# ----------------------------Archive Formats--------------------------------------

# POSIX tar archives
0	string		ustar\000		POSIX tar archive{offset-adjust:-257}
>8	byte		!0
>>8	string		x			\b, owner user name: "%.32s"
>40	byte		!0
>>40	string		x			\b, owner group name: "%.32s"

0	string          ustar\040\040\000	POSIX tar archive (GNU){offset-adjust:-257}
>8	byte		!0
>>8	string		x			\b, owner user name: "%.32s"
>40	byte		!0
>>40	string		x			\b, owner group name: "%.32s"

# Incremental snapshot gnu-tar format from:
# http://www.gnu.org/software/tar/manual/html_node/Snapshot-Files.html
0       string          GNU\x20tar-     GNU tar incremental snapshot data,
>0	string		x		version: "%s"

# JAR archiver (.j), this is the successor to ARJ, not Java's JAR (which is essentially ZIP)
0       string  \x1aJar\x1b JAR (ARJ Software, Inc.) archive data{offset-adjust:-14}
0       string  JARCS JAR (ARJ Software, Inc.) archive data

# PKZIP multi-volume archive
0       string          PK\x07\x08PK\x03\x04    Zip multi-volume archive data, at least PKZIP v2.50 to extract

# ZIP compression (Greg Roelofs, c/o zip-bugs@wkuvx1.wku.edu)
0		string		PK\003\004      Zip
>6		leshort		&0x01			encrypted
>0		byte		x				archive data,
>4      byte		0x00            v0.0
>4      byte		0x09            at least v0.9 to extract,
>4      byte		0x0a            at least v1.0 to extract,
>4      byte		0x0b            at least v1.1 to extract,
>0x161  string		WINZIP          WinZIP self-extracting,
>4      byte		0x14
>>30    ubelong		!0x6d696d65     at least v2.0 to extract,
>18		lelong		!0
>>18	lelong		<0				invalid
>>18	lelong		x				compressed size: %d,
>>18	lelong		x				{jump-to-offset:%d}
>22		lelong		!0
>>22	lelong		<0				invalid
>>22	lelong		x				uncompressed size: %d,{extract-delay:End of Zip archive}
>30     byte        <0x2D           invalid file name,
>30     byte        >0x7A           invalid file name, 
>30		string		x				name: {raw-replace}
>26		leshort		x				{raw-string-length:%d}
>30		string		x				{raw-string:%s
>61		string		x				\b%s
>92		string		x				\b%s
>123	string		x				\b%s
>154	string		x				\b%s}

# ZIP footer
0	string		PK\x05\x06	End of Zip archive
#>10	leshort		x		number of records: %d,
#>12	leshort		x		size of central directory: %d
#>20	leshort		x		{offset-adjust:22+%d}
>20	leshort		>0
>>20	leshort		x		\b, comment: {raw-replace}
>>20	leshort		x		{raw-string-length:%d}
>>22	string		x		{raw-string:%s}

# ARJ archiver (jason@jarthur.Claremont.EDU)
0       leshort         0xea60          ARJ archive data,
>2	leshort		x		header size: %d,
>5	byte		<1		invalid
>5	byte		>16		invalid
>5      byte            x               version %d,
>6	byte		<1		invalid
>6	byte		>16		invalid
>6	byte		x		minimum version to extract: %d,
>8	byte		<0		invalid flags,
>8      byte            &0x04           multi-volume,
>8      byte            &0x10           slash-switched,
>8      byte            &0x20           backup,
>9	byte		<0		invalid compression method,
>9	byte		>4		invalid compression method,
>9	byte		0		compression method: stored,
>9	byte		1		compression method: compressed most,
>9	byte		2		compression method: compressed,
>9	byte		3		compression method: compressed faster,
>9	byte		4		compression method: compressed fastest,
>10	byte		<0		invalid file type
>10	byte		>4		invalid file type
>10	byte 		0		file type: binary,
>10	byte 		1		file type: 7-bit text,
>10	byte 		2		file type: comment header,
>10	byte 		3		file type: directory,
>10	byte 		4		file type: volume label,
>34	byte		!0
>>34	string		x		{file-name:%s}
>>34    string          x               original name: "%s",
>0xC	ledate		x		original file date: %s,
>0x10	lelong		<0		invalid
>0x10	lelong		x		compressed file size: %d,
>0x14	lelong		<0		invalid
>0x14	lelong		x		uncompressed file size: %d,
>7      byte            0               os: MS-DOS 
>7      byte            1               os: PRIMOS
>7      byte            2               os: Unix
>7      byte            3               os: Amiga
>7      byte            4               os: Macintosh
>7      byte            5               os: OS/2
>7      byte            6               os: Apple ][ GS
>7      byte            7               os: Atari ST
>7      byte            8               os: NeXT
>7      byte            9               os: VAX/VMS
>7	byte		>9		invalid os
>7	byte		<0		invalid os

# RAR archiver (Greg Roelofs, newt@uchicago.edu)
0	string		Rar!		RAR archive data

# HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz)
0	string		HPAK		HPACK archive data

# JAM Archive volume format, by Dmitry.Kohmanyuk@UA.net
0	string		\351,\001JAM	JAM archive

# LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu)
0	string		-lzs-		LHa 2.x? archive data [lzs] [NSRL|LHA2]{offset-adjust:-2}
0	string		-lh\40-		LHa 2.x? archive data [lh ] [NSRL|LHA2]{offset-adjust:-2}
0	string		-lhd-		LHa 2.x? archive data [lhd] [NSRL|LHA2]{offset-adjust:-2}
0	string		-lh2-		LHa 2.x? archive data [lh2] [NSRL|LHA2]{offset-adjust:-2}
0	string		-lh3-		LHa 2.x? archive data [lh3] [NSRL|LHA2]{offset-adjust:-2}
0	string		-lh4-		LHa (2.x) archive data [lh4] [NSRL|LHA2]{offset-adjust:-2}
0	string		-lh5-		LHa (2.x) archive data [lh5] [NSRL|LHA2]{offset-adjust:-2}
0	string		-lh6-		LHa (2.x) archive data [lh6] [NSRL|LHA2]{offset-adjust:-2}
0	string		-lh7-		LHa (2.x) archive data [lh7] [NSRL|LHA2]{offset-adjust:-2}


# cpio archives
#
# The SVR4 "cpio(4)" hints that there are additional formats, but they
# are defined as "short"s; I think all the new formats are
# character-header formats and thus are strings, not numbers.
#0       string          070707          ASCII cpio archive (pre-SVR4 or odc)

# WARNING: The jump-to-offset value in the ASCII cpio signatures below is a terrible hack.
#          This keyword is not intended to be passed a string (%s), and doing so can open
#          up the possibility of keyword injection by a malicious file. This works here though, because:
#
#          	1) It would result in an invalid CPIO file (invalid size)
#           2) All valid keywords require more than 8 bytes, so a valid one can't be
#              injected in the %.8s field.

0       string      070701  ASCII cpio archive (SVR4 with no CRC),
>110	byte		0		invalid
#>110	byte		!0x2F
#>>110	string		!TRAILER!!!	invalid
>94     byte        <0x30   invalid
>94     byte        >0x66   invalid
>54     byte        <0x30   invalid
>54     byte        >0x66   invalid
>110	string		x		file name: "%s",
>94	    string		x		file name length: "0x%.8s",
>54	    string		x		file size: "0x%.8s"
>54	    string		x		{jump-to-offset:0x%.8s+110+
>94	    string		x		\b0x%.8s}

0       string      070702  ASCII cpio archive (SVR4 with CRC)
>110	byte		0		invalid
#>110	byte		!0x2F
#>>110	string		!TRAILER!!!	invalid
>94     byte        <0x30   invalid
>94     byte        >0x66   invalid
>54     byte        <0x30   invalid
>54     byte        >0x66   invalid
>110	string		x		file name: "%s",
>94	    string		x		file name length: "0x%.8s",
>54	    string		x		file size: "0x%.8s"
>54	    string		x		{jump-to-offset:0x%.8s+110+
>94	    string		x		\b0x%.8s}


# HP Printer Job Language
# The header found on Win95 HP plot files is the "Silliest Thing possible" 
# (TM)
# Every driver puts the language at some random position, with random case
# (LANGUAGE and Language)
# For example the LaserJet 5L driver puts the "PJL ENTER LANGUAGE" in line 10
# From: Uwe Bonnes <bon@elektron.ikp.physik.th-darmstadt.de>
# 
0       string          \033%-12345X@PJL        HP Printer Job Language data
>&0     string          >\0                     "%s"
>>&0    string          >\0                     "%s"
>>>&0   string          >\0                     "%s"
>>>>&0  string          >\0                     "%s"

#------------------------------------------------------------------------------
#
# RPM: file(1) magic for Red Hat Packages   Erik Troan (ewt@redhat.com)
#
0	belong		0xedabeedb	RPM
>4	byte		x		v%d
>6	beshort		0		bin
>6	beshort		1		src
>8	beshort		1		i386
>8	beshort		2		Alpha
>8	beshort		3		Sparc
>8	beshort		4		MIPS
>8	beshort		5		PowerPC
>8	beshort		6		68000
>8	beshort		7		SGI
>8	beshort		8		RS6000
>8	beshort		9		IA64
>8	beshort		10		Sparc64
>8	beshort		11		MIPSel
>8	beshort		12		ARM
>10	string		x		"%s"

# IBM AIX Backup File Format header and entry signatures
0	lelong	0xea6b0009	BFF volume header,
>4	leshort	x		checksum: 0x%.4X,
>6	leshort	<0		invalid
>6	leshort	0		invalid
>6	leshort	x		volume number: %d,
>8	ledate	x		current date: %s,
>12	ledate	x		starting date: %s,
>20	string	x		disk name: "%s",
>36	string	x		file system name: "%s",
>52	string	x		user name: "%s"

0	leshort	0xea6b		BFF volume entry,{offset-adjust:-2}
>22	lelong	<0		invalid
>22	lelong	0		directory,
>22	lelong	>0
>>22	lelong	x		file size: %d,
>>54	lelong	<0		invalid
>>54	lelong	0		invalid
>>54	lelong	x		compressed size: %d,
>58	lelong	!0		invalid
>62	byte	0		invalid
>62	byte	!0x2e
>>62	byte	!0x2f		invalid
>62	string	x		file name: "%s
>92	string	x		\b%s"

0	leshort	0xea6c		BFF volume entry, compressed,{offset-adjust:-2}
>22	lelong	<0		invalid
>22	lelong	0		directory,
>22	lelong	>0
>>22	lelong	x		file size: %d,
>>54	lelong	<0		invalid
>>54	lelong	0		invalid
>>54	lelong	x		compressed size: %d,
>58	lelong	!0		invalid
>62	byte	0		invalid
>62	byte	!0x2e
>>62	byte	!0x2f		invalid
>62	string	x		file name: "%s
>92	string	x		\b%s"

0	leshort	0xea6d		BFF volume entry, AIXv3,{offset-adjust:-2}
>22	lelong	<0		invalid
>22	lelong	0		directory,
>22	lelong	>0
>>22	lelong	x		file size: %d,
>>54	lelong	<0		invalid
>>54	lelong	0		invalid
>>54	lelong	x		compressed size: %d,
>58	lelong	!0		invalid
>62	byte	0		invalid
>62	byte	!0x2e
>>62	byte	!0x2f		invalid
>62	string	x		file name: "%s
>92	string	x		\b%s"

#------------------------------------------------------------------------------
# From Stuart Caie <kyzer@4u.net> (developer of cabextract)
# Microsoft Cabinet files
0       string          MSCF\0\0\0\0    Microsoft Cabinet archive data
# According to libmagic comments, CAB version number is always 1.3
>25	byte		!1		\b,invalid major version
>24	byte		!3		\b,invalid minor version
>8      lelong          x               \b, %u bytes
>28	leshort		0		\b, 0 files (invalid)
>28     leshort         1               \b, 1 file
>28     leshort         >1              \b, %u files

# InstallShield Cabinet files
0       string          ISc(            InstallShield Cabinet archive data
# TODO: Version number checks should be made more specific for false positive filtering
>5      byte&0xf0       =0x60           version 6,
>5      byte&0xf0       <0x60           version 4/5,
>5      byte&0xf0       >0x60           invalid version,
>12     lelong          <0              invalid offset,
>12     lelong          >100000         invalid offset,
>(12.l+40)      lelong  x               %u files

# Windows CE package files
0       string          MSCE\0\0\0\0    Microsoft WinCE install header
>20     lelong          0               \b, architecture-independent
>20     lelong          103             \b, Hitachi SH3
>20     lelong          104             \b, Hitachi SH4
>20     lelong          0xA11           \b, StrongARM
>20     lelong          4000            \b, MIPS R4000
>20     lelong          10003           \b, Hitachi SH3
>20     lelong          10004           \b, Hitachi SH3E
>20     lelong          10005           \b, Hitachi SH4
>20     lelong          70001           \b, ARM 7TDMI
>52     leshort         1               \b, 1 file
>52     leshort         >1              \b, %u files
>56     leshort         1               \b, 1 registry entry
>56     leshort         >1              \b, %u registry entries

0       string  \0\ \ \ \ \ \ \ \ \ \ \ \0\0    LBR archive data

# Parity archive reconstruction file, the 'par' file format now used on Usenet.
0       string          PAR\0   PARity archive data
>48     leshort         =0      - Index file
>48     leshort         >0      - file number %d

# Felix von Leitner <felix-file@fefe.de>
0       string  d8:announce     BitTorrent file

#---------------------------Bootloaders--------------------------------

# CFE bootloader
0	string	CFE1CFE1	CFE boot loader
>40	string	CFE1CFE1	invalid

# U-Boot boot loader
0	string	U-Boot\x20  U-Boot version string,
>7  byte    <48         invalid,
>7  byte    >57         invalid,
>8  byte    !0x2E       invalid,
>0  string  x           "%s"

#------------------Compression Formats-----------------------------

# AFX compressed files (Wolfram Kleff)
0	string		-afx-		AFX compressed file data{offset-adjust:-2}

# bzip2
0	string BZh91AY&SY	bzip2 compressed data, block size = 900k
0	string BZh81AY&SY	bzip2 compressed data, block size = 800k
0	string BZh71AY&SY	bzip2 compressed data, block size = 700k
0	string BZh61AY&SY	bzip2 compressed data, block size = 600k
0	string BZh51AY&SY	bzip2 compressed data, block size = 500k
0	string BZh41AY&SY	bzip2 compressed data, block size = 400k
0	string BZh31AY&SY	bzip2 compressed data, block size = 300k
0	string BZh21AY&SY	bzip2 compressed data, block size = 200k
0	string BZh11AY&SY	bzip2 compressed data, block size = 100k

# lzop from <markus.oberhumer@jk.uni-linz.ac.at>
0	string		\x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a	lzop compressed data
>9	beshort		<0x0940
>>9	byte&0xf0	=0x00		- version 0.
>>9	beshort&0x0fff	x		\b%03x,
>>13	byte		1		LZO1X-1,
>>13	byte		2		LZO1X-1(15),
>>13	byte		3		LZO1X-999,
## >>22	bedate		>0		last modified: %s,
>>14	byte		=0x00		os: MS-DOS
>>14	byte		=0x01		os: Amiga
>>14	byte		=0x02		os: VMS
>>14	byte		=0x03		os: Unix
>>14	byte		=0x05		os: Atari
>>14	byte		=0x06		os: OS/2
>>14	byte		=0x07		os: MacOS
>>14	byte		=0x0A		os: Tops/20
>>14	byte		=0x0B		os: WinNT
>>14	byte		=0x0E		os: Win32
>9	beshort		>0x0939
>>9	byte&0xf0	=0x00		- version 0.
>>9	byte&0xf0	=0x10		- version 1.
>>9	byte&0xf0	=0x20		- version 2.
>>9	beshort&0x0fff	x		\b%03x,
>>15	byte		1		LZO1X-1,
>>15	byte		2		LZO1X-1(15),
>>15	byte		3		LZO1X-999,
## >>25	bedate		>0		last modified: %s,
>>17	byte		=0x00		os: MS-DOS
>>17	byte		=0x01		os: Amiga
>>17	byte		=0x02		os: VMS
>>17	byte		=0x03		os: Unix
>>17	byte		=0x05		os: Atari
>>17	byte		=0x06		os: OS/2
>>17	byte		=0x07		os: MacOS
>>17	byte		=0x0A		os: Tops/20
>>17	byte		=0x0B		os: WinNT
>>17	byte		=0x0E		os: Win32

# lzip  
0       string          LZIP            lzip compressed data
>4      byte            x               \b, version: %d

# lrzip
0       string          LRZI            lrzip compressed data

# LZO
0	string		\211LZO\000\015\012\032\012	LZO compressed data

# 7-zip archiver, from Thomas Klausner (wiz@danbala.tuwien.ac.at)
# http://www.7-zip.org or DOC/7zFormat.txt 
#
0       string          7z\274\257\047\034      7-zip archive data,
>6	byte		<0			invalid
>6	byte		0			
>>7	byte		0			invalid
>6	byte		>20			invalid
>6      byte            x                       version %d
>7      byte            x                       \b.%d

# standard unix compress
# Implemented in the compress binwalk plugin.
#0       string		\x1f\x9d\x90          compress'd data, 16 bits

# http://tukaani.org/xz/xz-file-format.txt
0	string		\xFD\x37\x7a\x58\x5a\x00	xz compressed data

# gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver)
#   Edited by Chris Chittleborough <cchittleborough@yahoo.com.au>, March 2002
#       * Original filename is only at offset 10 if "extra field" absent
#       * Produce shorter output - notably, only report compression methods
#         other than 8 ("deflate", the only method defined in RFC 1952).
#0       string          \037\213\x08    gzip compressed data
0	string		\x1f\x8b\x08	gzip compressed data
>3      byte            &0x01           \b, ASCII
>3	byte&0xE0	!0x00		\b, invalid reserved flag bits
>8	byte		2		\b, maximum compression
>8	byte		4		\b, fastest compression
>8	byte		1		\b, invalid extra flags
>8	byte		3		\b, invalid extra flags
>8	byte		>4		\b, invalid extra flags
>3      byte            &0x02           \b, has header CRC
>3      byte&0x04       0x04
>>10	leshort		x		\b, has %d bytes of extra data
>3      byte&0xC        =0x08		\b, has original file name
>>10	string		x		\b{file-name:%s}
>>10    string          x               \b: "%s"
>3      byte            &0x10           \b, has comment
>>3	byte&0xC	0
>>>10	string		x		\b: "%s"
>9      byte            =0x00           \b, from FAT filesystem (MS-DOS, OS/2, NT)
>9      byte            =0x01           \b, from Amiga
>9      byte            =0x02           \b, from VMS
>9      byte            =0x03           \b, from Unix
>9      byte            =0x04           \b, from VM/CMS
>9      byte            =0x05           \b, from Atari
>9      byte            =0x06           \b, from HPFS filesystem (OS/2, NT)
>9      byte            =0x07           \b, from MacOS
>9      byte            =0x08           \b, from Z-System
>9      byte            =0x09           \b, from CP/M
>9      byte            =0x0A           \b, from TOPS/20
>9      byte            =0x0B           \b, from NTFS filesystem (NT)
>9      byte            =0x0C           \b, from QDOS
>9      byte            =0x0D           \b, from Acorn RISCOS
#>9	byte		=0xFF		\b, from ZyNOS
#>9	byte		>0x0D		\b, invalid
#>>9	byte		x		source: 0x%.2X
#>9	byte		<0		\b, invalid
#>>9	byte		x		source: 0x%.2X
>3      byte            &0x20           \b, encrypted (invalid)
# Dates before 1992 are invalid, unless of course you're DD-WRT in which
# case you don't know how to set a date in your gzip files. Brilliant.
>4	lelong		=0		\b, NULL date:
>4	lelong		<0		\b, invalid date:
>4	lelong		>0		
>>4	lelong		<694224000	\b, invalid date:
>>4	lelong		=694224000	\b, invalid date:
>>4	lelong		>694224000	\b, last modified:
>4      ledate          x               %s
>4	lelong		x		\b{file-epoch:%d}

# Zlib signatures
# Too short to be useful on their own; see:
#
#	o src/binwalk/magic/zlib
#	o src/binwalk/plugins/zlib.py
#
#0	beshort		0x789C		zlib compressed data
#0	beshort		0x78DA		zlib compressed data
#0	beshort		0x7801		zlib compressed data

# Supplementary magic data for the file(1) command to support
# rzip(1).  The format is described in magic(5).
#
# Copyright (C) 2003 by Andrew Tridgell.  You may do whatever you want with
# this file.
#
0       string          RZIP            rzip compressed data
>4      byte            x               - version %d
>5      byte            x               \b.%d
>6      belong          x               (%d bytes)

# JAR
0       belong          0xcafed00d      JAR compressed with pack200,
>5      byte            x               version %d.
>4      byte            x               \b%d

# New LZMA format signature
# See lzma file for LZMA signatures
0	string		\xFFLZMA\x00	LZMA compressed data (new),
>6	byte&0x10	0				single-block stream
>6	byte&0x10	0x10			multi-block stream

0	string	\xff\x06\x00\x00\x73\x4e\x61\x50\x70\x59	Snappy compression, stream identifier

0   string	\x1f\x9d\x90	compress'd data, 16 bits

#0	beshort		0x7801		Zlib header, no compression
0	beshort		0x789c		Zlib compressed data, default compression
0	beshort		0x78da		Zlib compressed data, best compression
0	beshort		0x785e		Zlib compressed data, compressed

# Type: OpenSSL certificates/key files
# From: Nicolas Collignon <tsointsoin@gmail.com>

0       string  -----BEGIN\x20CERTIFICATE-----      PEM certificate
0       string  -----BEGIN\x20CERTIFICATE\x20REQ    PEM certificate request
0       string  -----BEGIN\x20RSA\x20PRIVATE        PEM RSA private key
0       string  -----BEGIN\x20DSA\x20PRIVATE        PEM DSA private key

# Type: OpenSSH key files
# From: Nicolas Collignon <tsointsoin@gmail.com>

0       string  SSH\x20PRIVATE\x20KEY	OpenSSH RSA1 private key,
>28     string  >\0			version "%s"

0       string  ssh-dss\x20               OpenSSH DSA public key
0       string  ssh-rsa\x20               OpenSSH RSA public key

# Type: Certificates/key files in DER format
# From: Gert Hulselmans <hulselmansgert@gmail.com>
0	string	\x30\x82		Private key in DER format (PKCS#8),
>4	string	!\x02\x01\x00		invalid,
>>2	beshort	x			header length: 4, sequence length: %d

0	string  \x30\x82		Certificate in DER format (x509 v3),
>4	string	!\x30\x82		invalid,
>>2	beshort	x			header length: 4, sequence length: %d

# GnuPG
# The format is very similar to pgp
0	string          \001gpg                 GPG key trust database
>4	byte            x                       version %d

# Not a very useful signature
#0       beshort         0x9901                  GPG key public ring

# This magic is not particularly good, as the keyrings don't have true
# magic. Nevertheless, it covers many keyrings.

#------------------------------------------------------------------------------
# Mavroyanopoulos Nikos <nmav@hellug.gr>
# mcrypt:   file(1) magic for mcrypt 2.2.x;
0	string		\0m\3		mcrypt 2.5 encrypted data,
>4	byte		0		invalid
>4	string		>\0		algorithm: "%s",
>>&1	leshort		<1		invalid
>>&1	leshort		>0		keysize: %d bytes,
>>>&0	byte		0		invalid
>>>&0	string		>\0		mode: "%s",

0	string		\0m\2		mcrypt 2.2 encrypted data,
>3	byte		0		algorithm: blowfish-448,
>3	byte		1		algorithm: DES,
>3	byte		2		algorithm: 3DES,
>3	byte		3		algorithm: 3-WAY,
>3	byte		4		algorithm: GOST,
>3	byte		6		algorithm: SAFER-SK64,
>3	byte		7		algorithm: SAFER-SK128,
>3	byte		8		algorithm: CAST-128,
>3	byte		9		algorithm: xTEA,
>3	byte		10		algorithm: TWOFISH-128,
>3	byte		11		algorithm: RC2,
>3	byte		12		algorithm: TWOFISH-192,
>3	byte		13		algorithm: TWOFISH-256,
>3	byte		14		algorithm: blowfish-128,
>3	byte		15		algorithm: blowfish-192,
>3	byte		16		algorithm: blowfish-256,
>3	byte		100		algorithm: RC6,
>3	byte		101		algorithm: IDEA,
>3	byte		<0		invalid algorithm
>3	byte		>101		invalid algorithm,
>3	byte		>16
>>3	byte		<100		invalid algorithm,
>4	byte		0		mode: CBC,
>4	byte		1		mode: ECB,
>4	byte		2		mode: CFB,
>4	byte		3		mode: OFB,
>4	byte		4		mode: nOFB,
>4	byte		<0		invalid mode,
>4	byte		>4		invalid mode,
>5	byte		0		keymode: 8bit
>5	byte		1		keymode: 4bit
>5	byte		2		keymode: SHA-1 hash
>5	byte		3		keymode: MD5 hash
>5	byte		<0		invalid keymode
>5	byte		>3		invalid keymode

#------------------------------------------------------------------------------
# pgp:  file(1) magic for Pretty Good Privacy
#
#0       beshort         0x9900                  PGP key public ring
#0       beshort         0x9501                  PGP key security ring
#0       beshort         0x9500                  PGP key security ring
#0	beshort		0xa600			PGP encrypted data
0       string          -----BEGIN\040PGP       PGP armored data,
>15     string          PUBLIC\040KEY\040BLOCK- public key block
>15     string          MESSAGE-                message
>15     string          SIGNED\040MESSAGE-      signed message
>15     string          PGP\040SIGNATURE-       signature

0	string		Salted__		OpenSSL encryption, salted,
>8	belong		x			salt: 0x%X
>12	belong		x			\b%X

#------------------Standard file formats------------------------------------

#------------------------------------------------------------------------------
# elf:  file(1) magic for ELF executables
#
# We have to check the byte order flag to see what byte order all the
# other stuff in the header is in.
#
# What're the correct byte orders for the nCUBE and the Fujitsu VPP500?
#
# updated by Daniel Quinlan (quinlan@yggdrasil.com)
0	string		\177ELF		ELF
>4	byte		0		invalid class
>4	byte		1		32-bit
# only for MIPS - in the future, the ABI field of e_flags should be used.
>>18	leshort		8
>>>36	lelong		&0x20		N32
>>18	leshort		10
>>>36	lelong		&0x20		N32
>>18	beshort		8
>>>36	belong		&0x20		N32
>>18	beshort		10
>>>36	belong		&0x20		N32
>4	byte		2		64-bit
>4	byte		>2
>>4	byte		x		unknown ELF class: 0x%X
>5	byte		!1
>>5	byte		!2		invalid byte order
>5	byte		1		LSB
# The official e_machine number for MIPS is now #8, regardless of endianness.
# The second number (#10) will be deprecated later. For now, we still
# say something if #10 is encountered, but only gory details for #8.
>>18    leshort		8
# only for 32-bit
>>>4	byte		1
>>>>36  lelong&0xf0000000	0x00000000	MIPS-I
>>>>36  lelong&0xf0000000	0x10000000	MIPS-II
>>>>36  lelong&0xf0000000	0x20000000	MIPS-III
>>>>36  lelong&0xf0000000	0x30000000	MIPS-IV
>>>>36  lelong&0xf0000000	0x40000000	MIPS-V
>>>>36  lelong&0xf0000000	0x60000000	MIPS32
>>>>36  lelong&0xf0000000	0x70000000	MIPS64
>>>>36  lelong&0xf0000000	0x80000000	MIPS32 rel2
>>>>36  lelong&0xf0000000	0x90000000	MIPS64 rel2
# only for 64-bit
>>>4	byte		2
>>>>48  lelong&0xf0000000	0x00000000	MIPS-I
>>>>48  lelong&0xf0000000	0x10000000	MIPS-II
>>>>48  lelong&0xf0000000	0x20000000	MIPS-III
>>>>48  lelong&0xf0000000	0x30000000	MIPS-IV
>>>>48  lelong&0xf0000000	0x40000000	MIPS-V
>>>>48  lelong&0xf0000000	0x60000000	MIPS32
>>>>48  lelong&0xf0000000	0x70000000	MIPS64 
>>>>48  lelong&0xf0000000	0x80000000	MIPS32 rel2
>>>>48  lelong&0xf0000000	0x90000000	MIPS64 rel2
>>16	leshort		0		no file type,
>>16	leshort		1		relocatable,
>>16	leshort		2		executable,
>>16	leshort		3		shared object,
# Core handling from Peter Tobias <tobias@server.et-inf.fho-emden.de>
# corrections by Christian 'Dr. Disk' Hechelmann <drdisk@ds9.au.s.shuttle.de>
>>16	leshort		4		core file
# Core file detection is not reliable.
#>>>(0x38+0xcc) string	>\0		of '%s'
#>>>(0x38+0x10) lelong	>0		(signal %d),
>>16	leshort		&0xff00		processor-specific,
>>18	leshort		0		no machine,
>>18	leshort		1		AT&T WE32100 - invalid byte order,
>>18	leshort		2		SPARC - invalid byte order,
>>18	leshort		3		Intel 80386,
>>18	leshort		4		Motorola
>>>36	lelong		&0x01000000	68000 - invalid byte order,
>>>36	lelong		&0x00810000	CPU32 - invalid byte order,
>>>36	lelong		0		68020 - invalid byte order,
>>18	leshort		5		Motorola 88000 - invalid byte order,
>>18	leshort		6		Intel 80486,
>>18	leshort		7		Intel 80860,
>>18	leshort		8		MIPS,
>>18	leshort		9		Amdahl - invalid byte order,
>>18	leshort		10		MIPS (deprecated),
>>18	leshort		11		RS6000 - invalid byte order,
>>18	leshort		15		PA-RISC - invalid byte order,
>>>50	leshort		0x0214		2.0
>>>48	leshort		&0x0008		(LP64),
>>18	leshort		16		nCUBE,
>>18	leshort		17		Fujitsu VPP500,
>>18	leshort		18		SPARC32PLUS,
>>18	leshort		20		PowerPC,
>>18	leshort		22		IBM S/390,
>>18	leshort		36		NEC V800,
>>18	leshort		37		Fujitsu FR20,
>>18	leshort		38		TRW RH-32,
>>18	leshort		39		Motorola RCE,
>>18	leshort		40		ARM,
>>18	leshort		41		Alpha,
>>18	leshort		0xa390		IBM S/390 (obsolete),
>>18	leshort		42		Hitachi SH,
>>18	leshort		43		SPARC V9 - invalid byte order,
>>18	leshort		44		Siemens Tricore Embedded Processor,
>>18	leshort		45		Argonaut RISC Core, Argonaut Technologies Inc.,
>>18	leshort		46		Hitachi H8/300,
>>18	leshort		47		Hitachi H8/300H,
>>18	leshort		48		Hitachi H8S,
>>18	leshort		49		Hitachi H8/500,
>>18	leshort		50		IA-64 (Intel 64 bit architecture)
>>18	leshort		51		Stanford MIPS-X,
>>18	leshort		52		Motorola Coldfire,
>>18	leshort		53		Motorola M68HC12,
>>18	leshort		62		AMD x86-64,
>>18	leshort		75		Digital VAX,
>>18	leshort		97		NatSemi 32k,
>>18	leshort		0x9026		Alpha (unofficial),
>>20	lelong		0		invalid version
>>20	lelong		1		version 1
>>36	lelong		1		MathCoPro/FPU/MAU Required
>5	byte		2		MSB
# only for MIPS - see comment in little-endian section above.
>>18    beshort		8
# only for 32-bit
>>>4	byte		1
>>>>36  belong&0xf0000000	0x00000000	MIPS-I
>>>>36  belong&0xf0000000	0x10000000	MIPS-II
>>>>36  belong&0xf0000000	0x20000000	MIPS-III
>>>>36  belong&0xf0000000	0x30000000	MIPS-IV
>>>>36  belong&0xf0000000	0x40000000	MIPS-V
>>>>36  belong&0xf0000000	0x60000000	MIPS32
>>>>36  belong&0xf0000000	0x70000000	MIPS64
>>>>36  belong&0xf0000000	0x80000000	MIPS32 rel2
>>>>36  belong&0xf0000000	0x90000000	MIPS64 rel2
# only for 64-bit
>>>4	byte		2
>>>>48	belong&0xf0000000	0x00000000	MIPS-I
>>>>48	belong&0xf0000000	0x10000000	MIPS-II
>>>>48	belong&0xf0000000	0x20000000	MIPS-III
>>>>48	belong&0xf0000000	0x30000000	MIPS-IV
>>>>48	belong&0xf0000000	0x40000000	MIPS-V
>>>>48	belong&0xf0000000	0x60000000	MIPS32
>>>>48	belong&0xf0000000	0x70000000	MIPS64 
>>>>48	belong&0xf0000000	0x80000000	MIPS32 rel2
>>>>48	belong&0xf0000000	0x90000000	MIPS64 rel2
>>16	beshort		0		no file type,
>>16	beshort		1		relocatable,
>>16	beshort		2		executable,
>>16	beshort		3		shared object,
>>16	beshort		4		core file,
#>>>(0x38+0xcc) string	>\0		of '%s'
#>>>(0x38+0x10) belong	>0		(signal %d),
>>16	beshort		&0xff00		processor-specific,
>>18	beshort		0		no machine,
>>18	beshort		1		AT&T WE32100,
>>18	beshort		2		SPARC,
>>18	beshort		3		Intel 80386 - invalid byte order,
>>18	beshort		4		Motorola
>>>36	belong		&0x01000000	68000,
>>>36	belong		&0x00810000	CPU32,
>>>36	belong		0		68020,
>>18	beshort		5		Motorola 88000,
>>18	beshort		6		Intel 80486 - invalid byte order,
>>18	beshort		7		Intel 80860,
>>18	beshort		8		MIPS,
>>18	beshort		9		Amdahl,
>>18	beshort		10		MIPS (deprecated),
>>18	beshort		11		RS6000,
>>18	beshort		15		PA-RISC
>>>50	beshort		0x0214		2.0
>>>48	beshort		&0x0008		(LP64)
>>18	beshort		16		nCUBE,
>>18	beshort		17		Fujitsu VPP500,
>>18	beshort		18		SPARC32PLUS,
>>>36	belong&0xffff00	&0x000100	V8+ Required,
>>>36	belong&0xffff00	&0x000200	Sun UltraSPARC1 Extensions Required,
>>>36	belong&0xffff00	&0x000400	HaL R1 Extensions Required,
>>>36	belong&0xffff00	&0x000800	Sun UltraSPARC3 Extensions Required,
>>18	beshort		20		PowerPC or cisco 4500,
>>18	beshort		21		cisco 7500,
>>18	beshort		22		IBM S/390,
>>18	beshort		24		cisco SVIP,
>>18	beshort		25		cisco 7200,
>>18	beshort		36		NEC V800 or cisco 12000,
>>18	beshort		37		Fujitsu FR20,
>>18	beshort		38		TRW RH-32,
>>18	beshort		39		Motorola RCE,
>>18	beshort		40		ARM,
>>18	beshort		41		Alpha,
>>18	beshort		42		Hitachi SH,
>>18	beshort		43		SPARC V9,
>>18	beshort		44		Siemens Tricore Embedded Processor,
>>18	beshort		45		Argonaut RISC Core, Argonaut Technologies Inc.,
>>18	beshort		46		Hitachi H8/300,
>>18	beshort		47		Hitachi H8/300H,
>>18	beshort		48		Hitachi H8S,
>>18	beshort		49		Hitachi H8/500,
>>18	beshort		50		Intel Merced Processor,
>>18	beshort		51		Stanford MIPS-X,
>>18	beshort		52		Motorola Coldfire,
>>18	beshort		53		Motorola M68HC12,
>>18	beshort		73		Cray NV1,
>>18	beshort		75		Digital VAX,
>>18	beshort		97		NatSemi 32k,
>>18	beshort		0x9026		Alpha (unofficial),
>>18	beshort		0xa390		IBM S/390 (obsolete),
>>18    beshort         0xde3d          Ubicom32,
>>20	belong		0		invalid version
>>20	belong		1		version 1
>>36	belong		1		MathCoPro/FPU/MAU Required
# Up to now only 0, 1 and 2 are defined; I've seen a file with 0x83, it seemed
# like proper ELF, but extracting the string had bad results.
>4	byte		<0x80
>>8	string		>\0		("%s")
>8	string		\0
>>7	byte		0		(SYSV)
>>7	byte		1		(HP-UX)
>>7	byte		2		(NetBSD)
>>7	byte		3		(GNU/Linux)
>>7	byte		4		(GNU/Hurd)
>>7	byte		5		(86Open)
>>7	byte		6		(Solaris)
>>7	byte		7		(Monterey)
>>7	byte		8		(IRIX)
>>7	byte		9		(FreeBSD)
>>7	byte		10		(Tru64)
>>7	byte		11		(Novell Modesto)
>>7	byte		12		(OpenBSD)
>>7	byte		97		(ARM)
>>7	byte		255		(embedded)

# Some simple Microsoft executable signatures
0 		    string 		MZ\0\0\0\0\0\0		Microsoft
>0x3c		lelong		<4			        invalid
>(0x3c.l)   string      !PE\0\0     		MS-DOS executable
>(0x3c.l)   string      PE\0\0      		portable executable

0           string      MZ                  Microsoft
>0x3c		lelong		<4			        invalid
>(0x3c.l)   string      !PE\0\0             invalid
>(0x3c.l)   string      PE\0\0              portable executable


#------------------------------------------------------------------------------
# bFLT: file(1) magic for BFLT uclinux binary files
#
# From Philippe De Muyter <phdm@macqel.be>
# 
# Additional fields added by Craig Heffner
#
0       string          bFLT            BFLT executable
>4	belong		<1		invalid
>4	belong		>4		invalid
>4      belong          x               version %d, 
>4      belong          4
>8	belong		x		code offset: 0x%.8X, 
>12	belong		x		data segment starts at: 0x%.8X, 
>16	belong		x		bss segment starts at: 0x%.8X, 
>20	belong		x		bss segment ends at: 0x%.8X, 
>24	belong		x		stack size: %d bytes, 
>28	belong 		x		relocation records start at: 0x%.8X, 
>32	belong		x		number of reolcation records: %d, 
>>36    belong&0x1      0x1             ram
>>36    belong&0x2      0x2             gotpic
>>36    belong&0x4      0x4             gzip
>>36    belong&0x8      0x8             gzdata


# Windows CE package files
0       string          MSCE\0\0\0\0    Microsoft WinCE installer
>20     lelong          0               \b, architecture-independent
>20     lelong          103             \b, Hitachi SH3
>20     lelong          104             \b, Hitachi SH4
>20     lelong          0xA11           \b, StrongARM
>20     lelong          4000            \b, MIPS R4000
>20     lelong          10003           \b, Hitachi SH3
>20     lelong          10004           \b, Hitachi SH3E
>20     lelong          10005           \b, Hitachi SH4
>20     lelong          70001           \b, ARM 7TDMI
>52     leshort         1               \b, 1 file
>52     leshort         >1              \b, %u files
>56     leshort         1               \b, 1 registry entry
>56     leshort         >1              \b, %u registry entries

#------------------------------------------------------------------------------
# Microsoft Xbox executables .xbe (Esa HyytiÃ¤ <ehyytia@cc.hut.fi>)
0       string          XBEH            XBE, Microsoft Xbox executable
# probabilistic checks whether signed or not
>0x0004 ulelong =0x0
>>&2    ulelong !0x0  \b, invalid
>>&2    ulelong =0x0
>>>&2   ulelong !0x0  \b, invalid
>>>&2   ulelong =0x0  \b, not signed
>0x0004 ulelong >0
>>&2    ulelong =0x0  \b, invalid
>>&2    ulelong >0
>>>&2   ulelong =0x0  \b, invalid
>>>&2   ulelong >0    \b, signed
>0x0104 lelong  <0    \b, invalid base address
# expect base address of 0x10000
>0x0104               ulelong =0x10000
>>(0x0118-0x0FF60)    ulelong&0x80000007  0x80000007 \b, all regions
>>(0x0118-0x0FF60)    ulelong&0x80000007  !0x80000007
>>>(0x0118-0x0FF60)   ulelong >0           (regions:
>>>>(0x0118-0x0FF60)  ulelong &0x00000001  NA
>>>>(0x0118-0x0FF60)  ulelong &0x00000002  Japan
>>>>(0x0118-0x0FF60)  ulelong &0x00000004  Rest_of_World
>>>>(0x0118-0x0FF60)  ulelong &0x80000000  Manufacturer
>>>(0x0118-0x0FF60)   ulelong >0           \b)


#------------------------------------------------------------------------------
# motorola:  file(1) magic for Motorola 68K and 88K binaries
#
# 68K
#
# These signatures are useless without further sanity checking. Disable them until 
# that can be implemented.
#0       beshort         0x0208          mc68k COFF
#>18     beshort         ^00000020       object
#>18     beshort         &00000020       executable
#>12     belong          >0              not stripped
#>168    string          .lowmem         Apple toolbox
#>20     beshort         0407            (impure)
#>20     beshort         0410            (pure)
#>20     beshort         0413            (demand paged)
#>20     beshort         0421            (standalone)
#0       beshort         0x0209          mc68k executable (shared)
#>12     belong          >0              not stripped
#0       beshort         0x020A          mc68k executable (shared demand paged)
#>12     belong          >0              not stripped


#------------------------------------------------------------------------------
# Sony Playstation executables (Adam Sjoegren <asjo@diku.dk>) :
0       string  PS-X\x20EXE       Sony Playstation executable
#  Area:
>113    string  x               ("%s")

#------------------------------------------------------------------------------
# cisco:  file(1) magic for cisco Systems routers
#
# Most cisco file-formats are covered by the generic elf code
0	string			\x85\x01\x14	Cisco IOS microcode
>7      string          	>\0         	
>>7	string			x		for "%s"
0	string			\x85\x01\xcb	Cisco IOS experimental microcode
>7      string          	>\0         	
>>7	string			x		for "%s"

# EST flat binary format (which isn't, but anyway)
# From: Mark Brown <broonie@sirena.org.uk>
0	string	ESTFBINR	EST flat binary

# These are not the binaries themselves, but string references to them
# are a strong indication that they exist elsewhere...
#0	string	/bin/busybox	Busybox string reference: "%s"{one-of-many}
#0	string /bin/sh		Shell string reference: "%s"{one-of-many}

# Mach-O's
0	string \xca\xfe\xba\xbe\x00\x00\x00\x01	Mach-O universal binary with 1 architecture
0	string \xca\xfe\xba\xbe\x00\x00\x00\x02	Mach-O universal binary with 2 architectures
0	string \xca\xfe\xba\xbe\x00\x00\x00\x03	Mach-O universal binary with 3 architectures
0	string \xca\xfe\xba\xbe\x00\x00\x00\x04	Mach-O universal binary with 4 architectures
0	string \xca\xfe\xba\xbe\x00\x00\x00\x05	Mach-O universal binary with 5 architectures
0	string \xca\xfe\xba\xbe\x00\x00\x00\x06	Mach-O universal binary with 6 architectures
0	string \xca\xfe\xba\xbe\x00\x00\x00\x07	Mach-O universal binary with 7 architectures
0	string \xca\xfe\xba\xbe\x00\x00\x00\x08	Mach-O universal binary with 8 architectures
0	string \xca\xfe\xba\xbe\x00\x00\x00\x0a	Mach-O universal binary with 9 architectures
0	string \xca\xfe\xba\xbe\x00\x00\x00\x0b	Mach-O universal binary with 10 architectures
0	string \xca\xfe\xba\xbe\x00\x00\x00\x0c	Mach-O universal binary with 11 architectures
0	string \xca\xfe\xba\xbe\x00\x00\x00\x0d	Mach-O universal binary with 12 architectures
0	string \xca\xfe\xba\xbe\x00\x00\x00\x0e	Mach-O universal binary with 13 architectures
0	string \xca\xfe\xba\xbe\x00\x00\x00\x0f	Mach-O universal binary with 14 architectures
0	string \xca\xfe\xba\xbe\x00\x00\x00\x10	Mach-O universal binary with 15 architectures
0	string \xca\xfe\xba\xbe\x00\x00\x00\x11	Mach-O universal binary with 16 architectures
0	string \xca\xfe\xba\xbe\x00\x00\x00\x12	Mach-O universal binary with 17 architectures
0	string \xca\xfe\xba\xbe\x00\x00\x00\x13	Mach-O universal binary with 18 architectures

# The magic bytes for Java .class files is 0xcafebabe, but AFAIK all major version numbers are less than 255
# and all minor version numbers are 0. This gives us three more bytes we can signature on.
0       string          \xca\xfe\xba\xbe\x00\x00\x00    Compiled Java class data,
>6      beshort         x                               version %d.
>4      beshort         x                               \b%d
# Which is which?
>4      belong          0x032d                          (Java 1.0/1.1)
#>4     belong          0x032d                          (Java 1.1)
>4      belong          0x002e                          (Java 1.2)
>4      belong          0x002f                          (Java 1.3)
>4      belong          0x0030                          (Java 1.4)
>4      belong          0x0031                          (Java 1.5)
>4      belong          0x0032                          (Java 1.6)
>4      belong          >0x0050                         invalid

# Summary: HP-38/39 calculator
0	string		HP38Bin		HP 38 binary
>7      string          A               (Directory List)
>7      string          B               (Zaplet)
>7      string          C               (Note)
>7      string          D               (Program)
>7      string          E               (Variable)
>7      string          F               (List)
>7      string          G               (Matrix)
>7      string          H               (Library)
>7      string          I               (Target List)
>7      string          J               (ASCII Vector specification)
>7      string          K               (wildcard)
>7	byte		<0x41		invalid
>7	byte		>0x4B		invalid

0	string		HP39Bin		HP 39 binary
>7      string          A               (Directory List)
>7      string          B               (Zaplet)
>7      string          C               (Note)
>7      string          D               (Program)
>7      string          E               (Variable)
>7      string          F               (List)
>7      string          G               (Matrix)
>7      string          H               (Library)
>7      string          I               (Target List)
>7      string          J               (ASCII Vector specification)
>7      string          K               (wildcard)
>7	byte		<0x41		invalid
>7	byte		>0x4B		invalid

0	string		HP38Asc		HP 38 ASCII
>7      string          A               (Directory List)
>7      string          B               (Zaplet)
>7      string          C               (Note)
>7      string          D               (Program)
>7      string          E               (Variable)
>7      string          F               (List)
>7      string          G               (Matrix)
>7      string          H               (Library)
>7      string          I               (Target List)
>7      string          J               (ASCII Vector specification)
>7      string          K               (wildcard)
>7	byte		<0x41		invalid
>7	byte		>0x4B		invalid

0	string		HP39Asc		HP 39 ASCII
>7      string          A               (Directory List)
>7      string          B               (Zaplet)
>7      string          C               (Note)
>7      string          D               (Program)
>7      string          E               (Variable)
>7      string          F               (List)
>7      string          G               (Matrix)
>7      string          H               (Library)
>7      string          I               (Target List)
>7      string          J               (ASCII Vector specification)
>7      string          K               (wildcard)
>7	byte		<0x41		invalid
>7	byte		>0x4B		invalid

# Summary: HP-48/49 calculator
0       string          HPHP48          HP 48 binary
>8      leshort         0x2911          (ADR)
>8      leshort         0x2933          (REAL)
>8      leshort         0x2955          (LREAL)
>8      leshort         0x2977          (COMPLX)
>8      leshort         0x299d          (LCOMPLX)
>8      leshort         0x29bf          (CHAR)
>8      leshort         0x29e8          (ARRAY)
>8      leshort         0x2a0a          (LNKARRAY)
>8      leshort         0x2a2c          (STRING)
>8      leshort         0x2a4e          (HXS)
>8      leshort         0x2a74          (LIST)
>8      leshort         0x2a96          (DIR)
>8      leshort         0x2ab8          (ALG)
>8      leshort         0x2ada          (UNIT)
>8      leshort         0x2afc          (TAGGED)
>8      leshort         0x2b1e          (GROB)
>8      leshort         0x2b40          (LIB)
>8      leshort         0x2b62          (BACKUP)
>8      leshort         0x2b88          (LIBDATA)
>8      leshort         0x2d9d          (PROG)
>8      leshort         0x2dcc          (CODE)
>8      leshort         0x2e48          (GNAME)
>8      leshort         0x2e6d          (LNAME)
>8      leshort         0x2e92          (XLIB)
>8	leshort		<0x2911		(invalid)
>8	leshort		>0x2e92		(invalid)

0       string          HPHP49          HP 49 binary
>8      leshort         0x2911          (ADR)
>8      leshort         0x2933          (REAL)
>8      leshort         0x2955          (LREAL)
>8      leshort         0x2977          (COMPLX)
>8      leshort         0x299d          (LCOMPLX)
>8      leshort         0x29bf          (CHAR)
>8      leshort         0x29e8          (ARRAY)
>8      leshort         0x2a0a          (LNKARRAY)
>8      leshort         0x2a2c          (STRING)
>8      leshort         0x2a4e          (HXS)
>8      leshort         0x2a74          (LIST)
>8      leshort         0x2a96          (DIR)
>8      leshort         0x2ab8          (ALG)
>8      leshort         0x2ada          (UNIT)
>8      leshort         0x2afc          (TAGGED)
>8      leshort         0x2b1e          (GROB)
>8      leshort         0x2b40          (LIB)
>8      leshort         0x2b62          (BACKUP)
>8      leshort         0x2b88          (LIBDATA)
>8      leshort         0x2d9d          (PROG)
>8      leshort         0x2dcc          (CODE)
>8      leshort         0x2e48          (GNAME)
>8      leshort         0x2e6d          (LNAME)
>8      leshort         0x2e92          (XLIB)
>8      leshort         <0x2911         (invalid)
>8      leshort         >0x2e92         (invalid)

0	string		\x23!/		Executable script,
>6	byte		!0x2F
>>7	byte		!0x2F		invalid
>2	string		x		shebang: "%s"

0	string		\x23!\x20/	Executable script,
>7	byte		!0x2F
>>8	byte		!0x2F		invalid
>3	string		x		shebang: "%s"

#--------------------File Systems---------------------

# Minix filesystems - Juan Cespedes <cespedes@debian.org>
# These signatures are useless until they can be improved.
#0x410   leshort         0x137f          Minix filesystem
#>0x402  beshort         !0              \b, %d zones
#>0x1e   string          minix           \b, bootable
#0x410   leshort         0x138f          Minix filesystem, 30 char names
#0x410   leshort         0x2468          Minix filesystem, version 2
#0x410   leshort         0x2478          Minix filesystem, version 2, 30 char names
#0x410	leshort		0x4d5a		Minix filesystem, version 3
#0x410	leshort		0x4d6a		Minix filesystem, version 3, 30 char names

#0x410   beshort         0x137f          Minix filesystem (big endian)
#>0x402  beshort         !0              \b, %d zones
#>0x1e   string          minix           \b, bootable
#0x410   beshort         0x138f          Minix filesystem (big endian), 30 char names
#0x410   beshort         0x2468          Minix filesystem (big endian), version 2
#0x410   beshort         0x2478          Minix filesystem (big endian), version 2, 30 char names
#0x410	beshort		0x4d5a		Minix filesystem (big endian), version 3
#0x410	beshort		0x4d6a		Minix filesystem (big endian), version 3, 30 char names

# YAFFS
0	string	\x03\x00\x00\x00\x01\x00\x00\x00\xFF\xFF	YAFFS filesystem

# EFS2 file system - jojo@utulsa.edu
0      lelong 0x53000000       EFS2 Qualcomm filesystem super block, little endian,
>8     string !EFSSuper        invalid,
>4     leshort &1              NAND
>4     leshort ^1              NOR
>4     leshort x               version 0x%x,
>24    lelong  x               %d blocks,
>16    lelong  x               0x%x pages per block,
>20    lelong  x               0x%x bytes per page

0      belong 0x53000000       EFS2 Qualcomm filesystem super block, big endian,
>8     string !SSFErepu	       invalid,
>4     beshort &1              NAND
>4     beshort ^1              NOR
>4     beshort x               version 0x%x,
>24    belong  x               %d blocks,
>16    belong  x               0x%x pages per block,
>20    belong  x               0x%x bytes per page

# TROC file system
0	string	TROC		TROC filesystem,
>4	lelong	x		%d file entries

# PFS file system
0	string	PFS/		PFS filesystem,
>4	string	x		version "%s",
>14	leshort	x		%d files

# MPFS file system
0	string	MPFS		MPFS (Microchip) filesystem,
>4	byte	x		version %d.
>5	byte	x		\b%d,
>6	leshort	x		%d file entries

# cramfs filesystem - russell@coker.com.au
0       lelong  0x28cd3d45      CramFS filesystem, little endian
>4	lelong	<0		invalid
>4	lelong	>1073741824	invalid
>4      lelong  x 		size %u
>8      lelong  &1 		version #2
>8      lelong  &2 		sorted_dirs
>8      lelong  &4 		hole_support
>32     lelong  x 		CRC 0x%x,
>36     lelong  x 		edition %u,
>40	lelong	<0		invalid
>40     lelong  x 		%u blocks,
>44	lelong	<0		invalid
>44     lelong  x 		%u files
>4      lelong  x 		{jump-to-offset:%u}
>4      lelong  x 		{file-size:%u}

0       belong  0x28cd3d45      CramFS filesystem, big endian
>4	belong	<0		invalid
>4	belong	>1073741824	invalid
>4      belong  x 		size %u
>8      belong  &1 		version #2
>8      belong  &2 		sorted_dirs
>8      belong  &4 		hole_support
>32     belong  x 		CRC 0x%x,
>36     belong  x 		edition %u,
>40	belong	<0		invalid
>40     belong  x 		%u blocks,
>44	belong	<0		invalid
>44     belong  x 		%u files
>4      belong  x 		{jump-to-offset:%u}
>4      belong  x 		{file-size:%u}



# JFFS2 file system
# If used with binwalk's smart signature feature (on by default, -S to disable)
# this signature can potentially lead to missing some JFFS2 file systems if there
# are multiple JFFS2 file systems in a target file and there are no other identified
# files in between the JFFS2 file systems. This is an unlikely scenario however, and
# the below signatures are much improved in terms of readability and accuracy in the
# vast majority of real world scenarios.
0		leshort 0x1985	JFFS2 filesystem, little endian
>2		leshort !0xE001
>>2		leshort !0xE002
>>>2		leshort !0x2003
>>>>2		leshort !0x2004
>>>>>2		leshort !0x2006
>>>>>>2		leshort !0xE008
>>>>>>>2	leshort !0xE009	\b, invalid
>(4.l)		leshort !0x1985		
>>(4.l+1)	leshort !0x1985	
>>>(4.l+2)	leshort !0x1985	
>>>>(4.l+3)	leshort !0x1985
>>>>>(4.l)      leshort !0xFFFF
>>>>>>(4.l+1)   leshort !0xFFFF
>>>>>>>(4.l+2)  leshort !0xFFFF
>>>>>>>>(4.l+3) leshort !0xFFFF \b, invalid
>4		lelong	0	invalid
>4		lelong	<0	invalid
>4		lelong	x	{one-of-many}{jump-to-offset:%d}

0       	beshort 0x1985	JFFS2 filesystem, big endian
>2		beshort !0xE001
>>2		beshort !0xE002
>>>2		beshort !0x2003
>>>>2		beshort !0x2004
>>>>>2		beshort !0x2006
>>>>>>2		beshort !0xE008
>>>>>>>2	beshort !0xE009	\b, invalid
>(4.L)		beshort	!0x1985	 
>>(4.L+1)	beshort	!0x1985	 
>>>(4.L+2)	beshort	!0x1985
>>>>(4.L+3)	beshort	!0x1985	
>>>>>(4.L)	beshort !0xFFFF
>>>>>>(4.L+1)	beshort !0xFFFF
>>>>>>>(4.L+2)	beshort !0xFFFF
>>>>>>>>(4.L+3)	beshort !0xFFFF \b, invalid
>4		belong	0	invalid
>4		belong	<0	invalid
>4		belong	x	{one-of-many}{jump-to-offset:%d}


# Squashfs, big endian
0       string  sqsh    Squashfs filesystem, big endian,
>28     beshort >10     invalid
>28     beshort <1      invalid
>30	beshort >10	invalid
>28     beshort x       version %d.
>30     beshort x       \b%d,
>28     beshort >3      compression:
>>20    beshort 1       \bgzip,
>>20    beshort 2       \blzma,
>>20	beshort 3	\bgzip (non-standard type definition),
>>20	beshort 4	\blzma (non-standard type definition),
>>20    beshort 0       \binvalid,
>>20    beshort >4      \binvalid,
>28     beshort <3
>>8     belong  x       size: %d bytes,
>>8	    belong	x	\b{jump-to-offset:%d}
>>8	    belong	x	\b{file-size:%d}
>28     beshort 3
>>63    bequad x        size: %lld bytes,
>>63	bequad	x	\b{jump-to-offset:%lld}
>>63	bequad	x	\b{file-size:%lld}
>28     beshort >3
>>40    bequad  x       size: %lld bytes,
>>40	bequad	x	\b{jump-to-offset:%lld}
>>40	bequad	x	\b{file-size:%lld}
>4      belong  x       %d inodes,
>28     beshort >3
>>12    belong          blocksize: %d bytes,
>28     beshort <2
>>32    beshort x       blocksize: %d bytes,
>28     beshort 2
>>51    belong  x       blocksize: %d bytes,
>28     beshort 3
>>51    belong  x       blocksize: %d bytes,
>28     beshort >3
>>12    belong  x       blocksize: %d bytes,
>28     beshort <4
>>39    bedate  x       created: %s
>28     beshort >3
>>8     bedate x        created: %s

# Squashfs, little endian
0       string  hsqs    Squashfs filesystem, little endian,
>28     leshort >10     invalid
>28     leshort <1      invalid
>30	leshort >10	invalid
>28     leshort x       version %d.
>30     leshort x       \b%d,
>28	leshort >3	compression:
>>20	leshort 1	\bgzip,
>>20	leshort	2	\blzma,
>>20	leshort 3	\bgzip (non-standard type definition),
>>20	leshort 4	\blzma (non-standard type definition),
>>20	leshort 0	\binvalid,
>>20	leshort >4	\binvalid,
>28     leshort <3
>>8     lelong  x       size: %d bytes,
>>8     lelong  x       {file-size:%d}
>28     leshort 3
>>63    lequad x        size: %lld bytes,
>>63    lequad x        {file-size:%lld}
>28	leshort >3	
>>40	lequad	x	size: %lld bytes,
>>40	lequad	x	{file-size:%lld}
>4      lelong  x       %d inodes,
>28	leshort >3
>>12	lelong		blocksize: %d bytes,
>28     leshort <2
>>32    leshort x       blocksize: %d bytes,
>28     leshort 2
>>51    lelong  x       blocksize: %d bytes,
>28	leshort 3
>>51	lelong 	x	blocksize: %d bytes,
>28	leshort	>3	
>>12	lelong	x	blocksize: %d bytes,
>28	leshort <4
>>39    ledate  x	created: %s
>28	leshort >3
>>8	ledate x	created: %s
>28     leshort <3
>>8     lelong  x       {jump-to-offset:%d}
>28     leshort 3
>>63    lequad x        {jump-to-offset:%lld}
>28     leshort >3
>>40    lequad  x       {jump-to-offset:%lld}

# Squashfs with LZMA compression
0       string  sqlz    Squashfs filesystem, big endian, lzma compression, 
>28     beshort >10     invalid
>28     beshort <1      invalid
>30	beshort >10	invalid
>28     beshort x       version %d.
>30     beshort x       \b%d,
>28     beshort >3      compression:
>>20    beshort 1       \bgzip,
>>20    beshort 2       \blzma,
>>20	beshort 3	\bgzip (non-standard type definition),
>>20	beshort 4	\blzma (non-standard type definition),
>>20    beshort 0       \binvalid,
>>20    beshort >4      \binvalid,
>28     beshort <3
>>8     belong  x       size: %d bytes,
>>8     belong  x       {file-size:%d}
>28     beshort 3
>>63    bequad x        size: %lld bytes,
>>63    bequad x        {file-size:%lld}
>28     beshort >3
>>40    bequad  x       size: %lld bytes,
>>40    bequad  x       {file-size:%lld}
>4      belong  x       %d inodes,
>28     beshort >3
>>12    belong          blocksize: %d bytes,
>28     beshort <2
>>32    beshort x       blocksize: %d bytes,
>28     beshort 2
>>51    belong  x       blocksize: %d bytes,
>28     beshort 3
>>51    belong  x       blocksize: %d bytes,
>28     beshort >3
>>12    belong  x       blocksize: %d bytes,
>28     beshort <4
>>39    bedate  x       created: %s
>28     beshort >3
>>8     bedate x        created: %s
>28     beshort <3
>>8     belong  x       {jump-to-offset:%d}
>28     beshort 3
>>63    bequad  x       {jump-to-offset:%lld}
>28     beshort >3
>>40    bequad  x       {jump-to-offset:%lld}

# Squashfs 3.3 LZMA signature
0       string  qshs    Squashfs filesystem, big endian, lzma signature,
>28     beshort >10     invalid
>28     beshort <1      invalid
>30	beshort >10	invalid
>28     beshort x       version %d.
>30     beshort x       \b%d,
>28     beshort >3      compression:
>>20    beshort 1       \bgzip,
>>20    beshort 2       \blzma,
>>20	beshort 3	\bgzip (non-standard type definition),
>>20	beshort 4	\blzma (non-standard type definition),
>>20    beshort 0       \binvalid,
>>20    beshort >4      \binvalid,
>28     beshort <3
>>8     belong  x       size: %d bytes,
>>8     belong  x       {file-size:%d}
>28     beshort 3
>>63    bequad x        size: %lld bytes,
>>63    bequad x        {file-size:%lld}
>28     beshort >3
>>40    bequad  x       size: %lld bytes,
>>40    bequad  x       {file-size:%lld}
>4      belong  x       %d inodes,
>28     beshort >3
>>12    belong          blocksize: %d bytes,
>28     beshort <2
>>32    beshort x       blocksize: %d bytes,
>28     beshort 2
>>51    belong  x       blocksize: %d bytes,
>28     beshort 3
>>51    belong  x       blocksize: %d bytes,
>28     beshort >3
>>12    belong  x       blocksize: %d bytes,
>28     beshort <4
>>39    bedate  x       created: %s
>28     beshort >3
>>8     bedate x        created: %s
>28     beshort <3
>>8     belong  x       {jump-to-offset:%d}
>28     beshort 3
>>63    bequad  x       {jump-to-offset:%lld}
>28     beshort >3
>>40    bequad  x       {jump-to-offset:%lld}

# Squashfs for DD-WRT
0       string  tqsh    Squashfs filesystem, big endian, DD-WRT signature,
>28     beshort >10     invalid
>28     beshort <1      invalid
>30	beshort >10	invalid
>28     beshort x       version %d.
>30     beshort x       \b%d,
>28     beshort >3      compression:
>>20    beshort 1       \bgzip,
>>20    beshort 2       \blzma,
>>20	beshort 3	\bgzip (non-standard type definition),
>>20	beshort 4	\blzma (non-standard type definition),
>>20    beshort 0       \binvalid,
>>20    beshort >4      \binvalid,
>28     beshort <3
>>8     belong  x       size: %d bytes,
>>8     belong  x       {file-size:%d}
>28     beshort 3
>>63    bequad x        size: %lld bytes,
>>63    bequad x        {file-size:%lld}
>28     beshort >3
>>40    bequad  x       size: %lld bytes,
>>40    bequad  x       {file-size:%lld}
>4      belong  x       %d inodes,
>28     beshort >3
>>12    belong          blocksize: %d bytes,
>28     beshort <2
>>32    beshort x       blocksize: %d bytes,
>28     beshort 2
>>51    belong  x       blocksize: %d bytes,
>28     beshort 3
>>51    belong  x       blocksize: %d bytes,
>28     beshort >3
>>12    belong  x       blocksize: %d bytes,
>28     beshort <4
>>39    bedate  x       created: %s
>28     beshort >3
>>8     bedate x        created: %s
>28     beshort <3
>>8     belong  x       {jump-to-offset:%d}
>28     beshort 3
>>63    bequad  x       {jump-to-offset:%lld}
>28     beshort >3
>>40    bequad  x       {jump-to-offset:%lld}

# Squashfs for DD-WRT
0       string  hsqt    Squashfs filesystem, little endian, DD-WRT signature,
>28     leshort >10     invalid
>28     leshort <1      invalid
>30	leshort >10	invalid
>28     leshort x       version %d.
>30     leshort x       \b%d,
>28     leshort >3      compression:
>>20    leshort 1       \bgzip,
>>20    leshort 2       \blzma,
>>20	leshort 3	\bgzip (non-standard type definition),
>>20	leshort 4	\blzma (non-standard type definition),
>>20    leshort 0       \binvalid,
>>20    leshort >4      \binvalid,
>28     leshort <3
>>8     lelong  x       size: %d bytes,
>>8     lelong  x       {file-size:%d}
>28     leshort 3
>>63    lequad x        size: %lld bytes,
>>63    lequad x        {file-size:%lld}
>28     leshort >3
>>40    lequad  x       size: %lld bytes,
>>40    lequad  x       {file-size:%lld}
>4      lelong  x       %d inodes,
>28     leshort >3
>>12    lelong          blocksize: %d bytes,
>28     leshort <2
>>32    leshort x       blocksize: %d bytes,
>28     leshort 2
>>51    lelong  x       blocksize: %d bytes,
>28     leshort 3
>>51    lelong  x       blocksize: %d bytes,
>28     leshort >3
>>12    lelong  x       blocksize: %d bytes,
>28     leshort <4
>>39    ledate  x       created: %s
>28     leshort >3
>>8     ledate x        created: %s
>28     leshort <3
>>8     lelong  x       {jump-to-offset:%d}
>28     leshort 3
>>63    lequad x        {jump-to-offset:%lld}
>28     leshort >3
>>40    lequad  x       {jump-to-offset:%lld}

# Non-standard Squashfs signature found on some D-Link routers
0       string  shsq    Squashfs filesystem, little endian, non-standard signature, 
>28     leshort >10     invalid
>28     leshort <1      invalid
>30	leshort >10	invalid
>28     leshort x       version %d.
>30     leshort x       \b%d,
>28     leshort >3      compression:
>>20    leshort 1       \bgzip,
>>20    leshort 2       \blzma,
>>20	leshort 3	\bgzip (non-standard type definition),
>>20	leshort 4	\blzma (non-standard type definition),
>>20    leshort 0       \binvalid,
>>20    leshort >4      \binvalid,
>28     leshort <3
>>8     lelong  x       size: %d bytes,
>>8     lelong  x       {file-size:%d}
>28     leshort 3
>>63    lequad x        size: %lld bytes,
>>63    lequad x        {file-size:%lld}
>28     leshort >3
>>40    lequad  x       size: %lld bytes,
>>40    lequad  x       {file-size:%lld}
>4      lelong  x       %d inodes,
>28     leshort >3
>>12    lelong          blocksize: %d bytes,
>28     leshort <2
>>32    leshort x       blocksize: %d bytes,
>28     leshort 2
>>51    lelong  x       blocksize: %d bytes,
>28     leshort 3
>>51    lelong  x       blocksize: %d bytes,
>28     leshort >3
>>12    lelong  x       blocksize: %d bytes,
>28     leshort <4
>>39    ledate  x       created: %s
>28     leshort >3
>>8     ledate x        created: %s
>28     leshort <3
>>8     lelong  x       {jump-to-offset:%d}
>28     leshort 3
>>63    lequad x        {jump-to-offset:%lld}
>28     leshort >3
>>40    lequad  x       {jump-to-offset:%lld}

# ext2/ext3 filesystems - Andreas Dilger <adilger@dilger.ca>
# ext4 filesystem - Eric Sandeen <sandeen@sandeen.net>
# volume label and UUID Russell Coker
# http://etbe.coker.com.au/2008/07/08/label-vs-uuid-vs-device/
0   leshort         0xEF53      	Linux EXT filesystem,{offset-adjust:-0x438}
>2	leshort		>4		invalid state
>2	leshort		3		invalid state
>2	leshort		<0		invalid state
>4	leshort		>3		invalid error behavior
>4	leshort		<0		invalid error behavior
>4	lelong		>1		invalid major revision
>4  lelong		<0		invalid major revision
>4  lelong          x               rev %d
>6  leshort         x               \b.%d
# No journal?  ext2
>36  lelong          ^0x0000004      ext2 filesystem data
>>2 leshort         ^0x0000001      (mounted or unclean)
# Has a journal?  ext3 or ext4
>36  lelong          &0x0000004
#  and small INCOMPAT?
>>40 lelong          <0x0000040
#   and small RO_COMPAT?
>>>44 lelong         <0x0000008      ext3 filesystem data
#   else large RO_COMPAT?
>>>44 lelong         >0x0000007      ext4 filesystem data
#  else large INCOMPAT?
>>40 lelong          >0x000003f      ext4 filesystem data
>48  belong          x               \b, UUID=%08x
>52  beshort         x               \b-%04x
>54  beshort         x               \b-%04x
>56  beshort         x               \b-%04x
>58  belong          x               \b-%08x
>60  beshort         x               \b%04x
>64  string          >0              \b, volume name "%s"


#romfs filesystems - Juan Cespedes <cespedes@debian.org>
0       string	-rom1fs-\0		romfs filesystem, version 1
>8	belong	>10000000		invalid
>8      belong  x                       size: %d bytes,
>16	string	x			{file-name:%s}
>16     string  x                       named "%s"
>8	belong	x			{file-size:%d}
>8	belong	x			{jump-to-offset:%d}

# Wind River MemFS file system, found in some VxWorks devices
0	string	owowowowowowowowowowowowowowow		Wind River management filesystem,
>30	string	!ow					invalid,
>32	belong	1					compressed,
>32	belong	2					plain text,
>36	belong	x					%d files

# netboot image - Juan Cespedes <cespedes@debian.org>
0	lelong			0x1b031336L	Netboot image,
>4	lelong&0xFFFFFF00	0
>>4	lelong&0x100		0x000		mode 2
>>4	lelong&0x100		0x100		mode 3
>4	lelong&0xFFFFFF00	!0		unknown mode (invalid)

0	string			WDK\x202.0\x00	WDK file system, version 2.0{offset-adjust:-18}

0	string		CD001						ISO{offset-adjust:-32769}
>6144	string		!NSR0						9660 CD-ROM filesystem data,
>6144	string		NSR0						UDF filesystem data,
>6148	string		1						version 1.0,
>6148	string		2						version 2.0,
>6148	string		3						version 3.0
>6148	byte		>0x33						invalid version,
>6148	byte		<0x31						invalid version,
>38	string		>\0						volume name: "%s",
>2047	string		\000CD001\001EL\x20TORITO\x20SPECIFICATION	bootable

# updated by Joerg Jenderek at Nov 2012
# DOS Emulator image is 128 byte, null right padded header + harddisc image
0       	string  DOSEMU\0	DOS Emulator image
>0x27E		leshort	!0xAA55		\b, invalid
>0x27E  	leshort 0xAA55
#offset is 128
>>19    	byte   128
>>>(19.b-1)     byte   0x0
>>>>7   	lelong >0              \b, %d heads
>>>>11  	lelong >0              \b, %d sectors/track
>>>>15  	lelong >0              \b, %d cylinders

# From: Alex Beregszaszi <alex@fsn.hu>
0       string  COWD\x03        VMWare3 disk image,
>32     lelong  x               (%d/
>36     lelong  x               \b%d/
>40     lelong  x               \b%d)

0	string	COWD\x02	VMWare3 undoable disk image,
>32     string  >\0             "%s"

# TODO: Add header validation
0       string        VMDK             VMware4 disk image
0       string        KDMV             VMware4 disk image

#--------------------------------------------------------------------
# Qemu Emulator Image
# Lines written by Friedrich Schwittay (f.schwittay@yousable.de)
# Updated by Adam Buchbinder (adam.buchbinder@gmail.com)
# Made by reading sources, reading documentation, and doing trial and error
# on existing QCOW files
0       string		QFI\xFB QEMU QCOW Image

# BSD 2.x file system image; used in RetroBSD for PIC32.
0		string		FS\x3C\x3C		BSD 2.x filesystem,
>1020	string		!\x3E\x3EFS		invalid (missing FSMAGIC2),
>8		lelong		x				size: {math:%d*1024} bytes,
>8		lelong		x				\b{file-size:%d*1024}
>8		lelong		x				\b{jump-to-offset:%d*1024}
>8		lelong		x				total blocks: %d,
>972	lelong		x				free blocks: %d,
>968	ledate		x				last modified: %s
>980	byte		!0
>>980	string		x				\b, last mounted on: "%s"

# Simple file system found in Foscam camera firmware
0       beshort 0xbd9a  Foscam WebUI filesystem,
>2      leshort x       checksum: 0x%X,
>16     lelong  <3      invalid first file name length,
>16     lelong  >127    invalid first file name length,
>20     byte    0       invalid first file name,
>20     byte    !0x2E
>>20    byte    !0x2F
>>>20   byte    <65     invalid first file name,
>>>20   byte    >122    invalid first file name,
>20     byte    x       first file name: {raw-replace}
>16     lelong  x       {raw-string-length:%d}
>20     string  x       {raw-string:%s}


#--------------------------Firmware Formats---------------------------

# uImage file     
# From: Craig Heffner, U-Boot image.h header definitions file
0	belong	0x27051956	uImage header, header size: 64 bytes,
>4	belong	x		header CRC: 0x%X,
>8	bedate	x		created: %s,
>12 belong  <1      invalid
>12	belong	x		image size: %d bytes,
>16	belong	x		Data Address: 0x%X,
>20	belong	x		Entry Point: 0x%X,
>24	belong	x		data CRC: 0x%X,
#>28	byte	x		OS type: %d,
>28	byte	0		OS: invalid OS,
>28	byte	1		OS: OpenBSD,
>28	byte	2		OS: NetBSD,
>28	byte	3		OS: FreeBSD,
>28	byte	4		OS: 4.4BSD,
>28	byte	5		OS: Linux,
>28	byte	6		OS: SVR4,
>28	byte	7		OS: Esix,
>28	byte	8		OS: Solaris,
>28	byte	9		OS: Irix,
>28	byte	10		OS: SCO,
>28	byte	11		OS: Dell,
>28	byte	12		OS: NCR,
>28	byte	13		OS: LynxOS,
>28	byte	14		OS: VxWorks,
>28	byte	15		OS: pSOS,
>28	byte	16		OS: QNX,
>28	byte	17		OS: Firmware,
>28	byte	18		OS: RTEMS,
>28	byte	19		OS: ARTOS,
>28	byte	20		OS: Unity OS,
#>29	byte	x		CPU arch: %d,
>29	byte	0		CPU: invalid OS,
>29	byte	1		CPU: Alpha,
>29	byte	2		CPU: ARM,
>29	byte	3		CPU: Intel x86,
>29	byte	4		CPU: IA64,
>29	byte	5		CPU: MIPS,
>29	byte	6		CPU: MIPS 64 bit,
>29	byte	7		CPU: PowerPC,
>29	byte	8		CPU: IBM S390,
>29	byte	9		CPU: SuperH,
>29	byte	10		CPU: Sparc,
>29	byte	11		CPU: Sparc 64 bit,
>29	byte	12		CPU: M68K,
>29	byte	13		CPU: Nios-32,
>29	byte	14		CPU: MicroBlaze,
>29	byte	15		CPU: Nios-II,
>29	byte	16		CPU: Blackfin,
>29	byte	17		CPU: AVR,
>29	byte	18		CPU: STMicroelectronics ST200,
#>30	byte	x		image type: %d,
>30	byte	0		image type: invalid Image,
>30	byte	1		image type: Standalone Program,
>30	byte	2		image type: OS Kernel Image,
>30	byte 	3		image type: RAMDisk Image,
>30	byte	4		image type: Multi-File Image,
>30	byte	5		image type: Firmware Image,
>30	byte	6		image type: Script file,
>30	byte	7		image type: Filesystem Image,
>30	byte	8		image type: Binary Flat Device Tree Blob
#>31	byte	x		compression type: %d,
>31	byte	0		compression type: none,
>31	byte	1		compression type: gzip,
>31	byte	2		compression type: bzip2,
>31	byte	3		compression type: lzma,
>32	string	x		image name: "%s"

#IMG0 header, found in VxWorks-based Mercury router firmware
0	string		IMG0	IMG0 (VxWorks) header,
>4	belong		<1		invalid
>4	belong		x		size: %d

#Mediatek bootloader signature
#From xp-dev.com
0	string		BOOTLOADER!	Mediatek bootloader

#CSYS header formats
0	string		CSYS\x00	CSYS header, little endian, 
>8	lelong		x			size: %d

0	string		CSYS\x80	CSYS header, big endian,
>8	belong		x			size: %d

# wrgg firmware image
0	string		wrgg02	WRGG firmware header,
>6	string		x		name: "%s",
>48	string		x		root device: "%s"

# trx image file
0	string		HDR0	TRX firmware header, little endian, header size: 28 bytes,
>4	lelong		<1		invalid
>4	lelong		x		image size: %d bytes,
>8	lelong		x		CRC32: 0x%X
>12	leshort		x		flags: 0x%X,
>14	leshort		>5		invalid
>14	leshort		x		version: %d

0	string		0RDH	TRX firmware header, big endian, header size: 28 bytes,
>4	belong		<1		invalid
>4	belong		x		image size: %d bytes,
>8	belong		x		CRC32: 0x%X
>12	beshort		x		flags: 0x%X,
>14	beshort		>5		invalid
>14	beshort		x		version: %d


# Ubicom firmware image
0	belong	0xFA320080	Ubicom firmware header,
>12	belong	x			checksum: 0x%X,
>24	belong	<0			invalid
>24	belong	x			image size: %d

# The ROME bootloader is used by several RealTek-based products.
# Unfortunately, the magic bytes are specific to each product, so
# separate signatures must be created for each one.

# Netgear KWGR614 ROME image
0	string		G614		Realtek firmware header, ROME bootloader,
>4	beshort		0xd92f		image type: KFS,
>4	beshort		0xb162		image type: RDIR,
>4	beshort		0xea43		image type: BOOT,
>4	beshort		0x8dc9		image type: RUN,
>4	beshort		0x2a05		image type: CCFG,
>4	beshort		0x6ce8		image type: DCFG,
>4	beshort		0xc371		image type: LOG,
>6	byte		x		header version: %d,
#month
>10	byte		x		created: %d/
#day	
>12	byte 		x		\b%d/
#year
>8	beshort		x		\b%d,
>16	belong		x		image size: %d bytes,
>22	byte		x		body checksum: 0x%X,
>23	byte		x		header checksum: 0x%X

# Linksys WRT54GX ROME image
0		belong			0x59a0e842		Realtek firmware header, ROME bootloader,
>4      beshort         0xd92f          image type: KFS,
>4      beshort         0xb162          image type: RDIR,
>4      beshort         0xea43          image type: BOOT,
>4      beshort         0x8dc9          image type: RUN,
>4      beshort         0x2a05          image type: CCFG,
>4      beshort         0x6ce8          image type: DCFG,
>4      beshort         0xc371          image type: LOG,
>6      byte            x               header version: %d,
#month
>10     byte            x               created: %d/
#day    
>12     byte            x               \b%d/
#year
>8      beshort         x               \b%d,
>16     belong          x               image size: %d bytes,
>22     byte            x               body checksum: 0x%X,
>23     byte            x               header checksum: 0x%X

# PackImg tag, somtimes used as a delimiter between the kernel and rootfs in firmware images.
0	string		--PaCkImGs--	PackImg section delimiter tag,
# If the size in both big and little endian is greater than 512MB, consider this a false positive
>16	lelong		>0x20000000
>>16	belong		>0x20000000	invalid
>16	lelong		<0
>>16	belong		<0		invalid
>16	lelong		>0
>>16	lelong		x		little endian size: %d bytes;
>16	belong		>0		
>>16	belong		x		big endian size: %d bytes


#------------------------------------------------------------------------------
# Broadcom header format
#
0       string          BCRM            Broadcom header,
>4	lelong		<0		invalid
>4      lelong          x               number of sections: %d,
>>8     lelong          18              first section type: flash
>>8     lelong          19              first section type: disk
>>8     lelong          21              first section type: tag


# Berkeley Lab Checkpoint Restart (BLCR) checkpoint context files
# http://ftg.lbl.gov/checkpoint
0       string  Ck0\0\0R\0\0\0  BLCR
>16     lelong  1       x86
>16     lelong  3       alpha
>16     lelong  5       x86-64
>16     lelong  7       ARM
>8      lelong  x       context data (little endian, version %d)

0       string  \0\0\0C\0\0\0R  BLCR
>16     belong  2       SPARC
>16     belong  4       ppc
>16     belong  6       ppc64
>16     belong  7       ARMEB
>16     belong  8       SPARC64
>8      belong  x       context data (big endian, version %d)

# Aculab VoIP firmware
# From: Mark Brown <broonie@sirena.org.uk>
0       string  VoIP\x20Startup\x20and      Aculab VoIP firmware
>35     string  x       format "%s"

#------------------------------------------------------------------------------
# HP LaserJet 1000 series downloadable firmware file
0       string  \xbe\xefABCDEFGH        HP LaserJet 1000 series downloadable firmware

# From Albert Cahalan <acahalan@gmail.com>
# really le32 operation,destination,payloadsize (but quite predictable)
# 01 00 00 00 00 00 00 c0 00 02 00 00
0       string          \1\0\0\0\0\0\0\300\0\2\0\0      Marvell Libertas firmware

#---------------------------------------------------------------------------
# The following entries have been tested by Duncan Laurie <duncan@sun.com> (a
# lead Sun/Cobalt developer) who agrees that they are good and worthy of
# inclusion.

# Boot ROM images for Sun/Cobalt Linux server appliances
0       string  Cobalt\x20Networks\x20Inc.\nFirmware\x20v     Paged COBALT boot rom
>38     string x        V%.4s

# New format for Sun/Cobalt boot ROMs is annoying, it stores the version code
# at the very end where file(1) can't get it.
0       string CRfs     COBALT boot rom data (Flat boot rom or file system)

#
# Motorola S-Records, from Gerd Truschinski <gt@freebsd.first.gmd.de>
# Useless until forther improvements can be made to the signature.
#0   string      S0          Motorola S-Record; binary data in text format

# --------------------------------
# Microsoft Xbox data file formats
0       string          XIP0            XIP, Microsoft Xbox data
0       string          XTF0            XTF, Microsoft Xbox data

#Windows CE Binary Image Data Format aka B000FF
#More information on the format:
#http://msdn.microsoft.com/en-us/library/ms924510.aspx
#http://forum.xda-developers.com/showthread.php?t=801167
0	string	B000FF	B000FF Windows CE image header,
>7	lelong	x	Image start: 0x%X,
>11	lelong	x	Image length: %d


#Windows CE RomImage
0    string    \x00ECEC     Windows CE memory segment header, {offset-adjust:-63}
>4	lelong	x	TOC address: 0x%X


# --------------------------------
# ZynOS ROM header format
# From openwrt zynos.h.
0	string		SIG		ZynOS header, header size: 48 bytes,{offset-adjust:-6}
#>0	belong		x		load address 0x%X,
>3	byte		<0x7F		rom image type:
>>3	byte		<1		invalid,
>>3	byte		>7		invalid,
>>3	byte		1		ROMIMG,
>>3	byte		2		ROMBOOT,
>>3	byte		3		BOOTEXT,
>>3	byte		4		ROMBIN,
>>3	byte		5		ROMDIR,
>>3	byte		6		6,
>>3	byte		7		ROMMAP,
>3	byte		>0x7F		ram image type:
>>3	byte		>0x82		invalid,
>>3	byte		0x80		RAM,
>>3	byte		0x81		RAMCODE,
>>3	byte		0x82		RAMBOOT,
>4	belong		>0x40000000	invalid
>4	belong		<0		invalid
>4	belong		0		invalid
>4	belong		x		uncompressed size: %d,
>8	belong		>0x40000000	invalid
>8	belong		<0		invalid
>8	belong		0  		invalid
>8	belong		x		compressed size: %d,
>14	beshort		x		uncompressed checksum: 0x%X,
>16	beshort		x		compressed checksum: 0x%X,
>12	byte		x		flags: 0x%X,
>12	byte		&0x40		uncompressed checksum is valid,
>12	byte		&0x80		the binary is compressed,
>>12	byte		&0x20		compressed checksum is valid,
>35	belong		x		memory map table address: 0x%X

# Firmware header used by some VxWorks-based Cisco products
0	string		CI032.00	Cisco VxWorks firmware header,
>8	lelong		>1024		invalid
>8	lelong		<0		invalid
>8	lelong		x		header size: %d bytes,
>32	lelong		>1024		invalid
>32	lelong		<0		invalid
>32	lelong		x		number of files: %d,
>48	lelong		<0		invalid
>48	lelong		x		image size: %d,
>64	string		x		firmware version: "%s"

# Simple VxWorks reference strings
#0	string		VxWorks		VxWorks string referece:
#>0	string		x			"%s"
#0	string		vxworks		VxWorks string referece:
#>0	string		x			"%s"
#0	string		VXWORKS		VxWorks string referece:
#>0	string		x			"%s"

# Firmware header used by some TV's
0	string		FNIB		ZBOOT firmware header, header size: 32 bytes,
>8	lelong		x		load address: 0x%.8X,
>12	lelong		x		start address: 0x%.8X,
>16	lelong		x		checksum: 0x%.8X,
>20	lelong		x		version: 0x%.8X,
>24	lelong		<1		invalid
>24	lelong		x		image size: %d bytes

# Firmware header used by several D-Link routers (and probably others)
0               string  \x5e\xa3\xa4\x17	DLOB firmware header,
>(7.b+12)       string  !\x5e\xa3\xa4\x17       invalid,
#>>12           string  x                       %s,
>(7.b+40)       string  x                       boot partition: "%s"

# TP-Link firmware header structure; thanks to Jonathan McGowan for reversing and documenting this format
0	string          TP-LINK\x20Technologies		TP-Link firmware header,{offset-adjust:-4}
#>-4	lelong          x               		header version: %d,
>0x94  	beshort         x               		firmware version: %d.
>0x96  	beshort         x               		\b%d.
>0x98  	beshort         x               		\b%d,
>0x18  	string          x               		image version: "%s",
#>0x74  belong          x               		image size: %d bytes,
>0x3C  	belong          x               		product ID: 0x%X,
>0x40  	belong          x               		product version: %d,
>0x70  	belong          x               		kernel load address: 0x%X,
>0x74  	belong          x               		kernel entry point: 0x%X,
>0x7C  	belong          x               		kernel offset: %d,
>0x80  	belong          x               		kernel length: %d,
>0x84  	belong          x               		rootfs offset: %d,
>0x88  	belong          x               		rootfs length: %d,
>0x8C  	belong          x               		bootloader offset: %d,
>0x90  	belong          x               		bootloader length: %d

# Header format from: http://skaya.enix.org/wiki/FirmwareFormat
0	string		\x36\x00\x00\x00		Broadcom 96345 firmware header, header size: 256,
>4	string		!Broadcom
>>4	string		!\x20\x20\x20\x20		invalid
>41	beshort		!0x2020
>>41	beshort		!0x0000
>>>41	string		x				firmware version: "%.4s",
>45	beshort		!0x0202
>>45	beshort		!0x0000
>>>45	string		x				board id: "%s",
>236	belong		x				~CRC32 header checksum: 0x%X,
>216	belong		x				~CRC32 data checksum: 0x%X

# Xerox MFP DLM signatures
0	string		%%XRXbegin			Xerox DLM firmware start of header
0	string		%%OID_ATT_DLM_NAME		Xerox DLM firmware name:
>19	string		x				"%s"
0	string		%%OID_ATT_DLM_VERSION		Xerox DLM firmware version:
>22	string		x				"%s"
0	string		%%XRXend			Xerox DLM firmware end of header

# Generic copyright signature
0	string		Copyright			Copyright string:
>9	byte		0				invalid
>9	string		x				"%s
>40	string		x				\b%s"

# Sercomm firmware header
0	string		sErCoMm				Sercomm firmware signature,
>7	leshort		x				version control: %d,
>9	leshort		x				download control: %d,
>11	string		x				hardware ID: "%s",
>44	leshort		x				hardware version: 0x%X,
>58	leshort		x				firmware version: 0x%X,
>60	leshort		x				starting code segment: 0x%X,
>62	leshort		x				code size: 0x%X

# NPK firmware header, used by Mikrotik
0		belong		0x1EF1D0BA		NPK firmware header,
>4		lelong		<0			invalid
>4		lelong		x			image size: %d,
>14		string		x			image name: "%s",
>(48.l+58)	string		x			description: "%s
>(48.l+121)	string		x			\b%s"

# Ubiquiti firmware signatures
0       string		UBNT		Ubiquiti firmware header, header size: 264 bytes,
>0x108  belong      !0          invalid,
>0x104	belong		x           ~CRC32: 0x%X,
>4      byte        0           invalid,
>4      string		x           version: "%s"

0       string		GEOS	    Ubiquiti firmware header, header size: 264 bytes,
>0x108  belong      !0          invalid,
>0x104	belong		x		    ~CRC32: 0x%X,
>4      byte        0           invalid,
>4	    string		x		    version: "%s"

0       string		OPEN		Ubiquiti firmware header, third party,
>0x108  belong      !0          invalid,
>0x104	belong		x		    ~CRC32: 0x%X,
>4      byte        0           invalid,
>4	    string		x		    version: "%s"

0   string      \x00\x00\x00\x00PART    Ubiquiti partition header,{offset-adjust:4}
>0  byte        x                       header size: 56 bytes,
>8  byte        0                       invalid
>8  string      x                       name: "%s",
>44 belong      x                       base address: 0x%.8X,
>52 belong      x                       data size: %d bytes
>52 belong      x                       {file-size:%d}

0   string      \x00\x00\x00\x00END\x2e Ubiquiti end header, header size: 12 bytes,{offset-adjust:4}
>12 belong      !0                      invalid,
>8  belong      x                       cumulative ~CRC32: 0x%.8X


# Found in DIR-100 firmware
0       string  	AIH0N   	AIH0N firmware header, header size: 48,
>12     belong  	x       	size: %d,
>8      belong  	!0      	executable code,
>>8     belong  	x       	load address: 0x%X,
>32     string  	x       	version: "%s"

0	belong		0x5EA3A417	SEAMA firmware header, big endian,
>6	beshort		x		meta size: %d,
>8  belong      <1      invalid
>8	belong		x		size: %d

0	lelong		0x5EA3A417	SEAMA firmware header, little endian,
>6	leshort		x		meta size: %d,
>8  lelong      <1      invalid
>8	lelong		x		size: %d

0	belong		0x4D544443	NSP firmware header, big endian,
>16 belong      <1      invalid
>16	belong		x		header size: %d,
>20 belong      <1      invalid
>20	belong		x		image size: %d,
>20 belong      x       {file-size:%d}
>4  belong      <1      invalid
>4	belong		x		kernel offset: %d,
>12 belong      <1      invalid
>12	belong		x		header version: %d,

0	lelong		0x4D544443	NSP firmware header, little endian,
>16 lelong      <1      invalid
>16	lelong		x		header size: %d,
>20 lelong      <1      invalid
>20	lelong		x		image size: %d,
>20 lelong      x       {file-size:%d}
>4  lelong      <1      invalid
>4	lelong		x		kernel offset: %d,
>12 lelong      <1      invalid
>12	lelong		x		header version: %d,

# http://www.openwiz.org/wiki/Firmware_Layout#Beyonwiz_.wrp_header_structure
0	string		WizFwPkgl	Beyonwiz firmware header,
>20	string		x		    version: "%s"

0	string		BLI223WJ0	Thompson/Alcatel encoded firmware,
>32	byte		x		version: %d.
>33	byte		x		\b%d.
>34	byte		x		\b%d.
>35	byte		x		\b%d,
>44	belong		x		size: %d,
>48	belong		x		crc: 0x%.8X,
>35	byte		x		try decryption tool from:
>35	byte		x		http://download.modem-help.co.uk/mfcs-A/Alcatel/Modems/Misc/

0	string		\xd9\x54\x93\x7a\x68\x04\x4a\x44\x81\xce\x0b\xf6\x17\xd8\x90\xdf	UEFI PI firmware volume{offset-adjust:-16}

# http://android.stackexchange.com/questions/23357/\
# is-there-a-way-to-look-inside-and-modify-an-adb-backup-created-file/\
# 23608#23608
0       string  ANDROID\040BACKUP\n     Android Backup
>15     string  1\n                     \b, version 1
>17     string  0\n                     \b, uncompressed
>17     string  1\n                     \b, compressed
>19     string  none\n                  \b, unencrypted
>19     string  AES-256\n               \b, encrypted AES-256

# http://forum.xda-developers.com/showthread.php?p=47818657
0	string	imgARMcC 		Roku aimage SB{offset-adjust:-8}

# Boot ROM images for Sun/Cobalt Linux server appliances
0       string	Cobalt\ Networks\ Inc.\nFirmware\ v	Paged Sun/COBALT boot rom,
>38     string	x        				version: "%.4s"

# Simple eCos string signatures
0		string	ecos					eCos RTOS string reference:
>0		string	x						"%s"
0		string	eCos					eCos RTOS string reference:
>0		string	x						"%s"
0		string	ECOS					eCos RTOS string reference:
>0		string	x						"%s"

# ZyXEL config signatures
0		string	dbgarea					ZyXEL rom-0 configuration block, name: "%s",{offset-adjust:-6}
>16		beshort	x						compressed size: %d,
>14		beshort	x						uncompressed size: %d,
>18		beshort	x						data offset from start of block: {math:16+%d}

0		string	spt.dat					ZyXEL rom-0 configuration block, name: "%s",{offset-adjust:-6}
>16		beshort	x						compressed size: %d,
>14		beshort	x						uncompressed size: %d,
>18		beshort	x						data offset from start of block: {math:16+%d}

0		string	autoexec.net			ZyXEL rom-0 configuration block, name: "%s",{offset-adjust:-6}
>16		beshort	x						compressed size: %d,
>14		beshort	x						uncompressed size: %d,
>18		beshort	x						data offset from start of block: {math:16+%d}

# Obfuscated Arcadyan firmware, used on the WRT120N
0       belong  0x04010920              Obfuscated Arcadyan firmware (WRT120N?),
>0x68   belong  !0x00D50800             invalid
>0x68   belong  0x00D50800              see https://github.com/devttys0/wrt120n

# Tag Image File Format, from Daniel Quinlan (quinlan@yggdrasil.com)
# The second word of TIFF files is the TIFF version number, 42, which has
# never changed.  The TIFF specification recommends testing for it.
0       string          MM\x00\x2a      TIFF image data, big-endian
0       string          II\x2a\x00      TIFF image data, little-endian

# PNG [Portable Network Graphics, or "PNG's Not GIF"] images
# (Greg Roelofs, newt@uchicago.edu)
# (Albert Cahalan, acahalan@cs.uml.edu)
#
# 137 P N G \r \n ^Z \n [4-byte length] H E A D [HEAD data] [HEAD crc] ...
#
0       string          \x89PNG\x0d\x0a\x1a\x0a         PNG image
>16		belong			<1				invalid
>16		belong			>10000			invalid
>20		belong			<1				invalid
>20		belong			>10000			invalid
>16     belong          x               \b, %d x
>20     belong          x               %d,
>24     byte            x               %d-bit
>25     byte            0               grayscale,
>25     byte            2               \b/color RGB,
>25     byte            3               colormap,
>25     byte            4               gray+alpha,
>25     byte            6               \b/color RGBA,
#>26    byte            0               deflate/32K,
>28     byte            0               non-interlaced
>28     byte            1               interlaced

# GIF
0       string          GIF8            GIF image data
>4      string          7a              \b, version "8%s",
>4      string          9a              \b, version "8%s",
>6      leshort         >0              %d x
>8      leshort         >0              %d
#>10    byte            &0x80           color mapped,
#>10    byte&0x07       =0x00           2 colors
#>10    byte&0x07       =0x01           4 colors
#>10    byte&0x07       =0x02           8 colors
#>10    byte&0x07       =0x03           16 colors
#>10    byte&0x07       =0x04           32 colors
#>10    byte&0x07       =0x05           64 colors
#>10    byte&0x07       =0x06           128 colors
#>10    byte&0x07       =0x07           256 colors

# PC bitmaps (OS/2, Windows BMP files)  (Greg Roelofs, newt@uchicago.edu)
0       string          BM
>14     leshort         12              PC bitmap, OS/2 1.x format
>>18	lelong		<1		invalid
>>18	lelong		>1000000	invalid
>>18    leshort         x               \b, %d x
>>20	lelong		<1		invalid
>>20	lelong		>1000000	invalid
>>20    leshort         x               %d
>14     leshort         64              PC bitmap, OS/2 2.x format
>>18	lelong		<1		invalid
>>18	lelong		>1000000	invalid
>>18    leshort         x               \b, %d x
>>20	lelong		<1		invalid
>>20	lelong		>1000000	invalid
>>20    leshort         x               %d
>14     leshort         40              PC bitmap, Windows 3.x format
>>18	lelong		<1		invalid
>>18	lelong		>1000000	invalid
>>18    lelong          x               \b, %d x
>>22	lelong		<1		invalid
>>22	lelong		>1000000	invalid
>>22    lelong          x               %d x
>>28	lelong		<1		invalid
>>28	lelong		>1000000	invalid
>>28    leshort         x               %d
>14     leshort         128             PC bitmap, Windows NT/2000 format
>>18	lelong		>1000000	invalid
>>18	lelong		<1		invalid
>>18    lelong          x               \b, %d x
>>22	lelong		<1		invalid
>>22	lelong		>1000000	invalid
>>22    lelong          x               %d x
>>28	lelong		<1		invalid
>>28	lelong		>1000000	invalid
>>28    leshort         x               %d

#------------------------------------------------------------------------------
# JPEG images
# SunOS 5.5.1 had
#
#       0       string          \377\330\377\340        JPEG file
#       0       string          \377\330\377\356        JPG file
#
# both of which turn into "JPEG image data" here.
#
0       belong		0xffd8ffe0	JPEG image data, JFIF standard 
>6      string		!JFIF           invalid
# The following added by Erik Rossen <rossen@freesurf.ch> 1999-09-06
# in a vain attempt to add image size reporting for JFIF.  Note that these
# tests are not fool-proof since some perfectly valid JPEGs are currently
# impossible to specify in magic(4) format.
# First, a little JFIF version info:
>11    byte            x               \b %d.
>12    byte            x               \b%02d
# Next, the resolution or aspect ratio of the image:
#>>13   byte            0               \b, aspect ratio
#>>13   byte            1               \b, resolution (DPI)
#>>13   byte            2               \b, resolution (DPCM)
#>>4    beshort         x               \b, segment length %d
# Next, show thumbnail info, if it exists:
>18    byte            !0              \b, thumbnail %dx
>>19   byte            x               \b%d


0	belong		0xffd8ffe1	JPEG image data, EXIF standard
# EXIF moved down here to avoid reporting a bogus version number,
# and EXIF version number printing added.
#   - Patrik R=E5dman <patrik+file-magic@iki.fi>
>6      string          !Exif            invalid
# Look for EXIF IFD offset in IFD 0, and then look for EXIF version tag in EXIF IFD.
# All possible combinations of entries have to be enumerated, since no looping
# is possible. And both endians are possible...
# The combinations included below are from real-world JPEGs.
# Little-endian
>12    string          II
# IFD 0 Entry #5:
>>70   leshort         0x8769
# EXIF IFD Entry #1:
>>>(78.l+14)   leshort 0x9000
>>>>(78.l+23)  byte    x               %c
>>>>(78.l+24)  byte    x               \b.%c
>>>>(78.l+25)  byte    !0x30           \b%c
# IFD 0 Entry #9:
>>118  leshort         0x8769
# EXIF IFD Entry #3:
>>>(126.l+38)  leshort 0x9000
>>>>(126.l+47) byte    x               %c
>>>>(126.l+48) byte    x               \b.%c
>>>>(126.l+49) byte    !0x30           \b%c
# IFD 0 Entry #10
>>130  leshort         0x8769
# EXIF IFD Entry #3:
>>>(138.l+38)  leshort 0x9000
>>>>(138.l+47) byte    x               %c
>>>>(138.l+48) byte    x               \b.%c
>>>>(138.l+49) byte    !0x30           \b%c
# EXIF IFD Entry #4:
>>>(138.l+50)  leshort 0x9000
>>>>(138.l+59) byte    x               %c
>>>>(138.l+60) byte    x               \b.%c
>>>>(138.l+61) byte    !0x30           \b%c
# EXIF IFD Entry #5:
>>>(138.l+62)  leshort 0x9000
>>>>(138.l+71) byte    x               %c
>>>>(138.l+72) byte    x               \b.%c
>>>>(138.l+73) byte    !0x30           \b%c
# IFD 0 Entry #11
>>142  leshort         0x8769
# EXIF IFD Entry #3:
>>>(150.l+38)  leshort 0x9000
>>>>(150.l+47) byte    x               %c
>>>>(150.l+48) byte    x               \b.%c
>>>>(150.l+49) byte    !0x30           \b%c
# EXIF IFD Entry #4:
>>>(150.l+50)  leshort 0x9000
>>>>(150.l+59) byte    x               %c
>>>>(150.l+60) byte    x               \b.%c
>>>>(150.l+61) byte    !0x30           \b%c
# EXIF IFD Entry #5:
>>>(150.l+62)  leshort 0x9000
>>>>(150.l+71) byte    x               %c
>>>>(150.l+72) byte    x               \b.%c
>>>>(150.l+73) byte    !0x30           \b%c
# Big-endian
>12    string          MM
# IFD 0 Entry #9:
>>118  beshort         0x8769
# EXIF IFD Entry #1:
>>>(126.L+14)  beshort 0x9000
>>>>(126.L+23) byte    x               %c
>>>>(126.L+24) byte    x               \b.%c
>>>>(126.L+25) byte    !0x30           \b%c
# EXIF IFD Entry #3:
>>>(126.L+38)  beshort 0x9000
>>>>(126.L+47) byte    x               %c
>>>>(126.L+48) byte    x               \b.%c
>>>>(126.L+49) byte    !0x30           \b%c
# IFD 0 Entry #10
>>130  beshort         0x8769
# EXIF IFD Entry #3:
>>>(138.L+38)  beshort 0x9000
>>>>(138.L+47) byte    x               %c
>>>>(138.L+48) byte    x               \b.%c
>>>>(138.L+49) byte    !0x30           \b%c
# EXIF IFD Entry #5:
>>>(138.L+62)  beshort 0x9000
>>>>(138.L+71) byte    x               %c
>>>>(138.L+72) byte    x               \b.%c
>>>>(138.L+73) byte    !0x30           \b%c
# IFD 0 Entry #11
>>142  beshort         0x8769
# EXIF IFD Entry #4:
>>>(150.L+50)  beshort 0x9000
>>>>(150.L+59) byte    x               %c
>>>>(150.L+60) byte    x               \b.%c
>>>>(150.L+61) byte    !0x30           \b%c
# Here things get sticky.  We can do ONE MORE marker segment with
# indirect addressing, and that's all.  It would be great if we could
# do pointer arithemetic like in an assembler language.  Christos?
# And if there was some sort of looping construct to do searches, plus a few
# named accumulators, it would be even more effective...
# At least we can show a comment if no other segments got inserted before:
>(4.S+5)        byte            0xFE
>>(4.S+8)       string          >\0             \b, comment: "%s"
# FIXME: When we can do non-byte counted strings, we can use that to get
# the string's count, and fix Debian bug #283760
#>(4.S+5)       byte            0xFE            \b, comment
#>>(4.S+6)      beshort         x               \b length=%d
#>>(4.S+8)      string          >\0             \b, "%s"
# Or, we can show the encoding type (I've included only the three most common)
# and image dimensions if we are lucky and the SOFn (image segment) is here:
>(4.S+5)        byte            0xC0            \b, baseline
>>(4.S+6)       byte            x               \b, precision %d
>>(4.S+7)       beshort         x               \b, %dx
>>(4.S+9)       beshort         x               \b%d
>(4.S+5)        byte            0xC1            \b, extended sequential
>>(4.S+6)       byte            x               \b, precision %d
>>(4.S+7)       beshort         x               \b, %dx
>>(4.S+9)       beshort         x               \b%d
>(4.S+5)        byte            0xC2            \b, progressive
>>(4.S+6)       byte            x               \b, precision %d
>>(4.S+7)       beshort         x               \b, %dx
>>(4.S+9)       beshort         x               \b%d
# I've commented-out quantisation table reporting.  I doubt anyone cares yet.
#>(4.S+5)       byte            0xDB            \b, quantisation table
#>>(4.S+6)      beshort         x               \b length=%d
#>14    beshort         x               \b, %d x
#>16    beshort         x               \b %d

0	string	M88888888888888888888888888	Binwalk logo, ASCII art (Toph){offset-adjust:-50}
>27	string	!8888888888\n			invalid


#-------------------------Kernels-------------------------------------

# Linux kernel boot images, from Albert Cahalan <acahalan@cs.uml.edu>
# and others such as Axel Kohlmeyer <akohlmey@rincewind.chemie.uni-ulm.de>
# and Nicolás Lichtmaier <nick@debian.org>
# All known start with: b8 c0 07 8e d8 b8 00 90 8e c0 b9 00 01 29 f6 29
0		string		\xb8\xc0\x07\x8e\xd8\xb8\x00\x90\x8e\xc0\xb9\x00\x01\x29\xf6\x29	Linux kernel boot image
>514	string          !HdrS            							(invalid)

# Finds and prints Linux kernel strings in raw Linux kernels (output like uname -a).
# Commonly found in decompressed embedded kernel binaries.
0	string		Linux\ version\ 	Linux kernel version
>14	byte		0			invalid
>14	byte		!0
>>14	string		x			"%s
>>45	string		x			\b%s"

# eCos kernel exception handlers
#
# mfc0    $k0, Cause       # Cause of last exception
# nop
# andi    $k0, 0x7F
# li      $k1, 0xXXXXXXXX
# add     $k1, $k0
# lw      $k1, 0($k1)
# jr      $k1
# nop
0	string	\x00\x68\x1A\x40\x00\x00\x00\x00\x7F\x00\x5A\x33	eCos kernel exception handler, architecture: MIPSEL,
>14	leshort	!0x3C1B												invalid
>18	leshort	!0x277B												invalid
>12	leshort	x													exception vector table base address: 0x%.4X
>16	leshort	x													\b%.4X
0	string	\x40\x1A\x68\x00\x00\x00\x00\x00\x33\x5A\x00\x7F	eCos kernel exception handler, architecture: MIPS,
>12	beshort	!0x3C1B												invalid
>16	beshort	!0x277B												invalid
>14	beshort	x													exception vector table base address: 0x%.4X
>18	beshort	x													\b%.4X
#
## ------------------------------------------------------------------
## Signature for LZMA compressed data with valid properties byte 0x40
## ------------------------------------------------------------------
#0		string	\x40\x00\x00	LZMA compressed data, properties: 0x40,
#
## These are all the valid dictionary sizes supported by LZMA utils.
#>1		lelong	!65536	
#>>1		lelong	!131072	
#>>>1		lelong	!262144	
#>>>>1		lelong	!524288	
#>>>>>1		lelong	!1048576	
#>>>>>>1		lelong	!2097152	
#>>>>>>>1	lelong	!4194304	
#>>>>>>>>1	lelong	!8388608	
#>>>>>>>>>1	lelong	!16777216	
#>>>>>>>>>>1	lelong	!33554432	invalid
#>1		lelong	x		dictionary size: %d bytes,
#
## Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
## This could technically be valid, but is unlikely.
#>5		lequad	!-1
#>>5		lequad	<32		invalid
#>>5		lequad	>0x40000000	invalid
#
## These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
## Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
## marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
#>1		lelong	65536
#>>5		lequad	65536		invalid
#>1		lelong	131072
#>>5		lequad	131072		invalid
#>1		lelong	262144
#>>5		lequad	262144		invalid
#>1		lelong	524288
#>>5		lequad	524288		invalid
#>1		lelong	1048576
#>>5		lequad	1048576		invalid
#>1		lelong	2097152
#>>5		lequad	2097152		invalid
#>1		lelong	4194304
#>>5		lequad	4194304		invalid
#>1		lelong	8388608
#>>5		lequad	8388608		invalid
#>1		lelong	16777216
#>>5		lequad	16777216	invalid
#>1		lelong	33554432
#>>5		lequad	33554432	invalid
#>5		lequad	x		uncompressed size: %lld bytes
#
#
## ------------------------------------------------------------------
## Signature for LZMA compressed data with valid properties byte 0x41
## ------------------------------------------------------------------
#0		string	\x41\x00\x00	LZMA compressed data, properties: 0x41,
#
## These are all the valid dictionary sizes supported by LZMA utils.
#>1		lelong	!65536	
#>>1		lelong	!131072	
#>>>1		lelong	!262144	
#>>>>1		lelong	!524288	
#>>>>>1		lelong	!1048576	
#>>>>>>1		lelong	!2097152	
#>>>>>>>1	lelong	!4194304	
#>>>>>>>>1	lelong	!8388608	
#>>>>>>>>>1	lelong	!16777216	
#>>>>>>>>>>1	lelong	!33554432	invalid
#>1		lelong	x		dictionary size: %d bytes,
#
## Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
## This could technically be valid, but is unlikely.
#>5		lequad	!-1
#>>5		lequad	<32		invalid
#>>5		lequad	>0x40000000	invalid
#
## These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
## Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
## marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
#>1		lelong	65536
#>>5		lequad	65536		invalid
#>1		lelong	131072
#>>5		lequad	131072		invalid
#>1		lelong	262144
#>>5		lequad	262144		invalid
#>1		lelong	524288
#>>5		lequad	524288		invalid
#>1		lelong	1048576
#>>5		lequad	1048576		invalid
#>1		lelong	2097152
#>>5		lequad	2097152		invalid
#>1		lelong	4194304
#>>5		lequad	4194304		invalid
#>1		lelong	8388608
#>>5		lequad	8388608		invalid
#>1		lelong	16777216
#>>5		lequad	16777216	invalid
#>1		lelong	33554432
#>>5		lequad	33554432	invalid
#>5		lequad	x		uncompressed size: %lld bytes
#
#
## ------------------------------------------------------------------
## Signature for LZMA compressed data with valid properties byte 0x48
## ------------------------------------------------------------------
#0		string	\x48\x00\x00	LZMA compressed data, properties: 0x48,
#
## These are all the valid dictionary sizes supported by LZMA utils.
#>1		lelong	!65536	
#>>1		lelong	!131072	
#>>>1		lelong	!262144	
#>>>>1		lelong	!524288	
#>>>>>1		lelong	!1048576	
#>>>>>>1		lelong	!2097152	
#>>>>>>>1	lelong	!4194304	
#>>>>>>>>1	lelong	!8388608	
#>>>>>>>>>1	lelong	!16777216	
#>>>>>>>>>>1	lelong	!33554432	invalid
#>1		lelong	x		dictionary size: %d bytes,
#
## Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
## This could technically be valid, but is unlikely.
#>5		lequad	!-1
#>>5		lequad	<32		invalid
#>>5		lequad	>0x40000000	invalid
#
## These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
## Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
## marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
#>1		lelong	65536
#>>5		lequad	65536		invalid
#>1		lelong	131072
#>>5		lequad	131072		invalid
#>1		lelong	262144
#>>5		lequad	262144		invalid
#>1		lelong	524288
#>>5		lequad	524288		invalid
#>1		lelong	1048576
#>>5		lequad	1048576		invalid
#>1		lelong	2097152
#>>5		lequad	2097152		invalid
#>1		lelong	4194304
#>>5		lequad	4194304		invalid
#>1		lelong	8388608
#>>5		lequad	8388608		invalid
#>1		lelong	16777216
#>>5		lequad	16777216	invalid
#>1		lelong	33554432
#>>5		lequad	33554432	invalid
#>5		lequad	x		uncompressed size: %lld bytes
#
#
## ------------------------------------------------------------------
## Signature for LZMA compressed data with valid properties byte 0x49
## ------------------------------------------------------------------
#0		string	\x49\x00\x00	LZMA compressed data, properties: 0x49,
#
## These are all the valid dictionary sizes supported by LZMA utils.
#>1		lelong	!65536	
#>>1		lelong	!131072	
#>>>1		lelong	!262144	
#>>>>1		lelong	!524288	
#>>>>>1		lelong	!1048576	
#>>>>>>1		lelong	!2097152	
#>>>>>>>1	lelong	!4194304	
#>>>>>>>>1	lelong	!8388608	
#>>>>>>>>>1	lelong	!16777216	
#>>>>>>>>>>1	lelong	!33554432	invalid
#>1		lelong	x		dictionary size: %d bytes,
#
## Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
## This could technically be valid, but is unlikely.
#>5		lequad	!-1
#>>5		lequad	<32		invalid
#>>5		lequad	>0x40000000	invalid
#
## These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
## Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
## marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
#>1		lelong	65536
#>>5		lequad	65536		invalid
#>1		lelong	131072
#>>5		lequad	131072		invalid
#>1		lelong	262144
#>>5		lequad	262144		invalid
#>1		lelong	524288
#>>5		lequad	524288		invalid
#>1		lelong	1048576
#>>5		lequad	1048576		invalid
#>1		lelong	2097152
#>>5		lequad	2097152		invalid
#>1		lelong	4194304
#>>5		lequad	4194304		invalid
#>1		lelong	8388608
#>>5		lequad	8388608		invalid
#>1		lelong	16777216
#>>5		lequad	16777216	invalid
#>1		lelong	33554432
#>>5		lequad	33554432	invalid
#>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0x51
# ------------------------------------------------------------------
0		string	\x51\x00\x00	LZMA compressed data, properties: 0x51,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0x5A
# ------------------------------------------------------------------
0		string	\x5A\x00\x00	LZMA compressed data, properties: 0x5A,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0x5B
# ------------------------------------------------------------------
0		string	\x5B\x00\x00	LZMA compressed data, properties: 0x5B,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0x5C
# ------------------------------------------------------------------
0		string	\x5C\x00\x00	LZMA compressed data, properties: 0x5C,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0x5D
# ------------------------------------------------------------------
0		string	\x5D\x00\x00	LZMA compressed data, properties: 0x5D,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0x5E
# ------------------------------------------------------------------
0		string	\x5E\x00\x00	LZMA compressed data, properties: 0x5E,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0x63
# ------------------------------------------------------------------
0		string	\x63\x00\x00	LZMA compressed data, properties: 0x63,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0x64
# ------------------------------------------------------------------
0		string	\x64\x00\x00	LZMA compressed data, properties: 0x64,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0x65
# ------------------------------------------------------------------
0		string	\x65\x00\x00	LZMA compressed data, properties: 0x65,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0x66
# ------------------------------------------------------------------
0		string	\x66\x00\x00	LZMA compressed data, properties: 0x66,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0x6C
# ------------------------------------------------------------------
0		string	\x6C\x00\x00	LZMA compressed data, properties: 0x6C,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0x6D
# ------------------------------------------------------------------
0		string	\x6D\x00\x00	LZMA compressed data, properties: 0x6D,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0x6E
# ------------------------------------------------------------------
0		string	\x6E\x00\x00	LZMA compressed data, properties: 0x6E,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0x75
# ------------------------------------------------------------------
0		string	\x75\x00\x00	LZMA compressed data, properties: 0x75,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0x76
# ------------------------------------------------------------------
0		string	\x76\x00\x00	LZMA compressed data, properties: 0x76,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0x7E
# ------------------------------------------------------------------
0		string	\x7E\x00\x00	LZMA compressed data, properties: 0x7E,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0x87
# ------------------------------------------------------------------
0		string	\x87\x00\x00	LZMA compressed data, properties: 0x87,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0x88
# ------------------------------------------------------------------
0		string	\x88\x00\x00	LZMA compressed data, properties: 0x88,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0x89
# ------------------------------------------------------------------
0		string	\x89\x00\x00	LZMA compressed data, properties: 0x89,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0x8A
# ------------------------------------------------------------------
0		string	\x8A\x00\x00	LZMA compressed data, properties: 0x8A,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0x8B
# ------------------------------------------------------------------
0		string	\x8B\x00\x00	LZMA compressed data, properties: 0x8B,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0x90
# ------------------------------------------------------------------
0		string	\x90\x00\x00	LZMA compressed data, properties: 0x90,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0x91
# ------------------------------------------------------------------
0		string	\x91\x00\x00	LZMA compressed data, properties: 0x91,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0x92
# ------------------------------------------------------------------
0		string	\x92\x00\x00	LZMA compressed data, properties: 0x92,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0x93
# ------------------------------------------------------------------
0		string	\x93\x00\x00	LZMA compressed data, properties: 0x93,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0x99
# ------------------------------------------------------------------
0		string	\x99\x00\x00	LZMA compressed data, properties: 0x99,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0x9A
# ------------------------------------------------------------------
0		string	\x9A\x00\x00	LZMA compressed data, properties: 0x9A,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0x9B
# ------------------------------------------------------------------
0		string	\x9B\x00\x00	LZMA compressed data, properties: 0x9B,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0xA2
# ------------------------------------------------------------------
0		string	\xA2\x00\x00	LZMA compressed data, properties: 0xA2,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0xA3
# ------------------------------------------------------------------
0		string	\xA3\x00\x00	LZMA compressed data, properties: 0xA3,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0xAB
# ------------------------------------------------------------------
0		string	\xAB\x00\x00	LZMA compressed data, properties: 0xAB,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0xB4
# ------------------------------------------------------------------
0		string	\xB4\x00\x00	LZMA compressed data, properties: 0xB4,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0xB5
# ------------------------------------------------------------------
0		string	\xB5\x00\x00	LZMA compressed data, properties: 0xB5,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0xB6
# ------------------------------------------------------------------
0		string	\xB6\x00\x00	LZMA compressed data, properties: 0xB6,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0xB7
# ------------------------------------------------------------------
0		string	\xB7\x00\x00	LZMA compressed data, properties: 0xB7,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0xB8
# ------------------------------------------------------------------
0		string	\xB8\x00\x00	LZMA compressed data, properties: 0xB8,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0xBD
# ------------------------------------------------------------------
0		string	\xBD\x00\x00	LZMA compressed data, properties: 0xBD,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0xBE
# ------------------------------------------------------------------
0		string	\xBE\x00\x00	LZMA compressed data, properties: 0xBE,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0xBF
# ------------------------------------------------------------------
0		string	\xBF\x00\x00	LZMA compressed data, properties: 0xBF,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0xC0
# ------------------------------------------------------------------
0		string	\xC0\x00\x00	LZMA compressed data, properties: 0xC0,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0xC6
# ------------------------------------------------------------------
0		string	\xC6\x00\x00	LZMA compressed data, properties: 0xC6,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0xC7
# ------------------------------------------------------------------
0		string	\xC7\x00\x00	LZMA compressed data, properties: 0xC7,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0xC8
# ------------------------------------------------------------------
0		string	\xC8\x00\x00	LZMA compressed data, properties: 0xC8,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0xCF
# ------------------------------------------------------------------
0		string	\xCF\x00\x00	LZMA compressed data, properties: 0xCF,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0xD0
# ------------------------------------------------------------------
0		string	\xD0\x00\x00	LZMA compressed data, properties: 0xD0,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes


# ------------------------------------------------------------------
# Signature for LZMA compressed data with valid properties byte 0xD8
# ------------------------------------------------------------------
0		string	\xD8\x00\x00	LZMA compressed data, properties: 0xD8,

# These are all the valid dictionary sizes supported by LZMA utils.
>1		lelong	!65536	
>>1		lelong	!131072	
>>>1		lelong	!262144	
>>>>1		lelong	!524288	
>>>>>1		lelong	!1048576	
>>>>>>1		lelong	!2097152	
>>>>>>>1	lelong	!4194304	
>>>>>>>>1	lelong	!8388608	
>>>>>>>>>1	lelong	!16777216	
>>>>>>>>>>1	lelong	!33554432	invalid
>1		lelong	x		dictionary size: %d bytes,

# Assume that a valid size will be greater than 32 bytes and less than 1GB (a value of -1 IS valid).
# This could technically be valid, but is unlikely.
>5		lequad	!-1
>>5		lequad	<32		invalid
>>5		lequad	>0x40000000	invalid

# These are not 100%. The uncompressed size could be exactly the same as the dicionary size, but it is unlikely.
# Since most false positives are the result of repeating sequences of bytes (such as executable instructions),
# marking matches with the same uncompressed and dictionary sizes as invalid eliminates much of these false positives.
>1		lelong	65536
>>5		lequad	65536		invalid
>1		lelong	131072
>>5		lequad	131072		invalid
>1		lelong	262144
>>5		lequad	262144		invalid
>1		lelong	524288
>>5		lequad	524288		invalid
>1		lelong	1048576
>>5		lequad	1048576		invalid
>1		lelong	2097152
>>5		lequad	2097152		invalid
>1		lelong	4194304
>>5		lequad	4194304		invalid
>1		lelong	8388608
>>5		lequad	8388608		invalid
>1		lelong	16777216
>>5		lequad	16777216	invalid
>1		lelong	33554432
>>5		lequad	33554432	invalid
>5		lequad	x		uncompressed size: %lld bytes

#------------------------------------------------------------------------------
# $File: pdf,v 1.6 2009/09/19 16:28:11 christos Exp $
# pdf:  file(1) magic for Portable Document Format
#
0       string          %PDF-           PDF document,
>6	byte		!0x2e		invalid
>5      string          x               version: "%3s"

#------------------------------------------------------------------------------
# $File: zyxel,v 1.6 2009/09/19 16:28:13 christos Exp $
# zyxel:  file(1) magic for ZyXEL modems
#
# From <rob@pe1chl.ampr.org>
# These are the /etc/magic entries to decode datafiles as used for the
# ZyXEL U-1496E DATA/FAX/VOICE modems.  (This header conforms to a
# ZyXEL-defined standard)

0       string          ZyXEL\002       ZyXEL voice data
>10     byte            0               \b, CELP encoding
>10     byte&0x0B       1               \b, ADPCM2 encoding
>10     byte&0x0B       2               \b, ADPCM3 encoding
>10     byte&0x0B       3               \b, ADPCM4 encoding
>10     byte&0x0B       8               \b, New ADPCM3 encoding
>10     byte&0x04       4               \b,with resync

0       string          LinuxGuestRecord        Xen saved domain file

0	string		\x3chtml		HTML document header{extract-delay:HTML document footer}
>5	byte		!0x20
>>5	byte		!0x3e			\b, invalid
0	string		\x3cHTML		HTML document header{extract-delay:HTML document footer}
>5	byte		!0x20
>>5	byte		!0x3e			\b, invalid

0	string		\x3c/html\x3e		HTML document footer{offset-adjust:7}
0	string		\x3c/HTML\x3e		HTML document footer{offset-adjust:7}

0	string		\x3c?xml\x20version	XML document,
>15	string		x			version: "%.3s"

# CodeGate 2011 http://nopsrus.blogspot.com/2013/05/codegate-ctf-2011-binary-100-points.html
0    string    \x23\x40\x7e\x5e    Windows Script Encoded Data (screnc.exe)

0   string     /home/              Unix home path string:
>0  string     x                   "%s"

#
# "pcap-ng" capture files.
# http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
# Pcap-ng files can contain multiple sections. Printing the endianness,
# snaplen, or other information from the first SHB may be misleading.
#
0	string		\x0a\x0d\x0d\x0a\x1a\x2b\x3c\x4d	Pcap-ng capture file, big-endian,
>12    beshort         x               			version %d
>14    beshort         x               			\b.%d

0	string		\x0a\x0d\x0d\x0a\x4d\x3c\x2b\x1a	Pcap-ng capture file, little-endian,
>12    leshort         x               			version %d
>14    leshort         x               			\b.%d

#
# "libpcap" capture files.
#
0       string          \xa1\xb2\xc3\xd4\x00      Libpcap capture file, big-endian,
>4	beshort		>2		invalid
>4      beshort         x               version %d
>6      beshort         x               \b.%d,
>20     belong          0               (No link-layer encapsulation
>20     belong          1               (Ethernet
>20     belong          2               (3Mb Ethernet
>20     belong          3               (AX.25
>20     belong          4               (ProNET
>20     belong          5               (CHAOS
>20     belong          6               (Token Ring
>20     belong          7               (BSD ARCNET
>20     belong          8               (SLIP
>20     belong          9               (PPP
>20     belong          10              (FDDI
>20     belong          11              (RFC 1483 ATM
>20     belong          12              (raw IP
>20     belong          13              (BSD/OS SLIP
>20     belong          14              (BSD/OS PPP
>20     belong          19              (Linux ATM Classical IP
>20     belong          50              (PPP or Cisco HDLC
>20     belong          51              (PPP-over-Ethernet
>20     belong          99              (Symantec Enterprise Firewall
>20     belong          100             (RFC 1483 ATM
>20     belong          101             (raw IP
>20     belong          102             (BSD/OS SLIP
>20     belong          103             (BSD/OS PPP
>20     belong          104             (BSD/OS Cisco HDLC
>20     belong          105             (802.11
>20     belong          106             (Linux Classical IP over ATM
>20     belong          107             (Frame Relay
>20     belong          108             (OpenBSD loopback
>20     belong          109             (OpenBSD IPsec encrypted
>20     belong          112             (Cisco HDLC
>20     belong          113             (Linux "cooked"
>20     belong          114             (LocalTalk
>20     belong          117             (OpenBSD PFLOG
>20     belong          119             (802.11 with Prism header
>20     belong          122             (RFC 2625 IP over Fibre Channel
>20     belong          123             (SunATM
>20     belong          127             (802.11 with radiotap header
>20     belong          129             (Linux ARCNET
>20     belong          138             (Apple IP over IEEE 1394
>20     belong          140             (MTP2
>20     belong          141             (MTP3
>20     belong          143             (DOCSIS
>20     belong          144             (IrDA
>20     belong          147             (Private use 0
>20     belong          148             (Private use 1
>20     belong          149             (Private use 2
>20     belong          150             (Private use 3
>20     belong          151             (Private use 4
>20     belong          152             (Private use 5
>20     belong          153             (Private use 6
>20     belong          154             (Private use 7
>20     belong          155             (Private use 8
>20     belong          156             (Private use 9
>20     belong          157             (Private use 10
>20     belong          158             (Private use 11
>20     belong          159             (Private use 12
>20     belong          160             (Private use 13
>20     belong          161             (Private use 14
>20     belong          162             (Private use 15
>20     belong          163             (802.11 with AVS header
>20	belong		>163		(invalid link layer
>20	belong		<0		(invalid link layer
>16     belong          x               \b, snaplen: %d)

0       lelong          0xa1b2c3d4      Libpcap capture file, little-endian,
>4	leshort		>2		invalid
>4	leshort		<0		invalid
>4      leshort         x               version %d
>6      leshort         x               \b.%d,
>20     lelong          0               (No link-layer encapsulation
>20     lelong          1               (Ethernet
>20     lelong          2               (3Mb Ethernet
>20     lelong          3               (AX.25
>20     lelong          4               (ProNET
>20     lelong          5               (CHAOS
>20     lelong          6               (Token Ring
>20     lelong          7               (ARCNET
>20     lelong          8               (SLIP
>20     lelong          9               (PPP
>20     lelong          10              (FDDI
>20     lelong          11              (RFC 1483 ATM
>20     lelong          12              (raw IP
>20     lelong          13              (BSD/OS SLIP
>20     lelong          14              (BSD/OS PPP
>20     lelong          19              (Linux ATM Classical IP
>20     lelong          50              (PPP or Cisco HDLC
>20     lelong          51              (PPP-over-Ethernet
>20     lelong          99              (Symantec Enterprise Firewall
>20     lelong          100             (RFC 1483 ATM
>20     lelong          101             (raw IP
>20     lelong          102             (BSD/OS SLIP
>20     lelong          103             (BSD/OS PPP
>20     lelong          104             (BSD/OS Cisco HDLC
>20     lelong          105             (802.11
>20     lelong          106             (Linux Classical IP over ATM
>20     lelong          107             (Frame Relay
>20     lelong          108             (OpenBSD loopback
>20     lelong          109             (OpenBSD IPsec encrypted
>20     lelong          112             (Cisco HDLC
>20     lelong          113             (Linux "cooked"
>20     lelong          114             (LocalTalk
>20     lelong          117             (OpenBSD PFLOG
>20     lelong          119             (802.11 with Prism header
>20     lelong          122             (RFC 2625 IP over Fibre Channel
>20     lelong          123             (SunATM
>20     lelong          127             (802.11 with radiotap header
>20     lelong          129             (Linux ARCNET
>20     lelong          138             (Apple IP over IEEE 1394
>20     lelong          140             (MTP2
>20     lelong          141             (MTP3
>20     lelong          143             (DOCSIS
>20     lelong          144             (IrDA
>20     lelong          147             (Private use 0
>20     lelong          148             (Private use 1
>20     lelong          149             (Private use 2
>20     lelong          150             (Private use 3
>20     lelong          151             (Private use 4
>20     lelong          152             (Private use 5
>20     lelong          153             (Private use 6
>20     lelong          154             (Private use 7
>20     lelong          155             (Private use 8
>20     lelong          156             (Private use 9
>20     lelong          157             (Private use 10
>20     lelong          158             (Private use 11
>20     lelong          159             (Private use 12
>20     lelong          160             (Private use 13
>20     lelong          161             (Private use 14
>20     lelong          162             (Private use 15
>20     lelong          163             (802.11 with AVS header
>20	lelong		>163		(invalid link layer
>20	lelong		<0		(invalid link layer
>16     lelong          x               \b, snaplen: %d)

#------------------------------------------------------------------------------
# $File: sql,v 1.6 2009/09/19 16:28:12 christos Exp $
# sql:  file(1) magic for SQL files
#
# From: "Marty Leisner" <mleisner@eng.mc.xerox.com>
# Recognize some MySQL files.
#
0       beshort                 0xfe01          MySQL table definition file
>2	string			<1		invalid
>2	string			>\11		invalid
>2      byte                    x               Version %d
0       string		        \xfe\xfe\x03    MySQL MISAM index file
>3	string			<1		invalid
>3	string			>\11		invalid
>3      byte                    x               Version %d
0       string                  \xfe\xfe\x07    MySQL MISAM compressed data file
>3	string			<1		invalid
>3	string			>\11		invalid
>3      byte                    x               Version %d
0       string                  \xfe\xfe\x05    MySQL ISAM index file
>3	string			<1		invalid
>3	string			>\11		invalid
>3      byte                    x               Version %d
0       string                  \xfe\xfe\x06    MySQL ISAM compressed data file
>3	string			<1		invalid
>3	string			>\11		invalid
>3      byte                    x               Version %d
0       string                  \376bin         MySQL replication log

#------------------------------------------------------------------------------
# iRiver H Series database file 
# From Ken Guest <ken@linux.ie>
# As observed from iRivNavi.iDB and unencoded firmware
#
0   string              iRivDB  iRiver Database file
>11  string     >\0     Version "%s"
>39  string             iHP-100 [H Series]

#------------------------------------------------------------------------------
# SQLite database files
# Ken Guest <ken@linux.ie>, Ty Sarna, Zack Weinberg
#
# Version 1 used GDBM internally; its files cannot be distinguished
# from other GDBM files.
#
# Version 2 used this format:
0       string  **\x20This\x20file\x20contains\x20an\x20SQLite  SQLite 2.x database

# Version 3 of SQLite allows applications to embed their own "user version"
# number in the database.  Detect this and distinguish those files.

0   string  SQLite\x20format\x203
>60 string  _MTN               Monotone source repository
>60 belong  !0                 SQLite 3.x database, user version %u
>60 belong  0                  SQLite 3.x database
