diff options
Diffstat (limited to 'magic/Magdir/macintosh')
| -rw-r--r-- | magic/Magdir/macintosh | 390 |
1 files changed, 390 insertions, 0 deletions
diff --git a/magic/Magdir/macintosh b/magic/Magdir/macintosh new file mode 100644 index 0000000..b9933b1 --- /dev/null +++ b/magic/Magdir/macintosh @@ -0,0 +1,390 @@ + +#------------------------------------------------------------------------------ +# $File: macintosh,v 1.22 2011/05/17 17:40:31 rrt Exp $ +# macintosh description +# +# BinHex is the Macintosh ASCII-encoded file format (see also "apple") +# Daniel Quinlan, quinlan@yggdrasil.com +11 string must\ be\ converted\ with\ BinHex BinHex binary text +!:mime application/mac-binhex40 +>41 string x \b, version %.3s + +# Stuffit archives are the de facto standard of compression for Macintosh +# files obtained from most archives. (franklsm@tuns.ca) +0 string SIT! StuffIt Archive (data) +!:mime application/x-stuffit +!:apple SIT!SIT! +>2 string x : %s +0 string SITD StuffIt Deluxe (data) +>2 string x : %s +0 string Seg StuffIt Deluxe Segment (data) +>2 string x : %s + +# Newer StuffIt archives (grant@netbsd.org) +0 string StuffIt StuffIt Archive +!:mime application/x-stuffit +!:apple SIT!SIT! +#>162 string >0 : %s + +# Macintosh Applications and Installation binaries (franklsm@tuns.ca) +# GRR: Too weak +#0 string APPL Macintosh Application (data) +#>2 string x \b: %s + +# Macintosh System files (franklsm@tuns.ca) +# GRR: Too weak +#0 string zsys Macintosh System File (data) +#0 string FNDR Macintosh Finder (data) +#0 string libr Macintosh Library (data) +#>2 string x : %s +#0 string shlb Macintosh Shared Library (data) +#>2 string x : %s +#0 string cdev Macintosh Control Panel (data) +#>2 string x : %s +#0 string INIT Macintosh Extension (data) +#>2 string x : %s +#0 string FFIL Macintosh Truetype Font (data) +#>2 string x : %s +#0 string LWFN Macintosh Postscript Font (data) +#>2 string x : %s + +# Additional Macintosh Files (franklsm@tuns.ca) +# GRR: Too weak +#0 string PACT Macintosh Compact Pro Archive (data) +#>2 string x : %s +#0 string ttro Macintosh TeachText File (data) +#>2 string x : %s +#0 string TEXT Macintosh TeachText File (data) +#>2 string x : %s +#0 string PDF Macintosh PDF File (data) +#>2 string x : %s + +# MacBinary format (Eric Fischer, enf@pobox.com) +# +# Unfortunately MacBinary doesn't really have a magic number prior +# to the MacBinary III format. The checksum is really the way to +# do it, but the magic file format isn't up to the challenge. +# +# 0 byte 0 +# 1 byte # filename length +# 2 string # filename +# 65 string # file type +# 69 string # file creator +# 73 byte # Finder flags +# 74 byte 0 +# 75 beshort # vertical posn in window +# 77 beshort # horiz posn in window +# 79 beshort # window or folder ID +# 81 byte # protected? +# 82 byte 0 +# 83 belong # length of data segment +# 87 belong # length of resource segment +# 91 belong # file creation date +# 95 belong # file modification date +# 99 beshort # length of comment after resource +# 101 byte # new Finder flags +# 102 string mBIN # (only in MacBinary III) +# 106 byte # char. code of file name +# 107 byte # still more Finder flags +# 116 belong # total file length +# 120 beshort # length of add'l header +# 122 byte 129 # for MacBinary II +# 122 byte 130 # for MacBinary III +# 123 byte 129 # minimum version that can read fmt +# 124 beshort # checksum +# +# This attempts to use the version numbers as a magic number, requiring +# that the first one be 0x80, 0x81, 0x82, or 0x83, and that the second +# be 0x81. This works for the files I have, but maybe not for everyone's. + +# Unfortunately, this magic is quite weak - MPi +#122 beshort&0xFCFF 0x8081 Macintosh MacBinary data + +# MacBinary I doesn't have the version number field at all, but MacBinary II +# has been in use since 1987 so I hope there aren't many really old files +# floating around that this will miss. The original spec calls for using +# the nulls in 0, 74, and 82 as the magic number. +# +# Another possibility, that would also work for MacBinary I, is to use +# the assumption that 65-72 will all be ASCII (0x20-0x7F), that 73 will +# have bits 1 (changed), 2 (busy), 3 (bozo), and 6 (invisible) unset, +# and that 74 will be 0. So something like +# +# 71 belong&0x80804EFF 0x00000000 Macintosh MacBinary data +# +# >73 byte&0x01 0x01 \b, inited +# >73 byte&0x02 0x02 \b, changed +# >73 byte&0x04 0x04 \b, busy +# >73 byte&0x08 0x08 \b, bozo +# >73 byte&0x10 0x10 \b, system +# >73 byte&0x10 0x20 \b, bundle +# >73 byte&0x10 0x40 \b, invisible +# >73 byte&0x10 0x80 \b, locked + +#>65 string x \b, type "%4.4s" + +#>65 string 8BIM (PhotoShop) +#>65 string ALB3 (PageMaker 3) +#>65 string ALB4 (PageMaker 4) +#>65 string ALT3 (PageMaker 3) +#>65 string APPL (application) +#>65 string AWWP (AppleWorks word processor) +#>65 string CIRC (simulated circuit) +#>65 string DRWG (MacDraw) +#>65 string EPSF (Encapsulated PostScript) +#>65 string FFIL (font suitcase) +#>65 string FKEY (function key) +#>65 string FNDR (Macintosh Finder) +#>65 string GIFf (GIF image) +#>65 string Gzip (GNU gzip) +#>65 string INIT (system extension) +#>65 string LIB\ (library) +#>65 string LWFN (PostScript font) +#>65 string MSBC (Microsoft BASIC) +#>65 string PACT (Compact Pro archive) +#>65 string PDF\ (Portable Document Format) +#>65 string PICT (picture) +#>65 string PNTG (MacPaint picture) +#>65 string PREF (preferences) +#>65 string PROJ (Think C project) +#>65 string QPRJ (Think Pascal project) +#>65 string SCFL (Defender scores) +#>65 string SCRN (startup screen) +#>65 string SITD (StuffIt Deluxe) +#>65 string SPn3 (SuperPaint) +#>65 string STAK (HyperCard stack) +#>65 string Seg\ (StuffIt segment) +#>65 string TARF (Unix tar archive) +#>65 string TEXT (ASCII) +#>65 string TIFF (TIFF image) +#>65 string TOVF (Eudora table of contents) +#>65 string WDBN (Microsoft Word word processor) +#>65 string WORD (MacWrite word processor) +#>65 string XLS\ (Microsoft Excel) +#>65 string ZIVM (compress (.Z)) +#>65 string ZSYS (Pre-System 7 system file) +#>65 string acf3 (Aldus FreeHand) +#>65 string cdev (control panel) +#>65 string dfil (Desk Acessory suitcase) +#>65 string libr (library) +#>65 string nX^d (WriteNow word processor) +#>65 string nX^w (WriteNow dictionary) +#>65 string rsrc (resource) +#>65 string scbk (Scrapbook) +#>65 string shlb (shared library) +#>65 string ttro (SimpleText read-only) +#>65 string zsys (system file) + +#>69 string x \b, creator "%4.4s" + +# Somewhere, Apple has a repository of registered Creator IDs. These are +# just the ones that I happened to have files from and was able to identify. + +#>69 string 8BIM (Adobe Photoshop) +#>69 string ALD3 (PageMaker 3) +#>69 string ALD4 (PageMaker 4) +#>69 string ALFA (Alpha editor) +#>69 string APLS (Apple Scanner) +#>69 string APSC (Apple Scanner) +#>69 string BRKL (Brickles) +#>69 string BTFT (BitFont) +#>69 string CCL2 (Common Lisp 2) +#>69 string CCL\ (Common Lisp) +#>69 string CDmo (The Talking Moose) +#>69 string CPCT (Compact Pro) +#>69 string CSOm (Eudora) +#>69 string DMOV (Font/DA Mover) +#>69 string DSIM (DigSim) +#>69 string EDIT (Macintosh Edit) +#>69 string ERIK (Macintosh Finder) +#>69 string EXTR (self-extracting archive) +#>69 string Gzip (GNU gzip) +#>69 string KAHL (Think C) +#>69 string LWFU (LaserWriter Utility) +#>69 string LZIV (compress) +#>69 string MACA (MacWrite) +#>69 string MACS (Macintosh operating system) +#>69 string MAcK (MacKnowledge terminal emulator) +#>69 string MLND (Defender) +#>69 string MPNT (MacPaint) +#>69 string MSBB (Microsoft BASIC (binary)) +#>69 string MSWD (Microsoft Word) +#>69 string NCSA (NCSA Telnet) +#>69 string PJMM (Think Pascal) +#>69 string PSAL (Hunt the Wumpus) +#>69 string PSI2 (Apple File Exchange) +#>69 string R*ch (BBEdit) +#>69 string RMKR (Resource Maker) +#>69 string RSED (Resource Editor) +#>69 string Rich (BBEdit) +#>69 string SIT! (StuffIt) +#>69 string SPNT (SuperPaint) +#>69 string Unix (NeXT Mac filesystem) +#>69 string VIM! (Vim editor) +#>69 string WILD (HyperCard) +#>69 string XCEL (Microsoft Excel) +#>69 string aCa2 (Fontographer) +#>69 string aca3 (Aldus FreeHand) +#>69 string dosa (Macintosh MS-DOS file system) +#>69 string movr (Font/DA Mover) +#>69 string nX^n (WriteNow) +#>69 string pdos (Apple ProDOS file system) +#>69 string scbk (Scrapbook) +#>69 string ttxt (SimpleText) +#>69 string ufox (Foreign File Access) + +# Just in case... + +102 string mBIN MacBinary III data with surprising version number + +# sas magic from Bruce Foster (bef@nwu.edu) +# +#0 string SAS SAS +#>8 string x %s +0 string SAS SAS +>24 string DATA data file +>24 string CATALOG catalog +>24 string INDEX data file index +>24 string VIEW data view +# sas 7+ magic from Reinhold Koch (reinhold.koch@roche.com) +# +0x54 string SAS SAS 7+ +>0x9C string DATA data file +>0x9C string CATALOG catalog +>0x9C string INDEX data file index +>0x9C string VIEW data view + +# spss magic for SPSS system and portable files, +# from Bruce Foster (bef@nwu.edu). + +0 long 0xc1e2c3c9 SPSS Portable File +>40 string x %s + +0 string $FL2 SPSS System File +>24 string x %s + +# Macintosh filesystem data +# From "Tom N Harris" <telliamed@mac.com> +# Fixed HFS+ and Partition map magic: Ethan Benson <erbenson@alaska.net> +# The MacOS epoch begins on 1 Jan 1904 instead of 1 Jan 1970, so these +# entries depend on the data arithmetic added after v.35 +# There's also some Pascal strings in here, ditto... + +# The boot block signature, according to IM:Files, is +# "for HFS volumes, this field always contains the value 0x4C4B." +# But if this is true for MFS or HFS+ volumes, I don't know. +# Alternatively, the boot block is supposed to be zeroed if it's +# unused, so a simply >0 should suffice. + +0x400 beshort 0xD2D7 Macintosh MFS data +>0 beshort 0x4C4B (bootable) +>0x40a beshort &0x8000 (locked) +>0x402 beldate-0x7C25B080 x created: %s, +>0x406 beldate-0x7C25B080 >0 last backup: %s, +>0x414 belong x block size: %d, +>0x412 beshort x number of blocks: %d, +>0x424 pstring x volume name: %s + +# "BD" gives many false positives +#0x400 beshort 0x4244 Macintosh HFS data +#>0 beshort 0x4C4B (bootable) +#>0x40a beshort &0x8000 (locked) +#>0x40a beshort ^0x0100 (mounted) +#>0x40a beshort &0x0200 (spared blocks) +#>0x40a beshort &0x0800 (unclean) +#>0x47C beshort 0x482B (Embedded HFS+ Volume) +#>0x402 beldate-0x7C25B080 x created: %s, +#>0x406 beldate-0x7C25B080 x last modified: %s, +#>0x440 beldate-0x7C25B080 >0 last backup: %s, +#>0x414 belong x block size: %d, +#>0x412 beshort x number of blocks: %d, +#>0x424 pstring x volume name: %s + +0x400 beshort 0x482B Macintosh HFS Extended +>&0 beshort x version %d data +>0 beshort 0x4C4B (bootable) +>0x404 belong ^0x00000100 (mounted) +>&2 belong &0x00000200 (spared blocks) +>&2 belong &0x00000800 (unclean) +>&2 belong &0x00008000 (locked) +>&6 string x last mounted by: '%.4s', +# really, that should be treated as a belong and we print a string +# based on the value. TN1150 only mentions '8.10' for "MacOS 8.1" +>&14 beldate-0x7C25B080 x created: %s, +# only the creation date is local time, all other timestamps in HFS+ are UTC. +>&18 bedate-0x7C25B080 x last modified: %s, +>&22 bedate-0x7C25B080 >0 last backup: %s, +>&26 bedate-0x7C25B080 >0 last checked: %s, +>&38 belong x block size: %d, +>&42 belong x number of blocks: %d, +>&46 belong x free blocks: %d + +# I don't think this is really necessary since it doesn't do much and +# anything with a valid driver descriptor will also have a valid +# partition map +#0 beshort 0x4552 Apple Device Driver data +#>&24 beshort =1 \b, MacOS + +# Is that the partition type a cstring or a pstring? Well, IM says "strings +# shorter than 32 bytes must be terminated with NULL" so I'll treat it as a +# cstring. Of course, partitions can contain more than four entries, but +# what're you gonna do? +# GRR: This magic is too weak, it is just "PM" +#0x200 beshort 0x504D Apple Partition data +#>0x2 beshort x (block size: %d): +#>0x230 string x first type: %s, +#>0x210 string x name: %s, +#>0x254 belong x number of blocks: %d, +#>0x400 beshort 0x504D +#>>0x430 string x second type: %s, +#>>0x410 string x name: %s, +#>>0x454 belong x number of blocks: %d, +#>>0x600 beshort 0x504D +#>>>0x630 string x third type: %s, +#>>>0x610 string x name: %s, +#>>>0x654 belong x number of blocks: %d, +#>>0x800 beshort 0x504D +#>>>0x830 string x fourth type: %s, +#>>>0x810 string x name: %s, +#>>>0x854 belong x number of blocks: %d, +#>>>0xa00 beshort 0x504D +#>>>>0xa30 string x fifth type: %s, +#>>>>0xa10 string x name: %s, +#>>>>0xa54 belong x number of blocks: %d +#>>>0xc00 beshort 0x504D +#>>>>0xc30 string x sixth type: %s, +#>>>>0xc10 string x name: %s, +#>>>>0xc54 belong x number of blocks: %d +## AFAIK, only the signature is different +#0x200 beshort 0x5453 Apple Old Partition data +#>0x2 beshort x block size: %d, +#>0x230 string x first type: %s, +#>0x210 string x name: %s, +#>0x254 belong x number of blocks: %d, +#>0x400 beshort 0x504D +#>>0x430 string x second type: %s, +#>>0x410 string x name: %s, +#>>0x454 belong x number of blocks: %d, +#>>0x800 beshort 0x504D +#>>>0x830 string x third type: %s, +#>>>0x810 string x name: %s, +#>>>0x854 belong x number of blocks: %d, +#>>>0xa00 beshort 0x504D +#>>>>0xa30 string x fourth type: %s, +#>>>>0xa10 string x name: %s, +#>>>>0xa54 belong x number of blocks: %d + +# From: Remi Mommsen <mommsen@slac.stanford.edu> +0 string BOMStore Mac OS X bill of materials (BOM) file + +# From: Adam Buchbinder <adam.buchbinder@gmail.com> +# URL: http://en.wikipedia.org/wiki/Datafork_TrueType +# Derived from the 'fondu' and 'ufond' source code (fondu.sf.net). 'sfnt' is +# TrueType; 'POST' is PostScript. 'FONT' and 'NFNT' sometimes appear, but I +# don't know what they mean. +0 belong 0x100 +>(0x4.L+24) beshort x +>>&4 belong 0x73666e74 Mac OSX datafork font, TrueType +>>&4 belong 0x464f4e54 Mac OSX datafork font, 'FONT' +>>&4 belong 0x4e464e54 Mac OSX datafork font, 'NFNT' +>>&4 belong 0x504f5354 Mac OSX datafork font, PostScript |