diff --git a/ChangeLog b/ChangeLog index d2dfbc14b77..e7ce3347eff 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,36 @@ +2026-02-26 11:32 Christos Zoulas + + * release 5.47 + +2026-02-04 09:54 Christos Zoulas + * Better multi-compound document identification by following the + order of the directories entries. (Thomas Ledoux) + +2026-01-19 14:00 Christos Zoulas + * if stat fails, don't attempt to restore times (Steven Grubb) + +2025-05-28 15:20 Christos Zoulas + + PR/622: Odd_Bloke: Handle negative offsets in file_buffer(), + when fd is not available. + +2025-05-28 12:50 Christos Zoulas + + * PR/655: jsummers: Obey str_flags in strings like we do for search + and regex + * PR/659: Pitzl: Apply MAGIC_CONTINUE to annotations; i.e. print + only the first, unless -k is specified. + +2024-12-19 14:44 Christos Zoulas + + * PR/592: allow + in format strings + * PR/592: signed operations should be done in signed context + +2024-12-05 13:50 Christos Zoulas + + * PR/578: jsummers: Don't crash on cygwin when tm_mon == -1 + * PR/579: net147: Fix stack overrun. + 2024-11-27 14:44 Christos Zoulas * release 5.46 diff --git a/config.sub b/config.sub index f6564f2885d..83c4149b229 100755 --- a/config.sub +++ b/config.sub @@ -1724,7 +1724,7 @@ case $os in | hpux* | unos* | osf* | luna* | dgux* | auroraux* | solaris* \ | sym* | plan9* | psp* | sim* | xray* | os68k* | v88r* \ | hiux* | abug | nacl* | netware* | windows* \ - | os9* | macos* | osx* | ios* \ + | os9* | macos* | osx* | ios* | illumos* \ | mpw* | magic* | mmixware* | mon960* | lnews* \ | amigaos* | amigados* | msdos* | newsos* | unicos* | aof* \ | aos* | aros* | cloudabi* | sortix* | twizzler* \ diff --git a/configure b/configure index cdcdd746f56..3b72db77008 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.72 for file 5.46. +# Generated by GNU Autoconf 2.72 for file 5.47. # # Report bugs to . # @@ -614,8 +614,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='file' PACKAGE_TARNAME='file' -PACKAGE_VERSION='5.46' -PACKAGE_STRING='file 5.46' +PACKAGE_VERSION='5.47' +PACKAGE_STRING='file 5.47' PACKAGE_BUGREPORT='christos@astron.com' PACKAGE_URL='' @@ -1370,7 +1370,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -'configure' configures file 5.46 to adapt to many kinds of systems. +'configure' configures file 5.47 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1441,7 +1441,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of file 5.46:";; + short | recursive ) echo "Configuration of file 5.47:";; esac cat <<\_ACEOF @@ -1567,7 +1567,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -file configure 5.46 +file configure 5.47 generated by GNU Autoconf 2.72 Copyright (C) 2023 Free Software Foundation, Inc. @@ -2153,7 +2153,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by file $as_me 5.46, which was +It was created by file $as_me 5.47, which was generated by GNU Autoconf 2.72. Invocation command line was $ $0$ac_configure_args_raw @@ -3452,7 +3452,7 @@ fi # Define the identity of the package. PACKAGE='file' - VERSION='5.46' + VERSION='5.47' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h @@ -16880,7 +16880,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by file $as_me 5.46, which was +This file was extended by file $as_me 5.47, which was generated by GNU Autoconf 2.72. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -16948,7 +16948,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -file config.status 5.46 +file config.status 5.47 configured by $0, generated by GNU Autoconf 2.72, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 58a5f63657b..f48ccc36a47 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ dnl Process this file with autoconf to produce a configure script. -AC_INIT([file],[5.46],[christos@astron.com]) +AC_INIT([file],[5.47],[christos@astron.com]) AM_INIT_AUTOMAKE([subdir-objects foreign]) m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])]) diff --git a/doc/file.man b/doc/file.man index 366e4c3ce84..eab3a1a0b54 100644 --- a/doc/file.man +++ b/doc/file.man @@ -1,5 +1,5 @@ -.\" $File: file.man,v 1.151 2024/04/07 21:27:35 christos Exp $ -.Dd April 7, 2024 +.\" $File: file.man,v 1.153 2025/07/23 18:52:08 christos Exp $ +.Dd June 17, 2025 .Dt FILE __CSECTION__ .Os .Sh NAME @@ -173,7 +173,7 @@ Causes the command to output the file type and creator code as used by older MacOS versions. The code consists of eight letters, -the first describing the file type, the latter the creator. +the first four describing the file type, the latter four the creator. This option works properly only for file formats that have the apple-style output defined. .It Fl b , Fl Fl brief @@ -348,7 +348,7 @@ Set various parameter limits. .It Li elf_shsize Ta 128MB Ta max ELF section size processed .It Li encoding Ta 65K Ta max number of bytes to determine encoding .It Li indir Ta 50 Ta recursion limit for indirect magic -.It Li name Ta 100 Ta use count limit for name/use magic +.It Li name Ta 150 Ta use count limit for name/use magic .It Li regex Ta 8K Ta length limit for regex searches .El .It Fl r , Fl Fl raw diff --git a/doc/magic.man b/doc/magic.man index 6916b7b211d..b2ae5484460 100644 --- a/doc/magic.man +++ b/doc/magic.man @@ -1,5 +1,5 @@ -.\" $File: magic.man,v 1.110 2024/11/27 15:37:00 christos Exp $ -.Dd November 27, 2024 +.\" $File: magic.man,v 1.115 2025/11/24 15:45:00 christos Exp $ +.Dd November 24, 2025 .Dt MAGIC __FSECTION__ .Os .\" install as magic.4 on USG, magic.5 on V7, Berkeley and Linux systems. @@ -73,7 +73,8 @@ A 64-bit double precision IEEE floating point number in this machine's native by .It Dv string A string of bytes. The string type specification can be optionally followed by a / -option and optionally followed by a set of flags /[bCcftTtWw]*. +option and optionally followed by a set of flags [bCcftTtWw]*. +Slash characters can be used to separate options for readability. The width limits the number of characters to be copied. Zero means all characters. The following flags are supported: @@ -85,24 +86,31 @@ Use upper case insensitive matching: upper case characters in the magic match both lower and upper case characters in the target, whereas lower case characters in the magic only match upper case characters in the target. +(not valid for regex) .It c Use lower case insensitive matching: lower case characters in the magic match both lower and upper case characters in the target, whereas upper case characters in the magic only match upper case characters in the target. +(not valid for regex) To do a complete case insensitive match, specify both .Dq c and .Dq C . .It f Require that the matched string is a full word, not a partial word match. +.It s +Don't include the match length in the offset computation. +(only valid for search and regex) .It T Trim the string, i.e. leading and trailing whitespace +is deleted before the string is printed. .It t Force text file test. .It W Compact whitespace in the target, which must contain at least one whitespace character. +(not valid for regex) If the magic has .Dv n consecutive blanks, the target needs at least @@ -110,7 +118,7 @@ consecutive blanks, the target needs at least consecutive blanks to match. .It w Treat every blank in the magic as an optional blank. -is deleted before the string is printed. +(not valid for regex) .El .It Dv pstring A Pascal-style string where the first byte/short/int is interpreted as the @@ -221,10 +229,10 @@ than UTC. An eight-byte value in little-endian byte order, interpreted as a Windows-style date. .It Dv lemsdosdate -A two-byte value in big-endian byte order, +A two-byte value in little-endian byte order, interpreted as FAT/DOS-style date. .It Dv lemsdostime -A two-byte value in big-endian byte order, +A two-byte value in little-endian byte order, interpreted as FAT/DOS-style time. .It Dv lestring16 A two-byte unicode (UCS16) string in little-endian byte order. @@ -253,7 +261,8 @@ magic entry, like a subroutine call. Named instance direct magic offsets are relative to the offset of the previous matched entry, but indirect offsets are relative to the beginning of the file as usual. -Named magic entries always match. +Named magic entries return true if there was a match in the evaluation +of the entry, or if there was a previous existing match. .It Dv use Recursively call the named magic starting from the current offset. If the name of the referenced begins with a @@ -459,11 +468,12 @@ matching a file, binary patterns are tried first; if no match is found, and the file looks like text, then its encoding is determined and the text patterns are tried. .Pp -The numeric types may optionally be followed by -.Dv \*[Am] +The numeric types may optionally be followed by an operand and a numeric value, -to specify that the value is to be AND'ed with the +to specify that the value is to be modified according to the operand and the numeric value before any comparisons are done. +The following operands are supported: +.Dv \*[Am], \*[Ba], \*[ua], +, -, \&*, /, %. Prepending a .Dv u to the type indicates that ordered comparisons should be unsigned. diff --git a/magic/Magdir/amigaos b/magic/Magdir/amigaos index fdd947fdf7f..1b8cacaf08e 100644 --- a/magic/Magdir/amigaos +++ b/magic/Magdir/amigaos @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: amigaos,v 1.20 2021/09/20 00:42:19 christos Exp $ +# $File: amigaos,v 1.23 2026/02/05 18:49:06 christos Exp $ # amigaos: file(1) magic for AmigaOS binary formats: # @@ -36,7 +36,6 @@ 0 string COSO\0 Hippel-COSO Module sound file # Too simple (short, pure ASCII, deep), MPi #26 string V.3 Brian Postma's Soundmon Module sound file v3 -#26 string BPSM Brian Postma's Soundmon Module sound file v3 #26 string V.2 Brian Postma's Soundmon Module sound file v2 # The following are from: "Stefan A. Haubenthal" @@ -195,8 +194,7 @@ 0 string LZX LZX compressed archive (Amiga) # From: Przemek Kramarczyk -0 string .KEY AmigaDOS script -0 string .key AmigaDOS script +0 string/c .key AmigaDOS script # AMOS Basic file formats # https://www.exotica.org.uk/wiki/AMOS_file_formats @@ -216,3 +214,7 @@ >12 regex .{8} \b, type %s 0 string AmBs AMOS Basic memory banks >4 beshort x \b, %d banks + + +# https://github.com/alb42/Leu/blob/master/TCDReaderUnit.pas +3 string TURBOCALC TurboCalc spreadsheet diff --git a/magic/Magdir/animation b/magic/Magdir/animation index 0df435290a3..4a73e72d855 100644 --- a/magic/Magdir/animation +++ b/magic/Magdir/animation @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: animation,v 1.98 2024/09/01 15:51:51 christos Exp $ +# $File: animation,v 1.101 2025/05/28 19:54:08 christos Exp $ # animation: file(1) magic for animation/movie formats # # animation formats @@ -542,20 +542,23 @@ >>2 byte&0xF0 !0xF0 MPEG ADTS, layer III, v1 !:strength +20 !:mime audio/mpeg ->>>2 byte&0xF0 0x10 \b, 32 kbps ->>>2 byte&0xF0 0x20 \b, 40 kbps ->>>2 byte&0xF0 0x30 \b, 48 kbps ->>>2 byte&0xF0 0x40 \b, 56 kbps ->>>2 byte&0xF0 0x50 \b, 64 kbps ->>>2 byte&0xF0 0x60 \b, 80 kbps ->>>2 byte&0xF0 0x70 \b, 96 kbps ->>>2 byte&0xF0 0x80 \b, 112 kbps ->>>2 byte&0xF0 0x90 \b, 128 kbps ->>>2 byte&0xF0 0xA0 \b, 160 kbps ->>>2 byte&0xF0 0xB0 \b, 192 kbps ->>>2 byte&0xF0 0xC0 \b, 224 kbps ->>>2 byte&0xF0 0xD0 \b, 256 kbps ->>>2 byte&0xF0 0xE0 \b, 320 kbps +>>>2 search/100 Xing \b, variable bitrate +>>>2 search/100 VBRI \b, variable bitrate +>>>2 default x +>>>>2 byte&0xF0 0x10 \b, 32 kbps +>>>>2 byte&0xF0 0x20 \b, 40 kbps +>>>>2 byte&0xF0 0x30 \b, 48 kbps +>>>>2 byte&0xF0 0x40 \b, 56 kbps +>>>>2 byte&0xF0 0x50 \b, 64 kbps +>>>>2 byte&0xF0 0x60 \b, 80 kbps +>>>>2 byte&0xF0 0x70 \b, 96 kbps +>>>>2 byte&0xF0 0x80 \b, 112 kbps +>>>>2 byte&0xF0 0x90 \b, 128 kbps +>>>>2 byte&0xF0 0xA0 \b, 160 kbps +>>>>2 byte&0xF0 0xB0 \b, 192 kbps +>>>>2 byte&0xF0 0xC0 \b, 224 kbps +>>>>2 byte&0xF0 0xD0 \b, 256 kbps +>>>>2 byte&0xF0 0xE0 \b, 320 kbps # timing >>>2 byte&0x0C 0x00 \b, 44.1 kHz >>>2 byte&0x0C 0x04 \b, 48 kHz diff --git a/magic/Magdir/apache b/magic/Magdir/apache index d896b505512..099efb77da5 100755 --- a/magic/Magdir/apache +++ b/magic/Magdir/apache @@ -1,18 +1,28 @@ #------------------------------------------------------------------------------ -# $File: apache,v 1.1 2017/04/11 14:52:15 christos Exp $ +# $File: apache,v 1.3 2025/05/30 13:25:13 christos Exp $ # apache: file(1) magic for Apache Big Data formats # Avro files -0 string Obj Apache Avro ->3 byte x version %d +0 string Obj\001 Apache Avro, version 1 # ORC files # Important information is in file footer, which we can't index to :( 0 string ORC Apache ORC -# Parquet files -0 string PAR1 Apache Parquet +# Apache arrow file format +# MIME: https://www.iana.org/assignments/media-types/application/vnd.apache.arrow.stream +# Description: https://arrow.apache.org/docs/format/Columnar.html +0 string ARROW1 Apache Arrow columnar file +!:mime application/vnd.apache.arrow.file +!:ext arrow/feather + +# Apache parquet file format +# MIME: https://www.iana.org/assignments/media-types/application/vnd.apache.parquet +# Description: https://parquet.apache.org/docs/file-format/ +0 string PAR1 Apache Parquet file +!:mime application/vnd.apache.parquet +!:ext parquet # Hive RC files 0 string RCF Apache Hive RC file diff --git a/magic/Magdir/archive b/magic/Magdir/archive index b920f9930f4..3aba947078b 100644 --- a/magic/Magdir/archive +++ b/magic/Magdir/archive @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: archive,v 1.207 2024/11/27 15:37:46 christos Exp $ +# $File: archive,v 1.218 2026/01/10 16:16:27 christos Exp $ # archive: file(1) magic for archive formats (see also "msdos" for self- # extracting compressed archives) # @@ -689,7 +689,7 @@ # TODO: idarc says "bytes 0-2 == bytes 3-5" # TTComp # URL: http://fileformats.archiveteam.org/wiki/TTComp_archive -# Update: Joerg Jenderek +# Update: Joerg Jenderek, A Iooss # GRR: line below is too general as it matches also Panorama database "TCDB 2003-10 demo.pan", others 0 string \0\6 # look for first keyword of Panorama database *.pan @@ -735,8 +735,27 @@ #>-4 ubelong x LAST_BYTES=%8.8x >-4 ubelong&0x00FFffFF !0 >>0 use ttcomp -# display information of TTComp archive +# match end of TTComp to reduce false positives +# see https://mark0.net/forum/index.php?topic=848 0 name ttcomp +>-2 string \x01\xff +>>+0 use ttcomp-display +>-2 string \x80\x7f +>>+0 use ttcomp-display +>-2 string \xc0\x3f +>>+0 use ttcomp-display +>-2 string \xe0\x1f +>>+0 use ttcomp-display +>-2 string \xf0\x0f +>>+0 use ttcomp-display +>-2 string \xf8\x07 +>>+0 use ttcomp-display +>-2 string \xfc\x03 +>>+0 use ttcomp-display +>-2 string \xfe\x01 +>>+0 use ttcomp-display +# display information of TTComp archive +0 name ttcomp-display # (version 5.25) labeled the entry as "TTComp archive data" >0 ubyte x TTComp archive data !:mime application/x-compress-ttcomp @@ -746,23 +765,10 @@ >0 ubyte 0 \b, binary >0 ubyte 1 \b, ASCII # size of the dictionary: 4~1024 bytes 5~2048 bytes 6~4096 bytes ->1 ubyte 4 \b, 1K ->1 ubyte 5 \b, 2K ->1 ubyte 6 \b, 4K ->1 ubyte x dictionary -# https://mark0.net/forum/index.php?topic=848 -# last 3 bytes probably have only 8 possible bit sequences -# xxxxxxxx 0000000x 11111111 ____FFh -# xxxxxxxx 10000000 01111111 __807Fh -# 0xxxxxxx 11000000 00111111 __C03Fh -# 00xxxxxx 11100000 00011111 __E01Fh -# 000xxxxx 11110000 00001111 __F00Fh -# 0000xxxx 11111000 00000111 __F807h -# 00000xxx 11111100 00000011 __FC03h -# 000000xx 11111110 00000001 __FE01h -# but for quickgif.__d 0A7DD4h -#>-3 ubyte x \b, last 3 bytes 0x%2.2x -#>-2 ubeshort x \b%4.4x +>1 ubyte 4 \b, 1K dictionary +>1 ubyte 5 \b, 2K dictionary +>1 ubyte 6 \b, 4K dictionary + # From: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/Disk_Copy # reference: http://nulib.com/library/FTN.e00005.htm @@ -1231,6 +1237,8 @@ #>0x200 ubequad x \b, at 0x200 %#16.16llx # cab_descriptor_size like: 0 (*.cab) BD5 C8B DA5 E2A E36 116C 251D 4DA9 56F0 5CC2 6E4B 777D 779E 1F7C2 >16 ulelong !0 \b, descriptor size %#x +>(12.l+40) lelong x ]b, %u files + # TOP4 0 string T4\x1a TOP4 archive data # BatComp left out: sig looks like COM executable @@ -1491,22 +1499,18 @@ >>9 ubyte !2 \b, security version %u # file type; 2 in main header; 0~binary 1~7-bitText 2~comment 3~directory 4~VolumeLabel 5=ChapterLabel >0xA ubyte !2 \b, file type %u -# date+time when original archive was created in MS-DOS format via ./msdos ->0xC ulelong x \b, created ->0xC use dos-date -# or date and time by new internal function -#>0xE lemsdosdate x %s -#>0xC lemsdostime x %s +# date+time when original archive was created in MS-DOS format +>0xE lemsdosdate x \b, created %s +>0xC lemsdostime x %s +# Archive mod time, added in format v6 (ARJ 2.39c) +>5 ubyte >5 +>>0x10 ulelong >0 \b, modified +>>>0x12 lemsdosdate x %s +>>>0x10 lemsdostime x %s + # FOR DEBUGGING #>0x12 uleshort x RAW DATE %#4.4x #>0x10 uleshort x RAW TIME %#4.4x -# date+time when archive was last modified; sometimes nil or -# maybe wrong like in HP4DRVR.ARJ -#>0x10 ulelong >0 \b, modified -#>>0x10 use dos-date -# or date and time by new internal function -#>>0x12 lemsdosdate x %s -#>>0x10 lemsdostime x %s # archive size (currently used only for secured archives); MAYBE? #>0x14 ulelong !0 \b, file size %u # security envelope file position; MAYBE? @@ -1795,6 +1799,51 @@ !:ext zip/cbz +# Generic zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) +# Next line excludes specialized formats: +0 name zipgeneric +>4 beshort x Zip archive data, at least +!:mime application/zip +>4 use zipversion +>4 beshort x to extract +>8 beshort x \b, compression method= +>8 use zipcompression +>0x161 string WINZIP \b, WinZIP self-extracting + +# Zip archives that can be either APK or JAR. Checks for resources.arsc, classes.dex, etc. +0 name apk_or_jar +# Contains resources.arsc (near the end, in the central directory) +>-512 search resources.arsc Android package (APK), with MANIFEST.MF and resources.arsc +!:mime application/vnd.android.package-archive +!:ext apk +>>-22 string PK\005\006 +>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +>-512 default x +# Contains classes.dex (near the end, in the central directory) +>>-512 search classes.dex Android package (APK), with MANIFEST.MF and classes.dex +!:mime application/vnd.android.package-archive +!:ext apk +>>>-22 string PK\005\006 +>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +>>-512 default x +# Contains lib/armeabi (near the end, in the central directory) +>>>-512 search lib/armeabi Android package (APK), with MANIFEST.MF and armeabi lib +!:mime application/vnd.android.package-archive +!:ext apk +>>>>-22 string PK\005\006 +>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +>>>-512 default x +# Contains drawables (near the end, in the central directory) +>>>>-512 search res/drawable Android package (APK), with MANIFEST.MF and drawables +!:mime application/vnd.android.package-archive +!:ext apk +>>>>>-22 string PK\005\006 +>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block +# It may or may not be an APK file, but it's definitely a Java JAR file +>>>>-512 default x Java archive data (JAR) +!:mime application/java-archive +!:ext jar + 0 string PK\003\004 !:strength +1 # IOS/IPadOS IPA file (Zip archive) @@ -1830,40 +1879,14 @@ >>>-22 string PK\005\006 >>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block # Starts with META-INF/MANIFEST.MF (file name length = 20) -# NB: checks for resources.arsc, classes.dex, etc. as well to avoid matching JAR files >26 uleshort 20 >>30 string META-INF/MANIFEST.MF -# Contains resources.arsc (near the end, in the central directory) ->>>-512 search resources.arsc Android package (APK), with MANIFEST.MF and resources.arsc -!:mime application/vnd.android.package-archive -!:ext apk ->>>>-22 string PK\005\006 ->>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block ->>>-512 default x -# Contains classes.dex (near the end, in the central directory) ->>>>-512 search classes.dex Android package (APK), with MANIFEST.MF and classes.dex -!:mime application/vnd.android.package-archive -!:ext apk ->>>>>-22 string PK\005\006 ->>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block ->>>>-512 default x -# Contains lib/armeabi (near the end, in the central directory) ->>>>>-512 search lib/armeabi Android package (APK), with MANIFEST.MF and armeabi lib -!:mime application/vnd.android.package-archive -!:ext apk ->>>>>>-22 string PK\005\006 ->>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block ->>>>>-512 default x -# Contains drawables (near the end, in the central directory) ->>>>>>-512 search res/drawable Android package (APK), with MANIFEST.MF and drawables -!:mime application/vnd.android.package-archive -!:ext apk ->>>>>>>-22 string PK\005\006 ->>>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block -# It may or may not be an APK file, but it's definitely a Java JAR file ->>>>>>-512 default x Java archive data (JAR) -!:mime application/java-archive -!:ext jar +>>>0 use apk_or_jar +# Starts with META-INF/ folder (file name length = 9) +>26 uleshort 9 +>>30 string META-INF/ +>>>0 use apk_or_jar + # Starts with zipflinger virtual entry (28 + 104 = 132 bytes) # See https://github.com/obfusk/apksigcopier/blob/666f5b7/apksigcopier/__init__.py#L230 >4 string \x00\x00\x00\x00\x00\x00 @@ -2132,17 +2155,11 @@ >>>>>>(-6.l) search/9000 kmp.json Keyman Compiled Package File !:mime application/vnd.keyman.kmp+zip !:ext kmp +>>>>>+4 default x +>>>>>>0 use zipgeneric -# Generic zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) -# Next line excludes specialized formats: >>>>+4 default x ->>>>>4 beshort x Zip archive data, at least -!:mime application/zip ->>>>>4 use zipversion ->>>>>4 beshort x to extract ->>>>>8 beshort x \b, compression method= ->>>>>8 use zipcompression ->>>>>0x161 string WINZIP \b, WinZIP self-extracting +>>>>>0 use zipgeneric # Zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) 0 string PK\005\006 Zip archive data (empty) @@ -2810,3 +2827,55 @@ >>37 byte x \b:%02d >>38 byte x \b:%02d >>56 ulelong x \b, size: %u bytes + +# Stone archive file - Serpent OS moss package manager's native format +# https://github.com/serpent-os/tools, +# (Ikey Doherty) +0 string \0mos Stone archive +>28 belong 1 (format v%d) +>>27 byte 1 binary package +!:mime application/x-stone-binary +!:ext stone +>>27 byte 2 delta package +!:mime application/x-stone-delta +!:ext stone +>>27 byte 3 repository index +!:mime application/x-stone-repository +!:ext index +>>27 byte 4 build manifest +!:mime application/x-stone-manifest +!:ext bin + +# * VOS , +# * [encapsulated|not_encapsulated] = +# * [encoded|not_encoded|seq_encoded|base64_encoded] +0 string VOS\040 Stratus OpenVOS EFV archive +>4 regex [^[:space:]]+ \b, (%s) +>>&0 regex [^[:space:]]+ \b, %s +>>>&0 regex [^[:space:]]+ \b, record_size=%s +>>>>&0 regex [^[:space:]]+ \b, %s +>>>>>&0 regex [^[:space:]]+ \b, %s + + +# https://www.vm.ibm.com/devpages/bkw/vmarc.html magic in EBCDIC +0 string \x7a\xc3\xc6\xc6\x40\x40\x40\x40 VM Archive + +# https://pbs.proxmox.com/docs/file-formats.html +0 string \x42\xab\x38\x07\xbe\x83\x70\xa1 Proxmox Backup Server unencrypted uncompressed blob + +0 string \x31\xb9\x58\x42\x6f\xb6\xa3\x7f Proxmox Backup Server unencrypted compressed blob + +0 string \x7b\x67\x85\xbe\x22\x2d\x4c\xf0 Proxmox Backup Server encrypted uncompressed blob + +0 string \xe6\x59\x1b\xbf\x0b\xbf\xd8\x0b Proxmox Backup Server encrypted compressed blob + +0 string \x2f\x7f\x41\xed\x91\xfd\x0f\xcd Proxmox Backup Server fixed index + +0 string \x1c\x91\x4e\xa5\x19\xba\xb3\xcd Proxmox Backup Server dynamic index + +0 string \xef\xac\x88\xe5\x74\x64\x95\xd5 Proxmox File Archive Format v1 / pxar + +0 string \x0d\xa4\x16\xdf\x75\x6c\x0f\x73\x18\x00\x00\x00\x00\x00\x00\x00\x02 Proxmox File Archive Format v2+ / mpxar + +0 string \xd2\x4e\x4a\x19\xc2\x68\x4c\x83\x10 Proxmox File Archive Format payload stream / ppxar + diff --git a/magic/Magdir/audio b/magic/Magdir/audio index 991b7599960..e630663af86 100644 --- a/magic/Magdir/audio +++ b/magic/Magdir/audio @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: audio,v 1.133 2024/09/04 19:07:20 christos Exp $ +# $File: audio,v 1.136 2026/01/23 17:02:27 christos Exp $ # audio: file(1) magic for sound formats (see also "iff") # # Jan Nicolai Langfeldt (janl@ifi.uio.no), Dan Quinlan (quinlan@yggdrasil.com), @@ -957,7 +957,7 @@ >>3 byte 4 (With no LAME header) >>3 byte 5 Version 2.4 -0 string ADRVPACK AProSys module +0 string ADRVPACK AProSys module # ftp://ftp.modland.com/pub/documents/format_documentation/\ # Art%20Of%20Noise%20(.aon).txt @@ -1199,6 +1199,13 @@ >4 beshort 0xFEFF >>0 use \^nintendo-3ds-bcwav-fields + +# QOA Quite Okay Audio format +# https://qoaformat.org/qoa-specification.pdf +# added by alex myczko +0 string qoaf QOA audio data +>4 belong x \b, %d samples per channel + # Philips DSDIFF audio format (Direct Stream Digital Interchange File Format) # Used for DSD audio recordings and Super Audio CD (SACD) mastering annotations # https://dsd-guide.com/sites/default/files/white-papers/DSDIFF_1.5_Spec.pdf @@ -1338,3 +1345,6 @@ >50 leshort x \b, scaleX %d >52 byte 0 \b, percussive >52 byte 1 \b, melodic + +# https://pbat.ch/proj/protrekkr/ +0 string PROTREKT Protrekkr Module diff --git a/magic/Magdir/bgcode b/magic/Magdir/bgcode new file mode 100644 index 00000000000..407827916df --- /dev/null +++ b/magic/Magdir/bgcode @@ -0,0 +1,9 @@ +#------------------------------------------------------------------------------ +# $File: bgcode,v 1.1 2025/03/10 21:02:05 christos Exp $ + +# BGCode +0 string GCDE Binary G-code +!:ext bgcode,bgc +>4 ulelong x Version %u +>>8 uleshort 0 \b, no checksum +>>8 uleshort 1 \b, CRC32 checksum diff --git a/magic/Magdir/blender b/magic/Magdir/blender index 5a897113e09..456e3f33113 100644 --- a/magic/Magdir/blender +++ b/magic/Magdir/blender @@ -1,6 +1,5 @@ - #------------------------------------------------------------------------------ -# $File: blender,v 1.9 2022/12/21 15:53:27 christos Exp $ +# $File: blender,v 1.10 2026/01/10 14:38:14 christos Exp $ # blender: file(1) magic for Blender 3D related files # # Native format rule v1.2. For questions use the developers list @@ -13,13 +12,13 @@ # http://formats.kaitai.io/blender_blend/index.html # Note: called "Blender 3D data" by TrID # and gzip compressed variant handled by ./compress -0 string =BLENDER Blender3D, +0 string =BLENDER Blender3D #!:mime application/octet-stream !:mime application/x-blender !:ext blend # no sample found with extension blender #!:ext blend/blender ->7 string =_ saved as 32-bits +>7 string =_ pre-v5, saved as 32-bits >>8 string =v little endian >>>9 byte x with version %c. >>>10 byte x \b%c @@ -32,7 +31,7 @@ >>>11 byte x \b%c >>>0x40 string =GLOB \b. >>>>0x58 beshort x \b%.4d ->7 string =- saved as 64-bits +>7 string =- pre-v5, saved as 64-bits >>8 string =v little endian >>9 byte x with version %c. >>10 byte x \b%c @@ -46,5 +45,15 @@ >>>0x44 string =GLOB \b. >>>>0x60 beshort x \b%.4d +# Blender 5.0+ +>7 string =17 v5+, +>>10 byte x format version %c +>>>11 byte x \b%c +>>>>13 byte x app version %c +>>>>>14 byte x \b%c +>>>>>>15 byte x \b%c +>>>>>>>16 byte x \b%c +# + # Scripts that run in the embedded Python interpreter 0 string #!BPY Blender3D BPython script diff --git a/magic/Magdir/bytecode b/magic/Magdir/bytecode index dca961c2643..263f27e09c6 100644 --- a/magic/Magdir/bytecode +++ b/magic/Magdir/bytecode @@ -1,6 +1,6 @@ #------------------------------------------------------------ -# $File: bytecode,v 1.5 2023/02/20 16:25:05 christos Exp $ +# $File: bytecode,v 1.6 2026/02/16 14:39:53 christos Exp $ # magic for various bytecodes # From: Mikhail Gusarov @@ -34,8 +34,15 @@ # https://racket-lang.org/ # https://github.com/racket/racket/blob/master/racket/src/expander/compile/write-linklet.rkt 0 string #~ ->&0 pstring x ->>&0 pstring racket +>&0 pstring x +>>&0 pstring racket >>>0 string #~ Racket bytecode ->>>>&0 pstring x (version %s) +>>>>&0 pstring x (version %s) + + +# From: Marc Chantreux +# [MoarVM](https://www.moarvm.org/) bytecode file +0 string MOARVM\x0d\x0a MoarVM bytecode +!:ext mbc +>0x9 short >0 \b, version %u diff --git a/magic/Magdir/c-lang b/magic/Magdir/c-lang index 6e375a06a7e..4b203e6fddd 100644 --- a/magic/Magdir/c-lang +++ b/magic/Magdir/c-lang @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: c-lang,v 1.32 2023/06/16 19:57:19 christos Exp $ +# $File: c-lang,v 1.38 2025/05/30 13:36:08 christos Exp $ # c-lang: file(1) magic for C and related languages programs # # The strength is to beat standard HTML @@ -17,7 +17,7 @@ >>0 regex \^class[[:space:]]+ >>>&0 regex \\{[\.\*]\\}(;)?$ \b++ >>&0 clear x source text -!:strength + 15 +!:strength + 30 !:mime text/x-c 0 search/8192 pragma >0 regex \^#[[:space:]]*pragma C source text @@ -27,8 +27,7 @@ >>&0 regex \^#[[:space:]]*endif$ C source text !:mime text/x-c 0 search/8192 define ->0 regex \^#[[:space:]]*(if\|ifn)def ->>&0 regex \^#[[:space:]]*define C source text +>0 regex \^#[[:space:]]*define C source text !:mime text/x-c 0 search/8192 char >0 regex \^[[:space:]]*char(\ \\*|\\*)(.+)(=.*)?;[[:space:]]*$ C source text @@ -58,21 +57,21 @@ # C++ # The strength of these rules is increased so they beat the C rules above 0 search/8192 namespace ->0 regex \^namespace[[:space:]]+[_[:alpha:]]{1,30}[[:space:]]*\\{ C++ source text -!:strength + 30 +>0 regex \^namespace[[:space:]]+[_[:alpha:]]{1,20}[[:space:]]*\\{ C++ source text +!:strength + 45 !:mime text/x-c++ # using namespace [namespace] or using std::[lib] 0 search/8192 using >0 regex \^using[[:space:]]+(namespace\ )?std(::)?[[:alpha:]]*[[:space:]]*; C++ source text -!:strength + 30 +!:strength + 45 !:mime text/x-c++ 0 search/8192 template >0 regex \^[[:space:]]*template[[:space:]]*<.*>[[:space:]]*$ C++ source text -!:strength + 30 +!:strength + 45 !:mime text/x-c++ 0 search/8192 virtual >0 regex \^[[:space:]]*virtual[[:space:]]+.*[};][[:space:]]*$ C++ source text -!:strength + 30 +!:strength + 45 !:mime text/x-c++ # But class alone is reduced to avoid beating php (Jens Schleusener) 0 search/8192 class @@ -81,15 +80,15 @@ !:mime text/x-c++ 0 search/8192 public >0 regex \^[[:space:]]*public: C++ source text -!:strength + 30 +!:strength + 45 !:mime text/x-c++ 0 search/8192 private >0 regex \^[[:space:]]*private: C++ source text -!:strength + 30 +!:strength + 45 !:mime text/x-c++ 0 search/8192 protected >0 regex \^[[:space:]]*protected: C++ source text -!:strength + 30 +!:strength + 45 !:mime text/x-c++ # Objective-C @@ -98,13 +97,30 @@ !:strength + 25 !:mime text/x-objective-c + +# Typst +# https://github.com/typst/typst +0 regex \^[[:space:]]*#(import|include)[[:space:]]+"@[[:alnum:]-]+ Typst source text +!:strength + 45 +!:mime text/vnd.typst +!:ext typ +0 regex \^[[:space:]]*#(import|include)[[:space:]]+"[[:alnum:]]+.typ" Typst source text +!:strength + 45 +!:mime text/vnd.typst +!:ext typ +0 regex \^[[:space:]]*#(set|show|let) Typst source text +!:strength + 45 +!:mime text/vnd.typst +!:ext typ + + # From: Mikhail Teterin 0 string cscope cscope reference data >7 string x version %.2s # We skip the path here, because it is often long (so file will # truncate it) and mostly redundant. # The inverted index functionality was added some time between -# versions 11 and 15, so look for -q if version is above 14: +# versions 11 and 30, so look for -q if version is above 14: >7 string >14 >>10 search/100 \ -q\ with inverted index >10 search/100 \ -c\ text (non-compressed) diff --git a/magic/Magdir/cisco b/magic/Magdir/cisco index 0279bbb5b5a..e5ec85f5a2e 100644 --- a/magic/Magdir/cisco +++ b/magic/Magdir/cisco @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: cisco,v 1.4 2009/09/19 16:28:08 christos Exp $ +# $File: cisco,v 1.5 2025/05/28 14:02:37 christos Exp $ # cisco: file(1) magic for cisco Systems routers # # Most cisco file-formats are covered by the generic elf code @@ -10,3 +10,8 @@ >7 string >\0 for '%s' 0 belong&0xffffff00 0x8501cb00 cisco IOS experimental microcode >7 string >\0 for '%s' + +0 string/b MZIP Cisco IOS mzip compressed data +>0x4 belong x \b, version %d +>0x8 belong x \b, entry point %#x +!:ext bin diff --git a/magic/Magdir/commands b/magic/Magdir/commands index 88aa6920be8..4ce9776697d 100644 --- a/magic/Magdir/commands +++ b/magic/Magdir/commands @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: commands,v 1.77 2024/11/10 16:55:15 christos Exp $ +# $File: commands,v 1.82 2026/02/16 14:39:53 christos Exp $ # commands: file(1) magic for various shells and interpreters # #0 string/w : shell archive or script for antique kernel text @@ -20,13 +20,13 @@ 0 string/fwb #!\ /bin/ksh Korn shell script executable (binary data) !:mime text/x-shellscript -0 string/fwt #!\ /bin/tcsh Tenex C shell script text executable +0 string/fwt #!\ /bin/tcsh Tenex C shell script text executable !:mime text/x-shellscript 0 string/fwt #!\ /usr/bin/tcsh Tenex C shell script text executable !:mime text/x-shellscript -0 string/fwt #!\ /usr/local/tcsh Tenex C shell script text executable +0 string/fwt #!\ /usr/local/tcsh Tenex C shell script text executable !:mime text/x-shellscript -0 string/fwt #!\ /usr/local/bin/tcsh Tenex C shell script text executable +0 string/fwt #!\ /usr/local/bin/tcsh Tenex C shell script text executable !:mime text/x-shellscript # @@ -52,13 +52,13 @@ !:mime text/x-nawk 0 string/fwt #!\ /usr/bin/nawk new awk script text executable !:mime text/x-nawk -0 string/fwt #!\ /usr/local/bin/nawk new awk script text executable +0 string/fwt #!\ /usr/local/bin/nawk new awk script text executable !:mime text/x-nawk 0 string/fwt #!\ /bin/gawk GNU awk script text executable !:mime text/x-gawk 0 string/wt #!\ /usr/bin/gawk GNU awk script text executable !:mime text/x-gawk -0 string/fwt #!\ /usr/local/bin/gawk GNU awk script text executable +0 string/fwt #!\ /usr/local/bin/gawk GNU awk script text executable !:mime text/x-gawk # 0 string/fwt #!\ /bin/awk awk script text executable @@ -67,6 +67,15 @@ !:mime text/x-awk 0 regex/4096 =^[\040\t\f\r\n]{0,100}BEGIN[\040\t\f\r\n]{0,100}[{] awk or perl script text +0 string/fwt #!\ /bin/lua Lua script text executable +!:mime text/x-lua +0 string/fwt #!\ /usr/bin/lua Lua script text executable +!:mime text/x-lua +0 string/fwt #!\ /usr/bin/env\ lua Lua script text executable +!:mime text/x-lua +0 string/fwt #!\ /bin/env\ lua Lua script text executable +!:mime text/x-lua + # AT&T Bell Labs' Plan 9 shell 0 string/fwt #!\ /bin/rc Plan 9 rc shell script text executable @@ -83,9 +92,9 @@ !:mime text/x-shellscript 0 string/fwb #!\ /usr/local/bash Bourne-Again shell script executable (binary data) !:mime text/x-shellscript -0 string/fwt #!\ /usr/local/bin/bash Bourne-Again shell script text executable +0 string/fwt #!\ /usr/local/bin/bash Bourne-Again shell script text executable !:mime text/x-shellscript -0 string/fwb #!\ /usr/local/bin/bash Bourne-Again shell script executable (binary data) +0 string/fwb #!\ /usr/local/bin/bash Bourne-Again shell script executable (binary data) !:mime text/x-shellscript 0 string/fwt #!\ /usr/bin/env\ bash Bourne-Again shell script text executable !:mime text/x-shellscript @@ -107,22 +116,33 @@ !:mime text/x-shellscript 0 search/1/fwt #!\ /usr/bin/tclsh Tcl/Tk script text executable -!:mime text/x-tcl +!:mime text/x-tcl 0 search/1/fwt #!\ /usr/bin/texlua LuaTex script text executable !:mime text/x-luatex +0 search/1/fwt #!\ /usr/bin/env\ texlua LuaTex script text executable +!:mime text/x-luatex +0 search/1/fwt #!\ /bin/env\ texlua LuaTex script text executable +!:mime text/x-luatex 0 search/1/fwt #!\ /usr/bin/luatex LuaTex script text executable !:mime text/x-luatex 0 search/1/fwt #!\ /usr/bin/stap Systemtap script text executable -!:mime text/x-systemtap +!:mime text/x-systemtap 0 search/1/fwt #!\ /sbin/openrc-run OpenRC script text executable -!:mime text/x-shellscript +!:mime text/x-shellscript + +# From: Marc Chantreux +# [Raku](https://raku.org/) script +0 string/fwt #!\ /bin/raku Raku (http://raku.org) script +!:mime text/x-raku +0 string/fwt #!\ /usr/bin/raku Raku (http://raku.org) script +!:mime text/x-raku # From: Kylie McClain # Type: execline scripts -# URL: https://skarnet.org/software/execline/ +# URL: https://skarnet.org/software/execline/ 0 string/fwt #!\ /command/execlineb execline script text executable !:mime text/x-execline 0 string/fwt #!\ /bin/execlineb execline script text executable @@ -142,17 +162,17 @@ # PHP scripts # Ulf Harnhammar 0 search/1/c = @@ -193,21 +213,21 @@ 0 string/t $! DCL command file # Type: Pdmenu -# URL: https://packages.debian.org/pdmenu +# URL: https://packages.debian.org/pdmenu # From: Edward Betts 0 string #!/usr/bin/pdmenu Pdmenu configuration file text # From Danny Weldon 0 string \x0b\x13\x08\x00 ->0x04 uleshort <4 ksh byte-code version %d +>0x04 uleshort <4 ksh byte-code version %d # From: arno # mozilla xpconnect typelib # see https://www.mozilla.org/scriptable/typelib_file.html -0 string XPCOM\nTypeLib\r\n\032 XPConnect Typelib ->0x10 byte x version %d ->>0x11 byte x \b.%d +0 string XPCOM\nTypeLib\r\n\032 XPConnect Typelib +>0x10 byte x version %d +>>0x11 byte x \b.%d 0 string/fwt #!\ /usr/bin/env\ runghc GHC script executable 0 string/fwt #!\ /usr/bin/env\ runhaskell Haskell script executable -0 string/fwt #!\ /usr/bin/env\ julia Julia script executable +0 string/fwt #!\ /usr/bin/env\ julia Julia script executable diff --git a/magic/Magdir/console b/magic/Magdir/console index 8fef21f73ab..a4357b3e7ac 100644 --- a/magic/Magdir/console +++ b/magic/Magdir/console @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: console,v 1.80 2024/11/09 23:55:02 christos Exp $ +# $File: console,v 1.81 2026/01/31 15:44:17 christos Exp $ # Console game magic # Toby Deshane @@ -1376,3 +1376,93 @@ >0x20 ubelong 1 PowerPC >>0xA4 ubelong 0x11 \b, Wii U mode >>0xA4 ubelong 0x12 \b, Wii mode + +# Type: WonderSwan raw ROM format +# (Also covers the WonderSwan WSR sound format, which is an extension thereof) +# From: Adrian Siekierka +# Reference: https://ws.nesdev.org/wiki/ROM_header +0 name wonderswan-maintenance +>0 ubyte&0x80 =128 \b, custom splash screen bypassed + +0 name wonderswan-version +>0 ubyte&0x7F x \b, rev. %d +>0 ubyte&0x80 =128 \b, internal EEPROM unlocked + +0 name wonderswan-rom-size +>0 byte 0x00 \b, ROM: 1Mbit +>0 byte 0x01 \b, ROM: 2Mbit +>0 byte 0x02 \b, ROM: 4Mbit +>0 byte 0x03 \b, ROM: 8Mbit +>0 byte 0x04 \b, ROM: 16Mbit +>0 byte 0x05 \b, ROM: 24Mbit +>0 byte 0x06 \b, ROM: 32Mbit +>0 byte 0x07 \b, ROM: 48Mbit +>0 byte 0x08 \b, ROM: 64Mbit +>0 byte 0x09 \b, ROM: 128Mbit +>0 byte 0x0A \b, ROM: 256Mbit +>0 byte 0x0B \b, ROM: 512Mbit + +0 name wonderswan-save-type +>0 ubyte&0x0F =1 \b, RAM: 256Kbit +>0 ubyte&0x0F =2 \b, RAM: 256Kbit +>0 ubyte&0x0F =3 \b, RAM: 1Mbit +>0 ubyte&0x0F =4 \b, RAM: 2Mbit +>0 ubyte&0x0F =5 \b, RAM: 4Mbit +>0 ubyte&0xF0 =16 \b, EEPROM: 1Kbit +>0 ubyte&0xF0 =32 \b, EEPROM: 16Kbit +>0 ubyte&0xF0 =80 \b, EEPROM: 8Kbit + +0 name wonderswan-flags +>0 ubyte&0x01 =0 \b, orientation: horizontal +>0 ubyte&0x01 =1 \b, orientation: vertical + +0 name wonderswan-rom-flags +>0 ubyte&0x04 =0 \b, bus: 8-bit +>0 ubyte&0x04 =4 \b, bus: 16-bit +>0 ubyte&0x08 =8 \b, slow + +0 name wonderswan-mapper +>0 ubyte&0x0F =0 \b, mapper: 2001 +>0 ubyte&0x0F =1 \b, mapper: 2003 + +-16 ubyte 0xEA +>-32 string WSRF\x00 WonderSwan WSR sound file, based on +>-11 ubyte&0x0F =0 +>>-9 ubyte&0x01 =0 WonderSwan ROM image +!:ext ws/pc2 +>>-9 ubyte&0x01 =1 WonderSwan Color ROM image +!:ext wsc +>>-11 use wonderswan-maintenance +>>-7 use wonderswan-version +>>-7 use wonderswan-rom-size +>>-4 use wonderswan-rom-flags +>>-7 use wonderswan-save-type +>>-4 use wonderswan-flags +>>-3 use wonderswan-mapper + +# Type: WonderWitch transfer file +# From: Adrian Siekierka +# Reference: https://ws.nesdev.org/wiki/WonderWitch_.fx_files +0 string #!ws\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff WonderWitch transfer file +!:ext fx/il +>64 string/16 x \b, name "%s" +>80 string/24 x \b, info "%s" +>108 ulelong x \b, %u bytes +>112 uleshort x \b (%d blocks) +>114 uleshort >0 \b, mode " +>>114 uleshort&0x80 >0 \bd +>>114 uleshort&0x40 >0 \bl +>>114 uleshort&0x20 >0 \bi +>>114 uleshort&0x10 >0 \bs +>>114 uleshort&0x08 >0 \bm +>>114 uleshort&0x04 >0 \br +>>114 uleshort&0x02 >0 \bw +>>114 uleshort&0x01 >0 \bx +>>114 uleshort >0 \b" +>124 lelong >0 \b, resource data after %d bytes + +# Type: Aquaplus P/ECE executable format +# From: Adrian Siekierka +0 uleshort 0x0258 P/ECE executable +>(0x04.s) string x \b: "%s" +!:ext pex diff --git a/magic/Magdir/creativeassembly b/magic/Magdir/creativeassembly new file mode 100644 index 00000000000..4183d58c60b --- /dev/null +++ b/magic/Magdir/creativeassembly @@ -0,0 +1,26 @@ + +#-------------------------------------------------------------- +# $File: creativeassembly,v 1.1 2026/02/01 16:25:09 christos Exp $ +# creativeassembly: file(1) magic for various Creative Assembly files +# +# Community file formats documentation: +# + +# Benedikt Radtke +# PFH4 Archive +0 lelong 0x34484650 Creative Assembly Archive version 4 + +# Benedikt Radtke +# PFH5 Archive +0 lelong 0x35484650 Creative Assembly Archive version 5 +>&0 lelong&0xf 0x00 \b, boot archive +>&0 lelong&0xf 0x01 \b, release archive +>&0 lelong&0xf 0x02 \b, patch archive +>&0 lelong&0xf 0x03 \b, mod archive +>&0 lelong&0xf 0x04 \b, movie archive +>&0 lelong&0x10 0x10 \b, data encrypted +>&0 lelong&0x40 0x40 \b, timestamped files +>&0 lelong&0x80 0x80 \b, index encrypted +>&0 lelong&0x100 0x100 \b, big header +>&0x0c lelong x \b, %d files +#>0x14 ledate x \b, created on %s diff --git a/magic/Magdir/database b/magic/Magdir/database index c4462f96675..788916f8d32 100644 --- a/magic/Magdir/database +++ b/magic/Magdir/database @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: database,v 1.73 2024/11/09 19:54:36 christos Exp $ +# $File: database,v 1.75 2025/11/10 16:06:19 christos Exp $ # database: file(1) magic for various databases # # extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk) @@ -909,3 +909,103 @@ # so we check both to detect them also on hosts with differnet endianess 16 lelong 0xED0CDAED BoltDB database 16 belong 0xED0CDAED BoltDB database, big-endian + +# https://en.wikipedia.org/wiki/HCL_Notes +0 string \x1A\x00\x00\x03\x00\x00 Notes Storage Facility database + +# PostgreSQL WAL segment +# repo: https://git.postgresql.org/gitweb/?p=postgresql.git;a=summary +# file: src/include/access/xlog_internal.h +# header structure is XLogPageHeaderData+XLogLongPageHeaderData +# magic header numbers are defined in XLOG_PAGE_MAGIC +# The magic number is too short to safely identify a file; but since the +# WAL log pages repeat in a file, we can test the magic number on the +# headers of more than one page to make a safer match. Two is ok for now. + +0 short 0xd118 +(0x24.l) short 0xd118 PostgreSQL 18 +>0 use pgwal + +0 short 0xd116 +(0x24.l) short 0xd116 PostgreSQL 17 +>0 use pgwal + +0 short 0xd113 +(0x24.l) short 0xd113 PostgreSQL 16 +>0 use pgwal + +0 short 0xd110 +(0x24.l) short 0xd110 PostgreSQL 15 +>0 use pgwal + +0 short 0xd10d +(0x24.l) short 0xd10d PostgreSQL 14 +>0 use pgwal + +0 short 0xd106 +(0x24.l) short 0xd106 PostgreSQL 13 +>0 use pgwal + +0 short 0xd101 +(0x24.l) short 0xd101 PostgreSQL 12 +>0 use pgwal + +0 short 0xd098 +(0x24.l) short 0xd098 PostgreSQL 11 +>0 use pgwal + +0 short 0xd097 +(0x24.l) short 0xd097 PostgreSQL 10 +>0 use pgwal + +0 short 0xd093 +(0x24.l) short 0xd093 PostgreSQL 9.6 +>0 use pgwal + +0 short 0xd087 +(0x24.l) short 0xd087 PostgreSQL 9.5 +>0 use pgwal + +0 short 0xd07e +(0x24.l) short 0xd07e PostgreSQL 9.4 +>0 use pgwal + +0 short 0xd075 +(0x24.l) short 0xd075 PostgreSQL 9.3 +>0 use pgwal + +0 short 0xd071 +(0x24.l) short 0xd071 PostgreSQL 9.2 +>0 use pgwal + +0 short 0xd066 +(0x24.l) short 0xd066 PostgreSQL 9.1 +>0 use pgwal + +0 short 0xd064 +(0x24.l) short 0xd064 PostgreSQL 9.0 +>0 use pgwal + +0 short 0xd063 +(0x24.l) short 0xd063 PostgreSQL 8.4 +>0 use pgwal + +0 short 0xd062 +(0x24.l) short 0xd062 PostgreSQL 8.3 +>0 use pgwal + +0 short 0xd05e +(0x24.l) short 0xd05e PostgreSQL 8.2 +>0 use pgwal + +0 short 0xd05d +(0x24.l) short 0xd05d PostgreSQL 8.1 +>0 use pgwal + +0 short 0xd05c +(0x24.l) short 0xd05c PostgreSQL 8.0 +>0 use pgwal + +0 name pgwal WAL segment file +>0x18 quad x (System ID %lld, +>0x04 long x Timeline %d) diff --git a/magic/Magdir/filesystems b/magic/Magdir/filesystems index a15e5e74d97..427011f1598 100644 --- a/magic/Magdir/filesystems +++ b/magic/Magdir/filesystems @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: filesystems,v 1.165 2024/09/01 15:51:51 christos Exp $ +# $File: filesystems,v 1.169 2025/12/27 15:29:44 christos Exp $ # filesystems: file(1) magic for different filesystems # 0 name partid @@ -1950,8 +1950,23 @@ >36865 string BEA01 + >>36864 use extendedarea -37633 string CD001 ISO 9660 CD-ROM filesystem data (raw 2352 byte sectors) -!:mime application/x-iso9660-image +# ISO 9660 as part of various raw CD-ROM image formats. +# Usually the BIN file of a CUE/BIN pair or the IMG of a CCD/IMG/SUB triplet. + +# MODE1/2352 (2352*16 + 16 + 1) +37649 string CD001 ISO 9660 CD-ROM filesystem data +>0 default x (CD-ROM Mode 1 image, 2352 byte sectors) +!:ext bin/img + +# MODE2/2352 (2352*16 + 24 + 1) +37657 string CD001 ISO 9660 CD-ROM filesystem data +>0 default x (CD-ROM XA Mode 2 image, 2352 byte sectors) +!:ext bin/img + +# MODE2/2336 (2336*16 + 8 + 1) +37385 string CD001 ISO 9660 CD-ROM filesystem data +>0 default x (CD-ROM XA Mode 2 image, 2336 byte sectors) +!:ext bin # URL: http://fileformats.archiveteam.org/wiki/High_Sierra # Update: Joerg Jenderek @@ -2607,7 +2622,7 @@ >12 use next # bcachefs -# From: Thomas Weißschuh +# From: Thomas Weissschuh 0 name bcachefs-uuid >0 ubelong x \b%08x @@ -2654,7 +2669,8 @@ #>1060 lelong x \b, blocks=%d #>1064 lelong x \b, metadata@%#x #>1068 lelong x \b, xattr@%#x ->1072 guid x \b, uuid=%s +>1072 guid x \b, uuid= +>1072 use bcachefs-uuid >1088 string >0 \b, name=%s >1104 lelong >0 \b, incompat: >>1104 lelong &1 LZ4_0PADDING @@ -2763,3 +2779,8 @@ 0x0 string \x10\x00\x4e\x57\x20 >0x10000 string \x4e\x57\x00\x00\x01 >0x100A2 string \x4C\x00\x40 EldOS Corporation SolidFS, 64KiB page size + +# YBLOB mini object storage +# PIN-protected storage format based on the PIV application +# https://github.com/douzebis/yb +0 lelong 0xF2ED5F0B yblob object store image data diff --git a/magic/Magdir/firmware b/magic/Magdir/firmware index 21ba1ed591b..75a131138aa 100644 --- a/magic/Magdir/firmware +++ b/magic/Magdir/firmware @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: firmware,v 1.13 2024/09/04 19:04:03 christos Exp $ +# $File: firmware,v 1.17 2025/04/06 18:37:40 christos Exp $ # firmware: file(1) magic for firmware files # @@ -110,7 +110,7 @@ >>28 ulelong&0x1 1 \b, encrypted # ESP-IDF application image -# From: Alexandre Iooss +# From: A. Iooss # Update: Joerg Jenderek # URL: https://github.com/espressif/esp-idf/blob/v5.0/components/bootloader_support/include/esp_app_format.h # Reference: https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/system/app_image_format.html @@ -134,13 +134,34 @@ >>12 uleshort 0x000D for ESP32-C6 >>12 uleshort 0x000E for ESP32-H2 Beta2 >>12 uleshort 0x0010 for ESP32-H2 ->>80 string/32 x \b, project name: "%s" ->>48 string/32 x \b, version %s +>>80 byte !0 +>>>80 string/32 x \b, project name: "%s" +>>48 byte !0 +>>>48 string/32 x \b, version %s >>128 string/16 x \b, compiled on %s >>>112 string/16 x %s >>144 string/32 x \b, IDF version: %s >>4 ulelong x \b, entry address: 0x%08X +# ESP8266/ESP32 firmware image +# Note: contain partition table entries and ESP-IDF application image +# From: A. Iooss +# Reference: https://docs.espressif.com/projects/esptool/en/latest/esp32/advanced-topics/firmware-image-format.html +0 byte 0xE9 +>2 byte <4 +>>7 byte 0x40 ESP firmware image +# ESP8266 does not have Extended File Header +>>>12 uleshort 0x0000 for ESP32 +>>>12 uleshort 0x0002 for ESP32-S2 +>>>12 uleshort 0x0005 for ESP32-C3 +>>>12 uleshort 0x0009 for ESP32-S3 +>>>12 uleshort 0x000A for ESP32-H2 Beta1 +>>>12 uleshort 0x000C for ESP32-C2 +>>>12 uleshort 0x000D for ESP32-C6 +>>>12 uleshort 0x000E for ESP32-H2 Beta2 +>>>12 uleshort 0x0010 for ESP32-H2 +>>>4 ulelong x \b, entry point 0x%08X + # AVR firmware # From: Alexandre Iooss # URL: https://microchipdeveloper.com/8avr:int @@ -174,7 +195,7 @@ # Reference: http://www.piclist.com/techref/fileext/hex/intel.htm # http://mark0.net/download/triddefs_xml.7z/defs/h/hex-intel.trid.xml # From: Joerg Jenderek -# Note: called "Intel Hexadecimal object format" by TrID, "Intel® hexadecimal object file" on Linux +# Note: called "Intel Hexadecimal object format" by TrID, "Intel(R) hexadecimal object file" on Linux # and "Intel HEX binary data" by Notepad++ # look for start code; 1 character, an ASCII colon ':'; all characters preceding this symbol should be ignored 0 ubyte 0x3A @@ -275,3 +296,117 @@ >-10 string \x1A\x01UFD >>-12 uleshort x \b, for device %04X: >>-14 uleshort x \b%04X + +# Allwinner eGON Boot Image +# Reference: https://linux-sunxi.org/EGON + +0 name egon-details +# ARM b instruction +>0 ulelong&0xff000000 0xea000000 (ARM) +# RISC-V jal instruction +>0 ulelong&0x00000fff 0x0000006f (RISC-V) +>16 ulelong x \b, size %u + +4 string eGON.BT0 Allwinner eGON.BT0 Boot Image +>0 use egon-details + +4 string eGON.BT1 Allwinner eGON.BT1 Boot Image +>0 use egon-details + +# Allwinner TOC0 Boot Image +# Reference: https://linux-sunxi.org/TOC0 +0 name toc0-item +>0 ulelong 0x010101 certificate +>0 ulelong 0x010202 firmware +>0 ulelong 0x010303 key +>4 ulelong x (offset 0x%x +>8 ulelong x \b, size 0x%x) + +8 ulelong 0x89119800 Allwinner TOC0 Boot Image +>24 ulelong x with %u items +# each item is 32 bytes +# item 0 +>24 ulelong >0 \b: +>>48 use toc0-item +# item 1 +>24 ulelong >1 \b, +>>80 use toc0-item +# item 2 +>24 ulelong >2 \b, +>>112 use toc0-item +# item 3 +>24 ulelong >3 \b, +>>144 use toc0-item +# item 4 +>24 ulelong >4 \b, +>>176 use toc0-item +# item 5+ +>24 ulelong >5 \b, ... + +# Allwinner TOC1 Boot Image +# Reference: https://lore.kernel.org/all/20211015040811.56856-2-samuel@sholland.org/T/ +0 name toc1-item +>0 string/64/T x %s +>64 ulelong x (offset 0x%x +>68 ulelong x \b, size 0x%x) + +16 ulelong 0x89119800 Allwinner TOC1 Boot Image +>0 string/16/T >\0 (name "%s") +>32 ulelong x with %u items +# each item is 368 bytes +# item 0 +>32 ulelong >0 \b: +>>64 use toc1-item +# item 1 +>32 ulelong >1 \b, +>>432 use toc1-item +# item 2 +>32 ulelong >2 \b, +>>800 use toc1-item +# item 3 +>32 ulelong >3 \b, +>>1168 use toc1-item +# item 4 +>32 ulelong >4 \b, +>>1536 use toc1-item +# item 5+ +>32 ulelong >5 \b, ... + +# https://github.com/o-gs/dji-firmware-tools/blob/master/dji_imah_fwsig.py#L404 +0 string IM*H DJI firmware update +>40 string/4 >\0 (auth %s, +>44 string/4 >\0 enc %s) +>44 string/4 =\0 no enc) + +# NXP i.MX RT firmware image +# From: A. Iooss +# Reference: Table 8-2 in MCU_Flashloader_Reference_Manual.pdf +# URL: https://github.com/tock/tock/blob/master/boards/teensy40/layout.ld +# Image starts with a NOR FlexSPI Configuration Block (FCB) of 3kB or 4kB +0 string FCFB +>7 string V NXP i.MX RT bootable image +!:ext bin +>>6 byte x \b, version %d +>>5 byte x \b.%d +>>4 byte x \b.%d +# then a Image Vector Table of 4kB +>>3072 ulelong&0xFCFFFFFF 0x402000D1 +>>>7168 use flexspi-fw +>>4096 ulelong&0xFDFFFFFF 0x402000D1 +>>>5120 use flexspi-fw +>>4096 ulelong&0xFDFFFFFF 0x412000D1 +>>>8192 use flexspi-fw +# then maybe a ARM Cortex-M program, but with vector table pointing to peripheral memory +0 name flexspi-fw +>3 byte 0x20 +>>4 ulelong&1 1 +>>>8 ulelong&1 1 +>>>>12 ulelong&1 1 +>>>>>44 ulelong&1 1 +>>>>>>56 ulelong&1 1 \b, ARM Cortex-M +>>>>>>>0 ulelong >0 \b, initial SP at 0x%08x +>>>>>>>4 ulelong^1 x \b, reset at 0x%08x +>>>>>>>8 ulelong^1 x \b, NMI at 0x%08x +>>>>>>>12 ulelong^1 x \b, HardFault at 0x%08x +>>>>>>>44 ulelong^1 x \b, SVCall at 0x%08x +>>>>>>>56 ulelong^1 x \b, PendSV at 0x%08x diff --git a/magic/Magdir/fonts b/magic/Magdir/fonts index e059ba56331..54b8c499dfd 100644 --- a/magic/Magdir/fonts +++ b/magic/Magdir/fonts @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: fonts,v 1.52 2024/11/09 23:52:53 christos Exp $ +# $File: fonts,v 1.54 2025/02/10 22:01:36 rrt Exp $ # fonts: file(1) magic for font data # 0 search/1 FONT ASCII vfont text @@ -276,14 +276,14 @@ # maximal 27 tables found like in Skia.ttf # 46 different table names mentioned on Apple specification # skip 1st sequence of DOS 2 backup with path separator (\~92 or /~47) misinterpreted as table number ->4 ubeshort <47 +>4 ubeshort <48 # skip bad examples with garbage table names like in a5.show HYPERC MAC # tag names consist of up to four characters padded with spaces at end like -# BASE DSIG OS/2 Zapf acnt glyf cvt vmtx xref ... ->>12 regex/4l \^[A-Za-z][A-Za-z][A-Za-z/][A-Za-z2\ ] +# BASE C2PA DSIG OS/2 Zapf acnt glyf cvt vmtx xref ... +>>12 regex/4l \^[A-Za-z][A-Za-z2][A-Za-z/][A-Za-z2\ ] #>>>0 ubelong x \b, sfnt version %#x >>>0 ubelong !0x4f54544f TrueType -!:mime font/sfnt +!:mime font/ttf !:apple ????tfil # .ttf for TrueType font # EUDC.tte created by privat character editor %WINDIR%\system32\eudcedit.exe @@ -295,8 +295,8 @@ !:ext otf >>>0 ubelong x Font data # DSIG=44454947h table name implies a digitally signed font -# search range = number of tables * 16 =< maximal number of tables * 16 = 27 * 16 = 432 ->>>12 search/432 DSIG \b, digitally signed +# search range = number of tables * 16 =< maximal number of tables * 16 = 28 * 16 = 432 +>>>12 search/448 DSIG \b, digitally signed >>>4 ubeshort x \b, %d tables # minimal 9 tables found like in NISC18030.ttf #>>>4 ubeshort <10 TMIN diff --git a/magic/Magdir/games b/magic/Magdir/games index b8ead41b1db..2520b937f74 100644 --- a/magic/Magdir/games +++ b/magic/Magdir/games @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: games,v 1.35 2024/11/09 23:04:46 christos Exp $ +# $File: games,v 1.38 2025/05/31 15:42:06 christos Exp $ # games: file(1) for games # Fabio Bonelli @@ -245,14 +245,14 @@ # Type: SGF Smart Game Format # URL: https://www.red-bean.com/sgf/ # From: Eduardo Sabbatella -2 regex/c \\(;.*GM\\[[0-9]{1,2}\\] Smart Game Format ->2 regex/c GM\\[1\\] - Go Game ->2 regex/c GM\\[6\\] - BackGammon Game ->2 regex/c GM\\[11\\] - Hex Game ->2 regex/c GM\\[18\\] - Amazons Game ->2 regex/c GM\\[19\\] - Octi Game ->2 regex/c GM\\[20\\] - Gess Game ->2 regex/c GM\\[21\\] - twix Game +2 regex \\(;.*GM\\[[0-9]{1,2}\\] Smart Game Format +>2 regex GM\\[1\\] - Go Game +>2 regex GM\\[6\\] - BackGammon Game +>2 regex GM\\[11\\] - Hex Game +>2 regex GM\\[18\\] - Amazons Game +>2 regex GM\\[19\\] - Octi Game +>2 regex GM\\[20\\] - Gess Game +>2 regex GM\\[21\\] - twix Game # Epic Games/Unreal Engine Package # URL: https://docs.unrealengine.com/udk/Three/ContentCooking.html @@ -436,7 +436,7 @@ 0 uleshort 0x0469 GTA2 binary mission script (SCR), Industrial area (bil) 0 string v9.6\0\0 GTA2 replay file (REP), ->8 regex/30c [a-z0-9:\ ]+\0\0 created on %s +>8 regex/30 [a-z0-9:\ ]+\0\0 created on %s # GTA 3D-Era (III/VC/SA/LCS/VCS) - used by the RenderWare engine by Criterion Games @@ -664,3 +664,47 @@ >122 ubyte 0x01 pcxLib archive >>144 uleshort 0 \b, uncompressed >>144 uleshort !0 \b, compressed + +# RGSSAD asset archive used in RPG Maker XP, VX and VX Ace +0 string RGSSAD\0 +>7 byte x RPG Maker RGSSAD asset archive. version %u +!:ext rgssad/rgss2a/rgss3a + +# Panda3D BAM model format +# From: Derzsi Daniel +# URL: https://gist.github.com/rdb/13cb936f41e0339a9a9cf9651ea2b09f +0 string pbj\0\n\r Panda3D BAM file +>10 ubyte x version %u +>12 ubyte x \b.%u +# Version >= 5.0 has little-endian and big-endian formats +>10 ubyte >4 +>>14 ubyte 0 \b, big-endian vertex data +>>14 ubyte 1 \b, little-endian vertex data +>10 ubyte <5 \b, little-endian vertex data +# Version >= 6.27 has single-precision and double-precision floats +>10 ubyte =6 +>>12 ubyte >26 +>>>15 ubyte 0 \b, single-precision floats +>>>15 ubyte 1 \b, double-precision floats +>>12 ubyte <27 \b, single-precision floats +>10 ubyte >6 +>>15 ubyte 0 \b, single-precision floats +>>15 ubyte 1 \b, double-precision floats +>10 ubyte <6 \b, single-precision floats + +# Panda3D Multifile archive format +# From: Derzsi Daniel +# URL: https://tohka.us/p/exploring-encrypted-multifiles-a-technical-overview +0 string pmf\0\n\r Panda3D Multifile archive +>6 uleshort x version %u +>8 uleshort x \b.%u +# Version >= 1.1 has creation date information, missing if set to zero +>6 uleshort =1 +>>8 uleshort >0 +>>>14 uledate =0 \b, unknown creation date +>>>14 uledate !0 \b, created: %s +>>8 uleshort <1 \b, unknown creation date +>6 uleshort >1 +>>14 uledate =0 \b, unknown creation date +>>14 uledate !0 \b, created: %s +>6 uleshort <1 \b, unknown creation date diff --git a/magic/Magdir/gguf b/magic/Magdir/gguf new file mode 100644 index 00000000000..4becd6e114d --- /dev/null +++ b/magic/Magdir/gguf @@ -0,0 +1,23 @@ + +#------------------------------------------------------------------------------ +# $File: gguf,v 1.2 2025/03/10 20:50:40 christos Exp $ +# +# +# GGUF: magic file for GGUF-models +# URL: https://github.com/ggml-org/ggml/ +# From: Noah Peterson + +0 string GGUF GGUF file format +>4 byte x version %d +>8 quad x \b, %llu tensors +>16 quad >0 \b, %llu metadata entries +>&8 search/256 general.architecture +>>&12 regex ([A-Za-z0-9-]+) \b, Architecture: %s +>&8 search/256 general.name +>>&12 regex ([A-Za-z0-9\ -]+) \b, Name: %s +>&0 search/512 .block_count +>>&4 long x \b, Block Count: %u +>&0 search/512 context_length +>>&4 long x \b, Context Length: %u +>&0 search/512 embedding_length +>>&4 long x \b, Embedding Length: %u diff --git a/magic/Magdir/ibm370 b/magic/Magdir/ibm370 index 95f737128c9..bac449e04ef 100644 --- a/magic/Magdir/ibm370 +++ b/magic/Magdir/ibm370 @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: ibm370,v 1.13 2024/06/19 16:52:57 christos Exp $ +# $File: ibm370,v 1.14 2026/01/10 15:49:11 christos Exp $ # ibm370: file(1) magic for IBM 370 and compatibles. # # "ibm370" said that 0x15d == 0535 was "ibm 370 pure executable". @@ -56,3 +56,9 @@ # to 8 bytes. According to https://www.ibm.com/support/pages/apar/PK91585 # IEWPLMH is eyecatcher for "Binder Program Load Module Header" control block 0 string \xc9\xc5\xe6\xd7\xd3\xd4\xc8\x40 z/OS Program Object executable + + +# https://www.cbttape.org/awstape.htm +0 leshort >0 +>2 leshort 0x0000 +>>4 leshort 0x00a0 IBM AWS file diff --git a/magic/Magdir/images b/magic/Magdir/images index a3b972fb1ee..ecc3fb5ae47 100644 --- a/magic/Magdir/images +++ b/magic/Magdir/images @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: images,v 1.263 2024/11/10 20:44:30 christos Exp $ +# $File: images,v 1.267 2025/11/24 14:22:31 christos Exp $ # images: file(1) magic for image formats (see also "iff", and "c-lang" for # XPM bitmaps) # @@ -644,7 +644,8 @@ # GRR: with --keep-going option the line above gives duplicate messages 0 search/1/ts #FIG >&0 use image-xfig -# binary data variant with non ASCII text characters like Control-A or °C in thermostat.fig +# o +# binary data variant with non ASCII text characters like Control-A or C in thermostat.fig 0 search/1/bs #FIG >&0 use image-xfig # display XFIG image describing text, mime type, file name extension and version @@ -4565,6 +4566,7 @@ >24 ulelong 0 >>4 uleshort 0xA5E0 Aseprite asset file !:ext aseprite +!:mime image/x-aseprite >>>0 ulelong x \b, size %u >>>6 uleshort x \b, frames %u >>>8 uleshort x \b, size %ux @@ -4582,3 +4584,44 @@ >>>38 leshort x \b%d) >>>40 uleshort x \b, grid size %dx >>>42 uleshort x \b%d + +# Type: CIS/COD Bitmaps +# Documentation: https://cod.igada.de/ and http://fileformats.archiveteam.org/wiki/Lightning_Strike +# From: Robert Jäschke +0 string/b CIS +>4 ubyte 0x2e +>>3 ubyte >0x31 +>>>3 ubyte <0x34 CIS/COD image data +!:mime image/cis-cod +!:ext cod + +# versions 2.3 to 2.5 are different to version 3.0 +>>>>3 regex/4 2\\.[345] \b, version %s +>>>>>16 uleshort x \b, %u x +>>>>>18 uleshort x %u + +# so far we know more about version 3.0 +>>>>3 string/3 3.0 \b, version %s +# width and height +>>>>>16 uleshort x \b, %u x +>>>>>18 uleshort x %u x +>>>>>20 ubyte x %u + +# gray vs. color +>>>>>21 byte 0 \b, gray +>>>>>21 byte 1 \b, color +# encoder type +>>>>>24 byte 1 \b, lossy arithmetic encoder +>>>>>24 byte 2 \b, lossless arithmetic encoder +# compression type +>>>>>25 byte 1 \b, bi-wavelet compression +# quantizer type +>>>>>26 byte 1 \b, table quantization +# scb +>>>>>27 byte 1 \b, SISD +# color space +>>>>>28 byte 1 \b, YIQ RGB +>>>>>28 byte 2 \b, YUV RGB +>>>>>28 byte 3 \b, YCbCr RGB +# wavelet levels +>>>>>29 ubyte x \b, %u wavelet levels diff --git a/magic/Magdir/intel b/magic/Magdir/intel index 5177fea4578..fb32cac5f94 100644 --- a/magic/Magdir/intel +++ b/magic/Magdir/intel @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: intel,v 1.23 2022/10/31 13:22:26 christos Exp $ +# $File: intel,v 1.24 2025/01/30 19:02:08 christos Exp $ # intel: file(1) magic for x86 Unix # # Various flavors of x86 UNIX executable/object (other than Xenix, which @@ -308,3 +308,7 @@ # revision number of the ASL Compiler like: 20051117 20140724 20190703 20200110 ... >>>32 ulelong x %x +# data that can be parsed by dmidecode(8) from a dump +# or extracted from a bios image +0 string _SM3_ +>0x5 byte <0x3 SMBIOS 3.x file diff --git a/magic/Magdir/linux b/magic/Magdir/linux index 16aadca87d1..eb29069d566 100644 --- a/magic/Magdir/linux +++ b/magic/Magdir/linux @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: linux,v 1.91 2024/11/09 21:15:48 christos Exp $ +# $File: linux,v 1.95 2025/07/12 14:30:14 christos Exp $ # linux: file(1) magic for Linux files # # Values for Linux/i386 binaries, from Daniel Quinlan @@ -456,6 +456,8 @@ ############################################################################ # Linux S390 kernel image # Created by: Jan Kaluza +# Update: Jens Remus based on Vasily Gorbik +# Linux kernel: arch/s390/boot/head.S and arch/s390/include/asm/setup.h 8 string \x02\x00\x00\x18\x60\x00\x00\x50\x02\x00\x00\x68\x60\x00\x00\x50\x40\x40\x40\x40\x40\x40\x40\x40 Linux S390 >0x00010000 search/b/4096 \x00\x0a\x00\x00\x8b\xad\xcc\xcc # 64bit @@ -468,6 +470,12 @@ >>&0 string \x81\x00\xc8\x80\x00\x00\x00\x00 Z9-109 32bit kernel >>&0 string \x80\x00\x20\x00\x00\x00\x00\x00 Z990 32bit kernel >>&0 string \x80\x00\x00\x00\x00\x00\x00\x00 Z900 32bit kernel +# Linux kernel v3.2+ +>0x10008 string S390EP +# Linux kernel v5.3+ +>>0x10428 ubequad >0 +>>>(0x10428.Q) string >\0 \b, version %s + ############################################################################ # Linux ARM compressed kernel image @@ -521,6 +529,17 @@ >0x18 lelong &4 \b, 16K pages >0x18 lelong &6 \b, 32K pages +############################################################################ +# Linux kernel (arm64/riscv/loongarch) EFI executable (zstd/gzip) compressed zboot Image +# from: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/firmware/efi/libstub/zboot-header.S +0 string MZ\0\0zimg +>0x40 string PE\0\0 Linux kernel +>>&0 leshort 0xAA64 ARM64 EFI executable +>>&0 leshort 0x5032 RISC-V32 EFI executable +>>&0 leshort 0x5064 RISC-V64 EFI executable +>>&0 leshort 0x6264 LoongArch64 EFI executable +>>0x18 string >0 %s compressed zboot Image + ############################################################################ # Linux RISC-V kernel image 0x38 string RSC\05 Linux kernel RISC-V boot executable Image @@ -968,3 +987,14 @@ 0 lequad 0x32454c4946524550 Linux perf recording, version 2. little endian 0 bequad 0x32454c4946524550 Linux perf recording, version 2. big endian + +# perf(1) (Performance analysis tools) command +# +# For file format details, see: +# +# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/\ +# tools/perf/Documentation/perf.data-file-format.txt + +# The file is normally called 'perf.data' but can take any name, +# so only check the eye catcher value. +0 string PERFILE2 perf(1) data diff --git a/magic/Magdir/lua b/magic/Magdir/lua index ab17374534d..859862a351f 100644 --- a/magic/Magdir/lua +++ b/magic/Magdir/lua @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: lua,v 1.8 2020/10/08 23:23:56 christos Exp $ +# $File: lua,v 1.9 2026/01/25 16:07:06 christos Exp $ # lua: file(1) magic for Lua scripting language # URL: https://www.lua.org/ # From: Reuben Thomas , Seo Sanghyeon @@ -29,3 +29,4 @@ >4 byte 0x52 version 5.2 >4 byte 0x53 version 5.3 >4 byte 0x54 version 5.4 +>4 byte 0x55 version 5.5 diff --git a/magic/Magdir/mail.news b/magic/Magdir/mail.news index 94f30898d5d..1cd1dffeab5 100644 --- a/magic/Magdir/mail.news +++ b/magic/Magdir/mail.news @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: mail.news,v 1.32 2024/11/10 16:59:38 christos Exp $ +# $File: mail.news,v 1.33 2025/02/28 19:28:01 christos Exp $ # mail.news: file(1) magic for mail and news # # Unfortunately, saved netnews also has From line added in some news software. @@ -32,7 +32,7 @@ !:mime message/rfc822 0 string/t To: news or mail text !:mime message/rfc822 -0 string/t Article saved news text +0 regex/t Article:[[:space:]]+[0-9]+ saved news text !:mime message/news # Reference: http://quimby.gnus.org/notes/BABYL # Update: Joerg Jenderek diff --git a/magic/Magdir/measure b/magic/Magdir/measure index 42e7186484c..a36547213c7 100644 --- a/magic/Magdir/measure +++ b/magic/Magdir/measure @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: measure,v 1.3 2021/03/25 17:30:10 christos Exp $ +# $File: measure,v 1.4 2026/01/23 16:41:32 christos Exp $ # measure: file(1) magic for measurement data # DIY-Thermocam raw data @@ -42,3 +42,10 @@ (0x02.l) string *IDENTIFICATION Becker & Hickl PMS Data File >0x12 short x (%d data blocks) !:ext sdt + +# https://www.asam.net/standards/detail/mdf/ +0 string MDF\x20\x20\x20\x20\x20 ASAM/MDF measurement file Version +>8 regex .\\... %s +>12 string \x20\x20\x20\x20 +>62 byte !0 (unfinalized) +>64 string ##HD diff --git a/magic/Magdir/msdos b/magic/Magdir/msdos index 925901694c3..3e748eb1d6b 100644 --- a/magic/Magdir/msdos +++ b/magic/Magdir/msdos @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: msdos,v 1.208 2024/08/27 18:50:57 christos Exp $ +# $File: msdos,v 1.214 2025/09/06 17:00:32 christos Exp $ # msdos: file(1) magic for MS-DOS files # @@ -24,9 +24,9 @@ # OS/2 batch files are REXX. the second regex is a bit generic, oh well # the matched commands seem to be common in REXX and uncommon elsewhere 100 search/0xffff rxfuncadd ->100 regex/c =^[\ \t]{0,10}call[\ \t]{1,10}rxfunc OS/2 REXX batch file text +>100 regex =^[\ \t]{0,10}call[\ \t]{1,10}rxfunc OS/2 REXX batch file text 100 search/0xffff say ->100 regex/c =^[\ \t]{0,10}say\ ['"] OS/2 REXX batch file text +>100 regex/ =^[\ \t]{0,10}say\ ['"] OS/2 REXX batch file text # Tests for various EXE types. @@ -510,7 +510,7 @@ >>>>>>>(0x3c.l+0x2a) default x # Binaries with KERNEL, USER or GDI import library are for Windows # FIXME: names are prefixed by its length, but regex type does not support binary bytes ->>>>>>>>&(&0.s-0x29) regex/512/C KERNEL|USER|GDI for MS Windows 1.x/2.x +>>>>>>>>&(&0.s-0x29) regex/512 KERNEL|USER|GDI for MS Windows 1.x/2.x >>>>>>>>>(0x3c.l+0x37) byte&0x04 0 (real mode only) >>>>>>>>>(0x3c.l+0x37) byte&0x04 !0 (real+protected mode) # Binaries without any of those import library can be for any OS @@ -772,7 +772,13 @@ >>>0x40 search/0x80 STUB/32C \b, DOS/32A DOS extender (configurable stub) >>>0x40 search/0x80 DOS/32A \b, DOS/32A DOS extender (embedded) -# PX\0\0 signature for 32bit DOS Applications in DOS-PE Format (https://www.japheth.de/HX.html) +# PL\0\0 signature for 32-bit DOS Applications in Phar Lap TNT PE/PL Format +# Binaries can be created by TNT MARKPHAR.EXE or by 386LINK.EXE -markphar switch +# FULLSCR.EXE, GDEMO.EXE, MOUSE.EXE from MSVC32s SDK and from Phar Lap TNT SDK +>(0x3c.l) string PL\0\0 \b, PE32 executable for MS-DOS +>>(8.s*16) search/0x50 Phar\ Lap\ Software,\ Inc. \b, Phar Lap TNT DOS extender + +# PX\0\0 signature for 32/64-bit DOS Applications in DOS-PE Format (https://www.japheth.de/HX.html) # SHDPMI.EXE, DOSTEST.EXE, GETVMODE.EXE, RMINT.EXE >(0x3c.l) string PX\0\0 \b, PE32 >>(0x3c.l+24) leshort 0x020b \b+ @@ -793,6 +799,7 @@ # Skip already parsed binary types # If magic in the branch is not parsed then always jumps to mz-unrecognized >(0x3c.l) string PE\0\0 +>(0x3c.l) string PL\0\0 >(0x3c.l) string PX\0\0 >(0x3c.l) string LX >(0x3c.l) string NE @@ -2108,9 +2115,9 @@ # display shared information of cursor or icon entry 0 name cur-ico-entry >0 byte =0 \b, 256x ->0 byte !0 \b, %dx +>0 ubyte !0 \b, %dx >1 byte =0 \b256 ->1 byte !0 \b%d +>1 ubyte !0 \b%d # number of colors in palette >2 ubyte !0 \b, %d colors # reserved 0 FFh @@ -2516,7 +2523,7 @@ # URL: https://en.wikipedia.org/wiki/Microsoft_OneNote#File_format # http://fileformats.archiveteam.org/wiki/OneNote # Reference: https://mark0.net/download/triddefs_xml.7z/defs/o/onepkg.trid.xml -# 1st member name like: "Class Notes.one" "test-onenote.one" "Open Notebook.onetoc2" "Editor Öffnen.onetoc2" +# 1st member name like: "Class Notes.one" "test-onenote.one" "Open Notebook.onetoc2" "Editor offnen.onetoc2" >>>>>&0 string/c one \b, OneNote Package !:mime application/msonenote !:ext onepkg @@ -2681,12 +2688,6 @@ # next archive member name if more files #>>&17 string >\0 \b, NEXT NAME %-.50s -# InstallShield Cabinet files -0 string/b ISc( InstallShield Cabinet archive data ->5 byte&0xf0 =0x60 version 6, ->5 byte&0xf0 !0x60 version 4/5, ->(12.l+40) lelong x %u files - # Windows CE package files 0 string/b MSCE\0\0\0\0 Microsoft WinCE install header >20 lelong 0 \b, architecture-independent @@ -2821,40 +2822,6 @@ # NB: The BACKUP.nnn files consist of the files backed up, # concatenated. -# From: Joerg Jenderek -# URL: http://fileformats.archiveteam.org/wiki/MS-DOS_date/time -# Reference: https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-dosdatetimetofiletime -# Note: DOS date+time format is different from formats such as Unix epoch -# bit encoded; uses year values relative to 1980 and 2 second precision -0 name dos-date -# HHHHHMMMMMMSSSSS bit encoded Hour (0-23) Minute (0-59) SecondPart (*2) -#>0 uleshort x RAW TIME [%#4.4x] -# hour part -#>0 uleshort/2048 x hour [%u] -# YYYYYMMMMDDDDD bit encoded YearPart (+1980) Month (1-12) Day (1-31) -#>2 uleshort x RAW DATE [%#4.4x] -# day part ->2 uleshort&0x001F x %u -#>2 uleshort/16 x MONTH PART [%#x] -# GRR: not working -#>2 uleshort/16 &0x000F MONTH [%u] -#>2 uleshort&0x01E0 x MONTH PART [%#4.4x] ->2 uleshort&0x01E0 =0x0020 jan ->2 uleshort&0x01E0 =0x0040 feb ->2 uleshort&0x01E0 =0x0060 mar ->2 uleshort&0x01E0 =0x0080 apr ->2 uleshort&0x01E0 =0x00A0 may ->2 uleshort&0x01E0 =0x00C0 jun ->2 uleshort&0x01E0 =0x00E0 jul ->2 uleshort&0x01E0 =0x0100 aug ->2 uleshort&0x01E0 =0x0120 sep ->2 uleshort&0x01E0 =0x0140 oct ->2 uleshort&0x01E0 =0x0160 nov ->2 uleshort&0x01E0 =0x0180 dec -# year part ->2 uleshort/512 x 1980+%u -# - # ExcelBIFF2-8BOF.magic - Excel Binary Interchange File Format versions 2-8 # Beginning of File records # See https://www.gaia-gis.it/gaia-sins/freexl-1.0.6-doxy-doc/html/Format.html diff --git a/magic/Magdir/msooxml b/magic/Magdir/msooxml index 4dfb3a9fb62..274ce238df9 100644 --- a/magic/Magdir/msooxml +++ b/magic/Magdir/msooxml @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: msooxml,v 1.23 2024/07/19 18:48:23 christos Exp $ +# $File: msooxml,v 1.24 2025/05/29 15:03:04 christos Exp $ # msooxml: file(1) magic for Microsoft Office XML # From: Ralf Brown @@ -26,6 +26,8 @@ !:mime application/vnd.ms-visio.drawing.main+xml >0 string AppManifest.xaml Microsoft Silverlight Application !:mime application/x-silverlight-app +>0 search/100 .nuspec NuGet package +!:mime application/vnd.nuget.package # start by checking for ZIP local file header signature 0 string PK\003\004 @@ -33,30 +35,30 @@ # make sure the first file is correct >0x1E use msooxml >0x1E default x ->>0x1E regex \\[Content_Types\\]\\.xml|_rels/\\.rels|docProps|customXml +>>0x1E regex \\[Content_Types\\]\\.xml|_rels/\\.rels|docProps|customXml|.*\\.md|.*\\.png # skip to the second local file header # since some documents include a 520-byte extra field following the file # header, we need to scan for the next header ->>>(18.l+49) search/6000 PK\003\004 +>>>&26 search/10000 PK\003\004 >>>>&26 use msooxml >>>>&26 default x # now skip to the *third* local file header; again, we need to scan due to a # 520-byte extra field following the file header ->>>>>&26 search/6000 PK\003\004 +>>>>>&26 search/10000 PK\003\004 # and check the subdirectory name to determine which type of OOXML # file we have. Correct the mimetype with the registered ones: # https://technet.microsoft.com/en-us/library/cc179224.aspx >>>>>>&26 use msooxml >>>>>>&26 default x # OpenOffice/Libreoffice orders ZIP entry differently, so check the 4th file ->>>>>>>&26 search/6000 PK\003\004 +>>>>>>>&26 search/10000 PK\003\004 >>>>>>>>&26 use msooxml # Some OOXML generators add an extra customXml directory. Check another file. >>>>>>>>&26 default x ->>>>>>>>>&26 search/6000 PK\003\004 +>>>>>>>>>&26 search/10000 PK\003\004 >>>>>>>>>>&26 use msooxml >>>>>>>>>>&26 default x ->>>>>>>>>>>&26 search/6000 PK\003\004 +>>>>>>>>>>>&26 search/10000 PK\003\004 >>>>>>>>>>>>&26 use msooxml >>>>>>>>>>>>&26 default x Microsoft OOXML >>>>>>>>>>>&26 default x Microsoft OOXML @@ -66,11 +68,11 @@ >>>>>>>&26 default x Microsoft OOXML >>>>>>&26 default x Microsoft OOXML >>0x1E regex \\[trash\\] ->>>&26 search/6000 PK\003\004 ->>>>&26 search/6000 PK\003\004 +>>>&26 search/10000 PK\003\004 +>>>>&26 search/10000 PK\003\004 >>>>>&26 use msooxml >>>>>&26 default x ->>>>>>&26 search/6000 PK\003\004 +>>>>>>&26 search/10000 PK\003\004 >>>>>>>&26 use msooxml >>>>>>>&26 default x Microsoft OOXML >>>>>>&26 default x Microsoft OOXML diff --git a/magic/Magdir/music b/magic/Magdir/music index f87fc12ef8b..045a62ae81e 100644 --- a/magic/Magdir/music +++ b/magic/Magdir/music @@ -1,5 +1,5 @@ #------------------------------------------------------------------------------ -# $File: music,v 1.2 2024/06/10 23:09:52 christos Exp $ +# $File: music,v 1.4 2026/02/07 21:56:41 rrt Exp $ # music: file(1) magic for music formats # BWW format used by Bagpipe Music Writer Gold by Robert MacNeil Musicworks @@ -15,3 +15,46 @@ >>>25 string : >>>>26 string >\0 (version %.3s) +# Bars & Pipes Professional +# https://wiki.amigaos.net/wiki/Bars_and_Pipes_Professional +# +0 string BRPP Bars & Pipes Professional + +# Sibelius music notation software (published by Sibelius Software, then Avid) +# http://fileformats.archiveteam.org/wiki/Sibelius +# +# These patterns cover the Windows and macOS versions of the software, not +# the older (confusingly-named) Sibelius 6 & 7 for Acorn RISC PC. +0 string \x0fSIBELIUS Sibelius +!:mime application/x-sibelius-score +>10 string \x00\x00\x00\x0e (version 1.2) +>10 string \x00\x08 (version 2.x) +>10 string \x00\x0a (version 3.x) +>10 string \x00\x1b (version 4.x) +>10 string \x00\x2d\x00\x03 (version 5.0) +>10 string \x00\x2d\x00\x0d (version 5.1) +>10 string \x00\x2d\x00\x10 (version 5.2) +>10 string \x00\x36\x00\x01 (version 6.0) +>10 string \x00\x36\x00\x17 (version 6.1) +>10 string \x00\x36\x00\x1e (version 6.2) +>10 string \x00\x39\x00\x0c (version 7.0) +>10 string \x00\x39\x00\x0e (version 7.0.1-7.0.2) +>10 string \x00\x39\x00\x13 (version 7.0.3) +>10 string \x00\x39\x00\x15 (version 7.1.0) +>10 string \x00\x39\x00\x16 (version 7.1.2-7.1.3) +>10 string \x00\x3d\x00\x0e (version 7.5) +>10 string \x00\x3d\x00\x10 (version 8.0) +>10 string \x00\x3e\x00\x00 (version 8.1) +>10 string \x00\x3e\x00\x01 (version 8.2) +>10 string \x00\x3e\x00\x02 (version 8.3) +>10 string \x00\x3e\x00\x06 (version 8.4) +>10 string \x00\x3e\x00\x07 (version 8.5) +>10 string \x00\x3f\x00\x00 (version 8.6-8.7.1) +>10 string \x00\x3f\x00\x01 (version 8.7.2) +>10 string \x00\x3f\x00 (version 8.8-2019.12) +>10 string \x00\x3f\x00\x0b (version 2020.1) +>10 string \x00\x40\x00 (version 2020.3-2022.5) +>10 string \x00\x41\x00 (version 2022.7-2022.11) +>10 string \x00\x42\x00 (version 2022.12-2023.3) +>10 string \x00\x43\x00 (version 2023.5-2023.8) +>10 string \x00\x44\x00 (version 2024) diff --git a/magic/Magdir/os2 b/magic/Magdir/os2 index cb43e999f6f..9705a28b9e3 100644 --- a/magic/Magdir/os2 +++ b/magic/Magdir/os2 @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: os2,v 1.14 2022/03/21 21:25:50 christos Exp $ +# $File: os2,v 1.16 2024/12/26 19:34:28 christos Exp $ # os2: file(1) magic for OS/2 files # @@ -167,20 +167,40 @@ !:mime application/x-os2-ini !:ext ini +# archive for the OS/2 WarpIN package manager # From: Joerg Jenderek # URL: http://warpin.netlabs.org/ # Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-wpi.trid.xml # Note: called by TrID "WarpIN Installer" -# probably magic at the beginning -0 ubelong =0x770402BE WarpIN Installer +# Revised by: Anton Monroe December 2024 +# Reference: http://trac.netlabs.org/warpin/browser/trunk/include/wiarchive/wiarchive.h +# magic is 4 bytes at the beginning +0 ubelong =0x770402BE OS/2 WarpIN Archive #>4 ubelong =0x03000000 #!:mime application/octet-stream !:mime application/x-os2-wpi !:ext wpi -# creator program name like: "reserved" or "WIC x.y.z" ->0x106 string x \b, created by %s +# The compiler that created the archive: "WicPM" or "WIC ". +# A few early archives say "reserved" or "Test application" +>0x106 string x \b, created with %s # name like: "reserved" or "OS/2 Netlabs" >0x146 string x \b, '%s' # name like: "N/A" "http://warpin.netlabs.org" >0x186 string x \b, URL %s +# self-extracting archive for the OS/2 WarpIN package manager +# From: Anton Monroe December 2024 +# Reference: http://trac.netlabs.org/warpin/browser/trunk/include/wiarchive/wiarchive.h +# look for "WarpIN self-extracting archive EXE stub" which is +# usually somewhere between offset 40000 and 45000, but one was at 62000 +0 string/b MZ +>40000 search/25000 WarpIN\ self-extracting\ archive\ EXE\ stub +>>&3 ubelong =0x770402BE OS/2 WarpIN self-extracting archive +!:ext exe +>>>&0x102 string x \b, created with %s + +# EXTPROC script +# "extproc" is the OS/2 version of Unix "#!" +0 string/tc extproc\x20 EXTPROC script +>&0 string x executed by %s +!:ext cmd diff --git a/magic/Magdir/pdf b/magic/Magdir/pdf index 7a99d8d3cf3..9e39a9b011f 100644 --- a/magic/Magdir/pdf +++ b/magic/Magdir/pdf @@ -1,12 +1,12 @@ #------------------------------------------------------------------------------ -# $File: pdf,v 1.18 2023/07/17 15:57:18 christos Exp $ +# $File: pdf,v 1.20 2025/11/22 20:59:37 christos Exp $ # pdf: file(1) magic for Portable Document Format # 0 name pdf >8 search /Count ->>&0 regex [0-9]+ \b, %s page(s) +>>&0 regex [1-9]([0-9]+)? \b, %s page(s) >8 search/512 /Filter/FlateDecode/ (zip deflate encoded) 0 string %PDF- PDF document diff --git a/magic/Magdir/pgp b/magic/Magdir/pgp index d7d3ae95d85..f0a98f3dbaa 100644 --- a/magic/Magdir/pgp +++ b/magic/Magdir/pgp @@ -1,8 +1,15 @@ #------------------------------------------------------------------------------ -# $File: pgp,v 1.26 2024/09/01 15:51:51 christos Exp $ +# $File: pgp,v 1.27 2025/12/18 18:33:33 christos Exp $ # pgp: file(1) magic for Pretty Good Privacy +# Reference: https://www.iana.org/assignments/openpgp/openpgp.xhtml + +# PGP compressed data packet (RFC 4880, section 5.6) +0 beshort 0xa301 PGP compressed data (ZIP) +0 beshort 0xa302 PGP compressed data (ZLIB) +0 beshort 0xa303 PGP compressed data (BZIP2) + # Handling of binary PGP keys is in pgp-binary-keys. # see https://lists.gnupg.org/pipermail/gnupg-devel/1999-September/016052.html # @@ -101,6 +108,54 @@ # - symmetric encrypted packet header # - RSA (e=65537) secret (sub-)keys +# PGP ECC encrypted data +0 byte 0x84 +>2 byte 3 +>>11 byte 18 PGP ECDH Public-Key Encrypted Session Key - +>>>3 belong x keyid: %08X +>>>7 belong x %08X +>>11 byte 19 PGP ECDSA Public-Key Encrypted Session Key - +>>>3 belong x keyid: %08X +>>>7 belong x %08X +>>11 byte 22 PGP EdDSALegacy Public-Key Encrypted Session Key - +>>>3 belong x keyid: %08X +>>>7 belong x %08X +>>11 byte 25 PGP X25519 Public-Key Encrypted Session Key - +>>>3 belong x keyid: %08X +>>>7 belong x %08X +>>11 byte 26 PGP X448 Public-Key Encrypted Session Key - +>>>3 belong x keyid: %08X +>>>7 belong x %08X +>>11 byte 27 PGP Ed25519 Public-Key Encrypted Session Key - +>>>3 belong x keyid: %08X +>>>7 belong x %08X +>>11 byte 28 PGP Ed448 Public-Key Encrypted Session Key - +>>>3 belong x keyid: %08X +>>>7 belong x %08X +0 byte 0x85 +>3 byte 3 +>>12 byte 18 PGP ECDH Public-Key Encrypted Session Key - +>>>4 belong x keyid: %08X +>>>8 belong x %08X +>>12 byte 19 PGP ECDSA Public-Key Encrypted Session Key - +>>>4 belong x keyid: %08X +>>>8 belong x %08X +>>12 byte 22 PGP EdDSALegacy Public-Key Encrypted Session Key - +>>>4 belong x keyid: %08X +>>>8 belong x %08X +>>12 byte 25 PGP X25519 Public-Key Encrypted Session Key - +>>>4 belong x keyid: %08X +>>>8 belong x %08X +>>12 byte 26 PGP X448 Public-Key Encrypted Session Key - +>>>4 belong x keyid: %08X +>>>8 belong x %08X +>>12 byte 27 PGP Ed25519 Public-Key Encrypted Session Key - +>>>4 belong x keyid: %08X +>>>8 belong x %08X +>>12 byte 28 PGP Ed448 Public-Key Encrypted Session Key - +>>>4 belong x keyid: %08X +>>>8 belong x %08X + # 1024b RSA encrypted data 0 string \x84\x8c\x03 PGP RSA encrypted session key - @@ -243,6 +298,9 @@ >0 byte 0x08 AES with 192-bit key >0 byte 0x09 AES with 256-bit key >0 byte 0x0a Twofish with 256-bit key +>0 byte 0x0b Camellia with 128-bit key +>0 byte 0x0c Camellia with 192-bit key +>0 byte 0x0d Camellia with 256-bit key # hash algo mapper @@ -254,6 +312,8 @@ >0 byte 0x09 SHA384 >0 byte 0x0a SHA512 >0 byte 0x0b SHA224 +>0 byte 0x0c SHA3-256 +>0 byte 0x0e SHA3-512 # display public key algorithms as human readable text 0 name key_algo @@ -263,14 +323,19 @@ >0 byte 0x03 RSA (Sign-Only) >0 byte 16 ElGamal (Encrypt-Only) >0 byte 17 DSA ->0 byte 18 Elliptic Curve +>0 byte 18 ECDH >0 byte 19 ECDSA >0 byte 20 ElGamal (Encrypt or Sign) >0 byte 21 Diffie-Hellman +>0 byte 22 EdDSALegacy +>0 byte 25 X25519 +>0 byte 26 X448 +>0 byte 27 Ed25519 +>0 byte 28 Ed448 >0 default x ->>0 ubyte <22 unknown (pub %d) +>>0 ubyte <29 unknown (pub %d) # this should never happen ->>0 ubyte >21 invalid (%d) +>>0 ubyte >28 invalid (%d) # pgp symmetric encrypted data diff --git a/magic/Magdir/python b/magic/Magdir/python index e00a087d8be..ede1b5baa1a 100644 --- a/magic/Magdir/python +++ b/magic/Magdir/python @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: python,v 1.47 2024/08/27 18:50:57 christos Exp $ +# $File: python,v 1.49 2025/06/17 21:14:40 christos Exp $ # python: file(1) magic for python # # Outlook puts """ too for urgent messages @@ -205,7 +205,7 @@ 2 string \x0d\x0a # extra check: only two bits of flag field are currently used >4 ulelong <0x4 -# \x0d as part of magic should suffice till Python 3.14 (magic 3600) +# \x0d as part of magic suffices up to Python 3.13 >>1 ubyte 0x0d Byte-compiled Python module for !:mime application/x-bytecode.python # now look at the magic number to determine the version @@ -220,10 +220,17 @@ >>>>>>>0 uleshort <3500 CPython 3.11 >>>>>>>0 default x >>>>>>>>0 uleshort <3550 CPython 3.12 ->>>>>>>>0 default x ->>>>>>>>>0 uleshort <3600 CPython 3.13 ->>>>>>>>>0 default x CPython 3.14 or newer +>>>>>>>>0 default x CPython 3.13 >>>0 use pyc-pep552 +# \x0e means Python 3.14 or newer +>>1 ubyte 0x0e Byte-compiled Python module for +!:mime application/x-bytecode.python +>>>0 uleshort <3650 CPython 3.14 +>>>0 default x +>>>>0 uleshort <3700 CPython 3.15 +>>>>0 default x CPython 3.16 or newer +>>>0 use pyc-pep552 +# PyPy magic numbers >>0 uleshort 240 Byte-compiled Python module for PyPy3.7 !:mime application/x-bytecode.python >>>0 use pyc-pep552 @@ -233,15 +240,21 @@ >>0 uleshort 336 Byte-compiled Python module for PyPy3.9 !:mime application/x-bytecode.python >>>0 use pyc-pep552 +>>0 uleshort 384 Byte-compiled Python module for PyPy3.10 +!:mime application/x-bytecode.python +>>>0 use pyc-pep552 +>>0 uleshort 416 Byte-compiled Python module for PyPy3.11 +!:mime application/x-bytecode.python +>>>0 use pyc-pep552 0 search/1/w #!\040/usr/bin/python Python script text executable -!:strength + 15 +!:strength + 30 !:mime text/x-script.python 0 search/1/w #!\040/usr/local/bin/python Python script text executable -!:strength + 15 +!:strength + 30 !:mime text/x-script.python 0 search/10/w #!\040/usr/bin/env\040python Python script text executable -!:strength + 15 +!:strength + 30 !:mime text/x-script.python diff --git a/magic/Magdir/r b/magic/Magdir/r new file mode 100644 index 00000000000..3c393f70ab0 --- /dev/null +++ b/magic/Magdir/r @@ -0,0 +1,86 @@ + +#------------------------------------------------------------------------------ +# $File: r,v 1.1 2025/02/10 17:48:42 christos Exp $ +# file(1) magic for R's RDS and RData file formats +# Copyright (C) 2025 Gert Hulselmans +# +# URLS: +# https://cran.r-project.org/doc/manuals/r-release/R-ints.html#Serialization-Formats +# https://rdata.readthedocs.io/en/latest/_modules/rdata/parser/_parser.html +# +# Example files: +# https://github.com/vnmabus/rdata/tree/develop/rdata/tests/data +# +############################################################################### + + +############################################################################### +# RDS format +############################################################################### + +0 name RDS +# Check for RDS ASCII formats. +>0 string A\n2\n R RDS (ASCII format v2) +>0 string A\n3\n R RDS (ASCII format v3) +>0 string A\r\n2\r\n R RDS (ASCII CRLF format v2) +>0 string A\r\n3\r\n R RDS (ASCII CRLF format v3) +# Check for RDS binary formats with native word order. +>0 string B\n\0\0\0 R RDS (Native (big-endian) word order format +>>0 use RDS_binary_version_info +>0 string B\n\2\0\0 R RDS (Native (little-endian) word order format +>>0 use ^RDS_binary_version_info +>0 string B\n\3\0\0 R RDS (Native (little-endian) word order format +>>0 use ^RDS_binary_version_info +# Check for RDS XDR binary save format. +>0 string X\n\0\0\0 R RDS (XDR binary save format +>>0 use RDS_binary_version_info + + +# Parse version numbers from RDS if it was one of the binary versions. +0 name RDS_binary_version_info +>2 belong >-1 v%d) +>6 beshort >-1 \b, written by R v%d. +>8 byte >-1 \b%d. +>9 byte >-1 \b%d +>10 beshort >-1 \b, readable from R v%d. +>12 byte >-1 \b%d. +>13 byte >-1 \b%d +>2 belong >2 +>>14 pstring/L x \b, %s encoded + + +# Check if file is one of the RDS ASCII formats. +0 string A +>0 use RDS not_printed +!:ext rds + +# Check if file is RDS binary native format. +0 string B +>0 use RDS not_printed +!:ext rds + +# Check if file is RDS XDR binary save format. +0 string X +>0 use RDS not_printed +!:ext rds + + +############################################################################### +# RData file formats: magic bytes followed by RDS container. +############################################################################### + +0 string RDA2\n R RData version 2 (ASCII), +!:ext rda/rdata +>5 use RDS + +0 string RDA3\n R RData version 3 (ASCII), +!:ext rda/rdata +>5 use RDS + +0 string RDX2\n R RData version 2 (binary), +!:ext rda/rdata +>5 use RDS + +0 string RDX3\n R RData version 3 (binary), +!:ext rda/rdata +>5 use RDS diff --git a/magic/Magdir/riff b/magic/Magdir/riff index 664fef24d5e..0c6e066861c 100644 --- a/magic/Magdir/riff +++ b/magic/Magdir/riff @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: riff,v 1.50 2024/04/13 16:40:48 christos Exp $ +# $File: riff,v 1.52 2025/09/08 12:48:15 christos Exp $ # riff: file(1) magic for RIFF format # See # @@ -171,8 +171,13 @@ >>>8 byte &0x20 \b, ICC profile # TODO: These two values are off-by-one, for a 64x64 WebP they contain # 63x63 as there can be no 0x0 file. ->>>12 lelong&0xffffff x \b, %d+1 ->>>15 lelong&0xffffff x \bx%d+1 +# we only handle < 65536 so we don't have do print %d+1: +#>>>12 ulelong&0xffffff x \b, %d+1 +#>>>15 ulelong&0xffffff x \bx%d+1 +>>>12 ulelong&0xffffff <65536 +>>>>15 ulelong&0xffffff <65536 +>>>>>12 uleshort+1 x \b, %u +>>>>>15 uleshort+1 x \bx%u #>0 string x we got %s #>>&(4.l+4) use riff-walk @@ -237,6 +242,7 @@ # AVI section extended by Patrik Radman # 0 string RIFF RIFF (little-endian) data +!:strength +50 # RIFF Palette format # Update: Joerg Jenderek # URL: https://en.wikipedia.org/wiki/Resource_Interchange_File_Format diff --git a/magic/Magdir/rtf b/magic/Magdir/rtf index 48a1f28af46..e49c565d3dc 100644 --- a/magic/Magdir/rtf +++ b/magic/Magdir/rtf @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: rtf,v 1.9 2020/12/12 20:01:47 christos Exp $ +# $File: rtf,v 1.10 2025/03/21 17:11:56 christos Exp $ # rtf: file(1) magic for Rich Text Format (RTF) # # Duncan P. Simpson, D.P.Simpson@dcs.warwick.ac.uk @@ -92,3 +92,8 @@ !:ext pwd/psw/pwt >0 use rtf-info +# https://en.wikipedia.org/wiki/Rich_Text_Format_Directory +# https://developer.apple.com/documentation/uniformtypeidentifiers/uttype-swift.struct/rtfd +0 string rtfd\0\0\0\0 Rich Text Format Directory +!:ext rtfd + diff --git a/magic/Magdir/sf3 b/magic/Magdir/sf3 new file mode 100644 index 00000000000..10a49d5b7a7 --- /dev/null +++ b/magic/Magdir/sf3 @@ -0,0 +1,112 @@ + +#------------------------------------------------------------------------------ +# $File: sf3,v 1.1 2025/06/27 15:13:53 christos Exp $ +# sfr: SF3 [Simple File Format Family] files +# (Yukari Hafner, shinmera@tymoon.eu) +# +# Reference: https://shirakumo.org/docs/sf3 +# Samples: https://shirakumo.org/projects/sf3/tree/master/samples/ + +0 name SF3-archive +>0 ulequad x \b, %llu files +!:mime application/x.sf3-archive + +0 name SF3-audio +>0 ulelong >1 \b, %dHz +>4 ubyte >0 \b, %d channels +>5 byte 0x01 \b, A-law +>5 byte 0x02 \b, 16-bit signed PCM +>5 byte 0x04 \b, 32-bit signed PCM +>5 byte 0x08 \b, 64-bit signed PCM +>5 byte 0x11 \b, u-law +>5 byte 0x12 \b, 16-bit unsigned PCM +>5 byte 0x14 \b, 32-bit unsigned PCM +>5 byte 0x18 \b, 64-bit unsigned PCM +>5 byte 0x22 \b, half-float PCM +>5 byte 0x24 \b, single-float PCM +>5 byte 0x28 \b, double-float PCM +!:mime audio/x.sf3 + +0 name SF3-image +>0 ulelong >0 \b, %d +>4 ulelong >0 \bx%d +>8 ulelong >0 \bx%d +>12 byte 0x01 \b, grayscale +>12 byte 0x02 \b, grayscale-alpha +>12 byte 0x03 \b, RGB +>12 byte 0x04 \b, RGBA +>12 byte 0x12 \b, grayscale-alpha +>12 byte 0x13 \b, BGR +>12 byte 0x14 \b, ABGR +>12 byte 0x24 \b, ARGB +>12 byte 0x34 \b, BGRA +>12 byte 0x44 \b, CMYK +>12 byte 0x54 \b, KYMC +>13 byte 0x01 \b, 8-bit signed +>13 byte 0x02 \b, 16-bit signed +>13 byte 0x04 \b, 32-bit signed +>13 byte 0x08 \b, 64-bit signed +>13 byte 0x11 \b, 8-bit unsigned +>13 byte 0x12 \b, 16-bit unsigned +>13 byte 0x14 \b, 32-bit unsigned +>13 byte 0x18 \b, 64-bit unsigned +>13 byte 0x22 \b, half-float +>13 byte 0x24 \b, single-float +>13 byte 0x28 \b, double-float +!:mime image/x.sf3 + +0 name SF3-log +>0 leqdate x \b, from %s +>8 leqdate x \b, to %s +>16 uleshort x \b, %d chunks +!:mime application/x.sf3-log + +0 name SF3-model +>(2.l+22) ulelong x \b, %d face indices +>>&(&-20.l*4) ulelong x \b, %d vertex attributes +!:mime model/x.sf3 + +0 name SF3-physics-model +>0 lefloat x \b, %f kg +>40 uleshort x \b, %d shapes +!:mime model/x.sf3-physics + +0 name SF3-table +>0 uleshort x \b, %d columns +>10 ulequad x \b, %llu rows +!:mime application/x.sf3-table + +0 name SF3-text +>8 ulelong x \b, %d markup options +>(0.q+28) ulequad x \b, %llu bytes of text +!:mime application/x.sf3-text + +0 name SF3-vector-graphic +>0 ulelong >0 \b, %d +>4 ulelong >0 \bx%d +>8 ulelong x \b, %d instructions +!:mime image/x.sf3-vector + +# Generic SF3 Header +0 string \x81SF3\x00\xE0\xD0\x0D\x0A\x0A SF3 +>10 byte 0x01 archive +>>16 use SF3-archive +>10 byte 0x02 audio file +>>16 use SF3-audio +>10 byte 0x03 image file +>>16 use SF3-image +>10 byte 0x04 log file +>>16 use SF3-log +>10 byte 0x05 3D model +>>16 use SF3-model +>10 byte 0x06 physics model +>>16 use SF3-physics-model +>10 byte 0x07 table +>>16 use SF3-table +>10 byte 0x08 text file +>>16 use SF3-text +>10 byte 0x09 vector graphic +>>16 use SF3-vector-graphic +>10 byte >9 file of unknown type (%d) +!:mime application/x.sf3 +!:ext sf3 diff --git a/magic/Magdir/sgml b/magic/Magdir/sgml index f7327b45961..bb6d2adf975 100644 --- a/magic/Magdir/sgml +++ b/magic/Magdir/sgml @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: sgml,v 1.53 2024/11/10 14:48:55 christos Exp $ +# $File: sgml,v 1.55 2025/04/06 20:34:30 christos Exp $ # Type: SVG Vectorial Graphics # From: Noel Torres 0 string/bt \>19 search/4096 \>19 search/4096 application/x-qtskin QuickTime5 skinned movie +!:mime application/x-qtskin + 0 string/bt \14 regex ['"\ \t]*[0-9.]+['"\ \t]* + # Sitemap file >>19 search/4096 \ ->>19 search/4096 \>19 search/4096 \19 search/4096/cWbt \>15 string >\0 (version %.3s) -!:strength + 15 !:mime application/xhtml+xml - >19 search/4096/cWbt \>15 string >\0 (version %.3s) !:mime application/xhtml+xml @@ -57,14 +61,11 @@ # avoid misdetection as JavaScript 0 string/cWt \ HTML document text !:mime text/html -!:strength + 30 0 string/ct \