Format of .EXE file header:
Offset Size Description )
00h 2 BYTEs .EXE signature, either "MZ" or "ZM" (5A4Dh or 4D5Ah)
(see also #01593)
02h WORD number of bytes in last 512-byte page of executable
04h WORD total number of 512-byte pages in executable (includes any
partial last page)
06h WORD number of relocation entries
08h WORD header size in paragraphs
0Ah WORD minimum paragraphs of memory required to allocate in addition
to executable's size
0Ch WORD maximum paragraphs to allocate in addition to executable's size
0Eh WORD initial SS relative to start of executable
10h WORD initial SP
12h WORD checksum (one's complement of sum of all words in executable)
14h DWORD initial CS:IP relative to start of executable
18h WORD offset within header of relocation table
40h or greater for new-format (NE,LE,LX,W3,PE,etc.) executable
1Ah WORD overlay number (normally 0000h = main program)
---new executable---
1Ch 4 BYTEs ???
20h WORD behavior bits
22h 26 BYTEs reserved for additional behavior info
3Ch DWORD offset of new executable (NE,LE,etc) header within disk file,
or 00000000h if plain MZ executable
---Borland TLINK---
1Ch 2 BYTEs ??? (apparently always 01h 00h)
1Eh BYTE signature FBh
1Fh BYTE TLINK version (major in high nybble, minor in low nybble)
20h 2 BYTEs ??? (v2.0 apparently always 72h 6Ah, v3.0+ seems always 6Ah 72h)
---ARJ self-extracting archive---
1Ch 4 BYTEs signature "RJSX" (older versions, new signature is "aRJsfX" in
the first 1000 bytes of the file)
---LZEXE 0.90 compressed executable---
1Ch 4 BYTEs signature "LZ09"
---LZEXE 0.91 compressed executable---
1Ch 4 BYTEs signature "LZ91"
---PKLITE compressed executable---
1Ch BYTE minor version number
1Dh BYTE bits 0-3: major version
bit 4: extra compression
bit 5: huge (multi-segment) file
1Eh 6 BYTEs signature "PKLITE" (followed by copyright message)
---LHarc 1.x self-extracting archive---
1Ch 4 BYTEs unused???
20h 3 BYTEs jump to start of extraction code
23h 2 BYTEs ???
25h 12 BYTEs signature "LHarc's SFX "
---LHA 2.x self-extracting archive---
1Ch 8 BYTEs ???
24h 10 BYTEs signature "LHa's SFX " (v2.10) or "LHA's SFX " (v2.13)
---TopSpeed C 3.0 CRUNCH compressed file---
1Ch DWORD 018A0001h
20h WORD 1565h
---PKARCK 3.5 self-extracting archive---
1Ch DWORD 00020001h
20h WORD 0700h
---BSA (Soviet archiver) self-extracting archive---
1Ch WORD 000Fh
1Eh BYTE A7h
---LARC self-extracting archive---
1Ch 4 BYTEs ???
20h 11 BYTEs "SFX by LARC "
---LH self-extracting archive---
1Ch 8 BYTEs ???
24h 8 BYTEs "LH's SFX "
---RAR self-extracting archive---
1Ch 4 BYTEs signature "RSFX"
---other linkers---
1Ch var optional information
---
N N DWORDs relocation items
each is the segment:offset from start of load image at which
to add the actual load segment to the indicated WORD
Notes: if the word at offset 02h is 4, it should be treated as 00h, since
pre-1.10 versions of the MS linker set it that way
if both minimum and maximum allocation (offset 0Ah/0Ch) are zero, the
program is loaded as high in memory as possible (DOS only checks
the maximum allocation, however)
the maximum allocation is set to FFFFh by default
additional data may be contained in the file beyond the end of the
load image described by the .EXE header; this data may be overlays,
the actual executable for newer-format executables, or debugging
information (see #01600,#01624)
relocations entries need not be in any particular order, although they
are typically stored in order from beginning to end of the load
image
SeeAlso: #01596