xref: /freebsd/contrib/file/magic/Magdir/msdos (revision 3e8eb5c7f4909209c042403ddee340b2ee7003a5)
1
2#------------------------------------------------------------------------------
3# $File: msdos,v 1.152 2021/10/12 18:26:10 christos Exp $
4# msdos:  file(1) magic for MS-DOS files
5#
6
7# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com)
8# updated by Joerg Jenderek at Oct 2008,Apr 2011
90	string/t	@
10>1	string/cW	\ echo\ off	DOS batch file text
11!:mime	text/x-msdos-batch
12!:ext	bat
13>1	string/cW	echo\ off	DOS batch file text
14!:mime	text/x-msdos-batch
15!:ext	bat
16>1	string/cW	rem		DOS batch file text
17!:mime	text/x-msdos-batch
18!:ext	bat
19>1	string/cW	set\ 		DOS batch file text
20!:mime	text/x-msdos-batch
21!:ext	bat
22
23
24# OS/2 batch files are REXX. the second regex is a bit generic, oh well
25# the matched commands seem to be common in REXX and uncommon elsewhere
26100	search/0xffff   rxfuncadd
27>100	regex/c =^[\ \t]{0,10}call[\ \t]{1,10}rxfunc	OS/2 REXX batch file text
28100	search/0xffff   say
29>100	regex/c =^[\ \t]{0,10}say\ ['"]			OS/2 REXX batch file text
30
31# updated by Joerg Jenderek at Oct 2015
32# https://de.wikipedia.org/wiki/Common_Object_File_Format
33# http://www.delorie.com/djgpp/doc/coff/filhdr.html
34# ./intel already labeled COFF type 0x14c=0514 as "80386 COFF executable"
35#0	leshort		0x14c	MS Windows COFF Intel 80386 object file
36#>4	ledate		x	stamp %s
370	leshort		0x166	MS Windows COFF MIPS R4000 object file
38#>4	ledate		x	stamp %s
390	leshort		0x184	MS Windows COFF Alpha object file
40#>4	ledate		x	stamp %s
410	leshort		0x268	MS Windows COFF Motorola 68000 object file
42#>4	ledate		x	stamp %s
430	leshort		0x1f0	MS Windows COFF PowerPC object file
44#>4	ledate		x	stamp %s
450	leshort		0x290	MS Windows COFF PA-RISC object file
46#>4	ledate		x	stamp %s
47
48# Tests for various EXE types.
49#
50# Many of the compressed formats were extracted from IDARC 1.23 source code.
51#
520	string/b	MZ
53# All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file.
54>0x18	leshort <0x40 MS-DOS executable
55!:mime	application/x-dosexec
56# Windows and later versions of DOS will allow .EXEs to be named with a .COM
57# extension, mostly for compatibility's sake.
58# URL:		https://en.wikipedia.org/wiki/Personal_NetWare#VLM
59# Reference:	https://mark0.net/download/triddefs_xml.7z/defs/e/exe-vlm-msg.trid.xml
60!:ext	exe/com/vlm
61# These traditional tests usually work but not always.  When test quality support is
62# implemented these can be turned on.
63#>>0x18	leshort	0x1c	(Borland compiler)
64#>>0x18	leshort	0x1e	(MS compiler)
65
66# Maybe it's a PE?
67>(0x3c.l)	string		PE\0\0	PE
68!:mime	application/x-dosexec
69>>(0x3c.l+24)	leshort		0x010b	\b32 executable
70>>(0x3c.l+24)	leshort		0x020b	\b32+ executable
71>>(0x3c.l+24)	leshort		0x0107	ROM image
72>>(0x3c.l+24)	default		x	Unknown PE signature
73>>>&0 		leshort		x	%#x
74>>(0x3c.l+22)	leshort&0x2000	>0	(DLL)
75>>(0x3c.l+92)	leshort		1
76# Native PEs include ntoskrnl.exe, hal.dll, smss.exe, autochk.exe, and all the
77# drivers in Windows/System32/drivers/*.sys.
78>>>(0x3c.l+22)	leshort&0x2000	>0	(native)
79!:ext	dll/sys
80>>>(0x3c.l+22)	leshort&0x2000	0	(native)
81!:ext	exe/sys
82>>(0x3c.l+92)	leshort		2
83>>>(0x3c.l+22)	leshort&0x2000	>0	(GUI)
84# These could probably be at least partially distinguished from one another by
85# looking for specific exported functions.
86# CPL: Control Panel item
87# TLB: Type library
88# OCX: OLE/ActiveX control
89# ACM: Audio compression manager codec
90# AX: DirectShow source filter
91# IME: Input method editor
92!:ext	dll/cpl/tlb/ocx/acm/ax/ime
93>>>(0x3c.l+22)	leshort&0x2000	0	(GUI)
94# Screen savers typically include code from the scrnsave.lib static library, but
95# that's not guaranteed.
96!:ext	exe/scr
97>>(0x3c.l+92)	leshort		3
98>>>(0x3c.l+22)	leshort&0x2000	>0	(console)
99!:ext	dll/cpl/tlb/ocx/acm/ax/ime
100>>>(0x3c.l+22)	leshort&0x2000	0	(console)
101!:ext	exe/com
102# https://docs.microsoft.com/en-us/windows/win32/debug/pe-format
103>>(0x3c.l+92)	leshort		7	(POSIX)
104>>(0x3c.l+92)	leshort		9	(Windows CE)
105>>(0x3c.l+92)	leshort		10	(EFI application)
106>>(0x3c.l+92)	leshort		11	(EFI boot service driver)
107>>(0x3c.l+92)	leshort		12	(EFI runtime driver)
108>>(0x3c.l+92)	leshort		13	(EFI ROM)
109>>(0x3c.l+92)	leshort		14	(XBOX)
110>>(0x3c.l+92)	leshort		15	(Windows boot application)
111>>(0x3c.l+92)	default		x	(Unknown subsystem
112>>>&0		leshort		x	%#x)
113>>(0x3c.l+4)	leshort		0x14c	Intel 80386
114>>(0x3c.l+4)	leshort		0x166	MIPS R4000
115>>(0x3c.l+4)	leshort		0x168	MIPS R10000
116>>(0x3c.l+4)	leshort		0x184	Alpha
117>>(0x3c.l+4)	leshort		0x1a2	Hitachi SH3
118>>(0x3c.l+4)	leshort		0x1a3	Hitachi SH3 DSP
119>>(0x3c.l+4)	leshort		0x1a8	Hitachi SH5
120>>(0x3c.l+4)	leshort		0x169	MIPS WCE v2
121>>(0x3c.l+4)	leshort		0x1a6	Hitachi SH4
122>>(0x3c.l+4)	leshort		0x1c0	ARM
123>>(0x3c.l+4)	leshort		0x1c2	ARM Thumb
124>>(0x3c.l+4)	leshort		0x1c4	ARMv7 Thumb
125>>(0x3c.l+4)	leshort		0x1d3	Matsushita AM33
126>>(0x3c.l+4)	leshort		0x1f0	PowerPC
127>>(0x3c.l+4)	leshort		0x1f1	PowerPC with FPU
128>>(0x3c.l+4)	leshort		0x1f2	PowerPC (big-endian)
129>>(0x3c.l+4)	leshort		0x200	Intel Itanium
130>>(0x3c.l+4)	leshort		0x266	MIPS16
131>>(0x3c.l+4)	leshort		0x268	Motorola 68000
132>>(0x3c.l+4)	leshort		0x290	PA-RISC
133>>(0x3c.l+4)	leshort		0x366	MIPSIV
134>>(0x3c.l+4)	leshort		0x466	MIPS16 with FPU
135>>(0x3c.l+4)	leshort		0xebc	EFI byte code
136>>(0x3c.l+4)	leshort		0x5032	RISC-V 32-bit
137>>(0x3c.l+4)	leshort		0x5064	RISC-V 64-bit
138>>(0x3c.l+4)	leshort		0x5128	RISC-V 128-bit
139>>(0x3c.l+4)	leshort		0x9041	Mitsubishi M32R
140>>(0x3c.l+4)	leshort		0x8664	x86-64
141>>(0x3c.l+4)	leshort		0xaa64	Aarch64
142>>(0x3c.l+4)	leshort		0xc0ee	MSIL
143>>(0x3c.l+4)	default		x	Unknown processor type
144>>>&0		leshort		x	%#x
145>>(0x3c.l+22)	leshort&0x0200	>0	(stripped to external PDB)
146>>(0x3c.l+22)	leshort&0x1000	>0	system file
147>>(0x3c.l+24)	leshort		0x010b
148>>>(0x3c.l+232) lelong	>0	Mono/.Net assembly
149>>(0x3c.l+24)	leshort		0x020b
150>>>(0x3c.l+248) lelong	>0	Mono/.Net assembly
151
152# hooray, there's a DOS extender using the PE format, with a valid PE
153# executable inside (which just prints a message and exits if run in win)
154>>(8.s*16)		string		32STUB	\b, 32rtm DOS extender
155>>(8.s*16)		string		!32STUB	\b, for MS Windows
156>>(0x3c.l+0xf8)		string		UPX0 \b, UPX compressed
157>>(0x3c.l+0xf8)		search/0x140	PEC2 \b, PECompact2 compressed
158>>(0x3c.l+0xf8)		search/0x140	UPX2
159>>>(&0x10.l+(-4))	string		PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
160>>(0x3c.l+0xf8)		search/0x140	.idata
161>>>(&0xe.l+(-4))	string		PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
162>>>(&0xe.l+(-4))	string		ZZ0 \b, ZZip self-extracting archive
163>>>(&0xe.l+(-4))	string		ZZ1 \b, ZZip self-extracting archive
164>>(0x3c.l+0xf8)		search/0x140	.rsrc
165>>>(&0x0f.l+(-4))	string		a\\\4\5 \b, WinHKI self-extracting archive
166>>>(&0x0f.l+(-4))	string		Rar! \b, RAR self-extracting archive
167>>>(&0x0f.l+(-4))	search/0x3000	MSCF \b, InstallShield self-extracting archive
168>>>(&0x0f.l+(-4))	search/32	Nullsoft \b, Nullsoft Installer self-extracting archive
169>>(0x3c.l+0xf8)		search/0x140	.data
170>>>(&0x0f.l)		string		WEXTRACT \b, MS CAB-Installer self-extracting archive
171>>(0x3c.l+0xf8)		search/0x140	.petite\0 \b, Petite compressed
172>>>(0x3c.l+0xf7)	byte		x
173>>>>(&0x104.l+(-4))	string		=!sfx! \b, ACE self-extracting archive
174>>(0x3c.l+0xf8)		search/0x140	.WISE \b, WISE installer self-extracting archive
175>>(0x3c.l+0xf8)		search/0x140	.dz\0\0\0 \b, Dzip self-extracting archive
176>>&(0x3c.l+0xf8)	search/0x100	_winzip_ \b, ZIP self-extracting archive (WinZip)
177>>&(0x3c.l+0xf8)	search/0x100	SharedD \b, Microsoft Installer self-extracting archive
178>>0x30			string		Inno \b, InnoSetup self-extracting archive
179
180# If the relocation table is 0x40 or more bytes into the file, it's definitely
181# not a DOS EXE.
182>0x18  leshort >0x3f
183
184# Hmm, not a PE but the relocation table is too high for a traditional DOS exe,
185# must be one of the unusual subformats.
186>>(0x3c.l) string !PE\0\0 MS-DOS executable
187!:mime	application/x-dosexec
188
189>>(0x3c.l)		string		NE \b, NE
190!:mime	application/x-dosexec
191>>>(0x3c.l+0x36)	byte		1 for OS/2 1.x
192>>>(0x3c.l+0x36)	byte		2 for MS Windows 3.x
193>>>(0x3c.l+0x36)	byte		3 for MS-DOS
194>>>(0x3c.l+0x36)	byte		4 for Windows 386
195>>>(0x3c.l+0x36)	byte		5 for Borland Operating System Services
196>>>(0x3c.l+0x36)	default		x
197>>>>(0x3c.l+0x36)	byte		x (unknown OS %x)
198>>>(0x3c.l+0x36)	byte		0x81 for MS-DOS, Phar Lap DOS extender
199>>>(0x3c.l+0x0c)	leshort&0x8000	0x8000 (DLL or font)
200# DRV: Driver
201# 3GR: Grabber device driver
202# CPL: Control Panel Item
203# VBX: Visual Basic Extension
204# FON: Bitmap font
205# FOT: Font resource file
206!:ext	dll/drv/3gr/cpl/vbx/fon/fot
207>>>(0x3c.l+0x0c)	leshort&0x8000	0 (EXE)
208!:ext	exe/scr
209>>>&(&0x24.s-1)		string		ARJSFX \b, ARJ self-extracting archive
210>>>(0x3c.l+0x70)	search/0x80	WinZip(R)\ Self-Extractor \b, ZIP self-extracting archive (WinZip)
211
212>>(0x3c.l)		string		LX\0\0 \b, LX
213!:mime	application/x-dosexec
214>>>(0x3c.l+0x0a)	leshort		<1 (unknown OS)
215>>>(0x3c.l+0x0a)	leshort		1 for OS/2
216>>>(0x3c.l+0x0a)	leshort		2 for MS Windows
217>>>(0x3c.l+0x0a)	leshort		3 for DOS
218>>>(0x3c.l+0x0a)	leshort		>3 (unknown OS)
219>>>(0x3c.l+0x10)	lelong&0x28000	=0x8000 (DLL)
220>>>(0x3c.l+0x10)	lelong&0x20000	>0 (device driver)
221>>>(0x3c.l+0x10)	lelong&0x300	0x300 (GUI)
222>>>(0x3c.l+0x10)	lelong&0x28300	<0x300 (console)
223>>>(0x3c.l+0x08)	leshort		1 i80286
224>>>(0x3c.l+0x08)	leshort		2 i80386
225>>>(0x3c.l+0x08)	leshort		3 i80486
226>>>(8.s*16)		string		emx \b, emx
227>>>>&1			string		x %s
228>>>&(&0x54.l-3)		string		arjsfx \b, ARJ self-extracting archive
229
230# MS Windows system file, supposedly a collection of LE executables
231>>(0x3c.l)		string		W3 \b, W3 for MS Windows
232!:mime	application/x-dosexec
233
234>>(0x3c.l)		string		LE\0\0 \b, LE executable
235!:mime	application/x-dosexec
236>>>(0x3c.l+0x0a)	leshort		1
237# some DOS extenders use LE files with OS/2 header
238>>>>0x240		search/0x100	DOS/4G for MS-DOS, DOS4GW DOS extender
239>>>>0x240		search/0x200	WATCOM\ C/C++ for MS-DOS, DOS4GW DOS extender
240>>>>0x440		search/0x100	CauseWay\ DOS\ Extender for MS-DOS, CauseWay DOS extender
241>>>>0x40		search/0x40	PMODE/W for MS-DOS, PMODE/W DOS extender
242>>>>0x40		search/0x40	STUB/32A for MS-DOS, DOS/32A DOS extender (stub)
243>>>>0x40		search/0x80	STUB/32C for MS-DOS, DOS/32A DOS extender (configurable stub)
244>>>>0x40		search/0x80	DOS/32A for MS-DOS, DOS/32A DOS extender (embedded)
245# this is a wild guess; hopefully it is a specific signature
246>>>>&0x24		lelong		<0x50
247>>>>>(&0x4c.l)		string		\xfc\xb8WATCOM
248>>>>>>&0		search/8	3\xdbf\xb9 \b, 32Lite compressed
249# another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP
250#>>>>(0x3c.l+0x1c)	lelong		>0x10000 for OS/2
251# fails with DOS-Extenders.
252>>>(0x3c.l+0x0a)	leshort		2 for MS Windows
253>>>(0x3c.l+0x0a)	leshort		3 for DOS
254>>>(0x3c.l+0x0a)	leshort		4 for MS Windows (VxD)
255# VXD: VxD for Windows 95/98/Me
256# 386: VxD for Windows 2.10, 3.0, 3.1x
257# PDR: Port driver
258# MPD: Miniport driver (?)
259!:ext	vxd/386/pdr/mpd
260>>>(&0x7c.l+0x26)	string		UPX \b, UPX compressed
261>>>&(&0x54.l-3)		string		UNACE \b, ACE self-extracting archive
262
263# looks like ASCII, probably some embedded copyright message.
264# and definitely not NE/LE/LX/PE
265>>0x3c		lelong	>0x20000000
266>>>(4.s*512)	leshort !0x014c \b, MZ for MS-DOS
267!:mime	application/x-dosexec
268!:ext	exe/com
269# header data too small for extended executable
270>2		long	!0
271>>0x18		leshort <0x40
272>>>(4.s*512)	leshort !0x014c
273
274>>>>&(2.s-514)	string	!LE
275>>>>>&-2	string	!BW \b, MZ for MS-DOS
276!:mime	application/x-dosexec
277>>>>&(2.s-514)	string	LE \b, LE
278>>>>>0x240	search/0x100	DOS/4G for MS-DOS, DOS4GW DOS extender
279# educated guess since indirection is still not capable enough for complex offset
280# calculations (next embedded executable would be at &(&2*512+&0-2)
281# I suspect there are only LE executables in these multi-exe files
282>>>>&(2.s-514)	string	BW
283>>>>>0x240	search/0x100	DOS/4G	\b, LE for MS-DOS, DOS4GW DOS extender (embedded)
284>>>>>0x240	search/0x100	!DOS/4G	\b, BW collection for MS-DOS
285
286# This sequence skips to the first COFF segment, usually .text
287>(4.s*512)	leshort		0x014c \b, COFF
288!:mime	application/x-dosexec
289>>(8.s*16)	string		go32stub for MS-DOS, DJGPP go32 DOS extender
290>>(8.s*16)	string		emx
291>>>&1		string		x for DOS, Win or OS/2, emx %s
292>>&(&0x42.l-3)	byte		x
293>>>&0x26	string		UPX \b, UPX compressed
294# and yet another guess: small .text, and after large .data is unusual, could be 32lite
295>>&0x2c		search/0xa0	.text
296>>>&0x0b	lelong		<0x2000
297>>>>&0		lelong		>0x6000 \b, 32lite compressed
298
299>(8.s*16) string $WdX \b, WDos/X DOS extender
300
301# By now an executable type should have been printed out.  The executable
302# may be a self-uncompressing archive, so look for evidence of that and
303# print it out.
304#
305# Some signatures below from Greg Roelofs, newt@uchicago.edu.
306#
307>0x35	string	\x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05 \b, aPack compressed
308>0xe7	string	LH/2\ 	Self-Extract \b, %s
309>0x1c	string	UC2X	\b, UCEXE compressed
310>0x1c	string	WWP\ 	\b, WWPACK compressed
311>0x1c	string	RJSX 	\b, ARJ self-extracting archive
312>0x1c	string	diet 	\b, diet compressed
313>0x1c	string	LZ09 	\b, LZEXE v0.90 compressed
314>0x1c	string	LZ91 	\b, LZEXE v0.91 compressed
315>0x1c	string	tz 	\b, TinyProg compressed
316>0x1e	string	Copyright\ 1989-1990\ PKWARE\ Inc.	Self-extracting PKZIP archive
317!:mime	application/zip
318# Yes, this really is "Copr", not "Corp."
319>0x1e	string	PKLITE\ Copr.	Self-extracting PKZIP archive
320!:mime	application/zip
321# winarj stores a message in the stub instead of the sig in the MZ header
322>0x20	search/0xe0	aRJsfX \b, ARJ self-extracting archive
323>0x20	string AIN
324>>0x23	string 2	\b, AIN 2.x compressed
325>>0x23	string <2	\b, AIN 1.x compressed
326>>0x23	string >2	\b, AIN 1.x compressed
327>0x24	string	LHa's\ SFX \b, LHa self-extracting archive
328!:mime	application/x-lha
329>0x24	string	LHA's\ SFX \b, LHa self-extracting archive
330!:mime	application/x-lha
331>0x24	string	\ $ARX \b, ARX self-extracting archive
332>0x24	string	\ $LHarc \b, LHarc self-extracting archive
333>0x20	string	SFX\ by\ LARC \b, LARC self-extracting archive
334>0x40	string aPKG \b, aPackage self-extracting archive
335>0x64	string	W\ Collis\0\0 \b, Compack compressed
336>0x7a	string		Windows\ self-extracting\ ZIP	\b, ZIP self-extracting archive
337>>&0xf4 search/0x140 \x0\x40\x1\x0
338>>>(&0.l+(4)) string MSCF \b, WinHKI CAB self-extracting archive
339>1638	string	-lh5- \b, LHa self-extracting archive v2.13S
340>0x17888 string Rar! \b, RAR self-extracting archive
341
342# Skip to the end of the EXE.  This will usually work fine in the PE case
343# because the MZ image is hardcoded into the toolchain and almost certainly
344# won't match any of these signatures.
345>(4.s*512)	long	x
346>>&(2.s-517)	byte	x
347>>>&0	string		PK\3\4 \b, ZIP self-extracting archive
348>>>&0	string		Rar! \b, RAR self-extracting archive
349>>>&0	string		=!\x11 \b, AIN 2.x self-extracting archive
350>>>&0	string		=!\x12 \b, AIN 2.x self-extracting archive
351>>>&0	string		=!\x17 \b, AIN 1.x self-extracting archive
352>>>&0	string		=!\x18 \b, AIN 1.x self-extracting archive
353>>>&7	search/400	**ACE** \b, ACE self-extracting archive
354>>>&0	search/0x480	UC2SFX\ Header \b, UC2 self-extracting archive
355
356# a few unknown ZIP sfxes, no idea if they are needed or if they are
357# already captured by the generic patterns above
358>(8.s*16)	search/0x20	PKSFX \b, ZIP self-extracting archive (PKZIP)
359# TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extracting archive
360#
361
362# TELVOX Teleinformatica CODEC self-extractor for OS/2:
363>49801	string	\x79\xff\x80\xff\x76\xff	\b, CODEC archive v3.21
364>>49824 leshort		=1			\b, 1 file
365>>49824 leshort		>1			\b, %u files
366
367# Summary:	OS/2 LX Library and device driver (no DOS stub)
368# From:		Joerg Jenderek
369# URL:		http://en.wikipedia.org/wiki/EXE
370# Reference:	http://www.textfiles.com/programming/FORMATS/lxexe.txt
371#		https://github.com/open-watcom/open-watcom-v2/blob/master/bld/watcom/h/exeflat.h
372# Note:		by dll-os2-no-dos-stub.trid.xml called "OS/2 Dynamic Link Library (no DOS stub)"
373# TODO:		unify with DOS stub variant (MZ magic)
3740	string/b	LX
375>2	ushort		=0
376>>0	use			lx-executable
377# no examples found for big endian variant
378>2	ushort		=0x0101
379>>0	use			\^lx-executable
3800       name    	lx-executable
381# similar looking like variant with MS-DOS stub (MZ magic): "MS-DOS executable, LX"
382#>0x00	uleshort		x	executable,
383# signature OSF_FLAT_LX_SIGNATURE~0x584C~LX OSF_FLAT_SIGNATURE~0x454C~LE
384>0x00	uleshort		=0x584c	LX
385>0x00	uleshort		=0x454C	LE
386>0x00	uleshort		x	executable
387#!:mime	application/x-msdownload
388!:mime	application/x-lx-executable
389# byte order: 00h~little-endian non-zero=1~big-endian
390#>0x02	ubyte			=0		(little-endian)
391>0x02	ubyte			!0		(big-endian)
392# FOR DEBUGGING!
393# word order: 00h~little-endian non-zero=1~big-endian
394#>0x03	ubyte			=0		\b, little-endian word order
395#>0x03	ubyte			!0		\b, big-endian word order
396# cpu_type; CPU type like: 1~286 2~386 3~486 4 20h~i860 21h~Intel N11 40h~MIPS R2000,R3000 41h~MIPS R6000 42h~MIPS R4000
397#>0x08	uleshort		x		\b, CPU %u
398# os_type; target operating system like: 0~unknown 1~OS/2 2~Windows 3~DOS 4.x 4~Windows 386
399#>0x0A	leshort			x		\b, OS %u
400# flags; module type flags
401#>0x10	ulelong			x		\b, FLAGS %#8.8x
402# 00000002h				~Reserved for system use
403#>0x10	ulelong			&0x00000002	\b, 2h reserved
404# OSF_INIT_INSTANCE=00000004h		~Per-Process Library Initialization; setting this bit for EXE file is invalid
405#>0x10	ulelong			&0x00000004	\b, per-process library Initialization
406# OSF_INTERNAL_FIXUPS_DONE=00000010h	~Internal fixups for the module have been applied
407#>0x10	ulelong			&0x00000010	\b, int. fixup
408# OSF_EXTERNAL_FIXUPS_DONE=00000020h	~External fixups for the module have been applied
409#>0x10	ulelong			&0x00000020	\b, ext. fixup
410# OSF_NOT_PM_COMPATIBLE=00000100h	~Incompatible with PM windowing
411#>0x10	ulelong&0x00000100	=0x00000100	\b, incompatible with PM windowing
412# OSF_PM_COMPATIBLE=00000200h		~Compatible with PM windowing
413#>0x10	ulelong&0x00000200	=0x00000200	\b, compatible with PM windowing
414# bit 17; device driver
415#>0x10	ulelong&0x00020000	>0		\b, device driver
416# Per-process Library Termination; setting this bit for EXE file is invalid
417#>0x10	ulelong&0x40000000	=0x40000000	\b, per-process library termination
418>0x0a	leshort			1		for OS/2
419# no example found
420>0x0a	leshort			3		for DOS
421# http://www.ctyme.com/intr/rb-2939.htm#Table1610
422# library by module type mask 00038000h (bits 15-17);
423# 0h ~exectable Program module
424>0x10	ulelong&0x00038000	=0x00000000	(program)
425#!:ext	exe
426# OSF_IS_DLL=8000h			~Library module (DLL)
427>0x10	ulelong&0x00038000	>0x00000000
428# OSF_PHYS_DEVICE=00020000h		~device driver
429>>0x10	ulelong&0x00020000	>0		(device driver)
430!:ext	sys
431# if not device driver it is library (DLL)
432>>0x10	ulelong&0x00020000	=0		(library)
433!:ext	dll
434# bits 8-10; OSF_PM_APP=300h in flags	~Uses PM windowing API; either it is GUI or console
435>0x10  	ulelong&0x00000300	=0x00000300	(GUI)
436>0x10	ulelong&0x00000300	!0x00000300	(console)
437# CPU type
438>0x08	uleshort		1		i80286
439# all inspected examples
440>0x08	uleshort		2		i80386
441>0x08	uleshort		3		i80486
442>0x08	uleshort		4		i80586
443# 21h 	Intel "N11" or compatible
444# 40h 	MIPS Mark I ( R2000, R3000) or compatible
445# 41h 	MIPS Mark II ( R6000 ) or compatible
446# 42h 	MIPS Mark III ( R4000 ) or compatible
447
448# added by Joerg Jenderek of https://www.freedos.org/software/?prog=kc
449# and https://www.freedos.org/software/?prog=kpdos
450# for FreeDOS files like KEYBOARD.SYS, KEYBRD2.SYS, KEYBRD3.SYS, *.KBD
4510	string/b	KCF		FreeDOS KEYBoard Layout collection
452# only version=0x100 found
453>3	uleshort	x		\b, version %#x
454# length of string containing author,info and special characters
455>6	ubyte		>0
456#>>6	pstring		x		\b, name=%s
457>>7	string		>\0		\b, author=%-.14s
458>>7	search/254	\xff		\b, info=
459#>>>&0	string		x		\b%-s
460>>>&0	string		x		\b%-.15s
461# for FreeDOS *.KL files
4620	string/b	KLF		FreeDOS KEYBoard Layout file
463# only version=0x100 or 0x101 found
464>3	uleshort	x		\b, version %#x
465# stringlength
466>5	ubyte		>0
467>>8	string		x		\b, name=%-.2s
4680	string	\xffKEYB\ \ \ \0\0\0\0
469>12	string	\0\0\0\0`\004\360	MS-DOS KEYBoard Layout file
470
471# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017,Aug 2020
472# URL:		http://fileformats.archiveteam.org/wiki/DOS_device_driver
473# Reference:	http://www.delorie.com/djgpp/doc/rbinter/it/46/16.html
474# https://amaus.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009
4750	ulequad&0x07a0ffffffff		0xffffffff
476# skip OS/2 INI ./os2
477>4  ubelong   !0x14000000
478>>0	use				msdos-driver
4790       name    			msdos-driver		DOS executable (
480#!:mime	application/octet-stream
481!:mime	application/x-dosdriver
482# also found FreeDOS print driver SPOOL.DEV and disc compression driver STACLOAD.BIN
483# and IBM Token-Ring adapter IBMTOK.DOS. Why and when DOS instead SYS is used?
484# PROTMAN.DOS ELNKPL.DOS
485!:ext	sys/dev/bin/dos
486# 1 space char after "UPX compressed" to get phrase like "UPX compressed character device"
487>40	search/7			UPX!			\bUPX compressed
488# DOS device driver attributes
489>4	uleshort&0x8000			0x0000			\bblock device driver
490# character device
491>4	uleshort&0x8000			0x8000			\b
492# 1 space char after "clock" to get phrase like "clock character device driver CLOCK$"
493>>4	uleshort&0x0008			0x0008			\bclock
494# fast video output by int 29h
495# 1 space char after "fast" to get phrase like "fast standard input/output character device driver"
496>>4	uleshort&0x0010			0x0010			\bfast
497# standard input/output device
498# 1 space char after "standard" to get phrase like "standard input/output character device driver"
499>>4	uleshort&0x0003			>0			\bstandard
500>>>4	uleshort&0x0001			0x0001			\binput
501>>>4	uleshort&0x0003			0x0003			\b/
502# 1 space char after "output" to get phrase like "input/output character device driver"
503>>>4	uleshort&0x0002			0x0002			\boutput
504>>4	uleshort&0x8000			0x8000			\bcharacter device driver
505>0	ubyte				x
506# upx compressed device driver has garbage instead of real in name field of header
507>>40	search/7			UPX!
508>>40	default				x
509# leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped
510# 1 space char before device driver name to get phrase like "device driver PROTMAN$"
511>>>12		ubyte			>0x2E			\b
512>>>>10		ubyte			>0x20
513>>>>>10		ubyte			!0x2E
514>>>>>>10	ubyte			!0x2A			\b%c
515>>>>11		ubyte			>0x20
516>>>>>11		ubyte			!0x2E			\b%c
517>>>>12		ubyte			>0x20
518>>>>>12		ubyte			!0x39
519>>>>>>12	ubyte			!0x2E			\b%c
520>>>13		ubyte			>0x20
521>>>>13		ubyte			!0x2E			\b%c
522>>>>14		ubyte			>0x20
523>>>>>14		ubyte			!0x2E			\b%c
524>>>>15		ubyte			>0x20
525>>>>>15		ubyte			!0x2E			\b%c
526>>>>16		ubyte			>0x20
527>>>>>16		ubyte			!0x2E
528>>>>>>16	ubyte			<0xCB			\b%c
529>>>>17		ubyte			>0x20
530>>>>>17		ubyte			!0x2E
531>>>>>>17	ubyte			<0x90			\b%c
532# some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field
533>>>12		ubyte			<0x2F
534# they have their real name at offset 22
535# also block device drivers like DUMBDRV.SYS
536>>>>22		string			>\056			%-.6s
537>4	uleshort&0x8000			0x0000
538# 32 bit sector addressing ( > 32 MB) for block devices
539>>4	uleshort&0x0002			0x0002			\b,32-bit sector-
540# support by driver functions 13h, 17h, 18h
541>4	uleshort&0x0040			0x0040			\b,IOCTL-
542# open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh
543>4	uleshort&0x0800			0x0800			\b,close media-
544# output until busy support by int 10h for character device driver
545>4	uleshort&0x8000			0x8000
546>>4	uleshort&0x2000			0x2000			\b,until busy-
547# direct read/write support by driver functions 03h,0Ch
548>4	uleshort&0x4000			0x4000			\b,control strings-
549>4	uleshort&0x8000			0x8000
550>>4	uleshort&0x6840			>0			\bsupport
551>4	uleshort&0x8000			0x0000
552>>4	uleshort&0x4842			>0			\bsupport
553>0	ubyte				x			\b)
554>0	ulelong				!0xffffffff		with pointer %#x
555# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header
5560	ulequad				0x0513c00000000012
557>0	use				msdos-driver
558# DOS drivers DC2975.SYS, DUMBDRV.SYS, ECHO.SYS has also none 0xffffffff for pointer field
5590	ulequad				0x32f28000ffff0016
560>0	use				msdos-driver
5610	ulequad				0x007f00000000ffff
562>0	use				msdos-driver
563# https://www.uwe-sieber.de/files/cfg_echo.zip
5640	ulequad				0x001600000000ffff
565>0	use				msdos-driver
566# DOS drivers LS120.SYS, MKELS120.SYS use reserved bits of attribute field
5670	ulequad				0x0bf708c2ffffffff
568>0	use				msdos-driver
5690	ulequad				0x07bd08c2ffffffff
570>0	use				msdos-driver
571# 3Com EtherLink 3C501 CID\SERVER\IBMLS\IBM500D1\DLSNETDR.ZIP\ELNK.DOS
5720	ulequad				0x027ac0c0ffffffff
573>0	use				msdos-driver
574# IBM Streamer CID\SERVER\IBMLS\IBM500D1\DLSNETDR.ZIP\IBMMPC.DOS
5750	ulequad				0x00228880ffffffff
576>0	use				msdos-driver
577
578# updated by Joerg Jenderek
579# GRR: line below too general as it catches also
580# rt.lib DYADISKS.PIC and many more
581# start with assembler instruction MOV
5820	ubyte		0x8c
583# skip "AppleWorks word processor data" like ARTICLE.1 ./apple
584>4	string			!O====
585# skip some unknown basic binaries like RocketRnger.SHR
586>>5	string			!MAIN
587# skip "GPG symmetrically encrypted data" ./gnu
588# skip "PGP symmetric key encrypted data" ./pgp
589# openpgpdefs.h: fourth byte < 14 indicate cipher algorithm type
590>>>4	ubyte			>13	DOS executable (COM, 0x8C-variant)
591# the remaining files should be DOS *.COM executables
592# dosshell.COM	8cc0 2ea35f07 e85211 e88a11 b80058 cd
593# hmload.COM	8cc8 8ec0 bbc02b 89dc 83c30f c1eb04 b4
594# UNDELETE.COM	8cca 2e8916 6503 b430 cd21 8b 2e0200 8b
595# BOOTFIX.COM	8cca 2e8916 9603 b430 cd21 8b 2e0200 8b
596# RAWRITE3.COM	8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
597# SHARE.COM	8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
598# validchr.COM	8cca 2e8916 9603 b430 cd21 8b 2e028b1e
599# devload.COM	8cca 8916ad01 b430 cd21 8b2e0200 892e
600!:mime	application/x-dosexec
601!:ext com
602
603# updated by Joerg Jenderek at Oct 2008
6040	ulelong		0xffff10eb	DR-DOS executable (COM)
605# byte 0xeb conflicts with "sequent" magic leshort 0xn2eb
6060	ubeshort&0xeb8d	>0xeb00
607# DR-DOS STACKER.COM SCREATE.SYS missed
608
6090       name    msdos-com
610>0  byte        x               DOS executable (COM)
611!:mime	application/x-dosexec
612!:ext	com
613>6	string		SFX\ of\ LHarc	\b, %s
614>0x1FE leshort	0xAA55		    \b, boot code
615>85	string		UPX		        \b, UPX compressed
616>4	string		\ $ARX		    \b, ARX self-extracting archive
617>4	string		\ $LHarc	    \b, LHarc self-extracting archive
618>0x20e string	SFX\ by\ LARC	\b, LARC self-extracting archive
619
620# JMP 8bit
6210	        byte	0xeb
622# allow forward jumps only
623>1          byte    >-1
624# that offset must be accessible
625>>(1.b+2)   byte    x
626>>>0        use msdos-com
627
628# JMP 16bit
6290           byte    0xe9
630# forward jumps
631>1          short   >-1
632# that offset must be accessible
633>>(1.s+3)   byte    x
634>>>0        use msdos-com
635# negative offset, must not lead into PSP
636>1          short   <-259
637# that offset must be accessible
638>>(1,s+65539)   byte    x
639>>>0        use msdos-com
640
641# updated by Joerg Jenderek at Oct 2008,2015
642# following line is too general
6430	ubyte		0xb8
644# skip 2 linux kernels like memtest.bin with "\xb8\xc0\x07\x8e" in ./linux
645>0	string		!\xb8\xc0\x07\x8e
646# modified by Joerg Jenderek
647# syslinux COM32 or COM32R executable
648>>1	lelong&0xFFFFFFFe 0x21CD4CFe	COM executable (32-bit COMBOOT
649# https://www.syslinux.org/wiki/index.php/Comboot_API
650# Since version 5.00 c32 modules switched from the COM32 object format to ELF
651!:mime	application/x-c32-comboot-syslinux-exec
652!:ext c32
653# https://syslinux.zytor.com/comboot.php
654# older syslinux version ( <4 )
655# (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode
656# start with assembler instructions mov eax,21cd4cffh
657>>>1	lelong		0x21CD4CFf	\b)
658# syslinux:doc/comboot.txt
659# A COM32R program must start with the byte sequence B8 FE 4C CD 21 (mov
660# eax,21cd4cfeh) as a magic number.
661# syslinux version (4.x)
662# "COM executable (COM32R)" or "Syslinux COM32 module" by TrID
663>>>1	lelong		0x21CD4CFe	\b, relocatable)
664# Hajin Jang <hajin_jang@worksmobile.com>:
665# Disable simplest COM signature to prevent false positive on some EUC-KR text files.
666## remaining are DOS COM executables starting with assembler instruction MOV
667## like FreeDOS BANNER*.COM FINDDISK.COM GIF2RAW.COM WINCHK.COM
668## MS-DOS SYS.COM RESTART.COM
669## SYSLINUX.COM (version 1.40 - 2.13)
670## GFXBOOT.COM (version 3.75)
671## COPYBS.COM POWEROFF.COM INT18.COM
672>>1	default	x			COM executable for DOS
673!:mime	application/x-dosexec
674##!:mime	application/x-ms-dos-executable
675##!:mime	application/x-msdos-program
676!:ext com
677
678# URL:		https://en.wikipedia.org/wiki/UPX
679# Reference:	https://github.com/upx/upx/archive/v3.96.zip/upx-3.96/
680#		src/stub/src/i086-dos16.com.S
681# Update:	Joerg Jenderek
682# assembler instructions: cmp sp, offset sp_limit
6830	string/b	\x81\xfc
684#>2	uleshort	x		\b, sp_limit=%#x
685# assembler instructions: jump above +2; int 0x20; mov cx, offset bytes_to_copy
686>4	string	\x77\x02\xcd\x20\xb9
687#>9	uleshort	x		\b, [bytes_to_copy]=%#x
688# at different offsets assembler instructions: push di; jump decomp_start_n2b
689>0x1e	search/3	\x57\xe9
690#>>&0	uleshort	x		\b, decomp_start_n2b=%#x
691# src/stub/src/include/header.S; UPX_MAGIC_LE32
692>>&2	string		UPX!		FREE-DOS executable (COM), UPX
693!:mime	application/x-dosexec
694# UPX compressed *.CPI; See ./fonts
695>>>&21	string		=FONT		compressed DOS code page font
696!:ext	cpx
697>>>&21	string		!FONT		compressed
698!:ext	com
699# compressed size?
700#>>>&14	uleshort+152	x		\b, %u bytes
701# uncompressed len
702>>>&12	uleshort	x		\b, uncompressed %u bytes
703252	string Must\ have\ DOS\ version DR-DOS executable (COM)
704!:mime	application/x-dosexec
705!:ext	com
706# GRR search is not working
707#2	search/28	\xcd\x21	COM executable for MS-DOS
708#WHICHFAT.cOM
7092	string	\xcd\x21		COM executable for DOS
710!:mime	application/x-dosexec
711!:ext	com
712#DELTREE.cOM DELTREE2.cOM
7134	string	\xcd\x21		COM executable for DOS
714!:mime	application/x-dosexec
715!:ext	com
716#IFMEMDSK.cOM ASSIGN.cOM COMP.cOM
7175	string	\xcd\x21		COM executable for DOS
718!:mime	application/x-dosexec
719!:ext	com
720#DELTMP.COm HASFAT32.cOM
7217	string	\xcd\x21
722>0	byte	!0xb8			COM executable for DOS
723!:mime	application/x-dosexec
724!:ext	com
725#COMP.cOM MORE.COm
72610	string	\xcd\x21
727>5	string	!\xcd\x21		COM executable for DOS
728!:mime	application/x-dosexec
729!:ext	com
730#comecho.com
73113	string	\xcd\x21		COM executable for DOS
732!:mime	application/x-dosexec
733!:ext	com
734#HELP.COm EDIT.coM
73518	string	\xcd\x21
736# not printable before it?
737>17	byte	>32
738>>17	byte	<126
739>>17	default	x			COM executable for MS-DOS
740!:mime	application/x-dosexec
741!:ext	com
742#NWRPLTRM.COm
74323	string	\xcd\x21		COM executable for MS-DOS
744!:mime	application/x-dosexec
745!:ext	com
746#LOADFIX.cOm LOADFIX.cOm
74730	string	\xcd\x21		COM executable for MS-DOS
748!:mime	application/x-dosexec
749!:ext	com
750#syslinux.com 3.11
75170	string	\xcd\x21		COM executable for DOS
752!:mime	application/x-dosexec
753!:ext	com
754# many compressed/converted COMs start with a copy loop instead of a jump
7550x6	search/0xa	\xfc\x57\xf3\xa5\xc3	COM executable for MS-DOS
756!:mime	application/x-dosexec
757!:ext	com
7580x6	search/0xa	\xfc\x57\xf3\xa4\xc3	COM executable for DOS
759!:mime	application/x-dosexec
760!:ext	com
761>0x18	search/0x10	\x50\xa4\xff\xd5\x73	\b, aPack compressed
7620x3c	string		W\ Collis\0\0		COM executable for MS-DOS, Compack compressed
763!:mime	application/x-dosexec
764!:ext	com
765# FIXME: missing diet .com compression
766
767# miscellaneous formats
7680	string/b	LZ		MS-DOS executable (built-in)
769#0	byte		0xf0		MS-DOS program library data
770#
771
772# AAF files:
773# <stuartc@rd.bbc.co.uk> Stuart Cunningham
7740	string/b	\320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377			AAF legacy file using MS Structured Storage
775>30	byte	9		(512B sectors)
776>30	byte	12		(4kB sectors)
7770	string/b	\320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001			AAF file using MS Structured Storage
778>30	byte	9		(512B sectors)
779>30	byte	12		(4kB sectors)
780
781# Popular applications
782#
783# Update:	Joerg Jenderek
784# URL:		http://fileformats.archiveteam.org/wiki/DOC
785# Reference:	https://web.archive.org/web/20170206041048/
786#		http://www.msxnet.org/word2rtf/formats/ffh-dosword5
787# wIdent+dty
7880	belong	0x31be0000
789# skip droid skeleton like x-fmt-274-signature-id-488.doc
790>128	ubyte		>0  			Microsoft
791>>96	uleshort	=0			Word
792!:mime	application/msword
793!:apple	MSWDWDBN
794# DCX is used in the Unix version.
795!:ext	doc/dcx
796>>>0x6E	ulequad		=0			1.0-4.0
797>>>0x6E	ulequad		!0			5.0-6.0
798>>>0x6E	ulequad		x			(DOS) Document
799# https://web.archive.org/web/20130831064118/http://msxnet.org/word2rtf/formats/write.txt
800>>96	uleshort	!0			Write 3.0 (Windows) Document
801!:mime	application/x-mswrite
802!:apple	MSWDWDBN
803# sometimes also doc like in splitter.doc srchtest.doc
804!:ext	wri/doc
805# wTool must be 0125400 octal
806#>>4	uleshort	!0xAB00			\b, wTool %o
807# reserved; must be zero
808#>>6	ulelong		!0			\b, reserved %u
809# block pointer to the block containing optional file manager information
810#>>0x1C	uleshort	x			\b, at %#x info block
811# jump to File manager information block
812>>(0x1C.s*128)	uleshort x
813# test for valid information start; maybe also 0012h
814>>>&-2		uleshort	=0x0014
815# Document ASCIIZ name
816>>>>&0x12	string		x		%s
817# author name
818>>>>>&1		string		x		\b, author %s
819# reviser name
820>>>>>>&1	string		x		\b, reviser %s
821# keywords
822>>>>>>>&1	string		x		\b, keywords %s
823# comment
824>>>>>>>>&1	string		x		\b, comment %s
825# version number
826>>>>>>>>>&1	string		x		\b, version %s
827# date of last change MM/DD/YY
828>>>>>>>>>>&1	string		x		\b, %-.8s
829# creation date MM/DD/YY
830>>>>>>>>>>&9	string		x		created %-.8s
831# file name of print format like NORMAL.STY
832>>0x1E	string		>0			\b, formatted by %-.66s
833# count of pages in whole file for write variant; maybe some times wrong
834>>96	uleshort	>0			\b, %u pages
835# name of the printer driver like HPLASMS
836>>0x62	string		>0			\b, %-.8s printer
837# number of blocks used in the file; seems to be 0 for Word 4.0 and Write 3.0
838>>0x6A	uleshort	>0			\b, %u blocks
839# bit field for corrected text areas
840#>>0x6C	uleshort	x			\b, %#x bit field
841# text of document; some times start with 4 non printable characters like CR LF
842>>128	ubyte		x			\b,
843>>>128		ubyte	>0x1F
844>>>>128		string	x			%s
845>>>128		ubyte	<0x20
846>>>>129		ubyte	>0x1F
847>>>>>129	string	x			%s
848>>>>129		ubyte	<0x20
849>>>>>130	ubyte	>0x1F
850>>>>>>130	string	x			%s
851>>>>>130	ubyte	<0x20
852>>>>>>131	ubyte	>0x1F
853>>>>>>>131	string	x			%s
854>>>>>>131	ubyte	<0x20
855>>>>>>>132	ubyte	>0x1F
856>>>>>>>>132	string	x			%s
857>>>>>>>132	ubyte	<0x20
858>>>>>>>>133	ubyte	>0x1F
859>>>>>>>>>133	string	x			%s
860#
8610	string/b	PO^Q`				Microsoft Word 6.0 Document
862!:mime	application/msword
863#
8644   long        0
865>0  belong      0xfe320000      Microsoft Word for Macintosh 1.0
866!:mime	application/msword
867!:ext   mcw
868>0  belong      0xfe340000      Microsoft Word for Macintosh 3.0
869!:mime	application/msword
870!:ext   mcw
871>0  belong      0xfe37001c      Microsoft Word for Macintosh 4.0
872!:mime	application/msword
873!:ext   mcw
874>0  belong      0xfe370023      Microsoft Word for Macintosh 5.0
875!:mime	application/msword
876!:ext   mcw
877
8780	string/b	\333\245-\0\0\0			Microsoft Word 2.0 Document
879!:mime	application/msword
880!:ext   doc
881# Note: seems already recognized as "OLE 2 Compound Document" in ./ole2compounddocs
882#512	string/b	\354\245\301			Microsoft Word Document
883#!:mime	application/msword
884
885#
8860	string/b	\xDB\xA5\x2D\x00		Microsoft WinWord 2.0 Document
887!:mime application/msword
888#
8890	string/b	\xDB\xA5\x2D\x00		Microsoft WinWord 2.0 Document
890!:mime application/msword
891
892#
8930	string/b	\x09\x04\x06\x00\x00\x00\x10\x00	Microsoft Excel Worksheet
894!:mime	application/vnd.ms-excel
895# https://www.macdisk.com/macsigen.php
896!:apple	XCELXLS4
897!:ext	xls
898#
899# Update: Joerg Jenderek
900# URL: https://en.wikipedia.org/wiki/Lotus_1-2-3
901# Reference: http://www.aboutvb.de/bas/formate/pdf/wk3.pdf
902# Note: newer Lotus versions >2 use longer BOF record
903# record type (BeginningOfFile=0000h) + length (001Ah)
9040	belong	0x00001a00
905# reserved should be 0h but 8c0dh for TUTMAC.WK3, 5h for SAMPADNS.WK3, 1h for a_readme.wk3, 1eh for K&G86.WK3
906#>18	uleshort&0x73E0	0
907# Lotus Multi Byte Character Set (LMBCS=1-31)
908>20	ubyte		>0
909>>20	ubyte		<32	Lotus 1-2-3
910#!:mime	application/x-123
911!:mime	application/vnd.lotus-1-2-3
912!:apple	????L123
913# (version 5.26) labeled the entry as "Lotus 1-2-3 wk3 document data"
914>>>4	uleshort	0x1000	WorKsheet, version 3
915!:ext	wk3
916# (version 5.26) labeled the entry as "Lotus 1-2-3 wk4 document data"
917>>>4	uleshort	0x1002	WorKsheet, version 4
918# also worksheet template 4 (.wt4)
919!:ext	wk4/wt4
920# no example or documentation for wk5
921#>>4	uleshort	0x????	WorKsheet, version 4
922#!:ext	wk5
923# only MacrotoScript.123 example
924>>>4	uleshort	0x1003	WorKsheet, version 97
925# also worksheet template Smartmaster (.12M)?
926!:ext	123
927# only Set_Y2K.123 example
928>>>4	uleshort	0x1005	WorKsheet, version 9.8 Millennium
929!:ext	123
930# no example for this version
931>>>4	uleshort	0x8001	FoRMatting data
932!:ext	frm
933# (version 5.26) labeled the entry as "Lotus 1-2-3 fm3 or fmb document data"
934# TrID labeles the entry as "Formatting Data for Lotus 1-2-3 worksheet"
935>>>4	uleshort	0x8007	ForMatting data, version 3
936!:ext	fm3
937>>>4	default		x	unknown
938# file revision sub code 0004h for worksheets
939>>>>6	uleshort	=0x0004	worksheet
940!:ext	wXX
941>>>>6	uleshort	!0x0004	formatting data
942!:ext	fXX
943# main revision number
944>>>>4	uleshort	x	\b, revision %#x
945>>>6	uleshort	=0x0004	\b, cell range
946# active cellcoord range (start row, page,column ; end row, page, column)
947# start values normally 0~1st sheet A1
948>>>>8	ulelong		!0
949>>>>>10	ubyte		>0	\b%d*
950>>>>>8	uleshort	x	\b%d,
951>>>>>11	ubyte		x	\b%d-
952# end page mostly 0
953>>>>14	ubyte		>0	\b%d*
954# end raw, column normally not 0
955>>>>12	uleshort	x	\b%d,
956>>>>15	ubyte		x	\b%d
957# Lotus Multi Byte Character Set (1~cp850,2~cp851,...,16~japan,...,31~??)
958>>>>20	ubyte		>1	\b, character set %#x
959# flags
960>>>>21	ubyte		x	\b, flags %#x
961>>>6	uleshort	!0x0004
962# record type (FONTNAME=00AEh)
963>>>>30	search/29	\0\xAE
964# variable length m (2) + entries (1) + ?? (1) + LCMBS string (n)
965>>>>>&4	string		>\0	\b, 1st font "%s"
966#
967# Update: Joerg Jenderek
968# URL: http://fileformats.archiveteam.org/wiki/Lotus_1-2-3
969# Reference: http://www.schnarff.com/file-formats/lotus-1-2-3/WSFF2.TXT
970# Note: Used by both old Lotus 1-2-3 and Lotus Symphony (DOS) til version 2.x
971# record type (BeginningOfFile=0000h) + length (0002h)
9720	belong	0x00000200
973# GRR: line above is too general as it catches also MS Windows CURsor
974# to display MS Windows cursor (strength=70) before Lotus 1-2-3 (strength=70-1)
975!:strength -1
976# skip Windows cursors with image height <256 and keep Lotus with low opcode 0001-0083h
977>7	ubyte		0
978# skip Windows cursors with image width 256 and keep Lotus with positive opcode
979>>6	ubyte		>0	Lotus
980# !:mime	application/x-123
981!:mime	application/vnd.lotus-1-2-3
982!:apple	????L123
983# revision number (0404h = 123 1A, 0405h = Lotus Symphony , 0406h = 123 2.x wk1 , 8006h = fmt , ...)
984# undocumented; (version 5.26) labeled the configurations as "Lotus 1-2-3"
985>>>4	uleshort	0x0007	1-2-3 CoNFiguration, version 2.x (PGRAPH.CNF)
986!:ext	cnf
987>>>4	uleshort	0x0C05	1-2-3 CoNFiguration, version 2.4J
988!:ext	cnf
989>>>4	uleshort	0x0801	1-2-3 CoNFiguration, version 1-2.1
990!:ext	cnf
991>>>4	uleshort	0x0802	Symphony CoNFiguration
992!:ext	cnf
993>>>4	uleshort	0x0804	1-2-3 CoNFiguration, version 2.2
994!:ext	cnf
995>>>4	uleshort	0x080A	1-2-3 CoNFiguration, version 2.3-2.4
996!:ext	cnf
997>>>4	uleshort	0x1402	1-2-3 CoNFiguration, version 3.x
998!:ext	cnf
999>>>4	uleshort	0x1450	1-2-3 CoNFiguration, version 4.x
1000!:ext	cnf
1001# (version 5.26) labeled the entry as "Lotus 123"
1002# TrID labeles the entry as "Lotus 123 Worksheet (generic)"
1003>>>4	uleshort	0x0404	1-2-3 WorKSheet, version 1
1004# extension "wks" also for Microsoft Works document
1005!:ext	wks
1006# (version 5.26) labeled the entry as "Lotus 123"
1007# TrID labeles the entry as "Lotus 123 Worksheet (generic)"
1008>>>4	uleshort	0x0405	Symphony WoRksheet, version 1.0
1009!:ext	wrk/wr1
1010# (version 5.26) labeled the entry as "Lotus 1-2-3 wk1 document data"
1011# TrID labeles the entry as "Lotus 123 Worksheet (V2)"
1012>>>4	uleshort	0x0406	1-2-3/Symphony worksheet, version 2
1013# Symphony (.wr1)
1014!:ext	wk1/wr1
1015# no example for this japan version
1016>>>4	uleshort	0x0600	1-2-3 WorKsheet, version 1.xJ
1017!:ext	wj1
1018# no example or documentation for wk2
1019#>>>4	uleshort	0x????	1-2-3 WorKsheet, version 2
1020#!:ext	wk2
1021# undocumented japan version
1022>>>4	uleshort	0x0602	1-2-3 worksheet, version 2.4J
1023!:ext	wj3
1024# (version 5.26) labeled the entry as "Lotus 1-2-3 fmt document data"
1025>>>4	uleshort	0x8006	1-2-3 ForMaTting data, version 2.x
1026# japan version 2.4J (fj3)
1027!:ext	fmt/fj3
1028# no example for this version
1029>>>4	uleshort	0x8007	1-2-3 FoRMatting data, version 2.0
1030!:ext	frm
1031# (version 5.26) labeled the entry as "Lotus 1-2-3"
1032>>>4	default		x	unknown worksheet or configuration
1033!:ext	cnf
1034>>>>4	uleshort	x	\b, revision %#x
1035# 2nd record for most worksheets describes cells range
1036>>>6		use	lotus-cells
1037# 3rd record for most japan worksheets describes cells range
1038>>>(8.s+10)	use	lotus-cells
1039#	check and then display Lotus worksheet cells range
10400	name		lotus-cells
1041# look for type (RANGE=0006h) + length (0008h) at record begin
1042>0	ubelong	0x06000800	\b, cell range
1043# cell range (start column, row, end column, row) start values normally 0,0~A1 cell
1044>>4	ulong		!0
1045>>>4	uleshort	x	\b%d,
1046>>>6	uleshort	x	\b%d-
1047# end of cell range
1048>>8	uleshort	x	\b%d,
1049>>10	uleshort	x	\b%d
1050# EndOfLotus123
10510	string/b		WordPro\0	Lotus WordPro
1052!:mime	application/vnd.lotus-wordpro
10530	string/b		WordPro\r\373	Lotus WordPro
1054!:mime	application/vnd.lotus-wordpro
1055
1056
1057# Summary: Script used by InstallScield to uninstall applications
1058# Extension: .isu
1059# Submitted by: unknown
1060# Modified by (1): Abel Cheung <abelcheung@gmail.com> (replace useless entry)
10610		string		\x71\xa8\x00\x00\x01\x02
1062>12		string		Stirling\ Technologies,		InstallShield Uninstall Script
1063
1064# Winamp .avs
1065#0	string	Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media player
10660	string/b	Nullsoft\ AVS\ Preset\ 	Winamp plug in
1067
1068# Windows Metafile .WMF
10690	string/b	\327\315\306\232	Windows metafile
1070!:mime	image/wmf
1071!:ext	wmf
10720	string/b	\002\000\011\000	Windows metafile
1073!:mime	image/wmf
1074!:ext	wmf
10750	string/b	\001\000\011\000	Windows metafile
1076!:mime	image/wmf
1077!:ext	wmf
1078
1079#tz3 files whatever that is (MS Works files)
10800	string/b	\003\001\001\004\070\001\000\000	tz3 ms-works file
10810	string/b	\003\002\001\004\070\001\000\000	tz3 ms-works file
10820	string/b	\003\003\001\004\070\001\000\000	tz3 ms-works file
1083
1084# PGP sig files .sig
1085#0 string \211\000\077\003\005\000\063\237\127 065 to  \027\266\151\064\005\045\101\233\021\002 PGP sig
10860 string \211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002 PGP sig
10870 string \211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002 PGP sig
10880 string \211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002 PGP sig
10890 string \211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002 PGP sig
10900 string \211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002 PGP sig
10910 string \211\000\225\003\005\000\062\122\207\304\100\345\042 PGP sig
1092
1093# windows zips files .dmf
10940	string/b	MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000 MS Windows special zipped file
1095
1096# Windows icons
1097# Update: Joerg Jenderek
1098# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
1099# Note: similar to Windows CURsor. container for BMP (only DIB part) or PNG
11000   belong  0x00000100
1101>9  byte    0
1102>>0 byte    x
1103>>0 use     cur-ico-dir
1104>9  ubyte   0xff
1105>>0 byte    x
1106>>0 use     cur-ico-dir
1107#	displays number of icons and information for icon or cursor
11080	name		cur-ico-dir
1109# skip some Lotus 1-2-3 worksheets, CYCLE.PIC and keep Windows cursors with
1110# 1st data offset = dir header size + n * dir entry size = 6 + n * 10h = ?6h
1111>18		ulelong		&0x00000006
1112# skip remaining worksheets, because valid only for DIB image (40) or PNG image (\x89PNG)
1113>>(18.l)	ulelong		x		MS Windows
1114>>>0		ubelong		0x00000100	icon resource
1115# https://www.iana.org/assignments/media-types/image/vnd.microsoft.icon
1116!:mime		image/vnd.microsoft.icon
1117#!:mime		image/x-icon
1118!:ext		ico
1119>>>>4 		uleshort	x		- %d icon
1120# plural s
1121>>>>4 		uleshort	>1		\bs
1122# 1st icon
1123>>>>0x06	use		ico-entry
1124# 2nd icon
1125>>>>4 		uleshort	>1
1126>>>>>0x16	use		ico-entry
1127>>>0		ubelong		0x00000200	cursor resource
1128#!:mime		image/x-cur
1129!:mime		image/x-win-bitmap
1130!:ext		cur
1131>>>>4 		uleshort	x		- %d icon
1132>>>>4 		uleshort	>1		\bs
1133# 1st cursor
1134>>>>0x06	use		cur-entry
1135#>>>>0x16	use		cur-entry
1136#	display information of one cursor entry
11370	name		cur-entry
1138>0	use		cur-ico-entry
1139>4	uleshort	x	\b, hotspot @%dx
1140>6	uleshort	x	\b%d
1141#	display information of one icon entry
11420	name		ico-entry
1143>0			use	cur-ico-entry
1144# normally 0 1 but also found 14
1145>4	uleshort	>1	\b, %d planes
1146# normally 0 1 but also found some 3, 4, some 6, 8, 24, many 32, two 256
1147>6	uleshort	>1	\b, %d bits/pixel
1148#	display shared information of cursor or icon entry
11490		name		cur-ico-entry
1150>0		byte		=0		\b, 256x
1151>0		byte		!0		\b, %dx
1152>1		byte        	=0		\b256
1153>1		byte        	!0		\b%d
1154# number of colors in palette
1155>2		ubyte		!0		\b, %d colors
1156# reserved 0 FFh
1157#>3		ubyte        	x		\b, reserved %x
1158#>8		ulelong		x		\b, image size %d
1159# offset of PNG or DIB image
1160#>12		ulelong		x		\b, offset %#x
1161# PNG header (\x89PNG)
1162>(12.l)		ubelong		=0x89504e47
1163# 1 space char after "with" to get phrase "with PNG image" by magic in ./images
1164>>&-4		indirect	x	\b with
1165# DIB image
1166>(12.l)		ubelong		!0x89504e47
1167#>>&-4		use     	dib-image
1168
1169# Windows non-animated cursors
1170# Update: Joerg Jenderek
1171# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
1172# Note: similar to Windows ICOn. container for BMP ( only DIB part)
1173# GRR: line below is too general as it catches also Lotus 1-2-3 files
11740   belong  0x00000200
1175>9  byte    0
1176>>0 use     cur-ico-dir
1177>9  ubyte   0xff
1178>>0 use     cur-ico-dir
1179
1180# .chr files
11810	string/b	PK\010\010BGI	Borland font
1182>4	string	>\0	%s
1183# then there is a copyright notice
1184
1185
1186# .bgi files
11870	string/b	pk\010\010BGI	Borland device
1188>4	string	>\0	%s
1189# then there is a copyright notice
1190
1191
1192# Windows Recycle Bin record file (named INFO2)
1193# By Abel Cheung (abelcheung AT gmail dot com)
1194# Version 4 always has 280 bytes (0x118) per record, version 5 has 800 bytes
1195# Since Vista uses another structure, INFO2 structure probably won't change
1196# anymore. Detailed analysis in:
1197# http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf
11980	lelong		0x00000004
1199>12	lelong		0x00000118	Windows Recycle Bin INFO2 file (Win98 or below)
1200
12010	lelong		0x00000005
1202>12	lelong		0x00000320	Windows Recycle Bin INFO2 file (Win2k - WinXP)
1203
1204# From Doug Lee via a FreeBSD pr
12059	string		GERBILDOC	First Choice document
12069	string		GERBILDB	First Choice database
12079	string		GERBILCLIP	First Choice database
12080	string		GERBIL		First Choice device file
12099	string		RABBITGRAPH	RabbitGraph file
12100	string		DCU1		Borland Delphi .DCU file
12110	string		=!<spell>	MKS Spell hash list (old format)
12120	string		=!<spell2>	MKS Spell hash list
1213# Too simple - MPi
1214#0	string		AH		Halo(TM) bitmapped font file
12150	lelong		0x08086b70	TurboC BGI file
12160	lelong		0x08084b50	TurboC Font file
1217
1218# Debian#712046: The magic below identifies "Delphi compiled form data".
1219# An additional source of information is available at:
1220# http://www.woodmann.com/fravia/dafix_t1.htm
12210	string		TPF0
1222>4	pstring		>\0		Delphi compiled form '%s'
1223
1224# tests for DBase files moved, updated and merged to database
1225
12260	string		PMCC		Windows 3.x .GRP file
12271	string		RDC-meg		MegaDots
1228>8	byte		>0x2F		version %c
1229>9	byte		>0x2F		\b.%c file
12300	lelong		0x4C
1231>4	lelong		0x00021401	Windows shortcut file
1232
1233# .PIF files added by Joerg Jenderek from https://smsoft.ru/en/pifdoc.htm
1234# only for windows versions equal or greater 3.0
12350x171	string	MICROSOFT\ PIFEX\0	Windows Program Information File
1236!:mime	application/x-dosexec
1237!:ext	pif
1238#>2	string	 	>\0		\b, Title:%.30s
1239>0x24	string		>\0		\b for %.63s
1240>0x65	string		>\0		\b, directory=%.64s
1241>0xA5	string		>\0		\b, parameters=%.64s
1242#>0x181	leshort	x	\b, offset %x
1243#>0x183	leshort	x	\b, offsetdata %x
1244#>0x185	leshort	x	\b, section length %x
1245>0x187	search/0xB55	WINDOWS\ VMM\ 4.0\0
1246>>&0x5e		ubyte	>0
1247>>>&-1		string	<PIFMGR.DLL		\b, icon=%s
1248#>>>&-1		string	PIFMGR.DLL		\b, icon=%s
1249>>>&-1		string	>PIFMGR.DLL		\b, icon=%s
1250>>&0xF0		ubyte	>0
1251>>>&-1		string	<Terminal		\b, font=%.32s
1252#>>>&-1		string	=Terminal		\b, font=%.32s
1253>>>&-1		string	>Terminal		\b, font=%.32s
1254>>&0x110	ubyte	>0
1255>>>&-1		string	<Lucida\ Console	\b, TrueTypeFont=%.32s
1256#>>>&-1		string	=Lucida\ Console	\b, TrueTypeFont=%.32s
1257>>>&-1		string	>Lucida\ Console	\b, TrueTypeFont=%.32s
1258#>0x187	search/0xB55	WINDOWS\ 286\ 3.0\0	\b, Windows 3.X standard mode-style
1259#>0x187	search/0xB55	WINDOWS\ 386\ 3.0\0	\b, Windows 3.X enhanced mode-style
1260>0x187	search/0xB55	WINDOWS\ NT\ \ 3.1\0	\b, Windows NT-style
1261#>0x187	search/0xB55	WINDOWS\ NT\ \ 4.0\0	\b, Windows NT-style
1262>0x187	search/0xB55	CONFIG\ \ SYS\ 4.0\0	\b +CONFIG.SYS
1263#>>&06		string	x			\b:%s
1264>0x187	search/0xB55	AUTOEXECBAT\ 4.0\0	\b +AUTOEXEC.BAT
1265#>>&06		string	x			\b:%s
1266
1267# DOS EPS Binary File Header
1268# From: Ed Sznyter <ews@Black.Market.NET>
12690	belong		0xC5D0D3C6	DOS EPS Binary File
1270!:mime	image/x-eps
1271>4	long		>0		Postscript starts at byte %d
1272>>8	long		>0		length %d
1273>>>12	long		>0		Metafile starts at byte %d
1274>>>>16	long		>0		length %d
1275>>>20	long		>0		TIFF starts at byte %d
1276>>>>24	long		>0		length %d
1277
1278# TNEF magic From "Joomy" <joomy@se-ed.net>
1279# Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF)
12800	lelong		0x223e9f78	TNEF
1281!:mime	application/vnd.ms-tnef
1282
1283# Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C
1284# of http://www.davep.org/norton-guides/ng2h-105.tgz
1285# https://en.wikipedia.org/wiki/Norton_Guides
12860	string		NG\0\001
1287# only value 0x100 found at offset 2
1288>2	ulelong		0x00000100	Norton Guide
1289!:mime	application/x-norton-guide
1290# often like NORTON.NG but some times like NC.HLP
1291!:ext	ng/hlp
1292# Title[40]
1293>>8	string		>\0		"%-.40s"
1294#>>6	uleshort	x		\b, MenuCount=%u
1295# szCredits[5][66]
1296>>48	string		>\0		\b, %-.66s
1297>>114	string		>\0		%-.66s
1298
1299# URL:		https://en.wikipedia.org/wiki/Norton_Commander
1300# Reference:	http://mark0.net/download/triddefs_xml.7z/defs/m/msg-nc-eng.trid.xml
1301# From:		Joerg Jenderek
1302# Note:		Message file is used by executable with same main name.
1303#		Only tested with version 5.50 (english) and 2.01 (Windows)
13040	string		Abort
1305# \0 or i
1306#>5	ubyte		x		%x
1307# skip ASCII Abort text by looking for error message like in NCVIEW.MSG
1308>6	search/7089	Non-DOS\ disk	Norton Commander module message
1309!:mime	application/x-norton-msg
1310!:ext	msg
1311
1312# URL:		http://www.antonis.de/dos/dos-tuts/mpdostip/html/nwdostip.htm
1313# Reference:	https://mark0.net/download/triddefs_xml.7z/defs/m/msg-netware-dos.trid.xml
1314# From:		Joerg Jenderek
13150	string	DOS\ Client\ Message\ File:	Novell DOS client message
1316#!:mime	application/octet-stream
1317#!:mime	application/x-novell-msg
1318!:ext	msg
1319# look for second letter instead space character
1320>26	ubyte		>0x20
1321# digit 1 or often main or program name like: IPXODI.COM TASKID pnwtrap DOSRqstr
1322>>25		ubyte	!0x20			%c
1323>>>26		ubyte	!0x20			\b%c
1324>>>>27		ubyte	!0x20			\b%c
1325>>>>>28		ubyte	!0x20			\b%c
1326>>>>>>29	ubyte	!0x20			\b%c
1327>>>>>>>30	ubyte	!0x20			\b%c
1328>>>>>>>>31	ubyte	!0x20			\b%c
1329>>>>>>>>>32	ubyte	!0x20			\b%c
1330>>>>>>>>>>33	ubyte	!0x20			\b%c
1331>>>>>>>>>>>34	ubyte	!0x20			\b%c
1332>>>>>>>>>>>>35	ubyte	!0x20			\b%c
1333>>>>>>>>>>>>>36	ubyte	!0x20			\b%c
1334# followed by string like: 0 v.10 V1.20
1335#
1336# followed by ,\040Tran
1337>28	search/14	,\040Tran
1338# probably translated version string like: 0 v1.00
1339>>&0	string	x				\b, tran version %s
1340# followed by Ctrl-J Ctrl-Z
1341>>>&0	ubyte		!0xa			\b, terminated by %#2.2x
1342>>>>&0	ubyte		x			\b%2.2x
1343# Ctrl-Z
1344>0x65	ubyte		!0x1A			\b, at 0x65 %#x
1345# one
1346>0x66	ubyte		!0x01			\b, at 0x66 %#x
1347# URL:		https://en.wikipedia.org/wiki/NetWare
1348# Reference:	http://mark0.net/download/triddefs_xml.7z/defs/d/dat-novell-msg.trid.xml
1349# ftp://ftp.iitb.ac.in/LDP/en/NLM-HOWTO/NLM-HOWTO-single.html
1350# From:		Joerg Jenderek
13510	string	Novell\ Message\ Librarian\ Data\ File	Novell message librarian data
1352#>35	string	Version\ 1.00
1353#>49	string	COPYRIGHT\ (c)\ 1985\ by\ Novell,\ Inc.
1354#>83	string	\ \ All\ Rights\ Reserved
1355#!:mime	application/octet-stream
1356#!:mime	application/x-novell-msg
1357!:ext	msg
1358#!:ext	msg/dat
1359# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS
1360# of https://www.4dos.info/
1361# pointer,HelpID[8]=4DHnnnmm
13620	ulelong	0x48443408		4DOS help file
1363>4	string	x			\b, version %-4.4s
1364
1365# old binary Microsoft (.HLP) files added by Joerg Jenderek from http://file-extension.net/seeker/file_extension_hlp
13660	ulequad	0x3a000000024e4c	MS Advisor help file
1367
1368# HtmlHelp files (.chm)
13690	string/b	ITSF\003\000\000\000\x60\000\000\000	MS Windows HtmlHelp Data
1370
1371# GFA-BASIC (Wolfram Kleff)
13722	string/b	GFA-BASIC3	GFA-BASIC 3 data
1373
1374#------------------------------------------------------------------------------
1375# From Stuart Caie <kyzer@4u.net> (developer of cabextract)
1376# Update: Joerg Jenderek
1377# URL: https://en.wikipedia.org/wiki/Cabinet_(file_format)
1378# Reference: https://msdn.microsoft.com/en-us/library/bb267310.aspx
1379# Note: verified by `7z l *.cab`
1380# Microsoft Cabinet files
13810	string/b	MSCF\0\0\0\0	Microsoft Cabinet archive data
1382#
1383# https://support.microsoft.com/en-us/help/973559/frequently-asked-questions-about-the-microsoft-support-diagnostic-tool
1384# CAB with *.{diagcfg,diagpkg} is used by Microsoft Support Diagnostic Tool MSDT.EXE
1385# because some archive does not have *.diag* as 1st or 2nd archive member like
1386# O15CTRRemove.diagcab or AzureStorageAnalyticsLogs_global.DiagCab
1387# brute looking after header for filenames with diagcfg or diagpkg extension in CFFILE section
1388>0x2c	search/980/c	.diag		\b, Diagnostic
1389!:mime	application/vnd.ms-cab-compressed
1390!:ext	diagcab
1391# http://fileformats.archiveteam.org/wiki/PUZ
1392# Microsoft Publisher version about 2003 has a "Pack and Go" feature that
1393# bundles a Publisher document *PNG.pub with all links into a CAB
1394>0x2c	search/300/c	png.pub\0		\b, Publisher Packed and Go
1395!:mime	application/vnd.ms-cab-compressed
1396!:ext	puz
1397# ppz variant with Microsoft PowerPoint Viewer ppview32.exe to play PowerPoint presentation
1398>0x2c	search/17/c	ppview32.exe\0		\b, PowerPoint Viewer Packed and Go
1399!:mime	application/vnd.ms-powerpoint
1400#!:mime	application/mspowerpoint
1401!:ext	ppz
1402# URL:		https://en.wikipedia.org/wiki/Windows_Desktop_Gadgets
1403# Reference:	https://docs.microsoft.com/en-us/previous-versions/windows/desktop/sidebar/
1404# http://win10gadgets.com/download/273/ All_CPU_Meter1.zip/All_CPU_Meter_V4.7.3.gadget
1405>0x2c	search/968/c	gadget.xml		\b, Windows Desktop Gadget
1406#!:mime	application/vnd.ms-cab-compressed
1407# http://extension.nirsoft.net/gadget
1408!:mime	application/x-windows-gadget
1409!:ext	gadget
1410# http://www.incredimail.com/
1411# IncrediMail CAB contains an initialisation file "content.ini" like in im2.ims
1412>0x2c	search/3369/c	content.ini\0	\b, IncrediMail
1413!:mime	application/x-incredimail
1414# member Flavor.htm implies IncrediMail ecard like in tell_a_friend.imf
1415>>0x2c	search/83/c	Flavor.htm\0	ecard
1416!:ext	imf
1417# member Macromedia Flash data *.swf implies IncrediMail skin like in im2.ims
1418>>0x2c	search/211/c	.swf\0		skin
1419!:ext	ims
1420# member anim.im3 implies IncrediMail animation like in letter_fold.ima
1421>>0x2c	search/92/c	anim.im3\0	animation
1422!:ext	ima
1423# other IncrediMail cab archive
1424>>0x2c	default		x
1425>>>0x2c	search/116/c	thumb		ecard, image, notifier or skin
1426!:ext	imf/imi/imn/ims
1427# http://file-extension.net/seeker/file_extension_ime
1428>>>0x2c	default		x		emoticons or sound
1429!:ext	ime/imw
1430# no Diagnostic, Packed and Go, Windows Desktop Gadget, IncrediMail
1431>0x2c	default		x
1432# look for 1st member name
1433>>(16.l+16)	ubyte	x
1434# https://en.wikipedia.org/wiki/SNP_file_format
1435>>>&-1	string/c 	_accrpt_.snp	\b, Access report snapshot
1436!:mime	application/msaccess
1437!:ext	snp
1438# https://en.wikipedia.org/wiki/Microsoft_InfoPath
1439>>>&-1	string 		manifest.xsf	\b, InfoPath Form Template
1440!:mime	application/vnd.ms-cab-compressed
1441#!:mime	application/vnd.ms-infopath
1442!:ext	xsn
1443# https://www.cabextract.org.uk/wince_cab_format/
1444# extension of DOS 8+3 name with ".000" of 1st archive member name implies Windows CE installer
1445>>>&7	string 		=.000		\b, WinCE install
1446!:mime	application/vnd.ms-cab-compressed
1447!:ext	cab
1448
1449# https://support.microsoft.com/kb/934307/en-US
1450# All inspected MSU contain a file with name WSUSSCAN.cab
1451# that is called "Windows Update meta data" by Microsoft
1452>>>&-1	string/c 	wsusscan.cab	\b, Microsoft Standalone Update
1453!:mime	application/vnd.ms-cab-compressed
1454!:ext	msu
1455>>>&-1	default		x
1456# look at point character of 1st archive member name for file name extension
1457>>>>&-1	search/255 	.
1458# http://www.pptfaq.com/FAQ00164_What_is_a_PPZ_file-.htm
1459# PPZ were created using Pack & Go feature of PowerPoint versions 97 - 2002
1460# packs optional files, a PowerPoint presentation *.ppt with optional PLAYLIST.LST to CAB
1461>>>>>&0	string/c	ppt\0		\b, PowerPoint Packed and Go
1462!:mime	application/vnd.ms-powerpoint
1463#!:mime	application/mspowerpoint
1464!:ext	ppz
1465# https://msdn.microsoft.com/en-us/library/windows/desktop/bb773190(v=vs.85).aspx
1466# first member *.theme implies Windows 7 Theme Pack like in CommunityShowcaseAqua3.themepack
1467# or Windows 8 Desktop Theme Pack like in PanoramicGlaciers.deskthemepack
1468>>>>>&0	string/c	theme		\b, Windows
1469!:mime	application/x-windows-themepack
1470# https://www.drewkeller.com/content/using-theme-both-windows-7-and-windows-8
1471# 1st member Panoramic.theme or Panoramas.theme implies Windows 8-10 Theme Pack
1472# with MTSM=RJSPBS in [MasterThemeSelector] inside *.theme
1473>>>>>>(16.l+16)	string	=Panoram	8
1474!:ext	deskthemepack
1475>>>>>>(16.l+16)	string	!Panoram	7 or 8
1476!:ext	themepack/deskthemepack
1477>>>>>>(16.l+16)	ubyte	x		Theme Pack
1478>>>>>&0	default		x
1479# look for null terminator of 1st member name
1480>>>>>>&0	search/255 	\0
1481# 2nd member name WSUSSCAN.cab like in Microsoft-Windows-MediaFeaturePack-OOB-Package.msu
1482>>>>>>>&16	string/c 	wsusscan.cab	\b, Microsoft Standalone Update
1483!:mime	application/vnd.ms-cab-compressed
1484!:ext	msu
1485>>>>>>>&16	default	x
1486# archive with more then one file need some output in version 5.32 to avoid error message like
1487# Magdir/msdos, 1138: Warning: Current entry does not yet have a description for adding a MIME type
1488# Magdir/msdos, 1139: Warning: Current entry does not yet have a description for adding a EXTENSION type
1489# file: could not find any valid magic files!
1490>>>>>>>>28	uleshort	>1	\b, many
1491!:mime	application/vnd.ms-cab-compressed
1492!:ext	cab
1493# remaining archives with just one file
1494>>>>>>>>28	uleshort	=1
1495# neither extra bytes nor cab chain implies Windows 2000,XP setup files in directory i386
1496>>>>>>>>>30	uleshort	=0x0000	\b, Windows 2000/XP setup
1497# cut of last char of source extension and add underscore to generate extension
1498# TERMCAP._ ... FXSCOUNT.H_ ... L3CODECA.AC_ ... NPDRMV2.ZI_
1499!:mime	application/vnd.ms-cab-compressed
1500!:ext	_/?_/??_
1501# archive need some output like "single" in version 5.32 to avoid error messages
1502>>>>>>>>>30	uleshort	!0x0000	\b, single
1503!:mime	application/vnd.ms-cab-compressed
1504!:ext	cab
1505# TODO: additional extensions like
1506# .xtp	InfoPath Template Part
1507# .lvf	Logitech Video Effects Face Accessory
1508>8	ulelong		x		\b, %u bytes
1509>28	uleshort		1		\b, 1 file
1510>28	uleshort		>1		\b, %u files
1511# Reserved fields, set to zero
1512#>4	belong		!0		\b, reserved1 %x
1513#>12	belong		!0		\b, reserved2 %x
1514# offset of the first CFFILE entry coffFiles: minimal 2Ch
1515>16	ulelong		x		\b, at %#x
1516>(16.l)	use		cab-file
1517# at least also 2nd member
1518>28	uleshort		>1
1519>>(16.l+16)	ubyte	x
1520>>>&0	search/255 	\0
1521# second member info
1522>>>>&0	use		cab-file
1523#>20	belong		!0		\b, reserved %x
1524# Cabinet file format version. Currently, versionMajor = 1 and versionMinor = 3
1525>24	ubeshort	!0x0301		\b version %#x
1526# number of CFFOLDER entries
1527>26	uleshort	>1		\b, %u cffolders
1528# cabinet file option indicators 1~PREVIOUS, 2~NEXT, 4~reserved fields
1529# only found for flags 0 1 2 3 4 not 7
1530>30	uleshort	>0		\b, flags %#x
1531# Cabinet files have a 16-bit cabinet setID field that is designed for application use.
1532# default is zero, however, the -i option of cabarc can be used to set this field
1533>32	uleshort	>0		\b, ID %u
1534# iCabinet is number of this cabinet file in a set, where 0 for the first cabinet
1535#>34	uleshort	x		\b, iCabinet %u
1536# add one for display because humans start numbering by 1 and also fit to name of disk szDisk*
1537>34	uleshort+1	x		\b, number %u
1538>30	uleshort	&0x0004		\b, extra bytes
1539# cbCFHeader optional size of per-cabinet reserved area 14h 1800h
1540>>36	uleshort	>0		%u in head
1541# cbCFFolder is optional size of per-folder reserved area
1542>>38	ubyte		>0		%u in folder
1543# cbCFData is optional size of per-datablock reserved area
1544>>39	ubyte		>0		%u in data block
1545# optional per-cabinet reserved area abReserve[cbCFHeader]
1546>>36	uleshort	>0
1547# 1st CFFOLDER after reserved area in header
1548>>>(36.s+40)	use			cab-folder
1549# no reserved area in header
1550>30	uleshort	^0x0004
1551# no previous and next cab archive
1552>>30	uleshort		=0x0000
1553>>>36	use				cab-folder
1554# only previous cab archive
1555>>30	uleshort		=0x0001	\b, previous
1556>>>36	use				cab-anchor
1557# only next cab archive
1558>>30	uleshort		=0x0002	\b, next
1559>>>36	use				cab-anchor
1560# previous+next cab archive
1561# can not use sub routine cab-anchor to display previous and next cabinet together
1562#>>>36	use				cab-anchor
1563#>>>>&0	use				cab-anchor
1564>>30	uleshort		=0x0003	\b, previous
1565>>>36	string		x		%s
1566# optional name of previous disk szDisk*
1567>>>>&1	string		x		disk %s
1568>>>>>&1	string		x		\b, next %s
1569# optional name of previous disk szDisk*
1570>>>>>>&1	string		x	disk %s
1571>>>>>>>&1	use			cab-folder
1572#	display filename and disk name of previous or next cabinet
15730       name    			cab-anchor
1574# optional name of previous/next cabinet file szCabinet*[255]
1575>&0	string		x		%s
1576# optional name of previous/next disk szDisk*[255]
1577>>&1	string		x		disk %s
1578#	display folder structure CFFOLDER information like compression of cabinet
15790       name    			cab-folder
1580# offset of the CFDATA block in this folder
1581#>0	ulelong		x		\b, coffCabStart %#x
1582# number of CFDATA blocks in folder
1583>4	uleshort	x		\b, %u datablock
1584# plural s
1585>4	uleshort	>1		\bs
1586# compression typeCompress: 0~None 1~MSZIP 0x1503~LZX:21 0x1003~LZX:16 0x0f03~LZX:15
1587>6	uleshort	x		\b, %#x compression
1588# optional per-folder reserved area
1589#>8	ubequad		x		\b, abReserve %#llx
1590#	display member structure CFFILE information like member name of cabinet
15910       name    			cab-file
1592# cbFile is uncompressed size of file in bytes
1593#>0	ulelong		x		\b, cbFile %u
1594# uoffFolderStart is uncompressed offset of file in folder
1595#>4	ulelong		>0		\b, uoffFolderStart %#x
1596# iFolder is index into the CFFOLDER area. 0 indicates first folder in cabinet
1597# define ifoldCONTINUED_FROM_PREV      (0xFFFD)
1598# define ifoldCONTINUED_TO_NEXT        (0xFFFE)
1599# define ifoldCONTINUED_PREV_AND_NEXT  (0xFFFF)
1600>8	uleshort	>0		\b, iFolder %#x
1601# date stamp for file
1602#>10	uleshort	x		\b, date %#x
1603# time stamp for file
1604#>12	uleshort	x		\b, time %#x
1605# attribs is attribute flags for file
1606# define  _A_RDONLY       (0x01)  file is read-only
1607# define  _A_HIDDEN       (0x02)  file is hidden
1608# define  _A_SYSTEM       (0x04)  file is a system file
1609# define  _A_ARCH         (0x20)  file modified since last backup
1610# example http://sebastien.kirche.free.fr/pebuilder_plugins/depends.cab
1611# define  _A_EXEC         (0x40)  run after extraction
1612# define  _A_NAME_IS_UTF  (0x80)  szName[] contains UTF
1613# define  UNKNOWN       (0x0100)  undocumented or accident
1614#>14	uleshort	x		\b, attribs %#x
1615>14	uleshort	>0		+
1616>>14	uleshort	&0x0001		\bR
1617>>14	uleshort	&0x0002		\bH
1618>>14	uleshort	&0x0004		\bS
1619>>14	uleshort	&0x0020		\bA
1620>>14	uleshort	&0x0040		\bX
1621>>14	uleshort	&0x0080		\bUtf
1622# unknown 0x0100 flag found on one XP_CD:\I386\DRIVER.CAB
1623>>14	uleshort	&0x0100		\b?
1624# szName is name of archive member
1625>16	string		x		"%s"
1626# next archive member name if more files
1627#>>&17	string		>\0		\b, NEXT NAME %-.50s
1628
1629# InstallShield Cabinet files
16300	string/b	ISc(		InstallShield Cabinet archive data
1631>5	byte&0xf0	=0x60		version 6,
1632>5	byte&0xf0	!0x60		version 4/5,
1633>(12.l+40)	lelong	x		%u files
1634
1635# Windows CE package files
16360	string/b	MSCE\0\0\0\0	Microsoft WinCE install header
1637>20	lelong		0		\b, architecture-independent
1638>20	lelong		103		\b, Hitachi SH3
1639>20	lelong		104		\b, Hitachi SH4
1640>20	lelong		0xA11		\b, StrongARM
1641>20	lelong		4000		\b, MIPS R4000
1642>20	lelong		10003		\b, Hitachi SH3
1643>20	lelong		10004		\b, Hitachi SH3E
1644>20	lelong		10005		\b, Hitachi SH4
1645>20	lelong		70001		\b, ARM 7TDMI
1646>52	leshort		1		\b, 1 file
1647>52	leshort		>1		\b, %u files
1648>56	leshort		1		\b, 1 registry entry
1649>56	leshort		>1		\b, %u registry entries
1650
1651
1652# Windows Enhanced Metafile (EMF)
1653# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp
1654# for further information.
16550	ulelong 1
1656>40	string	\ EMF		Windows Enhanced Metafile (EMF) image data
1657>>44	ulelong x		version %#x
1658
1659
16600	string/b	\224\246\056		Microsoft Word Document
1661!:mime	application/msword
1662
1663# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
1664# Magic type for Dell's BIOS .hdr files
1665# Dell's .hdr
16660	string/b $RBU
1667>23	string Dell			%s system BIOS
1668>5	byte   2
1669>>48	byte   x			version %d.
1670>>49	byte   x			\b%d.
1671>>50	byte   x			\b%d
1672>5	byte   <2
1673>>48	string x			version %.3s
1674
1675# Type: Microsoft Document Imaging Format (.mdi)
1676# URL:	https://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format
1677# From: Daniele Sempione <scrows@oziosi.org>
1678# Too weak (EP)
1679#0	short	0x5045			Microsoft Document Imaging Format
1680
1681# MS eBook format (.lit)
16820	string/b	ITOLITLS		Microsoft Reader eBook Data
1683>8	lelong	x			\b, version %u
1684!:mime					application/x-ms-reader
1685
1686# Windows CE Binary Image Data Format
1687# From: Dr. Jesus <j@hug.gs>
16880	string/b	B000FF\n	Windows Embedded CE binary image
1689
1690# The second byte of these signatures is a file version; I don't know what,
1691# if anything, produced files with version numbers 0-2.
1692# From: John Elliott <johne@seasip.demon.co.uk>
16930	string	\xfc\x03\x00	Mallard BASIC program data (v1.11)
16940	string	\xfc\x04\x00	Mallard BASIC program data (v1.29+)
16950	string	\xfc\x03\x01	Mallard BASIC protected program data (v1.11)
16960	string	\xfc\x04\x01	Mallard BASIC protected program data (v1.29+)
1697
16980	string	MIOPEN		Mallard BASIC Jetsam data
16990	string	Jetsam0		Mallard BASIC Jetsam index data
1700
1701# DOS backup 2.0 to 3.2
1702# URL:		http://fileformats.archiveteam.org/wiki/BACKUP_(MS-DOS)
1703# Reference:	http://www.ibiblio.org/pub/micro/pc-stuff/freedos/files/dos/restore/brtecdoc.htm
1704# backupid.@@@
1705
1706# plausibility check for date
17070x3	ushort	>1979
1708>0x5	ubyte-1 <31
1709>>0x6	ubyte-1 <12
1710# actually 121 nul bytes
1711>>>0x7	string	\0\0\0\0\0\0\0\0
1712>>>>0x1 ubyte	x	DOS 2.0 backup id file, sequence %d
1713#!:mime	application/octet-stream
1714!:ext @@@
1715>>>>0x0 ubyte	0xff	\b, last disk
1716
1717# backed up file
1718
1719# skip some AppleWorks word like Tomahawk.Awp, WIN98SE-DE.vhd
1720# by looking for trailing nul of maximal file name string
17210x52	ubyte	0
1722# test for flag byte: FFh~complete file, 00h~split file
1723# FFh -127 =	-1 -127 =	-128
1724# 00h -127 =	 0 -127 =	-127
1725>0	byte-127	<-126
1726# plausibility check for file name length
1727>>0x53	ubyte-1	<78
1728# looking for terminating nul of file name string
1729>>>(0x53.b+4)	ubyte	0
1730# looking if last char of string is valid DOS file name
1731>>>>(0x53.b+3)	ubyte	>0x1F
1732# actually 44 nul bytes
1733# but sometimes garbage according to Ralf Quint. So can not be used as test
1734#>0x54	string	\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
1735# first char of full file name is DOS (5Ch) or UNIX (2Fh) path separator
1736# only DOS variant found. UNIX variant according to V32SLASH.TXT in archive PD0315.EXE
1737>>>>>5	ubyte&0x8C	0x0C
1738# ./msdos (version 5.30) labeled the entry as
1739# "DOS 2.0 backed up file %s, split file, sequence %d" or
1740# "DOS 2.0 backed up file %s, complete file"
1741>>>>>>0	ubyte	x	DOS 2.0-3.2 backed up
1742#>>>>>>0	ubyte	0xff	complete
1743>>>>>>0	ubyte	0
1744>>>>>>>1 uleshort	x	sequence %d of
1745# full file name with path but without drive letter and colon stored from 0x05 til 0x52
1746>>>>>>0x5	string	x	file %s
1747#!:mime	application/octet-stream
1748# backup name is original filename
1749#!:ext	doc/exe/rar/zip
1750#!:ext	*
1751# magic/Magdir/msdos, 1169: Warning: EXTENSION type `     *' has bad char '*'
1752# file: line 1169: Bad magic entry '  *'
1753# after header original file content
1754>>>>>>128	indirect x	\b;
1755
1756
1757# DOS backup 3.3 to 5.x
1758
1759# CONTROL.nnn files
17600	string	\x8bBACKUP\x20
1761# actually 128 nul bytes
1762>0xa	string	\0\0\0\0\0\0\0\0
1763>>0x9	ubyte	x	DOS 3.3 backup control file, sequence %d
1764>>0x8a	ubyte	0xff	\b, last disk
1765
1766# NB: The BACKUP.nnn files consist of the files backed up,
1767# concatenated.
1768