path: root/magic/Magdir/macintosh

#------------------------------------------------------------------------------
# $File: macintosh,v 1.22 2011/05/17 17:40:31 rrt Exp $
# macintosh description
#
# BinHex is the Macintosh ASCII-encoded file format (see also "apple")
# Daniel Quinlan, quinlan@yggdrasil.com
11	string	must\ be\ converted\ with\ BinHex	BinHex binary text
!:mime	application/mac-binhex40
>41	string	x					\b, version %.3s

# Stuffit archives are the de facto standard of compression for Macintosh
# files obtained from most archives. (franklsm@tuns.ca)
0	string		SIT!			StuffIt Archive (data)
!:mime	application/x-stuffit
!:apple	SIT!SIT!
>2	string		x			: %s
0	string		SITD			StuffIt Deluxe (data)
>2	string		x			: %s
0	string		Seg			StuffIt Deluxe Segment (data)
>2	string		x			: %s

# Newer StuffIt archives (grant@netbsd.org)
0	string		StuffIt			StuffIt Archive
!:mime	application/x-stuffit
!:apple	SIT!SIT!
#>162	string		>0			: %s

# Macintosh Applications and Installation binaries (franklsm@tuns.ca)
# GRR: Too weak
#0	string		APPL			Macintosh Application (data)
#>2	string		x			\b: %s

# Macintosh System files (franklsm@tuns.ca)
# GRR: Too weak
#0	string		zsys			Macintosh System File (data)
#0	string		FNDR			Macintosh Finder (data)
#0	string		libr			Macintosh Library (data)
#>2	string		x			: %s
#0	string		shlb			Macintosh Shared Library (data)
#>2	string		x			: %s
#0	string		cdev			Macintosh Control Panel (data)
#>2	string		x			: %s
#0	string		INIT			Macintosh Extension (data)
#>2	string		x			: %s
#0	string		FFIL			Macintosh Truetype Font (data)
#>2	string		x			: %s
#0	string		LWFN			Macintosh Postscript Font (data)
#>2	string		x			: %s

# Additional Macintosh Files (franklsm@tuns.ca)
# GRR: Too weak
#0	string		PACT			Macintosh Compact Pro Archive (data)
#>2	string		x			: %s
#0	string		ttro			Macintosh TeachText File (data)
#>2	string		x			: %s
#0	string		TEXT			Macintosh TeachText File (data)
#>2	string		x			: %s
#0	string		PDF			Macintosh PDF File (data)
#>2	string		x			: %s

# MacBinary format (Eric Fischer, enf@pobox.com)
#
# Unfortunately MacBinary doesn't really have a magic number prior
# to the MacBinary III format.  The checksum is really the way to
# do it, but the magic file format isn't up to the challenge.
#
# 0	byte		0
# 1	byte				# filename length
# 2	string				# filename
# 65    string				# file type
# 69	string				# file creator
# 73	byte				# Finder flags
# 74	byte		0
# 75	beshort				# vertical posn in window
# 77	beshort				# horiz posn in window
# 79	beshort				# window or folder ID
# 81    byte				# protected?
# 82	byte		0
# 83	belong				# length of data segment
# 87	belong				# length of resource segment
# 91	belong				# file creation date
# 95	belong				# file modification date
# 99	beshort				# length of comment after resource
# 101	byte				# new Finder flags
# 102	string		mBIN		# (only in MacBinary III)
# 106	byte				# char. code of file name
# 107	byte				# still more Finder flags
# 116	belong				# total file length
# 120	beshort				# length of add'l header
# 122	byte		129		# for MacBinary II
# 122	byte		130		# for MacBinary III
# 123	byte		129		# minimum version that can read fmt
# 124	beshort				# checksum
#
# This attempts to use the version numbers as a magic number, requiring
# that the first one be 0x80, 0x81, 0x82, or 0x83, and that the second
# be 0x81.  This works for the files I have, but maybe not for everyone's.

# Unfortunately, this magic is quite weak - MPi
#122	beshort&0xFCFF	0x8081		Macintosh MacBinary data

# MacBinary I doesn't have the version number field at all, but MacBinary II
# has been in use since 1987 so I hope there aren't many really old files
# floating around that this will miss.  The original spec calls for using
# the nulls in 0, 74, and 82 as the magic number.
#
# Another possibility, that would also work for MacBinary I, is to use
# the assumption that 65-72 will all be ASCII (0x20-0x7F), that 73 will
# have bits 1 (changed), 2 (busy), 3 (bozo), and 6 (invisible) unset,
# and that 74 will be 0.  So something like
# 
# 71 	belong&0x80804EFF 0x00000000 	Macintosh MacBinary data
# 
# >73	byte&0x01	0x01		\b, inited
# >73	byte&0x02	0x02		\b, changed
# >73	byte&0x04	0x04		\b, busy
# >73	byte&0x08	0x08		\b, bozo
# >73	byte&0x10	0x10		\b, system
# >73	byte&0x10	0x20		\b, bundle
# >73	byte&0x10	0x40		\b, invisible
# >73	byte&0x10	0x80		\b, locked

#>65	string		x		\b, type "%4.4s"

#>65	string		8BIM		(PhotoShop)
#>65	string		ALB3		(PageMaker 3)
#>65	string		ALB4		(PageMaker 4)
#>65	string		ALT3		(PageMaker 3)
#>65	string		APPL		(application)
#>65	string		AWWP		(AppleWorks word processor)
#>65	string		CIRC		(simulated circuit)
#>65	string		DRWG		(MacDraw)
#>65	string		EPSF		(Encapsulated PostScript)
#>65	string		FFIL		(font suitcase)
#>65	string		FKEY		(function key)
#>65	string		FNDR		(Macintosh Finder)
#>65	string		GIFf		(GIF image)
#>65	string		Gzip		(GNU gzip)
#>65	string		INIT		(system extension)
#>65	string		LIB\ 		(library)
#>65	string		LWFN		(PostScript font)
#>65	string		MSBC		(Microsoft BASIC)
#>65	string		PACT		(Compact Pro archive)
#>65	string		PDF\ 		(Portable Document Format)
#>65	string		PICT		(picture)
#>65	string		PNTG		(MacPaint picture)
#>65	string		PREF		(preferences)
#>65	string		PROJ		(Think C project)
#>65	string		QPRJ		(Think Pascal project)
#>65	string		SCFL		(Defender scores)
#>65	string		SCRN		(startup screen)
#>65	string		SITD		(StuffIt Deluxe)
#>65	string		SPn3		(SuperPaint)
#>65	string		STAK		(HyperCard stack)
#>65	string		Seg\ 		(StuffIt segment)
#>65	string		TARF		(Unix tar archive)
#>65	string		TEXT		(ASCII)
#>65	string		TIFF		(TIFF image)
#>65	string		TOVF		(Eudora table of contents)
#>65	string		WDBN		(Microsoft Word word processor)
#>65	string		WORD		(MacWrite word processor)
#>65	string		XLS\ 		(Microsoft Excel)
#>65	string		ZIVM		(compress (.Z))
#>65	string		ZSYS		(Pre-System 7 system file)
#>65	string		acf3		(Aldus FreeHand)
#>65	string		cdev		(control panel)
#>65	string		dfil		(Desk Acessory suitcase)
#>65	string		libr		(library)
#>65	string		nX^d		(WriteNow word processor)
#>65	string		nX^w		(WriteNow dictionary)
#>65	string		rsrc		(resource)
#>65	string		scbk		(Scrapbook)
#>65	string		shlb		(shared library)
#>65	string		ttro		(SimpleText read-only)
#>65	string		zsys		(system file)

#>69	string		x		\b, creator "%4.4s"

# Somewhere, Apple has a repository of registered Creator IDs.  These are
# just the ones that I happened to have files from and was able to identify.

#>69	string		8BIM		(Adobe Photoshop)
#>69	string		ALD3		(PageMaker 3)
#>69	string		ALD4		(PageMaker 4)
#>69	string		ALFA		(Alpha editor)
#>69	string		APLS		(Apple Scanner)
#>69	string		APSC		(Apple Scanner)
#>69	string		BRKL		(Brickles)
#>69	string		BTFT		(BitFont)
#>69	string		CCL2 		(Common Lisp 2)
#>69	string		CCL\ 		(Common Lisp)
#>69	string		CDmo		(The Talking Moose)
#>69	string		CPCT		(Compact Pro)
#>69	string		CSOm		(Eudora)
#>69	string		DMOV		(Font/DA Mover)
#>69	string		DSIM		(DigSim)
#>69	string		EDIT		(Macintosh Edit)
#>69	string		ERIK		(Macintosh Finder)
#>69	string		EXTR		(self-extracting archive)
#>69	string		Gzip		(GNU gzip)
#>69	string		KAHL		(Think C)
#>69	string		LWFU		(LaserWriter Utility)
#>69	string		LZIV		(compress)
#>69	string		MACA		(MacWrite)
#>69	string		MACS		(Macintosh operating system)
#>69	string		MAcK		(MacKnowledge terminal emulator)
#>69	string		MLND		(Defender)
#>69	string		MPNT		(MacPaint)
#>69	string		MSBB		(Microsoft BASIC (binary))
#>69	string		MSWD		(Microsoft Word)
#>69	string		NCSA		(NCSA Telnet)
#>69	string		PJMM		(Think Pascal)
#>69	string		PSAL		(Hunt the Wumpus)
#>69	string		PSI2		(Apple File Exchange)
#>69	string		R*ch		(BBEdit)
#>69	string		RMKR		(Resource Maker)
#>69	string		RSED		(Resource Editor)
#>69	string		Rich		(BBEdit)
#>69	string		SIT!		(StuffIt)
#>69	string		SPNT		(SuperPaint)
#>69	string		Unix		(NeXT Mac filesystem)
#>69	string		VIM!		(Vim editor)
#>69	string		WILD		(HyperCard)
#>69	string		XCEL		(Microsoft Excel)
#>69	string		aCa2		(Fontographer)
#>69	string		aca3		(Aldus FreeHand)
#>69	string		dosa		(Macintosh MS-DOS file system)
#>69	string		movr		(Font/DA Mover)
#>69	string		nX^n		(WriteNow)
#>69	string		pdos		(Apple ProDOS file system)
#>69	string		scbk		(Scrapbook)
#>69	string		ttxt		(SimpleText)
#>69	string		ufox		(Foreign File Access)

# Just in case...

102	string		mBIN		MacBinary III data with surprising version number

# sas magic from Bruce Foster (bef@nwu.edu)
#
#0	string		SAS		SAS
#>8	string		x		%s
0	string		SAS		SAS
>24	string		DATA		data file
>24	string		CATALOG		catalog
>24	string		INDEX		data file index
>24	string		VIEW		data view
# sas 7+ magic from Reinhold Koch (reinhold.koch@roche.com)
#
0x54    string          SAS             SAS 7+
>0x9C   string          DATA            data file
>0x9C   string          CATALOG         catalog
>0x9C   string          INDEX           data file index
>0x9C   string          VIEW            data view

# spss magic for SPSS system and portable files, 
#	 from Bruce Foster (bef@nwu.edu).

0	long		0xc1e2c3c9	SPSS Portable File
>40	string 		x		%s

0	string		$FL2		SPSS System File
>24	string		x		%s

# Macintosh filesystem data
# From "Tom N Harris" <telliamed@mac.com>
# Fixed HFS+ and Partition map magic: Ethan Benson <erbenson@alaska.net>
# The MacOS epoch begins on 1 Jan 1904 instead of 1 Jan 1970, so these
# entries depend on the data arithmetic added after v.35
# There's also some Pascal strings in here, ditto...

# The boot block signature, according to IM:Files, is 
# "for HFS volumes, this field always contains the value 0x4C4B."
# But if this is true for MFS or HFS+ volumes, I don't know.
# Alternatively, the boot block is supposed to be zeroed if it's
# unused, so a simply >0 should suffice.

0x400	beshort			0xD2D7		Macintosh MFS data
>0	beshort			0x4C4B		(bootable)
>0x40a	beshort			&0x8000		(locked)
>0x402	beldate-0x7C25B080	x		created: %s,
>0x406	beldate-0x7C25B080	>0		last backup: %s,
>0x414	belong			x		block size: %d,
>0x412	beshort			x		number of blocks: %d,
>0x424	pstring			x		volume name: %s

# "BD" gives many false positives
#0x400	beshort			0x4244		Macintosh HFS data
#>0	beshort			0x4C4B		(bootable)
#>0x40a	beshort			&0x8000		(locked)
#>0x40a	beshort			^0x0100		(mounted)
#>0x40a	beshort			&0x0200		(spared blocks)
#>0x40a	beshort			&0x0800		(unclean)
#>0x47C	beshort			0x482B		(Embedded HFS+ Volume)
#>0x402	beldate-0x7C25B080	x		created: %s,
#>0x406	beldate-0x7C25B080	x		last modified: %s,
#>0x440	beldate-0x7C25B080	>0		last backup: %s,
#>0x414	belong			x		block size: %d,
#>0x412	beshort			x		number of blocks: %d,
#>0x424	pstring			x		volume name: %s

0x400	beshort			0x482B		Macintosh HFS Extended
>&0	beshort			x		version %d data
>0	beshort			0x4C4B		(bootable)
>0x404	belong			^0x00000100	(mounted)
>&2	belong			&0x00000200	(spared blocks)
>&2	belong			&0x00000800	(unclean)
>&2	belong			&0x00008000	(locked)
>&6	string			x		last mounted by: '%.4s',
# really, that should be treated as a belong and we print a string
# based on the value. TN1150 only mentions '8.10' for "MacOS 8.1"
>&14	beldate-0x7C25B080	x		created: %s,
# only the creation date is local time, all other timestamps in HFS+ are UTC.
>&18	bedate-0x7C25B080	x		last modified: %s,
>&22	bedate-0x7C25B080	>0		last backup: %s,
>&26	bedate-0x7C25B080	>0		last checked: %s,
>&38	belong			x		block size: %d,
>&42	belong			x		number of blocks: %d,
>&46	belong			x		free blocks: %d

# I don't think this is really necessary since it doesn't do much and 
# anything with a valid driver descriptor will also have a valid
# partition map
#0		beshort		0x4552		Apple Device Driver data
#>&24		beshort		=1		\b, MacOS

# Is that the partition type a cstring or a pstring? Well, IM says "strings 
# shorter than 32 bytes must be terminated with NULL" so I'll treat it as a 
# cstring. Of course, partitions can contain more than four entries, but 
# what're you gonna do?
# GRR: This magic is too weak, it is just "PM"
#0x200		beshort		0x504D		Apple Partition data
#>0x2		beshort		x		(block size: %d):
#>0x230		string		x		first type: %s,
#>0x210		string		x		name: %s,
#>0x254		belong		x		number of blocks: %d,
#>0x400		beshort		0x504D		
#>>0x430		string		x		second type: %s,
#>>0x410		string		x		name: %s,
#>>0x454		belong		x		number of blocks: %d,
#>>0x600		beshort		0x504D
#>>>0x630	string		x		third type: %s,
#>>>0x610	string		x		name: %s,
#>>>0x654	belong		x		number of blocks: %d,
#>>0x800		beshort		0x504D		
#>>>0x830	string		x		fourth type: %s,
#>>>0x810	string		x		name: %s,
#>>>0x854	belong		x		number of blocks: %d,
#>>>0xa00	beshort		0x504D		
#>>>>0xa30	string		x		fifth type: %s,
#>>>>0xa10	string		x		name: %s,
#>>>>0xa54	belong		x		number of blocks: %d
#>>>0xc00	beshort		0x504D
#>>>>0xc30	string		x		sixth type: %s,
#>>>>0xc10	string		x		name: %s,
#>>>>0xc54	belong		x		number of blocks: %d
## AFAIK, only the signature is different
#0x200		beshort		0x5453		Apple Old Partition data
#>0x2		beshort		x		block size: %d,
#>0x230		string		x		first type: %s,
#>0x210		string		x		name: %s,
#>0x254		belong		x		number of blocks: %d,
#>0x400		beshort		0x504D		
#>>0x430		string		x		second type: %s,
#>>0x410		string		x		name: %s,
#>>0x454		belong		x		number of blocks: %d,
#>>0x800		beshort		0x504D		
#>>>0x830	string		x		third type: %s,
#>>>0x810	string		x		name: %s,
#>>>0x854	belong		x		number of blocks: %d,
#>>>0xa00	beshort		0x504D		
#>>>>0xa30	string		x		fourth type: %s,
#>>>>0xa10	string		x		name: %s,
#>>>>0xa54	belong		x		number of blocks: %d

# From: Remi Mommsen <mommsen@slac.stanford.edu>
0		string		BOMStore	Mac OS X bill of materials (BOM) file

# From: Adam Buchbinder <adam.buchbinder@gmail.com>
# URL: http://en.wikipedia.org/wiki/Datafork_TrueType
# Derived from the 'fondu' and 'ufond' source code (fondu.sf.net). 'sfnt' is
# TrueType; 'POST' is PostScript. 'FONT' and 'NFNT' sometimes appear, but I
# don't know what they mean.
0	belong	0x100
>(0x4.L+24)	beshort	x
>>&4	belong	0x73666e74	Mac OSX datafork font, TrueType
>>&4	belong	0x464f4e54	Mac OSX datafork font, 'FONT'
>>&4	belong	0x4e464e54	Mac OSX datafork font, 'NFNT'
>>&4	belong	0x504f5354	Mac OSX datafork font, PostScript