xref: /freebsd/contrib/file/magic/Magdir/msdos (revision ab00ac327a66a53edaac95b536b209db3ae2cd9f)
1
2#------------------------------------------------------------------------------
3# $File: msdos,v 1.111 2016/09/14 01:26:26 christos Exp $
4# msdos:  file(1) magic for MS-DOS files
5#
6
7# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com)
8# updated by Joerg Jenderek at Oct 2008,Apr 2011
90	string/t	@
10>1	string/cW	\ echo\ off	DOS batch file text
11!:mime	text/x-msdos-batch
12>1	string/cW	echo\ off	DOS batch file text
13!:mime	text/x-msdos-batch
14>1	string/cW	rem		DOS batch file text
15!:mime	text/x-msdos-batch
16>1	string/cW	set\ 		DOS batch file text
17!:mime	text/x-msdos-batch
18
19
20# OS/2 batch files are REXX. the second regex is a bit generic, oh well
21# the matched commands seem to be common in REXX and uncommon elsewhere
22100	search/0xffff   rxfuncadd
23>100	regex/c =^[\ \t]{0,10}call[\ \t]{1,10}rxfunc	OS/2 REXX batch file text
24100	search/0xffff   say
25>100	regex/c =^[\ \t]{0,10}say\ ['"]			OS/2 REXX batch file text
26
27# updated by Joerg Jenderek at Oct 2015
28# https://de.wikipedia.org/wiki/Common_Object_File_Format
29# http://www.delorie.com/djgpp/doc/coff/filhdr.html
30# ./intel already labeled COFF type 0x14c=0514 as "80386 COFF executable"
31#0	leshort		0x14c	MS Windows COFF Intel 80386 object file
32#>4	ledate		x	stamp %s
330	leshort		0x166	MS Windows COFF MIPS R4000 object file
34#>4	ledate		x	stamp %s
350	leshort		0x184	MS Windows COFF Alpha object file
36#>4	ledate		x	stamp %s
370	leshort		0x268	MS Windows COFF Motorola 68000 object file
38#>4	ledate		x	stamp %s
390	leshort		0x1f0	MS Windows COFF PowerPC object file
40#>4	ledate		x	stamp %s
410	leshort		0x290	MS Windows COFF PA-RISC object file
42#>4	ledate		x	stamp %s
43
44# Tests for various EXE types.
45#
46# Many of the compressed formats were extraced from IDARC 1.23 source code.
47#
480	string/b	MZ
49# All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file.
50>0x18	leshort <0x40 MS-DOS executable
51!:mime	application/x-dosexec
52# These traditional tests usually work but not always.  When test quality support is
53# implemented these can be turned on.
54#>>0x18	leshort	0x1c	(Borland compiler)
55#>>0x18	leshort	0x1e	(MS compiler)
56
57# If the relocation table is 0x40 or more bytes into the file, it's definitely
58# not a DOS EXE.
59>0x18  leshort >0x3f
60
61# Maybe it's a PE?
62>>(0x3c.l) string PE\0\0 PE
63!:mime	application/x-dosexec
64>>>(0x3c.l+24)	leshort		0x010b	\b32 executable
65>>>(0x3c.l+24)	leshort		0x020b	\b32+ executable
66>>>(0x3c.l+24)	leshort		0x0107	ROM image
67>>>(0x3c.l+24)	default		x	Unknown PE signature
68>>>>&0 		leshort		x	0x%x
69>>>(0x3c.l+22)	leshort&0x2000	>0	(DLL)
70>>>(0x3c.l+92)	leshort		1	(native)
71>>>(0x3c.l+92)	leshort		2	(GUI)
72>>>(0x3c.l+92)	leshort		3	(console)
73>>>(0x3c.l+92)	leshort		7	(POSIX)
74>>>(0x3c.l+92)	leshort		9	(Windows CE)
75>>>(0x3c.l+92)	leshort		10	(EFI application)
76>>>(0x3c.l+92)	leshort		11	(EFI boot service driver)
77>>>(0x3c.l+92)	leshort		12	(EFI runtime driver)
78>>>(0x3c.l+92)	leshort		13	(EFI ROM)
79>>>(0x3c.l+92)	leshort		14	(XBOX)
80>>>(0x3c.l+92)	leshort		15	(Windows boot application)
81>>>(0x3c.l+92)	default		x	(Unknown subsystem
82>>>>&0		leshort		x	0x%x)
83>>>(0x3c.l+4)	leshort		0x14c	Intel 80386
84>>>(0x3c.l+4)	leshort		0x166	MIPS R4000
85>>>(0x3c.l+4)	leshort		0x168	MIPS R10000
86>>>(0x3c.l+4)	leshort		0x184	Alpha
87>>>(0x3c.l+4)	leshort		0x1a2	Hitachi SH3
88>>>(0x3c.l+4)	leshort		0x1a6	Hitachi SH4
89>>>(0x3c.l+4)	leshort		0x1c0	ARM
90>>>(0x3c.l+4)	leshort		0x1c2	ARM Thumb
91>>>(0x3c.l+4)	leshort		0x1c4	ARMv7 Thumb
92>>>(0x3c.l+4)	leshort		0x1f0	PowerPC
93>>>(0x3c.l+4)	leshort		0x200	Intel Itanium
94>>>(0x3c.l+4)	leshort		0x266	MIPS16
95>>>(0x3c.l+4)	leshort		0x268	Motorola 68000
96>>>(0x3c.l+4)	leshort		0x290	PA-RISC
97>>>(0x3c.l+4)	leshort		0x366	MIPSIV
98>>>(0x3c.l+4)	leshort		0x466	MIPS16 with FPU
99>>>(0x3c.l+4)	leshort		0xebc	EFI byte code
100>>>(0x3c.l+4)	leshort		0x8664	x86-64
101>>>(0x3c.l+4)	leshort		0xc0ee	MSIL
102>>>(0x3c.l+4)	default		x	Unknown processor type
103>>>>&0		leshort		x	0x%x
104>>>(0x3c.l+22)	leshort&0x0200	>0	(stripped to external PDB)
105>>>(0x3c.l+22)	leshort&0x1000	>0	system file
106>>>(0x3c.l+24)	leshort		0x010b
107>>>>(0x3c.l+232) lelong	>0	Mono/.Net assembly
108>>>(0x3c.l+24)	leshort		0x020b
109>>>>(0x3c.l+248) lelong	>0	Mono/.Net assembly
110
111# hooray, there's a DOS extender using the PE format, with a valid PE
112# executable inside (which just prints a message and exits if run in win)
113>>>(8.s*16)		string		32STUB	\b, 32rtm DOS extender
114>>>(8.s*16)		string		!32STUB	\b, for MS Windows
115>>>(0x3c.l+0xf8)	string		UPX0 \b, UPX compressed
116>>>(0x3c.l+0xf8)	search/0x140	PEC2 \b, PECompact2 compressed
117>>>(0x3c.l+0xf8)	search/0x140	UPX2
118>>>>(&0x10.l+(-4))	string		PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
119>>>(0x3c.l+0xf8)	search/0x140	.idata
120>>>>(&0xe.l+(-4))	string		PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
121>>>>(&0xe.l+(-4))	string		ZZ0 \b, ZZip self-extracting archive
122>>>>(&0xe.l+(-4))	string		ZZ1 \b, ZZip self-extracting archive
123>>>(0x3c.l+0xf8)	search/0x140	.rsrc
124>>>>(&0x0f.l+(-4))	string		a\\\4\5 \b, WinHKI self-extracting archive
125>>>>(&0x0f.l+(-4))	string		Rar! \b, RAR self-extracting archive
126>>>>(&0x0f.l+(-4))	search/0x3000	MSCF \b, InstallShield self-extracting archive
127>>>>(&0x0f.l+(-4))	search/32	Nullsoft \b, Nullsoft Installer self-extracting archive
128>>>(0x3c.l+0xf8)	search/0x140	.data
129>>>>(&0x0f.l)		string		WEXTRACT \b, MS CAB-Installer self-extracting archive
130>>>(0x3c.l+0xf8)	search/0x140	.petite\0 \b, Petite compressed
131>>>>(0x3c.l+0xf7)	byte		x
132>>>>>(&0x104.l+(-4))	string		=!sfx! \b, ACE self-extracting archive
133>>>(0x3c.l+0xf8)	search/0x140	.WISE \b, WISE installer self-extracting archive
134>>>(0x3c.l+0xf8)	search/0x140	.dz\0\0\0 \b, Dzip self-extracting archive
135>>>&(0x3c.l+0xf8)	search/0x100	_winzip_ \b, ZIP self-extracting archive (WinZip)
136>>>&(0x3c.l+0xf8)	search/0x100	SharedD \b, Microsoft Installer self-extracting archive
137>>>0x30			string		Inno \b, InnoSetup self-extracting archive
138
139# Hmm, not a PE but the relocation table is too high for a traditional DOS exe,
140# must be one of the unusual subformats.
141>>(0x3c.l) string !PE\0\0 MS-DOS executable
142!:mime	application/x-dosexec
143
144>>(0x3c.l)		string		NE \b, NE
145!:mime	application/x-dosexec
146>>>(0x3c.l+0x36)	byte		1 for OS/2 1.x
147>>>(0x3c.l+0x36)	byte		2 for MS Windows 3.x
148>>>(0x3c.l+0x36)	byte		3 for MS-DOS
149>>>(0x3c.l+0x36)	byte		4 for Windows 386
150>>>(0x3c.l+0x36)	byte		5 for Borland Operating System Services
151>>>(0x3c.l+0x36)	default		x
152>>>>(0x3c.l+0x36)	byte		x (unknown OS %x)
153>>>(0x3c.l+0x36)	byte		0x81 for MS-DOS, Phar Lap DOS extender
154>>>(0x3c.l+0x0c)	leshort&0x8003	0x8002 (DLL)
155>>>(0x3c.l+0x0c)	leshort&0x8003	0x8001 (driver)
156>>>&(&0x24.s-1)		string		ARJSFX \b, ARJ self-extracting archive
157>>>(0x3c.l+0x70)	search/0x80	WinZip(R)\ Self-Extractor \b, ZIP self-extracting archive (WinZip)
158
159>>(0x3c.l)		string		LX\0\0 \b, LX
160!:mime	application/x-dosexec
161>>>(0x3c.l+0x0a)	leshort		<1 (unknown OS)
162>>>(0x3c.l+0x0a)	leshort		1 for OS/2
163>>>(0x3c.l+0x0a)	leshort		2 for MS Windows
164>>>(0x3c.l+0x0a)	leshort		3 for DOS
165>>>(0x3c.l+0x0a)	leshort		>3 (unknown OS)
166>>>(0x3c.l+0x10)	lelong&0x28000	=0x8000 (DLL)
167>>>(0x3c.l+0x10)	lelong&0x20000	>0 (device driver)
168>>>(0x3c.l+0x10)	lelong&0x300	0x300 (GUI)
169>>>(0x3c.l+0x10)	lelong&0x28300	<0x300 (console)
170>>>(0x3c.l+0x08)	leshort		1 i80286
171>>>(0x3c.l+0x08)	leshort		2 i80386
172>>>(0x3c.l+0x08)	leshort		3 i80486
173>>>(8.s*16)		string		emx \b, emx
174>>>>&1			string		x %s
175>>>&(&0x54.l-3)		string		arjsfx \b, ARJ self-extracting archive
176
177# MS Windows system file, supposedly a collection of LE executables
178>>(0x3c.l)		string		W3 \b, W3 for MS Windows
179!:mime	application/x-dosexec
180
181>>(0x3c.l)		string		LE\0\0 \b, LE executable
182!:mime	application/x-dosexec
183>>>(0x3c.l+0x0a)	leshort		1
184# some DOS extenders use LE files with OS/2 header
185>>>>0x240		search/0x100	DOS/4G for MS-DOS, DOS4GW DOS extender
186>>>>0x240		search/0x200	WATCOM\ C/C++ for MS-DOS, DOS4GW DOS extender
187>>>>0x440		search/0x100	CauseWay\ DOS\ Extender for MS-DOS, CauseWay DOS extender
188>>>>0x40		search/0x40	PMODE/W for MS-DOS, PMODE/W DOS extender
189>>>>0x40		search/0x40	STUB/32A for MS-DOS, DOS/32A DOS extender (stub)
190>>>>0x40		search/0x80	STUB/32C for MS-DOS, DOS/32A DOS extender (configurable stub)
191>>>>0x40		search/0x80	DOS/32A for MS-DOS, DOS/32A DOS extender (embedded)
192# this is a wild guess; hopefully it is a specific signature
193>>>>&0x24		lelong		<0x50
194>>>>>(&0x4c.l)		string		\xfc\xb8WATCOM
195>>>>>>&0		search/8	3\xdbf\xb9 \b, 32Lite compressed
196# another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP
197#>>>>(0x3c.l+0x1c)	lelong		>0x10000 for OS/2
198# fails with DOS-Extenders.
199>>>(0x3c.l+0x0a)	leshort		2 for MS Windows
200>>>(0x3c.l+0x0a)	leshort		3 for DOS
201>>>(0x3c.l+0x0a)	leshort		4 for MS Windows (VxD)
202>>>(&0x7c.l+0x26)	string		UPX \b, UPX compressed
203>>>&(&0x54.l-3)		string		UNACE \b, ACE self-extracting archive
204
205# looks like ASCII, probably some embedded copyright message.
206# and definitely not NE/LE/LX/PE
207>>0x3c		lelong	>0x20000000
208>>>(4.s*512)	leshort !0x014c \b, MZ for MS-DOS
209!:mime	application/x-dosexec
210# header data too small for extended executable
211>2		long	!0
212>>0x18		leshort <0x40
213>>>(4.s*512)	leshort !0x014c
214
215>>>>&(2.s-514)	string	!LE
216>>>>>&-2	string	!BW \b, MZ for MS-DOS
217!:mime	application/x-dosexec
218>>>>&(2.s-514)	string	LE \b, LE
219>>>>>0x240	search/0x100	DOS/4G for MS-DOS, DOS4GW DOS extender
220# educated guess since indirection is still not capable enough for complex offset
221# calculations (next embedded executable would be at &(&2*512+&0-2)
222# I suspect there are only LE executables in these multi-exe files
223>>>>&(2.s-514)	string	BW
224>>>>>0x240	search/0x100	DOS/4G	\b, LE for MS-DOS, DOS4GW DOS extender (embedded)
225>>>>>0x240	search/0x100	!DOS/4G	\b, BW collection for MS-DOS
226
227# This sequence skips to the first COFF segment, usually .text
228>(4.s*512)	leshort		0x014c \b, COFF
229!:mime	application/x-dosexec
230>>(8.s*16)	string		go32stub for MS-DOS, DJGPP go32 DOS extender
231>>(8.s*16)	string		emx
232>>>&1		string		x for DOS, Win or OS/2, emx %s
233>>&(&0x42.l-3)	byte		x
234>>>&0x26	string		UPX \b, UPX compressed
235# and yet another guess: small .text, and after large .data is unusal, could be 32lite
236>>&0x2c		search/0xa0	.text
237>>>&0x0b	lelong		<0x2000
238>>>>&0		lelong		>0x6000 \b, 32lite compressed
239
240>(8.s*16) string $WdX \b, WDos/X DOS extender
241
242# By now an executable type should have been printed out.  The executable
243# may be a self-uncompressing archive, so look for evidence of that and
244# print it out.
245#
246# Some signatures below from Greg Roelofs, newt@uchicago.edu.
247#
248>0x35	string	\x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05 \b, aPack compressed
249>0xe7	string	LH/2\ 	Self-Extract \b, %s
250>0x1c	string	UC2X	\b, UCEXE compressed
251>0x1c	string	WWP\ 	\b, WWPACK compressed
252>0x1c	string	RJSX 	\b, ARJ self-extracting archive
253>0x1c	string	diet 	\b, diet compressed
254>0x1c	string	LZ09 	\b, LZEXE v0.90 compressed
255>0x1c	string	LZ91 	\b, LZEXE v0.91 compressed
256>0x1c	string	tz 	\b, TinyProg compressed
257>0x1e	string	Copyright\ 1989-1990\ PKWARE\ Inc.	Self-extracting PKZIP archive
258!:mime	application/zip
259# Yes, this really is "Copr", not "Corp."
260>0x1e	string	PKLITE\ Copr.	Self-extracting PKZIP archive
261!:mime	application/zip
262# winarj stores a message in the stub instead of the sig in the MZ header
263>0x20	search/0xe0	aRJsfX \b, ARJ self-extracting archive
264>0x20	string AIN
265>>0x23	string 2	\b, AIN 2.x compressed
266>>0x23	string <2	\b, AIN 1.x compressed
267>>0x23	string >2	\b, AIN 1.x compressed
268>0x24	string	LHa's\ SFX \b, LHa self-extracting archive
269!:mime	application/x-lha
270>0x24	string	LHA's\ SFX \b, LHa self-extracting archive
271!:mime	application/x-lha
272>0x24	string	\ $ARX \b, ARX self-extracting archive
273>0x24	string	\ $LHarc \b, LHarc self-extracting archive
274>0x20	string	SFX\ by\ LARC \b, LARC self-extracting archive
275>0x40	string aPKG \b, aPackage self-extracting archive
276>0x64	string	W\ Collis\0\0 \b, Compack compressed
277>0x7a	string		Windows\ self-extracting\ ZIP	\b, ZIP self-extracting archive
278>>&0xf4 search/0x140 \x0\x40\x1\x0
279>>>(&0.l+(4)) string MSCF \b, WinHKI CAB self-extracting archive
280>1638	string	-lh5- \b, LHa self-extracting archive v2.13S
281>0x17888 string Rar! \b, RAR self-extracting archive
282
283# Skip to the end of the EXE.  This will usually work fine in the PE case
284# because the MZ image is hardcoded into the toolchain and almost certainly
285# won't match any of these signatures.
286>(4.s*512)	long	x
287>>&(2.s-517)	byte	x
288>>>&0	string		PK\3\4 \b, ZIP self-extracting archive
289>>>&0	string		Rar! \b, RAR self-extracting archive
290>>>&0	string		=!\x11 \b, AIN 2.x self-extracting archive
291>>>&0	string		=!\x12 \b, AIN 2.x self-extracting archive
292>>>&0	string		=!\x17 \b, AIN 1.x self-extracting archive
293>>>&0	string		=!\x18 \b, AIN 1.x self-extracting archive
294>>>&7	search/400	**ACE** \b, ACE self-extracting archive
295>>>&0	search/0x480	UC2SFX\ Header \b, UC2 self-extracting archive
296
297# a few unknown ZIP sfxes, no idea if they are needed or if they are
298# already captured by the generic patterns above
299>(8.s*16)	search/0x20	PKSFX \b, ZIP self-extracting archive (PKZIP)
300# TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extracting archive
301#
302
303# TELVOX Teleinformatica CODEC self-extractor for OS/2:
304>49801	string	\x79\xff\x80\xff\x76\xff	\b, CODEC archive v3.21
305>>49824 leshort		=1			\b, 1 file
306>>49824 leshort		>1			\b, %u files
307
308# added by Joerg Jenderek of http://www.freedos.org/software/?prog=kc
309# and http://www.freedos.org/software/?prog=kpdos
310# for FreeDOS files like KEYBOARD.SYS, KEYBRD2.SYS, KEYBRD3.SYS, *.KBD
3110	string/b	KCF		FreeDOS KEYBoard Layout collection
312# only version=0x100 found
313>3	uleshort	x		\b, version 0x%x
314# length of string containing author,info and special characters
315>6	ubyte		>0
316#>>6	pstring		x		\b, name=%s
317>>7	string		>\0		\b, author=%-.14s
318>>7	search/254	\xff		\b, info=
319#>>>&0	string		x		\b%-s
320>>>&0	string		x		\b%-.15s
321# for FreeDOS *.KL files
3220	string/b	KLF		FreeDOS KEYBoard Layout file
323# only version=0x100 or 0x101 found
324>3	uleshort	x		\b, version 0x%x
325# stringlength
326>5	ubyte		>0
327>>8	string		x		\b, name=%-.2s
3280	string	\xffKEYB\ \ \ \0\0\0\0
329>12	string	\0\0\0\0`\004\360	MS-DOS KEYBoard Layout file
330
331# DOS device driver updated by Joerg Jenderek at May 2011
332# http://maben.homeip.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009
3330	ulequad&0x07a0ffffffff		0xffffffff		DOS executable (
334>40	search/7			UPX!			\bUPX compressed
335# DOS device driver attributes
336>4	uleshort&0x8000			0x0000			\bblock device driver
337# character device
338>4	uleshort&0x8000			0x8000			\b
339>>4	uleshort&0x0008			0x0008			\bclock
340# fast video output by int 29h
341>>4	uleshort&0x0010			0x0010			\bfast
342# standard input/output device
343>>4	uleshort&0x0003			>0			\bstandard
344>>>4	uleshort&0x0001			0x0001			\binput
345>>>4	uleshort&0x0003			0x0003			\b/
346>>>4	uleshort&0x0002			0x0002			\boutput
347>>4	uleshort&0x8000			0x8000			\bcharacter device driver
348>0	ubyte				x
349# upx compressed device driver has garbage instead of real in name field of header
350>>40	search/7			UPX!
351>>40	default				x
352# leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped
353>>>12		ubyte			>0x27			\b
354>>>>10		ubyte			>0x20
355>>>>>10		ubyte			!0x2E
356>>>>>>10	ubyte			!0x2A			\b%c
357>>>>11		ubyte			>0x20
358>>>>>11		ubyte			!0x2E			\b%c
359>>>>12		ubyte			>0x20
360>>>>>12		ubyte			!0x39
361>>>>>>12	ubyte			!0x2E			\b%c
362>>>13		ubyte			>0x20
363>>>>13		ubyte			!0x2E			\b%c
364>>>>14		ubyte			>0x20
365>>>>>14		ubyte			!0x2E			\b%c
366>>>>15		ubyte			>0x20
367>>>>>15		ubyte			!0x2E			\b%c
368>>>>16		ubyte			>0x20
369>>>>>16		ubyte			!0x2E
370>>>>>>16	ubyte			<0xCB			\b%c
371>>>>17		ubyte			>0x20
372>>>>>17		ubyte			!0x2E
373>>>>>>17	ubyte			<0x90			\b%c
374# some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field
375>>>4		uleshort&0x8000		0x8000
376>>>>12		ubyte			<0x2F
377# they have their real name at offset 22
378>>>>>22		string			>\0			\b%-.5s
379>4	uleshort&0x8000			0x0000
380# 32 bit sector addressing ( > 32 MB) for block devices
381>>4	uleshort&0x0002			0x0002			\b,32-bit sector-
382# support by driver functions 13h, 17h, 18h
383>4	uleshort&0x0040			0x0040			\b,IOCTL-
384# open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh
385>4	uleshort&0x0800			0x0800			\b,close media-
386# output until busy support by int 10h for character device driver
387>4	uleshort&0x8000			0x8000
388>>4	uleshort&0x2000			0x2000			\b,until busy-
389# direct read/write support by driver functions 03h,0Ch
390>4	uleshort&0x4000			0x4000			\b,control strings-
391>4	uleshort&0x8000			0x8000
392>>4	uleshort&0x6840			>0			\bsupport
393>4	uleshort&0x8000			0x0000
394>>4	uleshort&0x4842			>0			\bsupport
395>0	ubyte				x			\b)
396# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header
397# Too weak, matches files that only contain 0's
398#0	ulequad&0x000007a0ffffffed	0x0000000000000000	DOS-executable (
399#>4	uleshort&0x8000			0x8000			\bcharacter device driver
400#>>10	string				x			%-.8s
401#>4	uleshort&0x4000			0x4000			\b,control strings-support)
402
403# updated by Joerg Jenderek
404# GRR: line below too general as it catches also
405# rt.lib DYADISKS.PIC and many more
406# start with assembler instruction MOV
4070	ubyte		0x8c
408# skip "AppleWorks word processor data" like ARTICLE.1 ./apple
409>4	string			!O====
410# skip some unknown basic binaries like RocketRnger.SHR
411>>5	string			!MAIN
412# skip "GPG symmetrically encrypted data" ./gnu
413# skip "PGP symmetric key encrypted data" ./pgp
414# openpgpdefs.h: fourth byte < 14 indicate cipher algorithm type
415>>>4	ubyte			>13	DOS executable (COM, 0x8C-variant)
416# the remaining files should be DOS *.COM executables
417# dosshell.COM	8cc0 2ea35f07 e85211 e88a11 b80058 cd
418# hmload.COM	8cc8 8ec0 bbc02b 89dc 83c30f c1eb04 b4
419# UNDELETE.COM	8cca 2e8916 6503 b430 cd21 8b 2e0200 8b
420# BOOTFIX.COM	8cca 2e8916 9603 b430 cd21 8b 2e0200 8b
421# RAWRITE3.COM	8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
422# SHARE.COM	8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
423# validchr.COM	8cca 2e8916 9603 b430 cd21 8b 2e028b1e
424# devload.COM	8cca 8916ad01 b430 cd21 8b2e0200 892e
425!:mime	application/x-dosexec
426!:ext com
427
428# updated by Joerg Jenderek at Oct 2008
4290	ulelong		0xffff10eb	DR-DOS executable (COM)
430# byte 0xeb conflicts with "sequent" magic leshort 0xn2eb
4310	ubeshort&0xeb8d	>0xeb00
432# DR-DOS STACKER.COM SCREATE.SYS missed
433
4340       name    msdos-com
435>0  byte        x               DOS executable (COM)
436>6	string		SFX\ of\ LHarc	\b, %s
437>0x1FE leshort	0xAA55		    \b, boot code
438>85	string		UPX		        \b, UPX compressed
439>4	string		\ $ARX		    \b, ARX self-extracting archive
440>4	string		\ $LHarc	    \b, LHarc self-extracting archive
441>0x20e string	SFX\ by\ LARC	\b, LARC self-extracting archive
442
443# JMP 8bit
4440	        byte	0xeb
445# allow forward jumps only
446>1          byte    >-1
447# that offset must be accessible
448>>(1.b+2)   byte    x
449>>>0        use msdos-com
450
451# JMP 16bit
4520           byte    0xe9
453# forward jumps
454>1          short   >-1
455# that offset must be accessible
456>>(1.s+3)   byte    x
457>>>0        use msdos-com
458# negative offset, must not lead into PSP
459>1          short   <-259
460# that offset must be accessible
461>>(1,s+65539)   byte    x
462>>>0        use msdos-com
463
464# updated by Joerg Jenderek at Oct 2008,2015
465# following line is too general
4660	ubyte		0xb8
467# skip 2 linux kernels like memtest.bin with "\xb8\xc0\x07\x8e" in ./linux
468>0	string		!\xb8\xc0\x07\x8e
469# modified by Joerg Jenderek
470# syslinux COM32 or COM32R executable
471>>1	lelong&0xFFFFFFFe 0x21CD4CFe	COM executable (32-bit COMBOOT
472# http://www.syslinux.org/wiki/index.php/Comboot_API
473# Since version 5.00 c32 modules switched from the COM32 object format to ELF
474!:mime	application/x-c32-comboot-syslinux-exec
475!:ext c32
476# http://syslinux.zytor.com/comboot.php
477# older syslinux version ( <4 )
478# (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode
479# start with assembler instructions mov eax,21cd4cffh
480>>>1	lelong		0x21CD4CFf	\b)
481# syslinux:doc/comboot.txt
482# A COM32R program must start with the byte sequence B8 FE 4C CD 21 (mov
483# eax,21cd4cfeh) as a magic number.
484# syslinux version (4.x)
485# "COM executable (COM32R)" or "Syslinux COM32 module" by TrID
486>>>1	lelong		0x21CD4CFe	\b, relocatable)
487# remaining are DOS COM executables starting with assembler instruction MOV
488# like FreeDOS BANNER*.COM FINDDISK.COM GIF2RAW.COM WINCHK.COM
489# MS-DOS SYS.COM RESTART.COM
490# SYSLINUX.COM (version 1.40 - 2.13)
491# GFXBOOT.COM (version 3.75)
492# COPYBS.COM POWEROFF.COM INT18.COM
493>>1	default	x			COM executable for DOS
494!:mime	application/x-dosexec
495#!:mime	application/x-ms-dos-executable
496#!:mime	application/x-msdos-program
497!:ext com
498
4990	string/b	\x81\xfc
500>4	string	\x77\x02\xcd\x20\xb9
501>>36	string	UPX!			FREE-DOS executable (COM), UPX compressed
502252	string Must\ have\ DOS\ version DR-DOS executable (COM)
503# added by Joerg Jenderek at Oct 2008
504# GRR search is not working
505#34	search/2	UPX!		FREE-DOS executable (COM), UPX compressed
50634	string	UPX!			FREE-DOS executable (COM), UPX compressed
50735	string	UPX!			FREE-DOS executable (COM), UPX compressed
508# GRR search is not working
509#2	search/28	\xcd\x21	COM executable for MS-DOS
510#WHICHFAT.cOM
5112	string	\xcd\x21		COM executable for DOS
512#DELTREE.cOM DELTREE2.cOM
5134	string	\xcd\x21		COM executable for DOS
514#IFMEMDSK.cOM ASSIGN.cOM COMP.cOM
5155	string	\xcd\x21		COM executable for DOS
516#DELTMP.COm HASFAT32.cOM
5177	string	\xcd\x21
518>0	byte	!0xb8			COM executable for DOS
519#COMP.cOM MORE.COm
52010	string	\xcd\x21
521>5	string	!\xcd\x21		COM executable for DOS
522#comecho.com
52313	string	\xcd\x21		COM executable for DOS
524#HELP.COm EDIT.coM
52518	string	\xcd\x21		COM executable for MS-DOS
526#NWRPLTRM.COm
52723	string	\xcd\x21		COM executable for MS-DOS
528#LOADFIX.cOm LOADFIX.cOm
52930	string	\xcd\x21		COM executable for MS-DOS
530#syslinux.com 3.11
53170	string	\xcd\x21		COM executable for DOS
532# many compressed/converted COMs start with a copy loop instead of a jump
5330x6	search/0xa	\xfc\x57\xf3\xa5\xc3	COM executable for MS-DOS
5340x6	search/0xa	\xfc\x57\xf3\xa4\xc3	COM executable for DOS
535>0x18	search/0x10	\x50\xa4\xff\xd5\x73	\b, aPack compressed
5360x3c	string		W\ Collis\0\0		COM executable for MS-DOS, Compack compressed
537# FIXME: missing diet .com compression
538
539# miscellaneous formats
5400	string/b	LZ		MS-DOS executable (built-in)
541#0	byte		0xf0		MS-DOS program library data
542#
543
544# AAF files:
545# <stuartc@rd.bbc.co.uk> Stuart Cunningham
5460	string/b	\320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377			AAF legacy file using MS Structured Storage
547>30	byte	9		(512B sectors)
548>30	byte	12		(4kB sectors)
5490	string/b	\320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001			AAF file using MS Structured Storage
550>30	byte	9		(512B sectors)
551>30	byte	12		(4kB sectors)
552
553# Popular applications
5542080	string	Microsoft\ Word\ 6.0\ Document	%s
555!:mime	application/msword
5562080	string	Documento\ Microsoft\ Word\ 6 Spanish Microsoft Word 6 document data
557!:mime	application/msword
558# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Word)
5592112	string	MSWordDoc			Microsoft Word document data
560!:mime	application/msword
561#
5620	belong	0x31be0000			Microsoft Word Document
563!:mime	application/msword
564#
5650	string/b	PO^Q`				Microsoft Word 6.0 Document
566!:mime	application/msword
567#
5680	string/b	\376\067\0\043			Microsoft Office Document
569!:mime	application/msword
5700	string/b	\333\245-\0\0\0			Microsoft Office Document
571!:mime	application/msword
572512	string/b	\354\245\301			Microsoft Word Document
573!:mime	application/msword
574
575#
5760	string/b	\xDB\xA5\x2D\x00		Microsoft WinWord 2.0 Document
577!:mime application/msword
578#
5792080	string	Microsoft\ Excel\ 5.0\ Worksheet	%s
580!:mime	application/vnd.ms-excel
581#
5820	string/b	\xDB\xA5\x2D\x00		Microsoft WinWord 2.0 Document
583!:mime application/msword
584
5852080	string	Foglio\ di\ lavoro\ Microsoft\ Exce	%s
586!:mime	application/vnd.ms-excel
587#
588# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Excel)
5892114	string	Biff5		Microsoft Excel 5.0 Worksheet
590!:mime	application/vnd.ms-excel
591# Italian MS-Excel
5922121	string	Biff5		Microsoft Excel 5.0 Worksheet
593!:mime	application/vnd.ms-excel
5940	string/b	\x09\x04\x06\x00\x00\x00\x10\x00	Microsoft Excel Worksheet
595!:mime	application/vnd.ms-excel
596#
597# Update: Joerg Jenderek
598# URL: https://en.wikipedia.org/wiki/Lotus_1-2-3
599# Reference: http://www.aboutvb.de/bas/formate/pdf/wk3.pdf
600# Note: newer Lotus versions >2 use longer BOF record
601# record type (BeginningOfFile=0000h) + length (001Ah)
6020	belong	0x00001a00
603# reserved should be 0h but 8c0dh for TUTMAC.WK3, 5h for SAMPADNS.WK3, 1h for a_readme.wk3, 1eh for K&G86.WK3
604#>18	uleshort&0x73E0	0
605# Lotus Multi Byte Character Set (LMBCS=1-31)
606>20	ubyte		>0
607>>20	ubyte		<32	Lotus 1-2-3
608#!:mime	application/x-123
609!:mime	application/vnd.lotus-1-2-3
610!:apple	????L123
611# (version 5.26) labeled the entry as "Lotus 1-2-3 wk3 document data"
612>>>4	uleshort	0x1000	WorKsheet, version 3
613!:ext	wk3
614# (version 5.26) labeled the entry as "Lotus 1-2-3 wk4 document data"
615>>>4	uleshort	0x1002	WorKsheet, version 4
616# also worksheet template 4 (.wt4)
617!:ext	wk4/wt4
618# no example or documentation for wk5
619#>>4	uleshort	0x????	WorKsheet, version 4
620#!:ext	wk5
621# only MacrotoScript.123 example
622>>>4	uleshort	0x1003	WorKsheet, version 97
623# also worksheet template Smartmaster (.12M)?
624!:ext	123
625# only Set_Y2K.123 example
626>>>4	uleshort	0x1005	WorKsheet, version 9.8 Millennium
627!:ext	123
628# no example for this version
629>>>4	uleshort	0x8001	FoRMatting data
630!:ext	frm
631# (version 5.26) labeled the entry as "Lotus 1-2-3 fm3 or fmb document data"
632# TrID labeles the entry as "Formatting Data for Lotus 1-2-3 worksheet"
633>>>4	uleshort	0x8007	ForMatting data, version 3
634!:ext	fm3
635>>>4	default		x	unknown
636# file revision sub code 0004h for worksheets
637>>>>6	uleshort	=0x0004	worksheet
638!:ext	wXX
639>>>>6	uleshort	!0x0004	formatting data
640!:ext	fXX
641# main revision number
642>>>>4	uleshort	x	\b, revision 0x%x
643>>>6	uleshort	=0x0004	\b, cell range
644# active cellcoord range (start row, page,column ; end row, page, column)
645# start values normally 0~1st sheet A1
646>>>>8	ulelong		!0
647>>>>>10	ubyte		>0	\b%d*
648>>>>>8	uleshort	x	\b%d,
649>>>>>11	ubyte		x	\b%d-
650# end page mostly 0
651>>>>14	ubyte		>0	\b%d*
652# end raw, column normally not 0
653>>>>12	uleshort	x	\b%d,
654>>>>15	ubyte		x	\b%d
655# Lotus Multi Byte Character Set (1~cp850,2~cp851,...,16~japan,...,31~??)
656>>>>20	ubyte		>1	\b, character set 0x%x
657# flags
658>>>>21	ubyte		x	\b, flags 0x%x
659>>>6	uleshort	!0x0004
660# record type (FONTNAME=00AEh)
661>>>>30	search/29	\0\xAE
662# variable length m (2) + entries (1) + ?? (1) + LCMBS string (n)
663>>>>>&4	string		>\0	\b, 1st font "%s"
664#
665# Update: Joerg Jenderek
666# URL: http://fileformats.archiveteam.org/wiki/Lotus_1-2-3
667# Reference: http://www.schnarff.com/file-formats/lotus-1-2-3/WSFF2.TXT
668# Note: Used by both old Lotus 1-2-3 and Lotus Symphony (DOS) til version 2.x
669# record type (BeginningOfFile=0000h) + length (0002h)
6700	belong	0x00000200
671# GRR: line above is too general as it catches also MS Windows CURsor
672# to display MS Windows cursor (strength=70) before Lotus 1-2-3 (strength=70-1)
673!:strength -1
674# skip Windows cursors with image height <256 and keep Lotus with low opcode 0001-0083h
675>7	ubyte		0
676# skip Windows cursors with image width 256 and keep Lotus with positiv opcode
677>>6	ubyte		>0	Lotus
678# !:mime	application/x-123
679!:mime	application/vnd.lotus-1-2-3
680!:apple	????L123
681# revision number (0404h = 123 1A, 0405h = Lotus Symphony , 0406h = 123 2.x wk1 , 8006h = fmt , ...)
682# undocumented; (version 5.26) labeled the configurations as "Lotus 1-2-3"
683>>>4	uleshort	0x0007	1-2-3 CoNFiguration, version 2.x (PGRAPH.CNF)
684!:ext	cnf
685>>>4	uleshort	0x0C05	1-2-3 CoNFiguration, version 2.4J
686!:ext	cnf
687>>>4	uleshort	0x0801	1-2-3 CoNFiguration, version 1-2.1
688!:ext	cnf
689>>>4	uleshort	0x0802	Symphony CoNFiguration
690!:ext	cnf
691>>>4	uleshort	0x0804	1-2-3 CoNFiguration, version 2.2
692!:ext	cnf
693>>>4	uleshort	0x080A	1-2-3 CoNFiguration, version 2.3-2.4
694!:ext	cnf
695>>>4	uleshort	0x1402	1-2-3 CoNFiguration, version 3.x
696!:ext	cnf
697>>>4	uleshort	0x1450	1-2-3 CoNFiguration, version 4.x
698!:ext	cnf
699# (version 5.26) labeled the entry as "Lotus 123"
700# TrID labeles the entry as "Lotus 123 Worksheet (generic)"
701>>>4	uleshort	0x0404	1-2-3 WorKSheet, version 1
702# extension "wks" also for Microsoft Works document
703!:ext	wks
704# (version 5.26) labeled the entry as "Lotus 123"
705# TrID labeles the entry as "Lotus 123 Worksheet (generic)"
706>>>4	uleshort	0x0405	Symphony WoRksheet, version 1.0
707!:ext	wrk/wr1
708# (version 5.26) labeled the entry as "Lotus 1-2-3 wk1 document data"
709# TrID labeles the entry as "Lotus 123 Worksheet (V2)"
710>>>4	uleshort	0x0406	1-2-3/Symphony worksheet, version 2
711# Symphony (.wr1)
712!:ext	wk1/wr1
713# no example for this japan version
714>>>4	uleshort	0x0600	1-2-3 WorKsheet, version 1.xJ
715!:ext	wj1
716# no example or documentation for wk2
717#>>>4	uleshort	0x????	1-2-3 WorKsheet, version 2
718#!:ext	wk2
719# undocumented japan version
720>>>4	uleshort	0x0602	1-2-3 worksheet, version 2.4J
721!:ext	wj3
722# (version 5.26) labeled the entry as "Lotus 1-2-3 fmt document data"
723>>>4	uleshort	0x8006	1-2-3 ForMaTting data, version 2.x
724# japan version 2.4J (fj3)
725!:ext	fmt/fj3
726# no example for this version
727>>>4	uleshort	0x8007	1-2-3 FoRMatting data, version 2.0
728!:ext	frm
729# (version 5.26) labeled the entry as "Lotus 1-2-3"
730>>>4	default		x	unknown worksheet or configuration
731!:ext	cnf
732>>>>4	uleshort	x	\b, revision 0x%x
733# 2nd record for most worksheets describes cells range
734>>>6		use	lotus-cells
735# 3nd record for most japan worksheets describes cells range
736>>>(8.s+10)	use	lotus-cells
737#	check and then display Lotus worksheet cells range
7380	name		lotus-cells
739# look for type (RANGE=0006h) + length (0008h) at record begin
740>0	ubelong	0x06000800	\b, cell range
741# cell range (start column, row, end column, row) start values normally 0,0~A1 cell
742>>4	ulong		!0
743>>>4	uleshort	x	\b%d,
744>>>6	uleshort	x	\b%d-
745# end of cell range
746>>8	uleshort	x	\b%d,
747>>10	uleshort	x	\b%d
748# EndOfLotus123
7490	string/b		WordPro\0	Lotus WordPro
750!:mime	application/vnd.lotus-wordpro
7510	string/b		WordPro\r\373	Lotus WordPro
752!:mime	application/vnd.lotus-wordpro
753
754
755# Summary: Script used by InstallScield to uninstall applications
756# Extension: .isu
757# Submitted by: unknown
758# Modified by (1): Abel Cheung <abelcheung@gmail.com> (replace useless entry)
7590		string		\x71\xa8\x00\x00\x01\x02
760>12		string		Stirling\ Technologies,		InstallShield Uninstall Script
761
762# Winamp .avs
763#0	string	Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media player
7640	string/b	Nullsoft\ AVS\ Preset\ 	Winamp plug in
765
766# Windows Metafont .WMF
7670	string/b	\327\315\306\232	ms-windows metafont .wmf
7680	string/b	\002\000\011\000	ms-windows metafont .wmf
7690	string/b	\001\000\011\000	ms-windows metafont .wmf
770
771#tz3 files whatever that is (MS Works files)
7720	string/b	\003\001\001\004\070\001\000\000	tz3 ms-works file
7730	string/b	\003\002\001\004\070\001\000\000	tz3 ms-works file
7740	string/b	\003\003\001\004\070\001\000\000	tz3 ms-works file
775
776# PGP sig files .sig
777#0 string \211\000\077\003\005\000\063\237\127 065 to  \027\266\151\064\005\045\101\233\021\002 PGP sig
7780 string \211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002 PGP sig
7790 string \211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002 PGP sig
7800 string \211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002 PGP sig
7810 string \211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002 PGP sig
7820 string \211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002 PGP sig
7830 string \211\000\225\003\005\000\062\122\207\304\100\345\042 PGP sig
784
785# windows zips files .dmf
7860	string/b	MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000 MS Windows special zipped file
787
788
789#ico files
7900	string/b	\102\101\050\000\000\000\056\000\000\000\000\000\000\000	Icon for MS Windows
791
792# Windows icons
793# Update: Joerg Jenderek
794# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
795# Note: similiar to Windows CURsor. container for BMP (only DIB part) or PNG
7960   belong  0x00000100
797>9  byte    0
798>>0 byte    x
799>>0 use     cur-ico-dir
800>9  ubyte   0xff
801>>0 byte    x
802>>0 use     cur-ico-dir
803#	displays number of icons and information for icon or cursor
8040	name		cur-ico-dir
805# skip some Lotus 1-2-3 worksheets, CYCLE.PIC and keep Windows cursors with
806# 1st data offset = dir header size + n * dir entry size = 6 + n * 10h = ?6h
807>18		ulelong		&0x00000006
808# skip remaining worksheets, because valid only for DIB image (40) or PNG image (\x89PNG)
809>>(18.l)	ulelong		x		MS Windows
810>>>0		ubelong		0x00000100	icon resource
811#!:mime		image/vnd.microsoft.icon
812!:mime		image/x-icon
813!:ext		ico
814>>>>4 		uleshort	x		- %d icon
815# plural s
816>>>>4 		uleshort	>1		\bs
817# 1st icon
818>>>>0x06	use		ico-entry
819# 2nd icon
820>>>>4 		uleshort	>1
821>>>>>0x16	use		ico-entry
822>>>0		ubelong		0x00000200	cursor resource
823#!:mime		image/x-cur
824!:mime		image/x-win-bitmap
825!:ext		cur
826>>>>4 		uleshort	x		- %d icon
827>>>>4 		uleshort	>1		\bs
828# 1st cursor
829>>>>0x06	use		cur-entry
830#>>>>0x16	use		cur-entry
831#	display information of one cursor entry
8320	name		cur-entry
833>0	use		cur-ico-entry
834>4	uleshort	x	\b, hotspot @%dx
835>6	uleshort	x	\b%d
836#	display information of one icon entry
8370	name		ico-entry
838>0			use	cur-ico-entry
839# normally 0 1 but also found 14
840>4	uleshort	>1	\b, %d planes
841# normally 0 1 but also found some 3, 4, some 6, 8, 24, many 32, two 256
842>6	uleshort	>1	\b, %d bits/pixel
843#	display shared information of cursor or icon entry
8440		name		cur-ico-entry
845>0		byte		=0		\b, 256x
846>0		byte		!0		\b, %dx
847>1		byte        	=0		\b256
848>1		byte        	!0		\b%d
849# number of colors in palette
850>2		ubyte		!0		\b, %d colors
851# reserved 0 FFh
852#>3		ubyte        	x		\b, reserved %x
853#>8		ulelong		x		\b, image size %d
854# offset of PNG or DIB image
855#>12		ulelong		x		\b, offset 0x%x
856# PNG header (\x89PNG)
857>(12.l)		ubelong		=0x89504e47
858>>&-4		indirect	x	\b with
859# DIB image
860>(12.l)		ubelong		!0x89504e47
861#>>&-4		use     	dib-image
862
863# Windows non-animated cursors
864# Update: Joerg Jenderek
865# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
866# Note: similiar to Windows ICOn. container for BMP ( only DIB part)
867# GRR: line below is too general as it catches also Lotus 1-2-3 files
8680   belong  0x00000200
869>9  byte    0
870>>0 use     cur-ico-dir
871>9  ubyte   0xff
872>>0 use     cur-ico-dir
873
874# .chr files
8750	string/b	PK\010\010BGI	Borland font
876>4	string	>\0	%s
877# then there is a copyright notice
878
879
880# .bgi files
8810	string/b	pk\010\010BGI	Borland device
882>4	string	>\0	%s
883# then there is a copyright notice
884
885
886# Windows Recycle Bin record file (named INFO2)
887# By Abel Cheung (abelcheung AT gmail dot com)
888# Version 4 always has 280 bytes (0x118) per record, version 5 has 800 bytes
889# Since Vista uses another structure, INFO2 structure probably won't change
890# anymore. Detailed analysis in:
891# http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf
8920	lelong		0x00000004
893>12	lelong		0x00000118	Windows Recycle Bin INFO2 file (Win98 or below)
894
8950	lelong		0x00000005
896>12	lelong		0x00000320	Windows Recycle Bin INFO2 file (Win2k - WinXP)
897
898# From Doug Lee via a FreeBSD pr
8999	string		GERBILDOC	First Choice document
9009	string		GERBILDB	First Choice database
9019	string		GERBILCLIP	First Choice database
9020	string		GERBIL		First Choice device file
9039	string		RABBITGRAPH	RabbitGraph file
9040	string		DCU1		Borland Delphi .DCU file
9050	string		=!<spell>	MKS Spell hash list (old format)
9060	string		=!<spell2>	MKS Spell hash list
907# Too simple - MPi
908#0	string		AH		Halo(TM) bitmapped font file
9090	lelong		0x08086b70	TurboC BGI file
9100	lelong		0x08084b50	TurboC Font file
911
912# Debian#712046: The magic below identifies "Delphi compiled form data".
913# An additional source of information is available at:
914# http://www.woodmann.com/fravia/dafix_t1.htm
9150	string		TPF0
916>4	pstring		>\0		Delphi compiled form '%s'
917
918# tests for DBase files moved, updated and merged to database
919
9200	string		PMCC		Windows 3.x .GRP file
9211	string		RDC-meg		MegaDots
922>8	byte		>0x2F		version %c
923>9	byte		>0x2F		\b.%c file
9240	lelong		0x4C
925>4	lelong		0x00021401	Windows shortcut file
926
927# .PIF files added by Joerg Jenderek from http://smsoft.ru/en/pifdoc.htm
928# only for windows versions equal or greater 3.0
9290x171	string	MICROSOFT\ PIFEX\0	Windows Program Information File
930!:mime	application/x-dosexec
931#>2	string	 	>\0		\b, Title:%.30s
932>0x24	string		>\0		\b for %.63s
933>0x65	string		>\0		\b, directory=%.64s
934>0xA5	string		>\0		\b, parameters=%.64s
935#>0x181	leshort	x	\b, offset %x
936#>0x183	leshort	x	\b, offsetdata %x
937#>0x185	leshort	x	\b, section length %x
938>0x187	search/0xB55	WINDOWS\ VMM\ 4.0\0
939>>&0x5e		ubyte	>0
940>>>&-1		string	<PIFMGR.DLL		\b, icon=%s
941#>>>&-1		string	PIFMGR.DLL		\b, icon=%s
942>>>&-1		string	>PIFMGR.DLL		\b, icon=%s
943>>&0xF0		ubyte	>0
944>>>&-1		string	<Terminal		\b, font=%.32s
945#>>>&-1		string	=Terminal		\b, font=%.32s
946>>>&-1		string	>Terminal		\b, font=%.32s
947>>&0x110	ubyte	>0
948>>>&-1		string	<Lucida\ Console	\b, TrueTypeFont=%.32s
949#>>>&-1		string	=Lucida\ Console	\b, TrueTypeFont=%.32s
950>>>&-1		string	>Lucida\ Console	\b, TrueTypeFont=%.32s
951#>0x187	search/0xB55	WINDOWS\ 286\ 3.0\0	\b, Windows 3.X standard mode-style
952#>0x187	search/0xB55	WINDOWS\ 386\ 3.0\0	\b, Windows 3.X enhanced mode-style
953>0x187	search/0xB55	WINDOWS\ NT\ \ 3.1\0	\b, Windows NT-style
954#>0x187	search/0xB55	WINDOWS\ NT\ \ 4.0\0	\b, Windows NT-style
955>0x187	search/0xB55	CONFIG\ \ SYS\ 4.0\0	\b +CONFIG.SYS
956#>>&06		string	x			\b:%s
957>0x187	search/0xB55	AUTOEXECBAT\ 4.0\0	\b +AUTOEXEC.BAT
958#>>&06		string	x			\b:%s
959
960# DOS EPS Binary File Header
961# From: Ed Sznyter <ews@Black.Market.NET>
9620	belong		0xC5D0D3C6	DOS EPS Binary File
963>4	long		>0		Postscript starts at byte %d
964>>8	long		>0		length %d
965>>>12	long		>0		Metafile starts at byte %d
966>>>>16	long		>0		length %d
967>>>20	long		>0		TIFF starts at byte %d
968>>>>24	long		>0		length %d
969
970# TNEF magic From "Joomy" <joomy@se-ed.net>
971# Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF)
9720	leshort		0x223e9f78	TNEF
973!:mime	application/vnd.ms-tnef
974
975# Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C
976# of http://www.davep.org/norton-guides/ng2h-105.tgz
977# http://en.wikipedia.org/wiki/Norton_Guides
9780	string		NG\0\001
979# only value 0x100 found at offset 2
980>2	ulelong		0x00000100	Norton Guide
981# Title[40]
982>>8	string		>\0		"%-.40s"
983#>>6	uleshort	x		\b, MenuCount=%u
984# szCredits[5][66]
985>>48	string		>\0		\b, %-.66s
986>>114	string		>\0		%-.66s
987
988# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS
989# of http://www.4dos.info/
990# pointer,HelpID[8]=4DHnnnmm
9910	ulelong	0x48443408		4DOS help file
992>4	string	x			\b, version %-4.4s
993
994# old binary Microsoft (.HLP) files added by Joerg Jenderek from http://file-extension.net/seeker/file_extension_hlp
9950	ulequad	0x3a000000024e4c	MS Advisor help file
996
997# HtmlHelp files (.chm)
9980	string/b	ITSF\003\000\000\000\x60\000\000\000	MS Windows HtmlHelp Data
999
1000# GFA-BASIC (Wolfram Kleff)
10012	string/b	GFA-BASIC3	GFA-BASIC 3 data
1002
1003#------------------------------------------------------------------------------
1004# From Stuart Caie <kyzer@4u.net> (developer of cabextract)
1005# Microsoft Cabinet files
10060	string/b	MSCF\0\0\0\0	Microsoft Cabinet archive data
1007!:mime application/vnd.ms-cab-compressed
1008>8	lelong		x		\b, %u bytes
1009>28	leshort		1		\b, 1 file
1010>28	leshort		>1		\b, %u files
1011
1012# InstallShield Cabinet files
10130	string/b	ISc(		InstallShield Cabinet archive data
1014>5	byte&0xf0	=0x60		version 6,
1015>5	byte&0xf0	!0x60		version 4/5,
1016>(12.l+40)	lelong	x		%u files
1017
1018# Windows CE package files
10190	string/b	MSCE\0\0\0\0	Microsoft WinCE install header
1020>20	lelong		0		\b, architecture-independent
1021>20	lelong		103		\b, Hitachi SH3
1022>20	lelong		104		\b, Hitachi SH4
1023>20	lelong		0xA11		\b, StrongARM
1024>20	lelong		4000		\b, MIPS R4000
1025>20	lelong		10003		\b, Hitachi SH3
1026>20	lelong		10004		\b, Hitachi SH3E
1027>20	lelong		10005		\b, Hitachi SH4
1028>20	lelong		70001		\b, ARM 7TDMI
1029>52	leshort		1		\b, 1 file
1030>52	leshort		>1		\b, %u files
1031>56	leshort		1		\b, 1 registry entry
1032>56	leshort		>1		\b, %u registry entries
1033
1034
1035# Windows Enhanced Metafile (EMF)
1036# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp
1037# for further information.
10380	ulelong 1
1039>40	string	\ EMF		Windows Enhanced Metafile (EMF) image data
1040>>44	ulelong x		version 0x%x
1041
1042# from http://filext.com by Derek M Jones <derek@knosof.co.uk>
1043# False positive with PPT (also currently this string is too long)
1044#0	string/b	\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF\x09\x00\x06	Microsoft Installer
10450	string/b	\320\317\021\340\241\261\032\341	Microsoft Office Document
1046#>48	byte	0x1B					Excel Document
1047#!:mime application/vnd.ms-excel
1048>546	string	bjbj			Microsoft Word Document
1049!:mime	application/msword
1050>546	string	jbjb			Microsoft Word Document
1051!:mime	application/msword
1052
10530	string/b	\224\246\056		Microsoft Word Document
1054!:mime	application/msword
1055
1056512	string	R\0o\0o\0t\0\ \0E\0n\0t\0r\0y	Microsoft Word Document
1057!:mime	application/msword
1058
1059# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
1060# Magic type for Dell's BIOS .hdr files
1061# Dell's .hdr
10620	string/b $RBU
1063>23	string Dell			%s system BIOS
1064>5	byte   2
1065>>48	byte   x			version %d.
1066>>49	byte   x			\b%d.
1067>>50	byte   x			\b%d
1068>5	byte   <2
1069>>48	string x			version %.3s
1070
1071# Type: Microsoft DirectDraw Surface
1072# URL:	http://msdn.microsoft.com/library/default.asp?url=/library/en-us/directx9_c/directx/graphics/reference/DDSFileReference/ddsfileformat.asp
1073# From: Morten Hustveit <morten@debian.org>
10740	string/b	DDS\040\174\000\000\000 Microsoft DirectDraw Surface (DDS),
1075>16	lelong	>0			%d x
1076>12	lelong	>0			%d,
1077>84	string	x			%.4s
1078
1079# Type: Microsoft Document Imaging Format (.mdi)
1080# URL:	http://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format
1081# From: Daniele Sempione <scrows@oziosi.org>
1082# Too weak (EP)
1083#0	short	0x5045			Microsoft Document Imaging Format
1084
1085# MS eBook format (.lit)
10860	string/b	ITOLITLS		Microsoft Reader eBook Data
1087>8	lelong	x			\b, version %u
1088!:mime					application/x-ms-reader
1089
1090# Windows CE Binary Image Data Format
1091# From: Dr. Jesus <j@hug.gs>
10920	string/b	B000FF\n	Windows Embedded CE binary image
1093
1094# Windows Imaging (WIM) Image
10950	string/b	MSWIM\000\000\000	Windows imaging (WIM) image
10960	string/b	WLPWM\000\000\000	Windows imaging (WIM) image, wimlib pipable format
1097
1098# The second byte of these signatures is a file version; I don't know what,
1099# if anything, produced files with version numbers 0-2.
1100# From: John Elliott <johne@seasip.demon.co.uk>
11010	string	\xfc\x03\x00	Mallard BASIC program data (v1.11)
11020	string	\xfc\x04\x00	Mallard BASIC program data (v1.29+)
11030	string	\xfc\x03\x01	Mallard BASIC protected program data (v1.11)
11040	string	\xfc\x04\x01	Mallard BASIC protected program data (v1.29+)
1105
11060	string	MIOPEN		Mallard BASIC Jetsam data
11070	string	Jetsam0		Mallard BASIC Jetsam index data
1108
1109