msdos revision 328875
1230557Sjimharris 2230557Sjimharris#------------------------------------------------------------------------------ 3230557Sjimharris# $File: msdos,v 1.120 2017/08/13 00:21:47 christos Exp $ 4230557Sjimharris# msdos: file(1) magic for MS-DOS files 5230557Sjimharris# 6230557Sjimharris 7230557Sjimharris# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com) 8230557Sjimharris# updated by Joerg Jenderek at Oct 2008,Apr 2011 9230557Sjimharris0 string/t @ 10230557Sjimharris>1 string/cW \ echo\ off DOS batch file text 11230557Sjimharris!:mime text/x-msdos-batch 12230557Sjimharris>1 string/cW echo\ off DOS batch file text 13230557Sjimharris!:mime text/x-msdos-batch 14230557Sjimharris>1 string/cW rem DOS batch file text 15230557Sjimharris!:mime text/x-msdos-batch 16230557Sjimharris>1 string/cW set\ DOS batch file text 17230557Sjimharris!:mime text/x-msdos-batch 18230557Sjimharris 19230557Sjimharris 20230557Sjimharris# OS/2 batch files are REXX. the second regex is a bit generic, oh well 21230557Sjimharris# the matched commands seem to be common in REXX and uncommon elsewhere 22230557Sjimharris100 search/0xffff rxfuncadd 23230557Sjimharris>100 regex/c =^[\ \t]{0,10}call[\ \t]{1,10}rxfunc OS/2 REXX batch file text 24230557Sjimharris100 search/0xffff say 25230557Sjimharris>100 regex/c =^[\ \t]{0,10}say\ ['"] OS/2 REXX batch file text 26230557Sjimharris 27230557Sjimharris# updated by Joerg Jenderek at Oct 2015 28230557Sjimharris# https://de.wikipedia.org/wiki/Common_Object_File_Format 29230557Sjimharris# http://www.delorie.com/djgpp/doc/coff/filhdr.html 30230557Sjimharris# ./intel already labeled COFF type 0x14c=0514 as "80386 COFF executable" 31230557Sjimharris#0 leshort 0x14c MS Windows COFF Intel 80386 object file 32230557Sjimharris#>4 ledate x stamp %s 33230557Sjimharris0 leshort 0x166 MS Windows COFF MIPS R4000 object file 34230557Sjimharris#>4 ledate x stamp %s 35230557Sjimharris0 leshort 0x184 MS Windows COFF Alpha object file 36230557Sjimharris#>4 ledate x stamp %s 37230557Sjimharris0 leshort 0x268 MS Windows COFF Motorola 68000 object file 38230557Sjimharris#>4 ledate x stamp %s 39230557Sjimharris0 leshort 0x1f0 MS Windows COFF PowerPC object file 40230557Sjimharris#>4 ledate x stamp %s 41230557Sjimharris0 leshort 0x290 MS Windows COFF PA-RISC object file 42230557Sjimharris#>4 ledate x stamp %s 43230557Sjimharris 44230557Sjimharris# Tests for various EXE types. 45230557Sjimharris# 46230557Sjimharris# Many of the compressed formats were extraced from IDARC 1.23 source code. 47230557Sjimharris# 48230557Sjimharris0 string/b MZ 49230557Sjimharris# All non-DOS EXE extensions have the relocation table more than 0x40 bytes into the file. 50230557Sjimharris>0x18 leshort <0x40 MS-DOS executable 51230557Sjimharris!:mime application/x-dosexec 52230557Sjimharris# These traditional tests usually work but not always. When test quality support is 53230557Sjimharris# implemented these can be turned on. 54230557Sjimharris#>>0x18 leshort 0x1c (Borland compiler) 55230557Sjimharris#>>0x18 leshort 0x1e (MS compiler) 56230557Sjimharris 57230557Sjimharris# If the relocation table is 0x40 or more bytes into the file, it's definitely 58230557Sjimharris# not a DOS EXE. 59230557Sjimharris>0x18 leshort >0x3f 60230557Sjimharris 61230557Sjimharris# Maybe it's a PE? 62230557Sjimharris>>(0x3c.l) string PE\0\0 PE 63230557Sjimharris!:mime application/x-dosexec 64230557Sjimharris>>>(0x3c.l+24) leshort 0x010b \b32 executable 65230557Sjimharris>>>(0x3c.l+24) leshort 0x020b \b32+ executable 66230557Sjimharris>>>(0x3c.l+24) leshort 0x0107 ROM image 67230557Sjimharris>>>(0x3c.l+24) default x Unknown PE signature 68230557Sjimharris>>>>&0 leshort x 0x%x 69230557Sjimharris>>>(0x3c.l+22) leshort&0x2000 >0 (DLL) 70230557Sjimharris>>>(0x3c.l+92) leshort 1 (native) 71230557Sjimharris>>>(0x3c.l+92) leshort 2 (GUI) 72230557Sjimharris>>>(0x3c.l+92) leshort 3 (console) 73230557Sjimharris>>>(0x3c.l+92) leshort 7 (POSIX) 74230557Sjimharris>>>(0x3c.l+92) leshort 9 (Windows CE) 75230557Sjimharris>>>(0x3c.l+92) leshort 10 (EFI application) 76230557Sjimharris>>>(0x3c.l+92) leshort 11 (EFI boot service driver) 77230557Sjimharris>>>(0x3c.l+92) leshort 12 (EFI runtime driver) 78230557Sjimharris>>>(0x3c.l+92) leshort 13 (EFI ROM) 79230557Sjimharris>>>(0x3c.l+92) leshort 14 (XBOX) 80230557Sjimharris>>>(0x3c.l+92) leshort 15 (Windows boot application) 81230557Sjimharris>>>(0x3c.l+92) default x (Unknown subsystem 82230557Sjimharris>>>>&0 leshort x 0x%x) 83230557Sjimharris>>>(0x3c.l+4) leshort 0x14c Intel 80386 84230557Sjimharris>>>(0x3c.l+4) leshort 0x166 MIPS R4000 85230557Sjimharris>>>(0x3c.l+4) leshort 0x168 MIPS R10000 86230557Sjimharris>>>(0x3c.l+4) leshort 0x184 Alpha 87230557Sjimharris>>>(0x3c.l+4) leshort 0x1a2 Hitachi SH3 88230557Sjimharris>>>(0x3c.l+4) leshort 0x1a6 Hitachi SH4 89230557Sjimharris>>>(0x3c.l+4) leshort 0x1c0 ARM 90230557Sjimharris>>>(0x3c.l+4) leshort 0x1c2 ARM Thumb 91230557Sjimharris>>>(0x3c.l+4) leshort 0x1c4 ARMv7 Thumb 92230557Sjimharris>>>(0x3c.l+4) leshort 0x1f0 PowerPC 93230557Sjimharris>>>(0x3c.l+4) leshort 0x200 Intel Itanium 94230557Sjimharris>>>(0x3c.l+4) leshort 0x266 MIPS16 95230557Sjimharris>>>(0x3c.l+4) leshort 0x268 Motorola 68000 96230557Sjimharris>>>(0x3c.l+4) leshort 0x290 PA-RISC 97230557Sjimharris>>>(0x3c.l+4) leshort 0x366 MIPSIV 98230557Sjimharris>>>(0x3c.l+4) leshort 0x466 MIPS16 with FPU 99230557Sjimharris>>>(0x3c.l+4) leshort 0xebc EFI byte code 100230557Sjimharris>>>(0x3c.l+4) leshort 0x8664 x86-64 101230557Sjimharris>>>(0x3c.l+4) leshort 0xc0ee MSIL 102230557Sjimharris>>>(0x3c.l+4) default x Unknown processor type 103230557Sjimharris>>>>&0 leshort x 0x%x 104230557Sjimharris>>>(0x3c.l+22) leshort&0x0200 >0 (stripped to external PDB) 105230557Sjimharris>>>(0x3c.l+22) leshort&0x1000 >0 system file 106230557Sjimharris>>>(0x3c.l+24) leshort 0x010b 107230557Sjimharris>>>>(0x3c.l+232) lelong >0 Mono/.Net assembly 108230557Sjimharris>>>(0x3c.l+24) leshort 0x020b 109230557Sjimharris>>>>(0x3c.l+248) lelong >0 Mono/.Net assembly 110230557Sjimharris 111230557Sjimharris# hooray, there's a DOS extender using the PE format, with a valid PE 112230557Sjimharris# executable inside (which just prints a message and exits if run in win) 113230557Sjimharris>>>(8.s*16) string 32STUB \b, 32rtm DOS extender 114230557Sjimharris>>>(8.s*16) string !32STUB \b, for MS Windows 115230557Sjimharris>>>(0x3c.l+0xf8) string UPX0 \b, UPX compressed 116230557Sjimharris>>>(0x3c.l+0xf8) search/0x140 PEC2 \b, PECompact2 compressed 117230557Sjimharris>>>(0x3c.l+0xf8) search/0x140 UPX2 118230557Sjimharris>>>>(&0x10.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip) 119230557Sjimharris>>>(0x3c.l+0xf8) search/0x140 .idata 120230557Sjimharris>>>>(&0xe.l+(-4)) string PK\3\4 \b, ZIP self-extracting archive (Info-Zip) 121230557Sjimharris>>>>(&0xe.l+(-4)) string ZZ0 \b, ZZip self-extracting archive 122230557Sjimharris>>>>(&0xe.l+(-4)) string ZZ1 \b, ZZip self-extracting archive 123230557Sjimharris>>>(0x3c.l+0xf8) search/0x140 .rsrc 124230557Sjimharris>>>>(&0x0f.l+(-4)) string a\\\4\5 \b, WinHKI self-extracting archive 125230557Sjimharris>>>>(&0x0f.l+(-4)) string Rar! \b, RAR self-extracting archive 126230557Sjimharris>>>>(&0x0f.l+(-4)) search/0x3000 MSCF \b, InstallShield self-extracting archive 127230557Sjimharris>>>>(&0x0f.l+(-4)) search/32 Nullsoft \b, Nullsoft Installer self-extracting archive 128230557Sjimharris>>>(0x3c.l+0xf8) search/0x140 .data 129230557Sjimharris>>>>(&0x0f.l) string WEXTRACT \b, MS CAB-Installer self-extracting archive 130230557Sjimharris>>>(0x3c.l+0xf8) search/0x140 .petite\0 \b, Petite compressed 131230557Sjimharris>>>>(0x3c.l+0xf7) byte x 132230557Sjimharris>>>>>(&0x104.l+(-4)) string =!sfx! \b, ACE self-extracting archive 133230557Sjimharris>>>(0x3c.l+0xf8) search/0x140 .WISE \b, WISE installer self-extracting archive 134230557Sjimharris>>>(0x3c.l+0xf8) search/0x140 .dz\0\0\0 \b, Dzip self-extracting archive 135230557Sjimharris>>>&(0x3c.l+0xf8) search/0x100 _winzip_ \b, ZIP self-extracting archive (WinZip) 136230557Sjimharris>>>&(0x3c.l+0xf8) search/0x100 SharedD \b, Microsoft Installer self-extracting archive 137230557Sjimharris>>>0x30 string Inno \b, InnoSetup self-extracting archive 138230557Sjimharris 139230557Sjimharris# Hmm, not a PE but the relocation table is too high for a traditional DOS exe, 140230557Sjimharris# must be one of the unusual subformats. 141230557Sjimharris>>(0x3c.l) string !PE\0\0 MS-DOS executable 142230557Sjimharris!:mime application/x-dosexec 143230557Sjimharris 144230557Sjimharris>>(0x3c.l) string NE \b, NE 145230557Sjimharris!:mime application/x-dosexec 146230557Sjimharris>>>(0x3c.l+0x36) byte 1 for OS/2 1.x 147230557Sjimharris>>>(0x3c.l+0x36) byte 2 for MS Windows 3.x 148230557Sjimharris>>>(0x3c.l+0x36) byte 3 for MS-DOS 149230557Sjimharris>>>(0x3c.l+0x36) byte 4 for Windows 386 150230557Sjimharris>>>(0x3c.l+0x36) byte 5 for Borland Operating System Services 151230557Sjimharris>>>(0x3c.l+0x36) default x 152230557Sjimharris>>>>(0x3c.l+0x36) byte x (unknown OS %x) 153230557Sjimharris>>>(0x3c.l+0x36) byte 0x81 for MS-DOS, Phar Lap DOS extender 154230557Sjimharris>>>(0x3c.l+0x0c) leshort&0x8003 0x8002 (DLL) 155230557Sjimharris>>>(0x3c.l+0x0c) leshort&0x8003 0x8001 (driver) 156230557Sjimharris>>>&(&0x24.s-1) string ARJSFX \b, ARJ self-extracting archive 157230557Sjimharris>>>(0x3c.l+0x70) search/0x80 WinZip(R)\ Self-Extractor \b, ZIP self-extracting archive (WinZip) 158230557Sjimharris 159230557Sjimharris>>(0x3c.l) string LX\0\0 \b, LX 160230557Sjimharris!:mime application/x-dosexec 161230557Sjimharris>>>(0x3c.l+0x0a) leshort <1 (unknown OS) 162230557Sjimharris>>>(0x3c.l+0x0a) leshort 1 for OS/2 163230557Sjimharris>>>(0x3c.l+0x0a) leshort 2 for MS Windows 164230557Sjimharris>>>(0x3c.l+0x0a) leshort 3 for DOS 165230557Sjimharris>>>(0x3c.l+0x0a) leshort >3 (unknown OS) 166230557Sjimharris>>>(0x3c.l+0x10) lelong&0x28000 =0x8000 (DLL) 167230557Sjimharris>>>(0x3c.l+0x10) lelong&0x20000 >0 (device driver) 168230557Sjimharris>>>(0x3c.l+0x10) lelong&0x300 0x300 (GUI) 169230557Sjimharris>>>(0x3c.l+0x10) lelong&0x28300 <0x300 (console) 170230557Sjimharris>>>(0x3c.l+0x08) leshort 1 i80286 171230557Sjimharris>>>(0x3c.l+0x08) leshort 2 i80386 172230557Sjimharris>>>(0x3c.l+0x08) leshort 3 i80486 173230557Sjimharris>>>(8.s*16) string emx \b, emx 174230557Sjimharris>>>>&1 string x %s 175230557Sjimharris>>>&(&0x54.l-3) string arjsfx \b, ARJ self-extracting archive 176230557Sjimharris 177230557Sjimharris# MS Windows system file, supposedly a collection of LE executables 178230557Sjimharris>>(0x3c.l) string W3 \b, W3 for MS Windows 179230557Sjimharris!:mime application/x-dosexec 180230557Sjimharris 181230557Sjimharris>>(0x3c.l) string LE\0\0 \b, LE executable 182230557Sjimharris!:mime application/x-dosexec 183230557Sjimharris>>>(0x3c.l+0x0a) leshort 1 184230557Sjimharris# some DOS extenders use LE files with OS/2 header 185230557Sjimharris>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender 186230557Sjimharris>>>>0x240 search/0x200 WATCOM\ C/C++ for MS-DOS, DOS4GW DOS extender 187230557Sjimharris>>>>0x440 search/0x100 CauseWay\ DOS\ Extender for MS-DOS, CauseWay DOS extender 188230557Sjimharris>>>>0x40 search/0x40 PMODE/W for MS-DOS, PMODE/W DOS extender 189230557Sjimharris>>>>0x40 search/0x40 STUB/32A for MS-DOS, DOS/32A DOS extender (stub) 190230557Sjimharris>>>>0x40 search/0x80 STUB/32C for MS-DOS, DOS/32A DOS extender (configurable stub) 191230557Sjimharris>>>>0x40 search/0x80 DOS/32A for MS-DOS, DOS/32A DOS extender (embedded) 192230557Sjimharris# this is a wild guess; hopefully it is a specific signature 193230557Sjimharris>>>>&0x24 lelong <0x50 194230557Sjimharris>>>>>(&0x4c.l) string \xfc\xb8WATCOM 195230557Sjimharris>>>>>>&0 search/8 3\xdbf\xb9 \b, 32Lite compressed 196230557Sjimharris# another wild guess: if real OS/2 LE executables exist, they probably have higher start EIP 197230557Sjimharris#>>>>(0x3c.l+0x1c) lelong >0x10000 for OS/2 198230557Sjimharris# fails with DOS-Extenders. 199230557Sjimharris>>>(0x3c.l+0x0a) leshort 2 for MS Windows 200230557Sjimharris>>>(0x3c.l+0x0a) leshort 3 for DOS 201230557Sjimharris>>>(0x3c.l+0x0a) leshort 4 for MS Windows (VxD) 202230557Sjimharris>>>(&0x7c.l+0x26) string UPX \b, UPX compressed 203230557Sjimharris>>>&(&0x54.l-3) string UNACE \b, ACE self-extracting archive 204230557Sjimharris 205230557Sjimharris# looks like ASCII, probably some embedded copyright message. 206230557Sjimharris# and definitely not NE/LE/LX/PE 207230557Sjimharris>>0x3c lelong >0x20000000 208230557Sjimharris>>>(4.s*512) leshort !0x014c \b, MZ for MS-DOS 209230557Sjimharris!:mime application/x-dosexec 210230557Sjimharris# header data too small for extended executable 211230557Sjimharris>2 long !0 212230557Sjimharris>>0x18 leshort <0x40 213230557Sjimharris>>>(4.s*512) leshort !0x014c 214230557Sjimharris 215230557Sjimharris>>>>&(2.s-514) string !LE 216230557Sjimharris>>>>>&-2 string !BW \b, MZ for MS-DOS 217230557Sjimharris!:mime application/x-dosexec 218230557Sjimharris>>>>&(2.s-514) string LE \b, LE 219230557Sjimharris>>>>>0x240 search/0x100 DOS/4G for MS-DOS, DOS4GW DOS extender 220230557Sjimharris# educated guess since indirection is still not capable enough for complex offset 221230557Sjimharris# calculations (next embedded executable would be at &(&2*512+&0-2) 222230557Sjimharris# I suspect there are only LE executables in these multi-exe files 223230557Sjimharris>>>>&(2.s-514) string BW 224230557Sjimharris>>>>>0x240 search/0x100 DOS/4G \b, LE for MS-DOS, DOS4GW DOS extender (embedded) 225230557Sjimharris>>>>>0x240 search/0x100 !DOS/4G \b, BW collection for MS-DOS 226230557Sjimharris 227230557Sjimharris# This sequence skips to the first COFF segment, usually .text 228230557Sjimharris>(4.s*512) leshort 0x014c \b, COFF 229230557Sjimharris!:mime application/x-dosexec 230230557Sjimharris>>(8.s*16) string go32stub for MS-DOS, DJGPP go32 DOS extender 231230557Sjimharris>>(8.s*16) string emx 232230557Sjimharris>>>&1 string x for DOS, Win or OS/2, emx %s 233230557Sjimharris>>&(&0x42.l-3) byte x 234230557Sjimharris>>>&0x26 string UPX \b, UPX compressed 235230557Sjimharris# and yet another guess: small .text, and after large .data is unusal, could be 32lite 236230557Sjimharris>>&0x2c search/0xa0 .text 237230557Sjimharris>>>&0x0b lelong <0x2000 238230557Sjimharris>>>>&0 lelong >0x6000 \b, 32lite compressed 239230557Sjimharris 240230557Sjimharris>(8.s*16) string $WdX \b, WDos/X DOS extender 241230557Sjimharris 242230557Sjimharris# By now an executable type should have been printed out. The executable 243230557Sjimharris# may be a self-uncompressing archive, so look for evidence of that and 244230557Sjimharris# print it out. 245230557Sjimharris# 246230557Sjimharris# Some signatures below from Greg Roelofs, newt@uchicago.edu. 247230557Sjimharris# 248230557Sjimharris>0x35 string \x8e\xc0\xb9\x08\x00\xf3\xa5\x4a\x75\xeb\x8e\xc3\x8e\xd8\x33\xff\xbe\x30\x00\x05 \b, aPack compressed 249230557Sjimharris>0xe7 string LH/2\ Self-Extract \b, %s 250230557Sjimharris>0x1c string UC2X \b, UCEXE compressed 251230557Sjimharris>0x1c string WWP\ \b, WWPACK compressed 252230557Sjimharris>0x1c string RJSX \b, ARJ self-extracting archive 253230557Sjimharris>0x1c string diet \b, diet compressed 254230557Sjimharris>0x1c string LZ09 \b, LZEXE v0.90 compressed 255230557Sjimharris>0x1c string LZ91 \b, LZEXE v0.91 compressed 256230557Sjimharris>0x1c string tz \b, TinyProg compressed 257230557Sjimharris>0x1e string Copyright\ 1989-1990\ PKWARE\ Inc. Self-extracting PKZIP archive 258230557Sjimharris!:mime application/zip 259230557Sjimharris# Yes, this really is "Copr", not "Corp." 260230557Sjimharris>0x1e string PKLITE\ Copr. Self-extracting PKZIP archive 261230557Sjimharris!:mime application/zip 262230557Sjimharris# winarj stores a message in the stub instead of the sig in the MZ header 263230557Sjimharris>0x20 search/0xe0 aRJsfX \b, ARJ self-extracting archive 264230557Sjimharris>0x20 string AIN 265230557Sjimharris>>0x23 string 2 \b, AIN 2.x compressed 266230557Sjimharris>>0x23 string <2 \b, AIN 1.x compressed 267230557Sjimharris>>0x23 string >2 \b, AIN 1.x compressed 268230557Sjimharris>0x24 string LHa's\ SFX \b, LHa self-extracting archive 269230557Sjimharris!:mime application/x-lha 270230557Sjimharris>0x24 string LHA's\ SFX \b, LHa self-extracting archive 271230557Sjimharris!:mime application/x-lha 272230557Sjimharris>0x24 string \ $ARX \b, ARX self-extracting archive 273230557Sjimharris>0x24 string \ $LHarc \b, LHarc self-extracting archive 274230557Sjimharris>0x20 string SFX\ by\ LARC \b, LARC self-extracting archive 275230557Sjimharris>0x40 string aPKG \b, aPackage self-extracting archive 276230557Sjimharris>0x64 string W\ Collis\0\0 \b, Compack compressed 277230557Sjimharris>0x7a string Windows\ self-extracting\ ZIP \b, ZIP self-extracting archive 278230557Sjimharris>>&0xf4 search/0x140 \x0\x40\x1\x0 279230557Sjimharris>>>(&0.l+(4)) string MSCF \b, WinHKI CAB self-extracting archive 280230557Sjimharris>1638 string -lh5- \b, LHa self-extracting archive v2.13S 281230557Sjimharris>0x17888 string Rar! \b, RAR self-extracting archive 282230557Sjimharris 283230557Sjimharris# Skip to the end of the EXE. This will usually work fine in the PE case 284230557Sjimharris# because the MZ image is hardcoded into the toolchain and almost certainly 285230557Sjimharris# won't match any of these signatures. 286230557Sjimharris>(4.s*512) long x 287230557Sjimharris>>&(2.s-517) byte x 288230557Sjimharris>>>&0 string PK\3\4 \b, ZIP self-extracting archive 289230557Sjimharris>>>&0 string Rar! \b, RAR self-extracting archive 290230557Sjimharris>>>&0 string =!\x11 \b, AIN 2.x self-extracting archive 291230557Sjimharris>>>&0 string =!\x12 \b, AIN 2.x self-extracting archive 292230557Sjimharris>>>&0 string =!\x17 \b, AIN 1.x self-extracting archive 293230557Sjimharris>>>&0 string =!\x18 \b, AIN 1.x self-extracting archive 294230557Sjimharris>>>&7 search/400 **ACE** \b, ACE self-extracting archive 295230557Sjimharris>>>&0 search/0x480 UC2SFX\ Header \b, UC2 self-extracting archive 296230557Sjimharris 297230557Sjimharris# a few unknown ZIP sfxes, no idea if they are needed or if they are 298230557Sjimharris# already captured by the generic patterns above 299230557Sjimharris>(8.s*16) search/0x20 PKSFX \b, ZIP self-extracting archive (PKZIP) 300230557Sjimharris# TODO: how to add this? >FileSize-34 string Windows\ Self-Installing\ Executable \b, ZIP self-extracting archive 301230557Sjimharris# 302230557Sjimharris 303230557Sjimharris# TELVOX Teleinformatica CODEC self-extractor for OS/2: 304230557Sjimharris>49801 string \x79\xff\x80\xff\x76\xff \b, CODEC archive v3.21 305230557Sjimharris>>49824 leshort =1 \b, 1 file 306230557Sjimharris>>49824 leshort >1 \b, %u files 307230557Sjimharris 308230557Sjimharris# added by Joerg Jenderek of http://www.freedos.org/software/?prog=kc 309230557Sjimharris# and http://www.freedos.org/software/?prog=kpdos 310230557Sjimharris# for FreeDOS files like KEYBOARD.SYS, KEYBRD2.SYS, KEYBRD3.SYS, *.KBD 311230557Sjimharris0 string/b KCF FreeDOS KEYBoard Layout collection 312230557Sjimharris# only version=0x100 found 313230557Sjimharris>3 uleshort x \b, version 0x%x 314230557Sjimharris# length of string containing author,info and special characters 315230557Sjimharris>6 ubyte >0 316230557Sjimharris#>>6 pstring x \b, name=%s 317230557Sjimharris>>7 string >\0 \b, author=%-.14s 318230557Sjimharris>>7 search/254 \xff \b, info= 319230557Sjimharris#>>>&0 string x \b%-s 320230557Sjimharris>>>&0 string x \b%-.15s 321230557Sjimharris# for FreeDOS *.KL files 322230557Sjimharris0 string/b KLF FreeDOS KEYBoard Layout file 323230557Sjimharris# only version=0x100 or 0x101 found 324230557Sjimharris>3 uleshort x \b, version 0x%x 325230557Sjimharris# stringlength 326230557Sjimharris>5 ubyte >0 327230557Sjimharris>>8 string x \b, name=%-.2s 328230557Sjimharris0 string \xffKEYB\ \ \ \0\0\0\0 329230557Sjimharris>12 string \0\0\0\0`\004\360 MS-DOS KEYBoard Layout file 330230557Sjimharris 331230557Sjimharris# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017 332230557Sjimharris# https://amaus.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009 333230557Sjimharris0 ulequad&0x07a0ffffffff 0xffffffff 334230557Sjimharris>0 use msdos-driver 335230557Sjimharris0 name msdos-driver DOS executable ( 336230557Sjimharris#!:mime application/octet-stream 337230557Sjimharris!:mime application/x-dosdriver 338230557Sjimharris# also found FreeDOS print driver SPOOL.DEV and disc compression driver STACLOAD.BIN 339230557Sjimharris!:ext sys/dev/bin 340230557Sjimharris>40 search/7 UPX! \bUPX compressed 341230557Sjimharris# DOS device driver attributes 342230557Sjimharris>4 uleshort&0x8000 0x0000 \bblock device driver 343230557Sjimharris# character device 344230557Sjimharris>4 uleshort&0x8000 0x8000 \b 345230557Sjimharris>>4 uleshort&0x0008 0x0008 \bclock 346230557Sjimharris# fast video output by int 29h 347230557Sjimharris>>4 uleshort&0x0010 0x0010 \bfast 348230557Sjimharris# standard input/output device 349230557Sjimharris>>4 uleshort&0x0003 >0 \bstandard 350230557Sjimharris>>>4 uleshort&0x0001 0x0001 \binput 351230557Sjimharris>>>4 uleshort&0x0003 0x0003 \b/ 352230557Sjimharris>>>4 uleshort&0x0002 0x0002 \boutput 353230557Sjimharris>>4 uleshort&0x8000 0x8000 \bcharacter device driver 354230557Sjimharris>0 ubyte x 355230557Sjimharris# upx compressed device driver has garbage instead of real in name field of header 356230557Sjimharris>>40 search/7 UPX! 357230557Sjimharris>>40 default x 358230557Sjimharris# leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped 359230557Sjimharris>>>12 ubyte >0x2E \b 360230557Sjimharris>>>>10 ubyte >0x20 361230557Sjimharris>>>>>10 ubyte !0x2E 362230557Sjimharris>>>>>>10 ubyte !0x2A \b%c 363230557Sjimharris>>>>11 ubyte >0x20 364230557Sjimharris>>>>>11 ubyte !0x2E \b%c 365230557Sjimharris>>>>12 ubyte >0x20 366230557Sjimharris>>>>>12 ubyte !0x39 367230557Sjimharris>>>>>>12 ubyte !0x2E \b%c 368230557Sjimharris>>>13 ubyte >0x20 369230557Sjimharris>>>>13 ubyte !0x2E \b%c 370230557Sjimharris>>>>14 ubyte >0x20 371230557Sjimharris>>>>>14 ubyte !0x2E \b%c 372230557Sjimharris>>>>15 ubyte >0x20 373230557Sjimharris>>>>>15 ubyte !0x2E \b%c 374230557Sjimharris>>>>16 ubyte >0x20 375230557Sjimharris>>>>>16 ubyte !0x2E 376230557Sjimharris>>>>>>16 ubyte <0xCB \b%c 377230557Sjimharris>>>>17 ubyte >0x20 378230557Sjimharris>>>>>17 ubyte !0x2E 379230557Sjimharris>>>>>>17 ubyte <0x90 \b%c 380230557Sjimharris# some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field 381230557Sjimharris>>>12 ubyte <0x2F 382230557Sjimharris# they have their real name at offset 22 383230557Sjimharris# also block device drivers like DUMBDRV.SYS 384230557Sjimharris>>>>22 string >\056 %-.6s 385230557Sjimharris>4 uleshort&0x8000 0x0000 386230557Sjimharris# 32 bit sector addressing ( > 32 MB) for block devices 387230557Sjimharris>>4 uleshort&0x0002 0x0002 \b,32-bit sector- 388230557Sjimharris# support by driver functions 13h, 17h, 18h 389230557Sjimharris>4 uleshort&0x0040 0x0040 \b,IOCTL- 390230557Sjimharris# open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh 391230557Sjimharris>4 uleshort&0x0800 0x0800 \b,close media- 392230557Sjimharris# output until busy support by int 10h for character device driver 393230557Sjimharris>4 uleshort&0x8000 0x8000 394230557Sjimharris>>4 uleshort&0x2000 0x2000 \b,until busy- 395230557Sjimharris# direct read/write support by driver functions 03h,0Ch 396230557Sjimharris>4 uleshort&0x4000 0x4000 \b,control strings- 397230557Sjimharris>4 uleshort&0x8000 0x8000 398230557Sjimharris>>4 uleshort&0x6840 >0 \bsupport 399230557Sjimharris>4 uleshort&0x8000 0x0000 400230557Sjimharris>>4 uleshort&0x4842 >0 \bsupport 401230557Sjimharris>0 ubyte x \b) 402230557Sjimharris# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header 403230557Sjimharris0 ulequad 0x0513c00000000012 404230557Sjimharris>0 use msdos-driver 405230557Sjimharris# DOS drivers DC2975.SYS, DUMBDRV.SYS, ECHO.SYS has also none 0xffffffff for pointer field 406230557Sjimharris0 ulequad 0x32f28000ffff0016 407230557Sjimharris>0 use msdos-driver 408230557Sjimharris0 ulequad 0x007f00000000ffff 409230557Sjimharris>0 use msdos-driver 410230557Sjimharris0 ulequad 0x001600000000ffff 411230557Sjimharris>0 use msdos-driver 412230557Sjimharris# DOS drivers LS120.SYS, MKELS120.SYS use reserved bits of attribute field 413230557Sjimharris0 ulequad 0x0bf708c2ffffffff 414230557Sjimharris>0 use msdos-driver 415230557Sjimharris0 ulequad 0x07bd08c2ffffffff 416230557Sjimharris>0 use msdos-driver 417230557Sjimharris 418230557Sjimharris# updated by Joerg Jenderek 419230557Sjimharris# GRR: line below too general as it catches also 420230557Sjimharris# rt.lib DYADISKS.PIC and many more 421230557Sjimharris# start with assembler instruction MOV 422230557Sjimharris0 ubyte 0x8c 423230557Sjimharris# skip "AppleWorks word processor data" like ARTICLE.1 ./apple 424230557Sjimharris>4 string !O==== 425230557Sjimharris# skip some unknown basic binaries like RocketRnger.SHR 426230557Sjimharris>>5 string !MAIN 427230557Sjimharris# skip "GPG symmetrically encrypted data" ./gnu 428230557Sjimharris# skip "PGP symmetric key encrypted data" ./pgp 429230557Sjimharris# openpgpdefs.h: fourth byte < 14 indicate cipher algorithm type 430230557Sjimharris>>>4 ubyte >13 DOS executable (COM, 0x8C-variant) 431230557Sjimharris# the remaining files should be DOS *.COM executables 432230557Sjimharris# dosshell.COM 8cc0 2ea35f07 e85211 e88a11 b80058 cd 433230557Sjimharris# hmload.COM 8cc8 8ec0 bbc02b 89dc 83c30f c1eb04 b4 434230557Sjimharris# UNDELETE.COM 8cca 2e8916 6503 b430 cd21 8b 2e0200 8b 435230557Sjimharris# BOOTFIX.COM 8cca 2e8916 9603 b430 cd21 8b 2e0200 8b 436230557Sjimharris# RAWRITE3.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b 437230557Sjimharris# SHARE.COM 8cca 2e8916 d602 b430 cd21 8b 2e0200 8b 438230557Sjimharris# validchr.COM 8cca 2e8916 9603 b430 cd21 8b 2e028b1e 439230557Sjimharris# devload.COM 8cca 8916ad01 b430 cd21 8b2e0200 892e 440230557Sjimharris!:mime application/x-dosexec 441230557Sjimharris!:ext com 442230557Sjimharris 443230557Sjimharris# updated by Joerg Jenderek at Oct 2008 444230557Sjimharris0 ulelong 0xffff10eb DR-DOS executable (COM) 445230557Sjimharris# byte 0xeb conflicts with "sequent" magic leshort 0xn2eb 446230557Sjimharris0 ubeshort&0xeb8d >0xeb00 447230557Sjimharris# DR-DOS STACKER.COM SCREATE.SYS missed 448230557Sjimharris 449230557Sjimharris0 name msdos-com 450230557Sjimharris>0 byte x DOS executable (COM) 451230557Sjimharris>6 string SFX\ of\ LHarc \b, %s 452230557Sjimharris>0x1FE leshort 0xAA55 \b, boot code 453230557Sjimharris>85 string UPX \b, UPX compressed 454230557Sjimharris>4 string \ $ARX \b, ARX self-extracting archive 455230557Sjimharris>4 string \ $LHarc \b, LHarc self-extracting archive 456230557Sjimharris>0x20e string SFX\ by\ LARC \b, LARC self-extracting archive 457230557Sjimharris 458230557Sjimharris# JMP 8bit 459230557Sjimharris0 byte 0xeb 460230557Sjimharris# allow forward jumps only 461230557Sjimharris>1 byte >-1 462230557Sjimharris# that offset must be accessible 463230557Sjimharris>>(1.b+2) byte x 464230557Sjimharris>>>0 use msdos-com 465230557Sjimharris 466230557Sjimharris# JMP 16bit 467230557Sjimharris0 byte 0xe9 468230557Sjimharris# forward jumps 469230557Sjimharris>1 short >-1 470230557Sjimharris# that offset must be accessible 471230557Sjimharris>>(1.s+3) byte x 472230557Sjimharris>>>0 use msdos-com 473230557Sjimharris# negative offset, must not lead into PSP 474230557Sjimharris>1 short <-259 475230557Sjimharris# that offset must be accessible 476230557Sjimharris>>(1,s+65539) byte x 477230557Sjimharris>>>0 use msdos-com 478230557Sjimharris 479230557Sjimharris# updated by Joerg Jenderek at Oct 2008,2015 480230557Sjimharris# following line is too general 481230557Sjimharris0 ubyte 0xb8 482230557Sjimharris# skip 2 linux kernels like memtest.bin with "\xb8\xc0\x07\x8e" in ./linux 483230557Sjimharris>0 string !\xb8\xc0\x07\x8e 484230557Sjimharris# modified by Joerg Jenderek 485230557Sjimharris# syslinux COM32 or COM32R executable 486230557Sjimharris>>1 lelong&0xFFFFFFFe 0x21CD4CFe COM executable (32-bit COMBOOT 487230557Sjimharris# http://www.syslinux.org/wiki/index.php/Comboot_API 488230557Sjimharris# Since version 5.00 c32 modules switched from the COM32 object format to ELF 489230557Sjimharris!:mime application/x-c32-comboot-syslinux-exec 490230557Sjimharris!:ext c32 491230557Sjimharris# http://syslinux.zytor.com/comboot.php 492230557Sjimharris# older syslinux version ( <4 ) 493230557Sjimharris# (32-bit COMBOOT) programs *.C32 contain 32-bit code and run in flat-memory 32-bit protected mode 494230557Sjimharris# start with assembler instructions mov eax,21cd4cffh 495230557Sjimharris>>>1 lelong 0x21CD4CFf \b) 496230557Sjimharris# syslinux:doc/comboot.txt 497230557Sjimharris# A COM32R program must start with the byte sequence B8 FE 4C CD 21 (mov 498230557Sjimharris# eax,21cd4cfeh) as a magic number. 499230557Sjimharris# syslinux version (4.x) 500230557Sjimharris# "COM executable (COM32R)" or "Syslinux COM32 module" by TrID 501230557Sjimharris>>>1 lelong 0x21CD4CFe \b, relocatable) 502230557Sjimharris# remaining are DOS COM executables starting with assembler instruction MOV 503230557Sjimharris# like FreeDOS BANNER*.COM FINDDISK.COM GIF2RAW.COM WINCHK.COM 504230557Sjimharris# MS-DOS SYS.COM RESTART.COM 505230557Sjimharris# SYSLINUX.COM (version 1.40 - 2.13) 506230557Sjimharris# GFXBOOT.COM (version 3.75) 507230557Sjimharris# COPYBS.COM POWEROFF.COM INT18.COM 508230557Sjimharris>>1 default x COM executable for DOS 509230557Sjimharris!:mime application/x-dosexec 510230557Sjimharris#!:mime application/x-ms-dos-executable 511230557Sjimharris#!:mime application/x-msdos-program 512230557Sjimharris!:ext com 513230557Sjimharris 514230557Sjimharris0 string/b \x81\xfc 515230557Sjimharris>4 string \x77\x02\xcd\x20\xb9 516230557Sjimharris>>36 string UPX! FREE-DOS executable (COM), UPX compressed 517230557Sjimharris252 string Must\ have\ DOS\ version DR-DOS executable (COM) 518230557Sjimharris# added by Joerg Jenderek at Oct 2008 519230557Sjimharris# GRR search is not working 520230557Sjimharris#34 search/2 UPX! FREE-DOS executable (COM), UPX compressed 521230557Sjimharris34 string UPX! FREE-DOS executable (COM), UPX compressed 522230557Sjimharris35 string UPX! FREE-DOS executable (COM), UPX compressed 523230557Sjimharris# GRR search is not working 524230557Sjimharris#2 search/28 \xcd\x21 COM executable for MS-DOS 525230557Sjimharris#WHICHFAT.cOM 526230557Sjimharris2 string \xcd\x21 COM executable for DOS 527230557Sjimharris#DELTREE.cOM DELTREE2.cOM 528230557Sjimharris4 string \xcd\x21 COM executable for DOS 529230557Sjimharris#IFMEMDSK.cOM ASSIGN.cOM COMP.cOM 530230557Sjimharris5 string \xcd\x21 COM executable for DOS 531230557Sjimharris#DELTMP.COm HASFAT32.cOM 532230557Sjimharris7 string \xcd\x21 533230557Sjimharris>0 byte !0xb8 COM executable for DOS 534230557Sjimharris#COMP.cOM MORE.COm 535230557Sjimharris10 string \xcd\x21 536230557Sjimharris>5 string !\xcd\x21 COM executable for DOS 537230557Sjimharris#comecho.com 538230557Sjimharris13 string \xcd\x21 COM executable for DOS 539230557Sjimharris#HELP.COm EDIT.coM 540230557Sjimharris18 string \xcd\x21 COM executable for MS-DOS 541230557Sjimharris#NWRPLTRM.COm 542230557Sjimharris23 string \xcd\x21 COM executable for MS-DOS 543230557Sjimharris#LOADFIX.cOm LOADFIX.cOm 544230557Sjimharris30 string \xcd\x21 COM executable for MS-DOS 545230557Sjimharris#syslinux.com 3.11 546230557Sjimharris70 string \xcd\x21 COM executable for DOS 547230557Sjimharris# many compressed/converted COMs start with a copy loop instead of a jump 548230557Sjimharris0x6 search/0xa \xfc\x57\xf3\xa5\xc3 COM executable for MS-DOS 549230557Sjimharris0x6 search/0xa \xfc\x57\xf3\xa4\xc3 COM executable for DOS 550230557Sjimharris>0x18 search/0x10 \x50\xa4\xff\xd5\x73 \b, aPack compressed 551230557Sjimharris0x3c string W\ Collis\0\0 COM executable for MS-DOS, Compack compressed 552230557Sjimharris# FIXME: missing diet .com compression 553230557Sjimharris 554230557Sjimharris# miscellaneous formats 555230557Sjimharris0 string/b LZ MS-DOS executable (built-in) 556230557Sjimharris#0 byte 0xf0 MS-DOS program library data 557230557Sjimharris# 558230557Sjimharris 559230557Sjimharris# AAF files: 560230557Sjimharris# <stuartc@rd.bbc.co.uk> Stuart Cunningham 561230557Sjimharris0 string/b \320\317\021\340\241\261\032\341AAFB\015\000OM\006\016\053\064\001\001\001\377 AAF legacy file using MS Structured Storage 562230557Sjimharris>30 byte 9 (512B sectors) 563230557Sjimharris>30 byte 12 (4kB sectors) 564230557Sjimharris0 string/b \320\317\021\340\241\261\032\341\001\002\001\015\000\002\000\000\006\016\053\064\003\002\001\001 AAF file using MS Structured Storage 565230557Sjimharris>30 byte 9 (512B sectors) 566230557Sjimharris>30 byte 12 (4kB sectors) 567230557Sjimharris 568230557Sjimharris# Popular applications 569230557Sjimharris2080 string Microsoft\ Word\ 6.0\ Document %s 570230557Sjimharris!:mime application/msword 571230557Sjimharris2080 string Documento\ Microsoft\ Word\ 6 Spanish Microsoft Word 6 document data 572230557Sjimharris!:mime application/msword 573230557Sjimharris# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Word) 574230557Sjimharris2112 string MSWordDoc Microsoft Word document data 575230557Sjimharris!:mime application/msword 576230557Sjimharris# 577230557Sjimharris0 belong 0x31be0000 Microsoft Word Document 578230557Sjimharris!:mime application/msword 579230557Sjimharris# 580230557Sjimharris0 string/b PO^Q` Microsoft Word 6.0 Document 581230557Sjimharris!:mime application/msword 582230557Sjimharris# 583230557Sjimharris4 long 0 584230557Sjimharris>0 belong 0xfe320000 Microsoft Word for Macintosh 1.0 585230557Sjimharris!:mime application/msword 586230557Sjimharris!:ext mcw 587230557Sjimharris>0 belong 0xfe340000 Microsoft Word for Macintosh 3.0 588230557Sjimharris!:mime application/msword 589230557Sjimharris!:ext mcw 590230557Sjimharris>0 belong 0xfe37001c Microsoft Word for Macintosh 4.0 591230557Sjimharris!:mime application/msword 592230557Sjimharris!:ext mcw 593230557Sjimharris>0 belong 0xfe370023 Microsoft Word for Macintosh 5.0 594230557Sjimharris!:mime application/msword 595230557Sjimharris!:ext mcw 596230557Sjimharris 597230557Sjimharris0 string/b \333\245-\0\0\0 Microsoft Word 2.0 Document 598230557Sjimharris!:mime application/msword 599230557Sjimharris!:ext doc 600230557Sjimharris512 string/b \354\245\301 Microsoft Word Document 601230557Sjimharris!:mime application/msword 602230557Sjimharris 603230557Sjimharris# 604230557Sjimharris0 string/b \xDB\xA5\x2D\x00 Microsoft WinWord 2.0 Document 605230557Sjimharris!:mime application/msword 606230557Sjimharris# 607230557Sjimharris2080 string Microsoft\ Excel\ 5.0\ Worksheet %s 608230557Sjimharris!:mime application/vnd.ms-excel 609230557Sjimharris# 610230557Sjimharris0 string/b \xDB\xA5\x2D\x00 Microsoft WinWord 2.0 Document 611230557Sjimharris!:mime application/msword 612230557Sjimharris 613230557Sjimharris2080 string Foglio\ di\ lavoro\ Microsoft\ Exce %s 614230557Sjimharris!:mime application/vnd.ms-excel 615230557Sjimharris# 616230557Sjimharris# Pawel Wiecek <coven@i17linuxb.ists.pwr.wroc.pl> (for polish Excel) 617230557Sjimharris2114 string Biff5 Microsoft Excel 5.0 Worksheet 618230557Sjimharris!:mime application/vnd.ms-excel 619230557Sjimharris# Italian MS-Excel 620230557Sjimharris2121 string Biff5 Microsoft Excel 5.0 Worksheet 621230557Sjimharris!:mime application/vnd.ms-excel 622230557Sjimharris0 string/b \x09\x04\x06\x00\x00\x00\x10\x00 Microsoft Excel Worksheet 623!:mime application/vnd.ms-excel 624# 625# Update: Joerg Jenderek 626# URL: https://en.wikipedia.org/wiki/Lotus_1-2-3 627# Reference: http://www.aboutvb.de/bas/formate/pdf/wk3.pdf 628# Note: newer Lotus versions >2 use longer BOF record 629# record type (BeginningOfFile=0000h) + length (001Ah) 6300 belong 0x00001a00 631# reserved should be 0h but 8c0dh for TUTMAC.WK3, 5h for SAMPADNS.WK3, 1h for a_readme.wk3, 1eh for K&G86.WK3 632#>18 uleshort&0x73E0 0 633# Lotus Multi Byte Character Set (LMBCS=1-31) 634>20 ubyte >0 635>>20 ubyte <32 Lotus 1-2-3 636#!:mime application/x-123 637!:mime application/vnd.lotus-1-2-3 638!:apple ????L123 639# (version 5.26) labeled the entry as "Lotus 1-2-3 wk3 document data" 640>>>4 uleshort 0x1000 WorKsheet, version 3 641!:ext wk3 642# (version 5.26) labeled the entry as "Lotus 1-2-3 wk4 document data" 643>>>4 uleshort 0x1002 WorKsheet, version 4 644# also worksheet template 4 (.wt4) 645!:ext wk4/wt4 646# no example or documentation for wk5 647#>>4 uleshort 0x???? WorKsheet, version 4 648#!:ext wk5 649# only MacrotoScript.123 example 650>>>4 uleshort 0x1003 WorKsheet, version 97 651# also worksheet template Smartmaster (.12M)? 652!:ext 123 653# only Set_Y2K.123 example 654>>>4 uleshort 0x1005 WorKsheet, version 9.8 Millennium 655!:ext 123 656# no example for this version 657>>>4 uleshort 0x8001 FoRMatting data 658!:ext frm 659# (version 5.26) labeled the entry as "Lotus 1-2-3 fm3 or fmb document data" 660# TrID labeles the entry as "Formatting Data for Lotus 1-2-3 worksheet" 661>>>4 uleshort 0x8007 ForMatting data, version 3 662!:ext fm3 663>>>4 default x unknown 664# file revision sub code 0004h for worksheets 665>>>>6 uleshort =0x0004 worksheet 666!:ext wXX 667>>>>6 uleshort !0x0004 formatting data 668!:ext fXX 669# main revision number 670>>>>4 uleshort x \b, revision 0x%x 671>>>6 uleshort =0x0004 \b, cell range 672# active cellcoord range (start row, page,column ; end row, page, column) 673# start values normally 0~1st sheet A1 674>>>>8 ulelong !0 675>>>>>10 ubyte >0 \b%d* 676>>>>>8 uleshort x \b%d, 677>>>>>11 ubyte x \b%d- 678# end page mostly 0 679>>>>14 ubyte >0 \b%d* 680# end raw, column normally not 0 681>>>>12 uleshort x \b%d, 682>>>>15 ubyte x \b%d 683# Lotus Multi Byte Character Set (1~cp850,2~cp851,...,16~japan,...,31~??) 684>>>>20 ubyte >1 \b, character set 0x%x 685# flags 686>>>>21 ubyte x \b, flags 0x%x 687>>>6 uleshort !0x0004 688# record type (FONTNAME=00AEh) 689>>>>30 search/29 \0\xAE 690# variable length m (2) + entries (1) + ?? (1) + LCMBS string (n) 691>>>>>&4 string >\0 \b, 1st font "%s" 692# 693# Update: Joerg Jenderek 694# URL: http://fileformats.archiveteam.org/wiki/Lotus_1-2-3 695# Reference: http://www.schnarff.com/file-formats/lotus-1-2-3/WSFF2.TXT 696# Note: Used by both old Lotus 1-2-3 and Lotus Symphony (DOS) til version 2.x 697# record type (BeginningOfFile=0000h) + length (0002h) 6980 belong 0x00000200 699# GRR: line above is too general as it catches also MS Windows CURsor 700# to display MS Windows cursor (strength=70) before Lotus 1-2-3 (strength=70-1) 701!:strength -1 702# skip Windows cursors with image height <256 and keep Lotus with low opcode 0001-0083h 703>7 ubyte 0 704# skip Windows cursors with image width 256 and keep Lotus with positiv opcode 705>>6 ubyte >0 Lotus 706# !:mime application/x-123 707!:mime application/vnd.lotus-1-2-3 708!:apple ????L123 709# revision number (0404h = 123 1A, 0405h = Lotus Symphony , 0406h = 123 2.x wk1 , 8006h = fmt , ...) 710# undocumented; (version 5.26) labeled the configurations as "Lotus 1-2-3" 711>>>4 uleshort 0x0007 1-2-3 CoNFiguration, version 2.x (PGRAPH.CNF) 712!:ext cnf 713>>>4 uleshort 0x0C05 1-2-3 CoNFiguration, version 2.4J 714!:ext cnf 715>>>4 uleshort 0x0801 1-2-3 CoNFiguration, version 1-2.1 716!:ext cnf 717>>>4 uleshort 0x0802 Symphony CoNFiguration 718!:ext cnf 719>>>4 uleshort 0x0804 1-2-3 CoNFiguration, version 2.2 720!:ext cnf 721>>>4 uleshort 0x080A 1-2-3 CoNFiguration, version 2.3-2.4 722!:ext cnf 723>>>4 uleshort 0x1402 1-2-3 CoNFiguration, version 3.x 724!:ext cnf 725>>>4 uleshort 0x1450 1-2-3 CoNFiguration, version 4.x 726!:ext cnf 727# (version 5.26) labeled the entry as "Lotus 123" 728# TrID labeles the entry as "Lotus 123 Worksheet (generic)" 729>>>4 uleshort 0x0404 1-2-3 WorKSheet, version 1 730# extension "wks" also for Microsoft Works document 731!:ext wks 732# (version 5.26) labeled the entry as "Lotus 123" 733# TrID labeles the entry as "Lotus 123 Worksheet (generic)" 734>>>4 uleshort 0x0405 Symphony WoRksheet, version 1.0 735!:ext wrk/wr1 736# (version 5.26) labeled the entry as "Lotus 1-2-3 wk1 document data" 737# TrID labeles the entry as "Lotus 123 Worksheet (V2)" 738>>>4 uleshort 0x0406 1-2-3/Symphony worksheet, version 2 739# Symphony (.wr1) 740!:ext wk1/wr1 741# no example for this japan version 742>>>4 uleshort 0x0600 1-2-3 WorKsheet, version 1.xJ 743!:ext wj1 744# no example or documentation for wk2 745#>>>4 uleshort 0x???? 1-2-3 WorKsheet, version 2 746#!:ext wk2 747# undocumented japan version 748>>>4 uleshort 0x0602 1-2-3 worksheet, version 2.4J 749!:ext wj3 750# (version 5.26) labeled the entry as "Lotus 1-2-3 fmt document data" 751>>>4 uleshort 0x8006 1-2-3 ForMaTting data, version 2.x 752# japan version 2.4J (fj3) 753!:ext fmt/fj3 754# no example for this version 755>>>4 uleshort 0x8007 1-2-3 FoRMatting data, version 2.0 756!:ext frm 757# (version 5.26) labeled the entry as "Lotus 1-2-3" 758>>>4 default x unknown worksheet or configuration 759!:ext cnf 760>>>>4 uleshort x \b, revision 0x%x 761# 2nd record for most worksheets describes cells range 762>>>6 use lotus-cells 763# 3nd record for most japan worksheets describes cells range 764>>>(8.s+10) use lotus-cells 765# check and then display Lotus worksheet cells range 7660 name lotus-cells 767# look for type (RANGE=0006h) + length (0008h) at record begin 768>0 ubelong 0x06000800 \b, cell range 769# cell range (start column, row, end column, row) start values normally 0,0~A1 cell 770>>4 ulong !0 771>>>4 uleshort x \b%d, 772>>>6 uleshort x \b%d- 773# end of cell range 774>>8 uleshort x \b%d, 775>>10 uleshort x \b%d 776# EndOfLotus123 7770 string/b WordPro\0 Lotus WordPro 778!:mime application/vnd.lotus-wordpro 7790 string/b WordPro\r\373 Lotus WordPro 780!:mime application/vnd.lotus-wordpro 781 782 783# Summary: Script used by InstallScield to uninstall applications 784# Extension: .isu 785# Submitted by: unknown 786# Modified by (1): Abel Cheung <abelcheung@gmail.com> (replace useless entry) 7870 string \x71\xa8\x00\x00\x01\x02 788>12 string Stirling\ Technologies, InstallShield Uninstall Script 789 790# Winamp .avs 791#0 string Nullsoft\ AVS\ Preset\ \060\056\061\032 A plug in for Winamp ms-windows Freeware media player 7920 string/b Nullsoft\ AVS\ Preset\ Winamp plug in 793 794# Windows Metafont .WMF 7950 string/b \327\315\306\232 ms-windows metafont .wmf 7960 string/b \002\000\011\000 ms-windows metafont .wmf 7970 string/b \001\000\011\000 ms-windows metafont .wmf 798 799#tz3 files whatever that is (MS Works files) 8000 string/b \003\001\001\004\070\001\000\000 tz3 ms-works file 8010 string/b \003\002\001\004\070\001\000\000 tz3 ms-works file 8020 string/b \003\003\001\004\070\001\000\000 tz3 ms-works file 803 804# PGP sig files .sig 805#0 string \211\000\077\003\005\000\063\237\127 065 to \027\266\151\064\005\045\101\233\021\002 PGP sig 8060 string \211\000\077\003\005\000\063\237\127\065\027\266\151\064\005\045\101\233\021\002 PGP sig 8070 string \211\000\077\003\005\000\063\237\127\066\027\266\151\064\005\045\101\233\021\002 PGP sig 8080 string \211\000\077\003\005\000\063\237\127\067\027\266\151\064\005\045\101\233\021\002 PGP sig 8090 string \211\000\077\003\005\000\063\237\127\070\027\266\151\064\005\045\101\233\021\002 PGP sig 8100 string \211\000\077\003\005\000\063\237\127\071\027\266\151\064\005\045\101\233\021\002 PGP sig 8110 string \211\000\225\003\005\000\062\122\207\304\100\345\042 PGP sig 812 813# windows zips files .dmf 8140 string/b MDIF\032\000\010\000\000\000\372\046\100\175\001\000\001\036\001\000 MS Windows special zipped file 815 816 817#ico files 8180 string/b \102\101\050\000\000\000\056\000\000\000\000\000\000\000 Icon for MS Windows 819 820# Windows icons 821# Update: Joerg Jenderek 822# URL: https://en.wikipedia.org/wiki/CUR_(file_format) 823# Note: similar to Windows CURsor. container for BMP (only DIB part) or PNG 8240 belong 0x00000100 825>9 byte 0 826>>0 byte x 827>>0 use cur-ico-dir 828>9 ubyte 0xff 829>>0 byte x 830>>0 use cur-ico-dir 831# displays number of icons and information for icon or cursor 8320 name cur-ico-dir 833# skip some Lotus 1-2-3 worksheets, CYCLE.PIC and keep Windows cursors with 834# 1st data offset = dir header size + n * dir entry size = 6 + n * 10h = ?6h 835>18 ulelong &0x00000006 836# skip remaining worksheets, because valid only for DIB image (40) or PNG image (\x89PNG) 837>>(18.l) ulelong x MS Windows 838>>>0 ubelong 0x00000100 icon resource 839#!:mime image/vnd.microsoft.icon 840!:mime image/x-icon 841!:ext ico 842>>>>4 uleshort x - %d icon 843# plural s 844>>>>4 uleshort >1 \bs 845# 1st icon 846>>>>0x06 use ico-entry 847# 2nd icon 848>>>>4 uleshort >1 849>>>>>0x16 use ico-entry 850>>>0 ubelong 0x00000200 cursor resource 851#!:mime image/x-cur 852!:mime image/x-win-bitmap 853!:ext cur 854>>>>4 uleshort x - %d icon 855>>>>4 uleshort >1 \bs 856# 1st cursor 857>>>>0x06 use cur-entry 858#>>>>0x16 use cur-entry 859# display information of one cursor entry 8600 name cur-entry 861>0 use cur-ico-entry 862>4 uleshort x \b, hotspot @%dx 863>6 uleshort x \b%d 864# display information of one icon entry 8650 name ico-entry 866>0 use cur-ico-entry 867# normally 0 1 but also found 14 868>4 uleshort >1 \b, %d planes 869# normally 0 1 but also found some 3, 4, some 6, 8, 24, many 32, two 256 870>6 uleshort >1 \b, %d bits/pixel 871# display shared information of cursor or icon entry 8720 name cur-ico-entry 873>0 byte =0 \b, 256x 874>0 byte !0 \b, %dx 875>1 byte =0 \b256 876>1 byte !0 \b%d 877# number of colors in palette 878>2 ubyte !0 \b, %d colors 879# reserved 0 FFh 880#>3 ubyte x \b, reserved %x 881#>8 ulelong x \b, image size %d 882# offset of PNG or DIB image 883#>12 ulelong x \b, offset 0x%x 884# PNG header (\x89PNG) 885>(12.l) ubelong =0x89504e47 886>>&-4 indirect x \b with 887# DIB image 888>(12.l) ubelong !0x89504e47 889#>>&-4 use dib-image 890 891# Windows non-animated cursors 892# Update: Joerg Jenderek 893# URL: https://en.wikipedia.org/wiki/CUR_(file_format) 894# Note: similar to Windows ICOn. container for BMP ( only DIB part) 895# GRR: line below is too general as it catches also Lotus 1-2-3 files 8960 belong 0x00000200 897>9 byte 0 898>>0 use cur-ico-dir 899>9 ubyte 0xff 900>>0 use cur-ico-dir 901 902# .chr files 9030 string/b PK\010\010BGI Borland font 904>4 string >\0 %s 905# then there is a copyright notice 906 907 908# .bgi files 9090 string/b pk\010\010BGI Borland device 910>4 string >\0 %s 911# then there is a copyright notice 912 913 914# Windows Recycle Bin record file (named INFO2) 915# By Abel Cheung (abelcheung AT gmail dot com) 916# Version 4 always has 280 bytes (0x118) per record, version 5 has 800 bytes 917# Since Vista uses another structure, INFO2 structure probably won't change 918# anymore. Detailed analysis in: 919# http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf 9200 lelong 0x00000004 921>12 lelong 0x00000118 Windows Recycle Bin INFO2 file (Win98 or below) 922 9230 lelong 0x00000005 924>12 lelong 0x00000320 Windows Recycle Bin INFO2 file (Win2k - WinXP) 925 926# From Doug Lee via a FreeBSD pr 9279 string GERBILDOC First Choice document 9289 string GERBILDB First Choice database 9299 string GERBILCLIP First Choice database 9300 string GERBIL First Choice device file 9319 string RABBITGRAPH RabbitGraph file 9320 string DCU1 Borland Delphi .DCU file 9330 string =!<spell> MKS Spell hash list (old format) 9340 string =!<spell2> MKS Spell hash list 935# Too simple - MPi 936#0 string AH Halo(TM) bitmapped font file 9370 lelong 0x08086b70 TurboC BGI file 9380 lelong 0x08084b50 TurboC Font file 939 940# Debian#712046: The magic below identifies "Delphi compiled form data". 941# An additional source of information is available at: 942# http://www.woodmann.com/fravia/dafix_t1.htm 9430 string TPF0 944>4 pstring >\0 Delphi compiled form '%s' 945 946# tests for DBase files moved, updated and merged to database 947 9480 string PMCC Windows 3.x .GRP file 9491 string RDC-meg MegaDots 950>8 byte >0x2F version %c 951>9 byte >0x2F \b.%c file 9520 lelong 0x4C 953>4 lelong 0x00021401 Windows shortcut file 954 955# .PIF files added by Joerg Jenderek from http://smsoft.ru/en/pifdoc.htm 956# only for windows versions equal or greater 3.0 9570x171 string MICROSOFT\ PIFEX\0 Windows Program Information File 958!:mime application/x-dosexec 959#>2 string >\0 \b, Title:%.30s 960>0x24 string >\0 \b for %.63s 961>0x65 string >\0 \b, directory=%.64s 962>0xA5 string >\0 \b, parameters=%.64s 963#>0x181 leshort x \b, offset %x 964#>0x183 leshort x \b, offsetdata %x 965#>0x185 leshort x \b, section length %x 966>0x187 search/0xB55 WINDOWS\ VMM\ 4.0\0 967>>&0x5e ubyte >0 968>>>&-1 string <PIFMGR.DLL \b, icon=%s 969#>>>&-1 string PIFMGR.DLL \b, icon=%s 970>>>&-1 string >PIFMGR.DLL \b, icon=%s 971>>&0xF0 ubyte >0 972>>>&-1 string <Terminal \b, font=%.32s 973#>>>&-1 string =Terminal \b, font=%.32s 974>>>&-1 string >Terminal \b, font=%.32s 975>>&0x110 ubyte >0 976>>>&-1 string <Lucida\ Console \b, TrueTypeFont=%.32s 977#>>>&-1 string =Lucida\ Console \b, TrueTypeFont=%.32s 978>>>&-1 string >Lucida\ Console \b, TrueTypeFont=%.32s 979#>0x187 search/0xB55 WINDOWS\ 286\ 3.0\0 \b, Windows 3.X standard mode-style 980#>0x187 search/0xB55 WINDOWS\ 386\ 3.0\0 \b, Windows 3.X enhanced mode-style 981>0x187 search/0xB55 WINDOWS\ NT\ \ 3.1\0 \b, Windows NT-style 982#>0x187 search/0xB55 WINDOWS\ NT\ \ 4.0\0 \b, Windows NT-style 983>0x187 search/0xB55 CONFIG\ \ SYS\ 4.0\0 \b +CONFIG.SYS 984#>>&06 string x \b:%s 985>0x187 search/0xB55 AUTOEXECBAT\ 4.0\0 \b +AUTOEXEC.BAT 986#>>&06 string x \b:%s 987 988# DOS EPS Binary File Header 989# From: Ed Sznyter <ews@Black.Market.NET> 9900 belong 0xC5D0D3C6 DOS EPS Binary File 991!:mime image/x-eps 992>4 long >0 Postscript starts at byte %d 993>>8 long >0 length %d 994>>>12 long >0 Metafile starts at byte %d 995>>>>16 long >0 length %d 996>>>20 long >0 TIFF starts at byte %d 997>>>>24 long >0 length %d 998 999# TNEF magic From "Joomy" <joomy@se-ed.net> 1000# Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF) 10010 lelong 0x223e9f78 TNEF 1002!:mime application/vnd.ms-tnef 1003 1004# Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C 1005# of http://www.davep.org/norton-guides/ng2h-105.tgz 1006# http://en.wikipedia.org/wiki/Norton_Guides 10070 string NG\0\001 1008# only value 0x100 found at offset 2 1009>2 ulelong 0x00000100 Norton Guide 1010# Title[40] 1011>>8 string >\0 "%-.40s" 1012#>>6 uleshort x \b, MenuCount=%u 1013# szCredits[5][66] 1014>>48 string >\0 \b, %-.66s 1015>>114 string >\0 %-.66s 1016 1017# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS 1018# of http://www.4dos.info/ 1019# pointer,HelpID[8]=4DHnnnmm 10200 ulelong 0x48443408 4DOS help file 1021>4 string x \b, version %-4.4s 1022 1023# old binary Microsoft (.HLP) files added by Joerg Jenderek from http://file-extension.net/seeker/file_extension_hlp 10240 ulequad 0x3a000000024e4c MS Advisor help file 1025 1026# HtmlHelp files (.chm) 10270 string/b ITSF\003\000\000\000\x60\000\000\000 MS Windows HtmlHelp Data 1028 1029# GFA-BASIC (Wolfram Kleff) 10302 string/b GFA-BASIC3 GFA-BASIC 3 data 1031 1032#------------------------------------------------------------------------------ 1033# From Stuart Caie <kyzer@4u.net> (developer of cabextract) 1034# Microsoft Cabinet files 10350 string/b MSCF\0\0\0\0 Microsoft Cabinet archive data 1036!:mime application/vnd.ms-cab-compressed 1037>8 lelong x \b, %u bytes 1038>28 leshort 1 \b, 1 file 1039>28 leshort >1 \b, %u files 1040 1041# InstallShield Cabinet files 10420 string/b ISc( InstallShield Cabinet archive data 1043>5 byte&0xf0 =0x60 version 6, 1044>5 byte&0xf0 !0x60 version 4/5, 1045>(12.l+40) lelong x %u files 1046 1047# Windows CE package files 10480 string/b MSCE\0\0\0\0 Microsoft WinCE install header 1049>20 lelong 0 \b, architecture-independent 1050>20 lelong 103 \b, Hitachi SH3 1051>20 lelong 104 \b, Hitachi SH4 1052>20 lelong 0xA11 \b, StrongARM 1053>20 lelong 4000 \b, MIPS R4000 1054>20 lelong 10003 \b, Hitachi SH3 1055>20 lelong 10004 \b, Hitachi SH3E 1056>20 lelong 10005 \b, Hitachi SH4 1057>20 lelong 70001 \b, ARM 7TDMI 1058>52 leshort 1 \b, 1 file 1059>52 leshort >1 \b, %u files 1060>56 leshort 1 \b, 1 registry entry 1061>56 leshort >1 \b, %u registry entries 1062 1063 1064# Windows Enhanced Metafile (EMF) 1065# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp 1066# for further information. 10670 ulelong 1 1068>40 string \ EMF Windows Enhanced Metafile (EMF) image data 1069>>44 ulelong x version 0x%x 1070 1071# from http://filext.com by Derek M Jones <derek@knosof.co.uk> 1072# False positive with PPT (also currently this string is too long) 1073#0 string/b \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3E\x00\x03\x00\xFE\xFF\x09\x00\x06 Microsoft Installer 10740 string/b \320\317\021\340\241\261\032\341 Microsoft Office Document 1075#>48 byte 0x1B Excel Document 1076#!:mime application/vnd.ms-excel 1077>546 string bjbj Microsoft Word Document 1078!:mime application/msword 1079>546 string jbjb Microsoft Word Document 1080!:mime application/msword 1081 10820 string/b \224\246\056 Microsoft Word Document 1083!:mime application/msword 1084 1085512 string R\0o\0o\0t\0\ \0E\0n\0t\0r\0y Microsoft Word Document 1086!:mime application/msword 1087 1088# From: "Nelson A. de Oliveira" <naoliv@gmail.com> 1089# Magic type for Dell's BIOS .hdr files 1090# Dell's .hdr 10910 string/b $RBU 1092>23 string Dell %s system BIOS 1093>5 byte 2 1094>>48 byte x version %d. 1095>>49 byte x \b%d. 1096>>50 byte x \b%d 1097>5 byte <2 1098>>48 string x version %.3s 1099 1100# Type: Microsoft DirectDraw Surface 1101# URL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/directx9_c/directx/graphics/reference/DDSFileReference/ddsfileformat.asp 1102# From: Morten Hustveit <morten@debian.org> 11030 string/b DDS\040\174\000\000\000 Microsoft DirectDraw Surface (DDS), 1104>16 lelong >0 %d x 1105>12 lelong >0 %d, 1106>84 string x %.4s 1107 1108# Type: Microsoft Document Imaging Format (.mdi) 1109# URL: http://en.wikipedia.org/wiki/Microsoft_Document_Imaging_Format 1110# From: Daniele Sempione <scrows@oziosi.org> 1111# Too weak (EP) 1112#0 short 0x5045 Microsoft Document Imaging Format 1113 1114# MS eBook format (.lit) 11150 string/b ITOLITLS Microsoft Reader eBook Data 1116>8 lelong x \b, version %u 1117!:mime application/x-ms-reader 1118 1119# Windows CE Binary Image Data Format 1120# From: Dr. Jesus <j@hug.gs> 11210 string/b B000FF\n Windows Embedded CE binary image 1122 1123# Windows Imaging (WIM) Image 11240 string/b MSWIM\000\000\000 Windows imaging (WIM) image 11250 string/b WLPWM\000\000\000 Windows imaging (WIM) image, wimlib pipable format 1126 1127# The second byte of these signatures is a file version; I don't know what, 1128# if anything, produced files with version numbers 0-2. 1129# From: John Elliott <johne@seasip.demon.co.uk> 11300 string \xfc\x03\x00 Mallard BASIC program data (v1.11) 11310 string \xfc\x04\x00 Mallard BASIC program data (v1.29+) 11320 string \xfc\x03\x01 Mallard BASIC protected program data (v1.11) 11330 string \xfc\x04\x01 Mallard BASIC protected program data (v1.29+) 1134 11350 string MIOPEN Mallard BASIC Jetsam data 11360 string Jetsam0 Mallard BASIC Jetsam index data 1137 1138# DOS backup 2.0 to 3.2 1139 1140# backupid.@@@ 1141 1142# plausibility check for date 11430x3 ushort >1979 1144>0x5 ubyte-1 <31 1145>>0x6 ubyte-1 <12 1146# actually 121 nul bytes 1147>>>0x7 string \0\0\0\0\0\0\0\0 1148>>>>0x1 ubyte x DOS 2.0 backup id file, sequence %d 1149!:ext @@@ 1150>>>>0x0 ubyte 0xff \b, last disk 1151 1152# backed up file 1153 1154# skip some AppleWorks word like Tomahawk.Awp, WIN98SE-DE.vhd 1155# by looking for trailing nul of maximal file name string 11560x52 ubyte 0 1157# test for flag byte: FFh~complete file, 00h~split file 1158# FFh -127 = -1 -127 = -128 1159# 00h -127 = 0 -127 = -127 1160>0 byte-127 <-126 1161# plausibility check for file name length 1162>>0x53 ubyte-1 <78 1163# looking for terminating nul of file name string 1164>>>(0x53.b+4) ubyte 0 1165# looking if last char of string is valid DOS file name 1166>>>>(0x53.b+3) ubyte >0x1F 1167# actually 44 nul bytes 1168# but sometimes garbage according to Ralf Quint. So can not be used as test 1169#>0x54 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 1170# first char of full file name is DOS (5Ch) or UNIX (2Fh) path separator 1171# only DOS variant found. UNIX variant according to V32SLASH.TXT in archive PD0315.EXE 1172>>>>>5 ubyte&0x8C 0x0C 1173# ./msdos (version 5.30) labeled the entry as 1174# "DOS 2.0 backed up file %s, split file, sequence %d" or 1175# "DOS 2.0 backed up file %s, complete file" 1176>>>>>>0 ubyte x DOS 2.0-3.2 backed up 1177#>>>>>>0 ubyte 0xff complete 1178>>>>>>0 ubyte 0 1179>>>>>>>1 uleshort x sequence %d of 1180# full file name with path but without drive letter and colon stored from 0x05 til 0x52 1181>>>>>>0x5 string x file %s 1182# backup name is original filename 1183#!:ext * 1184# magic/Magdir/msdos, 1169: Warning: EXTENSION type ` *' has bad char '*' 1185# file: line 1169: Bad magic entry ' *' 1186# after header original file content 1187>>>>>>128 indirect x \b; 1188 1189 1190# DOS backup 3.3 to 5.x 1191 1192# CONTROL.nnn files 11930 string \x8bBACKUP\x20 1194# actually 128 nul bytes 1195>0xa string \0\0\0\0\0\0\0\0 1196>>0x9 ubyte x DOS 3.3 backup control file, sequence %d 1197>>0x8a ubyte 0xff \b, last disk 1198 1199# NB: The BACKUP.nnn files consist of the files backed up, 1200# concatenated. 1201