#------------------------------------------------------------------------------
# $File: msdos,v 1.158 2022/09/07 11:17:31 christos Exp $
# msdos: file(1) magic for MS-DOS files
#

# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com)
# updated by Joerg Jenderek at Oct 2008,Apr 2011
0 string/t @
>1 string/cW \ echo\ off DOS batch file text
!:mime text/x-msdos-batch
!:ext bat
>1 string/cW echo\ off DOS batch file text
!:mime text/x-msdos-batch
!:ext bat
>1 string/cW rem DOS batch file text
!:mime text/x-msdos-batch
!:ext bat
>1 string/cW set\  DOS batch file text
!:mime text/x-msdos-batch
!:ext bat


# OS/2 batch files are REXX. the second regex is a bit generic, oh well
# the matched commands seem to be common in REXX and uncommon elsewhere
100 search/0xffff rxfuncadd
>100 regex/c =^[\ \t]{0,10}call[\ \t]{1,10}rxfunc OS/2 REXX batch file text
100 search/0xffff say
>100 regex/c =^[\ \t]{0,10}say\ ['"] OS/2 REXX batch file text

# updated by Joerg Jenderek at Oct 2015
# https://de.wikipedia.org/wiki/Common_Object_File_Format
# http://www.delorie.com/djgpp/doc/coff/filhdr.html
# ./intel already labeled COFF type 0x14c=0514 as "80386 COFF executable"
#0 leshort 0x14c MS Windows COFF Intel 80386 object file
#>4 ledate x stamp %s
0 leshort 0x166 MS Windows COFF MIPS R4000 object file
#>4 ledate x stamp %s
0 leshort 0x184 MS Windows COFF Alpha object file
#>4 ledate x stamp %s
0 leshort 0x268 MS Windows COFF Motorola 68000 object file
#>4 ledate x stamp %s
0 leshort 0x1f0 MS Windows COFF PowerPC object file
#>4 ledate x stamp %s
0 leshort 0x290 MS Windows COFF PA-RISC object file
#>4 ledate x stamp %s

# Tests for various EXE types.
#
# Many of the compressed formats were extracted from IDARC 1.23 source code.
#
0 string/b MZ
# All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file.
>0x18 leshort <0x40 MS-DOS executable
!:mime application/x-dosexec
# Windows and later versions of DOS will allow .EXEs to be named with a .COM
# extension, mostly for compatibility's sake.
# URL: https://en.wikipedia.org/wiki/Personal_NetWare#VLM
# Reference: https://mark0.net/download/triddefs_xml.7z/defs/e/exe-vlm-msg.trid.xml
!:ext exe/com/vlm
# These traditional tests usually work but not always. When test quality support is
# implemented these can be turned on.
#>>0x18 leshort 0x1c (Borland compiler)
#>>0x18 leshort 0x1e (MS compiler)

# Maybe it's a PE?
>(0x3c.l) string PE\0\0 PE
!:mime application/x-dosexec
>>(0x3c.l+24) leshort 0x010b \b32 executable
>>(0x3c.l+24) leshort 0x020b \b32+ executable
>>(0x3c.l+24) leshort 0x0107 ROM image
>>(0x3c.l+24) default x Unknown PE signature
>>>&0 leshort x %#x
>>(0x3c.l+22) leshort&0x2000 >0 (DLL)
>>(0x3c.l+92) leshort 1
# Native PEs include ntoskrnl.exe, hal.dll, smss.exe, autochk.exe, and all the
# drivers in Windows/System32/drivers/*.sys.
>>>(0x3c.l+22) leshort&0x2000 >0 (native)
!:ext dll/sys
>>>(0x3c.l+22) leshort&0x2000 0 (native)
!:ext exe/sys
>>(0x3c.l+92) leshort 2
>>>(0x3c.l+22) leshort&0x2000 >0 (GUI)
# These could probably be at least partially distinguished from one another by
# looking for specific exported functions.
# CPL: Control Panel item
# TLB: Type library
# OCX: OLE/ActiveX control
# ACM: Audio compression manager codec
# AX: DirectShow source filter
# IME: Input method editor
!:ext dll/cpl/tlb/ocx/acm/ax/ime
>>>(0x3c.l+22) leshort&0x2000 0 (GUI)
# Screen savers typically include code from the scrnsave.lib static library, but
# that's not guaranteed.
!:ext exe/scr
>>(0x3c.l+92) leshort 3
>>>(0x3c.l+22) leshort&0x2000 >0 (console)
!:ext dll/cpl/tlb/ocx/acm/ax/ime
>>>(0x3c.l+22) leshort&0x2000 0 (console)
!:ext exe/com
# https://docs.microsoft.com/en-us/windows/win32/debug/pe-format
>>(0x3c.l+92) leshort 7 (POSIX)
>>(0x3c.l+92) leshort 9 (Windows CE)
>>(0x3c.l+92) leshort 10 (EFI application)
>>(0x3c.l+92) leshort 11 (EFI boot service driver)
>>(0x3c.l+92) leshort 12 (EFI runtime driver)
>>(0x3c.l+92) leshort 13 (EFI ROM)
>>(0x3c.l+92) leshort 14 (XBOX)
>>(0x3c.l+92) leshort 15 (Windows boot application)
>>(0x3c.l+92) default x (Unknown subsystem
>>>&0 leshort x %#x)
>>(0x3c.l+4) leshort 0x14c Intel 80386
>>(0x3c.l+4) leshort 0x166 MIPS R4000
>>(0x3c.l+4) leshort 0x168 MIPS R10000
>>(0x3c.l+4) leshort 0x184 Alpha
>>(0x3c.l+4) leshort 0x1a2 Hitachi SH3
>>(0x3c.l+4) leshort 0x1a3 Hitachi SH3 DSP
>>(0x3c.l+4) leshort 0x1a8 Hitachi SH5
>>(0x3c.l+4) leshort 0x169 MIPS WCE v2
>>(0x3c.l+4) leshort 0x1a6 Hitachi SH4
>>(0x3c.l+4) leshort 0x1c0 ARM
>>(0x3c.l+4) leshort 0x1c2 ARM Thumb
>>(0x3c.l+4) leshort 0x1c4 ARMv7 Thumb
>>(0x3c.l+4) leshort 0x1d3 Matsushita AM33
>>(0x3c.l+4) leshort 0x1f0 PowerPC
>>(0x3c.l+4) leshort 0x1f1 PowerPC with FPU
>>(0x3c.l+4) leshort 0x1f2 PowerPC (big-endian)
>>(0x3c.l+4) leshort 0x200 Intel Itanium
>>(0x3c.l+4) leshort 0x266 MIPS16
>>(0x3c.l+4) leshort 0x268 Motorola 68000
>>(0x3c.l+4) leshort 0x290 PA-RISC
>>(0x3c.l+4) leshort 0x366 MIPSIV
>>(0x3c.l+4) leshort 0x466 MIPS16 with FPU
>>(0x3c.l+4) leshort 0xebc EFI byte code
>>(0x3c.l+4) leshort 0x5032 RISC-V 32-bit
>>(0x3c.l+4) leshort 0x5064 RISC-V 64-bit
>>(0x3c.l+4) leshort 0x5128 RISC-V 128-bit
>>(0x3c.l+4) leshort 0x9041 Mitsubishi M32R
>>(0x3c.l+4) leshort 0x8664 x86-64
>>(0x3c.l+4) leshort 0xaa64 Aarch64
>>(0x3c.l+4) leshort 0xc0ee MSIL
>>(0x3c.l+4) default x Unknown processor type
>>>&0 leshort x %#x
>>(0x3c.l+22) leshort&0x0200 >0 (stripped to external PDB)
>>(0x3c.l+22) leshort&0x1000 >0 system file
>>(0x3c.l+24) leshort 0x010b
>>>(0x3c.l+232) lelong >0 Mono/.Net assembly
>>(0x3c.l+24) leshort 0x020b
>>>(0x3c.l+248) lelong >0 Mono/.Net assembly

# hooray, there's a DOS extender using the PE format, with a valid PE
# executable inside (which just prints a message and exits if run in win)
>>(8.s*16) string 32STUB \b, 32rtm DOS extender
>>(8.s*16) string !32STUB \b, for MS Windows
>>(0x3c.l+0xf8) string UPX0 \b, UPX compressed
>>(0x3c.l+0xf8) search/0x140 PEC2 \b, PECompact2 compressed
>>(0x3c.l+0xf8) search/0x140 UPX2
>>>(&0x10.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
>>(0x3c.l+0xf8) search/0x140 .idata
>>>(&0xe.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
>>>(&0xe.l+(-4)) string ZZ0 \b, ZZip self-extracting archive
>>>(&0xe.l+(-4)) string ZZ1 \b, ZZip self-extracting archive
>>(0x3c.l+0xf8) search/0x140 .rsrc
>>>(&0x0f.l+(-4)) string a\\\4\5 \b, WinHKI self-extracting archive
>>>(&0x0f.l+(-4)) string Rar! \b, RAR self-extracting archive
>>>(&0x0f.l+(-4)) search/0x3000 MSCF \b, InstallShield self-extracting archive
>>>(&0x0f.l+(-4)) search/32 Nullsoft \b, Nullsoft Installer self-extracting archive
>>(0x3c.l+0xf8) search/0x140 .data
>>>(&0x0f.l) string WEXTRACT \b, MS CAB-Installer self-extracting archive
>>(0x3c.l+0xf8) search/0x140 .petite\0 \b, Petite compressed
>>>(0x3c.l+0xf7) byte x
>>>>(&0x104.l+(-4)) string =!sfx! \b, ACE self-extracting archive
>>(0x3c.l+0xf8) search/0x140 .WISE \b, WISE installer self-extracting archive
>>(0x3c.l+0xf8) search/0x140 .dz\0\0\0 \b, Dzip self-extracting archive
>>&(0x3c.l+0xf8) search/0x100 _winzip_ \b, ZIP self-extracting archive (WinZip)
>>&(0x3c.l+0xf8) search/0x100 SharedD \b, Microsoft Installer self-extracting archive
>>0x30 string Inno \b, InnoSetup self-extracting archive

# If the relocation table is 0x40 or more bytes into the file, it's definitely
# not a DOS EXE.
>0x18 leshort >0x3f

# Hmm, not a PE but the relocation table is too high for a traditional DOS exe,
# must be one of the unusual subformats.
>>(0x3c.l) string !PE\0\0 MS-DOS executable
!:mime application/x-dosexec

>>(0x3c.l) string NE \b, NE
!:mime application/x-dosexec
>>>(0x3c.l+0x36) byte 1 for OS/2 1.x
>>>(0x3c.l+0x36) byte 2 for MS Windows 3.x
>>>(0x3c.l+0x36) byte 3 for MS-DOS
>>>(0x3c.l+0x36) byte 4 for Windows 386
>>>(0x3c.l+0x36) byte 5 for Borland Operating System Services
>>>(0x3c.l+0x36) default x
>>>>(0x3c.l+0x36) byte x (unknown OS %x)
>>>(0x3c.l+0x36) byte 0x81 for MS-DOS, Phar Lap DOS extender
>>>(0x3c.l+0x0c) leshort&0x8000 0x8000 (DLL or font)
# DRV: Driver
# 3GR: Grabber device driver
# CPL: Control Panel Item
# VBX: Visual Basic Extension
# FON: Bitmap font
# FOT: Font resource file
!:ext dll/drv/3gr/cpl/vbx/fon/fot
>>>(0x3c.l+0x0c) leshort&0x8000 0 (EXE)
!:ext exe/scr
>>>&(&0x24.s-1) string ARJSFX \b, ARJ self-extracting archive
>>>(0x3c.l+0x70) search/0x80 WinZip(R)\ Self-Extractor \b, ZIP self-extracting archive (WinZip)

>>(0x3c.l) string LX\0\0 \b, LX
!:mime application/x-dosexec
>>>(0x3c.l+0x0a) leshort <1 (unknown OS)
>>>(0x3c.l+0x0a) leshort 1 for OS/2
>>>(0x3c.l+0x0a) leshort 2 for MS Windows
>>>(0x3c.l+0x0a) leshort 3 for DOS
>>>(0x3c.l+0x0a) leshort >3 (unknown OS)
>>>(0x3c.l+0x10) lelong&0x28000 =0x8000 (DLL)
>>>(0x3c.l+0x10) lelong&0x20000 >0 (device driver)
>>>(0x3c.l+0x10) lelong&0x300 0x300 (GUI)
>>>(0x3c.l+0x10) lelong&0x28300 <0x300 (console)
>>>(0x3c.l+0x08) leshort 1 i80286
>>>(0x3c.l+0x08) leshort 2 i80386
>>>(0x3c.l+0x08) leshort 3 i80486
>>>(8.s*16) string emx \b, emx
>>>>&1 string x %s
>>>&(&0x54.l-3) string arjsfx \b, ARJ self-extracting archive

# MS Windows system file, supposedly a collection of LE executables
>>(0x3c.l) string W3 \b, W3 for MS Windows
!:mime application/x-dosexec

>>(0x3c.l) string LE\0\0 \b, LE executable
!:mime application/x-dosexec
>>>(0x3c.l+0x0a) leshort 1
# some DOS extenders use LE files with OS/2 header
>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender
>>>>0x240 search/0x200 WATCOM\ C/C++ for MS-DOS, DOS4GW DOS extender
>>>>0x440 search/0x100 CauseWay\ DOS\ Extender for MS-DOS, CauseWay DOS extender
>>>>0x40 search/0x40 PMODE/W for MS-DOS, PMODE/W DOS extender
>>>>0x40 search/0x40 STUB/32A for MS-DOS, DOS/32A DOS extender (stub)
>>>>0x40 search/0x80 STUB/32C for MS-DOS, DOS/32A DOS extender (configurable stub)
>>>>0x40 search/0x80 DOS/32A for MS-DOS, DOS/32A DOS extender (embedded)
# this is a wild guess; hopefully it is a specific signature
>>>>&0x24 lelong <0x50
>>>>>(&0x4c.l) string \xfc\xb8WATCOM
>>>>>>&0 search/8 3\xdbf\xb9 \b, 32Lite compressed
# another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP
#>>>>(0x3c.l+0x1c) lelong >0x10000 for OS/2
# fails with DOS-Extenders.
>>>(0x3c.l+0x0a) leshort 2 for MS Windows
>>>(0x3c.l+0x0a) leshort 3 for DOS
>>>(0x3c.l+0x0a) leshort 4 for MS Windows (VxD)
# VXD: VxD for Windows 95/98/Me
# 386: VxD for Windows 2.10, 3.0, 3.1x
# PDR: Port driver
# MPD: Miniport driver (?)
!:ext vxd/386/pdr/mpd
>>>(&0x7c.l+0x26) string UPX \b, UPX compressed
>>>&(&0x54.l-3) string UNACE \b, ACE self-extracting archive

# looks like ASCII, probably some embedded copyright message.
# and definitely not NE/LE/LX/PE
>>0x3c lelong >0x20000000
>>>(4.s*512) leshort !0x014c \b, MZ for MS-DOS
!:mime application/x-dosexec
!:ext exe/com
# header data too small for extended executable
>2 long !0
>>0x18 leshort <0x40
>>>(4.s*512) leshort !0x014c

>>>>&(2.s-514) string !LE
>>>>>&-2 string !BW \b, MZ for MS-DOS
!:mime application/x-dosexec
>>>>&(2.s-514) string LE \b, LE
>>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender
# educated guess since indirection is still not capable enough for complex offset
# calculations (next embedded executable would be at &(&2*512+&0-2)
# I suspect there are only LE executables in these multi-exe files
>>>>&(2.s-514) string BW
>>>>>0x240 search/0x100 DOS/4G \b, LE for MS-DOS, DOS4GW DOS extender (embedded)
>>>>>0x240 search/0x100 !DOS/4G \b, BW collection for MS-DOS

# This sequence skips to the first COFF segment, usually .text
>(4.s*512) leshort 0x014c \b, COFF
!:mime application/x-dosexec
>>(8.s*16) string go32stub for MS-DOS, DJGPP go32 DOS extender
>>(8.s*16) string emx
>>>&1 string x for DOS, Win or OS/2, emx %s
>>&(&0x42.l-3) byte x
>>>&0x26 string UPX \b, UPX compressed
# and yet another guess: small .text, and after large .data is unusual, could be 32lite
>>&0x2c search/0xa0 .text
>>>&0x0b lelong <0x2000
>>>>&0 lelong >0x6000 \b, 32lite compressed

>(8.s*16) string $WdX \b, WDos/X DOS extender

# By now an executable type should have been printed out. The executable
# may be a self-uncompressing archive, so look for evidence of that and
# print it out.
#
# Some signatures below from Greg Roelofs, newt@uchicago.edu.
#
>0x35 string \x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05 \b, aPack compressed
>0xe7 string LH/2\ Self-Extract \b, %s
>0x1c string UC2X \b, UCEXE compressed
>0x1c string WWP\  \b, WWPACK compressed
>0x1c string RJSX \b, ARJ self-extracting archive
>0x1c string diet \b, diet compressed
>0x1c string LZ09 \b, LZEXE v0.90 compressed
>0x1c string LZ91 \b, LZEXE v0.91 compressed
>0x1c string tz \b, TinyProg compressed
>0x1e string Copyright\ 1989-1990\ PKWARE\ Inc. Self-extracting PKZIP archive
!:mime application/zip
# Yes, this really is "Copr", not "Corp."
>0x1e string PKLITE\ Copr. Self-extracting PKZIP archive
!:mime application/zip
# winarj stores a message in the stub instead of the sig in the MZ header
>0x20 search/0xe0 aRJsfX \b, ARJ self-extracting archive
>0x20 string AIN
>>0x23 string 2 \b, AIN 2.x compressed
>>0x23 string <2 \b, AIN 1.x compressed
>>0x23 string >2 \b, AIN 1.x compressed
>0x24 string LHa's\ SFX \b, LHa self-extracting archive
!:mime application/x-lha
>0x24 string LHA's\ SFX \b, LHa self-extracting archive
!:mime application/x-lha
>0x24 string \ $ARX \b, ARX self-extracting archive
>0x24 string \ $LHarc \b, LHarc self-extracting archive
>0x20 string SFX\ by\ LARC \b, LARC self-extracting archive
>0x40 string aPKG \b, aPackage self-extracting archive
>0x64 string W\ Collis\0\0 \b, Compack compressed
>0x7a string Windows\ self-extracting\ ZIP \b, ZIP self-extracting archive
>>&0xf4 search/0x140 \x0\x40\x1\x0
>>>(&0.l+(4)) string MSCF \b, WinHKI CAB self-extracting archive
>1638 string -lh5- \b, LHa self-extracting archive v2.13S
>0x17888 string Rar! \b, RAR self-extracting archive

# Skip to the end of the EXE. This will usually work fine in the PE case
# because the MZ image is hardcoded into the toolchain and almost certainly
# won't match any of these signatures.
>(4.s*512) long x
>>&(2.s-517) byte x
>>>&0 string PK\3\4 \b, ZIP self-extracting archive
>>>&0 string Rar! \b, RAR self-extracting archive
>>>&0 string =!\x11 \b, AIN 2.x self-extracting archive
>>>&0 string =!\x12 \b, AIN 2.x self-extracting archive
>>>&0 string =!\x17 \b, AIN 1.x self-extracting archive
>>>&0 string =!\x18 \b, AIN 1.x self-extracting archive
>>>&7 search/400 **ACE** \b, ACE self-extracting archive
>>>&0 search/0x480 UC2SFX\ Header \b, UC2 self-extracting archive

# a few unknown ZIP sfxes, no idea if they are needed or if they are
# already captured by the generic patterns above
>(8.s*16) search/0x20 PKSFX \b, ZIP self-extracting archive (PKZIP)
# TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extracting archive
#

# TELVOX Teleinformatica CODEC self-extractor for OS/2:
>49801 string \x79\xff\x80\xff\x76\xff \b, CODEC archive v3.21
>>49824 leshort =1 \b, 1 file
>>49824 leshort >1 \b, %u files

# Summary: OS/2 LX Library and device driver (no DOS stub)
# From: Joerg Jenderek
# URL: http://en.wikipedia.org/wiki/EXE
# Reference: http://www.textfiles.com/programming/FORMATS/lxexe.txt
# https://github.com/open-watcom/open-watcom-v2/blob/master/bld/watcom/h/exeflat.h
# Note: by dll-os2-no-dos-stub.trid.xml called "OS/2 Dynamic Link Library (no DOS stub)"
# TODO: unify with DOS stub variant (MZ magic)
0 string/b LX
>2 ushort =0
>>0 use lx-executable
# no examples found for big endian variant
>2 ushort =0x0101
>>0 use \^lx-executable
0 name lx-executable
# similar looking like variant with MS-DOS stub (MZ magic): "MS-DOS executable, LX"
#>0x00 uleshort x executable,
# signature OSF_FLAT_LX_SIGNATURE~0x584C~LX OSF_FLAT_SIGNATURE~0x454C~LE
>0x00 uleshort =0x584c LX
>0x00 uleshort =0x454C LE
>0x00 uleshort x executable
#!:mime application/x-msdownload
!:mime application/x-lx-executable
# byte order: 00h~little-endian non-zero=1~big-endian
#>0x02 ubyte =0 (little-endian)
>0x02 ubyte !0 (big-endian)
# FOR DEBUGGING!
# word order: 00h~little-endian non-zero=1~big-endian
#>0x03 ubyte =0 \b, little-endian word order
#>0x03 ubyte !0 \b, big-endian word order
# cpu_type; CPU type like: 1~286 2~386 3~486 4 20h~i860 21h~Intel N11 40h~MIPS R2000,R3000 41h~MIPS R6000 42h~MIPS R4000
#>0x08 uleshort x \b, CPU %u
# os_type; target operating system like: 0~unknown 1~OS/2 2~Windows 3~DOS 4.x 4~Windows 386
#>0x0A leshort x \b, OS %u
# flags; module type flags
#>0x10 ulelong x \b, FLAGS %#8.8x
# 00000002h ~Reserved for system use
#>0x10 ulelong &0x00000002 \b, 2h reserved
# OSF_INIT_INSTANCE=00000004h ~Per-Process Library Initialization; setting this bit for EXE file is invalid
#>0x10 ulelong &0x00000004 \b, per-process library Initialization
# OSF_INTERNAL_FIXUPS_DONE=00000010h ~Internal fixups for the module have been applied
#>0x10 ulelong &0x00000010 \b, int. fixup
# OSF_EXTERNAL_FIXUPS_DONE=00000020h ~External fixups for the module have been applied
#>0x10 ulelong &0x00000020 \b, ext. fixup
# OSF_NOT_PM_COMPATIBLE=00000100h ~Incompatible with PM windowing
#>0x10 ulelong&0x00000100 =0x00000100 \b, incompatible with PM windowing
# OSF_PM_COMPATIBLE=00000200h ~Compatible with PM windowing
#>0x10 ulelong&0x00000200 =0x00000200 \b, compatible with PM windowing
# bit 17; device driver
#>0x10 ulelong&0x00020000 >0 \b, device driver
# Per-process Library Termination; setting this bit for EXE file is invalid
#>0x10 ulelong&0x40000000 =0x40000000 \b, per-process library termination
>0x0a leshort 1 for OS/2
# no example found
>0x0a leshort 3 for DOS
# http://www.ctyme.com/intr/rb-2939.htm#Table1610
# library by module type mask 00038000h (bits 15-17);
# 0h ~executable Program module
>0x10 ulelong&0x00038000 =0x00000000 (program)
#!:ext exe
# OSF_IS_DLL=8000h ~Library module (DLL)
>0x10 ulelong&0x00038000 >0x00000000
# OSF_PHYS_DEVICE=00020000h ~device driver
>>0x10 ulelong&0x00020000 >0 (device driver)
!:ext sys
# if not device driver it is library (DLL)
>>0x10 ulelong&0x00020000 =0 (library)
!:ext dll
# bits 8-10; OSF_PM_APP=300h in flags ~Uses PM windowing API; either it is GUI or console
>0x10 ulelong&0x00000300 =0x00000300 (GUI)
>0x10 ulelong&0x00000300 !0x00000300 (console)
# CPU type
>0x08 uleshort 1 i80286
# all inspected examples
>0x08 uleshort 2 i80386
>0x08 uleshort 3 i80486
>0x08 uleshort 4 i80586
# 21h Intel "N11" or compatible
# 40h MIPS Mark I ( R2000, R3000) or compatible
# 41h MIPS Mark II ( R6000 ) or compatible
# 42h MIPS Mark III ( R4000 ) or compatible

# added by Joerg Jenderek of https://www.freedos.org/software/?prog=kc
# and https://www.freedos.org/software/?prog=kpdos
# for FreeDOS files like KEYBOARD.SYS, KEYBRD2.SYS, KEYBRD3.SYS, *.KBD
0 string/b KCF FreeDOS KEYBoard Layout collection
# only version=0x100 found
>3 uleshort x \b, version %#x
# length of string containing author,info and special characters
>6 ubyte >0
#>>6 pstring x \b, name=%s
>>7 string >\0 \b, author=%-.14s
>>7 search/254 \xff \b, info=
#>>>&0 string x \b%-s
>>>&0 string x \b%-.15s
# for FreeDOS *.KL files
0 string/b KLF FreeDOS KEYBoard Layout file
# only version=0x100 or 0x101 found
>3 uleshort x \b, version %#x
# stringlength
>5 ubyte >0
>>8 string x \b, name=%-.2s
0 string \xffKEYB\ \ \ \0\0\0\0
>12 string \0\0\0\0`\004\360 MS-DOS KEYBoard Layout file

# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017,Aug 2020
# URL: http://fileformats.archiveteam.org/wiki/DOS_device_driver
# Reference: http://www.delorie.com/djgpp/doc/rbinter/it/46/16.html
# https://amaus.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009
0 ulequad&0x07a0ffffffff 0xffffffff
# skip OS/2 INI ./os2
>4 ubelong !0x14000000
>>0 use msdos-driver
0 name msdos-driver DOS executable (
#!:mime application/octet-stream
!:mime application/x-dosdriver
# also found FreeDOS print driver SPOOL.DEV and disc compression driver STACLOAD.BIN
# and IBM Token-Ring adapter IBMTOK.DOS. Why and when DOS instead SYS is used?
# PROTMAN.DOS ELNKPL.DOS
!:ext sys/dev/bin/dos
# 1 space char after "UPX compressed" to get phrase like "UPX compressed character device"
>40 search/7 UPX! \bUPX compressed 
# DOS device driver attributes
>4 uleshort&0x8000 0x0000 \bblock device driver
# character device
>4 uleshort&0x8000 0x8000 \b
# 1 space char after "clock" to get phrase like "clock character device driver CLOCK$"
>>4 uleshort&0x0008 0x0008 \bclock 
# fast video output by int 29h
# 1 space char after "fast" to get phrase like "fast standard input/output character device driver"
>>4 uleshort&0x0010 0x0010 \bfast 
# standard input/output device
# 1 space char after "standard" to get phrase like "standard input/output character device driver"
>>4 uleshort&0x0003 >0 \bstandard 
>>>4 uleshort&0x0001 0x0001 \binput
>>>4 uleshort&0x0003 0x0003 \b/
# 1 space char after "output" to get phrase like "input/output character device driver"
>>>4 uleshort&0x0002 0x0002 \boutput 
>>4 uleshort&0x8000 0x8000 \bcharacter device driver
>0 ubyte x
# upx compressed device driver has garbage instead of real in name field of header
>>40 search/7 UPX!
>>40 default x
# leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped
# 1 space char before device driver name to get phrase like "device driver PROTMAN$"
>>>12 ubyte >0x2E \b 
>>>>10 ubyte >0x20
>>>>>10 ubyte !0x2E
>>>>>>10 ubyte !0x2A \b%c
>>>>11 ubyte >0x20
>>>>>11 ubyte !0x2E \b%c
>>>>12 ubyte >0x20
>>>>>12 ubyte !0x39
>>>>>>12 ubyte !0x2E \b%c
>>>13 ubyte >0x20
>>>>13 ubyte !0x2E \b%c
>>>>14 ubyte >0x20
>>>>>14 ubyte !0x2E \b%c
>>>>15 ubyte >0x20
>>>>>15 ubyte !0x2E \b%c
>>>>16 ubyte >0x20
>>>>>16 ubyte !0x2E
>>>>>>16 ubyte <0xCB \b%c
>>>>17 ubyte >0x20
>>>>>17 ubyte !0x2E
>>>>>>17 ubyte <0x90 \b%c
# some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field
>>>12 ubyte <0x2F
# they have their real name at offset 22
# also block device drivers like DUMBDRV.SYS
>>>>22 string >\056 %-.6s
>4 uleshort&0x8000 0x0000
# 32 bit sector addressing ( > 32 MB) for block devices
>>4 uleshort&0x0002 0x0002 \b,32-bit sector-
# support by driver functions 13h, 17h, 18h
>4 uleshort&0x0040 0x0040 \b,IOCTL-
# open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh
>4 uleshort&0x0800 0x0800 \b,close media-
# output until busy support by int 10h for character device driver
>4 uleshort&0x8000 0x8000
>>4 uleshort&0x2000 0x2000 \b,until busy-
# direct read/write support by driver functions 03h,0Ch
>4 uleshort&0x4000 0x4000 \b,control strings-
>4 uleshort&0x8000 0x8000
>>4 uleshort&0x6840 >0 \bsupport
>4 uleshort&0x8000 0x0000
>>4 uleshort&0x4842 >0 \bsupport
>0 ubyte x \b)
>0 ulelong !0xffffffff with pointer %#x
# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header
0 ulequad 0x0513c00000000012
>0 use msdos-driver
# DOS drivers DC2975.SYS, DUMBDRV.SYS, ECHO.SYS has also none 0xffffffff for pointer field
0 ulequad 0x32f28000ffff0016
>0 use msdos-driver
0 ulequad 0x007f00000000ffff
>0 use msdos-driver
# https://www.uwe-sieber.de/files/cfg_echo.zip
0 ulequad 0x001600000000ffff
>0 use msdos-driver
# DOS drivers LS120.SYS, MKELS120.SYS use reserved bits of attribute field
0 ulequad 0x0bf708c2ffffffff
>0 use msdos-driver
0 ulequad 0x07bd08c2ffffffff
>0 use msdos-driver
# 3Com EtherLink 3C501 CID\SERVER\IBMLS\IBM500D1\DLSNETDR.ZIP\ELNK.DOS
0 ulequad 0x027ac0c0ffffffff
>0 use msdos-driver
# IBM Streamer CID\SERVER\IBMLS\IBM500D1\DLSNETDR.ZIP\IBMMPC.DOS
0 ulequad 0x00228880ffffffff
>0 use msdos-driver

# updated by Joerg Jenderek
# GRR: line below too general as it catches also
# rt.lib DYADISKS.PIC and many more
# start with assembler instruction MOV
0 ubyte 0x8c
# skip "AppleWorks word processor data" like ARTICLE.1 ./apple
>4 string !O====
# skip some unknown basic binaries like RocketRnger.SHR
>>5 string !MAIN
# skip "GPG symmetrically encrypted data" ./gnu
# skip "PGP symmetric key encrypted data" ./pgp
# openpgpdefs.h: fourth byte < 14 indicate cipher algorithm type
>>>4 ubyte >13
>>>>0 use msdos-com
# the remaining files should be DOS *.COM executables
# dosshell.COM 8cc0 2ea35f07 e85211 e88a11 b80058 cd
# hmload.COM 8cc8 8ec0 bbc02b 89dc 83c30f c1eb04 b4
# UNDELETE.COM 8cca 2e8916 6503 b430 cd21 8b 2e0200 8b
# BOOTFIX.COM 8cca 2e8916 9603 b430 cd21 8b 2e0200 8b
# RAWRITE3.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
# SHARE.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
# validchr.COM 8cca 2e8916 9603 b430 cd21 8b 2e028b1e
# devload.COM 8cca 8916ad01 b430 cd21 8b2e0200 892e

0 name msdos-com
# URL: http://fileformats.archiveteam.org/wiki/DOS_executable_(.com)
>0 byte x DOS executable (
# DOS executable with JuMP 16-bit instruction
>0 byte =0xE9
# check for probably nil padding til offset 64 of Lotus driver name
>>56 quad =0
# check for "long" alphabetical Lotus driver name like:
# Diablo "COMPAQ Text Display" "IBM Monochrome Display" "Plantronics ColorPlus"
>>>24 regex =^[A-Z][A-Za-z\040]{5,21} \bLotus driver) %s
!:mime application/x-dosexec
# like: CPQ0TD.DRV IBM0MONO.DRV (Lotus 123 10a) SDIAB4.DRV SPL0CPLS.DRV (Lotus Symphony 2)
!:ext drv
# COM with nils like MODE.COM IBMDOS.COM (pcdos 3.31 ru Compaq) RSSTUB.COM (PC-DOS 2000 de) ACCESS.COM (Lotus Symphony 1)
>>>24 default x \bCOM)
!:mime application/x-dosexec
!:ext com
# DOS executable with JuMP 16-bit and without nil padding
>>56 quad !0
# https://wiki.syslinux.org/wiki/index.php?title=Doc/comboot
# TODO: HOWTO distinguish COMboot from pure DOS executables?
# look for unreliable Syslinux specific api call INTerrupt 22h for 16-bit COMBOOT program
>>>1 search/0xc088 \xcd\x22 \bCOM or COMBOOT 16-bit)
!:mime application/x-dosexec
# like: sbm.cbt command.com (Windows XP) UNI2ASCI.COM (FreeDOS 1.2)
!:ext com/cbt
>>>1 default x \bCOM)
!:mime application/x-dosexec
!:ext com
# DOS executable without JuMP 16-bit instruction
>0 byte !0xE9
# SCREATE.SYS https://en.wikipedia.org/wiki/Stac_Electronics
>>10 string =?STACVOL \bSCREATE.SYS)
!:mime application/x-dosexec
!:ext sys
# COM executable without JuMP 16-bit instruction and not SCREATE.SYS
>>10 string !?STACVOL \bCOM)
!:mime application/x-dosexec
!:ext com
>6 string SFX\ of\ LHarc \b, %s
>0x1FE leshort 0xAA55 \b, boot code
>85 string UPX \b, UPX compressed
>4 string \ $ARX \b, ARX self-extracting archive
>4 string \ $LHarc \b, LHarc self-extracting archive
>0x20e string SFX\ by\ LARC \b, LARC self-extracting archive
# like: E30ODI.COM MADGEODI.COM UNI2ASCI.COM RECOVER.COM (DOS 2) COMMAND.COM (DOS 2)
>1 search/0xc088 \xcd\x22 \b, maybe with interrupt 22h
>0 ubelong x \b, start instruction %#8.8x
# show more instructions but not in samples like: rem.com (DJGPP)
>4 ubelong x %8.8x

# JMP 8bit
0 byte 0xeb
# byte 0xeb conflicts with magic leshort 0xn2eb of "SYMMETRY i386" handled by ./sequent
# allow forward jumps only
>1 byte >-1
# that offset must be accessible
# with hexadecimal values like: 0e 2e 50 8c 8d ba bc bd be e8 fb fc
>>(1.b+2) byte x
# if look like COM executable with x86 boot signature then this
# implies FAT volume with x86 real mode code already handled by ./filesystems
#
# No x86 boot signature implies often DOS executable
# check for unrealistic high number of FATs. Then it is an unusual disk image or often a DOS executable
# like: FIXBIOS.COM (50 bytes)
>>>16 ubyte >3
# https://www.drivedroid.io/
# skip MBR disk image drivedroid.img version 12 July 2013 by start message
>>>>2 string !DriveDroid
# ftp://old-dos.ru/OSCollect/OS/MS-DOS/Final Releases/
# skip unusual floppy image disk1.img of MS-DOS 1.25 (Corona Data Systems OEM)
# by check for characteristic message text near the beginning
>>>>>15 string !Non\040System\040disk
# "ftp://old-dos.ru/OSCollect/OS/BeOS/BeOS 4.0.rar"
# skip BeOS 4 bootfloppy.img done as "Linux kernel x86 boot executable" by ./linux
# by check for characteristic message text near the beginning
>>>>>>6 string !read\040error\015
# https://github.com/ventoy/Ventoy/releases/download/v1.0.78/ventoy-1.0.78-windows.zip
# skip ventoy 1.0.78 boot_hybrid.img
>>>>>>>24 string !\220\220\353I$\022\017
# "ftp://old-dos.ru/OSCollect/OS/MS-DOS/Final Releases/PC-DOS 1.0 (5.25).rar"
# skip unusual floppy image PCDOS100.IMG of DOS 1.0
# by check for characteristic message text near the beginning
>>>>>>>>9 string !7-May-81
# "ftp://old-dos.ru/OSCollect/OS/BeOS/BeOS 5.0 Personal (BA).rar"
# skip BeOS 5 floppy_1.44.00.ima done as "DOS/MBR boot sector" by ./filesystems
# by check for characteristic message near the beginning
>>>>>>>>>3 string !\370sdfS\270
# like: FIXBIOS.COM (50 bytes)
>>>>>>>>>>0 use msdos-com
# check for unrealistic low number of FATs. Then it is an unusual FAT disk image or often a DOS executable
# like: DEVICE.COM INSTALL.COM (GAG 4.10) WORD.COM (Word 1.15)
>>>16 ubyte =0
# if low FATs with x86 boot signature it can be unusual disk image like: boot.img (Ventoy 1.0.27) geodspms.img (Syslinux)
>>>>0x1FE leshort =0xAA55
>>>>0x1FE default x
# https://thestarman.pcministry.com/tool/hxd/dimtut.htm
# skip unusual floppy image TK-DOS11.img IBMDOS11.img of IBM DOS 1.10
# by check for characteristic bootloader names near end of boot sector
>>>>>395 string !ibmbio\040\040com
>>>>>>0 use msdos-com
# 8-bit jump with valid number of FAT implies FAT volume already handled by ./filesystems
# like: balder.img
>>>16 default x
# skip disk images with boot signature at end of 1st sector
# like: TDSK-64b.img
>>>>(11.s-2) uleshort !0xAA55
# skip unusual floppy image without boot signature like 360k-256.img (mtools 4.0.18)
# by check for characteristic file system type text for FAT (12 bit or 16 bit)
>>>>>54 string !FAT
# "ftp://old-dos.ru/OSCollect/OS/MS-DOS/Final Releases/Microsoft MS-DOS 3.31 (Compaq OEM) (3.5).rar"
# skip unusual floppy image Disk4.img without boot signature and file system type text
# by check for characteristic OEM-ID text
>>>>>>3 string !COMPAQ\040\040
# no such DOS COM executables found
>>>>>>>0 use msdos-com
# JMP 16bit
0 byte 0xe9
# 16-bit offset; for DEBUGGING!; can be negative like: USBDRIVE.COM
#>1 leshort x \b, OFFSET %d
# forward jumps
>1 leshort >-1
# that offset must be accessible
# with hexadecimal values like: 06 1e 0e 2e 60 8c 8d b4 ba be e8 fc
>>(1.s+3) byte x
# check for unrealistic high number of FATs. Then it is not a disk image and it is a DOS executable
# like: CALLVER.COM CPUCACHE.COM K437_EUR.COM SHSUCDX.COM UMBFILL.COM (183 bytes)
>>>16 ubyte >3
>>>>0 use msdos-com
# check for unrealistic low number of FATs. Then it is not a disk image and it is a DOS executable
# like: GAG.COM DRMOUSE.COM NDN.COM CPQ0TD.DRV
>>>16 ubyte =0
>>>>0 use msdos-com
# maybe disc image with valid number of FATs or DOS executable
# like: IPXODI.COM PERUSE.COM TASKID.COM
>>>16 default x
# invalid low media descriptor. Then it is not a disk image and it is a DOS executable
>>>>21 ubyte <0xE5
>>>>>0 use msdos-com
# valid media descriptor. Then it is maybe disk image or DOS executable
>>>>21 ubyte >0xE4
# invalid sectorsize not a power of 2 from 32-32768. Then it is not a disk image and it must be DOS executable
# like: LEARN.COM (Word 1.15)
>>>>>11 uleshort&0x001f !0
>>>>>>0 use msdos-com
# negative offset, must not lead into PSP
# like: BASICA.COM (PC dos 3.20) FORMAT.COM SMC8100.COM WORD.COM (word4)
# HIDSUPT1.COM USBDRIVE.COM USBSUPT1.COM USBUHCI.COM (FreeDOS USBDOS)
>1 leshort <-259
# that offset must be accessible
# add 10000h to jump at end of 64 KiB segment, add 1 for jump instruction and 2 for 16-bit offset
>>(1,s+65539) byte x
# after jump next instruction for DEBUGGING!
#>>>&-1 ubelong x \b, NEXT instruction %#8.8x
>>>0 use msdos-com

# updated by Joerg Jenderek at Oct 2008,2015,2022
# following line is too general
0 ubyte 0xb8
# skip 2 linux kernels like memtest.bin with "\xb8\xc0\x07\x8e" in ./linux
>0 string !\xb8\xc0\x07\x8e
# modified by Joerg Jenderek
# syslinux COM32 or COM32R executable
>>1 lelong&0xFFFFFFFe 0x21CD4CFe COM executable (32-bit COMBOOT
# https://www.syslinux.org/wiki/index.php/Comboot_API
# Since version 5.00 c32 modules switched from the COM32 object format to ELF
!:mime application/x-c32-comboot-syslinux-exec
!:ext c32
# https://syslinux.zytor.com/comboot.php
# older syslinux version ( <4 )
# (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode
# start with assembler instructions mov eax,21cd4cffh
>>>1 lelong 0x21CD4CFf \b)
# syslinux:doc/comboot.txt
# A COM32R program must start with the byte sequence B8 FE 4C CD 21 (mov
# eax,21cd4cfeh) as a magic number.
# syslinux version (4.x)
# "COM executable (COM32R)" or "Syslinux COM32 module" by TrID
>>>1 lelong 0x21CD4CFe \b, relocatable)
>>1 default x
# look for interrupt instruction like in rem.com (DJGPP) LOADER.COM (DR-DOS 7.x)
>>>3 search/118 \xCD
# FOR DEBUGGING; possible hexadecimal interrupt number like: 10~BANNER.COM 13~bcdw_cl.com 15~poweroff.com (Syslinux)
# 1A~BERNDPCI.COM 20~SETENHKB.COM 21~mostly 22~gfxboot.com (Syslinux) 2F~SHUTDOWN.COM (GEMSYS)
#>>>>&0 ubyte x \b, INTERUPT %#x
# few examples with interrupt 0x13 instruction
>>>>&0 ubyte =0x13
# FOR DEBUGGING!
#>>>>>3 ubequad x \b, 2nd INSTRUCTION %#16.16llx
# skip Gpt.com Mbr.com (edk2-UDK2018 bootsector) described as "DOS/MBR boot sector" by ./filesystems
# by check for assembler instructions: mov es,ax ; mov ax,07c0h ; mov ds,ax
>>>>>3 ubequad !0x8ec0b8c0078ed88d
# few COM executables with interrupt 0x13 instruction like: Bootable CD Wizard executables bcdw_cl.com fdemuoff.com
# http://bootcd.narod.ru/bcdw150z_en.zip
>>>>>>0 use msdos-com
# few examples with interrupt 0x16 instruction like flashimg.img
>>>>&0 ubyte =0x16
# skip Syslinux 3.71 flashimg.img done as "DOS/MBR boot sector" by ./filesystems
# by check for assembler instructions: cmp ax 0xE4E4 (magic); jnz
>>>>>8 ubelong !0x3DE4E475
# no DOS executable with interrupt 0x16 found
>>>>>>0 use msdos-com
# most examples with interrupt instruction unequal 0x13 and 0x16
>>>>&0 default x
#>>>>>&-1 ubyte x \b, INTERUPT %#x
# like: LOADER.COM SETENHKB.COM banner.com copybs.com gif2raw.com poweroff.com rem.com
>>>>>0 use msdos-com
# few COM executables without interrupt instruction like RESTART.COM (DOS 7.10) REBOOT.COM
# or some EUC-KR text files or one Ulead Imaginfo thumbnail
>>>3 default x
# FOR DEBUGGING; 2nd instruction like 0x50 (RESTART.COM) 0x8e (REBOOT.COM)
# or random like: 0x0 (IMAGINFO.PE3 sky_snow) 0xb1 (euckr_.txt)
#>>>>3 ubyte x \b, 2nd INSTRUCTION %#x
# skip 1 Ulead Imaginfo thumbnail (IMAGINFO.PE3 sky_snow)
# inside SAMPLES/TEXTURES/SKY_SNOW
# from https://archive.org/download/PI3CANON/PI3CANON.iso
>>>>3 ubyte !0x0
# skip some EUC-KR text files like: euckr_falsepositive.txt
# https://bugs.astron.com/view.php?id=186
>>>>>3 ubyte !0xb1
# like: RESTART.COM (DOS 7.10) REBOOT.COM
>>>>>>0 use msdos-com

# URL: https://en.wikipedia.org/wiki/UPX
# Reference: https://github.com/upx/upx/archive/v3.96.zip/upx-3.96/
# src/stub/src/i086-dos16.com.S
# Update: Joerg Jenderek
# assembler instructions: cmp sp, offset sp_limit
0 string/b \x81\xfc
#>2 uleshort x \b, sp_limit=%#x
# assembler instructions: jump above +2; int 0x20; mov cx, offset bytes_to_copy
>4 string \x77\x02\xcd\x20\xb9
#>9 uleshort x \b, [bytes_to_copy]=%#x
# at different offsets assembler instructions: push di; jump decomp_start_n2b
>0x1e search/3 \x57\xe9
#>>&0 uleshort x \b, decomp_start_n2b=%#x
# src/stub/src/include/header.S; UPX_MAGIC_LE32
>>&2 string UPX! FREE-DOS executable (COM), UPX
!:mime application/x-dosexec
# UPX compressed *.CPI; See ./fonts
>>>&21 string =FONT compressed DOS code page font
!:ext cpx
>>>&21 string !FONT compressed
!:ext com
# compressed size?
#>>>&14 uleshort+152 x \b, %u bytes
# uncompressed len
>>>&12 uleshort x \b, uncompressed %u bytes
252 string Must\ have\ DOS\ version DR-DOS executable (COM)
!:mime application/x-dosexec
!:ext com
# GRR search is not working
#2 search/28 \xcd\x21 COM executable for MS-DOS
#WHICHFAT.cOM
2 string \xcd\x21 COM executable for DOS
!:mime application/x-dosexec
!:ext com
#DELTREE.cOM DELTREE2.cOM
4 string \xcd\x21 COM executable for DOS
!:mime application/x-dosexec
!:ext com
#IFMEMDSK.cOM ASSIGN.cOM COMP.cOM
5 string \xcd\x21 COM executable for DOS
!:mime application/x-dosexec
!:ext com
#DELTMP.COm HASFAT32.cOM
7 string \xcd\x21
>0 byte !0xb8 COM executable for DOS
!:mime application/x-dosexec
!:ext com
#COMP.cOM MORE.COm
10 string \xcd\x21
>5 string !\xcd\x21 COM executable for DOS
!:mime application/x-dosexec
!:ext com
#comecho.com
13 string \xcd\x21 COM executable for DOS
!:mime application/x-dosexec
!:ext com
#HELP.COm EDIT.coM
18 string \xcd\x21
# not printable before it?
>17 byte >32
>>17 byte <126
>>17 default x COM executable for MS-DOS
!:mime application/x-dosexec
!:ext com
#NWRPLTRM.COm
23 string \xcd\x21 COM executable for MS-DOS
!:mime application/x-dosexec
!:ext com
#LOADFIX.cOm LOADFIX.cOm
30 string \xcd\x21 COM executable for MS-DOS
!:mime application/x-dosexec
!:ext com
#syslinux.com 3.11
70 string \xcd\x21 COM executable for DOS
!:mime application/x-dosexec
!:ext com
# many compressed/converted COMs start with a copy loop instead of a jump
0x6 search/0xa \xfc\x57\xf3\xa5\xc3 COM executable for MS-DOS
!:mime application/x-dosexec
!:ext com
0x6 search/0xa \xfc\x57\xf3\xa4\xc3 COM executable for DOS
!:mime application/x-dosexec
!:ext com
>0x18 search/0x10 \x50\xa4\xff\xd5\x73 \b, aPack compressed
0x3c string W\ Collis\0\0 COM executable for MS-DOS, Compack compressed
!:mime application/x-dosexec
!:ext com
# FIXME: missing diet .com compression

# miscellaneous formats
0 string/b LZ MS-DOS executable (built-in)
#0 byte 0xf0 MS-DOS program library data
#

# AAF files:
# <stuartc@rd.bbc.co.uk> Stuart Cunningham
0 string/b \320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377 AAF legacy file using MS Structured Storage
>30 byte 9 (512B sectors)
>30 byte 12 (4kB sectors)
0 string/b \320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001 AAF file using MS Structured Storage
>30 byte 9 (512B sectors)
>30 byte 12 (4kB sectors)

# Popular applications
#
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/DOC
# Reference: https://web.archive.org/web/20170206041048/
# http://www.msxnet.org/word2rtf/formats/ffh-dosword5
# wIdent+dty
0 belong 0x31be0000
# skip droid skeleton like x-fmt-274-signature-id-488.doc
>128 ubyte >0 Microsoft
>>96 uleshort =0 Word
!:mime application/msword
!:apple MSWDWDBN
# DCX is used in the Unix version.
!:ext doc/dcx
>>>0x6E ulequad =0 1.0-4.0
>>>0x6E ulequad !0 5.0-6.0
>>>0x6E ulequad x (DOS) Document
# https://web.archive.org/web/20130831064118/http://msxnet.org/word2rtf/formats/write.txt
>>96 uleshort !0 Write 3.0 (Windows) Document
!:mime application/x-mswrite
!:apple MSWDWDBN
# sometimes also doc like in splitter.doc srchtest.doc
!:ext wri/doc
# wTool must be 0125400 octal
#>>4 uleshort !0xAB00 \b, wTool %o
# reserved; must be zero
#>>6 ulelong !0 \b, reserved %u
# block pointer to the block containing optional file manager information
#>>0x1C uleshort x \b, at %#x info block
# jump to File manager information block
>>(0x1C.s*128) uleshort x
# test for valid information start; maybe also 0012h
>>>&-2 uleshort =0x0014
# Document ASCIIZ name
>>>>&0x12 string x %s
# author name
>>>>>&1 string x \b, author %s
# reviser name
>>>>>>&1 string x \b, reviser %s
# keywords
>>>>>>>&1 string x \b, keywords %s
# comment
>>>>>>>>&1 string x \b, comment %s
# version number
>>>>>>>>>&1 string x \b, version %s
# date of last change MM/DD/YY
>>>>>>>>>>&1 string x \b, %-.8s
# creation date MM/DD/YY
>>>>>>>>>>&9 string x created %-.8s
# file name of print format like NORMAL.STY
>>0x1E string >0 \b, formatted by %-.66s
# count of pages in whole file for write variant; maybe some times wrong
>>96 uleshort >0 \b, %u pages
# name of the printer driver like HPLASMS
>>0x62 string >0 \b, %-.8s printer
# number of blocks used in the file; seems to be 0 for Word 4.0 and Write 3.0
>>0x6A uleshort >0 \b, %u blocks
# bit field for corrected text areas
#>>0x6C uleshort x \b, %#x bit field
# text of document; some times start with 4 non printable characters like CR LF
>>128 ubyte x \b,
>>>128 ubyte >0x1F
>>>>128 string x %s
>>>128 ubyte <0x20
>>>>129 ubyte >0x1F
>>>>>129 string x %s
>>>>129 ubyte <0x20
>>>>>130 ubyte >0x1F
>>>>>>130 string x %s
>>>>>130 ubyte <0x20
>>>>>>131 ubyte >0x1F
>>>>>>>131 string x %s
>>>>>>131 ubyte <0x20
>>>>>>>132 ubyte >0x1F
>>>>>>>>132 string x %s
>>>>>>>132 ubyte <0x20
>>>>>>>>133 ubyte >0x1F
>>>>>>>>>133 string x %s
#
0 string/b PO^Q` Microsoft Word 6.0 Document
!:mime application/msword
#
4 long 0
>0 belong 0xfe320000 Microsoft Word for Macintosh 1.0
!:mime application/msword
!:ext mcw
>0 belong 0xfe340000 Microsoft Word for Macintosh 3.0
!:mime application/msword
!:ext mcw
>0 belong 0xfe37001c Microsoft Word for Macintosh 4.0
!:mime application/msword
!:ext mcw
>0 belong 0xfe370023 Microsoft Word for Macintosh 5.0
!:mime application/msword
!:ext mcw

0 string/b \333\245-\0\0\0 Microsoft Word 2.0 Document
!:mime application/msword
!:ext doc
# Note: seems already recognized as "OLE 2 Compound Document" in ./ole2compounddocs
#512 string/b \354\245\301 Microsoft Word Document
#!:mime application/msword

#
0 string/b \xDB\xA5\x2D\x00 Microsoft WinWord 2.0 Document
!:mime application/msword
#
0 string/b \xDB\xA5\x2D\x00 Microsoft WinWord 2.0 Document
!:mime application/msword

#
0 string/b \x09\x04\x06\x00\x00\x00\x10\x00 Microsoft Excel Worksheet
!:mime application/vnd.ms-excel
# https://www.macdisk.com/macsigen.php
!:apple XCELXLS4
!:ext xls
#
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/Lotus_1-2-3
# Reference:
http://www.aboutvb.de/bas/formate/pdf/wk3.pdf 1049c30bd091SSascha Wildner# Note: newer Lotus versions >2 use longer BOF record 1050c30bd091SSascha Wildner# record type (BeginningOfFile=0000h) + length (001Ah) 1051c30bd091SSascha Wildner0 belong 0x00001a00 1052c30bd091SSascha Wildner# reserved should be 0h but 8c0dh for TUTMAC.WK3, 5h for SAMPADNS.WK3, 1h for a_readme.wk3, 1eh for K&G86.WK3 1053c30bd091SSascha Wildner#>18 uleshort&0x73E0 0 1054c30bd091SSascha Wildner# Lotus Multi Byte Character Set (LMBCS=1-31) 1055c30bd091SSascha Wildner>20 ubyte >0 1056c30bd091SSascha Wildner>>20 ubyte <32 Lotus 1-2-3 1057c30bd091SSascha Wildner#!:mime application/x-123 1058c30bd091SSascha Wildner!:mime application/vnd.lotus-1-2-3 1059c30bd091SSascha Wildner!:apple ????L123 1060c30bd091SSascha Wildner# (version 5.26) labeled the entry as "Lotus 1-2-3 wk3 document data" 1061c30bd091SSascha Wildner>>>4 uleshort 0x1000 WorKsheet, version 3 1062c30bd091SSascha Wildner!:ext wk3 1063c30bd091SSascha Wildner# (version 5.26) labeled the entry as "Lotus 1-2-3 wk4 document data" 1064c30bd091SSascha Wildner>>>4 uleshort 0x1002 WorKsheet, version 4 1065c30bd091SSascha Wildner# also worksheet template 4 (.wt4) 1066c30bd091SSascha Wildner!:ext wk4/wt4 1067c30bd091SSascha Wildner# no example or documentation for wk5 1068c30bd091SSascha Wildner#>>4 uleshort 0x???? WorKsheet, version 4 1069c30bd091SSascha Wildner#!:ext wk5 1070c30bd091SSascha Wildner# only MacrotoScript.123 example 1071c30bd091SSascha Wildner>>>4 uleshort 0x1003 WorKsheet, version 97 1072c30bd091SSascha Wildner# also worksheet template Smartmaster (.12M)? 
!:ext 123
# only Set_Y2K.123 example
>>>4 uleshort 0x1005 WorKsheet, version 9.8 Millennium
!:ext 123
# no example for this version
>>>4 uleshort 0x8001 FoRMatting data
!:ext frm
# (version 5.26) labeled the entry as "Lotus 1-2-3 fm3 or fmb document data"
# TrID labels the entry as "Formatting Data for Lotus 1-2-3 worksheet"
>>>4 uleshort 0x8007 ForMatting data, version 3
!:ext fm3
>>>4 default x unknown
# file revision sub code 0004h for worksheets
>>>>6 uleshort =0x0004 worksheet
!:ext wXX
>>>>6 uleshort !0x0004 formatting data
!:ext fXX
# main revision number
>>>>4 uleshort x \b, revision %#x
>>>6 uleshort =0x0004 \b, cell range
# active cellcoord range (start row, page,column ; end row, page, column)
# start values normally 0~1st sheet A1
>>>>8 ulelong !0
>>>>>10 ubyte >0 \b%d*
>>>>>8 uleshort x \b%d,
>>>>>11 ubyte x \b%d-
# end page mostly 0
>>>>14 ubyte >0 \b%d*
# end row, column normally not 0
>>>>12 uleshort x \b%d,
>>>>15 ubyte x \b%d
# Lotus Multi Byte Character Set (1~cp850,2~cp851,...,16~japan,...,31~??)
>>>>20 ubyte >1 \b, character set %#x
# flags
>>>>21 ubyte x \b, flags %#x
>>>6 uleshort !0x0004
# record type (FONTNAME=00AEh)
>>>>30 search/29 \0\xAE
# variable length m (2) + entries (1) + ?? (1) + LCMBS string (n)
>>>>>&4 string >\0 \b, 1st font "%s"
#
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/Lotus_1-2-3
# Reference: http://www.schnarff.com/file-formats/lotus-1-2-3/WSFF2.TXT
# Note: Used by both old Lotus 1-2-3 and Lotus Symphony (DOS) til version 2.x
# record type (BeginningOfFile=0000h) + length (0002h)
0 belong 0x00000200
# GRR: line above is too general as it catches also MS Windows CURsor
# to display MS Windows cursor (strength=70) before Lotus 1-2-3 (strength=70-1)
!:strength -1
# skip Windows cursors with image height <256 and keep Lotus with low opcode 0001-0083h
>7 ubyte 0
# skip Windows cursors with image width 256 and keep Lotus with positive opcode
>>6 ubyte >0 Lotus
# !:mime application/x-123
!:mime application/vnd.lotus-1-2-3
!:apple ????L123
# revision number (0404h = 123 1A, 0405h = Lotus Symphony , 0406h = 123 2.x wk1 , 8006h = fmt , ...)
# undocumented; (version 5.26) labeled the configurations as "Lotus 1-2-3"
>>>4 uleshort 0x0007 1-2-3 CoNFiguration, version 2.x (PGRAPH.CNF)
!:ext cnf
>>>4 uleshort 0x0C05 1-2-3 CoNFiguration, version 2.4J
!:ext cnf
>>>4 uleshort 0x0801 1-2-3 CoNFiguration, version 1-2.1
!:ext cnf
>>>4 uleshort 0x0802 Symphony CoNFiguration
!:ext cnf
>>>4 uleshort 0x0804 1-2-3 CoNFiguration, version 2.2
!:ext cnf
>>>4 uleshort 0x080A 1-2-3 CoNFiguration, version 2.3-2.4
!:ext cnf
>>>4 uleshort 0x1402 1-2-3 CoNFiguration, version 3.x
!:ext cnf
>>>4 uleshort 0x1450 1-2-3 CoNFiguration, version 4.x
!:ext cnf
# (version 5.26) labeled the entry as "Lotus 123"
# TrID labels the entry as "Lotus 123 Worksheet (generic)"
>>>4 uleshort 0x0404 1-2-3 WorKSheet, version 1
# extension "wks" also for Microsoft Works document
!:ext wks
# (version 5.26) labeled the entry as "Lotus 123"
# TrID labels the entry as "Lotus 123 Worksheet (generic)"
>>>4 uleshort 0x0405 Symphony WoRksheet, version 1.0
!:ext wrk/wr1
# (version 5.26) labeled the entry as "Lotus 1-2-3 wk1 document data"
# TrID labels the entry as "Lotus 123 Worksheet (V2)"
>>>4 uleshort 0x0406 1-2-3/Symphony worksheet, version 2
# Symphony (.wr1)
!:ext wk1/wr1
# no example for this japan version
>>>4 uleshort 0x0600 1-2-3 WorKsheet, version 1.xJ
!:ext wj1
# no example or documentation for wk2
#>>>4 uleshort 0x???? 1-2-3 WorKsheet, version 2
#!:ext wk2
# undocumented japan version
>>>4 uleshort 0x0602 1-2-3 worksheet, version 2.4J
!:ext wj3
# (version 5.26) labeled the entry as "Lotus 1-2-3 fmt document data"
>>>4 uleshort 0x8006 1-2-3 ForMaTting data, version 2.x
# japan version 2.4J (fj3)
!:ext fmt/fj3
# no example for this version
>>>4 uleshort 0x8007 1-2-3 FoRMatting data, version 2.0
!:ext frm
# (version 5.26) labeled the entry as "Lotus 1-2-3"
>>>4 default x unknown worksheet or configuration
!:ext cnf
>>>>4 uleshort x \b, revision %#x
# 2nd record for most worksheets describes cells range
>>>6 use lotus-cells
# 3rd record for most japan worksheets describes cells range
>>>(8.s+10) use lotus-cells
# check and then display Lotus worksheet cells range
0 name lotus-cells
# look for type (RANGE=0006h) + length (0008h) at record begin
>0 ubelong 0x06000800 \b, cell range
# cell range (start column, row, end column, row) start values normally 0,0~A1 cell
>>4 ulong !0
>>>4 uleshort x \b%d,
>>>6 uleshort x \b%d-
# end of cell range
>>8 uleshort x \b%d,
>>10 uleshort x \b%d
# EndOfLotus123
0 string/b WordPro\0 Lotus WordPro
!:mime application/vnd.lotus-wordpro
0 string/b WordPro\r\373 Lotus WordPro
!:mime application/vnd.lotus-wordpro


# Summary: Script used by InstallShield to uninstall applications
# Extension: .isu
# Submitted by: unknown
# Modified by (1): Abel Cheung <abelcheung@gmail.com> (replace useless entry)
0 string \x71\xa8\x00\x00\x01\x02
>12 string Stirling\ Technologies, InstallShield Uninstall Script

# Winamp .avs
#0 string Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media player
0 string/b Nullsoft\ AVS\ Preset\  Winamp plug in

# Windows Metafile .WMF
0 string/b \327\315\306\232 Windows metafile
!:mime image/wmf
!:ext wmf
0 string/b \002\000\011\000 Windows metafile
!:mime image/wmf
!:ext wmf
0 string/b \001\000\011\000 Windows metafile
!:mime image/wmf
!:ext wmf

#tz3 files whatever that is (MS Works files)
0 string/b \003\001\001\004\070\001\000\000 tz3 ms-works file
0 string/b \003\002\001\004\070\001\000\000 tz3 ms-works file
0 string/b \003\003\001\004\070\001\000\000 tz3 ms-works file

# PGP sig files .sig
#0 string \211\000\077\003\005\000\063\237\127 065 to \027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\225\003\005\000\062\122\207\304\100\345\042 PGP sig

# windows zips files .dmf
0 string/b MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000 MS Windows special zipped file

# Windows icons
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
# Note: similar to Windows CURsor. container for BMP (only DIB part) or PNG
0 belong 0x00000100
>9 byte 0
>>0 byte x
>>0 use cur-ico-dir
>9 ubyte 0xff
>>0 byte x
>>0 use cur-ico-dir
# displays number of icons and information for icon or cursor
0 name cur-ico-dir
# skip some Lotus 1-2-3 worksheets, CYCLE.PIC and keep Windows cursors with
# 1st data offset = dir header size + n * dir entry size = 6 + n * 10h = ?6h
>18 ulelong &0x00000006
# skip remaining worksheets, because valid only for DIB image (40) or PNG image (\x89PNG)
>>(18.l) ulelong x MS Windows
>>>0 ubelong 0x00000100 icon resource
# https://www.iana.org/assignments/media-types/image/vnd.microsoft.icon
!:mime image/vnd.microsoft.icon
#!:mime image/x-icon
!:ext ico
>>>>4 uleshort x - %d icon
# plural s
>>>>4 uleshort >1 \bs
# 1st icon
>>>>0x06 use ico-entry
# 2nd icon
>>>>4 uleshort >1
>>>>>0x16 use ico-entry
>>>0 ubelong 0x00000200 cursor resource
#!:mime image/x-cur
!:mime image/x-win-bitmap
!:ext cur
>>>>4 uleshort x - %d icon
>>>>4 uleshort >1 \bs
# 1st cursor
>>>>0x06 use cur-entry
#>>>>0x16 use cur-entry
# display information of one cursor entry
0 name cur-entry
>0 use cur-ico-entry
>4 uleshort x \b, hotspot @%dx
>6 uleshort x \b%d
# display information of one icon entry
0 name ico-entry
>0 use cur-ico-entry
# normally 0 1 but also found 14
>4 uleshort >1 \b, %d planes
# normally 0 1 but also found some 3, 4, some 6, 8, 24, many 32, two 256
>6 uleshort >1 \b, %d bits/pixel
# display shared information of cursor or icon entry
0 name cur-ico-entry
>0 byte =0 \b, 256x
>0 byte !0 \b, %dx
>1 byte =0 \b256
>1 byte !0 \b%d
# number of colors in palette
>2 ubyte !0 \b, %d colors
# reserved 0 FFh
#>3 ubyte x \b, reserved %x
#>8 ulelong x \b, image size %d
# offset of PNG or DIB image
#>12 ulelong x \b, offset %#x
# PNG header (\x89PNG)
>(12.l) ubelong =0x89504e47
# 1 space char after "with" to get phrase "with PNG image" by magic in ./images
>>&-4 indirect x \b with
# DIB image
>(12.l) ubelong !0x89504e47
#>>&-4 use dib-image

# Windows non-animated cursors
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
# Note: similar to Windows ICOn. container for BMP ( only DIB part)
# GRR: line below is too general as it catches also Lotus 1-2-3 files
0 belong 0x00000200
>9 byte 0
>>0 use cur-ico-dir
>9 ubyte 0xff
>>0 use cur-ico-dir

# .chr files
0 string/b PK\010\010BGI Borland font
>4 string >\0 %s
# then there is a copyright notice


# .bgi files
0 string/b pk\010\010BGI Borland device
>4 string >\0 %s
# then there is a copyright notice


# Windows Recycle Bin record file (named INFO2)
# By Abel Cheung (abelcheung AT gmail dot com)
# Version 4 always has 280 bytes (0x118) per record, version 5 has 800 bytes
# Since Vista uses another structure, INFO2 structure probably won't change
# anymore. Detailed analysis in:
# http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf
0 lelong 0x00000004
>12 lelong 0x00000118 Windows Recycle Bin INFO2 file (Win98 or below)

0 lelong 0x00000005
>12 lelong 0x00000320 Windows Recycle Bin INFO2 file (Win2k - WinXP)

# From Doug Lee via a FreeBSD pr
9 string GERBILDOC First Choice document
9 string GERBILDB First Choice database
9 string GERBILCLIP First Choice database
0 string GERBIL First Choice device file
9 string RABBITGRAPH RabbitGraph file
0 string DCU1 Borland Delphi .DCU file
0 string =!<spell> MKS Spell hash list (old format)
0 string =!<spell2> MKS Spell hash list
# Too simple - MPi
#0 string AH Halo(TM) bitmapped font file
0 lelong 0x08086b70 TurboC BGI file
0 lelong 0x08084b50 TurboC Font file

# Debian#712046: The magic below identifies "Delphi compiled form data".
# An additional source of information is available at:
# http://www.woodmann.com/fravia/dafix_t1.htm
0 string TPF0
>4 pstring >\0 Delphi compiled form '%s'

# tests for DBase files moved, updated and merged to database

0 string PMCC Windows 3.x .GRP file
1 string RDC-meg MegaDots
>8 byte >0x2F version %c
>9 byte >0x2F \b.%c file
0 lelong 0x4C
>4 lelong 0x00021401 Windows shortcut file

# .PIF files added by Joerg Jenderek from https://smsoft.ru/en/pifdoc.htm
# only for windows versions equal or greater 3.0
0x171 string MICROSOFT\ PIFEX\0 Windows Program Information File
!:mime application/x-dosexec
!:ext pif
#>2 string >\0 \b, Title:%.30s
>0x24 string >\0 \b for %.63s
>0x65 string >\0 \b, directory=%.64s
>0xA5 string >\0 \b, parameters=%.64s
#>0x181 leshort x \b, offset %x
#>0x183 leshort x \b, offsetdata %x
#>0x185 leshort x \b, section length %x
>0x187 search/0xB55 WINDOWS\ VMM\ 4.0\0
>>&0x5e ubyte >0
>>>&-1 string <PIFMGR.DLL \b, icon=%s
#>>>&-1 string PIFMGR.DLL \b, icon=%s
>>>&-1 string >PIFMGR.DLL \b, icon=%s
>>&0xF0 ubyte >0
>>>&-1 string <Terminal \b, font=%.32s
#>>>&-1 string =Terminal \b, font=%.32s
>>>&-1 string >Terminal \b, font=%.32s
>>&0x110 ubyte >0
>>>&-1 string <Lucida\ Console \b, TrueTypeFont=%.32s
#>>>&-1 string =Lucida\ Console \b, TrueTypeFont=%.32s
>>>&-1 string >Lucida\ Console \b, TrueTypeFont=%.32s
#>0x187 search/0xB55 WINDOWS\ 286\ 3.0\0 \b, Windows 3.X standard mode-style
#>0x187 search/0xB55 WINDOWS\ 386\ 3.0\0 \b, Windows 3.X enhanced mode-style
>0x187 search/0xB55 WINDOWS\ NT\ \ 3.1\0 \b, Windows NT-style
#>0x187 search/0xB55 WINDOWS\ NT\ \ 4.0\0 \b, Windows NT-style
>0x187 search/0xB55 CONFIG\ \ SYS\ 4.0\0 \b +CONFIG.SYS
#>>&06 string x \b:%s
>0x187 search/0xB55 AUTOEXECBAT\ 4.0\0 \b +AUTOEXEC.BAT
#>>&06 string x \b:%s

# DOS EPS Binary File Header
# From: Ed Sznyter <ews@Black.Market.NET>
0 belong 0xC5D0D3C6 DOS EPS Binary File
!:mime image/x-eps
>4 long >0 Postscript starts at byte %d
>>8 long >0 length %d
>>>12 long >0 Metafile starts at byte %d
>>>>16 long >0 length %d
>>>20 long >0 TIFF starts at byte %d
>>>>24 long >0 length %d

# Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C
# of http://www.davep.org/norton-guides/ng2h-105.tgz
# https://en.wikipedia.org/wiki/Norton_Guides
0 string NG\0\001
# only value 0x100 found at offset 2
>2 ulelong 0x00000100 Norton Guide
!:mime application/x-norton-guide
# often like NORTON.NG but sometimes like NC.HLP
!:ext ng/hlp
# Title[40]
>>8 string >\0 "%-.40s"
#>>6 uleshort x \b, MenuCount=%u
# szCredits[5][66]
>>48 string >\0 \b, %-.66s
>>114 string >\0 %-.66s

# URL: https://en.wikipedia.org/wiki/Norton_Commander
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/msg-nc-eng.trid.xml
# From: Joerg Jenderek
# Note: Message file is used by executable with same main name.
# Only tested with version 5.50 (english) and 2.01 (Windows)
0 string Abort
# \0 or i
#>5 ubyte x %x
# skip ASCII Abort text by looking for error message like in NCVIEW.MSG
>6 search/7089 Non-DOS\ disk Norton Commander module message
!:mime application/x-norton-msg
!:ext msg

# URL: http://www.antonis.de/dos/dos-tuts/mpdostip/html/nwdostip.htm
# Reference: https://mark0.net/download/triddefs_xml.7z/defs/m/msg-netware-dos.trid.xml
# From: Joerg Jenderek
0 string DOS\ Client\ Message\ File: Novell DOS client message
#!:mime application/octet-stream
#!:mime application/x-novell-msg
!:ext msg
# look for second letter instead space character
>26 ubyte >0x20
# digit 1 or often main or program name like: IPXODI.COM TASKID pnwtrap DOSRqstr
>>25 ubyte !0x20 %c
>>>26 ubyte !0x20 \b%c
>>>>27 ubyte !0x20 \b%c
>>>>>28 ubyte !0x20 \b%c
>>>>>>29 ubyte !0x20 \b%c
>>>>>>>30 ubyte !0x20 \b%c
>>>>>>>>31 ubyte !0x20 \b%c
>>>>>>>>>32 ubyte !0x20 \b%c
>>>>>>>>>>33 ubyte !0x20 \b%c
>>>>>>>>>>>34 ubyte !0x20 \b%c
>>>>>>>>>>>>35 ubyte !0x20 \b%c
>>>>>>>>>>>>>36 ubyte !0x20 \b%c
# followed by string like: 0 v.10 V1.20
#
# followed by ,\040Tran
>28 search/14 ,\040Tran
# probably translated version string like: 0 v1.00
>>&0 string x \b, tran version %s
# followed by Ctrl-J Ctrl-Z
>>>&0 ubyte !0xa \b, terminated by %#2.2x
>>>>&0 ubyte x \b%2.2x
# Ctrl-Z
>0x65 ubyte !0x1A \b, at 0x65 %#x
# one
>0x66 ubyte !0x01 \b, at 0x66 %#x
# URL: https://en.wikipedia.org/wiki/NetWare
# Reference: http://mark0.net/download/triddefs_xml.7z/defs/d/dat-novell-msg.trid.xml
# ftp://ftp.iitb.ac.in/LDP/en/NLM-HOWTO/NLM-HOWTO-single.html
# From: Joerg Jenderek
0 string Novell\ Message\ Librarian\ Data\ File Novell message librarian data
#>35 string Version\ 1.00
#>49 string COPYRIGHT\ (c)\ 1985\ by\ Novell,\ Inc.
#>83 string \ \ All\ Rights\ Reserved
#!:mime application/octet-stream
#!:mime application/x-novell-msg
!:ext msg
#!:ext msg/dat
# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS
# of https://www.4dos.info/
# pointer,HelpID[8]=4DHnnnmm
0 ulelong 0x48443408 4DOS help file
>4 string x \b, version %-4.4s

# old binary Microsoft (.HLP) files added by Joerg Jenderek from http://file-extension.net/seeker/file_extension_hlp
0 ulequad 0x3a000000024e4c MS Advisor help file

# HtmlHelp files (.chm)
0 string/b ITSF\003\000\000\000\x60\000\000\000 MS Windows HtmlHelp Data
!:mime application/vnd.ms-htmlhelp
!:ext chm

# GFA-BASIC (Wolfram Kleff)
2 string/b GFA-BASIC3 GFA-BASIC 3 data

#------------------------------------------------------------------------------
# From Stuart Caie <kyzer@4u.net> (developer of cabextract)
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/Cabinet_(file_format)
# Reference: https://msdn.microsoft.com/en-us/library/bb267310.aspx
# Note: verified by `7z l *.cab`
# Microsoft Cabinet files
0 string/b MSCF\0\0\0\0 Microsoft Cabinet archive data
#
# https://support.microsoft.com/en-us/help/973559/frequently-asked-questions-about-the-microsoft-support-diagnostic-tool
# CAB with *.{diagcfg,diagpkg} is used by Microsoft Support Diagnostic Tool MSDT.EXE
# because some archive does not have *.diag* as 1st or 2nd archive member like
# O15CTRRemove.diagcab or AzureStorageAnalyticsLogs_global.DiagCab
# brute looking after header for filenames with diagcfg or diagpkg extension in CFFILE section
>0x2c search/980/c .diag \b, Diagnostic
!:mime application/vnd.ms-cab-compressed
!:ext diagcab
# http://fileformats.archiveteam.org/wiki/PUZ
# Microsoft Publisher version about 2003 has a "Pack and Go" feature that
# bundles a Publisher document *PNG.pub with all links into a CAB
>0x2c search/300/c png.pub\0 \b, Publisher Packed and Go
!:mime application/vnd.ms-cab-compressed
!:ext puz
# ppz variant with Microsoft PowerPoint Viewer ppview32.exe to play PowerPoint presentation
>0x2c search/17/c ppview32.exe\0 \b, PowerPoint Viewer Packed and Go
!:mime application/vnd.ms-powerpoint
#!:mime application/mspowerpoint
!:ext ppz
# URL: https://en.wikipedia.org/wiki/Windows_Desktop_Gadgets
# Reference: https://docs.microsoft.com/en-us/previous-versions/windows/desktop/sidebar/
# http://win10gadgets.com/download/273/ All_CPU_Meter1.zip/All_CPU_Meter_V4.7.3.gadget
>0x2c search/968/c gadget.xml \b, Windows Desktop Gadget
#!:mime application/vnd.ms-cab-compressed
# http://extension.nirsoft.net/gadget
!:mime application/x-windows-gadget
!:ext gadget
# http://www.incredimail.com/
# IncrediMail CAB contains an initialisation file "content.ini" like in im2.ims
>0x2c search/3369/c content.ini\0 \b, IncrediMail
!:mime application/x-incredimail
# member Flavor.htm implies IncrediMail ecard like in tell_a_friend.imf
>>0x2c search/83/c Flavor.htm\0 ecard
!:ext imf
# member Macromedia Flash data *.swf implies IncrediMail skin like in im2.ims
>>0x2c search/211/c .swf\0 skin
!:ext ims
# member anim.im3 implies IncrediMail animation like in letter_fold.ima
>>0x2c search/92/c anim.im3\0 animation
!:ext ima
# other IncrediMail cab archive
>>0x2c default x
>>>0x2c search/116/c thumb ecard, image, notifier or skin
!:ext imf/imi/imn/ims
# http://file-extension.net/seeker/file_extension_ime
>>>0x2c default x emoticons or sound
!:ext ime/imw
# no Diagnostic, Packed and Go, Windows Desktop Gadget, IncrediMail
>0x2c default x
# look for 1st member name
>>(16.l+16) ubyte x
# https://en.wikipedia.org/wiki/SNP_file_format
>>>&-1 string/c _accrpt_.snp \b, Access report snapshot
!:mime application/msaccess
Wildner!:ext snp 1582c990e5baSDaniel Fojt# https://en.wikipedia.org/wiki/Microsoft_InfoPath 1583c990e5baSDaniel Fojt>>>&-1 string manifest.xsf \b, InfoPath Form Template 1584c990e5baSDaniel Fojt!:mime application/vnd.ms-cab-compressed 1585c990e5baSDaniel Fojt#!:mime application/vnd.ms-infopath 1586c990e5baSDaniel Fojt!:ext xsn 15876fca56fbSSascha Wildner# https://www.cabextract.org.uk/wince_cab_format/ 15886fca56fbSSascha Wildner# extension of DOS 8+3 name with ".000" of 1st archive member name implies Windows CE installer 15896fca56fbSSascha Wildner>>>&7 string =.000 \b, WinCE install 15906fca56fbSSascha Wildner!:mime application/vnd.ms-cab-compressed 15916fca56fbSSascha Wildner!:ext cab 15926fca56fbSSascha Wildner 15936fca56fbSSascha Wildner# https://support.microsoft.com/kb/934307/en-US 15946fca56fbSSascha Wildner# All inspected MSU contain a file with name WSUSSCAN.cab 15956fca56fbSSascha Wildner# that is called "Windows Update meta data" by Microsoft 15966fca56fbSSascha Wildner>>>&-1 string/c wsusscan.cab \b, Microsoft Standalone Update 15976fca56fbSSascha Wildner!:mime application/vnd.ms-cab-compressed 15986fca56fbSSascha Wildner!:ext msu 15996fca56fbSSascha Wildner>>>&-1 default x 1600970935fdSSascha Wildner# look at point character of 1st archive member name for file name extension 16016fca56fbSSascha Wildner>>>>&-1 search/255 . 
# http://www.pptfaq.com/FAQ00164_What_is_a_PPZ_file-.htm
# PPZ were created using Pack & Go feature of PowerPoint versions 97 - 2002
# packs optional files, a PowerPoint presentation *.ppt with optional PLAYLIST.LST to CAB
>>>>>&0 string/c ppt\0 \b, PowerPoint Packed and Go
!:mime application/vnd.ms-powerpoint
#!:mime application/mspowerpoint
!:ext ppz
# https://msdn.microsoft.com/en-us/library/windows/desktop/bb773190(v=vs.85).aspx
# first member *.theme implies Windows 7 Theme Pack like in CommunityShowcaseAqua3.themepack
# or Windows 8 Desktop Theme Pack like in PanoramicGlaciers.deskthemepack
>>>>>&0 string/c theme \b, Windows
!:mime application/x-windows-themepack
# https://www.drewkeller.com/content/using-theme-both-windows-7-and-windows-8
# 1st member Panoramic.theme or Panoramas.theme implies Windows 8-10 Theme Pack
# with MTSM=RJSPBS in [MasterThemeSelector] inside *.theme
>>>>>>(16.l+16) string =Panoram 8
!:ext deskthemepack
>>>>>>(16.l+16) string !Panoram 7 or 8
!:ext themepack/deskthemepack
>>>>>>(16.l+16) ubyte x Theme Pack
# URL: https://en.wikipedia.org/wiki/Microsoft_OneNote#File_format
# http://fileformats.archiveteam.org/wiki/OneNote
# Reference: https://mark0.net/download/triddefs_xml.7z/defs/o/onepkg.trid.xml
# 1st member name like: "Class Notes.one" "test-onenote.one" "Open Notebook.onetoc2" "Editor öffnen.onetoc2"
>>>>>&0 string/c one \b, OneNote Package
!:mime application/msonenote
!:ext onepkg
>>>>>&0 default x
# look for null terminator of 1st member name
>>>>>>&0 search/255 \0
# 2nd member name WSUSSCAN.cab like in Microsoft-Windows-MediaFeaturePack-OOB-Package.msu
>>>>>>>&16 string/c wsusscan.cab \b, Microsoft Standalone Update
!:mime application/vnd.ms-cab-compressed
!:ext msu
>>>>>>>&16 default x
# archive with more than one file needs some output in version 5.32 to avoid error message like
# Magdir/msdos, 1138: Warning: Current entry does not yet have a description for adding a MIME type
# Magdir/msdos, 1139: Warning: Current entry does not yet have a description for adding a EXTENSION type
# file: could not find any valid magic files!
>>>>>>>>28 uleshort >1 \b, many
!:mime application/vnd.ms-cab-compressed
!:ext cab
# remaining archives with just one file
>>>>>>>>28 uleshort =1
# neither extra bytes nor cab chain implies Windows 2000,XP setup files in directory i386
>>>>>>>>>30 uleshort =0x0000 \b, Windows 2000/XP setup
# cut off last char of source extension and add underscore to generate extension
# TERMCAP._ ... FXSCOUNT.H_ ... L3CODECA.AC_ ... NPDRMV2.ZI_
!:mime application/vnd.ms-cab-compressed
!:ext _/?_/??_
# archive needs some output like "single" in version 5.32 to avoid error messages
>>>>>>>>>30 uleshort !0x0000 \b, single
!:mime application/vnd.ms-cab-compressed
!:ext cab
# TODO: additional extensions like
# .xtp InfoPath Template Part
# .lvf Logitech Video Effects Face Accessory
>8 ulelong x \b, %u bytes
>28 uleshort 1 \b, 1 file
>28 uleshort >1 \b, %u files
# Reserved fields, set to zero
#>4 belong !0 \b, reserved1 %x
#>12 belong !0 \b, reserved2 %x
# offset of the first CFFILE entry coffFiles: minimal 2Ch
>16 ulelong x \b, at %#x
>(16.l) use cab-file
# at least also 2nd member
>28 uleshort >1
>>(16.l+16) ubyte x
>>>&0 search/255 \0
# second member info
>>>>&0 use cab-file
#>20 belong !0 \b, reserved %x
# Cabinet file format version. Currently, versionMajor = 1 and versionMinor = 3
>24 ubeshort !0x0301 \b version %#x
# number of CFFOLDER entries
>26 uleshort >1 \b, %u cffolders
# cabinet file option indicators 1~PREVIOUS, 2~NEXT, 4~reserved fields
# only found for flags 0 1 2 3 4 not 7
>30 uleshort >0 \b, flags %#x
# Cabinet files have a 16-bit cabinet setID field that is designed for application use.
# default is zero, however, the -i option of cabarc can be used to set this field
>32 uleshort >0 \b, ID %u
# iCabinet is number of this cabinet file in a set, where 0 for the first cabinet
#>34 uleshort x \b, iCabinet %u
# add one for display because humans start numbering by 1 and also fit to name of disk szDisk*
>34 uleshort+1 x \b, number %u
>30 uleshort &0x0004 \b, extra bytes
# cbCFHeader optional size of per-cabinet reserved area 14h 1800h
>>36 uleshort >0 %u in head
# cbCFFolder is optional size of per-folder reserved area
>>38 ubyte >0 %u in folder
# cbCFData is optional size of per-datablock reserved area
>>39 ubyte >0 %u in data block
# optional per-cabinet reserved area abReserve[cbCFHeader]
>>36 uleshort >0
# 1st CFFOLDER after reserved area in header
>>>(36.s+40) use cab-folder
# no reserved area in header
>30 uleshort ^0x0004
# no previous and next cab archive
>>30 uleshort =0x0000
>>>36 use cab-folder
# only previous cab archive
>>30 uleshort =0x0001 \b, previous
>>>36 use cab-anchor
# only next cab archive
>>30 uleshort =0x0002 \b, next
>>>36 use cab-anchor
# previous+next cab archive
# can not use sub routine cab-anchor to display previous and next cabinet together
#>>>36 use cab-anchor
#>>>>&0 use cab-anchor
>>30 uleshort =0x0003 \b, previous
>>>36 string x %s
# optional name of previous disk szDisk*
>>>>&1 string x disk %s
>>>>>&1 string x \b, next %s
# optional name of previous disk szDisk*
>>>>>>&1 string x disk %s
>>>>>>>&1 use cab-folder
# display filename and disk name of previous or next cabinet
0 name cab-anchor
# optional name of previous/next cabinet file szCabinet*[255]
>&0 string x %s
# optional name of previous/next disk szDisk*[255]
>>&1 string x disk %s
# display folder structure CFFOLDER information like compression of cabinet
0 name cab-folder
# offset of the CFDATA block in this folder
#>0 ulelong x \b, coffCabStart %#x
# number of CFDATA blocks in folder
>4 uleshort x \b, %u datablock
# plural s
>4 uleshort >1 \bs
# compression typeCompress: 0~None 1~MSZIP 0x1503~LZX:21 0x1003~LZX:16 0x0f03~LZX:15
>6 uleshort x \b, %#x compression
# optional per-folder reserved area
#>8 ubequad x \b, abReserve %#llx
# display member structure CFFILE information like member name of cabinet
0 name cab-file
# cbFile is uncompressed size of file in bytes
#>0 ulelong x \b, cbFile %u
# uoffFolderStart is uncompressed offset of file in folder
#>4 ulelong >0 \b, uoffFolderStart %#x
# iFolder is index into the CFFOLDER area. 0 indicates first folder in cabinet
# define ifoldCONTINUED_FROM_PREV (0xFFFD)
# define ifoldCONTINUED_TO_NEXT (0xFFFE)
# define ifoldCONTINUED_PREV_AND_NEXT (0xFFFF)
>8 uleshort >0 \b, iFolder %#x
# date stamp for file
#>10 uleshort x \b, date %#x
# time stamp for file
#>12 uleshort x \b, time %#x
# attribs is attribute flags for file
# define _A_RDONLY (0x01) file is read-only
# define _A_HIDDEN (0x02) file is hidden
# define _A_SYSTEM (0x04) file is a system file
# define _A_ARCH (0x20) file modified since last backup
# example http://sebastien.kirche.free.fr/pebuilder_plugins/depends.cab
# define _A_EXEC (0x40) run after extraction
# define _A_NAME_IS_UTF (0x80) szName[] contains UTF
# define UNKNOWN (0x0100) undocumented or accident
#>14 uleshort x \b, attribs %#x
>14 uleshort >0 +
>>14 uleshort &0x0001 \bR
>>14 uleshort &0x0002 \bH
>>14 uleshort &0x0004 \bS
>>14 uleshort &0x0020 \bA
>>14 uleshort &0x0040 \bX
>>14 uleshort &0x0080 \bUtf
# unknown 0x0100 flag found on one XP_CD:\I386\DRIVER.CAB
>>14 uleshort &0x0100 \b?
# szName is name of archive member
>16 string x "%s"
# next archive member name if more files
#>>&17 string >\0 \b, NEXT NAME %-.50s

# InstallShield Cabinet files
0 string/b ISc( InstallShield Cabinet archive data
>5 byte&0xf0 =0x60 version 6,
>5 byte&0xf0 !0x60 version 4/5,
>(12.l+40) lelong x %u files

# Windows CE package files
0 string/b MSCE\0\0\0\0 Microsoft WinCE install header
>20 lelong 0 \b, architecture-independent
>20 lelong 103 \b, Hitachi SH3
>20 lelong 104 \b, Hitachi SH4
>20 lelong 0xA11 \b, StrongARM
>20 lelong 4000 \b, MIPS R4000
>20 lelong 10003 \b, Hitachi SH3
>20 lelong 10004 \b, Hitachi SH3E
>20 lelong 10005 \b, Hitachi SH4
>20 lelong 70001 \b, ARM 7TDMI
>52 leshort 1 \b, 1 file
>52 leshort >1 \b, %u files
>56 leshort 1 \b, 1 registry entry
>56 leshort >1 \b, %u registry entries


# Windows Enhanced Metafile (EMF)
# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp
# for further information.
0 ulelong 1
>40 string \ EMF Windows Enhanced Metafile (EMF) image data
>>44 ulelong x version %#x


0 string/b \224\246\056 Microsoft Word Document
!:mime application/msword

# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
# Magic type for Dell's BIOS .hdr files
# Dell's .hdr
0 string/b $RBU
>23 string Dell %s system BIOS
>5 byte 2
>>48 byte x version %d.
>>49 byte x \b%d.
>>50 byte x \b%d
>5 byte <2
>>48 string x version %.3s

# Type: Microsoft Document Imaging Format (.mdi)
# URL: https://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format
# From: Daniele Sempione <scrows@oziosi.org>
# Too weak (EP)
#0 short 0x5045 Microsoft Document Imaging Format

# MS eBook format (.lit)
0 string/b ITOLITLS Microsoft Reader eBook Data
>8 lelong x \b, version %u
!:mime application/x-ms-reader

# Windows CE Binary Image Data Format
# From: Dr. Jesus <j@hug.gs>
0 string/b B000FF\n Windows Embedded CE binary image

# The second byte of these signatures is a file version; I don't know what,
# if anything, produced files with version numbers 0-2.
# From: John Elliott <johne@seasip.demon.co.uk>
0 string \xfc\x03\x00 Mallard BASIC program data (v1.11)
0 string \xfc\x04\x00 Mallard BASIC program data (v1.29+)
0 string \xfc\x03\x01 Mallard BASIC protected program data (v1.11)
0 string \xfc\x04\x01 Mallard BASIC protected program data (v1.29+)

0 string MIOPEN Mallard BASIC Jetsam data
0 string Jetsam0 Mallard BASIC Jetsam index data

# DOS backup 2.0 to 3.2
# URL: http://fileformats.archiveteam.org/wiki/BACKUP_(MS-DOS)
# Reference: http://www.ibiblio.org/pub/micro/pc-stuff/freedos/files/dos/restore/brtecdoc.htm
# backupid.@@@

# plausibility check for date
0x3 ushort >1979
>0x5 ubyte-1 <31
>>0x6 ubyte-1 <12
# actually 121 nul bytes
>>>0x7 string \0\0\0\0\0\0\0\0
>>>>0x1 ubyte x DOS 2.0 backup id file, sequence %d
#!:mime application/octet-stream
!:ext @@@
>>>>0x0 ubyte 0xff \b, last disk

# backed up file

# skip some AppleWorks word like Tomahawk.Awp, WIN98SE-DE.vhd
# by looking for trailing nul of maximal file name string
0x52 ubyte 0
# test for flag byte: FFh~complete file, 00h~split file
# FFh -127 = -1 -127 = -128
# 00h -127 = 0 -127 = -127
>0 byte-127 <-126
# plausibility check for file name length
>>0x53 ubyte-1 <78
# looking for terminating nul of file name string
>>>(0x53.b+4) ubyte 0
# looking if last char of string is valid DOS file name
>>>>(0x53.b+3) ubyte >0x1F
# actually 44 nul bytes
# but sometimes garbage according to Ralf Quint. So can not be used as test
#>0x54 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
# first char of full file name is DOS (5Ch) or UNIX (2Fh) path separator
# only DOS variant found. UNIX variant according to V32SLASH.TXT in archive PD0315.EXE
>>>>>5 ubyte&0x8C 0x0C
# ./msdos (version 5.30) labeled the entry as
# "DOS 2.0 backed up file %s, split file, sequence %d" or
# "DOS 2.0 backed up file %s, complete file"
>>>>>>0 ubyte x DOS 2.0-3.2 backed up
#>>>>>>0 ubyte 0xff complete
>>>>>>0 ubyte 0
>>>>>>>1 uleshort x sequence %d of
# full file name with path but without drive letter and colon stored from 0x05 til 0x52
>>>>>>0x5 string x file %s
#!:mime application/octet-stream
# backup name is original filename
#!:ext doc/exe/rar/zip
#!:ext *
# magic/Magdir/msdos, 1169: Warning: EXTENSION type ` *' has bad char '*'
# file: line 1169: Bad magic entry ' *'
# after header original file content
>>>>>>128 indirect x \b;


# DOS backup 3.3 to 5.x

# CONTROL.nnn files
0 string \x8bBACKUP\x20
# actually 128 nul bytes
>0xa string \0\0\0\0\0\0\0\0
>>0x9 ubyte x DOS 3.3 backup control file, sequence %d
>>0x8a ubyte 0xff \b, last disk

# NB: The BACKUP.nnn files consist of the files backed up,
# concatenated.

# From: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/MS-DOS_date/time
# Reference: https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-dosdatetimetofiletime
# Note: DOS date+time format is different from formats such as Unix epoch
# bit encoded; uses year values relative to 1980 and 2 second precision
0 name dos-date
# HHHHHMMMMMMSSSSS bit encoded Hour (0-23) Minute (0-59) SecondPart (*2)
#>0 uleshort x RAW TIME [%#4.4x]
# hour part
#>0 uleshort/2048 x hour [%u]
# YYYYYMMMMDDDDD bit encoded YearPart (+1980) Month (1-12) Day (1-31)
#>2 uleshort x RAW DATE [%#4.4x]
# day part
>2 uleshort&0x001F x %u
#>2 uleshort/16 x MONTH PART [%#x]
# GRR: not working
#>2 uleshort/16 &0x000F MONTH [%u]
#>2 uleshort&0x01E0 x MONTH PART [%#4.4x]
>2 uleshort&0x01E0 =0x0020 jan
>2 uleshort&0x01E0 =0x0040 feb
>2 uleshort&0x01E0 =0x0060 mar
>2 uleshort&0x01E0 =0x0080 apr
>2 uleshort&0x01E0 =0x00A0 may
>2 uleshort&0x01E0 =0x00C0 jun
>2 uleshort&0x01E0 =0x00E0 jul
>2 uleshort&0x01E0 =0x0100 aug
>2 uleshort&0x01E0 =0x0120 sep
>2 uleshort&0x01E0 =0x0140 oct
>2 uleshort&0x01E0 =0x0160 nov
>2 uleshort&0x01E0 =0x0180 dec
# year part
>2 uleshort/512 x 1980+%u
#
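The cab-file and dos-date routines above read CFFILE fields at fixed offsets and split the DOS date word with masks; the Python below, an added example that is not part of this magic file or of the file(1) project, applies the same offsets and masks to every member of a cabinet and returns no timestamp when a date or time field is out of range. The function names, the latin-1 fallback for member names and the sample cabinet are assumptions made for the example.

```python
import struct
from datetime import datetime

# Attribute bits and the letters the cab-file routine prints for them.
ATTRIB_LETTERS = [(0x0001, "R"), (0x0002, "H"), (0x0004, "S"), (0x0020, "A"),
                  (0x0040, "X"), (0x0080, "Utf"), (0x0100, "?")]


def decode_dos_datetime(dos_date, dos_time):
    """Decode 16-bit DOS date and time words; return None if a field is out of range."""
    day = dos_date & 0x001F
    month = (dos_date & 0x01E0) >> 5
    year = 1980 + (dos_date >> 9)          # same as uleshort/512 in dos-date
    hour = dos_time >> 11                  # same as uleshort/2048
    minute = (dos_time & 0x07E0) >> 5
    second = (dos_time & 0x001F) * 2       # stored with 2 second precision
    try:
        return datetime(year, month, day, hour, minute, second)  # no time zone stored
    except ValueError:
        return None                        # e.g. month 0 or 13..15, day 0, hour 24..31


def parse_cab_members(data):
    """Return one dict per CFFILE entry; raise ValueError on malformed input."""
    if len(data) < 36 or data[:8] != b"MSCF\0\0\0\0":
        raise ValueError("not a cabinet: bad signature or short header")
    (coff_files,) = struct.unpack_from("<I", data, 16)   # offset of first CFFILE
    (c_files,) = struct.unpack_from("<H", data, 28)      # number of CFFILE entries
    members, pos = [], coff_files
    for _ in range(c_files):
        if pos + 16 > len(data):
            raise ValueError("CFFILE entry runs past end of data")
        size, _uoff, _ifolder, d, t, attribs = struct.unpack_from("<IIHHHH", data, pos)
        end = data.find(b"\0", pos + 16, pos + 16 + 256)
        if end < 0:
            raise ValueError("member name is not nul-terminated")
        # Assumption: names without _A_NAME_IS_UTF are decoded as latin-1.
        codec = "utf-8" if attribs & 0x0080 else "latin-1"
        members.append({
            "name": data[pos + 16:end].decode(codec, errors="replace"),
            "size": size,
            "modified": decode_dos_datetime(d, t),
            "attribs": "".join(ch for bit, ch in ATTRIB_LETTERS if attribs & bit),
            "run_after_extract": bool(attribs & 0x0040),  # _A_EXEC
        })
        pos = end + 1
    return members


def dos_words(dt):
    """Encode a datetime as (date, time) DOS words; used only to build the sample."""
    return (((dt.year - 1980) << 9) | (dt.month << 5) | dt.day,
            (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2))


def build_sample():
    """Constructed two-member cabinet header without data blocks, for the demo only."""
    d, t = dos_words(datetime(2022, 9, 7, 11, 17, 30))
    spec = [(1234, d, t, 0x20, b"readme.txt"),
            (5678, 0, 0, 0x41, b"setup.exe")]            # zero date word: no valid day
    files = b"".join(struct.pack("<IIHHHH", size, 0, 0, dd, tt, attr) + name + b"\0"
                     for size, dd, tt, attr, name in spec)
    folder = struct.pack("<IHH", 44 + len(files), 0, 0)  # one CFFOLDER, no CFDATA
    total = 36 + len(folder) + len(files)
    header = struct.pack("<4sIIIIIBBHHHHH", b"MSCF", 0, total, 0, 44, 0,
                         3, 1, 1, len(spec), 0, 0, 0)    # version bytes 03 01
    return header + folder + files


if __name__ == "__main__":
    for member in parse_cab_members(build_sample()):
        print(member)
```

In CFFILE the date word (offset 10) precedes the time word (offset 12), whereas dos-date expects time at offset 0 and date at offset 2, so the two words are passed to the decoder explicitly.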