1 2#------------------------------------------------------------------------------ 3# $File: apple,v 1.31 2015/08/29 07:10:35 christos Exp $ 4# apple: file(1) magic for Apple file formats 5# 60 search/1/t FiLeStArTfIlEsTaRt binscii (apple ][) text 70 string \x0aGL Binary II (apple ][) data 80 string \x76\xff Squeezed (apple ][) data 90 string NuFile NuFile archive (apple ][) data 100 string N\xf5F\xe9l\xe5 NuFile archive (apple ][) data 110 belong 0x00051600 AppleSingle encoded Macintosh file 120 belong 0x00051607 AppleDouble encoded Macintosh file 13 14# Type: Apple Emulator 2IMG format 15# From: Radek Vokal <rvokal@redhat.com> 160 string 2IMG Apple ][ 2IMG Disk Image 17>4 string XGS! \b, XGS 18>4 string CTKG \b, Catakig 19>4 string ShIm \b, Sheppy's ImageMaker 20>4 string WOOF \b, Sweet 16 21>4 string B2TR \b, Bernie ][ the Rescue 22>4 string !nfc \b, ASIMOV2 23>4 string x \b, Unknown Format 24>0xc byte 00 \b, DOS 3.3 sector order 25>>0x10 byte 00 \b, Volume 254 26>>0x10 byte&0x7f x \b, Volume %u 27>0xc byte 01 \b, ProDOS sector order 28>>0x14 short x \b, %u Blocks 29>0xc byte 02 \b, NIB data 30 31# magic for Newton PDA package formats 32# from Ruda Moura <ruda@helllabs.org> 330 string package0 Newton package, NOS 1.x, 34>12 belong &0x80000000 AutoRemove, 35>12 belong &0x40000000 CopyProtect, 36>12 belong &0x10000000 NoCompression, 37>12 belong &0x04000000 Relocation, 38>12 belong &0x02000000 UseFasterCompression, 39>16 belong x version %d 40 410 string package1 Newton package, NOS 2.x, 42>12 belong &0x80000000 AutoRemove, 43>12 belong &0x40000000 CopyProtect, 44>12 belong &0x10000000 NoCompression, 45>12 belong &0x04000000 Relocation, 46>12 belong &0x02000000 UseFasterCompression, 47>16 belong x version %d 48 490 string package4 Newton package, 50>8 byte 8 NOS 1.x, 51>8 byte 9 NOS 2.x, 52>12 belong &0x80000000 AutoRemove, 53>12 belong &0x40000000 CopyProtect, 54>12 belong &0x10000000 NoCompression, 55 56# The following entries for the Apple II are for files that have 57# been transferred as raw binary data from an Apple, without having 58# been encapsulated by any of the above archivers. 59# 60# In general, Apple II formats are hard to identify because Apple DOS 61# and especially Apple ProDOS have strong typing in the file system and 62# therefore programmers never felt much need to include type information 63# in the files themselves. 64# 65# Eric Fischer <enf@pobox.com> 66 67# AppleWorks word processor: 68# 69# This matches the standard tab stops for an AppleWorks file, but if 70# a file has a tab stop set in the first four columns this will fail. 71# 72# The "O" is really the magic number, but that's so common that it's 73# necessary to check the tab stops that follow it to avoid false positives. 74 754 string O==== AppleWorks word processor data 76>85 byte&0x01 >0 \b, zoomed 77>90 byte&0x01 >0 \b, paginated 78>92 byte&0x01 >0 \b, with mail merge 79#>91 byte x \b, left margin %d 80 81# AppleWorks database: 82# 83# This isn't really a magic number, but it's the closest thing to one 84# that I could find. The 1 and 2 really mean "order in which you defined 85# categories" and "left to right, top to bottom," respectively; the D and R 86# mean that the cursor should move either down or right when you press Return. 87 88#30 string \x01D AppleWorks database data 89#30 string \x02D AppleWorks database data 90#30 string \x01R AppleWorks database data 91#30 string \x02R AppleWorks database data 92 93# AppleWorks spreadsheet: 94# 95# Likewise, this isn't really meant as a magic number. The R or C means 96# row- or column-order recalculation; the A or M means automatic or manual 97# recalculation. 98 99#131 string RA AppleWorks spreadsheet data 100#131 string RM AppleWorks spreadsheet data 101#131 string CA AppleWorks spreadsheet data 102#131 string CM AppleWorks spreadsheet data 103 104# Applesoft BASIC: 105# 106# This is incredibly sloppy, but will be true if the program was 107# written at its usual memory location of 2048 and its first line 108# number is less than 256. Yuck. 109# update by Joerg Jenderek at Feb 2013 110 111# GRR: this test is still too general as it catches also Gujin BOOT144.SYS (0xfa080000) 112#0 belong&0xff00ff 0x80000 Applesoft BASIC program data 1130 belong&0x00ff00ff 0x00080000 114# assuming that line number must be positive 115>2 leshort >0 Applesoft BASIC program data, first line number %d 116#>2 leshort x \b, first line number %d 117 118# ORCA/EZ assembler: 119# 120# This will not identify ORCA/M source files, since those have 121# some sort of date code instead of the two zero bytes at 6 and 7 122# XXX Conflicts with ELF 123#4 belong&0xff00ffff 0x01000000 ORCA/EZ assembler source data 124#>5 byte x \b, build number %d 125 126# Broderbund Fantavision 127# 128# I don't know what these values really mean, but they seem to recur. 129# Will they cause too many conflicts? 130 131# Probably :-) 132#2 belong&0xFF00FF 0x040008 Fantavision movie data 133 134# Some attempts at images. 135# 136# These are actually just bit-for-bit dumps of the frame buffer, so 137# there's really no reasonably way to distinguish them except for their 138# address (if preserved) -- 8192 or 16384 -- and their length -- 8192 139# or, occasionally, 8184. 140# 141# Nevertheless this will manage to catch a lot of images that happen 142# to have a solid-colored line at the bottom of the screen. 143 144# GRR: Magic too weak 145#8144 string \x7F\x7F\x7F\x7F\x7F\x7F\x7F\x7F Apple II image with white background 146#8144 string \x55\x2A\x55\x2A\x55\x2A\x55\x2A Apple II image with purple background 147#8144 string \x2A\x55\x2A\x55\x2A\x55\x2A\x55 Apple II image with green background 148#8144 string \xD5\xAA\xD5\xAA\xD5\xAA\xD5\xAA Apple II image with blue background 149#8144 string \xAA\xD5\xAA\xD5\xAA\xD5\xAA\xD5 Apple II image with orange background 150 151# Beagle Bros. Apple Mechanic fonts 152 1530 belong&0xFF00FFFF 0x6400D000 Apple Mechanic font 154 155# Apple Universal Disk Image Format (UDIF) - dmg files. 156# From Johan Gade. 157# These entries are disabled for now until we fix the following issues. 158# 159# Note there might be some problems with the "VAX COFF executable" 160# entry. Note this entry should be placed before the mac filesystem section, 161# particularly the "Apple Partition data" entry. 162# 163# The intended meaning of these tests is, that the file is only of the 164# specified type if both of the lines are correct - i.e. if the first 165# line matches and the second doesn't then it is not of that type. 166# 167#0 long 0x7801730d 168#>4 long 0x62626060 UDIF read-only zlib-compressed image (UDZO) 169# 170# Note that this entry is recognized correctly by the "Apple Partition 171# data" entry - however since this entry is more specific - this 172# information seems to be more useful. 173#0 long 0x45520200 174#>0x410 string disk\ image UDIF read/write image (UDRW) 175 176# From: Toby Peterson <toby@apple.com> 1770 string bplist00 Apple binary property list 178 179# Apple binary property list (bplist) 180# Assumes version bytes are hex. 181# Provides content hints for version 0 files. Assumes that the root 182# object is the first object (true for CoreFoundation implementation). 183# From: David Remahl <dremahl@apple.com> 1840 string bplist 185>6 byte x \bCoreFoundation binary property list data, version 0x%c 186>>7 byte x \b%c 187>6 string 00 \b 188>>8 byte&0xF0 0x00 \b 189>>>8 byte&0x0F 0x00 \b, root type: null 190>>>8 byte&0x0F 0x08 \b, root type: false boolean 191>>>8 byte&0x0F 0x09 \b, root type: true boolean 192>>8 byte&0xF0 0x10 \b, root type: integer 193>>8 byte&0xF0 0x20 \b, root type: real 194>>8 byte&0xF0 0x30 \b, root type: date 195>>8 byte&0xF0 0x40 \b, root type: data 196>>8 byte&0xF0 0x50 \b, root type: ascii string 197>>8 byte&0xF0 0x60 \b, root type: unicode string 198>>8 byte&0xF0 0x80 \b, root type: uid (CORRUPT) 199>>8 byte&0xF0 0xa0 \b, root type: array 200>>8 byte&0xF0 0xd0 \b, root type: dictionary 201 202# Apple/NeXT typedstream data 203# Serialization format used by NeXT and Apple for various 204# purposes in YellowStep/Cocoa, including some nib files. 205# From: David Remahl <dremahl@apple.com> 2062 string typedstream NeXT/Apple typedstream data, big endian 207>0 byte x \b, version %d 208>0 byte <5 \b 209>>13 byte 0x81 \b 210>>>14 ubeshort x \b, system %d 2112 string streamtyped NeXT/Apple typedstream data, little endian 212>0 byte x \b, version %d 213>0 byte <5 \b 214>>13 byte 0x81 \b 215>>>14 uleshort x \b, system %d 216 217#------------------------------------------------------------------------------ 218# CAF: Apple CoreAudio File Format 219# 220# Container format for high-end audio purposes. 221# From: David Remahl <dremahl@apple.com> 222# 2230 string caff CoreAudio Format audio file 224>4 beshort <10 version %d 225>6 beshort x 226 227 228#------------------------------------------------------------------------------ 229# Keychain database files 2300 string kych Mac OS X Keychain File 231 232#------------------------------------------------------------------------------ 233# Code Signing related file types 2340 belong 0xfade0c00 Mac OS X Code Requirement 235>8 belong 1 (opExpr) 236>4 belong x - %d bytes 237 2380 belong 0xfade0c01 Mac OS X Code Requirement Set 239>8 belong >1 containing %d items 240>4 belong x - %d bytes 241 2420 belong 0xfade0c02 Mac OS X Code Directory 243>8 belong x version %x 244>12 belong >0 flags 0x%x 245>4 belong x - %d bytes 246 2470 belong 0xfade0cc0 Mac OS X Detached Code Signature (non-executable) 248>4 belong x - %d bytes 249 2500 belong 0xfade0cc1 Mac OS X Detached Code Signature 251>8 belong >1 (%d elements) 252>4 belong x - %d bytes 253 254# From: "Nelson A. de Oliveira" <naoliv@gmail.com> 255# .vdi 2564 string innotek\ VirtualBox\ Disk\ Image %s 257 258# Apple disk partition stuff, strengthen the magic using byte 4 2590 beshort 0x4552 260>4 byte 0 Apple Driver Map 261>>2 beshort x \b, blocksize %d 262>>4 belong x \b, blockcount %d 263>>10 beshort x \b, devtype %d 264>>12 beshort x \b, devid %d 265>>20 beshort x \b, descriptors %d 266# Assume 8 partitions each at a multiple of the sector size. 267# We could glean this from the partition descriptors, but they are empty!?!? 268>>(2.S*1) indirect x \b, contains[@0x%x]: 269>>(2.S*2) indirect x \b, contains[@0x%x]: 270>>(2.S*3) indirect x \b, contains[@0x%x]: 271>>(2.S*4) indirect x \b, contains[@0x%x]: 272>>(2.S*5) indirect x \b, contains[@0x%x]: 273>>(2.S*6) indirect x \b, contains[@0x%x]: 274>>(2.S*7) indirect x \b, contains[@0x%x]: 275>>(2.S*8) indirect x \b, contains[@0x%x]: 276 277# Yes, the 3rd and 4th bytes are reserved, but we use them to make the 278# magic stronger. 2790 belong 0x504d0000 Apple Partition Map 280>4 belong x \b, map block count %d 281>8 belong x \b, start block %d 282>12 belong x \b, block count %d 283>16 string >0 \b, name %s 284>48 string >0 \b, type %s 285>124 string >0 \b, processor %s 286>140 string >0 \b, boot arguments %s 287>92 belong & 1 \b, valid 288>92 belong & 2 \b, allocated 289>92 belong & 4 \b, in use 290>92 belong & 8 \b, has boot info 291>92 belong & 16 \b, readable 292>92 belong & 32 \b, writable 293>92 belong & 64 \b, pic boot code 294>92 belong & 128 \b, chain compatible driver 295>92 belong & 256 \b, real driver 296>92 belong & 512 \b, chain driver 297>92 belong & 1024 \b, mount at startup 298>92 belong & 2048 \b, is the startup partition 299 300#http://wiki.mozilla.org/DS_Store_File_Format` 301#http://en.wikipedia.org/wiki/.DS_Store 3020 string \0\0\0\1Bud1\0 Apple Desktop Services Store 303 304# HFS/HFS+ Resource fork files (andrew.roazen@nau.edu Apr 13 2015) 305# Usually not in separate files, but have either filename rsrc with 306# no extension, or a filename corresponding to another file, with 307# extensions rsr/rsrc 3080 string \000\000\001\000 309>4 leshort 0 310>>16 lelong 0 Apple HFS/HFS+ resource fork 311 312