#------------------------------------------------------------------------------
# $File: msdos,v 1.145 2021/02/23 00:51:10 christos Exp $
# msdos: file(1) magic for MS-DOS files
#

# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com)
# updated by Joerg Jenderek at Oct 2008,Apr 2011
0	string/t	@
>1	string/cW	\ echo\ off	DOS batch file text
!:mime	text/x-msdos-batch
!:ext	bat
>1	string/cW	echo\ off	DOS batch file text
!:mime	text/x-msdos-batch
!:ext	bat
>1	string/cW	rem	DOS batch file text
!:mime	text/x-msdos-batch
!:ext	bat
>1	string/cW	set\ 	DOS batch file text
!:mime	text/x-msdos-batch
!:ext	bat


# OS/2 batch files are REXX. the second regex is a bit generic, oh well
# the matched commands seem to be common in REXX and uncommon elsewhere
100	search/0xffff	rxfuncadd
>100	regex/c	=^[\ \t]{0,10}call[\ \t]{1,10}rxfunc	OS/2 REXX batch file text
100	search/0xffff	say
>100	regex/c	=^[\ \t]{0,10}say\ ['"]	OS/2 REXX batch file text

# updated by Joerg Jenderek at Oct 2015
# https://de.wikipedia.org/wiki/Common_Object_File_Format
# http://www.delorie.com/djgpp/doc/coff/filhdr.html
# ./intel already labeled COFF type 0x14c=0514 as "80386 COFF executable"
#0	leshort	0x14c	MS Windows COFF Intel 80386 object file
#>4	ledate	x	stamp %s
0	leshort	0x166	MS Windows COFF MIPS R4000 object file
#>4	ledate	x	stamp %s
0	leshort	0x184	MS Windows COFF Alpha object file
#>4	ledate	x	stamp %s
0	leshort	0x268	MS Windows COFF Motorola 68000 object file
#>4	ledate	x	stamp %s
0	leshort	0x1f0	MS Windows COFF PowerPC object file
#>4	ledate	x	stamp %s
0	leshort	0x290	MS Windows COFF PA-RISC object file
#>4	ledate	x	stamp %s

# Tests for various EXE types.
#
# Many of the compressed formats were extracted from IDARC 1.23 source code.
#
0	string/b	MZ
# All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file.
>0x18	leshort	<0x40	MS-DOS executable
!:mime	application/x-dosexec
# Windows and later versions of DOS will allow .EXEs to be named with a .COM
# extension, mostly for compatibility's sake.
# URL: https://en.wikipedia.org/wiki/Personal_NetWare#VLM
# Reference: https://mark0.net/download/triddefs_xml.7z/defs/e/exe-vlm-msg.trid.xml
!:ext	exe/com/vlm
# These traditional tests usually work but not always. When test quality support is
# implemented these can be turned on.
#>>0x18	leshort	0x1c	(Borland compiler)
#>>0x18	leshort	0x1e	(MS compiler)

# Maybe it's a PE?
>(0x3c.l)	string	PE\0\0	PE
!:mime	application/x-dosexec
>>(0x3c.l+24)	leshort	0x010b	\b32 executable
>>(0x3c.l+24)	leshort	0x020b	\b32+ executable
>>(0x3c.l+24)	leshort	0x0107	ROM image
>>(0x3c.l+24)	default	x	Unknown PE signature
>>>&0	leshort	x	0x%x
>>(0x3c.l+22)	leshort&0x2000	>0	(DLL)
>>(0x3c.l+92)	leshort	1
# Native PEs include ntoskrnl.exe, hal.dll, smss.exe, autochk.exe, and all the
# drivers in Windows/System32/drivers/*.sys.
>>>(0x3c.l+22)	leshort&0x2000	>0	(native)
!:ext	dll/sys
>>>(0x3c.l+22)	leshort&0x2000	0	(native)
!:ext	exe/sys
>>(0x3c.l+92)	leshort	2
>>>(0x3c.l+22)	leshort&0x2000	>0	(GUI)
# These could probably be at least partially distinguished from one another by
# looking for specific exported functions.
# CPL: Control Panel item
# TLB: Type library
# OCX: OLE/ActiveX control
# ACM: Audio compression manager codec
# AX: DirectShow source filter
# IME: Input method editor
!:ext	dll/cpl/tlb/ocx/acm/ax/ime
>>>(0x3c.l+22)	leshort&0x2000	0	(GUI)
# Screen savers typically include code from the scrnsave.lib static library, but
# that's not guaranteed.
!:ext	exe/scr
>>(0x3c.l+92)	leshort	3
>>>(0x3c.l+22)	leshort&0x2000	>0	(console)
!:ext	dll/cpl/tlb/ocx/acm/ax/ime
>>>(0x3c.l+22)	leshort&0x2000	0	(console)
!:ext	exe/com
# https://docs.microsoft.com/en-us/windows/win32/debug/pe-format
>>(0x3c.l+92)	leshort	7	(POSIX)
>>(0x3c.l+92)	leshort	9	(Windows CE)
>>(0x3c.l+92)	leshort	10	(EFI application)
>>(0x3c.l+92)	leshort	11	(EFI boot service driver)
>>(0x3c.l+92)	leshort	12	(EFI runtime driver)
>>(0x3c.l+92)	leshort	13	(EFI ROM)
>>(0x3c.l+92)	leshort	14	(XBOX)
>>(0x3c.l+92)	leshort	15	(Windows boot application)
>>(0x3c.l+92)	default	x	(Unknown subsystem
>>>&0	leshort	x	0x%x)
>>(0x3c.l+4)	leshort	0x14c	Intel 80386
>>(0x3c.l+4)	leshort	0x166	MIPS R4000
>>(0x3c.l+4)	leshort	0x168	MIPS R10000
>>(0x3c.l+4)	leshort	0x184	Alpha
>>(0x3c.l+4)	leshort	0x1a2	Hitachi SH3
>>(0x3c.l+4)	leshort	0x1a3	Hitachi SH3 DSP
>>(0x3c.l+4)	leshort	0x1a8	Hitachi SH5
>>(0x3c.l+4)	leshort	0x169	MIPS WCE v2
>>(0x3c.l+4)	leshort	0x1a6	Hitachi SH4
>>(0x3c.l+4)	leshort	0x1c0	ARM
>>(0x3c.l+4)	leshort	0x1c2	ARM Thumb
>>(0x3c.l+4)	leshort	0x1c4	ARMv7 Thumb
>>(0x3c.l+4)	leshort	0x1d3	Matsushita AM33
>>(0x3c.l+4)	leshort	0x1f0	PowerPC
>>(0x3c.l+4)	leshort	0x1f1	PowerPC with FPU
>>(0x3c.l+4)	leshort	0x1f2	PowerPC (big-endian)
>>(0x3c.l+4)	leshort	0x200	Intel Itanium
>>(0x3c.l+4)	leshort	0x266	MIPS16
>>(0x3c.l+4)	leshort	0x268	Motorola 68000
>>(0x3c.l+4)	leshort	0x290	PA-RISC
>>(0x3c.l+4)	leshort	0x366	MIPSIV
>>(0x3c.l+4)	leshort	0x466	MIPS16 with FPU
>>(0x3c.l+4)	leshort	0xebc	EFI byte code
>>(0x3c.l+4)	leshort	0x5032	RISC-V 32-bit
>>(0x3c.l+4)	leshort	0x5064	RISC-V 64-bit
>>(0x3c.l+4)	leshort	0x5128	RISC-V 128-bit
>>(0x3c.l+4)	leshort	0x9041	Mitsubishi M32R
>>(0x3c.l+4)	leshort	0x8664	x86-64
>>(0x3c.l+4)	leshort	0xaa64	Aarch64
>>(0x3c.l+4)	leshort	0xc0ee	MSIL
>>(0x3c.l+4)	default	x	Unknown processor type
>>>&0	leshort	x	0x%x
>>(0x3c.l+22)	leshort&0x0200	>0	(stripped to external PDB)
>>(0x3c.l+22)	leshort&0x1000	>0	system file
>>(0x3c.l+24)	leshort	0x010b
>>>(0x3c.l+232)	lelong	>0	Mono/.Net assembly
>>(0x3c.l+24)	leshort	0x020b
>>>(0x3c.l+248)	lelong	>0	Mono/.Net assembly

# hooray, there's a DOS extender using the PE format, with a valid PE
# executable inside (which just prints a message and exits if run in win)
>>(8.s*16)	string	32STUB	\b, 32rtm DOS extender
>>(8.s*16)	string	!32STUB	\b, for MS Windows
>>(0x3c.l+0xf8)	string	UPX0	\b, UPX compressed
>>(0x3c.l+0xf8)	search/0x140	PEC2	\b, PECompact2 compressed
>>(0x3c.l+0xf8)	search/0x140	UPX2
>>>(&0x10.l+(-4))	string	PK\3\4	\b, ZIP self-extracting archive (Info-Zip)
>>(0x3c.l+0xf8)	search/0x140	.idata
>>>(&0xe.l+(-4))	string	PK\3\4	\b, ZIP self-extracting archive (Info-Zip)
>>>(&0xe.l+(-4))	string	ZZ0	\b, ZZip self-extracting archive
>>>(&0xe.l+(-4))	string	ZZ1	\b, ZZip self-extracting archive
>>(0x3c.l+0xf8)	search/0x140	.rsrc
>>>(&0x0f.l+(-4))	string	a\\\4\5	\b, WinHKI self-extracting archive
>>>(&0x0f.l+(-4))	string	Rar!	\b, RAR self-extracting archive
>>>(&0x0f.l+(-4))	search/0x3000	MSCF	\b, InstallShield self-extracting archive
>>>(&0x0f.l+(-4))	search/32	Nullsoft	\b, Nullsoft Installer self-extracting archive
>>(0x3c.l+0xf8)	search/0x140	.data
>>>(&0x0f.l)	string	WEXTRACT	\b, MS CAB-Installer self-extracting archive
>>(0x3c.l+0xf8)	search/0x140	.petite\0	\b, Petite compressed
>>>(0x3c.l+0xf7)	byte	x
>>>>(&0x104.l+(-4))	string	=!sfx!	\b, ACE self-extracting archive
>>(0x3c.l+0xf8)	search/0x140	.WISE	\b, WISE installer self-extracting archive
>>(0x3c.l+0xf8)	search/0x140	.dz\0\0\0	\b, Dzip self-extracting archive
>>&(0x3c.l+0xf8)	search/0x100	_winzip_	\b, ZIP self-extracting archive (WinZip)
>>&(0x3c.l+0xf8)	search/0x100	SharedD	\b, Microsoft Installer self-extracting archive
>>0x30	string	Inno	\b, InnoSetup self-extracting archive

# If the relocation table is 0x40 or more bytes into the file, it's definitely
# not a DOS EXE.
>0x18	leshort	>0x3f

# Hmm, not a PE but the relocation table is too high for a traditional DOS exe,
# must be one of the unusual subformats.
>>(0x3c.l)	string	!PE\0\0	MS-DOS executable
!:mime	application/x-dosexec

>>(0x3c.l)	string	NE	\b, NE
!:mime	application/x-dosexec
>>>(0x3c.l+0x36)	byte	1	for OS/2 1.x
>>>(0x3c.l+0x36)	byte	2	for MS Windows 3.x
>>>(0x3c.l+0x36)	byte	3	for MS-DOS
>>>(0x3c.l+0x36)	byte	4	for Windows 386
>>>(0x3c.l+0x36)	byte	5	for Borland Operating System Services
>>>(0x3c.l+0x36)	default	x
>>>>(0x3c.l+0x36)	byte	x	(unknown OS %x)
>>>(0x3c.l+0x36)	byte	0x81	for MS-DOS, Phar Lap DOS extender
>>>(0x3c.l+0x0c)	leshort&0x8000	0x8000	(DLL or font)
# DRV: Driver
# 3GR: Grabber device driver
# CPL: Control Panel Item
# VBX: Visual Basic Extension
# FON: Bitmap font
# FOT: Font resource file
!:ext	dll/drv/3gr/cpl/vbx/fon/fot
>>>(0x3c.l+0x0c)	leshort&0x8000	0	(EXE)
!:ext	exe/scr
>>>&(&0x24.s-1)	string	ARJSFX	\b, ARJ self-extracting archive
>>>(0x3c.l+0x70)	search/0x80	WinZip(R)\ Self-Extractor	\b, ZIP self-extracting archive (WinZip)

>>(0x3c.l)	string	LX\0\0	\b, LX
!:mime	application/x-dosexec
>>>(0x3c.l+0x0a)	leshort	<1	(unknown OS)
>>>(0x3c.l+0x0a)	leshort	1	for OS/2
>>>(0x3c.l+0x0a)	leshort	2	for MS Windows
>>>(0x3c.l+0x0a)	leshort	3	for DOS
>>>(0x3c.l+0x0a)	leshort	>3	(unknown OS)
>>>(0x3c.l+0x10)	lelong&0x28000	=0x8000	(DLL)
>>>(0x3c.l+0x10)	lelong&0x20000	>0	(device driver)
>>>(0x3c.l+0x10)	lelong&0x300	0x300	(GUI)
>>>(0x3c.l+0x10)	lelong&0x28300	<0x300	(console)
>>>(0x3c.l+0x08)	leshort	1	i80286
>>>(0x3c.l+0x08)	leshort	2	i80386
>>>(0x3c.l+0x08)	leshort	3	i80486
>>>(8.s*16)	string	emx	\b, emx
>>>>&1	string	x	%s
>>>&(&0x54.l-3)	string	arjsfx	\b, ARJ self-extracting archive

# MS Windows system file, supposedly a collection of LE executables
>>(0x3c.l)	string	W3	\b, W3 for MS Windows
!:mime	application/x-dosexec

>>(0x3c.l)	string	LE\0\0	\b, LE executable
!:mime	application/x-dosexec
>>>(0x3c.l+0x0a)	leshort	1
# some DOS extenders use LE files with OS/2 header
>>>>0x240	search/0x100	DOS/4G	for MS-DOS, DOS4GW DOS extender
>>>>0x240	search/0x200	WATCOM\ C/C++	for MS-DOS, DOS4GW DOS extender
>>>>0x440	search/0x100	CauseWay\ DOS\ Extender	for MS-DOS, CauseWay DOS extender
>>>>0x40	search/0x40	PMODE/W	for MS-DOS, PMODE/W DOS extender
>>>>0x40	search/0x40	STUB/32A	for MS-DOS, DOS/32A DOS extender (stub)
>>>>0x40	search/0x80	STUB/32C	for MS-DOS, DOS/32A DOS extender (configurable stub)
>>>>0x40	search/0x80	DOS/32A	for MS-DOS, DOS/32A DOS extender (embedded)
# this is a wild guess; hopefully it is a specific signature
>>>>&0x24	lelong	<0x50
>>>>>(&0x4c.l)	string	\xfc\xb8WATCOM
>>>>>>&0	search/8	3\xdbf\xb9	\b, 32Lite compressed
# another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP
#>>>>(0x3c.l+0x1c)	lelong	>0x10000	for OS/2
# fails with DOS-Extenders.
>>>(0x3c.l+0x0a)	leshort	2	for MS Windows
>>>(0x3c.l+0x0a)	leshort	3	for DOS
>>>(0x3c.l+0x0a)	leshort	4	for MS Windows (VxD)
# VXD: VxD for Windows 95/98/Me
# 386: VxD for Windows 2.10, 3.0, 3.1x
# PDR: Port driver
# MPD: Miniport driver (?)
!:ext	vxd/386/pdr/mpd
>>>(&0x7c.l+0x26)	string	UPX	\b, UPX compressed
>>>&(&0x54.l-3)	string	UNACE	\b, ACE self-extracting archive

# looks like ASCII, probably some embedded copyright message.
# and definitely not NE/LE/LX/PE
>>0x3c	lelong	>0x20000000
>>>(4.s*512)	leshort	!0x014c	\b, MZ for MS-DOS
!:mime	application/x-dosexec
!:ext	exe/com
# header data too small for extended executable
>2	long	!0
>>0x18	leshort	<0x40
>>>(4.s*512)	leshort	!0x014c

>>>>&(2.s-514)	string	!LE
>>>>>&-2	string	!BW	\b, MZ for MS-DOS
!:mime	application/x-dosexec
>>>>&(2.s-514)	string	LE	\b, LE
>>>>>0x240	search/0x100	DOS/4G	for MS-DOS, DOS4GW DOS extender
# educated guess since indirection is still not capable enough for complex offset
# calculations (next embedded executable would be at &(&2*512+&0-2)
# I suspect there are only LE executables in these multi-exe files
>>>>&(2.s-514)	string	BW
>>>>>0x240	search/0x100	DOS/4G	\b, LE for MS-DOS, DOS4GW DOS extender (embedded)
>>>>>0x240	search/0x100	!DOS/4G	\b, BW collection for MS-DOS

# This sequence skips to the first COFF segment, usually .text
>(4.s*512)	leshort	0x014c	\b, COFF
!:mime	application/x-dosexec
>>(8.s*16)	string	go32stub	for MS-DOS, DJGPP go32 DOS extender
>>(8.s*16)	string	emx
>>>&1	string	x	for DOS, Win or OS/2, emx %s
>>&(&0x42.l-3)	byte	x
>>>&0x26	string	UPX	\b, UPX compressed
# and yet another guess: small .text, and after large .data is unusual, could be 32lite
>>&0x2c	search/0xa0	.text
>>>&0x0b	lelong	<0x2000
>>>>&0	lelong	>0x6000	\b, 32lite compressed

>(8.s*16)	string	$WdX	\b, WDos/X DOS extender

# By now an executable type should have been printed out. The executable
# may be a self-uncompressing archive, so look for evidence of that and
# print it out.
#
# Some signatures below from Greg Roelofs, newt@uchicago.edu.
#
>0x35	string	\x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05	\b, aPack compressed
>0xe7	string	LH/2\ Self-Extract	\b, %s
>0x1c	string	UC2X	\b, UCEXE compressed
>0x1c	string	WWP\ 	\b, WWPACK compressed
>0x1c	string	RJSX	\b, ARJ self-extracting archive
>0x1c	string	diet	\b, diet compressed
>0x1c	string	LZ09	\b, LZEXE v0.90 compressed
>0x1c	string	LZ91	\b, LZEXE v0.91 compressed
>0x1c	string	tz	\b, TinyProg compressed
>0x1e	string	Copyright\ 1989-1990\ PKWARE\ Inc.	Self-extracting PKZIP archive
!:mime	application/zip
# Yes, this really is "Copr", not "Corp."
>0x1e	string	PKLITE\ Copr.	Self-extracting PKZIP archive
!:mime	application/zip
# winarj stores a message in the stub instead of the sig in the MZ header
>0x20	search/0xe0	aRJsfX	\b, ARJ self-extracting archive
>0x20	string	AIN
>>0x23	string	2	\b, AIN 2.x compressed
>>0x23	string	<2	\b, AIN 1.x compressed
>>0x23	string	>2	\b, AIN 1.x compressed
>0x24	string	LHa's\ SFX	\b, LHa self-extracting archive
!:mime	application/x-lha
>0x24	string	LHA's\ SFX	\b, LHa self-extracting archive
!:mime	application/x-lha
>0x24	string	\ $ARX	\b, ARX self-extracting archive
>0x24	string	\ $LHarc	\b, LHarc self-extracting archive
>0x20	string	SFX\ by\ LARC	\b, LARC self-extracting archive
>0x40	string	aPKG	\b, aPackage self-extracting archive
>0x64	string	W\ Collis\0\0	\b, Compack compressed
>0x7a	string	Windows\ self-extracting\ ZIP	\b, ZIP self-extracting archive
>>&0xf4	search/0x140	\x0\x40\x1\x0
>>>(&0.l+(4))	string	MSCF	\b, WinHKI CAB self-extracting archive
>1638	string	-lh5-	\b, LHa self-extracting archive v2.13S
>0x17888	string	Rar!	\b, RAR self-extracting archive

# Skip to the end of the EXE. This will usually work fine in the PE case
# because the MZ image is hardcoded into the toolchain and almost certainly
# won't match any of these signatures.
>(4.s*512)	long	x
>>&(2.s-517)	byte	x
>>>&0	string	PK\3\4	\b, ZIP self-extracting archive
>>>&0	string	Rar!	\b, RAR self-extracting archive
>>>&0	string	=!\x11	\b, AIN 2.x self-extracting archive
>>>&0	string	=!\x12	\b, AIN 2.x self-extracting archive
>>>&0	string	=!\x17	\b, AIN 1.x self-extracting archive
>>>&0	string	=!\x18	\b, AIN 1.x self-extracting archive
>>>&7	search/400	**ACE**	\b, ACE self-extracting archive
>>>&0	search/0x480	UC2SFX\ Header	\b, UC2 self-extracting archive

# a few unknown ZIP sfxes, no idea if they are needed or if they are
# already captured by the generic patterns above
>(8.s*16)	search/0x20	PKSFX	\b, ZIP self-extracting archive (PKZIP)
# TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extracting archive
#

# TELVOX Teleinformatica CODEC self-extractor for OS/2:
>49801	string	\x79\xff\x80\xff\x76\xff	\b, CODEC archive v3.21
>>49824	leshort	=1	\b, 1 file
>>49824	leshort	>1	\b, %u files

# added by Joerg Jenderek of https://www.freedos.org/software/?prog=kc
# and https://www.freedos.org/software/?prog=kpdos
# for FreeDOS files like KEYBOARD.SYS, KEYBRD2.SYS, KEYBRD3.SYS, *.KBD
0	string/b	KCF	FreeDOS KEYBoard Layout collection
# only version=0x100 found
>3	uleshort	x	\b, version 0x%x
# length of string containing author,info and special characters
>6	ubyte	>0
#>>6	pstring	x	\b, name=%s
>>7	string	>\0	\b, author=%-.14s
>>7	search/254	\xff	\b, info=
#>>>&0	string	x	\b%-s
>>>&0	string	x	\b%-.15s
# for FreeDOS *.KL files
0	string/b	KLF	FreeDOS KEYBoard Layout file
# only version=0x100 or 0x101 found
>3	uleshort	x	\b, version 0x%x
# stringlength
>5	ubyte	>0
>>8	string	x	\b, name=%-.2s
0	string	\xffKEYB\ \ \ \0\0\0\0
>12	string	\0\0\0\0`\004\360	MS-DOS KEYBoard Layout file

# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017,Aug 2020
# URL: http://fileformats.archiveteam.org/wiki/DOS_device_driver
# Reference: http://www.delorie.com/djgpp/doc/rbinter/it/46/16.html
# https://amaus.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009
0	ulequad&0x07a0ffffffff	0xffffffff
# skip OS/2 INI ./os2
>4	ubelong	!0x14000000
>>0	use	msdos-driver
0	name	msdos-driver	DOS executable (
#!:mime	application/octet-stream
!:mime	application/x-dosdriver
# also found FreeDOS print driver SPOOL.DEV and disc compression driver STACLOAD.BIN
# and IBM Token-Ring adapter IBMTOK.DOS. Why and when DOS instead SYS is used?
# PROTMAN.DOS ELNKPL.DOS
!:ext	sys/dev/bin/dos
# 1 space char after "UPX compressed" to get phrase like "UPX compressed character device"
>40	search/7	UPX!	\bUPX compressed\040
# DOS device driver attributes
>4	uleshort&0x8000	0x0000	\bblock device driver
# character device
>4	uleshort&0x8000	0x8000	\b
# 1 space char after "clock" to get phrase like "clock character device driver CLOCK$"
>>4	uleshort&0x0008	0x0008	\bclock\040
# fast video output by int 29h
# 1 space char after "fast" to get phrase like "fast standard input/output character device driver"
>>4	uleshort&0x0010	0x0010	\bfast\040
# standard input/output device
# 1 space char after "standard" to get phrase like "standard input/output character device driver"
>>4	uleshort&0x0003	>0	\bstandard\040
>>>4	uleshort&0x0001	0x0001	\binput
>>>4	uleshort&0x0003	0x0003	\b/
# 1 space char after "output" to get phrase like "input/output character device driver"
>>>4	uleshort&0x0002	0x0002	\boutput\040
>>4	uleshort&0x8000	0x8000	\bcharacter device driver
>0	ubyte	x
# upx compressed device driver has garbage instead of real in name field of header
>>40	search/7	UPX!
>>40	default	x
# leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped
# 1 space char before device driver name to get phrase like "device driver PROTMAN$"
>>>12	ubyte	>0x2E	\b\040
>>>>10	ubyte	>0x20
>>>>>10	ubyte	!0x2E
>>>>>>10	ubyte	!0x2A	\b%c
>>>>11	ubyte	>0x20
>>>>>11	ubyte	!0x2E	\b%c
>>>>12	ubyte	>0x20
>>>>>12	ubyte	!0x39
>>>>>>12	ubyte	!0x2E	\b%c
>>>13	ubyte	>0x20
>>>>13	ubyte	!0x2E	\b%c
>>>>14	ubyte	>0x20
>>>>>14	ubyte	!0x2E	\b%c
>>>>15	ubyte	>0x20
>>>>>15	ubyte	!0x2E	\b%c
>>>>16	ubyte	>0x20
>>>>>16	ubyte	!0x2E
>>>>>>16	ubyte	<0xCB	\b%c
>>>>17	ubyte	>0x20
>>>>>17	ubyte	!0x2E
>>>>>>17	ubyte	<0x90	\b%c
# some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field
>>>12	ubyte	<0x2F
# they have their real name at offset 22
# also block device drivers like DUMBDRV.SYS
>>>>22	string	>\056	%-.6s
>4	uleshort&0x8000	0x0000
# 32 bit sector addressing ( > 32 MB) for block devices
>>4	uleshort&0x0002	0x0002	\b,32-bit sector-
# support by driver functions 13h, 17h, 18h
>4	uleshort&0x0040	0x0040	\b,IOCTL-
# open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh
>4	uleshort&0x0800	0x0800	\b,close media-
# output until busy support by int 10h for character device driver
>4	uleshort&0x8000	0x8000
>>4	uleshort&0x2000	0x2000	\b,until busy-
# direct read/write support by driver functions 03h,0Ch
>4	uleshort&0x4000	0x4000	\b,control strings-
>4	uleshort&0x8000	0x8000
>>4	uleshort&0x6840	>0	\bsupport
>4	uleshort&0x8000	0x0000
>>4	uleshort&0x4842	>0	\bsupport
>0	ubyte	x	\b)
>0	ulelong	!0xffffffff	with pointer 0x%x
# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header
0	ulequad	0x0513c00000000012
>0	use	msdos-driver
# DOS drivers DC2975.SYS, DUMBDRV.SYS, ECHO.SYS has also none 0xffffffff for pointer field
0	ulequad	0x32f28000ffff0016
>0	use	msdos-driver
0	ulequad	0x007f00000000ffff
>0	use	msdos-driver
# https://www.uwe-sieber.de/files/cfg_echo.zip
0	ulequad	0x001600000000ffff
>0	use	msdos-driver
# DOS drivers LS120.SYS, MKELS120.SYS use reserved bits of attribute field
0	ulequad	0x0bf708c2ffffffff
>0	use	msdos-driver
0	ulequad	0x07bd08c2ffffffff
>0	use	msdos-driver
# 3Com EtherLink 3C501 CID\SERVER\IBMLS\IBM500D1\DLSNETDR.ZIP\ELNK.DOS
0	ulequad	0x027ac0c0ffffffff
>0	use	msdos-driver
# IBM Streamer CID\SERVER\IBMLS\IBM500D1\DLSNETDR.ZIP\IBMMPC.DOS
0	ulequad	0x00228880ffffffff
>0	use	msdos-driver

# updated by Joerg Jenderek
# GRR: line below too general as it catches also
# rt.lib DYADISKS.PIC and many more
# start with assembler instruction MOV
0	ubyte	0x8c
# skip "AppleWorks word processor data" like ARTICLE.1 ./apple
>4	string	!O====
# skip some unknown basic binaries like RocketRnger.SHR
>>5	string	!MAIN
# skip "GPG symmetrically encrypted data" ./gnu
# skip "PGP symmetric key encrypted data" ./pgp
# openpgpdefs.h: fourth byte < 14 indicate cipher algorithm type
>>>4	ubyte	>13	DOS executable (COM, 0x8C-variant)
# the remaining files should be DOS *.COM executables
# dosshell.COM 8cc0 2ea35f07 e85211 e88a11 b80058 cd
# hmload.COM 8cc8 8ec0 bbc02b 89dc 83c30f c1eb04 b4
# UNDELETE.COM 8cca 2e8916 6503 b430 cd21 8b 2e0200 8b
# BOOTFIX.COM 8cca 2e8916 9603 b430 cd21 8b 2e0200 8b
# RAWRITE3.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
# SHARE.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
# validchr.COM 8cca 2e8916 9603 b430 cd21 8b 2e028b1e
# devload.COM 8cca 8916ad01 b430 cd21 8b2e0200 892e
!:mime	application/x-dosexec
!:ext	com

# updated by Joerg Jenderek at Oct 2008
0	ulelong	0xffff10eb	DR-DOS executable (COM)
# byte 0xeb conflicts with "sequent" magic leshort 0xn2eb
0	ubeshort&0xeb8d	>0xeb00
# DR-DOS STACKER.COM SCREATE.SYS missed

0	name	msdos-com
>0	byte	x	DOS executable (COM)
!:mime	application/x-dosexec
!:ext	com
>6	string	SFX\ of\ LHarc	\b, %s
>0x1FE	leshort	0xAA55	\b, boot code
>85	string	UPX	\b, UPX compressed
>4	string	\ $ARX	\b, ARX self-extracting archive
>4	string	\ $LHarc	\b, LHarc self-extracting archive
>0x20e	string	SFX\ by\ LARC	\b, LARC self-extracting archive

# JMP 8bit
0	byte	0xeb
# allow forward jumps only
>1	byte	>-1
# that offset must be accessible
>>(1.b+2)	byte	x
>>>0	use	msdos-com

# JMP 16bit
0	byte	0xe9
# forward jumps
>1	short	>-1
# that offset must be accessible
>>(1.s+3)	byte	x
>>>0	use	msdos-com
# negative offset, must not lead into PSP
>1	short	<-259
# that offset must be accessible
>>(1,s+65539)	byte	x
>>>0	use	msdos-com

# updated by Joerg Jenderek at Oct 2008,2015
# following line is too general
0	ubyte	0xb8
# skip 2 linux kernels like memtest.bin with "\xb8\xc0\x07\x8e" in ./linux
>0	string	!\xb8\xc0\x07\x8e
# modified by Joerg Jenderek
# syslinux COM32 or COM32R executable
>>1	lelong&0xFFFFFFFe	0x21CD4CFe	COM executable (32-bit COMBOOT
# https://www.syslinux.org/wiki/index.php/Comboot_API
# Since version 5.00 c32 modules switched from the COM32 object format to ELF
!:mime	application/x-c32-comboot-syslinux-exec
!:ext	c32
# https://syslinux.zytor.com/comboot.php
# older syslinux version ( <4 )
# (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode
# start with assembler instructions mov eax,21cd4cffh
>>>1	lelong	0x21CD4CFf	\b)
# syslinux:doc/comboot.txt
# A COM32R program must start with the byte sequence B8 FE 4C CD 21 (mov
# eax,21cd4cfeh) as a magic number.
# syslinux version (4.x)
# "COM executable (COM32R)" or "Syslinux COM32 module" by TrID
>>>1	lelong	0x21CD4CFe	\b, relocatable)
# Hajin Jang <hajin_jang@worksmobile.com>:
# Disable simplest COM signature to prevent false positive on some EUC-KR text files.
## remaining are DOS COM executables starting with assembler instruction MOV
## like FreeDOS BANNER*.COM FINDDISK.COM GIF2RAW.COM WINCHK.COM
## MS-DOS SYS.COM RESTART.COM
## SYSLINUX.COM (version 1.40 - 2.13)
## GFXBOOT.COM (version 3.75)
## COPYBS.COM POWEROFF.COM INT18.COM
#>>1	default	x	COM executable for DOS
#!:mime	application/x-dosexec
##!:mime	application/x-ms-dos-executable
##!:mime	application/x-msdos-program
#!:ext	com

# URL: https://en.wikipedia.org/wiki/UPX
# Reference: https://github.com/upx/upx/archive/v3.96.zip/upx-3.96/
# src/stub/src/i086-dos16.com.S
# Update: Joerg Jenderek
# assembler instructions: cmp sp, offset sp_limit
0	string/b	\x81\xfc
#>2	uleshort	x	\b, sp_limit=0x%x
# assembler instructions: jump above +2; int 0x20; mov cx, offset bytes_to_copy
>4	string	\x77\x02\xcd\x20\xb9
#>9	uleshort	x	\b, [bytes_to_copy]=0x%x
# at different offsets assembler instructions: push di; jump decomp_start_n2b
>0x1e	search/3	\x57\xe9
#>>&0	uleshort	x	\b, decomp_start_n2b=0x%x
# src/stub/src/include/header.S; UPX_MAGIC_LE32
>>&2	string	UPX!	FREE-DOS executable (COM), UPX
!:mime	application/x-dosexec
# UPX compressed *.CPI; See ./fonts
>>>&21	string	=FONT	compressed DOS code page font
!:ext	cpx
>>>&21	string	!FONT	compressed
!:ext	com
# compressed size?
#>>>&14	uleshort+152	x	\b, %u bytes
# uncompressed len
>>>&12	uleshort	x	\b, uncompressed %u bytes
252	string	Must\ have\ DOS\ version	DR-DOS executable (COM)
!:mime	application/x-dosexec
!:ext	com
# GRR search is not working
#2	search/28	\xcd\x21	COM executable for MS-DOS
#WHICHFAT.cOM
2	string	\xcd\x21	COM executable for DOS
!:mime	application/x-dosexec
!:ext	com
#DELTREE.cOM DELTREE2.cOM
4	string	\xcd\x21	COM executable for DOS
!:mime	application/x-dosexec
!:ext	com
#IFMEMDSK.cOM ASSIGN.cOM COMP.cOM
5	string	\xcd\x21	COM executable for DOS
!:mime	application/x-dosexec
!:ext	com
#DELTMP.COm HASFAT32.cOM
7	string	\xcd\x21
>0	byte	!0xb8	COM executable for DOS
!:mime	application/x-dosexec
!:ext	com
#COMP.cOM MORE.COm
10	string	\xcd\x21
>5	string	!\xcd\x21	COM executable for DOS
!:mime	application/x-dosexec
!:ext	com
#comecho.com
13	string	\xcd\x21	COM executable for DOS
!:mime	application/x-dosexec
!:ext	com
#HELP.COm EDIT.coM
18	string	\xcd\x21	COM executable for MS-DOS
!:mime	application/x-dosexec
!:ext	com
#NWRPLTRM.COm
23	string	\xcd\x21	COM executable for MS-DOS
!:mime	application/x-dosexec
!:ext	com
#LOADFIX.cOm LOADFIX.cOm
30	string	\xcd\x21	COM executable for MS-DOS
!:mime	application/x-dosexec
!:ext	com
#syslinux.com 3.11
70	string	\xcd\x21	COM executable for DOS
!:mime	application/x-dosexec
!:ext	com
# many compressed/converted COMs start with a copy loop instead of a jump
0x6	search/0xa	\xfc\x57\xf3\xa5\xc3	COM executable for MS-DOS
!:mime	application/x-dosexec
!:ext	com
0x6	search/0xa	\xfc\x57\xf3\xa4\xc3	COM executable for DOS
!:mime	application/x-dosexec
!:ext	com
>0x18	search/0x10	\x50\xa4\xff\xd5\x73	\b, aPack compressed
0x3c	string	W\ Collis\0\0	COM executable for MS-DOS, Compack compressed
!:mime	application/x-dosexec
!:ext	com
# FIXME: missing diet .com compression

# miscellaneous formats
0	string/b	LZ	MS-DOS executable (built-in)
#0	byte	0xf0	MS-DOS program library data
#

# AAF files:
# <stuartc@rd.bbc.co.uk> Stuart Cunningham
0	string/b	\320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377	AAF legacy file using MS Structured Storage
>30	byte	9	(512B sectors)
>30	byte	12	(4kB sectors)
0	string/b	\320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001	AAF file using MS Structured Storage
>30	byte	9	(512B sectors)
>30	byte	12	(4kB sectors)

# Popular applications
#
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/DOC
# Reference: https://web.archive.org/web/20170206041048/
# http://www.msxnet.org/word2rtf/formats/ffh-dosword5
# wIdent+dty
0	belong	0x31be0000
# skip droid skeleton like x-fmt-274-signature-id-488.doc
>128	ubyte	>0	Microsoft
>>96	uleshort	=0	Word
!:mime	application/msword
!:apple	MSWDWDBN
# DCX is used in the Unix version.
!:ext	doc/dcx
>>>0x6E	ulequad	=0	1.0-4.0
>>>0x6E	ulequad	!0	5.0-6.0
>>>0x6E	ulequad	x	(DOS) Document
# https://web.archive.org/web/20130831064118/http://msxnet.org/word2rtf/formats/write.txt
>>96	uleshort	!0	Write 3.0 (Windows) Document
!:mime	application/x-mswrite
!:apple	MSWDWDBN
# sometimes also doc like in splitter.doc srchtest.doc
!:ext	wri/doc
# wTool must be 0125400 octal
#>>4	uleshort	!0xAB00	\b, wTool %o
# reserved; must be zero
#>>6	ulelong	!0	\b, reserved %u
# block pointer to the block containing optional file manager information
#>>0x1C	uleshort	x	\b, at 0x%x info block
# jump to File manager information block
>>(0x1C.s*128)	uleshort	x
# test for valid information start; maybe also 0012h
>>>&-2	uleshort	=0x0014
# Document ASCIIZ name
>>>>&0x12	string	x	%s
# author name
>>>>>&1	string	x	\b, author %s
# reviser name
>>>>>>&1	string	x	\b, reviser %s
# keywords
>>>>>>>&1	string	x	\b, keywords %s
# comment
>>>>>>>>&1	string	x	\b, comment %s
# version number
>>>>>>>>>&1	string	x	\b, version %s
# date of last change MM/DD/YY
>>>>>>>>>>&1	string	x	\b, %-.8s
# creation date MM/DD/YY
>>>>>>>>>>&9	string	x	created %-.8s
# file name of print format like NORMAL.STY
>>0x1E	string	>0	\b, formatted by %-.66s
# count of pages in whole file for write variant; maybe some times wrong
>>96	uleshort	>0	\b, %u pages
# name of the printer driver like HPLASMS
>>0x62	string	>0	\b, %-.8s printer
# number of blocks used in the file; seems to be 0 for Word 4.0 and Write 3.0
>>0x6A	uleshort	>0	\b, %u blocks
# bit field for corrected text areas
#>>0x6C	uleshort	x	\b, 0x%x bit field
# text of document; some times start with 4 non printable characters like CR LF
>>128	ubyte	x	\b,
>>>128	ubyte	>0x1F
>>>>128	string	x	%s
>>>128	ubyte	<0x20
>>>>129	ubyte	>0x1F
>>>>>129	string	x	%s
>>>>129	ubyte	<0x20
>>>>>130	ubyte	>0x1F
>>>>>>130 string x %s
>>>>>130 ubyte <0x20
>>>>>>131 ubyte >0x1F
>>>>>>>131 string x %s
>>>>>>131 ubyte <0x20
>>>>>>>132 ubyte >0x1F
>>>>>>>>132 string x %s
>>>>>>>132 ubyte <0x20
>>>>>>>>133 ubyte >0x1F
>>>>>>>>>133 string x %s
#
0 string/b PO^Q` Microsoft Word 6.0 Document
!:mime application/msword
#
4 long 0
>0 belong 0xfe320000 Microsoft Word for Macintosh 1.0
!:mime application/msword
!:ext mcw
>0 belong 0xfe340000 Microsoft Word for Macintosh 3.0
!:mime application/msword
!:ext mcw
>0 belong 0xfe37001c Microsoft Word for Macintosh 4.0
!:mime application/msword
!:ext mcw
>0 belong 0xfe370023 Microsoft Word for Macintosh 5.0
!:mime application/msword
!:ext mcw

0 string/b \333\245-\0\0\0 Microsoft Word 2.0 Document
!:mime application/msword
!:ext doc
# Note: seems already recognized as "OLE 2 Compound Document" in ./ole2compounddocs
#512 string/b \354\245\301 Microsoft Word Document
#!:mime application/msword

#
0 string/b \xDB\xA5\x2D\x00 Microsoft WinWord 2.0 Document
!:mime application/msword
#
0 string/b \xDB\xA5\x2D\x00 Microsoft WinWord 2.0 Document
!:mime application/msword

#
0 string/b \x09\x04\x06\x00\x00\x00\x10\x00 Microsoft Excel Worksheet
!:mime application/vnd.ms-excel
# https://www.macdisk.com/macsigen.php
!:apple XCELXLS4
!:ext xls
#
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/Lotus_1-2-3
# Reference: http://www.aboutvb.de/bas/formate/pdf/wk3.pdf
# Note: newer Lotus versions >2 use longer BOF record
# record type (BeginningOfFile=0000h) + length (001Ah)
0 belong 0x00001a00
# reserved should be 0h but 8c0dh for TUTMAC.WK3, 5h for SAMPADNS.WK3, 1h for a_readme.wk3, 1eh for K&G86.WK3
#>18 uleshort&0x73E0 0
# Lotus Multi Byte Character Set (LMBCS=1-31)
>20 ubyte >0
>>20 ubyte <32 Lotus 1-2-3
#!:mime application/x-123
!:mime application/vnd.lotus-1-2-3
!:apple ????L123
# (version 5.26) labeled the entry as "Lotus 1-2-3 wk3 document data"
>>>4 uleshort 0x1000 WorKsheet, version 3
!:ext wk3
# (version 5.26) labeled the entry as "Lotus 1-2-3 wk4 document data"
>>>4 uleshort 0x1002 WorKsheet, version 4
# also worksheet template 4 (.wt4)
!:ext wk4/wt4
# no example or documentation for wk5
#>>4 uleshort 0x???? WorKsheet, version 4
#!:ext wk5
# only MacrotoScript.123 example
>>>4 uleshort 0x1003 WorKsheet, version 97
# also worksheet template Smartmaster (.12M)?
!:ext 123
# only Set_Y2K.123 example
>>>4 uleshort 0x1005 WorKsheet, version 9.8 Millennium
!:ext 123
# no example for this version
>>>4 uleshort 0x8001 FoRMatting data
!:ext frm
# (version 5.26) labeled the entry as "Lotus 1-2-3 fm3 or fmb document data"
# TrID labels the entry as "Formatting Data for Lotus 1-2-3 worksheet"
>>>4 uleshort 0x8007 ForMatting data, version 3
!:ext fm3
>>>4 default x unknown
# file revision sub code 0004h for worksheets
>>>>6 uleshort =0x0004 worksheet
!:ext wXX
>>>>6 uleshort !0x0004 formatting data
!:ext fXX
# main revision number
>>>>4 uleshort x \b, revision 0x%x
>>>6 uleshort =0x0004 \b, cell range
# active cellcoord range (start row, page,column ; end row, page, column)
# start values normally 0~1st sheet A1
>>>>8 ulelong !0
>>>>>10 ubyte >0 \b%d*
>>>>>8 uleshort x \b%d,
>>>>>11 ubyte x \b%d-
# end page mostly 0
>>>>14 ubyte >0 \b%d*
# end row, column normally not 0
>>>>12 uleshort x \b%d,
>>>>15 ubyte x \b%d
# Lotus Multi Byte Character Set (1~cp850,2~cp851,...,16~japan,...,31~??)
>>>>20 ubyte >1 \b, character set 0x%x
# flags
>>>>21 ubyte x \b, flags 0x%x
>>>6 uleshort !0x0004
# record type (FONTNAME=00AEh)
>>>>30 search/29 \0\xAE
# variable length m (2) + entries (1) + ?? (1) + LCMBS string (n)
>>>>>&4 string >\0 \b, 1st font "%s"
#
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/Lotus_1-2-3
# Reference: http://www.schnarff.com/file-formats/lotus-1-2-3/WSFF2.TXT
# Note: Used by both old Lotus 1-2-3 and Lotus Symphony (DOS) til version 2.x
# record type (BeginningOfFile=0000h) + length (0002h)
0 belong 0x00000200
# GRR: line above is too general as it catches also MS Windows CURsor
# to display MS Windows cursor (strength=70) before Lotus 1-2-3 (strength=70-1)
!:strength -1
# skip Windows cursors with image height <256 and keep Lotus with low opcode 0001-0083h
>7 ubyte 0
# skip Windows cursors with image width 256 and keep Lotus with positive opcode
>>6 ubyte >0 Lotus
# !:mime application/x-123
!:mime application/vnd.lotus-1-2-3
!:apple ????L123
# revision number (0404h = 123 1A, 0405h = Lotus Symphony , 0406h = 123 2.x wk1 , 8006h = fmt , ...)
# undocumented; (version 5.26) labeled the configurations as "Lotus 1-2-3"
>>>4 uleshort 0x0007 1-2-3 CoNFiguration, version 2.x (PGRAPH.CNF)
!:ext cnf
>>>4 uleshort 0x0C05 1-2-3 CoNFiguration, version 2.4J
!:ext cnf
>>>4 uleshort 0x0801 1-2-3 CoNFiguration, version 1-2.1
!:ext cnf
>>>4 uleshort 0x0802 Symphony CoNFiguration
!:ext cnf
>>>4 uleshort 0x0804 1-2-3 CoNFiguration, version 2.2
!:ext cnf
>>>4 uleshort 0x080A 1-2-3 CoNFiguration, version 2.3-2.4
!:ext cnf
>>>4 uleshort 0x1402 1-2-3 CoNFiguration, version 3.x
!:ext cnf
>>>4 uleshort 0x1450 1-2-3 CoNFiguration, version 4.x
!:ext cnf
# (version 5.26) labeled the entry as "Lotus 123"
# TrID labels the entry as "Lotus 123 Worksheet (generic)"
>>>4 uleshort 0x0404 1-2-3 WorKSheet, version 1
# extension "wks" also for Microsoft Works document
!:ext wks
# (version 5.26) labeled the entry as "Lotus 123"
# TrID labels the entry as "Lotus 123 Worksheet (generic)"
>>>4 uleshort 0x0405 Symphony WoRksheet, version 1.0
!:ext wrk/wr1
# (version 5.26) labeled the entry as "Lotus 1-2-3 wk1 document data"
# TrID labels the entry as "Lotus 123 Worksheet (V2)"
>>>4 uleshort 0x0406 1-2-3/Symphony worksheet, version 2
# Symphony (.wr1)
!:ext wk1/wr1
# no example for this japan version
>>>4 uleshort 0x0600 1-2-3 WorKsheet, version 1.xJ
!:ext wj1
# no example or documentation for wk2
#>>>4 uleshort 0x???? 1-2-3 WorKsheet, version 2
#!:ext wk2
# undocumented japan version
>>>4 uleshort 0x0602 1-2-3 worksheet, version 2.4J
!:ext wj3
# (version 5.26) labeled the entry as "Lotus 1-2-3 fmt document data"
>>>4 uleshort 0x8006 1-2-3 ForMaTting data, version 2.x
# japan version 2.4J (fj3)
!:ext fmt/fj3
# no example for this version
>>>4 uleshort 0x8007 1-2-3 FoRMatting data, version 2.0
!:ext frm
# (version 5.26) labeled the entry as "Lotus 1-2-3"
>>>4 default x unknown worksheet or configuration
!:ext cnf
>>>>4 uleshort x \b, revision 0x%x
# 2nd record for most worksheets describes cells range
>>>6 use lotus-cells
# 3rd record for most japan worksheets describes cells range
>>>(8.s+10) use lotus-cells
# check and then display Lotus worksheet cells range
0 name lotus-cells
# look for type (RANGE=0006h) + length (0008h) at record begin
>0 ubelong 0x06000800 \b, cell range
# cell range (start column, row, end column, row) start values normally 0,0~A1 cell
>>4 ulong !0
>>>4 uleshort x \b%d,
>>>6 uleshort x \b%d-
# end of cell range
>>8 uleshort x \b%d,
>>10 uleshort x \b%d
# EndOfLotus123
0 string/b WordPro\0 Lotus WordPro
!:mime application/vnd.lotus-wordpro
0 string/b WordPro\r\373 Lotus WordPro
!:mime application/vnd.lotus-wordpro


# Summary: Script used by InstallShield to uninstall applications
# Extension: .isu
# Submitted by: unknown
# Modified by (1): Abel Cheung <abelcheung@gmail.com> (replace useless entry)
0 string \x71\xa8\x00\x00\x01\x02
>12 string Stirling\ Technologies, InstallShield Uninstall Script

# Winamp .avs
#0 string Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media player
0 string/b Nullsoft\ AVS\ Preset\  Winamp plug in

# Windows Metafile .WMF
0 string/b \327\315\306\232 Windows metafile
!:mime image/wmf
!:ext wmf
0 string/b \002\000\011\000 Windows metafile
!:mime image/wmf
!:ext wmf
0 string/b \001\000\011\000 Windows metafile
!:mime image/wmf
!:ext wmf

#tz3 files whatever that is (MS Works files)
0 string/b \003\001\001\004\070\001\000\000 tz3 ms-works file
0 string/b \003\002\001\004\070\001\000\000 tz3 ms-works file
0 string/b \003\003\001\004\070\001\000\000 tz3 ms-works file

# PGP sig files .sig
#0 string \211\000\077\003\005\000\063\237\127 065 to \027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\225\003\005\000\062\122\207\304\100\345\042 PGP sig

# windows zips files .dmf
0 string/b MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000 MS Windows special zipped file

# Windows icons
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
# Note: similar to Windows CURsor. container for BMP (only DIB part) or PNG
0 belong 0x00000100
>9 byte 0
>>0 byte x
>>0 use cur-ico-dir
>9 ubyte 0xff
>>0 byte x
>>0 use cur-ico-dir
# displays number of icons and information for icon or cursor
0 name cur-ico-dir
# skip some Lotus 1-2-3 worksheets, CYCLE.PIC and keep Windows cursors with
# 1st data offset = dir header size + n * dir entry size = 6 + n * 10h = ?6h
>18 ulelong &0x00000006
# skip remaining worksheets, because valid only for DIB image (40) or PNG image (\x89PNG)
>>(18.l) ulelong x MS Windows
>>>0 ubelong 0x00000100 icon resource
# https://www.iana.org/assignments/media-types/image/vnd.microsoft.icon
!:mime image/vnd.microsoft.icon
#!:mime image/x-icon
!:ext ico
>>>>4 uleshort x - %d icon
# plural s
>>>>4 uleshort >1 \bs
# 1st icon
>>>>0x06 use ico-entry
# 2nd icon
>>>>4 uleshort >1
>>>>>0x16 use ico-entry
>>>0 ubelong 0x00000200 cursor resource
#!:mime image/x-cur
!:mime image/x-win-bitmap
!:ext cur
>>>>4 uleshort x - %d icon
>>>>4 uleshort >1 \bs
# 1st cursor
>>>>0x06 use cur-entry
#>>>>0x16 use cur-entry
# display information of one cursor entry
0 name cur-entry
>0 use cur-ico-entry
>4 uleshort x \b, hotspot @%dx
>6 uleshort x \b%d
# display information of one icon entry
0 name ico-entry
>0 use cur-ico-entry
# normally 0 1 but also found 14
>4 uleshort >1 \b, %d planes
# normally 0 1 but also found some 3, 4, some 6, 8, 24, many 32, two 256
>6 uleshort >1 \b, %d bits/pixel
# display shared information of cursor or icon entry
0 name cur-ico-entry
>0 byte =0 \b, 256x
>0 byte !0 \b, %dx
>1 byte =0 \b256
>1 byte !0 \b%d
# number of colors in palette
>2 ubyte !0 \b, %d colors
# reserved 0 FFh
#>3 ubyte x \b, reserved %x
#>8 ulelong x \b, image size %d
# offset of PNG or DIB image
#>12 ulelong x \b, offset 0x%x
# PNG header (\x89PNG)
>(12.l) ubelong =0x89504e47
# 1 space char after "with" to get phrase "with PNG image" by magic in ./images
>>&-4 indirect x \b with\040
# DIB image
>(12.l) ubelong !0x89504e47
#>>&-4 use dib-image

# Windows non-animated cursors
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
# Note: similar to Windows ICOn. container for BMP ( only DIB part)
# GRR: line below is too general as it catches also Lotus 1-2-3 files
0 belong 0x00000200
>9 byte 0
>>0 use cur-ico-dir
>9 ubyte 0xff
>>0 use cur-ico-dir

# .chr files
0 string/b PK\010\010BGI Borland font
>4 string >\0 %s
# then there is a copyright notice


# .bgi files
0 string/b pk\010\010BGI Borland device
>4 string >\0 %s
# then there is a copyright notice


# Windows Recycle Bin record file (named INFO2)
# By Abel Cheung (abelcheung AT gmail dot com)
# Version 4 always has 280 bytes (0x118) per record, version 5 has 800 bytes
# Since Vista uses another structure, INFO2 structure probably won't change
# anymore. Detailed analysis in:
# http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf
0 lelong 0x00000004
>12 lelong 0x00000118 Windows Recycle Bin INFO2 file (Win98 or below)

0 lelong 0x00000005
>12 lelong 0x00000320 Windows Recycle Bin INFO2 file (Win2k - WinXP)

# From Doug Lee via a FreeBSD pr
9 string GERBILDOC First Choice document
9 string GERBILDB First Choice database
9 string GERBILCLIP First Choice database
0 string GERBIL First Choice device file
9 string RABBITGRAPH RabbitGraph file
0 string DCU1 Borland Delphi .DCU file
0 string =!<spell> MKS Spell hash list (old format)
0 string =!<spell2> MKS Spell hash list
# Too simple - MPi
#0 string AH Halo(TM) bitmapped font file
0 lelong 0x08086b70 TurboC BGI file
0 lelong 0x08084b50 TurboC Font file

# Debian#712046: The magic below identifies "Delphi compiled form data".
# An additional source of information is available at:
# http://www.woodmann.com/fravia/dafix_t1.htm
0 string TPF0
>4 pstring >\0 Delphi compiled form '%s'

# tests for DBase files moved, updated and merged to database

0 string PMCC Windows 3.x .GRP file
1 string RDC-meg MegaDots
>8 byte >0x2F version %c
>9 byte >0x2F \b.%c file
0 lelong 0x4C
>4 lelong 0x00021401 Windows shortcut file

# .PIF files added by Joerg Jenderek from https://smsoft.ru/en/pifdoc.htm
# only for windows versions equal or greater 3.0
0x171 string MICROSOFT\ PIFEX\0 Windows Program Information File
!:mime application/x-dosexec
!:ext pif
#>2 string >\0 \b, Title:%.30s
>0x24 string >\0 \b for %.63s
>0x65 string >\0 \b, directory=%.64s
>0xA5 string >\0 \b, parameters=%.64s
#>0x181 leshort x \b, offset %x
#>0x183 leshort x \b, offsetdata %x
#>0x185 leshort x \b, section length %x
>0x187 search/0xB55 WINDOWS\ VMM\ 4.0\0
>>&0x5e ubyte >0
>>>&-1 string <PIFMGR.DLL \b, icon=%s
#>>>&-1 string PIFMGR.DLL \b, icon=%s
>>>&-1 string >PIFMGR.DLL \b, icon=%s
>>&0xF0 ubyte >0
>>>&-1 string <Terminal \b, font=%.32s
#>>>&-1 string =Terminal \b, font=%.32s
>>>&-1 string >Terminal \b, font=%.32s
>>&0x110 ubyte >0
>>>&-1 string <Lucida\ Console \b, TrueTypeFont=%.32s
#>>>&-1 string =Lucida\ Console \b, TrueTypeFont=%.32s
>>>&-1 string >Lucida\ Console \b, TrueTypeFont=%.32s
#>0x187 search/0xB55 WINDOWS\ 286\ 3.0\0 \b, Windows 3.X standard mode-style
#>0x187 search/0xB55 WINDOWS\ 386\ 3.0\0 \b, Windows 3.X enhanced mode-style
>0x187 search/0xB55 WINDOWS\ NT\ \ 3.1\0 \b, Windows NT-style
#>0x187 search/0xB55 WINDOWS\ NT\ \ 4.0\0 \b, Windows NT-style
>0x187 search/0xB55 CONFIG\ \ SYS\ 4.0\0 \b +CONFIG.SYS
#>>&06 string x \b:%s
>0x187 search/0xB55 AUTOEXECBAT\ 4.0\0 \b +AUTOEXEC.BAT
#>>&06 string x \b:%s

# DOS EPS Binary File Header
# From: Ed Sznyter <ews@Black.Market.NET>
0 belong 0xC5D0D3C6 DOS EPS Binary File
!:mime image/x-eps
>4 long >0 Postscript starts at byte %d
>>8 long >0 length %d
>>>12 long >0 Metafile starts at byte %d
>>>>16 long >0 length %d
>>>20 long >0 TIFF starts at byte %d
>>>>24 long >0 length %d

# TNEF magic From "Joomy" <joomy@se-ed.net>
# Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF)
0 lelong 0x223e9f78 TNEF
!:mime application/vnd.ms-tnef

# Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C
# of http://www.davep.org/norton-guides/ng2h-105.tgz
# https://en.wikipedia.org/wiki/Norton_Guides
0 string NG\0\001
# only value 0x100 found at offset 2
>2 ulelong 0x00000100 Norton Guide
!:mime application/x-norton-guide
# often like NORTON.NG but sometimes like NC.HLP
!:ext ng/hlp
# Title[40]
>>8 string >\0 "%-.40s"
#>>6 uleshort x \b, MenuCount=%u
# szCredits[5][66]
>>48 string >\0 \b, %-.66s
>>114 string >\0 %-.66s

# URL: https://en.wikipedia.org/wiki/Norton_Commander
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/msg-nc-eng.trid.xml
# From: Joerg Jenderek
# Note: Message file is used by executable with same main name.
# Only tested with version 5.50 (english) and 2.01 (Windows)
0 string Abort
# \0 or i
#>5 ubyte x %x
# skip ASCII Abort text by looking for error message like in NCVIEW.MSG
>6 search/7089 Non-DOS\ disk Norton Commander module message
!:mime application/x-norton-msg
!:ext msg

# URL: http://www.antonis.de/dos/dos-tuts/mpdostip/html/nwdostip.htm
# Reference: https://mark0.net/download/triddefs_xml.7z/defs/m/msg-netware-dos.trid.xml
# From: Joerg Jenderek
0 string DOS\ Client\ Message\ File: Novell DOS client message
#!:mime application/octet-stream
#!:mime application/x-novell-msg
!:ext msg
# look for second letter instead space character
>26 ubyte >0x20
# digit 1 or often main or program name like: IPXODI.COM TASKID pnwtrap DOSRqstr
>>25 ubyte !0x20 %c
>>>26 ubyte !0x20 \b%c
>>>>27 ubyte !0x20 \b%c
>>>>>28 ubyte !0x20 \b%c
>>>>>>29 ubyte !0x20 \b%c
>>>>>>>30 ubyte !0x20 \b%c
>>>>>>>>31 ubyte !0x20 \b%c
>>>>>>>>>32 ubyte !0x20 \b%c
>>>>>>>>>>33 ubyte !0x20 \b%c
>>>>>>>>>>>34 ubyte !0x20 \b%c
>>>>>>>>>>>>35 ubyte !0x20 \b%c
>>>>>>>>>>>>>36 ubyte !0x20 \b%c
# followed by string like: 0 v.10 V1.20
#
# followed by ,\040Tran\040
>28 search/14 ,\040Tran\040
# probably translated version string like: 0 v1.00
>>&0 string x \b, tran version %s
# followed by Ctrl-J Ctrl-Z
>>>&0 ubyte !0xa \b, terminated by 0x%2.2x
>>>>&0 ubyte x \b%2.2x
# Ctrl-Z
>0x65 ubyte !0x1A \b, at 0x65 0x%x
# one
>0x66 ubyte !0x01 \b, at 0x66 0x%x
# URL: https://en.wikipedia.org/wiki/NetWare
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dat-novell-msg.trid.xml
# ftp://ftp.iitb.ac.in/LDP/en/NLM-HOWTO/NLM-HOWTO-single.html
# From: Joerg Jenderek
0 string Novell\ Message\ Librarian\ Data\ File Novell message librarian data
#>35 string Version\ 1.00
#>49 string COPYRIGHT\ (c)\ 1985\ by\ Novell,\ Inc.
#>83 string \ \ All\ Rights\ Reserved
#!:mime application/octet-stream
#!:mime application/x-novell-msg
!:ext msg
#!:ext msg/dat
# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS
# of https://www.4dos.info/
# pointer,HelpID[8]=4DHnnnmm
0 ulelong 0x48443408 4DOS help file
>4 string x \b, version %-4.4s

# old binary Microsoft (.HLP) files added by Joerg Jenderek from http://file-extension.net/seeker/file_extension_hlp
0 ulequad 0x3a000000024e4c MS Advisor help file

# HtmlHelp files (.chm)
0 string/b ITSF\003\000\000\000\x60\000\000\000 MS Windows HtmlHelp Data

# GFA-BASIC (Wolfram Kleff)
2 string/b GFA-BASIC3 GFA-BASIC 3 data

#------------------------------------------------------------------------------
# From Stuart Caie <kyzer@4u.net> (developer of cabextract)
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/Cabinet_(file_format)
# Reference: https://msdn.microsoft.com/en-us/library/bb267310.aspx
# Note: verified by `7z l *.cab`
# Microsoft Cabinet files
0 string/b MSCF\0\0\0\0 Microsoft Cabinet archive data
#
# https://support.microsoft.com/en-us/help/973559/frequently-asked-questions-about-the-microsoft-support-diagnostic-tool
# CAB with *.{diagcfg,diagpkg} is used by Microsoft Support Diagnostic Tool MSDT.EXE
# because some archive does not have *.diag* as 1st or 2nd archive member like
# O15CTRRemove.diagcab or AzureStorageAnalyticsLogs_global.DiagCab
# brute looking after header for filenames with diagcfg or diagpkg extension in CFFILE section
>0x2c search/980/c .diag \b, Diagnostic
!:mime application/vnd.ms-cab-compressed
!:ext diagcab
# http://fileformats.archiveteam.org/wiki/PUZ
# Microsoft Publisher version about 2003 has a "Pack and Go" feature that
# bundles a Publisher document *PNG.pub with all links into a CAB
>0x2c search/300/c png.pub\0 \b, Publisher Packed and Go
!:mime application/vnd.ms-cab-compressed
!:ext puz
# ppz variant with Microsoft PowerPoint Viewer ppview32.exe to play PowerPoint presentation
>0x2c search/17/c ppview32.exe\0 \b, PowerPoint Viewer Packed and Go
!:mime application/vnd.ms-powerpoint
#!:mime application/mspowerpoint
!:ext ppz
# URL: https://en.wikipedia.org/wiki/Windows_Desktop_Gadgets
# Reference: https://docs.microsoft.com/en-us/previous-versions/windows/desktop/sidebar/
# http://win10gadgets.com/download/273/ All_CPU_Meter1.zip/All_CPU_Meter_V4.7.3.gadget
>0x2c search/968/c gadget.xml \b, Windows Desktop Gadget
#!:mime application/vnd.ms-cab-compressed
# http://extension.nirsoft.net/gadget
!:mime application/x-windows-gadget
!:ext gadget
# http://www.incredimail.com/
# IncrediMail CAB contains an initialisation file "content.ini" like in im2.ims
>0x2c search/3369/c content.ini\0 \b, IncrediMail
!:mime application/x-incredimail
# member Flavor.htm implies IncrediMail ecard like in tell_a_friend.imf
>>0x2c search/83/c Flavor.htm\0 ecard
!:ext imf
# member Macromedia Flash data *.swf implies IncrediMail skin like in im2.ims
>>0x2c search/211/c .swf\0 skin
!:ext ims
# member anim.im3 implies IncrediMail animation like in letter_fold.ima
>>0x2c search/92/c anim.im3\0 animation
!:ext ima
# other IncrediMail cab archive
>>0x2c default x
>>>0x2c search/116/c thumb ecard, image, notifier or skin
!:ext imf/imi/imn/ims
# http://file-extension.net/seeker/file_extension_ime
>>>0x2c default x emoticons or sound
!:ext ime/imw
# no Diagnostic, Packed and Go, Windows Desktop Gadget, IncrediMail
>0x2c default x
# look for 1st member name
>>(16.l+16) ubyte x
# https://en.wikipedia.org/wiki/SNP_file_format
>>>&-1 string/c _accrpt_.snp \b, Access report snapshot
!:mime application/msaccess
!:ext snp
# https://en.wikipedia.org/wiki/Microsoft_InfoPath
>>>&-1 string manifest.xsf \b, InfoPath Form Template
!:mime application/vnd.ms-cab-compressed
#!:mime application/vnd.ms-infopath
!:ext xsn
# https://www.cabextract.org.uk/wince_cab_format/
# extension of DOS 8+3 name with ".000" of 1st archive member name implies Windows CE installer
>>>&7 string =.000 \b, WinCE install
!:mime application/vnd.ms-cab-compressed
!:ext cab

# https://support.microsoft.com/kb/934307/en-US
# All inspected MSU contain a file with name WSUSSCAN.cab
# that is called "Windows Update meta data" by Microsoft
>>>&-1 string/c wsusscan.cab \b, Microsoft Standalone Update
!:mime application/vnd.ms-cab-compressed
!:ext msu
>>>&-1 default x
# look at point character of 1st archive member name for file name extension
>>>>&-1 search/255 .
# http://www.pptfaq.com/FAQ00164_What_is_a_PPZ_file-.htm
# PPZ were created using Pack & Go feature of PowerPoint versions 97 - 2002
# packs optional files, a PowerPoint presentation *.ppt with optional PLAYLIST.LST to CAB
>>>>>&0 string/c ppt\0 \b, PowerPoint Packed and Go
!:mime application/vnd.ms-powerpoint
#!:mime application/mspowerpoint
!:ext ppz
# https://msdn.microsoft.com/en-us/library/windows/desktop/bb773190(v=vs.85).aspx
# first member *.theme implies Windows 7 Theme Pack like in CommunityShowcaseAqua3.themepack
# or Windows 8 Desktop Theme Pack like in PanoramicGlaciers.deskthemepack
>>>>>&0 string/c theme \b, Windows
!:mime application/x-windows-themepack
# https://www.drewkeller.com/content/using-theme-both-windows-7-and-windows-8
# 1st member Panoramic.theme or Panoramas.theme implies Windows 8-10 Theme Pack
# with MTSM=RJSPBS in [MasterThemeSelector] inside *.theme
>>>>>>(16.l+16) string =Panoram 8
!:ext deskthemepack
>>>>>>(16.l+16) string !Panoram 7 or 8
!:ext themepack/deskthemepack
>>>>>>(16.l+16) ubyte x Theme Pack
>>>>>&0 default x
# look for null terminator of 1st member name
>>>>>>&0 search/255 \0
# 2nd member name WSUSSCAN.cab like in Microsoft-Windows-MediaFeaturePack-OOB-Package.msu
>>>>>>>&16 string/c wsusscan.cab \b, Microsoft Standalone Update
!:mime application/vnd.ms-cab-compressed
!:ext msu
>>>>>>>&16 default x
# archive with more than one file needs some output in version 5.32 to avoid error message like
# Magdir/msdos, 1138: Warning: Current entry does not yet have a description for adding a MIME type
# Magdir/msdos, 1139: Warning: Current entry does not yet have a description for adding a EXTENSION type
# file: could not find any valid magic files!
>>>>>>>>28 uleshort >1 \b, many
!:mime application/vnd.ms-cab-compressed
!:ext cab
# remaining archives with just one file
>>>>>>>>28 uleshort =1
# neither extra bytes nor cab chain implies Windows 2000,XP setup files in directory i386
>>>>>>>>>30 uleshort =0x0000 \b, Windows 2000/XP setup
# cut off last char of source extension and add underscore to generate extension
# TERMCAP._ ... FXSCOUNT.H_ ... L3CODECA.AC_ ... NPDRMV2.ZI_
!:mime application/vnd.ms-cab-compressed
!:ext _/?_/??_
# archive needs some output like "single" in version 5.32 to avoid error messages
>>>>>>>>>30 uleshort !0x0000 \b, single
!:mime application/vnd.ms-cab-compressed
!:ext cab
# TODO: additional extensions like
# .xtp InfoPath Template Part
# .lvf Logitech Video Effects Face Accessory
>8 ulelong x \b, %u bytes
>28 uleshort 1 \b, 1 file
>28 uleshort >1 \b, %u files
# Reserved fields, set to zero
#>4 belong !0 \b, reserved1 %x
#>12 belong !0 \b, reserved2 %x
# offset of the first CFFILE entry coffFiles: minimal 2Ch
>16 ulelong x \b, at 0x%x
>(16.l) use cab-file
# at least also 2nd member
>28 uleshort >1
>>(16.l+16) ubyte x
>>>&0 search/255 \0
# second member info
>>>>&0 use cab-file
#>20 belong !0 \b, reserved %x
# Cabinet file format version. Currently, versionMajor = 1 and versionMinor = 3
>24 ubeshort !0x0301 \b version 0x%x
# number of CFFOLDER entries
>26 uleshort >1 \b, %u cffolders
# cabinet file option indicators 1~PREVIOUS, 2~NEXT, 4~reserved fields
# only found for flags 0 1 2 3 4 not 7
>30 uleshort >0 \b, flags 0x%x
# Cabinet files have a 16-bit cabinet setID field that is designed for application use.
# default is zero, however, the -i option of cabarc can be used to set this field
>32 uleshort >0 \b, ID %u
# iCabinet is number of this cabinet file in a set, where 0 for the first cabinet
#>34 uleshort x \b, iCabinet %u
# add one for display because humans start numbering by 1 and also fit to name of disk szDisk*
>34 uleshort+1 x \b, number %u
>30 uleshort &0x0004 \b, extra bytes
# cbCFHeader optional size of per-cabinet reserved area 14h 1800h
>>36 uleshort >0 %u in head
# cbCFFolder is optional size of per-folder reserved area
>>38 ubyte >0 %u in folder
# cbCFData is optional size of per-datablock reserved area
>>39 ubyte >0 %u in data block
# optional per-cabinet reserved area abReserve[cbCFHeader]
>>36 uleshort >0
# 1st CFFOLDER after reserved area in header
>>>(36.s+40) use cab-folder
# no reserved area in header
>30 uleshort ^0x0004
# no previous and next cab archive
>>30 uleshort =0x0000
>>>36 use cab-folder
# only previous cab archive
>>30 uleshort =0x0001 \b, previous
>>>36 use cab-anchor
# only next cab archive
>>30 uleshort =0x0002 \b, next
>>>36 use cab-anchor
# previous+next cab archive
# can not use sub routine cab-anchor to display previous and next cabinet together
#>>>36 use cab-anchor
#>>>>&0 use cab-anchor
>>30 uleshort =0x0003 \b, previous
>>>36 string x %s
# optional name of previous disk szDisk*
>>>>&1 string x disk %s
>>>>>&1 string x \b, next %s
# optional name of next disk szDisk*
>>>>>>&1 string x disk %s
>>>>>>>&1 use cab-folder
# display filename and disk name of previous or next cabinet
0 name cab-anchor
# optional name of previous/next cabinet file szCabinet*[255]
>&0 string x %s
# optional name of previous/next disk szDisk*[255]
>>&1 string x disk %s
# display folder structure CFFOLDER information like compression of cabinet
0 name cab-folder
# offset of the CFDATA block in this folder
#>0 ulelong x \b, coffCabStart 0x%x
# number of CFDATA blocks in folder
>4 uleshort x \b, %u datablock
# plural s
>4 uleshort >1 \bs
# compression typeCompress: 0~None 1~MSZIP 0x1503~LZX:21 0x1003~LZX:16 0x0f03~LZX:15
>6 uleshort x \b, 0x%x compression
# optional per-folder reserved area
#>8 ubequad x \b, abReserve 0x%llx
# display member structure CFFILE information like member name of cabinet
0 name cab-file
# cbFile is uncompressed size of file in bytes
#>0 ulelong x \b, cbFile %u
# uoffFolderStart is uncompressed offset of file in folder
#>4 ulelong >0 \b, uoffFolderStart 0x%x
# iFolder is index into the CFFOLDER area. 0 indicates first folder in cabinet
# define ifoldCONTINUED_FROM_PREV (0xFFFD)
# define ifoldCONTINUED_TO_NEXT (0xFFFE)
# define ifoldCONTINUED_PREV_AND_NEXT (0xFFFF)
>8 uleshort >0 \b, iFolder 0x%x
# date stamp for file
#>10 uleshort x \b, date 0x%x
# time stamp for file
#>12 uleshort x \b, time 0x%x
# attribs is attribute flags for file
# define _A_RDONLY (0x01) file is read-only
# define _A_HIDDEN (0x02) file is hidden
# define _A_SYSTEM (0x04) file is a system file
# define _A_ARCH (0x20) file modified since last backup
# example http://sebastien.kirche.free.fr/pebuilder_plugins/depends.cab
# define _A_EXEC (0x40) run after extraction
# define _A_NAME_IS_UTF (0x80) szName[] contains UTF
# define UNKNOWN (0x0100) undocumented or accident
#>14 uleshort x \b, attribs 0x%x
>14 uleshort >0 +
>>14 uleshort &0x0001 \bR
>>14 uleshort &0x0002 \bH
>>14 uleshort &0x0004 \bS
>>14 uleshort &0x0020 \bA
>>14 uleshort &0x0040 \bX
>>14 uleshort &0x0080 \bUtf
# unknown 0x0100 flag found on one XP_CD:\I386\DRIVER.CAB
>>14 uleshort &0x0100 \b?
# szName is name of archive member
>16 string x "%s"
# next archive member name if more files
#>>&17 string >\0 \b, NEXT NAME %-.50s

# InstallShield Cabinet files
0 string/b ISc( InstallShield Cabinet archive data
>5 byte&0xf0 =0x60 version 6,
>5 byte&0xf0 !0x60 version 4/5,
>(12.l+40) lelong x %u files

# Windows CE package files
0 string/b MSCE\0\0\0\0 Microsoft WinCE install header
>20 lelong 0 \b, architecture-independent
>20 lelong 103 \b, Hitachi SH3
>20 lelong 104 \b, Hitachi SH4
>20 lelong 0xA11 \b, StrongARM
>20 lelong 4000 \b, MIPS R4000
>20 lelong 10003 \b, Hitachi SH3
>20 lelong 10004 \b, Hitachi SH3E
>20 lelong 10005 \b, Hitachi SH4
>20 lelong 70001 \b, ARM 7TDMI
>52 leshort 1 \b, 1 file
>52 leshort >1 \b, %u files
>56 leshort 1 \b, 1 registry entry
>56 leshort >1 \b, %u registry entries


# Windows Enhanced Metafile (EMF)
# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp
# for further information.
0 ulelong 1
>40 string \ EMF Windows Enhanced Metafile (EMF) image data
>>44 ulelong x version 0x%x


0 string/b \224\246\056 Microsoft Word Document
!:mime application/msword

# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
# Magic type for Dell's BIOS .hdr files
# Dell's .hdr
0 string/b $RBU
>23 string Dell %s system BIOS
>5 byte 2
>>48 byte x version %d.
>>49 byte x \b%d.
>>50 byte x \b%d
>5 byte <2
>>48 string x version %.3s

# Type: Microsoft Document Imaging Format (.mdi)
# URL: https://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format
# From: Daniele Sempione <scrows@oziosi.org>
# Too weak (EP)
#0 short 0x5045 Microsoft Document Imaging Format

# MS eBook format (.lit)
0 string/b ITOLITLS Microsoft Reader eBook Data
>8 lelong x \b, version %u
!:mime application/x-ms-reader

# Windows CE Binary Image Data Format
# From: Dr. Jesus <j@hug.gs>
0 string/b B000FF\n Windows Embedded CE binary image

# The second byte of these signatures is a file version; I don't know what,
# if anything, produced files with version numbers 0-2.
# From: John Elliott <johne@seasip.demon.co.uk>
0 string \xfc\x03\x00 Mallard BASIC program data (v1.11)
0 string \xfc\x04\x00 Mallard BASIC program data (v1.29+)
0 string \xfc\x03\x01 Mallard BASIC protected program data (v1.11)
0 string \xfc\x04\x01 Mallard BASIC protected program data (v1.29+)

0 string MIOPEN Mallard BASIC Jetsam data
0 string Jetsam0 Mallard BASIC Jetsam index data

# DOS backup 2.0 to 3.2

# backupid.@@@

# plausibility check for date
0x3 ushort >1979
>0x5 ubyte-1 <31
>>0x6 ubyte-1 <12
# actually 121 nul bytes
>>>0x7 string \0\0\0\0\0\0\0\0
>>>>0x1 ubyte x DOS 2.0 backup id file, sequence %d
!:ext @@@
>>>>0x0 ubyte 0xff \b, last disk

# backed up file

# skip some AppleWorks word like Tomahawk.Awp, WIN98SE-DE.vhd
# by looking for trailing nul of maximal file name string
0x52 ubyte 0
# test for flag byte: FFh~complete file, 00h~split file
# FFh -127 = -1 -127 = -128
# 00h -127 = 0 -127 = -127
>0 byte-127 <-126
# plausibility check for file name length
>>0x53 ubyte-1 <78
# looking for terminating nul of file name string
>>>(0x53.b+4) ubyte 0
# looking if last char of string is valid DOS file name
>>>>(0x53.b+3) ubyte >0x1F
# actually 44 nul bytes
# but sometimes garbage according to Ralf Quint. So can not be used as test
#>0x54 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
# first char of full file name is DOS (5Ch) or UNIX (2Fh) path separator
# only DOS variant found. UNIX variant according to V32SLASH.TXT in archive PD0315.EXE
>>>>>5 ubyte&0x8C 0x0C
# ./msdos (version 5.30) labeled the entry as
# "DOS 2.0 backed up file %s, split file, sequence %d" or
# "DOS 2.0 backed up file %s, complete file"
>>>>>>0 ubyte x DOS 2.0-3.2 backed up
#>>>>>>0 ubyte 0xff complete
>>>>>>0 ubyte 0
>>>>>>>1 uleshort x sequence %d of
# full file name with path but without drive letter and colon stored from 0x05 til 0x52
>>>>>>0x5 string x file %s
# backup name is original filename
#!:ext *
# magic/Magdir/msdos, 1169: Warning: EXTENSION type ` *' has bad char '*'
# file: line 1169: Bad magic entry ' *'
# after header original file content
>>>>>>128 indirect x \b;\040


# DOS backup 3.3 to 5.x

# CONTROL.nnn files
0 string \x8bBACKUP\x20
# actually 128 nul bytes
>0xa string \0\0\0\0\0\0\0\0
>>0x9 ubyte x DOS 3.3 backup control file, sequence %d
>>0x8a ubyte 0xff \b, last disk

# NB: The BACKUP.nnn files consist of the files backed up,
# concatenated.

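# Added example (not part of the file(1) magic database or its authors' code): a Python walk of the
# CFHEADER, CFFOLDER and CFFILE offsets that the Microsoft Cabinet rules earlier in this file test,
# so member names and the _A_EXEC attribute can be checked outside file(1).
# Assumptions: the names parse_cab, triage, compression_name and sample_cab are hypothetical, and
# the sample cabinet is constructed (header and file table only, no CFDATA blocks).

```python
# Added example: function names are hypothetical, the sample cabinet is constructed.
import struct

# CFFILE attribute bits, in the order the cab-file rules print them.
ATTRIB_BITS = [(0x01, "R"), (0x02, "H"), (0x04, "S"), (0x20, "A"), (0x40, "X"), (0x80, "Utf")]


def _cstr(data, off, limit=255):
    """Read a NUL-terminated name; like search/255, give up after 255 bytes."""
    end = data.find(b"\0", off, off + limit + 1)
    if end < 0:
        raise ValueError("unterminated string at 0x%x" % off)
    return data[off:end].decode("latin-1"), end + 1


def compression_name(type_compress):
    """typeCompress: 0~None, 1~MSZIP, 0x1503~LZX:21 (window bits in the high byte)."""
    kind = type_compress & 0x000F
    if kind == 3:
        return "LZX:%d" % (type_compress >> 8)
    return {0: "None", 1: "MSZIP"}.get(kind, "0x%x" % type_compress)


def parse_cab(data):
    """Walk CFHEADER, the first CFFOLDER and every CFFILE entry of a cabinet."""
    if len(data) < 44 or data[:8] != b"MSCF\0\0\0\0":
        raise ValueError("not a Microsoft Cabinet header")
    cb_cabinet, _res2, coff_files = struct.unpack_from("<III", data, 8)
    minor, major, n_folders, n_files, flags, set_id, i_cabinet = \
        struct.unpack_from("<BBHHHHH", data, 24)
    off = 36
    if flags & 0x0004:                       # cbCFHeader, cbCFFolder, cbCFData follow
        cb_header = struct.unpack_from("<H", data, 36)[0]
        off = 40 + cb_header                 # the magic's (36.s+40)
    anchors = {}
    for bit, key in ((0x0001, "previous"), (0x0002, "next")):
        if flags & bit:                      # szCabinet*, then szDisk*
            cab_name, off = _cstr(data, off)
            disk, off = _cstr(data, off)
            anchors[key] = (cab_name, disk)
    if off + 8 > len(data) or not 0x2C <= coff_files <= len(data) - 16:
        raise ValueError("folder or file table lies outside the data")
    _start, n_data, type_compress = struct.unpack_from("<IHH", data, off)
    members, pos = [], coff_files
    for _ in range(n_files):
        if pos + 16 > len(data):
            raise ValueError("CFFILE entry at 0x%x is truncated" % pos)
        size, _uoff, i_folder, _date, _time, attribs = struct.unpack_from("<IIHHHH", data, pos)
        name, pos = _cstr(data, pos + 16)    # szName starts 16 bytes into the entry
        members.append({"name": name, "size": size, "folder": i_folder, "attribs": attribs,
                        "attribs_text": "".join(t for b, t in ATTRIB_BITS if attribs & b)})
    return {"size": cb_cabinet, "coff_files": coff_files, "version": (major, minor),
            "folders": n_folders, "files": n_files, "flags": flags, "set_id": set_id,
            "number": i_cabinet + 1, "anchors": anchors, "datablocks": n_data,
            "compression": compression_name(type_compress), "members": members}


def triage(cab):
    """Defender-side notes built from the fields the magic rules test.

    Simplification: the magic searches raw bytes for ".diag"; this checks parsed names.
    """
    notes = []
    names = [m["name"].lower() for m in cab["members"]]
    if any(n.endswith((".diagcfg", ".diagpkg")) for n in names):
        notes.append("diagcab (Microsoft Support Diagnostic Tool package)")
    if "wsusscan.cab" in names[:2]:
        notes.append("msu (Microsoft Standalone Update)")
    notes += ["_A_EXEC set on %s" % m["name"] for m in cab["members"] if m["attribs"] & 0x40]
    return notes


def sample_cab(reserve=None):
    """Constructed cabinet head with two members; pass bytes to add a reserved area."""
    files = [(b"Setup.diagcfg", 120, 0x20), (b"helper.exe", 4096, 0x41)]
    table = b"".join(struct.pack("<IIHHHH", size, 0, 0, 0, 0, attr) + name + b"\0"
                     for name, size, attr in files)
    extra = b"" if reserve is None else struct.pack("<HBB", len(reserve), 0, 0) + reserve
    coff_files = 36 + len(extra) + 8
    total = coff_files + len(table)
    head = struct.pack("<4sIIIIIBBHHHHH", b"MSCF", 0, total, 0, coff_files, 0,
                       3, 1, 1, len(files), 0x0004 if extra else 0, 0, 0)
    folder = struct.pack("<IHH", total, 0, 1)    # no data blocks, MSZIP
    return head + extra + folder + table


if __name__ == "__main__":
    cab = parse_cab(sample_cab())
    for member in cab["members"]:
        print(member["name"], member["size"], "+" + member["attribs_text"])
    print(triage(cab))
```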