
#------------------------------------------------------------------------------
# $File: msdos,v 1.124 2018/07/10 04:05:50 christos Exp $
# msdos:  file(1) magic for MS-DOS files
#

# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com)
# updated by Joerg Jenderek at Oct 2008,Apr 2011
0	string/t	@
>1	string/cW	\ echo\ off	DOS batch file text
!:mime	text/x-msdos-batch
>1	string/cW	echo\ off	DOS batch file text
!:mime	text/x-msdos-batch
>1	string/cW	rem	DOS batch file text
!:mime	text/x-msdos-batch
>1	string/cW	set\ 	DOS batch file text
!:mime	text/x-msdos-batch


# OS/2 batch files are REXX. the second regex is a bit generic, oh well
# the matched commands seem to be common in REXX and uncommon elsewhere
100	search/0xffff	rxfuncadd
>100	regex/c	=^[\ \t]{0,10}call[\ \t]{1,10}rxfunc	OS/2 REXX batch file text
100	search/0xffff	say
>100	regex/c	=^[\ \t]{0,10}say\ ['"]	OS/2 REXX batch file text

# updated by Joerg Jenderek at Oct 2015
# https://de.wikipedia.org/wiki/Common_Object_File_Format
# http://www.delorie.com/djgpp/doc/coff/filhdr.html
# ./intel already labeled COFF type 0x14c=0514 as "80386 COFF executable"
#0	leshort		0x14c	MS Windows COFF Intel 80386 object file
#>4	ledate		x	stamp %s
0	leshort		0x166	MS Windows COFF MIPS R4000 object file
#>4	ledate		x	stamp %s
0	leshort		0x184	MS Windows COFF Alpha object file
#>4	ledate		x	stamp %s
0	leshort		0x268	MS Windows COFF Motorola 68000 object file
#>4	ledate		x	stamp %s
0	leshort		0x1f0	MS Windows COFF PowerPC object file
#>4	ledate		x	stamp %s
0	leshort		0x290	MS Windows COFF PA-RISC object file
#>4	ledate		x	stamp %s

# Tests for various EXE types.
#
# Many of the compressed formats were extracted from IDARC 1.23 source code.
#
0	string/b	MZ
# All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file.
>0x18		leshort	<0x40	MS-DOS executable
!:mime	application/x-dosexec
# These traditional tests usually work but not always.  When test quality support is
# implemented these can be turned on.
#>>0x18	leshort	0x1c	(Borland compiler)
#>>0x18	leshort	0x1e	(MS compiler)

# If the relocation table is 0x40 or more bytes into the file, it's definitely
# not a DOS EXE.
>0x18		leshort	>0x3f

# Maybe it's a PE?
>>(0x3c.l)	string		PE\0\0	PE
!:mime	application/x-dosexec
>>>(0x3c.l+24)	leshort		0x010b	\b32 executable
>>>(0x3c.l+24)	leshort		0x020b	\b32+ executable
>>>(0x3c.l+24)	leshort		0x0107	ROM image
>>>(0x3c.l+24)	default		x	Unknown PE signature
>>>>&0		leshort		x	0x%x
>>>(0x3c.l+22)	leshort&0x2000	>0	(DLL)
>>>(0x3c.l+92)	leshort		1	(native)
>>>(0x3c.l+92)	leshort		2	(GUI)
>>>(0x3c.l+92)	leshort		3	(console)
>>>(0x3c.l+92)	leshort		7	(POSIX)
>>>(0x3c.l+92)	leshort		9	(Windows CE)
>>>(0x3c.l+92)	leshort		10	(EFI application)
>>>(0x3c.l+92)	leshort		11	(EFI boot service driver)
>>>(0x3c.l+92)	leshort		12	(EFI runtime driver)
>>>(0x3c.l+92)	leshort		13	(EFI ROM)
>>>(0x3c.l+92)	leshort		14	(XBOX)
>>>(0x3c.l+92)	leshort		15	(Windows boot application)
>>>(0x3c.l+92)	default		x	(Unknown subsystem
>>>>&0		leshort		x	0x%x)
>>>(0x3c.l+4)	leshort		0x14c	Intel 80386
>>>(0x3c.l+4)	leshort		0x166	MIPS R4000
>>>(0x3c.l+4)	leshort		0x168	MIPS R10000
>>>(0x3c.l+4)	leshort		0x184	Alpha
>>>(0x3c.l+4)	leshort		0x1a2	Hitachi SH3
>>>(0x3c.l+4)	leshort		0x1a6	Hitachi SH4
>>>(0x3c.l+4)	leshort		0x1c0	ARM
>>>(0x3c.l+4)	leshort		0x1c2	ARM Thumb
>>>(0x3c.l+4)	leshort		0x1c4	ARMv7 Thumb
>>>(0x3c.l+4)	leshort		0x1f0	PowerPC
>>>(0x3c.l+4)	leshort		0x200	Intel Itanium
>>>(0x3c.l+4)	leshort		0x266	MIPS16
>>>(0x3c.l+4)	leshort		0x268	Motorola 68000
>>>(0x3c.l+4)	leshort		0x290	PA-RISC
>>>(0x3c.l+4)	leshort		0x366	MIPSIV
>>>(0x3c.l+4)	leshort		0x466	MIPS16 with FPU
>>>(0x3c.l+4)	leshort		0xebc	EFI byte code
>>>(0x3c.l+4)	leshort		0x8664	x86-64
>>>(0x3c.l+4)	leshort		0xc0ee	MSIL
>>>(0x3c.l+4)	default		x	Unknown processor type
>>>>&0		leshort		x	0x%x
>>>(0x3c.l+22)	leshort&0x0200	>0	(stripped to external PDB)
>>>(0x3c.l+22)	leshort&0x1000	>0	system file
>>>(0x3c.l+24)	leshort		0x010b
>>>>(0x3c.l+232) lelong	>0	Mono/.Net assembly
>>>(0x3c.l+24)	leshort		0x020b
>>>>(0x3c.l+248) lelong	>0	Mono/.Net assembly

# hooray, there's a DOS extender using the PE format, with a valid PE
# executable inside (which just prints a message and exits if run in win)
>>>(8.s*16)	string		32STUB	\b, 32rtm DOS extender
>>>(8.s*16)	string		!32STUB	\b, for MS Windows
>>>(0x3c.l+0xf8)	string		UPX0	\b, UPX compressed
>>>(0x3c.l+0xf8)	search/0x140	PEC2	\b, PECompact2 compressed
>>>(0x3c.l+0xf8)	search/0x140	UPX2
>>>>(&0x10.l+(-4))	string	PK\3\4	\b, ZIP self-extracting archive (Info-Zip)
>>>(0x3c.l+0xf8)	search/0x140	.idata
>>>>(&0xe.l+(-4))	string	PK\3\4	\b, ZIP self-extracting archive (Info-Zip)
>>>>(&0xe.l+(-4))	string	ZZ0	\b, ZZip self-extracting archive
>>>>(&0xe.l+(-4))	string	ZZ1	\b, ZZip self-extracting archive
>>>(0x3c.l+0xf8)	search/0x140	.rsrc
>>>>(&0x0f.l+(-4))	string	a\\\4\5	\b, WinHKI self-extracting archive
>>>>(&0x0f.l+(-4))	string	Rar!	\b, RAR self-extracting archive
>>>>(&0x0f.l+(-4))	search/0x3000	MSCF	\b, InstallShield self-extracting archive
>>>>(&0x0f.l+(-4))	search/32	Nullsoft	\b, Nullsoft Installer self-extracting archive
>>>(0x3c.l+0xf8)	search/0x140	.data
>>>>(&0x0f.l)	string	WEXTRACT	\b, MS CAB-Installer self-extracting archive
>>>(0x3c.l+0xf8)	search/0x140	.petite\0	\b, Petite compressed
>>>>(0x3c.l+0xf7)	byte		x
>>>>>(&0x104.l+(-4))	string	=!sfx!	\b, ACE self-extracting archive
>>>(0x3c.l+0xf8)	search/0x140	.WISE	\b, WISE installer self-extracting archive
>>>(0x3c.l+0xf8)	search/0x140	.dz\0\0\0	\b, Dzip self-extracting archive
>>>&(0x3c.l+0xf8)	search/0x100	_winzip_	\b, ZIP self-extracting archive (WinZip)
>>>&(0x3c.l+0xf8)	search/0x100	SharedD	\b, Microsoft Installer self-extracting archive
>>>0x30		string		Inno	\b, InnoSetup self-extracting archive

# Hmm, not a PE but the relocation table is too high for a traditional DOS exe,
# must be one of the unusual subformats.
>>(0x3c.l)	string		!PE\0\0	MS-DOS executable
!:mime	application/x-dosexec

>>(0x3c.l)	string		NE	\b, NE
!:mime	application/x-dosexec
>>>(0x3c.l+0x36)	byte	1	for OS/2 1.x
>>>(0x3c.l+0x36)	byte	2	for MS Windows 3.x
>>>(0x3c.l+0x36)	byte	3	for MS-DOS
>>>(0x3c.l+0x36)	byte	4	for Windows 386
>>>(0x3c.l+0x36)	byte	5	for Borland Operating System Services
>>>(0x3c.l+0x36)	default	x
>>>>(0x3c.l+0x36)	byte	x	(unknown OS %x)
>>>(0x3c.l+0x36)	byte	0x81	for MS-DOS, Phar Lap DOS extender
>>>(0x3c.l+0x0c)	leshort&0x8003	0x8002	(DLL)
>>>(0x3c.l+0x0c)	leshort&0x8003	0x8001	(driver)
>>>&(&0x24.s-1)	string	ARJSFX	\b, ARJ self-extracting archive
>>>(0x3c.l+0x70)	search/0x80	WinZip(R)\ Self-Extractor	\b, ZIP self-extracting archive (WinZip)

>>(0x3c.l)	string		LX\0\0	\b, LX
!:mime	application/x-dosexec
>>>(0x3c.l+0x0a)	leshort	<1	(unknown OS)
>>>(0x3c.l+0x0a)	leshort	1	for OS/2
>>>(0x3c.l+0x0a)	leshort	2	for MS Windows
>>>(0x3c.l+0x0a)	leshort	3	for DOS
>>>(0x3c.l+0x0a)	leshort	>3	(unknown OS)
>>>(0x3c.l+0x10)	lelong&0x28000	=0x8000	(DLL)
>>>(0x3c.l+0x10)	lelong&0x20000	>0	(device driver)
>>>(0x3c.l+0x10)	lelong&0x300	0x300	(GUI)
>>>(0x3c.l+0x10)	lelong&0x28300	<0x300	(console)
>>>(0x3c.l+0x08)	leshort	1	i80286
>>>(0x3c.l+0x08)	leshort	2	i80386
>>>(0x3c.l+0x08)	leshort	3	i80486
>>>(8.s*16)	string	emx	\b, emx
>>>>&1		string	x	%s
>>>&(&0x54.l-3)	string	arjsfx	\b, ARJ self-extracting archive

# MS Windows system file, supposedly a collection of LE executables
>>(0x3c.l)	string		W3	\b, W3 for MS Windows
!:mime	application/x-dosexec

>>(0x3c.l)	string		LE\0\0	\b, LE executable
!:mime	application/x-dosexec
>>>(0x3c.l+0x0a)	leshort	1
# some DOS extenders use LE files with OS/2 header
>>>>0x240	search/0x100	DOS/4G		for MS-DOS, DOS4GW DOS extender
>>>>0x240	search/0x200	WATCOM\ C/C++	for MS-DOS, DOS4GW DOS extender
>>>>0x440	search/0x100	CauseWay\ DOS\ Extender	for MS-DOS, CauseWay DOS extender
>>>>0x40	search/0x40	PMODE/W		for MS-DOS, PMODE/W DOS extender
>>>>0x40	search/0x40	STUB/32A	for MS-DOS, DOS/32A DOS extender (stub)
>>>>0x40	search/0x80	STUB/32C	for MS-DOS, DOS/32A DOS extender (configurable stub)
>>>>0x40	search/0x80	DOS/32A		for MS-DOS, DOS/32A DOS extender (embedded)
# this is a wild guess; hopefully it is a specific signature
>>>>&0x24	lelong	<0x50
>>>>>(&0x4c.l)	string	\xfc\xb8WATCOM
>>>>>>&0	search/8	3\xdbf\xb9	\b, 32Lite compressed
# another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP
#>>>>(0x3c.l+0x1c)	lelong	>0x10000	for OS/2
# fails with DOS-Extenders.
>>>(0x3c.l+0x0a)	leshort	2	for MS Windows
>>>(0x3c.l+0x0a)	leshort	3	for DOS
>>>(0x3c.l+0x0a)	leshort	4	for MS Windows (VxD)
>>>(&0x7c.l+0x26)	string	UPX	\b, UPX compressed
>>>&(&0x54.l-3)	string	UNACE	\b, ACE self-extracting archive

# looks like ASCII, probably some embedded copyright message.
# and definitely not NE/LE/LX/PE
>>0x3c		lelong	>0x20000000
>>>(4.s*512)	leshort	!0x014c	\b, MZ for MS-DOS
!:mime	application/x-dosexec
# header data too small for extended executable
>2	long	!0
>>0x18		leshort	<0x40
>>>(4.s*512)	leshort	!0x014c

>>>>&(2.s-514)	string	!LE
>>>>>&-2	string	!BW	\b, MZ for MS-DOS
!:mime	application/x-dosexec
>>>>&(2.s-514)	string	LE	\b, LE
>>>>>0x240	search/0x100	DOS/4G	for MS-DOS, DOS4GW DOS extender
# educated guess since indirection is still not capable enough for complex offset
# calculations (next embedded executable would be at &(&2*512+&0-2)
# I suspect there are only LE executables in these multi-exe files
>>>>&(2.s-514)	string	BW
>>>>>0x240	search/0x100	DOS/4G	\b, LE for MS-DOS, DOS4GW DOS extender (embedded)
>>>>>0x240	search/0x100	!DOS/4G	\b, BW collection for MS-DOS

# This sequence skips to the first COFF segment, usually .text
>(4.s*512)	leshort	0x014c	\b, COFF
!:mime	application/x-dosexec
>>(8.s*16)	string	go32stub	for MS-DOS, DJGPP go32 DOS extender
>>(8.s*16)	string	emx
>>>&1		string	x	for DOS, Win or OS/2, emx %s
>>&(&0x42.l-3)	byte	x
>>>&0x26	string	UPX	\b, UPX compressed
# and yet another guess: small .text, and after large .data is unusual, could be 32lite
>>&0x2c		search/0xa0	.text
>>>&0x0b	lelong	<0x2000
>>>>&0		lelong	>0x6000	\b, 32lite compressed

>(8.s*16)	string	$WdX	\b, WDos/X DOS extender

# By now an executable type should have been printed out.  The executable
# may be a self-uncompressing archive, so look for evidence of that and
# print it out.
#
# Some signatures below from Greg Roelofs, newt@uchicago.edu.
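The MZ dispatch used by the entries above (relocation-table offset at 0x18, e_lfanew at 0x3c, then the PE optional-header magic, characteristics, subsystem and machine fields, the CLR data directory that marks a Mono/.Net assembly, the 32STUB check on the DOS stub, and the NE target-OS byte), re-implemented in Python as an added example. This is not code from file(1) or its magic database; the names classify_mz, describe_pe, build_pe and build_ne and the minimal sample headers are constructed for illustration, and the LX, LE and W3 branches are reported generically rather than decoded.

```python
"""Added example (not part of file(1) or its magic database): the MZ/PE/NE
dispatch of the magic entries above, re-implemented so the header fields behind
each verdict are explicit. LX/LE/W3 and other extended headers are reported
generically. All sample headers are constructed minimal headers, not real programs."""
import struct

PE_MAGIC = {0x010B: "PE32 executable", 0x020B: "PE32+ executable", 0x0107: "ROM image"}
SUBSYSTEM = {1: "native", 2: "GUI", 3: "console", 7: "POSIX", 9: "Windows CE",
             10: "EFI application", 11: "EFI boot service driver", 12: "EFI runtime driver",
             13: "EFI ROM", 14: "XBOX", 15: "Windows boot application"}
MACHINE = {0x14C: "Intel 80386", 0x1C0: "ARM", 0x1C4: "ARMv7 Thumb", 0x200: "Intel Itanium",
           0xEBC: "EFI byte code", 0x8664: "x86-64", 0xC0EE: "MSIL"}   # subset of the table above
NE_OS = {1: "OS/2 1.x", 2: "MS Windows 3.x", 3: "MS-DOS", 4: "Windows 386",
         5: "Borland Operating System Services", 0x81: "MS-DOS, Phar Lap DOS extender"}
CLR_DIR = {0x010B: 232, 0x020B: 248}   # CLR header RVA, offset from "PE\0\0" (PE32 / PE32+)

def u16(b, off): return struct.unpack_from("<H", b, off)[0]
def u32(b, off): return struct.unpack_from("<I", b, off)[0]

def describe_pe(data: bytes, pe: int) -> str:
    """pe is the offset of "PE\\0\\0", i.e. what (0x3c.l) resolves to in the magic."""
    if pe + 94 > len(data):
        return "PE (truncated headers)"
    magic, chars = u16(data, pe + 24), u16(data, pe + 22)
    parts = [PE_MAGIC.get(magic, "Unknown PE signature 0x%x" % magic)]
    if chars & 0x2000:
        parts.append("(DLL)")
    subsystem = u16(data, pe + 92)
    parts.append("(%s)" % SUBSYSTEM.get(subsystem, "Unknown subsystem 0x%x" % subsystem))
    machine = u16(data, pe + 4)
    parts.append(MACHINE.get(machine, "Unknown processor type 0x%x" % machine))
    if chars & 0x0200:
        parts.append("(stripped to external PDB)")
    if chars & 0x1000:
        parts.append("system file")
    clr = CLR_DIR.get(magic)
    if clr is not None and pe + clr + 4 <= len(data) and u32(data, pe + clr) > 0:
        parts.append("Mono/.Net assembly")
    code = u16(data, 8) * 16   # e_cparhdr (paragraphs): where the DOS stub code starts
    stub = ", 32rtm DOS extender" if data[code:code + 6] == b"32STUB" else ", for MS Windows"
    return " ".join(parts) + stub

def classify_mz(data: bytes) -> str:
    """One-line verdict mirroring the MZ branch of the magic above."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not an MZ executable"
    if u16(data, 0x18) < 0x40:          # e_lfarlc: plain DOS EXEs keep relocations below 0x40
        return "MS-DOS executable"
    e_lfanew = u32(data, 0x3C)          # offset of the extended (PE/NE/LX/LE) header
    if e_lfanew + 4 > len(data):
        return "MS-DOS executable (extended header beyond end of file)"
    sig = data[e_lfanew:e_lfanew + 4]
    if sig == b"PE\0\0":
        return describe_pe(data, e_lfanew)
    if sig[:2] == b"NE" and e_lfanew + 0x40 <= len(data):
        os_byte = data[e_lfanew + 0x36]
        kind = {0x8002: " (DLL)", 0x8001: " (driver)"}.get(u16(data, e_lfanew + 0x0C) & 0x8003, "")
        return "MS-DOS executable, NE for %s%s" % (NE_OS.get(os_byte, "unknown OS 0x%x" % os_byte), kind)
    return "MS-DOS executable"           # LX/LE/W3 or another subformat, not decoded here

# --- constructed sample headers (minimal, not real programs) ---
DOS_EXE = b"MZ" + bytes(0x16) + struct.pack("<H", 0x1C) + bytes(0x40 - 0x1A)

def build_pe(magic, machine, subsystem, characteristics, clr_rva=0):
    pe = 0x80
    hdr = bytearray(pe + 0x100)
    hdr[0:2] = b"MZ"
    struct.pack_into("<H", hdr, 0x08, 4)        # e_cparhdr: 4 paragraphs of header
    struct.pack_into("<H", hdr, 0x18, 0x40)     # e_lfarlc: relocations at 0x40 -> not plain DOS
    struct.pack_into("<I", hdr, 0x3C, pe)       # e_lfanew
    hdr[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<H", hdr, pe + 4, machine)
    struct.pack_into("<H", hdr, pe + 22, characteristics)
    struct.pack_into("<H", hdr, pe + 24, magic)
    struct.pack_into("<H", hdr, pe + 92, subsystem)
    if magic in CLR_DIR:
        struct.pack_into("<I", hdr, pe + CLR_DIR[magic], clr_rva)
    return bytes(hdr)

def build_ne(os_byte, flags):
    ne = 0x40
    hdr = bytearray(ne + 0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<H", hdr, 0x18, 0x40)
    struct.pack_into("<I", hdr, 0x3C, ne)
    hdr[ne:ne + 2] = b"NE"
    struct.pack_into("<H", hdr, ne + 0x0C, flags)   # 0x8002 = DLL, 0x8001 = driver
    hdr[ne + 0x36] = os_byte
    return bytes(hdr)

if __name__ == "__main__":
    for sample in (DOS_EXE, build_pe(0x010B, 0x14C, 2, 0x2102),
                   build_pe(0x020B, 0x8664, 3, 0x0022, clr_rva=0x2008), build_ne(2, 0x8002)):
        print(classify_mz(sample))
```

Every verdict is computed from an explicit offset, so a reader can check a suspicious file with a hex dump against the same fields the magic reads; the bounds checks are the part the magic gets for free from file(1) and that a hand-written parser must add itself.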
#
>0x35	string	\x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05	\b, aPack compressed
>0xe7	string	LH/2\ Self-Extract	\b, %s
>0x1c	string	UC2X	\b, UCEXE compressed
>0x1c	string	WWP\ 	\b, WWPACK compressed
>0x1c	string	RJSX	\b, ARJ self-extracting archive
>0x1c	string	diet	\b, diet compressed
>0x1c	string	LZ09	\b, LZEXE v0.90 compressed
>0x1c	string	LZ91	\b, LZEXE v0.91 compressed
>0x1c	string	tz	\b, TinyProg compressed
>0x1e	string	Copyright\ 1989-1990\ PKWARE\ Inc.	Self-extracting PKZIP archive
!:mime	application/zip
# Yes, this really is "Copr", not "Corp."
>0x1e	string	PKLITE\ Copr.	Self-extracting PKZIP archive
!:mime	application/zip
# winarj stores a message in the stub instead of the sig in the MZ header
>0x20	search/0xe0	aRJsfX	\b, ARJ self-extracting archive
>0x20	string	AIN
>>0x23	string	2	\b, AIN 2.x compressed
>>0x23	string	<2	\b, AIN 1.x compressed
>>0x23	string	>2	\b, AIN 1.x compressed
>0x24	string	LHa's\ SFX	\b, LHa self-extracting archive
!:mime	application/x-lha
>0x24	string	LHA's\ SFX	\b, LHa self-extracting archive
!:mime	application/x-lha
>0x24	string	\ $ARX	\b, ARX self-extracting archive
>0x24	string	\ $LHarc	\b, LHarc self-extracting archive
>0x20	string	SFX\ by\ LARC	\b, LARC self-extracting archive
>0x40	string	aPKG	\b, aPackage self-extracting archive
>0x64	string	W\ Collis\0\0	\b, Compack compressed
>0x7a	string	Windows\ self-extracting\ ZIP	\b, ZIP self-extracting archive
>>&0xf4	search/0x140	\x0\x40\x1\x0
>>>(&0.l+(4))	string	MSCF	\b, WinHKI CAB self-extracting archive
>1638	string	-lh5-	\b, LHa self-extracting archive v2.13S
>0x17888	string	Rar!	\b, RAR self-extracting archive

# Skip to the end of the EXE.  This will usually work fine in the PE case
# because the MZ image is hardcoded into the toolchain and almost certainly
# won't match any of these signatures.
>(4.s*512)	long	x
>>&(2.s-517)	byte	x
>>>&0	string	PK\3\4	\b, ZIP self-extracting archive
>>>&0	string	Rar!	\b, RAR self-extracting archive
>>>&0	string	=!\x11	\b, AIN 2.x self-extracting archive
>>>&0	string	=!\x12	\b, AIN 2.x self-extracting archive
>>>&0	string	=!\x17	\b, AIN 1.x self-extracting archive
>>>&0	string	=!\x18	\b, AIN 1.x self-extracting archive
>>>&7	search/400	**ACE**	\b, ACE self-extracting archive
>>>&0	search/0x480	UC2SFX\ Header	\b, UC2 self-extracting archive

# a few unknown ZIP sfxes, no idea if they are needed or if they are
# already captured by the generic patterns above
>(8.s*16)	search/0x20	PKSFX	\b, ZIP self-extracting archive (PKZIP)
# TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extracting archive
#

# TELVOX Teleinformatica CODEC self-extractor for OS/2:
>49801	string	\x79\xff\x80\xff\x76\xff	\b, CODEC archive v3.21
>>49824	leshort	=1	\b, 1 file
>>49824	leshort	>1	\b, %u files

# added by Joerg Jenderek of http://www.freedos.org/software/?prog=kc
# and http://www.freedos.org/software/?prog=kpdos
# for FreeDOS files like KEYBOARD.SYS, KEYBRD2.SYS, KEYBRD3.SYS, *.KBD
0	string/b	KCF	FreeDOS KEYBoard Layout collection
# only version=0x100 found
>3	uleshort	x	\b, version 0x%x
# length of string containing author,info and special characters
>6	ubyte	>0
#>>6	pstring	x	\b, name=%s
>>7	string	>\0	\b, author=%-.14s
>>7	search/254	\xff	\b, info=
#>>>&0	string	x	\b%-s
>>>&0	string	x	\b%-.15s
# for FreeDOS *.KL files
0	string/b	KLF	FreeDOS KEYBoard Layout file
# only version=0x100 or 0x101 found
>3	uleshort	x	\b, version 0x%x
# string length
>5	ubyte	>0
>>8	string	x	\b, name=%-.2s
0	string	\xffKEYB\ \ \ \0\0\0\0
>12	string	\0\0\0\0`\004\360	MS-DOS KEYBoard Layout file

# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017
# https://amaus.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009
0	ulequad&0x07a0ffffffff	0xffffffff
>0	use	msdos-driver
0	name	msdos-driver	DOS executable (
#!:mime	application/octet-stream
!:mime	application/x-dosdriver
# also found FreeDOS print driver SPOOL.DEV and disc compression driver STACLOAD.BIN
!:ext	sys/dev/bin
>40	search/7	UPX!	\bUPX compressed
# DOS device driver attributes
>4	uleshort&0x8000	0x0000	\bblock device driver
# character device
>4	uleshort&0x8000	0x8000	\b
>>4	uleshort&0x0008	0x0008	\bclock
# fast video output by int 29h
>>4	uleshort&0x0010	0x0010	\bfast
# standard input/output device
>>4	uleshort&0x0003	>0	\bstandard
>>>4	uleshort&0x0001	0x0001	\binput
>>>4	uleshort&0x0003	0x0003	\b/
>>>4	uleshort&0x0002	0x0002	\boutput
>>4	uleshort&0x8000	0x8000	\bcharacter device driver
>0	ubyte	x
# a UPX compressed device driver has garbage instead of a real name in the name field of the header
>>40	search/7	UPX!
>>40	default	x
# leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped
>>>12	ubyte	>0x2E	\b
>>>>10	ubyte	>0x20
>>>>>10	ubyte	!0x2E
>>>>>>10	ubyte	!0x2A	\b%c
>>>>11	ubyte	>0x20
>>>>>11	ubyte	!0x2E	\b%c
>>>>12	ubyte	>0x20
>>>>>12	ubyte	!0x39
>>>>>>12	ubyte	!0x2E	\b%c
>>>13	ubyte	>0x20
>>>>13	ubyte	!0x2E	\b%c
>>>>14	ubyte	>0x20
>>>>>14	ubyte	!0x2E	\b%c
>>>>15	ubyte	>0x20
>>>>>15	ubyte	!0x2E	\b%c
>>>>16	ubyte	>0x20
>>>>>16	ubyte	!0x2E
>>>>>>16	ubyte	<0xCB	\b%c
>>>>17	ubyte	>0x20
>>>>>17	ubyte	!0x2E
>>>>>>17	ubyte	<0x90	\b%c
# some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field
>>>12	ubyte	<0x2F
# they have their real name at offset 22
# also block device drivers like DUMBDRV.SYS
>>>>22	string	>\056	%-.6s
>4	uleshort&0x8000	0x0000
# 32 bit sector addressing ( > 32 MB) for block devices
>>4	uleshort&0x0002	0x0002	\b,32-bit sector-
# support by driver functions 13h, 17h, 18h
>4	uleshort&0x0040	0x0040	\b,IOCTL-
# open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh
>4	uleshort&0x0800	0x0800	\b,close media-
# output until busy support by int 10h for character device driver
>4	uleshort&0x8000	0x8000
>>4	uleshort&0x2000	0x2000	\b,until busy-
# direct read/write support by driver functions 03h,0Ch
>4	uleshort&0x4000	0x4000	\b,control strings-
>4	uleshort&0x8000	0x8000
>>4	uleshort&0x6840	>0	\bsupport
>4	uleshort&0x8000	0x0000
>>4	uleshort&0x4842	>0	\bsupport
>0	ubyte	x	\b)
# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header
0	ulequad	0x0513c00000000012
>0	use	msdos-driver
# DOS drivers DC2975.SYS, DUMBDRV.SYS, ECHO.SYS also have a pointer field other than 0xffffffff
0	ulequad	0x32f28000ffff0016
>0	use	msdos-driver
0	ulequad	0x007f00000000ffff
>0	use	msdos-driver
0	ulequad	0x001600000000ffff
>0	use	msdos-driver
# DOS drivers LS120.SYS, MKELS120.SYS use reserved bits of attribute field
0	ulequad	0x0bf708c2ffffffff
>0	use	msdos-driver
0	ulequad	0x07bd08c2ffffffff
>0	use	msdos-driver

# updated by Joerg Jenderek
# GRR: line below too general as it catches also
# rt.lib DYADISKS.PIC and many more
# start with assembler instruction MOV
0	ubyte	0x8c
# skip "AppleWorks word processor data" like ARTICLE.1 ./apple
>4	string	!O====
# skip some unknown basic binaries like RocketRnger.SHR
>>5	string	!MAIN
# skip "GPG symmetrically encrypted data" ./gnu
# skip "PGP symmetric key encrypted data" ./pgp
# openpgpdefs.h: fourth byte < 14 indicate cipher algorithm type
>>>4	ubyte	>13	DOS executable (COM, 0x8C-variant)
# the remaining files should be DOS *.COM executables
# dosshell.COM	8cc0 2ea35f07 e85211 e88a11 b80058 cd
# hmload.COM	8cc8 8ec0 bbc02b 89dc 83c30f c1eb04 b4
# UNDELETE.COM	8cca 2e8916 6503 b430 cd21 8b 2e0200 8b
# BOOTFIX.COM	8cca 2e8916 9603 b430 cd21 8b 2e0200 8b
# RAWRITE3.COM	8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
# SHARE.COM	8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
# validchr.COM	8cca 2e8916 9603 b430 cd21 8b 2e028b1e
# devload.COM	8cca 8916ad01 b430 cd21 8b2e0200 892e
!:mime	application/x-dosexec
!:ext	com

# updated by Joerg Jenderek at Oct 2008
0	ulelong	0xffff10eb	DR-DOS executable (COM)
# byte 0xeb conflicts with "sequent" magic leshort 0xn2eb
0	ubeshort&0xeb8d	>0xeb00
# DR-DOS STACKER.COM SCREATE.SYS missed

0	name	msdos-com
>0	byte	x	DOS executable (COM)
>6	string	SFX\ of\ LHarc	\b, %s
>0x1FE	leshort	0xAA55	\b, boot code
>85	string	UPX	\b, UPX compressed
>4	string	\ $ARX	\b, ARX self-extracting archive
>4	string	\ $LHarc	\b, LHarc self-extracting archive
>0x20e	string	SFX\ by\ LARC	\b, LARC self-extracting archive

# JMP 8bit
0	byte	0xeb
# allow forward jumps only
>1	byte	>-1
# that offset must be accessible
>>(1.b+2)	byte	x
>>>0	use	msdos-com

# JMP 16bit
0	byte	0xe9
# forward jumps
>1	short	>-1
# that offset must be accessible
>>(1.s+3)	byte	x
>>>0	use	msdos-com
# negative offset, must not lead into PSP
>1	short	<-259
# that offset must be accessible
>>(1,s+65539)	byte	x
>>>0	use	msdos-com

# updated by Joerg Jenderek at Oct 2008,2015
# following line is too general
0	ubyte	0xb8
# skip 2 linux kernels like memtest.bin with "\xb8\xc0\x07\x8e" in ./linux
>0	string	!\xb8\xc0\x07\x8e
# modified by Joerg Jenderek
# syslinux COM32 or COM32R executable
>>1	lelong&0xFFFFFFFe	0x21CD4CFe	COM executable (32-bit COMBOOT
# http://www.syslinux.org/wiki/index.php/Comboot_API
# Since version 5.00 c32 modules switched from the COM32 object format to ELF
!:mime	application/x-c32-comboot-syslinux-exec
!:ext	c32
# http://syslinux.zytor.com/comboot.php
# older syslinux version ( <4 )
# (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode
# start with assembler instructions mov eax,21cd4cffh
>>>1	lelong	0x21CD4CFf	\b)
# syslinux:doc/comboot.txt
# A COM32R program must start with the byte sequence B8 FE 4C CD 21 (mov
# eax,21cd4cfeh) as a magic number.
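The DOS device driver header test (msdos-driver: next-header pointer 0xffffffff, reserved attribute bits clear, the attribute word decoded bit by bit, the name field at offset 10 or 22) and the COM heuristics (msdos-com reached through forward and wrapped backward jumps, the 0xB8 MOV entries including the COM32/COM32R magic, the 0x8C variant, the int 21h probes and the copy-loop search), re-implemented in Python as an added example. This is not code from file(1) or its magic database; the names describe_driver and classify_com and the sample headers are constructed for illustration, and the individually listed drivers that break the 0xffffffff rule are not special-cased.

```python
"""Added example (not part of file(1) or its magic database): the DOS device
driver header test and the COM heuristics from the magic entries above,
re-implemented in Python. All sample headers are constructed, not real drivers."""
import struct

def u16(b, off): return struct.unpack_from("<H", b, off)[0]
def u32(b, off): return struct.unpack_from("<I", b, off)[0]

def describe_driver(data: bytes):
    """Decode a DOS device driver header; None when the magic would not accept it."""
    if len(data) < 18:
        return None
    next_ptr, attr = u32(data, 0), u16(data, 4)
    # The magic needs next-header pointer 0xffffffff and reserved attribute bits
    # (mask 0x07a0) clear; the drivers that violate that are listed one by one
    # above and are not special-cased here.
    if next_ptr != 0xFFFFFFFF or attr & 0x07A0:
        return None
    info = {"kind": "character" if attr & 0x8000 else "block", "features": []}
    if attr & 0x8000:
        for bit, text in ((0x0008, "clock"), (0x0010, "fast console (int 29h)"),
                          (0x0001, "standard input"), (0x0002, "standard output"),
                          (0x2000, "output until busy")):
            if attr & bit:
                info["features"].append(text)
    else:
        info["units"] = data[10]            # block drivers keep the unit count here
        if attr & 0x0002:
            info["features"].append("32-bit sector addressing")
    for bit, text in ((0x0040, "IOCTL"), (0x0800, "open/close/removable media"),
                      (0x4000, "IOCTL control strings")):
        if attr & bit:
            info["features"].append(text)
    if data[12] > 0x2E:                     # printable name in the 8-byte field at 10
        info["name"] = data[10:18].decode("ascii", "replace").strip(" \0.")
    elif len(data) >= 28:                   # some drivers keep the real name at 22
        info["name"] = data[22:28].decode("ascii", "replace").strip(" \0")
    if b"UPX!" in data[40:50]:              # search/7 UPX! at 40
        info["features"].append("UPX compressed")
    return info

COM32_MAGIC = 0x21CD4CFE   # B8 FE 4C CD 21 = mov eax,21cd4cfeh (COM32R); ...FF is plain COM32
COPY_LOOPS = (b"\xfc\x57\xf3\xa5\xc3", b"\xfc\x57\xf3\xa4\xc3")   # cld; push di; rep movsw|movsb; ret
INT21_OFFSETS = (2, 4, 5, 7, 10, 13, 18, 23, 30, 70)

def classify_com(data: bytes):
    """Return the verdict the COM entries above would give, or None."""
    n = len(data)
    if n < 3:
        return None
    op = data[0]
    if op == 0xEB:                                   # JMP rel8: forward only
        disp = struct.unpack_from("<b", data, 1)[0]
        if disp >= 0 and disp + 2 < n:               # the target byte must exist in the file
            return "DOS executable (COM)"
    elif op == 0xE9:                                 # JMP rel16
        disp = struct.unpack_from("<h", data, 1)[0]
        if disp >= 0 and disp + 3 < n:
            return "DOS executable (COM)"
        # backward jump: must not land in the PSP; the magic accepts disp < -259
        # and then requires the 16-bit wrapped target (65539 + disp) to exist
        if disp < -259 and 65539 + disp < n:
            return "DOS executable (COM)"
    elif op == 0xB8 and n >= 5 and data[:4] != b"\xb8\xc0\x07\x8e":   # MOV AX/EAX,imm; not memtest.bin
        imm = u32(data, 1)
        if (imm & 0xFFFFFFFE) == COM32_MAGIC:
            return "COM executable (32-bit COMBOOT%s)" % (", relocatable" if imm == COM32_MAGIC else "")
        return "COM executable for DOS"
    elif op == 0x8C and n > 8 and data[4] > 13 and data[4:9] != b"O====" and data[5:9] != b"MAIN":
        return "DOS executable (COM, 0x8C-variant)"
    for off in INT21_OFFSETS:                        # INT 21h (CD 21) early in the code
        if data[off:off + 2] == b"\xcd\x21":
            return "COM executable for DOS"
    for sig in COPY_LOOPS:                           # copy loop instead of a jump (search/0xa at 6)
        if sig in data[6:6 + 0xA + len(sig)]:
            return "COM executable for MS-DOS"
    return None

# --- constructed samples ---
CON_HDR = (b"\xff\xff\xff\xff" + struct.pack("<H", 0x801B) + struct.pack("<HH", 0x20, 0x30)
           + b"CON     " + bytes(16))
BLOCK_HDR = (b"\xff\xff\xff\xff" + struct.pack("<H", 0x0842) + struct.pack("<HH", 0x20, 0x30)
             + b"\x02" + bytes(11) + b"BLKDRV" + bytes(6))

if __name__ == "__main__":
    print(describe_driver(CON_HDR))
    print(describe_driver(BLOCK_HDR))
    print(classify_com(b"\xeb\x05" + bytes(10)))
    print(classify_com(b"\xb8\xfe\x4c\xcd\x21" + bytes(8)))
```

The accessibility checks on jump targets are what keeps a stray 0xEB or 0xE9 byte in a short unrelated file from being called a COM program; the same guard is worth keeping in any triage script that borrows these heuristics.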
# syslinux version (4.x)
# "COM executable (COM32R)" or "Syslinux COM32 module" by TrID
>>>1	lelong	0x21CD4CFe	\b, relocatable)
# remaining are DOS COM executables starting with assembler instruction MOV
# like FreeDOS BANNER*.COM FINDDISK.COM GIF2RAW.COM WINCHK.COM
# MS-DOS SYS.COM RESTART.COM
# SYSLINUX.COM (version 1.40 - 2.13)
# GFXBOOT.COM (version 3.75)
# COPYBS.COM POWEROFF.COM INT18.COM
>>1	default	x	COM executable for DOS
!:mime	application/x-dosexec
#!:mime	application/x-ms-dos-executable
#!:mime	application/x-msdos-program
!:ext	com

0	string/b	\x81\xfc
>4	string	\x77\x02\xcd\x20\xb9
>>36	string	UPX!	FREE-DOS executable (COM), UPX compressed
252	string	Must\ have\ DOS\ version	DR-DOS executable (COM)
# added by Joerg Jenderek at Oct 2008
# GRR search is not working
#34	search/2	UPX!	FREE-DOS executable (COM), UPX compressed
34	string	UPX!	FREE-DOS executable (COM), UPX compressed
35	string	UPX!	FREE-DOS executable (COM), UPX compressed
# GRR search is not working
#2	search/28	\xcd\x21	COM executable for MS-DOS
#WHICHFAT.cOM
2	string	\xcd\x21	COM executable for DOS
#DELTREE.cOM DELTREE2.cOM
4	string	\xcd\x21	COM executable for DOS
#IFMEMDSK.cOM ASSIGN.cOM COMP.cOM
5	string	\xcd\x21	COM executable for DOS
#DELTMP.COm HASFAT32.cOM
7	string	\xcd\x21
>0	byte	!0xb8	COM executable for DOS
#COMP.cOM MORE.COm
10	string	\xcd\x21
>5	string	!\xcd\x21	COM executable for DOS
#comecho.com
13	string	\xcd\x21	COM executable for DOS
#HELP.COm EDIT.coM
18	string	\xcd\x21	COM executable for MS-DOS
#NWRPLTRM.COm
23	string	\xcd\x21	COM executable for MS-DOS
#LOADFIX.cOm LOADFIX.cOm
30	string	\xcd\x21	COM executable for MS-DOS
#syslinux.com 3.11
70	string	\xcd\x21	COM executable for DOS
# many compressed/converted COMs start with a copy loop instead of a jump
0x6	search/0xa	\xfc\x57\xf3\xa5\xc3	COM executable for MS-DOS
0x6	search/0xa	\xfc\x57\xf3\xa4\xc3	COM executable for DOS
>0x18	search/0x10	\x50\xa4\xff\xd5\x73	\b, aPack compressed
0x3c	string	W\ Collis\0\0	COM executable for MS-DOS, Compack compressed
# FIXME: missing diet .com compression

# miscellaneous formats
0	string/b	LZ	MS-DOS executable (built-in)
#0	byte	0xf0	MS-DOS program library data
#

# AAF files:
# <stuartc@rd.bbc.co.uk> Stuart Cunningham
0	string/b	\320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377	AAF legacy file using MS Structured Storage
>30	byte	9	(512B sectors)
>30	byte	12	(4kB sectors)
0	string/b	\320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001	AAF file using MS Structured Storage
>30	byte	9	(512B sectors)
>30	byte	12	(4kB sectors)

# Popular applications
2080	string	Microsoft\ Word\ 6.0\ Document	%s
!:mime	application/msword
2080	string	Documento\ Microsoft\ Word\ 6	Spanish Microsoft Word 6 document data
!:mime	application/msword
# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for Polish Word)
2112	string	MSWordDoc	Microsoft Word document data
!:mime	application/msword
#
0	belong	0x31be0000	Microsoft Word Document
!:mime	application/msword
#
0	string/b	PO^Q`	Microsoft Word 6.0 Document
!:mime	application/msword
#
4	long	0
>0	belong	0xfe320000	Microsoft Word for Macintosh 1.0
!:mime	application/msword
!:ext	mcw
>0	belong	0xfe340000	Microsoft Word for Macintosh 3.0
!:mime	application/msword
!:ext	mcw
>0	belong	0xfe37001c	Microsoft Word for Macintosh 4.0
!:mime	application/msword
!:ext	mcw
>0	belong	0xfe370023	Microsoft Word for Macintosh 5.0
!:mime	application/msword
!:ext	mcw

0	string/b	\333\245-\0\0\0	Microsoft Word 2.0 Document
!:mime	application/msword
!:ext	doc
# Note: seems already recognized as "OLE 2 Compound Document" in ./ole2compounddocs
#512	string/b	\354\245\301	Microsoft Word Document
#!:mime	application/msword

#
0	string/b	\xDB\xA5\x2D\x00	Microsoft WinWord 2.0 Document
!:mime	application/msword
#
2080	string	Microsoft\ Excel\ 5.0\ Worksheet	%s
!:mime	application/vnd.ms-excel
#
0	string/b	\xDB\xA5\x2D\x00	Microsoft WinWord 2.0 Document
!:mime	application/msword

2080	string	Foglio\ di\ lavoro\ Microsoft\ Exce	%s
!:mime	application/vnd.ms-excel
#
# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for Polish Excel)
2114	string	Biff5	Microsoft Excel 5.0 Worksheet
!:mime	application/vnd.ms-excel
# Italian MS-Excel
2121	string	Biff5	Microsoft Excel 5.0 Worksheet
!:mime	application/vnd.ms-excel
0	string/b	\x09\x04\x06\x00\x00\x00\x10\x00	Microsoft Excel Worksheet
!:mime	application/vnd.ms-excel
#
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/Lotus_1-2-3
# Reference: http://www.aboutvb.de/bas/formate/pdf/wk3.pdf
# Note: newer Lotus versions >2 use longer BOF record
# record type (BeginningOfFile=0000h) + length (001Ah)
0	belong	0x00001a00
# reserved should be 0h but 8c0dh for TUTMAC.WK3, 5h for SAMPADNS.WK3, 1h for a_readme.wk3, 1eh for K&G86.WK3
#>18	uleshort&0x73E0	0
# Lotus Multi Byte Character Set (LMBCS=1-31)
>20	ubyte	>0
>>20	ubyte	<32	Lotus 1-2-3
#!:mime	application/x-123
!:mime	application/vnd.lotus-1-2-3
!:apple	????L123
# (version 5.26) labeled the entry as "Lotus 1-2-3 wk3 document data"
>>>4	uleshort	0x1000	WorKsheet, version 3
!:ext	wk3
# (version 5.26) labeled the entry as "Lotus 1-2-3 wk4 document data"
>>>4	uleshort	0x1002	WorKsheet, version 4
# also worksheet template 4 (.wt4)
!:ext	wk4/wt4
# no example or documentation for wk5
#>>4	uleshort	0x????	WorKsheet, version 4
#!:ext	wk5
# only MacrotoScript.123 example
>>>4	uleshort	0x1003	WorKsheet, version 97
# also worksheet template Smartmaster (.12M)?
!:ext	123
# only Set_Y2K.123 example
>>>4	uleshort	0x1005	WorKsheet, version 9.8 Millennium
!:ext	123
# no example for this version
>>>4	uleshort	0x8001	FoRMatting data
!:ext	frm
# (version 5.26) labeled the entry as "Lotus 1-2-3 fm3 or fmb document data"
# TrID labels the entry as "Formatting Data for Lotus 1-2-3 worksheet"
>>>4	uleshort	0x8007	ForMatting data, version 3
!:ext	fm3
>>>4	default	x	unknown
# file revision sub code 0004h for worksheets
>>>>6	uleshort	=0x0004	worksheet
!:ext	wXX
>>>>6	uleshort	!0x0004	formatting data
!:ext	fXX
# main revision number
>>>>4	uleshort	x	\b, revision 0x%x
>>>6	uleshort	=0x0004	\b, cell range
# active cellcoord range (start row, page,column ; end row, page, column)
# start values normally 0~1st sheet A1
>>>>8	ulelong	!0
>>>>>10	ubyte	>0	\b%d*
>>>>>8	uleshort	x	\b%d,
>>>>>11	ubyte	x	\b%d-
# end page mostly 0
>>>>14	ubyte	>0	\b%d*
# end row, column normally not 0
>>>>12	uleshort	x	\b%d,
>>>>15	ubyte	x	\b%d
# Lotus Multi Byte Character Set (1~cp850,2~cp851,...,16~japan,...,31~??)
>>>>20	ubyte	>1	\b, character set 0x%x
# flags
>>>>21	ubyte	x	\b, flags 0x%x
>>>6	uleshort	!0x0004
# record type (FONTNAME=00AEh)
>>>>30	search/29	\0\xAE
# variable length m (2) + entries (1) + ?? (1) + LCMBS string (n)
>>>>>&4	string	>\0	\b, 1st font "%s"
#
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/Lotus_1-2-3
# Reference: http://www.schnarff.com/file-formats/lotus-1-2-3/WSFF2.TXT
# Note: Used by both old Lotus 1-2-3 and Lotus Symphony (DOS) until version 2.x
# record type (BeginningOfFile=0000h) + length (0002h)
0	belong	0x00000200
# GRR: line above is too general as it catches also MS Windows CURsor
# to display MS Windows cursor (strength=70) before Lotus 1-2-3 (strength=70-1)
!:strength	-1
# skip Windows cursors with image height <256 and keep Lotus with low opcode 0001-0083h
>7	ubyte	0
# skip Windows cursors with image width 256 and keep Lotus with positive opcode
>>6	ubyte	>0	Lotus
# !:mime	application/x-123
!:mime	application/vnd.lotus-1-2-3
!:apple	????L123
# revision number (0404h = 123 1A, 0405h = Lotus Symphony , 0406h = 123 2.x wk1 , 8006h = fmt , ...)
# undocumented; (version 5.26) labeled the configurations as "Lotus 1-2-3"
>>>4	uleshort	0x0007	1-2-3 CoNFiguration, version 2.x (PGRAPH.CNF)
!:ext	cnf
>>>4	uleshort	0x0C05	1-2-3 CoNFiguration, version 2.4J
!:ext	cnf
>>>4	uleshort	0x0801	1-2-3 CoNFiguration, version 1-2.1
!:ext	cnf
>>>4	uleshort	0x0802	Symphony CoNFiguration
!:ext	cnf
>>>4	uleshort	0x0804	1-2-3 CoNFiguration, version 2.2
!:ext	cnf
>>>4	uleshort	0x080A	1-2-3 CoNFiguration, version 2.3-2.4
!:ext	cnf
>>>4	uleshort	0x1402	1-2-3 CoNFiguration, version 3.x
!:ext	cnf
>>>4	uleshort	0x1450	1-2-3 CoNFiguration, version 4.x
!:ext	cnf
# (version 5.26) labeled the entry as "Lotus 123"
# TrID labels the entry as "Lotus 123 Worksheet (generic)"
>>>4	uleshort	0x0404	1-2-3 WorKSheet, version 1
# extension "wks" also for Microsoft Works document
!:ext	wks
# (version 5.26) labeled the entry as "Lotus 123"
# TrID labels the entry as "Lotus 123 Worksheet (generic)"
>>>4	uleshort	0x0405	Symphony WoRksheet, version 1.0
!:ext	wrk/wr1
# (version 5.26) labeled the entry as "Lotus 1-2-3 wk1 document data"
# TrID labels the entry as "Lotus 123 Worksheet (V2)"
>>>4	uleshort	0x0406	1-2-3/Symphony worksheet, version 2
# Symphony (.wr1)
!:ext	wk1/wr1
# no example for this japan version
>>>4	uleshort	0x0600	1-2-3 WorKsheet, version 1.xJ
!:ext	wj1
# no example or documentation for wk2
#>>>4	uleshort	0x????	1-2-3 WorKsheet, version 2
#!:ext	wk2
# undocumented japan version
>>>4	uleshort	0x0602	1-2-3 worksheet, version 2.4J
!:ext	wj3
# (version 5.26) labeled the entry as "Lotus 1-2-3 fmt document data"
>>>4	uleshort	0x8006	1-2-3 ForMaTting data, version 2.x
# japan version 2.4J (fj3)
!:ext	fmt/fj3
# no example for this version
>>>4	uleshort	0x8007	1-2-3 FoRMatting data, version 2.0
!:ext	frm
# (version 5.26) labeled the entry as "Lotus 1-2-3"
>>>4	default	x	unknown worksheet or configuration
!:ext	cnf
>>>>4	uleshort	x	\b, revision 0x%x
# 2nd record for most worksheets describes cells range
>>>6	use	lotus-cells
# 3rd record for most japan worksheets describes cells range
>>>(8.s+10)	use	lotus-cells
# check and then display Lotus worksheet cells range
0	name	lotus-cells
# look for type (RANGE=0006h) + length (0008h) at record begin
>0	ubelong	0x06000800	\b, cell range
# cell range (start column, row, end column, row) start values normally 0,0~A1 cell
>>4	ulong	!0
>>>4	uleshort	x	\b%d,
>>>6	uleshort	x	\b%d-
# end of cell range
>>8	uleshort	x	\b%d,
>>10	uleshort	x	\b%d
# EndOfLotus123
0	string/b	WordPro\0	Lotus WordPro
!:mime	application/vnd.lotus-wordpro
0	string/b	WordPro\r\373	Lotus WordPro
!:mime	application/vnd.lotus-wordpro


# Summary: Script used by InstallShield to uninstall applications
# Extension: .isu
# Submitted by: unknown
# Modified by (1): Abel Cheung <abelcheung@gmail.com> (replace useless entry)
0	string	\x71\xa8\x00\x00\x01\x02
>12	string	Stirling\ Technologies,	InstallShield Uninstall Script

# Winamp .avs
#0	string	Nullsoft\ AVS\ Preset\ \060\056\061\032	A plug in for Winamp ms-windows Freeware media player
0	string/b	Nullsoft\ AVS\ Preset\ 	Winamp plug in

# Windows Metafile .WMF
0	string/b	\327\315\306\232	Windows metafile
!:mime	image/wmf
!:ext	wmf
0	string/b	\002\000\011\000	Windows metafile
!:mime	image/wmf
!:ext	wmf
0	string/b	\001\000\011\000	Windows metafile
!:mime	image/wmf
!:ext	wmf

#tz3 files whatever that is (MS Works files)
0	string/b	\003\001\001\004\070\001\000\000	tz3 ms-works file
0	string/b	\003\002\001\004\070\001\000\000	tz3 ms-works file
0	string/b	\003\003\001\004\070\001\000\000	tz3 ms-works file

# PGP sig files .sig
#0 string \211\000\077\003\005\000\063\237\127 065 to \027\266\151\064\005\045\101\233\021\002 PGP sig
0	string	\211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002	PGP sig
0	string	\211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002	PGP sig
0	string	\211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002	PGP sig
0	string	\211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002	PGP sig
0	string	\211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002	PGP sig
0	string	\211\000\225\003\005\000\062\122\207\304\100\345\042	PGP sig

# windows zips files .dmf
0	string/b	MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000	MS Windows special zipped file


#ico files
0	string/b	\102\101\050\000\000\000\056\000\000\000\000\000\000\000	Icon for MS Windows

# Windows icons
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
# Note: similar to Windows CURsor. container for BMP (only DIB part) or PNG
0	belong	0x00000100
>9	byte	0
>>0	byte	x
>>0	use	cur-ico-dir
>9	ubyte	0xff
>>0	byte	x
>>0	use	cur-ico-dir
# displays number of icons and information for icon or cursor
0	name	cur-ico-dir
# skip some Lotus 1-2-3 worksheets, CYCLE.PIC and keep Windows cursors with
# 1st data offset = dir header size + n * dir entry size = 6 + n * 10h = ?6h
>18	ulelong	&0x00000006
# skip remaining worksheets, because valid only for DIB image (40) or PNG image (\x89PNG)
>>(18.l)	ulelong	x	MS Windows
>>>0	ubelong	0x00000100	icon resource
#!:mime	image/vnd.microsoft.icon
!:mime	image/x-icon
!:ext	ico
>>>>4	uleshort	x	- %d icon
# plural s
>>>>4	uleshort	>1	\bs
# 1st icon
>>>>0x06	use	ico-entry
# 2nd icon
>>>>4	uleshort	>1
>>>>>0x16	use	ico-entry
>>>0	ubelong	0x00000200	cursor resource
#!:mime	image/x-cur
!:mime	image/x-win-bitmap
!:ext	cur
>>>>4	uleshort	x	- %d icon
>>>>4	uleshort	>1	\bs
# 1st cursor
>>>>0x06	use	cur-entry
#>>>>0x16	use	cur-entry
# display information of one cursor entry
0	name	cur-entry
>0	use	cur-ico-entry
>4	uleshort	x	\b, hotspot @%dx
>6	uleshort	x	\b%d
# display information of one icon entry
0	name	ico-entry
>0	use	cur-ico-entry
# normally 0 1 but also found 14
>4	uleshort	>1	\b, %d planes
# normally 0 1 but also found some 3, 4, some 6, 8, 24, many 32, two 256
>6	uleshort	>1	\b, %d bits/pixel
# display shared information of cursor or icon entry
0	name	cur-ico-entry
>0	byte	=0	\b, 256x
>0	byte	!0	\b, %dx
>1	byte	=0	\b256
>1	byte	!0	\b%d
# number of colors in palette
>2	ubyte	!0	\b, %d colors
# reserved 0 FFh
#>3	ubyte	x	\b, reserved %x
#>8	ulelong	x	\b, image size %d
# offset of PNG or DIB image
#>12	ulelong	x	\b, offset 0x%x
# PNG header (\x89PNG)
>(12.l)	ubelong	=0x89504e47
>>&-4	indirect	x	\b with
# DIB image
>(12.l)	ubelong
!0x89504e47 896#>>&-4 use dib-image 897 898# Windows non-animated cursors 899# Update: Joerg Jenderek 900# URL: https://en.wikipedia.org/wiki/CUR_(file_format) 901# Note: similar to Windows ICOn. container for BMP ( only DIB part) 902# GRR: line below is too general as it catches also Lotus 1-2-3 files 9030 belong 0x00000200 904>9 byte 0 905>>0 use cur-ico-dir 906>9 ubyte 0xff 907>>0 use cur-ico-dir 908 909# .chr files 9100 string/b PK\010\010BGI Borland font 911>4 string >\0 %s 912# then there is a copyright notice 913 914 915# .bgi files 9160 string/b pk\010\010BGI Borland device 917>4 string >\0 %s 918# then there is a copyright notice 919 920 921# Windows Recycle Bin record file (named INFO2) 922# By Abel Cheung (abelcheung AT gmail dot com) 923# Version 4 always has 280 bytes (0x118) per record, version 5 has 800 bytes 924# Since Vista uses another structure, INFO2 structure probably won't change 925# anymore. Detailed analysis in: 926# http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf 9270 lelong 0x00000004 928>12 lelong 0x00000118 Windows Recycle Bin INFO2 file (Win98 or below) 929 9300 lelong 0x00000005 931>12 lelong 0x00000320 Windows Recycle Bin INFO2 file (Win2k - WinXP) 932 933# From Doug Lee via a FreeBSD pr 9349 string GERBILDOC First Choice document 9359 string GERBILDB First Choice database 9369 string GERBILCLIP First Choice database 9370 string GERBIL First Choice device file 9389 string RABBITGRAPH RabbitGraph file 9390 string DCU1 Borland Delphi .DCU file 9400 string =!<spell> MKS Spell hash list (old format) 9410 string =!<spell2> MKS Spell hash list 942# Too simple - MPi 943#0 string AH Halo(TM) bitmapped font file 9440 lelong 0x08086b70 TurboC BGI file 9450 lelong 0x08084b50 TurboC Font file 946 947# Debian#712046: The magic below identifies "Delphi compiled form data". 
948# An additional source of information is available at: 949# http://www.woodmann.com/fravia/dafix_t1.htm 9500 string TPF0 951>4 pstring >\0 Delphi compiled form '%s' 952 953# tests for DBase files moved, updated and merged to database 954 9550 string PMCC Windows 3.x .GRP file 9561 string RDC-meg MegaDots 957>8 byte >0x2F version %c 958>9 byte >0x2F \b.%c file 9590 lelong 0x4C 960>4 lelong 0x00021401 Windows shortcut file 961 962# .PIF files added by Joerg Jenderek from http://smsoft.ru/en/pifdoc.htm 963# only for windows versions equal or greater 3.0 9640x171 string MICROSOFT\ PIFEX\0 Windows Program Information File 965!:mime application/x-dosexec 966#>2 string >\0 \b, Title:%.30s 967>0x24 string >\0 \b for %.63s 968>0x65 string >\0 \b, directory=%.64s 969>0xA5 string >\0 \b, parameters=%.64s 970#>0x181 leshort x \b, offset %x 971#>0x183 leshort x \b, offsetdata %x 972#>0x185 leshort x \b, section length %x 973>0x187 search/0xB55 WINDOWS\ VMM\ 4.0\0 974>>&0x5e ubyte >0 975>>>&-1 string <PIFMGR.DLL \b, icon=%s 976#>>>&-1 string PIFMGR.DLL \b, icon=%s 977>>>&-1 string >PIFMGR.DLL \b, icon=%s 978>>&0xF0 ubyte >0 979>>>&-1 string <Terminal \b, font=%.32s 980#>>>&-1 string =Terminal \b, font=%.32s 981>>>&-1 string >Terminal \b, font=%.32s 982>>&0x110 ubyte >0 983>>>&-1 string <Lucida\ Console \b, TrueTypeFont=%.32s 984#>>>&-1 string =Lucida\ Console \b, TrueTypeFont=%.32s 985>>>&-1 string >Lucida\ Console \b, TrueTypeFont=%.32s 986#>0x187 search/0xB55 WINDOWS\ 286\ 3.0\0 \b, Windows 3.X standard mode-style 987#>0x187 search/0xB55 WINDOWS\ 386\ 3.0\0 \b, Windows 3.X enhanced mode-style 988>0x187 search/0xB55 WINDOWS\ NT\ \ 3.1\0 \b, Windows NT-style 989#>0x187 search/0xB55 WINDOWS\ NT\ \ 4.0\0 \b, Windows NT-style 990>0x187 search/0xB55 CONFIG\ \ SYS\ 4.0\0 \b +CONFIG.SYS 991#>>&06 string x \b:%s 992>0x187 search/0xB55 AUTOEXECBAT\ 4.0\0 \b +AUTOEXEC.BAT 993#>>&06 string x \b:%s 994 995# DOS EPS Binary File Header 996# From: Ed Sznyter <ews@Black.Market.NET> 9970 
belong 0xC5D0D3C6 DOS EPS Binary File 998!:mime image/x-eps 999>4 long >0 Postscript starts at byte %d 1000>>8 long >0 length %d 1001>>>12 long >0 Metafile starts at byte %d 1002>>>>16 long >0 length %d 1003>>>20 long >0 TIFF starts at byte %d 1004>>>>24 long >0 length %d 1005 1006# TNEF magic From "Joomy" <joomy@se-ed.net> 1007# Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF) 10080 lelong 0x223e9f78 TNEF 1009!:mime application/vnd.ms-tnef 1010 1011# Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C 1012# of http://www.davep.org/norton-guides/ng2h-105.tgz 1013# http://en.wikipedia.org/wiki/Norton_Guides 10140 string NG\0\001 1015# only value 0x100 found at offset 2 1016>2 ulelong 0x00000100 Norton Guide 1017# Title[40] 1018>>8 string >\0 "%-.40s" 1019#>>6 uleshort x \b, MenuCount=%u 1020# szCredits[5][66] 1021>>48 string >\0 \b, %-.66s 1022>>114 string >\0 %-.66s 1023 1024# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS 1025# of http://www.4dos.info/ 1026# pointer,HelpID[8]=4DHnnnmm 10270 ulelong 0x48443408 4DOS help file 1028>4 string x \b, version %-4.4s 1029 1030# old binary Microsoft (.HLP) files added by Joerg Jenderek from http://file-extension.net/seeker/file_extension_hlp 10310 ulequad 0x3a000000024e4c MS Advisor help file 1032 1033# HtmlHelp files (.chm) 10340 string/b ITSF\003\000\000\000\x60\000\000\000 MS Windows HtmlHelp Data 1035 1036# GFA-BASIC (Wolfram Kleff) 10372 string/b GFA-BASIC3 GFA-BASIC 3 data 1038 1039#------------------------------------------------------------------------------ 1040# From Stuart Caie <kyzer@4u.net> (developer of cabextract) 1041# Update: Joerg Jenderek 1042# URL: https://en.wikipedia.org/wiki/Cabinet_(file_format) 1043# Reference: https://msdn.microsoft.com/en-us/library/bb267310.aspx 1044# Note: verified by `7z l *.cab` 1045# Microsoft Cabinet files 10460 string/b MSCF\0\0\0\0 Microsoft Cabinet archive data 1047# 1048# 
https://support.microsoft.com/en-us/help/973559/frequently-asked-questions-about-the-microsoft-support-diagnostic-tool 1049# CAB with *.{diagcfg,diagpkg} is used by Microsoft Support Diagnostic Tool MSDT.EXE 1050# because some archive does not have *.diag* as 1st or 2nd archive member like 1051# O15CTRRemove.diagcab or AzureStorageAnalyticsLogs_global.DiagCab 1052# brute looking after header for filenames with diagcfg or diagpkg extension in CFFILE section 1053>0x2c search/980/c .diag \b, Diagnostic 1054!:mime application/vnd.ms-cab-compressed 1055!:ext diagcab 1056# http://fileformats.archiveteam.org/wiki/PUZ 1057# Microsoft Publisher version about 2003 has a "Pack and Go" feature that 1058# bundles a Publisher document *PNG.pub with all links into a CAB 1059>0x2c search/300/c png.pub\0 \b, Publisher Packed and Go 1060!:mime application/vnd.ms-cab-compressed 1061!:ext puz 1062# ppz variant with Microsoft PowerPoint Viewer ppview32.exe to play PowerPoint presentation 1063>0x2c search/17/c ppview32.exe\0 \b, PowerPoint Viewer Packed and Go 1064!:mime application/vnd.ms-powerpoint 1065#!:mime application/mspowerpoint 1066!:ext ppz 1067# http://www.incredimail.com/ 1068# IncrediMail CAB contains an initialisation file "content.ini" like in im2.ims 1069>0x2c search/3369/c content.ini\0 \b, IncrediMail 1070!:mime application/x-incredimail 1071# member Flavor.htm implies IncrediMail ecard like in tell_a_friend.imf 1072>>0x2c search/83/c Flavor.htm\0 ecard 1073!:ext imf 1074# member Macromedia Flash data *.swf implies IncrediMail skin like in im2.ims 1075>>0x2c search/211/c .swf\0 skin 1076!:ext ims 1077# member anim.im3 implies IncrediMail animation like in letter_fold.ima 1078>>0x2c search/92/c anim.im3\0 animation 1079!:ext ima 1080# other IncrediMail cab archive 1081>>0x2c default x 1082>>>0x2c search/116/c thumb ecard, image, notifier or skin 1083!:ext imf/imi/imn/ims 1084# http://file-extension.net/seeker/file_extension_ime 1085>>>0x2c default x emoticons or sound 
1086!:ext ime/imw 1087# no Diagnostic and IncrediMail 1088>0x2c default x 1089# look for 1st member name 1090>>(16.l+16) ubyte x 1091# https://en.wikipedia.org/wiki/SNP_file_format 1092>>>&-1 string/c _accrpt_.snp \b, Access report snapshot 1093!:mime application/msaccess 1094!:ext snp 1095# https://www.cabextract.org.uk/wince_cab_format/ 1096# extension of DOS 8+3 name with ".000" of 1st archive member name implies Windows CE installer 1097>>>&7 string =.000 \b, WinCE install 1098!:mime application/vnd.ms-cab-compressed 1099!:ext cab 1100 1101# http://support.microsoft.com/kb/934307/en-US 1102# All inspected MSU contain a file with name WSUSSCAN.cab 1103# that is called "Windows Update meta data" by Microsoft 1104>>>&-1 string/c wsusscan.cab \b, Microsoft Standalone Update 1105!:mime application/vnd.ms-cab-compressed 1106!:ext msu 1107>>>&-1 default x 1108# look at point charcter of 1st archive member name for file name extension 1109>>>>&-1 search/255 . 1110# http://www.pptfaq.com/FAQ00164_What_is_a_PPZ_file-.htm 1111# PPZ were created using Pack & Go feature of PowerPoint versions 97 - 2002 1112# packs optional files, a PowerPoint presentation *.ppt with optional PLAYLIST.LST to CAB 1113>>>>>&0 string/c ppt\0 \b, PowerPoint Packed and Go 1114!:mime application/vnd.ms-powerpoint 1115#!:mime application/mspowerpoint 1116!:ext ppz 1117# https://msdn.microsoft.com/en-us/library/windows/desktop/bb773190(v=vs.85).aspx 1118# first member *.theme implies Windows 7 Theme Pack like in CommunityShowcaseAqua3.themepack 1119# or Windows 8 Desktop Theme Pack like in PanoramicGlaciers.deskthemepack 1120>>>>>&0 string/c theme \b, Windows 1121!:mime application/x-windows-themepack 1122# http://www.drewkeller.com/content/using-theme-both-windows-7-and-windows-8 1123# 1st member Panoramic.theme or Panoramas.theme implies Windows 8-10 Theme Pack 1124# with MTSM=RJSPBS in [MasterThemeSelector] inside *.theme 1125>>>>>>(16.l+16) string =Panoram 8 1126!:ext deskthemepack 
1127>>>>>>(16.l+16) string !Panoram 7 or 8 1128!:ext themepack/deskthemepack 1129>>>>>>(16.l+16) ubyte x Theme Pack 1130>>>>>&0 default x 1131# look for null terminator of 1st member name 1132>>>>>>&0 search/255 \0 1133# 2nd member name WSUSSCAN.cab like in Microsoft-Windows-MediaFeaturePack-OOB-Package.msu 1134>>>>>>>&16 string/c wsusscan.cab \b, Microsoft Standalone Update 1135!:mime application/vnd.ms-cab-compressed 1136!:ext msu 1137>>>>>>>&16 default x 1138# archive with more then one file need some output in version 5.32 to avoid error message like 1139# Magdir/msdos, 1138: Warning: Current entry does not yet have a description for adding a MIME type 1140# Magdir/msdos, 1139: Warning: Current entry does not yet have a description for adding a EXTENSION type 1141# file: could not find any valid magic files! 1142>>>>>>>>28 uleshort >1 \b, many 1143!:mime application/vnd.ms-cab-compressed 1144!:ext cab 1145# remaining archives with just one file 1146>>>>>>>>28 uleshort =1 1147# neither extra bytes nor cab chain implies Windows 2000,XP setup files in directory i386 1148>>>>>>>>>30 uleshort =0x0000 \b, Windows 2000/XP setup 1149# cut of last char of source extension and add underscore to generate extension 1150# TERMCAP._ ... FXSCOUNT.H_ ... L3CODECA.AC_ ... 
NPDRMV2.ZI_ 1151!:mime application/vnd.ms-cab-compressed 1152!:ext _/?_/??_ 1153# archive need some output like "single" in version 5.32 to avoid error messages 1154>>>>>>>>>30 uleshort !0x0000 \b, single 1155!:mime application/vnd.ms-cab-compressed 1156!:ext cab 1157# TODO: additional extensions like 1158# .xsn InfoPath Dynamic Form 1159# .xtp InfoPath Template Part 1160# .lvf Logitech Video Effects Face Accessory 1161>8 ulelong x \b, %u bytes 1162>28 uleshort 1 \b, 1 file 1163>28 uleshort >1 \b, %u files 1164# Reserved fields, set to zero 1165#>4 belong !0 \b, reserved1 %x 1166#>12 belong !0 \b, reserved2 %x 1167# offset of the first CFFILE entry coffFiles: minimal 2Ch 1168>16 ulelong x \b, at 0x%x 1169>(16.l) use cab-file 1170# at least also 2nd member 1171>28 uleshort >1 1172>>(16.l+16) ubyte x 1173>>>&0 search/255 \0 1174# second member info 1175>>>>&0 use cab-file 1176#>20 belong !0 \b, reserved %x 1177# Cabinet file format version. Currently, versionMajor = 1 and versionMinor = 3 1178>24 ubeshort !0x0301 \b version 0x%x 1179# number of CFFOLDER entries 1180>26 uleshort >1 \b, %u cffolders 1181# cabinet file option indicators 1~PREVIOUS, 2~NEXT, 4~reserved fields 1182# only found for flags 0 1 2 3 4 not 7 1183>30 uleshort >0 \b, flags 0x%x 1184# Cabinet files have a 16-bit cabinet setID field that is designed for application use. 
1185# default is zero, however, the -i option of cabarc can be used to set this field 1186>32 uleshort >0 \b, ID %u 1187# iCabinet is number of this cabinet file in a set, where 0 for the first cabinet 1188#>34 uleshort x \b, iCabinet %u 1189# add one for display because humans start numbering by 1 and also fit to name of disk szDisk* 1190>34 uleshort+1 x \b, number %u 1191>30 uleshort &0x0004 \b, extra bytes 1192# cbCFHeader optional size of per-cabinet reserved area 14h 1800h 1193>>36 uleshort >0 %u in head 1194# cbCFFolder is optional size of per-folder reserved area 1195>>38 ubyte >0 %u in folder 1196# cbCFData is optional size of per-datablock reserved area 1197>>39 ubyte >0 %u in data block 1198# optional per-cabinet reserved area abReserve[cbCFHeader] 1199>>36 uleshort >0 1200# 1st CFFOLDER after reserved area in header 1201>>>(36.s+40) use cab-folder 1202# no reserved area in header 1203>30 uleshort ^0x0004 1204# no previous and next cab archive 1205>>30 uleshort =0x0000 1206>>>36 use cab-folder 1207# only previous cab archive 1208>>30 uleshort =0x0001 \b, previous 1209>>>36 use cab-anchor 1210# only next cab archive 1211>>30 uleshort =0x0002 \b, next 1212>>>36 use cab-anchor 1213# previous+next cab archive 1214# can not use sub routine cab-anchor to display previous and next cabinet together 1215#>>>36 use cab-anchor 1216#>>>>&0 use cab-anchor 1217>>30 uleshort =0x0003 \b, previous 1218>>>36 string x %s 1219# optional name of previous disk szDisk* 1220>>>>&1 string x disk %s 1221>>>>>&1 string x \b, next %s 1222# optional name of previous disk szDisk* 1223>>>>>>&1 string x disk %s 1224>>>>>>>&1 use cab-folder 1225# display filename and disk name of previous or next cabinet 12260 name cab-anchor 1227# optional name of previous/next cabinet file szCabinet*[255] 1228>&0 string x %s 1229# optional name of previous/next disk szDisk*[255] 1230>>&1 string x disk %s 1231# display folder structure CFFOLDER information like compression of cabinet 12320 name 
cab-folder 1233# offset of the CFDATA block in this folder 1234#>0 ulelong x \b, coffCabStart 0x%x 1235# number of CFDATA blocks in folder 1236>4 uleshort x \b, %u datablock 1237# plural s 1238>4 uleshort >1 \bs 1239# compression typeCompress: 0~None 1~MSZIP 0x1503~LZX:21 0x1003~LZX:16 0x0f03~LZX:15 1240>6 uleshort x \b, 0x%x compression 1241# optional per-folder reserved area 1242#>8 ubequad x \b, abReserve 0x%llx 1243# display member structure CFFILE information like member name of cabinet 12440 name cab-file 1245# cbFile is uncompressed size of file in bytes 1246#>0 ulelong x \b, cbFile %u 1247# uoffFolderStart is uncompressed offset of file in folder 1248#>4 ulelong >0 \b, uoffFolderStart 0x%x 1249# iFolder is index into the CFFOLDER area. 0 indicates first folder in cabinet 1250# define ifoldCONTINUED_FROM_PREV (0xFFFD) 1251# define ifoldCONTINUED_TO_NEXT (0xFFFE) 1252# define ifoldCONTINUED_PREV_AND_NEXT (0xFFFF) 1253>8 uleshort >0 \b, iFolder 0x%x 1254# date stamp for file 1255#>10 uleshort x \b, date 0x%x 1256# time stamp for file 1257#>12 uleshort x \b, time 0x%x 1258# attribs is attribute flags for file 1259# define _A_RDONLY (0x01) file is read-only 1260# define _A_HIDDEN (0x02) file is hidden 1261# define _A_SYSTEM (0x04) file is a system file 1262# define _A_ARCH (0x20) file modified since last backup 1263# example http://sebastien.kirche.free.fr/pebuilder_plugins/depends.cab 1264# define _A_EXEC (0x40) run after extraction 1265# define _A_NAME_IS_UTF (0x80) szName[] contains UTF 1266# define UNKNOWN (0x0100) undocumented or accident 1267#>14 uleshort x \b, attribs 0x%x 1268>14 uleshort >0 + 1269>>14 uleshort &0x0001 \bR 1270>>14 uleshort &0x0002 \bH 1271>>14 uleshort &0x0004 \bS 1272>>14 uleshort &0x0020 \bA 1273>>14 uleshort &0x0040 \bX 1274>>14 uleshort &0x0080 \bUtf 1275# unknown 0x0100 flag found on one XP_CD:\I386\DRIVER.CAB 1276>>14 uleshort &0x0100 \b? 
1277# szName is name of archive member 1278>16 string x "%s" 1279# next archive member name if more files 1280#>>&17 string >\0 \b, NEXT NAME %-.50s 1281 1282# InstallShield Cabinet files 12830 string/b ISc( InstallShield Cabinet archive data 1284>5 byte&0xf0 =0x60 version 6, 1285>5 byte&0xf0 !0x60 version 4/5, 1286>(12.l+40) lelong x %u files 1287 1288# Windows CE package files 12890 string/b MSCE\0\0\0\0 Microsoft WinCE install header 1290>20 lelong 0 \b, architecture-independent 1291>20 lelong 103 \b, Hitachi SH3 1292>20 lelong 104 \b, Hitachi SH4 1293>20 lelong 0xA11 \b, StrongARM 1294>20 lelong 4000 \b, MIPS R4000 1295>20 lelong 10003 \b, Hitachi SH3 1296>20 lelong 10004 \b, Hitachi SH3E 1297>20 lelong 10005 \b, Hitachi SH4 1298>20 lelong 70001 \b, ARM 7TDMI 1299>52 leshort 1 \b, 1 file 1300>52 leshort >1 \b, %u files 1301>56 leshort 1 \b, 1 registry entry 1302>56 leshort >1 \b, %u registry entries 1303 1304 1305# Windows Enhanced Metafile (EMF) 1306# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp 1307# for further information. 13080 ulelong 1 1309>40 string \ EMF Windows Enhanced Metafile (EMF) image data 1310>>44 ulelong x version 0x%x 1311 1312 13130 string/b \224\246\056 Microsoft Word Document 1314!:mime application/msword 1315 1316512 string R\0o\0o\0t\0\ \0E\0n\0t\0r\0y Microsoft Word Document 1317!:mime application/msword 1318 1319# From: "Nelson A. de Oliveira" <naoliv@gmail.com> 1320# Magic type for Dell's BIOS .hdr files 1321# Dell's .hdr 13220 string/b $RBU 1323>23 string Dell %s system BIOS 1324>5 byte 2 1325>>48 byte x version %d. 1326>>49 byte x \b%d. 
1327>>50 byte x \b%d 1328>5 byte <2 1329>>48 string x version %.3s 1330 1331# Type: Microsoft Document Imaging Format (.mdi) 1332# URL: http://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format 1333# From: Daniele Sempione <scrows@oziosi.org> 1334# Too weak (EP) 1335#0 short 0x5045 Microsoft Document Imaging Format 1336 1337# MS eBook format (.lit) 13380 string/b ITOLITLS Microsoft Reader eBook Data 1339>8 lelong x \b, version %u 1340!:mime application/x-ms-reader 1341 1342# Windows CE Binary Image Data Format 1343# From: Dr. Jesus <j@hug.gs> 13440 string/b B000FF\n Windows Embedded CE binary image 1345 1346# Windows Imaging (WIM) Image 13470 string/b MSWIM\000\000\000 Windows imaging (WIM) image 13480 string/b WLPWM\000\000\000 Windows imaging (WIM) image, wimlib pipable format 1349 1350# The second byte of these signatures is a file version; I don't know what, 1351# if anything, produced files with version numbers 0-2. 1352# From: John Elliott <johne@seasip.demon.co.uk> 13530 string \xfc\x03\x00 Mallard BASIC program data (v1.11) 13540 string \xfc\x04\x00 Mallard BASIC program data (v1.29+) 13550 string \xfc\x03\x01 Mallard BASIC protected program data (v1.11) 13560 string \xfc\x04\x01 Mallard BASIC protected program data (v1.29+) 1357 13580 string MIOPEN Mallard BASIC Jetsam data 13590 string Jetsam0 Mallard BASIC Jetsam index data 1360 1361# DOS backup 2.0 to 3.2 1362 1363# backupid.@@@ 1364 1365# plausibility check for date 13660x3 ushort >1979 1367>0x5 ubyte-1 <31 1368>>0x6 ubyte-1 <12 1369# actually 121 nul bytes 1370>>>0x7 string \0\0\0\0\0\0\0\0 1371>>>>0x1 ubyte x DOS 2.0 backup id file, sequence %d 1372!:ext @@@ 1373>>>>0x0 ubyte 0xff \b, last disk 1374 1375# backed up file 1376 1377# skip some AppleWorks word like Tomahawk.Awp, WIN98SE-DE.vhd 1378# by looking for trailing nul of maximal file name string 13790x52 ubyte 0 1380# test for flag byte: FFh~complete file, 00h~split file 1381# FFh -127 = -1 -127 = -128 1382# 00h -127 = 0 -127 = -127 1383>0 
byte-127 <-126 1384# plausibility check for file name length 1385>>0x53 ubyte-1 <78 1386# looking for terminating nul of file name string 1387>>>(0x53.b+4) ubyte 0 1388# looking if last char of string is valid DOS file name 1389>>>>(0x53.b+3) ubyte >0x1F 1390# actually 44 nul bytes 1391# but sometimes garbage according to Ralf Quint. So can not be used as test 1392#>0x54 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 1393# first char of full file name is DOS (5Ch) or UNIX (2Fh) path separator 1394# only DOS variant found. UNIX variant according to V32SLASH.TXT in archive PD0315.EXE 1395>>>>>5 ubyte&0x8C 0x0C 1396# ./msdos (version 5.30) labeled the entry as 1397# "DOS 2.0 backed up file %s, split file, sequence %d" or 1398# "DOS 2.0 backed up file %s, complete file" 1399>>>>>>0 ubyte x DOS 2.0-3.2 backed up 1400#>>>>>>0 ubyte 0xff complete 1401>>>>>>0 ubyte 0 1402>>>>>>>1 uleshort x sequence %d of 1403# full file name with path but without drive letter and colon stored from 0x05 til 0x52 1404>>>>>>0x5 string x file %s 1405# backup name is original filename 1406#!:ext * 1407# magic/Magdir/msdos, 1169: Warning: EXTENSION type ` *' has bad char '*' 1408# file: line 1169: Bad magic entry ' *' 1409# after header original file content 1410>>>>>>128 indirect x \b; 1411 1412 1413# DOS backup 3.3 to 5.x 1414 1415# CONTROL.nnn files 14160 string \x8bBACKUP\x20 1417# actually 128 nul bytes 1418>0xa string \0\0\0\0\0\0\0\0 1419>>0x9 ubyte x DOS 3.3 backup control file, sequence %d 1420>>0x8a ubyte 0xff \b, last disk 1421 1422# NB: The BACKUP.nnn files consist of the files backed up, 1423# concatenated. 1424
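# Added example (not part of file(1) or its Magdir): the Windows ICO/CUR
# directory and the Lotus 1-2-3 BOF record both start with 00 00 02 00, and the
# cur-ico-dir / lotus-cells magics above disambiguate them with a handful of
# byte tests. The Python below reimplements exactly those tests (reserved byte
# at 9, first image offset at 18 with the low bits 110b, Lotus opcode high byte
# at 7 being zero) so the decision can be checked outside libmagic. Sample
# inputs are constructed inline; the output wording is this example's own
# (it says "cursor" where the magic prints "icon" for cursors).

```python
import struct

# Revision words at offset 4 of the Lotus BOF record, as listed in the magic.
LOTUS_REVISIONS = {
    0x0404: "1-2-3 WorKSheet, version 1",
    0x0405: "Symphony WoRksheet, version 1.0",
    0x0406: "1-2-3/Symphony worksheet, version 2",
    0x0600: "1-2-3 WorKsheet, version 1.xJ",
    0x0602: "1-2-3 worksheet, version 2.4J",
    0x8006: "1-2-3 ForMaTting data, version 2.x",
    0x8007: "1-2-3 FoRMatting data, version 2.0",
}
LOTUS_CONFIGS = {0x0007, 0x0C05, 0x0801, 0x0802, 0x0804, 0x080A, 0x1402, 0x1450}


def lotus_cells(buf: bytes, off: int) -> str:
    """lotus-cells subroutine: RANGE record = type 0006h + length 0008h, then 4 words."""
    if len(buf) < off + 12 or buf[off:off + 4] != b"\x06\x00\x08\x00":
        return ""
    sc, sr, ec, er = struct.unpack_from("<HHHH", buf, off + 4)
    return ", cell range %d,%d-%d,%d" % (sc, sr, ec, er)


def describe_lotus(buf: bytes) -> str:
    rev = struct.unpack_from("<H", buf, 4)[0]
    if rev in LOTUS_REVISIONS:
        desc = "Lotus " + LOTUS_REVISIONS[rev]
    elif rev in LOTUS_CONFIGS:
        desc = "Lotus 1-2-3 CoNFiguration"
    else:
        desc = "Lotus unknown worksheet or configuration, revision 0x%x" % rev
    # RANGE is normally the 2nd record (offset 6); Japanese variants put it
    # after the 2nd record, i.e. at 10 + length word of the 2nd record.
    second_len = struct.unpack_from("<H", buf, 8)[0] if len(buf) >= 10 else 0
    return desc + (lotus_cells(buf, 6) or lotus_cells(buf, 10 + second_len))


def looks_like_cursor_dir(buf: bytes) -> bool:
    """The cur-ico-dir plausibility tests: reserved byte 9 is 0/FFh, first image
    offset = 6 + n*16 (low bits 110b), and that offset lies inside the file."""
    if len(buf) < 22 or buf[9] not in (0, 0xFF):
        return False
    first_off = struct.unpack_from("<I", buf, 18)[0]
    return (first_off & 6) == 6 and first_off + 4 <= len(buf)


def describe_cursor_dir(buf: bytes) -> str:
    kind = struct.unpack_from("<H", buf, 2)[0]            # 1 = icon, 2 = cursor
    count = struct.unpack_from("<H", buf, 4)[0]
    first_off = struct.unpack_from("<I", buf, 18)[0]
    w, h, colors = buf[6], buf[7], buf[8]                # 0 means 256
    word = "icon" if kind == 1 else "cursor"
    out = "MS Windows %s resource - %d %s%s, %dx%d" % (
        word, count, word, "s" if count > 1 else "", w or 256, h or 256)
    if colors:
        out += ", %d colors" % colors
    a, b = struct.unpack_from("<HH", buf, 10)             # planes/bpp or hotspot
    if kind == 1:
        out += (", %d planes" % a if a > 1 else "") + (", %d bits/pixel" % b if b > 1 else "")
    else:
        out += ", hotspot @%dx%d" % (a, b)
    png = buf[first_off:first_off + 4] == b"\x89PNG"
    return out + (", PNG image" if png else ", DIB image")


def classify(buf: bytes) -> str:
    """Same order of precedence as file(1): cursor/icon (strength 70) before Lotus (69)."""
    if buf[:4] in (b"\x00\x00\x01\x00", b"\x00\x00\x02\x00") and looks_like_cursor_dir(buf):
        return describe_cursor_dir(buf)
    # Lotus: after BOF (0000h/0002h) and the revision word comes the next
    # record's opcode 0001h-0083h, so byte 7 is 0 and byte 6 is non-zero.
    if len(buf) >= 8 and buf[:4] == b"\x00\x00\x02\x00" and buf[7] == 0 and buf[6] > 0:
        return describe_lotus(buf)
    return "unknown"


# Constructed samples (not real files): one cursor, one two-image icon, one Lotus wk1.
SAMPLE_CUR = (b"\x00\x00\x02\x00\x01\x00" + bytes([32, 32, 0, 0]) + struct.pack("<HH", 5, 7)
              + struct.pack("<II", 48, 22) + struct.pack("<I", 40) + b"\0" * 44)
SAMPLE_ICO = (b"\x00\x00\x01\x00\x02\x00" + bytes([16, 16, 16, 0]) + struct.pack("<HHII", 1, 4, 100, 38)
              + bytes([0, 0, 0, 0]) + struct.pack("<HHII", 1, 32, 200, 138) + b"\x89PNG" + b"\0" * 96)
SAMPLE_WK1 = b"\x00\x00\x02\x00\x06\x04" + b"\x06\x00\x08\x00" + struct.pack("<HHHH", 0, 0, 7, 3)

if __name__ == "__main__":
    for name, sample in (("cur", SAMPLE_CUR), ("ico", SAMPLE_ICO), ("wk1", SAMPLE_WK1)):
        print(name, "->", classify(sample))
```

# The magic's own test on offset 18 is `&0x00000006`, i.e. bits 1 and 2 set; the
# code keeps that looser test rather than requiring exactly 6 + 16*count, so it
# accepts the same oddly-sized directories libmagic does.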
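# Added example (not part of file(1) or its Magdir): the Microsoft Cabinet
# magic above walks CFHEADER (size at 8, coffFiles at 16, version at 24, counts
# at 26/28, flags at 30, setID at 32, iCabinet at 34), the optional reserve
# block behind flag 4, the previous/next chain strings behind flags 1 and 2,
# then CFFOLDER (compression word) and CFFILE (attribs word, member name), and
# finally guesses the container type from member names. The Python below does
# the same walk on a constructed header-only sample and reproduces the
# name heuristics; the classification strings and the per-name .diagcfg/.diagpkg
# test (the magic does a raw byte search over 980 bytes instead) are this
# example's own choices.

```python
import struct

FLAG_PREV, FLAG_NEXT, FLAG_RESERVE = 0x0001, 0x0002, 0x0004
# CFFILE attribute bits, in the letter order the cab-file subroutine prints them.
ATTR_LETTERS = ((0x01, "R"), (0x02, "H"), (0x04, "S"), (0x20, "A"),
                (0x40, "X"), (0x80, "Utf"), (0x100, "?"))
COMPRESSION = {0: "none", 1: "MSZIP", 2: "Quantum", 3: "LZX"}


def _cstr(buf: bytes, off: int):
    end = buf.index(b"\0", off)
    return buf[off:end].decode("latin-1"), end + 1


def parse_cab(buf: bytes) -> dict:
    """CFHEADER, optional reserve and chain fields, CFFOLDER and CFFILE entries."""
    if buf[:8] != b"MSCF\0\0\0\0":
        raise ValueError("not a Microsoft Cabinet")
    (cb_cabinet, coff_files, ver_minor, ver_major, c_folders, c_files,
     flags, set_id, i_cabinet) = struct.unpack_from("<I4xI4xBBHHHHH", buf, 8)
    pos, cb_folder_res = 36, 0
    if flags & FLAG_RESERVE:                       # the "extra bytes" case of the magic
        cb_header_res, cb_folder_res, _cb_data_res = struct.unpack_from("<HBB", buf, pos)
        pos += 4 + cb_header_res
    chain = {}
    if flags & FLAG_PREV:
        chain["previous"], pos = _cstr(buf, pos)
        chain["previous_disk"], pos = _cstr(buf, pos)
    if flags & FLAG_NEXT:
        chain["next"], pos = _cstr(buf, pos)
        chain["next_disk"], pos = _cstr(buf, pos)
    folders = []
    for _ in range(c_folders):
        coff_start, c_data, type_comp = struct.unpack_from("<IHH", buf, pos)
        method = COMPRESSION.get(type_comp & 0xF, "0x%x" % type_comp)
        if (type_comp & 0xF) == 3:                 # LZX window size bits sit in the high byte
            method += ":%d" % ((type_comp >> 8) & 0x1F)
        folders.append({"data_offset": coff_start, "datablocks": c_data, "compression": method})
        pos += 8 + cb_folder_res
    files, pos = [], coff_files
    for _ in range(c_files):
        cb_file, uoff, i_folder, _date, _time, attribs = struct.unpack_from("<IIHHHH", buf, pos)
        name, pos = _cstr(buf, pos + 16)
        files.append({"name": name, "size": cb_file, "folder_offset": uoff, "folder": i_folder,
                      "attribs": "".join(l for bit, l in ATTR_LETTERS if attribs & bit)})
    return {"size": cb_cabinet, "version": (ver_major, ver_minor), "flags": flags,
            "set_id": set_id, "number": i_cabinet + 1, "chain": chain,
            "folders": folders, "files": files}


def classify_cab(info: dict) -> str:
    """Member-name heuristics in the order the magic applies them."""
    names = [f["name"].lower() for f in info["files"]]
    first = names[0] if names else ""
    if any(n.endswith((".diagcfg", ".diagpkg")) for n in names):
        return "Diagnostic (MSDT .diagcab)"
    if first == "_accrpt_.snp":
        return "Access report snapshot (.snp)"
    if first[8:12] == ".000":                      # 8.3 name with .000 extension
        return "WinCE install (.cab)"
    if "wsusscan.cab" in names[:2]:
        return "Microsoft Standalone Update (.msu)"
    if first.endswith(".ppt"):
        return "PowerPoint Packed and Go (.ppz)"
    if first.endswith(".theme"):
        return "Windows %s Theme Pack" % ("8" if first.startswith("panoram") else "7 or 8")
    if len(names) == 1 and info["flags"] == 0 and first.endswith("_"):
        return "Windows 2000/XP setup file (.??_)"
    return "generic cabinet (%d files)" % len(names)


def build_sample_cab(members=((b"README.TXT", 123, 0x20), (b"SETUP.EX_", 4567, 0x21))) -> bytes:
    """Constructed header-only sample (no CFDATA blocks follow); not a real archive."""
    cffile, uoff = b"", 0
    for name, size, attr in members:
        cffile += struct.pack("<IIHHHH", size, uoff, 0, 0x4C21, 0x5800, attr) + name + b"\0"
        uoff += size
    coff_files = 36 + 8                            # CFHEADER + one CFFOLDER, no reserve area
    cb_cabinet = coff_files + len(cffile)
    header = (b"MSCF\0\0\0\0" + struct.pack("<I4xI4x", cb_cabinet, coff_files)
              + bytes([3, 1]) + struct.pack("<HHHHH", 1, len(members), 0, 0x1234, 0))
    folder = struct.pack("<IHH", cb_cabinet, 1, 0x1503)   # one data block, LZX:21
    return header + folder + cffile


if __name__ == "__main__":
    info = parse_cab(build_sample_cab())
    print(classify_cab(info), info)
```

# Nothing here decompresses or validates CFDATA, so as with the magic a crafted
# header is enough to steer the classification; treat the result as a hint for
# triage, not as proof that the members are what the names claim.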