#------------------Compression Formats----------------------------- # Stuffit archives are the de facto standard of compression for Macintosh # files obtained from most archives. (franklsm@tuns.ca) # Found in some firmware updates. 0 string SIT! StuffIt Archive (data) >2 string x \b: %s 0 string SITD StuffIt Deluxe (data) >2 string x \b: %s 0 string Sef StuffIt Deluxe Segment (data) >2 string x \b: %s # Newer StuffIt archives (grant@netbsd.org) 0 string StuffIt StuffIt Archive # AFX compressed files (Wolfram Kleff) 2 string -afx AFX compressed file data >6 string !- {invalid} # bzip2 0 string BZh91AY&SY bzip2 compressed data, block size = 900k 0 string BZh81AY&SY bzip2 compressed data, block size = 800k 0 string BZh71AY&SY bzip2 compressed data, block size = 700k 0 string BZh61AY&SY bzip2 compressed data, block size = 600k 0 string BZh51AY&SY bzip2 compressed data, block size = 500k 0 string BZh41AY&SY bzip2 compressed data, block size = 400k 0 string BZh31AY&SY bzip2 compressed data, block size = 300k 0 string BZh21AY&SY bzip2 compressed data, block size = 200k 0 string BZh11AY&SY bzip2 compressed data, block size = 100k # lzop from 0 string \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a lzop compressed data, >9 beshort >0x093F {invalid} >9 beshort <0x0940 >>9 byte&0xf0 =0x00 - version 0. >>9 beshort&0x0fff x \b%03x, >>9 beshort&0x0fff <1 {invalid} >>13 byte 1 LZO1X-1, >>13 byte 2 LZO1X-1(15), >>13 byte 3 LZO1X-999, >>14 byte =0x00 os: MS-DOS >>14 byte =0x01 os: Amiga >>14 byte =0x02 os: VMS >>14 byte =0x03 os: Unix >>14 byte =0x05 os: Atari >>14 byte =0x06 os: OS/2 >>14 byte =0x07 os: MacOS >>14 byte =0x0A os: Tops/20 >>14 byte =0x0B os: WinNT >>14 byte =0x0E os: Win32 >9 beshort >0x0939 >>9 byte&0xf0 =0x00 - version 0. >>9 byte&0xf0 =0x10 - version 1. >>9 byte&0xf0 =0x20 - version 2. >>9 beshort&0x0fff x \b%03x, >>15 byte 1 LZO1X-1, >>15 byte 2 LZO1X-1(15), >>15 byte 3 LZO1X-999, >>17 byte =0x00 os: MS-DOS >>17 byte =0x01 os: Amiga >>17 byte =0x02 os: VMS >>17 byte =0x03 os: Unix >>17 byte =0x05 os: Atari >>17 byte =0x06 os: OS/2 >>17 byte =0x07 os: MacOS >>17 byte =0x0A os: Tops/20 >>17 byte =0x0B os: WinNT >>17 byte =0x0E os: Win32 # lzip 0 string LZIP lzip compressed data, >4 ubyte 0 {invalid} # Current version is still 1.x >4 ubyte >4 {invalid} >4 byte x version: %d # lrzip 0 string LRZI lrzip compressed data # LZO 0 string \211LZO\000\015\012\032\012 LZO compressed data # 7-zip archiver, from Thomas Klausner (wiz@danbala.tuwien.ac.at) # http://www.7-zip.org or DOC/7zFormat.txt # 0 string 7z\274\257\047\034 7-zip archive data, >6 byte <0 {invalid} >6 byte 0 >>7 byte 0 {invalid} >6 byte >20 {invalid} >6 byte x version %d >7 byte x \b.%d # standard unix compress # Disabled until a python alternative can be found for the compress binwalk plugin. #0 string \x1f\x9d\x90 compress'd data, 16 bits # http://tukaani.org/xz/xz-file-format.txt 0 string \xFD\x37\x7a\x58\x5a\x00 xz compressed data # gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver) # Edited by Chris Chittleborough , March 2002 # * Original filename is only at offset 10 if "extra field" absent # * Produce shorter output - notably, only report compression methods # other than 8 ("deflate", the only method defined in RFC 1952). #0 string \037\213\x08 gzip compressed data 0 string \x1f\x8b\x08 gzip compressed data >3 byte &0x01 \b, ASCII >3 byte&0xE0 !0x00 \b, {invalid}invalid reserved flag bits >8 byte 2 \b, maximum compression >8 byte 4 \b, fastest compression >8 byte 1 \b, {invalid}invalid extra flags >8 byte 3 \b, {invalid}invalid extra flags >8 byte >4 \b, {invalid}invalid extra flags >3 byte &0x02 \b, has header CRC >3 byte&0x04 0x04 >>10 leshort x \b, has %d bytes of extra data >>10 leshort <0 {invalid}(invalid extra data size) >3 byte&0xC =0x08 \b, has original file name >>10 string x \b: "%s"{name:%s} >3 byte &0x10 \b, has comment >>3 byte&0xC 0 >>>10 string x \b: "%s" >9 byte =0x00 \b, from FAT filesystem (MS-DOS, OS/2, NT) >9 byte =0x01 \b, from Amiga >9 byte =0x02 \b, from VMS >9 byte =0x03 \b, from Unix >9 byte =0x04 \b, from VM/CMS >9 byte =0x05 \b, from Atari >9 byte =0x06 \b, from HPFS filesystem (OS/2, NT) >9 byte =0x07 \b, from MacOS >9 byte =0x08 \b, from Z-System >9 byte =0x09 \b, from CP/M >9 byte =0x0A \b, from TOPS/20 >9 byte =0x0B \b, from NTFS filesystem (NT) >9 byte =0x0C \b, from QDOS >9 byte =0x0D \b, from Acorn RISCOS >3 byte &0x20 \b, encrypted{invalid} # Dates before 1992 are {invalid}, unless of course you're DD-WRT in which # case you don't know how to set a date in your gzip files. Brilliant. >4 uledate x \b, last modified: %s >4 lelong =0 (null date) >4 lelong !0 >>4 lelong <694224000 (bogus date) >>4 lelong =694224000 (bogus date) # Supplementary magic data for the file(1) command to support # rzip(1). The format is described in magic(5). # # Copyright (C) 2003 by Andrew Tridgell. You may do whatever you want with # this file. # 0 string RZIP rzip compressed data >4 byte x - version %d >5 byte x \b.%d >6 belong x (%d bytes) # JAR 0 belong 0xcafed00d JAR compressed with pack200, >5 byte x version %d. >4 byte x \b%d # New LZMA format signature # See lzma file for LZMA signatures 0 string \xFFLZMA\x00 LZMA compressed data (new), >6 byte&0x10 0 single-block stream >6 byte&0x10 0x10 multi-block stream 0 string \xff\x06\x00\x00\x73\x4e\x61\x50\x70\x59 Snappy compression, stream identifier # KGB Archiver http://www.garykessler.net/library/file_sigs.html 0 string \x4B\x47\x42\x5F\x61\x72\x63\x68\x20\x2D KGB archive #0 beshort 0x7801 Zlib header, no compression 0 beshort 0x789c Zlib compressed data, default compression 0 beshort 0x78da Zlib compressed data, best compression 0 beshort 0x785e Zlib compressed data, compressed # http://justsolve.archiveteam.org/wiki/LZ4 0 belong 0x04224D18 LZ4 compressed data 0 belong 0x02214C18 LZ4 compressed data, legacy