#------------------------------------------------------------------------------
# $File: apple,v 1.43 2019/04/19 00:42:27 christos Exp $
# apple: file(1) magic for Apple file formats
#
0	search/1/t	FiLeStArTfIlEsTaRt	binscii (apple ][) text
0	string	\x0aGL	Binary II (apple ][) data
0	string	\x76\xff	Squeezed (apple ][) data
0	string	NuFile	NuFile archive (apple ][) data
0	string	N\xf5F\xe9l\xe5	NuFile archive (apple ][) data
0	belong	0x00051600	AppleSingle encoded Macintosh file
0	belong	0x00051607	AppleDouble encoded Macintosh file

# Type: Apple Emulator WOZ format
# From: Greg Wildman <greg@apple2.org.za>
# Ref: https://applesaucefdc.com/woz/reference/
# Ref: https://applesaucefdc.com/woz/reference2/
#
# Note: The following tests are mostly identical. I would rather not
# use a regex to identify the WOZ format number.
0	string	WOZ1
>4	string	\xFF\x0A\x0D\x0A	Apple ][ WOZ 1.0 Disk Image
>12	string	INFO
>>21	byte	01	\b, 5.25 inch
>>21	byte	02	\b, 3.5 inch
>>22	byte	01	\b, write protected
>>23	byte	01	\b, cross track synchronized
>>25	string/T	x	\b, %.32s
0	string	WOZ2
>4	string	\xFF\x0A\x0D\x0A	Apple ][ WOZ 2.0 Disk Image
>12	string	INFO
>>21	byte	01	\b, 5.25 inch
>>21	byte	02	\b, 3.5 inch
>>22	byte	01	\b, write protected
>>23	byte	01	\b, cross track synchronized
>>25	string/T	x	\b, %.32s

# Type: Apple Emulator disk images
# From: Greg Wildman <greg@apple2.org.za>
# ProDOS boot loader?
0	string	\x01\x38\xB0\x03\x4C	Apple ProDOS Image
# Detect Volume Directory block ($02)
>0x400	string	\x00\x00\x03\x00
>>0x404	byte	&0xF0
>>>0x405	string	x	\b, Volume /%s
>>>0x429	leshort	x	\b, %u Blocks
# ProDOS ordered ?
>0xb00	string	\x00\x00\x03\x00
>>0xb04	byte	&0xF0
>>>0xb05	string	x	\b, Volume /%s
>>>0xb29	leshort	x	\b, %u Blocks
#
# DOS3.3 boot loader?
0	string	\x01\xA5\x27\xC9\x09\xD0\x18\xA5\x2B
>0x11001	string	\x11\x0F\x03	Apple DOS 3.3 Image
>>0x11006	byte	x	\b, Volume %u
>>0x11034	byte	x	\b, %u Tracks
>>0x11035	byte	x	\b, %u Sectors
>>0x11036	leshort	x	\b, %u bytes per sector
# DOS3.2 ?
>0x11001	string	\x11\x0C\x02	Apple DOS 3.2 Image
>>0x11006	byte	x	\b, Volume %u
>>0x11034	byte	x	\b, %u Tracks
>>0x11035	byte	x	\b, %u Sectors
>>0x11036	leshort	x	\b, %u bytes per sector
# DOS3.1 ?
>0x11001	string	\x11\x0C\x01
>>0x11c00	string	\x00\x11\x0B	Apple DOS 3.1 Image
#
# Pascal boot loader?
0	string	\x01\xE0\x60\xF0\x03\x4C\xE3\x08\xAD
>0xd6	pstring	SYSTEM.APPLE
>>0xb00	leshort	0x0000
>>>0xb04	leshort	0x0000	Apple Pascal Image
>>>>0xb06	pstring	x	\b, Volume %s:
>>>>0xb0e	leshort	x	\b, %u Blocks
>>>>0xb10	leshort	x	\b, %u Files

# Type: Apple Emulator 2IMG format
# From: Radek Vokal <rvokal@redhat.com>
# Update: Greg Wildman <greg@apple2.org.za>
0	string	2IMG	Apple ][ 2IMG Disk Image
>4	clear	x
>4	string	XGS!	\b, XGS
>4	string	CTKG	\b, Catakig
>4	string	ShIm	\b, Sheppy's ImageMaker
>4	string	SHEP	\b, Sheppy's ImageMaker
>4	string	WOOF	\b, Sweet 16
>4	string	B2TR	\b, Bernie ][ the Rescue
>4	string	\!nfc	\b, ASIMOV2
>4	string	\>BD\<	\b, Brutal Deluxe's Cadius
>4	string	CdrP	\b, CiderPress
>4	string	Vi][	\b, Virtual ][
>4	string	PRFS	\b, ProFUSE
>4	string	FISH	\b, FishWings
>4	string	RVLW	\b, Revival for Windows
>4	default	x
>>4	string	x	\b, Creator tag "%-4.4s"
>0xc	byte	00	\b, DOS 3.3 sector order
>>0x10	byte	00	\b, Volume 254
>>0x10	byte&0x7f	x	\b, Volume %u
>0xc	byte	01	\b, ProDOS sector order
>>0x14	short	x	\b, %u Blocks
>0xc	byte	02	\b, NIB data

# magic for Newton PDA package formats
# from Ruda Moura <ruda@helllabs.org>
0	string	package0	Newton package, NOS 1.x,
>12	belong	&0x80000000	AutoRemove,
>12	belong	&0x40000000	CopyProtect,
>12	belong	&0x10000000	NoCompression,
>12	belong	&0x04000000	Relocation,
>12	belong	&0x02000000	UseFasterCompression,
>16	belong	x	version %d

0	string	package1	Newton package, NOS 2.x,
>12	belong	&0x80000000	AutoRemove,
>12	belong	&0x40000000	CopyProtect,
>12	belong	&0x10000000	NoCompression,
>12	belong	&0x04000000	Relocation,
>12	belong	&0x02000000	UseFasterCompression,
>16	belong	x	version %d

0	string	package4	Newton package,
>8	byte	8	NOS 1.x,
>8	byte	9	NOS 2.x,
>12	belong	&0x80000000	AutoRemove,
>12	belong	&0x40000000	CopyProtect,
>12	belong	&0x10000000	NoCompression,

# The following entries for the Apple II are for files that have
# been transferred as raw binary data from an Apple, without having
# been encapsulated by any of the above archivers.
#
# In general, Apple II formats are hard to identify because Apple DOS
# and especially Apple ProDOS have strong typing in the file system and
# therefore programmers never felt much need to include type information
# in the files themselves.
#
# Eric Fischer <enf@pobox.com>

# AppleWorks word processor:
# URL: https://en.wikipedia.org/wiki/AppleWorks
# Reference: http://www.gno.org/pub/apple2/doc/apple/filetypes/ftn.1a.xxxx
# Update: Joerg Jenderek
# NOTE:
# The "O" is really the magic number, but that's so common that it's
# necessary to check the tab stops that follow it to avoid false positives.
# and/or look for unused bits of boolean bytes like zoom, paginated, mail merge
# the newer AppleWorks is from claris with extension CWK
4	string	O
# test for unused bits of zoom- , paginated-boolean bytes
>84	ubequad	^0x00Fe00000000Fe00
# look for tabstop definitions "=" no tab, "|" no tab
# "<" left tab,"^" center tab,">" right tab, "." decimal tab,
# unofficial "!" other , "\x8a" other
# official only if SFMinVers is nonzero
>>5	regex/s	[=.<>|!^\x8a]{79}	AppleWorks Word Processor
# AppleWorks Word Processor File (Apple II)
# ./apple (version 5.25) labeled the entry as "AppleWorks word processor data"
# application/x-appleworks is mime type for claris version with cwk extension
!:mime	application/x-appleworks3
# http://home.earthlink.net/~hughhood/appleiiworksenvoy/
# ('p' + 1-byte ProDOS File Type + 2-byte ProDOS Aux Type')
# $70 $1A $F8 $FF is this the apple type ?
#:apple pdosp^Z\xf8\xff
!:ext	awp
# minimum version needed to read these files. SFMinVers (0 , 30~3.0 )
>>>183	ubyte	30	3.0
>>>183	ubyte	!30
>>>>183	ubyte	!0	0x%x
# usual tabstop start sequence "=====<"
>>>5	string	x	\b, tabstop ruler "%6.6s"
# tabstop ruler
#>>>5	string	>\0	\b, tabstops "%-79s"
# zoom switch
>>>85	byte&0x01	>0	\b, zoomed
# whether paginated
>>>90	byte&0x01	>0	\b, paginated
# contains any mail-merge commands
>>>92	byte&0x01	>0	\b, with mail merge
# left margin in 1/10 inches ( normally 0 or 10 )
>>>91	ubyte	>0
>>>>91	ubyte	x	\b, %d/10 inch left margin

# AppleWorks database:
#
# This isn't really a magic number, but it's the closest thing to one
# that I could find. The 1 and 2 really mean "order in which you defined
# categories" and "left to right, top to bottom," respectively; the D and R
# mean that the cursor should move either down or right when you press Return.

#30	string	\x01D	AppleWorks database data
#30	string	\x02D	AppleWorks database data
#30	string	\x01R	AppleWorks database data
#30	string	\x02R	AppleWorks database data

# AppleWorks spreadsheet:
#
# Likewise, this isn't really meant as a magic number. The R or C means
# row- or column-order recalculation; the A or M means automatic or manual
# recalculation.

#131	string	RA	AppleWorks spreadsheet data
#131	string	RM	AppleWorks spreadsheet data
#131	string	CA	AppleWorks spreadsheet data
#131	string	CM	AppleWorks spreadsheet data

# Applesoft BASIC:
#
# This is incredibly sloppy, but will be true if the program was
# written at its usual memory location of 2048 and its first line
# number is less than 256. Yuck.
# update by Joerg Jenderek at Feb 2013

# GRR: this test is still too general as it catches also Gujin BOOT144.SYS (0xfa080000)
#0	belong&0xff00ff	0x80000	Applesoft BASIC program data
0	belong&0x00ff00ff	0x00080000
# assuming that line number must be positive
>2	leshort	>0	Applesoft BASIC program data, first line number %d
#>2	leshort	x	\b, first line number %d

# ORCA/EZ assembler:
#
# This will not identify ORCA/M source files, since those have
# some sort of date code instead of the two zero bytes at 6 and 7
# XXX Conflicts with ELF
#4	belong&0xff00ffff	0x01000000	ORCA/EZ assembler source data
#>5	byte	x	\b, build number %d

# Broderbund Fantavision
#
# I don't know what these values really mean, but they seem to recur.
# Will they cause too many conflicts?

# Probably :-)
#2	belong&0xFF00FF	0x040008	Fantavision movie data

# Some attempts at images.
#
# These are actually just bit-for-bit dumps of the frame buffer, so
# there's really no reasonable way to distinguish them except for their
# address (if preserved) -- 8192 or 16384 -- and their length -- 8192
# or, occasionally, 8184.
#
# Nevertheless this will manage to catch a lot of images that happen
# to have a solid-colored line at the bottom of the screen.

# GRR: Magic too weak
#8144	string	\x7F\x7F\x7F\x7F\x7F\x7F\x7F\x7F	Apple II image with white background
#8144	string	\x55\x2A\x55\x2A\x55\x2A\x55\x2A	Apple II image with purple background
#8144	string	\x2A\x55\x2A\x55\x2A\x55\x2A\x55	Apple II image with green background
#8144	string	\xD5\xAA\xD5\xAA\xD5\xAA\xD5\xAA	Apple II image with blue background
#8144	string	\xAA\xD5\xAA\xD5\xAA\xD5\xAA\xD5	Apple II image with orange background

# Beagle Bros. Apple Mechanic fonts

0	belong&0xFF00FFFF	0x6400D000	Apple Mechanic font

# Apple Universal Disk Image Format (UDIF) - dmg files.
# From Johan Gade.
# These entries are disabled for now until we fix the following issues.
#
# Note there might be some problems with the "VAX COFF executable"
# entry. Note this entry should be placed before the mac filesystem section,
# particularly the "Apple Partition data" entry.
#
# The intended meaning of these tests is, that the file is only of the
# specified type if both of the lines are correct - i.e. if the first
# line matches and the second doesn't then it is not of that type.
#
#0	long	0x7801730d
#>4	long	0x62626060	UDIF read-only zlib-compressed image (UDZO)
#
# Note that this entry is recognized correctly by the "Apple Partition
# data" entry - however since this entry is more specific - this
# information seems to be more useful.
#0	long	0x45520200
#>0x410	string	disk\ image	UDIF read/write image (UDRW)

# From: Toby Peterson <toby@apple.com>
0	string	bplist00	Apple binary property list

# Apple binary property list (bplist)
# Assumes version bytes are hex.
# Provides content hints for version 0 files. Assumes that the root
# object is the first object (true for CoreFoundation implementation).
# From: David Remahl <dremahl@apple.com>
0	string	bplist
>6	byte	x	\bCoreFoundation binary property list data, version 0x%c
>>7	byte	x	\b%c
>6	string	00	\b
>>8	byte&0xF0	0x00	\b
>>>8	byte&0x0F	0x00	\b, root type: null
>>>8	byte&0x0F	0x08	\b, root type: false boolean
>>>8	byte&0x0F	0x09	\b, root type: true boolean
>>8	byte&0xF0	0x10	\b, root type: integer
>>8	byte&0xF0	0x20	\b, root type: real
>>8	byte&0xF0	0x30	\b, root type: date
>>8	byte&0xF0	0x40	\b, root type: data
>>8	byte&0xF0	0x50	\b, root type: ascii string
>>8	byte&0xF0	0x60	\b, root type: unicode string
>>8	byte&0xF0	0x80	\b, root type: uid (CORRUPT)
>>8	byte&0xF0	0xa0	\b, root type: array
>>8	byte&0xF0	0xd0	\b, root type: dictionary

# Apple/NeXT typedstream data
# Serialization format used by NeXT and Apple for various
# purposes in YellowStep/Cocoa, including some nib files.
# From: David Remahl <dremahl@apple.com>
2	string	typedstream	NeXT/Apple typedstream data, big endian
>0	byte	x	\b, version %d
>0	byte	<5	\b
>>13	byte	0x81	\b
>>>14	ubeshort	x	\b, system %d
2	string	streamtyped	NeXT/Apple typedstream data, little endian
>0	byte	x	\b, version %d
>0	byte	<5	\b
>>13	byte	0x81	\b
>>>14	uleshort	x	\b, system %d

#------------------------------------------------------------------------------
# CAF: Apple CoreAudio File Format
#
# Container format for high-end audio purposes.
# From: David Remahl <dremahl@apple.com>
#
0	string	caff	CoreAudio Format audio file
>4	beshort	<10	version %d
>6	beshort	x


#------------------------------------------------------------------------------
# Keychain database files
0	string	kych	Mac OS X Keychain File

#------------------------------------------------------------------------------
# Code Signing related file types
0	belong	0xfade0c00	Mac OS X Code Requirement
>8	belong	1	(opExpr)
>4	belong	x	- %d bytes

0	belong	0xfade0c01	Mac OS X Code Requirement Set
>8	belong	>1	containing %d items
>4	belong	x	- %d bytes

0	belong	0xfade0c02	Mac OS X Code Directory
>8	belong	x	version %x
>12	belong	>0	flags 0x%x
>4	belong	x	- %d bytes

0	belong	0xfade0cc0	Mac OS X Detached Code Signature (non-executable)
>4	belong	x	- %d bytes

0	belong	0xfade0cc1	Mac OS X Detached Code Signature
>8	belong	>1	(%d elements)
>4	belong	x	- %d bytes

# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
# .vdi
4	string	innotek\ VirtualBox\ Disk\ Image	%s

# Apple disk partition stuff
# URL: https://en.wikipedia.org/wiki/Apple_Partition_Map
# Reference: https://ftp.netbsd.org/pub/NetBSD/NetBSD-current/src/sys/sys/bootblock.h
# Update: Joerg Jenderek
# "ER" is APPLE_DRVR_MAP_MAGIC signature
0	beshort	0x4552
# display Apple Driver Map (strength=50) after Syslinux bootloader (71)
#!:strength +0
# strengthen the magic by looking for used blocksizes 512 2048
>2	ubeshort&0xf1FF	0	Apple Driver Map
# last 6 bytes for padding found are 0 or end with 55AAh marker for MBR hybrid
#>>504	ubequad&0x0000FFffFFff0000	0
!:mime	application/x-apple-diskimage
!:apple	????devr
# https://en.wikipedia.org/wiki/Apple_Disk_Image
!:ext	dmg/iso
# sbBlkSize for driver descriptor map 512 2048
>>2	beshort	x	\b, blocksize %d
# sbBlkCount sometimes garbage like
# 0xb0200000 for unzlibed install_flash_player_19.0.0.245_osx.dmg
# 0xf2720100 for bunziped Firefox 48.0-2.dmg
# 0xeb02ffff for super_grub2_disk_hybrid_2.02s3.iso
# 0x00009090 by syslinux-6.03/utils/isohybrid.c
>>4	ubelong	x	\b, blockcount %u
# following device/driver information not very useful
# device type 0 1 (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso)
>>8	ubeshort	x	\b, devtype %u
# device id 0 1 (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso)
>>10	ubeshort	x	\b, devid %u
# driver data 0 (2425393296 garbage for super_grub2_disk_hybrid_2.02s3.iso)
>>12	ubelong	>0
>>>12	ubelong	x	\b, driver data %u
# number of driver descriptors sbDrvrCount <= 61
# (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso)
>>16	ubeshort	x	\b, driver count %u
# 61 * apple_drvr_descriptor[8]. information not very useful or same as in partition map
# >>18	use	apple-driver-map
# >>26	use	apple-driver-map
# # ...
# >>500	use	apple-driver-map
# number of partitions is always same in every partition (map block count)
#>>0x0204	ubelong	x	\b, %u partitions
>>0x0204	ubelong	>0	\b, contains[@0x200]:
>>>0x0200	use	apple-apm
>>0x0204	ubelong	>1	\b, contains[@0x400]:
>>>0x0400	use	apple-apm
>>0x0204	ubelong	>2	\b, contains[@0x600]:
>>>0x0600	use	apple-apm
>>0x0204	ubelong	>3	\b, contains[@0x800]:
>>>0x0800	use	apple-apm
>>0x0204	ubelong	>4	\b, contains[@0xA00]:
>>>0x0A00	use	apple-apm
>>0x0204	ubelong	>5	\b, contains[@0xC00]:
>>>0x0C00	use	apple-apm
>>0x0204	ubelong	>6	\b, contains[@0xE00]:
>>>0x0E00	use	apple-apm
>>0x0204	ubelong	>7	\b, contains[@0x1000]:
>>>0x1000	use	apple-apm
# display apple driver descriptor map (start-block, # blocks in sbBlkSize sizes, type)
0	name	apple-driver-map
>0	ubequad	!0
# descBlock first block of driver
>>0	ubelong	x	\b, driver start block %u
# descSize driver size in blocks
>>4	ubeshort	x	\b, size %u
# descType driver system type 1 701h F8FFh FFFFh
>>6	ubeshort	x	\b, type 0x%x

# URL: https://en.wikipedia.org/wiki/Apple_Partition_Map
# Reference: https://opensource.apple.com/source/IOStorageFamily/IOStorageFamily-116/IOApplePartitionScheme.h
# Update: Joerg Jenderek
# Yes, the 3rd and 4th bytes pmSigPad are reserved, but we use them to make the
# magic stronger.
# for apple partition map stored as a single file
0	belong	0x504d0000
# to display Apple Partition Map (strength=70) after Syslinux bootloader (71)
#!:strength +0
>0	use	apple-apm
# magic/Magdir/apple14.test, 365: Warning: Current entry does not yet have a description for adding a EXTENSION type
# file: could not find any valid magic files!
#!:ext bin
# display apple partition map. Normally called after Apple driver map
0	name	apple-apm
>0	belong	0x504d0000	Apple Partition Map
# number of partitions
>>4	ubelong	x	\b, map block count %u
# logical block (512 bytes) start of partition
>>8	ubelong	x	\b, start block %u
>>12	ubelong	x	\b, block count %u
>>16	string	>0	\b, name %s
>>48	string	>0	\b, type %s
# processor type dpme_process_id[16] e.g. "68000" "68020"
>>120	string	>0	\b, processor %s
# A/UX boot arguments BootArgs[128]
>>136	string	>0	\b, boot arguments %s
# status of partition dpme_flags
>>88	belong	& 1	\b, valid
>>88	belong	& 2	\b, allocated
>>88	belong	& 4	\b, in use
>>88	belong	& 8	\b, has boot info
>>88	belong	& 16	\b, readable
>>88	belong	& 32	\b, writable
>>88	belong	& 64	\b, pic boot code
>>88	belong	& 128	\b, chain compatible driver
>>88	belong	& 256	\b, real driver
>>88	belong	& 512	\b, chain driver
# mount automatically at startup APPLE_PS_AUTO_MOUNT
>>88	ubelong	&0x40000000	\b, mount at startup
# is the startup partition APPLE_PS_STARTUP
>>88	ubelong	&0x80000000	\b, is the startup partition

#https://wiki.mozilla.org/DS_Store_File_Format
#https://en.wikipedia.org/wiki/.DS_Store
0	string	\0\0\0\1Bud1\0	Apple Desktop Services Store

# HFS/HFS+ Resource fork files (andrew.roazen@nau.edu Apr 13 2015)
# Usually not in separate files, but have either filename rsrc with
# no extension, or a filename corresponding to another file, with
# extensions rsr/rsrc
0	string	\000\000\001\000
>4	leshort	0
>>16	lelong	0	Apple HFS/HFS+ resource fork

#https://en.wikipedia.org/wiki/AppleScript
0	string	FasdUAS	AppleScript compiled

# AppleWorks/ClarisWorks
# https://github.com/joshenders/appleworks_format
# http://fileformats.archiveteam.org/wiki/AppleWorks
0	name	appleworks
>0	belong&0x00ffffff	0x07e100	AppleWorks CWK Document
>0	belong&0x00ffffff	0x008803	ClarisWorks CWK Document
>0	default	x
>>0	belong	x	AppleWorks/ClarisWorks CWK Document
>0	byte	x	\b, version %d
>30	beshort	x	\b, %d
>32	beshort	x	\bx%d
!:ext	cwk

4	string	BOBO
>0	byte	>4
>>12	belong	0
>>>26	belong	0
>>>>0	use	appleworks
>0	belong	0x0481ad00
>>0	use	appleworks

# magic for Apple File System (APFS)
# from Alex Myczko <alex@aiei.ch>
32	string	NXSB	Apple File System (APFS)
>36	ulelong	x	\b, blocksize %u

# iTunes cover art (versions 1 and 2)
4	string	itch
>24	string	artw
>>0x1e8	string	data	iTunes cover art
>>>0x1ed	string	PNG	(PNG)
>>>0x1ec	beshort	0xffd8	(JPEG)

# MacPaint image
65	string	PNTGMPNT	MacPaint image data
#0	belong	2	MacPaint image data