1 2#------------------------------------------------------------------------------ 3# $File: apple,v 1.39 2018/03/02 15:26:39 christos Exp $ 4# apple: file(1) magic for Apple file formats 5# 60 search/1/t FiLeStArTfIlEsTaRt binscii (apple ][) text 70 string \x0aGL Binary II (apple ][) data 80 string \x76\xff Squeezed (apple ][) data 90 string NuFile NuFile archive (apple ][) data 100 string N\xf5F\xe9l\xe5 NuFile archive (apple ][) data 110 belong 0x00051600 AppleSingle encoded Macintosh file 120 belong 0x00051607 AppleDouble encoded Macintosh file 13 14# Type: Apple Emulator 2IMG format 15# From: Radek Vokal <rvokal@redhat.com> 160 string 2IMG Apple ][ 2IMG Disk Image 17>4 string XGS! \b, XGS 18>4 string CTKG \b, Catakig 19>4 string ShIm \b, Sheppy's ImageMaker 20>4 string WOOF \b, Sweet 16 21>4 string B2TR \b, Bernie ][ the Rescue 22>4 string !nfc \b, ASIMOV2 23>4 string x \b, Unknown Format 24>0xc byte 00 \b, DOS 3.3 sector order 25>>0x10 byte 00 \b, Volume 254 26>>0x10 byte&0x7f x \b, Volume %u 27>0xc byte 01 \b, ProDOS sector order 28>>0x14 short x \b, %u Blocks 29>0xc byte 02 \b, NIB data 30 31# magic for Newton PDA package formats 32# from Ruda Moura <ruda@helllabs.org> 330 string package0 Newton package, NOS 1.x, 34>12 belong &0x80000000 AutoRemove, 35>12 belong &0x40000000 CopyProtect, 36>12 belong &0x10000000 NoCompression, 37>12 belong &0x04000000 Relocation, 38>12 belong &0x02000000 UseFasterCompression, 39>16 belong x version %d 40 410 string package1 Newton package, NOS 2.x, 42>12 belong &0x80000000 AutoRemove, 43>12 belong &0x40000000 CopyProtect, 44>12 belong &0x10000000 NoCompression, 45>12 belong &0x04000000 Relocation, 46>12 belong &0x02000000 UseFasterCompression, 47>16 belong x version %d 48 490 string package4 Newton package, 50>8 byte 8 NOS 1.x, 51>8 byte 9 NOS 2.x, 52>12 belong &0x80000000 AutoRemove, 53>12 belong &0x40000000 CopyProtect, 54>12 belong &0x10000000 NoCompression, 55 56# The following entries for the Apple II are for files that have 57# been transferred as raw binary data from an Apple, without having 58# been encapsulated by any of the above archivers. 59# 60# In general, Apple II formats are hard to identify because Apple DOS 61# and especially Apple ProDOS have strong typing in the file system and 62# therefore programmers never felt much need to include type information 63# in the files themselves. 64# 65# Eric Fischer <enf@pobox.com> 66 67# AppleWorks word processor: 68# URL: https://en.wikipedia.org/wiki/AppleWorks 69# Reference: http://www.gno.org/pub/apple2/doc/apple/filetypes/ftn.1a.xxxx 70# Update: Joerg Jenderek 71# NOTE: 72# The "O" is really the magic number, but that's so common that it's 73# necessary to check the tab stops that follow it to avoid false positives. 74# and/or look for unused bits of booleans bytes like zoom, paginated, mail merge 75# the newer AppleWorks is from claris with extension CWK 764 string O 77# test for unused bits of zoom- , paginated-boolean bytes 78>84 ubequad ^0x00Fe00000000Fe00 79# look for tabstop definitions "=" no tab, "|" no tab 80# "<" left tab,"^" center tab,">" right tab, "." decimal tab, 81# unofficial "!" other , "\x8a" other 82# official only if SFMinVers is nonzero 83>>5 regex/s [=.<>|!^\x8a]{79} AppleWorks Word Processor 84# AppleWorks Word Processor File (Apple II) 85# ./apple (version 5.25) labeled the entry as "AppleWorks word processor data" 86# application/x-appleworks is mime type for claris version with cwk extension 87!:mime application/x-appleworks3 88# http://home.earthlink.net/~hughhood/appleiiworksenvoy/ 89# ('p' + 1-byte ProDOS File Type + 2-byte ProDOS Aux Type') 90# $70 $1A $F8 $FF is this the apple type ? 91#:apple pdosp�� 92!:ext awp 93# minimum version needed to read this files. SFMinVers (0 , 30~3.0 ) 94>>>183 ubyte 30 3.0 95>>>183 ubyte !30 96>>>>183 ubyte !0 0x%x 97# usual tabstop start sequence "=====<" 98>>>5 string x \b, tabstop ruler "%6.6s" 99# tabstop ruler 100#>>>5 string >\0 \b, tabstops "%-79s" 101# zoom switch 102>>>85 byte&0x01 >0 \b, zoomed 103# whether paginated 104>>>90 byte&0x01 >0 \b, paginated 105# contains any mail-merge commands 106>>>92 byte&0x01 >0 \b, with mail merge 107# left margin in 1/10 inches ( normally 0 or 10 ) 108>>>91 ubyte >0 109>>>>91 ubyte x \b, %d/10 inch left margin 110 111# AppleWorks database: 112# 113# This isn't really a magic number, but it's the closest thing to one 114# that I could find. The 1 and 2 really mean "order in which you defined 115# categories" and "left to right, top to bottom," respectively; the D and R 116# mean that the cursor should move either down or right when you press Return. 117 118#30 string \x01D AppleWorks database data 119#30 string \x02D AppleWorks database data 120#30 string \x01R AppleWorks database data 121#30 string \x02R AppleWorks database data 122 123# AppleWorks spreadsheet: 124# 125# Likewise, this isn't really meant as a magic number. The R or C means 126# row- or column-order recalculation; the A or M means automatic or manual 127# recalculation. 128 129#131 string RA AppleWorks spreadsheet data 130#131 string RM AppleWorks spreadsheet data 131#131 string CA AppleWorks spreadsheet data 132#131 string CM AppleWorks spreadsheet data 133 134# Applesoft BASIC: 135# 136# This is incredibly sloppy, but will be true if the program was 137# written at its usual memory location of 2048 and its first line 138# number is less than 256. Yuck. 139# update by Joerg Jenderek at Feb 2013 140 141# GRR: this test is still too general as it catches also Gujin BOOT144.SYS (0xfa080000) 142#0 belong&0xff00ff 0x80000 Applesoft BASIC program data 1430 belong&0x00ff00ff 0x00080000 144# assuming that line number must be positive 145>2 leshort >0 Applesoft BASIC program data, first line number %d 146#>2 leshort x \b, first line number %d 147 148# ORCA/EZ assembler: 149# 150# This will not identify ORCA/M source files, since those have 151# some sort of date code instead of the two zero bytes at 6 and 7 152# XXX Conflicts with ELF 153#4 belong&0xff00ffff 0x01000000 ORCA/EZ assembler source data 154#>5 byte x \b, build number %d 155 156# Broderbund Fantavision 157# 158# I don't know what these values really mean, but they seem to recur. 159# Will they cause too many conflicts? 160 161# Probably :-) 162#2 belong&0xFF00FF 0x040008 Fantavision movie data 163 164# Some attempts at images. 165# 166# These are actually just bit-for-bit dumps of the frame buffer, so 167# there's really no reasonably way to distinguish them except for their 168# address (if preserved) -- 8192 or 16384 -- and their length -- 8192 169# or, occasionally, 8184. 170# 171# Nevertheless this will manage to catch a lot of images that happen 172# to have a solid-colored line at the bottom of the screen. 173 174# GRR: Magic too weak 175#8144 string \x7F\x7F\x7F\x7F\x7F\x7F\x7F\x7F Apple II image with white background 176#8144 string \x55\x2A\x55\x2A\x55\x2A\x55\x2A Apple II image with purple background 177#8144 string \x2A\x55\x2A\x55\x2A\x55\x2A\x55 Apple II image with green background 178#8144 string \xD5\xAA\xD5\xAA\xD5\xAA\xD5\xAA Apple II image with blue background 179#8144 string \xAA\xD5\xAA\xD5\xAA\xD5\xAA\xD5 Apple II image with orange background 180 181# Beagle Bros. Apple Mechanic fonts 182 1830 belong&0xFF00FFFF 0x6400D000 Apple Mechanic font 184 185# Apple Universal Disk Image Format (UDIF) - dmg files. 186# From Johan Gade. 187# These entries are disabled for now until we fix the following issues. 188# 189# Note there might be some problems with the "VAX COFF executable" 190# entry. Note this entry should be placed before the mac filesystem section, 191# particularly the "Apple Partition data" entry. 192# 193# The intended meaning of these tests is, that the file is only of the 194# specified type if both of the lines are correct - i.e. if the first 195# line matches and the second doesn't then it is not of that type. 196# 197#0 long 0x7801730d 198#>4 long 0x62626060 UDIF read-only zlib-compressed image (UDZO) 199# 200# Note that this entry is recognized correctly by the "Apple Partition 201# data" entry - however since this entry is more specific - this 202# information seems to be more useful. 203#0 long 0x45520200 204#>0x410 string disk\ image UDIF read/write image (UDRW) 205 206# From: Toby Peterson <toby@apple.com> 2070 string bplist00 Apple binary property list 208 209# Apple binary property list (bplist) 210# Assumes version bytes are hex. 211# Provides content hints for version 0 files. Assumes that the root 212# object is the first object (true for CoreFoundation implementation). 213# From: David Remahl <dremahl@apple.com> 2140 string bplist 215>6 byte x \bCoreFoundation binary property list data, version 0x%c 216>>7 byte x \b%c 217>6 string 00 \b 218>>8 byte&0xF0 0x00 \b 219>>>8 byte&0x0F 0x00 \b, root type: null 220>>>8 byte&0x0F 0x08 \b, root type: false boolean 221>>>8 byte&0x0F 0x09 \b, root type: true boolean 222>>8 byte&0xF0 0x10 \b, root type: integer 223>>8 byte&0xF0 0x20 \b, root type: real 224>>8 byte&0xF0 0x30 \b, root type: date 225>>8 byte&0xF0 0x40 \b, root type: data 226>>8 byte&0xF0 0x50 \b, root type: ascii string 227>>8 byte&0xF0 0x60 \b, root type: unicode string 228>>8 byte&0xF0 0x80 \b, root type: uid (CORRUPT) 229>>8 byte&0xF0 0xa0 \b, root type: array 230>>8 byte&0xF0 0xd0 \b, root type: dictionary 231 232# Apple/NeXT typedstream data 233# Serialization format used by NeXT and Apple for various 234# purposes in YellowStep/Cocoa, including some nib files. 235# From: David Remahl <dremahl@apple.com> 2362 string typedstream NeXT/Apple typedstream data, big endian 237>0 byte x \b, version %d 238>0 byte <5 \b 239>>13 byte 0x81 \b 240>>>14 ubeshort x \b, system %d 2412 string streamtyped NeXT/Apple typedstream data, little endian 242>0 byte x \b, version %d 243>0 byte <5 \b 244>>13 byte 0x81 \b 245>>>14 uleshort x \b, system %d 246 247#------------------------------------------------------------------------------ 248# CAF: Apple CoreAudio File Format 249# 250# Container format for high-end audio purposes. 251# From: David Remahl <dremahl@apple.com> 252# 2530 string caff CoreAudio Format audio file 254>4 beshort <10 version %d 255>6 beshort x 256 257 258#------------------------------------------------------------------------------ 259# Keychain database files 2600 string kych Mac OS X Keychain File 261 262#------------------------------------------------------------------------------ 263# Code Signing related file types 2640 belong 0xfade0c00 Mac OS X Code Requirement 265>8 belong 1 (opExpr) 266>4 belong x - %d bytes 267 2680 belong 0xfade0c01 Mac OS X Code Requirement Set 269>8 belong >1 containing %d items 270>4 belong x - %d bytes 271 2720 belong 0xfade0c02 Mac OS X Code Directory 273>8 belong x version %x 274>12 belong >0 flags 0x%x 275>4 belong x - %d bytes 276 2770 belong 0xfade0cc0 Mac OS X Detached Code Signature (non-executable) 278>4 belong x - %d bytes 279 2800 belong 0xfade0cc1 Mac OS X Detached Code Signature 281>8 belong >1 (%d elements) 282>4 belong x - %d bytes 283 284# From: "Nelson A. de Oliveira" <naoliv@gmail.com> 285# .vdi 2864 string innotek\ VirtualBox\ Disk\ Image %s 287 288# Apple disk partition stuff 289# URL: https://en.wikipedia.org/wiki/Apple_Partition_Map 290# Reference: https://ftp.netbsd.org/pub/NetBSD/NetBSD-current/src/sys/sys/bootblock.h 291# Update: Joerg Jenderek 292# "ER" is APPLE_DRVR_MAP_MAGIC signature 2930 beshort 0x4552 294# display Apple Driver Map (strength=50) after Syslinux bootloader (71) 295#!:strength +0 296# strengthen the magic by looking for used blocksizes 512 2048 297>2 ubeshort&0xf1FF 0 Apple Driver Map 298# last 6 bytes for padding found are 0 or end with 55AAh marker for MBR hybrid 299#>>504 ubequad&0x0000FFffFFff0000 0 300!:mime application/x-apple-diskimage 301!:apple ????devr 302# https://en.wikipedia.org/wiki/Apple_Disk_Image 303!:ext dmg/iso 304# sbBlkSize for driver descriptor map 512 2048 305>>2 beshort x \b, blocksize %d 306# sbBlkCount sometimes garbish like 307# 0xb0200000 for unzlibed install_flash_player_19.0.0.245_osx.dmg 308# 0xf2720100 for bunziped Firefox 48.0-2.dmg 309# 0xeb02ffff for super_grub2_disk_hybrid_2.02s3.iso 310# 0x00009090 by syslinux-6.03/utils/isohybrid.c 311>>4 ubelong x \b, blockcount %u 312# following device/driver information not very useful 313# device type 0 1 (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso) 314>>8 ubeshort x \b, devtype %u 315# device id 0 1 (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso) 316>>10 ubeshort x \b, devid %u 317# driver data 0 (2425393296 garbage for super_grub2_disk_hybrid_2.02s3.iso) 318>>12 ubelong >0 319>>>12 ubelong x \b, driver data %u 320# number of driver descriptors sbDrvrCount <= 61 321# (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso) 322>>16 ubeshort x \b, driver count %u 323# 61 * apple_drvr_descriptor[8]. information not very useful or same as in partition map 324# >>18 use apple-driver-map 325# >>26 use apple-driver-map 326# # ... 327# >>500 use apple-driver-map 328# number of partitions is always same in every partition (map block count) 329#>>0x0204 ubelong x \b, %u partitions 330>>0x0204 ubelong >0 \b, contains[@0x200]: 331>>>0x0200 use apple-apm 332>>0x0204 ubelong >1 \b, contains[@0x400]: 333>>>0x0400 use apple-apm 334>>0x0204 ubelong >2 \b, contains[@0x600]: 335>>>0x0600 use apple-apm 336>>0x0204 ubelong >3 \b, contains[@0x800]: 337>>>0x0800 use apple-apm 338>>0x0204 ubelong >4 \b, contains[@0xA00]: 339>>>0x0A00 use apple-apm 340>>0x0204 ubelong >5 \b, contains[@0xC00]: 341>>>0x0C00 use apple-apm 342>>0x0204 ubelong >6 \b, contains[@0xE00]: 343>>>0x0E00 use apple-apm 344>>0x0204 ubelong >7 \b, contains[@0x1000]: 345>>>0x1000 use apple-apm 346# display apple driver descriptor map (start-block, # blocks in sbBlkSize sizes, type) 3470 name apple-driver-map 348>0 ubequad !0 349# descBlock first block of driver 350>>0 ubelong x \b, driver start block %u 351# descSize driver size in blocks 352>>4 ubeshort x \b, size %u 353# descType driver system type 1 701h F8FFh FFFFh 354>>6 ubeshort x \b, type 0x%x 355 356# URL: https://en.wikipedia.org/wiki/Apple_Partition_Map 357# Reference: http://opensource.apple.com/source/IOStorageFamily/IOStorageFamily-116/IOApplePartitionScheme.h 358# Update: Joerg Jenderek 359# Yes, the 3rd and 4th bytes pmSigPad are reserved, but we use them to make the 360# magic stronger. 361# for apple partition map stored as a single file 3620 belong 0x504d0000 363# to display Apple Partition Map (strength=70) after Syslinux bootloader (71) 364#!:strength +0 365>0 use apple-apm 366# magic/Magdir/apple14.test, 365: Warning: Current entry does not yet have a description for adding a EXTENSION type 367# file: could not find any valid magic files! 368#!:ext bin 369# display apple partition map. Normally called after Apple driver map 3700 name apple-apm 371>0 belong 0x504d0000 Apple Partition Map 372# number of partitions 373>>4 ubelong x \b, map block count %u 374# logical block (512 bytes) start of partition 375>>8 ubelong x \b, start block %u 376>>12 ubelong x \b, block count %u 377>>16 string >0 \b, name %s 378>>48 string >0 \b, type %s 379# processor type dpme_process_id[16] e.g. "68000" "68020" 380>>120 string >0 \b, processor %s 381# A/UX boot arguments BootArgs[128] 382>>136 string >0 \b, boot arguments %s 383# status of partition dpme_flags 384>>88 belong & 1 \b, valid 385>>88 belong & 2 \b, allocated 386>>88 belong & 4 \b, in use 387>>88 belong & 8 \b, has boot info 388>>88 belong & 16 \b, readable 389>>88 belong & 32 \b, writable 390>>88 belong & 64 \b, pic boot code 391>>88 belong & 128 \b, chain compatible driver 392>>88 belong & 256 \b, real driver 393>>88 belong & 512 \b, chain driver 394# mount automatically at startup APPLE_PS_AUTO_MOUNT 395>>88 ubelong &0x40000000 \b, mount at startup 396# is the startup partition APPLE_PS_STARTUP 397>>88 ubelong &0x80000000 \b, is the startup partition 398 399#http://wiki.mozilla.org/DS_Store_File_Format 400#http://en.wikipedia.org/wiki/.DS_Store 4010 string \0\0\0\1Bud1\0 Apple Desktop Services Store 402 403# HFS/HFS+ Resource fork files (andrew.roazen@nau.edu Apr 13 2015) 404# Usually not in separate files, but have either filename rsrc with 405# no extension, or a filename corresponding to another file, with 406# extensions rsr/rsrc 4070 string \000\000\001\000 408>4 leshort 0 409>>16 lelong 0 Apple HFS/HFS+ resource fork 410 411#https://en.wikipedia.org/wiki/AppleScript 4120 string FasdUAS AppleScript compiled 413 414# AppleWorks/ClarisWorks 415# https://github.com/joshenders/appleworks_format 416# http://fileformats.archiveteam.org/wiki/AppleWorks 4170 name appleworks 418>0 belong&0x00ffffff 0x07e100 AppleWorks CWK Document 419>0 belong&0x00ffffff 0x008803 ClarisWorks CWK Document 420>0 default x 421>>0 belong x AppleWorks/ClarisWorks CWK Document 422>0 byte x \b, version %d 423>30 beshort x \b, %d 424>32 beshort x \bx%d 425!:ext cwk 426 4274 string BOBO 428>0 byte >4 429>>12 belong 0 430>>>26 belong 0 431>>>>0 use appleworks 432>0 belong 0x0481ad00 433>>0 use appleworks 434 435# magic for Apple File System (APFS) 436# from Alex Myczko <alex@aiei.ch> 43732 string NXSB Apple File System (APFS) 438>36 ulelong x \b, blocksize %u 439 440# iTunes cover art (versions 1 and 2) 4414 string itch 442>24 string artw 443>>0x1e8 string data iTunes cover art 444>>>0x1ed string PNG (PNG) 445>>>0x1ec beshort 0xffd8 (JPEG) 446 447# MacPaint image 44865 string PNTGMPNT MacPaint image data 449#0 belong 2 MacPaint image data 450