cbiedl
/
file


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217
							
#------------------------------------------------------------------------------
# $File: coff,v 1.15 2024/11/10 18:54:33 christos Exp $
# coff: file(1) magic for Common Object Files not specific to known cpu types or manufactures
#
# COFF
#
# by Joerg Jenderek at Oct 2015, Feb 2021, Mar 2024
# https://en.wikipedia.org/wiki/COFF
# https://de.wikipedia.org/wiki/Common_Object_File_Format
# http://www.delorie.com/djgpp/doc/coff/filhdr.html
# https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#coff-file-header-object-and-image
# https://formats.kaitai.io/uefi_te/index.html

# Display COFF processor type, including MS COFF and PE/COFF
0	name				display-coff-processor
# PE/COFF, DJGPP, i386 COFF executable, MS Windows COFF Intel i386 object file (./intel)
>0	uleshort		0x014c	Intel i386
>0	uleshort		0x014d	Intel i860
>0	uleshort		0x0160	MIPS R3000 (big-endian)
>0	uleshort		0x0162	MIPS R3000
>0	uleshort		0x0166	MIPS R4000
>0	uleshort		0x0168	MIPS R10000
>0	uleshort		0x0169	MIPS WCE v2
>0	uleshort		0x0184	Alpha 32-bit
>0	uleshort		0x01a2	Hitachi SH3
>0	uleshort		0x01a3	Hitachi SH3 DSP
>0	uleshort		0x01a4	Hitachi SH4E
>0	uleshort		0x01a6	Hitachi SH4
>0	uleshort		0x01a8	Hitachi SH5
>0	uleshort		0x01c0	ARMv4
>0	uleshort		0x01c2	ARMv4T
>0	uleshort		0x01c4	ARMv7
>0	uleshort		0x01d3	Matsushita AM33
# executable (RISC System/6000 V3.1) or obj module (./ibm6000 v 1.15), not PE/COFF
>0	uleshort		0x01df	RISC System/6000
>0	uleshort		0x01f0	PowerPC 32-bit (little-endian)
>0	uleshort		0x01f1	PowerPC 32-bit with FPU (little-endian)
>0	uleshort		0x01f2	PowerPC 64-bit (big-endian)
>0	uleshort		0x0200	Intel Itanium
>0	uleshort		0x0266	MIPS16
>0	uleshort		0x0268	Motorola 68000
>0	uleshort		0x0284	Alpha 64-bit
>0	uleshort		0x0290	PA-RISC
>0	uleshort		0x0366	MIPS with FPU
>0	uleshort		0x0466	MIPS16 with FPU
# Hitachi SH big-endian COFF (./hitachi-sh), not PE/COFF
>0	uleshort		0x0500	Hitachi SH (big-endian)
>0	uleshort		0x0520	Tricore
# Hitachi SH little-endian COFF (./hitachi-sh), not PE/COFF
>0	uleshort		0x0550	Hitachi SH (little-endian)
>0	uleshort		0x0601	PowerPC 32-bit (big-endian)
# Windows CE 3.0 Common Executable Format, created by linkcef.exe with /MACHINE:CEF flag
# https://web.archive.org/web/20000819035046/http://microsoft.com/windows/embedded/ce/downloads/cef.asp
# https://web.archive.org/web/20000914080342/http://microsoft.com/windows/embedded/ce/developer/applications/appdevelopment/cef2.asp
# https://web.archive.org/web/20021022055906/http://msdn.microsoft.com/library/en-us/dnce30/html/cef2.asp
>0	uleshort		0x0cef	Common Executable Format
>0	uleshort		0x0ebc	EFI byte code
>0	uleshort		0x3a64	ARM64 (i386 ABI)
>0	uleshort		0x5032	RISC-V 32-bit
>0	uleshort		0x5064	RISC-V 64-bit
>0	uleshort		0x5128	RISC-V 128-bit
>0	uleshort		0x6232	LoongArch 32-bit
>0	uleshort		0x6264	LoongArch 64-bit
>0	uleshort		0x8664	x86-64
>0	uleshort		0x9041	Mitsubishi M32R
>0	uleshort		0xa641	ARM64 (x86-64 ABI)
>0	uleshort		0xa64e	ARM64 (classic + x86-64 ABI)
# PE/COFF ARM64 classic ABI, ARM COFF (./arm)
>0	uleshort		0xaa64	ARM64
>0	uleshort		0xace1	OMNI VM (omniprox.dll)
# Processor type CEE can be only in object files (created by older ilasm.exe with /OBJECT flag), not in PE executables
>0	uleshort		0xc0ee	COM+ Execution Engine
>0	default			x	Unknown processor
>>0	uleshort		x	0x%04x

# display name+variables+flags of Common Object Files Format (32bit)
# Maybe used also in adi,att3b,clipper,hitachi-sh,hp,ibm6000,intel,
# mips,motorola,msdos,osf1,sharc,varied.out,vax
0	name				display-coff
# test for unused flag bits (0x8000,x0080) in f_flags
# flag bits (0x0800,0x0400,0x0200) now seems to be used in RISC System/6000 V3.1
>18	uleshort&0x8080	0
# skip DOCTOR.DAILY READER.NDA REDBOX.ROOT by looking for positive number of sections
>>2	uleshort	>0
# skip ega80woa.fnt svgafix.fnt HP3FNTS1.DAT HP3FNTS2.DAT INTRO.ACT LEARN.PIF by looking for low number of sections
>>>2	uleshort	<4207
# f_magic - magic number
>>>>0	use		display-coff-processor
>>>>0	uleshort	x		COFF
# F_EXEC flag bit
>>>>18	leshort		^0x0002		object file
!:mime	application/x-coff
!:ext	o/obj/lib
# no cof sample found
#!:ext	cof/o/obj/lib
>>>>18	leshort		&0x0002		executable
#!:mime	application/x-coffexec
!:mime	application/x-coff-executable
# typically no file name suffix for executables
!:ext	/
# F_RELFLG flag bit,static object
>>>>18	leshort		&0x0001		\b, no relocation info
# F_LNNO flag bit
>>>>18	leshort		&0x0004		\b, no line number info
# F_LSYMS flag bit
>>>>18	leshort		&0x0008		\b, stripped
>>>>18	leshort		^0x0008		\b, not stripped
# flags in other COFF versions
#0x0010    F_FDPR_PROF
#0x0020    F_FDPR_OPTI
#0x0040    F_DSA
# F_AR32WR flag bit
#>>>>18	leshort		&0x0100		\b, 32 bit little endian
#0x1000    F_DYNLOAD
#0x2000    F_SHROBJ
#0x4000    F_LOADONLY
# f_nscns - number of sections like: 1 2 3 4 5 7 8 9 11 12 15 16 19 20 21 22 26 30 36 40 42 56 80 89 96 124
>>>>2	uleshort	<2		\b, %u section
>>>>2	uleshort	>1		\b, %u sections
# f_symptr - symbol table pointer, only for not stripped
# like: 0 0x7c 0xf4 0x104 0x182 0x1c2 0x1c6 0x468 0x948 0x416e 0x149a6 0x1c9d8 0x23a68 0x35120 0x7afa0
>>>>8	ulelong		>0		\b, symbol offset=%#x
# f_nsyms - number of symbols, only for not stripped
# like: 0 2 7 9 10 11 20 35 41 63 71 80 105 146 153 158 170 208 294 572 831 1546
>>>>12	ulelong		>0		\b, %d symbols
# f_opthdr - optional header size. An object file should have a value of 0
# like: 72 (IBM\HH\HYPERHLP)
>>>>16	uleshort	>0		\b, optional header size %u
# f_timdat - file time & date stamp
>>>>4	ledate		>0		\b, created %s
# at offset 20 can be optional header, extra bytes FILHSZ-20 because
# do not rely on sizeof(FILHDR) to give the correct size for header.
# or first section header
# additional variables for other COFF files
>>>>16	uleshort	=0
# most section names start with point character except samples created by "exotic" compilers
# first section name s_name[8] like: .text .data .debug$S .drectve .testseg .rsrc .rsrc$01 .pad
>>>>>(16.s+20)	string		x		\b, 1st section name "%.8s"
# physical address s_paddr like: 0
#>>>>>(16.s+28)	lelong		!0		\b, s_paddr %#8.8x
# virtual address s_vaddr like: 0
#>>>>>(16.s+32)	lelong		!0		\b, s_vaddr %#8.8x
# section size s_size
#>>>>>(16.s+36)	lelong		x		\b, s_size %#8.8x
# file ptr to raw data for section s_scnpt
#>>>>>(16.s+40)	lelong		x		\b, s_scnpt %#8.8x
# file ptr to relocation s_relptr like: 0
#>>>>>(16.s+44)	lelong		!0		\b, s_relptr %#8.8x
# file ptr to gp histogram s_lnnoptr like: 0
#>>>>>(16.s+48)	lelong		!0		\b, s_lnnoptr %#8.8x
# number of relocation entries s_nreloc like: 0 1 2 5 6 8 19h 26h 27h 38h 50h 5Fh 89h Dh 1Ch 69h A9h 1DCh 651h
#>>>>>(16.s+52)	uleshort	x		\b, s_nreloc %#4.4x
# number of gp histogram entries s_nlnno like: 0
#>>>>>(16.s+54)	uleshort	!0		\b, s_nlnno %#4.4x
# flags s_flags
#>>>>>(16.s+56)	lelong		x		\b, s_flags %#8.8x
# second section name s_name[8] like: .bss .data .debug$S .rsrc$01
>>>>2	uleshort	>1
>>>>>(16.s+60)	string		x		\b, 2nd section name "%.8s"
# >20	beshort		0407		(impure)
# >20	beshort		0410		(pure)
# >20	beshort		0413		(demand paged)
# >20	beshort		0421		(standalone)
# >22	leshort		>0		- version %d
# >168	string		.lowmem		Apple toolbox

# PowerPC COFF object file or executable
0	leshort		0x01f0
>16	leshort		0
>>0	use		display-coff
# can be created by: LINK.EXE /MACHINE:powerpc /ROM
>16	leshort		!0
>>18	leshort		&0x0002
>>>20	leshort		0x010b
>>>>0	use		display-coff
0	leshort		0x01f1
>16	leshort		0
>>0	use		display-coff
0	leshort		0x01f2
>16	leshort		0
>>0	use		display-coff
0	leshort		0x0601
>16	leshort		0
>>0	use		display-coff
# can be created by: LINK.EXE /MACHINE:MPPC /ROM
>16	leshort		!0
>>18	leshort		&0x0002
>>>20	leshort		0x010b
>>>>0	use		display-coff

0	name		display-subsystem
>0	ubyte		0	unknown
>0	ubyte		1	native
>0	ubyte		2	windows_gui
>0	ubyte		3	windows_cui
>0	ubyte		7	posix_cui
>0	ubyte		9	windows_ce_gui
>0	ubyte		10	efi_application
>0	ubyte		11	efi_boot_service_driver
>0	ubyte		12	efi_runtime_driver
>0	ubyte		13	efi_rom
>0	ubyte		14	xbox
>0	ubyte		16	windows_boot-application
>0	default		x	Unknown subsystem
>>0	ubyte		x	%#x


# https://formats.kaitai.io/uefi_te/index.html
0	string		VZ	TE (Terse Executable) file
>2	use		display-coff-processor
>4	byte		x	\b, sections %d
>5	use		display-subsystem
>6	uleshort	x	\b, stripped-size %u
>8	ulelong		x	\b, entry %#x
>12	ulelong		x	\b, base_of_code %#x
>16	ulequad		x	\b, image_base %#llx