1 #------------------------------------------------------------------------------
2 # $File: archive,v 1.129 2019/05/09 18:58:02 christos Exp $
3 # archive: file(1) magic for archive formats (see also "msdos" for self-
4 # extracting compressed archives)
6 # cpio, ar, arc, arj, hpack, lha/lharc, rar, squish, uc2, zip, zoo, etc.
7 # pre-POSIX "tar" archives are also handled in the C code ../../src/is_tar.c.
10 # URL: https://en.wikipedia.org/wiki/Tar_(computing)
11 # Reference: https://www.freebsd.org/cgi/man.cgi?query=tar&sektion=5&manpath=FreeBSD+8-current
12 # header mainly padded with nul bytes
15 # filename or extended attribute: printable characters in the range from space or nul up to umlaut ue
18 # last 4 header bytes often null but tar\0 in gtarfail2.tar gtarfail.tar-bad
19 # at https://sourceforge.net/projects/s-tar/files/testscripts/
20 >>>508 ubelong&0x8B9E8DFF 0
21 # nul, space or ascii digit 0-7 at start of mode
23 >>>>>101 ubyte&0xC8 =0
24 # nul, space at end of check sum
25 >>>>>>155 ubyte&0xDF =0
26 # space or ascii digit 0 at start of check sum
27 >>>>>>>148 ubyte&0xEF =0x20
28 >>>>>>>>0 use tar-file
29 # minimal check and then display tar archive information which can also be
30 # embedded inside others like Android Backup, Clam AntiVirus database
33 # header padded with nuls
35 # GNU tar version 1.29 with non pax format option without refusing
36 # creates misleading V7 header for Long path, Multi-volume, Volume type
37 >>>156 ubyte 0x4c GNU tar archive
38 !:mime application/x-gtar
40 >>>156 ubyte 0x4d GNU tar archive
41 !:mime application/x-gtar
43 >>>156 ubyte 0x56 GNU tar archive
44 !:mime application/x-gtar
46 >>>156 default x tar archive (V7)
47 !:mime application/x-tar
49 # other stuff in padding
50 # some implementations add new fields to the blank area at the end of the header record
51 # created for example by DOS TAR 3.20g 1994 Tim V.Shapore with -j option
52 >>257 ulong !0 tar archive (old)
53 !:mime application/x-tar
55 # magic in newer, GNU, posix variants
57 # 2 last char of magic and UStar version because string expression does not work
58 # 2 space characters followed by a null for GNU variant
59 >>261 ubelong =0x72202000 POSIX tar archive (GNU)
60 !:mime application/x-gtar
62 # UStar version with ASCII "00"
63 >>261 ubelong 0x72003030 POSIX
64 # gLOBAL and ExTENSION type only found in POSIX.1-2001 format
65 >>>156 ubyte 0x67 \b.1-2001
66 >>>156 ubyte 0x78 \b.1-2001
67 >>>156 ubyte x tar archive
68 !:mime application/x-ustar
70 # version with 2 binary nuls embedded in Android Backup like com.android.settings.ab
71 >>261 ubelong 0x72000000 tar archive (ustar)
72 !:mime application/x-ustar
74 # ustar variant with garbage version (no sample seen so far)
75 >>261 default x tar archive (unknown ustar)
76 !:mime application/x-ustar
78 # type flag of 1st tar archive member
79 #>156 ubyte x \b, %c-type
81 >>156 ubyte 0 \b, file
82 >>156 ubyte 0x30 \b, file
83 >>156 ubyte 0x31 \b, hard link
84 >>156 ubyte 0x32 \b, symlink
85 >>156 ubyte 0x33 \b, char device
86 >>156 ubyte 0x34 \b, block device
87 >>156 ubyte 0x35 \b, directory
88 >>156 ubyte 0x36 \b, fifo
89 >>156 ubyte 0x37 \b, reserved
90 >>156 ubyte 0x4c \b, long path
91 >>156 ubyte 0x4d \b, multi volume
92 >>156 ubyte 0x56 \b, volume
93 >>156 ubyte 0x67 \b, global
94 >>156 ubyte 0x78 \b, extension
95 >>156 default x \b, type
99 # mode mainly stored as an octal number in ASCII null or space terminated
100 >100 string >\0 \b, mode %-.7s
101 # user id mainly as octal numbers in ASCII null or space terminated
102 >108 string >\0 \b, uid %-.7s
103 # group id mainly as octal numbers in ASCII null or space terminated
104 >116 string >\0 \b, gid %-.7s
105 # size mainly as octal number in ASCII
107 >>124 string >\0 \b, size %-.12s
108 # base-256 coding is indicated by setting the high-order bit of the leftmost byte,
# so every leading byte from 0x80 to 0xFF (not only 0xF0-0xFF) selects the hex dump below
109 >124 ubyte >0x7F \b, size 0x
110 >>124 ubyte !0xff \b%2.2x
111 >>125 ubyte !0xff \b%2.2x
112 >>126 ubyte !0xff \b%2.2x
113 >>127 ubyte !0xff \b%2.2x
114 >>128 ubyte !0xff \b%2.2x
115 >>129 ubyte !0xff \b%2.2x
116 >>130 ubyte !0xff \b%2.2x
117 >>131 ubyte !0xff \b%2.2x
118 >>132 ubyte !0xff \b%2.2x
119 >>133 ubyte !0xff \b%2.2x
120 >>134 ubyte !0xff \b%2.2x
121 >>135 ubyte !0xff \b%2.2x
122 # seconds since 0:0:0 1 jan 1970 UTC as octal number mainly in ASCII null or space terminated
123 >136 string >\0 \b, seconds %-.11s
124 # header checksum stored as an octal number in ASCII null or space terminated
125 #>148 string x \b, cksum %.7s
127 >157 string >\0 \b, linkname %-.40s
128 # additional fields for ustar
130 # owner user name null terminated
131 >>265 string >\0 \b, user %-.32s
132 # group name null terminated
133 >>297 string >\0 \b, group %-.32s
134 # device major minor if not zero
135 >>329 ubequad&0xCFCFCFCFcFcFcFdf !0
136 >>>329 string x \b, devmaj %-.7s
137 >>337 ubequad&0xCFCFCFCFcFcFcFdf !0
138 >>>337 string x \b, devmin %-.7s
140 >>345 string >\0 \b, prefix %-.155s
141 # old non ustar/POSIX tar
144 # padding[255] in old star
145 >>>257 string >\0 \b, padding: %-.40s
147 # padding[255] in old tar sometimes comment field
148 >>>257 string >\0 \b, comment: %-.40s
150 # Incremental snapshot gnu-tar format from:
151 # https://www.gnu.org/software/tar/manual/html_node/Snapshot-Files.html
152 0 string GNU\ tar- GNU tar incremental snapshot data
153 >&0 regex [0-9]\.[0-9]+-[0-9]+ version %s
157 # Yes, the top two "cpio archive" formats *are* supposed to just be "short".
158 # The idea is to indicate archives produced on machines with the same
159 # byte order as the machine running "file" with "cpio archive", and
160 # to indicate archives produced on machines with the opposite byte order
161 # from the machine running "file" with "byte-swapped cpio archive".
163 # The SVR4 "cpio(4)" hints that there are additional formats, but they
164 # are defined as "short"s; I think all the new formats are
165 # character-header formats and thus are strings, not numbers.
166 0 short 070707 cpio archive
167 !:mime application/x-cpio
168 0 short 0143561 byte-swapped cpio archive
169 !:mime application/x-cpio # encoding: swapped
170 0 string 070707 ASCII cpio archive (pre-SVR4 or odc)
171 0 string 070701 ASCII cpio archive (SVR4 with no CRC)
172 0 string 070702 ASCII cpio archive (SVR4 with CRC)
175 # Various archive formats used by various versions of the "ar"
180 # Original UNIX archive formats.
181 # They were written with binary values in host byte order, and
182 # the magic number was a host "int", which might have been 16 bits
183 # or 32 bits. We don't say "PDP-11" or "VAX", as there might have
184 # been ports to little-endian 16-bit-int or 32-bit-int platforms
185 # (x86?) using some of those formats; if none existed, feel free
186 # to use "PDP-11" for little-endian 16-bit and "VAX" for little-endian
187 # 32-bit. There might have been big-endian ports of that sort as
190 0 leshort 0177555 very old 16-bit-int little-endian archive
191 0 beshort 0177555 very old 16-bit-int big-endian archive
192 0 lelong 0177555 very old 32-bit-int little-endian archive
193 0 belong 0177555 very old 32-bit-int big-endian archive
195 0 leshort 0177545 old 16-bit-int little-endian archive
196 >2 string __.SYMDEF random library
197 0 beshort 0177545 old 16-bit-int big-endian archive
198 >2 string __.SYMDEF random library
199 0 lelong 0177545 old 32-bit-int little-endian archive
200 >4 string __.SYMDEF random library
201 0 belong 0177545 old 32-bit-int big-endian archive
202 >4 string __.SYMDEF random library
205 # From "pdp" (but why a 4-byte quantity?)
207 0 lelong 0x39bed PDP-11 old archive
208 0 lelong 0x39bee PDP-11 4.0 archive
211 # XXX - what flavor of APL used this, and was it a variant of
212 # some ar archive format? It's similar to, but not the same
213 # as, the APL workspace magic numbers in pdp.
215 0 long 0100554 apl workspace
218 # System V Release 1 portable(?) archive format.
220 0 string =<ar> System V Release 1 ar archive
221 !:mime application/x-archive
224 # Debian package; it's in the portable archive format, and needs to go
225 # before the entry for regular portable archives, as it's recognized as
226 # a portable archive whose first member has a name beginning with
229 # Update: Joerg Jenderek
230 # URL: https://en.wikipedia.org/wiki/Deb_(file_format)
231 0 string =!<arch>\ndebian
232 # https://manpages.debian.org/testing/dpkg/dpkg-split.1.en.html
233 >14 string -split part of multipart Debian package
234 !:mime application/vnd.debian.binary-package
235 # udeb is used for stripped down deb file
237 >14 string -binary Debian binary package
238 !:mime application/vnd.debian.binary-package
240 # This should not happen
241 >14 default x Unknown Debian package
242 # NL terminated version; for most Debian cases this is 2.0, or 2.1 for split packages
243 >68 string >\0 (format %s)
245 #>>68 string x (format %.3s)
247 # 2nd archive name=control archive name like control.tar.gz or control.tar.xz
248 >>72 string >\0 \b, with %.14s
249 # look for 3rd archive name=data archive name like data.tar.{gz,xz,bz2,lzma}
250 >>0 search/0x93e4f data.tar. \b, data compression
251 # the above line only works if FILE_BYTES_MAX in ../../src/file.h is raised
252 # for example like libreoffice-dev-doc_1%3a5.2.7-1+rpi1+deb9u3_all.deb
254 # split Debian package case
256 # dpkg-1.18.25/dpkg-split/info.c
257 # NL terminated ASCII package name like ckermit
259 # NL terminated package version like 302-5.3
261 # NL terminated MD5 checksum
262 >>>>&1 string x \b, MD5 %s
263 # NL terminated original package length
264 >>>>>&1 string x \b, unsplitted size %s
265 # NL terminated part length
266 >>>>>>&1 string x \b, part length %s
267 # NL terminated package part like n/m
268 >>>>>>>&1 string x \b, part %s
269 # NL terminated package architecture like armhf since dpkg 1.16.1 or later
270 >>>>>>>>&1 string x \b, %s
273 # MIPS archive; they're in the portable archive format, and need to go
274 # before the entry for regular portable archives, as it's recognized as
275 # a portable archive whose first member has a name beginning with
278 0 string =!<arch>\n__________E MIPS archive
279 !:mime application/x-archive
280 >20 string U with MIPS Ucode members
281 >21 string L with MIPSEL members
282 >21 string B with MIPSEB members
283 >19 string L and an EL hash table
284 >19 string B and an EB hash table
285 >22 string X -- out of date
288 # BSD/SVR2-and-later portable archive formats.
290 # Update: Joerg Jenderek
291 # URL: http://fileformats.archiveteam.org/wiki/AR
292 # Reference: https://www.unix.com/man-page/opensolaris/3HEAD/ar.h/
293 # Note: Mach-O universal binary in ./cafebabe is dependent
294 # TODO: unify current ar archive, MIPS archive, Debian package
295 # distinguish BSD, SVR; 32, 64 bit; HP from other 32-bit SVR;
296 # *.ar packages from *.a libraries. handle empty archive
297 0 string =!<arch>\n current ar archive
298 # print first and possibly second ar_name[16] for debugging purpose
299 #>8 string x \b, 1st "%.16s"
300 #>68 string x \b, 2nd "%.16s"
301 !:mime application/x-archive
302 # a in most case for libraries; lib for Microsoft libraries; ar else cases
304 >8 string __.SYMDEF random library
305 # first member with long marked name __.SYMDEF SORTED implies BSD library
306 >68 string __.SYMDEF\ SORTED random library
307 # Reference: https://parisc.wiki.kernel.org/images-parisc/b/b2/Rad_11_0_32.pdf
308 # "archive file" entry moved from ./hp
309 # LST header system_id 0210h~PA-RISC 1.1,... identifies the target architecture
310 # LST header a_magic 0619h~relocatable library
311 >68 belong 0x020b0619 - PA-RISC1.0 relocatable library
312 >68 belong 0x02100619 - PA-RISC1.1 relocatable library
313 >68 belong 0x02110619 - PA-RISC1.2 relocatable library
314 >68 belong 0x02140619 - PA-RISC2.0 relocatable library
315 #EOF for common ar archives
318 # "Thin" archive, as can be produced by GNU ar.
320 0 string =!<thin>\n thin archive with
321 >68 belong 0 no symbol entries
322 >68 belong 1 %d symbol entry
323 >68 belong >1 %d symbol entries
325 0 search/1 -h- Software Tools format archive text
327 # ARC archiver, from Daniel Quinlan (quinlan@yggdrasil.com)
329 # The first byte is the magic (0x1a), byte 2 is the compression type for
330 # the first file (0x01 through 0x09), and bytes 3 to 15 are the MS-DOS
331 # filename of the first file (null terminated). Since some types collide
332 # we only test some types on basis of frequency: 0x08 (83%), 0x09 (5%),
333 # 0x02 (5%), 0x03 (3%), 0x04 (2%), 0x06 (2%). 0x01 collides with terminfo.
334 0 lelong&0x8080ffff 0x0000081a ARC archive data, dynamic LZW
335 !:mime application/x-arc
336 0 lelong&0x8080ffff 0x0000091a ARC archive data, squashed
337 !:mime application/x-arc
338 0 lelong&0x8080ffff 0x0000021a ARC archive data, uncompressed
339 !:mime application/x-arc
340 0 lelong&0x8080ffff 0x0000031a ARC archive data, packed
341 !:mime application/x-arc
342 0 lelong&0x8080ffff 0x0000041a ARC archive data, squeezed
343 !:mime application/x-arc
344 0 lelong&0x8080ffff 0x0000061a ARC archive data, crunched
345 !:mime application/x-arc
346 # [JW] stuff taken from idarc, obviously ARC successors:
347 0 lelong&0x8080ffff 0x00000a1a PAK archive data
348 !:mime application/x-arc
349 0 lelong&0x8080ffff 0x0000141a ARC+ archive data
350 !:mime application/x-arc
351 0 lelong&0x8080ffff 0x0000481a HYP archive data
352 !:mime application/x-arc
354 # Acorn archive formats (Disaster prone simpleton, m91dps@ecs.ox.ac.uk)
355 # I can't create either SPARK or ArcFS archives so I have not tested this stuff
356 # [GRR: the original entries collide with ARC, above; replaced with combined
357 # version (not tested)]
358 #0 byte 0x1a RISC OS archive (spark format)
359 0 string \032archive RISC OS archive (ArcFS format)
360 0 string Archive\000 RISC OS archive (ArcFS format)
362 # All these were taken from idarc, many could not be verified. Unfortunately,
363 # there were many low-quality sigs, i.e. easy to trigger false positives.
364 # Please notify me of any real-world fishy/ambiguous signatures and I'll try
365 # to get my hands on the actual archiver and see if I find something better. [JW]
366 # probably many can be enhanced by finding some 0-byte or control char near the start
368 # idarc calls this Crush/Uncompressed... *shrug*
369 0 string CRUSH Crush archive data
371 0 string HLSQZ Squeeze It archive data
373 0 string SQWEZ SQWEZ archive data
375 0 string HPAK HPack archive data
377 0 string \x91\x33HF HAP archive data
379 0 string MDmd MDCD archive data
381 0 string LIM\x1a LIM archive data
383 3 string LH5 SAR archive data
385 0 string \212\3SB\020\0 BSArc/BS2 archive data
386 # Bethesda Softworks Archive (Oblivion)
387 0 string BSA\0 BSArc archive data
388 >4 lelong x version %d
390 2 string =-ah MAR archive data
392 #0 belong&0x00f800ff 0x00800000 ACB archive data
394 # TODO, this is what idarc says: 0 string \0\0\0 CPZ archive data
396 0 string JRchive JRC archive data
398 0 string DS\0 Quantum archive data
400 0 string PK\3\6 ReSOF archive data
402 0 string 7\4 QuArk archive data
404 14 string YC YAC archive data
406 0 string X1 X1 archive data
407 0 string XhDr X1 archive data
409 0 belong&0xffffe000 0x76ff2000 CDC Codec archive data
411 0 string \xad6" AMGC archive data
413 0 string N\xc3\xb5F\xc3\xa9lx\xc3\xa5 NuLIB archive data
415 0 string LEOLZW PAKLeo archive data
417 0 string SChF ChArc archive data
419 0 string PSA PSA archive data
421 0 string DSIGDCC CrossePAC archive data
423 0 string \x1f\x9f\x4a\x10\x0a Freeze archive data
425 0 string \xc2\xa8MP\xc2\xa8 KBoom archive data
426 # NSQ, must go after CDC Codec
427 0 string \x76\xff NSQ archive data
429 0 string Dirk\ Paehl DPA archive data
431 # TODO: idarc says "bytes 0-2 == bytes 3-5"
433 # URL: http://fileformats.archiveteam.org/wiki/TTComp_archive
434 # Update: Joerg Jenderek
435 # GRR: line below is too general as it matches also Panorama database "TCDB 2003-10 demo.pan", others
437 # look for first keyword of Panorama database *.pan
438 >12 search/261 DESIGN
439 # skip keyword with low entropy
440 >12 default x TTComp archive, binary, 4K dictionary
441 # (version 5.25) labeled the above entry as "TTComp archive data"
442 # ESP, could this conflict with Easy Software Products' (e.g.ESP ghostscript) documentation?
443 0 string ESP ESP archive data
445 0 string \1ZPK\1 ZPack archive data
447 0 string \xbc\x40 Sky archive data
449 0 string UFA UFA archive data
451 0 string =-H2O DRY archive data
453 0 string FOXSQZ FoxSQZ archive data
455 0 string ,AR7 AR7 archive data
457 0 string PPMZ PPMZ archive data
459 # Update: Joerg Jenderek
460 # URL: http://fileformats.archiveteam.org/wiki/MS-DOS_installation_compression
461 # Reference: https://hwiegman.home.xs4all.nl/fileformats/compress/szdd_kwaj_format.html
462 # Note: use correct version of extracting tool like EXPAND, UNPACK, DECOMP or 7Z
463 4 string \x88\xf0\x27
465 >0 string KWAJ MS Compress archive data, KWAJ variant
466 !:mime application/x-ms-compress-kwaj
467 # extension not working in version 5.32
468 # magic/Magdir/archive, 284: Warning: EXTENSION type ` ??_' has bad char '?'
469 # file: line 284: Bad magic entry ' ??_'
471 # compression method (0-4)
472 >>8 uleshort x \b, %u method
473 # offset of compressed data
474 >>10 uleshort x \b, 0x%x offset
476 #>>>&-6 string x \b, TEST extension %-.3s
477 # header flags to mark header extensions
478 >>12 uleshort >0 \b, 0x%x flags
479 # 4 bytes: decompressed length of file
481 >>>14 ulelong x \b, original size: %u bytes
482 # 2 bytes: unknown purpose
483 # 2 bytes: length of unknown data + mentioned bytes
484 # 1-9 bytes: null-terminated file name
485 # 1-4 bytes: null-terminated file extension
488 >>>>12 uleshort ^0x02
489 >>>>>12 uleshort ^0x04
490 >>>>>>12 uleshort ^0x10
491 >>>>>>>14 string x \b, %-.8s
492 >>>>>>12 uleshort &0x10
493 >>>>>>>14 string x \b, %-.8s
494 >>>>>>>>&1 string x \b.%-.3s
495 >>>>>12 uleshort &0x04
496 >>>>>>12 uleshort ^0x10
497 >>>>>>>(14.s) uleshort x
498 >>>>>>>>&14 string x \b, %-.8s
499 >>>>>>12 uleshort &0x10
500 >>>>>>>(14.s) uleshort x
501 >>>>>>>>&14 string x \b, %-.8s
502 >>>>>>>>>&1 string x \b.%-.3s
503 >>>>12 uleshort &0x02
504 >>>>>12 uleshort ^0x04
505 >>>>>>12 uleshort ^0x10
506 >>>>>>>16 string x \b, %-.8s
507 >>>>>>12 uleshort &0x10
508 >>>>>>>16 string x \b, %-.8s
509 >>>>>>>>&1 string x \b.%-.3s
510 >>>>>12 uleshort &0x04
511 >>>>>>12 uleshort ^0x10
512 >>>>>>>(16.s) uleshort x
513 >>>>>>>>&16 string x \b, %-.8s
514 >>>>>>12 uleshort &0x10
515 >>>>>>>(16.s) uleshort x
# file name and extension continue the indirect test above, so they sit one
# level deeper each and use the same ", " separator as the sibling branches
516 >>>>>>>>&16 string x \b, %-.8s
517 >>>>>>>>>&1 string x \b.%-.3s
519 >>>>12 uleshort ^0x02
520 >>>>>12 uleshort ^0x04
521 >>>>>>12 uleshort ^0x10
522 >>>>>>>18 string x \b, %-.8s
523 >>>>>>12 uleshort &0x10
524 >>>>>>>18 string x \b, %-.8s
525 >>>>>>>>&1 string x \b.%-.3s
526 >>>>>12 uleshort &0x04
527 >>>>>>12 uleshort ^0x10
528 >>>>>>>(18.s) uleshort x
529 >>>>>>>>&18 string x \b, %-.8s
530 >>>>>>12 uleshort &0x10
531 >>>>>>>(18.s) uleshort x
532 >>>>>>>>&18 string x \b, %-.8s
533 >>>>>>>>>&1 string x \b.%-.3s
534 >>>>12 uleshort &0x02
535 >>>>>12 uleshort ^0x04
536 >>>>>>12 uleshort ^0x10
537 >>>>>>>20 string x \b, %-.8s
538 >>>>>>12 uleshort &0x10
539 >>>>>>>20 string x \b, %-.8s
540 >>>>>>>>&1 string x \b.%-.3s
541 >>>>>12 uleshort &0x04
542 >>>>>>12 uleshort ^0x10
543 >>>>>>>(20.s) uleshort x
544 >>>>>>>>&20 string x \b, %-.8s
545 >>>>>>12 uleshort &0x10
546 >>>>>>>(20.s) uleshort x
547 >>>>>>>>&20 string x \b, %-.8s
548 >>>>>>>>>&1 string x \b.%-.3s
549 # 2 bytes: length of data + mentioned bytes
551 # SZDD variant Haruhiko Okumura's LZSS or 7z type MsLZ
552 >0 string SZDD MS Compress archive data, SZDD variant
553 !:mime application/x-ms-compress-szdd
555 # The character missing from the end of the filename (0=unknown)
556 >>9 string >\0 \b, %-.1s is last character of original name
557 # https://www.betaarchive.com/forum/viewtopic.php?t=26161
558 # Compression mode: "A" (0x41) found but sometimes "B" in Windows 3.1 builds 026 and 034e
559 >>8 string !A \b, %-.1s method
560 >>10 ulelong >0 \b, original size: %u bytes
561 # QBasic SZDD variant
562 3 string \x88\xf0\x27
563 >0 string SZ\x20 MS Compress archive data, QBasic variant
564 !:mime application/x-ms-compress-sz
566 >>8 ulelong >0 \b, original size: %u bytes
568 # MP3 (archiver, not lossy audio compression)
569 0 string MP3\x1a MP3-Archiver archive data
571 0 string OZ\xc3\x9d ZET archive data
573 0 string \x65\x5d\x13\x8c\x08\x01\x03\x00 TSComp archive data
575 0 string gW\4\1 ARQ archive data
577 3 string OctSqu Squash archive data
579 0 string \5\1\1\0 Terse archive data
581 0 string \x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 PUCrunch archive data
583 0 string UHA UHarc archive data
585 0 string \2AB ABComp archive data
586 0 string \3AB2 ABComp archive data
588 0 string CO\0 CMP archive data
590 0 string \x93\xb9\x06 Splint archive data
592 0 string \x13\x5d\x65\x8c InstallShield Z archive Data
594 1 string GTH Gather archive data
596 0 string BOA BOA archive data
598 0 string ULEB\xa RAX archive data
600 0 string ULEB\0 Xtreme archive data
602 0 string @\xc3\xa2\1\0 Pack Magic archive data
604 0 belong&0xfeffffff 0x1a034465 BTS archive data
606 0 string Ora\ ELI 5750 archive data
608 0 string \x1aFC\x1a QFC archive data
609 0 string \x1aQF\x1a QFC archive data
611 0 string RNC PRO-PACK archive data
613 0 string 777 777 archive data
615 0 string sTaC LZS221 archive data
617 0 string HPA HPA archive data
619 0 string LG Arhangel archive data
621 0 string 0123456789012345BZh EXP1 archive data
623 0 string IMP\xa IMP archive data
625 0 string \x00\x9E\x6E\x72\x76\xFF NRV archive data
627 0 string \x73\xb2\x90\xf4 Squish archive data
629 0 string PHILIPP Par archive data
630 0 string PAR Par archive data
632 0 string UB HIT archive data
634 0 belong&0xfffff000 0x53423000 SBX archive data
636 0 string NSK NaShrink archive data
638 0 string #\ CAR\ archive\ header SAPCAR archive data
639 0 string CAR\ 2.00RG SAPCAR archive data
641 0 string DST Disintegrator archive data
643 0 string ASD ASD archive data
645 0 string ISc( InstallShield CAB
647 0 string T4\x1a TOP4 archive data
648 # BatComp left out: sig looks like COM executable
649 # so TODO: get real 4dos batcomp file and find sig
651 0 string BH\5\7 BlakHole archive data
653 0 string BIX0 BIX archive data
655 0 string ChfLZ ChiefLZA archive data
657 0 string Blink Blink archive data
659 0 string \xda\xfa Logitech Compress archive data
660 # ARS-Sfx (FIXME: really a SFX? then goto COM/EXE)
661 1 string (C)\ STEPANYUK ARS-Sfx archive data
663 0 string AKT32 AKT32 archive data
664 0 string AKT AKT archive data
666 0 string MSTSM NPack archive data
668 0 string \0\x50\0\x14 PFT archive data
670 0 string SEM SemOne archive data
672 0 string \x8f\xaf\xac\x84 PPMD archive data
674 0 string FIZ FIZ archive data
676 0 belong&0xfffff0f0 0x4d530000 MSXiE archive data
678 0 belong&0xfffffff0 0x797a3030 DeepFreezer archive data
680 0 string =<DC- DC archive data
682 0 string \4TPAC\3 TPac archive data
684 0 string Ai\1\1\0 Ai archive data
685 0 string Ai\1\0\0 Ai archive data
687 0 string Ai\2\0 Ai32 archive data
688 0 string Ai\2\1 Ai32 archive data
690 0 string SBC SBC archive data
692 0 string YBS Ybs archive data
694 0 string \x9e\0\0 DitPack archive data
696 0 string DMS! DMS archive data
698 0 string \x8f\xaf\xac\x8c EPC archive data
700 0 string VS\x1a VSARC archive data
702 0 string PDZ PDZ archive data
704 0 string rdqx ReDuq archive data
706 0 string GCAX GCA archive data
708 0 string pN PPMN archive data
710 3 string WINIMAGE WinImage archive data
712 0 string CMP0CMP Compressia archive data
714 0 string UHB UHBC archive data
716 0 string \x61\x5C\x04\x05 WinHKI archive data
718 0 string WWP WWPack archive data
720 0 string \xffBSG BSN archive data
721 1 string \xffBSG BSN archive data
722 3 string \xffBSG BSN archive data
723 1 string \0\xae\2 BSN archive data
724 1 string \0\xae\3 BSN archive data
725 1 string \0\xae\7 BSN archive data
727 0 string \x33\x18 AIN archive data
728 0 string \x33\x17 AIN archive data
729 # XPA32 test moved and merged with XPA by Joerg Jenderek at Sep 2015
730 # SZip (TODO: doesn't catch all versions)
731 0 string SZ\x0a\4 SZip archive data
733 # *.XDI updated by Joerg Jenderek Sep 2015
734 # ftp://ftp.sac.sk/pub/sac/pack/0index.txt
735 # GRR: this test is still too general as it catches also text files starting with jm
737 # only found examples with this additional characteristic 2 bytes
738 >2 string \x2\x4 Xpack DiskImage archive data
741 # *.xpa updated by Joerg Jenderek Sep 2015
742 # ftp://ftp.elf.stuba.sk/pub/pc/pack/
746 # ftp://ftp.elf.stuba.sk/pub/pc/pack/xpa32.zip
747 # created by XPA32.EXE version 1.0.2 for Windows
748 >0 string xpa\0\1 \b32 archive data
749 # created by XPACK.COM version 1.67m or 1.67r with short 0x1800
750 >3 ubeshort !0x0001 \bck archive data
752 # changed by Joerg Jenderek Sep 2015 back to like in version 5.12
753 # letter 'I'+ acute accent is equivalent to \xcd
754 0 string \xcd\ jm Xpack single archive data
755 #!:mime application/x-xpa-compressed
758 # TODO: missing due to unknown magic/magic at end of file:
768 # These were inspired by idarc, but actually verified
769 # Dzip archiver (.dz)
770 # Update: Joerg Jenderek
771 # URL: http://speeddemosarchive.com/dzip/
772 # reference: http://speeddemosarchive.com/dzip/dz29src.zip/main.c
773 # GRR: line below is too general as it matches also ASCII texts like Doszip commander help dz.txt
775 # latest version is 2.9 dated 7 may 2003
776 >2 byte <4 Dzip archive data
777 !:mime application/x-dzip
779 >>2 byte x \b, version %i
781 >>4 ulelong x \b, offset 0x%x
782 >>8 ulelong x \b, %u files
783 # ZZip archiver (.zz)
784 0 string ZZ\ \0\0 ZZip archive data
785 0 string ZZ0 ZZip archive data
786 # PAQ archiver (.paq)
787 0 string \xaa\x40\x5f\x77\x1f\xe5\x82\x0d PAQ archive data
788 0 string PAQ PAQ archive data
791 # JAR archiver (.j), this is the successor to ARJ, not Java's JAR (which is essentially ZIP)
792 0xe string \x1aJar\x1b JAR (ARJ Software, Inc.) archive data
793 0 string JARCS JAR (ARJ Software, Inc.) archive data
795 # ARJ archiver (jason@jarthur.Claremont.EDU)
796 0 leshort 0xea60 ARJ archive data
797 !:mime application/x-arj
799 >8 byte &0x04 multi-volume,
800 >8 byte &0x10 slash-switched,
801 >8 byte &0x20 backup,
802 >34 string x original name: %s,
807 >7 byte 4 os: Macintosh
809 >7 byte 6 os: Apple ][ GS
810 >7 byte 7 os: Atari ST
812 >7 byte 9 os: VAX/VMS
814 # [JW] idarc says this is also possible
815 2 leshort 0xea60 ARJ archive data
817 # HA archiver (Greg Roelofs, newt@uchicago.edu)
818 # This is a really bad format. A file containing HAWAII will match this...
819 #0 string HA HA archive data,
820 #>2 leshort =1 1 file,
821 #>2 leshort >1 %hu files,
822 #>4 byte&0x0f =0 first is type CPY
823 #>4 byte&0x0f =1 first is type ASC
824 #>4 byte&0x0f =2 first is type HSC
825 #>4 byte&0x0f =0x0e first is type DIR
826 #>4 byte&0x0f =0x0f first is type SPECIAL
827 # suggestion: at least identify small archives (<1024 files)
828 0 belong&0xffff00fc 0x48410000 HA archive data
829 >2 leshort =1 1 file,
830 >2 leshort >1 %u files,
831 >4 byte&0x0f =0 first is type CPY
832 >4 byte&0x0f =1 first is type ASC
833 >4 byte&0x0f =2 first is type HSC
834 >4 byte&0x0f =0x0e first is type DIR
835 >4 byte&0x0f =0x0f first is type SPECIAL
837 # HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz)
838 0 string HPAK HPACK archive data
840 # JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net
841 0 string \351,\001JAM\ JAM archive,
842 >7 string >\0 version %.4s
844 >>0x2b string >\0 label %.11s,
845 >>0x27 lelong x serial %08x,
846 >>0x36 string >\0 fstype %.8s
848 # LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu)
849 # Update: Joerg Jenderek
850 # URL: https://en.wikipedia.org/wiki/LHA_(file_format)
851 # Reference: https://web.archive.org/web/20021005080911/http://www.osirusoft.com/joejared/lzhformat.html
853 # check and display information of lharc (LHa,PMarc) file
855 # check 1st character of method id like -lz4- -lh5- or -pm2-
857 # check 5th character of method id
859 # check header level 0 1 2 3
861 # check 2nd, 3rd and 4th character of method id
862 >>>>3 regex \^(lh[0-9a-ex]|lz[s2-8]|pm[012]|pc1) \b
863 !:mime application/x-lzh-compressed
864 # creator type "LHA "
866 # display archive type name like "LHa/LZS archive data" or "LArc archive"
869 # already known -lzs- -lz4- -lz5- with old names
870 >>>>>>2 string -lzs LHa/LZS archive data
871 >>>>>>3 regex \^lz[45] LHarc 1.x archive data
872 # missing -lz?- with wikipedia names
873 >>>>>>3 regex \^lz[2378] LArc archive
874 # display archive type name like "LHa (2.x) archive data"
876 # already known -lh0- -lh1- -lh2- -lh3- -lh4- -lh5- -lh6- -lh7- -lhd- variants with old names
877 >>>>>>3 regex \^lh[01] LHarc 1.x/ARX archive data
878 # LHice archiver uses ".ICE" as name extension instead of the usual one ".lzh"
879 # FOOBAR archiver uses ".foo" as name extension instead of the usual one
880 # "Florain Orjanov's and Olga Bachetska's ARchiver" not found at the moment
881 >>>>>>>2 string -lh1 \b
883 >>>>>>3 regex \^lh[23d] LHa 2.x? archive data
884 >>>>>>3 regex \^lh[7] LHa (2.x)/LHark archive data
885 >>>>>>3 regex \^lh[456] LHa (2.x) archive data
886 >>>>>>>2 string -lh5 \b
887 # https://en.wikipedia.org/wiki/BIOS
888 # Some mainboard BIOSes like Award use LHa compression. So archives with unusual extensions are found like
889 # bios.rom , kd7_v14.bin, 1010.004, ...
890 !:ext lha/lzh/rom/bin
891 # missing -lh?- variants (Joe Jared)
892 >>>>>>3 regex \^lh[89a-ce] LHa (Joe Jared) archive
894 >>>>>>2 string -lhx LHa (UNLHA32) archive
895 # lha archives with standard file name extensions ".lha" ".lzh"
896 >>>>>>3 regex !\^(lh1|lh5) \b
898 # this should not happen if all -lh variants are described
899 >>>>>>2 default x LHa (unknown) archive
902 >>>>>3 regex \^pm[012] PMarc archive data
904 # append method id without leading and trailing minus character
905 >>>>>3 string x [%3.3s]
906 >>>>>>0 use lharc-header
908 # check and display information of lharc header
910 # header size 0x4 , 0x1b-0x61
912 # compressed data size != compressed file size
913 #>7 ulelong x \b, data size %d
914 # attribute: 0x2~?? 0x10~symlink|target 0x20~normal
915 #>19 ubyte x \b, 19_0x%x
916 # level identifier 0 1 2 3
917 #>20 ubyte x \b, level %d
919 #>15 ubelong x DATE 0x%8.8x
922 # 0x20 types found for *.rom files
923 >>(21.b+24) ubyte <0x21 \b, 0x%x OS
924 # ascii type like M for MSDOS
925 >>(21.b+24) ubyte >0x20 \b, '%c' OS
928 #>>23 ubyte x \b, OS ID 0x%x
929 >>23 ubyte <0x21 \b, 0x%x OS
930 >>23 ubyte >0x20 \b, '%c' OS
931 # filename only for level 0 and 1
934 >>21 ubyte >0 \b, with
938 #2 string -lh0- LHarc 1.x/ARX archive data [lh0]
939 #!:mime application/x-lharc
942 #2 string -lh1- LHarc 1.x/ARX archive data [lh1]
943 #!:mime application/x-lharc
946 # NEW -lz2- ... -lz8-
959 # [never seen any but the last; -lh4- reported in comp.compression:]
960 #2 string -lzs- LHa/LZS archive data [lzs]
963 # According to wikipedia and others such a version does not exist
964 #2 string -lh\40- LHa 2.x? archive data [lh ]
965 #2 string -lhd- LHa 2.x? archive data [lhd]
968 #2 string -lh2- LHa 2.x? archive data [lh2]
971 #2 string -lh3- LHa 2.x? archive data [lh3]
974 #2 string -lh4- LHa (2.x) archive data [lh4]
977 #2 string -lh5- LHa (2.x) archive data [lh5]
980 #2 string -lh6- LHa (2.x) archive data [lh6]
983 #2 string -lh7- LHa (2.x)/LHark archive data [lh7]
985 # !:mime application/x-lha
986 # >20 byte x - header level %d
988 # NEW -lh8- ... -lhe- , -lhx-
1003 # taken from idarc [JW]
1004 2 string -lZ PUT archive data
1005 # already done by LHarc magics
1006 # this should never happen if all sub types of LZS archive are identified
1007 #2 string -lz LZS archive data
1008 2 string -sw1- Swag archive data
1010 0 name rar-file-header
# Named subroutine, invoked with "use rar-file-header" by the RAR entry.
# The byte at offset 24 selects the version text that is appended.
1011 >24 byte 15 \b, v1.5
1012 >24 byte 20 \b, v2.0
# The byte at offset 15 selects the operating system text that is appended.
1014 >15 byte 0 \b, os: MS-DOS
1015 >15 byte 1 \b, os: OS/2
1016 >15 byte 2 \b, os: Win32
1017 >15 byte 3 \b, os: Unix
1018 >15 byte 4 \b, os: Mac OS
1019 >15 byte 5 \b, os: BeOS
# Named sub-rule "rar-archive-header"; invoked from other entries with `use`.
# It treats the little-endian 16-bit value at +3 as a set of flag bits.
1021 0 name rar-archive-header
# print the "flags:" label only when at least one of the low nine bits is set
1022 >3 leshort&0x1ff >0 \b, flags:
# one test per bit; each prints its name when that bit is set.
# Bit 0x10 is tested before 0x08, so NewVolumeNaming is printed ahead of Solid.
1023 >>3 leshort &0x01 ArchiveVolume
1024 >>3 leshort &0x02 Commented
1025 >>3 leshort &0x04 Locked
1026 >>3 leshort &0x10 NewVolumeNaming
1027 >>3 leshort &0x08 Solid
1028 >>3 leshort &0x20 Authenticated
1029 >>3 leshort &0x40 RecoveryRecordPresent
1030 >>3 leshort &0x80 EncryptedBlockHeader
1031 >>3 leshort &0x100 FirstVolume
1033 # RAR (Roshal Archive) archive
# Signature: the bytes "Rar!", 0x1a, 0x07, 0x00 at the very start of the file.
1034 0 string Rar!\x1a\7\0 RAR archive data
1035 !:mime application/x-rar
# Indirect offset: read the 32-bit little-endian value stored at 0xc and add 9;
# when the byte found there is 0x74, apply rar-file-header at (that value + 7).
1038 >(0xc.l+9) byte 0x74
1039 >>(0xc.l+7) use rar-file-header
1040 # subblock seems to share information with file header
1041 >(0xc.l+9) byte 0x7a
1042 >>(0xc.l+7) use rar-file-header
# NOTE(review): as listed, this level-2 line continues the 0x7a test directly
# above; confirm that is the intended parent for the archive-header decoding.
1044 >>7 use rar-archive-header
1046 0 string Rar!\x1a\7\1\0 RAR archive data, v5
1047 !:mime application/x-rar
1050 # Very old RAR archive
1051 # https://jasonblanks.com/wp-includes/images/papers/KnowyourarchiveRAR.pdf
# Four-byte signature "RE" 0x7e 0x5e at offset 0; reported as a pre-1.5 RAR
# archive with the same MIME type as the "Rar!" entries.
1052 0 string RE\x7e\x5e RAR archive data (<v1.5)
1053 !:mime application/x-rar
1056 # SQUISH archiver (Greg Roelofs, newt@uchicago.edu)
1057 0 string SQSH squished archive data (Acorn RISCOS)
1059 # UC2 archiver (Greg Roelofs, newt@uchicago.edu)
1060 # [JW] see exe section for self-extracting version
1061 0 string UC2\x1a UC2 archive data
1063 # PKZIP multi-volume archive
# Matches "PK" 0x07 0x08 immediately followed by "PK" 0x03 0x04 at offset 0.
1064 0 string PK\x07\x08PK\x03\x04 Zip multi-volume archive data, at least PKZIP v2.50 to extract
1065 !:mime application/zip
1068 # Zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)
1069 0 string PK\005\006 Zip archive data (empty)
1070 !:mime application/zip
1076 # Specialised zip formats which start with a member named 'mimetype'
1077 # (stored uncompressed, with no 'extra field') containing the file's MIME type.
1078 # Check for an 8-byte name, a 0-byte extra field, the name "mimetype", and
1079 # contents starting with "application/":
1080 >26 string \x8\0\0\0mimetypeapplication/
1082 # KOffice / OpenOffice & StarOffice / OpenDocument formats
1083 # From: Abel Cheung <abel@oaka.org>
1085 # KOffice (1.2 or above) formats
1086 # (mimetype contains "application/vnd.kde.<SUBTYPE>")
1087 >>50 string vnd.kde. KOffice (>=1.2)
1088 >>>58 string karbon Karbon document
1089 >>>58 string kchart KChart document
1090 >>>58 string kformula KFormula document
1091 >>>58 string kivio Kivio document
1092 >>>58 string kontour Kontour document
1093 >>>58 string kpresenter KPresenter document
1094 >>>58 string kspread KSpread document
1095 >>>58 string kword KWord document
1097 # OpenOffice formats (for OpenOffice 1.x / StarOffice 6/7)
1098 # (mimetype contains "application/vnd.sun.xml.<SUBTYPE>")
1099 >>50 string vnd.sun.xml. OpenOffice.org 1.x
1100 >>>62 string writer Writer
1101 >>>>68 byte !0x2e document
1102 >>>>68 string .template template
1103 >>>>68 string .global global document
1104 >>>62 string calc Calc
1105 >>>>66 byte !0x2e spreadsheet
1106 >>>>66 string .template template
1107 >>>62 string draw Draw
1108 >>>>66 byte !0x2e document
1109 >>>>66 string .template template
1110 >>>62 string impress Impress
1111 >>>>69 byte !0x2e presentation
1112 >>>>69 string .template template
1113 >>>62 string math Math document
1114 >>>62 string base Database file
1116 # OpenDocument formats (for OpenOffice 2.x / StarOffice >= 8)
1117 # https://lists.oasis-open.org/archives/office/200505/msg00006.html
1118 # (mimetype contains "application/vnd.oasis.opendocument.<SUBTYPE>")
1119 >>50 string vnd.oasis.opendocument. OpenDocument
1121 >>>>77 byte !0x2d Text
1122 !:mime application/vnd.oasis.opendocument.text
1123 >>>>77 string -template Text Template
1124 !:mime application/vnd.oasis.opendocument.text-template
1125 >>>>77 string -web HTML Document Template
1126 !:mime application/vnd.oasis.opendocument.text-web
1127 >>>>77 string -master Master Document
1128 !:mime application/vnd.oasis.opendocument.text-master
1129 >>>73 string graphics
1130 >>>>81 byte !0x2d Drawing
1131 !:mime application/vnd.oasis.opendocument.graphics
1132 >>>>81 string -template Template
1133 !:mime application/vnd.oasis.opendocument.graphics-template
1134 >>>73 string presentation
1135 >>>>85 byte !0x2d Presentation
1136 !:mime application/vnd.oasis.opendocument.presentation
1137 >>>>85 string -template Template
1138 !:mime application/vnd.oasis.opendocument.presentation-template
1139 >>>73 string spreadsheet
1140 >>>>84 byte !0x2d Spreadsheet
1141 !:mime application/vnd.oasis.opendocument.spreadsheet
1142 >>>>84 string -template Template
1143 !:mime application/vnd.oasis.opendocument.spreadsheet-template
1145 >>>>78 byte !0x2d Chart
1146 !:mime application/vnd.oasis.opendocument.chart
1147 >>>>78 string -template Template
1148 !:mime application/vnd.oasis.opendocument.chart-template
1149 >>>73 string formula
1150 >>>>80 byte !0x2d Formula
1151 !:mime application/vnd.oasis.opendocument.formula
1152 >>>>80 string -template Template
1153 !:mime application/vnd.oasis.opendocument.formula-template
1154 >>>73 string database Database
1155 !:mime application/vnd.oasis.opendocument.database
1156 # Valid for LibreOffice Base 6.0.1.1 at least
1157 >>>73 string base Database
1158 !:mime application/vnd.oasis.opendocument.base
1160 >>>>78 byte !0x2d Image
1161 !:mime application/vnd.oasis.opendocument.image
1162 >>>>78 string -template Template
1163 !:mime application/vnd.oasis.opendocument.image-template
1165 # EPUB (OEBPS) books using OCF (OEBPS Container Format)
1166 # https://www.idpf.org/ocf/ocf1.0/download/ocf10.htm, section 4.
1167 # From: Ralf Brown <ralf.brown@gmail.com>
1168 >>50 string epub+zip EPUB document
1169 !:mime application/epub+zip
1171 # Catch other ZIP-with-mimetype formats
1172 # In a ZIP file, the bytes immediately after a member's contents are
1173 # always "PK". The 2 regex rules here print the "mimetype" member's
1174 # contents up to the first 'P'. Luckily, most MIME types don't contain
1175 # any capital 'P's. This is a kludge.
1176 # (mimetype contains "application/<OTHER>")
1177 >>50 string !epub+zip
1178 >>>50 string !vnd.oasis.opendocument.
1179 >>>>50 string !vnd.sun.xml.
1180 >>>>>50 string !vnd.kde.
1181 >>>>>>38 regex [!-OQ-~]+ Zip data (MIME type "%s"?)
1182 !:mime application/zip
1183 # (mimetype contents other than "application/*")
1184 >26 string \x8\0\0\0mimetype
1185 >>38 string !application/
1186 >>>38 regex [!-OQ-~]+ Zip data (MIME type "%s"?)
1187 !:mime application/zip
1190 >(26.s+30) leshort 0xcafe Java archive data (JAR)
1191 !:mime application/java-archive
1194 >(26.s+30) leshort !0xcafe
1195 >>26 string !\x8\0\0\0mimetype
1196 >>>30 string Payload/
1197 >>>>38 search/64 .app/ iOS App
1198 !:mime application/x-ios-app
1201 # Generic zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)
1202 # Next line excludes specialized formats:
1203 >(26.s+30) leshort !0xcafe
1204 >>26 string !\x8\0\0\0mimetype Zip archive data
1205 !:mime application/zip
1206 >>>4 beshort x \b, at least
1208 >>>4 beshort x to extract
1209 >>>0x161 string WINZIP \b, WinZIP self-extracting
1212 # From Pierre Ducroquet <pinaraf@pinaraf.info>
# Identified by the ASCII tag "VCLMTF" at offset 0.
1213 0 string VCLMTF StarView MetaFile
# big-endian 16-bit value at offset 6, always printed, labelled as the version
1214 >6 beshort x \b, version %d
# big-endian 32-bit value at offset 8, always printed, labelled as the size
1215 >8 belong x \b, size %d
# Zoo archive: 32-bit little-endian value 0xfdc4a7dc at offset 20.
1218 20 lelong 0xfdc4a7dc Zoo archive data
1219 !:mime application/x-zoo
# byte at 4 is printed as a character, but only when it is above 48 (ASCII '0')
1220 >4 byte >48 \b, v%c.
# byte at 32 is printed as a decimal "modify" version when non-zero
1223 >32 byte >0 \b, modify: v%d
# the same 32-bit value must also be present at offset 42 before the
# "extract" version byte at 70 is reported
1225 >42 lelong 0xfdc4a7dc \b,
1226 >>70 byte >0 extract: v%d
1230 10 string #\ This\ is\ a\ shell\ archive shell archive text
1231 !:mime application/octet-stream
1234 # LBR. NB: May conflict with the questionable
1235 # "binary Computer Graphics Metafile" format.
1237 0 string \0\ \ \ \ \ \ \ \ \ \ \ \0\0 LBR archive data
1239 # PMA (CP/M derivative of LHA)
1240 # Update: Joerg Jenderek
1241 # URL: https://en.wikipedia.org/wiki/LHA_(file_format)
1243 #2 string -pm0- PMarc archive data [pm0]
1246 #2 string -pm1- PMarc archive data [pm1]
1249 #2 string -pm2- PMarc archive data [pm2]
1252 2 string -pms- PMarc SFX archive (CP/M, DOS)
1253 #!:mime application/x-foobar-exec
1255 5 string -pc1- PopCom compressed executable (CP/M)
1256 #!:mime application/x-
1259 # From Rafael Laboissiere <rafael@laboissiere.net>
1260 # The Project Revision Control System (see
1261 # http://prcs.sourceforge.net) generates a packaged project
1262 # file which is recognized by the following entry:
1263 0 leshort 0xeb81 PRCS packaged project
1265 # Microsoft cabinets
1266 # by David Necas (Yeti) <yeti@physics.muni.cz>
1267 #0 string MSCF\0\0\0\0 Microsoft cabinet file data,
1270 # MPi: All CABs have version 1.3, so this is pointless.
1271 # Better magic in debian-additions.
1274 # by David Necas (Yeti) <yeti@physics.muni.cz>
# Matches the text "gtktalog " (including the trailing space) at offset 4.
1275 4 string gtktalog\ GTKtalog catalog data,
# a "3" at offset 13 enables the gzip sub-check below
1276 >13 string 3 version 3
# 0x677a is the two ASCII characters "gz"
1277 >>14 beshort 0x677a (gzipped)
1278 >>14 beshort !0x677a (not gzipped)
# any string at offset 13 that compares greater than "3" is printed as-is
1279 >13 string >3 version %s
1281 ############################################################################
1282 # Parity archive reconstruction file, the 'par' file format now used on Usenet.
# Matches "PAR" followed by a NUL byte at offset 0.
1283 0 string PAR\0 PARity archive data
# little-endian 16-bit value at 48: zero is reported as the index file,
# any positive value is printed as the file number
1284 >48 leshort =0 - Index file
1285 >48 leshort >0 - file number %d
1287 # Felix von Leitner <felix-file@fefe.de>
# File begins with the literal text "d8:announce".
1288 0 string d8:announce BitTorrent file
1289 !:mime application/x-bittorrent
1290 # Durval Menezes, <jmgthbfile at durval dot com>
# Second entry with the same description and MIME type, for files that
# begin with "d13:announce-list" instead.
1291 0 string d13:announce-list BitTorrent file
1292 !:mime application/x-bittorrent
1294 # Atari MSA archive - Teemu Hukkanen <tjhukkan@iki.fi>
# Big-endian 16-bit value 0x0e0f at offset 0; the remaining header fields
# read below are also big-endian 16-bit values.
1295 0 beshort 0x0e0f Atari MSA archive data
1296 >2 beshort x \b, %d sectors per track
# value at offset 4 is one less than the number of sides reported
1297 >4 beshort 0 \b, 1 sided
1298 >4 beshort 1 \b, 2 sided
1299 >6 beshort x \b, starting track: %d
1300 >8 beshort x \b, ending track: %d
1302 # Alternate ZIP string (amc@arwen.cs.berkeley.edu)
1303 0 string PK00PK\003\004 Zip archive data
1304 !:mime application/zip
1307 # ACE archive (from http://www.wotsit.org/download.asp?f=ace)
1308 # by Stefan `Sec` Zehl <sec@42.org>
# Signature "**ACE**" at offset 7 (not at the start of the file).
1309 7 string **ACE** ACE archive data
# byte at 15 is printed as the version when non-zero
1310 >15 byte >0 version %d
# byte at 16 is matched against known codes and printed as the originating system
1311 >16 byte =0x00 \b, from MS-DOS
1312 >16 byte =0x01 \b, from OS/2
1313 >16 byte =0x02 \b, from Win/32
1314 >16 byte =0x03 \b, from Unix
1315 >16 byte =0x04 \b, from MacOS
1316 >16 byte =0x05 \b, from WinNT
1317 >16 byte =0x06 \b, from Primos
1318 >16 byte =0x07 \b, from AppleGS
1319 >16 byte =0x08 \b, from Atari
1320 >16 byte =0x09 \b, from Vax/VMS
1321 >16 byte =0x0A \b, from Amiga
1322 >16 byte =0x0B \b, from Next
# byte at 14 is always printed as the version needed to extract
1323 >14 byte x \b, version %d to extract
# little-endian 16-bit flag word at offset 5; each line below tests one bit
1324 >5 leshort &0x0080 \b, multiple volumes,
# the part number (byte at 17) is only printed when bit 0x0080 is set
1325 >>17 byte x \b (part %d),
1326 >5 leshort &0x0002 \b, contains comment
1327 >5 leshort &0x0200 \b, sfx
1328 >5 leshort &0x0400 \b, small dictionary
1329 >5 leshort &0x0800 \b, multi-volume
1330 >5 leshort &0x1000 \b, contains AV-String
# the unregistered marker at offset 30 is only checked when bit 0x1000 is set
1331 >>30 string \x16*UNREGISTERED\x20VERSION* (unregistered)
1332 >5 leshort &0x2000 \b, with recovery record
1333 >5 leshort &0x4000 \b, locked
1334 >5 leshort &0x8000 \b, solid
1335 # Date in MS-DOS format (whatever that is)
1336 #>18 lelong x Created on
1338 # sfArk : compression program for Soundfonts (sf2) by Dirk Jagdmann
1340 0x1A string sfArk sfArk compressed Soundfont
1342 >>0x1 string >\0 Version %s
1343 >>0x2A string >\0 : %s
1345 # DR-DOS 7.03 Packed File *.??_
# Matches the text "Packed File " at offset 0 (the trailing escaped space is
# part of the pattern; "Personal NetWare Packed File" is the description).
1346 0 string Packed\ File\ Personal NetWare Packed File
# prints at most 12 characters of the string stored at offset 12
1347 >12 string x \b, was "%.12s"
1350 # From: Tilman Sauerbeck <tilman@code-monkey.de>
1351 0 belong 0x1ee7ff00 EET archive
1352 !:mime application/x-eet
# Matches the ASCII tag "RZIP" at offset 0.
1355 0 string RZIP rzip compressed data
# byte at 4 is always printed as the version
1356 >4 byte x - version %d
# big-endian 32-bit value at 6 is always printed as a byte count
1358 >6 belong x (%d bytes)
1360 # From: Joerg Jenderek
1361 # URL: https://help.foxitsoftware.com/kb/install-fzip-file.php
1362 # reference: http://mark0.net/download/triddefs_xml.7z/
1363 # defs/f/fzip.trid.xml
1364 # Note: unknown compression; No "PK" zip magic; normally in directory like
1365 # "%APPDATA%\Foxit Software\Addon\Foxit Reader\Install"
1366 0 ubequad 0x2506781901010000 Foxit add-on/update
1367 !:mime application/x-fzip
1370 # From: "Robert Dale" <robdale@gmail.com>
# Matches the big-endian 32-bit value 123 at offset 0.
1371 0 belong 123 dar archive,
# the label is printed as hex pieces; this line opens the quote with the
# 32-bit value at offset 4
1372 >4 belong x label "%.8x
# closes the quote with the 16-bit value at offset 12.
# NOTE(review): this is a level-3 line with no level-2 line visible above it
# in this listing; confirm the intermediate test is present in the real file.
1374 >>>12 beshort x %.4x"
# offset 14 is tested both as one byte and as a 16-bit value:
# 0x54 is ASCII 'T', 0x4e4e is "NN", 0x4e53 is "NS"
1375 >14 byte 0x54 end slice
1376 >14 beshort 0x4e4e multi-part
1377 >14 beshort 0x4e53 multi-part, with -S
1379 # Symbian installation files
1380 # https://www.thouky.co.uk/software/psifs/sis.html
1381 # http://developer.symbian.com/main/downloads/papers/SymbianOSv91/softwareinstallsis.pdf
# Matches the 32-bit little-endian value 0x10000419 at offset 8.
1382 8 lelong 0x10000419 Symbian installation file
1383 !:mime application/vnd.symbian.install
# the 32-bit value at offset 4 selects which release label is appended
1384 >4 lelong 0x1000006D (EPOC release 3/4/5)
1385 >4 lelong 0x10003A12 (EPOC release 6)
# separate top-level entry: 0x10201A7A at offset 0 is reported as Symbian OS 9.x
# and carries a different MIME type from the entry above
1386 0 lelong 0x10201A7A Symbian installation file (Symbian OS 9.x)
1387 !:mime x-epoc/x-sisx-app
1389 # From "Nelson A. de Oliveira" <naoliv@gmail.com>
1390 0 string MPQ\032 MoPaQ (MPQ) archive
1392 # From: "Nelson A. de Oliveira" <naoliv@gmail.com>
1394 0 string KGB_arch KGB Archiver file
1395 >10 string x with compression level %.1s
1397 # xar (eXtensible ARchiver) archive
1398 # URL: https://en.wikipedia.org/wiki/Xar_(archiver)
1399 # xar archive format: https://code.google.com/p/xar/
1400 # From: "David Remahl" <dremahl@apple.com>
1401 # Update: Joerg Jenderek
1402 # TODO: lzma compression; X509Data for pkg and xip
1403 # Note: verified by `xar --dump-header -f FullBundleUpdate.xar` or
1404 # `7z t -txar Xcode_10.2_beta_4.xip`
1405 0 string xar! xar archive
1406 !:mime application/x-xar
1407 # pkg for Mac OSX installer package like FullBundleUpdate.pkg
1408 # xip for signed Apple software like Xcode_10.2_beta_4.xip
1410 # always 28 in older archives
1411 >4 ubeshort >28 \b, header size %u
1412 # currently there exists only version 1 since about 2014
1413 >6 ubeshort >1 version %u,
1414 >8 ubequad x compressed TOC: %llu,
1415 #>16 ubequad x uncompressed TOC: %llu,
1416 # cksum_alg 0-2 in older and also 3-4 in newer
1417 >24 belong 0 no checksum
1418 >24 belong 1 SHA-1 checksum
1419 >24 belong 2 MD5 checksum
1420 >24 belong 3 SHA-256 checksum
1421 >24 belong 4 SHA-512 checksum
1422 >24 belong >4 unknown 0x%x checksum
1423 #>24 belong >4 checksum
1424 # For no compression jump 0 bytes
1427 # jump more bytes forward by header size
1429 # jump more bytes forward by compressed table of contents size
1430 #>>>>&(8.Q) ubequad x \b, heap data 0x%llx
1432 # look for data by ./compress after message with 1 space at end
1433 >>>>>&-3 indirect x \b, contains
1434 # For SHA-1 jump 20 minus 2 bytes
1437 # jump more bytes forward by header size
1439 # jump more bytes forward by compressed table of contents size
1441 # data compressed by gzip, bzip, lzma or none
1442 >>>>>&-1 indirect x \b, contains
1443 # For SHA-256 jump 32 minus 2 bytes
1446 # jump more bytes forward by header size
1448 # jump more bytes forward by compressed table of contents size
1450 >>>>>&-1 indirect x \b, contains
1451 # For SHA-512 jump 64 minus 2 bytes
1454 # jump more bytes forward by header size
1456 # jump more bytes forward by compressed table of contents size
1458 >>>>>&-1 indirect x \b, contains
1460 # Type: Parity Archive
1461 # From: Daniel van Eeden <daniel_e@dds.nl>
1462 0 string PAR2 Parity Archive Volume Set
1464 # Bacula volume format. (Volumes always start with a block header.)
1465 # URL: https://bacula.org/3.0.x-manuals/en/developers/developers/Block_Header.html
1466 # From: Adam Buchbinder <adam.buchbinder@gmail.com>
# Matches the ASCII tag "BB02" at offset 12.
1467 12 string BB02 Bacula volume
# big-endian 32-bit value at 20 is formatted as a date and always printed
1468 >20 bedate x \b, started %s
1470 # ePub is XHTML + XML inside a ZIP archive. The first member of the
1471 # archive must be an uncompressed file called 'mimetype' with contents
1472 # 'application/epub+zip'
1475 # From: "Michael Gorny" <mgorny@gentoo.org>
1476 # ZPAQ: http://mattmahoney.net/dc/zpaq.html
# "zPQ" at offset 0 is reported as a ZPAQ stream.
1477 0 string zPQ ZPAQ stream
# the byte right after the tag is always printed as the level
1478 >3 byte x \b, level %d
1479 # From: Barry Carter <carter.barry@gmail.com>
1480 # https://encode.ru/threads/456-zpaq-updates/page32
# "7kSt" at offset 0 is reported as a ZPAQ file (no level is printed here).
1481 0 string 7kSt ZPAQ file
1483 # BBeB ebook, unencrypted (LRF format)
1484 # URL: https://www.sven.de/librie/Librie/LrfFormat
1485 # From: Adam Buchbinder <adam.buchbinder@gmail.com>
# Signature: the letters L, R, F each followed by a NUL byte, then two more
# NUL bytes, at offset 0.
1486 0 string L\0R\0F\0\0\0 BBeB ebook data, unencrypted
# big-endian 16-bit value at 8 is always printed as the version
1487 >8 beshort x \b, version %d
# byte at 36 selects the reading-direction label: 1 or 16
1488 >36 byte 1 \b, front-to-back
1489 >36 byte 16 \b, back-to-front
# opens a parenthesised "<n>x," group with the 16-bit value at 42; the text
# that closes the parenthesis is not among the lines shown here
1490 >42 beshort x \b, (%dx,
1493 # Symantec GHOST image by Joerg Jenderek at May 2014
1494 # https://us.norton.com/ghost/
1495 # https://www.garykessler.net/library/file_sigs.html
1496 0 ubelong&0xFFFFf7f0 0xFEEF0100 Norton GHost image
1498 >2 ubyte&0x08 0x00 \b, first file
1499 # *.GHS or *.[0-9] with cns program option
1500 >2 ubyte&0x08 0x08 \b, split file
1501 # part of split index interesting for *.ghs
1503 # compression tag minus one equals numeric compression command line switch z[1-9]
1504 >3 ubyte 0 \b, no compression
1505 >3 ubyte 2 \b, fast compression (Z1)
1506 >3 ubyte 3 \b, medium compression (Z2)
1508 >>3 ubyte <11 \b, compression (Z%d-1)
1510 # ~ 30 byte password field only for *.gho
1511 >>12 ubequad !0 \b, password protected
1513 # 1~Image All, sector-by-sector only for *.gho
1514 >>>10 ubyte 1 \b, sector copy
1515 # 1~Image Boot track only for *.gho
1516 >>>43 ubyte 1 \b, boot track
1517 # 1~Image Disc only for *.gho implies Image Boot track and sector copy
1518 >>44 ubyte 1 \b, disc sector copy
1519 # optional image description only for *.gho
1520 >>0xff string >\0 "%-.254s"
1521 # look for DOS sector end sequence
1522 >0xE08 search/7776 \x55\xAA
1523 >>&-512 indirect x \b; contains
1525 # Google Chrome extensions
1526 # https://developer.chrome.com/extensions/crx
1527 # https://developer.chrome.com/extensions/hosting
# Matches the ASCII tag "Cr24" at offset 0.
1528 0 string Cr24 Google Chrome extension
1529 !:mime application/x-chrome-extension
# unsigned 32-bit value at 4 is always printed as the version.
# NOTE(review): `ulong` has no le/be prefix, unlike most multi-byte tests in
# this file; confirm the byte order is as intended.
1530 >4 ulong x \b, version %u
1532 # SeqBox - Sequenced container
1534 # Marco Pontello marcopon@gmail.com
1535 # reference: https://github.com/MarcoPon/SeqBox
# Matches the ASCII tag "SBx" at offset 0.
1536 0 string SBx SeqBox,
# the byte right after the tag is always printed as the version
1537 >3 byte x version %d
1540 56 string USE\040LYNX\040TO\040DISSOLVE\040THIS\040FILE LyNX archive
1542 # From: Joerg Jenderek
1543 # URL: https://www.acronis.com/
1544 # Reference: https://en.wikipedia.org/wiki/TIB_(file_format)
1545 # Note: only tested with True Image 2013 Build 5962 and 2019 Build 14110
1546 0 ubequad 0xce24b9a220000000 Acronis True Image backup
1547 !:mime application/x-acronis-tib
1550 #>20 ubelong x \b, at 20 0x%x
1552 #>28 ubelong x \b, at 28 0x%x
1553 # strings like "Generic- SD/MMC 1.00" "Unknown Disk" "Msft Virtual Disk 1.0"
1555 # strings like "\Device\0000011e" "\Device\0000015a"
1556 #>0 search/0x6852300/cs \\Device\\
1557 #>>&-1 pstring x \b, %s
1558 # "\Device\HarddiskVolume30" "\Device\HarddiskVolume39"
1559 #>>>&1 search/180/cs \\Device\\
1560 #>>>>&-1 pstring x \b, %s
1561 #>>>>>&0 search/29/cs \0\0\xc8\0
1563 #>>>>>>&10 lestring16 x \b, disk label %11.11s
1564 #>>>>>>&9 plestring16 x \b, disk label "%11.11s"
1565 #>>>>>>&10 ubequad x %16.16llx
1568 # Gentoo XPAK binary package
1569 # by Michal Gorny <mgorny@gentoo.org>
1570 # https://gitweb.gentoo.org/proj/portage.git/tree/man/xpak.5
1572 >-16 string XPAKSTOP Gentoo binary package (XPAK)
1574 # From: Joerg Jenderek
1575 # URL: https://kodi.wiki/view/TexturePacker
1576 # Reference: https://mirrors.kodi.tv/releases/source/17.3-Krypton.tar.gz
1577 # /xbmc-Krypton/xbmc/guilib/XBTF.h
1578 # /xbmc-Krypton/xbmc/guilib/XBTF.cpp
1580 # skip ASCII text by looking for terminating \0 of path
1581 >264 ubyte 0 XBMC texture package
1582 !:mime application/x-xbmc-xbt
1585 >>4 string !2 \b, version %-.1s
1586 # nofFiles /xbmc-Krypton/xbmc/guilib/XBTFReader.cpp
1587 >>5 ulelong x \b, %u file
1590 # path[CXBTFFile[MaximumPathLength=256]
1591 >>9 string x \b, 1st %s