- #------------------------------------------------------------------------------
- # $File: apple,v 1.39 2018/03/02 15:26:39 christos Exp $
- # apple: file(1) magic for Apple file formats
- #
- 0 search/1/t FiLeStArTfIlEsTaRt binscii (apple ][) text
- 0 string \x0aGL Binary II (apple ][) data
- 0 string \x76\xff Squeezed (apple ][) data
- 0 string NuFile NuFile archive (apple ][) data
- 0 string N\xf5F\xe9l\xe5 NuFile archive (apple ][) data
- 0 belong 0x00051600 AppleSingle encoded Macintosh file
- 0 belong 0x00051607 AppleDouble encoded Macintosh file
- # Type: Apple Emulator 2IMG format
- # From: Radek Vokal <rvokal@redhat.com>
- 0 string 2IMG Apple ][ 2IMG Disk Image
- >4 string XGS! \b, XGS
- >4 string CTKG \b, Catakig
- >4 string ShIm \b, Sheppy's ImageMaker
- >4 string WOOF \b, Sweet 16
- >4 string B2TR \b, Bernie ][ the Rescue
- >4 string !nfc \b, ASIMOV2
- >4 string x \b, Unknown Format
- >0xc byte 00 \b, DOS 3.3 sector order
- >>0x10 byte 00 \b, Volume 254
- >>0x10 byte&0x7f x \b, Volume %u
- >0xc byte 01 \b, ProDOS sector order
- >>0x14 short x \b, %u Blocks
- >0xc byte 02 \b, NIB data
- # magic for Newton PDA package formats
- # from Ruda Moura <ruda@helllabs.org>
- 0 string package0 Newton package, NOS 1.x,
- >12 belong &0x80000000 AutoRemove,
- >12 belong &0x40000000 CopyProtect,
- >12 belong &0x10000000 NoCompression,
- >12 belong &0x04000000 Relocation,
- >12 belong &0x02000000 UseFasterCompression,
- >16 belong x version %d
- 0 string package1 Newton package, NOS 2.x,
- >12 belong &0x80000000 AutoRemove,
- >12 belong &0x40000000 CopyProtect,
- >12 belong &0x10000000 NoCompression,
- >12 belong &0x04000000 Relocation,
- >12 belong &0x02000000 UseFasterCompression,
- >16 belong x version %d
- 0 string package4 Newton package,
- >8 byte 8 NOS 1.x,
- >8 byte 9 NOS 2.x,
- >12 belong &0x80000000 AutoRemove,
- >12 belong &0x40000000 CopyProtect,
- >12 belong &0x10000000 NoCompression,
- # The following entries for the Apple II are for files that have
- # been transferred as raw binary data from an Apple, without having
- # been encapsulated by any of the above archivers.
- #
- # In general, Apple II formats are hard to identify because Apple DOS
- # and especially Apple ProDOS have strong typing in the file system and
- # therefore programmers never felt much need to include type information
- # in the files themselves.
- #
- # Eric Fischer <enf@pobox.com>
- # AppleWorks word processor:
- # URL: https://en.wikipedia.org/wiki/AppleWorks
- # Reference: http://www.gno.org/pub/apple2/doc/apple/filetypes/ftn.1a.xxxx
- # Update: Joerg Jenderek
- # NOTE:
- # The "O" is really the magic number, but that's so common that it's
- # necessary to check the tab stops that follow it to avoid false positives.
- # and/or look for unused bits of booleans bytes like zoom, paginated, mail merge
- # the newer AppleWorks is from claris with extension CWK
- 4 string O
- # test for unused bits of zoom- , paginated-boolean bytes
- >84 ubequad ^0x00Fe00000000Fe00
- # look for tabstop definitions "=" no tab, "|" no tab
- # "<" left tab,"^" center tab,">" right tab, "." decimal tab,
- # unofficial "!" other , "\x8a" other
- # official only if SFMinVers is nonzero
- >>5 regex/s [=.<>|!^\x8a]{79} AppleWorks Word Processor
- # AppleWorks Word Processor File (Apple II)
- # ./apple (version 5.25) labeled the entry as "AppleWorks word processor data"
- # application/x-appleworks is mime type for claris version with cwk extension
- !:mime application/x-appleworks3
- # http://home.earthlink.net/~hughhood/appleiiworksenvoy/
- # ('p' + 1-byte ProDOS File Type + 2-byte ProDOS Aux Type')
- # $70 $1A $F8 $FF is this the apple type ?
- #:apple pdospøÿ
- !:ext awp
- # minimum version needed to read this files. SFMinVers (0 , 30~3.0 )
- >>>183 ubyte 30 3.0
- >>>183 ubyte !30
- >>>>183 ubyte !0 0x%x
- # usual tabstop start sequence "=====<"
- >>>5 string x \b, tabstop ruler "%6.6s"
- # tabstop ruler
- #>>>5 string >\0 \b, tabstops "%-79s"
- # zoom switch
- >>>85 byte&0x01 >0 \b, zoomed
- # whether paginated
- >>>90 byte&0x01 >0 \b, paginated
- # contains any mail-merge commands
- >>>92 byte&0x01 >0 \b, with mail merge
- # left margin in 1/10 inches ( normally 0 or 10 )
- >>>91 ubyte >0
- >>>>91 ubyte x \b, %d/10 inch left margin
- # AppleWorks database:
- #
- # This isn't really a magic number, but it's the closest thing to one
- # that I could find. The 1 and 2 really mean "order in which you defined
- # categories" and "left to right, top to bottom," respectively; the D and R
- # mean that the cursor should move either down or right when you press Return.
- #30 string \x01D AppleWorks database data
- #30 string \x02D AppleWorks database data
- #30 string \x01R AppleWorks database data
- #30 string \x02R AppleWorks database data
- # AppleWorks spreadsheet:
- #
- # Likewise, this isn't really meant as a magic number. The R or C means
- # row- or column-order recalculation; the A or M means automatic or manual
- # recalculation.
- #131 string RA AppleWorks spreadsheet data
- #131 string RM AppleWorks spreadsheet data
- #131 string CA AppleWorks spreadsheet data
- #131 string CM AppleWorks spreadsheet data
- # Applesoft BASIC:
- #
- # This is incredibly sloppy, but will be true if the program was
- # written at its usual memory location of 2048 and its first line
- # number is less than 256. Yuck.
- # update by Joerg Jenderek at Feb 2013
- # GRR: this test is still too general as it catches also Gujin BOOT144.SYS (0xfa080000)
- #0 belong&0xff00ff 0x80000 Applesoft BASIC program data
- 0 belong&0x00ff00ff 0x00080000
- # assuming that line number must be positive
- >2 leshort >0 Applesoft BASIC program data, first line number %d
- #>2 leshort x \b, first line number %d
- # ORCA/EZ assembler:
- #
- # This will not identify ORCA/M source files, since those have
- # some sort of date code instead of the two zero bytes at 6 and 7
- # XXX Conflicts with ELF
- #4 belong&0xff00ffff 0x01000000 ORCA/EZ assembler source data
- #>5 byte x \b, build number %d
- # Broderbund Fantavision
- #
- # I don't know what these values really mean, but they seem to recur.
- # Will they cause too many conflicts?
- # Probably :-)
- #2 belong&0xFF00FF 0x040008 Fantavision movie data
- # Some attempts at images.
- #
- # These are actually just bit-for-bit dumps of the frame buffer, so
- # there's really no reasonably way to distinguish them except for their
- # address (if preserved) -- 8192 or 16384 -- and their length -- 8192
- # or, occasionally, 8184.
- #
- # Nevertheless this will manage to catch a lot of images that happen
- # to have a solid-colored line at the bottom of the screen.
- # GRR: Magic too weak
- #8144 string \x7F\x7F\x7F\x7F\x7F\x7F\x7F\x7F Apple II image with white background
- #8144 string \x55\x2A\x55\x2A\x55\x2A\x55\x2A Apple II image with purple background
- #8144 string \x2A\x55\x2A\x55\x2A\x55\x2A\x55 Apple II image with green background
- #8144 string \xD5\xAA\xD5\xAA\xD5\xAA\xD5\xAA Apple II image with blue background
- #8144 string \xAA\xD5\xAA\xD5\xAA\xD5\xAA\xD5 Apple II image with orange background
- # Beagle Bros. Apple Mechanic fonts
- 0 belong&0xFF00FFFF 0x6400D000 Apple Mechanic font
- # Apple Universal Disk Image Format (UDIF) - dmg files.
- # From Johan Gade.
- # These entries are disabled for now until we fix the following issues.
- #
- # Note there might be some problems with the "VAX COFF executable"
- # entry. Note this entry should be placed before the mac filesystem section,
- # particularly the "Apple Partition data" entry.
- #
- # The intended meaning of these tests is, that the file is only of the
- # specified type if both of the lines are correct - i.e. if the first
- # line matches and the second doesn't then it is not of that type.
- #
- #0 long 0x7801730d
- #>4 long 0x62626060 UDIF read-only zlib-compressed image (UDZO)
- #
- # Note that this entry is recognized correctly by the "Apple Partition
- # data" entry - however since this entry is more specific - this
- # information seems to be more useful.
- #0 long 0x45520200
- #>0x410 string disk\ image UDIF read/write image (UDRW)
- # From: Toby Peterson <toby@apple.com>
- 0 string bplist00 Apple binary property list
- # Apple binary property list (bplist)
- # Assumes version bytes are hex.
- # Provides content hints for version 0 files. Assumes that the root
- # object is the first object (true for CoreFoundation implementation).
- # From: David Remahl <dremahl@apple.com>
- 0 string bplist
- >6 byte x \bCoreFoundation binary property list data, version 0x%c
- >>7 byte x \b%c
- >6 string 00 \b
- >>8 byte&0xF0 0x00 \b
- >>>8 byte&0x0F 0x00 \b, root type: null
- >>>8 byte&0x0F 0x08 \b, root type: false boolean
- >>>8 byte&0x0F 0x09 \b, root type: true boolean
- >>8 byte&0xF0 0x10 \b, root type: integer
- >>8 byte&0xF0 0x20 \b, root type: real
- >>8 byte&0xF0 0x30 \b, root type: date
- >>8 byte&0xF0 0x40 \b, root type: data
- >>8 byte&0xF0 0x50 \b, root type: ascii string
- >>8 byte&0xF0 0x60 \b, root type: unicode string
- >>8 byte&0xF0 0x80 \b, root type: uid (CORRUPT)
- >>8 byte&0xF0 0xa0 \b, root type: array
- >>8 byte&0xF0 0xd0 \b, root type: dictionary
- # Apple/NeXT typedstream data
- # Serialization format used by NeXT and Apple for various
- # purposes in YellowStep/Cocoa, including some nib files.
- # From: David Remahl <dremahl@apple.com>
- 2 string typedstream NeXT/Apple typedstream data, big endian
- >0 byte x \b, version %d
- >0 byte <5 \b
- >>13 byte 0x81 \b
- >>>14 ubeshort x \b, system %d
- 2 string streamtyped NeXT/Apple typedstream data, little endian
- >0 byte x \b, version %d
- >0 byte <5 \b
- >>13 byte 0x81 \b
- >>>14 uleshort x \b, system %d
- #------------------------------------------------------------------------------
- # CAF: Apple CoreAudio File Format
- #
- # Container format for high-end audio purposes.
- # From: David Remahl <dremahl@apple.com>
- #
- 0 string caff CoreAudio Format audio file
- >4 beshort <10 version %d
- >6 beshort x
- #------------------------------------------------------------------------------
- # Keychain database files
- 0 string kych Mac OS X Keychain File
- #------------------------------------------------------------------------------
- # Code Signing related file types
- 0 belong 0xfade0c00 Mac OS X Code Requirement
- >8 belong 1 (opExpr)
- >4 belong x - %d bytes
- 0 belong 0xfade0c01 Mac OS X Code Requirement Set
- >8 belong >1 containing %d items
- >4 belong x - %d bytes
- 0 belong 0xfade0c02 Mac OS X Code Directory
- >8 belong x version %x
- >12 belong >0 flags 0x%x
- >4 belong x - %d bytes
- 0 belong 0xfade0cc0 Mac OS X Detached Code Signature (non-executable)
- >4 belong x - %d bytes
- 0 belong 0xfade0cc1 Mac OS X Detached Code Signature
- >8 belong >1 (%d elements)
- >4 belong x - %d bytes
- # From: "Nelson A. de Oliveira" <naoliv@gmail.com>
- # .vdi
- 4 string innotek\ VirtualBox\ Disk\ Image %s
- # Apple disk partition stuff
- # URL: https://en.wikipedia.org/wiki/Apple_Partition_Map
- # Reference: https://ftp.netbsd.org/pub/NetBSD/NetBSD-current/src/sys/sys/bootblock.h
- # Update: Joerg Jenderek
- # "ER" is APPLE_DRVR_MAP_MAGIC signature
- 0 beshort 0x4552
- # display Apple Driver Map (strength=50) after Syslinux bootloader (71)
- #!:strength +0
- # strengthen the magic by looking for used blocksizes 512 2048
- >2 ubeshort&0xf1FF 0 Apple Driver Map
- # last 6 bytes for padding found are 0 or end with 55AAh marker for MBR hybrid
- #>>504 ubequad&0x0000FFffFFff0000 0
- !:mime application/x-apple-diskimage
- !:apple ????devr
- # https://en.wikipedia.org/wiki/Apple_Disk_Image
- !:ext dmg/iso
- # sbBlkSize for driver descriptor map 512 2048
- >>2 beshort x \b, blocksize %d
- # sbBlkCount sometimes garbish like
- # 0xb0200000 for unzlibed install_flash_player_19.0.0.245_osx.dmg
- # 0xf2720100 for bunziped Firefox 48.0-2.dmg
- # 0xeb02ffff for super_grub2_disk_hybrid_2.02s3.iso
- # 0x00009090 by syslinux-6.03/utils/isohybrid.c
- >>4 ubelong x \b, blockcount %u
- # following device/driver information not very useful
- # device type 0 1 (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso)
- >>8 ubeshort x \b, devtype %u
- # device id 0 1 (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso)
- >>10 ubeshort x \b, devid %u
- # driver data 0 (2425393296 garbage for super_grub2_disk_hybrid_2.02s3.iso)
- >>12 ubelong >0
- >>>12 ubelong x \b, driver data %u
- # number of driver descriptors sbDrvrCount <= 61
- # (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso)
- >>16 ubeshort x \b, driver count %u
- # 61 * apple_drvr_descriptor[8]. information not very useful or same as in partition map
- # >>18 use apple-driver-map
- # >>26 use apple-driver-map
- # # ...
- # >>500 use apple-driver-map
- # number of partitions is always same in every partition (map block count)
- #>>0x0204 ubelong x \b, %u partitions
- >>0x0204 ubelong >0 \b, contains[@0x200]:
- >>>0x0200 use apple-apm
- >>0x0204 ubelong >1 \b, contains[@0x400]:
- >>>0x0400 use apple-apm
- >>0x0204 ubelong >2 \b, contains[@0x600]:
- >>>0x0600 use apple-apm
- >>0x0204 ubelong >3 \b, contains[@0x800]:
- >>>0x0800 use apple-apm
- >>0x0204 ubelong >4 \b, contains[@0xA00]:
- >>>0x0A00 use apple-apm
- >>0x0204 ubelong >5 \b, contains[@0xC00]:
- >>>0x0C00 use apple-apm
- >>0x0204 ubelong >6 \b, contains[@0xE00]:
- >>>0x0E00 use apple-apm
- >>0x0204 ubelong >7 \b, contains[@0x1000]:
- >>>0x1000 use apple-apm
- # display apple driver descriptor map (start-block, # blocks in sbBlkSize sizes, type)
- 0 name apple-driver-map
- >0 ubequad !0
- # descBlock first block of driver
- >>0 ubelong x \b, driver start block %u
- # descSize driver size in blocks
- >>4 ubeshort x \b, size %u
- # descType driver system type 1 701h F8FFh FFFFh
- >>6 ubeshort x \b, type 0x%x
- # URL: https://en.wikipedia.org/wiki/Apple_Partition_Map
- # Reference: http://opensource.apple.com/source/IOStorageFamily/IOStorageFamily-116/IOApplePartitionScheme.h
- # Update: Joerg Jenderek
- # Yes, the 3rd and 4th bytes pmSigPad are reserved, but we use them to make the
- # magic stronger.
- # for apple partition map stored as a single file
- 0 belong 0x504d0000
- # to display Apple Partition Map (strength=70) after Syslinux bootloader (71)
- #!:strength +0
- >0 use apple-apm
- # magic/Magdir/apple14.test, 365: Warning: Current entry does not yet have a description for adding a EXTENSION type
- # file: could not find any valid magic files!
- #!:ext bin
- # display apple partition map. Normally called after Apple driver map
- 0 name apple-apm
- >0 belong 0x504d0000 Apple Partition Map
- # number of partitions
- >>4 ubelong x \b, map block count %u
- # logical block (512 bytes) start of partition
- >>8 ubelong x \b, start block %u
- >>12 ubelong x \b, block count %u
- >>16 string >0 \b, name %s
- >>48 string >0 \b, type %s
- # processor type dpme_process_id[16] e.g. "68000" "68020"
- >>120 string >0 \b, processor %s
- # A/UX boot arguments BootArgs[128]
- >>136 string >0 \b, boot arguments %s
- # status of partition dpme_flags
- >>88 belong & 1 \b, valid
- >>88 belong & 2 \b, allocated
- >>88 belong & 4 \b, in use
- >>88 belong & 8 \b, has boot info
- >>88 belong & 16 \b, readable
- >>88 belong & 32 \b, writable
- >>88 belong & 64 \b, pic boot code
- >>88 belong & 128 \b, chain compatible driver
- >>88 belong & 256 \b, real driver
- >>88 belong & 512 \b, chain driver
- # mount automatically at startup APPLE_PS_AUTO_MOUNT
- >>88 ubelong &0x40000000 \b, mount at startup
- # is the startup partition APPLE_PS_STARTUP
- >>88 ubelong &0x80000000 \b, is the startup partition
- #http://wiki.mozilla.org/DS_Store_File_Format
- #http://en.wikipedia.org/wiki/.DS_Store
- 0 string \0\0\0\1Bud1\0 Apple Desktop Services Store
- # HFS/HFS+ Resource fork files (andrew.roazen@nau.edu Apr 13 2015)
- # Usually not in separate files, but have either filename rsrc with
- # no extension, or a filename corresponding to another file, with
- # extensions rsr/rsrc
- 0 string \000\000\001\000
- >4 leshort 0
- >>16 lelong 0 Apple HFS/HFS+ resource fork
- #https://en.wikipedia.org/wiki/AppleScript
- 0 string FasdUAS AppleScript compiled
- # AppleWorks/ClarisWorks
- # https://github.com/joshenders/appleworks_format
- # http://fileformats.archiveteam.org/wiki/AppleWorks
- 0 name appleworks
- >0 belong&0x00ffffff 0x07e100 AppleWorks CWK Document
- >0 belong&0x00ffffff 0x008803 ClarisWorks CWK Document
- >0 default x
- >>0 belong x AppleWorks/ClarisWorks CWK Document
- >0 byte x \b, version %d
- >30 beshort x \b, %d
- >32 beshort x \bx%d
- !:ext cwk
- 4 string BOBO
- >0 byte >4
- >>12 belong 0
- >>>26 belong 0
- >>>>0 use appleworks
- >0 belong 0x0481ad00
- >>0 use appleworks
- # magic for Apple File System (APFS)
- # from Alex Myczko <alex@aiei.ch>
- 32 string NXSB Apple File System (APFS)
- >36 ulelong x \b, blocksize %u
- # iTunes cover art (versions 1 and 2)
- 4 string itch
- >24 string artw
- >>0x1e8 string data iTunes cover art
- >>>0x1ed string PNG (PNG)
- >>>0x1ec beshort 0xffd8 (JPEG)
- # MacPaint image
- 65 string PNTGMPNT MacPaint image data
- #0 belong 2 MacPaint image data