diff --git a/src/binwalk/core/filter.py b/src/binwalk/core/filter.py
deleted file mode 100644
index 994afd2..0000000
--- a/src/binwalk/core/filter.py
+++ /dev/null
@@ -1,214 +0,0 @@
-# Code for filtering of results (e.g., removing invalid results)
-
-import re
-import binwalk.core.common as common
-from binwalk.core.smart import Signature
-from binwalk.core.compat import *
-
-class FilterType(object):
-
- FILTER_INCLUDE = 0
- FILTER_EXCLUDE = 1
-
- def __init__(self, **kwargs):
- self.type = None
- self.filter = None
- self.regex = None
-
- for (k,v) in iterator(kwargs):
- setattr(self, k, v)
-
- if self.regex is None:
- self.regex = re.compile(self.filter)
-
-class FilterInclude(FilterType):
-
- def __init__(self, **kwargs):
- super(FilterInclude, self).__init__(**kwargs)
- self.type = self.FILTER_INCLUDE
-
-class FilterExclude(FilterType):
-
- def __init__(self, **kwargs):
- super(FilterExclude, self).__init__(**kwargs)
- self.type = self.FILTER_EXCLUDE
-
-class Filter(object):
- '''
- Class to filter results based on include/exclude rules and false positive detection.
- Note that all filter strings should be in lower case.
- '''
-
- # If the result returned by libmagic is "data" or contains the text
- # 'invalid' or a backslash are known to be invalid/false positives.
- UNKNOWN_RESULTS = ["data", "very short file (no magic)"]
- INVALID_RESULT = "invalid"
- NON_PRINTABLE_RESULT = "\\"
-
- def __init__(self, show_invalid_results=None):
- '''
- Class constructor.
-
- @show_invalid_results - A function to call that will return True to display results marked as invalid.
-
- Returns None.
- '''
- self.filters = []
- self.grep_filters = []
- self.show_invalid_results = show_invalid_results
- self.exclusive_filter = False
- self.smart = Signature(self)
-
- def include(self, match, exclusive=True):
- '''
- Adds a new filter which explicitly includes results that contain
- the specified matching text.
-
- @match - Regex, or list of regexs, to match.
- @exclusive - If True, then results that do not explicitly contain
- a FILTER_INCLUDE match will be excluded. If False,
- signatures that contain the FILTER_INCLUDE match will
- be included in the scan, but will not cause non-matching
- results to be excluded.
-
- Returns None.
- '''
- if not isinstance(match, type([])):
- matches = [match]
- else:
- matches = match
-
- for m in matches:
- if m:
- if exclusive and not self.exclusive_filter:
- self.exclusive_filter = True
-
- self.filters.append(FilterInclude(filter=m))
-
- def exclude(self, match):
- '''
- Adds a new filter which explicitly excludes results that contain
- the specified matching text.
-
- @match - Regex, or list of regexs, to match.
-
- Returns None.
- '''
- if not isinstance(match, type([])):
- matches = [match]
- else:
- matches = match
-
- for m in matches:
- if m:
- self.filters.append(FilterExclude(filter=m))
-
- def filter(self, data):
- '''
- Checks to see if a given string should be excluded from or included in the results.
- Called internally by Binwalk.scan().
-
- @data - String to check.
-
- Returns FILTER_INCLUDE if the string should be included.
- Returns FILTER_EXCLUDE if the string should be excluded.
- '''
- data = data.lower()
-
- # Loop through the filters to see if any of them are a match.
- # If so, return the registered type for the matching filter (FILTER_INCLUDE || FILTER_EXCLUDE).
- for f in self.filters:
- if f.regex.search(data):
- return f.type
-
- # If there was not explicit match and exclusive filtering is enabled, return FILTER_EXCLUDE.
- if self.exclusive_filter:
- return FilterType.FILTER_EXCLUDE
-
- return FilterType.FILTER_INCLUDE
-
- def valid_result(self, data):
- '''
- Checks if the given string contains invalid data.
-
- @data - String to validate.
-
- Returns True if data is valid, False if invalid.
- '''
- # A result of 'data' is never ever valid (for libmagic results)
- if data in self.UNKNOWN_RESULTS:
- return False
-
- # Make sure this result wasn't filtered
- if self.filter(data) == FilterType.FILTER_EXCLUDE:
- return False
-
- # If showing invalid results, just return True without further checking.
- if self.show_invalid_results:
- return True
-
- # Sanitized data contains only the non-quoted portion of the data
- sanitized_data = common.strip_quoted_strings(self.smart.strip_tags(data))
-
- # Don't include quoted strings or keyword arguments in this search, as
- # strings from the target file may legitimately contain the INVALID_RESULT text.
- if self.INVALID_RESULT in sanitized_data:
- return False
-
- # There should be no non-printable characters in any of the quoted string data
- non_printables_raw = set(re.findall("\\\\\d{3}", data))
- non_printables_sanitized = set(re.findall("\\\\d{3}", sanitized_data))
- if len(non_printables_raw) and non_printables_raw != non_printables_sanitized:
- return False
-
- return True
-
- def grep(self, data=None, filters=[]):
- '''
- Add or check case-insensitive grep filters against the supplied data string.
-
- @data - Data string to check grep filters against. Not required if filters is specified.
- @filters - Regex, or list of regexs, to add to the grep filters list. Not required if data is specified.
-
- Returns None if data is not specified.
- If data is specified, returns True if the data contains a grep filter, or if no grep filters exist.
- If data is specified, returns False if the data does not contain any grep filters.
- '''
- # Add any specified filters to self.grep_filters
- if filters:
- if not isinstance(filters, type([])):
- gfilters = [filters]
- else:
- gfilters = filters
-
- for gfilter in gfilters:
- # Filters are case insensitive
- self.grep_filters.append(re.compile(gfilter))
-
- # Check the data against all grep filters until one is found
- if data is not None:
- # If no grep filters have been created, always return True
- if not self.grep_filters:
- return True
-
- # Filters are case insensitive
- data = data.lower()
-
- # If a filter exists in data, return True
- for gfilter in self.grep_filters:
- if gfilter.search(data):
- return True
-
- # Else, return False
- return False
-
- return None
-
- def clear(self):
- '''
- Clears all include, exclude and grep filters.
-
- Retruns None.
- '''
- self.filters = []
- self.grep_filters = []
diff --git a/src/binwalk/core/magic.py b/src/binwalk/core/magic.py
index d6f6263..73117c7 100644
--- a/src/binwalk/core/magic.py
+++ b/src/binwalk/core/magic.py
@@ -1,64 +1,377 @@
-# Python wrapper for the libmagic library.
-# Although libmagic comes with its own wrapper, there are compatibility issues with older libmagic versions
-# as well as unofficial libmagic Python wrappers, so it's easier to just have our own wrapper.
+import re
+import time
+import struct
+import datetime
+import binwalk.core.compat
-import binwalk.core.C
-import binwalk.core.common
-from ctypes import *
-from binwalk.core.compat import *
+class ParserException(Exception):
+ pass
-class magic_set(Structure):
+class GenericContainer(object):
+ def __init__(self, **kwargs):
+ for (k,v) in binwalk.core.compat.iterator(kwargs):
+ setattr(self, k, v)
+class DataType(GenericContainer):
+ pass
+class SignatureTag(GenericContainer):
pass
-magic_set._fields_ = []
-magic_t = POINTER(magic_set)
-class Magic(object):
- '''
- Minimalist Python wrapper around libmagic.
- '''
-
- LIBMAGIC_FUNCTIONS = [
- binwalk.core.C.Function(name="magic_open", type=magic_t),
- binwalk.core.C.Function(name="magic_close", type=int),
- binwalk.core.C.Function(name="magic_load", type=int),
- binwalk.core.C.Function(name="magic_buffer", type=str),
- ]
-
- MAGIC_CONTINUE = 0x000020
- MAGIC_NO_CHECK_TEXT = 0x020000
- MAGIC_NO_CHECK_APPTYPE = 0x008000
- MAGIC_NO_CHECK_TOKENS = 0x100000
- MAGIC_NO_CHECK_ENCODING = 0x200000
-
- MAGIC_FLAGS = MAGIC_NO_CHECK_TEXT | MAGIC_NO_CHECK_ENCODING | MAGIC_NO_CHECK_APPTYPE | MAGIC_NO_CHECK_TOKENS
-
- LIBRARY = "magic"
-
- def __init__(self, magic_file=None, flags=0, keep_going=False):
- if magic_file:
- self.magic_file = str2bytes(magic_file)
+class SignatureLine(object):
+
+ def __init__(self, line):
+ self.tags = []
+
+ line = line.replace('\\ ', '\x20')
+
+ parts = line.split(None, 3)
+
+ self.level = parts[0].count('>')
+
+ self.offset = parts[0].replace('>', '')
+ try:
+ self.offset = int(self.offset, 0)
+ except ValueError as e:
+ pass
+
+ if '&' in parts[1]:
+ (self.type, self.bitmask) = parts[1].split('&', 1)
+ self.boolean = '&'
+ self.bitmask = int(self.bitmask, 0)
else:
- self.magic_file = None
+ self.type = parts[1]
+ self.boolean = None
+ self.bitmask = None
+
+ if parts[2][0] in ['=', '!', '>', '<', '&', '|']:
+ self.condition = parts[2][0]
+ self.value = parts[2][1:]
+ else:
+ self.condition = '='
+ self.value = parts[2]
+
+ if self.value == 'x':
+ self.value = None
+ elif self.type == 'string':
+ try:
+ self.value = binwalk.core.compat.string_decode(self.value)
+ except ValueError as e:
+ raise ParserException("Failed to decode string value '%s' in line '%s'" % (self.value, line))
+ else:
+ self.value = int(self.value, 0)
+
+ if len(parts) == 4:
+ self.format = parts[3].replace('%ll', '%l')
+ retag = re.compile(r'\{.*?\}')
+
+ # Parse out tag keywords from the format string
+ for tag in [m.group() for m in retag.finditer(self.format)]:
+ tag = tag.replace('{', '').replace('}', '')
+ if ':' in tag:
+ (n, v) = tag.split(':', 1)
+ else:
+ n = tag
+ v = True
+ self.tags.append(SignatureTag(name=n, value=v))
+
+ # Remove tags from the printable format string
+ self.format = retag.sub('', self.format).strip()
+ else:
+ self.format = ""
+
+ if self.type[0] == 'u':
+ self.signed = False
+ self.type = self.type[1:]
+ else:
+ self.signed = True
+
+ if self.type.startswith('be'):
+ self.type = self.type[2:]
+ self.endianess = '>'
+ elif self.type.startswith('le'):
+ self.endianess = '<'
+ self.type = self.type[2:]
+ else:
+ self.endianess = '<'
+
+ if self.type == 'string':
+ self.fmt = None
+ if self.value:
+ self.size = len(self.value)
+ else:
+ self.size = 128
+ elif self.type == 'byte':
+ self.fmt = 'b'
+ self.size = 1
+ elif self.type == 'short':
+ self.fmt = 'h'
+ self.size = 2
+ elif self.type == 'quad':
+ self.fmt = 'q'
+ self.size = 8
+ else:
+ self.fmt = 'i'
+ self.size = 4
+
+ if self.fmt:
+ self.pkfmt = '%c%c' % (self.endianess, self.fmt)
+ else:
+ self.pkfmt = None
+
+ if not self.signed:
+ self.fmt = self.fmt.upper()
+
+class Signature(object):
+
+ def __init__(self, first_line):
+ self.lines = [first_line]
+ self.offset = first_line.offset
+ self.confidence = first_line.size
+ self.regex = self.generate_regex(first_line)
+
+ def generate_regex(self, line):
+ restr = ""
+
+ if line.type in ['string']:
+ restr = re.escape(line.value)
+ elif line.size == 1:
+ restr = re.escape(chr(line.value))
+ elif line.size == 2:
+ if line.endianess == '<':
+ restr = re.escape(chr(line.value & 0xFF) + chr(line.value >> 8))
+ elif line.endianess == '>':
+ restr = re.escape(chr(line.value >> 8) + chr(line.value & 0xFF))
+ elif line.size == 4:
+ if line.endianess == '<':
+ restr = re.escape(chr(line.value & 0xFF) +
+ chr((line.value >> 8) & 0xFF) +
+ chr((line.value >> 16) & 0xFF) +
+ chr(line.value >> 24))
+ elif line.endianess == '>':
+ restr = re.escape(chr(line.value >> 24) +
+ chr((line.value >> 16) & 0xFF) +
+ chr((line.value >> 8) & 0xFF) +
+ chr(line.value & 0xFF))
+ elif line.size == 8:
+ if line.endianess == '<':
+ restr = re.escape(chr(line.value & 0xFF) +
+ chr((line.value >> 8) & 0xFF) +
+ chr((line.value >> 16) & 0xFF) +
+ chr((line.value >> 24) & 0xFF) +
+ chr((line.value >> 32) & 0xFF) +
+ chr((line.value >> 40) & 0xFF) +
+ chr((line.value >> 48) & 0xFF) +
+ chr(line.value >> 56))
+ elif line.endianess == '>':
+ restr = re.escape(chr(line.value >> 56) +
+ chr((line.value >> 48) & 0xFF) +
+ chr((line.value >> 40) & 0xFF) +
+ chr((line.value >> 32) & 0xFF) +
+ chr((line.value >> 24) & 0xFF) +
+ chr((line.value >> 16) & 0xFF) +
+ chr((line.value >> 8) & 0xFF) +
+ chr(line.value & 0xFF))
+
+ return re.compile(restr)
+
+ def append(self, line):
+ self.lines.append(line)
+
+class SignatureResult(object):
+
+ def __init__(self, **kwargs):
+ self.offset = 0
+ self.adjust = 0
+ self.jump = 0
+ self.size = 0
+ self.description = ""
+ self.valid = True
+ self.invalid = False
+ self.display = True
+ self.file = None
+
+ for (k,v) in binwalk.core.compat.iterator(kwargs):
+ setattr(self, k, v)
+
+class Magic(object):
+
+ def __init__(self, exclude=[], include=[], invalid=False):
+ '''
+ Class constructor.
+
+ @invalid - If set to True, invalid results will not be ignored.
+
+ Returns None.
+ '''
+ self.data = ""
+ self.signatures = []
+ self.show_invalid = invalid
+ self.bspace = re.compile(".\\\\b")
+ self.printable = re.compile("[ -~]*")
+
+ def parse(self, signature, offset):
+ description = []
+ max_line_level = 0
+ tags = {'offset' : offset, 'invalid' : False}
+
+ for line in signature.lines:
+ if line.level <= max_line_level:
+ if isinstance(line.offset, int):
+ line_offset = line.offset
+ else:
+ # (4.l+12)
+ if '.' in line.offset:
+ (o, t) = line.offset.split('.', 1)
+ o = offset + int(o.split('(', 1)[1], 0)
+ t = t[0]
+
+ try:
+ if t in ['b', 'B']:
+ v = struct.unpack('b', binwalk.core.compat.str2bytes(self.data[o:o+1]))[0]
+ elif t == 's':
+ v = struct.unpack('<h', binwalk.core.compat.str2bytes(self.data[o:o+2]))[0]
+ elif t == 'l':
+ v = struct.unpack('<i', binwalk.core.compat.str2bytes(self.data[o:o+4]))[0]
+ elif t == 'S':
+ v = struct.unpack('>h', binwalk.core.compat.str2bytes(self.data[o:o+2]))[0]
+ elif t == 'L':
+ v = struct.unpack('>i', binwalk.core.compat.str2bytes(self.data[o:o+4]))[0]
+ except struct.error as e:
+ v = 0
+
+ v = "(%d%s" % (v, line.offset.split(t, 1)[1])
+ # (32+0x20)
+ else:
+ v = line.offset
+
+ #print ("Converted offset '%s' to '%s'" % (line.offset, v))
+ line_offset = binwalk.core.common.MathExpression(v).value
+
+ start = offset + line_offset
+ end = start + line.size
+
+ if line.pkfmt:
+ try:
+ dvalue = struct.unpack(line.pkfmt, binwalk.core.compat.str2bytes(self.data[start:end]))[0]
+ except struct.error as e:
+ dvalue = 0
+ elif line.size:
+ dvalue = self.data[start:end]
+ if line.value is None:
+ dvalue = dvalue.split('\x00')[0].split('\r')[0].split('\r')[0]
+
+ if line.boolean == '&':
+ dvalue &= line.bitmask
+
+ if ((line.value is None) or
+ (line.condition == '=' and dvalue == line.value) or
+ (line.condition == '>' and dvalue > line.value) or
+ (line.condition == '<' and dvalue < line.value) or
+ (line.condition == '!' and dvalue != line.value) or
+ (line.condition == '&' and (dvalue & line.value)) or
+ (line.condition == '|' and (dvalue | line.value))):
+
+ if line.type == 'date':
+ ts = datetime.datetime.utcfromtimestamp(dvalue)
+ dvalue = ts.strftime("%Y-%m-%d %H:%M:%S")
+
+ if '%' in line.format:
+ description.append(line.format % dvalue)
+ else:
+ description.append(line.format)
+
+ for tag in line.tags:
+ if isinstance(tag.value, str) and '%' in tag.value:
+ tags[tag.name] = tag.value % dvalue
+ else:
+ try:
+ tags[tag.name] = int(tag.value, 0)
+ except KeyboardInterrupt as e:
+ raise e
+ except Exception as e:
+ tags[tag.name] = tag.value
+
+ # Abort abort abort
+ if not self.show_invalid and tags['invalid']:
+ break
+
+ max_line_level = line.level + 1
+ else:
+ max_line_level = line.level
+
+ tags['description'] = self.bspace.sub('', " ".join(description))
+
+ if (('\\' in tags['description']) or
+ (self.printable.match(tags['description']).group() != tags['description'])):
+ tags['invalid'] = True
+
+ tags['valid'] = (not tags['invalid'])
+
+ return tags
+
+ def scan(self, data, dlen=None):
+ sigs = {}
+ results = []
+
+ self.data = data
+
+ if dlen is None:
+ dlen = len(self.data)
+
+ for signature in self.signatures:
+ offset = set([(match.start() - signature.offset) for match in signature.regex.finditer(self.data) if (match.start() - signature.offset) >= 0 and (match.start() - signature.offset) <= dlen])
+ sigs[signature] = offset
+
+ for (signature, offsets) in binwalk.core.compat.iterator(sigs):
+ for offset in offsets:
+ tags = self.parse(signature, offset)
+ if not tags['invalid'] or self.show_invalid:
+ results.append(SignatureResult(**tags))
+ if not self.show_invalid:
+ break
+
+ return results
+
+ def load(self, fname):
+ '''
+ Load signatures from a file.
+
+ @fname - Path to signature file.
+
+ Returns None.
+ '''
+ signature = None
+
+ fp = open(fname, "r")
+
+ for line in fp.readlines():
+ line = line.split('#')[0].strip()
+ if line:
+ sigline = SignatureLine(line)
+ if sigline.level == 0:
+ if signature:
+ self.signatures.append(signature)
+ signature = Signature(sigline)
+ elif signature:
+ signature.append(sigline)
+ else:
+ raise ParserException("Invalid signature line: '%s'" % line)
+
+ if signature:
+ self.signatures.append(signature)
- if keep_going:
- flags = flags | self.MAGIC_CONTINUE
+ fp.close()
- self.libmagic = binwalk.core.C.Library(self.LIBRARY, self.LIBMAGIC_FUNCTIONS)
+ self.signatures.sort(key=lambda x: x.confidence, reverse=True)
- binwalk.core.common.debug("libmagic.magic_open(0x%X)" % (self.MAGIC_FLAGS | flags))
- self.magic_cookie = self.libmagic.magic_open(self.MAGIC_FLAGS | flags)
- binwalk.core.common.debug("libmagic.magic_load(%s, %s)" % (type(self.magic_cookie), self.magic_file))
- self.libmagic.magic_load(self.magic_cookie, self.magic_file)
- binwalk.core.common.debug("libmagic loaded OK!")
- def close(self):
- if self.magic_cookie:
- self.libmagic.magic_close(self.magic_cookie)
- del self.magic_cookie
- self.magic_cookie = None
- def buffer(self, data):
- if self.magic_cookie:
- return self.libmagic.magic_buffer(self.magic_cookie, str2bytes(data), len(data))
+if __name__ == '__main__':
+ import sys
+ m = Magic(invalid=True)
+ m.load(sys.argv[1])
+ print ("Loaded %d signatures" % len(m.signatures))
+ for signature in m.scan(open(sys.argv[2], "r").read()):
+ if signature.valid:
+ print (signature.offset, signature.description)
diff --git a/src/binwalk/core/parser.py b/src/binwalk/core/parser.py
deleted file mode 100644
index a152e85..0000000
--- a/src/binwalk/core/parser.py
+++ /dev/null
@@ -1,369 +0,0 @@
-# Code for performing minimal parsing of libmagic-compatible signature files.
-# This allows for building a single signature file from multiple other signature files,
-# and for parsing out the initial magic signature bytes for each signature (used for
-# pre-processing of data to limit the number of actual calls into libmagic).
-#
-# Also performs splitting/formatting of libmagic result text.
-
-import io
-import re
-import os.path
-import tempfile
-import binwalk.core.common
-from binwalk.core.compat import *
-from binwalk.core.filter import FilterType
-
-class MagicSignature(object):
-
- def __init__(self, **kwargs):
- self.offset = 0
- self.type = ''
- self.condition = ''
- self.description = ''
- self.length = 0
-
- for (k,v) in iterator(kwargs):
- try:
- v = int(v, 0)
- except KeyboardInterrupt as e:
- raise e
- except Exception:
- pass
-
- setattr(self, k, v)
-
-class MagicParser(object):
- '''
- Class for loading, parsing and creating libmagic-compatible magic files.
-
- This class is primarily used internally by the Binwalk class, and a class instance of it is available via the Binwalk.parser object.
-
- One useful method however, is file_from_string(), which will generate a temporary magic file from a given signature string:
-
- import binwalk
-
- bw = binwalk.Binwalk()
-
- # Create a temporary magic file that contains a single entry with a signature of '\\x00FOOBAR\\xFF', and append the resulting
- # temporary file name to the list of magic files in the Binwalk class instance.
- bw.magic_files.append(bw.parser.file_from_string('\\x00FOOBAR\\xFF', display_name='My custom signature'))
-
- bw.scan('firmware.bin')
-
- All magic files generated by this class will be deleted when the class deconstructor is called.
- '''
-
- BIG_ENDIAN = 'big'
- LITTLE_ENDIAN = 'little'
-
- MAGIC_STRING_FORMAT = "%d\tstring\t%s\t%s\n"
- DEFAULT_DISPLAY_NAME = "Raw string signature"
-
- WILDCARD = 'x'
-
- # If libmagic returns multiple results, they are delimited with this string.
- RESULT_SEPERATOR = "\\012- "
-
- def __init__(self, filter=None, smart=None):
- '''
- Class constructor.
-
- @filter - Instance of the MagicFilter class. May be None if the parse/parse_file methods are not used.
- @smart - Instance of the SmartSignature class. May be None if the parse/parse_file methods are not used.
- Returns None.
- '''
- self.matches = set([])
- self.signatures = {}
- self.filter = filter
- self.smart = smart
- self.raw_fd = None
- self.signature_count = 0
- self.signature_set = set()
-
- def __del__(self):
- try:
- self.cleanup()
- except KeyboardInterrupt as e:
- raise e
- except Exception:
- pass
-
- def rm_magic_files(self):
- '''
- Cleans up the temporary magic file(s).
-
- Returns None.
- '''
- try:
- self.fd.close()
- except KeyboardInterrupt as e:
- raise e
- except Exception:
- pass
-
- try:
- self.raw_fd.close()
- except KeyboardInterrupt as e:
- raise e
- except Exception:
- pass
-
- def cleanup(self):
- '''
- Cleans up any tempfiles created by the class instance.
-
- Returns None.
- '''
- self.rm_magic_files()
-
- def file_from_string(self, signature_string, offset=0, display_name=DEFAULT_DISPLAY_NAME):
- '''
- Generates a magic file from a signature string.
- This method is intended to be used once per instance.
- If invoked multiple times, any previously created magic files will be closed and deleted.
-
- @signature_string - The string signature to search for.
- @offset - The offset at which the signature should occur.
- @display_name - The text to display when the signature is found.
-
- Returns the name of the generated temporary magic file.
- '''
- self.raw_fd = tempfile.NamedTemporaryFile()
- self.raw_fd.write(str2bytes(self.MAGIC_STRING_FORMAT % (offset, signature_string, display_name)))
- self.raw_fd.seek(0)
- return self.raw_fd.name
-
- def parse(self, file_name):
- '''
- Parses magic file(s) and contatenates them into a single temporary magic file
- while simultaneously removing filtered signatures.
-
- @file_name - Magic file, or list of magic files, to parse.
-
- Returns the name of the generated temporary magic file, which will be automatically
- deleted when the class deconstructor is called.
- '''
- self.matches = set([])
- self.signatures = {}
- self.signature_count = 0
- self.fd = tempfile.NamedTemporaryFile()
-
- if isinstance(file_name, type([])):
- files = file_name
- else:
- files = [file_name]
-
- for fname in files:
- if fname:
- if os.path.exists(fname) and os.path.isfile(fname):
- self.parse_file(fname)
- else:
- binwalk.core.common.warning("Magic file '%s' does not exist!" % fname)
-
- self.fd.seek(0)
- return self.fd.name
-
- def parse_file(self, file_name):
- '''
- Parses a magic file and appends valid signatures to the temporary magic file, as allowed
- by the existing filter rules.
-
- @file_name - Magic file to parse.
-
- Returns None.
- '''
- # Default to not including signature entries until we've
- # found what looks like a valid entry.
- include = False
- line_count = 0
-
- try:
- fp = open(file_name, 'rb')
- for line in fp.readlines():
- line = bytes2str(line)
- line_count += 1
-
- # Check if this is the first line of a signature entry
- entry = self._parse_line(line)
-
- if entry is not None:
- # If this signature is marked for inclusion, include it.
- if self.filter.filter(entry.description) == FilterType.FILTER_INCLUDE:
-
- include = True
- self.signature_count += 1
-
- if not has_key(self.signatures, entry.offset):
- self.signatures[entry.offset] = []
-
- if entry.condition not in self.signatures[entry.offset]:
- self.signatures[entry.offset].append(entry.condition)
- else:
- include = False
-
- # Keep writing lines of the signature to the temporary magic file until
- # we detect a signature that should not be included.
- if include:
- self.fd.write(str2bytes(line))
-
- fp.close()
- self.build_signature_set()
- except KeyboardInterrupt as e:
- raise e
- except Exception as e:
- raise Exception("Error parsing magic file '%s' on line %d: %s" % (file_name, line_count, str(e)))
-
- def _parse_line(self, line):
- '''
- Parses a signature line into its four parts (offset, type, condition and description),
- looking for the first line of a given signature.
-
- @line - The signature line to parse.
-
- Returns a dictionary with the respective line parts populated if the line is the first of a signature.
- Returns a dictionary with all parts set to None if the line is not the first of a signature.
- '''
- entry = MagicSignature()
-
- # Quick and dirty pre-filter. We are only concerned with the first line of a
- # signature, which will always start with a number. Make sure the first byte of
- # the line is a number; if not, don't process.
- if line[:1] < '0' or line[:1] > '9':
- return None
-
- try:
- # Split the line into white-space separated parts.
- # For this to work properly, replace escaped spaces ('\ ') with '\x20'.
- # This means the same thing, but doesn't confuse split().
- line_parts = line.replace('\\ ', '\\x20').split()
- entry.offset = line_parts[0]
- entry.type = line_parts[1]
- # The condition line may contain escaped sequences, so be sure to decode it properly.
- entry.condition = string_decode(line_parts[2])
- entry.description = ' '.join(line_parts[3:])
- except KeyboardInterrupt as e:
- raise e
- except Exception as e:
- raise Exception("%s :: %s", (str(e), line))
-
- # We've already verified that the first character in this line is a number, so this *shouldn't*
- # throw an exception, but let's catch it just in case...
- try:
- entry.offset = int(entry.offset, 0)
- except KeyboardInterrupt as e:
- raise e
- except Exception as e:
- raise Exception("%s :: %s", (str(e), line))
-
- # If this is a string, get the length of the string
- if 'string' in entry.type or entry.condition == self.WILDCARD:
- entry.length = len(entry.condition)
- # Else, we need to jump through a few more hoops...
- else:
- # Default to little endian, unless the type field starts with 'be'.
- # This assumes that we're running on a little endian system...
- if entry.type.startswith('be'):
- endianness = self.BIG_ENDIAN
- else:
- endianness = self.LITTLE_ENDIAN
-
- # Try to convert the condition to an integer. This does not allow
- # for more advanced conditions for the first line of a signature,
- # but needing that is rare.
- try:
- intval = int(entry.condition.strip('L'), 0)
- except KeyboardInterrupt as e:
- raise e
- except Exception as e:
- raise Exception("Failed to evaluate condition for '%s' type: '%s', condition: '%s', error: %s" % (entry['description'], entry['type'], entry['condition'], str(e)))
-
- # How long is the field type?
- if entry.type == 'byte':
- entry.length = 1
- elif 'short' in entry.type:
- entry.length = 2
- elif 'long' in entry.type:
- entry.length = 4
- elif 'quad' in entry.type:
- entry.length = 8
-
- # Convert the integer value to a string of the appropriate endianness
- entry.condition = self._to_string(intval, entry.length, endianness)
-
- return entry
-
- def build_signature_set(self):
- '''
- Builds a set of signature tuples.
-
- Returns a set of tuples in the format: [(<signature offset>, [signature regex])].
- '''
- self.signature_set = set()
-
- for (offset, sigs) in iterator(self.signatures):
-
- for sig in sigs:
- if sig == self.WILDCARD:
- sig = re.compile('.')
- else:
- sig = re.compile(re.escape(sig))
-
- self.signature_set.add((offset, sig))
-
- return self.signature_set
-
- def find_signature_candidates(self, data, end):
- '''
- Finds candidate signatures inside of the data buffer.
- Called internally by Binwalk.single_scan.
-
- @data - Data to scan for candidate signatures.
- @end - Don't look for signatures beyond this offset.
-
- Returns an ordered list of offsets inside of data at which candidate offsets were found.
- '''
- candidate_offsets = []
-
- for (offset, regex) in self.signature_set:
- candidate_offsets += [(match.start() - offset) for match in regex.finditer(data) if (match.start() - offset) < end and (match.start() - offset) >= 0]
-
- candidate_offsets = list(set(candidate_offsets))
- candidate_offsets.sort()
-
- return candidate_offsets
-
- def _to_string(self, value, size, endianness):
- '''
- Converts an integer value into a raw string.
-
- @value - The integer value to convert.
- @size - Size, in bytes, of the integer value.
- @endianness - One of self.LITTLE_ENDIAN | self.BIG_ENDIAN.
-
- Returns a raw string containing value.
- '''
- data = ""
-
- for i in range(0, size):
- data += chr((value >> (8*i)) & 0xFF)
-
- if endianness != self.LITTLE_ENDIAN:
- data = data[::-1]
-
- return data
-
- def split(self, data):
- '''
- Splits multiple libmagic results in the data string into a list of separate results.
-
- @data - Data string returned from libmagic.
-
- Returns a list of result strings.
- '''
- try:
- return data.split(self.RESULT_SEPERATOR)
- except KeyboardInterrupt as e:
- raise e
- except Exception:
- return []
-
diff --git a/src/binwalk/core/smart.py b/src/binwalk/core/smart.py
deleted file mode 100644
index 21b8b69..0000000
--- a/src/binwalk/core/smart.py
+++ /dev/null
@@ -1,339 +0,0 @@
-# "Smart" parser for handling libmagic signature results. Specifically, this implements
-# support for binwalk's custom libmagic signature extensions (keyword tags, string processing,
-# false positive detection, etc).
-
-import re
-import binwalk.core.module
-from binwalk.core.compat import *
-from binwalk.core.common import get_quoted_strings, MathExpression
-
-class Tag(object):
-
- TAG_DELIM_START = "{"
- TAG_DELIM_END = "}"
- TAG_ARG_SEPERATOR = ":"
-
- def __init__(self, **kwargs):
- self.name = None
- self.keyword = None
- self.type = None
- self.handler = None
- self.tag = None
- self.default = None
-
- for (k,v) in iterator(kwargs):
- setattr(self, k, v)
-
- if self.type == int:
- self.default = 0
- elif self.type == str:
- self.default = ''
-
- if self.keyword is not None:
- self.tag = self.TAG_DELIM_START + self.keyword
- if self.type is None:
- self.tag += self.TAG_DELIM_END
- else:
- self.tag += self.TAG_ARG_SEPERATOR
-
- if self.handler is None:
- if self.type == int:
- self.handler = 'get_math_arg'
- elif self.type == str:
- self.handler = 'get_keyword_arg'
-
-class Signature(object):
- '''
- Class for parsing smart signature tags in libmagic result strings.
-
- This class is intended for internal use only, but a list of supported 'smart keywords' that may be used
- in magic files is available via the SmartSignature.KEYWORDS dictionary:
-
- from binwalk import SmartSignature
-
- for tag in SmartSignature.TAGS:
- print tag.keyword
- '''
-
- TAGS = [
- Tag(name='raw-string', keyword='raw-string', type=str, handler='parse_raw_string'),
- Tag(name='string-len', keyword='string-len', type=str, handler='parse_string_len'),
- Tag(name='math', keyword='math', type=int, handler='parse_math'),
- Tag(name='one-of-many', keyword='one-of-many', handler='one_of_many'),
- Tag(name='display-once', keyword='display-once', handler='display_once'),
-
- Tag(name='jump', keyword='jump-to-offset', type=int),
- Tag(name='name', keyword='file-name', type=str),
- Tag(name='size', keyword='file-size', type=int),
- Tag(name='adjust', keyword='offset-adjust', type=int),
- Tag(name='delay', keyword='extract-delay', type=str),
- Tag(name='year', keyword='file-year', type=str),
- Tag(name='epoch', keyword='file-epoch', type=int),
-
- Tag(name='raw-size', keyword='raw-string-length', type=int),
- Tag(name='raw-replace', keyword='raw-replace'),
- Tag(name='string-len-replace', keyword='string-len'),
- ]
-
- def __init__(self, filter, ignore_smart_signatures=False):
- '''
- Class constructor.
-
- @filter - Instance of the MagicFilter class.
- @ignore_smart_signatures - Set to True to ignore smart signature keywords.
-
- Returns None.
- '''
- self.filter = filter
- self.last_one_of_many = None
- self.valid_once_already_seen = set()
- self.ignore_smart_signatures = ignore_smart_signatures
-
- def parse(self, data):
- '''
- Parse a given data string for smart signature keywords. If any are found, interpret them and strip them.
-
- @data - String to parse, as returned by libmagic.
-
- Returns a dictionary of parsed values.
- '''
- results = {}
- self.valid = True
- self.display = True
-
- if data:
- for tag in self.TAGS:
- if tag.handler is not None:
- (d, arg) = getattr(self, tag.handler)(data, tag)
- if not self.ignore_smart_signatures:
- data = d
-
- if isinstance(arg, type(False)) and arg == False and not self.ignore_smart_signatures:
- self.valid = False
- elif tag.type is not None:
- if self.ignore_smart_signatures:
- results[tag.name] = tag.default
- else:
- results[tag.name] = arg
-
- if self.ignore_smart_signatures:
- results['description'] = data
- else:
- results['description'] = self.strip_tags(data)
- else:
- self.valid = False
-
- results['valid'] = self.valid
- results['display'] = self.display
-
- return binwalk.core.module.Result(**results)
-
- def tag_lookup(self, keyword):
- for tag in self.TAGS:
- if tag.keyword == keyword:
- return tag
- return None
-
- def is_valid(self, data):
- '''
- Validates that result data does not contain smart keywords in file-supplied strings.
-
- @data - Data string to validate.
-
- Returns True if data is OK.
- Returns False if data is not OK.
- '''
- # All strings printed from the target file should be placed in strings, else there is
- # no way to distinguish between intended keywords and unintended keywords. Get all the
- # quoted strings.
- quoted_data = get_quoted_strings(data)
-
- # Check to see if there was any quoted data, and if so, if it contained the keyword starting delimiter
- if quoted_data and Tag.TAG_DELIM_START in quoted_data:
- # If so, check to see if the quoted data contains any of our keywords.
- # If any keywords are found inside of quoted data, consider the keywords invalid.
- for tag in self.TAGS:
- if tag.tag in quoted_data:
- return False
- return True
-
- def safe_string(self, data):
- '''
- Strips out quoted data (i.e., data taken directly from a file).
- '''
- quoted_string = get_quoted_strings(data)
- if quoted_string:
- data = data.replace('"' + quoted_string + '"', "")
- return data
-
- def display_once(self, data, tag):
- '''
- Determines if a given data string should be printed if {display-once} was specified.
-
- @data - String result data.
-
- Returns False if the string result should not be displayed.
- Returns True if the string result should be displayed.
- '''
- if self.filter.valid_result(data):
- signature = data.split(',')[0]
- if signature in self.valid_once_already_seen:
- self.display = False
- return (data, False)
- elif tag.tag in data:
- self.valid_once_already_seen.add(signature)
- return (data, True)
-
- return (data, True)
-
- def one_of_many(self, data, tag):
- '''
- Determines if a given data string is one result of many.
-
- @data - String result data.
-
- Returns False if the string result is one of many and should not be displayed.
- Returns True if the string result is not one of many and should be displayed.
- '''
- if self.filter.valid_result(data):
- if self.last_one_of_many is not None and data.startswith(self.last_one_of_many):
- self.display = False
- elif tag.tag in data:
- # Only match on the data before the first comma, as that is typically unique and static
- self.last_one_of_many = data.split(',')[0]
- else:
- self.last_one_of_many = None
-
- return (data, True)
-
- def get_keyword_arg(self, data, tag):
- '''
- Retrieves the argument for keywords that specify arguments.
-
- @data - String result data, as returned by libmagic.
- @keyword - Keyword index in KEYWORDS.
-
- Returns the argument string value on success.
- Returns a blank string on failure.
- '''
- arg = ''
- safe_data = self.safe_string(data)
-
- if tag.tag in safe_data:
- arg = safe_data.split(tag.tag)[1].split(tag.TAG_DELIM_END)[0]
-
- return (data, arg)
-
- def get_math_arg(self, data, tag):
- '''
- Retrieves the argument for keywords that specifiy mathematical expressions as arguments.
-
- @data - String result data, as returned by libmagic.
- @keyword - Keyword index in KEYWORDS.
-
- Returns the resulting calculated value.
- '''
- value = 0
-
- (data, arg) = self.get_keyword_arg(data, tag)
- if arg:
- value = MathExpression(arg).value
- if value is None:
- value = 0
- self.valid = False
-
- return (data, value)
-
- def parse_math(self, data, tag):
- '''
- Replace math keywords with the requested values.
-
- @data - String result data.
-
- Returns the modified string result data.
- '''
- while tag.tag in self.safe_string(data):
- (data, arg) = self.get_keyword_arg(data, tag)
- v = '%s%s%s' % (tag.tag, arg, tag.TAG_DELIM_END)
- (data, math_value) = self.get_math_arg(data, tag)
- data = data.replace(v, "%d" % math_value)
-
- return (data, None)
-
- def parse_raw_string(self, data, raw_str_tag):
- '''
- Process strings that aren't NULL byte terminated, but for which we know the string length.
- This should be called prior to any other smart parsing functions.
-
- @data - String to parse.
-
- Returns a parsed string.
- '''
- if self.is_valid(data):
- raw_str_length_tag = self.tag_lookup('raw-string-length')
- raw_replace_tag = self.tag_lookup('raw-replace')
-
- # Get the raw string keyword arg
- (data, raw_string) = self.get_keyword_arg(data, raw_str_tag)
-
- # Was a raw string keyword specified?
- if raw_string:
- # Get the raw string length arg
- (data, raw_size) = self.get_math_arg(data, raw_str_length_tag)
-
- # Replace all instances of raw-replace in data with raw_string[:raw_size]
- # Also strip out everything after the raw-string keyword, including the keyword itself.
- # Failure to do so may (will) result in non-printable characters and this string will be
- # marked as invalid when it shouldn't be.
- data = data[:data.find(raw_str_tag.tag)].replace(raw_replace_tag.tag, '"' + raw_string[:raw_size] + '"')
-
- return (data, True)
-
- def parse_string_len(self, data, str_len_tag):
- '''
- Process {string-len} macros.
-
- @data - String to parse.
-
- Returns parsed data string.
- '''
- if not self.ignore_smart_signatures and self.is_valid(data):
-
- str_len_replace_tag = self.tag_lookup('string-len-replace')
-
- # Get the raw string keyword arg
- (data, raw_string) = self.get_keyword_arg(data, str_len_tag)
-
- # Was a string-len keyword specified?
- if raw_string:
- # Get the string length
- try:
- string_length = '%d' % len(raw_string)
- except KeyboardInterrupt as e:
- raise e
- except Exception:
- string_length = '0'
-
- # Strip out *everything* after the string-len keyword, including the keyword itself.
- # Failure to do so can potentially allow keyword injection from a maliciously created file.
- data = data.split(str_len_tag.tag)[0].replace(str_len_replace_tag.tag, string_length)
-
- return (data, True)
-
- def strip_tags(self, data):
- '''
- Strips the smart tags from a result string.
-
- @data - String result data.
-
- Returns a sanitized string.
- '''
- if not self.ignore_smart_signatures:
- for tag in self.TAGS:
- start = data.find(tag.tag)
- if start != -1:
- end = data[start:].find(tag.TAG_DELIM_END)
- if end != -1:
- data = data.replace(data[start:start+end+1], "")
- return data
-
diff --git a/src/binwalk/modules/general.py b/src/binwalk/modules/general.py
index 9deb452..22fc863 100644
--- a/src/binwalk/modules/general.py
+++ b/src/binwalk/modules/general.py
@@ -4,7 +4,6 @@ import os
import sys
import argparse
import binwalk.core.idb
-import binwalk.core.filter
import binwalk.core.common
import binwalk.core.display
import binwalk.core.settings
diff --git a/src/binwalk/modules/signature.py b/src/binwalk/modules/signature.py
index 0668111..3944891 100644
--- a/src/binwalk/modules/signature.py
+++ b/src/binwalk/modules/signature.py
@@ -4,8 +4,6 @@
# If the lzma import fails, this module won't be loaded at all.
import lzma
import binwalk.core.magic
-import binwalk.core.smart
-import binwalk.core.parser
from binwalk.core.module import Module, Option, Kwarg
class Signature(Module):
@@ -75,27 +73,13 @@ class Signature(Module):
VERBOSE_FORMAT = "%s %d"
def init(self):
- self.keep_going = self.config.keep_going
-
- # Initialize the filter
- self.filter = binwalk.core.filter.Filter(self.show_invalid)
-
- # Set any specified include/exclude filters
- for regex in self.exclude_filters:
- self.filter.exclude(regex)
- for regex in self.include_filters:
- self.filter.include(regex)
-
- # Create Signature and MagicParser class instances. These are mostly for internal use.
- self.smart = binwalk.core.smart.Signature(self.filter, ignore_smart_signatures=self.dumb_scan)
- self.parser = binwalk.core.parser.MagicParser(self.filter, self.smart)
-
# If a raw byte sequence was specified, build a magic file from that instead of using the default magic files
- if self.raw_bytes is not None:
- self.magic_files = [self.parser.file_from_string(self.raw_bytes)]
+ # TODO: re-implement this
+ #if self.raw_bytes is not None:
+ # self.magic_files = [self.parser.file_from_string(self.raw_bytes)]
# Append the user's magic file first so that those signatures take precedence
- elif self.search_for_opcodes:
+ if self.search_for_opcodes:
self.magic_files = [
self.config.settings.user.binarch,
self.config.settings.system.binarch,
@@ -113,26 +97,25 @@ class Signature(Module):
self.magic_files.append(self.config.settings.user.binwalk)
self.magic_files.append(self.config.settings.system.binwalk)
- # Parse the magic file(s)
- binwalk.core.common.debug("Loading magic files: %s" % str(self.magic_files))
- self.mfile = self.parser.parse(self.magic_files)
-
# Initialize libmagic
- self.magic = binwalk.core.magic.Magic(self.mfile, keep_going=self.keep_going)
+ self.magic = binwalk.core.magic.Magic(include=self.include_filters,
+ exclude=self.exclude_filters,
+ invalid=self.show_invalid)
- # Once the temporary magic files are loaded into libmagic, we don't need them anymore; delete the temp files
- if not binwalk.core.common.DEBUG:
- self.parser.rm_magic_files()
+ # Parse the magic file(s)
+ binwalk.core.common.debug("Loading magic files: %s" % str(self.magic_files))
+ for f in self.magic_files:
+ self.magic.load(f)
- self.VERBOSE = ["Signatures:", self.parser.signature_count]
+ self.VERBOSE = ["Signatures:", len(self.magic.signatures)]
def validate(self, r):
'''
Called automatically by self.result.
'''
- if self.filter.show_invalid_results:
+ if self.show_invalid:
r.valid = True
- else:
+ elif r.valid:
if not r.description:
r.valid = False
@@ -142,8 +125,6 @@ class Signature(Module):
if r.jump and (r.jump + r.offset) > r.file.size:
r.valid = False
- r.valid = self.filter.valid_result(r.description)
-
def scan_file(self, fp):
current_file_offset = 0
@@ -156,29 +137,26 @@ class Signature(Module):
block_start = fp.tell() - dlen
self.status.completed = block_start - fp.offset
- for candidate_offset in self.parser.find_signature_candidates(data, dlen):
+ # TODO: Make magic scan return a results object.
+ for r in self.magic.scan(data, dlen):
# current_block_offset is set when a jump-to-offset keyword is encountered while
# processing signatures. This points to an offset inside the current data block
# that scanning should jump to, so ignore any subsequent candidate signatures that
- # occurr before this offset inside the current data block.
- if candidate_offset < current_block_offset:
- continue
-
- # Pass the data to libmagic for parsing
- magic_result = self.magic.buffer(data[candidate_offset:candidate_offset+fp.block_peek_size])
- if not magic_result:
+ # occur before this offset inside the current data block.
+ if r.offset < current_block_offset:
continue
- # The smart filter parser returns a binwalk.core.module.Result object
- r = self.smart.parse(magic_result)
-
# Set the absolute offset inside the target file
- r.offset = block_start + candidate_offset + r.adjust
+ # TODO: Don't need the offset adjust stuff anymore, get rid of it
+ r.offset = block_start + r.offset + r.adjust
# Provide an instance of the current file object
r.file = fp
+ # Check if this was marked as invalid
+ r.valid = (not r.invalid)
+
# Register the result for futher processing/display
# self.result automatically calls self.validate for result validation
self.result(r=r)
@@ -200,6 +178,3 @@ class Signature(Module):
self.scan_file(fp)
self.footer()
- if hasattr(self, "magic") and self.magic:
- self.magic.close()
-
diff --git a/src/magic/archives b/src/magic/archives
index 3c05e3f..5fc8cff 100644
--- a/src/magic/archives
+++ b/src/magic/archives
@@ -37,14 +37,14 @@
>4 byte 0x14
>>30 ubelong !0x6d696d65 at least v2.0 to extract,
>18 lelong !0
->>18 lelong <0 invalid
+>>18 lelong <0 {invalid}
>>18 lelong x compressed size: %d,
>>18 lelong x {jump-to-offset:%d}
>22 lelong !0
->>22 lelong <0 invalid
+>>22 lelong <0 {invalid}
>>22 lelong x uncompressed size: %d,{extract-delay:End of Zip archive}
->30 byte <0x2D invalid file name,
->30 byte >0x7A invalid file name,
+>30 byte <0x2D {invalid} file name,
+>30 byte >0x7A {invalid} file name,
>30 string x name: {raw-replace}
>26 leshort x {raw-string-length:%d}
>30 string x {raw-string:%s
@@ -66,25 +66,25 @@
# ARJ archiver (jason@jarthur.Claremont.EDU)
0 leshort 0xea60 ARJ archive data,
>2 leshort x header size: %d,
->5 byte <1 invalid
->5 byte >16 invalid
+>5 byte <1 {invalid}
+>5 byte >16 {invalid}
>5 byte x version %d,
->6 byte <1 invalid
->6 byte >16 invalid
+>6 byte <1 {invalid}
+>6 byte >16 {invalid}
>6 byte x minimum version to extract: %d,
->8 byte <0 invalid flags,
+>8 byte <0 {invalid} flags,
>8 byte &0x04 multi-volume,
>8 byte &0x10 slash-switched,
>8 byte &0x20 backup,
->9 byte <0 invalid compression method,
->9 byte >4 invalid compression method,
+>9 byte <0 {invalid} compression method,
+>9 byte >4 {invalid} compression method,
>9 byte 0 compression method: stored,
>9 byte 1 compression method: compressed most,
>9 byte 2 compression method: compressed,
>9 byte 3 compression method: compressed faster,
>9 byte 4 compression method: compressed fastest,
->10 byte <0 invalid file type
->10 byte >4 invalid file type
+>10 byte <0 {invalid} file type
+>10 byte >4 {invalid} file type
>10 byte 0 file type: binary,
>10 byte 1 file type: 7-bit text,
>10 byte 2 file type: comment header,
@@ -94,9 +94,9 @@
>>34 string x {file-name:%s}
>>34 string x original name: "%s",
>0xC ledate x original file date: %s,
->0x10 lelong <0 invalid
+>0x10 lelong <0 {invalid}
>0x10 lelong x compressed file size: %d,
->0x14 lelong <0 invalid
+>0x14 lelong <0 {invalid}
>0x14 lelong x uncompressed file size: %d,
>7 byte 0 os: MS-DOS
>7 byte 1 os: PRIMOS
@@ -108,13 +108,13 @@
>7 byte 7 os: Atari ST
>7 byte 8 os: NeXT
>7 byte 9 os: VAX/VMS
->7 byte >9 invalid os
->7 byte <0 invalid os
+>7 byte >9 {invalid} os
+>7 byte <0 {invalid} os
# RAR archiver (http://kthoom.googlecode.com/hg/docs/unrar.html)
0 string \x52\x61\x72\x21\x1A\x07\x00 RAR archive data, first volume type:
->9 ubyte <0x72 invalid
->9 ubyte >0x7B invalid
+>9 ubyte <0x72 {invalid}
+>9 ubyte >0x7B {invalid}
>9 ubyte 0x72 MARK_HEAD
>9 ubyte 0x73 MAIN_HEAD
>9 ubyte 0x74 FILE_HEAD
@@ -155,18 +155,18 @@
# This keyword is not intended to be passed a string (%s), and doing so can open
# up the possibility of keyword injection by a malicious file. This works here though, because:
#
-# 1) It would result in an invalid CPIO file (invalid size)
+# 1) It would result in an {invalid} CPIO file ({invalid} size)
# 2) All valid keywords require more than 8 bytes, so a valid one can't be
# injected in the %.8s field.
0 string 070701 ASCII cpio archive (SVR4 with no CRC),
->110 byte 0 invalid
+>110 byte 0 {invalid}
#>110 byte !0x2F
-#>>110 string !TRAILER!!! invalid
->94 byte <0x30 invalid
->94 byte >0x66 invalid
->54 byte <0x30 invalid
->54 byte >0x66 invalid
+#>>110 string !TRAILER!!! {invalid}
+>94 byte <0x30 {invalid}
+>94 byte >0x66 {invalid}
+>54 byte <0x30 {invalid}
+>54 byte >0x66 {invalid}
>110 string x file name: "%s",
>94 string x file name length: "0x%.8s",
>54 string x file size: "0x%.8s"
@@ -174,13 +174,13 @@
>94 string x \b0x%.8s}
0 string 070702 ASCII cpio archive (SVR4 with CRC)
->110 byte 0 invalid
+>110 byte 0 {invalid}
#>110 byte !0x2F
-#>>110 string !TRAILER!!! invalid
->94 byte <0x30 invalid
->94 byte >0x66 invalid
->54 byte <0x30 invalid
->54 byte >0x66 invalid
+#>>110 string !TRAILER!!! {invalid}
+>94 byte <0x30 {invalid}
+>94 byte >0x66 {invalid}
+>54 byte <0x30 {invalid}
+>54 byte >0x66 {invalid}
>110 string x file name: "%s",
>94 string x file name length: "0x%.8s",
>54 string x file size: "0x%.8s"
@@ -226,8 +226,8 @@
# IBM AIX Backup File Format header and entry signatures
0 lelong 0xea6b0009 BFF volume header,
>4 leshort x checksum: 0x%.4X,
->6 leshort <0 invalid
->6 leshort 0 invalid
+>6 leshort <0 {invalid}
+>6 leshort 0 {invalid}
>6 leshort x volume number: %d,
>8 ledate x current date: %s,
>12 ledate x starting date: %s,
@@ -236,47 +236,47 @@
>52 string x user name: "%s"
0 leshort 0xea6b BFF volume entry,{offset-adjust:-2}
->22 lelong <0 invalid
+>22 lelong <0 {invalid}
>22 lelong 0 directory,
>22 lelong >0
>>22 lelong x file size: %d,
->>54 lelong <0 invalid
->>54 lelong 0 invalid
+>>54 lelong <0 {invalid}
+>>54 lelong 0 {invalid}
>>54 lelong x compressed size: %d,
->58 lelong !0 invalid
->62 byte 0 invalid
+>58 lelong !0 {invalid}
+>62 byte 0 {invalid}
>62 byte !0x2e
->>62 byte !0x2f invalid
+>>62 byte !0x2f {invalid}
>62 string x file name: "%s
>92 string x \b%s"
0 leshort 0xea6c BFF volume entry, compressed,{offset-adjust:-2}
->22 lelong <0 invalid
+>22 lelong <0 {invalid}
>22 lelong 0 directory,
>22 lelong >0
>>22 lelong x file size: %d,
->>54 lelong <0 invalid
->>54 lelong 0 invalid
+>>54 lelong <0 {invalid}
+>>54 lelong 0 {invalid}
>>54 lelong x compressed size: %d,
->58 lelong !0 invalid
->62 byte 0 invalid
+>58 lelong !0 {invalid}
+>62 byte 0 {invalid}
>62 byte !0x2e
->>62 byte !0x2f invalid
+>>62 byte !0x2f {invalid}
>62 string x file name: "%s
>92 string x \b%s"
0 leshort 0xea6d BFF volume entry, AIXv3,{offset-adjust:-2}
->22 lelong <0 invalid
+>22 lelong <0 {invalid}
>22 lelong 0 directory,
>22 lelong >0
>>22 lelong x file size: %d,
->>54 lelong <0 invalid
->>54 lelong 0 invalid
+>>54 lelong <0 {invalid}
+>>54 lelong 0 {invalid}
>>54 lelong x compressed size: %d,
->58 lelong !0 invalid
->62 byte 0 invalid
+>58 lelong !0 {invalid}
+>62 byte 0 {invalid}
>62 byte !0x2e
->>62 byte !0x2f invalid
+>>62 byte !0x2f {invalid}
>62 string x file name: "%s
>92 string x \b%s"
@@ -285,10 +285,10 @@
# Microsoft Cabinet files
0 string MSCF\0\0\0\0 Microsoft Cabinet archive data
# According to libmagic comments, CAB version number is always 1.3
->25 byte !1 \b,invalid major version
->24 byte !3 \b,invalid minor version
+>25 byte !1 \b,{invalid} major version
+>24 byte !3 \b,{invalid} minor version
>8 lelong x \b, %u bytes
->28 leshort 0 \b, 0 files (invalid)
+>28 leshort 0 \b, 0 files ({invalid})
>28 leshort 1 \b, 1 file
>28 leshort >1 \b, %u files
@@ -297,9 +297,9 @@
# TODO: Version number checks should be made more specific for false positive filtering
>5 byte&0xf0 =0x60 version 6,
>5 byte&0xf0 <0x60 version 4/5,
->5 byte&0xf0 >0x60 invalid version,
->12 lelong <0 invalid offset,
->12 lelong >100000 invalid offset,
+>5 byte&0xf0 >0x60 {invalid} version,
+>12 lelong <0 {invalid} offset,
+>12 lelong >100000 {invalid} offset,
>(12.l+40) lelong x %u files
# Windows CE package files
@@ -330,9 +330,9 @@
# BSA archives, based on http://forum.step-project.com/topic/5033-ramifications-of-bsa-extraction-in-mod-organizer/page-16
0 string BSA\x00\x67 BSA archive, version: 103,
->8 byte !0x24 invalid
+>8 byte !0x24 {invalid}
>8 byte 0x24 folder records offset: %d
0 string BSA\x00\x68 BSA archive, version: 104,
->8 byte !0x24 invalid
+>8 byte !0x24 {invalid}
>8 byte 0x24 folder records offset: %d
diff --git a/src/magic/bootloaders b/src/magic/bootloaders
index 68768a3..6d7686d 100644
--- a/src/magic/bootloaders
+++ b/src/magic/bootloaders
@@ -3,11 +3,11 @@
# CFE bootloader
0 string CFE1CFE1 CFE boot loader
->40 string CFE1CFE1 invalid
+>40 string CFE1CFE1 {invalid}
# U-Boot boot loader
0 string U-Boot\x20 U-Boot version string,
->7 byte <48 invalid,
->7 byte >57 invalid,
->8 byte !0x2E invalid,
+>7 byte <48 {invalid},
+>7 byte >57 {invalid},
+>8 byte !0x2E {invalid},
>0 string x "%s"
diff --git a/src/magic/compressed b/src/magic/compressed
index 392fa17..91dd924 100644
--- a/src/magic/compressed
+++ b/src/magic/compressed
@@ -17,11 +17,11 @@
# lzop from <markus.oberhumer@jk.uni-linz.ac.at>
0 string \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a lzop compressed data
->9 beshort >0x093F invalid
+>9 beshort >0x093F {invalid}
>9 beshort <0x0940
>>9 byte&0xf0 =0x00 - version 0.
>>9 beshort&0x0fff x \b%03x,
->>9 beshort&0x0fff <1 invalid,
+>>9 beshort&0x0fff <1 {invalid},
>>13 byte 1 LZO1X-1,
>>13 byte 2 LZO1X-1(15),
>>13 byte 3 LZO1X-999,
@@ -58,9 +58,9 @@
# lzip
0 string LZIP lzip compressed data,
->4 ubyte 0 invalid
+>4 ubyte 0 {invalid}
# Current version is still 1.x
->4 ubyte >4 invalid
+>4 ubyte >4 {invalid}
>4 byte x version: %d
# lrzip
@@ -73,10 +73,10 @@
# http://www.7-zip.org or DOC/7zFormat.txt
#
0 string 7z\274\257\047\034 7-zip archive data,
->6 byte <0 invalid
+>6 byte <0 {invalid}
>6 byte 0
->>7 byte 0 invalid
->6 byte >20 invalid
+>>7 byte 0 {invalid}
+>6 byte >20 {invalid}
>6 byte x version %d
>7 byte x \b.%d
@@ -95,12 +95,12 @@
#0 string \037\213\x08 gzip compressed data
0 string \x1f\x8b\x08 gzip compressed data
>3 byte &0x01 \b, ASCII
->3 byte&0xE0 !0x00 \b, invalid reserved flag bits
+>3 byte&0xE0 !0x00 \b, {invalid} reserved flag bits
>8 byte 2 \b, maximum compression
>8 byte 4 \b, fastest compression
->8 byte 1 \b, invalid extra flags
->8 byte 3 \b, invalid extra flags
->8 byte >4 \b, invalid extra flags
+>8 byte 1 \b, {invalid} extra flags
+>8 byte 3 \b, {invalid} extra flags
+>8 byte >4 \b, {invalid} extra flags
>3 byte &0x02 \b, has header CRC
>3 byte&0x04 0x04
>>10 leshort x \b, has %d bytes of extra data
@@ -125,18 +125,18 @@
>9 byte =0x0C \b, from QDOS
>9 byte =0x0D \b, from Acorn RISCOS
#>9 byte =0xFF \b, from ZyNOS
-#>9 byte >0x0D \b, invalid
+#>9 byte >0x0D \b, {invalid}
#>>9 byte x source: 0x%.2X
-#>9 byte <0 \b, invalid
+#>9 byte <0 \b, {invalid}
#>>9 byte x source: 0x%.2X
->3 byte &0x20 \b, encrypted (invalid)
-# Dates before 1992 are invalid, unless of course you're DD-WRT in which
+>3 byte &0x20 \b, encrypted ({invalid})
+# Dates before 1992 are {invalid}, unless of course you're DD-WRT in which
# case you don't know how to set a date in your gzip files. Brilliant.
>4 lelong =0 \b, NULL date:
->4 lelong <0 \b, invalid date:
+>4 lelong <0 \b, {invalid} date:
>4 lelong >0
->>4 lelong <694224000 \b, invalid date:
->>4 lelong =694224000 \b, invalid date:
+>>4 lelong <694224000 \b, {invalid} date:
+>>4 lelong =694224000 \b, {invalid} date:
>>4 lelong >694224000 \b, last modified:
>4 ledate x %s
>4 lelong x \b{file-epoch:%d}
diff --git a/src/magic/console b/src/magic/console
index 9fbe0c3..e5c2623 100644
--- a/src/magic/console
+++ b/src/magic/console
@@ -77,16 +77,16 @@
0 string XBEH Microsoft Xbox executable (XBE),
## probabilistic checks whether signed or not
>0x0004 ulelong =0x0
->>2 ulelong !0x0 \b, invalid
+>>2 ulelong !0x0 \b, {invalid}
>>2 ulelong =0x0
->>>2 ulelong !0x0 \b, invalid
+>>>2 ulelong !0x0 \b, {invalid}
>>>2 ulelong =0x0 \b, not signed
>0x0004 ulelong >0
->>2 ulelong =0x0 \b, invalid
+>>2 ulelong =0x0 \b, {invalid}
>>2 ulelong >0
->>>2 ulelong =0x0 \b, invalid
+>>>2 ulelong =0x0 \b, {invalid}
>>>2 ulelong >0 \b, signed
->0x0104 lelong <0 \b, invalid base address
+>0x0104 lelong <0 \b, {invalid} base address
## expect base address of 0x10000
>0x0104 ulelong =0x10000
>>(0x0118-0x0FF60) ulelong&0x80000007 0x80000007 \b, all regions
@@ -103,8 +103,8 @@
# # http://home.comcast.net/~admiral_powerslave/filestructure.html
0 string XIP0 XIP, Microsoft Xbox data,
>12 lelong x total size: %d
->16 lelong !0 invalid
->24 lelong !0 invalid
+>16 lelong !0 {invalid}
+>24 lelong !0 {invalid}
0 string XTF0\x00\x00\x00 XTF, Microsoft Xbox data
diff --git a/src/magic/crypto b/src/magic/crypto
index f0b31f4..04fb8b5 100644
--- a/src/magic/crypto
+++ b/src/magic/crypto
@@ -18,11 +18,11 @@
# Type: Certificates/key files in DER format
# From: Gert Hulselmans <hulselmansgert@gmail.com>
0 string \x30\x82 Private key in DER format (PKCS#8),
->4 string !\x02\x01\x00 invalid,
+>4 string !\x02\x01\x00 {invalid},
>>2 beshort x header length: 4, sequence length: %d
0 string \x30\x82 Certificate in DER format (x509 v3),
->4 string !\x30\x82 invalid,
+>4 string !\x30\x82 {invalid},
>>2 beshort x header length: 4, sequence length: %d
# GnuPG
@@ -40,11 +40,11 @@
# Mavroyanopoulos Nikos <nmav@hellug.gr>
# mcrypt: file(1) magic for mcrypt 2.2.x;
#0 string \0m\3 mcrypt 2.5 encrypted data,
-#>4 byte 0 invalid
+#>4 byte 0 {invalid}
#>4 string >\0 algorithm: "%s",
-#>>&1 leshort <1 invalid
+#>>&1 leshort <1 {invalid}
#>>&1 leshort >0 keysize: %d bytes,
-#>>>&0 byte 0 invalid
+#>>>&0 byte 0 {invalid}
#>>>&0 string >\0 mode: "%s",
0 string \0m\2 mcrypt 2.2 encrypted data,
@@ -66,23 +66,23 @@
>3 byte 16 algorithm: blowfish-256,
>3 byte 100 algorithm: RC6,
>3 byte 101 algorithm: IDEA,
->3 byte <0 invalid algorithm
->3 byte >101 invalid algorithm,
+>3 byte <0 {invalid} algorithm
+>3 byte >101 {invalid} algorithm,
>3 byte >16
->>3 byte <100 invalid algorithm,
+>>3 byte <100 {invalid} algorithm,
>4 byte 0 mode: CBC,
>4 byte 1 mode: ECB,
>4 byte 2 mode: CFB,
>4 byte 3 mode: OFB,
>4 byte 4 mode: nOFB,
->4 byte <0 invalid mode,
->4 byte >4 invalid mode,
+>4 byte <0 {invalid} mode,
+>4 byte >4 {invalid} mode,
>5 byte 0 keymode: 8bit
>5 byte 1 keymode: 4bit
>5 byte 2 keymode: SHA-1 hash
>5 byte 3 keymode: MD5 hash
->5 byte <0 invalid keymode
->5 byte >3 invalid keymode
+>5 byte <0 {invalid} keymode
+>5 byte >3 {invalid} keymode
#------------------------------------------------------------------------------
# pgp: file(1) magic for Pretty Good Privacy
diff --git a/src/magic/executables b/src/magic/executables
index eba1bd9..9b0731a 100644
--- a/src/magic/executables
+++ b/src/magic/executables
@@ -11,7 +11,7 @@
#
# updated by Daniel Quinlan (quinlan@yggdrasil.com)
0 string \177ELF ELF
->4 byte 0 invalid class
+>4 byte 0 {invalid} class
>4 byte 1 32-bit
# only for MIPS - in the future, the ABI field of e_flags should be used.
>>18 leshort 8
@@ -26,7 +26,7 @@
>4 byte >2
>>4 byte x unknown ELF class: 0x%X
>5 byte !1
->>5 byte !2 invalid byte order
+>>5 byte !2 {invalid} byte order
>5 byte 1 LSB
# The official e_machine number for MIPS is now #8, regardless of endianness.
# The second number (#10) will be deprecated later. For now, we still
@@ -66,21 +66,21 @@
#>>>(0x38+0x10) lelong >0 (signal %d),
>>16 leshort &0xff00 processor-specific,
>>18 leshort 0 no machine,
->>18 leshort 1 AT&T WE32100 - invalid byte order,
->>18 leshort 2 SPARC - invalid byte order,
+>>18 leshort 1 AT&T WE32100 - {invalid} byte order,
+>>18 leshort 2 SPARC - {invalid} byte order,
>>18 leshort 3 Intel 80386,
>>18 leshort 4 Motorola
->>>36 lelong &0x01000000 68000 - invalid byte order,
->>>36 lelong &0x00810000 CPU32 - invalid byte order,
->>>36 lelong 0 68020 - invalid byte order,
->>18 leshort 5 Motorola 88000 - invalid byte order,
+>>>36 lelong &0x01000000 68000 - {invalid} byte order,
+>>>36 lelong &0x00810000 CPU32 - {invalid} byte order,
+>>>36 lelong 0 68020 - {invalid} byte order,
+>>18 leshort 5 Motorola 88000 - {invalid} byte order,
>>18 leshort 6 Intel 80486,
>>18 leshort 7 Intel 80860,
>>18 leshort 8 MIPS,
->>18 leshort 9 Amdahl - invalid byte order,
+>>18 leshort 9 Amdahl - {invalid} byte order,
>>18 leshort 10 MIPS (deprecated),
->>18 leshort 11 RS6000 - invalid byte order,
->>18 leshort 15 PA-RISC - invalid byte order,
+>>18 leshort 11 RS6000 - {invalid} byte order,
+>>18 leshort 15 PA-RISC - {invalid} byte order,
>>>50 leshort 0x0214 2.0
>>>48 leshort &0x0008 (LP64),
>>18 leshort 16 nCUBE,
@@ -96,7 +96,7 @@
>>18 leshort 41 Alpha,
>>18 leshort 0xa390 IBM S/390 (obsolete),
>>18 leshort 42 Hitachi SH,
->>18 leshort 43 SPARC V9 - invalid byte order,
+>>18 leshort 43 SPARC V9 - {invalid} byte order,
>>18 leshort 44 Siemens Tricore Embedded Processor,
>>18 leshort 45 Argonaut RISC Core, Argonaut Technologies Inc.,
>>18 leshort 46 Hitachi H8/300,
@@ -111,7 +111,7 @@
>>18 leshort 75 Digital VAX,
>>18 leshort 97 NatSemi 32k,
>>18 leshort 0x9026 Alpha (unofficial),
->>20 lelong 0 invalid version
+>>20 lelong 0 {invalid} version
>>20 lelong 1 version 1
>>36 lelong 1 MathCoPro/FPU/MAU Required
>5 byte 2 MSB
@@ -150,13 +150,13 @@
>>18 beshort 0 no machine,
>>18 beshort 1 AT&T WE32100,
>>18 beshort 2 SPARC,
->>18 beshort 3 Intel 80386 - invalid byte order,
+>>18 beshort 3 Intel 80386 - {invalid} byte order,
>>18 beshort 4 Motorola
>>>36 belong &0x01000000 68000,
>>>36 belong &0x00810000 CPU32,
>>>36 belong 0 68020,
>>18 beshort 5 Motorola 88000,
->>18 beshort 6 Intel 80486 - invalid byte order,
+>>18 beshort 6 Intel 80486 - {invalid} byte order,
>>18 beshort 7 Intel 80860,
>>18 beshort 8 MIPS,
>>18 beshort 9 Amdahl,
@@ -201,7 +201,7 @@
>>18 beshort 0x9026 Alpha (unofficial),
>>18 beshort 0xa390 IBM S/390 (obsolete),
>>18 beshort 0xde3d Ubicom32,
->>20 belong 0 invalid version
+>>20 belong 0 {invalid} version
>>20 belong 1 version 1
>>36 belong 1 MathCoPro/FPU/MAU Required
# Up to now only 0, 1 and 2 are defined; I've seen a file with 0x83, it seemed
@@ -227,13 +227,13 @@
# Some simple Microsoft executable signatures
0 string MZ\0\0\0\0\0\0 Microsoft
->0x3c lelong <4 invalid
+>0x3c lelong <4 {invalid}
>(0x3c.l) string !PE\0\0 MS-DOS executable
>(0x3c.l) string PE\0\0 portable executable
0 string MZ Microsoft
->0x3c lelong <4 invalid
->(0x3c.l) string !PE\0\0 invalid
+>0x3c lelong <4 {invalid}
+>(0x3c.l) string !PE\0\0 {invalid}
>(0x3c.l) string PE\0\0 portable executable
@@ -245,8 +245,8 @@
# Additional fields added by Craig Heffner
#
0 string bFLT BFLT executable
->4 belong <1 invalid
->4 belong >4 invalid
+>4 belong <1 {invalid}
+>4 belong >4 {invalid}
>4 belong x version %d,
>4 belong 4
>8 belong x code offset: 0x%.8X,
@@ -361,7 +361,7 @@
>4 belong 0x0030 (Java 1.4)
>4 belong 0x0031 (Java 1.5)
>4 belong 0x0032 (Java 1.6)
->4 belong >0x0050 invalid
+>4 belong >0x0050 {invalid}
# Summary: HP-38/39 calculator
0 string HP38Bin HP 38 binary
@@ -376,8 +376,8 @@
>7 string I (Target List)
>7 string J (ASCII Vector specification)
>7 string K (wildcard)
->7 byte <0x41 invalid
->7 byte >0x4B invalid
+>7 byte <0x41 {invalid}
+>7 byte >0x4B {invalid}
0 string HP39Bin HP 39 binary
>7 string A (Directory List)
@@ -391,8 +391,8 @@
>7 string I (Target List)
>7 string J (ASCII Vector specification)
>7 string K (wildcard)
->7 byte <0x41 invalid
->7 byte >0x4B invalid
+>7 byte <0x41 {invalid}
+>7 byte >0x4B {invalid}
0 string HP38Asc HP 38 ASCII
>7 string A (Directory List)
@@ -406,8 +406,8 @@
>7 string I (Target List)
>7 string J (ASCII Vector specification)
>7 string K (wildcard)
->7 byte <0x41 invalid
->7 byte >0x4B invalid
+>7 byte <0x41 {invalid}
+>7 byte >0x4B {invalid}
0 string HP39Asc HP 39 ASCII
>7 string A (Directory List)
@@ -421,8 +421,8 @@
>7 string I (Target List)
>7 string J (ASCII Vector specification)
>7 string K (wildcard)
->7 byte <0x41 invalid
->7 byte >0x4B invalid
+>7 byte <0x41 {invalid}
+>7 byte >0x4B {invalid}
# Summary: HP-48/49 calculator
0 string HPHP48 HP 48 binary
@@ -450,8 +450,8 @@
>8 leshort 0x2e48 (GNAME)
>8 leshort 0x2e6d (LNAME)
>8 leshort 0x2e92 (XLIB)
->8 leshort <0x2911 (invalid)
->8 leshort >0x2e92 (invalid)
+>8 leshort <0x2911 ({invalid})
+>8 leshort >0x2e92 ({invalid})
0 string HPHP49 HP 49 binary
>8 leshort 0x2911 (ADR)
@@ -478,16 +478,16 @@
>8 leshort 0x2e48 (GNAME)
>8 leshort 0x2e6d (LNAME)
>8 leshort 0x2e92 (XLIB)
->8 leshort <0x2911 (invalid)
->8 leshort >0x2e92 (invalid)
+>8 leshort <0x2911 ({invalid})
+>8 leshort >0x2e92 ({invalid})
0 string \x23!/ Executable script,
>6 byte !0x2F
->>7 byte !0x2F invalid
+>>7 byte !0x2F {invalid}
>2 string x shebang: "%s"
0 string \x23!\x20/ Executable script,
>7 byte !0x2F
->>8 byte !0x2F invalid
+>>8 byte !0x2F {invalid}
>3 string x shebang: "%s"
diff --git a/src/magic/filesystems b/src/magic/filesystems
index f2a47d9..d49cbc2 100644
--- a/src/magic/filesystems
+++ b/src/magic/filesystems
@@ -5,25 +5,25 @@
>0x402 beshort x %d zones
>0x1e string minix \b, bootable
>0x1e string !minix
->>0x1e string !\x00\x00\x00\x00\x00 invalid
+>>0x1e string !\x00\x00\x00\x00\x00 {invalid}
0x410 string \x13\x7f\x00\x00\x00\x00 Minix filesystem, V1, big endian,
>0x402 beshort x %d zones
>0x1e string minix \b, bootable
>0x1e string !minix
->>0x1e string !\x00\x00\x00\x00\x00 invalid
+>>0x1e string !\x00\x00\x00\x00\x00 {invalid}
0x410 string \x8f\x13\x00\x00\x00\x00 Minix filesystem, V1, little endian, 30 char names,
>0x402 beshort x %d zones
>0x1e string minix \b, bootable
>0x1e string !minix
->>0x1e string !\x00\x00\x00\x00\x00 invalid
+>>0x1e string !\x00\x00\x00\x00\x00 {invalid}
0x410 string \x13\x8f\x00\x00\x00\x00 Minix filesystem, V1, big endian, 30 char names,
>0x402 beshort x %d zones
>0x1e string minix \b, bootable
>0x1e string !minix
->>0x1e string !\x00\x00\x00\x00\x00 invalid
+>>0x1e string !\x00\x00\x00\x00\x00 {invalid}
#0x410 leshort 0x2468 Minix filesystem, V2, little endian,
#>0x402 beshort x %d zones
@@ -38,7 +38,7 @@
# EFS2 file system - jojo@utulsa.edu
0 lelong 0x53000000 EFS2 Qualcomm filesystem super block, little endian,
->8 string !EFSSuper invalid,
+>8 string !EFSSuper {invalid},
>4 leshort&0x01 1 NAND
>4 leshort&0x01 0 NOR
>4 leshort x version 0x%x,
@@ -47,7 +47,7 @@
>20 lelong x 0x%x bytes per page
0 belong 0x53000000 EFS2 Qualcomm filesystem super block, big endian,
->8 string !SSFErepu invalid,
+>8 string !SSFErepu {invalid},
>4 beshort&0x01 1 NAND
>4 beshort&0x01 0 NOR
>4 beshort x version 0x%x,
@@ -58,7 +58,7 @@
# TROC file system
0 string TROC TROC filesystem,
>4 lelong x %d file entries
->4 lelong <1 (invalid)
+>4 lelong <1 ({invalid})
# PFS file system
0 string PFS/ PFS filesystem,
@@ -73,33 +73,33 @@
# cramfs filesystem - russell@coker.com.au
0 lelong 0x28cd3d45 CramFS filesystem, little endian
->4 lelong <0 invalid
->4 lelong >1073741824 invalid
+>4 lelong <0 {invalid}
+>4 lelong >1073741824 {invalid}
>4 lelong x size %u
>8 lelong &1 version #2
>8 lelong &2 sorted_dirs
>8 lelong &4 hole_support
>32 lelong x CRC 0x%x,
>36 lelong x edition %u,
->40 lelong <0 invalid
+>40 lelong <0 {invalid}
>40 lelong x %u blocks,
->44 lelong <0 invalid
+>44 lelong <0 {invalid}
>44 lelong x %u files
>4 lelong x {jump-to-offset:%u}
>4 lelong x {file-size:%u}
0 belong 0x28cd3d45 CramFS filesystem, big endian
->4 belong <0 invalid
->4 belong >1073741824 invalid
+>4 belong <0 {invalid}
+>4 belong >1073741824 {invalid}
>4 belong x size %u
>8 belong &1 version #2
>8 belong &2 sorted_dirs
>8 belong &4 hole_support
>32 belong x CRC 0x%x,
>36 belong x edition %u,
->40 belong <0 invalid
+>40 belong <0 {invalid}
>40 belong x %u blocks,
->44 belong <0 invalid
+>44 belong <0 {invalid}
>44 belong x %u files
>4 belong x {jump-to-offset:%u}
>4 belong x {file-size:%u}
@@ -120,7 +120,7 @@
>>>>2 leshort !0x2004
>>>>>2 leshort !0x2006
>>>>>>2 leshort !0xE008
->>>>>>>2 leshort !0xE009 \b, invalid
+>>>>>>>2 leshort !0xE009 \b, {invalid}
>(4.l) leshort !0x1985
>>(4.l+1) leshort !0x1985
>>>(4.l+2) leshort !0x1985
@@ -128,9 +128,9 @@
>>>>>(4.l) leshort !0xFFFF
>>>>>>(4.l+1) leshort !0xFFFF
>>>>>>>(4.l+2) leshort !0xFFFF
->>>>>>>>(4.l+3) leshort !0xFFFF \b, invalid
->4 lelong 0 invalid
->4 lelong <0 invalid
+>>>>>>>>(4.l+3) leshort !0xFFFF \b, {invalid}
+>4 lelong 0 {invalid}
+>4 lelong <0 {invalid}
>4 lelong x {one-of-many}{jump-to-offset:%d}
0 beshort 0x1985 JFFS2 filesystem, big endian
@@ -140,7 +140,7 @@
>>>>2 beshort !0x2004
>>>>>2 beshort !0x2006
>>>>>>2 beshort !0xE008
->>>>>>>2 beshort !0xE009 \b, invalid
+>>>>>>>2 beshort !0xE009 \b, {invalid}
>(4.L) beshort !0x1985
>>(4.L+1) beshort !0x1985
>>>(4.L+2) beshort !0x1985
@@ -148,17 +148,17 @@
>>>>>(4.L) beshort !0xFFFF
>>>>>>(4.L+1) beshort !0xFFFF
>>>>>>>(4.L+2) beshort !0xFFFF
->>>>>>>>(4.L+3) beshort !0xFFFF \b, invalid
->4 belong 0 invalid
->4 belong <0 invalid
+>>>>>>>>(4.L+3) beshort !0xFFFF \b, {invalid}
+>4 belong 0 {invalid}
+>4 belong <0 {invalid}
>4 belong x {one-of-many}{jump-to-offset:%d}
# Squashfs, big endian
0 string sqsh Squashfs filesystem, big endian,
->28 beshort >10 invalid
->28 beshort <1 invalid
->30 beshort >10 invalid
+>28 beshort >10 {invalid}
+>28 beshort <1 {invalid}
+>30 beshort >10 {invalid}
>28 beshort x version %d.
>30 beshort x \b%d,
>28 beshort >3 compression:
@@ -166,8 +166,8 @@
>>20 beshort 2 \blzma,
>>20 beshort 3 \bgzip (non-standard type definition),
>>20 beshort 4 \blzma (non-standard type definition),
->>20 beshort 0 \binvalid,
->>20 beshort >4 \binvalid,
+>>20 beshort 0 \b{invalid},
+>>20 beshort >4 \b{invalid},
>28 beshort <3
>>8 belong x size: %d bytes,
>>8 belong x \b{jump-to-offset:%d}
@@ -198,9 +198,9 @@
# Squashfs, little endian
0 string hsqs Squashfs filesystem, little endian,
->28 leshort >10 invalid
->28 leshort <1 invalid
->30 leshort >10 invalid
+>28 leshort >10 {invalid}
+>28 leshort <1 {invalid}
+>30 leshort >10 {invalid}
>28 leshort x version %d.
>30 leshort x \b%d,
>28 leshort >3 compression:
@@ -208,8 +208,8 @@
>>20 leshort 2 \blzma,
>>20 leshort 3 \bgzip (non-standard type definition),
>>20 leshort 4 \blzma (non-standard type definition),
->>20 leshort 0 \binvalid,
->>20 leshort >4 \binvalid,
+>>20 leshort 0 \b{invalid},
+>>20 leshort >4 \b{invalid},
>28 leshort <3
>>8 lelong x size: %d bytes,
>>8 lelong x {file-size:%d}
@@ -243,9 +243,9 @@
# Squashfs with LZMA compression
0 string sqlz Squashfs filesystem, big endian, lzma compression,
->28 beshort >10 invalid
->28 beshort <1 invalid
->30 beshort >10 invalid
+>28 beshort >10 {invalid}
+>28 beshort <1 {invalid}
+>30 beshort >10 {invalid}
>28 beshort x version %d.
>30 beshort x \b%d,
>28 beshort >3 compression:
@@ -253,8 +253,8 @@
>>20 beshort 2 \blzma,
>>20 beshort 3 \bgzip (non-standard type definition),
>>20 beshort 4 \blzma (non-standard type definition),
->>20 beshort 0 \binvalid,
->>20 beshort >4 \binvalid,
+>>20 beshort 0 \b{invalid},
+>>20 beshort >4 \b{invalid},
>28 beshort <3
>>8 belong x size: %d bytes,
>>8 belong x {file-size:%d}
@@ -288,9 +288,9 @@
# Squashfs 3.3 LZMA signature
0 string qshs Squashfs filesystem, big endian, lzma signature,
->28 beshort >10 invalid
->28 beshort <1 invalid
->30 beshort >10 invalid
+>28 beshort >10 {invalid}
+>28 beshort <1 {invalid}
+>30 beshort >10 {invalid}
>28 beshort x version %d.
>30 beshort x \b%d,
>28 beshort >3 compression:
@@ -298,8 +298,8 @@
>>20 beshort 2 \blzma,
>>20 beshort 3 \bgzip (non-standard type definition),
>>20 beshort 4 \blzma (non-standard type definition),
->>20 beshort 0 \binvalid,
->>20 beshort >4 \binvalid,
+>>20 beshort 0 \b{invalid},
+>>20 beshort >4 \b{invalid},
>28 beshort <3
>>8 belong x size: %d bytes,
>>8 belong x {file-size:%d}
@@ -333,9 +333,9 @@
# Squashfs for DD-WRT
0 string tqsh Squashfs filesystem, big endian, DD-WRT signature,
->28 beshort >10 invalid
->28 beshort <1 invalid
->30 beshort >10 invalid
+>28 beshort >10 {invalid}
+>28 beshort <1 {invalid}
+>30 beshort >10 {invalid}
>28 beshort x version %d.
>30 beshort x \b%d,
>28 beshort >3 compression:
@@ -343,8 +343,8 @@
>>20 beshort 2 \blzma,
>>20 beshort 3 \bgzip (non-standard type definition),
>>20 beshort 4 \blzma (non-standard type definition),
->>20 beshort 0 \binvalid,
->>20 beshort >4 \binvalid,
+>>20 beshort 0 \b{invalid},
+>>20 beshort >4 \b{invalid},
>28 beshort <3
>>8 belong x size: %d bytes,
>>8 belong x {file-size:%d}
@@ -378,9 +378,9 @@
# Squashfs for DD-WRT
0 string hsqt Squashfs filesystem, little endian, DD-WRT signature,
->28 leshort >10 invalid
->28 leshort <1 invalid
->30 leshort >10 invalid
+>28 leshort >10 {invalid}
+>28 leshort <1 {invalid}
+>30 leshort >10 {invalid}
>28 leshort x version %d.
>30 leshort x \b%d,
>28 leshort >3 compression:
@@ -388,8 +388,8 @@
>>20 leshort 2 \blzma,
>>20 leshort 3 \bgzip (non-standard type definition),
>>20 leshort 4 \blzma (non-standard type definition),
->>20 leshort 0 \binvalid,
->>20 leshort >4 \binvalid,
+>>20 leshort 0 \b{invalid},
+>>20 leshort >4 \b{invalid},
>28 leshort <3
>>8 lelong x size: %d bytes,
>>8 lelong x {file-size:%d}
@@ -423,9 +423,9 @@
# Non-standard Squashfs signature found on some D-Link routers
0 string shsq Squashfs filesystem, little endian, non-standard signature,
->28 leshort >10 invalid
->28 leshort <1 invalid
->30 leshort >10 invalid
+>28 leshort >10 {invalid}
+>28 leshort <1 {invalid}
+>30 leshort >10 {invalid}
>28 leshort x version %d.
>30 leshort x \b%d,
>28 leshort >3 compression:
@@ -433,8 +433,8 @@
>>20 leshort 2 \blzma,
>>20 leshort 3 \bgzip (non-standard type definition),
>>20 leshort 4 \blzma (non-standard type definition),
->>20 leshort 0 \binvalid,
->>20 leshort >4 \binvalid,
+>>20 leshort 0 \b{invalid},
+>>20 leshort >4 \b{invalid},
>28 leshort <3
>>8 lelong x size: %d bytes,
>>8 lelong x {file-size:%d}
@@ -471,13 +471,13 @@
# volume label and UUID Russell Coker
# http://etbe.coker.com.au/2008/07/08/label-vs-uuid-vs-device/
0 leshort 0xEF53 Linux EXT filesystem,{offset-adjust:-0x438}
->2 leshort >4 invalid state
->2 leshort 3 invalid state
->2 leshort <0 invalid state
->4 leshort >3 invalid error behavior
->4 leshort <0 invalid error behavior
->4 lelong >1 invalid major revision
->4 lelong <0 invalid major revision
+>2 leshort >4 {invalid} state
+>2 leshort 3 {invalid} state
+>2 leshort <0 {invalid} state
+>4 leshort >3 {invalid} error behavior
+>4 leshort <0 {invalid} error behavior
+>4 lelong >1 {invalid} major revision
+>4 lelong <0 {invalid} major revision
>4 lelong x rev %d
>6 leshort x \b.%d
# No journal? ext2
@@ -504,7 +504,7 @@
#romfs filesystems - Juan Cespedes <cespedes@debian.org>
0 string -rom1fs-\0 romfs filesystem, version 1
->8 belong >10000000 invalid
+>8 belong >10000000 {invalid}
>8 belong x size: %d bytes,
>16 string x {file-name:%s}
>16 string x named "%s"
@@ -513,7 +513,7 @@
# Wind River MemFS file system, found in some VxWorks devices
0 string owowowowowowowowowowowowowowow Wind River management filesystem,
->30 string !ow invalid,
+>30 string !ow {invalid},
>32 belong 1 compressed,
>32 belong 2 plain text,
>36 belong x %d files
@@ -523,7 +523,7 @@
>4 lelong&0xFFFFFF00 0
>>4 lelong&0x100 0x000 mode 2
>>4 lelong&0x100 0x100 mode 3
->4 lelong&0xFFFFFF00 !0 unknown mode (invalid)
+>4 lelong&0xFFFFFF00 !0 unknown mode ({invalid})
0 string WDK\x202.0\x00 WDK file system, version 2.0{offset-adjust:-18}
@@ -533,15 +533,15 @@
>6148 string 1 version 1.0,
>6148 string 2 version 2.0,
>6148 string 3 version 3.0
->6148 byte >0x33 invalid version,
->6148 byte <0x31 invalid version,
+>6148 byte >0x33 {invalid} version,
+>6148 byte <0x31 {invalid} version,
>38 string >\0 volume name: "%s",
>2047 string \000CD001\001EL\x20TORITO\x20SPECIFICATION bootable
# updated by Joerg Jenderek at Nov 2012
# DOS Emulator image is 128 byte, null right padded header + harddisc image
0 string DOSEMU\0 DOS Emulator image
->0x27E leshort !0xAA55 \b, invalid
+>0x27E leshort !0xAA55 \b, {invalid}
>0x27E leshort 0xAA55
#offset is 128
>>19 byte 128
@@ -573,7 +573,7 @@
# BSD 2.x file system image; used in RetroBSD for PIC32.
0 string FS\x3C\x3C BSD 2.x filesystem,
->1020 string !\x3E\x3EFS invalid (missing FSMAGIC2),
+>1020 string !\x3E\x3EFS {invalid} (missing FSMAGIC2),
>8 lelong x size: {math:%d*1024} bytes,
>8 lelong x \b{file-size:%d*1024}
>8 lelong x \b{jump-to-offset:%d*1024}
@@ -586,13 +586,13 @@
# Simple file system found in Foscam camera firmware
0 beshort 0xbd9a Foscam WebUI filesystem,
>2 leshort x checksum: 0x%X,
->16 lelong <3 invalid first file name length,
->16 lelong >127 invalid first file name length,
->20 byte 0 invalid first file name,
+>16 lelong <3 {invalid} first file name length,
+>16 lelong >127 {invalid} first file name length,
+>20 byte 0 {invalid} first file name,
>20 byte !0x2E
>>20 byte !0x2F
->>>20 byte <65 invalid first file name,
->>>20 byte >122 invalid first file name,
+>>>20 byte <65 {invalid} first file name,
+>>>20 byte >122 {invalid} first file name,
>20 byte x first file name: {raw-replace}
>16 lelong x {raw-string-length:%d}
>20 string x {raw-string:%s}
diff --git a/src/magic/firmware b/src/magic/firmware
index ff47e0c..9f97cc6 100644
--- a/src/magic/firmware
+++ b/src/magic/firmware
@@ -6,13 +6,13 @@
0 belong 0x27051956 uImage header, header size: 64 bytes,
>4 belong x header CRC: 0x%X,
>8 bedate x created: %s,
->12 belong <1 invalid
+>12 belong <1 {invalid}
>12 belong x image size: %d bytes,
>16 belong x Data Address: 0x%X,
>20 belong x Entry Point: 0x%X,
>24 belong x data CRC: 0x%X,
#>28 byte x OS type: %d,
->28 byte 0 OS: invalid OS,
+>28 byte 0 OS: {invalid} OS,
>28 byte 1 OS: OpenBSD,
>28 byte 2 OS: NetBSD,
>28 byte 3 OS: FreeBSD,
@@ -34,7 +34,7 @@
>28 byte 19 OS: ARTOS,
>28 byte 20 OS: Unity OS,
#>29 byte x CPU arch: %d,
->29 byte 0 CPU: invalid OS,
+>29 byte 0 CPU: {invalid} OS,
>29 byte 1 CPU: Alpha,
>29 byte 2 CPU: ARM,
>29 byte 3 CPU: Intel x86,
@@ -54,7 +54,7 @@
>29 byte 17 CPU: AVR,
>29 byte 18 CPU: STMicroelectronics ST200,
#>30 byte x image type: %d,
->30 byte 0 image type: invalid Image,
+>30 byte 0 image type: {invalid} Image,
>30 byte 1 image type: Standalone Program,
>30 byte 2 image type: OS Kernel Image,
>30 byte 3 image type: RAMDisk Image,
@@ -72,7 +72,7 @@
#IMG0 header, found in VxWorks-based Mercury router firmware
0 string IMG0 IMG0 (VxWorks) header,
->4 belong <1 invalid
+>4 belong <1 {invalid}
>4 belong x size: %d
#Mediatek bootloader signature
@@ -93,26 +93,26 @@
# trx image file
0 string HDR0 TRX firmware header, little endian, header size: 28 bytes,
->4 lelong <1 invalid
+>4 lelong <1 {invalid}
>4 lelong x image size: %d bytes,
>8 lelong x CRC32: 0x%X
>12 leshort x flags: 0x%X,
->14 leshort >5 invalid
+>14 leshort >5 {invalid}
>14 leshort x version: %d
0 string 0RDH TRX firmware header, big endian, header size: 28 bytes,
->4 belong <1 invalid
+>4 belong <1 {invalid}
>4 belong x image size: %d bytes,
>8 belong x CRC32: 0x%X
>12 beshort x flags: 0x%X,
->14 beshort >5 invalid
+>14 beshort >5 {invalid}
>14 beshort x version: %d
# Ubicom firmware image
0 belong 0xFA320080 Ubicom firmware header,
>12 belong x checksum: 0x%X,
->24 belong <0 invalid
+>24 belong <0 {invalid}
>24 belong x image size: %d
# The ROME bootloader is used by several RealTek-based products.
@@ -129,9 +129,9 @@
>4 beshort 0x6ce8 image type: DCFG,
>4 beshort 0xc371 image type: LOG,
>6 byte x header version: %d,
->10 ubyte >12 invalid month
->12 ubyte >31 invalid day
->8 ubyte >3000 invalid year
+>10 ubyte >12 {invalid} month
+>12 ubyte >31 {invalid} day
+>8 ubyte >3000 {invalid} year
#month
>10 byte x created: %d/
#day
@@ -152,9 +152,9 @@
>4 beshort 0x6ce8 image type: DCFG,
>4 beshort 0xc371 image type: LOG,
>6 byte x header version: %d,
->10 ubyte >12 invalid month
->12 ubyte >31 invalid day
->8 ubyte >3000 invalid year
+>10 ubyte >12 {invalid} month
+>12 ubyte >31 {invalid} day
+>8 ubyte >3000 {invalid} year
#month
>10 byte x created: %d/
#day
@@ -169,9 +169,9 @@
0 string --PaCkImGs-- PackImg section delimiter tag,
# If the size in both big and little endian is greater than 512MB, consider this a false positive
>16 lelong >0x20000000
->>16 belong >0x20000000 invalid
+>>16 belong >0x20000000 {invalid}
>16 lelong <0
->>16 belong <0 invalid
+>>16 belong <0 {invalid}
>16 lelong >0
>>16 lelong x little endian size: %d bytes;
>16 belong >0
@@ -182,7 +182,7 @@
# Broadcom header format
#
0 string BCRM Broadcom header,
->4 lelong <0 invalid
+>4 lelong <0 {invalid}
>4 lelong x number of sections: %d,
>>8 lelong 18 first section type: flash
>>8 lelong 19 first section type: disk
@@ -258,8 +258,8 @@
0 string SIG ZynOS header, header size: 48 bytes,{offset-adjust:-6}
#>0 belong x load address 0x%X,
>3 byte <0x7F rom image type:
->>3 byte <1 invalid,
->>3 byte >7 invalid,
+>>3 byte <1 {invalid},
+>>3 byte >7 {invalid},
>>3 byte 1 ROMIMG,
>>3 byte 2 ROMBOOT,
>>3 byte 3 BOOTEXT,
@@ -268,17 +268,17 @@
>>3 byte 6 6,
>>3 byte 7 ROMMAP,
>3 byte >0x7F ram image type:
->>3 byte >0x82 invalid,
+>>3 byte >0x82 {invalid},
>>3 byte 0x80 RAM,
>>3 byte 0x81 RAMCODE,
>>3 byte 0x82 RAMBOOT,
->4 belong >0x40000000 invalid
->4 belong <0 invalid
->4 belong 0 invalid
+>4 belong >0x40000000 {invalid}
+>4 belong <0 {invalid}
+>4 belong 0 {invalid}
>4 belong x uncompressed size: %d,
->8 belong >0x40000000 invalid
->8 belong <0 invalid
->8 belong 0 invalid
+>8 belong >0x40000000 {invalid}
+>8 belong <0 {invalid}
+>8 belong 0 {invalid}
>8 belong x compressed size: %d,
>14 beshort x uncompressed checksum: 0x%X,
>16 beshort x compressed checksum: 0x%X,
@@ -290,13 +290,13 @@
# Firmware header used by some VxWorks-based Cisco products
0 string CI032.00 Cisco VxWorks firmware header,
->8 lelong >1024 invalid
->8 lelong <0 invalid
+>8 lelong >1024 {invalid}
+>8 lelong <0 {invalid}
>8 lelong x header size: %d bytes,
->32 lelong >1024 invalid
->32 lelong <0 invalid
+>32 lelong >1024 {invalid}
+>32 lelong <0 {invalid}
>32 lelong x number of files: %d,
->48 lelong <0 invalid
+>48 lelong <0 {invalid}
>48 lelong x image size: %d,
>64 string x firmware version: "%s"
@@ -314,12 +314,12 @@
>12 lelong x start address: 0x%.8X,
>16 lelong x checksum: 0x%.8X,
>20 lelong x version: 0x%.8X,
->24 lelong <1 invalid
+>24 lelong <1 {invalid}
>24 lelong x image size: %d bytes
# Firmware header used by several D-Link routers (and probably others)
0 string \x5e\xa3\xa4\x17 DLOB firmware header,
->(7.b+12) string !\x5e\xa3\xa4\x17 invalid,
+>(7.b+12) string !\x5e\xa3\xa4\x17 {invalid},
#>>12 string x %s,
>(7.b+40) string x boot partition: "%s"
@@ -345,7 +345,7 @@
# Header format from: http://skaya.enix.org/wiki/FirmwareFormat
0 string \x36\x00\x00\x00 Broadcom 96345 firmware header, header size: 256,
>4 string !Broadcom
->>4 string !\x20\x20\x20\x20 invalid
+>>4 string !\x20\x20\x20\x20 {invalid}
>41 beshort !0x2020
>>41 beshort !0x0000
>>>41 string x firmware version: "%.4s",
@@ -365,11 +365,11 @@
# Generic copyright signature
0 string Copyright Copyright string:
->9 byte 0 invalid
+>9 byte 0 {invalid}
>0 string x "%s
>63 string x \b%s"
0 string copyright Copyright string:
->9 byte 0 invalid
+>9 byte 0 {invalid}
>0 string x "%s
>63 string x \b%s"
@@ -385,7 +385,7 @@
# NPK firmware header, used by Mikrotik
0 belong 0x1EF1D0BA NPK firmware header,
->4 lelong <0 invalid
+>4 lelong <0 {invalid}
>4 lelong x image size: %d,
>14 string x image name: "%s",
>(48.l+58) string x description: "%s
@@ -393,33 +393,33 @@
# Ubiquiti firmware signatures
0 string UBNT Ubiquiti firmware header, header size: 264 bytes,
->0x108 belong !0 invalid,
+>0x108 belong !0 {invalid},
>0x104 belong x ~CRC32: 0x%X,
->4 byte 0 invalid,
+>4 byte 0 {invalid},
>4 string x version: "%s"
0 string GEOS Ubiquiti firmware header, header size: 264 bytes,
->0x108 belong !0 invalid,
+>0x108 belong !0 {invalid},
>0x104 belong x ~CRC32: 0x%X,
->4 byte 0 invalid,
+>4 byte 0 {invalid},
>4 string x version: "%s"
0 string OPEN Ubiquiti firmware header, third party,
->0x108 belong !0 invalid,
+>0x108 belong !0 {invalid},
>0x104 belong x ~CRC32: 0x%X,
->4 byte 0 invalid,
+>4 byte 0 {invalid},
>4 string x version: "%s"
0 string \x00\x00\x00\x00PART Ubiquiti partition header,{offset-adjust:4}
>0 byte x header size: 56 bytes,
->8 byte 0 invalid
+>8 byte 0 {invalid}
>8 string x name: "%s",
>44 belong x base address: 0x%.8X,
>52 belong x data size: %d bytes
>52 belong x {file-size:%d}
0 string \x00\x00\x00\x00END\x2e Ubiquiti end header, header size: 12 bytes,{offset-adjust:4}
->12 belong !0 invalid,
+>12 belong !0 {invalid},
>8 belong x cumulative ~CRC32: 0x%.8X
@@ -432,34 +432,34 @@
0 belong 0x5EA3A417 SEAMA firmware header, big endian,
>6 beshort x meta size: %d,
->8 belong <1 invalid
+>8 belong <1 {invalid}
>8 belong x size: %d
0 lelong 0x5EA3A417 SEAMA firmware header, little endian,
>6 leshort x meta size: %d,
->8 lelong <1 invalid
+>8 lelong <1 {invalid}
>8 lelong x size: %d
0 belong 0x4D544443 NSP firmware header, big endian,
->16 belong <1 invalid
+>16 belong <1 {invalid}
>16 belong x header size: %d,
->20 belong <1 invalid
+>20 belong <1 {invalid}
>20 belong x image size: %d,
>20 belong x {file-size:%d}
->4 belong <1 invalid
+>4 belong <1 {invalid}
>4 belong x kernel offset: %d,
->12 belong <1 invalid
+>12 belong <1 {invalid}
>12 belong x header version: %d,
0 lelong 0x4D544443 NSP firmware header, little endian,
->16 lelong <1 invalid
+>16 lelong <1 {invalid}
>16 lelong x header size: %d,
->20 lelong <1 invalid
+>20 lelong <1 {invalid}
>20 lelong x image size: %d,
>20 lelong x {file-size:%d}
->4 lelong <1 invalid
+>4 lelong <1 {invalid}
>4 lelong x kernel offset: %d,
->12 lelong <1 invalid
+>12 lelong <1 {invalid}
>12 lelong x header version: %d,
# http://www.openwiz.org/wiki/Firmware_Layout#Beyonwiz_.wrp_header_structure
@@ -522,7 +522,7 @@
# Obfuscated Arcadyan firmware
0x68 belong 0x00D50800 Obfuscated Arcadyan firmware,
>0 belong x signature bytes: 0x%X,
->0x70 string !\x00\x00\x00\x00\x00\x00\x00 invalid,
+>0x70 string !\x00\x00\x00\x00\x00\x00\x00 {invalid},
>0x70 belong 0x00000000 see https://github.com/devttys0/wrt120n/deobfuscator
# Digi firmware images
@@ -535,7 +535,7 @@
>>>>>>0xC8 beshort !0x4f53
>>>>>>>0xC8 beshort !0x4f43
>>>>>>>>0xC8 beshort !0x4646
->>>>>>>>>0xC8 beshort !0x5350 invalid header,
+>>>>>>>>>0xC8 beshort !0x5350 {invalid} header,
>0xD4 belong x load address: 0x%.8X,
>0xDC belong x entry point: 0x%.8X,
@@ -585,200 +585,200 @@
# Signatures to identify the start of a VxWorks symbol table
8 string \x00\x00\x05\x00\x00\x00\x00\x00 VxWorks symbol table, big endian,
->4 belong 0 invalid
+>4 belong 0 {invalid}
>4 belong x first entry: [type: function, code address: 0x%X,
->0 belong 0 invalid
+>0 belong 0 {invalid}
>0 belong x symbol address: 0x%X]{display-once}
>24 belong !0x500
>>24 belong !0x700
->>>24 belong !0x900 \b, invalid
+>>>24 belong !0x900 \b, {invalid}
>40 belong !0x500
>>40 belong !0x700
->>>40 belong !0x900 \b, invalid
+>>>40 belong !0x900 \b, {invalid}
>56 belong !0x500
>>56 belong !0x700
->>>56 belong !0x900 \b, invalid
+>>>56 belong !0x900 \b, {invalid}
>72 belong !0x500
>>72 belong !0x700
->>>72 belong !0x900 \b, invalid
+>>>72 belong !0x900 \b, {invalid}
>88 belong !0x500
>>88 belong !0x700
->>>88 belong !0x900 \b, invalid
+>>>88 belong !0x900 \b, {invalid}
>104 belong !0x500
>>104 belong !0x700
->>>104 belong !0x900 \b, invalid
+>>>104 belong !0x900 \b, {invalid}
>120 belong !0x500
>>120 belong !0x700
->>>120 belong !0x900 \b, invalid
+>>>120 belong !0x900 \b, {invalid}
>136 belong !0x500
>>136 belong !0x700
->>>136 belong !0x900 \b, invalid
+>>>136 belong !0x900 \b, {invalid}
>152 belong !0x500
>>152 belong !0x700
->>>152 belong !0x900 \b, invalid
+>>>152 belong !0x900 \b, {invalid}
8 string \x00\x00\x07\x00\x00\x00\x00\x00 VxWorks symbol table, big endian,
->4 belong 0 invalid
+>4 belong 0 {invalid}
>4 belong x first entry: [type: initialized data, code address: 0x%X,
->0 belong 0 invalid
+>0 belong 0 {invalid}
>0 belong x symbol address: 0x%X]{display-once}
>24 belong !0x500
>>24 belong !0x700
->>>24 belong !0x900 \b, invalid
+>>>24 belong !0x900 \b, {invalid}
>40 belong !0x500
>>40 belong !0x700
->>>40 belong !0x900 \b, invalid
+>>>40 belong !0x900 \b, {invalid}
>56 belong !0x500
>>56 belong !0x700
->>>56 belong !0x900 \b, invalid
+>>>56 belong !0x900 \b, {invalid}
>72 belong !0x500
>>72 belong !0x700
->>>72 belong !0x900 \b, invalid
+>>>72 belong !0x900 \b, {invalid}
>88 belong !0x500
>>88 belong !0x700
->>>88 belong !0x900 \b, invalid
+>>>88 belong !0x900 \b, {invalid}
>104 belong !0x500
>>104 belong !0x700
->>>104 belong !0x900 \b, invalid
+>>>104 belong !0x900 \b, {invalid}
>120 belong !0x500
>>120 belong !0x700
->>>120 belong !0x900 \b, invalid
+>>>120 belong !0x900 \b, {invalid}
>136 belong !0x500
>>136 belong !0x700
->>>136 belong !0x900 \b, invalid
+>>>136 belong !0x900 \b, {invalid}
>152 belong !0x500
>>152 belong !0x700
->>>152 belong !0x900 \b, invalid
+>>>152 belong !0x900 \b, {invalid}
8 string \x00\x00\x09\x00\x00\x00\x00\x00 VxWorks symbol table, big endian,
->4 belong 0 invalid
+>4 belong 0 {invalid}
>4 belong x first entry: [type: uninitialized data, code address: 0x%X,
->0 belong 0 invalid
+>0 belong 0 {invalid}
>0 belong x symbol address: 0x%X]{display-once}
>24 belong !0x500
>>24 belong !0x700
->>>24 belong !0x900 \b, invalid
+>>>24 belong !0x900 \b, {invalid}
>40 belong !0x500
>>40 belong !0x700
->>>40 belong !0x900 \b, invalid
+>>>40 belong !0x900 \b, {invalid}
>56 belong !0x500
>>56 belong !0x700
->>>56 belong !0x900 \b, invalid
+>>>56 belong !0x900 \b, {invalid}
>72 belong !0x500
>>72 belong !0x700
->>>72 belong !0x900 \b, invalid
+>>>72 belong !0x900 \b, {invalid}
>88 belong !0x500
>>88 belong !0x700
->>>88 belong !0x900 \b, invalid
+>>>88 belong !0x900 \b, {invalid}
>104 belong !0x500
>>104 belong !0x700
->>>104 belong !0x900 \b, invalid
+>>>104 belong !0x900 \b, {invalid}
>120 belong !0x500
>>120 belong !0x700
->>>120 belong !0x900 \b, invalid
+>>>120 belong !0x900 \b, {invalid}
>136 belong !0x500
>>136 belong !0x700
->>>136 belong !0x900 \b, invalid
+>>>136 belong !0x900 \b, {invalid}
>152 belong !0x500
>>152 belong !0x700
->>>152 belong !0x900 \b, invalid
+>>>152 belong !0x900 \b, {invalid}
8 string \x00\x05\x00\x00\x00\x00\x00\x00 VxWorks symbol table, little endian,
->4 lelong 0 invalid
+>4 lelong 0 {invalid}
>4 lelong x first entry: [type: function, code address: 0x%X,
->0 lelong 0 invalid
+>0 lelong 0 {invalid}
>0 lelong x symbol address: 0x%X]{display-once}
>24 lelong !0x500
>>24 lelong !0x700
->>>24 lelong !0x900 \b, invalid
+>>>24 lelong !0x900 \b, {invalid}
>40 lelong !0x500
>>40 lelong !0x700
->>>40 lelong !0x900 \b, invalid
+>>>40 lelong !0x900 \b, {invalid}
>56 lelong !0x500
>>56 lelong !0x700
->>>56 lelong !0x900 \b, invalid
+>>>56 lelong !0x900 \b, {invalid}
>72 lelong !0x500
>>72 lelong !0x700
->>>72 lelong !0x900 \b, invalid
+>>>72 lelong !0x900 \b, {invalid}
>88 lelong !0x500
>>88 lelong !0x700
->>>88 lelong !0x900 \b, invalid
+>>>88 lelong !0x900 \b, {invalid}
>104 lelong !0x500
>>104 lelong !0x700
->>>104 lelong !0x900 \b, invalid
+>>>104 lelong !0x900 \b, {invalid}
>120 lelong !0x500
>>120 lelong !0x700
->>>120 lelong !0x900 \b, invalid
+>>>120 lelong !0x900 \b, {invalid}
>136 lelong !0x500
>>136 lelong !0x700
->>>136 lelong !0x900 \b, invalid
+>>>136 lelong !0x900 \b, {invalid}
>152 lelong !0x500
>>152 lelong !0x700
->>>152 lelong !0x900 \b, invalid
+>>>152 lelong !0x900 \b, {invalid}
8 string \x00\x07\x00\x00\x00\x00\x00\x00 VxWorks symbol table, little endian,
->4 lelong 0 invalid
+>4 lelong 0 {invalid}
>4 lelong x first entry: [type: initialized data, code address: 0x%X,
->0 lelong 0 invalid
+>0 lelong 0 {invalid}
>0 lelong x symbol address: 0x%X]{display-once}
>24 lelong !0x500
>>24 lelong !0x700
->>>24 lelong !0x900 \b, invalid
+>>>24 lelong !0x900 \b, {invalid}
>40 lelong !0x500
>>40 lelong !0x700
->>>40 lelong !0x900 \b, invalid
+>>>40 lelong !0x900 \b, {invalid}
>56 lelong !0x500
>>56 lelong !0x700
->>>56 lelong !0x900 \b, invalid
+>>>56 lelong !0x900 \b, {invalid}
>72 lelong !0x500
>>72 lelong !0x700
->>>72 lelong !0x900 \b, invalid
+>>>72 lelong !0x900 \b, {invalid}
>88 lelong !0x500
>>88 lelong !0x700
->>>88 lelong !0x900 \b, invalid
+>>>88 lelong !0x900 \b, {invalid}
>104 lelong !0x500
>>104 lelong !0x700
->>>104 lelong !0x900 \b, invalid
+>>>104 lelong !0x900 \b, {invalid}
>120 lelong !0x500
>>120 lelong !0x700
->>>120 lelong !0x900 \b, invalid
+>>>120 lelong !0x900 \b, {invalid}
>136 lelong !0x500
>>136 lelong !0x700
->>>136 lelong !0x900 \b, invalid
+>>>136 lelong !0x900 \b, {invalid}
>152 lelong !0x500
>>152 lelong !0x700
->>>152 lelong !0x900 \b, invalid
+>>>152 lelong !0x900 \b, {invalid}
8 string \x00\x09\x00\x00\x00\x00\x00\x00 VxWorks symbol table, little endian,
->4 lelong 0 invalid
+>4 lelong 0 {invalid}
>4 lelong x first entry: [type: uninitialized data, code address: 0x%X,
->0 lelong 0 invalid
+>0 lelong 0 {invalid}
>0 lelong x symbol address: 0x%X]{display-once}
>24 lelong !0x500
>>24 lelong !0x700
->>>24 lelong !0x900 \b, invalid
+>>>24 lelong !0x900 \b, {invalid}
>40 lelong !0x500
>>40 lelong !0x700
->>>40 lelong !0x900 \b, invalid
+>>>40 lelong !0x900 \b, {invalid}
>56 lelong !0x500
>>56 lelong !0x700
->>>56 lelong !0x900 \b, invalid
+>>>56 lelong !0x900 \b, {invalid}
>72 lelong !0x500
>>72 lelong !0x700
->>>72 lelong !0x900 \b, invalid
+>>>72 lelong !0x900 \b, {invalid}
>88 lelong !0x500
>>88 lelong !0x700
->>>88 lelong !0x900 \b, invalid
+>>>88 lelong !0x900 \b, {invalid}
>104 lelong !0x500
>>104 lelong !0x700
->>>104 lelong !0x900 \b, invalid
+>>>104 lelong !0x900 \b, {invalid}
>120 lelong !0x500
>>120 lelong !0x700
->>>120 lelong !0x900 \b, invalid
+>>>120 lelong !0x900 \b, {invalid}
>136 lelong !0x500
>>136 lelong !0x700
->>>136 lelong !0x900 \b, invalid
+>>>136 lelong !0x900 \b, {invalid}
>152 lelong !0x500
>>152 lelong !0x700
->>>152 lelong !0x900 \b, invalid
+>>>152 lelong !0x900 \b, {invalid}
diff --git a/src/magic/images b/src/magic/images
index 2f60466..e94219e 100644
--- a/src/magic/images
+++ b/src/magic/images
@@ -2,18 +2,18 @@
# The second word of TIFF files is the TIFF version number, 42, which has
# never changed. The TIFF specification recommends testing for it.
0 string MM\x00\x2a TIFF image data, big-endian,
->4 belong 0 invalid
->4 belong <0 invalid
+>4 belong 0 {invalid}
+>4 belong <0 {invalid}
# First image directory must begin on an even byte boundary
->4 belong &1 invalid
->4 belong >10000000 invalid
+>4 belong &1 {invalid}
+>4 belong >10000000 {invalid}
>4 belong x offset of first image directory: %d
0 string II\x2a\x00 TIFF image data, little-endian
->4 lelong 0 invalid
->4 lelong <0 invalid
->4 lelong &1 invalid
->4 lelong >10000000 invalid
+>4 lelong 0 {invalid}
+>4 lelong <0 {invalid}
+>4 lelong &1 {invalid}
+>4 lelong >10000000 {invalid}
>4 lelong x offset of first image directory: %d
# PNG [Portable Network Graphics, or "PNG's Not GIF"] images
@@ -23,10 +23,10 @@
# 137 P N G \r \n ^Z \n [4-byte length] H E A D [HEAD data] [HEAD crc] ...
#
0 string \x89PNG\x0d\x0a\x1a\x0a PNG image
->16 belong <1 invalid
->16 belong >10000 invalid
->20 belong <1 invalid
->20 belong >10000 invalid
+>16 belong <1 {invalid}
+>16 belong >10000 {invalid}
+>20 belong <1 {invalid}
+>20 belong >10000 {invalid}
>16 belong x \b, %d x
>20 belong x %d,
>24 byte x %d-bit
@@ -58,38 +58,38 @@
# PC bitmaps (OS/2, Windows BMP files) (Greg Roelofs, newt@uchicago.edu)
0 string BM
>14 leshort 12 PC bitmap, OS/2 1.x format
->>18 lelong <1 invalid
->>18 lelong >1000000 invalid
+>>18 lelong <1 {invalid}
+>>18 lelong >1000000 {invalid}
>>18 leshort x \b, %d x
->>20 lelong <1 invalid
->>20 lelong >1000000 invalid
+>>20 lelong <1 {invalid}
+>>20 lelong >1000000 {invalid}
>>20 leshort x %d
>14 leshort 64 PC bitmap, OS/2 2.x format
->>18 lelong <1 invalid
->>18 lelong >1000000 invalid
+>>18 lelong <1 {invalid}
+>>18 lelong >1000000 {invalid}
>>18 leshort x \b, %d x
->>20 lelong <1 invalid
->>20 lelong >1000000 invalid
+>>20 lelong <1 {invalid}
+>>20 lelong >1000000 {invalid}
>>20 leshort x %d
>14 leshort 40 PC bitmap, Windows 3.x format
->>18 lelong <1 invalid
->>18 lelong >1000000 invalid
+>>18 lelong <1 {invalid}
+>>18 lelong >1000000 {invalid}
>>18 lelong x \b, %d x
->>22 lelong <1 invalid
->>22 lelong >1000000 invalid
+>>22 lelong <1 {invalid}
+>>22 lelong >1000000 {invalid}
>>22 lelong x %d x
->>28 lelong <1 invalid
->>28 lelong >1000000 invalid
+>>28 lelong <1 {invalid}
+>>28 lelong >1000000 {invalid}
>>28 leshort x %d
>14 leshort 128 PC bitmap, Windows NT/2000 format
->>18 lelong >1000000 invalid
->>18 lelong <1 invalid
+>>18 lelong >1000000 {invalid}
+>>18 lelong <1 {invalid}
>>18 lelong x \b, %d x
->>22 lelong <1 invalid
->>22 lelong >1000000 invalid
+>>22 lelong <1 {invalid}
+>>22 lelong >1000000 {invalid}
>>22 lelong x %d x
->>28 lelong <1 invalid
->>28 lelong >1000000 invalid
+>>28 lelong <1 {invalid}
+>>28 lelong >1000000 {invalid}
>>28 leshort x %d
#------------------------------------------------------------------------------
@@ -102,7 +102,7 @@
# both of which turn into "JPEG image data" here.
#
0 belong 0xffd8ffe0 JPEG image data, JFIF standard
->6 string !JFIF invalid
+>6 string !JFIF {invalid}
# The following added by Erik Rossen <rossen@freesurf.ch> 1999-09-06
# in a vain attempt to add image size reporting for JFIF. Note that these
# tests are not fool-proof since some perfectly valid JPEGs are currently
@@ -124,7 +124,7 @@
# EXIF moved down here to avoid reporting a bogus version number,
# and EXIF version number printing added.
# - Patrik R=E5dman <patrik+file-magic@iki.fi>
->6 string !Exif invalid
+>6 string !Exif {invalid}
# Look for EXIF IFD offset in IFD 0, and then look for EXIF version tag in EXIF IFD.
# All possible combinations of entries have to be enumerated, since no looping
# is possible. And both endians are possible...
@@ -246,5 +246,5 @@
#>16 beshort x \b %d
0 string M88888888888888888888888888 Binwalk logo, ASCII art (Toph){offset-adjust:-50}
->27 string !8888888888\n invalid
+>27 string !8888888888\n {invalid}
diff --git a/src/magic/kernels b/src/magic/kernels
index d4cdae1..8c7dc1d 100644
--- a/src/magic/kernels
+++ b/src/magic/kernels
@@ -6,12 +6,12 @@
# and Nicolás Lichtmaier <nick@debian.org>
# All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29
0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90\x8e\xc0\xb9\x00\x01\x29\xf6\x29 Linux kernel boot image
->514 string !HdrS (invalid)
+>514 string !HdrS ({invalid})
# Finds and prints Linux kernel strings in raw Linux kernels (output like uname -a).
# Commonly found in decompressed embedded kernel binaries.
0 string Linux\ version\ Linux kernel version
->14 byte 0 invalid
+>14 byte 0 {invalid}
>14 byte !0
>>14 string x "%s
>>45 string x \b%s"
@@ -27,12 +27,12 @@
# jr $k1
# nop
0 string \x00\x68\x1A\x40\x00\x00\x00\x00\x7F\x00\x5A\x33 eCos kernel exception handler, architecture: MIPSEL,
->14 leshort !0x3C1B invalid
->18 leshort !0x277B invalid
+>14 leshort !0x3C1B {invalid}
+>18 leshort !0x277B {invalid}
>12 leshort x exception vector table base address: 0x%.4X
>16 leshort x \b%.4X
0 string \x40\x1A\x68\x00\x00\x00\x00\x00\x33\x5A\x00\x7F eCos kernel exception handler, architecture: MIPS,
->12 beshort !0x3C1B invalid
->16 beshort !0x277B invalid
+>12 beshort !0x3C1B {invalid}
+>16 beshort !0x277B {invalid}
>14 beshort x exception vector table base address: 0x%.4X
>18 beshort x \b%.4X
diff --git a/src/magic/lzma b/src/magic/lzma
index 3a7f72b..284e2bc 100644
--- a/src/magic/lzma
+++ b/src/magic/lzma
@@ -14,38 +14,38 @@
#>>>>>>>1 lelong !4194304
#>>>>>>>>1 lelong !8388608
#>>>>>>>>>1 lelong !16777216
-#>>>>>>>>>>1 lelong !33554432 invalid
+#>>>>>>>>>>1 lelong !33554432 {invalid}
#>1 lelong x dictionary size: %d bytes,
#
## Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
## This could technically be valid, but is unlikely.
#>5 lequad !-1
-#>>5 lequad <32 invalid
-#>>5 lequad >0x40000000 invalid
+#>>5 lequad <32 {invalid}
+#>>5 lequad >0x40000000 {invalid}
#
## These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
## Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-## marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+## marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
#>1 lelong 65536
-#>>5 lequad 65536 invalid
+#>>5 lequad 65536 {invalid}
#>1 lelong 131072
-#>>5 lequad 131072 invalid
+#>>5 lequad 131072 {invalid}
#>1 lelong 262144
-#>>5 lequad 262144 invalid
+#>>5 lequad 262144 {invalid}
#>1 lelong 524288
-#>>5 lequad 524288 invalid
+#>>5 lequad 524288 {invalid}
#>1 lelong 1048576
-#>>5 lequad 1048576 invalid
+#>>5 lequad 1048576 {invalid}
#>1 lelong 2097152
-#>>5 lequad 2097152 invalid
+#>>5 lequad 2097152 {invalid}
#>1 lelong 4194304
-#>>5 lequad 4194304 invalid
+#>>5 lequad 4194304 {invalid}
#>1 lelong 8388608
-#>>5 lequad 8388608 invalid
+#>>5 lequad 8388608 {invalid}
#>1 lelong 16777216
-#>>5 lequad 16777216 invalid
+#>>5 lequad 16777216 {invalid}
#>1 lelong 33554432
-#>>5 lequad 33554432 invalid
+#>>5 lequad 33554432 {invalid}
#>5 lequad x uncompressed size: %lld bytes
#
#
@@ -64,38 +64,38 @@
#>>>>>>>1 lelong !4194304
#>>>>>>>>1 lelong !8388608
#>>>>>>>>>1 lelong !16777216
-#>>>>>>>>>>1 lelong !33554432 invalid
+#>>>>>>>>>>1 lelong !33554432 {invalid}
#>1 lelong x dictionary size: %d bytes,
#
## Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
## This could technically be valid, but is unlikely.
#>5 lequad !-1
-#>>5 lequad <32 invalid
-#>>5 lequad >0x40000000 invalid
+#>>5 lequad <32 {invalid}
+#>>5 lequad >0x40000000 {invalid}
#
## These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
## Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-## marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+## marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
#>1 lelong 65536
-#>>5 lequad 65536 invalid
+#>>5 lequad 65536 {invalid}
#>1 lelong 131072
-#>>5 lequad 131072 invalid
+#>>5 lequad 131072 {invalid}
#>1 lelong 262144
-#>>5 lequad 262144 invalid
+#>>5 lequad 262144 {invalid}
#>1 lelong 524288
-#>>5 lequad 524288 invalid
+#>>5 lequad 524288 {invalid}
#>1 lelong 1048576
-#>>5 lequad 1048576 invalid
+#>>5 lequad 1048576 {invalid}
#>1 lelong 2097152
-#>>5 lequad 2097152 invalid
+#>>5 lequad 2097152 {invalid}
#>1 lelong 4194304
-#>>5 lequad 4194304 invalid
+#>>5 lequad 4194304 {invalid}
#>1 lelong 8388608
-#>>5 lequad 8388608 invalid
+#>>5 lequad 8388608 {invalid}
#>1 lelong 16777216
-#>>5 lequad 16777216 invalid
+#>>5 lequad 16777216 {invalid}
#>1 lelong 33554432
-#>>5 lequad 33554432 invalid
+#>>5 lequad 33554432 {invalid}
#>5 lequad x uncompressed size: %lld bytes
#
#
@@ -114,38 +114,38 @@
#>>>>>>>1 lelong !4194304
#>>>>>>>>1 lelong !8388608
#>>>>>>>>>1 lelong !16777216
-#>>>>>>>>>>1 lelong !33554432 invalid
+#>>>>>>>>>>1 lelong !33554432 {invalid}
#>1 lelong x dictionary size: %d bytes,
#
## Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
## This could technically be valid, but is unlikely.
#>5 lequad !-1
-#>>5 lequad <32 invalid
-#>>5 lequad >0x40000000 invalid
+#>>5 lequad <32 {invalid}
+#>>5 lequad >0x40000000 {invalid}
#
## These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
## Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-## marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+## marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
#>1 lelong 65536
-#>>5 lequad 65536 invalid
+#>>5 lequad 65536 {invalid}
#>1 lelong 131072
-#>>5 lequad 131072 invalid
+#>>5 lequad 131072 {invalid}
#>1 lelong 262144
-#>>5 lequad 262144 invalid
+#>>5 lequad 262144 {invalid}
#>1 lelong 524288
-#>>5 lequad 524288 invalid
+#>>5 lequad 524288 {invalid}
#>1 lelong 1048576
-#>>5 lequad 1048576 invalid
+#>>5 lequad 1048576 {invalid}
#>1 lelong 2097152
-#>>5 lequad 2097152 invalid
+#>>5 lequad 2097152 {invalid}
#>1 lelong 4194304
-#>>5 lequad 4194304 invalid
+#>>5 lequad 4194304 {invalid}
#>1 lelong 8388608
-#>>5 lequad 8388608 invalid
+#>>5 lequad 8388608 {invalid}
#>1 lelong 16777216
-#>>5 lequad 16777216 invalid
+#>>5 lequad 16777216 {invalid}
#>1 lelong 33554432
-#>>5 lequad 33554432 invalid
+#>>5 lequad 33554432 {invalid}
#>5 lequad x uncompressed size: %lld bytes
#
#
@@ -164,38 +164,38 @@
#>>>>>>>1 lelong !4194304
#>>>>>>>>1 lelong !8388608
#>>>>>>>>>1 lelong !16777216
-#>>>>>>>>>>1 lelong !33554432 invalid
+#>>>>>>>>>>1 lelong !33554432 {invalid}
#>1 lelong x dictionary size: %d bytes,
#
## Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
## This could technically be valid, but is unlikely.
#>5 lequad !-1
-#>>5 lequad <32 invalid
-#>>5 lequad >0x40000000 invalid
+#>>5 lequad <32 {invalid}
+#>>5 lequad >0x40000000 {invalid}
#
## These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
## Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-## marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+## marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
#>1 lelong 65536
-#>>5 lequad 65536 invalid
+#>>5 lequad 65536 {invalid}
#>1 lelong 131072
-#>>5 lequad 131072 invalid
+#>>5 lequad 131072 {invalid}
#>1 lelong 262144
-#>>5 lequad 262144 invalid
+#>>5 lequad 262144 {invalid}
#>1 lelong 524288
-#>>5 lequad 524288 invalid
+#>>5 lequad 524288 {invalid}
#>1 lelong 1048576
-#>>5 lequad 1048576 invalid
+#>>5 lequad 1048576 {invalid}
#>1 lelong 2097152
-#>>5 lequad 2097152 invalid
+#>>5 lequad 2097152 {invalid}
#>1 lelong 4194304
-#>>5 lequad 4194304 invalid
+#>>5 lequad 4194304 {invalid}
#>1 lelong 8388608
-#>>5 lequad 8388608 invalid
+#>>5 lequad 8388608 {invalid}
#>1 lelong 16777216
-#>>5 lequad 16777216 invalid
+#>>5 lequad 16777216 {invalid}
#>1 lelong 33554432
-#>>5 lequad 33554432 invalid
+#>>5 lequad 33554432 {invalid}
#>5 lequad x uncompressed size: %lld bytes
@@ -214,38 +214,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -264,38 +264,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -314,38 +314,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -364,38 +364,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -414,38 +414,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -464,38 +464,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -514,38 +514,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -564,38 +564,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -614,38 +614,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -664,38 +664,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -714,38 +714,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -764,38 +764,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -814,38 +814,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -864,38 +864,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -914,38 +914,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -964,38 +964,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -1014,38 +1014,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -1064,38 +1064,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -1114,38 +1114,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -1164,38 +1164,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -1214,38 +1214,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -1264,38 +1264,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -1314,38 +1314,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -1364,38 +1364,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -1414,38 +1414,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -1464,38 +1464,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -1514,38 +1514,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -1564,38 +1564,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -1614,38 +1614,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -1664,38 +1664,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -1714,38 +1714,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -1764,38 +1764,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -1814,38 +1814,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -1864,38 +1864,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -1914,38 +1914,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -1964,38 +1964,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -2014,38 +2014,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -2064,38 +2064,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -2114,38 +2114,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -2164,38 +2164,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -2214,38 +2214,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -2264,38 +2264,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -2314,38 +2314,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -2364,38 +2364,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -2414,38 +2414,38 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
@@ -2464,37 +2464,37 @@
>>>>>>>1 lelong !4194304
>>>>>>>>1 lelong !8388608
>>>>>>>>>1 lelong !16777216
->>>>>>>>>>1 lelong !33554432 invalid
+>>>>>>>>>>1 lelong !33554432 {invalid}
>1 lelong x dictionary size: %d bytes,
# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5 lequad !-1
->>5 lequad <32 invalid
->>5 lequad >0x40000000 invalid
+>>5 lequad <32 {invalid}
+>>5 lequad >0x40000000 {invalid}
# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
-# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+# marking matches with the same uncompressed and dictionary sizes as {invalid} eliminates much of these false positives.
>1 lelong 65536
->>5 lequad 65536 invalid
+>>5 lequad 65536 {invalid}
>1 lelong 131072
->>5 lequad 131072 invalid
+>>5 lequad 131072 {invalid}
>1 lelong 262144
->>5 lequad 262144 invalid
+>>5 lequad 262144 {invalid}
>1 lelong 524288
->>5 lequad 524288 invalid
+>>5 lequad 524288 {invalid}
>1 lelong 1048576
->>5 lequad 1048576 invalid
+>>5 lequad 1048576 {invalid}
>1 lelong 2097152
->>5 lequad 2097152 invalid
+>>5 lequad 2097152 {invalid}
>1 lelong 4194304
->>5 lequad 4194304 invalid
+>>5 lequad 4194304 {invalid}
>1 lelong 8388608
->>5 lequad 8388608 invalid
+>>5 lequad 8388608 {invalid}
>1 lelong 16777216
->>5 lequad 16777216 invalid
+>>5 lequad 16777216 {invalid}
>1 lelong 33554432
->>5 lequad 33554432 invalid
+>>5 lequad 33554432 {invalid}
>5 lequad x uncompressed size: %lld bytes
diff --git a/src/magic/misc b/src/magic/misc
index 33747d3..8d6b028 100644
--- a/src/magic/misc
+++ b/src/magic/misc
@@ -3,7 +3,7 @@
# pdf: file(1) magic for Portable Document Format
#
0 string %PDF- PDF document,
->6 byte !0x2e invalid
+>6 byte !0x2e {invalid}
>5 string x version: "%3s"
#------------------------------------------------------------------------------
@@ -27,10 +27,10 @@
0 string \x3chtml HTML document header{extract-delay:HTML document footer}
>5 byte !0x20
->>5 byte !0x3e \b, invalid
+>>5 byte !0x3e \b, {invalid}
0 string \x3cHTML HTML document header{extract-delay:HTML document footer}
>5 byte !0x20
->>5 byte !0x3e \b, invalid
+>>5 byte !0x3e \b, {invalid}
0 string \x3c/html\x3e HTML document footer{offset-adjust:7}
0 string \x3c/HTML\x3e HTML document footer{offset-adjust:7}
@@ -57,13 +57,13 @@
>63 string x \b%s"
0 string begin\x20 uuencoded data,
->9 byte !0x20 invalid format,
->6 byte <0x30 invalid permissions,
->6 byte >0x39 invalid permissions,
->7 byte <0x30 invalid permissions,
->7 byte >0x39 invalid permissions,
->8 byte <0x30 invalid permissions,
->8 byte >0x39 invalid permissions,
+>9 byte !0x20 {invalid} format,
+>6 byte <0x30 {invalid} permissions,
+>6 byte >0x39 {invalid} permissions,
+>7 byte <0x30 {invalid} permissions,
+>7 byte >0x39 {invalid} permissions,
+>8 byte <0x30 {invalid} permissions,
+>8 byte >0x39 {invalid} permissions,
>10 string x file name: "%s",
>6 string x file permissions: "%.3s"
diff --git a/src/magic/network b/src/magic/network
index 642e691..94c63ff 100644
--- a/src/magic/network
+++ b/src/magic/network
@@ -16,7 +16,7 @@
# "libpcap" capture files.
#
0 string \xa1\xb2\xc3\xd4\x00 Libpcap capture file, big-endian,
->4 beshort >2 invalid
+>4 beshort >2 {invalid}
>4 beshort x version %d
>6 beshort x \b.%d,
>20 belong 0 (No link-layer encapsulation
@@ -79,13 +79,13 @@
>20 belong 161 (Private use 14
>20 belong 162 (Private use 15
>20 belong 163 (802.11 with AVS header
->20 belong >163 (invalid link layer
->20 belong <0 (invalid link layer
+>20 belong >163 ({invalid} link layer
+>20 belong <0 ({invalid} link layer
>16 belong x \b, snaplen: %d)
0 lelong 0xa1b2c3d4 Libpcap capture file, little-endian,
->4 leshort >2 invalid
->4 leshort <0 invalid
+>4 leshort >2 {invalid}
+>4 leshort <0 {invalid}
>4 leshort x version %d
>6 leshort x \b.%d,
>20 lelong 0 (No link-layer encapsulation
@@ -148,7 +148,7 @@
>20 lelong 161 (Private use 14
>20 lelong 162 (Private use 15
>20 lelong 163 (802.11 with AVS header
->20 lelong >163 (invalid link layer
->20 lelong <0 (invalid link layer
+>20 lelong >163 ({invalid} link layer
+>20 lelong <0 ({invalid} link layer
>16 lelong x \b, snaplen: %d)
diff --git a/src/magic/sql b/src/magic/sql
index fb2032a..86dc95c 100644
--- a/src/magic/sql
+++ b/src/magic/sql
@@ -6,24 +6,24 @@
# Recognize some MySQL files.
#
0 beshort 0xfe01 MySQL table definition file
->2 string <1 invalid
->2 string >\11 invalid
+>2 string <1 {invalid}
+>2 string >\11 {invalid}
>2 byte x Version %d
0 string \xfe\xfe\x03 MySQL MISAM index file
->3 string <1 invalid
->3 string >\11 invalid
+>3 string <1 {invalid}
+>3 string >\11 {invalid}
>3 byte x Version %d
0 string \xfe\xfe\x07 MySQL MISAM compressed data file
->3 string <1 invalid
->3 string >\11 invalid
+>3 string <1 {invalid}
+>3 string >\11 {invalid}
>3 byte x Version %d
0 string \xfe\xfe\x05 MySQL ISAM index file
->3 string <1 invalid
->3 string >\11 invalid
+>3 string <1 {invalid}
+>3 string >\11 {invalid}
>3 byte x Version %d
0 string \xfe\xfe\x06 MySQL ISAM compressed data file
->3 string <1 invalid
->3 string >\11 invalid
+>3 string <1 {invalid}
+>3 string >\11 {invalid}
>3 byte x Version %d
#0 string \376bin MySQL replication log