Diffstat (limited to 'magic/Magdir/msdos')
-rw-r--r--magic/Magdir/msdos639
1 files changed, 478 insertions, 161 deletions
diff --git a/magic/Magdir/msdos b/magic/Magdir/msdos
index 64d4862..6eb12c2 100644
--- a/magic/Magdir/msdos
+++ b/magic/Magdir/msdos
@@ -1,12 +1,12 @@
#------------------------------------------------------------------------------
-# $File: msdos,v 1.100 2014/06/03 19:17:27 christos Exp $
+# $File: msdos,v 1.120 2017/08/13 00:21:47 christos Exp $
# msdos: file(1) magic for MS-DOS files
#
# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com)
# updated by Joerg Jenderek at Oct 2008,Apr 2011
-0 string/t @
+0 string/t @
>1 string/cW \ echo\ off DOS batch file text
!:mime text/x-msdos-batch
>1 string/cW echo\ off DOS batch file text
@@ -24,7 +24,11 @@
100 search/0xffff say
>100 regex/c =^[\ \t]{0,10}say\ ['"] OS/2 REXX batch file text
-0 leshort 0x14c MS Windows COFF Intel 80386 object file
+# updated by Joerg Jenderek at Oct 2015
+# https://de.wikipedia.org/wiki/Common_Object_File_Format
+# http://www.delorie.com/djgpp/doc/coff/filhdr.html
+# ./intel already labeled COFF type 0x14c=0514 as "80386 COFF executable"
+#0 leshort 0x14c MS Windows COFF Intel 80386 object file
#>4 ledate x stamp %s
0 leshort 0x166 MS Windows COFF MIPS R4000 object file
#>4 ledate x stamp %s
@@ -226,7 +230,7 @@
>>(8.s*16) string go32stub for MS-DOS, DJGPP go32 DOS extender
>>(8.s*16) string emx
>>>&1 string x for DOS, Win or OS/2, emx %s
->>&(&0x42.l-3) byte x
+>>&(&0x42.l-3) byte x
>>>&0x26 string UPX \b, UPX compressed
# and yet another guess: small .text, and after large .data is unusal, could be 32lite
>>&0x2c search/0xa0 .text
@@ -236,8 +240,8 @@
>(8.s*16) string $WdX \b, WDos/X DOS extender
# By now an executable type should have been printed out. The executable
-# may be a self-uncompressing archive, so look for evidence of that and
-# print it out.
+# may be a self-uncompressing archive, so look for evidence of that and
+# print it out.
#
# Some signatures below from Greg Roelofs, newt@uchicago.edu.
#
@@ -279,8 +283,8 @@
# Skip to the end of the EXE. This will usually work fine in the PE case
# because the MZ image is hardcoded into the toolchain and almost certainly
# won't match any of these signatures.
->(4.s*512) long x
->>&(2.s-517) byte x
+>(4.s*512) long x
+>>&(2.s-517) byte x
>>>&0 string PK\3\4 \b, ZIP self-extracting archive
>>>&0 string Rar! \b, RAR self-extracting archive
>>>&0 string =!\x11 \b, AIN 2.x self-extracting archive
@@ -308,80 +312,77 @@
# only version=0x100 found
>3 uleshort x \b, version 0x%x
# length of string containing author,info and special characters
->6 ubyte >0
+>6 ubyte >0
#>>6 pstring x \b, name=%s
>>7 string >\0 \b, author=%-.14s
>>7 search/254 \xff \b, info=
#>>>&0 string x \b%-s
>>>&0 string x \b%-.15s
-# for FreeDOS *.KL files
+# for FreeDOS *.KL files
0 string/b KLF FreeDOS KEYBoard Layout file
# only version=0x100 or 0x101 found
>3 uleshort x \b, version 0x%x
# stringlength
->5 ubyte >0
+>5 ubyte >0
>>8 string x \b, name=%-.2s
-0 string \xffKEYB\ \ \ \0\0\0\0
+0 string \xffKEYB\ \ \ \0\0\0\0
>12 string \0\0\0\0`\004\360 MS-DOS KEYBoard Layout file
-# .COM formats (Daniel Quinlan, quinlan@yggdrasil.com)
-# Uncommenting only the first two lines will cover about 2/3 of COM files,
-# but it isn't feasible to match all COM files since there must be at least
-# two dozen different one-byte "magics".
-# test too generic ?
-0 byte 0xe9 DOS executable (COM)
->0x1FE leshort 0xAA55 \b, boot code
->6 string SFX\ of\ LHarc (%s)
-
-# DOS device driver updated by Joerg Jenderek at May 2011
-# http://maben.homeip.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009
-0 ulequad&0x07a0ffffffff 0xffffffff DOS executable (
->40 search/7 UPX! \bUPX compressed
+# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017
+# https://amaus.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009
+0 ulequad&0x07a0ffffffff 0xffffffff
+>0 use msdos-driver
+0 name msdos-driver DOS executable (
+#!:mime application/octet-stream
+!:mime application/x-dosdriver
+# also found FreeDOS print driver SPOOL.DEV and disc compression driver STACLOAD.BIN
+!:ext sys/dev/bin
+>40 search/7 UPX! \bUPX compressed
# DOS device driver attributes
>4 uleshort&0x8000 0x0000 \bblock device driver
# character device
>4 uleshort&0x8000 0x8000 \b
->>4 uleshort&0x0008 0x0008 \bclock
+>>4 uleshort&0x0008 0x0008 \bclock
# fast video output by int 29h
->>4 uleshort&0x0010 0x0010 \bfast
+>>4 uleshort&0x0010 0x0010 \bfast
# standard input/output device
->>4 uleshort&0x0003 >0 \bstandard
+>>4 uleshort&0x0003 >0 \bstandard
>>>4 uleshort&0x0001 0x0001 \binput
>>>4 uleshort&0x0003 0x0003 \b/
->>>4 uleshort&0x0002 0x0002 \boutput
+>>>4 uleshort&0x0002 0x0002 \boutput
>>4 uleshort&0x8000 0x8000 \bcharacter device driver
->0 ubyte x
+>0 ubyte x
# upx compressed device driver has garbage instead of real in name field of header
->>40 search/7 UPX!
->>40 default x
+>>40 search/7 UPX!
+>>40 default x
# leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped
->>>12 ubyte >0x27 \b
->>>>10 ubyte >0x20
->>>>>10 ubyte !0x2E
+>>>12 ubyte >0x2E \b
+>>>>10 ubyte >0x20
+>>>>>10 ubyte !0x2E
>>>>>>10 ubyte !0x2A \b%c
->>>>11 ubyte >0x20
+>>>>11 ubyte >0x20
>>>>>11 ubyte !0x2E \b%c
->>>>12 ubyte >0x20
->>>>>12 ubyte !0x39
+>>>>12 ubyte >0x20
+>>>>>12 ubyte !0x39
>>>>>>12 ubyte !0x2E \b%c
->>>13 ubyte >0x20
+>>>13 ubyte >0x20
>>>>13 ubyte !0x2E \b%c
->>>>14 ubyte >0x20
+>>>>14 ubyte >0x20
>>>>>14 ubyte !0x2E \b%c
->>>>15 ubyte >0x20
+>>>>15 ubyte >0x20
>>>>>15 ubyte !0x2E \b%c
->>>>16 ubyte >0x20
->>>>>16 ubyte !0x2E
+>>>>16 ubyte >0x20
+>>>>>16 ubyte !0x2E
>>>>>>16 ubyte <0xCB \b%c
->>>>17 ubyte >0x20
->>>>>17 ubyte !0x2E
+>>>>17 ubyte >0x20
+>>>>>17 ubyte !0x2E
>>>>>>17 ubyte <0x90 \b%c
# some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field
->>>4 uleshort&0x8000 0x8000
->>>>12 ubyte <0x2F
+>>>12 ubyte <0x2F
# they have their real name at offset 22
->>>>>22 string >\0 \b%-.5s
->4 uleshort&0x8000 0x0000
+# also block device drivers like DUMBDRV.SYS
+>>>>22 string >\056 %-.6s
+>4 uleshort&0x8000 0x0000
# 32 bit sector addressing ( > 32 MB) for block devices
>>4 uleshort&0x0002 0x0002 \b,32-bit sector-
# support by driver functions 13h, 17h, 18h
@@ -389,54 +390,129 @@
# open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh
>4 uleshort&0x0800 0x0800 \b,close media-
# output until busy support by int 10h for character device driver
->4 uleshort&0x8000 0x8000
+>4 uleshort&0x8000 0x8000
>>4 uleshort&0x2000 0x2000 \b,until busy-
# direct read/write support by driver functions 03h,0Ch
>4 uleshort&0x4000 0x4000 \b,control strings-
->4 uleshort&0x8000 0x8000
+>4 uleshort&0x8000 0x8000
>>4 uleshort&0x6840 >0 \bsupport
->4 uleshort&0x8000 0x0000
+>4 uleshort&0x8000 0x0000
>>4 uleshort&0x4842 >0 \bsupport
>0 ubyte x \b)
-# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header
-# Too weak, matches files that only contain 0's
-#0 ulequad&0x000007a0ffffffed 0x0000000000000000 DOS-executable (
-#>4 uleshort&0x8000 0x8000 \bcharacter device driver
-#>>10 string x %-.8s
-#>4 uleshort&0x4000 0x4000 \b,control strings-support)
-
-# test too generic ?
-0 byte 0x8c DOS executable (COM)
+# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header
+0 ulequad 0x0513c00000000012
+>0 use msdos-driver
+# DOS drivers DC2975.SYS, DUMBDRV.SYS, ECHO.SYS has also none 0xffffffff for pointer field
+0 ulequad 0x32f28000ffff0016
+>0 use msdos-driver
+0 ulequad 0x007f00000000ffff
+>0 use msdos-driver
+0 ulequad 0x001600000000ffff
+>0 use msdos-driver
+# DOS drivers LS120.SYS, MKELS120.SYS use reserved bits of attribute field
+0 ulequad 0x0bf708c2ffffffff
+>0 use msdos-driver
+0 ulequad 0x07bd08c2ffffffff
+>0 use msdos-driver
+
+# updated by Joerg Jenderek
+# GRR: line below too general as it catches also
+# rt.lib DYADISKS.PIC and many more
+# start with assembler instruction MOV
+0 ubyte 0x8c
+# skip "AppleWorks word processor data" like ARTICLE.1 ./apple
+>4 string !O====
+# skip some unknown basic binaries like RocketRnger.SHR
+>>5 string !MAIN
+# skip "GPG symmetrically encrypted data" ./gnu
+# skip "PGP symmetric key encrypted data" ./pgp
+# openpgpdefs.h: fourth byte < 14 indicate cipher algorithm type
+>>>4 ubyte >13 DOS executable (COM, 0x8C-variant)
+# the remaining files should be DOS *.COM executables
+# dosshell.COM 8cc0 2ea35f07 e85211 e88a11 b80058 cd
+# hmload.COM 8cc8 8ec0 bbc02b 89dc 83c30f c1eb04 b4
+# UNDELETE.COM 8cca 2e8916 6503 b430 cd21 8b 2e0200 8b
+# BOOTFIX.COM 8cca 2e8916 9603 b430 cd21 8b 2e0200 8b
+# RAWRITE3.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
+# SHARE.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b
+# validchr.COM 8cca 2e8916 9603 b430 cd21 8b 2e028b1e
+# devload.COM 8cca 8916ad01 b430 cd21 8b2e0200 892e
+!:mime application/x-dosexec
+!:ext com
+
# updated by Joerg Jenderek at Oct 2008
0 ulelong 0xffff10eb DR-DOS executable (COM)
# byte 0xeb conflicts with "sequent" magic leshort 0xn2eb
-0 ubeshort&0xeb8d >0xeb00
+0 ubeshort&0xeb8d >0xeb00
# DR-DOS STACKER.COM SCREATE.SYS missed
->0 byte 0xeb
->>0x1FE leshort 0xAA55 DOS executable (COM), boot code
->>85 string UPX DOS executable (COM), UPX compressed
->>4 string \ $ARX DOS executable (COM), ARX self-extracting archive
->>4 string \ $LHarc DOS executable (COM), LHarc self-extracting archive
->>0x20e string SFX\ by\ LARC DOS executable (COM), LARC self-extracting archive
-# updated by Joerg Jenderek at Oct 2008
-#0 byte 0xb8 COM executable
-0 uleshort&0x80ff 0x00b8
+
+0 name msdos-com
+>0 byte x DOS executable (COM)
+>6 string SFX\ of\ LHarc \b, %s
+>0x1FE leshort 0xAA55 \b, boot code
+>85 string UPX \b, UPX compressed
+>4 string \ $ARX \b, ARX self-extracting archive
+>4 string \ $LHarc \b, LHarc self-extracting archive
+>0x20e string SFX\ by\ LARC \b, LARC self-extracting archive
+
+# JMP 8bit
+0 byte 0xeb
+# allow forward jumps only
+>1 byte >-1
+# that offset must be accessible
+>>(1.b+2) byte x
+>>>0 use msdos-com
+
+# JMP 16bit
+0 byte 0xe9
+# forward jumps
+>1 short >-1
+# that offset must be accessible
+>>(1.s+3) byte x
+>>>0 use msdos-com
+# negative offset, must not lead into PSP
+>1 short <-259
+# that offset must be accessible
+>>(1,s+65539) byte x
+>>>0 use msdos-com
+
+# updated by Joerg Jenderek at Oct 2008,2015
+# following line is too general
+0 ubyte 0xb8
+# skip 2 linux kernels like memtest.bin with "\xb8\xc0\x07\x8e" in ./linux
+>0 string !\xb8\xc0\x07\x8e
# modified by Joerg Jenderek
->1 lelong !0x21cd4cff COM executable for DOS
+# syslinux COM32 or COM32R executable
+>>1 lelong&0xFFFFFFFe 0x21CD4CFe COM executable (32-bit COMBOOT
+# http://www.syslinux.org/wiki/index.php/Comboot_API
+# Since version 5.00 c32 modules switched from the COM32 object format to ELF
+!:mime application/x-c32-comboot-syslinux-exec
+!:ext c32
# http://syslinux.zytor.com/comboot.php
+# older syslinux version ( <4 )
# (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode
# start with assembler instructions mov eax,21cd4cffh
-0 uleshort&0xc0ff 0xc0b8
->1 lelong 0x21cd4cff COM executable (32-bit COMBOOT)
+>>>1 lelong 0x21CD4CFf \b)
# syslinux:doc/comboot.txt
# A COM32R program must start with the byte sequence B8 FE 4C CD 21 (mov
# eax,21cd4cfeh) as a magic number.
-0 string/b \xb8\xfe\x4c\xcd\x21 COM executable (COM32R)
-# start with assembler instructions mov eax,21cd4cfeh
-0 uleshort&0xc0ff 0xc0b8
->1 lelong 0x21cd4cfe COM executable (32-bit COMBOOT, relocatable)
-0 string/b \x81\xfc
->4 string \x77\x02\xcd\x20\xb9
+# syslinux version (4.x)
+# "COM executable (COM32R)" or "Syslinux COM32 module" by TrID
+>>>1 lelong 0x21CD4CFe \b, relocatable)
+# remaining are DOS COM executables starting with assembler instruction MOV
+# like FreeDOS BANNER*.COM FINDDISK.COM GIF2RAW.COM WINCHK.COM
+# MS-DOS SYS.COM RESTART.COM
+# SYSLINUX.COM (version 1.40 - 2.13)
+# GFXBOOT.COM (version 3.75)
+# COPYBS.COM POWEROFF.COM INT18.COM
+>>1 default x COM executable for DOS
+!:mime application/x-dosexec
+#!:mime application/x-ms-dos-executable
+#!:mime application/x-msdos-program
+!:ext com
+
+0 string/b \x81\xfc
+>4 string \x77\x02\xcd\x20\xb9
>>36 string UPX! FREE-DOS executable (COM), UPX compressed
252 string Must\ have\ DOS\ version DR-DOS executable (COM)
# added by Joerg Jenderek at Oct 2008
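Review bot: The 16-bit jump tests `>1 short >-1` and `>1 short <-259` read the displacement in host byte order, while the indirect offsets under them, `(1.s+3)` and `(1,s+65539)`, use the lowercase `s` type, which magic(5) defines as little-endian. On a big-endian host the sign test and the computed target can therefore disagree, so a COM file may be missed or unrelated data accepted. x86 displacements are little-endian, so `>1 leshort >-1` and `>1 leshort <-259` would keep the test and the offset consistent. Separately, the `0 ubyte 0xb8` entry ends in `>>1 default x`, so apart from the skipped kernel pattern any file starting with 0xb8 is labelled `application/x-dosexec`; a comment saying the label is low-confidence would help consumers that act on the MIME type.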
@@ -453,10 +529,10 @@
#IFMEMDSK.cOM ASSIGN.cOM COMP.cOM
5 string \xcd\x21 COM executable for DOS
#DELTMP.COm HASFAT32.cOM
-7 string \xcd\x21
+7 string \xcd\x21
>0 byte !0xb8 COM executable for DOS
#COMP.cOM MORE.COm
-10 string \xcd\x21
+10 string \xcd\x21
>5 string !\xcd\x21 COM executable for DOS
#comecho.com
13 string \xcd\x21 COM executable for DOS
@@ -504,10 +580,23 @@
0 string/b PO^Q` Microsoft Word 6.0 Document
!:mime application/msword
#
-0 string/b \376\067\0\043 Microsoft Office Document
+4 long 0
+>0 belong 0xfe320000 Microsoft Word for Macintosh 1.0
+!:mime application/msword
+!:ext mcw
+>0 belong 0xfe340000 Microsoft Word for Macintosh 3.0
+!:mime application/msword
+!:ext mcw
+>0 belong 0xfe37001c Microsoft Word for Macintosh 4.0
!:mime application/msword
-0 string/b \333\245-\0\0\0 Microsoft Office Document
+!:ext mcw
+>0 belong 0xfe370023 Microsoft Word for Macintosh 5.0
!:mime application/msword
+!:ext mcw
+
+0 string/b \333\245-\0\0\0 Microsoft Word 2.0 Document
+!:mime application/msword
+!:ext doc
512 string/b \354\245\301 Microsoft Word Document
!:mime application/msword
@@ -533,17 +622,158 @@
0 string/b \x09\x04\x06\x00\x00\x00\x10\x00 Microsoft Excel Worksheet
!:mime application/vnd.ms-excel
#
-0 belong 0x00001a00 Lotus 1-2-3
-!:mime application/x-123
->4 belong 0x00100400 wk3 document data
->4 belong 0x02100400 wk4 document data
->4 belong 0x07800100 fm3 or fmb document data
->4 belong 0x07800000 fm3 or fmb document data
+# Update: Joerg Jenderek
+# URL: https://en.wikipedia.org/wiki/Lotus_1-2-3
+# Reference: http://www.aboutvb.de/bas/formate/pdf/wk3.pdf
+# Note: newer Lotus versions >2 use longer BOF record
+# record type (BeginningOfFile=0000h) + length (001Ah)
+0 belong 0x00001a00
+# reserved should be 0h but 8c0dh for TUTMAC.WK3, 5h for SAMPADNS.WK3, 1h for a_readme.wk3, 1eh for K&G86.WK3
+#>18 uleshort&0x73E0 0
+# Lotus Multi Byte Character Set (LMBCS=1-31)
+>20 ubyte >0
+>>20 ubyte <32 Lotus 1-2-3
+#!:mime application/x-123
+!:mime application/vnd.lotus-1-2-3
+!:apple ????L123
+# (version 5.26) labeled the entry as "Lotus 1-2-3 wk3 document data"
+>>>4 uleshort 0x1000 WorKsheet, version 3
+!:ext wk3
+# (version 5.26) labeled the entry as "Lotus 1-2-3 wk4 document data"
+>>>4 uleshort 0x1002 WorKsheet, version 4
+# also worksheet template 4 (.wt4)
+!:ext wk4/wt4
+# no example or documentation for wk5
+#>>4 uleshort 0x???? WorKsheet, version 4
+#!:ext wk5
+# only MacrotoScript.123 example
+>>>4 uleshort 0x1003 WorKsheet, version 97
+# also worksheet template Smartmaster (.12M)?
+!:ext 123
+# only Set_Y2K.123 example
+>>>4 uleshort 0x1005 WorKsheet, version 9.8 Millennium
+!:ext 123
+# no example for this version
+>>>4 uleshort 0x8001 FoRMatting data
+!:ext frm
+# (version 5.26) labeled the entry as "Lotus 1-2-3 fm3 or fmb document data"
+# TrID labeles the entry as "Formatting Data for Lotus 1-2-3 worksheet"
+>>>4 uleshort 0x8007 ForMatting data, version 3
+!:ext fm3
+>>>4 default x unknown
+# file revision sub code 0004h for worksheets
+>>>>6 uleshort =0x0004 worksheet
+!:ext wXX
+>>>>6 uleshort !0x0004 formatting data
+!:ext fXX
+# main revision number
+>>>>4 uleshort x \b, revision 0x%x
+>>>6 uleshort =0x0004 \b, cell range
+# active cellcoord range (start row, page,column ; end row, page, column)
+# start values normally 0~1st sheet A1
+>>>>8 ulelong !0
+>>>>>10 ubyte >0 \b%d*
+>>>>>8 uleshort x \b%d,
+>>>>>11 ubyte x \b%d-
+# end page mostly 0
+>>>>14 ubyte >0 \b%d*
+# end raw, column normally not 0
+>>>>12 uleshort x \b%d,
+>>>>15 ubyte x \b%d
+# Lotus Multi Byte Character Set (1~cp850,2~cp851,...,16~japan,...,31~??)
+>>>>20 ubyte >1 \b, character set 0x%x
+# flags
+>>>>21 ubyte x \b, flags 0x%x
+>>>6 uleshort !0x0004
+# record type (FONTNAME=00AEh)
+>>>>30 search/29 \0\xAE
+# variable length m (2) + entries (1) + ?? (1) + LCMBS string (n)
+>>>>>&4 string >\0 \b, 1st font "%s"
#
-0 belong 0x00000200 Lotus 1-2-3
-!:mime application/x-123
->4 belong 0x06040600 wk1 document data
->4 belong 0x06800200 fmt document data
+# Update: Joerg Jenderek
+# URL: http://fileformats.archiveteam.org/wiki/Lotus_1-2-3
+# Reference: http://www.schnarff.com/file-formats/lotus-1-2-3/WSFF2.TXT
+# Note: Used by both old Lotus 1-2-3 and Lotus Symphony (DOS) til version 2.x
+# record type (BeginningOfFile=0000h) + length (0002h)
+0 belong 0x00000200
+# GRR: line above is too general as it catches also MS Windows CURsor
+# to display MS Windows cursor (strength=70) before Lotus 1-2-3 (strength=70-1)
+!:strength -1
+# skip Windows cursors with image height <256 and keep Lotus with low opcode 0001-0083h
+>7 ubyte 0
+# skip Windows cursors with image width 256 and keep Lotus with positiv opcode
+>>6 ubyte >0 Lotus
+# !:mime application/x-123
+!:mime application/vnd.lotus-1-2-3
+!:apple ????L123
+# revision number (0404h = 123 1A, 0405h = Lotus Symphony , 0406h = 123 2.x wk1 , 8006h = fmt , ...)
+# undocumented; (version 5.26) labeled the configurations as "Lotus 1-2-3"
+>>>4 uleshort 0x0007 1-2-3 CoNFiguration, version 2.x (PGRAPH.CNF)
+!:ext cnf
+>>>4 uleshort 0x0C05 1-2-3 CoNFiguration, version 2.4J
+!:ext cnf
+>>>4 uleshort 0x0801 1-2-3 CoNFiguration, version 1-2.1
+!:ext cnf
+>>>4 uleshort 0x0802 Symphony CoNFiguration
+!:ext cnf
+>>>4 uleshort 0x0804 1-2-3 CoNFiguration, version 2.2
+!:ext cnf
+>>>4 uleshort 0x080A 1-2-3 CoNFiguration, version 2.3-2.4
+!:ext cnf
+>>>4 uleshort 0x1402 1-2-3 CoNFiguration, version 3.x
+!:ext cnf
+>>>4 uleshort 0x1450 1-2-3 CoNFiguration, version 4.x
+!:ext cnf
+# (version 5.26) labeled the entry as "Lotus 123"
+# TrID labeles the entry as "Lotus 123 Worksheet (generic)"
+>>>4 uleshort 0x0404 1-2-3 WorKSheet, version 1
+# extension "wks" also for Microsoft Works document
+!:ext wks
+# (version 5.26) labeled the entry as "Lotus 123"
+# TrID labeles the entry as "Lotus 123 Worksheet (generic)"
+>>>4 uleshort 0x0405 Symphony WoRksheet, version 1.0
+!:ext wrk/wr1
+# (version 5.26) labeled the entry as "Lotus 1-2-3 wk1 document data"
+# TrID labeles the entry as "Lotus 123 Worksheet (V2)"
+>>>4 uleshort 0x0406 1-2-3/Symphony worksheet, version 2
+# Symphony (.wr1)
+!:ext wk1/wr1
+# no example for this japan version
+>>>4 uleshort 0x0600 1-2-3 WorKsheet, version 1.xJ
+!:ext wj1
+# no example or documentation for wk2
+#>>>4 uleshort 0x???? 1-2-3 WorKsheet, version 2
+#!:ext wk2
+# undocumented japan version
+>>>4 uleshort 0x0602 1-2-3 worksheet, version 2.4J
+!:ext wj3
+# (version 5.26) labeled the entry as "Lotus 1-2-3 fmt document data"
+>>>4 uleshort 0x8006 1-2-3 ForMaTting data, version 2.x
+# japan version 2.4J (fj3)
+!:ext fmt/fj3
+# no example for this version
+>>>4 uleshort 0x8007 1-2-3 FoRMatting data, version 2.0
+!:ext frm
+# (version 5.26) labeled the entry as "Lotus 1-2-3"
+>>>4 default x unknown worksheet or configuration
+!:ext cnf
+>>>>4 uleshort x \b, revision 0x%x
+# 2nd record for most worksheets describes cells range
+>>>6 use lotus-cells
+# 3nd record for most japan worksheets describes cells range
+>>>(8.s+10) use lotus-cells
+# check and then display Lotus worksheet cells range
+0 name lotus-cells
+# look for type (RANGE=0006h) + length (0008h) at record begin
+>0 ubelong 0x06000800 \b, cell range
+# cell range (start column, row, end column, row) start values normally 0,0~A1 cell
+>>4 ulong !0
+>>>4 uleshort x \b%d,
+>>>6 uleshort x \b%d-
+# end of cell range
+>>8 uleshort x \b%d,
+>>10 uleshort x \b%d
+# EndOfLotus123
0 string/b WordPro\0 Lotus WordPro
!:mime application/vnd.lotus-wordpro
0 string/b WordPro\r\373 Lotus WordPro
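Review bot: The commented-out wk5 placeholder `#>>4 uleshort 0x???? WorKsheet, version 4` sits one level shallower than its `>>>4` siblings and says version 4, although the comment above it and the following `#!:ext wk5` are about wk5. If it is later uncommented with a real revision code it would attach at the wrong level and mislabel the file; `#>>>4 uleshort 0x???? WorKsheet, version 5` matches the surrounding entries. In the 0x00000200 branch the fallback `>>>4 default x unknown worksheet or configuration` is followed by `!:ext cnf`, so an unrecognised worksheet revision is reported with the configuration extension only. A short comment explaining that choice, or dropping the extension for the unknown case, would avoid a misleading hint.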
@@ -588,56 +818,95 @@
0 string/b \102\101\050\000\000\000\056\000\000\000\000\000\000\000 Icon for MS Windows
# Windows icons
-0 name ico-dir
-# not entirely accurate, the number of icons is part of the header
->0 byte 1 - 1 icon
->0 ubyte >1 - %d icons
->2 byte 0 \b, 256x
->2 byte !0 \b, %dx
->3 byte 0 \b256
->3 byte !0 \b%d
->4 ubyte !0 \b, %d colors
-
+# Update: Joerg Jenderek
+# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
+# Note: similar to Windows CURsor. container for BMP (only DIB part) or PNG
0 belong 0x00000100
>9 byte 0
->>0 byte x MS Windows icon resource
-!:mime image/x-icon
->>4 use ico-dir
+>>0 byte x
+>>0 use cur-ico-dir
>9 ubyte 0xff
->>0 byte x MS Windows icon resource
-!:mime image/x-icon
->>4 use ico-dir
+>>0 byte x
+>>0 use cur-ico-dir
+# displays number of icons and information for icon or cursor
+0 name cur-ico-dir
+# skip some Lotus 1-2-3 worksheets, CYCLE.PIC and keep Windows cursors with
+# 1st data offset = dir header size + n * dir entry size = 6 + n * 10h = ?6h
+>18 ulelong &0x00000006
+# skip remaining worksheets, because valid only for DIB image (40) or PNG image (\x89PNG)
+>>(18.l) ulelong x MS Windows
+>>>0 ubelong 0x00000100 icon resource
+#!:mime image/vnd.microsoft.icon
+!:mime image/x-icon
+!:ext ico
+>>>>4 uleshort x - %d icon
+# plural s
+>>>>4 uleshort >1 \bs
+# 1st icon
+>>>>0x06 use ico-entry
+# 2nd icon
+>>>>4 uleshort >1
+>>>>>0x16 use ico-entry
+>>>0 ubelong 0x00000200 cursor resource
+#!:mime image/x-cur
+!:mime image/x-win-bitmap
+!:ext cur
+>>>>4 uleshort x - %d icon
+>>>>4 uleshort >1 \bs
+# 1st cursor
+>>>>0x06 use cur-entry
+#>>>>0x16 use cur-entry
+# display information of one cursor entry
+0 name cur-entry
+>0 use cur-ico-entry
+>4 uleshort x \b, hotspot @%dx
+>6 uleshort x \b%d
+# display information of one icon entry
+0 name ico-entry
+>0 use cur-ico-entry
+# normally 0 1 but also found 14
+>4 uleshort >1 \b, %d planes
+# normally 0 1 but also found some 3, 4, some 6, 8, 24, many 32, two 256
+>6 uleshort >1 \b, %d bits/pixel
+# display shared information of cursor or icon entry
+0 name cur-ico-entry
+>0 byte =0 \b, 256x
+>0 byte !0 \b, %dx
+>1 byte =0 \b256
+>1 byte !0 \b%d
+# number of colors in palette
+>2 ubyte !0 \b, %d colors
+# reserved 0 FFh
+#>3 ubyte x \b, reserved %x
+#>8 ulelong x \b, image size %d
+# offset of PNG or DIB image
+#>12 ulelong x \b, offset 0x%x
+# PNG header (\x89PNG)
+>(12.l) ubelong =0x89504e47
+>>&-4 indirect x \b with
+# DIB image
+>(12.l) ubelong !0x89504e47
+#>>&-4 use dib-image
# Windows non-animated cursors
-0 name cur-dir
-# not entirely accurate, the number of icons is part of the header
->0 byte 1 - 1 icon
->0 ubyte >1 - %d icons
->2 byte 0 \b, 256x
->2 byte !0 \b, %dx
->3 byte 0 \b256
->3 byte !0 \b%d
->6 uleshort x \b, hotspot @%dx
->8 uleshort x \b%d
-
+# Update: Joerg Jenderek
+# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
+# Note: similar to Windows ICOn. container for BMP ( only DIB part)
+# GRR: line below is too general as it catches also Lotus 1-2-3 files
0 belong 0x00000200
>9 byte 0
->>0 byte x MS Windows cursor resource
-!:mime image/x-cur
->>4 use cur-dir
+>>0 use cur-ico-dir
>9 ubyte 0xff
->>0 byte x MS Windows cursor resource
-!:mime image/x-cur
->>4 use cur-dir
+>>0 use cur-ico-dir
# .chr files
-0 string/b PK\010\010BGI Borland font
+0 string/b PK\010\010BGI Borland font
>4 string >\0 %s
# then there is a copyright notice
# .bgi files
-0 string/b pk\010\010BGI Borland device
+0 string/b pk\010\010BGI Borland device
>4 string >\0 %s
# then there is a copyright notice
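Review bot: The guard `>18 ulelong &0x00000006` in cur-ico-dir only requires bits 1 and 2 of the first data offset to be set, so offsets ending in 7, Eh or Fh pass as well as the `?6h` values described in the comment above it. If the intent is a low nibble of exactly 6, the masked equality `>18 ulelong&0x0000000f 0x00000006` states it directly and keeps more Lotus and other non-icon data away from the `image/x-icon` and `image/x-win-bitmap` labels. In cur-ico-entry the width and height are read with signed `byte` and printed with `%d`, so dimensions of 128 to 255 would print as negative numbers; `ubyte` avoids that. The cursor branch also reuses the text `- %d icon`, which reads oddly after "cursor resource".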
@@ -654,24 +923,6 @@
0 lelong 0x00000005
>12 lelong 0x00000320 Windows Recycle Bin INFO2 file (Win2k - WinXP)
-
-##### put in Either Magic/font or Magic/news
-# Acroread or something files wrongly identified as G3 .pfm
-# these have the form \000 \001 any? \002 \000 \000
-# or \000 \001 any? \022 \000 \000
-0 belong&0xffff00ff 0x00010012 PFM data
->4 string \000\000
->6 string >\060 - %s
-
-0 belong&0xffff00ff 0x00010002 PFM data
->4 string \000\000
->6 string >\060 - %s
-#0 string \000\001 pfm?
-#>3 string \022\000\000Copyright\ yes
-#>3 string \002\000\000Copyright\ yes
-#>3 string >\0 oops, not a font file. Cancel that.
-#it clashes with ttf files so put it lower down.
-
# From Doug Lee via a FreeBSD pr
9 string GERBILDOC First Choice document
9 string GERBILDB First Choice database
@@ -686,7 +937,7 @@
0 lelong 0x08086b70 TurboC BGI file
0 lelong 0x08084b50 TurboC Font file
-# Debian#712046: The magic below identifies "Delphi compiled form data".
+# Debian#712046: The magic below identifies "Delphi compiled form data".
# An additional source of information is available at:
# http://www.woodmann.com/fravia/dafix_t1.htm
0 string TPF0
@@ -695,7 +946,7 @@
# tests for DBase files moved, updated and merged to database
0 string PMCC Windows 3.x .GRP file
-1 string RDC-meg MegaDots
+1 string RDC-meg MegaDots
>8 byte >0x2F version %c
>9 byte >0x2F \b.%c file
0 lelong 0x4C
@@ -712,16 +963,16 @@
#>0x181 leshort x \b, offset %x
#>0x183 leshort x \b, offsetdata %x
#>0x185 leshort x \b, section length %x
->0x187 search/0xB55 WINDOWS\ VMM\ 4.0\0
->>&0x5e ubyte >0
+>0x187 search/0xB55 WINDOWS\ VMM\ 4.0\0
+>>&0x5e ubyte >0
>>>&-1 string <PIFMGR.DLL \b, icon=%s
#>>>&-1 string PIFMGR.DLL \b, icon=%s
>>>&-1 string >PIFMGR.DLL \b, icon=%s
->>&0xF0 ubyte >0
+>>&0xF0 ubyte >0
>>>&-1 string <Terminal \b, font=%.32s
#>>>&-1 string =Terminal \b, font=%.32s
>>>&-1 string >Terminal \b, font=%.32s
->>&0x110 ubyte >0
+>>&0x110 ubyte >0
>>>&-1 string <Lucida\ Console \b, TrueTypeFont=%.32s
#>>>&-1 string =Lucida\ Console \b, TrueTypeFont=%.32s
>>>&-1 string >Lucida\ Console \b, TrueTypeFont=%.32s
@@ -737,6 +988,7 @@
# DOS EPS Binary File Header
# From: Ed Sznyter <ews@Black.Market.NET>
0 belong 0xC5D0D3C6 DOS EPS Binary File
+!:mime image/x-eps
>4 long >0 Postscript starts at byte %d
>>8 long >0 length %d
>>>12 long >0 Metafile starts at byte %d
@@ -744,15 +996,15 @@
>>>20 long >0 TIFF starts at byte %d
>>>>24 long >0 length %d
-# TNEF magic From "Joomy" <joomy@se-ed.net>
+# TNEF magic From "Joomy" <joomy@se-ed.net>
# Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF)
-0 leshort 0x223e9f78 TNEF
+0 lelong 0x223e9f78 TNEF
!:mime application/vnd.ms-tnef
# Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C
# of http://www.davep.org/norton-guides/ng2h-105.tgz
# http://en.wikipedia.org/wiki/Norton_Guides
-0 string NG\0\001
+0 string NG\0\001
# only value 0x100 found at offset 2
>2 ulelong 0x00000100 Norton Guide
# Title[40]
@@ -762,7 +1014,7 @@
>>48 string >\0 \b, %-.66s
>>114 string >\0 %-.66s
-# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS
+# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS
# of http://www.4dos.info/
# pointer,HelpID[8]=4DHnnnmm
0 ulelong 0x48443408 4DOS help file
@@ -772,7 +1024,7 @@
0 ulequad 0x3a000000024e4c MS Advisor help file
# HtmlHelp files (.chm)
-0 string/b ITSF\003\000\000\000\x60\000\000\000\001\000\000\000 MS Windows HtmlHelp Data
+0 string/b ITSF\003\000\000\000\x60\000\000\000 MS Windows HtmlHelp Data
# GFA-BASIC (Wolfram Kleff)
2 string/b GFA-BASIC3 GFA-BASIC 3 data
@@ -810,7 +1062,7 @@
# Windows Enhanced Metafile (EMF)
-# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp
+# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp
# for further information.
0 ulelong 1
>40 string \ EMF Windows Enhanced Metafile (EMF) image data
@@ -856,7 +1108,8 @@
# Type: Microsoft Document Imaging Format (.mdi)
# URL: http://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format
# From: Daniele Sempione <scrows@oziosi.org>
-0 short 0x5045 Microsoft Document Imaging Format
+# Too weak (EP)
+#0 short 0x5045 Microsoft Document Imaging Format
# MS eBook format (.lit)
0 string/b ITOLITLS Microsoft Reader eBook Data
@@ -869,8 +1122,9 @@
# Windows Imaging (WIM) Image
0 string/b MSWIM\000\000\000 Windows imaging (WIM) image
+0 string/b WLPWM\000\000\000 Windows imaging (WIM) image, wimlib pipable format
-# The second byte of these signatures is a file version; I don't know what,
+# The second byte of these signatures is a file version; I don't know what,
# if anything, produced files with version numbers 0-2.
# From: John Elliott <johne@seasip.demon.co.uk>
0 string \xfc\x03\x00 Mallard BASIC program data (v1.11)
@@ -881,3 +1135,66 @@
0 string MIOPEN Mallard BASIC Jetsam data
0 string Jetsam0 Mallard BASIC Jetsam index data
+# DOS backup 2.0 to 3.2
+
+# backupid.@@@
+
+# plausibility check for date
+0x3 ushort >1979
+>0x5 ubyte-1 <31
+>>0x6 ubyte-1 <12
+# actually 121 nul bytes
+>>>0x7 string \0\0\0\0\0\0\0\0
+>>>>0x1 ubyte x DOS 2.0 backup id file, sequence %d
+!:ext @@@
+>>>>0x0 ubyte 0xff \b, last disk
+
+# backed up file
+
+# skip some AppleWorks word like Tomahawk.Awp, WIN98SE-DE.vhd
+# by looking for trailing nul of maximal file name string
+0x52 ubyte 0
+# test for flag byte: FFh~complete file, 00h~split file
+# FFh -127 = -1 -127 = -128
+# 00h -127 = 0 -127 = -127
+>0 byte-127 <-126
+# plausibility check for file name length
+>>0x53 ubyte-1 <78
+# looking for terminating nul of file name string
+>>>(0x53.b+4) ubyte 0
+# looking if last char of string is valid DOS file name
+>>>>(0x53.b+3) ubyte >0x1F
+# actually 44 nul bytes
+# but sometimes garbage according to Ralf Quint. So can not be used as test
+#>0x54 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
+# first char of full file name is DOS (5Ch) or UNIX (2Fh) path separator
+# only DOS variant found. UNIX variant according to V32SLASH.TXT in archive PD0315.EXE
+>>>>>5 ubyte&0x8C 0x0C
+# ./msdos (version 5.30) labeled the entry as
+# "DOS 2.0 backed up file %s, split file, sequence %d" or
+# "DOS 2.0 backed up file %s, complete file"
+>>>>>>0 ubyte x DOS 2.0-3.2 backed up
+#>>>>>>0 ubyte 0xff complete
+>>>>>>0 ubyte 0
+>>>>>>>1 uleshort x sequence %d of
+# full file name with path but without drive letter and colon stored from 0x05 til 0x52
+>>>>>>0x5 string x file %s
+# backup name is original filename
+#!:ext *
+# magic/Magdir/msdos, 1169: Warning: EXTENSION type ` *' has bad char '*'
+# file: line 1169: Bad magic entry ' *'
+# after header original file content
+>>>>>>128 indirect x \b;
+
+
+# DOS backup 3.3 to 5.x
+
+# CONTROL.nnn files
+0 string \x8bBACKUP\x20
+# actually 128 nul bytes
+>0xa string \0\0\0\0\0\0\0\0
+>>0x9 ubyte x DOS 3.3 backup control file, sequence %d
+>>0x8a ubyte 0xff \b, last disk
+
+# NB: The BACKUP.nnn files consist of the files backed up,
+# concatenated.
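Review bot: The year plausibility test `0x3 ushort >1979` reads the field in host byte order, whereas the other multi-byte field in these new entries is read explicitly as little-endian (`>>>>>>>1 uleshort x`). On a big-endian host the test would compare a byte-swapped year, and since the format comes from DOS the field is presumably little-endian, so `0x3 uleshort >1979` is the safer spelling. Both new top-level tests (`0x3 ushort >1979` and `0x52 ubyte 0`) match a large share of arbitrary files on their own and depend entirely on the nested checks. A one-line `# GRR:` comment saying so, as the file does for other weak anchors, would make that dependency visible to the next maintainer.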