#------------------------------------------------------------------------------
# $File: msdos,v 1.154 2022/03/21 21:25:50 christos Exp $
# msdos: file(1) magic for MS-DOS files
#
# NOTE(review): the entries below label a file from bytes at fixed offsets or
# at offsets computed from header fields. The printed type and the !:mime and
# !:ext values describe what those bytes look like; they are not a check that
# the file is well-formed.

# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com)
# updated by Joerg Jenderek at Oct 2008,Apr 2011
# The four child tests only run when byte 0 is '@', so a batch file that starts
# with any other character is not labelled by this entry.
0 string/t @
>1 string/cW \ echo\ off DOS batch file text
!:mime text/x-msdos-batch
!:ext bat
>1 string/cW echo\ off DOS batch file text
!:mime text/x-msdos-batch
!:ext bat
>1 string/cW rem DOS batch file text
!:mime text/x-msdos-batch
!:ext bat
# NOTE(review): this listing had its whitespace collapsed. The test string ends
# in an escaped space ("set\ "), so the field separator is written as a second
# space here; verify the spacing against the upstream file.
>1 string/cW set\  DOS batch file text
!:mime text/x-msdos-batch
!:ext bat


# OS/2 batch files are REXX. the second regex is a bit generic, oh well
# the matched commands seem to be common in REXX and uncommon elsewhere
100 search/0xffff rxfuncadd
>100 regex/c =^[\ \t]{0,10}call[\ \t]{1,10}rxfunc OS/2 REXX batch file text
100 search/0xffff say
>100 regex/c =^[\ \t]{0,10}say\ ['"] OS/2 REXX batch file text

# updated by Joerg Jenderek at Oct 2015
# https://de.wikipedia.org/wiki/Common_Object_File_Format
# http://www.delorie.com/djgpp/doc/coff/filhdr.html
# ./intel already labeled COFF type 0x14c=0514 as "80386 COFF executable"
# Each active test below is a bare 16-bit value at offset 0 with no further
# confirmation (the date sub-tests are commented out).
#0 leshort 0x14c MS Windows COFF Intel 80386 object file
#>4 ledate x stamp %s
0 leshort 0x166 MS Windows COFF MIPS R4000 object file
#>4 ledate x stamp %s
0 leshort 0x184 MS Windows COFF Alpha object file
#>4 ledate x stamp %s
0 leshort 0x268 MS Windows COFF Motorola 68000 object file
#>4 ledate x stamp %s
0 leshort 0x1f0 MS Windows COFF PowerPC object file
#>4 ledate x stamp %s
0 leshort 0x290 MS Windows COFF PA-RISC object file
#>4 ledate x stamp %s

# Tests for various EXE types.
#
# Many of the compressed formats were extracted from IDARC 1.23 source code.
#
# Everything nested under this line is conditional on the two bytes "MZ" at
# offset 0.
0 string/b MZ
# All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file.
# The 16-bit value at 0x18 is the field the comment above calls the relocation
# table offset; below 0x40 the file gets the plain DOS label.
>0x18 leshort <0x40 MS-DOS executable
!:mime application/x-dosexec
# Windows and later versions of DOS will allow .EXEs to be named with a .COM
# extension, mostly for compatibility's sake.
# URL: https://en.wikipedia.org/wiki/Personal_NetWare#VLM
# Reference: https://mark0.net/download/triddefs_xml.7z/defs/e/exe-vlm-msg.trid.xml
!:ext exe/com/vlm
# These traditional tests usually work but not always. When test quality support is
# implemented these can be turned on.
#>>0x18 leshort 0x1c (Borland compiler)
#>>0x18 leshort 0x1e (MS compiler)

# Maybe it's a PE?
# (0x3c.l) is an indirect offset: the 4-byte little-endian value stored at 0x3c
# is used as the position of the signature, and every (0x3c.l+N) test below is
# relative to that stored value. The labels therefore report what the header
# fields claim; nothing here checks that the offsets are consistent with the
# rest of the file.
>(0x3c.l) string PE\0\0 PE
!:mime application/x-dosexec
# +24: 16-bit magic that selects the "32" / "32+" / "ROM image" wording; any
# other value is printed raw by the default branch.
>>(0x3c.l+24) leshort 0x010b \b32 executable
>>(0x3c.l+24) leshort 0x020b \b32+ executable
>>(0x3c.l+24) leshort 0x0107 ROM image
>>(0x3c.l+24) default x Unknown PE signature
>>>&0 leshort x %#x
# +22: 16-bit flag word; bit 0x2000 is what this entry prints as (DLL).
>>(0x3c.l+22) leshort&0x2000 >0 (DLL)
# +92: 16-bit value that picks the (native)/(GUI)/(console) wording. It is
# combined with the 0x2000 bit only to choose which !:ext list is reported.
>>(0x3c.l+92) leshort 1
# Native PEs include ntoskrnl.exe, hal.dll, smss.exe, autochk.exe, and all the
# drivers in Windows/System32/drivers/*.sys.
>>>(0x3c.l+22) leshort&0x2000 >0 (native)
!:ext dll/sys
>>>(0x3c.l+22) leshort&0x2000 0 (native)
!:ext exe/sys
>>(0x3c.l+92) leshort 2
>>>(0x3c.l+22) leshort&0x2000 >0 (GUI)
# These could probably be at least partially distinguished from one another by
# looking for specific exported functions.
# CPL: Control Panel item
# TLB: Type library
# OCX: OLE/ActiveX control
# ACM: Audio compression manager codec
# AX: DirectShow source filter
# IME: Input method editor
!:ext dll/cpl/tlb/ocx/acm/ax/ime
>>>(0x3c.l+22) leshort&0x2000 0 (GUI)
# Screen savers typically include code from the scrnsave.lib static library, but
# that's not guaranteed.
!:ext exe/scr
>>(0x3c.l+92) leshort 3
>>>(0x3c.l+22) leshort&0x2000 >0 (console)
!:ext dll/cpl/tlb/ocx/acm/ax/ime
>>>(0x3c.l+22) leshort&0x2000 0 (console)
!:ext exe/com
# https://docs.microsoft.com/en-us/windows/win32/debug/pe-format
# Remaining values of the +92 field; anything not listed is printed raw by the
# default branch as "(Unknown subsystem 0x...)".
>>(0x3c.l+92) leshort 7 (POSIX)
>>(0x3c.l+92) leshort 9 (Windows CE)
>>(0x3c.l+92) leshort 10 (EFI application)
>>(0x3c.l+92) leshort 11 (EFI boot service driver)
>>(0x3c.l+92) leshort 12 (EFI runtime driver)
>>(0x3c.l+92) leshort 13 (EFI ROM)
>>(0x3c.l+92) leshort 14 (XBOX)
>>(0x3c.l+92) leshort 15 (Windows boot application)
>>(0x3c.l+92) default x (Unknown subsystem
>>>&0 leshort x %#x)
# +4: 16-bit machine type. Unlisted values fall through to "Unknown processor
# type" with the raw value printed.
>>(0x3c.l+4) leshort 0x14c Intel 80386
>>(0x3c.l+4) leshort 0x166 MIPS R4000
>>(0x3c.l+4) leshort 0x168 MIPS R10000
>>(0x3c.l+4) leshort 0x184 Alpha
>>(0x3c.l+4) leshort 0x1a2 Hitachi SH3
>>(0x3c.l+4) leshort 0x1a3 Hitachi SH3 DSP
>>(0x3c.l+4) leshort 0x1a8 Hitachi SH5
>>(0x3c.l+4) leshort 0x169 MIPS WCE v2
>>(0x3c.l+4) leshort 0x1a6 Hitachi SH4
>>(0x3c.l+4) leshort 0x1c0 ARM
>>(0x3c.l+4) leshort 0x1c2 ARM Thumb
>>(0x3c.l+4) leshort 0x1c4 ARMv7 Thumb
>>(0x3c.l+4) leshort 0x1d3 Matsushita AM33
>>(0x3c.l+4) leshort 0x1f0 PowerPC
>>(0x3c.l+4) leshort 0x1f1 PowerPC with FPU
>>(0x3c.l+4) leshort 0x1f2 PowerPC (big-endian)
>>(0x3c.l+4) leshort 0x200 Intel Itanium
>>(0x3c.l+4) leshort 0x266 MIPS16
>>(0x3c.l+4) leshort 0x268 Motorola 68000
>>(0x3c.l+4) leshort 0x290 PA-RISC
>>(0x3c.l+4) leshort 0x366 MIPSIV
>>(0x3c.l+4) leshort 0x466 MIPS16 with FPU
>>(0x3c.l+4) leshort 0xebc EFI byte code
>>(0x3c.l+4) leshort 0x5032 RISC-V 32-bit
>>(0x3c.l+4) leshort 0x5064 RISC-V 64-bit
>>(0x3c.l+4) leshort 0x5128 RISC-V 128-bit
>>(0x3c.l+4) leshort 0x9041 Mitsubishi M32R
>>(0x3c.l+4) leshort 0x8664 x86-64
>>(0x3c.l+4) leshort 0xaa64 Aarch64
>>(0x3c.l+4) leshort 0xc0ee MSIL
>>(0x3c.l+4) default x Unknown processor type
>>>&0 leshort x %#x
# Two more bits of the +22 flag word.
>>(0x3c.l+22) leshort&0x0200 >0 (stripped to external PDB)
>>(0x3c.l+22) leshort&0x1000 >0 system file
# NOTE(review): +232 (magic 0x010b) and +248 (magic 0x020b) are presumably the
# CLR runtime header entry of the data directory in the two optional-header
# layouts; confirm against the PE format reference cited above. The only thing
# tested is that the 32-bit value there is non-zero.
>>(0x3c.l+24) leshort 0x010b
>>>(0x3c.l+232) lelong >0 Mono/.Net assembly
>>(0x3c.l+24) leshort 0x020b
>>>(0x3c.l+248) lelong >0 Mono/.Net assembly

# hooray, there's a DOS extender using the PE format, with a valid PE
# executable inside (which just prints a message and exits if run in win)
>>(8.s*16) string 32STUB \b, 32rtm DOS extender
>>(8.s*16) string !32STUB \b, for MS Windows
# NOTE(review): the packer and self-extractor labels below are plain string
# matches at or shortly after (0x3c.l+0xf8). That offset presumably lands on
# the first section header of a 32-bit image; confirm how it behaves for 32+.
# A file whose section names or marker strings differ is simply not labelled,
# so the absence of a "compressed" tag says nothing about whether the image
# is packed.
>>(0x3c.l+0xf8) string UPX0 \b, UPX compressed
>>(0x3c.l+0xf8) search/0x140 PEC2 \b, PECompact2 compressed
>>(0x3c.l+0xf8) search/0x140 UPX2
>>>(&0x10.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
>>(0x3c.l+0xf8) search/0x140 .idata
>>>(&0xe.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
>>>(&0xe.l+(-4)) string ZZ0 \b, ZZip self-extracting archive
>>>(&0xe.l+(-4)) string ZZ1 \b, ZZip self-extracting archive
>>(0x3c.l+0xf8) search/0x140 .rsrc
>>>(&0x0f.l+(-4)) string a\\\4\5 \b, WinHKI self-extracting archive
>>>(&0x0f.l+(-4)) string Rar! \b, RAR self-extracting archive
>>>(&0x0f.l+(-4)) search/0x3000 MSCF \b, InstallShield self-extracting archive
>>>(&0x0f.l+(-4)) search/32 Nullsoft \b, Nullsoft Installer self-extracting archive
>>(0x3c.l+0xf8) search/0x140 .data
>>>(&0x0f.l) string WEXTRACT \b, MS CAB-Installer self-extracting archive
>>(0x3c.l+0xf8) search/0x140 .petite\0 \b, Petite compressed
>>>(0x3c.l+0xf7) byte x
>>>>(&0x104.l+(-4)) string =!sfx! \b, ACE self-extracting archive
>>(0x3c.l+0xf8) search/0x140 .WISE \b, WISE installer self-extracting archive
>>(0x3c.l+0xf8) search/0x140 .dz\0\0\0 \b, Dzip self-extracting archive
>>&(0x3c.l+0xf8) search/0x100 _winzip_ \b, ZIP self-extracting archive (WinZip)
>>&(0x3c.l+0xf8) search/0x100 SharedD \b, Microsoft Installer self-extracting archive
>>0x30 string Inno \b, InnoSetup self-extracting archive

# If the relocation table is 0x40 or more bytes into the file, it's definitely
# not a DOS EXE.
# Branch for MZ files whose 16-bit value at 0x18 is 0x40 or more; the tests
# nested below look for a second header at the offset stored at 0x3c.
>0x18 leshort >0x3f

# Hmm, not a PE but the relocation table is too high for a traditional DOS exe,
# must be one of the unusual subformats.
>>(0x3c.l) string !PE\0\0 MS-DOS executable
!:mime application/x-dosexec

# NE header: +0x36 is a one-byte target-OS code, +0x0c a 16-bit flag word.
>>(0x3c.l) string NE \b, NE
!:mime application/x-dosexec
>>>(0x3c.l+0x36) byte 1 for OS/2 1.x
>>>(0x3c.l+0x36) byte 2 for MS Windows 3.x
>>>(0x3c.l+0x36) byte 3 for MS-DOS
>>>(0x3c.l+0x36) byte 4 for Windows 386
>>>(0x3c.l+0x36) byte 5 for Borland Operating System Services
>>>(0x3c.l+0x36) default x
>>>>(0x3c.l+0x36) byte x (unknown OS %x)
# NOTE(review): the 0x81 test sits after the default line at the same level, so
# a file with 0x81 here presumably also prints "(unknown OS 81)"; confirm with
# a sample before relying on the combined wording.
>>>(0x3c.l+0x36) byte 0x81 for MS-DOS, Phar Lap DOS extender
# Bit 0x8000 of the +0x0c flag word chooses between "(DLL or font)" and "(EXE)".
>>>(0x3c.l+0x0c) leshort&0x8000 0x8000 (DLL or font)
# DRV: Driver
# 3GR: Grabber device driver
# CPL: Control Panel Item
# VBX: Visual Basic Extension
# FON: Bitmap font
# FOT: Font resource file
!:ext dll/drv/3gr/cpl/vbx/fon/fot
>>>(0x3c.l+0x0c) leshort&0x8000 0 (EXE)
!:ext exe/scr
>>>&(&0x24.s-1) string ARJSFX \b, ARJ self-extracting archive
>>>(0x3c.l+0x70) search/0x80 WinZip(R)\ Self-Extractor \b, ZIP self-extracting archive (WinZip)

# LX header: +0x0a is a 16-bit target-OS code; values outside 1..3 are
# reported as "(unknown OS)".
>>(0x3c.l) string LX\0\0 \b, LX
!:mime application/x-dosexec
>>>(0x3c.l+0x0a) leshort <1 (unknown OS)
>>>(0x3c.l+0x0a) leshort 1 for OS/2
>>>(0x3c.l+0x0a) leshort 2 for MS Windows
>>>(0x3c.l+0x0a) leshort 3 for DOS
>>>(0x3c.l+0x0a) leshort >3 (unknown OS)
# Flag tests on the 32-bit word at +0x10 of the header located through the
# offset stored at 0x3c, followed by a 16-bit CPU code at +0x08.
>>>(0x3c.l+0x10) lelong&0x28000 =0x8000 (DLL)
>>>(0x3c.l+0x10) lelong&0x20000 >0 (device driver)
>>>(0x3c.l+0x10) lelong&0x300 0x300 (GUI)
>>>(0x3c.l+0x10) lelong&0x28300 <0x300 (console)
>>>(0x3c.l+0x08) leshort 1 i80286
>>>(0x3c.l+0x08) leshort 2 i80386
>>>(0x3c.l+0x08) leshort 3 i80486
>>>(8.s*16) string emx \b, emx
>>>>&1 string x %s
>>>&(&0x54.l-3) string arjsfx \b, ARJ self-extracting archive

# MS Windows system file, supposedly a collection of LE executables
>>(0x3c.l) string W3 \b, W3 for MS Windows
!:mime application/x-dosexec

>>(0x3c.l) string LE\0\0 \b, LE executable
!:mime application/x-dosexec
>>>(0x3c.l+0x0a) leshort 1
# some DOS extenders use LE files with OS/2 header
# The extender names below are string searches in fixed windows of the file,
# not parsed header fields.
>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender
>>>>0x240 search/0x200 WATCOM\ C/C++ for MS-DOS, DOS4GW DOS extender
>>>>0x440 search/0x100 CauseWay\ DOS\ Extender for MS-DOS, CauseWay DOS extender
>>>>0x40 search/0x40 PMODE/W for MS-DOS, PMODE/W DOS extender
>>>>0x40 search/0x40 STUB/32A for MS-DOS, DOS/32A DOS extender (stub)
>>>>0x40 search/0x80 STUB/32C for MS-DOS, DOS/32A DOS extender (configurable stub)
>>>>0x40 search/0x80 DOS/32A for MS-DOS, DOS/32A DOS extender (embedded)
# this is a wild guess; hopefully it is a specific signature
# NOTE(review): by the author's own description this is a heuristic; treat the
# "32Lite compressed" label as a hint rather than a confirmed identification.
>>>>&0x24 lelong <0x50
>>>>>(&0x4c.l) string \xfc\xb8WATCOM
>>>>>>&0 search/8 3\xdbf\xb9 \b, 32Lite compressed
# another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP
#>>>>(0x3c.l+0x1c) lelong >0x10000 for OS/2
# fails with DOS-Extenders.
>>>(0x3c.l+0x0a) leshort 2 for MS Windows
>>>(0x3c.l+0x0a) leshort 3 for DOS
>>>(0x3c.l+0x0a) leshort 4 for MS Windows (VxD)
# VXD: VxD for Windows 95/98/Me
# 386: VxD for Windows 2.10, 3.0, 3.1x
# PDR: Port driver
# MPD: Miniport driver (?)
!:ext vxd/386/pdr/mpd
>>>(&0x7c.l+0x26) string UPX \b, UPX compressed
>>>&(&0x54.l-3) string UNACE \b, ACE self-extracting archive

# looks like ASCII, probably some embedded copyright message.
# and definitely not NE/LE/LX/PE
# A stored offset above 0x20000000 is treated as text rather than an offset.
>>0x3c lelong >0x20000000
>>>(4.s*512) leshort !0x014c \b, MZ for MS-DOS
!:mime application/x-dosexec
!:ext exe/com
# header data too small for extended executable
>2 long !0
>>0x18 leshort <0x40
>>>(4.s*512) leshort !0x014c

# (4.s*512) and (2.s-514) compute a position from the 16-bit values stored at
# offsets 4 and 2; the strings tested there are "LE" and "BW".
>>>>&(2.s-514) string !LE
>>>>>&-2 string !BW \b, MZ for MS-DOS
!:mime application/x-dosexec
>>>>&(2.s-514) string LE \b, LE
>>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender
# educated guess since indirection is still not capable enough for complex offset
# calculations (next embedded executable would be at &(&2*512+&0-2)
# I suspect there are only LE executables in these multi-exe files
>>>>&(2.s-514) string BW
>>>>>0x240 search/0x100 DOS/4G \b, LE for MS-DOS, DOS4GW DOS extender (embedded)
>>>>>0x240 search/0x100 !DOS/4G \b, BW collection for MS-DOS

# This sequence skips to the first COFF segment, usually .text
# (4.s*512) multiplies the 16-bit value stored at offset 4 by 512 and tests the
# 16-bit value found there; 0x014c is the value labelled COFF.
>(4.s*512) leshort 0x014c \b, COFF
!:mime application/x-dosexec
>>(8.s*16) string go32stub for MS-DOS, DJGPP go32 DOS extender
>>(8.s*16) string emx
>>>&1 string x for DOS, Win or OS/2, emx %s
>>&(&0x42.l-3) byte x
>>>&0x26 string UPX \b, UPX compressed
# and yet another guess: small .text, and after large .data is unusual, could be 32lite
# NOTE(review): this label rests on two size comparisons only, so it is a
# heuristic by the author's own description.
>>&0x2c search/0xa0 .text
>>>&0x0b lelong <0x2000
>>>>&0 lelong >0x6000 \b, 32lite compressed

>(8.s*16) string $WdX \b, WDos/X DOS extender

# By now an executable type should have been printed out. The executable
# may be a self-uncompressing archive, so look for evidence of that and
# print it out.
#
# Some signatures below from Greg Roelofs, newt@uchicago.edu.
#
# The tests below are marker strings at fixed offsets early in the file. A
# match appends its label to the description; a stub that does not carry the
# marker at that exact offset is not labelled.
>0x35 string \x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05 \b, aPack compressed
>0xe7 string LH/2\ Self-Extract \b, %s
>0x1c string UC2X \b, UCEXE compressed
# NOTE(review): this listing had its whitespace collapsed. The test string ends
# in an escaped space ("WWP\ "), so the field separator is written as a second
# space here; verify the spacing against the upstream file.
>0x1c string WWP\  \b, WWPACK compressed
>0x1c string RJSX \b, ARJ self-extracting archive
>0x1c string diet \b, diet compressed
>0x1c string LZ09 \b, LZEXE v0.90 compressed
>0x1c string LZ91 \b, LZEXE v0.91 compressed
>0x1c string tz \b, TinyProg compressed
>0x1e string Copyright\ 1989-1990\ PKWARE\ Inc. Self-extracting PKZIP archive
!:mime application/zip
# Yes, this really is "Copr", not "Corp."
>0x1e string PKLITE\ Copr. Self-extracting PKZIP archive
!:mime application/zip
# winarj stores a message in the stub instead of the sig in the MZ header
>0x20 search/0xe0 aRJsfX \b, ARJ self-extracting archive
>0x20 string AIN
>>0x23 string 2 \b, AIN 2.x compressed
>>0x23 string <2 \b, AIN 1.x compressed
>>0x23 string >2 \b, AIN 1.x compressed
>0x24 string LHa's\ SFX \b, LHa self-extracting archive
!:mime application/x-lha
>0x24 string LHA's\ SFX \b, LHa self-extracting archive
!:mime application/x-lha
>0x24 string \ $ARX \b, ARX self-extracting archive
>0x24 string \ $LHarc \b, LHarc self-extracting archive
>0x20 string SFX\ by\ LARC \b, LARC self-extracting archive
>0x40 string aPKG \b, aPackage self-extracting archive
>0x64 string W\ Collis\0\0 \b, Compack compressed
>0x7a string Windows\ self-extracting\ ZIP \b, ZIP self-extracting archive
>>&0xf4 search/0x140 \x0\x40\x1\x0
>>>(&0.l+(4)) string MSCF \b, WinHKI CAB self-extracting archive
>1638 string -lh5- \b, LHa self-extracting archive v2.13S
>0x17888 string Rar! \b, RAR self-extracting archive

# Skip to the end of the EXE. This will usually work fine in the PE case
# because the MZ image is hardcoded into the toolchain and almost certainly
# won't match any of these signatures.
# The position is computed from the 16-bit values stored at offsets 4 and 2,
# so what is matched here is data that follows the image as the header
# describes it. NOTE(review): those two values come from the file itself; the
# labels are only as reliable as the header.
>(4.s*512) long x
>>&(2.s-517) byte x
>>>&0 string PK\3\4 \b, ZIP self-extracting archive
>>>&0 string Rar! \b, RAR self-extracting archive
>>>&0 string =!\x11 \b, AIN 2.x self-extracting archive
>>>&0 string =!\x12 \b, AIN 2.x self-extracting archive
>>>&0 string =!\x17 \b, AIN 1.x self-extracting archive
>>>&0 string =!\x18 \b, AIN 1.x self-extracting archive
>>>&7 search/400 **ACE** \b, ACE self-extracting archive
>>>&0 search/0x480 UC2SFX\ Header \b, UC2 self-extracting archive

# a few unknown ZIP sfxes, no idea if they are needed or if they are
# already captured by the generic patterns above
>(8.s*16) search/0x20 PKSFX \b, ZIP self-extracting archive (PKZIP)
# TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extracting archive
#

# TELVOX Teleinformatica CODEC self-extractor for OS/2:
>49801 string \x79\xff\x80\xff\x76\xff \b, CODEC archive v3.21
>>49824 leshort =1 \b, 1 file
>>49824 leshort >1 \b, %u files

# Summary: OS/2 LX Library and device driver (no DOS stub)
# From: Joerg Jenderek
# URL: http://en.wikipedia.org/wiki/EXE
# Reference: http://www.textfiles.com/programming/FORMATS/lxexe.txt
# https://github.com/open-watcom/open-watcom-v2/blob/master/bld/watcom/h/exeflat.h
# Note: by dll-os2-no-dos-stub.trid.xml called "OS/2 Dynamic Link Library (no DOS stub)"
# TODO: unify with DOS stub variant (MZ magic)
# Dispatch on the 16-bit value at offset 2: 0 uses the named entry as written,
# 0x0101 uses it through "\^" (the big-endian variant mentioned below).
0 string/b LX
>2 ushort =0
>>0 use lx-executable
# no examples found for big endian variant
>2 ushort =0x0101
>>0 use \^lx-executable
0 name lx-executable
# looks similar to the variant with MS-DOS stub (MZ magic): "MS-DOS executable, LX"
#>0x00 uleshort x executable,
# signature OSF_FLAT_LX_SIGNATURE~0x584C~LX OSF_FLAT_SIGNATURE~0x454C~LE
>0x00 uleshort =0x584c LX
>0x00 uleshort =0x454C LE
>0x00 uleshort x executable
#!:mime application/x-msdownload
!:mime application/x-lx-executable
# byte order: 00h~little-endian non-zero=1~big-endian
#>0x02 ubyte =0 (little-endian)
>0x02 ubyte !0 (big-endian)
# FOR DEBUGGING!
# word order: 00h~little-endian non-zero=1~big-endian
#>0x03 ubyte =0 \b, little-endian word order
#>0x03 ubyte !0 \b, big-endian word order
# cpu_type; CPU type like: 1~286 2~386 3~486 4 20h~i860 21h~Intel N11 40h~MIPS R2000,R3000 41h~MIPS R6000 42h~MIPS R4000
#>0x08 uleshort x \b, CPU %u
# os_type; target operating system like: 0~unknown 1~OS/2 2~Windows 3~DOS 4.x 4~Windows 386
#>0x0A leshort x \b, OS %u
# flags; module type flags
#>0x10 ulelong x \b, FLAGS %#8.8x
# 00000002h ~Reserved for system use
#>0x10 ulelong &0x00000002 \b, 2h reserved
# OSF_INIT_INSTANCE=00000004h ~Per-Process Library Initialization; setting this bit for EXE file is invalid
#>0x10 ulelong &0x00000004 \b, per-process library Initialization
# OSF_INTERNAL_FIXUPS_DONE=00000010h ~Internal fixups for the module have been applied
#>0x10 ulelong &0x00000010 \b, int. fixup
# OSF_EXTERNAL_FIXUPS_DONE=00000020h ~External fixups for the module have been applied
#>0x10 ulelong &0x00000020 \b, ext. fixup
# OSF_NOT_PM_COMPATIBLE=00000100h ~Incompatible with PM windowing
#>0x10 ulelong&0x00000100 =0x00000100 \b, incompatible with PM windowing
# OSF_PM_COMPATIBLE=00000200h ~Compatible with PM windowing
#>0x10 ulelong&0x00000200 =0x00000200 \b, compatible with PM windowing
# bit 17; device driver
#>0x10 ulelong&0x00020000 >0 \b, device driver
# Per-process Library Termination; setting this bit for EXE file is invalid
#>0x10 ulelong&0x40000000 =0x40000000 \b, per-process library termination
>0x0a leshort 1 for OS/2
# no example found
>0x0a leshort 3 for DOS
# http://www.ctyme.com/intr/rb-2939.htm#Table1610
# library by module type mask 00038000h (bits 15-17);
# 0h ~executable Program module
>0x10 ulelong&0x00038000 =0x00000000 (program)
#!:ext exe
# OSF_IS_DLL=8000h ~Library module (DLL)
>0x10 ulelong&0x00038000 >0x00000000
# OSF_PHYS_DEVICE=00020000h ~device driver
>>0x10 ulelong&0x00020000 >0 (device driver)
!:ext sys
# if not device driver it is library (DLL)
>>0x10 ulelong&0x00020000 =0 (library)
!:ext dll
# bits 8-10; OSF_PM_APP=300h in flags ~Uses PM windowing API; either it is GUI or console
>0x10 ulelong&0x00000300 =0x00000300 (GUI)
>0x10 ulelong&0x00000300 !0x00000300 (console)
# CPU type
>0x08 uleshort 1 i80286
# all inspected examples
>0x08 uleshort 2 i80386
>0x08 uleshort 3 i80486
>0x08 uleshort 4 i80586
# 21h Intel "N11" or compatible
# 40h MIPS Mark I ( R2000, R3000) or compatible
# 41h MIPS Mark II ( R6000 ) or compatible
# 42h MIPS Mark III ( R4000 ) or compatible

# added by Joerg Jenderek of https://www.freedos.org/software/?prog=kc
# and https://www.freedos.org/software/?prog=kpdos
# for FreeDOS files like KEYBOARD.SYS, KEYBRD2.SYS, KEYBRD3.SYS, *.KBD
0 string/b KCF FreeDOS KEYBoard Layout collection
# only version=0x100 found
>3 uleshort x \b, version %#x
# length of string containing author,info and special characters
>6 ubyte >0
#>>6 pstring x \b, name=%s
# The author and info strings are printed with a width cap (%-.14s, %-.15s), so
# at most that many bytes of file content reach the output.
>>7 string >\0 \b, author=%-.14s
>>7 search/254 \xff \b, info=
#>>>&0 string x \b%-s
>>>&0 string x \b%-.15s
# for FreeDOS *.KL files
0 string/b KLF FreeDOS KEYBoard Layout file
# only version=0x100 or 0x101 found
>3 uleshort x \b, version %#x
# stringlength
>5 ubyte >0
>>8 string x \b, name=%-.2s
0 string \xffKEYB\ \ \ \0\0\0\0
>12 string \0\0\0\0`\004\360 MS-DOS KEYBoard Layout file

# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017,Aug 2020
# URL: http://fileformats.archiveteam.org/wiki/DOS_device_driver
# Reference: http://www.delorie.com/djgpp/doc/rbinter/it/46/16.html
# https://amaus.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009
# Matches on the first 8 bytes only: the low 32 bits must be 0xffffffff and the
# bits selected by 0x07a0 in the next 16-bit word must be clear.
# NOTE(review): there is no signature string here, so unrelated data can match;
# the OS/2 INI exclusion below is one known case.
0 ulequad&0x07a0ffffffff 0xffffffff
# skip OS/2 INI ./os2
>4 ubelong !0x14000000
>>0 use msdos-driver
0 name msdos-driver DOS executable (
#!:mime application/octet-stream
!:mime application/x-dosdriver
# also found FreeDOS print driver SPOOL.DEV and disc compression driver STACLOAD.BIN
# and IBM Token-Ring adapter IBMTOK.DOS. Why and when DOS instead SYS is used?
# PROTMAN.DOS ELNKPL.DOS
!:ext sys/dev/bin/dos
# NOTE(review): several comments below ask for one space after a message word.
# Trailing whitespace is not recoverable from this listing, so the messages are
# reproduced as shown; check them against the upstream file.
# 1 space char after "UPX compressed" to get phrase like "UPX compressed character device"
>40 search/7 UPX! \bUPX compressed
# DOS device driver attributes
# The tests below decode single bits of the 16-bit attribute word at offset 4.
>4 uleshort&0x8000 0x0000 \bblock device driver
# character device
>4 uleshort&0x8000 0x8000 \b
# 1 space char after "clock" to get phrase like "clock character device driver CLOCK$"
>>4 uleshort&0x0008 0x0008 \bclock
# fast video output by int 29h
# 1 space char after "fast" to get phrase like "fast standard input/output character device driver"
>>4 uleshort&0x0010 0x0010 \bfast
# standard input/output device
# 1 space char after "standard" to get phrase like "standard input/output character device driver"
>>4 uleshort&0x0003 >0 \bstandard
>>>4 uleshort&0x0001 0x0001 \binput
>>>4 uleshort&0x0003 0x0003 \b/
# 1 space char after "output" to get phrase like "input/output character device driver"
>>>4 uleshort&0x0002 0x0002 \boutput
>>4 uleshort&0x8000 0x8000 \bcharacter device driver
>0 ubyte x
# upx compressed device driver has garbage instead of real in name field of header
>>40 search/7 UPX!
# Name printing for the driver header: bytes 10..17 are emitted one character
# at a time with %c, and each byte is printed only if it passes the range
# tests on its own line.
>>40 default x
# leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped
# 1 space char before device driver name to get phrase like "device driver PROTMAN$"
# NOTE(review): the comment above asks for a space in the message of the next
# test; trailing whitespace is not recoverable from this listing, so check the
# line against the upstream file.
>>>12 ubyte >0x2E \b
>>>>10 ubyte >0x20
>>>>>10 ubyte !0x2E
>>>>>>10 ubyte !0x2A \b%c
>>>>11 ubyte >0x20
>>>>>11 ubyte !0x2E \b%c
>>>>12 ubyte >0x20
>>>>>12 ubyte !0x39
>>>>>>12 ubyte !0x2E \b%c
>>>13 ubyte >0x20
>>>>13 ubyte !0x2E \b%c
>>>>14 ubyte >0x20
>>>>>14 ubyte !0x2E \b%c
>>>>15 ubyte >0x20
>>>>>15 ubyte !0x2E \b%c
>>>>16 ubyte >0x20
>>>>>16 ubyte !0x2E
>>>>>>16 ubyte <0xCB \b%c
>>>>17 ubyte >0x20
>>>>>17 ubyte !0x2E
>>>>>>17 ubyte <0x90 \b%c
# some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field
>>>12 ubyte <0x2F
# they have their real name at offset 22
# also block device drivers like DUMBDRV.SYS
# Printed with a six-character cap (%-.6s).
>>>>22 string >\056 %-.6s
# Capability suffixes decoded from further bits of the attribute word at
# offset 4.
>4 uleshort&0x8000 0x0000
# 32 bit sector addressing ( > 32 MB) for block devices
>>4 uleshort&0x0002 0x0002 \b,32-bit sector-
# support by driver functions 13h, 17h, 18h
>4 uleshort&0x0040 0x0040 \b,IOCTL-
# open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh
>4 uleshort&0x0800 0x0800 \b,close media-
# output until busy support by int 10h for character device driver
545b6cee71dSXin LI>4 uleshort&0x8000 0x8000 546b6cee71dSXin LI>>4 uleshort&0x2000 0x2000 \b,until busy- 547b6cee71dSXin LI# direct read/write support by driver functions 03h,0Ch 548b6cee71dSXin LI>4 uleshort&0x4000 0x4000 \b,control strings- 549b6cee71dSXin LI>4 uleshort&0x8000 0x8000 550b6cee71dSXin LI>>4 uleshort&0x6840 >0 \bsupport 551b6cee71dSXin LI>4 uleshort&0x8000 0x0000 552b6cee71dSXin LI>>4 uleshort&0x4842 >0 \bsupport 553b6cee71dSXin LI>0 ubyte x \b) 55443a5ec4eSXin LI>0 ulelong !0xffffffff with pointer %#x 555b6cee71dSXin LI# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header 55640427ccaSGordon Tetlow0 ulequad 0x0513c00000000012 55740427ccaSGordon Tetlow>0 use msdos-driver 55840427ccaSGordon Tetlow# DOS drivers DC2975.SYS, DUMBDRV.SYS, ECHO.SYS has also none 0xffffffff for pointer field 55940427ccaSGordon Tetlow0 ulequad 0x32f28000ffff0016 56040427ccaSGordon Tetlow>0 use msdos-driver 56140427ccaSGordon Tetlow0 ulequad 0x007f00000000ffff 56240427ccaSGordon Tetlow>0 use msdos-driver 56343a5ec4eSXin LI# https://www.uwe-sieber.de/files/cfg_echo.zip 56440427ccaSGordon Tetlow0 ulequad 0x001600000000ffff 56540427ccaSGordon Tetlow>0 use msdos-driver 56640427ccaSGordon Tetlow# DOS drivers LS120.SYS, MKELS120.SYS use reserved bits of attribute field 56740427ccaSGordon Tetlow0 ulequad 0x0bf708c2ffffffff 56840427ccaSGordon Tetlow>0 use msdos-driver 56940427ccaSGordon Tetlow0 ulequad 0x07bd08c2ffffffff 57040427ccaSGordon Tetlow>0 use msdos-driver 57143a5ec4eSXin LI# 3Com EtherLink 3C501 CID\SERVER\IBMLS\IBM500D1\DLSNETDR.ZIP\ELNK.DOS 57243a5ec4eSXin LI0 ulequad 0x027ac0c0ffffffff 57343a5ec4eSXin LI>0 use msdos-driver 57443a5ec4eSXin LI# IBM Streamer CID\SERVER\IBMLS\IBM500D1\DLSNETDR.ZIP\IBMMPC.DOS 57543a5ec4eSXin LI0 ulequad 0x00228880ffffffff 57643a5ec4eSXin LI>0 use msdos-driver 577b6cee71dSXin LI 5783e41d09dSXin LI# updated by Joerg Jenderek 5793e41d09dSXin LI# GRR: line below too general as it catches also 
# rt.lib DYADISKS.PIC and many more
# start with assembler instruction MOV
# NOTE(review): the anchor below is a single byte; the three nested tests only
# exclude known look-alikes, so a match is a best guess rather than proof that
# the file is a COM program.
0 ubyte 0x8c
# skip "AppleWorks word processor data" like ARTICLE.1 ./apple
>4 string !O====
# skip some unknown basic binaries like RocketRnger.SHR
>>5 string !MAIN
# skip "GPG symmetrically encrypted data" ./gnu
# skip "PGP symmetric key encrypted data" ./pgp
# openpgpdefs.h: fourth byte < 14 indicate cipher algorithm type
>>>4 ubyte >13 DOS executable (COM, 0x8C-variant)
# the remaining files should be DOS *.COM executables
# dosshell.COM 8cc0 2ea35f07 e85211 e88a11 b80058 cd
# hmload.COM 8cc8 8ec0 bbc02b 89dc 83c30f c1eb04 b4
# UNDELETE.COM 8cca 2e8916 6503 b430 cd21 8b 2e0200 8b
# BOOTFIX.COM 8cca 2e8916 9603 b430 cd21 8b 2e0200 8b
# RAWRITE3.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
# SHARE.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
# validchr.COM 8cca 2e8916 9603 b430 cd21 8b 2e028b1e
# devload.COM 8cca 8916ad01 b430 cd21 8b2e0200 892e
!:mime application/x-dosexec
!:ext com

# updated by Joerg Jenderek at Oct 2008
0 ulelong 0xffff10eb DR-DOS executable (COM)
# byte 0xeb conflicts with "sequent" magic leshort 0xn2eb
0 ubeshort&0xeb8d >0xeb00
# DR-DOS STACKER.COM SCREATE.SYS missed

# Shared description for COM candidates; the JMP entries below reach it with
# "use msdos-com" once their jump target has been checked.
0 name msdos-com
>0 byte x DOS executable (COM)
!:mime application/x-dosexec
!:ext com
# %s appends bytes read from the file itself to the description
>6 string SFX\ of\ LHarc \b, %s
>0x1FE leshort 0xAA55 \b, boot code
>85 string UPX \b, UPX compressed
>4 string \ $ARX \b, ARX self-extracting archive
>4 string \ $LHarc \b, LHarc self-extracting archive
>0x20e string SFX\ by\ LARC \b, LARC self-extracting archive

# JMP 8bit
0 byte 0xeb
# allow forward jumps only
>1 byte >-1
# that offset must be accessible
# (the offset is computed from the byte at 1, i.e. from file content)
>>(1.b+2) byte x
>>>0 use msdos-com

# JMP 16bit
0 byte 0xe9
# forward jumps
>1 short >-1
# that offset must be accessible
>>(1.s+3) byte x
>>>0 use msdos-com
# negative offset, must not lead into PSP
>1 short <-259
# that offset must be accessible
# NOTE(review): this indirect offset is written with "," where the two above
# use "." - presumably the signed form; confirm against magic(5).
>>(1,s+65539) byte x
>>>0 use msdos-com

# updated by Joerg Jenderek at Oct 2008,2015
# following line is too general
0 ubyte 0xb8
# skip 2 linux kernels like memtest.bin with "\xb8\xc0\x07\x8e" in ./linux
>0 string !\xb8\xc0\x07\x8e
# modified by Joerg Jenderek
# syslinux COM32 or COM32R executable
>>1 lelong&0xFFFFFFFe 0x21CD4CFe COM executable (32-bit COMBOOT
# https://www.syslinux.org/wiki/index.php/Comboot_API
# Since version 5.00 c32 modules switched from the COM32 object format to ELF
!:mime application/x-c32-comboot-syslinux-exec
!:ext c32
# https://syslinux.zytor.com/comboot.php
# older syslinux version ( <4 )
# (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode
# start with assembler instructions mov eax,21cd4cffh
>>>1 lelong 0x21CD4CFf \b)
# syslinux:doc/comboot.txt
# A COM32R program must start with the byte sequence B8 FE 4C CD 21 (mov
# eax,21cd4cfeh) as a magic number.
# syslinux version (4.x)
# "COM executable (COM32R)" or "Syslinux COM32 module" by TrID
>>>1 lelong 0x21CD4CFe \b, relocatable)
# Hajin Jang <hajin_jang@worksmobile.com>:
# Disable simplest COM signature to prevent false positive on some EUC-KR text files.
## remaining are DOS COM executables starting with assembler instruction MOV
## like FreeDOS BANNER*.COM FINDDISK.COM GIF2RAW.COM WINCHK.COM
## MS-DOS SYS.COM RESTART.COM
## SYSLINUX.COM (version 1.40 - 2.13)
## GFXBOOT.COM (version 3.75)
## COPYBS.COM POWEROFF.COM INT18.COM
# NOTE(review): the note above speaks of disabling this signature, but the
# "default" branch below is not commented out in this listing; with it active,
# any file starting with 0xb8 that is not caught earlier is reported as a COM
# executable. Confirm which behaviour is intended.
>>1 default x COM executable for DOS
!:mime application/x-dosexec
##!:mime application/x-ms-dos-executable
##!:mime application/x-msdos-program
!:ext com

# URL: https://en.wikipedia.org/wiki/UPX
# Reference: https://github.com/upx/upx/archive/v3.96.zip/upx-3.96/
# src/stub/src/i086-dos16.com.S
# Update: Joerg Jenderek
# assembler instructions: cmp sp, offset sp_limit
0 string/b \x81\xfc
#>2 uleshort x \b, sp_limit=%#x
# assembler instructions: jump above +2; int 0x20; mov cx, offset bytes_to_copy
>4 string \x77\x02\xcd\x20\xb9
#>9 uleshort x \b, [bytes_to_copy]=%#x
# at different offsets assembler instructions: push di; jump decomp_start_n2b
>0x1e search/3 \x57\xe9
#>>&0 uleshort x \b, decomp_start_n2b=%#x
# src/stub/src/include/header.S; UPX_MAGIC_LE32
>>&2 string UPX! FREE-DOS executable (COM), UPX
!:mime application/x-dosexec
# UPX compressed *.CPI; See ./fonts
>>>&21 string =FONT compressed DOS code page font
!:ext cpx
>>>&21 string !FONT compressed
!:ext com
# compressed size?
#>>>&14 uleshort+152 x \b, %u bytes
# uncompressed len
>>>&12 uleshort x \b, uncompressed %u bytes
252 string Must\ have\ DOS\ version DR-DOS executable (COM)
!:mime application/x-dosexec
!:ext com
# The entries from here to "syslinux.com 3.11" key on the two bytes CD 21 at
# one fixed offset each (2, 4, 5, 7, 10, 13, 18, 23, 30, 70); the file names
# in the comments are the samples each offset was taken from. A two-byte
# anchor is weak evidence on its own, so unrelated data can match.
# GRR search is not working
#2 search/28 \xcd\x21 COM executable for MS-DOS
#WHICHFAT.cOM
2 string \xcd\x21 COM executable for DOS
!:mime application/x-dosexec
!:ext com
#DELTREE.cOM DELTREE2.cOM
4 string \xcd\x21 COM executable for DOS
!:mime application/x-dosexec
!:ext com
#IFMEMDSK.cOM ASSIGN.cOM COMP.cOM
5 string \xcd\x21 COM executable for DOS
!:mime application/x-dosexec
!:ext com
#DELTMP.COm HASFAT32.cOM
7 string \xcd\x21
>0 byte !0xb8 COM executable for DOS
!:mime application/x-dosexec
!:ext com
#COMP.cOM MORE.COm
10 string \xcd\x21
>5 string !\xcd\x21 COM executable for DOS
!:mime application/x-dosexec
!:ext com
#comecho.com
13 string \xcd\x21 COM executable for DOS
!:mime application/x-dosexec
!:ext com
#HELP.COm EDIT.coM
18 string \xcd\x21
# not printable before it?
>17 byte >32
>>17 byte <126
>>17 default x COM executable for MS-DOS
!:mime application/x-dosexec
!:ext com
#NWRPLTRM.COm
23 string \xcd\x21 COM executable for MS-DOS
!:mime application/x-dosexec
!:ext com
#LOADFIX.cOm LOADFIX.cOm
30 string \xcd\x21 COM executable for MS-DOS
!:mime application/x-dosexec
!:ext com
#syslinux.com 3.11
70 string \xcd\x21 COM executable for DOS
!:mime application/x-dosexec
!:ext com
# many compressed/converted COMs start with a copy loop instead of a jump
0x6 search/0xa \xfc\x57\xf3\xa5\xc3 COM executable for MS-DOS
!:mime application/x-dosexec
!:ext com
0x6 search/0xa \xfc\x57\xf3\xa4\xc3 COM executable for DOS
!:mime application/x-dosexec
!:ext com
>0x18 search/0x10 \x50\xa4\xff\xd5\x73 \b, aPack compressed
0x3c string W\ Collis\0\0 COM executable for MS-DOS, Compack compressed
!:mime application/x-dosexec
!:ext com
# FIXME: missing diet .com compression

# miscellaneous formats
0 string/b LZ MS-DOS executable (built-in)
#0 byte 0xf0 MS-DOS program library data
#

# AAF files:
# <stuartc@rd.bbc.co.uk> Stuart Cunningham
0 string/b \320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377 AAF legacy file using MS Structured Storage
>30 byte 9 (512B sectors)
>30 byte 12 (4kB sectors)
0 string/b \320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001 AAF file using MS Structured Storage
>30 byte 9 (512B sectors)
>30 byte 12 (4kB sectors)

# Popular applications
#
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/DOC
# Reference: https://web.archive.org/web/20170206041048/
# http://www.msxnet.org/word2rtf/formats/ffh-dosword5
# wIdent+dty
0 belong 0x31be0000
# skip droid skeleton like x-fmt-274-signature-id-488.doc
>128 ubyte >0 Microsoft
>>96 uleshort =0 Word
!:mime application/msword
!:apple MSWDWDBN
# DCX is used in the Unix version.
!:ext doc/dcx
>>>0x6E ulequad =0 1.0-4.0
>>>0x6E ulequad !0 5.0-6.0
>>>0x6E ulequad x (DOS) Document
# https://web.archive.org/web/20130831064118/http://msxnet.org/word2rtf/formats/write.txt
>>96 uleshort !0 Write 3.0 (Windows) Document
!:mime application/x-mswrite
!:apple MSWDWDBN
# sometimes also doc like in splitter.doc srchtest.doc
!:ext wri/doc
# wTool must be 0125400 octal
#>>4 uleshort !0xAB00 \b, wTool %o
# reserved; must be zero
#>>6 ulelong !0 \b, reserved %u
# block pointer to the block containing optional file manager information
#>>0x1C uleshort x \b, at %#x info block
# jump to File manager information block
# (the block number comes from the file; the test two lines down is the only
# validation before the strings are printed)
>>(0x1C.s*128) uleshort x
# test for valid information start; maybe also 0012h
>>>&-2 uleshort =0x0014
# NOTE(review): the %s fields below copy document name, author, reviser,
# keywords, comment and version text from the file into the description with
# no length limit in the format; anything that parses or displays this output
# should treat it as data supplied by the file's author.
# Document ASCIIZ name
>>>>&0x12 string x %s
# author name
>>>>>&1 string x \b, author %s
# reviser name
>>>>>>&1 string x \b, reviser %s
# keywords
>>>>>>>&1 string x \b, keywords %s
# comment
>>>>>>>>&1 string x \b, comment %s
# version number
>>>>>>>>>&1 string x \b, version %s
# date of last change MM/DD/YY
>>>>>>>>>>&1 string x \b, %-.8s
# creation date MM/DD/YY
>>>>>>>>>>&9 string x created %-.8s
# file name of print format like NORMAL.STY
>>0x1E string >0 \b, formatted by %-.66s
# count of pages in whole file for write variant; maybe some times wrong
>>96 uleshort >0 \b, %u pages
# name of the printer driver like HPLASMS
>>0x62 string >0 \b, %-.8s printer
# number of blocks used in the file; seems to be 0 for Word 4.0 and Write 3.0
>>0x6A uleshort >0 \b, %u blocks
# bit field for corrected text areas
#>>0x6C uleshort x \b, %#x bit field
# text of document; some times start with 4 non printable characters like CR LF
# (the ladder below prints the string at the first of offsets 128..133 whose
# byte is above 0x1F)
>>128 ubyte x \b,
>>>128 ubyte >0x1F
>>>>128 string x %s
>>>128 ubyte <0x20
>>>>129 ubyte >0x1F
>>>>>129 string x %s
>>>>129 ubyte <0x20
>>>>>130 ubyte >0x1F
>>>>>>130 string x %s
>>>>>130 ubyte <0x20
>>>>>>131 ubyte >0x1F
>>>>>>>131 string x %s
>>>>>>131 ubyte <0x20
>>>>>>>132 ubyte >0x1F
>>>>>>>>132 string x %s
>>>>>>>132 ubyte <0x20
>>>>>>>>133 ubyte >0x1F
>>>>>>>>>133 string x %s
#
0 string/b PO^Q` Microsoft Word 6.0 Document
!:mime application/msword
#
4 long 0
>0 belong 0xfe320000 Microsoft Word for Macintosh 1.0
!:mime application/msword
!:ext mcw
>0 belong 0xfe340000 Microsoft Word for Macintosh 3.0
!:mime application/msword
!:ext mcw
>0 belong 0xfe37001c Microsoft Word for Macintosh 4.0
!:mime application/msword
!:ext mcw
>0 belong 0xfe370023 Microsoft Word for Macintosh 5.0
!:mime application/msword
!:ext mcw

0 string/b \333\245-\0\0\0 Microsoft Word 2.0 Document
!:mime application/msword
!:ext doc
# Note: seems already recognized as "OLE 2 Compound Document" in ./ole2compounddocs
#512 string/b \354\245\301 Microsoft Word Document
#!:mime application/msword

# NOTE(review): the two WinWord entries below are identical to each other, and
# their four bytes (DB A5 2D 00) are the first four bytes of the octal pattern
# of the "Word 2.0 Document" entry above.
#
0 string/b \xDB\xA5\x2D\x00 Microsoft WinWord 2.0 Document
!:mime application/msword
#
0 string/b \xDB\xA5\x2D\x00 Microsoft WinWord 2.0 Document
!:mime application/msword

#
0 string/b \x09\x04\x06\x00\x00\x00\x10\x00 Microsoft Excel Worksheet
!:mime application/vnd.ms-excel
# https://www.macdisk.com/macsigen.php
!:apple XCELXLS4
!:ext xls
#
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/Lotus_1-2-3
# Reference: http://www.aboutvb.de/bas/formate/pdf/wk3.pdf
# Note: newer Lotus versions >2 use longer BOF record
# record type (BeginningOfFile=0000h) + length (001Ah)
0 belong 0x00001a00
# reserved should be 0h but 8c0dh for TUTMAC.WK3, 5h for SAMPADNS.WK3, 1h for a_readme.wk3, 1eh for K&G86.WK3
#>18 uleshort&0x73E0 0
# Lotus Multi Byte Character Set (LMBCS=1-31)
>20 ubyte >0
>>20 ubyte <32 Lotus 1-2-3
#!:mime application/x-123
!:mime application/vnd.lotus-1-2-3
!:apple ????L123
# (version 5.26) labeled the entry as "Lotus 1-2-3 wk3 document data"
>>>4 uleshort 0x1000 WorKsheet, version 3
!:ext wk3
# (version 5.26) labeled the entry as "Lotus 1-2-3 wk4 document data"
>>>4 uleshort 0x1002 WorKsheet, version 4
# also worksheet template 4 (.wt4)
!:ext wk4/wt4
# no example or documentation for wk5
#>>4 uleshort 0x???? WorKsheet, version 4
#!:ext wk5
# only MacrotoScript.123 example
>>>4 uleshort 0x1003 WorKsheet, version 97
# also worksheet template Smartmaster (.12M)?
!:ext 123
# only Set_Y2K.123 example
>>>4 uleshort 0x1005 WorKsheet, version 9.8 Millennium
!:ext 123
# no example for this version
>>>4 uleshort 0x8001 FoRMatting data
!:ext frm
# (version 5.26) labeled the entry as "Lotus 1-2-3 fm3 or fmb document data"
# TrID labels the entry as "Formatting Data for Lotus 1-2-3 worksheet"
>>>4 uleshort 0x8007 ForMatting data, version 3
!:ext fm3
>>>4 default x unknown
# file revision sub code 0004h for worksheets
>>>>6 uleshort =0x0004 worksheet
!:ext wXX
>>>>6 uleshort !0x0004 formatting data
!:ext fXX
# main revision number
>>>>4 uleshort x \b, revision %#x
>>>6 uleshort =0x0004 \b, cell range
# active cellcoord range (start row, page,column ; end row, page, column)
# start values normally 0~1st sheet A1
>>>>8 ulelong !0
>>>>>10 ubyte >0 \b%d*
>>>>>8 uleshort x \b%d,
>>>>>11 ubyte x \b%d-
# end page mostly 0
>>>>14 ubyte >0 \b%d*
# end row, column normally not 0
>>>>12 uleshort x \b%d,
>>>>15 ubyte x \b%d
# Lotus Multi Byte Character Set (1~cp850,2~cp851,...,16~japan,...,31~??)
>>>>20 ubyte >1 \b, character set %#x
# flags
>>>>21 ubyte x \b, flags %#x
>>>6 uleshort !0x0004
# record type (FONTNAME=00AEh)
>>>>30 search/29 \0\xAE
# variable length m (2) + entries (1) + ?? (1) + LMBCS string (n)
>>>>>&4 string >\0 \b, 1st font "%s"
#
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/Lotus_1-2-3
# Reference: http://www.schnarff.com/file-formats/lotus-1-2-3/WSFF2.TXT
# Note: Used by both old Lotus 1-2-3 and Lotus Symphony (DOS) til version 2.x
# record type (BeginningOfFile=0000h) + length (0002h)
0 belong 0x00000200
# GRR: line above is too general as it catches also MS Windows CURsor
# to display MS Windows cursor (strength=70) before Lotus 1-2-3 (strength=70-1)
!:strength -1
# skip Windows cursors with image height <256 and keep Lotus with low opcode 0001-0083h
>7 ubyte 0
# skip Windows cursors with image width 256 and keep Lotus with positive opcode
>>6 ubyte >0 Lotus
# !:mime application/x-123
!:mime application/vnd.lotus-1-2-3
!:apple ????L123
# revision number (0404h = 123 1A, 0405h = Lotus Symphony , 0406h = 123 2.x wk1 , 8006h = fmt , ...)
# undocumented; (version 5.26) labeled the configurations as "Lotus 1-2-3"
>>>4 uleshort 0x0007 1-2-3 CoNFiguration, version 2.x (PGRAPH.CNF)
!:ext cnf
>>>4 uleshort 0x0C05 1-2-3 CoNFiguration, version 2.4J
!:ext cnf
>>>4 uleshort 0x0801 1-2-3 CoNFiguration, version 1-2.1
!:ext cnf
>>>4 uleshort 0x0802 Symphony CoNFiguration
!:ext cnf
>>>4 uleshort 0x0804 1-2-3 CoNFiguration, version 2.2
!:ext cnf
>>>4 uleshort 0x080A 1-2-3 CoNFiguration, version 2.3-2.4
!:ext cnf
>>>4 uleshort 0x1402 1-2-3 CoNFiguration, version 3.x
!:ext cnf
>>>4 uleshort 0x1450 1-2-3 CoNFiguration, version 4.x
!:ext cnf
# (version 5.26) labeled the entry as "Lotus 123"
# TrID labels the entry as "Lotus 123 Worksheet (generic)"
>>>4 uleshort 0x0404 1-2-3 WorKSheet, version 1
# extension "wks" also for Microsoft Works document
!:ext wks
# (version 5.26) labeled the entry as "Lotus 123"
# TrID labels the entry as "Lotus 123 Worksheet (generic)"
>>>4 uleshort 0x0405 Symphony WoRksheet, version 1.0
!:ext wrk/wr1
# (version 5.26) labeled the entry as "Lotus 1-2-3 wk1 document data"
# TrID labels the entry as "Lotus 123 Worksheet (V2)"
>>>4 uleshort 0x0406 1-2-3/Symphony worksheet, version 2
# Symphony (.wr1)
!:ext wk1/wr1
# no example for this japan version
>>>4 uleshort 0x0600 1-2-3 WorKsheet, version 1.xJ
!:ext wj1
# no example or documentation for wk2
#>>>4 uleshort 0x???? 1-2-3 WorKsheet, version 2
#!:ext wk2
# undocumented japan version
>>>4 uleshort 0x0602 1-2-3 worksheet, version 2.4J
!:ext wj3
# (version 5.26) labeled the entry as "Lotus 1-2-3 fmt document data"
>>>4 uleshort 0x8006 1-2-3 ForMaTting data, version 2.x
# japan version 2.4J (fj3)
!:ext fmt/fj3
# no example for this version
>>>4 uleshort 0x8007 1-2-3 FoRMatting data, version 2.0
!:ext frm
# (version 5.26) labeled the entry as "Lotus 1-2-3"
>>>4 default x unknown worksheet or configuration
!:ext cnf
>>>>4 uleshort x \b, revision %#x
# 2nd record for most worksheets describes cells range
>>>6 use lotus-cells
# 3rd record for most japan worksheets describes cells range
# (offset derived from the length field of the preceding record in the file)
>>>(8.s+10) use lotus-cells
# check and then display Lotus worksheet cells range
0 name lotus-cells
# look for type (RANGE=0006h) + length (0008h) at record begin
>0 ubelong 0x06000800 \b, cell range
# cell range (start column, row, end column, row) start values normally 0,0~A1 cell
>>4 ulong !0
>>>4 uleshort x \b%d,
>>>6 uleshort x \b%d-
# end of cell range
>>8 uleshort x \b%d,
>>10 uleshort x \b%d
# EndOfLotus123
0 string/b WordPro\0 Lotus WordPro
!:mime application/vnd.lotus-wordpro
0 string/b WordPro\r\373 Lotus WordPro
!:mime application/vnd.lotus-wordpro


# Summary: Script used by InstallShield to uninstall applications
# Extension: .isu
# Submitted by: unknown
# Modified by (1): Abel Cheung <abelcheung@gmail.com> (replace useless entry)
0 string \x71\xa8\x00\x00\x01\x02
>12 string Stirling\ Technologies, InstallShield Uninstall Script

# Winamp .avs
#0 string Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media player
# NOTE(review): the pattern ends in an escaped space; check in the real file
# that whitespace still separates it from the description, since this listing
# shows only a single space there.
0 string/b Nullsoft\ AVS\ Preset\ Winamp plug in

# Windows Metafile .WMF
# Three alternative 4-byte signatures, all reported the same way.
0 string/b \327\315\306\232 Windows metafile
!:mime image/wmf
!:ext wmf
0 string/b \002\000\011\000 Windows metafile
!:mime image/wmf
!:ext wmf
0 string/b \001\000\011\000 Windows metafile
!:mime image/wmf
!:ext wmf

#tz3 files whatever that is (MS Works files)
# The three patterns differ only in their second byte (001, 002, 003).
0 string/b \003\001\001\004\070\001\000\000 tz3 ms-works file
0 string/b \003\002\001\004\070\001\000\000 tz3 ms-works file
0 string/b \003\003\001\004\070\001\000\000 tz3 ms-works file

# PGP sig files .sig
# The first five patterns are 20 bytes long and differ only in the tenth byte
# (octal 065 to 071), as the disabled line below spells out; the sixth is a
# separate 13-byte pattern. All are exact-match strings, so a signature file
# whose header bytes differ is not labelled by these entries.
#0 string \211\000\077\003\005\000\063\237\127 065 to \027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\225\003\005\000\062\122\207\304\100\345\042 PGP sig

# windows zips files .dmf
0 string/b MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000 MS Windows special zipped file

# Windows icons
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
# Note: similar to Windows CURsor. container for BMP (only DIB part) or PNG
0 belong 0x00000100
>9 byte 0
>>0 byte x
>>0 use cur-ico-dir
>9 ubyte 0xff
>>0 byte x
>>0 use cur-ico-dir
# displays number of icons and information for icon or cursor
# (reached with "use cur-ico-dir" from the 0x00000100 entry above; this block
# tests for both the 0x00000100 and the 0x00000200 header itself)
0 name cur-ico-dir
# skip some Lotus 1-2-3 worksheets, CYCLE.PIC and keep Windows cursors with
# 1st data offset = dir header size + n * dir entry size = 6 + n * 10h = ?6h
>18 ulelong &0x00000006
# skip remaining worksheets, because valid only for DIB image (40) or PNG image (\x89PNG)
# (18.l) is an offset read from the file; the test only succeeds if data
# exists at that position
>>(18.l) ulelong x MS Windows
>>>0 ubelong 0x00000100 icon resource
# https://www.iana.org/assignments/media-types/image/vnd.microsoft.icon
!:mime image/vnd.microsoft.icon
#!:mime image/x-icon
!:ext ico
>>>>4 uleshort x - %d icon
# plural s
>>>>4 uleshort >1 \bs
# 1st icon
>>>>0x06 use ico-entry
# 2nd icon
>>>>4 uleshort >1
>>>>>0x16 use ico-entry
>>>0 ubelong 0x00000200 cursor resource
#!:mime image/x-cur
!:mime image/x-win-bitmap
!:ext cur
>>>>4 uleshort x - %d icon
>>>>4 uleshort >1 \bs
# 1st cursor
>>>>0x06 use cur-entry
#>>>>0x16 use cur-entry
# display information of one cursor entry
0 name cur-entry
>0 use cur-ico-entry
>4 uleshort x \b, hotspot @%dx
>6 uleshort x \b%d
# display information of one icon entry
0 name ico-entry
>0 use cur-ico-entry
# normally 0 1 but also found 14
>4 uleshort >1 \b, %d planes
# normally 0 1 but also found some 3, 4, some 6, 8, 24, many 32, two 256
>6 uleshort >1 \b, %d bits/pixel
# display shared information of cursor or icon entry
0 name cur-ico-entry
# width and height bytes: a stored 0 is printed as 256
>0 byte =0 \b, 256x
>0 byte !0 \b, %dx
>1 byte =0 \b256
>1 byte !0 \b%d
# number of colors in palette
>2 ubyte !0 \b, %d colors
# reserved 0 FFh
#>3 ubyte x \b, reserved %x
#>8 ulelong x \b, image size %d
# offset of PNG or DIB image
#>12 ulelong x \b, offset %#x
# PNG header (\x89PNG)
# (12.l) is the image offset stored in the directory entry, i.e. file content
>(12.l) ubelong =0x89504e47
# 1 space char after "with" to get phrase "with PNG image" by magic in ./images
# "indirect" hands the data at the PNG header back to the magic database, so
# the embedded image is described by whichever entry matches it there
>>&-4 indirect x \b with
# DIB image
>(12.l) ubelong !0x89504e47
1167282e23f0SXin LI#>>&-4 use dib-image 1168b6cee71dSXin LI 1169b6cee71dSXin LI# Windows non-animated cursors 1170282e23f0SXin LI# Update: Joerg Jenderek 1171282e23f0SXin LI# URL: https://en.wikipedia.org/wiki/CUR_(file_format) 117240427ccaSGordon Tetlow# Note: similar to Windows ICOn. container for BMP ( only DIB part) 1173282e23f0SXin LI# GRR: line below is too general as it catches also Lotus 1-2-3 files 1174b6cee71dSXin LI0 belong 0x00000200 1175b6cee71dSXin LI>9 byte 0 1176282e23f0SXin LI>>0 use cur-ico-dir 1177b6cee71dSXin LI>9 ubyte 0xff 1178282e23f0SXin LI>>0 use cur-ico-dir 1179b6cee71dSXin LI 1180b6cee71dSXin LI# .chr files 1181b6cee71dSXin LI0 string/b PK\010\010BGI Borland font 1182b6cee71dSXin LI>4 string >\0 %s 1183b6cee71dSXin LI# then there is a copyright notice 1184b6cee71dSXin LI 1185b6cee71dSXin LI 1186b6cee71dSXin LI# .bgi files 1187b6cee71dSXin LI0 string/b pk\010\010BGI Borland device 1188b6cee71dSXin LI>4 string >\0 %s 1189b6cee71dSXin LI# then there is a copyright notice 1190b6cee71dSXin LI 1191b6cee71dSXin LI 1192b6cee71dSXin LI# Windows Recycle Bin record file (named INFO2) 1193b6cee71dSXin LI# By Abel Cheung (abelcheung AT gmail dot com) 1194b6cee71dSXin LI# Version 4 always has 280 bytes (0x118) per record, version 5 has 800 bytes 1195b6cee71dSXin LI# Since Vista uses another structure, INFO2 structure probably won't change 1196b6cee71dSXin LI# anymore. 
Detailed analysis in: 1197b6cee71dSXin LI# http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf 1198b6cee71dSXin LI0 lelong 0x00000004 1199b6cee71dSXin LI>12 lelong 0x00000118 Windows Recycle Bin INFO2 file (Win98 or below) 1200b6cee71dSXin LI 1201b6cee71dSXin LI0 lelong 0x00000005 1202b6cee71dSXin LI>12 lelong 0x00000320 Windows Recycle Bin INFO2 file (Win2k - WinXP) 1203b6cee71dSXin LI 1204b6cee71dSXin LI# From Doug Lee via a FreeBSD pr 1205b6cee71dSXin LI9 string GERBILDOC First Choice document 1206b6cee71dSXin LI9 string GERBILDB First Choice database 1207b6cee71dSXin LI9 string GERBILCLIP First Choice database 1208b6cee71dSXin LI0 string GERBIL First Choice device file 1209b6cee71dSXin LI9 string RABBITGRAPH RabbitGraph file 1210b6cee71dSXin LI0 string DCU1 Borland Delphi .DCU file 1211b6cee71dSXin LI0 string =!<spell> MKS Spell hash list (old format) 1212b6cee71dSXin LI0 string =!<spell2> MKS Spell hash list 1213b6cee71dSXin LI# Too simple - MPi 1214b6cee71dSXin LI#0 string AH Halo(TM) bitmapped font file 1215b6cee71dSXin LI0 lelong 0x08086b70 TurboC BGI file 1216b6cee71dSXin LI0 lelong 0x08084b50 TurboC Font file 1217b6cee71dSXin LI 1218b6cee71dSXin LI# Debian#712046: The magic below identifies "Delphi compiled form data". 
1219b6cee71dSXin LI# An additional source of information is available at: 1220b6cee71dSXin LI# http://www.woodmann.com/fravia/dafix_t1.htm 1221b6cee71dSXin LI0 string TPF0 1222b6cee71dSXin LI>4 pstring >\0 Delphi compiled form '%s' 1223b6cee71dSXin LI 1224b6cee71dSXin LI# tests for DBase files moved, updated and merged to database 1225b6cee71dSXin LI 1226b6cee71dSXin LI0 string PMCC Windows 3.x .GRP file 1227b6cee71dSXin LI1 string RDC-meg MegaDots 1228b6cee71dSXin LI>8 byte >0x2F version %c 1229b6cee71dSXin LI>9 byte >0x2F \b.%c file 1230b6cee71dSXin LI0 lelong 0x4C 1231b6cee71dSXin LI>4 lelong 0x00021401 Windows shortcut file 1232b6cee71dSXin LI 123348c779cdSXin LI# .PIF files added by Joerg Jenderek from https://smsoft.ru/en/pifdoc.htm 1234b6cee71dSXin LI# only for windows versions equal or greater 3.0 1235b6cee71dSXin LI0x171 string MICROSOFT\ PIFEX\0 Windows Program Information File 1236b6cee71dSXin LI!:mime application/x-dosexec 123748c779cdSXin LI!:ext pif 1238b6cee71dSXin LI#>2 string >\0 \b, Title:%.30s 1239b6cee71dSXin LI>0x24 string >\0 \b for %.63s 1240b6cee71dSXin LI>0x65 string >\0 \b, directory=%.64s 1241b6cee71dSXin LI>0xA5 string >\0 \b, parameters=%.64s 1242b6cee71dSXin LI#>0x181 leshort x \b, offset %x 1243b6cee71dSXin LI#>0x183 leshort x \b, offsetdata %x 1244b6cee71dSXin LI#>0x185 leshort x \b, section length %x 1245b6cee71dSXin LI>0x187 search/0xB55 WINDOWS\ VMM\ 4.0\0 1246b6cee71dSXin LI>>&0x5e ubyte >0 1247b6cee71dSXin LI>>>&-1 string <PIFMGR.DLL \b, icon=%s 1248b6cee71dSXin LI#>>>&-1 string PIFMGR.DLL \b, icon=%s 1249b6cee71dSXin LI>>>&-1 string >PIFMGR.DLL \b, icon=%s 1250b6cee71dSXin LI>>&0xF0 ubyte >0 1251b6cee71dSXin LI>>>&-1 string <Terminal \b, font=%.32s 1252b6cee71dSXin LI#>>>&-1 string =Terminal \b, font=%.32s 1253b6cee71dSXin LI>>>&-1 string >Terminal \b, font=%.32s 1254b6cee71dSXin LI>>&0x110 ubyte >0 1255b6cee71dSXin LI>>>&-1 string <Lucida\ Console \b, TrueTypeFont=%.32s 1256b6cee71dSXin LI#>>>&-1 string =Lucida\ Console \b, 
TrueTypeFont=%.32s 1257b6cee71dSXin LI>>>&-1 string >Lucida\ Console \b, TrueTypeFont=%.32s 1258b6cee71dSXin LI#>0x187 search/0xB55 WINDOWS\ 286\ 3.0\0 \b, Windows 3.X standard mode-style 1259b6cee71dSXin LI#>0x187 search/0xB55 WINDOWS\ 386\ 3.0\0 \b, Windows 3.X enhanced mode-style 1260b6cee71dSXin LI>0x187 search/0xB55 WINDOWS\ NT\ \ 3.1\0 \b, Windows NT-style 1261b6cee71dSXin LI#>0x187 search/0xB55 WINDOWS\ NT\ \ 4.0\0 \b, Windows NT-style 1262b6cee71dSXin LI>0x187 search/0xB55 CONFIG\ \ SYS\ 4.0\0 \b +CONFIG.SYS 1263b6cee71dSXin LI#>>&06 string x \b:%s 1264b6cee71dSXin LI>0x187 search/0xB55 AUTOEXECBAT\ 4.0\0 \b +AUTOEXEC.BAT 1265b6cee71dSXin LI#>>&06 string x \b:%s 1266b6cee71dSXin LI 1267b6cee71dSXin LI# DOS EPS Binary File Header 1268b6cee71dSXin LI# From: Ed Sznyter <ews@Black.Market.NET> 1269b6cee71dSXin LI0 belong 0xC5D0D3C6 DOS EPS Binary File 127040427ccaSGordon Tetlow!:mime image/x-eps 1271b6cee71dSXin LI>4 long >0 Postscript starts at byte %d 1272b6cee71dSXin LI>>8 long >0 length %d 1273b6cee71dSXin LI>>>12 long >0 Metafile starts at byte %d 1274b6cee71dSXin LI>>>>16 long >0 length %d 1275b6cee71dSXin LI>>>20 long >0 TIFF starts at byte %d 1276b6cee71dSXin LI>>>>24 long >0 length %d 1277b6cee71dSXin LI 1278b6cee71dSXin LI# TNEF magic From "Joomy" <joomy@se-ed.net> 1279b6cee71dSXin LI# Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF) 128040427ccaSGordon Tetlow0 lelong 0x223e9f78 TNEF 1281b6cee71dSXin LI!:mime application/vnd.ms-tnef 1282b6cee71dSXin LI 1283b6cee71dSXin LI# Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C 1284b6cee71dSXin LI# of http://www.davep.org/norton-guides/ng2h-105.tgz 128548c779cdSXin LI# https://en.wikipedia.org/wiki/Norton_Guides 1286b6cee71dSXin LI0 string NG\0\001 1287b6cee71dSXin LI# only value 0x100 found at offset 2 1288b6cee71dSXin LI>2 ulelong 0x00000100 Norton Guide 128943a5ec4eSXin LI!:mime application/x-norton-guide 129043a5ec4eSXin LI# often like NORTON.NG but some times 
like NC.HLP 129143a5ec4eSXin LI!:ext ng/hlp 1292b6cee71dSXin LI# Title[40] 1293b6cee71dSXin LI>>8 string >\0 "%-.40s" 1294b6cee71dSXin LI#>>6 uleshort x \b, MenuCount=%u 1295b6cee71dSXin LI# szCredits[5][66] 1296b6cee71dSXin LI>>48 string >\0 \b, %-.66s 1297b6cee71dSXin LI>>114 string >\0 %-.66s 1298b6cee71dSXin LI 129943a5ec4eSXin LI# URL: https://en.wikipedia.org/wiki/Norton_Commander 130043a5ec4eSXin LI# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/msg-nc-eng.trid.xml 130143a5ec4eSXin LI# From: Joerg Jenderek 130243a5ec4eSXin LI# Note: Message file is used by executable with same main name. 130343a5ec4eSXin LI# Only tested with version 5.50 (English) and 2.01 (Windows) 130443a5ec4eSXin LI0 string Abort 130543a5ec4eSXin LI# \0 or i 130643a5ec4eSXin LI#>5 ubyte x %x 130743a5ec4eSXin LI# skip ASCII Abort text by looking for error message like in NCVIEW.MSG 130843a5ec4eSXin LI>6 search/7089 Non-DOS\ disk Norton Commander module message 130943a5ec4eSXin LI!:mime application/x-norton-msg 131043a5ec4eSXin LI!:ext msg 131143a5ec4eSXin LI 131243a5ec4eSXin LI# URL: http://www.antonis.de/dos/dos-tuts/mpdostip/html/nwdostip.htm 131343a5ec4eSXin LI# Reference: https://mark0.net/download/triddefs_xml.7z/defs/m/msg-netware-dos.trid.xml 131443a5ec4eSXin LI# From: Joerg Jenderek 131543a5ec4eSXin LI0 string DOS\ Client\ Message\ File: Novell DOS client message 131643a5ec4eSXin LI#!:mime application/octet-stream 131743a5ec4eSXin LI#!:mime application/x-novell-msg 131843a5ec4eSXin LI!:ext msg 131943a5ec4eSXin LI# look for second letter instead of space character 132043a5ec4eSXin LI>26 ubyte >0x20 132143a5ec4eSXin LI# digit 1 or often main or program name like: IPXODI.COM TASKID pnwtrap DOSRqstr 132243a5ec4eSXin LI>>25 ubyte !0x20 %c 132343a5ec4eSXin LI>>>26 ubyte !0x20 \b%c 132443a5ec4eSXin LI>>>>27 ubyte !0x20 \b%c 132543a5ec4eSXin LI>>>>>28 ubyte !0x20 \b%c 132643a5ec4eSXin LI>>>>>>29 ubyte !0x20 \b%c 132743a5ec4eSXin LI>>>>>>>30 ubyte !0x20 \b%c 132843a5ec4eSXin
LI>>>>>>>>31 ubyte !0x20 \b%c 132943a5ec4eSXin LI>>>>>>>>>32 ubyte !0x20 \b%c 133043a5ec4eSXin LI>>>>>>>>>>33 ubyte !0x20 \b%c 133143a5ec4eSXin LI>>>>>>>>>>>34 ubyte !0x20 \b%c 133243a5ec4eSXin LI>>>>>>>>>>>>35 ubyte !0x20 \b%c 133343a5ec4eSXin LI>>>>>>>>>>>>>36 ubyte !0x20 \b%c 133443a5ec4eSXin LI# followed by string like: 0 v.10 V1.20 133543a5ec4eSXin LI# 133643a5ec4eSXin LI# followed by ,\040Tran 133743a5ec4eSXin LI>28 search/14 ,\040Tran 133843a5ec4eSXin LI# probably translated version string like: 0 v1.00 133943a5ec4eSXin LI>>&0 string x \b, tran version %s 134043a5ec4eSXin LI# followed by Ctrl-J Ctrl-Z 134143a5ec4eSXin LI>>>&0 ubyte !0xa \b, terminated by %#2.2x 134243a5ec4eSXin LI>>>>&0 ubyte x \b%2.2x 134343a5ec4eSXin LI# Ctrl-Z 134443a5ec4eSXin LI>0x65 ubyte !0x1A \b, at 0x65 %#x 134543a5ec4eSXin LI# one 134643a5ec4eSXin LI>0x66 ubyte !0x01 \b, at 0x66 %#x 134743a5ec4eSXin LI# URL: https://en.wikipedia.org/wiki/NetWare 134843a5ec4eSXin LI# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dat-novell-msg.trid.xml 134943a5ec4eSXin LI# ftp://ftp.iitb.ac.in/LDP/en/NLM-HOWTO/NLM-HOWTO-single.html 135043a5ec4eSXin LI# From: Joerg Jenderek 135143a5ec4eSXin LI0 string Novell\ Message\ Librarian\ Data\ File Novell message librarian data 135243a5ec4eSXin LI#>35 string Version\ 1.00 135343a5ec4eSXin LI#>49 string COPYRIGHT\ (c)\ 1985\ by\ Novell,\ Inc. 
135443a5ec4eSXin LI#>83 string \ \ All\ Rights\ Reserved 135543a5ec4eSXin LI#!:mime application/octet-stream 135643a5ec4eSXin LI#!:mime application/x-novell-msg 135743a5ec4eSXin LI!:ext msg 135843a5ec4eSXin LI#!:ext msg/dat 1359b6cee71dSXin LI# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS 136048c779cdSXin LI# of https://www.4dos.info/ 1361b6cee71dSXin LI# pointer,HelpID[8]=4DHnnnmm 1362b6cee71dSXin LI0 ulelong 0x48443408 4DOS help file 1363b6cee71dSXin LI>4 string x \b, version %-4.4s 1364b6cee71dSXin LI 1365b6cee71dSXin LI# old binary Microsoft (.HLP) files added by Joerg Jenderek from http://file-extension.net/seeker/file_extension_hlp 1366b6cee71dSXin LI0 ulequad 0x3a000000024e4c MS Advisor help file 1367b6cee71dSXin LI 1368b6cee71dSXin LI# HtmlHelp files (.chm) 13699ce06829SXin LI0 string/b ITSF\003\000\000\000\x60\000\000\000 MS Windows HtmlHelp Data 1370*a4d6d3b8SXin LI!:mime application/vnd.ms-htmlhelp 1371*a4d6d3b8SXin LI!:ext chm 1372b6cee71dSXin LI 1373b6cee71dSXin LI# GFA-BASIC (Wolfram Kleff) 1374b6cee71dSXin LI2 string/b GFA-BASIC3 GFA-BASIC 3 data 1375b6cee71dSXin LI 1376b6cee71dSXin LI#------------------------------------------------------------------------------ 1377b6cee71dSXin LI# From Stuart Caie <kyzer@4u.net> (developer of cabextract) 13782dc4dbb9SEitan Adler# Update: Joerg Jenderek 13792dc4dbb9SEitan Adler# URL: https://en.wikipedia.org/wiki/Cabinet_(file_format) 13802dc4dbb9SEitan Adler# Reference: https://msdn.microsoft.com/en-us/library/bb267310.aspx 13812dc4dbb9SEitan Adler# Note: verified by `7z l *.cab` 1382b6cee71dSXin LI# Microsoft Cabinet files 1383b6cee71dSXin LI0 string/b MSCF\0\0\0\0 Microsoft Cabinet archive data 13842dc4dbb9SEitan Adler# 13852dc4dbb9SEitan Adler# https://support.microsoft.com/en-us/help/973559/frequently-asked-questions-about-the-microsoft-support-diagnostic-tool 13862dc4dbb9SEitan Adler# CAB with *.{diagcfg,diagpkg} is used by Microsoft Support Diagnostic Tool MSDT.EXE 13872dc4dbb9SEitan 
Adler# because some archives do not have *.diag* as 1st or 2nd archive member, like 13882dc4dbb9SEitan Adler# O15CTRRemove.diagcab or AzureStorageAnalyticsLogs_global.DiagCab 13892dc4dbb9SEitan Adler# brute-force search after the header for filenames with diagcfg or diagpkg extension in the CFFILE section 13902dc4dbb9SEitan Adler>0x2c search/980/c .diag \b, Diagnostic 1391b6cee71dSXin LI!:mime application/vnd.ms-cab-compressed 13922dc4dbb9SEitan Adler!:ext diagcab 13932dc4dbb9SEitan Adler# http://fileformats.archiveteam.org/wiki/PUZ 13942dc4dbb9SEitan Adler# Microsoft Publisher version about 2003 has a "Pack and Go" feature that 13952dc4dbb9SEitan Adler# bundles a Publisher document *PNG.pub with all links into a CAB 13962dc4dbb9SEitan Adler>0x2c search/300/c png.pub\0 \b, Publisher Packed and Go 13972dc4dbb9SEitan Adler!:mime application/vnd.ms-cab-compressed 13982dc4dbb9SEitan Adler!:ext puz 13992dc4dbb9SEitan Adler# ppz variant with Microsoft PowerPoint Viewer ppview32.exe to play PowerPoint presentation 14002dc4dbb9SEitan Adler>0x2c search/17/c ppview32.exe\0 \b, PowerPoint Viewer Packed and Go 14012dc4dbb9SEitan Adler!:mime application/vnd.ms-powerpoint 14022dc4dbb9SEitan Adler#!:mime application/mspowerpoint 14032dc4dbb9SEitan Adler!:ext ppz 14042726a701SXin LI# URL: https://en.wikipedia.org/wiki/Windows_Desktop_Gadgets 14052726a701SXin LI# Reference: https://docs.microsoft.com/en-us/previous-versions/windows/desktop/sidebar/ 14062726a701SXin LI# http://win10gadgets.com/download/273/ All_CPU_Meter1.zip/All_CPU_Meter_V4.7.3.gadget 14072726a701SXin LI>0x2c search/968/c gadget.xml \b, Windows Desktop Gadget 14082726a701SXin LI#!:mime application/vnd.ms-cab-compressed 14092726a701SXin LI# http://extension.nirsoft.net/gadget 14102726a701SXin LI!:mime application/x-windows-gadget 14112726a701SXin LI!:ext gadget 14122dc4dbb9SEitan Adler# http://www.incredimail.com/ 14132dc4dbb9SEitan Adler# IncrediMail CAB contains an initialisation file "content.ini" like in im2.ims
14142dc4dbb9SEitan Adler>0x2c search/3369/c content.ini\0 \b, IncrediMail 14152dc4dbb9SEitan Adler!:mime application/x-incredimail 14162dc4dbb9SEitan Adler# member Flavor.htm implies IncrediMail ecard like in tell_a_friend.imf 14172dc4dbb9SEitan Adler>>0x2c search/83/c Flavor.htm\0 ecard 14182dc4dbb9SEitan Adler!:ext imf 14192dc4dbb9SEitan Adler# member Macromedia Flash data *.swf implies IncrediMail skin like in im2.ims 14202dc4dbb9SEitan Adler>>0x2c search/211/c .swf\0 skin 14212dc4dbb9SEitan Adler!:ext ims 14222dc4dbb9SEitan Adler# member anim.im3 implies IncrediMail animation like in letter_fold.ima 14232dc4dbb9SEitan Adler>>0x2c search/92/c anim.im3\0 animation 14242dc4dbb9SEitan Adler!:ext ima 14252dc4dbb9SEitan Adler# other IncrediMail cab archive 14262dc4dbb9SEitan Adler>>0x2c default x 14272dc4dbb9SEitan Adler>>>0x2c search/116/c thumb ecard, image, notifier or skin 14282dc4dbb9SEitan Adler!:ext imf/imi/imn/ims 14292dc4dbb9SEitan Adler# http://file-extension.net/seeker/file_extension_ime 14302dc4dbb9SEitan Adler>>>0x2c default x emoticons or sound 14312dc4dbb9SEitan Adler!:ext ime/imw 14322726a701SXin LI# no Diagnostic, Packed and Go, Windows Desktop Gadget, IncrediMail 14332dc4dbb9SEitan Adler>0x2c default x 14342dc4dbb9SEitan Adler# look for 1st member name 14352dc4dbb9SEitan Adler>>(16.l+16) ubyte x 14362dc4dbb9SEitan Adler# https://en.wikipedia.org/wiki/SNP_file_format 14372dc4dbb9SEitan Adler>>>&-1 string/c _accrpt_.snp \b, Access report snapshot 14382dc4dbb9SEitan Adler!:mime application/msaccess 14392dc4dbb9SEitan Adler!:ext snp 14402726a701SXin LI# https://en.wikipedia.org/wiki/Microsoft_InfoPath 14412726a701SXin LI>>>&-1 string manifest.xsf \b, InfoPath Form Template 14422726a701SXin LI!:mime application/vnd.ms-cab-compressed 14432726a701SXin LI#!:mime application/vnd.ms-infopath 14442726a701SXin LI!:ext xsn 14452dc4dbb9SEitan Adler# https://www.cabextract.org.uk/wince_cab_format/ 14462dc4dbb9SEitan Adler# extension of DOS 8+3 name with ".000" of 
1st archive member name implies Windows CE installer 14472dc4dbb9SEitan Adler>>>&7 string =.000 \b, WinCE install 14482dc4dbb9SEitan Adler!:mime application/vnd.ms-cab-compressed 14492dc4dbb9SEitan Adler!:ext cab 14502dc4dbb9SEitan Adler 145148c779cdSXin LI# https://support.microsoft.com/kb/934307/en-US 14522dc4dbb9SEitan Adler# All inspected MSU contain a file with name WSUSSCAN.cab 14532dc4dbb9SEitan Adler# that is called "Windows Update meta data" by Microsoft 14542dc4dbb9SEitan Adler>>>&-1 string/c wsusscan.cab \b, Microsoft Standalone Update 14552dc4dbb9SEitan Adler!:mime application/vnd.ms-cab-compressed 14562dc4dbb9SEitan Adler!:ext msu 14572dc4dbb9SEitan Adler>>>&-1 default x 145843a5ec4eSXin LI# look at point character of 1st archive member name for file name extension 14592dc4dbb9SEitan Adler>>>>&-1 search/255 . 14602dc4dbb9SEitan Adler# http://www.pptfaq.com/FAQ00164_What_is_a_PPZ_file-.htm 14612dc4dbb9SEitan Adler# PPZ were created using Pack & Go feature of PowerPoint versions 97 - 2002 14622dc4dbb9SEitan Adler# packs optional files, a PowerPoint presentation *.ppt with optional PLAYLIST.LST to CAB 14632dc4dbb9SEitan Adler>>>>>&0 string/c ppt\0 \b, PowerPoint Packed and Go 14642dc4dbb9SEitan Adler!:mime application/vnd.ms-powerpoint 14652dc4dbb9SEitan Adler#!:mime application/mspowerpoint 14662dc4dbb9SEitan Adler!:ext ppz 14672dc4dbb9SEitan Adler# https://msdn.microsoft.com/en-us/library/windows/desktop/bb773190(v=vs.85).aspx 14682dc4dbb9SEitan Adler# first member *.theme implies Windows 7 Theme Pack like in CommunityShowcaseAqua3.themepack 14692dc4dbb9SEitan Adler# or Windows 8 Desktop Theme Pack like in PanoramicGlaciers.deskthemepack 14702dc4dbb9SEitan Adler>>>>>&0 string/c theme \b, Windows 14712dc4dbb9SEitan Adler!:mime application/x-windows-themepack 147248c779cdSXin LI# https://www.drewkeller.com/content/using-theme-both-windows-7-and-windows-8 14732dc4dbb9SEitan Adler# 1st member Panoramic.theme or Panoramas.theme implies Windows 8-10 Theme 
Pack 14742dc4dbb9SEitan Adler# with MTSM=RJSPBS in [MasterThemeSelector] inside *.theme 14752dc4dbb9SEitan Adler>>>>>>(16.l+16) string =Panoram 8 14762dc4dbb9SEitan Adler!:ext deskthemepack 14772dc4dbb9SEitan Adler>>>>>>(16.l+16) string !Panoram 7 or 8 14782dc4dbb9SEitan Adler!:ext themepack/deskthemepack 14792dc4dbb9SEitan Adler>>>>>>(16.l+16) ubyte x Theme Pack 14802dc4dbb9SEitan Adler>>>>>&0 default x 14812dc4dbb9SEitan Adler# look for null terminator of 1st member name 14822dc4dbb9SEitan Adler>>>>>>&0 search/255 \0 14832dc4dbb9SEitan Adler# 2nd member name WSUSSCAN.cab like in Microsoft-Windows-MediaFeaturePack-OOB-Package.msu 14842dc4dbb9SEitan Adler>>>>>>>&16 string/c wsusscan.cab \b, Microsoft Standalone Update 14852dc4dbb9SEitan Adler!:mime application/vnd.ms-cab-compressed 14862dc4dbb9SEitan Adler!:ext msu 14872dc4dbb9SEitan Adler>>>>>>>&16 default x 14882dc4dbb9SEitan Adler# archive with more than one file needs some output in version 5.32 to avoid error messages like 14892dc4dbb9SEitan Adler# Magdir/msdos, 1138: Warning: Current entry does not yet have a description for adding a MIME type 14902dc4dbb9SEitan Adler# Magdir/msdos, 1139: Warning: Current entry does not yet have a description for adding a EXTENSION type 14912dc4dbb9SEitan Adler# file: could not find any valid magic files! 14922dc4dbb9SEitan Adler>>>>>>>>28 uleshort >1 \b, many 14932dc4dbb9SEitan Adler!:mime application/vnd.ms-cab-compressed 14942dc4dbb9SEitan Adler!:ext cab 14952dc4dbb9SEitan Adler# remaining archives with just one file 14962dc4dbb9SEitan Adler>>>>>>>>28 uleshort =1 14972dc4dbb9SEitan Adler# neither extra bytes nor cab chain implies Windows 2000,XP setup files in directory i386 14982dc4dbb9SEitan Adler>>>>>>>>>30 uleshort =0x0000 \b, Windows 2000/XP setup 14992dc4dbb9SEitan Adler# cut off last char of source extension and add underscore to generate extension 15002dc4dbb9SEitan Adler# TERMCAP._ ... FXSCOUNT.H_ ... L3CODECA.AC_ ...
NPDRMV2.ZI_ 15012dc4dbb9SEitan Adler!:mime application/vnd.ms-cab-compressed 15022dc4dbb9SEitan Adler!:ext _/?_/??_ 15032dc4dbb9SEitan Adler# archive need some output like "single" in version 5.32 to avoid error messages 15042dc4dbb9SEitan Adler>>>>>>>>>30 uleshort !0x0000 \b, single 15052dc4dbb9SEitan Adler!:mime application/vnd.ms-cab-compressed 15062dc4dbb9SEitan Adler!:ext cab 15072dc4dbb9SEitan Adler# TODO: additional extensions like 15082dc4dbb9SEitan Adler# .xtp InfoPath Template Part 15092dc4dbb9SEitan Adler# .lvf Logitech Video Effects Face Accessory 15102dc4dbb9SEitan Adler>8 ulelong x \b, %u bytes 15112dc4dbb9SEitan Adler>28 uleshort 1 \b, 1 file 15122dc4dbb9SEitan Adler>28 uleshort >1 \b, %u files 15132dc4dbb9SEitan Adler# Reserved fields, set to zero 15142dc4dbb9SEitan Adler#>4 belong !0 \b, reserved1 %x 15152dc4dbb9SEitan Adler#>12 belong !0 \b, reserved2 %x 15162dc4dbb9SEitan Adler# offset of the first CFFILE entry coffFiles: minimal 2Ch 151743a5ec4eSXin LI>16 ulelong x \b, at %#x 15182dc4dbb9SEitan Adler>(16.l) use cab-file 15192dc4dbb9SEitan Adler# at least also 2nd member 15202dc4dbb9SEitan Adler>28 uleshort >1 15212dc4dbb9SEitan Adler>>(16.l+16) ubyte x 15222dc4dbb9SEitan Adler>>>&0 search/255 \0 15232dc4dbb9SEitan Adler# second member info 15242dc4dbb9SEitan Adler>>>>&0 use cab-file 15252dc4dbb9SEitan Adler#>20 belong !0 \b, reserved %x 15262dc4dbb9SEitan Adler# Cabinet file format version. Currently, versionMajor = 1 and versionMinor = 3 152743a5ec4eSXin LI>24 ubeshort !0x0301 \b version %#x 15282dc4dbb9SEitan Adler# number of CFFOLDER entries 15292dc4dbb9SEitan Adler>26 uleshort >1 \b, %u cffolders 15302dc4dbb9SEitan Adler# cabinet file option indicators 1~PREVIOUS, 2~NEXT, 4~reserved fields 15312dc4dbb9SEitan Adler# only found for flags 0 1 2 3 4 not 7 153243a5ec4eSXin LI>30 uleshort >0 \b, flags %#x 15332dc4dbb9SEitan Adler# Cabinet files have a 16-bit cabinet setID field that is designed for application use. 
15342dc4dbb9SEitan Adler# default is zero, however, the -i option of cabarc can be used to set this field 15352dc4dbb9SEitan Adler>32 uleshort >0 \b, ID %u 15362dc4dbb9SEitan Adler# iCabinet is number of this cabinet file in a set, where 0 for the first cabinet 15372dc4dbb9SEitan Adler#>34 uleshort x \b, iCabinet %u 15382dc4dbb9SEitan Adler# add one for display because humans start numbering by 1 and also fit to name of disk szDisk* 15392dc4dbb9SEitan Adler>34 uleshort+1 x \b, number %u 15402dc4dbb9SEitan Adler>30 uleshort &0x0004 \b, extra bytes 15412dc4dbb9SEitan Adler# cbCFHeader optional size of per-cabinet reserved area 14h 1800h 15422dc4dbb9SEitan Adler>>36 uleshort >0 %u in head 15432dc4dbb9SEitan Adler# cbCFFolder is optional size of per-folder reserved area 15442dc4dbb9SEitan Adler>>38 ubyte >0 %u in folder 15452dc4dbb9SEitan Adler# cbCFData is optional size of per-datablock reserved area 15462dc4dbb9SEitan Adler>>39 ubyte >0 %u in data block 15472dc4dbb9SEitan Adler# optional per-cabinet reserved area abReserve[cbCFHeader] 15482dc4dbb9SEitan Adler>>36 uleshort >0 15492dc4dbb9SEitan Adler# 1st CFFOLDER after reserved area in header 15502dc4dbb9SEitan Adler>>>(36.s+40) use cab-folder 15512dc4dbb9SEitan Adler# no reserved area in header 15522dc4dbb9SEitan Adler>30 uleshort ^0x0004 15532dc4dbb9SEitan Adler# no previous and next cab archive 15542dc4dbb9SEitan Adler>>30 uleshort =0x0000 15552dc4dbb9SEitan Adler>>>36 use cab-folder 15562dc4dbb9SEitan Adler# only previous cab archive 15572dc4dbb9SEitan Adler>>30 uleshort =0x0001 \b, previous 15582dc4dbb9SEitan Adler>>>36 use cab-anchor 15592dc4dbb9SEitan Adler# only next cab archive 15602dc4dbb9SEitan Adler>>30 uleshort =0x0002 \b, next 15612dc4dbb9SEitan Adler>>>36 use cab-anchor 15622dc4dbb9SEitan Adler# previous+next cab archive 15632dc4dbb9SEitan Adler# can not use sub routine cab-anchor to display previous and next cabinet together 15642dc4dbb9SEitan Adler#>>>36 use cab-anchor 15652dc4dbb9SEitan Adler#>>>>&0 
use cab-anchor 15662dc4dbb9SEitan Adler>>30 uleshort =0x0003 \b, previous 15672dc4dbb9SEitan Adler>>>36 string x %s 15682dc4dbb9SEitan Adler# optional name of previous disk szDisk* 15692dc4dbb9SEitan Adler>>>>&1 string x disk %s 15702dc4dbb9SEitan Adler>>>>>&1 string x \b, next %s 15712dc4dbb9SEitan Adler# optional name of previous disk szDisk* 15722dc4dbb9SEitan Adler>>>>>>&1 string x disk %s 15732dc4dbb9SEitan Adler>>>>>>>&1 use cab-folder 15742dc4dbb9SEitan Adler# display filename and disk name of previous or next cabinet 15752dc4dbb9SEitan Adler0 name cab-anchor 15762dc4dbb9SEitan Adler# optional name of previous/next cabinet file szCabinet*[255] 15772dc4dbb9SEitan Adler>&0 string x %s 15782dc4dbb9SEitan Adler# optional name of previous/next disk szDisk*[255] 15792dc4dbb9SEitan Adler>>&1 string x disk %s 15802dc4dbb9SEitan Adler# display folder structure CFFOLDER information like compression of cabinet 15812dc4dbb9SEitan Adler0 name cab-folder 15822dc4dbb9SEitan Adler# offset of the CFDATA block in this folder 158343a5ec4eSXin LI#>0 ulelong x \b, coffCabStart %#x 15842dc4dbb9SEitan Adler# number of CFDATA blocks in folder 15852dc4dbb9SEitan Adler>4 uleshort x \b, %u datablock 15862dc4dbb9SEitan Adler# plural s 15872dc4dbb9SEitan Adler>4 uleshort >1 \bs 15882dc4dbb9SEitan Adler# compression typeCompress: 0~None 1~MSZIP 0x1503~LZX:21 0x1003~LZX:16 0x0f03~LZX:15 158943a5ec4eSXin LI>6 uleshort x \b, %#x compression 15902dc4dbb9SEitan Adler# optional per-folder reserved area 159143a5ec4eSXin LI#>8 ubequad x \b, abReserve %#llx 15922dc4dbb9SEitan Adler# display member structure CFFILE information like member name of cabinet 15932dc4dbb9SEitan Adler0 name cab-file 15942dc4dbb9SEitan Adler# cbFile is uncompressed size of file in bytes 15952dc4dbb9SEitan Adler#>0 ulelong x \b, cbFile %u 15962dc4dbb9SEitan Adler# uoffFolderStart is uncompressed offset of file in folder 159743a5ec4eSXin LI#>4 ulelong >0 \b, uoffFolderStart %#x 15982dc4dbb9SEitan Adler# iFolder is index 
into the CFFOLDER area. 0 indicates first folder in cabinet 15992dc4dbb9SEitan Adler# define ifoldCONTINUED_FROM_PREV (0xFFFD) 16002dc4dbb9SEitan Adler# define ifoldCONTINUED_TO_NEXT (0xFFFE) 16012dc4dbb9SEitan Adler# define ifoldCONTINUED_PREV_AND_NEXT (0xFFFF) 160243a5ec4eSXin LI>8 uleshort >0 \b, iFolder %#x 16032dc4dbb9SEitan Adler# date stamp for file 160443a5ec4eSXin LI#>10 uleshort x \b, date %#x 16052dc4dbb9SEitan Adler# time stamp for file 160643a5ec4eSXin LI#>12 uleshort x \b, time %#x 16072dc4dbb9SEitan Adler# attribs is attribute flags for file 16082dc4dbb9SEitan Adler# define _A_RDONLY (0x01) file is read-only 16092dc4dbb9SEitan Adler# define _A_HIDDEN (0x02) file is hidden 16102dc4dbb9SEitan Adler# define _A_SYSTEM (0x04) file is a system file 16112dc4dbb9SEitan Adler# define _A_ARCH (0x20) file modified since last backup 16122dc4dbb9SEitan Adler# example http://sebastien.kirche.free.fr/pebuilder_plugins/depends.cab 16132dc4dbb9SEitan Adler# define _A_EXEC (0x40) run after extraction 16142dc4dbb9SEitan Adler# define _A_NAME_IS_UTF (0x80) szName[] contains UTF 16152dc4dbb9SEitan Adler# define UNKNOWN (0x0100) undocumented or accident 161643a5ec4eSXin LI#>14 uleshort x \b, attribs %#x 16172dc4dbb9SEitan Adler>14 uleshort >0 + 16182dc4dbb9SEitan Adler>>14 uleshort &0x0001 \bR 16192dc4dbb9SEitan Adler>>14 uleshort &0x0002 \bH 16202dc4dbb9SEitan Adler>>14 uleshort &0x0004 \bS 16212dc4dbb9SEitan Adler>>14 uleshort &0x0020 \bA 16222dc4dbb9SEitan Adler>>14 uleshort &0x0040 \bX 16232dc4dbb9SEitan Adler>>14 uleshort &0x0080 \bUtf 16242dc4dbb9SEitan Adler# unknown 0x0100 flag found on one XP_CD:\I386\DRIVER.CAB 16252dc4dbb9SEitan Adler>>14 uleshort &0x0100 \b? 
16262dc4dbb9SEitan Adler# szName is name of archive member 16272dc4dbb9SEitan Adler>16 string x "%s" 16282dc4dbb9SEitan Adler# next archive member name if more files 16292dc4dbb9SEitan Adler#>>&17 string >\0 \b, NEXT NAME %-.50s 1630b6cee71dSXin LI 1631b6cee71dSXin LI# InstallShield Cabinet files 1632b6cee71dSXin LI0 string/b ISc( InstallShield Cabinet archive data 1633b6cee71dSXin LI>5 byte&0xf0 =0x60 version 6, 1634b6cee71dSXin LI>5 byte&0xf0 !0x60 version 4/5, 1635b6cee71dSXin LI>(12.l+40) lelong x %u files 1636b6cee71dSXin LI 1637b6cee71dSXin LI# Windows CE package files 1638b6cee71dSXin LI0 string/b MSCE\0\0\0\0 Microsoft WinCE install header 1639b6cee71dSXin LI>20 lelong 0 \b, architecture-independent 1640b6cee71dSXin LI>20 lelong 103 \b, Hitachi SH3 1641b6cee71dSXin LI>20 lelong 104 \b, Hitachi SH4 1642b6cee71dSXin LI>20 lelong 0xA11 \b, StrongARM 1643b6cee71dSXin LI>20 lelong 4000 \b, MIPS R4000 1644b6cee71dSXin LI>20 lelong 10003 \b, Hitachi SH3 1645b6cee71dSXin LI>20 lelong 10004 \b, Hitachi SH3E 1646b6cee71dSXin LI>20 lelong 10005 \b, Hitachi SH4 1647b6cee71dSXin LI>20 lelong 70001 \b, ARM 7TDMI 1648b6cee71dSXin LI>52 leshort 1 \b, 1 file 1649b6cee71dSXin LI>52 leshort >1 \b, %u files 1650b6cee71dSXin LI>56 leshort 1 \b, 1 registry entry 1651b6cee71dSXin LI>56 leshort >1 \b, %u registry entries 1652b6cee71dSXin LI 1653b6cee71dSXin LI 1654b6cee71dSXin LI# Windows Enhanced Metafile (EMF) 1655b6cee71dSXin LI# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp 1656b6cee71dSXin LI# for further information. 1657b6cee71dSXin LI0 ulelong 1 1658b6cee71dSXin LI>40 string \ EMF Windows Enhanced Metafile (EMF) image data 165943a5ec4eSXin LI>>44 ulelong x version %#x 1660b6cee71dSXin LI 1661b6cee71dSXin LI 1662b6cee71dSXin LI0 string/b \224\246\056 Microsoft Word Document 1663b6cee71dSXin LI!:mime application/msword 1664b6cee71dSXin LI 1665b6cee71dSXin LI# From: "Nelson A. 
de Oliveira" <naoliv@gmail.com> 1666b6cee71dSXin LI# Magic type for Dell's BIOS .hdr files 1667b6cee71dSXin LI# Dell's .hdr 1668b6cee71dSXin LI0 string/b $RBU 1669b6cee71dSXin LI>23 string Dell %s system BIOS 1670b6cee71dSXin LI>5 byte 2 1671b6cee71dSXin LI>>48 byte x version %d. 1672b6cee71dSXin LI>>49 byte x \b%d. 1673b6cee71dSXin LI>>50 byte x \b%d 1674b6cee71dSXin LI>5 byte <2 1675b6cee71dSXin LI>>48 string x version %.3s 1676b6cee71dSXin LI 1677b6cee71dSXin LI# Type: Microsoft Document Imaging Format (.mdi) 167848c779cdSXin LI# URL: https://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format 1679b6cee71dSXin LI# From: Daniele Sempione <scrows@oziosi.org> 1680a5d223e6SXin LI# Too weak (EP) 1681a5d223e6SXin LI#0 short 0x5045 Microsoft Document Imaging Format 1682b6cee71dSXin LI 1683b6cee71dSXin LI# MS eBook format (.lit) 1684b6cee71dSXin LI0 string/b ITOLITLS Microsoft Reader eBook Data 1685b6cee71dSXin LI>8 lelong x \b, version %u 1686b6cee71dSXin LI!:mime application/x-ms-reader 1687b6cee71dSXin LI 1688b6cee71dSXin LI# Windows CE Binary Image Data Format 1689b6cee71dSXin LI# From: Dr. Jesus <j@hug.gs> 1690b6cee71dSXin LI0 string/b B000FF\n Windows Embedded CE binary image 1691b6cee71dSXin LI 1692b6cee71dSXin LI# The second byte of these signatures is a file version; I don't know what, 1693b6cee71dSXin LI# if anything, produced files with version numbers 0-2. 
# From: John Elliott <johne@seasip.demon.co.uk>
# Three-byte signatures at offset 0: 0xFC, then 0x03 or 0x04 (reported as
# v1.11 / v1.29+), then 0x00 or 0x01 (0x01 is reported as "protected").
# Only three bytes are tested, so unrelated binary data can also match.
0 string \xfc\x03\x00 Mallard BASIC program data (v1.11)
0 string \xfc\x04\x00 Mallard BASIC program data (v1.29+)
0 string \xfc\x03\x01 Mallard BASIC protected program data (v1.11)
0 string \xfc\x04\x01 Mallard BASIC protected program data (v1.29+)

# Jetsam files are recognised by an ASCII tag at offset 0.
0 string MIOPEN Mallard BASIC Jetsam data
0 string Jetsam0 Mallard BASIC Jetsam index data

# DOS backup 2.0 to 3.2
# URL: http://fileformats.archiveteam.org/wiki/BACKUP_(MS-DOS)
# Reference: http://www.ibiblio.org/pub/micro/pc-stuff/freedos/files/dos/restore/brtecdoc.htm
# backupid.@@@
# This entry has no fixed signature: identification rests on the field
# plausibility tests below plus eight NUL bytes, so unrelated data can match.
# Treat the resulting label as a hint when triaging files.

# plausibility check for date
# NOTE(review): "ushort" is read in host byte order, while the backed-up-file
# entry further down reads its 16-bit field with "uleshort"; presumably this
# field is little-endian on disk as well -- confirm.
0x3 ushort >1979
# Bytes 0x5 and 0x6 are range-checked after subtracting 1 (presumably day of
# month and month; the unsigned subtraction appears intended to reject 0).
>0x5 ubyte-1 <31
>>0x6 ubyte-1 <12
# actually 121 nul bytes
# Only the first 8 of them are tested.
>>>0x7 string \0\0\0\0\0\0\0\0
# The sequence number is printed from the single byte at offset 1.
>>>>0x1 ubyte x DOS 2.0 backup id file, sequence %d
#!:mime application/octet-stream
!:ext @@@
# Byte 0 equal to 0xFF marks the last disk of the set.
>>>>0x0 ubyte 0xff \b, last disk

# backed up file
# Like the id file above, this entry is a chain of plausibility tests rather
# than a signature match.

# skip some AppleWorks word like Tomahawk.Awp, WIN98SE-DE.vhd
# by looking for trailing nul of maximal file name string
0x52 ubyte 0
# test for flag byte: FFh~complete file, 00h~split file
# FFh -127 = -1 -127 = -128
# 00h -127 = 0 -127 = -127
# (01h gives -126 and is rejected by the comparison below)
>0 byte-127 <-126
# plausibility check for file name length
>>0x53 ubyte-1 <78
# looking for terminating nul of file name string
# Indirect offset: the length byte at 0x53 plus 4.
>>>(0x53.b+4) ubyte 0
# check that the last char of the file name string is valid in a DOS file name
# Indirect offset: the length byte at 0x53 plus 3; control characters are rejected.
>>>>(0x53.b+3) ubyte >0x1F
# actually 44 nul bytes
# but sometimes garbage according to Ralf Quint, so it cannot be used as a test
#>0x54 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
# first char of full file name is DOS (5Ch) or UNIX (2Fh) path separator
# only DOS variant found. UNIX variant according to V32SLASH.TXT in archive PD0315.EXE
# The mask maps both 5Ch and 2Fh to 0Ch; it also accepts any other byte with
# bit 7 clear and bits 2 and 3 set, so this is a loose check.
>>>>>5 ubyte&0x8C 0x0C
# ./msdos (version 5.30) labeled the entry as
# "DOS 2.0 backed up file %s, split file, sequence %d" or
# "DOS 2.0 backed up file %s, complete file"
>>>>>>0 ubyte x DOS 2.0-3.2 backed up
#>>>>>>0 ubyte 0xff complete
# Split files (flag byte 0) additionally report the 16-bit little-endian
# sequence number stored at offset 1.
>>>>>>0 ubyte 0
>>>>>>>1 uleshort x sequence %d of
# full file name with path but without drive letter and colon stored from 0x05 until 0x52
# The name is read from the file itself and printed through %s; treat it as
# untrusted text when it ends up in reports or logs.
>>>>>>0x5 string x file %s
#!:mime application/octet-stream
# backup name is original filename
#!:ext doc/exe/rar/zip
#!:ext *
# magic/Magdir/msdos, 1169: Warning: EXTENSION type ` *' has bad char '*'
# file: line 1169: Bad magic entry ' *'
# after header original file content
# "indirect" re-runs the magic tests on the data at offset 128 and appends the
# result after ";". That part of the output describes the embedded payload,
# not the backup wrapper.
>>>>>>128 indirect x \b;


# DOS backup 3.3 to 5.x

# CONTROL.nnn files
# 8-byte signature at offset 0: 0x8B, the text "BACKUP", then a space (0x20).
0 string \x8bBACKUP\x20
# actually 128 nul bytes
# Only the first 8 of them are tested.
>0xa string \0\0\0\0\0\0\0\0
# Sequence number from the byte at 0x9; 0xFF at 0x8a marks the last disk.
>>0x9 ubyte x DOS 3.3 backup control file, sequence %d
>>0x8a ubyte 0xff \b, last disk

# NB: The BACKUP.nnn files consist of the files backed up,
# concatenated.

# From: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/MS-DOS_date/time
# Reference: https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-dosdatetimetofiletime
# Note: DOS date+time format is different from formats such as Unix epoch
# bit encoded; uses year values relative to 1980 and 2 second precision
# Named routine: it produces output only where another entry invokes it.
# In the lines shown here only the date word at offset 2 is printed; the time
# word at offset 0 is covered by commented-out debugging lines only.
0 name dos-date
# HHHHHMMMMMMSSSSS bit encoded Hour (0-23) Minute (0-59) SecondPart (*2)
#>0 uleshort x RAW TIME [%#4.4x]
# hour part
#>0 uleshort/2048 x hour [%u]
# YYYYYYYMMMMDDDDD bit encoded YearPart (+1980) Month (1-12) Day (1-31)
# (7 year bits, 4 month bits, 5 day bits, matching /512, &0x01E0 and &0x001F below)
#>2 uleshort x RAW DATE [%#4.4x]
# day part
# The 5-bit day is printed without a range check, so 0 can appear in the output.
>2 uleshort&0x001F x %u
#>2 uleshort/16 x MONTH PART [%#x]
# GRR: not working
#>2 uleshort/16 &0x000F MONTH [%u]
#>2 uleshort&0x01E0 x MONTH PART [%#4.4x]
# month part
# The 4-bit month is compared in place (still shifted left by 5), hence the
# constants 0x0020 (1) to 0x0180 (12). Field values 0 and 13-15 match none of
# these lines, so no month name is printed for them.
>2 uleshort&0x01E0 =0x0020 jan
>2 uleshort&0x01E0 =0x0040 feb
>2 uleshort&0x01E0 =0x0060 mar
>2 uleshort&0x01E0 =0x0080 apr
>2 uleshort&0x01E0 =0x00A0 may
>2 uleshort&0x01E0 =0x00C0 jun
>2 uleshort&0x01E0 =0x00E0 jul
>2 uleshort&0x01E0 =0x0100 aug
>2 uleshort&0x01E0 =0x0120 sep
>2 uleshort&0x01E0 =0x0140 oct
>2 uleshort&0x01E0 =0x0160 nov
>2 uleshort&0x01E0 =0x0180 dec
# year part
# The 7-bit year offset (0-127) is printed literally as "1980+N"; the sum is
# not computed, so readers of the output have to add it themselves.
>2 uleshort/512 x 1980+%u
#