Make your own free website on Tripod.com
Up ] Docs Home ]

Format of .EXE file header

Back ] Next ]

Offset Size Description

00h

2 BYTEs

.EXE signature, either "MZ" or "ZM" (5A4Dh or 4D5Ah) (see also #01593)

02h

WORD

number of bytes in last 512-byte page of executable

04h

WORD

total number of 512-byte pages in executable (includes any partial last page)

06h

WORD

number of relocation entries

08h

WORD

header size in paragraphs

0Ah

WORD

minimum paragraphs of memory required to allocate in addition to executable's size

0Ch

WORD

maximum paragraphs to allocate in addition to executable's size

0Eh

WORD

initial SS relative to start of executable

10h

WORD

initial SP

12h

WORD

checksum (one's complement of sum of all words in executable)

14h

DWORD

initial CS:IP relative to start of executable

18h

WORD

offset within header of relocation table
40h or greater for new-format (NE, LE, LX, W3, PE, etc.) executable

1Ah

WORD

overlay number (normally 0000h = main program)

---new executable---

1Ch

4 BYTEs

???

20h

WORD

behavior bits

22h

26 BYTEs

reserved for additional behavior info

3Ch

DWORD

offset of new executable (NE,LE,etc) header within disk file, or 00000000h if plain MZ executable

---Borland TLINK---

1Ch

2 BYTEs

??? (apparently always 01h 00h)

1Eh

BYTE

signature FBh

1Fh

BYTE

TLINK version (major in high nybble, minor in low nybble)

20h

2 BYTEs

??? (v2.0 apparently always 72h 6Ah, v3.0+ seems always 6Ah 72h)

---ARJ self-extracting archive---

1Ch

4 BYTEs

signature "RJSX" (older versions, new signature is "aRJsfX" in the first 1000 bytes of the file)

---LZEXE 0.90 compressed executable---

1Ch

4 BYTEs

signature "LZ09"

---LZEXE 0.91 compressed executable---

1Ch

4 BYTEs

signature "LZ91"

---PKLITE compressed executable---

1Ch

BYTE

minor version number

1Dh

BYTE

bits 0 - 3 : major version
bit 4 : extra compression
bit 5 : huge (multi-segment) file

1Eh

6 BYTEs

signature "PKLITE" (followed by copyright message)

---LHarc 1.x self-extracting archive---

1Ch

4 BYTEs

unused???

20h

3 BYTEs

jump to start of extraction code

23h

2 BYTEs

???

25h

12 BYTEs

signature "LHarc's SFX "

---LHA 2.x self-extracting archive---

1Ch

8 BYTEs

???

24h

10 BYTEs

signature "LHa's SFX " (v2.10) or "LHA's SFX " (v2.13)

---TopSpeed C 3.0 CRUNCH compressed file---

1Ch

DWORD

018A0001h

20h

WORD

1565h

---PKARCK 3.5 self-extracting archive---

1Ch

DWORD

00020001h

20h

WORD

0700h

---BSA (Soviet archiver) self-extracting archive---

1Ch

WORD

000Fh

1Eh

BYTE

A7h

---LARC self-extracting archive---

1Ch

4 BYTEs

???

20h

11 BYTEs

"SFX by LARC"

---LH self-extracting archive---

1Ch

8 BYTEs

???

24h

8 BYTEs

"LH's SFX "

---RAR self-extracting archive---

1Ch

4 BYTEs

signature "RSFX"

---other linkers---

1Ch

var

optional information

---

N

N DWORDs

relocation items
each is the segment:offset from start of load image at which to add the actual load segment to the indicated WORD

Note:

If the word at offset 02h is 4, it should be treated as 00h, since pre-1.10 versions of the MS linker set it that way.
If both minimum and maximum allocation (offset 0Ah/0Ch) are zero, the program is loaded as high in memory as possible (DOS only checks the maximum allocation, however).
The maximum allocation is set to FFFFh by default.
Additional data may be contained in the file beyond the end of the load image described by the .EXE header; this data may be overlays, the actual executable for newer-format executables, or debugging information (see #01600,#01624).
Relocations entries need not be in any particular order, although they are typically stored in order from beginning to end of the load image.

See Also:

#01596