#------------------------------------------------------------------------------
# $File: msdos,v 1.137 2020/03/20 17:20:19 christos Exp $
# msdos: file(1) magic for MS-DOS files
#

# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com)
# updated by Joerg Jenderek at Oct 2008,Apr 2011
0 string/t @
>1 string/cW \ echo\ off DOS batch file text
!:mime text/x-msdos-batch
!:ext bat
>1 string/cW echo\ off DOS batch file text
!:mime text/x-msdos-batch
!:ext bat
>1 string/cW rem DOS batch file text
!:mime text/x-msdos-batch
!:ext bat
>1 string/cW set\ DOS batch file text
!:mime text/x-msdos-batch
!:ext bat


# OS/2 batch files are REXX. the second regex is a bit generic, oh well
# the matched commands seem to be common in REXX and uncommon elsewhere
100 search/0xffff rxfuncadd
>100 regex/c =^[\ \t]{0,10}call[\ \t]{1,10}rxfunc OS/2 REXX batch file text
100 search/0xffff say
>100 regex/c =^[\ \t]{0,10}say\ ['"] OS/2 REXX batch file text

# updated by Joerg Jenderek at Oct 2015
# https://de.wikipedia.org/wiki/Common_Object_File_Format
# http://www.delorie.com/djgpp/doc/coff/filhdr.html
# ./intel already labeled COFF type 0x14c=0514 as "80386 COFF executable"
#0 leshort 0x14c MS Windows COFF Intel 80386 object file
#>4 ledate x stamp %s
0 leshort 0x166 MS Windows COFF MIPS R4000 object file
#>4 ledate x stamp %s
0 leshort 0x184 MS Windows COFF Alpha object file
#>4 ledate x stamp %s
0 leshort 0x268 MS Windows COFF Motorola 68000 object file
#>4 ledate x stamp %s
0 leshort 0x1f0 MS Windows COFF PowerPC object file
#>4 ledate x stamp %s
0 leshort 0x290 MS Windows COFF PA-RISC object file
#>4 ledate x stamp %s

# Tests for various EXE types.
#
# Many of the compressed formats were extracted from IDARC 1.23 source code.
#
0 string/b MZ
# All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file.
>0x18 leshort <0x40 MS-DOS executable
!:mime application/x-dosexec
# Windows and later versions of DOS will allow .EXEs to be named with a .COM
# extension, mostly for compatibility's sake.
!:ext exe/com
# These traditional tests usually work but not always. When test quality support is
# implemented these can be turned on.
#>>0x18 leshort 0x1c (Borland compiler)
#>>0x18 leshort 0x1e (MS compiler)

# Maybe it's a PE?
>(0x3c.l) string PE\0\0 PE
!:mime application/x-dosexec
>>(0x3c.l+24) leshort 0x010b \b32 executable
>>(0x3c.l+24) leshort 0x020b \b32+ executable
>>(0x3c.l+24) leshort 0x0107 ROM image
>>(0x3c.l+24) default x Unknown PE signature
>>>&0 leshort x 0x%x
>>(0x3c.l+22) leshort&0x2000 >0 (DLL)
>>(0x3c.l+92) leshort 1
# Native PEs include ntoskrnl.exe, hal.dll, smss.exe, autochk.exe, and all the
# drivers in Windows/System32/drivers/*.sys.
>>>(0x3c.l+22) leshort&0x2000 >0 (native)
!:ext dll/sys
>>>(0x3c.l+22) leshort&0x2000 0 (native)
!:ext exe/sys
>>(0x3c.l+92) leshort 2
>>>(0x3c.l+22) leshort&0x2000 >0 (GUI)
# These could probably be at least partially distinguished from one another by
# looking for specific exported functions.
# CPL: Control Panel item
# TLB: Type library
# OCX: OLE/ActiveX control
# ACM: Audio compression manager codec
# AX: DirectShow source filter
# IME: Input method editor
!:ext dll/cpl/tlb/ocx/acm/ax/ime
>>>(0x3c.l+22) leshort&0x2000 0 (GUI)
# Screen savers typically include code from the scrnsave.lib static library, but
# that's not guaranteed.
!:ext exe/scr
>>(0x3c.l+92) leshort 3
>>>(0x3c.l+22) leshort&0x2000 >0 (console)
!:ext dll/cpl/tlb/ocx/acm/ax/ime
>>>(0x3c.l+22) leshort&0x2000 0 (console)
!:ext exe/com
# https://docs.microsoft.com/en-us/windows/win32/debug/pe-format
>>(0x3c.l+92) leshort 7 (POSIX)
>>(0x3c.l+92) leshort 9 (Windows CE)
>>(0x3c.l+92) leshort 10 (EFI application)
>>(0x3c.l+92) leshort 11 (EFI boot service driver)
>>(0x3c.l+92) leshort 12 (EFI runtime driver)
>>(0x3c.l+92) leshort 13 (EFI ROM)
>>(0x3c.l+92) leshort 14 (XBOX)
>>(0x3c.l+92) leshort 15 (Windows boot application)
>>(0x3c.l+92) default x (Unknown subsystem
>>>&0 leshort x 0x%x)
>>(0x3c.l+4) leshort 0x14c Intel 80386
>>(0x3c.l+4) leshort 0x166 MIPS R4000
>>(0x3c.l+4) leshort 0x168 MIPS R10000
>>(0x3c.l+4) leshort 0x184 Alpha
>>(0x3c.l+4) leshort 0x1a2 Hitachi SH3
>>(0x3c.l+4) leshort 0x1a3 Hitachi SH3 DSP
>>(0x3c.l+4) leshort 0x1a8 Hitachi SH5
>>(0x3c.l+4) leshort 0x169 MIPS WCE v2
>>(0x3c.l+4) leshort 0x1a6 Hitachi SH4
>>(0x3c.l+4) leshort 0x1c0 ARM
>>(0x3c.l+4) leshort 0x1c2 ARM Thumb
>>(0x3c.l+4) leshort 0x1c4 ARMv7 Thumb
>>(0x3c.l+4) leshort 0x1d3 Matsushita AM33
>>(0x3c.l+4) leshort 0x1f0 PowerPC
>>(0x3c.l+4) leshort 0x1f1 PowerPC with FPU
>>(0x3c.l+4) leshort 0x1f2 PowerPC (big-endian)
>>(0x3c.l+4) leshort 0x200 Intel Itanium
>>(0x3c.l+4) leshort 0x266 MIPS16
>>(0x3c.l+4) leshort 0x268 Motorola 68000
>>(0x3c.l+4) leshort 0x290 PA-RISC
>>(0x3c.l+4) leshort 0x366 MIPSIV
>>(0x3c.l+4) leshort 0x466 MIPS16 with FPU
>>(0x3c.l+4) leshort 0xebc EFI byte code
>>(0x3c.l+4) leshort 0x5032 RISC-V 32-bit
>>(0x3c.l+4) leshort 0x5064 RISC-V 64-bit
>>(0x3c.l+4) leshort 0x5128 RISC-V 128-bit
>>(0x3c.l+4) leshort 0x9041 Mitsubishi M32R
>>(0x3c.l+4) leshort 0x8664 x86-64
>>(0x3c.l+4) leshort 0xaa64 Aarch64
>>(0x3c.l+4) leshort 0xc0ee MSIL
>>(0x3c.l+4) default x Unknown processor type
>>>&0 leshort x 0x%x
>>(0x3c.l+22) leshort&0x0200 >0 (stripped to external PDB)
>>(0x3c.l+22) leshort&0x1000 >0 system file
>>(0x3c.l+24) leshort 0x010b
>>>(0x3c.l+232) lelong >0 Mono/.Net assembly
>>(0x3c.l+24) leshort 0x020b
>>>(0x3c.l+248) lelong >0 Mono/.Net assembly

# hooray, there's a DOS extender using the PE format, with a valid PE
# executable inside (which just prints a message and exits if run in win)
>>(8.s*16) string 32STUB \b, 32rtm DOS extender
>>(8.s*16) string !32STUB \b, for MS Windows
>>(0x3c.l+0xf8) string UPX0 \b, UPX compressed
>>(0x3c.l+0xf8) search/0x140 PEC2 \b, PECompact2 compressed
>>(0x3c.l+0xf8) search/0x140 UPX2
>>>(&0x10.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
>>(0x3c.l+0xf8) search/0x140 .idata
>>>(&0xe.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
>>>(&0xe.l+(-4)) string ZZ0 \b, ZZip self-extracting archive
>>>(&0xe.l+(-4)) string ZZ1 \b, ZZip self-extracting archive
>>(0x3c.l+0xf8) search/0x140 .rsrc
>>>(&0x0f.l+(-4)) string a\\\4\5 \b, WinHKI self-extracting archive
>>>(&0x0f.l+(-4)) string Rar! \b, RAR self-extracting archive
>>>(&0x0f.l+(-4)) search/0x3000 MSCF \b, InstallShield self-extracting archive
>>>(&0x0f.l+(-4)) search/32 Nullsoft \b, Nullsoft Installer self-extracting archive
>>(0x3c.l+0xf8) search/0x140 .data
>>>(&0x0f.l) string WEXTRACT \b, MS CAB-Installer self-extracting archive
>>(0x3c.l+0xf8) search/0x140 .petite\0 \b, Petite compressed
>>>(0x3c.l+0xf7) byte x
>>>>(&0x104.l+(-4)) string =!sfx! \b, ACE self-extracting archive
>>(0x3c.l+0xf8) search/0x140 .WISE \b, WISE installer self-extracting archive
>>(0x3c.l+0xf8) search/0x140 .dz\0\0\0 \b, Dzip self-extracting archive
>>&(0x3c.l+0xf8) search/0x100 _winzip_ \b, ZIP self-extracting archive (WinZip)
>>&(0x3c.l+0xf8) search/0x100 SharedD \b, Microsoft Installer self-extracting archive
>>0x30 string Inno \b, InnoSetup self-extracting archive

# If the relocation table is 0x40 or more bytes into the file, it's definitely
# not a DOS EXE.
>0x18 leshort >0x3f

# Hmm, not a PE but the relocation table is too high for a traditional DOS exe,
# must be one of the unusual subformats.
>>(0x3c.l) string !PE\0\0 MS-DOS executable
!:mime application/x-dosexec

>>(0x3c.l) string NE \b, NE
!:mime application/x-dosexec
>>>(0x3c.l+0x36) byte 1 for OS/2 1.x
>>>(0x3c.l+0x36) byte 2 for MS Windows 3.x
>>>(0x3c.l+0x36) byte 3 for MS-DOS
>>>(0x3c.l+0x36) byte 4 for Windows 386
>>>(0x3c.l+0x36) byte 5 for Borland Operating System Services
>>>(0x3c.l+0x36) default x
>>>>(0x3c.l+0x36) byte x (unknown OS %x)
>>>(0x3c.l+0x36) byte 0x81 for MS-DOS, Phar Lap DOS extender
>>>(0x3c.l+0x0c) leshort&0x8000 0x8000 (DLL or font)
# DRV: Driver
# 3GR: Grabber device driver
# CPL: Control Panel Item
# VBX: Visual Basic Extension
# FON: Bitmap font
# FOT: Font resource file
!:ext dll/drv/3gr/cpl/vbx/fon/fot
>>>(0x3c.l+0x0c) leshort&0x8000 0 (EXE)
!:ext exe/scr
>>>&(&0x24.s-1) string ARJSFX \b, ARJ self-extracting archive
>>>(0x3c.l+0x70) search/0x80 WinZip(R)\ Self-Extractor \b, ZIP self-extracting archive (WinZip)

>>(0x3c.l) string LX\0\0 \b, LX
!:mime application/x-dosexec
>>>(0x3c.l+0x0a) leshort <1 (unknown OS)
>>>(0x3c.l+0x0a) leshort 1 for OS/2
>>>(0x3c.l+0x0a) leshort 2 for MS Windows
>>>(0x3c.l+0x0a) leshort 3 for DOS
>>>(0x3c.l+0x0a) leshort >3 (unknown OS)
>>>(0x3c.l+0x10) lelong&0x28000 =0x8000 (DLL)
>>>(0x3c.l+0x10) lelong&0x20000 >0 (device driver)
>>>(0x3c.l+0x10) lelong&0x300 0x300 (GUI)
>>>(0x3c.l+0x10) lelong&0x28300 <0x300 (console)
>>>(0x3c.l+0x08) leshort 1 i80286
>>>(0x3c.l+0x08) leshort 2 i80386
>>>(0x3c.l+0x08) leshort 3 i80486
>>>(8.s*16) string emx \b, emx
>>>>&1 string x %s
>>>&(&0x54.l-3) string arjsfx \b, ARJ self-extracting archive

# MS Windows system file, supposedly a collection of LE executables
>>(0x3c.l) string W3 \b, W3 for MS Windows
!:mime application/x-dosexec

>>(0x3c.l) string LE\0\0 \b, LE executable
!:mime application/x-dosexec
>>>(0x3c.l+0x0a) leshort 1
# some DOS extenders use LE files with OS/2 header
>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender
>>>>0x240 search/0x200 WATCOM\ C/C++ for MS-DOS, DOS4GW DOS extender
>>>>0x440 search/0x100 CauseWay\ DOS\ Extender for MS-DOS, CauseWay DOS extender
>>>>0x40 search/0x40 PMODE/W for MS-DOS, PMODE/W DOS extender
>>>>0x40 search/0x40 STUB/32A for MS-DOS, DOS/32A DOS extender (stub)
>>>>0x40 search/0x80 STUB/32C for MS-DOS, DOS/32A DOS extender (configurable stub)
>>>>0x40 search/0x80 DOS/32A for MS-DOS, DOS/32A DOS extender (embedded)
# this is a wild guess; hopefully it is a specific signature
>>>>&0x24 lelong <0x50
>>>>>(&0x4c.l) string \xfc\xb8WATCOM
>>>>>>&0 search/8 3\xdbf\xb9 \b, 32Lite compressed
# another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP
#>>>>(0x3c.l+0x1c) lelong >0x10000 for OS/2
# fails with DOS-Extenders.
>>>(0x3c.l+0x0a) leshort 2 for MS Windows
>>>(0x3c.l+0x0a) leshort 3 for DOS
>>>(0x3c.l+0x0a) leshort 4 for MS Windows (VxD)
# VXD: VxD for Windows 95/98/Me
# 386: VxD for Windows 2.10, 3.0, 3.1x
# PDR: Port driver
# MPD: Miniport driver (?)
!:ext vxd/386/pdr/mpd
>>>(&0x7c.l+0x26) string UPX \b, UPX compressed
>>>&(&0x54.l-3) string UNACE \b, ACE self-extracting archive

# looks like ASCII, probably some embedded copyright message.
# and definitely not NE/LE/LX/PE
>>0x3c lelong >0x20000000
>>>(4.s*512) leshort !0x014c \b, MZ for MS-DOS
!:mime application/x-dosexec
!:ext exe/com
# header data too small for extended executable
>2 long !0
>>0x18 leshort <0x40
>>>(4.s*512) leshort !0x014c

>>>>&(2.s-514) string !LE
>>>>>&-2 string !BW \b, MZ for MS-DOS
!:mime application/x-dosexec
>>>>&(2.s-514) string LE \b, LE
>>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender
# educated guess since indirection is still not capable enough for complex offset
# calculations (next embedded executable would be at &(&2*512+&0-2)
# I suspect there are only LE executables in these multi-exe files
>>>>&(2.s-514) string BW
>>>>>0x240 search/0x100 DOS/4G \b, LE for MS-DOS, DOS4GW DOS extender (embedded)
>>>>>0x240 search/0x100 !DOS/4G \b, BW collection for MS-DOS

# This sequence skips to the first COFF segment, usually .text
>(4.s*512) leshort 0x014c \b, COFF
!:mime application/x-dosexec
>>(8.s*16) string go32stub for MS-DOS, DJGPP go32 DOS extender
>>(8.s*16) string emx
>>>&1 string x for DOS, Win or OS/2, emx %s
>>&(&0x42.l-3) byte x
>>>&0x26 string UPX \b, UPX compressed
# and yet another guess: small .text, and after large .data is unusual, could be 32lite
>>&0x2c search/0xa0 .text
>>>&0x0b lelong <0x2000
>>>>&0 lelong >0x6000 \b, 32lite compressed

>(8.s*16) string $WdX \b, WDos/X DOS extender

# By now an executable type should have been printed out. The executable
# may be a self-uncompressing archive, so look for evidence of that and
# print it out.
#
# Some signatures below from Greg Roelofs, newt@uchicago.edu.
#
>0x35 string \x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05 \b, aPack compressed
>0xe7 string LH/2\ Self-Extract \b, %s
>0x1c string UC2X \b, UCEXE compressed
>0x1c string WWP\ \b, WWPACK compressed
>0x1c string RJSX \b, ARJ self-extracting archive
>0x1c string diet \b, diet compressed
>0x1c string LZ09 \b, LZEXE v0.90 compressed
>0x1c string LZ91 \b, LZEXE v0.91 compressed
>0x1c string tz \b, TinyProg compressed
>0x1e string Copyright\ 1989-1990\ PKWARE\ Inc. Self-extracting PKZIP archive
!:mime application/zip
# Yes, this really is "Copr", not "Corp."
>0x1e string PKLITE\ Copr. Self-extracting PKZIP archive
!:mime application/zip
# winarj stores a message in the stub instead of the sig in the MZ header
>0x20 search/0xe0 aRJsfX \b, ARJ self-extracting archive
>0x20 string AIN
>>0x23 string 2 \b, AIN 2.x compressed
>>0x23 string <2 \b, AIN 1.x compressed
>>0x23 string >2 \b, AIN 1.x compressed
>0x24 string LHa's\ SFX \b, LHa self-extracting archive
!:mime application/x-lha
>0x24 string LHA's\ SFX \b, LHa self-extracting archive
!:mime application/x-lha
>0x24 string \ $ARX \b, ARX self-extracting archive
>0x24 string \ $LHarc \b, LHarc self-extracting archive
>0x20 string SFX\ by\ LARC \b, LARC self-extracting archive
>0x40 string aPKG \b, aPackage self-extracting archive
>0x64 string W\ Collis\0\0 \b, Compack compressed
>0x7a string Windows\ self-extracting\ ZIP \b, ZIP self-extracting archive
>>&0xf4 search/0x140 \x0\x40\x1\x0
>>>(&0.l+(4)) string MSCF \b, WinHKI CAB self-extracting archive
>1638 string -lh5- \b, LHa self-extracting archive v2.13S
>0x17888 string Rar! \b, RAR self-extracting archive

# Skip to the end of the EXE. This will usually work fine in the PE case
# because the MZ image is hardcoded into the toolchain and almost certainly
# won't match any of these signatures.
>(4.s*512) long x
>>&(2.s-517) byte x
>>>&0 string PK\3\4 \b, ZIP self-extracting archive
>>>&0 string Rar! \b, RAR self-extracting archive
>>>&0 string =!\x11 \b, AIN 2.x self-extracting archive
>>>&0 string =!\x12 \b, AIN 2.x self-extracting archive
>>>&0 string =!\x17 \b, AIN 1.x self-extracting archive
>>>&0 string =!\x18 \b, AIN 1.x self-extracting archive
>>>&7 search/400 **ACE** \b, ACE self-extracting archive
>>>&0 search/0x480 UC2SFX\ Header \b, UC2 self-extracting archive

# a few unknown ZIP sfxes, no idea if they are needed or if they are
# already captured by the generic patterns above
>(8.s*16) search/0x20 PKSFX \b, ZIP self-extracting archive (PKZIP)
# TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extracting archive
#

# TELVOX Teleinformatica CODEC self-extractor for OS/2:
>49801 string \x79\xff\x80\xff\x76\xff \b, CODEC archive v3.21
>>49824 leshort =1 \b, 1 file
>>49824 leshort >1 \b, %u files

# added by Joerg Jenderek of https://www.freedos.org/software/?prog=kc
# and https://www.freedos.org/software/?prog=kpdos
# for FreeDOS files like KEYBOARD.SYS, KEYBRD2.SYS, KEYBRD3.SYS, *.KBD
0 string/b KCF FreeDOS KEYBoard Layout collection
# only version=0x100 found
>3 uleshort x \b, version 0x%x
# length of string containing author,info and special characters
>6 ubyte >0
#>>6 pstring x \b, name=%s
>>7 string >\0 \b, author=%-.14s
>>7 search/254 \xff \b, info=
#>>>&0 string x \b%-s
>>>&0 string x \b%-.15s
# for FreeDOS *.KL files
0 string/b KLF FreeDOS KEYBoard Layout file
# only version=0x100 or 0x101 found
>3 uleshort x \b, version 0x%x
# stringlength
>5 ubyte >0
>>8 string x \b, name=%-.2s
0 string \xffKEYB\ \ \ \0\0\0\0
>12 string \0\0\0\0`\004\360 MS-DOS KEYBoard Layout file

# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017
# https://amaus.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009
0 ulequad&0x07a0ffffffff 0xffffffff
>0 use msdos-driver
0 name msdos-driver DOS executable (
#!:mime application/octet-stream
!:mime application/x-dosdriver
# also found FreeDOS print driver SPOOL.DEV and disc compression driver STACLOAD.BIN
!:ext sys/dev/bin
>40 search/7 UPX! \bUPX compressed
# DOS device driver attributes
>4 uleshort&0x8000 0x0000 \bblock device driver
# character device
>4 uleshort&0x8000 0x8000 \b
>>4 uleshort&0x0008 0x0008 \bclock
# fast video output by int 29h
>>4 uleshort&0x0010 0x0010 \bfast
# standard input/output device
>>4 uleshort&0x0003 >0 \bstandard
>>>4 uleshort&0x0001 0x0001 \binput
>>>4 uleshort&0x0003 0x0003 \b/
>>>4 uleshort&0x0002 0x0002 \boutput
>>4 uleshort&0x8000 0x8000 \bcharacter device driver
>0 ubyte x
# upx compressed device driver has garbage instead of real in name field of header
>>40 search/7 UPX!
>>40 default x
# leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped
>>>12 ubyte >0x2E \b
>>>>10 ubyte >0x20
>>>>>10 ubyte !0x2E
>>>>>>10 ubyte !0x2A \b%c
>>>>11 ubyte >0x20
>>>>>11 ubyte !0x2E \b%c
>>>>12 ubyte >0x20
>>>>>12 ubyte !0x39
>>>>>>12 ubyte !0x2E \b%c
>>>13 ubyte >0x20
>>>>13 ubyte !0x2E \b%c
>>>>14 ubyte >0x20
>>>>>14 ubyte !0x2E \b%c
>>>>15 ubyte >0x20
>>>>>15 ubyte !0x2E \b%c
>>>>16 ubyte >0x20
>>>>>16 ubyte !0x2E
>>>>>>16 ubyte <0xCB \b%c
>>>>17 ubyte >0x20
>>>>>17 ubyte !0x2E
>>>>>>17 ubyte <0x90 \b%c
# some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field
>>>12 ubyte <0x2F
# they have their real name at offset 22
# also block device drivers like DUMBDRV.SYS
>>>>22 string >\056 %-.6s
>4 uleshort&0x8000 0x0000
# 32 bit sector addressing ( > 32 MB) for block devices
>>4 uleshort&0x0002 0x0002 \b,32-bit sector-
# support by driver functions 13h, 17h, 18h
>4 uleshort&0x0040 0x0040 \b,IOCTL-
# open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh
>4 uleshort&0x0800 0x0800 \b,close media-
# output until busy support by int 10h for character device driver
>4 uleshort&0x8000 0x8000
>>4 uleshort&0x2000 0x2000 \b,until busy-
# direct read/write support by driver functions 03h,0Ch
>4 uleshort&0x4000 0x4000 \b,control strings-
>4 uleshort&0x8000 0x8000
>>4 uleshort&0x6840 >0 \bsupport
>4 uleshort&0x8000 0x0000
>>4 uleshort&0x4842 >0 \bsupport
>0 ubyte x \b)
# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header
0 ulequad 0x0513c00000000012
>0 use msdos-driver
# DOS drivers DC2975.SYS, DUMBDRV.SYS, ECHO.SYS has also none 0xffffffff for pointer field
0 ulequad 0x32f28000ffff0016
>0 use msdos-driver
0 ulequad 0x007f00000000ffff
>0 use msdos-driver
0 ulequad 0x001600000000ffff
>0 use msdos-driver
# DOS drivers LS120.SYS, MKELS120.SYS use reserved bits of attribute field
0 ulequad 0x0bf708c2ffffffff
>0 use msdos-driver
0 ulequad 0x07bd08c2ffffffff
>0 use msdos-driver

# updated by Joerg Jenderek
# GRR: line below too general as it catches also
# rt.lib DYADISKS.PIC and many more
# start with assembler instruction MOV
0 ubyte 0x8c
# skip "AppleWorks word processor data" like ARTICLE.1 ./apple
>4 string !O====
# skip some unknown basic binaries like RocketRnger.SHR
>>5 string !MAIN
# skip "GPG symmetrically encrypted data" ./gnu
# skip "PGP symmetric key encrypted data" ./pgp
# openpgpdefs.h: fourth byte < 14 indicate cipher algorithm type
>>>4 ubyte >13 DOS executable (COM, 0x8C-variant)
# the remaining files should be DOS *.COM executables
# dosshell.COM 8cc0 2ea35f07 e85211 e88a11 b80058 cd
# hmload.COM 8cc8 8ec0 bbc02b 89dc 83c30f c1eb04 b4
# UNDELETE.COM 8cca 2e8916 6503 b430 cd21 8b 2e0200 8b
# BOOTFIX.COM 8cca 2e8916 9603 b430 cd21 8b 2e0200 8b
# RAWRITE3.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
# SHARE.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
# validchr.COM 8cca 2e8916 9603 b430 cd21 8b 2e028b1e
# devload.COM 8cca 8916ad01 b430 cd21 8b2e0200 892e
!:mime application/x-dosexec
!:ext com

# updated by Joerg Jenderek at Oct 2008
0 ulelong 0xffff10eb DR-DOS executable (COM)
# byte 0xeb conflicts with "sequent" magic leshort 0xn2eb
0 ubeshort&0xeb8d >0xeb00
# DR-DOS STACKER.COM SCREATE.SYS missed

0 name msdos-com
>0 byte x DOS executable (COM)
!:mime application/x-dosexec
!:ext com
>6 string SFX\ of\ LHarc \b, %s
>0x1FE leshort 0xAA55 \b, boot code
>85 string UPX \b, UPX compressed
>4 string \ $ARX \b, ARX self-extracting archive
>4 string \ $LHarc \b, LHarc self-extracting archive
>0x20e string SFX\ by\ LARC \b, LARC self-extracting archive

# JMP 8bit
0 byte 0xeb
# allow forward jumps only
>1 byte >-1
# that offset must be accessible
>>(1.b+2) byte x
>>>0 use msdos-com

# JMP 16bit
0 byte 0xe9
# forward jumps
>1 short >-1
# that offset must be accessible
>>(1.s+3) byte x
>>>0 use msdos-com
# negative offset, must not lead into PSP
>1 short <-259
# that offset must be accessible
>>(1,s+65539) byte x
>>>0 use msdos-com

# updated by Joerg Jenderek at Oct 2008,2015
# following line is too general
0 ubyte 0xb8
# skip 2 linux kernels like memtest.bin with "\xb8\xc0\x07\x8e" in ./linux
>0 string !\xb8\xc0\x07\x8e
# modified by Joerg Jenderek
# syslinux COM32 or COM32R executable
>>1 lelong&0xFFFFFFFe 0x21CD4CFe COM executable (32-bit COMBOOT
# https://www.syslinux.org/wiki/index.php/Comboot_API
# Since version 5.00 c32 modules switched from the COM32 object format to ELF
!:mime application/x-c32-comboot-syslinux-exec
!:ext c32
# https://syslinux.zytor.com/comboot.php
# older syslinux version ( <4 )
# (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode
# start with assembler instructions mov eax,21cd4cffh
>>>1 lelong 0x21CD4CFf \b)
# syslinux:doc/comboot.txt
# A COM32R program must start with the byte sequence B8 FE 4C CD 21 (mov
# eax,21cd4cfeh) as a magic number.
# syslinux version (4.x)
# "COM executable (COM32R)" or "Syslinux COM32 module" by TrID
>>>1 lelong 0x21CD4CFe \b, relocatable)
# remaining are DOS COM executables starting with assembler instruction MOV
# like FreeDOS BANNER*.COM FINDDISK.COM GIF2RAW.COM WINCHK.COM
# MS-DOS SYS.COM RESTART.COM
# SYSLINUX.COM (version 1.40 - 2.13)
# GFXBOOT.COM (version 3.75)
# COPYBS.COM POWEROFF.COM INT18.COM
>>1 default x COM executable for DOS
!:mime application/x-dosexec
#!:mime application/x-ms-dos-executable
#!:mime application/x-msdos-program
!:ext com

0 string/b \x81\xfc
>4 string \x77\x02\xcd\x20\xb9
>>36 string UPX! FREE-DOS executable (COM), UPX compressed
!:mime application/x-dosexec
!:ext com
252 string Must\ have\ DOS\ version DR-DOS executable (COM)
!:mime application/x-dosexec
!:ext com
# added by Joerg Jenderek at Oct 2008
# GRR search is not working
#34 search/2 UPX! FREE-DOS executable (COM), UPX compressed
34 string UPX! FREE-DOS executable (COM), UPX compressed
!:mime application/x-dosexec
!:ext com
35 string UPX! FREE-DOS executable (COM), UPX compressed
!:mime application/x-dosexec
!:ext com
# GRR search is not working
#2 search/28 \xcd\x21 COM executable for MS-DOS
#WHICHFAT.cOM
2 string \xcd\x21 COM executable for DOS
!:mime application/x-dosexec
!:ext com
#DELTREE.cOM DELTREE2.cOM
4 string \xcd\x21 COM executable for DOS
!:mime application/x-dosexec
!:ext com
#IFMEMDSK.cOM ASSIGN.cOM COMP.cOM
5 string \xcd\x21 COM executable for DOS
!:mime application/x-dosexec
!:ext com
#DELTMP.COm HASFAT32.cOM
7 string \xcd\x21
>0 byte !0xb8 COM executable for DOS
!:mime application/x-dosexec
!:ext com
#COMP.cOM MORE.COm
10 string \xcd\x21
>5 string !\xcd\x21 COM executable for DOS
!:mime application/x-dosexec
!:ext com
#comecho.com
13 string \xcd\x21 COM executable for DOS
!:mime application/x-dosexec
!:ext com
#HELP.COm EDIT.coM
18 string \xcd\x21 COM executable for MS-DOS
!:mime application/x-dosexec
!:ext com
#NWRPLTRM.COm
23 string \xcd\x21 COM executable for MS-DOS
!:mime application/x-dosexec
!:ext com
#LOADFIX.cOm LOADFIX.cOm
30 string \xcd\x21 COM executable for MS-DOS
!:mime application/x-dosexec
!:ext com
#syslinux.com 3.11
70 string \xcd\x21 COM executable for DOS
!:mime application/x-dosexec
!:ext com
# many compressed/converted COMs start with a copy loop instead of a jump
0x6 search/0xa \xfc\x57\xf3\xa5\xc3 COM executable for MS-DOS
!:mime application/x-dosexec
!:ext com
0x6 search/0xa \xfc\x57\xf3\xa4\xc3 COM executable for DOS
!:mime application/x-dosexec
!:ext com
>0x18 search/0x10 \x50\xa4\xff\xd5\x73 \b, aPack compressed
0x3c string W\ Collis\0\0 COM executable for MS-DOS, Compack compressed
!:mime application/x-dosexec
!:ext com
# FIXME: missing diet .com compression

# miscellaneous formats
0 string/b LZ MS-DOS executable (built-in)
#0 byte 0xf0 MS-DOS program library data
#

# AAF files:
# <stuartc@rd.bbc.co.uk> Stuart Cunningham
0 string/b \320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377 AAF legacy file using MS Structured Storage
>30 byte 9 (512B sectors)
>30 byte 12 (4kB sectors)
0 string/b \320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001 AAF file using MS Structured Storage
>30 byte 9 (512B sectors)
>30 byte 12 (4kB sectors)

# Popular applications
#
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/DOC
# Reference: https://web.archive.org/web/20170206041048/
# http://www.msxnet.org/word2rtf/formats/ffh-dosword5
# wIdent+dty
0 belong 0x31be0000
# skip droid skeleton
like x-fmt-274-signature-id-488.doc 670d38c30c0SXin LI>128 ubyte >0 Microsoft 671d38c30c0SXin LI>>96 uleshort =0 Word 672b6cee71dSXin LI!:mime application/msword 673d38c30c0SXin LI!:apple MSWDWDBN 674d38c30c0SXin LI# DCX is used in the Unix version. 675d38c30c0SXin LI!:ext doc/dcx 676d38c30c0SXin LI>>>0x6E ulequad =0 1.0-4.0 677d38c30c0SXin LI>>>0x6E ulequad !0 5.0-6.0 678d38c30c0SXin LI>>>0x6E ulequad x (DOS) Document 679d38c30c0SXin LI# https://web.archive.org/web/20130831064118/http://msxnet.org/word2rtf/formats/write.txt 680d38c30c0SXin LI>>96 uleshort !0 Write 3.0 (Windows) Document 681d38c30c0SXin LI!:mime application/x-mswrite 682d38c30c0SXin LI!:apple MSWDWDBN 683d38c30c0SXin LI# sometimes also doc like in splitter.doc srchtest.doc 684d38c30c0SXin LI!:ext wri/doc 685d38c30c0SXin LI# wTool must be 0125400 octal 686d38c30c0SXin LI#>>4 uleshort !0xAB00 \b, wTool %o 687d38c30c0SXin LI# reserved; must be zero 688d38c30c0SXin LI#>>6 ulelong !0 \b, reserved %u 689d38c30c0SXin LI# block pointer to the block containing optional file manager information 690d38c30c0SXin LI#>>0x1C uleshort x \b, at 0x%x info block 691d38c30c0SXin LI# jump to File manager information block 692d38c30c0SXin LI>>(0x1C.s*128) uleshort x 693d38c30c0SXin LI# test for valid information start; maybe also 0012h 694d38c30c0SXin LI>>>&-2 uleshort =0x0014 695d38c30c0SXin LI# Document ASCIIZ name 696d38c30c0SXin LI>>>>&0x12 string x %s 697d38c30c0SXin LI# author name 698d38c30c0SXin LI>>>>>&1 string x \b, author %s 699d38c30c0SXin LI# reviser name 700d38c30c0SXin LI>>>>>>&1 string x \b, reviser %s 701d38c30c0SXin LI# keywords 702d38c30c0SXin LI>>>>>>>&1 string x \b, keywords %s 703d38c30c0SXin LI# comment 704d38c30c0SXin LI>>>>>>>>&1 string x \b, comment %s 705d38c30c0SXin LI# version number 706d38c30c0SXin LI>>>>>>>>>&1 string x \b, version %s 707d38c30c0SXin LI# date of last change MM/DD/YY 708d38c30c0SXin LI>>>>>>>>>>&1 string x \b, %-.8s 709d38c30c0SXin LI# creation date MM/DD/YY 710d38c30c0SXin 
LI>>>>>>>>>>&9 string x created %-.8s 711d38c30c0SXin LI# file name of print format like NORMAL.STY 712d38c30c0SXin LI>>0x1E string >0 \b, formatted by %-.66s 713d38c30c0SXin LI# count of pages in whole file for write variant; maybe some times wrong 714d38c30c0SXin LI>>96 uleshort >0 \b, %u pages 715d38c30c0SXin LI# name of the printer driver like HPLASMS 716d38c30c0SXin LI>>0x62 string >0 \b, %-.8s printer 717d38c30c0SXin LI# number of blocks used in the file; seems to be 0 for Word 4.0 and Write 3.0 718d38c30c0SXin LI>>0x6A uleshort >0 \b, %u blocks 719d38c30c0SXin LI# bit field for corrected text areas 720d38c30c0SXin LI#>>0x6C uleshort x \b, 0x%x bit field 721d38c30c0SXin LI# text of document; some times start with 4 non printable characters like CR LF 722d38c30c0SXin LI>>128 ubyte x \b, 723d38c30c0SXin LI>>>128 ubyte >0x1F 724d38c30c0SXin LI>>>>128 string x %s 725d38c30c0SXin LI>>>128 ubyte <0x20 726d38c30c0SXin LI>>>>129 ubyte >0x1F 727d38c30c0SXin LI>>>>>129 string x %s 728d38c30c0SXin LI>>>>129 ubyte <0x20 729d38c30c0SXin LI>>>>>130 ubyte >0x1F 730d38c30c0SXin LI>>>>>>130 string x %s 731d38c30c0SXin LI>>>>>130 ubyte <0x20 732d38c30c0SXin LI>>>>>>131 ubyte >0x1F 733d38c30c0SXin LI>>>>>>>131 string x %s 734d38c30c0SXin LI>>>>>>131 ubyte <0x20 735d38c30c0SXin LI>>>>>>>132 ubyte >0x1F 736d38c30c0SXin LI>>>>>>>>132 string x %s 737d38c30c0SXin LI>>>>>>>132 ubyte <0x20 738d38c30c0SXin LI>>>>>>>>133 ubyte >0x1F 739d38c30c0SXin LI>>>>>>>>>133 string x %s 740b6cee71dSXin LI# 741b6cee71dSXin LI0 string/b PO^Q` Microsoft Word 6.0 Document 742b6cee71dSXin LI!:mime application/msword 743b6cee71dSXin LI# 74440427ccaSGordon Tetlow4 long 0 74540427ccaSGordon Tetlow>0 belong 0xfe320000 Microsoft Word for Macintosh 1.0 746b6cee71dSXin LI!:mime application/msword 74740427ccaSGordon Tetlow!:ext mcw 74840427ccaSGordon Tetlow>0 belong 0xfe340000 Microsoft Word for Macintosh 3.0 749b6cee71dSXin LI!:mime application/msword 75040427ccaSGordon Tetlow!:ext mcw 75140427ccaSGordon 
Tetlow>0 belong 0xfe37001c Microsoft Word for Macintosh 4.0 75240427ccaSGordon Tetlow!:mime application/msword 75340427ccaSGordon Tetlow!:ext mcw 75440427ccaSGordon Tetlow>0 belong 0xfe370023 Microsoft Word for Macintosh 5.0 75540427ccaSGordon Tetlow!:mime application/msword 75640427ccaSGordon Tetlow!:ext mcw 75740427ccaSGordon Tetlow 75840427ccaSGordon Tetlow0 string/b \333\245-\0\0\0 Microsoft Word 2.0 Document 75940427ccaSGordon Tetlow!:mime application/msword 76040427ccaSGordon Tetlow!:ext doc 76158a0f0d0SEitan Adler# Note: seems already recognized as "OLE 2 Compound Document" in ./ole2compounddocs 76258a0f0d0SEitan Adler#512 string/b \354\245\301 Microsoft Word Document 76358a0f0d0SEitan Adler#!:mime application/msword 764b6cee71dSXin LI 765b6cee71dSXin LI# 766b6cee71dSXin LI0 string/b \xDB\xA5\x2D\x00 Microsoft WinWord 2.0 Document 767b6cee71dSXin LI!:mime application/msword 768b6cee71dSXin LI# 769b6cee71dSXin LI0 string/b \xDB\xA5\x2D\x00 Microsoft WinWord 2.0 Document 770b6cee71dSXin LI!:mime application/msword 771b6cee71dSXin LI 772b6cee71dSXin LI# 773b6cee71dSXin LI0 string/b \x09\x04\x06\x00\x00\x00\x10\x00 Microsoft Excel Worksheet 774b6cee71dSXin LI!:mime application/vnd.ms-excel 775d38c30c0SXin LI# https://www.macdisk.com/macsigen.php 776d38c30c0SXin LI!:apple XCELXLS4 777d38c30c0SXin LI!:ext xls 778b6cee71dSXin LI# 779a5d223e6SXin LI# Update: Joerg Jenderek 780a5d223e6SXin LI# URL: https://en.wikipedia.org/wiki/Lotus_1-2-3 781a5d223e6SXin LI# Reference: http://www.aboutvb.de/bas/formate/pdf/wk3.pdf 782a5d223e6SXin LI# Note: newer Lotus versions >2 use longer BOF record 783a5d223e6SXin LI# record type (BeginningOfFile=0000h) + length (001Ah) 784a5d223e6SXin LI0 belong 0x00001a00 785a5d223e6SXin LI# reserved should be 0h but 8c0dh for TUTMAC.WK3, 5h for SAMPADNS.WK3, 1h for a_readme.wk3, 1eh for K&G86.WK3 786a5d223e6SXin LI#>18 uleshort&0x73E0 0 787a5d223e6SXin LI# Lotus Multi Byte Character Set (LMBCS=1-31) 788a5d223e6SXin LI>20 ubyte >0 
789a5d223e6SXin LI>>20 ubyte <32 Lotus 1-2-3 790a5d223e6SXin LI#!:mime application/x-123 791a5d223e6SXin LI!:mime application/vnd.lotus-1-2-3 792a5d223e6SXin LI!:apple ????L123 793a5d223e6SXin LI# (version 5.26) labeled the entry as "Lotus 1-2-3 wk3 document data" 794a5d223e6SXin LI>>>4 uleshort 0x1000 WorKsheet, version 3 795a5d223e6SXin LI!:ext wk3 796a5d223e6SXin LI# (version 5.26) labeled the entry as "Lotus 1-2-3 wk4 document data" 797a5d223e6SXin LI>>>4 uleshort 0x1002 WorKsheet, version 4 798a5d223e6SXin LI# also worksheet template 4 (.wt4) 799a5d223e6SXin LI!:ext wk4/wt4 800a5d223e6SXin LI# no example or documentation for wk5 801a5d223e6SXin LI#>>4 uleshort 0x???? WorKsheet, version 4 802a5d223e6SXin LI#!:ext wk5 803a5d223e6SXin LI# only MacrotoScript.123 example 804a5d223e6SXin LI>>>4 uleshort 0x1003 WorKsheet, version 97 805a5d223e6SXin LI# also worksheet template Smartmaster (.12M)? 806a5d223e6SXin LI!:ext 123 807a5d223e6SXin LI# only Set_Y2K.123 example 808a5d223e6SXin LI>>>4 uleshort 0x1005 WorKsheet, version 9.8 Millennium 809a5d223e6SXin LI!:ext 123 810a5d223e6SXin LI# no example for this version 811a5d223e6SXin LI>>>4 uleshort 0x8001 FoRMatting data 812a5d223e6SXin LI!:ext frm 813a5d223e6SXin LI# (version 5.26) labeled the entry as "Lotus 1-2-3 fm3 or fmb document data" 814a5d223e6SXin LI# TrID labeles the entry as "Formatting Data for Lotus 1-2-3 worksheet" 815a5d223e6SXin LI>>>4 uleshort 0x8007 ForMatting data, version 3 816a5d223e6SXin LI!:ext fm3 817a5d223e6SXin LI>>>4 default x unknown 818a5d223e6SXin LI# file revision sub code 0004h for worksheets 819a5d223e6SXin LI>>>>6 uleshort =0x0004 worksheet 820a5d223e6SXin LI!:ext wXX 821a5d223e6SXin LI>>>>6 uleshort !0x0004 formatting data 822a5d223e6SXin LI!:ext fXX 823a5d223e6SXin LI# main revision number 824a5d223e6SXin LI>>>>4 uleshort x \b, revision 0x%x 825a5d223e6SXin LI>>>6 uleshort =0x0004 \b, cell range 826a5d223e6SXin LI# active cellcoord range (start row, page,column ; end row, page, 
column) 827a5d223e6SXin LI# start values normally 0~1st sheet A1 828a5d223e6SXin LI>>>>8 ulelong !0 829a5d223e6SXin LI>>>>>10 ubyte >0 \b%d* 830a5d223e6SXin LI>>>>>8 uleshort x \b%d, 831a5d223e6SXin LI>>>>>11 ubyte x \b%d- 832a5d223e6SXin LI# end page mostly 0 833a5d223e6SXin LI>>>>14 ubyte >0 \b%d* 834a5d223e6SXin LI# end raw, column normally not 0 835a5d223e6SXin LI>>>>12 uleshort x \b%d, 836a5d223e6SXin LI>>>>15 ubyte x \b%d 837a5d223e6SXin LI# Lotus Multi Byte Character Set (1~cp850,2~cp851,...,16~japan,...,31~??) 838a5d223e6SXin LI>>>>20 ubyte >1 \b, character set 0x%x 839a5d223e6SXin LI# flags 840a5d223e6SXin LI>>>>21 ubyte x \b, flags 0x%x 841a5d223e6SXin LI>>>6 uleshort !0x0004 842a5d223e6SXin LI# record type (FONTNAME=00AEh) 843a5d223e6SXin LI>>>>30 search/29 \0\xAE 844a5d223e6SXin LI# variable length m (2) + entries (1) + ?? (1) + LCMBS string (n) 845a5d223e6SXin LI>>>>>&4 string >\0 \b, 1st font "%s" 846b6cee71dSXin LI# 847a5d223e6SXin LI# Update: Joerg Jenderek 848a5d223e6SXin LI# URL: http://fileformats.archiveteam.org/wiki/Lotus_1-2-3 849a5d223e6SXin LI# Reference: http://www.schnarff.com/file-formats/lotus-1-2-3/WSFF2.TXT 850a5d223e6SXin LI# Note: Used by both old Lotus 1-2-3 and Lotus Symphony (DOS) til version 2.x 851a5d223e6SXin LI# record type (BeginningOfFile=0000h) + length (0002h) 852a5d223e6SXin LI0 belong 0x00000200 853a5d223e6SXin LI# GRR: line above is too general as it catches also MS Windows CURsor 854a5d223e6SXin LI# to display MS Windows cursor (strength=70) before Lotus 1-2-3 (strength=70-1) 855a5d223e6SXin LI!:strength -1 856a5d223e6SXin LI# skip Windows cursors with image height <256 and keep Lotus with low opcode 0001-0083h 857a5d223e6SXin LI>7 ubyte 0 858a5d223e6SXin LI# skip Windows cursors with image width 256 and keep Lotus with positiv opcode 859a5d223e6SXin LI>>6 ubyte >0 Lotus 860a5d223e6SXin LI# !:mime application/x-123 861a5d223e6SXin LI!:mime application/vnd.lotus-1-2-3 862a5d223e6SXin LI!:apple ????L123 863a5d223e6SXin 
LI# revision number (0404h = 123 1A, 0405h = Lotus Symphony , 0406h = 123 2.x wk1 , 8006h = fmt , ...) 864a5d223e6SXin LI# undocumented; (version 5.26) labeled the configurations as "Lotus 1-2-3" 865a5d223e6SXin LI>>>4 uleshort 0x0007 1-2-3 CoNFiguration, version 2.x (PGRAPH.CNF) 866a5d223e6SXin LI!:ext cnf 867a5d223e6SXin LI>>>4 uleshort 0x0C05 1-2-3 CoNFiguration, version 2.4J 868a5d223e6SXin LI!:ext cnf 869a5d223e6SXin LI>>>4 uleshort 0x0801 1-2-3 CoNFiguration, version 1-2.1 870a5d223e6SXin LI!:ext cnf 871a5d223e6SXin LI>>>4 uleshort 0x0802 Symphony CoNFiguration 872a5d223e6SXin LI!:ext cnf 873a5d223e6SXin LI>>>4 uleshort 0x0804 1-2-3 CoNFiguration, version 2.2 874a5d223e6SXin LI!:ext cnf 875a5d223e6SXin LI>>>4 uleshort 0x080A 1-2-3 CoNFiguration, version 2.3-2.4 876a5d223e6SXin LI!:ext cnf 877a5d223e6SXin LI>>>4 uleshort 0x1402 1-2-3 CoNFiguration, version 3.x 878a5d223e6SXin LI!:ext cnf 879a5d223e6SXin LI>>>4 uleshort 0x1450 1-2-3 CoNFiguration, version 4.x 880a5d223e6SXin LI!:ext cnf 881a5d223e6SXin LI# (version 5.26) labeled the entry as "Lotus 123" 882a5d223e6SXin LI# TrID labeles the entry as "Lotus 123 Worksheet (generic)" 883a5d223e6SXin LI>>>4 uleshort 0x0404 1-2-3 WorKSheet, version 1 884a5d223e6SXin LI# extension "wks" also for Microsoft Works document 885a5d223e6SXin LI!:ext wks 886a5d223e6SXin LI# (version 5.26) labeled the entry as "Lotus 123" 887a5d223e6SXin LI# TrID labeles the entry as "Lotus 123 Worksheet (generic)" 888a5d223e6SXin LI>>>4 uleshort 0x0405 Symphony WoRksheet, version 1.0 889a5d223e6SXin LI!:ext wrk/wr1 890a5d223e6SXin LI# (version 5.26) labeled the entry as "Lotus 1-2-3 wk1 document data" 891a5d223e6SXin LI# TrID labeles the entry as "Lotus 123 Worksheet (V2)" 892a5d223e6SXin LI>>>4 uleshort 0x0406 1-2-3/Symphony worksheet, version 2 893a5d223e6SXin LI# Symphony (.wr1) 894a5d223e6SXin LI!:ext wk1/wr1 895a5d223e6SXin LI# no example for this japan version 896a5d223e6SXin LI>>>4 uleshort 0x0600 1-2-3 WorKsheet, version 1.xJ 
897a5d223e6SXin LI!:ext wj1 898a5d223e6SXin LI# no example or documentation for wk2 899a5d223e6SXin LI#>>>4 uleshort 0x???? 1-2-3 WorKsheet, version 2 900a5d223e6SXin LI#!:ext wk2 901a5d223e6SXin LI# undocumented japan version 902a5d223e6SXin LI>>>4 uleshort 0x0602 1-2-3 worksheet, version 2.4J 903a5d223e6SXin LI!:ext wj3 904a5d223e6SXin LI# (version 5.26) labeled the entry as "Lotus 1-2-3 fmt document data" 905a5d223e6SXin LI>>>4 uleshort 0x8006 1-2-3 ForMaTting data, version 2.x 906a5d223e6SXin LI# japan version 2.4J (fj3) 907a5d223e6SXin LI!:ext fmt/fj3 908a5d223e6SXin LI# no example for this version 909a5d223e6SXin LI>>>4 uleshort 0x8007 1-2-3 FoRMatting data, version 2.0 910a5d223e6SXin LI!:ext frm 911a5d223e6SXin LI# (version 5.26) labeled the entry as "Lotus 1-2-3" 912a5d223e6SXin LI>>>4 default x unknown worksheet or configuration 913a5d223e6SXin LI!:ext cnf 914a5d223e6SXin LI>>>>4 uleshort x \b, revision 0x%x 915a5d223e6SXin LI# 2nd record for most worksheets describes cells range 916a5d223e6SXin LI>>>6 use lotus-cells 917a5d223e6SXin LI# 3nd record for most japan worksheets describes cells range 918a5d223e6SXin LI>>>(8.s+10) use lotus-cells 919a5d223e6SXin LI# check and then display Lotus worksheet cells range 920a5d223e6SXin LI0 name lotus-cells 921a5d223e6SXin LI# look for type (RANGE=0006h) + length (0008h) at record begin 922a5d223e6SXin LI>0 ubelong 0x06000800 \b, cell range 923a5d223e6SXin LI# cell range (start column, row, end column, row) start values normally 0,0~A1 cell 924a5d223e6SXin LI>>4 ulong !0 925a5d223e6SXin LI>>>4 uleshort x \b%d, 926a5d223e6SXin LI>>>6 uleshort x \b%d- 927a5d223e6SXin LI# end of cell range 928a5d223e6SXin LI>>8 uleshort x \b%d, 929a5d223e6SXin LI>>10 uleshort x \b%d 930a5d223e6SXin LI# EndOfLotus123 931b6cee71dSXin LI0 string/b WordPro\0 Lotus WordPro 932b6cee71dSXin LI!:mime application/vnd.lotus-wordpro 933b6cee71dSXin LI0 string/b WordPro\r\373 Lotus WordPro 934b6cee71dSXin LI!:mime application/vnd.lotus-wordpro 
935b6cee71dSXin LI 936b6cee71dSXin LI 937b6cee71dSXin LI# Summary: Script used by InstallScield to uninstall applications 938b6cee71dSXin LI# Extension: .isu 939b6cee71dSXin LI# Submitted by: unknown 940b6cee71dSXin LI# Modified by (1): Abel Cheung <abelcheung@gmail.com> (replace useless entry) 941b6cee71dSXin LI0 string \x71\xa8\x00\x00\x01\x02 942b6cee71dSXin LI>12 string Stirling\ Technologies, InstallShield Uninstall Script 943b6cee71dSXin LI 944b6cee71dSXin LI# Winamp .avs 945b6cee71dSXin LI#0 string Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media player 946b6cee71dSXin LI0 string/b Nullsoft\ AVS\ Preset\ Winamp plug in 947b6cee71dSXin LI 9482dc4dbb9SEitan Adler# Windows Metafile .WMF 9492dc4dbb9SEitan Adler0 string/b \327\315\306\232 Windows metafile 9502dc4dbb9SEitan Adler!:mime image/wmf 9512dc4dbb9SEitan Adler!:ext wmf 9522dc4dbb9SEitan Adler0 string/b \002\000\011\000 Windows metafile 9532dc4dbb9SEitan Adler!:mime image/wmf 9542dc4dbb9SEitan Adler!:ext wmf 9552dc4dbb9SEitan Adler0 string/b \001\000\011\000 Windows metafile 9562dc4dbb9SEitan Adler!:mime image/wmf 9572dc4dbb9SEitan Adler!:ext wmf 958b6cee71dSXin LI 959b6cee71dSXin LI#tz3 files whatever that is (MS Works files) 960b6cee71dSXin LI0 string/b \003\001\001\004\070\001\000\000 tz3 ms-works file 961b6cee71dSXin LI0 string/b \003\002\001\004\070\001\000\000 tz3 ms-works file 962b6cee71dSXin LI0 string/b \003\003\001\004\070\001\000\000 tz3 ms-works file 963b6cee71dSXin LI 964b6cee71dSXin LI# PGP sig files .sig 965b6cee71dSXin LI#0 string \211\000\077\003\005\000\063\237\127 065 to \027\266\151\064\005\045\101\233\021\002 PGP sig 966b6cee71dSXin LI0 string \211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002 PGP sig 967b6cee71dSXin LI0 string \211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002 PGP sig 968b6cee71dSXin LI0 string 
\211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002 PGP sig 969b6cee71dSXin LI0 string \211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002 PGP sig 970b6cee71dSXin LI0 string \211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002 PGP sig 971b6cee71dSXin LI0 string \211\000\225\003\005\000\062\122\207\304\100\345\042 PGP sig 972b6cee71dSXin LI 973b6cee71dSXin LI# windows zips files .dmf 974b6cee71dSXin LI0 string/b MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000 MS Windows special zipped file 975b6cee71dSXin LI 976b6cee71dSXin LI# Windows icons 977282e23f0SXin LI# Update: Joerg Jenderek 978282e23f0SXin LI# URL: https://en.wikipedia.org/wiki/CUR_(file_format) 97940427ccaSGordon Tetlow# Note: similar to Windows CURsor. container for BMP (only DIB part) or PNG 980b6cee71dSXin LI0 belong 0x00000100 981b6cee71dSXin LI>9 byte 0 982282e23f0SXin LI>>0 byte x 983282e23f0SXin LI>>0 use cur-ico-dir 984b6cee71dSXin LI>9 ubyte 0xff 985282e23f0SXin LI>>0 byte x 986282e23f0SXin LI>>0 use cur-ico-dir 987282e23f0SXin LI# displays number of icons and information for icon or cursor 988282e23f0SXin LI0 name cur-ico-dir 989282e23f0SXin LI# skip some Lotus 1-2-3 worksheets, CYCLE.PIC and keep Windows cursors with 990282e23f0SXin LI# 1st data offset = dir header size + n * dir entry size = 6 + n * 10h = ?6h 991282e23f0SXin LI>18 ulelong &0x00000006 992282e23f0SXin LI# skip remaining worksheets, because valid only for DIB image (40) or PNG image (\x89PNG) 993282e23f0SXin LI>>(18.l) ulelong x MS Windows 994282e23f0SXin LI>>>0 ubelong 0x00000100 icon resource 99548c779cdSXin LI# https://www.iana.org/assignments/media-types/image/vnd.microsoft.icon 99648c779cdSXin LI!:mime image/vnd.microsoft.icon 99748c779cdSXin LI#!:mime image/x-icon 998282e23f0SXin LI!:ext ico 999282e23f0SXin LI>>>>4 uleshort x - %d icon 1000282e23f0SXin LI# plural s 1001282e23f0SXin LI>>>>4 uleshort >1 \bs 
1002282e23f0SXin LI# 1st icon 1003282e23f0SXin LI>>>>0x06 use ico-entry 1004282e23f0SXin LI# 2nd icon 1005282e23f0SXin LI>>>>4 uleshort >1 1006282e23f0SXin LI>>>>>0x16 use ico-entry 1007282e23f0SXin LI>>>0 ubelong 0x00000200 cursor resource 1008282e23f0SXin LI#!:mime image/x-cur 1009282e23f0SXin LI!:mime image/x-win-bitmap 1010282e23f0SXin LI!:ext cur 1011282e23f0SXin LI>>>>4 uleshort x - %d icon 1012282e23f0SXin LI>>>>4 uleshort >1 \bs 1013282e23f0SXin LI# 1st cursor 1014282e23f0SXin LI>>>>0x06 use cur-entry 1015282e23f0SXin LI#>>>>0x16 use cur-entry 1016282e23f0SXin LI# display information of one cursor entry 1017282e23f0SXin LI0 name cur-entry 1018282e23f0SXin LI>0 use cur-ico-entry 1019282e23f0SXin LI>4 uleshort x \b, hotspot @%dx 1020282e23f0SXin LI>6 uleshort x \b%d 1021282e23f0SXin LI# display information of one icon entry 1022282e23f0SXin LI0 name ico-entry 1023282e23f0SXin LI>0 use cur-ico-entry 1024282e23f0SXin LI# normally 0 1 but also found 14 1025282e23f0SXin LI>4 uleshort >1 \b, %d planes 1026282e23f0SXin LI# normally 0 1 but also found some 3, 4, some 6, 8, 24, many 32, two 256 1027282e23f0SXin LI>6 uleshort >1 \b, %d bits/pixel 1028282e23f0SXin LI# display shared information of cursor or icon entry 1029282e23f0SXin LI0 name cur-ico-entry 1030282e23f0SXin LI>0 byte =0 \b, 256x 1031282e23f0SXin LI>0 byte !0 \b, %dx 1032282e23f0SXin LI>1 byte =0 \b256 1033282e23f0SXin LI>1 byte !0 \b%d 1034282e23f0SXin LI# number of colors in palette 1035282e23f0SXin LI>2 ubyte !0 \b, %d colors 1036282e23f0SXin LI# reserved 0 FFh 1037282e23f0SXin LI#>3 ubyte x \b, reserved %x 1038282e23f0SXin LI#>8 ulelong x \b, image size %d 1039282e23f0SXin LI# offset of PNG or DIB image 1040282e23f0SXin LI#>12 ulelong x \b, offset 0x%x 1041282e23f0SXin LI# PNG header (\x89PNG) 1042282e23f0SXin LI>(12.l) ubelong =0x89504e47 104348c779cdSXin LI# 1 space char after "with" to get phrase "with PNG image" by magic in ./images 1044282e23f0SXin LI>>&-4 indirect x \b with 1045282e23f0SXin 
LI# DIB image 1046282e23f0SXin LI>(12.l) ubelong !0x89504e47 1047282e23f0SXin LI#>>&-4 use dib-image 1048b6cee71dSXin LI 1049b6cee71dSXin LI# Windows non-animated cursors 1050282e23f0SXin LI# Update: Joerg Jenderek 1051282e23f0SXin LI# URL: https://en.wikipedia.org/wiki/CUR_(file_format) 105240427ccaSGordon Tetlow# Note: similar to Windows ICOn. container for BMP ( only DIB part) 1053282e23f0SXin LI# GRR: line below is too general as it catches also Lotus 1-2-3 files 1054b6cee71dSXin LI0 belong 0x00000200 1055b6cee71dSXin LI>9 byte 0 1056282e23f0SXin LI>>0 use cur-ico-dir 1057b6cee71dSXin LI>9 ubyte 0xff 1058282e23f0SXin LI>>0 use cur-ico-dir 1059b6cee71dSXin LI 1060b6cee71dSXin LI# .chr files 1061b6cee71dSXin LI0 string/b PK\010\010BGI Borland font 1062b6cee71dSXin LI>4 string >\0 %s 1063b6cee71dSXin LI# then there is a copyright notice 1064b6cee71dSXin LI 1065b6cee71dSXin LI 1066b6cee71dSXin LI# .bgi files 1067b6cee71dSXin LI0 string/b pk\010\010BGI Borland device 1068b6cee71dSXin LI>4 string >\0 %s 1069b6cee71dSXin LI# then there is a copyright notice 1070b6cee71dSXin LI 1071b6cee71dSXin LI 1072b6cee71dSXin LI# Windows Recycle Bin record file (named INFO2) 1073b6cee71dSXin LI# By Abel Cheung (abelcheung AT gmail dot com) 1074b6cee71dSXin LI# Version 4 always has 280 bytes (0x118) per record, version 5 has 800 bytes 1075b6cee71dSXin LI# Since Vista uses another structure, INFO2 structure probably won't change 1076b6cee71dSXin LI# anymore. 
Detailed analysis in: 1077b6cee71dSXin LI# http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf 1078b6cee71dSXin LI0 lelong 0x00000004 1079b6cee71dSXin LI>12 lelong 0x00000118 Windows Recycle Bin INFO2 file (Win98 or below) 1080b6cee71dSXin LI 1081b6cee71dSXin LI0 lelong 0x00000005 1082b6cee71dSXin LI>12 lelong 0x00000320 Windows Recycle Bin INFO2 file (Win2k - WinXP) 1083b6cee71dSXin LI 1084b6cee71dSXin LI# From Doug Lee via a FreeBSD pr 1085b6cee71dSXin LI9 string GERBILDOC First Choice document 1086b6cee71dSXin LI9 string GERBILDB First Choice database 1087b6cee71dSXin LI9 string GERBILCLIP First Choice database 1088b6cee71dSXin LI0 string GERBIL First Choice device file 1089b6cee71dSXin LI9 string RABBITGRAPH RabbitGraph file 1090b6cee71dSXin LI0 string DCU1 Borland Delphi .DCU file 1091b6cee71dSXin LI0 string =!<spell> MKS Spell hash list (old format) 1092b6cee71dSXin LI0 string =!<spell2> MKS Spell hash list 1093b6cee71dSXin LI# Too simple - MPi 1094b6cee71dSXin LI#0 string AH Halo(TM) bitmapped font file 1095b6cee71dSXin LI0 lelong 0x08086b70 TurboC BGI file 1096b6cee71dSXin LI0 lelong 0x08084b50 TurboC Font file 1097b6cee71dSXin LI 1098b6cee71dSXin LI# Debian#712046: The magic below identifies "Delphi compiled form data". 
1099b6cee71dSXin LI# An additional source of information is available at: 1100b6cee71dSXin LI# http://www.woodmann.com/fravia/dafix_t1.htm 1101b6cee71dSXin LI0 string TPF0 1102b6cee71dSXin LI>4 pstring >\0 Delphi compiled form '%s' 1103b6cee71dSXin LI 1104b6cee71dSXin LI# tests for DBase files moved, updated and merged to database 1105b6cee71dSXin LI 1106b6cee71dSXin LI0 string PMCC Windows 3.x .GRP file 1107b6cee71dSXin LI1 string RDC-meg MegaDots 1108b6cee71dSXin LI>8 byte >0x2F version %c 1109b6cee71dSXin LI>9 byte >0x2F \b.%c file 1110b6cee71dSXin LI0 lelong 0x4C 1111b6cee71dSXin LI>4 lelong 0x00021401 Windows shortcut file 1112b6cee71dSXin LI 111348c779cdSXin LI# .PIF files added by Joerg Jenderek from https://smsoft.ru/en/pifdoc.htm 1114b6cee71dSXin LI# only for windows versions equal or greater 3.0 1115b6cee71dSXin LI0x171 string MICROSOFT\ PIFEX\0 Windows Program Information File 1116b6cee71dSXin LI!:mime application/x-dosexec 111748c779cdSXin LI!:ext pif 1118b6cee71dSXin LI#>2 string >\0 \b, Title:%.30s 1119b6cee71dSXin LI>0x24 string >\0 \b for %.63s 1120b6cee71dSXin LI>0x65 string >\0 \b, directory=%.64s 1121b6cee71dSXin LI>0xA5 string >\0 \b, parameters=%.64s 1122b6cee71dSXin LI#>0x181 leshort x \b, offset %x 1123b6cee71dSXin LI#>0x183 leshort x \b, offsetdata %x 1124b6cee71dSXin LI#>0x185 leshort x \b, section length %x 1125b6cee71dSXin LI>0x187 search/0xB55 WINDOWS\ VMM\ 4.0\0 1126b6cee71dSXin LI>>&0x5e ubyte >0 1127b6cee71dSXin LI>>>&-1 string <PIFMGR.DLL \b, icon=%s 1128b6cee71dSXin LI#>>>&-1 string PIFMGR.DLL \b, icon=%s 1129b6cee71dSXin LI>>>&-1 string >PIFMGR.DLL \b, icon=%s 1130b6cee71dSXin LI>>&0xF0 ubyte >0 1131b6cee71dSXin LI>>>&-1 string <Terminal \b, font=%.32s 1132b6cee71dSXin LI#>>>&-1 string =Terminal \b, font=%.32s 1133b6cee71dSXin LI>>>&-1 string >Terminal \b, font=%.32s 1134b6cee71dSXin LI>>&0x110 ubyte >0 1135b6cee71dSXin LI>>>&-1 string <Lucida\ Console \b, TrueTypeFont=%.32s 1136b6cee71dSXin LI#>>>&-1 string =Lucida\ Console \b, 
TrueTypeFont=%.32s
>>>&-1 string >Lucida\ Console \b, TrueTypeFont=%.32s
#>0x187 search/0xB55 WINDOWS\ 286\ 3.0\0 \b, Windows 3.X standard mode-style
#>0x187 search/0xB55 WINDOWS\ 386\ 3.0\0 \b, Windows 3.X enhanced mode-style
>0x187 search/0xB55 WINDOWS\ NT\ \ 3.1\0 \b, Windows NT-style
#>0x187 search/0xB55 WINDOWS\ NT\ \ 4.0\0 \b, Windows NT-style
>0x187 search/0xB55 CONFIG\ \ SYS\ 4.0\0 \b +CONFIG.SYS
#>>&06 string x \b:%s
>0x187 search/0xB55 AUTOEXECBAT\ 4.0\0 \b +AUTOEXEC.BAT
#>>&06 string x \b:%s

# DOS EPS Binary File Header
# From: Ed Sznyter <ews@Black.Market.NET>
0 belong 0xC5D0D3C6 DOS EPS Binary File
!:mime image/x-eps
>4 long >0 Postscript starts at byte %d
>>8 long >0 length %d
>>>12 long >0 Metafile starts at byte %d
>>>>16 long >0 length %d
>>>20 long >0 TIFF starts at byte %d
>>>>24 long >0 length %d

# TNEF magic From "Joomy" <joomy@se-ed.net>
# Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF)
0 lelong 0x223e9f78 TNEF
!:mime application/vnd.ms-tnef

# Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C
# of http://www.davep.org/norton-guides/ng2h-105.tgz
# https://en.wikipedia.org/wiki/Norton_Guides
0 string NG\0\001
# only value 0x100 found at offset 2
>2 ulelong 0x00000100 Norton Guide
# Title[40]
>>8 string >\0 "%-.40s"
#>>6 uleshort x \b, MenuCount=%u
# szCredits[5][66]
>>48 string >\0 \b, %-.66s
>>114 string >\0 %-.66s

# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS
# of https://www.4dos.info/
# pointer,HelpID[8]=4DHnnnmm
0 ulelong 0x48443408 4DOS help file
>4 string x \b, version %-4.4s

# old binary Microsoft (.HLP) files added by Joerg Jenderek from http://file-extension.net/seeker/file_extension_hlp
0 ulequad 0x3a000000024e4c MS Advisor help file

# HtmlHelp files (.chm)
0 string/b ITSF\003\000\000\000\x60\000\000\000 MS Windows HtmlHelp Data

# GFA-BASIC (Wolfram Kleff)
2 string/b GFA-BASIC3 GFA-BASIC 3 data

#------------------------------------------------------------------------------
# From Stuart Caie <kyzer@4u.net> (developer of cabextract)
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/Cabinet_(file_format)
# Reference: https://msdn.microsoft.com/en-us/library/bb267310.aspx
# Note: verified by `7z l *.cab`
# Microsoft Cabinet files
0 string/b MSCF\0\0\0\0 Microsoft Cabinet archive data
#
# https://support.microsoft.com/en-us/help/973559/frequently-asked-questions-about-the-microsoft-support-diagnostic-tool
# CAB with *.{diagcfg,diagpkg} is used by Microsoft Support Diagnostic Tool MSDT.EXE
# because some archive does not have *.diag* as 1st or 2nd archive member like
# O15CTRRemove.diagcab or AzureStorageAnalyticsLogs_global.DiagCab
# brute looking after header for filenames with diagcfg or diagpkg extension in CFFILE section
>0x2c search/980/c .diag \b, Diagnostic
!:mime application/vnd.ms-cab-compressed
!:ext diagcab
# http://fileformats.archiveteam.org/wiki/PUZ
# Microsoft Publisher version about 2003 has a "Pack and Go" feature that
# bundles a Publisher document *PNG.pub with all links into a CAB
>0x2c search/300/c png.pub\0 \b, Publisher Packed and Go
!:mime application/vnd.ms-cab-compressed
!:ext puz
# ppz variant with Microsoft PowerPoint Viewer ppview32.exe to play PowerPoint presentation
>0x2c search/17/c ppview32.exe\0 \b, PowerPoint Viewer Packed and Go
!:mime application/vnd.ms-powerpoint
#!:mime application/mspowerpoint
!:ext ppz
# URL: https://en.wikipedia.org/wiki/Windows_Desktop_Gadgets
# Reference: https://docs.microsoft.com/en-us/previous-versions/windows/desktop/sidebar/
# http://win10gadgets.com/download/273/ All_CPU_Meter1.zip/All_CPU_Meter_V4.7.3.gadget
>0x2c search/968/c gadget.xml \b, Windows Desktop Gadget
#!:mime application/vnd.ms-cab-compressed
# http://extension.nirsoft.net/gadget
!:mime application/x-windows-gadget
!:ext gadget
# http://www.incredimail.com/
# IncrediMail CAB contains an initialisation file "content.ini" like in im2.ims
>0x2c search/3369/c content.ini\0 \b, IncrediMail
!:mime application/x-incredimail
# member Flavor.htm implies IncrediMail ecard like in tell_a_friend.imf
>>0x2c search/83/c Flavor.htm\0 ecard
!:ext imf
# member Macromedia Flash data *.swf implies IncrediMail skin like in im2.ims
>>0x2c search/211/c .swf\0 skin
!:ext ims
# member anim.im3 implies IncrediMail animation like in letter_fold.ima
>>0x2c search/92/c anim.im3\0 animation
!:ext ima
# other IncrediMail cab archive
>>0x2c default x
>>>0x2c search/116/c thumb ecard, image, notifier or skin
!:ext imf/imi/imn/ims
# http://file-extension.net/seeker/file_extension_ime
>>>0x2c default x emoticons or sound
!:ext ime/imw
# no Diagnostic, Packed and Go, Windows Desktop Gadget, IncrediMail
>0x2c default x
# look for 1st member name
>>(16.l+16) ubyte x
# https://en.wikipedia.org/wiki/SNP_file_format
>>>&-1 string/c _accrpt_.snp \b, Access report snapshot
!:mime application/msaccess
!:ext snp
# https://en.wikipedia.org/wiki/Microsoft_InfoPath
>>>&-1 string manifest.xsf \b, InfoPath Form Template
!:mime application/vnd.ms-cab-compressed
#!:mime application/vnd.ms-infopath
!:ext xsn
# https://www.cabextract.org.uk/wince_cab_format/
# extension of DOS 8+3 name with ".000" of 1st archive member name implies Windows CE installer
>>>&7 string =.000 \b, WinCE install
!:mime application/vnd.ms-cab-compressed
!:ext cab

# https://support.microsoft.com/kb/934307/en-US
# All inspected MSU contain a file with name WSUSSCAN.cab
# that is called "Windows Update meta data" by Microsoft
>>>&-1 string/c wsusscan.cab \b, Microsoft Standalone Update
!:mime application/vnd.ms-cab-compressed
!:ext msu
>>>&-1 default x
# look at point character of 1st archive member name for file name extension
>>>>&-1 search/255 .
# http://www.pptfaq.com/FAQ00164_What_is_a_PPZ_file-.htm
# PPZ were created using Pack & Go feature of PowerPoint versions 97 - 2002
# packs optional files, a PowerPoint presentation *.ppt with optional PLAYLIST.LST to CAB
>>>>>&0 string/c ppt\0 \b, PowerPoint Packed and Go
!:mime application/vnd.ms-powerpoint
#!:mime application/mspowerpoint
!:ext ppz
# https://msdn.microsoft.com/en-us/library/windows/desktop/bb773190(v=vs.85).aspx
# first member *.theme implies Windows 7 Theme Pack like in CommunityShowcaseAqua3.themepack
# or Windows 8 Desktop Theme Pack like in PanoramicGlaciers.deskthemepack
>>>>>&0 string/c theme \b, Windows
!:mime application/x-windows-themepack
# https://www.drewkeller.com/content/using-theme-both-windows-7-and-windows-8
# 1st member Panoramic.theme or Panoramas.theme implies Windows 8-10 Theme Pack
# with MTSM=RJSPBS in [MasterThemeSelector] inside *.theme
>>>>>>(16.l+16) string =Panoram 8
!:ext deskthemepack
>>>>>>(16.l+16) string !Panoram 7 or 8
!:ext themepack/deskthemepack
>>>>>>(16.l+16) ubyte x Theme Pack
>>>>>&0 default x
# look for null terminator of 1st member name
>>>>>>&0 search/255 \0
# 2nd member name WSUSSCAN.cab like in Microsoft-Windows-MediaFeaturePack-OOB-Package.msu
>>>>>>>&16 string/c wsusscan.cab \b, Microsoft Standalone Update
!:mime application/vnd.ms-cab-compressed
!:ext msu
>>>>>>>&16 default x
# archive with more than one file need some output in version 5.32 to avoid error message like
# Magdir/msdos, 1138: Warning: Current entry does not yet have a description for adding a MIME type
# Magdir/msdos, 1139: Warning: Current entry does not yet have a description for adding a EXTENSION type
# file: could not find any valid magic files!
>>>>>>>>28 uleshort >1 \b, many
!:mime application/vnd.ms-cab-compressed
!:ext cab
# remaining archives with just one file
>>>>>>>>28 uleshort =1
# neither extra bytes nor cab chain implies Windows 2000,XP setup files in directory i386
>>>>>>>>>30 uleshort =0x0000 \b, Windows 2000/XP setup
# cut off last char of source extension and add underscore to generate extension
# TERMCAP._ ... FXSCOUNT.H_ ... L3CODECA.AC_ ... NPDRMV2.ZI_
!:mime application/vnd.ms-cab-compressed
!:ext _/?_/??_
# archive need some output like "single" in version 5.32 to avoid error messages
>>>>>>>>>30 uleshort !0x0000 \b, single
!:mime application/vnd.ms-cab-compressed
!:ext cab
# TODO: additional extensions like
# .xtp InfoPath Template Part
# .lvf Logitech Video Effects Face Accessory
>8 ulelong x \b, %u bytes
>28 uleshort 1 \b, 1 file
>28 uleshort >1 \b, %u files
# Reserved fields, set to zero
#>4 belong !0 \b, reserved1 %x
#>12 belong !0 \b, reserved2 %x
# offset of the first CFFILE entry coffFiles: minimal 2Ch
>16 ulelong x \b, at 0x%x
>(16.l) use cab-file
# at least also 2nd member
>28 uleshort >1
>>(16.l+16) ubyte x
>>>&0 search/255 \0
# second member info
>>>>&0 use cab-file
#>20 belong !0 \b, reserved %x
# Cabinet file format version. Currently, versionMajor = 1 and versionMinor = 3
>24 ubeshort !0x0301 \b version 0x%x
# number of CFFOLDER entries
>26 uleshort >1 \b, %u cffolders
# cabinet file option indicators 1~PREVIOUS, 2~NEXT, 4~reserved fields
# only found for flags 0 1 2 3 4 not 7
>30 uleshort >0 \b, flags 0x%x
# Cabinet files have a 16-bit cabinet setID field that is designed for application use.
# default is zero, however, the -i option of cabarc can be used to set this field
>32 uleshort >0 \b, ID %u
# iCabinet is number of this cabinet file in a set, where 0 for the first cabinet
#>34 uleshort x \b, iCabinet %u
# add one for display because humans start numbering by 1 and also fit to name of disk szDisk*
>34 uleshort+1 x \b, number %u
>30 uleshort &0x0004 \b, extra bytes
# cbCFHeader optional size of per-cabinet reserved area 14h 1800h
>>36 uleshort >0 %u in head
# cbCFFolder is optional size of per-folder reserved area
>>38 ubyte >0 %u in folder
# cbCFData is optional size of per-datablock reserved area
>>39 ubyte >0 %u in data block
# optional per-cabinet reserved area abReserve[cbCFHeader]
>>36 uleshort >0
# 1st CFFOLDER after reserved area in header
>>>(36.s+40) use cab-folder
# no reserved area in header
>30 uleshort ^0x0004
# no previous and next cab archive
>>30 uleshort =0x0000
>>>36 use cab-folder
# only previous cab archive
>>30 uleshort =0x0001 \b, previous
>>>36 use cab-anchor
# only next cab archive
>>30 uleshort =0x0002 \b, next
>>>36 use cab-anchor
# previous+next cab archive
# can not use sub routine cab-anchor to display previous and next cabinet together
#>>>36 use cab-anchor
#>>>>&0 use cab-anchor
>>30 uleshort =0x0003 \b, previous
>>>36 string x %s
# optional name of previous disk szDisk*
>>>>&1 string x disk %s
>>>>>&1 string x \b, next %s
# optional name of next disk szDisk*
>>>>>>&1 string x disk %s
>>>>>>>&1 use cab-folder
# display filename and disk name of previous or next cabinet
0 name cab-anchor
# optional name of previous/next cabinet file szCabinet*[255]
>&0 string x %s
# optional name of previous/next disk szDisk*[255]
>>&1 string x disk %s
# display folder structure CFFOLDER information like compression of cabinet
0 name cab-folder
# offset of the CFDATA block in this folder
#>0 ulelong x \b, coffCabStart 0x%x
# number of CFDATA blocks in folder
>4 uleshort x \b, %u datablock
# plural s
>4 uleshort >1 \bs
# compression typeCompress: 0~None 1~MSZIP 0x1503~LZX:21 0x1003~LZX:16 0x0f03~LZX:15
>6 uleshort x \b, 0x%x compression
# optional per-folder reserved area
#>8 ubequad x \b, abReserve 0x%llx
# display member structure CFFILE information like member name of cabinet
0 name cab-file
# cbFile is uncompressed size of file in bytes
#>0 ulelong x \b, cbFile %u
# uoffFolderStart is uncompressed offset of file in folder
#>4 ulelong >0 \b, uoffFolderStart 0x%x
# iFolder is index into the CFFOLDER area. 0 indicates first folder in cabinet
# define ifoldCONTINUED_FROM_PREV (0xFFFD)
# define ifoldCONTINUED_TO_NEXT (0xFFFE)
# define ifoldCONTINUED_PREV_AND_NEXT (0xFFFF)
>8 uleshort >0 \b, iFolder 0x%x
# date stamp for file
#>10 uleshort x \b, date 0x%x
# time stamp for file
#>12 uleshort x \b, time 0x%x
# attribs is attribute flags for file
# define _A_RDONLY (0x01) file is read-only
# define _A_HIDDEN (0x02) file is hidden
# define _A_SYSTEM (0x04) file is a system file
# define _A_ARCH (0x20) file modified since last backup
# example http://sebastien.kirche.free.fr/pebuilder_plugins/depends.cab
# define _A_EXEC (0x40) run after extraction
# define _A_NAME_IS_UTF (0x80) szName[] contains UTF
# define UNKNOWN (0x0100) undocumented or accident
#>14 uleshort x \b, attribs 0x%x
>14 uleshort >0 +
>>14 uleshort &0x0001 \bR
>>14 uleshort &0x0002 \bH
>>14 uleshort &0x0004 \bS
>>14 uleshort &0x0020 \bA
>>14 uleshort &0x0040 \bX
>>14 uleshort &0x0080 \bUtf
# unknown 0x0100 flag found on one XP_CD:\I386\DRIVER.CAB
>>14 uleshort &0x0100 \b?
# szName is name of archive member
>16 string x "%s"
# next archive member name if more files
#>>&17 string >\0 \b, NEXT NAME %-.50s

# InstallShield Cabinet files
0 string/b ISc( InstallShield Cabinet archive data
>5 byte&0xf0 =0x60 version 6,
>5 byte&0xf0 !0x60 version 4/5,
>(12.l+40) lelong x %u files

# Windows CE package files
0 string/b MSCE\0\0\0\0 Microsoft WinCE install header
>20 lelong 0 \b, architecture-independent
>20 lelong 103 \b, Hitachi SH3
>20 lelong 104 \b, Hitachi SH4
>20 lelong 0xA11 \b, StrongARM
>20 lelong 4000 \b, MIPS R4000
>20 lelong 10003 \b, Hitachi SH3
>20 lelong 10004 \b, Hitachi SH3E
>20 lelong 10005 \b, Hitachi SH4
>20 lelong 70001 \b, ARM 7TDMI
>52 leshort 1 \b, 1 file
>52 leshort >1 \b, %u files
>56 leshort 1 \b, 1 registry entry
>56 leshort >1 \b, %u registry entries


# Windows Enhanced Metafile (EMF)
# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp
# for further information.
0 ulelong 1
>40 string \ EMF Windows Enhanced Metafile (EMF) image data
>>44 ulelong x version 0x%x


0 string/b \224\246\056 Microsoft Word Document
!:mime application/msword

# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
# Magic type for Dell's BIOS .hdr files
# Dell's .hdr
0 string/b $RBU
>23 string Dell %s system BIOS
>5 byte 2
>>48 byte x version %d.
>>49 byte x \b%d.
>>50 byte x \b%d
>5 byte <2
>>48 string x version %.3s

# Type: Microsoft Document Imaging Format (.mdi)
# URL: https://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format
# From: Daniele Sempione <scrows@oziosi.org>
# Too weak (EP)
#0 short 0x5045 Microsoft Document Imaging Format

# MS eBook format (.lit)
0 string/b ITOLITLS Microsoft Reader eBook Data
>8 lelong x \b, version %u
!:mime application/x-ms-reader

# Windows CE Binary Image Data Format
# From: Dr. Jesus <j@hug.gs>
0 string/b B000FF\n Windows Embedded CE binary image

# The second byte of these signatures is a file version; I don't know what,
# if anything, produced files with version numbers 0-2.
# From: John Elliott <johne@seasip.demon.co.uk>
0 string \xfc\x03\x00 Mallard BASIC program data (v1.11)
0 string \xfc\x04\x00 Mallard BASIC program data (v1.29+)
0 string \xfc\x03\x01 Mallard BASIC protected program data (v1.11)
0 string \xfc\x04\x01 Mallard BASIC protected program data (v1.29+)

0 string MIOPEN Mallard BASIC Jetsam data
0 string Jetsam0 Mallard BASIC Jetsam index data

# DOS backup 2.0 to 3.2

# backupid.@@@

# plausibility check for date
0x3 ushort >1979
>0x5 ubyte-1 <31
>>0x6 ubyte-1 <12
# actually 121 nul bytes
>>>0x7 string \0\0\0\0\0\0\0\0
>>>>0x1 ubyte x DOS 2.0 backup id file, sequence %d
!:ext @@@
>>>>0x0 ubyte 0xff \b, last disk

# backed up file

# skip some AppleWorks word like Tomahawk.Awp, WIN98SE-DE.vhd
# by looking for trailing nul of maximal file name string
0x52 ubyte 0
# test for flag byte: FFh~complete file, 00h~split file
# FFh -127 = -1 -127 = -128
# 00h -127 = 0 -127 = -127
>0 byte-127 <-126
# plausibility check for file name length
>>0x53 ubyte-1 <78
# looking for terminating nul of file name string
>>>(0x53.b+4) ubyte 0
# looking if last char of string is valid DOS file name
>>>>(0x53.b+3) ubyte >0x1F
# actually 44 nul bytes
# but sometimes garbage according to Ralf Quint. So can not be used as test
#>0x54 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
# first char of full file name is DOS (5Ch) or UNIX (2Fh) path separator
# only DOS variant found. UNIX variant according to V32SLASH.TXT in archive PD0315.EXE
>>>>>5 ubyte&0x8C 0x0C
# ./msdos (version 5.30) labeled the entry as
# "DOS 2.0 backed up file %s, split file, sequence %d" or
# "DOS 2.0 backed up file %s, complete file"
>>>>>>0 ubyte x DOS 2.0-3.2 backed up
#>>>>>>0 ubyte 0xff complete
>>>>>>0 ubyte 0
>>>>>>>1 uleshort x sequence %d of
# full file name with path but without drive letter and colon stored from 0x05 til 0x52
>>>>>>0x5 string x file %s
# backup name is original filename
#!:ext *
# magic/Magdir/msdos, 1169: Warning: EXTENSION type ` *' has bad char '*'
# file: line 1169: Bad magic entry ' *'
# after header original file content
>>>>>>128 indirect x \b;


# DOS backup 3.3 to 5.x

# CONTROL.nnn files
0 string \x8bBACKUP\x20
# actually 128 nul bytes
>0xa string \0\0\0\0\0\0\0\0
>>0x9 ubyte x DOS 3.3 backup control file, sequence %d
>>0x8a ubyte 0xff \b, last disk

# NB: The BACKUP.nnn files consist of the files backed up,
# concatenated.
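
The Microsoft Cabinet rules in this file read CFHEADER, CFFOLDER and CFFILE fields at fixed offsets and follow the file-supplied `coffFiles` pointer through `(16.l)`. The Python below is an added example, not part of the magic file or of file(1): it parses the same fields with a bounds check before every read and decodes the attribute letters the `cab-file` rule prints. `parse_cab`, `build_sample`, `CabError` and the two sample members are hypothetical names and constructed data.

```python
import struct

# Letters the cab-file rule prints per CFFILE attribs bit (0x40 = run after extraction).
ATTRIB_LETTERS = [(0x01, "R"), (0x02, "H"), (0x04, "S"),
                  (0x20, "A"), (0x40, "X"), (0x80, "Utf")]
FLAG_PREV, FLAG_NEXT, FLAG_RESERVE = 0x0001, 0x0002, 0x0004


class CabError(ValueError):
    """A header field is malformed or points outside the data."""


def _unpack(fmt, buf, off):
    # Offsets such as coffFiles come from the file, so check before every read.
    if off + struct.calcsize(fmt) > len(buf):
        raise CabError(f"field at 0x{off:x} runs past end of data")
    return struct.unpack_from(fmt, buf, off)


def _cstring(buf, off):
    # szCabinet*, szDisk* and szName are NUL-terminated, at most 255 bytes + NUL.
    end = buf.find(b"\0", off, off + 256)
    if end < 0:
        raise CabError(f"unterminated string at 0x{off:x}")
    return bytes(buf[off:end]), end + 1


def parse_cab(buf):
    """Parse CFHEADER, the first CFFOLDER and every CFFILE entry."""
    if buf[:8] != b"MSCF\0\0\0\0":
        raise CabError("missing MSCF signature")
    (cb_cabinet, _res2, coff_files, _res3, ver_minor, ver_major, n_folders,
     n_files, flags, set_id, i_cabinet) = _unpack("<IIIIBBHHHHH", buf, 8)
    pos = 36
    if flags & FLAG_RESERVE:
        # cbCFHeader, cbCFFolder, cbCFData; folder follows abReserve: (36.s+40)
        cb_header, _cb_folder, _cb_data = _unpack("<HBB", buf, 36)
        pos = 40 + cb_header
    for bit in (FLAG_PREV, FLAG_NEXT):
        if flags & bit:                      # szCabinet*, then szDisk*
            _, pos = _cstring(buf, pos)
            _, pos = _cstring(buf, pos)
    _coff_cab_start, n_data, compression = _unpack("<IHH", buf, pos)
    if coff_files < 0x2C:                    # "coffFiles: minimal 2Ch"
        raise CabError(f"coffFiles 0x{coff_files:x} is inside the header")
    files, off = [], coff_files
    for _ in range(n_files):
        cb_file, _uoff, i_folder, _date, _time, attribs = _unpack("<IIHHHH", buf, off)
        raw, off = _cstring(buf, off + 16)
        codec = "utf-8" if attribs & 0x80 else "latin-1"
        files.append({
            "name": raw.decode(codec, "replace"),
            "size": cb_file,
            "folder": i_folder,
            "attribs": "".join(c for bit, c in ATTRIB_LETTERS if attribs & bit),
        })
    return {"bytes": cb_cabinet, "version": (ver_major, ver_minor),
            "folders": n_folders, "flags": flags, "set_id": set_id,
            "number": i_cabinet + 1, "datablocks": n_data,
            "compression": compression, "files": files}


def build_sample():
    """Constructed two-member cabinet header; no compressed data follows it."""
    members = [(4096, 0x60, b"setup.exe"), (120, 0x01, b"readme.txt")]
    cffiles = b"".join(struct.pack("<IIHHHH", size, 0, 0, 0, 0, attr) + name + b"\0"
                       for size, attr, name in members)
    cffolder = struct.pack("<IHH", 0x2C + len(cffiles), 1, 1)   # 1 block, MSZIP
    header = b"MSCF" + struct.pack("<IIIIIBBHHHHH", 0, 0x2C + len(cffiles), 0,
                                   0x2C, 0, 3, 1, 1, len(members), 0, 0, 0)
    return header + cffolder + cffiles


if __name__ == "__main__":
    info = parse_cab(build_sample())
    for f in info["files"]:
        flag = "  <- run after extraction" if "X" in f["attribs"] else ""
        print(f'{f["name"]:12} {f["size"]:6} +{f["attribs"]}{flag}')
```

Members listed with `X` carry the `_A_EXEC` bit documented in the `cab-file` comments, which is worth surfacing when triaging cabinets from untrusted sources.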