1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
|
#------------------------------------------------------------------------------
# $File: coff,v 1.6 2021/04/26 15:56:00 christos Exp $
# coff: file(1) magic for Common Object Files not specific to known cpu types or manufactures
#
# COFF
#
# by Joerg Jenderek at Oct 2015, Feb 2021
# https://en.wikipedia.org/wiki/COFF
# https://de.wikipedia.org/wiki/Common_Object_File_Format
# http://www.delorie.com/djgpp/doc/coff/filhdr.html
# display name+variables+flags of Common Object Files Format (32bit)
# Maybe used also in adi,att3b,clipper,hitachi-sh,hp,ibm6000,intel,
# mips,motorola,msdos,osf1,sharc,varied.out,vax
0 name display-coff
# test for unused flag bits (0x8000,0x0800,0x0400,0x0200,x0080) in f_flags
>18 uleshort&0x8E80 0
# skip DOCTOR.DAILY READER.NDA REDBOX.ROOT by looking for positive number of sections
>>2 uleshort >0
# skip ega80woa.fnt svgafix.fnt HP3FNTS1.DAT HP3FNTS2.DAT INTRO.ACT LEARN.PIF by looking for low number of sections
>>>2 uleshort <4207
>>>>0 clear x
# f_magic - magic number
# DJGPP, 80386 COFF executable, MS Windows COFF Intel 80386 object file (./intel)
>>>>0 uleshort 0x014C Intel 80386
# Hitachi SH big-endian COFF (./hitachi-sh)
>>>>0 uleshort 0x0500 Hitachi SH big-endian
# Hitachi SH little-endian COFF (./hitachi-sh)
>>>>0 uleshort 0x0550 Hitachi SH little-endian
# executable (RISC System/6000 V3.1) or obj module (./ibm6000)
#>>>>0 uleshort 0x01DF
# MS Windows COFF Intel Itanium, AMD64
# https://msdn.microsoft.com/en-us/library/windows/desktop/ms680313(v=vs.85).aspx
>>>>0 uleshort 0x0200 Intel ia64
>>>>0 uleshort 0x8664 Intel amd64
# ARM COFF (./arm)
>>>>0 uleshort 0xaa64 Aarch64
>>>>0 uleshort 0x01c0 ARM
>>>>0 uleshort 0x01c2 ARM Thumb
>>>>0 uleshort 0x01c4 ARMv7 Thumb
# TODO for other COFFs
#>>>>0 uleshort 0xABCD COFF_TEMPLATE
>>>>0 default x
>>>>>0 uleshort x type %#04x
>>>>0 uleshort x COFF
# F_EXEC flag bit
>>>>18 leshort ^0x0002 object file
!:mime application/x-coff
!:ext o/obj/lib
# no cof sample found
#!:ext cof/o/obj/lib
>>>>18 leshort &0x0002 executable
#!:mime application/x-coffexec
# F_RELFLG flag bit,static object
>>>>18 leshort &0x0001 \b, no relocation info
# F_LNNO flag bit
>>>>18 leshort &0x0004 \b, no line number info
# F_LSYMS flag bit
>>>>18 leshort &0x0008 \b, stripped
>>>>18 leshort ^0x0008 \b, not stripped
# flags in other COFF versions
#0x0010 F_FDPR_PROF
#0x0020 F_FDPR_OPTI
#0x0040 F_DSA
# F_AR32WR flag bit
#>>>>18 leshort &0x0100 \b, 32 bit little endian
#0x1000 F_DYNLOAD
#0x2000 F_SHROBJ
#0x4000 F_LOADONLY
# f_nscns - number of sections like: 1 2 3 4 5 7 8 9 11 12 15 16 19 20 21 22 26 30 36 40 42 56 80 89 96 124
>>>>2 uleshort <2 \b, %u section
>>>>2 uleshort >1 \b, %u sections
# f_symptr - symbol table pointer, only for not stripped
# like: 0 0x7c 0xf4 0x104 0x182 0x1c2 0x1c6 0x468 0x948 0x416e 0x149a6 0x1c9d8 0x23a68 0x35120 0x7afa0
>>>>8 ulelong >0 \b, symbol offset=%#x
# f_nsyms - number of symbols, only for not stripped
# like: 0 2 7 9 10 11 20 35 41 63 71 80 105 146 153 158 170 208 294 572 831 1546
>>>>12 ulelong >0 \b, %d symbols
# f_opthdr - optional header size. An object file should have a value of 0
>>>>16 uleshort >0 \b, optional header size %u
# f_timdat - file time & date stamp only for little endian
>>>>4 ledate >0 \b, created %s
# at offset 20 can be optional header, extra bytes FILHSZ-20 because
# do not rely on sizeof(FILHDR) to give the correct size for header.
# or first section header
# additional variables for other COFF files
>>>>16 uleshort =0
# first section name s_name[8] like: .text .data .debug$S .drectve .testseg
>>>>>20 string x \b, 1st section name "%.8s"
# >20 beshort 0407 (impure)
# >20 beshort 0410 (pure)
# >20 beshort 0413 (demand paged)
# >20 beshort 0421 (standalone)
# >22 leshort >0 - version %d
# >168 string .lowmem Apple toolbox
|
