diff --git a/README.md b/README.md index be4d60f4..e3135e6a 100644 --- a/README.md +++ b/README.md @@ -51,7 +51,7 @@ bitcoin_blkdat, [bitcoin_block](doc/formats.md#bitcoin_block), bitcoin_script, bitcoin_transaction, -bplist, +[bplist](doc/formats.md#bplist), bsd_loopback_frame, [bson](doc/formats.md#bson), bzip2, diff --git a/doc/formats.md b/doc/formats.md index 39980187..256ca312 100644 --- a/doc/formats.md +++ b/doc/formats.md @@ -27,7 +27,7 @@ |[`bitcoin_block`](#bitcoin_block) |Bitcoin block |`bitcoin_transaction`| |`bitcoin_script` |Bitcoin script || |`bitcoin_transaction` |Bitcoin transaction |`bitcoin_script`| -|`bplist` |Apple Binary Property List || +|[`bplist`](#bplist) |Apple Binary Property List || |`bsd_loopback_frame` |BSD loopback frame |`inet_packet`| |[`bson`](#bson) |Binary JSON || |`bzip2` |bzip2 compression |`probe`| @@ -257,6 +257,46 @@ Decode value as bitcoin_block ... | bitcoin_block({has_header:false}) ``` +## bplist + +### Show full decoding +```sh +$ fq -d bplist dv Info.plist +``` + +### Timestamps +Timestamps in Apple Binary Property Lists are encoded as Cocoa Core Data +timestamps, where the raw value is the floating point number of seconds since +January 1, 2001. By default, `fq` will render the raw floating point value. In +order to get the raw value or string description, use the `todescription` +function, you can use the `tovalue` and `todescription` functions: + +```sh +$ fq 'torepr.SomeTimeStamp | tovalue' Info.plist +685135328 + +$ fq 'torepr.SomeTimeStamp | todescription' Info.plist +"2022-09-17T19:22:08Z" +``` + + +### Get JSON representation +```sh +$ fq torepr com.apple.UIAutomation.plist +{ + "UIAutomationEnabled": true +} +``` + +### Authors +- David McDonald +[@dgmcdona](https://github.com/dgmcdona) + +### References +- http://fileformats.archiveteam.org/wiki/Property_List/Binary +- https://medium.com/@karaiskc/understanding-apples-binary-property-list-format-281e6da00dbd +- https://opensource.apple.com/source/CF/CF-550/CFBinaryPList.c + ## bson ### Convert represented value to JSON diff --git a/format/bplist/bplist.go b/format/bplist/bplist.go index 650c855d..0a7c9f1a 100644 --- a/format/bplist/bplist.go +++ b/format/bplist/bplist.go @@ -11,7 +11,7 @@ import ( "github.com/wader/fq/pkg/scalar" ) -//go:embed bplist.jq +//go:embed bplist.jq bplist.md var bplistFS embed.FS func init() { diff --git a/format/bplist/bplist.md b/format/bplist/bplist.md index 67d0a338..f3e92bd0 100644 --- a/format/bplist/bplist.md +++ b/format/bplist/bplist.md @@ -3,10 +3,25 @@ $ fq -d bplist dv Info.plist ``` -### Get JSON representation -``` -$ fq torepr com.apple.UIAutomation.plist +### Timestamps +Timestamps in Apple Binary Property Lists are encoded as Cocoa Core Data +timestamps, where the raw value is the floating point number of seconds since +January 1, 2001. By default, `fq` will render the raw floating point value. In +order to get the raw value or string description, use the `todescription` +function, you can use the `tovalue` and `todescription` functions: +```sh +$ fq 'torepr.SomeTimeStamp | tovalue' Info.plist +685135328 + +$ fq 'torepr.SomeTimeStamp | todescription' Info.plist +"2022-09-17T19:22:08Z" +``` + + +### Get JSON representation +```sh +$ fq torepr com.apple.UIAutomation.plist { "UIAutomationEnabled": true } diff --git a/pkg/decode/decode.go b/pkg/decode/decode.go index a7892bab..d05ee366 100644 --- a/pkg/decode/decode.go +++ b/pkg/decode/decode.go @@ -803,7 +803,7 @@ func (d *D) FieldStructArrayLoop(name string, structName string, condFn func() b }) } -// FieldStructArrayN decodes an array of elements with a known count. +// FieldStructNArray decodes an array of elements with a known count. func (d *D) FieldStructNArray(name string, structName string, count int64, fn func(d *D)) *D { return d.FieldArray(name, func(d *D) { for i := int64(0); i < count; i++ {