From: Christos Zoulas Date: Tue, 15 Dec 2015 01:06:17 +0000 (+0000) Subject: Microsoft Help file magic from Joerg Jenderek X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e5a09779ed97ed58974ec9c95ca482a5e2daaa11;p=file Microsoft Help file magic from Joerg Jenderek --- diff --git a/magic/Magdir/windows b/magic/Magdir/windows index b1c5b97e..faaa7e29 100644 --- a/magic/Magdir/windows +++ b/magic/Magdir/windows @@ -1,6 +1,6 @@ #------------------------------------------------------------------------------ -# $File: windows,v 1.13 2015/09/23 16:03:03 christos Exp $ +# $File: windows,v 1.14 2015/12/15 01:06:17 christos Exp $ # windows: file(1) magic for Microsoft Windows # # This file is mainly reserved for files where programs @@ -64,10 +64,148 @@ # Summary: Old format help files -# Extension: .hlp +# URL: https://en.wikipedia.org/wiki/WinHelp +# Reference: http://www.oocities.org/mwinterhoff/helpfile.htm +# Update: Joerg Jenderek # Created by: Dirk Jagdmann -0 lelong 0x00035f3f MS Windows 3.x help file +# +# check and then display version and date inside MS Windows HeLP file fragment +0 name help-ver-date +# look for Magic of SYSTEMHEADER +>0 leshort 0x036C +# version Major 1 for right file fragment +>>4 leshort 1 Windows +# print non empty string above to avoid error message +# Warning: Current entry does not yet have a description for adding a MIME type +!:mime application/winhelp +!:ext hlp +# version Minor of help file format is hint for windows version +>>>2 leshort 0x0F 3.x +>>>2 leshort 0x15 3.0 +>>>2 leshort 0x21 3.1 +>>>2 leshort 0x27 x.y +>>>2 leshort 0x33 95 +>>>2 default x y.z +>>>>2 leshort x 0x%x +# to complete message string like "MS Windows 3.x help file" +>>>2 leshort x help +# GenDate often older than file creation date +>>>6 ldate x \b, %s +# +# Magic for HeLP files +0 lelong 0x00035f3f +# ./windows (version 5.25) labeled the entry as "MS Windows 3.x help file" +# file header magic 0x293B at DirectoryStart+9 +>(4.l+9) uleshort 0x293B MS +# look for @VERSION bmf.. like IBMAVW.ANN +>>0xD4 string =\x62\x6D\x66\x01\x00 Windows help annotation +!:mime application/x-winhelp +!:ext ann +>>0xD4 string !\x62\x6D\x66\x01\x00 +# "GID Help index" by TrID +>>>(4.l+0x65) string =|Pete Windows help Global Index +!:mime application/x-winhelp +!:ext gid +# HeLP Bookmark or +# "Windows HELP File" by TrID +>>>(4.l+0x65) string !|Pete +# maybe there exist a cleaner way to detect HeLP fragments +# brute search for Magic 0x036C with matching Major maximal 7 iterations +# discapp.hlp +>>>>16 search/0x49AF/s \x6c\x03 +>>>>>&0 use help-ver-date +>>>>>&4 leshort !1 +# putty.hlp +>>>>>>&0 search/0x69AF/s \x6c\x03 +>>>>>>>&0 use help-ver-date +>>>>>>>&4 leshort !1 +>>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>>>&0 use help-ver-date +>>>>>>>>>&4 leshort !1 +>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>>>>>&0 use help-ver-date +>>>>>>>>>>>&4 leshort !1 +>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>>>>>>>&0 use help-ver-date +>>>>>>>>>>>>>&4 leshort !1 +>>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 +>>>>>>>>>>>>>>>&0 use help-ver-date +>>>>>>>>>>>>>>>&4 leshort !1 +>>>>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03 +# GCC.HLP is detected after 7 iterations +>>>>>>>>>>>>>>>>>&0 use help-ver-date +# this only happens if bigger hlp file is detected after used search iterations +>>>>>>>>>>>>>>>>>&4 leshort !1 Windows y.z help +!:mime application/winhelp +!:ext hlp +# repeat search again or following default line does not work +>>>>16 search/0x49AF/s \x6c\x03 +# remaining files should be HeLP Bookmark WinHlp32.BMK (XP 32-bit) or WinHlp32 (Windows 8.1 64-bit) +>>>>16 default x Windows help Bookmark +!:mime application/x-winhelp +!:ext /bmk +## FirstFreeBlock normally FFFFFFFFh 10h for *ANN +##>>8 lelong x \b, FirstFreeBlock 0x%8.8x +# EntireFileSize +>>12 lelong x \b, %d bytes +## ReservedSpace normally 042Fh AFh for *.ANN +#>>(4.l) lelong x \b, ReservedSpace 0x%8.8x +## UsedSpace normally 0426h A6h for *.ANN +#>>(4.l+4) lelong x \b, UsedSpace 0x%8.8x +## FileFlags normally 04... +#>>(4.l+5) lelong x \b, FileFlags 0x%8.8x +## file header magic 0x293B +#>>(4.l+9) uleshort x \b, file header magic 0x%4.4x +## file header Flags 0x0402 +#>>(4.l+11) uleshort x \b, file header Flags 0x%4.4x +## file header PageSize 0400h 80h for *.ANN +#>>(4.l+13) uleshort x \b, PageSize 0x%4.4x +## Structure[16] z4 +#>>(4.l+15) string >\0 \b, Structure_"%-.16s" +## MustBeZero 0 +#>>(4.l+31) uleshort x \b, MustBeZero 0x%4.4x +## PageSplits +#>>(4.l+33) uleshort x \b, PageSplits 0x%4.4x +## RootPage +#>>(4.l+35) uleshort x \b, RootPage 0x%4.4x +## MustBeNegOne 0xffff +#>>(4.l+37) uleshort x \b, MustBeNegOne 0x%4.4x +## TotalPages 1 +#>>(4.l+39) uleshort x \b, TotalPages 0x%4.4x +## NLevels 0x0001 +#>>(4.l+41) uleshort x \b, NLevels 0x%4.4x +## TotalBtreeEntries +#>>(4.l+43) ulelong x \b, TotalBtreeEntries 0x%8.8x +## pages of the B+ tree +#>>(4.l+47) ubequad x \b, PageStart 0x%16.16llx +# start with colon or semicolon for comment line like Back2Life.cnt +0 regex \^(:|;) +# look for first keyword Base +>0 search/45 :Base +>>&0 use cnt-name +# only solution to search again from beginning , because relative offsets changes when use is called +>0 search/45 :Base +>0 default x +# look for other keyword Title like in putty.cnt +>>0 search/45 :Title +>>>&0 use cnt-name +# +# display mime type and name of Windows help Content source +0 name cnt-name +# skip space at beginning +>0 string \ +# name without extension and greater character or name with hlp extension +>>1 regex/c \^([^\xd>]*|.*\.hlp) MS Windows help file Content, based "%s" +!:mime text/plain +!:apple ????TEXT +!:ext cnt +# +# Windows creates an full text search from hlp file, if the user clicks the "Find" tab and enables keyword indexing +0 string tfMR MS Windows help Full Text Search index +!:mime application/x-winhelp-fts +!:ext fts +>16 string >\0 for "%s" # Summary: Hyper terminal # Extension: .ht