1 2#------------------------------------------------------------------------------ 3# archive: file(1) magic for archive formats (see also "msdos" for self- 4# extracting compressed archives) 5# 6# cpio, ar, arc, arj, hpack, lha/lharc, rar, squish, uc2, zip, zoo, etc. 7# pre-POSIX "tar" archives are handled in the C code. 8 9# POSIX tar archives 10257 string ustar\0 POSIX tar archive 11257 string ustar\040\040\0 GNU tar archive 12 13# cpio archives 14# 15# Yes, the top two "cpio archive" formats *are* supposed to just be "short". 16# The idea is to indicate archives produced on machines with the same 17# byte order as the machine running "file" with "cpio archive", and 18# to indicate archives produced on machines with the opposite byte order 19# from the machine running "file" with "byte-swapped cpio archive". 20# 21# The SVR4 "cpio(4)" hints that there are additional formats, but they 22# are defined as "short"s; I think all the new formats are 23# character-header formats and thus are strings, not numbers. 240 short 070707 cpio archive 250 short 0143561 byte-swapped cpio archive 260 string 070707 ASCII cpio archive (pre-SVR4 or odc) 270 string 070701 ASCII cpio archive (SVR4 with no CRC) 280 string 070702 ASCII cpio archive (SVR4 with CRC) 29 30# Debian package (needs to go before regular portable archives) 31# 320 string =!<arch>\ndebian 33>8 string debian-split part of multipart Debian package 34>8 string debian-binary Debian binary package 35>68 string >\0 (format %s) 36# These next two lines do not work, because a bzip2 Debian archive 37# still uses gzip for the control.tar (first in the archive). Only 38# data.tar varies, and the location of its filename varies too. 39# file/libmagic does not current have support for ascii-string based 40# (offsets) as of 2005-09-15. 41#>81 string bz2 \b, uses bzip2 compression 42#>84 string gz \b, uses gzip compression 43#>136 ledate x created: %s 44 45# other archives 460 long 0177555 very old archive 470 short 0177555 very old PDP-11 archive 480 long 0177545 old archive 490 short 0177545 old PDP-11 archive 500 long 0100554 apl workspace 510 string =<ar> archive 52 53# MIPS archive (needs to go before regular portable archives) 54# 550 string =!<arch>\n__________E MIPS archive 56>20 string U with MIPS Ucode members 57>21 string L with MIPSEL members 58>21 string B with MIPSEB members 59>19 string L and an EL hash table 60>19 string B and an EB hash table 61>22 string X -- out of date 62 630 string -h- Software Tools format archive text 64 65# 66# XXX - why are there multiple <ar> thingies? Note that 0x213c6172 is 67# "!<ar", so, for new-style (4.xBSD/SVR2andup) archives, we have: 68# 69# 0 string =!<arch> current ar archive 70# 0 long 0x213c6172 archive file 71# 72# and for SVR1 archives, we have: 73# 74# 0 string \<ar> System V Release 1 ar archive 75# 0 string =<ar> archive 76# 77# XXX - did Aegis really store shared libraries, breakpointed modules, 78# and absolute code program modules in the same format as new-style 79# "ar" archives? 80# 810 string =!<arch> current ar archive 82>8 string __.SYMDEF random library 83>0 belong =65538 - pre SR9.5 84>0 belong =65539 - post SR9.5 85>0 beshort 2 - object archive 86>0 beshort 3 - shared library module 87>0 beshort 4 - debug break-pointed module 88>0 beshort 5 - absolute code program module 890 string \<ar> System V Release 1 ar archive 900 string =<ar> archive 91# 92# XXX - from "vax", which appears to collect a bunch of byte-swapped 93# thingies, to help you recognize VAX files on big-endian machines; 94# with "leshort", "lelong", and "string", that's no longer necessary.... 95# 960 belong 0x65ff0000 VAX 3.0 archive 970 belong 0x3c61723e VAX 5.0 archive 98# 990 long 0x213c6172 archive file 1000 lelong 0177555 very old VAX archive 1010 leshort 0177555 very old PDP-11 archive 102# 103# XXX - "pdp" claims that 0177545 can have an __.SYMDEF member and thus 104# be a random library (it said 0xff65 rather than 0177545). 105# 1060 lelong 0177545 old VAX archive 107>8 string __.SYMDEF random library 1080 leshort 0177545 old PDP-11 archive 109>8 string __.SYMDEF random library 110# 111# From "pdp" (but why a 4-byte quantity?) 112# 1130 lelong 0x39bed PDP-11 old archive 1140 lelong 0x39bee PDP-11 4.0 archive 115 116# ARC archiver, from Daniel Quinlan (quinlan@yggdrasil.com) 117# 118# The first byte is the magic (0x1a), byte 2 is the compression type for 119# the first file (0x01 through 0x09), and bytes 3 to 15 are the MS-DOS 120# filename of the first file (null terminated). Since some types collide 121# we only test some types on basis of frequency: 0x08 (83%), 0x09 (5%), 122# 0x02 (5%), 0x03 (3%), 0x04 (2%), 0x06 (2%). 0x01 collides with terminfo. 1230 lelong&0x8080ffff 0x0000081a ARC archive data, dynamic LZW 1240 lelong&0x8080ffff 0x0000091a ARC archive data, squashed 1250 lelong&0x8080ffff 0x0000021a ARC archive data, uncompressed 1260 lelong&0x8080ffff 0x0000031a ARC archive data, packed 1270 lelong&0x8080ffff 0x0000041a ARC archive data, squeezed 1280 lelong&0x8080ffff 0x0000061a ARC archive data, crunched 129# [JW] stuff taken from idarc, obviously ARC successors: 1300 lelong&0x8080ffff 0x00000a1a PAK archive data 1310 lelong&0x8080ffff 0x0000141a ARC+ archive data 1320 lelong&0x8080ffff 0x0000481a HYP archive data 133 134# Acorn archive formats (Disaster prone simpleton, m91dps@ecs.ox.ac.uk) 135# I can't create either SPARK or ArcFS archives so I have not tested this stuff 136# [GRR: the original entries collide with ARC, above; replaced with combined 137# version (not tested)] 138#0 byte 0x1a RISC OS archive (spark format) 1390 string \032archive RISC OS archive (ArcFS format) 1400 string Archive\000 RISC OS archive (ArcFS format) 141 142# All these were taken from idarc, many could not be verified. Unfortunately, 143# there were many low-quality sigs, i.e. easy to trigger false positives. 144# Please notify me of any real-world fishy/ambiguous signatures and I'll try 145# to get my hands on the actual archiver and see if I find something better. [JW] 146# probably many can be enhanced by finding some 0-byte or control char near the start 147 148# idarc calls this Crush/Uncompressed... *shrug* 1490 string CRUSH Crush archive data 150# Squeeze It (.sqz) 1510 string HLSQZ Squeeze It archive data 152# SQWEZ 1530 string SQWEZ SQWEZ archive data 154# HPack (.hpk) 1550 string HPAK HPack archive data 156# HAP 1570 string \x91\x33HF HAP archive data 158# MD/MDCD 1590 string MDmd MDCD archive data 160# LIM 1610 string LIM\x1a LIM archive data 162# SAR 1633 string LH5 SAR archive data 164# BSArc/BS2 1650 string \212\3SB \0 BSArc/BS2 archive data 166# MAR 1672 string =-ah MAR archive data 168# ACB 1690 belong&0x00f800ff 0x00800000 ACB archive data 170# CPZ 171# TODO, this is what idarc says: 0 string \0\0\0 CPZ archive data 172# JRC 1730 string JRchive JRC archive data 174# Quantum 1750 string DS\0 Quantum archive data 176# ReSOF 1770 string PK\3\6 ReSOF archive data 178# QuArk 1790 string 7\4 QuArk archive data 180# YAC 18114 string YC YAC archive data 182# X1 1830 string X1 X1 archive data 1840 string XhDr X1 archive data 185# CDC Codec (.dqt) 1860 belong&0xffffe000 0x76ff2000 CDC Codec archive data 187# AMGC 1880 string \xad6" AMGC archive data 189# NuLIB 1900 string N��F��l�� NuLIB archive data 191# PakLeo 1920 string LEOLZW PAKLeo archive data 193# ChArc 1940 string SChF ChArc archive data 195# PSA 1960 string PSA PSA archive data 197# CrossePAC 1980 string DSIGDCC CrossePAC archive data 199# Freeze 2000 string \x1f\x9f\x4a\x10\x0a Freeze archive data 201# KBoom 2020 string ��MP�� KBoom archive data 203# NSQ, must go after CDC Codec 2040 string \x76\xff NSQ archive data 205# DPA 2060 string Dirk\ Paehl DPA archive data 207# BA 208# TODO: idarc says "bytes 0-2 == bytes 3-5" 209# TTComp 2100 string \0\6 TTComp archive data 211# ESP, could this conflict with Easy Software Products' (e.g.ESP ghostscript) documentation? 2120 string ESP ESP archive data 213# ZPack 2140 string \1ZPK\1 ZPack archive data 215# Sky 2160 string \xbc\x40 Sky archive data 217# UFA 2180 string UFA UFA archive data 219# Dry 2200 string =-H2O DRY archive data 221# FoxSQZ 2220 string FOXSQZ FoxSQZ archive data 223# AR7 2240 string ,AR7 AR7 archive data 225# PPMZ 2260 string PPMZ PPMZ archive data 227# MS Compress 2284 string \x88\xf0\x27 MS Compress archive data 229# updated by Joerg Jenderek 230>9 string \0 231>>0 string KWAJ 232>>>7 string \321\003 MS Compress archive data 233>>>>14 ulong >0 \b, original size: %ld bytes 234>>>>18 ubyte >0x65 235>>>>>18 string x \b, was %.8s 236>>>>>(10.b-4) string x \b.%.3s 237# MP3 (archiver, not lossy audio compression) 2380 string MP3\x1a MP3-Archiver archive data 239# ZET 2400 string OZ�� ZET archive data 241# TSComp 2420 string \x65\x5d\x13\x8c\x08\x01\x03\x00 TSComp archive data 243# ARQ 2440 string gW\4\1 ARQ archive data 245# Squash 2463 string OctSqu Squash archive data 247# Terse 2480 string \5\1\1\0 Terse archive data 249# PUCrunch 2500 string \x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 PUCrunch archive data 251# UHarc 2520 string UHA UHarc archive data 253# ABComp 2540 string \2AB ABComp archive data 2550 string \3AB2 ABComp archive data 256# CMP 2570 string CO\0 CMP archive data 258# Splint 2590 string \x93\xb9\x06 Splint archive data 260# InstallShield 2610 string \x13\x5d\x65\x8c InstallShield Z archive Data 262# Gather 2631 string GTH Gather archive data 264# BOA 2650 string BOA BOA archive data 266# RAX 2670 string ULEB\xa RAX archive data 268# Xtreme 2690 string ULEB\0 Xtreme archive data 270# Pack Magic 2710 string @��\1\0 Pack Magic archive data 272# BTS 2730 belong&0xfeffffff 0x1a034465 BTS archive data 274# ELI 5750 2750 string Ora\ ELI 5750 archive data 276# QFC 2770 string \x1aFC\x1a QFC archive data 2780 string \x1aQF\x1a QFC archive data 279# PRO-PACK 2800 string RNC PRO-PACK archive data 281# 777 2820 string 777 777 archive data 283# LZS221 2840 string sTaC LZS221 archive data 285# HPA 2860 string HPA HPA archive data 287# Arhangel 2880 string LG Arhangel archive data 289# EXP1, uses bzip2 2900 string 0123456789012345BZh EXP1 archive data 291# IMP 2920 string IMP\xa IMP archive data 293# NRV 2940 string \x00\x9E\x6E\x72\x76\xFF NRV archive data 295# Squish 2960 string \x73\xb2\x90\xf4 Squish archive data 297# Par 2980 string PHILIPP Par archive data 2990 string PAR Par archive data 300# HIT 3010 string UB HIT archive data 302# SBX 3030 belong&0xfffff000 0x53423000 SBX archive data 304# NaShrink 3050 string NSK NaShrink archive data 306# SAPCAR 3070 string #\ CAR\ archive\ header SAPCAR archive data 3080 string CAR\ 2.00RG SAPCAR archive data 309# Disintegrator 3100 string DST Disintegrator archive data 311# ASD 3120 string ASD ASD archive data 313# InstallShield CAB 3140 string ISc( InstallShield CAB 315# TOP4 3160 string T4\x1a TOP4 archive data 317# BatComp left out: sig looks like COM executable 318# so TODO: get real 4dos batcomp file and find sig 319# BlakHole 3200 string BH\5\7 BlakHole archive data 321# BIX 3220 string BIX0 BIX archive data 323# ChiefLZA 3240 string ChfLZ ChiefLZA archive data 325# Blink 3260 string Blink Blink archive data 327# Logitech Compress 3280 string \xda\xfa Logitech Compress archive data 329# ARS-Sfx (FIXME: really a SFX? then goto COM/EXE) 3301 string (C)\ STEPANYUK ARS-Sfx archive data 331# AKT/AKT32 3320 string AKT32 AKT32 archive data 3330 string AKT AKT archive data 334# NPack 3350 string MSTSM NPack archive data 336# PFT 3370 string \0\x50\0\x14 PFT archive data 338# SemOne 3390 string SEM SemOne archive data 340# PPMD 3410 string \x8f\xaf\xac\x84 PPMD archive data 342# FIZ 3430 string FIZ FIZ archive data 344# MSXiE 3450 belong&0xfffff0f0 0x4d530000 MSXiE archive data 346# DeepFreezer 3470 belong&0xfffffff0 0x797a3030 DeepFreezer archive data 348# DC 3490 string =<DC- DC archive data 350# TPac 3510 string \4TPAC\3 TPac archive data 352# Ai 3530 string Ai\1\1\0 Ai archive data 3540 string Ai\1\0\0 Ai archive data 355# Ai32 3560 string Ai\2\0 Ai32 archive data 3570 string Ai\2\1 Ai32 archive data 358# SBC 3590 string SBC SBC archive data 360# Ybs 3610 string YBS Ybs archive data 362# DitPack 3630 string \x9e\0\0 DitPack archive data 364# DMS 3650 string DMS! DMS archive data 366# EPC 3670 string \x8f\xaf\xac\x8c EPC archive data 368# VSARC 3690 string VS\x1a VSARC archive data 370# PDZ 3710 string PDZ PDZ archive data 372# ReDuq 3730 string rdqx ReDuq archive data 374# GCA 3750 string GCAX GCA archive data 376# PPMN 3770 string pN PPMN archive data 378# WinImage 3793 string WINIMAGE WinImage archive data 380# Compressia 3810 string CMP0CMP Compressia archive data 382# UHBC 3830 string UHB UHBC archive data 384# WinHKI 3850 string \x61\x5C\x04\x05 WinHKI archive data 386# WWPack data file 3870 string WWP WWPack archive data 388# BSN (BSA, PTS-DOS) 3890 string \xffBSG BSN archive data 3901 string \xffBSG BSN archive data 3913 string \xffBSG BSN archive data 3921 string \0\xae\2 BSN archive data 3931 string \0\xae\3 BSN archive data 3941 string \0\xae\7 BSN archive data 395# AIN 3960 string \x33\x18 AIN archive data 3970 string \x33\x17 AIN archive data 398# XPA32 3990 string xpa\0\1 XPA32 archive data 400# SZip (TODO: doesn't catch all versions) 4010 string SZ\x0a\4 SZip archive data 402# XPack DiskImage 4030 string jm XPack DiskImage archive data 404# XPack Data 4050 string xpa XPack archive data 406# XPack Single Data 4070 string ��\ jm XPack single archive data 408 409# TODO: missing due to unknown magic/magic at end of file: 410#DWC 411#ARG 412#ZAR 413#PC/3270 414#InstallIt 415#RKive 416#RK 417#XPack Diskimage 418 419# These were inspired by idarc, but actually verified 420# Dzip archiver (.dz) 4210 string DZ Dzip archive data 422>2 byte x \b, version %i 423>3 byte x \b.%i 424# ZZip archiver (.zz) 4250 string ZZ\ \0\0 ZZip archive data 4260 string ZZ0 ZZip archive data 427# PAQ archiver (.paq) 4280 string \xaa\x40\x5f\x77\x1f\xe5\x82\x0d PAQ archive data 4290 string PAQ PAQ archive data 430>3 byte&0xf0 0x30 431>>3 byte x (v%c) 432# JAR archiver (.j), this is the successor to ARJ, not Java's JAR (which is essentially ZIP) 4330xe string \x1aJar\x1b JAR (ARJ Software, Inc.) archive data 4340 string JARCS JAR (ARJ Software, Inc.) archive data 435 436# ARJ archiver (jason@jarthur.Claremont.EDU) 4370 leshort 0xea60 ARJ archive data 438>5 byte x \b, v%d, 439>8 byte &0x04 multi-volume, 440>8 byte &0x10 slash-switched, 441>8 byte &0x20 backup, 442>34 string x original name: %s, 443>7 byte 0 os: MS-DOS 444>7 byte 1 os: PRIMOS 445>7 byte 2 os: Unix 446>7 byte 3 os: Amiga 447>7 byte 4 os: Macintosh 448>7 byte 5 os: OS/2 449>7 byte 6 os: Apple ][ GS 450>7 byte 7 os: Atari ST 451>7 byte 8 os: NeXT 452>7 byte 9 os: VAX/VMS 453>3 byte >0 %d] 454# [JW] idarc says this is also possible 4552 leshort 0xea60 ARJ archive data 456 457# HA archiver (Greg Roelofs, newt@uchicago.edu) 458# This is a really bad format. A file containing HAWAII will match this... 459#0 string HA HA archive data, 460#>2 leshort =1 1 file, 461#>2 leshort >1 %u files, 462#>4 byte&0x0f =0 first is type CPY 463#>4 byte&0x0f =1 first is type ASC 464#>4 byte&0x0f =2 first is type HSC 465#>4 byte&0x0f =0x0e first is type DIR 466#>4 byte&0x0f =0x0f first is type SPECIAL 467# suggestion: at least identify small archives (<1024 files) 4680 belong&0xffff00fc 0x48410000 HA archive data 469>2 leshort =1 1 file, 470>2 leshort >1 %u files, 471>4 byte&0x0f =0 first is type CPY 472>4 byte&0x0f =1 first is type ASC 473>4 byte&0x0f =2 first is type HSC 474>4 byte&0x0f =0x0e first is type DIR 475>4 byte&0x0f =0x0f first is type SPECIAL 476 477# HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz) 4780 string HPAK HPACK archive data 479 480# JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net
| 1 2#------------------------------------------------------------------------------ 3# archive: file(1) magic for archive formats (see also "msdos" for self- 4# extracting compressed archives) 5# 6# cpio, ar, arc, arj, hpack, lha/lharc, rar, squish, uc2, zip, zoo, etc. 7# pre-POSIX "tar" archives are handled in the C code. 8 9# POSIX tar archives 10257 string ustar\0 POSIX tar archive 11257 string ustar\040\040\0 GNU tar archive 12 13# cpio archives 14# 15# Yes, the top two "cpio archive" formats *are* supposed to just be "short". 16# The idea is to indicate archives produced on machines with the same 17# byte order as the machine running "file" with "cpio archive", and 18# to indicate archives produced on machines with the opposite byte order 19# from the machine running "file" with "byte-swapped cpio archive". 20# 21# The SVR4 "cpio(4)" hints that there are additional formats, but they 22# are defined as "short"s; I think all the new formats are 23# character-header formats and thus are strings, not numbers. 240 short 070707 cpio archive 250 short 0143561 byte-swapped cpio archive 260 string 070707 ASCII cpio archive (pre-SVR4 or odc) 270 string 070701 ASCII cpio archive (SVR4 with no CRC) 280 string 070702 ASCII cpio archive (SVR4 with CRC) 29 30# Debian package (needs to go before regular portable archives) 31# 320 string =!<arch>\ndebian 33>8 string debian-split part of multipart Debian package 34>8 string debian-binary Debian binary package 35>68 string >\0 (format %s) 36# These next two lines do not work, because a bzip2 Debian archive 37# still uses gzip for the control.tar (first in the archive). Only 38# data.tar varies, and the location of its filename varies too. 39# file/libmagic does not current have support for ascii-string based 40# (offsets) as of 2005-09-15. 41#>81 string bz2 \b, uses bzip2 compression 42#>84 string gz \b, uses gzip compression 43#>136 ledate x created: %s 44 45# other archives 460 long 0177555 very old archive 470 short 0177555 very old PDP-11 archive 480 long 0177545 old archive 490 short 0177545 old PDP-11 archive 500 long 0100554 apl workspace 510 string =<ar> archive 52 53# MIPS archive (needs to go before regular portable archives) 54# 550 string =!<arch>\n__________E MIPS archive 56>20 string U with MIPS Ucode members 57>21 string L with MIPSEL members 58>21 string B with MIPSEB members 59>19 string L and an EL hash table 60>19 string B and an EB hash table 61>22 string X -- out of date 62 630 string -h- Software Tools format archive text 64 65# 66# XXX - why are there multiple <ar> thingies? Note that 0x213c6172 is 67# "!<ar", so, for new-style (4.xBSD/SVR2andup) archives, we have: 68# 69# 0 string =!<arch> current ar archive 70# 0 long 0x213c6172 archive file 71# 72# and for SVR1 archives, we have: 73# 74# 0 string \<ar> System V Release 1 ar archive 75# 0 string =<ar> archive 76# 77# XXX - did Aegis really store shared libraries, breakpointed modules, 78# and absolute code program modules in the same format as new-style 79# "ar" archives? 80# 810 string =!<arch> current ar archive 82>8 string __.SYMDEF random library 83>0 belong =65538 - pre SR9.5 84>0 belong =65539 - post SR9.5 85>0 beshort 2 - object archive 86>0 beshort 3 - shared library module 87>0 beshort 4 - debug break-pointed module 88>0 beshort 5 - absolute code program module 890 string \<ar> System V Release 1 ar archive 900 string =<ar> archive 91# 92# XXX - from "vax", which appears to collect a bunch of byte-swapped 93# thingies, to help you recognize VAX files on big-endian machines; 94# with "leshort", "lelong", and "string", that's no longer necessary.... 95# 960 belong 0x65ff0000 VAX 3.0 archive 970 belong 0x3c61723e VAX 5.0 archive 98# 990 long 0x213c6172 archive file 1000 lelong 0177555 very old VAX archive 1010 leshort 0177555 very old PDP-11 archive 102# 103# XXX - "pdp" claims that 0177545 can have an __.SYMDEF member and thus 104# be a random library (it said 0xff65 rather than 0177545). 105# 1060 lelong 0177545 old VAX archive 107>8 string __.SYMDEF random library 1080 leshort 0177545 old PDP-11 archive 109>8 string __.SYMDEF random library 110# 111# From "pdp" (but why a 4-byte quantity?) 112# 1130 lelong 0x39bed PDP-11 old archive 1140 lelong 0x39bee PDP-11 4.0 archive 115 116# ARC archiver, from Daniel Quinlan (quinlan@yggdrasil.com) 117# 118# The first byte is the magic (0x1a), byte 2 is the compression type for 119# the first file (0x01 through 0x09), and bytes 3 to 15 are the MS-DOS 120# filename of the first file (null terminated). Since some types collide 121# we only test some types on basis of frequency: 0x08 (83%), 0x09 (5%), 122# 0x02 (5%), 0x03 (3%), 0x04 (2%), 0x06 (2%). 0x01 collides with terminfo. 1230 lelong&0x8080ffff 0x0000081a ARC archive data, dynamic LZW 1240 lelong&0x8080ffff 0x0000091a ARC archive data, squashed 1250 lelong&0x8080ffff 0x0000021a ARC archive data, uncompressed 1260 lelong&0x8080ffff 0x0000031a ARC archive data, packed 1270 lelong&0x8080ffff 0x0000041a ARC archive data, squeezed 1280 lelong&0x8080ffff 0x0000061a ARC archive data, crunched 129# [JW] stuff taken from idarc, obviously ARC successors: 1300 lelong&0x8080ffff 0x00000a1a PAK archive data 1310 lelong&0x8080ffff 0x0000141a ARC+ archive data 1320 lelong&0x8080ffff 0x0000481a HYP archive data 133 134# Acorn archive formats (Disaster prone simpleton, m91dps@ecs.ox.ac.uk) 135# I can't create either SPARK or ArcFS archives so I have not tested this stuff 136# [GRR: the original entries collide with ARC, above; replaced with combined 137# version (not tested)] 138#0 byte 0x1a RISC OS archive (spark format) 1390 string \032archive RISC OS archive (ArcFS format) 1400 string Archive\000 RISC OS archive (ArcFS format) 141 142# All these were taken from idarc, many could not be verified. Unfortunately, 143# there were many low-quality sigs, i.e. easy to trigger false positives. 144# Please notify me of any real-world fishy/ambiguous signatures and I'll try 145# to get my hands on the actual archiver and see if I find something better. [JW] 146# probably many can be enhanced by finding some 0-byte or control char near the start 147 148# idarc calls this Crush/Uncompressed... *shrug* 1490 string CRUSH Crush archive data 150# Squeeze It (.sqz) 1510 string HLSQZ Squeeze It archive data 152# SQWEZ 1530 string SQWEZ SQWEZ archive data 154# HPack (.hpk) 1550 string HPAK HPack archive data 156# HAP 1570 string \x91\x33HF HAP archive data 158# MD/MDCD 1590 string MDmd MDCD archive data 160# LIM 1610 string LIM\x1a LIM archive data 162# SAR 1633 string LH5 SAR archive data 164# BSArc/BS2 1650 string \212\3SB \0 BSArc/BS2 archive data 166# MAR 1672 string =-ah MAR archive data 168# ACB 1690 belong&0x00f800ff 0x00800000 ACB archive data 170# CPZ 171# TODO, this is what idarc says: 0 string \0\0\0 CPZ archive data 172# JRC 1730 string JRchive JRC archive data 174# Quantum 1750 string DS\0 Quantum archive data 176# ReSOF 1770 string PK\3\6 ReSOF archive data 178# QuArk 1790 string 7\4 QuArk archive data 180# YAC 18114 string YC YAC archive data 182# X1 1830 string X1 X1 archive data 1840 string XhDr X1 archive data 185# CDC Codec (.dqt) 1860 belong&0xffffe000 0x76ff2000 CDC Codec archive data 187# AMGC 1880 string \xad6" AMGC archive data 189# NuLIB 1900 string N��F��l�� NuLIB archive data 191# PakLeo 1920 string LEOLZW PAKLeo archive data 193# ChArc 1940 string SChF ChArc archive data 195# PSA 1960 string PSA PSA archive data 197# CrossePAC 1980 string DSIGDCC CrossePAC archive data 199# Freeze 2000 string \x1f\x9f\x4a\x10\x0a Freeze archive data 201# KBoom 2020 string ��MP�� KBoom archive data 203# NSQ, must go after CDC Codec 2040 string \x76\xff NSQ archive data 205# DPA 2060 string Dirk\ Paehl DPA archive data 207# BA 208# TODO: idarc says "bytes 0-2 == bytes 3-5" 209# TTComp 2100 string \0\6 TTComp archive data 211# ESP, could this conflict with Easy Software Products' (e.g.ESP ghostscript) documentation? 2120 string ESP ESP archive data 213# ZPack 2140 string \1ZPK\1 ZPack archive data 215# Sky 2160 string \xbc\x40 Sky archive data 217# UFA 2180 string UFA UFA archive data 219# Dry 2200 string =-H2O DRY archive data 221# FoxSQZ 2220 string FOXSQZ FoxSQZ archive data 223# AR7 2240 string ,AR7 AR7 archive data 225# PPMZ 2260 string PPMZ PPMZ archive data 227# MS Compress 2284 string \x88\xf0\x27 MS Compress archive data 229# updated by Joerg Jenderek 230>9 string \0 231>>0 string KWAJ 232>>>7 string \321\003 MS Compress archive data 233>>>>14 ulong >0 \b, original size: %ld bytes 234>>>>18 ubyte >0x65 235>>>>>18 string x \b, was %.8s 236>>>>>(10.b-4) string x \b.%.3s 237# MP3 (archiver, not lossy audio compression) 2380 string MP3\x1a MP3-Archiver archive data 239# ZET 2400 string OZ�� ZET archive data 241# TSComp 2420 string \x65\x5d\x13\x8c\x08\x01\x03\x00 TSComp archive data 243# ARQ 2440 string gW\4\1 ARQ archive data 245# Squash 2463 string OctSqu Squash archive data 247# Terse 2480 string \5\1\1\0 Terse archive data 249# PUCrunch 2500 string \x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 PUCrunch archive data 251# UHarc 2520 string UHA UHarc archive data 253# ABComp 2540 string \2AB ABComp archive data 2550 string \3AB2 ABComp archive data 256# CMP 2570 string CO\0 CMP archive data 258# Splint 2590 string \x93\xb9\x06 Splint archive data 260# InstallShield 2610 string \x13\x5d\x65\x8c InstallShield Z archive Data 262# Gather 2631 string GTH Gather archive data 264# BOA 2650 string BOA BOA archive data 266# RAX 2670 string ULEB\xa RAX archive data 268# Xtreme 2690 string ULEB\0 Xtreme archive data 270# Pack Magic 2710 string @��\1\0 Pack Magic archive data 272# BTS 2730 belong&0xfeffffff 0x1a034465 BTS archive data 274# ELI 5750 2750 string Ora\ ELI 5750 archive data 276# QFC 2770 string \x1aFC\x1a QFC archive data 2780 string \x1aQF\x1a QFC archive data 279# PRO-PACK 2800 string RNC PRO-PACK archive data 281# 777 2820 string 777 777 archive data 283# LZS221 2840 string sTaC LZS221 archive data 285# HPA 2860 string HPA HPA archive data 287# Arhangel 2880 string LG Arhangel archive data 289# EXP1, uses bzip2 2900 string 0123456789012345BZh EXP1 archive data 291# IMP 2920 string IMP\xa IMP archive data 293# NRV 2940 string \x00\x9E\x6E\x72\x76\xFF NRV archive data 295# Squish 2960 string \x73\xb2\x90\xf4 Squish archive data 297# Par 2980 string PHILIPP Par archive data 2990 string PAR Par archive data 300# HIT 3010 string UB HIT archive data 302# SBX 3030 belong&0xfffff000 0x53423000 SBX archive data 304# NaShrink 3050 string NSK NaShrink archive data 306# SAPCAR 3070 string #\ CAR\ archive\ header SAPCAR archive data 3080 string CAR\ 2.00RG SAPCAR archive data 309# Disintegrator 3100 string DST Disintegrator archive data 311# ASD 3120 string ASD ASD archive data 313# InstallShield CAB 3140 string ISc( InstallShield CAB 315# TOP4 3160 string T4\x1a TOP4 archive data 317# BatComp left out: sig looks like COM executable 318# so TODO: get real 4dos batcomp file and find sig 319# BlakHole 3200 string BH\5\7 BlakHole archive data 321# BIX 3220 string BIX0 BIX archive data 323# ChiefLZA 3240 string ChfLZ ChiefLZA archive data 325# Blink 3260 string Blink Blink archive data 327# Logitech Compress 3280 string \xda\xfa Logitech Compress archive data 329# ARS-Sfx (FIXME: really a SFX? then goto COM/EXE) 3301 string (C)\ STEPANYUK ARS-Sfx archive data 331# AKT/AKT32 3320 string AKT32 AKT32 archive data 3330 string AKT AKT archive data 334# NPack 3350 string MSTSM NPack archive data 336# PFT 3370 string \0\x50\0\x14 PFT archive data 338# SemOne 3390 string SEM SemOne archive data 340# PPMD 3410 string \x8f\xaf\xac\x84 PPMD archive data 342# FIZ 3430 string FIZ FIZ archive data 344# MSXiE 3450 belong&0xfffff0f0 0x4d530000 MSXiE archive data 346# DeepFreezer 3470 belong&0xfffffff0 0x797a3030 DeepFreezer archive data 348# DC 3490 string =<DC- DC archive data 350# TPac 3510 string \4TPAC\3 TPac archive data 352# Ai 3530 string Ai\1\1\0 Ai archive data 3540 string Ai\1\0\0 Ai archive data 355# Ai32 3560 string Ai\2\0 Ai32 archive data 3570 string Ai\2\1 Ai32 archive data 358# SBC 3590 string SBC SBC archive data 360# Ybs 3610 string YBS Ybs archive data 362# DitPack 3630 string \x9e\0\0 DitPack archive data 364# DMS 3650 string DMS! DMS archive data 366# EPC 3670 string \x8f\xaf\xac\x8c EPC archive data 368# VSARC 3690 string VS\x1a VSARC archive data 370# PDZ 3710 string PDZ PDZ archive data 372# ReDuq 3730 string rdqx ReDuq archive data 374# GCA 3750 string GCAX GCA archive data 376# PPMN 3770 string pN PPMN archive data 378# WinImage 3793 string WINIMAGE WinImage archive data 380# Compressia 3810 string CMP0CMP Compressia archive data 382# UHBC 3830 string UHB UHBC archive data 384# WinHKI 3850 string \x61\x5C\x04\x05 WinHKI archive data 386# WWPack data file 3870 string WWP WWPack archive data 388# BSN (BSA, PTS-DOS) 3890 string \xffBSG BSN archive data 3901 string \xffBSG BSN archive data 3913 string \xffBSG BSN archive data 3921 string \0\xae\2 BSN archive data 3931 string \0\xae\3 BSN archive data 3941 string \0\xae\7 BSN archive data 395# AIN 3960 string \x33\x18 AIN archive data 3970 string \x33\x17 AIN archive data 398# XPA32 3990 string xpa\0\1 XPA32 archive data 400# SZip (TODO: doesn't catch all versions) 4010 string SZ\x0a\4 SZip archive data 402# XPack DiskImage 4030 string jm XPack DiskImage archive data 404# XPack Data 4050 string xpa XPack archive data 406# XPack Single Data 4070 string ��\ jm XPack single archive data 408 409# TODO: missing due to unknown magic/magic at end of file: 410#DWC 411#ARG 412#ZAR 413#PC/3270 414#InstallIt 415#RKive 416#RK 417#XPack Diskimage 418 419# These were inspired by idarc, but actually verified 420# Dzip archiver (.dz) 4210 string DZ Dzip archive data 422>2 byte x \b, version %i 423>3 byte x \b.%i 424# ZZip archiver (.zz) 4250 string ZZ\ \0\0 ZZip archive data 4260 string ZZ0 ZZip archive data 427# PAQ archiver (.paq) 4280 string \xaa\x40\x5f\x77\x1f\xe5\x82\x0d PAQ archive data 4290 string PAQ PAQ archive data 430>3 byte&0xf0 0x30 431>>3 byte x (v%c) 432# JAR archiver (.j), this is the successor to ARJ, not Java's JAR (which is essentially ZIP) 4330xe string \x1aJar\x1b JAR (ARJ Software, Inc.) archive data 4340 string JARCS JAR (ARJ Software, Inc.) archive data 435 436# ARJ archiver (jason@jarthur.Claremont.EDU) 4370 leshort 0xea60 ARJ archive data 438>5 byte x \b, v%d, 439>8 byte &0x04 multi-volume, 440>8 byte &0x10 slash-switched, 441>8 byte &0x20 backup, 442>34 string x original name: %s, 443>7 byte 0 os: MS-DOS 444>7 byte 1 os: PRIMOS 445>7 byte 2 os: Unix 446>7 byte 3 os: Amiga 447>7 byte 4 os: Macintosh 448>7 byte 5 os: OS/2 449>7 byte 6 os: Apple ][ GS 450>7 byte 7 os: Atari ST 451>7 byte 8 os: NeXT 452>7 byte 9 os: VAX/VMS 453>3 byte >0 %d] 454# [JW] idarc says this is also possible 4552 leshort 0xea60 ARJ archive data 456 457# HA archiver (Greg Roelofs, newt@uchicago.edu) 458# This is a really bad format. A file containing HAWAII will match this... 459#0 string HA HA archive data, 460#>2 leshort =1 1 file, 461#>2 leshort >1 %u files, 462#>4 byte&0x0f =0 first is type CPY 463#>4 byte&0x0f =1 first is type ASC 464#>4 byte&0x0f =2 first is type HSC 465#>4 byte&0x0f =0x0e first is type DIR 466#>4 byte&0x0f =0x0f first is type SPECIAL 467# suggestion: at least identify small archives (<1024 files) 4680 belong&0xffff00fc 0x48410000 HA archive data 469>2 leshort =1 1 file, 470>2 leshort >1 %u files, 471>4 byte&0x0f =0 first is type CPY 472>4 byte&0x0f =1 first is type ASC 473>4 byte&0x0f =2 first is type HSC 474>4 byte&0x0f =0x0e first is type DIR 475>4 byte&0x0f =0x0f first is type SPECIAL 476 477# HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz) 4780 string HPAK HPACK archive data 479 480# JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net
|
482>7 string >\0 version %.4s 483>0x26 byte =0x27 - 484>>0x2b string >\0 label %.11s, 485>>0x27 lelong x serial %08x, 486>>0x36 string >\0 fstype %.8s 487 488# LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu) 4892 string -lh0- LHarc 1.x/ARX archive data [lh0] 4902 string -lh1- LHarc 1.x/ARX archive data [lh1] 4912 string -lz4- LHarc 1.x archive data [lz4] 4922 string -lz5- LHarc 1.x archive data [lz5] 493# [never seen any but the last; -lh4- reported in comp.compression:] 4942 string -lzs- LHa/LZS archive data [lzs] 4952 string -lh\40- LHa 2.x? archive data [lh ] 4962 string -lhd- LHa 2.x? archive data [lhd] 4972 string -lh2- LHa 2.x? archive data [lh2] 4982 string -lh3- LHa 2.x? archive data [lh3] 4992 string -lh4- LHa (2.x) archive data [lh4] 5002 string -lh5- LHa (2.x) archive data [lh5] 5012 string -lh6- LHa (2.x) archive data [lh6] 5022 string -lh7- LHa (2.x)/LHark archive data [lh7] 503>20 byte x - header level %d 504# taken from idarc [JW] 5052 string -lZ PUT archive data 5062 string -lz LZS archive data 5072 string -sw1- Swag archive data 508 509# RAR archiver (Greg Roelofs, newt@uchicago.edu) 5100 string Rar! RAR archive data, 511>44 byte x v%0x, 512>10 byte >0 flags: 513>>10 byte &0x01 Archive volume, 514>>10 byte &0x02 Commented, 515>>10 byte &0x04 Locked, 516>>10 byte &0x08 Solid, 517>>10 byte &0x20 Authenticated, 518>35 byte 0 os: MS-DOS 519>35 byte 1 os: OS/2 520>35 byte 2 os: Win32 521>35 byte 3 os: Unix 522# some old version? idarc says: 5230 string RE\x7e\x5e RAR archive data 524 525# SQUISH archiver (Greg Roelofs, newt@uchicago.edu) 5260 string SQSH squished archive data (Acorn RISCOS) 527 528# UC2 archiver (Greg Roelofs, newt@uchicago.edu) 529# [JW] see exe section for self-extracting version 5300 string UC2\x1a UC2 archive data 531 532# ZIP archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) 5330 string PK\003\004 534>4 byte 0x09 Zip archive data, at least v0.9 to extract 535>4 byte 0x0a Zip archive data, at least v1.0 to extract 536>4 byte 0x0b Zip archive data, at least v1.1 to extract 537>4 byte 0x14 538>>30 ubelong !0x6d696d65 Zip archive data, at least v2.0 to extract 539>0x161 string WINZIP Zip archive data, WinZIP self-extracting 540 541 542# OpenOffice.org / KOffice / StarOffice documents 543# From: Abel Cheung <abel@oaka.org> 544# Listed here because they are basically zip files 545>>30 string mimetype 546 547# KOffice (1.2 or above) formats 548>>>50 string vnd.kde. KOffice (>=1.2) 549>>>>58 string karbon Karbon document 550>>>>58 string kchart KChart document 551>>>>58 string kformula KFormula document 552>>>>58 string kivio Kivio document 553>>>>58 string kontour Kontour document 554>>>>58 string kpresenter KPresenter document 555>>>>58 string kspread KSpread document 556>>>>58 string kword KWord document 557 558# OpenOffice formats (for OpenOffice 1.x / StarOffice 6/7) 559>>>50 string vnd.sun.xml. OpenOffice.org 1.x 560>>>>62 string writer Writer 561>>>>>68 byte !0x2e document 562>>>>>68 string .template template 563>>>>>68 string .global global document 564>>>>62 string calc Calc 565>>>>>66 byte !0x2e spreadsheet 566>>>>>66 string .template template 567>>>>62 string draw Draw 568>>>>>66 byte !0x2e document 569>>>>>66 string .template template 570>>>>62 string impress Impress 571>>>>>69 byte !0x2e presentation 572>>>>>69 string .template template 573>>>>62 string math Math document 574 575# OpenDocument formats (for OpenOffice 2.x / StarOffice >= 8) 576# http://lists.oasis-open.org/archives/office/200505/msg00006.html 577>>>50 string vnd.oasis.opendocument. OpenDocument 578>>>>73 string text 579>>>>>77 byte !0x2d Text 580>>>>>77 string -template Text Template 581>>>>>77 string -web HTML Document Template 582>>>>>77 string -master Master Document 583>>>>73 string graphics Drawing 584>>>>>81 string -template Template 585>>>>73 string presentation Presentation 586>>>>>85 string -template Template 587>>>>73 string spreadsheet Spreadsheet 588>>>>>84 string -template Template 589>>>>73 string chart Chart 590>>>>>78 string -template Template 591>>>>73 string formula Formula 592>>>>>80 string -template Template 593>>>>73 string database Database 594>>>>73 string image Image 595 596# Zoo archiver 59720 lelong 0xfdc4a7dc Zoo archive data 598>4 byte >48 \b, v%c. 599>>6 byte >47 \b%c 600>>>7 byte >47 \b%c 601>32 byte >0 \b, modify: v%d 602>>33 byte x \b.%d+ 603>42 lelong 0xfdc4a7dc \b, 604>>70 byte >0 extract: v%d 605>>>71 byte x \b.%d+ 606 607# Shell archives 60810 string #\ This\ is\ a\ shell\ archive shell archive text 609 610# 611# LBR. NB: May conflict with the questionable 612# "binary Computer Graphics Metafile" format. 613# 6140 string \0\ \ \ \ \ \ \ \ \ \ \ \0\0 LBR archive data 615# 616# PMA (CP/M derivative of LHA) 617# 6182 string -pm0- PMarc archive data [pm0] 6192 string -pm1- PMarc archive data [pm1] 6202 string -pm2- PMarc archive data [pm2] 6212 string -pms- PMarc SFX archive (CP/M, DOS) 6225 string -pc1- PopCom compressed executable (CP/M) 623 624# From Rafael Laboissiere <rafael@laboissiere.net> 625# The Project Revision Control System (see 626# http://prcs.sourceforge.net) generates a packaged project 627# file which is recognized by the following entry: 6280 leshort 0xeb81 PRCS packaged project 629 630# Microsoft cabinets 631# by David Necas (Yeti) <yeti@physics.muni.cz> 632#0 string MSCF\0\0\0\0 Microsoft cabinet file data, 633#>25 byte x v%d 634#>24 byte x \b.%d 635# MPi: All CABs have version 1.3, so this is pointless. 636# Better magic in debian-additions. 637 638# GTKtalog catalogs 639# by David Necas (Yeti) <yeti@physics.muni.cz> 6404 string gtktalog\ GTKtalog catalog data, 641>13 string 3 version 3 642>>14 beshort 0x677a (gzipped) 643>>14 beshort !0x677a (not gzipped) 644>13 string >3 version %s 645 646############################################################################ 647# Parity archive reconstruction file, the 'par' file format now used on Usenet. 6480 string PAR\0 PARity archive data 649>48 leshort =0 - Index file 650>48 leshort >0 - file number %d 651 652# Felix von Leitner <felix-file@fefe.de> 6530 string d8:announce BitTorrent file 654 655# Atari MSA archive - Teemu Hukkanen <tjhukkan@iki.fi> 6560 beshort 0x0e0f Atari MSA archive data 657>2 beshort x \b, %d sectors per track 658>4 beshort 0 \b, 1 sided 659>4 beshort 1 \b, 2 sided 660>6 beshort x \b, starting track: %d 661>8 beshort x \b, ending track: %d 662 663# Alternate ZIP string (amc@arwen.cs.berkeley.edu) 6640 string PK00PK\003\004 Zip archive data 665 666# ACE archive (from http://www.wotsit.org/download.asp?f=ace) 667# by Stefan `Sec` Zehl <sec@42.org> 6687 string **ACE** ACE archive data 669>15 byte >0 version %d 670>16 byte =0x00 \b, from MS-DOS 671>16 byte =0x01 \b, from OS/2 672>16 byte =0x02 \b, from Win/32 673>16 byte =0x03 \b, from Unix 674>16 byte =0x04 \b, from MacOS 675>16 byte =0x05 \b, from WinNT 676>16 byte =0x06 \b, from Primos 677>16 byte =0x07 \b, from AppleGS 678>16 byte =0x08 \b, from Atari 679>16 byte =0x09 \b, from Vax/VMS 680>16 byte =0x0A \b, from Amiga 681>16 byte =0x0B \b, from Next 682>14 byte x \b, version %d to extract 683>5 leshort &0x0080 \b, multiple volumes, 684>>17 byte x \b (part %d), 685>5 leshort &0x0002 \b, contains comment 686>5 leshort &0x0200 \b, sfx 687>5 leshort &0x0400 \b, small dictionary 688>5 leshort &0x0800 \b, multi-volume 689>5 leshort &0x1000 \b, contains AV-String 690>>30 string \x16*UNREGISTERED\x20VERSION* (unregistered) 691>5 leshort &0x2000 \b, with recovery record 692>5 leshort &0x4000 \b, locked 693>5 leshort &0x8000 \b, solid 694# Date in MS-DOS format (whatever that is) 695#>18 lelong x Created on 696 697# sfArk : compression program for Soundfonts (sf2) by Dirk Jagdmann 698# <doj@cubic.org> 6990x1A string sfArk sfArk compressed Soundfont 700>0x15 string 2 701>>0x1 string >\0 Version %s 702>>0x2A string >\0 : %s 703 704# DR-DOS 7.03 Packed File *.??_ 7050 string Packed\ File\ Personal NetWare Packed File 706>12 string x \b, was "%.12s" 707 708# EET archive 709# From: Tilman Sauerbeck <tilman@code-monkey.de> 7100 belong 0x1ee7ff00 EET archive 711 712# rzip archives 7130 string RZIP rzip compressed data 714>4 byte x - version %d 715>5 byte x \b.%d 716>6 belong x (%d bytes) 717 718# From: "Robert Dale" <robdale@gmail.com> 7190 belong 123 dar archive, 720>4 belong x label "%.8x 721>>8 belong x %.8x 722>>>12 beshort x %.4x" 723>14 byte 0x54 end slice 724>14 beshort 0x4e4e multi-part 725>14 beshort 0x4e53 multi-part, with -S
| 482>7 string >\0 version %.4s 483>0x26 byte =0x27 - 484>>0x2b string >\0 label %.11s, 485>>0x27 lelong x serial %08x, 486>>0x36 string >\0 fstype %.8s 487 488# LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu) 4892 string -lh0- LHarc 1.x/ARX archive data [lh0] 4902 string -lh1- LHarc 1.x/ARX archive data [lh1] 4912 string -lz4- LHarc 1.x archive data [lz4] 4922 string -lz5- LHarc 1.x archive data [lz5] 493# [never seen any but the last; -lh4- reported in comp.compression:] 4942 string -lzs- LHa/LZS archive data [lzs] 4952 string -lh\40- LHa 2.x? archive data [lh ] 4962 string -lhd- LHa 2.x? archive data [lhd] 4972 string -lh2- LHa 2.x? archive data [lh2] 4982 string -lh3- LHa 2.x? archive data [lh3] 4992 string -lh4- LHa (2.x) archive data [lh4] 5002 string -lh5- LHa (2.x) archive data [lh5] 5012 string -lh6- LHa (2.x) archive data [lh6] 5022 string -lh7- LHa (2.x)/LHark archive data [lh7] 503>20 byte x - header level %d 504# taken from idarc [JW] 5052 string -lZ PUT archive data 5062 string -lz LZS archive data 5072 string -sw1- Swag archive data 508 509# RAR archiver (Greg Roelofs, newt@uchicago.edu) 5100 string Rar! RAR archive data, 511>44 byte x v%0x, 512>10 byte >0 flags: 513>>10 byte &0x01 Archive volume, 514>>10 byte &0x02 Commented, 515>>10 byte &0x04 Locked, 516>>10 byte &0x08 Solid, 517>>10 byte &0x20 Authenticated, 518>35 byte 0 os: MS-DOS 519>35 byte 1 os: OS/2 520>35 byte 2 os: Win32 521>35 byte 3 os: Unix 522# some old version? idarc says: 5230 string RE\x7e\x5e RAR archive data 524 525# SQUISH archiver (Greg Roelofs, newt@uchicago.edu) 5260 string SQSH squished archive data (Acorn RISCOS) 527 528# UC2 archiver (Greg Roelofs, newt@uchicago.edu) 529# [JW] see exe section for self-extracting version 5300 string UC2\x1a UC2 archive data 531 532# ZIP archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu) 5330 string PK\003\004 534>4 byte 0x09 Zip archive data, at least v0.9 to extract 535>4 byte 0x0a Zip archive data, at least v1.0 to extract 536>4 byte 0x0b Zip archive data, at least v1.1 to extract 537>4 byte 0x14 538>>30 ubelong !0x6d696d65 Zip archive data, at least v2.0 to extract 539>0x161 string WINZIP Zip archive data, WinZIP self-extracting 540 541 542# OpenOffice.org / KOffice / StarOffice documents 543# From: Abel Cheung <abel@oaka.org> 544# Listed here because they are basically zip files 545>>30 string mimetype 546 547# KOffice (1.2 or above) formats 548>>>50 string vnd.kde. KOffice (>=1.2) 549>>>>58 string karbon Karbon document 550>>>>58 string kchart KChart document 551>>>>58 string kformula KFormula document 552>>>>58 string kivio Kivio document 553>>>>58 string kontour Kontour document 554>>>>58 string kpresenter KPresenter document 555>>>>58 string kspread KSpread document 556>>>>58 string kword KWord document 557 558# OpenOffice formats (for OpenOffice 1.x / StarOffice 6/7) 559>>>50 string vnd.sun.xml. OpenOffice.org 1.x 560>>>>62 string writer Writer 561>>>>>68 byte !0x2e document 562>>>>>68 string .template template 563>>>>>68 string .global global document 564>>>>62 string calc Calc 565>>>>>66 byte !0x2e spreadsheet 566>>>>>66 string .template template 567>>>>62 string draw Draw 568>>>>>66 byte !0x2e document 569>>>>>66 string .template template 570>>>>62 string impress Impress 571>>>>>69 byte !0x2e presentation 572>>>>>69 string .template template 573>>>>62 string math Math document 574 575# OpenDocument formats (for OpenOffice 2.x / StarOffice >= 8) 576# http://lists.oasis-open.org/archives/office/200505/msg00006.html 577>>>50 string vnd.oasis.opendocument. OpenDocument 578>>>>73 string text 579>>>>>77 byte !0x2d Text 580>>>>>77 string -template Text Template 581>>>>>77 string -web HTML Document Template 582>>>>>77 string -master Master Document 583>>>>73 string graphics Drawing 584>>>>>81 string -template Template 585>>>>73 string presentation Presentation 586>>>>>85 string -template Template 587>>>>73 string spreadsheet Spreadsheet 588>>>>>84 string -template Template 589>>>>73 string chart Chart 590>>>>>78 string -template Template 591>>>>73 string formula Formula 592>>>>>80 string -template Template 593>>>>73 string database Database 594>>>>73 string image Image 595 596# Zoo archiver 59720 lelong 0xfdc4a7dc Zoo archive data 598>4 byte >48 \b, v%c. 599>>6 byte >47 \b%c 600>>>7 byte >47 \b%c 601>32 byte >0 \b, modify: v%d 602>>33 byte x \b.%d+ 603>42 lelong 0xfdc4a7dc \b, 604>>70 byte >0 extract: v%d 605>>>71 byte x \b.%d+ 606 607# Shell archives 60810 string #\ This\ is\ a\ shell\ archive shell archive text 609 610# 611# LBR. NB: May conflict with the questionable 612# "binary Computer Graphics Metafile" format. 613# 6140 string \0\ \ \ \ \ \ \ \ \ \ \ \0\0 LBR archive data 615# 616# PMA (CP/M derivative of LHA) 617# 6182 string -pm0- PMarc archive data [pm0] 6192 string -pm1- PMarc archive data [pm1] 6202 string -pm2- PMarc archive data [pm2] 6212 string -pms- PMarc SFX archive (CP/M, DOS) 6225 string -pc1- PopCom compressed executable (CP/M) 623 624# From Rafael Laboissiere <rafael@laboissiere.net> 625# The Project Revision Control System (see 626# http://prcs.sourceforge.net) generates a packaged project 627# file which is recognized by the following entry: 6280 leshort 0xeb81 PRCS packaged project 629 630# Microsoft cabinets 631# by David Necas (Yeti) <yeti@physics.muni.cz> 632#0 string MSCF\0\0\0\0 Microsoft cabinet file data, 633#>25 byte x v%d 634#>24 byte x \b.%d 635# MPi: All CABs have version 1.3, so this is pointless. 636# Better magic in debian-additions. 637 638# GTKtalog catalogs 639# by David Necas (Yeti) <yeti@physics.muni.cz> 6404 string gtktalog\ GTKtalog catalog data, 641>13 string 3 version 3 642>>14 beshort 0x677a (gzipped) 643>>14 beshort !0x677a (not gzipped) 644>13 string >3 version %s 645 646############################################################################ 647# Parity archive reconstruction file, the 'par' file format now used on Usenet. 6480 string PAR\0 PARity archive data 649>48 leshort =0 - Index file 650>48 leshort >0 - file number %d 651 652# Felix von Leitner <felix-file@fefe.de> 6530 string d8:announce BitTorrent file 654 655# Atari MSA archive - Teemu Hukkanen <tjhukkan@iki.fi> 6560 beshort 0x0e0f Atari MSA archive data 657>2 beshort x \b, %d sectors per track 658>4 beshort 0 \b, 1 sided 659>4 beshort 1 \b, 2 sided 660>6 beshort x \b, starting track: %d 661>8 beshort x \b, ending track: %d 662 663# Alternate ZIP string (amc@arwen.cs.berkeley.edu) 6640 string PK00PK\003\004 Zip archive data 665 666# ACE archive (from http://www.wotsit.org/download.asp?f=ace) 667# by Stefan `Sec` Zehl <sec@42.org> 6687 string **ACE** ACE archive data 669>15 byte >0 version %d 670>16 byte =0x00 \b, from MS-DOS 671>16 byte =0x01 \b, from OS/2 672>16 byte =0x02 \b, from Win/32 673>16 byte =0x03 \b, from Unix 674>16 byte =0x04 \b, from MacOS 675>16 byte =0x05 \b, from WinNT 676>16 byte =0x06 \b, from Primos 677>16 byte =0x07 \b, from AppleGS 678>16 byte =0x08 \b, from Atari 679>16 byte =0x09 \b, from Vax/VMS 680>16 byte =0x0A \b, from Amiga 681>16 byte =0x0B \b, from Next 682>14 byte x \b, version %d to extract 683>5 leshort &0x0080 \b, multiple volumes, 684>>17 byte x \b (part %d), 685>5 leshort &0x0002 \b, contains comment 686>5 leshort &0x0200 \b, sfx 687>5 leshort &0x0400 \b, small dictionary 688>5 leshort &0x0800 \b, multi-volume 689>5 leshort &0x1000 \b, contains AV-String 690>>30 string \x16*UNREGISTERED\x20VERSION* (unregistered) 691>5 leshort &0x2000 \b, with recovery record 692>5 leshort &0x4000 \b, locked 693>5 leshort &0x8000 \b, solid 694# Date in MS-DOS format (whatever that is) 695#>18 lelong x Created on 696 697# sfArk : compression program for Soundfonts (sf2) by Dirk Jagdmann 698# <doj@cubic.org> 6990x1A string sfArk sfArk compressed Soundfont 700>0x15 string 2 701>>0x1 string >\0 Version %s 702>>0x2A string >\0 : %s 703 704# DR-DOS 7.03 Packed File *.??_ 7050 string Packed\ File\ Personal NetWare Packed File 706>12 string x \b, was "%.12s" 707 708# EET archive 709# From: Tilman Sauerbeck <tilman@code-monkey.de> 7100 belong 0x1ee7ff00 EET archive 711 712# rzip archives 7130 string RZIP rzip compressed data 714>4 byte x - version %d 715>5 byte x \b.%d 716>6 belong x (%d bytes) 717 718# From: "Robert Dale" <robdale@gmail.com> 7190 belong 123 dar archive, 720>4 belong x label "%.8x 721>>8 belong x %.8x 722>>>12 beshort x %.4x" 723>14 byte 0x54 end slice 724>14 beshort 0x4e4e multi-part 725>14 beshort 0x4e53 multi-part, with -S
|