Imported Upstream version 1.0 upstream/1.0
authorDevon Kearns <dookie@kali.org>
Fri, 15 Feb 2013 17:52:36 +0000 (10:52 -0700)
committerDevon Kearns <dookie@kali.org>
Fri, 15 Feb 2013 17:52:36 +0000 (10:52 -0700)
59 files changed:
bin/binwalk [new file with mode: 0755]
binwalk/__init__.py [new file with mode: 0644]
binwalk/common.py [new file with mode: 0644]
binwalk/config.py [new file with mode: 0644]
binwalk/config/extract.conf [new file with mode: 0644]
binwalk/extractor.py [new file with mode: 0644]
binwalk/filter.py [new file with mode: 0644]
binwalk/magic/binarch [new file with mode: 0644]
binwalk/magic/bincast [new file with mode: 0644]
binwalk/magic/binwalk [new file with mode: 0644]
binwalk/parser.py [new file with mode: 0644]
binwalk/prettyprint.py [new file with mode: 0644]
binwalk/smartsig.py [new file with mode: 0644]
binwalk/update.py [new file with mode: 0644]
docs/API [new file with mode: 0644]
docs/README
magic/archives [new file with mode: 0644]
magic/bootloaders [new file with mode: 0644]
magic/compressed [new file with mode: 0644]
magic/crypto [new file with mode: 0644]
magic/executables [new file with mode: 0644]
magic/filesystems [new file with mode: 0644]
magic/firmware [new file with mode: 0644]
magic/images [new file with mode: 0644]
magic/kernels [new file with mode: 0644]
magic/lzma [new file with mode: 0644]
magic/sql [new file with mode: 0644]
setup.py [new file with mode: 0755]
src/Makefile.in [deleted file]
src/binwalk.c [deleted file]
src/binwalk.h [deleted file]
src/common.c [deleted file]
src/common.h [deleted file]
src/configure [deleted file]
src/configure.ac [deleted file]
src/dd.c [deleted file]
src/dd.h [deleted file]
src/filter.c [deleted file]
src/filter.h [deleted file]
src/magic.binarch [deleted file]
src/magic.bincast [deleted file]
src/magic.binwalk [deleted file]
src/magic/magic.archives [deleted file]
src/magic/magic.bootloaders [deleted file]
src/magic/magic.compressed [deleted file]
src/magic/magic.crypto [deleted file]
src/magic/magic.executables [deleted file]
src/magic/magic.filesystems [deleted file]
src/magic/magic.firmware [deleted file]
src/magic/magic.images [deleted file]
src/magic/magic.kernels [deleted file]
src/magic/magic.sql [deleted file]
src/md5.c [deleted file]
src/md5.h [deleted file]
src/mparse.c [deleted file]
src/mparse.h [deleted file]
src/update.c [deleted file]
src/update.h [deleted file]
support/lzma_gen.py [new file with mode: 0755]

diff --git a/bin/binwalk b/bin/binwalk
new file mode 100755 (executable)
index 0000000..8622cdf
--- /dev/null
@@ -0,0 +1,294 @@
+#!/usr/bin/env python
+
+import sys
+import os.path
+import binwalk
+from threading import Thread
+from binwalk.common import str2int
+from getopt import GetoptError, getopt as GetOpt
+
+def display_status(bwalk):
+       while True:
+               # Display the current scan progress when the enter key is pressed.
+               raw_input()
+               print "Progress: %.2f%% (%d / %d)\n" % (((float(bwalk.total_scanned) / float(bwalk.scan_length)) * 100), bwalk.total_scanned, bwalk.scan_length)
+
+def usage(fd):
+       fd.write("\n")
+       fd.write("Binwalk v%s\n" % binwalk.Config.VERSION)
+       fd.write("Craig Heffner, http://www.devttys0.com\n")
+       fd.write("\n")
+       fd.write("Usage: %s [OPTIONS] [FILE1] [FILE2] [FILE3] ...\n" % os.path.basename(sys.argv[0]))
+       fd.write("\n")
+       fd.write("\t-o, --offset=<int>            Start scan at this file offset\n")
+       fd.write("\t-l, --length=<int>            Number of bytes to scan\n")
+       fd.write("\t-b, --align=<int>             Set byte alignment [default: 1]\n")
+       fd.write("\t-m, --magic=<file>            Specify an alternate magic file to use\n")
+       fd.write("\t-i, --include=<filter>        Include matches that are normally excluded and that have <filter> in their description\n")
+       fd.write("\t-x, --exclude=<filter>        Exclude matches that have <filter> in their description\n")
+       fd.write("\t-y, --search=<filter>         Only search for matches that have <filter> in their description\n")
+       fd.write("\t-g, --grep=<text>             Grep results for the specified text\n")
+       fd.write("\t-R, --raw-bytes=<string>      Search for a sequence of raw bytes instead of using the default magic signatures\n")
+       fd.write("\t-f, --file=<file>             Log results to file\n")
+       fd.write("\t-D, --dd=<type:ext[:cmd]>     Extract entries whose descriptions match <type>, give them file extension <ext>, and execute <cmd>\n")
+       fd.write("\t-e, --extract=[file]          Automatically extract known file types. Load rules from file, if specified.\n")
+       fd.write("\t-r, --rm                      Cleanup extracted files and zero-size files\n")
+       fd.write("\t-d, --delay                   Delay file extraction for files with known footers\n")
+       fd.write("\t-a, --all                     Include all short signatures\n")
+       fd.write("\t-I, --show-invalid            Show results marked as invalid\n")
+       fd.write("\t-A, --opcodes                 Scan for executable code\n")
+       fd.write("\t-C, --cast                    Cast file contents as various data types\n")
+       fd.write("\t-k, --keep-going              Show all matching results at a given offset, not just the first one\n")
+       fd.write("\t-q, --quiet                   Supress output to stdout\n")
+       fd.write("\t-v, --verbose                 Be verbose (specify twice for very verbose)\n")
+       fd.write("\t-u, --update                  Update magic signature files\n")
+       fd.write("\t-h, --help                    Show help output\n")
+       fd.write("\n")
+
+       if fd == sys.stderr:
+               sys.exit(1)
+       else:
+               sys.exit(0)
+
+def main():
+       MIN_ARGC = 2
+       align = 1
+       offset = 0
+       length = 0
+       quiet = False
+       pre_filter = True
+       verbose = 0
+       log_file = None
+       show_invalid = False
+       short_sig = True
+       custom_signature = None
+       delay_extraction = False
+       extract_rules_file = None
+       extract_from_config = False
+       cleanup_after_extract = False
+       magic_flags = binwalk.magic.MAGIC_NONE
+       options = []
+       magic_files = []
+       target_files = []
+       greps = []
+       includes = []
+       excludes = []
+       searches = []
+       extracts = []
+
+       config = binwalk.Config()
+
+       short_options = "aACdhkeqruvPIf:o:l:b:i:x:y:D:m:R:g:"
+       long_options = [
+                       "rm",
+                       "all",
+                       "help", 
+                       "quiet", 
+                       "verbose",
+                       "opcodes",
+                       "cast",
+                       "update",
+                       "keep-going",
+                       "show-invalid",
+                       "profile",
+                       "delay",
+                       "file=", 
+                       "offset=", 
+                       "length=", 
+                       "align=",
+                       "include=",
+                       "exclude=",
+                       "extract=",
+                       "search=",
+                       "dd=",
+                       "grep=",
+                       "magic=",
+                       "raw-bytes=",
+       ]
+
+       # Require at least one argument (the target file)
+       if len(sys.argv) < MIN_ARGC:
+               usage(sys.stderr)
+
+       try:
+               opts, args = GetOpt(sys.argv[1:], short_options, long_options)
+       except GetoptError, e:
+               sys.stderr.write("%s\n" % str(e))
+               usage(sys.stderr)
+
+       for opt, arg in opts:
+               if opt in ("-h", "--help"):
+                       usage(sys.stdout)
+               elif opt in ("-d", "--delay"):
+                       delay_extraction = True
+               elif opt in ("-f", "--file"):
+                       log_file = arg
+               elif opt in ("-q", "--quiet"):
+                       quiet = True
+               elif opt in ("-v", "--verbose"):
+                       verbose += 1
+               elif opt in ("-o", "--offset"):
+                       offset = str2int(arg)
+               elif opt in ("-l", "--length"):
+                       length = str2int(arg)
+               elif opt in ("-b", "--align"):
+                       align = str2int(arg)
+               elif opt in ("-i", "--include"):
+                       includes.append(arg)
+               elif opt in ("-y", "--search"):
+                       searches.append(arg)
+               elif opt in ("-x", "--exclude"):
+                       excludes.append(arg)
+               elif opt in ("-D", "--dd"):
+                       extracts.append(arg)
+               elif opt in ("-g", "--grep"):
+                       greps.append(arg)
+               elif opt in ("-e", "--extract"):
+                       if arg:
+                               extract_rules_file = arg
+                       else:
+                               extract_from_config = True
+               elif opt in ("-r", "--rm"):
+                       cleanup_after_extract = True
+               elif opt in ("-m", "--magic"):
+                       magic_files.append(arg)
+               elif opt in ("-a", "--all"):
+                       short_sig = False
+               elif opt in ("-k", "--keep-going"):
+                       magic_flags |= binwalk.magic.MAGIC_CONTINUE
+               elif opt in ("-I", "--show-invalid"):
+                       show_invalid = True
+
+               elif opt in ("-A", "--opcodes"):
+                       # Check every single offset
+                       align = 1
+                       # Don't filter out short signatures as some opcode sigs are only 2 bytes
+                       short_sig = False
+                       # Load user file first so its signatures take precedence
+                       magic_files.append(config.paths['user'][config.BINARCH_MAGIC_FILE])
+                       magic_files.append(config.paths['system'][config.BINARCH_MAGIC_FILE])
+               elif opt in ("-C", "--cast"):
+                       # Check every single offset
+                       align = 1
+                       # Don't stop at the first match (everything matches everything in this scan)
+                       magic_flags |= binwalk.magic.MAGIC_CONTINUE
+                       # Disable all pre filtering; we want to check everything for this scan
+                       pre_filter = False
+                       # Don't filter shot signatures, or else some casts won't be displayed
+                       short_sig = False
+                       # Load user file first so its signatures take precedence
+                       magic_files.append(config.paths['user'][config.BINCAST_MAGIC_FILE])
+                       magic_files.append(config.paths['system'][config.BINCAST_MAGIC_FILE])
+               elif opt in ("-R", "--raw-bytes"):
+                       # Disable short signature filtering, as the supplied string may be short
+                       short_sig = False
+                       custom_signature = arg
+               elif opt in ("-u", "--update"):
+                       try:
+                               sys.stdout.write("Updating signatures...")
+                               sys.stdout.flush()
+
+                               binwalk.Update().update()
+
+                               sys.stdout.write("done.\n")
+                               sys.exit(0)
+                       except Exception, e:
+                               if 'Permission denied' in str(e):
+                                       sys.stderr.write("failed (permission denied). Check your user permissions, or run the update as root.\n")
+                               else:
+                                       sys.stderr.write('\n' + str(e) + '\n')
+                               sys.exit(1)
+               # The --profile option is handled prior to calling main()
+               elif opt not in ('-P', '--profile'):
+                       usage(sys.stderr)
+
+               # Append the option and argument to the list of processed options
+               # This is used later to determine which argv entries are file names
+               options.append(opt)
+               options.append(arg)
+               options.append("%s%s" % (opt, arg))
+               options.append("%s=%s" % (opt, arg))
+
+       # Treat any command line options not processed by getopt as target file paths
+       for opt in sys.argv[1:]:
+               #TODO: Do we really want to not process valid files that start with a '-'?
+               #      This is probably OK, and ensures that no options are treated as target files.
+               if opt not in options and not opt.startswith('-'):
+                       target_files.append(opt)
+
+       # If more than one target file was specified, enable verbose mode; else, there is
+       # nothing in the output to indicate which scan corresponds to which file.
+       if len(target_files) > 1:
+               verbose = True
+
+       # Instantiate the Binwalk class
+       bwalk = binwalk.Binwalk(flags=magic_flags, verbose=verbose, log=log_file, quiet=quiet)
+
+       # If a custom signature was specified, create a temporary magic file containing the custom signature
+       # and ensure that it is the only magic file that will be loaded when Binwalk.scan() is called.
+       if custom_signature is not None:
+               magic_files = bwalk.parser.file_from_string(custom_signature)
+
+       # Set any specified filters
+       bwalk.filter.include(includes, exclusive=False)
+       bwalk.filter.exclude(excludes)
+       bwalk.filter.include(searches)
+       bwalk.filter.grep(filters=greps)
+
+       # Add any specified extract rules
+       bwalk.extractor.add_rule(extracts)
+
+       # If -e was specified, load the default extract rules
+       if extract_from_config:
+               bwalk.extractor.load_defaults()
+
+       # If --extract was specified, load the specified extraction rules file
+       if extract_rules_file is not None:
+               bwalk.extractor.load_from_file(extract_rules_file)
+
+       # Set the extractor cleanup value (True to clean up files, False to leave them on disk)
+       bwalk.extractor.cleanup_extracted_files(cleanup_after_extract)
+
+       # Enable delayed extraction, which will prevent supported file types from having trailing data when extracted
+       bwalk.extractor.enable_delayed_extract(delay_extraction)
+
+       # Load the magic file(s)
+       bwalk.load_signatures(magic_files=magic_files, pre_filter_signatures=pre_filter, filter_short_signatures=short_sig)
+       
+       # Scan each target file
+       for target_file in target_files:
+               bwalk.display.header(target_file)
+
+               # Start the display_status function as a daemon thread
+               t = Thread(target=display_status, args=(bwalk,))
+               t.setDaemon(True)
+               t.start()
+
+               # Catch keyboard interrupts so that we can properly clean up after the scan
+               try:
+                       bwalk.scan(target_file, 
+                               offset=offset, 
+                               length=length, 
+                               align=align,
+                               show_invalid_results=show_invalid, 
+                               callback=bwalk.display.results)
+               except KeyboardInterrupt:
+                       pass
+
+               bwalk.display.footer()
+
+       # Be sure to drink your ovaltine.
+       # And also to clean up any temporary magic files.
+       bwalk.cleanup()
+
+try:
+       # Special options for profiling the code. For debug use only.
+       if '--profile' in sys.argv or '-P' in sys.argv:
+               import cProfile
+               cProfile.run('main()')
+       else:
+               main()
+except KeyboardInterrupt:
+       pass
+
+
diff --git a/binwalk/__init__.py b/binwalk/__init__.py
new file mode 100644 (file)
index 0000000..742ec4b
--- /dev/null
@@ -0,0 +1,376 @@
+import os
+import magic
+from config import *
+from update import *
+from filter import *
+from parser import *
+from smartsig import *
+from extractor import *
+from prettyprint import *
+from common import file_size
+
+class Binwalk:
+       '''
+       Primary Binwalk class.
+
+       Interesting class objects:
+
+               self.filter        - An instance of the MagicFilter class.
+               self.extractor     - An instance of the Extractor class.
+               self.parser        - An instance of the MagicParser class.
+               self.display       - An instance of the PrettyPrint class.
+               self.magic_files   - A list of magic file path strings to use whenever the scan() method is invoked.
+               self.scan_length   - The total number of bytes to be scanned.
+               self.total_scanned - The number of bytes that have already been scanned.
+       '''
+
+       # Default libmagic flags. Basically disable anything we don't need in the name of speed.
+       DEFAULT_FLAGS = magic.MAGIC_NO_CHECK_TEXT | magic.MAGIC_NO_CHECK_ENCODING | magic.MAGIC_NO_CHECK_APPTYPE | magic.MAGIC_NO_CHECK_TOKENS
+
+       # The MAX_SIGNATURE_SIZE limits the amount of data available to a signature.
+       # While most headers/signatures are far less than this value, some may reference 
+       # pointers in the header structure which may point well beyond the header itself.
+       # Passing the entire remaining buffer to libmagic is resource intensive and will
+       # significantly slow the scan; this value represents a reasonable buffer size to
+       # pass to libmagic which will not drastically affect scan time.
+       MAX_SIGNATURE_SIZE = 8092
+
+       # Max number of bytes to process at one time. Everyone should have 50MB of memory, right?
+       READ_BLOCK_SIZE = 50 * 1024 * 1024
+
+       # Minimum verbosity level at which to enable extractor verbosity.
+       VERY_VERBOSE = 2
+
+       # Scan every byte by default.
+       DEFAULT_BYTE_ALIGNMENT = 1
+
+       def __init__(self, magic_files=[], flags=magic.MAGIC_NONE, log=None, quiet=False, verbose=0):
+               '''
+               Class constructor.
+
+               @magic_files - A list of magic files to use.
+               @flags       - Flags to pass to magic_open. [TODO: Might this be more appropriate as an argument to load_signaures?]
+               @log         - Output PrettyPrint data to log file as well as to stdout.
+               @quiet       - If set to True, supress PrettyPrint output to stdout.
+               @verbose     - Verbosity level.
+
+               Returns None.
+               '''
+               self.flags = self.DEFAULT_FLAGS | flags
+               self.magic_files = magic_files
+               self.verbose = verbose
+               self.total_scanned = 0
+               self.scan_length = 0
+               self.total_read = 0
+               self.magic = None
+               self.mfile = None
+
+               # Instantiate the config class so we can access file/directory paths
+               self.config = Config()
+
+               # Use the system default magic file if no other was specified
+               if not self.magic_files or self.magic_files is None:
+                       # Append the user's magic file first so that those signatures take precedence
+                       self.magic_files = [
+                                       self.config.paths['user'][self.config.BINWALK_MAGIC_FILE],
+                                       self.config.paths['system'][self.config.BINWALK_MAGIC_FILE],
+                       ]
+
+
+               # Only set the extractor verbosity if told to be very verbose
+               if self.verbose >= self.VERY_VERBOSE:
+                       extractor_verbose = True
+               else:
+                       extractor_verbose = False
+
+               # Create an instance of the PrettyPrint class, which can be used to print results to screen/file.
+               self.display = PrettyPrint(log=log, quiet=quiet, verbose=verbose, bwalk=self)
+
+               # Create MagicFilter and Extractor class instances. These can be used to:
+               #
+               #       o Create include/exclude filters
+               #       o Specify file extraction rules to be applied during a scan
+               #
+               self.filter = MagicFilter()
+               self.extractor = Extractor(verbose=extractor_verbose)
+               
+               # Create SmartSignature and MagicParser class instances. These are mostly for internal use.
+               self.smart = SmartSignature(self.filter)
+               self.parser = MagicParser(self.filter, self.smart)
+
+       def __del__(self):
+               '''
+               Class deconstructor.
+               '''
+               self.cleanup()
+
+       def cleanup(self):
+               '''
+               Cleanup any temporary files generated by the internal instance of MagicParser.
+
+               Returns None.
+               '''
+               try:
+                       self.parser.cleanup()
+               except:
+                       pass
+
+       def load_signatures(self, magic_files=[], pre_filter_signatures=True, filter_short_signatures=True):
+               '''
+               Load signatures from magic file(s).
+               Called automatically by Binwalk.scan() with all defaults, if not already called manually.
+
+               @magic_files                    - A list of magic files to use (default: self.magic_files).
+               @pre_filter_signatures          - Set to False to disable pre-filtering of signatures before invoking libmagic.
+               @filter_short_signatures        - Set to True to include signatures with short (<= 2 byte) magic strings.
+       
+               Returns None.   
+               '''
+               # Disable pre filtering in the smart signature class instance.
+               # This is also checked by Binwalk.scan() before performing pre-filtering.
+               self.smart.pre_filter = pre_filter_signatures
+
+               # The magic files specified here override any already set
+               if magic_files and magic_files is not None:
+                       self.magic_files = magic_files
+
+               # Parse the magic file(s) and initialize libmagic
+               self.mfile = self.parser.parse(self.magic_files, filter_short_signatures=filter_short_signatures, pre_filter_signatures=pre_filter_signatures)
+               self.magic = magic.open(self.flags)
+               self.magic.load(self.mfile)
+
+       def scan(self, target_file, offset=0, length=0, align=DEFAULT_BYTE_ALIGNMENT, show_invalid_results=False, callback=None):
+               '''
+               Performs a Binwalk scan on the target file.
+
+               @target_file                    - File to scan.
+               @offset                         - Starting offset at which to start the scan.
+               @length                         - Number of bytes to scan.
+               @align                          - Look for signatures every align bytes.
+               @show_invalid_results           - Set to True to display invalid results.
+               @callback                       - Callback function to be invoked when matches are found.
+
+               The callback function is passed two arguments: a list of result dictionaries containing the scan results
+               (one result per dict), and the offset at which those results were identified. Example callback function:
+
+                       def my_callback(offset, results):
+                               print "Found %d results at offset %d:" % (len(results), offset)
+                               for result in results:
+                                       print "\t%s" % result['description']
+
+                       binwalk.Binwalk(callback=my_callback).scan("firmware.bin")
+
+               Upon completion, the scan method returns a sorted list of tuples containing a list of results dictionaries
+               and the offsets at which those results were identified:
+
+                       scan_items = [
+                                       (0, [{description : "LZMA compressed data..."}]),
+                                       (112, [{description : "gzip compressed data..."}])
+                       ]
+
+               See SmartSignature.parse for a more detailed description of the results dictionary structure.
+               '''
+               scan_results = {}
+               self.total_read = 0
+               self.total_scanned = 0
+               self.scan_length = length
+               self.filter.show_invalid_results = show_invalid_results
+
+               # Load the default signatures if self.load_signatures has not already been invoked
+               if self.magic is None:
+                       self.load_signatures()
+
+               # Get a local copy of the signature sets generated by self.parser.build_signature_set.
+               # This is accessed heavily throughout the scan, and there is less overhead for accessing local variables in Python.
+               signature_set = self.parser.build_signature_set()
+
+               # Need the total size of the target file, even if we aren't scanning the whole thing
+               fsize = file_size(target_file)
+
+               # Open the target file and seek to the specified start offset
+               fd = open(target_file)
+               fd.seek(offset)
+               
+               # If no length was specified, make the length the size of the target file minus the starting offset
+               if self.scan_length == 0:
+                       self.scan_length = fsize - offset
+               # Sanity check on the byte alignment; default to 1
+               if align <= 0:
+                       align = 1
+
+               # Main loop, scan through all the data
+               while True:
+                       i = 0
+
+                       # Read in the next block of data from the target file and make sure it's valid
+                       (data, dlen) = self._read_block(fd)
+                       if data is None or dlen == 0:
+                               break
+
+                       # The total number of bytes scanned could be bigger than the total number
+                       # of bytes read from the file under the following circumstances:
+                       #
+                       #       o The previous dlen was not a multiple of align
+                       #       o A previous result specified a jump offset that was beyond the end of the
+                       #         then current data block
+                       #
+                       # If this is the case, we need to index into this data block appropriately in order to 
+                       # resume the scan from the appropriate offset, and adjust dlen accordingly.
+                       bufindex = self.total_scanned - self.total_read
+                       if bufindex > 0:
+                               # If the total_scanned > total_read, then the total_scanned offset is in a subsequent block.
+                               # Set i to bufindex, which will cause i to be greater than dlen and this block will be skipped.
+                               i = bufindex
+                       elif bufindex < 0:
+                               # If the total_scanned offset is less than total_read, then the total_scanned offset is
+                               # somewhere inside this block. Set i to index into the block appropriately.
+                               i = dlen + bufindex
+                       else:
+                               # If the total_scanned offset ends at the end of this block, don't scan any of this block
+                               i = dlen
+
+                       # Scan through each block of data looking for signatures
+                       while i < dlen:
+                               smart = {}
+                               results = []
+                               results_offset = -1
+                               pre_filter_ok = False
+                               smart_jump_done = False
+
+                               # Pre-filter data by checking to see if the parser thinks this might be a valid match.
+                               # This eliminates unnecessary calls into libmagic, which are very expensive.
+                               #
+                               # Ideally, this should be done in the MagicParser class, but function calls are expensive.
+                               # Doing it here greatly decreases the scan time.
+                               if self.smart.pre_filter:
+                                       for (sig_offset, sigset) in signature_set:
+                                               if data[i+sig_offset:i+sig_offset+self.parser.MATCH_INDEX_SIZE] in sigset:
+                                                       pre_filter_ok = True
+                                                       break
+                               else:
+                                       pre_filter_ok = True
+
+                               if pre_filter_ok:
+                                       # Pass the data to libmagic, and split out multiple results into a list
+                                       for magic_result in self.parser.split(self.magic.buffer(data[i:i+self.MAX_SIGNATURE_SIZE])):
+
+                                               # Some file names are not NULL byte terminated, but rather their length is
+                                               # specified in a size field. To ensure these are not marked as invalid due to
+                                               # non-printable characters existing in the file name, parse the filename(s) and
+                                               # trim them to the specified filename length, if one was specified.
+                                               magic_result = self.smart._parse_raw_strings(magic_result)
+
+                                               # Make sure this is a valid result before further processing
+                                               if not self.filter.invalid(magic_result):
+                                                       # The smart filter parser returns a dictionary of keyword values and the signature description.
+                                                       smart = self.smart.parse(magic_result)
+       
+                                                       # Validate the jump value and check if the response description should be displayed
+                                                       if smart['jump'] > -1 and self._should_display(smart['description']):
+                                                               # If multiple results are returned and one of them has smart['jump'] set to a non-zero value,
+                                                               # the calculated results offset will be wrong since i will have been incremented. Only set the
+                                                               # results_offset value when the first match is encountered.
+                                                               if results_offset < 0:
+                                                                       results_offset = offset + smart['adjust'] + self.total_scanned
+
+                                                               # Double check to make sure the smart['adjust'] value is sane. 
+                                                               # If it makes results_offset negative, then it is not sane.
+                                                               if results_offset >= 0:
+                                                                       # Extract the result, if it matches one of the extract rules and is not a delayed extract.
+                                                                       if self.extractor.enabled and not (self.extractor.delayed and smart['delay']):
+                                                                               # If the signature did not specify a size, extract to the end of the file.
+                                                                               if smart['size'] == 0:
+                                                                                       smart['size'] = fsize-results_offset
+
+                                                                               smart['extract'] = self.extractor.extract(      results_offset, 
+                                                                                                                               smart['description'], 
+                                                                                                                               target_file, 
+                                                                                                                               smart['size'], 
+                                                                                                                               name=smart['name'])
+
+                                                                       # This appears to be a valid result, so append it to the results list.
+                                                                       results.append(smart)
+
+                                                       # Jump to the offset specified by jump. Only do this once, so that if multiple results
+                                                       # are returned each of which specify a jump offset, only the first will be honored.
+                                                       if smart['jump'] > 0 and not smart_jump_done:
+                                                               # Once a jump offset has been honored, we need to start scanning every byte since the
+                                                               # jump offset may have thrown off the original alignment. In terms of speed this is fine,
+                                                               # since the jump offset usually saves more time anyway. If this is not what the user
+                                                               # wanted/intended, disabling pre filtering will disable jump offset processing completely.
+                                                               align = self.DEFAULT_BYTE_ALIGNMENT
+                                                               smart_jump_done = True
+                                                               i += (smart['jump'] - align)
+                                                               self.total_scanned += (smart['jump'] - align)
+
+                               # Did we find any valid results?
+                               if results_offset >= 0:
+                                       scan_results[results_offset] = results
+                                       
+                                       if callback is not None:
+                                               callback(results_offset, results)
+
+                               # Track the number of bytes scanned in this block, and the total number of bytes scanned.       
+                               i += align
+                               self.total_scanned += align
+
+               # Sort the results before returning them
+               scan_items = scan_results.items()
+               scan_items.sort()
+
+               # Do delayed extraction, if specified.
+               if self.extractor.enabled and self.extractor.delayed:
+                       scan_items = self.extractor.delayed_extract(scan_items, target_file, fsize)
+
+               return scan_items
+
+       def _should_display(self, data):
+               '''
+               Determines if a result string should be displayed to the user or not.
+               
+               @data - Display string.
+
+               Returns True if the string should be displayed.
+               Returns False if the string should not be displayed.
+               '''
+               return (data and data is not None and not self.filter.invalid(data) and self.filter.filter(data) != self.filter.FILTER_EXCLUDE)
+
+       def _read_block(self, fd):
+               '''
+               Reads in a block of data from the target file.
+
+               @fd - File object for the target file.
+
+               Returns a tuple of (file block data, block data length).
+               '''
+               dlen = 0
+               data = None
+               # Read in READ_BLOCK_SIZE plus MAX_SIGNATURE_SIZE bytes, but return a max dlen value
+               # of READ_BLOCK_SIZE. This ensures that there is a MAX_SIGNATURE_SIZE buffer at the
+               # end of the returned data in case a signature is found at or near data[dlen].
+               rlen = self.READ_BLOCK_SIZE + self.MAX_SIGNATURE_SIZE
+
+               if self.total_read < self.scan_length:
+                       
+                       data = fd.read(rlen)
+                       
+                       if data and data is not None:
+                               # Get the actual length of the read in data
+                               dlen = len(data)
+
+                               # If we've read in more data than the scan length, truncate the dlen value
+                               if (self.total_read + dlen) >= self.scan_length:
+                                       dlen = self.scan_length - self.total_read
+                               # If dlen is the expected rlen size, it should be set to READ_BLOCK_SIZE
+                               elif dlen == rlen:
+                                       dlen = self.READ_BLOCK_SIZE
+
+                               # Increment self.total_read to reflect the amount of data that has been read
+                               # for processing (actual read size is larger of course, due to the MAX_SIGNATURE_SIZE
+                               # buffer of data at the end of each block).
+                               self.total_read += dlen
+                               # Seek to the self.total_read offset so the next read can pick up where this one left off
+                               fd.seek(self.total_read)
+
+               return (data, dlen)
+
diff --git a/binwalk/common.py b/binwalk/common.py
new file mode 100644 (file)
index 0000000..c4ca2d0
--- /dev/null
@@ -0,0 +1,68 @@
+# Common functions.
+import os
+import re
+
+def file_size(filename):
+       '''
+       Obtains the size of a given file.
+
+       @filename - Path to the file.
+
+       Returns the size of the file.
+       '''
+       # Using open/lseek works on both regular files and block devices
+       fd = os.open(filename, os.O_RDONLY)
+       try:
+               return os.lseek(fd, 0, os.SEEK_END)
+       except Exception, e:
+               raise Exception("file_size failed to obtain the size of '%s': %s" % (filename, str(e)))
+       finally:
+               os.close(fd)
+
+def str2int(string):
+       '''
+       Attempts to convert string to a base 10 integer; if that fails, then base 16.
+
+       @string - String to convert to an integer.
+
+       Returns the integer value on success.
+       Throws an exception if the string cannot be converted into either a base 10 or base 16 integer value.
+       '''
+       try:
+               return int(string)
+       except:
+               return int(string, 16)
+
+def strip_quoted_strings(string):
+       '''
+       Strips out data in between double quotes.
+       
+       @string - String to strip.
+
+       Returns a sanitized string.
+       '''
+       # This regex removes all quoted data from string.
+       # Note that this removes everything in between the first and last double quote.
+       # This is intentional, as printed (and quoted) strings from a target file may contain 
+       # double quotes, and this function should ignore those. However, it also means that any 
+       # data between two quoted strings (ex: '"quote 1" you won't see me "quote 2"') will also be stripped.
+       return re.sub(r'\"(.*)\"', "", string)
+
+def get_quoted_strings(string):
+       '''
+       Returns a string comprised of all data in between double quotes.
+
+       @string - String to get quoted data from.
+
+       Returns a string of quoted data on success.
+       Returns a blank string if no quoted data is present.
+       '''
+       try:
+               # This regex grabs all quoted data from string.
+               # Note that this gets everything in between the first and last double quote.
+               # This is intentional, as printed (and quoted) strings from a target file may contain 
+               # double quotes, and this function should ignore those. However, it also means that any 
+               # data between two quoted strings (ex: '"quote 1" non-quoted data "quote 2"') will also be included.
+               return re.findall(r'\"(.*)\"', string)[0]
+       except:
+               return ''
diff --git a/binwalk/config.py b/binwalk/config.py
new file mode 100644 (file)
index 0000000..cb1d72f
--- /dev/null
@@ -0,0 +1,143 @@
+import os
+
+class Config:
+       '''
+       Binwalk configuration class, used for accessing user and system file paths.
+       
+       After instatiating the class, file paths can be accessed via the self.paths dictionary.
+       System file paths are listed under the 'system' key, user file paths under the 'user' key.
+
+       For example, to get the path to both the user and system binwalk magic files:
+
+               from binwalk import Config
+
+               conf = Config()
+               user_binwalk_file = conf.paths['user'][conf.BINWALK_MAGIC_FILE]
+               system_binwalk_file = conf.paths['system'][conf.BINWALK_MAGIC_FILE]
+
+       There is also an instance of this class available via the Binwalk.config object:
+
+               import binwalk
+
+               bw = binwalk.Binwalk()
+
+               user_binwalk_file = bw.config.paths['user'][conf.BINWALK_MAGIC_FILE]
+               system_binwalk_file = bw.config.paths['system'][conf.BINWALK_MAGIC_FILE]
+
+       Valid file names under both the 'user' and 'system' keys are as follows:
+
+               o BINWALK_MAGIC_FILE  - Path to the default binwalk magic file.
+               o BINCAST_MAGIC_FILE  - Path to the bincast magic file (used when -C is specified with the command line binwalk script)
+               o BINARCH_MAGIC_FILE  - Path to the binarch magic file (used when -A is specified with the command line binwalk script)
+               o EXTRACT_FILE        - Path to the extract configuration file (used when -e is specified with the command line binwalk script)
+       '''
+       # Release version
+       VERSION = "1.0"
+
+       # Sub directories
+       BINWALK_USER_DIR = ".binwalk"
+       BINWALK_MAGIC_DIR = "magic"
+       BINWALK_CONFIG_DIR = "config"
+
+       # File names
+       EXTRACT_FILE = "extract.conf"
+       BINWALK_MAGIC_FILE = "binwalk"
+       BINCAST_MAGIC_FILE = "bincast"
+       BINARCH_MAGIC_FILE = "binarch"
+
+       def __init__(self):
+               '''
+               Class constructor. Enumerates file paths and populates self.paths.
+               '''
+               # Path to the user binwalk directory
+               self.user_dir = self._get_user_dir()
+               # Path to the system wide binwalk directory
+               self.system_dir = self._get_system_dir()
+
+               # Dictionary of all absolute user/system file paths
+               self.paths = {
+                       'user'          : {},
+                       'system'        : {},
+               }
+
+               # Build the paths to all user-specific files
+               self.paths['user'][self.BINWALK_MAGIC_FILE] = self._user_file(self.BINWALK_MAGIC_DIR, self.BINWALK_MAGIC_FILE)
+               self.paths['user'][self.BINCAST_MAGIC_FILE] = self._user_file(self.BINWALK_MAGIC_DIR, self.BINCAST_MAGIC_FILE)
+               self.paths['user'][self.BINARCH_MAGIC_FILE] = self._user_file(self.BINWALK_MAGIC_DIR, self.BINARCH_MAGIC_FILE)
+               self.paths['user'][self.EXTRACT_FILE] = self._user_file(self.BINWALK_CONFIG_DIR, self.EXTRACT_FILE)
+
+               # Build the paths to all system-wide files
+               self.paths['system'][self.BINWALK_MAGIC_FILE] = self._system_file(self.BINWALK_MAGIC_DIR, self.BINWALK_MAGIC_FILE)
+               self.paths['system'][self.BINCAST_MAGIC_FILE] = self._system_file(self.BINWALK_MAGIC_DIR, self.BINCAST_MAGIC_FILE)
+               self.paths['system'][self.BINARCH_MAGIC_FILE] = self._system_file(self.BINWALK_MAGIC_DIR, self.BINARCH_MAGIC_FILE)
+               self.paths['system'][self.EXTRACT_FILE] = self._system_file(self.BINWALK_CONFIG_DIR, self.EXTRACT_FILE)
+       
+       def _get_system_dir(self):
+               '''
+               Find the directory where the binwalk module is installed on the system.
+               '''
+               try:
+                       root = __file__
+                       if os.path.islink(root):
+                               root = os.path.realpath(root)
+                       return os.path.dirname(os.path.abspath(root))
+               except:
+                       return ''
+
+       def _get_user_dir(self):
+               '''
+               Get the user's home directory.
+               '''
+               try:
+                       # This should work in both Windows and Unix environments
+                       return os.getenv('USERPROFILE') or os.getenv('HOME')
+               except:
+                       return ''
+
+       def _file_path(self, dirname, filename):
+               '''
+               Builds an absolute path and creates the directory and file if they don't already exist.
+
+               @dirname  - Directory path.
+               @filename - File name.
+               
+               Returns a full path of 'dirname/filename'.
+               '''
+               if not os.path.exists(dirname):
+                       try:
+                               os.makedirs(dirname)
+                       except:
+                               pass
+               
+               fpath = os.path.join(dirname, filename)
+
+               if not os.path.exists(fpath):
+                       try:
+                               open(fpath, "w").close()
+                       except:
+                               pass
+
+               return fpath
+
+       def _user_file(self, subdir, basename):
+               '''
+               Gets the full path to the 'subdir/basename' file in the user binwalk directory.
+
+               @subdir   - Subdirectory inside the user binwalk directory.
+               @basename - File name inside the subdirectory.
+
+               Returns the full path to the 'subdir/basename' file.
+               '''
+               return self._file_path(os.path.join(self.user_dir, self.BINWALK_USER_DIR, subdir), basename)
+
+       def _system_file(self, subdir, basename):
+               '''
+               Gets the full path to the 'subdir/basename' file in the system binwalk directory.
+               
+               @subdir   - Subdirectory inside the system binwalk directory.
+               @basename - File name inside the subdirectory.
+               
+               Returns the full path to the 'subdir/basename' file.
+               '''
+               return self._file_path(os.path.join(self.system_dir, subdir), basename)
+
diff --git a/binwalk/config/extract.conf b/binwalk/config/extract.conf
new file mode 100644 (file)
index 0000000..06888e7
--- /dev/null
@@ -0,0 +1,26 @@
+#################################################################################################################
+# Default extract rules loaded when --extract is specified.
+# 
+# <case-insensitive unique string from binwalk output text>:<desired file extension>:<command to execute>
+#
+# Note that %e is a place holder for the extracted file name.
+#################################################################################################################
+
+# Assumes these utilities are installed in $PATH.
+gzip compressed data:gz:gzip -d -f '%e'
+lzma compressed data:7z:7zr e -y '%e'
+bzip2 compressed data:bz2:bzip2 -d -f '%e'
+zip archive data:zip:jar xf '%e' # jar does a better job of unzipping than unzip does...
+posix tar archive:tar:tar xvf '%e'
+
+# These assume the firmware-mod-kit is installed to /opt/firmware-mod-kit.
+# If not, change the file paths appropriately.
+squashfs filesystem:squashfs:/opt/firmware-mod-kit/trunk/unsquashfs_all.sh '%e'
+jffs2 filesystem:jffs2:/opt/firmware-mod-kit/trunk/src/jffs2/unjffs2 '%e' # requires root
+cpio archive:cpio:/opt/firmware-mod-kit/trunk/uncpio.sh '%e'
+
+# Extract, but don't run anything
+ext2 filesystem:ext2
+romfs filesystem:romfs
+cramfs filesystem:cramfs
+private key:key
diff --git a/binwalk/extractor.py b/binwalk/extractor.py
new file mode 100644 (file)
index 0000000..fdcd511
--- /dev/null
@@ -0,0 +1,372 @@
+import os
+import sys
+import shlex
+import tempfile
+import subprocess
+from config import *
+from common import file_size
+
+class Extractor:
+       '''
+       Extractor class, responsible for extracting files from the target file and executing external applications, if requested.
+       An instance of this class is accessible via the Binwalk.extractor object.
+
+       Example usage:
+
+               import binwalk
+               
+               bw = binwalk.Binwalk()
+
+               # Create extraction rules for scan results containing the string 'gzip compressed data' and 'filesystem'.
+               # The former will be saved to disk with a file extension of 'gz' and the command 'gunzip <file name on disk>' will be executed (note the %e placeholder).
+               # The latter will be saved to disk with a file extension of 'fs' and no command will be executed.
+               # These rules will take precedence over subsequent rules with the same match string.
+               bw.extractor.add_rule(['gzip compressed data:gz:gunzip %e', 'filesystem:fs'])
+
+               # Load the extraction rules from the default extract.conf file(s).
+               bw.extractor.load_defaults()
+
+               # Run the binwalk scan.
+               bw.scan('firmware.bin')
+               
+       '''
+       # Extract rules are delimited with a colon.
+       # <case insensitive matching string>:<file extension>[:<command to run>]
+       RULE_DELIM = ':'
+
+       # Comments in the extract.conf files start with a pound
+       COMMENT_DELIM ='#'
+
+       # Place holder for the extracted file name in the command 
+       FILE_NAME_PLACEHOLDER = '%e'
+
+       def __init__(self, verbose=False):
+               '''
+               Class constructor.
+       
+               @verbose - Set to True to display the output from any executed external applications.
+
+               Returns None.
+               '''
+               self.config = Config()
+               self.enabled = False
+               self.delayed = False
+               self.verbose = verbose
+               self.extract_rules = {}
+               self.remove_after_execute = False
+
+       def add_rule(self, rule):
+               '''
+               Adds a set of rules to the extraction rule list.
+
+               @rule - Rule string, or list of rule strings, in the format <case insensitive matching string>:<file extension>[:<command to run>]
+
+               Returns None.
+               '''
+               r = {
+                       'extension'     : '',
+                       'cmd'           : ''
+               }
+
+               if type(rule) != type([]):
+                       rules = [rule]
+               else:
+                       rules = rule
+
+               for rule in rules:
+                       r['cmd'] = ''
+                       r['extension'] = ''
+
+                       try:
+                               values = self._parse_rule(rule)
+                               match = values[0].lower()
+                               r['extension'] = values[1]
+                               r['cmd'] = values[2]
+                       except:
+                               pass
+
+                       # Verify that the match string and file extension were retrieved.
+                       # Only add the rule if it is a new one (first come, first served).
+                       if match and r['extension'] and not self.extract_rules.has_key(match):
+                               self.extract_rules[match] = {}
+                               self.extract_rules[match]['cmd'] = r['cmd']
+                               self.extract_rules[match]['extension'] = r['extension']
+                               # Once any rule is added, set self.enabled to True
+                               self.enabled = True
+
+       def enable_delayed_extract(self, tf=None):
+               '''
+               Enables / disables the delayed extraction feature.
+               This feature ensures that certian supported file types will not contain extra data at the end of the
+               file when they are extracted, but also means that these files will not be extracted until the end of the scan.
+
+               @tf - Set to True to enable, False to disable. 
+
+               Returns the current delayed extraction setting.
+               '''
+               if tf is not None:
+                       self.delayed = tf
+               return self.delayed
+
+       def load_from_file(self, fname):
+               '''
+               Loads extraction rules from the specified file.
+
+               @fname - Path to the extraction rule file.
+               
+               Returns None.
+               '''
+               try:
+                       # Process each line from the extract file, ignoring comments
+                       for rule in open(fname).readlines():
+                               self.add_rule(rule.split(self.COMMENT_DELIM, 1)[0])
+               except Exception, e:
+                       raise Exception("Extractor.load_from_file failed to load file '%s': %s" % (fname, str(e)))
+
+       def load_defaults(self):
+               '''
+               Loads default extraction rules from the user and system extract.conf files.
+
+               Returns None.
+               '''
+               # Load the user extract file first to ensure its rules take precedence.
+               extract_files = [
+                       self.config.paths['user'][self.config.EXTRACT_FILE],
+                       self.config.paths['system'][self.config.EXTRACT_FILE],
+               ]
+
+               for extract_file in extract_files:
+                       try:
+                               self.load_from_file(extract_file)
+                       except Exception, e:
+                               if self.verbose:
+                                       raise Exception("Extractor.load_defaults failed to load file '%s': %s" % (extract_file, str(e)))
+
+       def cleanup_extracted_files(self, tf=None):
+               '''
+               Set the action to take after a file is extracted.
+
+               @tf - If set to True, extracted files will be cleaned up after running a command against them.
+                     If set to False, extracted files will not be cleaned up after running a command against them.
+                     If set to None or not specified, the current setting will not be changed.
+
+               Returns the current cleanup status (True/False).
+               '''
+               if tf is not None:
+                       self.remove_after_execute = tf
+
+               return self.remove_after_execute
+       
+       def extract(self, offset, description, file_name, size, name=None):
+               '''
+               Extract an embedded file from the target file, if it matches an extract rule.
+               Called automatically by Binwalk.scan().
+
+               @offset      - Offset inside the target file to begin the extraction.
+               @description - Description of the embedded file to extract, as returned by libmagic.
+               @file_name   - Path to the target file.
+               @size        - Number of bytes to extract.
+               @name        - Name to save the file as.
+
+               Returns the name of the extracted file (blank string if nothing was extracted).
+               '''
+               cleanup_extracted_fname = True
+
+               rule = self._match(description)
+               if rule is not None:
+                       fname = self._dd(file_name, offset, size, rule['extension'], output_file_name=name)
+                       if rule['cmd']:
+
+                               # Many extraction utilities will extract the file to a new file, just without
+                               # the file extension (i.e., myfile.7z => myfile). If the presumed resulting
+                               # file name already exists before executing the extract command, do not attempt 
+                               # to clean it up even if its resulting file size is 0.
+                               if self.remove_after_execute:
+                                       extracted_fname = os.path.splitext(fname)[0]
+                                       if os.path.exists(extracted_fname):
+                                               cleanup_extracted_fname = False
+
+                               # Execute the specified command against the extracted file
+                               self._execute(rule['cmd'], fname)
+
+                               # Only clean up files if remove_after_execute was specified                             
+                               if self.remove_after_execute:
+
+                                       # Remove the original file that we extracted
+                                       try:
+                                               os.unlink(fname)
+                                       except:
+                                               pass
+
+                                       # If the command worked, assume it removed the file extension from the extracted file
+
+                                       # If the extracted file name file exists and is empty, remove it
+                                       if cleanup_extracted_fname and os.path.exists(extracted_fname) and file_size(extracted_fname) == 0:
+                                               try:
+                                                       os.unlink(extracted_fname)
+                                               except:
+                                                       pass
+               else:
+                       fname = ''
+
+               return fname
+
+       def delayed_extract(self, results, file_name, size):
+               '''
+               Performs a delayed extraction (see self.enable_delayed_extract).
+               Called internally by Binwalk.Scan().
+
+               @results   - A list of dictionaries of all the scan results.
+               @file_name - The path to the scanned file.
+               @size      - The size of the scanned file.
+
+               Returns an updated results list containing the names of the newly extracted files.
+               '''
+               index = 0
+               info_count = 0
+               nresults = results
+
+               for (offset, infos) in results:
+                       info_count = 0
+
+                       for info in infos:
+                               ninfos = infos
+
+                               if info['delay']:
+                                       end_offset = self._entry_offset(index, results, info['delay'])
+                                       if end_offset == -1:
+                                               extract_size = size
+                                       else:
+                                               extract_size = (end_offset - offset)
+
+                                       ninfos[info_count]['extract'] = self.extract(offset, info['description'], file_name, extract_size, info['name'])
+                                       nresults[index] = (offset, ninfos)
+
+                               info_count += 1
+
+                       index += 1
+               
+               return nresults
+
+       def _entry_offset(self, index, entries, description):
+               '''
+               Gets the offset of the first entry that matches the description.
+
+               @index       - Index into the entries list to begin searching.
+               @entries     - Dictionary of result entries.
+               @description - Case insensitive description.
+
+               Returns the offset, if a matching description is found.
+               Returns -1 if a matching description is not found.
+               '''
+               description = description.lower()
+
+               for (offset, infos) in entries[index:]:
+                       for info in infos:
+                               if info['description'].lower().startswith(description):
+                                       return offset
+               return -1
+
+       def _match(self, description):
+               '''
+               Check to see if the provided description string matches an extract rule.
+               Called internally by self.extract().
+
+               @description - Description string to check.
+
+               Returns the associated rule dictionary if a match is found.
+               Returns None if no match is found.
+               '''
+               description = description.lower()
+
+               for (m, rule) in self.extract_rules.iteritems():
+                       if m in description:
+                               return rule
+               return None
+
+       def _parse_rule(self, rule):
+               '''
+               Parses an extraction rule.
+
+               @rule - Rule string.
+
+               Returns an array of ['<case insensitive matching string>', '<file extension>', '<command to run>'].
+               '''
+               return rule.strip().split(self.RULE_DELIM, 2)
+
+       def _dd(self, file_name, offset, size, extension, output_file_name=None):
+               '''
+               Extracts a file embedded inside the target file.
+
+               @file_name        - Path to the target file.
+               @offset           - Offset inside the target file where the embedded file begins.
+               @size             - Number of bytes to extract.
+               @extension        - The file exension to assign to the extracted file on disk.
+               @output_file_name - The requested name of the output file.
+
+               Returns the extracted file name.
+               '''
+               # Default extracted file name is <hex offset>.<extension>
+               altname = "%X.%s" % (offset, extension)
+               
+               if not output_file_name or output_file_name is None:
+                       fname = altname
+               else:
+                       fname = "%s.%s" % (output_file_name, extension)
+       
+               # Sanitize output file name of invalid/dangerous characters (like file paths)   
+               fname = os.path.basename(fname)
+
+               try:
+                       # Open the target file and seek to the offset
+                       fdin = open(file_name, "rb")
+                       fdin.seek(offset)
+                       
+                       # Open the extracted file
+                       try:
+                               fdout = open(fname, "wb")
+                       except:
+                               # Fall back to the alternate name if the requested name fails
+                               fname = altname
+                               fdout = open(fname, "wb")
+
+                       # Read size bytes from target file and write it to the extracted file
+                       fdout.write(fdin.read(size))
+
+                       # Cleanup
+                       fdout.close()
+                       fdin.close()
+               except Exception, e:
+                       raise Exception("Extractor.dd failed to extract data from '%s' to '%s': %s" % (file_name, fname, str(e)))
+               
+               return fname
+
+       def _execute(self, cmd, fname):
+               '''
+               Execute a command against the specified file.
+
+               @cmd   - Command to execute.
+               @fname - File to run command against.
+
+               Returns None.
+               '''
+               tmp = None
+
+               # If not in verbose mode, create a temporary file to redirect stdout and stderr to
+               if not self.verbose:
+                       tmp = tempfile.TemporaryFile()
+
+               try:
+                       # Replace all instances of FILE_NAME_PLACEHOLDER in the command with fname
+                       cmd = cmd.replace(self.FILE_NAME_PLACEHOLDER, fname)
+
+                       # Execute.
+                       subprocess.call(shlex.split(cmd), stdout=tmp, stderr=tmp)
+               except Exception, e:
+                       sys.stderr.write("WARNING: Extractor.execute failed to run '%s': %s\n" % (cmd, str(e)))
+               
+               if tmp is not None:
+                       tmp.close()
+
+       
+
diff --git a/binwalk/filter.py b/binwalk/filter.py
new file mode 100644 (file)
index 0000000..5192cd9
--- /dev/null
@@ -0,0 +1,212 @@
+import common
+from smartsig import SmartSignature
+
+class MagicFilter:
+       '''
+       Class to filter libmagic results based on include/exclude rules and false positive detection.
+       An instance of this class is available via the Binwalk.filter object.
+
+       Example code which creates include, exclude, and grep filters before running a Binwalk scan:
+
+               import binwalk
+
+               bw = binwalk.Binwalk()
+
+               # Include all signatures whose descriptions contain the string 'filesystem' in the first line of the signature, even if those signatures are normally excluded.
+               # Note that if exclusive=False was specified, this would merely add these signatures to the default signatures.
+               # Since exclusive=True (the default) has been specified, ONLY those matching signatures will be loaded; all others will be ignored.
+               bw.filter.include('filesystem')
+
+               # Exclude all signatures whose descriptions contain the string 'jffs2', even if those signatures are normally included.
+               # In this case, we are now searching for all filesystem signatures, except JFFS2.
+               bw.filter.exclude('jffs2')
+
+               # Add a grep filter. Unlike the include and exclude filters, it does not affect which results are returned by Binwalk.scan(), but it does affect which results
+               # are printed by Binwalk.display.results(). This is particularly useful for cases like the bincast scan, where multiple lines of results are returned per offset,
+               # but you only want certian ones displayed. In this case, only file systems whose description contain the string '2012' will be displayed.
+               bw.filter.grep(filters=['2012'])
+
+               bw.scan('firmware.bin')
+       '''
+
+       # If the result returned by libmagic is "data" or contains the text
+       # 'invalid' or a backslash are known to be invalid/false positives.
+       DATA_RESULT = "data"
+       INVALID_RESULTS = ["invalid", "\\"]
+       INVALID_RESULT = "invalid"
+       NON_PRINTABLE_RESULT = "\\"
+
+       FILTER_INCLUDE = 0
+       FILTER_EXCLUDE = 1
+
+       def __init__(self, show_invalid_results=False):
+               '''
+               Class constructor.
+
+               @show_invalid_results - Set to True to display results marked as invalid.
+
+               Returns None.
+               '''
+               self.filters = []
+               self.grep_filters = []
+               self.show_invalid_results = show_invalid_results
+               self.exclusive_filter = False
+               self.smart = SmartSignature(self)
+
+       def include(self, match, exclusive=True):
+               '''
+               Adds a new filter which explicitly includes results that contain
+               the specified matching text.
+
+               @match     - Case insensitive text, or list of texts, to match.
+               @exclusive - If True, then results that do not explicitly contain
+                            a FILTER_INCLUDE match will be excluded. If False,
+                            signatures that contain the FILTER_INCLUDE match will
+                            be included in the scan, but will not cause non-matching
+                            results to be excluded.
+               
+               Returns None.
+               '''
+               include_filter = {
+                               'type'          : self.FILTER_INCLUDE,
+                               'filter'        : ''
+               }
+
+               if type(match) != type([]):
+                       matches = [match]
+               else:
+                       matches = match
+
+               for m in matches:
+                       if m:
+                               if exclusive and not self.exclusive_filter:
+                                       self.exclusive_filter = True
+
+                               include_filter['filter'] = m.lower()
+                               self.filters.append(include_filter)
+
+       def exclude(self, match):
+               '''
+               Adds a new filter which explicitly excludes results that contain
+               the specified matching text.
+
+               @match - Case insensitive text, or list of texts, to match.
+               
+               Returns None.
+               '''
+               exclude_filter = {
+                               'type'          : self.FILTER_EXCLUDE,
+                               'filter'        : ''
+               }
+
+               if type(match) != type([]):
+                       matches = [match]
+               else:
+                       matches = match
+
+               for m in matches:
+                       if m:
+                               exclude_filter['filter'] = m.lower()
+                               self.filters.append(exclude_filter)
+
+       def filter(self, data):
+               '''
+               Checks to see if a given string should be excluded from or included in the results.
+               Called internally by Binwalk.scan().
+
+               @data - String to check.
+
+               Returns FILTER_INCLUDE if the string should be included.
+               Returns FILTER_EXCLUDE if the string should be excluded.
+               '''
+               data = data.lower()
+
+               # Loop through the filters to see if any of them are a match. 
+               # If so, return the registered type for the matching filter (FILTER_INCLUDE | FILTER_EXCLUDE). 
+               for f in self.filters:
+                       if f['filter'] in data:
+                               return f['type']
+
+               # If there was not explicit match and exclusive filtering is enabled, return FILTER_EXCLUDE.
+               if self.exclusive_filter:
+                       return self.FILTER_EXCLUDE
+
+               return self.FILTER_INCLUDE
+
+       def invalid(self, data):
+               '''
+               Checks if the given string contains invalid data.
+               Called internally by Binwalk.scan().
+
+               @data - String to validate.
+
+               Returns True if data is invalid, False if valid.
+               '''
+               # A result of 'data' is never ever valid.
+               if data == self.DATA_RESULT:
+                       return True
+
+               # If showing invalid results, just return False.
+               if self.show_invalid_results:
+                       return False
+
+               # Don't include quoted strings or keyword arguments in this search, as 
+               # strings from the target file may legitimately contain the INVALID_RESULT text.
+               if self.INVALID_RESULT in common.strip_quoted_strings(self.smart._strip_tags(data)):
+                       return True
+
+               # There should be no non-printable data in any of the data
+               if self.NON_PRINTABLE_RESULT in data:
+                       return True
+
+               return False
+
+       def grep(self, data=None, filters=[]):
+               '''
+               Add or check case-insensitive grep filters against the supplied data string.
+
+               @data    - Data string to check grep filters against. Not required if filters is specified.
+               @filters - Filter, or list of filters, to add to the grep filters list. Not required if data is specified.
+
+               Returns None if data is not specified.
+               If data is specified, returns True if the data contains a grep filter, or if no grep filters exist.
+               If data is specified, returns False if the data does not contain any grep filters.
+               '''
+               # Add any specified filters to self.grep_filters
+               if filters:
+                       if type(filters) != type([]):
+                               gfilters = [filters]
+                       else:
+                               gfilters = filters
+
+                       for gfilter in gfilters:
+                               # Filters are case insensitive
+                               self.grep_filters.append(gfilter.lower())
+
+               # Check the data against all grep filters until one is found
+               if data is not None:
+                       # If no grep filters have been created, always return True
+                       if not self.grep_filters:
+                               return True
+
+                       # Filters are case insensitive
+                       data = data.lower()
+
+                       # If a filter exists in data, return True
+                       for gfilter in self.grep_filters:
+                               if gfilter in data:
+                                       return True
+
+                       # Else, return False
+                       return False
+       
+               return None
+
+       def clear(self):
+               '''
+               Clears all include, exclude and grep filters.
+               
+               Retruns None.
+               '''
+               self.filters = []
+               self.grep_filters = []
diff --git a/binwalk/magic/binarch b/binwalk/magic/binarch
new file mode 100644 (file)
index 0000000..4a5b60a
--- /dev/null
@@ -0,0 +1,30 @@
+# MIPS prologue
+# addiu $sp, -XX
+# 27 BD FF XX
+1      string  \377\275\47     MIPSEL function prologue
+0       string  \47\275\377    MIPS function prologue
+
+# MIPS epilogue
+# jr $ra
+0      belong  0x03e00008      MIPS function epilogue
+0      lelong  0x03e00008      MIPSEL function epilogue
+
+# PowerPC epilogue
+# blr
+0      belong 0x4E800020       PowerPC big endian function epilogue
+0      lelong 0x4E800020       PowerPC little endian function epilogue
+
+# ARM prologue
+# STMFD SP!, {XX}
+0      beshort 0xE92D          ARMEB function prologue
+2      leshort 0xE92D          ARM function prologue
+
+# ARM epilogue
+# LDMFD SP!, {XX}
+0      beshort 0xE8BD          ARMEB function epilogue
+2      leshort 0xE8BD          ARM function epilogue
+
+# x86 epilogue
+# push ebp
+# move ebp, esp
+0      string  \x55\x89\xE5    Intel x86 function epilogue
diff --git a/binwalk/magic/bincast b/binwalk/magic/bincast
new file mode 100644 (file)
index 0000000..3d3ec27
--- /dev/null
@@ -0,0 +1,8 @@
+0      belong x        Hex:                 0x%.8X
+#0     string x        String:              %s
+0      lelong x        Little Endian Long:  %d
+0      belong x        Big Endian Long:     %d
+0      leshort x       Little Endian Short: %d
+0      beshort x       Big Endian Short:    %d
+0      ledate x        Little Endian Date:  %s
+0      bedate x        Big Endian Date:     %s
diff --git a/binwalk/magic/binwalk b/binwalk/magic/binwalk
new file mode 100644 (file)
index 0000000..5f2e183
--- /dev/null
@@ -0,0 +1,5603 @@
+# ----------------------------Archive Formats--------------------------------------
+
+# POSIX tar archives
+0      string          ustar\000               POSIX tar archive{offset-adjust:-257}
+0      string          ustar\040\040\000       POSIX tar archive (GNU){offset-adjust:-257}
+
+# JAR archiver (.j), this is the successor to ARJ, not Java's JAR (which is essentially ZIP)
+0       string  \x1aJar\x1b JAR (ARJ Software, Inc.) archive data{offset-adjust:-14}
+0       string  JARCS JAR (ARJ Software, Inc.) archive data
+
+
+# ARJ archiver (jason@jarthur.Claremont.EDU)
+0       leshort         0xea60          ARJ archive data
+>5      byte            x               \b, v%d,
+>8      byte            &0x04           multi-volume,
+>8      byte            &0x10           slash-switched,
+>8      byte            &0x20           backup,
+>34     string          x               original name: "%s",
+>7      byte            0               os: MS-DOS 
+>7      byte            1               os: PRIMOS
+>7      byte            2               os: Unix
+>7      byte            3               os: Amiga
+>7      byte            4               os: Macintosh
+>7      byte            5               os: OS/2
+>7      byte            6               os: Apple ][ GS
+>7      byte            7               os: Atari ST
+>7      byte            8               os: NeXT
+>7      byte            9               os: VAX/VMS
+>3      byte            >0              %d]
+
+# RAR archiver (Greg Roelofs, newt@uchicago.edu)
+0      string          Rar!            RAR archive data
+
+# HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz)
+0      string          HPAK            HPACK archive data
+
+# JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net
+0      string          \351,\001JAM    JAM archive
+
+# LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu)
+0      string          -lzs-           LHa 2.x? archive data [lzs] [NSRL|LHA2]{offset-adjust:-2}
+0      string          -lh\40-         LHa 2.x? archive data [lh ] [NSRL|LHA2]{offset-adjust:-2}
+0      string          -lhd-           LHa 2.x? archive data [lhd] [NSRL|LHA2]{offset-adjust:-2}
+0      string          -lh2-           LHa 2.x? archive data [lh2] [NSRL|LHA2]{offset-adjust:-2}
+0      string          -lh3-           LHa 2.x? archive data [lh3] [NSRL|LHA2]{offset-adjust:-2}
+0      string          -lh4-           LHa (2.x) archive data [lh4] [NSRL|LHA2]{offset-adjust:-2}
+0      string          -lh5-           LHa (2.x) archive data [lh5] [NSRL|LHA2]{offset-adjust:-2}
+0      string          -lh6-           LHa (2.x) archive data [lh6] [NSRL|LHA2]{offset-adjust:-2}
+0      string          -lh7-           LHa (2.x) archive data [lh7] [NSRL|LHA2]{offset-adjust:-2}
+
+
+# cpio archives
+#
+# The SVR4 "cpio(4)" hints that there are additional formats, but they
+# are defined as "short"s; I think all the new formats are
+# character-header formats and thus are strings, not numbers.
+#0       string          070707          ASCII cpio archive (pre-SVR4 or odc)
+
+0       string          070701          ASCII cpio archive (SVR4 with no CRC),
+>110   byte            0               invalid
+>110   string          x               file name: "%s"
+>54    string          x               {jump-to-offset:0x%.8s+112}
+
+0       string          070702          ASCII cpio archive (SVR4 with CRC)
+>110   byte            0               invalid
+>110   string          x               file name: "%s"
+>54    string          x               {jump-to-offset:0x%.8s+112}
+
+
+# HP Printer Job Language
+# The header found on Win95 HP plot files is the "Silliest Thing possible" 
+# (TM)
+# Every driver puts the language at some random position, with random case
+# (LANGUAGE and Language)
+# For example the LaserJet 5L driver puts the "PJL ENTER LANGUAGE" in line 10
+# From: Uwe Bonnes <bon@elektron.ikp.physik.th-darmstadt.de>
+# 
+0       string          \033%-12345X@PJL        HP Printer Job Language data
+>&0     string          >\0                     "%s"
+>>&0    string          >\0                     "%s"
+>>>&0   string          >\0                     "%s"
+>>>>&0  string          >\0                     "%s"
+
+#------------------------------------------------------------------------------
+#
+# RPM: file(1) magic for Red Hat Packages   Erik Troan (ewt@redhat.com)
+#
+0      belong          0xedabeedb      RPM
+>4     byte            x               v%d
+>6     beshort         0               bin
+>6     beshort         1               src
+>8     beshort         1               i386
+>8     beshort         2               Alpha
+>8     beshort         3               Sparc
+>8     beshort         4               MIPS
+>8     beshort         5               PowerPC
+>8     beshort         6               68000
+>8     beshort         7       SGI
+>8     beshort         8               RS6000
+>8     beshort         9               IA64
+>8     beshort         10              Sparc64
+>8     beshort         11              MIPSel
+>8     beshort         12              ARM
+>10    string          x               "%s"
+
+
+#---------------------------Bootloaders--------------------------------
+
+# CFE bootloader
+0      string  CFE1CFE1        CFE boot loader, little endian
+0      string  1EFC1EFC        CFE boot loader, big endian
+
+
+#------------------Compression Formats-----------------------------
+
+# AFX compressed files (Wolfram Kleff)
+0      string          -afx-           AFX compressed file data{offset-adjust:-2}
+
+# bzip2
+0      string BZh91AY&SY       bzip2 compressed data, block size = 900k
+0      string BZh81AY&SY       bzip2 compressed data, block size = 800k
+0      string BZh71AY&SY       bzip2 compressed data, block size = 700k
+0      string BZh61AY&SY       bzip2 compressed data, block size = 600k
+0      string BZh51AY&SY       bzip2 compressed data, block size = 500k
+0      string BZh41AY&SY       bzip2 compressed data, block size = 400k
+0      string BZh31AY&SY       bzip2 compressed data, block size = 300k
+0      string BZh21AY&SY       bzip2 compressed data, block size = 200k
+0      string BZh11AY&SY       bzip2 compressed data, block size = 100k
+
+# lzop from <markus.oberhumer@jk.uni-linz.ac.at>
+0      string          \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a    lzop compressed data
+>9     beshort         <0x0940
+>>9    byte&0xf0       =0x00           - version 0.
+>>9    beshort&0x0fff  x               \b%03x,
+>>13   byte            1               LZO1X-1,
+>>13   byte            2               LZO1X-1(15),
+>>13   byte            3               LZO1X-999,
+## >>22        bedate          >0              last modified: %s,
+>>14   byte            =0x00           os: MS-DOS
+>>14   byte            =0x01           os: Amiga
+>>14   byte            =0x02           os: VMS
+>>14   byte            =0x03           os: Unix
+>>14   byte            =0x05           os: Atari
+>>14   byte            =0x06           os: OS/2
+>>14   byte            =0x07           os: MacOS
+>>14   byte            =0x0A           os: Tops/20
+>>14   byte            =0x0B           os: WinNT
+>>14   byte            =0x0E           os: Win32
+>9     beshort         >0x0939
+>>9    byte&0xf0       =0x00           - version 0.
+>>9    byte&0xf0       =0x10           - version 1.
+>>9    byte&0xf0       =0x20           - version 2.
+>>9    beshort&0x0fff  x               \b%03x,
+>>15   byte            1               LZO1X-1,
+>>15   byte            2               LZO1X-1(15),
+>>15   byte            3               LZO1X-999,
+## >>25        bedate          >0              last modified: %s,
+>>17   byte            =0x00           os: MS-DOS
+>>17   byte            =0x01           os: Amiga
+>>17   byte            =0x02           os: VMS
+>>17   byte            =0x03           os: Unix
+>>17   byte            =0x05           os: Atari
+>>17   byte            =0x06           os: OS/2
+>>17   byte            =0x07           os: MacOS
+>>17   byte            =0x0A           os: Tops/20
+>>17   byte            =0x0B           os: WinNT
+>>17   byte            =0x0E           os: Win32
+
+# lzip  
+0       string          LZIP            lzip compressed data
+>4      byte            x               \b, version: %d
+
+# LZO
+0      string          \211LZO\000\015\012\032\012     LZO compressed data
+
+# 7-zip archiver, from Thomas Klausner (wiz@danbala.tuwien.ac.at)
+# http://www.7-zip.org or DOC/7zFormat.txt 
+#
+0       string          7z\274\257\047\034      7-zip archive data,
+>6      byte            x                       version %d
+>7      byte            x                       \b.%d
+
+# standard unix compress
+0       beshort                0x1f9d          compress'd data
+>2      byte&0x80       >0              block compressed
+>2     byte&0x1f       !16             invalid
+>2      byte&0x1f       x               %d bits
+
+# http://tukaani.org/xz/xz-file-format.txt
+0      string          \xFD\x37\x7a\x58\x5a\x00        xz compressed data
+
+# gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver)
+#   Edited by Chris Chittleborough <cchittleborough@yahoo.com.au>, March 2002
+#       * Original filename is only at offset 10 if "extra field" absent
+#       * Produce shorter output - notably, only report compression methods
+#         other than 8 ("deflate", the only method defined in RFC 1952).
+0       string          \037\213\x08    gzip compressed data
+>3      byte            &0x01           \b, ASCII
+>3      byte            &0x02           \b, has CRC
+>3      byte            &0x04           \b, extra field
+>3      byte&0xC        =0x08
+>>10   string          x               \b{file-name:%s}
+>>10    string          x               \b, was "%s"
+>3      byte            &0x10           \b, has comment
+>9      byte            =0x00           \b, from FAT filesystem (MS-DOS, OS/2, NT)
+>9      byte            =0x01           \b, from Amiga
+>9      byte            =0x02           \b, from VMS
+>9      byte            =0x03           \b, from Unix
+>9      byte            =0x04           \b, from VM/CMS
+>9      byte            =0x05           \b, from Atari
+>9      byte            =0x06           \b, from HPFS filesystem (OS/2, NT)
+>9      byte            =0x07           \b, from MacOS
+>9      byte            =0x08           \b, from Z-System
+>9      byte            =0x09           \b, from CP/M
+>9      byte            =0x0A           \b, from TOPS/20
+>9      byte            =0x0B           \b, from NTFS filesystem (NT)
+>9      byte            =0x0C           \b, from QDOS
+>9      byte            =0x0D           \b, from Acorn RISCOS
+>9     byte            >0x0D           \b, invalid source
+>9     byte            <0              \b, invalid source
+>3      byte            &0x20           \b, encrypted (invalid)
+# Dates before 1992 are invalid, unless of course you're DD-WRT in which
+# case you don't know how to set a date in your gzip files. Brilliant.
+>4     lelong          =0              \b, NULL date:
+>4     lelong          <0              \b, invalid date:
+>4     lelong          >0              
+>>4    lelong          <694224000      \b, invalid date:
+>>4    lelong          =694224000      \b, invalid date:
+>>4    lelong          >694224000      \b, last modified:
+>4      ledate          x               %s
+>8      byte            2               \b, max compression
+>8      byte            4               \b, max speed
+
+# Zlib signatures
+0      beshort         0x789C          zlib compressed data
+0      beshort         0x78DA          zlib compressed data
+0      beshort         0x7801          zlib compressed data
+
+# Supplementary magic data for the file(1) command to support
+# rzip(1).  The format is described in magic(5).
+#
+# Copyright (C) 2003 by Andrew Tridgell.  You may do whatever you want with
+# this file.
+#
+0       string          RZIP            rzip compressed data
+>4      byte            x               - version %d
+>5      byte            x               \b.%d
+>6      belong          x               (%d bytes)
+
+# ZIP compression (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)
+0       string          PK\003\004      Zip archive data,
+>4      byte            0x00            v0.0
+>4      byte            0x09            at least v0.9 to extract,
+>4      byte            0x0a            at least v1.0 to extract,
+>4      byte            0x0b            at least v1.1 to extract,
+>0x161  string          WINZIP          WinZIP self-extracting,
+>4      byte            0x14
+>>30    ubelong         !0x6d696d65     at least v2.0 to extract,
+>18    lelong          !0
+>>18   lelong          <0              invalid
+>>18   lelong          x               compressed size: %d,
+>22    lelong          !0
+>>22   lelong          <0              invalid
+>>22   lelong          x               uncompressed size: %d,{extract-delay:end of zip archive}
+>30    string          x               {file-name:{raw-replace}}name: {raw-replace}
+>26    leshort         x               {raw-string-length:%d}
+>30    string          x               {raw-string:%s
+>61    string          x               \b%s
+>92    string          x               \b%s
+>123   string          x               \b%s
+>154   string          x               \b%s}
+
+# ZIP footer
+0      string          PK\x05\x06      End of Zip archive
+>20    leshort         x               {offset-adjust:22+%d}
+>20    leshort         >0
+>>20   leshort         x               \b, comment: {raw-replace}
+>>20   leshort         x               {raw-string-length:%d}
+>>22   string          x               {raw-string:%s}
+
+# New LZMA format signature
+0      string          \xFFLZMA\x00    LZMA compressed data (new),
+>6     byte&0x10       0               single-block stream
+>6     byte&0x10       0x10            multi-block stream
+
+# See lzma file for LZMA signatures
+# Type: OpenSSL certificates/key files
+# From: Nicolas Collignon <tsointsoin@gmail.com>
+
+0       string  -----BEGIN\x20CERTIFICATE-----    PEM certificate
+0       string  -----BEGIN\x20CERTIFICATE\x20REQ    PEM certificate request
+0       string  -----BEGIN\x20RSA\x20PRIVATE        PEM RSA private key
+0       string  -----BEGIN\x20DSA\x20PRIVATE        PEM DSA private key
+
+# Type: OpenSSH key files
+# From: Nicolas Collignon <tsointsoin@gmail.com>
+
+0       string  SSH\x20PRIVATE\x20KEY  OpenSSH RSA1 private key,
+>28     string  >\0                    version "%s"
+
+0       string  ssh-dss\x20               OpenSSH DSA public key
+0       string  ssh-rsa\x20               OpenSSH RSA public key
+
+# Type: Certificates/key files in DER format
+# From: Gert Hulselmans <hulselmansgert@gmail.com>
+0      string  \x30\x82                Private key in DER format (PKCS#8),
+>4     string  !\x02\x01\x00           invalid,
+>>2    beshort x                       header length: 4, sequence length: %d
+
+0      string  \x30\x82                Certificate in DER format (x509 v3),
+>4     string  !\x30\x82               invalid,
+>>2    beshort x                       header length: 4, sequence length: %d
+
+# GnuPG
+# The format is very similar to pgp
+0      string          \001gpg                 GPG key trust database
+>4     byte            x                       version %d
+0       beshort         0x9901                  GPG key public ring
+# This magic is not particularly good, as the keyrings don't have true
+# magic. Nevertheless, it covers many keyrings.
+
+#------------------------------------------------------------------------------
+# Mavroyanopoulos Nikos <nmav@hellug.gr>
+# mcrypt:   file(1) magic for mcrypt 2.2.x;
+0      string          \0m\3           mcrypt 2.5 encrypted data,
+>4     byte            0               invalid
+>4     string          >\0             algorithm: "%s",
+>>&1   leshort         <1              invalid
+>>&1   leshort         >0              keysize: %d bytes,
+>>>&0  byte            0               invalid
+>>>&0  string          >\0             mode: "%s",
+
+0      string          \0m\2           mcrypt 2.2 encrypted data,
+>3     byte            0               algorithm: blowfish-448,
+>3     byte            1               algorithm: DES,
+>3     byte            2               algorithm: 3DES,
+>3     byte            3               algorithm: 3-WAY,
+>3     byte            4               algorithm: GOST,
+>3     byte            6               algorithm: SAFER-SK64,
+>3     byte            7               algorithm: SAFER-SK128,
+>3     byte            8               algorithm: CAST-128,
+>3     byte            9               algorithm: xTEA,
+>3     byte            10              algorithm: TWOFISH-128,
+>3     byte            11              algorithm: RC2,
+>3     byte            12              algorithm: TWOFISH-192,
+>3     byte            13              algorithm: TWOFISH-256,
+>3     byte            14              algorithm: blowfish-128,
+>3     byte            15              algorithm: blowfish-192,
+>3     byte            16              algorithm: blowfish-256,
+>3     byte            100             algorithm: RC6,
+>3     byte            101             algorithm: IDEA,
+>3     byte            <0              invalid algorithm
+>3     byte            >101            invalid algorithm,
+>3     byte            >16
+>>3    byte            <100            invalid algorithm,
+>4     byte            0               mode: CBC,
+>4     byte            1               mode: ECB,
+>4     byte            2               mode: CFB,
+>4     byte            3               mode: OFB,
+>4     byte            4               mode: nOFB,
+>4     byte            <0              invalid mode,
+>4     byte            >4              invalid mode,
+>5     byte            0               keymode: 8bit
+>5     byte            1               keymode: 4bit
+>5     byte            2               keymode: SHA-1 hash
+>5     byte            3               keymode: MD5 hash
+>5     byte            <0              invalid keymode
+>5     byte            >3              invalid keymode
+
+#------------------------------------------------------------------------------
+# pgp:  file(1) magic for Pretty Good Privacy
+#
+#0       beshort         0x9900                  PGP key public ring
+#0       beshort         0x9501                  PGP key security ring
+#0       beshort         0x9500                  PGP key security ring
+#0     beshort         0xa600                  PGP encrypted data
+0       string          -----BEGIN\040PGP       PGP armored data
+>15     string          PUBLIC\040KEY\040BLOCK- public key block
+>15     string          MESSAGE-                message
+>15     string          SIGNED\040MESSAGE-      signed message
+>15     string          PGP\040SIGNATURE-       signature
+
+
+#------------------Standard file formats------------------------------------
+
+#------------------------------------------------------------------------------
+# elf:  file(1) magic for ELF executables
+#
+# We have to check the byte order flag to see what byte order all the
+# other stuff in the header is in.
+#
+# What're the correct byte orders for the nCUBE and the Fujitsu VPP500?
+#
+# updated by Daniel Quinlan (quinlan@yggdrasil.com)
+0      string          \177ELF         ELF
+>4     byte            0               invalid class
+>4     byte            1               32-bit
+# only for MIPS - in the future, the ABI field of e_flags should be used.
+>>18   leshort         8
+>>>36  lelong          &0x20           N32
+>>18   leshort         10
+>>>36  lelong          &0x20           N32
+>>18   beshort         8
+>>>36  belong          &0x20           N32
+>>18   beshort         10
+>>>36  belong          &0x20           N32
+>4     byte            2               64-bit
+>5     byte            0               invalid byte order
+>5     byte            1               LSB
+# The official e_machine number for MIPS is now #8, regardless of endianness.
+# The second number (#10) will be deprecated later. For now, we still
+# say something if #10 is encountered, but only gory details for #8.
+>>18    leshort                8
+# only for 32-bit
+>>>4   byte            1
+>>>>36  lelong&0xf0000000      0x00000000      MIPS-I
+>>>>36  lelong&0xf0000000      0x10000000      MIPS-II
+>>>>36  lelong&0xf0000000      0x20000000      MIPS-III
+>>>>36  lelong&0xf0000000      0x30000000      MIPS-IV
+>>>>36  lelong&0xf0000000      0x40000000      MIPS-V
+>>>>36  lelong&0xf0000000      0x60000000      MIPS32
+>>>>36  lelong&0xf0000000      0x70000000      MIPS64
+>>>>36  lelong&0xf0000000      0x80000000      MIPS32 rel2
+>>>>36  lelong&0xf0000000      0x90000000      MIPS64 rel2
+# only for 64-bit
+>>>4   byte            2
+>>>>48  lelong&0xf0000000      0x00000000      MIPS-I
+>>>>48  lelong&0xf0000000      0x10000000      MIPS-II
+>>>>48  lelong&0xf0000000      0x20000000      MIPS-III
+>>>>48  lelong&0xf0000000      0x30000000      MIPS-IV
+>>>>48  lelong&0xf0000000      0x40000000      MIPS-V
+>>>>48  lelong&0xf0000000      0x60000000      MIPS32
+>>>>48  lelong&0xf0000000      0x70000000      MIPS64 
+>>>>48  lelong&0xf0000000      0x80000000      MIPS32 rel2
+>>>>48  lelong&0xf0000000      0x90000000      MIPS64 rel2
+>>16   leshort         0               no file type,
+>>16   leshort         1               relocatable,
+>>16   leshort         2               executable,
+>>16   leshort         3               shared object,
+# Core handling from Peter Tobias <tobias@server.et-inf.fho-emden.de>
+# corrections by Christian 'Dr. Disk' Hechelmann <drdisk@ds9.au.s.shuttle.de>
+>>16   leshort         4               core file
+# Core file detection is not reliable.
+#>>>(0x38+0xcc) string >\0             of '%s'
+#>>>(0x38+0x10) lelong >0              (signal %d),
+>>16   leshort         &0xff00         processor-specific,
+>>18   leshort         0               no machine,
+>>18   leshort         1               AT&T WE32100 - invalid byte order,
+>>18   leshort         2               SPARC - invalid byte order,
+>>18   leshort         3               Intel 80386,
+>>18   leshort         4               Motorola
+>>>36  lelong          &0x01000000     68000 - invalid byte order,
+>>>36  lelong          &0x00810000     CPU32 - invalid byte order,
+>>>36  lelong          0               68020 - invalid byte order,
+>>18   leshort         5               Motorola 88000 - invalid byte order,
+>>18   leshort         6               Intel 80486,
+>>18   leshort         7               Intel 80860,
+>>18   leshort         8               MIPS,
+>>18   leshort         9               Amdahl - invalid byte order,
+>>18   leshort         10              MIPS (deprecated),
+>>18   leshort         11              RS6000 - invalid byte order,
+>>18   leshort         15              PA-RISC - invalid byte order,
+>>>50  leshort         0x0214          2.0
+>>>48  leshort         &0x0008         (LP64),
+>>18   leshort         16              nCUBE,
+>>18   leshort         17              Fujitsu VPP500,
+>>18   leshort         18              SPARC32PLUS,
+>>18   leshort         20              PowerPC,
+>>18   leshort         22              IBM S/390,
+>>18   leshort         36              NEC V800,
+>>18   leshort         37              Fujitsu FR20,
+>>18   leshort         38              TRW RH-32,
+>>18   leshort         39              Motorola RCE,
+>>18   leshort         40              ARM,
+>>18   leshort         41              Alpha,
+>>18   leshort         0xa390          IBM S/390 (obsolete),
+>>18   leshort         42              Hitachi SH,
+>>18   leshort         43              SPARC V9 - invalid byte order,
+>>18   leshort         44              Siemens Tricore Embedded Processor,
+>>18   leshort         45              Argonaut RISC Core, Argonaut Technologies Inc.,
+>>18   leshort         46              Hitachi H8/300,
+>>18   leshort         47              Hitachi H8/300H,
+>>18   leshort         48              Hitachi H8S,
+>>18   leshort         49              Hitachi H8/500,
+>>18   leshort         50              IA-64 (Intel 64 bit architecture)
+>>18   leshort         51              Stanford MIPS-X,
+>>18   leshort         52              Motorola Coldfire,
+>>18   leshort         53              Motorola M68HC12,
+>>18   leshort         62              AMD x86-64,
+>>18   leshort         75              Digital VAX,
+>>18   leshort         97              NatSemi 32k,
+>>18   leshort         0x9026          Alpha (unofficial),
+>>20   lelong          0               invalid version
+>>20   lelong          1               version 1
+>>36   lelong          1               MathCoPro/FPU/MAU Required
+>5     byte            2               MSB
+# only for MIPS - see comment in little-endian section above.
+>>18    beshort                8
+# only for 32-bit
+>>>4   byte            1
+>>>>36  belong&0xf0000000      0x00000000      MIPS-I
+>>>>36  belong&0xf0000000      0x10000000      MIPS-II
+>>>>36  belong&0xf0000000      0x20000000      MIPS-III
+>>>>36  belong&0xf0000000      0x30000000      MIPS-IV
+>>>>36  belong&0xf0000000      0x40000000      MIPS-V
+>>>>36  belong&0xf0000000      0x60000000      MIPS32
+>>>>36  belong&0xf0000000      0x70000000      MIPS64
+>>>>36  belong&0xf0000000      0x80000000      MIPS32 rel2
+>>>>36  belong&0xf0000000      0x90000000      MIPS64 rel2
+# only for 64-bit
+>>>4   byte            2
+>>>>48 belong&0xf0000000       0x00000000      MIPS-I
+>>>>48 belong&0xf0000000       0x10000000      MIPS-II
+>>>>48 belong&0xf0000000       0x20000000      MIPS-III
+>>>>48 belong&0xf0000000       0x30000000      MIPS-IV
+>>>>48 belong&0xf0000000       0x40000000      MIPS-V
+>>>>48 belong&0xf0000000       0x60000000      MIPS32
+>>>>48 belong&0xf0000000       0x70000000      MIPS64 
+>>>>48 belong&0xf0000000       0x80000000      MIPS32 rel2
+>>>>48 belong&0xf0000000       0x90000000      MIPS64 rel2
+>>16   beshort         0               no file type,
+>>16   beshort         1               relocatable,
+>>16   beshort         2               executable,
+>>16   beshort         3               shared object,
+>>16   beshort         4               core file,
+#>>>(0x38+0xcc) string >\0             of '%s'
+#>>>(0x38+0x10) belong >0              (signal %d),
+>>16   beshort         &0xff00         processor-specific,
+>>18   beshort         0               no machine,
+>>18   beshort         1               AT&T WE32100,
+>>18   beshort         2               SPARC,
+>>18   beshort         3               Intel 80386 - invalid byte order,
+>>18   beshort         4               Motorola
+>>>36  belong          &0x01000000     68000,
+>>>36  belong          &0x00810000     CPU32,
+>>>36  belong          0               68020,
+>>18   beshort         5               Motorola 88000,
+>>18   beshort         6               Intel 80486 - invalid byte order,
+>>18   beshort         7               Intel 80860,
+>>18   beshort         8               MIPS,
+>>18   beshort         9               Amdahl,
+>>18   beshort         10              MIPS (deprecated),
+>>18   beshort         11              RS6000,
+>>18   beshort         15              PA-RISC
+>>>50  beshort         0x0214          2.0
+>>>48  beshort         &0x0008         (LP64)
+>>18   beshort         16              nCUBE,
+>>18   beshort         17              Fujitsu VPP500,
+>>18   beshort         18              SPARC32PLUS,
+>>>36  belong&0xffff00 &0x000100       V8+ Required,
+>>>36  belong&0xffff00 &0x000200       Sun UltraSPARC1 Extensions Required,
+>>>36  belong&0xffff00 &0x000400       HaL R1 Extensions Required,
+>>>36  belong&0xffff00 &0x000800       Sun UltraSPARC3 Extensions Required,
+>>18   beshort         20              PowerPC or cisco 4500,
+>>18   beshort         21              cisco 7500,
+>>18   beshort         22              IBM S/390,
+>>18   beshort         24              cisco SVIP,
+>>18   beshort         25              cisco 7200,
+>>18   beshort         36              NEC V800 or cisco 12000,
+>>18   beshort         37              Fujitsu FR20,
+>>18   beshort         38              TRW RH-32,
+>>18   beshort         39              Motorola RCE,
+>>18   beshort         40              ARM,
+>>18   beshort         41              Alpha,
+>>18   beshort         42              Hitachi SH,
+>>18   beshort         43              SPARC V9,
+>>18   beshort         44              Siemens Tricore Embedded Processor,
+>>18   beshort         45              Argonaut RISC Core, Argonaut Technologies Inc.,
+>>18   beshort         46              Hitachi H8/300,
+>>18   beshort         47              Hitachi H8/300H,
+>>18   beshort         48              Hitachi H8S,
+>>18   beshort         49              Hitachi H8/500,
+>>18   beshort         50              Intel Merced Processor,
+>>18   beshort         51              Stanford MIPS-X,
+>>18   beshort         52              Motorola Coldfire,
+>>18   beshort         53              Motorola M68HC12,
+>>18   beshort         73              Cray NV1,
+>>18   beshort         75              Digital VAX,
+>>18   beshort         97              NatSemi 32k,
+>>18   beshort         0x9026          Alpha (unofficial),
+>>18   beshort         0xa390          IBM S/390 (obsolete),
+>>18    beshort         0xde3d          Ubicom32,
+>>20   belong          0               invalid version
+>>20   belong          1               version 1
+>>36   belong          1               MathCoPro/FPU/MAU Required
+# Up to now only 0, 1 and 2 are defined; I've seen a file with 0x83, it seemed
+# like proper ELF, but extracting the string had bad results.
+>4      byte            <0x80
+>>8    string          >\0             ("%s")
+>8     string          \0
+>>7    byte            0               (SYSV)
+>>7    byte            1               (HP-UX)
+>>7    byte            2               (NetBSD)
+>>7    byte            3               (GNU/Linux)
+>>7    byte            4               (GNU/Hurd)
+>>7    byte            5               (86Open)
+>>7    byte            6               (Solaris)
+>>7    byte            7               (Monterey)
+>>7    byte            8               (IRIX)
+>>7    byte            9               (FreeBSD)
+>>7    byte            10              (Tru64)
+>>7    byte            11              (Novell Modesto)
+>>7    byte            12              (OpenBSD)
+>>7    byte            97              (ARM)
+>>7    byte            255             (embedded)
+
+# XXX - according to Microsoft's spec, at an offset of 0x3c in a
+# PE-format executable is the offset in the file of the PE header;
+# unfortunately, that's a little-endian offset, and there's no way
+# to specify an indirect offset with a specified byte order.
+# So, for now, we assume the standard MS-DOS stub, which puts the
+# PE header at 0x80 = 128.
+#
+# Required OS version and subsystem version were 4.0 on some NT 3.51
+# executables built with Visual C++ 4.0, so it's not clear that
+# they're interesting.  The user version was 0.0, but there's
+# probably some linker directive to set it.  The linker version was
+# 3.0, except for one ".exe" which had it as 4.20 (same damn linker!).
+#
+# many of the compressed formats were extraced from IDARC 1.23 source code
+#
+0       string  MZ     Microsoft
+>0x18  leshort <0x40 MS-DOS executable
+>0 string MZ\0\0\0\0\0\0\0\0\0\0PE\0\0 \b, PE for MS Windows
+>>&18   leshort&0x2000  >0      (DLL)
+>>&88   leshort         0       (unknown subsystem)
+>>&88   leshort         1       (native)
+>>&88   leshort         2       (GUI)
+>>&88   leshort         3       (console)
+>>&88   leshort         7       (POSIX)
+>>&0    leshort         0x0     unknown processor
+>>&0    leshort         0x14c   Intel 80386
+>>&0    leshort         0x166   MIPS R4000
+>>&0    leshort         0x184   Alpha
+>>&0    leshort         0x268   Motorola 68000
+>>&0    leshort         0x1f0   PowerPC
+>>&0    leshort         0x290   PA-RISC
+>>&18   leshort&0x0100  >0      32-bit
+>>&18   leshort&0x1000  >0      system file
+>>&228  lelong          >0      \b, Mono/.Net assembly
+>>&0xf4 search/0x140 \x0\x40\x1\x0
+>>>(&0.l+(4)) string MSCF \b, WinHKI CAB self-extracting archive
+>30             string  Copyright\x201989-1990\x20PKWARE\x20Inc.      Self-extracting PKZIP archive
+# Is next line correct? One might expect "Corp." not "Copr." If it is right, add a note to that effect.
+>30             string  PKLITE\x20Copr.   Self-extracting PKZIP archive
+
+>0x18  leshort >0x3f
+>>(0x3c.l) string PE\0\0 PE
+>>>(0x3c.l+25) byte             1 \b32 executable
+>>>(0x3c.l+25) byte             2 \b32+ executable
+# hooray, there's a DOS extender using the PE format, with a valid PE
+# executable inside (which just prints a message and exits if run in win)
+>>>(0x3c.l+92)  leshort         <10
+>>>>(8.s*16) string 32STUB for MS-DOS, 32rtm DOS extender
+>>>>(8.s*16) string !32STUB for MS Windows
+>>>>>(0x3c.l+22)        leshort&0x2000  >0      (DLL)
+>>>>>(0x3c.l+92)        leshort         0       (unknown subsystem)
+>>>>>(0x3c.l+92)        leshort         1       (native)
+>>>>>(0x3c.l+92)        leshort         2       (GUI)
+>>>>>(0x3c.l+92)        leshort         3       (console)
+>>>>>(0x3c.l+92)        leshort         7       (POSIX)
+>>>(0x3c.l+92)  leshort         10      (EFI application)
+>>>(0x3c.l+92)  leshort         11      (EFI boot service driver)
+>>>(0x3c.l+92)  leshort         12      (EFI runtime driver)
+>>>(0x3c.l+92)  leshort         13      (XBOX)
+>>>(0x3c.l+4)   leshort         0x0     unknown processor
+>>>(0x3c.l+4)   leshort         0x14c   Intel 80386
+>>>(0x3c.l+4)   leshort         0x166   MIPS R4000
+>>>(0x3c.l+4)   leshort         0x184   Alpha
+>>>(0x3c.l+4)   leshort         0x268   Motorola 68000
+>>>(0x3c.l+4)   leshort         0x1f0   PowerPC
+>>>(0x3c.l+4)   leshort         0x290   PA-RISC
+>>>(0x3c.l+4)   leshort         0x200   Intel Itanium
+>>>(0x3c.l+22)  leshort&0x0100  >0      32-bit
+>>>(0x3c.l+22)  leshort&0x1000  >0      system file
+>>>(0x3c.l+232) lelong  >0      Mono/.Net assembly
+>>>>(0x3c.l+0xf8)       string          UPX0 \b, UPX compressed
+>>>>(0x3c.l+0xf8)       search/0x140    PEC2 \b, PECompact2 compressed
+>>>>(0x3c.l+0xf8)       search/0x140    UPX2
+>>>>>(&0x10.l+(-4))     string          PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
+>>>>(0x3c.l+0xf8)       search/0x140    .idata
+>>>>>(&0xe.l+(-4))      string          PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
+>>>>>(&0xe.l+(-4))      string          ZZ0 \b, ZZip self-extracting archive
+>>>>>(&0xe.l+(-4))      string          ZZ1 \b, ZZip self-extracting archive
+>>>>(0x3c.l+0xf8)       search/0x140    .rsrc
+>>>>>(&0x0f.l+(-4))     string          a\\\4\5 \b, WinHKI self-extracting archive
+>>>>>(&0x0f.l+(-4))     string          Rar! \b, RAR self-extracting archive
+>>>>>(&0x0f.l+(-4))     search/0x3000   MSCF \b, InstallShield self-extracting archive
+>>>>>(&0x0f.l+(-4))     search/32       Nullsoft \b, Nullsoft Installer self-extracting archive
+>>>>(0x3c.l+0xf8)       search/0x140    .data
+>>>>>(&0x0f.l)          string          WEXTRACT \b, MS CAB-Installer self-extracting archive
+>>>>(0x3c.l+0xf8)       search/0x140    .petite\0 \b, Petite compressed
+>>>>>(0x3c.l+0xf7)      byte            x
+>>>>>>(&0x104.l+(-4))   string          =!sfx! \b, ACE self-extracting archive
+>>>>(0x3c.l+0xf8)       search/0x140    .WISE \b, WISE installer self-extracting archive
+>>>>(0x3c.l+0xf8)       search/0x140    .dz\0\0\0 \b, Dzip self-extracting archive
+>>>>(0x3c.l+0xf8)       search/0x140    .reloc
+>>>>>(&0xe.l+(-4))      search/0x180    PK\3\4 \b, ZIP self-extracting archive (WinZip)
+
+>>>>&(0x3c.l+0xf8)      search/0x100    _winzip_ \b, ZIP self-extracting archive (WinZip)
+>>>>&(0x3c.l+0xf8)      search/0x100    SharedD \b, Microsoft Installer self-extracting archive
+>>>>0x30                string          Inno \b, InnoSetup self-extracting archive
+
+>>(0x3c.l) string !PE\0\0 MS-DOS executable
+
+>>(0x3c.l)              string          NE \b, NE
+>>>(0x3c.l+0x36)        byte            0 (unknown OS)
+>>>(0x3c.l+0x36)        byte            1 for OS/2 1.x
+>>>(0x3c.l+0x36)        byte            2 for MS Windows 3.x
+>>>(0x3c.l+0x36)        byte            3 for MS-DOS
+>>>(0x3c.l+0x36)        byte            >3 (unknown OS)
+>>>(0x3c.l+0x36)        byte            0x81 for MS-DOS, Phar Lap DOS extender
+>>>(0x3c.l+0x0c)        leshort&0x8003  0x8002 (DLL)
+>>>(0x3c.l+0x0c)        leshort&0x8003  0x8001 (driver)
+>>>&(&0x24.s-1)         string          ARJSFX \b, ARJ self-extracting archive
+>>>(0x3c.l+0x70)        search/0x80     WinZip(R)\x20Self-Extractor \b, ZIP self-extracting archive (WinZip)
+
+>>(0x3c.l)              string          LX\0\0 \b, LX
+>>>(0x3c.l+0x0a)        leshort         <1 (unknown OS)
+>>>(0x3c.l+0x0a)        leshort         1 for OS/2
+>>>(0x3c.l+0x0a)        leshort         2 for MS Windows
+>>>(0x3c.l+0x0a)        leshort         3 for DOS
+>>>(0x3c.l+0x0a)        leshort         >3 (unknown OS)
+>>>(0x3c.l+0x10)        lelong&0x28000  =0x8000 (DLL)
+>>>(0x3c.l+0x10)        lelong&0x20000  >0 (device driver)
+>>>(0x3c.l+0x10)        lelong&0x300    0x300 (GUI)
+>>>(0x3c.l+0x10)        lelong&0x28300  <0x300 (console)
+>>>(0x3c.l+0x08)        leshort         1 i80286
+>>>(0x3c.l+0x08)        leshort         2 i80386
+>>>(0x3c.l+0x08)        leshort         3 i80486
+>>>(8.s*16)             string          emx \b, emx
+>>>>&1                  string          x "%s"
+>>>&(&0x54.l-3)         string          arjsfx \b, ARJ self-extracting archive
+
+
+
+#------------------------------------------------------------------------------
+# bFLT: file(1) magic for BFLT uclinux binary files
+#
+# From Philippe De Muyter <phdm@macqel.be>
+# 
+# Additional fields added by Craig Heffner
+#
+0       string          bFLT            BFLT executable 
+>4      belong          x               version %ld, 
+>4      belong          4
+>8     belong          x               code offset: 0x%.8X, 
+>12    belong          x               data segment starts at: 0x%.8X, 
+>16    belong          x               bss segment starts at: 0x%.8X, 
+>20    belong          x               bss segment ends at: 0x%.8X, 
+>24    belong          x               stack size: %d bytes, 
+>28    belong          x               relocation records start at: 0x%.8X, 
+>32    belong          x               number of reolcation records: %d, 
+>>36    belong&0x1      0x1             ram
+>>36    belong&0x2      0x2             gotpic
+>>36    belong&0x4      0x4             gzip
+>>36    belong&0x8      0x8             gzdata
+
+
+#-----------------------------------------------------------------
+# MIPS COFF file formats
+#
+0       beshort 0x0160          MIPSEB ECOFF executable
+>20     beshort 0407            (impure)
+>20     beshort 0410            (swapped)
+>20     beshort 0413            (paged)
+>8      belong  >0              not stripped
+>8      belong  0               stripped
+>22     byte    x               - version %ld
+>23     byte    x               \b.%ld
+#
+0       beshort 0x0162          MIPSEL-BE ECOFF executable
+>20     beshort 0407            (impure)
+>20     beshort 0410            (swapped)
+>20     beshort 0413            (paged)
+>8      belong  >0              not stripped
+>8      belong  0               stripped
+>23     byte    x               - version %d
+>22     byte    x               \b.%ld
+#
+0       beshort 0x6001          MIPSEB-LE ECOFF executable
+>20     beshort 03401           (impure)
+>20     beshort 04001           (swapped)
+>20     beshort 05401           (paged)
+>8      belong  >0              not stripped
+>8      belong  0               stripped
+>23     byte    x               - version %d
+>22     byte    x               \b.%ld
+#
+0       beshort 0x6201          MIPSEL ECOFF executable
+>20     beshort 03401           (impure)
+>20     beshort 04001           (swapped)
+>20     beshort 05401           (paged)
+>8      belong  >0              not stripped
+>8      belong  0               stripped
+>23     byte    x               - version %ld
+>22     byte    x               \b.%ld
+# MIPS 2 additions
+#
+0       beshort 0x0163          MIPSEB MIPS-II ECOFF executable
+>20     beshort 0407            (impure)
+>20     beshort 0410            (swapped)
+>20     beshort 0413            (paged)
+>8      belong  >0              not stripped
+>8      belong  0               stripped
+>22     byte    x               - version %ld
+>23     byte    x               \b.%ld
+#
+0       beshort 0x0166          MIPSEL-BE MIPS-II ECOFF executable
+>20     beshort 0407            (impure)
+>20     beshort 0410            (swapped)
+>20     beshort 0413            (paged)
+>8      belong  >0              not stripped
+>8      belong  0               stripped
+>22     byte    x               - version %ld
+>23     byte    x               \b.%ld
+#
+0       beshort 0x6301          MIPSEB-LE MIPS-II ECOFF executable
+>20     beshort 03401           (impure)
+>20     beshort 04001           (swapped)
+>20     beshort 05401           (paged)
+>8      belong  >0              not stripped
+>8      belong  0               stripped
+>23     byte    x               - version %ld
+>22     byte    x               \b.%ld
+#
+0       beshort 0x6601          MIPSEL MIPS-II ECOFF executable
+>20     beshort 03401           (impure)
+>20     beshort 04001           (swapped)
+>20     beshort 05401           (paged)
+>8      belong  >0              not stripped
+>8      belong  0               stripped
+>23     byte    x               - version %ld
+>22     byte    x               \b.%ld
+# MIPS 3 additions
+#
+0       beshort 0x0140          MIPSEB MIPS-III ECOFF executable
+>20     beshort 0407            (impure)
+>20     beshort 0410            (swapped)
+>20     beshort 0413            (paged)
+>8      belong  >0              not stripped
+>8      belong  0               stripped
+>22     byte    x               - version %ld
+>23     byte    x               \b.%ld
+#
+0       beshort 0x0142          MIPSEL-BE MIPS-III ECOFF executable
+>20     beshort 0407            (impure)
+>20     beshort 0410            (swapped)
+>20     beshort 0413            (paged)
+>8      belong  >0              not stripped
+>8      belong  0               stripped
+>22     byte    x               - version %ld
+>23     byte    x               \b.%ld
+#
+0       beshort 0x4001          MIPSEB-LE MIPS-III ECOFF executable
+>20     beshort 03401           (impure)
+>20     beshort 04001           (swapped)
+>20     beshort 05401           (paged)
+>8      belong  >0              not stripped
+>8      belong  0               stripped
+>23     byte    x               - version %ld
+>22     byte    x               \b.%ld
+#
+0       beshort 0x4201          MIPSEL MIPS-III ECOFF executable
+>20     beshort 03401           (impure)
+>20     beshort 04001           (swapped)
+>20     beshort 05401           (paged)
+>8      belong  >0              not stripped
+>8      belong  0               stripped
+>23     byte    x               - version %ld
+>22     byte    x               \b.%ld
+#
+0       beshort 0x180           MIPSEB Ucode
+0       beshort 0x182           MIPSEL-BE Ucode
+
+
+# Windows CE package files
+0       string          MSCE\0\0\0\0    Microsoft WinCE installer
+>20     lelong          0               \b, architecture-independent
+>20     lelong          103             \b, Hitachi SH3
+>20     lelong          104             \b, Hitachi SH4
+>20     lelong          0xA11           \b, StrongARM
+>20     lelong          4000            \b, MIPS R4000
+>20     lelong          10003           \b, Hitachi SH3
+>20     lelong          10004           \b, Hitachi SH3E
+>20     lelong          10005           \b, Hitachi SH4
+>20     lelong          70001           \b, ARM 7TDMI
+>52     leshort         1               \b, 1 file
+>52     leshort         >1              \b, %u files
+>56     leshort         1               \b, 1 registry entry
+>56     leshort         >1              \b, %u registry entries
+
+#------------------------------------------------------------------------------
+# Microsoft Xbox executables .xbe (Esa Hyytiä <ehyytia@cc.hut.fi>)
+0       string          XBEH            XBE, Microsoft Xbox executable
+# probabilistic checks whether signed or not
+>0x0004 ulelong =0x0
+>>&2    ulelong =0x0
+>>>&2   ulelong =0x0  \b, not signed
+>0x0004 ulelong >0
+>>&2    ulelong >0
+>>>&2   ulelong >0    \b, signed
+# expect base address of 0x10000
+>0x0104               ulelong =0x10000
+>>(0x0118-0x0FF60)    ulelong&0x80000007  0x80000007 \b, all regions
+>>(0x0118-0x0FF60)    ulelong&0x80000007  !0x80000007
+>>>(0x0118-0x0FF60)   ulelong >0           (regions:
+>>>>(0x0118-0x0FF60)  ulelong &0x00000001  NA
+>>>>(0x0118-0x0FF60)  ulelong &0x00000002  Japan
+>>>>(0x0118-0x0FF60)  ulelong &0x00000004  Rest_of_World
+>>>>(0x0118-0x0FF60)  ulelong &0x80000000  Manufacturer
+>>>(0x0118-0x0FF60)   ulelong >0           \b)
+
+#------------------------------------------------------------------------------
+# motorola:  file(1) magic for Motorola 68K and 88K binaries
+#
+# 68K
+#
+0       beshort         0x0208          mc68k COFF
+>18     beshort         ^00000020       object
+>18     beshort         &00000020       executable
+>12     belong          >0              not stripped
+>168    string          .lowmem         Apple toolbox
+>20     beshort         0407            (impure)
+>20     beshort         0410            (pure)
+>20     beshort         0413            (demand paged)
+>20     beshort         0421            (standalone)
+0       beshort         0x0209          mc68k executable (shared)
+>12     belong          >0              not stripped
+0       beshort         0x020A          mc68k executable (shared demand paged)
+>12     belong          >0              not stripped
+
+
+#
+# Motorola/UniSoft 68K Binary Compatibility Standard (BCS)
+#
+0       beshort         0x022A            68K BCS executable
+#
+# 88K
+#
+# Motorola/88Open BCS
+#
+0       beshort         0x022B            88K BCS executable
+
+#------------------------------------------------------------------------------
+# Sony Playstation executables (Adam Sjoegren <asjo@diku.dk>) :
+0       string  PS-X\x20EXE       Sony Playstation executable
+#  Area:
+>113    string  x               ("%s")
+
+#------------------------------------------------------------------------------
+# cisco:  file(1) magic for cisco Systems routers
+#
+# Most cisco file-formats are covered by the generic elf code
+#
+# Microcode files are non-ELF, 0x8501 conflicts with NetBSD/alpha.
+0      beshort                 0x8501      cisco IOS
+>0      belong&0xffffff00       0x85011400  microcode
+>0      belong&0xffffff00       0x8501cb00  experimental microcode
+>7      string                 >\0         for "%s"
+
+# EST flat binary format (which isn't, but anyway)
+# From: Mark Brown <broonie@sirena.org.uk>
+0      string  ESTFBINR        EST flat binary
+
+# These are not the binaries themselves, but string references to them
+# are a strong indication that they exist elsewhere...
+#0     string  /bin/busybox    Busybox string reference: "%s"{one-of-many}
+#0     string /bin/sh          Shell string reference: "%s"{one-of-many}
+
+#--------------------File Systems---------------------
+
+# Minix filesystems - Juan Cespedes <cespedes@debian.org>
+0x410   leshort         0x137f          Minix filesystem
+>0x402  beshort         !0              \b, %d zones
+>0x1e   string          minix           \b, bootable
+0x410   leshort         0x138f          Minix filesystem, 30 char names
+0x410   leshort         0x2468          Minix filesystem, version 2
+0x410   leshort         0x2478          Minix filesystem, version 2, 30 char names
+0x410  leshort         0x4d5a          Minix filesystem, version 3
+0x410  leshort         0x4d6a          Minix filesystem, version 3, 30 char names
+
+0x410   beshort         0x137f          Minix filesystem (big endian)
+>0x402  beshort         !0              \b, %d zones
+>0x1e   string          minix           \b, bootable
+0x410   beshort         0x138f          Minix filesystem (big endian), 30 char names
+0x410   beshort         0x2468          Minix filesystem (big endian), version 2
+0x410   beshort         0x2478          Minix filesystem (big endian), version 2, 30 char names
+0x410  beshort         0x4d5a          Minix filesystem (big endian), version 3
+0x410  beshort         0x4d6a          Minix filesystem (big endian), version 3, 30 char names
+
+# YAFFS
+0      string  \x03\x00\x00\x00\x01\x00\x00\x00\xFF\xFF        YAFFS filesystem
+
+# EFS2 file system - jojo@utulsa.edu
+0      lelong 0x53000000       EFS2 Qualcomm filesystem super block, little endian,
+>8     string !EFSSuper        invalid,
+>4     leshort &1              NAND
+>4     leshort ^1              NOR
+>4     leshort x               version 0x%x,
+>24    lelong  x               %d blocks,
+>16    lelong  x               0x%x pages per block,
+>20    lelong  x               0x%x bytes per page
+
+0      belong 0x53000000       EFS2 Qualcomm filesystem super block, big endian,
+>8     string !SSFErepu               invalid,
+>4     beshort &1              NAND
+>4     beshort ^1              NOR
+>4     beshort x               version 0x%x,
+>24    belong  x               %d blocks,
+>16    belong  x               0x%x pages per block,
+>20    belong  x               0x%x bytes per page
+
+# TROC file system
+0      string  TROC            TROC filesystem,
+>4     lelong  x               %d file entries
+
+# PFS file system
+0      string  PFS/            PFS filesystem,
+>4     string  x               version "%s",
+>14    leshort x               %d files
+
+# MPFS file system
+0      string  MPFS            MPFS (Microchip) filesystem,
+>4     byte    x               version %d.
+>5     byte    x               \b%d,
+>6     leshort x               %d file entries
+
+# cramfs filesystem - russell@coker.com.au
+0       lelong  0x28cd3d45      CramFS filesystem, little endian
+>4     lelong  <0              invalid
+>4      lelong  x              size %lu
+>8      lelong  &1             version #2
+>8      lelong  &2             sorted_dirs
+>8      lelong  &4             hole_support
+>32     lelong  x              CRC 0x%x,
+>36     lelong  x              edition %lu,
+>40    lelong  <0              invalid
+>40     lelong  x              %lu blocks,
+>44    lelong  <0              invalid
+>44     lelong  x              %lu files
+>4      lelong  x              {jump-to-offset:%lu}
+>4      lelong  x              {file-size:%lu}
+
+0       belong  0x28cd3d45      CramFS filesystem, big endian
+>4     belong  <0              invalid
+>4      belong  x              size %lu
+>8      belong  &1             version #2
+>8      belong  &2             sorted_dirs
+>8      belong  &4             hole_support
+>32     belong  x              CRC 0x%x,
+>36     belong  x              edition %lu,
+>40    belong  <0              invalid
+>40     belong  x              %lu blocks,
+>44    belong  <0              invalid
+>44     belong  x              %lu files
+>4      belong  x              {jump-to-offset:%lu}
+>4      belong  x              {file-size:%lu}
+
+
+
+# JFFS2 file system
+# If used with binwalk's smart signature feature (on by default, -S to disable)
+# this signature can potentially lead to missing some JFFS2 file systems if there
+# are multiple JFFS2 file systems in a target file and there are no other identified
+# files in between the JFFS2 file systems. This is an unlikely scenario however, and
+# the below signatures are much improved in terms of readability and accuracy in the
+# vast majority of real world scenarios.
+0              leshort 0x1985  JFFS2 filesystem, little endian{filter-include}
+>2             leshort !0xE001
+>>2            leshort !0xE002
+>>>2           leshort !0x2003
+>>>>2          leshort !0x2004
+>>>>>2         leshort !0x2006
+>>>>>>2                leshort !0xE008
+>>>>>>>2       leshort !0xE009 \b, invalid
+>(4.l)         leshort !0x1985         
+>>(4.l+1)      leshort !0x1985 
+>>>(4.l+2)     leshort !0x1985 
+>>>>(4.l+3)    leshort !0x1985
+>>>>>(4.l)      leshort !0xFFFF
+>>>>>>(4.l+1)   leshort !0xFFFF
+>>>>>>>(4.l+2)  leshort !0xFFFF
+>>>>>>>>(4.l+3) leshort !0xFFFF \b, invalid
+>4             lelong  x       {one-of-many}{jump-to-offset:%d}
+
+0              beshort 0x1985  JFFS2 filesystem, big endian{filter-include}
+>2             beshort !0xE001
+>>2            beshort !0xE002
+>>>2           beshort !0x2003
+>>>>2          beshort !0x2004
+>>>>>2         beshort !0x2006
+>>>>>>2                beshort !0xE008
+>>>>>>>2       beshort !0xE009 \b, invalid
+>(4.L)         beshort !0x1985  
+>>(4.L+1)      beshort !0x1985  
+>>>(4.L+2)     beshort !0x1985
+>>>>(4.L+3)    beshort !0x1985 
+>>>>>(4.L)     beshort !0xFFFF
+>>>>>>(4.L+1)  beshort !0xFFFF
+>>>>>>>(4.L+2) beshort !0xFFFF
+>>>>>>>>(4.L+3)        beshort !0xFFFF \b, invalid
+>4             belong  x       {one-of-many}{jump-to-offset:%d}
+
+
+# Squashfs, big endian
+0       string  sqsh    Squashfs filesystem, big endian,
+>28     beshort >10     invalid
+>28     beshort <1      invalid
+>30    beshort >10     invalid
+>28     beshort x       version %d.
+>30     beshort x       \b%d,
+>28     beshort >3      compression:
+>>20    beshort 1       \bgzip,
+>>20    beshort 2       \blzma,
+>>20    beshort 0       \binvalid,
+>>20    beshort >4      \binvalid,
+>28     beshort <3
+>>8     belong  x       size: %d bytes,
+>28     beshort 3
+>>63    bequad x        size: %lld bytes,
+>28     beshort >3
+>>40    bequad  x       size: %lld bytes,
+>4      belong  x       %d inodes,
+>28     beshort >3
+>>12    belong          blocksize: %d bytes,
+>28     beshort <2
+>>32    beshort x       blocksize: %d bytes,
+>28     beshort 2
+>>51    belong  x       blocksize: %d bytes,
+>28     beshort 3
+>>51    belong  x       blocksize: %d bytes,
+>28     beshort >3
+>>12    belong  x       blocksize: %d bytes,
+>28     beshort <4
+>>39    bedate  x       created: %s
+>28     beshort >3
+>>8     bedate x        created: %s
+>28    beshort <3
+>>8    belong  x       {jump-to-offset:%d}
+>28    beshort 3       
+>>63   bequad  x       {jump-to-offset:%lld}
+>28    beshort >3
+>>40   bequad  x       {jump-to-offset:%lld}
+
+# Squashfs, little endian
+0       string  hsqs    Squashfs filesystem, little endian,
+>28     leshort >10     invalid
+>28     leshort <1      invalid
+>30    leshort >10     invalid
+>28     leshort x       version %d.
+>30     leshort x       \b%d,
+>28    leshort >3      compression: 
+>>20   leshort 1       \bgzip,
+>>20   leshort 2       \blzma,
+>>20   leshort 0       \binvalid,
+>>20   leshort >4      \binvalid,
+>28     leshort <3
+>>8     lelong  x       size: %d bytes,
+>>8     lelong  x       {file-size:%d}
+>28     leshort 3
+>>63    lequad x        size: %lld bytes,
+>>63    lequad x        {file-size:%lld}
+>28    leshort >3      
+>>40   lequad  x       size: %lld bytes,
+>>40   lequad  x       {file-size:%lld}
+>4      lelong  x       %d inodes,
+>28    leshort >3
+>>12   lelong          blocksize: %d bytes,
+>28     leshort <2
+>>32    leshort x       blocksize: %d bytes,
+>28     leshort 2
+>>51    lelong  x       blocksize: %d bytes,
+>28    leshort 3
+>>51   lelong  x       blocksize: %d bytes,
+>28    leshort >3      
+>>12   lelong  x       blocksize: %d bytes,
+>28    leshort <4
+>>39    ledate  x      created: %s
+>28    leshort >3
+>>8    ledate x        created: %s
+>28     leshort <3
+>>8     lelong  x       {jump-to-offset:%d}
+>28     leshort 3
+>>63    lequad x        {jump-to-offset:%lld}
+>28     leshort >3
+>>40    lequad  x       {jump-to-offset:%lld}
+
+# Squashfs with LZMA compression
+0       string  sqlz    Squashfs filesystem, big endian, lzma compression, 
+>28     beshort >10     invalid
+>28     beshort <1      invalid
+>30    beshort >10     invalid
+>28     beshort x       version %d.
+>30     beshort x       \b%d,
+>28     beshort >3      compression:
+>>20    beshort 1       \bgzip,
+>>20    beshort 2       \blzma,
+>>20    beshort 0       \binvalid,
+>>20    beshort >4      \binvalid,
+>28     beshort <3
+>>8     belong  x       size: %d bytes,
+>>8     belong  x       {file-size:%d}
+>28     beshort 3
+>>63    bequad x        size: %lld bytes,
+>>63    bequad x        {file-size:%lld}
+>28     beshort >3
+>>40    bequad  x       size: %lld bytes,
+>>40    bequad  x       {file-size:%lld}
+>4      belong  x       %d inodes,
+>28     beshort >3
+>>12    belong          blocksize: %d bytes,
+>28     beshort <2
+>>32    beshort x       blocksize: %d bytes,
+>28     beshort 2
+>>51    belong  x       blocksize: %d bytes,
+>28     beshort 3
+>>51    belong  x       blocksize: %d bytes,
+>28     beshort >3
+>>12    belong  x       blocksize: %d bytes,
+>28     beshort <4
+>>39    bedate  x       created: %s
+>28     beshort >3
+>>8     bedate x        created: %s
+>28     beshort <3
+>>8     belong  x       {jump-to-offset:%d}
+>28     beshort 3
+>>63    bequad  x       {jump-to-offset:%lld}
+>28     beshort >3
+>>40    bequad  x       {jump-to-offset:%lld}
+
+# Squashfs 3.3 LZMA signature
+0       string  qshs    Squashfs filesystem, big endian, lzma signature,
+>28     beshort >10     invalid
+>28     beshort <1      invalid
+>30    beshort >10     invalid
+>28     beshort x       version %d.
+>30     beshort x       \b%d,
+>28     beshort >3      compression:
+>>20    beshort 1       \bgzip,
+>>20    beshort 2       \blzma,
+>>20    beshort 0       \binvalid,
+>>20    beshort >4      \binvalid,
+>28     beshort <3
+>>8     belong  x       size: %d bytes,
+>>8     belong  x       {file-size:%d}
+>28     beshort 3
+>>63    bequad x        size: %lld bytes,
+>>63    bequad x        {file-size:%lld}
+>28     beshort >3
+>>40    bequad  x       size: %lld bytes,
+>>40    bequad  x       {file-size:%lld}
+>4      belong  x       %d inodes,
+>28     beshort >3
+>>12    belong          blocksize: %d bytes,
+>28     beshort <2
+>>32    beshort x       blocksize: %d bytes,
+>28     beshort 2
+>>51    belong  x       blocksize: %d bytes,
+>28     beshort 3
+>>51    belong  x       blocksize: %d bytes,
+>28     beshort >3
+>>12    belong  x       blocksize: %d bytes,
+>28     beshort <4
+>>39    bedate  x       created: %s
+>28     beshort >3
+>>8     bedate x        created: %s
+>28     beshort <3
+>>8     belong  x       {jump-to-offset:%d}
+>28     beshort 3
+>>63    bequad  x       {jump-to-offset:%lld}
+>28     beshort >3
+>>40    bequad  x       {jump-to-offset:%lld}
+
+# Squashfs for DD-WRT
+0       string  tqsh    Squashfs filesystem, big endian, DD-WRT signature,
+>28     beshort >10     invalid
+>28     beshort <1      invalid
+>30    beshort >10     invalid
+>28     beshort x       version %d.
+>30     beshort x       \b%d,
+>28     beshort >3      compression:
+>>20    beshort 1       \bgzip,
+>>20    beshort 2       \blzma,
+>>20    beshort 0       \binvalid,
+>>20    beshort >4      \binvalid,
+>28     beshort <3
+>>8     belong  x       size: %d bytes,
+>>8     belong  x       {file-size:%d}
+>28     beshort 3
+>>63    bequad x        size: %lld bytes,
+>>63    bequad x        {file-size:%lld}
+>28     beshort >3
+>>40    bequad  x       size: %lld bytes,
+>>40    bequad  x       {file-size:%lld}
+>4      belong  x       %d inodes,
+>28     beshort >3
+>>12    belong          blocksize: %d bytes,
+>28     beshort <2
+>>32    beshort x       blocksize: %d bytes,
+>28     beshort 2
+>>51    belong  x       blocksize: %d bytes,
+>28     beshort 3
+>>51    belong  x       blocksize: %d bytes,
+>28     beshort >3
+>>12    belong  x       blocksize: %d bytes,
+>28     beshort <4
+>>39    bedate  x       created: %s
+>28     beshort >3
+>>8     bedate x        created: %s
+>28     beshort <3
+>>8     belong  x       {jump-to-offset:%d}
+>28     beshort 3
+>>63    bequad  x       {jump-to-offset:%lld}
+>28     beshort >3
+>>40    bequad  x       {jump-to-offset:%lld}
+
+# Squashfs for DD-WRT
+0       string  hsqt    Squashfs filesystem, little endian, DD-WRT signature,
+>28     leshort >10     invalid
+>28     leshort <1      invalid
+>30    leshort >10     invalid
+>28     leshort x       version %d.
+>30     leshort x       \b%d,
+>28     leshort >3      compression:
+>>20    leshort 1       \bgzip,
+>>20    leshort 2       \blzma,
+>>20    leshort 0       \binvalid,
+>>20    leshort >4      \binvalid,
+>28     leshort <3
+>>8     lelong  x       size: %d bytes,
+>>8     lelong  x       {file-size:%d}
+>28     leshort 3
+>>63    lequad x        size: %lld bytes,
+>>63    lequad x        {file-size:%lld}
+>28     leshort >3
+>>40    lequad  x       size: %lld bytes,
+>>40    lequad  x       {file-size:%lld}
+>4      lelong  x       %d inodes,
+>28     leshort >3
+>>12    lelong          blocksize: %d bytes,
+>28     leshort <2
+>>32    leshort x       blocksize: %d bytes,
+>28     leshort 2
+>>51    lelong  x       blocksize: %d bytes,
+>28     leshort 3
+>>51    lelong  x       blocksize: %d bytes,
+>28     leshort >3
+>>12    lelong  x       blocksize: %d bytes,
+>28     leshort <4
+>>39    ledate  x       created: %s
+>28     leshort >3
+>>8     ledate x        created: %s
+>28     leshort <3
+>>8     lelong  x       {jump-to-offset:%d}
+>28     leshort 3
+>>63    lequad x        {jump-to-offset:%lld}
+>28     leshort >3
+>>40    lequad  x       {jump-to-offset:%lld}
+
+# Non-standard Squashfs signature found on some D-Link routers
+0       string  shsq    Squashfs filesystem, little endian, non-standard signature, 
+>28     leshort >10     invalid
+>28     leshort <1      invalid
+>30    leshort >10     invalid
+>28     leshort x       version %d.
+>30     leshort x       \b%d,
+>28     leshort >3      compression:
+>>20    leshort 1       \bgzip,
+>>20    leshort 2       \blzma,
+>>20    leshort 0       \binvalid,
+>>20    leshort >4      \binvalid,
+>28     leshort <3
+>>8     lelong  x       size: %d bytes,
+>>8     lelong  x       {file-size:%d}
+>28     leshort 3
+>>63    lequad x        size: %lld bytes,
+>>63    lequad x        {file-size:%lld}
+>28     leshort >3
+>>40    lequad  x       size: %lld bytes,
+>>40    lequad  x       {file-size:%lld}
+>4      lelong  x       %d inodes,
+>28     leshort >3
+>>12    lelong          blocksize: %d bytes,
+>28     leshort <2
+>>32    leshort x       blocksize: %d bytes,
+>28     leshort 2
+>>51    lelong  x       blocksize: %d bytes,
+>28     leshort 3
+>>51    lelong  x       blocksize: %d bytes,
+>28     leshort >3
+>>12    lelong  x       blocksize: %d bytes,
+>28     leshort <4
+>>39    ledate  x       created: %s
+>28     leshort >3
+>>8     ledate x        created: %s
+>28     leshort <3
+>>8     lelong  x       {jump-to-offset:%d}
+>28     leshort 3
+>>63    lequad x        {jump-to-offset:%lld}
+>28     leshort >3
+>>40    lequad  x       {jump-to-offset:%lld}
+
+# ext2/ext3 filesystems - Andreas Dilger <adilger@dilger.ca>
+# ext4 filesystem - Eric Sandeen <sandeen@sandeen.net>
+# volume label and UUID Russell Coker
+# http://etbe.coker.com.au/2008/07/08/label-vs-uuid-vs-device/
+0   leshort         0xEF53             Linux EXT filesystem,{filter-include}{offset-adjust:-0x438}
+>2     leshort         >4              invalid state
+>2     leshort         3               invalid state
+>2     leshort         <0              invalid state
+>4     leshort         >3              invalid error behavior
+>4     leshort         <0              invalid error behavior
+>4     lelong          >1              invalid major revision
+>4  lelong             <0              invalid major revision
+>4  lelong          x               rev %d
+>6  leshort         x               \b.%d
+# No journal?  ext2
+>36  lelong          ^0x0000004      ext2 filesystem data
+>>2 leshort         ^0x0000001      (mounted or unclean)
+# Has a journal?  ext3 or ext4
+>36  lelong          &0x0000004
+#  and small INCOMPAT?
+>>40 lelong          <0x0000040
+#   and small RO_COMPAT?
+>>>44 lelong         <0x0000008      ext3 filesystem data
+#   else large RO_COMPAT?
+>>>44 lelong         >0x0000007      ext4 filesystem data
+#  else large INCOMPAT?
+>>40 lelong          >0x000003f      ext4 filesystem data
+>48  belong          x               \b, UUID=%08x
+>52  beshort         x               \b-%04x
+>54  beshort         x               \b-%04x
+>56  beshort         x               \b-%04x
+>58  belong          x               \b-%08x
+>60  beshort         x               \b%04x
+>64  string          >0              \b, volume name "%s"
+
+
+#romfs filesystems - Juan Cespedes <cespedes@debian.org>
+0       string -rom1fs-\0              romfs filesystem, version 1
+>8     belong  >10000000               invalid
+>8      belong  x                       size: %d bytes,
+>16    string  x                       {file-name:%s}
+>16     string  x                       named "%s"
+>8     belong  x                       {file-size:%d}
+>8     belong  x                       {jump-to-offset:%d}
+
+# Wind River MemFS file system, found in some VxWorks devices
+0      string  owowowowowowowowowowowowowowow          Wind River management filesystem,
+>30    string  !ow                                     invalid,
+>32    belong  1                                       compressed,
+>32    belong  2                                       plain text,
+>36    belong  x                                       %d files
+
+
+# netboot image - Juan Cespedes <cespedes@debian.org>
+0      lelong                  0x1b031336L     Netboot image,
+>4     lelong&0xFFFFFF00       0
+>>4    lelong&0x100            0x000           mode 2
+>>4    lelong&0x100            0x100           mode 3
+>4     lelong&0xFFFFFF00       !0              unknown mode (invalid)
+
+#--------------------------Firmware Formats---------------------------
+
+# uImage file     
+# From: Craig Heffner, U-Boot image.h header definitions file
+0      belong  0x27051956      uImage header, header size: 64 bytes,
+>4     belong  x               header CRC: 0x%X,
+>8     bedate  x               created: %s,
+>12    belong  x               image size: %d bytes,
+>16    belong  x               Data Address: 0x%X,
+>20    belong  x               Entry Point: 0x%X,
+>24    belong  x               data CRC: 0x%X,
+#>28   byte    x               OS type: %d,
+>28    byte    0               OS: invalid OS,
+>28    byte    1               OS: OpenBSD,
+>28    byte    2               OS: NetBSD,
+>28    byte    3               OS: FreeBSD,
+>28    byte    4               OS: 4.4BSD,
+>28    byte    5               OS: Linux,
+>28    byte    6               OS: SVR4,
+>28    byte    7               OS: Esix,
+>28    byte    8               OS: Solaris,
+>28    byte    9               OS: Irix,
+>28    byte    10              OS: SCO,
+>28    byte    11              OS: Dell,
+>28    byte    12              OS: NCR,
+>28    byte    13              OS: LynxOS,
+>28    byte    14              OS: VxWorks,
+>28    byte    15              OS: pSOS,
+>28    byte    16              OS: QNX,
+>28    byte    17              OS: Firmware,
+>28    byte    18              OS: RTEMS,
+>28    byte    19              OS: ARTOS,
+>28    byte    20              OS: Unity OS,
+#>29   byte    x               CPU arch: %d,
+>29    byte    0               CPU: invalid OS,
+>29    byte    1               CPU: Alpha,
+>29    byte    2               CPU: ARM,
+>29    byte    3               CPU: Intel x86,
+>29    byte    4               CPU: IA64,
+>29    byte    5               CPU: MIPS,
+>29    byte    6               CPU: MIPS 64 bit,
+>29    byte    7               CPU: PowerPC,
+>29    byte    8               CPU: IBM S390,
+>29    byte    9               CPU: SuperH,
+>29    byte    10              CPU: Sparc,
+>29    byte    11              CPU: Sparc 64 bit,
+>29    byte    12              CPU: M68K,
+>29    byte    13              CPU: Nios-32,
+>29    byte    14              CPU: MicroBlaze,
+>29    byte    15              CPU: Nios-II,
+>29    byte    16              CPU: Blackfin,
+>29    byte    17              CPU: AVR,
+>29    byte    18              CPU: STMicroelectronics ST200,
+#>30   byte    x               image type: %d,
+>30    byte    0               image type: invalid Image,
+>30    byte    1               image type: Standalone Program,
+>30    byte    2               image type: OS Kernel Image,
+>30    byte    3               image type: RAMDisk Image,
+>30    byte    4               image type: Multi-File Image,
+>30    byte    5               image type: Firmware Image,
+>30    byte    6               image type: Script file,
+>30    byte    7               image type: Filesystem Image,
+>30    byte    8               image type: Binary Flat Device Tree Blob
+#>31   byte    x               compression type: %d,
+>31    byte    0               compression type: none,
+>31    byte    1               compression type: gzip,
+>31    byte    2               compression type: bzip2,
+>31    byte    3               compression type: lzma,
+>32    string  x               image name: "%s"
+
+#IMG0 header, found in VxWorks-based Mercury router firmware
+0      string          IMG0            IMG0 (VxWorks) header,
+>4     belong          x               size: %d
+
+#Mediatek bootloader signature
+#From xp-dev.com
+0      string          BOOTLOADER!     Mediatek bootloader
+
+#CSYS header formats
+0      string          CSYS\x00        CSYS header, little endian, 
+>8     lelong          x               size: %d
+
+0      string          CSYS\x80        CSYS header, big endian,
+>8     belong          x               size: %d
+
+# wrgg firmware image
+0      string          wrgg02          WRGG firmware header,
+>6     string          x               name: "%s",
+>48    string          x               root device: "%s"
+
+# trx image file
+0      string          HDR0            TRX firmware header, little endian, header size: 28 bytes, 
+>4     lelong          x               image size: %d bytes,
+>8     lelong          x               CRC32: 0x%X
+>12    lelong          x               flags/version: 0x%X
+
+0      string          0RDH            TRX firmware header, big endian, header size: 28 bytes,
+>4     belong          x               image size: %d bytes,
+>8     belong          x               CRC32: 0x%X
+>12    belong          x               flags/version: 0x%X
+
+
+# Ubicom firmware image
+0      belong  0xFA320080              Ubicom firmware header,
+>12    belong  x                       checksum: 0x%X,
+>24    belong  x                       image size: %d
+
+# The ROME bootloader is used by several RealTek-based products.
+# Unfortunately, the magic bytes are specific to each product, so
+# separate signatures must be created for each one.
+
+# Netgear KWGR614 ROME image
+0      string          G614            Realtek firmware header (ROME bootloader),
+>4     beshort         0xd92f          image type: KFS,
+>4     beshort         0xb162          image type: RDIR,
+>4     beshort         0xea43          image type: BOOT,
+>4     beshort         0x8dc9          image type: RUN,
+>4     beshort         0x2a05          image type: CCFG,
+>4     beshort         0x6ce8          image type: DCFG,
+>4     beshort         0xc371          image type: LOG,
+>6     byte            x               header version: %d,
+#month
+>10    byte            x               created: %d/
+#day   
+>12    byte            x               \b%d/
+#year
+>8     beshort         x               \b%d,
+>16    belong          x               image size: %d bytes,
+>22    byte            x               body checksum: 0x%X,
+>23    byte            x               header checksum: 0x%X
+
+# Linksys WRT54GX ROME image
+0      belong          0x59a0e842      Realtek firmware header (ROME bootloader)
+>4      beshort         0xd92f          image type: KFS,
+>4      beshort         0xb162          image type: RDIR,
+>4      beshort         0xea43          image type: BOOT,
+>4      beshort         0x8dc9          image type: RUN,
+>4      beshort         0x2a05          image type: CCFG,
+>4      beshort         0x6ce8          image type: DCFG,
+>4      beshort         0xc371          image type: LOG,
+>6      byte            x               header version: %d,
+#month
+>10     byte            x               created: %d/
+#day    
+>12     byte            x               \b%d/
+#year
+>8      beshort         x               \b%d,
+>16     belong          x               image size: %d bytes,
+>22     byte            x               body checksum: 0x%X,
+>23     byte            x               header checksum: 0x%X
+
+# PackImg tag, somtimes used as a delimiter between the kernel and rootfs in firmware images.
+0      string          --PaCkImGs--    PackImg section delimiter tag,
+>16    lelong          x               little endian size: %d bytes;
+>16    belong          x               big endian size: %d bytes
+
+
+#------------------------------------------------------------------------------
+# Broadcom header format
+#
+0       string          BCRM            Broadcom header,
+>4      lelong          x               number of sections: %d,
+>>8     lelong          18              first section type: flash
+>>8     lelong          19              first section type: disk
+>>8     lelong          21              first section type: tag
+
+
+# Berkeley Lab Checkpoint Restart (BLCR) checkpoint context files
+# http://ftg.lbl.gov/checkpoint
+0       string  Ck0\0\0R\0\0\0  BLCR
+>16     lelong  1       x86
+>16     lelong  3       alpha
+>16     lelong  5       x86-64
+>16     lelong  7       ARM
+>8      lelong  x       context data (little endian, version %d)
+
+0       string  \0\0\0C\0\0\0R  BLCR
+>16     belong  2       SPARC
+>16     belong  4       ppc
+>16     belong  6       ppc64
+>16     belong  7       ARMEB
+>16     belong  8       SPARC64
+>8      belong  x       context data (big endian, version %d)
+
+# Aculab VoIP firmware
+# From: Mark Brown <broonie@sirena.org.uk>
+0       string  VoIP\x20Startup\x20and      Aculab VoIP firmware
+>35     string  x       format "%s"
+
+#------------------------------------------------------------------------------
+# HP LaserJet 1000 series downloadable firmware file
+0       string  \xbe\xefABCDEFGH        HP LaserJet 1000 series downloadable firmware
+
+# From Albert Cahalan <acahalan@gmail.com>
+# really le32 operation,destination,payloadsize (but quite predictable)
+# 01 00 00 00 00 00 00 c0 00 02 00 00
+0       string          \1\0\0\0\0\0\0\300\0\2\0\0      Marvell Libertas firmware
+
+#---------------------------------------------------------------------------
+# The following entries have been tested by Duncan Laurie <duncan@sun.com> (a
+# lead Sun/Cobalt developer) who agrees that they are good and worthy of
+# inclusion.
+
+# Boot ROM images for Sun/Cobalt Linux server appliances
+0       string  Cobalt\x20Networks\x20Inc.\nFirmware\x20v     Paged COBALT boot rom
+>38     string x        V%.4s
+
+# New format for Sun/Cobalt boot ROMs is annoying, it stores the version code
+# at the very end where file(1) can't get it.
+0       string CRfs     COBALT boot rom data (Flat boot rom or file system)
+
+#
+# Motorola S-Records, from Gerd Truschinski <gt@freebsd.first.gmd.de>
+0   string      S0          Motorola S-Record; binary data in text format
+
+# --------------------------------
+# Microsoft Xbox data file formats
+0       string          XIP0            XIP, Microsoft Xbox data
+0       string          XTF0            XTF, Microsoft Xbox data
+
+#Windows CE
+0      string          CECE            Windows CE RTOS{offset-adjust:-64}
+
+# --------------------------------
+# ZynOS ROM header format
+# From openwrt zynos.h.
+0      string          SIG             ZynOS header, header size: 48 bytes,{offset-adjust:-6}
+#>0    belong          x               load address 0x%X,
+>3     byte            <0x7F           rom image type:
+>>3    byte            <1              invalid,
+>>3    byte            >7              invalid,
+>>3    byte            1               ROMIMG,
+>>3    byte            2               ROMBOOT,
+>>3    byte            3               BOOTEXT,
+>>3    byte            4               ROMBIN,
+>>3    byte            5               ROMDIR,
+>>3    byte            6               6,
+>>3    byte            7               ROMMAP,
+>3     byte            >0x7F           ram image type:
+>>3    byte            >0x82           invalid,
+>>3    byte            0x80            RAM,
+>>3    byte            0x81            RAMCODE,
+>>3    byte            0x82            RAMBOOT,
+>4     belong          >0x40000000     invalid
+>4     belong          <0              invalid
+>4     belong          0               invalid
+>4     belong          x               uncompressed size: %d,
+>8     belong          >0x40000000     invalid
+>8     belong          <0              invalid
+>8     belong          0               invalid
+>8     belong          x               compressed size: %d,
+>14    beshort         x               uncompressed checksum: 0x%X,
+>16    beshort         x               compressed checksum: 0x%X,
+>12    byte            x               flags: 0x%X,
+>12    byte            &0x40           uncompressed checksum is valid,
+>12    byte            &0x80           the binary is compressed,
+>>12   byte            &0x20           compressed checksum is valid,
+>35    belong          x               memory map table address: 0x%X
+
+# Firmware header used by some VxWorks-based Cisco products
+0      string          CI032.00        Cisco VxWorks firmware header,
+>8     lelong          >1024           invalid
+>8     lelong          <0              invalid
+>8     lelong          x               header size: %d bytes,
+>32    lelong          >1024           invalid
+>32    lelong          <0              invalid
+>32    lelong          x               number of files: %d,
+>48    lelong          <0              invalid
+>48    lelong          x               image size: %d,
+>64    string          x               firmware version: "%s"
+
+# Firmware header used by some TV's
+0      string          FNIB            ZBOOT firmware header, header size: 32 bytes,
+>8     lelong          x               load address: 0x%.8X,
+>12    lelong          x               start address: 0x%.8X,
+>16    lelong          x               checksum: 0x%.8X,
+>20    lelong          x               version: 0x%.8X,
+>24    lelong          <1              invalid
+>24    lelong          x               image size: %d bytes
+
+# Firmware header used by several D-Link routers (and probably others)
+0               string  \x5e\xa3\xa4\x17       DLOB firmware header,
+>(7.b+12)       string  !\x5e\xa3\xa4\x17       invalid,
+#>>12           string  x                       %s,
+>(7.b+40)       string  x                       boot partition: "%s"
+
+# TP-Link firmware header structure; thanks to Jonathan McGowan for reversing and documenting this format
+0      string          TP-LINK\x20Technologies         TP-Link firmware header,{offset-adjust:-4}
+#>-4   lelong          x                               header version: %d,
+>0x94          beshort         x                               firmware version: %d.
+>0x96          beshort         x                               \b%d.
+>0x98          beshort         x                               \b%d,
+>0x18          string          x                               image version: "%s",
+#>0x74  belong          x                              image size: %d bytes,
+>0x3C          belong          x                               product ID: 0x%X,
+>0x40          belong          x                               product version: %d,
+>0x70          belong          x                               kernel load address: 0x%X,
+>0x74          belong          x                               kernel entry point: 0x%X,
+>0x7C          belong          x                               kernel offset: %d,
+>0x80          belong          x                               kernel length: %d,
+>0x84          belong          x                               rootfs offset: %d,
+>0x88          belong          x                               rootfs length: %d,
+>0x8C          belong          x                               bootloader offset: %d,
+>0x90          belong          x                               bootloader length: %d
+
+# Tag Image File Format, from Daniel Quinlan (quinlan@yggdrasil.com)
+# The second word of TIFF files is the TIFF version number, 42, which has
+# never changed.  The TIFF specification recommends testing for it.
+0       string          MM\x00\x2a      TIFF image data, big-endian
+0       string          II\x2a\x00      TIFF image data, little-endian
+
+# PNG [Portable Network Graphics, or "PNG's Not GIF"] images
+# (Greg Roelofs, newt@uchicago.edu)
+# (Albert Cahalan, acahalan@cs.uml.edu)
+#
+# 137 P N G \r \n ^Z \n [4-byte length] H E A D [HEAD data] [HEAD crc] ...
+#
+0       string          \x89PNG\x0d\x0a\x1a\x0a         PNG image
+>16     belong          x               \b, %ld x
+>20     belong          x               %ld,
+>24     byte            x               %d-bit
+>25     byte            0               grayscale,
+>25     byte            2               \b/color RGB,
+>25     byte            3               colormap,
+>25     byte            4               gray+alpha,
+>25     byte            6               \b/color RGBA,
+#>26    byte            0               deflate/32K,
+>28     byte            0               non-interlaced
+>28     byte            1               interlaced
+
+# GIF
+0       string          GIF8            GIF image data
+>4      string          7a              \b, version 8"%s",
+>4      string          9a              \b, version 8"%s",
+>6      leshort         >0              %hd x
+>8      leshort         >0              %hd
+#>10    byte            &0x80           color mapped,
+#>10    byte&0x07       =0x00           2 colors
+#>10    byte&0x07       =0x01           4 colors
+#>10    byte&0x07       =0x02           8 colors
+#>10    byte&0x07       =0x03           16 colors
+#>10    byte&0x07       =0x04           32 colors
+#>10    byte&0x07       =0x05           64 colors
+#>10    byte&0x07       =0x06           128 colors
+#>10    byte&0x07       =0x07           256 colors
+
+# PC bitmaps (OS/2, Windows BMP files)  (Greg Roelofs, newt@uchicago.edu)
+0       string          BM
+>14     leshort         12              PC bitmap, OS/2 1.x format
+>>18    leshort         x               \b, %d x
+>>20    leshort         x               %d
+>14     leshort         64              PC bitmap, OS/2 2.x format
+>>18    leshort         x               \b, %d x
+>>20    leshort         x               %d
+>14     leshort         40              PC bitmap, Windows 3.x format
+>>18    lelong          x               \b, %d x
+>>22    lelong          x               %d x
+>>28    leshort         x               %d
+>14     leshort         128             PC bitmap, Windows NT/2000 format
+>>18    lelong          x               \b, %d x
+>>22    lelong          x               %d x
+>>28    leshort         x               %d
+
+#------------------------------------------------------------------------------
+# JPEG images
+# SunOS 5.5.1 had
+#
+#       0       string          \377\330\377\340        JPEG file
+#       0       string          \377\330\377\356        JPG file
+#
+# both of which turn into "JPEG image data" here.
+#
+0       beshort         0xffd8          JPEG image data
+>6      string          JFIF            \b, JFIF standard
+# The following added by Erik Rossen <rossen@freesurf.ch> 1999-09-06
+# in a vain attempt to add image size reporting for JFIF.  Note that these
+# tests are not fool-proof since some perfectly valid JPEGs are currently
+# impossible to specify in magic(4) format.
+# First, a little JFIF version info:
+>>11    byte            x               \b %d.
+>>12    byte            x               \b%02d
+# Next, the resolution or aspect ratio of the image:
+#>>13   byte            0               \b, aspect ratio
+#>>13   byte            1               \b, resolution (DPI)
+#>>13   byte            2               \b, resolution (DPCM)
+#>>4    beshort         x               \b, segment length %d
+# Next, show thumbnail info, if it exists:
+>>18    byte            !0              \b, thumbnail %dx
+>>>19   byte            x               \b%d
+
+# EXIF moved down here to avoid reporting a bogus version number,
+# and EXIF version number printing added.
+#   - Patrik R=E5dman <patrik+file-magic@iki.fi>
+>6      string          Exif            \b, EXIF standard
+# Look for EXIF IFD offset in IFD 0, and then look for EXIF version tag in EXIF IFD.
+# All possible combinations of entries have to be enumerated, since no looping
+# is possible. And both endians are possible...
+# The combinations included below are from real-world JPEGs.
+# Little-endian
+>>12    string          II
+# IFD 0 Entry #5:
+>>>70   leshort         0x8769
+# EXIF IFD Entry #1:
+>>>>(78.l+14)   leshort 0x9000
+>>>>>(78.l+23)  byte    x               %c
+>>>>>(78.l+24)  byte    x               \b.%c
+>>>>>(78.l+25)  byte    !0x30           \b%c
+# IFD 0 Entry #9:
+>>>118  leshort         0x8769
+# EXIF IFD Entry #3:
+>>>>(126.l+38)  leshort 0x9000
+>>>>>(126.l+47) byte    x               %c
+>>>>>(126.l+48) byte    x               \b.%c
+>>>>>(126.l+49) byte    !0x30           \b%c
+# IFD 0 Entry #10
+>>>130  leshort         0x8769
+# EXIF IFD Entry #3:
+>>>>(138.l+38)  leshort 0x9000
+>>>>>(138.l+47) byte    x               %c
+>>>>>(138.l+48) byte    x               \b.%c
+>>>>>(138.l+49) byte    !0x30           \b%c
+# EXIF IFD Entry #4:
+>>>>(138.l+50)  leshort 0x9000
+>>>>>(138.l+59) byte    x               %c
+>>>>>(138.l+60) byte    x               \b.%c
+>>>>>(138.l+61) byte    !0x30           \b%c
+# EXIF IFD Entry #5:
+>>>>(138.l+62)  leshort 0x9000
+>>>>>(138.l+71) byte    x               %c
+>>>>>(138.l+72) byte    x               \b.%c
+>>>>>(138.l+73) byte    !0x30           \b%c
+# IFD 0 Entry #11
+>>>142  leshort         0x8769
+# EXIF IFD Entry #3:
+>>>>(150.l+38)  leshort 0x9000
+>>>>>(150.l+47) byte    x               %c
+>>>>>(150.l+48) byte    x               \b.%c
+>>>>>(150.l+49) byte    !0x30           \b%c
+# EXIF IFD Entry #4:
+>>>>(150.l+50)  leshort 0x9000
+>>>>>(150.l+59) byte    x               %c
+>>>>>(150.l+60) byte    x               \b.%c
+>>>>>(150.l+61) byte    !0x30           \b%c
+# EXIF IFD Entry #5:
+>>>>(150.l+62)  leshort 0x9000
+>>>>>(150.l+71) byte    x               %c
+>>>>>(150.l+72) byte    x               \b.%c
+>>>>>(150.l+73) byte    !0x30           \b%c
+# Big-endian
+>>12    string          MM
+# IFD 0 Entry #9:
+>>>118  beshort         0x8769
+# EXIF IFD Entry #1:
+>>>>(126.L+14)  beshort 0x9000
+>>>>>(126.L+23) byte    x               %c
+>>>>>(126.L+24) byte    x               \b.%c
+>>>>>(126.L+25) byte    !0x30           \b%c
+# EXIF IFD Entry #3:
+>>>>(126.L+38)  beshort 0x9000
+>>>>>(126.L+47) byte    x               %c
+>>>>>(126.L+48) byte    x               \b.%c
+>>>>>(126.L+49) byte    !0x30           \b%c
+# IFD 0 Entry #10
+>>>130  beshort         0x8769
+# EXIF IFD Entry #3:
+>>>>(138.L+38)  beshort 0x9000
+>>>>>(138.L+47) byte    x               %c
+>>>>>(138.L+48) byte    x               \b.%c
+>>>>>(138.L+49) byte    !0x30           \b%c
+# EXIF IFD Entry #5:
+>>>>(138.L+62)  beshort 0x9000
+>>>>>(138.L+71) byte    x               %c
+>>>>>(138.L+72) byte    x               \b.%c
+>>>>>(138.L+73) byte    !0x30           \b%c
+# IFD 0 Entry #11
+>>>142  beshort         0x8769
+# EXIF IFD Entry #4:
+>>>>(150.L+50)  beshort 0x9000
+>>>>>(150.L+59) byte    x               %c
+>>>>>(150.L+60) byte    x               \b.%c
+>>>>>(150.L+61) byte    !0x30           \b%c
+# Here things get sticky.  We can do ONE MORE marker segment with
+# indirect addressing, and that's all.  It would be great if we could
+# do pointer arithemetic like in an assembler language.  Christos?
+# And if there was some sort of looping construct to do searches, plus a few
+# named accumulators, it would be even more effective...
+# At least we can show a comment if no other segments got inserted before:
+>(4.S+5)        byte            0xFE
+>>(4.S+8)       string          >\0             \b, comment: "%s"
+# FIXME: When we can do non-byte counted strings, we can use that to get
+# the string's count, and fix Debian bug #283760
+#>(4.S+5)       byte            0xFE            \b, comment
+#>>(4.S+6)      beshort         x               \b length=%d
+#>>(4.S+8)      string          >\0             \b, "%s"
+# Or, we can show the encoding type (I've included only the three most common)
+# and image dimensions if we are lucky and the SOFn (image segment) is here:
+>(4.S+5)        byte            0xC0            \b, baseline
+>>(4.S+6)       byte            x               \b, precision %d
+>>(4.S+7)       beshort         x               \b, %dx
+>>(4.S+9)       beshort         x               \b%d
+>(4.S+5)        byte            0xC1            \b, extended sequential
+>>(4.S+6)       byte            x               \b, precision %d
+>>(4.S+7)       beshort         x               \b, %dx
+>>(4.S+9)       beshort         x               \b%d
+>(4.S+5)        byte            0xC2            \b, progressive
+>>(4.S+6)       byte            x               \b, precision %d
+>>(4.S+7)       beshort         x               \b, %dx
+>>(4.S+9)       beshort         x               \b%d
+# I've commented-out quantisation table reporting.  I doubt anyone cares yet.
+#>(4.S+5)       byte            0xDB            \b, quantisation table
+#>>(4.S+6)      beshort         x               \b length=%d
+#>14    beshort         x               \b, %d x
+#>16    beshort         x               \b %d
+
+
+#-------------------------Kernels-------------------------------------
+
+# Linux kernel boot images, from Albert Cahalan <acahalan@cs.uml.edu>
+# and others such as Axel Kohlmeyer <akohlmey@rincewind.chemie.uni-ulm.de>
+# and Nicolás Lichtmaier <nick@debian.org>
+# All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29
+0      string          \xb8\xc0\x07\x8e\xd8\xb8\x00\x90\x8e\xc0\xb9\x00\x01\x29\xf6\x29        Linux kernel boot image
+>514   string          !HdrS                                                                   (invalid)
+
+# Finds and prints Linux kernel strings in raw Linux kernels (output like uname -a).
+# Commonly found in decompressed embedded kernel binaries.
+0      string          Linux\ version\         Linux kernel version
+>14    byte            0                       invalid
+>14    byte            !0
+>>14   string          x                       "%s
+>>45   string          x                       \b%s
+>>76   string          x                       \b%s
+>>107  string          x                       \b%s"
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x5D
+# ------------------------------------------------------------------
+0              string  \x5D\x00\x00    LZMA compressed data, properties: 0x5D,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x01
+# ------------------------------------------------------------------
+0              string  \x01\x00\x00    LZMA compressed data, properties: 0x01,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x02
+# ------------------------------------------------------------------
+0              string  \x02\x00\x00    LZMA compressed data, properties: 0x02,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x03
+# ------------------------------------------------------------------
+0              string  \x03\x00\x00    LZMA compressed data, properties: 0x03,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x04
+# ------------------------------------------------------------------
+0              string  \x04\x00\x00    LZMA compressed data, properties: 0x04,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x09
+# ------------------------------------------------------------------
+0              string  \x09\x00\x00    LZMA compressed data, properties: 0x09,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x0A
+# ------------------------------------------------------------------
+0              string  \x0A\x00\x00    LZMA compressed data, properties: 0x0A,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x0B
+# ------------------------------------------------------------------
+0              string  \x0B\x00\x00    LZMA compressed data, properties: 0x0B,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x0C
+# ------------------------------------------------------------------
+0              string  \x0C\x00\x00    LZMA compressed data, properties: 0x0C,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x12
+# ------------------------------------------------------------------
+0              string  \x12\x00\x00    LZMA compressed data, properties: 0x12,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x13
+# ------------------------------------------------------------------
+0              string  \x13\x00\x00    LZMA compressed data, properties: 0x13,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x14
+# ------------------------------------------------------------------
+0              string  \x14\x00\x00    LZMA compressed data, properties: 0x14,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x1B
+# ------------------------------------------------------------------
+0              string  \x1B\x00\x00    LZMA compressed data, properties: 0x1B,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x1C
+# ------------------------------------------------------------------
+0              string  \x1C\x00\x00    LZMA compressed data, properties: 0x1C,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x24
+# ------------------------------------------------------------------
+0              string  \x24\x00\x00    LZMA compressed data, properties: 0x24,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x2D
+# ------------------------------------------------------------------
+0              string  \x2D\x00\x00    LZMA compressed data, properties: 0x2D,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x2E
+# ------------------------------------------------------------------
+0              string  \x2E\x00\x00    LZMA compressed data, properties: 0x2E,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x2F
+# ------------------------------------------------------------------
+0              string  \x2F\x00\x00    LZMA compressed data, properties: 0x2F,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x30
+# ------------------------------------------------------------------
+0              string  \x30\x00\x00    LZMA compressed data, properties: 0x30,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x31
+# ------------------------------------------------------------------
+0              string  \x31\x00\x00    LZMA compressed data, properties: 0x31,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x36
+# ------------------------------------------------------------------
+0              string  \x36\x00\x00    LZMA compressed data, properties: 0x36,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x37
+# ------------------------------------------------------------------
+0              string  \x37\x00\x00    LZMA compressed data, properties: 0x37,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x38
+# ------------------------------------------------------------------
+0              string  \x38\x00\x00    LZMA compressed data, properties: 0x38,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x39
+# ------------------------------------------------------------------
+0              string  \x39\x00\x00    LZMA compressed data, properties: 0x39,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x3F
+# ------------------------------------------------------------------
+0              string  \x3F\x00\x00    LZMA compressed data, properties: 0x3F,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x40
+# ------------------------------------------------------------------
+0              string  \x40\x00\x00    LZMA compressed data, properties: 0x40,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x41
+# ------------------------------------------------------------------
+0              string  \x41\x00\x00    LZMA compressed data, properties: 0x41,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x48
+# ------------------------------------------------------------------
+0              string  \x48\x00\x00    LZMA compressed data, properties: 0x48,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x49
+# ------------------------------------------------------------------
+0              string  \x49\x00\x00    LZMA compressed data, properties: 0x49,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x51
+# ------------------------------------------------------------------
+0              string  \x51\x00\x00    LZMA compressed data, properties: 0x51,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x5A
+# ------------------------------------------------------------------
+0              string  \x5A\x00\x00    LZMA compressed data, properties: 0x5A,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x5B
+# ------------------------------------------------------------------
+0              string  \x5B\x00\x00    LZMA compressed data, properties: 0x5B,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x5C
+# ------------------------------------------------------------------
+0              string  \x5C\x00\x00    LZMA compressed data, properties: 0x5C,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x5E
+# ------------------------------------------------------------------
+0              string  \x5E\x00\x00    LZMA compressed data, properties: 0x5E,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x63
+# ------------------------------------------------------------------
+0              string  \x63\x00\x00    LZMA compressed data, properties: 0x63,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x64
+# ------------------------------------------------------------------
+0              string  \x64\x00\x00    LZMA compressed data, properties: 0x64,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x65
+# ------------------------------------------------------------------
+0              string  \x65\x00\x00    LZMA compressed data, properties: 0x65,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x66
+# ------------------------------------------------------------------
+0              string  \x66\x00\x00    LZMA compressed data, properties: 0x66,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x6C
+# ------------------------------------------------------------------
+0              string  \x6C\x00\x00    LZMA compressed data, properties: 0x6C,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x6D
+# ------------------------------------------------------------------
+0              string  \x6D\x00\x00    LZMA compressed data, properties: 0x6D,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x6E
+# ------------------------------------------------------------------
+0              string  \x6E\x00\x00    LZMA compressed data, properties: 0x6E,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x75
+# ------------------------------------------------------------------
+0              string  \x75\x00\x00    LZMA compressed data, properties: 0x75,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x76
+# ------------------------------------------------------------------
+0              string  \x76\x00\x00    LZMA compressed data, properties: 0x76,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x7E
+# ------------------------------------------------------------------
+0              string  \x7E\x00\x00    LZMA compressed data, properties: 0x7E,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x87
+# ------------------------------------------------------------------
+0              string  \x87\x00\x00    LZMA compressed data, properties: 0x87,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x88
+# ------------------------------------------------------------------
+0              string  \x88\x00\x00    LZMA compressed data, properties: 0x88,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x89
+# ------------------------------------------------------------------
+0              string  \x89\x00\x00    LZMA compressed data, properties: 0x89,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x8A
+# ------------------------------------------------------------------
+0              string  \x8A\x00\x00    LZMA compressed data, properties: 0x8A,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x8B
+# ------------------------------------------------------------------
+0              string  \x8B\x00\x00    LZMA compressed data, properties: 0x8B,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x90
+# ------------------------------------------------------------------
+0              string  \x90\x00\x00    LZMA compressed data, properties: 0x90,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5             lequad  x               uncompressed size: %lld bytes
+
+
+# ------------------------------------------------------------------
+# Signature for LZMA compressed data with valid properties byte 0x91
+# ------------------------------------------------------------------
+0              string  \x91\x00\x00    LZMA compressed data, properties: 0x91,
+
+# These are all the valid dictionary sizes supported by LZMA utils.
+>1             lelong  !65536  
+>>1            lelong  !131072 
+>>>1           lelong  !262144 
+>>>>1          lelong  !524288 
+>>>>>1         lelong  !1048576        
+>>>>>>1                lelong  !2097152        
+>>>>>>>1       lelong  !4194304        
+>>>>>>>>1      lelong  !8388608        
+>>>>>>>>>1     lelong  !16777216       
+>>>>>>>>>>1    lelong  !33554432       invalid
+>1             lelong  x               dictionary size: %d bytes,
+
+# Assume that a valid size will be less than 1GB. This could technically be valid, but is unlikely.
+>5             lequad  <1              invalid
+>5             lequad  >0x40000000     invalid
+
+# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
+# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
+# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
+>1             lelong  65536
+>>5            lequad  65536           invalid
+>1             lelong  131072
+>>5            lequad  131072          invalid
+>1             lelong  262144
+>>5            lequad  262144          invalid
+>1             lelong  524288
+>>5            lequad  524288          invalid
+>1             lelong  1048576
+>>5            lequad  1048576         invalid
+>1             lelong  2097152
+>>5            lequad  2097152         invalid
+>1             lelong  4194304
+>>5            lequad  4194304         invalid
+>1             lelong  8388608
+>>5            lequad  8388608         invalid
+>1             lelong  16777216
+>>5            lequad  16777216        invalid
+>1             lelong  33554432
+>>5            lequad  33554432        invalid
+>5            &nb