06290544.txt 29-Jun-00


Subject: Re: Norton Giude File Layout
From: davep.news@davep.org (Dave Pearson)

Bloody typical, I was looking in megs and megs of archived
  mail folders while it was still in a "live" mail folder.
  ;-)
Ok, here's a quick and dirty guide to the format of a Norton
  Guide file:
-- cut here --
>
Without going into the long explanation, how are NG's
  enoded? I know you can't get anything out of them with a
  hex editor.
>
Norton Guides are XOR "encrypted", so the basic function for
  decoding them is:
  unsigned char Decrypt( unsigned char b )
  {
    return( (unsigned char) ( b ^ 0x1A ) );
  }
IOW, XOR each byte with 26 decimal.
The basic structure of an NG is:
  Header (not encrypted)
    Magic value (0x474E == NG, 0x4845 == EH) (short)
    Unknown (short)
    Unknown (short)
    Menu Count (short)
    Title (char 40, NUL terminated if < 40)
    Credit Line 1 (char 66, NUL terminated if < 66)
    Credit Line 2 (char 66, NUL terminated if < 66)
    Credit Line 3 (char 66, NUL terminated if < 66)
    Credit Line 4 (char 66, NUL terminated if < 66)
    Credit Line 5 (char 66, NUL terminated if < 66)
  [Encryption starts here]
  Entry (one or more entries)
    Entry type (short)
    Entry length (short)
    Data depending on entry type.
Three entry types exist, menu, short, long, IDs are:
  Short : 0
  Long  : 1
  Menu  : 2
A short entry looks like:
  ID (short)
  Length in bytes (short)
  Number of entries (short)
  Unknown (maps to see also count in long entry) (short)
  Line in parent entry (short)
  Offset of parent entry (long)
  Unknown (12 bytes)
  Array of offset pointers for each line (array of number
    of entries * long)
  Text of lines (each NUL terminated after decryption)
  Fluff that I'm not sure about (IIRC 1 byte)
A long entry looks like:
  ID (short)
  Length in bytes (short)
  Number of entries (short)
  See Also Flag (short)

  Line in parent entry (short)
  Offset of parent entry (long)
  Unknown (4 bytes)
  Offset of previous long entry (long)
  Offset of next long entry (long)
  Text of lines (each NUL terminated after decryption)
  [If long has see alsos (see also flag != 0)]
    See also count (short)
    Array of offset pointers for each see also (array
      of number of entries * long)
    Text of See Alsos (each NUL terminated after decryption)
  Fluff that I'm not sure about (IIRC 1 byte)
A menu entry looks like:
  ID (short)
  Length in bytes (short)
  Number of prompts (short)
  Unknown (20 bytes)
  Array of offset pointers for each prompt (array of
    long * # of prompts)
  Unknown (# of prompts * 8 bytes)
  Menu title (max 40, NUL terminated)
  Prompt text (array of max 50 NUL terminated)
  Fluff that I'm not sure about (IIRC 1 byte)
One other thing to know is that an NG employs a simple form
  of run-length encoding. If you hit upon 255 as a byte
  value (after decryption) the following byte should be
  interpreted as the number of space to "insert here".
-- cut here --
I've since figured out some of the "unknown" entries above.
  Have a look at the source for WEG for details (see the
  class TNGEntry and look at the load procedure).
For example, the unknown 12 bytes in the short entry are two
  shorts describing the menu and prompt that the short
  belongs to. The remaining eight bytes map to the
  previous/next entries in the long structure (IOW the short
  and longs use the same "header" structure).

Hope this helps.