1 2#------------------------------------------------------------------------------ 3# $File: msdos,v 1.92 2014/03/14 18:47:29 christos Exp $ 4# msdos: file(1) magic for MS-DOS files 5# 6 7# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com) 8# updated by Joerg Jenderek at Oct 2008,Apr 2011 90 string/t @ 10>1 string/cW \ echo\ off DOS batch file text 11!:mime text/x-msdos-batch 12>1 string/cW echo\ off DOS batch file text 13!:mime text/x-msdos-batch 14>1 string/cW rem DOS batch file text 15!:mime text/x-msdos-batch 16>1 string/cW set\ DOS batch file text 17!:mime text/x-msdos-batch 18 19 20# OS/2 batch files are REXX. the second regex is a bit generic, oh well 21# the matched commands seem to be common in REXX and uncommon elsewhere 22100 search/0xffff rxfuncadd 23>100 regex/c =^[\ \t]{0,10}call[\ \t]{1,10}rxfunc OS/2 REXX batch file text 24100 search/0xffff say 25>100 regex/c =^[\ \t]{0,10}say\ ['"] OS/2 REXX batch file text 26 270 leshort 0x14c MS Windows COFF Intel 80386 object file 28#>4 ledate x stamp %s 290 leshort 0x166 MS Windows COFF MIPS R4000 object file 30#>4 ledate x stamp %s 310 leshort 0x184 MS Windows COFF Alpha object file 32#>4 ledate x stamp %s 330 leshort 0x268 MS Windows COFF Motorola 68000 object file 34#>4 ledate x stamp %s 350 leshort 0x1f0 MS Windows COFF PowerPC object file 36#>4 ledate x stamp %s 370 leshort 0x290 MS Windows COFF PA-RISC object file 38#>4 ledate x stamp %s 39 40# Tests for various EXE types. 41# 42# Many of the compressed formats were extraced from IDARC 1.23 source code. 43# 440 string/b MZ 45# All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file. 46>0x18 leshort <0x40 MS-DOS executable 47!:mime application/x-dosexec 48# These traditional tests usually work but not always. When test quality support is 49# implemented these can be turned on. 50#>>0x18 leshort 0x1c (Borland compiler) 51#>>0x18 leshort 0x1e (MS compiler) 52 53# If the relocation table is 0x40 or more bytes into the file, it's definitely 54# not a DOS EXE. 55>0x18 leshort >0x3f 56 57# Maybe it's a PE? 58>>(0x3c.l) string PE\0\0 PE 59>>>(0x3c.l+24) leshort 0x010b \b32 executable 60>>>(0x3c.l+24) leshort 0x020b \b32+ executable 61>>>(0x3c.l+24) leshort 0x0107 ROM image 62>>>(0x3c.l+24) default x Unknown PE signature 63>>>>&0 leshort x 0x%x 64>>>(0x3c.l+22) leshort&0x2000 >0 (DLL) 65>>>(0x3c.l+92) leshort 1 (native) 66>>>(0x3c.l+92) leshort 2 (GUI) 67>>>(0x3c.l+92) leshort 3 (console) 68>>>(0x3c.l+92) leshort 7 (POSIX) 69>>>(0x3c.l+92) leshort 9 (Windows CE) 70>>>(0x3c.l+92) leshort 10 (EFI application) 71>>>(0x3c.l+92) leshort 11 (EFI boot service driver) 72>>>(0x3c.l+92) leshort 12 (EFI runtime driver) 73>>>(0x3c.l+92) leshort 13 (EFI ROM) 74>>>(0x3c.l+92) leshort 14 (XBOX) 75>>>(0x3c.l+92) leshort 15 (Windows boot application) 76>>>(0x3c.l+92) default x (Unknown subsystem 77>>>>&0 leshort x 0x%x) 78>>>(0x3c.l+4) leshort 0x14c Intel 80386 79>>>(0x3c.l+4) leshort 0x166 MIPS R4000 80>>>(0x3c.l+4) leshort 0x168 MIPS R10000 81>>>(0x3c.l+4) leshort 0x184 Alpha 82>>>(0x3c.l+4) leshort 0x1a2 Hitachi SH3 83>>>(0x3c.l+4) leshort 0x1a6 Hitachi SH4 84>>>(0x3c.l+4) leshort 0x1c0 ARM 85>>>(0x3c.l+4) leshort 0x1c2 ARM Thumb 86>>>(0x3c.l+4) leshort 0x1c4 ARMv7 Thumb 87>>>(0x3c.l+4) leshort 0x1f0 PowerPC 88>>>(0x3c.l+4) leshort 0x200 Intel Itanium 89>>>(0x3c.l+4) leshort 0x266 MIPS16 90>>>(0x3c.l+4) leshort 0x268 Motorola 68000 91>>>(0x3c.l+4) leshort 0x290 PA-RISC 92>>>(0x3c.l+4) leshort 0x366 MIPSIV 93>>>(0x3c.l+4) leshort 0x466 MIPS16 with FPU 94>>>(0x3c.l+4) leshort 0xebc EFI byte code 95>>>(0x3c.l+4) leshort 0x8664 x86-64 96>>>(0x3c.l+4) leshort 0xc0ee MSIL 97>>>(0x3c.l+4) default x Unknown processor type 98>>>>&0 leshort x 0x%x 99>>>(0x3c.l+22) leshort&0x0200 >0 (stripped to external PDB) 100>>>(0x3c.l+22) leshort&0x1000 >0 system file 101>>>(0x3c.l+24) leshort 0x010b 102>>>>(0x3c.l+232) lelong >0 Mono/.Net assembly 103>>>(0x3c.l+24) leshort 0x020b 104>>>>(0x3c.l+248) lelong >0 Mono/.Net assembly 105 106# hooray, there's a DOS extender using the PE format, with a valid PE 107# executable inside (which just prints a message and exits if run in win) 108>>>(8.s*16) string 32STUB \b, 32rtm DOS extender 109>>>(8.s*16) string !32STUB \b, for MS Windows 110>>>(0x3c.l+0xf8) string UPX0 \b, UPX compressed 111>>>(0x3c.l+0xf8) search/0x140 PEC2 \b, PECompact2 compressed 112>>>(0x3c.l+0xf8) search/0x140 UPX2 113>>>>(&0x10.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip) 114>>>(0x3c.l+0xf8) search/0x140 .idata 115>>>>(&0xe.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip) 116>>>>(&0xe.l+(-4)) string ZZ0 \b, ZZip self-extracting archive 117>>>>(&0xe.l+(-4)) string ZZ1 \b, ZZip self-extracting archive 118>>>(0x3c.l+0xf8) search/0x140 .rsrc 119>>>>(&0x0f.l+(-4)) string a\\\4\5 \b, WinHKI self-extracting archive 120>>>>(&0x0f.l+(-4)) string Rar! \b, RAR self-extracting archive 121>>>>(&0x0f.l+(-4)) search/0x3000 MSCF \b, InstallShield self-extracting archive 122>>>>(&0x0f.l+(-4)) search/32 Nullsoft \b, Nullsoft Installer self-extracting archive 123>>>(0x3c.l+0xf8) search/0x140 .data 124>>>>(&0x0f.l) string WEXTRACT \b, MS CAB-Installer self-extracting archive 125>>>(0x3c.l+0xf8) search/0x140 .petite\0 \b, Petite compressed 126>>>>(0x3c.l+0xf7) byte x 127>>>>>(&0x104.l+(-4)) string =!sfx! \b, ACE self-extracting archive 128>>>(0x3c.l+0xf8) search/0x140 .WISE \b, WISE installer self-extracting archive 129>>>(0x3c.l+0xf8) search/0x140 .dz\0\0\0 \b, Dzip self-extracting archive 130>>>&(0x3c.l+0xf8) search/0x100 _winzip_ \b, ZIP self-extracting archive (WinZip) 131>>>&(0x3c.l+0xf8) search/0x100 SharedD \b, Microsoft Installer self-extracting archive 132>>>0x30 string Inno \b, InnoSetup self-extracting archive 133 134# Hmm, not a PE but the relocation table is too high for a traditional DOS exe, 135# must be one of the unusual subformats. 136>>(0x3c.l) string !PE\0\0 MS-DOS executable 137 138>>(0x3c.l) string NE \b, NE 139>>>(0x3c.l+0x36) byte 1 for OS/2 1.x 140>>>(0x3c.l+0x36) byte 2 for MS Windows 3.x 141>>>(0x3c.l+0x36) byte 3 for MS-DOS 142>>>(0x3c.l+0x36) byte 4 for Windows 386 143>>>(0x3c.l+0x36) byte 5 for Borland Operating System Services 144>>>(0x3c.l+0x36) default x 145>>>>(0x3c.l+0x36) byte x (unknown OS %x) 146>>>(0x3c.l+0x36) byte 0x81 for MS-DOS, Phar Lap DOS extender 147>>>(0x3c.l+0x0c) leshort&0x8003 0x8002 (DLL) 148>>>(0x3c.l+0x0c) leshort&0x8003 0x8001 (driver) 149>>>&(&0x24.s-1) string ARJSFX \b, ARJ self-extracting archive 150>>>(0x3c.l+0x70) search/0x80 WinZip(R)\ Self-Extractor \b, ZIP self-extracting archive (WinZip) 151 152>>(0x3c.l) string LX\0\0 \b, LX 153>>>(0x3c.l+0x0a) leshort <1 (unknown OS) 154>>>(0x3c.l+0x0a) leshort 1 for OS/2 155>>>(0x3c.l+0x0a) leshort 2 for MS Windows 156>>>(0x3c.l+0x0a) leshort 3 for DOS 157>>>(0x3c.l+0x0a) leshort >3 (unknown OS) 158>>>(0x3c.l+0x10) lelong&0x28000 =0x8000 (DLL) 159>>>(0x3c.l+0x10) lelong&0x20000 >0 (device driver) 160>>>(0x3c.l+0x10) lelong&0x300 0x300 (GUI) 161>>>(0x3c.l+0x10) lelong&0x28300 <0x300 (console) 162>>>(0x3c.l+0x08) leshort 1 i80286 163>>>(0x3c.l+0x08) leshort 2 i80386 164>>>(0x3c.l+0x08) leshort 3 i80486 165>>>(8.s*16) string emx \b, emx 166>>>>&1 string x %s 167>>>&(&0x54.l-3) string arjsfx \b, ARJ self-extracting archive 168 169# MS Windows system file, supposedly a collection of LE executables 170>>(0x3c.l) string W3 \b, W3 for MS Windows 171 172>>(0x3c.l) string LE\0\0 \b, LE executable 173>>>(0x3c.l+0x0a) leshort 1 174# some DOS extenders use LE files with OS/2 header 175>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender 176>>>>0x240 search/0x200 WATCOM\ C/C++ for MS-DOS, DOS4GW DOS extender 177>>>>0x440 search/0x100 CauseWay\ DOS\ Extender for MS-DOS, CauseWay DOS extender 178>>>>0x40 search/0x40 PMODE/W for MS-DOS, PMODE/W DOS extender 179>>>>0x40 search/0x40 STUB/32A for MS-DOS, DOS/32A DOS extender (stub) 180>>>>0x40 search/0x80 STUB/32C for MS-DOS, DOS/32A DOS extender (configurable stub) 181>>>>0x40 search/0x80 DOS/32A for MS-DOS, DOS/32A DOS extender (embedded) 182# this is a wild guess; hopefully it is a specific signature 183>>>>&0x24 lelong <0x50 184>>>>>(&0x4c.l) string \xfc\xb8WATCOM 185>>>>>>&0 search/8 3\xdbf\xb9 \b, 32Lite compressed 186# another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP 187#>>>>(0x3c.l+0x1c) lelong >0x10000 for OS/2 188# fails with DOS-Extenders. 189>>>(0x3c.l+0x0a) leshort 2 for MS Windows 190>>>(0x3c.l+0x0a) leshort 3 for DOS 191>>>(0x3c.l+0x0a) leshort 4 for MS Windows (VxD) 192>>>(&0x7c.l+0x26) string UPX \b, UPX compressed 193>>>&(&0x54.l-3) string UNACE \b, ACE self-extracting archive 194 195# looks like ASCII, probably some embedded copyright message. 196# and definitely not NE/LE/LX/PE 197>>0x3c lelong >0x20000000 198>>>(4.s*512) leshort !0x014c \b, MZ for MS-DOS 199# header data too small for extended executable 200>2 long !0 201>>0x18 leshort <0x40 202>>>(4.s*512) leshort !0x014c 203 204>>>>&(2.s-514) string !LE 205>>>>>&-2 string !BW \b, MZ for MS-DOS 206>>>>&(2.s-514) string LE \b, LE 207>>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender 208# educated guess since indirection is still not capable enough for complex offset 209# calculations (next embedded executable would be at &(&2*512+&0-2) 210# I suspect there are only LE executables in these multi-exe files 211>>>>&(2.s-514) string BW 212>>>>>0x240 search/0x100 DOS/4G \b, LE for MS-DOS, DOS4GW DOS extender (embedded) 213>>>>>0x240 search/0x100 !DOS/4G \b, BW collection for MS-DOS 214 215# This sequence skips to the first COFF segment, usually .text 216>(4.s*512) leshort 0x014c \b, COFF 217>>(8.s*16) string go32stub for MS-DOS, DJGPP go32 DOS extender 218>>(8.s*16) string emx 219>>>&1 string x for DOS, Win or OS/2, emx %s 220>>&(&0x42.l-3) byte x 221>>>&0x26 string UPX \b, UPX compressed 222# and yet another guess: small .text, and after large .data is unusal, could be 32lite 223>>&0x2c search/0xa0 .text 224>>>&0x0b lelong <0x2000 225>>>>&0 lelong >0x6000 \b, 32lite compressed 226 227>(8.s*16) string $WdX \b, WDos/X DOS extender 228 229# By now an executable type should have been printed out. The executable 230# may be a self-uncompressing archive, so look for evidence of that and 231# print it out. 232# 233# Some signatures below from Greg Roelofs, newt@uchicago.edu. 234# 235>0x35 string \x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05 \b, aPack compressed 236>0xe7 string LH/2\ Self-Extract \b, %s 237>0x1c string UC2X \b, UCEXE compressed 238>0x1c string WWP\ \b, WWPACK compressed 239>0x1c string RJSX \b, ARJ self-extracting archive 240>0x1c string diet \b, diet compressed 241>0x1c string LZ09 \b, LZEXE v0.90 compressed 242>0x1c string LZ91 \b, LZEXE v0.91 compressed 243>0x1c string tz \b, TinyProg compressed 244>0x1e string Copyright\ 1989-1990\ PKWARE\ Inc. Self-extracting PKZIP archive 245!:mime application/zip 246# Yes, this really is "Copr", not "Corp." 247>0x1e string PKLITE\ Copr. Self-extracting PKZIP archive 248!:mime application/zip 249# winarj stores a message in the stub instead of the sig in the MZ header 250>0x20 search/0xe0 aRJsfX \b, ARJ self-extracting archive 251>0x20 string AIN 252>>0x23 string 2 \b, AIN 2.x compressed 253>>0x23 string <2 \b, AIN 1.x compressed 254>>0x23 string >2 \b, AIN 1.x compressed 255>0x24 string LHa's\ SFX \b, LHa self-extracting archive 256!:mime application/x-lha 257>0x24 string LHA's\ SFX \b, LHa self-extracting archive 258!:mime application/x-lha 259>0x24 string \ $ARX \b, ARX self-extracting archive 260>0x24 string \ $LHarc \b, LHarc self-extracting archive 261>0x20 string SFX\ by\ LARC \b, LARC self-extracting archive 262>0x40 string aPKG \b, aPackage self-extracting archive 263>0x64 string W\ Collis\0\0 \b, Compack compressed 264>0x7a string Windows\ self-extracting\ ZIP \b, ZIP self-extracting archive 265>>&0xf4 search/0x140 \x0\x40\x1\x0 266>>>(&0.l+(4)) string MSCF \b, WinHKI CAB self-extracting archive 267>1638 string -lh5- \b, LHa self-extracting archive v2.13S 268>0x17888 string Rar! \b, RAR self-extracting archive 269 270# Skip to the end of the EXE. This will usually work fine in the PE case 271# because the MZ image is hardcoded into the toolchain and almost certainly 272# won't match any of these signatures. 273>(4.s*512) long x 274>>&(2.s-517) byte x 275>>>&0 string PK\3\4 \b, ZIP self-extracting archive 276>>>&0 string Rar! \b, RAR self-extracting archive 277>>>&0 string =!\x11 \b, AIN 2.x self-extracting archive 278>>>&0 string =!\x12 \b, AIN 2.x self-extracting archive 279>>>&0 string =!\x17 \b, AIN 1.x self-extracting archive 280>>>&0 string =!\x18 \b, AIN 1.x self-extracting archive 281>>>&7 search/400 **ACE** \b, ACE self-extracting archive 282>>>&0 search/0x480 UC2SFX\ Header \b, UC2 self-extracting archive 283 284# a few unknown ZIP sfxes, no idea if they are needed or if they are 285# already captured by the generic patterns above 286>(8.s*16) search/0x20 PKSFX \b, ZIP self-extracting archive (PKZIP) 287# TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extracting archive 288# 289 290# TELVOX Teleinformatica CODEC self-extractor for OS/2: 291>49801 string \x79\xff\x80\xff\x76\xff \b, CODEC archive v3.21 292>>49824 leshort =1 \b, 1 file 293>>49824 leshort >1 \b, %u files 294 295# added by Joerg Jenderek of http://www.freedos.org/software/?prog=kc 296# and http://www.freedos.org/software/?prog=kpdos 297# for FreeDOS files like KEYBOARD.SYS, KEYBRD2.SYS, KEYBRD3.SYS, *.KBD 2980 string/b KCF FreeDOS KEYBoard Layout collection 299# only version=0x100 found 300>3 uleshort x \b, version 0x%x 301# length of string containing author,info and special characters 302>6 ubyte >0 303#>>6 pstring x \b, name=%s 304>>7 string >\0 \b, author=%-.14s 305>>7 search/254 \xff \b, info= 306#>>>&0 string x \b%-s 307>>>&0 string x \b%-.15s 308# for FreeDOS *.KL files 3090 string/b KLF FreeDOS KEYBoard Layout file 310# only version=0x100 or 0x101 found 311>3 uleshort x \b, version 0x%x 312# stringlength 313>5 ubyte >0 314>>8 string x \b, name=%-.2s 3150 string \xffKEYB\ \ \ \0\0\0\0 316>12 string \0\0\0\0`\004\360 MS-DOS KEYBoard Layout file 317 318# .COM formats (Daniel Quinlan, quinlan@yggdrasil.com) 319# Uncommenting only the first two lines will cover about 2/3 of COM files, 320# but it isn't feasible to match all COM files since there must be at least 321# two dozen different one-byte "magics". 322# test too generic ? 3230 byte 0xe9 DOS executable (COM) 324>0x1FE leshort 0xAA55 \b, boot code 325>6 string SFX\ of\ LHarc (%s) 326 327# DOS device driver updated by Joerg Jenderek at May 2011 328# http://maben.homeip.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009 3290 ulequad&0x07a0ffffffff 0xffffffff DOS executable ( 330>40 search/7 UPX! \bUPX compressed 331# DOS device driver attributes 332>4 uleshort&0x8000 0x0000 \bblock device driver 333# character device 334>4 uleshort&0x8000 0x8000 \b 335>>4 uleshort&0x0008 0x0008 \bclock 336# fast video output by int 29h 337>>4 uleshort&0x0010 0x0010 \bfast 338# standard input/output device 339>>4 uleshort&0x0003 >0 \bstandard 340>>>4 uleshort&0x0001 0x0001 \binput 341>>>4 uleshort&0x0003 0x0003 \b/ 342>>>4 uleshort&0x0002 0x0002 \boutput 343>>4 uleshort&0x8000 0x8000 \bcharacter device driver 344>0 ubyte x 345# upx compressed device driver has garbage instead of real in name field of header 346>>40 search/7 UPX! 347>>40 default x 348# leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped 349>>>12 ubyte >0x27 \b 350>>>>10 ubyte >0x20 351>>>>>10 ubyte !0x2E 352>>>>>>10 ubyte !0x2A \b%c 353>>>>11 ubyte >0x20 354>>>>>11 ubyte !0x2E \b%c 355>>>>12 ubyte >0x20 356>>>>>12 ubyte !0x39 357>>>>>>12 ubyte !0x2E \b%c 358>>>13 ubyte >0x20 359>>>>13 ubyte !0x2E \b%c 360>>>>14 ubyte >0x20 361>>>>>14 ubyte !0x2E \b%c 362>>>>15 ubyte >0x20 363>>>>>15 ubyte !0x2E \b%c 364>>>>16 ubyte >0x20 365>>>>>16 ubyte !0x2E 366>>>>>>16 ubyte <0xCB \b%c 367>>>>17 ubyte >0x20 368>>>>>17 ubyte !0x2E 369>>>>>>17 ubyte <0x90 \b%c 370# some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field 371>>>4 uleshort&0x8000 0x8000 372>>>>12 ubyte <0x2F 373# they have their real name at offset 22 374>>>>>22 string >\0 \b%-.5s 375>4 uleshort&0x8000 0x0000 376# 32 bit sector adressing ( > 32 MB) for block devices 377>>4 uleshort&0x0002 0x0002 \b,32-bit sector- 378# support by driver functions 13h, 17h, 18h 379>4 uleshort&0x0040 0x0040 \b,IOCTL- 380# open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh 381>4 uleshort&0x0800 0x0800 \b,close media- 382# output until busy support by int 10h for character device driver 383>4 uleshort&0x8000 0x8000 384>>4 uleshort&0x2000 0x2000 \b,until busy- 385# direct read/write support by driver functions 03h,0Ch 386>4 uleshort&0x4000 0x4000 \b,control strings- 387>4 uleshort&0x8000 0x8000 388>>4 uleshort&0x6840 >0 \bsupport 389>4 uleshort&0x8000 0x0000 390>>4 uleshort&0x4842 >0 \bsupport 391>0 ubyte x \b) 392# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header 393# Too weak, matches files that only contain 0's 394#0 ulequad&0x000007a0ffffffed 0x0000000000000000 DOS-executable ( 395#>4 uleshort&0x8000 0x8000 \bcharacter device driver 396#>>10 string x %-.8s 397#>4 uleshort&0x4000 0x4000 \b,control strings-support) 398 399# test too generic ? 4000 byte 0x8c DOS executable (COM) 401# updated by Joerg Jenderek at Oct 2008 4020 ulelong 0xffff10eb DR-DOS executable (COM) 403# byte 0xeb conflicts with "sequent" magic leshort 0xn2eb 4040 ubeshort&0xeb8d >0xeb00 405# DR-DOS STACKER.COM SCREATE.SYS missed 406>0 byte 0xeb 407>>0x1FE leshort 0xAA55 DOS executable (COM), boot code 408>>85 string UPX DOS executable (COM), UPX compressed 409>>4 string \ $ARX DOS executable (COM), ARX self-extracting archive 410>>4 string \ $LHarc DOS executable (COM), LHarc self-extracting archive 411>>0x20e string SFX\ by\ LARC DOS executable (COM), LARC self-extracting archive 412# updated by Joerg Jenderek at Oct 2008 413#0 byte 0xb8 COM executable 4140 uleshort&0x80ff 0x00b8 415# modified by Joerg Jenderek 416>1 lelong !0x21cd4cff COM executable for DOS 417# http://syslinux.zytor.com/comboot.php 418# (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode 419# start with assembler instructions mov eax,21cd4cffh 4200 uleshort&0xc0ff 0xc0b8 421>1 lelong 0x21cd4cff COM executable (32-bit COMBOOT) 422# syslinux:doc/comboot.txt 423# A COM32R program must start with the byte sequence B8 FE 4C CD 21 (mov 424# eax,21cd4cfeh) as a magic number. 4250 string/b \xb8\xfe\x4c\xcd\x21 COM executable (COM32R) 426# start with assembler instructions mov eax,21cd4cfeh 4270 uleshort&0xc0ff 0xc0b8 428>1 lelong 0x21cd4cfe COM executable (32-bit COMBOOT, relocatable) 4290 string/b \x81\xfc 430>4 string \x77\x02\xcd\x20\xb9 431>>36 string UPX! FREE-DOS executable (COM), UPX compressed 432252 string Must\ have\ DOS\ version DR-DOS executable (COM) 433# added by Joerg Jenderek at Oct 2008 434# GRR search is not working 435#34 search/2 UPX! FREE-DOS executable (COM), UPX compressed 43634 string UPX! FREE-DOS executable (COM), UPX compressed 43735 string UPX! FREE-DOS executable (COM), UPX compressed 438# GRR search is not working 439#2 search/28 \xcd\x21 COM executable for MS-DOS 440#WHICHFAT.cOM 4412 string \xcd\x21 COM executable for DOS 442#DELTREE.cOM DELTREE2.cOM 4434 string \xcd\x21 COM executable for DOS 444#IFMEMDSK.cOM ASSIGN.cOM COMP.cOM 4455 string \xcd\x21 COM executable for DOS 446#DELTMP.COm HASFAT32.cOM 4477 string \xcd\x21 448>0 byte !0xb8 COM executable for DOS 449#COMP.cOM MORE.COm 45010 string \xcd\x21 451>5 string !\xcd\x21 COM executable for DOS 452#comecho.com 45313 string \xcd\x21 COM executable for DOS 454#HELP.COm EDIT.coM 45518 string \xcd\x21 COM executable for MS-DOS 456#NWRPLTRM.COm 45723 string \xcd\x21 COM executable for MS-DOS 458#LOADFIX.cOm LOADFIX.cOm 45930 string \xcd\x21 COM executable for MS-DOS 460#syslinux.com 3.11 46170 string \xcd\x21 COM executable for DOS 462# many compressed/converted COMs start with a copy loop instead of a jump 4630x6 search/0xa \xfc\x57\xf3\xa5\xc3 COM executable for MS-DOS 4640x6 search/0xa \xfc\x57\xf3\xa4\xc3 COM executable for DOS 465>0x18 search/0x10 \x50\xa4\xff\xd5\x73 \b, aPack compressed 4660x3c string W\ Collis\0\0 COM executable for MS-DOS, Compack compressed 467# FIXME: missing diet .com compression 468 469# miscellaneous formats 4700 string/b LZ MS-DOS executable (built-in) 471#0 byte 0xf0 MS-DOS program library data 472# 473 474# AAF files: 475# <stuartc@rd.bbc.co.uk> Stuart Cunningham 4760 string/b \320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377 AAF legacy file using MS Structured Storage 477>30 byte 9 (512B sectors) 478>30 byte 12 (4kB sectors) 4790 string/b \320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001 AAF file using MS Structured Storage 480>30 byte 9 (512B sectors) 481>30 byte 12 (4kB sectors) 482 483# Popular applications 4842080 string Microsoft\ Word\ 6.0\ Document %s 485!:mime application/msword 4862080 string Documento\ Microsoft\ Word\ 6 Spanish Microsoft Word 6 document data 487!:mime application/msword 488# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Word) 4892112 string MSWordDoc Microsoft Word document data 490!:mime application/msword 491# 4920 belong 0x31be0000 Microsoft Word Document 493!:mime application/msword 494# 4950 string/b PO^Q` Microsoft Word 6.0 Document 496!:mime application/msword 497# 4980 string/b \376\067\0\043 Microsoft Office Document 499!:mime application/msword 5000 string/b \333\245-\0\0\0 Microsoft Office Document 501!:mime application/msword 502512 string/b \354\245\301 Microsoft Word Document 503!:mime application/msword 504 505# 5060 string/b \xDB\xA5\x2D\x00 Microsoft WinWord 2.0 Document 507!:mime application/msword 508# 5092080 string Microsoft\ Excel\ 5.0\ Worksheet %s 510!:mime application/vnd.ms-excel 511# 5120 string/b \xDB\xA5\x2D\x00 Microsoft WinWord 2.0 Document 513!:mime application/msword 514 5152080 string Foglio\ di\ lavoro\ Microsoft\ Exce %s 516!:mime application/vnd.ms-excel 517# 518# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Excel) 5192114 string Biff5 Microsoft Excel 5.0 Worksheet 520!:mime application/vnd.ms-excel 521# Italian MS-Excel 5222121 string Biff5 Microsoft Excel 5.0 Worksheet 523!:mime application/vnd.ms-excel 5240 string/b \x09\x04\x06\x00\x00\x00\x10\x00 Microsoft Excel Worksheet 525!:mime application/vnd.ms-excel 526# 5270 belong 0x00001a00 Lotus 1-2-3 528!:mime application/x-123 529>4 belong 0x00100400 wk3 document data 530>4 belong 0x02100400 wk4 document data 531>4 belong 0x07800100 fm3 or fmb document data 532>4 belong 0x07800000 fm3 or fmb document data 533# 5340 belong 0x00000200 Lotus 1-2-3 535!:mime application/x-123 536>4 belong 0x06040600 wk1 document data 537>4 belong 0x06800200 fmt document data 5380 string/b WordPro\0 Lotus WordPro 539!:mime application/vnd.lotus-wordpro 5400 string/b WordPro\r\373 Lotus WordPro 541!:mime application/vnd.lotus-wordpro 542 543 544# Summary: Script used by InstallScield to uninstall applications 545# Extension: .isu 546# Submitted by: unknown 547# Modified by (1): Abel Cheung <abelcheung@gmail.com> (replace useless entry) 5480 string \x71\xa8\x00\x00\x01\x02 549>12 string Stirling\ Technologies, InstallShield Uninstall Script 550 551# Winamp .avs 552#0 string Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media player 5530 string/b Nullsoft\ AVS\ Preset\ Winamp plug in 554 555# Windows Metafont .WMF 5560 string/b \327\315\306\232 ms-windows metafont .wmf 5570 string/b \002\000\011\000 ms-windows metafont .wmf 5580 string/b \001\000\011\000 ms-windows metafont .wmf 559 560#tz3 files whatever that is (MS Works files) 5610 string/b \003\001\001\004\070\001\000\000 tz3 ms-works file 5620 string/b \003\002\001\004\070\001\000\000 tz3 ms-works file 5630 string/b \003\003\001\004\070\001\000\000 tz3 ms-works file 564 565# PGP sig files .sig 566#0 string \211\000\077\003\005\000\063\237\127 065 to \027\266\151\064\005\045\101\233\021\002 PGP sig 5670 string \211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002 PGP sig 5680 string \211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002 PGP sig 5690 string \211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002 PGP sig 5700 string \211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002 PGP sig 5710 string \211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002 PGP sig 5720 string \211\000\225\003\005\000\062\122\207\304\100\345\042 PGP sig 573 574# windows zips files .dmf 5750 string/b MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000 MS Windows special zipped file 576 577 578#ico files 5790 string/b \102\101\050\000\000\000\056\000\000\000\000\000\000\000 Icon for MS Windows 580 581# Windows icons 5820 name ico-dir 583# not entirely accurate, the number of icons is part of the header 584>0 byte 1 - 1 icon 585>0 ubyte >1 - %d icons 586>2 byte 0 \b, 256x 587>2 byte !0 \b, %dx 588>3 byte 0 \b256 589>3 byte !0 \b%d 590>4 ubyte !0 \b, %d colors 591 5920 belong 0x00000100 593 594>9 byte 0 595>>0 byte x MS Windows icon resource 596!:mime image/x-icon 597>>4 use ico-dir 598>9 ubyte 0xff 599>>0 byte x MS Windows icon resource 600!:mime image/x-icon 601>>4 use ico-dir 602 603# Windows non-animated cursors 6040 name cur-dir 605# not entirely accurate, the number of icons is part of the header 606>0 byte 1 - 1 icon 607>0 ubyte >1 - %d icons 608>2 byte 0 \b, 256x 609>2 byte !0 \b, %dx 610>3 byte 0 \b256 611>3 byte !0 \b%d 612>6 uleshort x \b, hotspot @%dx 613>8 uleshort x \b%d 614 6150 belong 0x00000200 616>9 byte 0 617>>0 byte x MS Windows cursor resource 618!:mime image/x-cur 619>>4 use cur-dir 620>9 ubyte 0xff 621>>0 byte x MS Windows cursor resource 622!:mime image/x-cur 623>>4 use cur-dir 624 625# .chr files 6260 string/b PK\010\010BGI Borland font 627>4 string >\0 %s 628# then there is a copyright notice 629 630 631# .bgi files 6320 string/b pk\010\010BGI Borland device 633>4 string >\0 %s 634# then there is a copyright notice 635 636 637# Windows Recycle Bin record file (named INFO2) 638# By Abel Cheung (abelcheung AT gmail dot com) 639# Version 4 always has 280 bytes (0x118) per record, version 5 has 800 bytes 640# Since Vista uses another structure, INFO2 structure probably won't change 641# anymore. Detailed analysis in: 642# http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf 6430 lelong 0x00000004 644>12 lelong 0x00000118 Windows Recycle Bin INFO2 file (Win98 or below) 645 6460 lelong 0x00000005 647>12 lelong 0x00000320 Windows Recycle Bin INFO2 file (Win2k - WinXP) 648 649 650##### put in Either Magic/font or Magic/news 651# Acroread or something files wrongly identified as G3 .pfm 652# these have the form \000 \001 any? \002 \000 \000 653# or \000 \001 any? \022 \000 \000 6540 belong&0xffff00ff 0x00010012 PFM data 655>4 string \000\000 656>6 string >\060 - %s 657 6580 belong&0xffff00ff 0x00010002 PFM data 659>4 string \000\000 660>6 string >\060 - %s 661#0 string \000\001 pfm? 662#>3 string \022\000\000Copyright\ yes 663#>3 string \002\000\000Copyright\ yes 664#>3 string >\0 oops, not a font file. Cancel that. 665#it clashes with ttf files so put it lower down. 666 667# From Doug Lee via a FreeBSD pr 6689 string GERBILDOC First Choice document 6699 string GERBILDB First Choice database 6709 string GERBILCLIP First Choice database 6710 string GERBIL First Choice device file 6729 string RABBITGRAPH RabbitGraph file 6730 string DCU1 Borland Delphi .DCU file 6740 string =!<spell> MKS Spell hash list (old format) 6750 string =!<spell2> MKS Spell hash list 676# Too simple - MPi 677#0 string AH Halo(TM) bitmapped font file 6780 lelong 0x08086b70 TurboC BGI file 6790 lelong 0x08084b50 TurboC Font file 680 681# Debian#712046: The magic below identifies "Delphi compiled form data". 682# An additional source of information is available at: 683# http://www.woodmann.com/fravia/dafix_t1.htm 6840 string TPF0 685>4 pstring >\0 Delphi compiled form '%s' 686 687# tests for DBase files moved, updated and merged to database 688 6890 string PMCC Windows 3.x .GRP file 6901 string RDC-meg MegaDots 691>8 byte >0x2F version %c 692>9 byte >0x2F \b.%c file 6930 lelong 0x4C 694>4 lelong 0x00021401 Windows shortcut file 695 696# .PIF files added by Joerg Jenderek from http://smsoft.ru/en/pifdoc.htm 697# only for windows versions equal or greater 3.0 6980x171 string MICROSOFT\ PIFEX\0 Windows Program Information File 699!:mime application/x-dosexec 700#>2 string >\0 \b, Title:%.30s 701>0x24 string >\0 \b for %.63s 702>0x65 string >\0 \b, directory=%.64s 703>0xA5 string >\0 \b, parameters=%.64s 704#>0x181 leshort x \b, offset %x 705#>0x183 leshort x \b, offsetdata %x 706#>0x185 leshort x \b, section length %x 707>0x187 search/0xB55 WINDOWS\ VMM\ 4.0\0 708>>&0x5e ubyte >0 709>>>&-1 string <PIFMGR.DLL \b, icon=%s 710#>>>&-1 string PIFMGR.DLL \b, icon=%s 711>>>&-1 string >PIFMGR.DLL \b, icon=%s 712>>&0xF0 ubyte >0 713>>>&-1 string <Terminal \b, font=%.32s 714#>>>&-1 string =Terminal \b, font=%.32s 715>>>&-1 string >Terminal \b, font=%.32s 716>>&0x110 ubyte >0 717>>>&-1 string <Lucida\ Console \b, TrueTypeFont=%.32s 718#>>>&-1 string =Lucida\ Console \b, TrueTypeFont=%.32s 719>>>&-1 string >Lucida\ Console \b, TrueTypeFont=%.32s 720#>0x187 search/0xB55 WINDOWS\ 286\ 3.0\0 \b, Windows 3.X standard mode-style 721#>0x187 search/0xB55 WINDOWS\ 386\ 3.0\0 \b, Windows 3.X enhanced mode-style 722>0x187 search/0xB55 WINDOWS\ NT\ \ 3.1\0 \b, Windows NT-style 723#>0x187 search/0xB55 WINDOWS\ NT\ \ 4.0\0 \b, Windows NT-style 724>0x187 search/0xB55 CONFIG\ \ SYS\ 4.0\0 \b +CONFIG.SYS 725#>>&06 string x \b:%s 726>0x187 search/0xB55 AUTOEXECBAT\ 4.0\0 \b +AUTOEXEC.BAT 727#>>&06 string x \b:%s 728 729# DOS EPS Binary File Header 730# From: Ed Sznyter <ews@Black.Market.NET> 7310 belong 0xC5D0D3C6 DOS EPS Binary File 732>4 long >0 Postscript starts at byte %d 733>>8 long >0 length %d 734>>>12 long >0 Metafile starts at byte %d 735>>>>16 long >0 length %d 736>>>20 long >0 TIFF starts at byte %d 737>>>>24 long >0 length %d 738 739# TNEF magic From "Joomy" <joomy@se-ed.net> 740# Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF) 7410 leshort 0x223e9f78 TNEF 742!:mime application/vnd.ms-tnef 743 744# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS 745# of http://www.4dos.info/ 746# pointer,HelpID[8]=4DHnnnmm 7470 ulelong 0x48443408 4DOS help file 748>4 string x \b, version %-4.4s 749 750# old binary Microsoft (.HLP) files added by Joerg Jenderek from http://file-extension.net/seeker/file_extension_hlp 7510 ulequad 0x3a000000024e4c MS Advisor help file 752 753# HtmlHelp files (.chm) 7540 string/b ITSF\003\000\000\000\x60\000\000\000\001\000\000\000 MS Windows HtmlHelp Data 755 756# GFA-BASIC (Wolfram Kleff) 7572 string/b GFA-BASIC3 GFA-BASIC 3 data 758 759#------------------------------------------------------------------------------ 760# From Stuart Caie <kyzer@4u.net> (developer of cabextract) 761# Microsoft Cabinet files 7620 string/b MSCF\0\0\0\0 Microsoft Cabinet archive data 763!:mime application/vnd.ms-cab-compressed 764>8 lelong x \b, %u bytes 765>28 leshort 1 \b, 1 file 766>28 leshort >1 \b, %u files 767 768# InstallShield Cabinet files 7690 string/b ISc( InstallShield Cabinet archive data 770>5 byte&0xf0 =0x60 version 6, 771>5 byte&0xf0 !0x60 version 4/5, 772>(12.l+40) lelong x %u files 773 774# Windows CE package files 7750 string/b MSCE\0\0\0\0 Microsoft WinCE install header 776>20 lelong 0 \b, architecture-independent 777>20 lelong 103 \b, Hitachi SH3 778>20 lelong 104 \b, Hitachi SH4 779>20 lelong 0xA11 \b, StrongARM 780>20 lelong 4000 \b, MIPS R4000 781>20 lelong 10003 \b, Hitachi SH3 782>20 lelong 10004 \b, Hitachi SH3E 783>20 lelong 10005 \b, Hitachi SH4 784>20 lelong 70001 \b, ARM 7TDMI 785>52 leshort 1 \b, 1 file 786>52 leshort >1 \b, %u files 787>56 leshort 1 \b, 1 registry entry 788>56 leshort >1 \b, %u registry entries 789 790 791# Windows Enhanced Metafile (EMF) 792# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp 793# for further information. 7940 ulelong 1 795>40 string \ EMF Windows Enhanced Metafile (EMF) image data 796>>44 ulelong x version 0x%x 797 798# From: Alex Beregszaszi <alex@fsn.hu> 7990 string/b COWD VMWare3 800>4 byte 3 disk image 801>>32 lelong x (%d/ 802>>36 lelong x \b%d/ 803>>40 lelong x \b%d) 804>4 byte 2 undoable disk image 805>>32 string >\0 (%s) 806 8070 string/b VMDK VMware4 disk image 8080 string/b KDMV VMware4 disk image 809 810#-------------------------------------------------------------------- 811# Qemu Emulator Images 812# Lines written by Friedrich Schwittay (f.schwittay@yousable.de) 813# Updated by Adam Buchbinder (adam.buchbinder@gmail.com) 814# Made by reading sources, reading documentation, and doing trial and error 815# on existing QCOW files 8160 string/b QFI\xFB QEMU QCOW Image 817 818# Uncomment the following line to display Magic (only used for debugging 819# this magic number) 820#>0 string/b x , Magic: %s 821 822# There are currently 2 Versions: "1" and "2". 823# http://www.gnome.org/~markmc/qcow-image-format-version-1.html 824>4 belong 1 (v1) 825 826# Using the existence of the Backing File Offset to determine whether 827# to read Backing File Information 828>>12 belong >0 \b, has backing file ( 829# Note that this isn't a null-terminated string; the length is actually 830# (16.L). Assuming a null-terminated string happens to work usually, but it 831# may spew junk until it reaches a \0 in some cases. 832>>>(12.L) string >\0 \bpath %s 833 834# Modification time of the Backing File 835# Really useful if you want to know if your backing 836# file is still usable together with this image 837>>>>20 bedate >0 \b, mtime %s) 838>>>>20 default x \b) 839 840# Size is stored in bytes in a big-endian u64. 841>>24 bequad x \b, %lld bytes 842 843# 1 for AES encryption, 0 for none. 844>>36 belong 1 \b, AES-encrypted 845 846# http://www.gnome.org/~markmc/qcow-image-format.html 847>4 belong 2 (v2) 848# Using the existence of the Backing File Offset to determine whether 849# to read Backing File Information 850>>8 bequad >0 \b, has backing file 851# Note that this isn't a null-terminated string; the length is actually 852# (16.L). Assuming a null-terminated string happens to work usually, but it 853# may spew junk until it reaches a \0 in some cases. Also, since there's no 854# .Q modifier, we just use the bottom four bytes as an offset. Note that if 855# the file is over 4G, and the backing file path is stored after the first 4G, 856# the wrong filename will be printed. (This should be (8.Q), when that syntax 857# is introduced.) 858>>>(12.L) string >\0 (path %s) 859>>24 bequad x \b, %lld bytes 860>>32 belong 1 \b, AES-encrypted 861 862>4 belong 3 (v3) 863# Using the existence of the Backing File Offset to determine whether 864# to read Backing File Information 865>>8 bequad >0 \b, has backing file 866# Note that this isn't a null-terminated string; the length is actually 867# (16.L). Assuming a null-terminated string happens to work usually, but it 868# may spew junk until it reaches a \0 in some cases. Also, since there's no 869# .Q modifier, we just use the bottom four bytes as an offset. Note that if 870# the file is over 4G, and the backing file path is stored after the first 4G, 871# the wrong filename will be printed. (This should be (8.Q), when that syntax 872# is introduced.) 873>>>(12.L) string >\0 (path %s) 874>>24 bequad x \b, %lld bytes 875>>32 belong 1 \b, AES-encrypted 876 877>4 default x (unknown version) 878 8790 string/b QEVM QEMU suspend to disk image 880 881# QEMU QED Image 882# http://wiki.qemu.org/Features/QED/Specification 8830 string/b QED\0 QEMU QED Image 884 885# VDI Image 88664 string/b \x7f\x10\xda\xbe VDI Image 887>68 string/b \x01\x00\x01\x00 version 1.1 888>0 string >\0 (%s) 889>368 lequad x \b, %lld bytes 890 8910 string/b Bochs\ Virtual\ HD\ Image Bochs disk image, 892>32 string x type %s, 893>48 string x subtype %s 894 8950 lelong 0x02468ace Bochs Sparse disk image 896 897# from http://filext.com by Derek M Jones <derek@knosof.co.uk> 898# False positive with PPT (also currently this string is too long) 899#0 string/b \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF\x09\x00\x06 Microsoft Installer 9000 string/b \320\317\021\340\241\261\032\341 Microsoft Office Document 901#>48 byte 0x1B Excel Document 902#!:mime application/vnd.ms-excel 903>546 string bjbj Microsoft Word Document 904!:mime application/msword 905>546 string jbjb Microsoft Word Document 906!:mime application/msword 907 9080 string/b \224\246\056 Microsoft Word Document 909!:mime application/msword 910 911512 string R\0o\0o\0t\0\ \0E\0n\0t\0r\0y Microsoft Word Document 912!:mime application/msword 913 914# From: "Nelson A. de Oliveira" <naoliv@gmail.com> 915# Magic type for Dell's BIOS .hdr files 916# Dell's .hdr 9170 string/b $RBU 918>23 string Dell %s system BIOS 919>5 byte 2 920>>48 byte x version %d. 921>>49 byte x \b%d. 922>>50 byte x \b%d 923>5 byte <2 924>>48 string x version %.3s 925 926# Type: Microsoft DirectDraw Surface 927# URL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/directx9_c/directx/graphics/reference/DDSFileReference/ddsfileformat.asp 928# From: Morten Hustveit <morten@debian.org> 9290 string/b DDS\040\174\000\000\000 Microsoft DirectDraw Surface (DDS), 930>16 lelong >0 %hd x 931>12 lelong >0 %hd, 932>84 string x %.4s 933 934# Type: Microsoft Document Imaging Format (.mdi) 935# URL: http://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format 936# From: Daniele Sempione <scrows@oziosi.org> 9370 short 0x5045 Microsoft Document Imaging Format 938 939# MS eBook format (.lit) 9400 string/b ITOLITLS Microsoft Reader eBook Data 941>8 lelong x \b, version %u 942!:mime application/x-ms-reader 943 944# Windows CE Binary Image Data Format 945# From: Dr. Jesus <j@hug.gs> 9460 string/b B000FF\n Windows Embedded CE binary image 947 948# Windows Imaging (WIM) Image 9490 string/b MSWIM\000\000\000 Windows imaging (WIM) image 950 951# The second byte of these signatures is a file version; I don't know what, 952# if anything, produced files with version numbers 0-2. 953# From: John Elliott <johne@seasip.demon.co.uk> 9540 string \xfc\x03\x00 Mallard BASIC program data (v1.11) 9550 string \xfc\x04\x00 Mallard BASIC program data (v1.29+) 9560 string \xfc\x03\x01 Mallard BASIC protected program data (v1.11) 9570 string \xfc\x04\x01 Mallard BASIC protected program data (v1.29+) 958 9590 string MIOPEN Mallard BASIC Jetsam data 9600 string Jetsam0 Mallard BASIC Jetsam index data 961 962