1 #------------------------------------------------------------------------------
2 # $File: archive,v 1.103 2016/05/05 17:07:40 christos Exp $
3 # archive: file(1) magic for archive formats (see also "msdos" for self-
4 # extracting compressed archives)
6 # cpio, ar, arc, arj, hpack, lha/lharc, rar, squish, uc2, zip, zoo, etc.
7 # pre-POSIX "tar" archives are handled in the C code.
10 257 string ustar\0 POSIX tar archive
11 !:mime application/x-tar # encoding: posix
12 257 string ustar\040\040\0 GNU tar archive
13 !:mime application/x-tar # encoding: gnu
15 # Incremental snapshot gnu-tar format from:
16 # http://www.gnu.org/software/tar/manual/html_node/Snapshot-Files.html
17 0 string GNU\ tar- GNU tar incremental snapshot data
18 >&0 regex [0-9]\.[0-9]+-[0-9]+ version %s
22 # Yes, the top two "cpio archive" formats *are* supposed to just be "short".
23 # The idea is to indicate archives produced on machines with the same
24 # byte order as the machine running "file" with "cpio archive", and
25 # to indicate archives produced on machines with the opposite byte order
26 # from the machine running "file" with "byte-swapped cpio archive".
28 # The SVR4 "cpio(4)" hints that there are additional formats, but they
29 # are defined as "short"s; I think all the new formats are
30 # character-header formats and thus are strings, not numbers.
31 0 short 070707 cpio archive
32 !:mime application/x-cpio
33 0 short 0143561 byte-swapped cpio archive
34 !:mime application/x-cpio # encoding: swapped
35 0 string 070707 ASCII cpio archive (pre-SVR4 or odc)
36 0 string 070701 ASCII cpio archive (SVR4 with no CRC)
37 0 string 070702 ASCII cpio archive (SVR4 with CRC)
40 # Various archive formats used by various versions of the "ar"
45 # Original UNIX archive formats.
46 # They were written with binary values in host byte order, and
47 # the magic number was a host "int", which might have been 16 bits
48 # or 32 bits. We don't say "PDP-11" or "VAX", as there might have
49 # been ports to little-endian 16-bit-int or 32-bit-int platforms
50 # (x86?) using some of those formats; if none existed, feel free
51 # to use "PDP-11" for little-endian 16-bit and "VAX" for little-endian
52 # 32-bit. There might have been big-endian ports of that sort as
55 0 leshort 0177555 very old 16-bit-int little-endian archive
56 0 beshort 0177555 very old 16-bit-int big-endian archive
57 0 lelong 0177555 very old 32-bit-int little-endian archive
58 0 belong 0177555 very old 32-bit-int big-endian archive
60 0 leshort 0177545 old 16-bit-int little-endian archive
61 >2 string __.SYMDEF random library
62 0 beshort 0177545 old 16-bit-int big-endian archive
63 >2 string __.SYMDEF random library
64 0 lelong 0177545 old 32-bit-int little-endian archive
65 >4 string __.SYMDEF random library
66 0 belong 0177545 old 32-bit-int big-endian archive
67 >4 string __.SYMDEF random library
70 # From "pdp" (but why a 4-byte quantity?)
72 0 lelong 0x39bed PDP-11 old archive
73 0 lelong 0x39bee PDP-11 4.0 archive
76 # XXX - what flavor of APL used this, and was it a variant of
77 # some ar archive format? It's similar to, but not the same
78 # as, the APL workspace magic numbers in pdp.
80 0 long 0100554 apl workspace
83 # System V Release 1 portable(?) archive format.
85 0 string =<ar> System V Release 1 ar archive
86 !:mime application/x-archive
89 # Debian package; it's in the portable archive format, and needs to go
90 # before the entry for regular portable archives, as it's recognized as
91 # a portable archive whose first member has a name beginning with
94 0 string =!<arch>\ndebian
95 >8 string debian-split part of multipart Debian package
96 !:mime application/vnd.debian.binary-package
97 >8 string debian-binary Debian binary package
98 !:mime application/vnd.debian.binary-package
100 >68 string >\0 (format %s)
101 # These next two lines do not work, because a bzip2 Debian archive
102 # still uses gzip for the control.tar (first in the archive). Only
103 # data.tar varies, and the location of its filename varies too.
104 # file/libmagic does not current have support for ascii-string based
105 # (offsets) as of 2005-09-15.
106 #>81 string bz2 \b, uses bzip2 compression
107 #>84 string gz \b, uses gzip compression
108 #>136 ledate x created: %s
111 # MIPS archive; they're in the portable archive format, and need to go
112 # before the entry for regular portable archives, as it's recognized as
113 # a portable archive whose first member has a name beginning with
116 0 string =!<arch>\n__________E MIPS archive
117 !:mime application/x-archive
118 >20 string U with MIPS Ucode members
119 >21 string L with MIPSEL members
120 >21 string B with MIPSEB members
121 >19 string L and an EL hash table
122 >19 string B and an EB hash table
123 >22 string X -- out of date
125 0 search/1 -h- Software Tools format archive text
128 # BSD/SVR2-and-later portable archive formats.
130 0 string =!<arch> current ar archive
131 !:mime application/x-archive
132 >8 string __.SYMDEF random library
133 >68 string __.SYMDEF\ SORTED random library
136 # "Thin" archive, as can be produced by GNU ar.
138 0 string =!<thin>\n thin archive with
139 >68 belong 0 no symbol entries
140 >68 belong 1 %d symbol entry
141 >68 belong >1 %d symbol entries
143 # ARC archiver, from Daniel Quinlan (quinlan@yggdrasil.com)
145 # The first byte is the magic (0x1a), byte 2 is the compression type for
146 # the first file (0x01 through 0x09), and bytes 3 to 15 are the MS-DOS
147 # filename of the first file (null terminated). Since some types collide
148 # we only test some types on basis of frequency: 0x08 (83%), 0x09 (5%),
149 # 0x02 (5%), 0x03 (3%), 0x04 (2%), 0x06 (2%). 0x01 collides with terminfo.
150 0 lelong&0x8080ffff 0x0000081a ARC archive data, dynamic LZW
151 !:mime application/x-arc
152 0 lelong&0x8080ffff 0x0000091a ARC archive data, squashed
153 !:mime application/x-arc
154 0 lelong&0x8080ffff 0x0000021a ARC archive data, uncompressed
155 !:mime application/x-arc
156 0 lelong&0x8080ffff 0x0000031a ARC archive data, packed
157 !:mime application/x-arc
158 0 lelong&0x8080ffff 0x0000041a ARC archive data, squeezed
159 !:mime application/x-arc
160 0 lelong&0x8080ffff 0x0000061a ARC archive data, crunched
161 !:mime application/x-arc
162 # [JW] stuff taken from idarc, obviously ARC successors:
163 0 lelong&0x8080ffff 0x00000a1a PAK archive data
164 !:mime application/x-arc
165 0 lelong&0x8080ffff 0x0000141a ARC+ archive data
166 !:mime application/x-arc
167 0 lelong&0x8080ffff 0x0000481a HYP archive data
168 !:mime application/x-arc
170 # Acorn archive formats (Disaster prone simpleton, m91dps@ecs.ox.ac.uk)
171 # I can't create either SPARK or ArcFS archives so I have not tested this stuff
172 # [GRR: the original entries collide with ARC, above; replaced with combined
173 # version (not tested)]
174 #0 byte 0x1a RISC OS archive (spark format)
175 0 string \032archive RISC OS archive (ArcFS format)
176 0 string Archive\000 RISC OS archive (ArcFS format)
178 # All these were taken from idarc, many could not be verified. Unfortunately,
179 # there were many low-quality sigs, i.e. easy to trigger false positives.
180 # Please notify me of any real-world fishy/ambiguous signatures and I'll try
181 # to get my hands on the actual archiver and see if I find something better. [JW]
182 # probably many can be enhanced by finding some 0-byte or control char near the start
184 # idarc calls this Crush/Uncompressed... *shrug*
185 0 string CRUSH Crush archive data
187 0 string HLSQZ Squeeze It archive data
189 0 string SQWEZ SQWEZ archive data
191 0 string HPAK HPack archive data
193 0 string \x91\x33HF HAP archive data
195 0 string MDmd MDCD archive data
197 0 string LIM\x1a LIM archive data
199 3 string LH5 SAR archive data
201 0 string \212\3SB\020\0 BSArc/BS2 archive data
202 # Bethesda Softworks Archive (Oblivion)
203 0 string BSA\0 BSArc archive data
204 >4 lelong x version %d
206 2 string =-ah MAR archive data
208 #0 belong&0x00f800ff 0x00800000 ACB archive data
210 # TODO, this is what idarc says: 0 string \0\0\0 CPZ archive data
212 0 string JRchive JRC archive data
214 0 string DS\0 Quantum archive data
216 0 string PK\3\6 ReSOF archive data
218 0 string 7\4 QuArk archive data
220 14 string YC YAC archive data
222 0 string X1 X1 archive data
223 0 string XhDr X1 archive data
225 0 belong&0xffffe000 0x76ff2000 CDC Codec archive data
227 0 string \xad6" AMGC archive data
229 0 string N\xc3\xb5F\xc3\xa9lx\xc3\xa5 NuLIB archive data
231 0 string LEOLZW PAKLeo archive data
233 0 string SChF ChArc archive data
235 0 string PSA PSA archive data
237 0 string DSIGDCC CrossePAC archive data
239 0 string \x1f\x9f\x4a\x10\x0a Freeze archive data
241 0 string \xc2\xa8MP\xc2\xa8 KBoom archive data
242 # NSQ, must go after CDC Codec
243 0 string \x76\xff NSQ archive data
245 0 string Dirk\ Paehl DPA archive data
247 # TODO: idarc says "bytes 0-2 == bytes 3-5"
249 # URL: http://fileformats.archiveteam.org/wiki/TTComp_archive
250 # Update: Joerg Jenderek
251 # GRR: line below is too general as it matches also Panorama database "TCDB 2003-10 demo.pan", others
253 # look for first keyword of Panorama database *.pan
254 >12 search/261 DESIGN
255 # skip keyword with low entropy
256 >12 default x TTComp archive, binary, 4K dictionary
257 # (version 5.25) labeled the above entry as "TTComp archive data"
258 # ESP, could this conflict with Easy Software Products' (e.g.ESP ghostscript) documentation?
259 0 string ESP ESP archive data
261 0 string \1ZPK\1 ZPack archive data
263 0 string \xbc\x40 Sky archive data
265 0 string UFA UFA archive data
267 0 string =-H2O DRY archive data
269 0 string FOXSQZ FoxSQZ archive data
271 0 string ,AR7 AR7 archive data
273 0 string PPMZ PPMZ archive data
275 4 string \x88\xf0\x27 MS Compress archive data
276 # updated by Joerg Jenderek
279 >>>7 string \321\003 MS Compress archive data
280 >>>>14 ulong >0 \b, original size: %d bytes
282 >>>>>18 string x \b, was %.8s
283 >>>>>(10.b-4) string x \b.%.3s
284 # MP3 (archiver, not lossy audio compression)
285 0 string MP3\x1a MP3-Archiver archive data
287 0 string OZ\xc3\x9d ZET archive data
289 0 string \x65\x5d\x13\x8c\x08\x01\x03\x00 TSComp archive data
291 0 string gW\4\1 ARQ archive data
293 3 string OctSqu Squash archive data
295 0 string \5\1\1\0 Terse archive data
297 0 string \x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 PUCrunch archive data
299 0 string UHA UHarc archive data
301 0 string \2AB ABComp archive data
302 0 string \3AB2 ABComp archive data
304 0 string CO\0 CMP archive data
306 0 string \x93\xb9\x06 Splint archive data
308 0 string \x13\x5d\x65\x8c InstallShield Z archive Data
310 1 string GTH Gather archive data
312 0 string BOA BOA archive data
314 0 string ULEB\xa RAX archive data
316 0 string ULEB\0 Xtreme archive data
318 0 string @\xc3\xa2\1\0 Pack Magic archive data
320 0 belong&0xfeffffff 0x1a034465 BTS archive data
322 0 string Ora\ ELI 5750 archive data
324 0 string \x1aFC\x1a QFC archive data
325 0 string \x1aQF\x1a QFC archive data
327 0 string RNC PRO-PACK archive data
329 0 string 777 777 archive data
331 0 string sTaC LZS221 archive data
333 0 string HPA HPA archive data
335 0 string LG Arhangel archive data
337 0 string 0123456789012345BZh EXP1 archive data
339 0 string IMP\xa IMP archive data
341 0 string \x00\x9E\x6E\x72\x76\xFF NRV archive data
343 0 string \x73\xb2\x90\xf4 Squish archive data
345 0 string PHILIPP Par archive data
346 0 string PAR Par archive data
348 0 string UB HIT archive data
350 0 belong&0xfffff000 0x53423000 SBX archive data
352 0 string NSK NaShrink archive data
354 0 string #\ CAR\ archive\ header SAPCAR archive data
355 0 string CAR\ 2.00RG SAPCAR archive data
357 0 string DST Disintegrator archive data
359 0 string ASD ASD archive data
361 0 string ISc( InstallShield CAB
363 0 string T4\x1a TOP4 archive data
364 # BatComp left out: sig looks like COM executable
365 # so TODO: get real 4dos batcomp file and find sig
367 0 string BH\5\7 BlakHole archive data
369 0 string BIX0 BIX archive data
371 0 string ChfLZ ChiefLZA archive data
373 0 string Blink Blink archive data
375 0 string \xda\xfa Logitech Compress archive data
376 # ARS-Sfx (FIXME: really a SFX? then goto COM/EXE)
377 1 string (C)\ STEPANYUK ARS-Sfx archive data
379 0 string AKT32 AKT32 archive data
380 0 string AKT AKT archive data
382 0 string MSTSM NPack archive data
384 0 string \0\x50\0\x14 PFT archive data
386 0 string SEM SemOne archive data
388 0 string \x8f\xaf\xac\x84 PPMD archive data
390 0 string FIZ FIZ archive data
392 0 belong&0xfffff0f0 0x4d530000 MSXiE archive data
394 0 belong&0xfffffff0 0x797a3030 DeepFreezer archive data
396 0 string =<DC- DC archive data
398 0 string \4TPAC\3 TPac archive data
400 0 string Ai\1\1\0 Ai archive data
401 0 string Ai\1\0\0 Ai archive data
403 0 string Ai\2\0 Ai32 archive data
404 0 string Ai\2\1 Ai32 archive data
406 0 string SBC SBC archive data
408 0 string YBS Ybs archive data
410 0 string \x9e\0\0 DitPack archive data
412 0 string DMS! DMS archive data
414 0 string \x8f\xaf\xac\x8c EPC archive data
416 0 string VS\x1a VSARC archive data
418 0 string PDZ PDZ archive data
420 0 string rdqx ReDuq archive data
422 0 string GCAX GCA archive data
424 0 string pN PPMN archive data
426 3 string WINIMAGE WinImage archive data
428 0 string CMP0CMP Compressia archive data
430 0 string UHB UHBC archive data
432 0 string \x61\x5C\x04\x05 WinHKI archive data
434 0 string WWP WWPack archive data
436 0 string \xffBSG BSN archive data
437 1 string \xffBSG BSN archive data
438 3 string \xffBSG BSN archive data
439 1 string \0\xae\2 BSN archive data
440 1 string \0\xae\3 BSN archive data
441 1 string \0\xae\7 BSN archive data
443 0 string \x33\x18 AIN archive data
444 0 string \x33\x17 AIN archive data
445 # XPA32 test moved and merged with XPA by Joerg Jenderek at Sep 2015
446 # SZip (TODO: doesn't catch all versions)
447 0 string SZ\x0a\4 SZip archive data
449 # *.XDI updated by Joerg Jenderek Sep 2015
450 # ftp://ftp.sac.sk/pub/sac/pack/0index.txt
451 # GRR: this test is still too general as it catches also text files starting with jm
453 # only found examples with this additional characteristic 2 bytes
454 >2 string \x2\x4 Xpack DiskImage archive data
457 # *.xpa updated by Joerg Jenderek Sep 2015
458 # ftp://ftp.elf.stuba.sk/pub/pc/pack/
462 # ftp://ftp.elf.stuba.sk/pub/pc/pack/xpa32.zip
463 # created by XPA32.EXE version 1.0.2 for Windows
464 >0 string xpa\0\1 \b32 archive data
465 # created by XPACK.COM version 1.67m or 1.67r with short 0x1800
466 >3 ubeshort !0x0001 \bck archive data
468 # changed by Joerg Jenderek Sep 2015 back to like in version 5.12
469 # letter 'I'+ acute accent is equivalent to \xcd
470 0 string \xcd\ jm Xpack single archive data
471 #!:mime application/x-xpa-compressed
474 # TODO: missing due to unknown magic/magic at end of file:
484 # These were inspired by idarc, but actually verified
485 # Dzip archiver (.dz)
486 0 string DZ Dzip archive data
487 >2 byte x \b, version %i
489 # ZZip archiver (.zz)
490 0 string ZZ\ \0\0 ZZip archive data
491 0 string ZZ0 ZZip archive data
492 # PAQ archiver (.paq)
493 0 string \xaa\x40\x5f\x77\x1f\xe5\x82\x0d PAQ archive data
494 0 string PAQ PAQ archive data
497 # JAR archiver (.j), this is the successor to ARJ, not Java's JAR (which is essentially ZIP)
498 0xe string \x1aJar\x1b JAR (ARJ Software, Inc.) archive data
499 0 string JARCS JAR (ARJ Software, Inc.) archive data
501 # ARJ archiver (jason@jarthur.Claremont.EDU)
502 0 leshort 0xea60 ARJ archive data
503 !:mime application/x-arj
505 >8 byte &0x04 multi-volume,
506 >8 byte &0x10 slash-switched,
507 >8 byte &0x20 backup,
508 >34 string x original name: %s,
513 >7 byte 4 os: Macintosh
515 >7 byte 6 os: Apple ][ GS
516 >7 byte 7 os: Atari ST
518 >7 byte 9 os: VAX/VMS
520 # [JW] idarc says this is also possible
521 2 leshort 0xea60 ARJ archive data
523 # HA archiver (Greg Roelofs, newt@uchicago.edu)
524 # This is a really bad format. A file containing HAWAII will match this...
525 #0 string HA HA archive data,
526 #>2 leshort =1 1 file,
527 #>2 leshort >1 %hu files,
528 #>4 byte&0x0f =0 first is type CPY
529 #>4 byte&0x0f =1 first is type ASC
530 #>4 byte&0x0f =2 first is type HSC
531 #>4 byte&0x0f =0x0e first is type DIR
532 #>4 byte&0x0f =0x0f first is type SPECIAL
533 # suggestion: at least identify small archives (<1024 files)
534 0 belong&0xffff00fc 0x48410000 HA archive data
535 >2 leshort =1 1 file,
536 >2 leshort >1 %u files,
537 >4 byte&0x0f =0 first is type CPY
538 >4 byte&0x0f =1 first is type ASC
539 >4 byte&0x0f =2 first is type HSC
540 >4 byte&0x0f =0x0e first is type DIR
541 >4 byte&0x0f =0x0f first is type SPECIAL
543 # HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz)
544 0 string HPAK HPACK archive data
546 # JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net
547 0 string \351,\001JAM\ JAM archive,
548 >7 string >\0 version %.4s
550 >>0x2b string >\0 label %.11s,
551 >>0x27 lelong x serial %08x,
552 >>0x36 string >\0 fstype %.8s
554 # LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu)
555 # Update: Joerg Jenderek
556 # URL: https://en.wikipedia.org/wiki/LHA_(file_format)
557 # Reference: http://web.archive.org/web/20021005080911/http://www.osirusoft.com/joejared/lzhformat.html
559 # check and display information of lharc (LHa,PMarc) file
561 # check 1st character of method id like -lz4- -lh5- or -pm2-
563 # check 5th character of method id
565 # check header level 0 1 2 3
567 # check 2nd, 3th and 4th character of method id
568 >>>>3 regex \^(lh[0-9a-ex]|lz[s2-8]|pm[012]|pc1) \b
569 !:mime application/x-lzh-compressed
570 # creator type "LHA "
572 # display archive type name like "LHa/LZS archive data" or "LArc archive"
575 # already known -lzs- -lz4- -lz5- with old names
576 >>>>>>2 string -lzs LHa/LZS archive data
577 >>>>>>3 regex \^lz[45] LHarc 1.x archive data
578 # missing -lz?- with wikipedia names
579 >>>>>>3 regex \^lz[2378] LArc archive
580 # display archive type name like "LHa (2.x) archive data"
582 # already known -lh0- -lh1- -lh2- -lh3- -lh4- -lh5- -lh6- -lh7- -lhd- variants with old names
583 >>>>>>3 regex \^lh[01] LHarc 1.x/ARX archive data
584 # LHice archiver use ".ICE" as name extension instead usual one ".lzh"
585 # FOOBAR archiver use ".foo" as name extension instead usual one
586 # "Florain Orjanov's and Olga Bachetska's ARchiver" not found at the moment
587 >>>>>>>2 string -lh1 \b
589 >>>>>>3 regex \^lh[23d] LHa 2.x? archive data
590 >>>>>>3 regex \^lh[7] LHa (2.x)/LHark archive data
591 >>>>>>3 regex \^lh[456] LHa (2.x) archive data
592 >>>>>>>2 string -lh5 \b
593 # https://en.wikipedia.org/wiki/BIOS
594 # Some mainboard BIOS like Award use LHa compression. So archives with unusal extension are found like
595 # bios.rom , kd7_v14.bin, 1010.004, ...
596 !:ext lha/lzh/rom/bin
597 # missing -lh?- variants (Joe Jared)
598 >>>>>>3 regex \^lh[89a-ce] LHa (Joe Jared) archive
600 >>>>>>2 string -lhx LHa (UNLHA32) archive
601 # lha archives with standard file name extensions ".lha" ".lzh"
602 >>>>>>3 regex !\^(lh1|lh5) \b
604 # this should not happen if all -lh variants are described
605 >>>>>>2 default x LHa (unknown) archive
608 >>>>>3 regex \^pm[012] PMarc archive data
610 # append method id without leading and trailing minus character
611 >>>>>3 string x [%3.3s]
612 >>>>>>0 use lharc-header
614 # check and display information of lharc header
616 # header size 0x4 , 0x1b-0x61
618 # compressed data size != compressed file size
619 #>7 ulelong x \b, data size %d
620 # attribute: 0x2~?? 0x10~symlink|target 0x20~normal
621 #>19 ubyte x \b, 19_0x%x
622 # level identifier 0 1 2 3
623 #>20 ubyte x \b, level %d
625 #>15 ubelong x DATE 0x%8.8x
628 # 0x20 types find for *.rom files
629 >>(21.b+24) ubyte <0x21 \b, 0x%x OS
630 # ascii type like M for MSDOS
631 >>(21.b+24) ubyte >0x20 \b, '%c' OS
634 #>>23 ubyte x \b, OS ID 0x%x
635 >>23 ubyte <0x21 \b, 0x%x OS
636 >>23 ubyte >0x20 \b, '%c' OS
637 # filename only for level 0 and 1
640 >>21 ubyte >0 \b, with
644 #2 string -lh0- LHarc 1.x/ARX archive data [lh0]
645 #!:mime application/x-lharc
648 #2 string -lh1- LHarc 1.x/ARX archive data [lh1]
649 #!:mime application/x-lharc
652 # NEW -lz2- ... -lz8-
665 # [never seen any but the last; -lh4- reported in comp.compression:]
666 #2 string -lzs- LHa/LZS archive data [lzs]
669 # According to wikipedia and others such a version does not exist
670 #2 string -lh\40- LHa 2.x? archive data [lh ]
671 #2 string -lhd- LHa 2.x? archive data [lhd]
674 #2 string -lh2- LHa 2.x? archive data [lh2]
677 #2 string -lh3- LHa 2.x? archive data [lh3]
680 #2 string -lh4- LHa (2.x) archive data [lh4]
683 #2 string -lh5- LHa (2.x) archive data [lh5]
686 #2 string -lh6- LHa (2.x) archive data [lh6]
689 #2 string -lh7- LHa (2.x)/LHark archive data [lh7]
691 # !:mime application/x-lha
692 # >20 byte x - header level %d
694 # NEW -lh8- ... -lhe- , -lhx-
709 # taken from idarc [JW]
710 2 string -lZ PUT archive data
711 # already done by LHarc magics
712 # this should never happen if all sub types of LZS archive are identified
713 #2 string -lz LZS archive data
714 2 string -sw1- Swag archive data
716 0 name rar-file-header
720 >15 byte 0 \b, os: MS-DOS
721 >15 byte 1 \b, os: OS/2
722 >15 byte 2 \b, os: Win32
723 >15 byte 3 \b, os: Unix
724 >15 byte 4 \b, os: Mac OS
725 >15 byte 5 \b, os: BeOS
727 0 name rar-archive-header
728 >3 leshort&0x1ff >0 \b, flags:
729 >>3 leshort &0x01 ArchiveVolume
730 >>3 leshort &0x02 Commented
731 >>3 leshort &0x04 Locked
732 >>3 leshort &0x10 NewVolumeNaming
733 >>3 leshort &0x08 Solid
734 >>3 leshort &0x20 Authenticated
735 >>3 leshort &0x40 RecoveryRecordPresent
736 >>3 leshort &0x80 EncryptedBlockHeader
737 >>3 leshort &0x100 FirstVolume
739 # RAR (Roshal Archive) archive
740 0 string Rar!\x1a\7\0 RAR archive data
741 !:mime application/x-rar
745 >>(0xc.l+7) use rar-file-header
746 # subblock seems to share information with file header
748 >>(0xc.l+7) use rar-file-header
750 >>7 use rar-archive-header
752 0 string Rar!\x1a\7\1\0 RAR archive data, v5
753 !:mime application/x-rar
756 # Very old RAR archive
757 # http://jasonblanks.com/wp-includes/images/papers/KnowyourarchiveRAR.pdf
758 0 string RE\x7e\x5e RAR archive data (<v1.5)
759 !:mime application/x-rar
762 # SQUISH archiver (Greg Roelofs, newt@uchicago.edu)
763 0 string SQSH squished archive data (Acorn RISCOS)
765 # UC2 archiver (Greg Roelofs, newt@uchicago.edu)
766 # [JW] see exe section for self-extracting version
767 0 string UC2\x1a UC2 archive data
769 # PKZIP multi-volume archive
770 0 string PK\x07\x08PK\x03\x04 Zip multi-volume archive data, at least PKZIP v2.50 to extract
771 !:mime application/zip
774 # Zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)
775 0 string PK\005\006 Zip archive data (empty)
776 !:mime application/zip
780 # Specialised zip formats which start with a member named 'mimetype'
781 # (stored uncompressed, with no 'extra field') containing the file's MIME type.
782 # Check for have 8-byte name, 0-byte extra field, name "mimetype", and
783 # contents starting with "application/":
784 >26 string \x8\0\0\0mimetypeapplication/
786 # KOffice / OpenOffice & StarOffice / OpenDocument formats
787 # From: Abel Cheung <abel@oaka.org>
789 # KOffice (1.2 or above) formats
790 # (mimetype contains "application/vnd.kde.<SUBTYPE>")
791 >>50 string vnd.kde. KOffice (>=1.2)
792 >>>58 string karbon Karbon document
793 >>>58 string kchart KChart document
794 >>>58 string kformula KFormula document
795 >>>58 string kivio Kivio document
796 >>>58 string kontour Kontour document
797 >>>58 string kpresenter KPresenter document
798 >>>58 string kspread KSpread document
799 >>>58 string kword KWord document
801 # OpenOffice formats (for OpenOffice 1.x / StarOffice 6/7)
802 # (mimetype contains "application/vnd.sun.xml.<SUBTYPE>")
803 >>50 string vnd.sun.xml. OpenOffice.org 1.x
804 >>>62 string writer Writer
805 >>>>68 byte !0x2e document
806 >>>>68 string .template template
807 >>>>68 string .global global document
808 >>>62 string calc Calc
809 >>>>66 byte !0x2e spreadsheet
810 >>>>66 string .template template
811 >>>62 string draw Draw
812 >>>>66 byte !0x2e document
813 >>>>66 string .template template
814 >>>62 string impress Impress
815 >>>>69 byte !0x2e presentation
816 >>>>69 string .template template
817 >>>62 string math Math document
818 >>>62 string base Database file
820 # OpenDocument formats (for OpenOffice 2.x / StarOffice >= 8)
821 # http://lists.oasis-open.org/archives/office/200505/msg00006.html
822 # (mimetype contains "application/vnd.oasis.opendocument.<SUBTYPE>")
823 >>50 string vnd.oasis.opendocument. OpenDocument
825 >>>>77 byte !0x2d Text
826 !:mime application/vnd.oasis.opendocument.text
827 >>>>77 string -template Text Template
828 !:mime application/vnd.oasis.opendocument.text-template
829 >>>>77 string -web HTML Document Template
830 !:mime application/vnd.oasis.opendocument.text-web
831 >>>>77 string -master Master Document
832 !:mime application/vnd.oasis.opendocument.text-master
833 >>>73 string graphics
834 >>>>81 byte !0x2d Drawing
835 !:mime application/vnd.oasis.opendocument.graphics
836 >>>>81 string -template Template
837 !:mime application/vnd.oasis.opendocument.graphics-template
838 >>>73 string presentation
839 >>>>85 byte !0x2d Presentation
840 !:mime application/vnd.oasis.opendocument.presentation
841 >>>>85 string -template Template
842 !:mime application/vnd.oasis.opendocument.presentation-template
843 >>>73 string spreadsheet
844 >>>>84 byte !0x2d Spreadsheet
845 !:mime application/vnd.oasis.opendocument.spreadsheet
846 >>>>84 string -template Template
847 !:mime application/vnd.oasis.opendocument.spreadsheet-template
849 >>>>78 byte !0x2d Chart
850 !:mime application/vnd.oasis.opendocument.chart
851 >>>>78 string -template Template
852 !:mime application/vnd.oasis.opendocument.chart-template
854 >>>>80 byte !0x2d Formula
855 !:mime application/vnd.oasis.opendocument.formula
856 >>>>80 string -template Template
857 !:mime application/vnd.oasis.opendocument.formula-template
858 >>>73 string database Database
859 !:mime application/vnd.oasis.opendocument.database
861 >>>>78 byte !0x2d Image
862 !:mime application/vnd.oasis.opendocument.image
863 >>>>78 string -template Template
864 !:mime application/vnd.oasis.opendocument.image-template
866 # EPUB (OEBPS) books using OCF (OEBPS Container Format)
867 # http://www.idpf.org/ocf/ocf1.0/download/ocf10.htm, section 4.
868 # From: Ralf Brown <ralf.brown@gmail.com>
869 >>50 string epub+zip EPUB document
870 !:mime application/epub+zip
872 # Catch other ZIP-with-mimetype formats
873 # In a ZIP file, the bytes immediately after a member's contents are
874 # always "PK". The 2 regex rules here print the "mimetype" member's
875 # contents up to the first 'P'. Luckily, most MIME types don't contain
876 # any capital 'P's. This is a kludge.
877 # (mimetype contains "application/<OTHER>")
878 >>50 string !epub+zip
879 >>>50 string !vnd.oasis.opendocument.
880 >>>>50 string !vnd.sun.xml.
881 >>>>>50 string !vnd.kde.
882 >>>>>>38 regex [!-OQ-~]+ Zip data (MIME type "%s"?)
883 !:mime application/zip
884 # (mimetype contents other than "application/*")
885 >26 string \x8\0\0\0mimetype
886 >>38 string !application/
887 >>>38 regex [!-OQ-~]+ Zip data (MIME type "%s"?)
888 !:mime application/zip
891 >(26.s+30) leshort 0xcafe Java archive data (JAR)
892 !:mime application/java-archive
895 >(26.s+30) leshort !0xcafe
896 >>26 string !\x8\0\0\0mimetype
897 >>>30 string Payload/
898 >>>>38 search/64 .app/ iOS App
899 !:mime application/x-ios-app
902 # Generic zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)
903 # Next line excludes specialized formats:
904 >(26.s+30) leshort !0xcafe
905 >>26 string !\x8\0\0\0mimetype Zip archive data
906 !:mime application/zip
907 >>>4 byte 0x09 \b, at least v0.9 to extract
908 >>>4 byte 0x0a \b, at least v1.0 to extract
909 >>>4 byte 0x0b \b, at least v1.1 to extract
910 >>>4 byte 0x14 \b, at least v2.0 to extract
911 >>>4 byte 0x2d \b, at least v4.5 to extract
912 >>>0x161 string WINZIP \b, WinZIP self-extracting
915 # From Pierre Ducroquet <pinaraf@pinaraf.info>
916 0 string VCLMTF StarView MetaFile
917 >6 beshort x \b, version %d
918 >8 belong x \b, size %d
921 20 lelong 0xfdc4a7dc Zoo archive data
922 !:mime application/x-zoo
926 >32 byte >0 \b, modify: v%d
928 >42 lelong 0xfdc4a7dc \b,
929 >>70 byte >0 extract: v%d
933 10 string #\ This\ is\ a\ shell\ archive shell archive text
934 !:mime application/octet-stream
937 # LBR. NB: May conflict with the questionable
938 # "binary Computer Graphics Metafile" format.
940 0 string \0\ \ \ \ \ \ \ \ \ \ \ \0\0 LBR archive data
942 # PMA (CP/M derivative of LHA)
943 # Update: Joerg Jenderek
944 # URL: https://en.wikipedia.org/wiki/LHA_(file_format)
946 #2 string -pm0- PMarc archive data [pm0]
949 #2 string -pm1- PMarc archive data [pm1]
952 #2 string -pm2- PMarc archive data [pm2]
955 2 string -pms- PMarc SFX archive (CP/M, DOS)
956 #!:mime application/x-foobar-exec
958 5 string -pc1- PopCom compressed executable (CP/M)
959 #!:mime application/x-
962 # From Rafael Laboissiere <rafael@laboissiere.net>
963 # The Project Revision Control System (see
964 # http://prcs.sourceforge.net) generates a packaged project
965 # file which is recognized by the following entry:
966 0 leshort 0xeb81 PRCS packaged project
969 # by David Necas (Yeti) <yeti@physics.muni.cz>
970 #0 string MSCF\0\0\0\0 Microsoft cabinet file data,
973 # MPi: All CABs have version 1.3, so this is pointless.
974 # Better magic in debian-additions.
977 # by David Necas (Yeti) <yeti@physics.muni.cz>
978 4 string gtktalog\ GTKtalog catalog data,
979 >13 string 3 version 3
980 >>14 beshort 0x677a (gzipped)
981 >>14 beshort !0x677a (not gzipped)
982 >13 string >3 version %s
984 ############################################################################
985 # Parity archive reconstruction file, the 'par' file format now used on Usenet.
986 0 string PAR\0 PARity archive data
987 >48 leshort =0 - Index file
988 >48 leshort >0 - file number %d
990 # Felix von Leitner <felix-file@fefe.de>
991 0 string d8:announce BitTorrent file
992 !:mime application/x-bittorrent
993 # Durval Menezes, <jmgthbfile at durval dot com>
994 0 string d13:announce-list BitTorrent file
995 !:mime application/x-bittorrent
997 # Atari MSA archive - Teemu Hukkanen <tjhukkan@iki.fi>
998 0 beshort 0x0e0f Atari MSA archive data
999 >2 beshort x \b, %d sectors per track
1000 >4 beshort 0 \b, 1 sided
1001 >4 beshort 1 \b, 2 sided
1002 >6 beshort x \b, starting track: %d
1003 >8 beshort x \b, ending track: %d
1005 # Alternate ZIP string (amc@arwen.cs.berkeley.edu)
1006 0 string PK00PK\003\004 Zip archive data
1008 # ACE archive (from http://www.wotsit.org/download.asp?f=ace)
1009 # by Stefan `Sec` Zehl <sec@42.org>
1010 7 string **ACE** ACE archive data
1011 >15 byte >0 version %d
1012 >16 byte =0x00 \b, from MS-DOS
1013 >16 byte =0x01 \b, from OS/2
1014 >16 byte =0x02 \b, from Win/32
1015 >16 byte =0x03 \b, from Unix
1016 >16 byte =0x04 \b, from MacOS
1017 >16 byte =0x05 \b, from WinNT
1018 >16 byte =0x06 \b, from Primos
1019 >16 byte =0x07 \b, from AppleGS
1020 >16 byte =0x08 \b, from Atari
1021 >16 byte =0x09 \b, from Vax/VMS
1022 >16 byte =0x0A \b, from Amiga
1023 >16 byte =0x0B \b, from Next
1024 >14 byte x \b, version %d to extract
1025 >5 leshort &0x0080 \b, multiple volumes,
1026 >>17 byte x \b (part %d),
1027 >5 leshort &0x0002 \b, contains comment
1028 >5 leshort &0x0200 \b, sfx
1029 >5 leshort &0x0400 \b, small dictionary
1030 >5 leshort &0x0800 \b, multi-volume
1031 >5 leshort &0x1000 \b, contains AV-String
1032 >>30 string \x16*UNREGISTERED\x20VERSION* (unregistered)
1033 >5 leshort &0x2000 \b, with recovery record
1034 >5 leshort &0x4000 \b, locked
1035 >5 leshort &0x8000 \b, solid
1036 # Date in MS-DOS format (whatever that is)
1037 #>18 lelong x Created on
1039 # sfArk : compression program for Soundfonts (sf2) by Dirk Jagdmann
1041 0x1A string sfArk sfArk compressed Soundfont
1043 >>0x1 string >\0 Version %s
1044 >>0x2A string >\0 : %s
1046 # DR-DOS 7.03 Packed File *.??_
1047 0 string Packed\ File\ Personal NetWare Packed File
1048 >12 string x \b, was "%.12s"
1051 # From: Tilman Sauerbeck <tilman@code-monkey.de>
1052 0 belong 0x1ee7ff00 EET archive
1053 !:mime application/x-eet
1056 0 string RZIP rzip compressed data
1057 >4 byte x - version %d
1059 >6 belong x (%d bytes)
1061 # From: "Robert Dale" <robdale@gmail.com>
1062 0 belong 123 dar archive,
1063 >4 belong x label "%.8x
1065 >>>12 beshort x %.4x"
1066 >14 byte 0x54 end slice
1067 >14 beshort 0x4e4e multi-part
1068 >14 beshort 0x4e53 multi-part, with -S
1070 # Symbian installation files
1071 # http://www.thouky.co.uk/software/psifs/sis.html
1072 # http://developer.symbian.com/main/downloads/papers/SymbianOSv91/softwareinstallsis.pdf
1073 8 lelong 0x10000419 Symbian installation file
1074 !:mime application/vnd.symbian.install
1075 >4 lelong 0x1000006D (EPOC release 3/4/5)
1076 >4 lelong 0x10003A12 (EPOC release 6)
1077 0 lelong 0x10201A7A Symbian installation file (Symbian OS 9.x)
1078 !:mime x-epoc/x-sisx-app
1080 # From "Nelson A. de Oliveira" <naoliv@gmail.com>
1081 0 string MPQ\032 MoPaQ (MPQ) archive
1083 # From: "Nelson A. de Oliveira" <naoliv@gmail.com>
1085 0 string KGB_arch KGB Archiver file
1086 >10 string x with compression level %.1s
1088 # xar (eXtensible ARchiver) archive
1089 # xar archive format: http://code.google.com/p/xar/
1090 # From: "David Remahl" <dremahl@apple.com>
1091 0 string xar! xar archive
1092 !:mime application/x-xar
1093 #>4 beshort x header size %d
1094 >6 beshort x version %d,
1095 #>8 quad x compressed TOC: %d,
1096 #>16 quad x uncompressed TOC: %d,
1097 >24 belong 0 no checksum
1098 >24 belong 1 SHA-1 checksum
1099 >24 belong 2 MD5 checksum
1101 # Type: Parity Archive
1102 # From: Daniel van Eeden <daniel_e@dds.nl>
1103 0 string PAR2 Parity Archive Volume Set
1105 # Bacula volume format. (Volumes always start with a block header.)
1106 # URL: http://bacula.org/3.0.x-manuals/en/developers/developers/Block_Header.html
1107 # From: Adam Buchbinder <adam.buchbinder@gmail.com>
1108 12 string BB02 Bacula volume
1109 >20 bedate x \b, started %s
1111 # ePub is XHTML + XML inside a ZIP archive. The first member of the
1112 # archive must be an uncompressed file called 'mimetype' with contents
1113 # 'application/epub+zip'
1116 # From: "Michael Gorny" <mgorny@gentoo.org>
1117 # ZPAQ: http://mattmahoney.net/dc/zpaq.html
1118 0 string zPQ ZPAQ stream
1119 >3 byte x \b, level %d
1120 # From: Barry Carter <carter.barry@gmail.com>
1121 # http://encode.ru/threads/456-zpaq-updates/page32
1122 0 string 7kSt ZPAQ file
1124 # BBeB ebook, unencrypted (LRF format)
1125 # URL: http://www.sven.de/librie/Librie/LrfFormat
1126 # From: Adam Buchbinder <adam.buchbinder@gmail.com>
1127 0 string L\0R\0F\0\0\0 BBeB ebook data, unencrypted
1128 >8 beshort x \b, version %d
1129 >36 byte 1 \b, front-to-back
1130 >36 byte 16 \b, back-to-front
1131 >42 beshort x \b, (%dx,
1134 # Symantec GHOST image by Joerg Jenderek at May 2014
1135 # http://us.norton.com/ghost/
1136 # http://www.garykessler.net/library/file_sigs.html
1137 0 ubelong&0xFFFFf7f0 0xFEEF0100 Norton GHost image
1139 >2 ubyte&0x08 0x00 \b, first file
1140 # *.GHS or *.[0-9] with cns program option
1141 >2 ubyte&0x08 0x08 \b, split file
1142 # part of split index interesting for *.ghs
1144 # compression tag minus one equals numeric compression command line switch z[1-9]
1145 >3 ubyte 0 \b, no compression
1146 >3 ubyte 2 \b, fast compression (Z1)
1147 >3 ubyte 3 \b, medium compression (Z2)
1149 >>3 ubyte <11 \b, compression (Z%d-1)
1151 # ~ 30 byte password field only for *.gho
1152 >>12 ubequad !0 \b, password protected
1154 # 1~Image All, sector-by-sector only for *.gho
1155 >>>10 ubyte 1 \b, sector copy
1156 # 1~Image Boot track only for *.gho
1157 >>>43 ubyte 1 \b, boot track
1158 # 1~Image Disc only for *.gho implies Image Boot track and sector copy
1159 >>44 ubyte 1 \b, disc sector copy
1160 # optional image description only *.gho
1161 >>0xff string >\0 "%-.254s"
1162 # look for DOS sector end sequence
1163 >0xE08 search/7776 \x55\xAA
1164 >>&-512 indirect x \b; contains
1166 # Google Chrome extensions
1167 # https://developer.chrome.com/extensions/crx
1168 # https://developer.chrome.com/extensions/hosting
1169 0 string Cr24 Google Chrome extension
1170 !:mime application/x-chrome-extension
1171 >4 ulong x \b, version %u