#------------------------------------------------------------------------------
# $File: archive,v 1.145 2021/01/03 20:58:47 christos Exp $
# archive: file(1) magic for archive formats (see also "msdos" for self-
# extracting compressed archives)
#
# cpio, ar, arc, arj, hpack, lha/lharc, rar, squish, uc2, zip, zoo, etc.
# pre-POSIX "tar" archives are also handled in the C code ../../src/is_tar.c.

# POSIX tar archives
# URL: https://en.wikipedia.org/wiki/Tar_(computing)
# Reference: https://www.freebsd.org/cgi/man.cgi?query=tar&sektion=5&manpath=FreeBSD+8-current
# Entry test: the 8 bytes at offset 500 must be zero; the chain of masked
# byte tests below must then all pass before tar-file is called.
# !:strength /2 halves the strength of this entry.
# header mainly padded with nul bytes
500 quad 0
!:strength /2
# filename or extended attribute printable strings in range space null til umlaut ue
>0 ubeshort >0x1F00
>>0 ubeshort <0xFCFD
# last 4 header bytes often null but tar\0 in gtarfail2.tar gtarfail.tar-bad
# at https://sourceforge.net/projects/s-tar/files/testscripts/
>>>508 ubelong&0x8B9E8DFF 0
# nul, space or ascii digit 0-7 at start of mode
>>>>100 ubyte&0xC8 =0
>>>>>101 ubyte&0xC8 =0
# nul, space at end of check sum
>>>>>>155 ubyte&0xDF =0
# space or ascii digit 0 at start of check sum
>>>>>>>148 ubyte&0xEF =0x20
>>>>>>>>0 use tar-file
# minimal check and then display tar archive information which can also be
# embedded inside others like Android Backup, Clam AntiVirus database
# NOTE(review): every %s field printed by tar-file (name, mode, uid, gid,
# size, linkname, user, group, prefix, padding) is copied from the header of
# the file being inspected; the precision in each format (%-.60s, %-.7s, ...)
# caps how many bytes are printed. The checksum field is only shape-checked
# by the caller above, not recomputed, so the description is a report of
# header contents, not a validation of the archive.
0 name tar-file
>257 string !ustar
# header padded with nuls
>>257 ulong =0
# GNU tar version 1.29 with non pax format option without refusing
# creates misleading V7 header for Long path, Multi-volume, Volume type
>>>156 ubyte 0x4c GNU tar archive
!:mime application/x-gtar
!:ext tar/gtar
>>>156 ubyte 0x4d GNU tar archive
!:mime application/x-gtar
!:ext tar/gtar
>>>156 ubyte 0x56 GNU tar archive
!:mime application/x-gtar
!:ext tar/gtar
>>>156 default x tar archive (V7)
!:mime application/x-tar
!:ext tar
# other stuff in padding
# some implementations add new fields to the blank area at the end of the header record
# created for example by DOS TAR 3.20g 1994 Tim V.Shapore with -j option
>>257 ulong !0 tar archive (old)
!:mime application/x-tar
!:ext tar
# magic in newer, GNU, posix variants
>257 string =ustar
# 2 last char of magic and UStar version because string expression does not work
# 2 space characters followed by a null for GNU variant
>>261 ubelong =0x72202000 POSIX tar archive (GNU)
!:mime application/x-gtar
!:ext tar/gtar
# UStar version with ASCII "00"
>>261 ubelong 0x72003030 POSIX
# gLOBAL and ExTENSION type only found in POSIX.1-2001 format
>>>156 ubyte 0x67 \b.1-2001
>>>156 ubyte 0x78 \b.1-2001
>>>156 ubyte x tar archive
!:mime application/x-ustar
!:ext tar/ustar
# version with 2 binary nuls embedded in Android Backup like com.android.settings.ab
>>261 ubelong 0x72000000 tar archive (ustar)
!:mime application/x-ustar
!:ext tar/ustar
# ustar variant with a garbage version field; not seen so far
>>261 default x tar archive (unknown ustar)
!:mime application/x-ustar
!:ext tar/ustar
# type flag of 1st tar archive member
#>156 ubyte x \b, %c-type
>156 ubyte x
>>156 ubyte 0 \b, file
>>156 ubyte 0x30 \b, file
>>156 ubyte 0x31 \b, hard link
>>156 ubyte 0x32 \b, symlink
>>156 ubyte 0x33 \b, char device
>>156 ubyte 0x34 \b, block device
>>156 ubyte 0x35 \b, directory
>>156 ubyte 0x36 \b, fifo
>>156 ubyte 0x37 \b, reserved
>>156 ubyte 0x4c \b, long path
>>156 ubyte 0x4d \b, multi volume
>>156 ubyte 0x56 \b, volume
>>156 ubyte 0x67 \b, global
>>156 ubyte 0x78 \b, extension
# any other type flag is printed as the raw character
>>156 default x \b, type
>>>156 ubyte x '%c'
# name[100]
>0 string >\0 %-.60s
# mode mainly stored as an octal number in ASCII null or space terminated
>100 string >\0 \b, mode %-.7s
# user id mainly as octal numbers in ASCII null or space terminated
>108 string >\0 \b, uid %-.7s
# group id mainly as octal numbers in ASCII null or space terminated
>116 string >\0 \b, gid %-.7s
# size mainly as octal number in ASCII
>124 ubyte <0x38
>>124 string >\0 \b, size %-.12s
# coding indicated by setting the high-order bit of the leftmost byte
# (the 12 size bytes are then printed in hex, skipping bytes equal to 0xff)
>124 ubyte >0xEF \b, size 0x
>>124 ubyte !0xff \b%2.2x
>>125 ubyte !0xff \b%2.2x
>>126 ubyte !0xff \b%2.2x
>>127 ubyte !0xff \b%2.2x
>>128 ubyte !0xff \b%2.2x
>>129 ubyte !0xff \b%2.2x
>>130 ubyte !0xff \b%2.2x
>>131 ubyte !0xff \b%2.2x
>>132 ubyte !0xff \b%2.2x
>>133 ubyte !0xff \b%2.2x
>>134 ubyte !0xff \b%2.2x
>>135 ubyte !0xff \b%2.2x
# seconds since 0:0:0 1 jan 1970 UTC as octal number mainly in ASCII null or space terminated
>136 string >\0 \b, seconds %-.11s
# header checksum stored as an octal number in ASCII null or space terminated
#>148 string x \b, cksum %.7s
# linkname[100]
>157 string >\0 \b, linkname %-.40s
# additional fields for ustar
>257 string =ustar
# owner user name null terminated
>>265 string >\0 \b, user %-.32s
# group name null terminated
>>297 string >\0 \b, group %-.32s
# device major minor if not zero
>>329 ubequad&0xCFCFCFCFcFcFcFdf !0
>>>329 string x \b, devmaj %-.7s
>>337 ubequad&0xCFCFCFCFcFcFcFdf !0
>>>337 string x \b, devmin %-.7s
# prefix[155]
>>345 string >\0 \b, prefix %-.155s
# old non ustar/POSIX tar
>257 string !ustar
>>508 string =tar\0
# padding[255] in old star
>>>257 string >\0 \b, padding: %-.40s
>>508 default x
# padding[255] in old tar sometimes comment field
>>>257 string >\0 \b, comment: %-.40s

# Incremental snapshot gnu-tar format from:
# https://www.gnu.org/software/tar/manual/html_node/Snapshot-Files.html
0 string GNU\ tar- GNU tar incremental snapshot data
>&0 regex [0-9]\.[0-9]+-[0-9]+ version %s

# cpio archives
#
# Yes, the top two "cpio archive" formats *are* supposed to just be "short".
# The idea is to indicate archives produced on machines with the same
# byte order as the machine running "file" with "cpio archive", and
# to indicate archives produced on machines with the opposite byte order
# from the machine running "file" with "byte-swapped cpio archive".
#
# The SVR4 "cpio(4)" hints that there are additional formats, but they
# are defined as "short"s; I think all the new formats are
# character-header formats and thus are strings, not numbers.
# Binary header: 16-bit magic 070707 read in the byte order of the host
# running file(1); 0143561 is the same value with its two bytes swapped.
0 short 070707 cpio archive
!:mime application/x-cpio
0 short 0143561 byte-swapped cpio archive
!:mime application/x-cpio # encoding: swapped
# Character headers: the magic is the six ASCII digits themselves.
0 string 070707 ASCII cpio archive (pre-SVR4 or odc)
0 string 070701 ASCII cpio archive (SVR4 with no CRC)
0 string 070702 ASCII cpio archive (SVR4 with CRC)

#
# Various archive formats used by various versions of the "ar"
# command.
#

#
# Original UNIX archive formats.
# They were written with binary values in host byte order, and
# the magic number was a host "int", which might have been 16 bits
# or 32 bits. We don't say "PDP-11" or "VAX", as there might have
# been ports to little-endian 16-bit-int or 32-bit-int platforms
# (x86?) using some of those formats; if none existed, feel free
# to use "PDP-11" for little-endian 16-bit and "VAX" for little-endian
# 32-bit. There might have been big-endian ports of that sort as
# well.
#
# Magic 0177555, tried as a 16-bit and a 32-bit integer in both byte orders.
0 leshort 0177555 very old 16-bit-int little-endian archive
0 beshort 0177555 very old 16-bit-int big-endian archive
0 lelong 0177555 very old 32-bit-int little-endian archive
0 belong 0177555 very old 32-bit-int big-endian archive

# Magic 0177545, same four encodings; a first member named __.SYMDEF
# (directly after the magic, so at offset 2 or 4) marks a random library.
0 leshort 0177545 old 16-bit-int little-endian archive
>2 string __.SYMDEF random library
0 beshort 0177545 old 16-bit-int big-endian archive
>2 string __.SYMDEF random library
0 lelong 0177545 old 32-bit-int little-endian archive
>4 string __.SYMDEF random library
0 belong 0177545 old 32-bit-int big-endian archive
>4 string __.SYMDEF random library

#
# From "pdp" (but why a 4-byte quantity?)
#
0 lelong 0x39bed PDP-11 old archive
0 lelong 0x39bee PDP-11 4.0 archive

#
# XXX - what flavor of APL used this, and was it a variant of
# some ar archive format? It's similar to, but not the same
# as, the APL workspace magic numbers in pdp.
#
0 long 0100554 apl workspace

#
# System V Release 1 portable(?) archive format.
#
0 string =<ar> System V Release 1 ar archive
!:mime application/x-archive

#
# Debian package; it's in the portable archive format, and needs to go
# before the entry for regular portable archives, as it's recognized as
# a portable archive whose first member has a name beginning with
# "debian".
#
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/Deb_(file_format)
0 string =!<arch>\ndebian
# https://manpages.debian.org/testing/dpkg/dpkg-split.1.en.html
>14 string -split part of multipart Debian package
!:mime application/vnd.debian.binary-package
# udeb is used for stripped down deb file
!:ext deb/udeb
>14 string -binary Debian binary package
!:mime application/vnd.debian.binary-package
# For ipk packager see also https://en.wikipedia.org/wiki/Opkg
!:ext deb/udeb/ipk
# This should not happen
>14 default x Unknown Debian package
# NL terminated version; for most Debian cases this is 2.0 or 2.1 for split
>68 string >\0 (format %s)
#>68 string !2.0\n
#>>68 string x (format %.3s)
>68 string =2.0\n
# 2nd archive name=control archive name like control.tar.gz or control.tar.xz
>>72 string >\0 \b, with %.14s
# look for 3rd archive name=data archive name like data.tar.{gz,xz,bz2,lzma}
# (search/0x93e4f: scan up to 0x93e4f bytes from offset 0 for "data.tar.")
>>0 search/0x93e4f data.tar. \b, data compression
# the above line only works if FILE_BYTES_MAX in ../../src/file.h is raised
# for example like libreoffice-dev-doc_1%3a5.2.7-1+rpi1+deb9u3_all.deb
# NOTE(review): when the data member lies beyond the bytes file(1) reads,
# this branch prints nothing, so a missing "data compression" field does not
# show that the member is absent.
>>>&0 string x %.2s
# skip space (0x20 BSD) and slash (0x2f System V) character marking end of name
>>>&2 ubyte !0x20
>>>>&-1 ubyte !0x2f
# display 3rd character of file name extension like 2 of bz2 or m of lzma
>>>>>&-1 ubyte x \b%c
>>>>>>&0 ubyte !0x20
>>>>>>>&-1 ubyte !0x2f
# display 4th character of file name extension like a of lzma
>>>>>>>>&-1 ubyte x \b%c
# split debian package case
>68 string =2.1\n
# dpkg-1.18.25/dpkg-split/info.c
# NOTE(review): the fields below are printed with unbounded %s exactly as
# stored in the part header; the MD5 value is echoed, not verified, by
# these rules.
# NL terminated ASCII package name like ckermit
>>&0 string x \b, %s
# NL terminated package version like 302-5.3
>>>&1 string x %s
# NL terminated MD5 checksum
>>>>&1 string x \b, MD5 %s
# NL terminated original package length
>>>>>&1 string x \b, unsplitted size %s
# NL terminated part length
>>>>>>&1 string x \b, part length %s
# NL terminated package part like n/m
>>>>>>>&1 string x \b, part %s
# NL terminated package architecture like armhf since dpkg 1.16.1 or later
>>>>>>>>&1 string x \b, %s

#
# MIPS archive; they're in the portable archive format, and need to go
# before the entry for regular portable archives, as it's recognized as
# a portable archive whose first member has a name beginning with
# "__________E".
#
0 string =!<arch>\n__________E MIPS archive
!:mime application/x-archive
>20 string U with MIPS Ucode members
>21 string L with MIPSEL members
>21 string B with MIPSEB members
>19 string L and an EL hash table
>19 string B and an EB hash table
>22 string X -- out of date

#
# BSD/SVR2-and-later portable archive formats.
#
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/AR
# Reference: https://www.unix.com/man-page/opensolaris/3HEAD/ar.h/
# Note: Mach-O universal binary in ./cafebabe is dependent
# TODO: unify current ar archive, MIPS archive, Debian package
# distinguish BSD, SVR; 32, 64 bit; HP from other 32-bit SVR;
# *.ar packages from *.a libraries. handle empty archive
0 string =!<arch>\n current ar archive
# print first and possibly second ar_name[16] for debugging purpose
#>8 string x \b, 1st "%.16s"
#>68 string x \b, 2nd "%.16s"
!:mime application/x-archive
# a in most cases for libraries; lib for Microsoft libraries; ar otherwise
!:ext a/lib/ar
>8 string __.SYMDEF random library
# first member with long marked name __.SYMDEF SORTED implies BSD library
>68 string __.SYMDEF\ SORTED random library
# Reference: https://parisc.wiki.kernel.org/images-parisc/b/b2/Rad_11_0_32.pdf
# "archive file" entry moved from ./hp
# LST header system_id 0210h~PA-RISC 1.1,... identifies the target architecture
# LST header a_magic 0619h~relocatable library
>68 belong 0x020b0619 - PA-RISC1.0 relocatable library
>68 belong 0x02100619 - PA-RISC1.1 relocatable library
>68 belong 0x02110619 - PA-RISC1.2 relocatable library
>68 belong 0x02140619 - PA-RISC2.0 relocatable library
#EOF for common ar archives

#
# "Thin" archive, as can be produced by GNU ar.
#
0 string =!<thin>\n thin archive with
>68 belong 0 no symbol entries
>68 belong 1 %d symbol entry
>68 belong >1 %d symbol entries

0 search/1 -h- Software Tools format archive text

# ARC archiver, from Daniel Quinlan (quinlan@yggdrasil.com)
#
# The first byte is the magic (0x1a), byte 2 is the compression type for
# the first file (0x01 through 0x09), and bytes 3 to 15 are the MS-DOS
# filename of the first file (null terminated). Since some types collide
# we only test some types on basis of frequency: 0x08 (83%), 0x09 (5%),
# 0x02 (5%), 0x03 (3%), 0x04 (2%), 0x06 (2%). 0x01 collides with terminfo.
0 lelong&0x8080ffff 0x0000081a ARC archive data, dynamic LZW
!:mime application/x-arc
0 lelong&0x8080ffff 0x0000091a ARC archive data, squashed
!:mime application/x-arc
0 lelong&0x8080ffff 0x0000021a ARC archive data, uncompressed
!:mime application/x-arc
0 lelong&0x8080ffff 0x0000031a ARC archive data, packed
!:mime application/x-arc
0 lelong&0x8080ffff 0x0000041a ARC archive data, squeezed
!:mime application/x-arc
0 lelong&0x8080ffff 0x0000061a ARC archive data, crunched
!:mime application/x-arc
# [JW] stuff taken from idarc, obviously ARC successors:
0 lelong&0x8080ffff 0x00000a1a PAK archive data
!:mime application/x-arc
0 lelong&0x8080ffff 0x0000141a ARC+ archive data
!:mime application/x-arc
0 lelong&0x8080ffff 0x0000481a HYP archive data
!:mime application/x-arc

# Acorn archive formats (Disaster prone simpleton, m91dps@ecs.ox.ac.uk)
# I can't create either SPARK or ArcFS archives so I have not tested this stuff
# [GRR: the original entries collide with ARC, above; replaced with combined
# version (not tested)]
#0 byte 0x1a RISC OS archive (spark format)
0 string \032archive RISC OS archive (ArcFS format)
0 string Archive\000 RISC OS archive (ArcFS format)

# All these were taken from idarc, many could not be verified. Unfortunately,
# there were many low-quality sigs, i.e. easy to trigger false positives.
# Please notify me of any real-world fishy/ambiguous signatures and I'll try
# to get my hands on the actual archiver and see if I find something better. [JW]
# probably many can be enhanced by finding some 0-byte or control char near the start
# NOTE(review): several tests in this list are two- or three-byte printable
# strings at a fixed offset (for example "X1", "YC", "PSA"). A match is a
# hint about the format, not proof of it, and should not be the only input
# to an allow/deny decision on a file.

# idarc calls this Crush/Uncompressed... *shrug*
0 string CRUSH Crush archive data
# Squeeze It (.sqz)
0 string HLSQZ Squeeze It archive data
# SQWEZ
0 string SQWEZ SQWEZ archive data
# HPack (.hpk)
0 string HPAK HPack archive data
# HAP
0 string \x91\x33HF HAP archive data
# MD/MDCD
0 string MDmd MDCD archive data
# LIM
0 string LIM\x1a LIM archive data
# SAR
3 string LH5 SAR archive data
# BSArc/BS2
0 string \212\3SB\020\0 BSArc/BS2 archive data
# Bethesda Softworks Archive (Oblivion)
0 string BSA\0 BSArc archive data
>4 lelong x version %d
# MAR
2 string =-ah MAR archive data
# ACB
#0 belong&0x00f800ff 0x00800000 ACB archive data
# CPZ
# TODO, this is what idarc says: 0 string \0\0\0 CPZ archive data
# JRC
0 string JRchive JRC archive data
# Quantum
0 string DS\0 Quantum archive data
# ReSOF
0 string PK\3\6 ReSOF archive data
# QuArk
0 string 7\4 QuArk archive data
# YAC
14 string YC YAC archive data
# X1
0 string X1 X1 archive data
0 string XhDr X1 archive data
# CDC Codec (.dqt)
0 belong&0xffffe000 0x76ff2000 CDC Codec archive data
# AMGC
0 string \xad6" AMGC archive data
# NuLIB
0 string N\xc3\xb5F\xc3\xa9lx\xc3\xa5 NuLIB archive data
# PakLeo
0 string LEOLZW PAKLeo archive data
# ChArc
0 string SChF ChArc archive data
# PSA
0 string PSA PSA archive data
# CrossePAC
0 string DSIGDCC CrossePAC archive data
# Freeze
0 string \x1f\x9f\x4a\x10\x0a Freeze archive data
# KBoom
0 string \xc2\xa8MP\xc2\xa8 KBoom archive data
# NSQ, must go after CDC Codec
0 string \x76\xff NSQ archive data
# DPA
0 string Dirk\ Paehl DPA archive data
# BA
# TODO: idarc says "bytes 0-2 == bytes 3-5"
# TTComp
# URL: http://fileformats.archiveteam.org/wiki/TTComp_archive
# Update: Joerg Jenderek
# GRR: line below is too general as it matches also Panorama database "TCDB 2003-10 demo.pan", others
0 string \0\6
# look for first keyword of Panorama database *.pan
# (a hit here prints nothing; the default branch below names the format
# only when the keyword is not found)
>12 search/261 DESIGN
# skip keyword with low entropy
>12 default x TTComp archive, binary, 4K dictionary
# (version 5.25) labeled the above entry as "TTComp archive data"
# From: Joerg Jenderek
# URL: https://wiki.68kmla.org/DiskCopy_4.2_format_specification
# reference: http://nulib.com/library/FTN.e00005.htm
0x52 ubeshort 0x0100
# test for disk image size equal or above 400k
>0x40 ubelong >409599
# test also for disk image size equal or below 1440k to skip
# windows7en.mbr UNICODE.DAT
>>0x40 ubelong <1474561
# To skip Flags$StringJoiner.class with size 00106A61h test also for only 4 disk image sizes
# 00064000 for 400k GCR disks
# 000c8000 for 800k GCR disks
# 000b4000 for 720k MFM disks
# 00168000 for 1440k MFM disks
# NOTE(review): the mask 0xffE03fFF only requires every bit outside bits
# 14-20 to be zero, so any size within the range above that is a multiple of
# 0x4000 passes, not just the four sizes listed.
>>>0x40 ubelong&0xffE03fFF 0
>>>>0 use dc42-floppy
# display information of Apple DiskCopy 4.2 floppy image
0 name dc42-floppy
# image pascal name padded with NULs like Microsoft Mail
>00 pstring/B x Apple DiskCopy 4.2 image %s
#!:mime application/octet-stream
!:mime application/x-dc42-floppy-image
!:apple dCpydImg
!:ext image/dc42
# data size in bytes like 409600
>0x40 ubelong x \b, %u bytes
# for debugging purpose size in hexadecimal
#>0x40 ubelong x (0x%8.8x)
# tag size in bytes
>0x44 ubelong >0 \b, 0x%x tag size
# data checksum
#>0x48 ubelong x \b, 0x%x checksum
# tag checksum
#>0x4c ubelong x \b, 0x%x tag checksum
# disk encoding
>0x50 ubyte 0 \b, GCR CLV ssdd (400k)
>0x50 ubyte 1 \b, GCR CLV dsdd (800k)
>0x50 ubyte 2 \b, MFM CAV dsdd (720k)
>0x50 ubyte 3 \b, MFM CAV dshd (1440k)
>0x50 ubyte >3 \b, 0x%x encoding
# format byte
>0x51 ubyte x \b, 0x%x format
#>0x54 ubequad x \b, data 0x%16.16llx
# ESP, could this conflict with Easy Software Products' (e.g.ESP ghostscript) documentation?
0 string ESP ESP archive data
# ZPack
0 string \1ZPK\1 ZPack archive data
# Sky
0 string \xbc\x40 Sky archive data
# UFA
0 string UFA UFA archive data
# Dry
0 string =-H2O DRY archive data
# FoxSQZ
0 string FOXSQZ FoxSQZ archive data
# AR7
0 string ,AR7 AR7 archive data
# PPMZ
0 string PPMZ PPMZ archive data
# MS Compress
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/MS-DOS_installation_compression
# Reference: https://hwiegman.home.xs4all.nl/fileformats/compress/szdd_kwaj_format.html
# Note: use correct version of extracting tool like EXPAND, UNPACK, DECOMP or 7Z
4 string \x88\xf0\x27
# KWAJ variant
>0 string KWAJ MS Compress archive data, KWAJ variant
!:mime application/x-ms-compress-kwaj
# extension not working in version 5.32
# magic/Magdir/archive, 284: Warning: EXTENSION type ` ??_' has bad char '?'
# file: line 284: Bad magic entry ' ??_'
!:ext ??_
# compression method (0-4)
>>8 uleshort x \b, %u method
# offset of compressed data
>>10 uleshort x \b, 0x%x offset
#>>(10.s) uleshort x
#>>>&-6 string x \b, TEST extension %-.3s
# header flags to mark header extensions
>>12 uleshort >0 \b, 0x%x flags
# 4 bytes: decompressed length of file
>>12 uleshort &0x01
>>>14 ulelong x \b, original size: %u bytes
# 2 bytes: unknown purpose
# 2 bytes: length of unknown data + mentioned bytes
# 1-9 bytes: null-terminated file name
# 1-4 bytes: null-terminated file extension
# The tree below runs only when flag 0x08 is set. It branches on flags 0x01,
# 0x02, 0x04 and 0x10 to pick the offset of the stored name (14, 16, 18 or
# 20, or an indirect offset); the 0x10 branches also print an extension.
# In the (N.s) forms the offset is a 16-bit value read from the file itself.
>>12 uleshort &0x08
>>>12 uleshort ^0x01
>>>>12 uleshort ^0x02
>>>>>12 uleshort ^0x04
>>>>>>12 uleshort ^0x10
>>>>>>>14 string x \b, %-.8s
>>>>>>12 uleshort &0x10
>>>>>>>14 string x \b, %-.8s
>>>>>>>>&1 string x \b.%-.3s
>>>>>12 uleshort &0x04
>>>>>>12 uleshort ^0x10
>>>>>>>(14.s) uleshort x
>>>>>>>>&14 string x \b, %-.8s
>>>>>>12 uleshort &0x10
>>>>>>>(14.s) uleshort x
>>>>>>>>&14 string x \b, %-.8s
>>>>>>>>>&1 string x \b.%-.3s
>>>>12 uleshort &0x02
>>>>>12 uleshort ^0x04
>>>>>>12 uleshort ^0x10
>>>>>>>16 string x \b, %-.8s
>>>>>>12 uleshort &0x10
>>>>>>>16 string x \b, %-.8s
>>>>>>>>&1 string x \b.%-.3s
>>>>>12 uleshort &0x04
>>>>>>12 uleshort ^0x10
>>>>>>>(16.s) uleshort x
>>>>>>>>&16 string x \b, %-.8s
>>>>>>12 uleshort &0x10
>>>>>>>(16.s) uleshort x
# NOTE(review): the next line is one continuation level shallower than the
# parallel (14.s), (18.s) and (20.s) branches and lacks their "\b, " prefix,
# so its relative offset is not taken from the indirect test above. This
# looks like a slip; confirm before relying on the name printed for this
# flag combination.
>>>>>>>&16 string x %-.8s
>>>>>>>>&1 string x \b.%-.3s
>>>12 uleshort &0x01
>>>>12 uleshort ^0x02
>>>>>12 uleshort ^0x04
>>>>>>12 uleshort ^0x10
>>>>>>>18 string x \b, %-.8s
>>>>>>12 uleshort &0x10
>>>>>>>18 string x \b, %-.8s
>>>>>>>>&1 string x \b.%-.3s
>>>>>12 uleshort &0x04
>>>>>>12 uleshort ^0x10
>>>>>>>(18.s) uleshort x
>>>>>>>>&18 string x \b, %-.8s
>>>>>>12 uleshort &0x10
>>>>>>>(18.s) uleshort x
>>>>>>>>&18 string x \b, %-.8s
>>>>>>>>>&1 string x \b.%-.3s
>>>>12 uleshort &0x02
>>>>>12 uleshort ^0x04
>>>>>>12 uleshort ^0x10
>>>>>>>20 string x \b, %-.8s
>>>>>>12 uleshort &0x10
>>>>>>>20 string x \b, %-.8s
>>>>>>>>&1 string x \b.%-.3s
>>>>>12 uleshort &0x04
>>>>>>12 uleshort ^0x10
>>>>>>>(20.s) uleshort x
>>>>>>>>&20 string x \b, %-.8s
>>>>>>12 uleshort &0x10
>>>>>>>(20.s) uleshort x
>>>>>>>>&20 string x \b, %-.8s
>>>>>>>>>&1 string x \b.%-.3s
# 2 bytes: length of data + mentioned bytes
#
# SZDD variant Haruhiko Okumura's LZSS or 7z type MsLZ
>0 string SZDD MS Compress archive data, SZDD variant
!:mime application/x-ms-compress-szdd
!:ext ??_
# The character missing from the end of the filename (0=unknown)
>>9 string >\0 \b, %-.1s is last character of original name
# https://www.betaarchive.com/forum/viewtopic.php?t=26161
# Compression mode: "A" (0x41) found but sometimes "B" in Windows 3.1 builds 026 and 034e
>>8 string !A \b, %-.1s method
>>10 ulelong >0 \b, original size: %u bytes
# QBasic SZDD variant
3 string \x88\xf0\x27
>0 string SZ\x20 MS Compress archive data, QBasic variant
!:mime application/x-ms-compress-sz
!:ext ??$
>>8 ulelong >0 \b, original size: %u bytes

# MP3 (archiver, not lossy audio compression)
0 string MP3\x1a MP3-Archiver archive data
# ZET
0 string OZ\xc3\x9d ZET archive data
# TSComp
0 string \x65\x5d\x13\x8c\x08\x01\x03\x00 TSComp archive data
# ARQ
0 string gW\4\1 ARQ archive data
# Squash
3 string OctSqu Squash archive data
# Terse
0 string \5\1\1\0 Terse archive data
# PUCrunch
0 string \x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 PUCrunch archive data
# UHarc
0 string UHA UHarc archive data
# ABComp
0 string \2AB ABComp archive data
0 string \3AB2 ABComp archive data
# CMP
0 string CO\0 CMP archive data
# Splint
0 string \x93\xb9\x06 Splint archive data
# InstallShield
0 string \x13\x5d\x65\x8c InstallShield Z archive Data
# Gather
1 string GTH Gather archive data
# BOA
0 string BOA BOA archive data
# RAX
0 string ULEB\xa RAX archive data
# Xtreme
0 string ULEB\0 Xtreme archive data
# Pack Magic
0 string @\xc3\xa2\1\0 Pack Magic archive data
# BTS
0 belong&0xfeffffff 0x1a034465 BTS archive data
# ELI 5750
# NOTE(review): in this listing the escaped space is followed directly by
# the description, which would make the test string "Ora ELI"; whitespace
# after "Ora\ " appears to have been collapsed. Confirm against the upstream
# file.
0 string Ora\ ELI 5750 archive data
# QFC
0 string \x1aFC\x1a QFC archive data
0 string \x1aQF\x1a QFC archive data
# PRO-PACK
0 string RNC PRO-PACK archive data
# 777
0 string 777 777 archive data
# LZS221
0 string sTaC LZS221 archive data
# HPA
0 string HPA HPA archive data
# Arhangel
# NOTE(review): a two-letter printable test at offset 0 ("LG" here, "UB" for
# HIT below) matches any file that starts with those characters; treat the
# result as a hint only.
0 string LG Arhangel archive data
# EXP1, uses bzip2
0 string 0123456789012345BZh EXP1 archive data
# IMP
0 string IMP\xa IMP archive data
# NRV
0 string \x00\x9E\x6E\x72\x76\xFF NRV archive data
# Squish
0 string \x73\xb2\x90\xf4 Squish archive data
# Par
0 string PHILIPP Par archive data
0 string PAR Par archive data
# HIT
0 string UB HIT archive data
# SBX
0 belong&0xfffff000 0x53423000 SBX archive data
# NaShrink
0 string NSK NaShrink archive data
# SAPCAR
0 string #\ CAR\ archive\ header SAPCAR archive data
0 string CAR\ 2.00RG SAPCAR archive data
# Disintegrator
0 string DST Disintegrator archive data
# ASD
0 string ASD ASD archive data
# InstallShield CAB
0 string ISc( InstallShield CAB
# TOP4
0 string T4\x1a TOP4 archive data
# BatComp left out: sig looks like COM executable
# so TODO: get real 4dos batcomp file and find sig
# BlakHole
0 string BH\5\7 BlakHole archive data
# BIX
0 string BIX0 BIX archive data
# ChiefLZA
0 string ChfLZ ChiefLZA archive data
# Blink
0 string Blink Blink archive data
# Logitech Compress
0 string \xda\xfa Logitech Compress archive data
# ARS-Sfx (FIXME: really a SFX? then goto COM/EXE)
1 string (C)\ STEPANYUK ARS-Sfx archive data
# AKT/AKT32
0 string AKT32 AKT32 archive data
0 string AKT AKT archive data
# NPack
0 string MSTSM NPack archive data
# PFT
0 string \0\x50\0\x14 PFT archive data
# SemOne
0 string SEM SemOne archive data
# PPMD
0 string \x8f\xaf\xac\x84 PPMD archive data
# FIZ
0 string FIZ FIZ archive data
# MSXiE
0 belong&0xfffff0f0 0x4d530000 MSXiE archive data
# DeepFreezer
0 belong&0xfffffff0 0x797a3030 DeepFreezer archive data
# DC
0 string =<DC- DC archive data
# TPac
0 string \4TPAC\3 TPac archive data
# Ai
0 string Ai\1\1\0 Ai archive data
0 string Ai\1\0\0 Ai archive data
# Ai32
0 string Ai\2\0 Ai32 archive data
0 string Ai\2\1 Ai32 archive data
# SBC
0 string SBC SBC archive data
# Ybs
0 string YBS Ybs archive data
# DitPack
0 string \x9e\0\0 DitPack archive data
# DMS
0 string DMS! DMS archive data
# EPC
0 string \x8f\xaf\xac\x8c EPC archive data
# VSARC
0 string VS\x1a VSARC archive data
# PDZ
0 string PDZ PDZ archive data
# ReDuq
0 string rdqx ReDuq archive data
# GCA
0 string GCAX GCA archive data
# PPMN
# NOTE(review): two printable bytes at offset 0 are the whole test; any file
# that begins with "pN" is reported as PPMN, so treat the result as a hint
# only.
0 string pN PPMN archive data
# WinImage
3 string WINIMAGE WinImage archive data
# Compressia
0 string CMP0CMP Compressia archive data
# UHBC
0 string UHB UHBC archive data
# WinHKI
0 string \x61\x5C\x04\x05 WinHKI archive data
# WWPack data file
0 string WWP WWPack archive data
# BSN (BSA, PTS-DOS)
0 string \xffBSG BSN archive data
1 string \xffBSG BSN archive data
3 string \xffBSG BSN archive data
1 string \0\xae\2 BSN archive data
1 string \0\xae\3 BSN archive data
1 string \0\xae\7 BSN archive data
# AIN
0 string \x33\x18 AIN archive data
0 string \x33\x17 AIN archive data
# XPA32 test moved and merged with XPA by Joerg Jenderek at Sep 2015
# SZip (TODO: doesn't catch all versions)
0 string SZ\x0a\4 SZip archive data
# XPack DiskImage
# *.XDI updated by Joerg Jenderek Sep 2015
# ftp://ftp.sac.sk/pub/sac/pack/0index.txt
# GRR: this test is still too general as it catches also text files starting with jm
0 string jm
# only found examples with this additional characteristic 2 bytes
>2 string \x2\x4 Xpack DiskImage archive data
#!:ext xdi
# XPack Data
# *.xpa updated by Joerg Jenderek Sep 2015
# ftp://ftp.elf.stuba.sk/pub/pc/pack/
# The description is assembled in pieces: "XPA" here, then "\b32 archive
# data" or "\bck archive data" from the continuation lines below.
0 string xpa XPA
!:ext xpa
# XPA32
# ftp://ftp.elf.stuba.sk/pub/pc/pack/xpa32.zip
# created by XPA32.EXE version 1.0.2 for Windows
>0 string xpa\0\1 \b32 archive data
# created by XPACK.COM version 1.67m or 1.67r with short 0x1800
>3 ubeshort !0x0001 \bck archive data
# XPack Single Data
# changed by Joerg Jenderek Sep 2015 back to like in version 5.12
# letter 'I'+ acute accent is equivalent to \xcd
0 string \xcd\ jm Xpack single archive data
#!:mime application/x-xpa-compressed
!:ext xpa

# TODO: missing due to unknown magic/magic at end of file:
#DWC
#ARG
#ZAR
#PC/3270
#InstallIt
#RKive
#RK
#XPack Diskimage

# These were inspired by idarc, but actually verified
# Dzip archiver (.dz)
# Update: Joerg Jenderek
# URL: http://speeddemosarchive.com/dzip/
# reference: http://speeddemosarchive.com/dzip/dz29src.zip/main.c
# GRR: line below is too general as it matches also ASCII texts like Doszip commander help dz.txt
0 string DZ
# latest version is 2.9 dated 7 may 2003
>2 byte <4 Dzip archive data
!:mime application/x-dzip
!:ext dz
>>2 byte x \b, version %i
>>3 byte x \b.%i
>>4 ulelong x \b, offset 0x%x
>>8 ulelong x \b, %u files
# ZZip archiver (.zz)
0 string ZZ\ \0\0 ZZip archive data
0 string ZZ0 ZZip archive data
# PAQ archiver (.paq)
0 string \xaa\x40\x5f\x77\x1f\xe5\x82\x0d PAQ archive data
0 string PAQ PAQ archive data
>3 byte&0xf0 0x30
>>3 byte x (v%c)
# JAR archiver (.j), this is the successor to ARJ, not Java's JAR (which is essentially ZIP)
0xe string \x1aJar\x1b JAR (ARJ Software, Inc.) archive data
0 string JARCS JAR (ARJ Software, Inc.) archive data

# ARJ archiver (jason@jarthur.Claremont.EDU)
0 leshort 0xea60 ARJ archive data
!:mime application/x-arj
>5 byte x \b, v%d,
>8 byte &0x04 multi-volume,
>8 byte &0x10 slash-switched,
>8 byte &0x20 backup,
# NOTE(review): %s carries no precision here, so the stored name is printed
# at whatever length file(1) reads it; the text comes from the inspected
# file - confirm this is intended.
>34 string x original name: %s,
>7 byte 0 os: MS-DOS
>7 byte 1 os: PRIMOS
>7 byte 2 os: Unix
>7 byte 3 os: Amiga
>7 byte 4 os: Macintosh
>7 byte 5 os: OS/2
>7 byte 6 os: Apple ][ GS
>7 byte 7 os: Atari ST
>7 byte 8 os: NeXT
>7 byte 9 os: VAX/VMS
>3 byte >0 %d]
# [JW] idarc says this is also possible
2 leshort 0xea60 ARJ archive data

# HA archiver (Greg Roelofs, newt@uchicago.edu)
# This is a really bad format. A file containing HAWAII will match this...
#0 string HA HA archive data,
#>2 leshort =1 1 file,
#>2 leshort >1 %hu files,
#>4 byte&0x0f =0 first is type CPY
#>4 byte&0x0f =1 first is type ASC
#>4 byte&0x0f =2 first is type HSC
#>4 byte&0x0f =0x0e first is type DIR
#>4 byte&0x0f =0x0f first is type SPECIAL
# suggestion: at least identify small archives (<1024 files)
# (the mask keeps bytes 0-1, which must be "HA", and requires the top six
# bits of byte 3 to be zero)
0 belong&0xffff00fc 0x48410000 HA archive data
>2 leshort =1 1 file,
>2 leshort >1 %u files,
>4 byte&0x0f =0 first is type CPY
>4 byte&0x0f =1 first is type ASC
>4 byte&0x0f =2 first is type HSC
>4 byte&0x0f =0x0e first is type DIR
>4 byte&0x0f =0x0f first is type SPECIAL

# HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz)
0 string HPAK HPACK archive data

# JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net
# NOTE(review): in this listing the escaped space is followed directly by
# the description, which would make the test string end in "JAM JAM";
# whitespace after "JAM\ " appears to have been collapsed. Confirm against
# the upstream file.
0 string \351,\001JAM\ JAM archive,
>7 string >\0 version %.4s
>0x26 byte =0x27 -
>>0x2b string >\0 label %.11s,
>>0x27 lelong x serial %08x,
>>0x36 string >\0 fstype %.8s

# LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu)
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/LHA_(file_format)
# Reference: https://web.archive.org/web/20021005080911/http://www.osirusoft.com/joejared/lzhformat.html
#
# check and display information of lharc (LHa,PMarc) file
# Called by the "2 string -lXX-" entries further down; it re-checks the
# method id and header level before printing anything.
0 name lharc-file
# check 1st character of method id like -lz4- -lh5- or -pm2-
>2 string -
# check 5th character of method id
>>6 string -
# check header level 0 1 2 3
>>>20 ubyte <4
# check 2nd, 3rd and 4th character of method id
>>>>3 regex \^(lh[0-9a-ex]|lz[s2-8]|pm[012]|pc1) \b
!:mime application/x-lzh-compressed
# creator type "LHA "
!:apple ????LHA
# display archive type name like "LHa/LZS archive data" or "LArc archive"
>>>>>2 string -lz \b
!:ext lzs
# already known -lzs- -lz4- -lz5- with old names
>>>>>>2 string -lzs LHa/LZS archive data
>>>>>>3 regex \^lz[45] LHarc 1.x archive data
# missing -lz?- with wikipedia names
>>>>>>3 regex \^lz[2378] LArc archive
# display archive type name like "LHa (2.x) archive data"
>>>>>2 string -lh \b
# already known -lh0- -lh1- -lh2- -lh3- -lh4- -lh5- -lh6- -lh7- -lhd- variants with old names
>>>>>>3 regex \^lh[01] LHarc 1.x/ARX archive data
# LHice archiver use ".ICE" as name extension instead usual one ".lzh"
# FOOBAR archiver use ".foo" as name extension instead usual one
# "Florain Orjanov's and Olga Bachetska's ARchiver" not found at the moment
>>>>>>>2 string -lh1 \b
!:ext lha/lzh/ice
>>>>>>3 regex \^lh[23d] LHa 2.x? archive data
>>>>>>3 regex \^lh[7] LHa (2.x)/LHark archive data
>>>>>>3 regex \^lh[456] LHa (2.x) archive data
>>>>>>>2 string -lh5 \b
# https://en.wikipedia.org/wiki/BIOS
# Some mainboard BIOS like Award use LHa compression. So archives with unusual extension are found like
# bios.rom , kd7_v14.bin, 1010.004, ...
!:ext lha/lzh/rom/bin
# missing -lh?- variants (Joe Jared)
>>>>>>3 regex \^lh[89a-ce] LHa (Joe Jared) archive
# UNLHA32 2.67a
>>>>>>2 string -lhx LHa (UNLHA32) archive
# lha archives with standard file name extensions ".lha" ".lzh"
>>>>>>3 regex !\^(lh1|lh5) \b
!:ext lha/lzh
# this should not happen if all -lh variants are described
>>>>>>2 default x LHa (unknown) archive
#!:ext lha
# PMarc
>>>>>3 regex \^pm[012] PMarc archive data
!:ext pma
# append method id without leading and trailing minus character
>>>>>3 string x [%3.3s]
>>>>>>0 use lharc-header
#
# check and display information of lharc header
0 name lharc-header
# header size 0x4 , 0x1b-0x61
>0 ubyte x
# compressed data size != compressed file size
#>7 ulelong x \b, data size %d
# attribute: 0x2~?? 0x10~symlink|target 0x20~normal
#>19 ubyte x \b, 19_0x%x
# level identifier 0 1 2 3
#>20 ubyte x \b, level %d
# time stamp
#>15 ubelong x DATE 0x%8.8x
# OS ID for level 1
>20 ubyte 1
# (21.b+24): the offset is the value of the byte at 21 plus 24; that byte is
# the filename length tested further down, so the position of the OS ID is
# derived from file content.
# 0x20 types find for *.rom files
>>(21.b+24) ubyte <0x21 \b, 0x%x OS
# ascii type like M for MSDOS
>>(21.b+24) ubyte >0x20 \b, '%c' OS
# OS ID for level 2
>20 ubyte 2
#>>23 ubyte x \b, OS ID 0x%x
>>23 ubyte <0x21 \b, 0x%x OS
>>23 ubyte >0x20 \b, '%c' OS
# filename only for level 0 and 1
>20 ubyte <2
# length of filename
>>21 ubyte >0 \b, with
# filename
>>>21 pstring x "%s"
#
# Each entry below tests one literal method id at offset 2 and delegates to
# lharc-file.
#2 string -lh0- LHarc 1.x/ARX archive data [lh0]
#!:mime application/x-lharc
2 string -lh0-
>0 use lharc-file
#2 string -lh1- LHarc 1.x/ARX archive data [lh1]
#!:mime application/x-lharc
2 string -lh1-
>0 use lharc-file
# NEW -lz2- ... -lz8-
2 string -lz2-
>0 use lharc-file
2 string -lz3-
>0 use lharc-file
2 string -lz4-
>0 use lharc-file
2 string -lz5-
>0 use lharc-file
2 string -lz7-
>0 use lharc-file
2 string -lz8-
>0 use lharc-file
# [never seen any but the last; -lh4- reported in comp.compression:]
#2 string -lzs- LHa/LZS archive data [lzs]
2 string -lzs-
>0 use lharc-file
# According to wikipedia and others such a version does not exist
#2 string -lh\40- LHa 2.x? archive data [lh ]
#2 string -lhd- LHa 2.x? archive data [lhd]
2 string -lhd-
>0 use lharc-file
#2 string -lh2- LHa 2.x? archive data [lh2]
2 string -lh2-
>0 use lharc-file
#2 string -lh3- LHa 2.x?
archive data [lh3] 10252 string -lh3- 1026>0 use lharc-file 1027#2 string -lh4- LHa (2.x) archive data [lh4] 10282 string -lh4- 1029>0 use lharc-file 1030#2 string -lh5- LHa (2.x) archive data [lh5] 10312 string -lh5- 1032>0 use lharc-file 1033#2 string -lh6- LHa (2.x) archive data [lh6] 10342 string -lh6- 1035>0 use lharc-file 1036#2 string -lh7- LHa (2.x)/LHark archive data [lh7] 10372 string -lh7- 1038# !:mime application/x-lha 1039# >20 byte x - header level %d 1040>0 use lharc-file 1041# NEW -lh8- ... -lhe- , -lhx- 10422 string -lh8- 1043>0 use lharc-file 10442 string -lh9- 1045>0 use lharc-file 10462 string -lha- 1047>0 use lharc-file 10482 string -lhb- 1049>0 use lharc-file 10502 string -lhc- 1051>0 use lharc-file 10522 string -lhe- 1053>0 use lharc-file 10542 string -lhx- 1055>0 use lharc-file 1056# taken from idarc [JW] 10572 string -lZ PUT archive data 1058# already done by LHarc magics 1059# this should never happen if all sub types of LZS archive are identified 1060#2 string -lz LZS archive data 10612 string -sw1- Swag archive data 1062 10630 name rar-file-header 1064>24 byte 15 \b, v1.5 1065>24 byte 20 \b, v2.0 1066>24 byte 29 \b, v4 1067>15 byte 0 \b, os: MS-DOS 1068>15 byte 1 \b, os: OS/2 1069>15 byte 2 \b, os: Win32 1070>15 byte 3 \b, os: Unix 1071>15 byte 4 \b, os: Mac OS 1072>15 byte 5 \b, os: BeOS 1073 10740 name rar-archive-header 1075>3 leshort&0x1ff >0 \b, flags: 1076>>3 leshort &0x01 ArchiveVolume 1077>>3 leshort &0x02 Commented 1078>>3 leshort &0x04 Locked 1079>>3 leshort &0x10 NewVolumeNaming 1080>>3 leshort &0x08 Solid 1081>>3 leshort &0x20 Authenticated 1082>>3 leshort &0x40 RecoveryRecordPresent 1083>>3 leshort &0x80 EncryptedBlockHeader 1084>>3 leshort &0x100 FirstVolume 1085 1086# RAR (Roshal Archive) archive 10870 string Rar!\x1a\7\0 RAR archive data 1088!:mime application/x-rar 1089!:ext rar/cbr 1090# file header 1091>(0xc.l+9) byte 0x74 1092>>(0xc.l+7) use rar-file-header 1093# subblock seems to share information with file header 
>(0xc.l+9) byte 0x7a
>>(0xc.l+7) use rar-file-header
# 0x73 at offset 9: hand offset 7 to rar-archive-header to print the flags
# (presumably this is the main archive header block - confirm)
>9 byte 0x73
>>7 use rar-archive-header

# RAR v5 signature; no header details are printed for this version
0 string Rar!\x1a\7\1\0 RAR archive data, v5
!:mime application/x-rar
!:ext rar

# Very old RAR archive
# https://jasonblanks.com/wp-includes/images/papers/KnowyourarchiveRAR.pdf
0 string RE\x7e\x5e RAR archive data (<v1.5)
!:mime application/x-rar
!:ext rar/cbr

# SQUISH archiver (Greg Roelofs, newt@uchicago.edu)
0 string SQSH squished archive data (Acorn RISCOS)

# UC2 archiver (Greg Roelofs, newt@uchicago.edu)
# [JW] see exe section for self-extracting version
0 string UC2\x1a UC2 archive data

# PKZIP multi-volume archive
0 string PK\x07\x08PK\x03\x04 Zip multi-volume archive data, at least PKZIP v2.50 to extract
!:mime application/zip
!:ext zip/cbz

# Zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)
# NOTE(review): every Zip rule here tests the first bytes of the file only.
# The label describes how the file starts, not what an extractor will accept,
# so upload filters and triage tooling should not use it as validation.
0 string PK\005\006 Zip archive data (empty)
!:mime application/zip
!:ext zip/cbz
!:strength +1
0 string PK\003\004
!:strength +1

# Specialised zip formats which start with a member named 'mimetype'
# (stored uncompressed, with no 'extra field') containing the file's MIME type.
# Check for an 8-byte name, 0-byte extra field, name "mimetype", and
# contents starting with "application/":
# The subtype strings matched below are read from that 'mimetype' member, so
# the reported document type is whatever the file declares about itself.
>26 string \x8\0\0\0mimetypeapplication/

# KOffice / OpenOffice & StarOffice / OpenDocument formats
# From: Abel Cheung <abel@oaka.org>

# KOffice (1.2 or above) formats
# (mimetype contains "application/vnd.kde.<SUBTYPE>")
>>50 string vnd.kde. KOffice (>=1.2)
>>>58 string karbon Karbon document
>>>58 string kchart KChart document
>>>58 string kformula KFormula document
>>>58 string kivio Kivio document
>>>58 string kontour Kontour document
>>>58 string kpresenter KPresenter document
>>>58 string kspread KSpread document
>>>58 string kword KWord document

# OpenOffice formats (for OpenOffice 1.x / StarOffice 6/7)
# (mimetype contains "application/vnd.sun.xml.<SUBTYPE>")
# URL: https://en.wikipedia.org/wiki/OpenOffice.org_XML
# reference: http://fileformats.archiveteam.org/wiki/OpenOffice.org_XML
# The "byte !0x2e" tests check that the subtype name is not followed by '.',
# i.e. that no ".template"-style suffix follows.
>>50 string vnd.sun.xml. OpenOffice.org 1.x
>>>62 string writer Writer
>>>>68 byte !0x2e document
!:mime application/vnd.sun.xml.writer
!:ext sxw
>>>>68 string .template template
!:mime application/vnd.sun.xml.writer.template
!:ext stw
>>>>68 string .web Web template
!:mime application/vnd.sun.xml.writer.web
!:ext stw
>>>>68 string .global global document
!:mime application/vnd.sun.xml.writer.global
!:ext sxg
>>>62 string calc Calc
>>>>66 byte !0x2e spreadsheet
!:mime application/vnd.sun.xml.calc
!:ext sxc
>>>>66 string .template template
!:mime application/vnd.sun.xml.calc.template
!:ext stc
>>>62 string draw Draw
>>>>66 byte !0x2e document
!:mime application/vnd.sun.xml.draw
!:ext sxd
>>>>66 string .template template
!:mime application/vnd.sun.xml.draw.template
!:ext std
>>>62 string impress Impress
>>>>69 byte !0x2e presentation
!:mime application/vnd.sun.xml.impress
!:ext sxi
>>>>69 string .template template
!:mime application/vnd.sun.xml.impress.template
!:ext sti
>>>62 string math Math document
!:mime application/vnd.sun.xml.math
!:ext sxm
>>>62 string base Database file
!:mime application/vnd.sun.xml.base
!:ext sdb

# OpenDocument formats (for OpenOffice 2.x / StarOffice >= 8)
# URL: http://fileformats.archiveteam.org/wiki/OpenDocument
# https://lists.oasis-open.org/archives/office/200505/msg00006.html
# (mimetype contains "application/vnd.oasis.opendocument.<SUBTYPE>")
# The "byte !0x2d" tests check that the subtype name is not followed by '-',
# i.e. that no "-template"-style suffix follows.
>>50 string vnd.oasis.opendocument. OpenDocument
>>>73 string text
>>>>77 byte !0x2d Text
!:mime application/vnd.oasis.opendocument.text
!:ext odt
>>>>77 string -template Text Template
!:mime application/vnd.oasis.opendocument.text-template
!:ext ott
>>>>77 string -web HTML Document Template
!:mime application/vnd.oasis.opendocument.text-web
!:ext oth
>>>>77 string -master Master Document
!:mime application/vnd.oasis.opendocument.text-master
!:ext odm
>>>73 string graphics
>>>>81 byte !0x2d Drawing
!:mime application/vnd.oasis.opendocument.graphics
!:ext odg
>>>>81 string -template Drawing Template
!:mime application/vnd.oasis.opendocument.graphics-template
!:ext otg
>>>73 string presentation
>>>>85 byte !0x2d Presentation
!:mime application/vnd.oasis.opendocument.presentation
!:ext odp
>>>>85 string -template Presentation Template
!:mime application/vnd.oasis.opendocument.presentation-template
!:ext otp
>>>73 string spreadsheet
>>>>84 byte !0x2d Spreadsheet
!:mime application/vnd.oasis.opendocument.spreadsheet
!:ext ods
>>>>84 string -template Spreadsheet Template
!:mime application/vnd.oasis.opendocument.spreadsheet-template
!:ext ots
>>>73 string chart
>>>>78 byte !0x2d Chart
!:mime application/vnd.oasis.opendocument.chart
!:ext odc
>>>>78 string -template Chart Template
!:mime application/vnd.oasis.opendocument.chart-template
!:ext otc
>>>73 string formula
>>>>80 byte !0x2d Formula
!:mime application/vnd.oasis.opendocument.formula
!:ext odf
>>>>80 string -template Formula Template
!:mime application/vnd.oasis.opendocument.formula-template
!:ext otf
# https://www.loc.gov/preservation/digital/formats/fdd/fdd000441.shtml
>>>73 string database Database
!:mime application/vnd.oasis.opendocument.database
!:ext odb
# Valid for LibreOffice Base 6.0.1.1 at least
>>>73 string base Database
# https://bugs.documentfoundation.org/show_bug.cgi?id=45854
!:mime application/vnd.oasis.opendocument.database
#!:mime application/vnd.oasis.opendocument.base
!:ext odb
>>>73 string image
>>>>78 byte !0x2d Image
!:mime application/vnd.oasis.opendocument.image
!:ext odi
>>>>78 string -template Image Template
!:mime application/vnd.oasis.opendocument.image-template
!:ext oti

# EPUB (OEBPS) books using OCF (OEBPS Container Format)
# https://www.idpf.org/ocf/ocf1.0/download/ocf10.htm, section 4.
# From: Ralf Brown <ralf.brown@gmail.com>
>>50 string epub+zip EPUB document
!:mime application/epub+zip

# From: Joerg Jenderek
# URL: http://en.wikipedia.org/wiki/CorelDRAW
# NOTE: version; til 2 WL-based; from 3 til 13 by ./riff; from 14 zip based
>>50 string x-vnd.corel. Corel
>>>62 string draw.document+zip Draw drawing, version 14-16
!:mime application/x-vnd.corel.draw.document+zip
!:ext cdr
>>>62 string draw.template+zip Draw template, version 14-16
!:mime application/x-vnd.corel.draw.template+zip
!:ext cdrt
>>>62 string zcf.draw.document+zip Draw drawing, version 17-22
!:mime application/x-vnd.corel.zcf.draw.document+zip
!:ext cdr
>>>62 string zcf.draw.template+zip Draw template, version 17-22
!:mime application/x-vnd.corel.zcf.draw.template+zip
!:ext cdt/cdrt
# URL: http://product.corel.com/help/CorelDRAW/540240626/Main/EN/Doc/CorelDRAW-Other-file-formats.html
>>>62 string zcf.pattern+zip Draw pattern, version 22
!:mime application/x-vnd.corel.zcf.pattern+zip
!:ext pat
# URL: https://en.wikipedia.org/wiki/Corel_Designer
# Reference: http://fileformats.archiveteam.org/wiki/Corel_Designer
# Note: called by TrID "Corel DESIGN graphics"
>>>62 string designer.document+zip DESIGNER graphics, version 14-16
!:mime application/x-vnd.corel.designer.document+zip
!:ext des
>>>62 string zcf.designer.document+zip DESIGNER graphics, version 17-21
!:mime application/x-vnd.corel.zcf.designer.document+zip
!:ext des
# URL: http://product.corel.com/help/CorelDRAW/540223850/Main/EN/Documentation/
# CorelDRAW-Corel-Symbol-Library-CSL.html
>>>62 string symbol.library+zip Symbol Library, version 6-16.3
!:mime application/x-vnd.corel.symbol.library+zip
!:ext csl
>>>62 string zcf.symbol.library+zip Symbol Library, version 17-22
!:mime application/x-vnd.corel.zcf.symbol.library+zip
!:ext csl

# Catch other ZIP-with-mimetype formats
# In a ZIP file, the bytes immediately after a member's contents are
# always "PK". The 2 regex rules here print the "mimetype" member's
# contents up to the first 'P'. Luckily, most MIME types don't contain
# any capital 'P's. This is a kludge.
# (mimetype contains "application/<OTHER>")
# The %s below prints bytes taken from the file's own 'mimetype' member; the
# "?" in the message marks the value as a guess, and consumers of the output
# should treat it as untrusted text.
>>50 default x Zip data
>>>38 regex [!-OQ-~]+ (MIME type "%s"?)
!:mime application/zip
# (mimetype contents other than "application/*")
>26 string \x8\0\0\0mimetype
>>38 string !application/
>>>38 regex [!-OQ-~]+ Zip data (MIME type "%s"?)
!:mime application/zip

# Java Jar files
# (26.s+30): the little-endian short at 26 (the name length, see the
# 'mimetype' rule above) plus 30, i.e. the first bytes after the first
# member's name. 0xcafe there is taken as the JAR marker; a JAR whose first
# member lacks it is reported by the generic rule below as "Zip archive data".
>(26.s+30) leshort 0xcafe Java archive data (JAR)
!:mime application/java-archive

# iOS App
# first member name starts with "Payload/" and ".app/" is found within the
# next 64 bytes
>(26.s+30) leshort !0xcafe
>>26 string !\x8\0\0\0mimetype
>>>30 string Payload/
>>>>38 search/64 .app/ iOS App
!:mime application/x-ios-app

>30 search/100/b application/epub+zip EPUB document
!:mime application/epub+zip

# Generic zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)
# Next line excludes specialized formats:
# zipversion and zipcompression are named entries defined outside this part of
# the file.
>(26.s+30) leshort !0xcafe
>>30 search/100/b !application/epub+zip
>>>26 string !\x8\0\0\0mimetype Zip archive data
!:mime application/zip
>>>>4 beshort x \b, at least
>>>>4 use zipversion
>>>>4 beshort x to extract
>>>>8 beshort x \b, compression method=
>>>>8 use zipcompression
>>>>0x161 string WINZIP \b, WinZIP self-extracting

# StarView Metafile
# From Pierre Ducroquet <pinaraf@pinaraf.info>
0 string VCLMTF StarView MetaFile
>6 beshort x \b, version %d
>8 belong x \b, size %d

# Zoo archiver
# the same 32-bit value is tested at offset 20 and again at offset 42
20 lelong 0xfdc4a7dc Zoo archive data
!:mime application/x-zoo
>4 byte >48 \b, v%c.
>>6 byte >47 \b%c
>>>7 byte >47 \b%c
>32 byte >0 \b, modify: v%d
>>33 byte x \b.%d+
>42 lelong 0xfdc4a7dc \b,
>>70 byte >0 extract: v%d
>>>71 byte x \b.%d+

# Shell archives
# The match is on the text "# This is a shell archive" at offset 10; the MIME
# type reported is the generic application/octet-stream.
# NOTE(review): a shell archive is shell script text that is run to unpack it,
# so mail and upload filtering should handle it as executable content.
10 string #\ This\ is\ a\ shell\ archive shell archive text
!:mime application/octet-stream

#
# LBR. NB: May conflict with the questionable
# "binary Computer Graphics Metafile" format.
#
0 string \0\ \ \ \ \ \ \ \ \ \ \ \0\0 LBR archive data
#
# PMA (CP/M derivative of LHA)
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/LHA_(file_format)
#
# -pm0- to -pm2- are handed to the named entry lharc-file, like the -lh?- and
# -lz?- method ids; -pms- and -pc1- are described directly.
#2 string -pm0- PMarc archive data [pm0]
2 string -pm0-
>0 use lharc-file
#2 string -pm1- PMarc archive data [pm1]
2 string -pm1-
>0 use lharc-file
#2 string -pm2- PMarc archive data [pm2]
2 string -pm2-
>0 use lharc-file
2 string -pms- PMarc SFX archive (CP/M, DOS)
#!:mime application/x-foobar-exec
!:ext com
5 string -pc1- PopCom compressed executable (CP/M)
#!:mime application/x-
#!:ext com

# From Rafael Laboissiere <rafael@laboissiere.net>
# The Project Revision Control System (see
# http://prcs.sourceforge.net) generates a packaged project
# file which is recognized by the following entry:
# NOTE(review): this is a single 16-bit test with no further checks, so the
# label is low-confidence on arbitrary binary data.
0 leshort 0xeb81 PRCS packaged project

# Microsoft cabinets
# by David Necas (Yeti) <yeti@physics.muni.cz>
#0 string MSCF\0\0\0\0 Microsoft cabinet file data,
#>25 byte x v%d
#>24 byte x \b.%d
# MPi: All CABs have version 1.3, so this is pointless.
# Better magic in debian-additions.

# GTKtalog catalogs
# by David Necas (Yeti) <yeti@physics.muni.cz>
# NOTE(review): field separators appear as single spaces in this listing; the
# test value below ends in an escaped space, so confirm against the upstream
# file where the test ends and the message begins.
4 string gtktalog\ GTKtalog catalog data,
>13 string 3 version 3
>>14 beshort 0x677a (gzipped)
>>14 beshort !0x677a (not gzipped)
>13 string >3 version %s

############################################################################
# Parity archive reconstruction file, the 'par' file format now used on Usenet.
0 string PAR\0 PARity archive data
>48 leshort =0 - Index file
>48 leshort >0 - file number %d

# Felix von Leitner <felix-file@fefe.de>
# These four rules match a file that starts with "d" followed by one of the
# listed length-prefixed keys; a file whose first key is a different one is
# not identified by them.
0 string d8:announce BitTorrent file
!:mime application/x-bittorrent
# Durval Menezes, <jmgthbfile at durval dot com>
0 string d13:announce-list BitTorrent file
!:mime application/x-bittorrent
0 string d7:comment BitTorrent file
!:mime application/x-bittorrent
0 string d4:info BitTorrent file
!:mime application/x-bittorrent

# Atari MSA archive - Teemu Hukkanen <tjhukkan@iki.fi>
0 beshort 0x0e0f Atari MSA archive data
>2 beshort x \b, %d sectors per track
>4 beshort 0 \b, 1 sided
>4 beshort 1 \b, 2 sided
>6 beshort x \b, starting track: %d
>8 beshort x \b, ending track: %d

# Alternate ZIP string (amc@arwen.cs.berkeley.edu)
0 string PK00PK\003\004 Zip archive data
!:mime application/zip
!:ext zip/cbz

# ACE archive (from http://www.wotsit.org/download.asp?f=ace)
# by Stefan `Sec` Zehl <sec@42.org>
# byte 16 selects the "from <OS>" text; the little-endian short at offset 5 is
# a flag word, each set bit adds one phrase to the description
7 string **ACE** ACE archive data
>15 byte >0 version %d
>16 byte =0x00 \b, from MS-DOS
>16 byte =0x01 \b, from OS/2
>16 byte =0x02 \b, from Win/32
>16 byte =0x03 \b, from Unix
>16 byte =0x04 \b, from MacOS
>16 byte =0x05 \b, from WinNT
>16 byte =0x06 \b, from Primos
>16 byte =0x07 \b, from AppleGS
>16 byte =0x08 \b, from Atari
>16 byte =0x09 \b, from Vax/VMS
>16 byte =0x0A \b, from Amiga
>16 byte =0x0B \b, from Next
>14 byte x \b, version %d to extract
>5 leshort &0x0080 \b, multiple volumes,
>>17 byte x \b (part %d),
>5 leshort &0x0002 \b, contains comment
>5 leshort &0x0200 \b, sfx
>5 leshort &0x0400 \b, small dictionary
>5 leshort &0x0800 \b, multi-volume
>5 leshort &0x1000 \b, contains AV-String
>>30 string \x16*UNREGISTERED\x20VERSION* (unregistered)
>5 leshort &0x2000 \b, with recovery record
>5 leshort &0x4000 \b, locked
>5 leshort &0x8000 \b, solid
# Date in MS-DOS format (whatever that is)
#>18 lelong x Created on

# sfArk : compression program for Soundfonts (sf2) by Dirk Jagdmann
# <doj@cubic.org>
0x1A string sfArk sfArk compressed Soundfont
>0x15 string 2
>>0x1 string >\0 Version %s
>>0x2A string >\0 : %s

# DR-DOS 7.03 Packed File *.??_
# Reference: http://www.antonis.de/dos/dos-tuts/mpdostip/html/nwdostip.htm
# Note: unpacked by PNUNPACK.EXE
0 string Packed\ File\ 
# by looking for Control-Z skip ASCII text starting with Packed File
>0x18 ubyte 0x1a Personal NetWare Packed File
!:mime application/x-novell-compress
!:ext ??_
# the name printed here is read from the file (at most 12 characters)
>>12 string x \b, was "%.12s"
# 1 or 2
#>>0x19 ubyte x \b, at 0x19 %u
>>0x1b ulelong x with %u bytes

# EET archive
# From: Tilman Sauerbeck <tilman@code-monkey.de>
0 belong 0x1ee7ff00 EET archive
!:mime application/x-eet

# rzip archives
0 string RZIP rzip compressed data
>4 byte x - version %d
>5 byte x \b.%d
>6 belong x (%d bytes)

# From: Joerg Jenderek
# URL: https://help.foxitsoftware.com/kb/install-fzip-file.php
# reference: http://mark0.net/download/triddefs_xml.7z/
# defs/f/fzip.trid.xml
# Note: unknown compression; No "PK" zip magic; normally in directory like
# "%APPDATA%\Foxit Software\Addon\Foxit Reader\Install"
0 ubequad 0x2506781901010000 Foxit add-on/update
!:mime application/x-fzip
!:ext fzip

# From: "Robert Dale" <robdale@gmail.com>
0 belong 123 dar archive,
>4 belong x label "%.8x
>>8 belong x %.8x
>>>12 beshort x %.4x"
>14 byte 0x54 end slice
>14 beshort 0x4e4e multi-part
>14 beshort 0x4e53 multi-part, with -S

# Symbian installation files
# https://www.thouky.co.uk/software/psifs/sis.html
# http://developer.symbian.com/main/downloads/papers/SymbianOSv91/softwareinstallsis.pdf
8 lelong 0x10000419 Symbian installation file
!:mime application/vnd.symbian.install
>4 lelong 0x1000006D (EPOC release 3/4/5)
>4 lelong 0x10003A12 (EPOC release 6)
0 lelong 0x10201A7A Symbian installation file (Symbian OS 9.x)
!:mime x-epoc/x-sisx-app

# From "Nelson A. de Oliveira" <naoliv@gmail.com>
0 string MPQ\032 MoPaQ (MPQ) archive

# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
# .kgb
0 string KGB_arch KGB Archiver file
>10 string x with compression level %.1s

# xar (eXtensible ARchiver) archive
# URL: https://en.wikipedia.org/wiki/Xar_(archiver)
# xar archive format: https://code.google.com/p/xar/
# From: "David Remahl" <dremahl@apple.com>
# Update: Joerg Jenderek
# TODO: lzma compression; X509Data for pkg and xip
# Note: verified by `xar --dump-header -f FullBundleUpdate.xar` or
# `7z t -txar Xcode_10.2_beta_4.xip`
# NOTE(review): identification only - the rule reports which checksum
# algorithm the header names (including "no checksum") and verifies nothing;
# signature data (X509Data) is still a TODO above. A "signed Apple software"
# extension is therefore not evidence that a signature is present or valid.
0 string xar! xar archive
!:mime application/x-xar
# pkg for Mac OSX installer package like FullBundleUpdate.pkg
# xip for signed Apple software like Xcode_10.2_beta_4.xip
!:ext xar/pkg/xip
# always 28 in older archives
>4 ubeshort >28 \b, header size %u
# currently there exists only version 1 since about 2014
>6 ubeshort >1 version %u,
>8 ubequad x compressed TOC: %llu,
#>16 ubequad x uncompressed TOC: %llu,
# cksum_alg 0-2 in older and also 3-4 in newer
>24 belong 0 no checksum
>24 belong 1 SHA-1 checksum
>24 belong 2 MD5 checksum
>24 belong 3 SHA-256 checksum
>24 belong 4 SHA-512 checksum
>24 belong >4 unknown 0x%x checksum
#>24 belong >4 checksum
# The four chains below walk to the start of the stored data and re-run the
# magic tests there ("indirect"). The distances added come from the header
# size (4.S) and the compressed TOC size (8.Q), both read from the file.
# For no compression jump 0 bytes
>24 belong 0
>>0 ubyte x
# jump more bytes forward by header size
>>>&(4.S) ubyte x
# jump more bytes forward by compressed table of contents size
#>>>>&(8.Q) ubequad x \b, heap data 0x%llx
>>>>&(8.Q) ubyte x
# look for data by ./compress after message with 1 space at end
# NOTE(review): whitespace is collapsed in this listing, so the trailing space
# mentioned above is not visible here; confirm against the upstream file.
>>>>>&-3 indirect x \b, contains
# For SHA-1 jump 20 minus 2 bytes
>24 belong 1
>>18 ubyte x
# jump more bytes forward by header size
>>>&(4.S) ubyte x
# jump more bytes forward by compressed table of contents size
>>>>&(8.Q) ubyte x
# data compressed by gzip, bzip, lzma or none
>>>>>&-1 indirect x \b, contains
# For SHA-256 jump 32 minus 2 bytes
>24 belong 3
>>30 ubyte x
# jump more bytes forward by header size
>>>&(4.S) ubyte x
# jump more bytes forward by compressed table of contents size
>>>>&(8.Q) ubyte x
>>>>>&-1 indirect x \b, contains
# For SHA-512 jump 64 minus 2 bytes
>24 belong 4
>>62 ubyte x
# jump more bytes forward by header size
>>>&(4.S) ubyte x
# jump more bytes forward by compressed table of contents size
>>>>&(8.Q) ubyte x
>>>>>&-1 indirect x \b, contains

# Type: Parity Archive
# From: Daniel van Eeden <daniel_e@dds.nl>
0 string PAR2 Parity Archive Volume Set

# Bacula volume format. (Volumes always start with a block header.)
# URL: https://bacula.org/3.0.x-manuals/en/developers/developers/Block_Header.html
# From: Adam Buchbinder <adam.buchbinder@gmail.com>
12 string BB02 Bacula volume
>20 bedate x \b, started %s

# ePub is XHTML + XML inside a ZIP archive. The first member of the
# archive must be an uncompressed file called 'mimetype' with contents
# 'application/epub+zip'


# From: "Michael Gorny" <mgorny@gentoo.org>
# ZPAQ: http://mattmahoney.net/dc/zpaq.html
0 string zPQ ZPAQ stream
>3 byte x \b, level %d
# From: Barry Carter <carter.barry@gmail.com>
# https://encode.ru/threads/456-zpaq-updates/page32
0 string 7kSt ZPAQ file

# BBeB ebook, unencrypted (LRF format)
# URL: https://www.sven.de/librie/Librie/LrfFormat
# From: Adam Buchbinder <adam.buchbinder@gmail.com>
0 string L\0R\0F\0\0\0 BBeB ebook data, unencrypted
>8 beshort x \b, version %d
>36 byte 1 \b, front-to-back
>36 byte 16 \b, back-to-front
>42 beshort x \b, (%dx,
>44 beshort x %d)

# Symantec GHOST image by Joerg Jenderek at May 2014
# https://us.norton.com/ghost/
# https://www.garykessler.net/library/file_sigs.html
0 ubelong&0xFFFFf7f0 0xFEEF0100 Norton GHost image
# *.GHO
>2 ubyte&0x08 0x00 \b, first file
# *.GHS or *.[0-9] with cns program option
>2 ubyte&0x08 0x08 \b, split file
# part of split index interesting for *.ghs
>>4 ubyte x id=0x%x
# compression tag minus one equals numeric compression command line switch z[1-9]
>3 ubyte 0 \b, no compression
>3 ubyte 2 \b, fast compression (Z1)
>3 ubyte 3 \b, medium compression (Z2)
>3 ubyte >3
>>3 ubyte <11 \b, compression (Z%d-1)
>2 ubyte&0x08 0x00
# ~ 30 byte password field only for *.gho
# NOTE(review): only the first 8 bytes of that field are tested (ubequad at
# 12), so "password protected" is a heuristic; its absence in the output does
# not prove the image is unprotected.
>>12 ubequad !0 \b, password protected
>>44 ubyte !1
# 1~Image All, sector-by-sector only for *.gho
>>>10 ubyte 1 \b, sector copy
# 1~Image Boot track only for *.gho
>>>43 ubyte 1 \b, boot track
# 1~Image Disc only for *.gho implies Image Boot track and sector copy
>>44 ubyte 1 \b, disc sector copy
# optional image description only *.gho
# the description text is read from the file (at most 254 characters)
>>0xff string >\0 "%-.254s"
# look for DOS sector end sequence
# when found, the magic tests are re-run 512 bytes before the end of the match
# to describe the embedded sector
>0xE08 search/7776 \x55\xAA
>>&-512 indirect x \b; contains

# Google Chrome extensions
# https://developer.chrome.com/extensions/crx
# https://developer.chrome.com/extensions/hosting
# NOTE(review): "ulong" is read in host byte order, while most rules in this
# file name the byte order explicitly (lelong, ulelong, belong); confirm
# whether ulelong is intended here so the version prints the same on every host.
0 string Cr24 Google Chrome extension
!:mime application/x-chrome-extension
>4 ulong x \b, version %u

# SeqBox - Sequenced container
# ext: sbx, seqbox
# Marco Pontello marcopon@gmail.com
# reference: https://github.com/MarcoPon/SeqBox
0 string SBx SeqBox,
>3 byte x version %d

# LyNX archive
56 string USE\040LYNX\040TO\040DISSOLVE\040THIS\040FILE LyNX archive

# From: Joerg Jenderek
# URL: https://www.acronis.com/
# Reference: https://en.wikipedia.org/wiki/TIB_(file_format)
# Note: only tested with True Image 2013 Build 5962 and 2019 Build 14110
0 ubequad 0xce24b9a220000000 Acronis True Image backup
!:mime application/x-acronis-tib
!:ext tib
# 01000000
#>20 ubelong x \b, at 20 0x%x
# 20000000
#>28 ubelong x \b, at 28 0x%x
# strings like "Generic- SD/MMC 1.00" "Unknown Disk" "Msft Virtual Disk 1.0"
# ???
# strings like "\Device\0000011e" "\Device\0000015a"
#>0 search/0x6852300/cs \\Device\\
#>>&-1 pstring x \b, %s
# "\Device\HarddiskVolume30" "\Device\HarddiskVolume39"
#>>>&1 search/180/cs \\Device\\
#>>>>&-1 pstring x \b, %s
#>>>>>&0 search/29/cs \0\0\xc8\0
# disk label
#>>>>>>&10 lestring16 x \b, disk label %11.11s
#>>>>>>&9 plestring16 x \b, disk label "%11.11s"
#>>>>>>&10 ubequad x %16.16llx


# Gentoo XPAK binary package
# by Michal Gorny <mgorny@gentoo.org>
# https://gitweb.gentoo.org/proj/portage.git/tree/man/xpak.5
# negative offsets count from the end of the file: "STOP" in the last 4 bytes,
# then "XPAKSTOP" 16 bytes before the end
-4 string STOP
>-16 string XPAKSTOP Gentoo binary package (XPAK)

# From: Joerg Jenderek
# URL: https://kodi.wiki/view/TexturePacker
# Reference: https://mirrors.kodi.tv/releases/source/17.3-Krypton.tar.gz
# /xbmc-Krypton/xbmc/guilib/XBTF.h
# /xbmc-Krypton/xbmc/guilib/XBTF.cpp
0 string XBTF
# skip ASCII text by looking for terminating \0 of path
>264 ubyte 0 XBMC texture package
!:mime application/x-xbmc-xbt
!:ext xbt
# XBTF_VERSION 2
>>4 string !2 \b, version %-.1s
# nofFiles /xbmc-Krypton/xbmc/guilib/XBTFReader.cpp
>>5 ulelong x \b, %u file
# plural s
>>5 ulelong >1 \bs
# path[CXBTFFile[MaximumPathLength=256]
# the path printed here is read from the file; treat it as untrusted text when
# the description is logged or parsed
>>9 string x \b, 1st %s

# ALZIP archive
# by Hyungjun Park <hyungjun.park@worksmobile.com>, Hajin Jang <hajin_jang@worksmobile.com>
# http://kippler.com/win/unalz/
# https://salsa.debian.org/l10n-korean-team/unalz
0 string ALZ\001 ALZ archive data
!:ext alz

# https://cf-aldn.altools.co.kr/setup/EGG_Specification.zip
# the value at 0x0E selects "split", "solid" or "unknown"; 0x08E28222 matches
# without adding any text
0 string EGGA EGG archive data,
!:ext egg
>5 byte x version %u
>4 byte x \b.%u
>>0x0E ulelong =0x08E28222
>>0x0E ulelong =0x24F5A262 \b, split
>>0x0E ulelong =0x24E5A060 \b, solid
>>0x0E default x \b, unknown

# PAQ9A archive
# URL: http://mattmahoney.net/dc/#paq9a
# Note: Line 1186 of paq9a.cpp gives the magic bytes
0 string pQ9\001 PAQ9A archive