Manual for FILE 2.0, (C) 1993-94 by Fefe Soft =[ Introduction ]= FILE is the best file recognizer known to me, and I am collecting things like that. File's job is to analyze files you give to it and then tell you what it found out about the file. FILE's syntax is: FILE [-?] [-k] [-o] [-f] [filespec [filespec...]] FILE without parameters analyzes all files in the current directory. The -k parameter tells FILE not to touch unwanted files. The -o parameter lets FILE output the size and CRC-32 of the files. The -f parameter tells FILE not to ask you if it should kill unwanted files. FILE's filespecs are more advanced DOS filespecs, that is, "A*B" will match "ARB" and not "ATC" like under DOS. =[ Disclaimer ]= I have done nearly everything to insure FILE's proper functionality, but I cannot assume any liability for any damage resulting directly or indirectly from use or not use of FILE or any other Fefe Soft product. Neither can I guarantee FILE's functionality or fitness for any purpose. There is no money-back-guarantee, since this program is ShareWare, i.e. you can test it before you buy for it, I won't give any money back. Especially concerning FILE, much is guesswork. Almost everything I use here is found out empirically, that is, I tried it on a few samples and then concluded that it works in general. Of course, this *may* work, but then, it may *not* work. So don't trust FILE 100% ! If you find something you want FILE to recognize, then SEND ME A COPY (my Internet account: leitner@inf.fu-berlin.de, or via Snail Mail to the address below. Even more important: If you find that FILE is wrong (not counting text files, because this is the best heuristics can do when only analyzing the first 512 bytes of the files), please let me know and send me the sample. However, if you have any problem which cannot be solved with this manual or if you have any suggestion what this program should do or should not do then write me : Felix von Leitner Gervinusstrasse 22 Tel: +49-30-32700270 ISDN 10629 Berlin GERMANY =[ ShareWare ]= You are allowed to test FILE 1 month, then you must decide if you want to use FILE further, then you must register, or not, then you must not use it any longer. If you decide to register this great program, then send $20 or DM 30 to the above adress or let your bank put the money on my account : Name: Felix von Leitner Account no: 5870043 bank ID: 100 700 00 Bank: Deutsche Bank If you register (and have an Internet account), I will notify you of important updates. Nothing will happen to your FILE if you register it, but you will take a heavy burden off your heart (hopefully) ;-) By the way, I have asked my bank and they could not help me to accept credit cards. I understand that most Americans want to register via credit card (if they want to register), but my bank does not know how to handle that. If anybody has a hint for me how to accept other means of payment than cash or via my bank account, I would appreciate it ! By the way, maybe we can trade registrations if you write ShareWare ? =[ Install ]= Put FILE into some path in your PATH= statement. Put FILE.DB into the same directory FILE.EXE is in. That's all. =[ Unwanted files ]= FILE recognizes several files I don't want on my system and asks if you want it to kill them for you. Those are tons of BBS ads and - intros, TheDraw COM files and 0-byte files with strange letters in their name. BTW: Just because FILE knows a BBS ad that doesn't mean I know the number of that BBS or I even know the BBS or I even know the BBS ad, since several people have contributed annoying files to me. By the way: I found a BBS ad from a BBS called 'Waves of Warez' which changed to say 'Warm fuckings to Fefe Soft' or something. Well, that does not bother me too much, but I am happy that FILE seems to see more of the world than I do ;) A message to the friendly sysop: FILE 2.0 detects this new intro as unwanted, too ;) Since only one person tried to send me something FILE did not know and he failed and almost daily I find new BBS ads, I decided to make FILE's BBS ad detection better. Now you can make FILE find previously unknown BBS ads ! I included the hacked program NEWAD.EXE for this purpose. Please notice that NEWAD.EXE is really a hack, so don't expect error detection and stuff like that. You just call NEWAD filename.ext where filename.ext is the ad you want FILE to find. Make sure that the file NEWAD.EXE is in the same directory as FILE.EXE ! Please contribute your new BBS ads to me if you have Internet access !!! The program NEWINTRO.EXE is a hack from NEWAD.EXE which does exactly the same, but FILE will think it's an intro (different color). BTW: You may have noticed that FILE.DB is a text file. If FILE does not understand a line, it will silently ignore it. So feel free to experi- ment, but don't expect your changes to work ;) =[ Debug info ]= FILE recognizes Borland and MicroSoft debug info. If it finds it, it asks you if you want it removed. If you are not the programmer, you can safely throw away debug info and save a few bytes on your hard disk. I have been told that FILE has had some difficulties on some system, but here everything works fine and I have not been able to reproduce this. I suspect that the program file had the Read-only flag set. =[ Wanted ]= Things I am especially interested in : - EXE packers FILE doesn't know - Image formats FILE doesn't know - Sound formats FILE doesn't know - Word processor file formats FILE doesn't know If you have something to contribute, please send it to me. Someone tried to send me a disk with some things I should implement, but the German Post Office clobbered the disk and since I could not read it, I trashed the accompanying letter by accident. So if you read this and you were the one sending that disk : I am sorry that the post killed that disk and I can't find the letter with your name. =[ Purpose ]= You just unzipped a demo called LAMEDEMO which contains a nice sound module. But the demo contains 100 files, called LAMEDEMO.000 through .099, and you want to know which one is the module. FILE can analyze all the files and find out which ones are modules, which ones are GIFs. Since FILE recognizes many popular compilers' executables, it can act as half-secure link virus checker. It won't find some stealth virii, and it doesn't know all compilers. But if FILE says the executable is a Borland Pascal executable, you can be pretty sure it does not contain a virus (I know of no virus written using Borland Pascal). Of course, this program can be used malevolently, by a cracker who wants to know which EXE packer or crypter you used to protect your program. But reveiling which method you used does not unprotect your file, so FILE does not really cause harm. =[ Features ]= FILE is so feature loaded that I put this section at the end of this document. Historically, FILE was an EXE analyzer. Then I added other file types, like sound files, graphics files, text files, and finally, BBS ads. FILE recognizes tons of BBS ads, including 0-byte files with strange characters in the name, and some BBS intros (including TheDraw .COM files) as unwanted and asks you whether it should kill them for you. Since there exist thousands of BBSs, many of them putting annoying BBS ads into their archives, FILE will never recognize ALL of them. But if you find some FILE doesn't recognize, feel free to send it to me. FILE recognizes these EXE file types : - LHarc SFX other SFX's have a SFX executable and the archive as overlay since FILE analyzes overlays separately, so you might see : PKLite 1.20 DOS executable; ZIP archive - Diet 1.0 - Diet 1.44d - Diet 1.45f - PKLite 1.03 - PKLite 1.12 - PKLite 1.14/1.15 - PKLite 1.20 - PKLite a.b send me this file ! - PKLite -e x.y send me this file ! - COMPACK 4.4/4.5 Almost identical, but 4.4 crashes on 486s - Ady''s glue I think this one is rather a scrambler than a compressor - PGMPAK 0.15á send me other versions ! - PROPACK send me the file ! - PRO-PACK 2.8 - PROTECT! 1.0 send me other versions ! - PROTECT! 5.0 - TINYPROG - TINYPROG /P The /P option encrypts the files with a password - Cruncher creates a loader with the compressed data as overlay - EXEPACK (several versions) there are more than 10 variants of EXEPACK, FILE finds the ones I have encountered. - KVETCH 1.02á send me other versions ! - LZEXE 0.91 or 1.0a send me other versions ! - LZEXE 0.90 - fake 'PK' loader from UNP - f-Shield anti-viral shield from McAfee - Borland Pascal executable this one analyzes the code, and does NOT use the 'Runtime error' string or the Borland (C) notice ! - Borland 16-bit DPMI executable - MicroSoft [Quick] C executable - MicroSoft C executable - MicroSoft Quick C executable If you know more about these cathegories (different memory models or different versions or whatever) tell me about it ! - Metaware High C executable - Turbo C executable - Turbo C starting with JMP (small model ?) - Turbo C[++] executable See the MicroSoft C family - Turbo Basic executable - Intel Code Builder 32-bit executable This is a 32-bit protected mode C compiler from Intel - Zortech C 32-bit executable - Zortech C 16-bit executable Does Symante C trigger this, too ? - Phar Lap stub This is a small program which loads the Phar Lap DOS extender which in turn executes the program - old style Phar Lap protected mode executable - Phar Lap flat/multi-segment executables - emx 0.8g 32-bit executable - emx 0.8h stubbed executable - emx 0.8h 32-bit executable emx is the 32-bit DOS extender from Eberhard Mattes' port of GNU C to DOS and OS/2 - go32 32-bit executable - go32 1.11 - go32 1.11 with program - go32 1.?? - go32 1.?? with program go32 is the 32-bit DOS extender from DJ Delorie's port of GNU C to DOS - CODE32 32-bit executable CODE32 is a 32-bit DOS extender by Tran of Renaissance for 100% assembly language programs - DOS4GW executable DOS4GW is a 32-bit DOS extender from Rational Systems Watcom C/C++ creates DOS4GW executables - 16 and 32 bit, Windoze or OS/2, applications or DLLs - Win32 portable executable FILE recognizes DOS device drivers (COM or EXE flavors) FILE recognizes these COM files : - COMPACK 4.4 - COMPACK 4.5 - Diet 1.0 - Diet 1.02 - Diet 1.20 - Diet 1.44 - Ady's glue - PROPACK 2.8 - ICE 1.0 - PKLite - SHRINK 1.0 - SCRNCH 1.0 - MicroSoft [Quick] C - Self-applying Patch - TheDraw COM file - TXT2COM COM file - generic COM files (using a heuristic, not the .COM extension !) FILE recognizes these code, debug info and ressource files : Amiga ProTracker 2.3A module loader DJGPP .o file DJGPP is DJ Delories port of GNU C to DOS COFF COFF means Common Output File Format and is the format of the DJGPP's code which is executed by it's loader go32 Turbo Pascal 6.0 Unit Borland Pascal 7.0 Unit OBJect This is only based on 1 (!) bytes, so it may be wrong ! Borland Overlay Borland Ressource Borland debug info MicroSoft debug info If you find a file whose overlay is a debug info, you can safely cut it away Borland Graphics Interface Driver TP6 BGI driver DIGPAK driver: Advanced Gravis UltraSound MIDPAK driver: Advanced Gravis UltraSound WAVE-Miles Driver: Forte UltraSound(TM) Digital Sound MIDI-Miles Driver: Advanced Gravis UltraSound Card FILE recognizes these images, fonts and movies : TeX DeVice Independant bitmap TeX is a typesetting language by Donald Knuth Windoze 640x480 24-bit bitmap 640x480 GIF87a image 640x480 GIF89a image GIF is the Graphics Interchange Format from Compu$erve I can't detect the number of colors yet TIFF image Tag Image File Format I can't detect the number of colors and the TIFF type 640x480 JFIF image I think JPEG files are always 24-bit 640x512 24 bit IFF ILBM image 640x512 8 bit IFF Portable Bitmap 640x480 PCX image PCX detection is not very reliable OS/2 AVI movie I have been told that Video for Windows uses this format, too 3d Studio mesh 3d-Studio is a modeller and renderer for DOS Borland Graphics Interface vector font Amiga Workbench .inf Icon 320x200x123 Fefe Soft Compressed Bitmap revision 0 This is my very own graphics format ;) FIF Fractal Compressed Image Found a decompression demo with two demo images FILE recognizes these help and word processor files : Borland Pascal help file Windows help file Norton Guide help file Turbo Vision help file OS/2 help file / book WordPerfect text file Windoze WRITE text file WinWord 2.0 text file WinWord 6.0 text file This is a guess, too. Please tell me about versions etc. FILE recognizes these archives and compressed files : ARJ archive ZIP archive PKZIP 1.1 SFX archive (this happens only as overlay) LHA archive LIMIT archive HA archive HA is Harry's Archiver UC2 archive UC2 is UltraCompressor ][ encrypted UltraCompressor ][ archive (usually .UE2) RAR archive RAR is a russian archiver HAP archive PAH is the decompressor for HAP HPACK archive TeleDisk file TeleDisk can produce a file with an exact copy of a diskette gzipped gzip is GNU Zip, the compressor from the GNU project 'compress'ed compress is the UNIX LZW compress program PowerPacker packed file PowerPacker is an Amiga compressor. Occasionally you can find sound modules compressed with it could be a TAR archive the heuristic has become quite reliable now FILE recognizes these sound files : .CMF Creative Music tune .ROL FM tune These are FM (Adlib) music files General MIDI tune MultiTracker 1.0 Module "blah" UltraTracker Module "blah" Scream Tracker 3.0 tune "blah" Delusion DMF "blah" Advanced Module Format "blah" 669 tune "blah" extended 669 tune "blah" LIQUID tune "blah" Farandole Composer tune These are all modules from PC trackers. They include the tune and the sampled instruments Face The Music tune "blah" This is an Amiga tracker (no playback on PC so far) Oktalyzer module This is an 8 channel Amiga tracker MED module Another Amiga tracker 31 sample MOD "blah" These are Amiga 'M.K.' 4-channel MODs 4 channel MOD "blah" These are Amiga 'FLT4' 4-channel MODs or PC '4CHN' FastTracker MODs 6 channel FastTracker MOD "blah" 8 channel FastTracker MOD "blah" 8 channel Octalyzer MOD "blah" Some Amiga tracker with 'OCTA' signature Don't know if this is Octalyzer or OctaMED or the other Octa-MOD is OctaMED ... enlighten me ! Unix 22.0 KHz .au audio file VOC sound wave 22.0 KHz 16 bit stereo sound wave this is the Windoze WAV format Farandole Composer sample Gravis UltraSound Patch file FILE recognizes these text files : ANSI files (including some unwanted BBS ads) UNIX style MAC style DOS style This means how lines end. UNIX lines end with LF, MAC lines end with CR, DOS lines end with CRLF "/bin/sh" script These are UNIX shell scripts, "/bin/sh" is the shell C/C++ source code PASCAL source code HelpDK source file HelpDK is the Help Development Kit from Ron Loewy, which creates different help compilers' source files from your HelpDK help file definition POPHELP source file POPHELP is a help file viewer from TurboPower software LaTeX source file Makefile This is not very reliable, FILE may tell you about some text files they are Makefiles DOS/OS2 batch file UNIX man page source file These heuristics are very good, but because FILE only analyzes the first 512 bytes of each file, they can never be perfect. So don't count on FILE's findings, the text file recognition is rather a gag than a killer feature. =[ Revision History ]= 1.0 first publicly available version 2.0 added expandable BBS ad database "FILE.DB" !