1
2#------------------------------------------------------------------------------
3# archive: file(1) magic for archive formats (see also "msdos" for self-
4# extracting compressed archives)
5#
6# cpio, ar, arc, arj, hpack, lha/lharc, rar, squish, uc2, zip, zoo, etc.
7# pre-POSIX "tar" archives are handled in the C code.
8
9# POSIX tar archives
10257 string ustar\0 POSIX tar archive
11257 string ustar\040\040\0 GNU tar archive
12
13# cpio archives
14#
15# Yes, the top two "cpio archive" formats *are* supposed to just be "short".
16# The idea is to indicate archives produced on machines with the same
17# byte order as the machine running "file" with "cpio archive", and
18# to indicate archives produced on machines with the opposite byte order
19# from the machine running "file" with "byte-swapped cpio archive".
20#
21# The SVR4 "cpio(4)" hints that there are additional formats, but they
22# are defined as "short"s; I think all the new formats are
23# character-header formats and thus are strings, not numbers.
240 short 070707 cpio archive
250 short 0143561 byte-swapped cpio archive
260 string 070707 ASCII cpio archive (pre-SVR4 or odc)
270 string 070701 ASCII cpio archive (SVR4 with no CRC)
280 string 070702 ASCII cpio archive (SVR4 with CRC)
29
30# Debian package (needs to go before regular portable archives)
31#
320 string =!<arch>\ndebian
33>8 string debian-split part of multipart Debian package
34>8 string debian-binary Debian binary package
35>68 string >\0 (format %s)
36# These next two lines do not work, because a bzip2 Debian archive
37# still uses gzip for the control.tar (first in the archive). Only
38# data.tar varies, and the location of its filename varies too.
39# file/libmagic does not current have support for ascii-string based
40# (offsets) as of 2005-09-15.
41#>81 string bz2 \b, uses bzip2 compression
42#>84 string gz \b, uses gzip compression
43#>136 ledate x created: %s
44
45# other archives
460 long 0177555 very old archive
470 short 0177555 very old PDP-11 archive
480 long 0177545 old archive
490 short 0177545 old PDP-11 archive
500 long 0100554 apl workspace
510 string =<ar> archive
52
53# MIPS archive (needs to go before regular portable archives)
54#
550 string =!<arch>\n__________E MIPS archive
56>20 string U with MIPS Ucode members
57>21 string L with MIPSEL members
58>21 string B with MIPSEB members
59>19 string L and an EL hash table
60>19 string B and an EB hash table
61>22 string X -- out of date
62
630 string -h- Software Tools format archive text
64
65#
66# XXX - why are there multiple <ar> thingies? Note that 0x213c6172 is
67# "!<ar", so, for new-style (4.xBSD/SVR2andup) archives, we have:
68#
69# 0 string =!<arch> current ar archive
70# 0 long 0x213c6172 archive file
71#
72# and for SVR1 archives, we have:
73#
74# 0 string \<ar> System V Release 1 ar archive
75# 0 string =<ar> archive
76#
77# XXX - did Aegis really store shared libraries, breakpointed modules,
78# and absolute code program modules in the same format as new-style
79# "ar" archives?
80#
810 string =!<arch> current ar archive
82>8 string __.SYMDEF random library
83>0 belong =65538 - pre SR9.5
84>0 belong =65539 - post SR9.5
85>0 beshort 2 - object archive
86>0 beshort 3 - shared library module
87>0 beshort 4 - debug break-pointed module
88>0 beshort 5 - absolute code program module
890 string \<ar> System V Release 1 ar archive
900 string =<ar> archive
91#
92# XXX - from "vax", which appears to collect a bunch of byte-swapped
93# thingies, to help you recognize VAX files on big-endian machines;
94# with "leshort", "lelong", and "string", that's no longer necessary....
95#
960 belong 0x65ff0000 VAX 3.0 archive
970 belong 0x3c61723e VAX 5.0 archive
98#
990 long 0x213c6172 archive file
1000 lelong 0177555 very old VAX archive
1010 leshort 0177555 very old PDP-11 archive
102#
103# XXX - "pdp" claims that 0177545 can have an __.SYMDEF member and thus
104# be a random library (it said 0xff65 rather than 0177545).
105#
1060 lelong 0177545 old VAX archive
107>8 string __.SYMDEF random library
1080 leshort 0177545 old PDP-11 archive
109>8 string __.SYMDEF random library
110#
111# From "pdp" (but why a 4-byte quantity?)
112#
1130 lelong 0x39bed PDP-11 old archive
1140 lelong 0x39bee PDP-11 4.0 archive
115
116# ARC archiver, from Daniel Quinlan (quinlan@yggdrasil.com)
117#
118# The first byte is the magic (0x1a), byte 2 is the compression type for
119# the first file (0x01 through 0x09), and bytes 3 to 15 are the MS-DOS
120# filename of the first file (null terminated). Since some types collide
121# we only test some types on basis of frequency: 0x08 (83%), 0x09 (5%),
122# 0x02 (5%), 0x03 (3%), 0x04 (2%), 0x06 (2%). 0x01 collides with terminfo.
1230 lelong&0x8080ffff 0x0000081a ARC archive data, dynamic LZW
1240 lelong&0x8080ffff 0x0000091a ARC archive data, squashed
1250 lelong&0x8080ffff 0x0000021a ARC archive data, uncompressed
1260 lelong&0x8080ffff 0x0000031a ARC archive data, packed
1270 lelong&0x8080ffff 0x0000041a ARC archive data, squeezed
1280 lelong&0x8080ffff 0x0000061a ARC archive data, crunched
129# [JW] stuff taken from idarc, obviously ARC successors:
1300 lelong&0x8080ffff 0x00000a1a PAK archive data
1310 lelong&0x8080ffff 0x0000141a ARC+ archive data
1320 lelong&0x8080ffff 0x0000481a HYP archive data
133
134# Acorn archive formats (Disaster prone simpleton, m91dps@ecs.ox.ac.uk)
135# I can't create either SPARK or ArcFS archives so I have not tested this stuff
136# [GRR: the original entries collide with ARC, above; replaced with combined
137# version (not tested)]
138#0 byte 0x1a RISC OS archive (spark format)
1390 string \032archive RISC OS archive (ArcFS format)
1400 string Archive\000 RISC OS archive (ArcFS format)
141
142# All these were taken from idarc, many could not be verified. Unfortunately,
143# there were many low-quality sigs, i.e. easy to trigger false positives.
144# Please notify me of any real-world fishy/ambiguous signatures and I'll try
145# to get my hands on the actual archiver and see if I find something better. [JW]
146# probably many can be enhanced by finding some 0-byte or control char near the start
147
148# idarc calls this Crush/Uncompressed... *shrug*
1490 string CRUSH Crush archive data
150# Squeeze It (.sqz)
1510 string HLSQZ Squeeze It archive data
152# SQWEZ
1530 string SQWEZ SQWEZ archive data
154# HPack (.hpk)
1550 string HPAK HPack archive data
156# HAP
1570 string \x91\x33HF HAP archive data
158# MD/MDCD
1590 string MDmd MDCD archive data
160# LIM
1610 string LIM\x1a LIM archive data
162# SAR
1633 string LH5 SAR archive data
164# BSArc/BS2
1650 string \212\3SB \0 BSArc/BS2 archive data
166# MAR
1672 string =-ah MAR archive data
168# ACB
1690 belong&0x00f800ff 0x00800000 ACB archive data
170# CPZ
171# TODO, this is what idarc says: 0 string \0\0\0 CPZ archive data
172# JRC
1730 string JRchive JRC archive data
174# Quantum
1750 string DS\0 Quantum archive data
176# ReSOF
1770 string PK\3\6 ReSOF archive data
178# QuArk
1790 string 7\4 QuArk archive data
180# YAC
18114 string YC YAC archive data
182# X1
1830 string X1 X1 archive data
1840 string XhDr X1 archive data
185# CDC Codec (.dqt)
1860 belong&0xffffe000 0x76ff2000 CDC Codec archive data
187# AMGC
1880 string \xad6" AMGC archive data
189# NuLIB
1900 string N��F��l�� NuLIB archive data
191# PakLeo
1920 string LEOLZW PAKLeo archive data
193# ChArc
1940 string SChF ChArc archive data
195# PSA
1960 string PSA PSA archive data
197# CrossePAC
1980 string DSIGDCC CrossePAC archive data
199# Freeze
2000 string \x1f\x9f\x4a\x10\x0a Freeze archive data
201# KBoom
2020 string ��MP�� KBoom archive data
203# NSQ, must go after CDC Codec
2040 string \x76\xff NSQ archive data
205# DPA
2060 string Dirk\ Paehl DPA archive data
207# BA
208# TODO: idarc says "bytes 0-2 == bytes 3-5"
209# TTComp
2100 string \0\6 TTComp archive data
211# ESP, could this conflict with Easy Software Products' (e.g.ESP ghostscript) documentation?
2120 string ESP ESP archive data
213# ZPack
2140 string \1ZPK\1 ZPack archive data
215# Sky
2160 string \xbc\x40 Sky archive data
217# UFA
2180 string UFA UFA archive data
219# Dry
2200 string =-H2O DRY archive data
221# FoxSQZ
2220 string FOXSQZ FoxSQZ archive data
223# AR7
2240 string ,AR7 AR7 archive data
225# PPMZ
2260 string PPMZ PPMZ archive data
227# MS Compress
2284 string \x88\xf0\x27 MS Compress archive data
229# updated by Joerg Jenderek
230>9 string \0
231>>0 string KWAJ
232>>>7 string \321\003 MS Compress archive data
233>>>>14 ulong >0 \b, original size: %ld bytes
234>>>>18 ubyte >0x65
235>>>>>18 string x \b, was %.8s
236>>>>>(10.b-4) string x \b.%.3s
237# MP3 (archiver, not lossy audio compression)
2380 string MP3\x1a MP3-Archiver archive data
239# ZET
2400 string OZ�� ZET archive data
241# TSComp
2420 string \x65\x5d\x13\x8c\x08\x01\x03\x00 TSComp archive data
243# ARQ
2440 string gW\4\1 ARQ archive data
245# Squash
2463 string OctSqu Squash archive data
247# Terse
2480 string \5\1\1\0 Terse archive data
249# PUCrunch
2500 string \x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 PUCrunch archive data
251# UHarc
2520 string UHA UHarc archive data
253# ABComp
2540 string \2AB ABComp archive data
2550 string \3AB2 ABComp archive data
256# CMP
2570 string CO\0 CMP archive data
258# Splint
2590 string \x93\xb9\x06 Splint archive data
260# InstallShield
2610 string \x13\x5d\x65\x8c InstallShield Z archive Data
262# Gather
2631 string GTH Gather archive data
264# BOA
2650 string BOA BOA archive data
266# RAX
2670 string ULEB\xa RAX archive data
268# Xtreme
2690 string ULEB\0 Xtreme archive data
270# Pack Magic
2710 string @��\1\0 Pack Magic archive data
272# BTS
2730 belong&0xfeffffff 0x1a034465 BTS archive data
274# ELI 5750
2750 string Ora\ ELI 5750 archive data
276# QFC
2770 string \x1aFC\x1a QFC archive data
2780 string \x1aQF\x1a QFC archive data
279# PRO-PACK
2800 string RNC PRO-PACK archive data
281# 777
2820 string 777 777 archive data
283# LZS221
2840 string sTaC LZS221 archive data
285# HPA
2860 string HPA HPA archive data
287# Arhangel
2880 string LG Arhangel archive data
289# EXP1, uses bzip2
2900 string 0123456789012345BZh EXP1 archive data
291# IMP
2920 string IMP\xa IMP archive data
293# NRV
2940 string \x00\x9E\x6E\x72\x76\xFF NRV archive data
295# Squish
2960 string \x73\xb2\x90\xf4 Squish archive data
297# Par
2980 string PHILIPP Par archive data
2990 string PAR Par archive data
300# HIT
3010 string UB HIT archive data
302# SBX
3030 belong&0xfffff000 0x53423000 SBX archive data
304# NaShrink
3050 string NSK NaShrink archive data
306# SAPCAR
3070 string #\ CAR\ archive\ header SAPCAR archive data
3080 string CAR\ 2.00RG SAPCAR archive data
309# Disintegrator
3100 string DST Disintegrator archive data
311# ASD
3120 string ASD ASD archive data
313# InstallShield CAB
3140 string ISc( InstallShield CAB
315# TOP4
3160 string T4\x1a TOP4 archive data
317# BatComp left out: sig looks like COM executable
318# so TODO: get real 4dos batcomp file and find sig
319# BlakHole
3200 string BH\5\7 BlakHole archive data
321# BIX
3220 string BIX0 BIX archive data
323# ChiefLZA
3240 string ChfLZ ChiefLZA archive data
325# Blink
3260 string Blink Blink archive data
327# Logitech Compress
3280 string \xda\xfa Logitech Compress archive data
329# ARS-Sfx (FIXME: really a SFX? then goto COM/EXE)
3301 string (C)\ STEPANYUK ARS-Sfx archive data
331# AKT/AKT32
3320 string AKT32 AKT32 archive data
3330 string AKT AKT archive data
334# NPack
3350 string MSTSM NPack archive data
336# PFT
3370 string \0\x50\0\x14 PFT archive data
338# SemOne
3390 string SEM SemOne archive data
340# PPMD
3410 string \x8f\xaf\xac\x84 PPMD archive data
342# FIZ
3430 string FIZ FIZ archive data
344# MSXiE
3450 belong&0xfffff0f0 0x4d530000 MSXiE archive data
346# DeepFreezer
3470 belong&0xfffffff0 0x797a3030 DeepFreezer archive data
348# DC
3490 string =<DC- DC archive data
350# TPac
3510 string \4TPAC\3 TPac archive data
352# Ai
3530 string Ai\1\1\0 Ai archive data
3540 string Ai\1\0\0 Ai archive data
355# Ai32
3560 string Ai\2\0 Ai32 archive data
3570 string Ai\2\1 Ai32 archive data
358# SBC
3590 string SBC SBC archive data
360# Ybs
3610 string YBS Ybs archive data
362# DitPack
3630 string \x9e\0\0 DitPack archive data
364# DMS
3650 string DMS! DMS archive data
366# EPC
3670 string \x8f\xaf\xac\x8c EPC archive data
368# VSARC
3690 string VS\x1a VSARC archive data
370# PDZ
3710 string PDZ PDZ archive data
372# ReDuq
3730 string rdqx ReDuq archive data
374# GCA
3750 string GCAX GCA archive data
376# PPMN
3770 string pN PPMN archive data
378# WinImage
3793 string WINIMAGE WinImage archive data
380# Compressia
3810 string CMP0CMP Compressia archive data
382# UHBC
3830 string UHB UHBC archive data
384# WinHKI
3850 string \x61\x5C\x04\x05 WinHKI archive data
386# WWPack data file
3870 string WWP WWPack archive data
388# BSN (BSA, PTS-DOS)
3890 string \xffBSG BSN archive data
3901 string \xffBSG BSN archive data
3913 string \xffBSG BSN archive data
3921 string \0\xae\2 BSN archive data
3931 string \0\xae\3 BSN archive data
3941 string \0\xae\7 BSN archive data
395# AIN
3960 string \x33\x18 AIN archive data
3970 string \x33\x17 AIN archive data
398# XPA32
3990 string xpa\0\1 XPA32 archive data
400# SZip (TODO: doesn't catch all versions)
4010 string SZ\x0a\4 SZip archive data
402# XPack DiskImage
4030 string jm XPack DiskImage archive data
404# XPack Data
4050 string xpa XPack archive data
406# XPack Single Data
4070 string ��\ jm XPack single archive data
408
409# TODO: missing due to unknown magic/magic at end of file:
410#DWC
411#ARG
412#ZAR
413#PC/3270
414#InstallIt
415#RKive
416#RK
417#XPack Diskimage
418
419# These were inspired by idarc, but actually verified
420# Dzip archiver (.dz)
4210 string DZ Dzip archive data
422>2 byte x \b, version %i
423>3 byte x \b.%i
424# ZZip archiver (.zz)
4250 string ZZ\ \0\0 ZZip archive data
4260 string ZZ0 ZZip archive data
427# PAQ archiver (.paq)
4280 string \xaa\x40\x5f\x77\x1f\xe5\x82\x0d PAQ archive data
4290 string PAQ PAQ archive data
430>3 byte&0xf0 0x30
431>>3 byte x (v%c)
432# JAR archiver (.j), this is the successor to ARJ, not Java's JAR (which is essentially ZIP)
4330xe string \x1aJar\x1b JAR (ARJ Software, Inc.) archive data
4340 string JARCS JAR (ARJ Software, Inc.) archive data
435
436# ARJ archiver (jason@jarthur.Claremont.EDU)
4370 leshort 0xea60 ARJ archive data
438>5 byte x \b, v%d,
439>8 byte &0x04 multi-volume,
440>8 byte &0x10 slash-switched,
441>8 byte &0x20 backup,
442>34 string x original name: %s,
443>7 byte 0 os: MS-DOS
444>7 byte 1 os: PRIMOS
445>7 byte 2 os: Unix
446>7 byte 3 os: Amiga
447>7 byte 4 os: Macintosh
448>7 byte 5 os: OS/2
449>7 byte 6 os: Apple ][ GS
450>7 byte 7 os: Atari ST
451>7 byte 8 os: NeXT
452>7 byte 9 os: VAX/VMS
453>3 byte >0 %d]
454# [JW] idarc says this is also possible
4552 leshort 0xea60 ARJ archive data
456
457# HA archiver (Greg Roelofs, newt@uchicago.edu)
458# This is a really bad format. A file containing HAWAII will match this...
459#0 string HA HA archive data,
460#>2 leshort =1 1 file,
461#>2 leshort >1 %u files,
462#>4 byte&0x0f =0 first is type CPY
463#>4 byte&0x0f =1 first is type ASC
464#>4 byte&0x0f =2 first is type HSC
465#>4 byte&0x0f =0x0e first is type DIR
466#>4 byte&0x0f =0x0f first is type SPECIAL
467# suggestion: at least identify small archives (<1024 files)
4680 belong&0xffff00fc 0x48410000 HA archive data
469>2 leshort =1 1 file,
470>2 leshort >1 %u files,
471>4 byte&0x0f =0 first is type CPY
472>4 byte&0x0f =1 first is type ASC
473>4 byte&0x0f =2 first is type HSC
474>4 byte&0x0f =0x0e first is type DIR
475>4 byte&0x0f =0x0f first is type SPECIAL
476
477# HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz)
4780 string HPAK HPACK archive data
479
480# JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net
| 1
2#------------------------------------------------------------------------------
3# archive: file(1) magic for archive formats (see also "msdos" for self-
4# extracting compressed archives)
5#
6# cpio, ar, arc, arj, hpack, lha/lharc, rar, squish, uc2, zip, zoo, etc.
7# pre-POSIX "tar" archives are handled in the C code.
8
9# POSIX tar archives
10257 string ustar\0 POSIX tar archive
11257 string ustar\040\040\0 GNU tar archive
12
13# cpio archives
14#
15# Yes, the top two "cpio archive" formats *are* supposed to just be "short".
16# The idea is to indicate archives produced on machines with the same
17# byte order as the machine running "file" with "cpio archive", and
18# to indicate archives produced on machines with the opposite byte order
19# from the machine running "file" with "byte-swapped cpio archive".
20#
21# The SVR4 "cpio(4)" hints that there are additional formats, but they
22# are defined as "short"s; I think all the new formats are
23# character-header formats and thus are strings, not numbers.
240 short 070707 cpio archive
250 short 0143561 byte-swapped cpio archive
260 string 070707 ASCII cpio archive (pre-SVR4 or odc)
270 string 070701 ASCII cpio archive (SVR4 with no CRC)
280 string 070702 ASCII cpio archive (SVR4 with CRC)
29
30# Debian package (needs to go before regular portable archives)
31#
320 string =!<arch>\ndebian
33>8 string debian-split part of multipart Debian package
34>8 string debian-binary Debian binary package
35>68 string >\0 (format %s)
36# These next two lines do not work, because a bzip2 Debian archive
37# still uses gzip for the control.tar (first in the archive). Only
38# data.tar varies, and the location of its filename varies too.
39# file/libmagic does not current have support for ascii-string based
40# (offsets) as of 2005-09-15.
41#>81 string bz2 \b, uses bzip2 compression
42#>84 string gz \b, uses gzip compression
43#>136 ledate x created: %s
44
45# other archives
460 long 0177555 very old archive
470 short 0177555 very old PDP-11 archive
480 long 0177545 old archive
490 short 0177545 old PDP-11 archive
500 long 0100554 apl workspace
510 string =<ar> archive
52
53# MIPS archive (needs to go before regular portable archives)
54#
550 string =!<arch>\n__________E MIPS archive
56>20 string U with MIPS Ucode members
57>21 string L with MIPSEL members
58>21 string B with MIPSEB members
59>19 string L and an EL hash table
60>19 string B and an EB hash table
61>22 string X -- out of date
62
630 string -h- Software Tools format archive text
64
65#
66# XXX - why are there multiple <ar> thingies? Note that 0x213c6172 is
67# "!<ar", so, for new-style (4.xBSD/SVR2andup) archives, we have:
68#
69# 0 string =!<arch> current ar archive
70# 0 long 0x213c6172 archive file
71#
72# and for SVR1 archives, we have:
73#
74# 0 string \<ar> System V Release 1 ar archive
75# 0 string =<ar> archive
76#
77# XXX - did Aegis really store shared libraries, breakpointed modules,
78# and absolute code program modules in the same format as new-style
79# "ar" archives?
80#
810 string =!<arch> current ar archive
82>8 string __.SYMDEF random library
83>0 belong =65538 - pre SR9.5
84>0 belong =65539 - post SR9.5
85>0 beshort 2 - object archive
86>0 beshort 3 - shared library module
87>0 beshort 4 - debug break-pointed module
88>0 beshort 5 - absolute code program module
890 string \<ar> System V Release 1 ar archive
900 string =<ar> archive
91#
92# XXX - from "vax", which appears to collect a bunch of byte-swapped
93# thingies, to help you recognize VAX files on big-endian machines;
94# with "leshort", "lelong", and "string", that's no longer necessary....
95#
960 belong 0x65ff0000 VAX 3.0 archive
970 belong 0x3c61723e VAX 5.0 archive
98#
990 long 0x213c6172 archive file
1000 lelong 0177555 very old VAX archive
1010 leshort 0177555 very old PDP-11 archive
102#
103# XXX - "pdp" claims that 0177545 can have an __.SYMDEF member and thus
104# be a random library (it said 0xff65 rather than 0177545).
105#
1060 lelong 0177545 old VAX archive
107>8 string __.SYMDEF random library
1080 leshort 0177545 old PDP-11 archive
109>8 string __.SYMDEF random library
110#
111# From "pdp" (but why a 4-byte quantity?)
112#
1130 lelong 0x39bed PDP-11 old archive
1140 lelong 0x39bee PDP-11 4.0 archive
115
116# ARC archiver, from Daniel Quinlan (quinlan@yggdrasil.com)
117#
118# The first byte is the magic (0x1a), byte 2 is the compression type for
119# the first file (0x01 through 0x09), and bytes 3 to 15 are the MS-DOS
120# filename of the first file (null terminated). Since some types collide
121# we only test some types on basis of frequency: 0x08 (83%), 0x09 (5%),
122# 0x02 (5%), 0x03 (3%), 0x04 (2%), 0x06 (2%). 0x01 collides with terminfo.
1230 lelong&0x8080ffff 0x0000081a ARC archive data, dynamic LZW
1240 lelong&0x8080ffff 0x0000091a ARC archive data, squashed
1250 lelong&0x8080ffff 0x0000021a ARC archive data, uncompressed
1260 lelong&0x8080ffff 0x0000031a ARC archive data, packed
1270 lelong&0x8080ffff 0x0000041a ARC archive data, squeezed
1280 lelong&0x8080ffff 0x0000061a ARC archive data, crunched
129# [JW] stuff taken from idarc, obviously ARC successors:
1300 lelong&0x8080ffff 0x00000a1a PAK archive data
1310 lelong&0x8080ffff 0x0000141a ARC+ archive data
1320 lelong&0x8080ffff 0x0000481a HYP archive data
133
134# Acorn archive formats (Disaster prone simpleton, m91dps@ecs.ox.ac.uk)
135# I can't create either SPARK or ArcFS archives so I have not tested this stuff
136# [GRR: the original entries collide with ARC, above; replaced with combined
137# version (not tested)]
138#0 byte 0x1a RISC OS archive (spark format)
1390 string \032archive RISC OS archive (ArcFS format)
1400 string Archive\000 RISC OS archive (ArcFS format)
141
142# All these were taken from idarc, many could not be verified. Unfortunately,
143# there were many low-quality sigs, i.e. easy to trigger false positives.
144# Please notify me of any real-world fishy/ambiguous signatures and I'll try
145# to get my hands on the actual archiver and see if I find something better. [JW]
146# probably many can be enhanced by finding some 0-byte or control char near the start
147
148# idarc calls this Crush/Uncompressed... *shrug*
1490 string CRUSH Crush archive data
150# Squeeze It (.sqz)
1510 string HLSQZ Squeeze It archive data
152# SQWEZ
1530 string SQWEZ SQWEZ archive data
154# HPack (.hpk)
1550 string HPAK HPack archive data
156# HAP
1570 string \x91\x33HF HAP archive data
158# MD/MDCD
1590 string MDmd MDCD archive data
160# LIM
1610 string LIM\x1a LIM archive data
162# SAR
1633 string LH5 SAR archive data
164# BSArc/BS2
1650 string \212\3SB \0 BSArc/BS2 archive data
166# MAR
1672 string =-ah MAR archive data
168# ACB
1690 belong&0x00f800ff 0x00800000 ACB archive data
170# CPZ
171# TODO, this is what idarc says: 0 string \0\0\0 CPZ archive data
172# JRC
1730 string JRchive JRC archive data
174# Quantum
1750 string DS\0 Quantum archive data
176# ReSOF
1770 string PK\3\6 ReSOF archive data
178# QuArk
1790 string 7\4 QuArk archive data
180# YAC
18114 string YC YAC archive data
182# X1
1830 string X1 X1 archive data
1840 string XhDr X1 archive data
185# CDC Codec (.dqt)
1860 belong&0xffffe000 0x76ff2000 CDC Codec archive data
187# AMGC
1880 string \xad6" AMGC archive data
189# NuLIB
1900 string N��F��l�� NuLIB archive data
191# PakLeo
1920 string LEOLZW PAKLeo archive data
193# ChArc
1940 string SChF ChArc archive data
195# PSA
1960 string PSA PSA archive data
197# CrossePAC
1980 string DSIGDCC CrossePAC archive data
199# Freeze
2000 string \x1f\x9f\x4a\x10\x0a Freeze archive data
201# KBoom
2020 string ��MP�� KBoom archive data
203# NSQ, must go after CDC Codec
2040 string \x76\xff NSQ archive data
205# DPA
2060 string Dirk\ Paehl DPA archive data
207# BA
208# TODO: idarc says "bytes 0-2 == bytes 3-5"
209# TTComp
2100 string \0\6 TTComp archive data
211# ESP, could this conflict with Easy Software Products' (e.g.ESP ghostscript) documentation?
2120 string ESP ESP archive data
213# ZPack
2140 string \1ZPK\1 ZPack archive data
215# Sky
2160 string \xbc\x40 Sky archive data
217# UFA
2180 string UFA UFA archive data
219# Dry
2200 string =-H2O DRY archive data
221# FoxSQZ
2220 string FOXSQZ FoxSQZ archive data
223# AR7
2240 string ,AR7 AR7 archive data
225# PPMZ
2260 string PPMZ PPMZ archive data
227# MS Compress
2284 string \x88\xf0\x27 MS Compress archive data
229# updated by Joerg Jenderek
230>9 string \0
231>>0 string KWAJ
232>>>7 string \321\003 MS Compress archive data
233>>>>14 ulong >0 \b, original size: %ld bytes
234>>>>18 ubyte >0x65
235>>>>>18 string x \b, was %.8s
236>>>>>(10.b-4) string x \b.%.3s
237# MP3 (archiver, not lossy audio compression)
2380 string MP3\x1a MP3-Archiver archive data
239# ZET
2400 string OZ�� ZET archive data
241# TSComp
2420 string \x65\x5d\x13\x8c\x08\x01\x03\x00 TSComp archive data
243# ARQ
2440 string gW\4\1 ARQ archive data
245# Squash
2463 string OctSqu Squash archive data
247# Terse
2480 string \5\1\1\0 Terse archive data
249# PUCrunch
2500 string \x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 PUCrunch archive data
251# UHarc
2520 string UHA UHarc archive data
253# ABComp
2540 string \2AB ABComp archive data
2550 string \3AB2 ABComp archive data
256# CMP
2570 string CO\0 CMP archive data
258# Splint
2590 string \x93\xb9\x06 Splint archive data
260# InstallShield
2610 string \x13\x5d\x65\x8c InstallShield Z archive Data
262# Gather
2631 string GTH Gather archive data
264# BOA
2650 string BOA BOA archive data
266# RAX
2670 string ULEB\xa RAX archive data
268# Xtreme
2690 string ULEB\0 Xtreme archive data
270# Pack Magic
2710 string @��\1\0 Pack Magic archive data
272# BTS
2730 belong&0xfeffffff 0x1a034465 BTS archive data
274# ELI 5750
2750 string Ora\ ELI 5750 archive data
276# QFC
2770 string \x1aFC\x1a QFC archive data
2780 string \x1aQF\x1a QFC archive data
279# PRO-PACK
2800 string RNC PRO-PACK archive data
281# 777
2820 string 777 777 archive data
283# LZS221
2840 string sTaC LZS221 archive data
285# HPA
2860 string HPA HPA archive data
287# Arhangel
2880 string LG Arhangel archive data
289# EXP1, uses bzip2
2900 string 0123456789012345BZh EXP1 archive data
291# IMP
2920 string IMP\xa IMP archive data
293# NRV
2940 string \x00\x9E\x6E\x72\x76\xFF NRV archive data
295# Squish
2960 string \x73\xb2\x90\xf4 Squish archive data
297# Par
2980 string PHILIPP Par archive data
2990 string PAR Par archive data
300# HIT
3010 string UB HIT archive data
302# SBX
3030 belong&0xfffff000 0x53423000 SBX archive data
304# NaShrink
3050 string NSK NaShrink archive data
306# SAPCAR
3070 string #\ CAR\ archive\ header SAPCAR archive data
3080 string CAR\ 2.00RG SAPCAR archive data
309# Disintegrator
3100 string DST Disintegrator archive data
311# ASD
3120 string ASD ASD archive data
313# InstallShield CAB
3140 string ISc( InstallShield CAB
315# TOP4
3160 string T4\x1a TOP4 archive data
317# BatComp left out: sig looks like COM executable
318# so TODO: get real 4dos batcomp file and find sig
319# BlakHole
3200 string BH\5\7 BlakHole archive data
321# BIX
3220 string BIX0 BIX archive data
323# ChiefLZA
3240 string ChfLZ ChiefLZA archive data
325# Blink
3260 string Blink Blink archive data
327# Logitech Compress
3280 string \xda\xfa Logitech Compress archive data
329# ARS-Sfx (FIXME: really a SFX? then goto COM/EXE)
3301 string (C)\ STEPANYUK ARS-Sfx archive data
331# AKT/AKT32
3320 string AKT32 AKT32 archive data
3330 string AKT AKT archive data
334# NPack
3350 string MSTSM NPack archive data
336# PFT
3370 string \0\x50\0\x14 PFT archive data
338# SemOne
3390 string SEM SemOne archive data
340# PPMD
3410 string \x8f\xaf\xac\x84 PPMD archive data
342# FIZ
3430 string FIZ FIZ archive data
344# MSXiE
3450 belong&0xfffff0f0 0x4d530000 MSXiE archive data
346# DeepFreezer
3470 belong&0xfffffff0 0x797a3030 DeepFreezer archive data
348# DC
3490 string =<DC- DC archive data
350# TPac
3510 string \4TPAC\3 TPac archive data
352# Ai
3530 string Ai\1\1\0 Ai archive data
3540 string Ai\1\0\0 Ai archive data
355# Ai32
3560 string Ai\2\0 Ai32 archive data
3570 string Ai\2\1 Ai32 archive data
358# SBC
3590 string SBC SBC archive data
360# Ybs
3610 string YBS Ybs archive data
362# DitPack
3630 string \x9e\0\0 DitPack archive data
364# DMS
3650 string DMS! DMS archive data
366# EPC
3670 string \x8f\xaf\xac\x8c EPC archive data
368# VSARC
3690 string VS\x1a VSARC archive data
370# PDZ
3710 string PDZ PDZ archive data
372# ReDuq
3730 string rdqx ReDuq archive data
374# GCA
3750 string GCAX GCA archive data
376# PPMN
3770 string pN PPMN archive data
378# WinImage
3793 string WINIMAGE WinImage archive data
380# Compressia
3810 string CMP0CMP Compressia archive data
382# UHBC
3830 string UHB UHBC archive data
384# WinHKI
3850 string \x61\x5C\x04\x05 WinHKI archive data
386# WWPack data file
3870 string WWP WWPack archive data
388# BSN (BSA, PTS-DOS)
3890 string \xffBSG BSN archive data
3901 string \xffBSG BSN archive data
3913 string \xffBSG BSN archive data
3921 string \0\xae\2 BSN archive data
3931 string \0\xae\3 BSN archive data
3941 string \0\xae\7 BSN archive data
395# AIN
3960 string \x33\x18 AIN archive data
3970 string \x33\x17 AIN archive data
398# XPA32
3990 string xpa\0\1 XPA32 archive data
400# SZip (TODO: doesn't catch all versions)
4010 string SZ\x0a\4 SZip archive data
402# XPack DiskImage
4030 string jm XPack DiskImage archive data
404# XPack Data
4050 string xpa XPack archive data
406# XPack Single Data
4070 string ��\ jm XPack single archive data
408
409# TODO: missing due to unknown magic/magic at end of file:
410#DWC
411#ARG
412#ZAR
413#PC/3270
414#InstallIt
415#RKive
416#RK
417#XPack Diskimage
418
419# These were inspired by idarc, but actually verified
420# Dzip archiver (.dz)
4210 string DZ Dzip archive data
422>2 byte x \b, version %i
423>3 byte x \b.%i
424# ZZip archiver (.zz)
4250 string ZZ\ \0\0 ZZip archive data
4260 string ZZ0 ZZip archive data
427# PAQ archiver (.paq)
4280 string \xaa\x40\x5f\x77\x1f\xe5\x82\x0d PAQ archive data
4290 string PAQ PAQ archive data
430>3 byte&0xf0 0x30
431>>3 byte x (v%c)
432# JAR archiver (.j), this is the successor to ARJ, not Java's JAR (which is essentially ZIP)
4330xe string \x1aJar\x1b JAR (ARJ Software, Inc.) archive data
4340 string JARCS JAR (ARJ Software, Inc.) archive data
435
436# ARJ archiver (jason@jarthur.Claremont.EDU)
4370 leshort 0xea60 ARJ archive data
438>5 byte x \b, v%d,
439>8 byte &0x04 multi-volume,
440>8 byte &0x10 slash-switched,
441>8 byte &0x20 backup,
442>34 string x original name: %s,
443>7 byte 0 os: MS-DOS
444>7 byte 1 os: PRIMOS
445>7 byte 2 os: Unix
446>7 byte 3 os: Amiga
447>7 byte 4 os: Macintosh
448>7 byte 5 os: OS/2
449>7 byte 6 os: Apple ][ GS
450>7 byte 7 os: Atari ST
451>7 byte 8 os: NeXT
452>7 byte 9 os: VAX/VMS
453>3 byte >0 %d]
454# [JW] idarc says this is also possible
4552 leshort 0xea60 ARJ archive data
456
457# HA archiver (Greg Roelofs, newt@uchicago.edu)
458# This is a really bad format. A file containing HAWAII will match this...
459#0 string HA HA archive data,
460#>2 leshort =1 1 file,
461#>2 leshort >1 %u files,
462#>4 byte&0x0f =0 first is type CPY
463#>4 byte&0x0f =1 first is type ASC
464#>4 byte&0x0f =2 first is type HSC
465#>4 byte&0x0f =0x0e first is type DIR
466#>4 byte&0x0f =0x0f first is type SPECIAL
467# suggestion: at least identify small archives (<1024 files)
4680 belong&0xffff00fc 0x48410000 HA archive data
469>2 leshort =1 1 file,
470>2 leshort >1 %u files,
471>4 byte&0x0f =0 first is type CPY
472>4 byte&0x0f =1 first is type ASC
473>4 byte&0x0f =2 first is type HSC
474>4 byte&0x0f =0x0e first is type DIR
475>4 byte&0x0f =0x0f first is type SPECIAL
476
477# HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz)
4780 string HPAK HPACK archive data
479
480# JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net
|
482>7 string >\0 version %.4s
483>0x26 byte =0x27 -
484>>0x2b string >\0 label %.11s,
485>>0x27 lelong x serial %08x,
486>>0x36 string >\0 fstype %.8s
487
488# LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu)
4892 string -lh0- LHarc 1.x/ARX archive data [lh0]
4902 string -lh1- LHarc 1.x/ARX archive data [lh1]
4912 string -lz4- LHarc 1.x archive data [lz4]
4922 string -lz5- LHarc 1.x archive data [lz5]
493# [never seen any but the last; -lh4- reported in comp.compression:]
4942 string -lzs- LHa/LZS archive data [lzs]
4952 string -lh\40- LHa 2.x? archive data [lh ]
4962 string -lhd- LHa 2.x? archive data [lhd]
4972 string -lh2- LHa 2.x? archive data [lh2]
4982 string -lh3- LHa 2.x? archive data [lh3]
4992 string -lh4- LHa (2.x) archive data [lh4]
5002 string -lh5- LHa (2.x) archive data [lh5]
5012 string -lh6- LHa (2.x) archive data [lh6]
5022 string -lh7- LHa (2.x)/LHark archive data [lh7]
503>20 byte x - header level %d
504# taken from idarc [JW]
5052 string -lZ PUT archive data
5062 string -lz LZS archive data
5072 string -sw1- Swag archive data
508
509# RAR archiver (Greg Roelofs, newt@uchicago.edu)
5100 string Rar! RAR archive data,
511>44 byte x v%0x,
512>10 byte >0 flags:
513>>10 byte &0x01 Archive volume,
514>>10 byte &0x02 Commented,
515>>10 byte &0x04 Locked,
516>>10 byte &0x08 Solid,
517>>10 byte &0x20 Authenticated,
518>35 byte 0 os: MS-DOS
519>35 byte 1 os: OS/2
520>35 byte 2 os: Win32
521>35 byte 3 os: Unix
522# some old version? idarc says:
5230 string RE\x7e\x5e RAR archive data
524
525# SQUISH archiver (Greg Roelofs, newt@uchicago.edu)
5260 string SQSH squished archive data (Acorn RISCOS)
527
528# UC2 archiver (Greg Roelofs, newt@uchicago.edu)
529# [JW] see exe section for self-extracting version
5300 string UC2\x1a UC2 archive data
531
532# ZIP archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)
5330 string PK\003\004
534>4 byte 0x09 Zip archive data, at least v0.9 to extract
535>4 byte 0x0a Zip archive data, at least v1.0 to extract
536>4 byte 0x0b Zip archive data, at least v1.1 to extract
537>4 byte 0x14
538>>30 ubelong !0x6d696d65 Zip archive data, at least v2.0 to extract
539>0x161 string WINZIP Zip archive data, WinZIP self-extracting
540
541
542# OpenOffice.org / KOffice / StarOffice documents
543# From: Abel Cheung <abel@oaka.org>
544# Listed here because they are basically zip files
545>>30 string mimetype
546
547# KOffice (1.2 or above) formats
548>>>50 string vnd.kde. KOffice (>=1.2)
549>>>>58 string karbon Karbon document
550>>>>58 string kchart KChart document
551>>>>58 string kformula KFormula document
552>>>>58 string kivio Kivio document
553>>>>58 string kontour Kontour document
554>>>>58 string kpresenter KPresenter document
555>>>>58 string kspread KSpread document
556>>>>58 string kword KWord document
557
558# OpenOffice formats (for OpenOffice 1.x / StarOffice 6/7)
559>>>50 string vnd.sun.xml. OpenOffice.org 1.x
560>>>>62 string writer Writer
561>>>>>68 byte !0x2e document
562>>>>>68 string .template template
563>>>>>68 string .global global document
564>>>>62 string calc Calc
565>>>>>66 byte !0x2e spreadsheet
566>>>>>66 string .template template
567>>>>62 string draw Draw
568>>>>>66 byte !0x2e document
569>>>>>66 string .template template
570>>>>62 string impress Impress
571>>>>>69 byte !0x2e presentation
572>>>>>69 string .template template
573>>>>62 string math Math document
574
575# OpenDocument formats (for OpenOffice 2.x / StarOffice >= 8)
576# http://lists.oasis-open.org/archives/office/200505/msg00006.html
577>>>50 string vnd.oasis.opendocument. OpenDocument
578>>>>73 string text
579>>>>>77 byte !0x2d Text
580>>>>>77 string -template Text Template
581>>>>>77 string -web HTML Document Template
582>>>>>77 string -master Master Document
583>>>>73 string graphics Drawing
584>>>>>81 string -template Template
585>>>>73 string presentation Presentation
586>>>>>85 string -template Template
587>>>>73 string spreadsheet Spreadsheet
588>>>>>84 string -template Template
589>>>>73 string chart Chart
590>>>>>78 string -template Template
591>>>>73 string formula Formula
592>>>>>80 string -template Template
593>>>>73 string database Database
594>>>>73 string image Image
595
596# Zoo archiver
59720 lelong 0xfdc4a7dc Zoo archive data
598>4 byte >48 \b, v%c.
599>>6 byte >47 \b%c
600>>>7 byte >47 \b%c
601>32 byte >0 \b, modify: v%d
602>>33 byte x \b.%d+
603>42 lelong 0xfdc4a7dc \b,
604>>70 byte >0 extract: v%d
605>>>71 byte x \b.%d+
606
607# Shell archives
60810 string #\ This\ is\ a\ shell\ archive shell archive text
609
610#
611# LBR. NB: May conflict with the questionable
612# "binary Computer Graphics Metafile" format.
613#
6140 string \0\ \ \ \ \ \ \ \ \ \ \ \0\0 LBR archive data
615#
616# PMA (CP/M derivative of LHA)
617#
6182 string -pm0- PMarc archive data [pm0]
6192 string -pm1- PMarc archive data [pm1]
6202 string -pm2- PMarc archive data [pm2]
6212 string -pms- PMarc SFX archive (CP/M, DOS)
6225 string -pc1- PopCom compressed executable (CP/M)
623
624# From Rafael Laboissiere <rafael@laboissiere.net>
625# The Project Revision Control System (see
626# http://prcs.sourceforge.net) generates a packaged project
627# file which is recognized by the following entry:
6280 leshort 0xeb81 PRCS packaged project
629
630# Microsoft cabinets
631# by David Necas (Yeti) <yeti@physics.muni.cz>
632#0 string MSCF\0\0\0\0 Microsoft cabinet file data,
633#>25 byte x v%d
634#>24 byte x \b.%d
635# MPi: All CABs have version 1.3, so this is pointless.
636# Better magic in debian-additions.
637
638# GTKtalog catalogs
639# by David Necas (Yeti) <yeti@physics.muni.cz>
6404 string gtktalog\ GTKtalog catalog data,
641>13 string 3 version 3
642>>14 beshort 0x677a (gzipped)
643>>14 beshort !0x677a (not gzipped)
644>13 string >3 version %s
645
646############################################################################
647# Parity archive reconstruction file, the 'par' file format now used on Usenet.
6480 string PAR\0 PARity archive data
649>48 leshort =0 - Index file
650>48 leshort >0 - file number %d
651
652# Felix von Leitner <felix-file@fefe.de>
6530 string d8:announce BitTorrent file
654
655# Atari MSA archive - Teemu Hukkanen <tjhukkan@iki.fi>
6560 beshort 0x0e0f Atari MSA archive data
657>2 beshort x \b, %d sectors per track
658>4 beshort 0 \b, 1 sided
659>4 beshort 1 \b, 2 sided
660>6 beshort x \b, starting track: %d
661>8 beshort x \b, ending track: %d
662
663# Alternate ZIP string (amc@arwen.cs.berkeley.edu)
6640 string PK00PK\003\004 Zip archive data
665
666# ACE archive (from http://www.wotsit.org/download.asp?f=ace)
667# by Stefan `Sec` Zehl <sec@42.org>
6687 string **ACE** ACE archive data
669>15 byte >0 version %d
670>16 byte =0x00 \b, from MS-DOS
671>16 byte =0x01 \b, from OS/2
672>16 byte =0x02 \b, from Win/32
673>16 byte =0x03 \b, from Unix
674>16 byte =0x04 \b, from MacOS
675>16 byte =0x05 \b, from WinNT
676>16 byte =0x06 \b, from Primos
677>16 byte =0x07 \b, from AppleGS
678>16 byte =0x08 \b, from Atari
679>16 byte =0x09 \b, from Vax/VMS
680>16 byte =0x0A \b, from Amiga
681>16 byte =0x0B \b, from Next
682>14 byte x \b, version %d to extract
683>5 leshort &0x0080 \b, multiple volumes,
684>>17 byte x \b (part %d),
685>5 leshort &0x0002 \b, contains comment
686>5 leshort &0x0200 \b, sfx
687>5 leshort &0x0400 \b, small dictionary
688>5 leshort &0x0800 \b, multi-volume
689>5 leshort &0x1000 \b, contains AV-String
690>>30 string \x16*UNREGISTERED\x20VERSION* (unregistered)
691>5 leshort &0x2000 \b, with recovery record
692>5 leshort &0x4000 \b, locked
693>5 leshort &0x8000 \b, solid
694# Date in MS-DOS format (whatever that is)
695#>18 lelong x Created on
696
697# sfArk : compression program for Soundfonts (sf2) by Dirk Jagdmann
698# <doj@cubic.org>
6990x1A string sfArk sfArk compressed Soundfont
700>0x15 string 2
701>>0x1 string >\0 Version %s
702>>0x2A string >\0 : %s
703
704# DR-DOS 7.03 Packed File *.??_
7050 string Packed\ File\ Personal NetWare Packed File
706>12 string x \b, was "%.12s"
707
708# EET archive
709# From: Tilman Sauerbeck <tilman@code-monkey.de>
7100 belong 0x1ee7ff00 EET archive
711
712# rzip archives
7130 string RZIP rzip compressed data
714>4 byte x - version %d
715>5 byte x \b.%d
716>6 belong x (%d bytes)
717
718# From: "Robert Dale" <robdale@gmail.com>
7190 belong 123 dar archive,
720>4 belong x label "%.8x
721>>8 belong x %.8x
722>>>12 beshort x %.4x"
723>14 byte 0x54 end slice
724>14 beshort 0x4e4e multi-part
725>14 beshort 0x4e53 multi-part, with -S
| 482>7 string >\0 version %.4s
483>0x26 byte =0x27 -
484>>0x2b string >\0 label %.11s,
485>>0x27 lelong x serial %08x,
486>>0x36 string >\0 fstype %.8s
487
488# LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu)
4892 string -lh0- LHarc 1.x/ARX archive data [lh0]
4902 string -lh1- LHarc 1.x/ARX archive data [lh1]
4912 string -lz4- LHarc 1.x archive data [lz4]
4922 string -lz5- LHarc 1.x archive data [lz5]
493# [never seen any but the last; -lh4- reported in comp.compression:]
4942 string -lzs- LHa/LZS archive data [lzs]
4952 string -lh\40- LHa 2.x? archive data [lh ]
4962 string -lhd- LHa 2.x? archive data [lhd]
4972 string -lh2- LHa 2.x? archive data [lh2]
4982 string -lh3- LHa 2.x? archive data [lh3]
4992 string -lh4- LHa (2.x) archive data [lh4]
5002 string -lh5- LHa (2.x) archive data [lh5]
5012 string -lh6- LHa (2.x) archive data [lh6]
5022 string -lh7- LHa (2.x)/LHark archive data [lh7]
503>20 byte x - header level %d
504# taken from idarc [JW]
5052 string -lZ PUT archive data
5062 string -lz LZS archive data
5072 string -sw1- Swag archive data
508
509# RAR archiver (Greg Roelofs, newt@uchicago.edu)
5100 string Rar! RAR archive data,
511>44 byte x v%0x,
512>10 byte >0 flags:
513>>10 byte &0x01 Archive volume,
514>>10 byte &0x02 Commented,
515>>10 byte &0x04 Locked,
516>>10 byte &0x08 Solid,
517>>10 byte &0x20 Authenticated,
518>35 byte 0 os: MS-DOS
519>35 byte 1 os: OS/2
520>35 byte 2 os: Win32
521>35 byte 3 os: Unix
522# some old version? idarc says:
5230 string RE\x7e\x5e RAR archive data
524
525# SQUISH archiver (Greg Roelofs, newt@uchicago.edu)
5260 string SQSH squished archive data (Acorn RISCOS)
527
528# UC2 archiver (Greg Roelofs, newt@uchicago.edu)
529# [JW] see exe section for self-extracting version
5300 string UC2\x1a UC2 archive data
531
532# ZIP archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)
5330 string PK\003\004
534>4 byte 0x09 Zip archive data, at least v0.9 to extract
535>4 byte 0x0a Zip archive data, at least v1.0 to extract
536>4 byte 0x0b Zip archive data, at least v1.1 to extract
537>4 byte 0x14
538>>30 ubelong !0x6d696d65 Zip archive data, at least v2.0 to extract
539>0x161 string WINZIP Zip archive data, WinZIP self-extracting
540
541
542# OpenOffice.org / KOffice / StarOffice documents
543# From: Abel Cheung <abel@oaka.org>
544# Listed here because they are basically zip files
545>>30 string mimetype
546
547# KOffice (1.2 or above) formats
548>>>50 string vnd.kde. KOffice (>=1.2)
549>>>>58 string karbon Karbon document
550>>>>58 string kchart KChart document
551>>>>58 string kformula KFormula document
552>>>>58 string kivio Kivio document
553>>>>58 string kontour Kontour document
554>>>>58 string kpresenter KPresenter document
555>>>>58 string kspread KSpread document
556>>>>58 string kword KWord document
557
558# OpenOffice formats (for OpenOffice 1.x / StarOffice 6/7)
559>>>50 string vnd.sun.xml. OpenOffice.org 1.x
560>>>>62 string writer Writer
561>>>>>68 byte !0x2e document
562>>>>>68 string .template template
563>>>>>68 string .global global document
564>>>>62 string calc Calc
565>>>>>66 byte !0x2e spreadsheet
566>>>>>66 string .template template
567>>>>62 string draw Draw
568>>>>>66 byte !0x2e document
569>>>>>66 string .template template
570>>>>62 string impress Impress
571>>>>>69 byte !0x2e presentation
572>>>>>69 string .template template
573>>>>62 string math Math document
574
575# OpenDocument formats (for OpenOffice 2.x / StarOffice >= 8)
576# http://lists.oasis-open.org/archives/office/200505/msg00006.html
577>>>50 string vnd.oasis.opendocument. OpenDocument
578>>>>73 string text
579>>>>>77 byte !0x2d Text
580>>>>>77 string -template Text Template
581>>>>>77 string -web HTML Document Template
582>>>>>77 string -master Master Document
583>>>>73 string graphics Drawing
584>>>>>81 string -template Template
585>>>>73 string presentation Presentation
586>>>>>85 string -template Template
587>>>>73 string spreadsheet Spreadsheet
588>>>>>84 string -template Template
589>>>>73 string chart Chart
590>>>>>78 string -template Template
591>>>>73 string formula Formula
592>>>>>80 string -template Template
593>>>>73 string database Database
594>>>>73 string image Image
595
596# Zoo archiver
59720 lelong 0xfdc4a7dc Zoo archive data
598>4 byte >48 \b, v%c.
599>>6 byte >47 \b%c
600>>>7 byte >47 \b%c
601>32 byte >0 \b, modify: v%d
602>>33 byte x \b.%d+
603>42 lelong 0xfdc4a7dc \b,
604>>70 byte >0 extract: v%d
605>>>71 byte x \b.%d+
606
607# Shell archives
60810 string #\ This\ is\ a\ shell\ archive shell archive text
609
610#
611# LBR. NB: May conflict with the questionable
612# "binary Computer Graphics Metafile" format.
613#
6140 string \0\ \ \ \ \ \ \ \ \ \ \ \0\0 LBR archive data
615#
616# PMA (CP/M derivative of LHA)
617#
6182 string -pm0- PMarc archive data [pm0]
6192 string -pm1- PMarc archive data [pm1]
6202 string -pm2- PMarc archive data [pm2]
6212 string -pms- PMarc SFX archive (CP/M, DOS)
6225 string -pc1- PopCom compressed executable (CP/M)
623
624# From Rafael Laboissiere <rafael@laboissiere.net>
625# The Project Revision Control System (see
626# http://prcs.sourceforge.net) generates a packaged project
627# file which is recognized by the following entry:
6280 leshort 0xeb81 PRCS packaged project
629
630# Microsoft cabinets
631# by David Necas (Yeti) <yeti@physics.muni.cz>
632#0 string MSCF\0\0\0\0 Microsoft cabinet file data,
633#>25 byte x v%d
634#>24 byte x \b.%d
635# MPi: All CABs have version 1.3, so this is pointless.
636# Better magic in debian-additions.
637
638# GTKtalog catalogs
639# by David Necas (Yeti) <yeti@physics.muni.cz>
6404 string gtktalog\ GTKtalog catalog data,
641>13 string 3 version 3
642>>14 beshort 0x677a (gzipped)
643>>14 beshort !0x677a (not gzipped)
644>13 string >3 version %s
645
646############################################################################
647# Parity archive reconstruction file, the 'par' file format now used on Usenet.
6480 string PAR\0 PARity archive data
649>48 leshort =0 - Index file
650>48 leshort >0 - file number %d
651
652# Felix von Leitner <felix-file@fefe.de>
6530 string d8:announce BitTorrent file
654
655# Atari MSA archive - Teemu Hukkanen <tjhukkan@iki.fi>
6560 beshort 0x0e0f Atari MSA archive data
657>2 beshort x \b, %d sectors per track
658>4 beshort 0 \b, 1 sided
659>4 beshort 1 \b, 2 sided
660>6 beshort x \b, starting track: %d
661>8 beshort x \b, ending track: %d
662
663# Alternate ZIP string (amc@arwen.cs.berkeley.edu)
6640 string PK00PK\003\004 Zip archive data
665
666# ACE archive (from http://www.wotsit.org/download.asp?f=ace)
667# by Stefan `Sec` Zehl <sec@42.org>
6687 string **ACE** ACE archive data
669>15 byte >0 version %d
670>16 byte =0x00 \b, from MS-DOS
671>16 byte =0x01 \b, from OS/2
672>16 byte =0x02 \b, from Win/32
673>16 byte =0x03 \b, from Unix
674>16 byte =0x04 \b, from MacOS
675>16 byte =0x05 \b, from WinNT
676>16 byte =0x06 \b, from Primos
677>16 byte =0x07 \b, from AppleGS
678>16 byte =0x08 \b, from Atari
679>16 byte =0x09 \b, from Vax/VMS
680>16 byte =0x0A \b, from Amiga
681>16 byte =0x0B \b, from Next
682>14 byte x \b, version %d to extract
683>5 leshort &0x0080 \b, multiple volumes,
684>>17 byte x \b (part %d),
685>5 leshort &0x0002 \b, contains comment
686>5 leshort &0x0200 \b, sfx
687>5 leshort &0x0400 \b, small dictionary
688>5 leshort &0x0800 \b, multi-volume
689>5 leshort &0x1000 \b, contains AV-String
690>>30 string \x16*UNREGISTERED\x20VERSION* (unregistered)
691>5 leshort &0x2000 \b, with recovery record
692>5 leshort &0x4000 \b, locked
693>5 leshort &0x8000 \b, solid
694# Date in MS-DOS format (whatever that is)
695#>18 lelong x Created on
696
697# sfArk : compression program for Soundfonts (sf2) by Dirk Jagdmann
698# <doj@cubic.org>
6990x1A string sfArk sfArk compressed Soundfont
700>0x15 string 2
701>>0x1 string >\0 Version %s
702>>0x2A string >\0 : %s
703
704# DR-DOS 7.03 Packed File *.??_
7050 string Packed\ File\ Personal NetWare Packed File
706>12 string x \b, was "%.12s"
707
708# EET archive
709# From: Tilman Sauerbeck <tilman@code-monkey.de>
7100 belong 0x1ee7ff00 EET archive
711
712# rzip archives
7130 string RZIP rzip compressed data
714>4 byte x - version %d
715>5 byte x \b.%d
716>6 belong x (%d bytes)
717
718# From: "Robert Dale" <robdale@gmail.com>
7190 belong 123 dar archive,
720>4 belong x label "%.8x
721>>8 belong x %.8x
722>>>12 beshort x %.4x"
723>14 byte 0x54 end slice
724>14 beshort 0x4e4e multi-part
725>14 beshort 0x4e53 multi-part, with -S
|