Problems with file detecting non-ASCII characters
Christos Zoulas
christos at zoulas.com
Wed Nov 21 15:50:21 EET 2007
On Nov 21, 10:42am, Andreas.Kasenides at cs.ucy.ac.cy (Andreas Kasenides) wrote:
-- Subject: Problems with file detecting non-ASCII characters
| Hi all.
| I am using MailScanner as part of our email services which uses "file"
| to detect (and thus reject) any potentially malicious file attachments
| to email messages (such as .exe .com etc.). Unfortunately "file" will
| also mark some purely text messages as "COM executable for DOS"
| resulting in MailScanner rejecting the messages. This is not good at all.
With the head code from cvs I am getting:
$ file test
test: UTF-8 Unicode text
Here are the current magic diffs from 4.21...
christos
Index: animation
===================================================================
RCS file: /p/file/cvsroot/file/magic/Magdir/animation,v
retrieving revision 1.19
retrieving revision 1.21
diff -u -r1.19 -r1.21
--- animation 14 Jan 2007 18:48:41 -0000 1.19
+++ animation 8 Nov 2007 00:31:37 -0000 1.21
@@ -678,3 +678,14 @@
>0x21 byte x v%x
0 string DVDVIDEO-VMG Video manager,
>0x21 byte x v%x
+
+# From: Behan Webster <behanw at websterwood.com>
+# NuppelVideo used by Mythtv (*.nuv)
+0 regex NuppelVideo|MythTVVideo MythTV NuppelVideo
+>12 string x v%s
+>20 lelong x (%d
+>24 lelong x \bx%d),
+>36 string P \bprogressive,
+>36 string I \binterlaced,
+>40 ledouble x \baspect:%.2f,
+>48 ledouble x \bfps:%.2f
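Review bot: the `0 regex NuppelVideo|MythTVVideo` test is not anchored, so it can match either word wherever it occurs in the data the regex runs over rather than only at the start of the file; the commands change later in this same patch disables an awk regex for exactly that reason (`/EBEGIN{` in PostScript). Two `0 string` tests, one per magic word, would pin the match to offset 0 and keep the dependent offsets (12, 20, 24, 36, 40, 48) meaningful.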
Index: apple
===================================================================
RCS file: /p/file/cvsroot/file/magic/Magdir/apple,v
retrieving revision 1.15
retrieving revision 1.17
diff -u -r1.15 -r1.17
--- apple 2 Mar 2006 22:10:26 -0000 1.15
+++ apple 7 Nov 2007 22:10:13 -0000 1.17
@@ -189,3 +189,40 @@
>0 byte <5 \b
>>13 byte 0x81 \b
>>>14 uleshort x \b, system %hd
+
+#------------------------------------------------------------------------------
+# CAF: Apple CoreAudio File Format
+#
+# Container format for high-end audio purposes.
+# From: David Remahl <dremahl at apple.com>
+#
+0 string caff CoreAudio Format audio file
+>4 beshort <10 version %d
+>6 beshort x
+
+
+#------------------------------------------------------------------------------
+# Keychain database files
+0 string kych Mac OS X Keychain File
+
+#------------------------------------------------------------------------------
+# Code Signing related file types
+0 belong 0xfade0c00 Mac OS X Code Requirement
+>8 belong 1 (opExpr)
+>4 belong x - %d bytes
+
+0 belong 0xfade0c01 Mac OS X Code Requirement Set
+>8 belong >1 containing %d items
+>4 belong x - %d bytes
+
+0 belong 0xfade0c02 Mac OS X Code Directory
+>8 belong x version %x
+>12 belong >0 flags 0x%x
+>4 belong x - %d bytes
+
+0 belong 0xfade0cc0 Mac OS X Detached Code Signature (non-executable)
+>4 belong x - %d bytes
+
+0 belong 0xfade0cc1 Mac OS X Detached Code Signature
+>8 belong >1 (%d elements)
+>4 belong x - %d bytes
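Review bot: `>6 beshort x` under the `caff` entry has no description, so it always matches and prints nothing; drop it or give it a message naming the field it reads. The `kych` entry is a bare four-byte ASCII string with no secondary test, which is the kind of rule that can label ordinary text as a binary type; a confirming field check would make it safer for filters that act on the description.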
Index: archive
===================================================================
RCS file: /p/file/cvsroot/file/magic/Magdir/archive,v
retrieving revision 1.36
retrieving revision 1.42
diff -u -r1.36 -r1.42
--- archive 3 Apr 2007 21:12:26 -0000 1.36
+++ archive 8 Nov 2007 00:31:37 -0000 1.42
@@ -531,6 +531,7 @@
# ZIP archives (Greg Roelofs, c/o zip-bugs at wkuvx1.wku.edu)
0 string PK\003\004
+>4 byte 0x00 Zip archive data
>4 byte 0x09 Zip archive data, at least v0.9 to extract
>4 byte 0x0a Zip archive data, at least v1.0 to extract
>4 byte 0x0b Zip archive data, at least v1.1 to extract
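Review bot: the new `>4 byte 0x00` line prints plain `Zip archive data` with no version text, unlike its siblings, and nothing says which producer writes a version byte of 0; a one-line comment would help. Any value missing from the list still leaves `PK\003\004` with no description at all, so a default line would be more robust than adding values one at a time.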
@@ -731,3 +732,15 @@
>4 lelong 0x1000006D (EPOC release 3/4/5)
>4 lelong 0x10003A12 (EPOC release 6)
0 lelong 0x10201A7A Symbian installation file (Symbian OS 9.x)
+
+# Pack200 Java archives, http://jcp.org/en/jsr/detail?id=200
+0 belong 0xcafed00d Pack200 Java archive
+
+# From "Nelson A. de Oliveira" <naoliv at gmail.com>
+0 string MPQ\032 MoPaQ (MPQ) archive
+
+# From: Dirk Jagdmann <doj at cubic.org>
+# xar archive format: http://code.google.com/p/xar/
+0 string xar! xar archive
+>6 beshort x - version %ld
+
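Review bot: `>6 beshort x - version %ld` in the xar entry formats a 16-bit `beshort` with `%ld`; the other numeric lines in this patch use `%d`, `%u` or `%x`, so use `%d` here. The trailing blank `+` line at the end of the file can be dropped.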
Index: audio
===================================================================
RCS file: /p/file/cvsroot/file/magic/Magdir/audio,v
retrieving revision 1.45
retrieving revision 1.47
diff -u -r1.45 -r1.47
--- audio 13 Mar 2007 13:59:13 -0000 1.45
+++ audio 2 Nov 2007 15:51:57 -0000 1.47
@@ -556,3 +556,10 @@
# From: Matthew Flaschen <matthew.flaschen at gatech.edu>
0 string #EXTM3U M3U playlist text
+# From: "Mateus Caruccio" <mateus at caruccio.com>
+# guitar pro v3,4,5 from http://filext.com/file-extension/gp3
+0 string \030FICHIER\ GUITAR\ PRO\ v3. Guitar Pro Ver. 3 Tablature
+
+# From: "Leslie P. Polzer" <leslie.polzer at gmx.net>
+60 string SONG SoundFX Module sound file
+
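Review bot: `60 string SONG` is a four-letter uppercase ASCII word at a fixed offset with no further test, so any text file that happens to have SONG at byte 60 is reported as `SoundFX Module sound file`; that is the same class of false positive this thread is about. Add a second test on a header field before accepting it. The Guitar Pro comment says v3,4,5 but only the `v3.` string is matched.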
Index: commands
===================================================================
RCS file: /p/file/cvsroot/file/magic/Magdir/commands,v
retrieving revision 1.27
retrieving revision 1.28
diff -u -r1.27 -r1.28
--- commands 19 Jan 2007 19:53:18 -0000 1.27
+++ commands 1 Jun 2007 19:40:57 -0000 1.28
@@ -28,7 +28,8 @@
0 string/b #!\ /bin/awk awk script text executable
0 string/b #!\ /usr/bin/awk awk script text executable
# update to distinguish from *.vcf files
-0 regex BEGIN[[:space:]]*[{] awk script text
+# this is broken because postscript has /EBEGIN{ for example.
+#0 regex BEGIN[[:space:]]*[{] awk script text
# AT&T Bell Labs' Plan 9 shell
0 string/b #!\ /bin/rc Plan 9 rc shell script text executable
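Review bot: commenting the regex out removes all detection of awk scripts that lack a `#!` line, and the surviving comment `# update to distinguish from *.vcf files` now describes a rule that no longer exists. If the problem is only that `BEGIN` matches mid-token (`/EBEGIN{`), consider keeping the rule with the pattern anchored to the start of a line; otherwise delete the stale comment along with the rule.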
Index: console
===================================================================
RCS file: /p/file/cvsroot/file/magic/Magdir/console,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- console 18 Mar 2007 21:45:47 -0000 1.10
+++ console 26 Sep 2007 20:45:26 -0000 1.11
@@ -191,3 +191,64 @@
0 string PPF10 Playstation Patch File version 1.0
>5 byte 0 \b, Simple Encoding
>6 string x \b, description: %s
+
+# From: Daniel Dawson <ddawson at icehouse.net>
+# SNES9x .smv "movie" file format.
+0 string SMV\x1A SNES9x input recording
+>0x4 lelong x \b, version %d
+# version 4 is latest so far
+>0x4 lelong <5
+>>0x8 ledate x \b, recorded at %s
+>>0xc lelong >0 \b, rerecorded %d times
+>>0x10 lelong x \b, %d frames long
+>>0x14 byte >0 \b, data for controller(s):
+>>>0x14 byte &0x1 #1
+>>>0x14 byte &0x2 #2
+>>>0x14 byte &0x4 #3
+>>>0x14 byte &0x8 #4
+>>>0x14 byte &0x10 #5
+>>0x15 byte ^0x1 \b, begins from snapshot
+>>0x15 byte &0x1 \b, begins from reset
+>>0x15 byte ^0x2 \b, NTSC standard
+>>0x15 byte &0x2 \b, PAL standard
+>>0x17 byte &0x1 \b, settings:
+# WIP1Timing not used as of version 4
+>>>0x4 lelong <4
+>>>>0x17 byte &0x2 WIP1Timing
+>>>0x17 byte &0x4 Left+Right
+>>>0x17 byte &0x8 VolumeEnvX
+>>>0x17 byte &0x10 FakeMute
+>>>0x17 byte &0x20 SyncSound
+# New flag as of version 4
+>>>0x4 lelong >3
+>>>>0x17 byte &0x80 NoCPUShutdown
+>>0x4 lelong <4
+>>>0x18 lelong >0x23
+>>>>0x20 leshort !0
+>>>>>0x20 lestring16 x \b, metadata: "%s"
+>>0x4 lelong >3
+>>>0x24 byte >0 \b, port 1:
+>>>>0x24 byte 1 joypad
+>>>>0x24 byte 2 mouse
+>>>>0x24 byte 3 SuperScope
+>>>>0x24 byte 4 Justifier
+>>>>0x24 byte 5 multitap
+>>>0x24 byte >0 \b, port 2:
+>>>>0x25 byte 1 joypad
+>>>>0x25 byte 2 mouse
+>>>>0x25 byte 3 SuperScope
+>>>>0x25 byte 4 Justifier
+>>>>0x25 byte 5 multitap
+>>>0x18 lelong >0x43
+>>>>0x40 leshort !0
+>>>>>0x40 lestring16 x \b, metadata: "%s"
+>>0x17 byte &0x40 \b, ROM:
+>>>(0x18.l-26) lelong x CRC32 0x%08x
+>>>(0x18.l-23) string x "%s"
+
+# From: "Nelson A. de Oliveira" <naoliv at gmail.com>
+# .w3g
+0 string Warcraft\ III\ recorded\ game %s
+# .w3m
+0 string HM3W Warcraft III map file
+
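Review bot: the `port 2` header tests the wrong byte: `>>>0x24 byte >0 \b, port 2:` reads offset 0x24, the port 1 field, while its children read 0x25. As written, `port 2:` is printed whenever port 1 is non-zero, even if 0x25 is 0 and no device name follows; the header should be `>>>0x25 byte >0`. Separately, `0 string Warcraft\ III\ recorded\ game %s` echoes the matched string as the whole description, which reads oddly next to `HM3W Warcraft III map file`.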
Index: database
===================================================================
RCS file: /p/file/cvsroot/file/magic/Magdir/database,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- database 22 Jan 2007 06:40:50 -0000 1.16
+++ database 1 Jul 2007 23:43:26 -0000 1.17
@@ -210,3 +210,13 @@
16 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
17 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
18 string MIT-MAGIC-COOKIE-1 X11 Xauthority data
+
+# From: Maxime Henrion <mux at FreeBSD.org>
+# PostgreSQL's custom dump format, Maxime Henrion <mux at FreeBSD.org>
+0 string PGDMP PostgreSQL custom database dump
+>5 byte x - v%d
+>6 byte x \b.%d
+>5 beshort <=0x100 \b-0
+>5 beshort >0x100
+>>7 byte x \b-%d
+
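Review bot: `>5 beshort <=0x100` uses `<=`, an operator that no other test in this patch uses (they use `<`, `>`, `!`, `&`, `^`); `<0x101` states the same bound with an operator that is used throughout. The two comment lines above the entry both credit Maxime Henrion; one is enough.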
Index: elf
===================================================================
RCS file: /p/file/cvsroot/file/magic/Magdir/elf,v
retrieving revision 1.40
retrieving revision 1.42
diff -u -r1.40 -r1.42
--- elf 2 Mar 2007 17:40:58 -0000 1.40
+++ elf 19 Nov 2007 19:26:17 -0000 1.42
@@ -51,10 +51,10 @@
>>>>36 lelong&0xf0000000 0x20000000 MIPS-III
>>>>36 lelong&0xf0000000 0x30000000 MIPS-IV
>>>>36 lelong&0xf0000000 0x40000000 MIPS-V
->>>>36 lelong&0xf0000000 0x60000000 MIPS32
->>>>36 lelong&0xf0000000 0x70000000 MIPS64
->>>>36 lelong&0xf0000000 0x80000000 MIPS32 rel2
->>>>36 lelong&0xf0000000 0x90000000 MIPS64 rel2
+>>>>36 lelong&0xf0000000 0x50000000 MIPS32
+>>>>36 lelong&0xf0000000 0x60000000 MIPS64
+>>>>36 lelong&0xf0000000 0x70000000 MIPS32 rel2
+>>>>36 lelong&0xf0000000 0x80000000 MIPS64 rel2
# only for 64-bit
>>>4 byte 2
>>>>48 lelong&0xf0000000 0x00000000 MIPS-I
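Review bot: the corrected architecture values (`0x50000000` MIPS32 through `0x80000000` MIPS64 rel2) carry no comment saying which header they were taken from, and the same four lines are repeated in all four MIPS blocks (offsets 36 and 48, `lelong` and `belong`). A reference next to the first block would let the next reader verify them. Since `0x60000000` and `0x70000000` change meaning, objects previously described as MIPS32 or MIPS64 will now print a different architecture, which deserves a changelog line for anyone matching on the output.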
@@ -62,10 +62,10 @@
>>>>48 lelong&0xf0000000 0x20000000 MIPS-III
>>>>48 lelong&0xf0000000 0x30000000 MIPS-IV
>>>>48 lelong&0xf0000000 0x40000000 MIPS-V
->>>>48 lelong&0xf0000000 0x60000000 MIPS32
->>>>48 lelong&0xf0000000 0x70000000 MIPS64
->>>>48 lelong&0xf0000000 0x80000000 MIPS32 rel2
->>>>48 lelong&0xf0000000 0x90000000 MIPS64 rel2
+>>>>48 lelong&0xf0000000 0x50000000 MIPS32
+>>>>48 lelong&0xf0000000 0x60000000 MIPS64
+>>>>48 lelong&0xf0000000 0x70000000 MIPS32 rel2
+>>>>48 lelong&0xf0000000 0x80000000 MIPS64 rel2
>>18 leshort 9 Amdahl - invalid byte order,
>>18 leshort 10 MIPS (deprecated),
>>18 leshort 11 RS6000 - invalid byte order,
@@ -139,10 +139,10 @@
>>>>36 belong&0xf0000000 0x20000000 MIPS-III
>>>>36 belong&0xf0000000 0x30000000 MIPS-IV
>>>>36 belong&0xf0000000 0x40000000 MIPS-V
->>>>36 belong&0xf0000000 0x60000000 MIPS32
->>>>36 belong&0xf0000000 0x70000000 MIPS64
->>>>36 belong&0xf0000000 0x80000000 MIPS32 rel2
->>>>36 belong&0xf0000000 0x90000000 MIPS64 rel2
+>>>>36 belong&0xf0000000 0x50000000 MIPS32
+>>>>36 belong&0xf0000000 0x60000000 MIPS64
+>>>>36 belong&0xf0000000 0x70000000 MIPS32 rel2
+>>>>36 belong&0xf0000000 0x80000000 MIPS64 rel2
# only for 64-bit
>>>4 byte 2
>>>>48 belong&0xf0000000 0x00000000 MIPS-I
@@ -150,10 +150,10 @@
>>>>48 belong&0xf0000000 0x20000000 MIPS-III
>>>>48 belong&0xf0000000 0x30000000 MIPS-IV
>>>>48 belong&0xf0000000 0x40000000 MIPS-V
->>>>48 belong&0xf0000000 0x60000000 MIPS32
->>>>48 belong&0xf0000000 0x70000000 MIPS64
->>>>48 belong&0xf0000000 0x80000000 MIPS32 rel2
->>>>48 belong&0xf0000000 0x90000000 MIPS64 rel2
+>>>>48 belong&0xf0000000 0x50000000 MIPS32
+>>>>48 belong&0xf0000000 0x60000000 MIPS64
+>>>>48 belong&0xf0000000 0x70000000 MIPS32 rel2
+>>>>48 belong&0xf0000000 0x80000000 MIPS64 rel2
>>18 beshort 9 Amdahl,
>>18 beshort 10 MIPS (deprecated),
>>18 beshort 11 RS6000,
@@ -196,6 +196,7 @@
>>18 beshort 88 Renesas M32R,
>>18 beshort 94 Tensilica Xtensa,
>>18 beshort 97 NatSemi 32k,
+>>18 beshort 0x18ad AVR32 (unofficial),
>>18 beshort 0x9026 Alpha (unofficial),
>>18 beshort 0xa390 IBM S/390 (obsolete),
>>20 belong 0 invalid version
Index: filesystems
===================================================================
RCS file: /p/file/cvsroot/file/magic/Magdir/filesystems,v
retrieving revision 1.32
retrieving revision 1.35
diff -u -r1.32 -r1.35
--- filesystems 16 May 2007 00:03:15 -0000 1.32
+++ filesystems 20 Oct 2007 15:38:25 -0000 1.35
@@ -52,7 +52,13 @@
>>>>11 ulelong >0 \b, %d sectors/track
>>>>15 ulelong >0 \b, %d cylinders
+# updated by Joerg Jenderek at Sep 2007
+# only for sector sizes with 512 or more Bytes
0x1FE leshort 0xAA55 x86 boot sector
+# to do also for sectors < than 512 Bytes and some other files, GRR
+#30 search/481 \x55\xAA x86 boot sector
+# not for BeOS floppy 1440k, MBRs
+#(11.s-2) uleshort 0xAA55 x86 boot sector
>2 string OSBS \b, OS/BS MBR
# J\xf6rg Jenderek <joerg dot jenderek at web dot de>
>0x8C string Invalid\ partition\ table \b, MS-DOS MBR
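Review bot: the two commented-out alternatives (`#30 search/481 \x55\xAA` and `#(11.s-2) uleshort 0xAA55`) are parked next to the live `0x1FE leshort 0xAA55` test with only `to do ... GRR` as explanation. A two-byte pattern searched across 481 bytes would match a lot of unrelated data, so if these stay in the file the comment should say why they are disabled and what has to be true before they can be enabled.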
@@ -173,56 +179,59 @@
>>498 string BCDL\ \ \ \ BIN \b, Bootable CD Loader (1.50Z)
# mbr partion table entries
# OEM-ID not Microsoft,SYSLINUX,or MTOOLs
->3 string !MS
+>3 string !MS
>>3 string !SYSLINUX
>>>3 string !MTOOL
# not FAT (32 bit)
>>>>82 string !FAT32
#not IO.SYS
>>>>>472 string !IO\ \ \ \ \ \ SYS
+>>>>>>480 string !IO\ \ \ \ \ \ SYS
#not Linux kernel
->>>>>>514 string !HdrS
+>>>>>>>514 string !HdrS
+#not BeOS
+>>>>>>>>422 string !Be\ Boot\ Loader
# active flag 0 or 0x80 and type > 0
->>>>>>>446 ubyte <0x81
->>>>>>>>446 ubyte&0x7F 0
+>>>>>>>>>446 ubyte <0x81
+>>>>>>>>>>446 ubyte&0x7F 0
>>>>>>>>>>>450 ubyte >0 \b; partition 1: ID=0x%x
->>>>>>>>>>446 ubyte 0x80 \b, active
->>>>>>>>>>447 ubyte x \b, starthead %u
-#>>>>>>>>>>448 ubyte x \b, start C_S: 0x%x
-#>>>>>>>>>>448 ubeshort&1023 x \b, startcylinder? %d
->>>>>>>>>>454 ulelong x \b, startsector %u
->>>>>>>>>>458 ulelong x \b, %u sectors
-#
->>>>>>>462 ubyte <0x81
->>>>>>>>462 ubyte&0x7F 0
->>>>>>>>>466 ubyte >0 \b; partition 2: ID=0x%x
->>>>>>>>>>462 ubyte 0x80 \b, active
->>>>>>>>>>463 ubyte x \b, starthead %u
-#>>>>>>>>>>464 ubyte x \b, start C_S: 0x%x
-#>>>>>>>>>>464 ubeshort&1023 x \b, startcylinder? %d
->>>>>>>>>>470 ulelong x \b, startsector %u
->>>>>>>>>>474 ulelong x \b, %u sectors
-#
->>>>>>>478 ubyte <0x81
->>>>>>>>478 ubyte&0x7F 0
->>>>>>>>>482 ubyte >0 \b; partition 3: ID=0x%x
->>>>>>>>>>478 ubyte 0x80 \b, active
->>>>>>>>>>479 ubyte x \b, starthead %u
-#>>>>>>>>>>480 ubyte x \b, start C_S: 0x%x
-#>>>>>>>>>>481 ubyte x \b, start C2S: 0x%x
-#>>>>>>>>>>480 ubeshort&1023 x \b, startcylinder? %d
->>>>>>>>>>486 ulelong x \b, startsector %u
->>>>>>>>>>490 ulelong x \b, %u sectors
-#
->>>>>>>494 ubyte <0x81
->>>>>>>>494 ubyte&0x7F 0
->>>>>>>>>498 ubyte >0 \b; partition 4: ID=0x%x
->>>>>>>>>>494 ubyte 0x80 \b, active
->>>>>>>>>>495 ubyte x \b, starthead %u
-#>>>>>>>>>>496 ubyte x \b, start C_S: 0x%x
-#>>>>>>>>>>496 ubeshort&1023 x \b, startcylinder? %d
->>>>>>>>>>502 ulelong x \b, startsector %u
->>>>>>>>>>506 ulelong x \b, %u sectors
+>>>>>>>>>>>>446 ubyte 0x80 \b, active
+>>>>>>>>>>>>447 ubyte x \b, starthead %u
+#>>>>>>>>>>>>448 ubyte x \b, start C_S: 0x%x
+#>>>>>>>>>>>>448 ubeshort&1023 x \b, startcylinder? %d
+>>>>>>>>>>>>454 ulelong x \b, startsector %u
+>>>>>>>>>>>>458 ulelong x \b, %u sectors
+#
+>>>>>>>>>462 ubyte <0x81
+>>>>>>>>>>462 ubyte&0x7F 0
+>>>>>>>>>>>466 ubyte >0 \b; partition 2: ID=0x%x
+>>>>>>>>>>>>462 ubyte 0x80 \b, active
+>>>>>>>>>>>>463 ubyte x \b, starthead %u
+#>>>>>>>>>>>>464 ubyte x \b, start C_S: 0x%x
+#>>>>>>>>>>>>464 ubeshort&1023 x \b, startcylinder? %d
+>>>>>>>>>>>>470 ulelong x \b, startsector %u
+>>>>>>>>>>>>474 ulelong x \b, %u sectors
+#
+>>>>>>>>>478 ubyte <0x81
+>>>>>>>>>>478 ubyte&0x7F 0
+>>>>>>>>>>>482 ubyte >0 \b; partition 3: ID=0x%x
+>>>>>>>>>>>>478 ubyte 0x80 \b, active
+>>>>>>>>>>>>479 ubyte x \b, starthead %u
+#>>>>>>>>>>>>480 ubyte x \b, start C_S: 0x%x
+#>>>>>>>>>>>>481 ubyte x \b, start C2S: 0x%x
+#>>>>>>>>>>>>480 ubeshort&1023 x \b, startcylinder? %d
+>>>>>>>>>>>>486 ulelong x \b, startsector %u
+>>>>>>>>>>>>490 ulelong x \b, %u sectors
+#
+>>>>>>>>>494 ubyte <0x81
+>>>>>>>>>>494 ubyte&0x7F 0
+>>>>>>>>>>>498 ubyte >0 \b; partition 4: ID=0x%x
+>>>>>>>>>>>>494 ubyte 0x80 \b, active
+>>>>>>>>>>>>495 ubyte x \b, starthead %u
+#>>>>>>>>>>>>496 ubyte x \b, start C_S: 0x%x
+#>>>>>>>>>>>>496 ubeshort&1023 x \b, startcylinder? %d
+>>>>>>>>>>>>502 ulelong x \b, startsector %u
+>>>>>>>>>>>>506 ulelong x \b, %u sectors
# mbr partion table entries end
# http://www.acronis.de/
#FAT label=ACRONIS\ SZ
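Review bot: almost all of this hunk is re-indentation: adding the second `!IO\ \ \ \ \ \ SYS` test at 480 and the `!Be\ Boot\ Loader` test pushes the partition-entry lines up to two levels deeper, and `>3 string !MS` is removed and re-added with no visible change. The partition table output now sits at the bottom of a long chain of negated string tests, so each new exclusion will force the same rewrite; a comment at the top of the chain listing what is excluded and why would make the next change reviewable. The context comment `# mbr partion table entries` still has the typo.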
@@ -507,34 +516,52 @@
>>>>>>>498 ubyte&0xDF >0
>>>>>>>>498 string x \b.%-.3s
#
->486 ubyte&0xDF >0
->>416 string Non-System\ disk\ or\
->>>435 string disk\ error\r
->>>>447 string Replace\ and\ press\ any\ key\
->>>>>473 string when\ ready\r \b, Microsoft DOS Bootloader
->480 ubyte&0xDF >0
->>393 string Non-System\ disk\ or\
->>>412 string disk\ error\r
->>>>424 string Replace\ and\ press\ any\ key\
->>>>>450 string when\ ready\r \b, Microsoft DOS bootloader
-#IO.SYS
->>>>>480 string x \b %-.2s
->>>>>>482 ubyte&0xDF >0
->>>>>>>48 string x \b%-.6s
->>>>>488 ubyte&0xDF >0
->>>>>>488 string x \b.%-.3s
-#MSDOS.SYS
->>>>>>491 ubyte&0xDF >0 \b+
->>>>>>>491 string x \b%-.5s
->>>>>>>>496 ubyte&0xDF >0
->>>>>>>>>496 string x \b%-.3s
->>>>>>>499 ubyte&0xDF >0
->>>>>>>>499 string x \b.%-.3s
+>376 search/41 Non-System\ disk\ or\
+>>395 search/41 disk\ error\r
+>>>407 search/41 Replace\ and\
+>>>>419 search/41 press\ \b,
+>>>>419 search/41 strike\ \b, old
+>>>>426 search/41 any\ key\ when\ ready\r MS or PC-DOS bootloader
+#449 Disk\ Boot\ failure\r MS 3.21
+#466 Boot\ Failure\r MS 3.30
+>>>>>468 search/18 \0
+#IO.SYS,IBMBIO.COM
+>>>>>>&0 string x \b %-.2s
+>>>>>>>&-20 ubyte&0xDF >0
+>>>>>>>>&-1 string x \b%-.4s
+>>>>>>>>>&-16 ubyte&0xDF >0
+>>>>>>>>>>&-1 string x \b%-.2s
+>>>>>>&8 ubyte&0xDF >0 \b.
+>>>>>>>&-1 string x \b%-.3s
+#MSDOS.SYS,IBMDOS.COM
+>>>>>>&11 ubyte&0xDF >0 \b+
+>>>>>>>&-1 string x \b%-.5s
+>>>>>>>>&-6 ubyte&0xDF >0
+>>>>>>>>>&-1 string x \b%-.1s
+>>>>>>>>>>&-5 ubyte&0xDF >0
+>>>>>>>>>>>&-1 string x \b%-.2s
+>>>>>>>&7 ubyte&0xDF >0 \b.
+>>>>>>>>&-1 string x \b%-.3s
+>441 string Cannot\ load\ from\ harddisk.\n\r
+>>469 string Insert\ Systemdisk\
+>>>487 string and\ press\ any\ key.\n\r \b, MS (2.11) DOS bootloader
#>43 string \224R-LOADER\ \ SYS =label
>54 string SYS
>>324 string VASKK
>>>495 string NEWLDR\0 \b, DR-DOS Bootloader (LOADER.SYS)
#
+>98 string Press\ a\ key\ to\ retry\0\r
+>>120 string Cannot\ find\ file\ \0\r
+>>>139 string Disk\ read\ error\0\r
+>>>>156 string Loading\ ...\0 \b, DR-DOS (3.41) Bootloader
+#DRBIOS.SYS
+>>>>>44 ubyte&0xDF >0
+>>>>>>44 string x \b %-.6s
+>>>>>>>50 ubyte&0xDF >0
+>>>>>>>>50 string x \b%-.2s
+>>>>>>52 ubyte&0xDF >0
+>>>>>>>52 string x \b.%-.3s
+#
>70 string IBMBIO\ \ COM
>>472 string Cannot\ load\ DOS!\
>>>489 string Any\ key\ to\ retry \b, DR-DOS Bootloader
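Review bot: the lines under `>>>>>468 search/18 \0` switch to relative offsets (`&0`, `&-20`, `&-1`, `&-16`, `&8`, `&11`) without a comment saying what each one is relative to, which makes the IO.SYS/IBMBIO.COM and MSDOS.SYS/IBMDOS.COM name extraction hard to check; the fixed offsets they replace (480, 488, 491, ...) were at least self-explanatory. Please annotate the expected layout. The description also changes from `Microsoft DOS Bootloader` to `MS or PC-DOS bootloader`, which affects anything that matches on the output text, and the `#449 ...` and `#466 ...` lines are neither disabled tests nor explained notes.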
@@ -679,26 +706,43 @@
#it also hangs with another message ("NF").
>>>>>492 string RENF \b, FAT (12 bit)
>>>>>495 string RENF \b, FAT (16 bit)
+# added by Joerg Jenderek
+# http://syslinux.zytor.com/iso.php
+0 ulelong 0x7c40eafa isolinux Loader
+# http://syslinux.zytor.com/pxe.php
+0 ulelong 0x007c05ea pxelinux Loader
+0 ulelong 0x60669c66 pxelinux Loader
# loader end
-# Joerg Jenderek
->446 ubyte 0
->>450 ubyte >0
->>>482 ubyte 0
->>>>498 ubyte 0
->>>>466 ubyte 0x05 \b, extended partition table
->>>>466 ubyte 0x0F \b, extended partition table (LBA)
->>>>466 ubyte 0x0 \b, extended partition table (last)
+# updated by Joerg Jenderek at Sep 2007
+>3 ubyte 0
+#no active flag
+>>446 ubyte 0
+# partition 1 not empty
+>>>450 ubyte >0
+# partitions 3,4 empty
+>>>>482 ubyte 0
+>>>>>498 ubyte 0
+# partition 2 ID=0,5,15
+>>>>>>466 ubyte <0x10
+>>>>>>>466 ubyte 0x05 \b, extended partition table
+>>>>>>>466 ubyte 0x0F \b, extended partition table (LBA)
+>>>>>>>466 ubyte 0x0 \b, extended partition table (last)
# JuMP short bootcodeoffset NOP assembler instructions will usually be EB xx 90
-# older drives may use E9 xx xx
+# http://mirror.href.com/thestarman/asm/2bytejumps.htmm#FWD
+# older drives may use Near JuMP instruction E9 xx xx
>0 lelong&0x009000EB 0x009000EB
>0 lelong&0x000000E9 0x000000E9
->>1 ubyte >37 \b, code offset 0x%x
+# maximal short forward jump is 07fx
+>1 ubyte <0xff \b, code offset 0x%x
# mtools-3.9.8/msdos.h
# usual values are marked with comments to get only informations of strange FAT systems
-# valid sectorsize are from 32 to 2048
->>>11 uleshort <2049
->>>>11 uleshort >31
+# valid sectorsize must be a power of 2 from 32 to 32768
+>>11 uleshort&0x000f x
+>>>11 uleshort <32769
+>>>>11 uleshort >31
>>>>>3 string >\0 \b, OEM-ID "%8.8s"
+#http://mirror.href.com/thestarman/asm/debug/debug2.htm#IHC
+>>>>>>8 string IHC \b cached by Windows 9M
>>>>>11 uleshort >512 \b, Bytes/sector %u
#>>>>>11 uleshort =512 \b, Bytes/sector %u=512 (usual)
>>>>>11 uleshort <512 \b, Bytes/sector %u
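Review bot: the three new loader entries (`0 ulelong 0x7c40eafa isolinux Loader` and the two pxelinux lines) are level-0 tests inserted in the middle of a run of `>` continuation lines. Continuation lines belong to the level-0 entry before them, so `>3 ubyte 0`, the extended partition table block and everything else after `# loader end` now hang off `0 ulelong 0x60669c66 pxelinux Loader` rather than off the entry they belonged to before; move the three entries outside the block. Also, `>>11 uleshort&0x000f x` always matches, so it does not enforce the `power of 2` rule stated in the comment above it, `>1 ubyte <0xff` is no longer nested under the jump-opcode tests, and `2bytejumps.htmm` looks like a typo for `.htm`.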
@@ -725,17 +769,18 @@
>>>>>26 ubyte >2 \b, heads %u
#>>>>>26 ubyte =2 \b, heads %u (usual floppy)
>>>>>26 ubyte =1 \b, heads %u
->>>>>28 ulelong >0 \b, hidden sectors %u
-#>>>>>28 ulelong =0 \b, hidden sectors %u (usual floppy)
->>>>>32 ulelong >0 \b, sectors %u (volumes > 32 MB)
-#>>>>>32 ulelong =0 \b, sectors %u (volumes > 32 MB)
+#skip for Digital Research DOS (version 3.41) 1440 kB Bootdisk
+>>>>>38 ubyte !0x70
+>>>>>>28 ulelong >0 \b, hidden sectors %u
+#>>>>>>28 ulelong =0 \b, hidden sectors %u (usual floppy)
+>>>>>>32 ulelong >0 \b, sectors %u (volumes > 32 MB)
+#>>>>>>32 ulelong =0 \b, sectors %u (volumes > 32 MB)
# FAT<32 specific
-# NOT le FAT3=NOT 3TAF=0xCCABBEB9
->>>>>82 ulelong&0xCCABBEB9 >0
->>>>>>36 ubyte >0x80 \b, physical drive 0x%x
-#>>>>>>36 ubyte =0x80 \b, physical drive 0x%x=0x80 (usual harddisk)
->>>>>>36 ubyte&0x7F >0 \b, physical drive 0x%x
-#>>>>>>36 ubyte =0 \b, physical drive 0x%x=0 (usual floppy)
+>>>>>82 string !FAT32
+#>>>>>>36 ubyte 0x80 \b, physical drive 0x%x=0x80 (usual harddisk)
+#>>>>>>36 ubyte 0 \b, physical drive 0x%x=0 (usual floppy)
+>>>>>>36 ubyte !0x80
+>>>>>>>36 ubyte !0 \b, physical drive 0x%x
>>>>>>37 ubyte >0 \b, reserved 0x%x
#>>>>>>37 ubyte =0 \b, reserved 0x%x
>>>>>>38 ubyte >0x29 \b, dos < 4.0 BootSector (0x%x)
@@ -1072,13 +1117,12 @@
# Modified for UDF by gerardo.cacciari at gmail.com
32769 string CD001
>38913 string !NSR0 ISO 9660 CD-ROM filesystem data
->38913 string NSR01 UDF filesystem data (version 1.0)
->38913 string NSR02 UDF filesystem data (version 1.5)
->38913 string NSR03 UDF filesystem data (version 2.0)
->38913 string >NSR03 UDF filesystem data (unknown version,
->>38917 byte x id 'NSR0%c')
->38913 string <NSR01 UDF filesystem data (unknown version,
->>38917 byte x id 'NSR0%c')
+>38913 string NSR0 UDF filesystem data
+>>38917 string 1 (version 1.0)
+>>38917 string 2 (version 1.5)
+>>38917 string 3 (version 2.0)
+>>38917 byte >0x33 (unknown version, ID 0x%X)
+>>38917 byte <0x31 (unknown version, ID 0x%X)
# "application id" which appears to be used as a volume label
>32808 string >\0 '%s'
>34816 string \000CD001\001EL\ TORITO\ SPECIFICATION (bootable)
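Review bot: offset 38917 is tested three times as `string` (`1`, `2`, `3`) and twice as `byte` (`>0x33`, `<0x31`); using `byte 0x31`, `0x32`, `0x33` for the known versions would make the five tests read as one range check. The unknown-version message now prints the raw byte as `ID 0x%X` where the old one showed `id 'NSR0%c'`, so the identifier as it appears on disk is no longer visible in the output.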
@@ -1210,3 +1254,8 @@
>525 byte x Level %d
>525 byte x (ODS-%d OpenVMS file system),
>984 string x volume label is '%-12.12s'
+
+# From: Thomas Klausner <wiz at NetBSD.org>
+# http://filext.com/file-extension/DAA
+# describes the daa file format. The magic would be:
+0 string DAA\x0\x0\x0\x0\x0 PowerISO Direct-Access-Archive
Index: macintosh
===================================================================
RCS file: /p/file/cvsroot/file/magic/Magdir/macintosh,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- macintosh 19 Jan 2005 17:56:21 -0000 1.11
+++ macintosh 7 Nov 2007 22:10:13 -0000 1.12
@@ -357,4 +357,4 @@
>>>>0xa54 belong x number of blocks: %d
# From: Remi Mommsen <mommsen at slac.stanford.edu>
-0 string BOMStore Mac OS X bill of materials (BOM) fil
+0 string BOMStore Mac OS X bill of materials (BOM) file
Index: msdos
===================================================================
RCS file: /p/file/cvsroot/file/magic/Magdir/msdos,v
retrieving revision 1.43
retrieving revision 1.47
diff -u -r1.43 -r1.47
--- msdos 8 May 2007 16:46:44 -0000 1.43
+++ msdos 26 Sep 2007 20:12:31 -0000 1.47
@@ -363,8 +363,6 @@
>30 byte 12 (4kB sectors)
# Popular applications
-# False positive with PPT
-#0 string \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF Microsoft Installer
2080 string Microsoft\ Word\ 6.0\ Document %s
2080 string Documento\ Microsoft\ Word\ 6 Spanish Microsoft Word 6 document data
# Pawel Wiecek <coven at i17linuxb.ists.pwr.wroc.pl> (for polish Word)
@@ -610,10 +608,44 @@
0 string VMDK VMware4 disk image
0 string KDMV VMware4 disk image
-0 belong 0x514649fb QEMU Copy-On-Write disk image
->4 belong x version %d,
->24 belong x size %d +
->28 belong x %d
+#--------------------------------------------------------------------
+# Qemu Emulator Images
+# Lines written by Friedrich Schwittay (f.schwittay at yousable.de)
+# Made by reading sources and doing trial and error on existing
+# qcow files
+0 string QFI Qemu Image, Format: Qcow
+
+# Uncomment the following line to display Magic (only used for debugging
+# this magic number)
+#>0 string x , Magic: %s
+
+# There are currently 2 Versions: "1" and "2"
+# I do not use Version 2 and therefor branch here
+# but can assure: it works (tested on both versions)
+# Also my Qemu 0.9.0 which uses this Version 2 refuses
+# to start in its bios
+>0x04 belong 2 , Version: 2
+>0x04 belong 1 , Version: 1
+
+# Using the existence of the Backing File Offset to Branch or not
+# to read Backing File Information
+>>0xc belong >0 , Backing File( Offset: %d
+>>>(0xc.L) string >\0 , Path: %s
+
+# Didnt got the Trick here how qemu stores the "Size" at this Position
+# There is actually something stored but nothing makes sense
+# The header in the sources talks about it
+#>>>16 lelong x , Size: %d
+
+# Modification time of the Backing File
+# Really usefull if you want to know if your backing
+# file is still usable together with this image
+>>>20 bedate x , Mtime: %s )
+
+# Dont know how to calculate in Magicfiles
+# Also: this Information is not reliably
+# stored in image-files
+>>24 lelong x , Disk Size could be: %d * 256 bytes
0 string QEVM QEMU's suspend to disk image
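Review bot: the magic is weakened from the four-byte `0 belong 0x514649fb` to the three-letter `0 string QFI`, dropping the `0xfb` byte, so any text that starts with QFI is now reported as `Qemu Image, Format: Qcow`; keep the fourth byte in the test (`QFI\xfb`). The `>>0xc` backing-file block follows `>0x04 belong 1`, so it is only evaluated for version 1 images even though the comment says both versions were tested, and the header is read with `belong`/`bedate` at 0x04, 0xc and 20 but with `lelong` at 24, which needs either a fix or a comment.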
@@ -624,5 +656,14 @@
0 lelong 0x02468ace Bochs Sparse disk image
# from http://filext.com by Derek M Jones <derek at knosof.co.uk>
-0 string \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF Microsoft Installer
+# False positive with PPT
+#0 string \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF Microsoft Installer
0 string \320\317\021\340\241\261\032\341 Microsoft Office Document
+
+# From: "Nelson A. de Oliveira" <naoliv at gmail.com>
+# Magic type for Dell's BIOS .hdr files
+# Dell's .hdr
+0 string $RBU
+>23 string Dell %s system BIOS
+>48 string x version %.3s
+
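Review bot: `>48 string x version %.3s` sits at the same level as `>23 string Dell`, so for any file starting with `$RBU` it prints a version even when the Dell test did not match, and the level-0 line itself has no description. Make it `>>48` under the `>23` test so the version is only reported for a file already identified as a Dell BIOS image.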
Index: pdf
===================================================================
RCS file: /p/file/cvsroot/file/magic/Magdir/pdf,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- pdf 22 Jun 1996 22:11:05 -0000 1.1
+++ pdf 26 Sep 2007 20:45:26 -0000 1.2
@@ -5,3 +5,9 @@
0 string %PDF- PDF document
>5 byte x \b, version %c
>7 byte x \b.%c
+
+# From: Nick Schmalenberger <nick at schmalenberger.us>
+# Forms Data Format
+0 string %FDF- FDF text
+>5 byte x \b, version %c
+>7 byte x \b.%c
Index: sgi
===================================================================
RCS file: /p/file/cvsroot/file/magic/Magdir/sgi,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- sgi 22 Jun 2005 21:42:48 -0000 1.12
+++ sgi 26 Sep 2007 20:45:26 -0000 1.13
@@ -15,19 +15,22 @@
>20 lelong 0 log volume #0
>20 lelong >0 log volume #%ld
>24 string >\0 host: %s
-0 string PCPFolio PCP
+0 string PCPFolio PCP
>9 string Version: Archive Folio
>18 string >\0 (V.%s)
0 string #pmchart PCP pmchart view
>9 string Version
>17 string >\0 (V%-3.3s)
+0 string #kmchart PCP kmchart view
+>9 string Version
+>17 string >\0 (V.%s)
0 string pmview PCP pmview config
>7 string Version
>15 string >\0 (V%-3.3s)
0 string #pmlogger PCP pmlogger config
>10 string Version
>18 string >\0 (V%1.1s)
-0 string PcPh PCP Help
+0 string PcPh PCP Help
>4 string 1 Index
>4 string 2 Text
>5 string >\0 (V.%1.1s)
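Review bot: the new `#kmchart` entry formats its version as `(V.%s)` while the `#pmchart` entry directly above, which it otherwise copies, uses the bounded `(V%-3.3s)`; an unbounded `%s` prints whatever follows up to the end of the string, so use the same bounded format. The `PCPFolio` and `PcPh` lines are removed and re-added with no visible difference, presumably whitespace; leave them out of the change if so.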