#------------------------------------------------------------------------------
# $File: msdos,v 1.111 2016/09/14 01:26:26 christos Exp $
# msdos: file(1) magic for MS-DOS files
#

# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com)
# updated by Joerg Jenderek at Oct 2008,Apr 2011
0 string/t @
>1 string/cW \ echo\ off DOS batch file text
!:mime text/x-msdos-batch
>1 string/cW echo\ off DOS batch file text
!:mime text/x-msdos-batch
>1 string/cW rem DOS batch file text
!:mime text/x-msdos-batch
>1 string/cW set\  DOS batch file text
!:mime text/x-msdos-batch


# OS/2 batch files are REXX. the second regex is a bit generic, oh well
# the matched commands seem to be common in REXX and uncommon elsewhere
100 search/0xffff rxfuncadd
>100 regex/c =^[\ \t]{0,10}call[\ \t]{1,10}rxfunc OS/2 REXX batch file text
100 search/0xffff say
>100 regex/c =^[\ \t]{0,10}say\ ['"] OS/2 REXX batch file text

# updated by Joerg Jenderek at Oct 2015
# https://de.wikipedia.org/wiki/Common_Object_File_Format
# http://www.delorie.com/djgpp/doc/coff/filhdr.html
# ./intel already labeled COFF type 0x14c=0514 as "80386 COFF executable"
#0 leshort 0x14c MS Windows COFF Intel 80386 object file
#>4 ledate x stamp %s
0 leshort 0x166 MS Windows COFF MIPS R4000 object file
#>4 ledate x stamp %s
0 leshort 0x184 MS Windows COFF Alpha object file
#>4 ledate x stamp %s
0 leshort 0x268 MS Windows COFF Motorola 68000 object file
#>4 ledate x stamp %s
0 leshort 0x1f0 MS Windows COFF PowerPC object file
#>4 ledate x stamp %s
0 leshort 0x290 MS Windows COFF PA-RISC object file
#>4 ledate x stamp %s

# Tests for various EXE types.
#
# Many of the compressed formats were extracted from IDARC 1.23 source code.
#
0 string/b MZ
# All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file.
>0x18 leshort <0x40 MS-DOS executable
!:mime application/x-dosexec
# These traditional tests usually work but not always. When test quality support is
# implemented these can be turned on.
#>>0x18 leshort 0x1c (Borland compiler)
#>>0x18 leshort 0x1e (MS compiler)

# If the relocation table is 0x40 or more bytes into the file, it's definitely
# not a DOS EXE.
>0x18 leshort >0x3f

# Maybe it's a PE?
>>(0x3c.l) string PE\0\0 PE
!:mime application/x-dosexec
>>>(0x3c.l+24) leshort 0x010b \b32 executable
>>>(0x3c.l+24) leshort 0x020b \b32+ executable
>>>(0x3c.l+24) leshort 0x0107 ROM image
>>>(0x3c.l+24) default x Unknown PE signature
>>>>&0 leshort x 0x%x
>>>(0x3c.l+22) leshort&0x2000 >0 (DLL)
>>>(0x3c.l+92) leshort 1 (native)
>>>(0x3c.l+92) leshort 2 (GUI)
>>>(0x3c.l+92) leshort 3 (console)
>>>(0x3c.l+92) leshort 7 (POSIX)
>>>(0x3c.l+92) leshort 9 (Windows CE)
>>>(0x3c.l+92) leshort 10 (EFI application)
>>>(0x3c.l+92) leshort 11 (EFI boot service driver)
>>>(0x3c.l+92) leshort 12 (EFI runtime driver)
>>>(0x3c.l+92) leshort 13 (EFI ROM)
>>>(0x3c.l+92) leshort 14 (XBOX)
>>>(0x3c.l+92) leshort 15 (Windows boot application)
>>>(0x3c.l+92) default x (Unknown subsystem
>>>>&0 leshort x 0x%x)
>>>(0x3c.l+4) leshort 0x14c Intel 80386
>>>(0x3c.l+4) leshort 0x166 MIPS R4000
>>>(0x3c.l+4) leshort 0x168 MIPS R10000
>>>(0x3c.l+4) leshort 0x184 Alpha
>>>(0x3c.l+4) leshort 0x1a2 Hitachi SH3
>>>(0x3c.l+4) leshort 0x1a6 Hitachi SH4
>>>(0x3c.l+4) leshort 0x1c0 ARM
>>>(0x3c.l+4) leshort 0x1c2 ARM Thumb
>>>(0x3c.l+4) leshort 0x1c4 ARMv7 Thumb
>>>(0x3c.l+4) leshort 0x1f0 PowerPC
>>>(0x3c.l+4) leshort 0x200 Intel Itanium
>>>(0x3c.l+4) leshort 0x266 MIPS16
>>>(0x3c.l+4) leshort 0x268 Motorola 68000
>>>(0x3c.l+4) leshort 0x290 PA-RISC
>>>(0x3c.l+4) leshort 0x366 MIPSIV
>>>(0x3c.l+4) leshort 0x466 MIPS16 with FPU
>>>(0x3c.l+4) leshort 0xebc EFI byte code
>>>(0x3c.l+4) leshort 0x8664 x86-64
>>>(0x3c.l+4) leshort 0xc0ee MSIL
>>>(0x3c.l+4) default x Unknown processor type
>>>>&0 leshort x 0x%x
>>>(0x3c.l+22) leshort&0x0200 >0 (stripped to external PDB)
>>>(0x3c.l+22) leshort&0x1000 >0 system file
>>>(0x3c.l+24) leshort 0x010b
>>>>(0x3c.l+232) lelong >0 Mono/.Net assembly
>>>(0x3c.l+24) leshort 0x020b
>>>>(0x3c.l+248) lelong >0 Mono/.Net assembly

# hooray, there's a DOS extender using the PE format, with a valid PE
# executable inside (which just prints a message and exits if run in win)
>>>(8.s*16) string 32STUB \b, 32rtm DOS extender
>>>(8.s*16) string !32STUB \b, for MS Windows
>>>(0x3c.l+0xf8) string UPX0 \b, UPX compressed
>>>(0x3c.l+0xf8) search/0x140 PEC2 \b, PECompact2 compressed
>>>(0x3c.l+0xf8) search/0x140 UPX2
>>>>(&0x10.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
>>>(0x3c.l+0xf8) search/0x140 .idata
>>>>(&0xe.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
>>>>(&0xe.l+(-4)) string ZZ0 \b, ZZip self-extracting archive
>>>>(&0xe.l+(-4)) string ZZ1 \b, ZZip self-extracting archive
>>>(0x3c.l+0xf8) search/0x140 .rsrc
>>>>(&0x0f.l+(-4)) string a\\\4\5 \b, WinHKI self-extracting archive
>>>>(&0x0f.l+(-4)) string Rar! \b, RAR self-extracting archive
>>>>(&0x0f.l+(-4)) search/0x3000 MSCF \b, InstallShield self-extracting archive
>>>>(&0x0f.l+(-4)) search/32 Nullsoft \b, Nullsoft Installer self-extracting archive
>>>(0x3c.l+0xf8) search/0x140 .data
>>>>(&0x0f.l) string WEXTRACT \b, MS CAB-Installer self-extracting archive
>>>(0x3c.l+0xf8) search/0x140 .petite\0 \b, Petite compressed
>>>>(0x3c.l+0xf7) byte x
>>>>>(&0x104.l+(-4)) string =!sfx! \b, ACE self-extracting archive
>>>(0x3c.l+0xf8) search/0x140 .WISE \b, WISE installer self-extracting archive
>>>(0x3c.l+0xf8) search/0x140 .dz\0\0\0 \b, Dzip self-extracting archive
>>>&(0x3c.l+0xf8) search/0x100 _winzip_ \b, ZIP self-extracting archive (WinZip)
>>>&(0x3c.l+0xf8) search/0x100 SharedD \b, Microsoft Installer self-extracting archive
>>>0x30 string Inno \b, InnoSetup self-extracting archive

# Hmm, not a PE but the relocation table is too high for a traditional DOS exe,
# must be one of the unusual subformats.
>>(0x3c.l) string !PE\0\0 MS-DOS executable
!:mime application/x-dosexec

>>(0x3c.l) string NE \b, NE
!:mime application/x-dosexec
>>>(0x3c.l+0x36) byte 1 for OS/2 1.x
>>>(0x3c.l+0x36) byte 2 for MS Windows 3.x
>>>(0x3c.l+0x36) byte 3 for MS-DOS
>>>(0x3c.l+0x36) byte 4 for Windows 386
>>>(0x3c.l+0x36) byte 5 for Borland Operating System Services
>>>(0x3c.l+0x36) default x
>>>>(0x3c.l+0x36) byte x (unknown OS %x)
>>>(0x3c.l+0x36) byte 0x81 for MS-DOS, Phar Lap DOS extender
>>>(0x3c.l+0x0c) leshort&0x8003 0x8002 (DLL)
>>>(0x3c.l+0x0c) leshort&0x8003 0x8001 (driver)
>>>&(&0x24.s-1) string ARJSFX \b, ARJ self-extracting archive
>>>(0x3c.l+0x70) search/0x80 WinZip(R)\ Self-Extractor \b, ZIP self-extracting archive (WinZip)

>>(0x3c.l) string LX\0\0 \b, LX
!:mime application/x-dosexec
>>>(0x3c.l+0x0a) leshort <1 (unknown OS)
>>>(0x3c.l+0x0a) leshort 1 for OS/2
>>>(0x3c.l+0x0a) leshort 2 for MS Windows
>>>(0x3c.l+0x0a) leshort 3 for DOS
>>>(0x3c.l+0x0a) leshort >3 (unknown OS)
>>>(0x3c.l+0x10) lelong&0x28000 =0x8000 (DLL)
>>>(0x3c.l+0x10) lelong&0x20000 >0 (device driver)
>>>(0x3c.l+0x10) lelong&0x300 0x300 (GUI)
>>>(0x3c.l+0x10) lelong&0x28300 <0x300 (console)
>>>(0x3c.l+0x08) leshort 1 i80286
>>>(0x3c.l+0x08) leshort 2 i80386
>>>(0x3c.l+0x08) leshort 3 i80486
>>>(8.s*16) string emx \b, emx
>>>>&1 string x %s
>>>&(&0x54.l-3) string arjsfx \b, ARJ self-extracting archive

# MS Windows system file, supposedly a collection of LE executables
>>(0x3c.l) string W3 \b, W3 for MS Windows
!:mime application/x-dosexec

>>(0x3c.l) string LE\0\0 \b, LE executable
!:mime application/x-dosexec
>>>(0x3c.l+0x0a) leshort 1
# some DOS extenders use LE files with OS/2 header
>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender
>>>>0x240 search/0x200 WATCOM\ C/C++ for MS-DOS, DOS4GW DOS extender
>>>>0x440 search/0x100 CauseWay\ DOS\ Extender for MS-DOS, CauseWay DOS extender
>>>>0x40 search/0x40 PMODE/W for MS-DOS, PMODE/W DOS extender
>>>>0x40 search/0x40 STUB/32A for MS-DOS, DOS/32A DOS extender (stub)
>>>>0x40 search/0x80 STUB/32C for MS-DOS, DOS/32A DOS extender (configurable stub)
>>>>0x40 search/0x80 DOS/32A for MS-DOS, DOS/32A DOS extender (embedded)
# this is a wild guess; hopefully it is a specific signature
>>>>&0x24 lelong <0x50
>>>>>(&0x4c.l) string \xfc\xb8WATCOM
>>>>>>&0 search/8 3\xdbf\xb9 \b, 32Lite compressed
# another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP
#>>>>(0x3c.l+0x1c) lelong >0x10000 for OS/2
# fails with DOS-Extenders.
>>>(0x3c.l+0x0a) leshort 2 for MS Windows
>>>(0x3c.l+0x0a) leshort 3 for DOS
>>>(0x3c.l+0x0a) leshort 4 for MS Windows (VxD)
>>>(&0x7c.l+0x26) string UPX \b, UPX compressed
>>>&(&0x54.l-3) string UNACE \b, ACE self-extracting archive

# looks like ASCII, probably some embedded copyright message.
# and definitely not NE/LE/LX/PE
>>0x3c lelong >0x20000000
>>>(4.s*512) leshort !0x014c \b, MZ for MS-DOS
!:mime application/x-dosexec
# header data too small for extended executable
>2 long !0
>>0x18 leshort <0x40
>>>(4.s*512) leshort !0x014c

>>>>&(2.s-514) string !LE
>>>>>&-2 string !BW \b, MZ for MS-DOS
!:mime application/x-dosexec
>>>>&(2.s-514) string LE \b, LE
>>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender
# educated guess since indirection is still not capable enough for complex offset
# calculations (next embedded executable would be at &(&2*512+&0-2)
# I suspect there are only LE executables in these multi-exe files
>>>>&(2.s-514) string BW
>>>>>0x240 search/0x100 DOS/4G \b, LE for MS-DOS, DOS4GW DOS extender (embedded)
>>>>>0x240 search/0x100 !DOS/4G \b, BW collection for MS-DOS

# This sequence skips to the first COFF segment, usually .text
>(4.s*512) leshort 0x014c \b, COFF
!:mime application/x-dosexec
>>(8.s*16) string go32stub for MS-DOS, DJGPP go32 DOS extender
>>(8.s*16) string emx
>>>&1 string x for DOS, Win or OS/2, emx %s
>>&(&0x42.l-3) byte x
>>>&0x26 string UPX \b, UPX compressed
# and yet another guess: small .text, and after large .data is unusual, could be 32lite
>>&0x2c search/0xa0 .text
>>>&0x0b lelong <0x2000
>>>>&0 lelong >0x6000 \b, 32lite compressed

>(8.s*16) string $WdX \b, WDos/X DOS extender

# By now an executable type should have been printed out. The executable
# may be a self-uncompressing archive, so look for evidence of that and
# print it out.
#
# Some signatures below from Greg Roelofs, newt@uchicago.edu.
#
>0x35 string \x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05 \b, aPack compressed
>0xe7 string LH/2\ Self-Extract \b, %s
>0x1c string UC2X \b, UCEXE compressed
>0x1c string WWP\  \b, WWPACK compressed
>0x1c string RJSX \b, ARJ self-extracting archive
>0x1c string diet \b, diet compressed
>0x1c string LZ09 \b, LZEXE v0.90 compressed
>0x1c string LZ91 \b, LZEXE v0.91 compressed
>0x1c string tz \b, TinyProg compressed
>0x1e string Copyright\ 1989-1990\ PKWARE\ Inc. Self-extracting PKZIP archive
!:mime application/zip
# Yes, this really is "Copr", not "Corp."
>0x1e string PKLITE\ Copr. Self-extracting PKZIP archive
!:mime application/zip
# winarj stores a message in the stub instead of the sig in the MZ header
>0x20 search/0xe0 aRJsfX \b, ARJ self-extracting archive
>0x20 string AIN
>>0x23 string 2 \b, AIN 2.x compressed
>>0x23 string <2 \b, AIN 1.x compressed
>>0x23 string >2 \b, AIN 1.x compressed
>0x24 string LHa's\ SFX \b, LHa self-extracting archive
!:mime application/x-lha
>0x24 string LHA's\ SFX \b, LHa self-extracting archive
!:mime application/x-lha
>0x24 string \ $ARX \b, ARX self-extracting archive
>0x24 string \ $LHarc \b, LHarc self-extracting archive
>0x20 string SFX\ by\ LARC \b, LARC self-extracting archive
>0x40 string aPKG \b, aPackage self-extracting archive
>0x64 string W\ Collis\0\0 \b, Compack compressed
>0x7a string Windows\ self-extracting\ ZIP \b, ZIP self-extracting archive
>>&0xf4 search/0x140 \x0\x40\x1\x0
>>>(&0.l+(4)) string MSCF \b, WinHKI CAB self-extracting archive
>1638 string -lh5- \b, LHa self-extracting archive v2.13S
>0x17888 string Rar! \b, RAR self-extracting archive

# Skip to the end of the EXE. This will usually work fine in the PE case
# because the MZ image is hardcoded into the toolchain and almost certainly
# won't match any of these signatures.
>(4.s*512) long x
>>&(2.s-517) byte x
>>>&0 string PK\3\4 \b, ZIP self-extracting archive
>>>&0 string Rar! \b, RAR self-extracting archive
>>>&0 string =!\x11 \b, AIN 2.x self-extracting archive
>>>&0 string =!\x12 \b, AIN 2.x self-extracting archive
>>>&0 string =!\x17 \b, AIN 1.x self-extracting archive
>>>&0 string =!\x18 \b, AIN 1.x self-extracting archive
>>>&7 search/400 **ACE** \b, ACE self-extracting archive
>>>&0 search/0x480 UC2SFX\ Header \b, UC2 self-extracting archive

# a few unknown ZIP sfxes, no idea if they are needed or if they are
# already captured by the generic patterns above
>(8.s*16) search/0x20 PKSFX \b, ZIP self-extracting archive (PKZIP)
# TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extracting archive
#

# TELVOX Teleinformatica CODEC self-extractor for OS/2:
>49801 string \x79\xff\x80\xff\x76\xff \b, CODEC archive v3.21
>>49824 leshort =1 \b, 1 file
>>49824 leshort >1 \b, %u files

# added by Joerg Jenderek of http://www.freedos.org/software/?prog=kc
# and http://www.freedos.org/software/?prog=kpdos
# for FreeDOS files like KEYBOARD.SYS, KEYBRD2.SYS, KEYBRD3.SYS, *.KBD
0 string/b KCF FreeDOS KEYBoard Layout collection
# only version=0x100 found
>3 uleshort x \b, version 0x%x
# length of string containing author,info and special characters
>6 ubyte >0
#>>6 pstring x \b, name=%s
>>7 string >\0 \b, author=%-.14s
>>7 search/254 \xff \b, info=
#>>>&0 string x \b%-s
>>>&0 string x \b%-.15s
# for FreeDOS *.KL files
0 string/b KLF FreeDOS KEYBoard Layout file
# only version=0x100 or 0x101 found
>3 uleshort x \b, version 0x%x
# stringlength
>5 ubyte >0
>>8 string x \b, name=%-.2s
0 string \xffKEYB\ \ \ \0\0\0\0
>12 string \0\0\0\0`\004\360 MS-DOS KEYBoard Layout file

# DOS device driver updated by Joerg Jenderek at May 2011
# http://maben.homeip.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009
0 ulequad&0x07a0ffffffff 0xffffffff DOS executable (
>40 search/7 UPX! \bUPX compressed
# DOS device driver attributes
>4 uleshort&0x8000 0x0000 \bblock device driver
# character device
>4 uleshort&0x8000 0x8000 \b
>>4 uleshort&0x0008 0x0008 \bclock
# fast video output by int 29h
>>4 uleshort&0x0010 0x0010 \bfast
# standard input/output device
>>4 uleshort&0x0003 >0 \bstandard
>>>4 uleshort&0x0001 0x0001 \binput
>>>4 uleshort&0x0003 0x0003 \b/
>>>4 uleshort&0x0002 0x0002 \boutput
>>4 uleshort&0x8000 0x8000 \bcharacter device driver
>0 ubyte x
# upx compressed device driver has garbage instead of real in name field of header
>>40 search/7 UPX!
>>40 default x
# leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped
>>>12 ubyte >0x27 \b
>>>>10 ubyte >0x20
>>>>>10 ubyte !0x2E
>>>>>>10 ubyte !0x2A \b%c
>>>>11 ubyte >0x20
>>>>>11 ubyte !0x2E \b%c
>>>>12 ubyte >0x20
>>>>>12 ubyte !0x39
>>>>>>12 ubyte !0x2E \b%c
>>>13 ubyte >0x20
>>>>13 ubyte !0x2E \b%c
>>>>14 ubyte >0x20
>>>>>14 ubyte !0x2E \b%c
>>>>15 ubyte >0x20
>>>>>15 ubyte !0x2E \b%c
>>>>16 ubyte >0x20
>>>>>16 ubyte !0x2E
>>>>>>16 ubyte <0xCB \b%c
>>>>17 ubyte >0x20
>>>>>17 ubyte !0x2E
>>>>>>17 ubyte <0x90 \b%c
# some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field
>>>4 uleshort&0x8000 0x8000
>>>>12 ubyte <0x2F
# they have their real name at offset 22
>>>>>22 string >\0 \b%-.5s
>4 uleshort&0x8000 0x0000
# 32 bit sector addressing ( > 32 MB) for block devices
>>4 uleshort&0x0002 0x0002 \b,32-bit sector-
# support by driver functions 13h, 17h, 18h
>4 uleshort&0x0040 0x0040 \b,IOCTL-
# open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh
>4 uleshort&0x0800 0x0800 \b,close media-
# output until busy support by int 10h for character device driver
>4 uleshort&0x8000 0x8000
>>4 uleshort&0x2000 0x2000 \b,until busy-
# direct read/write support by driver functions 03h,0Ch
>4 uleshort&0x4000 0x4000 \b,control strings-
>4 uleshort&0x8000 0x8000
>>4 uleshort&0x6840 >0 \bsupport
>4 uleshort&0x8000 0x0000
>>4 uleshort&0x4842 >0 \bsupport
>0 ubyte x \b)
# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header
# Too weak, matches files that only contain 0's
#0 ulequad&0x000007a0ffffffed 0x0000000000000000 DOS-executable (
#>4 uleshort&0x8000 0x8000 \bcharacter device driver
#>>10 string x %-.8s
#>4 uleshort&0x4000 0x4000 \b,control strings-support)

# updated by Joerg Jenderek
# GRR: line below too general as it catches also
# rt.lib DYADISKS.PIC and many more
# start with assembler instruction MOV
0 ubyte 0x8c
# skip "AppleWorks word processor data" like ARTICLE.1 ./apple
>4 string !O====
# skip some unknown basic binaries like RocketRnger.SHR
>>5 string !MAIN
# skip "GPG symmetrically encrypted data" ./gnu
# skip "PGP symmetric key encrypted data" ./pgp
# openpgpdefs.h: fourth byte < 14 indicate cipher algorithm type
>>>4 ubyte >13 DOS executable (COM, 0x8C-variant)
# the remaining files should be DOS *.COM executables
# dosshell.COM 8cc0 2ea35f07 e85211 e88a11 b80058 cd
# hmload.COM 8cc8 8ec0 bbc02b 89dc 83c30f c1eb04 b4
# UNDELETE.COM 8cca 2e8916 6503 b430 cd21 8b 2e0200 8b
# BOOTFIX.COM 8cca 2e8916 9603 b430 cd21 8b 2e0200 8b
# RAWRITE3.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
# SHARE.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
# validchr.COM 8cca 2e8916 9603 b430 cd21 8b 2e028b1e
# devload.COM 8cca 8916ad01 b430 cd21 8b2e0200 892e
!:mime application/x-dosexec
!:ext com

# updated by Joerg Jenderek at Oct 2008
0 ulelong 0xffff10eb DR-DOS executable (COM)
# byte 0xeb conflicts with "sequent" magic leshort 0xn2eb
0 ubeshort&0xeb8d >0xeb00
# DR-DOS STACKER.COM SCREATE.SYS missed

0 name msdos-com
>0 byte x DOS executable (COM)
>6 string SFX\ of\ LHarc \b, %s
>0x1FE leshort 0xAA55 \b, boot code
>85 string UPX \b, UPX compressed
>4 string \ $ARX \b, ARX self-extracting archive
>4 string \ $LHarc \b, LHarc self-extracting archive
>0x20e string SFX\ by\ LARC \b, LARC self-extracting archive

# JMP 8bit
0 byte 0xeb
# allow forward jumps only
>1 byte >-1
# that offset must be accessible
>>(1.b+2) byte x
>>>0 use msdos-com

# JMP 16bit
0 byte 0xe9
# forward jumps
>1 short >-1
# that offset must be accessible
>>(1.s+3) byte x
>>>0 use msdos-com
# negative offset, must not lead into PSP
>1 short <-259
# that offset must be accessible
>>(1,s+65539) byte x
>>>0 use msdos-com

# updated by Joerg Jenderek at Oct 2008,2015
# following line is too general
0 ubyte 0xb8
# skip 2 linux kernels like memtest.bin with "\xb8\xc0\x07\x8e" in ./linux
>0 string !\xb8\xc0\x07\x8e
# modified by Joerg Jenderek
# syslinux COM32 or COM32R executable
>>1 lelong&0xFFFFFFFe 0x21CD4CFe COM executable (32-bit COMBOOT
# http://www.syslinux.org/wiki/index.php/Comboot_API
# Since version 5.00 c32 modules switched from the COM32 object format to ELF
!:mime application/x-c32-comboot-syslinux-exec
!:ext c32
# http://syslinux.zytor.com/comboot.php
# older syslinux version ( <4 )
# (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode
# start with assembler instructions mov eax,21cd4cffh
>>>1 lelong 0x21CD4CFf \b)
# syslinux:doc/comboot.txt
# A COM32R program must start with the byte sequence B8 FE 4C CD 21 (mov
# eax,21cd4cfeh) as a magic number.
# syslinux version (4.x)
# "COM executable (COM32R)" or "Syslinux COM32 module" by TrID
>>>1 lelong 0x21CD4CFe \b, relocatable)
# remaining are DOS COM executables starting with assembler instruction MOV
# like FreeDOS BANNER*.COM FINDDISK.COM GIF2RAW.COM WINCHK.COM
# MS-DOS SYS.COM RESTART.COM
# SYSLINUX.COM (version 1.40 - 2.13)
# GFXBOOT.COM (version 3.75)
# COPYBS.COM POWEROFF.COM INT18.COM
>>1 default x COM executable for DOS
!:mime application/x-dosexec
#!:mime application/x-ms-dos-executable
#!:mime application/x-msdos-program
!:ext com

0 string/b \x81\xfc
>4 string \x77\x02\xcd\x20\xb9
>>36 string UPX! FREE-DOS executable (COM), UPX compressed
252 string Must\ have\ DOS\ version DR-DOS executable (COM)
# added by Joerg Jenderek at Oct 2008
# GRR search is not working
#34 search/2 UPX! FREE-DOS executable (COM), UPX compressed
34 string UPX! FREE-DOS executable (COM), UPX compressed
35 string UPX! FREE-DOS executable (COM), UPX compressed
# GRR search is not working
#2 search/28 \xcd\x21 COM executable for MS-DOS
#WHICHFAT.cOM
2 string \xcd\x21 COM executable for DOS
#DELTREE.cOM DELTREE2.cOM
4 string \xcd\x21 COM executable for DOS
#IFMEMDSK.cOM ASSIGN.cOM COMP.cOM
5 string \xcd\x21 COM executable for DOS
#DELTMP.COm HASFAT32.cOM
7 string \xcd\x21
>0 byte !0xb8 COM executable for DOS
#COMP.cOM MORE.COm
10 string \xcd\x21
>5 string !\xcd\x21 COM executable for DOS
#comecho.com
13 string \xcd\x21 COM executable for DOS
#HELP.COm EDIT.coM
18 string \xcd\x21 COM executable for MS-DOS
#NWRPLTRM.COm
23 string \xcd\x21 COM executable for MS-DOS
#LOADFIX.cOm LOADFIX.cOm
30 string \xcd\x21 COM executable for MS-DOS
#syslinux.com 3.11
70 string \xcd\x21 COM executable for DOS
# many compressed/converted COMs start with a copy loop instead of a jump
0x6 search/0xa \xfc\x57\xf3\xa5\xc3 COM executable for MS-DOS
0x6 search/0xa \xfc\x57\xf3\xa4\xc3 COM executable for DOS
>0x18 search/0x10 \x50\xa4\xff\xd5\x73 \b, aPack compressed
0x3c string W\ Collis\0\0 COM executable for MS-DOS, Compack compressed
# FIXME: missing diet .com compression

# miscellaneous formats
0 string/b LZ MS-DOS executable (built-in)
#0 byte 0xf0 MS-DOS program library data
#

# AAF files:
# <stuartc@rd.bbc.co.uk> Stuart Cunningham
0 string/b \320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377 AAF legacy file using MS Structured Storage
>30 byte 9 (512B sectors)
>30 byte 12 (4kB sectors)
0 string/b \320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001 AAF file using MS Structured Storage
>30 byte 9 (512B sectors)
>30 byte 12 (4kB sectors)

# Popular applications
2080 string Microsoft\ Word\ 6.0\ Document %s
!:mime application/msword
2080 string Documento\ Microsoft\ Word\ 6 Spanish Microsoft Word 6 document data
!:mime application/msword
# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Word)
2112 string MSWordDoc Microsoft Word document data
!:mime application/msword
#
0 belong 0x31be0000 Microsoft Word Document
!:mime application/msword
#
0 string/b PO^Q` Microsoft Word 6.0 Document
!:mime application/msword
#
0 string/b \376\067\0\043 Microsoft Office Document
!:mime application/msword
0 string/b \333\245-\0\0\0 Microsoft Office Document
!:mime application/msword
512 string/b \354\245\301 Microsoft Word Document
!:mime application/msword

#
0 string/b \xDB\xA5\x2D\x00 Microsoft WinWord 2.0 Document
!:mime application/msword
#
2080 string Microsoft\ Excel\ 5.0\ Worksheet %s
!:mime application/vnd.ms-excel
#
0 string/b \xDB\xA5\x2D\x00 Microsoft WinWord 2.0 Document
!:mime application/msword

2080 string Foglio\ di\ lavoro\ Microsoft\ Exce %s
!:mime application/vnd.ms-excel
#
# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Excel)
2114 string Biff5 Microsoft Excel 5.0 Worksheet
!:mime application/vnd.ms-excel
# Italian MS-Excel
2121 string Biff5 Microsoft Excel 5.0 Worksheet
!:mime application/vnd.ms-excel
0 string/b \x09\x04\x06\x00\x00\x00\x10\x00 Microsoft Excel Worksheet
!:mime application/vnd.ms-excel
#
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/Lotus_1-2-3
# Reference: http://www.aboutvb.de/bas/formate/pdf/wk3.pdf
# Note: newer Lotus versions >2 use longer BOF record
# record type (BeginningOfFile=0000h) + length (001Ah)
0 belong 0x00001a00
# reserved should be 0h but 8c0dh for TUTMAC.WK3, 5h for SAMPADNS.WK3, 1h for a_readme.wk3, 1eh for K&G86.WK3
#>18 uleshort&0x73E0 0
# Lotus Multi Byte Character Set (LMBCS=1-31)
>20 ubyte >0
>>20 ubyte <32 Lotus 1-2-3
#!:mime application/x-123
!:mime application/vnd.lotus-1-2-3
!:apple ????L123
# (version 5.26) labeled the entry as "Lotus 1-2-3 wk3 document data"
>>>4 uleshort 0x1000 WorKsheet, version 3
!:ext wk3
# (version 5.26) labeled the entry as "Lotus 1-2-3 wk4 document data"
>>>4 uleshort 0x1002 WorKsheet, version 4
# also worksheet template 4 (.wt4)
!:ext wk4/wt4
# no example or documentation for wk5
#>>4 uleshort 0x???? WorKsheet, version 4
#!:ext wk5
# only MacrotoScript.123 example
>>>4 uleshort 0x1003 WorKsheet, version 97
# also worksheet template Smartmaster (.12M)?
!:ext 123
# only Set_Y2K.123 example
>>>4 uleshort 0x1005 WorKsheet, version 9.8 Millennium
!:ext 123
# no example for this version
>>>4 uleshort 0x8001 FoRMatting data
!:ext frm
# (version 5.26) labeled the entry as "Lotus 1-2-3 fm3 or fmb document data"
# TrID labels the entry as "Formatting Data for Lotus 1-2-3 worksheet"
>>>4 uleshort 0x8007 ForMatting data, version 3
!:ext fm3
>>>4 default x unknown
# file revision sub code 0004h for worksheets
>>>>6 uleshort =0x0004 worksheet
!:ext wXX
>>>>6 uleshort !0x0004 formatting data
!:ext fXX
# main revision number
>>>>4 uleshort x \b, revision 0x%x
>>>6 uleshort =0x0004 \b, cell range
# active cellcoord range (start row, page,column ; end row, page, column)
# start values normally 0~1st sheet A1
>>>>8 ulelong !0
>>>>>10 ubyte >0 \b%d*
>>>>>8 uleshort x \b%d,
>>>>>11 ubyte x \b%d-
# end page mostly 0
>>>>14 ubyte >0 \b%d*
# end row, column normally not 0
>>>>12 uleshort x \b%d,
>>>>15 ubyte x \b%d
# Lotus Multi Byte Character Set (1~cp850,2~cp851,...,16~japan,...,31~??)
>>>>20 ubyte >1 \b, character set 0x%x
# flags
>>>>21 ubyte x \b, flags 0x%x
>>>6 uleshort !0x0004
# record type (FONTNAME=00AEh)
>>>>30 search/29 \0\xAE
# variable length m (2) + entries (1) + ?? (1) + LCMBS string (n)
>>>>>&4 string >\0 \b, 1st font "%s"
#
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/Lotus_1-2-3
# Reference: http://www.schnarff.com/file-formats/lotus-1-2-3/WSFF2.TXT
# Note: Used by both old Lotus 1-2-3 and Lotus Symphony (DOS) til version 2.x
# record type (BeginningOfFile=0000h) + length (0002h)
0 belong 0x00000200
# GRR: line above is too general as it catches also MS Windows CURsor
# to display MS Windows cursor (strength=70) before Lotus 1-2-3 (strength=70-1)
!:strength -1
# skip Windows cursors with image height <256 and keep Lotus with low opcode 0001-0083h
>7 ubyte 0
# skip Windows cursors with image width 256 and keep Lotus with positive opcode
>>6 ubyte >0 Lotus
# !:mime application/x-123
!:mime application/vnd.lotus-1-2-3
!:apple ????L123
# revision number (0404h = 123 1A, 0405h = Lotus Symphony , 0406h = 123 2.x wk1 , 8006h = fmt , ...)
# undocumented; (version 5.26) labeled the configurations as "Lotus 1-2-3"
>>>4 uleshort 0x0007 1-2-3 CoNFiguration, version 2.x (PGRAPH.CNF)
!:ext cnf
>>>4 uleshort 0x0C05 1-2-3 CoNFiguration, version 2.4J
!:ext cnf
>>>4 uleshort 0x0801 1-2-3 CoNFiguration, version 1-2.1
!:ext cnf
>>>4 uleshort 0x0802 Symphony CoNFiguration
!:ext cnf
>>>4 uleshort 0x0804 1-2-3 CoNFiguration, version 2.2
!:ext cnf
>>>4 uleshort 0x080A 1-2-3 CoNFiguration, version 2.3-2.4
!:ext cnf
>>>4 uleshort 0x1402 1-2-3 CoNFiguration, version 3.x
!:ext cnf
>>>4 uleshort 0x1450 1-2-3 CoNFiguration, version 4.x
!:ext cnf
# (version 5.26) labeled the entry as "Lotus 123"
# TrID labels the entry as "Lotus 123 Worksheet (generic)"
>>>4 uleshort 0x0404 1-2-3 WorKSheet, version 1
# extension "wks" also for Microsoft Works document
!:ext wks
# (version 5.26) labeled the entry as "Lotus 123"
# TrID labels the entry as "Lotus 123 Worksheet (generic)"
>>>4 uleshort 0x0405 Symphony WoRksheet, version 1.0
!:ext wrk/wr1
# (version 5.26) labeled the entry as "Lotus 1-2-3 wk1 document data"
# TrID labels the entry as "Lotus 123 Worksheet (V2)"
>>>4 uleshort 0x0406 1-2-3/Symphony worksheet, version 2
# Symphony (.wr1)
!:ext wk1/wr1
# no example for this japan version
>>>4 uleshort 0x0600 1-2-3 WorKsheet, version 1.xJ
!:ext wj1
# no example or documentation for wk2
#>>>4 uleshort 0x???? 1-2-3 WorKsheet, version 2
#!:ext wk2
# undocumented japan version
>>>4 uleshort 0x0602 1-2-3 worksheet, version 2.4J
!:ext wj3
# (version 5.26) labeled the entry as "Lotus 1-2-3 fmt document data"
>>>4 uleshort 0x8006 1-2-3 ForMaTting data, version 2.x
# japan version 2.4J (fj3)
!:ext fmt/fj3
# no example for this version
>>>4 uleshort 0x8007 1-2-3 FoRMatting data, version 2.0
!:ext frm
# (version 5.26) labeled the entry as "Lotus 1-2-3"
>>>4 default x unknown worksheet or configuration
!:ext cnf
>>>>4 uleshort x \b, revision 0x%x
# 2nd record for most worksheets describes cells range
>>>6 use lotus-cells
# 3rd record for most japan worksheets describes cells range
>>>(8.s+10) use lotus-cells
# check and then display Lotus worksheet cells range
0 name lotus-cells
# look for type (RANGE=0006h) + length (0008h) at record begin
>0 ubelong 0x06000800 \b, cell range
# cell range (start column, row, end column, row) start values normally 0,0~A1 cell
>>4 ulong !0
>>>4 uleshort x \b%d,
>>>6 uleshort x \b%d-
# end of cell range
>>8 uleshort x \b%d,
>>10 uleshort x \b%d
# EndOfLotus123
0 string/b WordPro\0 Lotus WordPro
!:mime application/vnd.lotus-wordpro
0 string/b WordPro\r\373 Lotus WordPro
!:mime application/vnd.lotus-wordpro


# Summary: Script used by InstallShield to uninstall applications
# Extension: .isu
# Submitted by: unknown
# Modified by (1): Abel Cheung <abelcheung@gmail.com> (replace useless entry)
0 string \x71\xa8\x00\x00\x01\x02
>12 string Stirling\ Technologies, InstallShield Uninstall Script

# Winamp .avs
#0 string Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media player
0 string/b Nullsoft\ AVS\ Preset\  Winamp plug in

# Windows Metafont .WMF
0 string/b \327\315\306\232 ms-windows metafont .wmf
0 string/b \002\000\011\000 ms-windows metafont .wmf
0 string/b \001\000\011\000 ms-windows metafont .wmf

#tz3 files whatever that is (MS Works files)
0 string/b \003\001\001\004\070\001\000\000 tz3 ms-works file
0 string/b \003\002\001\004\070\001\000\000 tz3 ms-works file
0 string/b \003\003\001\004\070\001\000\000 tz3 ms-works file

# PGP sig files .sig
#0 string \211\000\077\003\005\000\063\237\127 065 to \027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\225\003\005\000\062\122\207\304\100\345\042 PGP sig

# windows zips files .dmf
0 string/b MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000 MS Windows special zipped file


#ico files
0 string/b \102\101\050\000\000\000\056\000\000\000\000\000\000\000 Icon for MS Windows

# Windows icons
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
# Note: similar to Windows CURsor. container for BMP (only DIB part) or PNG
0 belong 0x00000100
>9 byte 0
>>0 byte x
>>0 use cur-ico-dir
>9 ubyte 0xff
>>0 byte x
>>0 use cur-ico-dir
# displays number of icons and information for icon or cursor
0 name cur-ico-dir
# skip some Lotus 1-2-3 worksheets, CYCLE.PIC and keep Windows cursors with
# 1st data offset = dir header size + n * dir entry size = 6 + n * 10h = ?6h
>18 ulelong &0x00000006
# skip remaining worksheets, because valid only for DIB image (40) or PNG image (\x89PNG)
>>(18.l) ulelong x MS Windows
>>>0 ubelong 0x00000100 icon resource
#!:mime image/vnd.microsoft.icon
!:mime image/x-icon
!:ext ico
>>>>4 uleshort x - %d icon
# plural s
>>>>4 uleshort >1 \bs
# 1st icon
>>>>0x06 use ico-entry
# 2nd icon
>>>>4 uleshort >1
>>>>>0x16 use ico-entry
>>>0 ubelong 0x00000200 cursor resource
#!:mime image/x-cur
!:mime image/x-win-bitmap
!:ext cur
>>>>4 uleshort x - %d icon
>>>>4 uleshort >1 \bs
# 1st cursor
>>>>0x06 use cur-entry
#>>>>0x16 use cur-entry
# display information of one cursor entry
0 name cur-entry
>0 use cur-ico-entry
>4 uleshort x \b, hotspot @%dx
>6 uleshort x \b%d
# display information of one icon entry
0 name ico-entry
>0 use cur-ico-entry
# normally 0 1 but also found 14
>4 uleshort >1 \b, %d planes
# normally 0 1 but also found some 3, 4, some 6, 8, 24, many 32, two 256
>6 uleshort >1 \b, %d bits/pixel
# display shared information of cursor or icon entry
0 name cur-ico-entry
>0 byte =0 \b, 256x
>0 byte !0 \b, %dx
>1 byte =0 \b256
>1 byte !0 \b%d
# number of colors in palette
>2 ubyte !0 \b, %d colors
# reserved 0 FFh
#>3 ubyte x \b, reserved %x
#>8 ulelong x \b, image size %d
# offset of PNG or DIB image
#>12 ulelong x \b, offset 0x%x
# PNG header (\x89PNG)
>(12.l) ubelong =0x89504e47
>>&-4 indirect x \b with
# DIB image
>(12.l) ubelong !0x89504e47
#>>&-4 use dib-image

# Windows non-animated cursors
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
# Note: similar to Windows ICOn. container for BMP ( only DIB part)
# GRR: line below is too general as it catches also Lotus 1-2-3 files
0 belong 0x00000200
>9 byte 0
>>0 use cur-ico-dir
>9 ubyte 0xff
>>0 use cur-ico-dir

# .chr files
0 string/b PK\010\010BGI Borland font
>4 string >\0 %s
# then there is a copyright notice


# .bgi files
0 string/b pk\010\010BGI Borland device
>4 string >\0 %s
# then there is a copyright notice


# Windows Recycle Bin record file (named INFO2)
# By Abel Cheung (abelcheung AT gmail dot com)
# Version 4 always has 280 bytes (0x118) per record, version 5 has 800 bytes
# Since Vista uses another structure, INFO2 structure probably won't change
# anymore. Detailed analysis in:
# http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf
0 lelong 0x00000004
>12 lelong 0x00000118 Windows Recycle Bin INFO2 file (Win98 or below)

0 lelong 0x00000005
>12 lelong 0x00000320 Windows Recycle Bin INFO2 file (Win2k - WinXP)

# From Doug Lee via a FreeBSD pr
9 string GERBILDOC First Choice document
9 string GERBILDB First Choice database
9 string GERBILCLIP First Choice database
0 string GERBIL First Choice device file
9 string RABBITGRAPH RabbitGraph file
0 string DCU1 Borland Delphi .DCU file
0 string =!<spell> MKS Spell hash list (old format)
0 string =!<spell2> MKS Spell hash list
# Too simple - MPi
#0 string AH Halo(TM) bitmapped font file
0 lelong 0x08086b70 TurboC BGI file
0 lelong 0x08084b50 TurboC Font file

# Debian#712046: The magic below identifies "Delphi compiled form data".
# An additional source of information is available at:
# http://www.woodmann.com/fravia/dafix_t1.htm
0	string	TPF0
>4	pstring	>\0	Delphi compiled form '%s'

# tests for DBase files moved, updated and merged to database

0	string	PMCC	Windows 3.x .GRP file
1	string	RDC-meg	MegaDots
>8	byte	>0x2F	version %c
>9	byte	>0x2F	\b.%c file
0	lelong	0x4C
>4	lelong	0x00021401	Windows shortcut file

# .PIF files added by Joerg Jenderek from http://smsoft.ru/en/pifdoc.htm
# only for windows versions equal or greater 3.0
0x171	string	MICROSOFT\ PIFEX\0	Windows Program Information File
!:mime	application/x-dosexec
#>2	string	>\0	\b, Title:%.30s
>0x24	string	>\0	\b for %.63s
>0x65	string	>\0	\b, directory=%.64s
>0xA5	string	>\0	\b, parameters=%.64s
#>0x181	leshort	x	\b, offset %x
#>0x183	leshort	x	\b, offsetdata %x
#>0x185	leshort	x	\b, section length %x
>0x187	search/0xB55	WINDOWS\ VMM\ 4.0\0
>>&0x5e	ubyte	>0
>>>&-1	string	<PIFMGR.DLL	\b, icon=%s
#>>>&-1	string	PIFMGR.DLL	\b, icon=%s
>>>&-1	string	>PIFMGR.DLL	\b, icon=%s
>>&0xF0	ubyte	>0
>>>&-1	string	<Terminal	\b, font=%.32s
#>>>&-1	string	=Terminal	\b, font=%.32s
>>>&-1	string	>Terminal	\b, font=%.32s
>>&0x110	ubyte	>0
>>>&-1	string	<Lucida\ Console	\b, TrueTypeFont=%.32s
#>>>&-1	string	=Lucida\ Console	\b, TrueTypeFont=%.32s
>>>&-1	string	>Lucida\ Console	\b, TrueTypeFont=%.32s
#>0x187	search/0xB55	WINDOWS\ 286\ 3.0\0	\b, Windows 3.X standard mode-style
#>0x187	search/0xB55	WINDOWS\ 386\ 3.0\0	\b, Windows 3.X enhanced mode-style
>0x187	search/0xB55	WINDOWS\ NT\ \ 3.1\0	\b, Windows NT-style
#>0x187	search/0xB55	WINDOWS\ NT\ \ 4.0\0	\b, Windows NT-style
>0x187	search/0xB55	CONFIG\ \ SYS\ 4.0\0	\b +CONFIG.SYS
#>>&06	string	x	\b:%s
>0x187	search/0xB55	AUTOEXECBAT\ 4.0\0	\b +AUTOEXEC.BAT
#>>&06	string	x	\b:%s

# DOS EPS Binary File Header
# From: Ed Sznyter <ews@Black.Market.NET>
0	belong	0xC5D0D3C6	DOS EPS Binary File
>4	long	>0	Postscript starts at byte %d
>>8	long	>0	length %d
>>>12	long	>0	Metafile starts at byte %d
>>>>16	long	>0	length %d
>>>20	long	>0	TIFF starts at byte %d
>>>>24	long	>0	length %d

# TNEF magic From "Joomy" <joomy@se-ed.net>
# Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF)
0	lelong	0x223e9f78	TNEF
!:mime	application/vnd.ms-tnef

# Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C
# of http://www.davep.org/norton-guides/ng2h-105.tgz
# http://en.wikipedia.org/wiki/Norton_Guides
0	string	NG\0\001
# only value 0x100 found at offset 2
>2	ulelong	0x00000100	Norton Guide
# Title[40]
>>8	string	>\0	"%-.40s"
#>>6	uleshort	x	\b, MenuCount=%u
# szCredits[5][66]
>>48	string	>\0	\b, %-.66s
>>114	string	>\0	%-.66s

# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS
# of http://www.4dos.info/
# pointer,HelpID[8]=4DHnnnmm
0	ulelong	0x48443408	4DOS help file
>4	string	x	\b, version %-4.4s

# old binary Microsoft (.HLP) files added by Joerg Jenderek from http://file-extension.net/seeker/file_extension_hlp
0	ulequad	0x3a000000024e4c	MS Advisor help file

# HtmlHelp files (.chm)
0	string/b	ITSF\003\000\000\000\x60\000\000\000	MS Windows HtmlHelp Data

# GFA-BASIC (Wolfram Kleff)
2	string/b	GFA-BASIC3	GFA-BASIC 3 data

#------------------------------------------------------------------------------
# From Stuart Caie <kyzer@4u.net> (developer of cabextract)
# Microsoft Cabinet files
0	string/b	MSCF\0\0\0\0	Microsoft Cabinet archive data
!:mime	application/vnd.ms-cab-compressed
>8	lelong	x	\b, %u bytes
>28	leshort	1	\b, 1 file
>28	leshort	>1	\b, %u files

# InstallShield Cabinet files
0	string/b	ISc(	InstallShield Cabinet archive data
>5	byte&0xf0	=0x60	version 6,
>5	byte&0xf0	!0x60	version 4/5,
>(12.l+40)	lelong	x	%u files

# Windows CE package files
0	string/b	MSCE\0\0\0\0	Microsoft WinCE install header
>20	lelong	0	\b, architecture-independent
>20	lelong	103	\b, Hitachi SH3
>20	lelong	104	\b, Hitachi SH4
>20	lelong	0xA11	\b, StrongARM
>20	lelong	4000	\b, MIPS R4000
>20	lelong	10003	\b, Hitachi SH3
>20	lelong	10004	\b, Hitachi SH3E
>20	lelong	10005	\b, Hitachi SH4
>20	lelong	70001	\b, ARM 7TDMI
>52	leshort	1	\b, 1 file
>52	leshort	>1	\b, %u files
>56	leshort	1	\b, 1 registry entry
>56	leshort	>1	\b, %u registry entries


# Windows Enhanced Metafile (EMF)
# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp
# for further information.
0	ulelong	1
>40	string	\ EMF	Windows Enhanced Metafile (EMF) image data
>>44	ulelong	x	version 0x%x

# from http://filext.com by Derek M Jones <derek@knosof.co.uk>
# False positive with PPT (also currently this string is too long)
#0	string/b	\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF\x09\x00\x06	Microsoft Installer
0	string/b	\320\317\021\340\241\261\032\341	Microsoft Office Document
#>48	byte	0x1B	Excel Document
#!:mime	application/vnd.ms-excel
>546	string	bjbj	Microsoft Word Document
!:mime	application/msword
>546	string	jbjb	Microsoft Word Document
!:mime	application/msword

0	string/b	\224\246\056	Microsoft Word Document
!:mime	application/msword

512	string	R\0o\0o\0t\0\ \0E\0n\0t\0r\0y	Microsoft Word Document
!:mime	application/msword

# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
# Magic type for Dell's BIOS .hdr files
# Dell's .hdr
0	string/b	$RBU
>23	string	Dell	%s system BIOS
>5	byte	2
>>48	byte	x	version %d.
>>49	byte	x	\b%d.
>>50	byte	x	\b%d
>5	byte	<2
>>48	string	x	version %.3s

# Type: Microsoft DirectDraw Surface
# URL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/directx9_c/directx/graphics/reference/DDSFileReference/ddsfileformat.asp
# From: Morten Hustveit <morten@debian.org>
0	string/b	DDS\040\174\000\000\000	Microsoft DirectDraw Surface (DDS),
>16	lelong	>0	%d x
>12	lelong	>0	%d,
>84	string	x	%.4s

# Type: Microsoft Document Imaging Format (.mdi)
# URL: http://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format
# From: Daniele Sempione <scrows@oziosi.org>
# Too weak (EP)
#0	short	0x5045	Microsoft Document Imaging Format

# MS eBook format (.lit)
0	string/b	ITOLITLS	Microsoft Reader eBook Data
>8	lelong	x	\b, version %u
!:mime	application/x-ms-reader

# Windows CE Binary Image Data Format
# From: Dr. Jesus <j@hug.gs>
0	string/b	B000FF\n	Windows Embedded CE binary image

# Windows Imaging (WIM) Image
0	string/b	MSWIM\000\000\000	Windows imaging (WIM) image
0	string/b	WLPWM\000\000\000	Windows imaging (WIM) image, wimlib pipable format

# The second byte of these signatures is a file version; I don't know what,
# if anything, produced files with version numbers 0-2.
# From: John Elliott <johne@seasip.demon.co.uk>
0	string	\xfc\x03\x00	Mallard BASIC program data (v1.11)
0	string	\xfc\x04\x00	Mallard BASIC program data (v1.29+)
0	string	\xfc\x03\x01	Mallard BASIC protected program data (v1.11)
0	string	\xfc\x04\x01	Mallard BASIC protected program data (v1.29+)

0	string	MIOPEN	Mallard BASIC Jetsam data
0	string	Jetsam0	Mallard BASIC Jetsam index data