aboutsummaryrefslogtreecommitdiff
path: root/magic/Magdir/archive
diff options
context:
space:
mode:
Diffstat (limited to 'magic/Magdir/archive')
-rw-r--r--magic/Magdir/archive223
1 files changed, 193 insertions, 30 deletions
diff --git a/magic/Magdir/archive b/magic/Magdir/archive
index f8cf3a2684b5..cd0213fa9f3c 100644
--- a/magic/Magdir/archive
+++ b/magic/Magdir/archive
@@ -1,5 +1,5 @@
#------------------------------------------------------------------------------
-# $File: archive,v 1.119 2018/04/24 23:19:45 christos Exp $
+# $File: archive,v 1.129 2019/05/09 18:58:02 christos Exp $
# archive: file(1) magic for archive formats (see also "msdos" for self-
# extracting compressed archives)
#
@@ -148,7 +148,7 @@
>>>257 string >\0 \b, comment: %-.40s
# Incremental snapshot gnu-tar format from:
-# http://www.gnu.org/software/tar/manual/html_node/Snapshot-Files.html
+# https://www.gnu.org/software/tar/manual/html_node/Snapshot-Files.html
0 string GNU\ tar- GNU tar incremental snapshot data
>&0 regex [0-9]\.[0-9]+-[0-9]+ version %s
@@ -226,21 +226,48 @@
# a portable archive whose first member has a name beginning with
# "debian".
#
+# Update: Joerg Jenderek
+# URL: https://en.wikipedia.org/wiki/Deb_(file_format)
0 string =!<arch>\ndebian
->8 string debian-split part of multipart Debian package
+# https://manpages.debian.org/testing/dpkg/dpkg-split.1.en.html
+>14 string -split part of multipart Debian package
!:mime application/vnd.debian.binary-package
->8 string debian-binary Debian binary package
+# udeb is used for stripped down deb file
+!:ext deb/udeb
+>14 string -binary Debian binary package
!:mime application/vnd.debian.binary-package
->8 string !debian
+!:ext deb/udeb
+# This should not happen
+>14 default x Unknown Debian package
+# NL terminated version; for most Debian cases this is 2.0 or 2.1 for splitted
>68 string >\0 (format %s)
-# These next two lines do not work, because a bzip2 Debian archive
-# still uses gzip for the control.tar (first in the archive). Only
-# data.tar varies, and the location of its filename varies too.
-# file/libmagic does not current have support for ascii-string based
-# (offsets) as of 2005-09-15.
-#>81 string bz2 \b, uses bzip2 compression
-#>84 string gz \b, uses gzip compression
-#>136 ledate x created: %s
+#>68 string !2.0\n
+#>>68 string x (format %.3s)
+>68 string =2.0\n
+# 2nd archive name=control archive name like control.tar.gz or control.tar.xz
+>>72 string >\0 \b, with %.14s
+# look for 3rd archive name=data archive name like data.tar.{gz,xz,bz2,lzma}
+>>0 search/0x93e4f data.tar. \b, data compression
+# the above line only works if FILE_BYTES_MAX in ../../src/file.h is raised
+# for example like libreoffice-dev-doc_1%3a5.2.7-1+rpi1+deb9u3_all.deb
+>>>&0 string x %.4s
+# splitted debian package case
+>68 string =2.1\n
+# dpkg-1.18.25/dpkg-split/info.c
+# NL terminated ASCII package name like ckermit
+>>&0 string x \b, %s
+# NL terminated package version like 302-5.3
+>>>&1 string x %s
+# NL terminated MD5 checksum
+>>>>&1 string x \b, MD5 %s
+# NL terminated original package length
+>>>>>&1 string x \b, unsplitted size %s
+# NL terminated part length
+>>>>>>&1 string x \b, part lenght %s
+# NL terminated package part like n/m
+>>>>>>>&1 string x \b, part %s
+# NL terminated package architecture like armhf since dpkg 1.16.1 or later
+>>>>>>>>&1 string x \b, %s
#
# MIPS archive; they're in the portable archive format, and need to go
@@ -257,15 +284,35 @@
>19 string B and an EB hash table
>22 string X -- out of date
-0 search/1 -h- Software Tools format archive text
-
#
# BSD/SVR2-and-later portable archive formats.
#
+# Update: Joerg Jenderek
+# URL: http://fileformats.archiveteam.org/wiki/AR
+# Reference: https://www.unix.com/man-page/opensolaris/3HEAD/ar.h/
+# Note: Mach-O universal binary in ./cafebabe is dependent
+# TODO: unify current ar archive, MIPS archive, Debian package
+# distinguish BSD, SVR; 32, 64 bit; HP from other 32-bit SVR;
+# *.ar packages from *.a libraries. handle empty archive
0 string =!<arch>\n current ar archive
+# print first and possibly second ar_name[16] for debugging purpose
+#>8 string x \b, 1st "%.16s"
+#>68 string x \b, 2nd "%.16s"
!:mime application/x-archive
+# a in most case for libraries; lib for Microsoft libraries; ar else cases
+!:ext a/lib/ar
>8 string __.SYMDEF random library
+# first member with long marked name __.SYMDEF SORTED implies BSD library
>68 string __.SYMDEF\ SORTED random library
+# Reference: https://parisc.wiki.kernel.org/images-parisc/b/b2/Rad_11_0_32.pdf
+# "archive file" entry moved from ./hp
+# LST header system_id 0210h~PA-RISC 1.1,... identifies the target architecture
+# LST header a_magic 0619h~relocatable library
+>68 belong 0x020b0619 - PA-RISC1.0 relocatable library
+>68 belong 0x02100619 - PA-RISC1.1 relocatable library
+>68 belong 0x02110619 - PA-RISC1.2 relocatable library
+>68 belong 0x02140619 - PA-RISC2.0 relocatable library
+#EOF for common ar archives
#
# "Thin" archive, as can be produced by GNU ar.
@@ -275,6 +322,8 @@
>68 belong 1 %d symbol entry
>68 belong >1 %d symbol entries
+0 search/1 -h- Software Tools format archive text
+
# ARC archiver, from Daniel Quinlan (quinlan@yggdrasil.com)
#
# The first byte is the magic (0x1a), byte 2 is the compression type for
@@ -799,7 +848,7 @@
# LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu)
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/LHA_(file_format)
-# Reference: http://web.archive.org/web/20021005080911/http://www.osirusoft.com/joejared/lzhformat.html
+# Reference: https://web.archive.org/web/20021005080911/http://www.osirusoft.com/joejared/lzhformat.html
#
# check and display information of lharc (LHa,PMarc) file
0 name lharc-file
@@ -999,7 +1048,7 @@
!:ext rar
# Very old RAR archive
-# http://jasonblanks.com/wp-includes/images/papers/KnowyourarchiveRAR.pdf
+# https://jasonblanks.com/wp-includes/images/papers/KnowyourarchiveRAR.pdf
0 string RE\x7e\x5e RAR archive data (<v1.5)
!:mime application/x-rar
!:ext rar/cbr
@@ -1020,7 +1069,9 @@
0 string PK\005\006 Zip archive data (empty)
!:mime application/zip
!:ext zip/cbz
+!:strength +1
0 string PK\003\004
+!:strength +1
# Specialised zip formats which start with a member named 'mimetype'
# (stored uncompressed, with no 'extra field') containing the file's MIME type.
@@ -1063,7 +1114,7 @@
>>>62 string base Database file
# OpenDocument formats (for OpenOffice 2.x / StarOffice >= 8)
-# http://lists.oasis-open.org/archives/office/200505/msg00006.html
+# https://lists.oasis-open.org/archives/office/200505/msg00006.html
# (mimetype contains "application/vnd.oasis.opendocument.<SUBTYPE>")
>>50 string vnd.oasis.opendocument. OpenDocument
>>>73 string text
@@ -1112,7 +1163,7 @@
!:mime application/vnd.oasis.opendocument.image-template
# EPUB (OEBPS) books using OCF (OEBPS Container Format)
-# http://www.idpf.org/ocf/ocf1.0/download/ocf10.htm, section 4.
+# https://www.idpf.org/ocf/ocf1.0/download/ocf10.htm, section 4.
# From: Ralf Brown <ralf.brown@gmail.com>
>>50 string epub+zip EPUB document
!:mime application/epub+zip
@@ -1306,6 +1357,16 @@
>5 byte x \b.%d
>6 belong x (%d bytes)
+# From: Joerg Jenderek
+# URL: https://help.foxitsoftware.com/kb/install-fzip-file.php
+# reference: http://mark0.net/download/triddefs_xml.7z/
+# defs/f/fzip.trid.xml
+# Note: unknown compression; No "PK" zip magic; normally in directory like
+# "%APPDATA%\Foxit Software\Addon\Foxit Reader\Install"
+0 ubequad 0x2506781901010000 Foxit add-on/update
+!:mime application/x-fzip
+!:ext fzip
+
# From: "Robert Dale" <robdale@gmail.com>
0 belong 123 dar archive,
>4 belong x label "%.8x
@@ -1316,7 +1377,7 @@
>14 beshort 0x4e53 multi-part, with -S
# Symbian installation files
-# http://www.thouky.co.uk/software/psifs/sis.html
+# https://www.thouky.co.uk/software/psifs/sis.html
# http://developer.symbian.com/main/downloads/papers/SymbianOSv91/softwareinstallsis.pdf
8 lelong 0x10000419 Symbian installation file
!:mime application/vnd.symbian.install
@@ -1334,24 +1395,74 @@
>10 string x with compression level %.1s
# xar (eXtensible ARchiver) archive
-# xar archive format: http://code.google.com/p/xar/
+# URL: https://en.wikipedia.org/wiki/Xar_(archiver)
+# xar archive format: https://code.google.com/p/xar/
# From: "David Remahl" <dremahl@apple.com>
+# Update: Joerg Jenderek
+# TODO: lzma compression; X509Data for pkg and xip
+# Note: verified by `xar --dump-header -f FullBundleUpdate.xar` or
+# 7z t -txar Xcode_10.2_beta_4.xip`
0 string xar! xar archive
!:mime application/x-xar
-#>4 beshort x header size %d
->6 beshort x version %d,
-#>8 quad x compressed TOC: %d,
-#>16 quad x uncompressed TOC: %d,
+# pkg for Mac OSX installer package like FullBundleUpdate.pkg
+# xip for signed Apple software like Xcode_10.2_beta_4.xip
+!:ext xar/pkg/xip
+# always 28 in older archives
+>4 ubeshort >28 \b, header size %u
+# currently there exit only version 1 since about 2014
+>6 ubeshort >1 version %u,
+>8 ubequad x compressed TOC: %llu,
+#>16 ubequad x uncompressed TOC: %llu,
+# cksum_alg 0-2 in older and also 3-4 in newer
>24 belong 0 no checksum
>24 belong 1 SHA-1 checksum
>24 belong 2 MD5 checksum
+>24 belong 3 SHA-256 checksum
+>24 belong 4 SHA-512 checksum
+>24 belong >4 unknown 0x%x checksum
+#>24 belong >4 checksum
+# For no compression jump 0 bytes
+>24 belong 0
+>>0 ubyte x
+# jump more bytes forward by header size
+>>>&(4.S) ubyte x
+# jump more bytes forward by compressed table of contents size
+#>>>>&(8.Q) ubequad x \b, heap data 0x%llx
+>>>>&(8.Q) ubyte x
+# look for data by ./compress after message with 1 space at end
+>>>>>&-3 indirect x \b, contains
+# For SHA-1 jump 20 minus 2 bytes
+>24 belong 1
+>>18 ubyte x
+# jump more bytes forward by header size
+>>>&(4.S) ubyte x
+# jump more bytes forward by compressed table of contents size
+>>>>&(8.Q) ubyte x
+# data compressed by gzip, bzip, lzma or none
+>>>>>&-1 indirect x \b, contains
+# For SHA-256 jump 32 minus 2 bytes
+>24 belong 3
+>>30 ubyte x
+# jump more bytes forward by header size
+>>>&(4.S) ubyte x
+# jump more bytes forward by compressed table of contents size
+>>>>&(8.Q) ubyte x
+>>>>>&-1 indirect x \b, contains
+# For SHA-512 jump 64 minus 2 bytes
+>24 belong 4
+>>62 ubyte x
+# jump more bytes forward by header size
+>>>&(4.S) ubyte x
+# jump more bytes forward by compressed table of contents size
+>>>>&(8.Q) ubyte x
+>>>>>&-1 indirect x \b, contains
# Type: Parity Archive
# From: Daniel van Eeden <daniel_e@dds.nl>
0 string PAR2 Parity Archive Volume Set
# Bacula volume format. (Volumes always start with a block header.)
-# URL: http://bacula.org/3.0.x-manuals/en/developers/developers/Block_Header.html
+# URL: https://bacula.org/3.0.x-manuals/en/developers/developers/Block_Header.html
# From: Adam Buchbinder <adam.buchbinder@gmail.com>
12 string BB02 Bacula volume
>20 bedate x \b, started %s
@@ -1366,11 +1477,11 @@
0 string zPQ ZPAQ stream
>3 byte x \b, level %d
# From: Barry Carter <carter.barry@gmail.com>
-# http://encode.ru/threads/456-zpaq-updates/page32
+# https://encode.ru/threads/456-zpaq-updates/page32
0 string 7kSt ZPAQ file
# BBeB ebook, unencrypted (LRF format)
-# URL: http://www.sven.de/librie/Librie/LrfFormat
+# URL: https://www.sven.de/librie/Librie/LrfFormat
# From: Adam Buchbinder <adam.buchbinder@gmail.com>
0 string L\0R\0F\0\0\0 BBeB ebook data, unencrypted
>8 beshort x \b, version %d
@@ -1380,8 +1491,8 @@
>44 beshort x %d)
# Symantec GHOST image by Joerg Jenderek at May 2014
-# http://us.norton.com/ghost/
-# http://www.garykessler.net/library/file_sigs.html
+# https://us.norton.com/ghost/
+# https://www.garykessler.net/library/file_sigs.html
0 ubelong&0xFFFFf7f0 0xFEEF0100 Norton GHost image
# *.GHO
>2 ubyte&0x08 0x00 \b, first file
@@ -1427,3 +1538,55 @@
# LyNX archive
56 string USE\040LYNX\040TO\040DISSOLVE\040THIS\040FILE LyNX archive
+
+# From: Joerg Jenderek
+# URL: https://www.acronis.com/
+# Reference: https://en.wikipedia.org/wiki/TIB_(file_format)
+# Note: only tested with True Image 2013 Build 5962 and 2019 Build 14110
+0 ubequad 0xce24b9a220000000 Acronis True Image backup
+!:mime application/x-acronis-tib
+!:ext tib
+# 01000000
+#>20 ubelong x \b, at 20 0x%x
+# 20000000
+#>28 ubelong x \b, at 28 0x%x
+# strings like "Generic- SD/MMC 1.00" "Unknown Disk" "Msft Virtual Disk 1.0"
+# ???
+# strings like "\Device\0000011e" "\Device\0000015a"
+#>0 search/0x6852300/cs \\Device\\
+#>>&-1 pstring x \b, %s
+# "\Device\HarddiskVolume30" "\Device\HarddiskVolume39"
+#>>>&1 search/180/cs \\Device\\
+#>>>>&-1 pstring x \b, %s
+#>>>>>&0 search/29/cs \0\0\xc8\0
+# disk label
+#>>>>>>&10 lestring16 x \b, disk label %11.11s
+#>>>>>>&9 plestring16 x \b, disk label "%11.11s"
+#>>>>>>&10 ubequad x %16.16llx
+
+
+# Gentoo XPAK binary package
+# by Michal Gorny <mgorny@gentoo.org>
+# https://gitweb.gentoo.org/proj/portage.git/tree/man/xpak.5
+-4 string STOP
+>-16 string XPAKSTOP Gentoo binary package (XPAK)
+
+# From: Joerg Jenderek
+# URL: https://kodi.wiki/view/TexturePacker
+# Reference: https://mirrors.kodi.tv/releases/source/17.3-Krypton.tar.gz
+# /xbmc-Krypton/xbmc/guilib/XBTF.h
+# /xbmc-Krypton/xbmc/guilib/XBTF.cpp
+0 string XBTF
+# skip ASCII text by looking for terminating \0 of path
+>264 ubyte 0 XBMC texture package
+!:mime application/x-xbmc-xbt
+!:ext xbt
+# XBTF_VERSION 2
+>>4 string !2 \b, version %-.1s
+# nofFiles /xbmc-Krypton/xbmc/guilib/XBTFReader.cpp
+>>5 ulelong x \b, %u file
+# plural s
+>>5 ulelong >1 \bs
+# path[CXBTFFile[MaximumPathLength=256]
+>>9 string x \b, 1st %s
+
generated by cgit v1.3 (git 2.53.0) at 2026-03-10 15:13:58 +0000