123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311 |
- #------------------------------------------------------------------------------
- # $File: apple,v 1.31 2015/08/29 07:10:35 christos Exp $
- # apple: file(1) magic for Apple file formats
- #
- 0 search/1/t FiLeStArTfIlEsTaRt binscii (apple ][) text
- 0 string \x0aGL Binary II (apple ][) data
- 0 string \x76\xff Squeezed (apple ][) data
- 0 string NuFile NuFile archive (apple ][) data
- 0 string N\xf5F\xe9l\xe5 NuFile archive (apple ][) data
- 0 belong 0x00051600 AppleSingle encoded Macintosh file
- 0 belong 0x00051607 AppleDouble encoded Macintosh file
- # Type: Apple Emulator 2IMG format
- # From: Radek Vokal <rvokal@redhat.com>
- 0 string 2IMG Apple ][ 2IMG Disk Image
- >4 string XGS! \b, XGS
- >4 string CTKG \b, Catakig
- >4 string ShIm \b, Sheppy's ImageMaker
- >4 string WOOF \b, Sweet 16
- >4 string B2TR \b, Bernie ][ the Rescue
- >4 string !nfc \b, ASIMOV2
- >4 string x \b, Unknown Format
- >0xc byte 00 \b, DOS 3.3 sector order
- >>0x10 byte 00 \b, Volume 254
- >>0x10 byte&0x7f x \b, Volume %u
- >0xc byte 01 \b, ProDOS sector order
- >>0x14 short x \b, %u Blocks
- >0xc byte 02 \b, NIB data
- # magic for Newton PDA package formats
- # from Ruda Moura <ruda@helllabs.org>
- 0 string package0 Newton package, NOS 1.x,
- >12 belong &0x80000000 AutoRemove,
- >12 belong &0x40000000 CopyProtect,
- >12 belong &0x10000000 NoCompression,
- >12 belong &0x04000000 Relocation,
- >12 belong &0x02000000 UseFasterCompression,
- >16 belong x version %d
- 0 string package1 Newton package, NOS 2.x,
- >12 belong &0x80000000 AutoRemove,
- >12 belong &0x40000000 CopyProtect,
- >12 belong &0x10000000 NoCompression,
- >12 belong &0x04000000 Relocation,
- >12 belong &0x02000000 UseFasterCompression,
- >16 belong x version %d
- 0 string package4 Newton package,
- >8 byte 8 NOS 1.x,
- >8 byte 9 NOS 2.x,
- >12 belong &0x80000000 AutoRemove,
- >12 belong &0x40000000 CopyProtect,
- >12 belong &0x10000000 NoCompression,
- # The following entries for the Apple II are for files that have
- # been transferred as raw binary data from an Apple, without having
- # been encapsulated by any of the above archivers.
- #
- # In general, Apple II formats are hard to identify because Apple DOS
- # and especially Apple ProDOS have strong typing in the file system and
- # therefore programmers never felt much need to include type information
- # in the files themselves.
- #
- # Eric Fischer <enf@pobox.com>
- # AppleWorks word processor:
- #
- # This matches the standard tab stops for an AppleWorks file, but if
- # a file has a tab stop set in the first four columns this will fail.
- #
- # The "O" is really the magic number, but that's so common that it's
- # necessary to check the tab stops that follow it to avoid false positives.
- 4 string O==== AppleWorks word processor data
- >85 byte&0x01 >0 \b, zoomed
- >90 byte&0x01 >0 \b, paginated
- >92 byte&0x01 >0 \b, with mail merge
- #>91 byte x \b, left margin %d
- # AppleWorks database:
- #
- # This isn't really a magic number, but it's the closest thing to one
- # that I could find. The 1 and 2 really mean "order in which you defined
- # categories" and "left to right, top to bottom," respectively; the D and R
- # mean that the cursor should move either down or right when you press Return.
- #30 string \x01D AppleWorks database data
- #30 string \x02D AppleWorks database data
- #30 string \x01R AppleWorks database data
- #30 string \x02R AppleWorks database data
- # AppleWorks spreadsheet:
- #
- # Likewise, this isn't really meant as a magic number. The R or C means
- # row- or column-order recalculation; the A or M means automatic or manual
- # recalculation.
- #131 string RA AppleWorks spreadsheet data
- #131 string RM AppleWorks spreadsheet data
- #131 string CA AppleWorks spreadsheet data
- #131 string CM AppleWorks spreadsheet data
- # Applesoft BASIC:
- #
- # This is incredibly sloppy, but will be true if the program was
- # written at its usual memory location of 2048 and its first line
- # number is less than 256. Yuck.
- # update by Joerg Jenderek at Feb 2013
- # GRR: this test is still too general as it catches also Gujin BOOT144.SYS (0xfa080000)
- #0 belong&0xff00ff 0x80000 Applesoft BASIC program data
- 0 belong&0x00ff00ff 0x00080000
- # assuming that line number must be positive
- >2 leshort >0 Applesoft BASIC program data, first line number %d
- #>2 leshort x \b, first line number %d
- # ORCA/EZ assembler:
- #
- # This will not identify ORCA/M source files, since those have
- # some sort of date code instead of the two zero bytes at 6 and 7
- # XXX Conflicts with ELF
- #4 belong&0xff00ffff 0x01000000 ORCA/EZ assembler source data
- #>5 byte x \b, build number %d
- # Broderbund Fantavision
- #
- # I don't know what these values really mean, but they seem to recur.
- # Will they cause too many conflicts?
- # Probably :-)
- #2 belong&0xFF00FF 0x040008 Fantavision movie data
- # Some attempts at images.
- #
- # These are actually just bit-for-bit dumps of the frame buffer, so
- # there's really no reasonably way to distinguish them except for their
- # address (if preserved) -- 8192 or 16384 -- and their length -- 8192
- # or, occasionally, 8184.
- #
- # Nevertheless this will manage to catch a lot of images that happen
- # to have a solid-colored line at the bottom of the screen.
- # GRR: Magic too weak
- #8144 string \x7F\x7F\x7F\x7F\x7F\x7F\x7F\x7F Apple II image with white background
- #8144 string \x55\x2A\x55\x2A\x55\x2A\x55\x2A Apple II image with purple background
- #8144 string \x2A\x55\x2A\x55\x2A\x55\x2A\x55 Apple II image with green background
- #8144 string \xD5\xAA\xD5\xAA\xD5\xAA\xD5\xAA Apple II image with blue background
- #8144 string \xAA\xD5\xAA\xD5\xAA\xD5\xAA\xD5 Apple II image with orange background
- # Beagle Bros. Apple Mechanic fonts
- 0 belong&0xFF00FFFF 0x6400D000 Apple Mechanic font
- # Apple Universal Disk Image Format (UDIF) - dmg files.
- # From Johan Gade.
- # These entries are disabled for now until we fix the following issues.
- #
- # Note there might be some problems with the "VAX COFF executable"
- # entry. Note this entry should be placed before the mac filesystem section,
- # particularly the "Apple Partition data" entry.
- #
- # The intended meaning of these tests is, that the file is only of the
- # specified type if both of the lines are correct - i.e. if the first
- # line matches and the second doesn't then it is not of that type.
- #
- #0 long 0x7801730d
- #>4 long 0x62626060 UDIF read-only zlib-compressed image (UDZO)
- #
- # Note that this entry is recognized correctly by the "Apple Partition
- # data" entry - however since this entry is more specific - this
- # information seems to be more useful.
- #0 long 0x45520200
- #>0x410 string disk\ image UDIF read/write image (UDRW)
- # From: Toby Peterson <toby@apple.com>
- 0 string bplist00 Apple binary property list
- # Apple binary property list (bplist)
- # Assumes version bytes are hex.
- # Provides content hints for version 0 files. Assumes that the root
- # object is the first object (true for CoreFoundation implementation).
- # From: David Remahl <dremahl@apple.com>
- 0 string bplist
- >6 byte x \bCoreFoundation binary property list data, version 0x%c
- >>7 byte x \b%c
- >6 string 00 \b
- >>8 byte&0xF0 0x00 \b
- >>>8 byte&0x0F 0x00 \b, root type: null
- >>>8 byte&0x0F 0x08 \b, root type: false boolean
- >>>8 byte&0x0F 0x09 \b, root type: true boolean
- >>8 byte&0xF0 0x10 \b, root type: integer
- >>8 byte&0xF0 0x20 \b, root type: real
- >>8 byte&0xF0 0x30 \b, root type: date
- >>8 byte&0xF0 0x40 \b, root type: data
- >>8 byte&0xF0 0x50 \b, root type: ascii string
- >>8 byte&0xF0 0x60 \b, root type: unicode string
- >>8 byte&0xF0 0x80 \b, root type: uid (CORRUPT)
- >>8 byte&0xF0 0xa0 \b, root type: array
- >>8 byte&0xF0 0xd0 \b, root type: dictionary
- # Apple/NeXT typedstream data
- # Serialization format used by NeXT and Apple for various
- # purposes in YellowStep/Cocoa, including some nib files.
- # From: David Remahl <dremahl@apple.com>
- 2 string typedstream NeXT/Apple typedstream data, big endian
- >0 byte x \b, version %d
- >0 byte <5 \b
- >>13 byte 0x81 \b
- >>>14 ubeshort x \b, system %d
- 2 string streamtyped NeXT/Apple typedstream data, little endian
- >0 byte x \b, version %d
- >0 byte <5 \b
- >>13 byte 0x81 \b
- >>>14 uleshort x \b, system %d
- #------------------------------------------------------------------------------
- # CAF: Apple CoreAudio File Format
- #
- # Container format for high-end audio purposes.
- # From: David Remahl <dremahl@apple.com>
- #
- 0 string caff CoreAudio Format audio file
- >4 beshort <10 version %d
- >6 beshort x
- #------------------------------------------------------------------------------
- # Keychain database files
- 0 string kych Mac OS X Keychain File
- #------------------------------------------------------------------------------
- # Code Signing related file types
- 0 belong 0xfade0c00 Mac OS X Code Requirement
- >8 belong 1 (opExpr)
- >4 belong x - %d bytes
- 0 belong 0xfade0c01 Mac OS X Code Requirement Set
- >8 belong >1 containing %d items
- >4 belong x - %d bytes
- 0 belong 0xfade0c02 Mac OS X Code Directory
- >8 belong x version %x
- >12 belong >0 flags 0x%x
- >4 belong x - %d bytes
- 0 belong 0xfade0cc0 Mac OS X Detached Code Signature (non-executable)
- >4 belong x - %d bytes
- 0 belong 0xfade0cc1 Mac OS X Detached Code Signature
- >8 belong >1 (%d elements)
- >4 belong x - %d bytes
- # From: "Nelson A. de Oliveira" <naoliv@gmail.com>
- # .vdi
- 4 string innotek\ VirtualBox\ Disk\ Image %s
- # Apple disk partition stuff, strengthen the magic using byte 4
- 0 beshort 0x4552
- >4 byte 0 Apple Driver Map
- >>2 beshort x \b, blocksize %d
- >>4 belong x \b, blockcount %d
- >>10 beshort x \b, devtype %d
- >>12 beshort x \b, devid %d
- >>20 beshort x \b, descriptors %d
- # Assume 8 partitions each at a multiple of the sector size.
- # We could glean this from the partition descriptors, but they are empty!?!?
- >>(2.S*1) indirect x \b, contains[@0x%x]:
- >>(2.S*2) indirect x \b, contains[@0x%x]:
- >>(2.S*3) indirect x \b, contains[@0x%x]:
- >>(2.S*4) indirect x \b, contains[@0x%x]:
- >>(2.S*5) indirect x \b, contains[@0x%x]:
- >>(2.S*6) indirect x \b, contains[@0x%x]:
- >>(2.S*7) indirect x \b, contains[@0x%x]:
- >>(2.S*8) indirect x \b, contains[@0x%x]:
- # Yes, the 3rd and 4th bytes are reserved, but we use them to make the
- # magic stronger.
- 0 belong 0x504d0000 Apple Partition Map
- >4 belong x \b, map block count %d
- >8 belong x \b, start block %d
- >12 belong x \b, block count %d
- >16 string >0 \b, name %s
- >48 string >0 \b, type %s
- >124 string >0 \b, processor %s
- >140 string >0 \b, boot arguments %s
- >92 belong & 1 \b, valid
- >92 belong & 2 \b, allocated
- >92 belong & 4 \b, in use
- >92 belong & 8 \b, has boot info
- >92 belong & 16 \b, readable
- >92 belong & 32 \b, writable
- >92 belong & 64 \b, pic boot code
- >92 belong & 128 \b, chain compatible driver
- >92 belong & 256 \b, real driver
- >92 belong & 512 \b, chain driver
- >92 belong & 1024 \b, mount at startup
- >92 belong & 2048 \b, is the startup partition
- #http://wiki.mozilla.org/DS_Store_File_Format`
- #http://en.wikipedia.org/wiki/.DS_Store
- 0 string \0\0\0\1Bud1\0 Apple Desktop Services Store
- # HFS/HFS+ Resource fork files (andrew.roazen@nau.edu Apr 13 2015)
- # Usually not in separate files, but have either filename rsrc with
- # no extension, or a filename corresponding to another file, with
- # extensions rsr/rsrc
- 0 string \000\000\001\000
- >4 leshort 0
- >>16 lelong 0 Apple HFS/HFS+ resource fork
|