i.5.2.0.source-code.bdeploy-magic Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of api Show documentation
Show all versions of api Show documentation
Public API including dependencies, ready to be used for integrations and plugins.
# Minimal viable file(1) magic for BDeploy. Created using:
# $ cat aout elf java mach msdos varied.script > bdeploy-magic
# from this directory: https://github.com/file/file/tree/master/magic/Magdir
#------------------------------------------------------------------------------
# $File$
# aout: file(1) magic for a.out executable/object/etc entries that
# handle executables on multiple platforms.
#
#
# Little-endian 32-bit-int a.out, merged from bsdi (for BSD/OS, from
# BSDI), netbsd, and vax (for UNIX/32V and BSD)
#
# XXX - is there anything we can look at to distinguish BSD/OS 386 from
# NetBSD 386 from various VAX binaries? The BSD/OS shared library flag
# works only for binaries using shared libraries. Grabbing the entry
# point from the a.out header, using it to find the first code executed
# in the program, and looking at that might help.
#
0 lelong 0407 a.out little-endian 32-bit executable
>16 lelong >0 not stripped
>32 byte 0x6a (uses BSD/OS shared libs)
0 lelong 0410 a.out little-endian 32-bit pure executable
>16 lelong >0 not stripped
>32 byte 0x6a (uses BSD/OS shared libs)
0 lelong 0413 a.out little-endian 32-bit demand paged pure executable
>16 lelong >0 not stripped
>32 byte 0x6a (uses BSD/OS shared libs)
#
# Big-endian 32-bit-int a.out, merged from sun (for old 68010 SunOS a.out),
# mips (for old 68020(!) SGI a.out), and netbsd (for old big-endian a.out).
#
# XXX - is there anything we can look at to distinguish old SunOS 68010
# from old 68020 IRIX from old NetBSD? Again, I guess we could look at
# the first instruction or instructions in the program.
#
0 belong 0407 a.out big-endian 32-bit executable
>16 belong >0 not stripped
0 belong 0410 a.out big-endian 32-bit pure executable
>16 belong >0 not stripped
0 belong 0413 a.out big-endian 32-bit demand paged executable
>16 belong >0 not stripped
#------------------------------------------------------------------------------
# $File: elf,v 1.77 2019/01/16 19:33:35 christos Exp $
# elf: file(1) magic for ELF executables
#
# We have to check the byte order flag to see what byte order all the
# other stuff in the header is in.
#
# What're the correct byte orders for the nCUBE and the Fujitsu VPP500?
#
# Created by: unknown
# Modified by (1): Daniel Quinlan
# Modified by (2): Peter Tobias (core support)
# Modified by (3): Christian 'Dr. Disk' Hechelmann (fix of core support)
# Modified by (4): (VMS Itanium)
# Modified by (5): Matthias Urlichs (Listing of many architectures)
0 name elf-mips
>0 lelong&0xf0000000 0x00000000 MIPS-I
>0 lelong&0xf0000000 0x10000000 MIPS-II
>0 lelong&0xf0000000 0x20000000 MIPS-III
>0 lelong&0xf0000000 0x30000000 MIPS-IV
>0 lelong&0xf0000000 0x40000000 MIPS-V
>0 lelong&0xf0000000 0x50000000 MIPS32
>0 lelong&0xf0000000 0x60000000 MIPS64
>0 lelong&0xf0000000 0x70000000 MIPS32 rel2
>0 lelong&0xf0000000 0x80000000 MIPS64 rel2
>0 lelong&0xf0000000 0x90000000 MIPS32 rel6
>0 lelong&0xf0000000 0xa0000000 MIPS64 rel6
0 name elf-sparc
>0 lelong&0x00ffff00 0x00000100 V8+ Required,
>0 lelong&0x00ffff00 0x00000200 Sun UltraSPARC1 Extensions Required,
>0 lelong&0x00ffff00 0x00000400 HaL R1 Extensions Required,
>0 lelong&0x00ffff00 0x00000800 Sun UltraSPARC3 Extensions Required,
>0 lelong&0x3 0 total store ordering,
>0 lelong&0x3 1 partial store ordering,
>0 lelong&0x3 2 relaxed memory ordering,
0 name elf-pa-risc
>2 leshort 0x0208 1.0
>2 leshort 0x0210 1.1
>2 leshort 0x0214 2.0
>0 leshort &0x0008 (LP64)
0 name elf-le
>16 leshort 0 no file type,
!:mime application/octet-stream
>16 leshort 1 relocatable,
!:mime application/x-object
>16 leshort 2 executable,
!:mime application/x-executable
>16 leshort 3 ${x?pie executable:shared object},
!:mime application/x-${x?pie-executable:sharedlib}
>16 leshort 4 core file,
!:mime application/x-coredump
# OS-specific
>7 byte 202
>>16 leshort 0xFE01 executable,
!:mime application/x-executable
# Core file detection is not reliable.
#>>>(0x38+0xcc) string >\0 of '%s'
#>>>(0x38+0x10) lelong >0 (signal %d),
>16 leshort &0xff00 processor-specific,
>18 clear x
>18 leshort 0 no machine,
>18 leshort 1 AT&T WE32100,
>18 leshort 2 SPARC,
>18 leshort 3 Intel 80386,
>18 leshort 4 Motorola m68k,
>>4 byte 1
>>>36 lelong &0x01000000 68000,
>>>36 lelong &0x00810000 CPU32,
>>>36 lelong 0 68020,
>18 leshort 5 Motorola m88k,
>18 leshort 6 Intel 80486,
>18 leshort 7 Intel 80860,
# The official e_machine number for MIPS is now #8, regardless of endianness.
# The second number (#10) will be deprecated later. For now, we still
# say something if #10 is encountered, but only gory details for #8.
>18 leshort 8 MIPS,
>>4 byte 1
>>>36 lelong &0x20 N32
>18 leshort 10 MIPS,
>>4 byte 1
>>>36 lelong &0x20 N32
>18 leshort 8
# only for 32-bit
>>4 byte 1
>>>36 use elf-mips
# only for 64-bit
>>4 byte 2
>>>48 use elf-mips
>18 leshort 9 Amdahl,
>18 leshort 10 MIPS (deprecated),
>18 leshort 11 RS6000,
>18 leshort 15 PA-RISC,
# only for 32-bit
>>4 byte 1
>>>36 use elf-pa-risc
# only for 64-bit
>>4 byte 2
>>>48 use elf-pa-risc
>18 leshort 16 nCUBE,
>18 leshort 17 Fujitsu VPP500,
>18 leshort 18 SPARC32PLUS,
# only for 32-bit
>>4 byte 1
>>>36 use elf-sparc
>18 leshort 19 Intel 80960,
>18 leshort 20 PowerPC or cisco 4500,
>18 leshort 21 64-bit PowerPC or cisco 7500,
>18 leshort 22 IBM S/390,
>18 leshort 23 Cell SPU,
>18 leshort 24 cisco SVIP,
>18 leshort 25 cisco 7200,
>18 leshort 36 NEC V800 or cisco 12000,
>18 leshort 37 Fujitsu FR20,
>18 leshort 38 TRW RH-32,
>18 leshort 39 Motorola RCE,
>18 leshort 40 ARM,
>>4 byte 1
>>>36 lelong&0xff000000 0x04000000 EABI4
>>>36 lelong&0xff000000 0x05000000 EABI5
>>>36 lelong &0x00800000 BE8
>>>36 lelong &0x00400000 LE8
>18 leshort 41 Alpha,
>18 leshort 42 Renesas SH,
>18 leshort 43 SPARC V9,
>>4 byte 2
>>>48 use elf-sparc
>18 leshort 44 Siemens Tricore Embedded Processor,
>18 leshort 45 Argonaut RISC Core, Argonaut Technologies Inc.,
>18 leshort 46 Renesas H8/300,
>18 leshort 47 Renesas H8/300H,
>18 leshort 48 Renesas H8S,
>18 leshort 49 Renesas H8/500,
>18 leshort 50 IA-64,
>18 leshort 51 Stanford MIPS-X,
>18 leshort 52 Motorola Coldfire,
>18 leshort 53 Motorola M68HC12,
>18 leshort 54 Fujitsu MMA,
>18 leshort 55 Siemens PCP,
>18 leshort 56 Sony nCPU,
>18 leshort 57 Denso NDR1,
>18 leshort 58 Start*Core,
>18 leshort 59 Toyota ME16,
>18 leshort 60 ST100,
>18 leshort 61 Tinyj emb.,
>18 leshort 62 x86-64,
>18 leshort 63 Sony DSP,
>18 leshort 64 DEC PDP-10,
>18 leshort 65 DEC PDP-11,
>18 leshort 66 FX66,
>18 leshort 67 ST9+ 8/16 bit,
>18 leshort 68 ST7 8 bit,
>18 leshort 69 MC68HC16,
>18 leshort 70 MC68HC11,
>18 leshort 71 MC68HC08,
>18 leshort 72 MC68HC05,
>18 leshort 73 SGI SVx or Cray NV1,
>18 leshort 74 ST19 8 bit,
>18 leshort 75 Digital VAX,
>18 leshort 76 Axis cris,
>18 leshort 77 Infineon 32-bit embedded,
>18 leshort 78 Element 14 64-bit DSP,
>18 leshort 79 LSI Logic 16-bit DSP,
>18 leshort 80 MMIX,
>18 leshort 81 Harvard machine-independent,
>18 leshort 82 SiTera Prism,
>18 leshort 83 Atmel AVR 8-bit,
>18 leshort 84 Fujitsu FR30,
>18 leshort 85 Mitsubishi D10V,
>18 leshort 86 Mitsubishi D30V,
>18 leshort 87 NEC v850,
>18 leshort 88 Renesas M32R,
>18 leshort 89 Matsushita MN10300,
>18 leshort 90 Matsushita MN10200,
>18 leshort 91 picoJava,
>18 leshort 92 OpenRISC,
>18 leshort 93 ARC Cores Tangent-A5,
>18 leshort 94 Tensilica Xtensa,
>18 leshort 95 Alphamosaic VideoCore,
>18 leshort 96 Thompson Multimedia,
>18 leshort 97 NatSemi 32k,
>18 leshort 98 Tenor Network TPC,
>18 leshort 99 Trebia SNP 1000,
>18 leshort 100 STMicroelectronics ST200,
>18 leshort 101 Ubicom IP2022,
>18 leshort 102 MAX Processor,
>18 leshort 103 NatSemi CompactRISC,
>18 leshort 104 Fujitsu F2MC16,
>18 leshort 105 TI msp430,
>18 leshort 106 Analog Devices Blackfin,
>18 leshort 107 S1C33 Family of Seiko Epson,
>18 leshort 108 Sharp embedded,
>18 leshort 109 Arca RISC,
>18 leshort 110 PKU-Unity Ltd.,
>18 leshort 111 eXcess: 16/32/64-bit,
>18 leshort 112 Icera Deep Execution Processor,
>18 leshort 113 Altera Nios II,
>18 leshort 114 NatSemi CRX,
>18 leshort 115 Motorola XGATE,
>18 leshort 116 Infineon C16x/XC16x,
>18 leshort 117 Renesas M16C series,
>18 leshort 118 Microchip dsPIC30F,
>18 leshort 119 Freescale RISC core,
>18 leshort 120 Renesas M32C series,
>18 leshort 131 Altium TSK3000 core,
>18 leshort 132 Freescale RS08,
>18 leshort 134 Cyan Technology eCOG2,
>18 leshort 135 Sunplus S+core7 RISC,
>18 leshort 136 New Japan Radio (NJR) 24-bit DSP,
>18 leshort 137 Broadcom VideoCore III,
>18 leshort 138 LatticeMico32,
>18 leshort 139 Seiko Epson C17 family,
>18 leshort 140 TI TMS320C6000 DSP family,
>18 leshort 141 TI TMS320C2000 DSP family,
>18 leshort 142 TI TMS320C55x DSP family,
>18 leshort 160 STMicroelectronics 64bit VLIW DSP,
>18 leshort 161 Cypress M8C,
>18 leshort 162 Renesas R32C series,
>18 leshort 163 NXP TriMedia family,
>18 leshort 164 QUALCOMM DSP6,
>18 leshort 165 Intel 8051 and variants,
>18 leshort 166 STMicroelectronics STxP7x family,
>18 leshort 167 Andes embedded RISC,
>18 leshort 168 Cyan eCOG1X family,
>18 leshort 169 Dallas MAXQ30,
>18 leshort 170 New Japan Radio (NJR) 16-bit DSP,
>18 leshort 171 M2000 Reconfigurable RISC,
>18 leshort 172 Cray NV2 vector architecture,
>18 leshort 173 Renesas RX family,
>18 leshort 174 META,
>18 leshort 175 MCST Elbrus,
>18 leshort 176 Cyan Technology eCOG16 family,
>18 leshort 177 NatSemi CompactRISC,
>18 leshort 178 Freescale Extended Time Processing Unit,
>18 leshort 179 Infineon SLE9X,
>18 leshort 180 Intel L1OM,
>18 leshort 181 Intel K1OM,
>18 leshort 183 ARM aarch64,
>18 leshort 185 Atmel 32-bit family,
>18 leshort 186 STMicroeletronics STM8 8-bit,
>18 leshort 187 Tilera TILE64,
>18 leshort 188 Tilera TILEPro,
>18 leshort 189 Xilinx MicroBlaze 32-bit RISC,
>18 leshort 190 NVIDIA CUDA architecture,
>18 leshort 191 Tilera TILE-Gx,
>18 leshort 197 Renesas RL78 family,
>18 leshort 199 Renesas 78K0R,
>18 leshort 200 Freescale 56800EX,
>18 leshort 201 Beyond BA1,
>18 leshort 202 Beyond BA2,
>18 leshort 203 XMOS xCORE,
>18 leshort 204 Microchip 8-bit PIC(r),
>18 leshort 210 KM211 KM32,
>18 leshort 211 KM211 KMX32,
>18 leshort 212 KM211 KMX16,
>18 leshort 213 KM211 KMX8,
>18 leshort 214 KM211 KVARC,
>18 leshort 215 Paneve CDP,
>18 leshort 216 Cognitive Smart Memory,
>18 leshort 217 iCelero CoolEngine,
>18 leshort 218 Nanoradio Optimized RISC,
>18 leshort 243 UCB RISC-V,
>18 leshort 247 eBPF,
>18 leshort 251 NEC VE,
>18 leshort 0x1057 AVR (unofficial),
>18 leshort 0x1059 MSP430 (unofficial),
>18 leshort 0x1223 Adapteva Epiphany (unofficial),
>18 leshort 0x2530 Morpho MT (unofficial),
>18 leshort 0x3330 FR30 (unofficial),
>18 leshort 0x3426 OpenRISC (obsolete),
>18 leshort 0x4688 Infineon C166 (unofficial),
>18 leshort 0x5441 Cygnus FRV (unofficial),
>18 leshort 0x5aa5 DLX (unofficial),
>18 leshort 0x7650 Cygnus D10V (unofficial),
>18 leshort 0x7676 Cygnus D30V (unofficial),
>18 leshort 0x8217 Ubicom IP2xxx (unofficial),
>18 leshort 0x8472 OpenRISC (obsolete),
>18 leshort 0x9025 Cygnus PowerPC (unofficial),
>18 leshort 0x9026 Alpha (unofficial),
>18 leshort 0x9041 Cygnus M32R (unofficial),
>18 leshort 0x9080 Cygnus V850 (unofficial),
>18 leshort 0xa390 IBM S/390 (obsolete),
>18 leshort 0xabc7 Old Xtensa (unofficial),
>18 leshort 0xad45 xstormy16 (unofficial),
>18 leshort 0xbaab Old MicroBlaze (unofficial),,
>18 leshort 0xbeef Cygnus MN10300 (unofficial),
>18 leshort 0xdead Cygnus MN10200 (unofficial),
>18 leshort 0xf00d Toshiba MeP (unofficial),
>18 leshort 0xfeb0 Renesas M32C (unofficial),
>18 leshort 0xfeba Vitesse IQ2000 (unofficial),
>18 leshort 0xfebb NIOS (unofficial),
>18 leshort 0xfeed Moxie (unofficial),
>18 default x
>>18 leshort x *unknown arch 0x%x*
>20 lelong 0 invalid version
>20 lelong 1 version 1
0 string \177ELF ELF
!:strength *2
>4 byte 0 invalid class
>4 byte 1 32-bit
>4 byte 2 64-bit
>5 byte 0 invalid byte order
>5 byte 1 LSB
>>0 use elf-le
>5 byte 2 MSB
>>0 use \^elf-le
>7 byte 0 (SYSV)
>7 byte 1 (HP-UX)
>7 byte 2 (NetBSD)
>7 byte 3 (GNU/Linux)
>7 byte 4 (GNU/Hurd)
>7 byte 5 (86Open)
>7 byte 6 (Solaris)
>7 byte 7 (Monterey)
>7 byte 8 (IRIX)
>7 byte 9 (FreeBSD)
>7 byte 10 (Tru64)
>7 byte 11 (Novell Modesto)
>7 byte 12 (OpenBSD)
>7 byte 13 (OpenVMS)
>7 byte 14 (HP NonStop Kernel)
>7 byte 15 (AROS Research Operating System)
>7 byte 16 (FenixOS)
>7 byte 17 (Nuxi CloudABI)
>7 byte 97 (ARM)
>7 byte 202 (Cafe OS)
>7 byte 255 (embedded)
#------------------------------------------------------------
# $File: java,v 1.21 2019/02/18 17:58:50 christos Exp $
# Java ByteCode and Mach-O binaries (e.g., Mac OS X) use the
# same magic number, 0xcafebabe, so they are both handled
# in the entry called "cafebabe".
#------------------------------------------------------------
# Java serialization
# From Martin Pool ([email protected])
0 beshort 0xaced Java serialization data
>2 beshort >0x0004 \b, version %d
0 belong 0xfeedfeed Java KeyStore
!:mime application/x-java-keystore
0 belong 0xcececece Java JCE KeyStore
!:mime application/x-java-jce-keystore
# Java source
0 regex \^import.*;$ Java source
!:mime text/x-java
# Java HPROF dumps
# https://java.net/downloads/heap-snapshot/hprof-binary-format.html
0 string JAVA\x20PROFILE\x201.0.
>0x12 byte 0
>>0x11 ubyte-0x31 <2 Java HPROF dump,
>>>0x17 beqdate/1000 x created %s
# Java jmod module
# See https://hg.openjdk.java.net/jdk9/jdk9/jdk/file/tip/src/java.base/share/classes/jdk/internal/jmod/JmodFile.java
# Grr. 2 byte magic "JM", really? In 2019?
0 belong 0x4a4d0100 Java jmod module version 1.0
!:mime application/x-java-jmod
# Java jlinked image
# See https://hg.openjdk.java.net/jdk9/jdk9/jdk/file/tip/src/java.base/share/native/libjimage/imageFile.hpp
0 belong 0xcafedada Java module image (big endian)
>4 beshort >0x00 \b, version %d
>6 beshort x \b.%d
!:mime application/x-java-image
0 lelong 0xcafedada Java module image (little endian)
>6 leshort >0x00 \b, version %d
>4 leshort x \b.%d
!:mime application/x-java-image
#------------------------------------------------------------
# $File: mach,v 1.22 2015/10/15 16:54:01 christos Exp $
# Mach has two magic numbers, 0xcafebabe and 0xfeedface.
# Unfortunately the first, cafebabe, is shared with
# Java ByteCode, so they are both handled in the file "cafebabe".
# The "feedface" ones are handled herein.
#------------------------------------------------------------
# if set, it's for the 64-bit version of the architecture
# yes, this is separate from the low-order magic number bit
# it's also separate from the "64-bit libraries" bit in the
# upper 8 bits of the CPU subtype
0 name mach-o-cpu
>0 belong&0x01000000 0
#
# 32-bit ABIs.
#
# 1 vax
>>0 belong&0x00ffffff 1
>>>4 belong&0x00ffffff 0 vax
>>>4 belong&0x00ffffff 1 vax11/780
>>>4 belong&0x00ffffff 2 vax11/785
>>>4 belong&0x00ffffff 3 vax11/750
>>>4 belong&0x00ffffff 4 vax11/730
>>>4 belong&0x00ffffff 5 uvaxI
>>>4 belong&0x00ffffff 6 uvaxII
>>>4 belong&0x00ffffff 7 vax8200
>>>4 belong&0x00ffffff 8 vax8500
>>>4 belong&0x00ffffff 9 vax8600
>>>4 belong&0x00ffffff 10 vax8650
>>>4 belong&0x00ffffff 11 vax8800
>>>4 belong&0x00ffffff 12 uvaxIII
>>>4 belong&0x00ffffff >12 vax subarchitecture=%d
>>0 belong&0x00ffffff 2 romp
>>0 belong&0x00ffffff 3 architecture=3
>>0 belong&0x00ffffff 4 ns32032
>>0 belong&0x00ffffff 5 ns32332
>>0 belong&0x00ffffff 6 m68k
# 7 x86
>>0 belong&0x00ffffff 7
>>>4 belong&0x0000000f 3 i386
>>>4 belong&0x0000000f 4 i486
>>>>4 belong&0x00fffff0 0
>>>>4 belong&0x00fffff0 0x80 \bsx
>>>4 belong&0x0000000f 5 i586
>>>4 belong&0x0000000f 6
>>>>4 belong&0x00fffff0 0 p6
>>>>4 belong&0x00fffff0 0x10 pentium_pro
>>>>4 belong&0x00fffff0 0x20 pentium_2_m0x20
>>>>4 belong&0x00fffff0 0x30 pentium_2_m3
>>>>4 belong&0x00fffff0 0x40 pentium_2_m0x40
>>>>4 belong&0x00fffff0 0x50 pentium_2_m5
>>>>4 belong&0x00fffff0 >0x50 pentium_2_m0x%x
>>>4 belong&0x0000000f 7 celeron
>>>>4 belong&0x00fffff0 0x00 \b_m0x%x
>>>>4 belong&0x00fffff0 0x10 \b_m0x%x
>>>>4 belong&0x00fffff0 0x20 \b_m0x%x
>>>>4 belong&0x00fffff0 0x30 \b_m0x%x
>>>>4 belong&0x00fffff0 0x40 \b_m0x%x
>>>>4 belong&0x00fffff0 0x50 \b_m0x%x
>>>>4 belong&0x00fffff0 0x60
>>>>4 belong&0x00fffff0 0x70 \b_mobile
>>>>4 belong&0x00fffff0 >0x70 \b_m0x%x
>>>4 belong&0x0000000f 8 pentium_3
>>>>4 belong&0x00fffff0 0x00
>>>>4 belong&0x00fffff0 0x10 \b_m
>>>>4 belong&0x00fffff0 0x20 \b_xeon
>>>>4 belong&0x00fffff0 >0x20 \b_m0x%x
>>>4 belong&0x0000000f 9 pentiumM
>>>>4 belong&0x00fffff0 0x00
>>>>4 belong&0x00fffff0 >0x00 \b_m0x%x
>>>4 belong&0x0000000f 10 pentium_4
>>>>4 belong&0x00fffff0 0x00
>>>>4 belong&0x00fffff0 0x10 \b_m
>>>>4 belong&0x00fffff0 >0x10 \b_m0x%x
>>>4 belong&0x0000000f 11 itanium
>>>>4 belong&0x00fffff0 0x00
>>>>4 belong&0x00fffff0 0x10 \b_2
>>>>4 belong&0x00fffff0 >0x10 \b_m0x%x
>>>4 belong&0x0000000f 12 xeon
>>>>4 belong&0x00fffff0 0x00
>>>>4 belong&0x00fffff0 0x10 \b_mp
>>>>4 belong&0x00fffff0 >0x10 \b_m0x%x
>>>4 belong&0x0000000f >12 ia32 family=%d
>>>>4 belong&0x00fffff0 0x00
>>>>4 belong&0x00fffff0 >0x00 model=%x
>>0 belong&0x00ffffff 8 mips
>>>4 belong&0x00ffffff 1 R2300
>>>4 belong&0x00ffffff 2 R2600
>>>4 belong&0x00ffffff 3 R2800
>>>4 belong&0x00ffffff 4 R2000a
>>>4 belong&0x00ffffff 5 R2000
>>>4 belong&0x00ffffff 6 R3000a
>>>4 belong&0x00ffffff 7 R3000
>>>4 belong&0x00ffffff >7 subarchitecture=%d
>>0 belong&0x00ffffff 9 ns32532
>>0 belong&0x00ffffff 10 mc98000
>>0 belong&0x00ffffff 11 hppa
>>>4 belong&0x00ffffff 0 7100
>>>4 belong&0x00ffffff 1 7100LC
>>>4 belong&0x00ffffff >1 subarchitecture=%d
>>0 belong&0x00ffffff 12 arm
>>>4 belong&0x00ffffff 0
>>>4 belong&0x00ffffff 1 subarchitecture=%d
>>>4 belong&0x00ffffff 2 subarchitecture=%d
>>>4 belong&0x00ffffff 3 subarchitecture=%d
>>>4 belong&0x00ffffff 4 subarchitecture=%d
>>>4 belong&0x00ffffff 5 \bv4t
>>>4 belong&0x00ffffff 6 \bv6
>>>4 belong&0x00ffffff 7 \bv5tej
>>>4 belong&0x00ffffff 8 \bxscale
>>>4 belong&0x00ffffff 9 \bv7
>>>4 belong&0x00ffffff 10 \bv7f
>>>4 belong&0x00ffffff 11 \bv7s
>>>4 belong&0x00ffffff 12 \bv7k
>>>4 belong&0x00ffffff 13 \bv8
>>>4 belong&0x00ffffff 14 \bv6m
>>>4 belong&0x00ffffff 15 \bv7m
>>>4 belong&0x00ffffff 16 \bv7em
>>>4 belong&0x00ffffff >16 subarchitecture=%d
# 13 m88k
>>0 belong&0x00ffffff 13
>>>4 belong&0x00ffffff 0 mc88000
>>>4 belong&0x00ffffff 1 mc88100
>>>4 belong&0x00ffffff 2 mc88110
>>>4 belong&0x00ffffff >2 mc88000 subarchitecture=%d
>>0 belong&0x00ffffff 14 SPARC
>>0 belong&0x00ffffff 15 i860g
>>0 belong&0x00ffffff 16 alpha
>>0 belong&0x00ffffff 17 rs6000
>>0 belong&0x00ffffff 18 ppc
>>>4 belong&0x00ffffff 0
>>>4 belong&0x00ffffff 1 \b_601
>>>4 belong&0x00ffffff 2 \b_602
>>>4 belong&0x00ffffff 3 \b_603
>>>4 belong&0x00ffffff 4 \b_603e
>>>4 belong&0x00ffffff 5 \b_603ev
>>>4 belong&0x00ffffff 6 \b_604
>>>4 belong&0x00ffffff 7 \b_604e
>>>4 belong&0x00ffffff 8 \b_620
>>>4 belong&0x00ffffff 9 \b_650
>>>4 belong&0x00ffffff 10 \b_7400
>>>4 belong&0x00ffffff 11 \b_7450
>>>4 belong&0x00ffffff 100 \b_970
>>>4 belong&0x00ffffff >100 subarchitecture=%d
>>0 belong&0x00ffffff >18 architecture=%d
>0 belong&0x01000000 0x01000000
#
# 64-bit ABIs.
#
>>0 belong&0x00ffffff 0 64-bit architecture=%d
>>0 belong&0x00ffffff 1 64-bit architecture=%d
>>0 belong&0x00ffffff 2 64-bit architecture=%d
>>0 belong&0x00ffffff 3 64-bit architecture=%d
>>0 belong&0x00ffffff 4 64-bit architecture=%d
>>0 belong&0x00ffffff 5 64-bit architecture=%d
>>0 belong&0x00ffffff 6 64-bit architecture=%d
>>0 belong&0x00ffffff 7 x86_64
>>>4 belong&0x00ffffff 0 subarchitecture=%d
>>>4 belong&0x00ffffff 1 subarchitecture=%d
>>>4 belong&0x00ffffff 2 subarchitecture=%d
>>>4 belong&0x00ffffff 3
>>>4 belong&0x00ffffff 4 \b_arch1
>>>4 belong&0x00ffffff 8 \b_haswell
>>>4 belong&0x00ffffff >4 subarchitecture=%d
>>0 belong&0x00ffffff 8 64-bit architecture=%d
>>0 belong&0x00ffffff 9 64-bit architecture=%d
>>0 belong&0x00ffffff 10 64-bit architecture=%d
>>0 belong&0x00ffffff 11 64-bit architecture=%d
>>0 belong&0x00ffffff 12 arm64
>>>4 belong&0x00ffffff 0
>>>4 belong&0x00ffffff 1 \bv8
>>0 belong&0x00ffffff 13 64-bit architecture=%d
>>0 belong&0x00ffffff 14 64-bit architecture=%d
>>0 belong&0x00ffffff 15 64-bit architecture=%d
>>0 belong&0x00ffffff 16 64-bit architecture=%d
>>0 belong&0x00ffffff 17 64-bit architecture=%d
>>0 belong&0x00ffffff 18 ppc64
>>>4 belong&0x00ffffff 0
>>>4 belong&0x00ffffff 1 \b_601
>>>4 belong&0x00ffffff 2 \b_602
>>>4 belong&0x00ffffff 3 \b_603
>>>4 belong&0x00ffffff 4 \b_603e
>>>4 belong&0x00ffffff 5 \b_603ev
>>>4 belong&0x00ffffff 6 \b_604
>>>4 belong&0x00ffffff 7 \b_604e
>>>4 belong&0x00ffffff 8 \b_620
>>>4 belong&0x00ffffff 9 \b_650
>>>4 belong&0x00ffffff 10 \b_7400
>>>4 belong&0x00ffffff 11 \b_7450
>>>4 belong&0x00ffffff 100 \b_970
>>>4 belong&0x00ffffff >100 subarchitecture=%d
>>0 belong&0x00ffffff >18 64-bit architecture=%d
0 name mach-o-be
>0 byte 0xcf 64-bit
>4 use mach-o-cpu
>12 belong 1 object
>12 belong 2 executable
>12 belong 3 fixed virtual memory shared library
>12 belong 4 core
>12 belong 5 preload executable
>12 belong 6 dynamically linked shared library
>12 belong 7 dynamic linker
>12 belong 8 bundle
>12 belong 9 dynamically linked shared library stub
>12 belong 10 dSYM companion file
>12 belong 11 kext bundle
>12 belong >11
>>12 belong x filetype=%d
>24 belong >0 \b, flags:<
>>24 belong &0x0000001 \bNOUNDEFS
>>24 belong &0x0000002 \b|INCRLINK
>>24 belong &0x0000004 \b|DYLDLINK
>>24 belong &0x0000008 \b|BINDATLOAD
>>24 belong &0x0000010 \b|PREBOUND
>>24 belong &0x0000020 \b|SPLIT_SEGS
>>24 belong &0x0000040 \b|LAZY_INIT
>>24 belong &0x0000080 \b|TWOLEVEL
>>24 belong &0x0000100 \b|FORCE_FLAT
>>24 belong &0x0000200 \b|NOMULTIDEFS
>>24 belong &0x0000400 \b|NOFIXPREBINDING
>>24 belong &0x0000800 \b|PREBINDABLE
>>24 belong &0x0001000 \b|ALLMODSBOUND
>>24 belong &0x0002000 \b|SUBSECTIONS_VIA_SYMBOLS
>>24 belong &0x0004000 \b|CANONICAL
>>24 belong &0x0008000 \b|WEAK_DEFINES
>>24 belong &0x0010000 \b|BINDS_TO_WEAK
>>24 belong &0x0020000 \b|ALLOW_STACK_EXECUTION
>>24 belong &0x0040000 \b|ROOT_SAFE
>>24 belong &0x0080000 \b|SETUID_SAFE
>>24 belong &0x0100000 \b|NO_REEXPORTED_DYLIBS
>>24 belong &0x0200000 \b|PIE
>>24 belong &0x0400000 \b|DEAD_STRIPPABLE_DYLIB
>>24 belong &0x0800000 \b|HAS_TLV_DESCRIPTORS
>>24 belong &0x1000000 \b|NO_HEAP_EXECUTION
>>24 belong &0x2000000 \b|APP_EXTENSION_SAFE
>>24 belong x \b>
#
0 lelong&0xfffffffe 0xfeedface Mach-O
!:strength +1
!:mime application/x-mach-binary
>0 use \^mach-o-be
0 belong&0xfffffffe 0xfeedface Mach-O
!:strength +1
!:mime application/x-mach-binary
>0 use mach-o-be
#------------------------------------------------------------------------------
# $File: msdos,v 1.131 2019/08/02 18:08:18 christos Exp $
# msdos: file(1) magic for MS-DOS files
#
# .BAT files (Daniel Quinlan, [email protected])
# updated by Joerg Jenderek at Oct 2008,Apr 2011
0 string/t @
>1 string/cW \ echo\ off DOS batch file text
!:mime text/x-msdos-batch
!:ext bat
>1 string/cW echo\ off DOS batch file text
!:mime text/x-msdos-batch
!:ext bat
>1 string/cW rem DOS batch file text
!:mime text/x-msdos-batch
!:ext bat
>1 string/cW set\ DOS batch file text
!:mime text/x-msdos-batch
!:ext bat
# OS/2 batch files are REXX. the second regex is a bit generic, oh well
# the matched commands seem to be common in REXX and uncommon elsewhere
100 search/0xffff rxfuncadd
>100 regex/c =^[\ \t]{0,10}call[\ \t]{1,10}rxfunc OS/2 REXX batch file text
100 search/0xffff say
>100 regex/c =^[\ \t]{0,10}say\ ['"] OS/2 REXX batch file text
# updated by Joerg Jenderek at Oct 2015
# https://de.wikipedia.org/wiki/Common_Object_File_Format
# http://www.delorie.com/djgpp/doc/coff/filhdr.html
# ./intel already labeled COFF type 0x14c=0514 as "80386 COFF executable"
#0 leshort 0x14c MS Windows COFF Intel 80386 object file
#>4 ledate x stamp %s
0 leshort 0x166 MS Windows COFF MIPS R4000 object file
#>4 ledate x stamp %s
0 leshort 0x184 MS Windows COFF Alpha object file
#>4 ledate x stamp %s
0 leshort 0x268 MS Windows COFF Motorola 68000 object file
#>4 ledate x stamp %s
0 leshort 0x1f0 MS Windows COFF PowerPC object file
#>4 ledate x stamp %s
0 leshort 0x290 MS Windows COFF PA-RISC object file
#>4 ledate x stamp %s
# Tests for various EXE types.
#
# Many of the compressed formats were extraced from IDARC 1.23 source code.
#
0 string/b MZ
# All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file.
>0x18 leshort <0x40 MS-DOS executable
!:mime application/x-dosexec
# Windows and later versions of DOS will allow .EXEs to be named with a .COM
# extension, mostly for compatibility's sake.
!:ext exe/com
# These traditional tests usually work but not always. When test quality support is
# implemented these can be turned on.
#>>0x18 leshort 0x1c (Borland compiler)
#>>0x18 leshort 0x1e (MS compiler)
# If the relocation table is 0x40 or more bytes into the file, it's definitely
# not a DOS EXE.
>0x18 leshort >0x3f
# Maybe it's a PE?
>>(0x3c.l) string PE\0\0 PE
!:mime application/x-dosexec
>>>(0x3c.l+24) leshort 0x010b \b32 executable
>>>(0x3c.l+24) leshort 0x020b \b32+ executable
>>>(0x3c.l+24) leshort 0x0107 ROM image
>>>(0x3c.l+24) default x Unknown PE signature
>>>>&0 leshort x 0x%x
>>>(0x3c.l+22) leshort&0x2000 >0 (DLL)
>>>(0x3c.l+92) leshort 1
# Native PEs include ntoskrnl.exe, hal.dll, smss.exe, autochk.exe, and all the
# drivers in Windows/System32/drivers/*.sys.
>>>>(0x3c.l+22) leshort&0x2000 >0 (native)
!:ext dll/sys
>>>>(0x3c.l+22) leshort&0x2000 0 (native)
!:ext exe/sys
>>>(0x3c.l+92) leshort 2
>>>>(0x3c.l+22) leshort&0x2000 >0 (GUI)
# These could probably be at least partially distinguished from one another by
# looking for specific exported functions.
# CPL: Control Panel item
# TLB: Type library
# OCX: OLE/ActiveX control
# ACM: Audio compression manager codec
# AX: DirectShow source filter
# IME: Input method editor
!:ext dll/cpl/tlb/ocx/acm/ax/ime
>>>>(0x3c.l+22) leshort&0x2000 0 (GUI)
# Screen savers typically include code from the scrnsave.lib static library, but
# that's not guaranteed.
!:ext exe/scr
>>>(0x3c.l+92) leshort 3
>>>>(0x3c.l+22) leshort&0x2000 >0 (console)
!:ext dll/cpl/tlb/ocx/acm/ax/ime
>>>>(0x3c.l+22) leshort&0x2000 0 (console)
!:ext exe/com
>>>(0x3c.l+92) leshort 7 (POSIX)
>>>(0x3c.l+92) leshort 9 (Windows CE)
>>>(0x3c.l+92) leshort 10 (EFI application)
>>>(0x3c.l+92) leshort 11 (EFI boot service driver)
>>>(0x3c.l+92) leshort 12 (EFI runtime driver)
>>>(0x3c.l+92) leshort 13 (EFI ROM)
>>>(0x3c.l+92) leshort 14 (XBOX)
>>>(0x3c.l+92) leshort 15 (Windows boot application)
>>>(0x3c.l+92) default x (Unknown subsystem
>>>>&0 leshort x 0x%x)
>>>(0x3c.l+4) leshort 0x14c Intel 80386
>>>(0x3c.l+4) leshort 0x166 MIPS R4000
>>>(0x3c.l+4) leshort 0x168 MIPS R10000
>>>(0x3c.l+4) leshort 0x184 Alpha
>>>(0x3c.l+4) leshort 0x1a2 Hitachi SH3
>>>(0x3c.l+4) leshort 0x1a6 Hitachi SH4
>>>(0x3c.l+4) leshort 0x1c0 ARM
>>>(0x3c.l+4) leshort 0x1c2 ARM Thumb
>>>(0x3c.l+4) leshort 0x1c4 ARMv7 Thumb
>>>(0x3c.l+4) leshort 0x1f0 PowerPC
>>>(0x3c.l+4) leshort 0x200 Intel Itanium
>>>(0x3c.l+4) leshort 0x266 MIPS16
>>>(0x3c.l+4) leshort 0x268 Motorola 68000
>>>(0x3c.l+4) leshort 0x290 PA-RISC
>>>(0x3c.l+4) leshort 0x366 MIPSIV
>>>(0x3c.l+4) leshort 0x466 MIPS16 with FPU
>>>(0x3c.l+4) leshort 0xebc EFI byte code
>>>(0x3c.l+4) leshort 0x8664 x86-64
>>>(0x3c.l+4) leshort 0xc0ee MSIL
>>>(0x3c.l+4) default x Unknown processor type
>>>>&0 leshort x 0x%x
>>>(0x3c.l+22) leshort&0x0200 >0 (stripped to external PDB)
>>>(0x3c.l+22) leshort&0x1000 >0 system file
>>>(0x3c.l+24) leshort 0x010b
>>>>(0x3c.l+232) lelong >0 Mono/.Net assembly
>>>(0x3c.l+24) leshort 0x020b
>>>>(0x3c.l+248) lelong >0 Mono/.Net assembly
# hooray, there's a DOS extender using the PE format, with a valid PE
# executable inside (which just prints a message and exits if run in win)
>>>(8.s*16) string 32STUB \b, 32rtm DOS extender
>>>(8.s*16) string !32STUB \b, for MS Windows
>>>(0x3c.l+0xf8) string UPX0 \b, UPX compressed
>>>(0x3c.l+0xf8) search/0x140 PEC2 \b, PECompact2 compressed
>>>(0x3c.l+0xf8) search/0x140 UPX2
>>>>(&0x10.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
>>>(0x3c.l+0xf8) search/0x140 .idata
>>>>(&0xe.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip)
>>>>(&0xe.l+(-4)) string ZZ0 \b, ZZip self-extracting archive
>>>>(&0xe.l+(-4)) string ZZ1 \b, ZZip self-extracting archive
>>>(0x3c.l+0xf8) search/0x140 .rsrc
>>>>(&0x0f.l+(-4)) string a\\\4\5 \b, WinHKI self-extracting archive
>>>>(&0x0f.l+(-4)) string Rar! \b, RAR self-extracting archive
>>>>(&0x0f.l+(-4)) search/0x3000 MSCF \b, InstallShield self-extracting archive
>>>>(&0x0f.l+(-4)) search/32 Nullsoft \b, Nullsoft Installer self-extracting archive
>>>(0x3c.l+0xf8) search/0x140 .data
>>>>(&0x0f.l) string WEXTRACT \b, MS CAB-Installer self-extracting archive
>>>(0x3c.l+0xf8) search/0x140 .petite\0 \b, Petite compressed
>>>>(0x3c.l+0xf7) byte x
>>>>>(&0x104.l+(-4)) string =!sfx! \b, ACE self-extracting archive
>>>(0x3c.l+0xf8) search/0x140 .WISE \b, WISE installer self-extracting archive
>>>(0x3c.l+0xf8) search/0x140 .dz\0\0\0 \b, Dzip self-extracting archive
>>>&(0x3c.l+0xf8) search/0x100 _winzip_ \b, ZIP self-extracting archive (WinZip)
>>>&(0x3c.l+0xf8) search/0x100 SharedD \b, Microsoft Installer self-extracting archive
>>>0x30 string Inno \b, InnoSetup self-extracting archive
# Hmm, not a PE but the relocation table is too high for a traditional DOS exe,
# must be one of the unusual subformats.
>>(0x3c.l) string !PE\0\0 MS-DOS executable
!:mime application/x-dosexec
>>(0x3c.l) string NE \b, NE
!:mime application/x-dosexec
>>>(0x3c.l+0x36) byte 1 for OS/2 1.x
>>>(0x3c.l+0x36) byte 2 for MS Windows 3.x
>>>(0x3c.l+0x36) byte 3 for MS-DOS
>>>(0x3c.l+0x36) byte 4 for Windows 386
>>>(0x3c.l+0x36) byte 5 for Borland Operating System Services
>>>(0x3c.l+0x36) default x
>>>>(0x3c.l+0x36) byte x (unknown OS %x)
>>>(0x3c.l+0x36) byte 0x81 for MS-DOS, Phar Lap DOS extender
>>>(0x3c.l+0x0c) leshort&0x8000 0x8000 (DLL or font)
# DRV: Driver
# 3GR: Grabber device driver
# CPL: Control Panel Item
# VBX: Visual Basic Extension
# FON: Bitmap font
# FOT: Font resource file
!:ext dll/drv/3gr/cpl/vbx/fon/fot
>>>(0x3c.l+0x0c) leshort&0x8000 0 (EXE)
!:ext exe/scr
>>>&(&0x24.s-1) string ARJSFX \b, ARJ self-extracting archive
>>>(0x3c.l+0x70) search/0x80 WinZip(R)\ Self-Extractor \b, ZIP self-extracting archive (WinZip)
>>(0x3c.l) string LX\0\0 \b, LX
!:mime application/x-dosexec
>>>(0x3c.l+0x0a) leshort <1 (unknown OS)
>>>(0x3c.l+0x0a) leshort 1 for OS/2
>>>(0x3c.l+0x0a) leshort 2 for MS Windows
>>>(0x3c.l+0x0a) leshort 3 for DOS
>>>(0x3c.l+0x0a) leshort >3 (unknown OS)
>>>(0x3c.l+0x10) lelong&0x28000 =0x8000 (DLL)
>>>(0x3c.l+0x10) lelong&0x20000 >0 (device driver)
>>>(0x3c.l+0x10) lelong&0x300 0x300 (GUI)
>>>(0x3c.l+0x10) lelong&0x28300 <0x300 (console)
>>>(0x3c.l+0x08) leshort 1 i80286
>>>(0x3c.l+0x08) leshort 2 i80386
>>>(0x3c.l+0x08) leshort 3 i80486
>>>(8.s*16) string emx \b, emx
>>>>&1 string x %s
>>>&(&0x54.l-3) string arjsfx \b, ARJ self-extracting archive
# MS Windows system file, supposedly a collection of LE executables
>>(0x3c.l) string W3 \b, W3 for MS Windows
!:mime application/x-dosexec
>>(0x3c.l) string LE\0\0 \b, LE executable
!:mime application/x-dosexec
>>>(0x3c.l+0x0a) leshort 1
# some DOS extenders use LE files with OS/2 header
>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender
>>>>0x240 search/0x200 WATCOM\ C/C++ for MS-DOS, DOS4GW DOS extender
>>>>0x440 search/0x100 CauseWay\ DOS\ Extender for MS-DOS, CauseWay DOS extender
>>>>0x40 search/0x40 PMODE/W for MS-DOS, PMODE/W DOS extender
>>>>0x40 search/0x40 STUB/32A for MS-DOS, DOS/32A DOS extender (stub)
>>>>0x40 search/0x80 STUB/32C for MS-DOS, DOS/32A DOS extender (configurable stub)
>>>>0x40 search/0x80 DOS/32A for MS-DOS, DOS/32A DOS extender (embedded)
# this is a wild guess; hopefully it is a specific signature
>>>>&0x24 lelong <0x50
>>>>>(&0x4c.l) string \xfc\xb8WATCOM
>>>>>>&0 search/8 3\xdbf\xb9 \b, 32Lite compressed
# another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP
#>>>>(0x3c.l+0x1c) lelong >0x10000 for OS/2
# fails with DOS-Extenders.
>>>(0x3c.l+0x0a) leshort 2 for MS Windows
>>>(0x3c.l+0x0a) leshort 3 for DOS
>>>(0x3c.l+0x0a) leshort 4 for MS Windows (VxD)
# VXD: VxD for Windows 95/98/Me
# 386: VxD for Windows 2.10, 3.0, 3.1x
# PDR: Port driver
# MPD: Miniport driver (?)
!:ext vxd/386/pdr/mpd
>>>(&0x7c.l+0x26) string UPX \b, UPX compressed
>>>&(&0x54.l-3) string UNACE \b, ACE self-extracting archive
# looks like ASCII, probably some embedded copyright message.
# and definitely not NE/LE/LX/PE
>>0x3c lelong >0x20000000
>>>(4.s*512) leshort !0x014c \b, MZ for MS-DOS
!:mime application/x-dosexec
!:ext exe/com
# header data too small for extended executable
>2 long !0
>>0x18 leshort <0x40
>>>(4.s*512) leshort !0x014c
>>>>&(2.s-514) string !LE
>>>>>&-2 string !BW \b, MZ for MS-DOS
!:mime application/x-dosexec
>>>>&(2.s-514) string LE \b, LE
>>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender
# educated guess since indirection is still not capable enough for complex offset
# calculations (next embedded executable would be at &(&2*512+&0-2)
# I suspect there are only LE executables in these multi-exe files
>>>>&(2.s-514) string BW
>>>>>0x240 search/0x100 DOS/4G \b, LE for MS-DOS, DOS4GW DOS extender (embedded)
>>>>>0x240 search/0x100 !DOS/4G \b, BW collection for MS-DOS
# This sequence skips to the first COFF segment, usually .text
>(4.s*512) leshort 0x014c \b, COFF
!:mime application/x-dosexec
>>(8.s*16) string go32stub for MS-DOS, DJGPP go32 DOS extender
>>(8.s*16) string emx
>>>&1 string x for DOS, Win or OS/2, emx %s
>>&(&0x42.l-3) byte x
>>>&0x26 string UPX \b, UPX compressed
# and yet another guess: small .text, and after large .data is unusal, could be 32lite
>>&0x2c search/0xa0 .text
>>>&0x0b lelong <0x2000
>>>>&0 lelong >0x6000 \b, 32lite compressed
>(8.s*16) string $WdX \b, WDos/X DOS extender
# By now an executable type should have been printed out. The executable
# may be a self-uncompressing archive, so look for evidence of that and
# print it out.
#
# Some signatures below from Greg Roelofs, [email protected].
#
>0x35 string \x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05 \b, aPack compressed
>0xe7 string LH/2\ Self-Extract \b, %s
>0x1c string UC2X \b, UCEXE compressed
>0x1c string WWP\ \b, WWPACK compressed
>0x1c string RJSX \b, ARJ self-extracting archive
>0x1c string diet \b, diet compressed
>0x1c string LZ09 \b, LZEXE v0.90 compressed
>0x1c string LZ91 \b, LZEXE v0.91 compressed
>0x1c string tz \b, TinyProg compressed
>0x1e string Copyright\ 1989-1990\ PKWARE\ Inc. Self-extracting PKZIP archive
!:mime application/zip
# Yes, this really is "Copr", not "Corp."
>0x1e string PKLITE\ Copr. Self-extracting PKZIP archive
!:mime application/zip
# winarj stores a message in the stub instead of the sig in the MZ header
>0x20 search/0xe0 aRJsfX \b, ARJ self-extracting archive
>0x20 string AIN
>>0x23 string 2 \b, AIN 2.x compressed
>>0x23 string <2 \b, AIN 1.x compressed
>>0x23 string >2 \b, AIN 1.x compressed
>0x24 string LHa's\ SFX \b, LHa self-extracting archive
!:mime application/x-lha
>0x24 string LHA's\ SFX \b, LHa self-extracting archive
!:mime application/x-lha
>0x24 string \ $ARX \b, ARX self-extracting archive
>0x24 string \ $LHarc \b, LHarc self-extracting archive
>0x20 string SFX\ by\ LARC \b, LARC self-extracting archive
>0x40 string aPKG \b, aPackage self-extracting archive
>0x64 string W\ Collis\0\0 \b, Compack compressed
>0x7a string Windows\ self-extracting\ ZIP \b, ZIP self-extracting archive
>>&0xf4 search/0x140 \x0\x40\x1\x0
>>>(&0.l+(4)) string MSCF \b, WinHKI CAB self-extracting archive
>1638 string -lh5- \b, LHa self-extracting archive v2.13S
>0x17888 string Rar! \b, RAR self-extracting archive
# Skip to the end of the EXE. This will usually work fine in the PE case
# because the MZ image is hardcoded into the toolchain and almost certainly
# won't match any of these signatures.
>(4.s*512) long x
>>&(2.s-517) byte x
>>>&0 string PK\3\4 \b, ZIP self-extracting archive
>>>&0 string Rar! \b, RAR self-extracting archive
>>>&0 string =!\x11 \b, AIN 2.x self-extracting archive
>>>&0 string =!\x12 \b, AIN 2.x self-extracting archive
>>>&0 string =!\x17 \b, AIN 1.x self-extracting archive
>>>&0 string =!\x18 \b, AIN 1.x self-extracting archive
>>>&7 search/400 **ACE** \b, ACE self-extracting archive
>>>&0 search/0x480 UC2SFX\ Header \b, UC2 self-extracting archive
# a few unknown ZIP sfxes, no idea if they are needed or if they are
# already captured by the generic patterns above
>(8.s*16) search/0x20 PKSFX \b, ZIP self-extracting archive (PKZIP)
# TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extracting archive
#
# TELVOX Teleinformatica CODEC self-extractor for OS/2:
>49801 string \x79\xff\x80\xff\x76\xff \b, CODEC archive v3.21
>>49824 leshort =1 \b, 1 file
>>49824 leshort >1 \b, %u files
# added by Joerg Jenderek of https://www.freedos.org/software/?prog=kc
# and https://www.freedos.org/software/?prog=kpdos
# for FreeDOS files like KEYBOARD.SYS, KEYBRD2.SYS, KEYBRD3.SYS, *.KBD
0 string/b KCF FreeDOS KEYBoard Layout collection
# only version=0x100 found
>3 uleshort x \b, version 0x%x
# length of string containing author,info and special characters
>6 ubyte >0
#>>6 pstring x \b, name=%s
>>7 string >\0 \b, author=%-.14s
>>7 search/254 \xff \b, info=
#>>>&0 string x \b%-s
>>>&0 string x \b%-.15s
# for FreeDOS *.KL files
0 string/b KLF FreeDOS KEYBoard Layout file
# only version=0x100 or 0x101 found
>3 uleshort x \b, version 0x%x
# stringlength
>5 ubyte >0
>>8 string x \b, name=%-.2s
0 string \xffKEYB\ \ \ \0\0\0\0
>12 string \0\0\0\0`\004\360 MS-DOS KEYBoard Layout file
# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017
# https://amaus.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009
0 ulequad&0x07a0ffffffff 0xffffffff
>0 use msdos-driver
0 name msdos-driver DOS executable (
#!:mime application/octet-stream
!:mime application/x-dosdriver
# also found FreeDOS print driver SPOOL.DEV and disc compression driver STACLOAD.BIN
!:ext sys/dev/bin
>40 search/7 UPX! \bUPX compressed
# DOS device driver attributes
>4 uleshort&0x8000 0x0000 \bblock device driver
# character device
>4 uleshort&0x8000 0x8000 \b
>>4 uleshort&0x0008 0x0008 \bclock
# fast video output by int 29h
>>4 uleshort&0x0010 0x0010 \bfast
# standard input/output device
>>4 uleshort&0x0003 >0 \bstandard
>>>4 uleshort&0x0001 0x0001 \binput
>>>4 uleshort&0x0003 0x0003 \b/
>>>4 uleshort&0x0002 0x0002 \boutput
>>4 uleshort&0x8000 0x8000 \bcharacter device driver
>0 ubyte x
# upx compressed device driver has garbage instead of real in name field of header
>>40 search/7 UPX!
>>40 default x
# leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped
>>>12 ubyte >0x2E \b
>>>>10 ubyte >0x20
>>>>>10 ubyte !0x2E
>>>>>>10 ubyte !0x2A \b%c
>>>>11 ubyte >0x20
>>>>>11 ubyte !0x2E \b%c
>>>>12 ubyte >0x20
>>>>>12 ubyte !0x39
>>>>>>12 ubyte !0x2E \b%c
>>>13 ubyte >0x20
>>>>13 ubyte !0x2E \b%c
>>>>14 ubyte >0x20
>>>>>14 ubyte !0x2E \b%c
>>>>15 ubyte >0x20
>>>>>15 ubyte !0x2E \b%c
>>>>16 ubyte >0x20
>>>>>16 ubyte !0x2E
>>>>>>16 ubyte <0xCB \b%c
>>>>17 ubyte >0x20
>>>>>17 ubyte !0x2E
>>>>>>17 ubyte <0x90 \b%c
# some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field
>>>12 ubyte <0x2F
# they have their real name at offset 22
# also block device drivers like DUMBDRV.SYS
>>>>22 string >\056 %-.6s
>4 uleshort&0x8000 0x0000
# 32 bit sector addressing ( > 32 MB) for block devices
>>4 uleshort&0x0002 0x0002 \b,32-bit sector-
# support by driver functions 13h, 17h, 18h
>4 uleshort&0x0040 0x0040 \b,IOCTL-
# open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh
>4 uleshort&0x0800 0x0800 \b,close media-
# output until busy support by int 10h for character device driver
>4 uleshort&0x8000 0x8000
>>4 uleshort&0x2000 0x2000 \b,until busy-
# direct read/write support by driver functions 03h,0Ch
>4 uleshort&0x4000 0x4000 \b,control strings-
>4 uleshort&0x8000 0x8000
>>4 uleshort&0x6840 >0 \bsupport
>4 uleshort&0x8000 0x0000
>>4 uleshort&0x4842 >0 \bsupport
>0 ubyte x \b)
# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header
0 ulequad 0x0513c00000000012
>0 use msdos-driver
# DOS drivers DC2975.SYS, DUMBDRV.SYS, ECHO.SYS has also none 0xffffffff for pointer field
0 ulequad 0x32f28000ffff0016
>0 use msdos-driver
0 ulequad 0x007f00000000ffff
>0 use msdos-driver
0 ulequad 0x001600000000ffff
>0 use msdos-driver
# DOS drivers LS120.SYS, MKELS120.SYS use reserved bits of attribute field
0 ulequad 0x0bf708c2ffffffff
>0 use msdos-driver
0 ulequad 0x07bd08c2ffffffff
>0 use msdos-driver
# updated by Joerg Jenderek
# GRR: line below too general as it catches also
# rt.lib DYADISKS.PIC and many more
# start with assembler instruction MOV
0 ubyte 0x8c
# skip "AppleWorks word processor data" like ARTICLE.1 ./apple
>4 string !O====
# skip some unknown basic binaries like RocketRnger.SHR
>>5 string !MAIN
# skip "GPG symmetrically encrypted data" ./gnu
# skip "PGP symmetric key encrypted data" ./pgp
# openpgpdefs.h: fourth byte < 14 indicate cipher algorithm type
>>>4 ubyte >13 DOS executable (COM, 0x8C-variant)
# the remaining files should be DOS *.COM executables
# dosshell.COM 8cc0 2ea35f07 e85211 e88a11 b80058 cd
# hmload.COM 8cc8 8ec0 bbc02b 89dc 83c30f c1eb04 b4
# UNDELETE.COM 8cca 2e8916 6503 b430 cd21 8b 2e0200 8b
# BOOTFIX.COM 8cca 2e8916 9603 b430 cd21 8b 2e0200 8b
# RAWRITE3.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
# SHARE.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
# validchr.COM 8cca 2e8916 9603 b430 cd21 8b 2e028b1e
# devload.COM 8cca 8916ad01 b430 cd21 8b2e0200 892e
!:mime application/x-dosexec
!:ext com
# updated by Joerg Jenderek at Oct 2008
0 ulelong 0xffff10eb DR-DOS executable (COM)
# byte 0xeb conflicts with "sequent" magic leshort 0xn2eb
0 ubeshort&0xeb8d >0xeb00
# DR-DOS STACKER.COM SCREATE.SYS missed
0 name msdos-com
>0 byte x DOS executable (COM)
!:mime application/x-dosexec
!:ext com
>6 string SFX\ of\ LHarc \b, %s
>0x1FE leshort 0xAA55 \b, boot code
>85 string UPX \b, UPX compressed
>4 string \ $ARX \b, ARX self-extracting archive
>4 string \ $LHarc \b, LHarc self-extracting archive
>0x20e string SFX\ by\ LARC \b, LARC self-extracting archive
# JMP 8bit
0 byte 0xeb
# allow forward jumps only
>1 byte >-1
# that offset must be accessible
>>(1.b+2) byte x
>>>0 use msdos-com
# JMP 16bit
0 byte 0xe9
# forward jumps
>1 short >-1
# that offset must be accessible
>>(1.s+3) byte x
>>>0 use msdos-com
# negative offset, must not lead into PSP
>1 short <-259
# that offset must be accessible
>>(1,s+65539) byte x
>>>0 use msdos-com
# updated by Joerg Jenderek at Oct 2008,2015
# following line is too general
0 ubyte 0xb8
# skip 2 linux kernels like memtest.bin with "\xb8\xc0\x07\x8e" in ./linux
>0 string !\xb8\xc0\x07\x8e
# modified by Joerg Jenderek
# syslinux COM32 or COM32R executable
>>1 lelong&0xFFFFFFFe 0x21CD4CFe COM executable (32-bit COMBOOT
# https://www.syslinux.org/wiki/index.php/Comboot_API
# Since version 5.00 c32 modules switched from the COM32 object format to ELF
!:mime application/x-c32-comboot-syslinux-exec
!:ext c32
# https://syslinux.zytor.com/comboot.php
# older syslinux version ( <4 )
# (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode
# start with assembler instructions mov eax,21cd4cffh
>>>1 lelong 0x21CD4CFf \b)
# syslinux:doc/comboot.txt
# A COM32R program must start with the byte sequence B8 FE 4C CD 21 (mov
# eax,21cd4cfeh) as a magic number.
# syslinux version (4.x)
# "COM executable (COM32R)" or "Syslinux COM32 module" by TrID
>>>1 lelong 0x21CD4CFe \b, relocatable)
# remaining are DOS COM executables starting with assembler instruction MOV
# like FreeDOS BANNER*.COM FINDDISK.COM GIF2RAW.COM WINCHK.COM
# MS-DOS SYS.COM RESTART.COM
# SYSLINUX.COM (version 1.40 - 2.13)
# GFXBOOT.COM (version 3.75)
# COPYBS.COM POWEROFF.COM INT18.COM
>>1 default x COM executable for DOS
!:mime application/x-dosexec
#!:mime application/x-ms-dos-executable
#!:mime application/x-msdos-program
!:ext com
0 string/b \x81\xfc
>4 string \x77\x02\xcd\x20\xb9
>>36 string UPX! FREE-DOS executable (COM), UPX compressed
!:mime application/x-dosexec
!:ext com
252 string Must\ have\ DOS\ version DR-DOS executable (COM)
!:mime application/x-dosexec
!:ext com
# added by Joerg Jenderek at Oct 2008
# GRR search is not working
#34 search/2 UPX! FREE-DOS executable (COM), UPX compressed
34 string UPX! FREE-DOS executable (COM), UPX compressed
!:mime application/x-dosexec
!:ext com
35 string UPX! FREE-DOS executable (COM), UPX compressed
!:mime application/x-dosexec
!:ext com
# GRR search is not working
#2 search/28 \xcd\x21 COM executable for MS-DOS
#WHICHFAT.cOM
2 string \xcd\x21 COM executable for DOS
!:mime application/x-dosexec
!:ext com
#DELTREE.cOM DELTREE2.cOM
4 string \xcd\x21 COM executable for DOS
!:mime application/x-dosexec
!:ext com
#IFMEMDSK.cOM ASSIGN.cOM COMP.cOM
5 string \xcd\x21 COM executable for DOS
!:mime application/x-dosexec
!:ext com
#DELTMP.COm HASFAT32.cOM
7 string \xcd\x21
>0 byte !0xb8 COM executable for DOS
!:mime application/x-dosexec
!:ext com
#COMP.cOM MORE.COm
10 string \xcd\x21
>5 string !\xcd\x21 COM executable for DOS
!:mime application/x-dosexec
!:ext com
#comecho.com
13 string \xcd\x21 COM executable for DOS
!:mime application/x-dosexec
!:ext com
#HELP.COm EDIT.coM
18 string \xcd\x21 COM executable for MS-DOS
!:mime application/x-dosexec
!:ext com
#NWRPLTRM.COm
23 string \xcd\x21 COM executable for MS-DOS
!:mime application/x-dosexec
!:ext com
#LOADFIX.cOm LOADFIX.cOm
30 string \xcd\x21 COM executable for MS-DOS
!:mime application/x-dosexec
!:ext com
#syslinux.com 3.11
70 string \xcd\x21 COM executable for DOS
!:mime application/x-dosexec
!:ext com
# many compressed/converted COMs start with a copy loop instead of a jump
0x6 search/0xa \xfc\x57\xf3\xa5\xc3 COM executable for MS-DOS
!:mime application/x-dosexec
!:ext com
0x6 search/0xa \xfc\x57\xf3\xa4\xc3 COM executable for DOS
!:mime application/x-dosexec
!:ext com
>0x18 search/0x10 \x50\xa4\xff\xd5\x73 \b, aPack compressed
0x3c string W\ Collis\0\0 COM executable for MS-DOS, Compack compressed
!:mime application/x-dosexec
!:ext com
# FIXME: missing diet .com compression
# miscellaneous formats
0 string/b LZ MS-DOS executable (built-in)
#0 byte 0xf0 MS-DOS program library data
#
# AAF files:
# Stuart Cunningham
0 string/b \320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377 AAF legacy file using MS Structured Storage
>30 byte 9 (512B sectors)
>30 byte 12 (4kB sectors)
0 string/b \320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001 AAF file using MS Structured Storage
>30 byte 9 (512B sectors)
>30 byte 12 (4kB sectors)
# Popular applications
#
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/DOC
# Reference: https://web.archive.org/web/20170206041048/
# http://www.msxnet.org/word2rtf/formats/ffh-dosword5
# wIdent+dty
0 belong 0x31be0000
# skip droid skeleton like x-fmt-274-signature-id-488.doc
>128 ubyte >0 Microsoft
>>96 uleshort =0 Word
!:mime application/msword
!:apple MSWDWDBN
# DCX is used in the Unix version.
!:ext doc/dcx
>>>0x6E ulequad =0 1.0-4.0
>>>0x6E ulequad !0 5.0-6.0
>>>0x6E ulequad x (DOS) Document
# https://web.archive.org/web/20130831064118/http://msxnet.org/word2rtf/formats/write.txt
>>96 uleshort !0 Write 3.0 (Windows) Document
!:mime application/x-mswrite
!:apple MSWDWDBN
# sometimes also doc like in splitter.doc srchtest.doc
!:ext wri/doc
# wTool must be 0125400 octal
#>>4 uleshort !0xAB00 \b, wTool %o
# reserved; must be zero
#>>6 ulelong !0 \b, reserved %u
# block pointer to the block containing optional file manager information
#>>0x1C uleshort x \b, at 0x%x info block
# jump to File manager information block
>>(0x1C.s*128) uleshort x
# test for valid information start; maybe also 0012h
>>>&-2 uleshort =0x0014
# Document ASCIIZ name
>>>>&0x12 string x %s
# author name
>>>>>&1 string x \b, author %s
# reviser name
>>>>>>&1 string x \b, reviser %s
# keywords
>>>>>>>&1 string x \b, keywords %s
# comment
>>>>>>>>&1 string x \b, comment %s
# version number
>>>>>>>>>&1 string x \b, version %s
# date of last change MM/DD/YY
>>>>>>>>>>&1 string x \b, %-.8s
# creation date MM/DD/YY
>>>>>>>>>>&9 string x created %-.8s
# file name of print format like NORMAL.STY
>>0x1E string >0 \b, formatted by %-.66s
# count of pages in whole file for write variant; maybe some times wrong
>>96 uleshort >0 \b, %u pages
# name of the printer driver like HPLASMS
>>0x62 string >0 \b, %-.8s printer
# number of blocks used in the file; seems to be 0 for Word 4.0 and Write 3.0
>>0x6A uleshort >0 \b, %u blocks
# bit field for corrected text areas
#>>0x6C uleshort x \b, 0x%x bit field
# text of document; some times start with 4 non printable characters like CR LF
>>128 ubyte x \b,
>>>128 ubyte >0x1F
>>>>128 string x %s
>>>128 ubyte <0x20
>>>>129 ubyte >0x1F
>>>>>129 string x %s
>>>>129 ubyte <0x20
>>>>>130 ubyte >0x1F
>>>>>>130 string x %s
>>>>>130 ubyte <0x20
>>>>>>131 ubyte >0x1F
>>>>>>>131 string x %s
>>>>>>131 ubyte <0x20
>>>>>>>132 ubyte >0x1F
>>>>>>>>132 string x %s
>>>>>>>132 ubyte <0x20
>>>>>>>>133 ubyte >0x1F
>>>>>>>>>133 string x %s
#
0 string/b PO^Q` Microsoft Word 6.0 Document
!:mime application/msword
#
4 long 0
>0 belong 0xfe320000 Microsoft Word for Macintosh 1.0
!:mime application/msword
!:ext mcw
>0 belong 0xfe340000 Microsoft Word for Macintosh 3.0
!:mime application/msword
!:ext mcw
>0 belong 0xfe37001c Microsoft Word for Macintosh 4.0
!:mime application/msword
!:ext mcw
>0 belong 0xfe370023 Microsoft Word for Macintosh 5.0
!:mime application/msword
!:ext mcw
0 string/b \333\245-\0\0\0 Microsoft Word 2.0 Document
!:mime application/msword
!:ext doc
# Note: seems already recognized as "OLE 2 Compound Document" in ./ole2compounddocs
#512 string/b \354\245\301 Microsoft Word Document
#!:mime application/msword
#
0 string/b \xDB\xA5\x2D\x00 Microsoft WinWord 2.0 Document
!:mime application/msword
#
0 string/b \xDB\xA5\x2D\x00 Microsoft WinWord 2.0 Document
!:mime application/msword
#
0 string/b \x09\x04\x06\x00\x00\x00\x10\x00 Microsoft Excel Worksheet
!:mime application/vnd.ms-excel
# https://www.macdisk.com/macsigen.php
!:apple XCELXLS4
!:ext xls
#
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/Lotus_1-2-3
# Reference: http://www.aboutvb.de/bas/formate/pdf/wk3.pdf
# Note: newer Lotus versions >2 use longer BOF record
# record type (BeginningOfFile=0000h) + length (001Ah)
0 belong 0x00001a00
# reserved should be 0h but 8c0dh for TUTMAC.WK3, 5h for SAMPADNS.WK3, 1h for a_readme.wk3, 1eh for K&G86.WK3
#>18 uleshort&0x73E0 0
# Lotus Multi Byte Character Set (LMBCS=1-31)
>20 ubyte >0
>>20 ubyte <32 Lotus 1-2-3
#!:mime application/x-123
!:mime application/vnd.lotus-1-2-3
!:apple ????L123
# (version 5.26) labeled the entry as "Lotus 1-2-3 wk3 document data"
>>>4 uleshort 0x1000 WorKsheet, version 3
!:ext wk3
# (version 5.26) labeled the entry as "Lotus 1-2-3 wk4 document data"
>>>4 uleshort 0x1002 WorKsheet, version 4
# also worksheet template 4 (.wt4)
!:ext wk4/wt4
# no example or documentation for wk5
#>>4 uleshort 0x???? WorKsheet, version 4
#!:ext wk5
# only MacrotoScript.123 example
>>>4 uleshort 0x1003 WorKsheet, version 97
# also worksheet template Smartmaster (.12M)?
!:ext 123
# only Set_Y2K.123 example
>>>4 uleshort 0x1005 WorKsheet, version 9.8 Millennium
!:ext 123
# no example for this version
>>>4 uleshort 0x8001 FoRMatting data
!:ext frm
# (version 5.26) labeled the entry as "Lotus 1-2-3 fm3 or fmb document data"
# TrID labeles the entry as "Formatting Data for Lotus 1-2-3 worksheet"
>>>4 uleshort 0x8007 ForMatting data, version 3
!:ext fm3
>>>4 default x unknown
# file revision sub code 0004h for worksheets
>>>>6 uleshort =0x0004 worksheet
!:ext wXX
>>>>6 uleshort !0x0004 formatting data
!:ext fXX
# main revision number
>>>>4 uleshort x \b, revision 0x%x
>>>6 uleshort =0x0004 \b, cell range
# active cellcoord range (start row, page,column ; end row, page, column)
# start values normally 0~1st sheet A1
>>>>8 ulelong !0
>>>>>10 ubyte >0 \b%d*
>>>>>8 uleshort x \b%d,
>>>>>11 ubyte x \b%d-
# end page mostly 0
>>>>14 ubyte >0 \b%d*
# end raw, column normally not 0
>>>>12 uleshort x \b%d,
>>>>15 ubyte x \b%d
# Lotus Multi Byte Character Set (1~cp850,2~cp851,...,16~japan,...,31~??)
>>>>20 ubyte >1 \b, character set 0x%x
# flags
>>>>21 ubyte x \b, flags 0x%x
>>>6 uleshort !0x0004
# record type (FONTNAME=00AEh)
>>>>30 search/29 \0\xAE
# variable length m (2) + entries (1) + ?? (1) + LCMBS string (n)
>>>>>&4 string >\0 \b, 1st font "%s"
#
# Update: Joerg Jenderek
# URL: http://fileformats.archiveteam.org/wiki/Lotus_1-2-3
# Reference: http://www.schnarff.com/file-formats/lotus-1-2-3/WSFF2.TXT
# Note: Used by both old Lotus 1-2-3 and Lotus Symphony (DOS) til version 2.x
# record type (BeginningOfFile=0000h) + length (0002h)
0 belong 0x00000200
# GRR: line above is too general as it catches also MS Windows CURsor
# to display MS Windows cursor (strength=70) before Lotus 1-2-3 (strength=70-1)
!:strength -1
# skip Windows cursors with image height <256 and keep Lotus with low opcode 0001-0083h
>7 ubyte 0
# skip Windows cursors with image width 256 and keep Lotus with positiv opcode
>>6 ubyte >0 Lotus
# !:mime application/x-123
!:mime application/vnd.lotus-1-2-3
!:apple ????L123
# revision number (0404h = 123 1A, 0405h = Lotus Symphony , 0406h = 123 2.x wk1 , 8006h = fmt , ...)
# undocumented; (version 5.26) labeled the configurations as "Lotus 1-2-3"
>>>4 uleshort 0x0007 1-2-3 CoNFiguration, version 2.x (PGRAPH.CNF)
!:ext cnf
>>>4 uleshort 0x0C05 1-2-3 CoNFiguration, version 2.4J
!:ext cnf
>>>4 uleshort 0x0801 1-2-3 CoNFiguration, version 1-2.1
!:ext cnf
>>>4 uleshort 0x0802 Symphony CoNFiguration
!:ext cnf
>>>4 uleshort 0x0804 1-2-3 CoNFiguration, version 2.2
!:ext cnf
>>>4 uleshort 0x080A 1-2-3 CoNFiguration, version 2.3-2.4
!:ext cnf
>>>4 uleshort 0x1402 1-2-3 CoNFiguration, version 3.x
!:ext cnf
>>>4 uleshort 0x1450 1-2-3 CoNFiguration, version 4.x
!:ext cnf
# (version 5.26) labeled the entry as "Lotus 123"
# TrID labeles the entry as "Lotus 123 Worksheet (generic)"
>>>4 uleshort 0x0404 1-2-3 WorKSheet, version 1
# extension "wks" also for Microsoft Works document
!:ext wks
# (version 5.26) labeled the entry as "Lotus 123"
# TrID labeles the entry as "Lotus 123 Worksheet (generic)"
>>>4 uleshort 0x0405 Symphony WoRksheet, version 1.0
!:ext wrk/wr1
# (version 5.26) labeled the entry as "Lotus 1-2-3 wk1 document data"
# TrID labeles the entry as "Lotus 123 Worksheet (V2)"
>>>4 uleshort 0x0406 1-2-3/Symphony worksheet, version 2
# Symphony (.wr1)
!:ext wk1/wr1
# no example for this japan version
>>>4 uleshort 0x0600 1-2-3 WorKsheet, version 1.xJ
!:ext wj1
# no example or documentation for wk2
#>>>4 uleshort 0x???? 1-2-3 WorKsheet, version 2
#!:ext wk2
# undocumented japan version
>>>4 uleshort 0x0602 1-2-3 worksheet, version 2.4J
!:ext wj3
# (version 5.26) labeled the entry as "Lotus 1-2-3 fmt document data"
>>>4 uleshort 0x8006 1-2-3 ForMaTting data, version 2.x
# japan version 2.4J (fj3)
!:ext fmt/fj3
# no example for this version
>>>4 uleshort 0x8007 1-2-3 FoRMatting data, version 2.0
!:ext frm
# (version 5.26) labeled the entry as "Lotus 1-2-3"
>>>4 default x unknown worksheet or configuration
!:ext cnf
>>>>4 uleshort x \b, revision 0x%x
# 2nd record for most worksheets describes cells range
>>>6 use lotus-cells
# 3nd record for most japan worksheets describes cells range
>>>(8.s+10) use lotus-cells
# check and then display Lotus worksheet cells range
0 name lotus-cells
# look for type (RANGE=0006h) + length (0008h) at record begin
>0 ubelong 0x06000800 \b, cell range
# cell range (start column, row, end column, row) start values normally 0,0~A1 cell
>>4 ulong !0
>>>4 uleshort x \b%d,
>>>6 uleshort x \b%d-
# end of cell range
>>8 uleshort x \b%d,
>>10 uleshort x \b%d
# EndOfLotus123
0 string/b WordPro\0 Lotus WordPro
!:mime application/vnd.lotus-wordpro
0 string/b WordPro\r\373 Lotus WordPro
!:mime application/vnd.lotus-wordpro
# Summary: Script used by InstallScield to uninstall applications
# Extension: .isu
# Submitted by: unknown
# Modified by (1): Abel Cheung (replace useless entry)
0 string \x71\xa8\x00\x00\x01\x02
>12 string Stirling\ Technologies, InstallShield Uninstall Script
# Winamp .avs
#0 string Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media player
0 string/b Nullsoft\ AVS\ Preset\ Winamp plug in
# Windows Metafile .WMF
0 string/b \327\315\306\232 Windows metafile
!:mime image/wmf
!:ext wmf
0 string/b \002\000\011\000 Windows metafile
!:mime image/wmf
!:ext wmf
0 string/b \001\000\011\000 Windows metafile
!:mime image/wmf
!:ext wmf
#tz3 files whatever that is (MS Works files)
0 string/b \003\001\001\004\070\001\000\000 tz3 ms-works file
0 string/b \003\002\001\004\070\001\000\000 tz3 ms-works file
0 string/b \003\003\001\004\070\001\000\000 tz3 ms-works file
# PGP sig files .sig
#0 string \211\000\077\003\005\000\063\237\127 065 to \027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002 PGP sig
0 string \211\000\225\003\005\000\062\122\207\304\100\345\042 PGP sig
# windows zips files .dmf
0 string/b MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000 MS Windows special zipped file
# Windows icons
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
# Note: similar to Windows CURsor. container for BMP (only DIB part) or PNG
0 belong 0x00000100
>9 byte 0
>>0 byte x
>>0 use cur-ico-dir
>9 ubyte 0xff
>>0 byte x
>>0 use cur-ico-dir
# displays number of icons and information for icon or cursor
0 name cur-ico-dir
# skip some Lotus 1-2-3 worksheets, CYCLE.PIC and keep Windows cursors with
# 1st data offset = dir header size + n * dir entry size = 6 + n * 10h = ?6h
>18 ulelong &0x00000006
# skip remaining worksheets, because valid only for DIB image (40) or PNG image (\x89PNG)
>>(18.l) ulelong x MS Windows
>>>0 ubelong 0x00000100 icon resource
# https://www.iana.org/assignments/media-types/image/vnd.microsoft.icon
!:mime image/vnd.microsoft.icon
#!:mime image/x-icon
!:ext ico
>>>>4 uleshort x - %d icon
# plural s
>>>>4 uleshort >1 \bs
# 1st icon
>>>>0x06 use ico-entry
# 2nd icon
>>>>4 uleshort >1
>>>>>0x16 use ico-entry
>>>0 ubelong 0x00000200 cursor resource
#!:mime image/x-cur
!:mime image/x-win-bitmap
!:ext cur
>>>>4 uleshort x - %d icon
>>>>4 uleshort >1 \bs
# 1st cursor
>>>>0x06 use cur-entry
#>>>>0x16 use cur-entry
# display information of one cursor entry
0 name cur-entry
>0 use cur-ico-entry
>4 uleshort x \b, hotspot @%dx
>6 uleshort x \b%d
# display information of one icon entry
0 name ico-entry
>0 use cur-ico-entry
# normally 0 1 but also found 14
>4 uleshort >1 \b, %d planes
# normally 0 1 but also found some 3, 4, some 6, 8, 24, many 32, two 256
>6 uleshort >1 \b, %d bits/pixel
# display shared information of cursor or icon entry
0 name cur-ico-entry
>0 byte =0 \b, 256x
>0 byte !0 \b, %dx
>1 byte =0 \b256
>1 byte !0 \b%d
# number of colors in palette
>2 ubyte !0 \b, %d colors
# reserved 0 FFh
#>3 ubyte x \b, reserved %x
#>8 ulelong x \b, image size %d
# offset of PNG or DIB image
#>12 ulelong x \b, offset 0x%x
# PNG header (\x89PNG)
>(12.l) ubelong =0x89504e47
# 1 space char after "with" to get phrase "with PNG image" by magic in ./images
>>&-4 indirect x \b with
# DIB image
>(12.l) ubelong !0x89504e47
#>>&-4 use dib-image
# Windows non-animated cursors
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
# Note: similar to Windows ICOn. container for BMP ( only DIB part)
# GRR: line below is too general as it catches also Lotus 1-2-3 files
0 belong 0x00000200
>9 byte 0
>>0 use cur-ico-dir
>9 ubyte 0xff
>>0 use cur-ico-dir
# .chr files
0 string/b PK\010\010BGI Borland font
>4 string >\0 %s
# then there is a copyright notice
# .bgi files
0 string/b pk\010\010BGI Borland device
>4 string >\0 %s
# then there is a copyright notice
# Windows Recycle Bin record file (named INFO2)
# By Abel Cheung (abelcheung AT gmail dot com)
# Version 4 always has 280 bytes (0x118) per record, version 5 has 800 bytes
# Since Vista uses another structure, INFO2 structure probably won't change
# anymore. Detailed analysis in:
# http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf
0 lelong 0x00000004
>12 lelong 0x00000118 Windows Recycle Bin INFO2 file (Win98 or below)
0 lelong 0x00000005
>12 lelong 0x00000320 Windows Recycle Bin INFO2 file (Win2k - WinXP)
# From Doug Lee via a FreeBSD pr
9 string GERBILDOC First Choice document
9 string GERBILDB First Choice database
9 string GERBILCLIP First Choice database
0 string GERBIL First Choice device file
9 string RABBITGRAPH RabbitGraph file
0 string DCU1 Borland Delphi .DCU file
0 string =! MKS Spell hash list (old format)
0 string =! MKS Spell hash list
# Too simple - MPi
#0 string AH Halo(TM) bitmapped font file
0 lelong 0x08086b70 TurboC BGI file
0 lelong 0x08084b50 TurboC Font file
# Debian#712046: The magic below identifies "Delphi compiled form data".
# An additional source of information is available at:
# http://www.woodmann.com/fravia/dafix_t1.htm
0 string TPF0
>4 pstring >\0 Delphi compiled form '%s'
# tests for DBase files moved, updated and merged to database
0 string PMCC Windows 3.x .GRP file
1 string RDC-meg MegaDots
>8 byte >0x2F version %c
>9 byte >0x2F \b.%c file
0 lelong 0x4C
>4 lelong 0x00021401 Windows shortcut file
# .PIF files added by Joerg Jenderek from https://smsoft.ru/en/pifdoc.htm
# only for windows versions equal or greater 3.0
0x171 string MICROSOFT\ PIFEX\0 Windows Program Information File
!:mime application/x-dosexec
!:ext pif
#>2 string >\0 \b, Title:%.30s
>0x24 string >\0 \b for %.63s
>0x65 string >\0 \b, directory=%.64s
>0xA5 string >\0 \b, parameters=%.64s
#>0x181 leshort x \b, offset %x
#>0x183 leshort x \b, offsetdata %x
#>0x185 leshort x \b, section length %x
>0x187 search/0xB55 WINDOWS\ VMM\ 4.0\0
>>&0x5e ubyte >0
>>>&-1 string >>&-1 string PIFMGR.DLL \b, icon=%s
>>>&-1 string >PIFMGR.DLL \b, icon=%s
>>&0xF0 ubyte >0
>>>&-1 string >>&-1 string =Terminal \b, font=%.32s
>>>&-1 string >Terminal \b, font=%.32s
>>&0x110 ubyte >0
>>>&-1 string >>&-1 string =Lucida\ Console \b, TrueTypeFont=%.32s
>>>&-1 string >Lucida\ Console \b, TrueTypeFont=%.32s
#>0x187 search/0xB55 WINDOWS\ 286\ 3.0\0 \b, Windows 3.X standard mode-style
#>0x187 search/0xB55 WINDOWS\ 386\ 3.0\0 \b, Windows 3.X enhanced mode-style
>0x187 search/0xB55 WINDOWS\ NT\ \ 3.1\0 \b, Windows NT-style
#>0x187 search/0xB55 WINDOWS\ NT\ \ 4.0\0 \b, Windows NT-style
>0x187 search/0xB55 CONFIG\ \ SYS\ 4.0\0 \b +CONFIG.SYS
#>>&06 string x \b:%s
>0x187 search/0xB55 AUTOEXECBAT\ 4.0\0 \b +AUTOEXEC.BAT
#>>&06 string x \b:%s
# DOS EPS Binary File Header
# From: Ed Sznyter
0 belong 0xC5D0D3C6 DOS EPS Binary File
!:mime image/x-eps
>4 long >0 Postscript starts at byte %d
>>8 long >0 length %d
>>>12 long >0 Metafile starts at byte %d
>>>>16 long >0 length %d
>>>20 long >0 TIFF starts at byte %d
>>>>24 long >0 length %d
# TNEF magic From "Joomy"
# Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF)
0 lelong 0x223e9f78 TNEF
!:mime application/vnd.ms-tnef
# Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C
# of http://www.davep.org/norton-guides/ng2h-105.tgz
# https://en.wikipedia.org/wiki/Norton_Guides
0 string NG\0\001
# only value 0x100 found at offset 2
>2 ulelong 0x00000100 Norton Guide
# Title[40]
>>8 string >\0 "%-.40s"
#>>6 uleshort x \b, MenuCount=%u
# szCredits[5][66]
>>48 string >\0 \b, %-.66s
>>114 string >\0 %-.66s
# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS
# of https://www.4dos.info/
# pointer,HelpID[8]=4DHnnnmm
0 ulelong 0x48443408 4DOS help file
>4 string x \b, version %-4.4s
# old binary Microsoft (.HLP) files added by Joerg Jenderek from http://file-extension.net/seeker/file_extension_hlp
0 ulequad 0x3a000000024e4c MS Advisor help file
# HtmlHelp files (.chm)
0 string/b ITSF\003\000\000\000\x60\000\000\000 MS Windows HtmlHelp Data
# GFA-BASIC (Wolfram Kleff)
2 string/b GFA-BASIC3 GFA-BASIC 3 data
#------------------------------------------------------------------------------
# From Stuart Caie (developer of cabextract)
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/Cabinet_(file_format)
# Reference: https://msdn.microsoft.com/en-us/library/bb267310.aspx
# Note: verified by `7z l *.cab`
# Microsoft Cabinet files
0 string/b MSCF\0\0\0\0 Microsoft Cabinet archive data
#
# https://support.microsoft.com/en-us/help/973559/frequently-asked-questions-about-the-microsoft-support-diagnostic-tool
# CAB with *.{diagcfg,diagpkg} is used by Microsoft Support Diagnostic Tool MSDT.EXE
# because some archive does not have *.diag* as 1st or 2nd archive member like
# O15CTRRemove.diagcab or AzureStorageAnalyticsLogs_global.DiagCab
# brute looking after header for filenames with diagcfg or diagpkg extension in CFFILE section
>0x2c search/980/c .diag \b, Diagnostic
!:mime application/vnd.ms-cab-compressed
!:ext diagcab
# http://fileformats.archiveteam.org/wiki/PUZ
# Microsoft Publisher version about 2003 has a "Pack and Go" feature that
# bundles a Publisher document *PNG.pub with all links into a CAB
>0x2c search/300/c png.pub\0 \b, Publisher Packed and Go
!:mime application/vnd.ms-cab-compressed
!:ext puz
# ppz variant with Microsoft PowerPoint Viewer ppview32.exe to play PowerPoint presentation
>0x2c search/17/c ppview32.exe\0 \b, PowerPoint Viewer Packed and Go
!:mime application/vnd.ms-powerpoint
#!:mime application/mspowerpoint
!:ext ppz
# http://www.incredimail.com/
# IncrediMail CAB contains an initialisation file "content.ini" like in im2.ims
>0x2c search/3369/c content.ini\0 \b, IncrediMail
!:mime application/x-incredimail
# member Flavor.htm implies IncrediMail ecard like in tell_a_friend.imf
>>0x2c search/83/c Flavor.htm\0 ecard
!:ext imf
# member Macromedia Flash data *.swf implies IncrediMail skin like in im2.ims
>>0x2c search/211/c .swf\0 skin
!:ext ims
# member anim.im3 implies IncrediMail animation like in letter_fold.ima
>>0x2c search/92/c anim.im3\0 animation
!:ext ima
# other IncrediMail cab archive
>>0x2c default x
>>>0x2c search/116/c thumb ecard, image, notifier or skin
!:ext imf/imi/imn/ims
# http://file-extension.net/seeker/file_extension_ime
>>>0x2c default x emoticons or sound
!:ext ime/imw
# no Diagnostic and IncrediMail
>0x2c default x
# look for 1st member name
>>(16.l+16) ubyte x
# https://en.wikipedia.org/wiki/SNP_file_format
>>>&-1 string/c _accrpt_.snp \b, Access report snapshot
!:mime application/msaccess
!:ext snp
# https://www.cabextract.org.uk/wince_cab_format/
# extension of DOS 8+3 name with ".000" of 1st archive member name implies Windows CE installer
>>>&7 string =.000 \b, WinCE install
!:mime application/vnd.ms-cab-compressed
!:ext cab
# https://support.microsoft.com/kb/934307/en-US
# All inspected MSU contain a file with name WSUSSCAN.cab
# that is called "Windows Update meta data" by Microsoft
>>>&-1 string/c wsusscan.cab \b, Microsoft Standalone Update
!:mime application/vnd.ms-cab-compressed
!:ext msu
>>>&-1 default x
# look at point charcter of 1st archive member name for file name extension
>>>>&-1 search/255 .
# http://www.pptfaq.com/FAQ00164_What_is_a_PPZ_file-.htm
# PPZ were created using Pack & Go feature of PowerPoint versions 97 - 2002
# packs optional files, a PowerPoint presentation *.ppt with optional PLAYLIST.LST to CAB
>>>>>&0 string/c ppt\0 \b, PowerPoint Packed and Go
!:mime application/vnd.ms-powerpoint
#!:mime application/mspowerpoint
!:ext ppz
# https://msdn.microsoft.com/en-us/library/windows/desktop/bb773190(v=vs.85).aspx
# first member *.theme implies Windows 7 Theme Pack like in CommunityShowcaseAqua3.themepack
# or Windows 8 Desktop Theme Pack like in PanoramicGlaciers.deskthemepack
>>>>>&0 string/c theme \b, Windows
!:mime application/x-windows-themepack
# https://www.drewkeller.com/content/using-theme-both-windows-7-and-windows-8
# 1st member Panoramic.theme or Panoramas.theme implies Windows 8-10 Theme Pack
# with MTSM=RJSPBS in [MasterThemeSelector] inside *.theme
>>>>>>(16.l+16) string =Panoram 8
!:ext deskthemepack
>>>>>>(16.l+16) string !Panoram 7 or 8
!:ext themepack/deskthemepack
>>>>>>(16.l+16) ubyte x Theme Pack
>>>>>&0 default x
# look for null terminator of 1st member name
>>>>>>&0 search/255 \0
# 2nd member name WSUSSCAN.cab like in Microsoft-Windows-MediaFeaturePack-OOB-Package.msu
>>>>>>>&16 string/c wsusscan.cab \b, Microsoft Standalone Update
!:mime application/vnd.ms-cab-compressed
!:ext msu
>>>>>>>&16 default x
# archive with more then one file need some output in version 5.32 to avoid error message like
# Magdir/msdos, 1138: Warning: Current entry does not yet have a description for adding a MIME type
# Magdir/msdos, 1139: Warning: Current entry does not yet have a description for adding a EXTENSION type
# file: could not find any valid magic files!
>>>>>>>>28 uleshort >1 \b, many
!:mime application/vnd.ms-cab-compressed
!:ext cab
# remaining archives with just one file
>>>>>>>>28 uleshort =1
# neither extra bytes nor cab chain implies Windows 2000,XP setup files in directory i386
>>>>>>>>>30 uleshort =0x0000 \b, Windows 2000/XP setup
# cut of last char of source extension and add underscore to generate extension
# TERMCAP._ ... FXSCOUNT.H_ ... L3CODECA.AC_ ... NPDRMV2.ZI_
!:mime application/vnd.ms-cab-compressed
!:ext _/?_/??_
# archive need some output like "single" in version 5.32 to avoid error messages
>>>>>>>>>30 uleshort !0x0000 \b, single
!:mime application/vnd.ms-cab-compressed
!:ext cab
# TODO: additional extensions like
# .xsn InfoPath Dynamic Form
# .xtp InfoPath Template Part
# .lvf Logitech Video Effects Face Accessory
>8 ulelong x \b, %u bytes
>28 uleshort 1 \b, 1 file
>28 uleshort >1 \b, %u files
# Reserved fields, set to zero
#>4 belong !0 \b, reserved1 %x
#>12 belong !0 \b, reserved2 %x
# offset of the first CFFILE entry coffFiles: minimal 2Ch
>16 ulelong x \b, at 0x%x
>(16.l) use cab-file
# at least also 2nd member
>28 uleshort >1
>>(16.l+16) ubyte x
>>>&0 search/255 \0
# second member info
>>>>&0 use cab-file
#>20 belong !0 \b, reserved %x
# Cabinet file format version. Currently, versionMajor = 1 and versionMinor = 3
>24 ubeshort !0x0301 \b version 0x%x
# number of CFFOLDER entries
>26 uleshort >1 \b, %u cffolders
# cabinet file option indicators 1~PREVIOUS, 2~NEXT, 4~reserved fields
# only found for flags 0 1 2 3 4 not 7
>30 uleshort >0 \b, flags 0x%x
# Cabinet files have a 16-bit cabinet setID field that is designed for application use.
# default is zero, however, the -i option of cabarc can be used to set this field
>32 uleshort >0 \b, ID %u
# iCabinet is number of this cabinet file in a set, where 0 for the first cabinet
#>34 uleshort x \b, iCabinet %u
# add one for display because humans start numbering by 1 and also fit to name of disk szDisk*
>34 uleshort+1 x \b, number %u
>30 uleshort &0x0004 \b, extra bytes
# cbCFHeader optional size of per-cabinet reserved area 14h 1800h
>>36 uleshort >0 %u in head
# cbCFFolder is optional size of per-folder reserved area
>>38 ubyte >0 %u in folder
# cbCFData is optional size of per-datablock reserved area
>>39 ubyte >0 %u in data block
# optional per-cabinet reserved area abReserve[cbCFHeader]
>>36 uleshort >0
# 1st CFFOLDER after reserved area in header
>>>(36.s+40) use cab-folder
# no reserved area in header
>30 uleshort ^0x0004
# no previous and next cab archive
>>30 uleshort =0x0000
>>>36 use cab-folder
# only previous cab archive
>>30 uleshort =0x0001 \b, previous
>>>36 use cab-anchor
# only next cab archive
>>30 uleshort =0x0002 \b, next
>>>36 use cab-anchor
# previous+next cab archive
# can not use sub routine cab-anchor to display previous and next cabinet together
#>>>36 use cab-anchor
#>>>>&0 use cab-anchor
>>30 uleshort =0x0003 \b, previous
>>>36 string x %s
# optional name of previous disk szDisk*
>>>>&1 string x disk %s
>>>>>&1 string x \b, next %s
# optional name of previous disk szDisk*
>>>>>>&1 string x disk %s
>>>>>>>&1 use cab-folder
# display filename and disk name of previous or next cabinet
0 name cab-anchor
# optional name of previous/next cabinet file szCabinet*[255]
>&0 string x %s
# optional name of previous/next disk szDisk*[255]
>>&1 string x disk %s
# display folder structure CFFOLDER information like compression of cabinet
0 name cab-folder
# offset of the CFDATA block in this folder
#>0 ulelong x \b, coffCabStart 0x%x
# number of CFDATA blocks in folder
>4 uleshort x \b, %u datablock
# plural s
>4 uleshort >1 \bs
# compression typeCompress: 0~None 1~MSZIP 0x1503~LZX:21 0x1003~LZX:16 0x0f03~LZX:15
>6 uleshort x \b, 0x%x compression
# optional per-folder reserved area
#>8 ubequad x \b, abReserve 0x%llx
# display member structure CFFILE information like member name of cabinet
0 name cab-file
# cbFile is uncompressed size of file in bytes
#>0 ulelong x \b, cbFile %u
# uoffFolderStart is uncompressed offset of file in folder
#>4 ulelong >0 \b, uoffFolderStart 0x%x
# iFolder is index into the CFFOLDER area. 0 indicates first folder in cabinet
# define ifoldCONTINUED_FROM_PREV (0xFFFD)
# define ifoldCONTINUED_TO_NEXT (0xFFFE)
# define ifoldCONTINUED_PREV_AND_NEXT (0xFFFF)
>8 uleshort >0 \b, iFolder 0x%x
# date stamp for file
#>10 uleshort x \b, date 0x%x
# time stamp for file
#>12 uleshort x \b, time 0x%x
# attribs is attribute flags for file
# define _A_RDONLY (0x01) file is read-only
# define _A_HIDDEN (0x02) file is hidden
# define _A_SYSTEM (0x04) file is a system file
# define _A_ARCH (0x20) file modified since last backup
# example http://sebastien.kirche.free.fr/pebuilder_plugins/depends.cab
# define _A_EXEC (0x40) run after extraction
# define _A_NAME_IS_UTF (0x80) szName[] contains UTF
# define UNKNOWN (0x0100) undocumented or accident
#>14 uleshort x \b, attribs 0x%x
>14 uleshort >0 +
>>14 uleshort &0x0001 \bR
>>14 uleshort &0x0002 \bH
>>14 uleshort &0x0004 \bS
>>14 uleshort &0x0020 \bA
>>14 uleshort &0x0040 \bX
>>14 uleshort &0x0080 \bUtf
# unknown 0x0100 flag found on one XP_CD:\I386\DRIVER.CAB
>>14 uleshort &0x0100 \b?
# szName is name of archive member
>16 string x "%s"
# next archive member name if more files
#>>&17 string >\0 \b, NEXT NAME %-.50s
# InstallShield Cabinet files
0 string/b ISc( InstallShield Cabinet archive data
>5 byte&0xf0 =0x60 version 6,
>5 byte&0xf0 !0x60 version 4/5,
>(12.l+40) lelong x %u files
# Windows CE package files
0 string/b MSCE\0\0\0\0 Microsoft WinCE install header
>20 lelong 0 \b, architecture-independent
>20 lelong 103 \b, Hitachi SH3
>20 lelong 104 \b, Hitachi SH4
>20 lelong 0xA11 \b, StrongARM
>20 lelong 4000 \b, MIPS R4000
>20 lelong 10003 \b, Hitachi SH3
>20 lelong 10004 \b, Hitachi SH3E
>20 lelong 10005 \b, Hitachi SH4
>20 lelong 70001 \b, ARM 7TDMI
>52 leshort 1 \b, 1 file
>52 leshort >1 \b, %u files
>56 leshort 1 \b, 1 registry entry
>56 leshort >1 \b, %u registry entries
# Windows Enhanced Metafile (EMF)
# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp
# for further information.
0 ulelong 1
>40 string \ EMF Windows Enhanced Metafile (EMF) image data
>>44 ulelong x version 0x%x
0 string/b \224\246\056 Microsoft Word Document
!:mime application/msword
# From: "Nelson A. de Oliveira"
# Magic type for Dell's BIOS .hdr files
# Dell's .hdr
0 string/b $RBU
>23 string Dell %s system BIOS
>5 byte 2
>>48 byte x version %d.
>>49 byte x \b%d.
>>50 byte x \b%d
>5 byte <2
>>48 string x version %.3s
# Type: Microsoft Document Imaging Format (.mdi)
# URL: https://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format
# From: Daniele Sempione
# Too weak (EP)
#0 short 0x5045 Microsoft Document Imaging Format
# MS eBook format (.lit)
0 string/b ITOLITLS Microsoft Reader eBook Data
>8 lelong x \b, version %u
!:mime application/x-ms-reader
# Windows CE Binary Image Data Format
# From: Dr. Jesus
0 string/b B000FF\n Windows Embedded CE binary image
# The second byte of these signatures is a file version; I don't know what,
# if anything, produced files with version numbers 0-2.
# From: John Elliott
0 string \xfc\x03\x00 Mallard BASIC program data (v1.11)
0 string \xfc\x04\x00 Mallard BASIC program data (v1.29+)
0 string \xfc\x03\x01 Mallard BASIC protected program data (v1.11)
0 string \xfc\x04\x01 Mallard BASIC protected program data (v1.29+)
0 string MIOPEN Mallard BASIC Jetsam data
0 string Jetsam0 Mallard BASIC Jetsam index data
# DOS backup 2.0 to 3.2
# backupid.@@@
# plausibility check for date
0x3 ushort >1979
>0x5 ubyte-1 <31
>>0x6 ubyte-1 <12
# actually 121 nul bytes
>>>0x7 string \0\0\0\0\0\0\0\0
>>>>0x1 ubyte x DOS 2.0 backup id file, sequence %d
!:ext @@@
>>>>0x0 ubyte 0xff \b, last disk
# backed up file
# skip some AppleWorks word like Tomahawk.Awp, WIN98SE-DE.vhd
# by looking for trailing nul of maximal file name string
0x52 ubyte 0
# test for flag byte: FFh~complete file, 00h~split file
# FFh -127 = -1 -127 = -128
# 00h -127 = 0 -127 = -127
>0 byte-127 <-126
# plausibility check for file name length
>>0x53 ubyte-1 <78
# looking for terminating nul of file name string
>>>(0x53.b+4) ubyte 0
# looking if last char of string is valid DOS file name
>>>>(0x53.b+3) ubyte >0x1F
# actually 44 nul bytes
# but sometimes garbage according to Ralf Quint. So can not be used as test
#>0x54 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
# first char of full file name is DOS (5Ch) or UNIX (2Fh) path separator
# only DOS variant found. UNIX variant according to V32SLASH.TXT in archive PD0315.EXE
>>>>>5 ubyte&0x8C 0x0C
# ./msdos (version 5.30) labeled the entry as
# "DOS 2.0 backed up file %s, split file, sequence %d" or
# "DOS 2.0 backed up file %s, complete file"
>>>>>>0 ubyte x DOS 2.0-3.2 backed up
#>>>>>>0 ubyte 0xff complete
>>>>>>0 ubyte 0
>>>>>>>1 uleshort x sequence %d of
# full file name with path but without drive letter and colon stored from 0x05 til 0x52
>>>>>>0x5 string x file %s
# backup name is original filename
#!:ext *
# magic/Magdir/msdos, 1169: Warning: EXTENSION type ` *' has bad char '*'
# file: line 1169: Bad magic entry ' *'
# after header original file content
>>>>>>128 indirect x \b;
# DOS backup 3.3 to 5.x
# CONTROL.nnn files
0 string \x8bBACKUP\x20
# actually 128 nul bytes
>0xa string \0\0\0\0\0\0\0\0
>>0x9 ubyte x DOS 3.3 backup control file, sequence %d
>>0x8a ubyte 0xff \b, last disk
# NB: The BACKUP.nnn files consist of the files backed up,
# concatenated.
#------------------------------------------------------------------------------
# $File: varied.script,v 1.12 2019/04/19 00:42:27 christos Exp $
# varied.script: file(1) magic for various interpreter scripts
0 string/t #!\ / a
>3 string >\0 %s script text executable
0 string/b #!\ / a
>3 string >\0 %s script executable (binary data)
0 string/t #!\t/ a
>3 string >\0 %s script text executable
0 string/b #!\t/ a
>3 string >\0 %s script executable (binary data)
0 string/t #!/ a
>2 string >\0 %s script text executable
0 string/b #!/ a
>2 string >\0 %s script executable (binary data)
0 string/t #!\ script text executable
>3 string >\0 for %s
0 string/b #!\ script executable
>3 string >\0 for %s (binary data)
# using env
0 string/t #!/usr/bin/env a
>15 string/t >\0 %s script text executable
!:strength / 10
0 string/b #!/usr/bin/env a
>15 string/b >\0 %s script executable (binary data)
!:strength / 10
0 string/t #!\ /usr/bin/env a
>16 string/t >\0 %s script text executable
!:strength / 10
0 string/b #!\ /usr/bin/env a
>16 string/b >\0 %s script executable (binary data)
!:strength / 10
# From: arno
# mozilla xpconnect typelib
# see https://www.mozilla.org/scriptable/typelib_file.html
0 string XPCOM\nTypeLib\r\n\032 XPConnect Typelib
>0x10 byte x version %d
>>0x11 byte x \b.%d
© 2015 - 2024 Weber Informatics LLC | Privacy Policy