xref: /freebsd/contrib/file/magic/Magdir/archive (revision ab00ac327a66a53edaac95b536b209db3ae2cd9f)
1#------------------------------------------------------------------------------
2# $File: archive,v 1.103 2016/05/05 17:07:40 christos Exp $
3# archive:  file(1) magic for archive formats (see also "msdos" for self-
4#           extracting compressed archives)
5#
6# cpio, ar, arc, arj, hpack, lha/lharc, rar, squish, uc2, zip, zoo, etc.
7# pre-POSIX "tar" archives are handled in the C code.
8
9# POSIX tar archives
10257	string		ustar\0		POSIX tar archive
11!:mime	application/x-tar # encoding: posix
12257	string		ustar\040\040\0	GNU tar archive
13!:mime	application/x-tar # encoding: gnu
14
15# Incremental snapshot gnu-tar format from:
16# http://www.gnu.org/software/tar/manual/html_node/Snapshot-Files.html
170	string		GNU\ tar-	GNU tar incremental snapshot data
18>&0	regex		[0-9]\.[0-9]+-[0-9]+	version %s
19
20# cpio archives
21#
22# Yes, the top two "cpio archive" formats *are* supposed to just be "short".
23# The idea is to indicate archives produced on machines with the same
24# byte order as the machine running "file" with "cpio archive", and
25# to indicate archives produced on machines with the opposite byte order
26# from the machine running "file" with "byte-swapped cpio archive".
27#
28# The SVR4 "cpio(4)" hints that there are additional formats, but they
29# are defined as "short"s; I think all the new formats are
30# character-header formats and thus are strings, not numbers.
310	short		070707		cpio archive
32!:mime	application/x-cpio
330	short		0143561		byte-swapped cpio archive
34!:mime	application/x-cpio # encoding: swapped
350	string		070707		ASCII cpio archive (pre-SVR4 or odc)
360	string		070701		ASCII cpio archive (SVR4 with no CRC)
370	string		070702		ASCII cpio archive (SVR4 with CRC)
38
39#
40# Various archive formats used by various versions of the "ar"
41# command.
42#
43
44#
45# Original UNIX archive formats.
46# They were written with binary values in host byte order, and
47# the magic number was a host "int", which might have been 16 bits
48# or 32 bits.  We don't say "PDP-11" or "VAX", as there might have
49# been ports to little-endian 16-bit-int or 32-bit-int platforms
50# (x86?) using some of those formats; if none existed, feel free
51# to use "PDP-11" for little-endian 16-bit and "VAX" for little-endian
52# 32-bit.  There might have been big-endian ports of that sort as
53# well.
54#
550	leshort		0177555		very old 16-bit-int little-endian archive
560	beshort		0177555		very old 16-bit-int big-endian archive
570	lelong		0177555		very old 32-bit-int little-endian archive
580	belong		0177555		very old 32-bit-int big-endian archive
59
600	leshort		0177545		old 16-bit-int little-endian archive
61>2	string		__.SYMDEF	random library
620	beshort		0177545		old 16-bit-int big-endian archive
63>2	string		__.SYMDEF	random library
640	lelong		0177545		old 32-bit-int little-endian archive
65>4	string		__.SYMDEF	random library
660	belong		0177545		old 32-bit-int big-endian archive
67>4	string		__.SYMDEF	random library
68
69#
70# From "pdp" (but why a 4-byte quantity?)
71#
720	lelong		0x39bed		PDP-11 old archive
730	lelong		0x39bee		PDP-11 4.0 archive
74
75#
76# XXX - what flavor of APL used this, and was it a variant of
77# some ar archive format?  It's similar to, but not the same
78# as, the APL workspace magic numbers in pdp.
79#
800	long		0100554		apl workspace
81
82#
83# System V Release 1 portable(?) archive format.
84#
850	string		=<ar>		System V Release 1 ar archive
86!:mime	application/x-archive
87
88#
89# Debian package; it's in the portable archive format, and needs to go
90# before the entry for regular portable archives, as it's recognized as
91# a portable archive whose first member has a name beginning with
92# "debian".
93#
940	string		=!<arch>\ndebian
95>8	string		debian-split	part of multipart Debian package
96!:mime	application/vnd.debian.binary-package
97>8	string		debian-binary	Debian binary package
98!:mime	application/vnd.debian.binary-package
99>8	string		!debian
100>68	string		>\0		(format %s)
101# These next two lines do not work, because a bzip2 Debian archive
102# still uses gzip for the control.tar (first in the archive).  Only
103# data.tar varies, and the location of its filename varies too.
104# file/libmagic does not current have support for ascii-string based
105# (offsets) as of 2005-09-15.
106#>81	string		bz2		\b, uses bzip2 compression
107#>84	string		gz		\b, uses gzip compression
108#>136	ledate		x		created: %s
109
110#
111# MIPS archive; they're in the portable archive format, and need to go
112# before the entry for regular portable archives, as it's recognized as
113# a portable archive whose first member has a name beginning with
114# "__________E".
115#
1160	string	=!<arch>\n__________E	MIPS archive
117!:mime	application/x-archive
118>20	string	U			with MIPS Ucode members
119>21	string	L			with MIPSEL members
120>21	string	B			with MIPSEB members
121>19	string	L			and an EL hash table
122>19	string	B			and an EB hash table
123>22	string	X			-- out of date
124
1250	search/1	-h-		Software Tools format archive text
126
127#
128# BSD/SVR2-and-later portable archive formats.
129#
1300	string		=!<arch>		current ar archive
131!:mime	application/x-archive
132>8	string		__.SYMDEF	random library
133>68	string		__.SYMDEF\ SORTED	random library
134
135#
136# "Thin" archive, as can be produced by GNU ar.
137#
1380	string		=!<thin>\n	thin archive with
139>68	belong		0		no symbol entries
140>68	belong		1		%d symbol entry
141>68	belong		>1		%d symbol entries
142
143# ARC archiver, from Daniel Quinlan (quinlan@yggdrasil.com)
144#
145# The first byte is the magic (0x1a), byte 2 is the compression type for
146# the first file (0x01 through 0x09), and bytes 3 to 15 are the MS-DOS
147# filename of the first file (null terminated).  Since some types collide
148# we only test some types on basis of frequency: 0x08 (83%), 0x09 (5%),
149# 0x02 (5%), 0x03 (3%), 0x04 (2%), 0x06 (2%).  0x01 collides with terminfo.
1500	lelong&0x8080ffff	0x0000081a	ARC archive data, dynamic LZW
151!:mime	application/x-arc
1520	lelong&0x8080ffff	0x0000091a	ARC archive data, squashed
153!:mime	application/x-arc
1540	lelong&0x8080ffff	0x0000021a	ARC archive data, uncompressed
155!:mime	application/x-arc
1560	lelong&0x8080ffff	0x0000031a	ARC archive data, packed
157!:mime	application/x-arc
1580	lelong&0x8080ffff	0x0000041a	ARC archive data, squeezed
159!:mime	application/x-arc
1600	lelong&0x8080ffff	0x0000061a	ARC archive data, crunched
161!:mime	application/x-arc
162# [JW] stuff taken from idarc, obviously ARC successors:
1630	lelong&0x8080ffff	0x00000a1a	PAK archive data
164!:mime	application/x-arc
1650	lelong&0x8080ffff	0x0000141a	ARC+ archive data
166!:mime	application/x-arc
1670	lelong&0x8080ffff	0x0000481a	HYP archive data
168!:mime	application/x-arc
169
170# Acorn archive formats (Disaster prone simpleton, m91dps@ecs.ox.ac.uk)
171# I can't create either SPARK or ArcFS archives so I have not tested this stuff
172# [GRR:  the original entries collide with ARC, above; replaced with combined
173#  version (not tested)]
174#0	byte		0x1a		RISC OS archive (spark format)
1750	string		\032archive	RISC OS archive (ArcFS format)
1760       string          Archive\000     RISC OS archive (ArcFS format)
177
178# All these were taken from idarc, many could not be verified. Unfortunately,
179# there were many low-quality sigs, i.e. easy to trigger false positives.
180# Please notify me of any real-world fishy/ambiguous signatures and I'll try
181# to get my hands on the actual archiver and see if I find something better. [JW]
182# probably many can be enhanced by finding some 0-byte or control char near the start
183
184# idarc calls this Crush/Uncompressed... *shrug*
1850	string	CRUSH Crush archive data
186# Squeeze It (.sqz)
1870	string	HLSQZ Squeeze It archive data
188# SQWEZ
1890	string	SQWEZ SQWEZ archive data
190# HPack (.hpk)
1910	string	HPAK HPack archive data
192# HAP
1930	string	\x91\x33HF HAP archive data
194# MD/MDCD
1950	string	MDmd MDCD archive data
196# LIM
1970	string	LIM\x1a LIM archive data
198# SAR
1993	string	LH5 SAR archive data
200# BSArc/BS2
2010	string	\212\3SB\020\0	BSArc/BS2 archive data
202# Bethesda Softworks Archive (Oblivion)
2030	string	BSA\0 		BSArc archive data
204>4	lelong	x		version %d
205# MAR
2062	string	=-ah MAR archive data
207# ACB
208#0	belong&0x00f800ff	0x00800000 ACB archive data
209# CPZ
210# TODO, this is what idarc says: 0	string	\0\0\0 CPZ archive data
211# JRC
2120	string	JRchive JRC archive data
213# Quantum
2140	string	DS\0 Quantum archive data
215# ReSOF
2160	string	PK\3\6 ReSOF archive data
217# QuArk
2180	string	7\4 QuArk archive data
219# YAC
22014	string	YC YAC archive data
221# X1
2220	string	X1 X1 archive data
2230	string	XhDr X1 archive data
224# CDC Codec (.dqt)
2250	belong&0xffffe000	0x76ff2000 CDC Codec archive data
226# AMGC
2270	string	\xad6" AMGC archive data
228# NuLIB
2290	string	N\xc3\xb5F\xc3\xa9lx\xc3\xa5 NuLIB archive data
230# PakLeo
2310	string	LEOLZW PAKLeo archive data
232# ChArc
2330	string	SChF ChArc archive data
234# PSA
2350	string	PSA PSA archive data
236# CrossePAC
2370	string	DSIGDCC CrossePAC archive data
238# Freeze
2390	string	\x1f\x9f\x4a\x10\x0a Freeze archive data
240# KBoom
2410	string	\xc2\xa8MP\xc2\xa8 KBoom archive data
242# NSQ, must go after CDC Codec
2430	string	\x76\xff NSQ archive data
244# DPA
2450	string	Dirk\ Paehl DPA archive data
246# BA
247# TODO: idarc says "bytes 0-2 == bytes 3-5"
248# TTComp
249# URL: http://fileformats.archiveteam.org/wiki/TTComp_archive
250# Update: Joerg Jenderek
251# GRR: line below is too general as it matches also Panorama database "TCDB 2003-10 demo.pan", others
2520	string	\0\6
253# look for first keyword of Panorama database *.pan
254>12	search/261	DESIGN
255# skip keyword with low entropy
256>12	default		x	TTComp archive, binary, 4K dictionary
257# (version 5.25) labeled the above entry as "TTComp archive data"
258# ESP, could this conflict with Easy Software Products' (e.g.ESP ghostscript) documentation?
2590	string	ESP ESP archive data
260# ZPack
2610	string	\1ZPK\1 ZPack archive data
262# Sky
2630	string	\xbc\x40 Sky archive data
264# UFA
2650	string	UFA UFA archive data
266# Dry
2670	string	=-H2O DRY archive data
268# FoxSQZ
2690	string	FOXSQZ FoxSQZ archive data
270# AR7
2710	string	,AR7 AR7 archive data
272# PPMZ
2730	string	PPMZ PPMZ archive data
274# MS Compress
2754	string	\x88\xf0\x27 MS Compress archive data
276# updated by Joerg Jenderek
277>9	string	\0
278>>0	string	KWAJ
279>>>7	string	\321\003	MS Compress archive data
280>>>>14	ulong	>0		\b, original size: %d bytes
281>>>>18		ubyte	>0x65
282>>>>>18		string	x       \b, was %.8s
283>>>>>(10.b-4)	string	x       \b.%.3s
284# MP3 (archiver, not lossy audio compression)
2850	string	MP3\x1a MP3-Archiver archive data
286# ZET
2870	string	OZ\xc3\x9d ZET archive data
288# TSComp
2890	string	\x65\x5d\x13\x8c\x08\x01\x03\x00 TSComp archive data
290# ARQ
2910	string	gW\4\1 ARQ archive data
292# Squash
2933	string	OctSqu Squash archive data
294# Terse
2950	string	\5\1\1\0 Terse archive data
296# PUCrunch
2970	string	\x01\x08\x0b\x08\xef\x00\x9e\x32\x30\x36\x31 PUCrunch archive data
298# UHarc
2990	string	UHA UHarc archive data
300# ABComp
3010	string	\2AB ABComp archive data
3020	string	\3AB2 ABComp archive data
303# CMP
3040	string	CO\0 CMP archive data
305# Splint
3060	string	\x93\xb9\x06 Splint archive data
307# InstallShield
3080	string	\x13\x5d\x65\x8c InstallShield Z archive Data
309# Gather
3101	string	GTH Gather archive data
311# BOA
3120	string	BOA BOA archive data
313# RAX
3140	string	ULEB\xa RAX archive data
315# Xtreme
3160	string	ULEB\0 Xtreme archive data
317# Pack Magic
3180	string	@\xc3\xa2\1\0 Pack Magic archive data
319# BTS
3200	belong&0xfeffffff	0x1a034465 BTS archive data
321# ELI 5750
3220	string	Ora\  ELI 5750 archive data
323# QFC
3240	string	\x1aFC\x1a QFC archive data
3250	string	\x1aQF\x1a QFC archive data
326# PRO-PACK
3270	string	RNC PRO-PACK archive data
328# 777
3290	string	777 777 archive data
330# LZS221
3310	string	sTaC LZS221 archive data
332# HPA
3330	string	HPA HPA archive data
334# Arhangel
3350	string	LG Arhangel archive data
336# EXP1, uses bzip2
3370	string	0123456789012345BZh EXP1 archive data
338# IMP
3390	string	IMP\xa IMP archive data
340# NRV
3410	string	\x00\x9E\x6E\x72\x76\xFF NRV archive data
342# Squish
3430	string	\x73\xb2\x90\xf4 Squish archive data
344# Par
3450	string	PHILIPP Par archive data
3460	string	PAR Par archive data
347# HIT
3480	string	UB HIT archive data
349# SBX
3500	belong&0xfffff000	0x53423000 SBX archive data
351# NaShrink
3520	string	NSK NaShrink archive data
353# SAPCAR
3540	string	#\ CAR\ archive\ header SAPCAR archive data
3550	string	CAR\ 2.00RG SAPCAR archive data
356# Disintegrator
3570	string	DST Disintegrator archive data
358# ASD
3590	string	ASD ASD archive data
360# InstallShield CAB
3610	string	ISc( InstallShield CAB
362# TOP4
3630	string	T4\x1a TOP4 archive data
364# BatComp left out: sig looks like COM executable
365# so TODO: get real 4dos batcomp file and find sig
366# BlakHole
3670	string	BH\5\7 BlakHole archive data
368# BIX
3690	string	BIX0 BIX archive data
370# ChiefLZA
3710	string	ChfLZ ChiefLZA archive data
372# Blink
3730	string	Blink Blink archive data
374# Logitech Compress
3750	string	\xda\xfa Logitech Compress archive data
376# ARS-Sfx (FIXME: really a SFX? then goto COM/EXE)
3771	string	(C)\ STEPANYUK ARS-Sfx archive data
378# AKT/AKT32
3790	string	AKT32 AKT32 archive data
3800	string	AKT AKT archive data
381# NPack
3820	string	MSTSM NPack archive data
383# PFT
3840	string	\0\x50\0\x14 PFT archive data
385# SemOne
3860	string	SEM SemOne archive data
387# PPMD
3880	string	\x8f\xaf\xac\x84 PPMD archive data
389# FIZ
3900	string	FIZ FIZ archive data
391# MSXiE
3920	belong&0xfffff0f0	0x4d530000 MSXiE archive data
393# DeepFreezer
3940	belong&0xfffffff0	0x797a3030 DeepFreezer archive data
395# DC
3960	string	=<DC- DC archive data
397# TPac
3980	string	\4TPAC\3 TPac archive data
399# Ai
4000	string	Ai\1\1\0 Ai archive data
4010	string	Ai\1\0\0 Ai archive data
402# Ai32
4030	string	Ai\2\0 Ai32 archive data
4040	string	Ai\2\1 Ai32 archive data
405# SBC
4060	string	SBC SBC archive data
407# Ybs
4080	string	YBS Ybs archive data
409# DitPack
4100	string	\x9e\0\0 DitPack archive data
411# DMS
4120	string	DMS! DMS archive data
413# EPC
4140	string	\x8f\xaf\xac\x8c EPC archive data
415# VSARC
4160	string	VS\x1a VSARC archive data
417# PDZ
4180	string	PDZ PDZ archive data
419# ReDuq
4200	string	rdqx ReDuq archive data
421# GCA
4220	string	GCAX GCA archive data
423# PPMN
4240	string	pN PPMN archive data
425# WinImage
4263	string	WINIMAGE WinImage archive data
427# Compressia
4280	string	CMP0CMP Compressia archive data
429# UHBC
4300	string	UHB UHBC archive data
431# WinHKI
4320	string	\x61\x5C\x04\x05 WinHKI archive data
433# WWPack data file
4340	string	WWP WWPack archive data
435# BSN (BSA, PTS-DOS)
4360	string	\xffBSG BSN archive data
4371	string	\xffBSG BSN archive data
4383	string	\xffBSG BSN archive data
4391	string	\0\xae\2 BSN archive data
4401	string	\0\xae\3 BSN archive data
4411	string	\0\xae\7 BSN archive data
442# AIN
4430	string	\x33\x18 AIN archive data
4440	string	\x33\x17 AIN archive data
445# XPA32 test moved and merged with XPA by Joerg Jenderek at Sep 2015
446# SZip (TODO: doesn't catch all versions)
4470	string	SZ\x0a\4 SZip archive data
448# XPack DiskImage
449# *.XDI updated by Joerg Jenderek Sep 2015
450# ftp://ftp.sac.sk/pub/sac/pack/0index.txt
451# GRR: this test is still too general as it catches also text files starting with jm
4520	string	jm
453# only found examples with this additional characteristic 2 bytes
454>2	string	\x2\x4	Xpack DiskImage archive data
455#!:ext xdi
456# XPack Data
457# *.xpa updated by Joerg Jenderek Sep 2015
458# ftp://ftp.elf.stuba.sk/pub/pc/pack/
4590	string	xpa	XPA
460!:ext	xpa
461# XPA32
462# ftp://ftp.elf.stuba.sk/pub/pc/pack/xpa32.zip
463# created by XPA32.EXE version 1.0.2 for Windows
464>0	string	xpa\0\1 \b32 archive data
465# created by XPACK.COM version 1.67m or 1.67r with short 0x1800
466>3	ubeshort	!0x0001	\bck archive data
467# XPack Single Data
468# changed by Joerg Jenderek Sep 2015 back to like in version 5.12
469# letter 'I'+ acute accent is equivalent to \xcd
4700	string	\xcd\ jm	Xpack single archive data
471#!:mime	application/x-xpa-compressed
472!:ext xpa
473
474# TODO: missing due to unknown magic/magic at end of file:
475#DWC
476#ARG
477#ZAR
478#PC/3270
479#InstallIt
480#RKive
481#RK
482#XPack Diskimage
483
484# These were inspired by idarc, but actually verified
485# Dzip archiver (.dz)
4860	string	DZ Dzip archive data
487>2	byte	x \b, version %i
488>3	byte	x \b.%i
489# ZZip archiver (.zz)
4900	string	ZZ\ \0\0 ZZip archive data
4910	string	ZZ0 ZZip archive data
492# PAQ archiver (.paq)
4930	string	\xaa\x40\x5f\x77\x1f\xe5\x82\x0d PAQ archive data
4940	string	PAQ PAQ archive data
495>3	byte&0xf0	0x30
496>>3	byte	x (v%c)
497# JAR archiver (.j), this is the successor to ARJ, not Java's JAR (which is essentially ZIP)
4980xe	string	\x1aJar\x1b JAR (ARJ Software, Inc.) archive data
4990	string	JARCS JAR (ARJ Software, Inc.) archive data
500
501# ARJ archiver (jason@jarthur.Claremont.EDU)
5020	leshort		0xea60		ARJ archive data
503!:mime	application/x-arj
504>5	byte		x		\b, v%d,
505>8	byte		&0x04		multi-volume,
506>8	byte		&0x10		slash-switched,
507>8	byte		&0x20		backup,
508>34	string		x		original name: %s,
509>7	byte		0		os: MS-DOS
510>7	byte		1		os: PRIMOS
511>7	byte		2		os: Unix
512>7	byte		3		os: Amiga
513>7	byte		4		os: Macintosh
514>7	byte		5		os: OS/2
515>7	byte		6		os: Apple ][ GS
516>7	byte		7		os: Atari ST
517>7	byte		8		os: NeXT
518>7	byte		9		os: VAX/VMS
519>3	byte		>0		%d]
520# [JW] idarc says this is also possible
5212	leshort		0xea60		ARJ archive data
522
523# HA archiver (Greg Roelofs, newt@uchicago.edu)
524# This is a really bad format. A file containing HAWAII will match this...
525#0	string		HA		HA archive data,
526#>2	leshort		=1		1 file,
527#>2	leshort		>1		%hu files,
528#>4	byte&0x0f	=0		first is type CPY
529#>4	byte&0x0f	=1		first is type ASC
530#>4	byte&0x0f	=2		first is type HSC
531#>4	byte&0x0f	=0x0e		first is type DIR
532#>4	byte&0x0f	=0x0f		first is type SPECIAL
533# suggestion: at least identify small archives (<1024 files)
5340  belong&0xffff00fc 0x48410000 HA archive data
535>2	leshort		=1		1 file,
536>2	leshort		>1		%u files,
537>4	byte&0x0f	=0		first is type CPY
538>4	byte&0x0f	=1		first is type ASC
539>4	byte&0x0f	=2		first is type HSC
540>4	byte&0x0f	=0x0e		first is type DIR
541>4	byte&0x0f	=0x0f		first is type SPECIAL
542
543# HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz)
5440	string		HPAK		HPACK archive data
545
546# JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net
5470	string		\351,\001JAM\ 		JAM archive,
548>7	string		>\0			version %.4s
549>0x26	byte		=0x27			-
550>>0x2b	string          >\0			label %.11s,
551>>0x27	lelong		x			serial %08x,
552>>0x36	string		>\0			fstype %.8s
553
554# LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu)
555# Update: Joerg Jenderek
556# URL: https://en.wikipedia.org/wiki/LHA_(file_format)
557# Reference: http://web.archive.org/web/20021005080911/http://www.osirusoft.com/joejared/lzhformat.html
558#
559#	check and display information of lharc (LHa,PMarc) file
5600	name				lharc-file
561# check 1st character of method id like -lz4- -lh5- or -pm2-
562>2	string		-
563# check 5th character of method id
564>>6	string		-
565# check header level 0 1 2 3
566>>>20	ubyte		<4
567# check 2nd, 3th and 4th character of method id
568>>>>3	regex		\^(lh[0-9a-ex]|lz[s2-8]|pm[012]|pc1)		\b
569!:mime	application/x-lzh-compressed
570# creator type "LHA "
571!:apple	????LHA
572# display archive type name like "LHa/LZS archive data" or "LArc archive"
573>>>>>2	string		-lz		\b
574!:ext	lzs
575# already known  -lzs- -lz4- -lz5- with old names
576>>>>>>2	string	-lzs		LHa/LZS archive data
577>>>>>>3	regex	\^lz[45]	LHarc 1.x archive data
578# missing -lz?- with wikipedia names
579>>>>>>3	regex	\^lz[2378]	LArc archive
580# display archive type name like "LHa (2.x) archive data"
581>>>>>2	string		-lh		\b
582# already known -lh0- -lh1- -lh2- -lh3-  -lh4- -lh5- -lh6- -lh7- -lhd- variants with old names
583>>>>>>3	regex		\^lh[01]	LHarc 1.x/ARX archive data
584# LHice archiver use ".ICE" as name extension instead usual one ".lzh"
585# FOOBAR archiver use ".foo" as name extension instead usual one
586# "Florain Orjanov's and Olga Bachetska's ARchiver" not found at the moment
587>>>>>>>2	string	-lh1		\b
588!:ext lha/lzh/ice
589>>>>>>3	regex		\^lh[23d]	LHa 2.x? archive data
590>>>>>>3	regex		\^lh[7]		LHa (2.x)/LHark archive data
591>>>>>>3	regex		\^lh[456]	LHa (2.x) archive data
592>>>>>>>2	string	-lh5		\b
593# https://en.wikipedia.org/wiki/BIOS
594# Some mainboard BIOS like Award use LHa compression. So archives with unusal extension are found like
595# bios.rom , kd7_v14.bin, 1010.004, ...
596!:ext lha/lzh/rom/bin
597# missing -lh?- variants (Joe Jared)
598>>>>>>3	regex		\^lh[89a-ce]	LHa (Joe Jared) archive
599# UNLHA32 2.67a
600>>>>>>2	string		-lhx		LHa (UNLHA32) archive
601# lha archives with standard file name extensions ".lha" ".lzh"
602>>>>>>3	regex		!\^(lh1|lh5)	\b
603!:ext lha/lzh
604# this should not happen if all -lh variants are described
605>>>>>>2	default		x		LHa (unknown) archive
606#!:ext	lha
607# PMarc
608>>>>>3	regex		\^pm[012]	PMarc archive data
609!:ext pma
610# append method id without leading and trailing minus character
611>>>>>3	string		x		[%3.3s]
612>>>>>>0	use	lharc-header
613#
614#	check and display information of lharc header
6150	name				lharc-header
616# header size 0x4 , 0x1b-0x61
617>0	ubyte		x
618# compressed data size != compressed file size
619#>7	ulelong		x		\b, data size %d
620# attribute: 0x2~?? 0x10~symlink|target 0x20~normal
621#>19	ubyte		x		\b, 19_0x%x
622# level identifier 0 1 2 3
623#>20	ubyte		x		\b, level %d
624# time stamp
625#>15		ubelong	x		DATE 0x%8.8x
626# OS ID for level 1
627>20	ubyte		1
628# 0x20 types find for *.rom files
629>>(21.b+24)	ubyte	<0x21		\b, 0x%x OS
630# ascii type like M for MSDOS
631>>(21.b+24)	ubyte	>0x20		\b, '%c' OS
632# OS ID for level 2
633>20	ubyte		2
634#>>23	ubyte		x		\b, OS ID 0x%x
635>>23	ubyte		<0x21		\b, 0x%x OS
636>>23	ubyte		>0x20		\b, '%c' OS
637# filename only for level 0 and 1
638>20	ubyte		<2
639# length of filename
640>>21		ubyte	>0		\b, with
641# filename
642>>>21		pstring	x		"%s"
643#
644#2	string		-lh0-		LHarc 1.x/ARX archive data [lh0]
645#!:mime	application/x-lharc
6462	string		-lh0-
647>0	use	lharc-file
648#2	string		-lh1-		LHarc 1.x/ARX archive data [lh1]
649#!:mime	application/x-lharc
6502	string		-lh1-
651>0	use	lharc-file
652# NEW -lz2- ... -lz8-
6532	string		-lz2-
654>0	use	lharc-file
6552	string		-lz3-
656>0	use	lharc-file
6572	string		-lz4-
658>0	use	lharc-file
6592	string		-lz5-
660>0	use	lharc-file
6612	string		-lz7-
662>0	use	lharc-file
6632	string		-lz8-
664>0	use	lharc-file
665#	[never seen any but the last; -lh4- reported in comp.compression:]
666#2	string		-lzs-		LHa/LZS archive data [lzs]
6672	string		-lzs-
668>0	use	lharc-file
669# According to wikipedia and others such a version does not exist
670#2	string		-lh\40-		LHa 2.x? archive data [lh ]
671#2	string		-lhd-		LHa 2.x? archive data [lhd]
6722	string		-lhd-
673>0	use	lharc-file
674#2	string		-lh2-		LHa 2.x? archive data [lh2]
6752	string		-lh2-
676>0	use	lharc-file
677#2	string		-lh3-		LHa 2.x? archive data [lh3]
6782	string		-lh3-
679>0	use	lharc-file
680#2	string		-lh4-		LHa (2.x) archive data [lh4]
6812	string		-lh4-
682>0	use	lharc-file
683#2	string		-lh5-		LHa (2.x) archive data [lh5]
6842	string		-lh5-
685>0	use	lharc-file
686#2	string		-lh6-		LHa (2.x) archive data [lh6]
6872	string		-lh6-
688>0	use	lharc-file
689#2	string		-lh7-		LHa (2.x)/LHark archive data [lh7]
6902	string		-lh7-
691# !:mime	application/x-lha
692# >20	byte		x		- header level %d
693>0	use	lharc-file
694# NEW -lh8- ... -lhe- , -lhx-
6952	string		-lh8-
696>0	use	lharc-file
6972	string		-lh9-
698>0	use	lharc-file
6992	string		-lha-
700>0	use	lharc-file
7012	string		-lhb-
702>0	use	lharc-file
7032	string		-lhc-
704>0	use	lharc-file
7052	string		-lhe-
706>0	use	lharc-file
7072	string		-lhx-
708>0	use	lharc-file
709# taken from idarc [JW]
7102   string      -lZ         PUT archive data
711# already done by LHarc magics
712# this should never happen if all sub types of LZS archive are identified
713#2   string      -lz         LZS archive data
7142   string      -sw1-       Swag archive data
715
7160	name		rar-file-header
717>24	byte		15		\b, v1.5
718>24	byte		20		\b, v2.0
719>24	byte		29		\b, v4
720>15	byte		0		\b, os: MS-DOS
721>15	byte		1		\b, os: OS/2
722>15	byte		2		\b, os: Win32
723>15	byte		3		\b, os: Unix
724>15	byte		4		\b, os: Mac OS
725>15	byte		5		\b, os: BeOS
726
7270	name		rar-archive-header
728>3	leshort&0x1ff	>0		\b, flags:
729>>3	leshort		&0x01		ArchiveVolume
730>>3	leshort		&0x02		Commented
731>>3	leshort		&0x04		Locked
732>>3	leshort		&0x10		NewVolumeNaming
733>>3	leshort		&0x08		Solid
734>>3	leshort		&0x20		Authenticated
735>>3	leshort		&0x40		RecoveryRecordPresent
736>>3	leshort		&0x80		EncryptedBlockHeader
737>>3	leshort		&0x100		FirstVolume
738
739# RAR (Roshal Archive) archive
7400	string		Rar!\x1a\7\0		RAR archive data
741!:mime	application/x-rar
742!:ext	rar/cbr
743# file header
744>(0xc.l+9)	byte	0x74
745>>(0xc.l+7)	use	rar-file-header
746# subblock seems to share information with file header
747>(0xc.l+9)	byte	0x7a
748>>(0xc.l+7)	use	rar-file-header
749>9		byte	0x73
750>>7		use	rar-archive-header
751
7520	string		Rar!\x1a\7\1\0		RAR archive data, v5
753!:mime	application/x-rar
754!:ext	rar
755
756# Very old RAR archive
757# http://jasonblanks.com/wp-includes/images/papers/KnowyourarchiveRAR.pdf
7580	string		RE\x7e\x5e  RAR archive data (<v1.5)
759!:mime	application/x-rar
760!:ext	rar/cbr
761
762# SQUISH archiver (Greg Roelofs, newt@uchicago.edu)
7630	string		SQSH		squished archive data (Acorn RISCOS)
764
765# UC2 archiver (Greg Roelofs, newt@uchicago.edu)
766# [JW] see exe section for self-extracting version
7670	string		UC2\x1a		UC2 archive data
768
769# PKZIP multi-volume archive
7700	string		PK\x07\x08PK\x03\x04	Zip multi-volume archive data, at least PKZIP v2.50 to extract
771!:mime	application/zip
772!:ext zip/cbz
773
774# Zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)
7750	string		PK\005\006	Zip archive data (empty)
776!:mime application/zip
777!:ext zip/cbz
7780	string		PK\003\004
779
780# Specialised zip formats which start with a member named 'mimetype'
781# (stored uncompressed, with no 'extra field') containing the file's MIME type.
782# Check for have 8-byte name, 0-byte extra field, name "mimetype", and
783#  contents starting with "application/":
784>26	string		\x8\0\0\0mimetypeapplication/
785
786#  KOffice / OpenOffice & StarOffice / OpenDocument formats
787#    From: Abel Cheung <abel@oaka.org>
788
789#   KOffice (1.2 or above) formats
790#    (mimetype contains "application/vnd.kde.<SUBTYPE>")
791>>50	string	vnd.kde.		KOffice (>=1.2)
792>>>58	string	karbon			Karbon document
793>>>58	string	kchart			KChart document
794>>>58	string	kformula		KFormula document
795>>>58	string	kivio			Kivio document
796>>>58	string	kontour			Kontour document
797>>>58	string	kpresenter		KPresenter document
798>>>58	string	kspread			KSpread document
799>>>58	string	kword			KWord document
800
801#   OpenOffice formats (for OpenOffice 1.x / StarOffice 6/7)
802#    (mimetype contains "application/vnd.sun.xml.<SUBTYPE>")
803>>50	string	vnd.sun.xml.		OpenOffice.org 1.x
804>>>62	string	writer			Writer
805>>>>68	byte	!0x2e			document
806>>>>68	string	.template		template
807>>>>68	string	.global			global document
808>>>62	string	calc			Calc
809>>>>66	byte	!0x2e			spreadsheet
810>>>>66	string	.template		template
811>>>62	string	draw			Draw
812>>>>66	byte	!0x2e			document
813>>>>66	string	.template		template
814>>>62	string	impress			Impress
815>>>>69	byte	!0x2e			presentation
816>>>>69	string	.template		template
817>>>62	string	math			Math document
818>>>62	string	base			Database file
819
820#   OpenDocument formats (for OpenOffice 2.x / StarOffice >= 8)
821#    http://lists.oasis-open.org/archives/office/200505/msg00006.html
822#    (mimetype contains "application/vnd.oasis.opendocument.<SUBTYPE>")
823>>50	string	vnd.oasis.opendocument.	OpenDocument
824>>>73	string	text
825>>>>77	byte	!0x2d			Text
826!:mime	application/vnd.oasis.opendocument.text
827>>>>77	string	-template		Text Template
828!:mime	application/vnd.oasis.opendocument.text-template
829>>>>77	string	-web			HTML Document Template
830!:mime	application/vnd.oasis.opendocument.text-web
831>>>>77	string	-master			Master Document
832!:mime	application/vnd.oasis.opendocument.text-master
833>>>73	string	graphics
834>>>>81	byte	!0x2d			Drawing
835!:mime	application/vnd.oasis.opendocument.graphics
836>>>>81	string	-template		Template
837!:mime	application/vnd.oasis.opendocument.graphics-template
838>>>73	string	presentation
839>>>>85	byte	!0x2d			Presentation
840!:mime	application/vnd.oasis.opendocument.presentation
841>>>>85	string	-template		Template
842!:mime	application/vnd.oasis.opendocument.presentation-template
843>>>73	string	spreadsheet
844>>>>84	byte	!0x2d			Spreadsheet
845!:mime	application/vnd.oasis.opendocument.spreadsheet
846>>>>84	string	-template		Template
847!:mime	application/vnd.oasis.opendocument.spreadsheet-template
848>>>73	string	chart
849>>>>78	byte	!0x2d			Chart
850!:mime	application/vnd.oasis.opendocument.chart
851>>>>78	string	-template		Template
852!:mime	application/vnd.oasis.opendocument.chart-template
853>>>73	string	formula
854>>>>80	byte	!0x2d			Formula
855!:mime	application/vnd.oasis.opendocument.formula
856>>>>80	string	-template		Template
857!:mime	application/vnd.oasis.opendocument.formula-template
858>>>73	string	database		Database
859!:mime	application/vnd.oasis.opendocument.database
860>>>73	string	image
861>>>>78	byte	!0x2d			Image
862!:mime	application/vnd.oasis.opendocument.image
863>>>>78	string	-template		Template
864!:mime	application/vnd.oasis.opendocument.image-template
865
866#  EPUB (OEBPS) books using OCF (OEBPS Container Format)
867#    http://www.idpf.org/ocf/ocf1.0/download/ocf10.htm, section 4.
868#    From: Ralf Brown <ralf.brown@gmail.com>
869>>50	string	epub+zip	EPUB document
870!:mime application/epub+zip
871
872#  Catch other ZIP-with-mimetype formats
873#	In a ZIP file, the bytes immediately after a member's contents are
874#	always "PK". The 2 regex rules here print the "mimetype" member's
875#	contents up to the first 'P'. Luckily, most MIME types don't contain
876#	any capital 'P's. This is a kludge.
877#    (mimetype contains "application/<OTHER>")
878>>50		string	!epub+zip
879>>>50		string	!vnd.oasis.opendocument.
880>>>>50		string	!vnd.sun.xml.
881>>>>>50		string	!vnd.kde.
882>>>>>>38	regex	[!-OQ-~]+		Zip data (MIME type "%s"?)
883!:mime	application/zip
884#    (mimetype contents other than "application/*")
885>26		string	\x8\0\0\0mimetype
886>>38		string	!application/
887>>>38		regex	[!-OQ-~]+		Zip data (MIME type "%s"?)
888!:mime	application/zip
889
890# Java Jar files
891>(26.s+30)	leshort	0xcafe		Java archive data (JAR)
892!:mime	application/java-archive
893
894# iOS App
895>(26.s+30)	leshort	!0xcafe
896>>26		string	!\x8\0\0\0mimetype
897>>>30		string	Payload/
898>>>>38		search/64       .app/   iOS App
899!:mime application/x-ios-app
900
901
902# Generic zip archives (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)
903#   Next line excludes specialized formats:
904>(26.s+30)	leshort	!0xcafe
905>>26    string          !\x8\0\0\0mimetype	Zip archive data
906!:mime	application/zip
907>>>4	byte		0x09		\b, at least v0.9 to extract
908>>>4	byte		0x0a		\b, at least v1.0 to extract
909>>>4	byte		0x0b		\b, at least v1.1 to extract
910>>>4	byte		0x14		\b, at least v2.0 to extract
911>>>4	byte		0x2d		\b, at least v4.5 to extract
912>>>0x161	string		WINZIP		\b, WinZIP self-extracting
913
914# StarView Metafile
915# From Pierre Ducroquet <pinaraf@pinaraf.info>
9160	string	VCLMTF	StarView MetaFile
917>6	beshort	x	\b, version %d
918>8	belong	x	\b, size %d
919
920# Zoo archiver
92120	lelong		0xfdc4a7dc	Zoo archive data
922!:mime	application/x-zoo
923>4	byte		>48		\b, v%c.
924>>6	byte		>47		\b%c
925>>>7	byte		>47		\b%c
926>32	byte		>0		\b, modify: v%d
927>>33	byte		x		\b.%d+
928>42	lelong		0xfdc4a7dc	\b,
929>>70	byte		>0		extract: v%d
930>>>71	byte		x		\b.%d+
931
932# Shell archives
93310	string		#\ This\ is\ a\ shell\ archive	shell archive text
934!:mime	application/octet-stream
935
936#
937# LBR. NB: May conflict with the questionable
938#          "binary Computer Graphics Metafile" format.
939#
9400       string  \0\ \ \ \ \ \ \ \ \ \ \ \0\0    LBR archive data
941#
942# PMA (CP/M derivative of LHA)
943# Update: Joerg Jenderek
944# URL: https://en.wikipedia.org/wiki/LHA_(file_format)
945#
946#2       string          -pm0-           PMarc archive data [pm0]
9472	string		-pm0-
948>0	use	lharc-file
949#2       string          -pm1-           PMarc archive data [pm1]
9502	string		-pm1-
951>0	use	lharc-file
952#2       string          -pm2-           PMarc archive data [pm2]
9532	string		-pm2-
954>0	use	lharc-file
9552       string          -pms-           PMarc SFX archive (CP/M, DOS)
956#!:mime	application/x-foobar-exec
957!:ext com
9585       string          -pc1-           PopCom compressed executable (CP/M)
959#!:mime	application/x-
960#!:ext com
961
962# From Rafael Laboissiere <rafael@laboissiere.net>
963# The Project Revision Control System (see
964# http://prcs.sourceforge.net) generates a packaged project
965# file which is recognized by the following entry:
9660	leshort		0xeb81	PRCS packaged project
967
968# Microsoft cabinets
969# by David Necas (Yeti) <yeti@physics.muni.cz>
970#0	string	MSCF\0\0\0\0	Microsoft cabinet file data,
971#>25	byte	x		v%d
972#>24	byte	x		\b.%d
973# MPi: All CABs have version 1.3, so this is pointless.
974# Better magic in debian-additions.
975
976# GTKtalog catalogs
977# by David Necas (Yeti) <yeti@physics.muni.cz>
9784	string	gtktalog\ 	GTKtalog catalog data,
979>13	string	3		version 3
980>>14	beshort	0x677a		(gzipped)
981>>14	beshort	!0x677a		(not gzipped)
982>13	string	>3		version %s
983
984############################################################################
985# Parity archive reconstruction file, the 'par' file format now used on Usenet.
9860       string          PAR\0	PARity archive data
987>48	leshort		=0	- Index file
988>48	leshort		>0	- file number %d
989
990# Felix von Leitner <felix-file@fefe.de>
9910	string	d8:announce	BitTorrent file
992!:mime	application/x-bittorrent
993# Durval Menezes, <jmgthbfile at durval dot com>
9940	string	d13:announce-list	BitTorrent file
995!:mime	application/x-bittorrent
996
997# Atari MSA archive - Teemu Hukkanen <tjhukkan@iki.fi>
9980	beshort 0x0e0f		Atari MSA archive data
999>2	beshort x		\b, %d sectors per track
1000>4	beshort 0		\b, 1 sided
1001>4	beshort 1		\b, 2 sided
1002>6	beshort x		\b, starting track: %d
1003>8	beshort x		\b, ending track: %d
1004
1005# Alternate ZIP string (amc@arwen.cs.berkeley.edu)
10060	string	PK00PK\003\004	Zip archive data
1007
1008# ACE archive (from http://www.wotsit.org/download.asp?f=ace)
1009# by Stefan `Sec` Zehl <sec@42.org>
10107	string		**ACE**		ACE archive data
1011>15	byte	>0		version %d
1012>16	byte	=0x00		\b, from MS-DOS
1013>16	byte	=0x01		\b, from OS/2
1014>16	byte	=0x02		\b, from Win/32
1015>16	byte	=0x03		\b, from Unix
1016>16	byte	=0x04		\b, from MacOS
1017>16	byte	=0x05		\b, from WinNT
1018>16	byte	=0x06		\b, from Primos
1019>16	byte	=0x07		\b, from AppleGS
1020>16	byte	=0x08		\b, from Atari
1021>16	byte	=0x09		\b, from Vax/VMS
1022>16	byte	=0x0A		\b, from Amiga
1023>16	byte	=0x0B		\b, from Next
1024>14	byte	x		\b, version %d to extract
1025>5	leshort &0x0080		\b, multiple volumes,
1026>>17	byte	x		\b (part %d),
1027>5	leshort &0x0002		\b, contains comment
1028>5	leshort	&0x0200		\b, sfx
1029>5	leshort	&0x0400		\b, small dictionary
1030>5	leshort	&0x0800		\b, multi-volume
1031>5	leshort	&0x1000		\b, contains AV-String
1032>>30	string	\x16*UNREGISTERED\x20VERSION*	(unregistered)
1033>5	leshort &0x2000		\b, with recovery record
1034>5	leshort &0x4000		\b, locked
1035>5	leshort &0x8000		\b, solid
1036# Date in MS-DOS format (whatever that is)
1037#>18	lelong	x		Created on
1038
1039# sfArk : compression program for Soundfonts (sf2) by Dirk Jagdmann
1040# <doj@cubic.org>
10410x1A	string	sfArk		sfArk compressed Soundfont
1042>0x15	string	2
1043>>0x1	string	>\0		Version %s
1044>>0x2A	string	>\0		: %s
1045
1046# DR-DOS 7.03 Packed File *.??_
10470	string	Packed\ File\ 	Personal NetWare Packed File
1048>12	string	x		\b, was "%.12s"
1049
1050# EET archive
1051# From: Tilman Sauerbeck <tilman@code-monkey.de>
10520	belong	0x1ee7ff00	EET archive
1053!:mime	application/x-eet
1054
1055# rzip archives
10560	string	RZIP		rzip compressed data
1057>4	byte	x		- version %d
1058>5	byte	x		\b.%d
1059>6	belong	x		(%d bytes)
1060
1061# From: "Robert Dale" <robdale@gmail.com>
10620	belong	123		dar archive,
1063>4	belong	x		label "%.8x
1064>>8	belong	x		%.8x
1065>>>12	beshort	x		%.4x"
1066>14	byte	0x54		end slice
1067>14	beshort	0x4e4e		multi-part
1068>14	beshort	0x4e53		multi-part, with -S
1069
1070# Symbian installation files
1071#  http://www.thouky.co.uk/software/psifs/sis.html
1072#  http://developer.symbian.com/main/downloads/papers/SymbianOSv91/softwareinstallsis.pdf
10738	lelong	0x10000419	Symbian installation file
1074!:mime	application/vnd.symbian.install
1075>4	lelong	0x1000006D	(EPOC release 3/4/5)
1076>4	lelong	0x10003A12	(EPOC release 6)
10770	lelong	0x10201A7A	Symbian installation file (Symbian OS 9.x)
1078!:mime	x-epoc/x-sisx-app
1079
1080# From "Nelson A. de Oliveira" <naoliv@gmail.com>
10810	string	MPQ\032		MoPaQ (MPQ) archive
1082
1083# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
1084# .kgb
10850	string KGB_arch		KGB Archiver file
1086>10	string x		with compression level %.1s
1087
1088# xar (eXtensible ARchiver) archive
1089# xar archive format: http://code.google.com/p/xar/
1090# From: "David Remahl" <dremahl@apple.com>
10910	string	xar!		xar archive
1092!:mime	application/x-xar
1093#>4	beshort	x		header size %d
1094>6	beshort	x		version %d,
1095#>8	quad	x		compressed TOC: %d,
1096#>16	quad	x		uncompressed TOC: %d,
1097>24	belong	0		no checksum
1098>24	belong	1		SHA-1 checksum
1099>24	belong	2		MD5 checksum
1100
1101# Type: Parity Archive
1102# From: Daniel van Eeden <daniel_e@dds.nl>
11030	string	PAR2		Parity Archive Volume Set
1104
1105# Bacula volume format. (Volumes always start with a block header.)
1106# URL: http://bacula.org/3.0.x-manuals/en/developers/developers/Block_Header.html
1107# From: Adam Buchbinder <adam.buchbinder@gmail.com>
110812	string	BB02		Bacula volume
1109>20	bedate	x		\b, started %s
1110
1111# ePub is XHTML + XML inside a ZIP archive.  The first member of the
1112#   archive must be an uncompressed file called 'mimetype' with contents
1113#   'application/epub+zip'
1114
1115
1116# From: "Michael Gorny" <mgorny@gentoo.org>
1117# ZPAQ: http://mattmahoney.net/dc/zpaq.html
11180	string	zPQ	ZPAQ stream
1119>3	byte	x	\b, level %d
1120# From: Barry Carter <carter.barry@gmail.com>
1121# http://encode.ru/threads/456-zpaq-updates/page32
11220	string	7kSt	ZPAQ file
1123
1124# BBeB ebook, unencrypted (LRF format)
1125# URL: http://www.sven.de/librie/Librie/LrfFormat
1126# From: Adam Buchbinder <adam.buchbinder@gmail.com>
11270	string	L\0R\0F\0\0\0	BBeB ebook data, unencrypted
1128>8	beshort	x		\b, version %d
1129>36	byte	1		\b, front-to-back
1130>36	byte	16		\b, back-to-front
1131>42	beshort	x		\b, (%dx,
1132>44	beshort	x		%d)
1133
1134# Symantec GHOST image by Joerg Jenderek at May 2014
1135# http://us.norton.com/ghost/
1136# http://www.garykessler.net/library/file_sigs.html
11370		ubelong&0xFFFFf7f0	0xFEEF0100	Norton GHost image
1138# *.GHO
1139>2		ubyte&0x08		0x00		\b, first file
1140# *.GHS or *.[0-9] with cns program option
1141>2		ubyte&0x08		0x08		\b, split file
1142# part of split index interesting for *.ghs
1143>>4		ubyte			x		id=0x%x
1144# compression tag minus one equals numeric compression command line switch z[1-9]
1145>3		ubyte			0		\b, no compression
1146>3		ubyte			2		\b, fast compression (Z1)
1147>3		ubyte			3		\b, medium compression (Z2)
1148>3		ubyte			>3
1149>>3		ubyte			<11		\b, compression (Z%d-1)
1150>2		ubyte&0x08		0x00
1151# ~ 30 byte password field only for *.gho
1152>>12		ubequad			!0		\b, password protected
1153>>44		ubyte			!1
1154# 1~Image All, sector-by-sector only for *.gho
1155>>>10		ubyte			1		\b, sector copy
1156# 1~Image Boot track only for *.gho
1157>>>43		ubyte			1		\b, boot track
1158# 1~Image Disc only for *.gho implies Image Boot track and sector copy
1159>>44		ubyte			1		\b, disc sector copy
1160# optional image description only *.gho
1161>>0xff		string			>\0		"%-.254s"
1162# look for DOS sector end sequence
1163>0xE08	search/7776		\x55\xAA
1164>>&-512	indirect		x		\b; contains
1165
1166# Google Chrome extensions
1167# https://developer.chrome.com/extensions/crx
1168# https://developer.chrome.com/extensions/hosting
11690	string	Cr24	Google Chrome extension
1170!:mime	application/x-chrome-extension
1171>4	ulong	x	\b, version %u
1172