1 files changed, 188 insertions, 95 deletions
diff --git a/magic/Magdir/database b/magic/Magdir/database
index b00252b..a0300ae 100644
--- a/magic/Magdir/database
+++ b/magic/Magdir/database
@@ -1,6 +1,6 @@
 
 #------------------------------------------------------------------------------
-# $File: database,v 1.43 2014/10/28 15:47:39 christos Exp $
+# $File: database,v 1.52 2017/08/13 00:21:47 christos Exp $
 # database:  file(1) magic for various databases
 #
 # extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk)
@@ -84,7 +84,7 @@
 # From Max Bowsher.
 12	long	0x00040988	Berkeley DB
 >16	long	>0		(Log, version %d, native byte-order)
-12	belong	0x00040988	Berkeley DB 
+12	belong	0x00040988	Berkeley DB
 >16	belong	>0		(Log, version %d, big-endian)
 12	lelong	0x00040988	Berkeley DB
 >16	lelong	>0		(Log, version %d, little-endian)
@@ -103,7 +103,7 @@
 >>>12	long		!0		32bit aligned
 >>>>12	bedouble	8.642135e+130	big-endian
 >>>>>20 long		0		64bit long
->>>>>20 long		!0		32bit long  
+>>>>>20 long		!0		32bit long
 >>>>12	ledouble	8.642135e+130	little-endian
 >>>>>24 long		0		64bit long
 >>>>>24 long		!0		32bit long (i386)
@@ -128,22 +128,22 @@
 # XXX: Weak magic.
 # Alex Ott <ott@jet.msk.su>
 ## Paradox file formats
-#2	  leshort	0x0800	Paradox 
-#>0x39	  byte		3	v. 3.0 
-#>0x39	  byte		4	v. 3.5 
-#>0x39	  byte		9	v. 4.x 
-#>0x39	  byte		10	v. 5.x 
-#>0x39	  byte		11	v. 5.x 
-#>0x39	  byte		12	v. 7.x 
-#>>0x04	  byte		0	indexed .DB data file 
-#>>0x04	  byte		1	primary index .PX file 
-#>>0x04	  byte		2	non-indexed .DB data file 
-#>>0x04	  byte		3	non-incrementing secondary index .Xnn file 
-#>>0x04	  byte		4	secondary index .Ynn file 
-#>>0x04	  byte		5	incrementing secondary index .Xnn file 
-#>>0x04	  byte		6	non-incrementing secondary index .XGn file 
-#>>0x04	  byte		7	secondary index .YGn file 
-#>>>0x04	  byte		8	incrementing secondary index .XGn file 
+#2	  leshort	0x0800	Paradox
+#>0x39	  byte		3	v. 3.0
+#>0x39	  byte		4	v. 3.5
+#>0x39	  byte		9	v. 4.x
+#>0x39	  byte		10	v. 5.x
+#>0x39	  byte		11	v. 5.x
+#>0x39	  byte		12	v. 7.x
+#>>0x04	  byte		0	indexed .DB data file
+#>>0x04	  byte		1	primary index .PX file
+#>>0x04	  byte		2	non-indexed .DB data file
+#>>0x04	  byte		3	non-incrementing secondary index .Xnn file
+#>>0x04	  byte		4	secondary index .Ynn file
+#>>0x04	  byte		5	incrementing secondary index .Xnn file
+#>>0x04	  byte		6	non-incrementing secondary index .XGn file
+#>>0x04	  byte		7	secondary index .YGn file
+#>>>0x04	  byte		8	incrementing secondary index .XGn file
 
 ## XBase database files
 # updated by Joerg Jenderek at Feb 2013
@@ -151,33 +151,33 @@
 # http://www.clicketyclick.dk/databases/xbase/format/dbf.html
 # http://home.f1.htw-berlin.de/scheibl/db/intern/dBase.htm
 # inspect VVYYMMDD , where 1<= MM <= 12 and 1<= DD <= 31
-0	ubelong&0x0000FFFF		<0x00000C20	
+0	ubelong&0x0000FFFF		<0x00000C20
 # skip Infocom game Z-machine
->2		ubyte			>0		
+>2		ubyte			>0
 # skip Androids *.xml
->>3		ubyte			>0		
->>>3		ubyte			<32		
+>>3		ubyte			>0
+>>>3		ubyte			<32
 # 1 < version VV
->>>>0		ubyte			>1		
+>>>>0		ubyte			>1
 # skip HELP.CA3 by test for reserved byte ( NULL )
->>>>>27		ubyte			0		
+>>>>>27		ubyte			0
 # reserved bytes not always 0 ; also found 0x3901 (T4.DBF) ,0x7101 (T5.DBF,T6.DBF)
 #>>>>>30		ubeshort     		x		30NULL?%x
-# possible production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL) 
->>>>>>24	ubelong&0xffFFFFff	>0x01302000	
+# possible production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL)
+>>>>>>24	ubelong&0xffFFFFff	>0x01302000
 # .DBF or .MDX
->>>>>>24	ubelong&0xffFFFFff	<0x01302001	
+>>>>>>24	ubelong&0xffFFFFff	<0x01302001
 # for Xbase Database file (*.DBF) reserved (NULL) for multi-user
->>>>>>>24	ubelong&0xffFFFFff	=0		
+>>>>>>>24	ubelong&0xffFFFFff	=0
 # test for 2 reserved NULL bytes,transaction and encryption byte flag
->>>>>>>>12	ubelong&0xFFFFfEfE	0		
+>>>>>>>>12	ubelong&0xFFFFfEfE	0
 # test for MDX flag
->>>>>>>>>28	ubyte			x		
->>>>>>>>>28	ubyte&0xf8		0		
+>>>>>>>>>28	ubyte			x
+>>>>>>>>>28	ubyte&0xf8		0
 # header size >= 32
->>>>>>>>>>8	uleshort		>31		
+>>>>>>>>>>8	uleshort		>31
 # skip PIC15736.PCX by test for language driver name or field name
->>>>>>>>>>>32	ubyte			>0		
+>>>>>>>>>>>32	ubyte			>0
 #!:mime	application/x-dbf; charset=unknown-8bit ??
 #!:mime	application/x-dbase
 >>>>>>>>>>>>0	use			xbase-type
@@ -202,22 +202,22 @@
 >>>>>>>>>>>>28	ubyte&0x02		2		\b, with memo .FPT
 >>>>>>>>>>>>28	ubyte&0x04		4		\b, DataBaseContainer
 # 1st record offset + 1 = header size
->>>>>>>>>>>>8	uleshort		>0		
->>>>>>>>>>>>(8.s+1)	ubyte		>0		
+>>>>>>>>>>>>8	uleshort		>0
+>>>>>>>>>>>>(8.s+1)	ubyte		>0
 >>>>>>>>>>>>>8		uleshort	>0		\b, at offset %d
->>>>>>>>>>>>>(8.s+1)	ubyte		>0		
+>>>>>>>>>>>>>(8.s+1)	ubyte		>0
 >>>>>>>>>>>>>>&-1	string		>\0		1st record "%s"
-# for multiple index files (*.MDX) Production flag,tag numbers(<=0x30),tag length(<=0x20), reserverd (NULL) 
->>>>>>>24	ubelong&0x0133f7ff	>0		
+# for multiple index files (*.MDX) Production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL)
+>>>>>>>24	ubelong&0x0133f7ff	>0
 # test for reserved NULL byte
->>>>>>>>47	ubyte			0		
+>>>>>>>>47	ubyte			0
 # test for valid TAG key format (0x10 or 0)
->>>>>>>>>559	ubyte&0xeF		0		
+>>>>>>>>>559	ubyte&0xeF		0
 # test MM <= 12
->>>>>>>>>>45	ubeshort		<0x0C20		
->>>>>>>>>>>45	ubyte			>0		
->>>>>>>>>>>>46	ubyte			<32		
->>>>>>>>>>>>>46	ubyte			>0		
+>>>>>>>>>>45	ubeshort		<0x0C20
+>>>>>>>>>>>45	ubyte			>0
+>>>>>>>>>>>>46	ubyte			<32
+>>>>>>>>>>>>>46	ubyte			>0
 #!:mime	application/x-mdx
 >>>>>>>>>>>>>>0		use		xbase-type
 >>>>>>>>>>>>>>0		ubyte		x		\b MDX
@@ -236,11 +236,11 @@
 # 2nd tag name
 #>>>>>>>>>>>>(26.b+548)	string		x		\b, 2nd tag "%.11s"
 #
-#		Print the xBase names of different version variants 
+#		Print the xBase names of different version variants
 0	name				xbase-type
->0	ubyte		<2		
+>0	ubyte		<2
 # 1 < version
->0	ubyte		>1		
+>0	ubyte		>1
 >>0	ubyte		0x02		FoxBase
 # FoxBase+/dBaseIII+, no memo
 >>0	ubyte		0x03		FoxBase+/dBase III
@@ -293,7 +293,7 @@
 # dBASE IV with SQL table, with memo .DBT
 >>0	ubyte		0xCB		dBase IV with SQL table, with memo .DBT
 !:mime	application/x-dbf
-# HiPer-Six format;Clipper SIX, with SMT memo file		
+# HiPer-Six format;Clipper SIX, with SMT memo file
 >>0	ubyte		0xE5		Clipper SIX with memo
 !:mime	application/x-dbf
 # http://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx
@@ -318,12 +318,12 @@
 #		test and print the date of xBase .DBF .MDX
 0	name				xbase-date
 # inspect YYMMDD , where 1<= MM <= 12 and 1<= DD <= 31
->0	ubelong		x		
->1	ubyte		<13		
->>1	ubyte		>0		
->>>2	ubyte		>0		
->>>>2	ubyte		<32		
->>>>>0	ubyte		x		
+>0	ubelong		x
+>1	ubyte		<13
+>>1	ubyte		>0
+>>>2	ubyte		>0
+>>>>2	ubyte		<32
+>>>>>0	ubyte		x
 # YY is interpreted as 20YY or 19YY
 >>>>>>0	ubyte		<100		\b %.2d
 # YY is interpreted 1900+YY; TODO: display yy or 20yy instead 1YY
@@ -333,53 +333,56 @@
 
 #	dBase memo files .DBT or .FPT
 # http://msdn.microsoft.com/en-us/library/8599s21w(v=vs.80).aspx
-16		ubyte		<4		
->16		ubyte		!2		
->>16		ubyte		!1		
+16		ubyte		<4
+>16		ubyte		!2
+>>16		ubyte		!1
 # next free block index is positive
->>>0		ulelong		>0		
+>>>0		ulelong		>0
 # skip many JPG. ZIP, BZ2 by test for reserved bytes NULL , 0|2 , 0|1 , low byte of block size
->>>>17		ubelong&0xFFfdFE00	0x00000000	
+>>>>17		ubelong&0xFFfdFE00	0x00000000
 # skip many RAR by test for low byte 0 ,high byte 0|2|even of block size, 0|a|e|d7 , 0|64h
->>>>>20		ubelong&0xFF01209B	0x00000000	
+>>>>>20		ubelong&0xFF01209B	0x00000000
 # dBASE III
->>>>>>16	ubyte		3		
+>>>>>>16	ubyte		3
 # dBASE III DBT
 >>>>>>>0	use		dbase3-memo-print
 # dBASE III DBT without version, dBASE IV DBT , FoxPro FPT , or many ZIP , DBF garbage
->>>>>>16	ubyte		0		
+>>>>>>16	ubyte		0
 # unusual dBASE III DBT like angest.dbt, dBASE IV DBT with block size 0 , FoxPro FPT ,  or garbage PCX DBF
->>>>>>>20	uleshort	0		
+>>>>>>>20	uleshort	0
 # FoxPro FPT , unusual dBASE III DBT like biblio.dbt or garbage
->>>>>>>>8	ulong		=0		
->>>>>>>>>6	ubeshort	>0		
+>>>>>>>>8	ulong		=0
+>>>>>>>>>6	ubeshort	>0
 # skip emacs.PIF
->>>>>>>>>>4	ushort		0		
+>>>>>>>>>>4	ushort		0
 >>>>>>>>>>>0	use		foxpro-memo-print
 # dBASE III DBT , garbage
->>>>>>>>>6	ubeshort	0		
+>>>>>>>>>6	ubeshort	0
 # skip MM*DD*.bin by test for for reserved NULL byte
->>>>>>>>>>510	ubeshort	0		
+>>>>>>>>>>510	ubeshort	0
 # skip TK-DOS11.img image by looking for memo text
->>>>>>>>>>>512	ubelong		<0xfeffff03	
+>>>>>>>>>>>512	ubelong		<0xfeffff03
 # skip EFI executables by looking for memo text
->>>>>>>>>>>>512	ubelong		>0x1F202020	
->>>>>>>>>>>>>513 ubyte		>0		
+>>>>>>>>>>>>512	ubelong		>0x1F202020
+>>>>>>>>>>>>>513 ubyte		>0
 # unusual dBASE III DBT like adressen.dbt
 >>>>>>>>>>>>>>0	use		dbase3-memo-print
 # dBASE III DBT like angest.dbt, or garbage PCX DBF
->>>>>>>>8	ubelong		!0		
+>>>>>>>>8	ubelong		!0
 # skip PCX and some DBF by test for for reserved NULL bytes
->>>>>>>>>510	ubeshort	0		
+>>>>>>>>>510	ubeshort	0
 # skip some DBF by test of invalid version
->>>>>>>>>>0	ubyte		>5		
->>>>>>>>>>>0	ubyte		<48		
+>>>>>>>>>>0	ubyte		>5
+>>>>>>>>>>>0	ubyte		<48
 >>>>>>>>>>>>0	use		dbase3-memo-print
 # dBASE IV DBT with positive block size
->>>>>>>20	uleshort	>0		
->>>>>>>>0	use		dbase4-memo-print
+>>>>>>>20	uleshort	>0
+# dBASE IV DBT with valid block length like 512, 1024
+# multiple of 2 in between 16 and 16 K ,implies upper and lower bits are zero
+>>>>>>>>20	uleshort&0x800f	0
+>>>>>>>>>0	use		dbase4-memo-print
 
-#		Print the information of dBase III DBT memo file 
+#		Print the information of dBase III DBT memo file
 0	name				dbase3-memo-print
 >0	ubyte			x		dBase III DBT
 # instead 3 as version number 0 for unusual examples like biblio.dbt
@@ -392,43 +395,45 @@
 >20	uleshort		!0		\b, block length %u
 # dBase III memo field terminated by \032\032
 >512	string			>\0		\b, 1st item "%s"
-#		Print the information of dBase IV DBT memo file 
+#		Print the information of dBase IV DBT memo file
 0	name				dbase4-memo-print
 >0		lelong		x		dBase IV DBT
+!:mime	application/x-dbt
+!:ext dbt
 # 8 character shorted main name of coresponding dBASE IV DBF file
->8		ubelong		>0x20000000	
+>8		ubelong		>0x20000000
 # skip unusual like for angest.dbt
->>20		uleshort	>0	
+>>20		uleshort	>0
 >>>8		string		>\0		\b of %-.8s.DBF
 # value 0 implies 512 as size
 #>4		ulelong		=0		\b, blocks size %u
 # size of blocks not reliable like 0x2020204C in angest.dbt
->4		ulelong		!0		
+>4		ulelong		!0
 >>4		ulelong&0x0000003f	0	\b, blocks size %u
 # dBase IV DBT with positive block length (found 512 , 1024)
 >20		uleshort	>0		\b, block length %u
 # next available block
 #>0		lelong		=0		\b, next free block index %u
 >0		lelong		!0		\b, next free block index %u
->20		uleshort	>0		
->>(20.s)	ubelong		x		
+>20		uleshort	>0
+>>(20.s)	ubelong		x
 >>>&-4		use		dbase4-memofield-print
 # unusual dBase IV DBT without block length (implies 512 as length)
->20		uleshort	=0		
->>512		ubelong		x		
+>20		uleshort	=0
+>>512		ubelong		x
 >>>&-4		use				dbase4-memofield-print
-#		Print the information of dBase IV memo field 
+#		Print the information of dBase IV memo field
 0	name			dbase4-memofield-print
 # free dBase IV memo field
->0		ubelong		!0xFFFF0800	
+>0		ubelong		!0xFFFF0800
 >>0		lelong		x		\b, next free block %u
 >>4		lelong		x		\b, next used block %u
 # used dBase IV memo field
->0		ubelong		=0xFFFF0800	
+>0		ubelong		=0xFFFF0800
 # length of memo field
 >>4		lelong		x		\b, field length %d
 >>>8		string		>\0		\b, 1st used item "%s"
-#		Print the information of FoxPro FPT memo file 
+#		Print the information of FoxPro FPT memo file
 0	name				foxpro-memo-print
 >0		belong		x		FoxPro FPT
 # Size of blocks for FoxPro ( 64,256 )
@@ -436,14 +441,14 @@
 # next available block
 #>0		belong		=0		\b, next free block index %u
 >0		belong		!0		\b, next free block index %u
-# field type ( 0~picture, 1~memo, 2~object ) 
+# field type ( 0~picture, 1~memo, 2~object )
 >512		ubelong		<3		\b, field type %u
 # length of memo field
->512		ubelong		1		
+>512		ubelong		1
 >>516		belong		>0		\b, field length %d
 >>>520		string		>\0		\b, 1st item "%s"
 
-# TODO: 
+# TODO:
 # DBASE index file *.NDX
 # DBASE Compound Index file *.CDX
 # dBASE IV Printer Driver *.PRF
@@ -455,6 +460,52 @@
 4	string	Standard\ ACE\ DB	Microsoft Access Database
 !:mime	application/x-msaccess
 
+# From: Joerg Jenderek
+# URL: http://fileformats.archiveteam.org/wiki/Extensible_Storage_Engine
+# Reference: https://github.com/libyal/libesedb/archive/master.zip
+#	libesedb-master/documentation/
+#	Extensible Storage Engine (ESE) Database File (EDB) format.asciidoc
+# Note: also known as "JET Blue". Used by numerous Windows components such as
+# Windows Search, Mail, Exchange and Active Directory.
+4	ubelong		0xefcdab89
+# unknown1
+>132	ubelong		0		Extensible storage engine
+!:mime	application/x-ms-ese
+# file_type 0~database 1~stream
+>>12	ulelong		0		DataBase
+# Security DataBase (sdb)
+!:ext	edb/sdb
+>>12	ulelong		1		STreaMing
+!:ext	stm
+# format_version 620h
+>>8	uleshort	x		\b, version 0x%x
+>>10	uleshort	>0		revision 0x%4.4x
+>>0	ubelong		x	 	\b, checksum 0x%8.8x
+# Page size 4096 8192 32768
+>>236	ulequad		x		\b, page size %lld
+# database_state
+>>52	ulelong		1		\b, JustCreated
+>>52	ulelong		2		\b, DirtyShutdown
+#>>52	ulelong		3		\b, CleanShutdown
+>>52	ulelong		4		\b, BeingConverted
+>>52	ulelong		5		\b, ForceDetach
+# Windows�NT major version when the databases indexes were updated.
+>>216	ulelong		x		\b, Windows version %d
+# Windows�NT minor version
+>>220	ulelong		x		\b.%d
+
+# From: Joerg Jenderek
+# URL: http://forensicswiki.org/wiki/Windows_Application_Compatibility
+# Note: files contain application compatibility fixes, application compatibility modes and application help messages.
+8	string		sdbf
+>7	ubyte		0
+# TAG_TYPE_LIST+TAG_INDEXES
+>>12	uleshort	0x7802		Windows application compatibility Shim DataBase
+# version? 2 3
+#>>>0	ulelong		x		\b, version %d
+!:mime	application/x-ms-sdb
+!:ext	sdb
+
 # TDB database from Samba et al - Martin Pool <mbp@samba.org>
 0	string	TDB\ file		TDB database
 >32	lelong	0x2601196D		version 6, little-endian
@@ -533,9 +584,51 @@
 
 # From:  Stephane Blondon http://www.yaal.fr
 # Database file for Zope (done by FileStorage)
-0	string		FS21	Zope Object Database File Storage (data)
+0	string	FS21	Zope Object Database File Storage v3 (data)
+0	string	FS30	Zope Object Database File Storage v4 (data)
+
 # Cache file for the database of Zope (done by ClientStorage)
 0	string		ZEC3	Zope Object Database Client Cache File (data)
 
 # IDA (Interactive Disassembler) database
 0	string		IDA1	IDA (Interactive Disassembler) database
+
+# Hopper (reverse engineering tool) http://www.hopperapp.com/
+0	string		hopperdb	Hopper database
+
+# URL: https://en.wikipedia.org/wiki/Panorama_(database_engine)
+# Reference: http://www.provue.com/Panorama/
+# From: Joerg Jenderek
+# NOTE: test only versions 4 and 6.0 with Windows
+# length of Panorama database name
+5	ubyte				>0
+# look after database name for "some" null bits
+>(5.B+7)	ubelong&0xF3ffF000	0
+# look for first keyword
+>>&1		search/2		DESIGN		Panorama database
+#!:mime	application/x-panorama-database
+!:apple	KASXZEPD
+!:ext	pan
+# database name
+>>>5	pstring				x		\b, "%s"
+
+#
+#
+# askSam Database by Stefan A. Haubenthal <polluks@web.de>
+0	string	askw40\0	askSam DB
+
+#
+#
+# MUIbase Database Tool by Stefan A. Haubenthal <polluks@web.de>
+0	string	MBSTV\040	MUIbase DB
+>6	string	x		version %s
+
+#
+# CDB database
+0	string	NBCDB\012	NetBSD Constant Database
+>7	byte	x		\b, version %d
+>8	string	x		\b, for '%s'
+>24	lelong	x		\b, datasize %d
+>28	lelong	x		\b, entries %d
+>32	lelong	x		\b, index %d
+>36	lelong	x		\b, seed %#x