From aa60f242e925b68c254ac38e99be3e4d24a4231e Mon Sep 17 00:00:00 2001 
From: gordon Date: Sun, 17 Sep 2017 15:57:06 +0000 Subject: [PATCH] Vendor import of file 5.32. --- ChangeLog | 58 ++- aclocal.m4 | 2 +- config.guess | 144 +++--- config.sub | 52 +- configure | 20 +- configure.ac | 2 +- doc/file.man | 21 +- doc/libmagic.man | 13 +- doc/magic.man | 32 +- magic/Localstuff | 2 +- magic/Magdir/adventure | 15 +- magic/Magdir/amanda | 4 +- magic/Magdir/amigaos | 6 +- magic/Magdir/android | 12 +- magic/Magdir/animation | 41 +- magic/Magdir/apache | 28 ++ magic/Magdir/apple | 56 +-- magic/Magdir/archive | 115 +++-- magic/Magdir/att3b | 4 +- magic/Magdir/audio | 72 ++- magic/Magdir/bhl | 10 + magic/Magdir/blackberry | 4 +- magic/Magdir/blender | 6 +- magic/Magdir/c-lang | 61 ++- magic/Magdir/cad | 67 +-- magic/Magdir/cafebabe | 8 +- magic/Magdir/clipper | 8 +- magic/Magdir/coff | 12 +- magic/Magdir/commands | 6 +- magic/Magdir/compress | 6 +- magic/Magdir/console | 127 ++++- magic/Magdir/cups | 6 +- magic/Magdir/database | 214 +++++---- magic/Magdir/der | 16 +- magic/Magdir/diff | 14 +- magic/Magdir/dolby | 4 +- magic/Magdir/dump | 16 +- magic/Magdir/dyadic | 6 +- magic/Magdir/editors | 6 +- magic/Magdir/filesystems | 871 ++++++++++++++++++---------------- magic/Magdir/flash | 60 ++- magic/Magdir/fonts | 196 ++++++-- magic/Magdir/fsav | 24 +- magic/Magdir/games | 6 +- magic/Magdir/gconv | 10 + magic/Magdir/geo | 4 +- magic/Magdir/gnu | 4 +- magic/Magdir/gpt | 14 +- magic/Magdir/gpu | 28 ++ magic/Magdir/gringotts | 10 +- magic/Magdir/hitachi-sh | 18 +- magic/Magdir/ibm370 | 10 +- magic/Magdir/ibm6000 | 4 +- magic/Magdir/icc | 187 +++++++- magic/Magdir/images | 178 ++++--- magic/Magdir/intel | 6 +- magic/Magdir/isz | 4 +- magic/Magdir/jpeg | 10 +- magic/Magdir/kerberos | 4 +- magic/Magdir/kml | 6 +- magic/Magdir/linux | 14 +- magic/Magdir/lisp | 16 +- magic/Magdir/m4 | 5 +- magic/Magdir/macintosh | 20 +- magic/Magdir/make | 18 +- magic/Magdir/maple | 6 +- magic/Magdir/marc21 | 18 +- magic/Magdir/mathematica | 6 +- magic/Magdir/metastore | 4 
+- magic/Magdir/meteorological | 4 +- magic/Magdir/microfocus | 4 +- magic/Magdir/mime | 4 +- magic/Magdir/misctools | 6 +- magic/Magdir/modem | 26 +- magic/Magdir/mozilla | 4 +- magic/Magdir/msdos | 284 +++++++---- magic/Magdir/msvc | 15 +- magic/Magdir/msx | 22 +- magic/Magdir/mup | 14 +- magic/Magdir/nasa | 2 +- magic/Magdir/netbsd | 22 +- magic/Magdir/netscape | 6 +- magic/Magdir/nitpicker | 4 +- magic/Magdir/os2 | 8 +- magic/Magdir/os9 | 4 +- magic/Magdir/pbf | 8 +- magic/Magdir/pc88 | 2 +- magic/Magdir/pc98 | 2 +- magic/Magdir/pdf | 7 +- magic/Magdir/pdp | 6 +- magic/Magdir/perl | 10 +- magic/Magdir/pgf | 4 +- magic/Magdir/pgp | 26 +- magic/Magdir/printer | 22 +- magic/Magdir/project | 4 +- magic/Magdir/psdbms | 4 +- magic/Magdir/python | 38 +- magic/Magdir/riff | 12 +- magic/Magdir/ruby | 37 +- magic/Magdir/sccs | 4 +- magic/Magdir/scientific | 6 +- magic/Magdir/sendmail | 12 +- magic/Magdir/sequent | 6 +- magic/Magdir/sgml | 22 +- magic/Magdir/sharc | 4 +- magic/Magdir/sketch | 4 +- magic/Magdir/sql | 8 +- magic/Magdir/ssl | 22 +- magic/Magdir/sysex | 4 +- magic/Magdir/terminfo | 51 +- magic/Magdir/vms | 4 +- magic/Magdir/vmware | 4 +- magic/Magdir/vorbis | 10 +- magic/Magdir/webassembly | 15 + magic/Magdir/windows | 158 +++--- magic/Magdir/xenix | 14 +- magic/Magdir/xilinx | 10 +- magic/Magdir/xwindows | 4 +- magic/Magdir/yara | 17 + magic/Makefile.am | 8 +- magic/Makefile.in | 8 +- python/magic.py | 68 +-- src/apprentice.c | 206 +++++--- src/cdf.c | 346 ++++++++------ src/cdf.h | 6 +- src/cdf_time.c | 4 +- src/compress.c | 17 +- src/der.c | 44 +- src/file.h | 16 +- src/fsmagic.c | 19 +- src/funcs.c | 10 +- src/is_tar.c | 37 +- src/magic.c | 17 +- src/magic.h.in | 30 ++ src/print.c | 4 +- src/readcdf.c | 10 +- src/readelf.c | 123 +++-- src/readelf.h | 34 +- src/softmagic.c | 31 +- src/vasprintf.c | 4 +- tests/Makefile.am | 4 +- tests/Makefile.in | 4 +- tests/hddrawcopytool.result | 1 + tests/hddrawcopytool.testfile | Bin 0 -> 1280 bytes tests/test.c | 3 +- 
145 files changed, 3242 insertions(+), 1859 deletions(-) create mode 100755 magic/Magdir/apache create mode 100644 magic/Magdir/bhl create mode 100644 magic/Magdir/gconv create mode 100644 magic/Magdir/gpu create mode 100644 magic/Magdir/webassembly create mode 100644 magic/Magdir/yara create mode 100644 tests/hddrawcopytool.result create mode 100644 tests/hddrawcopytool.testfile diff --git a/ChangeLog b/ChangeLog index 2b6606d2979b..2063a23befed 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,60 @@ +2017-09-02 11:53 Christos Zoulas + + * release 5.32 + +2017-08-28 16:37 Christos Zoulas + + * Always reset state in {file,buffer}_apprentice (Krzysztof Wilczynski) + +2017-08-27 03:55 Christos Zoulas + + * Fix always true condition (Thomas Jarosch) + +2017-05-24 17:30 Christos Zoulas + + * pickier parsing of numeric values in magic files. + +2017-05-23 17:55 Christos Zoulas + + * PR/615 add magic_getflags() + +2017-05-23 13:55 Christos Zoulas + + * release 5.31 + +2017-03-17 20:32 Christos Zoulas + + * remove trailing spaces from magic files + * refactor is_tar + * better bounds checks for cdf + +2017-02-10 12:24 Christos Zoulas + + * release 5.30 + +2017-02-07 23:27 Christos Zoulas + + * If we exceeded the offset in a search return no match + (Christoph Biedl) + * Be more lenient on corrupt CDF files (Christoph Biedl) + +2017-02-04 16:46 Christos Zoulas + + * pacify ubsan sign extension (oss-fuzz/524) + +2017-02-01 12:42 Christos Zoulas + + * off by one in cdf parsing (PR/593) + * report debugging sections in elf (PR/591) + +2016-11-06 10:52 Christos Zoulas + + * Allow @@@ in extensions + * Add missing overflow check in der magic (Jonas Wagner) + 2016-10-25 10:40 Christos Zoulas - * release 5.28 + * release 5.29 2016-10-24 11:20 Christos Zoulas 
@@ -387,7 +441,7 @@ ` 2013-11-06 14:40 Christos Zoulas - * fix erroneous non-zero exit code from non-existant file and message + * fix erroneous non-zero exit code from non-existent file and message 2013-10-29 14:25 Christos Zoulas diff --git a/aclocal.m4 b/aclocal.m4 index 4398374d8259..158e1494b339 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -21,7 +21,7 @@ If you have problems, you may need to regenerate the build system entirely. To do so, use the procedure documented by the package, typically 'autoreconf'.])]) # visibility.m4 serial 5 (gettext-0.18.2) -dnl Copyright (C) 2005, 2008, 2010-2014 Free Software Foundation, Inc. +dnl Copyright (C) 2005, 2008, 2010-2016 Free Software Foundation, Inc. dnl This file is free software; the Free Software Foundation dnl gives unlimited permission to copy and/or distribute it, dnl with or without modifications, as long as this notice is preserved. diff --git a/config.guess b/config.guess index f7eb141e75a9..bbd48b60e88b 100755 --- a/config.guess +++ b/config.guess @@ -1,8 +1,8 @@ #! /bin/sh # Attempt to guess a canonical system name. -# Copyright 1992-2015 Free Software Foundation, Inc. +# Copyright 1992-2017 Free Software Foundation, Inc. -timestamp='2015-03-04' +timestamp='2017-01-01' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -27,7 +27,7 @@ timestamp='2015-03-04' # Originally written by Per Bothner; maintained since 2000 by Ben Elliston. # # You can get the latest version of this script from: -# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD +# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess # # Please send patches to . 
@@ -50,7 +50,7 @@ version="\ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright 1992-2015 Free Software Foundation, Inc. +Copyright 1992-2017 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -186,9 +186,12 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in *) machine=${UNAME_MACHINE_ARCH}-unknown ;; esac # The Operating System including object format, if it has switched - # to ELF recently, or will in the future. + # to ELF recently (or will in the future) and ABI. case "${UNAME_MACHINE_ARCH}" in - arm*|earm*|i386|m68k|ns32k|sh3*|sparc|vax) + earm*) + os=netbsdelf + ;; + arm*|i386|m68k|ns32k|sh3*|sparc|vax) eval $set_cc_for_build if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ELF__ @@ -221,7 +224,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in release='-gnu' ;; *) - release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` + release=`echo ${UNAME_RELEASE} | sed -e 's/[-_].*//' | cut -d. -f1,2` ;; esac # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM: @@ -237,6 +240,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} exit ;; + *:LibertyBSD:*:*) + UNAME_MACHINE_ARCH=`arch | sed 's/^.*BSD\.//'` + echo ${UNAME_MACHINE_ARCH}-unknown-libertybsd${UNAME_RELEASE} + exit ;; *:ekkoBSD:*:*) echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE} exit ;; @@ -249,6 +256,9 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in *:MirBSD:*:*) echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE} exit ;; + *:Sortix:*:*) + echo ${UNAME_MACHINE}-unknown-sortix + exit ;; alpha:OSF1:*:*) case $UNAME_RELEASE in *4.0) 
@@ -265,42 +275,42 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1` case "$ALPHA_CPU_TYPE" in "EV4 (21064)") - UNAME_MACHINE="alpha" ;; + UNAME_MACHINE=alpha ;; "EV4.5 (21064)") - UNAME_MACHINE="alpha" ;; + UNAME_MACHINE=alpha ;; "LCA4 (21066/21068)") - UNAME_MACHINE="alpha" ;; + UNAME_MACHINE=alpha ;; "EV5 (21164)") - UNAME_MACHINE="alphaev5" ;; + UNAME_MACHINE=alphaev5 ;; "EV5.6 (21164A)") - UNAME_MACHINE="alphaev56" ;; + UNAME_MACHINE=alphaev56 ;; "EV5.6 (21164PC)") - UNAME_MACHINE="alphapca56" ;; + UNAME_MACHINE=alphapca56 ;; "EV5.7 (21164PC)") - UNAME_MACHINE="alphapca57" ;; + UNAME_MACHINE=alphapca57 ;; "EV6 (21264)") - UNAME_MACHINE="alphaev6" ;; + UNAME_MACHINE=alphaev6 ;; "EV6.7 (21264A)") - UNAME_MACHINE="alphaev67" ;; + UNAME_MACHINE=alphaev67 ;; "EV6.8CB (21264C)") - UNAME_MACHINE="alphaev68" ;; + UNAME_MACHINE=alphaev68 ;; "EV6.8AL (21264B)") - UNAME_MACHINE="alphaev68" ;; + UNAME_MACHINE=alphaev68 ;; "EV6.8CX (21264D)") - UNAME_MACHINE="alphaev68" ;; + UNAME_MACHINE=alphaev68 ;; "EV6.9A (21264/EV69A)") - UNAME_MACHINE="alphaev69" ;; + UNAME_MACHINE=alphaev69 ;; "EV7 (21364)") - UNAME_MACHINE="alphaev7" ;; + UNAME_MACHINE=alphaev7 ;; "EV7.9 (21364A)") - UNAME_MACHINE="alphaev79" ;; + UNAME_MACHINE=alphaev79 ;; esac # A Pn.n version is a patched version. # A Vn.n version is a released version. # A Tn.n version is a released field test version. # A Xn.n version is an unreleased experimental baselevel. # 1.2 uses "1.2" for uname -r. - echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` + echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` # Reset EXIT trap before exiting to avoid spurious non-zero exit code. exitcode=$? trap '' 0 
@@ -373,16 +383,16 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in exit ;; i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*) eval $set_cc_for_build - SUN_ARCH="i386" + SUN_ARCH=i386 # If there is a compiler, see if it is configured for 64-bit objects. # Note that the Sun cc does not turn __LP64__ into 1 like gcc does. # This test works for both compilers. - if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then + if [ "$CC_FOR_BUILD" != no_compiler_found ]; then if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \ - (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ + (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then - SUN_ARCH="x86_64" + SUN_ARCH=x86_64 fi fi echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` @@ -407,7 +417,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in exit ;; sun*:*:4.2BSD:*) UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` - test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3 + test "x${UNAME_RELEASE}" = x && UNAME_RELEASE=3 case "`/bin/arch`" in sun3) echo m68k-sun-sunos${UNAME_RELEASE} @@ -632,13 +642,13 @@ EOF sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` case "${sc_cpu_version}" in - 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 - 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 + 523) HP_ARCH=hppa1.0 ;; # CPU_PA_RISC1_0 + 528) HP_ARCH=hppa1.1 ;; # CPU_PA_RISC1_1 532) # CPU_PA_RISC2_0 case "${sc_kernel_bits}" in - 32) HP_ARCH="hppa2.0n" ;; - 64) HP_ARCH="hppa2.0w" ;; - '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 + 32) HP_ARCH=hppa2.0n ;; + 64) HP_ARCH=hppa2.0w ;; + '') HP_ARCH=hppa2.0 ;; # HP-UX 10.20 esac ;; esac fi 
@@ -677,11 +687,11 @@ EOF exit (0); } EOF - (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` + (CCOPTS="" $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` test -z "$HP_ARCH" && HP_ARCH=hppa fi ;; esac - if [ ${HP_ARCH} = "hppa2.0w" ] + if [ ${HP_ARCH} = hppa2.0w ] then eval $set_cc_for_build @@ -694,12 +704,12 @@ EOF # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess # => hppa64-hp-hpux11.23 - if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | + if echo __LP64__ | (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | grep -q __LP64__ then - HP_ARCH="hppa2.0w" + HP_ARCH=hppa2.0w else - HP_ARCH="hppa64" + HP_ARCH=hppa64 fi fi echo ${HP_ARCH}-hp-hpux${HPUX_REV} @@ -804,14 +814,14 @@ EOF echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) - FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` - FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` + FUJITSU_PROC=`uname -m | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` + FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; 5000:UNIX_System_V:4.*:*) - FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` - FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` + FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'` echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) 
@@ -893,7 +903,7 @@ EOF exit ;; *:GNU/*:*:*) # other systems with GNU libc and userland - echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC} + echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC} exit ;; i*86:Minix:*:*) echo ${UNAME_MACHINE}-pc-minix @@ -916,7 +926,7 @@ EOF EV68*) UNAME_MACHINE=alphaev68 ;; esac objdump --private-headers /bin/sh | grep -q ld.so.1 - if test "$?" = 0 ; then LIBC="gnulibc1" ; fi + if test "$?" = 0 ; then LIBC=gnulibc1 ; fi echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; arc:Linux:*:* | arceb:Linux:*:*) @@ -962,6 +972,9 @@ EOF ia64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; + k1om:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; m32r*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; @@ -987,6 +1000,9 @@ EOF eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'` test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; } ;; + mips64el:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; openrisc*:Linux:*:*) echo or1k-unknown-linux-${LIBC} exit ;; @@ -1019,6 +1035,9 @@ EOF ppcle:Linux:*:*) echo powerpcle-unknown-linux-${LIBC} exit ;; + riscv32:Linux:*:* | riscv64:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; s390:Linux:*:* | s390x:Linux:*:*) echo ${UNAME_MACHINE}-ibm-linux-${LIBC} exit ;; @@ -1038,7 +1057,7 @@ EOF echo ${UNAME_MACHINE}-dec-linux-${LIBC} exit ;; x86_64:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo ${UNAME_MACHINE}-pc-linux-${LIBC} exit ;; xtensa*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} 
@@ -1117,7 +1136,7 @@ EOF # uname -m prints for DJGPP always 'pc', but it prints nothing about # the processor, so we play safe by assuming i586. # Note: whatever this is, it MUST be the same as what config.sub - # prints for the "djgpp" host, or else GDB configury will decide that + # prints for the "djgpp" host, or else GDB configure will decide that # this is a cross-build. echo i586-pc-msdosdjgpp exit ;; @@ -1266,6 +1285,9 @@ EOF SX-8R:SUPER-UX:*:*) echo sx8r-nec-superux${UNAME_RELEASE} exit ;; + SX-ACE:SUPER-UX:*:*) + echo sxace-nec-superux${UNAME_RELEASE} + exit ;; Power*:Rhapsody:*:*) echo powerpc-apple-rhapsody${UNAME_RELEASE} exit ;; @@ -1279,9 +1301,9 @@ EOF UNAME_PROCESSOR=powerpc fi if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then - if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then + if [ "$CC_FOR_BUILD" != no_compiler_found ]; then if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ - (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ + (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then case $UNAME_PROCESSOR in @@ -1303,7 +1325,7 @@ EOF exit ;; *:procnto*:*:* | *:QNX:[0123456789]*:*) UNAME_PROCESSOR=`uname -p` - if test "$UNAME_PROCESSOR" = "x86"; then + if test "$UNAME_PROCESSOR" = x86; then UNAME_PROCESSOR=i386 UNAME_MACHINE=pc fi @@ -1334,7 +1356,7 @@ EOF # "uname -m" is not consistent, so use $cputype instead. 386 # is converted to i386 for consistency with other x86 # operating systems. - if test "$cputype" = "386"; then + if test "$cputype" = 386; then UNAME_MACHINE=i386 else UNAME_MACHINE="$cputype" @@ -1376,7 +1398,7 @@ EOF echo i386-pc-xenix exit ;; i*86:skyos:*:*) - echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//' + echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE} | sed -e 's/ .*$//'` exit ;; i*86:rdos:*:*) echo ${UNAME_MACHINE}-pc-rdos 
@@ -1387,23 +1409,25 @@ EOF x86_64:VMkernel:*:*) echo ${UNAME_MACHINE}-unknown-esx exit ;; + amd64:Isilon\ OneFS:*:*) + echo x86_64-unknown-onefs + exit ;; esac cat >&2 < in order to provide the needed -information to handle your system. +If $0 has already been updated, send the following data and any +information you think might be pertinent to config-patches@gnu.org to +provide the necessary information to handle your system. config.guess timestamp = $timestamp diff --git a/config.sub b/config.sub index 8f1229c6f7dd..7e792b4ae17b 100755 --- a/config.sub +++ b/config.sub @@ -1,8 +1,8 @@ #! /bin/sh # Configuration validation subroutine script. -# Copyright 1992-2015 Free Software Foundation, Inc. +# Copyright 1992-2017 Free Software Foundation, Inc. -timestamp='2015-03-08' +timestamp='2017-01-01' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -33,7 +33,7 @@ timestamp='2015-03-08' # Otherwise, we print the canonical config type on stdout and succeed. # You can get the latest version of this script from: -# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD +# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub # This file is supposed to be the same for all GNU packages # and recognize all the CPU types, system types and aliases @@ -53,8 +53,7 @@ timestamp='2015-03-08' me=`echo "$0" | sed -e 's,.*/,,'` usage="\ -Usage: $0 [OPTION] CPU-MFR-OPSYS - $0 [OPTION] ALIAS +Usage: $0 [OPTION] CPU-MFR-OPSYS or ALIAS Canonicalize a configuration name. @@ -68,7 +67,7 @@ Report bugs and patches to ." version="\ GNU config.sub ($timestamp) -Copyright 1992-2015 Free Software Foundation, Inc. +Copyright 1992-2017 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." 
@@ -118,7 +117,7 @@ case $maybe_os in nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \ linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ knetbsd*-gnu* | netbsd*-gnu* | netbsd*-eabi* | \ - kopensolaris*-gnu* | \ + kopensolaris*-gnu* | cloudabi*-eabi* | \ storm-chaos* | os2-emx* | rtmk-nova*) os=-$maybe_os basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` @@ -255,6 +254,7 @@ case $basic_machine in | arc | arceb \ | arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \ | avr | avr32 \ + | ba \ | be32 | be64 \ | bfin \ | c4x | c8051 | clipper \ @@ -301,11 +301,12 @@ case $basic_machine in | open8 | or1k | or1knd | or32 \ | pdp10 | pdp11 | pj | pjl \ | powerpc | powerpc64 | powerpc64le | powerpcle \ + | pru \ | pyramid \ | riscv32 | riscv64 \ | rl78 | rx \ | score \ - | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ + | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[234]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ | sh64 | sh64le \ | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \ | sparcv8 | sparcv9 | sparcv9b | sparcv9v \ @@ -376,6 +377,7 @@ case $basic_machine in | alphapca5[67]-* | alpha64pca5[67]-* | arc-* | arceb-* \ | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ | avr-* | avr32-* \ + | ba-* \ | be32-* | be64-* \ | bfin-* | bs2000-* \ | c[123]* | c30-* | [cjt]90-* | c4x-* \ 
@@ -427,13 +429,15 @@ case $basic_machine in | orion-* \ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ + | pru-* \ | pyramid-* \ + | riscv32-* | riscv64-* \ | rl78-* | romp-* | rs6000-* | rx-* \ | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ | sparclite-* \ - | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \ + | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx*-* \ | tahoe-* \ | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ | tile*-* \ @@ -518,7 +522,7 @@ case $basic_machine in basic_machine=i386-pc os=-aros ;; - asmjs) + asmjs) basic_machine=asmjs-unknown ;; aux) @@ -641,6 +645,14 @@ case $basic_machine in basic_machine=m68k-bull os=-sysv3 ;; + e500v[12]) + basic_machine=powerpc-unknown + os=$os"spe" + ;; + e500v[12]-*) + basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` + os=$os"spe" + ;; ebmon29k) basic_machine=a29k-amd os=-ebmon @@ -1020,7 +1032,7 @@ case $basic_machine in ppc-* | ppcbe-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` ;; - ppcle | powerpclittle | ppc-le | powerpc-little) + ppcle | powerpclittle) basic_machine=powerpcle-unknown ;; ppcle-* | powerpclittle-*) @@ -1030,7 +1042,7 @@ case $basic_machine in ;; ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` ;; - ppc64le | powerpc64little | ppc64-le | powerpc64-little) + ppc64le | powerpc64little) basic_machine=powerpc64le-unknown ;; ppc64le-* | powerpc64little-*) 
@@ -1376,18 +1388,18 @@ case $os in | -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \ | -sym* | -kopensolaris* | -plan9* \ | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \ - | -aos* | -aros* | -cloudabi* \ + | -aos* | -aros* | -cloudabi* | -sortix* \ | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \ - | -bitrig* | -openbsd* | -solidbsd* \ + | -bitrig* | -openbsd* | -solidbsd* | -libertybsd* \ | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ - | -chorusos* | -chorusrdb* | -cegcc* \ + | -chorusos* | -chorusrdb* | -cegcc* | -glidix* \ | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ - | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ + | -midipix* | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ | -linux-newlib* | -linux-musl* | -linux-uclibc* \ | -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \ | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ @@ -1396,7 +1408,8 @@ case $os in | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ - | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* | -tirtos*) + | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* \ + | -onefs* | -tirtos* | -phoenix* | -fuchsia* | -redox*) # Remember, each alternative MUST END IN *, to match a version number. ;; -qnx*) @@ -1528,6 +1541,8 @@ case $os in ;; -nacl*) ;; + -ios) + ;; -none) ;; *) @@ -1623,6 +1638,9 @@ case $basic_machine in sparc-* | *-sun) os=-sunos4.1.1 ;; + pru-*) + os=-elf + ;; *-be) os=-beos ;; 
diff --git a/configure b/configure index 47f7cbfb8587..eaf97ab0622e 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for file 5.29. +# Generated by GNU Autoconf 2.69 for file 5.32. # # Report bugs to . # @@ -590,8 +590,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='file' PACKAGE_TARNAME='file' -PACKAGE_VERSION='5.29' -PACKAGE_STRING='file 5.29' +PACKAGE_VERSION='5.32' +PACKAGE_STRING='file 5.32' PACKAGE_BUGREPORT='christos@astron.com' PACKAGE_URL='' @@ -1328,7 +1328,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures file 5.29 to adapt to many kinds of systems. +\`configure' configures file 5.32 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1398,7 +1398,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of file 5.29:";; + short | recursive ) echo "Configuration of file 5.32:";; esac cat <<\_ACEOF @@ -1509,7 +1509,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -file configure 5.29 +file configure 5.32 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2165,7 +2165,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by file $as_me 5.29, which was +It was created by file $as_me 5.32, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3031,7 +3031,7 @@ fi # Define the identity of the package. PACKAGE='file' - VERSION='5.29' + VERSION='5.32' cat >>confdefs.h <<_ACEOF 
@@ -15075,7 +15075,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by file $as_me 5.29, which was +This file was extended by file $as_me 5.32, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -15141,7 +15141,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -file config.status 5.29 +file config.status 5.32 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index da2fbbf5fbfa..946198be643d 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ dnl Process this file with autoconf to produce a configure script. -AC_INIT([file],[5.29],[christos@astron.com]) +AC_INIT([file],[5.32],[christos@astron.com]) AM_INIT_AUTOMAKE([subdir-objects foreign]) m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])]) diff --git a/doc/file.man b/doc/file.man index 94174c452349..1c66241c8c40 100644 --- a/doc/file.man +++ b/doc/file.man @@ -1,4 +1,4 @@ -.\" $File: file.man,v 1.124 2016/10/19 20:52:45 christos Exp $ +.\" $File: file.man,v 1.125 2017/01/03 11:24:46 christos Exp $ .Dd October 19, 2016 .Dt FILE __CSECTION__ .Os @@ -238,8 +238,8 @@ or at least one filename argument must be present; to test the standard input, use .Sq - as a filename argument. -Please note that -.Ar namefile +Please note that +.Ar namefile is unwrapped and the enclosed filenames are processed when this option is encountered and before any further options processing is done. This allows one to process multiple lists of files with different command line 
@@ -411,10 +411,10 @@ and .Fl h options. .Sh SEE ALSO -.Xr magic __FSECTION__ , .Xr hexdump 1 , .Xr od 1 , .Xr strings 1 , +.Xr magic __FSECTION__ .Sh STANDARDS CONFORMANCE This program is believed to exceed the System V Interface Definition of FILE(CMD), as near as one can determine from the vague language @@ -530,16 +530,15 @@ John Gilmore revised the code extensively, making it better than the first version. Geoff Collyer found several inadequacies and provided some magic file entries. -Contributions by the +Contributions of the .Sq \*[Am] operator by Rob McMahon, .Aq cudcv@warwick.ac.uk , 1989. .Pp -Guy Harris, +Guy Harris, .Aq guy@netapp.com , made many changes from 1993 to the present. -1989. .Pp Primary development and maintenance from 1990 to the present by Christos Zoulas @@ -587,7 +586,6 @@ program, and are not covered by the above license. .Nm returns 0 on success, and non-zero on error. .Sh BUGS -.Pp Please report bugs and send patches to the bug tracker at .Pa http://bugs.gw.com/ or the mailing list at @@ -596,7 +594,6 @@ or the mailing list at .Pa http://mx.gw.com/mailman/listinfo/file first to subscribe). .Sh TODO -.Pp Fix output so that tests for MIME and APPLE flags are not needed all over the place, and actual output is only done in one place. This needs a design. @@ -645,16 +642,16 @@ Fix .Dq name and .Dq use -to check for consistency at compile time (duplicate +to check for consistency at compile time (duplicate .Dq name , .Dq use pointing to undefined .Dq name ). -Make +Make .Dq name / -.Dq use +.Dq use more efficient by keeping a sorted list of names. Special-case ^ to flip endianness in the parser so that it does not have to be escaped, and document it. diff --git a/doc/libmagic.man b/doc/libmagic.man index a3de98139c21..4c7e42ff4f9c 100644 --- a/doc/libmagic.man +++ b/doc/libmagic.man 
@@ -1,4 +1,4 @@ -.\" $File: libmagic.man,v 1.40 2016/03/31 17:51:12 christos Exp $ +.\" $File: libmagic.man,v 1.41 2017/05/23 21:54:07 christos Exp $ .\" .\" Copyright (c) Christos Zoulas 2003. .\" All Rights Reserved. @@ -25,7 +25,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd September 11, 2015 +.Dd May 23, 2017 .Dt LIBMAGIC 3 .Os .Sh NAME @@ -35,6 +35,7 @@ .Nm magic_errno , .Nm magic_descriptor , .Nm magic_buffer , +.Nm magic_getflags , .Nm magic_setflags , .Nm magic_check , .Nm magic_compile , @@ -64,6 +65,8 @@ .Ft const char * .Fn magic_buffer "magic_t cookie" "const void *buffer" "size_t length" .Ft int +.Fn magic_getflags "magic_t cookie" +.Ft int .Fn magic_setflags "magic_t cookie" "int flags" .Ft int .Fn magic_check "magic_t cookie" "const char *filename" @@ -206,6 +209,12 @@ argument with bytes size. .Pp The +.Fn magic_getflags +functions returns a value representing current +.Ar flags +set. +.Pp +The .Fn magic_setflags function sets the .Ar flags diff --git a/doc/magic.man b/doc/magic.man index bc374040dc2f..4c69bca2ab24 100644 --- a/doc/magic.man +++ b/doc/magic.man @@ -1,5 +1,5 @@ -.\" $File: magic.man,v 1.88 2016/07/27 09:42:49 rrt Exp $ -.Dd July 20, 2016 +.\" $File: magic.man,v 1.91 2017/02/12 15:30:08 christos Exp $ +.Dd February 12, 2017 .Dt MAGIC __FSECTION__ .Os .\" install as magic.4 on USG, magic.5 on V7, Berkeley and Linux systems. @@ -7,7 +7,7 @@ .Nm magic .Nd file command's magic pattern file .Sh DESCRIPTION -This manual page documents the format of the magic file as +This manual page documents the format of magic files as used by the .Xr file __CSECTION__ command, version __VERSION__. 
@@ -17,13 +17,19 @@ command identifies the type of a file using, among other tests, a test for whether the file contains certain .Dq "magic patterns" . -The file -.Pa __MAGIC__ -specifies what patterns are to be tested for, what message or +The database of these +.Dq "magic patterns" +is usually located in a binary file in +.Pa __MAGIC__.mgc +or a directory of source text magic pattern fragment files in +.Pa __MAGIC__ . +The database specifies what patterns are to be tested for, what message or MIME type to print if a particular pattern is found, and additional information to extract from the file. .Pp -Each line of the file specifies a test to be performed. +The format of the source fragment files that are used to build this database +is as follows: +Each line of a fragment file specifies a test to be performed. A test compares the data starting at a particular offset in the file with a byte value, a string or a numeric value. If the test succeeds, a message is printed. @@ -98,13 +104,13 @@ The following modifiers are supported: .It B A byte length (default). .It H -A 2 byte big endian length. -.It h -A 2 byte big little length. -.It L A 4 byte big endian length. +.It h +A 2 byte big endian length. +.It L +A 4 byte little endian length. .It l -A 4 byte big little length. +A 2 byte little endian length. .It J The length includes itself in its count. .El @@ -651,7 +657,7 @@ start of the main indirect offset. \*[Gt]\*[Gt]\*[Gt]\*[Gt](\*[Am]0xe.l+(-4)) string PK\e3\e4 \eb, ZIP self-extracting archive .Ed .Pp -If you have a list of known avalues at a particular continuation level, +If you have a list of known values at a particular continuation level, and you want to provide a switch-like default case: .Bd -literal -offset indent # clear that continuation level match diff --git a/magic/Localstuff b/magic/Localstuff index 419855fb6220..aef809524b80 100644 --- a/magic/Localstuff +++ b/magic/Localstuff 
@@ -2,6 +2,6 @@ #------------------------------------------------------------------------------ # Localstuff: file(1) magic for locally observed files # -# $File: Localstuff,v 1.4 2003/03/23 04:17:27 christos Exp $ +# $File: Localstuff,v 1.5 2007/01/12 17:38:27 christos Exp $ # Add any locally observed files here. Remember: # text if readable, executable if runnable binary, data if unreadable. diff --git a/magic/Magdir/adventure b/magic/Magdir/adventure index 94835e11ed39..6fae85adfd40 100644 --- a/magic/Magdir/adventure +++ b/magic/Magdir/adventure @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: adventure,v 1.15 2015/09/07 10:03:21 christos Exp $ +# $File: adventure,v 1.17 2017/07/03 16:03:40 christos Exp $ # adventure: file(1) magic for Adventure game files # # from Allen Garvin @@ -36,11 +36,12 @@ >0 ubyte <9 >>16 belong&0xfe00f0f0 0x3030 >>>0 ubyte < 10 ->>>>2 ubeshort < 10 +>>>>2 ubeshort x >>>>>18 regex [0-9][0-9][0-9][0-9][0-9][0-9] ->>>>>>0 ubyte < 10 Infocom (Z-machine %d, ->>>>>>>2 ubeshort < 10 Release %d / ->>>>>>>>18 string >\0 Serial %.6s) +>>>>>>0 ubyte < 10 Infocom (Z-machine %d +>>>>>>>2 ubeshort x \b, Release %d +>>>>>>>>18 string >\0 \b, Serial %.6s +>>>>>>>>18 string x \b) !:strength + 40 !:mime application/x-zmachine @@ -78,7 +79,7 @@ !:mime application/x-tads # Some saved game files start with "TADS2 save/g\n\r\032\0", a little-endian # 2-byte length N, the N-char name of the game file *without* a NUL (darn!), -# "TADS2 save\n\r\032\0" and the interpreter version. +# "TADS2 save\n\r\032\0" and the interpreter version. 0 string TADS2\ save/g TADS >12 belong !0x0A0D1A00 saved game data, CORRUPTED >12 belong 0x0A0D1A00 
@@ -109,7 +110,7 @@ # edited by David Griffith # Danny Milosavljevic # These are ADRIFT (adventure game standard) game files, extension .taf -# Checked from source at (http://www.adrift.co/) and various taf files +# Checked from source at (http://www.adrift.co/) and various taf files # found at the Interactive Fiction Archive (http://ifarchive.org/) 0 belong 0x3C423FC9 >4 belong 0x6A87C2CF Adrift game file version diff --git a/magic/Magdir/amanda b/magic/Magdir/amanda index 395ef545c2ba..e7fa53901388 100644 --- a/magic/Magdir/amanda +++ b/magic/Magdir/amanda @@ -1,9 +1,9 @@ #------------------------------------------------------------------------------ -# $File: amanda,v 1.5 2009/09/19 16:28:07 christos Exp $ +# $File: amanda,v 1.6 2017/03/17 21:35:28 christos Exp $ # amanda: file(1) magic for amanda file format # -0 string AMANDA:\ AMANDA +0 string AMANDA:\ AMANDA >8 string TAPESTART\ DATE tape header file, >>23 string X >>>25 string >\ Unused %s diff --git a/magic/Magdir/amigaos b/magic/Magdir/amigaos index 8fdf37662c57..d9330bd1493c 100644 --- a/magic/Magdir/amigaos +++ b/magic/Magdir/amigaos @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: amigaos,v 1.15 2012/06/21 01:13:59 christos Exp $ +# $File: amigaos,v 1.16 2017/03/17 21:35:28 christos Exp $ # amigaos: file(1) magic for AmigaOS binary formats: # @@ -11,7 +11,7 @@ 0 belong 0x000003e7 AmigaOS object/library data # 0 beshort 0xe310 Amiga Workbench ->2 beshort 1 +>2 beshort 1 >>48 byte 1 disk icon >>48 byte 2 drawer icon >>48 byte 3 tool icon @@ -49,7 +49,7 @@ 0 string/c @database AmigaGuide file # Amiga disk types -# +# 0 string RDSK Rigid Disk Block >160 string x on %.24s 0 string DOS\0 Amiga DOS disk diff --git a/magic/Magdir/android b/magic/Magdir/android index f1340d53a38b..dca5c33482bf 100644 --- a/magic/Magdir/android +++ b/magic/Magdir/android 
@@ -1,6 +1,6 @@ #------------------------------------------------------------ -# $File: android,v 1.9 2016/01/11 21:19:18 christos Exp $ +# $File: android,v 1.10 2017/03/17 21:35:28 christos Exp $ # Various android related magic entries #------------------------------------------------------------ @@ -61,9 +61,9 @@ # http://forum.xda-developers.com/showthread.php?t=816449 # Partition Information Table for Samsung's smartphone with Android # used by flash software Odin -0 ulelong 0x12349876 +0 ulelong 0x12349876 # 1st pit entry marker ->0x01C ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000 +>0x01C ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000 # minimal 13 and maximal 18 PIT entries found >>4 ulelong <128 Partition Information Table for Samsung smartphone >>>4 ulelong x \b, %d entries @@ -109,9 +109,9 @@ 0 name PIT-entry # garbage value implies end of pit entries ->0x00 ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000 +>0x00 ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000 # skip empty partition name ->>0x24 ubyte !0 +>>0x24 ubyte !0 # partition name >>>0x24 string >\0 %-.32s # flags @@ -122,7 +122,7 @@ >>>0x08 ulelong x (0x%x) # filename >>>0x44 string >\0 "%-.64s" -#>>>0x18 ulelong >0 +#>>>0x18 ulelong >0 # blocksize in 512 byte units ? #>>>>0x18 ulelong x \b, %db # partition size in blocks ? diff --git a/magic/Magdir/animation b/magic/Magdir/animation index faa839e8783b..a6e50ff86b09 100644 --- a/magic/Magdir/animation +++ b/magic/Magdir/animation @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: animation,v 1.58 2016/07/03 14:13:11 christos Exp $ +# $File: animation,v 1.63 2017/05/26 14:33:07 christos Exp $ # animation: file(1) magic for animation/movie formats # # animation formats 
@@ -34,14 +34,23 @@ !:mime image/jp2 # http://www.ftyps.com/ with local additions 4 string ftyp ISO Media +# http://aeroquartet.com/wordpress/2016/03/05/3-xavc-s/ +>8 string XAVC \b, MPEG v4 system, Sony XAVC Codec +>>96 string x \b, Audio "%.4s" +>>118 beshort x at %dHz +>>140 string x \b, Video "%.4s" +>>168 beshort x %d +>>170 beshort x \bx%d >8 string 3g2 \b, MPEG v4 system, 3GPP2 !:mime video/3gpp2 >>11 byte 4 \b v4 (H.263/AMR GSM 6.10) >>11 byte 5 \b v5 (H.263/AMR GSM 6.10) >>11 byte 6 \b v6 (ITU H.264/AMR GSM 6.10) ->>11 byte a \b C.S0050-0 V1.0 ->>11 byte b \b C.S0050-0-A V1.0.0 ->>11 byte c \b C.S0050-0-B V1.0 +# http://www.3gpp2.org/Public_html/Specs/C.S0050-B_v1.0_070521.pdf +# Section 8.1.1, corresponds to a, b, c +>>11 byte 0x61 \b C.S0050-0 V1.0 +>>11 byte 0x62 \b C.S0050-0-A V1.0.0 +>>11 byte 0x63 \b C.S0050-0-B V1.0 >8 string 3ge \b, MPEG v4 system, 3GPP !:mime video/3gpp >>11 byte 6 \b, Release 6 MBMS Extended Presentations @@ -186,13 +195,13 @@ # MPEG sequences # Scans for all common MPEG header start codes -0 belong 0x00000001 +0 belong 0x00000001 >4 byte&0x1F 0x07 JVT NAL sequence, H.264 video >>5 byte 66 \b, baseline >>5 byte 77 \b, main >>5 byte 88 \b, extended >>7 byte x \b @ L %u -0 belong&0xFFFFFF00 0x00000100 +0 belong&0xFFFFFF00 0x00000100 >3 byte 0xBA MPEG sequence !:mime video/mpeg >>4 byte &0x40 \b, v2, program multiplex @@ -493,8 +502,8 @@ # GRR the original test are too common for many DOS files, so test 32 <= kbits <= 448 # GRR this test is still too general as it catches a BOM of UTF-16 files (0xFFFE) # FIXME: Almost all little endian UTF-16 text with BOM are clobbered by these entries -#0 beshort&0xFFFE 0xFFFE -#>2 ubyte&0xF0 >0x0F +#0 beshort&0xFFFE 0xFFFE +#>2 ubyte&0xF0 >0x0F #>>2 ubyte&0xF0 <0xE1 MPEG ADTS, layer I, v1 ## rate #>>>2 byte&0xF0 0x10 \b, 32 kbps 
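Review bot: The sub-tests added under `>8 string XAVC` read offsets 96, 118, 140, 168 and 170 with unconditional `x` tests, so once the brand matches they print whatever bytes are there as codec names, sample rate and frame size. Nothing checks that the expected boxes actually sit at those positions. `%.4s` bounds the two strings, so the risk is a misleading description rather than over-long output. At minimum, record the assumption next to the URL, e.g. `# fixed offsets below assume the header layout described at the URL above`, or gate the prints on a tag test at the expected box position. The enclosing `4 string ftyp` entry continues outside this hunk.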
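Review bot: `0 string ORC`, `0 string RCF` and `0 string SEQ` are three-letter ASCII prefixes at offset 0 with no confirming test, so ordinary text can be reported as a Hadoop or Hive container. Under `SEQ`, `>3 byte >6` accepts any fourth byte above 6, which includes every printable letter, and under `RCF` the line `>3 byte x version %d` prints for any byte. Give the version tests an upper limit that matches the versions the formats really use, so that text starting with these letters falls through to the text rules. The `0 string SBx` entry added to Magdir/archive in this commit has the same shape (`>3 byte x version %d`). The diff header for the Apache entries is not intact on this page, so the target file is inferred from the diffstat.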
@@ -566,9 +575,9 @@ # MP2, M2A 0 beshort&0xFFFE 0xFFF4 MPEG ADTS, layer II, v2 !:mime audio/mpeg -# rate +# rate >2 byte&0xF0 0x10 \b, 8 kbps ->2 byte&0xF0 0x20 \b, 16 kbps +>2 byte&0xF0 0x20 \b, 16 kbps >2 byte&0xF0 0x30 \b, 24 kbps >2 byte&0xF0 0x40 \b, 32 kbps >2 byte&0xF0 0x50 \b, 40 kbps @@ -636,7 +645,7 @@ # MP3, M25A 0 beshort&0xFFFE 0xFFE2 MPEG ADTS, layer III, v2.5 !:mime audio/mpeg -# rate +# rate >2 byte&0xF0 0x10 \b, 8 kbps >2 byte&0xF0 0x20 \b, 16 kbps >2 byte&0xF0 0x30 \b, 24 kbps @@ -855,10 +864,12 @@ # X3D (Extensible 3D) [http://www.web3d.org/specifications/x3d-3.0.dtd] # From Michel Briand -0 string/t \20 search/1000/cw \20 search/1000/w \3 byte x version %d + +# ORC files +# Important information is in file footer, which we can't index to :( +0 string ORC Apache ORC + +# Parquet files +0 string PAR1 Apache Parquet + +# Hive RC files +0 string RCF Apache Hive RC file +>3 byte x version %d + +# Sequence files (and the careless first version of RC file) + +0 string SEQ +>3 byte <6 Apache Hadoop Sequence file version %d +>3 byte >6 Apache Hadoop Sequence file version %d +>3 byte =6 +>>5 string org.apache.hadoop.hive.ql.io.RCFile$KeyBuffer Apache Hive RC file version 0 +>>3 default x Apache Hadoop Sequence file version 6 diff --git a/magic/Magdir/apple b/magic/Magdir/apple index ce03298f95f2..391205f265fc 100644 --- a/magic/Magdir/apple +++ b/magic/Magdir/apple @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: apple,v 1.35 2016/08/17 09:45:13 christos Exp $ +# $File: apple,v 1.36 2017/03/17 21:35:28 christos Exp $ # apple: file(1) magic for Apple file formats # 0 search/1/t FiLeStArTfIlEsTaRt binscii (apple ][) text 
@@ -67,15 +67,15 @@ # AppleWorks word processor: # URL: https://en.wikipedia.org/wiki/AppleWorks # Reference: http://www.gno.org/pub/apple2/doc/apple/filetypes/ftn.1a.xxxx -# Update: Joerg Jenderek +# Update: Joerg Jenderek # NOTE: # The "O" is really the magic number, but that's so common that it's # necessary to check the tab stops that follow it to avoid false positives. # and/or look for unused bits of booleans bytes like zoom, paginated, mail merge # the newer AppleWorks is from claris with extension CWK -4 string O +4 string O # test for unused bits of zoom- , paginated-boolean bytes ->84 ubequad ^0x00Fe00000000Fe00 +>84 ubequad ^0x00Fe00000000Fe00 # look for tabstop definitions "=" no tab, "|" no tab # "<" left tab,"^" center tab,">" right tab, "." decimal tab, # unofficial "!" other , "\x8a" other @@ -92,9 +92,9 @@ !:ext awp # minimum version needed to read this files. SFMinVers (0 , 30~3.0 ) >>>183 ubyte 30 3.0 ->>>183 ubyte !30 +>>>183 ubyte !30 >>>>183 ubyte !0 0x%x -# usual tabstop start sequence "=====<" +# usual tabstop start sequence "=====<" >>>5 string x \b, tabstop ruler "%6.6s" # tabstop ruler #>>>5 string >\0 \b, tabstops "%-79s" @@ -105,7 +105,7 @@ # contains any mail-merge commands >>>92 byte&0x01 >0 \b, with mail merge # left margin in 1/10 inches ( normally 0 or 10 ) ->>>91 ubyte >0 +>>>91 ubyte >0 >>>>91 ubyte x \b, %d/10 inch left margin # AppleWorks database: @@ -140,13 +140,13 @@ # GRR: this test is still too general as it catches also Gujin BOOT144.SYS (0xfa080000) #0 belong&0xff00ff 0x80000 Applesoft BASIC program data -0 belong&0x00ff00ff 0x00080000 +0 belong&0x00ff00ff 0x00080000 # assuming that line number must be positive >2 leshort >0 Applesoft BASIC program data, first line number %d #>2 leshort x \b, first line number %d # ORCA/EZ assembler: -# +# # This will not identify ORCA/M source files, since those have # some sort of date code instead of the two zero bytes at 6 and 7 # XXX Conflicts with ELF 
@@ -186,18 +186,18 @@ # From Johan Gade. # These entries are disabled for now until we fix the following issues. # -# Note there might be some problems with the "VAX COFF executable" -# entry. Note this entry should be placed before the mac filesystem section, +# Note there might be some problems with the "VAX COFF executable" +# entry. Note this entry should be placed before the mac filesystem section, # particularly the "Apple Partition data" entry. # -# The intended meaning of these tests is, that the file is only of the +# The intended meaning of these tests is, that the file is only of the # specified type if both of the lines are correct - i.e. if the first # line matches and the second doesn't then it is not of that type. # #0 long 0x7801730d #>4 long 0x62626060 UDIF read-only zlib-compressed image (UDZO) # -# Note that this entry is recognized correctly by the "Apple Partition +# Note that this entry is recognized correctly by the "Apple Partition # data" entry - however since this entry is more specific - this # information seems to be more useful. #0 long 0x45520200 @@ -288,7 +288,7 @@ # Apple disk partition stuff # URL: https://en.wikipedia.org/wiki/Apple_Partition_Map # Reference: https://ftp.netbsd.org/pub/NetBSD/NetBSD-current/src/sys/sys/bootblock.h -# Update: Joerg Jenderek +# Update: Joerg Jenderek # "ER" is APPLE_DRVR_MAP_MAGIC signature 0 beshort 0x4552 # display Apple Driver Map (strength=50) after Syslinux bootloader (71) @@ -315,7 +315,7 @@ # device id 0 1 (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso) >>10 ubeshort x \b, devid %u # driver data 0 (2425393296 garbage for super_grub2_disk_hybrid_2.02s3.iso) ->>12 ubelong >0 +>>12 ubelong >0 >>>12 ubelong x \b, driver data %u # number of driver descriptors sbDrvrCount <= 61 # (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso) 
@@ -327,26 +327,26 @@ # >>500 use apple-driver-map # number of partitions is always same in every partition (map block count) #>>0x0204 ubelong x \b, %u partitions ->>0x0204 ubelong >0 \b, contains[@0x200]: +>>0x0204 ubelong >0 \b, contains[@0x200]: >>>0x0200 use apple-apm ->>0x0204 ubelong >1 \b, contains[@0x400]: +>>0x0204 ubelong >1 \b, contains[@0x400]: >>>0x0400 use apple-apm ->>0x0204 ubelong >2 \b, contains[@0x600]: +>>0x0204 ubelong >2 \b, contains[@0x600]: >>>0x0600 use apple-apm ->>0x0204 ubelong >3 \b, contains[@0x800]: +>>0x0204 ubelong >3 \b, contains[@0x800]: >>>0x0800 use apple-apm ->>0x0204 ubelong >4 \b, contains[@0xA00]: +>>0x0204 ubelong >4 \b, contains[@0xA00]: >>>0x0A00 use apple-apm ->>0x0204 ubelong >5 \b, contains[@0xC00]: +>>0x0204 ubelong >5 \b, contains[@0xC00]: >>>0x0C00 use apple-apm ->>0x0204 ubelong >6 \b, contains[@0xE00]: +>>0x0204 ubelong >6 \b, contains[@0xE00]: >>>0x0E00 use apple-apm ->>0x0204 ubelong >7 \b, contains[@0x1000]: +>>0x0204 ubelong >7 \b, contains[@0x1000]: >>>0x1000 use apple-apm # display apple driver descriptor map (start-block, # blocks in sbBlkSize sizes, type) 0 name apple-driver-map ->0 ubequad !0 -# descBlock first block of driver +>0 ubequad !0 +# descBlock first block of driver >>0 ubelong x \b, driver start block %u # descSize driver size in blocks >>4 ubeshort x \b, size %u @@ -355,11 +355,11 @@ # URL: https://en.wikipedia.org/wiki/Apple_Partition_Map # Reference: http://opensource.apple.com/source/IOStorageFamily/IOStorageFamily-116/IOApplePartitionScheme.h -# Update: Joerg Jenderek +# Update: Joerg Jenderek # Yes, the 3rd and 4th bytes pmSigPad are reserved, but we use them to make the # magic stronger. # for apple partition map stored as a single file -0 belong 0x504d0000 +0 belong 0x504d0000 # to display Apple Partition Map (strength=70) after Syslinux bootloader (71) #!:strength +0 >0 use apple-apm 
@@ -417,7 +417,7 @@ 0 name appleworks >0 belong&0x00ffffff 0x07e100 AppleWorks CWK Document >0 belong&0x00ffffff 0x008803 ClarisWorks CWK Document ->0 default x +>0 default x >>0 belong x AppleWorks/ClarisWorks CWK Document >0 byte x \b, version %d >30 beshort x \b, %d diff --git a/magic/Magdir/archive b/magic/Magdir/archive index e737550c76a7..abecf7101f15 100644 --- a/magic/Magdir/archive +++ b/magic/Magdir/archive @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: archive,v 1.103 2016/05/05 17:07:40 christos Exp $ +# $File: archive,v 1.108 2017/08/30 13:45:10 christos Exp $ # archive: file(1) magic for archive formats (see also "msdos" for self- # extracting compressed archives) # @@ -249,9 +249,9 @@ # URL: http://fileformats.archiveteam.org/wiki/TTComp_archive # Update: Joerg Jenderek # GRR: line below is too general as it matches also Panorama database "TCDB 2003-10 demo.pan", others -0 string \0\6 +0 string \0\6 # look for first keyword of Panorama database *.pan ->12 search/261 DESIGN +>12 search/261 DESIGN # skip keyword with low entropy >12 default x TTComp archive, binary, 4K dictionary # (version 5.25) labeled the above entry as "TTComp archive data" @@ -447,9 +447,9 @@ 0 string SZ\x0a\4 SZip archive data # XPack DiskImage # *.XDI updated by Joerg Jenderek Sep 2015 -# ftp://ftp.sac.sk/pub/sac/pack/0index.txt +# ftp://ftp.sac.sk/pub/sac/pack/0index.txt # GRR: this test is still too general as it catches also text files starting with jm -0 string jm +0 string jm # only found examples with this additional characteristic 2 bytes >2 string \x2\x4 Xpack DiskImage archive data #!:ext xdi 
@@ -462,7 +462,7 @@ # ftp://ftp.elf.stuba.sk/pub/pc/pack/xpa32.zip # created by XPA32.EXE version 1.0.2 for Windows >0 string xpa\0\1 \b32 archive data -# created by XPACK.COM version 1.67m or 1.67r with short 0x1800 +# created by XPACK.COM version 1.67m or 1.67r with short 0x1800 >3 ubeshort !0x0001 \bck archive data # XPack Single Data # changed by Joerg Jenderek Sep 2015 back to like in version 5.12 @@ -552,7 +552,7 @@ >>0x36 string >\0 fstype %.8s # LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu) -# Update: Joerg Jenderek +# Update: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/LHA_(file_format) # Reference: http://web.archive.org/web/20021005080911/http://www.osirusoft.com/joejared/lzhformat.html # @@ -561,14 +561,14 @@ # check 1st character of method id like -lz4- -lh5- or -pm2- >2 string - # check 5th character of method id ->>6 string - +>>6 string - # check header level 0 1 2 3 ->>>20 ubyte <4 +>>>20 ubyte <4 # check 2nd, 3th and 4th character of method id >>>>3 regex \^(lh[0-9a-ex]|lz[s2-8]|pm[012]|pc1) \b !:mime application/x-lzh-compressed # creator type "LHA " -!:apple ????LHA +!:apple ????LHA # display archive type name like "LHa/LZS archive data" or "LArc archive" >>>>>2 string -lz \b !:ext lzs @@ -578,7 +578,7 @@ # missing -lz?- with wikipedia names >>>>>>3 regex \^lz[2378] LArc archive # display archive type name like "LHa (2.x) archive data" ->>>>>2 string -lh \b +>>>>>2 string -lh \b # already known -lh0- -lh1- -lh2- -lh3- -lh4- -lh5- -lh6- -lh7- -lhd- variants with old names >>>>>>3 regex \^lh[01] LHarc 1.x/ARX archive data # LHice archiver use ".ICE" as name extension instead usual one ".lzh" 
@@ -614,28 +614,28 @@ # check and display information of lharc header 0 name lharc-header # header size 0x4 , 0x1b-0x61 ->0 ubyte x +>0 ubyte x # compressed data size != compressed file size #>7 ulelong x \b, data size %d -# attribute: 0x2~?? 0x10~symlink|target 0x20~normal +# attribute: 0x2~?? 0x10~symlink|target 0x20~normal #>19 ubyte x \b, 19_0x%x # level identifier 0 1 2 3 #>20 ubyte x \b, level %d # time stamp #>15 ubelong x DATE 0x%8.8x # OS ID for level 1 ->20 ubyte 1 +>20 ubyte 1 # 0x20 types find for *.rom files >>(21.b+24) ubyte <0x21 \b, 0x%x OS # ascii type like M for MSDOS >>(21.b+24) ubyte >0x20 \b, '%c' OS # OS ID for level 2 ->20 ubyte 2 +>20 ubyte 2 #>>23 ubyte x \b, OS ID 0x%x >>23 ubyte <0x21 \b, 0x%x OS >>23 ubyte >0x20 \b, '%c' OS # filename only for level 0 and 1 ->20 ubyte <2 +>20 ubyte <2 # length of filename >>21 ubyte >0 \b, with # filename 
@@ -643,73 +643,73 @@ # #2 string -lh0- LHarc 1.x/ARX archive data [lh0] #!:mime application/x-lharc -2 string -lh0- +2 string -lh0- >0 use lharc-file #2 string -lh1- LHarc 1.x/ARX archive data [lh1] #!:mime application/x-lharc -2 string -lh1- +2 string -lh1- >0 use lharc-file # NEW -lz2- ... -lz8- -2 string -lz2- +2 string -lz2- >0 use lharc-file -2 string -lz3- +2 string -lz3- >0 use lharc-file -2 string -lz4- +2 string -lz4- >0 use lharc-file -2 string -lz5- +2 string -lz5- >0 use lharc-file -2 string -lz7- +2 string -lz7- >0 use lharc-file -2 string -lz8- +2 string -lz8- >0 use lharc-file # [never seen any but the last; -lh4- reported in comp.compression:] #2 string -lzs- LHa/LZS archive data [lzs] -2 string -lzs- +2 string -lzs- >0 use lharc-file # According to wikipedia and others such a version does not exist #2 string -lh\40- LHa 2.x? archive data [lh ] #2 string -lhd- LHa 2.x? archive data [lhd] -2 string -lhd- +2 string -lhd- >0 use lharc-file #2 string -lh2- LHa 2.x? archive data [lh2] -2 string -lh2- +2 string -lh2- >0 use lharc-file #2 string -lh3- LHa 2.x? archive data [lh3] -2 string -lh3- +2 string -lh3- >0 use lharc-file #2 string -lh4- LHa (2.x) archive data [lh4] -2 string -lh4- +2 string -lh4- >0 use lharc-file #2 string -lh5- LHa (2.x) archive data [lh5] -2 string -lh5- +2 string -lh5- >0 use lharc-file #2 string -lh6- LHa (2.x) archive data [lh6] -2 string -lh6- +2 string -lh6- >0 use lharc-file #2 string -lh7- LHa (2.x)/LHark archive data [lh7] -2 string -lh7- +2 string -lh7- # !:mime application/x-lha # >20 byte x - header level %d >0 use lharc-file # NEW -lh8- ... 
-lhe- , -lhx- -2 string -lh8- +2 string -lh8- >0 use lharc-file -2 string -lh9- +2 string -lh9- >0 use lharc-file -2 string -lha- +2 string -lha- >0 use lharc-file -2 string -lhb- +2 string -lhb- >0 use lharc-file -2 string -lhc- +2 string -lhc- >0 use lharc-file -2 string -lhe- +2 string -lhe- >0 use lharc-file -2 string -lhx- +2 string -lhx- >0 use lharc-file # taken from idarc [JW] 2 string -lZ PUT archive data # already done by LHarc magics -# this should never happen if all sub types of LZS archive are identified +# this should never happen if all sub types of LZS archive are identified #2 string -lz LZS archive data 2 string -sw1- Swag archive data @@ -908,7 +908,17 @@ >>>4 byte 0x0a \b, at least v1.0 to extract >>>4 byte 0x0b \b, at least v1.1 to extract >>>4 byte 0x14 \b, at least v2.0 to extract +>>>4 byte 0x15 \b, at least v2.1 to extract +>>>4 byte 0x19 \b, at least v2.5 to extract +>>>4 byte 0x1b \b, at least v2.7 to extract >>>4 byte 0x2d \b, at least v4.5 to extract +>>>4 byte 0x2e \b, at least v4.6 to extract +>>>4 byte 0x32 \b, at least v5.0 to extract +>>>4 byte 0x33 \b, at least v5.1 to extract +>>>4 byte 0x34 \b, at least v5.2 to extract +>>>4 byte 0x3d \b, at least v6.1 to extract +>>>4 byte 0x3e \b, at least v6.2 to extract +>>>4 byte 0x3f \b, at least v6.3 to extract >>>0x161 string WINZIP \b, WinZIP self-extracting # StarView Metafile @@ -940,17 +950,17 @@ 0 string \0\ \ \ \ \ \ \ \ \ \ \ \0\0 LBR archive data # # PMA (CP/M derivative of LHA) -# Update: Joerg Jenderek +# Update: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/LHA_(file_format) # #2 string -pm0- PMarc archive data [pm0] -2 string -pm0- +2 string -pm0- >0 use lharc-file #2 string -pm1- PMarc archive data [pm1] -2 string -pm1- +2 string -pm1- >0 use lharc-file #2 string -pm2- PMarc archive data [pm2] -2 string -pm2- +2 string -pm2- >0 use lharc-file 2 string -pms- PMarc SFX archive (CP/M, DOS) #!:mime application/x-foobar-exec 
@@ -1145,12 +1155,12 @@ >3 ubyte 0 \b, no compression >3 ubyte 2 \b, fast compression (Z1) >3 ubyte 3 \b, medium compression (Z2) ->3 ubyte >3 +>3 ubyte >3 >>3 ubyte <11 \b, compression (Z%d-1) ->2 ubyte&0x08 0x00 +>2 ubyte&0x08 0x00 # ~ 30 byte password field only for *.gho >>12 ubequad !0 \b, password protected ->>44 ubyte !1 +>>44 ubyte !1 # 1~Image All, sector-by-sector only for *.gho >>>10 ubyte 1 \b, sector copy # 1~Image Boot track only for *.gho @@ -1160,8 +1170,8 @@ # optional image description only *.gho >>0xff string >\0 "%-.254s" # look for DOS sector end sequence ->0xE08 search/7776 \x55\xAA ->>&-512 indirect x \b; contains +>0xE08 search/7776 \x55\xAA +>>&-512 indirect x \b; contains # Google Chrome extensions # https://developer.chrome.com/extensions/crx @@ -1169,3 +1179,10 @@ 0 string Cr24 Google Chrome extension !:mime application/x-chrome-extension >4 ulong x \b, version %u + +# SeqBox - Sequenced container +# ext: sbx, seqbox +# Marco Pontello marcopon@gmail.com +# reference: https://github.com/MarcoPon/SeqBox +0 string SBx SeqBox, +>3 byte x version %d diff --git a/magic/Magdir/att3b b/magic/Magdir/att3b index a3ed9c0037a9..b83ae2ec08d8 100644 --- a/magic/Magdir/att3b +++ b/magic/Magdir/att3b @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: att3b,v 1.9 2014/04/30 21:41:02 christos Exp $ +# $File: att3b,v 1.10 2017/03/17 21:35:28 christos Exp $ # att3b: file(1) magic for AT&T 3B machines # # The `versions' should be un-commented if they work for you. @@ -36,6 +36,6 @@ #>18 beshort &00040000 and MAU hardware required #>22 beshort >0 - version %d # -# core file for 3b2 +# core file for 3b2 0 string \000\004\036\212\200 3b2 core file >364 string >\0 of '%s' diff --git a/magic/Magdir/audio b/magic/Magdir/audio index 29442a51b3cf..0330bbfa8078 100644 --- a/magic/Magdir/audio +++ b/magic/Magdir/audio 
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: audio,v 1.75 2016/02/08 17:30:11 christos Exp $ +# $File: audio,v 1.80 2017/08/13 00:21:47 christos Exp $ # audio: file(1) magic for sound formats (see also "iff") # # Jan Nicolai Langfeldt (janl@ifi.uio.no), Dan Quinlan (quinlan@yggdrasil.com), @@ -300,7 +300,7 @@ >>5 byte &0x40 \b, extended header >>5 byte &0x20 \b, experimental >>5 byte &0x10 \b, footer present ->(6.I+10) indirect x \b, contains: +>(6.I+10) indirect x \b, contains: # NSF (NES sound file) magic 0 string NESM\x1a NES Sound File @@ -314,7 +314,7 @@ >122 byte&0x1 =0 NTSC # NSFE (Extended NES sound file) magic -# http://slickproductions.org/docs/NSF/nsfespec.txt +# http://slickproductions.org/docs/NSF/nsfespec.txt # From: David Pflug 0 string NSFE Extended NES Sound File >48 search/0x1000 auth @@ -469,6 +469,8 @@ >>20 byte&0xe 0xc \b, 7 channels >>20 byte&0xe 0xe \b, 8 channels # some common sample rates +>>17 belong&0xfffff0 0x2ee000 \b, 192 kHz +>>17 belong&0xfffff0 0x158880 \b, 88.2 kHz >>17 belong&0xfffff0 0x0ac440 \b, 44.1 kHz >>17 belong&0xfffff0 0x0bb800 \b, 48 kHz >>17 belong&0xfffff0 0x07d000 \b, 32 kHz @@ -658,7 +660,7 @@ # From Fabio R. Schmidlin # VGM music file -0 string Vgm\ +0 string Vgm\040 >9 ubyte >0 VGM Video Game Music dump v >>9 ubyte/16 >0 \b%d >>9 ubyte&0x0F x \b%d @@ -723,7 +725,7 @@ # URL: http://www.garmin.com/ # Reference: http://turboccc.wikispaces.com/share/view/28622555 # NOTE: there exist 2 other Garmin VPM formats -0 string AUDIMG +0 string AUDIMG # skip text files starting with string "AUDIMG" >13 ubyte <13 Garmin Voice Processing Module !:mime audio/x-vpm-wav-garmin 
@@ -743,16 +745,68 @@ # second of release (0-59) >>9 ubyte x \b:%.2d # if you select a language like german on your garmin device -# you can only select voice modules with correponding language byte ID like 1 +# you can only select voice modules with corresponding language byte ID like 1 >>18 ubyte x \b, language ID %d # pointer to 1st audio WAV sample ->>16 uleshort >0 +>>16 uleshort >0 >>>(16.s) ulelong >0 \b, at offset 0x%x # WAV length >>>>(16.s+4) ulelong >0 %d Bytes # look for magic ->>>>>(&-8.l) string RIFF +>>>>>(&-8.l) string RIFF # determine type by ./riff ->>>>>>&-4 indirect x \b +>>>>>>&-4 indirect x \b # 2 - ~ 131 WAV samples following same way +# From Martin Mueller Skarbiniks Pedersen +0 string GDM +>0x3 byte 0xFE General Digital Music. +>0x4 string >\0 title: "%s" +>0x24 string >\0 musician: "%s" +>>0x44 beshort 0x0D0A +>>>0x46 byte 0x1A +>>>>0x47 string GMFS Version +>>>>0x4B byte x %d. +>>>>0x4C byte x \b%02d +>>>>0x4D beshort 0x000 (2GDM v +>>>>0x4F byte x \b%d. +>>>>>0x50 byte x \b%d) + +0 string MTM Multitracker +>0x3 byte/16 x Version %d. +>0x3 byte&0x0F x \b%02d +>>0x4 string >\0 title: "%s" + +0 string HVL +>3 byte <2 Hively Tracker Song +>3 byte 0 1 module data +>3 byte 1 2 module data + +0 string MO3 +>3 ubyte <6 MOdule with MP3 +>>3 byte 0 Version 0 (With MP3 and lossless) +>>3 byte 1 Version 1 (With ogg and lossless) +>>3 byte 3 Version 2.2 +>>3 byte 4 (With no LAME header) +>>3 byte 5 Version 2.4 + +0 string ADRVPACK AProSys module + +# ftp://ftp.modland.com/pub/documents/format_documentation/\ +# Art%20Of%20Noise%20(.aon).txt +0 string AON +>4 string "ArtOfNoise by Bastian Spiegel(twice/lego)" +>0x2e string NAME Art of Noise Tracker Song +>3 string <9 +>3 string 4 (4 voices) +>3 string 8 (8 voices) +>>0x36 string >\0 Title: "%s" + +0 string FAR +>0x2c byte 0x0d +>0x2d byte 0x0a +>0x2e byte 0x1a +>>0x3 byte 0xFE Farandole Tracker Song +>>>0x31 byte/16 x Version %d. +>>>0x31 byte&0x0F x \b%02d +>>>>0x4 string >\0 \b, title: "%s" 
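Review bot: The new title and musician lines print fixed-width header fields with an unbounded `%s`: `>0x4 string >\0 title: "%s"` and `>0x24 string >\0 musician: "%s"` in the GDM entry, and the same pattern at offset 0x4 in the MTM and FAR entries. The two GDM fields are 0x20 bytes apart, so a title that fills its field without a terminating NUL runs on into the musician field and whatever follows. Other entries touched by this commit bound such fields, for example `%-.32s` in Magdir/android. For GDM use `title: "%.32s"` and `musician: "%.32s"`. For the MTM and FAR titles, add a precision equal to the field width, which this hunk does not show.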
diff --git a/magic/Magdir/bhl b/magic/Magdir/bhl new file mode 100644 index 000000000000..6f57f0343395 --- /dev/null +++ b/magic/Magdir/bhl @@ -0,0 +1,10 @@ + +#------------------------------------------------------------------------------ +# $File: bhl,v 1.1 2017/06/11 22:20:02 christos Exp $ +# BlockHashLoc +# ext: bhl +# Marco Pontello marcopon@gmail.com +# reference: https://github.com/MarcoPon/BlockHashLoc +0 string BlockHashLoc\x1a BlockHashLoc recovery info, +>13 byte x version %d +!:ext bhl diff --git a/magic/Magdir/blackberry b/magic/Magdir/blackberry index 4a61d4e98cfa..2e38a54f42d6 100644 --- a/magic/Magdir/blackberry +++ b/magic/Magdir/blackberry @@ -1,8 +1,8 @@ #------------------------------------------------------------------------------ -# $File: blackberry,v 1.1 2014/01/31 01:51:32 christos Exp $ +# $File: blackberry,v 1.2 2017/03/17 21:35:28 christos Exp $ # blackberry: file(1) magic for BlackBerry file formats # -5 belong 0 +5 belong 0 >8 belong 010010010 BlackBerry RIM ETP file >>22 string x \b for %s diff --git a/magic/Magdir/blender b/magic/Magdir/blender index 5b9c8556e521..09485702b15b 100644 --- a/magic/Magdir/blender +++ b/magic/Magdir/blender @@ -1,11 +1,11 @@ #------------------------------------------------------------------------------ -# $File: blender,v 1.6 2014/08/30 08:34:17 christos Exp $ +# $File: blender,v 1.7 2017/03/17 21:35:28 christos Exp $ # blender: file(1) magic for Blender 3D related files # -# Native format rule v1.2. For questions use the developers list +# Native format rule v1.2. For questions use the developers list # http://lists.blender.org/mailman/listinfo/bf-committers -# GLOB chunk was moved near start and provides subversion info since 2.42 +# GLOB chunk was moved near start and provides subversion info since 2.42 0 string =BLENDER Blender3D, >7 string =_ saved as 32-bits diff --git a/magic/Magdir/c-lang b/magic/Magdir/c-lang index bb594b069fc7..7b3f703ef3ec 100644 --- a/magic/Magdir/c-lang 
+++ b/magic/Magdir/c-lang @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: c-lang,v 1.24 2016/07/01 23:31:13 christos Exp $ +# $File: c-lang,v 1.26 2017/08/14 07:40:38 christos Exp $ # c-lang: file(1) magic for C and related languages programs # # The strength is to beat standard HTML 
@@ -11,49 +11,72 @@ !:mime text/x-bcpl # C -0 regex \^#include C source text -!:strength +25 +# Check for class if include is found, otherwise class is beaten by include becouse of lowered strength +0 regex \^#include C +>0 regex \^class[[:space:]]+ +>>&0 regex \\{[\.\*]\\}(;)?$ \b++ +>&0 clear x source text +!:strength + 13 !:mime text/x-c -0 regex \^char[\ \t\n]+ C source text +0 regex \^#[[:space:]]*pragma C source text !:mime text/x-c -0 regex \^double[\ \t\n]+ C source text +0 regex \^#[[:space:]]*(if\|ifn)def +>&0 regex \^#[[:space:]]*endif$ C source text !:mime text/x-c -0 regex \^extern[\ \t\n]+ C source text +0 regex \^#[[:space:]]*(if\|ifn)def +>&0 regex \^#[[:space:]]*define C source text !:mime text/x-c -0 regex \^float[\ \t\n]+ C source text +0 regex \^[[:space:]]*char(\ \\*|\\*)(.+)(=.*)?;[[:space:]]*$ C source text !:mime text/x-c -0 regex \^struct[\ \t\n]+ C source text +0 regex \^[[:space:]]*double(\ \\*|\\*)(.+)(=.*)?;[[:space:]]*$ C source text !:mime text/x-c -0 regex \^union[\ \t\n]+ C source text +0 regex \^[[:space:]]*extern[[:space:]]+ C source text !:mime text/x-c -0 search/8192 main( C source text +0 regex \^[[:space:]]*float(\ \\*|\\*)(.+)(=.*)?;[[:space:]]*$ C source text +!:mime text/x-c +0 regex \^struct[[:space:]]+ C source text +!:mime text/x-c +0 regex \^union[[:space:]]+ C source text +!:mime text/x-c +0 search/8192 main( +>&0 regex \\)[[:space:]]*\\{ C source text !:mime text/x-c # C++ # The strength of these rules is increased so they beat the C rules above -0 regex \^template[\ \t]+<.*>[\ \t\n]+ C++ source text +0 regex \^namespace[[:space:]]+[_[:alpha:]]{1,30}[[:space:]]*\\{ C++ source text !:strength + 30 !:mime text/x-c++ -0 regex \^virtual[\ \t\n]+ C++ source text +# using namespace [namespace] or using std::[lib] +0 regex \^using[[:space:]]+(namespace\ )?std(::)?[[:alpha:]]*[[:space:]]*; C++ source text !:strength + 30 !:mime text/x-c++ -0 regex \^class[\ \t\n]+ C++ source text -# But class is reduced to avoid beating php 
(Jens Schleusener) +0 regex \^[[:space:]]*template[[:space:]]*<.*>[[:space:]]*$ C++ source text +!:strength + 30 +!:mime text/x-c++ +0 regex \^[[:space:]]*virtual[[:space:]]+.*[};][[:space:]]*$ C++ source text +!:strength + 30 +!:mime text/x-c++ +# But class alone is reduced to avoid beating php (Jens Schleusener) +0 regex \^[[:space:]]*class[[:space:]]+[[:digit:][:alpha:]:_]+[[:space:]]*\\{(.*[\n]*)*\\}(;)?$ C++ source text !:strength + 13 !:mime text/x-c++ -0 regex \^public: C++ source text +0 regex \^[[:space:]]*public: C++ source text !:strength + 30 !:mime text/x-c++ -0 regex \^private: C++ source text +0 regex \^[[:space:]]*private: C++ source text +!:strength + 30 +!:mime text/x-c++ +0 regex \^[[:space:]]*protected: C++ source text !:strength + 30 !:mime text/x-c++ # Objective-C -0 regex \^#import Objective-C source text -!:strength +25 +0 regex \^#import Objective-C source text +!:strength + 25 !:mime text/x-objective-c -# From: Mikhail Teterin +# From: Mikhail Teterin 0 string cscope cscope reference data >7 string x version %.2s # We skip the path here, because it is often long (so file will diff --git a/magic/Magdir/cad b/magic/Magdir/cad index 9b09fd7a1917..daafba9d444c 100644 --- a/magic/Magdir/cad +++ b/magic/Magdir/cad @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: cad,v 1.13 2014/03/23 18:05:38 christos Exp $ +# $File: cad,v 1.15 2017/06/24 15:24:56 christos Exp $ # autocad: file(1) magic for cad files # @@ -9,7 +9,7 @@ # DGN is the default file extension of Microstation/Intergraph CAD files. # CIT is the proprietary raster format (similar to TIFF) used to attach # raster underlays to Microstation DGN (vector) drawings. -# +# # http://www.wotsit.org/search.asp # http://filext.com/detaillist.php?extdetail=DGN # http://filext.com/detaillist.php?extdetail=CIT 
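Review bot: The new `class` rule in the C++ section ends in `\\{(.*[\n]*)*\\}(;)?$`, a nested unbounded quantifier whose inner parts can both match the empty string, and the rule has no range limit. file(1) is routinely run on untrusted input, and depending on the libc regex implementation this pattern may backtrack heavily on a long input that has `class X {` but no closing brace at a line end. I would bound it the way the awk rule in `commands` is bounded and drop the nested group, e.g. `0 regex/4096 \^[[:space:]]*class[[:space:]]+[[:digit:][:alpha:]:_]+[[:space:]]*\\{ C++ source text`, at the cost of no longer requiring the closing brace. Since this is a vendor import, the change belongs upstream.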
@@ -42,7 +42,7 @@ >4 string \030\000\000 CITFile >4 string \030\000\003 CITFile -# AutoCAD +# AutoCAD # Merge of the different contributions and updates from http://en.wikipedia.org/wiki/Dwg # and http://www.iana.org/assignments/media-types/image/vnd.dwg 0 string MC0.0 DWG AutoDesk AutoCAD Release 1.0 @@ -99,42 +99,42 @@ 0 string AC1027 DWG AutoDesk AutoCAD 2013/2014 !:mime image/vnd.dwg -# KOMPAS 2D drawing from ASCON +# KOMPAS 2D drawing from ASCON # This is KOMPAS 2D drawing or fragment of drawing but is not detailed nor # gathered nor specification # ASCON http://ascon.net/main/ in English, # http://ascon.ru/ main site in Russian -# Extension is CDW for drawing and FRW for fragment of drawing +# Extension is CDW for drawing and FRW for fragment of drawing # Sergey Zaykov (mail_of_sergey@mail.ru, sergey_zaikov@rambler.ru, # ICQ 358572321, http://vkontakte.ru/id16076543) # 
From: # http://sd.ascon.ru/otrs/customer.pl?Action=CustomerFAQ&CategoryID=4&ItemID=292 # (in russian) and my experiments 0 string KF ->2 belong 0x4E00000C Kompas drawing 12.0 SP1 ->2 belong 0x4D00000C Kompas drawing 12.0 ->2 belong 0x3200000B Kompas drawing 11.0 SP1 ->2 belong 0x3100000B Kompas drawing 11.0 ->2 belong 0x2310000A Kompas drawing 10.0 SP1 ->2 belong 0x2110000A Kompas drawing 10.0 ->2 belong 0x08000009 Kompas drawing 9.0 SP1 ->2 belong 0x05000009 Kompas drawing 9.0 ->2 belong 0x33010008 Kompas drawing 8+ ->2 belong 0x1A000008 Kompas drawing 8.0 ->2 belong 0x2C010107 Kompas drawing 7+ ->2 belong 0x05000007 Kompas drawing 7.0 ->2 belong 0x32000006 Kompas drawing 6+ ->2 belong 0x09000006 Kompas drawing 6.0 ->2 belong 0x5C009005 Kompas drawing 5.11R03 ->2 belong 0x54009005 Kompas drawing 5.11R02 ->2 belong 0x51009005 Kompas drawing 5.11R01 ->2 belong 0x22009005 Kompas drawing 5.10R03 ->2 belong 0x22009005 Kompas drawing 5.10R02 mar ->2 belong 0x21009005 Kompas drawing 5.10R02 febr ->2 belong 0x19009005 Kompas drawing 5.10R01 ->2 belong 0xF4008005 Kompas drawing 5.9R01.003 ->2 belong 0x1C008005 Kompas drawing 5.9R01.002 ->2 belong 0x11008005 Kompas drawing 5.8R01.003 +>2 belong 0x4E00000C Kompas drawing 12.0 SP1 +>2 belong 0x4D00000C Kompas drawing 12.0 +>2 belong 0x3200000B Kompas drawing 11.0 SP1 +>2 belong 0x3100000B Kompas drawing 11.0 +>2 belong 0x2310000A Kompas drawing 10.0 SP1 +>2 belong 0x2110000A Kompas drawing 10.0 +>2 belong 0x08000009 Kompas drawing 9.0 SP1 +>2 belong 0x05000009 Kompas drawing 9.0 +>2 belong 0x33010008 Kompas drawing 8+ +>2 belong 0x1A000008 Kompas drawing 8.0 +>2 belong 0x2C010107 Kompas drawing 7+ +>2 belong 0x05000007 Kompas drawing 7.0 +>2 belong 0x32000006 Kompas drawing 6+ +>2 belong 0x09000006 Kompas drawing 6.0 +>2 belong 0x5C009005 Kompas drawing 5.11R03 +>2 belong 0x54009005 Kompas drawing 5.11R02 +>2 belong 0x51009005 Kompas drawing 5.11R01 +>2 belong 0x22009005 Kompas drawing 5.10R03 +>2 belong 0x22009005 Kompas 
drawing 5.10R02 mar +>2 belong 0x21009005 Kompas drawing 5.10R02 febr +>2 belong 0x19009005 Kompas drawing 5.10R01 +>2 belong 0xF4008005 Kompas drawing 5.9R01.003 +>2 belong 0x1C008005 Kompas drawing 5.9R01.002 +>2 belong 0x11008005 Kompas drawing 5.8R01.003 # CAD: file(1) magic for computer aided design files # Phillip Griffith @@ -147,8 +147,13 @@ >0x02 byte 0xfe >>0x04 beshort 0x1800 CIT raster CAD -# 3DS (3d Studio files) Conflicts with diff output 0x3d '=' -#16 beshort 0x3d3d image/x-3ds +# 3DS (3d Studio files) +0 leshort 0x4d4d +>6 leshort 0x2 +>>8 lelong 0xa +>>>16 leshort 0x3d3d 3D Studio model +!:mime image/x-3ds +!:extension 3ds # MegaCAD 2D/3D drawing (.prt) # http://megacad.de/ diff --git a/magic/Magdir/cafebabe b/magic/Magdir/cafebabe index 6d97cebc4fa1..6482858fc62c 100644 --- a/magic/Magdir/cafebabe +++ b/magic/Magdir/cafebabe @@ -1,14 +1,14 @@ #------------------------------------------------------------------------------ -# $File: cafebabe,v 1.21 2015/10/15 20:56:51 christos Exp $ +# $File: cafebabe,v 1.23 2017/05/25 20:07:23 christos Exp $ # Cafe Babes unite! # # Since Java bytecode and Mach-O universal binaries have the same magic number, # the test must be performed in the same "magic" sequence to get both right. # The long at offset 4 in a Mach-O universal binary tells the number of # architectures; the short at offset 4 in a Java bytecode file is the JVM minor -# version and the short at offset 6 is the JVM major version. Since there are only -# only 18 labeled Mach-O architectures at current, and the first released +# version and the short at offset 6 is the JVM major version. Since there are only +# only 18 labeled Mach-O architectures at current, and the first released # Java class format was version 43.0, we can safely choose any number # between 18 and 39 to test the number of architectures against # (and use as a hack). Let's not use 18, because the Mach-O people 
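Review bot: The new 3D Studio rule ends with `!:extension 3ds`, while every other extension annotation visible in this patch is spelled `!:ext` (`!:ext bhl` in the new bhl file, `!:ext dbt` in database). If the magic compiler does not treat the long spelling as the same directive, the extension is dropped or mis-parsed. I would write `!:ext 3ds` to match the rest, and confirm against the parser how the long form is handled.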
@@ -47,7 +47,7 @@ 0 name mach-o \b [ >0 use mach-o-cpu \b ->(8.L) indirect \b: +>(8.L) indirect x \b: >0 belong x \b] 0 belong 0xcafebabe diff --git a/magic/Magdir/clipper b/magic/Magdir/clipper index 98278ebf0615..2768b3af501d 100644 --- a/magic/Magdir/clipper +++ b/magic/Magdir/clipper @@ -1,13 +1,13 @@ #------------------------------------------------------------------------------ -# $File: clipper,v 1.7 2014/04/30 21:41:02 christos Exp $ +# $File: clipper,v 1.8 2017/03/17 21:35:28 christos Exp $ # clipper: file(1) magic for Intergraph (formerly Fairchild) Clipper. # # XXX - what byte order does the Clipper use? # # XXX - what's the "!" stuff: # -# >18 short !074000,000000 C1 R1 +# >18 short !074000,000000 C1 R1 # >18 short !074000,004000 C2 R1 # >18 short !074000,010000 C3 R1 # >18 short !074000,074000 TEST @@ -15,7 +15,7 @@ # I shall assume it's ANDing the field with the first value and # comparing it with the second, and rewrite it as: # -# >18 short&074000 000000 C1 R1 +# >18 short&074000 000000 C1 R1 # >18 short&074000 004000 C2 R1 # >18 short&074000 010000 C3 R1 # >18 short&074000 074000 TEST @@ -37,7 +37,7 @@ >12 long >0 not stripped >22 short >0 - version %d 0 short 0577 CLIPPER COFF executable ->18 short&074000 000000 C1 R1 +>18 short&074000 000000 C1 R1 >18 short&074000 004000 C2 R1 >18 short&074000 010000 C3 R1 >18 short&074000 074000 TEST diff --git a/magic/Magdir/coff b/magic/Magdir/coff index 02cbf9ce7413..b4addec58ffd 100644 --- a/magic/Magdir/coff +++ b/magic/Magdir/coff @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: coff,v 1.1 2015/09/30 20:32:35 christos Exp $ +# $File: coff,v 1.2 2017/03/17 21:35:28 christos Exp $ # coff: file(1) magic for Common Object Files not specific to known cpu types or manufactures # # COFF 
@@ -15,7 +15,7 @@ # mips,motorola,msdos,osf1,sharc,varied.out,vax 0 name display-coff # test for unused flag bits (0x8000,0x0800,0x0400,0x0200,x0080) in f_flags ->18 uleshort&0x8E80 0 +>18 uleshort&0x8E80 0 >>0 clear x # f_magic - magic number # DJGPP, 80386 COFF executable, MS Windows COFF Intel 80386 object file (./intel) @@ -25,7 +25,7 @@ # Hitachi SH little-endian COFF (./hitachi-sh) >>0 uleshort 0x0550 Hitachi SH little-endian # executable (RISC System/6000 V3.1) or obj module (./ibm6000) -#>>0 uleshort 0x01DF +#>>0 uleshort 0x01DF # TODO for other COFFs #>>0 uleshort 0xABCD COFF_TEMPLATE >>0 default x @@ -45,12 +45,12 @@ >>18 leshort &0x0008 \b, stripped >>18 leshort ^0x0008 \b, not stripped # flags in other COFF versions -#0x0010 F_FDPR_PROF +#0x0010 F_FDPR_PROF #0x0020 F_FDPR_OPTI #0x0040 F_DSA # F_AR32WR flag bit #>>>18 leshort &0x0100 \b, 32 bit little endian -#0x1000 F_DYNLOAD +#0x1000 F_DYNLOAD #0x2000 F_SHROBJ #0x4000 F_LOADONLY # f_nscns - number of sections @@ -62,7 +62,7 @@ >>8 ulelong >0 \b, symbol offset=0x%x # f_nsyms - number of symbols, only for not stripped >>12 ulelong >0 \b, %d symbols -# f_opthdr - optional header size +# f_opthdr - optional header size >>16 uleshort >0 \b, optional header size %d # at offset 20 can be optional header, extra bytes FILHSZ-20 because # do not rely on sizeof(FILHDR) to give the correct size for header. diff --git a/magic/Magdir/commands b/magic/Magdir/commands index 48d706358c0e..f6ad1c878a31 100644 --- a/magic/Magdir/commands +++ b/magic/Magdir/commands @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: commands,v 1.56 2016/07/14 19:01:12 christos Exp $ +# $File: commands,v 1.59 2017/08/14 07:40:38 christos Exp $ # commands: file(1) magic for various shells and interpreters # #0 string/w : shell archive or script for antique kernel text 
@@ -56,7 +56,7 @@ !:mime text/x-awk 0 string/wt #!\ /usr/bin/awk awk script text executable !:mime text/x-awk -0 regex/4096 =^\\s{0,100}BEGIN\\s{0,100}[{] awk or perl script text +0 regex/4096 =^[\040\t\f\r\n]{0,100}BEGIN[\040\t\f\r\n]{0,100}[{] awk or perl script text # AT&T Bell Labs' Plan 9 shell 0 string/wt #!\ /bin/rc Plan 9 rc shell script text executable @@ -84,7 +84,7 @@ # PHP scripts # Ulf Harnhammar 0 search/1/c =(4.l+8) indirect +>(4.l+8) indirect x # Zstandard Dictionary ID subroutine 0 name zstd-dictionary-id @@ -310,7 +310,7 @@ # Zlib https://www.ietf.org/rfc/rfc6713.txt 0 string/b x ->0 beshort%31 =0 +>0 beshort%31 =0 >>0 byte&0xf =8 >>>0 byte&0x80 =0 zlib compressed data !:mime application/zlib diff --git a/magic/Magdir/console b/magic/Magdir/console index 2a1c9af7f035..66f5dbda294e 100644 --- a/magic/Magdir/console +++ b/magic/Magdir/console @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: console,v 1.26 2016/06/12 15:20:37 christos Exp $ +# $File: console,v 1.32 2017/08/13 00:21:47 christos Exp $ # Console game magic # Toby Deshane @@ -9,17 +9,19 @@ # References: # - http://wiki.nesdev.com/w/index.php/INES # - http://wiki.nesdev.com/w/index.php/NES_2.0 -0 string NES\x1A iNES ROM image + +# Common header for iNES, NES 2.0, and Wii U iNES. +0 name nes-rom-image-ines >7 byte&0x0C =0x8 (NES 2.0) >4 byte x \b: %ux16k PRG ->5 byte x \b, %ux16k CHR +>5 byte x \b, %ux8k CHR >6 byte&0x08 =0x8 [4-Scr] >6 byte&0x09 =0x0 [H-mirror] >6 byte&0x09 =0x1 [V-mirror] >6 byte&0x02 =0x2 [SRAM] >6 byte&0x04 =0x4 [Trainer] >7 byte&0x03 =0x2 [PC10] ->7 byte&0x03 =0x1 [VS +>7 byte&0x03 =0x1 [VS] >>7 byte&0x0C =0x8 # NES 2.0: VS PPU >>>13 byte&0x0F =0x0 \b, RP2C03B 
@@ -43,17 +45,24 @@ >>12 byte&0x03 =0x1 [PAL] >>12 byte&0x02 =0x2 [NTSC+PAL] +# Standard iNES ROM header. +0 string NES\x1A NES ROM image (iNES) +>0 use nes-rom-image-ines + +# Wii U Virtual Console iNES ROM header. +0 belong 0x4E455300 NES ROM image (Wii U Virtual Console) +>0 use nes-rom-image-ines + #------------------------------------------------------------------------------ # unif: file(1) magic for UNIF-format Nintendo Entertainment System ROM images # Reference: http://wiki.nesdev.com/w/index.php/UNIF # From: David Korth -# TODO commit on 2016/03/21 # # NOTE: The UNIF format uses chunks instead of a fixed header, # so most of the data isn't easily parseable. # 0 string UNIF ->4 lelong <16 UNIF v%d format NES ROM image +>4 lelong <16 NES ROM image (UNIF v%d format) #------------------------------------------------------------------------------ # fds: file(1) magic for Famciom Disk System disk images @@ -63,24 +72,39 @@ # Disk info block. (block 1) 0 name nintendo-fds-disk-info-block ->1 string *NINTENDO-HVC* Famicom Disk System disk image: >23 byte !1 FMC- >23 byte 1 FSC- >16 string x \b%.3s ->15 byte x \b, mfr 0x%02X +>15 byte x \b, mfr %02X >20 byte x (Rev.%02u) # Headered version. 0 string FDS\x1A ->0x11 string *NINTENDO-HVC* +>0x11 string *NINTENDO-HVC* Famicom Disk System disk image: >>0x10 use nintendo-fds-disk-info-block >4 byte 1 (%u side) >4 byte !1 (%u sides) # Unheadered version. -1 string *NINTENDO-HVC* +1 string *NINTENDO-HVC* Famicom Disk System disk image: >0 use nintendo-fds-disk-info-block +#------------------------------------------------------------------------------ +# tnes: file(1) magic for TNES-format Nintendo Entertainment System ROM images +# Used by Nintendo 3DS NES Virtual Console games. +# 
From: David Korth +# +0 string TNES NES ROM image (Nintendo 3DS Virtual Console) +>4 byte 100 \b: FDS, +>>0x2010 use nintendo-fds-disk-info-block +>4 byte !100 \b: TNES mapper %u +>>5 byte x \b, %ux8k PRG +>>6 byte x \b, %ux8k CHR +>>7 byte&0x08 =1 [WRAM] +>>8 byte&0x09 =1 [H-mirror] +>>8 byte&0x09 =2 [V-mirror] +>>8 byte&0x02 =3 [VRAM] + #------------------------------------------------------------------------------ # gameboy: file(1) magic for the Nintendo (Color) Gameboy raw ROM format # Reference: http://gbdev.gg8.se/wiki/articles/The_Cartridge_Header @@ -389,6 +413,15 @@ >0x1E byte x \b, Rev.%02u) >0x12 byte 2 (DSi enhanced) >0x12 byte 3 (DSi only) +# Secure Area check. +>0x20 lelong <0x4000 (homebrew) +>0x20 lelong >0x3FFF +>>0x4000 lequad 0x0000000000000000 (multiboot) +>>0x4000 lequad !0x0000000000000000 +>>>0x4000 lequad 0xE7FFDEFFE7FFDEFF (decrypted) +>>>0x4000 lequad !0xE7FFDEFFE7FFDEFF +>>>>0x1000 lequad 0x0000000000000000 (encrypted) +>>>>0x1000 lequad !0x0000000000000000 (mask ROM) #------------------------------------------------------------------------------ # nds_passme: file(1) magic for Nintendo DS ROM images for GBA cartridge boot. @@ -412,7 +445,7 @@ #------------------------------------------------------------------------------ # msx: file(1) magic for MSX game cartridge dumps # Too simple - MPi -#0 beshort 0x4142 MSX game cartridge dump +#0 beshort 0x4142 MSX game cartridge dump #------------------------------------------------------------------------------ # Sony Playstation executables (Adam Sjoegren ) : @@ -467,7 +500,7 @@ # Double-check that the image type matches too, 0x8008 conflicts with # 8 character OMF-86 object file headers. -0 beshort 0x8008 +0 beshort 0x8008 >6 string BS93 Lynx homebrew cartridge >>2 beshort x \b, RAM start $%04x >6 string LYNX Lynx cartridge 
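Review bot: Three flag tests in the new TNES block can never match, because the compared value has bits outside the mask: `>>7 byte&0x08 =1`, `>>8 byte&0x09 =2` and `>>8 byte&0x02 =3`. As written, [WRAM], [V-mirror] and [VRAM] are never printed. The masks look carried over from the iNES flag-byte tests earlier in the file. If these TNES header bytes hold small enumerated values (to be checked against the format reference), plain comparisons such as `>>7 byte 1 [WRAM]` are presumably what was meant. The mirroring and VRAM tests also both read offset 8, which is worth checking at the same time.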
@@ -482,7 +515,7 @@ # is the offset 12 or the offset 16 correct? # GBS (Game Boy Sound) magic # ftp://ftp.modland.com/pub/documents/format_documentation/\ -# Gameboy%20Sound%20System%20(.gbs).txt +# Gameboy%20Sound%20System%20(.gbs).txt 0 string GBS Nintendo Gameboy Music/Audio Data #12 string GameBoy\ Music\ Module Nintendo Gameboy Music Module >16 string >\0 ("%s" by @@ -491,6 +524,10 @@ >3 byte x version %d, >4 byte x %d tracks +# IPS Patch Files from: From: Thomas Klausner +# see http://zerosoft.zophar.net/ips.php +0 string PATCH IPS patch file + # Playstations Patch Files from: From: Thomas Klausner 0 string PPF30 Playstation Patch File version 3.0 >5 byte 0 \b, PPF 1.0 patch @@ -518,7 +555,7 @@ # SNES9x .smv "movie" file format. 0 string SMV\x1A SNES9x input recording >0x4 lelong x \b, version %d -# version 4 is latest so far +# version 4 is latest so far >0x4 lelong <5 >>0x8 ledate x \b, recorded at %s >>0xc lelong >0 \b, rerecorded %d times 
@@ -617,6 +654,52 @@ >0x218 belong 0x5D1C9EA3 Nintendo Wii disc image (WBFS format): >>0x200 use nintendo-gcn-disc-common +# Type: Nintendo GameCube/Wii disc image (CISO format) +# NOTE: This is NOT the same as Compact ISO or PSP CISO, +# though it has the same magic number. +0 string CISO +# Other fields are used to determine what type of CISO this is: +# - 0x04 == 0x00200000: GameCube/Wii CISO (block_size) +# - 0x10 == 0x00000800: PSP CISO (ISO-9660 sector size) +# - None of the above: Compact ISO. +>4 lelong 0x200000 +>>8 byte 1 +>>>0x801C belong 0xC2339F3D Nintendo GameCube disc image (CISO format): +>>>>0x8000 use nintendo-gcn-disc-common +>>>0x8018 belong 0x5D1C9EA3 Nintendo Wii disc image (CISO format): +>>>>0x8000 use nintendo-gcn-disc-common + +# Type: Nintendo GameCube/Wii disc image (GCZ format) +# Due to zlib compression, we can't get the actual disc information. +0 lelong 0xB10BC001 +>4 lelong 0 Nintendo GameCube disc image (GCZ format) +>4 lelong 1 Nintendo Wii disc image (GCZ format) +>4 lelong >1 Nintendo GameCube/Wii disc image (GCZ format) + +# Type: Nintendo GameCube/Wii disc image (WDF format) +0 string WII\001DISC +>8 belong 1 +# WDFv1 +>>0x54 belong 0xC2339F3D Nintendo GameCube disc image (WDFv1 format): +>>>0x38 use nintendo-gcn-disc-common +>>0x58 belong 0x5D1C9EA3 Nintendo Wii disc image (WDFv1 format): +>>>0x38 use nintendo-gcn-disc-common +>8 belong 2 +# WDFv2 +>>(12.L+0x1C) belong 0xC2339F3D Nintendo GameCube disc image (WDFv2 format): +>>>(12.L) use nintendo-gcn-disc-common +>>(12.L+0x18) belong 0x5D1C9EA3 Nintendo Wii disc image (WDFv2 format): +>>>(12.L) use nintendo-gcn-disc-common + +# Type: Nintendo GameCube/Wii disc image (WIA format) +0 string WIA\001 Nintendo +>0x48 belong 0 GameCube/Wii +>0x48 belong 1 GameCube +>0x48 belong 2 Wii +>0x48 belong >2 GameCube/Wii +>0x48 belong x disc image (WIA format): +>>0x58 use nintendo-gcn-disc-common + #------------------------------------------------------------------------------ # Nintendo 
3DS file formats. # @@ -722,7 +805,7 @@ # Type: Nintendo 3DS Homebrew Application. # From: David Korth -# Refernece: https://3dbrew.org/wiki/3DSX_Format +# Reference: https://3dbrew.org/wiki/3DSX_Format 0 string 3DSX Nintendo 3DS Homebrew Application (3DSX) #------------------------------------------------------------------------------ @@ -750,3 +833,17 @@ # 0 string g\ GCE Vectrex ROM image >0x11 string >\0 \b: "%.16s" + +#------------------------------------------------------------------------------ +# amiibo: file(1) magic for Nintendo amiibo NFC dumps. +# From: David Korth +# Reference: https://www.3dbrew.org/wiki/Amiibo +0x00 byte 0x04 +>0x0A beshort 0x0FE0 +>>0x0C belong 0xF110FFEE +>>>0x208 beshort 0x0100 +>>>>0x020A byte 0x0F +>>>>>0x020C bequad 0x000000045F000000 +>>>>>>0x5B byte 0x02 +>>>>>>>0x54 belong x Nintendo amiibo NFC dump - amiibo ID: %08X- +>>>>>>>0x58 belong x \b%08X diff --git a/magic/Magdir/cups b/magic/Magdir/cups index 4d0056bb4b57..a065de39637d 100644 --- a/magic/Magdir/cups +++ b/magic/Magdir/cups @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: cups,v 1.4 2016/10/17 18:51:02 christos Exp $ +# $File: cups,v 1.5 2017/03/17 21:35:28 christos Exp $ # Cups: file(1) magic for the cups raster file format # From: Laurent Martelli # http://www.cups.org/documentation.php/spec-raster.html @@ -39,7 +39,7 @@ >404 lelong 20 ColorSpace=AdobeRGB # Cups Raster image format, Big Endian -0 string RaS +0 string RaS >3 string t Cups Raster version 1, Big Endian >3 string 2 Cups Raster version 2, Big Endian >3 string 3 Cups Raster version 3, Big Endian @@ -48,7 +48,7 @@ # Cups Raster image format, Little Endian -1 string SaR +1 string SaR >0 string t Cups Raster version 1, Little Endian >0 string 2 Cups Raster version 2, Little Endian >0 string 3 Cups Raster version 3, Little Endian diff --git a/magic/Magdir/database b/magic/Magdir/database index 15f94b1faab4..a0300ae772ce 100644 
--- a/magic/Magdir/database +++ b/magic/Magdir/database @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: database,v 1.49 2016/06/11 17:01:51 christos Exp $ +# $File: database,v 1.52 2017/08/13 00:21:47 christos Exp $ # database: file(1) magic for various databases # # extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk) @@ -84,7 +84,7 @@ # From Max Bowsher. 12 long 0x00040988 Berkeley DB >16 long >0 (Log, version %d, native byte-order) -12 belong 0x00040988 Berkeley DB +12 belong 0x00040988 Berkeley DB >16 belong >0 (Log, version %d, big-endian) 12 lelong 0x00040988 Berkeley DB >16 lelong >0 (Log, version %d, little-endian) @@ -103,7 +103,7 @@ >>>12 long !0 32bit aligned >>>>12 bedouble 8.642135e+130 big-endian >>>>>20 long 0 64bit long ->>>>>20 long !0 32bit long +>>>>>20 long !0 32bit long >>>>12 ledouble 8.642135e+130 little-endian >>>>>24 long 0 64bit long >>>>>24 long !0 32bit long (i386) 
@@ -128,22 +128,22 @@ # XXX: Weak magic. # Alex Ott ## Paradox file formats -#2 leshort 0x0800 Paradox -#>0x39 byte 3 v. 3.0 -#>0x39 byte 4 v. 3.5 -#>0x39 byte 9 v. 4.x -#>0x39 byte 10 v. 5.x -#>0x39 byte 11 v. 5.x -#>0x39 byte 12 v. 7.x -#>>0x04 byte 0 indexed .DB data file -#>>0x04 byte 1 primary index .PX file -#>>0x04 byte 2 non-indexed .DB data file -#>>0x04 byte 3 non-incrementing secondary index .Xnn file -#>>0x04 byte 4 secondary index .Ynn file -#>>0x04 byte 5 incrementing secondary index .Xnn file -#>>0x04 byte 6 non-incrementing secondary index .XGn file -#>>0x04 byte 7 secondary index .YGn file -#>>>0x04 byte 8 incrementing secondary index .XGn file +#2 leshort 0x0800 Paradox +#>0x39 byte 3 v. 3.0 +#>0x39 byte 4 v. 3.5 +#>0x39 byte 9 v. 4.x +#>0x39 byte 10 v. 5.x +#>0x39 byte 11 v. 5.x +#>0x39 byte 12 v. 7.x +#>>0x04 byte 0 indexed .DB data file +#>>0x04 byte 1 primary index .PX file +#>>0x04 byte 2 non-indexed .DB data file +#>>0x04 byte 3 non-incrementing secondary index .Xnn file +#>>0x04 byte 4 secondary index .Ynn file +#>>0x04 byte 5 incrementing secondary index .Xnn file +#>>0x04 byte 6 non-incrementing secondary index .XGn file +#>>0x04 byte 7 secondary index .YGn file +#>>>0x04 byte 8 incrementing secondary index .XGn file ## XBase database files # updated by Joerg Jenderek at Feb 2013 
@@ -151,33 +151,33 @@ # http://www.clicketyclick.dk/databases/xbase/format/dbf.html # http://home.f1.htw-berlin.de/scheibl/db/intern/dBase.htm # inspect VVYYMMDD , where 1<= MM <= 12 and 1<= DD <= 31 -0 ubelong&0x0000FFFF <0x00000C20 +0 ubelong&0x0000FFFF <0x00000C20 # skip Infocom game Z-machine ->2 ubyte >0 +>2 ubyte >0 # skip Androids *.xml ->>3 ubyte >0 ->>>3 ubyte <32 +>>3 ubyte >0 +>>>3 ubyte <32 # 1 < version VV ->>>>0 ubyte >1 +>>>>0 ubyte >1 # skip HELP.CA3 by test for reserved byte ( NULL ) ->>>>>27 ubyte 0 +>>>>>27 ubyte 0 # reserved bytes not always 0 ; also found 0x3901 (T4.DBF) ,0x7101 (T5.DBF,T6.DBF) #>>>>>30 ubeshort x 30NULL?%x -# possible production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL) ->>>>>>24 ubelong&0xffFFFFff >0x01302000 +# possible production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL) +>>>>>>24 ubelong&0xffFFFFff >0x01302000 # .DBF or .MDX ->>>>>>24 ubelong&0xffFFFFff <0x01302001 +>>>>>>24 ubelong&0xffFFFFff <0x01302001 # for Xbase Database file (*.DBF) reserved (NULL) for multi-user ->>>>>>>24 ubelong&0xffFFFFff =0 +>>>>>>>24 ubelong&0xffFFFFff =0 # test for 2 reserved NULL bytes,transaction and encryption byte flag ->>>>>>>>12 ubelong&0xFFFFfEfE 0 +>>>>>>>>12 ubelong&0xFFFFfEfE 0 # test for MDX flag ->>>>>>>>>28 ubyte x ->>>>>>>>>28 ubyte&0xf8 0 +>>>>>>>>>28 ubyte x +>>>>>>>>>28 ubyte&0xf8 0 # header size >= 32 ->>>>>>>>>>8 uleshort >31 +>>>>>>>>>>8 uleshort >31 # skip PIC15736.PCX by test for language driver name or field name ->>>>>>>>>>>32 ubyte >0 +>>>>>>>>>>>32 ubyte >0 #!:mime application/x-dbf; charset=unknown-8bit ?? #!:mime application/x-dbase >>>>>>>>>>>>0 use xbase-type 
@@ -202,22 +202,22 @@ >>>>>>>>>>>>28 ubyte&0x02 2 \b, with memo .FPT >>>>>>>>>>>>28 ubyte&0x04 4 \b, DataBaseContainer # 1st record offset + 1 = header size ->>>>>>>>>>>>8 uleshort >0 ->>>>>>>>>>>>(8.s+1) ubyte >0 +>>>>>>>>>>>>8 uleshort >0 +>>>>>>>>>>>>(8.s+1) ubyte >0 >>>>>>>>>>>>>8 uleshort >0 \b, at offset %d ->>>>>>>>>>>>>(8.s+1) ubyte >0 +>>>>>>>>>>>>>(8.s+1) ubyte >0 >>>>>>>>>>>>>>&-1 string >\0 1st record "%s" -# for multiple index files (*.MDX) Production flag,tag numbers(<=0x30),tag length(<=0x20), reserverd (NULL) ->>>>>>>24 ubelong&0x0133f7ff >0 +# for multiple index files (*.MDX) Production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL) +>>>>>>>24 ubelong&0x0133f7ff >0 # test for reserved NULL byte ->>>>>>>>47 ubyte 0 +>>>>>>>>47 ubyte 0 # test for valid TAG key format (0x10 or 0) ->>>>>>>>>559 ubyte&0xeF 0 +>>>>>>>>>559 ubyte&0xeF 0 # test MM <= 12 ->>>>>>>>>>45 ubeshort <0x0C20 ->>>>>>>>>>>45 ubyte >0 ->>>>>>>>>>>>46 ubyte <32 ->>>>>>>>>>>>>46 ubyte >0 +>>>>>>>>>>45 ubeshort <0x0C20 +>>>>>>>>>>>45 ubyte >0 +>>>>>>>>>>>>46 ubyte <32 +>>>>>>>>>>>>>46 ubyte >0 #!:mime application/x-mdx >>>>>>>>>>>>>>0 use xbase-type >>>>>>>>>>>>>>0 ubyte x \b MDX @@ -236,11 +236,11 @@ # 2nd tag name #>>>>>>>>>>>>(26.b+548) string x \b, 2nd tag "%.11s" # -# Print the xBase names of different version variants +# Print the xBase names of different version variants 0 name xbase-type ->0 ubyte <2 +>0 ubyte <2 # 1 < version ->0 ubyte >1 +>0 ubyte >1 >>0 ubyte 0x02 FoxBase # FoxBase+/dBaseIII+, no memo >>0 ubyte 0x03 FoxBase+/dBase III @@ -293,7 +293,7 @@ # dBASE IV with SQL table, with memo .DBT >>0 ubyte 0xCB dBase IV with SQL table, with memo .DBT !:mime application/x-dbf -# HiPer-Six format;Clipper SIX, with SMT memo file +# HiPer-Six format;Clipper SIX, with SMT memo file >>0 ubyte 0xE5 Clipper SIX with memo !:mime application/x-dbf # http://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx 
@@ -318,12 +318,12 @@ # test and print the date of xBase .DBF .MDX 0 name xbase-date # inspect YYMMDD , where 1<= MM <= 12 and 1<= DD <= 31 ->0 ubelong x ->1 ubyte <13 ->>1 ubyte >0 ->>>2 ubyte >0 ->>>>2 ubyte <32 ->>>>>0 ubyte x +>0 ubelong x +>1 ubyte <13 +>>1 ubyte >0 +>>>2 ubyte >0 +>>>>2 ubyte <32 +>>>>>0 ubyte x # YY is interpreted as 20YY or 19YY >>>>>>0 ubyte <100 \b %.2d # YY is interpreted 1900+YY; TODO: display yy or 20yy instead 1YY 
@@ -333,56 +333,56 @@ # dBase memo files .DBT or .FPT # http://msdn.microsoft.com/en-us/library/8599s21w(v=vs.80).aspx -16 ubyte <4 ->16 ubyte !2 ->>16 ubyte !1 +16 ubyte <4 +>16 ubyte !2 +>>16 ubyte !1 # next free block index is positive ->>>0 ulelong >0 +>>>0 ulelong >0 # skip many JPG. ZIP, BZ2 by test for reserved bytes NULL , 0|2 , 0|1 , low byte of block size ->>>>17 ubelong&0xFFfdFE00 0x00000000 +>>>>17 ubelong&0xFFfdFE00 0x00000000 # skip many RAR by test for low byte 0 ,high byte 0|2|even of block size, 0|a|e|d7 , 0|64h ->>>>>20 ubelong&0xFF01209B 0x00000000 +>>>>>20 ubelong&0xFF01209B 0x00000000 # dBASE III ->>>>>>16 ubyte 3 +>>>>>>16 ubyte 3 # dBASE III DBT >>>>>>>0 use dbase3-memo-print # dBASE III DBT without version, dBASE IV DBT , FoxPro FPT , or many ZIP , DBF garbage ->>>>>>16 ubyte 0 +>>>>>>16 ubyte 0 # unusual dBASE III DBT like angest.dbt, dBASE IV DBT with block size 0 , FoxPro FPT , or garbage PCX DBF ->>>>>>>20 uleshort 0 +>>>>>>>20 uleshort 0 # FoxPro FPT , unusual dBASE III DBT like biblio.dbt or garbage ->>>>>>>>8 ulong =0 ->>>>>>>>>6 ubeshort >0 +>>>>>>>>8 ulong =0 +>>>>>>>>>6 ubeshort >0 # skip emacs.PIF ->>>>>>>>>>4 ushort 0 +>>>>>>>>>>4 ushort 0 >>>>>>>>>>>0 use foxpro-memo-print # dBASE III DBT , garbage ->>>>>>>>>6 ubeshort 0 +>>>>>>>>>6 ubeshort 0 # skip MM*DD*.bin by test for for reserved NULL byte ->>>>>>>>>>510 ubeshort 0 +>>>>>>>>>>510 ubeshort 0 # skip TK-DOS11.img image by looking for memo text ->>>>>>>>>>>512 ubelong <0xfeffff03 +>>>>>>>>>>>512 ubelong <0xfeffff03 # skip EFI executables by looking for memo text ->>>>>>>>>>>>512 ubelong >0x1F202020 ->>>>>>>>>>>>>513 ubyte >0 +>>>>>>>>>>>>512 ubelong >0x1F202020 +>>>>>>>>>>>>>513 ubyte >0 # unusual dBASE III DBT like adressen.dbt >>>>>>>>>>>>>>0 use dbase3-memo-print # dBASE III DBT like angest.dbt, or garbage PCX DBF ->>>>>>>>8 ubelong !0 +>>>>>>>>8 ubelong !0 # skip PCX and some DBF by test for for reserved NULL bytes ->>>>>>>>>510 ubeshort 0 +>>>>>>>>>510 ubeshort 0 # skip 
some DBF by test of invalid version ->>>>>>>>>>0 ubyte >5 ->>>>>>>>>>>0 ubyte <48 +>>>>>>>>>>0 ubyte >5 +>>>>>>>>>>>0 ubyte <48 >>>>>>>>>>>>0 use dbase3-memo-print # dBASE IV DBT with positive block size ->>>>>>>20 uleshort >0 -# dBASE IV DBT with valid block length like 512, 1024 +>>>>>>>20 uleshort >0 +# dBASE IV DBT with valid block length like 512, 1024 # multiple of 2 in between 16 and 16 K ,implies upper and lower bits are zero ->>>>>>>>20 uleshort&0x800f 0 +>>>>>>>>20 uleshort&0x800f 0 >>>>>>>>>0 use dbase4-memo-print -# Print the information of dBase III DBT memo file +# Print the information of dBase III DBT memo file 0 name dbase3-memo-print >0 ubyte x dBase III DBT # instead 3 as version number 0 for unusual examples like biblio.dbt 
@@ -395,45 +395,45 @@ >20 uleshort !0 \b, block length %u # dBase III memo field terminated by \032\032 >512 string >\0 \b, 1st item "%s" -# Print the information of dBase IV DBT memo file +# Print the information of dBase IV DBT memo file 0 name dbase4-memo-print >0 lelong x dBase IV DBT !:mime application/x-dbt !:ext dbt # 8 character shorted main name of coresponding dBASE IV DBF file ->8 ubelong >0x20000000 +>8 ubelong >0x20000000 # skip unusual like for angest.dbt ->>20 uleshort >0 +>>20 uleshort >0 >>>8 string >\0 \b of %-.8s.DBF # value 0 implies 512 as size #>4 ulelong =0 \b, blocks size %u # size of blocks not reliable like 0x2020204C in angest.dbt ->4 ulelong !0 +>4 ulelong !0 >>4 ulelong&0x0000003f 0 \b, blocks size %u # dBase IV DBT with positive block length (found 512 , 1024) >20 uleshort >0 \b, block length %u # next available block #>0 lelong =0 \b, next free block index %u >0 lelong !0 \b, next free block index %u ->20 uleshort >0 ->>(20.s) ubelong x +>20 uleshort >0 +>>(20.s) ubelong x >>>&-4 use dbase4-memofield-print # unusual dBase IV DBT without block length (implies 512 as length) ->20 uleshort =0 ->>512 ubelong x +>20 uleshort =0 +>>512 ubelong x >>>&-4 use dbase4-memofield-print -# Print the information of dBase IV memo field +# Print the information of dBase IV memo field 0 name dbase4-memofield-print # free dBase IV memo field ->0 ubelong !0xFFFF0800 +>0 ubelong !0xFFFF0800 >>0 lelong x \b, next free block %u >>4 lelong x \b, next used block %u # used dBase IV memo field ->0 ubelong =0xFFFF0800 +>0 ubelong =0xFFFF0800 # length of memo field >>4 lelong x \b, field length %d >>>8 string >\0 \b, 1st used item "%s" -# Print the information of FoxPro FPT memo file +# Print the information of FoxPro FPT memo file 0 name foxpro-memo-print >0 belong x FoxPro FPT # Size of blocks for FoxPro ( 64,256 ) 
@@ -441,14 +441,14 @@ # next available block #>0 belong =0 \b, next free block index %u >0 belong !0 \b, next free block index %u -# field type ( 0~picture, 1~memo, 2~object ) +# field type ( 0~picture, 1~memo, 2~object ) >512 ubelong <3 \b, field type %u # length of memo field ->512 ubelong 1 +>512 ubelong 1 >>516 belong >0 \b, field length %d >>>520 string >\0 \b, 1st item "%s" -# TODO: +# TODO: # DBASE index file *.NDX # DBASE Compound Index file *.CDX # dBASE IV Printer Driver *.PRF @@ -465,9 +465,9 @@ # Reference: https://github.com/libyal/libesedb/archive/master.zip # libesedb-master/documentation/ # Extensible Storage Engine (ESE) Database File (EDB) format.asciidoc -# Note: also known as "JET Blue". Used by numerous Windows components such as +# Note: also known as "JET Blue". Used by numerous Windows components such as # Windows Search, Mail, Exchange and Active Directory. -4 ubelong 0xefcdab89 +4 ubelong 0xefcdab89 # unknown1 >132 ubelong 0 Extensible storage engine !:mime application/x-ms-ese @@ -497,8 +497,8 @@ # From: Joerg Jenderek # URL: http://forensicswiki.org/wiki/Windows_Application_Compatibility # Note: files contain application compatibility fixes, application compatibility modes and application help messages. -8 string sdbf ->7 ubyte 0 +8 string sdbf +>7 ubyte 0 # TAG_TYPE_LIST+TAG_INDEXES >>12 uleshort 0x7802 Windows application compatibility Shim DataBase # version? 2 3 @@ -600,10 +600,10 @@ # Reference: http://www.provue.com/Panorama/ # From: Joerg Jenderek # NOTE: test only versions 4 and 6.0 with Windows -# length of Panorama database name -5 ubyte >0 +# length of Panorama database name +5 ubyte >0 # look after database name for "some" null bits ->(5.B+7) ubelong&0xF3ffF000 0 +>(5.B+7) ubelong&0xF3ffF000 0 # look for first keyword >>&1 search/2 DESIGN Panorama database #!:mime application/x-panorama-database 
@@ -622,3 +622,13 @@ # MUIbase Database Tool by Stefan A. Haubenthal 0 string MBSTV\040 MUIbase DB >6 string x version %s + +# +# CDB database +0 string NBCDB\012 NetBSD Constant Database +>7 byte x \b, version %d +>8 string x \b, for '%s' +>24 lelong x \b, datasize %d +>28 lelong x \b, entries %d +>32 lelong x \b, index %d +>36 lelong x \b, seed %#x diff --git a/magic/Magdir/der b/magic/Magdir/der index abfbf9b8c0a2..9c25f00cc611 100644 --- a/magic/Magdir/der +++ b/magic/Magdir/der @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: der,v 1.1 2016/01/19 15:07:45 christos Exp $ +# $File: der,v 1.2 2017/03/17 21:35:28 christos Exp $ # der: file(1) magic for DER encoded files # @@ -32,37 +32,37 @@ # Key Pairs 0 der seq ->&0 der int1=00 +>&0 der int1=00 >&0 der int65=x >&0 der int3=010001 DER Encoded Key Pair, 512 bits 0 der seq ->&0 der int1=00 +>&0 der int1=00 >&0 der int129=x >&0 der int3=010001 DER Encoded Key Pair, 1024 bits 0 der seq ->&0 der int1=00 +>&0 der int1=00 >&0 der int257=x >&0 der int3=010001 DER Encoded Key Pair, 2048 bits 0 der seq ->&0 der int1=00 +>&0 der int1=00 >&0 der int513=x >&0 der int3=010001 DER Encoded Key Pair, 4096 bits 0 der seq ->&0 der int1=00 +>&0 der int1=00 >&0 der int1025=x >&0 der int3=010001 DER Encoded Key Pair, 8192 bits 0 der seq ->&0 der int1=00 +>&0 der int1=00 >&0 der int2049=x >&0 der int3=010001 DER Encoded Key Pair, 16k bits 0 der seq ->&0 der int1=00 +>&0 der int1=00 >&0 der int4097=x >&0 der int3=010001 DER Encoded Key Pair, 32k bits diff --git a/magic/Magdir/diff b/magic/Magdir/diff index 59243801eb5a..cd530d345e32 100644 --- a/magic/Magdir/diff +++ b/magic/Magdir/diff 
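Review bot: In the new CDB block, `>8 string x \b, for '%s'` prints the description with no precision, although the next test reads a `lelong` at offset 24, so the description slot is at most 16 bytes. If a file fills that slot without a NUL terminator, the printed text can run on into the datasize/entries bytes. The dBase IV entry earlier in this file bounds its name with `%-.8s`, and the same approach fits here: `>8 string x \b, for '%.16s'`. Separately, the `NBCDB\012` match covers offsets 0-5 and the version byte is read at offset 7, so offset 6 is never tested; if the format fixes that byte it could be added to the match (to be confirmed against the cdb format description).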
@@ -1,15 +1,15 @@ #------------------------------------------------------------------------------ -# $File: diff,v 1.14 2012/09/16 23:08:54 christos Exp $ +# $File: diff,v 1.16 2017/03/17 22:20:22 christos Exp $ # diff: file(1) magic for diff(1) output # -0 search/1 diff\ diff output text +0 search/1 diff\040 diff output text !:mime text/x-diff -0 search/1 ***\ diff output text +0 search/1 ***\040 diff output text !:mime text/x-diff -0 search/1 Only\ in\ diff output text +0 search/1 Only\040in\040 diff output text !:mime text/x-diff -0 search/1 Common\ subdirectories:\ diff output text +0 search/1 Common\040subdirectories:\040 diff output text !:mime text/x-diff 0 search/1 Index: RCS/CVS diff output text @@ -20,9 +20,9 @@ # unified diff -0 search/4096 ---\ +0 search/4096 ---\040 >&0 search/1024 \n ->>&0 search/1 +++\ +>>&0 search/1 +++\040 >>>&0 search/1024 \n >>>>&0 search/1 @@ unified diff output text !:mime text/x-diff diff --git a/magic/Magdir/dolby b/magic/Magdir/dolby index 573398f347c8..8034eddc2a8f 100644 --- a/magic/Magdir/dolby +++ b/magic/Magdir/dolby @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: dolby,v 1.7 2014/01/08 22:37:23 christos Exp $ +# $File: dolby,v 1.8 2017/03/17 21:35:28 christos Exp $ # ATSC A/53 aka AC-3 aka Dolby Digital # from http://www.atsc.org/standards/a_52a.pdf # corrections, additions, etc. are always welcome! @@ -23,7 +23,7 @@ >5 byte&0x07 = 0x04 \b, dialogue (D) >5 byte&0x07 = 0x05 \b, commentary (C) >5 byte&0x07 = 0x06 \b, emergency (E) ->5 beshort&0x07e0 0x0720 \b, voiceover (VO) +>5 beshort&0x07e0 0x0720 \b, voiceover (VO) >5 beshort&0x07e0 >0x0720 \b, karaoke # acmod >6 byte&0xe0 = 0x00 1+1 front, diff --git a/magic/Magdir/dump b/magic/Magdir/dump index 1a20ace29c4b..73de3dc87a0b 100644 --- a/magic/Magdir/dump +++ b/magic/Magdir/dump 
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: dump,v 1.13 2014/04/30 21:41:02 christos Exp $ +# $File: dump,v 1.16 2017/07/22 19:21:02 christos Exp $ # dump: file(1) magic for dump file format--for new and old dump filesystems # # We specify both byte orders in order to recognize byte-swapped dumps. @@ -62,23 +62,25 @@ >824 string >\0 Host %s, >888 belong >0 Flags %x -24 belong 60012 new-fs dump file (big endian), +24 belong 60012 new-fs dump file (big endian), >0 use new-dump-be -24 belong 60011 old-fs dump file (big endian), +24 belong 60011 old-fs dump file (big endian), >0 use old-dump-be -24 lelong 60012 new-fs dump file (little endian), +24 lelong 60012 new-fs dump file (little endian), +# to correctly recognize '*.mo' GNU message catalog (little endian) +!:strength - 15 >0 use \^new-dump-be -24 lelong 60011 old-fs dump file (little endian), +24 lelong 60011 old-fs dump file (little endian), >0 use \^old-dump-be -24 belong 0x19540119 new-fs dump file (ufs2, big endian), +24 belong 0x19540119 new-fs dump file (ufs2, big endian), >0 use ufs2-dump-be -24 lelong 0x19540119 new-fs dump file (ufs2, little endian), +24 lelong 0x19540119 new-fs dump file (ufs2, little endian), >0 use \^ufs2-dump-be 18 leshort 60011 old-fs dump file (16-bit, assuming PDP-11 endianness), diff --git a/magic/Magdir/dyadic b/magic/Magdir/dyadic index ab7346586eab..185970e4ee00 100644 --- a/magic/Magdir/dyadic +++ b/magic/Magdir/dyadic @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: dyadic,v 1.7 2015/05/27 18:02:48 christos Exp $ +# $File: dyadic,v 1.8 2017/03/17 21:35:28 christos Exp $ # Dyadic: file(1) magic for Dyalog APL. # # updated by Joerg Jenderek at Oct 2013 
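Review bot: The added `!:strength - 15` in the `@@ -62,23 +62,25 @@` hunk demotes only the `24 lelong 60012` entry, yet all six tests in this group identify a dump image from a single 32-bit value at offset 24. The neighbouring `24 lelong 60011` and the big-endian entries keep their default strength and may still outrank more specific magic on an unrelated file. The comment names the '*.mo' collision but not why 15 is enough; something like `# weak test: one 32-bit value at offset 24, also present in GNU .mo files; keep below the message-catalog entry` would tell the next maintainer what must be preserved. The filesystems part of this patch writes the modifier without a space (`!:strength +65`), so `!:strength -15` would match that style.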
@@ -10,9 +10,9 @@ # .DIN Dyalog APL Input Table # .DOT Dyalog APL Output Table # .DFT Dyalog APL Format File -0 ubeshort&0xFF60 0xaa00 +0 ubeshort&0xFF60 0xaa00 # skip biblio.dbt ->1 byte !4 +>1 byte !4 # real Dyalog APL have non zero version numbers like 7.3 or 13.4 >>2 ubeshort >0x0000 Dyalog APL >>>1 byte 0x00 aplcore diff --git a/magic/Magdir/editors b/magic/Magdir/editors index fa6cbc64c095..78f3a84056e6 100644 --- a/magic/Magdir/editors +++ b/magic/Magdir/editors @@ -1,7 +1,7 @@ #------------------------------------------------------------------------------ -# $File: editors,v 1.10 2016/07/18 17:44:49 christos Exp $ -# T602 editor documents +# $File: editors,v 1.11 2017/03/17 21:35:28 christos Exp $ +# T602 editor documents # by David Necas 0 string @CT\ T602 document data, >4 string 0 Kamenicky @@ -9,7 +9,7 @@ >4 string 2 KOI8-CS >4 string >2 unknown encoding -# Vi IMproved Encrypted file +# Vi IMproved Encrypted file # by David Necas 0 string VimCrypt~ Vim encrypted file data diff --git a/magic/Magdir/filesystems b/magic/Magdir/filesystems index b7c6e5b32fa7..48b74e04c8ff 100644 --- a/magic/Magdir/filesystems +++ b/magic/Magdir/filesystems @@ -1,8 +1,8 @@ #------------------------------------------------------------------------------ -# $File: filesystems,v 1.114 2016/09/05 08:34:25 christos Exp $ +# $File: filesystems,v 1.122 2017/07/21 10:34:41 christos Exp $ # filesystems: file(1) magic for different filesystems # -0 name partid +0 name partid >0 ubyte 0x00 Unused >0 ubyte 0x01 12-bit FAT >0 ubyte 0x02 XENIX / @@ -187,7 +187,7 @@ 0 string \366\366\366\366 PC formatted floppy with no filesystem # Sun disk labels # From /usr/include/sun/dklabel.h: -0774 beshort 0xdabe +0774 beshort 0xdabe # modified by Joerg Jenderek, because original test # succeeds for Cabinet archive dao360.dl_ with negative blocks >0770 long >0 Sun disk label 
@@ -213,50 +213,50 @@ # (http://btmgr.sourceforge.net/docs/user-guide-3.html) 0 string SBMBAKUP_ Smart Boot Manager backup file >9 string x \b, version %-5.5s ->>14 string =_ +>>14 string =_ >>>15 string x %-.1s >>>>16 string =_ \b. >>>>>17 string x \b%-.1s >>>>>>18 string =_ \b. >>>>>>>19 string x \b%-.1s ->>>22 ubyte 0 +>>>22 ubyte 0 >>>>21 ubyte x \b, from drive 0x%x ->>>22 ubyte >0 +>>>22 ubyte >0 >>>>21 string x \b, from drive %s ->>>535 search/17 \x55\xAA ->>>>&-512 indirect x \b; contains +>>>535 search/17 \x55\xAA +>>>>&-512 indirect x \b; contains # updated by Joerg Jenderek at Nov 2012 # DOS Emulator image is 128 byte, null right padded header + harddisc image -0 string DOSEMU\0 ->0x27E leshort 0xAA55 +0 string DOSEMU\0 +>0x27E leshort 0xAA55 #offset is 128 ->>19 ubyte 128 +>>19 ubyte 128 >>>(19.b-1) ubyte 0x0 DOS Emulator image >>>>7 ulelong >0 \b, %u heads >>>>11 ulelong >0 \b, %d sectors/track >>>>15 ulelong >0 \b, %d cylinders ->>>>128 indirect x \b; contains +>>>>128 indirect x \b; contains # added by Joerg Jenderek at Nov 2012 # http://www.thenakedpc.com/articles/v04/08/0408-05.html # Symantec (Peter Norton) Image.dat file consists of variable header, bootrecord, part of FAT and root directory data 0 string PNCIHISK\0 Norton Utilities disc image data # real x86 boot sector with jump instruction ->509 search/1026 \x55\xAA\xeb ->>&-1 indirect x \b; contains +>509 search/1026 \x55\xAA\xeb +>>&-1 indirect x \b; contains # http://file-extension.net/seeker/file_extension_dat 0 string PNCIUNDO Norton Disk Doctor UnDo file # # DOS/MBR boot sector updated by Joerg Jenderek at Sep 2007,May 2011,2013 # for any allowed sector sizes -30 search/481 \x55\xAA +30 search/481 \x55\xAA # to display DOS/MBR boot sector (40) before old one (strength=50+21),Syslinux bootloader (71),SYSLINUX MBR (37+36),NetBSD mbr (110),AdvanceMAME mbr (111) # DOS BPB information (70) and after DOS floppy (120) like in previous file version !:strength +65 # for sector sizes < 512 Bytes 
->11 uleshort <512 +>11 uleshort <512 >>(11.s-2) uleshort 0xAA55 DOS/MBR boot sector # for sector sizes with 512 or more Bytes >0x1FE leshort 0xAA55 DOS/MBR boot sector @@ -270,18 +270,18 @@ >2 string OSBS OS/BS MBR # added by Joerg Jenderek at Feb 2013 according to http://thestarman.pcministry.com/asm/mbr/ # and http://en.wikipedia.org/wiki/Master_Boot_Record -# test for nearly all MS-DOS Master Boot Record initial program loader (IPL) is now done by +# test for nearly all MS-DOS Master Boot Record initial program loader (IPL) is now done by # characteristic assembler instructions: xor ax,ax;mov ss,ax;mov sp,7c00 >0 search/2 \x33\xc0\x8e\xd0\xbc\x00\x7c MS-MBR # Microsoft Windows 95A and early ( http://thestarman.pcministry.com/asm/mbr/STDMBR.htm ) # assembler instructions: mov si,sp;push ax;pop es;push ax;pop ds;sti;cld ->>8 ubequad 0x8bf45007501ffbfc +>>8 ubequad 0x8bf45007501ffbfc # http://thestarman.pcministry.com/asm/mbr/200MBR.htm >>>0x16 ubyte 0xF3 \b,DOS 2 >>>>219 regex Author\ -\ Author: # found "David Litton" , "A Pehrsson " >>>>>&0 string x "%s" ->>>0x16 ubyte 0xF2 +>>>0x16 ubyte 0xF2 # NEC MS-DOS 3.30 Rev. 3 . See http://thestarman.pcministry.com/asm/mbr/DOS33MBR.htm # assembler instructions: mov di,077c;cmp word ptrl[di],a55a;jnz >>>>0x22 ubequad 0xbf7c07813d5aa575 \b,NEC 3.3 @@ -316,7 +316,7 @@ >>>>>>(0x79.b) string >\0 "%s" # Microsoft Windows 95B to XP (http://thestarman.pcministry.com/asm/mbr/95BMEMBR.htm) # assembler instructions: push ax;pop es;push ax;pop ds;cld;mov si,7c1b ->>8 ubequad 0x5007501ffcbe1b7c +>>8 ubequad 0x5007501ffcbe1b7c # assembler instructions: rep;movsb;retf;mov si,07be;mov cl,04 >>>24 ubequad 0xf3a4cbbebe07b104 9M # "Invalid partition table" nn=0x10F for english version 
@@ -361,7 +361,7 @@ >>>>(0x1b7.b+0x100) string >\0 "%s" # Microsoft Windows Vista or 7 # assembler instructions: ..;mov ds,ax;mov si,7c00;mov di,..00 ->>8 ubequad 0xc08ed8be007cbf00 +>>8 ubequad 0xc08ed8be007cbf00 # Microsoft Windows Vista (http://thestarman.pcministry.com/asm/mbr/VistaMBR.htm) # assembler instructions: jnz 0729;cmp ebx,"TCPA" >>>0xEC ubequad 0x753b6681fb544350 Vista 
@@ -402,38 +402,38 @@ # http://en.wikipedia.org/wiki/MBR_disk_signature#ID >>0x1b8 ulelong >0 \b, disk signature 0x%-.4x # driveID/timestamp for Win 95B,98,98SE and ME. See http://thestarman.pcministry.com/asm/mbr/mystery.htm ->>0xDA uleshort 0 +>>0xDA uleshort 0 >>>0xDC ulelong >0 \b, created # physical drive number (0x80-0xFF) when the Windows wrote that byte to the drive >>>>0xDC ubyte x with driveID 0x%x -# hours, minutes and seconds +# hours, minutes and seconds >>>>0xDf ubyte x at %x >>>>0xDe ubyte x \b:%x >>>>0xDd ubyte x \b:%x # special case for Microsoft MS-DOS 3.21 spanish -# assembler instructions: cli;mov $0x30,%ax;mov %ax,%ss;mov ->0 ubequad 0xfab830008ed0bc00 -# assembler instructions: $0x1f00,%sp;mov $0x80cb,%di;add %cl,(%bx,%si);in (%dx),%ax;mov +# assembler instructions: cli;mov $0x30,%ax;mov %ax,%ss;mov +>0 ubequad 0xfab830008ed0bc00 +# assembler instructions: $0x1f00,%sp;mov $0x80cb,%di;add %cl,(%bx,%si);in (%dx),%ax;mov >>8 ubequad 0x1fbfcb800008ed8 MS-MBR,D0S version 3.21 spanish # Microsoft MBR IPL end # dr-dos with some upper-, lowercase variants ->0x9D string Invalid\ partition\ table$ ->>181 string No\ Operating\ System$ +>0x9D string Invalid\ partition\ table$ +>>181 string No\ Operating\ System$ >>>201 string Operating\ System\ load\ error$ \b, DR-DOS MBR, Version 7.01 to 7.03 ->0x9D string Invalid\ partition\ table$ ->>181 string No\ operating\ system$ +>0x9D string Invalid\ partition\ table$ +>>181 string No\ operating\ system$ >>>201 string Operating\ system\ load\ error$ \b, DR-DOS MBR, Version 7.01 to 7.03 ->342 string Invalid\ partition\ table$ ->>366 string No\ operating\ system$ +>342 string Invalid\ partition\ table$ +>>366 string No\ operating\ system$ >>>386 string Operating\ system\ load\ error$ \b, DR-DOS MBR, version 7.01 to 7.03 ->295 string NEWLDR\0 ->>302 string Bad\ PT\ $ ->>>310 string No\ OS\ $ ->>>>317 string OS\ load\ err$ ->>>>>329 string Moved\ or\ missing\ IBMBIO.LDR\n\r ->>>>>>358 string Press\ any\ key\ to\ 
continue.\n\r$ ->>>>>>>387 string Copyright\ (c)\ 1984,1998 +>295 string NEWLDR\0 +>>302 string Bad\ PT\ $ +>>>310 string No\ OS\ $ +>>>>317 string OS\ load\ err$ +>>>>>329 string Moved\ or\ missing\ IBMBIO.LDR\n\r +>>>>>>358 string Press\ any\ key\ to\ continue.\n\r$ +>>>>>>>387 string Copyright\ (c)\ 1984,1998 >>>>>>>>411 string Caldera\ Inc.\0 \b, DR-DOS MBR (IBMBIO.LDR) # # tests for different MS-DOS Master Boot Records (MBR) moved and merged @@ -441,15 +441,15 @@ #>0x145 string Default:\ F \b, FREE-DOS MBR #>0x14B string Default:\ F \b, FREE-DOS 1.0 MBR >0x145 search/7 Default:\ F \b, FREE-DOS MBR -#>>313 string F0\ .\ .\ . -#>>>322 string disk\ 1 -#>>>>382 string FAT3 ->64 string no\ active\ partition\ found +#>>313 string F0\ .\ .\ . +#>>>322 string disk\ 1 +#>>>>382 string FAT3 +>64 string no\ active\ partition\ found >>96 string read\ error\ while\ reading\ drive \b, FREE-DOS Beta 0.9 MBR # Ranish Partition Manager http://www.ranish.com/part/ ->387 search/4 \0\ Error!\r ->>378 search/7 Virus! ->>>397 search/4 Booting\ +>387 search/4 \0\ Error!\r +>>378 search/7 Virus! +>>>397 search/4 Booting\040 >>>>408 search/4 HD1/\0 \b, Ranish MBR ( >>>>>416 string Writing\ changes... \b2.37 >>>>>>438 ubyte x \b,0x%x dots 
@@ -466,23 +466,23 @@ # # SYSLINUX MBR moved # http://www.acronis.de/ ->362 string MBR\ Error\ \0\r ->>376 string ress\ any\ key\ to\ +>362 string MBR\ Error\ \0\r +>>376 string ress\ any\ key\ to\040 >>>392 string boot\ from\ floppy...\0 \b, Acronis MBR # added by Joerg Jenderek # http://www.visopsys.org/ # http://partitionlogic.org.uk/ ->309 string No\ bootable\ partition\ found\r +>309 string No\ bootable\ partition\ found\r >>339 string I/O\ Error\ reading\ boot\ sector\r \b, Visopsys MBR ->349 string No\ bootable\ partition\ found\r +>349 string No\ bootable\ partition\ found\r >>379 string I/O\ Error\ reading\ boot\ sector\r \b, simple Visopsys MBR # bootloader, bootmanager ->0x40 string SBML +>0x40 string SBML # label with 11 characters of FAT 12 bit filesystem ->>43 string SMART\ BTMGR +>>43 string SMART\ BTMGR >>>430 string SBMK\ Bad!\r \b, Smart Boot Manager # OEM-ID not always "SBM" -#>>>>3 strings SBM +#>>>>3 strings SBM >>>>6 string >\0 \b, version %s >382 string XOSLLOADXCF \b, eXtended Operating System Loader >6 string LILO \b, LInux i386 boot LOader @@ -492,11 +492,11 @@ # variables according to grub-0.97/stage1/stage1.S or # http://www.gnu.org/software/grub/manual/grub.html#Embedded-data # usual values are marked with comments to get only informations of strange GRUB loaders ->342 search/60 \0Geom\0 +>342 search/60 \0Geom\0 #>0 ulelong x %x=0x009048EB , 0x2a9048EB 0 ->>0x41 ubyte <2 +>>0x41 ubyte <2 >>>0x3E ubyte >2 \b; GRand Unified Bootloader -# 0x3 for 0.5.95,0.93,0.94,0.96 0x4 for 1.90 +# 0x3 for 0.5.95,0.93,0.94,0.96 0x4 for 1.90 >>>>0x3E ubyte x \b, stage1 version 0x%x #If it is 0xFF, use a drive passed by BIOS >>>>0x40 ubyte <0xFF \b, boot drive 0x%x 
@@ -521,497 +521,497 @@ >>>>391 string Geom\0Hard\ Disk\0Read\0\ Error\0 >>>>>385 string GRUB\ \0 \b, GRUB version 0.97 # unknown version ->>>343 string Geom\0Read\0\ Error\0 +>>>343 string Geom\0Read\0\ Error\0 >>>>321 string Loading\ stage1.5 \b, GRUB version x.y >>>380 string Geom\0Hard\ Disk\0Read\0\ Error\0 >>>>374 string GRUB\ \0 \b, GRUB version n.m # SYSLINUX bootloader moved >395 string chksum\0\ ERROR!\0 \b, Gujin bootloader # http://www.bcdwb.de/bcdw/index_e.htm ->3 string BCDL +>3 string BCDL >>498 string BCDL\ \ \ \ BIN \b, Bootable CD Loader (1.50Z) # mbr partition table entries updated by Joerg Jenderek at Sep 2013 # skip Norton Utilities disc image data ->3 string !IHISK +>3 string !IHISK # skip Linux style boot sector starting with assember instructions mov 0x7c0,ax; ->>0 belong !0xb8c0078e -# not Linux kernel ->>>514 string !HdrS +>>0 belong !0xb8c0078e +# not Linux kernel +>>>514 string !HdrS # not BeOS ->>>>422 string !Be\ Boot\ Loader -# jump over BPB instruction implies DOS bootsector or AdvanceMAME mbr ->>>>>0 ubelong&0xFD000000 =0xE9000000 +>>>>422 string !Be\ Boot\ Loader +# jump over BPB instruction implies DOS bootsector or AdvanceMAME mbr +>>>>>0 ubelong&0xFD000000 =0xE9000000 # AdvanceMAME mbr ->>>>>>(1.b+2) ubequad 0xfa31c08ed88ec08e +>>>>>>(1.b+2) ubequad 0xfa31c08ed88ec08e >>>>>>>446 use partition-table # mbr, Norton Utilities disc image data, or 2nd,etc. 
sector of x86 bootloader ->>>>>0 ubelong&0xFD000000 !0xE9000000 +>>>>>0 ubelong&0xFD000000 !0xE9000000 # skip FSInfosector ->>>>>>0 string !RRaA +>>>>>>0 string !RRaA # skip 3rd sector of MS x86 bootloader with assember instructions cli;MOVZX EAX,BYTE PTR [BP+10];MOV ECX, # http://thestarman.pcministry.com/asm/mbr/MSWIN41.htm ->>>>>>>0 ubequad !0xfa660fb64610668b +>>>>>>>0 ubequad !0xfa660fb64610668b # skip 13rd sector of MS x86 bootloader ->>>>>>>>0 ubequad !0x660fb64610668b4e +>>>>>>>>0 ubequad !0x660fb64610668b4e # skip sector starting with DOS new line ->>>>>>>>>0 string !\r\n +>>>>>>>>>0 string !\r\n # allowed active flag 0,80h-FFh ->>>>>>>>>>446 ubyte 0 +>>>>>>>>>>446 ubyte 0 >>>>>>>>>>>446 use partition-table ->>>>>>>>>>446 ubyte >0x7F +>>>>>>>>>>446 ubyte >0x7F >>>>>>>>>>>446 use partition-table # TODO: test for extended bootrecord (ebr) moved and merged with mbr partition table entries # mbr partition table entries end # http://www.acronis.de/ #FAT label=ACRONIS\ SZ #OEM-ID=BOOTWIZ0 ->442 string Non-system\ disk,\ +>442 string Non-system\ disk,\040 >>459 string press\ any\ key...\x7\0 \b, Acronis Startup Recovery Loader # updated by Joerg Jenderek at Nov 2012, Sep 2013 # DOS names like F11.SYS or BOOTWIZ.SYS are 8 right space padded bytes+3 bytes # display 1 space ->>>447 ubyte x \b +>>>447 ubyte x \b >>>477 use DOS-filename # ->185 string FDBOOT\ Version\ ->>204 string \rNo\ Systemdisk.\ ->>>220 string Booting\ from\ harddisk.\n\r ->>>245 string Cannot\ load\ from\ harddisk.\n\r ->>>>273 string Insert\ Systemdisk\ +>185 string FDBOOT\ Version\040 +>>204 string \rNo\ Systemdisk.\040 +>>>220 string Booting\ from\ harddisk.\n\r +>>>245 string Cannot\ load\ from\ harddisk.\n\r +>>>>273 string Insert\ Systemdisk\040 >>>>>291 string and\ press\ any\ key.\n\r \b, FDBOOT harddisk Bootloader >>>>>>200 string >\0 \b, version %-3s ->242 string Bootsector\ from\ C.H.\ Hochst\204 +>242 string Bootsector\ from\ C.H.\ Hochst\204 # http://freecode.com/projects/dosfstools 
dosfstools-n.m/src/mkdosfs.c # updated by Joerg Jenderek at Nov 2012. Use search directive with offset instead of string # skip name "C.H. Hochstaetter" partly because it is sometimes written without umlaut ->242 search/127 Bootsector\ from\ C.H.\ Hochst ->>278 search/127 No\ Systemdisk.\ Booting\ from\ harddisk +>242 search/127 Bootsector\ from\ C.H.\ Hochst +>>278 search/127 No\ Systemdisk.\ Booting\ from\ harddisk # followed by variants with point,CR-NL or NL-CR ->>>208 search/261 Cannot\ load\ from\ harddisk. +>>>208 search/261 Cannot\ load\ from\ harddisk. # followed by variants CR-NL or NL-CR ->>>>236 search/235 Insert\ Systemdisk\ and\ press\ any\ key. +>>>>236 search/235 Insert\ Systemdisk\ and\ press\ any\ key. # followed by variants with point,CR-NL or NL-CR >>>>>180 search/96 Disk\ formatted\ with\ WinImage\ \b, WinImage harddisk Bootloader # followed by string like "6.50 (c) 1993-2004 Gilles Vollant" >>>>>>&0 string x \b, version %-4.4s ->(1.b+2) ubyte 0xe ->>(1.b+3) ubyte 0x1f ->>>(1.b+4) ubyte 0xbe +>(1.b+2) ubyte 0xe +>>(1.b+3) ubyte 0x1f +>>>(1.b+4) ubyte 0xbe # message offset found at (1.b+5) is 0x77 for FAT32 or 0x5b for others ->>>>(1.b+5) ubyte&0xd3 0x53 ->>>>>(1.b+6) ubyte 0x7c +>>>>(1.b+5) ubyte&0xd3 0x53 +>>>>>(1.b+6) ubyte 0x7c # assembler instructions: lodsb;and al,al;jz 0xb;push si;mov ah, ->>>>>>(1.b+7) ubyte 0xac ->>>>>>>(1.b+8) ubyte 0x22 ->>>>>>>>(1.b+9) ubyte 0xc0 ->>>>>>>>>(1.b+10) ubyte 0x74 ->>>>>>>>>>(1.b+11) ubyte 0x0b ->>>>>>>>>>>(1.b+12) ubyte 0x56 +>>>>>>(1.b+7) ubyte 0xac +>>>>>>>(1.b+8) ubyte 0x22 +>>>>>>>>(1.b+9) ubyte 0xc0 +>>>>>>>>>(1.b+10) ubyte 0x74 +>>>>>>>>>>(1.b+11) ubyte 0x0b +>>>>>>>>>>>(1.b+12) ubyte 0x56 >>>>>>>>>>>>(1.b+13) ubyte 0xb4 \b, mkdosfs boot message display # FAT1X version ->>>>>>>>>>>>>(1.b+5) ubyte 0x5b +>>>>>>>>>>>>>(1.b+5) ubyte 0x5b >>>>>>>>>>>>>>0x5b string >\0 "%-s" # FAT32 version ->>>>>>>>>>>>>(1.b+5) ubyte 0x77 +>>>>>>>>>>>>>(1.b+5) ubyte 0x77 >>>>>>>>>>>>>>0x77 string >\0 "%-s" >214 string 
Please\ try\ to\ install\ FreeDOS\ \b, DOS Emulator boot message display -#>>244 string from\ dosemu-freedos-*-bin.tgz\r -#>>>170 string Sorry,\ could\ not\ load\ an\ -#>>>>195 string operating\ system.\r\n +#>>244 string from\ dosemu-freedos-*-bin.tgz\r +#>>>170 string Sorry,\ could\ not\ load\ an\040 +#>>>>195 string operating\ system.\r\n # ->103 string This\ is\ not\ a\ bootable\ disk.\ ->>132 string Please\ insert\ a\ bootable\ ->>>157 string floppy\ and\r\n +>103 string This\ is\ not\ a\ bootable\ disk.\040 +>>132 string Please\ insert\ a\ bootable\040 +>>>157 string floppy\ and\r\n >>>>169 string press\ any\ key\ to\ try\ again...\r \b, FREE-DOS message display # ->66 string Solaris\ Boot\ Sector ->>99 string Incomplete\ MDBoot\ load. +>66 string Solaris\ Boot\ Sector +>>99 string Incomplete\ MDBoot\ load. >>>89 string Version \b, Sun Solaris Bootloader >>>>97 byte x version %c # ->408 string OS/2\ !!\ SYS01475\r\0 ->>429 string OS/2\ !!\ SYS02025\r\0 ->>>450 string OS/2\ !!\ SYS02027\r\0 +>408 string OS/2\ !!\ SYS01475\r\0 +>>429 string OS/2\ !!\ SYS02025\r\0 +>>>450 string OS/2\ !!\ SYS02027\r\0 >>>469 string OS2BOOT\ \ \ \ \b, IBM OS/2 Warp bootloader # ->409 string OS/2\ !!\ SYS01475\r\0 ->>430 string OS/2\ !!\ SYS02025\r\0 ->>>451 string OS/2\ !!\ SYS02027\r\0 +>409 string OS/2\ !!\ SYS01475\r\0 +>>430 string OS/2\ !!\ SYS02025\r\0 +>>>451 string OS/2\ !!\ SYS02027\r\0 >>>470 string OS2BOOT\ \ \ \ \b, IBM OS/2 Warp Bootloader ->112 string This\ disk\ is\ not\ bootable\r ->>142 string If\ you\ wish\ to\ make\ it\ bootable ->>>176 string run\ the\ DOS\ program\ SYS\ ->>>200 string after\ the\r ->>>>216 string system\ has\ been\ loaded\r\n ->>>>>242 string Please\ insert\ a\ DOS\ diskette\ ->>>>>271 string into\r\n\ the\ drive\ and\ +>112 string This\ disk\ is\ not\ bootable\r +>>142 string If\ you\ wish\ to\ make\ it\ bootable +>>>176 string run\ the\ DOS\ program\ SYS\040 +>>>200 string after\ the\r +>>>>216 string system\ has\ been\ loaded\r\n +>>>>>242 
string Please\ insert\ a\ DOS\ diskette\040 +>>>>>271 string into\r\n\ the\ drive\ and\040 >>>>>>292 string strike\ any\ key...\0 \b, IBM OS/2 Warp message display # XP ->430 string NTLDR\ is\ missing\xFF\r\n ->>449 string Disk\ error\xFF\r\n +>430 string NTLDR\ is\ missing\xFF\r\n +>>449 string Disk\ error\xFF\r\n >>>462 string Press\ any\ key\ to\ restart\r \b, Microsoft Windows XP Bootloader # DOS names like NTLDR,CMLDR,$LDR$ are 8 right space padded bytes+3 bytes ->>>>417 ubyte&0xDF >0 +>>>>417 ubyte&0xDF >0 >>>>>417 string x %-.5s ->>>>>>422 ubyte&0xDF >0 +>>>>>>422 ubyte&0xDF >0 >>>>>>>422 string x \b%-.3s ->>>>>425 ubyte&0xDF >0 +>>>>>425 ubyte&0xDF >0 >>>>>>425 string >\ \b.%-.3s # ->>>>371 ubyte >0x20 ->>>>>368 ubyte&0xDF >0 +>>>>371 ubyte >0x20 +>>>>>368 ubyte&0xDF >0 >>>>>>368 string x %-.5s ->>>>>>>373 ubyte&0xDF >0 +>>>>>>>373 ubyte&0xDF >0 >>>>>>>>373 string x \b%-.3s ->>>>>>376 ubyte&0xDF >0 +>>>>>>376 ubyte&0xDF >0 >>>>>>>376 string x \b.%-.3s # ->430 string NTLDR\ nicht\ gefunden\xFF\r\n ->>453 string Datentr\204gerfehler\xFF\r\n +>430 string NTLDR\ nicht\ gefunden\xFF\r\n +>>453 string Datentr\204gerfehler\xFF\r\n >>>473 string Neustart\ mit\ beliebiger\ Taste\r \b, Microsoft Windows XP Bootloader (german) ->>>>417 ubyte&0xDF >0 +>>>>417 ubyte&0xDF >0 >>>>>417 string x %-.5s ->>>>>>422 ubyte&0xDF >0 +>>>>>>422 ubyte&0xDF >0 >>>>>>>422 string x \b%-.3s ->>>>>425 ubyte&0xDF >0 +>>>>>425 ubyte&0xDF >0 >>>>>>425 string >\ \b.%-.3s # offset variant ->>>>379 string \0 ->>>>>368 ubyte&0xDF >0 +>>>>379 string \0 +>>>>>368 ubyte&0xDF >0 >>>>>>368 string x %-.5s ->>>>>>>373 ubyte&0xDF >0 +>>>>>>>373 ubyte&0xDF >0 >>>>>>>>373 string x \b%-.3s # ->430 string NTLDR\ fehlt\xFF\r\n ->>444 string Datentr\204gerfehler\xFF\r\n +>430 string NTLDR\ fehlt\xFF\r\n +>>444 string Datentr\204gerfehler\xFF\r\n >>>464 string Neustart\ mit\ beliebiger\ Taste\r \b, Microsoft Windows XP Bootloader (2.german) ->>>>417 ubyte&0xDF >0 +>>>>417 ubyte&0xDF >0 >>>>>417 string x %-.5s 
->>>>>>422 ubyte&0xDF >0 +>>>>>>422 ubyte&0xDF >0 >>>>>>>422 string x \b%-.3s ->>>>>425 ubyte&0xDF >0 +>>>>>425 ubyte&0xDF >0 >>>>>>425 string >\ \b.%-.3s # variant ->>>>371 ubyte >0x20 ->>>>>368 ubyte&0xDF >0 +>>>>371 ubyte >0x20 +>>>>>368 ubyte&0xDF >0 >>>>>>368 string x %-.5s ->>>>>>>373 ubyte&0xDF >0 +>>>>>>>373 ubyte&0xDF >0 >>>>>>>>373 string x \b%-.3s ->>>>>>376 ubyte&0xDF >0 +>>>>>>376 ubyte&0xDF >0 >>>>>>>376 string x \b.%-.3s # ->430 string NTLDR\ fehlt\xFF\r\n ->>444 string Medienfehler\xFF\r\n +>430 string NTLDR\ fehlt\xFF\r\n +>>444 string Medienfehler\xFF\r\n >>>459 string Neustart:\ Taste\ dr\201cken\r \b, Microsoft Windows XP Bootloader (3.german) ->>>>371 ubyte >0x20 ->>>>>368 ubyte&0xDF >0 +>>>>371 ubyte >0x20 +>>>>>368 ubyte&0xDF >0 >>>>>>368 string x %-.5s ->>>>>>>373 ubyte&0xDF >0 +>>>>>>>373 ubyte&0xDF >0 >>>>>>>>373 string x \b%-.3s ->>>>>>376 ubyte&0xDF >0 +>>>>>>376 ubyte&0xDF >0 >>>>>>>376 string x \b.%-.3s # variant ->>>>417 ubyte&0xDF >0 +>>>>417 ubyte&0xDF >0 >>>>>417 string x %-.5s ->>>>>>422 ubyte&0xDF >0 +>>>>>>422 ubyte&0xDF >0 >>>>>>>422 string x \b%-.3s ->>>>>425 ubyte&0xDF >0 +>>>>>425 ubyte&0xDF >0 >>>>>>425 string >\ \b.%-.3s # ->430 string Datentr\204ger\ entfernen\xFF\r\n ->>454 string Medienfehler\xFF\r\n +>430 string Datentr\204ger\ entfernen\xFF\r\n +>>454 string Medienfehler\xFF\r\n >>>469 string Neustart:\ Taste\ dr\201cken\r \b, Microsoft Windows XP Bootloader (4.german) ->>>>379 string \0 ->>>>>368 ubyte&0xDF >0 +>>>>379 string \0 +>>>>>368 ubyte&0xDF >0 >>>>>>368 string x %-.5s ->>>>>>>373 ubyte&0xDF >0 +>>>>>>>373 ubyte&0xDF >0 >>>>>>>>373 string x \b%-.3s ->>>>>>376 ubyte&0xDF >0 +>>>>>>376 ubyte&0xDF >0 >>>>>>>376 string x \b.%-.3s # variant ->>>>417 ubyte&0xDF >0 +>>>>417 ubyte&0xDF >0 >>>>>417 string x %-.5s ->>>>>>422 ubyte&0xDF >0 +>>>>>>422 ubyte&0xDF >0 >>>>>>>422 string x \b%-.3s ->>>>>425 ubyte&0xDF >0 +>>>>>425 ubyte&0xDF >0 >>>>>>425 string >\ \b.%-.3s # -#>3 string NTFS\ \ \ \ ->389 string Fehler\ beim\ 
Lesen\ +#>3 string NTFS\ \ \ \040 +>389 string Fehler\ beim\ Lesen\040 >>407 string des\ Datentr\204gers ->>>426 string NTLDR\ fehlt +>>>426 string NTLDR\ fehlt >>>>440 string NTLDR\ ist\ komprimiert >>>>>464 string Neustart\ mit\ Strg+Alt+Entf\r \b, Microsoft Windows XP Bootloader NTFS (german) -#>3 string NTFS\ \ \ \ +#>3 string NTFS\ \ \ \040 >313 string A\ disk\ read\ error\ occurred.\r ->>345 string A\ kernel\ file\ is\ missing\ ->>>370 string from\ the\ disk.\r ->>>>484 string NTLDR\ is\ compressed ->>>>>429 string Insert\ a\ system\ diskette\ +>>345 string A\ kernel\ file\ is\ missing\040 +>>>370 string from\ the\ disk.\r +>>>>484 string NTLDR\ is\ compressed +>>>>>429 string Insert\ a\ system\ diskette\040 >>>>>>454 string and\ restart\r\nthe\ system.\r \b, Microsoft Windows XP Bootloader NTFS # DOS loader variants different languages,offsets >472 ubyte&0xDF >0 ->>389 string Invalid\ system\ disk\xFF\r\n ->>>411 string Disk\ I/O\ error ->>>>428 string Replace\ the\ disk,\ and\ +>>389 string Invalid\ system\ disk\xFF\r\n +>>>411 string Disk\ I/O\ error +>>>>428 string Replace\ the\ disk,\ and\040 >>>>>455 string press\ any\ key \b, Microsoft Windows 98 Bootloader #IO.SYS ->>>>>>472 ubyte&0xDF >0 +>>>>>>472 ubyte&0xDF >0 >>>>>>>472 string x \b %-.2s ->>>>>>>>474 ubyte&0xDF >0 +>>>>>>>>474 ubyte&0xDF >0 >>>>>>>>>474 string x \b%-.5s ->>>>>>>>>>479 ubyte&0xDF >0 +>>>>>>>>>>479 ubyte&0xDF >0 >>>>>>>>>>>479 string x \b%-.1s ->>>>>>>480 ubyte&0xDF >0 +>>>>>>>480 ubyte&0xDF >0 >>>>>>>>480 string x \b.%-.3s #MSDOS.SYS >>>>>>>483 ubyte&0xDF >0 \b+ >>>>>>>>483 string x \b%-.5s ->>>>>>>>>488 ubyte&0xDF >0 +>>>>>>>>>488 ubyte&0xDF >0 >>>>>>>>>>488 string x \b%-.3s ->>>>>>>>491 ubyte&0xDF >0 +>>>>>>>>491 ubyte&0xDF >0 >>>>>>>>>491 string x \b.%-.3s # ->>390 string Invalid\ system\ disk\xFF\r\n ->>>412 string Disk\ I/O\ error\xFF\r\n ->>>>429 string Replace\ the\ disk,\ and\ +>>390 string Invalid\ system\ disk\xFF\r\n +>>>412 string Disk\ I/O\ error\xFF\r\n +>>>>429 
string Replace\ the\ disk,\ and\040 >>>>>451 string then\ press\ any\ key\r \b, Microsoft Windows 98 Bootloader ->>388 string Ungueltiges\ System\ \xFF\r\n ->>>410 string E/A-Fehler\ \ \ \ \xFF\r\n ->>>>427 string Datentraeger\ wechseln\ und\ +>>388 string Ungueltiges\ System\ \xFF\r\n +>>>410 string E/A-Fehler\ \ \ \ \xFF\r\n +>>>>427 string Datentraeger\ wechseln\ und\040 >>>>>453 string Taste\ druecken\r \b, Microsoft Windows 95/98/ME Bootloader (german) #WINBOOT.SYS only not spaces (0xDF) ->>>>>>497 ubyte&0xDF >0 +>>>>>>497 ubyte&0xDF >0 >>>>>>>497 string x %-.5s ->>>>>>>>502 ubyte&0xDF >0 +>>>>>>>>502 ubyte&0xDF >0 >>>>>>>>>502 string x \b%-.1s ->>>>>>>>>>503 ubyte&0xDF >0 +>>>>>>>>>>503 ubyte&0xDF >0 >>>>>>>>>>>503 string x \b%-.1s ->>>>>>>>>>>>504 ubyte&0xDF >0 +>>>>>>>>>>>>504 ubyte&0xDF >0 >>>>>>>>>>>>>504 string x \b%-.1s ->>>>>>505 ubyte&0xDF >0 +>>>>>>505 ubyte&0xDF >0 >>>>>>>505 string x \b.%-.3s #IO.SYS >>>>>>472 ubyte&0xDF >0 or >>>>>>>472 string x \b %-.2s ->>>>>>>>474 ubyte&0xDF >0 +>>>>>>>>474 ubyte&0xDF >0 >>>>>>>>>474 string x \b%-.5s ->>>>>>>>>>479 ubyte&0xDF >0 +>>>>>>>>>>479 ubyte&0xDF >0 >>>>>>>>>>>479 string x \b%-.1s ->>>>>>>480 ubyte&0xDF >0 +>>>>>>>480 ubyte&0xDF >0 >>>>>>>>480 string x \b.%-.3s #MSDOS.SYS >>>>>>>483 ubyte&0xDF >0 \b+ >>>>>>>>483 string x \b%-.5s ->>>>>>>>>488 ubyte&0xDF >0 +>>>>>>>>>488 ubyte&0xDF >0 >>>>>>>>>>488 string x \b%-.3s ->>>>>>>>491 ubyte&0xDF >0 +>>>>>>>>491 ubyte&0xDF >0 >>>>>>>>>491 string x \b.%-.3s # ->>390 string Ungueltiges\ System\ \xFF\r\n ->>>412 string E/A-Fehler\ \ \ \ \xFF\r\n ->>>>429 string Datentraeger\ wechseln\ und\ +>>390 string Ungueltiges\ System\ \xFF\r\n +>>>412 string E/A-Fehler\ \ \ \ \xFF\r\n +>>>>429 string Datentraeger\ wechseln\ und\040 >>>>>455 string Taste\ druecken\r \b, Microsoft Windows 95/98/ME Bootloader (German) #WINBOOT.SYS only not spaces (0xDF) ->>>>>>497 ubyte&0xDF >0 +>>>>>>497 ubyte&0xDF >0 >>>>>>>497 string x %-.7s ->>>>>>>>504 ubyte&0xDF >0 +>>>>>>>>504 ubyte&0xDF 
>0 >>>>>>>>>504 string x \b%-.1s ->>>>>>505 ubyte&0xDF >0 +>>>>>>505 ubyte&0xDF >0 >>>>>>>505 string x \b.%-.3s #IO.SYS >>>>>>472 ubyte&0xDF >0 or >>>>>>>472 string x \b %-.2s ->>>>>>>>474 ubyte&0xDF >0 +>>>>>>>>474 ubyte&0xDF >0 >>>>>>>>>474 string x \b%-.6s ->>>>>>>480 ubyte&0xDF >0 +>>>>>>>480 ubyte&0xDF >0 >>>>>>>>480 string x \b.%-.3s #MSDOS.SYS >>>>>>>483 ubyte&0xDF >0 \b+ >>>>>>>>483 string x \b%-.5s ->>>>>>>>>488 ubyte&0xDF >0 +>>>>>>>>>488 ubyte&0xDF >0 >>>>>>>>>>488 string x \b%-.3s ->>>>>>>>491 ubyte&0xDF >0 +>>>>>>>>491 ubyte&0xDF >0 >>>>>>>>>491 string x \b.%-.3s # ->>389 string Ungueltiges\ System\ \xFF\r\n ->>>411 string E/A-Fehler\ \ \ \ \xFF\r\n ->>>>428 string Datentraeger\ wechseln\ und\ +>>389 string Ungueltiges\ System\ \xFF\r\n +>>>411 string E/A-Fehler\ \ \ \ \xFF\r\n +>>>>428 string Datentraeger\ wechseln\ und\040 >>>>>454 string Taste\ druecken\r \b, Microsoft Windows 95/98/ME Bootloader (GERMAN) # DOS names like IO.SYS,WINBOOT.SYS,MSDOS.SYS,WINBOOT.INI are 8 right space padded bytes+3 bytes >>>>>>472 string x %-.2s ->>>>>>>474 ubyte&0xDF >0 +>>>>>>>474 ubyte&0xDF >0 >>>>>>>>474 string x \b%-.5s ->>>>>>>>479 ubyte&0xDF >0 +>>>>>>>>479 ubyte&0xDF >0 >>>>>>>>>479 string x \b%-.1s ->>>>>>480 ubyte&0xDF >0 +>>>>>>480 ubyte&0xDF >0 >>>>>>>480 string x \b.%-.3s >>>>>>483 ubyte&0xDF >0 \b+ >>>>>>>483 string x \b%-.5s ->>>>>>>488 ubyte&0xDF >0 +>>>>>>>488 ubyte&0xDF >0 >>>>>>>>488 string x \b%-.2s ->>>>>>>>490 ubyte&0xDF >0 +>>>>>>>>490 ubyte&0xDF >0 >>>>>>>>>490 string x \b%-.1s ->>>>>>>491 ubyte&0xDF >0 +>>>>>>>491 ubyte&0xDF >0 >>>>>>>>491 string x \b.%-.3s >479 ubyte&0xDF >0 ->>416 string Kein\ System\ oder\ ->>>433 string Laufwerksfehler +>>416 string Kein\ System\ oder\040 +>>>433 string Laufwerksfehler >>>>450 string Wechseln\ und\ Taste\ dr\201cken \b, Microsoft DOS Bootloader (german) #IO.SYS >>>>>479 string x \b %-.2s ->>>>>>481 ubyte&0xDF >0 +>>>>>>481 ubyte&0xDF >0 >>>>>>>481 string x \b%-.6s ->>>>>487 ubyte&0xDF >0 +>>>>>487 ubyte&0xDF 
>0 >>>>>>487 string x \b.%-.3s #MSDOS.SYS >>>>>>490 ubyte&0xDF >0 \b+ >>>>>>>490 string x \b%-.5s ->>>>>>>>495 ubyte&0xDF >0 +>>>>>>>>495 ubyte&0xDF >0 >>>>>>>>>495 string x \b%-.3s ->>>>>>>498 ubyte&0xDF >0 +>>>>>>>498 ubyte&0xDF >0 >>>>>>>>498 string x \b.%-.3s # ->376 search/41 Non-System\ disk\ or\ ->>395 search/41 disk\ error\r ->>>407 search/41 Replace\ and\ +>376 search/41 Non-System\ disk\ or\040 +>>395 search/41 disk\ error\r +>>>407 search/41 Replace\ and\040 >>>>419 search/41 press\ \b, >>>>419 search/41 strike\ \b, old >>>>426 search/41 any\ key\ when\ ready\r MS or PC-DOS bootloader #449 Disk\ Boot\ failure\r MS 3.21 #466 Boot\ Failure\r MS 3.30 ->>>>>468 search/18 \0 +>>>>>468 search/18 \0 #IO.SYS,IBMBIO.COM >>>>>>&0 string x \b %-.2s ->>>>>>>&-20 ubyte&0xDF >0 +>>>>>>>&-20 ubyte&0xDF >0 >>>>>>>>&-1 string x \b%-.4s ->>>>>>>>>&-16 ubyte&0xDF >0 +>>>>>>>>>&-16 ubyte&0xDF >0 >>>>>>>>>>&-1 string x \b%-.2s >>>>>>&8 ubyte&0xDF >0 \b. >>>>>>>&-1 string x \b%-.3s #MSDOS.SYS,IBMDOS.COM >>>>>>&11 ubyte&0xDF >0 \b+ >>>>>>>&-1 string x \b%-.5s ->>>>>>>>&-6 ubyte&0xDF >0 +>>>>>>>>&-6 ubyte&0xDF >0 >>>>>>>>>&-1 string x \b%-.1s ->>>>>>>>>>&-5 ubyte&0xDF >0 +>>>>>>>>>>&-5 ubyte&0xDF >0 >>>>>>>>>>>&-1 string x \b%-.2s >>>>>>>&7 ubyte&0xDF >0 \b. 
>>>>>>>>&-1 string x \b%-.3s >441 string Cannot\ load\ from\ harddisk.\n\r ->>469 string Insert\ Systemdisk\ +>>469 string Insert\ Systemdisk\040 >>>487 string and\ press\ any\ key.\n\r \b, MS (2.11) DOS bootloader -#>43 string \224R-LOADER\ \ SYS =label +#>43 string \224R-LOADER\ \ SYS =label >54 string SYS >>324 string VASKK >>>495 string NEWLDR\0 \b, DR-DOS Bootloader (LOADER.SYS) # ->98 string Press\ a\ key\ to\ retry\0\r ->>120 string Cannot\ find\ file\ \0\r ->>>139 string Disk\ read\ error\0\r +>98 string Press\ a\ key\ to\ retry\0\r +>>120 string Cannot\ find\ file\ \0\r +>>>139 string Disk\ read\ error\0\r >>>>156 string Loading\ ...\0 \b, DR-DOS (3.41) Bootloader #DRBIOS.SYS ->>>>>44 ubyte&0xDF >0 +>>>>>44 ubyte&0xDF >0 >>>>>>44 string x \b %-.6s ->>>>>>>50 ubyte&0xDF >0 +>>>>>>>50 ubyte&0xDF >0 >>>>>>>>50 string x \b%-.2s ->>>>>>52 ubyte&0xDF >0 +>>>>>>52 ubyte&0xDF >0 >>>>>>>52 string x \b.%-.3s # ->70 string IBMBIO\ \ COM ->>472 string Cannot\ load\ DOS!\ +>70 string IBMBIO\ \ COM +>>472 string Cannot\ load\ DOS!\040 >>>489 string Any\ key\ to\ retry \b, DR-DOS Bootloader ->>471 string Cannot\ load\ DOS\ +>>471 string Cannot\ load\ DOS\040 >>487 string press\ key\ to\ retry \b, Open-DOS Bootloader #?? ->444 string KERNEL\ \ SYS +>444 string KERNEL\ \ SYS >>314 string BOOT\ error! \b, FREE-DOS Bootloader ->499 string KERNEL\ \ SYS +>499 string KERNEL\ \ SYS >>305 string BOOT\ err!\0 \b, Free-DOS Bootloader ->449 string KERNEL\ \ SYS +>449 string KERNEL\ \ SYS >>319 string BOOT\ error! 
\b, FREE-DOS 0.5 Bootloader # ->449 string Loading\ FreeDOS +>449 string Loading\ FreeDOS >>0x1AF ulelong >0 \b, FREE-DOS 0.95,1.0 Bootloader ->>>497 ubyte&0xDF >0 +>>>497 ubyte&0xDF >0 >>>>497 string x \b %-.6s ->>>>>503 ubyte&0xDF >0 +>>>>>503 ubyte&0xDF >0 >>>>>>503 string x \b%-.1s ->>>>>>>504 ubyte&0xDF >0 +>>>>>>>504 ubyte&0xDF >0 >>>>>>>>504 string x \b%-.1s ->>>>505 ubyte&0xDF >0 +>>>>505 ubyte&0xDF >0 >>>>>505 string x \b.%-.3s # >331 string Error!.0 \b, FREE-DOS 1.0 bootloader # ->125 string Loading\ FreeDOS...\r +>125 string Loading\ FreeDOS...\r >>311 string BOOT\ error!\r \b, FREE-DOS bootloader ->>>441 ubyte&0xDF >0 +>>>441 ubyte&0xDF >0 >>>>441 string x \b %-.6s ->>>>>447 ubyte&0xDF >0 +>>>>>447 ubyte&0xDF >0 >>>>>>447 string x \b%-.1s ->>>>>>>448 ubyte&0xDF >0 +>>>>>>>448 ubyte&0xDF >0 >>>>>>>>448 string x \b%-.1s ->>>>449 ubyte&0xDF >0 +>>>>449 ubyte&0xDF >0 >>>>>449 string x \b.%-.3s ->124 string FreeDOS\0 +>124 string FreeDOS\0 >>331 string \ err\0 \b, FREE-DOS BETa 0.9 Bootloader # DOS names like KERNEL.SYS,KERNEL16.SYS,KERNEL32.SYS,METAKERN.SYS are 8 right space padded bytes+3 bytes ->>>497 ubyte&0xDF >0 +>>>497 ubyte&0xDF >0 >>>>497 string x \b %-.6s ->>>>>503 ubyte&0xDF >0 +>>>>>503 ubyte&0xDF >0 >>>>>>503 string x \b%-.1s ->>>>>>>504 ubyte&0xDF >0 +>>>>>>>504 ubyte&0xDF >0 >>>>>>>>504 string x \b%-.1s ->>>>505 ubyte&0xDF >0 +>>>>505 ubyte&0xDF >0 >>>>>505 string x \b.%-.3s >>333 string \ err\0 \b, FREE-DOS BEta 0.9 Bootloader ->>>497 ubyte&0xDF >0 +>>>497 ubyte&0xDF >0 >>>>497 string x \b %-.6s ->>>>>503 ubyte&0xDF >0 +>>>>>503 ubyte&0xDF >0 >>>>>>503 string x \b%-.1s ->>>>>>>504 ubyte&0xDF >0 +>>>>>>>504 ubyte&0xDF >0 >>>>>>>>504 string x \b%-.1s ->>>>505 ubyte&0xDF >0 +>>>>505 ubyte&0xDF >0 >>>>>505 string x \b.%-.3s >>334 string \ err\0 \b, FREE-DOS Beta 0.9 Bootloader ->>>497 ubyte&0xDF >0 +>>>497 ubyte&0xDF >0 >>>>497 string x \b %-.6s ->>>>>503 ubyte&0xDF >0 +>>>>>503 ubyte&0xDF >0 >>>>>>503 string x \b%-.1s ->>>>>>>504 ubyte&0xDF >0 
+>>>>>>>504 ubyte&0xDF >0 >>>>>>>>504 string x \b%-.1s ->>>>505 ubyte&0xDF >0 +>>>>505 ubyte&0xDF >0 >>>>>505 string x \b.%-.3s ->336 string Error!\ +>336 string Error!\040 >>343 string Hit\ a\ key\ to\ reboot. \b, FREE-DOS Beta 0.9sr1 Bootloader ->>>497 ubyte&0xDF >0 +>>>497 ubyte&0xDF >0 >>>>497 string x \b %-.6s ->>>>>503 ubyte&0xDF >0 +>>>>>503 ubyte&0xDF >0 >>>>>>503 string x \b%-.1s ->>>>>>>504 ubyte&0xDF >0 +>>>>>>>504 ubyte&0xDF >0 >>>>>>>>504 string x \b%-.1s ->>>>505 ubyte&0xDF >0 +>>>>505 ubyte&0xDF >0 >>>>>505 string x \b.%-.3s # added by Joerg Jenderek # http://www.visopsys.org/ # http://partitionlogic.org.uk/ # OEM-ID=Visopsys ->478 ulelong 0 ->>(1.b+326) string I/O\ Error\ reading\ ->>>(1.b+344) string Visopsys\ loader\r +>478 ulelong 0 +>>(1.b+326) string I/O\ Error\ reading\040 +>>>(1.b+344) string Visopsys\ loader\r >>>>(1.b+361) string Press\ any\ key\ to\ continue.\r \b, Visopsys loader # http://alexfru.chat.ru/epm.html#bootprog ->494 ubyte >0x4D ->>495 string >E ->>>495 string 494 ubyte >0x4D +>>495 string >E +>>>495 string >>>3 string BootProg +>>>>3 string BootProg # It just looks for a program file name at the root directory # and loads corresponding file with following execution. # DOS names like STARTUP.BIN,STARTUPC.COM,STARTUPE.EXE are 8 right space padded bytes+3 bytes ->>>>499 ubyte&0xDF >0 \b, COM/EXE Bootloader +>>>>499 ubyte&0xDF >0 \b, COM/EXE Bootloader >>>>>499 use DOS-filename #If the boot sector fails to read any other sector, #it prints a very short message ("RE") to the screen and hangs the computer. 
@@ -1025,23 +1025,23 @@ # added by Joerg Jenderek at Feb 2013 according to http://thestarman.pcministry.com/asm/mbr/MSWIN41.htm#FSINFO # and http://en.wikipedia.org/wiki/File_Allocation_Table#FS_Information_Sector ->0 string RRaA +>0 string RRaA >>0x1E4 string rrAa \b, FSInfosector #>>0x1FC uleshort =0 SHOULD BE ZERO >>>0x1E8 ulelong <0xffffffff \b, %u free clusters >>>0x1EC ulelong <0xffffffff \b, last allocated cluster %u # updated by Joerg Jenderek at Sep 2007 ->3 ubyte 0 +>3 ubyte 0 #no active flag ->>446 ubyte 0 +>>446 ubyte 0 # partition 1 not empty ->>>450 ubyte >0 +>>>450 ubyte >0 # partitions 3,4 empty ->>>>482 ubyte 0 ->>>>>498 ubyte 0 +>>>>482 ubyte 0 +>>>>>498 ubyte 0 # partition 2 ID=0,5,15 ->>>>>>466 ubyte <0x10 +>>>>>>466 ubyte <0x10 >>>>>>>466 ubyte 0x05 \b, extended partition table >>>>>>>466 ubyte 0x0F \b, extended partition table (LBA) >>>>>>>466 ubyte 0x0 \b, extended partition table (last) 
@@ -1054,35 +1054,35 @@ # Print the DOS filenames from directory entry form with 8 right space padded bytes + 3 bytes for extension # like IO.SYS. MSDOS.SYS , KERNEL.SYS , DRBIO.SYS 0 name DOS-filename -# space=0x20 (00100000b) means empty ->0 ubyte&0xDF >0 +# space=0x20 (00100000b) means empty +>0 ubyte&0xDF >0 >>0 ubyte x \b%c ->>>1 ubyte&0xDF >0 +>>>1 ubyte&0xDF >0 >>>>1 ubyte x \b%c ->>>>>2 ubyte&0xDF >0 +>>>>>2 ubyte&0xDF >0 >>>>>>2 ubyte x \b%c ->>>>>>>3 ubyte&0xDF >0 +>>>>>>>3 ubyte&0xDF >0 >>>>>>>>3 ubyte x \b%c ->>>>>>>>>4 ubyte&0xDF >0 +>>>>>>>>>4 ubyte&0xDF >0 >>>>>>>>>>4 ubyte x \b%c ->>>>>>>>>>>5 ubyte&0xDF >0 +>>>>>>>>>>>5 ubyte&0xDF >0 >>>>>>>>>>>>5 ubyte x \b%c ->>>>>>>>>>>>>6 ubyte&0xDF >0 +>>>>>>>>>>>>>6 ubyte&0xDF >0 >>>>>>>>>>>>>>6 ubyte x \b%c ->>>>>>>>>>>>>>>7 ubyte&0xDF >0 +>>>>>>>>>>>>>>>7 ubyte&0xDF >0 >>>>>>>>>>>>>>>>7 ubyte x \b%c # DOS filename extension >>8 ubyte&0xDF >0 \b. >>>8 ubyte x \b%c ->>>>9 ubyte&0xDF >0 +>>>>9 ubyte&0xDF >0 >>>>>9 ubyte x \b%c ->>>>>>10 ubyte&0xDF >0 +>>>>>>10 ubyte&0xDF >0 >>>>>>>10 ubyte x \b%c # Print 2 following DOS filenames from directory entry form # like IO.SYS+MSDOS.SYS or ibmbio.com+ibmdos.com 0 name 2xDOS-filename # display 1 space ->0 ubyte x \b +>0 ubyte x \b >0 use DOS-filename >11 ubyte x \b+ >11 use DOS-filename @@ -1101,10 +1101,10 @@ # partition type ID > 0 >4 ubyte >0 # active flag 0 ->>0 ubyte 0 +>>0 ubyte 0 >>>0 use partition-entry -# active flag 0x80, 0x81, ... ->>0 ubyte >0x7F +# active flag 0x80, 0x81, ... +>>0 ubyte >0x7F >>>0 use partition-entry # Print entry of partition table 0 name partition-entry @@ -1136,7 +1136,7 @@ # sector >1 ubyte&0x3F x \b,%u -# FATX +# FATX 0 string FATX FATX filesystem data # romfs filesystems - Juan Cespedes 
@@ -1157,7 +1157,7 @@
 # http://syslinux.zytor.com/iso.php
 # tested with versions 1.47,1.48,1.49,1.50,1.62,1.76,2.00,2.10;3.00,3.11,3.31,;3.70,3.71,3.73,3.75,3.80,3.82,3.84,3.86,4.01,4.03 and 4.05
 # assembler instructions: cli;jmp 0:7Cyy (yy=0x40,0x5e,0x6c,0x6e,0x77);nop;nop
-0 ulequad&0x909000007cc0eafa 0x909000007c40eafa
+0 ulequad&0x909000007cc0eafa 0x909000007c40eafa
 >631 search/689 ISOLINUX\ isolinux Loader
 >>&0 string x (version %-4.4s)
 # http://syslinux.zytor.com/pxe.php
@@ -1174,88 +1174,88 @@ >11 string x (version %-4.4s) # syslinux updated and separated from "DOS/MBR boot sector" by Joerg Jenderek at Sep 2012 # assembler instructions: jmp yy (yy=0x3c,0x58);nop;"SYSLINUX" -0 ulelong&0x80909bEB 0x009018EB +0 ulelong&0x80909bEB 0x009018EB # OEM-ID not always "SYSLINUX" ->434 search/47 Boot\ failed -# followed by \r\n\0 or :\ +>434 search/47 Boot\ failed +# followed by \r\n\0 or :\ >>482 search/132 \0LDLINUX\ SYS Syslinux bootloader (version 2.13 or older) >>1 ubyte 0x58 Syslinux bootloader (version 3.0-3.9) ->459 search/30 Boot\ error\r\n\0 +>459 search/30 Boot\ error\r\n\0 >>1 ubyte 0x58 Syslinux bootloader (version 3.10 or newer) # SYSLINUX MBR updated and separated from "DOS/MBR boot sector" by Joerg Jenderek at Sep 2012 # assembler instructions: mov di,0600h;mov cx,0100h -16 search/4 \xbf\x00\x06\xb9\x00\x01 +16 search/4 \xbf\x00\x06\xb9\x00\x01 # to display SYSLINUX MBR (36) before old DOS/MBR boot sector one with partition table (strength=50+21) !:strength +36 ->94 search/249 Missing\ operating\ system +>94 search/249 Missing\ operating\ system # followed by \r for versions older 3.35 , .\r for versions newer 3.52 and point for other # skip Ranish MBR ->>408 search/4 HD1/\0 ->>408 default x +>>408 search/4 HD1/\0 +>>408 default x >>>250 search/118 \0Operating\ system\ load SYSLINUX MBR # followed by "ing " or space ->>>>292 search/98 error +>>>>292 search/98 error >>>>>&0 string \r (version 3.35 or older) >>>>>&0 string .\r (version 3.52 or newer) >>>>>&0 default x (version 3.36-3.51 ) >368 search/106 \0Disk\ error\ on\ boot\r\n SYSLINUX GPT-MBR ->>156 search/10 \0Boot\ partition\ not\ found\r\n +>>156 search/10 \0Boot\ partition\ not\ found\r\n >>>270 search/10 \0OS\ not\ bootable\r\n (version 3.86 or older) ->>174 search/10 \0Missing\ OS\r\n +>>174 search/10 \0Missing\ OS\r\n >>>189 search/10 \0Multiple\ active\ partitions\r\n (version 4.00 or newer) # SYSLINUX END # NetBSD mbr variants (master-boot-code version 1.22) added 
by Joerg Jenderek at Nov 2012 # assembler instructions: xor ax,ax;mov ax,ss;mov sp,0x7c00;mov ax, -0 ubequad 0x31c08ed0bc007c8e +0 ubequad 0x31c08ed0bc007c8e # mbr_bootsel magic before partition table not reliable with small ipl fragments -#>444 uleshort 0xb5e1 ->0004 uleshort x +#>444 uleshort 0xb5e1 +>0004 uleshort x # ERRorTeXT >>181 search/166 Error\ \0\r\n NetBSD mbr # NT Drive Serial Number http://thestarman.pcministry.com/asm/mbr/Win2kmbr.htm#DS >>>0x1B8 ubelong >0 \b,Serial 0x%-.8x # BOOTSEL definitions contains assembler instructions: int 0x13;pop dx;push dx;push dx >>>0xbb search/71 \xcd\x13\x5a\x52\x52 \b,bootselector -# BOOT_EXTENDED definitions contains assembler instructions: +# BOOT_EXTENDED definitions contains assembler instructions: # xchg ecx,edx;addl ecx,edx;movw lba_info,si;movb 0x42,ah;pop dx;push dx;int 0x13 >>>0x96 search/1 \x66\x87\xca\x66\x01\xca\x66\x89\x16\x3a\x07\xbe\x32\x07\xb4\x42\x5a\x52\xcd\x13 \b,boot extended # COM_PORT_VAL definitions contains assembler instructions: outb al,dx;add 5,dl;inb %dx;test 0x40,al >>>0x130 search/55 \xee\x80\xc2\x05\xec\xa8\x40 \b,serial IO # not TERSE_ERROR ->>>196 search/106 No\ active\ partition\0 ->>>>&0 string Disk\ read\ error\0 +>>>196 search/106 No\ active\ partition\0 +>>>>&0 string Disk\ read\ error\0 >>>>>&0 string No\ operating\ system\0 \b,verbose # not NO_CHS definitions contains assembler instructions: pop dx;push dx;movb $8,ah;int0x13 >>>0x7d search/7 \x5a\x52\xb4\x08\xcd\x13 \b,CHS # not NO_LBA_CHECK definitions contains assembler instructions: movw 0x55aa,bx;movb 0x41,ah;pop dx;push dx;int 0x13 >>>0xa4 search/84 \xbb\xaa\x55\xb4\x41\x5a\x52\xcd\x13 \b,LBA-check # assembler instructions: movw nametab,bx ->>>0x26 search/21 \xBB\x94\x07 +>>>0x26 search/21 \xBB\x94\x07 # not NO_BANNER definitions contains assembler instructions: mov banner,si;call message_crlf ->>>>&-9 ubequad&0xBE00f0E800febb94 0xBE0000E80000bb94 ->>>>>181 search/166 Error\ \0 +>>>>&-9 ubequad&0xBE00f0E800febb94 
0xBE0000E80000bb94 +>>>>>181 search/166 Error\ \0 # "a: disk" , "Fn: diskn" or "NetBSD MBR boot" >>>>>>&3 string x \b,"%s" >>>446 use partition-table # Andrea Mazzoleni AdvanceCD mbr loader of http://advancemame.sourceforge.net/boot-readme.html # added by Joerg Jenderek at Nov 2012 for versions 1.3 - 1.4 # assembler instructions: jmp short 0x58;nop;ASCII -0 ubequad&0xeb58908000000000 0xeb58900000000000 +0 ubequad&0xeb58908000000000 0xeb58900000000000 # assembler instructions: cli;xor ax,ax;mov ds,ax;mov es,ax;mov ss, ->(1.b+2) ubequad 0xfa31c08ed88ec08e +>(1.b+2) ubequad 0xfa31c08ed88ec08e # Error messages at end of code ->>376 string No\ operating\ system\r\n\0 ->>>398 string Disk\ error\r\n\0FDD\0HDD\0 +>>376 string No\ operating\ system\r\n\0 +>>>398 string Disk\ error\r\n\0FDD\0HDD\0 >>>>419 string \ EBIOS\r\n\0 AdvanceMAME mbr -# Neil Turton mbr loader variant of http://www.chiark.greenend.org.uk/~neilt/mbr/ +# Neil Turton mbr loader variant of http://www.chiark.greenend.org.uk/~neilt/mbr/ # added by Joerg Jenderek at Mar 2011 for versions 1.0.0 - 1.1.11 # for 1st version assembler instructions: cld;xor ax,ax;mov DS,ax;MOV ES,AX;mov SI, # or cld;xor ax,ax;mov SS,ax;XOR SP,SP;mov DS, -0 ulequad&0xcE1b40D48EC031FC 0x8E0000D08EC031FC +0 ulequad&0xcE1b40D48EC031FC 0x8E0000D08EC031FC # pointer to the data starting with Neil Turton signature string ->(0x1BC.s) string NDTmbr +>(0x1BC.s) string NDTmbr >>&-14 string 1234F\0 Turton mbr ( # parameters also viewed by install-mbr --list >>>(0x1BC.s+7) ubyte x \b%u<= 
@@ -1269,23 +1269,23 @@ #0x0~1,0x1~2,...,0x3~4,0x4~F,0x7~D default boot #>>>(0x1BC.s+11) ubyte x \b,cfg_def 0x%x # for older versions ->>>(0x1BC.s+9) ubyte <2 +>>>(0x1BC.s+9) ubyte <2 #>>>>(0x1BC.s+12) ubyte 18 \b,%hhu/18 seconds >>>>(0x1BC.s+12) ubyte !18 \b,%u/18 seconds # floppy A: or B: >>>>(0x1BC.s+13) ubyte <2 \b,floppy 0x%x ->>>>(0x1BC.s+13) ubyte >1 +>>>>(0x1BC.s+13) ubyte >1 # 1st hard disc #>>>>>(0x1BC.s+13) ubyte 0x80 \b,drive 0x%x # not 1st hard disc >>>>>(0x1BC.s+13) ubyte !0x80 \b,drive 0x%x # for version >= 2 maximal timeout can be 65534 ->>>(0x1BC.s+9) ubyte >1 +>>>(0x1BC.s+9) ubyte >1 #>>>>(0x1BC.s+12) uleshort 18 \b,%u/18 seconds >>>>(0x1BC.s+12) uleshort !18 \b,%u/18 seconds # floppy A: or B: >>>>(0x1BC.s+14) ubyte <2 \b,floppy 0x%x ->>>>(0x1BC.s+14) ubyte >1 +>>>>(0x1BC.s+14) ubyte >1 # 1st hard disc #>>>>>(0x1BC.s+14) ubyte 0x80 \b,drive 0x%x # not 1st hard disc @@ -1297,14 +1297,14 @@ # grub-1.94/kern/i386/pc/startup.S # http://www.gnu.org/software/grub/manual/grub.html#Embedded-data # usual values are marked with comments to get only informations of strange GRUB loaders -0x200 uleshort 0x70EA +0x200 uleshort 0x70EA # found only version 3.{1,2} ->0x206 ubeshort >0x0300 +>0x206 ubeshort >0x0300 # GRUB version (0.5.)95,0.93,0.94,0.96,0.97 > "00" ->>0x212 ubyte >0x29 ->>>0x213 ubyte >0x29 +>>0x212 ubyte >0x29 +>>>0x213 ubyte >0x29 # not iso9660_stage1_5 -#>>>0 ulelong&0x00BE5652 0x00BE5652 +#>>>0 ulelong&0x00BE5652 0x00BE5652 >>>>0x213 ubyte >0x29 GRand Unified Bootloader # config_file for stage1_5 is 0xffffffff + default "/boot/grub/stage2" >>>>0x217 ubyte 0xFF stage1_5 @@ -1316,7 +1316,7 @@ #>>>>0x208 ulelong =0xffffff \b, %lu (default) >>>>0x208 ulelong >0xffffff \b, installed partition %u # GRUB 0.5.95 unofficial ->>>>0x20C ulelong&0x2E300000 0x2E300000 +>>>>0x20C ulelong&0x2E300000 0x2E300000 # 0=stage2 1=ffs 2=e2fs 3=fat 4=minix 5=reiserfs >>>>>0x20C ubyte x \b, identifier 0x%x #>>>>>0x20D ubyte =0 \b, LBA flag 0x%x (default) 
@@ -1324,17 +1324,17 @@ # GRUB version as string >>>>>0x20E string >\0 \b, GRUB version %-s # for stage1_5 is 0xffffffff + config_file "/boot/grub/stage2" default ->>>>>>0x215 ulong 0xffffffff +>>>>>>0x215 ulong 0xffffffff >>>>>>>0x219 string >\0 \b, configuration file %-s ->>>>>>0x215 ulong !0xffffffff +>>>>>>0x215 ulong !0xffffffff >>>>>>>0x215 string >\0 \b, configuration file %-s # newer GRUB versions ->>>>0x20C ulelong&0x2E300000 !0x2E300000 +>>>>0x20C ulelong&0x2E300000 !0x2E300000 ##>>>>>0x20C ulelong =0 \b, saved entry %d (usual) >>>>>0x20C ulelong >0 \b, saved entry %d # for 1.94 contains kernel image size # for 0.93,0.94,0.96,0.97 -# 0=stage2 1=ffs 2=e2fs 3=fat 4=minix 5=reiserfs 6=vstafs 7=jfs 8=xfs 9=iso9660 a=ufs2 +# 0=stage2 1=ffs 2=e2fs 3=fat 4=minix 5=reiserfs 6=vstafs 7=jfs 8=xfs 9=iso9660 a=ufs2 >>>>>0x210 ubyte x \b, identifier 0x%x # The flag for LBA forcing is in most cases 0 #>>>>>0x211 ubyte =0 \b, LBA flag 0x%x (default) @@ -1342,9 +1342,9 @@ # GRUB version as string >>>>>0x212 string >\0 \b, GRUB version %-s # for stage1_5 is 0xffffffff + config_file "/boot/grub/stage2" default ->>>>>0x217 ulong 0xffffffff +>>>>>0x217 ulong 0xffffffff >>>>>>0x21b string >\0 \b, configuration file %-s ->>>>>0x217 ulong !0xffffffff +>>>>>0x217 ulong !0xffffffff >>>>>>0x217 string >\0 \b, configuration file %-s # DOS x86 sector updated and separated from "DOS/MBR boot sector" by Joerg Jenderek at May 2011 
@@ -1360,13 +1360,13 @@ # mtools-3.9.8/msdos.h # usual values are marked with comments to get only informations of strange FAT systems # valid sectorsize must be a power of 2 from 32 to 32768 ->11 uleshort&0x001f 0 ->>11 uleshort <32769 ->>>11 uleshort >31 ->>>>21 ubyte&0xf0 0xF0 +>11 uleshort&0x001f 0 +>>11 uleshort <32769 +>>>11 uleshort >31 +>>>>21 ubyte&0xf0 0xF0 >>>>>0 ubyte 0xEB DOS/MBR boot sector >>>>>>1 ubyte x \b, code offset 0x%x+2 ->>>>>0 ubyte 0xE9 +>>>>>0 ubyte 0xE9 >>>>>>1 uleshort x \b, code offset 0x%x+3 >>>>>3 string >\0 \b, OEM-ID "%-.8s" #http://mirror.href.com/thestarman/asm/debug/debug2.htm#IHC @@ -1377,10 +1377,10 @@ >>>>>13 ubyte >1 \b, sectors/cluster %u #>>>>>13 ubyte =1 \b, sectors/cluster %u (usual on Floppies) # for lazy FAT32 implementation like Transcend digital photo frame PF830 ->>>>>82 string/c fat32 +>>>>>82 string/c fat32 >>>>>>14 uleshort !32 \b, reserved sectors %u #>>>>>>14 uleshort =32 \b, reserved sectors %u (usual Fat32) ->>>>>82 string/c !fat32 +>>>>>82 string/c !fat32 >>>>>>14 uleshort >1 \b, reserved sectors %u #>>>>>>14 uleshort =1 \b, reserved sectors %u (usual FAT12,FAT16) #>>>>>>14 uleshort 0 \b, reserved sectors %u (usual NTFS) @@ -1390,7 +1390,7 @@ >>>>>16 ubyte >0 >>>>>17 uleshort >0 \b, root entries %u #>>>>>17 uleshort =0 \b, root entries %hu=0 (usual Fat32) ->>>>>19 uleshort >0 \b, sectors %u (volumes <=32 MB) +>>>>>19 uleshort >0 \b, sectors %u (volumes <=32 MB) #>>>>>19 uleshort =0 \b, sectors %hu=0 (usual Fat32) >>>>>21 ubyte >0xF0 \b, Media descriptor 0x%x #>>>>>21 ubyte =0xF0 \b, Media descriptor 0x%x (usual floppy) 
@@ -1402,20 +1402,20 @@ #>>>>>26 ubyte =2 \b, heads %u (usual floppy) >>>>>26 ubyte =1 \b, heads %u # valid only for sector sizes with more then 32 Bytes ->>>>>11 uleshort >32 +>>>>>11 uleshort >32 # http://en.wikipedia.org/wiki/Design_of_the_FAT_file_system#Extended_BIOS_Parameter_Block # skip for values 2,2Ah,70h,73h,DFh # and continue for extended boot signature values 0,28h,29h,80h ->>>>>>38 ubyte&0x56 =0 +>>>>>>38 ubyte&0x56 =0 >>>>>>>28 ulelong >0 \b, hidden sectors %u #>>>>>>>28 ulelong =0 \b, hidden sectors %u (usual floppy) ->>>>>>>32 ulelong >0 \b, sectors %u (volumes > 32 MB) +>>>>>>>32 ulelong >0 \b, sectors %u (volumes > 32 MB) #>>>>>>>32 ulelong =0 \b, sectors %u (volumes > 32 MB) -# FAT<32 bit specific ->>>>>>>82 string/c !fat32 +# FAT<32 bit specific +>>>>>>>82 string/c !fat32 #>>>>>>>>36 ubyte 0x80 \b, physical drive 0x%x=0x80 (usual harddisk) #>>>>>>>>36 ubyte 0 \b, physical drive 0x%x=0 (usual floppy) ->>>>>>>>36 ubyte !0x80 +>>>>>>>>36 ubyte !0x80 >>>>>>>>>36 ubyte !0 \b, physical drive 0x%x # VGA-copy CRC or # in Windows NT bit 0 is a dirty flag to request chkdsk at boot time. bit 1 requests surface scan too 
@@ -1435,27 +1435,27 @@ # if it is small enough FAT is 12 bit, if it is too big enough FAT is 32 bit, # otherwise FAT is 16 bit. # http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/determining-fat-widths.html ->>>>>82 string/c !fat32 +>>>>>82 string/c !fat32 >>>>>>54 string FAT12 \b, FAT (12 bit) >>>>>>54 string FAT16 \b, FAT (16 bit) ->>>>>>54 default x +>>>>>>54 default x # determinate FAT bit size by media descriptor # small floppies implies FAT12 >>>>>>>21 ubyte <0xF0 \b, FAT (12 bit by descriptor) # with media descriptor F0h floppy or maybe superfloppy with FAT16 ->>>>>>>21 ubyte =0xF0 +>>>>>>>21 ubyte =0xF0 # superfloppy (many sectors) implies FAT16 >>>>>>>>32 ulelong >0xFFFF \b, FAT (16 bit by descriptor+sectors) # no superfloppy with media descriptor F0h implies FAT12 >>>>>>>>32 default x \b, FAT (12 bit by descriptor+sectors) # with media descriptor F8h floppy or hard disc with FAT12 or FAT16 ->>>>>>>21 ubyte =0xF8 +>>>>>>>21 ubyte =0xF8 # 360 KiB with media descriptor F8h, 9 sectors per track ,single sided floppy implies FAT12 >>>>>>>>19 ubequad 0xd002f80300090001 \b, FAT (12 bit by descriptor+geometry) # hard disc with FAT12 or FAT16 >>>>>>>>19 default x \b, FAT (1Y bit by descriptor) # with media descriptor FAh floppy, RAM disc with FAT12 or FAT16 or Tandy hard disc ->>>>>>>21 ubyte =0xFA +>>>>>>>21 ubyte =0xFA # 320 KiB with media descriptor FAh, 8 sectors per track ,single sided floppy implies FAT12 >>>>>>>>19 ubequad 0x8002fa0200080001 \b, FAT (12 bit by descriptor+geometry) # RAM disc with FAT12 or FAT16 or Tandy hard disc 
@@ -1479,17 +1479,17 @@ # 0 or 0xFFFF instead of usual 6 means no backup sector >>>>>>50 uleshort =0xFFFF \b, no Backup boot sector >>>>>>50 uleshort =0 \b, no Backup boot sector -#>>>>>>50 uleshort =6 \b, Backup boot sector %u (usual) ->>>>>>50 default x +#>>>>>>50 uleshort =6 \b, Backup boot sector %u (usual) +>>>>>>50 default x >>>>>>>50 uleshort x \b, Backup boot sector %u # corrected by Joerg Jenderek at Feb 2011 according to http://thestarman.pcministry.com/asm/mbr/MSWIN41.htm#FSINFO >>>>>>52 ulelong >0 \b, reserved1 0x%x >>>>>>56 ulelong >0 \b, reserved2 0x%x >>>>>>60 ulelong >0 \b, reserved3 0x%x -# same structure as FAT1X +# same structure as FAT1X #>>>>>>64 ubyte =0x80 \b, physical drive 0x%x=80 (usual harddisk) #>>>>>>64 ubyte =0 \b, physical drive 0x%x=0 (usual floppy) ->>>>>>64 ubyte !0x80 +>>>>>>64 ubyte !0x80 >>>>>>>64 ubyte >0 \b, physical drive 0x%x # in Windows NT bit 0 is a dirty flag to request chkdsk at boot time. bit 1 requests surface scan too >>>>>>65 ubyte >0 \b, reserved 0x%x @@ -1500,10 +1500,10 @@ >>>>>>>71 string >NO\ NAME \b, label: "%11.11s" >>>>>>>71 string =NO\ NAME \b, unlabeled # additional tests for floppy image added by Joerg Jenderek -# no fixed disk ->>>>>21 ubyte !0xF8 +# no fixed disk +>>>>>21 ubyte !0xF8 # floppy media with 12 bit FAT ->>>>>>54 string !FAT16 +>>>>>>54 string !FAT16 # test for FAT after bootsector >>>>>>>(11.s) ulelong&0x00ffffF0 0x00ffffF0 \b, followed by FAT # floppy image @@ -1511,11 +1511,11 @@ # NTFS specific added by Joerg Jenderek at Mar 2011 according to http://thestarman.pcministry.com/asm/mbr/NTFSBR.htm # and http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/bios-parameter-block.html # 0 FATs ->>>>>16 ubyte =0 +>>>>>16 ubyte =0 # 0 root entries ->>>>>>17 uleshort =0 +>>>>>>17 uleshort =0 # 0 DOS sectors ->>>>>>>19 uleshort =0 +>>>>>>>19 uleshort =0 # 0 sectors/FAT # dos < 4.0 BootSector value found is 0x80 #38 ubyte =0x80 \b, dos < 4.0 BootSector (0x%x) 
@@ -1526,33 +1526,43 @@ >>>>>>>>>48 ulequad >0 \b, $MFT start cluster %lld >>>>>>>>>56 ulequad >0 \b, $MFTMirror start cluster %lld # Values 0 to 127 represent MFT record sizes of 0 to 127 clusters. -# Values 128 to 255 represent MFT record sizes of 2^(256-N) bytes. ->>>>>>>>>64 lelong <256 +# Values 128 to 255 represent MFT record sizes of 2^(256-N) bytes. +>>>>>>>>>64 lelong <256 >>>>>>>>>>64 lelong <128 \b, clusters/RecordSegment %d >>>>>>>>>>64 ubyte >127 \b, bytes/RecordSegment 2^(-1*%i) # Values 0 to 127 represent index block sizes of 0 to 127 clusters. # Values 128 to 255 represent index block sizes of 2^(256-N) byte ->>>>>>>>>68 ulelong <256 +>>>>>>>>>68 ulelong <256 >>>>>>>>>>68 ulelong <128 \b, clusters/index block %d #>>>>>>>>>>68 ulelong >127 \b, bytes/index block 2^(256-%d) >>>>>>>>>>68 ubyte >127 \b, bytes/index block 2^(-1*%i) >>>>>>>>>72 ulequad x \b, serial number 0%llx >>>>>>>>>80 ulelong >0 \b, checksum 0x%x #>>>>>>>>>80 ulelong =0 \b, checksum 0x%x=0 (usual) ->>>>>>>>>0x258 ulelong&0x00009090 =0x00009090 ->>>>>>>>>>&-92 indirect x \b; contains +>>>>>>>>>0x258 ulelong&0x00009090 =0x00009090 +>>>>>>>>>>&-92 indirect x \b; contains # For 2nd NTFS sector added by Joerg Jenderek at Jan 2013 # http://thestarman.pcministry.com/asm/mbr/NTFSbrHexEd.htm # unused assembler instructions JMP y2;NOP;NOP -0x056 ulelong&0xFFFF0FFF 0x909002EB +0x056 ulelong&0xFFFF0FFF 0x909002EB # unicode loadername terminated by CTRL-D ->(0.s*2) ulelong&0xFFFFFF00 0x00040000 +>(0.s*2) ulelong&0xFFFFFF00 0x00040000 # loadernames are NTLDR,CMLDR,PELDR,$LDR$ or BOOTMGR >>0x002 lestring16 x Microsoft Windows XP/VISTA bootloader %-5.5s ->>0x12 string $ +>>0x12 string $ >>>0x0c lestring16 x \b%-2.2s ### DOS,NTFS boot sectors end +# ntfsclone-image is a special save format for NTFS volumes, +# created and restored by the ntfsclone program +0 string \0ntfsclone-image ntfsclone image, +>0x10 byte x version %d. 
+>0x11 byte x \b%d, +>0x12 lelong x cluster size %d, +>0x16 lequad x device size %lld, +>0x1e lequad x %lld total clusters, +>0x26 lequad x %lld clusters in use + 9564 lelong 0x00011954 Unix Fast File system [v1] (little-endian), >8404 string x last mounted on %s, #>9504 ledate x last checked at %s, @@ -1669,6 +1679,13 @@ >&-1248 belong 0 TIME optimization >&-1248 belong 1 SPACE optimization +0 ulequad 0xc8414d4dc5523031 HAMMER filesystem (little-endian), +>0x90 lelong+1 x volume %d +>0x94 lelong x (of %d), +>0x50 string x name %s, +>0x98 ulelong x version %u, +>0xa0 ulelong x flags 0x%x + # ext2/ext3 filesystems - Andreas Dilger # ext4 filesystem - Eric Sandeen # volume label and UUID Russell Coker @@ -1818,7 +1835,7 @@ # FE 250K 8-inch, 1-sided, single-density # FD 500K 8-inch, 2-sided, single-density # FE 1.2 MB 8-inch, 2-sided, double-density -# F8 ----- Fixed disk +# F8 ----- Fixed disk # # FC xxxK Apricot 70x1x9 boot disk. # @@ -1846,7 +1863,7 @@ # all FAT12 (strength=70) floppies with sectorsize 512 added by Joerg Jenderek at Jun 2013 # http://en.wikipedia.org/wiki/File_Allocation_Table#Exceptions # Too Weak. -#512 ubelong&0xE0ffff00 0xE0ffff00 +#512 ubelong&0xE0ffff00 0xE0ffff00 # without valid Media descriptor in place of BPB, cases with are done at other places #>21 ubyte <0xE5 floppy with old FAT filesystem # but valid Media descriptor at begin of FAT 
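Review bot: The ntfsclone-image entry added in the `@@ -1526,33 +1526,43 @@` hunk reads every header field as a signed type (`byte`, `lelong`, `lequad`) and prints it with `%d`/`%lld`, so a header value with the top bit set is reported as a negative version, cluster size or cluster count. These are sizes and counts taken from a file that may be untrusted, and most of the surrounding entries use the unsigned forms, so I would write `>0x12 ulelong x cluster size %u,` and `>0x16 ulequad x device size %llu,`, and likewise `ubyte`/`%u` at 0x10 and 0x11 and `ulequad`/`%llu` at 0x1e and 0x26. A one-line comment stating the unit of "device size" (presumably bytes) would also help readers of the output.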
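Review bot: In the HAMMER entry added by the `@@ -1669,6 +1679,13 @@` hunk, `>0x50 string x name %s,` prints the volume name with no length bound. The neighbouring offsets put the name at 0x50 and the volume number at 0x90, which suggests a fixed 64-byte field; if a damaged or crafted header leaves that field without a terminating NUL, the description may run on into the header bytes that follow. Other entries in this file cap fixed-width fields (`OEM-ID "%-.8s"`, `label: "%11.11s"`), so `>0x50 string x name %-.64s,` would match that style. Only the little-endian signature is tested, which deserves a short comment if that is intentional.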
@@ -1858,61 +1875,61 @@ #>>512 ubyte =0xfb 640k #>>512 ubyte =0xfc 180k # look like an an old DOS directory entry -#>>>0xA0E ubequad 0 -#>>>>0xA00 ubequad !0 +#>>>0xA0E ubequad 0 +#>>>>0xA00 ubequad !0 #!:mime application/x-ima -#>>512 ubyte =0xfd +#>>512 ubyte =0xfd # look for 2nd FAT at different location to distinguish between 360k and 500k #>>>0x600 ubelong&0xE0ffff00 0xE0ffff00 360k #>>>0x500 ubelong&0xE0ffff00 0xE0ffff00 500k -#>>>0xA0E ubequad 0 +#>>>0xA0E ubequad 0 #!:mime application/x-ima -#>>512 ubyte =0xfe +#>>512 ubyte =0xfe #>>>0x400 ubelong&0xE0ffff00 0xE0ffff00 160k -#>>>>0x60E ubequad 0 -#>>>>>0x600 ubequad !0 +#>>>>0x60E ubequad 0 +#>>>>>0x600 ubequad !0 #!:mime application/x-ima #>>>0xC00 ubelong&0xE0ffff00 0xE0ffff00 1200k #>>512 ubyte =0xff 320k -#>>>0x60E ubequad 0 -#>>>>0x600 ubequad !0 +#>>>0x60E ubequad 0 +#>>>>0x600 ubequad !0 #!:mime application/x-ima #>>512 ubyte x \b, Media descriptor 0x%x # without x86 jump instruction -#>>0 ulelong&0x804000E9 !0x000000E9 -# assembler instructions: CLI;MOV SP,1E7;MOV AX;07c0;MOV +#>>0 ulelong&0x804000E9 !0x000000E9 +# assembler instructions: CLI;MOV SP,1E7;MOV AX;07c0;MOV #>>>0 ubequad 0xfabce701b8c0078e \b, MS-DOS 1.12 bootloader # IOSYS.COM+MSDOS.COM #>>>>0xc4 use 2xDOS-filename -#>>0 ulelong&0x804000E9 =0x000000E9 +#>>0 ulelong&0x804000E9 =0x000000E9 # only x86 short jump instruction found #>>>0 ubyte =0xEB #>>>>1 ubyte x \b, code offset 0x%x+2 # http://thestarman.pcministry.com/DOS/ibm100/Boot.htm -# assembler instructions: CLI;MOV AX,CS;MOV DS,AX;MOV DX,0 -#>>>>(1.b+2) ubequad 0xfa8cc88ed8ba0000 \b, PC-DOS 1.0 bootloader +# assembler instructions: CLI;MOV AX,CS;MOV DS,AX;MOV DX,0 +#>>>>(1.b+2) ubequad 0xfa8cc88ed8ba0000 \b, PC-DOS 1.0 bootloader # ibmbio.com+ibmdos.com #>>>>>0x176 use DOS-filename #>>>>>0x181 ubyte x \b+ #>>>>>0x182 use DOS-filename # http://thestarman.pcministry.com/DOS/ibm110/Boot.htm -# assembler instructions: CLI;MOV AX,CS;MOV DS,AX;XOR DX,DX;MOV -#>>>>(1.b+2) ubequad 
0xfa8cc88ed833d28e \b, PC-DOS 1.1 bootloader +# assembler instructions: CLI;MOV AX,CS;MOV DS,AX;XOR DX,DX;MOV +#>>>>(1.b+2) ubequad 0xfa8cc88ed833d28e \b, PC-DOS 1.1 bootloader # ibmbio.com+ibmdos.com #>>>>>0x18b use DOS-filename #>>>>>0x196 ubyte x \b+ #>>>>>0x197 use DOS-filename # http://en.wikipedia.org/wiki/Zenith_Data_Systems -# assembler instructions: MOV BX,07c0;MOV SS,BX;MOV SP,01c6 +# assembler instructions: MOV BX,07c0;MOV SS,BX;MOV SP,01c6 #>>>>(1.b+2) ubequad 0xbbc0078ed3bcc601 \b, Zenith Data Systems MS-DOS 1.25 bootloader # IO.SYS+MSDOS.SYS #>>>>>0x20 use 2xDOS-filename # http://en.wikipedia.org/wiki/Corona_Data_Systems -# assembler instructions: MOV AX,CS;MOV DS,AX;CLI;MOV SS,AX; +# assembler instructions: MOV AX,CS;MOV DS,AX;CLI;MOV SS,AX; #>>>>(1.b+2) ubequad 0x8cc88ed8fa8ed0bc \b, MS-DOS 1.25 bootloader # IO.SYS+MSDOS.SYS #>>>>>0x69 use 2xDOS-filename -# assembler instructions: CLI;PUSH CS;POP SS;MOV SP,7c00; +# assembler instructions: CLI;PUSH CS;POP SS;MOV SP,7c00; #>>>>(1.b+2) ubequad 0xfa0e17bc007cb860 \b, MS-DOS 2.11 bootloader # defect IO.SYS+MSDOS.SYS ? #>>>>>0x162 use 2xDOS-filename 
@@ -1942,14 +1959,25 @@ 32769 string CD001 # mime line at that position does not work # to display CD-ROM (70=81-11) after MBR (113=40+72+1), partition-table (71=50+21) and before Apple Driver Map (51) -!:strength -11 +#!:strength -11 # to display CD-ROM (114=81+33) before MBR (113=40+72+1), partition-table (71=50+21) and Apple Driver Map (51) -# does not work -#!:strength +33 ->0 use cdrom +!:strength +34 +>0 use cdrom # .cso files -0 string CISO Compressed ISO CD image +# Reference: http://pismotec.com/ciso/ciso.h +# NOTE: There are two other formats with the same magic but +# completely incompatible specifications: +# - GameCube/Wii CISO: https://github.com/dolphin-emu/dolphin/blob/master/Source/Core/DiscIO/CISOBlob.h +# - PSP CISO: https://github.com/jamie/ciso/blob/master/ciso.h +0 string CISO +# Other fields are used to determine what type of CISO this is: +# - 0x04 == 0x00200000: GameCube/Wii CISO (block_size) +# - 0x10 == 0x00000800: PSP CISO (ISO-9660 sector size) +# - None of the above: Compact ISO. +>4 lelong !0 +>>4 lelong !0x200000 +>>>0x10 lelong !0x800 Compressed ISO CD image # cramfs filesystem - russell@coker.com.au 0 lelong 0x28cd3d45 Linux Compressed ROM File System data, little endian @@ -2041,6 +2069,13 @@ >29 byte 16 \bBlackfin, >29 byte 17 \bAVR32, >29 byte 18 \bSTMicroelectronics ST200, +>29 byte 19 \bSandbox architecture, +>29 byte 20 \bANDES Technology NDS32, +>29 byte 21 \bOpenRISC 1000, +>29 byte 22 \bARM 64-bit, +>29 byte 23 \bDesignWare ARC, +>29 byte 24 \bx86_64, +>29 byte 25 \bXtensa, >30 byte 0 Invalid Image >30 byte 1 Standalone Program >30 byte 2 OS Kernel Image @@ -2114,7 +2149,7 @@ >>8 ledate x created: %s # AFS Dump Magic -# From: Ty Sarna +# From: Ty Sarna 0 string \x01\xb3\xa1\x13\x22 AFS Dump >&0 belong x (v%d) >>&0 byte 0x76 @@ -2229,7 +2264,7 @@ # 
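Review bot: The `!:strength +34` now active on the `CD001` entry does not match the comment directly above it, which still computes `114=81+33`, and the comment for the `-11` case reads as if that directive were still live. Please bring the comments in line with the value in use, e.g. `# to display CD-ROM (115=81+34) before MBR (113=40+72+1), partition-table (71=50+21) and Apple Driver Map (51)`. The reordering also means an image carrying both a boot sector and an ISO 9660 descriptor is now described as a CD-ROM first. Any pipeline that keys on the first description from file(1) to spot boot code should be re-checked or run with `-k`.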
From: "Nelson A. de Oliveira" 0 string *dvdisaster* dvdisaster error correction file -# xfs metadump image +# xfs metadump image # mb_magic XFSM at 0; superblock magic XFSB at 1 << mb_blocklog # but can we do the << ? For now it's always 512 (0x200) anyway. 0 string XFSM @@ -2301,8 +2336,8 @@ 0 string td\000 floppy image data (TeleDisk, compressed) 0 string TD\000 floppy image data (TeleDisk) -0 string CQ\024 floppy image data (CopyQM, ->16 leshort x %d sectors, +0 string CQ\024 floppy image data (CopyQM, +>16 leshort x %d sectors, >18 leshort x %d heads.) 0 string ACT\020Apricot\020disk\020image\032\004 floppy image data (ApriDisk) @@ -2352,3 +2387,13 @@ >>>>>>>>0x1B ubyte 0x30 \b, media=1D >>>>>>>>0x1B ubyte 0x40 \b, media=1DD >>>>>>>>0x1A ubyte 0x10 \b, write-protected + +# HDD Raw Copy Tool disk image, file extension: .imgc +# From Benjamin Vanheuverzwijn +0 pstring HDD\ Raw\ Copy\ Tool %s +>0x100 pstring x %s +>0x200 pstring x - HD model: %s +#>0x300 pstring x unknown %s +>0x400 pstring x serial: %s +#>0x500 pstring x unknown: %s +!:ext imgc diff --git a/magic/Magdir/flash b/magic/Magdir/flash index b06f879efcd5..b48abe968eb4 100644 --- a/magic/Magdir/flash +++ b/magic/Magdir/flash @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: flash,v 1.11 2014/05/02 00:26:49 christos Exp $ +# $File: flash,v 1.14 2017/05/25 20:09:55 christos Exp $ # flash: file(1) magic for Macromedia Flash file format # # See 
@@ -10,23 +10,45 @@ # en/devnet/swf/pdf/swf-file-format-spec.pdf page 27 # -0 name swf-details ->0 string F Macromedia Flash data -!:mime application/x-shockwave-flash ->0 string C Macromedia Flash data (compressed) -!:mime application/x-shockwave-flash ->0 string Z Macromedia Flash data (lzma compressed) -!:mime application/x-shockwave-flash ->3 byte x \b, version %d +0 name swf-details -1 string WS ->4 lelong !0 ->>3 byte 255 Suspicious ->>>0 use swf-details +>0 string F +>>8 byte&0xfd 0x08 Macromedia Flash data +!:mime application/x-shockwave-flash +>>>3 byte x \b, version %d +>>8 byte&0xfe 0x10 Macromedia Flash data +!:mime application/x-shockwave-flash +>>>3 byte x \b, version %d +>>8 byte 0x18 Macromedia Flash data +!:mime application/x-shockwave-flash +>>>3 byte x \b, version %d +>>8 beshort&0xff87 0x2000 Macromedia Flash data +!:mime application/x-shockwave-flash +>>>3 byte x \b, version %d +>>8 beshort&0xffe0 0x3000 Macromedia Flash data +!:mime application/x-shockwave-flash +>>>3 byte x \b, version %d +>>8 byte&0x7 0 +>>>8 ubyte >0x2f +>>>>9 ubyte <0x20 Macromedia Flash data +!:mime application/x-shockwave-flash +>>>>>3 byte x \b, version %d ->>3 ubyte <32 ->>>3 ubyte !0 ->>>>0 use swf-details +>0 string C +>>8 byte 0x78 Macromedia Flash data (compressed) +!:mime application/x-shockwave-flash +>>>3 byte x \b, version %d + +>0 string Z +>>8 byte 0x5d Macromedia Flash data (lzma compressed) +!:mime application/x-shockwave-flash +>>>3 byte x \b, version %d + + +1 string WS +>4 ulelong >14 +>>3 ubyte !0 +>>>0 use swf-details # From: Cal Peake 0 string FLV\x01 Macromedia Flash Video 
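Review bot: The `Z` branch of `swf-details` tests `>>8 byte 0x5d`, but in the LZMA-compressed SWF layout as I understand it (3-byte signature, version byte, 4-byte uncompressed length, then a 4-byte compressed length) offset 8 is the low byte of the compressed length and the LZMA properties byte sits at offset 12. If that is right, most ZWS files will fall through this rule unidentified, which matters for scanners that route on file(1) output. The test should then be `>>12 byte 0x5d`; please confirm against a few real ZWS samples before changing it. The bit masks in the `F` branch (`byte&0xfd 0x08`, `beshort&0xff87 0x2000`, and so on) also deserve a one-line comment saying which header field they constrain.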
@@ -34,7 +56,7 @@ # # Yosu Gomez -0 string AGD2\xbe\xb8\xbb\xcd\x00 Macromedia Freehand 7 Document -0 string AGD3\xbe\xb8\xbb\xcc\x00 Macromedia Freehand 8 Document +0 string AGD2\xbe\xb8\xbb\xcd\x00 Macromedia Freehand 7 Document +0 string AGD3\xbe\xb8\xbb\xcc\x00 Macromedia Freehand 8 Document # From Dave Wilson -0 string AGD4\xbe\xb8\xbb\xcb\x00 Macromedia Freehand 9 Document +0 string AGD4\xbe\xb8\xbb\xcb\x00 Macromedia Freehand 9 Document diff --git a/magic/Magdir/fonts b/magic/Magdir/fonts index be489cba01e0..7e9b0da914df 100644 --- a/magic/Magdir/fonts +++ b/magic/Magdir/fonts @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: fonts,v 1.33 2016/09/14 01:26:26 christos Exp $ +# $File: fonts,v 1.37 2017/06/24 00:39:00 christos Exp $ # fonts: file(1) magic for font data # 0 search/1 FONT ASCII vfont text @@ -19,17 +19,17 @@ # URL: https://en.wikipedia.org/wiki/PostScript_fonts # Reference: http://partners.adobe.com/public/developer/en/font/5178.PFM.pdf # Modified by: Joerg Jenderek -# Note: moved from ./msdos magic -# dfVersion 256=0100h -0 uleshort 0x0100 +# Note: moved from ./msdos magic +# dfVersion 256=0100h +0 uleshort 0x0100 # GRR: line above is too general as it catches also TrueType font, # raw G3 data FAX, WhatsApp encrypted and Panorama database # dfType 129=0081h ->66 uleshort 0x0081 +>66 uleshort 0x0081 # dfVertRes 300=012Ch not needed as additional test -#>>70 uleshort 0x012c +#>>70 uleshort 0x012c # dfHorizRes 300=012Ch -#>>>72 uleshort 0x012c +#>>>72 uleshort 0x012c # dfDriverInfo points to postscript information section >>(101.l) string/c Postscript Printer Font Metrics # above labeled "PFM data" by ./msdos (version 5.28) or "Adobe Printer Font Metrics" by TrID 
@@ -40,13 +40,13 @@ # dfCopyright 60 byte null padded Copyright string. uncomment it to get old looking #>>>6 string >\060 - %-.60s # dfDriverInfo ->>>139 ulelong >0 +>>>139 ulelong >0 # often abbreviated and same as filename >>>>(139.l) string x %s # dfSize >>>2 ulelong x \b, %d bytes # dfFace 210=D2h 9Eh ->>>105 ulelong >0 +>>>105 ulelong >0 # Windows font name >>>>(105.l) string x \b, %s # dfItalic @@ -72,7 +72,7 @@ #>104 belong 00000004 X11 SNF font data, MSB first !:mime application/x-font-sfn # GRR: line below too general as it catches also Xbase index file t3-CHAR.NDX -0 lelong 00000004 +0 lelong 00000004 >104 lelong 00000004 X11 SNF font data, LSB first !:mime application/x-font-sfn @@ -82,27 +82,29 @@ # From: Joerg Jenderek # URL: http://grub.gibibit.com/New_font_format # Reference: util/grub-mkfont.c -# include/grub/fontformat.h +# include/grub/fontformat.h # FONT_FORMAT_SECTION_NAMES_FILE -0 string FILE +0 string FILE # FONT_FORMAT_PFF2_MAGIC ->8 string PFF2 +>8 string PFF2 # leng 4 only at the moment ->>4 ubelong 4 +>>4 ubelong 4 # FONT_FORMAT_SECTION_NAMES_FONT_NAME >>>12 string NAME GRUB2 font !:mime application/x-font-pf2 !:ext pf2 # length of font_name ->>>>16 ubelong >0 +>>>>16 ubelong >0 # font_name >>>>>20 string >\0 "%-s" # X11 fonts, from Daniel Quinlan (quinlan@yggdrasil.com) # PCF must come before SGI additions ("MIPSEL MIPS-II COFF" collides) -0 string \001fcp X11 Portable Compiled Font data ->12 byte 0x02 \b, LSB first ->12 byte 0x0a \b, MSB first +0 string \001fcp X11 Portable Compiled Font data, +>12 lelong ^0x08 bit: LSB, +>12 lelong &0x08 bit: MSB, +>12 lelong ^0x04 byte: LSB first +>12 lelong &0x04 byte: MSB first 0 string D1.0\015 X11 Speedo font data #------------------------------------------------------------------------------ 
@@ -134,28 +136,166 @@ >4 beshort >0 version %d # True Type fonts -0 string \000\001\000\000\000 TrueType font data -!:mime application/x-font-ttf +# Modified by: Joerg Jenderek +# URL: https://en.wikipedia.org/wiki/TrueType +# Reference: https://developer.apple.com/fonts/TrueType-Reference-Manual/ +# +# sfnt version "typ1" used by some Apple, but no example found +0 string typ1 +>0 use sfnt-font +>0 use sfnt-names +# sfnt version "true" used by some Apple +0 string true +>0 use sfnt-font +>0 use sfnt-names +# GRR: below test is too general +# sfnt version often 0x00010000 +0 string \000\001\000\000 +>0 use sfnt-font +>0 use sfnt-names +# validate and display sfnt font data like number of tables +0 name sfnt-font +# file 5.30 version assumes 00FFh as maximal number of tables +#>4 ubeshort <0x0100 +# maximal 27 tables found like in Skia.ttf +# 46 different table names mentioned on Apple specification +# skip 1st sequence of DOS 2 backup with path separator (\~92 or /~47) misinterpreted as table number +>4 ubeshort <47 +# skip bad examples with garbage table names like in a5.show HYPERC MAC +# tag names consist of up to four characters padded with spaces at end like +# BASE DSIG OS/2 Zapf acnt glyf cvt vmtx xref ... 
+>>12 regex/4l \^[A-Za-z][A-Za-z][A-Za-z/][A-Za-z2\ ] +#>>>0 ubelong x \b, sfnt version 0x%x +>>>0 ubelong !0x4f54544f TrueType +!:mime application/font-sfnt +#!:mime font/ttf +!:apple ????tfil +# .ttf for TrueType font +# EUDC.tte created by privat character editor %WINDIR%\system32\eudcedit.exe +!:ext ttf/tte +# sfnt version 4F54544Fh~OTTO +>>>0 ubelong =0x4f54544f OpenType +!:mime application/font-sfnt +#!:mime font/otf +!:apple ????OTTO +!:ext otf +>>>0 ubelong x Font data +# DSIG=44454947h table name implies a digitally signed font +# search range = number of tables * 16 =< maximal number of tables * 16 = 27 * 16 = 432 +>>>12 search/432 DSIG \b, digitally signed +>>>4 ubeshort x \b, %d tables +# minimal 9 tables found like in NISC18030.ttf +#>>>4 ubeshort <10 TMIN +#>>>4 ubeshort >24 TBIG +# table directory entries +>>>12 string x \b, 1st "%4.4s" + +# search and display 1st name in sfnt font which is often copyright text +# does not work inside font collections +0 name sfnt-names +# search for naming table +>12 search/432/s name +# biggest offset 0x0100bd28 like Windows10 Fonts\simsunb.ttf +#>>>>&8 ubelong >0x0100bd27 BIGGEST OFFSET +>>&8 ubelong >0x00100000 +# offset of name table +>>>&-4 ubelong x \b, name offset 0x%x +# GRR: pointer to name table only works if offset ~< FILE_BYTES_MAX = 100000h defined in src\file.h +>>&8 ubelong <0x00100000 +>>>&-16 ubelong x +# name table +>>>>(&8.L) ubequad x +# invalid format selector +#>>>>>&-8 ubeshort !0 \b, invalid selector %x +# minimal 3 name records found like in c:\Program Files (x86)\Tesseract-OCR\tessdata\pdf.ttf +# maximal 1227 name records found like in Apple Chancery.ttf +#>>>>>&-6 ubeshort <0x4 mincount +#>>>>>&-6 ubeshort >130 maxcount +>>>>>&-6 ubeshort x \b, %d names +# offset to start of string storage from start of table +#>>>>>&-4 ubeshort x \b, record offset %d +# 1st name record +# string offset from start of storage area +#>>>>>&8 ubeshort x \b, string offset %d +# string length +#>>>>>&6 ubeshort 
x \b, string length %d +# minimal name string 7 like in c:\Program Files (x86)\Kodi\addons\webinterface.default\lib\video-js\font\VideoJS.ttf +# also found 0 like in SWZCONLN.TTF +#>>>>>&6 ubeshort <8 MIN STRING +# maximal name string 806 like in c:\Windows\Fonts\palabi.ttf +#>>>>>&6 ubeshort >805 MAX STRING +# platform identifier: 0~Apple Unicode, 1~Macintosh, 3~Microsoft +#>>>>>&-2 ubeshort >3 BAD PLATFORM +>>>>>&-2 ubeshort 0 \b, Unicode +>>>>>&-2 ubeshort 1 \b, Macintosh +>>>>>&-2 ubeshort 3 \b, Microsoft +# languageID (0~english Macintosh, 0409h~english Microsoft, ...) +>>>>>&2 ubeshort >0 \b, language 0x%x +# name identifiers +# often 0~copyright, 1~font, 2~font subfamily, 5~version, 13~license, 19~sample, ... +>>>>>&4 ubeshort >0 \b, type %d string +# platform specific encoding: +# 0~undefined character set, 1~UGL set with Unicode, 3~Unicode 2.0 BMP only, 4~Unicode 2.0 +#>>>>>&0 ubeshort x \b, %d encoding +>>>>>&0 ubeshort 0 +# handle only name string offset 0 because do not know how to add 2 relative offsets +>>>>>>&6 ubeshort 0 +>>>>>>>&(&-14.S-18) ubyte !0 +# GRR: instead 806 only first MAXstring = 96 characters are displayed as defined in src\file.h +# often copyright string that starts like \251 2006 The Monotype Corporation +>>>>>>>>&-1 string x \b, %-11.96s +# test for unicode string +>>>>>>>&(&-14.S-18) ubyte 0 +>>>>>>>>&0 lestring16 x \b, %-11.96s +# unicode encoding +>>>>>&0 ubeshort >0 +>>>>>>&6 ubeshort 0 +>>>>>>>&(&-14.S-17) lestring16 x \b, %-11.96s 0 string \007\001\001\000Copyright\ (c)\ 199 Adobe Multiple Master font 0 string \012\001\001\000Copyright\ (c)\ 199 Adobe Multiple Master font # TrueType/OpenType font collections (.ttc) +# URL: https://en.wikipedia.org/wiki/OpenType # http://www.microsoft.com/typography/otspec/otff.htm -0 string ttcf TrueType font collection data ->4 belong 0x00010000 \b, 1.0 ->>8 belong >0 \b, %d fonts ->4 belong 0x00020000 \b, 2.0 ->>8 belong >0 \b, %d fonts +# Modified by: Joerg Jenderek +# Note: container for 
TrueType, OpenType font +0 string ttcf +# skip ASCII text +>4 ubyte 0 +# sfnt version often 0x00010000 of 1st table is TrueType +>>(12.L) ubelong !0x4f54544f TrueType +#!:mime font/ttf +!:apple ????tfil +!:ext ttc +# sfnt version 4F54544Fh~OTTO of 1st table is OpenType font +>>(12.L) ubelong =0x4f54544f OpenType +#!:mime font/otf +!:apple ????OTTO +# no example found for otc +!:ext ttc/otc +>>4 ubyte x font collection data +!:mime application/font-sfnt +#!:mime font/collection +# TCC version +>>4 belong 0x00010000 \b, 1.0 +>>4 belong 0x00020000 \b, 2.0 +>>8 ubelong >0 \b, %d fonts +# array offset size = fonts * offsetsize = fonts * 4 +>>(8.L*4) ubequad x # 0x44454947 = 'DSIG' ->>>16 belong 0x44534947 \b, digitally signed +>>>&4 belong 0x44534947 \b, digitally signed +# offset to 1st font +>>12 ubelong x \b, at 0x%x +# point to 1st font that starts with sfnt version +>>(12.L) use sfnt-font # Opentype font data from Avi Bercovich 0 string OTTO OpenType font data !:mime application/vnd.ms-opentype -# Gurkan Sengun , www.linuks.mine.nu -0 string SplineFontDB: Spline Font Database +# Gurkan Sengun , www.linuks.mine.nu +0 string SplineFontDB: Spline Font Database !:mime application/vnd.font-fontforge-sfd >14 string x version %s diff --git a/magic/Magdir/fsav b/magic/Magdir/fsav index ecdc4f654b7c..5714798e9131 100644 --- a/magic/Magdir/fsav +++ b/magic/Magdir/fsav @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: fsav,v 1.13 2013/03/25 17:18:47 christos Exp $ +# $File: fsav,v 1.14 2017/03/17 21:35:28 christos Exp $ # fsav: file(1) magic for datafellows fsav virus definition files # Anthon van der Neut (anthon@mnt.org) 
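Review bot: The added `>>>12 search/432 DSIG \b, digitally signed` in `sfnt-font` reports a font as signed as soon as the four bytes `DSIG` occur anywhere in the 432-byte search window. Nothing verifies the signature, and the search is not aligned to the 16-byte table records. I would word the output as what was actually observed, e.g. `\b, has DSIG table`, so that the result is not read as a verified signature. The new comment `# DSIG=44454947h` is also wrong: the ASCII bytes of `DSIG` are 44 53 49 47, which is the `0x44534947` the `ttcf` entry tests, so it should read `# DSIG=44534947h`.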
@@ -29,11 +29,11 @@ #>>>>10 byte 11 \b12- #>>>>9 ubyte >0 \b%02d) # ftp://ftp.f-prot.com/pub/sign2.zip -#0 ubyte 0x62 -#>1 ubyte 0xF5 -#>>2 ubyte 0x1 -#>>>3 ubyte 0x1 -#>>>>4 ubyte 0x0e +#0 ubyte 0x62 +#>1 ubyte 0xF5 +#>>2 ubyte 0x1 +#>>>3 ubyte 0x1 +#>>>>4 ubyte 0x0e #>>>>>13 ubyte >0 fsav virus signatures #>>>>>>11 ubyte x size 0x%02x #>>>>>>12 ubyte x \b%02x @@ -44,16 +44,16 @@ # .cvd files start with a 512 bytes colon separated header # ClamAV-VDB:buildDate:version:signaturesNumbers:functionalityLevelRequired:MD5:Signature:builder:buildTime # + gzipped tarball files -0 string ClamAV-VDB: +0 string ClamAV-VDB: >11 string >\0 Clam AntiVirus database %-.23s ->>34 string : ->>>35 string !: \b, version +>>34 string : +>>>35 string !: \b, version >>>>35 string x \b%-.1s ->>>>>36 string !: +>>>>>36 string !: >>>>>>36 string x \b%-.1s ->>>>>>>37 string !: +>>>>>>>37 string !: >>>>>>>>37 string x \b%-.1s ->>>>>>>>>38 string !: +>>>>>>>>>38 string !: >>>>>>>>>>38 string x \b%-.1s >512 string \037\213 \b, gzipped >769 string ustar\0 \b, tarred diff --git a/magic/Magdir/games b/magic/Magdir/games index 779bc6cfd643..9f72661d82fb 100644 --- a/magic/Magdir/games +++ b/magic/Magdir/games @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: games,v 1.14 2014/04/30 21:41:02 christos Exp $ +# $File: games,v 1.15 2017/03/17 21:35:28 christos Exp $ # games: file(1) for games # Fabio Bonelli @@ -39,7 +39,7 @@ #0 string -1\x0a Quake I demo #>30 string x version %.4s -#>61 string x level %s +#>61 string x level %s #0 string 5\x0a Quake I save @@ -240,7 +240,7 @@ # Summary: NetImmerse game engine file # Extension .nif # Created by: Abel Cheung -0 string NetImmerse\ File\ Format,\ Versio +0 string NetImmerse\ File\ Format,\ Versio >&0 string n\ NetImmerse game engine file >>&0 regex [0-9a-z.]+ \b, version %s diff --git a/magic/Magdir/gconv b/magic/Magdir/gconv new file mode 100644 index 000000000000..eec5ddcd7a57 --- /dev/null 
+++ b/magic/Magdir/gconv @@ -0,0 +1,10 @@ + +#------------------------------------------------------------------------------ +# $File: gconv +# gconv: file(1) magic for iconv/gconv module configuration cache +# +# Magic number defined in glibc/iconv/iconvconfig.h as GCONVCACHE_MAGIC +# +# From: Marek Cermak +# +0 lelong 0x20010324 gconv module configuration cache data diff --git a/magic/Magdir/geo b/magic/Magdir/geo index 9a765fed0c11..f93abd806c27 100644 --- a/magic/Magdir/geo +++ b/magic/Magdir/geo @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: geo,v 1.3 2013/01/04 00:47:02 christos Exp $ +# $File: geo,v 1.4 2017/03/17 21:35:28 christos Exp $ # Geo- files from Kurt Schwehr ###################################################################### @@ -57,7 +57,7 @@ 4 beshort 0x2002 GeoSwath RDF 0 string Start:- GeoSwatch auf text file -# Seabeam 2100 +# Seabeam 2100 # mbsystem code mb41 0 string SB2100 SeaBeam 2100 multibeam sonar 0 string SB2100DR SeaBeam 2100 DR multibeam sonar diff --git a/magic/Magdir/gnu b/magic/Magdir/gnu index 24609c16459c..8d5c9721588b 100644 --- a/magic/Magdir/gnu +++ b/magic/Magdir/gnu @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: gnu,v 1.17 2016/07/16 22:17:04 christos Exp $ +# $File: gnu,v 1.18 2017/03/17 21:35:28 christos Exp $ # gnu: file(1) magic for various GNU tools # # GNU nlsutils message catalog file format @@ -71,7 +71,7 @@ # they will ordinarily reported as "compressed", but at least -z helps 39 string = +# From: James Youngman # gnu find magic 0 string \0LOCATE GNU findutils locate database data >7 string >\0 \b, format %s diff --git a/magic/Magdir/gpt b/magic/Magdir/gpt index c48a58f7fe63..76a223c3a030 100644 --- a/magic/Magdir/gpt +++ b/magic/Magdir/gpt 
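Review bot: The new gconv entry matches on a single `0 lelong 0x20010324` test, in little-endian byte order only. If the cache is written in host byte order, as the reference to `GCONVCACHE_MAGIC` in `iconvconfig.h` suggests, a cache taken from a big-endian system will not be recognised. A twin line such as `0 belong 0x20010324 gconv module configuration cache data, big-endian` would cover that case. A comment stating the byte-order assumption would be enough if big-endian caches are intentionally out of scope.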
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: gpt,v 1.3 2014/04/30 21:41:02 christos Exp $ +# $File: gpt,v 1.4 2017/03/17 21:35:28 christos Exp $ # # GPT Partition table patterns. # Author: Rogier Goossens (goossens.rogier@gmail.com) @@ -36,7 +36,7 @@ >>>>>>>>>>>>>(454.l*8192) string EFI\ PART GPT partition table >>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>&-8 use gpt-table ->>>>>>>>>>>>>>0 ubyte x of 8192 bytes +>>>>>>>>>>>>>>0 ubyte x of 8192 bytes >>>>>>>>>>>>>(454.l*8192) string !EFI\ PART >>>>>>>>>>>>>>(454.l*4096) string EFI\ PART GPT partition table >>>>>>>>>>>>>>>0 use gpt-mbr-type @@ -66,7 +66,7 @@ >>>>>>>>>>>>>(470.l*8192) string EFI\ PART GPT partition table >>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>&-8 use gpt-table ->>>>>>>>>>>>>>0 ubyte x of 8192 bytes +>>>>>>>>>>>>>>0 ubyte x of 8192 bytes >>>>>>>>>>>>>(470.l*8192) string !EFI\ PART >>>>>>>>>>>>>>(470.l*4096) string EFI\ PART GPT partition table >>>>>>>>>>>>>>>0 use gpt-mbr-type @@ -96,7 +96,7 @@ >>>>>>>>>>>>>(486.l*8192) string EFI\ PART GPT partition table >>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>&-8 use gpt-table ->>>>>>>>>>>>>>0 ubyte x of 8192 bytes +>>>>>>>>>>>>>>0 ubyte x of 8192 bytes >>>>>>>>>>>>>(486.l*8192) string !EFI\ PART >>>>>>>>>>>>>>(486.l*4096) string EFI\ PART GPT partition table >>>>>>>>>>>>>>>0 use gpt-mbr-type @@ -126,7 +126,7 @@ >>>>>>>>>>>>>(502.l*8192) string EFI\ PART GPT partition table >>>>>>>>>>>>>>0 use gpt-mbr-type >>>>>>>>>>>>>>&-8 use gpt-table ->>>>>>>>>>>>>>0 ubyte x of 8192 bytes +>>>>>>>>>>>>>>0 ubyte x of 8192 bytes >>>>>>>>>>>>>(502.l*8192) string !EFI\ PART >>>>>>>>>>>>>>(502.l*4096) string EFI\ PART GPT partition table >>>>>>>>>>>>>>>0 use gpt-mbr-type 
@@ -166,7 +166,7 @@ ##>(8.l*8192) string EFI\ PART ##>>(8.l*8192) use gpt-mbr-type ##>>&-8 use gpt-table -##>>0 ubyte x of 8192 bytes +##>>0 ubyte x of 8192 bytes ##>(8.l*8192) string !EFI\ PART ##>>(8.l*4096) string EFI\ PART GPT partition table ##>>>0 use gpt-mbr-type @@ -212,7 +212,7 @@ >>486 ulelong !1 \b (nonstandard: not at LBA 1) # GPT with protective MBR entry in partition 4 >498 ubyte 0xee ->>502 ulelong 1 +>>502 ulelong 1 >>>446 string !\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \b (with hybrid MBR) >>502 ulelong !1 \b (nonstandard: not at LBA 1) diff --git a/magic/Magdir/gpu b/magic/Magdir/gpu new file mode 100644 index 000000000000..62e30d0f7a25 --- /dev/null +++ b/magic/Magdir/gpu @@ -0,0 +1,28 @@ + +#------------------------------------------------------------------------------ +# $File: gpu,v 1.2 2017/03/23 22:11:53 christos Exp $ +# gpu: file(1) magic for GPU input files + +# Standard Portable Intermediate Representation (SPIR) +# Documentation: https://www.khronos.org/spir +# Typical file extension: .spv + +0 belong 0x07230203 Khronos SPIR-V binary, big-endian +>4 belong x \b, version 0x%08x +>8 belong x \b, generator 0x%08x + +0 lelong 0x07230203 Khronos SPIR-V binary, little-endian +>4 lelong x \b, version 0x%08x +>8 lelong x \b, generator 0x%08x + +# Vulkan Trace file +# Documentation: +# https://github.com/LunarG/VulkanTools/blob/master/vktrace/vktrace_common/\ +# vktrace_trace_packet_identifiers.h +# Typical file extension: .vktrace + +8 lequad 0xABADD068ADEAFD0C Vulkan trace file, little-endian +>0 leshort x \b, version %d + +8 bequad 0xABADD068ADEAFD0C Vulkan trace file, big-endian +>0 beshort x \b, version %d diff --git a/magic/Magdir/gringotts b/magic/Magdir/gringotts index 2bfef1b7f7de..b67475406a7b 100644 --- a/magic/Magdir/gringotts +++ b/magic/Magdir/gringotts 
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: gringotts,v 1.5 2009/09/19 16:28:09 christos Exp $ +# $File: gringotts,v 1.6 2017/03/17 21:35:28 christos Exp $ # gringotts: file(1) magic for Gringotts # http://devel.pluto.linux.it/projects/Gringotts/ # author: Germano Rizzo @@ -9,10 +9,10 @@ #file format 1 >3 string 1 v.1, MCRYPT S2K, SERPENT crypt, SHA-256 hash, ZLib lvl.9 #file format 2 ->3 string 2 v.2, MCRYPT S2K, +>3 string 2 v.2, MCRYPT S2K, >>8 byte&0x70 0x00 RIJNDAEL-128 crypt, >>8 byte&0x70 0x10 SERPENT crypt, ->>8 byte&0x70 0x20 TWOFISH crypt, +>>8 byte&0x70 0x20 TWOFISH crypt, >>8 byte&0x70 0x30 CAST-256 crypt, >>8 byte&0x70 0x40 SAFER+ crypt, >>8 byte&0x70 0x50 LOKI97 crypt, @@ -27,10 +27,10 @@ >>8 byte&0x03 0x02 lvl.6 >>8 byte&0x03 0x03 lvl.9 #file format 3 ->3 string 3 v.3, OpenPGP S2K, +>3 string 3 v.3, OpenPGP S2K, >>8 byte&0x70 0x00 RIJNDAEL-128 crypt, >>8 byte&0x70 0x10 SERPENT crypt, ->>8 byte&0x70 0x20 TWOFISH crypt, +>>8 byte&0x70 0x20 TWOFISH crypt, >>8 byte&0x70 0x30 CAST-256 crypt, >>8 byte&0x70 0x40 SAFER+ crypt, >>8 byte&0x70 0x50 LOKI97 crypt, diff --git a/magic/Magdir/hitachi-sh b/magic/Magdir/hitachi-sh index 1b615ae9256e..0238ed7ebc4e 100644 --- a/magic/Magdir/hitachi-sh +++ b/magic/Magdir/hitachi-sh @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: hitachi-sh,v 1.7 2015/09/30 20:32:35 christos Exp $ +# $File: hitachi-sh,v 1.8 2017/03/17 21:35:28 christos Exp $ # hitach-sh: file(1) magic for Hitachi Super-H # # Super-H COFF 
@@ -9,20 +9,20 @@ # https://en.wikipedia.org/wiki/COFF # https://de.wikipedia.org/wiki/Common_Object_File_Format # http://www.delorie.com/djgpp/doc/coff/filhdr.html -# below test line conflicts with 2nd NTFS filesystem sector +# below test line conflicts with 2nd NTFS filesystem sector # 2nd NTFS filesystem sector often starts with 0x05004e00 for unicode string 5 NTLDR # and Portable Gaming Notation Compressed format (*.WID http://pgn.freeservers.com/) -0 beshort 0x0500 +0 beshort 0x0500 # test for unused flag bits (0x8000,0x0800,0x0400,0x0200,x0080) in f_flags ->18 ubeshort&0x8E80 0 +>18 ubeshort&0x8E80 0 # use big endian variant of subroutine to display name+variables+flags -# for common object formated files +# for common object formated files >>0 use \^display-coff -0 leshort 0x0550 +0 leshort 0x0550 # test for unused flag bits in f_flags ->18 uleshort&0x8E80 0 -# use little endian variant of subroutine to -# display name+variables+flags for common object formated files +>18 uleshort&0x8E80 0 +# use little endian variant of subroutine to +# display name+variables+flags for common object formated files >>0 use display-coff diff --git a/magic/Magdir/ibm370 b/magic/Magdir/ibm370 index 7887dc3c5c7a..a49b28f5db80 100644 --- a/magic/Magdir/ibm370 +++ b/magic/Magdir/ibm370 
@@ -1,28 +1,28 @@ #------------------------------------------------------------------------------ -# $File: ibm370,v 1.9 2014/04/30 21:41:02 christos Exp $ +# $File: ibm370,v 1.10 2017/03/17 21:35:28 christos Exp $ # ibm370: file(1) magic for IBM 370 and compatibles. # # "ibm370" said that 0x15d == 0535 was "ibm 370 pure executable". # What the heck *is* "USS/370"? # AIX 4.1's "/etc/magic" has # -# 0 short 0535 370 sysV executable +# 0 short 0535 370 sysV executable # >12 long >0 not stripped # >22 short >0 - version %d # >30 long >0 - 5.2 format -# 0 short 0530 370 sysV pure executable +# 0 short 0530 370 sysV pure executable # >12 long >0 not stripped # >22 short >0 - version %d # >30 long >0 - 5.2 format # # instead of the "USS/370" versions of the same magic numbers. # -0 beshort 0537 370 XA sysV executable +0 beshort 0537 370 XA sysV executable >12 belong >0 not stripped >22 beshort >0 - version %d >30 belong >0 - 5.2 format -0 beshort 0532 370 XA sysV pure executable +0 beshort 0532 370 XA sysV pure executable >12 belong >0 not stripped >22 beshort >0 - version %d >30 belong >0 - 5.2 format diff --git a/magic/Magdir/ibm6000 b/magic/Magdir/ibm6000 index 7f45072a187a..8b48f370eb79 100644 --- a/magic/Magdir/ibm6000 +++ b/magic/Magdir/ibm6000 @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: ibm6000,v 1.12 2013/09/16 15:12:42 christos Exp $ +# $File: ibm6000,v 1.13 2017/03/17 21:35:28 christos Exp $ # ibm6000: file(1) magic for RS/6000 and the RT PC. # 0 beshort 0x01df executable (RISC System/6000 V3.1) or obj module @@ -21,7 +21,7 @@ 0 beshort 0x01f7 64-bit XCOFF executable or object module >20 belong 0 not stripped # GRR: this test is still too general as it catches also many FATs of DOS filesystems -4 belong &0x0feeddb0 +4 belong &0x0feeddb0 # real core dump could not be 32-bit and 64-bit together >7 byte&0x03 !3 AIX core file >>1 byte &0x01 fulldump 
diff --git a/magic/Magdir/icc b/magic/Magdir/icc index 37fa30e8cb8c..55583b7b4f26 100644 --- a/magic/Magdir/icc +++ b/magic/Magdir/icc @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: icc,v 1.1 2013/01/08 01:43:18 christos Exp $ +# $File: icc,v 1.5 2017/08/13 00:21:47 christos Exp $ # icc: file(1) magic for International Color Consortium file formats # 
@@ -11,41 +11,204 @@ # http://www.color.org/specification/ICC1v43_2010-12.pdf # # for Specification ICC.1:2010 (Profile version 4.3.0.0). +# URL: http://fileformats.archiveteam.org/wiki/ICC_profile +# Reference: http://www.color.org/iccmax/ICC.2-2016-7.pdf +# Update: Joerg Jenderek # # Bytes 36 to 39 contain a generic profile file signature of "acsp"; # bytes 40 to 43 "may be used to identify the primary platform/operating # system framework for which the profile was created". # -# There are other fields that might be worth dumping as well. -# +# check and display ICC/ICM color profile +0 name color-profile +>36 string acsp +# skip ASCII like Cognacspirit.txt by month <= 12 +>>26 ubeshort <13 +# platform/operating system. Only 5 mentioned +# # This appears to be what's used for Apple ColorSync profiles. # Instead of adding that, Apple just changed the generic "acsp" entry # to be for "ColorSync ICC Color Profile" rather than "Kodak Color # Management System, ICC Profile". # Yes, it's "APPL", not "AAPL"; see the spec. -36 string acspAPPL ColorSync ICC Profile -!:mime application/vnd.iccprofile +>>>40 string APPL ColorSync # Microsoft ICM color profile -36 string acspMSFT Microsoft ICM Color Profile -!:mime application/vnd.iccprofile +>>>40 string MSFT Microsoft # Yes, that's a blank after "SGI". -36 string acspSGI\ SGI ICC Profile -!:mime application/vnd.iccprofile +>>>40 string SGI\ SGI # XXX - is this what's used for the Sun KCMS or not? The standard file # uses just "acsp" for that, but Apple's file uses it for "ColorSync", # and there *is* an identified "primary platform" value of SUNW. 
-36 string acspSUNW Sun KCMS ICC Profile +>>>40 string SUNW Sun KCMS + +# 5th platform +>>>40 string TGNT Taligent + +# remaining "l" "e" of "color profile" printed later to avoid error +>>>40 string x color profi +#>>>40 string x (%.4s) !:mime application/vnd.iccprofile +# for "ICM" extension only versions 2.x and for Kodak "CC" 2.0 is found +>>>8 ubyte =2 +# do not use empty message text to a avoid error like +# icc, 82: Warning: Current entry does not yet have a description for adding a EXTENSION type +# file.exe: could not find any valid magic files! +>>>>9 ubyte !0 \ble +!:ext icc/icm +# minor version +>>>>9 ubyte =0 \bl +# Kodak colour management system +>>>>>4 string =KCMS \be +!:ext icc/icm/cc +>>>>>4 string !KCMS \be +!:ext icc/icm +>>>8 ubyte !2 \ble +!:ext icc +# Profile version major.4bit-minor.sub1.sub2 like 4.3.0.0 (04300000h) +>>>8 ubyte x %u +>>>9 ubyte/16 x \b.%u +# reserved and shall be null but 205.205 in umx1220u.icm +>>>10 ubyte >0 \b.%u +>>>>11 ubyte >0 \b.%u +# preferred colour management module like appl CCMS KCMS Lino UCCM "Win " "FF " +# skip space like in brmsl08f.icm and null like in brmsl09f.icm, brmsl07f.icm +>>>4 string >\ \b, type %.2s +>>>>6 string >\ \b%.1s +>>>>>7 string >\ \b%.1s +# colour space "XYZ " "Lab " "RGB " CMYK GRAY ... 
+>>>16 string x \b, %.3s +>>>19 string >\ \b%.1s +# Profile Connection Space (PCS) field usually "XYZ " or "Lab " but sometimes +# null or CMYK like in ISOcoated_v2_to_PSOcoated_v3_DeviceLink.icc +>>>20 string >\0 \b/%.3s +>>>>23 string >\ \b%.1s +# eleven device classes +>>>12 string x \b-%.4s device +# skip 00001964h in hpf69000.icc or 0h in XRDC50Q.ICM or " ROT" in brmsl05f.icm +>>>52 string >\040 +# skip "none" model like in "Trinitron Compatible 9300K G2.2.icm" +>>>>52 ubelong !0x6e6f6e65 +# device manufacturer field like "HP " "IBM " EPSO +>>>>>48 string x \b, %.2s +>>>>>50 string >\ \b%.1s +>>>>>51 string >\ \b%.1s +# model like "ADI " "A265" and skip 20000404h in IS330.icm for RICOH RUSSIAN-SC +>>>>>52 string >\ \ \b/%.3s +>>>>>>55 string >\ \b%.1s +>>>>>52 string x model +# creator (often same as manufacture) like HP SONY XROX or null like in A925A.icm +>>>80 string >\0 by %.2s +>>>>82 string >\ \b%.1s +>>>>>83 string >\ \b%.1s +# profile size +>>>0 ubelong x \b, %u bytes +# skip invalid date 0 like in linearSRGB.icc +>>>24 ubequad !0 +# datetime dd-mm-yyyy hh:mm:ss +>>>>28 ubeshort x \b, %u +# month <= 12 +>>>>26 ubeshort x \b-%u +# year +>>>>24 ubeshort x \b-%u +# do not display midnight time like in CNHP8308.ICC +>>>>30 ubequad&0xFFffFFffFFff0000 !0 +# hour <= 24 +>>>>>30 ubeshort x %u +# minutes <= 59 +>>>>>32 ubeshort x \b:%.2u +# seconds <= 59 +>>>>>34 ubeshort x \b:%.2u +# vendor specific flags like 2 in HPCLJ5.ICM +>>>44 ubeshort >0 \b, 0x%x vendor flags +# profile flags bits 0-2 of least 16 used by ICC +#>>>44 ubelong >0 \b, 0x%x flags +# icEmbeddedProfileTrue +>>>44 ubelong &1 \b, embedded +# icEmbeddedProfileFalse +#>>>44 ubelong ^1 \b, not embedded +# icUseWithEmbeddedDataOnly +>>>44 ubelong &2 \b, dependently +# icUseAnywhere +#>>>44 ubelong ^2 \b, independently +>>>44 ubelong &4 \b, MCS +#>>>44 ubelong ^4 \b, no MCS +# vendor specific device attributes 1~srgb.icc +# E000D00h~CNB7QEDA.ICM C000A00h~CNB5FCAA.ICM 01040401h~CNB25PE3.ICM +>>>56 
ubelong >0 \b, 0x%x vendor attribute +# ICC device attributes bits 0-7 used +#>>>60 ubelong x \b, 0x%x attribute +# http://www.color.org/icc34.h +>>>60 ubelong &0x01 \b, transparent +#>>>60 ubelong ^0x01 \b, reflective +>>>60 ubelong &0x02 \b, matte +#>>>60 ubelong ^0x02 \b, glossy +>>>60 ubelong &0x04 \b, negative +#>>>60 ubelong ^0x04 \b, positive +>>>60 ubelong &0x08 \b, black&white +#>>>60 ubelong ^0x08 \b, colour +>>>60 ubelong &0x10 \b, non-paper +#>>>60 ubelong ^0x10 \b, paper +>>>60 ubelong &0x20 \b, non-textured +#>>>60 ubelong ^0x20 \b, textured +>>>60 ubelong &0x40 \b, non-isotropic +#>>>60 ubelong ^0x40 \b, isotropic +>>>60 ubelong &0x80 \b, self-luminous +#>>>60 ubelong ^0x80 \b, non-self-luminous +# rendering intent 0-3 but 7AEA5027h in EE051__1.ICM 6CB1BCh in EE061__1.ICM +>>>64 ubelong >3 \b, 0x%x rendering intent +#>>>64 ubelong =0 \b, perceptual +>>>64 ubelong =1 \b, relative colorimetric +>>>64 ubelong =2 \b, saturation +>>>64 ubelong =3 \b, absolute colorimetric +# PCS illuminant (3*s15Fixed16Numbers) often 0000f6d6 00010000 0000d32d +>>>71 ubequad !0xd6000100000000d3 \b, PCS +# usually X~0.9642*65536=63189.8112~63190=F6D5h ; but also found +# often F6D6 in gt5000r.icm, F6B8 in kodakce.icm, F6CA in RSWOP.icm +>>>>68 ubelong !0x0000f6d5 X=0x%x +# usually Y=1.0~00010000h but Y=0 in brmsl07f.icm +>>>>72 ubelong !0x00010000 Y=0x%x +# usually Z~0.8249*65536=54060.6464~54061=D32Dh ; but also found +# D2F7 in hp1200c.icm, often D32C in A925A.icm, D309 in RSWOP.icm , D2F8 in kodak_dc.icm +>>>>76 ubelong !0x0000d32d Z=0x%x +# Profile ID. MD5 fingerprinting method as defined in Internet RFC 1321. 
+>>>84 ubequad >0 \b, 0x%llx MD5 +# reserved in older versions should be zero but also found CDCDCDCDCDCDCDCD +#>>100 ubequad x \b 0x%llx reserved +# tag table +# 6 <= tags count <= 43 +#>>>128 ubelong >43 \b, %u tags +>>>128 ubelong x +# shall contain the profileDescriptionTag "desc" , copyrightTag "cprt" +# search range = tags count * 12 -8=< maximal tag count * 12 -8= 43 * 12 -8= 508 +>>>>132 search/508 cprt +# but no copyright tag in linearSRGB.icc +# beneath /System/Library/Frameworks/WebKit.framework/ +# Versions/A/Frameworks/WebCore.framework/Versions/A/Resources +>>>>132 default x \b, no copyright tag +# 1st tag +#>>>132 string x \b, 1st tag %.4s +#>>>136 ubelong x 0x%x offset +#>>>140 ubelong x 0x%x len +# 2nd tag,... +# look also for profileDescriptionTag "desc" +>>>132 search/508 desc +# look further for TextDescriptionType "desc" signature +>>>>(&0.L) string =desc +>>>>>&4 pstring/l x "%s" +# look alternative for multiLocalizedUnicodeType "mluc" signature like in VideoPAL.icc +>>>>(&0.L) string =mluc +>>>>>&(&8.L) ubequad x +>>>>>>&4 bestring16 x '%s' # Any other profile. # XXX - should we use "acsp\0\0\0\0" for "no primary platform" profiles, # and use "acsp" for everything else and dump the "primary platform" # string in those cases? -36 string acsp ICC Profile -!:mime application/vnd.iccprofile +36 string acsp +>0 use color-profile diff --git a/magic/Magdir/images b/magic/Magdir/images index 3e9cd81f3198..f0d087b3b4b6 100644 --- a/magic/Magdir/images +++ b/magic/Magdir/images @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: images,v 1.117 2016/07/05 19:12:21 christos Exp $ +# $File: images,v 1.126 2017/06/11 22:25:44 christos Exp $ # images: file(1) magic for image formats (see also "iff", and "c-lang" for # XPM bitmaps) # 
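Review bot: In the new `color-profile` subroutine of magic/Magdir/icc, `>>>84 ubequad >0 \b, 0x%llx MD5` labels its output as the MD5 profile ID, but `ubequad` reads eight bytes, so only the first half of the 16-byte field (offsets 84-99, going by the commented-out reserved test at 100) is printed. Nothing is printed at all when those first eight bytes happen to be zero. Anyone correlating profiles against a computed MD5 would be comparing with a truncated value; either label it, e.g. `\b, 0x%llx MD5 (first 8 bytes)`, or add a comment `# only bytes 84-91 of the 16-byte profile ID are shown`. Separately, `>>26 ubeshort <13` gates every line of output, so an `acsp` file whose month field is above 12 now gets neither a description nor `!:mime application/vnd.iccprofile`, where the removed `36 string acsp ICC Profile` entry matched; that deserves a comment for people who use file(1) output in upload or content-type filtering.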
@@ -26,23 +26,28 @@ # test of Color Map Type 0~no 1~color map # and Image Type 1 2 3 9 10 11 32 33 # and Color Map Entry Size 0 15 16 24 32 -0 ubequad&0x00FeC400000000C0 0 +0 ubequad&0x00FeC400000000C0 0 # skip more garbage by looking for positive image type ->2 ubyte >0 +>2 ubyte >0 # skip some compiled terminfo by looking for image type less equal 33 ->>2 ubyte <34 +>>2 ubyte <34 # skip arches.3200 , Finder.Root , Slp.1 by looking for low pixel sizes 15 16 24 32 ->>>16 ubyte <33 +>>>16 ubyte <33 # skip more by looking for pixel size 0Fh 10h 18h 20h ->>>>16 ubyte&0xC0 0x00 -# skip 260-16.ico by looking for no color map ->>>>>1 ubyte 0 -# implies no first map entry ->>>>>>3 uleshort 0 ->>>>>>>0 use tga-image +>>>>16 ubyte&0xC0 0x00 # Color Map ->>>>>1 ubyte >0 +>>>>>1 belong&0xfff7ffff 0x01010000 >>>>>>0 use tga-image +>>>>>1 belong&0xfff7ffff 0x00020000 +>>>>>>0 use tga-image +>>>>>1 belong&0xfff7ffff 0x00030000 +>>>>>>0 use tga-image +>>>>>1 default x +# skip 260-16.ico by looking for no color map +>>>>>>1 ubyte 0 +# implies no first map entry +>>>>>>>3 uleshort 0 +>>>>>>>>0 use tga-image # display tga bitmap image information 0 name tga-image >2 ubyte <34 Targa image data @@ -78,7 +83,7 @@ >14 uleshort =0 65536 # Image Pixel Size 15 16 24 32 >16 ubyte x x %d -# X origin of image. 0 normal +# X origin of image. 0 normal >8 uleshort >0 +%d # Y origin of image. 0 normal; positive for top >10 uleshort >0 +%d 
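Review bot: The three new `>>>>>1 belong&0xfff7ffff` tests in the Targa entry have no comment explaining the mask or the constants, and this entry has no magic number to fall back on, so a reader cannot tell which header combinations are accepted. Judging from the header comment above (color map type, image types 1 2 3 9 10 11) and the later `>>>>>>>3 uleshort 0` test, the mask appears to drop bit 3 of the image-type byte and to require the two bytes after it to be zero. A comment such as `# bytes 1-4: color map type, image type (bit 3 masked out), first map entry = 0` above the first test would record that. The `tga-image` subroutine these lines call is defined outside the hunk.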
@@ -90,27 +95,27 @@ >17 ubyte &0x10 - right #>17 ubyte ^0x10 - left # some info say other bits 6-7 should be zero -# but data storage interleave by http://www.fileformat.info/format/tga/corion.htm +# but data storage interleave by http://www.fileformat.info/format/tga/corion.htm # 00 - no interleave;01 - even/odd interleave; 10 - four way interleave; 11 - reserved #>17 ubyte&0xC0 0x00 - no interleave >17 ubyte&0xC0 0x40 - interleave >17 ubyte&0xC0 0x80 - four way interleave >17 ubyte&0xC0 0xC0 - reserved -# positive length implies identification field ->0 ubyte >0 +# positive length implies identification field +>0 ubyte >0 >>18 string x "%s" # last 18 bytes of newer tga file footer signature ->18 search/4261301/s TRUEVISION-XFILE.\0 +>18 search/4261301/s TRUEVISION-XFILE.\0 # extension area offset if not 0 ->>&-8 ulelong >0 +>>&-8 ulelong >0 # length of the extension area. normal 495 for version 2.0 ->>>(&-4.l) uleshort 0x01EF +>>>(&-4.l) uleshort 0x01EF # AuthorName[41] >>>>&0 string >\0 - author "%-.40s" # Comment[324]=4 * 80 null terminated >>>>&41 string >\0 - comment "%-.80s" # date ->>>>&365 ubequad&0xffffFFFFffff0000 !0 +>>>>&365 ubequad&0xffffFFFFffff0000 !0 # Day >>>>>&-6 uleshort x %d # Month @@ -118,7 +123,7 @@ # Year >>>>>&-4 uleshort x \b-%d # time ->>>>&371 ubequad&0xffffFFFFffff0000 !0 +>>>>&371 ubequad&0xffffFFFFffff0000 !0 # hour >>>>>&-8 uleshort x %d # minutes @@ -128,14 +133,14 @@ # JobName[41] >>>>&377 string >\0 - job "%-.40s" # JobHour Jobminute Jobsecond ->>>>&418 ubequad&0xffffFFFFffff0000 !0 +>>>>&418 ubequad&0xffffFFFFffff0000 !0 >>>>>&-8 uleshort x %d >>>>>&-6 uleshort x \b:%.2d >>>>>&-4 uleshort x \b:%.2d # SoftwareId[41] >>>>&424 string >\0 - %-.40s # SoftwareVersionNumber ->>>>&424 ubyte >0 +>>>>&424 ubyte >0 >>>>>&40 uleshort/100 x %d >>>>>&40 uleshort%100 x \b.%d # VersionLetter 
@@ -143,16 +148,16 @@ # KeyColor >>>>&468 ulelong >0 - keycolor 0x%8.8x # Denominator of Pixel ratio. 0~no pixel aspect ->>>>&474 uleshort >0 +>>>>&474 uleshort >0 # Numerator >>>>>&-4 uleshort >0 - aspect %d >>>>>&-2 uleshort x \b/%d # Denominator of Gamma ratio. 0~no Gamma value ->>>>&478 uleshort >0 +>>>>&478 uleshort >0 # Numerator >>>>>&-4 uleshort >0 - gamma %d >>>>>&-2 uleshort x \b/%d -# ColorOffset +# ColorOffset #>>>>&480 ulelong x - col offset 0x%8.8x # StampOffset #>>>>&484 ulelong x - stamp offset 0x%8.8x @@ -170,43 +175,43 @@ >>&0 regex =[0-9]{1,50} \b, size = %s x >>>&0 regex =[0-9]{1,50} \b %s -0 search/1 P1 ->0 regex/4 P1\\s +0 search/1 P1 +>0 regex/4 P1[\040\t\f\r\n] >>0 use netpbm >>>0 string x \b, bitmap !:strength + 45 !:mime image/x-portable-bitmap -0 search/1 P2 ->0 regex/4 P2\\s +0 search/1 P2 +>0 regex/4 P2[\040\t\f\r\n] >>0 use netpbm >>>0 string x \b, greymap !:strength + 45 !:mime image/x-portable-greymap 0 search/1 P3 ->0 regex/4 P3\\s +>0 regex/4 P3[\040\t\f\r\n] >>0 use netpbm >>>0 string x \b, pixmap !:strength + 45 !:mime image/x-portable-pixmap -0 string P4 ->0 regex/4 P4\\s +0 string P4 +>0 regex/4 P4[\040\t\f\r\n] >>0 use netpbm >>>0 string x \b, rawbits, bitmap !:strength + 45 !:mime image/x-portable-bitmap -0 string P5 ->0 regex/4 P5\\s +0 string P5 +>0 regex/4 P5[\040\t\f\r\n] >>0 use netpbm >>>0 string x \b, rawbits, greymap !:strength + 45 !:mime image/x-portable-greymap -0 string P6 ->0 regex/4 P6\\s +0 string P6 +>0 regex/4 P6[\040\t\f\r\n] >>0 use netpbm >>>0 string x \b, rawbits, pixmap !:strength + 45 @@ -303,7 +308,7 @@ >>>8 leshort 0x8765 \bJBIG >>>8 leshort 0x8798 \bJPEG2000 >>>8 leshort 0x8799 \bNikon NEF Compressed ->>>8 default x +>>>8 default x >>>>8 leshort x \b(unknown 0x%x) >>>12 use tiff_entry >0 leshort 0x106 \b, PhotometricIntepretation= 
@@ -414,21 +419,35 @@ # (Greg Roelofs, newt@uchicago.edu) # (Albert Cahalan, acahalan@cs.uml.edu) # -# 137 P N G \r \n ^Z \n [4-byte length] H E A D [HEAD data] [HEAD crc] ... +# 137 P N G \r \n ^Z \n [4-byte length] I H D R [HEAD data] [HEAD crc] ... # -0 string \x89PNG\x0d\x0a\x1a\x0a PNG image data + +# IHDR parser +0 name png-ihdr +>0 belong x \b, %d x +>4 belong x %d, +>8 byte x %d-bit +>9 byte 0 grayscale, +>9 byte 2 \b/color RGB, +>9 byte 3 colormap, +>9 byte 4 gray+alpha, +>9 byte 6 \b/color RGBA, +#>10 byte 0 deflate/32K, +>12 byte 0 non-interlaced +>12 byte 1 interlaced + +# Standard PNG image. +0 string \x89PNG\x0d\x0a\x1a\x0a\x00\x00\x00\x0DIHDR PNG image data !:mime image/png ->16 belong x \b, %d x ->20 belong x %d, ->24 byte x %d-bit ->25 byte 0 grayscale, ->25 byte 2 \b/color RGB, ->25 byte 3 colormap, ->25 byte 4 gray+alpha, ->25 byte 6 \b/color RGBA, -#>26 byte 0 deflate/32K, ->28 byte 0 non-interlaced ->28 byte 1 interlaced +!:strength +10 +>16 use png-ihdr + +# Apple CgBI PNG image. +0 string \x89PNG\x0d\x0a\x1a\x0a\x00\x00\x00\x04CgBI +>24 string \x00\x00\x00\x0DIHDR PNG image data (CgBI) +!:mime image/png +!:strength +10 +>>32 use png-ihdr # possible GIF replacements; none yet released! # (Greg Roelofs, newt@uchicago.edu) @@ -438,13 +457,13 @@ !:mime image/x-unknown # # GRR 950115: this is Jeremy Wohl's Free Graphics Format (better): -# +# 0 string FGF95a FGF image (GIF+deflate beta) !:mime image/x-unknown # # GRR 950115: this is Thomas Boutell's Portable Bitmap Format proposal # (best; not yet implemented): -# +# 0 string PBF PBF image (deflate compression) !:mime image/x-unknown 
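Review bot: The new `png-ihdr` subroutine prints width and height with `belong` and `%d` (`>0 belong x \b, %d x` and `>4 belong x %d,`), so an IHDR dimension with the top bit set is shown as a negative number. Such values are invalid for PNG and are exactly what someone triaging a suspicious image wants to read plainly; `>0 ubelong x \b, %u x` and `>4 ubelong x %u,` would print them unsigned. It is also worth a comment above the two top-level entries that a file with the 8-byte PNG signature but neither a 13-byte IHDR nor a CgBI chunk first is no longer reported as PNG at all, because the removed entry matched the signature alone.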
@@ -528,19 +547,19 @@ # http://www.blackfiveservices.co.uk/awbmtools.shtml # http://biosgfx.narod.ru/v3/ # http://biosgfx.narod.ru/abr-2/ -0 string AWBM +0 string AWBM >4 leshort <1981 Award BIOS bitmap !:mime image/x-award-bmp # image width is a multiple of 4 ->>4 leshort&0x0003 0 +>>4 leshort&0x0003 0 >>>4 leshort x \b, %d >>>6 leshort x x %d >>4 leshort&0x0003 >0 \b, ->>>4 leshort&0x0003 =1 +>>>4 leshort&0x0003 =1 >>>>4 leshort x %d+3 ->>>4 leshort&0x0003 =2 +>>>4 leshort&0x0003 =2 >>>>4 leshort x %d+2 ->>>4 leshort&0x0003 =3 +>>>4 leshort&0x0003 =3 >>>>4 leshort x %d+1 >>>6 leshort x x %d # at offset 8 starts imagedata followed by "RGB " marker @@ -764,11 +783,11 @@ # http://web.archive.org/web/20100206055706/http://www.qzx.com/pc-gpe/pcx.txt # GRR: original test was still too general as it catches xbase examples T5.DBT,T6.DBT with 0xa000000 # test for bytes 0x0a,version byte (0,2,3,4,5),compression byte flag(0,1), bit depth (>0) of PCX or T5.DBT,T6.DBT -0 ubelong&0xffF8fe00 0x0a000000 -# for PCX bit depth > 0 ->3 ubyte >0 +0 ubelong&0xffF8fe00 0x0a000000 +# for PCX bit depth > 0 +>3 ubyte >0 # test for valid versions ->>1 ubyte <6 +>>1 ubyte <6 >>>1 ubyte !1 PCX !:mime image/x-pcx #!:mime image/pcx 
@@ -828,29 +847,29 @@ # Update: Joerg Jenderek # See http://fileformats.archiveteam.org/wiki/GEM_Raster # For variations, also see: -# http://www.seasip.info/Gem/ff_img.html (Ventura) +# http://www.seasip.info/Gem/ff_img.html (Ventura) # http://www.atari-wiki.com/?title=IMG_file (XIMG, STTT) # http://www.fileformat.info/format/gemraster/spec/index.htm (XIMG, STTT) # http://sylvana.net/1stguide/1STGUIDE.ENG (TIMG) 0 beshort 0x0001 # header_size ->2 beshort 0x0008 +>2 beshort 0x0008 >>0 use gem_info ->2 beshort 0x0009 +>2 beshort 0x0009 >>0 use gem_info # no example for NOSIG ->2 beshort 24 +>2 beshort 24 >>0 use gem_info # no example for HYPERPAINT ->2 beshort 25 +>2 beshort 25 >>0 use gem_info -16 string XIMG\0 +16 string XIMG\0 >0 use gem_info # no example -16 string STTT\0\x10 +16 string STTT\0\x10 >0 use gem_info # no example or description -16 string TIMG\0 +16 string TIMG\0 >0 use gem_info 0 name gem_info @@ -859,15 +878,15 @@ # http://www.snowstone.org.uk/riscos/mimeman/mimemap.txt !:mime image/x-gem # header_size 24 25 27 59 779 words for colored bitmaps ->>2 beshort >9 +>>2 beshort >9 >>>16 string STTT\0\x10 STTT >>>16 string TIMG\0 TIMG # HYPERPAINT or NOSIG variant ->>>16 string \0\x80 +>>>16 string \0\x80 >>>>2 beshort =24 NOSIG >>>>2 beshort !24 HYPERPAINT # NOSIG or XIMG variant ->>>16 default x +>>>16 default x >>>>16 string !XIMG\0 NOSIG >>16 string =XIMG\0 XIMG Image data !:ext img/ximg @@ -1177,7 +1196,7 @@ # updated by: Joerg Jenderek # URL: http://techmods.net/nuvi/ 0 string GARMIN\ BITMAP\ 01 Garmin Bitmap file -# extension is also used for +# extension is also used for # Sony SRF raw image (image/x-sony-srf) # SRF map # Terragen Surface Map (http://www.planetside.co.uk/terragen) @@ -1318,7 +1337,7 @@ !:mime image/x-icns !:apple ????icns !:ext icns ->4 ubelong >0 +>4 ubelong >0 # file size >>4 ubelong x \b, %d bytes # icon type 
@@ -1451,3 +1470,12 @@ >0x10 string GVRT Sega GVR image: >>0x10 use sega-gvr-image-header >>0x08 belong x \b, global index = %u + +# Light Field Picture +# Documentation: http://optics.miloush.net/lytro/TheFileFormat.aspx +# Typical file extensions: .lfp .lfr .lfx + +0 belong 0x894C4650 +>4 belong 0x0D0A1A0A +>12 belong 0x00000000 Lytro Light Field Picture +>8 belong x \b, version %d diff --git a/magic/Magdir/intel b/magic/Magdir/intel index 3f96b758fdd4..c4f02544d638 100644 --- a/magic/Magdir/intel +++ b/magic/Magdir/intel @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: intel,v 1.14 2015/11/10 00:13:27 christos Exp $ +# $File: intel,v 1.15 2017/03/17 21:35:28 christos Exp $ # intel: file(1) magic for x86 Unix # # Various flavors of x86 UNIX executable/object (other than Xenix, which @@ -36,8 +36,8 @@ # ./msdos (version 5.25) labeled the next entry as "MS Windows COFF Intel 80386 object file" # ./intel (version 5.25) label labeled the next entry as "80386 COFF executable" # SGI labeled the next entry as "iAPX 386 executable" --Dan Quinlan -0 leshort =0514 -# use subroutine to display name+flags+variables for common object formated files +0 leshort =0514 +# use subroutine to display name+flags+variables for common object formated files >0 use display-coff #>12 lelong >0 not stripped # no hint found, that at offset 22 is version diff --git a/magic/Magdir/isz b/magic/Magdir/isz index 3388a82a5b9d..af68db2b3e2e 100644 --- a/magic/Magdir/isz +++ b/magic/Magdir/isz @@ -1,7 +1,7 @@ #------------------------------------------------------------------------------ -# $File: isz,v 1.3 2014/04/30 21:41:02 christos Exp $ -# ISO Zipped file format +# $File: isz,v 1.4 2017/03/17 21:35:28 christos Exp $ +# ISO Zipped file format # http://www.ezbsystems.com/isz/iszspec.txt 0 string IsZ! ISO Zipped file >4 byte x \b, header size %u diff --git a/magic/Magdir/jpeg b/magic/Magdir/jpeg index 2b49c21c6053..57adb1e546b0 100644 
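Review bot: The three continuation lines of the new Lytro entry are all at level 1, so the `>4 belong 0x0D0A1A0A` test gates nothing. The description is printed whenever bytes 0-3 match and bytes 12-15 are zero, and `>8 belong x \b, version %d` fires on the first four bytes alone, even when no description was printed. Nesting the lines makes each test depend on the one before it: `>4 belong 0x0D0A1A0A`, then `>>12 belong 0x00000000 Lytro Light Field Picture`, then `>>>8 belong x \b, version %d`.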
--- a/magic/Magdir/jpeg +++ b/magic/Magdir/jpeg @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: jpeg,v 1.30 2016/07/04 15:18:23 christos Exp $ +# $File: jpeg,v 1.31 2017/03/17 21:35:28 christos Exp $ # JPEG images # SunOS 5.5.1 had # @@ -53,14 +53,14 @@ >>5 beshort x \b%d >>9 byte x \b, frames %d ->0 beshort 0xFFC1 +>0 beshort 0xFFC1 >>(2.S+2) use jpeg_segment >>4 byte x \b, extended sequential, precision %d >>7 beshort x \b, %dx >>5 beshort x \b%d >>9 byte x \b, frames %d ->0 beshort 0xFFC2 +>0 beshort 0xFFC2 >>(2.S+2) use jpeg_segment >>4 byte x \b, progressive, precision %d >>7 beshort x \b, %dx @@ -71,11 +71,11 @@ >0 beshort 0xFFC4 >>(2.S+2) use jpeg_segment ->0 beshort 0xFFE1 +>0 beshort 0xFFE1 # Recursion handled by FFE0 #>>(2.S+2) use jpeg_segment >>4 string Exif \b, Exif Standard: [ ->>>10 indirect/r x +>>>10 indirect/r x >>>10 string x \b] # Application specific markers diff --git a/magic/Magdir/kerberos b/magic/Magdir/kerberos index cb07fedbe27f..93b8f79de99b 100644 --- a/magic/Magdir/kerberos +++ b/magic/Magdir/kerberos @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: kerberos,v 1.1 2014/12/10 18:45:43 christos Exp $ +# $File: kerberos,v 1.2 2017/03/17 21:35:28 christos Exp $ # kerberos: MIT kerberos file binary formats # @@ -38,7 +38,7 @@ >>>>>&0 bedate x \b, date=%s >>>>>>&0 byte x \b, kvno=%u #>>>>>>>&0 pstring/H x -#>>>>>>>>&0 belong x +#>>>>>>>>&0 belong x #>>>>>>>>>>&0 use keytab_entry 0 belong 0x05020000 Kerberos Keytab file diff --git a/magic/Magdir/kml b/magic/Magdir/kml index ed0f42ed8533..d603ea806288 100644 --- a/magic/Magdir/kml +++ b/magic/Magdir/kml 
@@ -1,13 +1,13 @@ #------------------------------------------------------------------------------ -# $File: kml,v 1.3 2010/11/25 15:00:12 christos Exp $ +# $File: kml,v 1.4 2017/03/17 21:35:28 christos Exp $ # Type: Google KML, formerly Keyhole Markup Language # Future development of this format has been handed # over to the Open Geospatial Consortium. # http://www.opengeospatial.org/standards/kml/ # From: Asbjoern Sloth Toennesen 0 string/t \20 search/400 \ xmlns= +>20 search/400 \ xmlns= >>&0 regex ['"]http://earth.google.com/kml Google KML document !:mime application/vnd.google-earth.kml+xml >>>&1 string 2.0' \b, version 2.0 @@ -25,7 +25,7 @@ >>>&1 string/t 2.2 \b, version 2.2 #------------------------------------------------------------------------------ -# Type: Google KML Archive (ZIP based) +# Type: Google KML Archive (ZIP based) # http://code.google.com/apis/kml/documentation/kml_tut.html # From: Asbjoern Sloth Toennesen 0 string PK\003\004 diff --git a/magic/Magdir/linux b/magic/Magdir/linux index c8cc0df5e50e..0630a8a7ce10 100644 --- a/magic/Magdir/linux +++ b/magic/Magdir/linux @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: linux,v 1.63 2015/08/24 05:16:11 christos Exp $ +# $File: linux,v 1.64 2017/03/17 21:35:28 christos Exp $ # linux: file(1) magic for Linux files # # Values for Linux/i386 binaries, from Daniel Quinlan @@ -199,7 +199,7 @@ ############################################################################ # Linux 8086 executable 0 lelong&0xFF0000FF 0xC30000E9 Linux-Dev86 executable, headerless ->5 string . +>5 string . >>4 string >\0 \b, libc version %s 0 lelong&0xFF00FFFF 0x4000301 Linux-8086 executable @@ -213,7 +213,7 @@ >2 byte&0x40 !0 \b, A_PURE >2 byte&0x80 !0 \b, A_TOVLY >28 long !0 \b, not stripped ->37 string . +>37 string . >>36 string >\0 \b, libc version %s # 0 lelong&0xFF00FFFF 0x10000301 ld86 I80386 executable 
@@ -241,7 +241,7 @@ >24 lelong x %d symbols >28 lelong x %d ocons -# Linux Logical Volume Manager (LVM) +# Linux Logical Volume Manager (LVM) # Emmanuel VARAGNAT # # System ID, UUID and volume group name are 128 bytes long @@ -301,7 +301,7 @@ >>&0x20 lequad x \b, size: %lld 0x618 string LVM2\ 001 LVM2 PV (Linux Logical Volume Manager) ->&(&-12.l-0x21) byte x +>&(&-12.l-0x21) byte x # display UUID in LVM format + display all 32 bytes (instead of max string length: 31) >>&0x0 string >\x2f \b, UUID: %.6s >>&0x6 string >\x2f \b-%.4s @@ -340,7 +340,7 @@ # Summary: Xen saved domain file # Created by: Radek Vokal 0 string LinuxGuestRecord Xen saved domain ->20 search/256 (name +>20 search/256 (name >>&1 string x (name %s) # Type: Xen, the virtual machine monitor @@ -397,7 +397,7 @@ >>0x1046 ubeshort x \b%04x # Linux device tree: -# File format description can be found in the Linux kernel sources at +# File format description can be found in the Linux kernel sources at # Documentation/devicetree/booting-without-of.txt # From Christoph Biedl 0 belong 0xd00dfeed diff --git a/magic/Magdir/lisp b/magic/Magdir/lisp index db0592e730c7..43d102e1dd76 100644 --- a/magic/Magdir/lisp +++ b/magic/Magdir/lisp @@ -1,13 +1,13 @@ #------------------------------------------------------------------------------ -# $File: lisp,v 1.24 2015/11/30 20:54:26 christos Exp $ +# $File: lisp,v 1.25 2017/03/17 21:35:28 christos Exp $ # lisp: file(1) magic for lisp programs # # various lisp types, from Daniel Quinlan (quinlan@yggdrasil.com) # updated by Joerg Jenderek # GRR: This lot is too weak -#0 string ;; +#0 string ;; # windows INF files often begin with semicolon and use CRLF as line end # lisp files are mainly created on unix system with LF as line end #>2 search/4096 !\r Lisp/Scheme program text 
@@ -28,9 +28,9 @@ # URL: https://en.wikipedia.org/wiki/Emacs_Lisp # Reference: http://ftp.gnu.org/old-gnu/emacs/elisp-manual-18-1.03.tar.gz -# Update: Joerg Jenderek +# Update: Joerg Jenderek # Emacs 18 - this is always correct, but not very magical. -0 string \012( +0 string \012( # look for emacs lisp keywords # GRR: split regex because it is too long or get error like # lisp, 36: Warning: cannot get string from `^(defun|defvar|defconst|defmacro|setq|fset|put|provide|require|' @@ -50,13 +50,13 @@ # Emacs 19+ - ver. recognition added by Ian Springer # Also applies to XEmacs 19+ .elc files; could tell them apart with regexs # - Chris Chittleborough -# Update: Joerg Jenderek -0 string ;ELC +# Update: Joerg Jenderek +0 string ;ELC # version\0\0\0 >4 byte >18 Emacs/XEmacs v%d byte-compiled Lisp data # why less than 32 ? does not make sense to me. GNU Emacs version is 24.5 at April 2015 #>4 byte <32 Emacs/XEmacs v%d byte-compiled Lisp data -!:mime application/x-elc +!:mime application/x-elc !:apple EMAxTEXT !:ext elc @@ -67,7 +67,7 @@ 0 long 0x70768BD2 CLISP memory image data 0 long 0xD28B7670 CLISP memory image data, other endian -#.com and .bin for MIT scheme +#.com and .bin for MIT scheme 0 string \372\372\372\372 MIT scheme (library?) # From: David Allouche diff --git a/magic/Magdir/m4 b/magic/Magdir/m4 index f6b5e52640f9..3a1c6d19f7db 100644 --- a/magic/Magdir/m4 +++ b/magic/Magdir/m4 @@ -1,6 +1,9 @@ #------------------------------------------------------------------------------ -# $File: m4,v 1.1 2011/12/08 12:12:46 rrt Exp $ +# $File: m4,v 1.2 2017/08/14 07:40:38 christos Exp $ # make: file(1) magic for M4 scripts # 0 regex \^dnl\ M4 macro processor script text !:mime text/x-m4 +0 regex \^AC_DEFUN\\(\\[ M4 macro processor script text +!:strength + 15 +!:mime text/x-m4 diff --git a/magic/Magdir/macintosh b/magic/Magdir/macintosh index d7f20f2027f1..e7c0e5e81da6 100644 --- a/magic/Magdir/macintosh +++ b/magic/Magdir/macintosh 
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: macintosh,v 1.26 2015/11/25 00:36:02 christos Exp $ +# $File: macintosh,v 1.27 2017/03/17 21:35:28 christos Exp $ # macintosh description # # BinHex is the Macintosh ASCII-encoded file format (see also "apple") @@ -109,9 +109,9 @@ # the assumption that 65-72 will all be ASCII (0x20-0x7F), that 73 will # have bits 1 (changed), 2 (busy), 3 (bozo), and 6 (invisible) unset, # and that 74 will be 0. So something like -# +# # 71 belong&0x80804EFF 0x00000000 Macintosh MacBinary data -# +# # >73 byte&0x01 0x01 \b, inited # >73 byte&0x02 0x02 \b, changed # >73 byte&0x04 0x04 \b, busy @@ -254,7 +254,7 @@ >0x9C string INDEX data file index >0x9C string VIEW data view -# spss magic for SPSS system and portable files, +# spss magic for SPSS system and portable files, # from Bruce Foster (bef@nwu.edu). 0 long 0xc1e2c3c9 SPSS Portable File @@ -273,7 +273,7 @@ # entries depend on the data arithmetic added after v.35 # There's also some Pascal strings in here, ditto... -# The boot block signature, according to IM:Files, is +# The boot block signature, according to IM:Files, is # "for HFS volumes, this field always contains the value 0x4C4B." # But if this is true for MFS or HFS+ volumes, I don't know. # Alternatively, the boot block is supposed to be zeroed if it's @@ -291,10 +291,10 @@ # *.hfs updated by Joerg Jenderek # http://en.wikipedia.org/wiki/Hierarchical_File_System # "BD" gives many false positives -0x400 beshort 0x4244 +0x400 beshort 0x4244 # ftp://ftp.mars.org/pub/hfs/hfsutils-3.2.6.tar.gz/hfsutils-3.2.6/libhfs/apple.h # first block of volume bit map (always 3) ->0x40e ubeshort 0x0003 +>0x40e ubeshort 0x0003 # maximal length of volume name is 27 >>0x424 ubyte <28 Macintosh HFS data !:mime application/x-apple-diskimage 
@@ -351,15 +351,15 @@ #>0x230 string x first type: %s, #>0x210 string x name: %s, #>0x254 belong x number of blocks: %d, -#>0x400 beshort 0x504D +#>0x400 beshort 0x504D #>>0x430 string x second type: %s, #>>0x410 string x name: %s, #>>0x454 belong x number of blocks: %d, -#>>0x800 beshort 0x504D +#>>0x800 beshort 0x504D #>>>0x830 string x third type: %s, #>>>0x810 string x name: %s, #>>>0x854 belong x number of blocks: %d, -#>>>0xa00 beshort 0x504D +#>>>0xa00 beshort 0x504D #>>>>0xa30 string x fourth type: %s, #>>>>0xa10 string x name: %s, #>>>>0xa54 belong x number of blocks: %d diff --git a/magic/Magdir/make b/magic/Magdir/make index f8509d6bdbcf..2895325a6e62 100644 --- a/magic/Magdir/make +++ b/magic/Magdir/make @@ -1,7 +1,8 @@ #------------------------------------------------------------------------------ -# $File: make,v 1.2 2015/08/25 07:34:06 christos Exp $ +# $File: make,v 1.3 2016/12/10 14:21:29 christos Exp $ # make: file(1) magic for makefiles # +# URL: https://en.wikipedia.org/wiki/Make_(software) 0 regex/100l \^CFLAGS makefile script text !:mime text/x-makefile 0 regex/100l \^VPATH makefile script text 
@@ -10,12 +11,19 @@ !:mime text/x-makefile 0 regex/100l \^all: makefile script text !:mime text/x-makefile -0 regex/100l \^\.PRECIOUS makefile script text +0 regex/100l \^\\.PRECIOUS makefile script text !:mime text/x-makefile -0 regex/100l \^\.BEGIN BSD makefile script text +# Update: Joerg Jenderek +# Reference: https://www.freebsd.org/cgi/man.cgi?make(1) +# exclude grub-core\lib\libgcrypt\mpi\Makefile.am with "#BEGIN_ASM_LIST" +# by additional escaping point character +0 regex/100l \^\\.BEGIN BSD makefile script text with "%s" !:mime text/x-makefile -0 regex/100l \^\.include BSD makefile script text +!:ext /mk +# exclude MS Windows help file CoNtenT with ":include FOOBAR.CNT" +# and NSIS script with "!include" by additional escaping point character +0 regex/100l \^\\.include BSD makefile script text with "%s" !:mime text/x-makefile - +!:ext /mk 0 regex/100l \^SUBDIRS automake makefile script text !:mime text/x-makefile diff --git a/magic/Magdir/maple b/magic/Magdir/maple index 05a8eaf298be..44ab2842b604 100644 --- a/magic/Magdir/maple +++ b/magic/Magdir/maple @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: maple,v 1.7 2013/01/11 16:45:23 christos Exp $ +# $File: maple,v 1.8 2017/03/17 21:35:28 christos Exp $ # maple: file(1) magic for maple files # "H. Nanosecond" # Maple V release 4, a multi-purpose math program @@ -13,7 +13,7 @@ # no magic for these :-( # they are compiled indexes for maple files -# .hdb +# .hdb 0 string \000\004\000\000 Maple help database # .mhp @@ -40,7 +40,7 @@ # from byte 4 it is either 'nul E' or 'soh R' # I think 'nul E' means a file that was saved as a different name # a sort of revision marking -# 'soh R' means new +# 'soh R' means new >4 string \000\105 An old revision >4 string \001\122 The latest save diff --git a/magic/Magdir/marc21 b/magic/Magdir/marc21 index 7e859a3893b9..fd509ec15245 100644 --- a/magic/Magdir/marc21 +++ b/magic/Magdir/marc21 
@@ -2,27 +2,29 @@ # marc21: file(1) magic for MARC 21 Format # # Kevin Ford (kefo@loc.gov) -# +# # MARC21 formats are for the representation and communication # of bibliographic and related information in machine-readable # form. For more info, see http://www.loc.gov/marc/ # leader position 20-21 must be 45 -20 string 45 +# and 22-23 also 00 so far, but we check that later. +20 string 45 +>0 search/2048 \x1e # leader starts with 5 digits, followed by codes specific to MARC format ->0 regex/1l (^[0-9]{5})[acdnp][^bhlnqsu-z] MARC21 Bibliographic +>>0 regex/1l (^[0-9]{5})[acdnp][^bhlnqsu-z] MARC21 Bibliographic !:mime application/marc ->0 regex/1l (^[0-9]{5})[acdnosx][z] MARC21 Authority +>>0 regex/1l (^[0-9]{5})[acdnosx][z] MARC21 Authority !:mime application/marc ->0 regex/1l (^[0-9]{5})[cdn][uvxy] MARC21 Holdings +>>0 regex/1l (^[0-9]{5})[cdn][uvxy] MARC21 Holdings !:mime application/marc -0 regex/1l (^[0-9]{5})[acdn][w] MARC21 Classification +>>0 regex/1l (^[0-9]{5})[acdn][w] MARC21 Classification !:mime application/marc ->0 regex/1l (^[0-9]{5})[cdn][q] MARC21 Community +>>0 regex/1l (^[0-9]{5})[cdn][q] MARC21 Community !:mime application/marc # leader position 22-23, should be "00" but is it? ->0 regex/1l (^.{21})([^0]{2}) (non-conforming) +>>0 regex/1l (^.{21})([^0]{2}) (non-conforming) !:mime application/marc diff --git a/magic/Magdir/mathematica b/magic/Magdir/mathematica index a93899e83c2e..e76957eea43a 100644 --- a/magic/Magdir/mathematica +++ b/magic/Magdir/mathematica @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: mathematica,v 1.8 2015/04/09 20:01:40 christos Exp $ +# $File: mathematica,v 1.9 2017/03/17 21:35:28 christos Exp $ # mathematica: file(1) magic for mathematica files # "H. Nanosecond" # Mathematica a multi-purpose math program 
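Review bot: The `(non-conforming)` entry in the magic/Magdir/marc21 hunk does not test the leader positions its comment names. `(^.{21})([^0]{2})` consumes offsets 0–20 and then tests offsets 21–22, and offset 21 is already known to be `5` from the parent `20 string 45`. The entry therefore fires only when offset 22 is not `0`, and offset 23 is never examined, so a leader ending in `4501` is not flagged. A direct comparison at the right offset, for example `>>22 string !00 (non-conforming)`, would match the comment "leader position 22-23, should be "00"".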
@@ -49,7 +49,7 @@ #0 string (*This\ is\ a\ Mathematica\ binary\ dump\ file.\ It\ can\ be\ loaded\ with\ Get.*) Mathematica binary file 0 string (*This\ is\ a\ Mathematica\ binary\ Mathematica binary file -#>71 string \000\010\010\010\010\000\000\000\000\000\000\010\100\010\000\000\000 +#>71 string \000\010\010\010\010\000\000\000\000\000\000\010\100\010\000\000\000 # >71... is optional >88 string >\0 from %s @@ -59,7 +59,7 @@ 0 string MMAPBF\000\001\000\000\000\203\000\001\000 Mathematica PBF (fonts I think) # .ml files These are menu resources I think -# these start with "[0-9][0-9][0-9]\ A~[0-9][0-9][0-9]\ +# these start with "[0-9][0-9][0-9]\ A~[0-9][0-9][0-9]\ # how to put that into a magic rule? 4 string \ A~ MAthematica .ml file diff --git a/magic/Magdir/metastore b/magic/Magdir/metastore index 285c3cfa0cca..53f5b37c936a 100644 --- a/magic/Magdir/metastore +++ b/magic/Magdir/metastore @@ -1,8 +1,8 @@ #------------------------------------------------------------------------------ -# $File: metastore,v 1.1 2011/04/06 12:37:44 christos Exp $ +# $File: metastore,v 1.2 2017/03/17 21:35:28 christos Exp $ # metastore: file(1) magic for metastore files # From: Thomas Wissen # see http://david.hardeman.nu/software.php#metastore -0 string MeTaSt00r3 Metastore data file, +0 string MeTaSt00r3 Metastore data file, >10 bequad x version %0llx diff --git a/magic/Magdir/meteorological b/magic/Magdir/meteorological index 541bbbffb894..9e7a3f1bcca6 100644 --- a/magic/Magdir/meteorological +++ b/magic/Magdir/meteorological @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: meteorological,v 1.1 2014/08/04 06:26:16 christos Exp $ +# $File: meteorological,v 1.2 2017/03/17 21:35:28 christos Exp $ # rinex: file(1) magic for RINEX files # http://igscb.jpl.nasa.gov/igscb/data/format/rinex210.txt # ftp://cddis.gsfc.nasa.gov/pub/reports/formats/rinex300.pdf 
@@ -34,7 +34,7 @@ >>&32 string x \b, date %15.15s >>5 string x \b, version %6.6s !:mime rinex/meteorological ->80 search/256 XXRINEXN RINEX Data, Navigation +>80 search/256 XXRINEXN RINEX Data, Navigation >>&32 string x \b, date %15.15s >>5 string x \b, version %6.6s !:mime rinex/navigation diff --git a/magic/Magdir/microfocus b/magic/Magdir/microfocus index b2d204b1b0c3..e5b247cd3d90 100644 --- a/magic/Magdir/microfocus +++ b/magic/Magdir/microfocus @@ -1,7 +1,7 @@ #------------------------------------------------------------------------------ -# $File: microfocus,v 1.1 2016/02/09 01:22:49 christos Exp $ -# Micro Focus COBOL data files. +# $File: microfocus,v 1.2 2017/03/17 21:35:28 christos Exp $ +# Micro Focus COBOL data files. # http://documentation.microfocus.com/help/index.jsp?topic=\ # %2FGUID-0E0191D8-C39A-44D1-BA4C-D67107BAF784%2FHRFLRHFILE05.html diff --git a/magic/Magdir/mime b/magic/Magdir/mime index 42ca52dc6b58..57b2dd557ba2 100644 --- a/magic/Magdir/mime +++ b/magic/Magdir/mime @@ -1,9 +1,9 @@ #------------------------------------------------------------------------------ -# $File: mime,v 1.6 2010/11/25 15:00:12 christos Exp $ +# $File: mime,v 1.8 2017/03/17 22:20:22 christos Exp $ # mime: file(1) magic for MIME encoded files # -0 string/t Content-Type:\ +0 string/t Content-Type:\040 >14 string >\0 %s 0 string/t Content-Type: >13 string >\0 %s diff --git a/magic/Magdir/misctools b/magic/Magdir/misctools index eeb518d4f92a..3ce91b560bf7 100644 --- a/magic/Magdir/misctools +++ b/magic/Magdir/misctools @@ -1,6 +1,6 @@ #----------------------------------------------------------------------------- -# $File: misctools,v 1.16 2016/02/14 15:46:52 christos Exp $ +# $File: misctools,v 1.17 2017/03/17 21:35:28 christos Exp $ # misctools: file(1) magic for miscellaneous UNIX tools. # 0 search/1 %%!! X-Post-It-Note text 
@@ -14,7 +14,7 @@ #!:mime text/x-vcard !:mime text/vcard # VERSION must come right after BEGIN for 3.0 or 4.0 except in 2.1 , where it can be anywhere ->12 search/14000/c VERSION: +>12 search/14000/c VERSION: # VERSION 2.1 , 3.0 or 4.0 >>&0 string x \b, version %-.3s @@ -48,7 +48,7 @@ >12 ulelong !0x20 \b, 0x%8.8x RVA # CheckSum 0 >16 ulelong !0 \b, CheckSum 0x%8.8x -# Reserved or TimeDateStamp +# Reserved or TimeDateStamp >20 ledate x \b, %s # https://msdn.microsoft.com/en-us/library/windows/desktop/ms680519%28v=vs.85%29.aspx # Flags MINIDUMP_TYPE enumeration type 0 0x121 0x800 diff --git a/magic/Magdir/modem b/magic/Magdir/modem index e4decfda5195..d988e903bfcf 100644 --- a/magic/Magdir/modem +++ b/magic/Magdir/modem @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: modem,v 1.7 2016/01/08 00:56:42 christos Exp $ +# $File: modem,v 1.8 2017/03/17 21:35:28 christos Exp $ # modem: file(1) magic for modem programs # # From: Florian La Roche 
@@ -13,24 +13,24 @@ # URL: https://de.wikipedia.org/wiki/Fax # Reference: http://web.archive.org/web/20020628195336/http://www.netnam.vn/unescocourse/computervision/104.htm # GRR: EOL of G3 is too general as it catches also TrueType fonts, Postscript PrinterFontMetric, others -0 short 0x0100 +0 short 0x0100 # 16 0-bits near beginning like True Type fonts *.ttf, Postscript PrinterFontMetric *.pfm, FTYPE.HYPERCARD, XFER ->2 search/9 \0\0 +>2 search/9 \0\0 # maximal 7 0-bits for pixel sequences or 11 0-bits for EOL in G3 ->2 default x +>2 default x # skip IRCAM file (VAX big-endian) ./audio ->>0 belong !0x0001a364 +>>0 belong !0x0001a364 # skip GEM Image data ./images ->>>2 beshort !0x0008 +>>>2 beshort !0x0008 # look for first keyword of Panorama database *.pan ->>>>11 search/262 \x06DESIGN +>>>>11 search/262 \x06DESIGN # skip Panorama database ->>>>11 default x +>>>>11 default x # old Apple DreamWorld DreamGrafix *.3200 with keyword at end of g3 looking files ->>>>>27118 search/1864 DreamWorld ->>>>>27118 default x +>>>>>27118 search/1864 DreamWorld +>>>>>27118 default x # skip MouseTrap/Mt.Defaults with file size 16 found on Golden Orchard Apple II CD Rom ->>>>>>8 ubequad !0x2e01010454010203 +>>>>>>8 ubequad !0x2e01010454010203 # skip PICTUREH.SML found on Golden Orchard Apple II CD Rom >>>>>>>8 ubequad !0x5dee74ad1aa56394 raw G3 (Group 3) FAX, byte-padded # version 5.25 labeled the entry above "raw G3 data, byte-padded" @@ -39,9 +39,9 @@ !:ext g3 # unusual image starting with black pixel #0 short 0x1300 raw G3 (Group 3) FAX -0 short 0x1400 +0 short 0x1400 # 16 0-bits near beginning like PicturePuzzler found on Golden Orchard Apple CD Rom ->2 search/9 \0\0 +>2 search/9 \0\0 # maximal 7 0-bits for pixel sequences or 11 0-bits for EOL in G3 >2 default x raw G3 (Group 3) FAX # version 5.25 labeled the above entry as "raw G3 data" diff --git a/magic/Magdir/mozilla b/magic/Magdir/mozilla index 173018c3fbb8..23288019f1aa 100644 --- a/magic/Magdir/mozilla 
+++ b/magic/Magdir/mozilla @@ -1,7 +1,7 @@ #------------------------------------------------------------------------------ -# $File: mozilla,v 1.6 2015/01/25 16:20:46 christos Exp $ -# mozilla: file(1) magic for Mozilla XUL fastload files +# $File: mozilla,v 1.7 2017/03/17 21:35:28 christos Exp $ +# mozilla: file(1) magic for Mozilla XUL fastload files # (XUL.mfasl and XPC.mfasl) # URL: http://www.mozilla.org/ # From: Josh Triplett diff --git a/magic/Magdir/msdos b/magic/Magdir/msdos index 55ea3e83c3a7..6eb12c215774 100644 --- a/magic/Magdir/msdos +++ b/magic/Magdir/msdos @@ -1,12 +1,12 @@ #------------------------------------------------------------------------------ -# $File: msdos,v 1.111 2016/09/14 01:26:26 christos Exp $ +# $File: msdos,v 1.120 2017/08/13 00:21:47 christos Exp $ # msdos: file(1) magic for MS-DOS files # # .BAT files (Daniel Quinlan, quinlan@yggdrasil.com) # updated by Joerg Jenderek at Oct 2008,Apr 2011 -0 string/t @ +0 string/t @ >1 string/cW \ echo\ off DOS batch file text !:mime text/x-msdos-batch >1 string/cW echo\ off DOS batch file text @@ -230,7 +230,7 @@ >>(8.s*16) string go32stub for MS-DOS, DJGPP go32 DOS extender >>(8.s*16) string emx >>>&1 string x for DOS, Win or OS/2, emx %s ->>&(&0x42.l-3) byte x +>>&(&0x42.l-3) byte x >>>&0x26 string UPX \b, UPX compressed # and yet another guess: small .text, and after large .data is unusal, could be 32lite >>&0x2c search/0xa0 .text @@ -240,8 +240,8 @@ >(8.s*16) string $WdX \b, WDos/X DOS extender # By now an executable type should have been printed out. The executable -# may be a self-uncompressing archive, so look for evidence of that and -# print it out. +# may be a self-uncompressing archive, so look for evidence of that and +# print it out. # # Some signatures below from Greg Roelofs, newt@uchicago.edu. # 
@@ -283,8 +283,8 @@ # Skip to the end of the EXE. This will usually work fine in the PE case # because the MZ image is hardcoded into the toolchain and almost certainly # won't match any of these signatures. ->(4.s*512) long x ->>&(2.s-517) byte x +>(4.s*512) long x +>>&(2.s-517) byte x >>>&0 string PK\3\4 \b, ZIP self-extracting archive >>>&0 string Rar! \b, RAR self-extracting archive >>>&0 string =!\x11 \b, AIN 2.x self-extracting archive 
@@ -312,71 +312,77 @@ # only version=0x100 found >3 uleshort x \b, version 0x%x # length of string containing author,info and special characters ->6 ubyte >0 +>6 ubyte >0 #>>6 pstring x \b, name=%s >>7 string >\0 \b, author=%-.14s >>7 search/254 \xff \b, info= #>>>&0 string x \b%-s >>>&0 string x \b%-.15s -# for FreeDOS *.KL files +# for FreeDOS *.KL files 0 string/b KLF FreeDOS KEYBoard Layout file # only version=0x100 or 0x101 found >3 uleshort x \b, version 0x%x # stringlength ->5 ubyte >0 +>5 ubyte >0 >>8 string x \b, name=%-.2s -0 string \xffKEYB\ \ \ \0\0\0\0 +0 string \xffKEYB\ \ \ \0\0\0\0 >12 string \0\0\0\0`\004\360 MS-DOS KEYBoard Layout file -# DOS device driver updated by Joerg Jenderek at May 2011 -# http://maben.homeip.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009 -0 ulequad&0x07a0ffffffff 0xffffffff DOS executable ( ->40 search/7 UPX! \bUPX compressed +# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017 +# https://amaus.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009 +0 ulequad&0x07a0ffffffff 0xffffffff +>0 use msdos-driver +0 name msdos-driver DOS executable ( +#!:mime application/octet-stream +!:mime application/x-dosdriver +# also found FreeDOS print driver SPOOL.DEV and disc compression driver STACLOAD.BIN +!:ext sys/dev/bin +>40 search/7 UPX! 
\bUPX compressed # DOS device driver attributes >4 uleshort&0x8000 0x0000 \bblock device driver # character device >4 uleshort&0x8000 0x8000 \b ->>4 uleshort&0x0008 0x0008 \bclock +>>4 uleshort&0x0008 0x0008 \bclock # fast video output by int 29h ->>4 uleshort&0x0010 0x0010 \bfast +>>4 uleshort&0x0010 0x0010 \bfast # standard input/output device ->>4 uleshort&0x0003 >0 \bstandard +>>4 uleshort&0x0003 >0 \bstandard >>>4 uleshort&0x0001 0x0001 \binput >>>4 uleshort&0x0003 0x0003 \b/ ->>>4 uleshort&0x0002 0x0002 \boutput +>>>4 uleshort&0x0002 0x0002 \boutput >>4 uleshort&0x8000 0x8000 \bcharacter device driver ->0 ubyte x +>0 ubyte x # upx compressed device driver has garbage instead of real in name field of header ->>40 search/7 UPX! ->>40 default x +>>40 search/7 UPX! +>>40 default x # leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped ->>>12 ubyte >0x27 \b ->>>>10 ubyte >0x20 ->>>>>10 ubyte !0x2E +>>>12 ubyte >0x2E \b +>>>>10 ubyte >0x20 +>>>>>10 ubyte !0x2E >>>>>>10 ubyte !0x2A \b%c ->>>>11 ubyte >0x20 +>>>>11 ubyte >0x20 >>>>>11 ubyte !0x2E \b%c ->>>>12 ubyte >0x20 ->>>>>12 ubyte !0x39 +>>>>12 ubyte >0x20 +>>>>>12 ubyte !0x39 >>>>>>12 ubyte !0x2E \b%c ->>>13 ubyte >0x20 +>>>13 ubyte >0x20 >>>>13 ubyte !0x2E \b%c ->>>>14 ubyte >0x20 +>>>>14 ubyte >0x20 >>>>>14 ubyte !0x2E \b%c ->>>>15 ubyte >0x20 +>>>>15 ubyte >0x20 >>>>>15 ubyte !0x2E \b%c ->>>>16 ubyte >0x20 ->>>>>16 ubyte !0x2E +>>>>16 ubyte >0x20 +>>>>>16 ubyte !0x2E >>>>>>16 ubyte <0xCB \b%c ->>>>17 ubyte >0x20 ->>>>>17 ubyte !0x2E +>>>>17 ubyte >0x20 +>>>>>17 ubyte !0x2E >>>>>>17 ubyte <0x90 \b%c # some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field ->>>4 uleshort&0x8000 0x8000 ->>>>12 ubyte <0x2F +>>>12 ubyte <0x2F # they have their real name at offset 22 ->>>>>22 string >\0 \b%-.5s ->4 uleshort&0x8000 0x0000 +# also block device drivers like DUMBDRV.SYS +>>>>22 string >\056 %-.6s +>4 
uleshort&0x8000 0x0000 # 32 bit sector addressing ( > 32 MB) for block devices >>4 uleshort&0x0002 0x0002 \b,32-bit sector- # support by driver functions 13h, 17h, 18h 
@@ -384,33 +390,42 @@ # open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh >4 uleshort&0x0800 0x0800 \b,close media- # output until busy support by int 10h for character device driver ->4 uleshort&0x8000 0x8000 +>4 uleshort&0x8000 0x8000 >>4 uleshort&0x2000 0x2000 \b,until busy- # direct read/write support by driver functions 03h,0Ch >4 uleshort&0x4000 0x4000 \b,control strings- ->4 uleshort&0x8000 0x8000 +>4 uleshort&0x8000 0x8000 >>4 uleshort&0x6840 >0 \bsupport ->4 uleshort&0x8000 0x0000 +>4 uleshort&0x8000 0x0000 >>4 uleshort&0x4842 >0 \bsupport >0 ubyte x \b) -# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header -# Too weak, matches files that only contain 0's -#0 ulequad&0x000007a0ffffffed 0x0000000000000000 DOS-executable ( -#>4 uleshort&0x8000 0x8000 \bcharacter device driver -#>>10 string x %-.8s -#>4 uleshort&0x4000 0x4000 \b,control strings-support) +# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header +0 ulequad 0x0513c00000000012 +>0 use msdos-driver +# DOS drivers DC2975.SYS, DUMBDRV.SYS, ECHO.SYS has also none 0xffffffff for pointer field +0 ulequad 0x32f28000ffff0016 +>0 use msdos-driver +0 ulequad 0x007f00000000ffff +>0 use msdos-driver +0 ulequad 0x001600000000ffff +>0 use msdos-driver +# DOS drivers LS120.SYS, MKELS120.SYS use reserved bits of attribute field +0 ulequad 0x0bf708c2ffffffff +>0 use msdos-driver +0 ulequad 0x07bd08c2ffffffff +>0 use msdos-driver # updated by Joerg Jenderek -# GRR: line below too general as it catches also +# GRR: line below too general as it catches also # rt.lib DYADISKS.PIC and many more # start with assembler instruction MOV -0 ubyte 0x8c +0 ubyte 0x8c # skip "AppleWorks word processor data" like ARTICLE.1 ./apple ->4 string !O==== +>4 string !O==== # skip some unknown basic binaries like RocketRnger.SHR ->>5 string !MAIN +>>5 string !MAIN # skip "GPG symmetrically encrypted data" ./gnu -# skip "PGP symmetric 
key encrypted data" ./pgp +# skip "PGP symmetric key encrypted data" ./pgp # openpgpdefs.h: fourth byte < 14 indicate cipher algorithm type >>>4 ubyte >13 DOS executable (COM, 0x8C-variant) # the remaining files should be DOS *.COM executables @@ -428,7 +443,7 @@ # updated by Joerg Jenderek at Oct 2008 0 ulelong 0xffff10eb DR-DOS executable (COM) # byte 0xeb conflicts with "sequent" magic leshort 0xn2eb -0 ubeshort&0xeb8d >0xeb00 +0 ubeshort&0xeb8d >0xeb00 # DR-DOS STACKER.COM SCREATE.SYS missed 0 name msdos-com @@ -463,9 +478,9 @@ # updated by Joerg Jenderek at Oct 2008,2015 # following line is too general -0 ubyte 0xb8 +0 ubyte 0xb8 # skip 2 linux kernels like memtest.bin with "\xb8\xc0\x07\x8e" in ./linux ->0 string !\xb8\xc0\x07\x8e +>0 string !\xb8\xc0\x07\x8e # modified by Joerg Jenderek # syslinux COM32 or COM32R executable >>1 lelong&0xFFFFFFFe 0x21CD4CFe COM executable (32-bit COMBOOT @@ -496,8 +511,8 @@ #!:mime application/x-msdos-program !:ext com -0 string/b \x81\xfc ->4 string \x77\x02\xcd\x20\xb9 +0 string/b \x81\xfc +>4 string \x77\x02\xcd\x20\xb9 >>36 string UPX! FREE-DOS executable (COM), UPX compressed 252 string Must\ have\ DOS\ version DR-DOS executable (COM) # added by Joerg Jenderek at Oct 2008 @@ -514,10 +529,10 @@ #IFMEMDSK.cOM ASSIGN.cOM COMP.cOM 5 string \xcd\x21 COM executable for DOS #DELTMP.COm HASFAT32.cOM -7 string \xcd\x21 +7 string \xcd\x21 >0 byte !0xb8 COM executable for DOS #COMP.cOM MORE.COm -10 string \xcd\x21 +10 string \xcd\x21 >5 string !\xcd\x21 COM executable for DOS #comecho.com 13 string \xcd\x21 COM executable for DOS 
@@ -565,10 +580,23 @@ 0 string/b PO^Q` Microsoft Word 6.0 Document !:mime application/msword # -0 string/b \376\067\0\043 Microsoft Office Document +4 long 0 +>0 belong 0xfe320000 Microsoft Word for Macintosh 1.0 !:mime application/msword -0 string/b \333\245-\0\0\0 Microsoft Office Document +!:ext mcw +>0 belong 0xfe340000 Microsoft Word for Macintosh 3.0 !:mime application/msword +!:ext mcw +>0 belong 0xfe37001c Microsoft Word for Macintosh 4.0 +!:mime application/msword +!:ext mcw +>0 belong 0xfe370023 Microsoft Word for Macintosh 5.0 +!:mime application/msword +!:ext mcw + +0 string/b \333\245-\0\0\0 Microsoft Word 2.0 Document +!:mime application/msword +!:ext doc 512 string/b \354\245\301 Microsoft Word Document !:mime application/msword @@ -599,11 +627,11 @@ # Reference: http://www.aboutvb.de/bas/formate/pdf/wk3.pdf # Note: newer Lotus versions >2 use longer BOF record # record type (BeginningOfFile=0000h) + length (001Ah) -0 belong 0x00001a00 +0 belong 0x00001a00 # reserved should be 0h but 8c0dh for TUTMAC.WK3, 5h for SAMPADNS.WK3, 1h for a_readme.wk3, 1eh for K&G86.WK3 -#>18 uleshort&0x73E0 0 +#>18 uleshort&0x73E0 0 # Lotus Multi Byte Character Set (LMBCS=1-31) ->20 ubyte >0 +>20 ubyte >0 >>20 ubyte <32 Lotus 1-2-3 #!:mime application/x-123 !:mime application/vnd.lotus-1-2-3 @@ -640,10 +668,10 @@ !:ext fXX # main revision number >>>>4 uleshort x \b, revision 0x%x ->>>6 uleshort =0x0004 \b, cell range +>>>6 uleshort =0x0004 \b, cell range # active cellcoord range (start row, page,column ; end row, page, column) # start values normally 0~1st sheet A1 ->>>>8 ulelong !0 +>>>>8 ulelong !0 >>>>>10 ubyte >0 \b%d* >>>>>8 uleshort x \b%d, >>>>>11 ubyte x \b%d- 
@@ -656,9 +684,9 @@ >>>>20 ubyte >1 \b, character set 0x%x # flags >>>>21 ubyte x \b, flags 0x%x ->>>6 uleshort !0x0004 +>>>6 uleshort !0x0004 # record type (FONTNAME=00AEh) ->>>>30 search/29 \0\xAE +>>>>30 search/29 \0\xAE # variable length m (2) + entries (1) + ?? (1) + LCMBS string (n) >>>>>&4 string >\0 \b, 1st font "%s" # @@ -667,12 +695,12 @@ # Reference: http://www.schnarff.com/file-formats/lotus-1-2-3/WSFF2.TXT # Note: Used by both old Lotus 1-2-3 and Lotus Symphony (DOS) til version 2.x # record type (BeginningOfFile=0000h) + length (0002h) -0 belong 0x00000200 +0 belong 0x00000200 # GRR: line above is too general as it catches also MS Windows CURsor # to display MS Windows cursor (strength=70) before Lotus 1-2-3 (strength=70-1) !:strength -1 # skip Windows cursors with image height <256 and keep Lotus with low opcode 0001-0083h ->7 ubyte 0 +>7 ubyte 0 # skip Windows cursors with image width 256 and keep Lotus with positiv opcode >>6 ubyte >0 Lotus # !:mime application/x-123 @@ -737,9 +765,9 @@ # check and then display Lotus worksheet cells range 0 name lotus-cells # look for type (RANGE=0006h) + length (0008h) at record begin ->0 ubelong 0x06000800 \b, cell range +>0 ubelong 0x06000800 \b, cell range # cell range (start column, row, end column, row) start values normally 0,0~A1 cell ->>4 ulong !0 +>>4 ulong !0 >>>4 uleshort x \b%d, >>>6 uleshort x \b%d- # end of cell range 
@@ -792,19 +820,19 @@ # Windows icons # Update: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/CUR_(file_format) -# Note: similiar to Windows CURsor. container for BMP (only DIB part) or PNG +# Note: similar to Windows CURsor. container for BMP (only DIB part) or PNG 0 belong 0x00000100 >9 byte 0 ->>0 byte x +>>0 byte x >>0 use cur-ico-dir >9 ubyte 0xff ->>0 byte x +>>0 byte x >>0 use cur-ico-dir # displays number of icons and information for icon or cursor 0 name cur-ico-dir # skip some Lotus 1-2-3 worksheets, CYCLE.PIC and keep Windows cursors with # 1st data offset = dir header size + n * dir entry size = 6 + n * 10h = ?6h ->18 ulelong &0x00000006 +>18 ulelong &0x00000006 # skip remaining worksheets, because valid only for DIB image (40) or PNG image (\x89PNG) >>(18.l) ulelong x MS Windows >>>0 ubelong 0x00000100 icon resource @@ -817,7 +845,7 @@ # 1st icon >>>>0x06 use ico-entry # 2nd icon ->>>>4 uleshort >1 +>>>>4 uleshort >1 >>>>>0x16 use ico-entry >>>0 ubelong 0x00000200 cursor resource #!:mime image/x-cur @@ -854,16 +882,16 @@ # offset of PNG or DIB image #>12 ulelong x \b, offset 0x%x # PNG header (\x89PNG) ->(12.l) ubelong =0x89504e47 ->>&-4 indirect x \b with +>(12.l) ubelong =0x89504e47 +>>&-4 indirect x \b with # DIB image ->(12.l) ubelong !0x89504e47 +>(12.l) ubelong !0x89504e47 #>>&-4 use dib-image # Windows non-animated cursors # Update: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/CUR_(file_format) -# Note: similiar to Windows ICOn. container for BMP ( only DIB part) +# Note: similar to Windows ICOn. container for BMP ( only DIB part) # GRR: line below is too general as it catches also Lotus 1-2-3 files 0 belong 0x00000200 >9 byte 0 
@@ -872,13 +900,13 @@ >>0 use cur-ico-dir # .chr files -0 string/b PK\010\010BGI Borland font +0 string/b PK\010\010BGI Borland font >4 string >\0 %s # then there is a copyright notice # .bgi files -0 string/b pk\010\010BGI Borland device +0 string/b pk\010\010BGI Borland device >4 string >\0 %s # then there is a copyright notice @@ -909,7 +937,7 @@ 0 lelong 0x08086b70 TurboC BGI file 0 lelong 0x08084b50 TurboC Font file -# Debian#712046: The magic below identifies "Delphi compiled form data". +# Debian#712046: The magic below identifies "Delphi compiled form data". # An additional source of information is available at: # http://www.woodmann.com/fravia/dafix_t1.htm 0 string TPF0 @@ -918,7 +946,7 @@ # tests for DBase files moved, updated and merged to database 0 string PMCC Windows 3.x .GRP file -1 string RDC-meg MegaDots +1 string RDC-meg MegaDots >8 byte >0x2F version %c >9 byte >0x2F \b.%c file 0 lelong 0x4C @@ -935,16 +963,16 @@ #>0x181 leshort x \b, offset %x #>0x183 leshort x \b, offsetdata %x #>0x185 leshort x \b, section length %x ->0x187 search/0xB55 WINDOWS\ VMM\ 4.0\0 ->>&0x5e ubyte >0 +>0x187 search/0xB55 WINDOWS\ VMM\ 4.0\0 +>>&0x5e ubyte >0 >>>&-1 string >>&-1 string PIFMGR.DLL \b, icon=%s >>>&-1 string >PIFMGR.DLL \b, icon=%s ->>&0xF0 ubyte >0 +>>&0xF0 ubyte >0 >>>&-1 string >>&-1 string =Terminal \b, font=%.32s >>>&-1 string >Terminal \b, font=%.32s ->>&0x110 ubyte >0 +>>&0x110 ubyte >0 >>>&-1 string >>&-1 string =Lucida\ Console \b, TrueTypeFont=%.32s >>>&-1 string >Lucida\ Console \b, TrueTypeFont=%.32s @@ -960,6 +988,7 @@ # DOS EPS Binary File Header # From: Ed Sznyter 0 belong 0xC5D0D3C6 DOS EPS Binary File +!:mime image/x-eps >4 long >0 Postscript starts at byte %d >>8 long >0 length %d >>>12 long >0 Metafile starts at byte %d 
@@ -967,15 +996,15 @@ >>>20 long >0 TIFF starts at byte %d >>>>24 long >0 length %d -# TNEF magic From "Joomy" +# TNEF magic From "Joomy" # Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF) -0 leshort 0x223e9f78 TNEF +0 lelong 0x223e9f78 TNEF !:mime application/vnd.ms-tnef # Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C # of http://www.davep.org/norton-guides/ng2h-105.tgz # http://en.wikipedia.org/wiki/Norton_Guides -0 string NG\0\001 +0 string NG\0\001 # only value 0x100 found at offset 2 >2 ulelong 0x00000100 Norton Guide # Title[40] @@ -985,7 +1014,7 @@ >>48 string >\0 \b, %-.66s >>114 string >\0 %-.66s -# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS +# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS # of http://www.4dos.info/ # pointer,HelpID[8]=4DHnnnmm 0 ulelong 0x48443408 4DOS help file @@ -1033,7 +1062,7 @@ # Windows Enhanced Metafile (EMF) -# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp +# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp # for further information. 0 ulelong 1 >40 string \ EMF Windows Enhanced Metafile (EMF) image data @@ -1095,7 +1124,7 @@ 0 string/b MSWIM\000\000\000 Windows imaging (WIM) image 0 string/b WLPWM\000\000\000 Windows imaging (WIM) image, wimlib pipable format -# The second byte of these signatures is a file version; I don't know what, +# The second byte of these signatures is a file version; I don't know what, # if anything, produced files with version numbers 0-2. # From: John Elliott 0 string \xfc\x03\x00 Mallard BASIC program data (v1.11) 
@@ -1106,3 +1135,66 @@ 0 string MIOPEN Mallard BASIC Jetsam data 0 string Jetsam0 Mallard BASIC Jetsam index data +# DOS backup 2.0 to 3.2 + +# backupid.@@@ + +# plausibility check for date +0x3 ushort >1979 +>0x5 ubyte-1 <31 +>>0x6 ubyte-1 <12 +# actually 121 nul bytes +>>>0x7 string \0\0\0\0\0\0\0\0 +>>>>0x1 ubyte x DOS 2.0 backup id file, sequence %d +!:ext @@@ +>>>>0x0 ubyte 0xff \b, last disk + +# backed up file + +# skip some AppleWorks word like Tomahawk.Awp, WIN98SE-DE.vhd +# by looking for trailing nul of maximal file name string +0x52 ubyte 0 +# test for flag byte: FFh~complete file, 00h~split file +# FFh -127 = -1 -127 = -128 +# 00h -127 = 0 -127 = -127 +>0 byte-127 <-126 +# plausibility check for file name length +>>0x53 ubyte-1 <78 +# looking for terminating nul of file name string +>>>(0x53.b+4) ubyte 0 +# looking if last char of string is valid DOS file name +>>>>(0x53.b+3) ubyte >0x1F +# actually 44 nul bytes +# but sometimes garbage according to Ralf Quint. So can not be used as test +#>0x54 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 +# first char of full file name is DOS (5Ch) or UNIX (2Fh) path separator +# only DOS variant found. 
UNIX variant according to V32SLASH.TXT in archive PD0315.EXE +>>>>>5 ubyte&0x8C 0x0C +# ./msdos (version 5.30) labeled the entry as +# "DOS 2.0 backed up file %s, split file, sequence %d" or +# "DOS 2.0 backed up file %s, complete file" +>>>>>>0 ubyte x DOS 2.0-3.2 backed up +#>>>>>>0 ubyte 0xff complete +>>>>>>0 ubyte 0 +>>>>>>>1 uleshort x sequence %d of +# full file name with path but without drive letter and colon stored from 0x05 til 0x52 +>>>>>>0x5 string x file %s +# backup name is original filename +#!:ext * +# magic/Magdir/msdos, 1169: Warning: EXTENSION type ` *' has bad char '*' +# file: line 1169: Bad magic entry ' *' +# after header original file content +>>>>>>128 indirect x \b; + + +# DOS backup 3.3 to 5.x + +# CONTROL.nnn files +0 string \x8bBACKUP\x20 +# actually 128 nul bytes +>0xa string \0\0\0\0\0\0\0\0 +>>0x9 ubyte x DOS 3.3 backup control file, sequence %d +>>0x8a ubyte 0xff \b, last disk + +# NB: The BACKUP.nnn files consist of the files backed up, +# concatenated. diff --git a/magic/Magdir/msvc b/magic/Magdir/msvc index bf4ab0ca6147..13f847fbb20e 100644 --- a/magic/Magdir/msvc +++ b/magic/Magdir/msvc @@ -1,10 +1,10 @@ #------------------------------------------------------------------------------ -# $File: msvc,v 1.6 2016/01/26 00:03:19 christos Exp $ +# $File: msvc,v 1.9 2017/08/02 08:15:20 christos Exp $ # msvc: file(1) magic for msvc # "H. Nanosecond" # Microsoft visual C -# +# # I have version 1.0 # .aps 
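Review bot: The new "DOS 2.0 backup id file" entry in magic/Magdir/msdos (hunk `@@ -1106,3 +1135,66 @@`) reads the year with `0x3 ushort >1979`, a host-byte-order type, although DOS writes the field little-endian and the same hunk reads the sequence number with `uleshort`. On a big-endian host the bytes are swapped before the comparison, so the plausibility check accepts a different set of files there. `0x3 uleshort >1979` would make the result independent of the machine running file(1). The backed-up-file entry also passes the payload at offset 128 to `indirect`, which re-scans it against the whole database. These fairly loose header checks are the only gate on that, so a comment saying so would help.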
@@ -30,10 +30,10 @@ # Summary: Symbol Table / Debug info used by Microsoft compilers # URL: https://en.wikipedia.org/wiki/Program_database # Reference: https://code.google.com/p/pdbparser/wiki/MSF_Format -# Update: Joerg Jenderek +# Update: Joerg Jenderek # Note: test only for Windows XP+SP3 x86 , 8.1 x64 arm and 10.1 x86 # info does only applies partly for older files like msvbvm50.pdb about year 2001 -0 string Microsoft\ C/C++\ +0 string Microsoft\ C/C++\040 # "Microsoft Program DataBase" by TrID >24 search/14 \r\n\x1A MSVC program database !:mime application/x-ms-pdb @@ -42,18 +42,21 @@ >>16 regex \([0-9.]+\) ver %s #>>>0x38 search/128123456 /LinkInfo \b with linkinfo # "MSF 7.00" variant ->>0x1e leshort 0 +>>0x1e leshort 0 # PageSize 400h 1000h >>>0x20 lelong x \b, %d # Page Count >>>0x28 lelong x \b*%d bytes # "program database 2.00" variant ->>0x1e leshort !0 +>>0x1e leshort !0 # PageSize 400h >>>0x2c lelong x \b, %d # Page Count for msoo-dll.pdb 4379h >>>0x32 leshort x \b*%d bytes +# Reference: https://github.com/Microsoft/vstest/pull/856/commits/fdc7a9f074ca5a8dfeec83b1be9162bf0cf4000d +0 string/c bsjb\001\000\001\000\000\000\000\000\f\000\000\000pdb\ v1.0 Microsoft Rosyln C# debugging symbols version 1.0 + #.sbr 0 string \000\002\000\007\000 MSVC .sbr >5 string >\0 %s diff --git a/magic/Magdir/msx b/magic/Magdir/msx index ef2a7bb29891..69df6416fe7c 100644 --- a/magic/Magdir/msx +++ b/magic/Magdir/msx @@ -7,7 +7,7 @@ ############## MSX Music file formats ############## # Gigamix MGSDRV music file -0 string/b MGS MSX Gigamix MGSDRV3 music file, +0 string/b MGS MSX Gigamix MGSDRV3 music file, >6 ubeshort 0x0D0A >>3 byte x \bv%c >>4 byte x \b.%c @@ -35,7 +35,7 @@ >>0xF byte&0x02 0 \b, soundchips: AY-3-8910, SCC(+) >>0xF byte&0x02 0x02 \b, soundchips: SN76489 >>>0xF byte&0x04 0x04 stereo ->>0xF byte&0x01 0x01 \b, +>>0xF byte&0x01 0x01 \b, >>>0xF byte&0x18 0x00 \bYM2413 >>>0xF byte&0x18 0x08 \bYM2413, Y8950 >>>0xF byte&0x18 0x18 \bYM2413+Y8950 pseudostereo 
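Review bot: The description added in the magic/Magdir/msvc hunk (`@@ -42,18 +42,21 @@`) misspells the compiler name: `Microsoft Rosyln C# debugging symbols version 1.0` should read `Microsoft Roslyn C# debugging symbols version 1.0`. This string is what file(1) prints, so any triage script or detection rule keyed on the output would inherit the typo. The entry also has no `!:mime` line, unlike the "MSVC program database" entry just above it (`!:mime application/x-ms-pdb`). It is worth deciding whether it should carry one so that `file --mime` does not fall back to a generic type.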
@@ -245,18 +245,18 @@ 0x4000 string/b AB >0x4002 uleshort >0x400F >>0x400A string \0\0\0\0\0\0 MSX ROM with nonstandard page order ->>0x4002 uleshort x \b, init=0x%04x ->>0x4004 uleshort >0 \b, stahdl=0x%04x ->>0x4006 uleshort >0 \b, devhdl=0x%04x ->>0x4008 uleshort >0 \b, bas=0x%04x +>>>0x4002 uleshort x \b, init=0x%04x +>>>0x4004 uleshort >0 \b, stahdl=0x%04x +>>>0x4006 uleshort >0 \b, devhdl=0x%04x +>>>0x4008 uleshort >0 \b, bas=0x%04x 0x8000 string/b AB >0x8002 uleshort >0x400F >>0x800A string \0\0\0\0\0\0 MSX ROM with nonstandard page order ->>0x8002 uleshort x \b, init=0x%04x ->>0x8004 uleshort >0 \b, stahdl=0x%04x ->>0x8006 uleshort >0 \b, devhdl=0x%04x ->>0x8008 uleshort >0 \b, bas=0x%04x +>>>0x8002 uleshort x \b, init=0x%04x +>>>0x8004 uleshort >0 \b, stahdl=0x%04x +>>>0x8006 uleshort >0 \b, devhdl=0x%04x +>>>0x8008 uleshort >0 \b, bas=0x%04x 0x3C000 string/b AB @@ -296,7 +296,7 @@ 4 uleshort 0x0900 >0xF byte 1 >>0x14 byte 0 ->>>0x1E string \ \ \ +>>>0x1E string \040\040\040 >>>>0x23 byte 1 >>>>>0x25 byte 0 >>>>>>0x15 string >\x30 diff --git a/magic/Magdir/mup b/magic/Magdir/mup index 5060c01dd8bf..05b9471b0755 100644 --- a/magic/Magdir/mup +++ b/magic/Magdir/mup @@ -1,6 +1,6 @@ # ------------------------------------------------------------------------ -# $File: mup,v 1.4 2009/09/19 16:28:11 christos Exp $ +# $File: mup,v 1.5 2017/03/17 21:35:28 christos Exp $ # mup: file(1) magic for Mup (Music Publisher) input file. # # From: Abel Cheung @@ -12,13 +12,13 @@ # 0 search/1 //!Mup Mup music publication program input text >6 string -Arkkra (Arkkra) ->>13 string - ->>>16 string . +>>13 string - +>>>16 string . >>>>14 string x \b, need V%.4s ->>>15 string . +>>>15 string . >>>>14 string x \b, need V%.3s ->6 string - ->>9 string . +>6 string - +>>9 string . >>>7 string x \b, need V%.4s ->>8 string . +>>8 string . >>>7 string x \b, need V%.3s diff --git a/magic/Magdir/nasa b/magic/Magdir/nasa index 49673b32fb99..de3545f80800 100644 --- a/magic/Magdir/nasa 
+++ b/magic/Magdir/nasa @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# nasa: file(1) magic +# nasa: file(1) magic # From: Barry Carter 0 string DAF/SPK NASA SPICE file (binary format) diff --git a/magic/Magdir/netbsd b/magic/Magdir/netbsd index eb0847b67de4..5ee2d712d05f 100644 --- a/magic/Magdir/netbsd +++ b/magic/Magdir/netbsd @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: netbsd,v 1.23 2015/11/29 01:55:14 christos Exp $ +# $File: netbsd,v 1.24 2017/03/17 21:35:28 christos Exp $ # netbsd: file(1) magic for NetBSD objects # # All new-style magic numbers are in network byte order. @@ -10,7 +10,7 @@ # 0 belong&0377777777 041400413 a.out NetBSD/i386 demand paged ->0 byte &0x80 +>0 byte &0x80 >>20 lelong <4096 shared library >>20 lelong =4096 dynamically linked executable >>20 lelong >4096 dynamically linked executable @@ -32,7 +32,7 @@ >32 lelong !0 (signal %d) 0 belong&0377777777 041600413 a.out NetBSD/m68k demand paged ->0 byte &0x80 +>0 byte &0x80 >>20 belong <8192 shared library >>20 belong =8192 dynamically linked executable >>20 belong >8192 dynamically linked executable @@ -54,7 +54,7 @@ >32 belong !0 (signal %d) 0 belong&0377777777 042000413 a.out NetBSD/m68k4k demand paged ->0 byte &0x80 +>0 byte &0x80 >>20 belong <4096 shared library >>20 belong =4096 dynamically linked executable >>20 belong >4096 dynamically linked executable @@ -76,7 +76,7 @@ >32 belong !0 (signal %d) 0 belong&0377777777 042200413 a.out NetBSD/ns32532 demand paged ->0 byte &0x80 +>0 byte &0x80 >>20 lelong <4096 shared library >>20 lelong =4096 dynamically linked executable >>20 lelong >4096 dynamically linked executable 
@@ -101,7 +101,7 @@ >12 string >\0 from '%s' 0 belong&0377777777 042400413 a.out NetBSD/SPARC demand paged ->0 byte &0x80 +>0 byte &0x80 >>20 belong <8192 shared library >>20 belong =8192 dynamically linked executable >>20 belong >8192 dynamically linked executable @@ -123,7 +123,7 @@ >32 belong !0 (signal %d) 0 belong&0377777777 042600413 a.out NetBSD/pmax demand paged ->0 byte &0x80 +>0 byte &0x80 >>20 lelong <4096 shared library >>20 lelong =4096 dynamically linked executable >>20 lelong >4096 dynamically linked executable @@ -145,7 +145,7 @@ >32 lelong !0 (signal %d) 0 belong&0377777777 043000413 a.out NetBSD/vax 1k demand paged ->0 byte &0x80 +>0 byte &0x80 >>20 lelong <4096 shared library >>20 lelong =4096 dynamically linked executable >>20 lelong >4096 dynamically linked executable @@ -167,7 +167,7 @@ >32 lelong !0 (signal %d) 0 belong&0377777777 045400413 a.out NetBSD/vax 4k demand paged ->0 byte &0x80 +>0 byte &0x80 >>20 lelong <4096 shared library >>20 lelong =4096 dynamically linked executable >>20 lelong >4096 dynamically linked executable @@ -189,7 +189,7 @@ >32 lelong !0 (signal %d) # NetBSD/alpha does not support (and has never supported) a.out objects, -# so no rules are provided for them. NetBSD/alpha ELF objects are +# so no rules are provided for them. NetBSD/alpha ELF objects are # dealt with in "elf". 0 lelong 0x00070185 ECOFF NetBSD/alpha binary >10 leshort 0x0001 not stripped @@ -199,7 +199,7 @@ >32 lelong !0 (signal %d) 0 belong&0377777777 043400413 a.out NetBSD/mips demand paged ->0 byte &0x80 +>0 byte &0x80 >>20 belong <8192 shared library >>20 belong =8192 dynamically linked executable >>20 belong >8192 dynamically linked executable diff --git a/magic/Magdir/netscape b/magic/Magdir/netscape index a9b43cdd5f1d..0e1ca61334cf 100644 --- a/magic/Magdir/netscape +++ b/magic/Magdir/netscape 
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: netscape,v 1.7 2015/08/24 05:20:52 christos Exp $ +# $File: netscape,v 1.8 2017/03/17 21:35:28 christos Exp $ # netscape: file(1) magic for Netscape files # "H. Nanosecond" # version 3 and 4 I think @@ -15,8 +15,8 @@ # .snm Caches 0 string #\ Netscape\ folder\ cache Netscape folder cache 0 string \000\036\204\220\000 Netscape folder cache -# .n2p -# Net 2 Phone +# .n2p +# Net 2 Phone #0 string 123\130\071\066\061\071\071\071\060\070\061\060\061\063\060 0 string SX961999 Net2phone diff --git a/magic/Magdir/nitpicker b/magic/Magdir/nitpicker index 2486dee037f4..48c3d63a288a 100644 --- a/magic/Magdir/nitpicker +++ b/magic/Magdir/nitpicker @@ -1,9 +1,9 @@ #------------------------------------------------------------------------------ -# $File: nitpicker,v 1.6 2014/04/30 21:41:02 christos Exp $ +# $File: nitpicker,v 1.7 2017/03/17 21:35:28 christos Exp $ # nitpicker: file(1) magic for Flowfiles. # From: Christian Jachmann http://www.nitpicker.de -0 string NPFF NItpicker Flow File +0 string NPFF NItpicker Flow File >4 byte x V%d. >5 byte x %d >6 bedate x started: %s diff --git a/magic/Magdir/os2 b/magic/Magdir/os2 index 21c1c0019dfd..ace69cb34b23 100644 --- a/magic/Magdir/os2 +++ b/magic/Magdir/os2 @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: os2,v 1.9 2016/05/11 15:51:57 christos Exp $ +# $File: os2,v 1.10 2017/03/17 21:35:28 christos Exp $ # os2: file(1) magic for OS/2 files # @@ -25,7 +25,7 @@ #>5 string >\ (Local file) <%s> # >>>>> OS/2 INF/HLP <<<<< (source: Daniel Dissett ddissett@netcom.com) -# Carl Hauser (chauser.parc@xerox.com) and +# Carl Hauser (chauser.parc@xerox.com) and # Marcus Groeber (marcusg@ph-cip.uni-koeln.de) # list the following header format in inf02a.doc: # 
@@ -35,11 +35,11 @@ # // bit 0: set if INF style file # // bit 4: set if HLP style file # // patching this byte allows reading HLP files -# // using the VIEW command, while help files +# // using the VIEW command, while help files # // seem to work with INF settings here as well. # int16 hdrsize; // total size of header # int16 unknown2; // unknown purpose -# +# 0 string HSP\x01\x9b\x00 OS/2 INF >107 string >0 (%s) 0 string HSP\x10\x9b\x00 OS/2 HLP diff --git a/magic/Magdir/os9 b/magic/Magdir/os9 index 52b04be3059c..74b47f358514 100644 --- a/magic/Magdir/os9 +++ b/magic/Magdir/os9 @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: os9,v 1.7 2011/05/13 22:15:54 christos Exp $ +# $File: os9,v 1.8 2017/03/17 21:35:28 christos Exp $ # # Copyright (c) 1996 Ignatios Souvatzis. All rights reserved. # @@ -15,7 +15,7 @@ # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. # IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, # PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; diff --git a/magic/Magdir/pbf b/magic/Magdir/pbf index d133d12bf621..8de6db025047 100644 --- a/magic/Magdir/pbf +++ b/magic/Magdir/pbf @@ -1,11 +1,11 @@ #------------------------------------------------------------------------------ -# $File: pbf,v 1.1 2013/12/21 14:27:24 christos Exp $ +# $File: pbf,v 1.2 2017/01/18 16:16:21 christos Exp $ # file(1) magic(5) data for OpenStreetMap # OpenStreetMap Protocolbuffer Binary Format (.osm.pbf) # http://wiki.openstreetmap.org/wiki/PBF_Format # 
From: Markus Heidelberg -0 belong 0x0000000D ->4 beshort 0x0A09 ->>6 string OSMHeader OpenStreetMap Protocolbuffer Binary Format +0 belong&0xfffffff0 0 +>4 beshort 0x0A09 +>>6 string OSMHeader OpenStreetMap Protocolbuffer Binary Format diff --git a/magic/Magdir/pc88 b/magic/Magdir/pc88 index e604a3b478ec..03822f50279f 100644 --- a/magic/Magdir/pc88 +++ b/magic/Magdir/pc88 @@ -9,7 +9,7 @@ >>0x280 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 >>>0x1A ubyte&0xEF 0 >>>>0x1B ubyte&0x8F 0 ->>>>>0x1B ubyte&70 <0x40 +>>>>>0x1B ubyte&70 <0x40 >>>>>>0x1C ulelong >0x21 >>>>>>>0 regex [[:print:]]* NEC PC-88 disk image, name=%s >>>>>>>>0x1B ubyte 0 \b, media=2D diff --git a/magic/Magdir/pc98 b/magic/Magdir/pc98 index 30f1ea386c46..3b995ed013d4 100644 --- a/magic/Magdir/pc98 +++ b/magic/Magdir/pc98 @@ -8,7 +8,7 @@ # http://www.jisyo.com/viewer/faq/maki_tech.htm 0 string/b MAKI01 Maki-chan v1. >6 ubyte|0x20 x \b%c image ->8 ubelong >0x40404040 \b, system ID: +>8 ubelong >0x40404040 \b, system ID: >>8 byte x %c >>9 byte x \b%c >>10 byte x \b%c diff --git a/magic/Magdir/pdf b/magic/Magdir/pdf index b43a675cec0c..04b564dd56b6 100644 --- a/magic/Magdir/pdf +++ b/magic/Magdir/pdf @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: pdf,v 1.8 2015/01/11 18:19:18 christos Exp $ +# $File: pdf,v 1.9 2017/05/24 17:35:20 christos Exp $ # pdf: file(1) magic for Portable Document Format # @@ -20,3 +20,8 @@ !:mime application/vnd.fdf >5 byte x \b, version %c >7 byte x \b.%c + +0 search/256 %PDF- PDF document +!:mime application/pdf +>&0 byte x \b, version %c +>&2 byte x \b.%c diff --git a/magic/Magdir/pdp b/magic/Magdir/pdp index 0afee0c9ba5c..2d18b62df595 100644 --- a/magic/Magdir/pdp +++ b/magic/Magdir/pdp 
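Review bot: The added `0 search/256 %PDF-` entry (pdf hunk @@ -20,3 +20,8 @@) has no comment explaining why the header is searched for rather than matched at offset 0. It assigns `application/pdf` to any file that carries the marker within the 256-byte search range. Anything that uses file(1)'s MIME answer as an upload or attachment filter will now label content as PDF even when its leading bytes belong to another format, so the looseness should be documented next to the rule. Suggested comment above the entry: `# PDF readers tolerate leading bytes before the header; match %PDF- anywhere in the first 256 bytes`.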
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: pdp,v 1.10 2014/04/30 21:41:02 christos Exp $ +# $File: pdp,v 1.11 2017/03/17 21:35:28 christos Exp $ # pdp: file(1) magic for PDP-11 executable/object and APL workspace # 0 lelong 0101555 PDP-11 single precision APL workspace @@ -14,8 +14,8 @@ # updated by Joerg Jenderek at Mar 2013 # GRR: line below too general as it catches also Windows precompiled setup information *.PNF -0 leshort 0401 -# skip *.PNF with WinDirPathOffset 58h +0 leshort 0401 +# skip *.PNF with WinDirPathOffset 58h >68 ulelong !0x00000058 PDP-11 UNIX/RT ldp # skip *.PNF with high byte of InfVersionDatumCount zero #>>15 byte !0 PDP-11 UNIX/RT ldp diff --git a/magic/Magdir/perl b/magic/Magdir/perl index 099a22d11298..c391d4a72036 100644 --- a/magic/Magdir/perl +++ b/magic/Magdir/perl @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: perl,v 1.25 2016/06/07 23:28:37 rrt Exp $ +# $File: perl,v 1.26 2017/02/21 18:34:55 christos Exp $ # perl: file(1) magic for Larry Wall's perl language. # # The `eval' lines recognizes an outrageously clever hack. @@ -33,14 +33,14 @@ # by Dmitry V. Levin and Alexey Tourbin # check the first line -0 search/1024 package +0 search/8192 package >0 regex \^package[\ \t]+[0-9A-Za-z_:]+\ *; Perl5 module source text -!:strength + 10 +!:strength + 40 # not 'p', check other lines -0 search/1024 !p +0 search/8192 !p >0 regex \^package[\ \t]+[0-9A-Za-z_:]+\ *; >>0 regex \^1\ *;|\^(use|sub|my)\ .*[(;{=] Perl5 module source text -!:strength + 10 +!:strength + 75 # Perl POD documents # From: Tom Hukins diff --git a/magic/Magdir/pgf b/magic/Magdir/pgf index 825f5f685690..b5a251efdf38 100644 --- a/magic/Magdir/pgf +++ b/magic/Magdir/pgf 
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: pgf,v 1.1 2013/04/22 15:19:49 christos Exp $ +# $File: pgf,v 1.2 2017/03/17 21:35:28 christos Exp $ # pgf: file(1) magic for Progressive Graphics File (PGF) # # @@ -42,7 +42,7 @@ >>20 byte 19 RGB color 12, >>20 byte 20 RGB color 16, >>20 byte 255 unknown format, ->>20 default x format +>>20 default x format >>>20 byte x \b %d, >>21 byte x %d bpc # PGFPostHeader diff --git a/magic/Magdir/pgp b/magic/Magdir/pgp index 6e685fcfc979..585475dbb38c 100644 --- a/magic/Magdir/pgp +++ b/magic/Magdir/pgp @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: pgp,v 1.12 2016/10/07 20:22:12 christos Exp $ +# $File: pgp,v 1.14 2017/03/17 21:35:28 christos Exp $ # pgp: file(1) magic for Pretty Good Privacy # see http://lists.gnupg.org/pipermail/gnupg-devel/1999-September/016052.html # @@ -19,15 +19,15 @@ #>15 string SIGNED\040MESSAGE- signed message #>15 string PGP\040SIGNATURE- signature -2 string ---BEGIN\ PGP\ PUBLIC\ KEY\ BLOCK- PGP public key block +2 string ---BEGIN\040PGP\040PUBLIC\040KEY\040BLOCK- PGP public key block !:mime application/pgp-keys >10 search/100 \n\n >>&0 use pgp -0 string -----BEGIN\040PGP\40MESSAGE- PGP message +0 string -----BEGIN\040PGP\040MESSAGE- PGP message !:mime application/pgp >10 search/100 \n\n >>&0 use pgp -0 string -----BEGIN\040PGP\40SIGNATURE- PGP signature +0 string -----BEGIN\040PGP\040SIGNATURE- PGP signature !:mime application/pgp-signature >10 search/100 \n\n >>&0 use pgp @@ -77,7 +77,7 @@ >0 byte 0x30 >>1 byte&0xc0 0x00 Unused [0%x] >>1 byte&0xc0 0x40 User Attribute ->>1 byte&0xc0 0x80 Sym. Encrypted and Integrity Protected Data +>>1 byte&0xc0 0x80 Sym. Encrypted and Integrity Protected Data >>1 byte&0xc0 0xc0 Modification Detection Code # magic signatures to detect PGP crypto material (from stef) 
@@ -206,7 +206,7 @@ >0 byte 19 ECDSA >0 byte 20 ElGamal (Encrypt or Sign) >0 byte 21 Diffie-Hellman ->0 default x +>0 default x >>0 ubyte <22 unknown (pub %d) # this should never happen >>0 ubyte >21 invalid (%d) @@ -482,16 +482,16 @@ >1 use pgpkey 0 byte 0x97 PGP Secret Sub-key - >1 use pgpkey -0 byte 0x9d +0 byte 0x9d # Update: Joerg Jenderek # secret subkey packet (tag 7) with same structure as secret key packet (tag 5) # skip Fetus.Sys16 CALIBUS.MAIN OrbFix.Sys16.Ex by looking for positive len ->1 ubeshort >0 +>1 ubeshort >0 #>1 ubeshort x \b, body length 0x%x # next packet type often 88h,89h~(tag 2)~Signature Packet #>>(1.S+3) ubyte x \b, next packet type 0x%x # skip Dragon.SHR DEMO.INIT by looking for positive version ->>3 ubyte >0 +>>3 ubyte >0 # skip BUISSON.13 GUITAR1 by looking for low version number >>>3 ubyte <5 PGP Secret Sub-key # sub-key are normally part of secret key. So it does not occur as standalone file @@ -500,7 +500,7 @@ >>>>3 ubyte x (v%d) >>>>3 ubyte x - # old versions 2 or 3 but no real example found ->>>>3 ubyte <4 +>>>>3 ubyte <4 # 2 byte for key bits in version 5.28 look >>>>>11 ubeshort x %db >>>>>4 beldate x created on %s - @@ -508,15 +508,15 @@ #>>>>>8 ubeshort x 0x%x # display key algorithm 1~RSA Encrypt|Sign - 21~Diffie-Hellman >>>>>10 use key_algo ->>>>>(11.S/8) ubequad x +>>>>>(11.S/8) ubequad x # look after first key >>>>>>&5 use keyend # new version ->>>>3 ubyte >3 +>>>>3 ubyte >3 >>>>>9 ubeshort x %db >>>>>4 beldate x created on %s - # display key algorithm >>>>>8 use key_algo ->>>>>(9.S/8) ubequad x +>>>>>(9.S/8) ubequad x # look after first key for something like s2k >>>>>>&3 use keyend diff --git a/magic/Magdir/printer b/magic/Magdir/printer index 10168266c924..98fc1dfaad42 100644 --- a/magic/Magdir/printer +++ b/magic/Magdir/printer 
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: printer,v 1.26 2014/04/12 14:51:52 christos Exp $ +# $File: printer,v 1.28 2017/03/17 22:20:22 christos Exp $ # printer: file(1) magic for printer-formatted files # @@ -13,7 +13,7 @@ >>>15 string EPS \b, type %s >>>15 string Query \b, type %s >>>15 string ExitServer \b, type %s ->>>15 search/1000 %%LanguageLevel:\ +>>>15 search/1000 %%LanguageLevel:\040 >>>>&0 string >\0 \b, Level %s # Some PCs have the annoying habit of adding a ^D as a document separator 0 string \004%! PostScript document text @@ -24,7 +24,7 @@ >>>16 string EPS \b, type %s >>>16 string Query \b, type %s >>>16 string ExitServer \b, type %s ->>>16 search/1000 %%LanguageLevel:\ +>>>16 search/1000 %%LanguageLevel:\040 >>>>&0 string >\0 \b, Level %s 0 string \033%-12345X%!PS PostScript document @@ -49,18 +49,18 @@ # HP Printer Job Language 0 string \033%-12345X@PJL HP Printer Job Language data # HP Printer Job Language -# The header found on Win95 HP plot files is the "Silliest Thing possible" +# The header found on Win95 HP plot files is the "Silliest Thing possible" # (TM) # Every driver puts the language at some random position, with random case # (LANGUAGE and Language) # For example the LaserJet 5L driver puts the "PJL ENTER LANGUAGE" in line 10 # From: Uwe Bonnes -# +# 0 string \033%-12345X@PJL HP Printer Job Language data ->&0 string >\0 %s ->>&0 string >\0 %s ->>>&0 string >\0 %s ->>>>&0 string >\0 %s +>&0 string >\0 %s +>>&0 string >\0 %s +>>>&0 string >\0 %s +>>>>&0 string >\0 %s #>15 string \ ENTER\ LANGUAGE\ = #>31 string PostScript PostScript @@ -143,8 +143,8 @@ #------------------------------------------------------------------------------ # HP LaserJet 1000 series downloadable firmware file -0 string \xbe\xefABCDEFGH HP LaserJet 1000 series downloadable firmware +0 string \xbe\xefABCDEFGH HP LaserJet 1000 series downloadable firmware # 
From: Paolo -# Epson ESC/Page, ESC/PageColor +# Epson ESC/Page, ESC/PageColor 0 string \x1b\x01@EJL Epson ESC/Page language printer data diff --git a/magic/Magdir/project b/magic/Magdir/project index efa5d40f7afe..9180b57d63e5 100644 --- a/magic/Magdir/project +++ b/magic/Magdir/project @@ -1,8 +1,8 @@ #------------------------------------------------------------------------------ -# $File: project,v 1.4 2009/09/19 16:28:11 christos Exp $ +# $File: project,v 1.5 2017/03/17 21:35:28 christos Exp $ # project: file(1) magic for Project management -# +# # Magic strings for ftnchek project files. Alexander Mai 0 string FTNCHEK_\ P project file for ftnchek >10 string 1 version 2.7 diff --git a/magic/Magdir/psdbms b/magic/Magdir/psdbms index 1d218c0b8548..3eec965731a6 100644 --- a/magic/Magdir/psdbms +++ b/magic/Magdir/psdbms @@ -1,12 +1,12 @@ #------------------------------------------------------------------------------ -# $File: psdbms,v 1.7 2016/01/08 00:41:02 christos Exp $ +# $File: psdbms,v 1.8 2017/03/17 21:35:28 christos Exp $ # psdbms: file(1) magic for psdatabase # # Update: Joerg Jenderek # GRR: line below too general as it catches also some Panorama database *.pan , # AppleWorks word processor -0 belong&0xff00ffff 0x56000000 +0 belong&0xff00ffff 0x56000000 # assume version starts with digit >1 regex/s =^[0-9] ps database >>1 string >\0 version %s diff --git a/magic/Magdir/python b/magic/Magdir/python index 29dcc15a8519..f21ff659b453 100644 --- a/magic/Magdir/python +++ b/magic/Magdir/python @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: python,v 1.29 2016/07/27 09:42:16 rrt Exp $ +# $File: python,v 1.34 2017/08/14 07:40:38 christos Exp $ # python: file(1) magic for python # # Outlook puts """ too for urgent messages 
@@ -24,7 +24,11 @@ 0 belong 0x6c0c0d0a python 3.2 byte-compiled 0 belong 0x9e0c0d0a python 3.3 byte-compiled 0 belong 0xee0c0d0a python 3.4 byte-compiled -0 belong 0x160d0d0a python 3.5 byte-compiled +0 belong 0x160d0d0a python 3.5.1- byte-compiled +0 belong 0x170d0d0a python 3.5.2+ byte-compiled +0 belong 0x330d0d0a python 3.6 byte-compiled +0 belong 0x3e0d0d0a python 3.7 byte-compiled + 0 search/1/w #!\ /usr/bin/python Python script text executable !:strength + 15 @@ -41,12 +45,25 @@ # from module.submodule import func1, func2 -0 regex \^from\\s+(\\w|\\.)+\\s+import.*$ Python script text executable +0 regex \^from[\040\t\f\r\n]+([A-Za-z0-9_]|\\.)+[\040\t\f\r\n]+import.*$ Python script text executable +!:strength + 15 !:mime text/x-python # def __init__ (self, ...): 0 search/4096 def\ __init__ >&0 search/64 self Python script text executable +!:strength + 15 +!:mime text/x-python + +# if __name__ == "__main__": +0 search/4096 if\ __name__ +>&0 search/64 '__main__' Python script text executable +>&0 search/64 "__main__" Python script text executable +!:strength + 15 +!:mime text/x-python + +# import module [as abrev] +0 regex \^import\ [_[:alpha:]]+\ as\ [[:alpha:]][[:space:]]*$ Python script text executable !:mime text/x-python # comments 
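Review bot: In the added `if\ __name__` entry (hunk @@ -41,12 +45,25 @@), `!:mime text/x-python` follows only the `"__main__"` continuation, so the single-quoted `'__main__'` branch prints the description but appears to carry no MIME type. The `try:` entry in the next hunk repeats `!:mime` after each printing continuation, which suggests the annotation is per line. Add `!:mime text/x-python` directly after the `'__main__'` line. In the same hunk, the `import … as` regex ends in `[[:alpha:]][[:space:]]*$`, which accepts only a one-letter alias; `[_[:alnum:]]+[[:space:]]*$` would also cover aliases such as `np`.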
@@ -62,12 +79,19 @@ # except: or finally: # block 0 search/4096 try: ->&0 regex \^\\s*except.*: Python script text executable +>&0 regex \^[[:space:]]*except.*:$ Python script text executable +!:strength + 15 !:mime text/x-python >&0 search/4096 finally: Python script text executable !:mime text/x-python -# def name(args, args): -0 regex \^(\ |\\t){0,50}def\ {1,50}[a-zA-Z]{1,100} ->&0 regex \ {0,50}\\(([a-zA-Z]|,|\ ){1,255}\\):$ Python script text executable +# class name[(base classes,)]: [pass] +0 regex \^class\ [_[:alpha:]]+(\\(.*\\))?(\ )*:([\ \t]+pass)?$ Python script text executable +!:strength + 15 +!:mime text/x-python + +# def name(*args, **kwargs): +0 regex \^[[:space:]]{0,50}def\ {1,50}[_a-zA-Z]{1,100} +>&0 regex \\(([[:alpha:]*_,\ ]){0,255}\\):$ Python script text executable +!:strength + 15 !:mime text/x-python diff --git a/magic/Magdir/riff b/magic/Magdir/riff index 55cfb20b63f2..adf0fc9fb9ed 100644 --- a/magic/Magdir/riff +++ b/magic/Magdir/riff @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: riff,v 1.31 2015/02/14 17:30:03 christos Exp $ +# $File: riff,v 1.32 2017/03/17 21:35:28 christos Exp $ # riff: file(1) magic for RIFF format # See # @@ -75,7 +75,7 @@ >>18 leshort x \b, %d entries # RIFF Device Independent Bitmap format >8 string RDIB \b, device-independent bitmap ->>16 string BM +>>16 string BM >>>30 leshort 12 \b, OS/2 1.x format >>>>34 leshort x \b, %d x >>>>36 leshort x %d @@ -226,9 +226,9 @@ >8 string sfbk SoundFont/Bank # MPEG-1 wrapped in a RIFF, apparently >8 string CDXA \b, wrapped MPEG-1 (CDXA) ->8 string 4XMV \b, 4X Movie file +>8 string 4XMV \b, 4X Movie file # AMV-type AVI file: http://wiki.multimedia.cx/index.php?title=AMV ->8 string AMV\040 \b, AMV +>8 string AMV\040 \b, AMV >8 string WEBP \b, Web/P image !:mime image/webp >>12 use riff-walk 
@@ -246,7 +246,7 @@ >>18 beshort x \b, %d entries # RIFF Device Independent Bitmap format >8 string RDIB \b, device-independent bitmap ->>16 string BM +>>16 string BM >>>30 beshort 12 \b, OS/2 1.x format >>>>34 beshort x \b, %d x >>>>36 beshort x %d @@ -284,7 +284,7 @@ #------------------------------------------------------------------------------ # Sony Wave64 # see http://www.vcs.de/fileadmin/user_upload/MBS/PDF/Whitepaper/Informations_about_Sony_Wave64.pdf -# 128 bit RIFF-GUID { 66666972-912E-11CF-A5D6-28DB04C10000 } in little-endian +# 128 bit RIFF-GUID { 66666972-912E-11CF-A5D6-28DB04C10000 } in little-endian 0 string riff\x2E\x91\xCF\x11\xA5\xD6\x28\xDB\x04\xC1\x00\x00 Sony Wave64 RIFF data # 128 bit + total file size (64 bits) so 24 bytes # then WAVE-GUID { 65766177-ACF3-11D3-8CD1-00C04F8EDB8A } diff --git a/magic/Magdir/ruby b/magic/Magdir/ruby index cc3abd0408ae..45a253cb5f69 100644 --- a/magic/Magdir/ruby +++ b/magic/Magdir/ruby @@ -1,32 +1,51 @@ #------------------------------------------------------------------------------ -# $File: ruby,v 1.6 2016/07/27 09:46:29 rrt Exp $ +# $File: ruby,v 1.7 2017/08/14 13:39:18 christos Exp $ # ruby: file(1) magic for Ruby scripting language # URL: http://www.ruby-lang.org/ # From: Reuben Thomas # Ruby scripts -0 search/1/w #!\ /usr/bin/ruby Ruby script text executable +0 search/1/w #!\ /usr/bin/ruby Ruby script text executable !:strength + 15 !:mime text/x-ruby 0 search/1/w #!\ /usr/local/bin/ruby Ruby script text executable !:strength + 15 !:mime text/x-ruby -0 search/1 #!/usr/bin/env\ ruby Ruby script text executable +0 search/1 #!/usr/bin/env\ ruby Ruby script text executable !:strength + 15 !:mime text/x-ruby -0 search/1 #!\ /usr/bin/env\ ruby Ruby script text executable +0 search/1 #!\ /usr/bin/env\ ruby Ruby script text executable !:strength + 15 !:mime text/x-ruby # What looks like ruby, but does not have a shebang # (modules and such) # 
From: Lubomir Rintel -0 regex \^[\ \t]*require[\ \t]'[A-Za-z_/]+' ->0 regex include\ [A-Z]|def\ [a-z]|\ do$ ->>0 regex \^[\ \t]*end([\ \t]*[;#].*)?$ Ruby script text +0 regex \^[[:space:]]*require[[:space:]]'[A-Za-z_/]+' +>0 regex def\ [a-z]|\ do$ +>>&0 regex \^[[:space:]]*end([[:space:]]+[;#].*)?$ Ruby script text +!:strength + 30 !:mime text/x-ruby -0 regex \^[\ \t]*(class|module)[\ \t][A-Z] +0 regex \^[[:space:]]*(class|module)[[:space:]][A-Z] >0 regex (modul|includ)e\ [A-Z]|def\ [a-z] ->>0 regex \^[\ \t]*end([\ \t]*[;#].*)?$ Ruby module source text +>>&0 regex \^[[:space:]]*end([[:space:]]+[;#].*)?$ Ruby script text +!:strength + 30 +!:mime text/x-ruby +# Classes with no modules or defs, beats simple ASCII +0 regex \^[[:space:]]*(class|module)[[:space:]][A-Z] +>&0 regex \^[[:space:]]*end([[:space:]]+[;#if].*)?$ Ruby script text +!:strength + 10 +!:mime text/x-ruby +# Looks for function definition to balance python magic +# def name (args) +# end +0 regex \^[[:space:]]*def\ [a-z]|def\ [[:alpha:]]+::[a-z] +>&0 regex \^[[:space:]]*end([[:space:]]+[;#].*)?$ Ruby script text +!:strength + 10 +!:mime text/x-ruby + +0 regex \^[[:space:]]*require[[:space:]]'[A-Za-z_/]+' Ruby script text +!:mime text/x-ruby +0 regex \^[[:space:]]*include\ ([A-Z]+[a-z]*(::))+ Ruby script text !:mime text/x-ruby diff --git a/magic/Magdir/sccs b/magic/Magdir/sccs index 95b3a5db128d..4717948fdbfc 100644 --- a/magic/Magdir/sccs +++ b/magic/Magdir/sccs @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sccs,v 1.6 2009/09/19 16:28:12 christos Exp $ +# $File: sccs,v 1.7 2017/03/17 21:35:28 christos Exp $ # sccs: file(1) magic for SCCS archives # # SCCS archive structure: 
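Review bot: The added "Classes with no modules or defs" entry ends its `end` pattern with `[;#if]`, which is a bracket expression matching one of the characters `;`, `#`, `i` or `f`, not the keyword `if`. The other `end` patterns in this hunk use `[;#]`. If a trailing `end if …` modifier was meant, write it as an alternation, e.g. `end([[:space:]]+([;#]|if[[:space:]]).*)?$`; otherwise use `[;#]` like its siblings. Separately, the rewritten `end` patterns replace `[\ \t]*` with `[[:space:]]+`, so `end;` and `end#…` with no space no longer match, which is worth confirming as intended.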
@@ -17,6 +17,6 @@ # Maybe we should just switch everybody from SCCS to RCS! # Further, you can't just say '\001h0', because the five-digit number # is a checksum that could (presumably) have any leading digit, -# and we don't have regular expression matching yet. +# and we don't have regular expression matching yet. # Hence the following official kludge: 8 string \001s\ SCCS archive data diff --git a/magic/Magdir/scientific b/magic/Magdir/scientific index e39720cf8784..2e0cf49bee74 100644 --- a/magic/Magdir/scientific +++ b/magic/Magdir/scientific @@ -1,7 +1,7 @@ #------------------------------------------------------------------------------ -# $File: scientific,v 1.10 2015/08/24 05:18:55 christos Exp $ -# scientific: file(1) magic for scientific formats +# $File: scientific,v 1.12 2017/03/17 22:20:22 christos Exp $ +# scientific: file(1) magic for scientific formats # # From: Joe Krahn @@ -90,7 +90,7 @@ # format DD-MMM-YY, e.g., 01-JAN-70, and the IDcode consists of numbers and # uppercase letters. However, examples have been seen without the date string, # e.g., the example on the chemime site. -0 string HEADER\ \ \ \ +0 string HEADER\ \ \ \040 >&0 regex/1l \^.{40} >>&0 regex/1l [0-9]{2}-[A-Z]{3}-[0-9]{2}\ {3} >>>&0 regex/1ls [A-Z0-9]{4}.{14}$ diff --git a/magic/Magdir/sendmail b/magic/Magdir/sendmail index 29004104d012..840859c56232 100644 --- a/magic/Magdir/sendmail +++ b/magic/Magdir/sendmail 
@@ -1,27 +1,27 @@ #------------------------------------------------------------------------------ -# $File: sendmail,v 1.8 2015/11/11 15:27:03 christos Exp $ +# $File: sendmail,v 1.10 2017/08/13 00:21:47 christos Exp $ # sendmail: file(1) magic for sendmail config files # # XXX - byte order? # -# Update: Joerg Jenderek +# Update: Joerg Jenderek # GRR: this test is too general as it catches also # READ.ME.FIRST.AWP Sendmail frozen configuration # - version ====|====|====|====|====|====|====|====|====|====|====|====|=== # Email_23_f217153422.ts Sendmail frozen configuration # - version \330jK\354 -0 byte 046 +0 byte 046 # http://www.sendmail.com/sm/open_source/docs/older_release_notes/ # freezed configuration file (dbm format?) created from sendmal.cf with -bz # by older sendmail. til version 8.6 support for frozen configuration files is removed -# valid version numbers look like "7.14.4" and should be simliar to output of commands -# "sendmail -d0 -bt < /dev/null |grep -i Version" or "egrep '^DZ' /etc/sendmail.cf" +# valid version numbers look like "7.14.4" and should be similar to output of commands +# "sendmail -d0 -bt < /dev/null |grep -i Version" or "egrep '^DZ' /etc/sendmail.cf" >16 regex/s =^[0-78][0-9.]{4} Sendmail frozen configuration # normally only /etc/sendmail.fc or /var/adm/sendmail/sendmail.fc !:ext fc >>16 string >\0 - version %s -0 short 0x271c +0 short 0x271c # look for valid version number >16 regex/s =^[0-78][0-9.]{4} Sendmail frozen configuration !:ext fc diff --git a/magic/Magdir/sequent b/magic/Magdir/sequent index 5137c0ed9af4..780d77e5d6ab 100644 --- a/magic/Magdir/sequent +++ b/magic/Magdir/sequent @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sequent,v 1.12 2014/08/16 16:07:12 christos Exp $ +# $File: sequent,v 1.13 2017/03/17 21:35:28 christos Exp $ # sequent: file(1) magic for Sequent machines # # Sequent information updated by Don Dwiggins . 
@@ -33,9 +33,9 @@ # http://en.wikipedia.org/wiki/Sequent_Computer_Systems # below test line conflicts with MS-DOS 2.11 floppies and Acronis loader #0 leshort 0x42eb SYMMETRY i386 standalone executable -0 leshort 0x42eb +0 leshort 0x42eb # skip unlike negative version ->124 lelong >-1 +>124 lelong >-1 # assuming version 28867614 is very low probable >>124 lelong !28867614 SYMMETRY i386 standalone executable >>>16 lelong >0 not stripped diff --git a/magic/Magdir/sgml b/magic/Magdir/sgml index e3dcc26c89b7..34edd3c30cdc 100644 --- a/magic/Magdir/sgml +++ b/magic/Magdir/sgml @@ -1,8 +1,10 @@ -#------------------------------------------------------------------------------ # $File: sgml,v 1.34 2016/09/11 13:56:42 christos Exp $ + +#------------------------------------------------------------------------------ +# $File: sgml,v 1.37 2017/07/23 08:23:33 christos Exp $ # Type: SVG Vectorial Graphics # From: Noel Torres -0 string \15 string >\0 +0 string \14 regex ['"\ \t]*[0-9.]+['"\ \t]* >>19 search/4096 \>19 search/4096 \>19 search/4096 \ -0 string \15 string >\0 +0 string \14 regex ['"\ \t]*[0-9.]+['"\ \t]* >>19 search/4096 \ HTML document text !:mime text/html !:strength + 5 diff --git a/magic/Magdir/sharc b/magic/Magdir/sharc index b40e65234282..e54088bc8f75 100644 --- a/magic/Magdir/sharc +++ b/magic/Magdir/sharc @@ -1,9 +1,9 @@ #------------------------------------------------------------------------ -# $File: sharc,v 1.7 2014/04/30 21:41:02 christos Exp $ +# $File: sharc,v 1.8 2017/03/17 21:35:28 christos Exp $ # file(1) magic for sharc files # -# SHARC DSP, MIDI SysEx and RiscOS filetype definitions added by +# SHARC DSP, MIDI SysEx and RiscOS filetype definitions added by # FutureGroove Music (dsp@futuregroove.de) #------------------------------------------------------------------------ diff --git a/magic/Magdir/sketch b/magic/Magdir/sketch index 82dacb8f06dc..ee731ddd52f8 100644 --- a/magic/Magdir/sketch +++ b/magic/Magdir/sketch 
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sketch,v 1.4 2009/09/19 16:28:12 christos Exp $ -# Sketch Drawings: http://sketch.sourceforge.net/ +# $File: sketch,v 1.5 2017/03/17 21:35:28 christos Exp $ +# Sketch Drawings: http://sketch.sourceforge.net/ # From: Edwin Mons 0 search/1 ##Sketch Sketch document text diff --git a/magic/Magdir/sql b/magic/Magdir/sql index b07350a6b474..acc452931084 100644 --- a/magic/Magdir/sql +++ b/magic/Magdir/sql @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sql,v 1.20 2016/07/05 19:49:59 christos Exp $ +# $File: sql,v 1.21 2017/03/17 21:35:28 christos Exp $ # sql: file(1) magic for SQL files # # From: "Marty Leisner" @@ -73,7 +73,7 @@ >>3 byte x Version %d #------------------------------------------------------------------------------ -# iRiver H Series database file +# iRiver H Series database file # From Ken Guest # As observed from iRivNavi.iDB and unencoded firmware # @@ -133,9 +133,9 @@ 0 string PSDB\0 Panasonic channel list DataBase !:ext db/bin #!:mime application/x-db-svl-panasonic ->126 string SQLite\ format\ 3 +>126 string SQLite\ format\ 3 #!:mime application/x-panasonic-sqlite3 ->>&-15 indirect x \b; contains +>>&-15 indirect x \b; contains # H2 Database from http://www.h2database.com/ 0 string --\ H2\ 0.5/B\ --\ \n H2 Database file diff --git a/magic/Magdir/ssl b/magic/Magdir/ssl index 5d5daeeaf30f..2094ef5e7c6f 100644 --- a/magic/Magdir/ssl +++ b/magic/Magdir/ssl @@ -1,8 +1,20 @@ + +#------------------------------------------------------------------------------ +# $File: ssl,v 1.4 2017/01/22 21:14:25 christos Exp $ +# ssl: file(1) magic for SSL file formats + # Type: OpenSSL certificates/key files # 
From: Nicolas Collignon -0 string -----BEGIN\ CERTIFICATE----- PEM certificate -0 string -----BEGIN\ CERTIFICATE\ REQ PEM certificate request -0 string -----BEGIN\ RSA\ PRIVATE PEM RSA private key -0 string -----BEGIN\ DSA\ PRIVATE PEM DSA private key -0 string -----BEGIN\ EC\ PRIVATE PEM EC private key +0 string -----BEGIN\040CERTIFICATE----- PEM certificate +0 string -----BEGIN\040CERTIFICATE\040REQ PEM certificate request +0 string -----BEGIN\040RSA\040PRIVATE PEM RSA private key +0 string -----BEGIN\040DSA\040PRIVATE PEM DSA private key +0 string -----BEGIN\040EC\040PRIVATE PEM EC private key +0 string -----BEGIN\040ECDSA\040PRIVATE PEM ECDSA private key + +# From Luc Gommans +# OpenSSL enc file (recognized by a magic string preceding the password's salt) +0 string Salted__ openssl enc'd data with salted password +# Using the -a or -base64 option, OpenSSL will base64-encode the data. +0 string U2FsdGVkX19 openssl enc'd data with salted password, base64 encoded diff --git a/magic/Magdir/sysex b/magic/Magdir/sysex index 97472e275548..fc9cbf4ed4a2 100644 --- a/magic/Magdir/sysex +++ b/magic/Magdir/sysex @@ -1,6 +1,6 @@ #------------------------------------------------------------------------ -# $File: sysex,v 1.8 2014/06/03 19:17:27 christos Exp $ +# $File: sysex,v 1.9 2017/03/17 21:35:28 christos Exp $ # sysex: file(1) magic for MIDI sysex files # # GRR: original 1 byte test at offset was too general as it catches also many FATs of DOS filesystems @@ -256,7 +256,7 @@ >1 belong&0xffffff00 0x00011d00 Nemesys >1 belong&0xffffff00 0x00011e00 DBX >1 belong&0xffffff00 0x00011f00 Syndyne ->1 belong&0xffffff00 0x00012000 Bitheadz +>1 belong&0xffffff00 0x00012000 Bitheadz >1 belong&0xffffff00 0x00012100 Cakewalk >1 belong&0xffffff00 0x00012200 Staccato >1 belong&0xffffff00 0x00012300 National Semicon. diff --git a/magic/Magdir/terminfo b/magic/Magdir/terminfo index b201bcae5b7a..43e9d43179eb 100644 --- a/magic/Magdir/terminfo +++ b/magic/Magdir/terminfo 
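Review bot: The base64 rule `0 string U2FsdGVkX19` added at the end of the magic/Magdir/ssl hunk pins an eleventh character that is not constant, so it will miss most base64-encoded `openssl enc` output. `Salted__` is eight bytes, and the third base64 group combines the last two underscores with the top two bits of the first salt byte, which makes that character one of `8`, `9`, `+` or `/`. Matching only the stable ten-character prefix, `0 string U2FsdGVkX1 openssl enc'd data with salted password, base64 encoded`, covers all four cases. Anyone using file(1) to triage encrypted blobs would otherwise likely see about three in four of them reported as generic text.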
@@ -1,24 +1,51 @@ #------------------------------------------------------------------------------ -# $File: terminfo,v 1.7 2016/03/17 21:02:29 christos Exp $ +# $File: terminfo,v 1.9 2017/04/28 16:28:58 christos Exp $ # terminfo: file(1) magic for terminfo # -# XXX - byte order for screen images? +# URL: http://invisible-island.net/ncurses/man/term.5.html +# URL: http://invisible-island.net/ncurses/man/scr_dump.5.html # -# URL: https://en.wikipedia.org/wiki/Terminfo -# Reference: ncurses-5.9/ncurses/tinfo/write_entry.c -# Update: Joerg Jenderek -# -# GRR: line below too general as it catches also +# Workaround for Targa image type by Joerg Jenderek +# GRR: line below too general as it catches also # Targa image type 1 with 26 long identification field # and HELP.DSK -0 string \032\001 +0 string \032\001 # 5th character of terminal name list, but not Targa image pixel size (15 16 24 32) ->16 ubyte >32 +>16 ubyte >32 # namelist, if more than 1 separated by "|" like "st|stterm| simpleterm 0.4.1" >>12 regex \^[a-zA-Z0-9][a-zA-Z0-9.][^|]* Compiled terminfo entry "%-s" !:mime application/x-terminfo # no extension -#!:ext -0 short 0433 Curses screen image -0 short 0434 Curses screen image +#!:ext +# +# While the compiled terminfo uses little-endian format irregardless of +# platform, SystemV screen dumps do not. They came later, and that detail was +# overlooked. 
+# +# AIX and HPUX use the SVr4 big-endian format +# Solaris uses the SVr3 formats (sparc and x86 differ endian-ness) +0 beshort 0433 SVr2 curses screen image, big-endian +0 beshort 0434 SVr3 curses screen image, big-endian +0 beshort 0435 SVr4 curses screen image, big-endian +# +0 leshort 0433 SVr2 curses screen image, little-endian +0 leshort 0434 SVr3 curses screen image, little-endian +0 leshort 0435 SVr4 curses screen image, little-endian +# +# Rather than SVr4, Solaris "xcurses" writes this header: +0 regex \^MAX=[0-9]+,[0-9]+$ +>1 regex \^BEG=[0-9]+,[0-9]+$ +>2 regex \^SCROLL=[0-9]+,[0-9]+$ +>3 regex \^VMIN=[0-9]+$ +>4 regex \^VTIME=[0-9]+$ +>5 regex \^FLAGS=0x[[:xdigit:]]+$ +>6 regex \^FG=[0-9],[0-9]+$ +>7 regex \^BG=[0-9]+,[0-9]+, Solaris xcurses screen image +# +# ncurses5 (and before) did not use a magic number, making screen dumps "data". +# ncurses6 (2015) uses this format, ignoring byte-order +0 string \210\210\210\210ncurses ncurses6 screen image +# +# PDCurses added this in 2005 +0 string PDC\001 PDCurses screen image diff --git a/magic/Magdir/vms b/magic/Magdir/vms index 493930394865..56d57ae93280 100644 --- a/magic/Magdir/vms +++ b/magic/Magdir/vms @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: vms,v 1.9 2014/08/17 13:47:59 christos Exp $ +# $File: vms,v 1.10 2017/03/17 21:35:28 christos Exp $ # vms: file(1) magic for VMS executables (experimental) # # VMS .exe formats, both VAX and AXP (Greg Roelofs, newt@uchicago.edu) @@ -25,6 +25,6 @@ # 00040 00 00 00 00 ff ff ff ff ff ff ff ff 02 00 00 00 ................ # # GRR this test is still too general as it catches example adressen.dbt -0 belong 0x03000000 +0 belong 0x03000000 >8 ubelong 0xec020000 VMS Alpha executable >>75264 string PK\003\004 \b, Info-ZIP SFX archive v5.12 w/decryption diff --git a/magic/Magdir/vmware b/magic/Magdir/vmware index b6b6a619b3ee..cd1a9d95765c 100644 --- a/magic/Magdir/vmware +++ b/magic/Magdir/vmware 
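Review bot: In the Solaris xcurses header test of the magic/Magdir/terminfo hunk, the `FG` line accepts only a single digit before the comma (`\^FG=[0-9],[0-9]+$`) while the neighbouring `BG` line uses `[0-9]+`, so a dump whose first FG field has two or more digits would drop out of the chain. If that is not intentional, `>6 regex \^FG=[0-9]+,[0-9]+$` keeps the two consistent. The offsets `>1` to `>7` on these regex lines are byte offsets, and they look as if they were written as line indices; a one-line comment stating the intent would help the next maintainer.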
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: vmware,v 1.7 2009/09/19 16:28:13 christos Exp $ +# $File: vmware,v 1.8 2017/03/17 21:35:28 christos Exp $ # VMware specific files (deducted from version 1.1 and log file entries) # Anthon van der Neut (anthon@mnt.org) -0 belong 0x4d52564e VMware nvram +0 belong 0x4d52564e VMware nvram diff --git a/magic/Magdir/vorbis b/magic/Magdir/vorbis index 3b5e51f5c8e8..5335ca8777c1 100644 --- a/magic/Magdir/vorbis +++ b/magic/Magdir/vorbis @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: vorbis,v 1.22 2015/03/28 15:14:55 christos Exp $ +# $File: vorbis,v 1.23 2017/03/17 21:35:28 christos Exp $ # vorbis: file(1) magic for Ogg/Vorbis files # # From Felix von Leitner @@ -95,7 +95,7 @@ # in a different place, so we must use an indirect offset. >>>(84.b+85) string \x03vorbis >>>>(84.b+96) string/c Xiphophorus\ libVorbis\ I \b, created by: Xiphophorus libVorbis I ->>>>>(84.b+120) string >00000000 +>>>>>(84.b+120) string >00000000 # Map to beta version numbers: >>>>>>(84.b+120) string <20000508 (>>>>>(84.b+120) string 20000508 (1.0 beta 1 or beta 2) @@ -117,7 +117,7 @@ >>>>>>(84.b+120) string >20011231 (pre-1.0 CVS) # For the 1.0 release, Xiphophorus is replaced by Xiph.Org >>>>(84.b+96) string/c Xiph.Org\ libVorbis\ I \b, created by: Xiph.Org libVorbis I ->>>>>(84.b+117) string >00000000 +>>>>>(84.b+117) string >00000000 >>>>>>(84.b+117) string <20020717 (pre-1.0 CVS) >>>>>>(84.b+117) string 20020717 (1.0) >>>>>>(84.b+117) string 20030909 (1.0.1) 
@@ -128,13 +128,13 @@ !:mime audio/ogg >>>36 ubyte >0x0F UNKNOWN VERSION %u, >>>36 ubyte &0x0F version 0.%d ->>>>46 ubyte >1 +>>>>46 ubyte >1 >>>>>46 ubyte !255 unknown channel mapping family %u, >>>>>37 ubyte x %u channels >>>>46 ubyte 0 >>>>>37 ubyte 1 mono >>>>>37 ubyte 2 stereo ->>>>46 ubyte 1 +>>>>46 ubyte 1 >>>>>37 ubyte 1 mono >>>>>37 ubyte 2 stereo >>>>>37 ubyte 3 linear surround diff --git a/magic/Magdir/webassembly b/magic/Magdir/webassembly new file mode 100644 index 000000000000..8a4ce1b1a599 --- /dev/null +++ b/magic/Magdir/webassembly @@ -0,0 +1,15 @@ +#------------------------------------------------------------------------------ +# $File: webassembly,v 1.2 2017/05/02 14:05:29 christos Exp $ +# webassembly: file(1) magic for WebAssembly modules +# +# WebAssembly is a virtual architecture developed by a W3C Community +# Group at http://webassembly.org/. The file extension is .wasm, and +# the MIME type is application/wasm. +# +# http://webassembly.org/docs/binary-encoding/ is the main +# document describing the binary format. +# From: Pip Cet and Joel Martin + +0 string \0asm WebAssembly (wasm) binary module +>4 lelong =1 version %#x (MVP) +>4 lelong >1 version %#x diff --git a/magic/Magdir/windows b/magic/Magdir/windows index faaa7e290028..169d4f8d0976 100644 --- a/magic/Magdir/windows +++ b/magic/Magdir/windows @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: windows,v 1.14 2015/12/15 01:06:17 christos Exp $ +# $File: windows,v 1.16 2017/03/17 22:20:22 christos Exp $ # windows: file(1) magic for Microsoft Windows # # This file is mainly reserved for files where programs 
@@ -29,7 +29,7 @@ # Created by: Andreas Schuster (http://computer.forensikblog.de/) # Reference (1): http://computer.forensikblog.de/en/2008/02/64bit_magic.html # Modified by (1): Abel Cheung (Avoid match with first 4 bytes only) -0 string PAGE +0 string PAGE >4 string DUMP MS Windows 32bit crash dump >>0x05c byte 0 \b, no PAE >>0x05c byte 1 \b, PAE @@ -66,13 +66,13 @@ # Summary: Old format help files # URL: https://en.wikipedia.org/wiki/WinHelp # Reference: http://www.oocities.org/mwinterhoff/helpfile.htm -# Update: Joerg Jenderek +# Update: Joerg Jenderek # Created by: Dirk Jagdmann # # check and then display version and date inside MS Windows HeLP file fragment 0 name help-ver-date # look for Magic of SYSTEMHEADER ->0 leshort 0x036C +>0 leshort 0x036C # version Major 1 for right file fragment >>4 leshort 1 Windows # print non empty string above to avoid error message @@ -93,7 +93,7 @@ >>>6 ldate x \b, %s # # Magic for HeLP files -0 lelong 0x00035f3f +0 lelong 0x00035f3f # ./windows (version 5.25) labeled the entry as "MS Windows 3.x help file" # file header magic 0x293B at DirectoryStart+9 >(4.l+9) uleshort 0x293B MS 
@@ -101,37 +101,37 @@ >>0xD4 string =\x62\x6D\x66\x01\x00 Windows help annotation !:mime application/x-winhelp !:ext ann ->>0xD4 string !\x62\x6D\x66\x01\x00 +>>0xD4 string !\x62\x6D\x66\x01\x00 # "GID Help index" by TrID >>>(4.l+0x65) string =|Pete Windows help Global Index !:mime application/x-winhelp !:ext gid # HeLP Bookmark or # "Windows HELP File" by TrID ->>>(4.l+0x65) string !|Pete +>>>(4.l+0x65) string !|Pete # maybe there exist a cleaner way to detect HeLP fragments # brute search for Magic 0x036C with matching Major maximal 7 iterations # discapp.hlp ->>>>16 search/0x49AF/s \x6c\x03 +>>>>16 search/0x49AF/s \x6c\x03 >>>>>&0 use help-ver-date ->>>>>&4 leshort !1 +>>>>>&4 leshort !1 # putty.hlp ->>>>>>&0 search/0x69AF/s \x6c\x03 +>>>>>>&0 search/0x69AF/s \x6c\x03 >>>>>>>&0 use help-ver-date ->>>>>>>&4 leshort !1 ->>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>&4 leshort !1 +>>>>>>>>&0 search/0x49AF/s \x6c\x03 >>>>>>>>>&0 use help-ver-date ->>>>>>>>>&4 leshort !1 ->>>>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>>>&4 leshort !1 +>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 >>>>>>>>>>>&0 use help-ver-date ->>>>>>>>>>>&4 leshort !1 ->>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>>>>>&4 leshort !1 +>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 >>>>>>>>>>>>>&0 use help-ver-date ->>>>>>>>>>>>>&4 leshort !1 ->>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>>>>>>>&4 leshort !1 +>>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 >>>>>>>>>>>>>>>&0 use help-ver-date ->>>>>>>>>>>>>>>&4 leshort !1 ->>>>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>>>>>>>>>&4 leshort !1 +>>>>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 # GCC.HLP is detected after 7 iterations >>>>>>>>>>>>>>>>>&0 use help-ver-date # this only happens if bigger hlp file is detected after used search iterations 
@@ -139,7 +139,7 @@ !:mime application/winhelp !:ext hlp # repeat search again or following default line does not work ->>>>16 search/0x49AF/s \x6c\x03 +>>>>16 search/0x49AF/s \x6c\x03 # remaining files should be HeLP Bookmark WinHlp32.BMK (XP 32-bit) or WinHlp32 (Windows 8.1 64-bit) >>>>16 default x Windows help Bookmark !:mime application/x-winhelp @@ -180,21 +180,21 @@ #>>(4.l+47) ubequad x \b, PageStart 0x%16.16llx # start with colon or semicolon for comment line like Back2Life.cnt -0 regex \^(:|;) +0 regex \^(:|;) # look for first keyword Base ->0 search/45 :Base +>0 search/45 :Base >>&0 use cnt-name # only solution to search again from beginning , because relative offsets changes when use is called ->0 search/45 :Base ->0 default x +>0 search/45 :Base +>0 default x # look for other keyword Title like in putty.cnt ->>0 search/45 :Title +>>0 search/45 :Title >>>&0 use cnt-name # # display mime type and name of Windows help Content source 0 name cnt-name # skip space at beginning ->0 string \ +>0 string \040 # name without extension and greater character or name with hlp extension >>1 regex/c \^([^\xd>]*|.*\.hlp) MS Windows help file Content, based "%s" !:mime text/plain @@ -210,10 +210,10 @@ # Summary: Hyper terminal # Extension: .ht # Created by: unknown -0 string HyperTerminal\ +0 string HyperTerminal\040 >15 string 1.0\ --\ HyperTerminal\ data\ file MS Windows HyperTerminal profile -# http://ithreats.files.wordpress.com/2009/05/\ +# http://ithreats.files.wordpress.com/2009/05/\040 # lnk_the_windows_shortcut_file_format.pdf # Summary: Windows shortcut # Extension: .lnk @@ -293,7 +293,7 @@ # Extension: .reg # Submitted by: Abel Cheung 0 string REGEDIT4\r\n\r\n Windows Registry text (Win95 or above) -0 string Windows\ Registry\ Editor\ +0 string Windows\ Registry\ Editor\040 >&0 string Version\ 5.00\r\n\r\n Windows Registry text (Win2K or above) # Windows *.INF *.INI files updated by Joerg Jenderek at Apr 2013 
@@ -301,10 +301,10 @@ # PR/383: remove unicode BOM because it is not portable across regex impls 0 regex/s \\`(\\r\\n|;|[[]) # left bracket in section line ->&0 search/8192 [ +>&0 search/8192 [ # http://en.wikipedia.org/wiki/Autorun.inf # http://msdn.microsoft.com/en-us/library/windows/desktop/cc144200.aspx ->>&0 regex/c \^(autorun)]\r\n +>>&0 regex/c \^(autorun)]\r\n >>>&0 ubyte =0x5b INItialization configuration !:mime application/x-wine-extension-ini # From: Pal Tamas 
@@ -343,31 +343,31 @@ # http://en.wikipedia.org/wiki/NTLDR Windows Boot Loader information >>&0 regex/c \^(boot\x20loader)] Windows boot.ini !:mime application/x-wine-extension-ini ->>>&0 ubyte x +>>>&0 ubyte x # http://en.wikipedia.org/wiki/CONFIG.SYS >>&0 regex/c \^(menu)]\r\n MS-DOS CONFIG.SYS # http://support.microsoft.com/kb/118579/ >>&0 regex/c \^(Paths)]\r\n MS-DOS MSDOS.SYS # VERS string unicoded case-independent ->>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0056004500520053 +>>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0056004500520053 # ION] string unicoded case-independent ->>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x0049004f004e005d Windows setup INFormation +>>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x0049004f004e005d Windows setup INFormation !:mime application/x-setupscript # STRI string unicoded case-independent ->>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0053005400520049 +>>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0053005400520049 # NGS] string unicoded case-independent ->>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x004e00470053005D Windows setup INFormation +>>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x004e00470053005D Windows setup INFormation !:mime application/x-setupscript # unknown keyword after opening bracket ->>&0 default x ->>>&0 search/8192 [ +>>&0 default x +>>>&0 search/8192 [ # version Strings FileIdentification ->>>>&0 string/c version Windows setup INFormation +>>>>&0 string/c version Windows setup INFormation !:mime application/x-setupscript # VERS string unicoded case-independent ->>>>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0056004500520053 +>>>>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0056004500520053 # ION] string unicoded case-independent ->>>>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x0049004f004e005d Windows setup INFormation +>>>>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x0049004f004e005d Windows setup INFormation !:mime application/x-setupscript # http://en.wikipedia.org/wiki/Initialization_file Windows Initialization File or other #>>>>&0 default x Generic INItialization configuration 
@@ -376,21 +376,21 @@ # Windows Precompiled INF files *.PNF added by Joerg Jenderek at Mar 2013 of _PNF_HEADER inf.h # http://read.pudn.com/downloads3/sourcecode/windows/248345/win2k/private/windows/setup/setupapi/inf.h__.htm # GRR: line below too general as it catches also PDP-11 UNIX/RT ldp -0 leshort&0xFeFe 0x0000 +0 leshort&0xFeFe 0x0000 !:strength -5 # test for unused null bits in PNF_FLAGs ->4 ulelong&0xFCffFe00 0x00000000 +>4 ulelong&0xFCffFe00 0x00000000 # only found 58h for Offset of WinDirPath immediately after _PNF_HEADER structure ->>68 ulelong >0x57 +>>68 ulelong >0x57 # test for zero high byte of InfValueBlockSize, followed by WinDirPath like # C:\WINDOWS (ASCII 0x433a5c.. , unicode 0x43003a005c..) or X:\MININT >>>(68.l-1) ubelong&0xffE0C519 =0x00400018 Windows Precompiled iNF !:mime application/x-pnf # currently only found Major Version=1 and Minor Version=1 -#>>>>0 uleshort =0x0101 +#>>>>0 uleshort =0x0101 #>>>>>1 ubyte x \b, version %u #>>>>>0 ubyte x \b.%u ->>>>0 uleshort !0x0101 +>>>>0 uleshort !0x0101 >>>>>1 ubyte x \b, version %u >>>>>0 ubyte x \b.%u # 1 ,2 (windows 98 SE) @@ -416,10 +416,10 @@ #>>>>16 ulelong x \b, InfVersionDataSize 0x%x # only found positive values lower 0x00ffFFff for InfVersionDataOffset >>>>20 ulelong x \b, at 0x%x ->>>>4 ulelong&0x00000001 =0x00000001 -# case independent: CatalogFile Class DriverVer layoutfile LayoutFile SetupClass signature Signature +>>>>4 ulelong&0x00000001 =0x00000001 +# case independent: CatalogFile Class DriverVer layoutfile LayoutFile SetupClass signature Signature >>>>>(20.l) lestring16 x "%s" ->>>>4 ulelong&0x00000001 !0x00000001 +>>>>4 ulelong&0x00000001 !0x00000001 >>>>>(20.l) string x "%s" # FILETIME is number of 100-nanosecond intervals since 1 January 1601 #>>>>24 ulequad x \b, InfVersionLastWriteTime %16.16llx 
@@ -435,23 +435,23 @@ #>>>>64 ulelong x \b, InfValueBlockSize 0x%x # WinDirPathOffset #>>>>68 ulelong x \b, at 0x%x ->>>>68 ulelong >0x57 ->>>>>4 ulelong&0x00000001 =0x00000001 ->>>>>>(68.l) ubequad =0x43003a005c005700 +>>>>68 ulelong >0x57 +>>>>>4 ulelong&0x00000001 =0x00000001 +>>>>>>(68.l) ubequad =0x43003a005c005700 # normally unicoded C:\Windows #>>>>>>>(68.l) lestring16 x \b, WinDirPath "%s" ->>>>>>(68.l) ubequad !0x43003a005c005700 +>>>>>>(68.l) ubequad !0x43003a005c005700 >>>>>>>(68.l) lestring16 x \b, WinDirPath "%s" ->>>>>4 ulelong&0x00000001 !0x00000001 +>>>>>4 ulelong&0x00000001 !0x00000001 # normally ASCII C:\WINDOWS #>>>>>>(68.l) string =C:\\WINDOWS \b, WinDirPath "%s" >>>>>>(68.l) string !C:\\WINDOWS \b, WinDirPath "%s" -# found OsLoaderPathOffset values often 0 , once 70h corelist.PNF, once 68h ASCII machine.PNF +# found OsLoaderPathOffset values often 0 , once 70h corelist.PNF, once 68h ASCII machine.PNF #>>>>72 ulelong >0 \b, at 0x%x >>>>72 ulelong >0 \b, ->>>>>4 ulelong&0x00000001 =0x00000001 +>>>>>4 ulelong&0x00000001 =0x00000001 >>>>>>(72.l) lestring16 x OsLoaderPath "%s" ->>>>>4 ulelong&0x00000001 !0x00000001 +>>>>>4 ulelong&0x00000001 !0x00000001 # seldom C:\ instead empty >>>>>>(72.l) string x OsLoaderPath "%s" # 1fdh 
@@ -462,16 +462,16 @@ # InfSourcePathOffset often 0 #>>>>80 ulelong >0 \b, at 0x%x >>>>80 ulelong >0 \b, ->>>>>4 ulelong&0x00000001 =0x00000001 +>>>>>4 ulelong&0x00000001 =0x00000001 >>>>>>(80.l) lestring16 x SourcePath "%s" ->>>>>4 ulelong&0x00000001 !0x00000001 +>>>>>4 ulelong&0x00000001 !0x00000001 >>>>>>(80.l) string >\0 SourcePath "%s" # OriginalInfNameOffset often 0 #>>>>84 ulelong >0 \b, at 0x%x >>>>84 ulelong >0 \b, ->>>>>4 ulelong&0x00000001 =0x00000001 +>>>>>4 ulelong&0x00000001 =0x00000001 >>>>>>(84.l) lestring16 x InfName "%s" ->>>>>4 ulelong&0x00000001 !0x00000001 +>>>>>4 ulelong&0x00000001 !0x00000001 >>>>>>(84.l) string >\0 InfName "%s" # Summary: backup file created with utility like NTBACKUP.EXE shipped with Windows NT/2K/XP/2003 @@ -480,13 +480,13 @@ # URL: http://en.wikipedia.org/wiki/NTBackup # Reference: http://laytongraphics.com/mtf/MTF_100a.PDF # Descriptor BloCK name of Microsoft Tape Format -0 string TAPE +0 string TAPE # Format Logical Address is zero ->20 ulequad 0 +>20 ulequad 0 # Reserved for MBC is zero ->>28 uleshort 0 +>>28 uleshort 0 # Control Block ID is zero ->>>36 ulelong 0 +>>>36 ulelong 0 # BIT4-BIT15, BIT18-BIT31 of block attributes are unused >>>>4 ulelong&0xFFfcFFe0 0 Windows NTbackup archive #!:mime application/x-ntbackup @@ -508,7 +508,7 @@ >>>>>4 ulelong&0x00000004 !0 \b, compressed # MTF_EOS_AT_EOM End Of Medium was hit during end of set processing >>>>>4 ulelong&0x00000008 !0 \b, End Of Medium hit ->>>>>4 ulelong&0x00020000 0 +>>>>>4 ulelong&0x00020000 0 # MTF_SET_MAP_EXISTS A Media Based Catalog Set Map may exist on tape >>>>>>4 ulelong&0x00010000 !0 \b, with catalog # MTF_FDD_ALLOWED However File/Directory Detail can only exist if a Set Map is also present 
@@ -531,37 +531,37 @@ # Media Based Catalog Type (1,2) #>>>>>66 uleshort x \b, catalog type %4.4x # size of Media Name (66,68,6Eh) ->>>>>68 uleshort >0 +>>>>>68 uleshort >0 # offset of Media Name (5Eh) ->>>>>>70 uleshort >0 +>>>>>>70 uleshort >0 # 0~, 1~ANSI, 2~UNICODE ->>>>>>>48 ubyte 1 +>>>>>>>48 ubyte 1 # size terminated ansi coded string normally followed by "MTF Media Label" >>>>>>>>(70.s) string >\0 \b, name: %s ->>>>>>>48 ubyte 2 +>>>>>>>48 ubyte 2 # Not null, but size terminated unicoded string >>>>>>>>(70.s) lestring16 x \b, name: %s # size of Media Label (104h) ->>>>>72 uleshort >0 +>>>>>72 uleshort >0 # offset of Media Label (C4h,C6h,CCh) ->>>>>74 uleshort >0 ->>>>>>48 ubyte 1 +>>>>>74 uleshort >0 +>>>>>>48 ubyte 1 #Tag|Version|Vendor|Vendor ID|Creation Time Stamp|Cartridge Label|Side|Media ID|Media Domain ID|Vendor Specific fields >>>>>>>(74.s) string >\0 \b, label: %s ->>>>>>48 ubyte 2 +>>>>>>48 ubyte 2 >>>>>>>(74.s) lestring16 x \b, label: %s # size of password name (0,1Ch) #>>>>>76 uleshort >0 \b, password size %4.4x # Software Vendor ID (CBEh) >>>>>86 uleshort x \b, software (0x%x) # size of Software Name (6Eh) ->>>>>80 uleshort >0 +>>>>>80 uleshort >0 # offset of Software Name (1C8h,1CAh,1D0h) ->>>>>>82 uleshort >0 +>>>>>>82 uleshort >0 # 1~ANSI, 2~UNICODE ->>>>>>>48 ubyte 1 +>>>>>>>48 ubyte 1 >>>>>>>>(82.s) string >\0 \b: %s ->>>>>>>48 ubyte 2 +>>>>>>>48 ubyte 2 # size terminated unicoded coded string normally followed by "SPAD" >>>>>>>>(82.s) lestring16 x \b: %s # Format Logical Block Size (512,1024) diff --git a/magic/Magdir/xenix b/magic/Magdir/xenix index 89de6033268c..fb83faa876ed 100644 --- a/magic/Magdir/xenix +++ b/magic/Magdir/xenix 
@@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: xenix,v 1.10 2016/04/19 18:14:19 christos Exp $ +# $File: xenix,v 1.11 2017/03/17 21:35:28 christos Exp $ # xenix: file(1) magic for Microsoft Xenix # # "Middle model" stuff, and "Xenix 8086 relocatable or 80286 small @@ -16,14 +16,14 @@ # Reference: http://www.azillionmonkeys.com/qed/Omfg.pdf # Update: Joerg Jenderek # recordtype~TranslatorHEADerRecord -0 byte 0x80 +0 byte 0x80 # GRR: line above is too general as it catches also Extensible storage engine DataBase # skip examples like GENA.SND Switch.Snd by looking for record length maximal 1024-3 ->1 uleshort <1022 +>1 uleshort <1022 # skip examples like GAME.PICTURE Strange.Pic by looking for positiv record length ->>1 uleshort >0 +>>1 uleshort >0 # skip examples like Xtable.Data FRACTAL.GEN SHR.VIEW by looking for positiv string length ->>>3 ubyte >0 +>>>3 ubyte >0 # skip examples like OMBRE.6 with "UUUUUU" by looking for filename like "hello.c" >>>>4 regex [a-zA-Z_/]{1,8}[.] 8086 relocatable (Microsoft) #!:mime application/octet-stream @@ -54,8 +54,8 @@ >0x1c byte &0x9 286 >0x1c byte &0xa 386 >0x1f byte <0x040 small model ->0x1f byte =0x048 large model ->0x1f byte =0x049 huge model +>0x1f byte =0x048 large model +>0x1f byte =0x049 huge model >0x1e leshort &0x1 executable >0x1e leshort ^0x1 object file >0x1e leshort &0x40 Large Text diff --git a/magic/Magdir/xilinx b/magic/Magdir/xilinx index 91e84d91d0ee..a5219778d390 100644 --- a/magic/Magdir/xilinx +++ b/magic/Magdir/xilinx 
@@ -1,12 +1,12 @@ #------------------------------------------------------------------------------ -# $File: xilinx,v 1.7 2014/04/30 21:41:02 christos Exp $ +# $File: xilinx,v 1.8 2017/03/17 21:35:28 christos Exp $ # This is Aaron's attempt at a MAGIC file for Xilinx .bit files. # Xilinx-Magic@RevRagnarok.com # Got the info from FPGA-FAQ 0026 # -# Rewritten to use pstring/H instead of hardcoded lengths by O. Freyermuth, -# fixes at least reading of bitfiles from Spartan 2, 3, 6. +# Rewritten to use pstring/H instead of hardcoded lengths by O. Freyermuth, +# fixes at least reading of bitfiles from Spartan 2, 3, 6. # http://www.fpga-faq.com/FAQ_Pages/0026_Tell_me_about_bit_files.htm # # First there is the sync header and its length @@ -20,7 +20,7 @@ >>>>&0 pstring/H x - from %s # And then 'b' >>>>>&1 string b -# Then the model / part number: +# Then the model / part number: >>>>>>&0 pstring/H x - for %s # Then 'c' >>>>>>>&1 string c @@ -36,5 +36,5 @@ >>>>>>>>>>>>&0 belong x - data length 0x%x # Raw bitstream files -0 long 0xffffffff +0 long 0xffffffff >&0 belong 0xaa995566 Xilinx RAW bitstream (.BIN) diff --git a/magic/Magdir/xwindows b/magic/Magdir/xwindows index eb208927f01e..85f64c8c36a4 100644 --- a/magic/Magdir/xwindows +++ b/magic/Magdir/xwindows @@ -1,9 +1,9 @@ #------------------------------------------------------------------------------ -# $File: xwindows,v 1.9 2014/04/30 21:41:02 christos Exp $ +# $File: xwindows,v 1.10 2017/03/17 21:35:28 christos Exp $ # xwindows: file(1) magic for various X/Window system file formats. -# Compiled X Keymap +# Compiled X Keymap # XKM (compiled X keymap) files (including version and byte ordering) 1 string mkx Compiled XKB Keymap: lsb, >0 byte >0 version %d diff --git a/magic/Magdir/yara b/magic/Magdir/yara new file mode 100644 index 000000000000..523a2d05f410 --- /dev/null +++ b/magic/Magdir/yara 
@@ -0,0 +1,17 @@ + + +#------------------------------------------------------------------------------ +# $File: yara,v 1.2 2017/05/25 20:07:23 christos Exp $ +# yara: file(1) magic for http://virustotal.github.io/yara/ +# + +0 string YARA +>4 lelong >2047 +>8 byte <20 YARA 3.x compiled rule set +# version +>>8 clear x +>>8 byte 6 created with version 3.3.0 +>>8 byte 8 created with version 3.4.0 +>>8 byte 11 created with version 3.5.0 +>>8 default x +>>>8 byte x development version 0x%02x diff --git a/magic/Makefile.am b/magic/Makefile.am index 19701ecd179b..5259a478368d 100644 --- a/magic/Makefile.am +++ b/magic/Makefile.am @@ -1,5 +1,5 @@ # -# $File: Makefile.am,v 1.120 2016/10/17 19:52:29 christos Exp $ +# $File: Makefile.am,v 1.126 2017/08/10 11:01:38 christos Exp $ # MAGIC_FRAGMENT_BASE = Magdir MAGIC_DIR = $(top_srcdir)/magic @@ -21,6 +21,7 @@ $(MAGIC_FRAGMENT_DIR)/amigaos \ $(MAGIC_FRAGMENT_DIR)/android \ $(MAGIC_FRAGMENT_DIR)/animation \ $(MAGIC_FRAGMENT_DIR)/aout \ +$(MAGIC_FRAGMENT_DIR)/apache \ $(MAGIC_FRAGMENT_DIR)/apl \ $(MAGIC_FRAGMENT_DIR)/apple \ $(MAGIC_FRAGMENT_DIR)/application \ @@ -34,6 +35,7 @@ $(MAGIC_FRAGMENT_DIR)/audio \ $(MAGIC_FRAGMENT_DIR)/basis \ $(MAGIC_FRAGMENT_DIR)/ber \ $(MAGIC_FRAGMENT_DIR)/bflt \ +$(MAGIC_FRAGMENT_DIR)/bhl \ $(MAGIC_FRAGMENT_DIR)/bioinformatics \ $(MAGIC_FRAGMENT_DIR)/blackberry \ $(MAGIC_FRAGMENT_DIR)/blcr \ @@ -97,6 +99,7 @@ $(MAGIC_FRAGMENT_DIR)/fsav \ $(MAGIC_FRAGMENT_DIR)/fusecompress \ $(MAGIC_FRAGMENT_DIR)/games \ $(MAGIC_FRAGMENT_DIR)/gcc \ +$(MAGIC_FRAGMENT_DIR)/gconv \ $(MAGIC_FRAGMENT_DIR)/geo \ $(MAGIC_FRAGMENT_DIR)/geos \ $(MAGIC_FRAGMENT_DIR)/gimp \ @@ -104,6 +107,7 @@ $(MAGIC_FRAGMENT_DIR)/gnome \ $(MAGIC_FRAGMENT_DIR)/gnu \ $(MAGIC_FRAGMENT_DIR)/gnumeric \ $(MAGIC_FRAGMENT_DIR)/gpt \ +$(MAGIC_FRAGMENT_DIR)/gpu \ $(MAGIC_FRAGMENT_DIR)/grace \ $(MAGIC_FRAGMENT_DIR)/graphviz \ $(MAGIC_FRAGMENT_DIR)/gringotts \ 
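Review bot: The version guard `>8 byte <20` in the new magic/Magdir/yara file uses a signed `byte`, so values 0x80–0xff compare as negative and pass the test; `>8 ubyte <20` restricts it to the 0–19 range the description implies. Only the four-byte `YARA` string and a `lelong >2047` test precede it, so a tighter version check lowers the chance of labelling arbitrary data as a compiled rule set. A short comment saying what the field at offset 4 represents would also make the `>2047` threshold reviewable.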
@@ -275,6 +279,7 @@ $(MAGIC_FRAGMENT_DIR)/vorbis \ $(MAGIC_FRAGMENT_DIR)/vxl \ $(MAGIC_FRAGMENT_DIR)/warc \ $(MAGIC_FRAGMENT_DIR)/weak \ +$(MAGIC_FRAGMENT_DIR)/webassembly \ $(MAGIC_FRAGMENT_DIR)/windows \ $(MAGIC_FRAGMENT_DIR)/wireless \ $(MAGIC_FRAGMENT_DIR)/wordprocessors \ @@ -285,6 +290,7 @@ $(MAGIC_FRAGMENT_DIR)/xenix \ $(MAGIC_FRAGMENT_DIR)/xilinx \ $(MAGIC_FRAGMENT_DIR)/xo65 \ $(MAGIC_FRAGMENT_DIR)/xwindows \ +$(MAGIC_FRAGMENT_DIR)/yara \ $(MAGIC_FRAGMENT_DIR)/zfs \ $(MAGIC_FRAGMENT_DIR)/zilog \ $(MAGIC_FRAGMENT_DIR)/zyxel diff --git a/magic/Makefile.in b/magic/Makefile.in index 0de849d603bd..3555f9e6b332 100644 --- a/magic/Makefile.in +++ b/magic/Makefile.in @@ -273,7 +273,7 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ # -# $File: Makefile.am,v 1.120 2016/10/17 19:52:29 christos Exp $ +# $File: Makefile.am,v 1.126 2017/08/10 11:01:38 christos Exp $ # MAGIC_FRAGMENT_BASE = Magdir MAGIC_DIR = $(top_srcdir)/magic @@ -293,6 +293,7 @@ $(MAGIC_FRAGMENT_DIR)/amigaos \ $(MAGIC_FRAGMENT_DIR)/android \ $(MAGIC_FRAGMENT_DIR)/animation \ $(MAGIC_FRAGMENT_DIR)/aout \ +$(MAGIC_FRAGMENT_DIR)/apache \ $(MAGIC_FRAGMENT_DIR)/apl \ $(MAGIC_FRAGMENT_DIR)/apple \ $(MAGIC_FRAGMENT_DIR)/application \ @@ -306,6 +307,7 @@ $(MAGIC_FRAGMENT_DIR)/audio \ $(MAGIC_FRAGMENT_DIR)/basis \ $(MAGIC_FRAGMENT_DIR)/ber \ $(MAGIC_FRAGMENT_DIR)/bflt \ +$(MAGIC_FRAGMENT_DIR)/bhl \ $(MAGIC_FRAGMENT_DIR)/bioinformatics \ $(MAGIC_FRAGMENT_DIR)/blackberry \ $(MAGIC_FRAGMENT_DIR)/blcr \ @@ -369,6 +371,7 @@ $(MAGIC_FRAGMENT_DIR)/fsav \ $(MAGIC_FRAGMENT_DIR)/fusecompress \ $(MAGIC_FRAGMENT_DIR)/games \ $(MAGIC_FRAGMENT_DIR)/gcc \ +$(MAGIC_FRAGMENT_DIR)/gconv \ $(MAGIC_FRAGMENT_DIR)/geo \ $(MAGIC_FRAGMENT_DIR)/geos \ $(MAGIC_FRAGMENT_DIR)/gimp \ 
@@ -376,6 +379,7 @@ $(MAGIC_FRAGMENT_DIR)/gnome \ $(MAGIC_FRAGMENT_DIR)/gnu \ $(MAGIC_FRAGMENT_DIR)/gnumeric \ $(MAGIC_FRAGMENT_DIR)/gpt \ +$(MAGIC_FRAGMENT_DIR)/gpu \ $(MAGIC_FRAGMENT_DIR)/grace \ $(MAGIC_FRAGMENT_DIR)/graphviz \ $(MAGIC_FRAGMENT_DIR)/gringotts \ @@ -547,6 +551,7 @@ $(MAGIC_FRAGMENT_DIR)/vorbis \ $(MAGIC_FRAGMENT_DIR)/vxl \ $(MAGIC_FRAGMENT_DIR)/warc \ $(MAGIC_FRAGMENT_DIR)/weak \ +$(MAGIC_FRAGMENT_DIR)/webassembly \ $(MAGIC_FRAGMENT_DIR)/windows \ $(MAGIC_FRAGMENT_DIR)/wireless \ $(MAGIC_FRAGMENT_DIR)/wordprocessors \ @@ -557,6 +562,7 @@ $(MAGIC_FRAGMENT_DIR)/xenix \ $(MAGIC_FRAGMENT_DIR)/xilinx \ $(MAGIC_FRAGMENT_DIR)/xo65 \ $(MAGIC_FRAGMENT_DIR)/xwindows \ +$(MAGIC_FRAGMENT_DIR)/yara \ $(MAGIC_FRAGMENT_DIR)/zfs \ $(MAGIC_FRAGMENT_DIR)/zilog \ $(MAGIC_FRAGMENT_DIR)/zyxel diff --git a/python/magic.py b/python/magic.py index b0f7a1765e8f..662569e889d0 100644 --- a/python/magic.py +++ b/python/magic.py 
@@ -117,30 +117,43 @@ def close(self): """ _close(self._magic_t) + @staticmethod + def __tostr(s): + if s is None: + return None + if isinstance(s, str): + return s + try: # keep Python 2 compatibility + return str(s, 'utf-8') + except TypeError: + return str(s) + + @staticmethod + def __tobytes(b): + if b is None: + return None + if isinstance(b, bytes): + return b + try: # keep Python 2 compatibility + return bytes(b, 'utf-8') + except TypeError: + return bytes(b) + def file(self, filename): """ Returns a textual description of the contents of the argument passed as a filename or None if an error occurred and the MAGIC_ERROR flag - is set. A call to errno() will return the numeric error code. + is set. A call to errno() will return the numeric error code. """ - if isinstance(filename, bytes): - bi = filename - else: - try: # keep Python 2 compatibility - bi = bytes(filename, 'utf-8') - except TypeError: - bi = bytes(filename) - r = _file(self._magic_t, bi) - if isinstance(r, str): - return r - else: - return str(r, 'utf-8') + return Magic.__tostr(_file(self._magic_t, Magic.__tobytes(filename))) def descriptor(self, fd): """ - Like the file method, but the argument is a file descriptor. + Returns a textual description of the contents of the argument passed + as a file descriptor or None if an error occurred and the MAGIC_ERROR + flag is set. A call to errno() will return the numeric error code. """ - return _descriptor(self._magic_t, fd) + return Magic.__tostr(_descriptor(self._magic_t, fd)) def buffer(self, buf): """ 
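Review bot: `__tostr` catches only `TypeError`, so on Python 3 `str(s, 'utf-8')` raises `UnicodeDecodeError` whenever libmagic returns bytes that are not valid UTF-8, and `file()`, `descriptor()` and the callers converted in the following hunks all inherit that. A service that classifies untrusted files through these bindings would then fail with an exception instead of getting a description; whether libmagic can emit such bytes depends on the flags in use, which this hunk does not show. Decoding with an error handler avoids it: `return str(s, 'utf-8', 'backslashreplace')`. Separately, `__tobytes` falls back to `bytes(b)`, which for an integer argument on Python 3 yields that many zero bytes rather than an error, so an explicit type check that raises `TypeError` would be safer than the silent fallback.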
@@ -148,22 +161,14 @@ def buffer(self, buf): as a buffer or None if an error occurred and the MAGIC_ERROR flag is set. A call to errno() will return the numeric error code. """ - r = _buffer(self._magic_t, buf, len(buf)) - if isinstance(r, str): - return r - else: - return str(r, 'utf-8') + return Magic.__tostr(_buffer(self._magic_t, buf, len(buf))) def error(self): """ Returns a textual explanation of the last error or None if there was no error. """ - e = _error(self._magic_t) - if isinstance(e, str): - return e - else: - return str(e, 'utf-8') + return Magic.__tostr(_error(self._magic_t)) def setflags(self, flags): """ @@ -184,35 +189,38 @@ def load(self, filename=None): Returns 0 on success and -1 on failure. """ - return _load(self._magic_t, filename) + return _load(self._magic_t, Magic.__tobytes(filename)) def compile(self, dbs): """ Compile entries in the colon separated list of database files passed as argument or the default database file if no argument. - Returns 0 on success and -1 on failure. The compiled files created are named from the basename(1) of each file argument with ".mgc" appended to it. + + Returns 0 on success and -1 on failure. """ - return _compile(self._magic_t, dbs) + return _compile(self._magic_t, Magic.__tobytes(dbs)) def check(self, dbs): """ Check the validity of entries in the colon separated list of database files passed as argument or the default database file if no argument. + Returns 0 on success and -1 on failure. """ - return _check(self._magic_t, dbs) + return _check(self._magic_t, Magic.__tobytes(dbs)) def list(self, dbs): """ Check the validity of entries in the colon separated list of database files passed as argument or the default database file if no argument. + Returns 0 on success and -1 on failure. """ - return _list(self._magic_t, dbs) + return _list(self._magic_t, Magic.__tobytes(dbs)) def errno(self): """ diff --git a/src/apprentice.c b/src/apprentice.c index f2622c081284..a7b4dd8f9115 100644 
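Review bot: The docstring of `list()` is a copy of the one on `check()` ("Check the validity of entries ..."), and this hunk reformats it without correcting it. The method calls `_list`, which wraps libmagic's magic_list, so the text should describe dumping the entries rather than validating them, for example `Dump all magic entries in the colon separated list of database files passed as argument, or the default database file if no argument, in a human readable format.` The "Returns 0 on success and -1 on failure." line can stay as it is.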
--- a/src/apprentice.c +++ b/src/apprentice.c @@ -32,7 +32,7 @@ #include "file.h" #ifndef lint -FILE_RCSID("@(#)$File: apprentice.c,v 1.255 2016/10/24 18:02:17 christos Exp $") +FILE_RCSID("@(#)$File: apprentice.c,v 1.262 2017/08/28 13:39:18 christos Exp $") #endif /* lint */ #include "magic.h" @@ -549,8 +549,10 @@ apprentice_unmap(struct magic_map *map) break; case MAP_TYPE_MALLOC: for (i = 0; i < MAGIC_SETS; i++) { - if ((char *)map->magic[i] >= (char *)map->p && - (char *)map->magic[i] <= (char *)map->p + map->len) + void *b = map->magic[i]; + void *p = map->p; + if (CAST(char *, b) >= CAST(char *, p) && + CAST(char *, b) <= CAST(char *, p) + map->len) continue; free(map->magic[i]); } @@ -610,8 +612,7 @@ buffer_apprentice(struct magic_set *ms, struct magic **bufs, if (nbufs == 0) return -1; - if (ms->mlist[0] != NULL) - file_reset(ms); + (void)file_reset(ms, 0); init_file_tables(); @@ -654,8 +655,7 @@ file_apprentice(struct magic_set *ms, const char *fn, int action) int file_err, errs = -1; size_t i; - if (ms->mlist[0] != NULL) - file_reset(ms); + (void)file_reset(ms, 0); if ((fn = magic_getpath(fn, action)) == NULL) return -1; 
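Review bot: In `apprentice_unmap` the upper bound of the "is this pointer inside the map" test is still inclusive: `CAST(char *, b) <= CAST(char *, p) + map->len` treats a pointer equal to one past the end of the buffer as part of it, so such a block would be skipped instead of freed. The rewrite only introduces the temporaries `b` and `p`, so this is carried over from the old code, but a strict bound matches the intent: `CAST(char *, b) < CAST(char *, p) + map->len`. A one-line comment stating that entries pointing into `map->p` belong to the single allocation and must not be freed individually would also help. The function starts and ends outside the hunk.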
@@ -777,6 +777,59 @@ nonmagic(const char *str) return rv == 0 ? 1 : rv; /* Return at least 1 */ } + +private size_t +typesize(int type) +{ + switch (type) { + case FILE_BYTE: + return 1; + + case FILE_SHORT: + case FILE_LESHORT: + case FILE_BESHORT: + return 2; + + case FILE_LONG: + case FILE_LELONG: + case FILE_BELONG: + case FILE_MELONG: + return 4; + + case FILE_DATE: + case FILE_LEDATE: + case FILE_BEDATE: + case FILE_MEDATE: + case FILE_LDATE: + case FILE_LELDATE: + case FILE_BELDATE: + case FILE_MELDATE: + case FILE_FLOAT: + case FILE_BEFLOAT: + case FILE_LEFLOAT: + return 4; + + case FILE_QUAD: + case FILE_BEQUAD: + case FILE_LEQUAD: + case FILE_QDATE: + case FILE_LEQDATE: + case FILE_BEQDATE: + case FILE_QLDATE: + case FILE_LEQLDATE: + case FILE_BEQLDATE: + case FILE_QWDATE: + case FILE_LEQWDATE: + case FILE_BEQWDATE: + case FILE_DOUBLE: + case FILE_BEDOUBLE: + case FILE_LEDOUBLE: + return 8; + default: + return (size_t)~0; + } +} + /* * Get weight of this magic entry, for sorting purposes. */ @@ -784,7 +837,7 @@ private size_t apprentice_magic_strength(const struct magic *m) { #define MULT 10 - size_t v, val = 2 * MULT; /* baseline strength */ + size_t ts, v, val = 2 * MULT; /* baseline strength */ switch (m->type) { case FILE_DEFAULT: /* make sure this sorts last */ 
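Review bot: `typesize()` reports an unknown type with the bare expression `(size_t)~0`, and the same literal is compared against in `apprentice_magic_strength` and `getvalue` later in this patch. A named constant would keep the three sites in step, for example `#define FILE_BADSIZE CAST(size_t, ~0ul)` with `return FILE_BADSIZE;` in the `default:` branch. The function also has no header comment; one line saying that it returns the width in bytes of a fixed-size numeric type, or the sentinel for every other type, would make the contract explicit. The two case groups that both `return 4` could share one list.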
@@ -793,20 +846,43 @@ apprentice_magic_strength(const struct magic *m) return 0; case FILE_BYTE: - val += 1 * MULT; - break; - case FILE_SHORT: case FILE_LESHORT: case FILE_BESHORT: - val += 2 * MULT; - break; - case FILE_LONG: case FILE_LELONG: case FILE_BELONG: case FILE_MELONG: - val += 4 * MULT; + case FILE_DATE: + case FILE_LEDATE: + case FILE_BEDATE: + case FILE_MEDATE: + case FILE_LDATE: + case FILE_LELDATE: + case FILE_BELDATE: + case FILE_MELDATE: + case FILE_FLOAT: + case FILE_BEFLOAT: + case FILE_LEFLOAT: + case FILE_QUAD: + case FILE_BEQUAD: + case FILE_LEQUAD: + case FILE_QDATE: + case FILE_LEQDATE: + case FILE_BEQDATE: + case FILE_QLDATE: + case FILE_LEQLDATE: + case FILE_BEQLDATE: + case FILE_QWDATE: + case FILE_LEQWDATE: + case FILE_BEQWDATE: + case FILE_DOUBLE: + case FILE_BEDOUBLE: + case FILE_LEDOUBLE: + ts = typesize(m->type); + if (ts == (size_t)~0) + abort(); + val += ts * MULT; break; case FILE_PSTRING: @@ -828,38 +904,6 @@ apprentice_magic_strength(const struct magic *m) val += v * MAX(MULT / v, 1); break; - case FILE_DATE: - case FILE_LEDATE: - case FILE_BEDATE: - case FILE_MEDATE: - case FILE_LDATE: - case FILE_LELDATE: - case FILE_BELDATE: - case FILE_MELDATE: - case FILE_FLOAT: - case FILE_BEFLOAT: - case FILE_LEFLOAT: - val += 4 * MULT; - break; - - case FILE_QUAD: - case FILE_BEQUAD: - case FILE_LEQUAD: - case FILE_QDATE: - case FILE_LEQDATE: - case FILE_BEQDATE: - case FILE_QLDATE: - case FILE_LEQLDATE: - case FILE_BEQLDATE: - case FILE_QWDATE: - case FILE_LEQWDATE: - case FILE_BEQWDATE: - case FILE_DOUBLE: - case FILE_BEDOUBLE: - case FILE_LEDOUBLE: - val += 8 * MULT; - break; - case FILE_INDIRECT: case FILE_NAME: case FILE_USE: @@ -1314,6 +1358,8 @@ apprentice_load(struct magic_set *ms, const char *fn, int action) goto out; } while ((d = readdir(dir)) != NULL) { + if (d->d_name[0] == '.') + continue; if (asprintf(&mfn, "%s/%s", fn, d->d_name) < 0) { file_oomem(ms, strlen(fn) + strlen(d->d_name) + 2); 
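Review bot: The `abort()` after `ts = typesize(m->type)` in `apprentice_magic_strength` becomes reachable as soon as this case list and the one in `typesize()` drift apart, and when it fires it terminates whatever process loaded the library. Nothing in the code ties the two lists together, so record the dependency at the call: `/* every case label above must also be handled by typesize() */`. If a hard stop is not wanted on a library path, keeping the baseline weight is enough for sorting to continue: `if (ts == (size_t)~0) break;`. The function continues outside the hunk.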
@@ -2291,7 +2337,7 @@ parse_ext(struct magic_set *ms, struct magic_entry *me, const char *line) return parse_extra(ms, me, line, CAST(off_t, offsetof(struct magic, ext)), - sizeof(m->ext), "EXTENSION", ",!+-/", 0); + sizeof(m->ext), "EXTENSION", ",!+-/@", 0); } /* @@ -2352,6 +2398,8 @@ check_format_type(const char *ptr, int type, const char **estr) ptr++; if (*ptr == '.') ptr++; + if (*ptr == '#') + ptr++; #define CHECKLEN() do { \ for (len = cnt = 0; isdigit((unsigned char)*ptr); ptr++, cnt++) \ len = len * 10 + (*ptr - '0'); \ @@ -2617,9 +2665,46 @@ getvalue(struct magic_set *ms, struct magic *m, const char **p, int action) default: if (m->reln != 'x') { char *ep; + uint64_t ull; errno = 0; - m->value.q = file_signextend(ms, m, - (uint64_t)strtoull(*p, &ep, 0)); + ull = (uint64_t)strtoull(*p, &ep, 0); + m->value.q = file_signextend(ms, m, ull); + if (*p == ep) { + file_magwarn(ms, "Unparseable number `%s'", *p); + } else { + size_t ts = typesize(m->type); + uint64_t x; + const char *q; + + if (ts == (size_t)~0) { + file_magwarn(ms, "Expected numeric type got `%s'", + type_tbl[m->type].name); + } + for (q = *p; isspace((unsigned char)*q); q++) + continue; + if (*q == '-') + ull = -(int64_t)ull; + switch (ts) { + case 1: + x = ull & ~0xffULL; + break; + case 2: + x = ull & ~0xffffULL; + break; + case 4: + x = ull & ~0xffffffffULL; + break; + case 8: + x = 0; + break; + default: + abort(); + } + if (x) { + file_magwarn(ms, "Overflow for numeric type `%s' value %#" PRIx64, + type_tbl[m->type].name, ull); + } + } if (errno == 0) { *p = ep; eatsize(p); 
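Review bot: The added `if (*ptr == '#') ptr++;` in `check_format_type` is tested after the optional `.`, so as far as this hunk shows a description containing `%.#x` passes validation although `#` is a printf flag and is not valid after the precision dot, while `%#.5x` would presumably be rejected. Since this function vets format strings that come from magic files, the accepted grammar should match printf: move the new test ahead of the dot, i.e. `if (*ptr == '#') ptr++;` followed by `if (*ptr == '.') ptr++;`. The statements before the first `ptr++` are outside the hunk, so the position relative to the other flags should be confirmed there.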
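Review bot: In `getvalue`, when `typesize(m->type)` returns `(size_t)~0` the code warns with "Expected numeric type" and then still enters `switch (ts)`, whose `default:` branch calls `abort()`. If a non-numeric type can reach this branch of the outer switch (its other cases are outside the hunk), a magic file with such an entry stops the process right after the warning instead of being reported as a bad entry. The warning has already been issued, so the inner switch can simply skip the range check: `default: x = 0; break;`. In the same block `ull = -(int64_t)ull;` negates a signed value, which is undefined for the most negative 64-bit number; `ull = 0 - ull;` produces the same bits in unsigned arithmetic.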
@@ -3271,22 +3356,35 @@ file_pstring_get_length(const struct magic *m, const char *ss) { size_t len = 0; const unsigned char *s = (const unsigned char *)ss; + unsigned int s3, s2, s1, s0; switch (m->str_flags & PSTRING_LEN) { case PSTRING_1_LE: len = *s; break; case PSTRING_2_LE: - len = (s[1] << 8) | s[0]; + s0 = s[0]; + s1 = s[1]; + len = (s1 << 8) | s0; break; case PSTRING_2_BE: - len = (s[0] << 8) | s[1]; + s0 = s[0]; + s1 = s[1]; + len = (s0 << 8) | s1; break; case PSTRING_4_LE: - len = (s[3] << 24) | (s[2] << 16) | (s[1] << 8) | s[0]; + s0 = s[0]; + s1 = s[1]; + s2 = s[2]; + s3 = s[3]; + len = (s3 << 24) | (s2 << 16) | (s1 << 8) | s0; break; case PSTRING_4_BE: - len = (s[0] << 24) | (s[1] << 16) | (s[2] << 8) | s[3]; + s0 = s[0]; + s1 = s[1]; + s2 = s[2]; + s3 = s[3]; + len = (s0 << 24) | (s1 << 16) | (s2 << 8) | s3; break; default: abort(); /* Impossible */ diff --git a/src/cdf.c b/src/cdf.c index d38e793612fc..accfb325b999 100644 --- a/src/cdf.c +++ b/src/cdf.c @@ -35,7 +35,7 @@ #include "file.h" #ifndef lint -FILE_RCSID("@(#)$File: cdf.c,v 1.85 2016/10/24 18:02:17 christos Exp $") +FILE_RCSID("@(#)$File: cdf.c,v 1.106 2017/04/30 17:05:02 christos Exp $") #endif #include 
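Review bot: The new temporaries in `file_pstring_get_length` carry no comment explaining why they exist, and without one a later cleanup is likely to fold them back into `(s[3] << 24) | ...`. The reason is that `s[n]` promotes to `int`, so shifting a byte with its top bit set by 24 overflows a signed value; a comment above the switch such as `/* copy into unsigned first: s[3] << 24 would shift into the sign bit of int */` records that. The function reads up to four bytes from `ss` without taking a length, so it presumably relies on the caller having checked that the length prefix lies inside the buffer; that precondition is worth stating in the header comment as well.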
@@ -80,6 +80,34 @@ static union { CDF_TOLE8(CAST(uint64_t, x)))) #define CDF_GETUINT32(x, y) cdf_getuint32(x, y) +#define CDF_MALLOC(n) cdf_malloc(__FILE__, __LINE__, (n)) +#define CDF_REALLOC(p, n) cdf_realloc(__FILE__, __LINE__, (p), (n)) +#define CDF_CALLOC(n, u) cdf_calloc(__FILE__, __LINE__, (n), (u)) + + +static void * +cdf_malloc(const char *file __attribute__((__unused__)), + size_t line __attribute__((__unused__)), size_t n) +{ + DPRINTF(("%s,%zu: %s %zu\n", file, line, __func__, n)); + return malloc(n); +} + +static void * +cdf_realloc(const char *file __attribute__((__unused__)), + size_t line __attribute__((__unused__)), void *p, size_t n) +{ + DPRINTF(("%s,%zu: %s %zu\n", file, line, __func__, n)); + return realloc(p, n); +} + +static void * +cdf_calloc(const char *file __attribute__((__unused__)), + size_t line __attribute__((__unused__)), size_t n, size_t u) +{ + DPRINTF(("%s,%zu: %s %zu %zu\n", file, line, __func__, n, u)); + return calloc(n, u); +} /* * swap a short @@ -340,18 +368,18 @@ cdf_read_header(const cdf_info_t *info, cdf_header_t *h) cdf_unpack_header(h, buf); cdf_swap_header(h); if (h->h_magic != CDF_MAGIC) { - DPRINTF(("Bad magic 0x%" INT64_T_FORMAT "x != 0x%" + DPRINTF(("Bad magic %#" INT64_T_FORMAT "x != %#" INT64_T_FORMAT "x\n", (unsigned long long)h->h_magic, (unsigned long long)CDF_MAGIC)); goto out; } if (h->h_sec_size_p2 > 20) { - DPRINTF(("Bad sector size 0x%u\n", h->h_sec_size_p2)); + DPRINTF(("Bad sector size %hu\n", h->h_sec_size_p2)); goto out; } if (h->h_short_sec_size_p2 > 20) { - DPRINTF(("Bad short sector size 0x%u\n", + DPRINTF(("Bad short sector size %hu\n", h->h_short_sec_size_p2)); goto out; } 
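Review bot: The `DPRINTF` calls in `cdf_malloc`, `cdf_realloc` and `cdf_calloc` use `%zu`, while the existing messages in this file spell size_t conversions through the portability macro, e.g. `"sat_len = %" SIZE_T_FORMAT "u ..."` in `cdf_read_sat`. For consistency write the new ones the same way: `DPRINTF(("%s,%" SIZE_T_FORMAT "u: %s %" SIZE_T_FORMAT "u\n", file, line, __func__, n));`. The three wrappers also have no comment; one line above `cdf_malloc` saying that they only add debug tracing and return exactly what the underlying allocator returns (so callers still check for NULL and keep the old pointer on a failed `CDF_REALLOC`) would be enough.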
@@ -408,7 +436,7 @@ cdf_read_sat(const cdf_info_t *info, cdf_header_t *h, cdf_sat_t *sat) if (h->h_master_sat[i] == CDF_SECID_FREE) break; -#define CDF_SEC_LIMIT (UINT32_MAX / (4 * ss)) +#define CDF_SEC_LIMIT (UINT32_MAX / (8 * ss)) if ((nsatpersec > 0 && h->h_num_sectors_in_master_sat > CDF_SEC_LIMIT / nsatpersec) || i > CDF_SEC_LIMIT) { @@ -421,7 +449,7 @@ cdf_read_sat(const cdf_info_t *info, cdf_header_t *h, cdf_sat_t *sat) sat->sat_len = h->h_num_sectors_in_master_sat * nsatpersec + i; DPRINTF(("sat_len = %" SIZE_T_FORMAT "u ss = %" SIZE_T_FORMAT "u\n", sat->sat_len, ss)); - if ((sat->sat_tab = CAST(cdf_secid_t *, calloc(sat->sat_len, ss))) + if ((sat->sat_tab = CAST(cdf_secid_t *, CDF_CALLOC(sat->sat_len, ss))) == NULL) return -1; @@ -435,7 +463,7 @@ cdf_read_sat(const cdf_info_t *info, cdf_header_t *h, cdf_sat_t *sat) } } - if ((msa = CAST(cdf_secid_t *, calloc(1, ss))) == NULL) + if ((msa = CAST(cdf_secid_t *, CDF_CALLOC(1, ss))) == NULL) goto out1; mid = h->h_secid_first_sector_in_master_sat; @@ -527,13 +555,16 @@ cdf_read_long_sector_chain(const cdf_info_t *info, const cdf_header_t *h, ssize_t nr; scn->sst_tab = NULL; scn->sst_len = cdf_count_chain(sat, sid, ss); - scn->sst_dirlen = len; + scn->sst_dirlen = MAX(h->h_min_size_standard_stream, len); scn->sst_ss = ss; + if (sid == CDF_SECID_END_OF_CHAIN || len == 0) + return cdf_zero_stream(scn); + if (scn->sst_len == (size_t)-1) goto out; - scn->sst_tab = calloc(scn->sst_len, ss); + scn->sst_tab = CDF_CALLOC(scn->sst_len, ss); if (scn->sst_tab == NULL) return cdf_zero_stream(scn); @@ -579,7 +610,7 @@ cdf_read_short_sector_chain(const cdf_header_t *h, if (scn->sst_len == (size_t)-1) goto out; - scn->sst_tab = calloc(scn->sst_len, ss); + scn->sst_tab = CDF_CALLOC(scn->sst_len, ss); if (scn->sst_tab == NULL) return cdf_zero_stream(scn); 
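Review bot: `scn->sst_dirlen = MAX(h->h_min_size_standard_stream, len);` in `cdf_read_long_sector_chain` replaces the caller's length with a value taken from the header of the file being examined, and nothing in the hunk says why. The table allocated just below is still `sst_len * ss`, so any code that later treats `sst_dirlen` as a count of valid bytes would have to be checked against this change; that code is not visible here. Please add a comment stating what `sst_dirlen` means after the clamp, for example `/* never below the standard-stream threshold, so this stream is always handled as long-sector */`, if that is the intent. The function starts and ends outside the hunk.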
@@ -637,11 +668,11 @@ cdf_read_dir(const cdf_info_t *info, const cdf_header_t *h, dir->dir_len = ns * nd; dir->dir_tab = CAST(cdf_directory_t *, - calloc(dir->dir_len, sizeof(dir->dir_tab[0]))); + CDF_CALLOC(dir->dir_len, sizeof(dir->dir_tab[0]))); if (dir->dir_tab == NULL) return -1; - if ((buf = CAST(char *, malloc(ss))) == NULL) { + if ((buf = CAST(char *, CDF_MALLOC(ss))) == NULL) { free(dir->dir_tab); return -1; } @@ -687,7 +718,7 @@ cdf_read_ssat(const cdf_info_t *info, const cdf_header_t *h, if (ssat->sat_len == (size_t)-1) goto out; - ssat->sat_tab = CAST(cdf_secid_t *, calloc(ssat->sat_len, ss)); + ssat->sat_tab = CAST(cdf_secid_t *, CDF_CALLOC(ssat->sat_len, ss)); if (ssat->sat_tab == NULL) goto out1; 
@@ -808,13 +839,107 @@ cdf_find_stream(const cdf_dir_t *dir, const char *name, int type) == 0) break; if (i > 0) - return i; + return CAST(int, i); DPRINTF(("Cannot find type %d `%s'\n", type, name)); errno = ESRCH; return 0; } +#define CDF_SHLEN_LIMIT (UINT32_MAX / 8) +#define CDF_PROP_LIMIT (UINT32_MAX / (8 * sizeof(cdf_property_info_t))) + +static const void * +cdf_offset(const void *p, size_t l) +{ + return CAST(const void *, CAST(const uint8_t *, p) + l); +} + +static const uint8_t * +cdf_get_property_info_pos(const cdf_stream_t *sst, const cdf_header_t *h, + const uint8_t *p, const uint8_t *e, size_t i) +{ + size_t tail = (i << 1) + 1; + size_t ofs; + const uint8_t *q; + + if (p >= e) { + DPRINTF(("Past end %p < %p\n", e, p)); + return NULL; + } + if (cdf_check_stream_offset(sst, h, p, (tail + 1) * sizeof(uint32_t), + __LINE__) == -1) + return NULL; + ofs = CDF_GETUINT32(p, tail); + q = CAST(const uint8_t *, cdf_offset(CAST(const void *, p), + ofs - 2 * sizeof(uint32_t))); + + if (q < p) { + DPRINTF(("Wrapped around %p < %p\n", q, p)); + return NULL; + } + + if (q >= e) { + DPRINTF(("Ran off the end %p >= %p\n", q, e)); + return NULL; + } + return q; +} + +static cdf_property_info_t * +cdf_grow_info(cdf_property_info_t **info, size_t *maxcount, size_t incr) +{ + cdf_property_info_t *inp; + size_t newcount = *maxcount + incr; + + if (newcount > CDF_PROP_LIMIT) { + DPRINTF(("exceeded property limit %zu > %zu\n", + newcount, CDF_PROP_LIMIT)); + goto out; + } + inp = CAST(cdf_property_info_t *, + CDF_REALLOC(*info, newcount * sizeof(*inp))); + if (inp == NULL) + goto out; + + *info = inp; + *maxcount = newcount; + return inp; +out: + free(*info); + *maxcount = 0; + *info = NULL; + return NULL; +} + +static int +cdf_copy_info(cdf_property_info_t *inp, const void *p, const void *e, + size_t len) +{ + if (inp->pi_type & CDF_VECTOR) + return 0; + + if ((size_t)(CAST(const char *, e) - CAST(const char *, p)) < len) + return 0; + + (void)memcpy(&inp->pi_val, p, len); + 
+ switch (len) { + case 2: + inp->pi_u16 = CDF_TOLE2(inp->pi_u16); + break; + case 4: + inp->pi_u32 = CDF_TOLE4(inp->pi_u32); + break; + case 8: + inp->pi_u64 = CDF_TOLE8(inp->pi_u64); + break; + default: + abort(); + } + return 1; +} + int cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, uint32_t offs, cdf_property_info_t **info, size_t *count, size_t *maxcount) 
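Review bot: In `cdf_get_property_info_pos` the offset read from the file is used in pointer arithmetic before it is validated: `ofs - 2 * sizeof(uint32_t)` wraps when `ofs` is smaller than 8, and the `q < p` test meant to catch this compares a pointer that has already been formed outside the buffer, which is undefined behaviour and may be optimised away. Checking the integer first and only then forming `q` gives the same accept/reject result without relying on pointer wraparound. `p < e` is already established at the top of the function, so `e - p` is a valid size.

```c
	/* … unchanged: p >= e test and cdf_check_stream_offset() call … */
	ofs = CDF_GETUINT32(p, tail);
	if (ofs < 2 * sizeof(uint32_t)) {
		DPRINTF(("Offset %" SIZE_T_FORMAT "u precedes the property table\n",
		    ofs));
		return NULL;
	}
	ofs -= 2 * sizeof(uint32_t);
	if (ofs >= CAST(size_t, e - p)) {
		DPRINTF(("Ran off the end %" SIZE_T_FORMAT "u >= %"
		    SIZE_T_FORMAT "u\n", ofs, CAST(size_t, e - p)));
		return NULL;
	}
	q = p + ofs;
	return q;
```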
@@ -822,92 +947,69 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, const cdf_section_header_t *shp; cdf_section_header_t sh; const uint8_t *p, *q, *e; - int16_t s16; - int32_t s32; - uint32_t u32; - int64_t s64; - uint64_t u64; - cdf_timestamp_t tp; - size_t i, o, o4, nelements, j; + size_t i, o4, nelements, j, slen, left; cdf_property_info_t *inp; if (offs > UINT32_MAX / 4) { errno = EFTYPE; goto out; } - shp = CAST(const cdf_section_header_t *, (const void *) - ((const char *)sst->sst_tab + offs)); + shp = CAST(const cdf_section_header_t *, + cdf_offset(sst->sst_tab, offs)); if (cdf_check_stream_offset(sst, h, shp, sizeof(*shp), __LINE__) == -1) goto out; sh.sh_len = CDF_TOLE4(shp->sh_len); -#define CDF_SHLEN_LIMIT (UINT32_MAX / 8) if (sh.sh_len > CDF_SHLEN_LIMIT) { errno = EFTYPE; goto out; } - sh.sh_properties = CDF_TOLE4(shp->sh_properties); -#define CDF_PROP_LIMIT (UINT32_MAX / (4 * sizeof(*inp))) - if (sh.sh_properties > CDF_PROP_LIMIT) + + if (cdf_check_stream_offset(sst, h, shp, sh.sh_len, __LINE__) == -1) goto out; + + sh.sh_properties = CDF_TOLE4(shp->sh_properties); DPRINTF(("section len: %u properties %u\n", sh.sh_len, sh.sh_properties)); - if (*maxcount) { - if (*maxcount > CDF_PROP_LIMIT) - goto out; - *maxcount += sh.sh_properties; - inp = CAST(cdf_property_info_t *, - realloc(*info, *maxcount * sizeof(*inp))); - } else { - *maxcount = sh.sh_properties; - inp = CAST(cdf_property_info_t *, - malloc(*maxcount * sizeof(*inp))); - } + if (sh.sh_properties > CDF_PROP_LIMIT) + goto out; + inp = cdf_grow_info(info, maxcount, sh.sh_properties); if (inp == NULL) - goto out1; - *info = inp; + goto out; inp += *count; *count += sh.sh_properties; - p = CAST(const uint8_t *, (const void *) - ((const char *)(const void *)sst->sst_tab + - offs + sizeof(sh))); - e = CAST(const uint8_t *, (const void *) - (((const char *)(const void *)shp) + sh.sh_len)); - if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1) + p = CAST(const uint8_t 
*, cdf_offset(sst->sst_tab, offs + sizeof(sh))); + e = CAST(const uint8_t *, cdf_offset(shp, sh.sh_len)); + if (p >= e || cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1) goto out; + for (i = 0; i < sh.sh_properties; i++) { - size_t tail = (i << 1) + 1; - size_t ofs; - if (cdf_check_stream_offset(sst, h, p, tail * sizeof(uint32_t), - __LINE__) == -1) + if ((q = cdf_get_property_info_pos(sst, h, p, e, i)) == NULL) goto out; - ofs = CDF_GETUINT32(p, tail); - q = (const uint8_t *)(const void *) - ((const char *)(const void *)p + ofs - - 2 * sizeof(uint32_t)); - if (q < p) { - DPRINTF(("Wrapped around %p < %p\n", q, p)); - goto out; - } - if (q > e) { - DPRINTF(("Ran of the end %p > %p\n", q, e)); - goto out; - } inp[i].pi_id = CDF_GETUINT32(p, i << 1); + left = CAST(size_t, e - q); + if (left < sizeof(uint32_t)) { + DPRINTF(("short info (no type)_\n")); + goto out; + } inp[i].pi_type = CDF_GETUINT32(q, 0); - DPRINTF(("%" SIZE_T_FORMAT "u) id=%x type=%x offs=0x%tx,0x%x\n", + DPRINTF(("%" SIZE_T_FORMAT "u) id=%#x type=%#x offs=%#tx,%#x\n", i, inp[i].pi_id, inp[i].pi_type, q - p, offs)); if (inp[i].pi_type & CDF_VECTOR) { + if (left < sizeof(uint32_t) * 2) { + DPRINTF(("missing CDF_VECTOR length\n")); + goto out; + } nelements = CDF_GETUINT32(q, 1); if (nelements == 0) { DPRINTF(("CDF_VECTOR with nelements == 0\n")); goto out; } - o = 2; + slen = 2; } else { nelements = 1; - o = 1; + slen = 1; } - o4 = o * sizeof(uint32_t); + o4 = slen * sizeof(uint32_t); if (inp[i].pi_type & (CDF_ARRAY|CDF_BYREF|CDF_RESERVED)) goto unknown; switch (inp[i].pi_type & CDF_TYPEMASK) { 
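Review bot: With `goto out1` replaced by `goto out` after `cdf_grow_info()`, an allocation failure in `cdf_read_property_info` now leaves through the label that sets `errno = EFTYPE`, so running out of memory is reported to the caller as a malformed file. The old code kept the allocator's `errno` on that path. If callers log or branch on the reason, either preserve it (save `errno` in `cdf_grow_info()` before its `free(*info)` and skip the overwrite for that case) or document in the function's header comment that every failure is reported as `EFTYPE`. The `out:` label itself is in the next hunk.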
@@ -915,109 +1017,83 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, case CDF_EMPTY: break; case CDF_SIGNED16: - if (inp[i].pi_type & CDF_VECTOR) + if (!cdf_copy_info(&inp[i], &q[o4], e, sizeof(int16_t))) goto unknown; - (void)memcpy(&s16, &q[o4], sizeof(s16)); - inp[i].pi_s16 = CDF_TOLE2(s16); break; case CDF_SIGNED32: - if (inp[i].pi_type & CDF_VECTOR) - goto unknown; - (void)memcpy(&s32, &q[o4], sizeof(s32)); - inp[i].pi_s32 = CDF_TOLE4((uint32_t)s32); - break; case CDF_BOOL: case CDF_UNSIGNED32: - if (inp[i].pi_type & CDF_VECTOR) + case CDF_FLOAT: + if (!cdf_copy_info(&inp[i], &q[o4], e, sizeof(int32_t))) goto unknown; - (void)memcpy(&u32, &q[o4], sizeof(u32)); - inp[i].pi_u32 = CDF_TOLE4(u32); break; case CDF_SIGNED64: - if (inp[i].pi_type & CDF_VECTOR) - goto unknown; - (void)memcpy(&s64, &q[o4], sizeof(s64)); - inp[i].pi_s64 = CDF_TOLE8((uint64_t)s64); - break; case CDF_UNSIGNED64: - if (inp[i].pi_type & CDF_VECTOR) - goto unknown; - (void)memcpy(&u64, &q[o4], sizeof(u64)); - inp[i].pi_u64 = CDF_TOLE8((uint64_t)u64); - break; - case CDF_FLOAT: - if (inp[i].pi_type & CDF_VECTOR) - goto unknown; - (void)memcpy(&u32, &q[o4], sizeof(u32)); - u32 = CDF_TOLE4(u32); - memcpy(&inp[i].pi_f, &u32, sizeof(inp[i].pi_f)); - break; case CDF_DOUBLE: - if (inp[i].pi_type & CDF_VECTOR) + case CDF_FILETIME: + if (!cdf_copy_info(&inp[i], &q[o4], e, sizeof(int64_t))) goto unknown; - (void)memcpy(&u64, &q[o4], sizeof(u64)); - u64 = CDF_TOLE8((uint64_t)u64); - memcpy(&inp[i].pi_d, &u64, sizeof(inp[i].pi_d)); break; case CDF_LENGTH32_STRING: case CDF_LENGTH32_WSTRING: if (nelements > 1) { size_t nelem = inp - *info; - if (*maxcount > CDF_PROP_LIMIT - || nelements > CDF_PROP_LIMIT) - goto out; - *maxcount += nelements; - inp = CAST(cdf_property_info_t *, - realloc(*info, *maxcount * sizeof(*inp))); + inp = cdf_grow_info(info, maxcount, nelements); if (inp == NULL) - goto out1; - *info = inp; - inp = *info + nelem; + goto out; + inp += nelem; } 
DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n", nelements)); for (j = 0; j < nelements && i < sh.sh_properties; j++, i++) { - uint32_t l = CDF_GETUINT32(q, o); + uint32_t l; + + if (o4 + sizeof(uint32_t) > left) + goto out; + + l = CDF_GETUINT32(q, slen); + o4 += sizeof(uint32_t); + if (o4 + l > left) + goto out; + inp[i].pi_str.s_len = l; - inp[i].pi_str.s_buf = (const char *) - (const void *)(&q[o4 + sizeof(l)]); - DPRINTF(("l = %d, r = %" SIZE_T_FORMAT - "u, s = %s\n", l, - CDF_ROUND(l, sizeof(l)), + inp[i].pi_str.s_buf = CAST(const char *, + CAST(const void *, &q[o4])); + + DPRINTF(("o=%zu l=%d(%" SIZE_T_FORMAT + "u), t=%zu s=%s\n", o4, l, + CDF_ROUND(l, sizeof(l)), left, inp[i].pi_str.s_buf)); + if (l & 1) l++; - o += l >> 1; - if (q + o >= e) - goto out; - o4 = o * sizeof(uint32_t); + + slen += l >> 1; + o4 = slen * sizeof(uint32_t); } i--; break; - case CDF_FILETIME: - if (inp[i].pi_type & CDF_VECTOR) - goto unknown; - (void)memcpy(&tp, &q[o4], sizeof(tp)); - inp[i].pi_tp = CDF_TOLE8((uint64_t)tp); - break; case CDF_CLIPBOARD: if (inp[i].pi_type & CDF_VECTOR) goto unknown; break; default: unknown: - DPRINTF(("Don't know how to deal with %x\n", + memset(&inp[i].pi_val, 0, sizeof(inp[i].pi_val)); + DPRINTF(("Don't know how to deal with %#x\n", inp[i].pi_type)); break; } } return 0; out: - errno = EFTYPE; -out1: free(*info); + *info = NULL; + *count = 0; + *maxcount = 0; + errno = EFTYPE; return -1; } @@ -1065,7 +1141,7 @@ cdf_unpack_catalog(const cdf_header_t *h, const cdf_stream_t *sst, { size_t ss = cdf_check_stream(sst, h); const char *b = CAST(const char *, sst->sst_tab); - const char *eb = b + ss * sst->sst_len; + const char *nb, *eb = b + ss * sst->sst_len; size_t nr, i, j, k; cdf_catalog_entry_t *ce; uint16_t reclen; 
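Review bot: The string-vector path now passes `nelements`, a 32-bit count read from the file, straight to `cdf_grow_info()`; the explicit `nelements > CDF_PROP_LIMIT` test was removed and the helper compares only the sum `*maxcount + incr` against the limit. Where `size_t` is 32 bits that sum can wrap to a small value, pass the check and shrink the array that `inp[i]` is then written into. Bounding the operands before adding closes this on every target: in `cdf_grow_info`, `if (incr > CDF_PROP_LIMIT || *maxcount > CDF_PROP_LIMIT - incr) goto out;`, with `newcount` computed afterwards. In debug builds the `DPRINTF` inside the loop also prints `inp[i].pi_str.s_buf` with `%s` although nothing guarantees a terminating NUL within `left`; `%.*s` with `(int)l` would bound it.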
@@ -1084,7 +1160,7 @@ cdf_unpack_catalog(const cdf_header_t *h, const cdf_stream_t *sst, return -1; nr--; *cat = CAST(cdf_catalog_t *, - malloc(sizeof(cdf_catalog_t) + nr * sizeof(*ce))); + CDF_MALLOC(sizeof(cdf_catalog_t) + nr * sizeof(*ce))); if (*cat == NULL) return -1; ce = (*cat)->cat_e; @@ -1110,7 +1186,9 @@ cdf_unpack_catalog(const cdf_header_t *h, const cdf_stream_t *sst, cep->ce_namlen = rlen; np = CAST(const uint16_t *, CAST(const void *, (b + 16))); - if (RCAST(const char *, np + cep->ce_namlen) > eb) { + nb = CAST(const char *, CAST(const void *, + (np + cep->ce_namlen))); + if (nb > eb) { cep->ce_namlen = 0; break; } @@ -1169,7 +1247,7 @@ cdf_print_property_name(char *buf, size_t bufsiz, uint32_t p) for (i = 0; i < __arraycount(vn); i++) if (vn[i].v == p) return snprintf(buf, bufsiz, "%s", vn[i].n); - return snprintf(buf, bufsiz, "0x%x", p); + return snprintf(buf, bufsiz, "%#x", p); } int @@ -1228,7 +1306,7 @@ cdf_dump_header(const cdf_header_t *h) h->h_ ## b, 1 << h->h_ ## b) DUMP("%d", revision); DUMP("%d", version); - DUMP("0x%x", byte_order); + DUMP("%#x", byte_order); DUMP2("%d", sec_size_p2); DUMP2("%d", short_sec_size_p2); DUMP("%d", num_sectors_in_sat); @@ -1322,7 +1400,7 @@ cdf_dump_dir(const cdf_info_t *info, const cdf_header_t *h, d->d_color ? "black" : "red"); (void)fprintf(stderr, "Left child: %d\n", d->d_left_child); (void)fprintf(stderr, "Right child: %d\n", d->d_right_child); - (void)fprintf(stderr, "Flags: 0x%x\n", d->d_flags); + (void)fprintf(stderr, "Flags: %#x\n", d->d_flags); cdf_timestamp_to_timespec(&ts, d->d_created); (void)fprintf(stderr, "Created %s", cdf_ctime(&ts.tv_sec, buf)); cdf_timestamp_to_timespec(&ts, d->d_modified); @@ -1415,7 +1493,7 @@ cdf_dump_property_info(const cdf_property_info_t *info, size_t count) (void)fprintf(stderr, "CLIPBOARD %u\n", info[i].pi_u32); break; default: - DPRINTF(("Don't know how to deal with %x\n", + DPRINTF(("Don't know how to deal with %#x\n", info[i].pi_type)); break; } 
@@ -1434,7 +1512,7 @@ cdf_dump_summary_info(const cdf_header_t *h, const cdf_stream_t *sst) (void)&h; if (cdf_unpack_summary_info(sst, h, &ssi, &info, &count) == -1) return; - (void)fprintf(stderr, "Endian: %x\n", ssi.si_byte_order); + (void)fprintf(stderr, "Endian: %#x\n", ssi.si_byte_order); (void)fprintf(stderr, "Os Version %d.%d\n", ssi.si_os_version & 0xff, ssi.si_os_version >> 8); (void)fprintf(stderr, "Os %d\n", ssi.si_os); diff --git a/src/cdf.h b/src/cdf.h index 0b345ab49615..f2df8306b17d 100644 --- a/src/cdf.h +++ b/src/cdf.h @@ -127,9 +127,9 @@ typedef struct { typedef struct { void *sst_tab; - size_t sst_len; - size_t sst_dirlen; - size_t sst_ss; + size_t sst_len; /* Number of sectors */ + size_t sst_dirlen; /* Directory sector size */ + size_t sst_ss; /* Sector size */ } cdf_stream_t; typedef struct { diff --git a/src/cdf_time.c b/src/cdf_time.c index 1e572de539f8..2bdcd2a7f7a8 100644 --- a/src/cdf_time.c +++ b/src/cdf_time.c @@ -27,7 +27,7 @@ #include "file.h" #ifndef lint -FILE_RCSID("@(#)$File: cdf_time.c,v 1.15 2014/05/14 23:15:42 christos Exp $") +FILE_RCSID("@(#)$File: cdf_time.c,v 1.16 2017/03/29 15:57:48 christos Exp $") #endif #include @@ -171,7 +171,7 @@ cdf_ctime(const time_t *sec, char *buf) char *ptr = ctime_r(sec, buf); if (ptr != NULL) return buf; - (void)snprintf(buf, 26, "*Bad* 0x%16.16" INT64_T_FORMAT "x\n", + (void)snprintf(buf, 26, "*Bad* %#16.16" INT64_T_FORMAT "x\n", (long long)*sec); return buf; } diff --git a/src/compress.c b/src/compress.c index 95f095529da5..2f789cd2bc44 100644 --- a/src/compress.c +++ b/src/compress.c @@ -35,7 +35,7 @@ #include "file.h" #ifndef lint -FILE_RCSID("@(#)$File: compress.c,v 1.100 2016/10/24 18:02:17 christos Exp $") +FILE_RCSID("@(#)$File: compress.c,v 1.105 2017/05/25 00:13:03 christos Exp $") #endif #include "magic.h" 
@@ -62,7 +62,7 @@ typedef void (*sig_t)(int); #if defined(HAVE_SYS_TIME_H) #include #endif -#if defined(HAVE_ZLIB_H) +#if defined(HAVE_ZLIB_H) && defined(ZLIBSUPPORT) #define BUILTIN_DECOMPRESS #include #endif @@ -83,6 +83,7 @@ int tty = -1; /* * The following python code is not really used because ZLIBSUPPORT is only * defined if we have a built-in zlib, and the built-in zlib handles that. + * That is not true for android where we have zlib.h and not -lz. */ static const char zlibcode[] = "import sys, zlib; sys.stdout.write(zlib.decompress(sys.stdin.read()))"; @@ -93,7 +94,7 @@ static int zlibcmp(const unsigned char *buf) { unsigned short x = 1; - unsigned char *s = (unsigned char *)&x; + unsigned char *s = CAST(unsigned char *, CAST(void *, &x)); if ((buf[0] & 0xf) != 8 || (buf[0] & 0x80) != 0) return 0; @@ -497,7 +498,7 @@ uncompresszlib(const unsigned char *old, unsigned char **newch, z.next_in = CCAST(Bytef *, old); z.avail_in = CAST(uint32_t, *n); z.next_out = *newch; - z.avail_out = bytes_max; + z.avail_out = CAST(unsigned int, bytes_max); z.zalloc = Z_NULL; z.zfree = Z_NULL; z.opaque = Z_NULL; @@ -632,7 +633,7 @@ filter_error(unsigned char *ubuf, ssize_t n) while (isspace((unsigned char)*p)) p++; n = strlen(p); - memmove(ubuf, p, n + 1); + memmove(ubuf, p, CAST(size_t, n + 1)); } DPRINTF("Filter error after[[[%s]]]\n", (char *)ubuf); if (islower(*ubuf)) @@ -688,7 +689,7 @@ uncompressbuf(int fd, size_t bytes_max, size_t method, const unsigned char *old, } for (i = 0; i < __arraycount(fdp); i++) - copydesc(i, fdp[i]); + copydesc(CAST(int, i), fdp[i]); (void)execvp(compr[method].argv[0], (char *const *)(intptr_t)compr[method].argv); 
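Review bot: Requiring `ZLIBSUPPORT` in addition to `HAVE_ZLIB_H` before defining `BUILTIN_DECOMPRESS` means a build that has the header but not the macro no longer inflates in-process and, judging by the comment added in the next hunk, falls back to the `zlibcode` helper. External helpers are started with `execvp()` (visible in `uncompressbuf` further down), so the program is looked up on `PATH` and is fed data from the file being examined. Please document the fallback next to the `#if`, e.g. `/* without ZLIBSUPPORT zlib streams are handed to an external helper, see zlibcode */`, so that packagers who sandbox or restrict `file` know such builds spawn a child process. How `ZLIBSUPPORT` gets defined is not shown in this hunk.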
@@ -748,9 +749,9 @@ uncompressbuf(int fd, size_t bytes_max, size_t method, const unsigned char *old, rv = makeerror(newch, n, "Wait failed, %s", strerror(errno)); DPRINTF("Child wait return %#x\n", status); } else if (!WIFEXITED(status)) { - DPRINTF("Child not exited (0x%x)\n", status); + DPRINTF("Child not exited (%#x)\n", status); } else if (WEXITSTATUS(status) != 0) { - DPRINTF("Child exited (0x%d)\n", WEXITSTATUS(status)); + DPRINTF("Child exited (%#x)\n", WEXITSTATUS(status)); } closefd(fdp[STDIN_FILENO], 0); diff --git a/src/der.c b/src/der.c index 8ae638fb9897..4e22caf41d4a 100644 --- a/src/der.c +++ b/src/der.c @@ -35,7 +35,7 @@ #include "file.h" #ifndef lint -FILE_RCSID("@(#)$File: der.c,v 1.10 2016/10/24 18:02:17 christos Exp $") +FILE_RCSID("@(#)$File: der.c,v 1.12 2017/02/10 18:14:01 christos Exp $") #endif #endif 
@@ -159,31 +159,49 @@ gettag(const uint8_t *c, size_t *p, size_t l) return tag; } +/* + * Read the length of a DER tag from the input. + * + * `c` is the input, `p` is an output parameter that specifies how much of the + * input we consumed, and `l` is the maximum input length. + * + * Returns the length, or DER_BAD if the end of the input is reached or the + * length exceeds the remaining input. + */ static uint32_t getlength(const uint8_t *c, size_t *p, size_t l) { uint8_t digits, i; size_t len; + int is_onebyte_result; if (*p >= l) return DER_BAD; - digits = c[(*p)++]; - - if ((digits & 0x80) == 0) - return digits; - - digits &= 0x7f; - len = 0; - + /* + * Digits can either be 0b0 followed by the result, or 0b1 + * followed by the number of digits of the result. In either case, + * we verify that we can read so many bytes from the input. + */ + is_onebyte_result = (c[*p] & 0x80) == 0; + digits = c[(*p)++] & 0x7f; if (*p + digits >= l) return DER_BAD; + if (is_onebyte_result) + return digits; + + /* + * Decode len. We've already verified that we're allowed to read + * `digits` bytes. + */ + len = 0; for (i = 0; i < digits; i++) len = (len << 8) | c[(*p)++]; + if (*p + len >= l) return DER_BAD; - return len; + return CAST(uint32_t, len); } static const char * @@ -242,12 +260,12 @@ der_offs(struct magic_set *ms, struct magic *m, size_t nbytes) #endif if (m->cont_level != 0) { if (offs + tlen > nbytes) - return DER_BAD; - ms->c.li[m->cont_level - 1].off = offs + tlen; + return -1; + ms->c.li[m->cont_level - 1].off = CAST(int, offs + tlen); DPRINTF(("cont_level[%u] = %u\n", m->cont_level - 1, ms->c.li[m->cont_level - 1].off)); } - return offs; + return CAST(int32_t, offs); } int diff --git a/src/file.h b/src/file.h index 180efd3525ce..eb9c05421db6 100644 --- a/src/file.h +++ b/src/file.h 
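Review bot: The final check in `getlength`, `if (*p + len >= l)`, adds a length decoded from the input to the cursor, so a very large encoded length can wrap the sum below `l` and pass; the value is then truncated by `CAST(uint32_t, len)`. Up to 127 length bytes are also folded into `len` with `len << 8`, which silently drops the high bytes once more than `sizeof(len)` of them have been read. Compare against the remaining space instead, `if (len >= l - *p) return DER_BAD;` (the earlier `*p + digits >= l` test guarantees `*p < l` at this point), and reject `digits > sizeof(len)` before the loop. `der_offs` in the next hunk does repeat a bounds check on `offs + tlen`, so the practical impact depends on the other callers, which are not visible here.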
@@ -27,7 +27,7 @@ */ /* * file.h - definitions for file(1) program - * @(#)$File: file.h,v 1.180 2016/07/20 11:27:08 christos Exp $ + * @(#)$File: file.h,v 1.183 2017/08/28 13:39:18 christos Exp $ */ #ifndef __file_h__ @@ -36,6 +36,10 @@ #ifdef HAVE_CONFIG_H #include #endif +#ifdef HAVE_STDINT_H +#ifndef __STDC_LIMIT_MACROS +#define __STDC_LIMIT_MACROS +#endif #ifdef WIN32 #ifdef _WIN64 @@ -50,16 +54,12 @@ #define INT64_T_FORMAT "ll" #define INTMAX_T_FORMAT "j" #endif +#include +#endif #include /* Include that here, to make sure __P gets defined */ #include #include /* For open and flags */ -#ifdef HAVE_STDINT_H -#ifndef __STDC_LIMIT_MACROS -#define __STDC_LIMIT_MACROS -#endif -#include -#endif #ifdef HAVE_INTTYPES_H #include #endif @@ -447,7 +447,7 @@ protected size_t file_printedlen(const struct magic_set *); protected int file_replace(struct magic_set *, const char *, const char *); protected int file_printf(struct magic_set *, const char *, ...) __attribute__((__format__(__printf__, 2, 3))); -protected int file_reset(struct magic_set *); +protected int file_reset(struct magic_set *, int); protected int file_tryelf(struct magic_set *, int, const unsigned char *, size_t); protected int file_trycdf(struct magic_set *, int, const unsigned char *, diff --git a/src/fsmagic.c b/src/fsmagic.c index 27f982a58348..c0a437a8f6d0 100644 --- a/src/fsmagic.c +++ b/src/fsmagic.c @@ -32,7 +32,7 @@ #include "file.h" #ifndef lint -FILE_RCSID("@(#)$File: fsmagic.c,v 1.76 2015/04/09 20:01:41 christos Exp $") +FILE_RCSID("@(#)$File: fsmagic.c,v 1.77 2017/05/24 19:17:50 christos Exp $") #endif /* lint */ #include "magic.h" @@ -104,14 +104,13 @@ file_fsmagic(struct magic_set *ms, const char *fn, struct stat *sb) { int ret, did = 0; int mime = ms->flags & MAGIC_MIME; + int silent = ms->flags & (MAGIC_APPLE|MAGIC_EXTENSION); #ifdef S_IFLNK char buf[BUFSIZ+4]; ssize_t nch; struct stat tstatbuf; #endif - if (ms->flags & (MAGIC_APPLE|MAGIC_EXTENSION)) - return 0; if (fn == NULL) return 0; 
@@ -168,7 +167,7 @@ file_fsmagic(struct magic_set *ms, const char *fn, struct stat *sb) } ret = 1; - if (!mime) { + if (!mime && !silent) { #ifdef S_ISUID if (sb->st_mode & S_ISUID) if (file_printf(ms, "%ssetuid", COMMA) == -1) @@ -191,6 +190,7 @@ file_fsmagic(struct magic_set *ms, const char *fn, struct stat *sb) if (mime) { if (handle_mime(ms, mime, "directory") == -1) return -1; + } else if (silent) { } else if (file_printf(ms, "%sdirectory", COMMA) == -1) return -1; break; @@ -208,6 +208,7 @@ file_fsmagic(struct magic_set *ms, const char *fn, struct stat *sb) if (mime) { if (handle_mime(ms, mime, "chardevice") == -1) return -1; + } else if (silent) { } else { #ifdef HAVE_STRUCT_STAT_ST_RDEV # ifdef dv_unit @@ -242,6 +243,7 @@ file_fsmagic(struct magic_set *ms, const char *fn, struct stat *sb) if (mime) { if (handle_mime(ms, mime, "blockdevice") == -1) return -1; + } else if (silent) { } else { #ifdef HAVE_STRUCT_STAT_ST_RDEV # ifdef dv_unit @@ -270,6 +272,7 @@ file_fsmagic(struct magic_set *ms, const char *fn, struct stat *sb) if (mime) { if (handle_mime(ms, mime, "fifo") == -1) return -1; + } else if (silent) { } else if (file_printf(ms, "%sfifo (named pipe)", COMMA) == -1) return -1; break; @@ -279,6 +282,7 @@ file_fsmagic(struct magic_set *ms, const char *fn, struct stat *sb) if (mime) { if (handle_mime(ms, mime, "door") == -1) return -1; + } else if (silent) { } else if (file_printf(ms, "%sdoor", COMMA) == -1) return -1; break; @@ -294,6 +298,7 @@ file_fsmagic(struct magic_set *ms, const char *fn, struct stat *sb) if (mime) { if (handle_mime(ms, mime, "symlink") == -1) return -1; + } else if (silent) { } else if (file_printf(ms, "%sunreadable symlink `%s' (%s)", COMMA, fn, strerror(errno)) == -1) @@ -323,6 +328,7 @@ file_fsmagic(struct magic_set *ms, const char *fn, struct stat *sb) if (handle_mime(ms, mime, "x-path-too-long") == -1) return -1; + } else if (silent) { } else if (file_printf(ms, "%spath too long: `%s'", COMMA, fn) == -1) 
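Review bot: The empty branch `} else if (silent) { }` added in these `file_fsmagic()` hunks, and again in the later symlink, socket and empty-file hunks, reads like an unfinished edit and is easy to get wrong when another file type is added. Folding the test into the print condition, for example `} else if (!silent && file_printf(ms, "%sdirectory", COMMA) == -1)`, behaves the same and drops the empty block. Alternatively a comment in the first occurrence, `/* MAGIC_APPLE/MAGIC_EXTENSION: classify but print nothing */`, would make the intent explicit. The function body starts and ends outside these hunks.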
@@ -352,6 +358,7 @@ file_fsmagic(struct magic_set *ms, const char *fn, struct stat *sb) if (mime) { if (handle_mime(ms, mime, "symlink") == -1) return -1; + } else if (silent) { } else if (file_printf(ms, "%ssymbolic link to %s", COMMA, buf) == -1) return -1; @@ -364,6 +371,7 @@ file_fsmagic(struct magic_set *ms, const char *fn, struct stat *sb) if (mime) { if (handle_mime(ms, mime, "socket") == -1) return -1; + } else if (silent) { } else if (file_printf(ms, "%ssocket", COMMA) == -1) return -1; break; @@ -386,6 +394,7 @@ file_fsmagic(struct magic_set *ms, const char *fn, struct stat *sb) if (mime) { if (handle_mime(ms, mime, "x-empty") == -1) return -1; + } else if (silent) { } else if (file_printf(ms, "%sempty", COMMA) == -1) return -1; break; @@ -399,7 +408,7 @@ file_fsmagic(struct magic_set *ms, const char *fn, struct stat *sb) /*NOTREACHED*/ } - if (!mime && did && ret == 0) { + if (!silent && !mime && did && ret == 0) { if (file_printf(ms, " ") == -1) return -1; } diff --git a/src/funcs.c b/src/funcs.c index c8918a45963a..d7a18f451a7e 100644 --- a/src/funcs.c +++ b/src/funcs.c @@ -27,7 +27,7 @@ #include "file.h" #ifndef lint -FILE_RCSID("@(#)$File: funcs.c,v 1.90 2016/10/19 20:51:17 christos Exp $") +FILE_RCSID("@(#)$File: funcs.c,v 1.93 2017/08/28 13:39:18 christos Exp $") #endif /* lint */ #include "magic.h" @@ -76,7 +76,7 @@ file_vprintf(struct magic_set *ms, const char *fmt, va_list ap) ms->o.buf = buf; return 0; out: - file_error(ms, errno, "vasprintf failed"); + fprintf(stderr, "vasprintf failed (%s)", strerror(errno)); return -1; } @@ -328,9 +328,9 @@ file_buffer(struct magic_set *ms, int fd, const char *inname __attribute__ ((__u #endif protected int -file_reset(struct magic_set *ms) +file_reset(struct magic_set *ms, int checkloaded) { - if (ms->mlist[0] == NULL) { + if (checkloaded && ms->mlist[0] == NULL) { file_error(ms, 0, "no magic files loaded"); return -1; } 
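Review bot: The `out:` path of `file_vprintf()` now writes `vasprintf failed (%s)` straight to `stderr` with no trailing newline, so a program embedding libmagic gets output on its own stderr and `-1` back, while nothing is recorded in `ms` for `magic_error()` to report. If the switch away from `file_error()` is meant to avoid re-entering the formatter on the failure path (that call chain is not visible in this hunk), a short comment saying so would help. The message should at least end in a newline: `fprintf(stderr, "vasprintf failed (%s)\n", strerror(errno));`.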
@@ -509,6 +509,8 @@ file_regexec(file_regex_t *rx, const char *str, size_t nmatch, regmatch_t* pmatch, int eflags) { assert(rx->rc == 0); + /* XXX: force initialization because glibc does not always do this */ + memset(pmatch, 0, nmatch * sizeof(*pmatch)); return regexec(&rx->rx, str, nmatch, pmatch, eflags); } diff --git a/src/is_tar.c b/src/is_tar.c index a3e5dbf24c36..1953a7fc102e 100644 --- a/src/is_tar.c +++ b/src/is_tar.c @@ -40,7 +40,7 @@ #include "file.h" #ifndef lint -FILE_RCSID("@(#)$File: is_tar.c,v 1.38 2015/04/09 20:01:41 christos Exp $") +FILE_RCSID("@(#)$File: is_tar.c,v 1.39 2017/03/17 20:45:01 christos Exp $") #endif #include "magic.h" @@ -51,7 +51,7 @@ FILE_RCSID("@(#)$File: is_tar.c,v 1.38 2015/04/09 20:01:41 christos Exp $") #define isodigit(c) ( ((c) >= '0') && ((c) <= '7') ) private int is_tar(const unsigned char *, size_t); -private int from_oct(int, const char *); /* Decode octal number */ +private int from_oct(const char *, size_t); /* Decode octal number */ static const char tartype[][32] = { "tar archive", 
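Review bot: The added `memset(pmatch, 0, nmatch * sizeof(*pmatch));` in `file_regexec()` runs unconditionally, so any caller that passes `nmatch == 0` with a null `pmatch` hands a null pointer to `memset`, which is undefined even for a zero length. Callers are not visible in this hunk, so this may not be reachable today, but the guard is cheap: `if (nmatch != 0) memset(pmatch, 0, nmatch * sizeof(*pmatch));`.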
@@ -93,31 +93,35 @@ private int is_tar(const unsigned char *buf, size_t nbytes) { const union record *header = (const union record *)(const void *)buf; - int i; - int sum, recsum; - const unsigned char *p; + size_t i; + int sum, recsum; + const unsigned char *p, *ep; - if (nbytes < sizeof(union record)) + if (nbytes < sizeof(*header)) return 0; - recsum = from_oct(8, header->header.chksum); + recsum = from_oct(header->header.chksum, sizeof(header->header.chksum)); sum = 0; p = header->charptr; - for (i = sizeof(union record); --i >= 0;) + ep = header->charptr + sizeof(*header); + while (p < ep) sum += *p++; /* Adjust checksum to count the "chksum" field as blanks. */ - for (i = sizeof(header->header.chksum); --i >= 0;) + for (i = 0; i < sizeof(header->header.chksum); i++) sum -= header->header.chksum[i]; - sum += ' ' * sizeof header->header.chksum; + sum += ' ' * sizeof(header->header.chksum); if (sum != recsum) return 0; /* Not a tar archive */ - if (strcmp(header->header.magic, GNUTMAGIC) == 0) + if (strncmp(header->header.magic, GNUTMAGIC, + sizeof(header->header.magic)) == 0) return 3; /* GNU Unix Standard tar archive */ - if (strcmp(header->header.magic, TMAGIC) == 0) + + if (strncmp(header->header.magic, TMAGIC, + sizeof(header->header.magic)) == 0) return 2; /* Unix Standard tar archive */ return 1; /* Old fashioned tar archive */ @@ -130,19 +134,22 @@ is_tar(const unsigned char *buf, size_t nbytes) * Result is -1 if the field is invalid (all blank, or non-octal). */ private int -from_oct(int digs, const char *where) +from_oct(const char *where, size_t digs) { int value; + if (digs == 0) + return -1; + while (isspace((unsigned char)*where)) { /* Skip spaces */ where++; - if (--digs <= 0) + if (digs-- == 0) return -1; /* All blank field */ } value = 0; while (digs > 0 && isodigit(*where)) { /* Scan til non-octal */ value = (value << 3) | (*where++ - '0'); - --digs; + digs--; } if (digs > 0 && *where && !isspace((unsigned char)*where)) 
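Review bot: The space-skipping loop in `from_oct()` tests `if (digs-- == 0)` after `where++`, so for a field made up entirely of blanks `digs` has already reached zero when the loop condition reads `*where` one byte past the `digs`-byte field. If that byte is not a space, the function appears to fall through and return 0 instead of -1; the rest of the function is outside the hunk, so that return path is inferred from the header comment. Since `digs == 0` is rejected at the top, a pre-decrement keeps the old semantics with the unsigned type: `if (--digs == 0) return -1;`.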
diff --git a/src/magic.c b/src/magic.c index b61ad29d7a5d..1448a69bcad5 100644 --- a/src/magic.c +++ b/src/magic.c @@ -33,7 +33,7 @@ #include "file.h" #ifndef lint -FILE_RCSID("@(#)$File: magic.c,v 1.100 2016/07/18 11:43:05 christos Exp $") +FILE_RCSID("@(#)$File: magic.c,v 1.102 2017/08/28 13:39:18 christos Exp $") #endif /* lint */ #include "magic.h" @@ -167,7 +167,7 @@ DllMain(HINSTANCE hinstDLL, DWORD fdwReason, { if (fdwReason == DLL_PROCESS_ATTACH) _w32_dll_instance = hinstDLL; - return TRUE; + return 1; } #endif @@ -409,7 +409,7 @@ file_or_fd(struct magic_set *ms, const char *inname, int fd) int ispipe = 0; off_t pos = (off_t)-1; - if (file_reset(ms) == -1) + if (file_reset(ms, 1) == -1) goto out; /* @@ -538,7 +538,7 @@ magic_buffer(struct magic_set *ms, const void *buf, size_t nb) { if (ms == NULL) return NULL; - if (file_reset(ms) == -1) + if (file_reset(ms, 1) == -1) return NULL; /* * The main work is done here! @@ -567,6 +567,15 @@ magic_errno(struct magic_set *ms) return (ms->event_flags & EVENT_HAD_ERR) ? ms->error : 0; } +public int +magic_getflags(struct magic_set *ms) +{ + if (ms == NULL) + return -1; + + return ms->flags; +} + public int magic_setflags(struct magic_set *ms, int flags) { diff --git a/src/magic.h.in b/src/magic.h.in index 3d6954a2a6d4..1134bdc886d4 100644 --- a/src/magic.h.in +++ b/src/magic.h.in 
@@ -73,6 +73,35 @@ 0 \ ) +#define MAGIC_SNPRINTB "\177\020\ +b\0debug\0\ +b\1symlink\0\ +b\2compress\0\ +b\3devices\0\ +b\4mime_type\0\ +b\5continue\0\ +b\6check\0\ +b\7preserve_atime\0\ +b\10raw\0\ +b\11error\0\ +b\12mime_encoding\0\ +b\13apple\0\ +b\14no_check_compress\0\ +b\15no_check_tar\0\ +b\16no_check_soft\0\ +b\17no_check_sapptype\0\ +b\20no_check_elf\0\ +b\21no_check_text\0\ +b\22no_check_cdf\0\ +b\23no_check_reserved0\0\ +b\24no_check_tokens\0\ +b\25no_check_encoding\0\ +b\26no_check_reserved1\0\ +b\27no_check_reserved2\0\ +b\30extension\0\ +b\31transp_compression\0\ +" + /* Defined for backwards compatibility (renamed) */ #define MAGIC_NO_CHECK_ASCII MAGIC_NO_CHECK_TEXT @@ -97,6 +126,7 @@ const char *magic_descriptor(magic_t, int); const char *magic_buffer(magic_t, const void *, size_t); const char *magic_error(magic_t); +int magic_getflags(magic_t); int magic_setflags(magic_t, int); int magic_version(void); diff --git a/src/print.c b/src/print.c index a0221b126ecb..0b918636bc5e 100644 --- a/src/print.c +++ b/src/print.c @@ -32,7 +32,7 @@ #include "file.h" #ifndef lint -FILE_RCSID("@(#)$File: print.c,v 1.81 2016/01/19 15:09:03 christos Exp $") +FILE_RCSID("@(#)$File: print.c,v 1.82 2017/02/10 18:14:01 christos Exp $") #endif /* lint */ #include @@ -238,7 +238,7 @@ file_fmttime(uint64_t v, int flags, char *buf) if (flags & FILE_T_WINDOWS) { struct timespec ts; - cdf_timestamp_to_timespec(&ts, v); + cdf_timestamp_to_timespec(&ts, CAST(cdf_timestamp_t, v)); t = ts.tv_sec; } else { // XXX: perhaps detect and print something if overflow diff --git a/src/readcdf.c b/src/readcdf.c index 20e631d6db6f..80c8d26e3fec 100644 --- a/src/readcdf.c +++ b/src/readcdf.c @@ -26,7 +26,7 @@ #include "file.h" #ifndef lint -FILE_RCSID("@(#)$File: readcdf.c,v 1.63 2016/10/18 22:25:42 christos Exp $") +FILE_RCSID("@(#)$File: readcdf.c,v 1.65 2017/04/08 20:58:03 christos Exp $") #endif #include 
@@ -152,7 +152,7 @@ cdf_file_property_info(struct magic_set *ms, const cdf_property_info_t *info, struct timespec ts; char buf[64]; const char *str = NULL; - const char *s; + const char *s, *e; int len; if (!NOTMIME(ms) && root_storage) @@ -199,7 +199,9 @@ cdf_file_property_info(struct magic_set *ms, const cdf_property_info_t *info, if (info[i].pi_type == CDF_LENGTH32_WSTRING) k++; s = info[i].pi_str.s_buf; - for (j = 0; j < sizeof(vbuf) && len--; s += k) { + e = info[i].pi_str.s_buf + len; + for (j = 0; s < e && j < sizeof(vbuf) + && len--; s += k) { if (*s == '\0') break; if (isprint((unsigned char)*s)) @@ -603,7 +605,7 @@ file_trycdf(struct magic_set *ms, int fd, const unsigned char *buf, if ((i = cdf_read_user_stream(&info, &h, &sat, &ssat, &sst, &dir, "FileHeader", &scn)) != -1) { #define HWP5_SIGNATURE "HWP Document File" - if (scn.sst_dirlen >= sizeof(HWP5_SIGNATURE) - 1 + if (scn.sst_len * scn.sst_ss >= sizeof(HWP5_SIGNATURE) - 1 && memcmp(scn.sst_tab, HWP5_SIGNATURE, sizeof(HWP5_SIGNATURE) - 1) == 0) { if (NOTMIME(ms)) { diff --git a/src/readelf.c b/src/readelf.c index 90dae392f699..5f425c974e76 100644 --- a/src/readelf.c +++ b/src/readelf.c @@ -27,7 +27,7 @@ #include "file.h" #ifndef lint -FILE_RCSID("@(#)$File: readelf.c,v 1.128 2016/10/04 21:43:10 christos Exp $") +FILE_RCSID("@(#)$File: readelf.c,v 1.138 2017/08/27 07:55:02 christos Exp $") #endif #ifdef BUILTIN_ELF 
@@ -310,16 +310,18 @@ private const char os_style_names[][8] = { "NetBSD", }; -#define FLAGS_DID_CORE 0x001 -#define FLAGS_DID_OS_NOTE 0x002 -#define FLAGS_DID_BUILD_ID 0x004 -#define FLAGS_DID_CORE_STYLE 0x008 -#define FLAGS_DID_NETBSD_PAX 0x010 -#define FLAGS_DID_NETBSD_MARCH 0x020 -#define FLAGS_DID_NETBSD_CMODEL 0x040 -#define FLAGS_DID_NETBSD_UNKNOWN 0x080 -#define FLAGS_IS_CORE 0x100 -#define FLAGS_DID_AUXV 0x200 +#define FLAGS_CORE_STYLE 0x003 + +#define FLAGS_DID_CORE 0x004 +#define FLAGS_DID_OS_NOTE 0x008 +#define FLAGS_DID_BUILD_ID 0x010 +#define FLAGS_DID_CORE_STYLE 0x020 +#define FLAGS_DID_NETBSD_PAX 0x040 +#define FLAGS_DID_NETBSD_MARCH 0x080 +#define FLAGS_DID_NETBSD_CMODEL 0x100 +#define FLAGS_DID_NETBSD_UNKNOWN 0x200 +#define FLAGS_IS_CORE 0x400 +#define FLAGS_DID_AUXV 0x800 private int dophn_core(struct magic_set *ms, int clazz, int swap, int fd, off_t off, @@ -509,7 +511,7 @@ do_bid_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type, size_t noff, size_t doff, int *flags) { if (namesz == 4 && strcmp((char *)&nbuf[noff], "GNU") == 0 && - type == NT_GNU_BUILD_ID && (descsz >= 4 || descsz <= 20)) { + type == NT_GNU_BUILD_ID && (descsz >= 4 && descsz <= 20)) { uint8_t desc[20]; const char *btype; uint32_t i; 
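Review bot: `FLAGS_CORE_STYLE 0x003` is a value mask, unlike the single-bit `FLAGS_DID_*` constants renumbered below it, and nothing at the definition says so. The later hunks store it with `*flags |= os_style;` and read it back with `*flags & FLAGS_CORE_STYLE`. A comment such as `/* low two bits hold the OS_STYLE_* value of the core file */` would explain why the remaining flags now start at 0x004. It would also warn that an `OS_STYLE_*` value above 3 would overlap `FLAGS_DID_CORE`.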
@@ -709,32 +711,30 @@ do_core_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type, == -1) return 1; *flags |= FLAGS_DID_CORE_STYLE; + *flags |= os_style; } switch (os_style) { case OS_STYLE_NETBSD: if (type == NT_NETBSD_CORE_PROCINFO) { char sbuf[512]; - uint32_t signo; - /* - * Extract the program name. It is at - * offset 0x7c, and is up to 32-bytes, - * including the terminating NUL. - */ - if (file_printf(ms, ", from '%.31s'", + struct NetBSD_elfcore_procinfo pi; + memset(&pi, 0, sizeof(pi)); + memcpy(&pi, nbuf + doff, descsz); + + if (file_printf(ms, ", from '%.31s', pid=%u, uid=%u, " + "gid=%u, nlwps=%u, lwp=%u (signal %u/code %u)", file_printable(sbuf, sizeof(sbuf), - (const char *)&nbuf[doff + 0x7c])) == -1) - return 1; - - /* - * Extract the signal number. It is at - * offset 0x08. - */ - (void)memcpy(&signo, &nbuf[doff + 0x08], - sizeof(signo)); - if (file_printf(ms, " (signal %u)", - elf_getu32(swap, signo)) == -1) + CAST(char *, pi.cpi_name)), + elf_getu32(swap, pi.cpi_pid), + elf_getu32(swap, pi.cpi_euid), + elf_getu32(swap, pi.cpi_egid), + elf_getu32(swap, pi.cpi_nlwps), + elf_getu32(swap, pi.cpi_siglwp), + elf_getu32(swap, pi.cpi_signo), + elf_getu32(swap, pi.cpi_sigcode)) == -1) return 1; + *flags |= FLAGS_DID_CORE; return 1; } @@ -890,7 +890,7 @@ get_string_on_virtaddr(struct magic_set *ms, offset = get_offset_from_virtaddr(ms, swap, clazz, fd, ph_off, ph_num, fsize, virtaddr); - if ((buflen = pread(fd, buf, buflen, offset)) <= 0) { + if ((buflen = pread(fd, buf, CAST(size_t, buflen), offset)) <= 0) { file_badread(ms); return 0; } 
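Review bot: In the `NT_NETBSD_CORE_PROCINFO` branch of `do_core_note()`, `memcpy(&pi, nbuf + doff, descsz);` copies `descsz` bytes into the fixed-size stack object `pi`, and nothing in this hunk limits `descsz` to `sizeof(pi)`. `descsz` appears to be the description size declared by the note in the file being examined, so a procinfo note that declares a larger description would write past `pi` on the stack. The copy should be clamped: `memcpy(&pi, nbuf + doff, descsz < sizeof(pi) ? descsz : sizeof(pi));`. Fields a short note does not supply stay zeroed by the preceding `memset`. Whether `doff + descsz` is already checked against the size of `nbuf` is decided outside this hunk and worth confirming.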
@@ -924,9 +924,29 @@ do_auxv_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type, int is_string; size_t nval; - if (type != NT_AUXV || (*flags & FLAGS_IS_CORE) == 0) + if ((*flags & (FLAGS_IS_CORE|FLAGS_DID_CORE_STYLE)) != + (FLAGS_IS_CORE|FLAGS_DID_CORE_STYLE)) return 0; + switch (*flags & FLAGS_CORE_STYLE) { + case OS_STYLE_SVR4: + if (type != NT_AUXV) + return 0; + break; +#ifdef notyet + case OS_STYLE_NETBSD: + if (type != NT_NETBSD_CORE_AUXV) + return 0; + break; + case OS_STYLE_FREEBSD: + if (type != NT_FREEBSD_PROCSTAT_AUXV) + return 0; + break; +#endif + default: + return 0; + } + *flags |= FLAGS_DID_AUXV; nval = 0; @@ -1031,13 +1051,13 @@ donote(struct magic_set *ms, void *vbuf, size_t offset, size_t size, } if (namesz & 0x80000000) { - (void)file_printf(ms, ", bad note name size 0x%lx", + (void)file_printf(ms, ", bad note name size %#lx", (unsigned long)namesz); return 0; } if (descsz & 0x80000000) { - (void)file_printf(ms, ", bad note description size 0x%lx", + (void)file_printf(ms, ", bad note description size %#lx", (unsigned long)descsz); return 0; } @@ -1185,12 +1205,12 @@ doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num, { Elf32_Shdr sh32; Elf64_Shdr sh64; - int stripped = 1; + int stripped = 1, has_debug_info = 0; size_t nbadcap = 0; void *nbuf; off_t noff, coff, name_off; - uint64_t cap_hw1 = 0; /* SunOS 5.x hardware capabilites */ - uint64_t cap_sf1 = 0; /* SunOS 5.x software capabilites */ + uint64_t cap_hw1 = 0; /* SunOS 5.x hardware capabilities */ + uint64_t cap_sf1 = 0; /* SunOS 5.x software capabilities */ char name[50]; ssize_t namesize; 
@@ -1203,8 +1223,9 @@ doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num, /* Read offset of name section to be able to read section names later */ if (pread(fd, xsh_addr, xsh_sizeof, CAST(off_t, (off + size * strtab))) < (ssize_t)xsh_sizeof) { - file_badread(ms); - return -1; + if (file_printf(ms, ", missing section headers") == -1) + return -1; + return 0; } name_off = xsh_offset; @@ -1215,8 +1236,10 @@ doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num, return -1; } name[namesize] = '\0'; - if (strcmp(name, ".debug_info") == 0) + if (strcmp(name, ".debug_info") == 0) { + has_debug_info = 1; stripped = 0; + } if (pread(fd, xsh_addr, xsh_sizeof, off) < (ssize_t)xsh_sizeof) { file_badread(ms); @@ -1247,9 +1270,9 @@ doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num, if ((uintmax_t)(xsh_size + xsh_offset) > (uintmax_t)fsize) { if (file_printf(ms, - ", note offset/size 0x%" INTMAX_T_FORMAT - "x+0x%" INTMAX_T_FORMAT "x exceeds" - " file size 0x%" INTMAX_T_FORMAT "x", + ", note offset/size %#" INTMAX_T_FORMAT + "x+%#" INTMAX_T_FORMAT "x exceeds" + " file size %#" INTMAX_T_FORMAT "x", (uintmax_t)xsh_offset, (uintmax_t)xsh_size, (uintmax_t)fsize) == -1) return -1; @@ -1353,7 +1376,7 @@ doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num, default: if (file_printf(ms, ", with unknown capability " - "0x%" INT64_T_FORMAT "x = 0x%" + "%#" INT64_T_FORMAT "x = %#" INT64_T_FORMAT "x", (unsigned long long)xcap_tag, (unsigned long long)xcap_val) == -1) @@ -1370,6 +1393,10 @@ doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num, } } + if (has_debug_info) { + if (file_printf(ms, ", with debug_info") == -1) + return -1; + } if (file_printf(ms, ", %sstripped", stripped ? "" : "not ") == -1) return -1; if (cap_hw1) { 
@@ -1403,13 +1430,13 @@ doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num, } if (cap_hw1) if (file_printf(ms, - " unknown hardware capability 0x%" + " unknown hardware capability %#" INT64_T_FORMAT "x", (unsigned long long)cap_hw1) == -1) return -1; } else { if (file_printf(ms, - " hardware capability 0x%" INT64_T_FORMAT "x", + " hardware capability %#" INT64_T_FORMAT "x", (unsigned long long)cap_hw1) == -1) return -1; } @@ -1425,7 +1452,7 @@ doshn(struct magic_set *ms, int clazz, int swap, int fd, off_t off, int num, cap_sf1 &= ~SF1_SUNW_MASK; if (cap_sf1) if (file_printf(ms, - ", with unknown software capability 0x%" + ", with unknown software capability %#" INT64_T_FORMAT "x", (unsigned long long)cap_sf1) == -1) return -1; @@ -1479,7 +1506,7 @@ dophn_exec(struct magic_set *ms, int clazz, int swap, int fd, off_t off, if (((align = xph_align) & 0x80000000UL) != 0 || align < 4) { if (file_printf(ms, - ", invalid note alignment 0x%lx", + ", invalid note alignment %#lx", (unsigned long)align) == -1) return -1; align = 4; diff --git a/src/readelf.h b/src/readelf.h index f443b298585c..ef880b9cbe22 100644 --- a/src/readelf.h +++ b/src/readelf.h @@ -141,7 +141,7 @@ typedef struct { #define SHT_SYMTAB 2 #define SHT_NOTE 7 #define SHT_DYNSYM 11 -#define SHT_SUNW_cap 0x6ffffff5 /* SunOS 5.x hw/sw capabilites */ +#define SHT_SUNW_cap 0x6ffffff5 /* SunOS 5.x hw/sw capabilities */ /* elf type */ #define ELFDATANONE 0 /* e_ident[EI_DATA] */ 
@@ -230,6 +230,33 @@ typedef struct { } Elf64_Shdr; #define NT_NETBSD_CORE_PROCINFO 1 +#define NT_NETBSD_CORE_AUXV 2 + +struct NetBSD_elfcore_procinfo { + /* Version 1 fields start here. */ + uint32_t cpi_version; /* our version */ + uint32_t cpi_cpisize; /* sizeof(this struct) */ + uint32_t cpi_signo; /* killing signal */ + uint32_t cpi_sigcode; /* signal code */ + uint32_t cpi_sigpend[4]; /* pending signals */ + uint32_t cpi_sigmask[4]; /* blocked signals */ + uint32_t cpi_sigignore[4]; /* ignored signals */ + uint32_t cpi_sigcatch[4]; /* caught signals */ + int32_t cpi_pid; /* process ID */ + int32_t cpi_ppid; /* parent process ID */ + int32_t cpi_pgrp; /* process group ID */ + int32_t cpi_sid; /* session ID */ + uint32_t cpi_ruid; /* real user ID */ + uint32_t cpi_euid; /* effective user ID */ + uint32_t cpi_svuid; /* saved user ID */ + uint32_t cpi_rgid; /* real group ID */ + uint32_t cpi_egid; /* effective group ID */ + uint32_t cpi_svgid; /* saved group ID */ + uint32_t cpi_nlwps; /* number of LWPs */ + int8_t cpi_name[32]; /* copy of p->p_comm */ + /* Add version 2 fields below here. */ + int32_t cpi_siglwp; /* LWP target of killing signal */ +}; /* Note header in a PT_NOTE section */ typedef struct elf_note { @@ -328,6 +355,11 @@ typedef struct { */ #define NT_NETBSD_CMODEL 6 +/* + * FreeBSD specific notes + */ +#define NT_FREEBSD_PROCSTAT_AUXV 16 + #if !defined(ELFSIZE) && defined(ARCH_ELFSIZE) #define ELFSIZE ARCH_ELFSIZE #endif diff --git a/src/softmagic.c b/src/softmagic.c index 0e9d433ddd99..b9e975374b40 100644 --- a/src/softmagic.c +++ b/src/softmagic.c @@ -32,7 +32,7 @@ #include "file.h" #ifndef lint -FILE_RCSID("@(#)$File: softmagic.c,v 1.238 2016/10/24 18:02:17 christos Exp $") +FILE_RCSID("@(#)$File: softmagic.c,v 1.249 2017/06/19 18:30:25 christos Exp $") #endif /* lint */ #include "magic.h" 
@@ -192,6 +192,7 @@ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic, while (magindex < nmagic - 1 && magic[magindex + 1].cont_level != 0) magindex++; + cont_level = 0; continue; /* Skip to next top-level test*/ } @@ -370,6 +371,7 @@ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic, case -1: case 0: flush = 1; + cont_level--; break; default: break; @@ -1017,9 +1019,8 @@ private int mconvert(struct magic_set *ms, struct magic *m, int flip) { union VALUETYPE *p = &ms->ms_value; - uint8_t type; - switch (type = cvt_flip(m->type, flip)) { + switch (cvt_flip(m->type, flip)) { case FILE_BYTE: if (cvt_8(p, m) == -1) goto out; @@ -1184,7 +1185,7 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir, case FILE_DER: case FILE_SEARCH: if (offset > nbytes) - offset = nbytes; + offset = CAST(uint32_t, nbytes); ms->search.s = RCAST(const char *, s) + offset; ms->search.s_len = nbytes - offset; ms->search.offset = offset; @@ -1198,7 +1199,7 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir, const char *end; size_t lines, linecnt, bytecnt; - if (s == NULL) { + if (s == NULL || nbytes < offset) { ms->search.s_len = 0; ms->search.s = NULL; return 0; @@ -1260,7 +1261,8 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir, if (*dst == '\0') { if (type == FILE_BESTRING16 ? *(src - 1) != '\0' : - *(src + 1) != '\0') + ((src + 1 < esrc) && + *(src + 1) != '\0')) *dst = ' '; } } @@ -1365,7 +1367,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m, return -1; if ((ms->flags & MAGIC_DEBUG) != 0) { - fprintf(stderr, "mget(type=%d, flag=%x, offset=%u, o=%" + fprintf(stderr, "mget(type=%d, flag=%#x, offset=%u, o=%" SIZE_T_FORMAT "u, " "nbytes=%" SIZE_T_FORMAT "u, il=%hu, nc=%hu)\n", m->type, m->flag, offset, o, nbytes, 
@@ -1632,6 +1634,7 @@ file_strncmp(const char *s1, const char *s2, size_t len, uint32_t flags) */ const unsigned char *a = (const unsigned char *)s1; const unsigned char *b = (const unsigned char *)s2; + const unsigned char *eb = b + len; uint64_t v; /* @@ -1646,6 +1649,10 @@ file_strncmp(const char *s1, const char *s2, size_t len, uint32_t flags) } else { /* combine the others */ while (len-- > 0) { + if (b >= eb) { + v = 1; + break; + } if ((flags & STRING_IGNORE_LOWERCASE) && islower(*a)) { if ((v = tolower(*b++) - *a++) != '\0') @@ -1661,7 +1668,7 @@ file_strncmp(const char *s1, const char *s2, size_t len, uint32_t flags) a++; if (isspace(*b++)) { if (!isspace(*a)) - while (isspace(*b)) + while (b < eb && isspace(*b)) b++; } else { @@ -1672,7 +1679,7 @@ file_strncmp(const char *s1, const char *s2, size_t len, uint32_t flags) else if ((flags & STRING_COMPACT_OPTIONAL_WHITESPACE) && isspace(*a)) { a++; - while (isspace(*b)) + while (b < eb && isspace(*b)) b++; } else { @@ -1843,13 +1850,13 @@ magiccheck(struct magic_set *ms, struct magic *m) for (idx = 0; m->str_range == 0 || idx < m->str_range; idx++) { if (slen + idx > ms->search.s_len) - break; + return 0; v = file_strncmp(m->value.s, ms->search.s + idx, slen, m->str_flags); if (v == 0) { /* found match */ ms->search.offset += idx; - ms->search.rm_len = m->str_range - idx; + ms->search.rm_len = ms->search.s_len - idx; break; } } @@ -1887,7 +1894,7 @@ magiccheck(struct magic_set *ms, struct magic *m) copy[--slen] = '\0'; search = copy; } else { - search = ms->search.s; + search = CCAST(char *, ""); copy = NULL; } rc = file_regexec(&rx, (const char *)search, diff --git a/src/vasprintf.c b/src/vasprintf.c index 7a18bed763b6..ad1d3165534d 100644 --- a/src/vasprintf.c +++ b/src/vasprintf.c 
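Review bot: The new limit `eb = b + len` in `file_strncmp()` is derived from the pattern length rather than from the amount of data actually available at `s2`, so it only prevents over-reads if every caller guarantees `len` readable bytes there. It also changes matching under the whitespace-compaction flags. With `STRING_COMPACT_WHITESPACE` or `STRING_COMPACT_OPTIONAL_WHITESPACE`, input with a longer run of blanks than the pattern reaches `eb` early, hits `if (b >= eb) { v = 1; break; }`, and is reported as a mismatch. Passing the remaining buffer length as a separate argument and bounding `eb` with it when compaction is requested would keep both the bound and the previous matching behaviour. At minimum a comment on `eb` should state the assumption; the function starts and ends outside these hunks.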
@@ -88,7 +88,7 @@ type: d i o u x X f e g E G c s p n The function needs to allocate memory to store the full text before to -actually writting it. i.e if you want to fnprintf() 1000 characters, the +actually writing it. i.e if you want to fnprintf() 1000 characters, the functions will allocate 1000 bytes. This behaviour can be modified: you have to customise the code to flush the internal buffer (writing to screen or file) when it reach a given size. Then @@ -108,7 +108,7 @@ you use strange formats. #include "file.h" #ifndef lint -FILE_RCSID("@(#)$File: vasprintf.c,v 1.13 2014/12/04 15:56:46 christos Exp $") +FILE_RCSID("@(#)$File: vasprintf.c,v 1.14 2017/08/13 00:21:47 christos Exp $") #endif /* lint */ #include diff --git a/tests/Makefile.am b/tests/Makefile.am index 46c02e820b9f..8bf4f27cef5d 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -1,12 +1,14 @@ check_PROGRAMS = test test_LDADD = $(top_builddir)/src/libmagic.la -test_CPPFLAGS = -I$(top_srcdir)/src +test_CPPFLAGS = -I$(top_builddir)/src EXTRA_DIST = \ escapevel.result \ escapevel.testfile \ gedcom.result \ gedcom.testfile \ +hddrawcopytool.result \ +hddrawcopytool.testfile \ issue311docx.result \ issue311docx.testfile diff --git a/tests/Makefile.in b/tests/Makefile.in index 92f623e8454b..094034c69993 100644 --- a/tests/Makefile.in +++ b/tests/Makefile.in @@ -290,12 +290,14 @@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ test_LDADD = $(top_builddir)/src/libmagic.la -test_CPPFLAGS = -I$(top_srcdir)/src +test_CPPFLAGS = -I$(top_builddir)/src EXTRA_DIST = \ escapevel.result \ escapevel.testfile \ gedcom.result \ gedcom.testfile \ +hddrawcopytool.result \ +hddrawcopytool.testfile \ issue311docx.result \ issue311docx.testfile diff --git a/tests/hddrawcopytool.result b/tests/hddrawcopytool.result new file mode 100644 index 000000000000..0fe077dca388 --- /dev/null +++ b/tests/hddrawcopytool.result 
@@ -0,0 +1 @@ +HDD Raw Copy Tool 1.10 - HD model: ST500DM0 02-1BD142 serial: 51D20233A7C0 \ No newline at end of file diff --git a/tests/hddrawcopytool.testfile b/tests/hddrawcopytool.testfile new file mode 100644 index 0000000000000000000000000000000000000000..36ad7c64d14803054d25f296fc4a64496b2de695 GIT binary patch literal 1280 zcmWgiaB)!xN-S4!&M&A`2+7aSVHi<>#Zb@CU_|*C)w4puA*KcfF1`i|21dGuPA-Nf iMyLvgIgiBv2!^>I@p+HO)X>Gqz{uFx(cF0?h64a35)IS< literal 0 HcmV?d00001 diff --git a/tests/test.c b/tests/test.c index db91c62f2ece..330a357b3d4c 100644 --- a/tests/test.c +++ b/tests/test.c @@ -80,7 +80,8 @@ main(int argc, char **argv) return 10; } if (magic_load(ms, NULL) == -1) { - (void)fprintf(stderr, "ERROR loading with NULL file: %s\n", magic_error(ms)); + (void)fprintf(stderr, "ERROR loading with NULL file: %s\n", + magic_error(ms)); return 11; }