
#------------------Standard file formats------------------------------------

#------------------------------------------------------------------------------
# elf:  file(1) magic for ELF executables
#
# We have to check the byte order flag to see what byte order all the
# other stuff in the header is in.
#
# What're the correct byte orders for the nCUBE and the Fujitsu VPP500?
#
# updated by Daniel Quinlan (quinlan@yggdrasil.com)
0           string                  \177ELF         ELF,
>4          byte                    0               {invalid}
>4          byte                    1               32-bit
# only for MIPS - in the future, the ABI field of e_flags should be used.
>>18        leshort                 8
>>>36       lelong                  &0x20           N32
>>18        leshort                 10
>>>36       lelong                  &0x20           N32
>>18        beshort                 8
>>>36       belong                  &0x20           N32
>>18        beshort                 10
>>>36       belong                  &0x20           N32
>4          byte                    2               64-bit
>4          byte                    >2
>>4         byte                    x               unknown ELF class: 0x%X
>5          byte                    !1
>>5         byte                    !2              {invalid}
>5          byte                    1               LSB
# The official e_machine number for MIPS is now #8, regardless of endianness.
# The second number (#10) will be deprecated later. For now, we still
# say something if #10 is encountered, but only gory details for #8.
>>18        leshort                 8
# only for 32-bit
>>>4        byte                    1
>>>>36      lelong&0xf0000000       0x00000000      MIPS-I
>>>>36      lelong&0xf0000000       0x10000000      MIPS-II
>>>>36      lelong&0xf0000000       0x20000000      MIPS-III
>>>>36      lelong&0xf0000000       0x30000000      MIPS-IV
>>>>36      lelong&0xf0000000       0x40000000      MIPS-V
>>>>36      lelong&0xf0000000       0x60000000      MIPS32
>>>>36      lelong&0xf0000000       0x70000000      MIPS64
>>>>36      ulelong&0xf0000000      0x80000000      MIPS32 rel2
>>>>36      ulelong&0xf0000000      0x90000000      MIPS64 rel2
# only for 64-bit
>>>4        byte                    2
>>>>48      lelong&0xf0000000       0x00000000      MIPS-I
>>>>48      lelong&0xf0000000       0x10000000      MIPS-II
>>>>48      lelong&0xf0000000       0x20000000      MIPS-III
>>>>48      lelong&0xf0000000       0x30000000      MIPS-IV
>>>>48      lelong&0xf0000000       0x40000000      MIPS-V
>>>>48      lelong&0xf0000000       0x60000000      MIPS32
>>>>48      lelong&0xf0000000       0x70000000      MIPS64 
>>>>48      ulelong&0xf0000000      0x80000000      MIPS32 rel2
>>>>48      ulelong&0xf0000000      0x90000000      MIPS64 rel2
>>16        leshort                 0               no file type,
>>16        leshort                 1               relocatable,
>>16        leshort                 2               executable,
>>16        leshort                 3               shared object,
# Core handling from Peter Tobias <tobias@server.et-inf.fho-emden.de>
# corrections by Christian 'Dr. Disk' Hechelmann <drdisk@ds9.au.s.shuttle.de>
>>16        leshort                 4               core file
>>16        uleshort                &0xff00         processor-specific,
>>18        leshort                 0               no machine,
>>18        leshort                 1               AT&T WE32100 - wrong byte order,{invalid}
>>18        leshort                 2               SPARC - wrongbyte order,{invalid}
>>18        leshort                 3               Intel 80386,
>>18        leshort                 4               Motorola
>>>36       lelong                  &0x01000000     68000 - wrong byte order,{invalid}
>>>36       lelong                  &0x00810000     CPU32 - wrong byte order,{invalid}
>>>36       lelong                  0               68020 - wrong byte order,{invalid}
>>18        leshort                 5               Motorola 88000 - wrong byte order,{invalid}
>>18        leshort                 6               Intel 80486,
>>18        leshort                 7               Intel 80860,
>>18        leshort                 8               MIPS,
>>18        leshort                 9               Amdahl - wrong byte order,{invalid}
>>18        leshort                 10              MIPS (deprecated),
>>18        leshort                 11              RS6000 - wrong byte order,{invalid}
>>18        leshort                 15              PA-RISC - wrong byte order,{invalid}
>>>50       leshort                 0x0214          2.0
>>>48       leshort                 &0x0008         (LP64),
>>18        leshort                 16              nCUBE,
>>18        leshort                 17              Fujitsu VPP500,
>>18        leshort                 18              SPARC32PLUS,
>>18        leshort                 20              PowerPC,
>>18        leshort                 22              IBM S/390,
>>18        leshort                 36              NEC V800,
>>18        leshort                 37              Fujitsu FR20,
>>18        leshort                 38              TRW RH-32,
>>18        leshort                 39              Motorola RCE,
>>18        leshort                 40              ARM,
>>18        leshort                 41              Alpha,
>>18        uleshort                0xa390          IBM S/390 (obsolete),
>>18        leshort                 42              Hitachi SH,
>>18        leshort                 43              SPARC V9 - wrong byte order,{invalid}
>>18        leshort                 44              Siemens Tricore Embedded Processor,
>>18        leshort                 45              Argonaut RISC Core, Argonaut Technologies Inc.,
>>18        leshort                 46              Hitachi H8/300,
>>18        leshort                 47              Hitachi H8/300H,
>>18        leshort                 48              Hitachi H8S,
>>18        leshort                 49              Hitachi H8/500,
>>18        leshort                 50              IA-64 (Intel 64 bit architecture)
>>18        leshort                 51              Stanford MIPS-X,
>>18        leshort                 52              Motorola Coldfire,
>>18        leshort                 53              Motorola M68HC12,
>>18        leshort                 62              AMD x86-64,
>>18        leshort                 75              Digital VAX,
>>18        leshort                 97              NatSemi 32k,
>>18        uleshort                0x9026          Alpha (unofficial),
>>20        lelong                  0               {invalid} invalid version
>>20        lelong                  1               version 1
>>36        lelong                  1               MathCoPro/FPU/MAU Required
>5          byte                    2               MSB
# only for MIPS - see comment in little-endian section above.
>>18        beshort                 8
# only for 32-bit
>>>4        byte                    1
>>>>36      belong&0xf0000000       0x00000000      MIPS-I
>>>>36      belong&0xf0000000       0x10000000      MIPS-II
>>>>36      belong&0xf0000000       0x20000000      MIPS-III
>>>>36      belong&0xf0000000       0x30000000      MIPS-IV
>>>>36      belong&0xf0000000       0x40000000      MIPS-V
>>>>36      belong&0xf0000000       0x60000000      MIPS32
>>>>36      belong&0xf0000000       0x70000000      MIPS64
>>>>36      ubelong&0xf0000000      0x80000000      MIPS32 rel2
>>>>36      ubelong&0xf0000000      0x90000000      MIPS64 rel2
# only for 64-bit
>>>4        byte                    2
>>>>48      belong&0xf0000000       0x00000000      MIPS-I
>>>>48      belong&0xf0000000       0x10000000      MIPS-II
>>>>48      belong&0xf0000000       0x20000000      MIPS-III
>>>>48      belong&0xf0000000       0x30000000      MIPS-IV
>>>>48      belong&0xf0000000       0x40000000      MIPS-V
>>>>48      belong&0xf0000000       0x60000000      MIPS32
>>>>48      belong&0xf0000000       0x70000000      MIPS64 
>>>>48      ubelong&0xf0000000      0x80000000      MIPS32 rel2
>>>>48      ubelong&0xf0000000      0x90000000      MIPS64 rel2
>>16        beshort                 0               no file type,
>>16        beshort                 1               relocatable,
>>16        beshort                 2               executable,
>>16        beshort                 3               shared object,
>>16        beshort                 4               core file,
#>>>(0x38+0xcc) string    >\0        of '%s'
#>>>(0x38+0x10) belong    >0        (signal %d),
>>16        ubeshort                &0xff00         processor-specific,
>>18        beshort                 0               no machine,
>>18        beshort                 1               AT&T WE32100,
>>18        beshort                 2               SPARC,
>>18        beshort                 3               Intel 80386 - wrong byte order,{invalid}
>>18        beshort                 4               Motorola
>>>36       belong                  &0x01000000     68000,
>>>36       belong                  &0x00810000     CPU32,
>>>36       belong                  0               68020,
>>18        beshort                 5               Motorola 88000,
>>18        beshort                 6               Intel 80486 - wrong byte order,{invalid}
>>18        beshort                 7               Intel 80860 - wrong byte order,{invalid}
>>18        beshort                 8               MIPS,
>>18        beshort                 9               Amdahl,
>>18        beshort                 10              MIPS (deprecated),
>>18        beshort                 11              RS6000,
>>18        beshort                 15              PA-RISC
>>>50       beshort                 0x0214          2.0
>>>48       beshort                 &0x0008         (LP64)
>>18        beshort                 16              nCUBE,
>>18        beshort                 17              Fujitsu VPP500,
>>18        beshort                 18              SPARC32PLUS,
>>>36       belong&0xffff00         &0x000100       V8+ Required,
>>>36       belong&0xffff00         &0x000200       Sun UltraSPARC1 Extensions Required,
>>>36       belong&0xffff00         &0x000400       HaL R1 Extensions Required,
>>>36       belong&0xffff00         &0x000800       Sun UltraSPARC3 Extensions Required,
>>18        beshort                 20              PowerPC or cisco 4500,
>>18        beshort                 21              cisco 7500,
>>18        beshort                 22              IBM S/390,
>>18        beshort                 24              cisco SVIP,
>>18        beshort                 25              cisco 7200,
>>18        beshort                 36              NEC V800 or cisco 12000,
>>18        beshort                 37              Fujitsu FR20,
>>18        beshort                 38              TRW RH-32,
>>18        beshort                 39              Motorola RCE,
>>18        beshort                 40              ARM,
>>18        beshort                 41              Alpha,
>>18        beshort                 42              Hitachi SH,
>>18        beshort                 43              SPARC V9,
>>18        beshort                 44              Siemens Tricore Embedded Processor,
>>18        beshort                 45              Argonaut RISC Core, Argonaut Technologies Inc.,
>>18        beshort                 46              Hitachi H8/300,
>>18        beshort                 47              Hitachi H8/300H,
>>18        beshort                 48              Hitachi H8S,
>>18        beshort                 49              Hitachi H8/500,
>>18        beshort                 50              Intel Merced Processor,
>>18        beshort                 51              Stanford MIPS-X,
>>18        beshort                 52              Motorola Coldfire,
>>18        beshort                 53              Motorola M68HC12,
>>18        beshort                 73              Cray NV1,
>>18        beshort                 75              Digital VAX,
>>18        beshort                 97              NatSemi 32k,
>>18        ubeshort                0x9026          Alpha (unofficial),
>>18        ubeshort                0xa390          IBM S/390 (obsolete),
>>18        ubeshort                0xde3d          Ubicom32,
>>20        belong                  0               {invalid}invalid version
>>20        belong                  1               version 1
>>36        belong                  1               MathCoPro/FPU/MAU Required
# Up to now only 0, 1 and 2 are defined; I've seen a file with 0x83, it seemed
# like proper ELF, but extracting the string had bad results.
>4          byte                    <0x80
>>8         byte                    !0
>>>8        string                  x               ("%s")
>8          byte                    0
>>7         byte                    0               (SYSV)
>>7         byte                    1               (HP-UX)
>>7         byte                    2               (NetBSD)
>>7         byte                    3               (GNU/Linux)
>>7         byte                    4               (GNU/Hurd)
>>7         byte                    5               (86Open)
>>7         byte                    6               (Solaris)
>>7         byte                    7               (Monterey)
>>7         byte                    8               (IRIX)
>>7         byte                    9               (FreeBSD)
>>7         byte                    10              (Tru64)
>>7         byte                    11              (Novell Modesto)
>>7         byte                    12              (OpenBSD)
>>7         byte                    97              (ARM)
>>7         ubyte                   255             (embedded)

# Some simple Microsoft executable signatures
0           string      MZ\0\0\0\0\0\0      Microsoft executable,
>0x3c       lelong      <4                  {invalid}
>(0x3c.l)   string      !PE\0\0             MS-DOS
>(0x3c.l)   string      PE\0\0              portable (PE)

0           string      MZ                  Microsoft executable,
>0x3c       lelong      <4                  {invalid}
>(0x3c.l)   string      !PE\0\0             {invalid}
>(0x3c.l)   string      PE\0\0              portable (PE)


#------------------------------------------------------------------------------
# bFLT: file(1) magic for BFLT uclinux binary files
#
# From Philippe De Muyter <phdm@macqel.be>
# 
# Additional fields added by Craig Heffner
#
0       string      bFLT    BFLT executable
>4      belong      <1      {invalid}
>4      belong      >4      {invalid}
>4      belong      x       version %d, 
>8      ubelong     x       code offset: 0x%.8X, 
>12     ubelong     x       data segment starts at: 0x%.8X, 
>16     ubelong     x       bss segment starts at: 0x%.8X, 
>20     ubelong     x       bss segment ends at: 0x%.8X, 
>24     ubelong     x       stack size: %d bytes, 
>28     ubelong     x       relocation records start at: 0x%.8X, 
>32     ubelong     x       number of reolcation records: %d, 
>>36    belong&0x1  0x1     ram
>>36    belong&0x2  0x2     gotpic
>>36    belong&0x4  0x4     gzip
>>36    belong&0x8  0x8     gzdata


# Windows CE package files
0       string          MSCE\0\0\0\0    Microsoft WinCE installer
>20     lelong          0               \b, architecture-independent
>20     lelong          103             \b, Hitachi SH3
>20     lelong          104             \b, Hitachi SH4
>20     lelong          0xA11           \b, StrongARM
>20     lelong          4000            \b, MIPS R4000
>20     lelong          10003           \b, Hitachi SH3
>20     lelong          10004           \b, Hitachi SH3E
>20     lelong          10005           \b, Hitachi SH4
>20     lelong          70001           \b, ARM 7TDMI
>52     leshort         1               \b, 1 file
>52     uleshort        >1              \b, %u files
>56     leshort         1               \b, 1 registry entry
>56     uleshort        >1              \b, %u registry entries

#------------------------------------------------------------------------------
# motorola:  file(1) magic for Motorola 68K and 88K binaries
#
# 68K
#
# These signatures are useless without further sanity checking. Disable them until 
# that can be implemented.
#0       beshort         0x0208          mc68k COFF
#>18     beshort         ^00000020       object
#>18     beshort         &00000020       executable
#>12     belong          >0              not stripped
#>168    string          .lowmem         Apple toolbox
#>20     beshort         0407            (impure)
#>20     beshort         0410            (pure)
#>20     beshort         0413            (demand paged)
#>20     beshort         0421            (standalone)
#0       beshort         0x0209          mc68k executable (shared)
#>12     belong          >0              not stripped
#0       beshort         0x020A          mc68k executable (shared demand paged)
#>12     belong          >0              not stripped


#------------------------------------------------------------------------------
# Sony Playstation executables (Adam Sjoegren <asjo@diku.dk>) :
0       string  PS-X\x20EXE     Sony Playstation executable,
#  Area:
>113    string  x               "%s"

#------------------------------------------------------------------------------
# cisco:  file(1) magic for cisco Systems routers
#
# Most cisco file-formats are covered by the generic elf code
0   string      \x85\x01\x14    Cisco IOS microcode,
>7  byte        0               {invalid}
>7  string      x               for "%s"

0   string      \x85\x01\xcb    Cisco IOS experimental microcode,
>7  byte        0               {invalid}
>7  string      x               for "%s"

# EST flat binary format (which isn't, but anyway)
# From: Mark Brown <broonie@sirena.org.uk>
0    string    ESTFBINR    EST flat binary

# These are not the binaries themselves, but string references to them
# are a strong indication that they exist elsewhere...
#0    string    /bin/busybox    Busybox string reference: "%s"{one-of-many}
#0    string /bin/sh        Shell string reference: "%s"{one-of-many}

# Mach-O's
0    string \xca\xfe\xba\xbe\x00\x00\x00\x01    Mach-O universal binary with 1 architecture
0    string \xca\xfe\xba\xbe\x00\x00\x00\x02    Mach-O universal binary with 2 architectures
0    string \xca\xfe\xba\xbe\x00\x00\x00\x03    Mach-O universal binary with 3 architectures
0    string \xca\xfe\xba\xbe\x00\x00\x00\x04    Mach-O universal binary with 4 architectures
0    string \xca\xfe\xba\xbe\x00\x00\x00\x05    Mach-O universal binary with 5 architectures
0    string \xca\xfe\xba\xbe\x00\x00\x00\x06    Mach-O universal binary with 6 architectures
0    string \xca\xfe\xba\xbe\x00\x00\x00\x07    Mach-O universal binary with 7 architectures
0    string \xca\xfe\xba\xbe\x00\x00\x00\x08    Mach-O universal binary with 8 architectures
0    string \xca\xfe\xba\xbe\x00\x00\x00\x0a    Mach-O universal binary with 9 architectures
0    string \xca\xfe\xba\xbe\x00\x00\x00\x0b    Mach-O universal binary with 10 architectures
0    string \xca\xfe\xba\xbe\x00\x00\x00\x0c    Mach-O universal binary with 11 architectures
0    string \xca\xfe\xba\xbe\x00\x00\x00\x0d    Mach-O universal binary with 12 architectures
0    string \xca\xfe\xba\xbe\x00\x00\x00\x0e    Mach-O universal binary with 13 architectures
0    string \xca\xfe\xba\xbe\x00\x00\x00\x0f    Mach-O universal binary with 14 architectures
0    string \xca\xfe\xba\xbe\x00\x00\x00\x10    Mach-O universal binary with 15 architectures
0    string \xca\xfe\xba\xbe\x00\x00\x00\x11    Mach-O universal binary with 16 architectures
0    string \xca\xfe\xba\xbe\x00\x00\x00\x12    Mach-O universal binary with 17 architectures
0    string \xca\xfe\xba\xbe\x00\x00\x00\x13    Mach-O universal binary with 18 architectures

# The magic bytes for Java .class files is 0xcafebabe, but AFAIK all major version numbers are less than 255
# and all minor version numbers are 0. This gives us three more bytes we can signature on.
0       string          \xca\xfe\xba\xbe\x00\x00\x00    Compiled Java class data,
>6      beshort         x                               version %d.
>4      beshort         x                               \b%d
# Which is which?
>4      belong          0x032d                          (Java 1.0/1.1)
#>4     belong          0x032d                          (Java 1.1)
>4      belong          0x002e                          (Java 1.2)
>4      belong          0x002f                          (Java 1.3)
>4      belong          0x0030                          (Java 1.4)
>4      belong          0x0031                          (Java 1.5)
>4      belong          0x0032                          (Java 1.6)
>4      belong          >0x0050                         {invalid}

# Summary: HP-38/39 calculator
0       string          HP38Bin         HP 38 binary
>7      string          A               (Directory List)
>7      string          B               (Zaplet)
>7      string          C               (Note)
>7      string          D               (Program)
>7      string          E               (Variable)
>7      string          F               (List)
>7      string          G               (Matrix)
>7      string          H               (Library)
>7      string          I               (Target List)
>7      string          J               (ASCII Vector specification)
>7      string          K               (wildcard)
>7      byte            <0x41           {invalid}
>7      byte            >0x4B           {invalid}

0       string          HP39Bin         HP 39 binary
>7      string          A               (Directory List)
>7      string          B               (Zaplet)
>7      string          C               (Note)
>7      string          D               (Program)
>7      string          E               (Variable)
>7      string          F               (List)
>7      string          G               (Matrix)
>7      string          H               (Library)
>7      string          I               (Target List)
>7      string          J               (ASCII Vector specification)
>7      string          K               (wildcard)
>7      byte            <0x41           {invalid}
>7      byte            >0x4B           {invalid}

0       string          HP38Asc         HP 38 ASCII
>7      string          A               (Directory List)
>7      string          B               (Zaplet)
>7      string          C               (Note)
>7      string          D               (Program)
>7      string          E               (Variable)
>7      string          F               (List)
>7      string          G               (Matrix)
>7      string          H               (Library)
>7      string          I               (Target List)
>7      string          J               (ASCII Vector specification)
>7      string          K               (wildcard)
>7      byte            <0x41           {invalid}
>7      byte            >0x4B           {invalid}

0       string          HP39Asc         HP 39 ASCII
>7      string          A               (Directory List)
>7      string          B               (Zaplet)
>7      string          C               (Note)
>7      string          D               (Program)
>7      string          E               (Variable)
>7      string          F               (List)
>7      string          G               (Matrix)
>7      string          H               (Library)
>7      string          I               (Target List)
>7      string          J               (ASCII Vector specification)
>7      string          K               (wildcard)
>7      byte            <0x41           {invalid}
>7      byte            >0x4B           {invalid}

# Summary: HP-48/49 calculator
0       string          HPHP48          HP 48 binary
>8      leshort         0x2911          (ADR)
>8      leshort         0x2933          (REAL)
>8      leshort         0x2955          (LREAL)
>8      leshort         0x2977          (COMPLX)
>8      leshort         0x299d          (LCOMPLX)
>8      leshort         0x29bf          (CHAR)
>8      leshort         0x29e8          (ARRAY)
>8      leshort         0x2a0a          (LNKARRAY)
>8      leshort         0x2a2c          (STRING)
>8      leshort         0x2a4e          (HXS)
>8      leshort         0x2a74          (LIST)
>8      leshort         0x2a96          (DIR)
>8      leshort         0x2ab8          (ALG)
>8      leshort         0x2ada          (UNIT)
>8      leshort         0x2afc          (TAGGED)
>8      leshort         0x2b1e          (GROB)
>8      leshort         0x2b40          (LIB)
>8      leshort         0x2b62          (BACKUP)
>8      leshort         0x2b88          (LIBDATA)
>8      leshort         0x2d9d          (PROG)
>8      leshort         0x2dcc          (CODE)
>8      leshort         0x2e48          (GNAME)
>8      leshort         0x2e6d          (LNAME)
>8      leshort         0x2e92          (XLIB)
>8      leshort        <0x2911          {invalid}
>8      leshort        >0x2e92          {invalid}

0       string          HPHP49          HP 49 binary
>8      leshort         0x2911          (ADR)
>8      leshort         0x2933          (REAL)
>8      leshort         0x2955          (LREAL)
>8      leshort         0x2977          (COMPLX)
>8      leshort         0x299d          (LCOMPLX)
>8      leshort         0x29bf          (CHAR)
>8      leshort         0x29e8          (ARRAY)
>8      leshort         0x2a0a          (LNKARRAY)
>8      leshort         0x2a2c          (STRING)
>8      leshort         0x2a4e          (HXS)
>8      leshort         0x2a74          (LIST)
>8      leshort         0x2a96          (DIR)
>8      leshort         0x2ab8          (ALG)
>8      leshort         0x2ada          (UNIT)
>8      leshort         0x2afc          (TAGGED)
>8      leshort         0x2b1e          (GROB)
>8      leshort         0x2b40          (LIB)
>8      leshort         0x2b62          (BACKUP)
>8      leshort         0x2b88          (LIBDATA)
>8      leshort         0x2d9d          (PROG)
>8      leshort         0x2dcc          (CODE)
>8      leshort         0x2e48          (GNAME)
>8      leshort         0x2e6d          (LNAME)
>8      leshort         0x2e92          (XLIB)
>8      leshort         <0x2911         {invalid}
>8      leshort         >0x2e92         {invalid}

0       string          \x23\x21/       Executable script,
>6      byte            !0x2F
>>7     byte            !0x2F           {invalid}
>2      string          x               shebang: "%s"

0       string          \x23\x21\x20/   Executable script,
>7      byte            !0x2F
>>8     byte            !0x2F           {invalid}
>3      string          x               shebang: "%s"

