Last active
May 5, 2016 22:10
-
-
Save Ke-/e5b6c997e089dd3fad01e795b8d0d9a9 to your computer and use it in GitHub Desktop.
file_signature detection for Lasso 9.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Base on https://en.wikipedia.org/wiki/List_of_file_signatures | |
| define file_signature(filedata::bytes) => { | |
| local(hex) = #filedata->sub(1, 32)->encodehex | |
| match(true) => { | |
| case(#hex->substring(1, 2) == "00") return (: "PIC","PIF","SEA","YTR") | |
| case(#hex->substring(12, 16) == "0000000000000000") return (: "PDB") | |
| case(#hex->substring(12, 16) == "0000000000000000") return (: "PDB") | |
| case(#hex->substring(12, 16) == "0000000000000000") return (: "PDB") | |
| case(#hex->substring(1, 8) == "BEBAFECA") return (: "DBA") | |
| case(#hex->substring(1, 8) == "00014244") return (: "DBA") | |
| case(#hex->substring(1, 8) == "00014454") return (: "TDA") | |
| case(#hex->substring(1, 8) == "00010000") return (: "PDA") | |
| case(#hex->substring(1, 8) == "00000100") return (: "ico") | |
| case(#hex->substring(5, 12) == "667479703367") return (: "3gp","3g2") | |
| case(#hex->substring(1, 4) == "1F9D") return (: "z","tar.z") | |
| case(#hex->substring(1, 4) == "1FA0") return (: "z","tar.z") | |
| case(#hex->substring(1, 16) == "4241434B4D494B45") return (: "bac") | |
| case(#hex->substring(1, 8) == "4449534B") return (: "bac") | |
| case(#hex->substring(1, 6) == "425A68") return (: "bz2") | |
| case(#hex->substring(1, 12) == "474946383761") return (: "gif") | |
| case(#hex->substring(1, 12) == "474946383961") return (: "gif") | |
| case(#hex->substring(1, 8) == "49492A00") return (: "tif","tiff") | |
| case(#hex->substring(1, 8) == "4D4D002A") return (: "tif","tiff") | |
| case(#hex->substring(1, 16) == "49492A0010000000") return (: "cr2") | |
| case(#hex->substring(1, 4) == "4352") return (: "cr2") | |
| case(#hex->substring(1, 8) == "802A5FD7") return (: "cin") | |
| case(#hex->substring(1, 8) == "53445058") return (: "dpx") | |
| case(#hex->substring(1, 8) == "58504453") return (: "dpx") | |
| case(#hex->substring(1, 8) == "762F3101") return (: "exr") | |
| case(#hex->substring(1, 8) == "425047FB") return (: "bpg") | |
| case(#hex->substring(1, 8) == "FFD8FFE1" && #hex->substring(13, 4) == "4578") return (: "jpg","jpeg") | |
| case(#hex->substring(1, 8) == "69660000") return (: "jpg","jpeg") | |
| case(#hex->substring(1, 8) == "464F524D") return (: "ilbm","lbm","ibm","iff") | |
| case(#hex->substring(1, 8) == "494C424D") return (: "ilbm","lbm","ibm","iff") | |
| case(#hex->substring(1, 8) == "464F524D") return (: "8svx","8sv","svx","snd","iff") | |
| case(#hex->substring(1, 8) == "38535658") return (: "8svx","8sv","svx","snd","iff") | |
| case(#hex->substring(1, 8) == "464F524D") return (: "acbm","iff") | |
| case(#hex->substring(1, 8) == "4143424D") return (: "acbm","iff") | |
| case(#hex->substring(1, 8) == "464F524D") return (: "anbm","iff") | |
| case(#hex->substring(1, 8) == "414E424D") return (: "anbm","iff") | |
| case(#hex->substring(1, 8) == "464F524D") return (: "anim","iff") | |
| case(#hex->substring(1, 8) == "414E494D") return (: "anim","iff") | |
| case(#hex->substring(1, 8) == "464F524D") return (: "faxx","fax","iff") | |
| case(#hex->substring(1, 8) == "46415858") return (: "faxx","fax","iff") | |
| case(#hex->substring(1, 8) == "464F524D") return (: "ftxt","txt","iff") | |
| case(#hex->substring(1, 8) == "46545854") return (: "ftxt","txt","iff") | |
| case(#hex->substring(1, 8) == "464F524D") return (: "smus","smu","mus","iff") | |
| case(#hex->substring(1, 8) == "534D5553") return (: "smus","smu","mus","iff") | |
| case(#hex->substring(1, 8) == "464F524D") return (: "cmus","mus","iff") | |
| case(#hex->substring(1, 8) == "434D5553") return (: "cmus","mus","iff") | |
| case(#hex->substring(1, 8) == "464F524D") return (: "yuvn","yuv","iff") | |
| case(#hex->substring(1, 8) == "5955564E") return (: "yuvn","yuv","iff") | |
| case(#hex->substring(1, 8) == "464F524D") return (: "iff") | |
| case(#hex->substring(1, 8) == "46414E54") return (: "iff") | |
| case(#hex->substring(1, 8) == "464F524D") return (: "aiff","aif","aifc","snd","iff") | |
| case(#hex->substring(1, 8) == "41494646") return (: "aiff","aif","aifc","snd","iff") | |
| case(#hex->substring(1, 8) == "494E4458") return (: "idx") | |
| case(#hex->substring(1, 4) == "4D5A") return (: "exe") | |
| case(#hex->substring(1, 8) == "504B0304") return (: "zip","jar","odt","ods","odp","docx","xlsx","pptx","vsdx","apk") | |
| case(#hex->substring(1, 8) == "504B0506") return (: "zip","jar","odt","ods","odp","docx","xlsx","pptx","vsdx","apk") | |
| case(#hex->substring(1, 8) == "504B0708") return (: "zip","jar","odt","ods","odp","docx","xlsx","pptx","vsdx","apk") | |
| case(#hex->substring(1, 14) == "526172211A0700") return (: "rar") | |
| case(#hex->substring(1, 16) == "526172211A070100") return (: "rar") | |
| case(#hex->substring(1, 8) == "7F454C46") return (: "elf") | |
| case(#hex->substring(1, 16) == "89504E470D0A1A0A") return (: "png") | |
| case(#hex->substring(1, 8) == "CAFEBABE") return (: "class") | |
| case(#hex->substring(1, 6) == "EFBBBF") return (: "utf8") | |
| case(#hex->substring(1, 8) == "FEEDFACE") return (: "maco") | |
| case(#hex->substring(1, 8) == "FEEDFACF") return (: "maco") | |
| case(#hex->substring(1, 8) == "CEFAEDFE") return (: "maco") | |
| case(#hex->substring(1, 8) == "CFFAEDFE") return (: "maco") | |
| case(#hex->substring(1, 4) == "FFFE") return (: "unicode16") | |
| case(#hex->substring(1, 8) == "FFFE0000") return (: "unicode32") | |
| case(#hex->substring(1, 8) == "25215053") return (: "ps") | |
| case(#hex->substring(1, 8) == "25504446") return (: "pdf") | |
| case(#hex->substring(1, 16) == "3026B2758E66CF11") return (: "asf","wma","wmv") | |
| case(#hex->substring(1, 16) == "A6D900AA0062CE6C") return (: "asf","wma","wmv") | |
| case(#hex->substring(1, 16) == "2453444930303031") return (: "sysimage") | |
| case(#hex->substring(1, 8) == "4F676753") return (: "ogg","oga","ogv") | |
| case(#hex->substring(1, 8) == "38425053") return (: "psd") | |
| case(#hex->substring(1, 8) == "52494646") return (: "wav") | |
| case(#hex->substring(1, 8) == "57415645") return (: "wav") | |
| case(#hex->substring(1, 8) == "52494646") return (: "avi") | |
| case(#hex->substring(1, 8) == "41564920") return (: "avi") | |
| case(#hex->substring(1, 4) == "FFFB") return (: "mp3") | |
| case(#hex->substring(1, 6) == "494433") return (: "mp3") | |
| case(#hex->substring(1, 4) == "424D") return (: "bmp","dib") | |
| case(#hex->substring(1, 10) == "4344303031") return (: "iso") | |
| case(#hex->substring(1, 16) == "53494D504C452020") return (: "fits") | |
| case(#hex->substring(1, 16) == "3D20202020202020") return (: "fits") | |
| case(#hex->substring(1, 16) == "2020202020202020") return (: "fits") | |
| case(#hex->substring(1, 12) == "202020202054") return (: "fits") | |
| case(#hex->substring(1, 8) == "664C6143") return (: "flac") | |
| case(#hex->substring(1, 8) == "4D546864") return (: "mid","midi") | |
| case(#hex->substring(1, 16) == "D0CF11E0A1B11AE1") return (: "doc","xls","ppt","msg") | |
| case(#hex->substring(1, 16) == "6465780A30333500") return (: "dex") | |
| case(#hex->substring(1, 6) == "4B444D") return (: "vmdk") | |
| case(#hex->substring(1, 8) == "43723234") return (: "crx") | |
| case(#hex->substring(1, 8) == "41474433") return (: "fh8") | |
| case(#hex->substring(1, 16) == "05070000424F424F") return (: "cwk") | |
| case(#hex->substring(1, 16) == "0507000000000000") return (: "cwk") | |
| case(#hex->substring(1, 12) == "000000000001") return (: "cwk") | |
| case(#hex->substring(1, 16) == "0607E100424F424F") return (: "cwk") | |
| case(#hex->substring(1, 16) == "0607E10000000000") return (: "cwk") | |
| case(#hex->substring(1, 12) == "000000000001") return (: "cwk") | |
| case(#hex->substring(1, 12) == "455202000000") return (: "toast") | |
| case(#hex->substring(1, 14) == "8B455202000000") return (: "toast") | |
| case(#hex->substring(1, 14) == "7801730D626260") return (: "dmg") | |
| case(#hex->substring(1, 8) == "78617221") return (: "xar") | |
| case(#hex->substring(1, 16) == "504D4F43434D4F43") return (: "dat") | |
| case(#hex->substring(1, 8) == "4E45531A") return (: "nes") | |
| case(#hex->substring(1, 16) == "7573746172003030") return (: "tar") | |
| case(#hex->substring(1, 16) == "7573746172202000") return (: "tar") | |
| case(#hex->substring(1, 8) == "746F7833") return (: "tox") | |
| case(#hex->substring(1, 8) == "4D4C5649") return (: "MLV") | |
| case(#hex->substring(1, 16) == "44434D0150413330") return (: "dmc") | |
| case(#hex->substring(1, 12) == "377ABCAF271C") return (: "7z") | |
| case(#hex->substring(1, 4) == "1F8B") return (: "gz","tar.gz") | |
| case(#hex->substring(1, 8) == "04224D18") return (: "lz4") | |
| case(#hex->substring(1, 8) == "4D534346") return (: "cab") | |
| case(#hex->substring(1, 8) == "464C4946") return (: "flif") | |
| case(#hex->substring(1, 8) == "1A45DFA3") return (: "mkv","mka","mks","mk3d","webm") | |
| case(#hex->substring(1, 16) == "41542654464F524D" && #hex->substring(25, 6) == "444A56") return (: "djvu","djv") | |
| } | |
| retrun staticarray | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment