#------------------------------------------------------------------------------
# $File: msdos,v 1.137 2020/03/20 17:20:19 christos Exp $
# msdos: file(1) magic for MS-DOS files
#

# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com)
# updated by Joerg Jenderek at Oct 2008,Apr 2011
0	string/t	@
>1	string/cW	\ echo\ off	DOS batch file text
!:mime	text/x-msdos-batch
!:ext	bat
>1	string/cW	echo\ off	DOS batch file text
!:mime	text/x-msdos-batch
!:ext	bat
>1	string/cW	rem	DOS batch file text
!:mime	text/x-msdos-batch
!:ext	bat
>1	string/cW	set\ 	DOS batch file text
!:mime	text/x-msdos-batch
!:ext	bat


# OS/2 batch files are REXX. the second regex is a bit generic, oh well
# the matched commands seem to be common in REXX and uncommon elsewhere
100	search/0xffff	rxfuncadd
>100	regex/c	=^[\ \t]{0,10}call[\ \t]{1,10}rxfunc	OS/2 REXX batch file text
100	search/0xffff	say
>100	regex/c	=^[\ \t]{0,10}say\ ['"]	OS/2 REXX batch file text

# updated by Joerg Jenderek at Oct 2015
# https://de.wikipedia.org/wiki/Common_Object_File_Format
# http://www.delorie.com/djgpp/doc/coff/filhdr.html
# ./intel already labeled COFF type 0x14c=0514 as "80386 COFF executable"
#0	leshort	0x14c	MS Windows COFF Intel 80386 object file
#>4	ledate	x	stamp %s
0	leshort	0x166	MS Windows COFF MIPS R4000 object file
#>4	ledate	x	stamp %s
0	leshort	0x184	MS Windows COFF Alpha object file
#>4	ledate	x	stamp %s
0	leshort	0x268	MS Windows COFF Motorola 68000 object file
#>4	ledate	x	stamp %s
0	leshort	0x1f0	MS Windows COFF PowerPC object file
#>4	ledate	x	stamp %s
0	leshort	0x290	MS Windows COFF PA-RISC object file
#>4	ledate	x	stamp %s

# Tests for various EXE types.
#
# Many of the compressed formats were extracted from IDARC 1.23 source code.
#
0	string/b	MZ
# All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file.
>0x18	leshort	<0x40	MS-DOS executable
!:mime	application/x-dosexec
# Windows and later versions of DOS will allow .EXEs to be named with a .COM
# extension, mostly for compatibility's sake.
!:ext	exe/com
# These traditional tests usually work but not always. When test quality support is
# implemented these can be turned on.
#>>0x18	leshort	0x1c	(Borland compiler)
#>>0x18	leshort	0x1e	(MS compiler)

# Maybe it's a PE?
>(0x3c.l)	string	PE\0\0	PE
!:mime	application/x-dosexec
>>(0x3c.l+24)	leshort	0x010b	\b32 executable
>>(0x3c.l+24)	leshort	0x020b	\b32+ executable
>>(0x3c.l+24)	leshort	0x0107	ROM image
>>(0x3c.l+24)	default	x	Unknown PE signature
>>>&0	leshort	x	0x%x
>>(0x3c.l+22)	leshort&0x2000	>0	(DLL)
>>(0x3c.l+92)	leshort	1
# Native PEs include ntoskrnl.exe, hal.dll, smss.exe, autochk.exe, and all the
# drivers in Windows/System32/drivers/*.sys.
>>>(0x3c.l+22)	leshort&0x2000	>0	(native)
!:ext	dll/sys
>>>(0x3c.l+22)	leshort&0x2000	0	(native)
!:ext	exe/sys
>>(0x3c.l+92)	leshort	2
>>>(0x3c.l+22)	leshort&0x2000	>0	(GUI)
# These could probably be at least partially distinguished from one another by
# looking for specific exported functions.
# CPL: Control Panel item
# TLB: Type library
# OCX: OLE/ActiveX control
# ACM: Audio compression manager codec
# AX: DirectShow source filter
# IME: Input method editor
!:ext	dll/cpl/tlb/ocx/acm/ax/ime
>>>(0x3c.l+22)	leshort&0x2000	0	(GUI)
# Screen savers typically include code from the scrnsave.lib static library, but
# that's not guaranteed.
!:ext	exe/scr
>>(0x3c.l+92)	leshort	3
>>>(0x3c.l+22)	leshort&0x2000	>0	(console)
!:ext	dll/cpl/tlb/ocx/acm/ax/ime
>>>(0x3c.l+22)	leshort&0x2000	0	(console)
!:ext	exe/com
# https://docs.microsoft.com/en-us/windows/win32/debug/pe-format
>>(0x3c.l+92)	leshort	7	(POSIX)
>>(0x3c.l+92)	leshort	9	(Windows CE)
>>(0x3c.l+92)	leshort	10	(EFI application)
>>(0x3c.l+92)	leshort	11	(EFI boot service driver)
>>(0x3c.l+92)	leshort	12	(EFI runtime driver)
>>(0x3c.l+92)	leshort	13	(EFI ROM)
>>(0x3c.l+92)	leshort	14	(XBOX)
>>(0x3c.l+92)	leshort	15	(Windows boot application)
>>(0x3c.l+92)	default	x	(Unknown subsystem
>>>&0	leshort	x	0x%x)
>>(0x3c.l+4)	leshort	0x14c	Intel 80386
>>(0x3c.l+4)	leshort	0x166	MIPS R4000
>>(0x3c.l+4)	leshort	0x168	MIPS R10000
>>(0x3c.l+4)	leshort	0x184	Alpha
>>(0x3c.l+4)	leshort	0x1a2	Hitachi SH3
>>(0x3c.l+4)	leshort	0x1a3	Hitachi SH3 DSP
>>(0x3c.l+4)	leshort	0x1a8	Hitachi SH5
>>(0x3c.l+4)	leshort	0x169	MIPS WCE v2
>>(0x3c.l+4)	leshort	0x1a6	Hitachi SH4
>>(0x3c.l+4)	leshort	0x1c0	ARM
>>(0x3c.l+4)	leshort	0x1c2	ARM Thumb
>>(0x3c.l+4)	leshort	0x1c4	ARMv7 Thumb
>>(0x3c.l+4)	leshort	0x1d3	Matsushita AM33
>>(0x3c.l+4)	leshort	0x1f0	PowerPC
>>(0x3c.l+4)	leshort	0x1f1	PowerPC with FPU
>>(0x3c.l+4)	leshort	0x1f2	PowerPC (big-endian)
>>(0x3c.l+4)	leshort	0x200	Intel Itanium
>>(0x3c.l+4)	leshort	0x266	MIPS16
>>(0x3c.l+4)	leshort	0x268	Motorola 68000
>>(0x3c.l+4)	leshort	0x290	PA-RISC
>>(0x3c.l+4)	leshort	0x366	MIPSIV
>>(0x3c.l+4)	leshort	0x466	MIPS16 with FPU
>>(0x3c.l+4)	leshort	0xebc	EFI byte code
>>(0x3c.l+4)	leshort	0x5032	RISC-V 32-bit
>>(0x3c.l+4)	leshort	0x5064	RISC-V 64-bit
>>(0x3c.l+4)	leshort	0x5128	RISC-V 128-bit
>>(0x3c.l+4)	leshort	0x9041	Mitsubishi M32R
>>(0x3c.l+4)	leshort	0x8664	x86-64
>>(0x3c.l+4)	leshort	0xaa64	Aarch64
>>(0x3c.l+4)	leshort	0xc0ee	MSIL
>>(0x3c.l+4)	default	x	Unknown processor type
>>>&0	leshort	x	0x%x
>>(0x3c.l+22)	leshort&0x0200	>0	(stripped to external PDB)
>>(0x3c.l+22)	leshort&0x1000	>0	system file
>>(0x3c.l+24)	leshort	0x010b
>>>(0x3c.l+232)	lelong	>0	Mono/.Net assembly
>>(0x3c.l+24)	leshort	0x020b
>>>(0x3c.l+248)	lelong	>0	Mono/.Net assembly

# hooray, there's a DOS extender using the PE format, with a valid PE
# executable inside (which just prints a message and exits if run in win)
>>(8.s*16)	string	32STUB	\b, 32rtm DOS extender
>>(8.s*16)	string	!32STUB	\b, for MS Windows
>>(0x3c.l+0xf8)	string	UPX0	\b, UPX compressed
>>(0x3c.l+0xf8)	search/0x140	PEC2	\b, PECompact2 compressed
>>(0x3c.l+0xf8)	search/0x140	UPX2
>>>(&0x10.l+(-4))	string	PK\3\4	\b, ZIP self-extracting archive (Info-Zip)
>>(0x3c.l+0xf8)	search/0x140	.idata
>>>(&0xe.l+(-4))	string	PK\3\4	\b, ZIP self-extracting archive (Info-Zip)
>>>(&0xe.l+(-4))	string	ZZ0	\b, ZZip self-extracting archive
>>>(&0xe.l+(-4))	string	ZZ1	\b, ZZip self-extracting archive
>>(0x3c.l+0xf8)	search/0x140	.rsrc
>>>(&0x0f.l+(-4))	string	a\\\4\5	\b, WinHKI self-extracting archive
>>>(&0x0f.l+(-4))	string	Rar!	\b, RAR self-extracting archive
>>>(&0x0f.l+(-4))	search/0x3000	MSCF	\b, InstallShield self-extracting archive
>>>(&0x0f.l+(-4))	search/32	Nullsoft	\b, Nullsoft Installer self-extracting archive
>>(0x3c.l+0xf8)	search/0x140	.data
>>>(&0x0f.l)	string	WEXTRACT	\b, MS CAB-Installer self-extracting archive
>>(0x3c.l+0xf8)	search/0x140	.petite\0	\b, Petite compressed
>>>(0x3c.l+0xf7)	byte	x
>>>>(&0x104.l+(-4))	string	=!sfx!	\b, ACE self-extracting archive
>>(0x3c.l+0xf8)	search/0x140	.WISE	\b, WISE installer self-extracting archive
>>(0x3c.l+0xf8)	search/0x140	.dz\0\0\0	\b, Dzip self-extracting archive
>>&(0x3c.l+0xf8)	search/0x100	_winzip_	\b, ZIP self-extracting archive (WinZip)
>>&(0x3c.l+0xf8)	search/0x100	SharedD	\b, Microsoft Installer self-extracting archive
>>0x30	string	Inno	\b, InnoSetup self-extracting archive

# If the relocation table is 0x40 or more bytes into the file, it's definitely
# not a DOS EXE.
>0x18	leshort	>0x3f

# Hmm, not a PE but the relocation table is too high for a traditional DOS exe,
# must be one of the unusual subformats.
>>(0x3c.l)	string	!PE\0\0	MS-DOS executable
!:mime	application/x-dosexec

>>(0x3c.l)	string	NE	\b, NE
!:mime	application/x-dosexec
>>>(0x3c.l+0x36)	byte	1	for OS/2 1.x
>>>(0x3c.l+0x36)	byte	2	for MS Windows 3.x
>>>(0x3c.l+0x36)	byte	3	for MS-DOS
>>>(0x3c.l+0x36)	byte	4	for Windows 386
>>>(0x3c.l+0x36)	byte	5	for Borland Operating System Services
>>>(0x3c.l+0x36)	default	x
>>>>(0x3c.l+0x36)	byte	x	(unknown OS %x)
>>>(0x3c.l+0x36)	byte	0x81	for MS-DOS, Phar Lap DOS extender
>>>(0x3c.l+0x0c)	leshort&0x8000	0x8000	(DLL or font)
# DRV: Driver
# 3GR: Grabber device driver
# CPL: Control Panel Item
# VBX: Visual Basic Extension
# FON: Bitmap font
# FOT: Font resource file
!:ext	dll/drv/3gr/cpl/vbx/fon/fot
>>>(0x3c.l+0x0c)	leshort&0x8000	0	(EXE)
!:ext	exe/scr
>>>&(&0x24.s-1)	string	ARJSFX	\b, ARJ self-extracting archive
>>>(0x3c.l+0x70)	search/0x80	WinZip(R)\ Self-Extractor	\b, ZIP self-extracting archive (WinZip)

>>(0x3c.l)	string	LX\0\0	\b, LX
!:mime	application/x-dosexec
>>>(0x3c.l+0x0a)	leshort	<1	(unknown OS)
>>>(0x3c.l+0x0a)	leshort	1	for OS/2
>>>(0x3c.l+0x0a)	leshort	2	for MS Windows
>>>(0x3c.l+0x0a)	leshort	3	for DOS
>>>(0x3c.l+0x0a)	leshort	>3	(unknown OS)
>>>(0x3c.l+0x10)	lelong&0x28000	=0x8000	(DLL)
>>>(0x3c.l+0x10)	lelong&0x20000	>0	(device driver)
>>>(0x3c.l+0x10)	lelong&0x300	0x300	(GUI)
>>>(0x3c.l+0x10)	lelong&0x28300	<0x300	(console)
>>>(0x3c.l+0x08)	leshort	1	i80286
>>>(0x3c.l+0x08)	leshort	2	i80386
>>>(0x3c.l+0x08)	leshort	3	i80486
>>>(8.s*16)	string	emx	\b, emx
>>>>&1	string	x	%s
>>>&(&0x54.l-3)	string	arjsfx	\b, ARJ self-extracting archive

# MS Windows system file, supposedly a collection of LE executables
>>(0x3c.l)	string	W3	\b, W3 for MS Windows
!:mime	application/x-dosexec

>>(0x3c.l)	string	LE\0\0	\b, LE executable
!:mime	application/x-dosexec
>>>(0x3c.l+0x0a)	leshort	1
# some DOS extenders use LE files with OS/2 header
>>>>0x240	search/0x100	DOS/4G	for MS-DOS, DOS4GW DOS extender
>>>>0x240	search/0x200	WATCOM\ C/C++	for MS-DOS, DOS4GW DOS extender
>>>>0x440	search/0x100	CauseWay\ DOS\ Extender	for MS-DOS, CauseWay DOS extender
>>>>0x40	search/0x40	PMODE/W	for MS-DOS, PMODE/W DOS extender
>>>>0x40	search/0x40	STUB/32A	for MS-DOS, DOS/32A DOS extender (stub)
>>>>0x40	search/0x80	STUB/32C	for MS-DOS, DOS/32A DOS extender (configurable stub)
>>>>0x40	search/0x80	DOS/32A	for MS-DOS, DOS/32A DOS extender (embedded)
# this is a wild guess; hopefully it is a specific signature
>>>>&0x24	lelong	<0x50
>>>>>(&0x4c.l)	string	\xfc\xb8WATCOM
>>>>>>&0	search/8	3\xdbf\xb9	\b, 32Lite compressed
# another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP
#>>>>(0x3c.l+0x1c)	lelong	>0x10000	for OS/2
# fails with DOS-Extenders.
>>>(0x3c.l+0x0a)	leshort	2	for MS Windows
>>>(0x3c.l+0x0a)	leshort	3	for DOS
>>>(0x3c.l+0x0a)	leshort	4	for MS Windows (VxD)
# VXD: VxD for Windows 95/98/Me
# 386: VxD for Windows 2.10, 3.0, 3.1x
# PDR: Port driver
# MPD: Miniport driver (?)
!:ext	vxd/386/pdr/mpd
>>>(&0x7c.l+0x26)	string	UPX	\b, UPX compressed
>>>&(&0x54.l-3)	string	UNACE	\b, ACE self-extracting archive

# looks like ASCII, probably some embedded copyright message.
# and definitely not NE/LE/LX/PE
>>0x3c	lelong	>0x20000000
>>>(4.s*512)	leshort	!0x014c	\b, MZ for MS-DOS
!:mime	application/x-dosexec
!:ext	exe/com
# header data too small for extended executable
>2	long	!0
>>0x18	leshort	<0x40
>>>(4.s*512)	leshort	!0x014c

>>>>&(2.s-514)	string	!LE
>>>>>&-2	string	!BW	\b, MZ for MS-DOS
!:mime	application/x-dosexec
>>>>&(2.s-514)	string	LE	\b, LE
>>>>>0x240	search/0x100	DOS/4G	for MS-DOS, DOS4GW DOS extender
# educated guess since indirection is still not capable enough for complex offset
# calculations (next embedded executable would be at &(&2*512+&0-2)
# I suspect there are only LE executables in these multi-exe files
>>>>&(2.s-514)	string	BW
>>>>>0x240	search/0x100	DOS/4G	\b, LE for MS-DOS, DOS4GW DOS extender (embedded)
>>>>>0x240	search/0x100	!DOS/4G	\b, BW collection for MS-DOS

# This sequence skips to the first COFF segment, usually .text
>(4.s*512)	leshort	0x014c	\b, COFF
!:mime	application/x-dosexec
>>(8.s*16)	string	go32stub	for MS-DOS, DJGPP go32 DOS extender
>>(8.s*16)	string	emx
>>>&1	string	x	for DOS, Win or OS/2, emx %s
>>&(&0x42.l-3)	byte	x
>>>&0x26	string	UPX	\b, UPX compressed
# and yet another guess: small .text, and after large .data is unusual, could be 32lite
>>&0x2c	search/0xa0	.text
>>>&0x0b	lelong	<0x2000
>>>>&0	lelong	>0x6000	\b, 32lite compressed

>(8.s*16)	string	$WdX	\b, WDos/X DOS extender

# By now an executable type should have been printed out. The executable
# may be a self-uncompressing archive, so look for evidence of that and
# print it out.
#
# Some signatures below from Greg Roelofs, newt@uchicago.edu.
#
>0x35	string	\x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05	\b, aPack compressed
>0xe7	string	LH/2\ Self-Extract	\b, %s
>0x1c	string	UC2X	\b, UCEXE compressed
>0x1c	string	WWP\ 	\b, WWPACK compressed
>0x1c	string	RJSX	\b, ARJ self-extracting archive
>0x1c	string	diet	\b, diet compressed
>0x1c	string	LZ09	\b, LZEXE v0.90 compressed
>0x1c	string	LZ91	\b, LZEXE v0.91 compressed
>0x1c	string	tz	\b, TinyProg compressed
>0x1e	string	Copyright\ 1989-1990\ PKWARE\ Inc.	Self-extracting PKZIP archive
!:mime	application/zip
# Yes, this really is "Copr", not "Corp."
>0x1e	string	PKLITE\ Copr.	Self-extracting PKZIP archive
!:mime	application/zip
# winarj stores a message in the stub instead of the sig in the MZ header
>0x20	search/0xe0	aRJsfX	\b, ARJ self-extracting archive
>0x20	string	AIN
>>0x23	string	2	\b, AIN 2.x compressed
>>0x23	string	<2	\b, AIN 1.x compressed
>>0x23	string	>2	\b, AIN 1.x compressed
>0x24	string	LHa's\ SFX	\b, LHa self-extracting archive
!:mime	application/x-lha
>0x24	string	LHA's\ SFX	\b, LHa self-extracting archive
!:mime	application/x-lha
>0x24	string	\ $ARX	\b, ARX self-extracting archive
>0x24	string	\ $LHarc	\b, LHarc self-extracting archive
>0x20	string	SFX\ by\ LARC	\b, LARC self-extracting archive
>0x40	string	aPKG	\b, aPackage self-extracting archive
>0x64	string	W\ Collis\0\0	\b, Compack compressed
>0x7a	string	Windows\ self-extracting\ ZIP	\b, ZIP self-extracting archive
>>&0xf4	search/0x140	\x0\x40\x1\x0
>>>(&0.l+(4))	string	MSCF	\b, WinHKI CAB self-extracting archive
>1638	string	-lh5-	\b, LHa self-extracting archive v2.13S
>0x17888	string	Rar!	\b, RAR self-extracting archive

# Skip to the end of the EXE. This will usually work fine in the PE case
# because the MZ image is hardcoded into the toolchain and almost certainly
# won't match any of these signatures.
>(4.s*512)	long	x
>>&(2.s-517)	byte	x
>>>&0	string	PK\3\4	\b, ZIP self-extracting archive
>>>&0	string	Rar!	\b, RAR self-extracting archive
>>>&0	string	=!\x11	\b, AIN 2.x self-extracting archive
>>>&0	string	=!\x12	\b, AIN 2.x self-extracting archive
>>>&0	string	=!\x17	\b, AIN 1.x self-extracting archive
>>>&0	string	=!\x18	\b, AIN 1.x self-extracting archive
>>>&7	search/400	**ACE**	\b, ACE self-extracting archive
>>>&0	search/0x480	UC2SFX\ Header	\b, UC2 self-extracting archive

# a few unknown ZIP sfxes, no idea if they are needed or if they are
# already captured by the generic patterns above
>(8.s*16)	search/0x20	PKSFX	\b, ZIP self-extracting archive (PKZIP)
# TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extracting archive
#

# TELVOX Teleinformatica CODEC self-extractor for OS/2:
>49801	string	\x79\xff\x80\xff\x76\xff	\b, CODEC archive v3.21
>>49824	leshort	=1	\b, 1 file
>>49824	leshort	>1	\b, %u files

# added by Joerg Jenderek of https://www.freedos.org/software/?prog=kc
# and https://www.freedos.org/software/?prog=kpdos
# for FreeDOS files like KEYBOARD.SYS, KEYBRD2.SYS, KEYBRD3.SYS, *.KBD
0	string/b	KCF	FreeDOS KEYBoard Layout collection
# only version=0x100 found
>3	uleshort	x	\b, version 0x%x
# length of string containing author,info and special characters
>6	ubyte	>0
#>>6	pstring	x	\b, name=%s
>>7	string	>\0	\b, author=%-.14s
>>7	search/254	\xff	\b, info=
#>>>&0	string	x	\b%-s
>>>&0	string	x	\b%-.15s
# for FreeDOS *.KL files
0	string/b	KLF	FreeDOS KEYBoard Layout file
# only version=0x100 or 0x101 found
>3	uleshort	x	\b, version 0x%x
# stringlength
>5	ubyte	>0
>>8	string	x	\b, name=%-.2s
0	string	\xffKEYB\ \ \ \0\0\0\0
>12	string	\0\0\0\0`\004\360	MS-DOS KEYBoard Layout file

# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017
# https://amaus.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009
0	ulequad&0x07a0ffffffff	0xffffffff
>0	use	msdos-driver
0	name	msdos-driver	DOS executable (
#!:mime	application/octet-stream
!:mime	application/x-dosdriver
# also found FreeDOS print driver SPOOL.DEV and disc compression driver STACLOAD.BIN
!:ext	sys/dev/bin
>40	search/7	UPX!	\bUPX compressed
# DOS device driver attributes
>4	uleshort&0x8000	0x0000	\bblock device driver
# character device
>4	uleshort&0x8000	0x8000	\b
>>4	uleshort&0x0008	0x0008	\bclock
# fast video output by int 29h
>>4	uleshort&0x0010	0x0010	\bfast
# standard input/output device
>>4	uleshort&0x0003	>0	\bstandard
>>>4	uleshort&0x0001	0x0001	\binput
>>>4	uleshort&0x0003	0x0003	\b/
>>>4	uleshort&0x0002	0x0002	\boutput
>>4	uleshort&0x8000	0x8000	\bcharacter device driver
>0	ubyte	x
# upx compressed device driver has garbage instead of real in name field of header
>>40	search/7	UPX!
>>40	default	x
# leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped
>>>12	ubyte	>0x2E	\b
>>>>10	ubyte	>0x20
>>>>>10	ubyte	!0x2E
>>>>>>10	ubyte	!0x2A	\b%c
>>>>11	ubyte	>0x20
>>>>>11	ubyte	!0x2E	\b%c
>>>>12	ubyte	>0x20
>>>>>12	ubyte	!0x39
>>>>>>12	ubyte	!0x2E	\b%c
>>>13	ubyte	>0x20
>>>>13	ubyte	!0x2E	\b%c
>>>>14	ubyte	>0x20
>>>>>14	ubyte	!0x2E	\b%c
>>>>15	ubyte	>0x20
>>>>>15	ubyte	!0x2E	\b%c
>>>>16	ubyte	>0x20
>>>>>16	ubyte	!0x2E
>>>>>>16	ubyte	<0xCB	\b%c
>>>>17	ubyte	>0x20
>>>>>17	ubyte	!0x2E
>>>>>>17	ubyte	<0x90	\b%c
# some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field
>>>12	ubyte	<0x2F
# they have their real name at offset 22
# also block device drivers like DUMBDRV.SYS
>>>>22	string	>\056	%-.6s
>4	uleshort&0x8000	0x0000
# 32 bit sector addressing ( > 32 MB) for block devices
>>4	uleshort&0x0002	0x0002	\b,32-bit sector-
# support by driver functions 13h, 17h, 18h
>4	uleshort&0x0040	0x0040	\b,IOCTL-
# open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh
>4	uleshort&0x0800	0x0800	\b,close media-
# output until busy support by int 10h for character device driver
>4	uleshort&0x8000	0x8000
>>4	uleshort&0x2000	0x2000	\b,until busy-
# direct read/write support by driver functions 03h,0Ch
>4	uleshort&0x4000	0x4000	\b,control strings-
>4	uleshort&0x8000	0x8000
>>4	uleshort&0x6840	>0	\bsupport
>4	uleshort&0x8000	0x0000
>>4	uleshort&0x4842	>0	\bsupport
>0	ubyte	x	\b)
# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header
0	ulequad	0x0513c00000000012
>0	use	msdos-driver
# DOS drivers DC2975.SYS, DUMBDRV.SYS and ECHO.SYS also have a value other than 0xffffffff in the pointer field
0	ulequad	0x32f28000ffff0016
>0	use	msdos-driver
0	ulequad	0x007f00000000ffff
>0	use	msdos-driver
0	ulequad	0x001600000000ffff
>0	use	msdos-driver
# DOS drivers LS120.SYS, MKELS120.SYS use reserved bits of attribute field
0	ulequad	0x0bf708c2ffffffff
>0	use	msdos-driver
0	ulequad	0x07bd08c2ffffffff
>0	use	msdos-driver

# updated by Joerg Jenderek
# GRR: line below too general as it catches also
# rt.lib DYADISKS.PIC and many more
# start with assembler instruction MOV
0	ubyte	0x8c
# skip "AppleWorks word processor data" like ARTICLE.1 ./apple
>4	string	!O====
# skip some unknown basic binaries like RocketRnger.SHR
>>5	string	!MAIN
# skip "GPG symmetrically encrypted data" ./gnu
# skip "PGP symmetric key encrypted data" ./pgp
# openpgpdefs.h: fourth byte < 14 indicate cipher algorithm type
>>>4	ubyte	>13	DOS executable (COM, 0x8C-variant)
# the remaining files should be DOS *.COM executables
# dosshell.COM 8cc0 2ea35f07 e85211 e88a11 b80058 cd
# hmload.COM 8cc8 8ec0 bbc02b 89dc 83c30f c1eb04 b4
# UNDELETE.COM 8cca 2e8916 6503 b430 cd21 8b 2e0200 8b
# BOOTFIX.COM 8cca 2e8916 9603 b430 cd21 8b 2e0200 8b
# RAWRITE3.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
# SHARE.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
# validchr.COM 8cca 2e8916 9603 b430 cd21 8b 2e028b1e
# devload.COM 8cca 8916ad01 b430 cd21 8b2e0200 892e
!:mime	application/x-dosexec
!:ext	com

# updated by Joerg Jenderek at Oct 2008
0	ulelong	0xffff10eb	DR-DOS executable (COM)
# byte 0xeb conflicts with "sequent" magic leshort 0xn2eb
0	ubeshort&0xeb8d	>0xeb00
# DR-DOS STACKER.COM SCREATE.SYS missed

0	name	msdos-com
>0	byte	x	DOS executable (COM)
!:mime	application/x-dosexec
!:ext	com
>6	string	SFX\ of\ LHarc	\b, %s
>0x1FE	leshort	0xAA55	\b, boot code
>85	string	UPX	\b, UPX compressed
>4	string	\ $ARX	\b, ARX self-extracting archive
>4	string	\ $LHarc	\b, LHarc self-extracting archive
>0x20e	string	SFX\ by\ LARC	\b, LARC self-extracting archive

# JMP 8bit
0	byte	0xeb
# allow forward jumps only
>1	byte	>-1
# that offset must be accessible
>>(1.b+2)	byte	x
>>>0	use	msdos-com

# JMP 16bit
0	byte	0xe9
# forward jumps
>1	short	>-1
# that offset must be accessible
>>(1.s+3)	byte	x
>>>0	use	msdos-com
# negative offset, must not lead into PSP
>1	short	<-259
# that offset must be accessible
>>(1,s+65539)	byte	x
>>>0	use	msdos-com

# updated by Joerg Jenderek at Oct 2008,2015
# following line is too general
0	ubyte	0xb8
# skip 2 linux kernels like memtest.bin with "\xb8\xc0\x07\x8e" in ./linux
>0	string	!\xb8\xc0\x07\x8e
# modified by Joerg Jenderek
# syslinux COM32 or COM32R executable
>>1	lelong&0xFFFFFFFe	0x21CD4CFe	COM executable (32-bit COMBOOT
# https://www.syslinux.org/wiki/index.php/Comboot_API
# Since version 5.00 c32 modules switched from the COM32 object format to ELF
!:mime	application/x-c32-comboot-syslinux-exec
!:ext	c32
# https://syslinux.zytor.com/comboot.php
# older syslinux version ( <4 )
# (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode
# start with assembler instructions mov eax,21cd4cffh
>>>1	lelong	0x21CD4CFf	\b)
# syslinux:doc/comboot.txt
# A COM32R program must start with the byte sequence B8 FE 4C CD 21 (mov
# eax,21cd4cfeh) as a magic number.
# syslinux version (4.x)
# "COM executable (COM32R)" or "Syslinux COM32 module" by TrID
>>>1	lelong	0x21CD4CFe	\b, relocatable)
# remaining are DOS COM executables starting with assembler instruction MOV
# like FreeDOS BANNER*.COM FINDDISK.COM GIF2RAW.COM WINCHK.COM
# MS-DOS SYS.COM RESTART.COM
# SYSLINUX.COM (version 1.40 - 2.13)
# GFXBOOT.COM (version 3.75)
# COPYBS.COM POWEROFF.COM INT18.COM
>>1	default	x	COM executable for DOS
!:mime	application/x-dosexec
#!:mime	application/x-ms-dos-executable
#!:mime	application/x-msdos-program
!:ext	com

0	string/b	\x81\xfc
>4	string	\x77\x02\xcd\x20\xb9
>>36	string	UPX!	FREE-DOS executable (COM), UPX compressed
!:mime	application/x-dosexec
!:ext	com
252	string	Must\ have\ DOS\ version	DR-DOS executable (COM)
!:mime	application/x-dosexec
!:ext	com
# added by Joerg Jenderek at Oct 2008
# GRR search is not working
#34	search/2	UPX!	FREE-DOS executable (COM), UPX compressed
34	string	UPX!	FREE-DOS executable (COM), UPX compressed
!:mime	application/x-dosexec
!:ext	com
35	string	UPX!	FREE-DOS executable (COM), UPX compressed
!:mime	application/x-dosexec
!:ext	com
# GRR search is not working
#2	search/28	\xcd\x21	COM executable for MS-DOS
#WHICHFAT.cOM
2	string	\xcd\x21	COM executable for DOS
!:mime	application/x-dosexec
!:ext	com
#DELTREE.cOM DELTREE2.cOM
4	string	\xcd\x21	COM executable for DOS
!:mime	application/x-dosexec
!:ext	com
#IFMEMDSK.cOM ASSIGN.cOM COMP.cOM
5	string	\xcd\x21	COM executable for DOS
!:mime	application/x-dosexec
!:ext	com
#DELTMP.COm HASFAT32.cOM
7	string	\xcd\x21
>0	byte	!0xb8	COM executable for DOS
!:mime	application/x-dosexec
!:ext	com
#COMP.cOM MORE.COm
10	string	\xcd\x21
>5	string	!\xcd\x21	COM executable for DOS
!:mime	application/x-dosexec
!:ext	com
#comecho.com
13	string	\xcd\x21	COM executable for DOS
!:mime	application/x-dosexec
!:ext	com
#HELP.COm EDIT.coM
18	string	\xcd\x21	COM executable for MS-DOS
!:mime	application/x-dosexec
!:ext	com
#NWRPLTRM.COm
23	string	\xcd\x21	COM executable for MS-DOS
!:mime	application/x-dosexec
!:ext	com
#LOADFIX.cOm LOADFIX.cOm
30	string	\xcd\x21	COM executable for MS-DOS
!:mime	application/x-dosexec
!:ext	com
#syslinux.com 3.11
70	string	\xcd\x21	COM executable for DOS
!:mime	application/x-dosexec
!:ext	com
# many compressed/converted COMs start with a copy loop instead of a jump
0x6	search/0xa	\xfc\x57\xf3\xa5\xc3	COM executable for MS-DOS
!:mime	application/x-dosexec
!:ext	com
0x6	search/0xa	\xfc\x57\xf3\xa4\xc3	COM executable for DOS
!:mime	application/x-dosexec
!:ext	com
>0x18	search/0x10	\x50\xa4\xff\xd5\x73	\b, aPack compressed
0x3c	string	W\ Collis\0\0	COM executable for MS-DOS, Compack compressed
!:mime	application/x-dosexec
!:ext	com
# FIXME: missing diet .com compression

# miscellaneous formats
0	string/b	LZ	MS-DOS executable (built-in)
#0	byte	0xf0	MS-DOS program library data
#

# AAF files:
# <stuartc@rd.bbc.co.uk> Stuart Cunningham
0	string/b	\320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377	AAF legacy file using MS Structured Storage
>30	byte	9	(512B sectors)
>30	byte	12	(4kB sectors)
0	string/b	\320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001	AAF file using MS Structured Storage
>30	byte	9	(512B sectors)
>30	byte	12	(4kB sectors)

# Popular applications
#
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/DOC
# Reference: https://web.archive.org/web/20170206041048/
# http://www.msxnet.org/word2rtf/formats/ffh-dosword5
# wIdent+dty
0	belong	0x31be0000
# skip droid skeleton like x-fmt-274-signature-id-488.doc
>128	ubyte	>0	Microsoft
>>96	uleshort	=0	Word
!:mime	application/msword
!:apple	MSWDWDBN
# DCX is used in the Unix version.
!:ext	doc/dcx
>>>0x6E	ulequad	=0	1.0-4.0
>>>0x6E	ulequad	!0	5.0-6.0
>>>0x6E	ulequad	x	(DOS) Document
# https://web.archive.org/web/20130831064118/http://msxnet.org/word2rtf/formats/write.txt
>>96	uleshort	!0	Write 3.0 (Windows) Document
!:mime	application/x-mswrite
!:apple	MSWDWDBN
# sometimes also doc like in splitter.doc srchtest.doc
!:ext	wri/doc
# wTool must be 0125400 octal
#>>4	uleshort	!0xAB00	\b, wTool %o
# reserved; must be zero
#>>6	ulelong	!0	\b, reserved %u
# block pointer to the block containing optional file manager information
#>>0x1C	uleshort	x	\b, at 0x%x info block
# jump to File manager information block
>>(0x1C.s*128)	uleshort	x
# test for valid information start; maybe also 0012h
>>>&-2	uleshort	=0x0014
# Document ASCIIZ name
>>>>&0x12	string	x	%s
# author name
>>>>>&1	string	x	\b, author %s
# reviser name
>>>>>>&1	string	x	\b, reviser %s
# keywords
>>>>>>>&1	string	x	\b, keywords %s
# comment
>>>>>>>>&1	string	x	\b, comment %s
# version number
>>>>>>>>>&1	string	x	\b, version %s
# date of last change MM/DD/YY
>>>>>>>>>>&1	string	x	\b, %-.8s
# creation date MM/DD/YY
>>>>>>>>>>&9	string	x	created %-.8s
# file name of print format like NORMAL.STY
>>0x1E	string	>0	\b, formatted by %-.66s
# count of pages in whole file for write variant; maybe sometimes wrong
>>96	uleshort	>0	\b, %u pages
# name of the printer driver like HPLASMS
>>0x62	string	>0	\b, %-.8s printer
# number of blocks used in the file; seems to be 0 for Word 4.0 and Write 3.0
>>0x6A	uleshort	>0	\b, %u blocks
# bit field for corrected text areas
#>>0x6C	uleshort	x	\b, 0x%x bit field
# text of document; sometimes starts with 4 non-printable characters like CR LF
>>128	ubyte	x	\b,
>>>128	ubyte	>0x1F
>>>>128	string	x	%s
>>>128	ubyte	<0x20
>>>>129	ubyte	>0x1F
>>>>>129	string	x	%s
>>>>129	ubyte	<0x20
>>>>>130	ubyte	>0x1F
>>>>>>130	string	x	%s
>>>>>130	ubyte	<0x20
>>>>>>131	ubyte	>0x1F
>>>>>>>131	string	x	%s
>>>>>>131	ubyte	<0x20
>>>>>>>132	ubyte	>0x1F
>>>>>>>>132	string	x	%s
>>>>>>>132	ubyte	<0x20
>>>>>>>>133	ubyte	>0x1F
>>>>>>>>>133	string	x	%s
#
0	string/b	PO^Q`	Microsoft Word 6.0 Document
!:mime	application/msword
#
4	long	0
>0	belong	0xfe320000	Microsoft Word for Macintosh 1.0
!:mime	application/msword
!:ext	mcw
>0	belong	0xfe340000	Microsoft Word for Macintosh 3.0
!:mime	application/msword
!:ext	mcw
>0	belong	0xfe37001c	Microsoft Word for Macintosh 4.0
!:mime	application/msword
!:ext	mcw
>0	belong	0xfe370023	Microsoft Word for Macintosh 5.0
!:mime	application/msword
!:ext	mcw

0	string/b	\333\245-\0\0\0	Microsoft Word 2.0 Document
!:mime	application/msword
!:ext	doc
# Note: seems already recognized as "OLE 2 Compound Document" in ./ole2compounddocs
#512	string/b	\354\245\301	Microsoft Word Document
#!:mime	application/msword

#
0	string/b	\xDB\xA5\x2D\x00	Microsoft WinWord 2.0 Document
!:mime	application/msword
#
0	string/b	\xDB\xA5\x2D\x00	Microsoft WinWord 2.0 Document
!:mime	application/msword

#
0	string/b	\x09\x04\x06\x00\x00\x00\x10\x00	Microsoft Excel Worksheet
!:mime	application/vnd.ms-excel
# https://www.macdisk.com/macsigen.php
!:apple	XCELXLS4
!:ext	xls
#
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/Lotus_1-2-3
# Reference: http://www.aboutvb.de/bas/formate/pdf/wk3.pdf
# Note: newer Lotus versions >2 use longer BOF record
# record type (BeginningOfFile=0000h) + length (001Ah)
0	belong	0x00001a00
# reserved should be 0h but 8c0dh for TUTMAC.WK3, 5h for SAMPADNS.WK3, 1h for a_readme.wk3, 1eh for K&G86.WK3
#>18	uleshort&0x73E0	0
# Lotus Multi Byte Character Set (LMBCS=1-31)
>20	ubyte	>0
>>20	ubyte	<32	Lotus 1-2-3
#!:mime	application/x-123
!:mime	application/vnd.lotus-1-2-3
!:apple	????L123
# (version 5.26) labeled the entry as "Lotus 1-2-3 wk3 document data"
>>>4	uleshort	0x1000	WorKsheet, version 3
!:ext	wk3
# (version 5.26) labeled the entry as "Lotus 1-2-3 wk4 document data"
>>>4	uleshort	0x1002	WorKsheet, version 4
# also worksheet template 4 (.wt4)
!:ext	wk4/wt4
# no example or documentation for wk5
#>>4	uleshort	0x????	WorKsheet, version 4
#!:ext	wk5
# only MacrotoScript.123 example
>>>4	uleshort	0x1003	WorKsheet, version 97
# also worksheet template Smartmaster (.12M)?
!:ext 123
# only Set_Y2K.123 example
>>>4 uleshort 0x1005 WorKsheet, version 9.8 Millennium
!:ext 123
# no example for this version
>>>4 uleshort 0x8001 FoRMatting data
!:ext frm
# (version 5.26) labeled the entry as "Lotus 1-2-3 fm3 or fmb document data"
# TrID labels the entry as "Formatting Data for Lotus 1-2-3 worksheet"
>>>4 uleshort 0x8007 ForMatting data, version 3
!:ext fm3
>>>4 default x unknown
# file revision sub code 0004h for worksheets
>>>>6 uleshort =0x0004 worksheet
!:ext wXX
>>>>6 uleshort !0x0004 formatting data
!:ext fXX
# main revision number
>>>>4 uleshort x \b, revision 0x%x
>>>6 uleshort =0x0004 \b, cell range
# active cellcoord range (start row, page,column ; end row, page, column)
# start values normally 0~1st sheet A1
>>>>8 ulelong !0
>>>>>10 ubyte >0 \b%d*
>>>>>8 uleshort x \b%d,
>>>>>11 ubyte x \b%d-
# end page mostly 0
>>>>14 ubyte >0 \b%d*
# end row, column normally not 0
>>>>12 uleshort x \b%d,
>>>>15 ubyte x \b%d
# Lotus Multi Byte Character Set (1~cp850,2~cp851,...,16~japan,...,31~??)
>>>>20 ubyte >1 \b, character set 0x%x
# flags
>>>>21 ubyte x \b, flags 0x%x
>>>6 uleshort !0x0004
# record type (FONTNAME=00AEh)
>>>>30 search/29 \0\xAE
# variable length m (2) + entries (1) + ?? (1) + LMBCS string (n)
>>>>>&4 string >\0 \b, 1st font "%s"
#
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/Lotus_1-2-3
# Reference: http://www.schnarff.com/file-formats/lotus-1-2-3/WSFF2.TXT
# Note: Used by both old Lotus 1-2-3 and Lotus Symphony (DOS) til version 2.x
# record type (BeginningOfFile=0000h) + length (0002h)
0 belong 0x00000200
# GRR: line above is too general as it catches also MS Windows CURsor
# to display MS Windows cursor (strength=70) before Lotus 1-2-3 (strength=70-1)
!:strength -1
# skip Windows cursors with image height <256 and keep Lotus with low opcode 0001-0083h
>7 ubyte 0
# skip Windows cursors with image width 256 and keep Lotus with positive opcode
>>6 ubyte >0 Lotus
# !:mime application/x-123
!:mime application/vnd.lotus-1-2-3
!:apple ????L123
# revision number (0404h = 123 1A, 0405h = Lotus Symphony , 0406h = 123 2.x wk1 , 8006h = fmt , ...)
# undocumented; (version 5.26) labeled the configurations as "Lotus 1-2-3"
>>>4 uleshort 0x0007 1-2-3 CoNFiguration, version 2.x (PGRAPH.CNF)
!:ext cnf
>>>4 uleshort 0x0C05 1-2-3 CoNFiguration, version 2.4J
!:ext cnf
>>>4 uleshort 0x0801 1-2-3 CoNFiguration, version 1-2.1
!:ext cnf
>>>4 uleshort 0x0802 Symphony CoNFiguration
!:ext cnf
>>>4 uleshort 0x0804 1-2-3 CoNFiguration, version 2.2
!:ext cnf
>>>4 uleshort 0x080A 1-2-3 CoNFiguration, version 2.3-2.4
!:ext cnf
>>>4 uleshort 0x1402 1-2-3 CoNFiguration, version 3.x
!:ext cnf
>>>4 uleshort 0x1450 1-2-3 CoNFiguration, version 4.x
!:ext cnf
# (version 5.26) labeled the entry as "Lotus 123"
# TrID labels the entry as "Lotus 123 Worksheet (generic)"
>>>4 uleshort 0x0404 1-2-3 WorKSheet, version 1
# extension "wks" also for Microsoft Works document
!:ext wks
# (version 5.26) labeled the entry as "Lotus 123"
# TrID labels the entry as "Lotus 123 Worksheet (generic)"
>>>4 uleshort 0x0405 Symphony WoRksheet, version 1.0
!:ext wrk/wr1
# (version 5.26) labeled the entry as "Lotus 1-2-3 wk1 document data"
# TrID labels the entry as "Lotus 123 Worksheet (V2)"
>>>4 uleshort 0x0406 1-2-3/Symphony worksheet, version 2
# Symphony (.wr1)
!:ext wk1/wr1
# no example for this japan version
>>>4 uleshort 0x0600 1-2-3 WorKsheet, version 1.xJ
!:ext wj1
# no example or documentation for wk2
#>>>4 uleshort 0x???? 1-2-3 WorKsheet, version 2
#!:ext wk2
# undocumented japan version
>>>4 uleshort 0x0602 1-2-3 worksheet, version 2.4J
!:ext wj3
# (version 5.26) labeled the entry as "Lotus 1-2-3 fmt document data"
>>>4 uleshort 0x8006 1-2-3 ForMaTting data, version 2.x
# japan version 2.4J (fj3)
!:ext fmt/fj3
# no example for this version
>>>4 uleshort 0x8007 1-2-3 FoRMatting data, version 2.0
!:ext frm
# (version 5.26) labeled the entry as "Lotus 1-2-3"
>>>4 default x unknown worksheet or configuration
!:ext cnf
>>>>4 uleshort x \b, revision 0x%x
# 2nd record for most worksheets describes cells range
>>>6 use lotus-cells
# 3rd record for most japan worksheets describes cells range
>>>(8.s+10) use lotus-cells
# check and then display Lotus worksheet cells range
0 name lotus-cells
# look for type (RANGE=0006h) + length (0008h) at record begin
>0 ubelong 0x06000800 \b, cell range
# cell range (start column, row, end column, row) start values normally 0,0~A1 cell
>>4 ulong !0
>>>4 uleshort x \b%d,
>>>6 uleshort x \b%d-
# end of cell range
>>8 uleshort x \b%d,
>>10 uleshort x \b%d
# EndOfLotus123
0 string/b WordPro\0 Lotus WordPro
!:mime application/vnd.lotus-wordpro
0 string/b WordPro\r\373 Lotus WordPro
!:mime application/vnd.lotus-wordpro


# Summary: Script used by InstallShield to uninstall applications
# Extension: .isu
# Submitted by: unknown
# Modified by (1): Abel Cheung <abelcheung@gmail.com> (replace useless entry)
0 string \x71\xa8\x00\x00\x01\x02
>12 string Stirling\ Technologies, InstallShield Uninstall Script

# Winamp .avs
#0 string Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media player
0 string/b Nullsoft\ AVS\ Preset\  Winamp plug in

# Windows Metafile .WMF
0 string/b \327\315\306\232 Windows metafile
!:mime image/wmf
!:ext wmf
0 string/b \002\000\011\000 Windows metafile
!:mime image/wmf
!:ext wmf
0 string/b \001\000\011\000 Windows metafile
!:mime image/wmf
!:ext wmf

#tz3 files whatever that is (MS Works files)
0 string/b \003\001\001\004\070\001\000\000 tz3 ms-works file
0 string/b \003\002\001\004\070\001\000\000 tz3 ms-works file
0 string/b \003\003\001\004\070\001\000\000 tz3 ms-works file

# PGP sig files .sig
#0 string \211\000\077\003\005\000\063\237\127 065 to \027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\225\003\005\000\062\122\207\304\100\345\042 PGP sig

# windows zips files .dmf
0 string/b MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000 MS Windows special zipped file

# Windows icons
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
# Note: similar to Windows CURsor. container for BMP (only DIB part) or PNG
0 belong 0x00000100
>9 byte 0
>>0 byte x
>>0 use cur-ico-dir
>9 ubyte 0xff
>>0 byte x
>>0 use cur-ico-dir
# displays number of icons and information for icon or cursor
0 name cur-ico-dir
# skip some Lotus 1-2-3 worksheets, CYCLE.PIC and keep Windows cursors with
# 1st data offset = dir header size + n * dir entry size = 6 + n * 10h = ?6h
>18 ulelong &0x00000006
# skip remaining worksheets, because valid only for DIB image (40) or PNG image (\x89PNG)
>>(18.l) ulelong x MS Windows
>>>0 ubelong 0x00000100 icon resource
# https://www.iana.org/assignments/media-types/image/vnd.microsoft.icon
!:mime image/vnd.microsoft.icon
#!:mime image/x-icon
!:ext ico
>>>>4 uleshort x - %d icon
# plural s
>>>>4 uleshort >1 \bs
# 1st icon
>>>>0x06 use ico-entry
# 2nd icon
>>>>4 uleshort >1
>>>>>0x16 use ico-entry
>>>0 ubelong 0x00000200 cursor resource
#!:mime image/x-cur
!:mime image/x-win-bitmap
!:ext cur
>>>>4 uleshort x - %d icon
>>>>4 uleshort >1 \bs
# 1st cursor
>>>>0x06 use cur-entry
#>>>>0x16 use cur-entry
# display information of one cursor entry
0 name cur-entry
>0 use cur-ico-entry
>4 uleshort x \b, hotspot @%dx
>6 uleshort x \b%d
# display information of one icon entry
0 name ico-entry
>0 use cur-ico-entry
# normally 0 1 but also found 14
>4 uleshort >1 \b, %d planes
# normally 0 1 but also found some 3, 4, some 6, 8, 24, many 32, two 256
>6 uleshort >1 \b, %d bits/pixel
# display shared information of cursor or icon entry
0 name cur-ico-entry
>0 byte =0 \b, 256x
>0 byte !0 \b, %dx
>1 byte =0 \b256
>1 byte !0 \b%d
# number of colors in palette
>2 ubyte !0 \b, %d colors
# reserved 0 FFh
#>3 ubyte x \b, reserved %x
#>8 ulelong x \b, image size %d
# offset of PNG or DIB image
#>12 ulelong x \b, offset 0x%x
# PNG header (\x89PNG)
>(12.l) ubelong =0x89504e47
# 1 space char after "with" to get phrase "with PNG image" by magic in ./images
>>&-4 indirect x \b with 
# DIB image
>(12.l) ubelong !0x89504e47
#>>&-4 use dib-image

# Windows non-animated cursors
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
# Note: similar to Windows ICOn. container for BMP ( only DIB part)
# GRR: line below is too general as it catches also Lotus 1-2-3 files
0 belong 0x00000200
>9 byte 0
>>0 use cur-ico-dir
>9 ubyte 0xff
>>0 use cur-ico-dir

# .chr files
0 string/b PK\010\010BGI Borland font
>4 string >\0 %s
# then there is a copyright notice


# .bgi files
0 string/b pk\010\010BGI Borland device
>4 string >\0 %s
# then there is a copyright notice


# Windows Recycle Bin record file (named INFO2)
# By Abel Cheung (abelcheung AT gmail dot com)
# Version 4 always has 280 bytes (0x118) per record, version 5 has 800 bytes
# Since Vista uses another structure, INFO2 structure probably won't change
# anymore. Detailed analysis in:
# http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf
0 lelong 0x00000004
>12 lelong 0x00000118 Windows Recycle Bin INFO2 file (Win98 or below)

0 lelong 0x00000005
>12 lelong 0x00000320 Windows Recycle Bin INFO2 file (Win2k - WinXP)

# From Doug Lee via a FreeBSD pr
9 string GERBILDOC First Choice document
9 string GERBILDB First Choice database
9 string GERBILCLIP First Choice database
0 string GERBIL First Choice device file
9 string RABBITGRAPH RabbitGraph file
0 string DCU1 Borland Delphi .DCU file
0 string =!<spell> MKS Spell hash list (old format)
0 string =!<spell2> MKS Spell hash list
# Too simple - MPi
#0 string AH Halo(TM) bitmapped font file
0 lelong 0x08086b70 TurboC BGI file
0 lelong 0x08084b50 TurboC Font file

# Debian#712046: The magic below identifies "Delphi compiled form data".
# An additional source of information is available at:
# http://www.woodmann.com/fravia/dafix_t1.htm
0 string TPF0
>4 pstring >\0 Delphi compiled form '%s'

# tests for DBase files moved, updated and merged to database

0 string PMCC Windows 3.x .GRP file
1 string RDC-meg MegaDots
>8 byte >0x2F version %c
>9 byte >0x2F \b.%c file
0 lelong 0x4C
>4 lelong 0x00021401 Windows shortcut file

# .PIF files added by Joerg Jenderek from https://smsoft.ru/en/pifdoc.htm
# only for windows versions equal or greater 3.0
0x171 string MICROSOFT\ PIFEX\0 Windows Program Information File
!:mime application/x-dosexec
!:ext pif
#>2 string >\0 \b, Title:%.30s
>0x24 string >\0 \b for %.63s
>0x65 string >\0 \b, directory=%.64s
>0xA5 string >\0 \b, parameters=%.64s
#>0x181 leshort x \b, offset %x
#>0x183 leshort x \b, offsetdata %x
#>0x185 leshort x \b, section length %x
>0x187 search/0xB55 WINDOWS\ VMM\ 4.0\0
>>&0x5e ubyte >0
>>>&-1 string <PIFMGR.DLL \b, icon=%s
#>>>&-1 string PIFMGR.DLL \b, icon=%s
>>>&-1 string >PIFMGR.DLL \b, icon=%s
>>&0xF0 ubyte >0
>>>&-1 string <Terminal \b, font=%.32s
#>>>&-1 string =Terminal \b, font=%.32s
>>>&-1 string >Terminal \b, font=%.32s
>>&0x110 ubyte >0
>>>&-1 string <Lucida\ Console \b, TrueTypeFont=%.32s
#>>>&-1 string =Lucida\ Console \b, TrueTypeFont=%.32s
>>>&-1 string >Lucida\ Console \b, TrueTypeFont=%.32s
#>0x187 search/0xB55 WINDOWS\ 286\ 3.0\0 \b, Windows 3.X standard mode-style
#>0x187 search/0xB55 WINDOWS\ 386\ 3.0\0 \b, Windows 3.X enhanced mode-style
>0x187 search/0xB55 WINDOWS\ NT\ \ 3.1\0 \b, Windows NT-style
#>0x187 search/0xB55 WINDOWS\ NT\ \ 4.0\0 \b, Windows NT-style
>0x187 search/0xB55 CONFIG\ \ SYS\ 4.0\0 \b +CONFIG.SYS
#>>&06 string x \b:%s
>0x187 search/0xB55 AUTOEXECBAT\ 4.0\0 \b +AUTOEXEC.BAT
#>>&06 string x \b:%s

# DOS EPS Binary File Header
# From: Ed Sznyter <ews@Black.Market.NET>
0 belong 0xC5D0D3C6 DOS EPS Binary File
!:mime image/x-eps
>4 long >0 Postscript starts at byte %d
>>8 long >0 length %d
>>>12 long >0 Metafile starts at byte %d
>>>>16 long >0 length %d
>>>20 long >0 TIFF starts at byte %d
>>>>24 long >0 length %d

# TNEF magic From "Joomy" <joomy@se-ed.net>
# Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF)
0 lelong 0x223e9f78 TNEF
!:mime application/vnd.ms-tnef

# Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C
# of http://www.davep.org/norton-guides/ng2h-105.tgz
# https://en.wikipedia.org/wiki/Norton_Guides
0 string NG\0\001
# only value 0x100 found at offset 2
>2 ulelong 0x00000100 Norton Guide
# Title[40]
>>8 string >\0 "%-.40s"
#>>6 uleshort x \b, MenuCount=%u
# szCredits[5][66]
>>48 string >\0 \b, %-.66s
>>114 string >\0 %-.66s

# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS
# of https://www.4dos.info/
# pointer,HelpID[8]=4DHnnnmm
0 ulelong 0x48443408 4DOS help file
>4 string x \b, version %-4.4s

# old binary Microsoft (.HLP) files added by Joerg Jenderek from http://file-extension.net/seeker/file_extension_hlp
0 ulequad 0x3a000000024e4c MS Advisor help file

# HtmlHelp files (.chm)
0 string/b ITSF\003\000\000\000\x60\000\000\000 MS Windows HtmlHelp Data

# GFA-BASIC (Wolfram Kleff)
2 string/b GFA-BASIC3 GFA-BASIC 3 data

#------------------------------------------------------------------------------
# From Stuart Caie <kyzer@4u.net> (developer of cabextract)
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/Cabinet_(file_format)
# Reference: https://msdn.microsoft.com/en-us/library/bb267310.aspx
# Note: verified by `7z l *.cab`
# Microsoft Cabinet files
0 string/b MSCF\0\0\0\0 Microsoft Cabinet archive data
#
# https://support.microsoft.com/en-us/help/973559/frequently-asked-questions-about-the-microsoft-support-diagnostic-tool
# CAB with *.{diagcfg,diagpkg} is used by Microsoft Support Diagnostic Tool MSDT.EXE
# because some archive does not have *.diag* as 1st or 2nd archive member like
# O15CTRRemove.diagcab or AzureStorageAnalyticsLogs_global.DiagCab
# brute looking after header for filenames with diagcfg or diagpkg extension in CFFILE section
>0x2c search/980/c .diag \b, Diagnostic
!:mime application/vnd.ms-cab-compressed
!:ext diagcab
# http://fileformats.archiveteam.org/wiki/PUZ
# Microsoft Publisher version about 2003 has a "Pack and Go" feature that
# bundles a Publisher document *PNG.pub with all links into a CAB
>0x2c search/300/c png.pub\0 \b, Publisher Packed and Go
!:mime application/vnd.ms-cab-compressed
!:ext puz
# ppz variant with Microsoft PowerPoint Viewer ppview32.exe to play PowerPoint presentation
>0x2c search/17/c ppview32.exe\0 \b, PowerPoint Viewer Packed and Go
!:mime application/vnd.ms-powerpoint
#!:mime application/mspowerpoint
!:ext ppz
# URL: https://en.wikipedia.org/wiki/Windows_Desktop_Gadgets
# Reference: https://docs.microsoft.com/en-us/previous-versions/windows/desktop/sidebar/
# http://win10gadgets.com/download/273/ All_CPU_Meter1.zip/All_CPU_Meter_V4.7.3.gadget
>0x2c search/968/c gadget.xml \b, Windows Desktop Gadget
#!:mime application/vnd.ms-cab-compressed
# http://extension.nirsoft.net/gadget
!:mime application/x-windows-gadget
!:ext gadget
# http://www.incredimail.com/
# IncrediMail CAB contains an initialisation file "content.ini" like in im2.ims
>0x2c search/3369/c content.ini\0 \b, IncrediMail
!:mime application/x-incredimail
# member Flavor.htm implies IncrediMail ecard like in tell_a_friend.imf
>>0x2c search/83/c Flavor.htm\0 ecard
!:ext imf
# member Macromedia Flash data *.swf implies IncrediMail skin like in im2.ims
>>0x2c search/211/c .swf\0 skin
!:ext ims
# member anim.im3 implies IncrediMail animation like in letter_fold.ima
>>0x2c search/92/c anim.im3\0 animation
!:ext ima
# other IncrediMail cab archive
>>0x2c default x
>>>0x2c search/116/c thumb ecard, image, notifier or skin
!:ext imf/imi/imn/ims
# http://file-extension.net/seeker/file_extension_ime
>>>0x2c default x emoticons or sound
!:ext ime/imw
# no Diagnostic, Packed and Go, Windows Desktop Gadget, IncrediMail
>0x2c default x
# look for 1st member name
>>(16.l+16) ubyte x
# https://en.wikipedia.org/wiki/SNP_file_format
>>>&-1 string/c _accrpt_.snp \b, Access report snapshot
!:mime application/msaccess
!:ext snp
# https://en.wikipedia.org/wiki/Microsoft_InfoPath
>>>&-1 string manifest.xsf \b, InfoPath Form Template
!:mime application/vnd.ms-cab-compressed
#!:mime application/vnd.ms-infopath
!:ext xsn
# https://www.cabextract.org.uk/wince_cab_format/
# extension of DOS 8+3 name with ".000" of 1st archive member name implies Windows CE installer
>>>&7 string =.000 \b, WinCE install
!:mime application/vnd.ms-cab-compressed
!:ext cab

# https://support.microsoft.com/kb/934307/en-US
# All inspected MSU contain a file with name WSUSSCAN.cab
# that is called "Windows Update meta data" by Microsoft
>>>&-1 string/c wsusscan.cab \b, Microsoft Standalone Update
!:mime application/vnd.ms-cab-compressed
!:ext msu
>>>&-1 default x
# look at point character of 1st archive member name for file name extension
>>>>&-1 search/255 .
# http://www.pptfaq.com/FAQ00164_What_is_a_PPZ_file-.htm
# PPZ were created using Pack & Go feature of PowerPoint versions 97 - 2002
# packs optional files, a PowerPoint presentation *.ppt with optional PLAYLIST.LST to CAB
>>>>>&0 string/c ppt\0 \b, PowerPoint Packed and Go
!:mime application/vnd.ms-powerpoint
#!:mime application/mspowerpoint
!:ext ppz
# https://msdn.microsoft.com/en-us/library/windows/desktop/bb773190(v=vs.85).aspx
# first member *.theme implies Windows 7 Theme Pack like in CommunityShowcaseAqua3.themepack
# or Windows 8 Desktop Theme Pack like in PanoramicGlaciers.deskthemepack
>>>>>&0 string/c theme \b, Windows
!:mime application/x-windows-themepack
# https://www.drewkeller.com/content/using-theme-both-windows-7-and-windows-8
# 1st member Panoramic.theme or Panoramas.theme implies Windows 8-10 Theme Pack
# with MTSM=RJSPBS in [MasterThemeSelector] inside *.theme
>>>>>>(16.l+16) string =Panoram 8
!:ext deskthemepack
>>>>>>(16.l+16) string !Panoram 7 or 8
!:ext themepack/deskthemepack
>>>>>>(16.l+16) ubyte x Theme Pack
>>>>>&0 default x
# look for null terminator of 1st member name
>>>>>>&0 search/255 \0
# 2nd member name WSUSSCAN.cab like in Microsoft-Windows-MediaFeaturePack-OOB-Package.msu
>>>>>>>&16 string/c wsusscan.cab \b, Microsoft Standalone Update
!:mime application/vnd.ms-cab-compressed
!:ext msu
>>>>>>>&16 default x
# archive with more than one file need some output in version 5.32 to avoid error message like
# Magdir/msdos, 1138: Warning: Current entry does not yet have a description for adding a MIME type
# Magdir/msdos, 1139: Warning: Current entry does not yet have a description for adding a EXTENSION type
# file: could not find any valid magic files!
>>>>>>>>28 uleshort >1 \b, many
!:mime application/vnd.ms-cab-compressed
!:ext cab
# remaining archives with just one file
>>>>>>>>28 uleshort =1
# neither extra bytes nor cab chain implies Windows 2000,XP setup files in directory i386
>>>>>>>>>30 uleshort =0x0000 \b, Windows 2000/XP setup
# cut off last char of source extension and add underscore to generate extension
# TERMCAP._ ... FXSCOUNT.H_ ... L3CODECA.AC_ ... NPDRMV2.ZI_
!:mime application/vnd.ms-cab-compressed
!:ext _/?_/??_
# archive need some output like "single" in version 5.32 to avoid error messages
>>>>>>>>>30 uleshort !0x0000 \b, single
!:mime application/vnd.ms-cab-compressed
!:ext cab
# TODO: additional extensions like
# .xtp InfoPath Template Part
# .lvf Logitech Video Effects Face Accessory
>8 ulelong x \b, %u bytes
>28 uleshort 1 \b, 1 file
>28 uleshort >1 \b, %u files
# Reserved fields, set to zero
#>4 belong !0 \b, reserved1 %x
#>12 belong !0 \b, reserved2 %x
# offset of the first CFFILE entry coffFiles: minimal 2Ch
>16 ulelong x \b, at 0x%x
>(16.l) use cab-file
# at least also 2nd member
>28 uleshort >1
>>(16.l+16) ubyte x
>>>&0 search/255 \0
# second member info
>>>>&0 use cab-file
#>20 belong !0 \b, reserved %x
# Cabinet file format version. Currently, versionMajor = 1 and versionMinor = 3
>24 ubeshort !0x0301 \b version 0x%x
# number of CFFOLDER entries
>26 uleshort >1 \b, %u cffolders
# cabinet file option indicators 1~PREVIOUS, 2~NEXT, 4~reserved fields
# only found for flags 0 1 2 3 4 not 7
>30 uleshort >0 \b, flags 0x%x
# Cabinet files have a 16-bit cabinet setID field that is designed for application use.
# default is zero, however, the -i option of cabarc can be used to set this field
>32 uleshort >0 \b, ID %u
# iCabinet is number of this cabinet file in a set, where 0 for the first cabinet
#>34 uleshort x \b, iCabinet %u
# add one for display because humans start numbering by 1 and also fit to name of disk szDisk*
>34 uleshort+1 x \b, number %u
>30 uleshort &0x0004 \b, extra bytes
# cbCFHeader optional size of per-cabinet reserved area 14h 1800h
>>36 uleshort >0 %u in head
# cbCFFolder is optional size of per-folder reserved area
>>38 ubyte >0 %u in folder
# cbCFData is optional size of per-datablock reserved area
>>39 ubyte >0 %u in data block
# optional per-cabinet reserved area abReserve[cbCFHeader]
>>36 uleshort >0
# 1st CFFOLDER after reserved area in header
>>>(36.s+40) use cab-folder
# no reserved area in header
>30 uleshort ^0x0004
# no previous and next cab archive
>>30 uleshort =0x0000
>>>36 use cab-folder
# only previous cab archive
>>30 uleshort =0x0001 \b, previous
>>>36 use cab-anchor
# only next cab archive
>>30 uleshort =0x0002 \b, next
>>>36 use cab-anchor
# previous+next cab archive
# can not use sub routine cab-anchor to display previous and next cabinet together
#>>>36 use cab-anchor
#>>>>&0 use cab-anchor
>>30 uleshort =0x0003 \b, previous
>>>36 string x %s
# optional name of previous disk szDisk*
>>>>&1 string x disk %s
>>>>>&1 string x \b, next %s
# optional name of previous disk szDisk*
>>>>>>&1 string x disk %s
>>>>>>>&1 use cab-folder
# display filename and disk name of previous or next cabinet
0 name cab-anchor
# optional name of previous/next cabinet file szCabinet*[255]
>&0 string x %s
# optional name of previous/next disk szDisk*[255]
>>&1 string x disk %s
# display folder structure CFFOLDER information like compression of cabinet
0 name cab-folder
# offset of the CFDATA block in this folder
#>0 ulelong x \b, coffCabStart 0x%x
# number of CFDATA blocks in folder
>4 uleshort x \b, %u datablock
# plural s
>4 uleshort >1 \bs
# compression typeCompress: 0~None 1~MSZIP 0x1503~LZX:21 0x1003~LZX:16 0x0f03~LZX:15
>6 uleshort x \b, 0x%x compression
# optional per-folder reserved area
#>8 ubequad x \b, abReserve 0x%llx
# display member structure CFFILE information like member name of cabinet
0 name cab-file
# cbFile is uncompressed size of file in bytes
#>0 ulelong x \b, cbFile %u
# uoffFolderStart is uncompressed offset of file in folder
#>4 ulelong >0 \b, uoffFolderStart 0x%x
# iFolder is index into the CFFOLDER area. 0 indicates first folder in cabinet
# define ifoldCONTINUED_FROM_PREV (0xFFFD)
# define ifoldCONTINUED_TO_NEXT (0xFFFE)
# define ifoldCONTINUED_PREV_AND_NEXT (0xFFFF)
>8 uleshort >0 \b, iFolder 0x%x
# date stamp for file
#>10 uleshort x \b, date 0x%x
# time stamp for file
#>12 uleshort x \b, time 0x%x
# attribs is attribute flags for file
# define _A_RDONLY (0x01) file is read-only
# define _A_HIDDEN (0x02) file is hidden
# define _A_SYSTEM (0x04) file is a system file
# define _A_ARCH (0x20) file modified since last backup
# example http://sebastien.kirche.free.fr/pebuilder_plugins/depends.cab
# define _A_EXEC (0x40) run after extraction
# define _A_NAME_IS_UTF (0x80) szName[] contains UTF
# define UNKNOWN (0x0100) undocumented or accident
#>14 uleshort x \b, attribs 0x%x
>14 uleshort >0 +
>>14 uleshort &0x0001 \bR
>>14 uleshort &0x0002 \bH
>>14 uleshort &0x0004 \bS
>>14 uleshort &0x0020 \bA
>>14 uleshort &0x0040 \bX
>>14 uleshort &0x0080 \bUtf
# unknown 0x0100 flag found on one XP_CD:\I386\DRIVER.CAB
>>14 uleshort &0x0100 \b?
# szName is name of archive member
>16 string x "%s"
# next archive member name if more files
#>>&17 string >\0 \b, NEXT NAME %-.50s

# InstallShield Cabinet files
0 string/b ISc( InstallShield Cabinet archive data
>5 byte&0xf0 =0x60 version 6,
>5 byte&0xf0 !0x60 version 4/5,
>(12.l+40) lelong x %u files

# Windows CE package files
0 string/b MSCE\0\0\0\0 Microsoft WinCE install header
>20 lelong 0 \b, architecture-independent
>20 lelong 103 \b, Hitachi SH3
>20 lelong 104 \b, Hitachi SH4
>20 lelong 0xA11 \b, StrongARM
>20 lelong 4000 \b, MIPS R4000
>20 lelong 10003 \b, Hitachi SH3
>20 lelong 10004 \b, Hitachi SH3E
>20 lelong 10005 \b, Hitachi SH4
>20 lelong 70001 \b, ARM 7TDMI
>52 leshort 1 \b, 1 file
>52 leshort >1 \b, %u files
>56 leshort 1 \b, 1 registry entry
>56 leshort >1 \b, %u registry entries


# Windows Enhanced Metafile (EMF)
# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp
# for further information.
0 ulelong 1
>40 string \ EMF Windows Enhanced Metafile (EMF) image data
>>44 ulelong x version 0x%x


0 string/b \224\246\056 Microsoft Word Document
!:mime application/msword

# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
# Magic type for Dell's BIOS .hdr files
# Dell's .hdr
0 string/b $RBU
>23 string Dell %s system BIOS
>5 byte 2
>>48 byte x version %d.
>>49 byte x \b%d.
>>50 byte x \b%d
>5 byte <2
>>48 string x version %.3s

# Type: Microsoft Document Imaging Format (.mdi)
# URL: https://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format
# From: Daniele Sempione <scrows@oziosi.org>
# Too weak (EP)
#0 short 0x5045 Microsoft Document Imaging Format

# MS eBook format (.lit)
0 string/b ITOLITLS Microsoft Reader eBook Data
>8 lelong x \b, version %u
!:mime application/x-ms-reader

# Windows CE Binary Image Data Format
# From: Dr. Jesus <j@hug.gs>
0 string/b B000FF\n Windows Embedded CE binary image

# The second byte of these signatures is a file version; I don't know what,
# if anything, produced files with version numbers 0-2.
# From: John Elliott <johne@seasip.demon.co.uk>
0 string \xfc\x03\x00 Mallard BASIC program data (v1.11)
0 string \xfc\x04\x00 Mallard BASIC program data (v1.29+)
0 string \xfc\x03\x01 Mallard BASIC protected program data (v1.11)
0 string \xfc\x04\x01 Mallard BASIC protected program data (v1.29+)

0 string MIOPEN Mallard BASIC Jetsam data
0 string Jetsam0 Mallard BASIC Jetsam index data

# DOS backup 2.0 to 3.2

# backupid.@@@

# plausibility check for date
0x3 ushort >1979
>0x5 ubyte-1 <31
>>0x6 ubyte-1 <12
# actually 121 nul bytes
>>>0x7 string \0\0\0\0\0\0\0\0
>>>>0x1 ubyte x DOS 2.0 backup id file, sequence %d
!:ext @@@
>>>>0x0 ubyte 0xff \b, last disk

# backed up file

# skip some AppleWorks word like Tomahawk.Awp, WIN98SE-DE.vhd
# by looking for trailing nul of maximal file name string
0x52 ubyte 0
# test for flag byte: FFh~complete file, 00h~split file
# FFh -127 = -1 -127 = -128
# 00h -127 = 0 -127 = -127
>0 byte-127 <-126
# plausibility check for file name length
>>0x53 ubyte-1 <78
# looking for terminating nul of file name string
>>>(0x53.b+4) ubyte 0
# looking if last char of string is valid DOS file name
>>>>(0x53.b+3) ubyte >0x1F
# actually 44 nul bytes
# but sometimes garbage according to Ralf Quint. So can not be used as test
#>0x54 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
# first char of full file name is DOS (5Ch) or UNIX (2Fh) path separator
# only DOS variant found. UNIX variant according to V32SLASH.TXT in archive PD0315.EXE
>>>>>5 ubyte&0x8C 0x0C
# ./msdos (version 5.30) labeled the entry as
# "DOS 2.0 backed up file %s, split file, sequence %d" or
# "DOS 2.0 backed up file %s, complete file"
>>>>>>0 ubyte x DOS 2.0-3.2 backed up
#>>>>>>0 ubyte 0xff complete
>>>>>>0 ubyte 0
>>>>>>>1 uleshort x sequence %d of
# full file name with path but without drive letter and colon stored from 0x05 til 0x52
>>>>>>0x5 string x file %s
# backup name is original filename
#!:ext *
# magic/Magdir/msdos, 1169: Warning: EXTENSION type ` *' has bad char '*'
# file: line 1169: Bad magic entry ' *'
# after header original file content
>>>>>>128 indirect x \b;


# DOS backup 3.3 to 5.x

# CONTROL.nnn files
0 string \x8bBACKUP\x20
# actually 128 nul bytes
>0xa string \0\0\0\0\0\0\0\0
>>0x9 ubyte x DOS 3.3 backup control file, sequence %d
>>0x8a ubyte 0xff \b, last disk

# NB: The BACKUP.nnn files consist of the files backed up,
# concatenated.