Commit 9557e518 by devttys0

Initial commit of libmagic replacement

parent a3c4c779
# Code for filtering of results (e.g., removing invalid results)
import re
import binwalk.core.common as common
from binwalk.core.smart import Signature
from binwalk.core.compat import *
class FilterType(object):
FILTER_INCLUDE = 0
FILTER_EXCLUDE = 1
def __init__(self, **kwargs):
self.type = None
self.filter = None
self.regex = None
for (k,v) in iterator(kwargs):
setattr(self, k, v)
if self.regex is None:
self.regex = re.compile(self.filter)
class FilterInclude(FilterType):
def __init__(self, **kwargs):
super(FilterInclude, self).__init__(**kwargs)
self.type = self.FILTER_INCLUDE
class FilterExclude(FilterType):
def __init__(self, **kwargs):
super(FilterExclude, self).__init__(**kwargs)
self.type = self.FILTER_EXCLUDE
class Filter(object):
'''
Class to filter results based on include/exclude rules and false positive detection.
Note that all filter strings should be in lower case.
'''
# If the result returned by libmagic is "data" or contains the text
# 'invalid' or a backslash are known to be invalid/false positives.
UNKNOWN_RESULTS = ["data", "very short file (no magic)"]
INVALID_RESULT = "invalid"
NON_PRINTABLE_RESULT = "\\"
def __init__(self, show_invalid_results=None):
'''
Class constructor.
@show_invalid_results - A function to call that will return True to display results marked as invalid.
Returns None.
'''
self.filters = []
self.grep_filters = []
self.show_invalid_results = show_invalid_results
self.exclusive_filter = False
self.smart = Signature(self)
def include(self, match, exclusive=True):
'''
Adds a new filter which explicitly includes results that contain
the specified matching text.
@match - Regex, or list of regexs, to match.
@exclusive - If True, then results that do not explicitly contain
a FILTER_INCLUDE match will be excluded. If False,
signatures that contain the FILTER_INCLUDE match will
be included in the scan, but will not cause non-matching
results to be excluded.
Returns None.
'''
if not isinstance(match, type([])):
matches = [match]
else:
matches = match
for m in matches:
if m:
if exclusive and not self.exclusive_filter:
self.exclusive_filter = True
self.filters.append(FilterInclude(filter=m))
def exclude(self, match):
'''
Adds a new filter which explicitly excludes results that contain
the specified matching text.
@match - Regex, or list of regexs, to match.
Returns None.
'''
if not isinstance(match, type([])):
matches = [match]
else:
matches = match
for m in matches:
if m:
self.filters.append(FilterExclude(filter=m))
def filter(self, data):
'''
Checks to see if a given string should be excluded from or included in the results.
Called internally by Binwalk.scan().
@data - String to check.
Returns FILTER_INCLUDE if the string should be included.
Returns FILTER_EXCLUDE if the string should be excluded.
'''
data = data.lower()
# Loop through the filters to see if any of them are a match.
# If so, return the registered type for the matching filter (FILTER_INCLUDE || FILTER_EXCLUDE).
for f in self.filters:
if f.regex.search(data):
return f.type
# If there was not explicit match and exclusive filtering is enabled, return FILTER_EXCLUDE.
if self.exclusive_filter:
return FilterType.FILTER_EXCLUDE
return FilterType.FILTER_INCLUDE
def valid_result(self, data):
'''
Checks if the given string contains invalid data.
@data - String to validate.
Returns True if data is valid, False if invalid.
'''
# A result of 'data' is never ever valid (for libmagic results)
if data in self.UNKNOWN_RESULTS:
return False
# Make sure this result wasn't filtered
if self.filter(data) == FilterType.FILTER_EXCLUDE:
return False
# If showing invalid results, just return True without further checking.
if self.show_invalid_results:
return True
# Sanitized data contains only the non-quoted portion of the data
sanitized_data = common.strip_quoted_strings(self.smart.strip_tags(data))
# Don't include quoted strings or keyword arguments in this search, as
# strings from the target file may legitimately contain the INVALID_RESULT text.
if self.INVALID_RESULT in sanitized_data:
return False
# There should be no non-printable characters in any of the quoted string data
non_printables_raw = set(re.findall("\\\\\d{3}", data))
non_printables_sanitized = set(re.findall("\\\\d{3}", sanitized_data))
if len(non_printables_raw) and non_printables_raw != non_printables_sanitized:
return False
return True
def grep(self, data=None, filters=[]):
'''
Add or check case-insensitive grep filters against the supplied data string.
@data - Data string to check grep filters against. Not required if filters is specified.
@filters - Regex, or list of regexs, to add to the grep filters list. Not required if data is specified.
Returns None if data is not specified.
If data is specified, returns True if the data contains a grep filter, or if no grep filters exist.
If data is specified, returns False if the data does not contain any grep filters.
'''
# Add any specified filters to self.grep_filters
if filters:
if not isinstance(filters, type([])):
gfilters = [filters]
else:
gfilters = filters
for gfilter in gfilters:
# Filters are case insensitive
self.grep_filters.append(re.compile(gfilter))
# Check the data against all grep filters until one is found
if data is not None:
# If no grep filters have been created, always return True
if not self.grep_filters:
return True
# Filters are case insensitive
data = data.lower()
# If a filter exists in data, return True
for gfilter in self.grep_filters:
if gfilter.search(data):
return True
# Else, return False
return False
return None
def clear(self):
'''
Clears all include, exclude and grep filters.
Retruns None.
'''
self.filters = []
self.grep_filters = []
...@@ -4,7 +4,6 @@ import os ...@@ -4,7 +4,6 @@ import os
import sys import sys
import argparse import argparse
import binwalk.core.idb import binwalk.core.idb
import binwalk.core.filter
import binwalk.core.common import binwalk.core.common
import binwalk.core.display import binwalk.core.display
import binwalk.core.settings import binwalk.core.settings
......
...@@ -4,8 +4,6 @@ ...@@ -4,8 +4,6 @@
# If the lzma import fails, this module won't be loaded at all. # If the lzma import fails, this module won't be loaded at all.
import lzma import lzma
import binwalk.core.magic import binwalk.core.magic
import binwalk.core.smart
import binwalk.core.parser
from binwalk.core.module import Module, Option, Kwarg from binwalk.core.module import Module, Option, Kwarg
class Signature(Module): class Signature(Module):
...@@ -75,27 +73,13 @@ class Signature(Module): ...@@ -75,27 +73,13 @@ class Signature(Module):
VERBOSE_FORMAT = "%s %d" VERBOSE_FORMAT = "%s %d"
def init(self): def init(self):
self.keep_going = self.config.keep_going
# Initialize the filter
self.filter = binwalk.core.filter.Filter(self.show_invalid)
# Set any specified include/exclude filters
for regex in self.exclude_filters:
self.filter.exclude(regex)
for regex in self.include_filters:
self.filter.include(regex)
# Create Signature and MagicParser class instances. These are mostly for internal use.
self.smart = binwalk.core.smart.Signature(self.filter, ignore_smart_signatures=self.dumb_scan)
self.parser = binwalk.core.parser.MagicParser(self.filter, self.smart)
# If a raw byte sequence was specified, build a magic file from that instead of using the default magic files # If a raw byte sequence was specified, build a magic file from that instead of using the default magic files
if self.raw_bytes is not None: # TODO: re-implement this
self.magic_files = [self.parser.file_from_string(self.raw_bytes)] #if self.raw_bytes is not None:
# self.magic_files = [self.parser.file_from_string(self.raw_bytes)]
# Append the user's magic file first so that those signatures take precedence # Append the user's magic file first so that those signatures take precedence
elif self.search_for_opcodes: if self.search_for_opcodes:
self.magic_files = [ self.magic_files = [
self.config.settings.user.binarch, self.config.settings.user.binarch,
self.config.settings.system.binarch, self.config.settings.system.binarch,
...@@ -113,26 +97,25 @@ class Signature(Module): ...@@ -113,26 +97,25 @@ class Signature(Module):
self.magic_files.append(self.config.settings.user.binwalk) self.magic_files.append(self.config.settings.user.binwalk)
self.magic_files.append(self.config.settings.system.binwalk) self.magic_files.append(self.config.settings.system.binwalk)
# Parse the magic file(s)
binwalk.core.common.debug("Loading magic files: %s" % str(self.magic_files))
self.mfile = self.parser.parse(self.magic_files)
# Initialize libmagic # Initialize libmagic
self.magic = binwalk.core.magic.Magic(self.mfile, keep_going=self.keep_going) self.magic = binwalk.core.magic.Magic(include=self.include_filters,
exclude=self.exclude_filters,
invalid=self.show_invalid)
# Once the temporary magic files are loaded into libmagic, we don't need them anymore; delete the temp files # Parse the magic file(s)
if not binwalk.core.common.DEBUG: binwalk.core.common.debug("Loading magic files: %s" % str(self.magic_files))
self.parser.rm_magic_files() for f in self.magic_files:
self.magic.load(f)
self.VERBOSE = ["Signatures:", self.parser.signature_count] self.VERBOSE = ["Signatures:", len(self.magic.signatures)]
def validate(self, r): def validate(self, r):
''' '''
Called automatically by self.result. Called automatically by self.result.
''' '''
if self.filter.show_invalid_results: if self.show_invalid:
r.valid = True r.valid = True
else: elif r.valid:
if not r.description: if not r.description:
r.valid = False r.valid = False
...@@ -142,8 +125,6 @@ class Signature(Module): ...@@ -142,8 +125,6 @@ class Signature(Module):
if r.jump and (r.jump + r.offset) > r.file.size: if r.jump and (r.jump + r.offset) > r.file.size:
r.valid = False r.valid = False
r.valid = self.filter.valid_result(r.description)
def scan_file(self, fp): def scan_file(self, fp):
current_file_offset = 0 current_file_offset = 0
...@@ -156,29 +137,26 @@ class Signature(Module): ...@@ -156,29 +137,26 @@ class Signature(Module):
block_start = fp.tell() - dlen block_start = fp.tell() - dlen
self.status.completed = block_start - fp.offset self.status.completed = block_start - fp.offset
for candidate_offset in self.parser.find_signature_candidates(data, dlen): # TODO: Make magic scan return a results object.
for r in self.magic.scan(data, dlen):
# current_block_offset is set when a jump-to-offset keyword is encountered while # current_block_offset is set when a jump-to-offset keyword is encountered while
# processing signatures. This points to an offset inside the current data block # processing signatures. This points to an offset inside the current data block
# that scanning should jump to, so ignore any subsequent candidate signatures that # that scanning should jump to, so ignore any subsequent candidate signatures that
# occurr before this offset inside the current data block. # occur before this offset inside the current data block.
if candidate_offset < current_block_offset: if r.offset < current_block_offset:
continue
# Pass the data to libmagic for parsing
magic_result = self.magic.buffer(data[candidate_offset:candidate_offset+fp.block_peek_size])
if not magic_result:
continue continue
# The smart filter parser returns a binwalk.core.module.Result object
r = self.smart.parse(magic_result)
# Set the absolute offset inside the target file # Set the absolute offset inside the target file
r.offset = block_start + candidate_offset + r.adjust # TODO: Don't need the offset adjust stuff anymore, get rid of it
r.offset = block_start + r.offset + r.adjust
# Provide an instance of the current file object # Provide an instance of the current file object
r.file = fp r.file = fp
# Check if this was marked as invalid
r.valid = (not r.invalid)
# Register the result for futher processing/display # Register the result for futher processing/display
# self.result automatically calls self.validate for result validation # self.result automatically calls self.validate for result validation
self.result(r=r) self.result(r=r)
...@@ -200,6 +178,3 @@ class Signature(Module): ...@@ -200,6 +178,3 @@ class Signature(Module):
self.scan_file(fp) self.scan_file(fp)
self.footer() self.footer()
if hasattr(self, "magic") and self.magic:
self.magic.close()
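Review bot: In `init`, commenting out the `raw_bytes` branch means a scan requested with a raw byte sequence now falls through to the opcode or default magic files, with nothing telling the user the option was ignored. Until the TODO is done it would be safer to fail loudly, for example `if self.raw_bytes is not None: raise NotImplementedError("raw byte signature scans are not re-implemented yet")` (or the module's own error type, if it has one). `init` starts before and continues past the hunks shown, so the exact fall-through path is inferred from the visible `if self.search_for_opcodes:` line and the later `self.magic_files.append(...)` calls.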
...@@ -37,14 +37,14 @@ ...@@ -37,14 +37,14 @@
>4 byte 0x14 >4 byte 0x14
>>30 ubelong !0x6d696d65 at least v2.0 to extract, >>30 ubelong !0x6d696d65 at least v2.0 to extract,
>18 lelong !0 >18 lelong !0
>>18 lelong <0 invalid >>18 lelong <0 {invalid}
>>18 lelong x compressed size: %d, >>18 lelong x compressed size: %d,
>>18 lelong x {jump-to-offset:%d} >>18 lelong x {jump-to-offset:%d}
>22 lelong !0 >22 lelong !0
>>22 lelong <0 invalid >>22 lelong <0 {invalid}
>>22 lelong x uncompressed size: %d,{extract-delay:End of Zip archive} >>22 lelong x uncompressed size: %d,{extract-delay:End of Zip archive}
>30 byte <0x2D invalid file name, >30 byte <0x2D {invalid} file name,
>30 byte >0x7A invalid file name, >30 byte >0x7A {invalid} file name,
>30 string x name: {raw-replace} >30 string x name: {raw-replace}
>26 leshort x {raw-string-length:%d} >26 leshort x {raw-string-length:%d}
>30 string x {raw-string:%s >30 string x {raw-string:%s
...@@ -66,25 +66,25 @@ ...@@ -66,25 +66,25 @@
# ARJ archiver (jason@jarthur.Claremont.EDU) # ARJ archiver (jason@jarthur.Claremont.EDU)
0 leshort 0xea60 ARJ archive data, 0 leshort 0xea60 ARJ archive data,
>2 leshort x header size: %d, >2 leshort x header size: %d,
>5 byte <1 invalid >5 byte <1 {invalid}
>5 byte >16 invalid >5 byte >16 {invalid}
>5 byte x version %d, >5 byte x version %d,
>6 byte <1 invalid >6 byte <1 {invalid}
>6 byte >16 invalid >6 byte >16 {invalid}
>6 byte x minimum version to extract: %d, >6 byte x minimum version to extract: %d,
>8 byte <0 invalid flags, >8 byte <0 {invalid} flags,
>8 byte &0x04 multi-volume, >8 byte &0x04 multi-volume,
>8 byte &0x10 slash-switched, >8 byte &0x10 slash-switched,
>8 byte &0x20 backup, >8 byte &0x20 backup,
>9 byte <0 invalid compression method, >9 byte <0 {invalid} compression method,
>9 byte >4 invalid compression method, >9 byte >4 {invalid} compression method,
>9 byte 0 compression method: stored, >9 byte 0 compression method: stored,
>9 byte 1 compression method: compressed most, >9 byte 1 compression method: compressed most,
>9 byte 2 compression method: compressed, >9 byte 2 compression method: compressed,
>9 byte 3 compression method: compressed faster, >9 byte 3 compression method: compressed faster,
>9 byte 4 compression method: compressed fastest, >9 byte 4 compression method: compressed fastest,
>10 byte <0 invalid file type >10 byte <0 {invalid} file type
>10 byte >4 invalid file type >10 byte >4 {invalid} file type
>10 byte 0 file type: binary, >10 byte 0 file type: binary,
>10 byte 1 file type: 7-bit text, >10 byte 1 file type: 7-bit text,
>10 byte 2 file type: comment header, >10 byte 2 file type: comment header,
...@@ -94,9 +94,9 @@ ...@@ -94,9 +94,9 @@
>>34 string x {file-name:%s} >>34 string x {file-name:%s}
>>34 string x original name: "%s", >>34 string x original name: "%s",
>0xC ledate x original file date: %s, >0xC ledate x original file date: %s,
>0x10 lelong <0 invalid >0x10 lelong <0 {invalid}
>0x10 lelong x compressed file size: %d, >0x10 lelong x compressed file size: %d,
>0x14 lelong <0 invalid >0x14 lelong <0 {invalid}
>0x14 lelong x uncompressed file size: %d, >0x14 lelong x uncompressed file size: %d,
>7 byte 0 os: MS-DOS >7 byte 0 os: MS-DOS
>7 byte 1 os: PRIMOS >7 byte 1 os: PRIMOS
...@@ -108,13 +108,13 @@ ...@@ -108,13 +108,13 @@
>7 byte 7 os: Atari ST >7 byte 7 os: Atari ST
>7 byte 8 os: NeXT >7 byte 8 os: NeXT
>7 byte 9 os: VAX/VMS >7 byte 9 os: VAX/VMS
>7 byte >9 invalid os >7 byte >9 {invalid} os
>7 byte <0 invalid os >7 byte <0 {invalid} os
# RAR archiver (http://kthoom.googlecode.com/hg/docs/unrar.html) # RAR archiver (http://kthoom.googlecode.com/hg/docs/unrar.html)
0 string \x52\x61\x72\x21\x1A\x07\x00 RAR archive data, first volume type: 0 string \x52\x61\x72\x21\x1A\x07\x00 RAR archive data, first volume type:
>9 ubyte <0x72 invalid >9 ubyte <0x72 {invalid}
>9 ubyte >0x7B invalid >9 ubyte >0x7B {invalid}
>9 ubyte 0x72 MARK_HEAD >9 ubyte 0x72 MARK_HEAD
>9 ubyte 0x73 MAIN_HEAD >9 ubyte 0x73 MAIN_HEAD
>9 ubyte 0x74 FILE_HEAD >9 ubyte 0x74 FILE_HEAD
...@@ -155,18 +155,18 @@ ...@@ -155,18 +155,18 @@
# This keyword is not intended to be passed a string (%s), and doing so can open # This keyword is not intended to be passed a string (%s), and doing so can open
# up the possibility of keyword injection by a malicious file. This works here though, because: # up the possibility of keyword injection by a malicious file. This works here though, because:
# #
# 1) It would result in an invalid CPIO file (invalid size) # 1) It would result in an {invalid} CPIO file ({invalid} size)
# 2) All valid keywords require more than 8 bytes, so a valid one can't be # 2) All valid keywords require more than 8 bytes, so a valid one can't be
# injected in the %.8s field. # injected in the %.8s field.
0 string 070701 ASCII cpio archive (SVR4 with no CRC), 0 string 070701 ASCII cpio archive (SVR4 with no CRC),
>110 byte 0 invalid >110 byte 0 {invalid}
#>110 byte !0x2F #>110 byte !0x2F
#>>110 string !TRAILER!!! invalid #>>110 string !TRAILER!!! {invalid}
>94 byte <0x30 invalid >94 byte <0x30 {invalid}
>94 byte >0x66 invalid >94 byte >0x66 {invalid}
>54 byte <0x30 invalid >54 byte <0x30 {invalid}
>54 byte >0x66 invalid >54 byte >0x66 {invalid}
>110 string x file name: "%s", >110 string x file name: "%s",
>94 string x file name length: "0x%.8s", >94 string x file name length: "0x%.8s",
>54 string x file size: "0x%.8s" >54 string x file size: "0x%.8s"
...@@ -174,13 +174,13 @@ ...@@ -174,13 +174,13 @@
>94 string x \b0x%.8s} >94 string x \b0x%.8s}
0 string 070702 ASCII cpio archive (SVR4 with CRC) 0 string 070702 ASCII cpio archive (SVR4 with CRC)
>110 byte 0 invalid >110 byte 0 {invalid}
#>110 byte !0x2F #>110 byte !0x2F
#>>110 string !TRAILER!!! invalid #>>110 string !TRAILER!!! {invalid}
>94 byte <0x30 invalid >94 byte <0x30 {invalid}
>94 byte >0x66 invalid >94 byte >0x66 {invalid}
>54 byte <0x30 invalid >54 byte <0x30 {invalid}
>54 byte >0x66 invalid >54 byte >0x66 {invalid}
>110 string x file name: "%s", >110 string x file name: "%s",
>94 string x file name length: "0x%.8s", >94 string x file name length: "0x%.8s",
>54 string x file size: "0x%.8s" >54 string x file size: "0x%.8s"
...@@ -226,8 +226,8 @@ ...@@ -226,8 +226,8 @@
# IBM AIX Backup File Format header and entry signatures # IBM AIX Backup File Format header and entry signatures
0 lelong 0xea6b0009 BFF volume header, 0 lelong 0xea6b0009 BFF volume header,
>4 leshort x checksum: 0x%.4X, >4 leshort x checksum: 0x%.4X,
>6 leshort <0 invalid >6 leshort <0 {invalid}
>6 leshort 0 invalid >6 leshort 0 {invalid}
>6 leshort x volume number: %d, >6 leshort x volume number: %d,
>8 ledate x current date: %s, >8 ledate x current date: %s,
>12 ledate x starting date: %s, >12 ledate x starting date: %s,
...@@ -236,47 +236,47 @@ ...@@ -236,47 +236,47 @@
>52 string x user name: "%s" >52 string x user name: "%s"
0 leshort 0xea6b BFF volume entry,{offset-adjust:-2} 0 leshort 0xea6b BFF volume entry,{offset-adjust:-2}
>22 lelong <0 invalid >22 lelong <0 {invalid}
>22 lelong 0 directory, >22 lelong 0 directory,
>22 lelong >0 >22 lelong >0
>>22 lelong x file size: %d, >>22 lelong x file size: %d,
>>54 lelong <0 invalid >>54 lelong <0 {invalid}
>>54 lelong 0 invalid >>54 lelong 0 {invalid}
>>54 lelong x compressed size: %d, >>54 lelong x compressed size: %d,
>58 lelong !0 invalid >58 lelong !0 {invalid}
>62 byte 0 invalid >62 byte 0 {invalid}
>62 byte !0x2e >62 byte !0x2e
>>62 byte !0x2f invalid >>62 byte !0x2f {invalid}
>62 string x file name: "%s >62 string x file name: "%s
>92 string x \b%s" >92 string x \b%s"
0 leshort 0xea6c BFF volume entry, compressed,{offset-adjust:-2} 0 leshort 0xea6c BFF volume entry, compressed,{offset-adjust:-2}
>22 lelong <0 invalid >22 lelong <0 {invalid}
>22 lelong 0 directory, >22 lelong 0 directory,
>22 lelong >0 >22 lelong >0
>>22 lelong x file size: %d, >>22 lelong x file size: %d,
>>54 lelong <0 invalid >>54 lelong <0 {invalid}
>>54 lelong 0 invalid >>54 lelong 0 {invalid}
>>54 lelong x compressed size: %d, >>54 lelong x compressed size: %d,
>58 lelong !0 invalid >58 lelong !0 {invalid}
>62 byte 0 invalid >62 byte 0 {invalid}
>62 byte !0x2e >62 byte !0x2e
>>62 byte !0x2f invalid >>62 byte !0x2f {invalid}
>62 string x file name: "%s >62 string x file name: "%s
>92 string x \b%s" >92 string x \b%s"
0 leshort 0xea6d BFF volume entry, AIXv3,{offset-adjust:-2} 0 leshort 0xea6d BFF volume entry, AIXv3,{offset-adjust:-2}
>22 lelong <0 invalid >22 lelong <0 {invalid}
>22 lelong 0 directory, >22 lelong 0 directory,
>22 lelong >0 >22 lelong >0
>>22 lelong x file size: %d, >>22 lelong x file size: %d,
>>54 lelong <0 invalid >>54 lelong <0 {invalid}
>>54 lelong 0 invalid >>54 lelong 0 {invalid}
>>54 lelong x compressed size: %d, >>54 lelong x compressed size: %d,
>58 lelong !0 invalid >58 lelong !0 {invalid}
>62 byte 0 invalid >62 byte 0 {invalid}
>62 byte !0x2e >62 byte !0x2e
>>62 byte !0x2f invalid >>62 byte !0x2f {invalid}
>62 string x file name: "%s >62 string x file name: "%s
>92 string x \b%s" >92 string x \b%s"
...@@ -285,10 +285,10 @@ ...@@ -285,10 +285,10 @@
# Microsoft Cabinet files # Microsoft Cabinet files
0 string MSCF\0\0\0\0 Microsoft Cabinet archive data 0 string MSCF\0\0\0\0 Microsoft Cabinet archive data
# According to libmagic comments, CAB version number is always 1.3 # According to libmagic comments, CAB version number is always 1.3
>25 byte !1 \b,invalid major version >25 byte !1 \b,{invalid} major version
>24 byte !3 \b,invalid minor version >24 byte !3 \b,{invalid} minor version
>8 lelong x \b, %u bytes >8 lelong x \b, %u bytes
>28 leshort 0 \b, 0 files (invalid) >28 leshort 0 \b, 0 files ({invalid})
>28 leshort 1 \b, 1 file >28 leshort 1 \b, 1 file
>28 leshort >1 \b, %u files >28 leshort >1 \b, %u files
...@@ -297,9 +297,9 @@ ...@@ -297,9 +297,9 @@
# TODO: Version number checks should be made more specific for false positive filtering # TODO: Version number checks should be made more specific for false positive filtering
>5 byte&0xf0 =0x60 version 6, >5 byte&0xf0 =0x60 version 6,
>5 byte&0xf0 <0x60 version 4/5, >5 byte&0xf0 <0x60 version 4/5,
>5 byte&0xf0 >0x60 invalid version, >5 byte&0xf0 >0x60 {invalid} version,
>12 lelong <0 invalid offset, >12 lelong <0 {invalid} offset,
>12 lelong >100000 invalid offset, >12 lelong >100000 {invalid} offset,
>(12.l+40) lelong x %u files >(12.l+40) lelong x %u files
# Windows CE package files # Windows CE package files
...@@ -330,9 +330,9 @@ ...@@ -330,9 +330,9 @@
# BSA archives, based on http://forum.step-project.com/topic/5033-ramifications-of-bsa-extraction-in-mod-organizer/page-16 # BSA archives, based on http://forum.step-project.com/topic/5033-ramifications-of-bsa-extraction-in-mod-organizer/page-16
0 string BSA\x00\x67 BSA archive, version: 103, 0 string BSA\x00\x67 BSA archive, version: 103,
>8 byte !0x24 invalid >8 byte !0x24 {invalid}
>8 byte 0x24 folder records offset: %d >8 byte 0x24 folder records offset: %d
0 string BSA\x00\x68 BSA archive, version: 104, 0 string BSA\x00\x68 BSA archive, version: 104,
>8 byte !0x24 invalid >8 byte !0x24 {invalid}
>8 byte 0x24 folder records offset: %d >8 byte 0x24 folder records offset: %d
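Review bot: The cpio entries still print file-controlled text into the description (`>110 string x file name: "%s",`), while validity is now decided by an `{invalid}` tag in that same string. The removed `valid_result` check stripped quoted strings before looking for the marker; whether `binwalk.core.magic` only honours tags that come from the signature text is not visible on this page. If tags are parsed after formatting, a name containing the tag text could get a genuine entry dropped from the results, so this is worth confirming. Once verified, record it next to the keyword-injection comment above the `070701` signature, e.g. `# Tags are parsed before %s expansion, so file contents cannot supply {invalid}`. The same question applies to the other `"%s"` lines in this file (ARJ `original name`, BFF `file name`).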
...@@ -3,11 +3,11 @@ ...@@ -3,11 +3,11 @@
# CFE bootloader # CFE bootloader
0 string CFE1CFE1 CFE boot loader 0 string CFE1CFE1 CFE boot loader
>40 string CFE1CFE1 invalid >40 string CFE1CFE1 {invalid}
# U-Boot boot loader # U-Boot boot loader
0 string U-Boot\x20 U-Boot version string, 0 string U-Boot\x20 U-Boot version string,
>7 byte <48 invalid, >7 byte <48 {invalid},
>7 byte >57 invalid, >7 byte >57 {invalid},
>8 byte !0x2E invalid, >8 byte !0x2E {invalid},
>0 string x "%s" >0 string x "%s"
...@@ -17,11 +17,11 @@ ...@@ -17,11 +17,11 @@
# lzop from <markus.oberhumer@jk.uni-linz.ac.at> # lzop from <markus.oberhumer@jk.uni-linz.ac.at>
0 string \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a lzop compressed data 0 string \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a lzop compressed data
>9 beshort >0x093F invalid >9 beshort >0x093F {invalid}
>9 beshort <0x0940 >9 beshort <0x0940
>>9 byte&0xf0 =0x00 - version 0. >>9 byte&0xf0 =0x00 - version 0.
>>9 beshort&0x0fff x \b%03x, >>9 beshort&0x0fff x \b%03x,
>>9 beshort&0x0fff <1 invalid, >>9 beshort&0x0fff <1 {invalid},
>>13 byte 1 LZO1X-1, >>13 byte 1 LZO1X-1,
>>13 byte 2 LZO1X-1(15), >>13 byte 2 LZO1X-1(15),
>>13 byte 3 LZO1X-999, >>13 byte 3 LZO1X-999,
...@@ -58,9 +58,9 @@ ...@@ -58,9 +58,9 @@
# lzip # lzip
0 string LZIP lzip compressed data, 0 string LZIP lzip compressed data,
>4 ubyte 0 invalid >4 ubyte 0 {invalid}
# Current version is still 1.x # Current version is still 1.x
>4 ubyte >4 invalid >4 ubyte >4 {invalid}
>4 byte x version: %d >4 byte x version: %d
# lrzip # lrzip
...@@ -73,10 +73,10 @@ ...@@ -73,10 +73,10 @@
# http://www.7-zip.org or DOC/7zFormat.txt # http://www.7-zip.org or DOC/7zFormat.txt
# #
0 string 7z\274\257\047\034 7-zip archive data, 0 string 7z\274\257\047\034 7-zip archive data,
>6 byte <0 invalid >6 byte <0 {invalid}
>6 byte 0 >6 byte 0
>>7 byte 0 invalid >>7 byte 0 {invalid}
>6 byte >20 invalid >6 byte >20 {invalid}
>6 byte x version %d >6 byte x version %d
>7 byte x \b.%d >7 byte x \b.%d
...@@ -95,12 +95,12 @@ ...@@ -95,12 +95,12 @@
#0 string \037\213\x08 gzip compressed data #0 string \037\213\x08 gzip compressed data
0 string \x1f\x8b\x08 gzip compressed data 0 string \x1f\x8b\x08 gzip compressed data
>3 byte &0x01 \b, ASCII >3 byte &0x01 \b, ASCII
>3 byte&0xE0 !0x00 \b, invalid reserved flag bits >3 byte&0xE0 !0x00 \b, {invalid} reserved flag bits
>8 byte 2 \b, maximum compression >8 byte 2 \b, maximum compression
>8 byte 4 \b, fastest compression >8 byte 4 \b, fastest compression
>8 byte 1 \b, invalid extra flags >8 byte 1 \b, {invalid} extra flags
>8 byte 3 \b, invalid extra flags >8 byte 3 \b, {invalid} extra flags
>8 byte >4 \b, invalid extra flags >8 byte >4 \b, {invalid} extra flags
>3 byte &0x02 \b, has header CRC >3 byte &0x02 \b, has header CRC
>3 byte&0x04 0x04 >3 byte&0x04 0x04
>>10 leshort x \b, has %d bytes of extra data >>10 leshort x \b, has %d bytes of extra data
...@@ -125,18 +125,18 @@ ...@@ -125,18 +125,18 @@
>9 byte =0x0C \b, from QDOS >9 byte =0x0C \b, from QDOS
>9 byte =0x0D \b, from Acorn RISCOS >9 byte =0x0D \b, from Acorn RISCOS
#>9 byte =0xFF \b, from ZyNOS #>9 byte =0xFF \b, from ZyNOS
#>9 byte >0x0D \b, invalid #>9 byte >0x0D \b, {invalid}
#>>9 byte x source: 0x%.2X #>>9 byte x source: 0x%.2X
#>9 byte <0 \b, invalid #>9 byte <0 \b, {invalid}
#>>9 byte x source: 0x%.2X #>>9 byte x source: 0x%.2X
>3 byte &0x20 \b, encrypted (invalid) >3 byte &0x20 \b, encrypted ({invalid})
# Dates before 1992 are invalid, unless of course you're DD-WRT in which # Dates before 1992 are {invalid}, unless of course you're DD-WRT in which
# case you don't know how to set a date in your gzip files. Brilliant. # case you don't know how to set a date in your gzip files. Brilliant.
>4 lelong =0 \b, NULL date: >4 lelong =0 \b, NULL date:
>4 lelong <0 \b, invalid date: >4 lelong <0 \b, {invalid} date:
>4 lelong >0 >4 lelong >0
>>4 lelong <694224000 \b, invalid date: >>4 lelong <694224000 \b, {invalid} date:
>>4 lelong =694224000 \b, invalid date: >>4 lelong =694224000 \b, {invalid} date:
>>4 lelong >694224000 \b, last modified: >>4 lelong >694224000 \b, last modified:
>4 ledate x %s >4 ledate x %s
>4 lelong x \b{file-epoch:%d} >4 lelong x \b{file-epoch:%d}
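Review bot: The blanket `invalid` → `{invalid}` substitution also rewrote text that is not a validity marker. It changed the comment `# Dates before 1992 are {invalid}, unless ...` and the display string `\b, encrypted ({invalid})`, which will presumably print as `encrypted ()` if the tag is stripped from output. The comment should go back to `# Dates before 1992 are invalid, ...`, and the parenthesised form reads better as `\b, encrypted {invalid}`. The same pattern appears in the archive signatures: `# 1) It would result in an {invalid} CPIO file ({invalid} size)` and `\b, 0 files ({invalid})`.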
......
...@@ -77,16 +77,16 @@ ...@@ -77,16 +77,16 @@
0 string XBEH Microsoft Xbox executable (XBE), 0 string XBEH Microsoft Xbox executable (XBE),
## probabilistic checks whether signed or not ## probabilistic checks whether signed or not
>0x0004 ulelong =0x0 >0x0004 ulelong =0x0
>>2 ulelong !0x0 \b, invalid >>2 ulelong !0x0 \b, {invalid}
>>2 ulelong =0x0 >>2 ulelong =0x0
>>>2 ulelong !0x0 \b, invalid >>>2 ulelong !0x0 \b, {invalid}
>>>2 ulelong =0x0 \b, not signed >>>2 ulelong =0x0 \b, not signed
>0x0004 ulelong >0 >0x0004 ulelong >0
>>2 ulelong =0x0 \b, invalid >>2 ulelong =0x0 \b, {invalid}
>>2 ulelong >0 >>2 ulelong >0
>>>2 ulelong =0x0 \b, invalid >>>2 ulelong =0x0 \b, {invalid}
>>>2 ulelong >0 \b, signed >>>2 ulelong >0 \b, signed
>0x0104 lelong <0 \b, invalid base address >0x0104 lelong <0 \b, {invalid} base address
## expect base address of 0x10000 ## expect base address of 0x10000
>0x0104 ulelong =0x10000 >0x0104 ulelong =0x10000
>>(0x0118-0x0FF60) ulelong&0x80000007 0x80000007 \b, all regions >>(0x0118-0x0FF60) ulelong&0x80000007 0x80000007 \b, all regions
...@@ -103,8 +103,8 @@ ...@@ -103,8 +103,8 @@
# # http://home.comcast.net/~admiral_powerslave/filestructure.html # # http://home.comcast.net/~admiral_powerslave/filestructure.html
0 string XIP0 XIP, Microsoft Xbox data, 0 string XIP0 XIP, Microsoft Xbox data,
>12 lelong x total size: %d >12 lelong x total size: %d
>16 lelong !0 invalid >16 lelong !0 {invalid}
>24 lelong !0 invalid >24 lelong !0 {invalid}
0 string XTF0\x00\x00\x00 XTF, Microsoft Xbox data 0 string XTF0\x00\x00\x00 XTF, Microsoft Xbox data
......
...@@ -18,11 +18,11 @@ ...@@ -18,11 +18,11 @@
# Type: Certificates/key files in DER format # Type: Certificates/key files in DER format
# From: Gert Hulselmans <hulselmansgert@gmail.com> # From: Gert Hulselmans <hulselmansgert@gmail.com>
0 string \x30\x82 Private key in DER format (PKCS#8), 0 string \x30\x82 Private key in DER format (PKCS#8),
>4 string !\x02\x01\x00 invalid, >4 string !\x02\x01\x00 {invalid},
>>2 beshort x header length: 4, sequence length: %d >>2 beshort x header length: 4, sequence length: %d
0 string \x30\x82 Certificate in DER format (x509 v3), 0 string \x30\x82 Certificate in DER format (x509 v3),
>4 string !\x30\x82 invalid, >4 string !\x30\x82 {invalid},
>>2 beshort x header length: 4, sequence length: %d >>2 beshort x header length: 4, sequence length: %d
# GnuPG # GnuPG
...@@ -40,11 +40,11 @@ ...@@ -40,11 +40,11 @@
# Mavroyanopoulos Nikos <nmav@hellug.gr> # Mavroyanopoulos Nikos <nmav@hellug.gr>
# mcrypt: file(1) magic for mcrypt 2.2.x; # mcrypt: file(1) magic for mcrypt 2.2.x;
#0 string \0m\3 mcrypt 2.5 encrypted data, #0 string \0m\3 mcrypt 2.5 encrypted data,
#>4 byte 0 invalid #>4 byte 0 {invalid}
#>4 string >\0 algorithm: "%s", #>4 string >\0 algorithm: "%s",
#>>&1 leshort <1 invalid #>>&1 leshort <1 {invalid}
#>>&1 leshort >0 keysize: %d bytes, #>>&1 leshort >0 keysize: %d bytes,
#>>>&0 byte 0 invalid #>>>&0 byte 0 {invalid}
#>>>&0 string >\0 mode: "%s", #>>>&0 string >\0 mode: "%s",
0 string \0m\2 mcrypt 2.2 encrypted data, 0 string \0m\2 mcrypt 2.2 encrypted data,
...@@ -66,23 +66,23 @@ ...@@ -66,23 +66,23 @@
>3 byte 16 algorithm: blowfish-256, >3 byte 16 algorithm: blowfish-256,
>3 byte 100 algorithm: RC6, >3 byte 100 algorithm: RC6,
>3 byte 101 algorithm: IDEA, >3 byte 101 algorithm: IDEA,
>3 byte <0 invalid algorithm >3 byte <0 {invalid} algorithm
>3 byte >101 invalid algorithm, >3 byte >101 {invalid} algorithm,
>3 byte >16 >3 byte >16
>>3 byte <100 invalid algorithm, >>3 byte <100 {invalid} algorithm,
>4 byte 0 mode: CBC, >4 byte 0 mode: CBC,
>4 byte 1 mode: ECB, >4 byte 1 mode: ECB,
>4 byte 2 mode: CFB, >4 byte 2 mode: CFB,
>4 byte 3 mode: OFB, >4 byte 3 mode: OFB,
>4 byte 4 mode: nOFB, >4 byte 4 mode: nOFB,
>4 byte <0 invalid mode, >4 byte <0 {invalid} mode,
>4 byte >4 invalid mode, >4 byte >4 {invalid} mode,
>5 byte 0 keymode: 8bit >5 byte 0 keymode: 8bit
>5 byte 1 keymode: 4bit >5 byte 1 keymode: 4bit
>5 byte 2 keymode: SHA-1 hash >5 byte 2 keymode: SHA-1 hash
>5 byte 3 keymode: MD5 hash >5 byte 3 keymode: MD5 hash
>5 byte <0 invalid keymode >5 byte <0 {invalid} keymode
>5 byte >3 invalid keymode >5 byte >3 {invalid} keymode
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# pgp: file(1) magic for Pretty Good Privacy # pgp: file(1) magic for Pretty Good Privacy
......
...@@ -11,7 +11,7 @@ ...@@ -11,7 +11,7 @@
# #
# updated by Daniel Quinlan (quinlan@yggdrasil.com) # updated by Daniel Quinlan (quinlan@yggdrasil.com)
0 string \177ELF ELF 0 string \177ELF ELF
>4 byte 0 invalid class >4 byte 0 {invalid} class
>4 byte 1 32-bit >4 byte 1 32-bit
# only for MIPS - in the future, the ABI field of e_flags should be used. # only for MIPS - in the future, the ABI field of e_flags should be used.
>>18 leshort 8 >>18 leshort 8
...@@ -26,7 +26,7 @@ ...@@ -26,7 +26,7 @@
>4 byte >2 >4 byte >2
>>4 byte x unknown ELF class: 0x%X >>4 byte x unknown ELF class: 0x%X
>5 byte !1 >5 byte !1
>>5 byte !2 invalid byte order >>5 byte !2 {invalid} byte order
>5 byte 1 LSB >5 byte 1 LSB
# The official e_machine number for MIPS is now #8, regardless of endianness. # The official e_machine number for MIPS is now #8, regardless of endianness.
# The second number (#10) will be deprecated later. For now, we still # The second number (#10) will be deprecated later. For now, we still
...@@ -66,21 +66,21 @@ ...@@ -66,21 +66,21 @@
#>>>(0x38+0x10) lelong >0 (signal %d), #>>>(0x38+0x10) lelong >0 (signal %d),
>>16 leshort &0xff00 processor-specific, >>16 leshort &0xff00 processor-specific,
>>18 leshort 0 no machine, >>18 leshort 0 no machine,
>>18 leshort 1 AT&T WE32100 - invalid byte order, >>18 leshort 1 AT&T WE32100 - {invalid} byte order,
>>18 leshort 2 SPARC - invalid byte order, >>18 leshort 2 SPARC - {invalid} byte order,
>>18 leshort 3 Intel 80386, >>18 leshort 3 Intel 80386,
>>18 leshort 4 Motorola >>18 leshort 4 Motorola
>>>36 lelong &0x01000000 68000 - invalid byte order, >>>36 lelong &0x01000000 68000 - {invalid} byte order,
>>>36 lelong &0x00810000 CPU32 - invalid byte order, >>>36 lelong &0x00810000 CPU32 - {invalid} byte order,
>>>36 lelong 0 68020 - invalid byte order, >>>36 lelong 0 68020 - {invalid} byte order,
>>18 leshort 5 Motorola 88000 - invalid byte order, >>18 leshort 5 Motorola 88000 - {invalid} byte order,
>>18 leshort 6 Intel 80486, >>18 leshort 6 Intel 80486,
>>18 leshort 7 Intel 80860, >>18 leshort 7 Intel 80860,
>>18 leshort 8 MIPS, >>18 leshort 8 MIPS,
>>18 leshort 9 Amdahl - invalid byte order, >>18 leshort 9 Amdahl - {invalid} byte order,
>>18 leshort 10 MIPS (deprecated), >>18 leshort 10 MIPS (deprecated),
>>18 leshort 11 RS6000 - invalid byte order, >>18 leshort 11 RS6000 - {invalid} byte order,
>>18 leshort 15 PA-RISC - invalid byte order, >>18 leshort 15 PA-RISC - {invalid} byte order,
>>>50 leshort 0x0214 2.0 >>>50 leshort 0x0214 2.0
>>>48 leshort &0x0008 (LP64), >>>48 leshort &0x0008 (LP64),
>>18 leshort 16 nCUBE, >>18 leshort 16 nCUBE,
...@@ -96,7 +96,7 @@ ...@@ -96,7 +96,7 @@
>>18 leshort 41 Alpha, >>18 leshort 41 Alpha,
>>18 leshort 0xa390 IBM S/390 (obsolete), >>18 leshort 0xa390 IBM S/390 (obsolete),
>>18 leshort 42 Hitachi SH, >>18 leshort 42 Hitachi SH,
>>18 leshort 43 SPARC V9 - invalid byte order, >>18 leshort 43 SPARC V9 - {invalid} byte order,
>>18 leshort 44 Siemens Tricore Embedded Processor, >>18 leshort 44 Siemens Tricore Embedded Processor,
>>18 leshort 45 Argonaut RISC Core, Argonaut Technologies Inc., >>18 leshort 45 Argonaut RISC Core, Argonaut Technologies Inc.,
>>18 leshort 46 Hitachi H8/300, >>18 leshort 46 Hitachi H8/300,
...@@ -111,7 +111,7 @@ ...@@ -111,7 +111,7 @@
>>18 leshort 75 Digital VAX, >>18 leshort 75 Digital VAX,
>>18 leshort 97 NatSemi 32k, >>18 leshort 97 NatSemi 32k,
>>18 leshort 0x9026 Alpha (unofficial), >>18 leshort 0x9026 Alpha (unofficial),
>>20 lelong 0 invalid version >>20 lelong 0 {invalid} version
>>20 lelong 1 version 1 >>20 lelong 1 version 1
>>36 lelong 1 MathCoPro/FPU/MAU Required >>36 lelong 1 MathCoPro/FPU/MAU Required
>5 byte 2 MSB >5 byte 2 MSB
...@@ -150,13 +150,13 @@ ...@@ -150,13 +150,13 @@
>>18 beshort 0 no machine, >>18 beshort 0 no machine,
>>18 beshort 1 AT&T WE32100, >>18 beshort 1 AT&T WE32100,
>>18 beshort 2 SPARC, >>18 beshort 2 SPARC,
>>18 beshort 3 Intel 80386 - invalid byte order, >>18 beshort 3 Intel 80386 - {invalid} byte order,
>>18 beshort 4 Motorola >>18 beshort 4 Motorola
>>>36 belong &0x01000000 68000, >>>36 belong &0x01000000 68000,
>>>36 belong &0x00810000 CPU32, >>>36 belong &0x00810000 CPU32,
>>>36 belong 0 68020, >>>36 belong 0 68020,
>>18 beshort 5 Motorola 88000, >>18 beshort 5 Motorola 88000,
>>18 beshort 6 Intel 80486 - invalid byte order, >>18 beshort 6 Intel 80486 - {invalid} byte order,
>>18 beshort 7 Intel 80860, >>18 beshort 7 Intel 80860,
>>18 beshort 8 MIPS, >>18 beshort 8 MIPS,
>>18 beshort 9 Amdahl, >>18 beshort 9 Amdahl,
...@@ -201,7 +201,7 @@ ...@@ -201,7 +201,7 @@
>>18 beshort 0x9026 Alpha (unofficial), >>18 beshort 0x9026 Alpha (unofficial),
>>18 beshort 0xa390 IBM S/390 (obsolete), >>18 beshort 0xa390 IBM S/390 (obsolete),
>>18 beshort 0xde3d Ubicom32, >>18 beshort 0xde3d Ubicom32,
>>20 belong 0 invalid version >>20 belong 0 {invalid} version
>>20 belong 1 version 1 >>20 belong 1 version 1
>>36 belong 1 MathCoPro/FPU/MAU Required >>36 belong 1 MathCoPro/FPU/MAU Required
# Up to now only 0, 1 and 2 are defined; I've seen a file with 0x83, it seemed # Up to now only 0, 1 and 2 are defined; I've seen a file with 0x83, it seemed
...@@ -227,13 +227,13 @@ ...@@ -227,13 +227,13 @@
# Some simple Microsoft executable signatures # Some simple Microsoft executable signatures
0 string MZ\0\0\0\0\0\0 Microsoft 0 string MZ\0\0\0\0\0\0 Microsoft
>0x3c lelong <4 invalid >0x3c lelong <4 {invalid}
>(0x3c.l) string !PE\0\0 MS-DOS executable >(0x3c.l) string !PE\0\0 MS-DOS executable
>(0x3c.l) string PE\0\0 portable executable >(0x3c.l) string PE\0\0 portable executable
0 string MZ Microsoft 0 string MZ Microsoft
>0x3c lelong <4 invalid >0x3c lelong <4 {invalid}
>(0x3c.l) string !PE\0\0 invalid >(0x3c.l) string !PE\0\0 {invalid}
>(0x3c.l) string PE\0\0 portable executable >(0x3c.l) string PE\0\0 portable executable
...@@ -245,8 +245,8 @@ ...@@ -245,8 +245,8 @@
# Additional fields added by Craig Heffner # Additional fields added by Craig Heffner
# #
0 string bFLT BFLT executable 0 string bFLT BFLT executable
>4 belong <1 invalid >4 belong <1 {invalid}
>4 belong >4 invalid >4 belong >4 {invalid}
>4 belong x version %d, >4 belong x version %d,
>4 belong 4 >4 belong 4
>8 belong x code offset: 0x%.8X, >8 belong x code offset: 0x%.8X,
...@@ -361,7 +361,7 @@ ...@@ -361,7 +361,7 @@
>4 belong 0x0030 (Java 1.4) >4 belong 0x0030 (Java 1.4)
>4 belong 0x0031 (Java 1.5) >4 belong 0x0031 (Java 1.5)
>4 belong 0x0032 (Java 1.6) >4 belong 0x0032 (Java 1.6)
>4 belong >0x0050 invalid >4 belong >0x0050 {invalid}
# Summary: HP-38/39 calculator # Summary: HP-38/39 calculator
0 string HP38Bin HP 38 binary 0 string HP38Bin HP 38 binary
...@@ -376,8 +376,8 @@ ...@@ -376,8 +376,8 @@
>7 string I (Target List) >7 string I (Target List)
>7 string J (ASCII Vector specification) >7 string J (ASCII Vector specification)
>7 string K (wildcard) >7 string K (wildcard)
>7 byte <0x41 invalid >7 byte <0x41 {invalid}
>7 byte >0x4B invalid >7 byte >0x4B {invalid}
0 string HP39Bin HP 39 binary 0 string HP39Bin HP 39 binary
>7 string A (Directory List) >7 string A (Directory List)
...@@ -391,8 +391,8 @@ ...@@ -391,8 +391,8 @@
>7 string I (Target List) >7 string I (Target List)
>7 string J (ASCII Vector specification) >7 string J (ASCII Vector specification)
>7 string K (wildcard) >7 string K (wildcard)
>7 byte <0x41 invalid >7 byte <0x41 {invalid}
>7 byte >0x4B invalid >7 byte >0x4B {invalid}
0 string HP38Asc HP 38 ASCII 0 string HP38Asc HP 38 ASCII
>7 string A (Directory List) >7 string A (Directory List)
...@@ -406,8 +406,8 @@ ...@@ -406,8 +406,8 @@
>7 string I (Target List) >7 string I (Target List)
>7 string J (ASCII Vector specification) >7 string J (ASCII Vector specification)
>7 string K (wildcard) >7 string K (wildcard)
>7 byte <0x41 invalid >7 byte <0x41 {invalid}
>7 byte >0x4B invalid >7 byte >0x4B {invalid}
0 string HP39Asc HP 39 ASCII 0 string HP39Asc HP 39 ASCII
>7 string A (Directory List) >7 string A (Directory List)
...@@ -421,8 +421,8 @@ ...@@ -421,8 +421,8 @@
>7 string I (Target List) >7 string I (Target List)
>7 string J (ASCII Vector specification) >7 string J (ASCII Vector specification)
>7 string K (wildcard) >7 string K (wildcard)
>7 byte <0x41 invalid >7 byte <0x41 {invalid}
>7 byte >0x4B invalid >7 byte >0x4B {invalid}
# Summary: HP-48/49 calculator # Summary: HP-48/49 calculator
0 string HPHP48 HP 48 binary 0 string HPHP48 HP 48 binary
...@@ -450,8 +450,8 @@ ...@@ -450,8 +450,8 @@
>8 leshort 0x2e48 (GNAME) >8 leshort 0x2e48 (GNAME)
>8 leshort 0x2e6d (LNAME) >8 leshort 0x2e6d (LNAME)
>8 leshort 0x2e92 (XLIB) >8 leshort 0x2e92 (XLIB)
>8 leshort <0x2911 (invalid) >8 leshort <0x2911 ({invalid})
>8 leshort >0x2e92 (invalid) >8 leshort >0x2e92 ({invalid})
0 string HPHP49 HP 49 binary 0 string HPHP49 HP 49 binary
>8 leshort 0x2911 (ADR) >8 leshort 0x2911 (ADR)
...@@ -478,16 +478,16 @@ ...@@ -478,16 +478,16 @@
>8 leshort 0x2e48 (GNAME) >8 leshort 0x2e48 (GNAME)
>8 leshort 0x2e6d (LNAME) >8 leshort 0x2e6d (LNAME)
>8 leshort 0x2e92 (XLIB) >8 leshort 0x2e92 (XLIB)
>8 leshort <0x2911 (invalid) >8 leshort <0x2911 ({invalid})
>8 leshort >0x2e92 (invalid) >8 leshort >0x2e92 ({invalid})
0 string \x23!/ Executable script, 0 string \x23!/ Executable script,
>6 byte !0x2F >6 byte !0x2F
>>7 byte !0x2F invalid >>7 byte !0x2F {invalid}
>2 string x shebang: "%s" >2 string x shebang: "%s"
0 string \x23!\x20/ Executable script, 0 string \x23!\x20/ Executable script,
>7 byte !0x2F >7 byte !0x2F
>>8 byte !0x2F invalid >>8 byte !0x2F {invalid}
>3 string x shebang: "%s" >3 string x shebang: "%s"
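Review bot: In the two `MZ` signatures the 32-bit value at 0x3c is only checked against a lower bound (`>0x3c lelong <4 {invalid}`) before it is dereferenced as the indirect offset in the `>(0x3c.l) string !PE\0\0 ...` lines. That value comes straight from the scanned data, so a large one points far outside the header; how the new parser handles an out-of-range indirect offset is not visible here, and with the two-byte `MZ` magic these rules are evaluated on many false hits. An upper-bound rule in the style of the TIFF check elsewhere in this commit would tag those early, e.g. `>0x3c lelong >LIMIT {invalid}` placed before the `(0x3c.l)` lines, where LIMIT is a placeholder for a bound the author chooses.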
...@@ -2,18 +2,18 @@ ...@@ -2,18 +2,18 @@
# The second word of TIFF files is the TIFF version number, 42, which has # The second word of TIFF files is the TIFF version number, 42, which has
# never changed. The TIFF specification recommends testing for it. # never changed. The TIFF specification recommends testing for it.
0 string MM\x00\x2a TIFF image data, big-endian, 0 string MM\x00\x2a TIFF image data, big-endian,
>4 belong 0 invalid >4 belong 0 {invalid}
>4 belong <0 invalid >4 belong <0 {invalid}
# First image directory must begin on an even byte boundary # First image directory must begin on an even byte boundary
>4 belong &1 invalid >4 belong &1 {invalid}
>4 belong >10000000 invalid >4 belong >10000000 {invalid}
>4 belong x offset of first image directory: %d >4 belong x offset of first image directory: %d
0 string II\x2a\x00 TIFF image data, little-endian 0 string II\x2a\x00 TIFF image data, little-endian
>4 lelong 0 invalid >4 lelong 0 {invalid}
>4 lelong <0 invalid >4 lelong <0 {invalid}
>4 lelong &1 invalid >4 lelong &1 {invalid}
>4 lelong >10000000 invalid >4 lelong >10000000 {invalid}
>4 lelong x offset of first image directory: %d >4 lelong x offset of first image directory: %d
# PNG [Portable Network Graphics, or "PNG's Not GIF"] images # PNG [Portable Network Graphics, or "PNG's Not GIF"] images
...@@ -23,10 +23,10 @@ ...@@ -23,10 +23,10 @@
# 137 P N G \r \n ^Z \n [4-byte length] H E A D [HEAD data] [HEAD crc] ... # 137 P N G \r \n ^Z \n [4-byte length] H E A D [HEAD data] [HEAD crc] ...
# #
0 string \x89PNG\x0d\x0a\x1a\x0a PNG image 0 string \x89PNG\x0d\x0a\x1a\x0a PNG image
>16 belong <1 invalid >16 belong <1 {invalid}
>16 belong >10000 invalid >16 belong >10000 {invalid}
>20 belong <1 invalid >20 belong <1 {invalid}
>20 belong >10000 invalid >20 belong >10000 {invalid}
>16 belong x \b, %d x >16 belong x \b, %d x
>20 belong x %d, >20 belong x %d,
>24 byte x %d-bit >24 byte x %d-bit
...@@ -58,38 +58,38 @@ ...@@ -58,38 +58,38 @@
# PC bitmaps (OS/2, Windows BMP files) (Greg Roelofs, newt@uchicago.edu) # PC bitmaps (OS/2, Windows BMP files) (Greg Roelofs, newt@uchicago.edu)
0 string BM 0 string BM
>14 leshort 12 PC bitmap, OS/2 1.x format >14 leshort 12 PC bitmap, OS/2 1.x format
>>18 lelong <1 invalid >>18 lelong <1 {invalid}
>>18 lelong >1000000 invalid >>18 lelong >1000000 {invalid}
>>18 leshort x \b, %d x >>18 leshort x \b, %d x
>>20 lelong <1 invalid >>20 lelong <1 {invalid}
>>20 lelong >1000000 invalid >>20 lelong >1000000 {invalid}
>>20 leshort x %d >>20 leshort x %d
>14 leshort 64 PC bitmap, OS/2 2.x format >14 leshort 64 PC bitmap, OS/2 2.x format
>>18 lelong <1 invalid >>18 lelong <1 {invalid}
>>18 lelong >1000000 invalid >>18 lelong >1000000 {invalid}
>>18 leshort x \b, %d x >>18 leshort x \b, %d x
>>20 lelong <1 invalid >>20 lelong <1 {invalid}
>>20 lelong >1000000 invalid >>20 lelong >1000000 {invalid}
>>20 leshort x %d >>20 leshort x %d
>14 leshort 40 PC bitmap, Windows 3.x format >14 leshort 40 PC bitmap, Windows 3.x format
>>18 lelong <1 invalid >>18 lelong <1 {invalid}
>>18 lelong >1000000 invalid >>18 lelong >1000000 {invalid}
>>18 lelong x \b, %d x >>18 lelong x \b, %d x
>>22 lelong <1 invalid >>22 lelong <1 {invalid}
>>22 lelong >1000000 invalid >>22 lelong >1000000 {invalid}
>>22 lelong x %d x >>22 lelong x %d x
>>28 lelong <1 invalid >>28 lelong <1 {invalid}
>>28 lelong >1000000 invalid >>28 lelong >1000000 {invalid}
>>28 leshort x %d >>28 leshort x %d
>14 leshort 128 PC bitmap, Windows NT/2000 format >14 leshort 128 PC bitmap, Windows NT/2000 format
>>18 lelong >1000000 invalid >>18 lelong >1000000 {invalid}
>>18 lelong <1 invalid >>18 lelong <1 {invalid}
>>18 lelong x \b, %d x >>18 lelong x \b, %d x
>>22 lelong <1 invalid >>22 lelong <1 {invalid}
>>22 lelong >1000000 invalid >>22 lelong >1000000 {invalid}
>>22 lelong x %d x >>22 lelong x %d x
>>28 lelong <1 invalid >>28 lelong <1 {invalid}
>>28 lelong >1000000 invalid >>28 lelong >1000000 {invalid}
>>28 leshort x %d >>28 leshort x %d
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
...@@ -102,7 +102,7 @@ ...@@ -102,7 +102,7 @@
# both of which turn into "JPEG image data" here. # both of which turn into "JPEG image data" here.
# #
0 belong 0xffd8ffe0 JPEG image data, JFIF standard 0 belong 0xffd8ffe0 JPEG image data, JFIF standard
>6 string !JFIF invalid >6 string !JFIF {invalid}
# The following added by Erik Rossen <rossen@freesurf.ch> 1999-09-06 # The following added by Erik Rossen <rossen@freesurf.ch> 1999-09-06
# in a vain attempt to add image size reporting for JFIF. Note that these # in a vain attempt to add image size reporting for JFIF. Note that these
# tests are not fool-proof since some perfectly valid JPEGs are currently # tests are not fool-proof since some perfectly valid JPEGs are currently
...@@ -124,7 +124,7 @@ ...@@ -124,7 +124,7 @@
# EXIF moved down here to avoid reporting a bogus version number, # EXIF moved down here to avoid reporting a bogus version number,
# and EXIF version number printing added. # and EXIF version number printing added.
# - Patrik R=E5dman <patrik+file-magic@iki.fi> # - Patrik R=E5dman <patrik+file-magic@iki.fi>
>6 string !Exif invalid >6 string !Exif {invalid}
# Look for EXIF IFD offset in IFD 0, and then look for EXIF version tag in EXIF IFD. # Look for EXIF IFD offset in IFD 0, and then look for EXIF version tag in EXIF IFD.
# All possible combinations of entries have to be enumerated, since no looping # All possible combinations of entries have to be enumerated, since no looping
# is possible. And both endians are possible... # is possible. And both endians are possible...
...@@ -246,5 +246,5 @@ ...@@ -246,5 +246,5 @@
#>16 beshort x \b %d #>16 beshort x \b %d
0 string M88888888888888888888888888 Binwalk logo, ASCII art (Toph){offset-adjust:-50} 0 string M88888888888888888888888888 Binwalk logo, ASCII art (Toph){offset-adjust:-50}
>27 string !8888888888\n invalid >27 string !8888888888\n {invalid}
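Review bot: In the `BM` OS/2 1.x rules the range checks read `lelong` at offsets 18 and 20, which are only two bytes apart, while the values printed from the same offsets are `leshort`. Each 32-bit read therefore spans two adjacent 16-bit fields, so `>>18 lelong >1000000 {invalid}` presumably fires whenever the second field is 16 or more, and a well-formed bitmap would be dropped as invalid. Checking the width that the rule prints would avoid this: `>>18 leshort <1 {invalid}` and `>>20 leshort <1 {invalid}`, with the `>1000000` tests removed since a 16-bit value cannot reach them. The OS/2 2.x block has the same mix of `lelong` checks and `leshort` prints at 18 and 20 and should be confirmed against the header layout.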
...@@ -6,12 +6,12 @@ ...@@ -6,12 +6,12 @@
# and Nicolás Lichtmaier <nick@debian.org> # and Nicolás Lichtmaier <nick@debian.org>
# All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29 # All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29
0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90\x8e\xc0\xb9\x00\x01\x29\xf6\x29 Linux kernel boot image 0 string \xb8\xc0\x07\x8e\xd8\xb8\x00\x90\x8e\xc0\xb9\x00\x01\x29\xf6\x29 Linux kernel boot image
>514 string !HdrS (invalid) >514 string !HdrS ({invalid})
# Finds and prints Linux kernel strings in raw Linux kernels (output like uname -a). # Finds and prints Linux kernel strings in raw Linux kernels (output like uname -a).
# Commonly found in decompressed embedded kernel binaries. # Commonly found in decompressed embedded kernel binaries.
0 string Linux\ version\ Linux kernel version 0 string Linux\ version\ Linux kernel version
>14 byte 0 invalid >14 byte 0 {invalid}
>14 byte !0 >14 byte !0
>>14 string x "%s >>14 string x "%s
>>45 string x \b%s" >>45 string x \b%s"
...@@ -27,12 +27,12 @@ ...@@ -27,12 +27,12 @@
# jr $k1 # jr $k1
# nop # nop
0 string \x00\x68\x1A\x40\x00\x00\x00\x00\x7F\x00\x5A\x33 eCos kernel exception handler, architecture: MIPSEL, 0 string \x00\x68\x1A\x40\x00\x00\x00\x00\x7F\x00\x5A\x33 eCos kernel exception handler, architecture: MIPSEL,
>14 leshort !0x3C1B invalid >14 leshort !0x3C1B {invalid}
>18 leshort !0x277B invalid >18 leshort !0x277B {invalid}
>12 leshort x exception vector table base address: 0x%.4X >12 leshort x exception vector table base address: 0x%.4X
>16 leshort x \b%.4X >16 leshort x \b%.4X
0 string \x40\x1A\x68\x00\x00\x00\x00\x00\x33\x5A\x00\x7F eCos kernel exception handler, architecture: MIPS, 0 string \x40\x1A\x68\x00\x00\x00\x00\x00\x33\x5A\x00\x7F eCos kernel exception handler, architecture: MIPS,
>12 beshort !0x3C1B invalid >12 beshort !0x3C1B {invalid}
>16 beshort !0x277B invalid >16 beshort !0x277B {invalid}
>14 beshort x exception vector table base address: 0x%.4X >14 beshort x exception vector table base address: 0x%.4X
>18 beshort x \b%.4X >18 beshort x \b%.4X
...@@ -3,7 +3,7 @@ ...@@ -3,7 +3,7 @@
# pdf: file(1) magic for Portable Document Format # pdf: file(1) magic for Portable Document Format
# #
0 string %PDF- PDF document, 0 string %PDF- PDF document,
>6 byte !0x2e invalid >6 byte !0x2e {invalid}
>5 string x version: "%3s" >5 string x version: "%3s"
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
...@@ -27,10 +27,10 @@ ...@@ -27,10 +27,10 @@
0 string \x3chtml HTML document header{extract-delay:HTML document footer} 0 string \x3chtml HTML document header{extract-delay:HTML document footer}
>5 byte !0x20 >5 byte !0x20
>>5 byte !0x3e \b, invalid >>5 byte !0x3e \b, {invalid}
0 string \x3cHTML HTML document header{extract-delay:HTML document footer} 0 string \x3cHTML HTML document header{extract-delay:HTML document footer}
>5 byte !0x20 >5 byte !0x20
>>5 byte !0x3e \b, invalid >>5 byte !0x3e \b, {invalid}
0 string \x3c/html\x3e HTML document footer{offset-adjust:7} 0 string \x3c/html\x3e HTML document footer{offset-adjust:7}
0 string \x3c/HTML\x3e HTML document footer{offset-adjust:7} 0 string \x3c/HTML\x3e HTML document footer{offset-adjust:7}
...@@ -57,13 +57,13 @@ ...@@ -57,13 +57,13 @@
>63 string x \b%s" >63 string x \b%s"
0 string begin\x20 uuencoded data, 0 string begin\x20 uuencoded data,
>9 byte !0x20 invalid format, >9 byte !0x20 {invalid} format,
>6 byte <0x30 invalid permissions, >6 byte <0x30 {invalid} permissions,
>6 byte >0x39 invalid permissions, >6 byte >0x39 {invalid} permissions,
>7 byte <0x30 invalid permissions, >7 byte <0x30 {invalid} permissions,
>7 byte >0x39 invalid permissions, >7 byte >0x39 {invalid} permissions,
>8 byte <0x30 invalid permissions, >8 byte <0x30 {invalid} permissions,
>8 byte >0x39 invalid permissions, >8 byte >0x39 {invalid} permissions,
>10 string x file name: "%s", >10 string x file name: "%s",
>6 string x file permissions: "%.3s" >6 string x file permissions: "%.3s"
...@@ -16,7 +16,7 @@ ...@@ -16,7 +16,7 @@
# "libpcap" capture files. # "libpcap" capture files.
# #
0 string \xa1\xb2\xc3\xd4\x00 Libpcap capture file, big-endian, 0 string \xa1\xb2\xc3\xd4\x00 Libpcap capture file, big-endian,
>4 beshort >2 invalid >4 beshort >2 {invalid}
>4 beshort x version %d >4 beshort x version %d
>6 beshort x \b.%d, >6 beshort x \b.%d,
>20 belong 0 (No link-layer encapsulation >20 belong 0 (No link-layer encapsulation
...@@ -79,13 +79,13 @@ ...@@ -79,13 +79,13 @@
>20 belong 161 (Private use 14 >20 belong 161 (Private use 14
>20 belong 162 (Private use 15 >20 belong 162 (Private use 15
>20 belong 163 (802.11 with AVS header >20 belong 163 (802.11 with AVS header
>20 belong >163 (invalid link layer >20 belong >163 ({invalid} link layer
>20 belong <0 (invalid link layer >20 belong <0 ({invalid} link layer
>16 belong x \b, snaplen: %d) >16 belong x \b, snaplen: %d)
0 lelong 0xa1b2c3d4 Libpcap capture file, little-endian, 0 lelong 0xa1b2c3d4 Libpcap capture file, little-endian,
>4 leshort >2 invalid >4 leshort >2 {invalid}
>4 leshort <0 invalid >4 leshort <0 {invalid}
>4 leshort x version %d >4 leshort x version %d
>6 leshort x \b.%d, >6 leshort x \b.%d,
>20 lelong 0 (No link-layer encapsulation >20 lelong 0 (No link-layer encapsulation
...@@ -148,7 +148,7 @@ ...@@ -148,7 +148,7 @@
>20 lelong 161 (Private use 14 >20 lelong 161 (Private use 14
>20 lelong 162 (Private use 15 >20 lelong 162 (Private use 15
>20 lelong 163 (802.11 with AVS header >20 lelong 163 (802.11 with AVS header
>20 lelong >163 (invalid link layer >20 lelong >163 ({invalid} link layer
>20 lelong <0 (invalid link layer >20 lelong <0 ({invalid} link layer
>16 lelong x \b, snaplen: %d) >16 lelong x \b, snaplen: %d)
...@@ -6,24 +6,24 @@ ...@@ -6,24 +6,24 @@
# Recognize some MySQL files. # Recognize some MySQL files.
# #
0 beshort 0xfe01 MySQL table definition file 0 beshort 0xfe01 MySQL table definition file
>2 string <1 invalid >2 string <1 {invalid}
>2 string >\11 invalid >2 string >\11 {invalid}
>2 byte x Version %d >2 byte x Version %d
0 string \xfe\xfe\x03 MySQL MISAM index file 0 string \xfe\xfe\x03 MySQL MISAM index file
>3 string <1 invalid >3 string <1 {invalid}
>3 string >\11 invalid >3 string >\11 {invalid}
>3 byte x Version %d >3 byte x Version %d
0 string \xfe\xfe\x07 MySQL MISAM compressed data file 0 string \xfe\xfe\x07 MySQL MISAM compressed data file
>3 string <1 invalid >3 string <1 {invalid}
>3 string >\11 invalid >3 string >\11 {invalid}
>3 byte x Version %d >3 byte x Version %d
0 string \xfe\xfe\x05 MySQL ISAM index file 0 string \xfe\xfe\x05 MySQL ISAM index file
>3 string <1 invalid >3 string <1 {invalid}
>3 string >\11 invalid >3 string >\11 {invalid}
>3 byte x Version %d >3 byte x Version %d
0 string \xfe\xfe\x06 MySQL ISAM compressed data file 0 string \xfe\xfe\x06 MySQL ISAM compressed data file
>3 string <1 invalid >3 string <1 {invalid}
>3 string >\11 invalid >3 string >\11 {invalid}
>3 byte x Version %d >3 byte x Version %d
#0 string \376bin MySQL replication log #0 string \376bin MySQL replication log
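Review bot: The version range checks in all five MySQL signatures are `string` tests (`>3 string <1 {invalid}`, `>3 string >\11 {invalid}`), but the same field is printed as a number with `>3 byte x Version %d`. Under file(1) semantics a bare `1` in a `string` test is the character '1' (0x31), not the value 1, while `\11` is an octal escape for 9, so the two bounds overlap and a small binary version byte would presumably be tagged invalid; whether the replacement parser reads them the same way is not visible here. Numeric tests would match the printed field: `>3 byte <1 {invalid}` and `>3 byte >9 {invalid}` (offset 2 for the table definition rule), with the upper bound to be confirmed by the author since `\11` may have been meant as decimal 11.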
......