#------------------------------------------------------------------------------
# $File: msdos,v 1.152 2021/10/12 18:26:10 christos Exp $
# msdos: file(1) magic for MS-DOS files
#

# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com)
# updated by Joerg Jenderek at Oct 2008,Apr 2011
0	string/t	@
>1	string/cW	\ echo\ off	DOS batch file text
!:mime	text/x-msdos-batch
!:ext	bat
>1	string/cW	echo\ off	DOS batch file text
!:mime	text/x-msdos-batch
!:ext	bat
>1	string/cW	rem	DOS batch file text
!:mime	text/x-msdos-batch
!:ext	bat
>1	string/cW	set\ 	DOS batch file text
!:mime	text/x-msdos-batch
!:ext	bat


# OS/2 batch files are REXX. the second regex is a bit generic, oh well
# the matched commands seem to be common in REXX and uncommon elsewhere
100	search/0xffff	rxfuncadd
>100	regex/c	=^[\ \t]{0,10}call[\ \t]{1,10}rxfunc	OS/2 REXX batch file text
100	search/0xffff	say
>100	regex/c	=^[\ \t]{0,10}say\ ['"]	OS/2 REXX batch file text

# updated by Joerg Jenderek at Oct 2015
# https://de.wikipedia.org/wiki/Common_Object_File_Format
# http://www.delorie.com/djgpp/doc/coff/filhdr.html
# ./intel already labeled COFF type 0x14c=0514 as "80386 COFF executable"
#0	leshort	0x14c	MS Windows COFF Intel 80386 object file
#>4	ledate	x	stamp %s
0	leshort	0x166	MS Windows COFF MIPS R4000 object file
#>4	ledate	x	stamp %s
0	leshort	0x184	MS Windows COFF Alpha object file
#>4	ledate	x	stamp %s
0	leshort	0x268	MS Windows COFF Motorola 68000 object file
#>4	ledate	x	stamp %s
0	leshort	0x1f0	MS Windows COFF PowerPC object file
#>4	ledate	x	stamp %s
0	leshort	0x290	MS Windows COFF PA-RISC object file
#>4	ledate	x	stamp %s

# Tests for various EXE types.
#
# Many of the compressed formats were extracted from IDARC 1.23 source code.
#
0	string/b	MZ
# All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file.
>0x18	leshort	<0x40	MS-DOS executable
!:mime	application/x-dosexec
# Windows and later versions of DOS will allow .EXEs to be named with a .COM
# extension, mostly for compatibility's sake.
# URL: https://en.wikipedia.org/wiki/Personal_NetWare#VLM
# Reference: https://mark0.net/download/triddefs_xml.7z/defs/e/exe-vlm-msg.trid.xml
!:ext	exe/com/vlm
# These traditional tests usually work but not always. When test quality support is
# implemented these can be turned on.
#>>0x18	leshort	0x1c	(Borland compiler)
#>>0x18	leshort	0x1e	(MS compiler)

# Maybe it's a PE?
>(0x3c.l)	string	PE\0\0	PE
!:mime	application/x-dosexec
>>(0x3c.l+24)	leshort	0x010b	\b32 executable
>>(0x3c.l+24)	leshort	0x020b	\b32+ executable
>>(0x3c.l+24)	leshort	0x0107	ROM image
>>(0x3c.l+24)	default	x	Unknown PE signature
>>>&0	leshort	x	%#x
>>(0x3c.l+22)	leshort&0x2000	>0	(DLL)
>>(0x3c.l+92)	leshort	1
# Native PEs include ntoskrnl.exe, hal.dll, smss.exe, autochk.exe, and all the
# drivers in Windows/System32/drivers/*.sys.
>>>(0x3c.l+22)	leshort&0x2000	>0	(native)
!:ext	dll/sys
>>>(0x3c.l+22)	leshort&0x2000	0	(native)
!:ext	exe/sys
>>(0x3c.l+92)	leshort	2
>>>(0x3c.l+22)	leshort&0x2000	>0	(GUI)
# These could probably be at least partially distinguished from one another by
# looking for specific exported functions.
# CPL: Control Panel item
# TLB: Type library
# OCX: OLE/ActiveX control
# ACM: Audio compression manager codec
# AX: DirectShow source filter
# IME: Input method editor
!:ext	dll/cpl/tlb/ocx/acm/ax/ime
>>>(0x3c.l+22)	leshort&0x2000	0	(GUI)
# Screen savers typically include code from the scrnsave.lib static library, but
# that's not guaranteed.
!:ext	exe/scr
>>(0x3c.l+92)	leshort	3
>>>(0x3c.l+22)	leshort&0x2000	>0	(console)
!:ext	dll/cpl/tlb/ocx/acm/ax/ime
>>>(0x3c.l+22)	leshort&0x2000	0	(console)
!:ext	exe/com
# https://docs.microsoft.com/en-us/windows/win32/debug/pe-format
>>(0x3c.l+92)	leshort	7	(POSIX)
>>(0x3c.l+92)	leshort	9	(Windows CE)
>>(0x3c.l+92)	leshort	10	(EFI application)
>>(0x3c.l+92)	leshort	11	(EFI boot service driver)
>>(0x3c.l+92)	leshort	12	(EFI runtime driver)
>>(0x3c.l+92)	leshort	13	(EFI ROM)
>>(0x3c.l+92)	leshort	14	(XBOX)
>>(0x3c.l+92)	leshort	15	(Windows boot application)
>>(0x3c.l+92)	default	x	(Unknown subsystem
>>>&0	leshort	x	%#x)
>>(0x3c.l+4)	leshort	0x14c	Intel 80386
>>(0x3c.l+4)	leshort	0x166	MIPS R4000
>>(0x3c.l+4)	leshort	0x168	MIPS R10000
>>(0x3c.l+4)	leshort	0x184	Alpha
>>(0x3c.l+4)	leshort	0x1a2	Hitachi SH3
>>(0x3c.l+4)	leshort	0x1a3	Hitachi SH3 DSP
>>(0x3c.l+4)	leshort	0x1a8	Hitachi SH5
>>(0x3c.l+4)	leshort	0x169	MIPS WCE v2
>>(0x3c.l+4)	leshort	0x1a6	Hitachi SH4
>>(0x3c.l+4)	leshort	0x1c0	ARM
>>(0x3c.l+4)	leshort	0x1c2	ARM Thumb
>>(0x3c.l+4)	leshort	0x1c4	ARMv7 Thumb
>>(0x3c.l+4)	leshort	0x1d3	Matsushita AM33
>>(0x3c.l+4)	leshort	0x1f0	PowerPC
>>(0x3c.l+4)	leshort	0x1f1	PowerPC with FPU
>>(0x3c.l+4)	leshort	0x1f2	PowerPC (big-endian)
>>(0x3c.l+4)	leshort	0x200	Intel Itanium
>>(0x3c.l+4)	leshort	0x266	MIPS16
>>(0x3c.l+4)	leshort	0x268	Motorola 68000
>>(0x3c.l+4)	leshort	0x290	PA-RISC
>>(0x3c.l+4)	leshort	0x366	MIPSIV
>>(0x3c.l+4)	leshort	0x466	MIPS16 with FPU
>>(0x3c.l+4)	leshort	0xebc	EFI byte code
>>(0x3c.l+4)	leshort	0x5032	RISC-V 32-bit
>>(0x3c.l+4)	leshort	0x5064	RISC-V 64-bit
>>(0x3c.l+4)	leshort	0x5128	RISC-V 128-bit
>>(0x3c.l+4)	leshort	0x9041	Mitsubishi M32R
>>(0x3c.l+4)	leshort	0x8664	x86-64
>>(0x3c.l+4)	leshort	0xaa64	Aarch64
>>(0x3c.l+4)	leshort	0xc0ee	MSIL
>>(0x3c.l+4)	default	x	Unknown processor type
>>>&0	leshort	x	%#x
>>(0x3c.l+22)	leshort&0x0200	>0	(stripped to external PDB)
>>(0x3c.l+22)	leshort&0x1000	>0	system file
>>(0x3c.l+24)	leshort	0x010b
>>>(0x3c.l+232)	lelong	>0	Mono/.Net assembly
>>(0x3c.l+24)	leshort	0x020b
>>>(0x3c.l+248)	lelong	>0	Mono/.Net assembly

# hooray, there's a DOS extender using the PE format, with a valid PE
# executable inside (which just prints a message and exits if run in win)
>>(8.s*16)	string	32STUB	\b, 32rtm DOS extender
>>(8.s*16)	string	!32STUB	\b, for MS Windows
>>(0x3c.l+0xf8)	string	UPX0	\b, UPX compressed
>>(0x3c.l+0xf8)	search/0x140	PEC2	\b, PECompact2 compressed
>>(0x3c.l+0xf8)	search/0x140	UPX2
>>>(&0x10.l+(-4))	string	PK\3\4	\b, ZIP self-extracting archive (Info-Zip)
>>(0x3c.l+0xf8)	search/0x140	.idata
>>>(&0xe.l+(-4))	string	PK\3\4	\b, ZIP self-extracting archive (Info-Zip)
>>>(&0xe.l+(-4))	string	ZZ0	\b, ZZip self-extracting archive
>>>(&0xe.l+(-4))	string	ZZ1	\b, ZZip self-extracting archive
>>(0x3c.l+0xf8)	search/0x140	.rsrc
>>>(&0x0f.l+(-4))	string	a\\\4\5	\b, WinHKI self-extracting archive
>>>(&0x0f.l+(-4))	string	Rar!	\b, RAR self-extracting archive
>>>(&0x0f.l+(-4))	search/0x3000	MSCF	\b, InstallShield self-extracting archive
>>>(&0x0f.l+(-4))	search/32	Nullsoft	\b, Nullsoft Installer self-extracting archive
>>(0x3c.l+0xf8)	search/0x140	.data
>>>(&0x0f.l)	string	WEXTRACT	\b, MS CAB-Installer self-extracting archive
>>(0x3c.l+0xf8)	search/0x140	.petite\0	\b, Petite compressed
>>>(0x3c.l+0xf7)	byte	x
>>>>(&0x104.l+(-4))	string	=!sfx!	\b, ACE self-extracting archive
>>(0x3c.l+0xf8)	search/0x140	.WISE	\b, WISE installer self-extracting archive
>>(0x3c.l+0xf8)	search/0x140	.dz\0\0\0	\b, Dzip self-extracting archive
>>&(0x3c.l+0xf8)	search/0x100	_winzip_	\b, ZIP self-extracting archive (WinZip)
>>&(0x3c.l+0xf8)	search/0x100	SharedD	\b, Microsoft Installer self-extracting archive
>>0x30	string	Inno	\b, InnoSetup self-extracting archive

# If the relocation table is 0x40 or more bytes into the file, it's definitely
# not a DOS EXE.
>0x18	leshort	>0x3f

# Hmm, not a PE but the relocation table is too high for a traditional DOS exe,
# must be one of the unusual subformats.
>>(0x3c.l)	string	!PE\0\0	MS-DOS executable
!:mime	application/x-dosexec

>>(0x3c.l)	string	NE	\b, NE
!:mime	application/x-dosexec
>>>(0x3c.l+0x36)	byte	1	for OS/2 1.x
>>>(0x3c.l+0x36)	byte	2	for MS Windows 3.x
>>>(0x3c.l+0x36)	byte	3	for MS-DOS
>>>(0x3c.l+0x36)	byte	4	for Windows 386
>>>(0x3c.l+0x36)	byte	5	for Borland Operating System Services
>>>(0x3c.l+0x36)	default	x
>>>>(0x3c.l+0x36)	byte	x	(unknown OS %x)
>>>(0x3c.l+0x36)	byte	0x81	for MS-DOS, Phar Lap DOS extender
>>>(0x3c.l+0x0c)	leshort&0x8000	0x8000	(DLL or font)
# DRV: Driver
# 3GR: Grabber device driver
# CPL: Control Panel Item
# VBX: Visual Basic Extension
# FON: Bitmap font
# FOT: Font resource file
!:ext	dll/drv/3gr/cpl/vbx/fon/fot
>>>(0x3c.l+0x0c)	leshort&0x8000	0	(EXE)
!:ext	exe/scr
>>>&(&0x24.s-1)	string	ARJSFX	\b, ARJ self-extracting archive
>>>(0x3c.l+0x70)	search/0x80	WinZip(R)\ Self-Extractor	\b, ZIP self-extracting archive (WinZip)

>>(0x3c.l)	string	LX\0\0	\b, LX
!:mime	application/x-dosexec
>>>(0x3c.l+0x0a)	leshort	<1	(unknown OS)
>>>(0x3c.l+0x0a)	leshort	1	for OS/2
>>>(0x3c.l+0x0a)	leshort	2	for MS Windows
>>>(0x3c.l+0x0a)	leshort	3	for DOS
>>>(0x3c.l+0x0a)	leshort	>3	(unknown OS)
>>>(0x3c.l+0x10)	lelong&0x28000	=0x8000	(DLL)
>>>(0x3c.l+0x10)	lelong&0x20000	>0	(device driver)
>>>(0x3c.l+0x10)	lelong&0x300	0x300	(GUI)
>>>(0x3c.l+0x10)	lelong&0x28300	<0x300	(console)
>>>(0x3c.l+0x08)	leshort	1	i80286
>>>(0x3c.l+0x08)	leshort	2	i80386
>>>(0x3c.l+0x08)	leshort	3	i80486
>>>(8.s*16)	string	emx	\b, emx
>>>>&1	string	x	%s
>>>&(&0x54.l-3)	string	arjsfx	\b, ARJ self-extracting archive

# MS Windows system file, supposedly a collection of LE executables
>>(0x3c.l)	string	W3	\b, W3 for MS Windows
!:mime	application/x-dosexec

>>(0x3c.l)	string	LE\0\0	\b, LE executable
!:mime	application/x-dosexec
>>>(0x3c.l+0x0a)	leshort	1
# some DOS extenders use LE files with OS/2 header
>>>>0x240	search/0x100	DOS/4G	for MS-DOS, DOS4GW DOS extender
>>>>0x240	search/0x200	WATCOM\ C/C++	for MS-DOS, DOS4GW DOS extender
>>>>0x440	search/0x100	CauseWay\ DOS\ Extender	for MS-DOS, CauseWay DOS extender
>>>>0x40	search/0x40	PMODE/W	for MS-DOS, PMODE/W DOS extender
>>>>0x40	search/0x40	STUB/32A	for MS-DOS, DOS/32A DOS extender (stub)
>>>>0x40	search/0x80	STUB/32C	for MS-DOS, DOS/32A DOS extender (configurable stub)
>>>>0x40	search/0x80	DOS/32A	for MS-DOS, DOS/32A DOS extender (embedded)
# this is a wild guess; hopefully it is a specific signature
>>>>&0x24	lelong	<0x50
>>>>>(&0x4c.l)	string	\xfc\xb8WATCOM
>>>>>>&0	search/8	3\xdbf\xb9	\b, 32Lite compressed
# another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP
#>>>>(0x3c.l+0x1c)	lelong	>0x10000	for OS/2
# fails with DOS-Extenders.
>>>(0x3c.l+0x0a)	leshort	2	for MS Windows
>>>(0x3c.l+0x0a)	leshort	3	for DOS
>>>(0x3c.l+0x0a)	leshort	4	for MS Windows (VxD)
# VXD: VxD for Windows 95/98/Me
# 386: VxD for Windows 2.10, 3.0, 3.1x
# PDR: Port driver
# MPD: Miniport driver (?)
!:ext	vxd/386/pdr/mpd
>>>(&0x7c.l+0x26)	string	UPX	\b, UPX compressed
>>>&(&0x54.l-3)	string	UNACE	\b, ACE self-extracting archive

# looks like ASCII, probably some embedded copyright message.
# and definitely not NE/LE/LX/PE
>>0x3c	lelong	>0x20000000
>>>(4.s*512)	leshort	!0x014c	\b, MZ for MS-DOS
!:mime	application/x-dosexec
!:ext	exe/com
# header data too small for extended executable
>2	long	!0
>>0x18	leshort	<0x40
>>>(4.s*512)	leshort	!0x014c

>>>>&(2.s-514)	string	!LE
>>>>>&-2	string	!BW	\b, MZ for MS-DOS
!:mime	application/x-dosexec
>>>>&(2.s-514)	string	LE	\b, LE
>>>>>0x240	search/0x100	DOS/4G	for MS-DOS, DOS4GW DOS extender
# educated guess since indirection is still not capable enough for complex offset
# calculations (next embedded executable would be at &(&2*512+&0-2)
# I suspect there are only LE executables in these multi-exe files
>>>>&(2.s-514)	string	BW
>>>>>0x240	search/0x100	DOS/4G	\b, LE for MS-DOS, DOS4GW DOS extender (embedded)
>>>>>0x240	search/0x100	!DOS/4G	\b, BW collection for MS-DOS

# This sequence skips to the first COFF segment, usually .text
>(4.s*512)	leshort	0x014c	\b, COFF
!:mime	application/x-dosexec
>>(8.s*16)	string	go32stub	for MS-DOS, DJGPP go32 DOS extender
>>(8.s*16)	string	emx
>>>&1	string	x	for DOS, Win or OS/2, emx %s
>>&(&0x42.l-3)	byte	x
>>>&0x26	string	UPX	\b, UPX compressed
# and yet another guess: small .text, and after large .data is unusual, could be 32lite
>>&0x2c	search/0xa0	.text
>>>&0x0b	lelong	<0x2000
>>>>&0	lelong	>0x6000	\b, 32lite compressed

>(8.s*16)	string	$WdX	\b, WDos/X DOS extender

# By now an executable type should have been printed out. The executable
# may be a self-uncompressing archive, so look for evidence of that and
# print it out.
#
# Some signatures below from Greg Roelofs, newt@uchicago.edu.
#
>0x35	string	\x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05	\b, aPack compressed
>0xe7	string	LH/2\ Self-Extract	\b, %s
>0x1c	string	UC2X	\b, UCEXE compressed
>0x1c	string	WWP\ 	\b, WWPACK compressed
>0x1c	string	RJSX	\b, ARJ self-extracting archive
>0x1c	string	diet	\b, diet compressed
>0x1c	string	LZ09	\b, LZEXE v0.90 compressed
>0x1c	string	LZ91	\b, LZEXE v0.91 compressed
>0x1c	string	tz	\b, TinyProg compressed
>0x1e	string	Copyright\ 1989-1990\ PKWARE\ Inc.	Self-extracting PKZIP archive
!:mime	application/zip
# Yes, this really is "Copr", not "Corp."
>0x1e	string	PKLITE\ Copr.	Self-extracting PKZIP archive
!:mime	application/zip
# winarj stores a message in the stub instead of the sig in the MZ header
>0x20	search/0xe0	aRJsfX	\b, ARJ self-extracting archive
>0x20	string	AIN
>>0x23	string	2	\b, AIN 2.x compressed
>>0x23	string	<2	\b, AIN 1.x compressed
>>0x23	string	>2	\b, AIN 1.x compressed
>0x24	string	LHa's\ SFX	\b, LHa self-extracting archive
!:mime	application/x-lha
>0x24	string	LHA's\ SFX	\b, LHa self-extracting archive
!:mime	application/x-lha
>0x24	string	\ $ARX	\b, ARX self-extracting archive
>0x24	string	\ $LHarc	\b, LHarc self-extracting archive
>0x20	string	SFX\ by\ LARC	\b, LARC self-extracting archive
>0x40	string	aPKG	\b, aPackage self-extracting archive
>0x64	string	W\ Collis\0\0	\b, Compack compressed
>0x7a	string	Windows\ self-extracting\ ZIP	\b, ZIP self-extracting archive
>>&0xf4	search/0x140	\x0\x40\x1\x0
>>>(&0.l+(4))	string	MSCF	\b, WinHKI CAB self-extracting archive
>1638	string	-lh5-	\b, LHa self-extracting archive v2.13S
>0x17888	string	Rar!	\b, RAR self-extracting archive

# Skip to the end of the EXE. This will usually work fine in the PE case
# because the MZ image is hardcoded into the toolchain and almost certainly
# won't match any of these signatures.
>(4.s*512)	long	x
>>&(2.s-517)	byte	x
>>>&0	string	PK\3\4	\b, ZIP self-extracting archive
>>>&0	string	Rar!	\b, RAR self-extracting archive
>>>&0	string	=!\x11	\b, AIN 2.x self-extracting archive
>>>&0	string	=!\x12	\b, AIN 2.x self-extracting archive
>>>&0	string	=!\x17	\b, AIN 1.x self-extracting archive
>>>&0	string	=!\x18	\b, AIN 1.x self-extracting archive
>>>&7	search/400	**ACE**	\b, ACE self-extracting archive
>>>&0	search/0x480	UC2SFX\ Header	\b, UC2 self-extracting archive

# a few unknown ZIP sfxes, no idea if they are needed or if they are
# already captured by the generic patterns above
>(8.s*16)	search/0x20	PKSFX	\b, ZIP self-extracting archive (PKZIP)
# TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extracting archive
#

# TELVOX Teleinformatica CODEC self-extractor for OS/2:
>49801	string	\x79\xff\x80\xff\x76\xff	\b, CODEC archive v3.21
>>49824	leshort	=1	\b, 1 file
>>49824	leshort	>1	\b, %u files

# Summary: OS/2 LX Library and device driver (no DOS stub)
# From: Joerg Jenderek
# URL: http://en.wikipedia.org/wiki/EXE
# Reference: http://www.textfiles.com/programming/FORMATS/lxexe.txt
# https://github.com/open-watcom/open-watcom-v2/blob/master/bld/watcom/h/exeflat.h
# Note: by dll-os2-no-dos-stub.trid.xml called "OS/2 Dynamic Link Library (no DOS stub)"
# TODO: unify with DOS stub variant (MZ magic)
0	string/b	LX
>2	ushort	=0
>>0	use	lx-executable
# no examples found for big endian variant
>2	ushort	=0x0101
>>0	use	\^lx-executable
0	name	lx-executable
# similar looking like variant with MS-DOS stub (MZ magic): "MS-DOS executable, LX"
#>0x00	uleshort	x	executable,
# signature OSF_FLAT_LX_SIGNATURE~0x584C~LX OSF_FLAT_SIGNATURE~0x454C~LE
>0x00	uleshort	=0x584c	LX
>0x00	uleshort	=0x454C	LE
>0x00	uleshort	x	executable
#!:mime	application/x-msdownload
!:mime	application/x-lx-executable
# byte order: 00h~little-endian non-zero=1~big-endian
#>0x02	ubyte	=0	(little-endian)
>0x02	ubyte	!0	(big-endian)
# FOR DEBUGGING!
# word order: 00h~little-endian non-zero=1~big-endian
#>0x03	ubyte	=0	\b, little-endian word order
#>0x03	ubyte	!0	\b, big-endian word order
# cpu_type; CPU type like: 1~286 2~386 3~486 4 20h~i860 21h~Intel N11 40h~MIPS R2000,R3000 41h~MIPS R6000 42h~MIPS R4000
#>0x08	uleshort	x	\b, CPU %u
# os_type; target operating system like: 0~unknown 1~OS/2 2~Windows 3~DOS 4.x 4~Windows 386
#>0x0A	leshort	x	\b, OS %u
# flags; module type flags
#>0x10	ulelong	x	\b, FLAGS %#8.8x
# 00000002h ~Reserved for system use
#>0x10	ulelong	&0x00000002	\b, 2h reserved
# OSF_INIT_INSTANCE=00000004h ~Per-Process Library Initialization; setting this bit for EXE file is invalid
#>0x10	ulelong	&0x00000004	\b, per-process library Initialization
# OSF_INTERNAL_FIXUPS_DONE=00000010h ~Internal fixups for the module have been applied
#>0x10	ulelong	&0x00000010	\b, int. fixup
# OSF_EXTERNAL_FIXUPS_DONE=00000020h ~External fixups for the module have been applied
#>0x10	ulelong	&0x00000020	\b, ext. fixup
# OSF_NOT_PM_COMPATIBLE=00000100h ~Incompatible with PM windowing
#>0x10	ulelong&0x00000100	=0x00000100	\b, incompatible with PM windowing
# OSF_PM_COMPATIBLE=00000200h ~Compatible with PM windowing
#>0x10	ulelong&0x00000200	=0x00000200	\b, compatible with PM windowing
# bit 17; device driver
#>0x10	ulelong&0x00020000	>0	\b, device driver
# Per-process Library Termination; setting this bit for EXE file is invalid
#>0x10	ulelong&0x40000000	=0x40000000	\b, per-process library termination
>0x0a	leshort	1	for OS/2
# no example found
>0x0a	leshort	3	for DOS
# http://www.ctyme.com/intr/rb-2939.htm#Table1610
# library by module type mask 00038000h (bits 15-17);
# 0h ~exectable Program module
>0x10	ulelong&0x00038000	=0x00000000	(program)
#!:ext	exe
# OSF_IS_DLL=8000h ~Library module (DLL)
>0x10	ulelong&0x00038000	>0x00000000
# OSF_PHYS_DEVICE=00020000h ~device driver
>>0x10	ulelong&0x00020000	>0	(device driver)
!:ext	sys
# if not device driver it is library (DLL)
>>0x10	ulelong&0x00020000	=0	(library)
!:ext	dll
# bits 8-10; OSF_PM_APP=300h in flags ~Uses PM windowing API; either it is GUI or console
>0x10	ulelong&0x00000300	=0x00000300	(GUI)
>0x10	ulelong&0x00000300	!0x00000300	(console)
# CPU type
>0x08	uleshort	1	i80286
# all inspected examples
>0x08	uleshort	2	i80386
>0x08	uleshort	3	i80486
>0x08	uleshort	4	i80586
# 21h Intel "N11" or compatible
# 40h MIPS Mark I ( R2000, R3000) or compatible
# 41h MIPS Mark II ( R6000 ) or compatible
# 42h MIPS Mark III ( R4000 ) or compatible

# added by Joerg Jenderek of https://www.freedos.org/software/?prog=kc
# and https://www.freedos.org/software/?prog=kpdos
# for FreeDOS files like KEYBOARD.SYS, KEYBRD2.SYS, KEYBRD3.SYS, *.KBD
0	string/b	KCF	FreeDOS KEYBoard Layout collection
# only version=0x100 found
>3	uleshort	x	\b, version %#x
# length of string containing author,info and special characters
>6	ubyte	>0
#>>6	pstring	x	\b, name=%s
>>7	string	>\0	\b, author=%-.14s
>>7	search/254	\xff	\b, info=
#>>>&0	string	x	\b%-s
>>>&0	string	x	\b%-.15s
# for FreeDOS *.KL files
0	string/b	KLF	FreeDOS KEYBoard Layout file
# only version=0x100 or 0x101 found
>3	uleshort	x	\b, version %#x
# stringlength
>5	ubyte	>0
>>8	string	x	\b, name=%-.2s
0	string	\xffKEYB\ \ \ \0\0\0\0
>12	string	\0\0\0\0`\004\360	MS-DOS KEYBoard Layout file

# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017,Aug 2020
# URL: http://fileformats.archiveteam.org/wiki/DOS_device_driver
# Reference: http://www.delorie.com/djgpp/doc/rbinter/it/46/16.html
# https://amaus.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009
0	ulequad&0x07a0ffffffff	0xffffffff
# skip OS/2 INI ./os2
>4	ubelong	!0x14000000
>>0	use	msdos-driver
0	name	msdos-driver	DOS executable (
#!:mime	application/octet-stream
!:mime	application/x-dosdriver
# also found FreeDOS print driver SPOOL.DEV and disc compression driver STACLOAD.BIN
# and IBM Token-Ring adapter IBMTOK.DOS. Why and when DOS instead SYS is used?
# PROTMAN.DOS ELNKPL.DOS
!:ext	sys/dev/bin/dos
# 1 space char after "UPX compressed" to get phrase like "UPX compressed character device"
>40	search/7	UPX!	\bUPX compressed
# DOS device driver attributes
>4	uleshort&0x8000	0x0000	\bblock device driver
# character device
>4	uleshort&0x8000	0x8000	\b
# 1 space char after "clock" to get phrase like "clock character device driver CLOCK$"
>>4	uleshort&0x0008	0x0008	\bclock
# fast video output by int 29h
# 1 space char after "fast" to get phrase like "fast standard input/output character device driver"
>>4	uleshort&0x0010	0x0010	\bfast
# standard input/output device
# 1 space char after "standard" to get phrase like "standard input/output character device driver"
>>4	uleshort&0x0003	>0	\bstandard
>>>4	uleshort&0x0001	0x0001	\binput
>>>4	uleshort&0x0003	0x0003	\b/
# 1 space char after "output" to get phrase like "input/output character device driver"
>>>4	uleshort&0x0002	0x0002	\boutput
>>4	uleshort&0x8000	0x8000	\bcharacter device driver
>0	ubyte	x
# upx compressed device driver has garbage instead of real in name field of header
>>40	search/7	UPX!
>>40	default	x
# leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped
# 1 space char before device driver name to get phrase like "device driver PROTMAN$"
>>>12	ubyte	>0x2E	\b
>>>>10	ubyte	>0x20
>>>>>10	ubyte	!0x2E
>>>>>>10	ubyte	!0x2A	\b%c
>>>>11	ubyte	>0x20
>>>>>11	ubyte	!0x2E	\b%c
>>>>12	ubyte	>0x20
>>>>>12	ubyte	!0x39
>>>>>>12	ubyte	!0x2E	\b%c
>>>13	ubyte	>0x20
>>>>13	ubyte	!0x2E	\b%c
>>>>14	ubyte	>0x20
>>>>>14	ubyte	!0x2E	\b%c
>>>>15	ubyte	>0x20
>>>>>15	ubyte	!0x2E	\b%c
>>>>16	ubyte	>0x20
>>>>>16	ubyte	!0x2E
>>>>>>16	ubyte	<0xCB	\b%c
>>>>17	ubyte	>0x20
>>>>>17	ubyte	!0x2E
>>>>>>17	ubyte	<0x90	\b%c
# some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field
>>>12	ubyte	<0x2F
# they have their real name at offset 22
# also block device drivers like DUMBDRV.SYS
>>>>22	string	>\056	%-.6s
>4	uleshort&0x8000	0x0000
# 32 bit sector addressing ( > 32 MB) for block devices
>>4	uleshort&0x0002	0x0002	\b,32-bit sector-
# support by driver functions 13h, 17h, 18h
>4	uleshort&0x0040	0x0040	\b,IOCTL-
# open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh
>4	uleshort&0x0800	0x0800	\b,close media-
# output until busy support by int 10h for character device driver
>4	uleshort&0x8000	0x8000
>>4	uleshort&0x2000	0x2000	\b,until busy-
# direct read/write support by driver functions 03h,0Ch
>4	uleshort&0x4000	0x4000	\b,control strings-
>4	uleshort&0x8000	0x8000
>>4	uleshort&0x6840	>0	\bsupport
>4	uleshort&0x8000	0x0000
>>4	uleshort&0x4842	>0	\bsupport
>0	ubyte	x	\b)
>0	ulelong	!0xffffffff	with pointer %#x
# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header
0	ulequad	0x0513c00000000012
>0	use	msdos-driver
# DOS drivers DC2975.SYS, DUMBDRV.SYS, ECHO.SYS has also none 0xffffffff for pointer field
0	ulequad	0x32f28000ffff0016
>0	use	msdos-driver
0	ulequad	0x007f00000000ffff
>0	use	msdos-driver
# https://www.uwe-sieber.de/files/cfg_echo.zip
0	ulequad	0x001600000000ffff
>0	use	msdos-driver
# DOS drivers LS120.SYS, MKELS120.SYS use reserved bits of attribute field
0	ulequad	0x0bf708c2ffffffff
>0	use	msdos-driver
0	ulequad	0x07bd08c2ffffffff
>0	use	msdos-driver
# 3Com EtherLink 3C501 CID\SERVER\IBMLS\IBM500D1\DLSNETDR.ZIP\ELNK.DOS
0	ulequad	0x027ac0c0ffffffff
>0	use	msdos-driver
# IBM Streamer CID\SERVER\IBMLS\IBM500D1\DLSNETDR.ZIP\IBMMPC.DOS
0	ulequad	0x00228880ffffffff
>0	use	msdos-driver

# updated by Joerg Jenderek
# GRR: line below too general as it catches also
# rt.lib DYADISKS.PIC and many more
# start with assembler instruction MOV
0	ubyte	0x8c
# skip "AppleWorks word processor data" like ARTICLE.1 ./apple
>4	string	!O====
# skip some unknown basic binaries like RocketRnger.SHR
>>5	string	!MAIN
# skip "GPG symmetrically encrypted data" ./gnu
# skip "PGP symmetric key encrypted data" ./pgp
# openpgpdefs.h: fourth byte < 14 indicate cipher algorithm type
>>>4	ubyte	>13	DOS executable (COM, 0x8C-variant)
# the remaining files should be DOS *.COM executables
# dosshell.COM 8cc0 2ea35f07 e85211 e88a11 b80058 cd
# hmload.COM 8cc8 8ec0 bbc02b 89dc 83c30f c1eb04 b4
# UNDELETE.COM 8cca 2e8916 6503 b430 cd21 8b 2e0200 8b
# BOOTFIX.COM 8cca 2e8916 9603 b430 cd21 8b 2e0200 8b
# RAWRITE3.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
# SHARE.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
# validchr.COM 8cca 2e8916 9603 b430 cd21 8b 2e028b1e
# devload.COM 8cca 8916ad01 b430 cd21 8b2e0200 892e
!:mime	application/x-dosexec
!:ext	com

# updated by Joerg Jenderek at Oct 2008
0	ulelong	0xffff10eb	DR-DOS executable (COM)
# byte 0xeb conflicts with "sequent" magic leshort 0xn2eb
0	ubeshort&0xeb8d	>0xeb00
# DR-DOS STACKER.COM SCREATE.SYS missed

0	name	msdos-com
>0	byte	x	DOS executable (COM)
!:mime	application/x-dosexec
!:ext	com
>6	string	SFX\ of\ LHarc	\b, %s
>0x1FE	leshort	0xAA55	\b, boot code
>85	string	UPX	\b, UPX compressed
>4	string	\ $ARX	\b, ARX self-extracting archive
>4	string	\ $LHarc	\b, LHarc self-extracting archive
>0x20e	string	SFX\ by\ LARC	\b, LARC self-extracting archive

# JMP 8bit
0	byte	0xeb
# allow forward jumps only
>1	byte	>-1
# that offset must be accessible
>>(1.b+2)	byte	x
>>>0	use	msdos-com

# JMP 16bit
0	byte	0xe9
# forward jumps
>1	short	>-1
# that offset must be accessible
>>(1.s+3)	byte	x
>>>0	use	msdos-com
# negative offset, must not lead into PSP
>1	short	<-259
# that offset must be accessible
>>(1,s+65539)	byte	x
>>>0	use	msdos-com

# updated by Joerg Jenderek at Oct 2008,2015
# following line is too general
0	ubyte	0xb8
# skip 2 linux kernels like memtest.bin with "\xb8\xc0\x07\x8e" in ./linux
>0	string	!\xb8\xc0\x07\x8e
# modified by Joerg Jenderek
# syslinux COM32 or COM32R executable
>>1	lelong&0xFFFFFFFe	0x21CD4CFe	COM executable (32-bit COMBOOT
# https://www.syslinux.org/wiki/index.php/Comboot_API
# Since version 5.00 c32 modules switched from the COM32 object format to ELF
!:mime	application/x-c32-comboot-syslinux-exec
!:ext	c32
# https://syslinux.zytor.com/comboot.php
# older syslinux version ( <4 )
# (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode
# start with assembler instructions mov eax,21cd4cffh
>>>1	lelong	0x21CD4CFf	\b)
# syslinux:doc/comboot.txt
# A COM32R program must start with the byte sequence B8 FE 4C CD 21 (mov
# eax,21cd4cfeh) as a magic number.
# syslinux version (4.x)
# "COM executable (COM32R)" or "Syslinux COM32 module" by TrID
>>>1	lelong	0x21CD4CFe	\b, relocatable)
# Hajin Jang <hajin_jang@worksmobile.com>:
# Disable simplest COM signature to prevent false positive on some EUC-KR text files.
## remaining are DOS COM executables starting with assembler instruction MOV
## like FreeDOS BANNER*.COM FINDDISK.COM GIF2RAW.COM WINCHK.COM
## MS-DOS SYS.COM RESTART.COM
## SYSLINUX.COM (version 1.40 - 2.13)
## GFXBOOT.COM (version 3.75)
## COPYBS.COM POWEROFF.COM INT18.COM
>>1	default	x	COM executable for DOS
!:mime	application/x-dosexec
##!:mime	application/x-ms-dos-executable
##!:mime	application/x-msdos-program
!:ext	com

# URL: https://en.wikipedia.org/wiki/UPX
# Reference: https://github.com/upx/upx/archive/v3.96.zip/upx-3.96/
# src/stub/src/i086-dos16.com.S
# Update: Joerg Jenderek
# assembler instructions: cmp sp, offset sp_limit
0	string/b	\x81\xfc
#>2	uleshort	x	\b, sp_limit=%#x
# assembler instructions: jump above +2; int 0x20; mov cx, offset bytes_to_copy
>4	string	\x77\x02\xcd\x20\xb9
#>9	uleshort	x	\b, [bytes_to_copy]=%#x
# at different offsets assembler instructions: push di; jump decomp_start_n2b
>0x1e	search/3	\x57\xe9
#>>&0	uleshort	x	\b, decomp_start_n2b=%#x
# src/stub/src/include/header.S; UPX_MAGIC_LE32
>>&2	string	UPX!	FREE-DOS executable (COM), UPX
!:mime	application/x-dosexec
# UPX compressed *.CPI; See ./fonts
>>>&21	string	=FONT	compressed DOS code page font
!:ext	cpx
>>>&21	string	!FONT	compressed
!:ext	com
# compressed size?
#>>>&14	uleshort+152	x	\b, %u bytes
# uncompressed len
>>>&12	uleshort	x	\b, uncompressed %u bytes
252	string	Must\ have\ DOS\ version	DR-DOS executable (COM)
!:mime	application/x-dosexec
!:ext	com
# GRR search is not working
#2	search/28	\xcd\x21	COM executable for MS-DOS
#WHICHFAT.cOM
2	string	\xcd\x21	COM executable for DOS
!:mime	application/x-dosexec
!:ext	com
#DELTREE.cOM DELTREE2.cOM
4	string	\xcd\x21	COM executable for DOS
!:mime	application/x-dosexec
!:ext	com
#IFMEMDSK.cOM ASSIGN.cOM COMP.cOM
5	string	\xcd\x21	COM executable for DOS
!:mime	application/x-dosexec
!:ext	com
#DELTMP.COm HASFAT32.cOM
7	string	\xcd\x21
>0	byte	!0xb8	COM executable for DOS
!:mime	application/x-dosexec
!:ext	com
#COMP.cOM MORE.COm
10	string	\xcd\x21
>5	string	!\xcd\x21	COM executable for DOS
!:mime	application/x-dosexec
!:ext	com
#comecho.com
13	string	\xcd\x21	COM executable for DOS
!:mime	application/x-dosexec
!:ext	com
#HELP.COm EDIT.coM
18	string	\xcd\x21
# not printable before it?
>17	byte	>32
>>17	byte	<126
>>17	default	x	COM executable for MS-DOS
!:mime	application/x-dosexec
!:ext	com
#NWRPLTRM.COm
23	string	\xcd\x21	COM executable for MS-DOS
!:mime	application/x-dosexec
!:ext	com
#LOADFIX.cOm LOADFIX.cOm
30	string	\xcd\x21	COM executable for MS-DOS
!:mime	application/x-dosexec
!:ext	com
#syslinux.com 3.11
70	string	\xcd\x21	COM executable for DOS
!:mime	application/x-dosexec
!:ext	com
# many compressed/converted COMs start with a copy loop instead of a jump
0x6	search/0xa	\xfc\x57\xf3\xa5\xc3	COM executable for MS-DOS
!:mime	application/x-dosexec
!:ext	com
0x6	search/0xa	\xfc\x57\xf3\xa4\xc3	COM executable for DOS
!:mime	application/x-dosexec
!:ext	com
>0x18	search/0x10	\x50\xa4\xff\xd5\x73	\b, aPack compressed
0x3c	string	W\ Collis\0\0	COM executable for MS-DOS, Compack compressed
!:mime	application/x-dosexec
!:ext	com
# FIXME: missing diet .com compression

# miscellaneous formats
0	string/b	LZ	MS-DOS executable (built-in)
#0	byte	0xf0	MS-DOS program library data
#

# AAF files:
# <stuartc@rd.bbc.co.uk> Stuart Cunningham
0	string/b	\320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377	AAF legacy file using MS Structured Storage
>30	byte	9	(512B sectors)
>30	byte	12	(4kB sectors)
0	string/b	\320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001	AAF file using MS Structured Storage
>30	byte	9	(512B sectors)
>30	byte	12	(4kB sectors)

# Popular applications
#
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/DOC
# Reference: https://web.archive.org/web/20170206041048/
# http://www.msxnet.org/word2rtf/formats/ffh-dosword5
# wIdent+dty
0	belong	0x31be0000
# skip droid skeleton like x-fmt-274-signature-id-488.doc
>128	ubyte	>0	Microsoft
>>96	uleshort	=0	Word
!:mime	application/msword
!:apple MSWDWDBN
# DCX is used in the Unix version.
!:ext doc/dcx
>>>0x6E ulequad =0 1.0-4.0
>>>0x6E ulequad !0 5.0-6.0
>>>0x6E ulequad x (DOS) Document
# https://web.archive.org/web/20130831064118/http://msxnet.org/word2rtf/formats/write.txt
>>96 uleshort !0 Write 3.0 (Windows) Document
!:mime application/x-mswrite
!:apple MSWDWDBN
# sometimes also doc like in splitter.doc srchtest.doc
!:ext wri/doc
# wTool must be 0125400 octal
#>>4 uleshort !0xAB00 \b, wTool %o
# reserved; must be zero
#>>6 ulelong !0 \b, reserved %u
# block pointer to the block containing optional file manager information
#>>0x1C uleshort x \b, at %#x info block
# jump to File manager information block
>>(0x1C.s*128) uleshort x
# test for valid information start; maybe also 0012h
>>>&-2 uleshort =0x0014
# Document ASCIIZ name
>>>>&0x12 string x %s
# author name
>>>>>&1 string x \b, author %s
# reviser name
>>>>>>&1 string x \b, reviser %s
# keywords
>>>>>>>&1 string x \b, keywords %s
# comment
>>>>>>>>&1 string x \b, comment %s
# version number
>>>>>>>>>&1 string x \b, version %s
# date of last change MM/DD/YY
>>>>>>>>>>&1 string x \b, %-.8s
# creation date MM/DD/YY
>>>>>>>>>>&9 string x created %-.8s
# file name of print format like NORMAL.STY
>>0x1E string >0 \b, formatted by %-.66s
# count of pages in whole file for write variant; maybe sometimes wrong
>>96 uleshort >0 \b, %u pages
# name of the printer driver like HPLASMS
>>0x62 string >0 \b, %-.8s printer
# number of blocks used in the file; seems to be 0 for Word 4.0 and Write 3.0
>>0x6A uleshort >0 \b, %u blocks
# bit field for corrected text areas
#>>0x6C uleshort x \b, %#x bit field
# text of document; sometimes start with 4 non printable characters like CR LF
>>128 ubyte x \b,
>>>128 ubyte >0x1F
>>>>128 string x %s
>>>128 ubyte <0x20
>>>>129 ubyte >0x1F
>>>>>129 string x %s
>>>>129 ubyte <0x20
>>>>>130 ubyte >0x1F
>>>>>>130 string x %s
>>>>>130 ubyte <0x20
>>>>>>131 ubyte >0x1F
>>>>>>>131 string x %s
>>>>>>131 ubyte <0x20
>>>>>>>132 ubyte >0x1F
>>>>>>>>132 string x %s
>>>>>>>132 ubyte <0x20
>>>>>>>>133 ubyte >0x1F
>>>>>>>>>133 string x %s
#
0 string/b PO^Q` Microsoft Word 6.0 Document
!:mime application/msword
#
4 long 0
>0 belong 0xfe320000 Microsoft Word for Macintosh 1.0
!:mime application/msword
!:ext mcw
>0 belong 0xfe340000 Microsoft Word for Macintosh 3.0
!:mime application/msword
!:ext mcw
>0 belong 0xfe37001c Microsoft Word for Macintosh 4.0
!:mime application/msword
!:ext mcw
>0 belong 0xfe370023 Microsoft Word for Macintosh 5.0
!:mime application/msword
!:ext mcw

0 string/b \333\245-\0\0\0 Microsoft Word 2.0 Document
!:mime application/msword
!:ext doc
# Note: seems already recognized as "OLE 2 Compound Document" in ./ole2compounddocs
#512 string/b \354\245\301 Microsoft Word Document
#!:mime application/msword

#
0 string/b \xDB\xA5\x2D\x00 Microsoft WinWord 2.0 Document
!:mime application/msword
#
0 string/b \xDB\xA5\x2D\x00 Microsoft WinWord 2.0 Document
!:mime application/msword

#
0 string/b \x09\x04\x06\x00\x00\x00\x10\x00 Microsoft Excel Worksheet
!:mime application/vnd.ms-excel
# https://www.macdisk.com/macsigen.php
!:apple XCELXLS4
!:ext xls
#
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/Lotus_1-2-3
# Reference: http://www.aboutvb.de/bas/formate/pdf/wk3.pdf
# Note: newer Lotus versions >2 use longer BOF record
# record type (BeginningOfFile=0000h) + length (001Ah)
0 belong 0x00001a00
# reserved should be 0h but 8c0dh for TUTMAC.WK3, 5h for SAMPADNS.WK3, 1h for a_readme.wk3, 1eh for K&G86.WK3
#>18 uleshort&0x73E0 0
# Lotus Multi Byte Character Set (LMBCS=1-31)
>20 ubyte >0
>>20 ubyte <32 Lotus 1-2-3
#!:mime application/x-123
!:mime application/vnd.lotus-1-2-3
!:apple ????L123
# (version 5.26) labeled the entry as "Lotus 1-2-3 wk3 document data"
>>>4 uleshort 0x1000 WorKsheet, version 3
!:ext wk3
# (version 5.26) labeled the entry as "Lotus 1-2-3 wk4 document data"
>>>4 uleshort 0x1002 WorKsheet, version 4
# also worksheet template 4 (.wt4)
!:ext wk4/wt4
# no example or documentation for wk5
#>>4 uleshort 0x???? WorKsheet, version 4
#!:ext wk5
# only MacrotoScript.123 example
>>>4 uleshort 0x1003 WorKsheet, version 97
# also worksheet template Smartmaster (.12M)?
!:ext 123
# only Set_Y2K.123 example
>>>4 uleshort 0x1005 WorKsheet, version 9.8 Millennium
!:ext 123
# no example for this version
>>>4 uleshort 0x8001 FoRMatting data
!:ext frm
# (version 5.26) labeled the entry as "Lotus 1-2-3 fm3 or fmb document data"
# TrID labels the entry as "Formatting Data for Lotus 1-2-3 worksheet"
>>>4 uleshort 0x8007 ForMatting data, version 3
!:ext fm3
>>>4 default x unknown
# file revision sub code 0004h for worksheets
>>>>6 uleshort =0x0004 worksheet
!:ext wXX
>>>>6 uleshort !0x0004 formatting data
!:ext fXX
# main revision number
>>>>4 uleshort x \b, revision %#x
>>>6 uleshort =0x0004 \b, cell range
# active cellcoord range (start row, page,column ; end row, page, column)
# start values normally 0~1st sheet A1
>>>>8 ulelong !0
>>>>>10 ubyte >0 \b%d*
>>>>>8 uleshort x \b%d,
>>>>>11 ubyte x \b%d-
# end page mostly 0
>>>>14 ubyte >0 \b%d*
# end row, column normally not 0
>>>>12 uleshort x \b%d,
>>>>15 ubyte x \b%d
# Lotus Multi Byte Character Set (1~cp850,2~cp851,...,16~japan,...,31~??)
>>>>20 ubyte >1 \b, character set %#x
# flags
>>>>21 ubyte x \b, flags %#x
>>>6 uleshort !0x0004
# record type (FONTNAME=00AEh)
>>>>30 search/29 \0\xAE
# variable length m (2) + entries (1) + ?? (1) + LMBCS string (n)
>>>>>&4 string >\0 \b, 1st font "%s"
#
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/Lotus_1-2-3
# Reference: http://www.schnarff.com/file-formats/lotus-1-2-3/WSFF2.TXT
# Note: Used by both old Lotus 1-2-3 and Lotus Symphony (DOS) until version 2.x
# record type (BeginningOfFile=0000h) + length (0002h)
0 belong 0x00000200
# GRR: line above is too general as it catches also MS Windows CURsor
# to display MS Windows cursor (strength=70) before Lotus 1-2-3 (strength=70-1)
!:strength -1
# skip Windows cursors with image height <256 and keep Lotus with low opcode 0001-0083h
>7 ubyte 0
# skip Windows cursors with image width 256 and keep Lotus with positive opcode
>>6 ubyte >0 Lotus
# !:mime application/x-123
!:mime application/vnd.lotus-1-2-3
!:apple ????L123
# revision number (0404h = 123 1A, 0405h = Lotus Symphony , 0406h = 123 2.x wk1 , 8006h = fmt , ...)
# undocumented; (version 5.26) labeled the configurations as "Lotus 1-2-3"
>>>4 uleshort 0x0007 1-2-3 CoNFiguration, version 2.x (PGRAPH.CNF)
!:ext cnf
>>>4 uleshort 0x0C05 1-2-3 CoNFiguration, version 2.4J
!:ext cnf
>>>4 uleshort 0x0801 1-2-3 CoNFiguration, version 1-2.1
!:ext cnf
>>>4 uleshort 0x0802 Symphony CoNFiguration
!:ext cnf
>>>4 uleshort 0x0804 1-2-3 CoNFiguration, version 2.2
!:ext cnf
>>>4 uleshort 0x080A 1-2-3 CoNFiguration, version 2.3-2.4
!:ext cnf
>>>4 uleshort 0x1402 1-2-3 CoNFiguration, version 3.x
!:ext cnf
>>>4 uleshort 0x1450 1-2-3 CoNFiguration, version 4.x
!:ext cnf
# (version 5.26) labeled the entry as "Lotus 123"
# TrID labels the entry as "Lotus 123 Worksheet (generic)"
>>>4 uleshort 0x0404 1-2-3 WorKSheet, version 1
# extension "wks" also for Microsoft Works document
!:ext wks
# (version 5.26) labeled the entry as "Lotus 123"
# TrID labels the entry as "Lotus 123 Worksheet (generic)"
>>>4 uleshort 0x0405 Symphony WoRksheet, version 1.0
!:ext wrk/wr1
# (version 5.26) labeled the entry as "Lotus 1-2-3 wk1 document data"
# TrID labels the entry as "Lotus 123 Worksheet (V2)"
>>>4 uleshort 0x0406 1-2-3/Symphony worksheet, version 2
# Symphony (.wr1)
!:ext wk1/wr1
# no example for this japan version
>>>4 uleshort 0x0600 1-2-3 WorKsheet, version 1.xJ
!:ext wj1
# no example or documentation for wk2
#>>>4 uleshort 0x???? 1-2-3 WorKsheet, version 2
#!:ext wk2
# undocumented japan version
>>>4 uleshort 0x0602 1-2-3 worksheet, version 2.4J
!:ext wj3
# (version 5.26) labeled the entry as "Lotus 1-2-3 fmt document data"
>>>4 uleshort 0x8006 1-2-3 ForMaTting data, version 2.x
# japan version 2.4J (fj3)
!:ext fmt/fj3
# no example for this version
>>>4 uleshort 0x8007 1-2-3 FoRMatting data, version 2.0
!:ext frm
# (version 5.26) labeled the entry as "Lotus 1-2-3"
>>>4 default x unknown worksheet or configuration
!:ext cnf
>>>>4 uleshort x \b, revision %#x
# 2nd record for most worksheets describes cells range
>>>6 use lotus-cells
# 3rd record for most japan worksheets describes cells range
>>>(8.s+10) use lotus-cells
# check and then display Lotus worksheet cells range
0 name lotus-cells
# look for type (RANGE=0006h) + length (0008h) at record begin
>0 ubelong 0x06000800 \b, cell range
# cell range (start column, row, end column, row) start values normally 0,0~A1 cell
>>4 ulong !0
>>>4 uleshort x \b%d,
>>>6 uleshort x \b%d-
# end of cell range
>>8 uleshort x \b%d,
>>10 uleshort x \b%d
# EndOfLotus123
0 string/b WordPro\0 Lotus WordPro
!:mime application/vnd.lotus-wordpro
0 string/b WordPro\r\373 Lotus WordPro
!:mime application/vnd.lotus-wordpro


# Summary: Script used by InstallShield to uninstall applications
# Extension: .isu
# Submitted by: unknown
# Modified by (1): Abel Cheung <abelcheung@gmail.com> (replace useless entry)
0 string \x71\xa8\x00\x00\x01\x02
>12 string Stirling\ Technologies, InstallShield Uninstall Script

# Winamp .avs
#0 string Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media player
0 string/b Nullsoft\ AVS\ Preset\  Winamp plug in

# Windows Metafile .WMF
0 string/b \327\315\306\232 Windows metafile
!:mime image/wmf
!:ext wmf
0 string/b \002\000\011\000 Windows metafile
!:mime image/wmf
!:ext wmf
0 string/b \001\000\011\000 Windows metafile
!:mime image/wmf
!:ext wmf

#tz3 files whatever that is (MS Works files)
0 string/b \003\001\001\004\070\001\000\000 tz3 ms-works file
0 string/b \003\002\001\004\070\001\000\000 tz3 ms-works file
0 string/b \003\003\001\004\070\001\000\000 tz3 ms-works file

# PGP sig files .sig
#0 string \211\000\077\003\005\000\063\237\127 065 to \027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\225\003\005\000\062\122\207\304\100\345\042 PGP sig

# windows zips files .dmf
0 string/b MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000 MS Windows special zipped file

# Windows icons
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
# Note: similar to Windows CURsor. container for BMP (only DIB part) or PNG
0 belong 0x00000100
>9 byte 0
>>0 byte x
>>0 use cur-ico-dir
>9 ubyte 0xff
>>0 byte x
>>0 use cur-ico-dir
# displays number of icons and information for icon or cursor
0 name cur-ico-dir
# skip some Lotus 1-2-3 worksheets, CYCLE.PIC and keep Windows cursors with
# 1st data offset = dir header size + n * dir entry size = 6 + n * 10h = ?6h
>18 ulelong &0x00000006
# skip remaining worksheets, because valid only for DIB image (40) or PNG image (\x89PNG)
>>(18.l) ulelong x MS Windows
>>>0 ubelong 0x00000100 icon resource
# https://www.iana.org/assignments/media-types/image/vnd.microsoft.icon
!:mime image/vnd.microsoft.icon
#!:mime image/x-icon
!:ext ico
>>>>4 uleshort x - %d icon
# plural s
>>>>4 uleshort >1 \bs
# 1st icon
>>>>0x06 use ico-entry
# 2nd icon
>>>>4 uleshort >1
>>>>>0x16 use ico-entry
>>>0 ubelong 0x00000200 cursor resource
#!:mime image/x-cur
!:mime image/x-win-bitmap
!:ext cur
>>>>4 uleshort x - %d icon
>>>>4 uleshort >1 \bs
# 1st cursor
>>>>0x06 use cur-entry
#>>>>0x16 use cur-entry
# display information of one cursor entry
0 name cur-entry
>0 use cur-ico-entry
>4 uleshort x \b, hotspot @%dx
>6 uleshort x \b%d
# display information of one icon entry
0 name ico-entry
>0 use cur-ico-entry
# normally 0 1 but also found 14
>4 uleshort >1 \b, %d planes
# normally 0 1 but also found some 3, 4, some 6, 8, 24, many 32, two 256
>6 uleshort >1 \b, %d bits/pixel
# display shared information of cursor or icon entry
0 name cur-ico-entry
>0 byte =0 \b, 256x
>0 byte !0 \b, %dx
>1 byte =0 \b256
>1 byte !0 \b%d
# number of colors in palette
>2 ubyte !0 \b, %d colors
# reserved 0 FFh
#>3 ubyte x \b, reserved %x
#>8 ulelong x \b, image size %d
# offset of PNG or DIB image
#>12 ulelong x \b, offset %#x
# PNG header (\x89PNG)
>(12.l) ubelong =0x89504e47
# 1 space char after "with" to get phrase "with PNG image" by magic in ./images
>>&-4 indirect x \b with 
# DIB image
>(12.l) ubelong !0x89504e47
#>>&-4 use dib-image

# Windows non-animated cursors
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
# Note: similar to Windows ICOn. container for BMP ( only DIB part)
# GRR: line below is too general as it catches also Lotus 1-2-3 files
0 belong 0x00000200
>9 byte 0
>>0 use cur-ico-dir
>9 ubyte 0xff
>>0 use cur-ico-dir

# .chr files
0 string/b PK\010\010BGI Borland font
>4 string >\0 %s
# then there is a copyright notice


# .bgi files
0 string/b pk\010\010BGI Borland device
>4 string >\0 %s
# then there is a copyright notice


# Windows Recycle Bin record file (named INFO2)
# By Abel Cheung (abelcheung AT gmail dot com)
# Version 4 always has 280 bytes (0x118) per record, version 5 has 800 bytes
# Since Vista uses another structure, INFO2 structure probably won't change
# anymore. Detailed analysis in:
# http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf
0 lelong 0x00000004
>12 lelong 0x00000118 Windows Recycle Bin INFO2 file (Win98 or below)

0 lelong 0x00000005
>12 lelong 0x00000320 Windows Recycle Bin INFO2 file (Win2k - WinXP)

# From Doug Lee via a FreeBSD pr
9 string GERBILDOC First Choice document
9 string GERBILDB First Choice database
9 string GERBILCLIP First Choice database
0 string GERBIL First Choice device file
9 string RABBITGRAPH RabbitGraph file
0 string DCU1 Borland Delphi .DCU file
0 string =!<spell> MKS Spell hash list (old format)
0 string =!<spell2> MKS Spell hash list
# Too simple - MPi
#0 string AH Halo(TM) bitmapped font file
0 lelong 0x08086b70 TurboC BGI file
0 lelong 0x08084b50 TurboC Font file

# Debian#712046: The magic below identifies "Delphi compiled form data".
# An additional source of information is available at:
# http://www.woodmann.com/fravia/dafix_t1.htm
0 string TPF0
>4 pstring >\0 Delphi compiled form '%s'

# tests for DBase files moved, updated and merged to database

0 string PMCC Windows 3.x .GRP file
1 string RDC-meg MegaDots
>8 byte >0x2F version %c
>9 byte >0x2F \b.%c file
0 lelong 0x4C
>4 lelong 0x00021401 Windows shortcut file

# .PIF files added by Joerg Jenderek from https://smsoft.ru/en/pifdoc.htm
# only for windows versions equal or greater 3.0
0x171 string MICROSOFT\ PIFEX\0 Windows Program Information File
!:mime application/x-dosexec
!:ext pif
#>2 string >\0 \b, Title:%.30s
>0x24 string >\0 \b for %.63s
>0x65 string >\0 \b, directory=%.64s
>0xA5 string >\0 \b, parameters=%.64s
#>0x181 leshort x \b, offset %x
#>0x183 leshort x \b, offsetdata %x
#>0x185 leshort x \b, section length %x
>0x187 search/0xB55 WINDOWS\ VMM\ 4.0\0
>>&0x5e ubyte >0
>>>&-1 string <PIFMGR.DLL \b, icon=%s
#>>>&-1 string PIFMGR.DLL \b, icon=%s
>>>&-1 string >PIFMGR.DLL \b, icon=%s
>>&0xF0 ubyte >0
>>>&-1 string <Terminal \b, font=%.32s
#>>>&-1 string =Terminal \b, font=%.32s
>>>&-1 string >Terminal \b, font=%.32s
>>&0x110 ubyte >0
>>>&-1 string <Lucida\ Console \b, TrueTypeFont=%.32s
#>>>&-1 string =Lucida\ Console \b, TrueTypeFont=%.32s
>>>&-1 string >Lucida\ Console \b, TrueTypeFont=%.32s
#>0x187 search/0xB55 WINDOWS\ 286\ 3.0\0 \b, Windows 3.X standard mode-style
#>0x187 search/0xB55 WINDOWS\ 386\ 3.0\0 \b, Windows 3.X enhanced mode-style
>0x187 search/0xB55 WINDOWS\ NT\ \ 3.1\0 \b, Windows NT-style
#>0x187 search/0xB55 WINDOWS\ NT\ \ 4.0\0 \b, Windows NT-style
>0x187 search/0xB55 CONFIG\ \ SYS\ 4.0\0 \b +CONFIG.SYS
#>>&06 string x \b:%s
>0x187 search/0xB55 AUTOEXECBAT\ 4.0\0 \b +AUTOEXEC.BAT
#>>&06 string x \b:%s

# DOS EPS Binary File Header
# From: Ed Sznyter <ews@Black.Market.NET>
0 belong 0xC5D0D3C6 DOS EPS Binary File
!:mime image/x-eps
>4 long >0 Postscript starts at byte %d
>>8 long >0 length %d
>>>12 long >0 Metafile starts at byte %d
>>>>16 long >0 length %d
>>>20 long >0 TIFF starts at byte %d
>>>>24 long >0 length %d

# TNEF magic From "Joomy" <joomy@se-ed.net>
# Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF)
0 lelong 0x223e9f78 TNEF
!:mime application/vnd.ms-tnef

# Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C
# of http://www.davep.org/norton-guides/ng2h-105.tgz
# https://en.wikipedia.org/wiki/Norton_Guides
0 string NG\0\001
# only value 0x100 found at offset 2
>2 ulelong 0x00000100 Norton Guide
!:mime application/x-norton-guide
# often like NORTON.NG but sometimes like NC.HLP
!:ext ng/hlp
# Title[40]
>>8 string >\0 "%-.40s"
#>>6 uleshort x \b, MenuCount=%u
# szCredits[5][66]
>>48 string >\0 \b, %-.66s
>>114 string >\0 %-.66s

# URL: https://en.wikipedia.org/wiki/Norton_Commander
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/msg-nc-eng.trid.xml
# From: Joerg Jenderek
# Note: Message file is used by executable with same main name.
# Only tested with version 5.50 (english) and 2.01 (Windows)
0 string Abort
# \0 or i
#>5 ubyte x %x
# skip ASCII Abort text by looking for error message like in NCVIEW.MSG
>6 search/7089 Non-DOS\ disk Norton Commander module message
!:mime application/x-norton-msg
!:ext msg

# URL: http://www.antonis.de/dos/dos-tuts/mpdostip/html/nwdostip.htm
# Reference: https://mark0.net/download/triddefs_xml.7z/defs/m/msg-netware-dos.trid.xml
# From: Joerg Jenderek
0 string DOS\ Client\ Message\ File: Novell DOS client message
#!:mime application/octet-stream
#!:mime application/x-novell-msg
!:ext msg
# look for second letter instead space character
>26 ubyte >0x20
# digit 1 or often main or program name like: IPXODI.COM TASKID pnwtrap DOSRqstr
>>25 ubyte !0x20 %c
>>>26 ubyte !0x20 \b%c
>>>>27 ubyte !0x20 \b%c
>>>>>28 ubyte !0x20 \b%c
>>>>>>29 ubyte !0x20 \b%c
>>>>>>>30 ubyte !0x20 \b%c
>>>>>>>>31 ubyte !0x20 \b%c
>>>>>>>>>32 ubyte !0x20 \b%c
>>>>>>>>>>33 ubyte !0x20 \b%c
>>>>>>>>>>>34 ubyte !0x20 \b%c
>>>>>>>>>>>>35 ubyte !0x20 \b%c
>>>>>>>>>>>>>36 ubyte !0x20 \b%c
# followed by string like: 0 v.10 V1.20
#
# followed by ,\040Tran
>28 search/14 ,\040Tran
# probably translated version string like: 0 v1.00
>>&0 string x \b, tran version %s
# followed by Ctrl-J Ctrl-Z
>>>&0 ubyte !0xa \b, terminated by %#2.2x
>>>>&0 ubyte x \b%2.2x
# Ctrl-Z
>0x65 ubyte !0x1A \b, at 0x65 %#x
# one
>0x66 ubyte !0x01 \b, at 0x66 %#x
# URL: https://en.wikipedia.org/wiki/NetWare
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dat-novell-msg.trid.xml
# ftp://ftp.iitb.ac.in/LDP/en/NLM-HOWTO/NLM-HOWTO-single.html
# From: Joerg Jenderek
0 string Novell\ Message\ Librarian\ Data\ File Novell message librarian data
#>35 string Version\ 1.00
#>49 string COPYRIGHT\ (c)\ 1985\ by\ Novell,\ Inc.
#>83 string \ \ All\ Rights\ Reserved
#!:mime application/octet-stream
#!:mime application/x-novell-msg
!:ext msg
#!:ext msg/dat
# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS
# of https://www.4dos.info/
# pointer,HelpID[8]=4DHnnnmm
0 ulelong 0x48443408 4DOS help file
>4 string x \b, version %-4.4s

# old binary Microsoft (.HLP) files added by Joerg Jenderek from http://file-extension.net/seeker/file_extension_hlp
0 ulequad 0x3a000000024e4c MS Advisor help file

# HtmlHelp files (.chm)
0 string/b ITSF\003\000\000\000\x60\000\000\000 MS Windows HtmlHelp Data

# GFA-BASIC (Wolfram Kleff)
2 string/b GFA-BASIC3 GFA-BASIC 3 data

#------------------------------------------------------------------------------
# From Stuart Caie <kyzer@4u.net> (developer of cabextract)
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/Cabinet_(file_format)
# Reference: https://msdn.microsoft.com/en-us/library/bb267310.aspx
# Note: verified by `7z l *.cab`
# Microsoft Cabinet files
0 string/b MSCF\0\0\0\0 Microsoft Cabinet archive data
#
# https://support.microsoft.com/en-us/help/973559/frequently-asked-questions-about-the-microsoft-support-diagnostic-tool
# CAB with *.{diagcfg,diagpkg} is used by Microsoft Support Diagnostic Tool MSDT.EXE
# because some archive does not have *.diag* as 1st or 2nd archive member like
# O15CTRRemove.diagcab or AzureStorageAnalyticsLogs_global.DiagCab
# brute looking after header for filenames with diagcfg or diagpkg extension in CFFILE section
>0x2c search/980/c .diag \b, Diagnostic
!:mime application/vnd.ms-cab-compressed
!:ext diagcab
# http://fileformats.archiveteam.org/wiki/PUZ
# Microsoft Publisher version about 2003 has a "Pack and Go" feature that
# bundles a Publisher document *PNG.pub with all links into a CAB
>0x2c search/300/c png.pub\0 \b, Publisher Packed and Go
!:mime application/vnd.ms-cab-compressed
!:ext puz
# ppz variant with Microsoft PowerPoint Viewer ppview32.exe to play PowerPoint presentation
>0x2c search/17/c ppview32.exe\0 \b, PowerPoint Viewer Packed and Go
!:mime application/vnd.ms-powerpoint
#!:mime application/mspowerpoint
!:ext ppz
# URL: https://en.wikipedia.org/wiki/Windows_Desktop_Gadgets
# Reference: https://docs.microsoft.com/en-us/previous-versions/windows/desktop/sidebar/
# http://win10gadgets.com/download/273/ All_CPU_Meter1.zip/All_CPU_Meter_V4.7.3.gadget
>0x2c search/968/c gadget.xml \b, Windows Desktop Gadget
#!:mime application/vnd.ms-cab-compressed
# http://extension.nirsoft.net/gadget
!:mime application/x-windows-gadget
!:ext gadget
# http://www.incredimail.com/
# IncrediMail CAB contains an initialisation file "content.ini" like in im2.ims
>0x2c search/3369/c content.ini\0 \b, IncrediMail
!:mime application/x-incredimail
# member Flavor.htm implies IncrediMail ecard like in tell_a_friend.imf
>>0x2c search/83/c Flavor.htm\0 ecard
!:ext imf
# member Macromedia Flash data *.swf implies IncrediMail skin like in im2.ims
>>0x2c search/211/c .swf\0 skin
!:ext ims
# member anim.im3 implies IncrediMail animation like in letter_fold.ima
>>0x2c search/92/c anim.im3\0 animation
!:ext ima
# other IncrediMail cab archive
>>0x2c default x
>>>0x2c search/116/c thumb ecard, image, notifier or skin
!:ext imf/imi/imn/ims
# http://file-extension.net/seeker/file_extension_ime
>>>0x2c default x emoticons or sound
!:ext ime/imw
# no Diagnostic, Packed and Go, Windows Desktop Gadget, IncrediMail
>0x2c default x
# look for 1st member name
>>(16.l+16) ubyte x
# https://en.wikipedia.org/wiki/SNP_file_format
>>>&-1 string/c _accrpt_.snp \b, Access report snapshot
!:mime application/msaccess
!:ext snp
# https://en.wikipedia.org/wiki/Microsoft_InfoPath
>>>&-1 string manifest.xsf \b, InfoPath Form Template
!:mime application/vnd.ms-cab-compressed
#!:mime application/vnd.ms-infopath
!:ext xsn
# https://www.cabextract.org.uk/wince_cab_format/
# extension of DOS 8+3 name with ".000" of 1st archive member name implies Windows CE installer
>>>&7 string =.000 \b, WinCE install
!:mime application/vnd.ms-cab-compressed
!:ext cab

# https://support.microsoft.com/kb/934307/en-US
# All inspected MSU contain a file with name WSUSSCAN.cab
# that is called "Windows Update meta data" by Microsoft
>>>&-1 string/c wsusscan.cab \b, Microsoft Standalone Update
!:mime application/vnd.ms-cab-compressed
!:ext msu
>>>&-1 default x
# look at point character of 1st archive member name for file name extension
>>>>&-1 search/255 .
# http://www.pptfaq.com/FAQ00164_What_is_a_PPZ_file-.htm
# PPZ were created using Pack & Go feature of PowerPoint versions 97 - 2002
# packs optional files, a PowerPoint presentation *.ppt with optional PLAYLIST.LST to CAB
>>>>>&0 string/c ppt\0 \b, PowerPoint Packed and Go
!:mime application/vnd.ms-powerpoint
#!:mime application/mspowerpoint
!:ext ppz
# https://msdn.microsoft.com/en-us/library/windows/desktop/bb773190(v=vs.85).aspx
# first member *.theme implies Windows 7 Theme Pack like in CommunityShowcaseAqua3.themepack
# or Windows 8 Desktop Theme Pack like in PanoramicGlaciers.deskthemepack
>>>>>&0 string/c theme \b, Windows
!:mime application/x-windows-themepack
# https://www.drewkeller.com/content/using-theme-both-windows-7-and-windows-8
# 1st member Panoramic.theme or Panoramas.theme implies Windows 8-10 Theme Pack
# with MTSM=RJSPBS in [MasterThemeSelector] inside *.theme
>>>>>>(16.l+16) string =Panoram 8
!:ext deskthemepack
>>>>>>(16.l+16) string !Panoram 7 or 8
!:ext themepack/deskthemepack
>>>>>>(16.l+16) ubyte x Theme Pack
>>>>>&0 default x
# look for null terminator of 1st member name
>>>>>>&0 search/255 \0
# 2nd member name WSUSSCAN.cab like in Microsoft-Windows-MediaFeaturePack-OOB-Package.msu
>>>>>>>&16 string/c wsusscan.cab \b, Microsoft Standalone Update
!:mime application/vnd.ms-cab-compressed
!:ext msu
>>>>>>>&16 default x
# archive with more than one file need some output in version 5.32 to avoid error message like
# Magdir/msdos, 1138: Warning: Current entry does not yet have a description for adding a MIME type
# Magdir/msdos, 1139: Warning: Current entry does not yet have a description for adding a EXTENSION type
# file: could not find any valid magic files!
>>>>>>>>28 uleshort >1 \b, many
!:mime application/vnd.ms-cab-compressed
!:ext cab
# remaining archives with just one file
>>>>>>>>28 uleshort =1
# neither extra bytes nor cab chain implies Windows 2000,XP setup files in directory i386
>>>>>>>>>30 uleshort =0x0000 \b, Windows 2000/XP setup
# cut off last char of source extension and add underscore to generate extension
# TERMCAP._ ... FXSCOUNT.H_ ... L3CODECA.AC_ ... NPDRMV2.ZI_
!:mime application/vnd.ms-cab-compressed
!:ext _/?_/??_
# archive need some output like "single" in version 5.32 to avoid error messages
>>>>>>>>>30 uleshort !0x0000 \b, single
!:mime application/vnd.ms-cab-compressed
!:ext cab
# TODO: additional extensions like
# .xtp InfoPath Template Part
# .lvf Logitech Video Effects Face Accessory
>8 ulelong x \b, %u bytes
>28 uleshort 1 \b, 1 file
>28 uleshort >1 \b, %u files
# Reserved fields, set to zero
#>4 belong !0 \b, reserved1 %x
#>12 belong !0 \b, reserved2 %x
# offset of the first CFFILE entry coffFiles: minimal 2Ch
>16 ulelong x \b, at %#x
>(16.l) use cab-file
# at least also 2nd member
>28 uleshort >1
>>(16.l+16) ubyte x
>>>&0 search/255 \0
# second member info
>>>>&0 use cab-file
#>20 belong !0 \b, reserved %x
# Cabinet file format version. Currently, versionMajor = 1 and versionMinor = 3
>24 ubeshort !0x0301 \b version %#x
# number of CFFOLDER entries
>26 uleshort >1 \b, %u cffolders
# cabinet file option indicators 1~PREVIOUS, 2~NEXT, 4~reserved fields
# only found for flags 0 1 2 3 4 not 7
>30 uleshort >0 \b, flags %#x
# Cabinet files have a 16-bit cabinet setID field that is designed for application use.
# default is zero, however, the -i option of cabarc can be used to set this field
>32 uleshort >0 \b, ID %u
# iCabinet is number of this cabinet file in a set, where 0 for the first cabinet
#>34 uleshort x \b, iCabinet %u
# add one for display because humans start numbering by 1 and also fit to name of disk szDisk*
>34 uleshort+1 x \b, number %u
>30 uleshort &0x0004 \b, extra bytes
# cbCFHeader optional size of per-cabinet reserved area 14h 1800h
>>36 uleshort >0 %u in head
# cbCFFolder is optional size of per-folder reserved area
>>38 ubyte >0 %u in folder
# cbCFData is optional size of per-datablock reserved area
>>39 ubyte >0 %u in data block
# optional per-cabinet reserved area abReserve[cbCFHeader]
>>36 uleshort >0
# 1st CFFOLDER after reserved area in header
>>>(36.s+40) use cab-folder
# no reserved area in header
>30 uleshort ^0x0004
# no previous and next cab archive
>>30 uleshort =0x0000
>>>36 use cab-folder
# only previous cab archive
>>30 uleshort =0x0001 \b, previous
>>>36 use cab-anchor
# only next cab archive
>>30 uleshort =0x0002 \b, next
>>>36 use cab-anchor
# previous+next cab archive
# can not use sub routine cab-anchor to display previous and next cabinet together
#>>>36 use cab-anchor
#>>>>&0 use cab-anchor
>>30 uleshort =0x0003 \b, previous
>>>36 string x %s
# optional name of previous disk szDisk*
>>>>&1 string x disk %s
>>>>>&1 string x \b, next %s
# optional name of next disk szDisk*
>>>>>>&1 string x disk %s
>>>>>>>&1 use cab-folder
# display filename and disk name of previous or next cabinet
0 name cab-anchor
# optional name of previous/next cabinet file szCabinet*[255]
>&0 string x %s
# optional name of previous/next disk szDisk*[255]
>>&1 string x disk %s
# display folder structure CFFOLDER information like compression of cabinet
0 name cab-folder
# offset of the CFDATA block in this folder
#>0 ulelong x \b, coffCabStart %#x
# number of CFDATA blocks in folder
>4 uleshort x \b, %u datablock
# plural s
>4 uleshort >1 \bs
# compression typeCompress: 0~None 1~MSZIP 0x1503~LZX:21 0x1003~LZX:16 0x0f03~LZX:15
>6 uleshort x \b, %#x compression
# optional per-folder reserved area
#>8 ubequad x \b, abReserve %#llx
# display member structure CFFILE information like member name of cabinet
0 name cab-file
# cbFile is uncompressed size of file in bytes
#>0 ulelong x \b, cbFile %u
# uoffFolderStart is uncompressed offset of file in folder
#>4 ulelong >0 \b, uoffFolderStart %#x
# iFolder is index into the CFFOLDER area. 0 indicates first folder in cabinet
# define ifoldCONTINUED_FROM_PREV (0xFFFD)
# define ifoldCONTINUED_TO_NEXT (0xFFFE)
# define ifoldCONTINUED_PREV_AND_NEXT (0xFFFF)
>8 uleshort >0 \b, iFolder %#x
# date stamp for file
#>10 uleshort x \b, date %#x
# time stamp for file
#>12 uleshort x \b, time %#x
# attribs is attribute flags for file
# define _A_RDONLY (0x01) file is read-only
# define _A_HIDDEN (0x02) file is hidden
# define _A_SYSTEM (0x04) file is a system file
# define _A_ARCH (0x20) file modified since last backup
# example http://sebastien.kirche.free.fr/pebuilder_plugins/depends.cab
# define _A_EXEC (0x40) run after extraction
# define _A_NAME_IS_UTF (0x80) szName[] contains UTF
# define UNKNOWN (0x0100) undocumented or accident
#>14 uleshort x \b, attribs %#x
>14 uleshort >0 +
>>14 uleshort &0x0001 \bR
>>14 uleshort &0x0002 \bH
>>14 uleshort &0x0004 \bS
>>14 uleshort &0x0020 \bA
>>14 uleshort &0x0040 \bX
>>14 uleshort &0x0080 \bUtf
# unknown 0x0100 flag found on one XP_CD:\I386\DRIVER.CAB
>>14 uleshort &0x0100 \b?
# szName is name of archive member
>16	string	x	"%s"
# next archive member name if more files
#>>&17	string	>\0	\b, NEXT NAME %-.50s

# InstallShield Cabinet files
0	string/b	ISc(	InstallShield Cabinet archive data
>5	byte&0xf0	=0x60	version 6,
>5	byte&0xf0	!0x60	version 4/5,
>(12.l+40)	lelong	x	%u files

# Windows CE package files
0	string/b	MSCE\0\0\0\0	Microsoft WinCE install header
>20	lelong	0	\b, architecture-independent
>20	lelong	103	\b, Hitachi SH3
>20	lelong	104	\b, Hitachi SH4
>20	lelong	0xA11	\b, StrongARM
>20	lelong	4000	\b, MIPS R4000
>20	lelong	10003	\b, Hitachi SH3
>20	lelong	10004	\b, Hitachi SH3E
>20	lelong	10005	\b, Hitachi SH4
>20	lelong	70001	\b, ARM 7TDMI
>52	leshort	1	\b, 1 file
>52	leshort	>1	\b, %u files
>56	leshort	1	\b, 1 registry entry
>56	leshort	>1	\b, %u registry entries


# Windows Enhanced Metafile (EMF)
# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp
# for further information.
0	ulelong	1
>40	string	\ EMF	Windows Enhanced Metafile (EMF) image data
>>44	ulelong	x	version %#x


0	string/b	\224\246\056	Microsoft Word Document
!:mime	application/msword

# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
# Magic type for Dell's BIOS .hdr files
# Dell's .hdr
0	string/b	$RBU
>23	string	Dell	%s system BIOS
>5	byte	2
>>48	byte	x	version %d.
>>49	byte	x	\b%d.
>>50	byte	x	\b%d
>5	byte	<2
>>48	string	x	version %.3s

# Type: Microsoft Document Imaging Format (.mdi)
# URL: https://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format
# From: Daniele Sempione <scrows@oziosi.org>
# Too weak (EP)
#0	short	0x5045	Microsoft Document Imaging Format

# MS eBook format (.lit)
0	string/b	ITOLITLS	Microsoft Reader eBook Data
>8	lelong	x	\b, version %u
!:mime	application/x-ms-reader

# Windows CE Binary Image Data Format
# From: Dr. Jesus <j@hug.gs>
0	string/b	B000FF\n	Windows Embedded CE binary image

# The second byte of these signatures is a file version; I don't know what,
# if anything, produced files with version numbers 0-2.
# From: John Elliott <johne@seasip.demon.co.uk>
0	string	\xfc\x03\x00	Mallard BASIC program data (v1.11)
0	string	\xfc\x04\x00	Mallard BASIC program data (v1.29+)
0	string	\xfc\x03\x01	Mallard BASIC protected program data (v1.11)
0	string	\xfc\x04\x01	Mallard BASIC protected program data (v1.29+)

0	string	MIOPEN	Mallard BASIC Jetsam data
0	string	Jetsam0	Mallard BASIC Jetsam index data

# DOS backup 2.0 to 3.2
# URL: http://fileformats.archiveteam.org/wiki/BACKUP_(MS-DOS)
# Reference: http://www.ibiblio.org/pub/micro/pc-stuff/freedos/files/dos/restore/brtecdoc.htm
# backupid.@@@

# plausibility check for date
0x3	ushort	>1979
>0x5	ubyte-1	<31
>>0x6	ubyte-1	<12
# actually 121 nul bytes
>>>0x7	string	\0\0\0\0\0\0\0\0
>>>>0x1	ubyte	x	DOS 2.0 backup id file, sequence %d
#!:mime	application/octet-stream
!:ext	@@@
>>>>0x0	ubyte	0xff	\b, last disk

# backed up file

# skip some AppleWorks word like Tomahawk.Awp, WIN98SE-DE.vhd
# by looking for trailing nul of maximal file name string
0x52	ubyte	0
# test for flag byte: FFh~complete file, 00h~split file
# FFh -127 = -1 -127 = -128
# 00h -127 = 0 -127 = -127
>0	byte-127	<-126
# plausibility check for file name length
>>0x53	ubyte-1	<78
# looking for terminating nul of file name string
>>>(0x53.b+4)	ubyte	0
# looking if last char of string is valid DOS file name
>>>>(0x53.b+3)	ubyte	>0x1F
# actually 44 nul bytes
# but sometimes garbage according to Ralf Quint. So can not be used as test
#>0x54	string	\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
# first char of full file name is DOS (5Ch) or UNIX (2Fh) path separator
# only DOS variant found. UNIX variant according to V32SLASH.TXT in archive PD0315.EXE
>>>>>5	ubyte&0x8C	0x0C
# ./msdos (version 5.30) labeled the entry as
# "DOS 2.0 backed up file %s, split file, sequence %d" or
# "DOS 2.0 backed up file %s, complete file"
>>>>>>0	ubyte	x	DOS 2.0-3.2 backed up
#>>>>>>0	ubyte	0xff	complete
>>>>>>0	ubyte	0
>>>>>>>1	uleshort	x	sequence %d of
# full file name with path but without drive letter and colon stored from 0x05 til 0x52
>>>>>>0x5	string	x	file %s
#!:mime	application/octet-stream
# backup name is original filename
#!:ext	doc/exe/rar/zip
#!:ext	*
# magic/Magdir/msdos, 1169: Warning: EXTENSION type ` *' has bad char '*'
# file: line 1169: Bad magic entry ' *'
# after header original file content
>>>>>>128	indirect	x	\b;


# DOS backup 3.3 to 5.x

# CONTROL.nnn files
0	string	\x8bBACKUP\x20
# actually 128 nul bytes
>0xa	string	\0\0\0\0\0\0\0\0
>>0x9	ubyte	x	DOS 3.3 backup control file, sequence %d
>>0x8a	ubyte	0xff	\b, last disk

# NB: The BACKUP.nnn files consist of the files backed up,
# concatenated.