1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
|
#------------------------------------------------------------------------------
# apple: file(1) magic for Apple file formats
#
0 string FiLeStArTfIlEsTaRt binscii (apple ][) text
0 string \x0aGL Binary II (apple ][) data
0 string \x76\xff Squeezed (apple ][) data
0 string NuFile NuFile archive (apple ][) data
0 string N\xf5F\xe9l\xe5 NuFile archive (apple ][) data
0 belong 0x00051600 AppleSingle encoded Macintosh file
0 belong 0x00051607 AppleDouble encoded Macintosh file
# magic for Newton PDA package formats
# from Ruda Moura <ruda@helllabs.org>
0 string package0 Newton package, NOS 1.x,
>12 belong &0x80000000 AutoRemove,
>12 belong &0x40000000 CopyProtect,
>12 belong &0x10000000 NoCompression,
>12 belong &0x04000000 Relocation,
>12 belong &0x02000000 UseFasterCompression,
>16 belong x version %d
0 string package1 Newton package, NOS 2.x,
>12 belong &0x80000000 AutoRemove,
>12 belong &0x40000000 CopyProtect,
>12 belong &0x10000000 NoCompression,
>12 belong &0x04000000 Relocation,
>12 belong &0x02000000 UseFasterCompression,
>16 belong x version %d
0 string package4 Newton package,
>8 byte 8 NOS 1.x,
>8 byte 9 NOS 2.x,
>12 belong &0x80000000 AutoRemove,
>12 belong &0x40000000 CopyProtect,
>12 belong &0x10000000 NoCompression,
# The following entries for the Apple II are for files that have
# been transferred as raw binary data from an Apple, without having
# been encapsulated by any of the above archivers.
#
# In general, Apple II formats are hard to identify because Apple DOS
# and especially Apple ProDOS have strong typing in the file system and
# therefore programmers never felt much need to include type information
# in the files themselves.
#
# Eric Fischer <enf@pobox.com>
# AppleWorks word processor:
#
# This matches the standard tab stops for an AppleWorks file, but if
# a file has a tab stop set in the first four columns this will fail.
#
# The "O" is really the magic number, but that's so common that it's
# necessary to check the tab stops that follow it to avoid false positives.
4 string O==== AppleWorks word processor data
>85 byte&0x01 >0 \b, zoomed
>90 byte&0x01 >0 \b, paginated
>92 byte&0x01 >0 \b, with mail merge
#>91 byte x \b, left margin %d
# AppleWorks database:
#
# This isn't really a magic number, but it's the closest thing to one
# that I could find. The 1 and 2 really mean "order in which you defined
# categories" and "left to right, top to bottom," respectively; the D and R
# mean that the cursor should move either down or right when you press Return.
#30 string \x01D AppleWorks database data
#30 string \x02D AppleWorks database data
#30 string \x01R AppleWorks database data
#30 string \x02R AppleWorks database data
# AppleWorks spreadsheet:
#
# Likewise, this isn't really meant as a magic number. The R or C means
# row- or column-order recalculation; the A or M means automatic or manual
# recalculation.
#131 string RA AppleWorks spreadsheet data
#131 string RM AppleWorks spreadsheet data
#131 string CA AppleWorks spreadsheet data
#131 string CM AppleWorks spreadsheet data
# Applesoft BASIC:
#
# This is incredibly sloppy, but will be true if the program was
# written at its usual memory location of 2048 and its first line
# number is less than 256. Yuck.
0 belong&0xff00ff 0x80000 Applesoft BASIC program data
#>2 leshort x \b, first line number %d
# ORCA/EZ assembler:
#
# This will not identify ORCA/M source files, since those have
# some sort of date code instead of the two zero bytes at 6 and 7
# XXX Conflicts with ELF
#4 belong&0xff00ffff 0x01000000 ORCA/EZ assembler source data
#>5 byte x \b, build number %d
# Broderbund Fantavision
#
# I don't know what these values really mean, but they seem to recur.
# Will they cause too many conflicts?
# Probably :-)
#2 belong&0xFF00FF 0x040008 Fantavision movie data
# Some attempts at images.
#
# These are actually just bit-for-bit dumps of the frame buffer, so
# there's really no reasonably way to distinguish them except for their
# address (if preserved) -- 8192 or 16384 -- and their length -- 8192
# or, occasionally, 8184.
#
# Nevertheless this will manage to catch a lot of images that happen
# to have a solid-colored line at the bottom of the screen.
8144 string \x7F\x7F\x7F\x7F\x7F\x7F\x7F\x7F Apple II image with white background
8144 string \x55\x2A\x55\x2A\x55\x2A\x55\x2A Apple II image with purple background
8144 string \x2A\x55\x2A\x55\x2A\x55\x2A\x55 Apple II image with green background
8144 string \xD5\xAA\xD5\xAA\xD5\xAA\xD5\xAA Apple II image with blue background
8144 string \xAA\xD5\xAA\xD5\xAA\xD5\xAA\xD5 Apple II image with orange background
# Beagle Bros. Apple Mechanic fonts
0 belong&0xFF00FFFF 0x6400D000 Apple Mechanic font
# Apple Universal Disk Image Format (UDIF) - dmg files.
# From Johan Gade.
# These entries are disabled for now until we fix the following issues.
#
# Note there might be some problems with the "VAX COFF executable"
# entry. Note this entry should be placed before the mac filesystem section,
# particularly the "Apple Partition data" entry.
#
# The intended meaning of these tests is, that the file is only of the
# specified type if both of the lines are correct - i.e. if the first
# line matches and the second doesn't then it is not of that type.
#
#0 long 0x7801730d
#>4 long 0x62626060 UDIF read-only zlib-compressed image (UDZO)
#
# Note that this entry is recognized correctly by the "Apple Partition
# data" entry - however since this entry is more specific - this
# information seems to be more useful.
#0 long 0x45520200
#>0x410 string disk\ image UDIF read/write image (UDRW)
# From: Toby Peterson <toby@apple.com>
0 string bplist00 Apple binary property list
# Apple binary property list (bplist)
# Assumes version bytes are hex.
# Provides content hints for version 0 files. Assumes that the root
# object is the first object (true for CoreFoundation implementation).
# From: David Remahl <dremahl@apple.com>
0 string bplist
>6 byte x \bCoreFoundation binary property list data, version 0x%c
>>7 byte x \b%c
>6 string 00 \b
>>8 byte&0xF0 0x00 \b
>>>8 byte&0x0F 0x00 \b, root type: null
>>>8 byte&0x0F 0x08 \b, root type: false boolean
>>>8 byte&0x0F 0x09 \b, root type: true boolean
>>8 byte&0xF0 0x10 \b, root type: integer
>>8 byte&0xF0 0x20 \b, root type: real
>>8 byte&0xF0 0x30 \b, root type: date
>>8 byte&0xF0 0x40 \b, root type: data
>>8 byte&0xF0 0x50 \b, root type: ascii string
>>8 byte&0xF0 0x60 \b, root type: unicode string
>>8 byte&0xF0 0x80 \b, root type: uid (CORRUPT)
>>8 byte&0xF0 0xa0 \b, root type: array
>>8 byte&0xF0 0xd0 \b, root type: dictionary
# Apple/NeXT typedstream data
# Serialization format used by NeXT and Apple for various
# purposes in YellowStep/Cocoa, including some nib files.
# From: David Remahl <dremahl@apple.com>
2 string typedstream NeXT/Apple typedstream data, big endian
>0 byte x \b, version %hhd
>0 byte <5 \b
>>13 byte 0x81 \b
>>>14 ubeshort x \b, system %hd
2 string streamtyped NeXT/Apple typedstream data, little endian
>0 byte x \b, version %hhd
>0 byte <5 \b
>>13 byte 0x81 \b
>>>14 uleshort x \b, system %hd
#------------------------------------------------------------------------------
# CAF: Apple CoreAudio File Format
#
# Container format for high-end audio purposes.
# From: David Remahl <dremahl@apple.com>
#
0 string caff CoreAudio Format audio file
>4 beshort <10 version %d
>6 beshort x
#------------------------------------------------------------------------------
# Keychain database files
0 string kych Mac OS X Keychain File
#------------------------------------------------------------------------------
# Code Signing related file types
0 belong 0xfade0c00 Mac OS X Code Requirement
>8 belong 1 (opExpr)
>4 belong x - %d bytes
0 belong 0xfade0c01 Mac OS X Code Requirement Set
>8 belong >1 containing %d items
>4 belong x - %d bytes
0 belong 0xfade0c02 Mac OS X Code Directory
>8 belong x version %x
>12 belong >0 flags 0x%x
>4 belong x - %d bytes
0 belong 0xfade0cc0 Mac OS X Detached Code Signature (non-executable)
>4 belong x - %d bytes
0 belong 0xfade0cc1 Mac OS X Detached Code Signature
>8 belong >1 (%d elements)
>4 belong x - %d bytes
# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
# .vdi
4 string innotek\ VirtualBox\ Disk\ Image %s
|