xref: /freebsd/contrib/file/magic/Magdir/apple (revision cab6a39d7b343596a5823e65c0f7b426551ec22d) 
1
2#------------------------------------------------------------------------------
3# $File: apple,v 1.44 2019/10/18 15:21:02 christos Exp $
4# apple:  file(1) magic for Apple file formats
5#
60	search/1/t	FiLeStArTfIlEsTaRt	binscii (apple ][) text
70	string		\x0aGL			Binary II (apple ][) data
80	string		\x76\xff		Squeezed (apple ][) data
90	string		NuFile			NuFile archive (apple ][) data
100	string		N\xf5F\xe9l\xe5		NuFile archive (apple ][) data
110	belong		0x00051600		AppleSingle encoded Macintosh file
120	belong		0x00051607		AppleDouble encoded Macintosh file
13
14# Type: Apple Emulator WOZ format
15# From: Greg Wildman <greg@apple2.org.za>
16# Ref: https://applesaucefdc.com/woz/reference/
17# Ref: https://applesaucefdc.com/woz/reference2/
18#
19# Note: The following test are mostly identical. I would rather not
20# use a regex to identify the WOZ format number.
210	string		WOZ1
22>4	string		\xFF\x0A\x0D\x0A	Apple ][ WOZ 1.0 Disk Image
23>12	string		INFO
24>>21	byte		01			\b, 5.25 inch
25>>21	byte		02			\b, 3.5 inch
26>>22	byte		01			\b, write protected
27>>23	byte		01			\b, cross track synchronized
28>>25	string/T	x			\b, %.32s
290	string		WOZ2
30>4	string		\xFF\x0A\x0D\x0A	Apple ][ WOZ 2.0 Disk Image
31>12	string		INFO
32>>21	byte		01			\b, 5.25 inch
33>>21	byte		02			\b, 3.5 inch
34>>22	byte		01			\b, write protected
35>>23	byte		01			\b, cross track synchronized
36>>25	string/T	x			\b, %.32s
37
38# Type: Apple Emulator disk images
39# From: Greg Wildman <greg@apple2.org.za>
40# ProDOS boot loader?
410		string	\x01\x38\xB0\x03\x4C	Apple ProDOS Image
42# Detect Volume Directory block ($02)
43>0x400		string	\x00\x00\x03\x00
44>>0x404		byte	&0xF0
45>>>0x405	string	x			\b, Volume /%s
46>>>0x429	leshort	x			\b, %u Blocks
47# ProDOS ordered ?
48>0xb00		string	\x00\x00\x03\x00
49>>0xb04		byte	&0xF0
50>>>0xb05	string	x			\b, Volume /%s
51>>>0xb29	leshort	x			\b, %u Blocks
52#
53# DOS3.3 boot loader?
540		string	\x01\xA5\x27\xC9\x09\xD0\x18\xA5\x2B
55>0x11001	string	\x11\x0F\x03	Apple DOS 3.3 Image
56>>0x11006	byte	x		\b, Volume %u
57>>0x11034	byte	x		\b, %u Tracks
58>>0x11035	byte	x		\b, %u Sectors
59>>0x11036	leshort	x		\b, %u bytes per sector
60# DOS3.2 ?
61>0x11001	string	\x11\x0C\x02	Apple DOS 3.2 Image
62>>0x11006	byte	x		\b, Volume %u
63>>0x11034	byte	x		\b, %u Tracks
64>>0x11035	byte	x		\b, %u Sectors
65>>0x11036	leshort	x		\b, %u bytes per sector
66# DOS3.1 ?
67>0x11001	string	\x11\x0C\x01
68>>0x11c00	string	\x00\x11\x0B	Apple DOS 3.1 Image
69#
70# Pascal boot loader?
710		string	\x01\xE0\x60\xF0\x03\x4C\xE3\x08\xAD
72>0xd6		pstring SYSTEM.APPLE
73>>0xb00		leshort	0x0000
74>>>0xb04	leshort 0x0000		Apple Pascal Image
75>>>>0xb06	pstring x		\b, Volume %s:
76>>>>0xb0e	leshort x		\b, %u Blocks
77>>>>0xb10	leshort x		\b, %u Files
78#
79# Diversi Dos boot loader?
800		string	\x01\xA8\xAD\x81\xC0\xEE\x09\x08\xAD
81>0x11001	string	\x11\x0F\x03	Apple Diversi Dos Image
82>>0x11006	byte	x		\b, Volume %u
83>>0x11034	byte	x		\b, %u Tracks
84>>0x11035	byte	x		\b, %u Sectors
85>>0x11036	leshort	x		\b, %u bytes per sector
86
87# Type: Apple Emulator 2IMG format
88# From: Radek Vokal <rvokal@redhat.com>
89# Update: Greg Wildman <greg@apple2.org.za>
900		string	2IMG		Apple ][ 2IMG Disk Image
91>4		clear	x
92>4		string	XGS!		\b, XGS
93>4		string	CTKG		\b, Catakig
94>4		string	ShIm		\b, Sheppy's ImageMaker
95>4		string	SHEP		\b, Sheppy's ImageMaker
96>4		string	WOOF		\b, Sweet 16
97>4		string	B2TR		\b, Bernie ][ the Rescue
98>4		string	\!nfc		\b, ASIMOV2
99>4		string	\>BD\<		\b, Brutal Deluxe's Cadius
100>4		string	CdrP		\b, CiderPress
101>4		string	Vi][		\b, Virtual ][
102>4		string	PRFS		\b, ProFUSE
103>4		string	FISH		\b, FishWings
104>4		string	RVLW		\b, Revival for Windows
105>4		default	x
106>>4		string	x		\b, Creator tag "%-4.4s"
107>0xc		byte	00		\b, DOS 3.3 sector order
108>>0x10		byte	00		\b, Volume 254
109>>0x10		byte&0x7f x		\b, Volume %u
110>0xc		byte	01		\b, ProDOS sector order
111# Detect Volume Directory block ($02) + 2mg header offset
112>>0x440		string	\x00\x00\x03\x00
113>>>0x444	byte	&0xF0
114>>>>0x445	string	x		\b, Volume /%s
115>>>>0x469	leshort	x		\b, %u Blocks
116>0xc		byte	02		\b, NIB data
117
118# magic for Newton PDA package formats
119# from Ruda Moura <ruda@helllabs.org>
1200	string	package0	Newton package, NOS 1.x,
121>12	belong	&0x80000000	AutoRemove,
122>12	belong	&0x40000000	CopyProtect,
123>12	belong	&0x10000000	NoCompression,
124>12	belong	&0x04000000	Relocation,
125>12	belong	&0x02000000	UseFasterCompression,
126>16	belong	x		version %d
127
1280	string	package1	Newton package, NOS 2.x,
129>12	belong	&0x80000000	AutoRemove,
130>12	belong	&0x40000000	CopyProtect,
131>12	belong	&0x10000000	NoCompression,
132>12	belong	&0x04000000	Relocation,
133>12	belong	&0x02000000	UseFasterCompression,
134>16	belong	x		version %d
135
1360	string	package4	Newton package,
137>8	byte	8		NOS 1.x,
138>8	byte	9		NOS 2.x,
139>12	belong	&0x80000000	AutoRemove,
140>12	belong	&0x40000000	CopyProtect,
141>12	belong	&0x10000000	NoCompression,
142
143# The following entries for the Apple II are for files that have
144# been transferred as raw binary data from an Apple, without having
145# been encapsulated by any of the above archivers.
146#
147# In general, Apple II formats are hard to identify because Apple DOS
148# and especially Apple ProDOS have strong typing in the file system and
149# therefore programmers never felt much need to include type information
150# in the files themselves.
151#
152# Eric Fischer <enf@pobox.com>
153
154# AppleWorks word processor:
155# URL: https://en.wikipedia.org/wiki/AppleWorks
156# Reference: http://www.gno.org/pub/apple2/doc/apple/filetypes/ftn.1a.xxxx
157# Update: Joerg Jenderek
158# NOTE:
159# The "O" is really the magic number, but that's so common that it's
160# necessary to check the tab stops that follow it to avoid false positives.
161# and/or look for unused bits of booleans bytes like zoom, paginated, mail merge
162# the newer AppleWorks is from claris with extension CWK
1634	string		O
164# test for unused bits of zoom- , paginated-boolean bytes
165>84	ubequad		^0x00Fe00000000Fe00
166# look for tabstop definitions "=" no tab, "|" no tab
167# "<" left tab,"^" center tab,">" right tab, "." decimal tab,
168# unofficial "!" other , "\x8a" other
169# official only if SFMinVers is nonzero
170>>5	regex/s	[=.<>|!^\x8a]{79}	AppleWorks Word Processor
171# AppleWorks Word Processor File (Apple II)
172# ./apple (version 5.25) labeled the entry as "AppleWorks word processor data"
173# application/x-appleworks is mime type for claris version with cwk extension
174!:mime	application/x-appleworks3
175# http://home.earthlink.net/~hughhood/appleiiworksenvoy/
176# ('p' + 1-byte ProDOS File Type + 2-byte ProDOS Aux Type')
177# $70 $1A $F8 $FF is this the apple type ?
178#:apple pdosp^Z\xf8\xff
179!:ext awp
180# minimum version needed to read this files. SFMinVers (0 , 30~3.0 )
181>>>183	ubyte		30	3.0
182>>>183	ubyte		!30
183>>>>183	ubyte		!0	0x%x
184# usual tabstop start sequence "=====<"
185>>>5	string		x	\b, tabstop ruler "%6.6s"
186# tabstop ruler
187#>>>5	string		>\0	\b, tabstops "%-79s"
188# zoom switch
189>>>85	  byte&0x01	>0	\b, zoomed
190# whether paginated
191>>>90	  byte&0x01	>0	\b, paginated
192# contains any mail-merge commands
193>>>92	  byte&0x01	>0	\b, with mail merge
194# left margin in 1/10 inches ( normally 0 or 10 )
195>>>91	ubyte		>0
196>>>>91	ubyte		x	\b, %d/10 inch left margin
197
198# AppleWorks database:
199#
200# This isn't really a magic number, but it's the closest thing to one
201# that I could find.  The 1 and 2 really mean "order in which you defined
202# categories" and "left to right, top to bottom," respectively; the D and R
203# mean that the cursor should move either down or right when you press Return.
204
205#30	string		\x01D	AppleWorks database data
206#30	string		\x02D	AppleWorks database data
207#30	string		\x01R	AppleWorks database data
208#30	string		\x02R	AppleWorks database data
209
210# AppleWorks spreadsheet:
211#
212# Likewise, this isn't really meant as a magic number.  The R or C means
213# row- or column-order recalculation; the A or M means automatic or manual
214# recalculation.
215
216#131	string		RA	AppleWorks spreadsheet data
217#131	string		RM	AppleWorks spreadsheet data
218#131	string		CA	AppleWorks spreadsheet data
219#131	string		CM	AppleWorks spreadsheet data
220
221# Applesoft BASIC:
222#
223# This is incredibly sloppy, but will be true if the program was
224# written at its usual memory location of 2048 and its first line
225# number is less than 256.  Yuck.
226# update by Joerg Jenderek at Feb 2013
227
228# GRR: this test is still too general as it catches also Gujin BOOT144.SYS (0xfa080000)
229#0       belong&0xff00ff 0x80000 Applesoft BASIC program data
2300	belong&0x00ff00ff	0x00080000
231# assuming that line number must be positive
232>2	leshort			>0		Applesoft BASIC program data, first line number %d
233#>2     leshort         x       \b, first line number %d
234
235# ORCA/EZ assembler:
236#
237# This will not identify ORCA/M source files, since those have
238# some sort of date code instead of the two zero bytes at 6 and 7
239# XXX Conflicts with ELF
240#4       belong&0xff00ffff       0x01000000      ORCA/EZ assembler source data
241#>5      byte                    x               \b, build number %d
242
243# Broderbund Fantavision
244#
245# I don't know what these values really mean, but they seem to recur.
246# Will they cause too many conflicts?
247
248# Probably :-)
249#2	belong&0xFF00FF		0x040008	Fantavision movie data
250
251# Some attempts at images.
252#
253# These are actually just bit-for-bit dumps of the frame buffer, so
254# there's really no reasonably way to distinguish them except for their
255# address (if preserved) -- 8192 or 16384 -- and their length -- 8192
256# or, occasionally, 8184.
257#
258# Nevertheless this will manage to catch a lot of images that happen
259# to have a solid-colored line at the bottom of the screen.
260
261# GRR: Magic too weak
262#8144	string	\x7F\x7F\x7F\x7F\x7F\x7F\x7F\x7F	Apple II image with white background
263#8144	string	\x55\x2A\x55\x2A\x55\x2A\x55\x2A	Apple II image with purple background
264#8144	string	\x2A\x55\x2A\x55\x2A\x55\x2A\x55	Apple II image with green background
265#8144	string	\xD5\xAA\xD5\xAA\xD5\xAA\xD5\xAA	Apple II image with blue background
266#8144	string	\xAA\xD5\xAA\xD5\xAA\xD5\xAA\xD5	Apple II image with orange background
267
268# Beagle Bros. Apple Mechanic fonts
269
2700	belong&0xFF00FFFF	0x6400D000	Apple Mechanic font
271
272# Apple Universal Disk Image Format (UDIF) - dmg files.
273# From Johan Gade.
274# These entries are disabled for now until we fix the following issues.
275#
276# Note there might be some problems with the "VAX COFF executable"
277# entry. Note this entry should be placed before the mac filesystem section,
278# particularly the "Apple Partition data" entry.
279#
280# The intended meaning of these tests is, that the file is only of the
281# specified type if both of the lines are correct - i.e. if the first
282# line matches and the second doesn't then it is not of that type.
283#
284#0	long	0x7801730d
285#>4	long	0x62626060	UDIF read-only zlib-compressed image (UDZO)
286#
287# Note that this entry is recognized correctly by the "Apple Partition
288# data" entry - however since this entry is more specific - this
289# information seems to be more useful.
290#0	long	0x45520200
291#>0x410	string	disk\ image	UDIF read/write image (UDRW)
292
293# From: Toby Peterson <toby@apple.com>
2940	string	bplist00	Apple binary property list
295
296# Apple binary property list (bplist)
297#  Assumes version bytes are hex.
298#  Provides content hints for version 0 files. Assumes that the root
299#  object is the first object (true for CoreFoundation implementation).
300# From: David Remahl <dremahl@apple.com>
3010		string	bplist
302>6		byte	x	\bCoreFoundation binary property list data, version 0x%c
303>>7		byte	x	\b%c
304>6		string		00		\b
305>>8		byte&0xF0	0x00	\b
306>>>8	byte&0x0F	0x00	\b, root type: null
307>>>8	byte&0x0F	0x08	\b, root type: false boolean
308>>>8	byte&0x0F	0x09	\b, root type: true boolean
309>>8		byte&0xF0	0x10	\b, root type: integer
310>>8		byte&0xF0	0x20	\b, root type: real
311>>8		byte&0xF0	0x30	\b, root type: date
312>>8		byte&0xF0	0x40    \b, root type: data
313>>8		byte&0xF0	0x50	\b, root type: ascii string
314>>8		byte&0xF0	0x60	\b, root type: unicode string
315>>8		byte&0xF0	0x80	\b, root type: uid (CORRUPT)
316>>8		byte&0xF0	0xa0	\b, root type: array
317>>8		byte&0xF0	0xd0	\b, root type: dictionary
318
319# Apple/NeXT typedstream data
320#  Serialization format used by NeXT and Apple for various
321#  purposes in YellowStep/Cocoa, including some nib files.
322# From: David Remahl <dremahl@apple.com>
3232		string		typedstream	NeXT/Apple typedstream data, big endian
324>0		byte		x		\b, version %d
325>0		byte		<5		\b
326>>13	byte		0x81	\b
327>>>14	ubeshort	x		\b, system %d
3282		string		streamtyped NeXT/Apple typedstream data, little endian
329>0		byte		x		\b, version %d
330>0		byte		<5		\b
331>>13	byte		0x81	\b
332>>>14	uleshort	x		\b, system %d
333
334#------------------------------------------------------------------------------
335# CAF: Apple CoreAudio File Format
336#
337# Container format for high-end audio purposes.
338# From: David Remahl <dremahl@apple.com>
339#
3400	string		caff		CoreAudio Format audio file
341>4	beshort		<10		version %d
342>6	beshort		x
343
344
345#------------------------------------------------------------------------------
346# Keychain database files
3470	string		kych		Mac OS X Keychain File
348
349#------------------------------------------------------------------------------
350# Code Signing related file types
3510	belong		0xfade0c00	Mac OS X Code Requirement
352>8	belong		1			(opExpr)
353>4	belong		x			- %d bytes
354
3550	belong		0xfade0c01	Mac OS X Code Requirement Set
356>8	belong		>1			containing %d items
357>4	belong		x			- %d bytes
358
3590	belong		0xfade0c02	Mac OS X Code Directory
360>8	belong		x			version %x
361>12	belong		>0			flags 0x%x
362>4	belong		x			- %d bytes
363
3640	belong		0xfade0cc0	Mac OS X Detached Code Signature (non-executable)
365>4	belong		x			- %d bytes
366
3670	belong		0xfade0cc1	Mac OS X Detached Code Signature
368>8	belong		>1			(%d elements)
369>4	belong		x			- %d bytes
370
371# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
372# .vdi
3734	string innotek\ VirtualBox\ Disk\ Image %s
374
375# Apple disk partition stuff
376# URL: https://en.wikipedia.org/wiki/Apple_Partition_Map
377# Reference: https://ftp.netbsd.org/pub/NetBSD/NetBSD-current/src/sys/sys/bootblock.h
378# Update: Joerg Jenderek
379# "ER" is APPLE_DRVR_MAP_MAGIC signature
3800	beshort	0x4552
381# display Apple Driver Map (strength=50) after Syslinux bootloader (71)
382#!:strength +0
383# strengthen the magic by looking for used blocksizes 512 2048
384>2	ubeshort&0xf1FF		0	Apple Driver Map
385# last 6 bytes for padding found are 0 or end with 55AAh marker for MBR hybrid
386#>>504	ubequad&0x0000FFffFFff0000	0
387!:mime	application/x-apple-diskimage
388!:apple	????devr
389# https://en.wikipedia.org/wiki/Apple_Disk_Image
390!:ext	dmg/iso
391# sbBlkSize for driver descriptor map 512 2048
392>>2	beshort	x			\b, blocksize %d
393# sbBlkCount sometimes garbish like
394# 0xb0200000 for unzlibed install_flash_player_19.0.0.245_osx.dmg
395# 0xf2720100 for bunziped Firefox 48.0-2.dmg
396# 0xeb02ffff for super_grub2_disk_hybrid_2.02s3.iso
397# 0x00009090 by syslinux-6.03/utils/isohybrid.c
398>>4	ubelong	x			\b, blockcount %u
399# following device/driver information not very useful
400# device type 0 1 (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso)
401>>8	ubeshort	x		\b, devtype %u
402# device id 0 1 (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso)
403>>10	ubeshort	x		\b, devid %u
404# driver data 0 (2425393296 garbage for super_grub2_disk_hybrid_2.02s3.iso)
405>>12	ubelong		>0
406>>>12	ubelong		x		\b, driver data %u
407# number of driver descriptors sbDrvrCount <= 61
408# (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso)
409>>16	ubeshort	x		\b, driver count %u
410# 61 * apple_drvr_descriptor[8]. information not very useful or same as in partition map
411# >>18	use		apple-driver-map
412# >>26	use		apple-driver-map
413# # ...
414# >>500	use		apple-driver-map
415# number of partitions is always same in every partition (map block count)
416#>>0x0204	ubelong		x	\b, %u partitions
417>>0x0204	ubelong		>0	\b, contains[@0x200]:
418>>>0x0200	use		apple-apm
419>>0x0204	ubelong		>1	\b, contains[@0x400]:
420>>>0x0400	use		apple-apm
421>>0x0204	ubelong		>2	\b, contains[@0x600]:
422>>>0x0600	use		apple-apm
423>>0x0204	ubelong		>3	\b, contains[@0x800]:
424>>>0x0800	use		apple-apm
425>>0x0204	ubelong		>4	\b, contains[@0xA00]:
426>>>0x0A00	use		apple-apm
427>>0x0204	ubelong		>5	\b, contains[@0xC00]:
428>>>0x0C00	use		apple-apm
429>>0x0204	ubelong		>6	\b, contains[@0xE00]:
430>>>0x0E00	use		apple-apm
431>>0x0204	ubelong		>7	\b, contains[@0x1000]:
432>>>0x1000	use		apple-apm
433#	display apple driver descriptor map (start-block, # blocks in sbBlkSize sizes, type)
4340	name				apple-driver-map
435>0	ubequad		!0
436# descBlock first block of driver
437>>0	ubelong	x			\b, driver start block %u
438# descSize driver size in blocks
439>>4	ubeshort	x		\b, size %u
440# descType driver system type 1 701h F8FFh FFFFh
441>>6	ubeshort	x		\b, type 0x%x
442
443# URL: https://en.wikipedia.org/wiki/Apple_Partition_Map
444# Reference: https://opensource.apple.com/source/IOStorageFamily/IOStorageFamily-116/IOApplePartitionScheme.h
445# Update: Joerg Jenderek
446# Yes, the 3rd and 4th bytes pmSigPad are reserved, but we use them to make the
447# magic stronger.
448# for apple partition map stored as a single file
4490	belong	0x504d0000
450# to display Apple Partition Map (strength=70) after Syslinux bootloader (71)
451#!:strength +0
452>0	use		apple-apm
453# magic/Magdir/apple14.test, 365: Warning: Current entry does not yet have a description for adding a EXTENSION type
454# file: could not find any valid magic files!
455#!:ext	bin
456#	display apple partition map. Normally called after Apple driver map
4570	name				apple-apm
458>0	belong	0x504d0000		Apple Partition Map
459# number of partitions
460>>4	ubelong	x			\b, map block count %u
461# logical block (512 bytes) start of partition
462>>8	ubelong	x			\b, start block %u
463>>12	ubelong	x			\b, block count %u
464>>16	string >0			\b, name %s
465>>48	string >0			\b, type %s
466# processor type dpme_process_id[16] e.g. "68000" "68020"
467>>120	string >0			\b, processor %s
468# A/UX boot arguments BootArgs[128]
469>>136	string >0			\b, boot arguments %s
470# status of partition dpme_flags
471>>88	belong	& 1			\b, valid
472>>88	belong	& 2			\b, allocated
473>>88	belong	& 4			\b, in use
474>>88	belong	& 8			\b, has boot info
475>>88	belong	& 16			\b, readable
476>>88	belong	& 32			\b, writable
477>>88	belong	& 64			\b, pic boot code
478>>88	belong	& 128			\b, chain compatible driver
479>>88	belong	& 256			\b, real driver
480>>88	belong	& 512			\b, chain driver
481# mount automatically at startup APPLE_PS_AUTO_MOUNT
482>>88	ubelong	&0x40000000		\b, mount at startup
483# is the startup partition APPLE_PS_STARTUP
484>>88	ubelong	&0x80000000		\b, is the startup partition
485
486#https://wiki.mozilla.org/DS_Store_File_Format
487#https://en.wikipedia.org/wiki/.DS_Store
4880	string	\0\0\0\1Bud1\0		Apple Desktop Services Store
489
490# HFS/HFS+ Resource fork files (andrew.roazen@nau.edu Apr 13 2015)
491# Usually not in separate files, but have either filename rsrc with
492# no extension, or a filename corresponding to another file, with
493# extensions rsr/rsrc
4940	string  \000\000\001\000
495>4	leshort 0
496>>16	lelong  0			Apple HFS/HFS+ resource fork
497
498#https://en.wikipedia.org/wiki/AppleScript
4990	string	FasdUAS			AppleScript compiled
500
501# AppleWorks/ClarisWorks
502# https://github.com/joshenders/appleworks_format
503# http://fileformats.archiveteam.org/wiki/AppleWorks
5040	name			appleworks
505>0	belong&0x00ffffff	0x07e100	AppleWorks CWK Document
506>0	belong&0x00ffffff	0x008803	ClarisWorks CWK Document
507>0	default			x
508>>0	belong			x		AppleWorks/ClarisWorks CWK Document
509>0	byte			x		\b, version %d
510>30	beshort			x		\b, %d
511>32	beshort			x		\bx%d
512!:ext cwk
513
5144	string	BOBO
515>0	byte	>4
516>>12	belong	0
517>>>26	belong	0
518>>>>0	use	appleworks
519>0	belong	0x0481ad00
520>>0	use 	appleworks
521
522# magic for Apple File System (APFS)
523# from Alex Myczko <alex@aiei.ch>
52432		string	NXSB		Apple File System (APFS)
525>36		ulelong	x		\b, blocksize %u
526
527# iTunes cover art (versions 1 and 2)
5284		string	itch
529>24		string	artw
530>>0x1e8		string	data		iTunes cover art
531>>>0x1ed	string	PNG		(PNG)
532>>>0x1ec	beshort 0xffd8		(JPEG)
533
534# MacPaint image
53565		string	PNTGMPNT	MacPaint image data
536#0		belong	2		MacPaint image data
537