Imported Upstream version 0.4.5
[packages/binwalk.git] / src / magic / magic.compressed
1
2 #------------------Compression Formats-----------------------------
3
4 # bzip2
5 0       string          BZh
6 >4      string          1AY&SY          bzip2 compressed data
7 !:mime  application/x-bzip2
8 >>3      byte            >47            \b, block size = %c00k
9
10 # lzip  
11 0       string          LZIP            lzip compressed data
12 !:mime application/x-lzip
13 >4      byte            x               \b, version: %d
14
15 # LZO
16 0       string          \211LZO\000\015\012\032\012     LZO compressed data
17
18 # 7-zip archiver, from Thomas Klausner (wiz@danbala.tuwien.ac.at)
19 # http://www.7-zip.org or DOC/7zFormat.txt 
20 #
21 0       string          7z\274\257\047\034      7-zip archive data,
22 >6      byte            x                       version %d
23 >7      byte            x                       \b.%d
24
25 # standard unix compress
26 0       beshort         0x1f9d          compress'd data
27 >2      byte&0x80       >0              block compressed
28 >2      byte&0x1f       x               %d bits
29
30 # gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver)
31 #   Edited by Chris Chittleborough <cchittleborough@yahoo.com.au>, March 2002
32 #       * Original filename is only at offset 10 if "extra field" absent
33 #       * Produce shorter output - notably, only report compression methods
34 #         other than 8 ("deflate", the only method defined in RFC 1952).
35 0       string          \037\213        gzip compressed data
36 !:mime  application/x-gzip
37 >2      byte            <8              \b, reserved (invalid) method
38 >2      byte            >8              \b, unknown (invalid) method
39 >3      byte            &0x01           \b, ASCII
40 >3      byte            &0x02           \b, has CRC
41 >3      byte            &0x04           \b, extra field
42 >3      byte&0xC        =0x08
43 >>10    string          x               \b, was "%s"
44 >3      byte            &0x10           \b, has comment
45 >9      byte            =0x00           \b, from FAT filesystem (MS-DOS, OS/2, NT)
46 >9      byte            =0x01           \b, from Amiga
47 >9      byte            =0x02           \b, from VMS
48 >9      byte            =0x03           \b, from Unix
49 >9      byte            =0x04           \b, from VM/CMS
50 >9      byte            =0x05           \b, from Atari
51 >9      byte            =0x06           \b, from HPFS filesystem (OS/2, NT)
52 >9      byte            =0x07           \b, from MacOS
53 >9      byte            =0x08           \b, from Z-System
54 >9      byte            =0x09           \b, from CP/M
55 >9      byte            =0x0A           \b, from TOPS/20
56 >9      byte            =0x0B           \b, from NTFS filesystem (NT)
57 >9      byte            =0x0C           \b, from QDOS
58 >9      byte            =0x0D           \b, from Acorn RISCOS
59 >9      byte            >0x0D           \b, invalid source
60 >3      byte            &0x10           \b, comment
61 >3      byte            &0x20           \b, encrypted
62 # Dates before 1992 are invalid, unless of course you're DD-WRT in which
63 # case you don't know how to set a date in your gzip files. Brilliant.
64 >4      lelong          =0              \b, NULL date:
65 >4      lelong          <0              \b, invalid date:
66 >4      lelong          >0              
67 >>4     lelong          <694224000      \b, invalid date:
68 >>4     lelong          =694224000      \b, invalid date:
69 >>4     lelong          >694224000      \b, last modified:
70 >4      ledate          x               %s
71 >8      byte            2               \b, max compression
72 >8      byte            4               \b, max speed
73
74 # Zlib signatures
75 0       beshort         0x789C          zlib compressed data
76 0       beshort         0x78DA          zlib compressed data
77 0       beshort         0x7801          zlib compressed data
78
79 # Supplementary magic data for the file(1) command to support
80 # rzip(1).  The format is described in magic(5).
81 #
82 # Copyright (C) 2003 by Andrew Tridgell.  You may do whatever you want with
83 # this file.
84 #
85 0       string          RZIP            rzip compressed data
86 >4      byte            x               - version %d
87 >5      byte            x               \b.%d
88 >6      belong          x               (%d bytes)
89
90 # ZIP compression (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)
91 0       string          PK\003\004      Zip archive data, 
92 >4      byte            0x00            v0.0
93 !:mime  application/zip 
94 >4      byte            0x09            at least v0.9 to extract
95 !:mime  application/zip 
96 >4      byte            0x0a            at least v1.0 to extract
97 !:mime  application/zip 
98 >4      byte            0x0b            at least v1.1 to extract
99 !:mime  application/zip
100 >0x161  string          WINZIP          WinZIP self-extracting
101 !:mime  application/zip
102 >4      byte            0x14
103 >>30    ubelong         !0x6d696d65     at least v2.0 to extract
104 !:mime  application/zip
105
106 # Alternate ZIP string (amc@arwen.cs.berkeley.edu)
107 0       string          PK00PK\003\004  Zip archive data [NSRL|ZIP]
108
109 # Type: LZMA            
110 # URL:  http://www.7-zip.org/sdk.html   
111 #
112 # Added additional parsing to help verify LZMA matches and weed out false positives.
113 # Added improved signature checking.
114 # Added checks for possibly (probably) invalid matches.
115 # From: Craig Heffner
116
117 #First LZMA signature
118 0       string                  \x5d\x00\x00            LZMA compressed data,
119 >0      leshort                 >0xE0                   invalid
120 >0      byte                    x                       properties: 0x%.2X,
121 >1      lelong                  <1                      invalid
122 >1      lelong                  x                       dictionary size: %d bytes,
123 >5      lequad                  0                       invalid
124 >5      lequad                  <0                      invalid
125 >5      lequad                  >0x40000000             invalid
126 >5      lequad                  x                       uncompressed size: %lld bytes
127
128 #An alternative common LZMA signature
129 1       belong                  0x00008000              LZMA compressed data,
130 >0      byte                    0                       invalid
131 >0      leshort                 >0xE0                   invalid
132 >0      byte                    x                       properties: 0x%.2X,
133 >1      lelong                  <1                      invalid
134 >1      lelong                  x                       dictionary size: %d bytes,
135 >5      lequad                  0                       invalid
136 >5      lequad                  <0                      invalid
137 >5      lequad                  >0x40000000             invalid
138 >5      lequad                  x                       uncompressed size: %lld bytes
139
140 #Signature for less common LZMA flag/dictionary values. Results in lots of false positives, but usually marked as invalid.
141 1       beshort                 0x0000                  LZMA compressed data,
142 >0      byte                    0                       invalid
143 >0      byte                    >0xE0                   invalid
144 >0      byte                    x                       properties: 0x%.2X,
145 >1      lelong                  <1                      invalid
146 >1      lelong                  x                       dictionary size: %d bytes,
147 >5      lequad                  0                       invalid
148 >5      lequad                  <0                      invalid
149 >5      lequad                  >0x40000000             invalid
150 >5      lequad                  x                       uncompressed size: %lld bytes
151
152