1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
#------------------Compression Formats-----------------------------
# AFX compressed files (Wolfram Kleff)
0 string -afx- AFX compressed file data{offset-adjust:-2}
# bzip2
0 string BZh91AY&SY bzip2 compressed data, block size = 900k
0 string BZh81AY&SY bzip2 compressed data, block size = 800k
0 string BZh71AY&SY bzip2 compressed data, block size = 700k
0 string BZh61AY&SY bzip2 compressed data, block size = 600k
0 string BZh51AY&SY bzip2 compressed data, block size = 500k
0 string BZh41AY&SY bzip2 compressed data, block size = 400k
0 string BZh31AY&SY bzip2 compressed data, block size = 300k
0 string BZh21AY&SY bzip2 compressed data, block size = 200k
0 string BZh11AY&SY bzip2 compressed data, block size = 100k
# lzop from <markus.oberhumer@jk.uni-linz.ac.at>
0 string \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a lzop compressed data
>9 beshort <0x0940
>>9 byte&0xf0 =0x00 - version 0.
>>9 beshort&0x0fff x \b%03x,
>>13 byte 1 LZO1X-1,
>>13 byte 2 LZO1X-1(15),
>>13 byte 3 LZO1X-999,
## >>22 bedate >0 last modified: %s,
>>14 byte =0x00 os: MS-DOS
>>14 byte =0x01 os: Amiga
>>14 byte =0x02 os: VMS
>>14 byte =0x03 os: Unix
>>14 byte =0x05 os: Atari
>>14 byte =0x06 os: OS/2
>>14 byte =0x07 os: MacOS
>>14 byte =0x0A os: Tops/20
>>14 byte =0x0B os: WinNT
>>14 byte =0x0E os: Win32
>9 beshort >0x0939
>>9 byte&0xf0 =0x00 - version 0.
>>9 byte&0xf0 =0x10 - version 1.
>>9 byte&0xf0 =0x20 - version 2.
>>9 beshort&0x0fff x \b%03x,
>>15 byte 1 LZO1X-1,
>>15 byte 2 LZO1X-1(15),
>>15 byte 3 LZO1X-999,
## >>25 bedate >0 last modified: %s,
>>17 byte =0x00 os: MS-DOS
>>17 byte =0x01 os: Amiga
>>17 byte =0x02 os: VMS
>>17 byte =0x03 os: Unix
>>17 byte =0x05 os: Atari
>>17 byte =0x06 os: OS/2
>>17 byte =0x07 os: MacOS
>>17 byte =0x0A os: Tops/20
>>17 byte =0x0B os: WinNT
>>17 byte =0x0E os: Win32
# lzip
0 string LZIP lzip compressed data
>4 byte x \b, version: %d
# LZO
0 string \211LZO\000\015\012\032\012 LZO compressed data
# 7-zip archiver, from Thomas Klausner (wiz@danbala.tuwien.ac.at)
# http://www.7-zip.org or DOC/7zFormat.txt
#
0 string 7z\274\257\047\034 7-zip archive data,
>6 byte <0 invalid
>6 byte 0 invalid
>6 byte >20 invalid
>6 byte x version %d
>7 byte x \b.%d
# standard unix compress
# Implemented in the compress binwalk plugin.
#0 string \x1f\x9d\x90 compress'd data, 16 bits
# http://tukaani.org/xz/xz-file-format.txt
0 string \xFD\x37\x7a\x58\x5a\x00 xz compressed data
# gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver)
# Edited by Chris Chittleborough <cchittleborough@yahoo.com.au>, March 2002
# * Original filename is only at offset 10 if "extra field" absent
# * Produce shorter output - notably, only report compression methods
# other than 8 ("deflate", the only method defined in RFC 1952).
#0 string \037\213\x08 gzip compressed data
0 string \x1f\x8b\x08 gzip compressed data
>3 byte &0x01 \b, ASCII
>3 byte&0xE0 !0x00 \b, invalid reserved flag bits
>8 byte 2 \b, maximum compression
>8 byte 4 \b, fastest compression
>8 byte 1 \b, invalid extra flags
>8 byte 3 \b, invalid extra flags
>8 byte >4 \b, invalid extra flags
>3 byte &0x02 \b, has header CRC
>3 byte&0x04 0x04
>>10 leshort x \b, has %d bytes of extra data
>3 byte&0xC =0x08 \b, has original file name
>>10 string x \b{file-name:%s}
>>10 string x \b: "%s"
>3 byte &0x10 \b, has comment
>>3 byte&0xC 0
>>>10 string x \b: "%s"
>9 byte =0x00 \b, from FAT filesystem (MS-DOS, OS/2, NT)
>9 byte =0x01 \b, from Amiga
>9 byte =0x02 \b, from VMS
>9 byte =0x03 \b, from Unix
>9 byte =0x04 \b, from VM/CMS
>9 byte =0x05 \b, from Atari
>9 byte =0x06 \b, from HPFS filesystem (OS/2, NT)
>9 byte =0x07 \b, from MacOS
>9 byte =0x08 \b, from Z-System
>9 byte =0x09 \b, from CP/M
>9 byte =0x0A \b, from TOPS/20
>9 byte =0x0B \b, from NTFS filesystem (NT)
>9 byte =0x0C \b, from QDOS
>9 byte =0x0D \b, from Acorn RISCOS
#>9 byte =0xFF \b, from ZyNOS
#>9 byte >0x0D \b, invalid
#>>9 byte x source: 0x%.2X
#>9 byte <0 \b, invalid
#>>9 byte x source: 0x%.2X
>3 byte &0x20 \b, encrypted (invalid)
# Dates before 1992 are invalid, unless of course you're DD-WRT in which
# case you don't know how to set a date in your gzip files. Brilliant.
>4 lelong =0 \b, NULL date:
>4 lelong <0 \b, invalid date:
>4 lelong >0
>>4 lelong <694224000 \b, invalid date:
>>4 lelong =694224000 \b, invalid date:
>>4 lelong >694224000 \b, last modified:
>4 ledate x %s
>4 lelong x \b{epoch:%d}
# Zlib signatures
# Too short to be useful on their own; see:
#
# o src/binwalk/magic/zlib
# o src/binwalk/plugins/zlib.py
#
#0 beshort 0x789C zlib compressed data
#0 beshort 0x78DA zlib compressed data
#0 beshort 0x7801 zlib compressed data
# Supplementary magic data for the file(1) command to support
# rzip(1). The format is described in magic(5).
#
# Copyright (C) 2003 by Andrew Tridgell. You may do whatever you want with
# this file.
#
0 string RZIP rzip compressed data
>4 byte x - version %d
>5 byte x \b.%d
>6 belong x (%d bytes)
# JAR
0 belong 0xcafed00d JAR compressed with pack200,
>5 byte x version %d.
>4 byte x \b%d
# New LZMA format signature
0 string \xFFLZMA\x00 LZMA compressed data (new),
>6 byte&0x10 0 single-block stream
>6 byte&0x10 0x10 multi-block stream
# See lzma file for LZMA signatures