbm shoutcast.wbm vacationadmin-webmin-module-1.1.2.wbm +# few (10/95) *.WBT without user name jcameron in 1st tar member but with WBT theme.info name like: +# authentic-theme-21.09.5.wbt Mozilla-Modern.wbt virtual-server-theme-2.7.wbt fkn-webmintheme.0.6.0.wbt +>>>>>>>>>512 search/210965/s e.info\0 +>>>>>>>>>>0 use tar-webmin +# pure TAR +>>>>>>>>>0 default x +>>>>>>>>>>0 use tar-file +# Note: called "TAR - Tape ARchive" by TrID, "Tape Archive Format" by DROID via PUID x-fmt/265 +# and "Tar archive" by shared MIME-info database from freedesktop.org # minimal check and then display tar archive information which can also be # embedded inside others like Android Backup, Clam AntiVirus database 0 name tar-file @@ -86,7 +117,11 @@ >>261 default x tar archive (unknown ustar) !:mime application/x-ustar !:ext tar/ustar -# type flag of 1st tar archive member +# show information for 1st tar archive member +>0 use tar-entry +# display information of tar archive member (file type, name, permissions, user, group) +0 name tar-entry +# type flag of tar archive member #>156 ubyte x \b, %c-type >156 ubyte x >>156 ubyte 0 \b, file @@ -142,7 +177,7 @@ >>265 string >\0 \b, user %-.32s # group name null terminated >>297 string >\0 \b, group %-.32s -# device major minor if not zero +# device major minor if not zero (binary or ASCII) >>329 ubequad&0xCFCFCFCFcFcFcFdf !0 >>>329 string x \b, devmaj %-.7s >>337 ubequad&0xCFCFCFCFcFcFcFdf !0 @@ -157,6 +192,25 @@ >>508 default x # padding[255] in old tar sometimes comment field >>>257 string >\0 \b, comment: %-.40s +# Summary: VirtualBox NvramFile with UEFI variables packed inside TAR archive +# URL: hhttps://www.virtualbox.org/manual/ch08.html#vboxmanage-modifynvram +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/n/nvram-virtualbox-tar.trid.xml +# Note: called "VirtualBox saved (U)EFI BIOS settings (TAR) by TrID and +# verified by 7-Zip `7z l -ttar Mint-21.1.nvram` and +# VirtualBox `VBoxManage modifynvram "Mint-21.1" listvars` +0 name tar-nvram +# +>0 string x VirtualBox NVRAM file +#!:mime application/x-gtar +!:mime application/x-virtualbox-nvram +!:ext nvram +# first name[100] like: TpmEmuTpms/permall +>0 use tar-entry +# 2nd tar member efi/nvram contains UEFI variables part described by ./virtual +>512 search/0x1800/s efi/nvram\0 +>>&0 use tar-entry +# 2nd tar member efi/nvram content could be described by ./virtual +#>>&512 indirect x # Summary: Comic Book Archive *.CBT with TAR format # URL: https://en.wikipedia.org/wiki/Comic_book_archive # http://fileformats.archiveteam.org/wiki/Comic_Book_Archive @@ -169,7 +223,8 @@ !:ext cbt # name[100] probably like: 19.jpg 0001.png 0002.png # or maybe like ComicInfo.xml ->0 string >\0 \b, 1st image %-.60s +#>0 string >\0 \b, 1st image %-.60s +>0 use tar-entry # Summary: Open Virtualization Format *.OVF with disk images and more packed as TAR archive *.OVA # From: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/Open_Virtualization_Format @@ -184,7 +239,85 @@ !:mime application/x-virtualbox-ova !:ext ova # assuming name[100] like: DOS-0.9.ovf FreeDOS_1.ovf Win98SE_DE.ovf ->0 string >\0 \b, with %-.60s +#>0 string >\0 \b, with %-.60s +>0 use tar-entry +# Summary: AVM firmware (FRITZ!OS) for the FRITZ!Box (router) +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Fritz!Box +# https://www.redteam-pentesting.de/de/advisories/rt-sa-2014-010/-avm-fritz-box-firmware-signature-bypass +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/i/image-avm.trid.xml +# Note: verified by 7-Zip `7z l -ttar FRITZ.Box_4040-07.57.image` +0 name tar-avm +>0 string x AVM FRITZ!Box firmware +#!:mime application/x-gtar +!:mime application/x-avm-image +!:ext image +# tar member ./var/content starts with line like "Product=Fritz_Box_HW227 (FRITZ!Box 4040)" +>>1024 search/512 Product=Fritz_Box_ +>>>&0 string x %s +# version string like: 07.57 07.58 +>>>1044 search Version= \b, version +>>>>&0 string x %s +# product phrase too far behind (dozen MB) in many samples like: FRITZ.Box_4040-07.12.image FRITZ.Box_6820v3_LTE-07.57.image +# so try to look for other characteristic foo +# >>1024 default x OTHER_PATTERN! +# >>>1023 search AVM_PATTERN PATTERNfound +# first name[100] like: ./var/ ./lte/ +>0 use tar-entry +# if 1st entry is directory then show 2nd entry +>156 ubyte 0x35 +# 2nd tar member name like: ./var/content (often ) ./var/install ./var/chksum ./lte/modfw.nfo +>>512 use tar-entry +# Summary: Webmin Module or Theme +# From: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/Webmin +# https://webmin.com/docs/development/creating-modules/ +# https://webmin.com/docs/development/creating-themes/ +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/w/wbm.trid.xml +# http://mark0.net/download/triddefs_xml.7z/defs/w/wbt.trid.xml +# http://mark0.net/download/triddefs_xml.7z/defs/w/wbt-gif.trid.xml +# Note: called "Webmin Module" "Webmin Theme" by TrID +# most verfied by 7-Zip `7z l -ttar *.wbm | grep "\module.info"` and +# `7z l -ttar *.wbt | grep "\theme.info"` +0 name tar-webmin +>0 string x Webmin +# Webmin module or theme +>>512 search/1767941/s /module.info Module +!:mime application/x-webmin-module +!:ext wbm +# According to documentation module.info is mandatory but instead theme.info is found in +# old-blue-theme.wbm old-blue-theme-1.0.wbm old-mscstyle3.wbm virtual-server-mobile.wbm +# GRR: maybe here wrong file name suffix WBM instead of WBT +>>512 default x +>>>512 search/3149333/s /theme.info Theme +!:mime application/x-webmin-theme +!:ext wbt +# next 3 lines should not happen +>>>512 default x Module or Theme +!:mime application/x-webmin +!:ext wbm/wbt +# GNU or POSIX tar +>257 string =ustar ( +# 2 space characters followed by a null for GNU variant for most (428/429) WBM samples +>>261 ubelong =0x72202000 \bGNU tar) +#!:mime application/x-gtar +# UStar version variant with ASCII "00" as in few (1/429) samples like cwmail.wbm +>>261 ubelong 0x72003030 \bPOSIX tar) +#!:mime application/x-ustar +#>>>156 ubyte x tar archive +# Apparently first archive member name[100] is directory like: dynbind/ ssh/ virtualmin-powerdns/ virtual-server-mobile/ vnc/ +>>0 use tar-entry +# look for characteristic WBM module info name starting with "module.info" for language variant like in: ssh2.wbm +>>512 search/1767941/s /module.info +# look for TAR magic of WBM archive module info +>>>&0 search/257/s ustar +# show details for WBM archive member module info +>>>>&-257 use tar-entry +# look for characteristic WBT theme info name with "theme.info" like in: authentic-theme-21.09.5.wbt +>>512 search/3149333/s /theme.info\0 +# look for TAR magic of WBT archive theme info +>>>&0 search/257/s ustar +>>>>&-257 use tar-entry # Incremental snapshot gnu-tar format from: # https://www.gnu.org/software/tar/manual/html_node/Snapshot-Files.html @@ -556,7 +689,7 @@ # TODO: idarc says "bytes 0-2 == bytes 3-5" # TTComp # URL: http://fileformats.archiveteam.org/wiki/TTComp_archive -# Update: Joerg Jenderek +# Update: Joerg Jenderek, A Iooss # GRR: line below is too general as it matches also Panorama database "TCDB 2003-10 demo.pan", others 0 string \0\6 # look for first keyword of Panorama database *.pan @@ -602,8 +735,27 @@ #>-4 ubelong x LAST_BYTES=%8.8x >-4 ubelong&0x00FFffFF !0 >>0 use ttcomp -# display information of TTComp archive +# match end of TTComp to reduce false positives +# see https://mark0.net/forum/index.php?topic=848 0 name ttcomp +>-2 string \x01\xff +>>+0 use ttcomp-display +>-2 string \x80\x7f +>>+0 use ttcomp-display +>-2 string \xc0\x3f +>>+0 use ttcomp-display +>-2 string \xe0\x1f +>>+0 use ttcomp-display +>-2 string \xf0\x0f +>>+0 use ttcomp-display +>-2 string \xf8\x07 +>>+0 use ttcomp-display +>-2 string \xfc\x03 +>>+0 use ttcomp-display +>-2 string \xfe\x01 +>>+0 use ttcomp-display +# display information of TTComp archive +0 name ttcomp-display # (version 5.25) labeled the entry as "TTComp archive data" >0 ubyte x TTComp archive data !:mime application/x-compress-ttcomp @@ -613,23 +765,10 @@ >0 ubyte 0 \b, binary >0 ubyte 1 \b, ASCII # size of the dictionary: 4~1024 bytes 5~2048 bytes 6~4096 bytes ->1 ubyte 4 \b, 1K ->1 ubyte 5 \b, 2K ->1 ubyte 6 \b, 4K ->1 ubyte x dictionary -# https://mark0.net/forum/index.php?topic=848 -# last 3 bytes probably have only 8 possible bit sequences -# xxxxxxxx 0000000x 11111111 ____FFh -# xxxxxxxx 10000000 01111111 __807Fh -# 0xxxxxxx 11000000 00111111 __C03Fh -# 00xxxxxx 11100000 00011111 __E01Fh -# 000xxxxx 11110000 00001111 __F00Fh -# 0000xxxx 11111000 00000111 __F807h -# 00000xxx 11111100 00000011 __FC03h -# 000000xx 11111110 00000001 __FE01h -# but for quickgif.__d 0A7DD4h -#>-3 ubyte x \b, last 3 bytes 0x%2.2x -#>-2 ubeshort x \b%4.4x +>1 ubyte 4 \b, 1K dictionary +>1 ubyte 5 \b, 2K dictionary +>1 ubyte 6 \b, 4K dictionary + # From: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/Disk_Copy # reference: http://nulib.com/library/FTN.e00005.htm @@ -765,7 +904,7 @@ >>>>>>>(16.s) uleshort x >>>>>>>>&16 string x \b, %-.8s >>>>>>12 uleshort &0x10 ->>>>>>>(16.s) uleshort x +#>>>>>>>(16.s) uleshort x >>>>>>>&16 string x %-.8s >>>>>>>>&1 string x \b.%-.3s >>>12 uleshort &0x01 @@ -957,7 +1096,45 @@ # ZET 0 string OZ\xc3\x9d ZET archive data # TSComp -0 string \x65\x5d\x13\x8c\x08\x01\x03\x00 TSComp archive data +# Update: Joerg Jenderek 2023 Nov +# URL: http://fileformats.archiveteam.org/wiki/TSComp +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/t/tscomp.trid.xml +# https://entropymine.com/deark/releases/deark-1.6.5.tar.gz +# deark-1.6.5/modules/installshld.c +# Note: called "TSComp compressed data" by TrID +# verified by command like `deark -m tscomp -l -d2 MAKERRES.DL$` +# The "13" might be a version number. The "8c" is a mystery +0 string \x65\x5d\x13\x8c\x08\x01\x03\x00 TSComp archive +#!:mime application/octet-stream +!:mime application/x-tscomp-compressed +# filename style: 0~old version 1~without wildcard 2~with wildcard +#>0x08 ubyte x \b, filename style %u +>0x08 ubyte 0 data, filename style 0 +# no example found +!:ext ??$ +#>0x08 ubyte 1 data, without wildcard +>0x08 ubyte 1 data +# for single-file archives, often the last letter of the filename extension is changed to "$"; but also name like: BUILD3.BM! +!:ext ??$/??! +>0x08 ubyte 2 data, with wildcard +# for multi-file archives common extensions seem to be .lib and .cmp, but also names like: SAMPMIF$ OTDATA.$$$ TWOFILES.TSC WIN.PAK +!:ext /lib/cmp/$$$/tsc/pak +# fnlen; pascal string length; original 1st file name like: CHFORMAT.MML +>0x1c pstring x \b, %s +# md->fi->timestamp +>0x16 lemsdosdate x \b, modified %s +>0x18 lemsdostime x %s +# 1st compressed size: like 180 (SAMPMML$$) +>0x0E ulelong x \b, compressed size %u +# de_dbg_indent(c, 1): like: 12h +#>0x0d ubyte x b, at 0xD %#x +# like: 0 +#>0x1A ubeshort x \b, at 0x1A %#x +# 2nd member offset +#>0x12 ulelong x \b, next offset %#x +>0x12 ulelong >0 +# original 2nd archive member name like: FORMATS.MML +>>(0x12.l+15) pstring x \b, %s ... # ARQ 0 string gW\4\1 ARQ archive data # Squash @@ -1060,6 +1237,8 @@ #>0x200 ubequad x \b, at 0x200 %#16.16llx # cab_descriptor_size like: 0 (*.cab) BD5 C8B DA5 E2A E36 116C 251D 4DA9 56F0 5CC2 6E4B 777D 779E 1F7C2 >16 ulelong !0 \b, descriptor size %#x +>(12.l+40) lelong x ]b, %u files + # TOP4 0 string T4\x1a TOP4 archive data # BatComp left out: sig looks like COM executable @@ -1320,22 +1499,18 @@ >>9 ubyte !2 \b, security version %u # file type; 2 in main header; 0~binary 1~7-bitText 2~comment 3~directory 4~VolumeLabel 5=ChapterLabel >0xA ubyte !2 \b, file type %u -# date+time when original archive was created in MS-DOS format via ./msdos ->0xC ulelong x \b, created ->0xC use dos-date -# or date and time by new internal function -#>0xE lemsdosdate x %s -#>0xC lemsdostime x %s +# date+time when original archive was created in MS-DOS format +>0xE lemsdosdate x \b, created %s +>0xC lemsdostime x %s +# Archive mod time, added in format v6 (ARJ 2.39c) +>5 ubyte >5 +>>0x10 ulelong >0 \b, modified +>>>0x12 lemsdosdate x %s +>>>0x10 lemsdostime x %s + # FOR DEBUGGING #>0x12 uleshort x RAW DATE %#4.4x #>0x10 uleshort x RAW TIME %#4.4x -# date+time when archive was last modified; sometimes nil or -# maybe wrong like in HP4DRVR.ARJ -#>0x10 ulelong >0 \b, modified -#>>0x10 use dos-date -# or date and time by new internal function -#>>0x12 lemsdosdate x %s -#>>0x10 lemsdostime x %s # archive size (currently used only for secured archives); MAYBE? #>0x14 ulelong !0 \b, file size %u # security envelope file position; MAYBE? @@ -1376,7 +1551,7 @@ # This is a really bad format. A file containing HAWAII will match this... #0 string HA HA archive data, #>2 leshort =1 1 file, -#>2 leshort >1 %hu files, +#>2 leshort >1 %u files, #>4 byte&0x0f =0 first is type CPY #>4 byte&0x0f =1 first is type ASC #>4 byte&0x0f =2 first is type HSC @@ -1466,7 +1641,7 @@ # check and display information of lharc header 0 name lharc-header # header size 0x4 , 0x1b-0x61 ->0 ubyte x +#>0 ubyte x # compressed data size != compressed file size #>7 ulelong x \b, data size %d # attribute: 0x2~?? 0x10~symlink|target 0x20~normal @@ -1590,7 +1765,7 @@ # RAR (Roshal Archive) archive 0 string Rar!\x1a\7\0 RAR archive data -!:mime application/x-rar +!:mime application/vnd.rar !:ext rar/cbr # file header >(0xc.l+9) byte 0x74 @@ -1602,13 +1777,13 @@ >>7 use rar-archive-header 0 string Rar!\x1a\7\1\0 RAR archive data, v5 -!:mime application/x-rar +!:mime application/vnd.rar !:ext rar # Very old RAR archive # https://jasonblanks.com/wp-includes/images/papers/KnowyourarchiveRAR.pdf 0 string RE\x7e\x5e RAR archive data (4 beshort x Zip archive data, at least +!:mime application/zip +>4 use zipversion +>4 beshort x to extract +>8 beshort x \b, compression method= +>8 use zipcompression +>0x161 string WINZIP \b, WinZIP self-extracting + +# Zip archives that can be either APK or JAR. Checks for resources.arsc, classes.dex, etc. +0 name apk_or_jar +# Contains resources.arsc (near the end, in the central directory) +>-512 search resources.arsc Android package (APK), with MANIFEST.MF and resources.arsc +!:mime application/vnd.android.package-archive +!:ext apk +>>-22 string PK\005\006 +>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +>-512 default x +# Contains classes.dex (near the end, in the central directory) +>>-512 search classes.dex Android package (APK), with MANIFEST.MF and classes.dex +!:mime application/vnd.android.package-archive +!:ext apk +>>>-22 string PK\005\006 +>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +>>-512 default x +# Contains lib/armeabi (near the end, in the central directory) +>>>-512 search lib/armeabi Android package (APK), with MANIFEST.MF and armeabi lib +!:mime application/vnd.android.package-archive +!:ext apk +>>>>-22 string PK\005\006 +>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +>>>-512 default x +# Contains drawables (near the end, in the central directory) +>>>>-512 search res/drawable Android package (APK), with MANIFEST.MF and drawables +!:mime application/vnd.android.package-archive +!:ext apk +>>>>>-22 string PK\005\006 +>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +# It may or may not be an APK file, but it's definitely a Java JAR file +>>>>-512 default x Java archive data (JAR) +!:mime application/java-archive +!:ext jar + 0 string PK\003\004 !:strength +1 +# IOS/IPadOS IPA file (Zip archive) +# Starts with Payload (file name length = 19) +>26 uleshort 8 +>>30 string Payload IOS/iPadOS IPA file +>>>&26 search/6000 PK\003\004 +>>>>&34 string x containing %s +!:mime application/x-ios-app +!:ext ipa + +# Android APK file (Zip archive) # Starts with AndroidManifest.xml (file name length = 19) >26 uleshort 19 >>30 string AndroidManifest.xml Android package (APK), with AndroidManifest.xml @@ -1649,40 +1879,14 @@ >>>-22 string PK\005\006 >>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block # Starts with META-INF/MANIFEST.MF (file name length = 20) -# NB: checks for resources.arsc, classes.dex, etc. as well to avoid matching JAR files >26 uleshort 20 >>30 string META-INF/MANIFEST.MF -# Contains resources.arsc (near the end, in the central directory) ->>>-512 search resources.arsc Android package (APK), with MANIFEST.MF and resources.arsc -!:mime application/vnd.android.package-archive -!:ext apk ->>>>-22 string PK\005\006 ->>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block ->>>-512 default x -# Contains classes.dex (near the end, in the central directory) ->>>>-512 search classes.dex Android package (APK), with MANIFEST.MF and classes.dex -!:mime application/vnd.android.package-archive -!:ext apk ->>>>>-22 string PK\005\006 ->>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block ->>>>-512 default x -# Contains lib/armeabi (near the end, in the central directory) ->>>>>-512 search lib/armeabi Android package (APK), with MANIFEST.MF and armeabi lib -!:mime application/vnd.android.package-archive -!:ext apk ->>>>>>-22 string PK\005\006 ->>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block ->>>>>-512 default x -# Contains drawables (near the end, in the central directory) ->>>>>>-512 search res/drawable Android package (APK), with MANIFEST.MF and drawables -!:mime application/vnd.android.package-archive -!:ext apk ->>>>>>>-22 string PK\005\006 ->>>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block -# It may or may not be an APK file, but it's definitely a Java JAR file ->>>>>>-512 default x Java archive data (JAR) -!:mime application/java-archive -!:ext jar +>>>0 use apk_or_jar +# Starts with META-INF/ folder (file name length = 9) +>26 uleshort 9 +>>30 string META-INF/ +>>>0 use apk_or_jar + # Starts with zipflinger virtual entry (28 + 104 = 132 bytes) # See https://github.com/obfusk/apksigcopier/blob/666f5b7/apksigcopier/__init__.py#L230 >4 string \x00\x00\x00\x00\x00\x00 @@ -1693,20 +1897,7 @@ !:ext apk >>>>>-22 string PK\005\006 >>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block -# APK Signing Block ->0 default x ->>-22 string PK\005\006 ->>>(-6.l-16) string APK\x20Sig\x20Block\x2042 Android package (APK), with APK Signing Block -!:mime application/vnd.android.package-archive -!:ext apk -# Zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) -0 string PK\005\006 Zip archive data (empty) -!:mime application/zip -!:ext zip/cbz -!:strength +1 -0 string PK\003\004 -!:strength +1 # Specialised zip formats which start with a member named 'mimetype' # (stored uncompressed, with no 'extra field') containing the file's MIME type. @@ -1874,7 +2065,7 @@ # https://standard.go.kr/KSCI/standardIntro/getStandardSearchView.do?menuId=503&topMenuId=502&ksNo=KSX6101 # https://e-ks.kr/streamdocs/view/sd;streamdocsId=72059197557727331 >>50 string hwp+zip Hancom HWP (Hangul Word Processor) file, HWPX -!:mime application/hwp+zip +!:mime application/x-hwp+zip !:ext hwpx # From: Joerg Jenderek @@ -1946,18 +2137,35 @@ #>30 search/100/b application/epub+zip EPUB document #!:mime application/epub+zip -# Generic zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) -# Next line excludes specialized formats: +# APK Signing Block >(26.s+30) leshort !0xcafe >>30 search/100/b !application/epub+zip ->>>26 string !\x8\0\0\0mimetype Zip archive data -!:mime application/zip ->>>>4 beshort x \b, at least ->>>>4 use zipversion ->>>>4 beshort x to extract ->>>>8 beshort x \b, compression method= ->>>>8 use zipcompression ->>>>0x161 string WINZIP \b, WinZIP self-extracting +>>>26 string !\x8\0\0\0mimetype +>>>>-22 string PK\005\006 +>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 Android package (APK), with APK Signing Block +!:mime application/vnd.android.package-archive +!:ext apk + +# Keyman Compiled Package File (keyman.com) +# https://help.keyman.com/developer/current-version/reference/file-types/kmp +# Find start of central directory +>>>>>(-6.l) string PK\001\002 +# Scan central directory for string 'kmp.json', will suffice for a +# package containing about 150 files +>>>>>>(-6.l) search/9000 kmp.json Keyman Compiled Package File +!:mime application/vnd.keyman.kmp+zip +!:ext kmp +>>>>>+4 default x +>>>>>>0 use zipgeneric + +>>>>+4 default x +>>>>>0 use zipgeneric + +# Zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) +0 string PK\005\006 Zip archive data (empty) +!:mime application/zip +!:ext zip/cbz +!:strength +1 # StarView Metafile # From Pierre Ducroquet @@ -2252,12 +2460,6 @@ 0 belong 0x1ee7ff00 EET archive !:mime application/x-eet -# rzip archives -0 string RZIP rzip compressed data ->4 byte x - version %d ->5 byte x \b.%d ->6 belong x (%d bytes) - # From: Joerg Jenderek # URL: https://help.foxitsoftware.com/kb/install-fzip-file.php # reference: http://mark0.net/download/triddefs_xml.7z/ @@ -2438,7 +2640,28 @@ >3 byte x version %d # LyNX archive +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Lynx_archive +# Reference: http://ist.uwaterloo.ca/~schepers/formats/LNX.TXT +# http://mark0.net/download/triddefs_xml.7z/defs/a/ark-lnx.trid.xml +# Note: called "Lynx archive" by TrID and "Commodore C64 BASIC program" with "POKE 53280" by ./c64 +# TODO: merge and unify with Commodore C64 BASIC program 56 string USE\040LYNX\040TO\040DISSOLVE\040THIS\040FILE LyNX archive +# display "Lynx archive" (strength=330) before Commodore C64 BASIC program (strength=50) handled by ./c64 +#!:strength +0 +#!:mime application/octet-stream +!:mime application/x-commodore-lnx +!:ext lnx +# afterwards look for BASIC tokenized GOTO (89h) 10, line terminator \0, end of programm tag \0\0 and CarriageReturn +>86 search/10 \x8910\0\0\0\r \b, +# for DEBUGGING +#>>&0 string x STRING="%s" +# number in ASCII of directory blocks with spaces on both sides like: 1 2 3 5 +>>&0 regex [0-9]{1,5} %s directory blocks +# signature like: "*LYNX XII BY WILL CORLEY" " LYNX IX BY WILL CORLEY" "*LYNX BY CBMCONVERT 2.0*" +>>>&2 regex [^\r]{1,24} \b, signature "%s" +# number of files in ASCII surrounded by spaces and delimited by CR like: 2 3 6 13 69 144 (maximum?) +>>>>&1 regex [0-9]{1,3} \b, %s files # From: Joerg Jenderek # URL: https://www.acronis.com/ @@ -2584,3 +2807,75 @@ >>(12.l+12) string }}}} Electron ASAR archive !:ext asar >>>12 ulelong x \b, header length: %d bytes + +# Wasay ImageIt DataPack +# From: Alexandre Iooss +# URL: https://www.neowin.net/forum/topic/615151-anyone-know-what-program-opens-dsi-and-wsi-files/ +# Note: Used in Acer eRecovery and Lenovo OneKey Recovery (OKR) +4 string WSVD +# bytes 3-4 are the checksum or the first 32 bytes of the file +>0 uleshort 0x40 Wasay ImageIt DataPack +>>8 uleshort x v%u +>>10 uleshort x \b.%u +>>16 lestring16/8 x \b, "%s" +>>12 uleshort x (%u) +>>32 byte x \b, created on %02d +>>33 byte x \b%02d +>>34 byte x \b/%02d +>>35 byte x \b/%02d +>>36 byte x %02d +>>37 byte x \b:%02d +>>38 byte x \b:%02d +>>56 ulelong x \b, size: %u bytes + +# Stone archive file - Serpent OS moss package manager's native format +# https://github.com/serpent-os/tools, +# (Ikey Doherty) +0 string \0mos Stone archive +>28 belong 1 (format v%d) +>>27 byte 1 binary package +!:mime application/x-stone-binary +!:ext stone +>>27 byte 2 delta package +!:mime application/x-stone-delta +!:ext stone +>>27 byte 3 repository index +!:mime application/x-stone-repository +!:ext index +>>27 byte 4 build manifest +!:mime application/x-stone-manifest +!:ext bin + +# * VOS , +# * [encapsulated|not_encapsulated] = +# * [encoded|not_encoded|seq_encoded|base64_encoded] +0 string VOS\040 Stratus OpenVOS EFV archive +>4 regex [^[:space:]]+ \b, (%s) +>>&0 regex [^[:space:]]+ \b, %s +>>>&0 regex [^[:space:]]+ \b, record_size=%s +>>>>&0 regex [^[:space:]]+ \b, %s +>>>>>&0 regex [^[:space:]]+ \b, %s + + +# https://www.vm.ibm.com/devpages/bkw/vmarc.html magic in EBCDIC +0 string \x7a\xc3\xc6\xc6\x40\x40\x40\x40 VM Archive + +# https://pbs.proxmox.com/docs/file-formats.html +0 string \x42\xab\x38\x07\xbe\x83\x70\xa1 Proxmox Backup Server unencrypted uncompressed blob + +0 string \x31\xb9\x58\x42\x6f\xb6\xa3\x7f Proxmox Backup Server unencrypted compressed blob + +0 string \x7b\x67\x85\xbe\x22\x2d\x4c\xf0 Proxmox Backup Server encrypted uncompressed blob + +0 string \xe6\x59\x1b\xbf\x0b\xbf\xd8\x0b Proxmox Backup Server encrypted compressed blob + +0 string \x2f\x7f\x41\xed\x91\xfd\x0f\xcd Proxmox Backup Server fixed index + +0 string \x1c\x91\x4e\xa5\x19\xba\xb3\xcd Proxmox Backup Server dynamic index + +0 string \xef\xac\x88\xe5\x74\x64\x95\xd5 Proxmox File Archive Format v1 / pxar + +0 string \x0d\xa4\x16\xdf\x75\x6c\x0f\x73\x18\x00\x00\x00\x00\x00\x00\x00\x02 Proxmox File Archive Format v2+ / mpxar + +0 string \xd2\x4e\x4a\x19\xc2\x68\x4c\x83\x10 Proxmox File Archive Format payload stream / ppxar + diff --git a/polyfile/magic_defs/aria b/polyfile/magic_defs/aria index c3a6bf57..eb0a6114 100644 --- a/polyfile/magic_defs/aria +++ b/polyfile/magic_defs/aria @@ -1,5 +1,7 @@ #------------------------------------------------------------------------------ +# $File: aria,v 1.2 2024/06/10 23:09:52 christos Exp $ +# aria: file(1) magic for download manager aria # URL: https://de.wikipedia.org/wiki/Aria_(Software) # Reference: https://github.com/aria2/aria2/blob/master/doc/manual-src/en/technical-notes.rst # From: Joerg Jenderek diff --git a/polyfile/magic_defs/arm b/polyfile/magic_defs/arm index c5143203..fd018031 100644 --- a/polyfile/magic_defs/arm +++ b/polyfile/magic_defs/arm @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: arm,v 1.3 2022/10/31 14:35:39 christos Exp $ +# $File: arm,v 1.4 2024/02/18 14:15:22 christos Exp $ # arm: file(1) magic for ARM COFF # # https://docs.microsoft.com/en-us/windows/win32/debug/pe-format @@ -40,6 +40,15 @@ >>0 use display-coff !:strength -10 +# ARM64 Compiled Hybrid PE X86 +0 leshort 0x3a64 +# test for unused flag bits in f_flags +>18 uleshort&0x8E80 0 +# use little endian variant of subroutine to +# display name+variables+flags for common object formatted files +>>0 use display-coff +!:strength -10 + # ARM64EC 0 leshort 0xa641 # test for unused flag bits in f_flags diff --git a/polyfile/magic_defs/asf b/polyfile/magic_defs/asf index 744a0afc..e4c3dd95 100644 --- a/polyfile/magic_defs/asf +++ b/polyfile/magic_defs/asf @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: asf,v 1.4 2022/10/31 13:22:26 christos Exp $ +# $File: asf,v 1.5 2024/09/04 19:06:12 christos Exp $ # asf: file(1) magic for Microsoft Advanced Systems Format (ASF) files # http://www.staroceans.org/e-book/ASF_Specification.pdf @@ -10,13 +10,13 @@ #>16 lequad >0 #>>(16.q) use asf-object # ASF_Simple_Index_Object ->0 guid 33000890-E5B1-11CF-89F4-00A0C90349CB +#>0 guid 33000890-E5B1-11CF-89F4-00A0C90349CB >0 guid D6E229D3-35DA-11D1-9034-00A0C90349BE ASF_Index_Object >0 guid FEB103F8-12AD-4C64-840F-2A1D2F7AD48C ASF_Media_Object_Index_Object >0 guid 3CB73FD0-0C4A-4803-953D-EDF7B6228F0C ASF_Timecode_Index_Object # ASF_File_Properties_Object ->0 guid 8CABDCA1-A947-11CF-8EE4-00C00C205365 +#>0 guid 8CABDCA1-A947-11CF-8EE4-00C00C205365 # ASF_Stream_Properties_Object >0 guid B7DC0791-A9B7-11CF-8EE6-00C00C205365 @@ -52,15 +52,15 @@ >>40 use asf-name >>0 lelong x \b) #ASF_Header_Extension_Object ->0 guid 5FBF03B5-A92E-11CF-8EE3-00C00C205365 +#>0 guid 5FBF03B5-A92E-11CF-8EE3-00C00C205365 # ASF_Codec_List_Object ->0 guid 86D15240-311D-11D0-A3A4-00A0C90348F6 +#>0 guid 86D15240-311D-11D0-A3A4-00A0C90348F6 >0 guid 1EFB1A30-0B62-11D0-A39B-00A0C90348F6 ASF_Script_Command_Object >0 guid F487CD01-A951-11CF-8EE6-00C00C205365 ASF_Marker_Object >0 guid D6E229DC-35DA-11D1-9034-00A0C90349BE ASF_Bitrate_Mutual_Exclusion_Object >0 guid 75B22635-668E-11CF-A6D9-00AA0062CE6C ASF_Error_Correction_Object # ASF_Content_Description_Object ->0 guid 75B22633-668E-11CF-A6D9-00AA0062CE6C +#>0 guid 75B22633-668E-11CF-A6D9-00AA0062CE6C #>>24 leshort title length %d #>>26 leshort author length %d #>>28 leshort copyright length %d @@ -73,7 +73,7 @@ >0 guid 298AE614-2622-4C17-B935-DAE07EE9289C ASF_Extended_Content_Encryption_Object >0 guid 2211B3FC-BD23-11D2-B4B7-00A0C955FC6E ASF_Digital_Signature_Object # ASF_Padding_Object ->0 guid 1806D474-CADF-4509-A4BA-9AABCB96AAE8 +#>0 guid 1806D474-CADF-4509-A4BA-9AABCB96AAE8 >0 guid 14E6A5CB-C672-4332-8399-A96952065B5A ASF_Extended_Stream_Properties_Object >0 guid A08649CF-4775-4670-8A16-6E35357566CD ASF_Advanced_Mutual_Exclusion_Object >0 guid D1465A40-5A79-4338-B71B-E36B8FD6C249 ASF_Group_Mutual_Exclusion_Object diff --git a/polyfile/magic_defs/audio b/polyfile/magic_defs/audio index 55c5cd0a..e630663a 100644 --- a/polyfile/magic_defs/audio +++ b/polyfile/magic_defs/audio @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: audio,v 1.127 2023/03/05 20:15:49 christos Exp $ +# $File: audio,v 1.136 2026/01/23 17:02:27 christos Exp $ # audio: file(1) magic for sound formats (see also "iff") # # Jan Nicolai Langfeldt (janl@ifi.uio.no), Dan Quinlan (quinlan@yggdrasil.com), @@ -99,8 +99,8 @@ !:mime audio/x-unknown # is this next line right? it came this way... >19 byte 0x1A ->23 byte >0 - version %d ->22 byte >0 \b.%d +>>23 byte >0 - version %d +>>22 byte >0 \b.%d # first entry is also the string "NTRK" 0 belong 0x4e54524b MultiTrack sound data @@ -276,13 +276,12 @@ # http://www-mmsp.ece.mcgill.ca/documents/AudioFormats/IRCAM/IRCAM.html 0 belong 0x64a30100 IRCAM file (VAX little-endian) 0 belong 0x0001a364 IRCAM file (VAX big-endian) -0 belong 0x64a30200 IRCAM file (Sun big-endian) 0 belong 0x0002a364 IRCAM file (Sun little-endian) +0 belong 0x64a30200 IRCAM file (Sun big-endian) 0 belong 0x64a30300 IRCAM file (MIPS little-endian) 0 belong 0x0003a364 IRCAM file (MIPS big-endian) -0 belong 0x64a30400 IRCAM file (NeXT big-endian) -0 belong 0x64a30400 IRCAM file (NeXT big-endian) 0 belong 0x0004a364 IRCAM file (NeXT little-endian) +0 belong 0x64a30400 IRCAM file (NeXT big-endian) # NIST SPHERE 0 string NIST_1A\n\ \ \ 1024\n NIST SPHERE file @@ -487,7 +486,7 @@ # Sharp Jisaku Melody format for PDC 0 string \001Sharp\040JisakuMelody SHARP Cell-Phone ringing Melody >20 string Ver01.00 Ver. 1.00 ->>32 byte x , %d tracks +>>32 byte x \b, %d tracks # Free lossless audio codec # From: Przemyslaw Augustyniak @@ -644,6 +643,7 @@ 0 string [Equalizer\ preset] XMMS equalizer preset # .m3u 0 search/1 #EXTM3U M3U playlist text +!:mime audio/x-mpegurl # .pls 0 search/1 [playlist] PLS playlist text # licq.conf @@ -713,10 +713,36 @@ # Type: Adaptive Multi-Rate Codec # URL: http://filext.com/detaillist.php?extdetail=AMR +# http://fileformats.archiveteam.org/wiki/Adaptive_Multi-Rate_Audio +# Reference: https://datatracker.ietf.org/doc/html/rfc4867 +# http://mark0.net/download/triddefs_xml.7z/defs/a/audio-amr.trid.xml +# Update: Joerg Jenderek # From: Russell Coker -0 string #!AMR Adaptive Multi-Rate Codec (GSM telephony) -!:mime audio/amr +# Note: called "AMR (Adaptive Multi Rate) encoded audio" by TrID and +# "Adaptive Multi-Rate Audio" by DROID via PUID fmt/356 and +# "AMR" "AMR audio" or "Adaptive Multi-Rate" by shared MIME-info database from freedesktop.org +0 string #!AMR Adaptive Multi-Rate Codec +# Adaptive Multi-Rate Codec (strength=80) before wrong "a AMR script executable (binary data)" (strength=20=60/3) by ./varied.script +#!:strength +0 +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/audio-awb.trid.xml +# Note: called "Adaptive Multi-Rate Wideband ACELP codec" by TrID and +# "Adaptive Multi-Rate Wideband Audio" bY DROID via PUID fmt/954 and +# "AMR-WB" "AMR-WB audio" or "Adaptive Multi-Rate Wideband" by shared MIME-info database from freedesktop.org +>5 string -WB (Wideband) +# https://www.iana.org/assignments/media-types/audio/AMR-WB +!:mime audio/AMR-WB +#!:mime audio/amr-wb-encrypted +!:apple ????amrw +!:ext awb +# variant without Wideband +>5 default x (GSM telephony) +# https://www.iana.org/assignments/media-types/audio/AMR +!:mime audio/AMR +# last character in type code is space +!:apple ????amr !:ext amr +# GRR: maybe also 3ga suffix? https://telparia.com/fileFormatSamples/audio/amr/example.3ga +#!:ext amr/3ga # Type: SuperCollider 3 Synth Definition File Format # From: Mario Lang @@ -907,16 +933,16 @@ # From Martin Mueller Skarbiniks Pedersen 0 string GDM >0x3 byte 0xFE General Digital Music. ->0x4 string >\0 title: "%s" ->0x24 string >\0 musician: "%s" ->>0x44 beshort 0x0D0A ->>>0x46 byte 0x1A ->>>>0x47 string GMFS Version ->>>>0x4B byte x %d. ->>>>0x4C byte x \b%02d ->>>>0x4D beshort 0x000 (2GDM v ->>>>0x4F byte x \b%d. ->>>>>0x50 byte x \b%d) +>>0x4 string >\0 title: "%s" +>>0x24 string >\0 musician: "%s" +>>>0x44 beshort 0x0D0A +>>>>0x46 byte 0x1A +>>>>>0x47 string GMFS Version +>>>>>0x4B byte x %d. +>>>>>0x4C byte x \b%02d +>>>>>0x4D beshort 0x000 (2GDM v +>>>>>0x4F byte x \b%d. +>>>>>>0x50 byte x \b%d) 0 string MTM Multitracker >0x3 byte/16 x Version %d. @@ -931,7 +957,7 @@ >>3 byte 4 (With no LAME header) >>3 byte 5 Version 2.4 -0 string ADRVPACK AProSys module +0 string ADRVPACK AProSys module # ftp://ftp.modland.com/pub/documents/format_documentation/\ # Art%20Of%20Noise%20(.aon).txt @@ -939,18 +965,18 @@ >4 string "ArtOfNoise by Bastian Spiegel(twice/lego)" >0x2e string NAME Art of Noise Tracker Song >3 string <9 ->3 string 4 (4 voices) ->3 string 8 (8 voices) +>>3 string 4 (4 voices) +>>3 string 8 (8 voices) >>0x36 string >\0 Title: "%s" 0 string FAR >0x2c byte 0x0d ->0x2d byte 0x0a ->0x2e byte 0x1a ->>0x3 byte 0xFE Farandole Tracker Song ->>>0x31 byte/16 x Version %d. ->>>0x31 byte&0x0F x \b%02d ->>>>0x4 string >\0 \b, title: "%s" +>>0x2d byte 0x0a +>>>0x2e byte 0x1a +>>>>0x3 byte 0xFE Farandole Tracker Song +>>>>>0x31 byte/16 x Version %d. +>>>>>0x31 byte&0x0F x \b%02d +>>>>>0x4 string >\0 \b, title: "%s" # magic for Klystrack, https://kometbomb.github.io/klystrack/ # from Alex Myczko @@ -1034,25 +1060,37 @@ # Added by David Korth 0 string PSF >3 byte 0x01 +>>0 use portable_sound_format >3 byte 0x02 +>>0 use portable_sound_format >3 byte 0x11 +>>0 use portable_sound_format >3 byte 0x12 +>>0 use portable_sound_format >3 byte 0x13 +>>0 use portable_sound_format >3 byte 0x21 +>>0 use portable_sound_format >3 byte 0x22 +>>0 use portable_sound_format >3 byte 0x23 +>>0 use portable_sound_format >3 byte 0x41 ->>0 string PSF Portable Sound Format +>>0 use portable_sound_format + + +0 name portable_sound_format +>0 string PSF Portable Sound Format !:mime audio/x-psf ->>>3 byte 0x01 (Sony PlayStation) ->>>3 byte 0x02 (Sony PlayStation 2) ->>>3 byte 0x11 (Sega Saturn) ->>>3 byte 0x12 (Sega Dreamcast) ->>>3 byte 0x13 (Sega Mega Drive) ->>>3 byte 0x21 (Nintendo 64) ->>>3 byte 0x22 (Game Boy Advance) ->>>3 byte 0x23 (Super NES) ->>>3 byte 0x41 (Capcom QSound) +>>3 byte 0x01 (Sony PlayStation) +>>3 byte 0x02 (Sony PlayStation 2) +>>3 byte 0x11 (Sega Saturn) +>>3 byte 0x12 (Sega Dreamcast) +>>3 byte 0x13 (Sega Mega Drive) +>>3 byte 0x21 (Nintendo 64) +>>3 byte 0x22 (Game Boy Advance) +>>3 byte 0x23 (Super NES) +>>3 byte 0x41 (Capcom QSound) # Atari 8-bit SAP audio format # http://asap.sourceforge.net/sap-format.html @@ -1161,6 +1199,13 @@ >4 beshort 0xFEFF >>0 use \^nintendo-3ds-bcwav-fields + +# QOA Quite Okay Audio format +# https://qoaformat.org/qoa-specification.pdf +# added by alex myczko +0 string qoaf QOA audio data +>4 belong x \b, %d samples per channel + # Philips DSDIFF audio format (Direct Stream Digital Interchange File Format) # Used for DSD audio recordings and Super Audio CD (SACD) mastering annotations # https://dsd-guide.com/sites/default/files/white-papers/DSDIFF_1.5_Spec.pdf @@ -1289,3 +1334,17 @@ # version > 1 or 0 >>&0 default x \b, unknown version + +# https://moddingwiki.shikadi.net/wiki/ROL_Format +4 string \\roll\\default AdLib Visual Composer ROL file +>0 leshort x \b, version %d. +>2 leshort x \b%d +>44 leshort x \b, tickBeat %d +>46 leshort x \b, beatMeasure %d +>48 leshort x \b, scaleY %d +>50 leshort x \b, scaleX %d +>52 byte 0 \b, percussive +>52 byte 1 \b, melodic + +# https://pbat.ch/proj/protrekkr/ +0 string PROTREKT Protrekkr Module diff --git a/polyfile/magic_defs/ber b/polyfile/magic_defs/ber index 15288c68..8afd23d4 100644 --- a/polyfile/magic_defs/ber +++ b/polyfile/magic_defs/ber @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: ber,v 1.2 2019/04/19 00:42:27 christos Exp $ +# $File: ber,v 1.3 2024/09/01 13:49:15 christos Exp $ # ber: file(1) magic for several BER formats used in the mobile # telecommunications industry (Georg Sauthoff) @@ -41,7 +41,6 @@ # NRT Files # NRT a.k.a. NRTRDE -0 byte 0x61 # 2 block >&1 search/b8 \x5f\x29\x01\x02\x5f\x25\x01 >>&0 byte x NRT 2.%d (TD.35, Near Real Time Roaming Data Exchange) diff --git a/polyfile/magic_defs/bgcode b/polyfile/magic_defs/bgcode new file mode 100644 index 00000000..40782791 --- /dev/null +++ b/polyfile/magic_defs/bgcode @@ -0,0 +1,9 @@ +#------------------------------------------------------------------------------ +# $File: bgcode,v 1.1 2025/03/10 21:02:05 christos Exp $ + +# BGCode +0 string GCDE Binary G-code +!:ext bgcode,bgc +>4 ulelong x Version %u +>>8 uleshort 0 \b, no checksum +>>8 uleshort 1 \b, CRC32 checksum diff --git a/polyfile/magic_defs/biosig b/polyfile/magic_defs/biosig index 7d41713f..dc99773e 100644 --- a/polyfile/magic_defs/biosig +++ b/polyfile/magic_defs/biosig @@ -1,7 +1,7 @@ -############################################################################## -# -# Magic ids for biomedical signal file formats +#------------------------------------------------------------------------------ +# $File: biosig,v 1.4 2024/06/10 23:09:52 christos Exp $ +# file(1) magic for biomedical signal file formats # Copyright (C) 2018 Alois Schloegl # # The list has been derived from biosig projects diff --git a/polyfile/magic_defs/blender b/polyfile/magic_defs/blender index 5a897113..456e3f33 100644 --- a/polyfile/magic_defs/blender +++ b/polyfile/magic_defs/blender @@ -1,6 +1,5 @@ - #------------------------------------------------------------------------------ -# $File: blender,v 1.9 2022/12/21 15:53:27 christos Exp $ +# $File: blender,v 1.10 2026/01/10 14:38:14 christos Exp $ # blender: file(1) magic for Blender 3D related files # # Native format rule v1.2. For questions use the developers list @@ -13,13 +12,13 @@ # http://formats.kaitai.io/blender_blend/index.html # Note: called "Blender 3D data" by TrID # and gzip compressed variant handled by ./compress -0 string =BLENDER Blender3D, +0 string =BLENDER Blender3D #!:mime application/octet-stream !:mime application/x-blender !:ext blend # no sample found with extension blender #!:ext blend/blender ->7 string =_ saved as 32-bits +>7 string =_ pre-v5, saved as 32-bits >>8 string =v little endian >>>9 byte x with version %c. >>>10 byte x \b%c @@ -32,7 +31,7 @@ >>>11 byte x \b%c >>>0x40 string =GLOB \b. >>>>0x58 beshort x \b%.4d ->7 string =- saved as 64-bits +>7 string =- pre-v5, saved as 64-bits >>8 string =v little endian >>9 byte x with version %c. >>10 byte x \b%c @@ -46,5 +45,15 @@ >>>0x44 string =GLOB \b. >>>>0x60 beshort x \b%.4d +# Blender 5.0+ +>7 string =17 v5+, +>>10 byte x format version %c +>>>11 byte x \b%c +>>>>13 byte x app version %c +>>>>>14 byte x \b%c +>>>>>>15 byte x \b%c +>>>>>>>16 byte x \b%c +# + # Scripts that run in the embedded Python interpreter 0 string #!BPY Blender3D BPython script diff --git a/polyfile/magic_defs/bsdi b/polyfile/magic_defs/bsdi index 8499b0c9..d2fa6002 100644 --- a/polyfile/magic_defs/bsdi +++ b/polyfile/magic_defs/bsdi @@ -1,21 +1,26 @@ #------------------------------------------------------------------------------ -# $File: bsdi,v 1.7 2014/03/29 15:40:34 christos Exp $ +# $File: bsdi,v 1.9 2024/03/31 15:06:56 christos Exp $ # bsdi: file(1) magic for BSD/OS (from BSDI) objects # Some object/executable formats use the same magic numbers as are used # in other OSes; those are handled by entries in aout. # -0 lelong 0314 386 compact demand paged pure executable +0 lelong 0314 i386 compact demand paged pure executable >16 lelong >0 not stripped >32 byte 0x6a (uses shared libs) +# Update: Joerg Jenderek # same as in SunOS 4.x, except for static shared libraries +# Note: was also called "a.out SunOS SPARC demand paged" by ./sun v 1.28 0 belong&077777777 0600413 SPARC demand paged >0 byte &0x80 >>20 belong <4096 shared library >>20 belong =4096 dynamically linked executable >>20 belong >4096 dynamically linked executable +#!:mime application/x-foo-executable +# typically no file name suffix for executables +!:ext / >0 byte ^0x80 executable >16 belong >0 not stripped >36 belong 0xb4100001 (uses shared libs) diff --git a/polyfile/magic_defs/c-lang b/polyfile/magic_defs/c-lang index 7ea4c95f..4b203e6f 100644 --- a/polyfile/magic_defs/c-lang +++ b/polyfile/magic_defs/c-lang @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: c-lang,v 1.31 2022/12/01 22:04:33 christos Exp $ +# $File: c-lang,v 1.38 2025/05/30 13:36:08 christos Exp $ # c-lang: file(1) magic for C and related languages programs # # The strength is to beat standard HTML @@ -17,7 +17,7 @@ >>0 regex \^class[[:space:]]+ >>>&0 regex \\{[\.\*]\\}(;)?$ \b++ >>&0 clear x source text -!:strength + 13 +!:strength + 30 !:mime text/x-c 0 search/8192 pragma >0 regex \^#[[:space:]]*pragma C source text @@ -27,8 +27,7 @@ >>&0 regex \^#[[:space:]]*endif$ C source text !:mime text/x-c 0 search/8192 define ->0 regex \^#[[:space:]]*(if\|ifn)def ->>&0 regex \^#[[:space:]]*define C source text +>0 regex \^#[[:space:]]*define C source text !:mime text/x-c 0 search/8192 char >0 regex \^[[:space:]]*char(\ \\*|\\*)(.+)(=.*)?;[[:space:]]*$ C source text @@ -58,21 +57,21 @@ # C++ # The strength of these rules is increased so they beat the C rules above 0 search/8192 namespace ->0 regex \^namespace[[:space:]]+[_[:alpha:]]{1,30}[[:space:]]*\\{ C++ source text -!:strength + 30 +>0 regex \^namespace[[:space:]]+[_[:alpha:]]{1,20}[[:space:]]*\\{ C++ source text +!:strength + 45 !:mime text/x-c++ # using namespace [namespace] or using std::[lib] 0 search/8192 using >0 regex \^using[[:space:]]+(namespace\ )?std(::)?[[:alpha:]]*[[:space:]]*; C++ source text -!:strength + 30 +!:strength + 45 !:mime text/x-c++ 0 search/8192 template >0 regex \^[[:space:]]*template[[:space:]]*<.*>[[:space:]]*$ C++ source text -!:strength + 30 +!:strength + 45 !:mime text/x-c++ 0 search/8192 virtual >0 regex \^[[:space:]]*virtual[[:space:]]+.*[};][[:space:]]*$ C++ source text -!:strength + 30 +!:strength + 45 !:mime text/x-c++ # But class alone is reduced to avoid beating php (Jens Schleusener) 0 search/8192 class @@ -81,15 +80,15 @@ !:mime text/x-c++ 0 search/8192 public >0 regex \^[[:space:]]*public: C++ source text -!:strength + 30 +!:strength + 45 !:mime text/x-c++ 0 search/8192 private >0 regex \^[[:space:]]*private: C++ source text -!:strength + 30 +!:strength + 45 !:mime text/x-c++ 0 search/8192 protected >0 regex \^[[:space:]]*protected: C++ source text -!:strength + 30 +!:strength + 45 !:mime text/x-c++ # Objective-C @@ -98,13 +97,30 @@ !:strength + 25 !:mime text/x-objective-c + +# Typst +# https://github.com/typst/typst +0 regex \^[[:space:]]*#(import|include)[[:space:]]+"@[[:alnum:]-]+ Typst source text +!:strength + 45 +!:mime text/vnd.typst +!:ext typ +0 regex \^[[:space:]]*#(import|include)[[:space:]]+"[[:alnum:]]+.typ" Typst source text +!:strength + 45 +!:mime text/vnd.typst +!:ext typ +0 regex \^[[:space:]]*#(set|show|let) Typst source text +!:strength + 45 +!:mime text/vnd.typst +!:ext typ + + # From: Mikhail Teterin 0 string cscope cscope reference data >7 string x version %.2s # We skip the path here, because it is often long (so file will # truncate it) and mostly redundant. # The inverted index functionality was added some time between -# versions 11 and 15, so look for -q if version is above 14: +# versions 11 and 30, so look for -q if version is above 14: >7 string >14 >>10 search/100 \ -q\ with inverted index >10 search/100 \ -c\ text (non-compressed) diff --git a/polyfile/magic_defs/c64 b/polyfile/magic_defs/c64 index c91d7ded..36f30ab3 100644 --- a/polyfile/magic_defs/c64 +++ b/polyfile/magic_defs/c64 @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: c64,v 1.13 2022/11/21 22:25:37 christos Exp $ +# $File: c64,v 1.16 2024/03/07 22:30:21 christos Exp $ # c64: file(1) magic for various commodore 64 related files # # From: Dirk Jagdmann @@ -12,13 +12,32 @@ # C64 (and other CBM) cartridges # Extended by David Korth +# Update: Joerg Jenderek # Reference: https://vice-emu.sourceforge.io/vice_17.html#SEC391 +# http://ist.uwaterloo.ca/~schepers/formats/CRT.TTX +# http://mark0.net/download/triddefs_xml.7z/defs/c/crt-c64.trid.xml +# Note: called "C64 Cartridge image" by TrID and +# "CRT C64 Cartridge Image Format" by DROID via PUID fmt/822 -0 string C64\40CARTRIDGE Commodore 64 cartridge +0 string C64\40CARTRIDGE +# skip DROID fmt-822-signature-id-1179.crt with missing packet length +>0x44 ubelong >0x10 +>>0 use c64-crt +# display Commodore 64 cartridge information +0 name c64-crt +>0 string x Commodore 64 cartridge +#!:mime application/octet-stream +!:mime application/x-commodore-crt +!:ext crt +# http://mark0.net/download/triddefs_xml.7z/defs/c/car-ccs64.trid.xml +#!:ext crt/car >0x20 ubyte 0 \b, >0x20 ubyte !0 +# 32-byte null padded cartridge name like: "BUGS BUNNY" "CART64" "EasyFlash" "FINAL CARTRIDGE" "Magic Desk" "VICE CART" >>0x20 string/T x \b: "%.32s", +# cartridge hardware type >0x16 beshort 0 +# cartridge port EXROM line status >>0x18 beshort 0x0000 16 KB game >>0x18 beshort 0x0001 8 KB game >>0x18 beshort 0x0100 UltiMax mode @@ -59,6 +78,7 @@ >0x16 beshort 34 Capture >0x16 beshort 35 Action Replay 3 >0x16 beshort 36 +# cartridge Hardware Revision/Subtype (usually 0) (added in v1.01) >>0x1A ubyte 1 Nordic Replay >>0x1A ubyte !1 Retro Replay >0x16 beshort 37 MMC64 @@ -104,6 +124,24 @@ >0x16 beshort 75 IEEE Flash! 64 >0x16 beshort 76 Turtle Graphics II >0x16 beshort 77 Freeze Frame MK2 +>0x16 beshort 78 Partner 64 +# cartridge hardware type: (0-78) +>0x16 ubeshort >78 unknown type %#x +# Cartridge Hardware Revision/Subtype (usually 0 added in v1.01) +>>0x1A ubyte >0 revision %#x +# padded with 3 space characters for CRT but for CCS64 Cartridge (*.CAR) maybe different according to TrID +>14 ubeshort !0x2020 \b, at 14 %#x +# file header length like: 20h (reported wrong) 40h (default and minimum) +>0x10 ubelong !0x40 \b, header length %#x +# cartridge version like: 1.0 1.1 (adds CRT sub type/hardware revision) 2.0 (introduces VIC20, PLUS4, C128, CBM2) +>0x14 ubeshort !0x0100 +>>0x14 ubyte x \b, version %u +>>0x15 ubyte x \b.%u +# cartridge content start with ROM signature which must be CHIP +>0x40 ubelong !0x43484950 \b, invalid ROM signature +>>0x40 string x "%0.4s" +# total packet length (length of ROM image size and header combined) like: 2010h 4010h +>0x44 ubelong x \b, packet length %#x 0 string C128\40CARTRIDGE Commodore 128 cartridge >0x20 ubyte 0 \b, @@ -164,26 +202,112 @@ 0 belong 0xFF424CFF WRAptor packer (c64) -0 string C64S\x20tape\x20file T64 tape Image ->32 leshort x Version:%#x ->36 leshort !0 Entries:%i ->40 string x Name:%.24s - -0 string C64\x20tape\x20image\x20file\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0 T64 tape Image ->32 leshort x Version:%#x ->36 leshort !0 Entries:%i ->40 string x Name:%.24s - -0 string C64S\x20tape\x20image\x20file\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0 T64 tape Image ->32 leshort x Version:%#x ->36 leshort !0 Entries:%i ->40 string x Name:%.24s +# URL: http://fileformats.archiveteam.org/wiki/T64 +# Reference: http://ist.uwaterloo.ca/~schepers/formats/T64.TXT +# https://vice-emu.sourceforge.io/vice_16.html#SEC394 +# https://www.infinite-loop.at/Power64/Documentation/Power64-ReadMe/AE-File_Formats.html +# http://mark0.net/download/triddefs_xml.7z/defs/e/emu-t64.trid.xml +# Note: called "Commodore 64 Tape container" by TrID, "T64 Tape Image Format" by DROID via PUID fmt/820 and +# "T64 tape Image" by ./c64,v 1.14 +# verified by command like `deark -m t64 -l -d2 Caitan_the_Demo.t64` and +# `cbmconvert -v2 -t -D4 ironmanoffroad.d64 ironmanoffroad.t64` +# 32 byte signature starting like C64S\x20tape\x20file +# C64\x20tape\x20image\x20file\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0 +# C64S\x20tape\x20image\x20file\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0 +0 string/b C64 +# skip raw Commodore TAPe by check for unsed areas (\0 filled) and valid low (40h+m*20h; m=0-FFffh) offset +>0x46 ubequad&0xFFff1F00C0ffFFff 0 Commodore Tape image +#!:mime application/octet-stream +#!:mime application/x-commodore-tape +!:ext t64 +# version like: 0100h (examples found) 0101h 0200h (no examples) +>>32 leshort x Version:%#x +#>>32 leshort !0x0100 Version:%#x +# number of used directory entries like: 0 1 2 5 +>>36 leshort !0 Entries:%i +# tape container name, 24 characters (padded with 20h but with A0h for DirMaster created samples) like: +# ->ZYRON'S PD<- IMAGETAPE MY-T64-TEST\240\240\240 OPERATIONWOLF+3-711.T64 +>>40 string/24/Tb >\040 Name:%.24s +# MaxFiles; maximal directory entries like: 0 1 2 5 30 (=1Eh some emulators expect exactly this value) 31 32 +>>34 uleshort x MaxFiles:%u +# 1st C64 filetype: 0~free 1~normal tape file 2~tape file with header 3~memory snapshot 4~tape block 5~digitized stream 6-255~reserved +>>0x40 ubyte !1 \b, C64 file type %#x +# 1st start address or load address of first entry like: 0000 (empty|snapshot) 04a0h (ironmanoffroad.t64) 0801h (typically) 1201h (3501_quizmaster_program_s1.t64) +>>0x42 uleshort !0x0801 \b, load address %#4.4x +# 1st actual end address in memory +>>0x44 uleshort x \b, end address %#4.4x +# reserved; must be 0 +>>0x26 ubeshort !0 \b, at +0x26 %#x +# not used like: 0 (examples found and according to TrID) +>>0x46 ubeshort !0 \b, at 0x46 %#4.4x +# not used like: 0 (examples found and according to TrID) +>>0x4c ubelong !0 \b, at 0x4C %#8.8x +# offset (=64+32*m) into 1st container file like: 0 (empty) 60h 80h E0h 400h 440h ... +>>0x48 ulelong >0 \b, at %#x +# 1st filename (in PETASCII, padded with 20h, not A0h) like: "DRILLINSTR. /HTL" "WIZBALL+ " ... +>>>0x50 string/16/bT x "%0.16s" +# https://www.lyonlabs.org/commodore/onrequest/Inside_Commodore_Dos.pdf +# file type like: 0~Scratched 1~SEQunclosed 81h~SEQ 82h~PRG C2h~PRGlocked ... +>>>0x41 ubyte x +>>>>0x41 ubyte =0x00 Scratched type +>>>>0x41 ubyte =0x01 SEQ unclosed type +#>>>>0x41 ubyte =0x44 foo type +>>>>0x41 ubyte =0x80 DEL type +>>>>0x41 ubyte =0x81 SEQ type +>>>>0x41 ubyte =0x82 PRG type +>>>>0x41 ubyte =0x83 USR type +>>>>0x41 ubyte =0x84 REL type +>>>>0x41 ubyte =0xC2 PRG locked type +# other unusual file type +>>>>0x41 default x +>>>>>0x41 ubyte x %#2.2x type +# inspect 1st entry content (often Commodore C64 BASIC program *.PRG) without load adress +#>>(0x48.l) ubequad x \b, 1st data %16.16llx... # Raw tape file format (.tap files) # Esa Hyyti -0 string C64-TAPE-RAW C64 Raw Tape File (.tap), +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Tap_file +# https://vice-emu.sourceforge.io/vice_16.html#SEC392 +# Reference: http://ist.uwaterloo.ca/~schepers/formats/TAP.TXT +# Note: called "TAP (Commodore 64)" by DROID via PUID fmt/802 +# a variant starting with C16-TAPE-RAW should exist, but no examples found +0 string/b C64-TAPE-RAW Commodore raw Tape image (platform +#0 string C64-TAPE-RAW C64 Raw Tape File (.tap), +#!:mime application/octet-stream +!:mime application/x-commodore-tape +!:ext tap +# According to TrID als raw suffix, but no such samples found +#!:ext tap/raw +# computer platform like: 0~C64 1~VIC-20 2~C16 Plus/4 3~PET 4~C5x0 5~C6x0 C7x0 +>0xD ubyte 0 C64 +>0xD ubyte 1 VIC-20 +>0xD ubyte 2 C16 Plus/4 +>0xD ubyte 3 PET +>0xD ubyte 4 C5x0 +>0xD ubyte 5 C6x0 C7x0 +# this should not happen! +>0xD ubyte >5 %#2.2x +>0xD ubyte x \b), +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/t/tap.trid.xml +# http://mark0.net/download/triddefs_xml.7z/defs/t/tap-1.trid.xml +# Note: called "C64 Tape image format" (v0-original) (v1-updated)" by TrID +# TAP version like: 0~OriginalLayout 1~Updated (often) >0x0c byte x Version:%u, +# file data size (not including header) >0x10 lelong x Length:%u cycles +# video standard like: 0~PAL 1~NTSC 2~OLD NTSC 3~PALN +>0xE ubyte x \b, video +>0xE ubyte 0 PAL +>0xE ubyte 1 NTSC +>0xE ubyte 2 old NTSC +>0xE ubyte 3 PALN +# this should not happen! +>0xE ubyte >3 %#2.2x +# reserved for future expansion like: 0 +>0xF ubyte !0 \b, at 0xF %#2.2x +# file data +#>014 ubequad x \b, data %16.16llx # magic for Goattracker2, http://covertbitops.c64.org/ # from Alex Myczko @@ -203,6 +327,8 @@ # TODO: unify Commodore BASIC/program sub routines # Note: "PUCrunch archive data" moved from ./archive and merged with c64-exe 0 leshort 0x0801 +# display Commodore C64 BASIC program (strength=50) after "Lynx archive" (strength=330) handled by ./archive +#!:strength +0 # if first token is not SYS this implies BASIC program in most cases >6 ubyte !0x9e # but sELF-ExTRACTING-zIP executable unzp6420.prg contains SYS token at end of second BASIC line (at 0x35) @@ -499,33 +625,49 @@ # pointer to memory address of beginning of "next" BASIC line # greater then previous offset but maximal 100h difference >0 uleshort x \b, offset %#4.4x +# offset 0x0000 indicates the end of BASIC program; so bytes afterwards may be some other data +>0 uleshort 0 +# not line number but first 2 data bytes +>>2 ubeshort x \b, data %#4.4x +# not token but next 2 data bytes +>>4 ubeshort x \b%4.4x +# not token arguments but next data bytes +>>6 ubequad x \b%16.16llx +>>14 ubequad x \b%16.16llx... +# like 0x0d20352020204c594e5820495820204259205749 "\r 5 LYNX IX BY WILL CORLEY" for LyNX archive Darkon.lnx handled by ./archive +#>>3 string x "%-0.30s" +>0 uleshort >0 # BASIC line number with range from 0 to 65520; practice to increment numbers by some value (5, 10 or 100) ->2 uleshort x \b, line %u +>>2 uleshort x \b, line %u # https://www.c64-wiki.com/wiki/BASIC_token # The "high-bit" bytes from #128-#254 stood for the various BASIC commands and mathematical operators ->4 ubyte x \b, token (%#x) +>>4 ubyte x \b, token (%#x) # https://www.c64-wiki.com/wiki/REM ->4 string \x8f REM +>>4 string \x8f REM # remark string like: ** SYNTHESIZER BY RICOCHET ** ->>5 string >\0 %s -#>>>&1 uleshort x \b, NEXT OFFSET %#4.4x +>>>5 string >\0 %s +#>>>>&1 uleshort x \b, NEXT OFFSET %#4.4x # https://www.c64-wiki.com/wiki/PRINT ->4 string \x99 PRINT +>>4 string \x99 PRINT # string like: "Hello world" "\021 \323ELF-E\330TRACTING-\332IP (64 ONLY)\016\231":\2362141 ->>5 string x %s -#>>>&0 ubequad x AFTER_PRINT=%#16.16llx +>>>5 string x %s +#>>>>&0 ubequad x AFTER_PRINT=%#16.16llx # https://www.c64-wiki.com/wiki/POKE ->4 string \x97 POKE +>>4 string \x97 POKE # , ->>5 regex \^[0-9,\040]+ %s +>>>5 regex \^[0-9,\040]+ %s +# BASIC command delimiter colon (:=3Ah) +>>>>&-2 ubyte =0x3A +# after BASIC command delimiter colon remaining (<255) other tokenized BASIC commands +>>>>>&0 string x "%s" # https://www.c64-wiki.com/wiki/SYS 0x9e=\236 ->4 string \x9e SYS +>>4 string \x9e SYS # SYS
parameter is a 16-bit unsigned integer; in the range 0 - 65535 ->>5 regex \^[0-9]{1,5} %s +>>>5 regex \^[0-9]{1,5} %s # maybe followed by spaces, "control-characters" or colon (:) followed by next commnds or in victracker.prg # (\302(43)\252256\254\302(44)\25236) /T.L.R/ -#>>5 string x SYS_STRING="%s" +#>>>5 string x SYS_STRING="%s" # https://www.c64-wiki.com/wiki/GOSUB ->4 string \x8d GOSUB +>>4 string \x8d GOSUB # ->>5 string >\0 %s +>>>5 string >\0 %s diff --git a/polyfile/magic_defs/cafebabe b/polyfile/magic_defs/cafebabe index 4f97cc03..eb28a4b2 100644 --- a/polyfile/magic_defs/cafebabe +++ b/polyfile/magic_defs/cafebabe @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: cafebabe,v 1.28 2022/07/01 23:24:47 christos Exp $ +# $File: cafebabe,v 1.31 2024/08/30 16:53:22 christos Exp $ # Cafe Babes unite! # # Since Java bytecode and Mach-O universal binaries have the same magic number, @@ -14,10 +14,47 @@ # (and use as a hack). Let's not use 18, because the Mach-O people # might add another one or two as time goes by... # + +### MACH-O START ### +# URL: https://en.wikipedia.org/wiki/Mach-O + +0 name mach-o \b [ +# for debugging purpose CPU type as hexadecimal +#>0 ubequad x CPU=%16.16llx +# display CPU type as string like: i386 x86_64 ... armv7 armv7k ... +>0 use mach-o-cpu \b +# for debugging purpose print offset to 1st mach_header like: +# 1000h 4000h seldom 2d000h 88000h 5b000h 10e000 h +#>8 ubelong x at %#x offset +>(8.L) indirect x \b: +>0 belong x \b] + +# Reference: https://opensource.apple.com/source/cctools/cctools-949.0.1/ +# include/mach-o/fat.h +# include/mach/machine.h +0 belong 0xcafebabe +>4 belong 1 Mach-O universal binary with 1 architecture: +!:mime application/x-mach-binary +>>8 use mach-o \b +# nfat_arch; number of CPU architectures; highest is 18 for CPU_TYPE_POWERPC in 2020 +>4 ubelong >1 +>>4 ubelong <20 Mach-O universal binary with %d architectures: +!:mime application/x-mach-binary +>>>8 use mach-o \b +>>>4 ubelong >1 +>>>>28 use mach-o \b +>>>4 ubelong >2 +>>>>48 use mach-o \b +>>>4 ubelong >3 +>>>>68 use mach-o \b +>>>4 ubelong >4 +>>>>88 use mach-o \b +>>>4 ubelong >5 +>>>>108 use mach-o \b +### MACH-O END ### ### JAVA START ### # Reference: http://en.wikipedia.org/wiki/Java_class_file # Update: Joerg Jenderek -0 belong 0xcafebabe >4 ubelong >30 compiled Java class data, !:mime application/x-java-applet #!:mime application/java-byte-code @@ -50,58 +87,20 @@ >>4 belong 0x003E (Java SE 18) >>4 belong 0x003F (Java SE 19) >>4 belong 0x0040 (Java SE 20) +>>4 belong 0x0041 (Java SE 21) +>>4 belong 0x0042 (Java SE 22) +>>4 belong 0x0043 (Java SE 23) +>>4 belong 0x0044 (Java SE 24) +>>4 belong 0x0045 (Java SE 25) +>>4 belong 0x0046 (Java SE 26) # pool count unequal zero #>>8 beshort x \b, pool count %#x # pool table #>>10 ubequad x \b, pool %#16.16llx... -0 belong 0xcafed00d JAR compressed with pack200, ->5 byte x version %d. ->4 byte x \b%d -!:mime application/x-java-pack200 - - 0 belong 0xcafed00d JAR compressed with pack200, >5 byte x version %d. >4 byte x \b%d !:mime application/x-java-pack200 ### JAVA END ### -### MACH-O START ### -# URL: https://en.wikipedia.org/wiki/Mach-O - -0 name mach-o \b [ -# for debugging purpose CPU type as hexadecimal -#>0 ubequad x CPU=%16.16llx -# display CPU type as string like: i386 x86_64 ... armv7 armv7k ... ->0 use mach-o-cpu \b -# for debugging purpose print offset to 1st mach_header like: -# 1000h 4000h seldom 2d000h 88000h 5b000h 10e000 h -#>8 ubelong x at %#x offset ->(8.L) indirect x \b: ->0 belong x \b] - -# Reference: https://opensource.apple.com/source/cctools/cctools-949.0.1/ -# include/mach-o/fat.h -# include/mach/machine.h -0 belong 0xcafebabe ->4 belong 1 Mach-O universal binary with 1 architecture: -!:mime application/x-mach-binary ->>8 use mach-o \b -# nfat_arch; number of CPU architectures; highest is 18 for CPU_TYPE_POWERPC in 2020 ->4 ubelong >1 ->>4 ubelong <20 Mach-O universal binary with %d architectures: -!:mime application/x-mach-binary ->>>8 use mach-o \b ->>>4 ubelong >1 ->>>>28 use mach-o \b ->>>4 ubelong >2 ->>>>48 use mach-o \b ->>>4 ubelong >3 ->>>>68 use mach-o \b ->>>4 ubelong >4 ->>>>88 use mach-o \b ->>>4 ubelong >5 ->>>>108 use mach-o \b - -### MACH-O END ### diff --git a/polyfile/magic_defs/cbor b/polyfile/magic_defs/cbor index c780dc65..75c09a1c 100644 --- a/polyfile/magic_defs/cbor +++ b/polyfile/magic_defs/cbor @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: cbor,v 1.1 2015/01/28 01:05:21 christos Exp $ +# $File: cbor,v 1.2 2024/09/04 19:06:12 christos Exp $ # cbor: file(1) magic for CBOR files as defined in RFC 7049 0 string \xd9\xd9\xf7 Concise Binary Object Representation (CBOR) container @@ -13,7 +13,7 @@ >3 ubyte <0x80 >>3 ubyte >0x5f (text string) >3 ubyte <0xa0 ->3 ubyte >0x7f (array) +>>3 ubyte >0x7f (array) >3 ubyte <0xc0 >>3 ubyte >0x9f (map) >3 ubyte <0xe0 diff --git a/polyfile/magic_defs/cisco b/polyfile/magic_defs/cisco index 0279bbb5..e5ec85f5 100644 --- a/polyfile/magic_defs/cisco +++ b/polyfile/magic_defs/cisco @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: cisco,v 1.4 2009/09/19 16:28:08 christos Exp $ +# $File: cisco,v 1.5 2025/05/28 14:02:37 christos Exp $ # cisco: file(1) magic for cisco Systems routers # # Most cisco file-formats are covered by the generic elf code @@ -10,3 +10,8 @@ >7 string >\0 for '%s' 0 belong&0xffffff00 0x8501cb00 cisco IOS experimental microcode >7 string >\0 for '%s' + +0 string/b MZIP Cisco IOS mzip compressed data +>0x4 belong x \b, version %d +>0x8 belong x \b, entry point %#x +!:ext bin diff --git a/polyfile/magic_defs/claris b/polyfile/magic_defs/claris index 6a1b68fb..3230bda2 100644 --- a/polyfile/magic_defs/claris +++ b/polyfile/magic_defs/claris @@ -1,8 +1,10 @@ #------------------------------------------------------------------------------ -# $File: claris,v 1.8 2016/07/18 19:23:38 christos Exp $ +# $File: claris,v 1.9 2024/07/07 14:36:49 christos Exp $ # claris: file(1) magic for claris # "H. Nanosecond" +# Update: Joerg Jenderek 2024 May +# URL: https://en.wikipedia.org/wiki/AppleWorks # Claris Works a word processor, etc. # Version 3.0 @@ -12,8 +14,14 @@ #0001000 #010 250 377 377 377 377 000 213 000 230 000 021 002 377 014 000 #null to byte 1000 octal 514 string \377\377\377\377\000 +# https://sembiance.com/fileFormatSamples/image/pict/ +# Claris clip art (strength=80) after few Macintosh QuickDraw (strength=81=70+11 ./images) with corner coordinates -1/-1 and Y=0x00?? like PICT_2012.pict +#!:strength +0 >0 string \0\0\0\0\0\0\0\0\0\0\0\0\0 Claris clip art 514 string \377\377\377\377\001 +# https://sembiance.com/fileFormatSamples/image/pict/ +# Claris clip art (strength=80) after few Macintosh QuickDraw (strength=81=70+11 ./images) with corner coordinates -1/-1 and Y=0x01?? like PICT_129.pict +#!:strength +0 >0 string \0\0\0\0\0\0\0\0\0\0\0\0\0 Claris clip art # Claris works files diff --git a/polyfile/magic_defs/coff b/polyfile/magic_defs/coff index 5123b721..d42b9ebe 100644 --- a/polyfile/magic_defs/coff +++ b/polyfile/magic_defs/coff @@ -1,49 +1,92 @@ #------------------------------------------------------------------------------ -# $File: coff,v 1.7 2022/11/21 22:30:22 christos Exp $ +# $File: coff,v 1.15 2024/11/10 18:54:33 christos Exp $ # coff: file(1) magic for Common Object Files not specific to known cpu types or manufactures # # COFF # -# by Joerg Jenderek at Oct 2015, Feb 2021 +# by Joerg Jenderek at Oct 2015, Feb 2021, Mar 2024 # https://en.wikipedia.org/wiki/COFF # https://de.wikipedia.org/wiki/Common_Object_File_Format # http://www.delorie.com/djgpp/doc/coff/filhdr.html +# https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#coff-file-header-object-and-image +# https://formats.kaitai.io/uefi_te/index.html + +# Display COFF processor type, including MS COFF and PE/COFF +0 name display-coff-processor +# PE/COFF, DJGPP, i386 COFF executable, MS Windows COFF Intel i386 object file (./intel) +>0 uleshort 0x014c Intel i386 +>0 uleshort 0x014d Intel i860 +>0 uleshort 0x0160 MIPS R3000 (big-endian) +>0 uleshort 0x0162 MIPS R3000 +>0 uleshort 0x0166 MIPS R4000 +>0 uleshort 0x0168 MIPS R10000 +>0 uleshort 0x0169 MIPS WCE v2 +>0 uleshort 0x0184 Alpha 32-bit +>0 uleshort 0x01a2 Hitachi SH3 +>0 uleshort 0x01a3 Hitachi SH3 DSP +>0 uleshort 0x01a4 Hitachi SH4E +>0 uleshort 0x01a6 Hitachi SH4 +>0 uleshort 0x01a8 Hitachi SH5 +>0 uleshort 0x01c0 ARMv4 +>0 uleshort 0x01c2 ARMv4T +>0 uleshort 0x01c4 ARMv7 +>0 uleshort 0x01d3 Matsushita AM33 +# executable (RISC System/6000 V3.1) or obj module (./ibm6000 v 1.15), not PE/COFF +>0 uleshort 0x01df RISC System/6000 +>0 uleshort 0x01f0 PowerPC 32-bit (little-endian) +>0 uleshort 0x01f1 PowerPC 32-bit with FPU (little-endian) +>0 uleshort 0x01f2 PowerPC 64-bit (big-endian) +>0 uleshort 0x0200 Intel Itanium +>0 uleshort 0x0266 MIPS16 +>0 uleshort 0x0268 Motorola 68000 +>0 uleshort 0x0284 Alpha 64-bit +>0 uleshort 0x0290 PA-RISC +>0 uleshort 0x0366 MIPS with FPU +>0 uleshort 0x0466 MIPS16 with FPU +# Hitachi SH big-endian COFF (./hitachi-sh), not PE/COFF +>0 uleshort 0x0500 Hitachi SH (big-endian) +>0 uleshort 0x0520 Tricore +# Hitachi SH little-endian COFF (./hitachi-sh), not PE/COFF +>0 uleshort 0x0550 Hitachi SH (little-endian) +>0 uleshort 0x0601 PowerPC 32-bit (big-endian) +# Windows CE 3.0 Common Executable Format, created by linkcef.exe with /MACHINE:CEF flag +# https://web.archive.org/web/20000819035046/http://microsoft.com/windows/embedded/ce/downloads/cef.asp +# https://web.archive.org/web/20000914080342/http://microsoft.com/windows/embedded/ce/developer/applications/appdevelopment/cef2.asp +# https://web.archive.org/web/20021022055906/http://msdn.microsoft.com/library/en-us/dnce30/html/cef2.asp +>0 uleshort 0x0cef Common Executable Format +>0 uleshort 0x0ebc EFI byte code +>0 uleshort 0x3a64 ARM64 (i386 ABI) +>0 uleshort 0x5032 RISC-V 32-bit +>0 uleshort 0x5064 RISC-V 64-bit +>0 uleshort 0x5128 RISC-V 128-bit +>0 uleshort 0x6232 LoongArch 32-bit +>0 uleshort 0x6264 LoongArch 64-bit +>0 uleshort 0x8664 x86-64 +>0 uleshort 0x9041 Mitsubishi M32R +>0 uleshort 0xa641 ARM64 (x86-64 ABI) +>0 uleshort 0xa64e ARM64 (classic + x86-64 ABI) +# PE/COFF ARM64 classic ABI, ARM COFF (./arm) +>0 uleshort 0xaa64 ARM64 +>0 uleshort 0xace1 OMNI VM (omniprox.dll) +# Processor type CEE can be only in object files (created by older ilasm.exe with /OBJECT flag), not in PE executables +>0 uleshort 0xc0ee COM+ Execution Engine +>0 default x Unknown processor +>>0 uleshort x 0x%04x # display name+variables+flags of Common Object Files Format (32bit) # Maybe used also in adi,att3b,clipper,hitachi-sh,hp,ibm6000,intel, # mips,motorola,msdos,osf1,sharc,varied.out,vax 0 name display-coff -# test for unused flag bits (0x8000,0x0800,0x0400,0x0200,x0080) in f_flags ->18 uleshort&0x8E80 0 +# test for unused flag bits (0x8000,x0080) in f_flags +# flag bits (0x0800,0x0400,0x0200) now seems to be used in RISC System/6000 V3.1 +>18 uleshort&0x8080 0 # skip DOCTOR.DAILY READER.NDA REDBOX.ROOT by looking for positive number of sections >>2 uleshort >0 # skip ega80woa.fnt svgafix.fnt HP3FNTS1.DAT HP3FNTS2.DAT INTRO.ACT LEARN.PIF by looking for low number of sections >>>2 uleshort <4207 ->>>>0 clear x # f_magic - magic number -# DJGPP, 80386 COFF executable, MS Windows COFF Intel 80386 object file (./intel) ->>>>0 uleshort 0x014C Intel 80386 -# Hitachi SH big-endian COFF (./hitachi-sh) ->>>>0 uleshort 0x0500 Hitachi SH big-endian -# Hitachi SH little-endian COFF (./hitachi-sh) ->>>>0 uleshort 0x0550 Hitachi SH little-endian -# executable (RISC System/6000 V3.1) or obj module (./ibm6000) -#>>>>0 uleshort 0x01DF -# MS Windows COFF Intel Itanium, AMD64 -# https://msdn.microsoft.com/en-us/library/windows/desktop/ms680313(v=vs.85).aspx ->>>>0 uleshort 0x0200 Intel ia64 ->>>>0 uleshort 0x8664 Intel amd64 -# ARM COFF (./arm) ->>>>0 uleshort 0xaa64 Aarch64 ->>>>0 uleshort 0x01c0 ARM ->>>>0 uleshort 0xa641 ARM64EC ->>>>0 uleshort 0x01c2 ARM Thumb ->>>>0 uleshort 0x01c4 ARMv7 Thumb -# TODO for other COFFs -#>>>>0 uleshort 0xABCD COFF_TEMPLATE ->>>>0 default x ->>>>>0 uleshort x type %#04x +>>>>0 use display-coff-processor >>>>0 uleshort x COFF # F_EXEC flag bit >>>>18 leshort ^0x0002 object file @@ -53,6 +96,9 @@ #!:ext cof/o/obj/lib >>>>18 leshort &0x0002 executable #!:mime application/x-coffexec +!:mime application/x-coff-executable +# typically no file name suffix for executables +!:ext / # F_RELFLG flag bit,static object >>>>18 leshort &0x0001 \b, no relocation info # F_LNNO flag bit @@ -79,16 +125,39 @@ # like: 0 2 7 9 10 11 20 35 41 63 71 80 105 146 153 158 170 208 294 572 831 1546 >>>>12 ulelong >0 \b, %d symbols # f_opthdr - optional header size. An object file should have a value of 0 +# like: 72 (IBM\HH\HYPERHLP) >>>>16 uleshort >0 \b, optional header size %u -# f_timdat - file time & date stamp only for little endian +# f_timdat - file time & date stamp >>>>4 ledate >0 \b, created %s # at offset 20 can be optional header, extra bytes FILHSZ-20 because # do not rely on sizeof(FILHDR) to give the correct size for header. # or first section header # additional variables for other COFF files >>>>16 uleshort =0 -# first section name s_name[8] like: .text .data .debug$S .drectve .testseg ->>>>>20 string x \b, 1st section name "%.8s" +# most section names start with point character except samples created by "exotic" compilers +# first section name s_name[8] like: .text .data .debug$S .drectve .testseg .rsrc .rsrc$01 .pad +>>>>>(16.s+20) string x \b, 1st section name "%.8s" +# physical address s_paddr like: 0 +#>>>>>(16.s+28) lelong !0 \b, s_paddr %#8.8x +# virtual address s_vaddr like: 0 +#>>>>>(16.s+32) lelong !0 \b, s_vaddr %#8.8x +# section size s_size +#>>>>>(16.s+36) lelong x \b, s_size %#8.8x +# file ptr to raw data for section s_scnpt +#>>>>>(16.s+40) lelong x \b, s_scnpt %#8.8x +# file ptr to relocation s_relptr like: 0 +#>>>>>(16.s+44) lelong !0 \b, s_relptr %#8.8x +# file ptr to gp histogram s_lnnoptr like: 0 +#>>>>>(16.s+48) lelong !0 \b, s_lnnoptr %#8.8x +# number of relocation entries s_nreloc like: 0 1 2 5 6 8 19h 26h 27h 38h 50h 5Fh 89h Dh 1Ch 69h A9h 1DCh 651h +#>>>>>(16.s+52) uleshort x \b, s_nreloc %#4.4x +# number of gp histogram entries s_nlnno like: 0 +#>>>>>(16.s+54) uleshort !0 \b, s_nlnno %#4.4x +# flags s_flags +#>>>>>(16.s+56) lelong x \b, s_flags %#8.8x +# second section name s_name[8] like: .bss .data .debug$S .rsrc$01 +>>>>2 uleshort >1 +>>>>>(16.s+60) string x \b, 2nd section name "%.8s" # >20 beshort 0407 (impure) # >20 beshort 0410 (pure) # >20 beshort 0413 (demand paged) @@ -96,3 +165,53 @@ # >22 leshort >0 - version %d # >168 string .lowmem Apple toolbox +# PowerPC COFF object file or executable +0 leshort 0x01f0 +>16 leshort 0 +>>0 use display-coff +# can be created by: LINK.EXE /MACHINE:powerpc /ROM +>16 leshort !0 +>>18 leshort &0x0002 +>>>20 leshort 0x010b +>>>>0 use display-coff +0 leshort 0x01f1 +>16 leshort 0 +>>0 use display-coff +0 leshort 0x01f2 +>16 leshort 0 +>>0 use display-coff +0 leshort 0x0601 +>16 leshort 0 +>>0 use display-coff +# can be created by: LINK.EXE /MACHINE:MPPC /ROM +>16 leshort !0 +>>18 leshort &0x0002 +>>>20 leshort 0x010b +>>>>0 use display-coff + +0 name display-subsystem +>0 ubyte 0 unknown +>0 ubyte 1 native +>0 ubyte 2 windows_gui +>0 ubyte 3 windows_cui +>0 ubyte 7 posix_cui +>0 ubyte 9 windows_ce_gui +>0 ubyte 10 efi_application +>0 ubyte 11 efi_boot_service_driver +>0 ubyte 12 efi_runtime_driver +>0 ubyte 13 efi_rom +>0 ubyte 14 xbox +>0 ubyte 16 windows_boot-application +>0 default x Unknown subsystem +>>0 ubyte x %#x + + +# https://formats.kaitai.io/uefi_te/index.html +0 string VZ TE (Terse Executable) file +>2 use display-coff-processor +>4 byte x \b, sections %d +>5 use display-subsystem +>6 uleshort x \b, stripped-size %u +>8 ulelong x \b, entry %#x +>12 ulelong x \b, base_of_code %#x +>16 ulequad x \b, image_base %#llx diff --git a/polyfile/magic_defs/commands b/polyfile/magic_defs/commands index 6ad87fd7..29289775 100644 --- a/polyfile/magic_defs/commands +++ b/polyfile/magic_defs/commands @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: commands,v 1.73 2022/11/06 18:39:23 christos Exp $ +# $File: commands,v 1.81 2025/05/30 13:55:02 christos Exp $ # commands: file(1) magic for various shells and interpreters # #0 string/w : shell archive or script for antique kernel text @@ -67,6 +67,15 @@ !:mime text/x-awk 0 regex/4096 =^[\040\t\f\r\n]{0,100}BEGIN[\040\t\f\r\n]{0,100}[{] awk or perl script text +0 string/fwt #!\ /bin/lua Lua script text executable +!:mime text/x-lua +0 string/fwt #!\ /usr/bin/lua Lua script text executable +!:mime text/x-lua +0 string/fwt #!\ /usr/bin/env\ lua Lua script text executable +!:mime text/x-lua +0 string/fwt #!\ /bin/env\ lua Lua script text executable +!:mime text/x-lua + # AT&T Bell Labs' Plan 9 shell 0 string/fwt #!\ /bin/rc Plan 9 rc shell script text executable @@ -89,6 +98,13 @@ !:mime text/x-shellscript 0 string/fwt #!\ /usr/bin/env\ bash Bourne-Again shell script text executable !:mime text/x-shellscript +0 string/fwt #!\ /bin/env\ bash Bourne-Again shell script text executable +!:mime text/x-shellscript + +0 string/fwt #!\ /bin/dash Dash shell script text executable +!:mime text/x-shellscript +0 string/fwt #!\ /usr/bin/dash Dash shell script text executable +!:mime text/x-shellscript # Fish shell magic # From: Benjamin Lowry @@ -104,12 +120,18 @@ 0 search/1/fwt #!\ /usr/bin/texlua LuaTex script text executable !:mime text/x-luatex +0 search/1/fwt #!\ /usr/bin/env\ texlua LuaTex script text executable +!:mime text/x-luatex +0 search/1/fwt #!\ /bin/env\ texlua LuaTex script text executable +!:mime text/x-luatex 0 search/1/fwt #!\ /usr/bin/luatex LuaTex script text executable !:mime text/x-luatex 0 search/1/fwt #!\ /usr/bin/stap Systemtap script text executable !:mime text/x-systemtap +0 search/1/fwt #!\ /sbin/openrc-run OpenRC script text executable +!:mime text/x-shellscript # From: Kylie McClain # Type: execline scripts @@ -127,20 +149,23 @@ >0 regex \^#!.*/bin/execlineb([[:space:]].*)*$ execline script text executable !:mime text/x-execline +0 string #!/nix/store/ +>&-11 string/T x a %s script text executable + # PHP scripts # Ulf Harnhammar 0 search/1/c = diff --git a/polyfile/magic_defs/compress b/polyfile/magic_defs/compress index 97a51939..78395c52 100644 --- a/polyfile/magic_defs/compress +++ b/polyfile/magic_defs/compress @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: compress,v 1.90 2023/04/24 17:26:56 christos Exp $ +# $File: compress,v 1.96 2024/11/09 23:47:04 christos Exp $ # compress: file(1) magic for pure-compression formats (no archives) # # compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, etc. @@ -203,6 +203,7 @@ # lzop from 0 string \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a lzop compressed data !:ext lzo +!:mime application/x-lzop >9 beshort <0x0940 >>9 byte&0xf0 =0x00 - version 0. >>9 beshort&0x0fff x \b%03x, @@ -288,10 +289,10 @@ # https://github.com/ckolivas/lrzip/blob/master/doc/magic.header.txt 0 string LRZI LRZIP compressed data +!:mime application/x-lrzip >4 byte x - version %d >5 byte x \b.%d >22 byte 1 \b, encrypted -!:mime application/x-lrzip # https://fastcompression.blogspot.fi/2013/04/lz4-streaming-format-final.html 0 lelong 0x184d2204 LZ4 compressed data (v1.4+) @@ -376,18 +377,15 @@ 0 string ArC\x01 FreeArc archive -# Type: DACT compressed files -0 long 0x444354C3 DACT compressed data ->4 byte >-1 (version %i. ->5 byte >-1 %i. ->6 byte >-1 %i) ->7 long >0 , original size: %i bytes ->15 long >30 , block size: %i bytes - # Valve Pack (VPK) files +# https://developer.valvesoftware.com/wiki/VPK_(file_format)#File_Format 0 lelong 0x55aa1234 Valve Pak file >0x4 lelong x \b, version %u ->0x8 lelong x \b, %u entries +>0x8 lelong x \b, tree size %u +>0x12 lelong x \b, file data size %u +>0x16 lelong x \b, archive MD5 size %u +>0x20 lelong x \b, other MD5 size %u +>0x24 lelong x \b, signature size %u # Snappy framing format # https://code.google.com/p/snappy/source/browse/trunk/framing_format.txt @@ -424,11 +422,6 @@ 0 string bvx2 lzfse compressed, compressed tables 0 string bvxn lzfse encoded, lzvn compressed -# pcxLib.exe compression program -# http://www.shikadi.net/moddingwiki/PCX_Library -0 string/b pcxLib ->0x0A string/b Copyright\020(c)\020Genus\020Microprogramming,\020Inc. pcxLib compressed - # https://support-docs.illumina.com/SW/ORA_Format_Specification/Content/SW/ORA/ORAFormatSpecification.htm 0 uleshort 0x7c49 >2 lelong 0x80 ORA FASTQ compressed file @@ -459,3 +452,7 @@ >-125 u8 x NB reads: %llu, >-109 u8 x NB bases: %llu. >-219 u4&0x02 2 File contains interleaved paired reads + +# https://github.com/xamarin/xamarin-android/pull/4686 +0 string XALZ Xamarin LZ4-compressed assembly +>8 ulelong x \b, uncompressed size %u diff --git a/polyfile/magic_defs/console b/polyfile/magic_defs/console index b14c4e8d..a4357b3e 100644 --- a/polyfile/magic_defs/console +++ b/polyfile/magic_defs/console @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: console,v 1.71 2022/12/24 22:31:58 christos Exp $ +# $File: console,v 1.81 2026/01/31 15:44:17 christos Exp $ # Console game magic # Toby Deshane @@ -115,17 +115,18 @@ # gameboy: file(1) magic for the Nintendo (Color) Gameboy raw ROM format # Reference: http://gbdev.gg8.se/wiki/articles/The_Cartridge_Header # -0x104 bequad 0xCEED6666CC0D000B Game Boy ROM image -# TODO: application/x-gameboy-color-rom for GBC. -!:mime application/x-gameboy-rom + +# Title (16 chars for GB; 15 chars for CGB) +0 name gameboy-title >0x143 byte&0x80 0x80 >>0x134 string >\0 \b: "%.15s" >0x143 byte&0x80 !0x80 >>0x134 string >\0 \b: "%.16s" >0x14c byte x (Rev.%02u) -# Machine type. (SGB, CGB, SGB+CGB) +# Machine type (SGB, CGB, SGB+CGB) # Old licensee code 0x33 is required for SGB, but not CGB. +0 name gameboy-machine-type >0x14b byte 0x33 >>0x146 byte 0x03 >>>0x143 byte&0x80 0x80 [SGB+CGB] @@ -137,53 +138,78 @@ >>0x143 byte&0xC0 0x80 [CGB] >>0x143 byte&0xC0 0xC0 [CGB ONLY] -# Mapper. ->0x147 byte 0x00 [ROM ONLY] ->0x147 byte 0x01 [MBC1] ->0x147 byte 0x02 [MBC1+RAM] ->0x147 byte 0x03 [MBC1+RAM+BATT] ->0x147 byte 0x05 [MBC2] ->0x147 byte 0x06 [MBC2+BATTERY] ->0x147 byte 0x08 [ROM+RAM] ->0x147 byte 0x09 [ROM+RAM+BATTERY] ->0x147 byte 0x0B [MMM01] ->0x147 byte 0x0C [MMM01+SRAM] ->0x147 byte 0x0D [MMM01+SRAM+BATT] ->0x147 byte 0x0F [MBC3+TIMER+BATT] ->0x147 byte 0x10 [MBC3+TIMER+RAM+BATT] ->0x147 byte 0x11 [MBC3] ->0x147 byte 0x12 [MBC3+RAM] ->0x147 byte 0x13 [MBC3+RAM+BATT] ->0x147 byte 0x19 [MBC5] ->0x147 byte 0x1A [MBC5+RAM] ->0x147 byte 0x1B [MBC5+RAM+BATT] ->0x147 byte 0x1C [MBC5+RUMBLE] ->0x147 byte 0x1D [MBC5+RUMBLE+SRAM] ->0x147 byte 0x1E [MBC5+RUMBLE+SRAM+BATT] ->0x147 byte 0xFC [Pocket Camera] ->0x147 byte 0xFD [Bandai TAMA5] ->0x147 byte 0xFE [Hudson HuC-3] ->0x147 byte 0xFF [Hudson HuC-1] - -# ROM size. ->0x148 byte 0 \b, ROM: 256Kbit ->0x148 byte 1 \b, ROM: 512Kbit ->0x148 byte 2 \b, ROM: 1Mbit ->0x148 byte 3 \b, ROM: 2Mbit ->0x148 byte 4 \b, ROM: 4Mbit ->0x148 byte 5 \b, ROM: 8Mbit ->0x148 byte 6 \b, ROM: 16Mbit ->0x148 byte 7 \b, ROM: 32Mbit ->0x148 byte 0x52 \b, ROM: 9Mbit ->0x148 byte 0x53 \b, ROM: 10Mbit ->0x148 byte 0x54 \b, ROM: 12Mbit - -# RAM size. ->0x149 byte 1 \b, RAM: 16Kbit ->0x149 byte 2 \b, RAM: 64Kbit ->0x149 byte 3 \b, RAM: 256Kbit ->0x149 byte 4 \b, RAM: 1Mbit ->0x149 byte 5 \b, RAM: 512Kbit +# Mapper +0 name gameboy-mapper +>0 byte 0x00 [ROM ONLY] +>0 byte 0x01 [MBC1] +>0 byte 0x02 [MBC1+RAM] +>0 byte 0x03 [MBC1+RAM+BATT] +>0 byte 0x05 [MBC2] +>0 byte 0x06 [MBC2+BATTERY] +>0 byte 0x08 [ROM+RAM] +>0 byte 0x09 [ROM+RAM+BATTERY] +>0 byte 0x0B [MMM01] +>0 byte 0x0C [MMM01+SRAM] +>0 byte 0x0D [MMM01+SRAM+BATT] +>0 byte 0x0F [MBC3+TIMER+BATT] +>0 byte 0x10 [MBC3+TIMER+RAM+BATT] +>0 byte 0x11 [MBC3] +>0 byte 0x12 [MBC3+RAM] +>0 byte 0x13 [MBC3+RAM+BATT] +>0 byte 0x19 [MBC5] +>0 byte 0x1A [MBC5+RAM] +>0 byte 0x1B [MBC5+RAM+BATT] +>0 byte 0x1C [MBC5+RUMBLE] +>0 byte 0x1D [MBC5+RUMBLE+SRAM] +>0 byte 0x1E [MBC5+RUMBLE+SRAM+BATT] +>0 byte 0xFC [Pocket Camera] +>0 byte 0xFD [Bandai TAMA5] +>0 byte 0xFE [Hudson HuC-3] +>0 byte 0xFF [Hudson HuC-1] + +# ROM size +0 name gameboy-rom-size +>0 byte 0 \b, ROM: 256Kbit +>0 byte 1 \b, ROM: 512Kbit +>0 byte 2 \b, ROM: 1Mbit +>0 byte 3 \b, ROM: 2Mbit +>0 byte 4 \b, ROM: 4Mbit +>0 byte 5 \b, ROM: 8Mbit +>0 byte 6 \b, ROM: 16Mbit +>0 byte 7 \b, ROM: 32Mbit +>0 byte 0x52 \b, ROM: 9Mbit +>0 byte 0x53 \b, ROM: 10Mbit +>0 byte 0x54 \b, ROM: 12Mbit + +# RAM size +0 name gameboy-ram-size +>0 byte 1 \b, RAM: 16Kbit +>0 byte 2 \b, RAM: 64Kbit +>0 byte 3 \b, RAM: 256Kbit +>0 byte 4 \b, RAM: 1Mbit +>0 byte 5 \b, RAM: 512Kbit + +# Game Boy (Color) +0x104 bequad 0xCEED6666CC0D000B +>0x143 byte&0x80 0x80 Game Boy Color ROM image +!:mime application/x-gameboy-color-rom +>0x143 byte&0x80 !0x80 Game Boy ROM image +!:mime application/x-gameboy-rom +>0 use gameboy-title +>0 use gameboy-machine-type +>0x147 use gameboy-mapper +>0x148 use gameboy-rom-size +>0x149 use gameboy-ram-size + +# Analogue Pocket +0x104 bequad 0x0110CEEF000044AA +>0 byte x Analogue Pocket ROM image +!:mime application/x-analogue-pocket-rom +>0 use gameboy-title +>0 use gameboy-machine-type +>0x147 use gameboy-mapper +>0x148 use gameboy-rom-size +>0x149 use gameboy-ram-size #------------------------------------------------------------------------------ # genesis: file(1) magic for various Sega Mega Drive / Genesis ROM image and disc formats @@ -210,45 +236,45 @@ # TODO: Check for 32X CD? # Sega Mega CD disc images: 2048-byte sectors. -0 string SEGADISCSYSTEM\ \ Sega Mega CD disc image +0 string SEGADISCSYSTEM\040\040 Sega Mega CD disc image !:mime application/x-sega-cd-rom >0 use sega-mega-drive-header >0 byte x \b, 2048-byte sectors -0 string SEGABOOTDISC\ \ \ \ Sega Mega CD disc image +0 string SEGABOOTDISC\040\040\040\040 Sega Mega CD disc image !:mime application/x-sega-cd-rom >0 use sega-mega-drive-header >0 byte x \b, 2048-byte sectors # Sega Mega CD disc images: 2352-byte sectors. -0x10 string SEGADISCSYSTEM\ \ Sega Mega CD disc image +0x10 string SEGADISCSYSTEM\040\040 Sega Mega CD disc image !:mime application/x-sega-cd-rom >0x10 use sega-mega-drive-header >0 byte x \b, 2352-byte sectors -0x10 string SEGABOOTDISC\ \ \ \ Sega Mega CD disc image +0x10 string SEGABOOTDISC\040\040\040\040 Sega Mega CD disc image !:mime application/x-sega-cd-rom >0x10 use sega-mega-drive-header >0 byte x \b, 2352-byte sectors # Sega Mega Drive: Identify the system ID. 0x100 string SEGA ->0x3C0 string MARS\ CHECK\ MODE Sega 32X ROM image +>0x3C0 string MARS\040CHECK\040MODE Sega 32X ROM image !:mime application/x-genesis-32x-rom >>0 use sega-mega-drive-header ->0x104 string \ PICO Sega Pico ROM image +>0x104 string \040PICO Sega Pico ROM image !:mime application/x-sega-pico-rom >>0 use sega-mega-drive-header ->0x104 string TOYS\ PICO Sega Pico ROM image +>0x104 string TOYS\040PICO Sega Pico ROM image !:mime application/x-sega-pico-rom >>0 use sega-mega-drive-header ->0x104 string \ TOYS\ PICO Sega Pico ROM image +>0x104 string \040TOYS\040PICO Sega Pico ROM image !:mime application/x-sega-pico-rom >>0 use sega-mega-drive-header ->0x104 string \ IAC Sega Pico ROM image +>0x104 string \040IAC Sega Pico ROM image !:mime application/x-sega-pico-rom >>0 use sega-mega-drive-header ->0x104 string \ TERA68K Sega Teradrive (68K) ROM image +>0x104 string \040TERA68K Sega Teradrive (68K) ROM image !:mime application/x-sega-teradrive-rom >>0 use sega-mega-drive-header ->0x104 string \ TERA286 Sega Teradrive (286) ROM image +>0x104 string \040TERA286 Sega Teradrive (286) ROM image !:mime application/x-sega-teradrive-rom >>0 use sega-mega-drive-header >0x180 string BR Sega Mega CD Boot ROM image @@ -259,23 +285,23 @@ >>0 use sega-mega-drive-header # Sega Mega Drive: Some ROMs have "SEGA" at 0x101, not 0x100. -0x100 string \ SEGA Sega Mega Drive / Genesis ROM image +0x100 string \040SEGA Sega Mega Drive / Genesis ROM image >0 use sega-mega-drive-header # Sega Pico ROMs that don't start with "SEGA". -0x100 string SAMSUNG\ PICO Samsung Pico ROM image +0x100 string SAMSUNG\040PICO Samsung Pico ROM image !:mime application/x-sega-pico-rom >0 use sega-mega-drive-header -0x100 string IMA\ IKUNOUJYUKU Samsung Pico ROM image +0x100 string IMA\040IKUNOUJYUKU Samsung Pico ROM image !:mime application/x-sega-pico-rom >0 use sega-mega-drive-header -0x100 string IMA IKUNOJYUKU Samsung Pico ROM image +0x100 string IMA\040IKUNOJYUKU Samsung Pico ROM image !:mime application/x-sega-pico-rom >0 use sega-mega-drive-header # Sega Picture Magic (modified 32X) -0x100 string Picture\ Magic ->0x3C0 string PICTURE MAGIC-01 Sega 32X ROM image +0x100 string Picture\040Magic +>0x3C0 string PICTURE\040MAGIC-01 Sega 32X ROM image !:mime application/x-genesis-32x-rom >>0 use sega-mega-drive-header @@ -314,59 +340,59 @@ # The SMS boot ROM checks the header at three locations. 0 name sega-master-system-rom-header # Machine type. ->0x0F byte&0xF0 0x30 Sega Master System +>0x0F ubyte&0xF0 0x30 Sega Master System !:mime application/x-sms-rom ->0x0F byte&0xF0 0x40 Sega Master System +>0x0F ubyte&0xF0 0x40 Sega Master System !:mime application/x-sms-rom ->0x0F byte&0xF0 0x50 Sega Game Gear +>0x0F ubyte&0xF0 0x50 Sega Game Gear !:mime application/x-gamegear-rom ->0x0F byte&0xF0 0x60 Sega Game Gear +>0x0F ubyte&0xF0 0x60 Sega Game Gear !:mime application/x-gamegear-rom ->0x0F byte&0xF0 0x70 Sega Game Gear +>0x0F ubyte&0xF0 0x70 Sega Game Gear !:mime application/x-gamegear-rom >0x0F default x Sega Master System / Game Gear !:mime application/x-sms-rom >0 byte x ROM image: # Product code. ->0x0E byte&0xF0 0x10 1 ->0x0E byte&0xF0 0x20 2 ->0x0E byte&0xF0 0x30 3 ->0x0E byte&0xF0 0x40 4 ->0x0E byte&0xF0 0x50 5 ->0x0E byte&0xF0 0x60 6 ->0x0E byte&0xF0 0x70 7 ->0x0E byte&0xF0 0x80 8 ->0x0E byte&0xF0 0x90 9 ->0x0E byte&0xF0 0xA0 10 ->0x0E byte&0xF0 0xB0 11 ->0x0E byte&0xF0 0xC0 12 ->0x0E byte&0xF0 0xD0 13 ->0x0E byte&0xF0 0xE0 14 ->0x0E byte&0xF0 0xF0 15 +>0x0E ubyte&0xF0 0x10 1 +>0x0E ubyte&0xF0 0x20 2 +>0x0E ubyte&0xF0 0x30 3 +>0x0E ubyte&0xF0 0x40 4 +>0x0E ubyte&0xF0 0x50 5 +>0x0E ubyte&0xF0 0x60 6 +>0x0E ubyte&0xF0 0x70 7 +>0x0E ubyte&0xF0 0x80 8 +>0x0E ubyte&0xF0 0x90 9 +>0x0E ubyte&0xF0 0xA0 10 +>0x0E ubyte&0xF0 0xB0 11 +>0x0E ubyte&0xF0 0xC0 12 +>0x0E ubyte&0xF0 0xD0 13 +>0x0E ubyte&0xF0 0xE0 14 +>0x0E ubyte&0xF0 0xF0 15 # If the product code is 5 digits, we'll need to backspace here. ->0x0E byte&0xF0 !0 ->>0x0C leshort x \b%04x ->0x0E byte&0xF0 0 ->>0x0C leshort x %04x +>0x0E ubyte&0xF0 !0 +>>0x0C uleshort x \b%04x +>0x0E ubyte&0xF0 0 +>>0x0C uleshort x %04x # Revision. ->0x0E byte&0x0F x (Rev.%02d) +>0x0E ubyte&0x0F x (Rev.%02d) # ROM size. (Used for the boot ROM checksum routine.) ->0x0F byte&0x0F 0x0A (8 KB) ->0x0F byte&0x0F 0x0B (16 KB) ->0x0F byte&0x0F 0x0C (32 KB) ->0x0F byte&0x0F 0x0D (48 KB) ->0x0F byte&0x0F 0x0E (64 KB) ->0x0F byte&0x0F 0x0F (128 KB) ->0x0F byte&0x0F 0x00 (256 KB) ->0x0F byte&0x0F 0x01 (512 KB) ->0x0F byte&0x0F 0x02 (1 MB) +>0x0F ubyte&0x0F 0x0A (8 KB) +>0x0F ubyte&0x0F 0x0B (16 KB) +>0x0F ubyte&0x0F 0x0C (32 KB) +>0x0F ubyte&0x0F 0x0D (48 KB) +>0x0F ubyte&0x0F 0x0E (64 KB) +>0x0F ubyte&0x0F 0x0F (128 KB) +>0x0F ubyte&0x0F 0x00 (256 KB) +>0x0F ubyte&0x0F 0x01 (512 KB) +>0x0F ubyte&0x0F 0x02 (1 MB) # SMS/GG header locations. -0x7FF0 string TMR\ SEGA +0x7FF0 string TMR\040SEGA >0x7FF0 use sega-master-system-rom-header -0x3FF0 string TMR\ SEGA +0x3FF0 string TMR\040SEGA >0x3FF0 use sega-master-system-rom-header -0x1FF0 string TMR\ SEGA +0x1FF0 string TMR\040SEGA >0x1FF0 use sega-master-system-rom-header #------------------------------------------------------------------------------ @@ -384,12 +410,12 @@ >>0x2A byte 0 \b) # 2048-byte sector version. -0 string SEGA\ SEGASATURN\ Sega Saturn disc image +0 string SEGA\040SEGASATURN\040 Sega Saturn disc image !:mime application/x-saturn-rom >0 use sega-saturn-disc-header >0 byte x (2048-byte sectors) # 2352-byte sector version. -0x10 string SEGA\ SEGASATURN\ Sega Saturn disc image +0x10 string SEGA\040SEGASATURN\040 Sega Saturn disc image !:mime application/x-saturn-rom >0x10 use sega-saturn-disc-header >0 byte x (2352-byte sectors) @@ -410,12 +436,12 @@ >>0x4A byte 0 \b) # 2048-byte sector version. -0 string SEGA\ SEGAKATANA\ Sega Dreamcast disc image +0 string SEGA\040SEGAKATANA\040 Sega Dreamcast disc image !:mime application/x-dc-rom >0 use sega-dreamcast-disc-header >0 byte x (2048-byte sectors) # 2352-byte sector version. -0x10 string SEGA\ SEGAKATANA\ Sega Dreamcast disc image +0x10 string SEGA\040SEGAKATANA\040 Sega Dreamcast disc image !:mime application/x-dc-rom >0x10 use sega-dreamcast-disc-header >0 byte x (2352-byte sectors) @@ -509,7 +535,7 @@ # - https://neogpc.googlecode.com/svn-history/r10/trunk/src/core/neogpc.cpp # - https://www.devrs.com/ngp/files/ngpctech.txt # -0x0A string BY\ SNK\ CORPORATION Neo Geo Pocket +0x0A string BY\040SNK\040CORPORATION Neo Geo Pocket !:mime application/x-neo-geo-pocket-rom >0x23 byte 0x10 Color >0 byte x ROM image @@ -524,7 +550,7 @@ #------------------------------------------------------------------------------ # Sony Playstation executables (Adam Sjoegren ) : -0 string PS-X\ EXE Sony Playstation executable +0 string PS-X\040EXE Sony Playstation executable >16 lelong x PC=%#08x, >20 lelong !0 GP=%#08x, >24 lelong !0 .text=[%#08x, @@ -697,12 +723,25 @@ >6 string BS93 Lynx homebrew cartridge !:mime application/x-atari-lynx-rom >>2 beshort x \b, RAM start $%04x +# Update: Joerg Jenderek +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/l/lnx.trid.xml +# Note: called "Atari Lynx ROM" by TrID 0 string LYNX Lynx cartridge !:mime application/x-atari-lynx-rom +!:ext lnx +# bank 0 page size like: 128 256 512 >4 leshort/4 >0 \b, bank 0 %dk >6 leshort/4 >0 \b, bank 1 %dk +# 32 bytes cart name like: "jconnort.lyx" "viking~1.lyx" "Eye of the Beholder" "C:\EMU\LYNX\ROMS\ULTCHESS.LYX" >10 string >\0 \b, "%.32s" +# 16 bytes manufacturer like: "Atari" "NuFX Inc." "Matthias Domin" >42 string >\0 \b, "%.16s" +# version number +#>8 leshort !1 \b, version number %u +# rotation: 1~left Lexis (NA).lnx 2~right Centipede (Prototype).lnx +>58 ubyte >0 \b, rotation %u +# spare +#>59 lelong !0 \b, spare %#x # Opera file system that is used on the 3DO console # From: Serge van den Boom @@ -710,17 +749,54 @@ # From: Alex Myczko # From: David Pflug +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Game_Boy_Sound +# http://en.wikipedia.org/wiki/Game_Boy_Sound_System +# Reference: http://mark0.net/download/triddefs_xml.7z/defs/g/gbs.trid.xml +# Note: called "GameBoy Sound System dump" by TrID, +# "Gameboy GBS rom image" by X11 Gameboy sound player xgbsplay and +# verified by gbsplay `LANG=C gbsinfo /usr/share/doc/gbsplay/examples/nightmode.gbs` # is the offset 12 or the offset 16 correct? # GBS (Game Boy Sound) magic -# ftp://ftp.modland.com/pub/documents/format_documentation/\ +# http://ftp.modland.com/pub/documents/format_documentation/\ # Gameboy%20Sound%20System%20(.gbs).txt -0 string GBS Nintendo Gameboy Music/Audio Data -#12 string GameBoy\ Music\ Module Nintendo Gameboy Music Module +# skip Grand Theft Auto 2 Style data (*.sty via sty-gta2.trid.xml) and Opera (*.patch) by check for valid "low" version +0 string GBS\001 Nintendo Gameboy Music/Audio Data +!:mime audio/x-nintendo-gbs +# by gbsplay or xgbsplay tools +#!:mime audio/gbs +#!:mime audio/prs.gbs +!:ext gbs +# fields are right null-filled; no terminating \0 if all bytes are used; if field unknown, should be set to a single ? +# title string like: "Blues Brothers" "Bugs Bunny Crazy Castle 3" +#12 string GameBoy\040Music\040Module Nintendo Gameboy Music Module >16 string >\0 ("%.32s" by +# author string like: , by Laxity, Justin Muir, 1993 Ocean >48 string >\0 %.32s, copyright ->80 string >\0 %.32s), ->3 byte x version %u, ->4 byte x %u tracks +# copyright string like: empty "1991 Titus" "2001 Imagineer/KT.Kodansha/P&B" "2000 Newline, Ubisoft, D. Eclip." +>80 string >\0 %.32s +# GBSVersion; 1 +#>3 byte !1 version %u, +# number of songs (1-255) +>4 ubyte x \b), %u track +# plural s +>4 ubyte >1 \bs +# default subsong; like: 1 (often) 2 29 60 79 82 +>5 ubyte !1 \b, %u first +# load address (400h-7fffh) +>6 uleshort x \b, load address %#4.4x +# init address (400h-7fffh) +>8 uleshort x \b, init address %#4.4x +# play address (400-7fffh) +>10 uleshort x \b, play address %#4.4x +# stack pointer; like: FFFEh (default) CFFFh DCFEh DDFEh DDFFh DEFFh E000h FFF4h +>12 uleshort x \b, stack pointer %#4.4x +# timer modulo; often 0 +>14 ubyte !0 \b, timer modulo %#x +# timer control; often 0 +>15 ubyte !0 \b, timer control %#x +# code and Data (see RST VECTORS) +#>0x70 ubequad x \b, data %#16.16llx... # IPS Patch Files from: From: Thomas Klausner # see https://zerosoft.zophar.net/ips.php @@ -794,6 +870,37 @@ !:ext ciso/cso >>>>8 ulequad x \b, original size %llu bytes >>>>16 ulelong x \b, datablock size %u bytes +# Type: Nintendo GameCube/Wii disc image (CISO format) +# NOTE: This is NOT the same as Compact ISO or PSP CISO, +# though it has the same magic number. +# Other fields are used to determine what type of CISO this is: +# - 0x04 == 0x00200000: GameCube/Wii CISO (block_size) +# - 0x10 == 0x00000800: PSP CISO (ISO-9660 sector size) +# - None of the above: Compact ISO. +>4 lelong 0x200000 +>>8 byte 1 +>>>0x801C belong 0xC2339F3D Nintendo GameCube disc image (CISO format): +!:mime application/x-wii-rom +>>>>0x8000 use nintendo-gcn-disc-common +>>>0x8018 belong 0x5D1C9EA3 Nintendo Wii disc image (CISO format): +!:mime application/x-wii-rom +>>>>0x8000 use nintendo-gcn-disc-common +# .cso files +# Reference: https://pismotec.com/ciso/ciso.h +# NOTE: There are two other formats with the same magic but +# completely incompatible specifications: +# - GameCube/Wii CISO: https://github.com/dolphin-emu/dolphin/blob/master/Source/Core/DiscIO/CISOBlob.h +# - PSP CISO: https://github.com/jamie/ciso/blob/master/ciso.h +# Other fields are used to determine what type of CISO this is: +# - 0x04 == 0x00200000: GameCube/Wii CISO (block_size) +# - 0x10 == 0x00000800: PSP CISO (ISO-9660 sector size) +# - 0x10 == 0x00004000: For >2GB files using maxcso... +# https://github.com/unknownbrackets/maxcso/issues/26 +# - None of the above: Compact ISO. +>4 lelong !0 +>>4 lelong !0x200000 +>>>16 lelong !0x800 +>>>>16 lelong !0x4000 Compressed ISO CD image # From: Daniel Dawson # SNES9x .smv "movie" file format. @@ -905,22 +1012,6 @@ !:mime application/x-wii-rom >>0x200 use nintendo-gcn-disc-common -# Type: Nintendo GameCube/Wii disc image (CISO format) -# NOTE: This is NOT the same as Compact ISO or PSP CISO, -# though it has the same magic number. -0 string CISO -# Other fields are used to determine what type of CISO this is: -# - 0x04 == 0x00200000: GameCube/Wii CISO (block_size) -# - 0x10 == 0x00000800: PSP CISO (ISO-9660 sector size) -# - None of the above: Compact ISO. ->4 lelong 0x200000 ->>8 byte 1 ->>>0x801C belong 0xC2339F3D Nintendo GameCube disc image (CISO format): -!:mime application/x-wii-rom ->>>>0x8000 use nintendo-gcn-disc-common ->>>0x8018 belong 0x5D1C9EA3 Nintendo Wii disc image (CISO format): -!:mime application/x-wii-rom ->>>>0x8000 use nintendo-gcn-disc-common # Type: Nintendo GameCube/Wii disc image (GCZ format) # Due to zlib compression, we can't get the actual disc information. @@ -1120,7 +1211,7 @@ # The header is terminated with a 0, so that will # terminate the title as well. # -0 string g\ GCE Vectrex ROM image +0 string g\040GCE Vectrex ROM image >0x11 string >\0 \b: "%.16s" #------------------------------------------------------------------------------ @@ -1200,8 +1291,8 @@ # From: David Korth # References: # - https://problemkaputt.de/fullsnes.htm#snescartsufamiturbominicartridgeadaptor -0 string BANDAI\ SFC-ADX ->0x10 string !SFC-ADX\ BACKUP Sufami Turbo ROM image: +0 string BANDAI\040SFC-ADX +>0x10 string !SFC-ADX\040BACKUP Sufami Turbo ROM image: >>0x10 string/T x "%.14s" >>0x30 byte x \b, ID %02X >>0x31 byte x \b%02X @@ -1211,3 +1302,167 @@ >>0x34 ubyte 1 [FastROM] >>0x35 ubyte 1 [SRAM] >>0x35 ubyte 3 [Special] + +#------------------------------------------------------------------------------ +# Type: Super NES ROM image +# From: Alexandre Iooss +# Reference: https://snes.nesdev.org/wiki/ROM_header +0 name snes-rom-hdr +# cartridge title is encoded in JIS X 0201, 21 chars padded with spaces +>0 ubyte-0x20 <0xC0 +>>1 ubyte-0x20 <0xC0 +>>>2 ubyte-0x20 <0xC0 +>>>>3 ubyte-0x20 <0xC0 +>>>>>4 ubyte-0x20 <0xC0 +>>>>>>5 ubyte-0x20 <0xC0 +>>>>>>>6 ubyte-0x20 <0xC0 +>>>>>>>>7 ubyte-0x20 <0xC0 +>>>>>>>>>8 ubyte-0x20 <0xC0 +>>>>>>>>>>9 ubyte-0x20 <0xC0 +>>>>>>>>>>>10 ubyte-0x20 <0xC0 +>>>>>>>>>>>>21 ubyte-0x20 <0xC0 Super NES ROM image +>>>>>>>>>>>>>0 string/21/T x "%s" +>>>>>>>>>>>>>25 byte 0 (Japan) +>>>>>>>>>>>>>25 byte 1 (USA) +>>>>>>>>>>>>>25 byte 2 (Europe) +>>>>>>>>>>>>>25 byte 6 (France) +>>>>>>>>>>>>>25 byte 7 (Netherlands) +>>>>>>>>>>>>>25 byte 9 (Germany) +>>>>>>>>>>>>>25 byte 10 (Brazil) +>>>>>>>>>>>>>27 byte >0 (Rev.%02u) +>>>>>>>>>>>>>21 byte&0xF 0x0 \b, LoROM +>>>>>>>>>>>>>21 byte&0xF 0x1 \b, HiROM +>>>>>>>>>>>>>21 byte&0x10 0x10 \b, FastROM +>>>>>>>>>>>>>23 byte 8 \b, ROM size: 256KB +>>>>>>>>>>>>>23 byte 9 \b, ROM size: 512KB +>>>>>>>>>>>>>23 byte 10 \b, ROM size: 1024KB +>>>>>>>>>>>>>23 byte 11 \b, ROM size: 2048KB +>>>>>>>>>>>>>23 byte 12 \b, ROM size: 4096KB +>>>>>>>>>>>>>24 byte 0 \b, RAM size: 1KB +>>>>>>>>>>>>>24 byte 1 \b, RAM size: 2KB +>>>>>>>>>>>>>24 byte 2 \b, RAM size: 4KB +>>>>>>>>>>>>>24 byte 3 \b, RAM size: 8KB +>>>>>>>>>>>>>24 byte 4 \b, RAM size: 16KB +>>>>>>>>>>>>>24 byte 5 \b, RAM size: 32KB +>>>>>>>>>>>>>24 byte 6 \b, RAM size: 64KB + +# header position for LoROM: $007FC0 +32725 ubyte&0xEF 0x20 +# ROM is <=4096KB, RAM is <=64KB and country<=10 +>32727 ubyte <13 +>>32728 ubyte <7 +>>>32729 ubyte <11 +>>>>32704 use snes-rom-hdr + +# HiROM header at $00FFC0 +65493 ubyte&0xEF 0x21 +# ROM is <=4096KB, RAM is <=64KB and country<=10 +>65495 ubyte <13 +>>65496 ubyte <7 +>>>65497 ubyte <11 +>>>>65472 use snes-rom-hdr + +#------------------------------------------------------------------------------ +# ancast: file(1) magic for Wii U firmware images, aka "ancast" images. +# From: David Korth +# References: +# - https://wiiubrew.org/wiki/Ancast_image +0 ubelong 0xEFA282D9 Wii U firmware image: +>0x20 ubelong 2 ARM +>>0x1A4 ubelong 0x21 \b, NAND boot +>>0x1A4 ubelong 0x22 \b, SD boot +>>0x1A8 ubelong 1 \b, for devkits +>>0x1A8 ubelong 2 \b, for retail +>0x20 ubelong 1 PowerPC +>>0xA4 ubelong 0x11 \b, Wii U mode +>>0xA4 ubelong 0x12 \b, Wii mode + +# Type: WonderSwan raw ROM format +# (Also covers the WonderSwan WSR sound format, which is an extension thereof) +# From: Adrian Siekierka +# Reference: https://ws.nesdev.org/wiki/ROM_header +0 name wonderswan-maintenance +>0 ubyte&0x80 =128 \b, custom splash screen bypassed + +0 name wonderswan-version +>0 ubyte&0x7F x \b, rev. %d +>0 ubyte&0x80 =128 \b, internal EEPROM unlocked + +0 name wonderswan-rom-size +>0 byte 0x00 \b, ROM: 1Mbit +>0 byte 0x01 \b, ROM: 2Mbit +>0 byte 0x02 \b, ROM: 4Mbit +>0 byte 0x03 \b, ROM: 8Mbit +>0 byte 0x04 \b, ROM: 16Mbit +>0 byte 0x05 \b, ROM: 24Mbit +>0 byte 0x06 \b, ROM: 32Mbit +>0 byte 0x07 \b, ROM: 48Mbit +>0 byte 0x08 \b, ROM: 64Mbit +>0 byte 0x09 \b, ROM: 128Mbit +>0 byte 0x0A \b, ROM: 256Mbit +>0 byte 0x0B \b, ROM: 512Mbit + +0 name wonderswan-save-type +>0 ubyte&0x0F =1 \b, RAM: 256Kbit +>0 ubyte&0x0F =2 \b, RAM: 256Kbit +>0 ubyte&0x0F =3 \b, RAM: 1Mbit +>0 ubyte&0x0F =4 \b, RAM: 2Mbit +>0 ubyte&0x0F =5 \b, RAM: 4Mbit +>0 ubyte&0xF0 =16 \b, EEPROM: 1Kbit +>0 ubyte&0xF0 =32 \b, EEPROM: 16Kbit +>0 ubyte&0xF0 =80 \b, EEPROM: 8Kbit + +0 name wonderswan-flags +>0 ubyte&0x01 =0 \b, orientation: horizontal +>0 ubyte&0x01 =1 \b, orientation: vertical + +0 name wonderswan-rom-flags +>0 ubyte&0x04 =0 \b, bus: 8-bit +>0 ubyte&0x04 =4 \b, bus: 16-bit +>0 ubyte&0x08 =8 \b, slow + +0 name wonderswan-mapper +>0 ubyte&0x0F =0 \b, mapper: 2001 +>0 ubyte&0x0F =1 \b, mapper: 2003 + +-16 ubyte 0xEA +>-32 string WSRF\x00 WonderSwan WSR sound file, based on +>-11 ubyte&0x0F =0 +>>-9 ubyte&0x01 =0 WonderSwan ROM image +!:ext ws/pc2 +>>-9 ubyte&0x01 =1 WonderSwan Color ROM image +!:ext wsc +>>-11 use wonderswan-maintenance +>>-7 use wonderswan-version +>>-7 use wonderswan-rom-size +>>-4 use wonderswan-rom-flags +>>-7 use wonderswan-save-type +>>-4 use wonderswan-flags +>>-3 use wonderswan-mapper + +# Type: WonderWitch transfer file +# From: Adrian Siekierka +# Reference: https://ws.nesdev.org/wiki/WonderWitch_.fx_files +0 string #!ws\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff WonderWitch transfer file +!:ext fx/il +>64 string/16 x \b, name "%s" +>80 string/24 x \b, info "%s" +>108 ulelong x \b, %u bytes +>112 uleshort x \b (%d blocks) +>114 uleshort >0 \b, mode " +>>114 uleshort&0x80 >0 \bd +>>114 uleshort&0x40 >0 \bl +>>114 uleshort&0x20 >0 \bi +>>114 uleshort&0x10 >0 \bs +>>114 uleshort&0x08 >0 \bm +>>114 uleshort&0x04 >0 \br +>>114 uleshort&0x02 >0 \bw +>>114 uleshort&0x01 >0 \bx +>>114 uleshort >0 \b" +>124 lelong >0 \b, resource data after %d bytes + +# Type: Aquaplus P/ECE executable format +# From: Adrian Siekierka +0 uleshort 0x0258 P/ECE executable +>(0x04.s) string x \b: "%s" +!:ext pex diff --git a/polyfile/magic_defs/creativeassembly b/polyfile/magic_defs/creativeassembly new file mode 100644 index 00000000..4183d58c --- /dev/null +++ b/polyfile/magic_defs/creativeassembly @@ -0,0 +1,26 @@ + +#-------------------------------------------------------------- +# $File: creativeassembly,v 1.1 2026/02/01 16:25:09 christos Exp $ +# creativeassembly: file(1) magic for various Creative Assembly files +# +# Community file formats documentation: +# + +# Benedikt Radtke +# PFH4 Archive +0 lelong 0x34484650 Creative Assembly Archive version 4 + +# Benedikt Radtke +# PFH5 Archive +0 lelong 0x35484650 Creative Assembly Archive version 5 +>&0 lelong&0xf 0x00 \b, boot archive +>&0 lelong&0xf 0x01 \b, release archive +>&0 lelong&0xf 0x02 \b, patch archive +>&0 lelong&0xf 0x03 \b, mod archive +>&0 lelong&0xf 0x04 \b, movie archive +>&0 lelong&0x10 0x10 \b, data encrypted +>&0 lelong&0x40 0x40 \b, timestamped files +>&0 lelong&0x80 0x80 \b, index encrypted +>&0 lelong&0x100 0x100 \b, big header +>&0x0c lelong x \b, %d files +#>0x14 ledate x \b, created on %s diff --git a/polyfile/magic_defs/crypto b/polyfile/magic_defs/crypto index ee51eaba..910df8dd 100644 --- a/polyfile/magic_defs/crypto +++ b/polyfile/magic_defs/crypto @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: crypto,v 1.3 2022/12/26 19:20:56 christos Exp $ +# $File: crypto,v 1.4 2023/07/17 16:41:48 christos Exp $ # crypto: file(1) magic for crypto formats # # Bitcoin block files @@ -29,3 +29,21 @@ # LevelDB -8 lequad 0xdb4775248b80fb57 LevelDB table data + +# http://www.tarsnap.com/scrypt.html +# see scryptenc_setup() in lib/scryptenc/scryptenc.c +0 string scrypt\0 scrypt encrypted file +>7 byte x \b, N=2**%d +>8 belong x \b, r=%d +>12 belong x \b, p=%d + +# https://age-encryption.org/ +# Only the first recipient is printed in detail to prevent repetitive output +# in extreme cases ("ssh-rsa, ssh-rsa, ssh-rsa, ..."). +0 string age-encryption.org/v1\n age encrypted file +>25 regex/128 \^[^\040]+ \b, %s recipient +>>25 string scrypt +>>>&0 regex/64 [0-9]+\$ (N=2**%s) +>>&0 search/256 \n->\040 \b, among others + +0 string -----BEGIN\040AGE\040ENCRYPTED\040FILE----- age encrypted file, ASCII armored diff --git a/polyfile/magic_defs/ctf b/polyfile/magic_defs/ctf index d91684d1..0134b70b 100644 --- a/polyfile/magic_defs/ctf +++ b/polyfile/magic_defs/ctf @@ -1,5 +1,6 @@ #-------------------------------------------------------------- +# $File: ctf,v 1.5 2024/06/10 23:09:52 christos Exp $ # ctf: file(1) magic for CTF (Common Trace Format) trace files # # Specs. available here: diff --git a/polyfile/magic_defs/database b/polyfile/magic_defs/database index 03ac4235..788916f8 100644 --- a/polyfile/magic_defs/database +++ b/polyfile/magic_defs/database @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: database,v 1.69 2023/01/12 00:14:04 christos Exp $ +# $File: database,v 1.75 2025/11/10 16:06:19 christos Exp $ # database: file(1) magic for various databases # # extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk) @@ -740,13 +740,6 @@ >32 lelong 0x2601196D version 6, little-endian >>36 lelong x hash size %d bytes -# SE Linux policy database -0 lelong 0xf97cff8c SE Linux policy ->16 lelong x v%d ->20 lelong 1 MLS ->24 lelong x %d symbols ->28 lelong x %d ocons - # ICE authority file data (Wolfram Kleff) 2 string ICE ICE authority data @@ -820,7 +813,9 @@ 0 string ZEC3 Zope Object Database Client Cache File (data) # IDA (Interactive Disassembler) database +0 string IDA0 IDA (Interactive Disassembler) database 0 string IDA1 IDA (Interactive Disassembler) database +0 string IDA2 IDA (Interactive Disassembler) database # Hopper (reverse engineering tool) https://www.hopperapp.com/ 0 string hopperdb Hopper database @@ -871,8 +866,31 @@ # Used by older versions of Mozilla Suite and Firefox, # and current versions of Thunderbird. # From: David Korth +# Update: Joerg Jenderek +# URL: http://fileformats.archiveteam.org/wiki/Mork +# https://en.wikipedia.org/wiki/Mork_(file_format) +# Note: called "Mork" by DROID via fmt/612 0 string //\