xref: /freebsd/contrib/file/magic/Magdir/msdos (revision dc318a4ffabcbfa23bb56a33403aad36e6de30af)
1
2#------------------------------------------------------------------------------
3# $File: msdos,v 1.137 2020/03/20 17:20:19 christos Exp $
4# msdos:  file(1) magic for MS-DOS files
5#
6
7# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com)
8# updated by Joerg Jenderek at Oct 2008,Apr 2011
90	string/t	@
10>1	string/cW	\ echo\ off	DOS batch file text
11!:mime	text/x-msdos-batch
12!:ext	bat
13>1	string/cW	echo\ off	DOS batch file text
14!:mime	text/x-msdos-batch
15!:ext	bat
16>1	string/cW	rem		DOS batch file text
17!:mime	text/x-msdos-batch
18!:ext	bat
19>1	string/cW	set\ 		DOS batch file text
20!:mime	text/x-msdos-batch
21!:ext	bat
22
23
24# OS/2 batch files are REXX. the second regex is a bit generic, oh well
25# the matched commands seem to be common in REXX and uncommon elsewhere
26100	search/0xffff   rxfuncadd
27>100	regex/c =^[\ \t]{0,10}call[\ \t]{1,10}rxfunc	OS/2 REXX batch file text
28100	search/0xffff   say
29>100	regex/c =^[\ \t]{0,10}say\ ['"]			OS/2 REXX batch file text
30
31# updated by Joerg Jenderek at Oct 2015
32# https://de.wikipedia.org/wiki/Common_Object_File_Format
33# http://www.delorie.com/djgpp/doc/coff/filhdr.html
34# ./intel already labeled COFF type 0x14c=0514 as "80386 COFF executable"
35#0	leshort		0x14c	MS Windows COFF Intel 80386 object file
36#>4	ledate		x	stamp %s
370	leshort		0x166	MS Windows COFF MIPS R4000 object file
38#>4	ledate		x	stamp %s
390	leshort		0x184	MS Windows COFF Alpha object file
40#>4	ledate		x	stamp %s
410	leshort		0x268	MS Windows COFF Motorola 68000 object file
42#>4	ledate		x	stamp %s
430	leshort		0x1f0	MS Windows COFF PowerPC object file
44#>4	ledate		x	stamp %s
450	leshort		0x290	MS Windows COFF PA-RISC object file
46#>4	ledate		x	stamp %s
47
48# Tests for various EXE types.
49#
50# Many of the compressed formats were extraced from IDARC 1.23 source code.
51#
520	string/b	MZ
53# All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file.
54>0x18	leshort <0x40 MS-DOS executable
55!:mime	application/x-dosexec
56# Windows and later versions of DOS will allow .EXEs to be named with a .COM
57# extension, mostly for compatibility's sake.
58!:ext	exe/com
59# These traditional tests usually work but not always.  When test quality support is
60# implemented these can be turned on.
61#>>0x18	leshort	0x1c	(Borland compiler)
62#>>0x18	leshort	0x1e	(MS compiler)
63
64# Maybe it's a PE?
65>(0x3c.l)	string		PE\0\0	PE
66!:mime	application/x-dosexec
67>>(0x3c.l+24)	leshort		0x010b	\b32 executable
68>>(0x3c.l+24)	leshort		0x020b	\b32+ executable
69>>(0x3c.l+24)	leshort		0x0107	ROM image
70>>(0x3c.l+24)	default		x	Unknown PE signature
71>>>&0 		leshort		x	0x%x
72>>(0x3c.l+22)	leshort&0x2000	>0	(DLL)
73>>(0x3c.l+92)	leshort		1
74# Native PEs include ntoskrnl.exe, hal.dll, smss.exe, autochk.exe, and all the
75# drivers in Windows/System32/drivers/*.sys.
76>>>(0x3c.l+22)	leshort&0x2000	>0	(native)
77!:ext	dll/sys
78>>>(0x3c.l+22)	leshort&0x2000	0	(native)
79!:ext	exe/sys
80>>(0x3c.l+92)	leshort		2
81>>>(0x3c.l+22)	leshort&0x2000	>0	(GUI)
82# These could probably be at least partially distinguished from one another by
83# looking for specific exported functions.
84# CPL: Control Panel item
85# TLB: Type library
86# OCX: OLE/ActiveX control
87# ACM: Audio compression manager codec
88# AX: DirectShow source filter
89# IME: Input method editor
90!:ext	dll/cpl/tlb/ocx/acm/ax/ime
91>>>(0x3c.l+22)	leshort&0x2000	0	(GUI)
92# Screen savers typically include code from the scrnsave.lib static library, but
93# that's not guaranteed.
94!:ext	exe/scr
95>>(0x3c.l+92)	leshort		3
96>>>(0x3c.l+22)	leshort&0x2000	>0	(console)
97!:ext	dll/cpl/tlb/ocx/acm/ax/ime
98>>>(0x3c.l+22)	leshort&0x2000	0	(console)
99!:ext	exe/com
100# https://docs.microsoft.com/en-us/windows/win32/debug/pe-format
101>>(0x3c.l+92)	leshort		7	(POSIX)
102>>(0x3c.l+92)	leshort		9	(Windows CE)
103>>(0x3c.l+92)	leshort		10	(EFI application)
104>>(0x3c.l+92)	leshort		11	(EFI boot service driver)
105>>(0x3c.l+92)	leshort		12	(EFI runtime driver)
106>>(0x3c.l+92)	leshort		13	(EFI ROM)
107>>(0x3c.l+92)	leshort		14	(XBOX)
108>>(0x3c.l+92)	leshort		15	(Windows boot application)
109>>(0x3c.l+92)	default		x	(Unknown subsystem
110>>>&0		leshort		x	0x%x)
111>>(0x3c.l+4)	leshort		0x14c	Intel 80386
112>>(0x3c.l+4)	leshort		0x166	MIPS R4000
113>>(0x3c.l+4)	leshort		0x168	MIPS R10000
114>>(0x3c.l+4)	leshort		0x184	Alpha
115>>(0x3c.l+4)	leshort		0x1a2	Hitachi SH3
116>>(0x3c.l+4)	leshort		0x1a3	Hitachi SH3 DSP
117>>(0x3c.l+4)	leshort		0x1a8	Hitachi SH5
118>>(0x3c.l+4)	leshort		0x169	MIPS WCE v2
119>>(0x3c.l+4)	leshort		0x1a6	Hitachi SH4
120>>(0x3c.l+4)	leshort		0x1c0	ARM
121>>(0x3c.l+4)	leshort		0x1c2	ARM Thumb
122>>(0x3c.l+4)	leshort		0x1c4	ARMv7 Thumb
123>>(0x3c.l+4)	leshort		0x1d3	Matsushita AM33
124>>(0x3c.l+4)	leshort		0x1f0	PowerPC
125>>(0x3c.l+4)	leshort		0x1f1	PowerPC with FPU
126>>(0x3c.l+4)	leshort		0x1f2	PowerPC (big-endian)
127>>(0x3c.l+4)	leshort		0x200	Intel Itanium
128>>(0x3c.l+4)	leshort		0x266	MIPS16
129>>(0x3c.l+4)	leshort		0x268	Motorola 68000
130>>(0x3c.l+4)	leshort		0x290	PA-RISC
131>>(0x3c.l+4)	leshort		0x366	MIPSIV
132>>(0x3c.l+4)	leshort		0x466	MIPS16 with FPU
133>>(0x3c.l+4)	leshort		0xebc	EFI byte code
134>>(0x3c.l+4)	leshort		0x5032	RISC-V 32-bit
135>>(0x3c.l+4)	leshort		0x5064	RISC-V 64-bit
136>>(0x3c.l+4)	leshort		0x5128	RISC-V 128-bit
137>>(0x3c.l+4)	leshort		0x9041	Mitsubishi M32R
138>>(0x3c.l+4)	leshort		0x8664	x86-64
139>>(0x3c.l+4)	leshort		0xaa64	Aarch64
140>>(0x3c.l+4)	leshort		0xc0ee	MSIL
141>>(0x3c.l+4)	default		x	Unknown processor type
142>>>&0		leshort		x	0x%x
143>>(0x3c.l+22)	leshort&0x0200	>0	(stripped to external PDB)
144>>(0x3c.l+22)	leshort&0x1000	>0	system file
145>>(0x3c.l+24)	leshort		0x010b
146>>>(0x3c.l+232) lelong	>0	Mono/.Net assembly
147>>(0x3c.l+24)	leshort		0x020b
148>>>(0x3c.l+248) lelong	>0	Mono/.Net assembly
149
150# hooray, there's a DOS extender using the PE format, with a valid PE
151# executable inside (which just prints a message and exits if run in win)
152>>(8.s*16)		string		32STUB	\b, 32rtm DOS extender
153>>(8.s*16)		string		!32STUB	\b, for MS Windows
154>>(0x3c.l+0xf8)		string		UPX0 \b, UPX compressed
155>>(0x3c.l+0xf8)		search/0x140	PEC2 \b, PECompact2 compressed
156>>(0x3c.l+0xf8)		search/0x140	UPX2
157>>>(&0x10.l+(-4))	string		PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
158>>(0x3c.l+0xf8)		search/0x140	.idata
159>>>(&0xe.l+(-4))	string		PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
160>>>(&0xe.l+(-4))	string		ZZ0 \b, ZZip self-extracting archive
161>>>(&0xe.l+(-4))	string		ZZ1 \b, ZZip self-extracting archive
162>>(0x3c.l+0xf8)		search/0x140	.rsrc
163>>>(&0x0f.l+(-4))	string		a\\\4\5 \b, WinHKI self-extracting archive
164>>>(&0x0f.l+(-4))	string		Rar! \b, RAR self-extracting archive
165>>>(&0x0f.l+(-4))	search/0x3000	MSCF \b, InstallShield self-extracting archive
166>>>(&0x0f.l+(-4))	search/32	Nullsoft \b, Nullsoft Installer self-extracting archive
167>>(0x3c.l+0xf8)		search/0x140	.data
168>>>(&0x0f.l)		string		WEXTRACT \b, MS CAB-Installer self-extracting archive
169>>(0x3c.l+0xf8)		search/0x140	.petite\0 \b, Petite compressed
170>>>(0x3c.l+0xf7)	byte		x
171>>>>(&0x104.l+(-4))	string		=!sfx! \b, ACE self-extracting archive
172>>(0x3c.l+0xf8)		search/0x140	.WISE \b, WISE installer self-extracting archive
173>>(0x3c.l+0xf8)		search/0x140	.dz\0\0\0 \b, Dzip self-extracting archive
174>>&(0x3c.l+0xf8)	search/0x100	_winzip_ \b, ZIP self-extracting archive (WinZip)
175>>&(0x3c.l+0xf8)	search/0x100	SharedD \b, Microsoft Installer self-extracting archive
176>>0x30			string		Inno \b, InnoSetup self-extracting archive
177
178# If the relocation table is 0x40 or more bytes into the file, it's definitely
179# not a DOS EXE.
180>0x18  leshort >0x3f
181
182# Hmm, not a PE but the relocation table is too high for a traditional DOS exe,
183# must be one of the unusual subformats.
184>>(0x3c.l) string !PE\0\0 MS-DOS executable
185!:mime	application/x-dosexec
186
187>>(0x3c.l)		string		NE \b, NE
188!:mime	application/x-dosexec
189>>>(0x3c.l+0x36)	byte		1 for OS/2 1.x
190>>>(0x3c.l+0x36)	byte		2 for MS Windows 3.x
191>>>(0x3c.l+0x36)	byte		3 for MS-DOS
192>>>(0x3c.l+0x36)	byte		4 for Windows 386
193>>>(0x3c.l+0x36)	byte		5 for Borland Operating System Services
194>>>(0x3c.l+0x36)	default		x
195>>>>(0x3c.l+0x36)	byte		x (unknown OS %x)
196>>>(0x3c.l+0x36)	byte		0x81 for MS-DOS, Phar Lap DOS extender
197>>>(0x3c.l+0x0c)	leshort&0x8000	0x8000 (DLL or font)
198# DRV: Driver
199# 3GR: Grabber device driver
200# CPL: Control Panel Item
201# VBX: Visual Basic Extension
202# FON: Bitmap font
203# FOT: Font resource file
204!:ext	dll/drv/3gr/cpl/vbx/fon/fot
205>>>(0x3c.l+0x0c)	leshort&0x8000	0 (EXE)
206!:ext	exe/scr
207>>>&(&0x24.s-1)		string		ARJSFX \b, ARJ self-extracting archive
208>>>(0x3c.l+0x70)	search/0x80	WinZip(R)\ Self-Extractor \b, ZIP self-extracting archive (WinZip)
209
210>>(0x3c.l)		string		LX\0\0 \b, LX
211!:mime	application/x-dosexec
212>>>(0x3c.l+0x0a)	leshort		<1 (unknown OS)
213>>>(0x3c.l+0x0a)	leshort		1 for OS/2
214>>>(0x3c.l+0x0a)	leshort		2 for MS Windows
215>>>(0x3c.l+0x0a)	leshort		3 for DOS
216>>>(0x3c.l+0x0a)	leshort		>3 (unknown OS)
217>>>(0x3c.l+0x10)	lelong&0x28000	=0x8000 (DLL)
218>>>(0x3c.l+0x10)	lelong&0x20000	>0 (device driver)
219>>>(0x3c.l+0x10)	lelong&0x300	0x300 (GUI)
220>>>(0x3c.l+0x10)	lelong&0x28300	<0x300 (console)
221>>>(0x3c.l+0x08)	leshort		1 i80286
222>>>(0x3c.l+0x08)	leshort		2 i80386
223>>>(0x3c.l+0x08)	leshort		3 i80486
224>>>(8.s*16)		string		emx \b, emx
225>>>>&1			string		x %s
226>>>&(&0x54.l-3)		string		arjsfx \b, ARJ self-extracting archive
227
228# MS Windows system file, supposedly a collection of LE executables
229>>(0x3c.l)		string		W3 \b, W3 for MS Windows
230!:mime	application/x-dosexec
231
232>>(0x3c.l)		string		LE\0\0 \b, LE executable
233!:mime	application/x-dosexec
234>>>(0x3c.l+0x0a)	leshort		1
235# some DOS extenders use LE files with OS/2 header
236>>>>0x240		search/0x100	DOS/4G for MS-DOS, DOS4GW DOS extender
237>>>>0x240		search/0x200	WATCOM\ C/C++ for MS-DOS, DOS4GW DOS extender
238>>>>0x440		search/0x100	CauseWay\ DOS\ Extender for MS-DOS, CauseWay DOS extender
239>>>>0x40		search/0x40	PMODE/W for MS-DOS, PMODE/W DOS extender
240>>>>0x40		search/0x40	STUB/32A for MS-DOS, DOS/32A DOS extender (stub)
241>>>>0x40		search/0x80	STUB/32C for MS-DOS, DOS/32A DOS extender (configurable stub)
242>>>>0x40		search/0x80	DOS/32A for MS-DOS, DOS/32A DOS extender (embedded)
243# this is a wild guess; hopefully it is a specific signature
244>>>>&0x24		lelong		<0x50
245>>>>>(&0x4c.l)		string		\xfc\xb8WATCOM
246>>>>>>&0		search/8	3\xdbf\xb9 \b, 32Lite compressed
247# another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP
248#>>>>(0x3c.l+0x1c)	lelong		>0x10000 for OS/2
249# fails with DOS-Extenders.
250>>>(0x3c.l+0x0a)	leshort		2 for MS Windows
251>>>(0x3c.l+0x0a)	leshort		3 for DOS
252>>>(0x3c.l+0x0a)	leshort		4 for MS Windows (VxD)
253# VXD: VxD for Windows 95/98/Me
254# 386: VxD for Windows 2.10, 3.0, 3.1x
255# PDR: Port driver
256# MPD: Miniport driver (?)
257!:ext	vxd/386/pdr/mpd
258>>>(&0x7c.l+0x26)	string		UPX \b, UPX compressed
259>>>&(&0x54.l-3)		string		UNACE \b, ACE self-extracting archive
260
261# looks like ASCII, probably some embedded copyright message.
262# and definitely not NE/LE/LX/PE
263>>0x3c		lelong	>0x20000000
264>>>(4.s*512)	leshort !0x014c \b, MZ for MS-DOS
265!:mime	application/x-dosexec
266!:ext	exe/com
267# header data too small for extended executable
268>2		long	!0
269>>0x18		leshort <0x40
270>>>(4.s*512)	leshort !0x014c
271
272>>>>&(2.s-514)	string	!LE
273>>>>>&-2	string	!BW \b, MZ for MS-DOS
274!:mime	application/x-dosexec
275>>>>&(2.s-514)	string	LE \b, LE
276>>>>>0x240	search/0x100	DOS/4G for MS-DOS, DOS4GW DOS extender
277# educated guess since indirection is still not capable enough for complex offset
278# calculations (next embedded executable would be at &(&2*512+&0-2)
279# I suspect there are only LE executables in these multi-exe files
280>>>>&(2.s-514)	string	BW
281>>>>>0x240	search/0x100	DOS/4G	\b, LE for MS-DOS, DOS4GW DOS extender (embedded)
282>>>>>0x240	search/0x100	!DOS/4G	\b, BW collection for MS-DOS
283
284# This sequence skips to the first COFF segment, usually .text
285>(4.s*512)	leshort		0x014c \b, COFF
286!:mime	application/x-dosexec
287>>(8.s*16)	string		go32stub for MS-DOS, DJGPP go32 DOS extender
288>>(8.s*16)	string		emx
289>>>&1		string		x for DOS, Win or OS/2, emx %s
290>>&(&0x42.l-3)	byte		x
291>>>&0x26	string		UPX \b, UPX compressed
292# and yet another guess: small .text, and after large .data is unusal, could be 32lite
293>>&0x2c		search/0xa0	.text
294>>>&0x0b	lelong		<0x2000
295>>>>&0		lelong		>0x6000 \b, 32lite compressed
296
297>(8.s*16) string $WdX \b, WDos/X DOS extender
298
299# By now an executable type should have been printed out.  The executable
300# may be a self-uncompressing archive, so look for evidence of that and
301# print it out.
302#
303# Some signatures below from Greg Roelofs, newt@uchicago.edu.
304#
305>0x35	string	\x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05 \b, aPack compressed
306>0xe7	string	LH/2\ 	Self-Extract \b, %s
307>0x1c	string	UC2X	\b, UCEXE compressed
308>0x1c	string	WWP\ 	\b, WWPACK compressed
309>0x1c	string	RJSX 	\b, ARJ self-extracting archive
310>0x1c	string	diet 	\b, diet compressed
311>0x1c	string	LZ09 	\b, LZEXE v0.90 compressed
312>0x1c	string	LZ91 	\b, LZEXE v0.91 compressed
313>0x1c	string	tz 	\b, TinyProg compressed
314>0x1e	string	Copyright\ 1989-1990\ PKWARE\ Inc.	Self-extracting PKZIP archive
315!:mime	application/zip
316# Yes, this really is "Copr", not "Corp."
317>0x1e	string	PKLITE\ Copr.	Self-extracting PKZIP archive
318!:mime	application/zip
319# winarj stores a message in the stub instead of the sig in the MZ header
320>0x20	search/0xe0	aRJsfX \b, ARJ self-extracting archive
321>0x20	string AIN
322>>0x23	string 2	\b, AIN 2.x compressed
323>>0x23	string <2	\b, AIN 1.x compressed
324>>0x23	string >2	\b, AIN 1.x compressed
325>0x24	string	LHa's\ SFX \b, LHa self-extracting archive
326!:mime	application/x-lha
327>0x24	string	LHA's\ SFX \b, LHa self-extracting archive
328!:mime	application/x-lha
329>0x24	string	\ $ARX \b, ARX self-extracting archive
330>0x24	string	\ $LHarc \b, LHarc self-extracting archive
331>0x20	string	SFX\ by\ LARC \b, LARC self-extracting archive
332>0x40	string aPKG \b, aPackage self-extracting archive
333>0x64	string	W\ Collis\0\0 \b, Compack compressed
334>0x7a	string		Windows\ self-extracting\ ZIP	\b, ZIP self-extracting archive
335>>&0xf4 search/0x140 \x0\x40\x1\x0
336>>>(&0.l+(4)) string MSCF \b, WinHKI CAB self-extracting archive
337>1638	string	-lh5- \b, LHa self-extracting archive v2.13S
338>0x17888 string Rar! \b, RAR self-extracting archive
339
340# Skip to the end of the EXE.  This will usually work fine in the PE case
341# because the MZ image is hardcoded into the toolchain and almost certainly
342# won't match any of these signatures.
343>(4.s*512)	long	x
344>>&(2.s-517)	byte	x
345>>>&0	string		PK\3\4 \b, ZIP self-extracting archive
346>>>&0	string		Rar! \b, RAR self-extracting archive
347>>>&0	string		=!\x11 \b, AIN 2.x self-extracting archive
348>>>&0	string		=!\x12 \b, AIN 2.x self-extracting archive
349>>>&0	string		=!\x17 \b, AIN 1.x self-extracting archive
350>>>&0	string		=!\x18 \b, AIN 1.x self-extracting archive
351>>>&7	search/400	**ACE** \b, ACE self-extracting archive
352>>>&0	search/0x480	UC2SFX\ Header \b, UC2 self-extracting archive
353
354# a few unknown ZIP sfxes, no idea if they are needed or if they are
355# already captured by the generic patterns above
356>(8.s*16)	search/0x20	PKSFX \b, ZIP self-extracting archive (PKZIP)
357# TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extracting archive
358#
359
360# TELVOX Teleinformatica CODEC self-extractor for OS/2:
361>49801	string	\x79\xff\x80\xff\x76\xff	\b, CODEC archive v3.21
362>>49824 leshort		=1			\b, 1 file
363>>49824 leshort		>1			\b, %u files
364
365# added by Joerg Jenderek of https://www.freedos.org/software/?prog=kc
366# and https://www.freedos.org/software/?prog=kpdos
367# for FreeDOS files like KEYBOARD.SYS, KEYBRD2.SYS, KEYBRD3.SYS, *.KBD
3680	string/b	KCF		FreeDOS KEYBoard Layout collection
369# only version=0x100 found
370>3	uleshort	x		\b, version 0x%x
371# length of string containing author,info and special characters
372>6	ubyte		>0
373#>>6	pstring		x		\b, name=%s
374>>7	string		>\0		\b, author=%-.14s
375>>7	search/254	\xff		\b, info=
376#>>>&0	string		x		\b%-s
377>>>&0	string		x		\b%-.15s
378# for FreeDOS *.KL files
3790	string/b	KLF		FreeDOS KEYBoard Layout file
380# only version=0x100 or 0x101 found
381>3	uleshort	x		\b, version 0x%x
382# stringlength
383>5	ubyte		>0
384>>8	string		x		\b, name=%-.2s
3850	string	\xffKEYB\ \ \ \0\0\0\0
386>12	string	\0\0\0\0`\004\360	MS-DOS KEYBoard Layout file
387
388# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017
389# https://amaus.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009
3900	ulequad&0x07a0ffffffff		0xffffffff
391>0	use				msdos-driver
3920       name    			msdos-driver		DOS executable (
393#!:mime	application/octet-stream
394!:mime	application/x-dosdriver
395# also found FreeDOS print driver SPOOL.DEV and disc compression driver STACLOAD.BIN
396!:ext	sys/dev/bin
397>40	search/7			UPX!			\bUPX compressed
398# DOS device driver attributes
399>4	uleshort&0x8000			0x0000			\bblock device driver
400# character device
401>4	uleshort&0x8000			0x8000			\b
402>>4	uleshort&0x0008			0x0008			\bclock
403# fast video output by int 29h
404>>4	uleshort&0x0010			0x0010			\bfast
405# standard input/output device
406>>4	uleshort&0x0003			>0			\bstandard
407>>>4	uleshort&0x0001			0x0001			\binput
408>>>4	uleshort&0x0003			0x0003			\b/
409>>>4	uleshort&0x0002			0x0002			\boutput
410>>4	uleshort&0x8000			0x8000			\bcharacter device driver
411>0	ubyte				x
412# upx compressed device driver has garbage instead of real in name field of header
413>>40	search/7			UPX!
414>>40	default				x
415# leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped
416>>>12		ubyte			>0x2E			\b
417>>>>10		ubyte			>0x20
418>>>>>10		ubyte			!0x2E
419>>>>>>10	ubyte			!0x2A			\b%c
420>>>>11		ubyte			>0x20
421>>>>>11		ubyte			!0x2E			\b%c
422>>>>12		ubyte			>0x20
423>>>>>12		ubyte			!0x39
424>>>>>>12	ubyte			!0x2E			\b%c
425>>>13		ubyte			>0x20
426>>>>13		ubyte			!0x2E			\b%c
427>>>>14		ubyte			>0x20
428>>>>>14		ubyte			!0x2E			\b%c
429>>>>15		ubyte			>0x20
430>>>>>15		ubyte			!0x2E			\b%c
431>>>>16		ubyte			>0x20
432>>>>>16		ubyte			!0x2E
433>>>>>>16	ubyte			<0xCB			\b%c
434>>>>17		ubyte			>0x20
435>>>>>17		ubyte			!0x2E
436>>>>>>17	ubyte			<0x90			\b%c
437# some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field
438>>>12		ubyte			<0x2F
439# they have their real name at offset 22
440# also block device drivers like DUMBDRV.SYS
441>>>>22		string			>\056			%-.6s
442>4	uleshort&0x8000			0x0000
443# 32 bit sector addressing ( > 32 MB) for block devices
444>>4	uleshort&0x0002			0x0002			\b,32-bit sector-
445# support by driver functions 13h, 17h, 18h
446>4	uleshort&0x0040			0x0040			\b,IOCTL-
447# open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh
448>4	uleshort&0x0800			0x0800			\b,close media-
449# output until busy support by int 10h for character device driver
450>4	uleshort&0x8000			0x8000
451>>4	uleshort&0x2000			0x2000			\b,until busy-
452# direct read/write support by driver functions 03h,0Ch
453>4	uleshort&0x4000			0x4000			\b,control strings-
454>4	uleshort&0x8000			0x8000
455>>4	uleshort&0x6840			>0			\bsupport
456>4	uleshort&0x8000			0x0000
457>>4	uleshort&0x4842			>0			\bsupport
458>0	ubyte				x			\b)
459# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header
4600	ulequad				0x0513c00000000012
461>0	use				msdos-driver
462# DOS drivers DC2975.SYS, DUMBDRV.SYS, ECHO.SYS has also none 0xffffffff for pointer field
4630	ulequad				0x32f28000ffff0016
464>0	use				msdos-driver
4650	ulequad				0x007f00000000ffff
466>0	use				msdos-driver
4670	ulequad				0x001600000000ffff
468>0	use				msdos-driver
469# DOS drivers LS120.SYS, MKELS120.SYS use reserved bits of attribute field
4700	ulequad				0x0bf708c2ffffffff
471>0	use				msdos-driver
4720	ulequad				0x07bd08c2ffffffff
473>0	use				msdos-driver
474
475# updated by Joerg Jenderek
476# GRR: line below too general as it catches also
477# rt.lib DYADISKS.PIC and many more
478# start with assembler instruction MOV
4790	ubyte		0x8c
480# skip "AppleWorks word processor data" like ARTICLE.1 ./apple
481>4	string			!O====
482# skip some unknown basic binaries like RocketRnger.SHR
483>>5	string			!MAIN
484# skip "GPG symmetrically encrypted data" ./gnu
485# skip "PGP symmetric key encrypted data" ./pgp
486# openpgpdefs.h: fourth byte < 14 indicate cipher algorithm type
487>>>4	ubyte			>13	DOS executable (COM, 0x8C-variant)
488# the remaining files should be DOS *.COM executables
489# dosshell.COM	8cc0 2ea35f07 e85211 e88a11 b80058 cd
490# hmload.COM	8cc8 8ec0 bbc02b 89dc 83c30f c1eb04 b4
491# UNDELETE.COM	8cca 2e8916 6503 b430 cd21 8b 2e0200 8b
492# BOOTFIX.COM	8cca 2e8916 9603 b430 cd21 8b 2e0200 8b
493# RAWRITE3.COM	8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
494# SHARE.COM	8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
495# validchr.COM	8cca 2e8916 9603 b430 cd21 8b 2e028b1e
496# devload.COM	8cca 8916ad01 b430 cd21 8b2e0200 892e
497!:mime	application/x-dosexec
498!:ext com
499
500# updated by Joerg Jenderek at Oct 2008
5010	ulelong		0xffff10eb	DR-DOS executable (COM)
502# byte 0xeb conflicts with "sequent" magic leshort 0xn2eb
5030	ubeshort&0xeb8d	>0xeb00
504# DR-DOS STACKER.COM SCREATE.SYS missed
505
5060       name    msdos-com
507>0  byte        x               DOS executable (COM)
508!:mime	application/x-dosexec
509!:ext	com
510>6	string		SFX\ of\ LHarc	\b, %s
511>0x1FE leshort	0xAA55		    \b, boot code
512>85	string		UPX		        \b, UPX compressed
513>4	string		\ $ARX		    \b, ARX self-extracting archive
514>4	string		\ $LHarc	    \b, LHarc self-extracting archive
515>0x20e string	SFX\ by\ LARC	\b, LARC self-extracting archive
516
517# JMP 8bit
5180	        byte	0xeb
519# allow forward jumps only
520>1          byte    >-1
521# that offset must be accessible
522>>(1.b+2)   byte    x
523>>>0        use msdos-com
524
525# JMP 16bit
5260           byte    0xe9
527# forward jumps
528>1          short   >-1
529# that offset must be accessible
530>>(1.s+3)   byte    x
531>>>0        use msdos-com
532# negative offset, must not lead into PSP
533>1          short   <-259
534# that offset must be accessible
535>>(1,s+65539)   byte    x
536>>>0        use msdos-com
537
538# updated by Joerg Jenderek at Oct 2008,2015
539# following line is too general
5400	ubyte		0xb8
541# skip 2 linux kernels like memtest.bin with "\xb8\xc0\x07\x8e" in ./linux
542>0	string		!\xb8\xc0\x07\x8e
543# modified by Joerg Jenderek
544# syslinux COM32 or COM32R executable
545>>1	lelong&0xFFFFFFFe 0x21CD4CFe	COM executable (32-bit COMBOOT
546# https://www.syslinux.org/wiki/index.php/Comboot_API
547# Since version 5.00 c32 modules switched from the COM32 object format to ELF
548!:mime	application/x-c32-comboot-syslinux-exec
549!:ext c32
550# https://syslinux.zytor.com/comboot.php
551# older syslinux version ( <4 )
552# (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode
553# start with assembler instructions mov eax,21cd4cffh
554>>>1	lelong		0x21CD4CFf	\b)
555# syslinux:doc/comboot.txt
556# A COM32R program must start with the byte sequence B8 FE 4C CD 21 (mov
557# eax,21cd4cfeh) as a magic number.
558# syslinux version (4.x)
559# "COM executable (COM32R)" or "Syslinux COM32 module" by TrID
560>>>1	lelong		0x21CD4CFe	\b, relocatable)
561# remaining are DOS COM executables starting with assembler instruction MOV
562# like FreeDOS BANNER*.COM FINDDISK.COM GIF2RAW.COM WINCHK.COM
563# MS-DOS SYS.COM RESTART.COM
564# SYSLINUX.COM (version 1.40 - 2.13)
565# GFXBOOT.COM (version 3.75)
566# COPYBS.COM POWEROFF.COM INT18.COM
567>>1	default	x			COM executable for DOS
568!:mime	application/x-dosexec
569#!:mime	application/x-ms-dos-executable
570#!:mime	application/x-msdos-program
571!:ext com
572
5730	string/b	\x81\xfc
574>4	string	\x77\x02\xcd\x20\xb9
575>>36	string	UPX!			FREE-DOS executable (COM), UPX compressed
576!:mime	application/x-dosexec
577!:ext	com
578252	string Must\ have\ DOS\ version DR-DOS executable (COM)
579!:mime	application/x-dosexec
580!:ext	com
581# added by Joerg Jenderek at Oct 2008
582# GRR search is not working
583#34	search/2	UPX!		FREE-DOS executable (COM), UPX compressed
58434	string	UPX!			FREE-DOS executable (COM), UPX compressed
585!:mime	application/x-dosexec
586!:ext	com
58735	string	UPX!			FREE-DOS executable (COM), UPX compressed
588!:mime	application/x-dosexec
589!:ext	com
590# GRR search is not working
591#2	search/28	\xcd\x21	COM executable for MS-DOS
592#WHICHFAT.cOM
5932	string	\xcd\x21		COM executable for DOS
594!:mime	application/x-dosexec
595!:ext	com
596#DELTREE.cOM DELTREE2.cOM
5974	string	\xcd\x21		COM executable for DOS
598!:mime	application/x-dosexec
599!:ext	com
600#IFMEMDSK.cOM ASSIGN.cOM COMP.cOM
6015	string	\xcd\x21		COM executable for DOS
602!:mime	application/x-dosexec
603!:ext	com
604#DELTMP.COm HASFAT32.cOM
6057	string	\xcd\x21
606>0	byte	!0xb8			COM executable for DOS
607!:mime	application/x-dosexec
608!:ext	com
609#COMP.cOM MORE.COm
61010	string	\xcd\x21
611>5	string	!\xcd\x21		COM executable for DOS
612!:mime	application/x-dosexec
613!:ext	com
614#comecho.com
61513	string	\xcd\x21		COM executable for DOS
616!:mime	application/x-dosexec
617!:ext	com
618#HELP.COm EDIT.coM
61918	string	\xcd\x21		COM executable for MS-DOS
620!:mime	application/x-dosexec
621!:ext	com
622#NWRPLTRM.COm
62323	string	\xcd\x21		COM executable for MS-DOS
624!:mime	application/x-dosexec
625!:ext	com
626#LOADFIX.cOm LOADFIX.cOm
62730	string	\xcd\x21		COM executable for MS-DOS
628!:mime	application/x-dosexec
629!:ext	com
630#syslinux.com 3.11
63170	string	\xcd\x21		COM executable for DOS
632!:mime	application/x-dosexec
633!:ext	com
634# many compressed/converted COMs start with a copy loop instead of a jump
6350x6	search/0xa	\xfc\x57\xf3\xa5\xc3	COM executable for MS-DOS
636!:mime	application/x-dosexec
637!:ext	com
6380x6	search/0xa	\xfc\x57\xf3\xa4\xc3	COM executable for DOS
639!:mime	application/x-dosexec
640!:ext	com
641>0x18	search/0x10	\x50\xa4\xff\xd5\x73	\b, aPack compressed
6420x3c	string		W\ Collis\0\0		COM executable for MS-DOS, Compack compressed
643!:mime	application/x-dosexec
644!:ext	com
645# FIXME: missing diet .com compression
646
647# miscellaneous formats
6480	string/b	LZ		MS-DOS executable (built-in)
649#0	byte		0xf0		MS-DOS program library data
650#
651
652# AAF files:
653# <stuartc@rd.bbc.co.uk> Stuart Cunningham
6540	string/b	\320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377			AAF legacy file using MS Structured Storage
655>30	byte	9		(512B sectors)
656>30	byte	12		(4kB sectors)
6570	string/b	\320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001			AAF file using MS Structured Storage
658>30	byte	9		(512B sectors)
659>30	byte	12		(4kB sectors)
660
661# Popular applications
662#
663# Update:	Joerg Jenderek
664# URL:		http://fileformats.archiveteam.org/wiki/DOC
665# Reference:	https://web.archive.org/web/20170206041048/
666#		http://www.msxnet.org/word2rtf/formats/ffh-dosword5
667# wIdent+dty
6680	belong	0x31be0000
669# skip droid skeleton like x-fmt-274-signature-id-488.doc
670>128	ubyte		>0  			Microsoft
671>>96	uleshort	=0			Word
672!:mime	application/msword
673!:apple	MSWDWDBN
674# DCX is used in the Unix version.
675!:ext	doc/dcx
676>>>0x6E	ulequad		=0			1.0-4.0
677>>>0x6E	ulequad		!0			5.0-6.0
678>>>0x6E	ulequad		x			(DOS) Document
679# https://web.archive.org/web/20130831064118/http://msxnet.org/word2rtf/formats/write.txt
680>>96	uleshort	!0			Write 3.0 (Windows) Document
681!:mime	application/x-mswrite
682!:apple	MSWDWDBN
683# sometimes also doc like in splitter.doc srchtest.doc
684!:ext	wri/doc
685# wTool must be 0125400 octal
686#>>4	uleshort	!0xAB00			\b, wTool %o
687# reserved; must be zero
688#>>6	ulelong		!0			\b, reserved %u
689# block pointer to the block containing optional file manager information
690#>>0x1C	uleshort	x			\b, at 0x%x info block
691# jump to File manager information block
692>>(0x1C.s*128)	uleshort x
693# test for valid information start; maybe also 0012h
694>>>&-2		uleshort	=0x0014
695# Document ASCIIZ name
696>>>>&0x12	string		x		%s
697# author name
698>>>>>&1		string		x		\b, author %s
699# reviser name
700>>>>>>&1	string		x		\b, reviser %s
701# keywords
702>>>>>>>&1	string		x		\b, keywords %s
703# comment
704>>>>>>>>&1	string		x		\b, comment %s
705# version number
706>>>>>>>>>&1	string		x		\b, version %s
707# date of last change MM/DD/YY
708>>>>>>>>>>&1	string		x		\b, %-.8s
709# creation date MM/DD/YY
710>>>>>>>>>>&9	string		x		created %-.8s
711# file name of print format like NORMAL.STY
712>>0x1E	string		>0			\b, formatted by %-.66s
713# count of pages in whole file for write variant; maybe some times wrong
714>>96	uleshort	>0			\b, %u pages
715# name of the printer driver like HPLASMS
716>>0x62	string		>0			\b, %-.8s printer
717# number of blocks used in the file; seems to be 0 for Word 4.0 and Write 3.0
718>>0x6A	uleshort	>0			\b, %u blocks
719# bit field for corrected text areas
720#>>0x6C	uleshort	x			\b, 0x%x bit field
721# text of document; some times start with 4 non printable characters like CR LF
722>>128	ubyte		x			\b,
723>>>128		ubyte	>0x1F
724>>>>128		string	x			%s
725>>>128		ubyte	<0x20
726>>>>129		ubyte	>0x1F
727>>>>>129	string	x			%s
728>>>>129		ubyte	<0x20
729>>>>>130	ubyte	>0x1F
730>>>>>>130	string	x			%s
731>>>>>130	ubyte	<0x20
732>>>>>>131	ubyte	>0x1F
733>>>>>>>131	string	x			%s
734>>>>>>131	ubyte	<0x20
735>>>>>>>132	ubyte	>0x1F
736>>>>>>>>132	string	x			%s
737>>>>>>>132	ubyte	<0x20
738>>>>>>>>133	ubyte	>0x1F
739>>>>>>>>>133	string	x			%s
740#
7410	string/b	PO^Q`				Microsoft Word 6.0 Document
742!:mime	application/msword
743#
7444   long        0
745>0  belong      0xfe320000      Microsoft Word for Macintosh 1.0
746!:mime	application/msword
747!:ext   mcw
748>0  belong      0xfe340000      Microsoft Word for Macintosh 3.0
749!:mime	application/msword
750!:ext   mcw
751>0  belong      0xfe37001c      Microsoft Word for Macintosh 4.0
752!:mime	application/msword
753!:ext   mcw
754>0  belong      0xfe370023      Microsoft Word for Macintosh 5.0
755!:mime	application/msword
756!:ext   mcw
757
7580	string/b	\333\245-\0\0\0			Microsoft Word 2.0 Document
759!:mime	application/msword
760!:ext   doc
761# Note: seems already recognized as "OLE 2 Compound Document" in ./ole2compounddocs
762#512	string/b	\354\245\301			Microsoft Word Document
763#!:mime	application/msword
764
765#
7660	string/b	\xDB\xA5\x2D\x00		Microsoft WinWord 2.0 Document
767!:mime application/msword
768#
7690	string/b	\xDB\xA5\x2D\x00		Microsoft WinWord 2.0 Document
770!:mime application/msword
771
772#
7730	string/b	\x09\x04\x06\x00\x00\x00\x10\x00	Microsoft Excel Worksheet
774!:mime	application/vnd.ms-excel
775# https://www.macdisk.com/macsigen.php
776!:apple	XCELXLS4
777!:ext	xls
778#
779# Update: Joerg Jenderek
780# URL: https://en.wikipedia.org/wiki/Lotus_1-2-3
781# Reference: http://www.aboutvb.de/bas/formate/pdf/wk3.pdf
782# Note: newer Lotus versions >2 use longer BOF record
783# record type (BeginningOfFile=0000h) + length (001Ah)
7840	belong	0x00001a00
785# reserved should be 0h but 8c0dh for TUTMAC.WK3, 5h for SAMPADNS.WK3, 1h for a_readme.wk3, 1eh for K&G86.WK3
786#>18	uleshort&0x73E0	0
787# Lotus Multi Byte Character Set (LMBCS=1-31)
788>20	ubyte		>0
789>>20	ubyte		<32	Lotus 1-2-3
790#!:mime	application/x-123
791!:mime	application/vnd.lotus-1-2-3
792!:apple	????L123
793# (version 5.26) labeled the entry as "Lotus 1-2-3 wk3 document data"
794>>>4	uleshort	0x1000	WorKsheet, version 3
795!:ext	wk3
796# (version 5.26) labeled the entry as "Lotus 1-2-3 wk4 document data"
797>>>4	uleshort	0x1002	WorKsheet, version 4
798# also worksheet template 4 (.wt4)
799!:ext	wk4/wt4
800# no example or documentation for wk5
801#>>4	uleshort	0x????	WorKsheet, version 4
802#!:ext	wk5
803# only MacrotoScript.123 example
804>>>4	uleshort	0x1003	WorKsheet, version 97
805# also worksheet template Smartmaster (.12M)?
806!:ext	123
807# only Set_Y2K.123 example
808>>>4	uleshort	0x1005	WorKsheet, version 9.8 Millennium
809!:ext	123
810# no example for this version
811>>>4	uleshort	0x8001	FoRMatting data
812!:ext	frm
813# (version 5.26) labeled the entry as "Lotus 1-2-3 fm3 or fmb document data"
814# TrID labeles the entry as "Formatting Data for Lotus 1-2-3 worksheet"
815>>>4	uleshort	0x8007	ForMatting data, version 3
816!:ext	fm3
817>>>4	default		x	unknown
818# file revision sub code 0004h for worksheets
819>>>>6	uleshort	=0x0004	worksheet
820!:ext	wXX
821>>>>6	uleshort	!0x0004	formatting data
822!:ext	fXX
823# main revision number
824>>>>4	uleshort	x	\b, revision 0x%x
825>>>6	uleshort	=0x0004	\b, cell range
826# active cellcoord range (start row, page,column ; end row, page, column)
827# start values normally 0~1st sheet A1
828>>>>8	ulelong		!0
829>>>>>10	ubyte		>0	\b%d*
830>>>>>8	uleshort	x	\b%d,
831>>>>>11	ubyte		x	\b%d-
832# end page mostly 0
833>>>>14	ubyte		>0	\b%d*
834# end raw, column normally not 0
835>>>>12	uleshort	x	\b%d,
836>>>>15	ubyte		x	\b%d
837# Lotus Multi Byte Character Set (1~cp850,2~cp851,...,16~japan,...,31~??)
838>>>>20	ubyte		>1	\b, character set 0x%x
839# flags
840>>>>21	ubyte		x	\b, flags 0x%x
841>>>6	uleshort	!0x0004
842# record type (FONTNAME=00AEh)
843>>>>30	search/29	\0\xAE
844# variable length m (2) + entries (1) + ?? (1) + LCMBS string (n)
845>>>>>&4	string		>\0	\b, 1st font "%s"
846#
847# Update: Joerg Jenderek
848# URL: http://fileformats.archiveteam.org/wiki/Lotus_1-2-3
849# Reference: http://www.schnarff.com/file-formats/lotus-1-2-3/WSFF2.TXT
850# Note: Used by both old Lotus 1-2-3 and Lotus Symphony (DOS) til version 2.x
851# record type (BeginningOfFile=0000h) + length (0002h)
8520	belong	0x00000200
853# GRR: line above is too general as it catches also MS Windows CURsor
854# to display MS Windows cursor (strength=70) before Lotus 1-2-3 (strength=70-1)
855!:strength -1
856# skip Windows cursors with image height <256 and keep Lotus with low opcode 0001-0083h
857>7	ubyte		0
858# skip Windows cursors with image width 256 and keep Lotus with positiv opcode
859>>6	ubyte		>0	Lotus
860# !:mime	application/x-123
861!:mime	application/vnd.lotus-1-2-3
862!:apple	????L123
863# revision number (0404h = 123 1A, 0405h = Lotus Symphony , 0406h = 123 2.x wk1 , 8006h = fmt , ...)
864# undocumented; (version 5.26) labeled the configurations as "Lotus 1-2-3"
865>>>4	uleshort	0x0007	1-2-3 CoNFiguration, version 2.x (PGRAPH.CNF)
866!:ext	cnf
867>>>4	uleshort	0x0C05	1-2-3 CoNFiguration, version 2.4J
868!:ext	cnf
869>>>4	uleshort	0x0801	1-2-3 CoNFiguration, version 1-2.1
870!:ext	cnf
871>>>4	uleshort	0x0802	Symphony CoNFiguration
872!:ext	cnf
873>>>4	uleshort	0x0804	1-2-3 CoNFiguration, version 2.2
874!:ext	cnf
875>>>4	uleshort	0x080A	1-2-3 CoNFiguration, version 2.3-2.4
876!:ext	cnf
877>>>4	uleshort	0x1402	1-2-3 CoNFiguration, version 3.x
878!:ext	cnf
879>>>4	uleshort	0x1450	1-2-3 CoNFiguration, version 4.x
880!:ext	cnf
881# (version 5.26) labeled the entry as "Lotus 123"
882# TrID labeles the entry as "Lotus 123 Worksheet (generic)"
883>>>4	uleshort	0x0404	1-2-3 WorKSheet, version 1
884# extension "wks" also for Microsoft Works document
885!:ext	wks
886# (version 5.26) labeled the entry as "Lotus 123"
887# TrID labeles the entry as "Lotus 123 Worksheet (generic)"
888>>>4	uleshort	0x0405	Symphony WoRksheet, version 1.0
889!:ext	wrk/wr1
890# (version 5.26) labeled the entry as "Lotus 1-2-3 wk1 document data"
891# TrID labeles the entry as "Lotus 123 Worksheet (V2)"
892>>>4	uleshort	0x0406	1-2-3/Symphony worksheet, version 2
893# Symphony (.wr1)
894!:ext	wk1/wr1
895# no example for this japan version
896>>>4	uleshort	0x0600	1-2-3 WorKsheet, version 1.xJ
897!:ext	wj1
898# no example or documentation for wk2
899#>>>4	uleshort	0x????	1-2-3 WorKsheet, version 2
900#!:ext	wk2
901# undocumented japan version
902>>>4	uleshort	0x0602	1-2-3 worksheet, version 2.4J
903!:ext	wj3
904# (version 5.26) labeled the entry as "Lotus 1-2-3 fmt document data"
905>>>4	uleshort	0x8006	1-2-3 ForMaTting data, version 2.x
906# japan version 2.4J (fj3)
907!:ext	fmt/fj3
908# no example for this version
909>>>4	uleshort	0x8007	1-2-3 FoRMatting data, version 2.0
910!:ext	frm
911# (version 5.26) labeled the entry as "Lotus 1-2-3"
912>>>4	default		x	unknown worksheet or configuration
913!:ext	cnf
914>>>>4	uleshort	x	\b, revision 0x%x
915# 2nd record for most worksheets describes cells range
916>>>6		use	lotus-cells
917# 3nd record for most japan worksheets describes cells range
918>>>(8.s+10)	use	lotus-cells
919#	check and then display Lotus worksheet cells range
9200	name		lotus-cells
921# look for type (RANGE=0006h) + length (0008h) at record begin
922>0	ubelong	0x06000800	\b, cell range
923# cell range (start column, row, end column, row) start values normally 0,0~A1 cell
924>>4	ulong		!0
925>>>4	uleshort	x	\b%d,
926>>>6	uleshort	x	\b%d-
927# end of cell range
928>>8	uleshort	x	\b%d,
929>>10	uleshort	x	\b%d
930# EndOfLotus123
9310	string/b		WordPro\0	Lotus WordPro
932!:mime	application/vnd.lotus-wordpro
9330	string/b		WordPro\r\373	Lotus WordPro
934!:mime	application/vnd.lotus-wordpro
935
936
937# Summary: Script used by InstallScield to uninstall applications
938# Extension: .isu
939# Submitted by: unknown
940# Modified by (1): Abel Cheung <abelcheung@gmail.com> (replace useless entry)
9410		string		\x71\xa8\x00\x00\x01\x02
942>12		string		Stirling\ Technologies,		InstallShield Uninstall Script
943
944# Winamp .avs
945#0	string	Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media player
9460	string/b	Nullsoft\ AVS\ Preset\ 	Winamp plug in
947
948# Windows Metafile .WMF
9490	string/b	\327\315\306\232	Windows metafile
950!:mime	image/wmf
951!:ext	wmf
9520	string/b	\002\000\011\000	Windows metafile
953!:mime	image/wmf
954!:ext	wmf
9550	string/b	\001\000\011\000	Windows metafile
956!:mime	image/wmf
957!:ext	wmf
958
959#tz3 files whatever that is (MS Works files)
9600	string/b	\003\001\001\004\070\001\000\000	tz3 ms-works file
9610	string/b	\003\002\001\004\070\001\000\000	tz3 ms-works file
9620	string/b	\003\003\001\004\070\001\000\000	tz3 ms-works file
963
964# PGP sig files .sig
965#0 string \211\000\077\003\005\000\063\237\127 065 to  \027\266\151\064\005\045\101\233\021\002 PGP sig
9660 string \211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002 PGP sig
9670 string \211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002 PGP sig
9680 string \211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002 PGP sig
9690 string \211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002 PGP sig
9700 string \211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002 PGP sig
9710 string \211\000\225\003\005\000\062\122\207\304\100\345\042 PGP sig
972
973# windows zips files .dmf
9740	string/b	MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000 MS Windows special zipped file
975
976# Windows icons
977# Update: Joerg Jenderek
978# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
979# Note: similar to Windows CURsor. container for BMP (only DIB part) or PNG
9800   belong  0x00000100
981>9  byte    0
982>>0 byte    x
983>>0 use     cur-ico-dir
984>9  ubyte   0xff
985>>0 byte    x
986>>0 use     cur-ico-dir
987#	displays number of icons and information for icon or cursor
9880	name		cur-ico-dir
989# skip some Lotus 1-2-3 worksheets, CYCLE.PIC and keep Windows cursors with
990# 1st data offset = dir header size + n * dir entry size = 6 + n * 10h = ?6h
991>18		ulelong		&0x00000006
992# skip remaining worksheets, because valid only for DIB image (40) or PNG image (\x89PNG)
993>>(18.l)	ulelong		x		MS Windows
994>>>0		ubelong		0x00000100	icon resource
995# https://www.iana.org/assignments/media-types/image/vnd.microsoft.icon
996!:mime		image/vnd.microsoft.icon
997#!:mime		image/x-icon
998!:ext		ico
999>>>>4 		uleshort	x		- %d icon
1000# plural s
1001>>>>4 		uleshort	>1		\bs
1002# 1st icon
1003>>>>0x06	use		ico-entry
1004# 2nd icon
1005>>>>4 		uleshort	>1
1006>>>>>0x16	use		ico-entry
1007>>>0		ubelong		0x00000200	cursor resource
1008#!:mime		image/x-cur
1009!:mime		image/x-win-bitmap
1010!:ext		cur
1011>>>>4 		uleshort	x		- %d icon
1012>>>>4 		uleshort	>1		\bs
1013# 1st cursor
1014>>>>0x06	use		cur-entry
1015#>>>>0x16	use		cur-entry
1016#	display information of one cursor entry
10170	name		cur-entry
1018>0	use		cur-ico-entry
1019>4	uleshort	x	\b, hotspot @%dx
1020>6	uleshort	x	\b%d
1021#	display information of one icon entry
10220	name		ico-entry
1023>0			use	cur-ico-entry
1024# normally 0 1 but also found 14
1025>4	uleshort	>1	\b, %d planes
1026# normally 0 1 but also found some 3, 4, some 6, 8, 24, many 32, two 256
1027>6	uleshort	>1	\b, %d bits/pixel
1028#	display shared information of cursor or icon entry
10290		name		cur-ico-entry
1030>0		byte		=0		\b, 256x
1031>0		byte		!0		\b, %dx
1032>1		byte        	=0		\b256
1033>1		byte        	!0		\b%d
1034# number of colors in palette
1035>2		ubyte		!0		\b, %d colors
1036# reserved 0 FFh
1037#>3		ubyte        	x		\b, reserved %x
1038#>8		ulelong		x		\b, image size %d
1039# offset of PNG or DIB image
1040#>12		ulelong		x		\b, offset 0x%x
1041# PNG header (\x89PNG)
1042>(12.l)		ubelong		=0x89504e47
1043# 1 space char after "with" to get phrase "with PNG image" by magic in ./images
1044>>&-4		indirect	x	\b with
1045# DIB image
1046>(12.l)		ubelong		!0x89504e47
1047#>>&-4		use     	dib-image
1048
1049# Windows non-animated cursors
1050# Update: Joerg Jenderek
1051# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
1052# Note: similar to Windows ICOn. container for BMP ( only DIB part)
1053# GRR: line below is too general as it catches also Lotus 1-2-3 files
10540   belong  0x00000200
1055>9  byte    0
1056>>0 use     cur-ico-dir
1057>9  ubyte   0xff
1058>>0 use     cur-ico-dir
1059
1060# .chr files
10610	string/b	PK\010\010BGI	Borland font
1062>4	string	>\0	%s
1063# then there is a copyright notice
1064
1065
1066# .bgi files
10670	string/b	pk\010\010BGI	Borland device
1068>4	string	>\0	%s
1069# then there is a copyright notice
1070
1071
1072# Windows Recycle Bin record file (named INFO2)
1073# By Abel Cheung (abelcheung AT gmail dot com)
1074# Version 4 always has 280 bytes (0x118) per record, version 5 has 800 bytes
1075# Since Vista uses another structure, INFO2 structure probably won't change
1076# anymore. Detailed analysis in:
1077# http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf
10780	lelong		0x00000004
1079>12	lelong		0x00000118	Windows Recycle Bin INFO2 file (Win98 or below)
1080
10810	lelong		0x00000005
1082>12	lelong		0x00000320	Windows Recycle Bin INFO2 file (Win2k - WinXP)
1083
1084# From Doug Lee via a FreeBSD pr
10859	string		GERBILDOC	First Choice document
10869	string		GERBILDB	First Choice database
10879	string		GERBILCLIP	First Choice database
10880	string		GERBIL		First Choice device file
10899	string		RABBITGRAPH	RabbitGraph file
10900	string		DCU1		Borland Delphi .DCU file
10910	string		=!<spell>	MKS Spell hash list (old format)
10920	string		=!<spell2>	MKS Spell hash list
1093# Too simple - MPi
1094#0	string		AH		Halo(TM) bitmapped font file
10950	lelong		0x08086b70	TurboC BGI file
10960	lelong		0x08084b50	TurboC Font file
1097
1098# Debian#712046: The magic below identifies "Delphi compiled form data".
1099# An additional source of information is available at:
1100# http://www.woodmann.com/fravia/dafix_t1.htm
11010	string		TPF0
1102>4	pstring		>\0		Delphi compiled form '%s'
1103
1104# tests for DBase files moved, updated and merged to database
1105
11060	string		PMCC		Windows 3.x .GRP file
11071	string		RDC-meg		MegaDots
1108>8	byte		>0x2F		version %c
1109>9	byte		>0x2F		\b.%c file
11100	lelong		0x4C
1111>4	lelong		0x00021401	Windows shortcut file
1112
1113# .PIF files added by Joerg Jenderek from https://smsoft.ru/en/pifdoc.htm
1114# only for windows versions equal or greater 3.0
11150x171	string	MICROSOFT\ PIFEX\0	Windows Program Information File
1116!:mime	application/x-dosexec
1117!:ext	pif
1118#>2	string	 	>\0		\b, Title:%.30s
1119>0x24	string		>\0		\b for %.63s
1120>0x65	string		>\0		\b, directory=%.64s
1121>0xA5	string		>\0		\b, parameters=%.64s
1122#>0x181	leshort	x	\b, offset %x
1123#>0x183	leshort	x	\b, offsetdata %x
1124#>0x185	leshort	x	\b, section length %x
1125>0x187	search/0xB55	WINDOWS\ VMM\ 4.0\0
1126>>&0x5e		ubyte	>0
1127>>>&-1		string	<PIFMGR.DLL		\b, icon=%s
1128#>>>&-1		string	PIFMGR.DLL		\b, icon=%s
1129>>>&-1		string	>PIFMGR.DLL		\b, icon=%s
1130>>&0xF0		ubyte	>0
1131>>>&-1		string	<Terminal		\b, font=%.32s
1132#>>>&-1		string	=Terminal		\b, font=%.32s
1133>>>&-1		string	>Terminal		\b, font=%.32s
1134>>&0x110	ubyte	>0
1135>>>&-1		string	<Lucida\ Console	\b, TrueTypeFont=%.32s
1136#>>>&-1		string	=Lucida\ Console	\b, TrueTypeFont=%.32s
1137>>>&-1		string	>Lucida\ Console	\b, TrueTypeFont=%.32s
1138#>0x187	search/0xB55	WINDOWS\ 286\ 3.0\0	\b, Windows 3.X standard mode-style
1139#>0x187	search/0xB55	WINDOWS\ 386\ 3.0\0	\b, Windows 3.X enhanced mode-style
1140>0x187	search/0xB55	WINDOWS\ NT\ \ 3.1\0	\b, Windows NT-style
1141#>0x187	search/0xB55	WINDOWS\ NT\ \ 4.0\0	\b, Windows NT-style
1142>0x187	search/0xB55	CONFIG\ \ SYS\ 4.0\0	\b +CONFIG.SYS
1143#>>&06		string	x			\b:%s
1144>0x187	search/0xB55	AUTOEXECBAT\ 4.0\0	\b +AUTOEXEC.BAT
1145#>>&06		string	x			\b:%s
1146
1147# DOS EPS Binary File Header
1148# From: Ed Sznyter <ews@Black.Market.NET>
11490	belong		0xC5D0D3C6	DOS EPS Binary File
1150!:mime	image/x-eps
1151>4	long		>0		Postscript starts at byte %d
1152>>8	long		>0		length %d
1153>>>12	long		>0		Metafile starts at byte %d
1154>>>>16	long		>0		length %d
1155>>>20	long		>0		TIFF starts at byte %d
1156>>>>24	long		>0		length %d
1157
1158# TNEF magic From "Joomy" <joomy@se-ed.net>
1159# Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF)
11600	lelong		0x223e9f78	TNEF
1161!:mime	application/vnd.ms-tnef
1162
1163# Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C
1164# of http://www.davep.org/norton-guides/ng2h-105.tgz
1165# https://en.wikipedia.org/wiki/Norton_Guides
11660	string		NG\0\001
1167# only value 0x100 found at offset 2
1168>2	ulelong		0x00000100	Norton Guide
1169# Title[40]
1170>>8	string		>\0		"%-.40s"
1171#>>6	uleshort	x		\b, MenuCount=%u
1172# szCredits[5][66]
1173>>48	string		>\0		\b, %-.66s
1174>>114	string		>\0		%-.66s
1175
1176# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS
1177# of https://www.4dos.info/
1178# pointer,HelpID[8]=4DHnnnmm
11790	ulelong	0x48443408		4DOS help file
1180>4	string	x			\b, version %-4.4s
1181
1182# old binary Microsoft (.HLP) files added by Joerg Jenderek from http://file-extension.net/seeker/file_extension_hlp
11830	ulequad	0x3a000000024e4c	MS Advisor help file
1184
1185# HtmlHelp files (.chm)
11860	string/b	ITSF\003\000\000\000\x60\000\000\000	MS Windows HtmlHelp Data
1187
1188# GFA-BASIC (Wolfram Kleff)
11892	string/b	GFA-BASIC3	GFA-BASIC 3 data
1190
1191#------------------------------------------------------------------------------
1192# From Stuart Caie <kyzer@4u.net> (developer of cabextract)
1193# Update: Joerg Jenderek
1194# URL: https://en.wikipedia.org/wiki/Cabinet_(file_format)
1195# Reference: https://msdn.microsoft.com/en-us/library/bb267310.aspx
1196# Note: verified by `7z l *.cab`
1197# Microsoft Cabinet files
11980	string/b	MSCF\0\0\0\0	Microsoft Cabinet archive data
1199#
1200# https://support.microsoft.com/en-us/help/973559/frequently-asked-questions-about-the-microsoft-support-diagnostic-tool
1201# CAB with *.{diagcfg,diagpkg} is used by Microsoft Support Diagnostic Tool MSDT.EXE
1202# because some archive does not have *.diag* as 1st or 2nd archive member like
1203# O15CTRRemove.diagcab or AzureStorageAnalyticsLogs_global.DiagCab
1204# brute looking after header for filenames with diagcfg or diagpkg extension in CFFILE section
1205>0x2c	search/980/c	.diag		\b, Diagnostic
1206!:mime	application/vnd.ms-cab-compressed
1207!:ext	diagcab
1208# http://fileformats.archiveteam.org/wiki/PUZ
1209# Microsoft Publisher version about 2003 has a "Pack and Go" feature that
1210# bundles a Publisher document *PNG.pub with all links into a CAB
1211>0x2c	search/300/c	png.pub\0		\b, Publisher Packed and Go
1212!:mime	application/vnd.ms-cab-compressed
1213!:ext	puz
1214# ppz variant with Microsoft PowerPoint Viewer ppview32.exe to play PowerPoint presentation
1215>0x2c	search/17/c	ppview32.exe\0		\b, PowerPoint Viewer Packed and Go
1216!:mime	application/vnd.ms-powerpoint
1217#!:mime	application/mspowerpoint
1218!:ext	ppz
1219# URL:		https://en.wikipedia.org/wiki/Windows_Desktop_Gadgets
1220# Reference:	https://docs.microsoft.com/en-us/previous-versions/windows/desktop/sidebar/
1221# http://win10gadgets.com/download/273/ All_CPU_Meter1.zip/All_CPU_Meter_V4.7.3.gadget
1222>0x2c	search/968/c	gadget.xml		\b, Windows Desktop Gadget
1223#!:mime	application/vnd.ms-cab-compressed
1224# http://extension.nirsoft.net/gadget
1225!:mime	application/x-windows-gadget
1226!:ext	gadget
1227# http://www.incredimail.com/
1228# IncrediMail CAB contains an initialisation file "content.ini" like in im2.ims
1229>0x2c	search/3369/c	content.ini\0	\b, IncrediMail
1230!:mime	application/x-incredimail
1231# member Flavor.htm implies IncrediMail ecard like in tell_a_friend.imf
1232>>0x2c	search/83/c	Flavor.htm\0	ecard
1233!:ext	imf
1234# member Macromedia Flash data *.swf implies IncrediMail skin like in im2.ims
1235>>0x2c	search/211/c	.swf\0		skin
1236!:ext	ims
1237# member anim.im3 implies IncrediMail animation like in letter_fold.ima
1238>>0x2c	search/92/c	anim.im3\0	animation
1239!:ext	ima
1240# other IncrediMail cab archive
1241>>0x2c	default		x
1242>>>0x2c	search/116/c	thumb		ecard, image, notifier or skin
1243!:ext	imf/imi/imn/ims
1244# http://file-extension.net/seeker/file_extension_ime
1245>>>0x2c	default		x		emoticons or sound
1246!:ext	ime/imw
1247# no Diagnostic, Packed and Go, Windows Desktop Gadget, IncrediMail
1248>0x2c	default		x
1249# look for 1st member name
1250>>(16.l+16)	ubyte	x
1251# https://en.wikipedia.org/wiki/SNP_file_format
1252>>>&-1	string/c 	_accrpt_.snp	\b, Access report snapshot
1253!:mime	application/msaccess
1254!:ext	snp
1255# https://en.wikipedia.org/wiki/Microsoft_InfoPath
1256>>>&-1	string 		manifest.xsf	\b, InfoPath Form Template
1257!:mime	application/vnd.ms-cab-compressed
1258#!:mime	application/vnd.ms-infopath
1259!:ext	xsn
1260# https://www.cabextract.org.uk/wince_cab_format/
1261# extension of DOS 8+3 name with ".000" of 1st archive member name implies Windows CE installer
1262>>>&7	string 		=.000		\b, WinCE install
1263!:mime	application/vnd.ms-cab-compressed
1264!:ext	cab
1265
1266# https://support.microsoft.com/kb/934307/en-US
1267# All inspected MSU contain a file with name WSUSSCAN.cab
1268# that is called "Windows Update meta data" by Microsoft
1269>>>&-1	string/c 	wsusscan.cab	\b, Microsoft Standalone Update
1270!:mime	application/vnd.ms-cab-compressed
1271!:ext	msu
1272>>>&-1	default		x
1273# look at point charcter of 1st archive member name for file name extension
1274>>>>&-1	search/255 	.
1275# http://www.pptfaq.com/FAQ00164_What_is_a_PPZ_file-.htm
1276# PPZ were created using Pack & Go feature of PowerPoint versions 97 - 2002
1277# packs optional files, a PowerPoint presentation *.ppt with optional PLAYLIST.LST to CAB
1278>>>>>&0	string/c	ppt\0		\b, PowerPoint Packed and Go
1279!:mime	application/vnd.ms-powerpoint
1280#!:mime	application/mspowerpoint
1281!:ext	ppz
1282# https://msdn.microsoft.com/en-us/library/windows/desktop/bb773190(v=vs.85).aspx
1283# first member *.theme implies Windows 7 Theme Pack like in CommunityShowcaseAqua3.themepack
1284# or Windows 8 Desktop Theme Pack like in PanoramicGlaciers.deskthemepack
1285>>>>>&0	string/c	theme		\b, Windows
1286!:mime	application/x-windows-themepack
1287# https://www.drewkeller.com/content/using-theme-both-windows-7-and-windows-8
1288# 1st member Panoramic.theme or Panoramas.theme implies Windows 8-10 Theme Pack
1289# with MTSM=RJSPBS in [MasterThemeSelector] inside *.theme
1290>>>>>>(16.l+16)	string	=Panoram	8
1291!:ext	deskthemepack
1292>>>>>>(16.l+16)	string	!Panoram	7 or 8
1293!:ext	themepack/deskthemepack
1294>>>>>>(16.l+16)	ubyte	x		Theme Pack
1295>>>>>&0	default		x
1296# look for null terminator of 1st member name
1297>>>>>>&0	search/255 	\0
1298# 2nd member name WSUSSCAN.cab like in Microsoft-Windows-MediaFeaturePack-OOB-Package.msu
1299>>>>>>>&16	string/c 	wsusscan.cab	\b, Microsoft Standalone Update
1300!:mime	application/vnd.ms-cab-compressed
1301!:ext	msu
1302>>>>>>>&16	default	x
1303# archive with more then one file need some output in version 5.32 to avoid error message like
1304# Magdir/msdos, 1138: Warning: Current entry does not yet have a description for adding a MIME type
1305# Magdir/msdos, 1139: Warning: Current entry does not yet have a description for adding a EXTENSION type
1306# file: could not find any valid magic files!
1307>>>>>>>>28	uleshort	>1	\b, many
1308!:mime	application/vnd.ms-cab-compressed
1309!:ext	cab
1310# remaining archives with just one file
1311>>>>>>>>28	uleshort	=1
1312# neither extra bytes nor cab chain implies Windows 2000,XP setup files in directory i386
1313>>>>>>>>>30	uleshort	=0x0000	\b, Windows 2000/XP setup
1314# cut of last char of source extension and add underscore to generate extension
1315# TERMCAP._ ... FXSCOUNT.H_ ... L3CODECA.AC_ ... NPDRMV2.ZI_
1316!:mime	application/vnd.ms-cab-compressed
1317!:ext	_/?_/??_
1318# archive need some output like "single" in version 5.32 to avoid error messages
1319>>>>>>>>>30	uleshort	!0x0000	\b, single
1320!:mime	application/vnd.ms-cab-compressed
1321!:ext	cab
1322# TODO: additional extensions like
1323# .xtp	InfoPath Template Part
1324# .lvf	Logitech Video Effects Face Accessory
1325>8	ulelong		x		\b, %u bytes
1326>28	uleshort		1		\b, 1 file
1327>28	uleshort		>1		\b, %u files
1328# Reserved fields, set to zero
1329#>4	belong		!0		\b, reserved1 %x
1330#>12	belong		!0		\b, reserved2 %x
1331# offset of the first CFFILE entry coffFiles: minimal 2Ch
1332>16	ulelong		x		\b, at 0x%x
1333>(16.l)	use		cab-file
1334# at least also 2nd member
1335>28	uleshort		>1
1336>>(16.l+16)	ubyte	x
1337>>>&0	search/255 	\0
1338# second member info
1339>>>>&0	use		cab-file
1340#>20	belong		!0		\b, reserved %x
1341# Cabinet file format version. Currently, versionMajor = 1 and versionMinor = 3
1342>24	ubeshort	!0x0301		\b version 0x%x
1343# number of CFFOLDER entries
1344>26	uleshort	>1		\b, %u cffolders
1345# cabinet file option indicators 1~PREVIOUS, 2~NEXT, 4~reserved fields
1346# only found for flags 0 1 2 3 4 not 7
1347>30	uleshort	>0		\b, flags 0x%x
1348# Cabinet files have a 16-bit cabinet setID field that is designed for application use.
1349# default is zero, however, the -i option of cabarc can be used to set this field
1350>32	uleshort	>0		\b, ID %u
1351# iCabinet is number of this cabinet file in a set, where 0 for the first cabinet
1352#>34	uleshort	x		\b, iCabinet %u
1353# add one for display because humans start numbering by 1 and also fit to name of disk szDisk*
1354>34	uleshort+1	x		\b, number %u
1355>30	uleshort	&0x0004		\b, extra bytes
1356# cbCFHeader optional size of per-cabinet reserved area 14h 1800h
1357>>36	uleshort	>0		%u in head
1358# cbCFFolder is optional size of per-folder reserved area
1359>>38	ubyte		>0		%u in folder
1360# cbCFData is optional size of per-datablock reserved area
1361>>39	ubyte		>0		%u in data block
1362# optional per-cabinet reserved area abReserve[cbCFHeader]
1363>>36	uleshort	>0
1364# 1st CFFOLDER after reserved area in header
1365>>>(36.s+40)	use			cab-folder
1366# no reserved area in header
1367>30	uleshort	^0x0004
1368# no previous and next cab archive
1369>>30	uleshort		=0x0000
1370>>>36	use				cab-folder
1371# only previous cab archive
1372>>30	uleshort		=0x0001	\b, previous
1373>>>36	use				cab-anchor
1374# only next cab archive
1375>>30	uleshort		=0x0002	\b, next
1376>>>36	use				cab-anchor
1377# previous+next cab archive
1378# can not use sub routine cab-anchor to display previous and next cabinet together
1379#>>>36	use				cab-anchor
1380#>>>>&0	use				cab-anchor
1381>>30	uleshort		=0x0003	\b, previous
1382>>>36	string		x		%s
1383# optional name of previous disk szDisk*
1384>>>>&1	string		x		disk %s
1385>>>>>&1	string		x		\b, next %s
1386# optional name of previous disk szDisk*
1387>>>>>>&1	string		x	disk %s
1388>>>>>>>&1	use			cab-folder
1389#	display filename and disk name of previous or next cabinet
13900       name    			cab-anchor
1391# optional name of previous/next cabinet file szCabinet*[255]
1392>&0	string		x		%s
1393# optional name of previous/next disk szDisk*[255]
1394>>&1	string		x		disk %s
1395#	display folder structure CFFOLDER information like compression of cabinet
13960       name    			cab-folder
1397# offset of the CFDATA block in this folder
1398#>0	ulelong		x		\b, coffCabStart 0x%x
1399# number of CFDATA blocks in folder
1400>4	uleshort	x		\b, %u datablock
1401# plural s
1402>4	uleshort	>1		\bs
1403# compression typeCompress: 0~None 1~MSZIP 0x1503~LZX:21 0x1003~LZX:16 0x0f03~LZX:15
1404>6	uleshort	x		\b, 0x%x compression
1405# optional per-folder reserved area
1406#>8	ubequad		x		\b, abReserve 0x%llx
1407#	display member structure CFFILE information like member name of cabinet
14080       name    			cab-file
1409# cbFile is uncompressed size of file in bytes
1410#>0	ulelong		x		\b, cbFile %u
1411# uoffFolderStart is uncompressed offset of file in folder
1412#>4	ulelong		>0		\b, uoffFolderStart 0x%x
1413# iFolder is index into the CFFOLDER area. 0 indicates first folder in cabinet
1414# define ifoldCONTINUED_FROM_PREV      (0xFFFD)
1415# define ifoldCONTINUED_TO_NEXT        (0xFFFE)
1416# define ifoldCONTINUED_PREV_AND_NEXT  (0xFFFF)
1417>8	uleshort	>0		\b, iFolder 0x%x
1418# date stamp for file
1419#>10	uleshort	x		\b, date 0x%x
1420# time stamp for file
1421#>12	uleshort	x		\b, time 0x%x
1422# attribs is attribute flags for file
1423# define  _A_RDONLY       (0x01)  file is read-only
1424# define  _A_HIDDEN       (0x02)  file is hidden
1425# define  _A_SYSTEM       (0x04)  file is a system file
1426# define  _A_ARCH         (0x20)  file modified since last backup
1427# example http://sebastien.kirche.free.fr/pebuilder_plugins/depends.cab
1428# define  _A_EXEC         (0x40)  run after extraction
1429# define  _A_NAME_IS_UTF  (0x80)  szName[] contains UTF
1430# define  UNKNOWN       (0x0100)  undocumented or accident
1431#>14	uleshort	x		\b, attribs 0x%x
1432>14	uleshort	>0		+
1433>>14	uleshort	&0x0001		\bR
1434>>14	uleshort	&0x0002		\bH
1435>>14	uleshort	&0x0004		\bS
1436>>14	uleshort	&0x0020		\bA
1437>>14	uleshort	&0x0040		\bX
1438>>14	uleshort	&0x0080		\bUtf
1439# unknown 0x0100 flag found on one XP_CD:\I386\DRIVER.CAB
1440>>14	uleshort	&0x0100		\b?
1441# szName is name of archive member
1442>16	string		x		"%s"
1443# next archive member name if more files
1444#>>&17	string		>\0		\b, NEXT NAME %-.50s
1445
1446# InstallShield Cabinet files
14470	string/b	ISc(		InstallShield Cabinet archive data
1448>5	byte&0xf0	=0x60		version 6,
1449>5	byte&0xf0	!0x60		version 4/5,
1450>(12.l+40)	lelong	x		%u files
1451
1452# Windows CE package files
14530	string/b	MSCE\0\0\0\0	Microsoft WinCE install header
1454>20	lelong		0		\b, architecture-independent
1455>20	lelong		103		\b, Hitachi SH3
1456>20	lelong		104		\b, Hitachi SH4
1457>20	lelong		0xA11		\b, StrongARM
1458>20	lelong		4000		\b, MIPS R4000
1459>20	lelong		10003		\b, Hitachi SH3
1460>20	lelong		10004		\b, Hitachi SH3E
1461>20	lelong		10005		\b, Hitachi SH4
1462>20	lelong		70001		\b, ARM 7TDMI
1463>52	leshort		1		\b, 1 file
1464>52	leshort		>1		\b, %u files
1465>56	leshort		1		\b, 1 registry entry
1466>56	leshort		>1		\b, %u registry entries
1467
1468
1469# Windows Enhanced Metafile (EMF)
1470# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp
1471# for further information.
14720	ulelong 1
1473>40	string	\ EMF		Windows Enhanced Metafile (EMF) image data
1474>>44	ulelong x		version 0x%x
1475
1476
14770	string/b	\224\246\056		Microsoft Word Document
1478!:mime	application/msword
1479
1480# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
1481# Magic type for Dell's BIOS .hdr files
1482# Dell's .hdr
14830	string/b $RBU
1484>23	string Dell			%s system BIOS
1485>5	byte   2
1486>>48	byte   x			version %d.
1487>>49	byte   x			\b%d.
1488>>50	byte   x			\b%d
1489>5	byte   <2
1490>>48	string x			version %.3s
1491
1492# Type: Microsoft Document Imaging Format (.mdi)
1493# URL:	https://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format
1494# From: Daniele Sempione <scrows@oziosi.org>
1495# Too weak (EP)
1496#0	short	0x5045			Microsoft Document Imaging Format
1497
1498# MS eBook format (.lit)
14990	string/b	ITOLITLS		Microsoft Reader eBook Data
1500>8	lelong	x			\b, version %u
1501!:mime					application/x-ms-reader
1502
1503# Windows CE Binary Image Data Format
1504# From: Dr. Jesus <j@hug.gs>
15050	string/b	B000FF\n	Windows Embedded CE binary image
1506
1507# The second byte of these signatures is a file version; I don't know what,
1508# if anything, produced files with version numbers 0-2.
1509# From: John Elliott <johne@seasip.demon.co.uk>
15100	string	\xfc\x03\x00	Mallard BASIC program data (v1.11)
15110	string	\xfc\x04\x00	Mallard BASIC program data (v1.29+)
15120	string	\xfc\x03\x01	Mallard BASIC protected program data (v1.11)
15130	string	\xfc\x04\x01	Mallard BASIC protected program data (v1.29+)
1514
15150	string	MIOPEN		Mallard BASIC Jetsam data
15160	string	Jetsam0		Mallard BASIC Jetsam index data
1517
1518# DOS backup 2.0 to 3.2
1519
1520# backupid.@@@
1521
1522# plausibility check for date
15230x3	ushort	>1979
1524>0x5	ubyte-1 <31
1525>>0x6	ubyte-1 <12
1526# actually 121 nul bytes
1527>>>0x7	string	\0\0\0\0\0\0\0\0
1528>>>>0x1 ubyte	x	DOS 2.0 backup id file, sequence %d
1529!:ext @@@
1530>>>>0x0 ubyte	0xff	\b, last disk
1531
1532# backed up file
1533
1534# skip some AppleWorks word like Tomahawk.Awp, WIN98SE-DE.vhd
1535# by looking for trailing nul of maximal file name string
15360x52	ubyte	0
1537# test for flag byte: FFh~complete file, 00h~split file
1538# FFh -127 =	-1 -127 =	-128
1539# 00h -127 =	 0 -127 =	-127
1540>0	byte-127	<-126
1541# plausibility check for file name length
1542>>0x53	ubyte-1	<78
1543# looking for terminating nul of file name string
1544>>>(0x53.b+4)	ubyte	0
1545# looking if last char of string is valid DOS file name
1546>>>>(0x53.b+3)	ubyte	>0x1F
1547# actually 44 nul bytes
1548# but sometimes garbage according to Ralf Quint. So can not be used as test
1549#>0x54	string	\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
1550# first char of full file name is DOS (5Ch) or UNIX (2Fh) path separator
1551# only DOS variant found. UNIX variant according to V32SLASH.TXT in archive PD0315.EXE
1552>>>>>5	ubyte&0x8C	0x0C
1553# ./msdos (version 5.30) labeled the entry as
1554# "DOS 2.0 backed up file %s, split file, sequence %d" or
1555# "DOS 2.0 backed up file %s, complete file"
1556>>>>>>0	ubyte	x	DOS 2.0-3.2 backed up
1557#>>>>>>0	ubyte	0xff	complete
1558>>>>>>0	ubyte	0
1559>>>>>>>1 uleshort	x	sequence %d of
1560# full file name with path but without drive letter and colon stored from 0x05 til 0x52
1561>>>>>>0x5	string	x	file %s
1562# backup name is original filename
1563#!:ext	*
1564# magic/Magdir/msdos, 1169: Warning: EXTENSION type `     *' has bad char '*'
1565# file: line 1169: Bad magic entry '  *'
1566# after header original file content
1567>>>>>>128	indirect x	\b;
1568
1569
1570# DOS backup 3.3 to 5.x
1571
1572# CONTROL.nnn files
15730	string	\x8bBACKUP\x20
1574# actually 128 nul bytes
1575>0xa	string	\0\0\0\0\0\0\0\0
1576>>0x9	ubyte	x	DOS 3.3 backup control file, sequence %d
1577>>0x8a	ubyte	0xff	\b, last disk
1578
1579# NB: The BACKUP.nnn files consist of the files backed up,
1580# concatenated.
1581