1 #------------------------------------------------------------------------------
2 # $File: archive,v 1.193 2023/07/27 17:55:58 christos Exp $
3 # archive: file(1) magic for archive formats (see also "msdos" for self-
4 # extracting compressed archives)
6 # cpio, ar, arc, arj, hpack, lha/lharc, rar, squish, uc2, zip, zoo, etc.
7 # pre-POSIX "tar" archives are also handled in the C code ../../src/is_tar.c.
10 # URL: https://en.wikipedia.org/wiki/Tar_(computing)
11 # Reference: https://www.freebsd.org/cgi/man.cgi?query=tar&sektion=5&manpath=FreeBSD+8-current
12 # header mainly padded with nul bytes
15 # filename or extended attribute printable strings in range space null til umlaut ue
18 # last 4 header bytes often null but tar\0 in gtarfail2.tar gtarfail.tar-bad
19 # at https://sourceforge.net/projects/s-tar/files/testscripts/
20 >>>508 ubelong&0x8B9E8DFF 0
21 # nul, space or ascii digit 0-7 at start of mode
23 >>>>>101 ubyte&0xC8 =0
24 # nul, space at end of check sum
25 >>>>>>155 ubyte&0xDF =0
26 # space or ascii digit 0 at start of check sum
27 >>>>>>>148 ubyte&0xEF =0x20
29 #>>>>>>>>0 regex \^[0-9]{2,4}[.](png|jpg|jpeg|tif|tiff|gif|bmp) NAME "%s"
30 # check for 1st image main name with digits used for sorting
31 # and for name extension case insensitive like: PNG JPG JPEG TIF TIFF GIF BMP
32 >>>>>>>>0 regex \^[0-9]{2,4}[.](png|jpg|jpeg|tif|tiff|gif|bmp)
33 >>>>>>>>>0 use tar-cbt
34 # check for 1st member name with ovf suffix
35 >>>>>>>>0 regex \^.{1,96}[.](ovf)
36 >>>>>>>>>0 use tar-ova
37 # if 1st member name without digits and without used image suffix and without *.ovf then it is a TAR archive
39 >>>>>>>>>0 use tar-file
40 # minimal check and then display tar archive information which can also be
41 # embedded inside others like Android Backup, Clam AntiVirus database
44 # header padded with nuls
46 # GNU tar version 1.29 with non pax format option without refusing
47 # creates misleading V7 header for Long path, Multi-volume, Volume type
48 >>>156 ubyte 0x4c GNU tar archive
49 !:mime application/x-gtar
51 >>>156 ubyte 0x4d GNU tar archive
52 !:mime application/x-gtar
54 >>>156 ubyte 0x56 GNU tar archive
55 !:mime application/x-gtar
57 >>>156 default x tar archive (V7)
58 !:mime application/x-tar
60 # other stuff in padding
61 # some implementations add new fields to the blank area at the end of the header record
62 # created for example by DOS TAR 3.20g 1994 Tim V.Shapore with -j option
63 >>257 ulong !0 tar archive (old)
64 !:mime application/x-tar
66 # magic in newer, GNU, posix variants
68 # 2 last char of magic and UStar version because string expression does not work
69 # 2 space characters followed by a null for GNU variant
70 >>261 ubelong =0x72202000 POSIX tar archive (GNU)
71 !:mime application/x-gtar
73 # UStar version with ASCII "00"
74 >>261 ubelong 0x72003030 POSIX
75 # gLOBAL and ExTENSION type only found in POSIX.1-2001 format
76 >>>156 ubyte 0x67 \b.1-2001
77 >>>156 ubyte 0x78 \b.1-2001
78 >>>156 ubyte x tar archive
79 !:mime application/x-ustar
81 # version with 2 binary nuls embedded in Android Backup like com.android.settings.ab
82 >>261 ubelong 0x72000000 tar archive (ustar)
83 !:mime application/x-ustar
85 # not seen ustar variant with garbish version
86 >>261 default x tar archive (unknown ustar)
87 !:mime application/x-ustar
89 # type flag of 1st tar archive member
90 #>156 ubyte x \b, %c-type
92 >>156 ubyte 0 \b, file
93 >>156 ubyte 0x30 \b, file
94 >>156 ubyte 0x31 \b, hard link
95 >>156 ubyte 0x32 \b, symlink
96 >>156 ubyte 0x33 \b, char device
97 >>156 ubyte 0x34 \b, block device
98 >>156 ubyte 0x35 \b, directory
99 >>156 ubyte 0x36 \b, fifo
100 >>156 ubyte 0x37 \b, reserved
101 >>156 ubyte 0x4c \b, long path
102 >>156 ubyte 0x4d \b, multi volume
103 >>156 ubyte 0x56 \b, volume
104 >>156 ubyte 0x67 \b, global
105 >>156 ubyte 0x78 \b, extension
106 >>156 default x \b, type
110 # mode mainly stored as an octal number in ASCII null or space terminated
111 >100 string >\0 \b, mode %-.7s
112 # user id mainly as octal numbers in ASCII null or space terminated
113 >108 string >\0 \b, uid %-.7s
114 # group id mainly as octal numbers in ASCII null or space terminated
115 >116 string >\0 \b, gid %-.7s
116 # size mainly as octal number in ASCII
118 >>124 string >\0 \b, size %-.12s
119 # coding indicated by setting the high-order bit of the leftmost byte
120 >124 ubyte >0xEF \b, size 0x
121 >>124 ubyte !0xff \b%2.2x
122 >>125 ubyte !0xff \b%2.2x
123 >>126 ubyte !0xff \b%2.2x
124 >>127 ubyte !0xff \b%2.2x
125 >>128 ubyte !0xff \b%2.2x
126 >>129 ubyte !0xff \b%2.2x
127 >>130 ubyte !0xff \b%2.2x
128 >>131 ubyte !0xff \b%2.2x
129 >>132 ubyte !0xff \b%2.2x
130 >>133 ubyte !0xff \b%2.2x
131 >>134 ubyte !0xff \b%2.2x
132 >>135 ubyte !0xff \b%2.2x
133 # seconds since 0:0:0 1 jan 1970 UTC as octal number mainly in ASCII null or space terminated
134 >136 string >\0 \b, seconds %-.11s
135 # header checksum stored as an octal number in ASCII null or space terminated
136 #>148 string x \b, cksum %.7s
138 >157 string >\0 \b, linkname %-.40s
139 # additional fields for ustar
141 # owner user name null terminated
142 >>265 string >\0 \b, user %-.32s
143 # group name null terminated
144 >>297 string >\0 \b, group %-.32s
145 # device major minor if not zero
146 >>329 ubequad&0xCFCFCFCFcFcFcFdf !0
147 >>>329 string x \b, devmaj %-.7s
148 >>337 ubequad&0xCFCFCFCFcFcFcFdf !0
149 >>>337 string x \b, devmin %-.7s
151 >>345 string >\0 \b, prefix %-.155s
152 # old non ustar/POSIX tar
155 # padding[255] in old star
156 >>>257 string >\0 \b, padding: %-.40s
158 # padding[255] in old tar sometimes comment field
159 >>>257 string >\0 \b, comment: %-.40s
160 # Summary: Comic Book Archive *.CBT with TAR format
161 # URL: https://en.wikipedia.org/wiki/Comic_book_archive
162 # http://fileformats.archiveteam.org/wiki/Comic_Book_Archive
163 # Note: there exist also RAR, ZIP, ACE and 7Z packed variants
165 >0 string x Comic Book archive, tar archive
166 #!:mime application/x-tar
167 !:mime application/vnd.comicbook
168 #!:mime application/vnd.comicbook+tar
170 # name[100] probably like: 19.jpg 0001.png 0002.png
171 # or maybe like ComicInfo.xml
172 >0 string >\0 \b, 1st image %-.60s
173 # Summary: Open Virtualization Format *.OVF with disk images and more packed as TAR archive *.OVA
174 # From: Joerg Jenderek
175 # URL: https://en.wikipedia.org/wiki/Open_Virtualization_Format
176 # http://fileformats.archiveteam.org/wiki/OVF_(Open_Virtualization_Format)
177 # Reference: http://mark0.net/download/triddefs_xml.7z/defs/o/ova.trid.xml
178 # Note: called "Open Virtualization Format package" by TrID
179 # assuming *.ovf comes first
181 >0 string x Open Virtualization Format Archive
182 #!:mime application/x-ustar
183 # http://extension.nirsoft.net/ova
184 !:mime application/x-virtualbox-ova
186 # assuming name[100] like: DOS-0.9.ovf FreeDOS_1.ovf Win98SE_DE.ovf
187 >0 string >\0 \b, with %-.60s
189 # Incremental snapshot gnu-tar format from:
190 # https://www.gnu.org/software/tar/manual/html_node/Snapshot-Files.html
191 0 string GNU\ tar- GNU tar incremental snapshot data
192 >&0 regex [0-9]\\.[0-9]+-[0-9]+ version %s
196 # Yes, the top two "cpio archive" formats *are* supposed to just be "short".
197 # The idea is to indicate archives produced on machines with the same
198 # byte order as the machine running "file" with "cpio archive", and
199 # to indicate archives produced on machines with the opposite byte order
200 # from the machine running "file" with "byte-swapped cpio archive".
202 # The SVR4 "cpio(4)" hints that there are additional formats, but they
203 # are defined as "short"s; I think all the new formats are
204 # character-header formats and thus are strings, not numbers.
205 # URL: http://fileformats.archiveteam.org/wiki/Cpio
206 # https://en.wikipedia.org/wiki/Cpio
207 # Reference: https://people.freebsd.org/~kientzle/libarchive/man/cpio.5.txt
208 # Update: Joerg Jenderek
210 # Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cpio-bin.trid.xml
211 # Note: called "CPIO archive (binary)" by TrID, "cpio/Binary LE" by 7-Zip and "CPIO" by DROID via PUID fmt/635
213 # skip DROID fmt-635-signature-id-960.cpio by looking for pathname of 1st entry
214 >26 string >\0 cpio archive
215 !:mime application/x-cpio
216 # https://download.opensuse.org/distribution/leap/15.4/iso/openSUSE-Leap-15.4-NET-x86_64-Media.iso
217 # boot/x86_64/loader/bootlogo
221 # Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cpio-bin-sw.trid.xml
222 # Note: called "CPIO archive (byte swapped binary)" by TrID and "Cpio/Binary BE" by 7-Zip
223 0 short 0143561 byte-swapped cpio archive
224 !:mime application/x-cpio # encoding: swapped
225 # https://telparia.com/fileFormatSamples/archive/cpio/skeleton2.cpio
228 # Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cpio.trid.xml
229 # Note: called "CPIO archive (portable)" by TrID, "cpio/Portable ASCII" by 7-Zip and "cpio/odc" by GNU cpio
230 0 string 070707 ASCII cpio archive (pre-SVR4 or odc)
231 !:mime application/x-cpio
232 # https://telparia.com/fileFormatSamples/archive/cpio/ pthreads-1.60B5.osr5src.cpio cinema.cpi VOL.000.008 VOL.000.012
233 !:ext cpio/cpi/008/012
234 # Note: called "CPIO archive (portable)" by TrID, "cpio/New ASCII" by 7-Zip and "cpio/newc" by GNU cpio
235 0 string 070701 ASCII cpio archive (SVR4 with no CRC)
236 !:mime application/x-cpio
237 # https://telparia.com/fileFormatSamples/archive/cpio/MainActor-2.06.3.cpio
239 # Note: called "CPIO archive (portable)" by TrID, "cpio/New CRC" by 7-Zip and "cpio/crc" by GNU cpio
240 0 string 070702 ASCII cpio archive (SVR4 with CRC)
241 !:mime application/x-cpio
242 # http://ftp.gnu.org/gnu/tar/tar-1.27.cpio.gz
243 # https://telparia.com/fileFormatSamples/archive/cpio/pcmcia
245 # display information of old binary cpio archive
246 # Note: verfied by 7-Zip `7z l -tcpio -slt *.cpio` and
247 # `cpio -ivt --numeric-uid-gid --file=clam.bin-le.cpio`
249 # c_dev; device number; WHAT IS THAT?
250 >2 uleshort x \b; device %u
251 # c_ino; truncated inode number; use `ls --inode`
252 >4 uleshort x \b, inode %u
253 # c_mode; mode specifies permissions and file type like: ?622~?rw-r--r-- by `ls -l`
254 >6 uleshort x \b, mode %o
255 # c_uid; numeric user id; use `ls --numeric-uid-gid`
256 >8 uleshort x \b, uid %u
257 # c_gid; numeric group id
258 >10 uleshort x \b, gid %u
259 # c_nlink; links to this file; directories at least 2
260 >12 uleshort >1 \b, %u links
261 # c_rdev; device number for block and character entries; zero for all other entries by writers
262 # like 0x0440 for /dev/ttyS0
263 >14 uleshort >0 \b, device %#4.4x
264 # c_mtime[2]; modification time in seconds since 1 January 1970; most-significant 16 bits first
265 >16 medate x \b, modified %s
266 # c_filesize[2]; size of pathname; most-significant 16 bits first like: 544
267 >22 melong x \b, %u bytes
268 # c_namesize; bytes in the pathname that follows the header like: 9
269 #>20 uleshort x \b, namesize %u
270 # pathname of entry like: "clam.exe"
272 # display information of old binary byte swapped cpio archive
273 # Note: verfied by 7-Zip `7z l -tcpio -slt *.cpio` and
274 # `LANGUAGE=C cpio -ivt --numeric-uid-gid --file=clam.bin-be.cpio`
276 >2 ubeshort x \b; device %u
277 >4 ubeshort x \b, inode %u
278 >6 ubeshort x \b, mode %o
279 >8 ubeshort x \b, uid %u
280 >10 ubeshort x \b, gid %u
281 >12 ubeshort >1 \b, %u links
282 >14 ubeshort >0 \b, device %#4.4x
283 >16 bedate x \b, modified %s
284 >22 ubelong x \b, %u bytes
285 #>20 ubeshort x \b, namesize %u
289 # Various archive formats used by various versions of the "ar"
294 # Original UNIX archive formats.
295 # They were written with binary values in host byte order, and
296 # the magic number was a host "int", which might have been 16 bits
297 # or 32 bits. We don't say "PDP-11" or "VAX", as there might have
298 # been ports to little-endian 16-bit-int or 32-bit-int platforms
299 # (x86?) using some of those formats; if none existed, feel free
300 # to use "PDP-11" for little-endian 16-bit and "VAX" for little-endian
301 # 32-bit. There might have been big-endian ports of that sort as
304 0 leshort 0177555 very old 16-bit-int little-endian archive
305 0 beshort 0177555 very old 16-bit-int big-endian archive
306 0 lelong 0177555 very old 32-bit-int little-endian archive
307 0 belong 0177555 very old 32-bit-int big-endian archive
309 0 leshort 0177545 old 16-bit-int little-endian archive
310 >2 string __.SYMDEF random library
311 0 beshort 0177545 old 16-bit-int big-endian archive
312 >2 string __.SYMDEF random library
313 0 lelong 0177545 old 32-bit-int little-endian archive
314 >4 string __.SYMDEF random library
315 0 belong 0177545 old 32-bit-int big-endian archive
316 >4 string __.SYMDEF random library
319 # From "pdp" (but why a 4-byte quantity?)
321 0 lelong 0x39bed PDP-11 old archive
322 0 lelong 0x39bee PDP-11 4.0 archive
325 # XXX - what flavor of APL used this, and was it a variant of
326 # some ar archive format? It's similar to, but not the same
327 # as, the APL workspace magic numbers in pdp.
329 0 long 0100554 apl workspace
332 # System V Release 1 portable(?) archive format.
334 0 string =<ar> System V Release 1 ar archive
335 !:mime application/x-archive
338 # Debian package; it's in the portable archive format, and needs to go
339 # before the entry for regular portable archives, as it's recognized as
340 # a portable archive whose first member has a name beginning with
343 # Update: Joerg Jenderek
344 # URL: https://en.wikipedia.org/wiki/Deb_(file_format)
345 0 string =!<arch>\ndebian
346 # https://manpages.debian.org/testing/dpkg/dpkg-split.1.en.html
347 >14 string -split part of multipart Debian package
348 !:mime application/vnd.debian.binary-package
349 # udeb is used for stripped down deb file
351 >14 string -binary Debian binary package
352 !:mime application/vnd.debian.binary-package
353 # For ipk packager see also https://en.wikipedia.org/wiki/Opkg
355 # This should not happen
356 >14 default x Unknown Debian package
357 # NL terminated version; for most Debian cases this is 2.0 or 2.1 for split
358 >68 string >\0 (format %s)
360 #>>68 string x (format %.3s)
362 # 2nd archive name=control archive name like control.tar.gz or control.tar.xz
364 >>72 string >\0 \b, with %.15s
365 # look for 3rd archive name=data archive name like data.tar.{gz,xz,bz2,lzma}
366 >>0 search/0x93e4f data.tar. \b, data compression
367 # the above line only works if FILE_BYTES_MAX in ../../src/file.h is raised
368 # for example like libreoffice-dev-doc_1%3a5.2.7-1+rpi1+deb9u3_all.deb
370 # skip space (0x20 BSD) and slash (0x2f System V) character marking end of name
373 # display 3rd character of file name extension like 2 of bz2 or m of lzma
374 >>>>>&-1 ubyte x \b%c
376 >>>>>>>&-1 ubyte !0x2f
377 # display 4th character of file name extension like a of lzma
378 >>>>>>>>&-1 ubyte x \b%c
379 # split debian package case
381 # dpkg-1.18.25/dpkg-split/info.c
382 # NL terminated ASCII package name like ckermit
384 # NL terminated package version like 302-5.3
386 # NL terminated MD5 checksum
387 >>>>&1 string x \b, MD5 %s
388 # NL terminated original package length
389 >>>>>&1 string x \b, unsplitted size %s
390 # NL terminated part length
391 >>>>>>&1 string x \b, part length %s
392 # NL terminated package part like n/m
393 >>>>>>>&1 string x \b, part %s
394 # NL terminated package architecture like armhf since dpkg 1.16.1 or later
395 >>>>>>>>&1 string x \b, %s
398 # MIPS archive; they're in the portable archive format, and need to go
399 # before the entry for regular portable archives, as it's recognized as
400 # a portable archive whose first member has a name beginning with
403 0 string =!<arch>\n__________E MIPS archive
404 !:mime application/x-archive
405 >20 string U with MIPS Ucode members
406 >21 string L with MIPSEL members
407 >21 string B with MIPSEB members
408 >19 string L and an EL hash table
409 >19 string B and an EB hash table
410 >22 string X -- out of date
413 # BSD/SVR2-and-later portable archive formats.
415 # Update: Joerg Jenderek
416 # URL: http://fileformats.archiveteam.org/wiki/AR
417 # Reference: https://www.unix.com/man-page/opensolaris/3HEAD/ar.h/
418 # Note: Mach-O universal binary in ./cafebabe is dependent
419 # TODO: unify current ar archive, MIPS archive, Debian package
420 # distinguish BSD, SVR; 32, 64 bit; HP from other 32-bit SVR;
421 # *.ar packages from *.a libraries. handle empty archive
422 0 string =!<arch>\n current ar archive
423 # print first and possibly second ar_name[16] for debugging purpose
424 #>8 string x \b, 1st "%.16s"
425 #>68 string x \b, 2nd "%.16s"
426 !:mime application/x-archive
427 # a in most case for libraries; lib for Microsoft libraries; ar else cases
429 >8 string __.SYMDEF random library
430 # first member with long marked name __.SYMDEF SORTED implies BSD library
431 >68 string __.SYMDEF\ SORTED random library
432 # Reference: https://parisc.wiki.kernel.org/images-parisc/b/b2/Rad_11_0_32.pdf
433 # "archive file" entry moved from ./hp
434 # LST header system_id 0210h~PA-RISC 1.1,... identifies the target architecture
435 # LST header a_magic 0619h~relocatable library
436 >68 belong 0x020b0619 - PA-RISC1.0 relocatable library
437 >68 belong 0x02100619 - PA-RISC1.1 relocatable library
438 >68 belong 0x02110619 - PA-RISC1.2 relocatable library
439 >68 belong 0x02140619 - PA-RISC2.0 relocatable library
440 #EOF for common ar archives
443 # "Thin" archive, as can be produced by GNU ar.
445 0 string =!<thin>\n thin archive with
446 >68 belong 0 no symbol entries
447 >68 belong 1 %d symbol entry
448 >68 belong >1 %d symbol entries
450 0 search/1 -h- Software Tools format archive text
452 # ARC archiver, from Daniel Quinlan (quinlan@yggdrasil.com)
454 # The first byte is the magic (0x1a), byte 2 is the compression type for
455 # the first file (0x01 through 0x09), and bytes 3 to 15 are the MS-DOS
456 # filename of the first file (null terminated). Since some types collide
457 # we only test some types on basis of frequency: 0x08 (83%), 0x09 (5%),
458 # 0x02 (5%), 0x03 (3%), 0x04 (2%), 0x06 (2%). 0x01 collides with terminfo.
459 0 lelong&0x8080ffff 0x0000081a ARC archive data, dynamic LZW
460 !:mime application/x-arc
461 0 lelong&0x8080ffff 0x0000091a ARC archive data, squashed
462 !:mime application/x-arc
463 0 lelong&0x8080ffff 0x0000021a ARC archive data, uncompressed
464 !:mime application/x-arc
465 0 lelong&0x8080ffff 0x0000031a ARC archive data, packed
466 !:mime application/x-arc
467 0 lelong&0x8080ffff 0x0000041a ARC archive data, squeezed
468 !:mime application/x-arc
469 0 lelong&0x8080ffff 0x0000061a ARC archive data, crunched
470 !:mime application/x-arc
471 # [JW] stuff taken from idarc, obviously ARC successors:
472 0 lelong&0x8080ffff 0x00000a1a PAK archive data
473 !:mime application/x-arc
474 0 lelong&0x8080ffff 0x0000141a ARC+ archive data
475 !:mime application/x-arc
476 0 lelong&0x8080ffff 0x0000481a HYP archive data
477 !:mime application/x-arc
479 # Acorn archive formats (Disaster prone simpleton, m91dps@ecs.ox.ac.uk)
480 # I can't create either SPARK or ArcFS archives so I have not tested this stuff
481 # [GRR: the original entries collide with ARC, above; replaced with combined
482 # version (not tested)]
483 #0 byte 0x1a RISC OS archive (spark format)
484 0 string \032archive RISC OS archive (ArcFS format)
485 0 string Archive\000 RISC OS archive (ArcFS format)
487 # All these were taken from idarc, many could not be verified. Unfortunately,
488 # there were many low-quality sigs, i.e. easy to trigger false positives.
489 # Please notify me of any real-world fishy/ambiguous signatures and I'll try
490 # to get my hands on the actual archiver and see if I find something better. [JW]
491 # probably many can be enhanced by finding some 0-byte or control char near the start
493 # idarc calls this Crush/Uncompressed... *shrug*
494 0 string CRUSH Crush archive data
496 0 string HLSQZ Squeeze It archive data
498 0 string SQWEZ SQWEZ archive data
500 0 string HPAK HPack archive data
502 0 string \x91\x33HF HAP archive data
504 0 string MDmd MDCD archive data
506 0 string LIM\x1a LIM archive data
508 3 string LH5 SAR archive data
510 0 string \212\3SB\020\0 BSArc/BS2 archive data
511 # Bethesda Softworks Archive (Oblivion)
512 0 string BSA\0 BSArc archive data
513 >4 lelong x version %d
515 2 string =-ah MAR archive data
517 #0 belong&0x00f800ff 0x00800000 ACB archive data
519 # TODO, this is what idarc says: 0 string \0\0\0 CPZ archive data
521 0 string JRchive JRC archive data
523 0 string DS\0 Quantum archive data
525 0 string PK\3\6 ReSOF archive data
527 0 string 7\4 QuArk archive data
529 14 string YC YAC archive data
531 0 string X1 X1 archive data
532 0 string XhDr X1 archive data
534 0 belong&0xffffe000 0x76ff2000 CDC Codec archive data
536 0 string \xad6" AMGC archive data
538 0 string N\xc3\xb5F\xc3\xa9lx\xc3\xa5 NuLIB archive data
540 0 string LEOLZW PAKLeo archive data
542 0 string SChF ChArc archive data
544 0 string PSA PSA archive data
546 0 string DSIGDCC CrossePAC archive data
548 0 string \x1f\x9f\x4a\x10\x0a Freeze archive data
550 0 string \xc2\xa8MP\xc2\xa8 KBoom archive data
551 # NSQ, must go after CDC Codec
552 0 string \x76\xff NSQ archive data
554 0 string Dirk\ Paehl DPA archive data
556 # TODO: idarc says "bytes 0-2 == bytes 3-5"
558 # URL: http://fileformats.archiveteam.org/wiki/TTComp_archive
559 # Update: Joerg Jenderek
560 # GRR: line below is too general as it matches also Panorama database "TCDB 2003-10 demo.pan", others
562 # look for first keyword of Panorama database *.pan
563 >12 search/261 DESIGN
564 # skip keyword with low entropy
566 # skip DOS 2.0 backup id file, sequence 6 with many nils like BACKUPID_xx6.@@@ handled by ./msdos
569 # variant ASCII, 4K dictionary (strength=48=50-2). With strength=49 wrong order! WHY?
572 # skip VAX-order 68k Blit mpx/mux executable (strength=50) handled by ./blit
576 # skip some DOS 2.0 backup id file, sequence 5 with many nils like BACKUPID_075.@@@ handled by ./msdos
581 # variant ASCII, 2K dictionary (strength=48=50-2). With strength=49 wrong order! WHY?
582 # skip ctab data (strength=50) handled by ./ibm6000
583 # skip locale data table (strength=50) handled by ./digital
587 # skip many Maple help database *.hdb with version tag handled by ./maple
588 >1028 string !version
589 # skip veclib maple.hdb by looking for Mable keyword
590 >>4 search/1091 Maple\040
591 #>4 search/34090 Maple\040
593 # skip DOS 2.0-3.2 backed up sequence 4 with many nils like LOTUS5.RAR handled by ./msdos
594 # skip xBASE Compound Index file *.CDX with many nils
599 # skip shared library (strength=50) handled by ./ibm6000
601 # skip Commodore PET BASIC programs (Mastermind.prg) with last 3 nil bytes (\0~end of line followed by 0000h line offset)
602 #>-4 ubelong x LAST_BYTES=%8.8x
603 >-4 ubelong&0x00FFffFF !0
605 # display information of TTComp archive
607 # (version 5.25) labeled the entry as "TTComp archive data"
608 >0 ubyte x TTComp archive data
609 !:mime application/x-compress-ttcomp
611 !:ext $xe/$ts/pi1/__d
612 # compression type: 0~binary compression 1~ASCII compression
613 >0 ubyte 0 \b, binary
615 # size of the dictionary: 4~1024 bytes 5~2048 bytes 6~4096 bytes
619 >1 ubyte x dictionary
620 # https://mark0.net/forum/index.php?topic=848
621 # last 3 bytes probably have only 8 possible bit sequences
622 # xxxxxxxx 0000000x 11111111 ____FFh
623 # xxxxxxxx 10000000 01111111 __807Fh
624 # 0xxxxxxx 11000000 00111111 __C03Fh
625 # 00xxxxxx 11100000 00011111 __E01Fh
626 # 000xxxxx 11110000 00001111 __F00Fh
627 # 0000xxxx 11111000 00000111 __F807h
628 # 00000xxx 11111100 00000011 __FC03h
629 # 000000xx 11111110 00000001 __FE01h
630 # but for quickgif.__d 0A7DD4h
631 #>-3 ubyte x \b, last 3 bytes 0x%2.2x
632 #>-2 ubeshort x \b%4.4x
633 # From: Joerg Jenderek
634 # URL: https://en.wikipedia.org/wiki/Disk_Copy
635 # reference: http://nulib.com/library/FTN.e00005.htm
637 # test for disk image size equal or above 400k
638 >0x40 ubelong >409599
639 # test also for disk image size equal or below 1440k to skip
640 # windows7en.mbr UNICODE.DAT
641 #>>0x40 ubelong <1474561
642 # test now for "low" disk image size equal or below 64 MiB to skip
643 # windows7en.mbr (B441BBAAh) UNICODE.DAT (0400AF05h)
644 >>0x40 ubelong <0x04000001
645 # To skip Flags$StringJoiner.class with size 00106A61h test also for valid disk image sizes
646 # 00064000 for 400k GCR disks dc42-400k-gcr.trid.xml
647 # 000c8000 for 800k GCR disks dc42-800k-gcr.trid.xml
648 # 000b4000 for 720k MFM disks dc42-720k-mfm.trid.xml
649 # 00168000 for 1440k MFM disks dc42-1440k-mfm.trid.xml
650 # https://lisaem.sunder.net/LisaProjectDocs.txt
651 # 00500000 05M available
652 # 00A00000 10M available
653 # 01800000 24M possible
654 # 02000000 32M uncertain
655 # 04000000 64M uncertain
656 >>>0x40 ubelong&0xf8003fFF 0
657 # skip samples with invalid disk name length like:
658 # 181 (biosmd80.rom) 202 (Flags$StringJoiner.class) 90 (UNICODE.DAT)
660 >>>>>0 use dc42-floppy
661 # display information of Apple DiskCopy 4.2 floppy image
663 # disk name length; maximal 63
664 #>0 ubyte x DISK NAME LENGTH %u
665 # ASCII image pascal (maximal 63 bytes) name padded with NULs like:
666 # "Microsoft Mail" "Disquette 2" "IIe Installer Disk"
667 # "-lisaem.sunder.net hd-" (dc42-lisaem.trid.xml) "-not a Macintosh disk" (dc42-nonmac.trid.xml)
668 >00 pstring/B x Apple DiskCopy 4.2 image %s
669 #!:mime application/octet-stream
670 !:mime application/x-dc42-floppy-image
672 # probably also img like: "Utilitaires 2.img" "Installation 7.img"
674 # data size in bytes like: 409600 737280 819200 1474560
675 >0x40 ubelong x \b, %u bytes
676 # for debugging purpose size in hexadecimal
677 #>0x40 ubelong x (%#8.8x)
678 # tag size in bytes like: 0 (often) 2580h (PUID fmt/625) 4B00h (Microsoft Mail.image)
679 >0x44 ubelong >0 \b, %#x tag size
681 #>0x48 ubelong x \b, %#x checksum
683 #>0x4c ubelong x \b, %#x tag checksum
684 # disk encoding like: 0 1 2 3 (PUID: fmt/625)
685 >0x50 ubyte 0 \b, GCR CLV ssdd (400k)
686 >0x50 ubyte 1 \b, GCR CLV dsdd (800k)
687 >0x50 ubyte 2 \b, MFM CAV dsdd (720k)
688 >0x50 ubyte 3 \b, MFM CAV dshd (1440k)
689 >0x50 ubyte >3 \b, %#x encoding
690 # format byte like: 12h (Lisa 400K) 24h (400K Macintosh) 96h (800K Apple II disk)
691 # 2 (Mac 400k "Disquette Installation 13.image")
692 # 22h (double-sided MFM or Mac 800k "Disco 12.image" "IIe Installer Disk.image")
693 >0x51 ubyte x \b, %#x format
694 #>0x54 ubequad x \b, data %#16.16llx
695 # ESP, could this conflict with Easy Software Products' (e.g.ESP ghostscript) documentation?
696 0 string ESP ESP archive data
698 0 string \1ZPK\1 ZPack archive data
700 0 string \xbc\x40 Sky archive data
702 0 string UFA UFA archive data
704 0 string =-H2O DRY archive data
706 0 string FOXSQZ FoxSQZ archive data
708 0 string ,AR7 AR7 archive data
710 0 string PPMZ PPMZ archive data
712 # Update: Joerg Jenderek
713 # URL: http://fileformats.archiveteam.org/wiki/MS-DOS_installation_compression
714 # Reference: https://hwiegman.home.xs4all.nl/fileformats/compress/szdd_kwaj_format.html
715 # Note: use correct version of extracting tool like EXPAND, UNPACK, DECOMP or 7Z
716 4 string \x88\xf0\x27
718 >0 string KWAJ MS Compress archive data, KWAJ variant
719 !:mime application/x-ms-compress-kwaj
720 # extension not working in version 5.32
721 # magic/Magdir/archive, 284: Warning: EXTENSION type ` ??_' has bad char '?'
722 # file: line 284: Bad magic entry ' ??_'
724 # compression method (0-4)
725 >>8 uleshort x \b, %u method
726 # offset of compressed data
727 >>10 uleshort x \b, %#x offset
729 #>>>&-6 string x \b, TEST extension %-.3s
730 # header flags to mark header extensions
731 >>12 uleshort >0 \b, %#x flags
732 # 4 bytes: decompressed length of file
734 >>>14 ulelong x \b, original size: %u bytes
735 # 2 bytes: unknown purpose
736 # 2 bytes: length of unknown data + mentioned bytes
737 # 1-9 bytes: null-terminated file name
738 # 1-4 bytes: null-terminated file extension
741 >>>>12 uleshort ^0x02
742 >>>>>12 uleshort ^0x04
743 >>>>>>12 uleshort ^0x10
744 >>>>>>>14 string x \b, %-.8s
745 >>>>>>12 uleshort &0x10
746 >>>>>>>14 string x \b, %-.8s
747 >>>>>>>>&1 string x \b.%-.3s
748 >>>>>12 uleshort &0x04
749 >>>>>>12 uleshort ^0x10
750 >>>>>>>(14.s) uleshort x
751 >>>>>>>>&14 string x \b, %-.8s
752 >>>>>>12 uleshort &0x10
753 >>>>>>>(14.s) uleshort x
754 >>>>>>>>&14 string x \b, %-.8s
755 >>>>>>>>>&1 string x \b.%-.3s
756 >>>>12 uleshort &0x02
757 >>>>>12 uleshort ^0x04
758 >>>>>>12 uleshort ^0x10
759 >>>>>>>16 string x \b, %-.8s
760 >>>>>>12 uleshort &0x10
761 >>>>>>>16 string x \b, %-.8s
762 >>>>>>>>&1 string x \b.%-.3s
763 >>>>>12 uleshort &0x04
764 >>>>>>12 uleshort ^0x10
765 >>>>>>>(16.s) uleshort x
766 >>>>>>>>&16 string x \b, %-.8s
767 >>>>>>12 uleshort &0x10
768 >>>>>>>(16.s) uleshort x
769 >>>>>>>&16 string x %-.8s
770 >>>>>>>>&1 string x \b.%-.3s
772 >>>>12 uleshort ^0x02
773 >>>>>12 uleshort ^0x04
774 >>>>>>12 uleshort ^0x10
775 >>>>>>>18 string x \b, %-.8s
776 >>>>>>12 uleshort &0x10
777 >>>>>>>18 string x \b, %-.8s
778 >>>>>>>>&1 string x \b.%-.3s
779 >>>>>12 uleshort &0x04
780 >>>>>>12 uleshort ^0x10
781 >>>>>>>(18.s) uleshort x
782 >>>>>>>>&18 string x \b, %-.8s
783 >>>>>>12 uleshort &0x10
784 >>>>>>>(18.s) uleshort x
785 >>>>>>>>&18 string x \b, %-.8s
786 >>>>>>>>>&1 string x \b.%-.3s
787 >>>>12 uleshort &0x02
788 >>>>>12 uleshort ^0x04
789 >>>>>>12 uleshort ^0x10
790 >>>>>>>20 string x \b, %-.8s
791 >>>>>>12 uleshort &0x10
792 >>>>>>>20 string x \b, %-.8s
793 >>>>>>>>&1 string x \b.%-.3s
794 >>>>>12 uleshort &0x04
795 >>>>>>12 uleshort ^0x10
796 >>>>>>>(20.s) uleshort x
797 >>>>>>>>&20 string x \b, %-.8s
798 >>>>>>12 uleshort &0x10
799 >>>>>>>(20.s) uleshort x
800 >>>>>>>>&20 string x \b, %-.8s
801 >>>>>>>>>&1 string x \b.%-.3s
802 # 2 bytes: length of data + mentioned bytes
804 # SZDD variant Haruhiko Okumura's LZSS or 7z type MsLZ
805 # URL: http://fileformats.archiveteam.org/wiki/MS-DOS_installation_compression
806 # Reference: http://www.cabextract.org.uk/libmspack/doc/szdd_kwaj_format.html
807 # http://mark0.net/download/triddefs_xml.7z/defs/s/szdd.trid.xml
808 # Note: called "Microsoft SZDD compressed (Haruhiko Okumura's LZSS)" by TrID
809 # verfied by 7-Zip `7z l -tMsLZ -slt *.??_` as MsLZ
810 # `deark -l -m lzss_oku -d2 setup-1-41.bin` as "LZSS.C by Haruhiko Okumura"
811 >0 string SZDD MS Compress archive data, SZDD variant
812 # 2nd part of signature
813 #>>4 ubelong 0x88F02733 \b, SIGNATURE OK
814 !:mime application/x-ms-compress-szdd
816 # The character missing from the end of the filename (0=unknown)
817 >>9 string >\0 \b, %-.1s is last character of original name
818 # https://www.betaarchive.com/forum/viewtopic.php?t=26161
819 # Compression mode: "A" (0x41) found but sometimes "B" in Windows 3.1 builds 026 and 034e
820 >>8 string !A \b, %-.1s method
821 >>10 ulelong >0 \b, original size: %u bytes
822 # Summary: InstallShield archive with SZDD compressed
823 # URL: https://community.flexera.com/t5/InstallShield-Knowledge-Base/InstallShield-Redistributable-Files/ta-p/5647
824 # From: Joerg Jenderek
825 1 search/48/bs SZDD\x88\xF0\x27\x33 InstallShield archive
826 #!:mime application/octet-stream
827 !:mime application/x-installshield-compress-szdd
829 # name of compressed archive member like: setup.dl_ _setup7int.dl_ _setup2k.dl_ _igdi.dl_ cabinet.dl_
831 # name of uncompressed archive member like: setup.dll _Setup.dll IGdi.dll CABINET.DLL
833 # probably version like: 9.0.0.333 9.1.0.429 11.50.0.42618
834 >>>&1 string x \b, version %s
835 # SZDD member length like: 168048 169333 181842
836 >>>>&1 string x \b, %s bytes
837 # MS Compress archive data
838 #>&0 string SZDD \b, SIGNATURE FOUND
840 # QBasic SZDD variant
841 3 string \x88\xf0\x27
842 >0 string SZ\x20 MS Compress archive data, QBasic variant
843 !:mime application/x-ms-compress-sz
845 >>8 ulelong >0 \b, original size: %u bytes
847 # Summary: lzss compressed/EDI Pack
848 # From: Joerg Jenderek
849 # URL: http://fileformats.archiveteam.org/wiki/EDI_Install_packed_file
850 # Note: called "EDI Install LZS compressed data" by TrID and verified by
851 # command like `deark -l -m edi_pack -d2 BOOK01A.IC$` as "EDI Pack LZSS1"
854 # look for point character before orginal file name extension
856 # check suffix of possible orginal file anme
857 #>>>&0 ubelong x SUFFIX=%8.8x
858 # samples without valid character after point in original file name field like: FENNEL.LZS PLANTAIN.LZS
861 # samples with valid character after point in original file name field
863 # check 2nd charcter of suffix
864 #>>>>&0 ubyte x 2ND_SUFFIX=%x
865 # sample with one valid character after point followed by \0 in original file name field like: SPELMATE.H$
869 # check 3rd charcter of suffix
870 #>>>>>&0 ubyte x 3RD_SUFFIX=%x
871 # no sample with 2 valid characters after point followed by \0 in original file name field
874 # samples with valid 3rd character after point in original file name field
876 # sample with 3 valid character after point followed by \0 in original file name field like: BOOK01A.IC$ CTL3D.DL$
878 >>>>>>>0 use edi-pack
879 # sample with 3 valid character after point followed by no \0 in original file name field like: HERBTEXT.LZS
882 # no sample with invalid 3rd character after point in original file name field
885 # sample with invalid 2nd character after point in original file name field like: LACERATE.LZS SPLINTER.LZS
888 # sample without point character in original file name field like GUNSHOT.LZS
891 # Reference: http://mark0.net/download/triddefs_xml.7z/defs/e/edi-lzss2.trid.xml
892 # Note: called "EDI Install Pro LZSS2 compressed data" by TrID and verified by
893 # command like `deark -l -m edi_pack -d2 4WAY.WA$` as "EDI Pack LZSS2"
894 >7 string 2 EDI LZSS2 packed
895 #!:mime application/octet-stream
896 !:mime application/x-edi-pack-lzss
897 # the name of a compressed file often ends in character '$' or '_'
899 # original filename, NUL-terminated, padded to 13 bytes like: mci.vbx 4way.wav skymap.exe cmdialog.vbx
900 >>8 string x "%-0.13s"
901 # original file size, as a 4-byte integer.
902 >>21 ulelong x \b, %u bytes
903 # compressed data like: ff5249464606ec00 ff4d5aa601010000
904 >>>25 ubequad x \b, data %#16.16llx...
906 # Note: verified by command like `deark -l -d2 SPELMATE.H$` as "EDI Pack LZSS1"
907 # original filename, NUL-terminated, padded to 13 bytes like: ctl3d.dll spelmate.h filemenu.rc owl.def index-it.exe
908 # but not like \377Aloe.lzs\273 (HERBTEXT.LZS)
909 >8 string x EDI LZSS packed "%-.13s"
910 #!:mime application/octet-stream
911 !:mime application/x-edi-pack-lzss
912 # the name of a compressed file often ends in character '$' or '_'
914 # compressed data like: f7000001eff02020 ff4d5aa900020000 ff2f2a207370656c
915 >21 ubequad x \b, data %#16.16llx...
916 # URL: http://fileformats.archiveteam.org/wiki/EDI_LZSSLib
917 # Note: verified partly by command like `deark -l -m edi_pack -d2 GUNSHOT.LZS` as "EDI LZSSLib"
919 # Note: verified by command like `deark -l -d2 GUNSHOT.LZS` as "EDI LZSSLib"
920 # no original filename looks like: \277BM\226.\0 \277BM.n\001 \277BM\226.\0 \277BM.g\001 \377Aloe.lzs\273
921 >8 string x EDI LZSSLib packed
922 #!:mime application/octet-stream
923 !:mime application/x-edi-pack-lzss
924 # The name of a compressed file ends with LZS suffix
926 # compressed data like: bf424df6e10100f3 ff416c6f652e6c7a ff416c6f652e6c7a
927 >8 ubequad x \b, data %#16.16llx...
929 # Summary: CAZIP compressed file
930 # From: Joerg Jenderek
931 # URL: http://fileformats.archiveteam.org/wiki/CAZIP
932 # Reference: http://mark0.net/download/triddefs_xml.7z/defs/c/caz.trid.xml
933 # Note: Format is distinct from CAZIPXP compressed
934 0 string \x0D\x0A\x1ACAZIP CAZIP compressed file
935 #!:mime application/octet-stream
936 !:mime application/x-compress-cazip
937 # like: BLINKER.WR_ CLIPDEFS._ CAOSETUP.EX_ CLIPPER.EX_ FILEIO.C_
940 # Summary: FTCOMP compressed archive
941 # From: Joerg Jenderek
942 # URL: http://fileformats.archiveteam.org/wiki/FTCOMP
943 # Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-ftcomp.trid.xml
944 # Note: called by TrID "FTCOMP compressed archive"
945 # extracted by `unpack seahelp.hl_`
946 24 string/b FTCOMP FTCOMP compressed archive
947 #!:mime application/octet-stream
948 !:mime application/x-compress-ftcomp
949 !:ext ??_/??@/dll/drv/pk2/
950 # probably A596FDFF magic at the beginning
951 >0 ubelong !0xA596FDFF \b, at beginning %#x
952 # probably original file name with directory like: \OS2\unpack.exe \SYSTEM\8514.DRV MAHJONGG.EXE
955 # MP3 (archiver, not lossy audio compression)
956 0 string MP3\x1a MP3-Archiver archive data
958 0 string OZ\xc3\x9d ZET archive data
960 0 string \x65\x5d\x13\x8c\x08\x01\x03\x00 TSComp archive data
962 0 string gW\4\1 ARQ archive data
964 3 string OctSqu Squash archive data
966 0 string \5\1\1\0 Terse archive data
968 0 string UHA UHarc archive data
970 0 string \2AB ABComp archive data
971 0 string \3AB2 ABComp archive data
973 0 string CO\0 CMP archive data
975 0 string \x93\xb9\x06 Splint archive data
977 0 string \x13\x5d\x65\x8c InstallShield Z archive Data
979 1 string GTH Gather archive data
981 0 string BOA BOA archive data
983 0 string ULEB\xa RAX archive data
985 0 string ULEB\0 Xtreme archive data
987 0 string @\xc3\xa2\1\0 Pack Magic archive data
989 0 belong&0xfeffffff 0x1a034465 BTS archive data
991 0 string Ora\ ELI 5750 archive data
993 0 string \x1aFC\x1a QFC archive data
994 0 string \x1aQF\x1a QFC archive data
995 # PRO-PACK https://www.segaretro.org/Rob_Northen_compression
997 >3 byte 1 PRO-PACK archive data (compression 1)
998 >3 byte 2 PRO-PACK archive data (compression 2)
1000 0 string 777 777 archive data
1002 0 string sTaC LZS221 archive data
1004 0 string HPA HPA archive data
1006 0 string LG Arhangel archive data
1008 0 string 0123456789012345BZh EXP1 archive data
1010 0 string IMP\xa IMP archive data
1012 0 string \x00\x9E\x6E\x72\x76\xFF NRV archive data
1014 0 string \x73\xb2\x90\xf4 Squish archive data
1016 0 string PHILIPP Par archive data
1017 0 string PAR Par archive data
1019 0 string UB HIT archive data
1021 0 belong&0xfffff000 0x53423000 SBX archive data
1023 0 string NSK NaShrink archive data
1025 0 string #\ CAR\ archive\ header SAPCAR archive data
1026 0 string CAR\ 2.00 SAPCAR archive data
1027 0 string CAR\ 2.01 SAPCAR archive data
1028 #!:mime application/octet-stream
1029 !:mime application/vnd.sar
1032 0 string DST Disintegrator archive data
1034 0 string ASD ASD archive data
1036 # Update: Joerg Jenderek at Nov 2021
1037 # URL: https://en.wikipedia.org/wiki/InstallShield
1038 # Reference: https://github.com/twogood/unshield/blob/master/lib/cabfile.h
1039 # Note: Not compatible with Microsoft CAB files
1040 # http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cab-ishield.trid.xml
1041 # CAB_SIGNATURE 0x28635349
1042 0 string ISc( InstallShield
1043 #!:mime application/octet-stream
1044 !:mime application/x-installshield
1045 # http://mark0.net/download/triddefs_xml.7z/defs/a/ark-cab-ishield-hdr.trid.xml
1046 >16 ulelong !0 setup header
1047 # like: _SYS1.HDR _USER1.HDR data1.hdr
1050 # like: _SYS1.CAB _USER1.CAB DATA1.CAB data2.cab
1052 # https://github.com/twogood/unshield/blob/master/lib/helper.c
1053 # version like: 0x1005201 0x100600c 0x1007000 0x1009500
1054 # 0x2000578 0x20005dc 0x2000640 0x40007d0 0x4000834
1055 >4 ulelong x \b, version %#x
1056 # volume_info like: 0
1057 >8 ulelong !0 \b, volume_info %#x
1058 # cab_descriptor_offset like: 0x200
1059 >12 ulelong !0x200 \b, offset %#x
1060 #>0x200 ubequad x \b, at 0x200 %#16.16llx
1061 # cab_descriptor_size like: 0 (*.cab) BD5 C8B DA5 E2A E36 116C 251D 4DA9 56F0 5CC2 6E4B 777D 779E 1F7C2
1062 >16 ulelong !0 \b, descriptor size %#x
1064 0 string T4\x1a TOP4 archive data
1065 # BatComp left out: sig looks like COM executable
1066 # so TODO: get real 4dos batcomp file and find sig
1068 0 string BH\5\7 BlakHole archive data
1070 0 string BIX0 BIX archive data
1072 0 string ChfLZ ChiefLZA archive data
1074 0 string Blink Blink archive data
1076 0 string \xda\xfa Logitech Compress archive data
1077 # ARS-Sfx (FIXME: really a SFX? then goto COM/EXE)
1078 1 string (C)\ STEPANYUK ARS-Sfx archive data
1080 0 string AKT32 AKT32 archive data
1081 0 string AKT AKT archive data
1083 0 string MSTSM NPack archive data
1085 0 string \0\x50\0\x14 PFT archive data
1087 0 string SEM SemOne archive data
1089 0 string \x8f\xaf\xac\x84 PPMD archive data
1091 0 string FIZ FIZ archive data
1093 0 belong&0xfffff0f0 0x4d530000 MSXiE archive data
1095 0 belong&0xfffffff0 0x797a3030 DeepFreezer archive data
1097 0 string =<DC- DC archive data
1099 0 string \4TPAC\3 TPac archive data
1101 # Update: Joerg Jenderek
1102 # URL: http://fileformats.archiveteam.org/wiki/Ai_Archiver
1103 0 string Ai\1\1\0 Ai archive data
1104 #!:mime application/octet-stream
1105 !:mime application/x-compress-ai
1107 0 string Ai\1\0\0 Ai archive data
1108 #!:mime application/octet-stream
1109 !:mime application/x-compress-ai
1112 # Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-ai.trid.xml
1113 # Note: called "Ai Archivator compressed archive" by TrID
1114 0 string Ai\2\0 Ai32 archive data
1115 #!:mime application/octet-stream
1116 !:mime application/x-compress-ai
1118 # original file name
1120 # according to TrID the next 3 bytes are nil
1121 >5 ubyte !0 \b, at 5 %#x
1122 >6 ubyte !0 \b, at 6 %#x
1123 >7 ubyte !0 \b, at 7 %#x
1124 # the fourth byte with value 0 is probably a flag for "non solid" mode
1125 #>3 ubyte =0x00 \b, unsolid mode
1126 0 string Ai\2\1 Ai32 archive data
1127 #!:mime application/octet-stream
1128 !:mime application/x-compress-ai
1130 # original file name
1132 # the fourth byte with value 0x01 is probably a flag for "solid" mode; this is not the default
1133 >3 ubyte =0x01 \b, solid mode
1135 0 string SBC SBC archive data
1137 0 string YBS Ybs archive data
1139 0 string \x9e\0\0 DitPack archive data
1141 0 string DMS! DMS archive data
1143 0 string \x8f\xaf\xac\x8c EPC archive data
1145 0 string VS\x1a VSARC archive data
1147 0 string PDZ PDZ archive data
1149 0 string rdqx ReDuq archive data
1151 0 string GCAX GCA archive data
1153 0 string pN PPMN archive data
1155 3 string WINIMAGE WinImage archive data
1157 0 string CMP0CMP Compressia archive data
1159 0 string UHB UHBC archive data
1161 0 string \x61\x5C\x04\x05 WinHKI archive data
1163 0 string WWP WWPack archive data
1164 # BSN (BSA, PTS-DOS)
1165 0 string \xffBSG BSN archive data
1166 1 string \xffBSG BSN archive data
1167 3 string \xffBSG BSN archive data
1168 1 string \0\xae\2 BSN archive data
1169 1 string \0\xae\3 BSN archive data
1170 1 string \0\xae\7 BSN archive data
1172 0 string \x33\x18 AIN archive data
1173 0 string \x33\x17 AIN archive data
1174 # XPA32 test moved and merged with XPA by Joerg Jenderek at Sep 2015
1175 # SZip (TODO: doesn't catch all versions)
1176 0 string SZ\x0a\4 SZip archive data
1178 # *.XDI updated by Joerg Jenderek Sep 2015
1179 # ftp://ftp.sac.sk/pub/sac/pack/0index.txt
1180 # GRR: this test is still too general as it catches also text files starting with jm
1182 # only found examples with this additional characteristic 2 bytes
1183 >2 string \x2\x4 Xpack DiskImage archive data
1186 # *.xpa updated by Joerg Jenderek Sep 2015
1187 # ftp://ftp.elf.stuba.sk/pub/pc/pack/
1191 # ftp://ftp.elf.stuba.sk/pub/pc/pack/xpa32.zip
1192 # created by XPA32.EXE version 1.0.2 for Windows
1193 >0 string xpa\0\1 \b32 archive data
1194 # created by XPACK.COM version 1.67m or 1.67r with short 0x1800
1195 >3 ubeshort !0x0001 \bck archive data
1197 # changed by Joerg Jenderek Sep 2015 back to like in version 5.12
1198 # letter 'I'+ acute accent is equivalent to \xcd
1199 0 string \xcd\ jm Xpack single archive data
1200 #!:mime application/x-xpa-compressed
1203 # TODO: missing due to unknown magic/magic at end of file:
1213 # These were inspired by idarc, but actually verified
1214 # Dzip archiver (.dz)
1215 # Update: Joerg Jenderek
1216 # URL: http://speeddemosarchive.com/dzip/
1217 # reference: http://speeddemosarchive.com/dzip/dz29src.zip/main.c
1218 # GRR: line below is too general as it matches also ASCII texts like Doszip commander help dz.txt
1220 # latest version is 2.9 dated 7 may 2003
1221 >2 byte <4 Dzip archive data
1222 !:mime application/x-dzip
1224 >>2 byte x \b, version %i
1226 >>4 ulelong x \b, offset %#x
1227 >>8 ulelong x \b, %u files
1228 # ZZip archiver (.zz)
1229 0 string ZZ\ \0\0 ZZip archive data
1230 0 string ZZ0 ZZip archive data
1231 # PAQ archiver (.paq)
1232 0 string \xaa\x40\x5f\x77\x1f\xe5\x82\x0d PAQ archive data
1233 0 string PAQ PAQ archive data
1236 # JAR archiver (.j), this is the successor to ARJ, not Java's JAR (which is essentially ZIP)
1237 # Update: Joerg Jenderek
1238 # URL: http://fileformats.archiveteam.org/wiki/JAR_(ARJ_Software)
1239 # reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-jar.trid.xml
1240 # https://www.sac.sk/download/pack/jar102x.exe/TECHNOTE.DOC
1241 # Note: called "JAR compressed archive" by TrID
1242 0xe string \x1aJar\x1b JAR (ARJ Software, Inc.) archive data
1243 #!:mime application/octet-stream
1244 !:mime application/x-compress-j
1245 >0 ulelong x \b, CRC32 %#x
1246 # standard suffix is ".j"; for multi volumes following order j01 j02 ... j99 100 ... 990
1248 # URL: http://fileformats.archiveteam.org/wiki/JARCS
1249 # reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-jarcs.trid.xml
1250 # Note: called "JARCS compressed archive" by TrID
1251 0 string JARCS JAR (ARJ Software, Inc.) archive data
1252 #!:mime application/octet-stream
1253 !:mime application/x-compress-jar
1256 # ARJ archiver (jason@jarthur.Claremont.EDU)
1257 # URL: http://fileformats.archiveteam.org/wiki/ARJ
1258 # reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-arj.trid.xml
1259 # https://github.com/FarGroup/FarManager/
1260 # blob/master/plugins/multiarc/arc.doc/arj.txt
1261 # Note: called "ARJ compressed archive" by TrID and
1262 # "ARJ File Format" by DROID via PUID fmt/610
1263 # verified by `7z l -tarj PHRACK1.ARJ` and
1264 # `arj.exe l TEST-hk9.ARJ`
1266 # skip DROID fmt-610-signature-id-946.arj by check for valid file type of main header
1270 >0 leshort x ARJ archive
1271 !:mime application/x-arj
1272 # look for terminating 0-character of filename
1273 >0x26 search/1024 \0
1274 # file name extension is normally .arj but not for parts of multi volume
1275 #>>&-5 string x extension %.4s
1276 >>&-5 string/c .arj data
1279 # for multi volume first name is archive.arj then following parts archive.a01 archive.a02 ...
1280 >>>8 byte &0x04 data
1282 # for SFX first name is archive.exe then following parts archive.e01 archive.e02 ...
1283 >>>8 byte ^0x04 data, SFX multi-volume
1285 # basic header size like: 0x002b 0x002c 0x04e0 0x04e3 0x04e7
1286 #>2 uleshort x basic header size %#4.4x
1287 # next fragment content like: 0x0a200a003a8fc713 0x524a000010bb3471 0x524a0000c73c70f9
1288 #>(2.s) ubequad x NEXT FRAGMENT CONTENT %#16.16llx
1289 # first_hdr_size; seems to be same as basic header size
1290 #>2 uleshort x 1st header size %#x
1291 # archiver version number like: 3 4 6 11 102
1293 # minimum archiver version to extract like: 1
1294 >6 ubyte !1 \b, minimum %u to extract
1296 #>8 byte x \b, FLAGS %#x
1297 # GARBLED_FLAG1; garble with password; g switch
1298 >8 byte &0x01 \b, password-protected
1299 # encryption version: 0~old 1~old 2~new 3~reserved 4~40 bit key GOST
1300 >>0x20 ubyte x (v%u)
1301 #>8 byte &0x02 \b, secured
1302 # ANSIPAGE_FLAG; indicates ANSI codepage used by ARJ32; hy switch
1303 >8 byte &0x02 \b, ANSI codepage
1304 # VOLUME_FLAG indicates presence of succeeding volume; but apparently not for SFX
1305 >8 byte &0x04 \b, multi-volume
1306 #>8 byte &0x08 \b, file-offset
1307 # ARJPROT_FLAG; build with data protection record; hk switch
1308 >8 byte &0x08 \b, recoverable
1309 # arj protection factor; maximal 10; switch hky -> factor=y+1
1310 >>0x22 byte x (factor %u)
1311 >8 byte &0x10 \b, slash-switched
1312 # BACKUP_FLAG; obsolete
1313 >8 byte &0x20 \b, backup
1315 >8 byte &0x40 \b, secured,
1316 # ALTNAME_FLAG; indicates dual-name archive
1317 >8 byte &0x80 \b, dual-name
1318 # security version; 0~old 2~current
1320 >>9 ubyte !2 \b, security version %u
1321 # file type; 2 in main header; 0~binary 1~7-bitText 2~comment 3~directory 4~VolumeLabel 5=ChapterLabel
1322 >0xA ubyte !2 \b, file type %u
1323 # date+time when original archive was created in MS-DOS format via ./msdos
1324 >0xC ulelong x \b, created
1326 # or date and time by new internal function
1327 #>0xE lemsdosdate x %s
1328 #>0xC lemsdostime x %s
1330 #>0x12 uleshort x RAW DATE %#4.4x
1331 #>0x10 uleshort x RAW TIME %#4.4x
1332 # date+time when archive was last modified; sometimes nil or
1333 # maybe wrong like in HP4DRVR.ARJ
1334 #>0x10 ulelong >0 \b, modified
1335 #>>0x10 use dos-date
1336 # or date and time by new internal function
1337 #>>0x12 lemsdosdate x %s
1338 #>>0x10 lemsdostime x %s
1339 # archive size (currently used only for secured archives); MAYBE?
1340 #>0x14 ulelong !0 \b, file size %u
1341 # security envelope file position; MAYBE?
1342 #>0x18 ulelong !0 \b, at %#x security envelope
1343 # filespec position in filename; WHAT IS THAT?
1344 #>0x1C uleshort >0 \b, filespec position %#x
1345 # length in bytes of security envelope data like: 2CAh 301h 364h 471h
1346 >0x1E uleshort !0 \b, security envelope length %#x
1347 # last chapter like: 0 1
1348 >0x21 ubyte !0 \b, last chapter %u
1349 # filename (null-terminated string); sometimes at 0x26 when 4 bytes for extra data
1350 >34 byte x \b, original name:
1354 # without extras data
1357 # host OS: 0~MSDOS ... 11~WIN32
1358 >7 byte 0 \b, os: MS-DOS
1359 >7 byte 1 \b, os: PRIMOS
1360 >7 byte 2 \b, os: Unix
1361 >7 byte 3 \b, os: Amiga
1362 >7 byte 4 \b, os: Macintosh
1363 >7 byte 5 \b, os: OS/2
1364 >7 byte 6 \b, os: Apple ][ GS
1365 >7 byte 7 \b, os: Atari ST
1366 >7 byte 8 \b, os: NeXT
1367 >7 byte 9 \b, os: VAX/VMS
1368 >7 byte 10 \b, os: WIN95
1369 >7 byte 11 \b, os: WIN32
1370 # [JW] idarc says this is also possible
1371 2 leshort 0xea60 ARJ archive data
1375 # HA archiver (Greg Roelofs, newt@uchicago.edu)
1376 # This is a really bad format. A file containing HAWAII will match this...
1377 #0 string HA HA archive data,
1378 #>2 leshort =1 1 file,
1379 #>2 leshort >1 %hu files,
1380 #>4 byte&0x0f =0 first is type CPY
1381 #>4 byte&0x0f =1 first is type ASC
1382 #>4 byte&0x0f =2 first is type HSC
1383 #>4 byte&0x0f =0x0e first is type DIR
1384 #>4 byte&0x0f =0x0f first is type SPECIAL
1385 # suggestion: at least identify small archives (<1024 files)
1386 0 belong&0xffff00fc 0x48410000 HA archive data
1387 >2 leshort =1 1 file,
1388 >2 leshort >1 %u files,
1389 >4 byte&0x0f =0 first is type CPY
1390 >4 byte&0x0f =1 first is type ASC
1391 >4 byte&0x0f =2 first is type HSC
1392 >4 byte&0x0f =0x0e first is type DIR
1393 >4 byte&0x0f =0x0f first is type SPECIAL
1395 # HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz)
1396 0 string HPAK HPACK archive data
1398 # JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net
1399 0 string \351,\001JAM\ JAM archive,
1400 >7 string >\0 version %.4s
1402 >>0x2b string >\0 label %.11s,
1403 >>0x27 lelong x serial %08x,
1404 >>0x36 string >\0 fstype %.8s
1406 # LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu)
1407 # Update: Joerg Jenderek
1408 # URL: https://en.wikipedia.org/wiki/LHA_(file_format)
1409 # Reference: https://web.archive.org/web/20021005080911/http://www.osirusoft.com/joejared/lzhformat.html
1411 # check and display information of lharc (LHa,PMarc) file
1413 # check 1st character of method id like -lz4- -lh5- or -pm2-
1415 # check 5th character of method id
1417 # check header level 0 1 2 3
1419 # check 2nd, 3th and 4th character of method id
1420 >>>>3 regex \^(lh[0-9a-ex]|lz[s2-8]|pm[012]|pc1) \b
1421 !:mime application/x-lzh-compressed
1422 # creator type "LHA "
1424 # display archive type name like "LHa/LZS archive data" or "LArc archive"
1425 >>>>>2 string -lz \b
1427 # already known -lzs- -lz4- -lz5- with old names
1428 >>>>>>2 string -lzs LHa/LZS archive data
1429 >>>>>>3 regex \^lz[45] LHarc 1.x archive data
1430 # missing -lz?- with wikipedia names
1431 >>>>>>3 regex \^lz[2378] LArc archive
1432 # display archive type name like "LHa (2.x) archive data"
1433 >>>>>2 string -lh \b
1434 # already known -lh0- -lh1- -lh2- -lh3- -lh4- -lh5- -lh6- -lh7- -lhd- variants with old names
1435 >>>>>>3 regex \^lh[01] LHarc 1.x/ARX archive data
1436 # LHice archiver use ".ICE" as name extension instead usual one ".lzh"
1437 # FOOBAR archiver use ".foo" as name extension instead usual one
1438 # "Florian Orjanov's and Olga Bachetska's ARchiver" not found at the moment
1439 >>>>>>>2 string -lh1 \b
1441 >>>>>>3 regex \^lh[23d] LHa 2.x? archive data
1442 >>>>>>3 regex \^lh[7] LHa (2.x)/LHark archive data
1443 >>>>>>3 regex \^lh[456] LHa (2.x) archive data
1444 >>>>>>>2 string -lh5 \b
1445 # https://en.wikipedia.org/wiki/BIOS
1446 # Some mainboard BIOS like Award use LHa compression. So archives with unusual extension are found like
1447 # bios.rom , kd7_v14.bin, 1010.004, ...
1448 !:ext lha/lzh/rom/bin
1449 # missing -lh?- variants (Joe Jared)
1450 >>>>>>3 regex \^lh[89a-ce] LHa (Joe Jared) archive
1452 >>>>>>2 string -lhx LHa (UNLHA32) archive
1453 # lha archives with standard file name extensions ".lha" ".lzh"
1454 >>>>>>3 regex !\^(lh1|lh5) \b
1456 # this should not happen if all -lh variants are described
1457 >>>>>>2 default x LHa (unknown) archive
1460 >>>>>3 regex \^pm[012] PMarc archive data
1462 # append method id without leading and trailing minus character
1463 >>>>>3 string x [%3.3s]
1464 >>>>>>0 use lharc-header
1466 # check and display information of lharc header
1468 # header size 0x4 , 0x1b-0x61
1470 # compressed data size != compressed file size
1471 #>7 ulelong x \b, data size %d
1472 # attribute: 0x2~?? 0x10~symlink|target 0x20~normal
1473 #>19 ubyte x \b, 19_%#x
1474 # level identifier 0 1 2 3
1475 #>20 ubyte x \b, level %d
1477 #>15 ubelong x DATE %#8.8x
1480 # 0x20 types find for *.rom files
1481 >>(21.b+24) ubyte <0x21 \b, %#x OS
1482 # ascii type like M for MSDOS
1483 >>(21.b+24) ubyte >0x20 \b, '%c' OS
1486 #>>23 ubyte x \b, OS ID %#x
1487 >>23 ubyte <0x21 \b, %#x OS
1488 >>23 ubyte >0x20 \b, '%c' OS
1489 # filename only for level 0 and 1
1491 # length of filename
1492 >>21 ubyte >0 \b, with
1494 >>>21 pstring x "%s"
1496 #2 string -lh0- LHarc 1.x/ARX archive data [lh0]
1497 #!:mime application/x-lharc
1500 #2 string -lh1- LHarc 1.x/ARX archive data [lh1]
1501 #!:mime application/x-lharc
1504 # NEW -lz2- ... -lz8-
1517 # [never seen any but the last; -lh4- reported in comp.compression:]
1518 #2 string -lzs- LHa/LZS archive data [lzs]
1521 # According to wikipedia and others such a version does not exist
1522 #2 string -lh\40- LHa 2.x? archive data [lh ]
1523 #2 string -lhd- LHa 2.x? archive data [lhd]
1526 #2 string -lh2- LHa 2.x? archive data [lh2]
1529 #2 string -lh3- LHa 2.x? archive data [lh3]
1532 #2 string -lh4- LHa (2.x) archive data [lh4]
1535 #2 string -lh5- LHa (2.x) archive data [lh5]
1538 #2 string -lh6- LHa (2.x) archive data [lh6]
1541 #2 string -lh7- LHa (2.x)/LHark archive data [lh7]
1543 # !:mime application/x-lha
1544 # >20 byte x - header level %d
1546 # NEW -lh8- ... -lhe- , -lhx-
1561 # taken from idarc [JW]
1562 2 string -lZ PUT archive data
1563 # already done by LHarc magics
1564 # this should never happen if all sub types of LZS archive are identified
1565 #2 string -lz LZS archive data
1566 2 string -sw1- Swag archive data
1568 0 name rar-file-header
1569 >24 byte 15 \b, v1.5
1570 >24 byte 20 \b, v2.0
1572 >15 byte 0 \b, os: MS-DOS
1573 >15 byte 1 \b, os: OS/2
1574 >15 byte 2 \b, os: Win32
1575 >15 byte 3 \b, os: Unix
1576 >15 byte 4 \b, os: Mac OS
1577 >15 byte 5 \b, os: BeOS
1579 0 name rar-archive-header
1580 >3 leshort&0x1ff >0 \b, flags:
1581 >>3 leshort &0x01 ArchiveVolume
1582 >>3 leshort &0x02 Commented
1583 >>3 leshort &0x04 Locked
1584 >>3 leshort &0x10 NewVolumeNaming
1585 >>3 leshort &0x08 Solid
1586 >>3 leshort &0x20 Authenticated
1587 >>3 leshort &0x40 RecoveryRecordPresent
1588 >>3 leshort &0x80 EncryptedBlockHeader
1589 >>3 leshort &0x100 FirstVolume
1591 # RAR (Roshal Archive) archive
1592 0 string Rar!\x1a\7\0 RAR archive data
1593 !:mime application/x-rar
1596 >(0xc.l+9) byte 0x74
1597 >>(0xc.l+7) use rar-file-header
1598 # subblock seems to share information with file header
1599 >(0xc.l+9) byte 0x7a
1600 >>(0xc.l+7) use rar-file-header
1602 >>7 use rar-archive-header
1604 0 string Rar!\x1a\7\1\0 RAR archive data, v5
1605 !:mime application/x-rar
1608 # Very old RAR archive
1609 # https://jasonblanks.com/wp-includes/images/papers/KnowyourarchiveRAR.pdf
1610 0 string RE\x7e\x5e RAR archive data (<v1.5)
1611 !:mime application/x-rar
1614 # SQUISH archiver (Greg Roelofs, newt@uchicago.edu)
1615 0 string SQSH squished archive data (Acorn RISCOS)
1617 # UC2 archiver (Greg Roelofs, newt@uchicago.edu)
1618 # [JW] see exe section for self-extracting version
1619 0 string UC2\x1a UC2 archive data
1621 # PKZIP multi-volume archive
1622 0 string PK\x07\x08PK\x03\x04 Zip multi-volume archive data, at least PKZIP v2.50 to extract
1623 !:mime application/zip
1626 # Android APK file (Zip archive)
1629 # Starts with AndroidManifest.xml (file name length = 19)
1631 >>30 string AndroidManifest.xml Android package (APK), with AndroidManifest.xml
1632 !:mime application/vnd.android.package-archive
1634 >>>-22 string PK\005\006
1635 >>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block
1636 # Starts with META-INF/com/android/build/gradle/app-metadata.properties
1638 >>30 string META-INF/com/android/build/gradle/
1639 >>>&0 string app-metadata.properties Android package (APK), with gradle app-metadata.properties
1640 !:mime application/vnd.android.package-archive
1642 >>>>-22 string PK\005\006
1643 >>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block
1644 # Starts with classes.dex (file name length = 11)
1646 >>30 string classes.dex Android package (APK), with classes.dex
1647 !:mime application/vnd.android.package-archive
1649 >>>-22 string PK\005\006
1650 >>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block
1651 # Starts with META-INF/MANIFEST.MF (file name length = 20)
1652 # NB: checks for resources.arsc, classes.dex, etc. as well to avoid matching JAR files
1654 >>30 string META-INF/MANIFEST.MF
1655 # Contains resources.arsc (near the end, in the central directory)
1656 >>>-512 search resources.arsc Android package (APK), with MANIFEST.MF and resources.arsc
1657 !:mime application/vnd.android.package-archive
1659 >>>>-22 string PK\005\006
1660 >>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block
1662 # Contains classes.dex (near the end, in the central directory)
1663 >>>>-512 search classes.dex Android package (APK), with MANIFEST.MF and classes.dex
1664 !:mime application/vnd.android.package-archive
1666 >>>>>-22 string PK\005\006
1667 >>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block
1669 # Contains lib/armeabi (near the end, in the central directory)
1670 >>>>>-512 search lib/armeabi Android package (APK), with MANIFEST.MF and armeabi lib
1671 !:mime application/vnd.android.package-archive
1673 >>>>>>-22 string PK\005\006
1674 >>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block
1676 # Contains drawables (near the end, in the central directory)
1677 >>>>>>-512 search res/drawable Android package (APK), with MANIFEST.MF and drawables
1678 !:mime application/vnd.android.package-archive
1680 >>>>>>>-22 string PK\005\006
1681 >>>>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block
1682 # It may or may not be an APK file, but it's definitely a Java JAR file
1683 >>>>>>-512 default x Java archive data (JAR)
1684 !:mime application/java-archive
1686 # Starts with zipflinger virtual entry (28 + 104 = 132 bytes)
1687 # See https://github.com/obfusk/apksigcopier/blob/666f5b7/apksigcopier/__init__.py#L230
1688 >4 string \x00\x00\x00\x00\x00\x00
1689 >>&0 string \x21\x08\x21\x02
1690 >>>&0 string \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
1691 >>>>&0 string \x00\x00 Android package (APK), with zipflinger virtual entry
1692 !:mime application/vnd.android.package-archive
1694 >>>>>-22 string PK\005\006
1695 >>>>>>(-6.l-16) string APK\x20Sig\x20Block\x2042 \b, with APK Signing Block
1698 >>-22 string PK\005\006
1699 >>>(-6.l-16) string APK\x20Sig\x20Block\x2042 Android package (APK), with APK Signing Block
1700 !:mime application/vnd.android.package-archive
1703 # Zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)
1704 0 string PK\005\006 Zip archive data (empty)
1705 !:mime application/zip
1711 # Specialised zip formats which start with a member named 'mimetype'
1712 # (stored uncompressed, with no 'extra field') containing the file's MIME type.
1713 # Check for have 8-byte name, 0-byte extra field, name "mimetype", and
1714 # contents starting with "application/":
1715 >26 string \x8\0\0\0mimetypeapplication/
1717 # KOffice / OpenOffice & StarOffice / OpenDocument formats
1718 # From: Abel Cheung <abel@oaka.org>
1720 # KOffice (1.2 or above) formats
1721 # (mimetype contains "application/vnd.kde.<SUBTYPE>")
1722 >>50 string vnd.kde. KOffice (>=1.2)
1723 >>>58 string karbon Karbon document
1724 >>>58 string kchart KChart document
1725 >>>58 string kformula KFormula document
1726 >>>58 string kivio Kivio document
1727 >>>58 string kontour Kontour document
1728 >>>58 string kpresenter KPresenter document
1729 >>>58 string kspread KSpread document
1730 >>>58 string kword KWord document
1732 # OpenOffice formats (for OpenOffice 1.x / StarOffice 6/7)
1733 # (mimetype contains "application/vnd.sun.xml.<SUBTYPE>")
1734 # URL: https://en.wikipedia.org/wiki/OpenOffice.org_XML
1735 # reference: http://fileformats.archiveteam.org/wiki/OpenOffice.org_XML
1736 >>50 string vnd.sun.xml. OpenOffice.org 1.x
1737 >>>62 string writer Writer
1738 >>>>68 byte !0x2e document
1739 !:mime application/vnd.sun.xml.writer
1741 >>>>68 string .template template
1742 !:mime application/vnd.sun.xml.writer.template
1744 >>>>68 string .web Web template
1745 !:mime application/vnd.sun.xml.writer.web
1747 >>>>68 string .global global document
1748 !:mime application/vnd.sun.xml.writer.global
1750 >>>62 string calc Calc
1751 >>>>66 byte !0x2e spreadsheet
1752 !:mime application/vnd.sun.xml.calc
1754 >>>>66 string .template template
1755 !:mime application/vnd.sun.xml.calc.template
1757 >>>62 string draw Draw
1758 >>>>66 byte !0x2e document
1759 !:mime application/vnd.sun.xml.draw
1761 >>>>66 string .template template
1762 !:mime application/vnd.sun.xml.draw.template
1764 >>>62 string impress Impress
1765 >>>>69 byte !0x2e presentation
1766 !:mime application/vnd.sun.xml.impress
1768 >>>>69 string .template template
1769 !:mime application/vnd.sun.xml.impress.template
1771 >>>62 string math Math document
1772 !:mime application/vnd.sun.xml.math
1774 >>>62 string base Database file
1775 !:mime application/vnd.sun.xml.base
1778 # URL: https://wiki.openoffice.org/wiki/Documentation/DevGuide/Extensions/File_Format
1779 # From: Joerg Jenderek
1780 # Note: only few OXT samples are detected here by mimetype member
1781 # is used by OpenOffice and LibreOffice and probably also NeoOffice
1782 # verified by `unzip -Zv *.oxt` or `7z l -slt *.oxt`
1783 >>50 string vnd.openofficeorg. OpenOffice
1784 >>>68 string extension \b/LibreOffice Extension
1785 # http://extension.nirsoft.net/oxt
1786 !:mime application/vnd.openofficeorg.extension
1787 # like: Gallery-Puzzle.2.1.0.1.oxt
1790 # OpenDocument formats (for OpenOffice 2.x / StarOffice >= 8)
1791 # URL: http://fileformats.archiveteam.org/wiki/OpenDocument
1792 # https://lists.oasis-open.org/archives/office/200505/msg00006.html
1793 # (mimetype contains "application/vnd.oasis.opendocument.<SUBTYPE>")
1794 >>50 string vnd.oasis.opendocument. OpenDocument
1796 >>>>77 byte !0x2d Text
1797 !:mime application/vnd.oasis.opendocument.text
1799 >>>>77 string -template Text Template
1800 !:mime application/vnd.oasis.opendocument.text-template
1802 >>>>77 string -web HTML Document Template
1803 !:mime application/vnd.oasis.opendocument.text-web
1805 >>>>77 string -master
1806 >>>>>84 byte !0x2d Master Document
1807 !:mime application/vnd.oasis.opendocument.text-master
1809 >>>>>84 string -template Master Template
1810 !:mime application/vnd.oasis.opendocument.text-master-template
1812 >>>73 string graphics
1813 >>>>81 byte !0x2d Drawing
1814 !:mime application/vnd.oasis.opendocument.graphics
1816 >>>>81 string -template Drawing Template
1817 !:mime application/vnd.oasis.opendocument.graphics-template
1819 >>>73 string presentation
1820 >>>>85 byte !0x2d Presentation
1821 !:mime application/vnd.oasis.opendocument.presentation
1823 >>>>85 string -template Presentation Template
1824 !:mime application/vnd.oasis.opendocument.presentation-template
1826 >>>73 string spreadsheet
1827 >>>>84 byte !0x2d Spreadsheet
1828 !:mime application/vnd.oasis.opendocument.spreadsheet
1830 >>>>84 string -template Spreadsheet Template
1831 !:mime application/vnd.oasis.opendocument.spreadsheet-template
1834 >>>>78 byte !0x2d Chart
1835 !:mime application/vnd.oasis.opendocument.chart
1837 >>>>78 string -template Chart Template
1838 !:mime application/vnd.oasis.opendocument.chart-template
1840 >>>73 string formula
1841 >>>>80 byte !0x2d Formula
1842 !:mime application/vnd.oasis.opendocument.formula
1844 >>>>80 string -template Formula Template
1845 !:mime application/vnd.oasis.opendocument.formula-template
1847 # https://www.loc.gov/preservation/digital/formats/fdd/fdd000441.shtml
1848 >>>73 string database Database
1849 !:mime application/vnd.oasis.opendocument.database
1851 # Valid for LibreOffice Base 6.0.1.1 at least
1852 >>>73 string base Database
1853 # https://bugs.documentfoundation.org/show_bug.cgi?id=45854
1854 !:mime application/vnd.oasis.opendocument.base
1857 >>>>78 byte !0x2d Image
1858 !:mime application/vnd.oasis.opendocument.image
1860 >>>>78 string -template Image Template
1861 !:mime application/vnd.oasis.opendocument.image-template
1864 # EPUB (OEBPS) books using OCF (OEBPS Container Format)
1865 # https://www.idpf.org/ocf/ocf1.0/download/ocf10.htm, section 4.
1866 # From: Ralf Brown <ralf.brown@gmail.com>
1867 >>50 string epub+zip EPUB document
1868 !:mime application/epub+zip
1870 # From: Hajin Jang <jb6804@naver.com>
1871 # hwpx (OWPML) document format follows OCF specification.
1872 # Hangul Word Processor 2010+ supports HWPX format.
1873 # URL: https://www.hancom.com/etc/hwpDownload.do
1874 # https://standard.go.kr/KSCI/standardIntro/getStandardSearchView.do?menuId=503&topMenuId=502&ksNo=KSX6101
1875 # https://e-ks.kr/streamdocs/view/sd;streamdocsId=72059197557727331
1876 >>50 string hwp+zip Hancom HWP (Hangul Word Processor) file, HWPX
1877 !:mime application/x-hwp+zip
1880 # From: Joerg Jenderek
1881 # URL: http://en.wikipedia.org/wiki/CorelDRAW
1882 # NOTE: version; til 2 WL-based; from 3 til 13 by ./riff; from 14 zip based
1883 >>50 string x-vnd.corel. Corel
1884 >>>62 string draw.document+zip Draw drawing, version 14-16
1885 !:mime application/x-vnd.corel.draw.document+zip
1887 >>>62 string draw.template+zip Draw template, version 14-16
1888 !:mime application/x-vnd.corel.draw.template+zip
1890 >>>62 string zcf.draw.document+zip Draw drawing, version 17-22
1891 !:mime application/x-vnd.corel.zcf.draw.document+zip
1893 >>>62 string zcf.draw.template+zip Draw template, version 17-22
1894 !:mime application/x-vnd.corel.zcf.draw.template+zip
1896 # URL: http://product.corel.com/help/CorelDRAW/540240626/Main/EN/Doc/CorelDRAW-Other-file-formats.html
1897 >>>62 string zcf.pattern+zip Draw pattern, version 22
1898 !:mime application/x-vnd.corel.zcf.pattern+zip
1900 # URL: https://en.wikipedia.org/wiki/Corel_Designer
1901 # Reference: http://fileformats.archiveteam.org/wiki/Corel_Designer
1902 # Note: called by TrID "Corel DESIGN graphics"
1903 >>>62 string designer.document+zip DESIGNER graphics, version 14-16
1904 !:mime application/x-vnd.corel.designer.document+zip
1906 >>>62 string zcf.designer.document+zip DESIGNER graphics, version 17-21
1907 !:mime application/x-vnd.corel.zcf.designer.document+zip
1909 # URL: http://product.corel.com/help/CorelDRAW/540223850/Main/EN/Documentation/
1910 # CorelDRAW-Corel-Symbol-Library-CSL.html
1911 >>>62 string symbol.library+zip Symbol Library, version 6-16.3
1912 !:mime application/x-vnd.corel.symbol.library+zip
1914 >>>62 string zcf.symbol.library+zip Symbol Library, version 17-22
1915 !:mime application/x-vnd.corel.zcf.symbol.library+zip
1918 # Catch other ZIP-with-mimetype formats
1919 # In a ZIP file, the bytes immediately after a member's contents are
1920 # always "PK". The 2 regex rules here print the "mimetype" member's
1921 # contents up to the first 'P'. Luckily, most MIME types don't contain
1922 # any capital 'P's. This is a kludge.
1923 # (mimetype contains "application/<OTHER>")
1924 >>50 default x Zip data
1925 >>>38 regex [!-OQ-~]+ (MIME type "%s"?)
1926 !:mime application/zip
1927 # (mimetype contents other than "application/*")
1928 >26 string \x8\0\0\0mimetype
1929 >>38 string !application/
1930 >>>38 regex [!-OQ-~]+ Zip data (MIME type "%s"?)
1931 !:mime application/zip
1933 # Java Jar files (see also APK files above)
1934 >(26.s+30) leshort 0xcafe Java archive data (JAR)
1935 !:mime application/java-archive
1939 >(26.s+30) leshort !0xcafe
1940 >>26 string !\x8\0\0\0mimetype
1941 >>>30 string Payload/
1942 >>>>38 search/64 .app/ iOS App
1943 !:mime application/x-ios-app
1946 #>30 search/100/b application/epub+zip EPUB document
1947 #!:mime application/epub+zip
1949 # Generic zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)
1950 # Next line excludes specialized formats:
1951 >(26.s+30) leshort !0xcafe
1952 >>30 search/100/b !application/epub+zip
1953 >>>26 string !\x8\0\0\0mimetype Zip archive data
1954 !:mime application/zip
1955 >>>>4 beshort x \b, at least
1956 >>>>4 use zipversion
1957 >>>>4 beshort x to extract
1958 >>>>8 beshort x \b, compression method=
1959 >>>>8 use zipcompression
1960 >>>>0x161 string WINZIP \b, WinZIP self-extracting
1963 # From Pierre Ducroquet <pinaraf@pinaraf.info>
1964 0 string VCLMTF StarView MetaFile
1965 >6 beshort x \b, version %d
1966 >8 belong x \b, size %d
1969 # Update: Joerg Jenderek
1970 # URL: https://en.wikipedia.org/wiki/Zoo_(file_format)
1971 # http://fileformats.archiveteam.org/wiki/Zoo
1972 # Reference: http://mark0.net/download/triddefs_xml.7z/defs/a/ark-zoo-strict.trid.xml
1973 # http://distcache.freebsd.org/ports-distfiles/zoo-2.10pl1.tar.gz/zoo.h
1974 # Note: called "ZOO compressed archive (strict)" by TrID and "ZOO Compressed Archive" by DROID via PUID x-fmt/269
1975 # verified by command like `deark -m zoo -l -d2 WHRCGA.ZOO`
1976 20 lelong 0xfdc4a7dc
1977 # skip DROID x-fmt-269-signature-id-621.zoo by looking for valid major version to manipulate archive
1978 >32 byte >0 Zoo archive data
1979 !:mime application/x-zoo
1980 # bak is extension of backup-ed zoo
1982 # version in text form like: 1.50 2.00 2.10
1983 >>4 byte >48 \b, v%c.
1986 # ZOO files typically start with "ZOO ?.?? Archive.", followed by the bytes 0x1a 0x0 0x0; not used by Zoo and they may be anything
1987 >>8 string !\040Archive.\032 \b, at 8
1988 >>>8 string x text "%0.10s"
1989 # major_ver.minor_ver; minimum version needed to manipulate archive like: 1.0 2.0
1990 >>32 byte >0 \b, modify: v%d
1992 # major_ver.minor_ver; minimum version needed to extract after modify like in old versions
1993 >>(24.l+28) ubyte x \b, extract: v%u
1994 >>(24.l+29) ubyte x \b.%u+
1995 # with zoo 2.00 additional fields have been added in the archive header
1997 # type; type of archive header like: 1 2
1998 >>>34 ubyte !1 \b, header type %u
1999 # acmt_pos; position of archive comment like: 6258 30599 61369 149501
2000 >>>35 lelong >0 \b, at %d
2001 # acmt_len; length of archive comment like: 258
2002 >>>>39 uleshort x %u bytes comment
2003 #>>>>(35.l) ubequad x COMMENT=%16.16llx
2004 # 1st character of comment maybe is CarriageReturn (0x0d)
2005 >>>>(35.l) ubyte <040
2006 # 2nd character of comment maybe is LineFeed (0x0a)
2007 >>>>>(35.l+1) ubyte <040
2008 # comment string after CRLF like "Anonymous ftp site garbo.uwasa.fi 128.214.87.1 moderated by"
2009 >>>>>>(35.l+2) string x %s
2010 # next character of remaining comment maybe is CarriageReturn (0x0d)
2011 >>>>>>>&0 ubyte <040
2012 >>>>>>>>&0 ubyte <040
2013 # 2nd comment part like: Timo Salmi ts@chyde.uwasa.fi PC directories and uploads\015\012Harri Valkama hv@chyde.uwasa.fi PC, Mac, Unix files, and upload
2014 >>>>>>>>>&0 string >037 %s
2015 # vdata; archive-level versioning byte like: 1 3
2016 >>>41 ubyte !1 \b, vdata %#x
2017 # zoo_start; pointer to 1st entry header
2018 >>24 lelong x \b; at %u
2019 # zoo_minus; zoo_start -1 for consistency checking
2020 #>>28 lelong x \b, zoo_minus %#x
2021 # zoo_tag; tag for check
2022 #>>(24.l+0) ulelong !0xfdc4a7dc \b, zoo_tag=%8.8x
2023 # type; type of directory entry like: 1 2
2024 >>(24.l+4) ubyte !2 type=%u
2025 # packing_method; 0~no packing 1~normal LZW 2~lzh
2026 >>(24.l+5) ubyte x method=
2027 >>>(24.l+5) ubyte 0 \bnot-compressed
2028 >>>(24.l+5) ubyte 1 \blzd
2029 >>>(24.l+5) ubyte 2 \blzh
2030 # next; position of next directory entry
2031 >>(24.l+6) ulelong x \b, next entry at %u
2032 # offset; position of file data for this entry
2033 #>>(24.l+10) ulelong x \b, data at %u
2034 # file_crc; CRC-16 of file data
2035 >>(24.l+18) uleshort x \b, CRC %#4.4x
2036 # comment; zero if none or points to entry comment like ADD9h (WHRCGA.ZOO)
2037 >>(24.l+32) lelong >0 \b, at %#x
2038 # cmt_size; if not 0 for none then length of entry comment like: 46
2039 >>>(24.l+36) uleshort >0 %u bytes comment
2040 # entry comment itself like: "CGA .GL file showing menu input from keyboard"
2041 >>>>(&-6.l) string x "%s"
2042 # org_size; original size of file
2043 >>(24.l+20) ulelong x \b, size %u
2044 # size_now; compressed size of file
2045 >>(24.l+24) ulelong x (%u compressed)
2046 # major_ver.minor_ver; minimum version needed to extract already done
2047 # deleted; will be 1 if deleted, 0 if not
2048 >>(24.l+30) ubyte =1 \b, deleted
2049 # struc; file structure if any; WHAT IS THAT?
2050 >>(24.l+31) ubyte !0 \b, structured
2051 # fname[13]; short/DOS file name like 12345678.012
2052 >>(24.l+38) string x \b, %0.13s
2053 # for directory entry type 2 with variable part
2055 # var_dir_len; length of variable part of dir entry
2056 >>>(24.l+51) uleshort >0
2057 #>>>(24.l+51) uleshort >0 \b, variable part length %u
2058 # namlen; length of long filename
2059 #>>>>(24.l+56) ubyte x \b, namlen %u
2060 # dirlen; length of directory name
2061 #>>>>(24.l+57) ubyte x \b, dirlen %u
2062 # if file length positive then show long file name
2063 >>>>(24.l+56) ubyte >0
2064 # lfname[256]; long file name \0-terminated
2065 >>>>>(24.l+58) string x "%s"
2066 # if directory length positive then jump before file name field and then jump this addtional length plus 2 (\0-terminator + dirlen field) to following directory name
2067 >>>>(24.l+57) ubyte >0
2068 >>>>>(24.l+55) ubyte x
2069 # dirname[256]; directory name \0-terminated
2070 >>>>>>&(&0.b+2) string x in "%s"
2071 # dir_crc; CRC of directory entry
2072 #>>>(24.l+54) uleshort x \b, entry CRC %#4.4x
2073 # tz; timezone where file was archived; 7Fh~unknown 4~1.00hoursWestOfUTC 12 16 20~5.00hoursWestOfUTC -107~26.75hoursEastOfUTC -4~1.00hoursEastOfUTC
2074 >>>(24.l+53) byte !0x7f \b, time zone %d/4
2075 # date; last mod file date in DOS format
2076 >>>(24.l+14) lemsdosdate x \b, modified %s
2077 # time; last mod file time in DOS format
2078 >>>(24.l+16) lemsdostime x %s
2081 10 string #\ This\ is\ a\ shell\ archive shell archive text
2082 !:mime application/octet-stream
2085 # LBR. NB: May conflict with the questionable
2086 # "binary Computer Graphics Metafile" format.
2088 0 string \0\ \ \ \ \ \ \ \ \ \ \ \0\0 LBR archive data
2090 # PMA (CP/M derivative of LHA)
2091 # Update: Joerg Jenderek
2092 # URL: https://en.wikipedia.org/wiki/LHA_(file_format)
2094 #2 string -pm0- PMarc archive data [pm0]
2097 #2 string -pm1- PMarc archive data [pm1]
2100 #2 string -pm2- PMarc archive data [pm2]
2103 2 string -pms- PMarc SFX archive (CP/M, DOS)
2104 #!:mime application/x-foobar-exec
2106 5 string -pc1- PopCom compressed executable (CP/M)
2107 #!:mime application/x-
2110 # From Rafael Laboissiere <rafael@laboissiere.net>
2111 # The Project Revision Control System (see
2112 # http://prcs.sourceforge.net) generates a packaged project
2113 # file which is recognized by the following entry:
2114 0 leshort 0xeb81 PRCS packaged project
2116 # Microsoft cabinets
2117 # by David Necas (Yeti) <yeti@physics.muni.cz>
2118 #0 string MSCF\0\0\0\0 Microsoft cabinet file data,
2121 # MPi: All CABs have version 1.3, so this is pointless.
2122 # Better magic in debian-additions.
2125 # by David Necas (Yeti) <yeti@physics.muni.cz>
2126 4 string gtktalog\ GTKtalog catalog data,
2127 >13 string 3 version 3
2128 >>14 beshort 0x677a (gzipped)
2129 >>14 beshort !0x677a (not gzipped)
2130 >13 string >3 version %s
2132 ############################################################################
2133 # Parity archive reconstruction file, the 'par' file format now used on Usenet.
2134 0 string PAR\0 PARity archive data
2135 >48 leshort =0 - Index file
2136 >48 leshort >0 - file number %d
2138 # Felix von Leitner <felix-file@fefe.de>
2139 0 string d8:announce BitTorrent file
2140 !:mime application/x-bittorrent
2142 # Durval Menezes, <jmgthbfile at durval dot com>
2143 0 string d13:announce-list BitTorrent file
2144 !:mime application/x-bittorrent
2146 0 string d7:comment BitTorrent file
2147 !:mime application/x-bittorrent
2149 0 string d4:info BitTorrent file
2150 !:mime application/x-bittorrent
2153 # Atari MSA archive - Teemu Hukkanen <tjhukkan@iki.fi>
2154 # URL: http://fileformats.archiveteam.org/wiki/MSA_(Magic_Shadow_Archiver)
2155 # Reference: http://info-coach.fr/atari/documents/_mydoc/FD_Image_File_Format.pdf
2156 # http://mark0.net/download/triddefs_xml.7z/defs/m/msa.trid.xml
2157 # Update: Joerg Jenderek
2158 # Note: called by TrID "Atari MSA Disk Image" and verified by
2159 # command like `deark -l -m msa -d2 PDATS578.msa` as " Atari ST floppy disk image"
2160 # GRR: line below is too general as it matches setup.skin
2162 # skip foo setup.skin with unrealistic high number 52255 of sides by check for valid "low" value
2163 >4 ubeshort <2 Atari MSA archive data
2164 #!:mime application/octet-stream
2165 !:mime application/x-atari-msa
2167 # sectors per track like: 9 10
2168 >>2 beshort x \b, %d sectors per track
2169 # sides (0 or 1; add 1 to this to get correct number of sides)
2170 >>4 beshort 0 \b, 1 sided
2171 >>4 beshort 1 \b, 2 sided
2172 # starting track like: 0
2173 >>6 beshort x \b, starting track: %d
2174 # ending track like: 39 79 80 81
2175 >>8 beshort x \b, ending track: %d
2177 #>>10 ubequad x \b, track content %#16.16llx
2179 # Alternate ZIP string (amc@arwen.cs.berkeley.edu)
2180 0 string PK00PK\003\004 Zip archive data
2181 !:mime application/zip
2184 # Recognize ZIP archives with prepended data by end-of-central-directory record
2185 # https://en.wikipedia.org/wiki/ZIP_(file_format)#End_of_central_directory_record_(EOCD)
2186 # by Michal Gorny <mgorny@gentoo.org>
2188 >&-22 string PK\005\006
2190 >>0 string !#! Zip archive, with extra data prepended
2191 !:mime application/zip
2195 >>>&-1 string/T x %s script executable (Zip archive)
2197 # ACE archive (from http://www.wotsit.org/download.asp?f=ace)
2198 # by Stefan `Sec` Zehl <sec@42.org>
2199 7 string **ACE** ACE archive data
2200 !:mime application/x-ace-compressed
2202 >15 byte >0 version %d
2203 >16 byte =0x00 \b, from MS-DOS
2204 >16 byte =0x01 \b, from OS/2
2205 >16 byte =0x02 \b, from Win/32
2206 >16 byte =0x03 \b, from Unix
2207 >16 byte =0x04 \b, from MacOS
2208 >16 byte =0x05 \b, from WinNT
2209 >16 byte =0x06 \b, from Primos
2210 >16 byte =0x07 \b, from AppleGS
2211 >16 byte =0x08 \b, from Atari
2212 >16 byte =0x09 \b, from Vax/VMS
2213 >16 byte =0x0A \b, from Amiga
2214 >16 byte =0x0B \b, from Next
2215 >14 byte x \b, version %d to extract
2216 >5 leshort &0x0080 \b, multiple volumes,
2217 >>17 byte x \b (part %d),
2218 >5 leshort &0x0002 \b, contains comment
2219 >5 leshort &0x0200 \b, sfx
2220 >5 leshort &0x0400 \b, small dictionary
2221 >5 leshort &0x0800 \b, multi-volume
2222 >5 leshort &0x1000 \b, contains AV-String
2223 >>30 string \x16*UNREGISTERED\x20VERSION* (unregistered)
2224 >5 leshort &0x2000 \b, with recovery record
2225 >5 leshort &0x4000 \b, locked
2226 >5 leshort &0x8000 \b, solid
2227 # Date in MS-DOS format (whatever that is)
2228 #>18 lelong x Created on
2230 # sfArk : compression program for Soundfonts (sf2) by Dirk Jagdmann
2232 0x1A string sfArk sfArk compressed Soundfont
2234 >>0x1 string >\0 Version %s
2235 >>0x2A string >\0 : %s
2237 # DR-DOS 7.03 Packed File *.??_
2238 # Reference: http://www.antonis.de/dos/dos-tuts/mpdostip/html/nwdostip.htm
2239 # Note: unpacked by PNUNPACK.EXE
2240 0 string Packed\ File\
2241 # by looking for Control-Z skip ASCII text starting with Packed File
2242 >0x18 ubyte 0x1a Personal NetWare Packed File
2243 !:mime application/x-novell-compress
2245 >>12 string x \b, was "%.12s"
2247 #>>0x19 ubyte x \b, at 0x19 %u
2248 >>0x1b ulelong x with %u bytes
2251 # From: Tilman Sauerbeck <tilman@code-monkey.de>
2252 0 belong 0x1ee7ff00 EET archive
2253 !:mime application/x-eet
2256 0 string RZIP rzip compressed data
2257 >4 byte x - version %d
2259 >6 belong x (%d bytes)
2261 # From: Joerg Jenderek
2262 # URL: https://help.foxitsoftware.com/kb/install-fzip-file.php
2263 # reference: http://mark0.net/download/triddefs_xml.7z/
2264 # defs/f/fzip.trid.xml
2265 # Note: unknown compression; No "PK" zip magic; normally in directory like
2266 # "%APPDATA%\Foxit Software\Addon\Foxit Reader\Install"
2267 0 ubequad 0x2506781901010000 Foxit add-on/update
2268 !:mime application/x-fzip
2271 # From: "Robert Dale" <robdale@gmail.com>
2272 0 belong 123 dar archive,
2273 >4 belong x label "%.8x
2275 >>>12 beshort x %.4x"
2276 >14 byte 0x54 end slice
2277 >14 beshort 0x4e4e multi-part
2278 >14 beshort 0x4e53 multi-part, with -S
2280 # Symbian installation files
2281 # https://www.thouky.co.uk/software/psifs/sis.html
2282 # http://developer.symbian.com/main/downloads/papers/SymbianOSv91/softwareinstallsis.pdf
2283 8 lelong 0x10000419 Symbian installation file
2284 !:mime application/vnd.symbian.install
2285 >4 lelong 0x1000006D (EPOC release 3/4/5)
2286 >4 lelong 0x10003A12 (EPOC release 6)
2287 0 lelong 0x10201A7A Symbian installation file (Symbian OS 9.x)
2288 !:mime x-epoc/x-sisx-app
2290 # From "Nelson A. de Oliveira" <naoliv@gmail.com>
2291 0 string MPQ\032 MoPaQ (MPQ) archive
2293 # From: "Nelson A. de Oliveira" <naoliv@gmail.com>
2295 0 string KGB_arch KGB Archiver file
2296 >10 string x with compression level %.1s
2298 # xar (eXtensible ARchiver) archive
2299 # URL: https://en.wikipedia.org/wiki/Xar_(archiver)
2300 # xar archive format: https://code.google.com/p/xar/
2301 # From: "David Remahl" <dremahl@apple.com>
2302 # Update: Joerg Jenderek
2303 # TODO: lzma compression; X509Data for pkg and xip
2304 # Note: verified by `xar --dump-header -f FullBundleUpdate.xar` or
2305 # 7z t -txar Xcode_10.2_beta_4.xip`
2306 0 string xar! xar archive
2307 !:mime application/x-xar
2308 # pkg for Mac OSX installer package like FullBundleUpdate.pkg
2309 # xip for signed Apple software like Xcode_10.2_beta_4.xip
2311 # always 28 in older archives
2312 >4 ubeshort >28 \b, header size %u
2313 # currently there exit only version 1 since about 2014
2314 >6 ubeshort >1 version %u,
2315 >8 ubequad x compressed TOC: %llu,
2316 #>16 ubequad x uncompressed TOC: %llu,
2317 # cksum_alg 0-2 in older and also 3-4 in newer
2318 >24 belong 0 no checksum
2319 >24 belong 1 SHA-1 checksum
2320 >24 belong 2 MD5 checksum
2321 >24 belong 3 SHA-256 checksum
2322 >24 belong 4 SHA-512 checksum
2323 >24 belong >4 unknown %#x checksum
2324 #>24 belong >4 checksum
2325 # For no compression jump 0 bytes
2328 # jump more bytes forward by header size
2330 # jump more bytes forward by compressed table of contents size
2331 #>>>>&(8.Q) ubequad x \b, heap data %#llx
2333 # look for data by ./compress after message with 1 space at end
2334 >>>>>&-3 indirect x \b, contains
2335 # For SHA-1 jump 20 minus 2 bytes
2338 # jump more bytes forward by header size
2340 # jump more bytes forward by compressed table of contents size
2342 # data compressed by gzip, bzip, lzma or none
2343 >>>>>&-1 indirect x \b, contains
2344 # For SHA-256 jump 32 minus 2 bytes
2347 # jump more bytes forward by header size
2349 # jump more bytes forward by compressed table of contents size
2351 >>>>>&-1 indirect x \b, contains
2352 # For SHA-512 jump 64 minus 2 bytes
2355 # jump more bytes forward by header size
2357 # jump more bytes forward by compressed table of contents size
2359 >>>>>&-1 indirect x \b, contains
2361 # Type: Parity Archive
2362 # From: Daniel van Eeden <daniel_e@dds.nl>
2363 0 string PAR2 Parity Archive Volume Set
2365 # Bacula volume format. (Volumes always start with a block header.)
2366 # URL: https://bacula.org/3.0.x-manuals/en/developers/developers/Block_Header.html
2367 # From: Adam Buchbinder <adam.buchbinder@gmail.com>
2368 12 string BB02 Bacula volume
2369 >20 bedate x \b, started %s
2371 # ePub is XHTML + XML inside a ZIP archive. The first member of the
2372 # archive must be an uncompressed file called 'mimetype' with contents
2373 # 'application/epub+zip'
2376 # From: "Michael Gorny" <mgorny@gentoo.org>
2377 # ZPAQ: http://mattmahoney.net/dc/zpaq.html
2378 0 string zPQ ZPAQ stream
2379 >3 byte x \b, level %d
2380 # From: Barry Carter <carter.barry@gmail.com>
2381 # https://encode.ru/threads/456-zpaq-updates/page32
2382 0 string 7kSt ZPAQ file
2384 # BBeB ebook, unencrypted (LRF format)
2385 # URL: https://www.sven.de/librie/Librie/LrfFormat
2386 # From: Adam Buchbinder <adam.buchbinder@gmail.com>
2387 0 string L\0R\0F\0\0\0 BBeB ebook data, unencrypted
2388 >8 beshort x \b, version %d
2389 >36 byte 1 \b, front-to-back
2390 >36 byte 16 \b, back-to-front
2391 >42 beshort x \b, (%dx,
2394 # Symantec GHOST image by Joerg Jenderek at May 2014
2395 # https://us.norton.com/ghost/
2396 # https://www.garykessler.net/library/file_sigs.html
2397 0 ubelong&0xFFFFf7f0 0xFEEF0100 Norton GHost image
2399 >2 ubyte&0x08 0x00 \b, first file
2400 # *.GHS or *.[0-9] with cns program option
2401 >2 ubyte&0x08 0x08 \b, split file
2402 # part of split index interesting for *.ghs
2404 # compression tag minus one equals numeric compression command line switch z[1-9]
2405 >3 ubyte 0 \b, no compression
2406 >3 ubyte 2 \b, fast compression (Z1)
2407 >3 ubyte 3 \b, medium compression (Z2)
2409 >>3 ubyte <11 \b, compression (Z%d-1)
2411 # ~ 30 byte password field only for *.gho
2412 >>12 ubequad !0 \b, password protected
2414 # 1~Image All, sector-by-sector only for *.gho
2415 >>>10 ubyte 1 \b, sector copy
2416 # 1~Image Boot track only for *.gho
2417 >>>43 ubyte 1 \b, boot track
2418 # 1~Image Disc only for *.gho implies Image Boot track and sector copy
2419 >>44 ubyte 1 \b, disc sector copy
2420 # optional image description only *.gho
2421 >>0xff string >\0 "%-.254s"
2422 # look for DOS sector end sequence
2423 >0xE08 search/7776 \x55\xAA
2424 >>&-512 indirect x \b; contains
2426 # Google Chrome extensions
2427 # https://developer.chrome.com/extensions/crx
2428 # https://developer.chrome.com/extensions/hosting
2429 0 string Cr24 Google Chrome extension
2430 !:mime application/x-chrome-extension
2431 >4 ulong x \b, version %u
2433 # SeqBox - Sequenced container
2435 # Marco Pontello marcopon@gmail.com
2436 # reference: https://github.com/MarcoPon/SeqBox
2437 0 string SBx SeqBox,
2438 >3 byte x version %d
2441 # Update: Joerg Jenderek
2442 # URL: http://fileformats.archiveteam.org/wiki/Lynx_archive
2443 # Reference: http://ist.uwaterloo.ca/~schepers/formats/LNX.TXT
2444 # http://mark0.net/download/triddefs_xml.7z/defs/a/ark-lnx.trid.xml
2445 # Note: called "Lynx archive" by TrID and "Commodore C64 BASIC program" with "POKE 53280" by ./c64
2446 # TODO: merge and unify with Commodore C64 BASIC program
2447 56 string USE\040LYNX\040TO\040DISSOLVE\040THIS\040FILE LyNX archive
2448 # display "Lynx archive" (strength=330) before Commodore C64 BASIC program (strength=50) handled by ./c64
2450 #!:mime application/octet-stream
2451 !:mime application/x-commodore-lnx
2453 # afterwards look for BASIC tokenized GOTO (89h) 10, line terminator \0, end of programm tag \0\0 and CarriageReturn
2454 >86 search/10 \x8910\0\0\0\r \b,
2456 #>>&0 string x STRING="%s"
2457 # number in ASCII of directory blocks with spaces on both sides like: 1 2 3 5
2458 >>&0 regex [0-9]{1,5} %s directory blocks
2459 # signature like: "*LYNX XII BY WILL CORLEY" " LYNX IX BY WILL CORLEY" "*LYNX BY CBMCONVERT 2.0*"
2460 >>>&2 regex [^\r]{1,24} \b, signature "%s"
2461 # number of files in ASCII surrounded by spaces and delimited by CR like: 2 3 6 13 69 144 (maximum?)
2462 >>>>&1 regex [0-9]{1,3} \b, %s files
2464 # From: Joerg Jenderek
2465 # URL: https://www.acronis.com/
2466 # Reference: https://en.wikipedia.org/wiki/TIB_(file_format)
2467 # Note: only tested with True Image 2013 Build 5962 and 2019 Build 14110
2468 0 ubequad 0xce24b9a220000000 Acronis True Image backup
2469 !:mime application/x-acronis-tib
2472 #>20 ubelong x \b, at 20 %#x
2474 #>28 ubelong x \b, at 28 %#x
2475 # strings like "Generic- SD/MMC 1.00" "Unknown Disk" "Msft Virtual Disk 1.0"
2477 # strings like "\Device\0000011e" "\Device\0000015a"
2478 #>0 search/0x6852300/cs \\Device\\
2479 #>>&-1 pstring x \b, %s
2480 # "\Device\HarddiskVolume30" "\Device\HarddiskVolume39"
2481 #>>>&1 search/180/cs \\Device\\
2482 #>>>>&-1 pstring x \b, %s
2483 #>>>>>&0 search/29/cs \0\0\xc8\0
2485 #>>>>>>&10 lestring16 x \b, disk label %11.11s
2486 #>>>>>>&9 plestring16 x \b, disk label "%11.11s"
2487 #>>>>>>&10 ubequad x %16.16llx
2490 # Gentoo XPAK binary package
2491 # by Michal Gorny <mgorny@gentoo.org>
2492 # https://gitweb.gentoo.org/proj/portage.git/tree/man/xpak.5
2494 >-16 string XPAKSTOP Gentoo binary package (XPAK)
2495 !:mime application/vnd.gentoo.xpak
2497 # From: Joerg Jenderek
2498 # URL: https://kodi.wiki/view/TexturePacker
2499 # Reference: https://mirrors.kodi.tv/releases/source/17.3-Krypton.tar.gz
2500 # /xbmc-Krypton/xbmc/guilib/XBTF.h
2501 # /xbmc-Krypton/xbmc/guilib/XBTF.cpp
2503 # skip ASCII text by looking for terminating \0 of path
2504 >264 ubyte 0 XBMC texture package
2505 !:mime application/x-xbmc-xbt
2508 >>4 string !2 \b, version %-.1s
2509 # nofFiles /xbmc-Krypton/xbmc/guilib/XBTFReader.cpp
2510 >>5 ulelong x \b, %u file
2513 # path[CXBTFFile[MaximumPathLength=256]
2514 >>9 string x \b, 1st %s
2517 # by Hyungjun Park <hyungjun.park@worksmobile.com>, Hajin Jang <hajin_jang@worksmobile.com>
2518 # http://kippler.com/win/unalz/
2519 # https://salsa.debian.org/l10n-korean-team/unalz
2520 0 string ALZ\001 ALZ archive data
2523 # https://cf-aldn.altools.co.kr/setup/EGG_Specification.zip
2524 0 string EGGA EGG archive data,
2526 >5 byte x version %u
2528 >>0x0E ulelong =0x08E28222
2529 >>0x0E ulelong =0x24F5A262 \b, split
2530 >>0x0E ulelong =0x24E5A060 \b, solid
2531 >>0x0E default x \b, unknown
2534 # URL: http://mattmahoney.net/dc/#paq9a
2535 # Note: Line 1186 of paq9a.cpp gives the magic bytes
2536 0 string pQ9\001 PAQ9A archive
2538 # From wof (wof@stachelkaktus.net)
2539 0 string Unison\ archive\ format Unison archive format
2541 # https://ankiweb.net
2542 30 string collection.anki2 Anki APKG file
2545 # Synology archive (DiskStation Manager 7.0+)
2546 # From: Alexandre Iooss <erdnaxe@crans.org>
2547 # Note: These archives are signed and encrypted.
2548 0 ulelong&0xFFFFFF00 0xEFBEAD00
2549 # MessagePack header (fixarray of 5 elements starting with a bin of 32 bytes)
2550 >8 ulelong&0x00FFFFFF 0x20C495 Synology archive
2552 # Extract some properties from MessagePack third item
2553 >>43 search/0x10000 package=
2554 >>>&0 string x \b, package %s
2555 >>43 search/0x10000 arch=
2557 >>43 search/0x10000 version=
2559 >>43 search/0x10000 create_time=
2560 >>>&0 string x \b, created on %s
2562 # MonoGame/XNA processed assets archive
2563 # From: Alexandre Iooss <erdnaxe@crans.org>
2564 # URL: https://github.com/MonoGame/MonoGame/blob/v3.8.1/MonoGame.Framework/Content/ContentManager.cs
2566 # XNB must be version 4 or 5
2569 # Size must be positive
2570 >>>6 lelong >0 MonoGame/XNA processed assets
2572 >>>>3 string =w \b, for Windows
2573 >>>>3 string =x \b, for Xbox360
2574 >>>>3 string =i \b, for iOS
2575 >>>>3 string =a \b, for Android
2576 >>>>3 string =d \b, for DesktopGL
2577 >>>>3 string =X \b, for MacOSX
2578 >>>>3 string =W \b, for WindowsStoreApp
2579 >>>>3 string =n \b, for NativeClient
2580 >>>>3 string =M \b, for WindowsPhone8
2581 >>>>3 string =r \b, for RaspberryPi
2582 >>>>3 string =P \b, for PlayStation4
2583 >>>>3 string =5 \b, for PlayStation5
2584 >>>>3 string =O \b, for XboxOne
2585 >>>>3 string =S \b, for Nintendo Switch
2586 >>>>3 string =G \b, for Google Stadia
2587 >>>>3 string =b \b, for WebAssembly and Bridge.NET
2588 >>>>3 string =m \b, for WindowsPhone7.0 (XNA)
2589 >>>>3 string =p \b, for PlayStationMobile
2590 >>>>3 string =v \b, for PSVita
2591 >>>>3 string =g \b, for Windows (OpenGL)
2592 >>>>3 string =l \b, for Linux
2593 >>>>4 byte x \b, version %d
2594 >>>>5 byte &0x80 \b, LZX compressed
2595 >>>>>10 lelong x \b, decompressed size: %d bytes
2596 >>>>5 byte &0x40 \b, LZ4 compressed
2597 >>>>>10 lelong x \b, decompressed size: %d bytes
2599 # Electron ASAR archive
2600 # From: Alexandre Iooss <erdnaxe@crans.org>
2601 # URL: https://github.com/electron/asar
2603 # Match JSON header start and end
2604 >16 string {"files":{"
2605 >>(12.l+12) string }}}} Electron ASAR archive
2607 >>>12 ulelong x \b, header length: %d bytes