While preparing my own table of magic numbers, Bill Kuhns, Information Technology Specialist at the Vermont Manufacturing Extension Center, reminded me about the Linux file command, one function of which is to indicate a file's type — which it determines from information in the magic file.
Bill notes:
The author of 'file' is Christos Zoulas, and Eric Raymond has a discussion from 1996 about the subject at http://www.tuxedo.org/~esr/magic-numbers/index.html. Per the online help (man page):
You can obtain the original author's latest version by anonymous FTP on ftp.astron.com
in the directory /pub/file/file-X.YY.tar.gz.
The file below is a copy of /usr/share/magic from a Red Hat Linux system:
# Magic
# Magic data for file(1) command.
# Machine-generated from src/cmd/file/magdir/*; edit there only!
# Format is described in magic(files), where:
# files is 5 on V7 and BSD, 4 on SV, and ?? in the SVID.
#------------------------------------------------------------------------------
# Localstuff: file(1) magic for locally observed files
#
# $Id: Localstuff,v 1.3 1995/01/21 21:09:00 christos Exp $
# Add any locally observed files here. Remember:
# text if readable, executable if runnable binary, data if unreadable.
# XXX promoted from tex so that *.tfm is not mis-identified as mc68k file.
# There is no way to detect TeX Font Metric (*.tfm) files without
# breaking them apart and reading the data. The following patterns
# match most *.tfm files generated by METAFONT or afm2tfm.
2 string \000\021 TeX font metric data
>33 string >\0 (%s)
2 string \000\022 TeX font metric data
>33 string >\0 (%s)
#------------------------------------------------------------------------------
# adventure: file(1) magic for Adventure game files
#
# from Allen Garvin
# Edited by Dave Chapeskie Jun 28, 1998
#
# ALAN
# I assume there are other, lower versions, but these are the only ones I
# saw in the archive.
0 beshort 0x0206 ALAN text adventure code data
>2 byte <10 version 2.6%d
# Conflicts with too much other stuff!
# Infocom
# (Note: to avoid false matches Z-machine version 1 and 2 are not
# recognized since only the oldest Zork I and II used them. Similarly
# there are 4 Infocom games that use verion 4 that are not recognized.)
#0 byte 3 Infocom game data (Z-machine 3,
#>2 beshort <0x7fff Release %3d,
#>26 beshort >0 Size %d*2
#>18 string >\0 Serial %.6s)
#0 byte 5 Infocom game data (Z-machine 5,
#>2 beshort <0x7fff Release %3d,
#>26 beshort >0 Size %d*4
#>18 string >\0 Serial %.6s)
#0 byte 6 Infocom game data (Z-machine 6,
#>2 beshort <0x7fff Release %3d,
#>26 beshort >0 Size %d*8
#>18 string >\0 Serial %.6s)
#0 byte 8 Infocom game data (Z-machine 8,
#>2 beshort <0x7fff Release %3d,
#>26 beshort >0 Size %d*8
#>18 string >\0 Serial %.6s)
# TADS (Text Adventure Development System)
0 string TADS TADS game data
>13 string >\0 (ver. %.6s,
>22 string >\0 date %s)
#------------------------------------------------------------------------------
# allegro: file(1) magic for Allegro datafiles
# Toby Deshane
#
0 belong 0x736C6821 Allegro datafile (packed)
0 belong 0x736C682E Allegro datafile (not packed/autodetect)
0 belong 0x736C682B Allegro datafile (appended exe data)
#------------------------------------------------------------------------------
# alliant: file(1) magic for Alliant FX series a.out files
#
# If the FX series is the one that had a processor with a 68K-derived
# instruction set, the "short" should probably become "beshort" and the
# "long" should probably become "belong".
# If it's the i860-based one, they should probably become either the
# big-endian or little-endian versions, depending on the mode they ran
# the 860 in....
#
0 short 0420 0420 Alliant virtual executable
>2 short &0x0020 common library
>16 long >0 not stripped
0 short 0421 0421 Alliant compact executable
>2 short &0x0020 common library
>16 long >0 not stripped
#------------------------------------------------------------------------------
# alpha architecture description
#
0 leshort 0603 COFF format alpha
>22 leshort&030000 !020000 executable
>24 leshort 0410 pure
>24 leshort 0413 paged
>22 leshort&020000 !0 dynamically linked
>16 lelong !0 not stripped
>16 lelong 0 stripped
>22 leshort&030000 020000 shared library
>24 leshort 0407 object
>27 byte x - version %d
>26 byte x �.%d
>28 byte x �-%d
# Basic recognition of Digital UNIX core dumps - Mike Bremford
#
# The actual magic number is just "Core", followed by a 2-byte version
# number; however, treating any file that begins with "Core" as a Digital
# UNIX core dump file may produce too many false hits, so we include one
# byte of the version number as well; DU 5.0 appears only to be up to
# version 2.
#
0 string Core\001 Alpha COFF format core dump (Digital UNIX)
>24 string >\0 \b, from '%s'
0 string Core\002 Alpha COFF format core dump (Digital UNIX)
>24 string >\0 \b, from '%s'
#------------------------------------------------------------------------------
# amanda: file(1) magic for amanda file format
#
0 string AMANDA:\ AMANDA
>8 string TAPESTART\ DATE tape header file,
>>23 string X
>>>25 string >\ Unused %s
>>23 string >\ DATE %s
>8 string FILE\ dump file,
>>13 string >\ DATE %s
#------------------------------------------------------------------------------
# amigaos: file(1) magic for AmigaOS binary formats:
#
# From ignatios@cs.uni-bonn.de (Ignatios Souvatzis)
# Some formats are still missing: AmigaOS special IFF's, e.g.: FORM....CTLG
# (the others should be seperate, anyway)
#
0 belong 0x000003f3 AmigaOS loadseg()ble executable/binary
0 belong 0x000003e7 AmigaOS object/library data
#------------------------------------------------------------------------------
# animation: file(1) magic for animation/movie formats
#
# animation formats
# MPEG, FLI, DL originally from vax@ccwf.cc.utexas.edu (VaX#n8)
# FLC, SGI, Apple originally from Daniel Quinlan (quinlan@yggdrasil.com)
# MPEG animation format
0 belong 0x000001b3 MPEG video stream data
#>4 beshort&0xfff0 x (%d x
#>5 beshort&0x0fff x %d)
0 belong 0x000001ba MPEG system stream data
# MPEG Audio (*.mpx)
# from dreesen@math.fu-berlin.de
# XXX
# This conflicts with the FF FE signature for UTF-16-encoded Unicode
# text, which will be identified as an MP3 file. I don't have any MP3s
# so I don't know how to (or even if it's possible to) change this to
# tell the two apart. enf@pobox.com
0 beshort &0xfff0 MP
# MPEG 1.0
>1 byte&0x08 =0x08 \b
# Layer 3
>>1 byte &0x02 \b3
>>>2 byte&0xf0 =0x10 \b, 32 kBits
>>>2 byte&0xf0 =0x20 \b, 40 kBits
>>>2 byte&0xf0 =0x30 \b, 48 kBits
>>>2 byte&0xf0 =0x40 \b, 56 kBits
>>>2 byte&0xf0 =0x50 \b, 64 kBits
>>>2 byte&0xf0 =0x60 \b, 80 kBits
>>>2 byte&0xf0 =0x70 \b, 96 kBits
>>>2 byte&0xf0 =0x80 \b, 112 kBits
>>>2 byte&0xf0 =0x90 \b, 128 kBits
>>>2 byte&0xf0 =0xA0 \b, 160 kBits
>>>2 byte&0xf0 =0xB0 \b, 192 kBits
>>>2 byte&0xf0 =0xC0 \b, 224 kBits
>>>2 byte&0xf0 =0xD0 \b, 256 kBits
>>>2 byte&0xf0 =0xE0 \b, 320 kBits
# Layer 2
>>1 byte &0x04 \b2
>>>2 byte&0xf0 =0x10 \b, 32 kBits
>>>2 byte&0xf0 =0x20 \b, 48 kBits
>>>2 byte&0xf0 =0x30 \b, 56 kBits
>>>2 byte&0xf0 =0x40 \b, 64 kBits
>>>2 byte&0xf0 =0x50 \b, 80 kBits
>>>2 byte&0xf0 =0x60 \b, 96 kBits
>>>2 byte&0xf0 =0x70 \b, 112 kBits
>>>2 byte&0xf0 =0x80 \b, 128 kBits
>>>2 byte&0xf0 =0x90 \b, 160 kBits
>>>2 byte&0xf0 =0xA0 \b, 192 kBits
>>>2 byte&0xf0 =0xB0 \b, 224 kBits
>>>2 byte&0xf0 =0xC0 \b, 256 kBits
>>>2 byte&0xf0 =0xD0 \b, 320 kBits
>>>2 byte&0xf0 =0xE0 \b, 384 kBits
# freq
>>2 byte&0x0C =0x00 \b, 44.1 kHz
>>2 byte&0x0C =0x04 \b, 48 kHz
>>2 byte&0x0C =0x08 \b, 32 kHz
# MPEG 2.0
>1 byte&0x08 =0x00 \b
# Layer 3
>>1 byte &0x02 \b3
# Layer 2
>>1 byte &0x04 \b2
>>2 byte&0xf0 =0x10 \b, 8 kBits
>>2 byte&0xf0 =0x20 \b, 16 kBits
>>2 byte&0xf0 =0x30 \b, 24 kBits
>>2 byte&0xf0 =0x40 \b, 32 kBits
>>2 byte&0xf0 =0x50 \b, 40 kBits
>>2 byte&0xf0 =0x60 \b, 48 kBits
>>2 byte&0xf0 =0x70 \b, 56 kBits
>>2 byte&0xf0 =0x80 \b, 64 kBits
>>2 byte&0xf0 =0x90 \b, 80 kBits
>>2 byte&0xf0 =0xA0 \b, 96 kBits
>>2 byte&0xf0 =0xB0 \b, 112 kBits
>>2 byte&0xf0 =0xC0 \b, 128 kBits
>>2 byte&0xf0 =0xD0 \b, 144 kBits
>>2 byte&0xf0 =0xE0 \b, 160 kBits
# freq
>>2 byte&0x0C =0x00 \b, 22.05 kHz
>>2 byte&0x0C =0x04 \b, 24 kHz
>>2 byte&0x0C =0x08 \b, 16 kHz
# misc
>3 byte&0xC0 =0x00 \b, Stereo
>3 byte&0xC0 =0x40 \b, JStereo
>3 byte&0xC0 =0x80 \b, Dual-Ch
>3 byte&0xC0 =0xC0 \b, Mono
#>1 byte&0x01 =0x00 \b, Error Protection
#>2 byte&0x02 =0x02 \b, Padding
#>2 byte&0x01 =0x01 \b, Private
#>3 byte&0x08 =0x08 \b, Copyright
#>3 byte&0x04 =0x04 \b, Original
#>3 byte&0x03 1 \b, Emphasis 5
#>3 byte&0x03 3 \b, Emphasis c
# FLI animation format
4 leshort 0xAF11 FLI file
>6 leshort x - %d frames,
>8 leshort x width=%d pixels,
>10 leshort x height=%d pixels,
>12 leshort x depth=%d,
>16 leshort x ticks/frame=%d
# FLC animation format
4 leshort 0xAF12 FLC file
>6 leshort x - %d frames
>8 leshort x width=%d pixels,
>10 leshort x height=%d pixels,
>12 leshort x depth=%d,
>16 leshort x ticks/frame=%d
# DL animation format
# XXX - collision with most `mips' magic
#
# I couldn't find a real magic number for these, however, this
# -appears- to work. Note that it might catch other files, too, so be
# careful!
#
# Note that title and author appear in the two 20-byte chunks
# at decimal offsets 2 and 22, respectively, but they are XOR'ed with
# 255 (hex FF)! The DL format is really bad.
#
#0 byte 1 DL version 1, medium format (160x100, 4 images/screen)
#>42 byte x - %d screens,
#>43 byte x %d commands
#0 byte 2 DL version 2
#>1 byte 1 - large format (320x200,1 image/screen),
#>1 byte 2 - medium format (160x100,4 images/screen),
#>1 byte >2 - unknown format,
#>42 byte x %d screens,
#>43 byte x %d commands
# Based on empirical evidence, DL version 3 have several nulls following the
# \003. Most of them start with non-null values at hex offset 0x34 or so.
#0 string \3\0\0\0\0\0\0\0\0\0\0\0 DL version 3
# SGI and Apple formats
0 string MOVI Silicon Graphics movie file
4 string moov Apple QuickTime movie file (moov)
4 string mdat Apple QuickTime movie file (mdat)
#------------------------------------------------------------------------------
# apl: file(1) magic for APL (see also "pdp" and "vax" for other APL
# workspaces)
#
0 long 0100554 APL workspace (Ken's original?)
#------------------------------------------------------------------------------
# apple: file(1) magic for Apple file formats
#
0 string FiLeStArTfIlEsTaRt binscii (apple ][) text
0 string \x0aGL Binary II (apple ][) data
0 string \x76\xff Squeezed (apple ][) data
0 string NuFile NuFile archive (apple ][) data
0 string N\xf5F\xe9l\xe5 NuFile archive (apple ][) data
0 belong 0x00051600 AppleSingle encoded Macintosh fi
le
0 belong 0x00051607 AppleDouble encoded Macintosh fi
le
# magic for Newton PDA package formats
# from Ruda Moura
0 string package Newton package,
>7 byte 48 NOS 1.x,
>7 byte 49 NOS 2.x,
>12 belong &0x80000000 AutoRemove,
>12 belong &0x40000000 CopyProtect,
>12 belong &0x10000000 NoCompression,
>12 belong &0x04000000 Relocation,
>12 belong &0x02000000 UseFasterCompression,
>16 belong x version %d
# The following entries for the Apple II are for files that have
# been transferred as raw binary data from an Apple, without having
# been encapsulated by any of the above archivers.
#
# In general, Apple II formats are hard to identify because Apple DOS
# and especially Apple ProDOS have strong typing in the file system and
# therefore programmers never felt much need to include type information
# in the files themselves.
#
# Eric Fischer
# AppleWorks word processor:
#
# This matches the standard tab stops for an AppleWorks file, but if
# a file has a tab stop set in the first four columns this will fail.
#
# The "O" is really the magic number, but that's so common that it's
# necessary to check the tab stops that follow it to avoid false positives.
4 string O==== AppleWorks word processor data
>85 byte&0x01 >0 \b, zoomed
>90 byte&0x01 >0 \b, paginated
>92 byte&0x01 >0 \b, with mail merge
#>91 byte x \b, left margin %d
# AppleWorks database:
#
# This isn't really a magic number, but it's the closest thing to one
# that I could find. The 1 and 2 really mean "order in which you defined
# categories" and "left to right, top to bottom," respectively; the D and R
# mean that the cursor should move either down or right when you press Return.
30 string \x01D AppleWorks database data
30 string \x02D AppleWorks database data
30 string \x01R AppleWorks database data
30 string \x02R AppleWorks database data
# AppleWorks spreadsheet:
#
# Likewise, this isn't really meant as a magic number. The R or C means
# row- or column-order recalculation; the A or M means automatic or manual
# recalculation.
131 string RA AppleWorks spreadsheet data
131 string RM AppleWorks spreadsheet data
131 string CA AppleWorks spreadsheet data
131 string CM AppleWorks spreadsheet data
# Applesoft BASIC:
#
# This is incredibly sloppy, but will be true if the program was
# written at its usual memory location of 2048 and its first line
# number is less than 256. Yuck.
0 belong&0xff00ff 0x80000 Applesoft BASIC program data
#>2 leshort x \b, first line number %d
# ORCA/EZ assembler:
#
# This will not identify ORCA/M source files, since those have
# some sort of date code instead of the two zero bytes at 6 and 7
# XXX Conflicts with ELF
#4 belong&0xff00ffff 0x01000000 ORCA/EZ assembler source data
#>5 byte x \b, build number %d
# Broderbund Fantavision
#
# I don't know what these values really mean, but they seem to recur.
# Will they cause too many conflicts?
# Probably :-)
#2 belong&0xFF00FF 0x040008 Fantavision movie data
# Some attempts at images.
#
# These are actually just bit-for-bit dumps of the frame buffer, so
# there's really no reasonably way to distinguish them except for their
# address (if preserved) -- 8192 or 16384 -- and their length -- 8192
# or, occasionally, 8184.
#
# Nevertheless this will manage to catch a lot of images that happen
# to have a solid-colored line at the bottom of the screen.
8144 string \x7F\x7F\x7F\x7F\x7F\x7F\x7F\x7F Apple II image with whit
e background
8144 string \x55\x2A\x55\x2A\x55\x2A\x55\x2A Apple II image with purp
le background
8144 string \x2A\x55\x2A\x55\x2A\x55\x2A\x55 Apple II image with gree
n background
8144 string \xD5\xAA\xD5\xAA\xD5\xAA\xD5\xAA Apple II image with blue
background
8144 string \xAA\xD5\xAA\xD5\xAA\xD5\xAA\xD5 Apple II image with oran
ge background
# Beagle Bros. Apple Mechanic fonts
0 belong&0xFF00FFFF 0x6400D000 Apple Mechanic font
#------------------------------------------------------------------------------
# applix: file(1) magic for Applixware
# From: Peter Soos
#
0 string *BEGIN Applixware
>7 string WORDS Words Document
>7 string GRAPHICS Graphic
>7 string RASTER Bitmap
>7 string SPREADSHEETS Spreadsheet
>7 string MACRO Macro
>7 string BUILDER Builder Object
#------------------------------------------------------------------------------
# archive: file(1) magic for archive formats (see also "msdos" for self-
# extracting compressed archives)
#
# cpio, ar, arc, arj, hpack, lha/lharc, rar, squish, uc2, zip, zoo, etc.
# pre-POSIX "tar" archives are handled in the C code.
# POSIX tar archives
257 string ustar\0 POSIX tar archive
257 string ustar\040\040\0 GNU tar archive
# cpio archives
#
# Yes, the top two "cpio archive" formats *are* supposed to just be "short".
# The idea is to indicate archives produced on machines with the same
# byte order as the machine running "file" with "cpio archive", and
# to indicate archives produced on machines with the opposite byte order
# from the machine running "file" with "byte-swapped cpio archive".
#
# The SVR4 "cpio(4)" hints that there are additional formats, but they
# are defined as "short"s; I think all the new formats are
# character-header formats and thus are strings, not numbers.
0 short 070707 cpio archive
0 short 0143561 byte-swapped cpio archive
0 string 070707 ASCII cpio archive (pre-SVR4 or odc)
0 string 070701 ASCII cpio archive (SVR4 with no CRC)
0 string 070702 ASCII cpio archive (SVR4 with CRC)
# Debian package (needs to go before regular portable archives)
#
0 string !\ndebian
>8 string debian-split part of multipart Debian package
>8 string debian-binary Debian binary package
>68 string >\n (format %s)
>136 ledate x created: %s
# other archives
0 long 0177555 very old archive
0 short 0177555 very old PDP-11 archive
0 long 0177545 old archive
0 short 0177545 old PDP-11 archive
0 long 0100554 apl workspace
0 string = archive
# MIPS archive (needs to go before regular portable archives)
#
0 string !\n__________E MIPS archive
>20 string U with MIPS Ucode members
>21 string L with MIPSEL members
>21 string B with MIPSEB members
>19 string L and an EL hash table
>19 string B and an EB hash table
>22 string X -- out of date
0 string -h- Software Tools format archive text
#
# XXX - why are there multiple thingies? Note that 0x213c6172 is
# "! current ar archive
# 0 long 0x213c6172 archive file
#
# and for SVR1 archives, we have:
#
# 0 string \ System V Release 1 ar archive
# 0 string = archive
#
# XXX - did Aegis really store shared libraries, breakpointed modules,
# and absolute code program modules in the same format as new-style
# "ar" archives?
#
0 string ! current ar archive
>8 string __.SYMDEF random library
>0 belong =65538 - pre SR9.5
>0 belong =65539 - post SR9.5
>0 beshort 2 - object archive
>0 beshort 3 - shared library module
>0 beshort 4 - debug break-pointed module
>0 beshort 5 - absolute code program module
0 string \ System V Release 1 ar archive
0 string = archive
#
# XXX - from "vax", which appears to collect a bunch of byte-swapped
# thingies, to help you recognize VAX files on big-endian machines;
# with "leshort", "lelong", and "string", that's no longer necessary....
#
0 belong 0x65ff0000 VAX 3.0 archive
0 belong 0x3c61723e VAX 5.0 archive
#
0 long 0x213c6172 archive file
0 lelong 0177555 very old VAX archive
0 leshort 0177555 very old PDP-11 archive
#
# XXX - "pdp" claims that 0177545 can have an __.SYMDEF member and thus
# be a random library (it said 0xff65 rather than 0177545).
#
0 lelong 0177545 old VAX archive
>8 string __.SYMDEF random library
0 leshort 0177545 old PDP-11 archive
>8 string __.SYMDEF random library
#
# From "pdp" (but why a 4-byte quantity?)
#
0 lelong 0x39bed PDP-11 old archive
0 lelong 0x39bee PDP-11 4.0 archive
# ARC archiver, from Daniel Quinlan (quinlan@yggdrasil.com)
#
# The first byte is the magic (0x1a), byte 2 is the compression type for
# the first file (0x01 through 0x09), and bytes 3 to 15 are the MS-DOS
# filename of the first file (null terminated). Since some types collide
# we only test some types on basis of frequency: 0x08 (83%), 0x09 (5%),
# 0x02 (5%), 0x03 (3%), 0x04 (2%), 0x06 (2%). 0x01 collides with terminfo.
0 lelong&0x8080ffff 0x0000081a ARC archive data, dynamic LZW
0 lelong&0x8080ffff 0x0000091a ARC archive data, squashed
0 lelong&0x8080ffff 0x0000021a ARC archive data, uncompressed
0 lelong&0x8080ffff 0x0000031a ARC archive data, packed
0 lelong&0x8080ffff 0x0000041a ARC archive data, squeezed
0 lelong&0x8080ffff 0x0000061a ARC archive data, crunched
# Acorn archive formats (Disaster prone simpleton, m91dps@ecs.ox.ac.uk)
# I can't create either SPARK or ArcFS archives so I have not tested this stuff
# [GRR: the original entries collide with ARC, above; replaced with combined
# version (not tested)]
#0 byte 0x1a RISC OS archive
#>1 string archive (ArcFS format)
0 string \032archive RISC OS archive (ArcFS format)
# ARJ archiver (jason@jarthur.Claremont.EDU)
0 leshort 0xea60 ARJ archive data
>5 byte x \b, v%d,
>8 byte &0x04 multi-volume,
>8 byte &0x10 slash-switched,
>8 byte &0x20 backup,
>34 string x original name: %s,
>7 byte 0 os: MS-DOS
>7 byte 1 os: PRIMOS
>7 byte 2 os: Unix
>7 byte 3 os: Amiga
>7 byte 4 os: Macintosh
>7 byte 5 os: OS/2
>7 byte 6 os: Apple ][ GS
>7 byte 7 os: Atari ST
>7 byte 8 os: NeXT
>7 byte 9 os: VAX/VMS
>3 byte >0 %d]
# HA archiver (Greg Roelofs, newt@uchicago.edu)
# This is a really bad format. A file containing HAWAII will match this...
#0 string HA HA archive data,
#>2 leshort =1 1 file,
#>2 leshort >1 %u files,
#>4 byte&0x0f =0 first is type CPY
#>4 byte&0x0f =1 first is type ASC
#>4 byte&0x0f =2 first is type HSC
#>4 byte&0x0f =0x0e first is type DIR
#>4 byte&0x0f =0x0f first is type SPECIAL
# HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz)
0 string HPAK HPACK archive data
# JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net
0 string \351,\001JAM\ JAM archive,
>7 string >\0 version %.4s
>0x26 byte =0x27 -
>>0x2b string >\0 label %.11s,
>>0x27 lelong x serial %08x,
>>0x36 string >\0 fstype %.8s
# LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu)
2 string -lh0- LHarc 1.x archive data [lh0]
2 string -lh1- LHarc 1.x archive data [lh1]
2 string -lz4- LHarc 1.x archive data [lz4]
2 string -lz5- LHarc 1.x archive data [lz5]
# [never seen any but the last; -lh4- reported in comp.compression:]
2 string -lzs- LHa 2.x? archive data [lzs]
2 string -lh\40- LHa 2.x? archive data [lh ]
2 string -lhd- LHa 2.x? archive data [lhd]
2 string -lh2- LHa 2.x? archive data [lh2]
2 string -lh3- LHa 2.x? archive data [lh3]
2 string -lh4- LHa (2.x) archive data [lh4]
2 string -lh5- LHa (2.x) archive data [lh5]
>20 byte x - header level %d
# RAR archiver (Greg Roelofs, newt@uchicago.edu)
0 string Rar! RAR archive data
# SQUISH archiver (Greg Roelofs, newt@uchicago.edu)
0 string SQSH squished archive data (Acorn RISCOS)
# UC2 archiver (Greg Roelofs, newt@uchicago.edu)
# I can't figure out the self-extracting form of these buggers...
0 string UC2\x1a UC2 archive data
# ZIP archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)
0 string PK\003\004 Zip archive data
>4 byte 0x09 \b, at least v0.9 to extract
>4 byte 0x0a \b, at least v1.0 to extract
>4 byte 0x0b \b, at least v1.1 to extract
>4 byte 0x14 \b, at least v2.0 to extract
# Zoo archiver
20 lelong 0xfdc4a7dc Zoo archive data
>4 byte >48 \b, v%c.
>>6 byte >47 \b%c
>>>7 byte >47 \b%c
>32 byte >0 \b, modify: v%d
>>33 byte x \b.%d+
>42 lelong 0xfdc4a7dc \b,
>>70 byte >0 extract: v%d
>>>71 byte x \b.%d+
# Shell archives
10 string #\ This\ is\ a\ shell\ archive shell archive text
#
# LBR. NB: May conflict with the questionable
# "binary Computer Graphics Metafile" format.
#
0 string \0\ \ \ \ \ \ \ \ \ \ \ \0\0 LBR archive data
#
# PMA (CP/M derivative of LHA)
#
2 string -pm0- PMarc archive data [pm0]
2 string -pm1- PMarc archive data [pm1]
2 string -pm2- PMarc archive data [pm2]
2 string -pms- PMarc SFX archive (CP/M, DOS)
5 string -pc1- PopCom compressed executable (CP/M)
# From rafael@icp.inpg.fr (Rafael Laboissiere)
# The Project Revision Control System (see
# http://www.XCF.Berkeley.EDU/~jmacd/prcs.html) generates a packaged project
# file which is recognized by the following entry:
0 leshort 0xeb81 PRCS packaged project
#------------------------------------------------------------------------------
# asterix: file(1) magic for Aster*x; SunOS 5.5.1 gave the 4-character
# strings as "long" - we assume they're just strings:
# From: guy@netapp.com (Guy Harris)
#
0 string *STA Aster*x
>7 string WORD Words Document
>7 string GRAP Graphic
>7 string SPRE Spreadsheet
>7 string MACR Macro
0 string 2278 Aster*x Version 2
>29 byte 0x36 Words Document
>29 byte 0x35 Graphic
>29 byte 0x32 Spreadsheet
>29 byte 0x38 Macro
#------------------------------------------------------------------------------
# att3b: file(1) magic for AT&T 3B machines
#
# The `versions' should be un-commented if they work for you.
# (Was the problem just one of endianness?)
#
# 3B20
#
# The 3B20 conflicts with SCCS.
#0 beshort 0550 3b20 COFF executable
#>12 belong >0 not stripped
#>22 beshort >0 - version %ld
#0 beshort 0551 3b20 COFF executable (TV)
#>12 belong >0 not stripped
#>22 beshort >0 - version %ld
#
# WE32K
#
0 beshort 0560 WE32000 COFF
>18 beshort ^00000020 object
>18 beshort &00000020 executable
>12 belong >0 not stripped
>18 beshort ^00010000 N/A on 3b2/300 w/paging
>18 beshort &00020000 32100 required
>18 beshort &00040000 and MAU hardware required
>20 beshort 0407 (impure)
>20 beshort 0410 (pure)
>20 beshort 0413 (demand paged)
>20 beshort 0443 (target shared library)
>22 beshort >0 - version %ld
0 beshort 0561 WE32000 COFF executable (TV)
>12 belong >0 not stripped
#>18 beshort &00020000 - 32100 required
#>18 beshort &00040000 and MAU hardware required
#>22 beshort >0 - version %ld
#
# core file for 3b2
0 string \000\004\036\212\200 3b2 core file
>364 string >\0 of '%s'
#------------------------------------------------------------------------------
# audio: file(1) magic for sound formats (see also "iff")
#
# Jan Nicolai Langfeldt (janl@ifi.uio.no), Dan Quinlan (quinlan@yggdrasil.com),
# and others
#
# Sun/NeXT audio data
0 string .snd Sun/NeXT audio data:
>12 belong 1 8-bit ISDN u-law,
>12 belong 2 8-bit linear PCM [REF-PCM],
>12 belong 3 16-bit linear PCM,
>12 belong 4 24-bit linear PCM,
>12 belong 5 32-bit linear PCM,
>12 belong 6 32-bit IEEE floating point,
>12 belong 7 64-bit IEEE floating point,
>12 belong 23 8-bit ISDN u-law compressed (CCITT G.721
ADPCM voice data encoding),
>12 belong 24 compressed (8-bit G.722 ADPCM)
>12 belong 25 compressed (3-bit G.723 ADPCM),
>12 belong 26 compressed (5-bit G.723 ADPCM),
>12 belong 27 8-bit A-law,
>20 belong 1 mono,
>20 belong 2 stereo,
>20 belong 4 quad,
>16 belong >0 %d Hz
# DEC systems (e.g. DECstation 5000) use a variant of the Sun/NeXT format
# that uses little-endian encoding and has a different magic number
0 lelong 0x0064732E DEC audio data:
>12 lelong 1 8-bit ISDN u-law,
>12 lelong 2 8-bit linear PCM [REF-PCM],
>12 lelong 3 16-bit linear PCM,
>12 lelong 4 24-bit linear PCM,
>12 lelong 5 32-bit linear PCM,
>12 lelong 6 32-bit IEEE floating point,
>12 lelong 7 64-bit IEEE floating point,
>12 lelong 23 8-bit ISDN u-law compressed (CCITT G.721
ADPCM voice data encoding),
>20 lelong 1 mono,
>20 lelong 2 stereo,
>20 lelong 4 quad,
>16 lelong >0 %d Hz
# Creative Labs AUDIO stuff
0 string MThd Standard MIDI data
>9 byte >0 (format %d)
>11 byte >1 using %d tracks
0 string CTMF Creative Music (CMF) data
0 string SBI SoundBlaster instrument data
0 string Creative\ Voice\ File Creative Labs voice data
# is this next line right? it came this way...
>19 byte 0x1A
>23 byte >0 - version %d
>22 byte >0 \b.%d
# first entry is also the string "NTRK"
0 belong 0x4e54524b MultiTrack sound data
>4 belong x - version %ld
# Extended MOD format (*.emd) (Greg Roelofs, newt@uchicago.edu); NOT TESTED
# [based on posting 940824 by "Dirk/Elastik", husberg@lehtori.cc.tut.fi]
0 string EMOD Extended MOD sound data,
>4 byte&0xf0 x version %d
>4 byte&0x0f x \b.%d,
>45 byte x %d instruments
>83 byte 0 (module)
>83 byte 1 (song)
# Real Audio (Magic .ra\0375)
0 belong 0x2e7261fd RealAudio sound file
0 string .RMF RealMedia file
# MTM/669/FAR/S3M/ULT/XM format checking [Aaron Eppert, aeppert@dialin.ind.net]
# Oct 31, 1995
0 string MTM MultiTracker Module sound file
#0 string if Composer 669 Module sound data
0 string FAR Module sound data
0 string MAS_U ULT(imate) Module sound data
0x2c string SCRM ScreamTracker III Module sound data
0 string Extended Module Extended Module sound data
# Gravis UltraSound patches
# From
0 string GF1PATCH110\0ID#000002\0 GUS patch
0 string GF1PATCH100\0ID#000002\0 Old GUS patch
#
# Taken from loader code from mikmod version 2.14
# by Steve McIntyre (stevem@chiark.greenend.org.uk)
0 string JN extended 669 module data
0 string MAS_UTrack_V00
>14 string >/0 ultratracker V1.%.1s module sound data
0 string UN05 MikMod UNI format module sound data
0 string Extended\ Module: Fasttracker II module sound data
21 string !SCREAM! Screamtracker 2 module sound data
1080 string M.K. 4-channel Protracker module sound data
1080 string M!K! 4-channel Protracker module sound data
1080 string FLT4 4-channel Startracker module sound data
1080 string 4CHN 4-channel Fasttracker module sound data
1080 string 6CHN 6-channel Fasttracker module sound data
1080 string 8CHN 8-channel Fasttracker module sound data
1080 string CD81 8-channel Oktalyzer module sound data
1080 string OKTA 8-channel Oktalyzer module sound data
# Not good enough.
#1082 string CH
#>1080 string >/0 %.2s-channel Fasttracker "oktalyzer" module soun
d data
1080 string 16CN 16-channel Taketracker module sound data
1080 string 32CN 32-channel Taketracker module sound data
# TOC sound files -Trevor Johnson
#
0 string TOC TOC sound file
# sidfiles
0 string SIDPLAY\ INFOFILE Sidplay info file
0 string PSID PlaySID v2.2+ (AMIGA) sidtune
>4 beshort >0 w/ header v%d,
>14 beshort =1 single song,
>14 beshort >1 %d songs,
>16 beshort >0 default song: %d
# IRCAM
0 belong 0x64a30400 IRCAM file (NeXT)
0 belong 0x64a30200 IRCAM file (Sun)
0 belong 0x64a30300 IRCAM file (MIPS little-endian)
0 belong 0x0001a364 IRCAM file
# NIST SPHERE
0 string NIST_1A\n\ \ \ 1024\n NIST SPHERE file
# Sample Vision
0 string SOUND\ SAMPLE\ DATA\ Sample Vision file
# Audio Visual Research
0 string 2BIT Audio Visual Research file
# From Felix von Leitner
0 string OggS Ogg-Vorbis compressed sound file
#------------------------------------------------------------------------------
# blender: file(1) magic for Blender 3D data files
#
# Coded by Guillermo S. Romero using the
# data from Ton Roosendaal . Ton or his company do not
# support the rule, so mail GSR if problems with it. Rule version: 1.1.
# You can get latest version with comments and details about the format
# at http://acd.asoc.euitt.upm.es/~gsromero/3d/blender/magic.blender
0 string =BLENDER Blender3D,
>7 string =_ saved as 32-bits
>7 string =- saved as 64-bits
>8 string =v little endian
>8 string =V big endian
>9 byte x with version %c.
>10 byte x \b%c
>11 byte x \b%c
#------------------------------------------------------------------------------
# blit: file(1) magic for 68K Blit stuff as seen from 680x0 machine
#
# Note that this 0407 conflicts with several other a.out formats...
#
# XXX - should this be redone with "be" and "le", so that it works on
# little-endian machines as well? If so, what's the deal with
# "VAX-order" and "VAX-order2"?
#
#0 long 0407 68K Blit (standalone) executable
#0 short 0407 VAX-order2 68K Blit (standalone) executa
ble
0 short 03401 VAX-order 68K Blit (standalone) executab
le
0 long 0406 68k Blit mpx/mux executable
0 short 0406 VAX-order2 68k Blit mpx/mux executable
0 short 03001 VAX-order 68k Blit mpx/mux executable
# Need more values for WE32 DMD executables.
# Note that 0520 is the same as COFF
#0 short 0520 tty630 layers executable
#------------------------------------------------------------------------------
# bsdi: file(1) magic for BSD/OS (from BSDI) objects
#
0 lelong 0314 386 compact demand paged pure executable
>16 lelong >0 not stripped
>32 byte 0x6a (uses shared libs)
0 lelong 0407 386 executable
>16 lelong >0 not stripped
>32 byte 0x6a (uses shared libs)
0 lelong 0410 386 pure executable
>16 lelong >0 not stripped
>32 byte 0x6a (uses shared libs)
0 lelong 0413 386 demand paged pure executable
>16 lelong >0 not stripped
>32 byte 0x6a (uses shared libs)
# same as in SunOS 4.x, except for static shared libraries
0 belong&077777777 0600413 sparc demand paged
>0 byte &0x80
>>20 belong <4096 shared library
>>20 belong =4096 dynamically linked executable
>>20 belong >4096 dynamically linked executable
>0 byte ^0x80 executable
>16 belong >0 not stripped
>36 belong 0xb4100001 (uses shared libs)
0 belong&077777777 0600410 sparc pure
>0 byte &0x80 dynamically linked executable
>0 byte ^0x80 executable
>16 belong >0 not stripped
>36 belong 0xb4100001 (uses shared libs)
0 belong&077777777 0600407 sparc
>0 byte &0x80 dynamically linked executable
>0 byte ^0x80 executable
>16 belong >0 not stripped
>36 belong 0xb4100001 (uses shared libs)
#------------------------------------------------------------------------------
# c-lang: file(1) magic for C programs (or REXX)
#
# XPM icons (Greg Roelofs, newt@uchicago.edu)
# if you uncomment "/*" for C/REXX below, also uncomment this entry
#0 string /*\ XPM\ */ X pixmap image data
# this first will upset you if you're a PL/1 shop...
# in which case rm it; ascmagic will catch real C programs
#0 string /* C or REXX program text
0 string // C++ program text
#------------------------------------------------------------------------------
# chi: file(1) magic for ChiWriter files
#
0 string \\1cw\ ChiWriter file
>5 string >\0 version %s
0 string \\1cw ChiWriter file
#------------------------------------------------------------------------------
# cisco: file(1) magic for cisco Systems routers
#
# Most cisco file-formats are covered by the generic elf code
#
# Microcode files are non-ELF, 0x8501 conflicts with NetBSD/alpha.
0 belong&0xffffff00 0x85011400 cisco IOS microcode
>7 string >\0 for '%s'
0 belong&0xffffff00 0x8501cb00 cisco IOS experimental microcode
>7 string >\0 for '%s'
#------------------------------------------------------------------------------
# claris: file(1) magic for claris
# "H. Nanosecond"
# Claris Works a word processor, etc.
# Version 3.0
# .pct claris works clip art files
#0000000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
#*
#0001000 #010 250 377 377 377 377 000 213 000 230 000 021 002 377 014 000
#null to byte 1000 octal
514 string \377\377\377\377\000 Claris clip art?
>0 string \0\0\0\0\0\0\0\0\0\0\0\0\0 yes.
514 string \377\377\377\377\001 Claris clip art?
>0 string \0\0\0\0\0\0\0\0\0\0\0\0\0 yes.
# Claris works files
# .cwk
0 string \002\000\210\003\102\117\102\117\000\001\206 Claris works docume
nt
# .plt
0 string \020\341\000\000\010\010 Claris Works pallete files .plt
# .msp a dictionary file I am not sure about this I have only one .msp file
0 string \002\271\262\000\040\002\000\164 Claris works dictionary
# .usp are user dictionary bits
# I am not sure about a magic header:
#0000000 001 123 160 146 070 125 104 040 136 123 015 012 160 157 144 151
# soh S p f 8 U D sp ^ S cr nl p o d i
#0000020 141 164 162 151 163 164 040 136 123 015 012 144 151 166 040 043
# a t r i s t sp ^ S cr nl d i v sp #
# .mth Thesaurus
# statrts with \0 but no magic header
# .chy Hyphenation file
# I am not sure: 000 210 034 000 000
# other claris files
#./windows/claris/useng.ndx: data
#./windows/claris/xtndtran.l32: data
#./windows/claris/xtndtran.lst: data
#./windows/claris/clworks.lbl: data
#./windows/claris/clworks.prf: data
#./windows/claris/userd.spl: data
#------------------------------------------------------------------------------
# clipper: file(1) magic for Intergraph (formerly Fairchild) Clipper.
#
# XXX - what byte order does the Clipper use?
#
# XXX - what's the "!" stuff:
#
# >18 short !074000,000000 C1 R1
# >18 short !074000,004000 C2 R1
# >18 short !074000,010000 C3 R1
# >18 short !074000,074000 TEST
#
# I shall assume it's ANDing the field with the first value and
# comparing it with the second, and rewrite it as:
#
# >18 short&074000 000000 C1 R1
# >18 short&074000 004000 C2 R1
# >18 short&074000 010000 C3 R1
# >18 short&074000 074000 TEST
#
# as SVR3.1's "file" doesn't support anything of the "!074000,000000"
# sort, nor does SunOS 4.x, so either it's something Intergraph added
# in CLIX, or something AT&T added in SVR3.2 or later, or something
# somebody else thought was a good idea; it's not documented in the
# man page for this version of "magic", nor does it appear to be
# implemented (at least not after I blew off the bogus code to turn
# old-style "&"s into new-style "&"s, which just didn't work at all).
#
0 short 0575 CLIPPER COFF executable (VAX #)
>20 short 0407 (impure)
>20 short 0410 (5.2 compatible)
>20 short 0411 (pure)
>20 short 0413 (demand paged)
>20 short 0443 (target shared library)
>12 long >0 not stripped
>22 short >0 - version %ld
0 short 0577 CLIPPER COFF executable
>18 short&074000 000000 C1 R1
>18 short&074000 004000 C2 R1
>18 short&074000 010000 C3 R1
>18 short&074000 074000 TEST
>20 short 0407 (impure)
>20 short 0410 (pure)
>20 short 0411 (separate I&D)
>20 short 0413 (paged)
>20 short 0443 (target shared library)
>12 long >0 not stripped
>22 short >0 - version %ld
>48 long&01 01 alignment trap enabled
>52 byte 1 -Ctnc
>52 byte 2 -Ctsw
>52 byte 3 -Ctpw
>52 byte 4 -Ctcb
>53 byte 1 -Cdnc
>53 byte 2 -Cdsw
>53 byte 3 -Cdpw
>53 byte 4 -Cdcb
>54 byte 1 -Csnc
>54 byte 2 -Cssw
>54 byte 3 -Cspw
>54 byte 4 -Cscb
4 string pipe CLIPPER instruction trace
4 string prof CLIPPER instruction profile
#------------------------------------------------------------------------------
# commands: file(1) magic for various shells and interpreters
#
0 string :\ shell archive or script for antique kernel text
0 string/b #!\ /bin/sh Bourne shell script text executa
ble
0 string/b #!\ /bin/csh C shell script text executable
# korn shell magic, sent by George Wu, gwu@clyde.att.com
0 string/b #!\ /bin/ksh Korn shell script text executabl
e
0 string/b #!\ /bin/tcsh Tenex C shell script text execut
able
0 string/b #!\ /usr/local/tcsh Tenex C shell script text execut
able
0 string/b #!\ /usr/local/bin/tcsh Tenex C shell script text execut
able
#
# zsh/ash/ae/nawk/gawk magic from cameron@cs.unsw.oz.au (Cameron Simpson)
0 string/b #!\ /usr/local/bin/zsh Paul Falstad's zsh script text e
xecutable
0 string/b #!\ /usr/local/bin/ash Neil Brown's ash script text exe
cutable
0 string/b #!\ /usr/local/bin/ae Neil Brown's ae script text exec
utable
0 string/b #!\ /bin/nawk new awk script text executable
0 string/b #!\ /usr/bin/nawk new awk script text executable
0 string/b #!\ /usr/local/bin/nawk new awk script text executable
0 string/b #!\ /bin/gawk GNU awk script text executable
0 string/b #!\ /usr/bin/gawk GNU awk script text executable
0 string/b #!\ /usr/local/bin/gawk GNU awk script text executable
#
0 string/b #!\ /bin/awk awk script text executable
0 string/b #!\ /usr/bin/awk awk script text executable
0 string BEGIN awk script text
# For Larry Wall's perl language. The ``eval'' line recognizes an
# outrageously clever hack for USG systems.
# Keith Waclena
0 string/b #!\ /bin/perl perl script text executa
ble
0 string eval\ "exec\ /bin/perl perl script text
0 string/b #!\ /usr/bin/perl perl script text executa
ble
0 string eval\ "exec\ /usr/bin/perl perl script text
0 string/b #!\ /usr/local/bin/perl perl script text
0 string eval\ "exec\ /usr/local/bin/perl perl script text
executable
# AT&T Bell Labs' Plan 9 shell
0 string/b #!\ /bin/rc Plan 9 rc shell script text executable
# bash shell magic, from Peter Tobias (tobias@server.et-inf.fho-emden.de)
0 string/b #!\ /bin/bash Bourne-Again shell script text executabl
e
0 string/b #!\ /usr/local/bin/bash Bourne-Again shell script text e
xecutable
# using env
0 string #!/usr/bin/env a
>15 string >\0 %s script text executable
0 string #!\ /usr/bin/env a
>16 string >\0 %s script text executable
# generic shell magic
0 string #!\ / a
>3 string >\0 %s script text executable
0 string #!\ / a
>3 string >\0 %s script text executable
0 string #!/ a
>2 string >\0 %s script text executable
0 string #!\ script text executable
>3 string >\0 for %s
#------------------------------------------------------------------------------
# compress: file(1) magic for pure-compression formats (no archives)
#
# compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, etc.
#
# Formats for various forms of compressed data
# Formats for "compress" proper have been moved into "compress.c",
# because it tries to uncompress it to figure out what's inside.
# standard unix compress
0 string \037\235 compress'd data
>2 byte&0x80 >0 block compressed
>2 byte&0x1f x %d bits
# gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver)
0 string \037\213 gzip compressed data
>2 byte <8 \b, reserved method,
>2 byte 8 \b, deflated,
>3 byte &0x01 ASCII,
>3 byte &0x02 continuation,
>3 byte &0x04 extra field,
>3 byte &0x08 original filename,
>>10 string x `%s',
>3 byte &0x10 comment,
>3 byte &0x20 encrypted,
>4 ledate x last modified: %s,
>8 byte 2 max compression,
>8 byte 4 max speed,
>9 byte =0x00 os: MS-DOS
>9 byte =0x01 os: Amiga
>9 byte =0x02 os: VMS
>9 byte =0x03 os: Unix
>9 byte =0x05 os: Atari
>9 byte =0x06 os: OS/2
>9 byte =0x07 os: MacOS
>9 byte =0x0A os: Tops/20
>9 byte =0x0B os: Win/32
# packed data, Huffman (minimum redundancy) codes on a byte-by-byte basis
0 string \037\036 packed data
>2 belong >1 \b, %d characters originally
>2 belong =1 \b, %d character originally
#
# This magic number is byte-order-independent. XXX - Does that mean this
# is big-endian, little-endian, either, or that you can't tell?
# this short is valid for SunOS
0 short 017437 old packed data
# XXX - why *two* entries for "compacted data", one of which is
# byte-order independent, and one of which is byte-order dependent?
#
0 short 0x1fff compacted data
# This string is valid for SunOS (BE) and a matching "short" is listed
# in the Ultrix (LE) magic file.
0 string \377\037 compacted data
0 short 0145405 huf output
# bzip2
0 string BZh bzip2 compressed data
>3 byte >47 \b, block size = %c00k
# squeeze and crunch
# Michael Haardt
0 beshort 0x76FF squeezed data,
>4 string x original name %s
0 beshort 0x76FE crunched data,
>2 string x original name %s
0 beshort 0x76FD LZH compressed data,
>2 string x original name %s
# Freeze
0 string \037\237 frozen file 2.1
0 string \037\236 frozen file 1.0 (or gzip 0.5)
# SCO compress -H (LZH)
0 string \037\240 SCO compress -H (LZH) data
# European GSM 06.10 is a provisional standard for full-rate speech
# transcoding, prI-ETS 300 036, which uses RPE/LTP (residual pulse
# excitation/long term prediction) coding at 13 kbit/s.
#
# There's only a magic nibble (4 bits); that nibble repeats every 33
# bytes. This isn't suited for use, but maybe we can use it someday.
#
# This will cause very short GSM files to be declared as data and
# mismatches to be declared as data too!
#0 byte&0xF0 0xd0 data
#>33 byte&0xF0 0xd0
#>66 byte&0xF0 0xd0
#>99 byte&0xF0 0xd0
#>132 byte&0xF0 0xd0 GSM 06.10 compressed audio
# bzip a block-sorting file compressor
# by Julian Seward and others
#
0 string BZ bzip compressed data
>2 byte x \b, version: %c
>3 string =1 \b, compression block size 100k
>3 string =2 \b, compression block size 200k
>3 string =3 \b, compression block size 300k
>3 string =4 \b, compression block size 400k
>3 string =5 \b, compression block size 500k
>3 string =6 \b, compression block size 600k
>3 string =7 \b, compression block size 700k
>3 string =8 \b, compression block size 800k
>3 string =9 \b, compression block size 900k
# lzop from
0 string \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a lzop compressed
data
>9 beshort <0x0940
>>9 byte&0xf0 =0x00 - version 0.
>>9 beshort&0x0fff x \b%03x,
>>13 byte 1 LZO1X-1,
>>13 byte 2 LZO1X-1(15),
>>13 byte 3 LZO1X-999,
## >>22 bedate >0 last modified: %s,
>>14 byte =0x00 os: MS-DOS
>>14 byte =0x01 os: Amiga
>>14 byte =0x02 os: VMS
>>14 byte =0x03 os: Unix
>>14 byte =0x05 os: Atari
>>14 byte =0x06 os: OS/2
>>14 byte =0x07 os: MacOS
>>14 byte =0x0A os: Tops/20
>>14 byte =0x0B os: WinNT
>>14 byte =0x0E os: Win32
>9 beshort >0x0939
>>9 byte&0xf0 =0x00 - version 0.
>>9 byte&0xf0 =0x10 - version 1.
>>9 byte&0xf0 =0x20 - version 2.
>>9 beshort&0x0fff x \b%03x,
>>15 byte 1 LZO1X-1,
>>15 byte 2 LZO1X-1(15),
>>15 byte 3 LZO1X-999,
## >>25 bedate >0 last modified: %s,
>>17 byte =0x00 os: MS-DOS
>>17 byte =0x01 os: Amiga
>>17 byte =0x02 os: VMS
>>17 byte =0x03 os: Unix
>>17 byte =0x05 os: Atari
>>17 byte =0x06 os: OS/2
>>17 byte =0x07 os: MacOS
>>17 byte =0x0A os: Tops/20
>>17 byte =0x0B os: WinNT
>>17 byte =0x0E os: Win32
#------------------------------------------------------------------------------
# Console game magic
# Toby Deshane
# ines: file(1) magic for Marat's iNES Nintendo Entertainment System
# ROM dump format
0 string NES\032 iNES ROM dump,
>4 byte x %dx16k PRG
>5 byte x \b, %dx8k CHR
>6 byte&0x01 =0x1 \b, [Vert.]
>6 byte&0x01 =0x0 \b, [Horiz.]
>6 byte&0x02 =0x2 \b, [SRAM]
>6 byte&0x04 =0x4 \b, [Trainer]
>6 byte&0x04 =0x8 \b, [4-Scr]
#------------------------------------------------------------------------------
# gameboy: file(1) magic for the Nintendo (Color) Gameboy raw ROM format
#
0x104 belong 0xCEED6666 Gameboy ROM:
>0x134 string >\0 "%.16s"
>0x146 byte 0x03 \b,[SGB]
>0x147 byte 0x00 \b, [ROM ONLY]
>0x147 byte 0x01 \b, [ROM+MBC1]
>0x147 byte 0x02 \b, [ROM+MBC1+RAM]
>0x147 byte 0x03 \b, [ROM+MBC1+RAM+BATT]
>0x147 byte 0x05 \b, [ROM+MBC2]
>0x147 byte 0x06 \b, [ROM+MBC2+BATTERY]
>0x147 byte 0x08 \b, [ROM+RAM]
>0x147 byte 0x09 \b, [ROM+RAM+BATTERY]
>0x147 byte 0x0B \b, [ROM+MMM01]
>0x147 byte 0x0C \b, [ROM+MMM01+SRAM]
>0x147 byte 0x0D \b, [ROM+MMM01+SRAM+BATT]
>0x147 byte 0x0F \b, [ROM+MBC3+TIMER+BATT]
>0x147 byte 0x10 \b, [ROM+MBC3+TIMER+RAM+BATT]
>0x147 byte 0x11 \b, [ROM+MBC3]
>0x147 byte 0x12 \b, [ROM+MBC3+RAM]
>0x147 byte 0x13 \b, [ROM+MBC3+RAM+BATT]
>0x147 byte 0x19 \b, [ROM+MBC5]
>0x147 byte 0x1A \b, [ROM+MBC5+RAM]
>0x147 byte 0x1B \b, [ROM+MBC5+RAM+BATT]
>0x147 byte 0x1C \b, [ROM+MBC5+RUMBLE]
>0x147 byte 0x1D \b, [ROM+MBC5+RUMBLE+SRAM]
>0x147 byte 0x1E \b, [ROM+MBC5+RUMBLE+SRAM+BATT]
>0x147 byte 0x1F \b, [Pocket Camera]
>0x147 byte 0xFD \b, [Bandai TAMA5]
>0x147 byte 0xFE \b, [Hudson HuC-3]
>0x147 byte 0xFF \b, [Hudson HuC-1]
>0x148 byte 0 \b, ROM: 256Kbit
>0x148 byte 1 \b, ROM: 512Kbit
>0x148 byte 2 \b, ROM: 1Mbit
>0x148 byte 3 \b, ROM: 2Mbit
>0x148 byte 4 \b, ROM: 4Mbit
>0x148 byte 5 \b, ROM: 8Mbit
>0x148 byte 6 \b, ROM: 16Mbit
>0x148 byte 0x52 \b, ROM: 9Mbit
>0x148 byte 0x53 \b, ROM: 10Mbit
>0x148 byte 0x54 \b, ROM: 12Mbit
>0x149 byte 1 \b, RAM: 16Kbit
>0x149 byte 2 \b, RAM: 64Kbit
>0x149 byte 3 \b, RAM: 128Kbit
>0x149 byte 4 \b, RAM: 1Mbit
#>0x14e long x \b, CRC: %x
#------------------------------------------------------------------------------
# genesis: file(1) magic for the Sega MegaDrive/Genesis raw ROM format
#
0x100 string SEGA Sega MegaDrive/Genesis raw ROM dump
>0x120 string >\0 Name: "%.16s"
>0x110 string >\0 %.16s
>0x1B0 string RA with SRAM
#------------------------------------------------------------------------------
# genesis: file(1) magic for the Super MegaDrive ROM dump format
#
0x280 string EAGN Super MagicDrive ROM dump
>0 byte x %dx16k blocks
>2 byte 0 \b, last in series or standalone
>2 byte >0 \b, split ROM
>8 byte 0xAA
>9 byte 0xBB
#------------------------------------------------------------------------------
# genesis: file(1) alternate magic for the Super MegaDrive ROM dump format
#
0x280 string EAMG Super MagicDrive ROM dump
>0 byte x %dx16k blocks
>2 byte x \b, last in series or standalone
>8 byte 0xAA
>9 byte 0xBB
#------------------------------------------------------------------------------
# smsgg: file(1) magic for Sega Master System and Game Gear ROM dumps
#
# Does not detect all images. Very preliminary guesswork. Need more data
# on format.
#
# FIXME: need a little more info...;P
#
#0 byte 0xF3
#>1 byte 0xED Sega Master System/Game Gear ROM dump
#>1 byte 0x31 Sega Master System/Game Gear ROM dump
#>1 byte 0xDB Sega Master System/Game Gear ROM dump
#>1 byte 0xAF Sega Master System/Game Gear ROM dump
#>1 byte 0xC3 Sega Master System/Game Gear ROM dump
#------------------------------------------------------------------------------
# dreamcast: file(1) uncertain magic for the Sega Dreamcast VMU image format
#
0 belong 0x21068028 Sega Dreamcast VMU game image
0 string LCDi Dream Animator file
#------------------------------------------------------------------------------
# v64: file(1) uncertain magic for the V64 format N64 ROM dumps
#
0 belong 0x37804012 V64 Nintendo 64 ROM dump
#------------------------------------------------------------------------------
# msx: file(1) magic for MSX game cartridge dumps
0 beshort 0x4142 MSX game cartridge dump
#------------------------------------------------------------------------------
# convex: file(1) magic for Convex boxes
#
# Convexes are big-endian.
#
# /*\
# * Below are the magic numbers and tests added for Convex.
# * Added at beginning, because they are expected to be used most.
# \*/
0 belong 0507 Convex old-style object
>16 belong >0 not stripped
0 belong 0513 Convex old-style demand paged executable
>16 belong >0 not stripped
0 belong 0515 Convex old-style pre-paged executable
>16 belong >0 not stripped
0 belong 0517 Convex old-style pre-paged, non-swapped executable
>16 belong >0 not stripped
0 belong 0x011257 Core file
#
# The following are a series of dump format magic numbers. Each one
# corresponds to a drastically different dump format. The first on is
# the original dump format on a 4.1 BSD or earlier file system. The
# second marks the change between the 4.1 file system and the 4.2 file
# system. The Third marks the changing of the block size from 1K
# to 2K to be compatible with an IDC file system. The fourth indicates
# a dump that is dependent on Convex Storage Manager, because data in
# secondary storage is not physically contained within the dump.
# The restore program uses these number to determine how the data is
# to be extracted.
#
24 belong =60011 dump format, 4.1 BSD or earlier
24 belong =60012 dump format, 4.2 or 4.3 BSD without IDC
24 belong =60013 dump format, 4.2 or 4.3 BSD (IDC compatible)
24 belong =60014 dump format, Convex Storage Manager by-reference dump
#
# what follows is a bunch of bit-mask checks on the flags field of the opthdr.
# If there is no `=' sign, assume just checking for whether the bit is set?
#
0 belong 0601 Convex SOFF
>88 belong&0x000f0000 =0x00000000 c1
>88 belong &0x00010000 c2
>88 belong &0x00020000 c2mp
>88 belong &0x00040000 parallel
>88 belong &0x00080000 intrinsic
>88 belong &0x00000001 demand paged
>88 belong &0x00000002 pre-paged
>88 belong &0x00000004 non-swapped
>88 belong &0x00000008 POSIX
#
>84 belong &0x80000000 executable
>84 belong &0x40000000 object
>84 belong&0x20000000 =0 not stripped
>84 belong&0x18000000 =0x00000000 native fpmode
>84 belong&0x18000000 =0x10000000 ieee fpmode
>84 belong&0x18000000 =0x18000000 undefined fpmode
#
0 belong 0605 Convex SOFF core
#
0 belong 0607 Convex SOFF checkpoint
>88 belong&0x000f0000 =0x00000000 c1
>88 belong &0x00010000 c2
>88 belong &0x00020000 c2mp
>88 belong &0x00040000 parallel
>88 belong &0x00080000 intrinsic
>88 belong &0x00000008 POSIX
#
>84 belong&0x18000000 =0x00000000 native fpmode
>84 belong&0x18000000 =0x10000000 ieee fpmode
>84 belong&0x18000000 =0x18000000 undefined fpmode
#------------------------------------------------------------------------------
# database: file(1) magic for various databases
#
# extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk)
#
#
# GDBM magic numbers
# Will be maintained as part of the GDBM distribution in the future.
#
0 belong 0x13579ace GNU dbm 1.x or ndbm database, big endian
0 lelong 0x13579ace GNU dbm 1.x or ndbm database, little endian
0 string GDBM GNU dbm 2.x database
#
# Berkeley DB
#
# Ian Darwin's file /etc/magic files: big/little-endian version.
#
# Hash 1.85/1.86 databases store metadata in network byte order.
# Btree 1.85/1.86 databases store the metadata in host byte order.
# Hash and Btree 2.X and later databases store the metadata in host byte order.
0 long 0x00061561 Berkeley DB
>8 belong 4321
>>4 belong >2 1.86
>>4 belong <3 1.85
>>4 belong >0 (Hash, version %d, native byte-order)
>8 belong 1234
>>4 belong >2 1.86
>>4 belong <3 1.85
>>4 belong >0 (Hash, version %d, little-endian)
0 belong 0x00061561 Berkeley DB
>8 belong 4321
>>4 belong >2 1.86
>>4 belong <3 1.85
>>4 belong >0 (Hash, version %d, big-endian)
>8 belong 1234
>>4 belong >2 1.86
>>4 belong <3 1.85
>>4 belong >0 (Hash, version %d, native byte-order)
0 long 0x00053162 Berkeley DB 1.85/1.86
>4 long >0 (Btree, version %d, native byte-order)
0 belong 0x00053162 Berkeley DB 1.85/1.86
>4 belong >0 (Btree, version %d, big-endian)
0 lelong 0x00053162 Berkeley DB 1.85/1.86
>4 lelong >0 (Btree, version %d, little-endian)
12 long 0x00061561 Berkeley DB
>16 long >0 (Hash, version %d, native byte-order)
12 belong 0x00061561 Berkeley DB
>16 belong >0 (Hash, version %d, big-endian)
12 lelong 0x00061561 Berkeley DB
>16 lelong >0 (Hash, version %d, little-endian)
12 long 0x00053162 Berkeley DB
>16 long >0 (Btree, version %d, native byte-order)
12 belong 0x00053162 Berkeley DB
>16 belong >0 (Btree, version %d, big-endian)
12 lelong 0x00053162 Berkeley DB
>16 lelong >0 (Btree, version %d, little-endian)
12 long 0x00042253 Berkeley DB
>16 long >0 (Queue, version %d, native byte-order)
12 belong 0x00042253 Berkeley DB
>16 belong >0 (Queue, version %d, big-endian)
12 lelong 0x00042253 Berkeley DB
>16 lelong >0 (Queue, version %d, little-endian)
#------------------------------------------------------------------------------
# diamond: file(1) magic for Diamond system
#
# ... diamond is a multi-media mail and electronic conferencing system....
#
# XXX - I think it was either renamed Slate, or replaced by Slate....
#
# The full deal is too long...
#0 string \n Diamond Multimed
ia Document
0 string =\n4 string >% version %.3s
# Digital UNIX - Info
#
0 string !\n________64E Alpha archive
>22 string X -- out of date
#
# Alpha COFF Based Executables
# The stripped stuff really needs to be an 8 byte (64 bit) compare,
# but this works
0 leshort 0x183 COFF format alpha
>22 leshort&020000 &010000 sharable library,
>22 leshort&020000 ^010000 dynamically linked,
>24 leshort 0410 pure
>24 leshort 0413 demand paged
>8 lelong >0 executable or object module, not strippe
d
>8 lelong 0
>>12 lelong 0 executable or object module, stripped
>>12 lelong >0 executable or object module, not strippe
d
>27 byte >0 - version %d.
>26 byte >0 %d-
>28 leshort >0 %d
#
# The next is incomplete, we could tell more about this format,
# but its not worth it.
0 leshort 0x188 Alpha compressed COFF
0 leshort 0x18f Alpha u-code object
#
#
# Some other interesting Digital formats,
0 string \377\377\177 ddis/ddif
0 string \377\377\174 ddis/dots archive
0 string \377\377\176 ddis/dtif table data
0 string \033c\033 LN03 output
0 long 04553207 X image
#
0 string !!\n profiling data file
#
# Locale data tables (MIPS and Alpha).
#
0 short 0x0501 locale data table
>6 short 0x24 for MIPS
>6 short 0x40 for Alpha
#------------------------------------------------------------------------------
# dump: file(1) magic for dump file format--for new and old dump filesystems
#
# We specify both byte orders in order to recognize byte-swapped dumps.
#
24 belong 60012 new-fs dump file (big endian),
>4 bedate x Previous dump %s,
>8 bedate x This dump %s,
>12 belong >0 Volume %ld,
>692 belong 0 Level zero, type:
>692 belong >0 Level %d, type:
>0 belong 1 tape header,
>0 belong 2 beginning of file record,
>0 belong 3 map of inodes on tape,
>0 belong 4 continuation of file record,
>0 belong 5 end of volume,
>0 belong 6 map of inodes deleted,
>0 belong 7 end of medium (for floppy),
>676 string >\0 Label %s,
>696 string >\0 Filesystem %s,
>760 string >\0 Device %s,
>824 string >\0 Host %s,
>888 belong >0 Flags %x
24 belong 60011 old-fs dump file (big endian),
#>4 bedate x Previous dump %s,
#>8 bedate x This dump %s,
>12 belong >0 Volume %ld,
>692 belong 0 Level zero, type:
>692 belong >0 Level %d, type:
>0 belong 1 tape header,
>0 belong 2 beginning of file record,
>0 belong 3 map of inodes on tape,
>0 belong 4 continuation of file record,
>0 belong 5 end of volume,
>0 belong 6 map of inodes deleted,
>0 belong 7 end of medium (for floppy),
>676 string >\0 Label %s,
>696 string >\0 Filesystem %s,
>760 string >\0 Device %s,
>824 string >\0 Host %s,
>888 belong >0 Flags %x
24 lelong 60012 new-fs dump file (little endian),
>4 ledate x This dump %s,
>8 ledate x Previous dump %s,
>12 lelong >0 Volume %ld,
>692 lelong 0 Level zero, type:
>692 lelong >0 Level %d, type:
>0 lelong 1 tape header,
>0 lelong 2 beginning of file record,
>0 lelong 3 map of inodes on tape,
>0 lelong 4 continuation of file record,
>0 lelong 5 end of volume,
>0 lelong 6 map of inodes deleted,
>0 lelong 7 end of medium (for floppy),
>676 string >\0 Label %s,
>696 string >\0 Filesystem %s,
>760 string >\0 Device %s,
>824 string >\0 Host %s,
>888 lelong >0 Flags %x
24 lelong 60011 old-fs dump file (little endian),
#>4 ledate x Previous dump %s,
#>8 ledate x This dump %s,
>12 lelong >0 Volume %ld,
>692 lelong 0 Level zero, type:
>692 lelong >0 Level %d, type:
>0 lelong 1 tape header,
>0 lelong 2 beginning of file record,
>0 lelong 3 map of inodes on tape,
>0 lelong 4 continuation of file record,
>0 lelong 5 end of volume,
>0 lelong 6 map of inodes deleted,
>0 lelong 7 end of medium (for floppy),
>676 string >\0 Label %s,
>696 string >\0 Filesystem %s,
>760 string >\0 Device %s,
>824 string >\0 Host %s,
>888 lelong >0 Flags %x
#------------------------------------------------------------------------------
# elf: file(1) magic for ELF executables
#
# We have to check the byte order flag to see what byte order all the
# other stuff in the header is in.
#
# MIPS R3000 may also be for MIPS R2000.
# What're the correct byte orders for the nCUBE and the Fujitsu VPP500?
#
# updated by Daniel Quinlan (quinlan@yggdrasil.com)
0 string \177ELF ELF
>4 byte 0 invalid class
>4 byte 1 32-bit
# only for MIPS
>>18 beshort 8
>>18 beshort 10
>>>36 belong &0x20 N32
>4 byte 2 64-bit
>5 byte 0 invalid byte order
>5 byte 1 LSB
# only for MIPS R3000_BE
>>18 leshort 8
# only for 32-bit
>>>4 byte 1
>>>>36 lelong&0xf0000000 0x00000000 mips-1
>>>>36 lelong&0xf0000000 0x10000000 mips-2
>>>>36 lelong&0xf0000000 0x20000000 mips-3
>>>>36 lelong&0xf0000000 0x30000000 mips-4
>>>>36 lelong&0xf0000000 0x40000000 mips-5
>>>>36 lelong&0xf0000000 0x50000000 mips-6
# only for 64-bit
>>>4 byte 2
>>>>48 lelong&0xf0000000 0x00000000 mips-1
>>>>48 lelong&0xf0000000 0x10000000 mips-2
>>>>48 lelong&0xf0000000 0x20000000 mips-3
>>>>48 lelong&0xf0000000 0x30000000 mips-4
>>>>48 lelong&0xf0000000 0x40000000 mips-5
>>>>48 lelong&0xf0000000 0x50000000 mips-6
>>16 leshort 0 no file type,
>>16 leshort 1 relocatable,
>>16 leshort 2 executable,
>>16 leshort 3 shared object,
# Core handling from Peter Tobias
# corrections by Christian 'Dr. Disk' Hechelmann
>>16 leshort 4 core file
>>>(0x38+0xcc) string >\0 of '%s'
>>>(0x38+0x10) lelong >0 (signal %d),
>>16 leshort &0xff00 processor-specific,
>>18 leshort 0 no machine,
>>18 leshort 1 AT&T WE32100 - invalid byte order,
>>18 leshort 2 SPARC - invalid byte order,
>>18 leshort 3 Intel 80386,
>>18 leshort 4 Motorola 68000 - invalid byte order,
>>18 leshort 5 Motorola 88000 - invalid byte order,
>>18 leshort 6 Intel 80486,
>>18 leshort 7 Intel 80860,
# "officially" big endian, but binutils bfd only emits magic #8 for MIPS.
>>18 leshort 8 MIPS R3000_LE [bfd bug],
>>18 leshort 9 Amdahl - invalid byte order,
>>18 leshort 10 MIPS R3000_LE,
>>18 leshort 11 RS6000 - invalid byte order,
>>18 leshort 15 PA-RISC - invalid byte order,
>>18 leshort 16 nCUBE,
>>18 leshort 17 Fujitsu VPP500,
>>18 leshort 18 SPARC32PLUS,
>>18 leshort 20 PowerPC,
>>18 leshort 36 NEC V800,
>>18 leshort 37 Fujitsu FR20,
>>18 leshort 38 TRW RH-32,
>>18 leshort 39 Motorola RCE,
>>18 leshort 40 Advanced RISC Machines ARM,
>>18 leshort 41 Alpha,
>>18 leshort 42 Hitachi SH,
>>18 leshort 43 SPARC V9 - invalid byte order,
>>18 leshort 44 Siemens Tricore Embedded Processor,
>>18 leshort 45 Argonaut RISC Core, Argonaut Technologie
s Inc.,
>>18 leshort 46 Hitachi H8/300,
>>18 leshort 47 Hitachi H8/300H,
>>18 leshort 48 Hitachi H8S,
>>18 leshort 49 Hitachi H8/500,
>>18 leshort 50 IA-64,
>>18 leshort 51 Stanford MIPS-X,
>>18 leshort 52 Motorola Coldfire,
>>18 leshort 53 Motorola M68HC12,
>>18 leshort 75 Digital VAX,
>>18 leshort 0x9026 Alpha (unofficial),
>>20 lelong 0 invalid version
>>20 lelong 1 version 1
>>36 lelong 1 MathCoPro/FPU/MAU Required
>8 string >\0 (%s)
>5 byte 2 MSB
# only for MIPS R3000_BE
>>18 beshort 8
# only for 32-bit
>>>4 byte 1
>>>>36 belong&0xf0000000 0x00000000 mips-1
>>>>36 belong&0xf0000000 0x10000000 mips-2
>>>>36 belong&0xf0000000 0x20000000 mips-3
>>>>36 belong&0xf0000000 0x30000000 mips-4
>>>>36 belong&0xf0000000 0x40000000 mips-5
>>>>36 belong&0xf0000000 0x50000000 mips-6
# only for 64-bit
>>>4 byte 2
>>>>48 belong&0xf0000000 0x00000000 mips-1
>>>>48 belong&0xf0000000 0x10000000 mips-2
>>>>48 belong&0xf0000000 0x20000000 mips-3
>>>>48 belong&0xf0000000 0x30000000 mips-4
>>>>48 belong&0xf0000000 0x40000000 mips-5
>>>>48 belong&0xf0000000 0x50000000 mips-6
>>16 beshort 0 no file type,
>>16 beshort 1 relocatable,
>>16 beshort 2 executable,
>>16 beshort 3 shared object,
>>16 beshort 4 core file,
>>>(0x38+0xcc) string >\0 of '%s'
>>>(0x38+0x10) belong >0 (signal %d),
>>16 beshort &0xff00 processor-specific,
>>18 beshort 0 no machine,
>>18 beshort 1 AT&T WE32100,
>>18 beshort 2 SPARC,
>>18 beshort 3 Intel 80386 - invalid byte order,
>>18 beshort 4 Motorola 68000,
>>18 beshort 5 Motorola 88000,
>>18 beshort 6 Intel 80486 - invalid byte order,
>>18 beshort 7 Intel 80860,
>>18 beshort 8 MIPS R3000_BE,
>>18 beshort 9 Amdahl,
>>18 beshort 10 MIPS R3000_LE - invalid byte order,
>>18 beshort 11 RS6000,
>>18 beshort 15 PA-RISC,
>>18 beshort 16 nCUBE,
>>18 beshort 17 Fujitsu VPP500,
>>18 beshort 18 SPARC32PLUS,
>>>36 belong&0xffff00 &0x000100 V8+ Required,
>>>36 belong&0xffff00 &0x000200 Sun UltraSPARC1 Extensions Required,
>>>36 belong&0xffff00 &0x000400 HaL R1 Extensions Required,
>>>36 belong&0xffff00 &0x000800 Sun UltraSPARC3 Extensions Required,
>>18 beshort 20 PowerPC or cisco 4500,
>>18 beshort 21 cisco 7500,
>>18 beshort 24 cisco SVIP,
>>18 beshort 25 cisco 7200,
>>18 beshort 36 NEC V800 or cisco 12000,
>>18 beshort 37 Fujitsu FR20,
>>18 beshort 38 TRW RH-32,
>>18 beshort 39 Motorola RCE,
>>18 beshort 40 Advanced RISC Machines ARM,
>>18 beshort 41 Alpha,
>>18 beshort 42 Hitachi SH,
>>18 beshort 43 SPARC V9,
>>18 beshort 44 Siemens Tricore Embedded Processor,
>>18 beshort 45 Argonaut RISC Core, Argonaut Technologie
s Inc.,
>>18 beshort 46 Hitachi H8/300,
>>18 beshort 47 Hitachi H8/300H,
>>18 beshort 48 Hitachi H8S,
>>18 beshort 49 Hitachi H8/500,
>>18 beshort 50 IA-64,
>>18 beshort 51 Stanford MIPS-X,
>>18 beshort 52 Motorola Coldfire,
>>18 beshort 53 Motorola M68HC12,
>>18 beshort 75 Digital VAX,
>>18 beshort 0x9026 Alpha (unofficial),
>>20 belong 0 invalid version
>>20 belong 1 version 1
>>36 belong 1 MathCoPro/FPU/MAU Required
#------------------------------------------------------------------------------
# encore: file(1) magic for Encore machines
#
# XXX - needs to have the byte order specified (NS32K was little-endian,
# dunno whether they run the 88K in little-endian mode or not).
#
0 short 0x154 Encore
>20 short 0x107 executable
>20 short 0x108 pure executable
>20 short 0x10b demand-paged executable
>20 short 0x10f unsupported executable
>12 long >0 not stripped
>22 short >0 - version %ld
>22 short 0 -
#>4 date x stamp %s
0 short 0x155 Encore unsupported executable
>12 long >0 not stripped
>22 short >0 - version %ld
>22 short 0 -
#>4 date x stamp %s
#------------------------------------------------------------------------------
# Epoc 32 : file(1) magic for Epoc Documents [psion/osaris
# Stefan Praszalowicz (hpicollo@worldnet.fr)
#0 lelong 0x10000037 Epoc32
>4 lelong 0x1000006D
>>8 lelong 0x1000007F Word
>>8 lelong 0x10000088 Sheet
>>8 lelong 0x1000007D Sketch
>>8 lelong 0x10000085 TextEd
#------------------------------------------------------------------------------
# filesystems: file(1) magic for different filesystems
#
0 string \366\366\366\366 PC formatted floppy with no filesystem
# Sun disk labels
# From /usr/include/sun/dklabel.h:
0774 beshort 0xdabe Sun disk label
>0 string x '%s
>>31 string >\0 \b%s
>>>63 string >\0 \b%s
>>>>95 string >\0 \b%s
>0 string x \b'
>0734 short >0 %d rpm,
>0736 short >0 %d phys cys,
>0740 short >0 %d alts/cyl,
>0746 short >0 %d interleave,
>0750 short >0 %d data cyls,
>0752 short >0 %d alt cyls,
>0754 short >0 %d heads/partition,
>0756 short >0 %d sectors/track,
>0764 long >0 start cyl %ld,
>0770 long x %ld blocks
# Is there a boot block written 1 sector in?
>512 belong&077777777 0600407 \b, boot block present
0x1FE leshort 0xAA55 x86 boot sector
>2 string OSBS \b, OS/BS MBR
>0x8C string Invalid\ partition\ table \b, MS-DOS MBR
>0 string \0\0\0\0 \b, extended partition table
>0 leshort 0x3CEB \b, system
>>3 string >\0 %s
>>0x36 string FAT \b, %s
>>>0x39 string 12 (%s bit)
>>>0x39 string 16 (%s bit)
>0x52 string FAT32 \b, FAT (32 bit)
>>>43 string >NO\ NAME label: %.11s,
>>>43 string >>43 string NO\ NAME unlabeled,
>>>19 leshort >0 %d sectors
>>>19 leshort 0
>>>>32 lelong x %d sectors
>0x200 lelong 0x82564557 \b, BSD disklabel
# Minix filesystems - Juan Cespedes
0x410 leshort 0x137f Minix filesystem
0x410 leshort 0x138f Minix filesystem, 30 char names
0x410 leshort 0x2468 Minix filesystem, version 2
0x410 leshort 0x2478 Minix filesystem, version 2, 30 char nam
es
# romfs filesystems - Juan Cespedes
0 string -rom1fs-\0 romfs filesystem, version 1
>8 belong x %d bytes,
>16 string x named %s.
# netboot image - Juan Cespedes
0 lelong 0x1b031336L Netboot image,
>4 lelong&0xFFFFFF00 0
>>4 lelong&0x100 0x000 mode 2
>>4 lelong&0x100 0x100 mode 3
>4 lelong&0xFFFFFF00 !0 unknown mode
0x18b string OS/2 OS/2 Boot Manager
9564 lelong 0x00011954 Unix Fast File system,
>8404 string x last mounted on %s,
>9504 ledate x last checkd at %s,
>8224 ledate x last writen at %s,
>8228 lelong x number of blocks %d,
>8232 lelong x number of data blocks %d,
>8236 lelong x number of cylinder groups %d,
>8240 lelong x number of basic blocks %d,
>8244 lelong x number of fragment blocks %d,
>8248 lelong x minimum percentage of free blocks %d,
>8252 lelong x rotational delay %dms,
>8256 lelong x disk rotational speed %drps,
>8320 lelong 0 TIME optimization
>8320 lelong 1 SPACE optimization
# ext2/ext3 filesystems - Andreas Dilger
0x438 leshort 0xEF53 Linux
>0x44c lelong x rev %d
>0x43e leshort x \b.%d
>0x45c lelong ^0x0000004 ext2 filesystem data
>>0x43a leshort ^0x0000001 (mounted or unclean)
>0x45c lelong &0x0000004 ext3 filesystem data
>>0x460 lelong &0x0000004 (needs journal recovery)
>0x43a leshort &0x0000002 (errors)
>0x460 lelong &0x0000001 (compressed)
#>0x460 lelong &0x0000002 (filetype)
#>0x464 lelong &0x0000001 (sparse_super)
>0x464 lelong &0x0000002 (large files)
#------------------------------------------------------------------------------
# flash: file(1) magic for Macromedia Flash file format
#
# See
#
# http://www.macromedia.com/software/flash/open/
#
0 string FWS Macromedia Flash data,
>3 byte x version %d
#------------------------------------------------------------------------------
# fonts: file(1) magic for font data
#
0 string FONT ASCII vfont text
0 short 0436 Berkeley vfont data
0 short 017001 byte-swapped Berkeley vfont data
# PostScript fonts (must precede "printer" entries), quinlan@yggdrasil.com
0 string %!PS-AdobeFont-1.0 PostScript Type 1 font text
>20 string >\0 (%s)
6 string %!PS-AdobeFont-1.0 PostScript Type 1 font program d
ata
# X11 font files in SNF (Server Natural Format) format
0 belong 00000004 X11 SNF font data, MSB first
0 lelong 00000004 X11 SNF font data, LSB first
# X11 Bitmap Distribution Format, from Daniel Quinlan (quinlan@yggdrasil.com)
0 string STARTFONT\040 X11 BDF font text
# X11 fonts, from Daniel Quinlan (quinlan@yggdrasil.com)
# PCF must come before SGI additions ("MIPSEL MIPS-II COFF" collides)
0 string \001fcp X11 Portable Compiled Font data
>12 byte 0x02 \b, LSB first
>12 byte 0x0a \b, MSB first
0 string D1.0\015 X11 Speedo font data
#------------------------------------------------------------------------------
# FIGlet fonts and controlfiles
# From figmagic supplied with Figlet version 2.2
# "David E. O'Brien"
0 string flf FIGlet font
>3 string >2a version %-2.2s
0 string flc FIGlet controlfile
>3 string >2a version %-2.2s
# libGrx graphics lib fonts, from Albert Cahalan (acahalan@cs.uml.edu)
# Used with djgpp (DOS Gnu C++), sometimes Linux or Turbo C++
0 belong 0x14025919 libGrx font data,
>8 leshort x %dx
>10 leshort x \b%d
>40 string x %s
# Misc. DOS VGA fonts, from Albert Cahalan (acahalan@cs.uml.edu)
0 belong 0xff464f4e DOS code page font data collection
7 belong 0x00454741 DOS code page font data
7 belong 0x00564944 DOS code page font data (from Linux?)
4098 string DOSFONT DOSFONT2 encrypted font data
# downloadable fonts for browser (prints type) anthon@mnt.org
0 string PFR1 PFR1 font
>102 string >0 \b: %s
#------------------------------------------------------------------------------
# frame: file(1) magic for FrameMaker files
#
# This stuff came on a FrameMaker demo tape, most of which is
# copyright, but this file is "published" as witness the following:
#
0 string \11 string 5.5 (5.5
>11 string 5.0 (5.0
>11 string 4.0 (4.0
>11 string 3.0 (3.0
>11 string 2.0 (2.0
>11 string 1.0 (1.0
>14 byte x %c)
0 string \9 string 4.0 (4.0)
>9 string 3.0 (3.0)
>9 string 2.0 (2.0)
>9 string 1.0 (1.x)
0 string \17 string 3.0 (3.0)
>17 string 2.0 (2.0)
>17 string 1.0 (1.x)
0 string \17 string 1.01 (%s)
0 string \10 string 3.0 (3.0
>10 string 2.0 (2.0
>10 string 1.0 (1.0
>13 byte x %c)
# XXX - this book entry should be verified, if you find one, uncomment this
#0 string \6 string 3.0 (3.0)
#>6 string 2.0 (2.0)
#>6 string 1.0 (1.0)
0 string \= 4096 (or >4095, same thing), then it's
# an executable, and is dynamically-linked if the "has run-time
# loader information" bit is set.
#
# On x86, NetBSD says:
#
# If it's neither pure nor demand-paged:
#
# if it has the "has run-time loader information" bit set, it's
# a dynamically-linked executable;
#
# if it doesn't have that bit set, then:
#
# if it has the "is position-independent" bit set, it's
# position-independent;
#
# if the entry point is non-zero, it's an executable, otherwise
# it's an object file.
#
# If it's pure:
#
# if it has the "has run-time loader information" bit set, it's
# a dynamically-linked executable, otherwise it's just an
# executable.
#
# If it's demand-paged:
#
# if it has the "has run-time loader information" bit set,
# then:
#
# if the entry point is < 4096, it's a shared library;
#
# if the entry point is = 4096 or > 4096 (i.e., >= 4096),
# it's a dynamically-linked executable);
#
# if it doesn't have the "has run-time loader information" bit
# set, then it's just an executable.
#
# (On non-x86, NetBSD does much the same thing, except that it uses
# 8192 on 68K - except for "68k4k", which is presumably "68K with 4K
# pages - SPARC, and MIPS, presumably because Sun-3's and Sun-4's
# had 8K pages; dunno about MIPS.)
#
# I suspect the two will differ only in perverse and uninteresting cases
# ("shared" libraries that aren't demand-paged and whose pages probably
# won't actually be shared, executables with entry points <4096).
#
# I leave it to those more familiar with FreeBSD and NetBSD to figure out
# what the right answer is (although using ">4095", FreeBSD-style, is
# probably better than separately checking for "=4096" and ">4096",
# NetBSD-style). (The old "netbsd" file analyzed FreeBSD demand paged
# executables using the NetBSD technique.)
#
0 lelong&0377777777 041400407 FreeBSD/i386
>20 lelong <4096
>>3 byte&0xC0 &0x80 shared library
>>3 byte&0xC0 0x40 PIC object
>>3 byte&0xC0 0x00 object
>20 lelong >4095
>>3 byte&0x80 0x80 dynamically linked executable
>>3 byte&0x80 0x00 executable
>16 lelong >0 not stripped
0 lelong&0377777777 041400410 FreeBSD/i386 pure
>20 lelong <4096
>>3 byte&0xC0 &0x80 shared library
>>3 byte&0xC0 0x40 PIC object
>>3 byte&0xC0 0x00 object
>20 lelong >4095
>>3 byte&0x80 0x80 dynamically linked executable
>>3 byte&0x80 0x00 executable
>16 lelong >0 not stripped
0 lelong&0377777777 041400413 FreeBSD/i386 demand paged
>20 lelong <4096
>>3 byte&0xC0 &0x80 shared library
>>3 byte&0xC0 0x40 PIC object
>>3 byte&0xC0 0x00 object
>20 lelong >4095
>>3 byte&0x80 0x80 dynamically linked executable
>>3 byte&0x80 0x00 executable
>16 lelong >0 not stripped
0 lelong&0377777777 041400314 FreeBSD/i386 compact demand page
d
>20 lelong <4096
>>3 byte&0xC0 &0x80 shared library
>>3 byte&0xC0 0x40 PIC object
>>3 byte&0xC0 0x00 object
>20 lelong >4095
>>3 byte&0x80 0x80 dynamically linked executable
>>3 byte&0x80 0x00 executable
>16 lelong >0 not stripped
# XXX gross hack to identify core files
# cores start with a struct tss; we take advantage of the following:
# byte 7: highest byte of the kernel stack pointer, always 0xfe
# 8/9: kernel (ring 0) ss value, always 0x0010
# 10 - 27: ring 1 and 2 ss/esp, unused, thus always 0
# 28: low order byte of the current PTD entry, always 0 since the
# PTD is page-aligned
#
7 string \357\020\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 FreeBSD/
i386 a.out core file
>1039 string >\0 from '%s'
# /var/run/ld.so.hints
# What are you laughing about?
0 lelong 011421044151 ld.so hints file
>4 lelong >0 (version %d)
#------------------------------------------------------------------------------
# fsav: file(1) magic for datafellows fsav virus definition files
# Anthon van der Neut (anthon@mnt.org)
0 beshort 0x1575 fsav (linux) macro virus
>8 leshort >0 (%d-
>11 byte >0 \b%02d-
>10 byte >0 \b%02d)
# comment this out for now because it regognizes every file where
# the eighth character is \n
#8 byte 0x0a
#>12 byte 0x07
#>11 leshort >0 fsav (linux) virus (%d-
#>10 byte 0 \b01-
#>10 byte 1 \b02-
#>10 byte 2 \b03-
#>10 byte 3 \b04-
#>10 byte 4 \b05-
#>10 byte 5 \b06-
#>10 byte 6 \b07-
#>10 byte 7 \b08-
#>10 byte 8 \b08-
#>10 byte 9 \b10-
#>10 byte 10 \b11-
#>10 byte 11 \b12-
#>9 byte >0 \b%02d)
#------------------------------------------------------------------------------
# GIMP Gradient: file(1) magic for the GIMP's gradient data files
# by Federico Mena
0 string GIMP\ Gradient GIMP gradient data
#------------------------------------------------------------------------------
# XCF: file(1) magic for the XCF image format used in the GIMP developed
# by Spencer Kimball and Peter Mattis
# ('Bucky' LaDieu, nega@vt.edu)
0 string gimp\ xcf GIMP XCF image data,
>9 string file version 0,
>9 string v version
>>10 string >\0 %s,
>14 belong x %lu x
>18 belong x %lu,
>22 belong 0 RGB Color
>22 belong 1 Greyscale
>22 belong 2 Indexed Color
>22 belong >2 Unknown Image Type.
#------------------------------------------------------------------------------
# XCF: file(1) magic for the patterns used in the GIMP, developed
# by Spencer Kimball and Peter Mattis
# ('Bucky' LaDieu, nega@vt.edu)
20 string GPAT GIMP pattern data,
>24 string x %s
#------------------------------------------------------------------------------
# XCF: file(1) magic for the brushes used in the GIMP, developed
# by Spencer Kimball and Peter Mattis
# ('Bucky' LaDieu, nega@vt.edu)
20 string GIMP GIMP brush data
#
# GNU nlsutils message catalog file format
#
0 string \336\22\4\225 GNU message catalog (little endian),
>4 lelong x revision %d,
>8 lelong x %d messages
0 string \225\4\22\336 GNU message catalog (big endian),
>4 belong x revision %d,
>8 belong x %d messages
# message catalogs, from Mitchum DSouza
0 string *nazgul* Nazgul style compiled message catalog
>8 lelong >0 \b, version %ld
#------------------------------------------------------------------------------
# ACE/gr and Grace type files - PLEASE DO NOT REMOVE THIS LINE
#
# ACE/gr binary
0 string \000\000\0001\000\000\0000\000\000\0000\000\000\0002\000\000\000
0\000\000\0000\000\000\0003 old ACE/gr binary file
>39 byte >0 - version %c
# ACE/gr ascii
0 string #\ xvgr\ parameter\ file ACE/gr ascii file
0 string #\ xmgr\ parameter\ file ACE/gr ascii file
0 string #\ ACE/gr\ parameter\ file ACE/gr ascii file
# Grace projects
0 string #\ Grace\ project\ file Grace project file
>23 string @version\ (version
>>32 byte >0 %c
>>33 string >\0 \b.%.2s
>>35 string >\0 \b.%.2s)
# ACE/gr fit description files
0 string #\ ACE/gr\ fit\ description\ ACE/gr fit description file
# end of ACE/gr and Grace type files - PLEASE DO NOT REMOVE THIS LINE
#------------------------------------------------------------------------------
# hp: file(1) magic for Hewlett Packard machines (see also "printer")
#
# XXX - somebody should figure out whether any byte order needs to be
# applied to the "TML" stuff; I'm assuming the Apollo stuff is
# big-endian as it was mostly 68K-based.
#
# I think the 500 series was the old stack-based machines, running a
# UNIX environment atop the "SUN kernel"; dunno whether it was
# big-endian or little-endian.
#
# Daniel Quinlan (quinlan@yggdrasil.com): hp200 machines are 68010 based;
# hp300 are 68020+68881 based; hp400 are also 68k. The following basic
# HP magic is useful for reference, but using "long" magic is a better
# practice in order to avoid collisions.
#
# Guy Harris (guy@netapp.com): some additions to this list came from
# HP-UX 10.0's "/usr/include/sys/unistd.h" (68030, 68040, PA-RISC 1.1,
# 1.2, and 2.0). The 1.2 and 2.0 stuff isn't in the HP-UX 10.0
# "/etc/magic", though, except for the "archive file relocatable library"
# stuff, and the 68030 and 68040 stuff isn't there at all - are they not
# used in executables, or have they just not yet updated "/etc/magic"
# completely?
#
# 0 beshort 200 hp200 (68010) BSD binary
# 0 beshort 300 hp300 (68020+68881) BSD binary
# 0 beshort 0x20c hp200/300 HP-UX binary
# 0 beshort 0x20d hp400 (68030) HP-UX binary
# 0 beshort 0x20e hp400 (68040?) HP-UX binary
# 0 beshort 0x20b PA-RISC1.0 HP-UX binary
# 0 beshort 0x210 PA-RISC1.1 HP-UX binary
# 0 beshort 0x211 PA-RISC1.2 HP-UX binary
# 0 beshort 0x214 PA-RISC2.0 HP-UX binary
#
# The "misc" stuff needs a byte order; the archives look suspiciously
# like the old 177545 archives (0xff65 = 0177545).
#
#### Old Apollo stuff
0 beshort 0627 Apollo m68k COFF executable
>18 beshort ^040000 not stripped
>22 beshort >0 - version %ld
0 beshort 0624 apollo a88k COFF executable
>18 beshort ^040000 not stripped
>22 beshort >0 - version %ld
0 long 01203604016 TML 0123 byte-order format
0 long 01702407010 TML 1032 byte-order format
0 long 01003405017 TML 2301 byte-order format
0 long 01602007412 TML 3210 byte-order format
#### PA-RISC 1.1
0 belong 0x02100106 PA-RISC1.1 relocatable object
0 belong 0x02100107 PA-RISC1.1 executable
>168 belong &0x00000004 dynamically linked
>(144) belong 0x054ef630 dynamically linked
>96 belong >0 - not stripped
0 belong 0x02100108 PA-RISC1.1 shared executable
>168 belong&0x4 0x4 dynamically linked
>(144) belong 0x054ef630 dynamically linked
>96 belong >0 - not stripped
0 belong 0x0210010b PA-RISC1.1 demand-load executable
>168 belong&0x4 0x4 dynamically linked
>(144) belong 0x054ef630 dynamically linked
>96 belong >0 - not stripped
0 belong 0x0210010e PA-RISC1.1 shared library
>96 belong >0 - not stripped
0 belong 0x0210010d PA-RISC1.1 dynamic load library
>96 belong >0 - not stripped
#### PA-RISC 2.0
0 belong 0x02140106 PA-RISC2.0 relocatable object
0 belong 0x02140107 PA-RISC2.0 executable
>168 belong &0x00000004 dynamically linked
>(144) belong 0x054ef630 dynamically linked
>96 belong >0 - not stripped
0 belong 0x02140108 PA-RISC2.0 shared executable
>168 belong &0x00000004 dynamically linked
>(144) belong 0x054ef630 dynamically linked
>96 belong >0 - not stripped
0 belong 0x0214010b PA-RISC2.0 demand-load executable
>168 belong &0x00000004 dynamically linked
>(144) belong 0x054ef630 dynamically linked
>96 belong >0 - not stripped
0 belong 0x0214010e PA-RISC2.0 shared library
>96 belong >0 - not stripped
0 belong 0x0214010d PA-RISC2.0 dynamic load library
>96 belong >0 - not stripped
#### 800
0 belong 0x020b0106 PA-RISC1.0 relocatable object
0 belong 0x020b0107 PA-RISC1.0 executable
>168 belong&0x4 0x4 dynamically linked
>(144) belong 0x054ef630 dynamically linked
>96 belong >0 - not stripped
0 belong 0x020b0108 PA-RISC1.0 shared executable
>168 belong&0x4 0x4 dynamically linked
>(144) belong 0x054ef630 dynamically linked
>96 belong >0 - not stripped
0 belong 0x020b010b PA-RISC1.0 demand-load executable
>168 belong&0x4 0x4 dynamically linked
>(144) belong 0x054ef630 dynamically linked
>96 belong >0 - not stripped
0 belong 0x020b010e PA-RISC1.0 shared library
>96 belong >0 - not stripped
0 belong 0x020b010d PA-RISC1.0 dynamic load library
>96 belong >0 - not stripped
0 belong 0x213c6172 archive file
>68 belong 0x020b0619 - PA-RISC1.0 relocatable library
>68 belong 0x02100619 - PA-RISC1.1 relocatable library
>68 belong 0x02110619 - PA-RISC1.2 relocatable library
>68 belong 0x02140619 - PA-RISC2.0 relocatable library
#### 500
0 long 0x02080106 HP s500 relocatable executable
>16 long >0 - version %ld
0 long 0x02080107 HP s500 executable
>16 long >0 - version %ld
0 long 0x02080108 HP s500 pure executable
>16 long >0 - version %ld
#### 200
0 belong 0x020c0108 HP s200 pure executable
>4 beshort >0 - version %ld
>8 belong &0x80000000 save fp regs
>8 belong &0x40000000 dynamically linked
>8 belong &0x20000000 debuggable
>36 belong >0 not stripped
0 belong 0x020c0107 HP s200 executable
>4 beshort >0 - version %ld
>8 belong &0x80000000 save fp regs
>8 belong &0x40000000 dynamically linked
>8 belong &0x20000000 debuggable
>36 belong >0 not stripped
0 belong 0x020c010b HP s200 demand-load executable
>4 beshort >0 - version %ld
>8 belong &0x80000000 save fp regs
>8 belong &0x40000000 dynamically linked
>8 belong &0x20000000 debuggable
>36 belong >0 not stripped
0 belong 0x020c0106 HP s200 relocatable executable
>4 beshort >0 - version %ld
>6 beshort >0 - highwater %d
>8 belong &0x80000000 save fp regs
>8 belong &0x20000000 debuggable
>8 belong &0x10000000 PIC
0 belong 0x020a0108 HP s200 (2.x release) pure executable
>4 beshort >0 - version %ld
>36 belong >0 not stripped
0 belong 0x020a0107 HP s200 (2.x release) executable
>4 beshort >0 - version %ld
>36 belong >0 not stripped
0 belong 0x020c010e HP s200 shared library
>4 beshort >0 - version %ld
>6 beshort >0 - highwater %d
>36 belong >0 not stripped
0 belong 0x020c010d HP s200 dynamic load library
>4 beshort >0 - version %ld
>6 beshort >0 - highwater %d
>36 belong >0 not stripped
#### MISC
0 long 0x0000ff65 HP old archive
0 long 0x020aff65 HP s200 old archive
0 long 0x020cff65 HP s200 old archive
0 long 0x0208ff65 HP s500 old archive
0 long 0x015821a6 HP core file
0 long 0x4da7eee8 HP-WINDOWS font
>8 byte >0 - version %ld
0 string Bitmapfile HP Bitmapfile
0 string IMGfile CIS compimg HP Bitmapfile
# XXX - see "lif"
#0 short 0x8000 lif file
0 long 0x020c010c compiled Lisp
0 string msgcat01 HP NLS message catalog,
>8 long >0 %d messages
# addendum to /etc/magic with HP-48sx file-types by phk@data.fls.dk 1jan92
0 string HPHP48- HP48 binary
>7 byte >0 - Rev %c
>8 beshort 0x1129 (ADR)
>8 beshort 0x3329 (REAL)
>8 beshort 0x5529 (LREAL)
>8 beshort 0x7729 (COMPLX)
>8 beshort 0x9d29 (LCOMPLX)
>8 beshort 0xbf29 (CHAR)
>8 beshort 0xe829 (ARRAY)
>8 beshort 0x0a2a (LNKARRAY)
>8 beshort 0x2c2a (STRING)
>8 beshort 0x4e2a (HXS)
>8 beshort 0x742a (LIST)
>8 beshort 0x962a (DIR)
>8 beshort 0xb82a (ALG)
>8 beshort 0xda2a (UNIT)
>8 beshort 0xfc2a (TAGGED)
>8 beshort 0x1e2b (GROB)
>8 beshort 0x402b (LIB)
>8 beshort 0x622b (BACKUP)
>8 beshort 0x882b (LIBDATA)
>8 beshort 0x9d2d (PROG)
>8 beshort 0xcc2d (CODE)
>8 beshort 0x482e (GNAME)
>8 beshort 0x6d2e (LNAME)
>8 beshort 0x922e (XLIB)
0 string %%HP: HP48 text
>6 string T(0) - T(0)
>6 string T(1) - T(1)
>6 string T(2) - T(2)
>6 string T(3) - T(3)
>10 string A(D) A(D)
>10 string A(R) A(R)
>10 string A(G) A(G)
>14 string F(.) F(.);
>14 string F(,) F(,);
# hpBSD magic numbers
0 beshort 200 hp200 (68010) BSD
>2 beshort 0407 impure binary
>2 beshort 0410 read-only binary
>2 beshort 0413 demand paged binary
0 beshort 300 hp300 (68020+68881) BSD
>2 beshort 0407 impure binary
>2 beshort 0410 read-only binary
>2 beshort 0413 demand paged binary
#------------------------------------------------------------------------------
# ibm370: file(1) magic for IBM 370 and compatibles.
#
# "ibm370" said that 0x15d == 0535 was "ibm 370 pure executable".
# What the heck *is* "USS/370"?
# AIX 4.1's "/etc/magic" has
#
# 0 short 0535 370 sysV executable
# >12 long >0 not stripped
# >22 short >0 - version %d
# >30 long >0 - 5.2 format
# 0 short 0530 370 sysV pure executable
# >12 long >0 not stripped
# >22 short >0 - version %d
# >30 long >0 - 5.2 format
#
# instead of the "USS/370" versions of the same magic numbers.
#
0 beshort 0537 370 XA sysV executable
>12 belong >0 not stripped
>22 beshort >0 - version %d
>30 belong >0 - 5.2 format
0 beshort 0532 370 XA sysV pure executable
>12 belong >0 not stripped
>22 beshort >0 - version %d
>30 belong >0 - 5.2 format
0 beshort 054001 370 sysV pure executable
>12 belong >0 not stripped
0 beshort 055001 370 XA sysV pure executable
>12 belong >0 not stripped
0 beshort 056401 370 sysV executable
>12 belong >0 not stripped
0 beshort 057401 370 XA sysV executable
>12 belong >0 not stripped
0 beshort 0531 SVR2 executable (Amdahl-UTS)
>12 belong >0 not stripped
>24 belong >0 - version %ld
0 beshort 0534 SVR2 pure executable (Amdahl-UTS)
>12 belong >0 not stripped
>24 belong >0 - version %ld
0 beshort 0530 SVR2 pure executable (USS/370)
>12 belong >0 not stripped
>24 belong >0 - version %ld
0 beshort 0535 SVR2 executable (USS/370)
>12 belong >0 not stripped
>24 belong >0 - version %ld
#------------------------------------------------------------------------------
# ibm6000: file(1) magic for RS/6000 and the RT PC.
#
0 beshort 0x01df executable (RISC System/6000 V3.1) or ob
j module
>12 belong >0 not stripped
# Breaks sun4 statically linked execs.
#0 beshort 0x0103 executable (RT Version 2) or obj module
#>2 byte 0x50 pure
#>28 belong >0 not stripped
#>6 beshort >0 - version %ld
0 beshort 0x0104 shared library
0 beshort 0x0105 ctab data
0 beshort 0xfe04 structured file
0 string 0xabcdef AIX message catalog
0 belong 0x000001f9 AIX compiled message catalog
0 string \ archive
#------------------------------------------------------------------------------
# iff: file(1) magic for Interchange File Format (see also "audio" & "images")
#
# Daniel Quinlan (quinlan@yggdrasil.com) -- IFF was designed by Electronic
# Arts for file interchange. It has also been used by Apple, SGI, and
# especially Commodore-Amiga.
#
# IFF files begin with an 8 byte FORM header, followed by a 4 character
# FORM type, which is followed by the first chunk in the FORM.
0 string FORM IFF data
#>4 belong x \b, FORM is %d bytes long
# audio formats
>8 string AIFF \b, AIFF audio
>8 string AIFC \b, AIFF-C compressed audio
>8 string 8SVX \b, 8SVX 8-bit sampled sound voice
>8 string SAMP \b, SAMP sampled audio
# image formats
>8 string ILBMBMHD \b, ILBM interleaved image
>>20 beshort x \b, %d x
>>22 beshort x %d
>8 string RGBN \b, RGBN 12-bit RGB image
>8 string RGB8 \b, RGB8 24-bit RGB image
>8 string DR2D \b, DR2D 2-D object
>8 string TDDD \b, TDDD 3-D rendering
# other formats
>8 string FTXT \b, FTXT formatted text
#------------------------------------------------------------------------------
# images: file(1) magic for image formats (see also "iff")
#
# originally from jef@helios.ee.lbl.gov (Jef Poskanzer),
# additions by janl@ifi.uio.no as well as others. Jan also suggested
# merging several one- and two-line files into here.
#
# little magic: PCX (first byte is 0x0a)
# Targa - matches `povray', `ppmtotga' and `xv' outputs
# by Philippe De Muyter
# at 2, byte ImgType must be 1, 2, 3, 9, 10 or 11
# at 1, byte CoMapType must be 1 if ImgType is 1 or 9, 0 otherwise
# at 3, leshort Index is 0 for povray, ppmtotga and xv outputs
# `xv' recognizes only a subset of the following (RGB with pixelsize = 24)
# `tgatoppm' recognizes a superset (Index may be anything)
1 belong&0xfff7ffff 0x01010000 Targa image data - Map
>2 byte&8 8 - RLE
1 belong&0xfff7ffff 0x00020000 Targa image data - RGB
>2 byte&8 8 - RLE
1 belong&0xfff7ffff 0x00030000 Targa image data - Mono
>2 byte&8 8 - RLE
# PBMPLUS images
# The next byte following the magic is always whitespace.
0 string P1 Netpbm PBM image text
0 string P2 Netpbm PGM image text
0 string P3 Netpbm PPM image text
0 string P4 Netpbm PBM "rawbits" image data
0 string P5 Netpbm PGM "rawbits" image data
0 string P6 Netpbm PPM "rawbits" image data
0 string P7 Netpbm PAM image file
# From: bryanh@giraffe-data.com (Bryan Henderson)
0 string \117\072 Solitaire Image Recorder format
>4 string \013 MGI Type 11
>4 string \021 MGI Type 17
0 string .MDA MicroDesign data
>21 byte 48 version 2
>21 byte 51 version 3
0 string .MDP MicroDesign page data
>21 byte 48 version 2
>21 byte 51 version 3
# NIFF (Navy Interchange File Format, a modification of TIFF) images
0 string IIN1 NIFF image data
# Tag Image File Format, from Daniel Quinlan (quinlan@yggdrasil.com)
# The second word of TIFF files is the TIFF version number, 42, which has
# never changed. The TIFF specification recommends testing for it.
0 string MM\x00\x2a TIFF image data, big-endian
0 string II\x2a\x00 TIFF image data, little-endian
# PNG [Portable Network Graphics, or "PNG's Not GIF"] images
# (Greg Roelofs, newt@uchicago.edu)
# (Albert Cahalan, acahalan@cs.uml.edu)
#
# 137 P N G \r \n ^Z \n [4-byte length] H E A D [HEAD data] [HEAD crc] ...
#
0 string \x89PNG PNG image data,
>4 belong !0x0d0a1a0a CORRUPTED,
>4 belong 0x0d0a1a0a
>>16 belong x %ld x
>>20 belong x %ld,
>>24 byte x %d-bit
>>25 byte 0 grayscale,
>>25 byte 2 \b/color RGB,
>>25 byte 3 colormap,
>>25 byte 4 gray+alpha,
>>25 byte 6 \b/color RGBA,
#>>26 byte 0 deflate/32K,
>>28 byte 0 non-interlaced
>>28 byte 1 interlaced
1 string PNG PNG image data, CORRUPTED
# GIF
0 string GIF8 GIF image data
>4 string 7a \b, version 8%s,
>4 string 9a \b, version 8%s,
>6 leshort >0 %hd x
>8 leshort >0 %hd,
#>10 byte &0x80 color mapped,
#>10 byte&0x07 =0x00 2 colors
#>10 byte&0x07 =0x01 4 colors
#>10 byte&0x07 =0x02 8 colors
#>10 byte&0x07 =0x03 16 colors
#>10 byte&0x07 =0x04 32 colors
#>10 byte&0x07 =0x05 64 colors
#>10 byte&0x07 =0x06 128 colors
#>10 byte&0x07 =0x07 256 colors
# ITC (CMU WM) raster files. It is essentially a byte-reversed Sun raster,
# 1 plane, no encoding.
0 string \361\0\100\273 CMU window manager raster image data
>4 lelong >0 %d x
>8 lelong >0 %d,
>12 lelong >0 %d-bit
# Magick Image File Format
0 string id=ImageMagick MIFF image data
# Artisan
0 long 1123028772 Artisan image data
>4 long 1 \b, rectangular 24-bit
>4 long 2 \b, rectangular 8-bit with colormap
>4 long 3 \b, rectangular 32-bit (24-bit with matt
e)
# FIG (Facility for Interactive Generation of figures), an object-based format
0 string #FIG FIG image text
>5 string x \b, version %.3s
# PHIGS
0 string ARF_BEGARF PHIGS clear text archive
0 string @(#)SunPHIGS SunPHIGS
# version number follows, in the form m.n
>40 string SunBin binary
>32 string archive archive
# GKS (Graphics Kernel System)
0 string GKSM GKS Metafile
>24 string SunGKS \b, SunGKS
# CGM image files
0 string BEGMF clear text Computer Graphics Metafile
# XXX - questionable magic
0 beshort&0xffe0 0x0020 binary Computer Graphics Metafile
0 beshort 0x3020 character Computer Graphics Metafile
# MGR bitmaps (Michael Haardt, u31b3hs@pool.informatik.rwth-aachen.de)
0 string yz MGR bitmap, modern format, 8-bit aligned
0 string zz MGR bitmap, old format, 1-bit deep, 16-bit aligned
0 string xz MGR bitmap, old format, 1-bit deep, 32-bit aligned
0 string yx MGR bitmap, modern format, squeezed
# Fuzzy Bitmap (FBM) images
0 string %bitmap\0 FBM image data
>30 long 0x31 \b, mono
>30 long 0x33 \b, color
# facsimile data
1 string PC\ Research,\ Inc group 3 fax data
>29 byte 0 \b, normal resolution (204x98 DPI)
>29 byte 1 \b, fine resolution (204x196 DPI)
# PC bitmaps (OS/2, Windoze BMP files) (Greg Roelofs, newt@uchicago.edu)
0 string BM PC bitmap data
>14 leshort 12 \b, OS/2 1.x format
>>18 leshort x \b, %d x
>>20 leshort x %d
>14 leshort 64 \b, OS/2 2.x format
>>18 leshort x \b, %d x
>>20 leshort x %d
>14 leshort 40 \b, Windows 3.x format
>>18 lelong x \b, %d x
>>22 lelong x %d x
>>28 leshort x %d
0 string IC PC icon data
0 string PI PC pointer image data
0 string CI PC color icon data
0 string CP PC color pointer image data
# Conflicts with other entries [BABYL]
#0 string BA PC bitmap array data
# JPEG images
# SunOS 5.5.1 had
#
# 0 string \377\330\377\340 JPEG file
# 0 string \377\330\377\356 JPG file
#
# both of which turn into "JPEG image data" here.
#
0 beshort 0xffd8 JPEG image data
>6 string JFIF \b, JFIF standard
# HSI is Handmade Software's proprietary JPEG encoding scheme
0 string hsi1 JPEG image data, HSI proprietary
# XPM icons (Greg Roelofs, newt@uchicago.edu)
# note possible collision with C/REXX entry in c-lang; currently commented out
0 string /*\ XPM\ */ X pixmap image text
# Utah Raster Toolkit RLE images (janl@ifi.uio.no)
0 leshort 0xcc52 RLE image data,
>6 leshort x %d x
>8 leshort x %d
>2 leshort >0 \b, lower left corner: %d
>4 leshort >0 \b, lower right corner: %d
>10 byte&0x1 =0x1 \b, clear first
>10 byte&0x2 =0x2 \b, no background
>10 byte&0x4 =0x4 \b, alpha channel
>10 byte&0x8 =0x8 \b, comment
>11 byte >0 \b, %d color channels
>12 byte >0 \b, %d bits per pixel
>13 byte >0 \b, %d color map channels
# image file format (Robert Potter, potter@cs.rochester.edu)
0 string Imagefile\ version- iff image data
# this adds the whole header (inc. version number), informative but longish
>10 string >\0 %s
# Sun raster images, from Daniel Quinlan (quinlan@yggdrasil.com)
0 belong 0x59a66a95 Sun raster image data
>4 belong >0 \b, %d x
>8 belong >0 %d,
>12 belong >0 %d-bit,
#>16 belong >0 %d bytes long,
>20 belong 0 old format,
#>20 belong 1 standard,
>20 belong 2 compressed,
>20 belong 3 RGB,
>20 belong 4 TIFF,
>20 belong 5 IFF,
>20 belong 0xffff reserved for testing,
>24 belong 0 no colormap
>24 belong 1 RGB colormap
>24 belong 2 raw colormap
#>28 belong >0 colormap is %d bytes long
# SGI image file format, from Daniel Quinlan (quinlan@yggdrasil.com)
#
# See
# http://reality.sgi.com/grafica/sgiimage.html
#
0 beshort 474 SGI image data
#>2 byte 0 \b, verbatim
>2 byte 1 \b, RLE
#>3 byte 1 \b, normal precision
>3 byte 2 \b, high precision
>4 beshort x \b, %d-D
>6 beshort x \b, %d x
>8 beshort x %d
>10 beshort x \b, %d channel
>10 beshort !1 \bs
>80 string >0 \b, "%s"
0 string IT01 FIT image data
>4 belong x \b, %d x
>8 belong x %d x
>12 belong x %d
#
0 string IT02 FIT image data
>4 belong x \b, %d x
>8 belong x %d x
>12 belong x %d
#
2048 string PCD_IPI Kodak Photo CD image pack file
0 string PCD_OPA Kodak Photo CD overview pack file
# FITS format. Jeff Uphoff
# FITS is the Flexible Image Transport System, the de facto standard for
# data and image transfer, storage, etc., for the astronomical community.
# (FITS floating point formats are big-endian.)
0 string SIMPLE\ \ = FITS image data
>109 string 8 \b, 8-bit, character or unsigned binary integer
>108 string 16 \b, 16-bit, two's complement binary integer
>107 string \ 32 \b, 32-bit, two's complement binary integer
>107 string -32 \b, 32-bit, floating point, single precision
>107 string -64 \b, 64-bit, floating point, double precision
# other images
0 string This\ is\ a\ BitMap\ file Lisp Machine bit-array-file
0 string !! Bennet Yee's "face" format
# From SunOS 5.5.1 "/etc/magic" - appeared right before Sun raster image
# stuff.
#
0 beshort 0x1010 PEX Binary Archive
# Visio drawings
03000 string Visio\ (TM)\ Drawing %s
# Tgif files
0 string \%TGIF\ x Tgif file version %s
# DICOM medical imaging data
128 string DICM DICOM medical imaging data
#------------------------------------------------------------------------------
# intel: file(1) magic for x86 Unix
#
# Various flavors of x86 UNIX executable/object (other than Xenix, which
# is in "microsoft"). DOS is in "msdos"; the ambitious soul can do
# Windows as well.
#
# Windows NT belongs elsewhere, as you need x86 and MIPS and Alpha and
# whatever comes next (HP-PA Hummingbird?). OS/2 may also go elsewhere
# as well, if, as, and when IBM makes it portable.
#
# The `versions' should be un-commented if they work for you.
# (Was the problem just one of endianness?)
#
0 leshort 0502 basic-16 executable
>12 lelong >0 not stripped
#>22 leshort >0 - version %ld
0 leshort 0503 basic-16 executable (TV)
>12 lelong >0 not stripped
#>22 leshort >0 - version %ld
0 leshort 0510 x86 executable
>12 lelong >0 not stripped
0 leshort 0511 x86 executable (TV)
>12 lelong >0 not stripped
0 leshort =0512 iAPX 286 executable small model (COFF)
>12 lelong >0 not stripped
#>22 leshort >0 - version %ld
0 leshort =0522 iAPX 286 executable large model (COFF)
>12 lelong >0 not stripped
#>22 leshort >0 - version %ld
# SGI labeled the next entry as "iAPX 386 executable" --Dan Quinlan
0 leshort =0514 80386 COFF executable
>12 lelong >0 not stripped
>22 leshort >0 - version %ld
#------------------------------------------------------------------------------
# interleaf: file(1) magic for InterLeaf TPS:
#
0 string =\210OPS Interleaf saved data
0 string =5 string ,\ Version\ = \b, version
>>17 string >\0 %.3s
#------------------------------------------------------------------------------
# island: file(1) magic for IslandWite/IslandDraw, from SunOS 5.5.1
# "/etc/magic":
# From: guy@netapp.com (Guy Harris)
#
4 string pgscriptver IslandWrite document
13 string DrawFile IslandDraw document
#------------------------------------------------------------------------------
# ispell: file(1) magic for ispell
#
# Ispell 3.0 has a magic of 0x9601 and ispell 3.1 has 0x9602. This magic
# will match 0x9600 through 0x9603 in *both* little endian and big endian.
# (No other current magic entries collide.)
#
# Updated by Daniel Quinlan (quinlan@yggdrasil.com)
#
0 leshort&0xFFFC 0x9600 little endian ispell
>0 byte 0 hash file (?),
>0 byte 1 3.0 hash file,
>0 byte 2 3.1 hash file,
>0 byte 3 hash file (?),
>2 leshort 0x00 8-bit, no capitalization, 26 flags
>2 leshort 0x01 7-bit, no capitalization, 26 flags
>2 leshort 0x02 8-bit, capitalization, 26 flags
>2 leshort 0x03 7-bit, capitalization, 26 flags
>2 leshort 0x04 8-bit, no capitalization, 52 flags
>2 leshort 0x05 7-bit, no capitalization, 52 flags
>2 leshort 0x06 8-bit, capitalization, 52 flags
>2 leshort 0x07 7-bit, capitalization, 52 flags
>2 leshort 0x08 8-bit, no capitalization, 128 flags
>2 leshort 0x09 7-bit, no capitalization, 128 flags
>2 leshort 0x0A 8-bit, capitalization, 128 flags
>2 leshort 0x0B 7-bit, capitalization, 128 flags
>2 leshort 0x0C 8-bit, no capitalization, 256 flags
>2 leshort 0x0D 7-bit, no capitalization, 256 flags
>2 leshort 0x0E 8-bit, capitalization, 256 flags
>2 leshort 0x0F 7-bit, capitalization, 256 flags
>4 leshort >0 and %d string characters
0 beshort&0xFFFC 0x9600 big endian ispell
>1 byte 0 hash file (?),
>1 byte 1 3.0 hash file,
>1 byte 2 3.1 hash file,
>1 byte 3 hash file (?),
>2 beshort 0x00 8-bit, no capitalization, 26 flags
>2 beshort 0x01 7-bit, no capitalization, 26 flags
>2 beshort 0x02 8-bit, capitalization, 26 flags
>2 beshort 0x03 7-bit, capitalization, 26 flags
>2 beshort 0x04 8-bit, no capitalization, 52 flags
>2 beshort 0x05 7-bit, no capitalization, 52 flags
>2 beshort 0x06 8-bit, capitalization, 52 flags
>2 beshort 0x07 7-bit, capitalization, 52 flags
>2 beshort 0x08 8-bit, no capitalization, 128 flags
>2 beshort 0x09 7-bit, no capitalization, 128 flags
>2 beshort 0x0A 8-bit, capitalization, 128 flags
>2 beshort 0x0B 7-bit, capitalization, 128 flags
>2 beshort 0x0C 8-bit, no capitalization, 256 flags
>2 beshort 0x0D 7-bit, no capitalization, 256 flags
>2 beshort 0x0E 8-bit, capitalization, 256 flags
>2 beshort 0x0F 7-bit, capitalization, 256 flags
>4 beshort >0 and %d string characters
# ispell 4.0 hash files kromJx
# Ispell 4.0
0 string ISPL ispell
>4 long x hash file version %d,
>8 long x lexletters %d,
>12 long x lexsize %d,
>16 long x hashsize %d,
>20 long x stblsize %d
#------------------------------------------------------------
# Java ByteCode
# From Larry Schwimmer (schwim@cs.stanford.edu)
0 belong 0xcafebabe compiled Java class data,
>6 beshort x version %d.
>4 beshort x \b%d
#------------------------------------------------------------
# Java serialization
# From Martin Pool (m.pool@pharos.com.au)
0 beshort 0xaced Java serialization data
>2 beshort >0x0004 \b, version %d
#------------------------------------------------------------------------------
# JPEG images
# SunOS 5.5.1 had
#
# 0 string \377\330\377\340 JPEG file
# 0 string \377\330\377\356 JPG file
#
# both of which turn into "JPEG image data" here.
#
0 beshort 0xffd8 JPEG image data
>6 string JFIF \b, JFIF standard
# The following added by Erik Rossen 1999-09-06
# in a vain attempt to add image size reporting for JFIF. Note that these
# tests are not fool-proof since some perfectly valid JPEGs are currently
# impossible to specify in magic(4) format.
# First, a little JFIF version info:
>11 byte x \b %d.
>12 byte x \b%02d
# Next, the resolution or aspect ratio of the image:
>13 byte 0 \b, aspect ratio
>13 byte 1 \b, resolution (DPI)
>13 byte 2 \b, resolution (DPCM)
>14 beshort x \b X%d:
>16 beshort x \bY%d
#>4 beshort x \b, segment length %d
# Next, show thumbnail info, if it exists:
>18 byte !0 \b, thumbnail %dx
>>19 byte x \b%d
# Here things get sticky. We can do ONE MORE marker segment with
# indirect addressing, and that's all. It would be great if we could
# do pointer arithemetic like in an assembler language. Christos?
# And if there was some sort of looping construct to do searches, plus a few
# named accumulators, it would be even more effective...
# At least we can show a comment if no other segments got inserted before:
>(4.S+5) byte 0xFE
>>(4.S+8) string >\0 \b, "%s"
#>(4.S+5) byte 0xFE \b, comment
#>>(4.S+6) beshort x \b length=%d
#>>(4.S+8) string >\0 \b, "%s"
# Or, we can show the encoding type (I've included only the three most common)
# and image dimensions if we are lucky and the SOFn (image segment) is here:
>(4.S+5) byte 0xC0 \b, baseline
>>(4.S+6) byte x \b, precision %d
>>(4.S+7) beshort x \b, %dx
>>(4.S+9) beshort x \b%d
>(4.S+5) byte 0xC1 \b, extended sequential
>>(4.S+6) byte x \b, precision %d
>>(4.S+7) beshort x \b, %dx
>>(4.S+9) beshort x \b%d
>(4.S+5) byte 0xC2 \b, progressive
>>(4.S+6) byte x \b, precision %d
>>(4.S+7) beshort x \b, %dx
>>(4.S+9) beshort x \b%d
# I've commented-out quantisation table reporting. I doubt anyone cares yet.
#>(4.S+5) byte 0xDB \b, quantisation table
#>>(4.S+6) beshort x \b length=%d
# HSI is Handmade Software's proprietary JPEG encoding scheme
0 string hsi1 JPEG image data, HSI proprietary
#------------------------------------------------------------------------------
# karma: file(1) magic for Karma data files
#
# From
0 string KarmaRHD Version Karma Data Structure Version
>16 belong x %lu
#------------------------------------------------------------------------------
# DEC SRC Virtual Paper: Lectern files
# Karl M. Hegbloom
0 string lect DEC SRC Virtual Paper Lectern file
#------------------------------------------------------------------------------
# lex: file(1) magic for lex
#
# derived empirically, your offsets may vary!
53 string yyprevious C program text (from lex)
>3 string >\0 for %s
# C program text from GNU flex, from Daniel Quinlan
21 string generated\ by\ flex C program text (from flex)
# lex description file, from Daniel Quinlan
0 string %{ lex description text
#------------------------------------------------------------------------------
# lif: file(1) magic for lif
#
# (Daniel Quinlan )
#
0 beshort 0x8000 lif file
#------------------------------------------------------------------------------
# linux: file(1) magic for Linux files
#
# Values for Linux/i386 binaries, from Daniel Quinlan
# The following basic Linux magic is useful for reference, but using
# "long" magic is a better practice in order to avoid collisions.
#
# 2 leshort 100 Linux/i386
# >0 leshort 0407 impure executable (OMAGIC)
# >0 leshort 0410 pure executable (NMAGIC)
# >0 leshort 0413 demand-paged executable (ZMAGIC)
# >0 leshort 0314 demand-paged executable (QMAGIC)
#
0 lelong 0x00640107 Linux/i386 impure executable (OMAGIC)
>16 lelong 0 \b, stripped
0 lelong 0x00640108 Linux/i386 pure executable (NMAGIC)
>16 lelong 0 \b, stripped
0 lelong 0x0064010b Linux/i386 demand-paged executable (ZMAG
IC)
>16 lelong 0 \b, stripped
0 lelong 0x006400cc Linux/i386 demand-paged executable (QMAG
IC)
>16 lelong 0 \b, stripped
#
0 string \007\001\000 Linux/i386 object file
>20 lelong >0x1020 \b, DLL library
# Linux-8086 stuff:
0 string \01\03\020\04 Linux-8086 impure executable
>28 long !0 not stripped
0 string \01\03\040\04 Linux-8086 executable
>28 long !0 not stripped
#
0 string \243\206\001\0 Linux-8086 object file
#
0 string \01\03\020\20 Minix-386 impure executable
>28 long !0 not stripped
0 string \01\03\040\20 Minix-386 executable
>28 long !0 not stripped
# core dump file, from Bill Reynolds
216 lelong 0421 Linux/i386 core file
>220 string >\0 of '%s'
>200 lelong >0 (signal %d)
#
# LILO boot/chain loaders, from Daniel Quinlan
# this can be overridden by the DOS executable (COM) entry
2 string LILO Linux/i386 LILO boot/chain loader
#
# Debian Packages, from Peter Tobias
0 string 0.9
>8 byte 0x0a old Debian Binary Package
>>3 byte >0 \b, created by dpkg 0.9%c
>>4 byte >0 pl%c
# PSF fonts, from H. Peter Anvin
0 leshort 0x0436 Linux/i386 PC Screen Font data,
>2 byte 0 256 characters, no directory,
>2 byte 1 512 characters, no directory,
>2 byte 2 256 characters, Unicode directory,
>2 byte 3 512 characters, Unicode directory,
>3 byte >0 8x%d
# Linux swap file, from Daniel Quinlan
4086 string SWAP-SPACE Linux/i386 swap file
# ECOFF magic for OSF/1 and Linux (only tested under Linux though)
#
# from Erik Troan (ewt@redhat.com) examining od dumps, so this
# could be wrong
# updated by David Mosberger (davidm@azstarnet.com) based on
# GNU BFD and MIPS info found below.
#
0 leshort 0x0183 ECOFF alpha
>24 leshort 0407 executable
>24 leshort 0410 pure
>24 leshort 0413 demand paged
>8 long >0 not stripped
>8 long 0 stripped
>23 leshort >0 - version %ld.
#
# Linux kernel boot images, from Albert Cahalan
# and others such as Axel Kohlmeyer
# and Nicolás Lichtmaier
# All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29
514 string HdrS Linux kernel
>518 leshort >0
>>529 byte 0 zImage data,
>>529 byte 1 bzImage data,
>0x048c byte 0x31
>>0x048c string x version %s
>0x0493 byte 0x31
>>0x0493 string x version %s
>0x048c byte 0x32
>>0x048c string x version %s
>0x0493 byte 0x32
>>0x0493 string x version %s
>0x04df byte 0x32
>>0x04df string x version %s
>0x04fb byte 0x32
>>0x04fb string x version %s
# This also matches new kernels, which were caught above by "HdrS".
0 belong 0xb8c0078e Linux kernel
>0x1e3 string Loading version 1.3.79 or older
>0x1e9 string Loading from prehistoric times
# LSM entries - Nicolás Lichtmaier
0 string Begin3 Linux Software Map entry text
#------------------------------------------------------------------------------
# lisp: file(1) magic for lisp programs
#
# various lisp types, from Daniel Quinlan (quinlan@yggdrasil.com)
0 string ;; Lisp/Scheme program text
# Emacs 18 - this is always correct, but not very magical.
0 string \012( byte-compiled Emacs-Lisp program data
# Emacs 19
0 string ;ELC\023\000\000\000 byte-compiled Emacs-Lisp program data
#
# Files produced by CLISP Common Lisp From: Bruno Haible
0 string (SYSTEM::VERSION\040' CLISP byte-compiled Lisp program text
0 long 0x70768BD2 CLISP memory image data
0 long 0xD28B7670 CLISP memory image data, other endian
# Files produced by GNU gettext
0 long 0xDE120495 GNU-format message catalog data
0 long 0x950412DE GNU-format message catalog data
#.com and .bin for MIT scheme
0 string \372\372\372\372 MIT scheme (library?)
#------------------------------------------------------------------------------
# mach file description
#
0 belong 0xcafebabe Mach-O fat file
>4 belong 1 with 1 architecture
>4 belong >1
>>4 belong x with %ld architectures
#
0 belong 0xfeedface Mach-O
>12 belong 1 object
>12 belong 2 executable
>12 belong 3 shared library
>12 belong 4 core
>12 belong 5 preload executable
>12 belong >5
>>12 belong x filetype=%ld
>4 belong <0
>>4 belong x architecture=%ld
>4 belong 1 vax
>4 belong 2 romp
>4 belong 3 architecture=3
>4 belong 4 ns32032
>4 belong 5 ns32332
>4 belong 6 for m68k architecture
# from NeXTstep 3.0
# i.e. mc680x0_all, ignore
# >>8 belong 1 (mc68030)
>>8 belong 2 (mc68040)
>>8 belong 3 (mc68030 only)
>4 belong 7 i386
>4 belong 8 mips
>4 belong 9 ns32532
>4 belong 10 architecture=10
>4 belong 11 hp pa-risc
>4 belong 12 acorn
>4 belong 13 m88k
>4 belong 14 sparc
>4 belong 15 i860-big
>4 belong 16 i860
>4 belong 17 rs6000
>4 belong 18 powerPC
>4 belong >18
>>4 belong x architecture=%ld
#------------------------------------------------------------------------------
# macintosh description
#
# BinHex is the Macintosh ASCII-encoded file format (see also "apple")
# Daniel Quinlan, quinlan@yggdrasil.com
11 string must\ be\ converted\ with\ BinHex BinHex binary text
>41 string x \b, version %.3s
# Stuffit archives are the de facto standard of compression for Macintosh
# files obtained from most archives. (franklsm@tuns.ca)
0 string SIT! StuffIt Archive (data)
>2 string x : %s
0 string SITD StuffIt Deluxe (data)
>2 string x : %s
0 string Seg StuffIt Deluxe Segment (data)
>2 string x : %s
# Macintosh Applications and Installation binaries (franklsm@tuns.ca)
0 string APPL Macintosh Application (data)
>2 string x \b: %s
# Macintosh System files (franklsm@tuns.ca)
0 string zsys Macintosh System File (data)
0 string FNDR Macintosh Finder (data)
0 string libr Macintosh Library (data)
>2 string x : %s
0 string shlb Macintosh Shared Library (data)
>2 string x : %s
0 string cdev Macintosh Control Panel (data)
>2 string x : %s
0 string INIT Macintosh Extension (data)
>2 string x : %s
0 string FFIL Macintosh Truetype Font (data)
>2 string x : %s
0 string LWFN Macintosh Postscript Font (data)
>2 string x : %s
# Additional Macintosh Files (franklsm@tuns.ca)
0 string PACT Macintosh Compact Pro Archive (d
ata)
>2 string x : %s
0 string ttro Macintosh TeachText File (data)
>2 string x : %s
0 string TEXT Macintosh TeachText File (data)
>2 string x : %s
0 string PDF Macintosh PDF File (data)
>2 string x : %s
# MacBinary format (Eric Fischer, enf@pobox.com)
#
# Unfortunately MacBinary doesn't really have a magic number prior
# to the MacBinary III format. The checksum is really the way to
# do it, but the magic file format isn't up to the challenge.
#
# 0 byte 0
# 1 byte # filename length
# 2 string # filename
# 65 string # file type
# 69 string # file creator
# 73 byte # Finder flags
# 74 byte 0
# 75 beshort # vertical posn in window
# 77 beshort # horiz posn in window
# 79 beshort # window or folder ID
# 81 byte # protected?
# 82 byte 0
# 83 belong # length of data segment
# 87 belong # length of resource segment
# 91 belong # file creation date
# 95 belong # file modification date
# 99 beshort # length of comment after resource
# 101 byte # new Finder flags
# 102 string mBIN # (only in MacBinary III)
# 106 byte # char. code of file name
# 107 byte # still more Finder flags
# 116 belong # total file length
# 120 beshort # length of add'l header
# 122 byte 129 # for MacBinary II
# 122 byte 130 # for MacBinary III
# 123 byte 129 # minimum version that can read fmt
# 124 beshort # checksum
#
# This attempts to use the version numbers as a magic number, requiring
# that the first one be 0x80, 0x81, 0x82, or 0x83, and that the second
# be 0x81. This works for the files I have, but maybe not for everyone's.
122 beshort&0xFCFF 0x8081 Macintosh MacBinary data
# MacBinary I doesn't have the version number field at all, but MacBinary II
# has been in use since 1987 so I hope there aren't many really old files
# floating around that this will miss. The original spec calls for using
# the nulls in 0, 74, and 82 as the magic number.
#
# Another possibility, that would also work for MacBinary I, is to use
# the assumption that 65-72 will all be ASCII (0x20-0x7F), that 73 will
# have bits 1 (changed), 2 (busy), 3 (bozo), and 6 (invisible) unset,
# and that 74 will be 0. So something like
#
# 71 belong&0x80804EFF 0x00000000 Macintosh MacBinary data
#
# >73 byte&0x01 0x01 \b, inited
# >73 byte&0x02 0x02 \b, changed
# >73 byte&0x04 0x04 \b, busy
# >73 byte&0x08 0x08 \b, bozo
# >73 byte&0x10 0x10 \b, system
# >73 byte&0x10 0x20 \b, bundle
# >73 byte&0x10 0x40 \b, invisible
# >73 byte&0x10 0x80 \b, locked
>65 string x \b, type "%4.4s"
>65 string 8BIM (PhotoShop)
>65 string ALB3 (PageMaker 3)
>65 string ALB4 (PageMaker 4)
>65 string ALT3 (PageMaker 3)
>65 string APPL (application)
>65 string AWWP (AppleWorks word processor)
>65 string CIRC (simulated circuit)
>65 string DRWG (MacDraw)
>65 string EPSF (Encapsulated PostScript)
>65 string FFIL (font suitcase)
>65 string FKEY (function key)
>65 string FNDR (Macintosh Finder)
>65 string GIFf (GIF image)
>65 string Gzip (GNU gzip)
>65 string INIT (system extension)
>65 string LIB\ (library)
>65 string LWFN (PostScript font)
>65 string MSBC (Microsoft BASIC)
>65 string PACT (Compact Pro archive)
>65 string PDF\ (Portable Document Format)
>65 string PICT (picture)
>65 string PNTG (MacPaint picture)
>65 string PREF (preferences)
>65 string PROJ (Think C project)
>65 string QPRJ (Think Pascal project)
>65 string SCFL (Defender scores)
>65 string SCRN (startup screen)
>65 string SITD (StuffIt Deluxe)
>65 string SPn3 (SuperPaint)
>65 string STAK (HyperCard stack)
>65 string Seg\ (StuffIt segment)
>65 string TARF (Unix tar archive)
>65 string TEXT (ASCII)
>65 string TIFF (TIFF image)
>65 string TOVF (Eudora table of contents)
>65 string WDBN (Microsoft Word word processor)
>65 string WORD (MacWrite word processor)
>65 string XLS\ (Microsoft Excel)
>65 string ZIVM (compress (.Z))
>65 string ZSYS (Pre-System 7 system file)
>65 string acf3 (Aldus FreeHand)
>65 string cdev (control panel)
>65 string dfil (Desk Acessory suitcase)
>65 string libr (library)
>65 string nX^d (WriteNow word processor)
>65 string nX^w (WriteNow dictionary)
>65 string rsrc (resource)
>65 string scbk (Scrapbook)
>65 string shlb (shared library)
>65 string ttro (SimpleText read-only)
>65 string zsys (system file)
>69 string x \b, creator "%4.4s"
# Somewhere, Apple has a repository of registered Creator IDs. These are
# just the ones that I happened to have files from and was able to identify.
>69 string 8BIM (Adobe Photoshop)
>69 string ALD3 (PageMaker 3)
>69 string ALD4 (PageMaker 4)
>69 string ALFA (Alpha editor)
>69 string APLS (Apple Scanner)
>69 string APSC (Apple Scanner)
>69 string BRKL (Brickles)
>69 string BTFT (BitFont)
>69 string CCL2 (Common Lisp 2)
>69 string CCL\ (Common Lisp)
>69 string CDmo (The Talking Moose)
>69 string CPCT (Compact Pro)
>69 string CSOm (Eudora)
>69 string DMOV (Font/DA Mover)
>69 string DSIM (DigSim)
>69 string EDIT (Macintosh Edit)
>69 string ERIK (Macintosh Finder)
>69 string EXTR (self-extracting archive)
>69 string Gzip (GNU gzip)
>69 string KAHL (Think C)
>69 string LWFU (LaserWriter Utility)
>69 string LZIV (compress)
>69 string MACA (MacWrite)
>69 string MACS (Macintosh operating system)
>69 string MAcK (MacKnowledge terminal emulator)
>69 string MLND (Defender)
>69 string MPNT (MacPaint)
>69 string MSBB (Microsoft BASIC (binary))
>69 string MSWD (Microsoft Word)
>69 string NCSA (NCSA Telnet)
>69 string PJMM (Think Pascal)
>69 string PSAL (Hunt the Wumpus)
>69 string PSI2 (Apple File Exchange)
>69 string R*ch (BBEdit)
>69 string RMKR (Resource Maker)
>69 string RSED (Resource Editor)
>69 string Rich (BBEdit)
>69 string SIT! (StuffIt)
>69 string SPNT (SuperPaint)
>69 string Unix (NeXT Mac filesystem)
>69 string VIM! (Vim editor)
>69 string WILD (HyperCard)
>69 string XCEL (Microsoft Excel)
>69 string aCa2 (Fontographer)
>69 string aca3 (Aldus FreeHand)
>69 string dosa (Macintosh MS-DOS file system)
>69 string movr (Font/DA Mover)
>69 string nX^n (WriteNow)
>69 string pdos (Apple ProDOS file system)
>69 string scbk (Scrapbook)
>69 string ttxt (SimpleText)
>69 string ufox (Foreign File Access)
# Just in case...
102 string mBIN MacBinary III data with surprising versi
on number
# sas magic from Bruce Foster (bef@nwu.edu)
#
#0 string SAS SAS
#>8 string x %s
0 string SAS SAS
>24 string DATA data file
>24 string CATALOG catalog
>24 string INDEX data file index
>24 string VIEW data view
# spss magic for SPSS system and portable files,
# from Bruce Foster (bef@nwu.edu).
0 long 0xc1e2c3c9 SPSS Portable File
>40 string x %s
0 string $FL2 SPSS System File
>24 string x %s
#------------------------------------------------------------------------------
# magic: file(1) magic for magic files
#
0 string #\ Magic magic text file for file(1) cmd
#------------------------------------------------------------------------------
# mail.news: file(1) magic for mail and news
#
# Unfortunately, saved netnews also has From line added in some news software.
#0 string From mail text
# There are tests to ascmagic.c to cope with mail and news.
0 string Relay-Version: old news text
0 string #!\ rnews batched news text
0 string N#!\ rnews mailed, batched news text
0 string Forward\ to mail forwarding text
0 string Pipe\ to mail piping text
0 string Return-Path: smtp mail text
0 string Path: news text
0 string Xref: news text
0 string From: news or mail text
0 string Article saved news text
0 string BABYL Emacs RMAIL text
0 string Received: RFC 822 mail text
0 string MIME-Version: MIME entity text
#0 string Content- MIME entity text
# TNEF files...
0 lelong 0x223E9F78 Transport Neutral Encapsulation Format
#------------------------------------------------------------------------------
# maple: file(1) magic for maple files
# "H. Nanosecond"
# Maple V release 4, a multi-purpose math program
#
# maple library .lib
0 string \000MVR4\nI MapleVr4 library
# .ind
# no magic for these :-(
# they are compiled indexes for maple files
# .hdb
0 string \000\004\000\000 Maple help database
# .mhp
# this has the form
0 string \9 string >\0 version %.1s.
>>10 string
>>>11 string >\0 %.1s
# .mps
0 string \0\0\001$ Maple something
# from byte 4 it is either 'nul E' or 'soh R'
# I think 'nul E' means a file that was saved as a different name
# a sort of revision marking
# 'soh R' means new
>4 string \000\105 An old revision
>4 string \001\122 The latest save
# .mpl
# some of these are the same as .mps above
#0000000 000 000 001 044 000 105 same as .mps
#0000000 000 000 001 044 001 122 same as .mps
0 string #\n##\ Maple something anomalous.
#------------------------------------------------------------------------------
# mathematica: file(1) magic for mathematica files
# "H. Nanosecond"
# Mathematica a multi-purpose math program
# versions 2.2 and 3.0
#mathematica .mb
0 string \064\024\012\000\035\000\000\000 Mathematica version 2 no
tebook
0 string \064\024\011\000\035\000\000\000 Mathematica version 2 no
tebook
# .ma
# multiple possibilites:
0 string (*^\n\n::[\011frontEndVersion\ =\ Mathematica notebook
#>41 string >\0 %s
#0 string (*^\n\n::[\011palette Mathematica notebook version 2.x
#0 string (*^\n\n::[\011Information Mathematica notebook version 2.x
#>675 string >\0 %s #doesn't work well
# there may be 'cr' instread of 'nl' in some does this matter?
# generic:
0 string (*^\r\r::[\011 Mathematica notebook version 2.x
0 string \(\*\^\r\n\r\n\:\:\[\011 Mathematica notebook version 2.x
0 string (*^\015 Mathematica notebook version 2.x
0 string (*^\n\r\n\r::[\011 Mathematica notebook version 2.x
0 string (*^\r::[\011 Mathematica notebook version 2.x
0 string (*^\r\n::[\011 Mathematica notebook version 2.x
0 string (*^\n\n::[\011 Mathematica notebook version 2.x
0 string (*^\n::[\011 Mathematica notebook version 2.x
# Mathematica .mx files
#0 string (*This\ is\ a\ Mathematica\ binary\ dump\ file.\ It\ can\ be\ lo
aded\ with