xref: /freebsd/contrib/file/magic/Magdir/msdos (revision b64c5a0ace59af62eff52bfe110a521dc73c937b)
1
2#------------------------------------------------------------------------------
3# $File: msdos,v 1.208 2024/08/27 18:50:57 christos Exp $
4# msdos:  file(1) magic for MS-DOS files
5#
6
7# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com)
8# updated by Joerg Jenderek at Oct 2008,Apr 2011
# DOS batch detection. The entry first requires '@' as the very first byte; the /t
# flag forces the test to be treated as a text test.
# Each continuation then compares the bytes from offset 1 against one opening:
# " echo off", "echo off", "rem" or "set ". Flag /c makes the lowercase pattern
# letters match either case; flag /W requires at least one blank in the file for
# each blank in the pattern.
# NOTE(review): only these four openings are recognised by this entry, so a batch
# file that begins any other way is not labelled here. Do not treat a missing
# "DOS batch file text" result as proof that a file is not a script.
90	string/t	@
10>1	string/cW	\ echo\ off	DOS batch file text
11!:mime	text/x-msdos-batch
12!:ext	bat
13>1	string/cW	echo\ off	DOS batch file text
14!:mime	text/x-msdos-batch
15!:ext	bat
16>1	string/cW	rem		DOS batch file text
17!:mime	text/x-msdos-batch
18!:ext	bat
19>1	string/cW	set\ 		DOS batch file text
20!:mime	text/x-msdos-batch
21!:ext	bat
22
23
24# OS/2 batch files are REXX. the second regex is a bit generic, oh well
25# the matched commands seem to be common in REXX and uncommon elsewhere
# First entry: search up to 0xffff bytes from offset 100 for the literal
# "rxfuncadd", then require (case-insensitively) a line that starts with at most
# 10 blanks/tabs, "call", 1-10 blanks/tabs and "rxfunc".
26100	search/0xffff   rxfuncadd
27>100	regex/c =^[\ \t]{0,10}call[\ \t]{1,10}rxfunc	OS/2 REXX batch file text
# Second entry: same search window for "say", then a line that starts with at
# most 10 blanks/tabs, "say", one space and a single or double quote.
# NOTE(review): both entries are content heuristics, with no signature at a fixed
# offset. Any text with such a line past offset 100 is reported as REXX, so the
# label is a hint and not an identification.
28100	search/0xffff   say
29>100	regex/c =^[\ \t]{0,10}say\ ['"]			OS/2 REXX batch file text
30
31
32# Tests for various EXE types.
33#
34# Many of the compressed formats were extracted from IDARC 1.23 source code.
35#
36# e_magic
370	string/b	MZ
38#	TODO
39# FLT:	Syntrillium CoolEdit Filter		https://en.wikipedia.org/wiki/Adobe_Audition
40# FMX64:FileMaker Pro 64-bit plug-in		https://en.wikipedia.org/wiki/FileMaker
41# FMX:	FileMaker Pro 32-bit plug-in		https://en.wikipedia.org/wiki/FileMaker
42# FOD:	WIFE Font Driver
43# GAU:	MS Flight Simulator Gauge
44# IFS:	OS/2 Installable File System		https://en.wikipedia.org/wiki/OS/2
45# MEXW32:MATLAB Windows 32bit compiled function	https://en.wikipedia.org/wiki/MATLAB
46# MEXW64:MATLAB Windows 64bit compiled function	https://en.wikipedia.org/wiki/MATLAB
47# MLL:	Maya plug-in (generic)	       		http://en.wikipedia.org/wiki/Autodesk_Maya
48# PFL:	PhotoFilter plugin			http://photofiltre.free.fr
49# 8*:	PhotoShop plug-in (generic)		http://www.adobe.com/products/photoshop/main.html
50# PLG:	Aston Shell plugin			http://www.astonshell.com/
51# QLB:	Microsoft Basic Quick library		https://en.wikipedia.org/wiki/QuickBASIC
52# SKL:	WinLIFT skin				http://www.zapsolution.com/winlift/index.htm
53# TBK:	Asymetrix ToolBook application		http://www.toolbook.com
54# TBP:	The Bat! plugin	   			http://www.ritlabs.com
55# UPC:	Ultimate Paint Graphics Editor plugin	http://ultimatepaint.j-t-l.com
56# XFM:	Syntrillium Cool Edit Transform Effect	bad http://www.cooledit.com
57# XPL:	X-Plane plugin	      			http://www.xsquawkbox.net/xpsdk/
58# ZAP:	ZoneLabs Zone Alarm data		http://www.zonelabs.com
59#
60# NEXT LINES FOR DEBUGGING!
61# e_cblp; bytes on last page of file
62# e_cp; pages in file
63#>4		uleshort	x	\b, e_cp 0x%x
64# e_lfanew; file address of new exe header
65#>0x3c		ulelong		x	\b, e_lfanew 0x%x
66# e_lfarlc; address of relocation table
67#>0x18		uleshort	x	\b, e_lfarlc=0x%x
68# e_ovno; overlay number. If zero, this is the main executable foo
69#>0x1a		uleshort	!0	\b, e_ovno 0x%x
70#>0x1C		ubequad		!0	\b, e_res 0x%16.16llx
71# e_oemid; often 0
72#>0x24		uleshort	!0	\b, e_oemid 0x%x
73# e_oeminfo; typically zeroes, but 13Dh (WORDSTAR.CNV WPFT5.CNV) 143h (WRITWIN.CNV)
74# 1A3h (DBASE.CNV LOTUS123.CNV RFTDCA.CNV WORDDOS.CNV WORDMAC.CNV WORDWIN1.CNV XLBIFF.CNV)
75#>0x26		uleshort	!0	\b, e_oeminfo 0x%x
76#  e_res2; typically zeroes, but 000006006F082D2Ah SCSICFG.EXE 00009A0300007C03h de.exe
77# 0000CA0000000002h country.exe dosxmgr.exe 421E0A00421EA823h QMC.EXE
78#>0x28		ubequad		!0	\b, e_res2 0x%16.16llx
79# https://web.archive.org/web/20171116024937/http://www.ctyme.com/intr/rb-2939.htm#table1593
80# https://github.com/uxmal/reko/blob/master/src/ImageLoaders/MzExe/ExeImageLoader.cs
81# new exe header magic like: PE NE LE LX W3 W4
82# no examples found for ZM DL MP P2 P3
83#>(0x3c.l)	string		x	\b, at [0x3c] %.2s
84#>(0x3c.l)	ubelong		x	\b, at [0x3c] %#8.8x
85#>(0x3c.l+4)	ubelong		x	\b, at [0x3c+4] %#8.8x
86#
87# Most non-DOS MZ-executable extensions have the relocation table more than 0x40 bytes into the file.
88# http://www.mitec.cz/Downloads/EXE.zip/EXE64.exe	e_lfarlc=0x8ead
89# OS/2 ECS\INSTALL\DETECTEI\PCISCAN.EXE			e_lfarlc=0x1c
90# some EFI apps Shell_Full.efi ext4_x64_signed.efi	e_lfarlc=0
91# Icon library WORD60.ICL				e_lfarlc=0
92# Microsoft compiled help format 2.0 WINWORD.DEV.HXS	e_lfarlc=0
93>0x18	uleshort <0x40
94# check magic of new second header
95# skip Portable Executable (PE) with low e_lfarlc here, because handled later
96# like: ext4_x64_signed.efi Shell_Full.efi WINWORD.DEV.HXS
97>>(0x3c.l)		string		!PE\0\0	MS-DOS executable
98# NE executable with low e_lfarlc like: WORD60.ICL
99# This is Icon Manager (IM) by Impact Software format, based on NE version 5 with cleared NE version and e_lfarlc fields
100# It can be parsed/loaded as NE version 5 binary just by skipping e_lfarlc and NE version checks
101# ICL:	Icons Library 16-bit			http://fileformats.archiveteam.org/wiki/Icon_library
102>>(0x3c.l-0x02)		string		IMNE	\b, NE
103>>>(0x3c.l+0x02)	ubyte		x	\b version %u
104>>>(0x3c.l+0x36)	byte		2	for MS Windows
105>>>>(0x3c.l+0x3E)	ushort		!0
106>>>>>(0x3c.l+0x3F)	ubyte		x	%u
107>>>>>(0x3c.l+0x3E)	ubyte		x	\b.%02u
108>>>(0x3c.l+0x02)	ubyte		x	(Icon Library, Icon Manager by Impact Software)
109!:ext		icl
110# handle LX executable with low e_lfarlc like: PCISCAN.EXE
111>>(0x3c.l)	string	LX	\b, LX
112>>>(0x3c.l+0x2)	uleshort	=0x0000
113>>>>(0x3c.l)	use		lx-executable
114# no examples found for big endian variant
115>>>(0x3c.l+0x2)	uleshort	=0x0101
116>>>>(0x3c.l)	use		\^lx-executable
117# no examples found for PDP-11 endian variant
118>>>(0x3c.l+0x2)	uleshort	=0x0100
119# PDP-11-endian is not supported by magic "use" keyword yet
120# no examples found for other endian variants
121>>>0		default		x
122# other endianness is not supported by magic "use" keyword
123
124# Maybe it's a PE?
125# URL:		http://fileformats.archiveteam.org/wiki/Portable_Executable
126# Reference:	https://docs.microsoft.com/de-de/windows/win32/debug/pe-format
127>(0x3c.l)	string		PE\0\0	PE
128!:mime	application/vnd.microsoft.portable-executable
129# https://docs.microsoft.com/de-de/windows/win32/debug/pe-format#characteristics
130# DLL Characteristics
131#>>(0x3c.l+22)	uleshort	x	\b, CHARACTERISTICS %#4.4x,
132# 0x0200~IMAGE_FILE_DEBUG_STRIPPED Debugging information is removed from the image file
133# 0x1000~IMAGE_FILE_SYSTEM The image file is a system file, not a user program.
134# 0x2000~IMAGE_FILE_DLL The image file is a dynamic-link library (DLL)
135>>(0x3c.l+24)	leshort		0x010b	\b32 executable
136# https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#windows-subsystem
137#>>>(0x3c.l+92)	leshort		x	\b, SUBSYSTEM %u
138>>(0x3c.l+24)	leshort		0x020b	\b32+ executable
139#>>>(0x3c.l+92)	leshort		x	\b, SUBSYSTEM %u
140# ROM image is without DOS MZ header and without PE\0\0 signature
141#>>(0x3c.l+24)	leshort		0x0107	ROM image
142>>(0x3c.l+24)	default		x	with unknown signature
143>>>&0 		leshort		x	%#x
144
145## Start of the subsystem switch
146>>(0x3c.l+92)	clear		x
147
148# 0~IMAGE_SUBSYSTEM_UNKNOWN An unknown subsystem
149>>(0x3c.l+92)	leshort		0
150# WINE https://www.winehq.org/ DLL libraries without subsystem, some examples:
151# fakedlls/l3codeca.acm fakedlls/msadp32.acm fakedlls/inetcpl.cpl fakedlls/inetcpl.cpl fakedlls/kernel32.dll fakedlls/user32.dll fakedlls/gdi32.dll
152# fakedlls/winex11.drv fakedlls/winspool.drv fakedlls/gphoto2.ds fakedlls/sane.ds fakedlls/ntoskrnl.exe fakedlls/dhtmled.ocx fakedlls/hhctrl.ocx
153# fakedlls/hidclass.sys fakedlls/mshtml.tlb fakedlls/stdole32.tlb fakedlls/vwin32.vxd fakedlls/vmm.vxd
154>>>0x40		string		Wine\ placeholder\ DLL	for WINE stub (DLL)
155!:ext	acm/cpl/dll/drv/ds/exe/ocx/sys/tlb/vxd
156>>>0x40		string		Wine\ builtin\ DLL	for WINE (DLL)
157!:ext	acm/cpl/dll/drv/ds/exe/ocx/sys/tlb/vxd
158>>>0		default		x
159# Summary:	Microsoft compiled help *.HXS format 2.0
160# URL:		https://en.wikipedia.org/wiki/Microsoft_Help_2
161# Reference:	http://www.russotto.net/chm/itolitlsformat.html
162#		https://mark0.net/download/triddefs_xml.7z/defs/h/hxs.trid.xml
163# Note:		Microsoft compiled help format contains 2 PE32 sections (.rsrc, .its) for Intel i386;
164#		The help content is appended after the PE32 binary and starts with ITOLITLS string;
165#		End of the PE32 binary is immediately after the .its section.
166#		verified by command like:
167#		`pelook.exe -d WINWORD.HXS & pelook.exe -h WINWORD.HXS`
168#		`objdump -p -s WINWORD.HXS`
169#		`readpe WINWORD.HXS`
170>>>>(0x3c.l+6)		uleshort	=2
171# Second section for these binaries starts at fixed offset 288 (size of PE signature + size of COFF header + size
172# of PE32 optional header with all data dirs + size of first .rsrc section header = 4 + 20 + 96+8*16 + 40 = 288)
173>>>>>(0x3c.l+288)	string/b	.its\0\0\0\0
174# Read start+length of .its section and just after it
175>>>>>>(&4.l+(-4))	string		ITOLITLS	\b, Microsoft compiled help format 2.0
176!:ext	hxs
177# Fallback for any unrecognized binary with Unknown subsystem 0
178>>>>>>0		default		x	for Unknown subsystem 0
179>>>>>0		default		x	for Unknown subsystem 0
180>>>>0		default		x	for Unknown subsystem 0
181
182# 1~IMAGE_SUBSYSTEM_NATIVE device drivers and native Windows processes
183>>(0x3c.l+92)	leshort		1
184# WINE https://www.winehq.org/: fakedlls/fltmgr.sys fakedlls/mountmgr.sys fakedlls/scsiport.sys fakedlls/winebus.sys fakedlls/winehid.sys
185>>>0x40		string		Wine\ placeholder\ DLL	for WINE stub
186>>>0x40		string		Wine\ builtin\ DLL	for WINE
187>>>0		default		x	for MS Windows
188>>>>(0x3c.l+72)	leshort		x	%u
189>>>>(0x3c.l+74)	leshort		x	\b.%02u
190# Native PEs are used by:
191# - NT kernel DLLs: hal.dll, kdcom.dll, pshed.dll, bootvid.dll, ...
192# - NT kernel images: ntoskrnl.exe, ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe
193# - NT kernel drivers: Windows/System32/drivers/*.sys
194# - NT native userspace DLLs: ntdll.dll, ...
195# - NT native userspace executables: smss.exe, csrss.exe, autochk.exe, ...
196# TODO: write rule to distinguish between Kernel and Native processes
197#       (the only way to do this is based on the presence of ntoskrnl.exe in import table)
198>>>(0x3c.l+22)	leshort&0x2000	>0	(native)
199!:ext	dll/sys
200>>>(0x3c.l+22)	leshort&0x2000	0	(native)
201!:ext	exe/sys
202
203# 2~IMAGE_SUBSYSTEM_WINDOWS_GUI	The Windows graphical user interface (GUI) subsystem
204>>(0x3c.l+92)	leshort		2
205# WINE https://www.winehq.org/: fakedlls/clock.exe fakedlls/control.exe fakedlls/explorer.exe fakedlls/notepad.exe
206>>>0x40		string		Wine\ placeholder\ DLL	for WINE stub
207>>>0x40		string		Wine\ builtin\ DLL	for WINE
208>>>0		default		x	for MS Windows
209>>>>(0x3c.l+72)	leshort		x	%u
210>>>>(0x3c.l+74)	leshort		x	\b.%02u
211>>>(0x3c.l+22)	leshort&0x2000	>0	(DLL)
212# These could probably be at least partially distinguished from one another by
213# looking for specific exported functions.
214# CPL: Control Panel item
215# TLB: Type library
216# OCX: OLE/ActiveX control
217# ACM: Audio compression manager codec
218# AX: DirectShow source filter
219# IME: Input method editor
220!:ext	dll/cpl/tlb/ocx/acm/ax/ime
221>>>(0x3c.l+22)	leshort&0x2000	0	(GUI)
222# Screen savers typically include code from the scrnsave.lib static library, but
223# that's not guaranteed.
224!:ext	exe/scr
225
226# 3~IMAGE_SUBSYSTEM_WINDOWS_CUI	The Windows character subsystem
227>>(0x3c.l+92)	leshort		3
228# WINE https://www.winehq.org/: fakedlls/cacls.exe fakedlls/cmd.exe fakedlls/expand.exe fakedlls/net.exe fakedlls/reg.exe
229>>>0x40		string		Wine\ placeholder\ DLL	for WINE stub
230>>>0x40		string		Wine\ builtin\ DLL	for WINE
231>>>0		default		x	for MS Windows
232>>>>(0x3c.l+72)	leshort		x	%u
233>>>>(0x3c.l+74)	leshort		x	\b.%02u
234>>>(0x3c.l+22)	leshort&0x2000	>0	(DLL)
235!:ext	dll/cpl/tlb/ocx/acm/ax/ime
236>>>(0x3c.l+22)	leshort&0x2000	0	(console)
237!:ext	exe/com
238
239# 4~Old Windows CE subsystem (never used)
240#>>(0x3c.l+92)	leshort		4	for MS Windows CE OLD
241
242# 5~IMAGE_SUBSYSTEM_OS2_CUI The OS/2 character subsystem
243# Not used in image files, constant used only in in-memory structures of OS/2 subsystem as part of Windows NT
244#>>(0x3c.l+92)	leshort		5	for OS/2
245
246# NO Windows Subsystem number 6!
247#>>(0x3c.l+92)	leshort		6	for Unknown subsystem 6
248
249# 7~IMAGE_SUBSYSTEM_POSIX_CUI The Posix character subsystem
250>>(0x3c.l+92)	leshort		7	for POSIX
251>>>(0x3c.l+72)	leshort		x	%u
252>>>(0x3c.l+74)	leshort		x	\b.%02u
253>>>(0x3c.l+22)	leshort&0x2000	>0	(DLL)
254# like: PSXDLL.DLL
255!:ext	dll
256>>>(0x3c.l+22)	leshort&0x2000	0	(EXE)
257# like: PAX.EXE
258!:ext	exe
259
260# 8~IMAGE_SUBSYSTEM_NATIVE_WINDOWS Native Win9x driver
261# Win9x never used subsystem 8, all Win9x drivers are either LE/VXD or PE with native (1) subsystem
262# MSVC4 LINK.EXE can create PE binary for subsystem 8 by /SUBSYSTEM:MMOSA flag
263# MMOSA refers to Native Win32E (embedded) API, mentioned at:
264# https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/tr-97-18.doc
265#>>(0x3c.l+92)	leshort		8	for Win9x/MMOSA
266# GRR: No examples found by Joerg Jenderek
267
268# 9~IMAGE_SUBSYSTEM_WINDOWS_CE_GUI Windows CE
269>>(0x3c.l+92)	leshort		9
270# WINE https://www.winehq.org/
271>>>0x40		string		Wine\ placeholder\ DLL	for WINE stub
272>>>0x40		string		Wine\ builtin\ DLL	for WINE
273>>>0		default		x	for MS Windows CE
274>>>>(0x3c.l+72)	leshort		x	%u
275>>>>(0x3c.l+74)	leshort		x	\b.%02u
276>>>(0x3c.l+22)	leshort&0x2000	>0	(DLL)
277# like: MCS9900Ce50.dll Mosiisr99x.dll TMCGPS.DLL
278!:ext	dll
279>>>(0x3c.l+22)	leshort&0x2000	0	(EXE)
280# like: NNGStart.exe navigator.exe
281!:ext	exe
282
283# 10~IMAGE_SUBSYSTEM_EFI_APPLICATION An Extensible Firmware Interface (EFI) application
284>>(0x3c.l+92)	leshort		10	for EFI (application)
285# like: bootmgfw.efi grub.efi gdisk_x64.efi Shell_Full.efi shim.efi syslinux.efi
286!:ext	efi
287
288# 11~IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER An EFI driver with boot services
289>>(0x3c.l+92)	leshort		11	for EFI (boot service driver)
290# like: ext2_x64_signed.efi Fat_x64.efi iso9660_x64_signed.efi
291!:ext	efi
292
293# 12~IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER An EFI driver with run-time services
294>>(0x3c.l+92)	leshort		12	for EFI (runtime driver)
295# no sample found
296!:ext	efi
297
298# 13~IMAGE_SUBSYSTEM_EFI_ROM An EFI ROM image
299>>(0x3c.l+92)	leshort		13	for EFI (ROM)
300# no sample found
301!:ext	efi
302
303# 14~IMAGE_SUBSYSTEM_XBOX XBOX
304>>(0x3c.l+92)	leshort		14	for XBOX
305#!:ext	foo-xbox
306
307# NO Windows Subsystem number 15!
308#>>(0x3c.l+92)	leshort		15	for Unknown subsystem 15
309
310# 16~IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION Windows boot application
311>>(0x3c.l+92)	leshort		16	for MS Windows
312>>>(0x3c.l+72)	leshort		x	%u
313>>>(0x3c.l+74)	leshort		x	\b.%02u
314>>>(0x3c.l+22)	leshort&0x2000	>0	(boot DLL)
315# like: bootvhd.dll bootuwf.dll hvloader.dll tcbloader.dll bootspaces.dll
316!:ext	dll
317>>>(0x3c.l+22)	leshort&0x2000	0	(boot application)
318# like: bootmgr.efi memtest.efi shellx64.efi memtest.exe winload.exe winresume.exe bootvhd.dll hvloader.dll
319!:ext	efi/exe
320
321>>(0x3c.l+92)	default		x
322>>>&0		leshort		x	for Unknown subsystem %#x
323## End of the subsystem switch
324
325>>(0x3c.l+4)	clear		x	\b,
326>>(0x3c.l+4)	use		display-coff-processor
327
328>>(0x3c.l+22)	leshort&0x0200	>0	(stripped to external PDB)
329>>(0x3c.l+22)	leshort&0x1000	>0	system file
330
331# Check for presence of COM Runtime descriptor
# 0x010b / 0x020b is the optional-header magic (PE32 / PE32+). The leshort at
# +116 (PE32) or +132 (PE32+) is the low half of the data-directory count; a value
# above 14 means directory entry 14 exists. The lelong at +232 / +248 is that
# entry's RVA, i.e. the COM Runtime descriptor.
# NOTE(review): only a non-zero RVA is tested and the descriptor it points to is
# never read, so "Mono/.Net assembly" is a header hint and not a validation of
# the managed metadata.
332>>(0x3c.l+24)	leshort		0x010b
333>>>(0x3c.l+116)	leshort	>14
334>>>>(0x3c.l+232) lelong	>0	Mono/.Net assembly
335>>(0x3c.l+24)	leshort		0x020b
336>>>(0x3c.l+132)	leshort	>14
337>>>>(0x3c.l+248) lelong	>0	Mono/.Net assembly
338
339# hooray, there's a DOS extender using the PE format, with a valid PE
340# executable inside (which just prints a message and exits if run in win)
341# FIXME: Find sample of such executable for investigation. It was introduced
342# in file version 4.14 with the following check:
343# "(8.s*16) string 32STUB for MS-DOS, 32rtm DOS extender"
344# "(8.s*16) string !32STUB for MS Windows"
345# But that check is too generic and had a lot of false positives. 32STUB/32rtm
346# sounds like a Borland DOS extender with PE loader and Windows emulation which
347# can be injected into any valid Windows PE binary.
348# So a sample of such an executable is needed in order to check its
349# subsystem or cpu/machine.
350
351# Detect embedded DOS extenders
352>>(8.s*16)		string		32STUB
353# BRC32.EXE, TLINK32.EXE or TASM32.EXE from TASM 5.0
354>>>(8.s*16)		search/0x50	32rtm-stub\ for\ PE\ files	\b, Borland 32rtm DOS extender (stub)
355# CL.EXE or LINK.EXE from MS Visual C++ 1.x
356>>(8.s*16)		search/0x50	Phar\ Lap\ Software,\ Inc.	\b, Phar Lap TNT DOS extender
357# ulink.exe
358>>(8.s*16)		search/0x200	Can't\ find\ DOSWIN32.RTM	\b, DosWin32 DOS extender (stub)
359>>(8.s*16)		search/0x4000	Stub\ failed\ to\ find\ DOS/4G\ extender.	\b, DOS/4G DOS extender (stub)
360# LOADPEX.BIN and HDLD32.BIN
361# x86 jmp near relative (0xe9 0x?? 0x??) + string "MI" (0x4d 0x49)
362>>(8.s*16)		ulequad&0xffff0000ff	=0x494d0000e9	\b, HX DOS extender (embedded with DPMI host)
363>>(8.s*16)		ulequad&0xffff0000ff	!0x494d0000e9
364# DPMIST32.BIN
365>>>(8.s*16)		search/0x200	cannot\ find\ loader\ DPMILD32.EXE	\b, HX DOS extender (stub)
366# LOADPE.BIN
367>>>(8.s*16)		search/0x600	PATH=HDPMI32.EXE	\b, HX DOS extender (embedded without DPMI host)
368# DPMILD32.BIN
369>>>(8.s*16)		search/0x4000	DPMILD32:	\b, HX DOS extender (embedded without DPMI host)
370
# Packer and self-extractor hints, all keyed on PE section names.
# 0x3c.l is e_lfanew. Adding 0xf8 (4-byte signature + 20-byte COFF header +
# 0xe0-byte PE32 optional header) gives the first section header of a PE32 image.
# The tests compare the name at that spot or search the following bytes for a name.
# NOTE(review): a PE32+ optional header is 0x10 bytes longer, so the fixed-offset
# UPX0 test presumably does not line up with the first section name of a 64-bit
# image. Confirm with a sample.
# NOTE(review): section names are free-form labels set by whoever produced the
# file. Use "UPX compressed" and the other labels as a triage hint only; a file
# without them can still be packed or carry an appended archive.
371>>(0x3c.l+0xf8)		string		UPX0 \b, UPX compressed
372>>(0x3c.l+0xf8)		search/0x140	PEC2 \b, PECompact2 compressed
# After a section-name hit, (&N.l+(-4)) appears to add the section's raw-data
# pointer to its raw-data size, i.e. the file offset just past that section,
# and the signature of an appended archive is compared there.
# TODO confirm against the nested-indirect rules in magic(5).
373>>(0x3c.l+0xf8)		search/0x140	UPX2
374>>>(&0x10.l+(-4))	string		PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
375>>(0x3c.l+0xf8)		search/0x140	.idata
376>>>(&0xe.l+(-4))	string		PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
377>>>(&0xe.l+(-4))	string		ZZ0 \b, ZZip self-extracting archive
378>>>(&0xe.l+(-4))	string		ZZ1 \b, ZZip self-extracting archive
379>>(0x3c.l+0xf8)		search/0x140	.rsrc
380>>>(&0x0f.l+(-4))	string		a\\\4\5 \b, WinHKI self-extracting archive
381>>>(&0x0f.l+(-4))	string		Rar! \b, RAR self-extracting archive
382>>>(&0x0f.l+(-4))	search/0x3000	MSCF \b, InstallShield self-extracting archive
383>>>(&0x0f.l+(-4))	search/32	Nullsoft \b, Nullsoft Installer self-extracting archive
384>>(0x3c.l+0xf8)		search/0x140	.data
385>>>(&0x0f.l)		string		WEXTRACT \b, MS CAB-Installer self-extracting archive
386>>(0x3c.l+0xf8)		search/0x140	.petite\0 \b, Petite compressed
387>>>(0x3c.l+0xf7)	byte		x
388>>>>(&0x104.l+(-4))	string		=!sfx! \b, ACE self-extracting archive
389>>(0x3c.l+0xf8)		search/0x140	.WISE \b, WISE installer self-extracting archive
390>>(0x3c.l+0xf8)		search/0x140	.dz\0\0\0 \b, Dzip self-extracting archive
391>>&(0x3c.l+0xf8)	search/0x100	_winzip_ \b, ZIP self-extracting archive (WinZip)
392>>&(0x3c.l+0xf8)	search/0x100	SharedD \b, Microsoft Installer self-extracting archive
# The Inno marker is read at fixed file offset 0x30, inside the DOS header
# (before e_lfanew at 0x3c), not from a section header.
393>>0x30			string		Inno \b, InnoSetup self-extracting archive
394# NumberOfSections; Normal Dynamic Link libraries have a few sections for code, data and resource etc.
395# PEs used as containers have fewer sections
396>>(0x3c.l+6)	leshort			>1	\b, %u sections
397# do not display for 1 section to get output like in version 5.43 and to keep output columns low
398#>>(0x3c.l+6)	leshort			=1	\b, %u section
399
400# If the relocation table is 0x40 or more bytes into the file, it's definitely
401# not a DOS EXE.
402>0x18	uleshort	>0x3f
403
404# Hmm, not a PE but the relocation table is too high for a traditional DOS exe,
405# must be one of the unusual subformats.
406>>(0x3c.l) string !PE\0\0 MS-DOS executable
407#!:mime	application/x-dosexec
408
409>>(0x3c.l)		string		NE \b, NE
410#!:mime	application/x-dosexec
411!:mime	application/x-ms-ne-executable
412>>>(0x3c.l+0x02)	ubyte		x	\b version %u
413>>>(0x3c.l+0x02)	ubyte		>5
414>>>>(0x3c.l+0x03)	ubyte		x	\b.%02u
415# FOR DEBUGGING!
416# Reference:	https://wiki.osdev.org/NE
417# Create time for NE version <5 in FAT12 format
418#>>>(0x3c.l+0x02)    ubyte        <5
419#>>>>(0x3c.l+0x08)    ulelong        !0    \b, Created at
420#>>>>>(0x3c.l+0x0a)    lemsdosdate    x    %s
421#>>>>>(0x3c.l+0x08)    lemsdostime    x    %s
422# ProgFlags; Program flags, bitmapped
423#>>>(0x3c.l+0x0C)	ubyte		x	\b, ProgFlags 0x%2.2x
424# >>>(0x3c.l+0x0c)	ubyte&0x03	=0	\b, no automatic data segment
425# >>>(0x3c.l+0x0c)	ubyte&0x03	=1	\b, single shared
426# >>>(0x3c.l+0x0c)	ubyte&0x03	=2	\b, multiple
427# >>>(0x3c.l+0x0c)	ubyte&0x03	=3	\b, (null)
428# >>>(0x3c.l+0x0c)	ubyte		&0x04	\b, Per-Process Library Initialization OR real mode only
429# >>>(0x3c.l+0x0c)	ubyte		&0x08	\b, Protected mode only
430# >>>(0x3c.l+0x0c)	ubyte		&0x10	\b, 8086 instructions in OS/2 app OR LIM 3.2 EMS API in Win app
431# >>>(0x3c.l+0x0c)	ubyte		&0x20	\b, i286 instructions in OS/2 app OR each instance in separate EMS bank in Win app
432# >>>(0x3c.l+0x0c)	ubyte		&0x40	\b, i386 instructions in OS/2 app OR private GlobalAlloc above the EMS line in Win app
433# >>>(0x3c.l+0x0c)	ubyte		&0x80	\b, x87 floating point instructions
434# ApplFlags; Application flags, bitmapped
435# https://www.fileformat.info/format/exe/corion-ne.htm
436#>>>(0x3c.l+0x0D)	ubyte		x	\b, ApplFlags 0x%2.2x
437# Application type (bits 0-2); 1~Full screen (not aware of Windows/P.M. API)
438# 2~Compatible with Windows/P.M. API 3~Uses Windows/P.M. API
439#>>>(0x3c.l+0x0D)	ubyte&0x07	=1	\b, Not compatible with Windows/P.M. API (full screen)
440#>>>(0x3c.l+0x0D)	ubyte&0x07	=2	\b, Compatible with Windows/P.M. API (console mode)
441#>>>(0x3c.l+0x0D)	ubyte&0x07	=3	\b, use Windows/P.M. API (window mode)
442#>>>(0x3c.l+0x0D)	ubyte		&0x08	\b, Bound OS/2 app OR application specific loader in Win app
443#>>>(0x3c.l+0x0D)	ubyte		&0x20	\b, Errors in image
444#>>>(0x3c.l+0x0D)	ubyte		&0x40	\b, Non-conforming OS/2 app OR private Win library above EMS line
445# bit 7; DLL or driver (SS:SP info invalid, CS:IP points at FAR init routine called with AX handle
446#>>>(0x3c.l+0x0D)	ubyte		&0x80	\b, DLL or driver
447# AutoDataSegIndex; automatic data segment index like: 0 2 3 22
448# zero if the SINGLEDATA and MULTIPLEDATA bits are cleared
449#>>>(0x3c.l+0x0e)	uleshort	x	\b, AutoDataSegIndex %u
450# InitHeapSize; initial local heap size like; 0 400h 1400h
451# zero if there is no local allocation
452#>>>(0x3c.l+0x10)	uleshort	!0	\b, InitHeapSize 0x%x
453# InitStackSize; initial stack size like: 0 10h A00h 7D0h A8Ch FA0h 1000h 1388h
454# 1400h (CBT) 1800h 2000h 2800h 2EE0h 2F3Ch 3258h 3E80h 4000h 4E20h 5000h 6000h
455# 6D60h 8000h 40000h
456# zero if the SS register value does not equal the DS register value
457#>>>(0x3c.l+0x12)	uleshort	!0	\b, InitStackSize 0x%x
458# EntryPoint; segment offset value of CS:IP like: 0 10000h 18A84h 11C1Ah 307F1h
459#>>>(0x3c.l+0x14)	ulelong		!0 	\b, EntryPoint 0x%x
460# InitStack; specifies the segment offset value of stack pointer SS:SP
461# like: 0 20000h 160000h
462#>>>(0x3c.l+0x18)	ulelong		!0	\b, InitStack 0x%x
463# SegCount; number of segments in segment table like: 0 1 2 3 16h
464#>>>(0x3c.l+0x1C)	uleshort	x	\b, SegCount 0x%x
465# ModRefs; number of module references (DLLs) like; 0 1 3
466#>>>(0x3c.l+0x1E)	uleshort	!0	\b, ModRefs %u
467# NoResNamesTabSiz; size in bytes of non-resident names table
468# like: Bh 16h B4h B9h 2Ch 18Fh 16AAh
469#>>>(0x3c.l+0x20)	uleshort	x	\b, NoResNamesTabSiz 0x%x
470# SegTableOffset; offset of Segment table like: 40h
471#>>>(0x3c.l+0x22)	uleshort	!0x40	\b, SegTableOffset 0x%x
472# ResTableOffset; offset of resources table like: 40h 50h 58h F0h
473# 40h for most fonts like dos737.fon FMFONT.FOT but 60h for L1WBASE.FON
474#>>>(0x3c.l+0x24)	uleshort	x 	\b, ResTableOffset 0x%x
475# ResidNamTable; offset of resident names table
476# like: 58h 5Ch 60h 68h 74h 98h 2E3h 2E7h 2F0h
477#>>>(0x3c.l+0x26)	uleshort		x \b, ResidNamTable 0x%x
478# ImportNameTable; offset of imported names table (array of counted strings, terminated with string of length 00h)
479# like: 77h 7Eh 80h C6h A7h ACh 2F8h 3FFh
480#>>>(0x3c.l+0x2a)	uleshort	x	\b, ImportNameTable 0x%x
481# OffStartNonResTab; offset from start of file to non-resident names table
482# like: 110h 11Dh 19Bh 1A5h 3F5h 4C8h 4EEh D93h
483#>>>(0x3c.l+0x2c)	ulelong		x	\b, OffStartNonResTab 0x%x
484# MovEntryCount; number of movable entry points like: 0 4 5 6 16 17 24 312 355 446
485#>>>(0x3c.l+0x30)	uleshort	!0	\b, MovEntryCount %u
486# FileAlnSzShftCnt; log2 of the segment sector size; 4~16 0~9~512 (default)
487#>>>(0x3c.l+0x32)	uleshort	!9 	\b, FileAlnSzShftCnt %u
488# nResTabEntries; number of resource table entries like: 0 2
489#>>>(0x3c.l+0x34)	uleshort	!0	\b, nResTabEntries %u
490# Following fields are valid only for NE version 5+
491>>>(0x3c.l+0x02)	ubyte		>4
492# targOS; Target OS; 0~unspecified (OS/2 or Windows); detect it based on Windows-only flags and OS/2 specific import lib (DOSCALLS)
493#>>>(0x3c.l+0x36)	byte		x TARGOS %x
494>>>>(0x3c.l+0x36)	byte		0
495# if windows version is specified then it is windows binary
496>>>>>(0x3c.l+0x3E)	ushort		!0 for MS Windows
497>>>>>>(0x3c.l+0x3F)	ubyte		x	%u
498>>>>>>(0x3c.l+0x3E)	ubyte		x	\b.%02u
499>>>>>>(0x3c.l+0x3F)	ubyte		<3
500>>>>>>>(0x3c.l+0x37)	byte&0x04	0	(real mode only)
501>>>>>>>(0x3c.l+0x37)	byte&0x04	!0	(real+protected mode)
502>>>>>>(0x3c.l+0x3E)	ushort		=0x0300
503>>>>>>>(0x3c.l+0x0c)	ubyte&0x08	0	(real+protected mode)
504>>>>>>>(0x3c.l+0x0c)	ubyte&0x08	!0	(protected mode only)
505>>>>>(0x3c.l+0x3E)	ushort		0
506>>>>>>(0x3c.l+0x2a)	leshort		0 for OS/2 1.x or MS Windows 1.x/2.x
507>>>>>>(0x3c.l+0x2a)	default		x
508# Binaries with DOSCALLS import library are for OS/2
509>>>>>>>&(&0.s-0x29)	search/512/C	\x08DOSCALLS for OS/2 1.x
510>>>>>>>(0x3c.l+0x2a)	default		x
511# Binaries with KERNEL, USER or GDI import library are for Windows
512# FIXME: each name is prefixed by its length, but regex type does not support binary bytes
513>>>>>>>>&(&0.s-0x29)	regex/512/C	KERNEL|USER|GDI for MS Windows 1.x/2.x
514>>>>>>>>>(0x3c.l+0x37)	byte&0x04	0	(real mode only)
515>>>>>>>>>(0x3c.l+0x37)	byte&0x04	!0	(real+protected mode)
516# Binaries without any of those import libraries can be for any OS
517>>>>>>>>(0x3c.l+0x2a)	default		x for OS/2 1.x or MS Windows 1.x/2.x
518>>>>(0x3c.l+0x36)	byte		1 for OS/2 1.x
519>>>>(0x3c.l+0x36)	byte		2 for MS Windows
520# expctwinver; expected Windows version (minor first) like:
521# 0.0~DTM.DLL 203.4~Windows 1.03 GDI.EXE 2.1~TTY.DRV 3.0~dos737.fon FMFONT.FOT THREED.VBX 3.10~GDI.EXE 4.0~(ME) VGAFULL.3GR
522>>>>>(0x3c.l+0x3E)	ushort		!0
523>>>>>>(0x3c.l+0x3F)	ubyte		x	%u
524>>>>>>(0x3c.l+0x3E)	ubyte		x	\b.%02u
525# Empty version is treated by Windows 3.x OS as Windows 2.01 version and by Windows 2.x OS as Windows 1.01 version
526>>>>>(0x3c.l+0x3E)	ushort		0	1.x/2.x
527>>>>>(0x3c.l+0x3F)	ubyte		<3
528>>>>>>(0x3c.l+0x37)	byte&0x04	0	(real mode only)
529>>>>>>(0x3c.l+0x37)	byte&0x04	!0	(real+protected mode)
530>>>>>(0x3c.l+0x3E)	ushort		=0x0300
531>>>>>>(0x3c.l+0x0c)	ubyte&0x08	0	(real+protected mode)
532>>>>>>(0x3c.l+0x0c)	ubyte&0x08	!0	(protected mode only)
533# Windows P-code application
534# https://web.archive.org/web/20000304044656/http://msdn.microsoft.com/library/backgrnd/html/msdn_c7pcode2.htm
535# https://library.thedatadungeon.com/msdn-1992-09/msjv7/html/msjv0g6a.content.htm
536# https://en.wikipedia.org/wiki/P-code_machine#Microsoft_P-code
537# Can be created by MSC7 or MSVC1.x CL.EXE /Oq switch which calls MPC.EXE
538# MPC.EXE (Make P-Code utility) sets bit2 in MZ e_res[2] (e_flags) field
539# Filter out false-positive Windows 3.x applications with OS/2 WLO loader
540# (sets bit7 in NE ne_flagsothers) as they do not have MZ e_res[] fields
541>>>>>(0x3c.l+0x3E)	ushort		>0x0300
542>>>>>>(0x3c.l+0x37)	ubyte&0x80	0
543>>>>>>>0x20		ubyte&0x04	!0	\b, P-code application
544# 32-bit Watcom Win386 extender in 16-bit Windows 3.x NE binaries
545# https://www.os2museum.com/wp/watcom-win386/
546# https://github.com/open-watcom/open-watcom-v2/blob/master/bld/win386/
547# https://misc.daniel-marschall.de/spiele/blown_away/disassemble.php
548# Examples: BA_LITE.EXE WALDO.EXE
549>>>>>(0x3c.l+0x3E)	ushort		>0x0300
550>>>>>>0x38		ulong		!0
551>>>>>>>(0x38.l)		string		MQ	\b, Watcom Win386 extender
552# OS 3 was reserved for Multitasking MS-DOS but it never used NE version 5+ (only NE version 4)
553#>>>>(0x3c.l+0x36)	byte		3 for Multitasking MS-DOS
554# OS 4 was reserved for MS Windows/386 device drivers but MS Windows/386 2.x never used NE format (Xenix x.out format was used instead)
555#>>>>(0x3c.l+0x36)	byte		4 for MS Windows/386 device driver
556# OS 5 is assigned to BOSS (Borland Operating System Services) but is used also by other 16-bit DOS applications
557>>>>(0x3c.l+0x36)	byte		5 for MS-DOS
558# HDLD16.BIN
559# x86 jmp near relative (0xe9 0x?? 0x??) + string "MI" (0x4d 0x49)
560>>>>>(8.s*16)		ulequad&0xffff0000ff	=0x494d0000e9	\b, HX DOS extender 16-bit (embedded with DPMI host)
561>>>>>(8.s*16)		ulequad&0xffff0000ff	!0x494d0000e9
562# DPMIST16.BIN
563>>>>>>(8.s*16)		search/0x200	cannot\ find\ loader\ DPMILD16.EXE	\b, HX DOS extender 16-bit (stub)
564# DPMILD16.BIN
565>>>>>>(8.s*16)		search/0x4000	DPMILD16:	\b, HX DOS extender 16-bit (embedded without DPMI host)
566# TLINK.EXE or TD.EXE from TASM 5.0
567>>>>>>(8.s*16)		string		16STUB
568>>>>>>>(8.s*16)		search/0x1000	rtm.exe\0dpmi16bi.ovl	\b, Borland rtm DOS extender (stub)
569>>>>>>(8.s*16)		string		!16STUB
570# TLINK.EXE or BRC.EXE from Borland Pascal 7.0
571>>>>>>>(8.s*16)	search/0x1000	BOSS\ Stub\ Version	\b, Borland BOSS DOS extender (stub)
572# OS 6 is not assigned but is used by 32-bit DOS application with extender (found only with HX DOS extender 32-bit)
573# http://downloads.sourceforge.net/dfendreloaded/D-Fend-Reloaded-1.4.4.zip
574# D-Fend Reloaded/VirtualHD/FREEDOS/DPMILD32.EXE
575# https://www.japheth.de/HX/DPMILD32.TXT
576>>>>(0x3c.l+0x36)	byte		6 for MS-DOS
577# HDLD32.BIN
578# x86 jmp near relative (0xe9 0x?? 0x??) + string "MI" (0x4d 0x49)
579>>>>>(8.s*16)		ulequad&0xffff0000ff	=0x494d0000e9	\b, HX DOS extender 32-bit (embedded with DPMI host)
580>>>>>(8.s*16)		ulequad&0xffff0000ff	!0x494d0000e9
581# DPMIST32.BIN
582>>>>>>(8.s*16)		search/0x200	cannot\ find\ loader\ DPMILD32.EXE	\b, HX DOS extender 32-bit (stub)
583# DPMILD32.BIN
584>>>>>>(8.s*16)		search/0x4000	DPMILD32:	\b, HX DOS extender 32-bit (embedded without DPMI host)
585# https://en.wikipedia.org/wiki/Phar_Lap_(company)
586# like: TELLPROT.EXE from 286DEX
587# can be created by BIND286.EXE from OS/2 NE binary
588>>>>(0x3c.l+0x36)	byte		0x81 for MS-DOS, Phar Lap 286 DOS extender, emulating OS/2 1.x
589# like: CVP7.EXE from 286DEX
590# can be created by BIND286.EXE from Windows NE binary
591>>>>(0x3c.l+0x36)	byte		0x82 for MS-DOS, Phar Lap 286 DOS extender, emulating MS Windows
592>>>>>(0x3c.l+0x3E)	ushort		0	1.x/2.x
593>>>>>(0x3c.l+0x3E)	ushort		!0
594>>>>>>(0x3c.l+0x3F)	ubyte		x	%u
595>>>>>>(0x3c.l+0x3E)	ubyte		x	\b.%02u
596>>>>(0x3c.l+0x36)	default		x
597>>>>>(0x3c.l+0x36)	ubyte		x for unknown OS %#x
598# OS2EXEFlags; other EXE flags
599# 1~Long filename support 2~Win2.x proportional fonts 4~Win2.x protected mode 8~Executable has gangload area 10~Win9x thunk lib without DllEntryPoint 80~Win3.x app with OS/2 WLO loader
600#>>>>(0x3c.l+0x37)	byte		!0	\b, OS2EXEFlags 0x%x
601# gangstart; offset to start of gangload area like: 0 34h 58h 246h
602#>>>>(0x3c.l+0x38)	uleshort	!0	\b, gangstart 0x%x
603# ganglength; size of gangload area
604# like: 0 33Eh 39Ah AEEh
605#>>>>(0x3c.l+0x3A)	uleshort	!0	\b, ganglength 0x%x
606# mincodeswap; minimum code swap area size like 0 620Ch
607#>>>>(0x3c.l+0x3C)	uleshort	!0 \b, mincodeswap 0x%x
608>>>>(0x3c.l+0x3F)	ubyte		=3
609>>>>>0x3c		ulelong		>0x800
610>>>>>>(0x3c.l+0x37)	ubyte		&0x80	with OS/2 WLO loader
611# Detection for NE versions <5 which do not have OS type byte 0x36
612# These versions are used only by WINE, Windows 1.x/2.x and Multitasking MS-DOS
613# WINE binaries have special signature after the dos header (at fixed offset 0x40)
614# Multitasking MS-DOS binaries import the DOSCALLS library, so use that to distinguish them
615# Import libraries are part of the string table which starts one byte after the
616# 16-bit indirect offset 0x2a relative to the beginning of NE header, and consist
617# of concatenated pascal strings (first byte of the string is its length)
618>>>(0x3c.l+0x02)	ubyte		<5
619# like: fakedlls/krnl386.exe16 fakedlls/gdi.exe16 fakedlls/winsock.dll16 fakedlls/winoldap.mod16 fakedlls/mouse.drv16
620>>>>0x40		string		Wine\ placeholder\ DLL for WINE stub
621>>>>(0x3c.l+0x2a)	default		x
622# like: HE_DAEM.EXE POPUP.EXE QUEUER.EXE
623>>>>>&(&0.s-0x29)	search/512/C	\x08DOSCALLS for Multitasking MS-DOS
624>>>>>(0x3c.l+0x2a)	default		x for MS Windows 1.x/2.x
625# Special case: Windows 3.x also parses the following NE version 5 fields from NE version 4 binaries:
626# - os type, if it is 0 or 2
627# - bits proportional fonts and protected mode
628# Such NE version 4 binary is treated by Windows 3.x OS as Windows 2.01
629# compatible binary and by Windows 2.x OS as Windows 1.01 compatible binary.
630# So if os type is correct (0 or 2; matched mask 0xfd) and at least one
631# of those bits is set and others are cleared (matched mask 0xf9) then
632# detect if binary has NE version 5 protected mode bit set.
633>>>>>>(0x3c.l+0x36)	leshort&0xf9fd	0
634>>>>>>>(0x3c.l+0x37)	byte&0x06	!0
635>>>>>>>>(0x3c.l+0x37)	byte&0x04	0	(real mode only)
636>>>>>>>>(0x3c.l+0x37)	byte&0x04	!0	(real+protected mode)
637>>>>>>>(0x3c.l+0x37)	default		x	(real mode only)
638>>>>>>(0x3c.l+0x36)	default		x	(real mode only)
639# DRV: Driver
640# 3GR: Grabber device driver
641# CPL: Control Panel Item
642# VBX: Visual Basic Extension		https://en.wikipedia.org/wiki/Visual_Basic
643# FON: Bitmap font			http://fileformats.archiveteam.org/wiki/FON
644# FOT: Font resource file
645# EXE: WINSPOOL.EXE USER.EXE krnl386.exe GDI.EXE
646# CNV: Microsoft Word text conversion	https://www.file-extensions.org/cnv-file-extension-microsoft-word-text-conversion-data
647>>>(0x3c.l+0x0c)	leshort		&0x8000
648# Check segment count, if 0 then this is resource-only DLL
649>>>>(0x3c.l+0x1c)	leshort		0
650>>>>>(0x3c.l+0x2c)	lelong		!0
651>>>>>>(&-4.l+1)		string/C	FONTRES	(DLL, font)
652!:ext	fon/fot
653>>>>>>(&-4.l+1)		default		x	(DLL, resource-only)
654!:ext	dll
655>>>>>(0x3c.l+0x2c)	lelong		0	(DLL, resource-only)
656!:ext	dll
657>>>>(0x3c.l+0x1c)	leshort		!0
658# Check description of the module, first word specifies type of the DLL library
659>>>>>(0x3c.l+0x2c)	lelong		!0
660>>>>>>(&-4.l+1)		string/C	DDRV	(DLL, driver)
661!:ext	drv
662>>>>>>(&-4.l+1)		default		x	(DLL)
663!:ext	dll/drv/3gr/cpl/vbx
664>>>>>(0x3c.l+0x2c)	lelong		0	(DLL)
665!:ext	dll/drv/3gr/cpl/vbx
666>>>(0x3c.l+0x0c)	leshort&0x8000	0 (EXE)
667!:ext	exe/scr
668>>>>(0x3c.l+0x0d)	ubyte&0x07	=1 (full screen)
669>>>>(0x3c.l+0x0d)	ubyte&0x07	=2 (console)
670>>>>(0x3c.l+0x0d)	ubyte&0x07	=3 (GUI)
671>>>&(&0x24.s-1)		string		ARJSFX \b, ARJ self-extracting archive
672>>>(0x3c.l+0x70)	search/0x80	WinZip(R)\ Self-Extractor \b, ZIP self-extracting archive (WinZip)
673
674>>(0x3c.l)		string		LX \b, LX
675!:mime	application/x-dosexec
676>>>(0x3c.l+0x2)		uleshort	=0x0000
677>>>>(0x3c.l)		use		lx-executable
678# no examples found for big endian variant
679>>>(0x3c.l+0x2)		uleshort	=0x0101
680>>>>(0x3c.l)		use		\^lx-executable
681# no examples found for PDP-11 endian variant
682>>>(0x3c.l+0x2)		uleshort	=0x0100
683# PDP-11-endian is not supported by magic "use" keyword yet
684# no examples found for other endian variants
685>>>0			default		x
686# other endianness is not supported by the magic "use" keyword
687>>>(8.s*16)		string		emx \b, emx
688>>>>&1			string		x %s
689>>>&(&0x54.l-3)		string		arjsfx \b, ARJ self-extracting archive
690
691# MS Windows system file, supposedly a collection of LE executables
692# like vmm32.vxd WIN386.EXE
693>>(0x3c.l)		string		W3 \b, W3 for MS Windows
694#!:mime	application/x-dosexec
695!:mime	application/x-ms-w3-executable
696>>>(0x3c.l+0x3)		ubyte		<4 %u
697# Windows 3.x WIN386.EXE
698!:ext	exe
699>>>(0x3c.l+0x3)		ubyte		>3 %u
700# Windows 95 VMM32.VXD
701!:ext	vxd
702>>>(0x3c.l+0x2)		ubyte		x \b.%02u
703
704# W4 executable
705>>(0x3c.l)		string		W4 \b, W4 for MS Windows
706#!:mime	application/x-dosexec
707!:mime	application/x-ms-w4-executable
708# windows 98 VMM32.VXD
709!:ext	vxd
710>>>(0x3c.l+0x3)		ubyte		x %u
711>>>(0x3c.l+0x2)		ubyte		x \b.%02u
712
713# Linear Executable (LE) in Little Endian (\0\0)
714>>(0x3c.l)		string		LE\0\0 \b, LE
715!:mime	application/x-dosexec
716>>>(0x3c.l+0x0a)	leshort		1
717# some DOS extenders use LE files with OS/2 header
718>>>>0x240		search/0x100	DOS/4G for MS-DOS, DOS/4G DOS extender
719>>>>0x240		search/0x200	WATCOM\ C/C++ for MS-DOS, DOS/4GW DOS extender
720>>>>0x440		search/0x100	CauseWay\ DOS\ Extender for MS-DOS, CauseWay DOS extender
721>>>>0x40		search/0x40	PMODE/W for MS-DOS, PMODE/W DOS extender
722>>>>0x40		search/0x40	STUB/32A for MS-DOS, DOS/32A DOS extender (stub)
723>>>>0x40		search/0x80	STUB/32C for MS-DOS, DOS/32A DOS extender (configurable stub)
724>>>>0x40		search/0x80	DOS/32A for MS-DOS, DOS/32A DOS extender (embedded)
725# D3XW.EXE
726>>>>(8.s*16)		string		o2LEstub for MS-DOS, D3X DOS extender
727>>>>0			default		x
728# DOS32MW.DLL
729>>>>>(0x3c.l+0x10)	lelong&0x38000	=0x18000 for MS-DOS (DLL)
730!:ext	dll
731# HPFS.386 (HPFS386 filesystem for OS/2 1.x, part of Microsoft LAN Manager)
732# https://www.os2museum.com/wp/os2-history/os2-16-bit-server/
733# EXE module (&0x38000=0x00000) with zero application type (&0x700=0x000) and
734# with no external fixups (&0x20=0x20) is .386 32-bit driver module for OS/2 1.x
735>>>>>(0x3c.l+0x10)	lelong&0x38720	=0x00020 for OS/2 1.x (driver)
736!:ext	386
737>>>>>0			default		x for unknown OS 0x1
738# this is a wild guess; hopefully it is a specific signature
739>>>>&0x24		lelong		<0x50
740>>>>>(&0x4c.l)		string		\xfc\xb8WATCOM
741>>>>>>&0		search/8	3\xdbf\xb9 \b, 32Lite compressed
742# another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP
743#>>>>(0x3c.l+0x1c)	lelong		>0x10000 for OS/2
744# fails with DOS-Extenders.
745# OS 2 was reserved for MS Windows 16-bit but it never used LE (NE format was used instead)
746#>>>(0x3c.l+0x0a)	leshort		2 for MS Windows 16-bit
747# OS 3 was reserved for Multitasking MS-DOS but it never used LE (NE format was used instead)
748#>>>(0x3c.l+0x0a)	leshort		3 for Multitasking MS-DOS
749>>>(0x3c.l+0x0a)	leshort		4 for MS Windows
750>>>>(0x3c.l+0xc3)	ubyte		x %u
751>>>>(0x3c.l+0xc2)	ubyte		x \b.%02u
752>>>>(0x3c.l+0x10)	lelong&0x38000	=0x08000
753# DLL module (0x08000) with no external fixups (0x20) for i386 CPU (2) is .386 VxD file for MS Windows 3.x
754>>>>>(0x3c.l+0x10)	lelong&0x20	!0
755>>>>>>(0x3c.l+0x08)	leshort		2 (VxD 386)
756!:ext	386
757>>>>(0x3c.l+0x10)	lelong&0x38000	=0x28000 (VxD static)
758# VXD: VxD for MS Windows 95/98/Me
759# PDR: Port driver
760# MPD: Miniport driver (?)
761!:ext	vxd/pdr/mpd
762>>>>(0x3c.l+0x10)	lelong&0x38000	=0x38000 (VxD dynamic)
763!:ext	vxd/pdr/mpd
764>>>(0x3c.l+0x0a)	default		x
765>>>>(0x3c.l+0x0a)	leshort		x for unknown OS %#x
766>>>(&0x7c.l+0x26)	string		UPX \b, UPX compressed
767>>>&(&0x54.l-3)		string		UNACE \b, ACE self-extracting archive
768
769# DOS/32A Linear Compressed file format
770>>(0x3c.l)		string		LC\0\0 \b, LC for MS-DOS
771>>>0x40			search/0x40	STUB/32A \b, DOS/32A DOS extender (stub)
772>>>0x40			search/0x80	STUB/32C \b, DOS/32A DOS extender (configurable stub)
773>>>0x40			search/0x80	DOS/32A \b, DOS/32A DOS extender (embedded)
774
775# PX\0\0 signature for 32bit DOS Applications in DOS-PE Format (https://www.japheth.de/HX.html)
776# SHDPMI.EXE, DOSTEST.EXE, GETVMODE.EXE, RMINT.EXE
777>(0x3c.l)	string		PX\0\0	\b, PE32
778>>(0x3c.l+24)	leshort		0x020b	\b+
779>>0		clear		x
780>>0		default		x	executable for MS-DOS
781# LOADPEX.BIN and HDLD32.BIN
782# x86 jmp near relative (0xe9 0x?? 0x??) + string "MI" (0x4d 0x49)
783>>(8.s*16)	ulequad&0xffff0000ff	=0x494d0000e9	\b, HX DOS extender (embedded with DPMI host)
784>>(8.s*16)	ulequad&0xffff0000ff	!0x494d0000e9
785# DPMIST32.BIN
786>>>(8.s*16)	search/0x200	cannot\ find\ loader\ DPMILD32.EXE	\b, HX DOS extender (stub)
787# LOADPE.BIN
788>>>(8.s*16)	search/0x600	PATH=HDPMI32.EXE	\b, HX DOS extender (embedded without DPMI host)
789# DPMILD32.BIN
790>>>(8.s*16)	search/0x4000	DPMILD32:	\b, HX DOS extender (embedded without DPMI host)
791
792>0		clear	x
793# Skip already parsed binary types
794# If magic in the branch is not parsed then always jumps to mz-unrecognized
795>(0x3c.l)	string	PE\0\0
796>(0x3c.l)	string	PX\0\0
797>(0x3c.l)	string	LX
798>(0x3c.l)	string	NE
799>>(0x3c.l-0x02)	string	!IMNE
800>>>0x18		uleshort <0x40
801>>>>0		use	mz-unrecognized
802>(0x3c.l)	string	W3
803>>0x18		uleshort <0x40
804>>>0		use	mz-unrecognized
805>(0x3c.l)	string	W4
806>>0x18		uleshort <0x40
807>>>0		use	mz-unrecognized
808>(0x3c.l)	string	LE\0\0
809>>0x18		uleshort <0x40
810>>>0		use	mz-unrecognized
811>(0x3c.l)	string	LC
812>>0x18		uleshort <0x40
813>>>0		use	mz-unrecognized
814>0		default	x
815# This sequence jumps to the next MZ overlay
816>>2		leshort	!0
817# FIXME: The following line does not match binaries whose total size is less than (4.s*512)
818>>>(4.s*512)	leshort	x
819>>>>&(2.s-514)	leshort	x
820>>>>>&-2	use	mz-next-overlay
821>>>>>&-2	string	BW
822>>>>>>0		use	mz-bw-collection
823>>>>>&-2	string	3P
824>>>>>>0		use	mz-3p
825>>>>0		default	x
826>>>>>0		use	mz-unrecognized
827>>>0		default	x
828>>>>0		use	mz-unrecognized
829>>2		leshort	0
830>>>(4.s*512)	leshort	x
831>>>>&-2		use	mz-next-overlay
832>>>>&-2		string	BW
833>>>>>0		use	mz-bw-collection
834>>>>&-2	string	3P
835>>>>>0		use	mz-3p
836>>>0		default	x
837>>>>0		use	mz-unrecognized
838
839# Parse content of the COFF, executable type was already printed in mz-next-overlay
840>(4.s*512)	leshort		0x014c
841#!:mime	application/x-dosexec
842# djgpp go32 v1 COFF
843# F2C.EXE from f2c95201.zip or compress.exe from djdev112.zip
844>>(&-6.l)	string/b	StubInfoMagic!!\0 for MS-DOS
845# djgpp go32 v2 COFF
846>>(8.s*16)	string		go32stub for MS-DOS
847>>(8.s*16)	string		emx
848>>>&1		string		x for DOS, Win or OS/2, emx %s
849>>&(&0x42.l-3)	byte		x
850>>>&0x26	string		UPX \b, UPX compressed
851# and yet another guess: small .text, and after large .data is unusual, could be 32lite
852>>&0x2c		search/0xa0	.text
853>>>&0x0b	lelong		<0x2000
854>>>>&0		lelong		>0x6000 \b, 32lite compressed
855
856# Parse content of the a.out, executable type was already printed in mz-next-overlay
857>(4.s*512)	leshort		0x010b
858# djgpp go32 v1 a.out
859>>(&-6.l)	string/b	StubInfoMagic!!\0 for MS-DOS
860
861# djgpp go32 v1
862# Note that for "redirect" binaries the offset (4.s*512) lies beyond end-of-file, so access it via "default"
863>(4.s*512)	clear		x
864>(4.s*512)	default		x
865>>(&-4.l)	string/b	StubInfoMagic!!\0
866>>>&0		lelong		>39
867>>>>&19		byte		x \b, DJGPP go32 v%u
868>>>>&18		byte		x \b.%u
869>>>>&17		byte		x \b%c DOS extender (stub)
870>>>&0		lelong		<40 \b, DJGPP go32 v1 DOS extender (stub)
871>>>&0		lelong		>35
872>>>>&0		byte		!0
873>>>>>&-1	string/16	x \b, autoload "%s"
874>>>&0		lelong		>62
875>>>>&28		byte		!0
876# zcat.exe from djdev112.zip
877>>>>>&-1	string/15	x \b, redirect to "%s"
878
879# djgpp go32 v2
880>(8.s*16)	string		go32stub
881# Version string is usually ", v 2.05", so skip leading spaces
882>>&0		string		,\ v\
883>>>&0		string/4	x \b, DJGPP go32 v%s DOS extender
884>>&0		default		x
885>>>&0		string/8	x \b, DJGPP go32 %s DOS extender
886>>&8		lelong		>43
887>>>&24		byte		0
888# check for embedded DPMI host PMODSTUB.EXE
889>>>>0x1c		string		PMODSTUB.EXE (embedded PMODE/DJ)
890>>>>0x1c		string		!PMODSTUB.EXE
891>>>>>0x18	leshort		0
892# check for the default djgpp stub
893>>>>>>0x40	search/0x80	The\ STUB.EXE\ stub\ loader (stub)
894>>>>>>>(8.s*16)	default		x
895>>>>>>>>&8	lelong		>83
896>>>>>>>>>&56	byte		!0
897# show which DPMI host executable is autoloaded when none is running
898>>>>>>>>>>&-1	string/16	x \b, autoload "%s"
899>>>>>(0x18.s)	default		x
900>>>>>>&(0x6.s*4)	default		x
901# check for embedded DPMI host CWSDSTUB.EXE
902>>>>>>>&0	search/16	CWSDPMI
903>>>>>>>>&-7	regex/T		=^CWSDPMI(\ [^\ ]+\ )? (embedded %s)
904# check for embedded DPMI host D3XD.EXE
905>>>>>>>&0	search/16	D3X
906>>>>>>>>&-3	regex/T		=^D3X(\ [^\ ]+\ )? (embedded %s)
907>>>&24		byte		!0
908# djtarx.exe or dxegen.exe from djdev205.zip
909>>>>&-1		string/8	x \b, redirect to "%s"
910
911>(8.s*16) string $WdX \b, WDos/X DOS extender
912
913# By now an executable type should have been printed out.  The executable
914# may be a self-uncompressing archive, so look for evidence of that and
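915# print it out.  These are mostly plain string matches at fixed offsets in the stub, so treat a hit as a hint for triage rather than proof of the packer.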
916#
917# Some signatures below from Greg Roelofs, newt@uchicago.edu.
918#
919>0x35	string	\x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05 \b, aPack compressed
920>0xe7	string	LH/2\ 	Self-Extract \b, %s
921>0x1c	string	UC2X	\b, UCEXE compressed
922>0x1c	string	WWP\ 	\b, WWPACK compressed
923>0x1c	string	RJSX 	\b, ARJ self-extracting archive
924>0x1c	string	diet 	\b, diet compressed
925>0x1c	string	LZ09 	\b, LZEXE v0.90 compressed
926>0x1c	string	LZ91 	\b, LZEXE v0.91 compressed
927>0x1c	string	tz 	\b, TinyProg compressed
928>0x1e	string	Copyright\ 1989-1990\ PKWARE\ Inc.	\b, Self-extracting PKZIP archive
929!:mime	application/zip
930# Yes, this really is "Copr", not "Corp."
931>0x1e	string	PKLITE\ Copr.	\b, Self-extracting PKZIP archive
932!:mime	application/zip
933# winarj stores a message in the stub instead of the sig in the MZ header
934>0x20	search/0xe0	aRJsfX \b, ARJ self-extracting archive
935>0x20	string AIN
936>>0x23	string 2	\b, AIN 2.x compressed
937>>0x23	string <2	\b, AIN 1.x compressed
938>>0x23	string >2	\b, AIN 1.x compressed
939>0x24	string	LHa's\ SFX \b, LHa self-extracting archive
940!:mime	application/x-lha
941>0x24	string	LHA's\ SFX \b, LHa self-extracting archive
942!:mime	application/x-lha
943>0x24	string	\ $ARX \b, ARX self-extracting archive
944>0x24	string	\ $LHarc \b, LHarc self-extracting archive
945>0x20	string	SFX\ by\ LARC \b, LARC self-extracting archive
946>0x40	string aPKG \b, aPackage self-extracting archive
947>0x64	string	W\ Collis\0\0 \b, Compack compressed
948>0x7a	string		Windows\ self-extracting\ ZIP	\b, ZIP self-extracting archive
949>>&0xf4 search/0x140 \x0\x40\x1\x0
950>>>(&0.l+(4)) string MSCF \b, WinHKI CAB self-extracting archive
951>1638	string	-lh5- \b, LHa self-extracting archive v2.13S
952>0x17888 string Rar! \b, RAR self-extracting archive
953
954# Skip to the end of the EXE.  This will usually work fine in the PE case
955# because the MZ image is hardcoded into the toolchain and almost certainly
956# won't match any of these signatures.
957>(4.s*512)	long	x
958>>&(2.s-517)	byte	x
959>>>&0	string		PK\3\4 \b, ZIP self-extracting archive
960>>>&0	string		Rar! \b, RAR self-extracting archive
961>>>&0	string		=!\x11 \b, AIN 2.x self-extracting archive
962>>>&0	string		=!\x12 \b, AIN 2.x self-extracting archive
963>>>&0	string		=!\x17 \b, AIN 1.x self-extracting archive
964>>>&0	string		=!\x18 \b, AIN 1.x self-extracting archive
965>>>&7	search/400	**ACE** \b, ACE self-extracting archive
966>>>&0	search/0x480	UC2SFX\ Header \b, UC2 self-extracting archive
967
968# a few unknown ZIP sfxes, no idea if they are needed or if they are
969# already captured by the generic patterns above
970>(8.s*16)	search/0x20	PKSFX \b, ZIP self-extracting archive (PKZIP)
971# TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extracting archive
972#
973
974# TELVOX Teleinformatica CODEC self-extractor for OS/2:
975>49801	string	\x79\xff\x80\xff\x76\xff	\b, CODEC archive v3.21
976>>49824 leshort		=1			\b, 1 file
977>>49824 leshort		>1			\b, %u files
978
979
980# This named instance is called for multi overlay MZ executable with offset of the next overlay
9810	name	mz-next-overlay
982>0	string	P2	\b, EXP (P2) for MS-DOS, Phar Lap 286 DOS extender
983>0	string	P3	\b, EXP (P3) for MS-DOS, Phar Lap 386 DOS extender
984>0	string	MT	\b, MT for MS-DOS, IGC XMLOD i386 DOS extender
985>0	string	3P	\b, 3P for MS-DOS
986# Other 3P details are printed later as they depend on the original MZ content
987>>32	lelong&0x00000001	!0	\b, 16-bit
988>>32	lelong&0x00000001	0
989# CWC.EXE from cw349bin.zip is 32-bit
990>>>32	lelong&0x00010000	0	\b, 32-bit
991# WL32.EXE from cw349bin.zip is dual mode
992>>>32	lelong&0x00010000	!0	\b, Dual mode
993>>32	lelong&0x80000000	!0	\b, Compressed
994>0	string	D3X1	\b, D3X1 for MS-DOS, D3X DOS extender
995# BW details are printed later as they depend on the original MZ content
996>0	string	BW	\b, BW collection for MS-DOS
997# a.out details are printed later as they depend on the original MZ content
998>0	leshort	0x010b	\b, a.out
999# COFF details are printed later as they depend on the original MZ content
1000>0	leshort	0x014c	\b, COFF
1001>0	default	x
1002# now make offset aligned to 0x10
1003>>0	offset%0x10	0x0
1004# already aligned
1005>>>0x0	use	mz-next-overlay-aligned
1006>>0	offset%0x10	0x1
1007>>>0xf	use	mz-next-overlay-aligned
1008>>0	offset%0x10	0x2
1009>>>0xe	use	mz-next-overlay-aligned
1010>>0	offset%0x10	0x3
1011>>>0xd	use	mz-next-overlay-aligned
1012>>0	offset%0x10	0x4
1013>>>0xc	use	mz-next-overlay-aligned
1014>>0	offset%0x10	0x5
1015>>>0xb	use	mz-next-overlay-aligned
1016>>0	offset%0x10	0x6
1017>>>0xa	use	mz-next-overlay-aligned
1018>>0	offset%0x10	0x7
1019>>>0x9	use	mz-next-overlay-aligned
1020>>0	offset%0x10	0x8
1021>>>0x8	use	mz-next-overlay-aligned
1022>>0	offset%0x10	0x9
1023>>>0x7	use	mz-next-overlay-aligned
1024>>0	offset%0x10	0xa
1025>>>0x6	use	mz-next-overlay-aligned
1026>>0	offset%0x10	0xb
1027>>>0x5	use	mz-next-overlay-aligned
1028>>0	offset%0x10	0xc
1029>>>0x4	use	mz-next-overlay-aligned
1030>>0	offset%0x10	0xd
1031>>>0x3	use	mz-next-overlay-aligned
1032>>0	offset%0x10	0xe
1033>>>0x2	use	mz-next-overlay-aligned
1034>>0	offset%0x10	0xf
1035>>>0x1	use	mz-next-overlay-aligned
10360	name	mz-next-overlay-aligned
1037>0	string	MP	\b, EXP (MP) for MS-DOS, Phar Lap 386 DOS extender
1038>0	default	x
1039>>0	use	mz-unrecognized
1040
1041
1042# This named instance is called for unrecognized MZ DOS binary from any offset
10430	name	mz-unrecognized
1044>0	default	x	\b, MZ for MS-DOS
1045!:mime	application/x-dosexec
1046# Windows and later versions of DOS will allow .EXEs to be named with a .COM
1047# extension, mostly for compatibility's sake.
1048# like: EDIT.COM 4DOS.COM CMD8086.COM CMD-FR.COM SYSLINUX.COM
1049# URL:		https://en.wikipedia.org/wiki/Personal_NetWare#VLM
1050# Reference:	https://mark0.net/download/triddefs_xml.7z/defs/e/exe-vlm-msg.trid.xml
1051# also like: BGISRV.DRV
1052!:ext	exe/com/vlm/drv
1053
1054
1055# This named instance is called for BW collection with offset from the beginning of the file
10560	name	mz-bw-collection
1057>(8.s*16)	default	x
1058>>&(&0x30.s)	default	x
1059>>>&0	string	DOS/16M	\b, DOS/16M DOS extender (embedded)
1060>>>&-8	string	DOS/16M	\b, DOS/16M DOS extender (embedded)
1061>>>&-8	string	DOS/4G	\b, DOS/4G DOS extender (embedded)
1062>>>0		default	x
1063>>>>(8.s*16)	search/0x4000	Stub\ failed\ to\ find\ DOS/4G\ extender.	\b, DOS/4G DOS extender (stub)
1064
1065
1066# This named instance is called for CauseWay MZ 3P binary with offset from the beginning of the file
10670	name	mz-3p
1068# CWC.EXE and WL32.EXE from cw349bin.bin
1069>0x440	search/0x100	CauseWay\ DOS\ Extender			\b, CauseWay DOS extender
1070# CWHELP.EXE from cw349bin.bin
1071>0x200	search/0x100	CauseWay\ dynamic\ link\ library	\b, CauseWay DLL
1072
1073
1074# Summary:	OS/2 LX Library and device driver (no DOS stub)
1075# From:		Joerg Jenderek
1076# URL:		http://en.wikipedia.org/wiki/EXE
1077# Reference:	http://www.textfiles.com/programming/FORMATS/lxexe.txt
1078#		https://github.com/open-watcom/open-watcom-v2/blob/master/bld/watcom/h/exeflat.h
1079#		https://github.com/bitwiseworks/os2tk45/blob/master/h/exe386.h
1080#		https://archive.org/download/IBMOS2Warp4ToolkitDocuments2/lxref.htm
1081# Note:		by dll-os2-no-dos-stub.trid.xml called "OS/2 Dynamic Link Library (no DOS stub)"
1082# looks similar to the variant with an MS-DOS stub (MZ magic): "MS-DOS executable, LX"
10830	string/b	LX	LX executable
1084#!:mime	application/x-msdownload
1085!:mime	application/x-lx-executable
1086>2	uleshort	=0x0000
1087>>0	use			lx-executable
1088# no examples found for big endian variant
1089>2	uleshort	=0x0101
1090>>0	use			\^lx-executable
1091# no examples found for PDP-11 endian variant
1092>2	uleshort	=0x0100
1093# PDP-11-endian is not supported by magic "use" keyword yet
1094# no examples found for other endian variants
1095>>0	default		x
1096# other endianness is not supported by the magic "use" keyword
1097
10980       name    	lx-executable
1099# FOR DEBUGGING!
1100# byte order: 00h~little-endian 01h~big-endian
1101#>0x02	ubyte			=0		\b, little-endian byte order
1102#>0x02	ubyte			=1		\b, big-endian byte order
1103# word order: 00h~little-endian 01h~big-endian
1104#>0x03	ubyte			=0		\b, little-endian word order
1105#>0x03	ubyte			=1		\b, big-endian word order
1106# cpu_type; CPU type like: 1~i286 2~i386 3~i486 4~i586 20h~i860-N10 21h~i860-N11 40h~MIPS R2000,R3000 41h~MIPS R6000 42h~MIPS R4000
1107#>0x08	uleshort		x		\b, CPU %u
1108# os_type; target operating system like: 0~unknown 1~OS/2 2~Windows 16-bit 3~Multitasking MS-DOS 4.x 4~Windows 386 5~IBM Microkernel PN
1109#>0x0A	leshort			x		\b, OS %u
1110# flags; module type flags
1111#>0x10	ulelong			x		\b, FLAGS %#8.8x
1112# 00000002h				~Reserved for system use
1113#>0x10	ulelong			&0x00000002	\b, 2h reserved
1114# OSF_INIT_INSTANCE=00000004h		~Per-Process Library Initialization; setting this bit for EXE file is invalid
1115#>0x10	ulelong			&0x00000004	\b, per-process library Initialization
1116#>0x10	ulelong			&0x00000008	\b, system dll
1117# OSF_INTERNAL_FIXUPS_DONE=00000010h	~Internal fixups for the module have been applied
1118#>0x10	ulelong			&0x00000010	\b, int. fixup
1119# OSF_EXTERNAL_FIXUPS_DONE=00000020h	~External fixups for the module have been applied
1120#>0x10	ulelong			&0x00000020	\b, ext. fixup
1121# OSF_NOT_PM_COMPATIBLE=00000100h	~Incompatible with PM windowing
1122#>0x10	ulelong&0x00000700	=0x00000100	\b, incompatible with PM windowing
1123# OSF_PM_COMPATIBLE=00000200h		~Compatible with PM windowing
1124#>0x10	ulelong&0x00000700	=0x00000200	\b, compatible with PM windowing
1125#>0x10	ulelong&0x00000700	=0x00000300	\b, uses PM windowing API
1126#>0x10	ulelong			&0x00002000	\b, not loadable
1127#>0x10	ulelong			&0x00008000	\b, library module
1128# bit 17; device driver
1129#>0x10	ulelong			&0x00020000	\b, device driver
1130#>0x10	ulelong			&0x00080000	\b, multiple-processor unsafe
1131# Per-process Library Termination; setting this bit for EXE file is invalid
1132#>0x10	ulelong			&0x40000000	\b, per-process library termination
1133# OS type
1134>0x0a	clear			x
1135>0x0a	leshort			1		for OS/2
1136# OS 2 was reserved for MS Windows 16-bit but it never used LX (NE format was used instead)
1137#>0x0a	leshort			2		for MS Windows 16-bit
1138# OS 3 was reserved for Multitasking MS-DOS but it never used LX (NE format was used instead)
1139#>0x0a	leshort			3		for Multitasking MS-DOS
1140# OS 4 was reserved for MS Windows device drivers but it never used LX (LE format was used instead)
1141#>0x0a	leshort			4		for MS Windows
1142# OS 5 was reserved for IBM Microkernel Personality Neutral but it never used LX (the only released IBM Workplace OS for PowerPC used ELF format)
1143#>0x0a	leshort			5		for IBM Microkernel Personality Neutral
1144>0x0a	default			x
1145>>0x0a	leshort			x		for unknown OS %#x
1146# http://www.ctyme.com/intr/rb-2939.htm#Table1610
1147# library by module type mask 00038000h (bits 15-17);
1148# 0h ~executable Program module
1149>0x10	ulelong&0x00038000	=0x00000000	(EXE)
1150!:ext	exe
1151# bits 8-10; OSF_PM_APP=700h in flags	~Uses PM windowing API; either it is GUI or console
1152>>0x10	ulelong&0x00000700	=0x00000100	(full screen)
1153>>0x10	ulelong&0x00000700	=0x00000200	(console)
1154>>0x10	ulelong&0x00000700	=0x00000300	(GUI)
1155>0x10	ulelong&0x00038000	=0x00008000	(DLL)
1156!:ext	dll
1157>0x10	ulelong&0x00038000	=0x00010000	(unknown)
1158>0x10	ulelong&0x00038000	=0x00018000	(PMDLL)
1159>0x10	ulelong&0x00038000	=0x00020000	(PDD)
1160!:ext	sys
1161>0x10	ulelong&0x00038000	=0x00028000	(VDD)
1162!:ext	sys
1163>0x10	ulelong&0x00038000	=0x00030000	(DLD)
1164>0x10	ulelong&0x00038000	=0x00038000	(unknown)
1165# CPU type
1166>0x08	clear			x
1167>0x08	uleshort		1		\b, Intel i286
1168# all inspected examples
1169>0x08	uleshort		2		\b, Intel i386
1170>0x08	uleshort		3		\b, Intel i486
1171>0x08	uleshort		4		\b, Intel i586
1172# 20h 	Intel i860 N10 or compatible
1173# 21h 	Intel i860 N11 or compatible
1174# 40h 	MIPS Mark I ( R2000, R3000) or compatible
1175# 41h 	MIPS Mark II ( R6000 ) or compatible
1176# 42h 	MIPS Mark III ( R4000 ) or compatible
1177>0x08	default			x
1178>>0x08	uleshort		x		\b, unknown CPU %#x
1179# Endianness for debugging; there are no samples for non-little-endian
1180#>0x02	clear			x
1181#>0x02	uleshort		=0x0000		(little-endian)
1182#>0x02	uleshort		=0x0101		(big-endian)
1183#>0x02	uleshort		=0x0100		(PDP-11-endian)
1184#>0x02	default			x		(unknown-endian)
1185
1186# added by Joerg Jenderek of https://www.freedos.org/software/?prog=kc
1187# and https://www.freedos.org/software/?prog=kpdos
1188# for FreeDOS files like KEYBOARD.SYS, KEYBRD2.SYS, KEYBRD3.SYS, *.KBD
11890	string/b	KCF		FreeDOS KEYBoard Layout collection
1190# only version=0x100 found
1191>3	uleshort	x		\b, version %#x
1192# length of string containing author,info and special characters
1193>6	ubyte		>0
1194#>>6	pstring		x		\b, name=%s
1195>>7	string		>\0		\b, author=%-.14s
1196>>7	search/254	\xff		\b, info=
1197#>>>&0	string		x		\b%-s
1198>>>&0	string		x		\b%-.15s
1199# for FreeDOS *.KL files
12000	string/b	KLF		FreeDOS KEYBoard Layout file
1201# only version=0x100 or 0x101 found
1202>3	uleshort	x		\b, version %#x
1203# stringlength
1204>5	ubyte		>0
1205>>8	string		x		\b, name=%-.2s
12060	string	\xffKEYB\ \ \ \0\0\0\0
1207>12	string	\0\0\0\0`\004\360	MS-DOS KEYBoard Layout file
1208
1209# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017,Aug 2020,Mar 2023
1210# URL:		http://fileformats.archiveteam.org/wiki/DOS_device_driver
1211# Reference:	http://www.delorie.com/djgpp/doc/rbinter/it/46/16.html
1212# http://www.o3one.org/hwdocs/bios_doc/dosref22.html
12130	ulequad&0x07a0ffffffff		0xffffffff
1214# skip OS/2 INI ./os2
1215>4  ubelong   !0x14000000
1216#>>10  ubequad   x		MAYBE_DRIVER_NAME=%16.16llx
1217# https://bugs.astron.com/view.php?id=434
1218# skip OOXML document fragment 0000.dat where driver name is "empty" instead of "ASCII like"
1219>>10  ubequad   !0
1220>>>0	use				msdos-driver
12210       name    			msdos-driver		DOS executable (
1222#!:mime	application/octet-stream
1223!:mime	application/x-dosdriver
1224# also found FreeDOS print driver SPOOL.DEV and disc compression driver STACLOAD.BIN
1225# and IBM Token-Ring adapter IBMTOK.DOS. Why and when is DOS used instead of SYS?
1226# PROTMAN.DOS ELNKPL.DOS
1227!:ext	sys/dev/bin/dos
1228# 1 space char after "UPX compressed" to get phrase like "UPX compressed character device"
1229>40	search/7			UPX!			\bUPX compressed
1230# DOS device driver attributes
1231>4	uleshort&0x8000			0x0000			\bblock device driver
1232# character device
1233>4	uleshort&0x8000			0x8000			\b
1234# 1 space char after "clock" to get phrase like "clock character device driver CLOCK$"
1235>>4	uleshort&0x0008			0x0008			\bclock
1236# fast video output by int 29h
1237# 1 space char after "fast" to get phrase like "fast standard input/output character device driver"
1238>>4	uleshort&0x0010			0x0010			\bfast
1239# standard input/output device
1240# 1 space char after "standard" to get phrase like "standard input/output character device driver"
1241>>4	uleshort&0x0003			>0			\bstandard
1242>>>4	uleshort&0x0001			0x0001			\binput
1243>>>4	uleshort&0x0003			0x0003			\b/
1244# 1 space char after "output" to get phrase like "input/output character device driver"
1245>>>4	uleshort&0x0002			0x0002			\boutput
1246>>4	uleshort&0x8000			0x8000			\bcharacter device driver
1247>0	ubyte				x
1248# a UPX compressed device driver has garbage instead of the real name in the name field of the header
1249>>40	search/7			UPX!
1250>>40	default				x
1251# leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped
1252# 1 space char before device driver name to get phrase like "device driver PROTMAN$" "device driver HP-150II" "device driver PC$MOUSE"
1253>>>12		ubyte			>0x23			\b
1254>>>>10		ubyte			>0x20
1255>>>>>10		ubyte			!0x2E
1256>>>>>>10	ubyte			!0x2A			\b%c
1257>>>>11		ubyte			>0x20
1258>>>>>11		ubyte			!0x2E			\b%c
1259>>>>12		ubyte			>0x20
1260>>>>>12		ubyte			!0x39
1261>>>>>>12	ubyte			!0x2E			\b%c
1262>>>13		ubyte			>0x20
1263>>>>13		ubyte			!0x2E			\b%c
1264>>>>14		ubyte			>0x20
1265>>>>>14		ubyte			!0x2E			\b%c
1266>>>>15		ubyte			>0x20
1267>>>>>15		ubyte			!0x2E			\b%c
1268>>>>16		ubyte			>0x20
1269>>>>>16		ubyte			!0x2E
1270>>>>>>16	ubyte			<0xCB			\b%c
1271>>>>17		ubyte			>0x20
1272>>>>>17		ubyte			!0x2E
1273>>>>>>17	ubyte			<0x90			\b%c
1274# some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field
1275>>>12		ubyte			<0x2F
1276# they have their real name at offset 22
1277# also block device drivers like DUMBDRV.SYS
1278>>>>22		string			>\056			%-.6s
1279>4	uleshort&0x8000			0x0000
1280# 32 bit sector addressing ( > 32 MB) for block devices
1281>>4	uleshort&0x0002			0x0002			\b,32-bit sector-
1282# support by driver functions 13h, 17h, 18h
1283>4	uleshort&0x0040			0x0040			\b,IOCTL-
1284# open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh
1285>4	uleshort&0x0800			0x0800			\b,close media-
1286# output until busy support by int 10h for character device driver
1287>4	uleshort&0x8000			0x8000
1288>>4	uleshort&0x2000			0x2000			\b,until busy-
1289# direct read/write support by driver functions 03h,0Ch
1290>4	uleshort&0x4000			0x4000			\b,control strings-
1291>4	uleshort&0x8000			0x8000
1292>>4	uleshort&0x6840			>0			\bsupport
1293>4	uleshort&0x8000			0x0000
1294>>4	uleshort&0x4842			>0			\bsupport
1295>0	ubyte				x			\b)
1296>0	ulelong				!0xffffffff		with pointer %#x
1297# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header
12980	ulequad				0x0513c00000000012
1299>0	use				msdos-driver
1300# DOS drivers DC2975.SYS, DUMBDRV.SYS, ECHO.SYS also have a value other than 0xffffffff in the pointer field
13010	ulequad				0x32f28000ffff0016
1302>0	use				msdos-driver
13030	ulequad				0x007f00000000ffff
1304>0	use				msdos-driver
1305# https://www.uwe-sieber.de/files/cfg_echo.zip
13060	ulequad				0x001600000000ffff
1307>0	use				msdos-driver
1308# DOS drivers LS120.SYS, MKELS120.SYS use reserved bits of attribute field
13090	ulequad				0x0bf708c2ffffffff
1310>0	use				msdos-driver
13110	ulequad				0x07bd08c2ffffffff
1312>0	use				msdos-driver
1313# 3Com EtherLink 3C501 CID\SERVER\IBMLS\IBM500D1\DLSNETDR.ZIP\ELNK.DOS
13140	ulequad				0x027ac0c0ffffffff
1315>0	use				msdos-driver
1316# IBM Streamer CID\SERVER\IBMLS\IBM500D1\DLSNETDR.ZIP\IBMMPC.DOS
13170	ulequad				0x00228880ffffffff
1318>0	use				msdos-driver
1319
1320# updated by Joerg Jenderek
1321# GRR: the line below is too general, as it also catches
1322# rt.lib DYADISKS.PIC and many more
1323# start with assembler instruction MOV
13240	ubyte		0x8c
1325# skip "AppleWorks word processor data" like ARTICLE.1 ./apple
1326>4	string			!O====
1327# skip some unknown basic binaries like RocketRnger.SHR
1328>>5	string			!MAIN
1329# skip "GPG symmetrically encrypted data" ./gnu
1330# skip "PGP symmetric key encrypted data" ./pgp
1331# openpgpdefs.h: fourth byte < 14 indicates cipher algorithm type
1332>>>4	ubyte			>13
1333>>>>0		use	msdos-com
1334# the remaining files should be DOS *.COM executables
1335# dosshell.COM	8cc0 2ea35f07 e85211 e88a11 b80058 cd
1336# hmload.COM	8cc8 8ec0 bbc02b 89dc 83c30f c1eb04 b4
1337# UNDELETE.COM	8cca 2e8916 6503 b430 cd21 8b 2e0200 8b
1338# BOOTFIX.COM	8cca 2e8916 9603 b430 cd21 8b 2e0200 8b
1339# RAWRITE3.COM	8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
1340# SHARE.COM	8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
1341# validchr.COM	8cca 2e8916 9603 b430 cd21 8b 2e028b1e
1342# devload.COM	8cca 8916ad01 b430 cd21 8b2e0200 892e
1343
# Sub-routine msdos-com: reached through `use msdos-com` from the entries of
# this file that decided the data is most likely a DOS .COM style program.
# It always prints "DOS executable (", picks a sub-type from the first byte
# (0xE9 or not) and then appends optional details.
# NOTE(review): nothing here re-checks the caller's decision, so the
# application/x-dosexec result is only as reliable as the calling entry.
13440       name    msdos-com
1345# URL:		http://fileformats.archiveteam.org/wiki/DOS_executable_(.com)
1346>0  byte        x               DOS executable (
1347# DOS executable with JuMP 16-bit instruction
1348>0	byte			=0xE9
1349# check for probably nil padding until offset 64 of Lotus driver name
1350>>56		quad		=0
1351# check for "long" alphabetic Lotus driver name like:
1352# Diablo "COMPAQ Text Display" "IBM Monochrome Display" "Plantronics ColorPlus"
# the regex limits the printed name to letters and spaces (6 to 22 characters)
1353>>>24			regex	=^[A-Z][A-Za-z\040]{5,21}	\bLotus driver) %s
1354!:mime				application/x-dosexec
1355# like: CPQ0TD.DRV IBM0MONO.DRV (Lotus 123 10a) SDIAB4.DRV SPL0CPLS.DRV (Lotus Symphony 2)
1356!:ext				drv
1357# COM with nils like MODE.COM IBMDOS.COM (pcdos 3.31 ru Compaq) RSSTUB.COM (PC-DOS 2000 de) ACCESS.COM (Lotus Symphony 1)
1358>>>24			default	x				\bCOM)
1359!:mime				application/x-dosexec
1360!:ext				com
1361# DOS executable with JuMP 16-bit and without nil padding
1362>>56		quad		!0
1363# https://wiki.syslinux.org/wiki/index.php?title=Doc/comboot
1364# TODO: HOWTO distinguish COMboot from pure DOS executables?
1365# look for unreliable Syslinux specific api call INTerrupt 22h for 16-bit COMBOOT program
1366>>>1			search/0xc088	\xcd\x22		\bCOM or COMBOOT 16-bit)
1367!:mime				application/x-dosexec
1368# like: sbm.cbt command.com (Windows XP) UNI2ASCI.COM (FreeDOS 1.2)
1369!:ext				com/cbt
1370>>>1			default		x			\bCOM)
1371!:mime				application/x-dosexec
1372!:ext				com
1373# DOS executable without JuMP 16-bit instruction
1374>0	byte			!0xE9
1375# SCREATE.SYS	https://en.wikipedia.org/wiki/Stac_Electronics
1376>>10		string		=?STACVOL			\bSCREATE.SYS)
1377!:mime			application/x-dosexec
1378!:ext			sys
1379# COM executable without JuMP 16-bit instruction and not SCREATE.SYS
1380>>10		string		!?STACVOL			\bCOM)
1381!:mime			application/x-dosexec
1382!:ext			com
# The level-1 tests below are not nested under either first-byte branch, so
# they are tried for every msdos-com match and only append to the description.
1383>6	string		SFX\ of\ LHarc	\b, %s
1384>0x1FE leshort	0xAA55		    \b, boot code
# literal "UPX" at the single fixed offset 85
# NOTE(review): a missing ", UPX compressed" suffix does not show that the
# file is unpacked; this test sees the marker only at this one position
1385>85	string		UPX		        \b, UPX compressed
1386>4	string		\ $ARX		    \b, ARX self-extracting archive
1387>4	string		\ $LHarc	    \b, LHarc self-extracting archive
1388>0x20e string	SFX\ by\ LARC	\b, LARC self-extracting archive
1389# like: E30ODI.COM MADGEODI.COM UNI2ASCI.COM RECOVER.COM (DOS 2) COMMAND.COM (DOS 2)
# same byte pair as the COMBOOT test above; "maybe" because CD 22 can also
# occur as ordinary data within the searched range
1390>1	search/0xc088	\xcd\x22	\b, maybe with interrupt 22h
1391>0	ubelong		x		\b, start instruction %#8.8x
1392# show more instructions but not in samples like: rem.com (DJGPP)
1393>4	ubelong		x		%8.8x
1394
1395# JMP 8bit
# Entry for data whose first byte is 0xeb.  FAT boot sectors begin the same
# way, so the byte at offset 16 (number of FATs in a boot sector), the 0xAA55
# boot signature and text taken from known disk images are used to choose
# between "disk image, left to ./filesystems or ./linux" and msdos-com.
# NOTE(review): the skip tests are built from the sample images named in the
# comments; another image with an unusual FAT count would presumably be
# reported as a DOS executable.
13960	        byte	0xeb
1397# byte 0xeb conflicts with magic leshort 0xn2eb of "SYMMETRY i386" handled by ./sequent
1398# allow forward jumps only
1399>1          byte    >-1
1400# that offset must be accessible
1401# with hexadecimal values like: 0e 2e 50 8c 8d ba bc bd be e8 fb fc
1402>>(1.b+2)   byte    x
1403# if look like COM executable with x86 boot signature then this
1404# implies FAT volume with x86 real mode code already handled by ./filesystems
1405#
1406# No x86 boot signature implies often DOS executable
1407# check for unrealistic high number of FATs. Then it is an unusual disk image or often a DOS executable
1408# like: FIXBIOS.COM (50 bytes)
1409>>>16		ubyte		>3
1410# https://www.drivedroid.io/
1411# skip MBR disk image drivedroid.img version 12 July 2013 by start message
1412>>>>2		string		!DriveDroid
1413# ftp://old-dos.ru/OSCollect/OS/MS-DOS/Final Releases/
1414# skip unusual floppy image disk1.img of MS-DOS 1.25 (Corona Data Systems OEM)
1415# by check for characteristic message text near the beginning
1416>>>>>15		string		!Non\040System\040disk
1417# "ftp://old-dos.ru/OSCollect/OS/BeOS/BeOS 4.0.rar"
1418# skip BeOS 4 bootfloppy.img done as "Linux kernel x86 boot executable" by ./linux
1419# by check for characteristic message text near the beginning
1420>>>>>>6		string		!read\040error\015
1421# https://github.com/ventoy/Ventoy/releases/download/v1.0.78/ventoy-1.0.78-windows.zip
1422# skip ventoy 1.0.78 boot_hybrid.img
1423>>>>>>>24	string		!\220\220\353I$\022\017
1424# "ftp://old-dos.ru/OSCollect/OS/MS-DOS/Final Releases/PC-DOS 1.0 (5.25).rar"
1425# skip unusual floppy image PCDOS100.IMG of DOS 1.0
1426# by check for characteristic message text near the beginning
1427>>>>>>>>9	string		!7-May-81
1428# "ftp://old-dos.ru/OSCollect/OS/BeOS/BeOS 5.0 Personal (BA).rar"
1429# skip BeOS 5 floppy_1.44.00.ima done as "DOS/MBR boot sector" by ./filesystems
1430# by check for characteristic message near the beginning
1431>>>>>>>>>3	string		!\370sdfS\270
1432# like: FIXBIOS.COM (50 bytes)
1433>>>>>>>>>>0		use		msdos-com
1434# check for unrealistic low number of FATs. Then it is an unusual FAT disk image or often a DOS executable
1435# like: DEVICE.COM INSTALL.COM (GAG 4.10) WORD.COM (Word 1.15)
1436>>>16		ubyte		=0
1437# if low FATs with x86 boot signature it can be unusual disk image like: boot.img (Ventoy 1.0.27) geodspms.img (Syslinux)
1438>>>>0x1FE	leshort		=0xAA55
# reached only when the 0xAA55 test above did not match; that test prints
# nothing and has no continuation of its own
1439>>>>0x1FE	default		x
1440# https://thestarman.pcministry.com/tool/hxd/dimtut.htm
1441# skip unusual floppy image TK-DOS11.img IBMDOS11.img of IBM DOS 1.10
1442# by check for characteristic bootloader names near end of boot sector
1443>>>>>395	string		!ibmbio\040\040com
1444>>>>>>0			use		msdos-com
1445# 8-bit jump with valid number of FAT implies FAT volume already handled by ./filesystems
1446# like: balder.img
1447>>>16		default		x
1448# skip disk images with boot signature at end of 1st sector
1449# like: TDSK-64b.img
# the offset is the 16-bit value stored at 11 minus 2, i.e. it is taken from the file
1450>>>>(11.s-2)	uleshort	!0xAA55
1451# skip unusual floppy image without boot signature like 360k-256.img (mtools 4.0.18)
1452# by check for characteristic file system type text for FAT (12 bit or 16 bit)
1453>>>>>54		string		!FAT
1454# "ftp://old-dos.ru/OSCollect/OS/MS-DOS/Final Releases/Microsoft MS-DOS 3.31 (Compaq OEM) (3.5).rar"
1455# skip unusual floppy image Disk4.img without boot signature and file system type text
1456# by check for characteristic OEM-ID text
1457>>>>>>3		string		!COMPAQ\040\040
1458# no such DOS COM executables found
1459>>>>>>>0		use		msdos-com
1460# JMP 16bit
# Entry for data whose first byte is 0xe9.  Forward jumps are sorted with
# boot-sector fields (FAT count at 16, media descriptor at 21, sector size at
# 11) into "disk image" or msdos-com; backward jumps below -259 are accepted
# when the wrapped target offset exists in the file.
14610           byte    0xe9
1462# display DOS executable (COM or COMBOOT 16-bit strength=40=40-0) after ESP-IDF application image (strength=40=40+0) handled by ./firmware
1463#!:strength	-0
1464# 16-bit offset; for DEBUGGING!; can be negative like: USBDRIVE.COM
1465# 2h (CPQ0TD.DRV) 4FEh (NDN.COM) 581h (DRMOUSE.COM) 1FDh (GAG.COM) BE07h (USBDRIVE.COM)
1466#>1		uleshort	x	\b, OFFSET=%#4.4x
1467#>1		leshort		x	\b, OFFSET %d
1468# forward jumps
1469>1		leshort	>-1
1470# that offset must be accessible
1471# with hexadecimal values like: 06 1e 0e 2e 60 8c 8d b4 ba be e8 fc
1472>>(1.s+3)   byte    x
1473# check for unrealistic high number of FATs. Then it is not a disk image and it is a DOS executable
1474# like: CALLVER.COM CPUCACHE.COM K437_EUR.COM SHSUCDX.COM UMBFILL.COM (183 bytes)
1475>>>16		ubyte		>3
1476>>>>0			use		msdos-com
1477# check for unrealistic low number of FATs. Then it is not a disk image and it is a DOS executable
1478# like: GAG.COM DRMOUSE.COM NDN.COM CPQ0TD.DRV
1479# or ESP-IDF application image like: WLED_0.14.0_ESP32-C3.bin opendtu-generic_esp32.bin
1480>>>16		ubyte		=0
1481# skip ESP-IDF application image handled by ./firmware with ESP_APP_DESC_MAGIC_WORD
1482>>>>32	ulelong		!0xABCD5432
1483>>>>>0			use		msdos-com
1484# maybe disc image with valid number of FATs or DOS executable
1485# like: IPXODI.COM PERUSE.COM TASKID.COM
1486>>>16		default	x
1487# invalid low media descriptor. Then it is not a disk image and it is a DOS executable
1488>>>>21		ubyte		<0xE5
1489>>>>>0			use		msdos-com
1490# valid media descriptor. Then it is maybe disk image or DOS executable
1491>>>>21		ubyte		>0xE4
1492# invalid sectorsize not a power of 2 from 32-32768. Then it is not a disk image and it must be DOS executable
1493# like: LEARN.COM (Word 1.15)
# only the low five bits are tested: a sector size that is not a multiple of 32
1494>>>>>11		uleshort&0x001f	!0
1495>>>>>>0			use		msdos-com
1496# negative offset, must not lead into PSP
1497# like: BASICA.COM (PC dos 3.20) FORMAT.COM SMC8100.COM WORD.COM (word4)
1498# HIDSUPT1.COM USBDRIVE.COM USBSUPT1.COM USBUHCI.COM (FreeDOS USBDOS)
1499>1		leshort	<-259
1500# that offset must be accessible
1501# add 10000h to jump at end of 64 KiB segment, add 1 for jump instruction and 2 for 16-bit offset
# NOTE(review): this indirect offset is written with ',' where the forward-jump
# test above uses '.'; in magic(5) the comma form reads the stored value as
# signed - confirm that every file(1) version consuming this file accepts it
1502>>(1,s+65539)   byte    x
1503# after jump next instruction for DEBUGGING!
1504#>>>&-1		ubelong	x	\b, NEXT instruction %#8.8x
1505>>>0        use msdos-com
1506
# Entry for data whose first byte is 0xb8.  Two outcomes: the Syslinux
# COM32/COM32R magic value directly after that byte, or (default branch) a
# search for an interrupt opcode 0xCD in the next bytes followed by
# per-interrupt exclusions of known boot-sector images before msdos-com is used.
# NOTE(review): the author marks the first-byte test as too general; the
# exclusions below are tied to the named samples.
1507# updated by Joerg Jenderek at Oct 2008,2015,2022
1508# following line is too general
15090	ubyte		0xb8
1510# skip 2 linux kernels like memtest.bin with "\xb8\xc0\x07\x8e" in ./linux
1511>0	string		!\xb8\xc0\x07\x8e
1512# modified by Joerg Jenderek
1513# syslinux COM32 or COM32R executable
# the mask clears bit 0, so both magic values (...CFf and ...CFe) pass this
# test; the two level-3 lines below tell them apart
1514>>1	lelong&0xFFFFFFFe 0x21CD4CFe	COM executable (32-bit COMBOOT
1515# https://www.syslinux.org/wiki/index.php/Comboot_API
1516# Since version 5.00 c32 modules switched from the COM32 object format to ELF
1517!:mime	application/x-c32-comboot-syslinux-exec
1518!:ext c32
1519# https://syslinux.zytor.com/comboot.php
1520# older syslinux version ( <4 )
1521# (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode
1522# start with assembler instructions mov eax,21cd4cffh
1523>>>1	lelong		0x21CD4CFf	\b)
1524# syslinux:doc/comboot.txt
1525# A COM32R program must start with the byte sequence B8 FE 4C CD 21 (mov
1526# eax,21cd4cfeh) as a magic number.
1527# syslinux version (4.x)
1528# "COM executable (COM32R)" or "Syslinux COM32 module" by TrID
1529>>>1	lelong		0x21CD4CFe	\b, relocatable)
1530>>1	default	x
1531# look for interrupt instruction like in rem.com (DJGPP) LOADER.COM (DR-DOS 7.x)
1532>>>3	search/118	\xCD
1533# FOR DEBUGGING; possible hexadecimal interrupt number like: 10~BANNER.COM 13~bcdw_cl.com 15~poweroff.com (Syslinux)
1534# 1A~BERNDPCI.COM 20~SETENHKB.COM 21~mostly 22~gfxboot.com (Syslinux) 2F~SHUTDOWN.COM (GEMSYS)
1535#>>>>&0	ubyte	x			\b, INTERUPT %#x
1536# few examples with interrupt 0x13 instruction
# &0 is relative to the end of the 0xCD match, i.e. the byte that follows it
1537>>>>&0	ubyte	=0x13
1538# FOR DEBUGGING!
1539#>>>>>3	ubequad	x			\b, 2nd INSTRUCTION %#16.16llx
1540# skip Gpt.com Mbr.com (edk2-UDK2018 bootsector) described as "DOS/MBR boot sector" by ./filesystems
1541# by check for assembler instructions: mov  es,ax ; mov  ax,07c0h ; mov ds,ax
1542>>>>>3	ubequad	!0x8ec0b8c0078ed88d
1543# few COM executables with interrupt 0x13 instruction like: Bootable CD Wizard executables bcdw_cl.com fdemuoff.com
1544# http://bootcd.narod.ru/bcdw150z_en.zip
1545>>>>>>0		use		msdos-com
1546# few examples with interrupt 0x16 instruction like flashimg.img
1547>>>>&0	ubyte	=0x16
1548# skip Syslinux 3.71 flashimg.img done as "DOS/MBR boot sector" by ./filesystems
1549# by check for assembler instructions: cmp ax 0xE4E4 (magic); jnz
1550>>>>>8	ubelong	!0x3DE4E475
1551# no DOS executable with interrupt 0x16 found
1552>>>>>>0		use		msdos-com
1553# most examples with interrupt instruction unequal 0x13 and 0x16
1554>>>>&0	default	x
1555#>>>>>&-1 ubyte	x			\b, INTERUPT %#x
1556# like: LOADER.COM SETENHKB.COM banner.com copybs.com gif2raw.com poweroff.com rem.com
1557>>>>>0		use		msdos-com
1558# few COM executables without interrupt instruction like RESTART.COM (DOS 7.10) REBOOT.COM
1559# or some EUC-KR text files or one Ulead Imaginfo thumbnail
# reached only when the 0xCD search above found nothing
1560>>>3	default	x
1561# FOR DEBUGGING; 2nd instruction like 0x50 (RESTART.COM) 0x8e (REBOOT.COM)
1562# or random like: 0x0 (IMAGINFO.PE3 sky_snow) 0xb1 (euckr_.txt)
1563#>>>>3	ubyte	x			\b, 2nd INSTRUCTION %#x
1564# skip 1 Ulead Imaginfo thumbnail (IMAGINFO.PE3 sky_snow)
1565# inside SAMPLES/TEXTURES/SKY_SNOW
1566# from https://archive.org/download/PI3CANON/PI3CANON.iso
1567>>>>3	ubyte	!0x0
1568# skip some EUC-KR text files like: euckr_falsepositive.txt
1569# https://bugs.astron.com/view.php?id=186
# NOTE(review): this removes one reported byte value (0xb1) only; other text
# or data starting with 0xb8 and lacking 0xCD nearby still reaches msdos-com
1570>>>>>3	ubyte	!0xb1
1571# like: RESTART.COM (DOS 7.10) REBOOT.COM
1572>>>>>>0	use		msdos-com
1573
# Entry for the UPX decompression stub of DOS .COM files: three instruction
# sequences of the stub are matched in turn, then the literal "UPX!" tag.
# NOTE(review): the byte sequences follow the stub source referenced below;
# a file whose stub or tag differs from that source would presumably not get
# this description and would fall through to the later, more generic entries.
1574# URL:		https://en.wikipedia.org/wiki/UPX
1575# Reference:	https://github.com/upx/upx/archive/v3.96.zip/upx-3.96/
1576#		src/stub/src/i086-dos16.com.S
1577# Update:	Joerg Jenderek
1578# assembler instructions: cmp sp, offset sp_limit
15790	string/b	\x81\xfc
1580#>2	uleshort	x		\b, sp_limit=%#x
1581# assembler instructions: jump above +2; int 0x20; mov cx, offset bytes_to_copy
1582>4	string	\x77\x02\xcd\x20\xb9
1583#>9	uleshort	x		\b, [bytes_to_copy]=%#x
1584# at different offsets assembler instructions: push di; jump decomp_start_n2b
1585>0x1e	search/3	\x57\xe9
1586#>>&0	uleshort	x		\b, decomp_start_n2b=%#x
1587# src/stub/src/include/header.S; UPX_MAGIC_LE32
1588>>&2	string		UPX!		FREE-DOS executable (COM), UPX
1589!:mime	application/x-dosexec
1590# UPX compressed *.CPI; See ./fonts
1591>>>&21	string		=FONT		compressed DOS code page font
1592!:ext	cpx
1593>>>&21	string		!FONT		compressed
1594!:ext	com
1595# compressed size?
1596#>>>&14	uleshort+152	x		\b, %u bytes
1597# uncompressed len
# printed as stored in the header; it is not compared with anything else here
1598>>>&12	uleshort	x		\b, uncompressed %u bytes
# The entries from here to the "copy loop" rules each look for a short literal
# at one fixed offset: the DR-DOS message text at 252, then the two bytes
# CD 21 (interrupt 21h) at offsets 2, 4, 5, 7, 10, 13, 18, 23, 30 and 70.
# Each offset comes from the sample files named in the comment above it.
# NOTE(review): a two-byte match at a fixed offset can occur in arbitrary
# data, so these descriptions are low-confidence; a consumer that makes an
# allow/block decision should not rely on them alone.
1599252	string Must\ have\ DOS\ version DR-DOS executable (COM)
1600!:mime	application/x-dosexec
1601!:ext	com
1602# GRR search is not working
1603#2	search/28	\xcd\x21	COM executable for MS-DOS
1604#WHICHFAT.cOM
16052	string	\xcd\x21		COM executable for DOS
1606!:mime	application/x-dosexec
1607!:ext	com
1608#DELTREE.cOM DELTREE2.cOM
16094	string	\xcd\x21		COM executable for DOS
1610!:mime	application/x-dosexec
1611!:ext	com
1612#IFMEMDSK.cOM ASSIGN.cOM COMP.cOM
16135	string	\xcd\x21		COM executable for DOS
1614!:mime	application/x-dosexec
1615!:ext	com
1616#DELTMP.COm HASFAT32.cOM
16177	string	\xcd\x21
# excludes data starting with 0xb8, which has its own entry in this file
1618>0	byte	!0xb8			COM executable for DOS
1619!:mime	application/x-dosexec
1620!:ext	com
1621#COMP.cOM MORE.COm
162210	string	\xcd\x21
# keeps this entry from repeating the description of the offset-5 entry above
1623>5	string	!\xcd\x21		COM executable for DOS
1624!:mime	application/x-dosexec
1625!:ext	com
1626#comecho.com
162713	string	\xcd\x21		COM executable for DOS
1628!:mime	application/x-dosexec
1629!:ext	com
1630#HELP.COm EDIT.coM
163118	string	\xcd\x21
1632# not printable before it?
# NOTE(review): as written, the description is printed only when the (signed)
# byte at 17 is greater than 32 and the "<126" test does not match, because
# `default` runs only if no earlier test at its level matched - confirm that
# this is the intended reading of "not printable"
1633>17	byte	>32
1634>>17	byte	<126
1635>>17	default	x			COM executable for MS-DOS
1636!:mime	application/x-dosexec
1637!:ext	com
1638#NWRPLTRM.COm
163923	string	\xcd\x21		COM executable for MS-DOS
1640!:mime	application/x-dosexec
1641!:ext	com
1642#LOADFIX.cOm LOADFIX.cOm
164330	string	\xcd\x21		COM executable for MS-DOS
1644!:mime	application/x-dosexec
1645!:ext	com
1646#syslinux.com 3.11
164770	string	\xcd\x21		COM executable for DOS
1648!:mime	application/x-dosexec
1649!:ext	com
1650# many compressed/converted COMs start with a copy loop instead of a jump
16510x6	search/0xa	\xfc\x57\xf3\xa5\xc3	COM executable for MS-DOS
1652!:mime	application/x-dosexec
1653!:ext	com
16540x6	search/0xa	\xfc\x57\xf3\xa4\xc3	COM executable for DOS
1655!:mime	application/x-dosexec
1656!:ext	com
# this continuation belongs to the \xa4 entry directly above only; the \xa5
# entry has no aPack test
1657>0x18	search/0x10	\x50\xa4\xff\xd5\x73	\b, aPack compressed
16580x3c	string		W\ Collis\0\0		COM executable for MS-DOS, Compack compressed
1659!:mime	application/x-dosexec
1660!:ext	com
1661# FIXME: missing diet .com compression
1662
1663# miscellaneous formats
# Two-character signature "LZ" at offset 0 with no further test.  No
# !:mime or !:ext is attached, unlike the COM entries above.
16640	string/b	LZ		MS-DOS executable (built-in)
1665#0	byte		0xf0		MS-DOS program library data
1666#
1667
1668# AAF files:
1669# <stuartc@rd.bbc.co.uk> Stuart Cunningham
# Two 24-byte literals at offset 0 that share their first 8 bytes and differ
# afterwards; both descriptions name MS Structured Storage as the container.
# The byte at offset 30 selects the sector-size suffix (9 or 12); any other
# value prints no suffix.
16700	string/b	\320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377			AAF legacy file using MS Structured Storage
1671>30	byte	9		(512B sectors)
1672>30	byte	12		(4kB sectors)
16730	string/b	\320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001			AAF file using MS Structured Storage
1674>30	byte	9		(512B sectors)
1675>30	byte	12		(4kB sectors)
1676
1677# Popular applications
1678#
1679# Update:	Joerg Jenderek
1680# URL:		http://fileformats.archiveteam.org/wiki/DOC
1681# Reference:	https://web.archive.org/web/20170206041048/
1682#		http://www.msxnet.org/word2rtf/formats/ffh-dosword5
# Entry for DOS Word / Windows Write documents (big-endian 0x31be0000 at 0).
# The value at offset 96 separates Word (0) from Write (non-zero); after that
# header fields and the start of the text are appended.
# NOTE(review): document name, author, reviser, keywords, comment, version,
# style-sheet name, printer name and the text itself are copied from the file
# into the description with %s.  The resulting line therefore carries
# file-controlled text, and tools that log or display it should handle it as
# untrusted input.
1683# wIdent+dty
16840	belong	0x31be0000
1685# skip droid skeleton like x-fmt-274-signature-id-488.doc
1686>128	ubyte		>0  			Microsoft
1687>>96	uleshort	=0			Word
1688!:mime	application/msword
1689!:apple	MSWDWDBN
1690# DCX is used in the Unix version.
1691!:ext	doc/dcx
1692>>>0x6E	ulequad		=0			1.0-4.0
1693>>>0x6E	ulequad		!0			5.0-6.0
1694>>>0x6E	ulequad		x			(DOS) Document
1695# https://web.archive.org/web/20130831064118/http://msxnet.org/word2rtf/formats/write.txt
1696>>96	uleshort	!0			Write 3.0 (Windows) Document
1697!:mime	application/x-mswrite
1698!:apple	MSWDWDBN
1699# sometimes also doc like in splitter.doc srchtest.doc
1700!:ext	wri/doc
1701# wTool must be 0125400 octal
1702#>>4	uleshort	!0xAB00			\b, wTool %o
1703# reserved; must be zero
1704#>>6	ulelong		!0			\b, reserved %u
1705# block pointer to the block containing optional file manager information
1706#>>0x1C	uleshort	x			\b, at %#x info block
1707# jump to File manager information block
# the offset is the 16-bit value stored at 0x1C multiplied by 128, so it is
# chosen by the file; the nested tests run only if that offset can be read
1708>>(0x1C.s*128)	uleshort x
1709# test for valid information start; maybe also 0012h
1710>>>&-2		uleshort	=0x0014
1711# Document ASCIIZ name
1712>>>>&0x12	string		x		%s
1713# author name
1714>>>>>&1		string		x		\b, author %s
1715# reviser name
1716>>>>>>&1	string		x		\b, reviser %s
1717# keywords
1718>>>>>>>&1	string		x		\b, keywords %s
1719# comment
1720>>>>>>>>&1	string		x		\b, comment %s
1721# version number
1722>>>>>>>>>&1	string		x		\b, version %s
1723# date of last change MM/DD/YY
1724>>>>>>>>>>&1	string		x		\b, %-.8s
1725# creation date MM/DD/YY
1726>>>>>>>>>>&9	string		x		created %-.8s
1727# file name of print format like NORMAL.STY
1728>>0x1E	string		>0			\b, formatted by %-.66s
1729# count of pages in whole file for write variant; may sometimes be wrong
1730>>96	uleshort	>0			\b, %u pages
1731# name of the printer driver like HPLASMS
1732>>0x62	string		>0			\b, %-.8s printer
1733# number of blocks used in the file; seems to be 0 for Word 4.0 and Write 3.0
1734>>0x6A	uleshort	>0			\b, %u blocks
1735# bit field for corrected text areas
1736#>>0x6C	uleshort	x			\b, %#x bit field
1737# text of document; sometimes starts with 4 non printable characters like CR LF
# the ladder below skips up to five leading bytes below 0x20 (offsets 128 to
# 132) and prints the text from the first byte above 0x1F
1738>>128	ubyte		x			\b,
1739>>>128		ubyte	>0x1F
1740>>>>128		string	x			%s
1741>>>128		ubyte	<0x20
1742>>>>129		ubyte	>0x1F
1743>>>>>129	string	x			%s
1744>>>>129		ubyte	<0x20
1745>>>>>130	ubyte	>0x1F
1746>>>>>>130	string	x			%s
1747>>>>>130	ubyte	<0x20
1748>>>>>>131	ubyte	>0x1F
1749>>>>>>>131	string	x			%s
1750>>>>>>131	ubyte	<0x20
1751>>>>>>>132	ubyte	>0x1F
1752>>>>>>>>132	string	x			%s
1753>>>>>>>132	ubyte	<0x20
1754>>>>>>>>133	ubyte	>0x1F
1755>>>>>>>>>133	string	x			%s
1756#
# Short fixed signatures for Word 6.0, Word for Macintosh 1.0-5.0, Word 2.0,
# WinWord 2.0 and an Excel worksheet.  Each entry is a literal at offset 0
# (the Macintosh entry first requires four zero bytes at offset 4).
17570	string/b	PO^Q`				Microsoft Word 6.0 Document
1758!:mime	application/msword
1759#
# NOTE(review): the top-level test is only "four zero bytes at offset 4"; the
# format is decided entirely by the 4-byte values tested at offset 0 below
17604   long        0
1761>0  belong      0xfe320000      Microsoft Word for Macintosh 1.0
1762!:mime	application/msword
1763!:ext   mcw
1764>0  belong      0xfe340000      Microsoft Word for Macintosh 3.0
1765!:mime	application/msword
1766!:ext   mcw
1767>0  belong      0xfe37001c      Microsoft Word for Macintosh 4.0
1768!:mime	application/msword
1769!:ext   mcw
1770>0  belong      0xfe370023      Microsoft Word for Macintosh 5.0
1771!:mime	application/msword
1772!:ext   mcw
1773
17740	string/b	\333\245-\0\0\0			Microsoft Word 2.0 Document
1775!:mime	application/msword
1776!:ext   doc
1777# Note: seems already recognized as "OLE 2 Compound Document" in ./ole2compounddocs
1778#512	string/b	\354\245\301			Microsoft Word Document
1779#!:mime	application/msword
1780
1781#
# NOTE(review): \xDB\xA5\x2D\x00 is the first four bytes of the octal literal
# of the "Word 2.0" entry above (\333\245-\0), so any data matching that
# entry also satisfies this one
17820	string/b	\xDB\xA5\x2D\x00		Microsoft WinWord 2.0 Document
1783!:mime application/msword
1784
1785#
17860	string/b	\x09\x04\x06\x00\x00\x00\x10\x00	Microsoft Excel Worksheet
1787!:mime	application/vnd.ms-excel
1788# https://www.macdisk.com/macsigen.php
1789!:apple	XCELXLS4
1790!:ext	xls
1791#
# Entry for Lotus 1-2-3 files with the longer BOF record (record type 0000h,
# length 001Ah).  The character-set byte at 20 must be 1-31; the revision at
# offset 4 selects the description and extension, and the sub code at offset
# 6 selects between cell-range output and the font-name search.
1792# Update: Joerg Jenderek
1793# URL: https://en.wikipedia.org/wiki/Lotus_1-2-3
1794# Reference: http://www.aboutvb.de/bas/formate/pdf/wk3.pdf
1795# Note: newer Lotus versions >2 use longer BOF record
1796# record type (BeginningOfFile=0000h) + length (001Ah)
17970	belong	0x00001a00
1798# reserved should be 0h but 8c0dh for TUTMAC.WK3, 5h for SAMPADNS.WK3, 1h for a_readme.wk3, 1eh for K&G86.WK3
1799#>18	uleshort&0x73E0	0
1800# Lotus Multi Byte Character Set (LMBCS=1-31)
1801>20	ubyte		>0
1802>>20	ubyte		<32	Lotus 1-2-3
1803#!:mime	application/x-123
1804!:mime	application/vnd.lotus-1-2-3
1805!:apple	????L123
1806# (version 5.26) labeled the entry as "Lotus 1-2-3 wk3 document data"
1807>>>4	uleshort	0x1000	WorKsheet, version 3
1808!:ext	wk3
1809# (version 5.26) labeled the entry as "Lotus 1-2-3 wk4 document data"
1810>>>4	uleshort	0x1002	WorKsheet, version 4
1811# also worksheet template 4 (.wt4)
1812!:ext	wk4/wt4
1813# no example or documentation for wk5
1814#>>4	uleshort	0x????	WorKsheet, version 4
1815#!:ext	wk5
1816# only MacrotoScript.123 example
1817>>>4	uleshort	0x1003	WorKsheet, version 97
1818# also worksheet template Smartmaster (.12M)?
1819!:ext	123
1820# only Set_Y2K.123 example
1821>>>4	uleshort	0x1005	WorKsheet, version 9.8 Millennium
1822!:ext	123
1823# no example for this version
1824>>>4	uleshort	0x8001	FoRMatting data
1825!:ext	frm
1826# (version 5.26) labeled the entry as "Lotus 1-2-3 fm3 or fmb document data"
1827# TrID labels the entry as "Formatting Data for Lotus 1-2-3 worksheet"
1828>>>4	uleshort	0x8007	ForMatting data, version 3
1829!:ext	fm3
# fallback for revisions not listed above: the raw revision value is printed
1830>>>4	default		x	unknown
1831# file revision sub code 0004h for worksheets
1832>>>>6	uleshort	=0x0004	worksheet
1833!:ext	wXX
1834>>>>6	uleshort	!0x0004	formatting data
1835!:ext	fXX
1836# main revision number
1837>>>>4	uleshort	x	\b, revision %#x
1838>>>6	uleshort	=0x0004	\b, cell range
1839# active cellcoord range (start row, page,column ; end row, page, column)
1840# start values normally 0~1st sheet A1
1841>>>>8	ulelong		!0
1842>>>>>10	ubyte		>0	\b%d*
1843>>>>>8	uleshort	x	\b%d,
1844>>>>>11	ubyte		x	\b%d-
1845# end page mostly 0
1846>>>>14	ubyte		>0	\b%d*
1847# end row, column normally not 0
1848>>>>12	uleshort	x	\b%d,
1849>>>>15	ubyte		x	\b%d
1850# Lotus Multi Byte Character Set (1~cp850,2~cp851,...,16~japan,...,31~??)
1851>>>>20	ubyte		>1	\b, character set %#x
1852# flags
1853>>>>21	ubyte		x	\b, flags %#x
1854>>>6	uleshort	!0x0004
1855# record type (FONTNAME=00AEh)
1856>>>>30	search/29	\0\xAE
1857# variable length m (2) + entries (1) + ?? (1) + LMBCS string (n)
# the font name is printed from the file with %s
1858>>>>>&4	string		>\0	\b, 1st font "%s"
1859#
# Entry for older Lotus 1-2-3 / Symphony files with the short BOF record
# (record type 0000h, length 0002h).  The same four bytes start MS Windows
# cursor files, so strength is lowered by 1 and bytes 6 and 7 are tested
# before anything is printed; the revision at offset 4 then selects the
# description and extension.
1860# Update: Joerg Jenderek
1861# URL: http://fileformats.archiveteam.org/wiki/Lotus_1-2-3
1862# Reference: http://www.schnarff.com/file-formats/lotus-1-2-3/WSFF2.TXT
1863# Note: Used by both old Lotus 1-2-3 and Lotus Symphony (DOS) until version 2.x
1864# record type (BeginningOfFile=0000h) + length (0002h)
18650	belong	0x00000200
1866# GRR: line above is too general as it catches also MS Windows CURsor
1867# to display MS Windows cursor (strength=70) before Lotus 1-2-3 (strength=70-1)
1868!:strength -1
1869# skip Windows cursors with image height <256 and keep Lotus with low opcode 0001-0083h
1870>7	ubyte		0
1871# skip Windows cursors with image width 256 and keep Lotus with positive opcode
1872>>6	ubyte		>0	Lotus
1873# !:mime	application/x-123
1874!:mime	application/vnd.lotus-1-2-3
1875!:apple	????L123
1876# revision number (0404h = 123 1A, 0405h = Lotus Symphony , 0406h = 123 2.x wk1 , 8006h = fmt , ...)
1877# undocumented; (version 5.26) labeled the configurations as "Lotus 1-2-3"
1878>>>4	uleshort	0x0007	1-2-3 CoNFiguration, version 2.x (PGRAPH.CNF)
1879!:ext	cnf
1880>>>4	uleshort	0x0C05	1-2-3 CoNFiguration, version 2.4J
1881!:ext	cnf
1882>>>4	uleshort	0x0801	1-2-3 CoNFiguration, version 1-2.1
1883!:ext	cnf
1884>>>4	uleshort	0x0802	Symphony CoNFiguration
1885!:ext	cnf
1886>>>4	uleshort	0x0804	1-2-3 CoNFiguration, version 2.2
1887!:ext	cnf
1888>>>4	uleshort	0x080A	1-2-3 CoNFiguration, version 2.3-2.4
1889!:ext	cnf
1890>>>4	uleshort	0x1402	1-2-3 CoNFiguration, version 3.x
1891!:ext	cnf
1892>>>4	uleshort	0x1450	1-2-3 CoNFiguration, version 4.x
1893!:ext	cnf
1894# (version 5.26) labeled the entry as "Lotus 123"
1895# TrID labels the entry as "Lotus 123 Worksheet (generic)"
1896>>>4	uleshort	0x0404	1-2-3 WorKSheet, version 1
1897# extension "wks" also for Microsoft Works document
1898!:ext	wks
1899# (version 5.26) labeled the entry as "Lotus 123"
1900# TrID labels the entry as "Lotus 123 Worksheet (generic)"
1901>>>4	uleshort	0x0405	Symphony WoRksheet, version 1.0
1902!:ext	wrk/wr1
1903# (version 5.26) labeled the entry as "Lotus 1-2-3 wk1 document data"
1904# TrID labels the entry as "Lotus 123 Worksheet (V2)"
1905>>>4	uleshort	0x0406	1-2-3/Symphony worksheet, version 2
1906# Symphony (.wr1)
1907!:ext	wk1/wr1
1908# no example for this Japanese version
1909>>>4	uleshort	0x0600	1-2-3 WorKsheet, version 1.xJ
1910!:ext	wj1
1911# no example or documentation for wk2
1912#>>>4	uleshort	0x????	1-2-3 WorKsheet, version 2
1913#!:ext	wk2
1914# undocumented Japanese version
1915>>>4	uleshort	0x0602	1-2-3 worksheet, version 2.4J
1916!:ext	wj3
1917# (version 5.26) labeled the entry as "Lotus 1-2-3 fmt document data"
1918>>>4	uleshort	0x8006	1-2-3 ForMaTting data, version 2.x
1919# Japanese version 2.4J (fj3)
1920!:ext	fmt/fj3
1921# no example for this version
1922>>>4	uleshort	0x8007	1-2-3 FoRMatting data, version 2.0
1923!:ext	frm
1924# (version 5.26) labeled the entry as "Lotus 1-2-3"
1925>>>4	default		x	unknown worksheet or configuration
1926!:ext	cnf
1927>>>>4	uleshort	x	\b, revision %#x
1928# 2nd record for most worksheets describes cells range
1929>>>6		use	lotus-cells
1930# 3rd record for most Japanese worksheets describes cells range
# the offset is the 16-bit value stored at 8 plus 10, so it is taken from the file
1931>>>(8.s+10)	use	lotus-cells
1932#	check and then display Lotus worksheet cells range
# Sub-routine lotus-cells: called with `use lotus-cells` at the offset of a
# record.  It prints the range only if that record starts with type 0006h and
# length 0008h; otherwise it prints nothing.
19330	name		lotus-cells
1934# look for type (RANGE=0006h) + length (0008h) at record begin
1935>0	ubelong	0x06000800	\b, cell range
1936# cell range (start column, row, end column, row) start values normally 0,0~A1 cell
# `ulong` has no byte-order prefix, unlike the uleshort reads below; the test
# is only for non-zero, so the byte order does not change its result
1937>>4	ulong		!0
1938>>>4	uleshort	x	\b%d,
1939>>>6	uleshort	x	\b%d-
1940# end of cell range
1941>>8	uleshort	x	\b%d,
1942>>10	uleshort	x	\b%d
1943# EndOfLotus123
# Two literals for Lotus WordPro at offset 0: "WordPro" followed either by a
# NUL byte or by CR and the byte \373.  Both map to the same MIME type.
19440	string/b		WordPro\0	Lotus WordPro
1945!:mime	application/vnd.lotus-wordpro
19460	string/b		WordPro\r\373	Lotus WordPro
1947!:mime	application/vnd.lotus-wordpro
1948
1949
1950# Summary: Script used by InstallShield to uninstall applications
1951# Extension: .isu
1952# Submitted by: unknown
1953# Modified by (1): Abel Cheung <abelcheung@gmail.com> (replace useless entry)
# six signature bytes at offset 0, confirmed by the vendor string at offset 12
19540		string		\x71\xa8\x00\x00\x01\x02
1955>12		string		Stirling\ Technologies,		InstallShield Uninstall Script
1956
1957# Winamp .avs
1958#0	string	Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media player
# the active rule matches the text prefix only; the commented-out rule above
# also required the bytes "0.1" and \032 after it
19590	string/b	Nullsoft\ AVS\ Preset\ 	Winamp plug in
1960
1961# Windows Metafile .WMF
1962# URL: 		http://fileformats.archiveteam.org/wiki/Windows_Metafile
1963#		http://en.wikipedia.org/wiki/Windows_Metafile
1964# Reference:	https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-WMF/%5bMS-WMF%5d.pdf
1965#		http://mark0.net/download/triddefs_xml.7z/defs/w/wmf.trid.xml
1966# Note:		called "Windows Metafile" by TrID and
1967#		verified by ImageMagick `identify -verbose *.wmf` as WMF (Windows Meta File)
# Three entry points follow: the placeable header (4-byte signature, version
# checked at offset 26), a bare header of type 2 and a bare header of type 1.
# All of them pass the META_HEADER record to the wmf-head sub-routine.
# NOTE(review): the two bare-header variants rest on a 4-byte signature; only
# the type-1 variant adds a further test (non-zero data at offset 18).
1968# META_PLACEABLE Record (Aldus Placeable Metafile signature)
19690	string/b	\327\315\306\232
1970# Note:		called "Windows Metafile Image with Placeable File Header" by DROID via PUID x-fmt/119
1971#		and verified by XnView `nconvert -info abydos.wmf SPA_FLAG.wmf hardcopy-windows-meta.wmf` as "Windows Placeable metafile"
1972# skip failed libreoffice-7.3.2.2 ofz35149-1.wmf with invalid version 2020h and exttextout-2.wmf with invalid version 3a02h
1973# and x-fmt-119-signature-id-609.wmf without version instead of 0100h=METAVERSION100 or 0300h=METAVERSION300
# the mask clears bit 0x0200, so this single test accepts 0x0100 and 0x0300
1974>26	uleshort&0xFDff	=0x0100			Windows metafile
1975# HWmf; resource handle to the metafile; When the metafile is on disk, this field MUST contain 0
1976# seems to be always true but in failed samples 2020h ofz35149-1.wmf 56f8h exttextout-2.wmf
1977>>4	uleshort	!0			\b, resource handle %#x
1978# BoundingBox; the rectangle in the playback context measured in logical units for displaying
1979# sometimes useful like: hardcopy-windows-meta.wmf (0,0 / 1280,1024)
1980# but garbage in x-fmt-119-signature-id-609.wmf (-21589,-21589 / -21589,-21589)
1981#>>6	ubequad		x			\b, bounding box %#16.16llx
1982# Left; x-coordinate of the upper-left corner of the rectangle
1983>>6	leshort		x			\b, bounding box (%d
1984# Top; y-coordinate upper-left corner
1985>>8	leshort		x			\b,%d
1986# Right; x-coordinate lower-right corner
1987>>10	leshort		x			/ %d
1988# Bottom; y-coordinate lower-right corner
1989>>12	leshort		x			\b,%d)
1990# Inch; number of logical units per inch like: 72 96 575 576 1000 1200 1439 1440 2540
1991>>14	uleshort	x			\b, dpi %u
1992# Reserved; field is not used and MUST be set to 0; but ababababh in x-fmt-119-signature-id-609.wmf
1993>>16	ulelong		!0			\b, reserved %#x
1994# Checksum; checksum for the previous 10 words
# the stored value is printed; it is not recomputed from the header here
1995>>20	uleshort	x			\b, checksum %#x
1996# META_HEADER Record after META_PLACEABLE Record
1997>>22	use		wmf-head
1998# GRR:		no example for type 2 (DISKMETAFILE) variant found among a few thousand WMF files
19990	string/b	\002\000\011\000	Windows metafile
2000>0	use		wmf-head
2001# Reference:	http://mark0.net/download/triddefs_xml.7z/defs/w/wmf-16.trid.xml
2002# Note:		called "Windows Metafile (old Win 3.x format)" by TrID and
2003#		"Windows Metafile Image without Placeable File Header" by DROID via PUID x-fmt/119
2004#		verified by XnView `nconvert -info *.wmf` as Windows metafile
2005# variant with type=1=MEMORYMETAFILE and valid HeaderSize 9
20060	string/b	\001\000\011\000
2007# skip DROID x-fmt-119-signature-id-1228.wmf by looking for content after header (18 bytes=2*011)
2008>18	ulelong		>0			Windows metafile
2009# GRR: in version 5.44 unequal and not endian variant not working!
2010#>18	ulelong		!0			THIS_SHOULD_NOT_HAPPEN
2011#>18	long		!0			THIS_SHOULD_NOT_HAPPEN
2012>>0	use		wmf-head
2013#	display information of Windows metafile header (type, size, objects)
# Sub-routine wmf-head: called with `use wmf-head` at the offset of the
# META_HEADER record and prints its fields.
# NOTE(review): size, object count, largest record size and member count are
# printed exactly as stored (`x` tests).  Nothing here compares them with the
# real file length, so they are values claimed by the file, not measured.
20140	name		wmf-head
2015# MetafileType: 0001h=MEMORYMETAFILE~Metafile is stored in memory 0002h=DISKMETAFILE~Metafile is stored on disk
2016>0	uleshort	!0x0001			\b, type %#x
2017# HeaderSize; the number of WORDs in header record; seems to be always 9 (18 bytes)
2018>2	uleshort*2	!18			\b, header size %u
2019# MetafileVersion: 0100h=METAVERSION100~DIBs (device-independent bitmaps) not supported 0300h=METAVERSION300~DIBs are supported
2020# but in failed samples 2020h ofz35149-1.wmf 3a02h exttextout-2.wmf
2021>4	uleshort	=0x0100			\b, DIBs not supported
# matching 0x0300 prints nothing; the line keeps the default branch below
# from firing for that version
2022>4	uleshort	=0x0300
2023#>4	uleshort	=0x0300			\b, DIBs supported
2024# this should not happen!
2025>4	default		x			\b, version
2026>>4	uleshort	x			%#x
2027# Size; the number of WORDs in the entire metafile
2028>6	ulelong	x				\b, size %u words
2029#>6	ulelong*2	x			\b, size %u bytes
2030!:mime	image/wmf
2031!:ext	wmf
2032# NumberOfObjects: the number of graphics objects like: 0 hardcopy-windows-meta.wmf 1 2 3 4 5 6 7 8 9 12 13 14 16 17 20 27 110 PERSGRID.WMF
2033>10	uleshort	x			\b, %u objects
2034# MaxRecord: the size of the largest record in the metafile in WORDs like: 78h b0h 1f4h 310h 63fh 1e0022h 3fcc21h
2035>12	ulelong		x			\b, largest record size %#x
2036# NumberOfMembers: It SHOULD be 0x0000, but 5 TestBitBltStretchBlt.wmf 13 TestPalette.wmf and in failed samples 4254 bitcount-1.wmf 8224 ofz5942-1.wmf 56832 exttextout-2.wmf
2037>16	uleshort	!0			\b, %u members
2038
2039#tz3 files whatever that is (MS Works files)
20400	string/b	\003\001\001\004\070\001\000\000	tz3 ms-works file
20410	string/b	\003\002\001\004\070\001\000\000	tz3 ms-works file
20420	string/b	\003\003\001\004\070\001\000\000	tz3 ms-works file
2043
2044# PGP sig files .sig
2045#0 string \211\000\077\003\005\000\063\237\127 065 to  \027\266\151\064\005\045\101\233\021\002 PGP sig
20460 string \211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002 PGP sig
20470 string \211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002 PGP sig
20480 string \211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002 PGP sig
20490 string \211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002 PGP sig
20500 string \211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002 PGP sig
20510 string \211\000\225\003\005\000\062\122\207\304\100\345\042 PGP sig
2052
2053# Windows zipped files .dmf
20540	string/b	MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000 MS Windows special zipped file
2055
2056# Windows icons
2057# Update: Joerg Jenderek
2058# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
2059# Note: similar to Windows CURsor. container for BMP (only DIB part) or PNG
20600   belong  0x00000100
2061>9  byte    0
2062>>0 byte    x
2063>>0 use     cur-ico-dir
2064>9  ubyte   0xff
2065>>0 byte    x
2066>>0 use     cur-ico-dir
2067#	displays number of icons and information for icon or cursor
20680	name		cur-ico-dir
2069# skip some Lotus 1-2-3 worksheets, CYCLE.PIC and keep Windows cursors with
2070# 1st data offset = dir header size + n * dir entry size = 6 + n * 10h = ?6h
2071>18		ulelong		&0x00000006
2072# skip remaining worksheets, because valid only for DIB image (40) or PNG image (\x89PNG)
2073>>(18.l)	ulelong		x		MS Windows
2074>>>0		ubelong		0x00000100	icon resource
2075# https://www.iana.org/assignments/media-types/image/vnd.microsoft.icon
2076!:mime		image/vnd.microsoft.icon
2077#!:mime		image/x-icon
2078!:ext		ico
2079>>>>4 		uleshort	x		- %d icon
2080# plural s
2081>>>>4 		uleshort	>1		\bs
2082# 1st icon
2083>>>>0x06	use		ico-entry
2084# 2nd icon
2085>>>>4 		uleshort	>1
2086>>>>>0x16	use		ico-entry
2087>>>0		ubelong		0x00000200	cursor resource
2088#!:mime		image/x-cur
2089!:mime		image/x-win-bitmap
2090!:ext		cur
2091>>>>4 		uleshort	x		- %d icon
2092>>>>4 		uleshort	>1		\bs
2093# 1st cursor
2094>>>>0x06	use		cur-entry
2095#>>>>0x16	use		cur-entry
2096#	display information of one cursor entry
20970	name		cur-entry
2098>0	use		cur-ico-entry
2099>4	uleshort	x	\b, hotspot @%dx
2100>6	uleshort	x	\b%d
2101#	display information of one icon entry
21020	name		ico-entry
2103>0			use	cur-ico-entry
2104# normally 0 1 but also found 14
2105>4	uleshort	>1	\b, %d planes
2106# normally 0 1 but also found some 3, 4, some 6, 8, 24, many 32, two 256
2107>6	uleshort	>1	\b, %d bits/pixel
2108#	display shared information of cursor or icon entry
21090		name		cur-ico-entry
2110>0		byte		=0		\b, 256x
2111>0		byte		!0		\b, %dx
2112>1		byte        	=0		\b256
2113>1		byte        	!0		\b%d
2114# number of colors in palette
2115>2		ubyte		!0		\b, %d colors
2116# reserved 0 FFh
2117#>3		ubyte        	x		\b, reserved %x
2118#>8		ulelong		x		\b, image size %d
2119# offset of PNG or DIB image
2120#>12		ulelong		x		\b, offset %#x
2121# PNG header (\x89PNG)
2122>(12.l)		ubelong		=0x89504e47
2123# 1 space char after "with" to get phrase "with PNG image" by magic in ./images
2124>>&-4		indirect	x	\b with
2125# DIB image
2126>(12.l)		ubelong		!0x89504e47
2127#>>&-4		use     	dib-image
2128
2129# Windows non-animated cursors
2130# Update: Joerg Jenderek
2131# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
2132# Note: similar to Windows ICOn. container for BMP ( only DIB part)
2133# GRR: line below is too general as it catches also Lotus 1-2-3 files
21340   belong  0x00000200
2135>9  byte    0
2136>>0 use     cur-ico-dir
2137>9  ubyte   0xff
2138>>0 use     cur-ico-dir
2139
2140# .chr files
21410	string/b	PK\010\010BGI	Borland font
2142>4	string	>\0	%s
2143# then there is a copyright notice
2144
2145
2146# .bgi files
21470	string/b	pk\010\010BGI	Borland device
2148>4	string	>\0	%s
2149# then there is a copyright notice
2150
2151
2152# Windows Recycle Bin record file (named INFO2)
2153# By Abel Cheung (abelcheung AT gmail dot com)
2154# Version 4 always has 280 bytes (0x118) per record, version 5 has 800 bytes (0x320)
2155# Since Vista uses another structure, INFO2 structure probably won't change
2156# anymore. Detailed analysis in:
2157# http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf
21580	lelong		0x00000004
2159>12	lelong		0x00000118	Windows Recycle Bin INFO2 file (Win98 or below)
2160
21610	lelong		0x00000005
2162>12	lelong		0x00000320	Windows Recycle Bin INFO2 file (Win2k - WinXP)
2163
2164# From Doug Lee via a FreeBSD pr
21659	string		GERBILDOC	First Choice document
21669	string		GERBILDB	First Choice database
21679	string		GERBILCLIP	First Choice database
21680	string		GERBIL		First Choice device file
21699	string		RABBITGRAPH	RabbitGraph file
21700	string		DCU1		Borland Delphi .DCU file
21710	string		=!<spell>	MKS Spell hash list (old format)
21720	string		=!<spell2>	MKS Spell hash list
2173# Too simple - MPi
2174#0	string		AH		Halo(TM) bitmapped font file
21750	lelong		0x08086b70	TurboC BGI file
21760	lelong		0x08084b50	TurboC Font file
2177
2178# Debian#712046: The magic below identifies "Delphi compiled form data".
2179# An additional source of information is available at:
2180# http://www.woodmann.com/fravia/dafix_t1.htm
21810	string		TPF0
2182>4	pstring		>\0		Delphi compiled form '%s'
2183
2184# tests for DBase files moved, updated and merged to database
2185
21860	string		PMCC		Windows 3.x .GRP file
21871	string		RDC-meg		MegaDots
2188>8	byte		>0x2F		version %c
2189>9	byte		>0x2F		\b.%c file
2190
2191# .PIF files added by Joerg Jenderek from https://smsoft.ru/en/pifdoc.htm
2192# only for Windows versions equal to or greater than 3.0
21930x171	string	MICROSOFT\ PIFEX\0	Windows Program Information File
2194!:mime	application/x-dosexec
2195!:ext	pif
2196#>2	string	 	>\0		\b, Title:%.30s
2197>0x24	string		>\0		\b for %.63s
2198>0x65	string		>\0		\b, directory=%.64s
2199>0xA5	string		>\0		\b, parameters=%.64s
2200#>0x181	leshort	x	\b, offset %x
2201#>0x183	leshort	x	\b, offsetdata %x
2202#>0x185	leshort	x	\b, section length %x
2203>0x187	search/0xB55	WINDOWS\ VMM\ 4.0\0
2204>>&0x5e		ubyte	>0
2205>>>&-1		string	<PIFMGR.DLL		\b, icon=%s
2206#>>>&-1		string	PIFMGR.DLL		\b, icon=%s
2207>>>&-1		string	>PIFMGR.DLL		\b, icon=%s
2208>>&0xF0		ubyte	>0
2209>>>&-1		string	<Terminal		\b, font=%.32s
2210#>>>&-1		string	=Terminal		\b, font=%.32s
2211>>>&-1		string	>Terminal		\b, font=%.32s
2212>>&0x110	ubyte	>0
2213>>>&-1		string	<Lucida\ Console	\b, TrueTypeFont=%.32s
2214#>>>&-1		string	=Lucida\ Console	\b, TrueTypeFont=%.32s
2215>>>&-1		string	>Lucida\ Console	\b, TrueTypeFont=%.32s
2216#>0x187	search/0xB55	WINDOWS\ 286\ 3.0\0	\b, Windows 3.X standard mode-style
2217#>0x187	search/0xB55	WINDOWS\ 386\ 3.0\0	\b, Windows 3.X enhanced mode-style
2218>0x187	search/0xB55	WINDOWS\ NT\ \ 3.1\0	\b, Windows NT-style
2219#>0x187	search/0xB55	WINDOWS\ NT\ \ 4.0\0	\b, Windows NT-style
2220>0x187	search/0xB55	CONFIG\ \ SYS\ 4.0\0	\b +CONFIG.SYS
2221#>>&06		string	x			\b:%s
2222>0x187	search/0xB55	AUTOEXECBAT\ 4.0\0	\b +AUTOEXEC.BAT
2223#>>&06		string	x			\b:%s
2224
2225# Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C
2226# of http://www.davep.org/norton-guides/ng2h-105.tgz
2227# https://en.wikipedia.org/wiki/Norton_Guides
22280	string		NG\0\001
2229# only value 0x100 found at offset 2
2230>2	ulelong		0x00000100	Norton Guide
2231!:mime	application/x-norton-guide
2232# often like NORTON.NG but some times like NC.HLP
2233!:ext	ng/hlp
2234# Title[40]
2235>>8	string		>\0		"%-.40s"
2236#>>6	uleshort	x		\b, MenuCount=%u
2237# szCredits[5][66]
2238>>48	string		>\0		\b, %-.66s
2239>>114	string		>\0		%-.66s
2240
2241# URL:		https://en.wikipedia.org/wiki/Norton_Commander
2242# Reference:	http://mark0.net/download/triddefs_xml.7z/defs/m/msg-nc-eng.trid.xml
2243# From:		Joerg Jenderek
2244# Note:		Message file is used by executable with same main name.
2245#		Only tested with version 5.50 (english) and 2.01 (Windows)
22460	string		Abort
2247# \0 or i
2248#>5	ubyte		x		%x
2249# skip ASCII Abort text by looking for error message like in NCVIEW.MSG
2250>6	search/7089	Non-DOS\ disk	Norton Commander module message
2251!:mime	application/x-norton-msg
2252!:ext	msg
2253
2254# URL:		http://www.antonis.de/dos/dos-tuts/mpdostip/html/nwdostip.htm
2255# Reference:	https://mark0.net/download/triddefs_xml.7z/defs/m/msg-netware-dos.trid.xml
2256# From:		Joerg Jenderek
22570	string	DOS\ Client\ Message\ File:	Novell DOS client message
2258#!:mime	application/octet-stream
2259#!:mime	application/x-novell-msg
2260!:ext	msg
2261# look for second letter instead space character
2262>26	ubyte		>0x20
2263# digit 1 or often main or program name like: IPXODI.COM TASKID pnwtrap DOSRqstr
2264>>25		ubyte	!0x20			%c
2265>>>26		ubyte	!0x20			\b%c
2266>>>>27		ubyte	!0x20			\b%c
2267>>>>>28		ubyte	!0x20			\b%c
2268>>>>>>29	ubyte	!0x20			\b%c
2269>>>>>>>30	ubyte	!0x20			\b%c
2270>>>>>>>>31	ubyte	!0x20			\b%c
2271>>>>>>>>>32	ubyte	!0x20			\b%c
2272>>>>>>>>>>33	ubyte	!0x20			\b%c
2273>>>>>>>>>>>34	ubyte	!0x20			\b%c
2274>>>>>>>>>>>>35	ubyte	!0x20			\b%c
2275>>>>>>>>>>>>>36	ubyte	!0x20			\b%c
2276# followed by string like: 0 v.10 V1.20
2277#
2278# followed by ,\040Tran
2279>28	search/14	,\040Tran
2280# probably translated version string like: 0 v1.00
2281>>&0	string	x				\b, tran version %s
2282# followed by Ctrl-J Ctrl-Z
2283>>>&0	ubyte		!0xa			\b, terminated by %#2.2x
2284>>>>&0	ubyte		x			\b%2.2x
2285# Ctrl-Z
2286>0x65	ubyte		!0x1A			\b, at 0x65 %#x
2287# one
2288>0x66	ubyte		!0x01			\b, at 0x66 %#x
2289# URL:		https://en.wikipedia.org/wiki/NetWare
2290# Reference:	http://mark0.net/download/triddefs_xml.7z/defs/d/dat-novell-msg.trid.xml
2291# ftp://ftp.iitb.ac.in/LDP/en/NLM-HOWTO/NLM-HOWTO-single.html
2292# From:		Joerg Jenderek
22930	string	Novell\ Message\ Librarian\ Data\ File	Novell message librarian data
2294#>35	string	Version\ 1.00
2295#>49	string	COPYRIGHT\ (c)\ 1985\ by\ Novell,\ Inc.
2296#>83	string	\ \ All\ Rights\ Reserved
2297#!:mime	application/octet-stream
2298#!:mime	application/x-novell-msg
2299!:ext	msg
2300#!:ext	msg/dat
2301
2302# Summary:	Turbo Pascal Help
2303# From:		Joerg Jenderek
2304# URL:		https://en.wikipedia.org/wiki/Turbo_Pascal
2305# Reference:	http://mark0.net/download/triddefs_xml.7z/defs/h/hlp-tp-2.trid.xml
2306# Note:		called "Turbo Pascal Help (v2)" by TrID
23070	string		TPH2	Turbo Pascal help, version 2
2308#!:mime	application/octet-stream
2309!:mime	application/x-pascal-hlp
2310# 4DOS help file, version 1.00 3.30
2311!:ext	hlp
2312# URL:		https://en.wikipedia.org/wiki/4DOS
2313# Reference:	http://mark0.net/download/triddefs_xml.7z/defs/h/hlp-4dos-v2.trid.xml
2314# Note:		called "4DOS Help (v2)" by TrID
23150	string	ALIAS\r\nASSIGN\r\n
2316>13	search/3016	4DOS	4DOS help file, version 2.x
2317#!:mime	text/plain
2318!:mime	application/x-4dos-hlp
2319# DOS.HLP 4DOS help file, version 2.21
2320!:ext	hlp
2321# Reference:	http://mark0.net/download/triddefs_xml.7z/defs/h/hlp-4dos-v4.trid.xml
2322# Note:		called "4DOS Help (v4)" by TrID
23230	string		4DH4	4DOS help file, version 4.x
2324#!:mime	application/octet-stream
2325!:mime	application/x-4dos-hlp
2326# 4dos402b.hlp
2327!:ext	hlp
2328# Reference:	https://4dos.info/4dsource/4helpsrc.zip/TPHELP.PAS
2329# Reference:	http://mark0.net/download/triddefs_xml.7z/defs/h/hlp-4dos.trid.xml
2330# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS
2331# of https://www.4dos.info/
2332# check for valid pascal string length (6 or 8) of HelpID, 4DH magic, valid major number (5 6 7 8)
23330	ubequad&0xF1ffFFffF0000000	0x0034444830000000	4DOS help file
2334#!:mime	application/octet-stream
2335!:mime	application/x-4dos-hlp
2336!:ext	hlp
2337# pascal string length of HelpID like: 6 8
2338#>0	ubyte	x			PLENGHT=%x
2339# Note:	version string corresponds to, or is a little bit lower than, the value of the _4VER variable or the output of the 4DOS command `VER /R`
2340# one-digit major version number of version string
2341>4	string	x			\b, version %-1.1s
2342# two-digit minor version number depending on pascal string length at the beginning
2343>>0	ubyte	8			\b.
2344>>>5	string	x			\b%-2.2s
2345# Bytes at offset 7 (A=41h) and 8 (A=41h) are not the Revision, like C (=43h), as reported by VER /R for 4DOS602b.HLP
2346# GRR: maybe this is patch level
2347>>>7	string	x			%-.2s
2348# few samples with string length 6 (implying exact 2 byte minor version digits) like in 4DOS500f.HLP 4dos551c_ge.hlp
2349>>0	ubyte	6			\b.
2350>>>5	string	x			\b%-2.2s
2351# just in case pascal string length is neither 6 nor 8
2352#>>0	default	x			\b.
2353#>>>5	string	x			%-2.2s
2354# false for version 5.52 and older, but true for version 6.02 and newer
2355>4	ubeshort	>0x3535
2356# HighestTopic; highest topic number
2357#>>9	uleshort x			HighestTopic=%#4.4x
2358# NumTopics; number of topics
2359#>>11	uleshort x			NumTopics=%#4.4x
2360# BiggestTopic; size of largest topic in uncompressed bytes
2361#>>13	uleshort x			BiggestTopic=%#4.4x
2362# NamedTopics; number of topics in help index
2363#>>15	uleshort x			NamedTopics=%#4.4x
2364# NameSize; Size of largest name, 0 for none
2365#>>17	uleshort x			NameSize=%#4.4x
2366# PickSize; size of each entry in pick table, 0 for none
2367#>>18	uleshort x			PickSize=%#4.4x
2368# width; width of help window, with frame if any
2369#>>19	ubyte x				Width=%#2.2x
2370# FirstTopic; topic to show first (0 = index)
2371#>>20	uleshort x			FirstTopic=%#4.4x
2372# KeysTopic; topic to show when keys help needed
2373#>>22	uleshort x			KeysTopic=%#4.4x
2374# ExtHelpName; string[13]; name for external help program like: HELP.COM DOSBOOK.EXE
2375>>24	pstring	x			\b, external help %s
2376# ExtHelpEnv; String[16]; environment variable for alternate external help program name like: DOSHELP
2377>>38	pstring	x			or specified by DOS environment variable %s
2378# XlateArray = array[0..29] of Byte; {Most common characters in help text}
2379#>>55	ubequad x			XlateArray=%#16.16llx
2380# SharewareData : SharewareDataRec; shareware info for 4DOS.COM
2381#>>87	ubequad x			SharewareData=%#16.16llx
2382
2383# old binary Microsoft (.HLP) files added by Joerg Jenderek from http://file-extension.net/seeker/file_extension_hlp
2384# URL:		http://fileformats.archiveteam.org/wiki/Microsoft_Advisor_Help
2385# Reference:	http://mark0.net/download/triddefs_xml.7z/defs/h/hlp-ms-adv.trid.xml
2386# Note:		called "Microsoft Advisor Help" by TrID
23870	ulequad&0xFFffFFfeFFffFFff	0x003a000000024e4c	MS Advisor help file
2388#!:mime								application/octet-stream
2389!:mime								application/x-ms-hlp
2390!:ext								hlp
2391
2392# HtmlHelp files (.chm)
23930	string/b	ITSF\003\000\000\000\x60\000\000\000	MS Windows HtmlHelp Data
2394!:mime	application/vnd.ms-htmlhelp
2395!:ext	chm
2396
2397# GFA-BASIC (Wolfram Kleff)
23982	string/b	GFA-BASIC3	GFA-BASIC 3 data
2399
2400#------------------------------------------------------------------------------
2401# From Stuart Caie <kyzer@4u.net> (developer of cabextract)
2402# Update: Joerg Jenderek
2403# URL: https://en.wikipedia.org/wiki/Cabinet_(file_format)
2404# Reference: https://msdn.microsoft.com/en-us/library/bb267310.aspx
2405# Note: verified by `7z l *.cab`
2406# Microsoft Cabinet files
24070	string/b	MSCF\0\0\0\0	Microsoft Cabinet archive data
2408#
2409# https://support.microsoft.com/en-us/help/973559/frequently-asked-questions-about-the-microsoft-support-diagnostic-tool
2410# CAB with *.{diagcfg,diagpkg} is used by Microsoft Support Diagnostic Tool MSDT.EXE
2411# because some archives do not have *.diag* as 1st or 2nd archive member, like
2412# O15CTRRemove.diagcab or AzureStorageAnalyticsLogs_global.DiagCab,
2413# do a brute-force search (case-insensitive, limited to 980 bytes from offset 0x2c) for filenames with diagcfg or diagpkg extension in CFFILE section; names beyond that range are not labelled Diagnostic
2414>0x2c	search/980/c	.diag		\b, Diagnostic
2415!:mime	application/vnd.ms-cab-compressed
2416!:ext	diagcab
2417# http://fileformats.archiveteam.org/wiki/PUZ
2418# Microsoft Publisher version about 2003 has a "Pack and Go" feature that
2419# bundles a Publisher document *PNG.pub with all links into a CAB
2420>0x2c	search/300/c	png.pub\0		\b, Publisher Packed and Go
2421!:mime	application/vnd.ms-cab-compressed
2422!:ext	puz
2423# ppz variant with Microsoft PowerPoint Viewer ppview32.exe to play PowerPoint presentation
2424>0x2c	search/17/c	ppview32.exe\0		\b, PowerPoint Viewer Packed and Go
2425!:mime	application/vnd.ms-powerpoint
2426#!:mime	application/mspowerpoint
2427!:ext	ppz
2428# URL:		https://en.wikipedia.org/wiki/Windows_Desktop_Gadgets
2429# Reference:	https://docs.microsoft.com/en-us/previous-versions/windows/desktop/sidebar/
2430# http://win10gadgets.com/download/273/ All_CPU_Meter1.zip/All_CPU_Meter_V4.7.3.gadget
2431>0x2c	search/968/c	gadget.xml		\b, Windows Desktop Gadget
2432#!:mime	application/vnd.ms-cab-compressed
2433# http://extension.nirsoft.net/gadget
2434!:mime	application/x-windows-gadget
2435!:ext	gadget
2436# http://www.incredimail.com/
2437# IncrediMail CAB contains an initialisation file "content.ini" like in im2.ims
2438>0x2c	search/3369/c	content.ini\0	\b, IncrediMail
2439!:mime	application/x-incredimail
2440# member Flavor.htm implies IncrediMail ecard like in tell_a_friend.imf
2441>>0x2c	search/83/c	Flavor.htm\0	ecard
2442!:ext	imf
2443# member Macromedia Flash data *.swf implies IncrediMail skin like in im2.ims
2444>>0x2c	search/211/c	.swf\0		skin
2445!:ext	ims
2446# member anim.im3 implies IncrediMail animation like in letter_fold.ima
2447>>0x2c	search/92/c	anim.im3\0	animation
2448!:ext	ima
2449# other IncrediMail cab archive
2450>>0x2c	default		x
2451>>>0x2c	search/116/c	thumb		ecard, image, notifier or skin
2452!:ext	imf/imi/imn/ims
2453# http://file-extension.net/seeker/file_extension_ime
2454>>>0x2c	default		x		emoticons or sound
2455!:ext	ime/imw
2456# no Diagnostic, Packed and Go, Windows Desktop Gadget, IncrediMail
2457>0x2c	default		x
2458# look for 1st member name
2459>>(16.l+16)	ubyte	x
2460# From:		Joerg Jenderek
2461# URL:		https://docs.microsoft.com/en-us/windows-hardware/drivers/install/building-device-metadata-packages
2462# Reference:	http://mark0.net/download/triddefs_xml.7z/defs/d/devicemetadata-ms.trid.xml
2463>>>&-1	string 		PackageInfo.xml	\b, Device Metadata Package
2464!:mime	application/vnd.ms-cab-compressed
2465!:ext	devicemetadata-ms
2466# https://en.wikipedia.org/wiki/SNP_file_format
2467>>>&-1	string/c 	_accrpt_.snp	\b, Access report snapshot
2468!:mime	application/msaccess
2469!:ext	snp
2470# https://en.wikipedia.org/wiki/Microsoft_InfoPath
2471>>>&-1	string 		manifest.xsf	\b, InfoPath Form Template
2472!:mime	application/vnd.ms-cab-compressed
2473#!:mime	application/vnd.ms-infopath
2474!:ext	xsn
2475# https://www.cabextract.org.uk/wince_cab_format/
2476# extension of DOS 8+3 name with ".000" of 1st archive member name implies Windows CE installer
2477>>>&7	string 		=.000		\b, WinCE install
2478!:mime	application/vnd.ms-cab-compressed
2479!:ext	cab
2480
2481# https://support.microsoft.com/kb/934307/en-US
2482# All inspected MSU contain a file with name WSUSSCAN.cab
2483# that is called "Windows Update meta data" by Microsoft
2484>>>&-1	string/c 	wsusscan.cab	\b, Microsoft Standalone Update
2485!:mime	application/vnd.ms-cab-compressed
2486!:ext	msu
2487>>>&-1	default		x
2488# look at point character of 1st archive member name for file name extension
2489# GRR: search range may be too large and match a point character elsewhere, like in EN600x64.cab!
2490>>>>&-1	search/255 	.
2491# http://www.pptfaq.com/FAQ00164_What_is_a_PPZ_file-.htm
2492# PPZ were created using Pack & Go feature of PowerPoint versions 97 - 2002
2493# packs optional files, a PowerPoint presentation *.ppt with optional PLAYLIST.LST to CAB
2494>>>>>&0	string/c	ppt\0
2495>>>>>>28 uleshort	>1		\b, PowerPoint Packed and Go
2496!:mime	application/vnd.ms-powerpoint
2497#!:mime	application/mspowerpoint
2498!:ext	ppz
2499# or POWERPNT.PPT packed as POWERPNT.PP_ found on Windows 2000,XP setup CD in directory i386
2500>>>>>>28 uleshort	=1		\b, one packed PowerPoint
2501!:mime	application/vnd.ms-cab-compressed
2502!:ext	pp_
2503# https://msdn.microsoft.com/en-us/library/windows/desktop/bb773190(v=vs.85).aspx
2504# first member *.theme implies Windows 7 Theme Pack like in CommunityShowcaseAqua3.themepack
2505# or Windows 8 Desktop Theme Pack like in PanoramicGlaciers.deskthemepack
2506>>>>>&0	string/c	theme		\b, Windows
2507!:mime	application/x-windows-themepack
2508# https://www.drewkeller.com/content/using-theme-both-windows-7-and-windows-8
2509# 1st member Panoramic.theme or Panoramas.theme implies Windows 8-10 Theme Pack
2510# with MTSM=RJSPBS in [MasterThemeSelector] inside *.theme
2511>>>>>>(16.l+16)	string	=Panoram	8
2512!:ext	deskthemepack
2513>>>>>>(16.l+16)	string	!Panoram	7 or 8
2514!:ext	themepack/deskthemepack
2515>>>>>>(16.l+16)	ubyte	x		Theme Pack
2516# URL:		https://en.wikipedia.org/wiki/Microsoft_OneNote#File_format
2517#		http://fileformats.archiveteam.org/wiki/OneNote
2518# Reference:	https://mark0.net/download/triddefs_xml.7z/defs/o/onepkg.trid.xml
2519# 1st member name like: "Class Notes.one" "test-onenote.one" "Open Notebook.onetoc2" "Editor öffnen.onetoc2"
2520>>>>>&0	string/c	one		\b, OneNote Package
2521!:mime	application/msonenote
2522!:ext	onepkg
2523>>>>>&0	default		x
2524# look for null terminator of 1st member name
2525>>>>>>&0	search/255 	\0
2526# 2nd member name WSUSSCAN.cab like in Microsoft-Windows-MediaFeaturePack-OOB-Package.msu
2527>>>>>>>&16	string/c 	wsusscan.cab	\b, Microsoft Standalone Update
2528!:mime	application/vnd.ms-cab-compressed
2529!:ext	msu
2530>>>>>>>&16	default	x
2531# archives with more than one file need some output in version 5.32 to avoid error messages like
2532# Magdir/msdos, 1138: Warning: Current entry does not yet have a description for adding a MIME type
2533# Magdir/msdos, 1139: Warning: Current entry does not yet have a description for adding a EXTENSION type
2534# file: could not find any valid magic files!
2535>>>>>>>>28	uleshort	>1	\b, many
2536!:mime	application/vnd.ms-cab-compressed
2537!:ext	cab
2538# remaining archives with just one file
2539>>>>>>>>28	uleshort	=1
2540# neither extra bytes nor cab chain implies Windows 2000,XP setup files in directory i386
2541>>>>>>>>>30	uleshort	=0x0000	\b, Windows 2000/XP setup
2542# cut off last char of source extension and add underscore to generate extension
2543# TERMCAP._ ... FXSCOUNT.H_ ... L3CODECA.AC_ ... NPDRMV2.ZI_
2544!:mime	application/vnd.ms-cab-compressed
2545!:ext	_/?_/??_
2546# archive needs some output like "single" in version 5.32 to avoid error messages
2547>>>>>>>>>30	uleshort	!0x0000	\b, single
2548!:mime	application/vnd.ms-cab-compressed
2549!:ext	cab
2550# first archive name without point character
2551>>>>&-1	default		x
2552>>>>>28	uleshort	=1	\b, single
2553!:mime	application/vnd.ms-cab-compressed
2554# on XP_CD\I386\ like: NETWORKS._ PROTOCOL._ QUOTES._ SERVICES._
2555!:ext	_
2556>>>>>28	uleshort	>1	\b, many
2557!:mime	application/vnd.ms-cab-compressed
2558# like: HP Envy 6000 printer driver packages Full_x86.cab Full_x64.cab
2559!:ext	cab
2560# TODO: additional extensions like
2561# .xtp	InfoPath Template Part
2562# .lvf	Logitech Video Effects Face Accessory
2563>8	ulelong		x		\b, %u bytes
2564>28	uleshort		1		\b, 1 file
2565>28	uleshort		>1		\b, %u files
2566# Reserved fields, set to zero
2567#>4	belong		!0		\b, reserved1 %x
2568#>12	belong		!0		\b, reserved2 %x
2569# offset of the first CFFILE entry coffFiles: minimal 2Ch
2570>16	ulelong		x		\b, at %#x
2571>(16.l)	use		cab-file
2572# at least also 2nd member
2573>28	uleshort		>1
2574>>(16.l+16)	ubyte	x
2575>>>&0	search/255 	\0
2576# second member info
2577>>>>&0	use		cab-file
2578#>20	belong		!0		\b, reserved %x
2579# Cabinet file format version. Currently, versionMajor = 1 and versionMinor = 3
2580>24	ubeshort	!0x0301		\b version %#x
2581# number of CFFOLDER entries
2582>26	uleshort	>1		\b, %u cffolders
2583# cabinet file option indicators 1~PREVIOUS, 2~NEXT, 4~reserved fields
2584# only found for flags 0 1 2 3 4 not 7
2585>30	uleshort	>0		\b, flags %#x
2586# Cabinet files have a 16-bit cabinet setID field that is designed for application use.
2587# default is zero, however, the -i option of cabarc can be used to set this field
2588>32	uleshort	>0		\b, ID %u
2589# iCabinet is number of this cabinet file in a set, where 0 for the first cabinet
2590#>34	uleshort	x		\b, iCabinet %u
2591# add one for display because humans start numbering by 1 and also fit to name of disk szDisk*
2592>34	uleshort+1	x		\b, number %u
2593>30	uleshort	&0x0004		\b, extra bytes
2594# cbCFHeader optional size of per-cabinet reserved area 14h 1800h
2595>>36	uleshort	>0		%u in head
2596# cbCFFolder is optional size of per-folder reserved area
2597>>38	ubyte		>0		%u in folder
2598# cbCFData is optional size of per-datablock reserved area
2599>>39	ubyte		>0		%u in data block
2600# optional per-cabinet reserved area abReserve[cbCFHeader]
2601>>36	uleshort	>0
2602# 1st CFFOLDER after reserved area in header
2603>>>(36.s+40)	use			cab-folder
2604# no reserved area in header
2605>30	uleshort	^0x0004
2606# no previous and next cab archive
2607>>30	uleshort		=0x0000
2608>>>36	use				cab-folder
2609# only previous cab archive
2610>>30	uleshort		=0x0001	\b, previous
2611>>>36	use				cab-anchor
2612# only next cab archive
2613>>30	uleshort		=0x0002	\b, next
2614>>>36	use				cab-anchor
2615# previous+next cab archive
2616# can not use sub routine cab-anchor to display previous and next cabinet together
2617#>>>36	use				cab-anchor
2618#>>>>&0	use				cab-anchor
2619>>30	uleshort		=0x0003	\b, previous
2620>>>36	string		x		%s
2621# optional name of previous disk szDisk*
2622>>>>&1	string		x		disk %s
2623>>>>>&1	string		x		\b, next %s
2624# optional name of next disk szDisk*
2625>>>>>>&1	string		x	disk %s
2626>>>>>>>&1	use			cab-folder
2627#	display filename and disk name of previous or next cabinet
26280       name    			cab-anchor
2629# optional name of previous/next cabinet file szCabinet*[255]
2630>&0	string		x		%s
2631# optional name of previous/next disk szDisk*[255]
2632>>&1	string		x		disk %s
2633#	display folder structure CFFOLDER information like compression of cabinet
26340       name    			cab-folder
2635# offset of the CFDATA block in this folder
2636#>0	ulelong		x		\b, coffCabStart %#x
2637# number of CFDATA blocks in folder
2638>4	uleshort	x		\b, %u datablock
2639# plural s
2640>4	uleshort	>1		\bs
2641# compression typeCompress: 0~None 1~MSZIP 0x1503~LZX:21 0x1003~LZX:16 0x0f03~LZX:15
2642>6	uleshort	x		\b, %#x compression
2643# optional per-folder reserved area
2644#>8	ubequad		x		\b, abReserve %#llx
2645#	display member structure CFFILE information like member name of cabinet
26460       name    			cab-file
2647# cbFile is uncompressed size of file in bytes
2648#>0	ulelong		x		\b, cbFile %u
2649# uoffFolderStart is uncompressed offset of file in folder
2650#>4	ulelong		>0		\b, uoffFolderStart %#x
2651# iFolder is index into the CFFOLDER area. 0 indicates first folder in cabinet
2652# define ifoldCONTINUED_FROM_PREV      (0xFFFD)
2653# define ifoldCONTINUED_TO_NEXT        (0xFFFE)
2654# define ifoldCONTINUED_PREV_AND_NEXT  (0xFFFF)
2655>8	uleshort	>0		\b, iFolder %#x
2656# date stamp for file
2657>10	lemsdosdate	x		last modified %s
2658# time stamp for file
2659>12	lemsdostime	x		%s
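2660# attribs is attribute flags for file; set flags are printed after "+" as R, H, S, A, X (_A_EXEC, run after extraction), Utf and ? (0x0100)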
2661# define  _A_RDONLY       (0x01)  file is read-only
2662# define  _A_HIDDEN       (0x02)  file is hidden
2663# define  _A_SYSTEM       (0x04)  file is a system file
2664# define  _A_ARCH         (0x20)  file modified since last backup
2665# example http://sebastien.kirche.free.fr/pebuilder_plugins/depends.cab
2666# define  _A_EXEC         (0x40)  run after extraction
2667# define  _A_NAME_IS_UTF  (0x80)  szName[] contains UTF
2668# define  UNKNOWN       (0x0100)  undocumented or accident
2669#>14	uleshort	x		\b, attribs %#x
2670>14	uleshort	>0		+
2671>>14	uleshort	&0x0001		\bR
2672>>14	uleshort	&0x0002		\bH
2673>>14	uleshort	&0x0004		\bS
2674>>14	uleshort	&0x0020		\bA
2675>>14	uleshort	&0x0040		\bX
2676>>14	uleshort	&0x0080		\bUtf
2677# unknown 0x0100 flag found on one XP_CD:\I386\DRIVER.CAB
2678>>14	uleshort	&0x0100		\b?
2679# szName is name of archive member
2680>16	string		x		"%s"
2681# next archive member name if more files
2682#>>&17	string		>\0		\b, NEXT NAME %-.50s
2683
2684# InstallShield Cabinet files
26850	string/b	ISc(		InstallShield Cabinet archive data
2686>5	byte&0xf0	=0x60		version 6,
2687>5	byte&0xf0	!0x60		version 4/5,
2688>(12.l+40)	lelong	x		%u files
2689
2690# Windows CE package files
26910	string/b	MSCE\0\0\0\0	Microsoft WinCE install header
2692>20	lelong		0		\b, architecture-independent
2693>20	lelong		103		\b, Hitachi SH3
2694>20	lelong		104		\b, Hitachi SH4
2695>20	lelong		0xA11		\b, StrongARM
2696>20	lelong		4000		\b, MIPS R4000
2697>20	lelong		10003		\b, Hitachi SH3
2698>20	lelong		10004		\b, Hitachi SH3E
2699>20	lelong		10005		\b, Hitachi SH4
2700>20	lelong		70001		\b, ARM 7TDMI
2701>52	leshort		1		\b, 1 file
2702>52	leshort		>1		\b, %u files
2703>56	leshort		1		\b, 1 registry entry
2704>56	leshort		>1		\b, %u registry entries
2705
2706
2707# Windows Enhanced Metafile (EMF)
2708# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp
2709# for further information.
27100	ulelong 1
2711>40	string	\ EMF		Windows Enhanced Metafile (EMF) image data
2712>>44	ulelong x		version %#x
2713
2714
27150	string/b	\224\246\056		Microsoft Word Document
2716!:mime	application/msword
2717
2718# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
2719# Magic type for Dell's BIOS .hdr files
2720# Dell's .hdr
27210	string/b $RBU
2722>23	string Dell			%s system BIOS
2723>5	byte   2
2724>>48	byte   x			version %d.
2725>>49	byte   x			\b%d.
2726>>50	byte   x			\b%d
2727>5	byte   <2
2728>>48	string x			version %.3s
2729
2730# Type: Microsoft Document Imaging Format (.mdi)
2731# URL:	https://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format
2732# From: Daniele Sempione <scrows@oziosi.org>
2733# Too weak (EP)
2734#0	short	0x5045			Microsoft Document Imaging Format
2735
2736# MS eBook format (.lit)
27370	string/b	ITOLITLS		Microsoft Reader eBook Data
2738>8	lelong	x			\b, version %u
2739!:mime					application/x-ms-reader
2740
2741# Windows CE Binary Image Data Format
2742# From: Dr. Jesus <j@hug.gs>
27430	string/b	B000FF\n	Windows Embedded CE binary image
2744
2745# The second byte of these signatures is a file version; I don't know what,
2746# if anything, produced files with version numbers 0-2.
2747# From: John Elliott <johne@seasip.demon.co.uk>
27480	string	\xfc\x03\x00	Mallard BASIC program data (v1.11)
27490	string	\xfc\x04\x00	Mallard BASIC program data (v1.29+)
27500	string	\xfc\x03\x01	Mallard BASIC protected program data (v1.11)
27510	string	\xfc\x04\x01	Mallard BASIC protected program data (v1.29+)
2752
27530	string	MIOPEN		Mallard BASIC Jetsam data
27540	string	Jetsam0		Mallard BASIC Jetsam index data
2755
2756# DOS backup 2.0 to 3.2
2757# URL:		http://fileformats.archiveteam.org/wiki/BACKUP_(MS-DOS)
2758# Reference:	http://www.ibiblio.org/pub/micro/pc-stuff/freedos/files/dos/restore/brtecdoc.htm
2759# backupid.@@@
2760
2761# plausibility check for date
27620x3	ushort	>1979
2763>0x5	ubyte-1 <31
2764>>0x6	ubyte-1 <12
2765# actually 121 nul bytes
2766>>>0x7	string	\0\0\0\0\0\0\0\0
2767>>>>0x1 ubyte	x	DOS 2.0 backup id file, sequence %d
2768#!:mime	application/octet-stream
2769!:ext @@@
2770>>>>0x0 ubyte	0xff	\b, last disk
2771
2772# backed up file
2773
# Entry for a backed up file: a 128-byte header (flag, sequence, stored path)
# followed by the original file content. No fixed signature exists, so the
# entry relies on the chain of plausibility tests below.
2774# skip some AppleWorks word files like Tomahawk.Awp, and WIN98SE-DE.vhd,
2775# by looking for the trailing nul of a maximal-length file name string
27760x52	ubyte	0
2777# test for flag byte: FFh~complete file, 00h~split file
2778# FFh -127 =	-1 -127 =	-128
2779# 00h -127 =	 0 -127 =	-127
2780>0	byte-127	<-126
2781# plausibility check for file name length (byte at 0x53)
2782>>0x53	ubyte-1	<78
2783# looking for terminating nul of file name string; the offset is computed
# from the length byte at 0x53 plus 4
2784>>>(0x53.b+4)	ubyte	0
2785# checking that the last char of the string is not a control character
# (must be greater than 0x1F)
2786>>>>(0x53.b+3)	ubyte	>0x1F
2787# actually 44 nul bytes
2788# but sometimes garbage according to Ralf Quint. So can not be used as test
2789#>0x54	string	\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
2790# first char of full file name is DOS (5Ch) or UNIX (2Fh) path separator
2791# only DOS variant found. UNIX variant according to V32SLASH.TXT in archive PD0315.EXE
# NOTE(review): the mask test accepts every byte with bits 2 and 3 set and
# bit 7 clear (for example 0x2C-0x2F and 0x5C-0x5F), not only '\' and '/'.
2792>>>>>5	ubyte&0x8C	0x0C
2793# ./msdos (version 5.30) labeled the entry as
2794# "DOS 2.0 backed up file %s, split file, sequence %d" or
2795# "DOS 2.0 backed up file %s, complete file"
2796>>>>>>0	ubyte	x	DOS 2.0-3.2 backed up
2797#>>>>>>0	ubyte	0xff	complete
# flag byte 0 means split file; only then is the 16-bit sequence at offset 1 printed
2798>>>>>>0	ubyte	0
2799>>>>>>>1 uleshort	x	sequence %d of
2800# full file name with path but without drive letter and colon, stored from 0x05 to 0x52
# The string is taken from the file and printed through %s; anything that
# parses this output should treat the name as untrusted input.
2801>>>>>>0x5	string	x	file %s
2802#!:mime	application/octet-stream
2803# backup name is original filename
2804#!:ext	doc/exe/rar/zip
2805#!:ext	*
2806# magic/Magdir/msdos, 1169: Warning: EXTENSION type `     *' has bad char '*'
2807# file: line 1169: Bad magic entry '  *'
2808# after the header comes the original file content
# indirect consults the magic database again at offset 128, so the text after
# ";" describes the embedded file rather than the backup container.
2809>>>>>>128	indirect x	\b;
2810
2811
2812# DOS backup 3.3 to 5.x
2813
2814# CONTROL.nnn files
# Signature: byte 0x8B, the ASCII text "BACKUP" and a space, at offset 0.
28150	string	\x8bBACKUP\x20
2816# actually 128 nul bytes; only the first 8, starting at 0xa, are tested
2817>0xa	string	\0\0\0\0\0\0\0\0
# byte at 0x9 is printed as the sequence number
2818>>0x9	ubyte	x	DOS 3.3 backup control file, sequence %d
# byte at 0x8a (0xa + 128, directly after the nul run) equal to 0xff marks the last disk
2819>>0x8a	ubyte	0xff	\b, last disk
2820
2821# NB: The BACKUP.nnn files consist of the files backed up,
2822# concatenated.
2823
2824# From:		Joerg Jenderek
2825# URL:		http://fileformats.archiveteam.org/wiki/MS-DOS_date/time
2826# Reference:	https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-dosdatetimetofiletime
2827# Note:		DOS date+time format differs from formats such as the Unix epoch:
2828#		it is bit encoded, with year values relative to 1980 and 2-second precision
# Named entry; it prints only when another entry references it with "use"
# (the callers are outside this section). It reads the 16-bit little-endian
# date word at relative offset 2; the time word at offset 0 appears only in
# the commented-out debug lines. Output is day, month abbreviation and the
# literal text "1980+" followed by the raw year offset (the sum is not computed).
28290	name		dos-date
2830# HHHHHMMMMMMSSSSS bit encoded Hour (0-23) Minute (0-59) SecondPart (*2)
2831#>0	uleshort	x	RAW TIME [%#4.4x]
2832# hour part
2833#>0	uleshort/2048	x	hour [%u]
2834# YYYYYYYMMMMDDDDD bit encoded YearPart (+1980) Month (1-12) Day (1-31)
2835#>2	uleshort	x	RAW DATE [%#4.4x]
2836# day part: low 5 bits, printed without a range check
2837>2	uleshort&0x001F	x	%u
2838#>2	uleshort/16	x	MONTH PART [%#x]
2839# GRR: not working
2840#>2	uleshort/16	&0x000F	MONTH [%u]
2841#>2	uleshort&0x01E0	x	MONTH PART [%#4.4x]
# month part: bits 5-8 compared in place (month * 0x20); month values 0 and
# 13-15 match none of the twelve lines, so nothing is printed for them
2842>2	uleshort&0x01E0	=0x0020	jan
2843>2	uleshort&0x01E0	=0x0040	feb
2844>2	uleshort&0x01E0	=0x0060	mar
2845>2	uleshort&0x01E0	=0x0080	apr
2846>2	uleshort&0x01E0	=0x00A0	may
2847>2	uleshort&0x01E0	=0x00C0	jun
2848>2	uleshort&0x01E0	=0x00E0	jul
2849>2	uleshort&0x01E0	=0x0100	aug
2850>2	uleshort&0x01E0	=0x0120	sep
2851>2	uleshort&0x01E0	=0x0140	oct
2852>2	uleshort&0x01E0	=0x0160	nov
2853>2	uleshort&0x01E0	=0x0180	dec
2854# year part: the upper 7 bits (value divided by 512)
2855>2	uleshort/512	x	1980+%u
2856#
2857
2858# ExcelBIFF2-8BOF.magic - Excel Binary Interchange File Format versions 2-8
2859# Beginning of File records
2860# See https://www.gaia-gis.it/gaia-sins/freexl-1.0.6-doxy-doc/html/Format.html
2861#	Excel	Commercial	BIFF	Release
2862#	Version	Name		Version	Year	Notes
2863#	2.x	Excel 2.0	BIFF2	1987	Before CFBF. File is the BIFF
2864#						stream, containing a single
2865#						worksheet.
2866#	3.0	Excel 3.0	BIFF3	1990	""
2867#	4.0	Excel 4.0	BIFF4	1992	""
2868#	5.0	Excel 5.0	BIFF5	1993	Starting with BIFF5, a single
2869#						Workbook can internally store
2870#						many individual Worksheets.
2871#						The BIFF stream is stored in
2872#						the CFBF file container.
2873#	7.0	Excel 95	BIFF5	1995
2874#	8.0	Excel 98	BIFF8	1998
2875#	9.0	Excel 2000	BIFF8	1999
2876#	10.0	Excel XP	BIFF8	2001
2877#	11.0	Excel 2003	BIFF8	2003
2878# See https://www.openoffice.org/sc/excelfileformat.pdf#page=135
2879#	5.8 BOF – Beginning of File
2880# See also https://en.wikipedia.org/wiki/Microsoft_Excel;
2881#	Old file extensions
2882#	Format		Extension	Description
2883#	Spreadsheet	.xls	Main spreadsheet format which holds data in
2884#				worksheets, charts, and macros
2885#	Add-in (VBA)	.xla	Adds custom functionality; written in VBA
2886#	Toolbar		.xlb	The file extension where Microsoft Excel custom
2887#				toolbar settings are stored.
2888#	Chart		.xlc	A chart created with data from a Microsoft Excel
2889#				spreadsheet that only saves the chart.
2890#				To save the chart and spreadsheet save as .XLS.
2891#				XLC is not supported in Excel 2007 or in any
2892#				newer versions of Excel.
2893#	Dialog		.xld	Used in older versions of Excel.
2894#	Archive		.xlk	A backup of an Excel Spreadsheet
2895#	Add-in (DLL)	.xll	Adds custom functionality; written in C++/C,
2896#				Fortran, etc. and compiled in to a special
2897#				dynamic-link library
2898#	Macro		.xlm	A macro is created by the user or pre-installed
2899#				with Excel.
2900#	Template	.xlt	A pre-formatted spreadsheet created by the user
2901#				or by Microsoft Excel.
2902#	Module		.xlv	A module is written in VBA (Visual Basic for
2903#				Applications) for Microsoft Excel
2904#	Workspace	.xlw	Arrangement of the windows of multiple Workbooks
2905#	Library		.DLL	Code written in VBA may access functions in a
2906#				DLL, typically this is used to access the
2907#				Windows API
2908#!:ext	xls/xla/xlb/xlc/xld/xlk/xll/xlm/xlt/xlv/xlw
2909
2910#!:mime	application/vnd.ms-excel
2911
2912#	5.8.1 BOF Records Written by Excel
2913#	Record BOF, BIFF2 (record identifier is 0009 H):
2914#	Offset	Size	Contents
2915#	0	2	BIFF version (not used)
2916#	2	2	Type of the following data:	0010H = Sheet
2917#							0020H = Chart
2918#							0040H = Macro sheet
2919#	e.g. 0x0009 BOF len 4 version 2 content 0x0010 Sheet
# File layout tested here: record identifier at 0, record length at 2 (4 for
# BIFF2), then the record data, so the table's data offsets 0 and 2 are file
# offsets 4 and 6.
# The label sits on the level-0 line and is printed as soon as the two bytes
# at offset 0 match, before length and version are tested; treat it as a hint
# only, not as validation of the file.
29200	uleshort	=0x0009	Excel 2 BIFF 2
2921>2	uleshort	=4
2922#			version
# NOTE(review): per magic(5), level n+1 tests run only after the level-n line
# directly above them matched. The type tests at >>>6 therefore hang off the
# last alternative (>>4 = 2); a file with version 0 gets no type text, and a
# missing "Macros" in the output does not show that no macro sheet is present.
2923>>4	uleshort	=0
2924>>4	uleshort	=2
2925>>>6	uleshort	=0x0010	Sheet
2926>>>6	uleshort	=0x0020	Chart
2927>>>6	uleshort	=0x0040	Macros
2928
2929#	Record BOF, BIFF3 (record identifier is 0209 H) and
2930#	BIFF4 (record identifier is 0409H):
2931#	Offset	Size	Contents
2932#	0	2	BIFF version (not used)
2933#	2	2	Type of the following data:	0010H = Sheet
2934#							0020H = Chart
2935#							0040H = Macro sheet
2936#							0100H = Workspace
2937#							(BIFF3W/BIFF4W only)
2938#	4	2        Not used
# Record identifier 0x0209 at offset 0, record length 6 at offset 2, version
# at 4 and data type at 6. The label is printed on the 2-byte identifier
# match alone, before the length and version tests run.
29390	uleshort	=0x0209	Excel 3 BIFF 3
2940>2	uleshort	=6
2941#			version
# NOTE(review): the >>>6 type tests follow the last >>4 line, so under
# magic(5) nesting they run only for version = 3, not for version = 0.
2942>>4	uleshort	=0
2943>>4	uleshort	=3
2944>>>6	uleshort	=0x0010	Sheet
2945>>>6	uleshort	=0x0020	Chart
2946>>>6	uleshort	=0x0040	Macros
2947#			(BIFF3W only)
2948>>>6	uleshort	=0x0100	Workspace
2949
# Record identifier 0x0409 at offset 0, record length 6 at offset 2, version
# at 4 and data type at 6. The label is printed on the 2-byte identifier
# match alone, before the length and version tests run.
29500	uleshort	=0x0409	Excel 4 BIFF 4
2951>2	uleshort	=6
2952#			version
# NOTE(review): the >>>6 type tests follow the last >>4 line, so under
# magic(5) nesting they run only for version = 4, not for version = 0.
2953>>4	uleshort	=0
2954>>4	uleshort	=4
2955>>>6	uleshort	=0x0010	Sheet
2956>>>6	uleshort	=0x0020	Chart
2957>>>6	uleshort	=0x0040	Macros
2958#			(BIFF4W only)
2959>>>6	uleshort	=0x0100	Workspace
2960
2961#	Record BOF, BIFF5 (record identifier is 0809 H):
2962#	Offset	Size        Contents
2963#	0	2	BIFF version (always 0500H for BIFF5).
2964#			Should only be used, if this record is the leading
2965#			workbook globals BOF (see above).
2966#	2	2	Type of the following data:
2967#			0005H = Workbook globals
2968#			0006H = Visual Basic module
2969#			0010H = Sheet or dialogue (see SHEETPR,
2970#						   ➜5.97)
2971#			0020H = Chart
2972#			0040H = Macro sheet
2973#			0100H = Workspace (BIFF5W only)
2974#	4	2	Build identifier, must not be 0
2975#	6	2	Build year
# Record identifier 0x0809 at offset 0, record length 8 at offset 2; version,
# type, build and year follow at file offsets 4, 6, 8 and 10.
# NOTE(review): the label is on the level-0 line, so it is printed for every
# input that starts with the two identifier bytes, before length and version
# are tested. The BIFF8 entry further down uses the same level-0 test with a
# different label, so which text appears depends on evaluation order. A
# two-byte match is weak evidence; do not use this label alone to accept or
# classify a file.
29760	uleshort	=0x0809	Excel 5 BIFF 5
2977>2	uleshort	=8
2978#			version
# NOTE(review): per magic(5) nesting, the >>>6 type tests belong to the last
# alternative only (>>4 = 0); with version 0x0500 or 5 no type is printed, so
# a missing "Macros" or "VB Module" is not evidence that the file has none.
2979>>4	uleshort	=0x0500
2980>>4	uleshort	=5
2981>>4	uleshort	=0
2982>>>6	uleshort	=0x0005	Workbook Globals
2983>>>6	uleshort	=0x0006	VB Module
2984>>>6	uleshort	=0x0010	Sheet
2985>>>6	uleshort	=0x0020	Chart
2986>>>6	uleshort	=0x0040	Macros
2987#			(BIFF5W only)
2988>>>6	uleshort	=0x0100	Workspace
# Build and year are nested below the Workspace line, so they are printed
# only for that type; year is printed only when build is non-zero.
2989>>>>8	uleshort	>0	Build %d
2990>>>>>10	uleshort	>1900	Year %d
2991
2992#	Record BOF, BIFF8 (record identifier is 0809 H):
2993#	Offset	Size	Contents
2994#	 0	2	BIFF version (always 0600 H for BIFF8)
2995#	 2	2	Type of the following data:
2996#			0005H = Workbook globals
2997#			0006H = Visual Basic module
2998#			0010H = Sheet or dialogue (see SHEETPR,
2999#						   ➜5.97)
3000#			0020H = Chart
3001#			0040H = Macro sheet
3002#			0100H = Workspace (BIFF8W only)
3003#	 4	2	Build identifier, must not be 0
3004#	 6	2	Build year, must not be 0
3005#	 8	4	File history flags
3006#	12	4	Lowest Excel version that can read all records in this
3007#			file
# Record identifier 0x0809 at offset 0, record length 16 at offset 2; version,
# type, build, year, history flags and lowest reader version follow at file
# offsets 4, 6, 8, 10, 12 and 16.
# NOTE(review): the label is printed on the 2-byte identifier match alone,
# before the length and version tests. The BIFF5 entry above has the same
# level-0 test with a different label, so the label does not establish the
# BIFF version; treat it as a hint only.
30080	uleshort	=0x0809	Excel 8 BIFF 8
3009>2	uleshort	=16
3010#			version
# NOTE(review): per magic(5) nesting, the >>>6 type tests belong to the last
# alternative only (>>4 = 0); with version 0x0600 or 8 no type is printed, so
# a missing "Macros" or "VB Module" is not evidence that the file has none.
3011>>4	uleshort	=0x0600
3012>>4	uleshort	=8
3013>>4	uleshort	=0
3014>>>6	uleshort	=0x0005	Workbook Globals
3015>>>6	uleshort	=0x0006	VB Module
3016>>>6	uleshort	=0x0010	Sheet
3017>>>6	uleshort	=0x0020	Chart
3018>>>6	uleshort	=0x0040	Macros
3019#			(BIFF8W only)
3020>>>6	uleshort	=0x0100	Workspace
# Everything below is nested under the Workspace line: build, then year when
# build is non-zero, then the two 32-bit fields when year is above 1900.
3021>>>>8	uleshort	>0	Build %d
3022>>>>>10	uleshort	>1900	Year %d
3023>>>>>>12 ulelong	!0	File history %d
3024>>>>>>16 ulelong	>0	Excel version needed %d
3025
3026#	5.8.2 BOF Records Written by Other External Tools
3027#	Various external tools write non-standard BOF records with the record
3028#	identifier 0809H (determining a BIFF5-BIFF8 BOF record), but with a
3029#	different BIFF version field. In this case, the record identifier is
3030#	ignored, and only the version field is used to set the BIFF version of
3031#	the workbook.
3032#	Record BOF (record identifier is 0809 H):
3033#	Offset	Size	Contents
3034#	0	2	BIFF version:			0000H = BIFF5
3035#							0200H = BIFF2
3036#							0300H = BIFF3
3037#							0400H = BIFF4
3038#							0500H = BIFF5
3039#							0600H = BIFF8
3040#	2	2	Type of the following data:
3041#			0005H = Workbook globals
3042#			0006H = Visual Basic module
3043#			0010H = Sheet or dialogue (see SHEETPR,
3044#						   ➜5.97)
3045#			0020H = Chart
3046#			0040H = Macro sheet
3047#			0100H = Workspace
3048#	[4]	var.	(optional) Additional fields of a BOF record,
3049#			should be ignored
# BOF records written by other tools: same record identifier 0x0809, any
# record length of 4 or more, and the version field at offset 4 alone picks
# the label. The level-0 line has no message here, so nothing is printed
# until one of the version lines matches.
30500	uleshort	=0x0809
3051#			>= 4
3052>2	uleshort	>3
# NOTE(review): two level-0 entries earlier in this file test the same
# identifier and print their label immediately; whether this entry is reached
# for a given file depends on evaluation order - confirm with file -k.
3053>>4	uleshort	=0	Excel 5 BIFF 5
3054>>4	uleshort	=0x0200	Excel 2 BIFF 2
3055>>4	uleshort	=2	Excel 2 BIFF 2
3056>>4	uleshort	=0x0300	Excel 3 BIFF 3
3057>>4	uleshort	=3	Excel 3 BIFF 3
3058>>4	uleshort	=0x0400	Excel 4 BIFF 4
3059>>4	uleshort	=4	Excel 4 BIFF 4
3060>>4	uleshort	=0x0500	Excel 5 BIFF 5
3061>>4	uleshort	=5	Excel 5 BIFF 5
3062>>4	uleshort	=0x0600	Excel 8 BIFF 8
3063>>4	uleshort	=6	Excel 8 BIFF 8
3064>>4	uleshort	=0x0800	Excel 8 BIFF 8
3065>>4	uleshort	=8	Excel 8 BIFF 8
# NOTE(review): per magic(5) nesting, the >>>6 type tests belong to the last
# version line only (>>4 = 8); for every other version value the data type,
# including "Macros" and "VB Module", is not reported.
3066>>>6	uleshort	=0x0005	Workbook Globals
3067>>>6	uleshort	=0x0006	VB Module
3068>>>6	uleshort	=0x0010	Sheet/Dialogue
3069>>>6	uleshort	=0x0020	Chart
3070>>>6	uleshort	=0x0040	Macros
3071#			(BIFF8W only)
3072>>>6	uleshort	=0x0100	Workspace
3073
3074