Magic numbers are common in programs across many operating systems. Magic numbers implement strongly typed data and are a form of in-band signaling to the controlling program that reads the data type(s) at program run-time. Many files have such constants that identify the contained data. Detecting such constants in files is a simple and effective way of distinguishing between many file formats and can yield further run-time informations.
Some examples:
- Compiled Java class files (bytecode) start with hex
CAFEBABE. When compressed with Pack200the bytes are changed toCAFED00D. - GIF image files have the ASCII code for "GIF89a" (
474946383961) or "GIF87a" (474946383761) - JPEG image files begin with
FFD8and end withFFD9. JPEG/JFIF files contain the ASCII code for "JFIF" (4A464946) as a null terminated string. JPEG/Exif files contain the ASCII code for "Exif" (45786966) also as a null terminated string, followed by more metadata about the file. - PNG image files begin with an 8-byte signature which identifies the file as a PNG file and allows detection of common file transfer problems:
\211PNG\r\n\032\n(89504E470D0A1A0A). That signature contains various newline characters to permit detecting unwarranted automated newline conversions, such as transferring the file using FTP with the ASCII transfer mode instead of the binary mode. - Standard MIDI music files have the ASCII code for "MThd" (
4D546864) followed by more metadata. - Unix script files usually start with a shebang, "#!" (
2321) followed by the path to an interpreter. - PostScript files and programs start with "%!" (
2521). - PDF files start with "%PDF" (hex
25504446). - MS-DOS EXE files and the EXE stub of the Microsoft Windows PE (Portable Executable) files start with the characters "MZ" (
4D5A), the initials of the designer of the file format, Mark Zbikowski. The definition allows "ZM" (5A4D) as well, but this is quite uncommon. - The Berkeley Fast File System superblock format is identified as either
19540119or011954depending on version; both represent the birthday of the author, Marshall Kirk McKusick. - The Master Boot Record of bootable storage devices on almost all IA-32 IBM PC compatibles has a code of
AA55as its last two bytes. - Executables for the Game Boy and Game Boy Advance handheld video game systems have a 48-byte or 156-byte magic number, respectively, at a fixed spot in the header. This magic number encodes a bitmap of the Nintendo logo.
- Amiga software executable Hunk files running on Amiga classic 68000 machines all started with the hexadecimal number $000003f3, nicknamed the "Magic Cookie."
- Amiga's black screen of death called Guru Meditation, in its first version, when the machine hung up for uncertain reasons, showed the hexadecimal number 48454C50, which stands for "HELP" in hexadecimal ASCII characters (48=H, 45=E, 4C=L, 50=P).
- In the Amiga, the only absolute address in the system is hex $0000 0004 (memory location 4), which contains the start location called SysBase, a pointer to exec.library, the so-called kernel of Amiga.
- PEF files, used by Mac OS and BeOS for PowerPC executables, contain the ASCII code for "Joy!" (
4A6F7921) as a prefix. - TIFF files begin with either
IIorMMfollowed by 42 as a two-byte integer in little or big endian byte ordering.IIis for Intel, which uses little endian byte ordering, so the magic number is49492A00.MMis for Motorola, which uses big endian byte ordering, so the magic number is4D4D002A. - Unicode text files encoded in UTF-16 often start with the Byte Order Mark to detect endianness(
FEFFfor big endian andFFFEfor little endian). UTF-8 text files often start with the UTF-8 encoding of the same character,EFBBBF. - LLVM Bitcode files start with
BC(0x42, 0x43) - WAD files start with
IWADorPWAD(for doom),WAD2(for quekc) andWAD3(for Half-life). - Microsoft Office document files start with
D0CF11E0, which is visually suggestive of the word "DOCFILE0". - Headers in ZIP files begin with "PK" (
504B), the initials of Phil Katz, author of DOS compression utility PKZIP.
Tidak ada komentar:
Posting Komentar