Diffstat (limited to '')
-rw-r--r-- | magic/Magdir/macintosh | 505 |
1 files changed, 505 insertions, 0 deletions
diff --git a/magic/Magdir/macintosh b/magic/Magdir/macintosh
new file mode 100644
index 0000000..a74aac4
--- /dev/null
+++ b/magic/Magdir/macintosh
@@ -0,0 +1,505 @@
+
+#------------------------------------------------------------------------------
+# $File: macintosh,v 1.36 2022/12/06 18:45:20 christos Exp $
+# macintosh description
+#
+# BinHex is the Macintosh ASCII-encoded file format (see also "apple")
+# Daniel Quinlan, quinlan@yggdrasil.com
+# Update: Joerg Jenderek
+# URL: https://en.wikipedia.org/wiki/BinHex
+# Reference: http://fileformats.archiveteam.org/wiki/BinHex
+# Note: only tested with version 4.0 and hqx extension
+# Any text/binary before the characteristic comment sentence is to be ignored like in
+# http://ftp.vim.org/pub/ftp/ftp/infomac/disk/mac-update-40b7.hqx
+0 search/1602 (This\ file\ 
+>&0 use binhex
+# http://ftp.vim.org/pub/ftp/ftp/infomac/_Disk_&_File/zap-res-forks-101.hqx
+0 search/2652/b (This\ file\ 
+>&0 use binhex
+0 name binhex
+# keep split search string format similar like in version 5.37
+>0 string must\ be\ converted\ with\ BinHex\ BinHex binary text, version
+# http://www.macdisk.com/binhexen.php3
+!:apple BNHQTEXT
+# http://www.faqs.org/faqs/macintosh/comm-faq/part1/
+>>&0 string 1.0 1.0
+!:mime application/mac-binhex
+!:ext hex
+>>&0 string 2.0 2.0
+!:mime application/mac-binhex
+!:ext hcx
+# BinHex 3.0 never existed
+>>&0 string 4.0 4.0
+!:mime application/mac-binhex40
+!:ext hqx
+# BinHex 5.0 also MacBinary I
+>>&0 string 5.0 5.0
+!:mime application/mac-binhex40
+!:ext hqx
+# this should never happen
+>>&0 default x
+>>>&0 string x %.3s
+!:mime application/mac-binhex
+!:ext hqx
+
+# Stuffit archives are the de facto standard of compression for Macintosh
+# files obtained from most archives. (franklsm@tuns.ca)
+0 string SIT! StuffIt Archive (data)
+!:mime application/x-stuffit
+!:apple SIT!SIT!
+>2 string x : %s
+0 string SITD StuffIt Deluxe (data)
+>2 string x : %s
+0 string Seg StuffIt Deluxe Segment (data)
+>2 string x : %s
+
+# Newer StuffIt archives (grant@netbsd.org)
+0 string StuffIt StuffIt Archive
+!:mime application/x-stuffit
+!:apple SIT!SIT!
+#>162 string >0 : %s
+
+# Macintosh Applications and Installation binaries (franklsm@tuns.ca)
+# GRR: Too weak
+#0 string APPL Macintosh Application (data)
+#>2 string x \b: %s
+
+# Macintosh System files (franklsm@tuns.ca)
+# GRR: Too weak
+#0 string zsys Macintosh System File (data)
+#0 string FNDR Macintosh Finder (data)
+#0 string libr Macintosh Library (data)
+#>2 string x : %s
+#0 string shlb Macintosh Shared Library (data)
+#>2 string x : %s
+#0 string cdev Macintosh Control Panel (data)
+#>2 string x : %s
+#0 string INIT Macintosh Extension (data)
+#>2 string x : %s
+#0 string FFIL Macintosh Truetype Font (data)
+#>2 string x : %s
+#0 string LWFN Macintosh Postscript Font (data)
+#>2 string x : %s
+
+# Additional Macintosh Files (franklsm@tuns.ca)
+# GRR: Too weak
+#0 string PACT Macintosh Compact Pro Archive (data)
+#>2 string x : %s
+#0 string ttro Macintosh TeachText File (data)
+#>2 string x : %s
+#0 string TEXT Macintosh TeachText File (data)
+#>2 string x : %s
+#0 string PDF Macintosh PDF File (data)
+#>2 string x : %s
+
+# MacBinary format (Eric Fischer, enf@pobox.com)
+# Update: Joerg Jenderek
+# URL: https://en.wikipedia.org/wiki/MacBinary
+# http://fileformats.archiveteam.org/wiki/MacBinary
+# Reference: https://files.stairways.com/other/macbinaryii-standard-info.txt
+# Note: verified by macutils `macunpack -i -v BBEdit4.0.sit.bin` and
+# `deark -l -d -m macbinary G3FirmwareUpdate1.1.smi.bin`
+#
+# Unfortunately MacBinary doesn't really have a magic number prior
+# to the MacBinary III format.
+#
+
+# old version number, must be kept at zero for compatibility
+0 byte 0
+# length of filename (must be in the range 1-63)
+>1 ubyte >0
+# skip T.PIC.LZ INSTRUMENT.7T INVENTORY
+>>1 ubyte <64
+# skip Docs.MWII ReadMe.MacWrite "Notes (MacWrite II)"
+# by looking for printable characters at beginning of file name
+>>>2 ubelong >0x1F000000
+# zero fill, must be zero for compatibility
+>>>>74 byte 0
+# zero fill, must be zero for compatibility
+>>>>>82 byte 0
+# skip few DEGAS mid-res uncompressed bitmap (GEMINI03.PI2 CODE_RAM.PI2) with "too high" file names ffffff88 ffff4f00
+>>>>>>2 ubelong <0xffff0000
+# MacBinary I test for valid version numbers
+>>>>>>>122 ubeshort 0
+# additional check for undefined header fields in MacBinary I
+#>>>>>>>>101 ulong 0
+>>>>>>>>0 use mac-bin
+# MacBinary II the newer versions begins at 129
+>>>>>>>122 ubeshort 0x8181
+>>>>>>>>0 use mac-bin
+# MacBinary III with MacBinary II to read
+>>>>>>122 ubeshort 0x8281
+>>>>>>>0 use mac-bin
+
+# display information of MacBinary file
+0 name mac-bin
+>122 ubyte x MacBinary
+# versions for MacBinary II/III
+>122 ubyte 129 II
+>122 ubyte 130 III
+# only in MacBinary III
+>>102 string !mBIN with surprising version
+!:mime application/x-macbinary
+!:apple PSPTBINA
+!:ext bin/macbin
+# THIS SHOULD NEVER HAPPEN! Maybe another file type is misidentified as MacBinary
+#>1 ubyte >63 \b, name length %u too BIG!
+#>122 ubeshort x \b, version %#x
+# Finder flags if not 0
+# >73 byte !0 \b, flags 0x
+# >73 byte =0
+# >>101 byte !0 \b, flags 0x
+# # original Finder flags (Bits 8-15)
+# >73 byte !0 \b%x
+# # finder flags, bits 0-7
+# >101 byte !0 \b%x
+>73 byte &0x01 \b, inited
+>73 byte &0x02 \b, changed
+>73 byte &0x04 \b, busy
+>73 byte &0x08 \b, bozo
+>73 byte &0x10 \b, system
+>73 byte &0x20 \b, bundle
+>73 byte &0x40 \b, invisible
+>73 byte &0x80 \b, locked
+
+# 75 beshort # vertical posn in window
+#>75 beshort !0 \b, v.pos %u
+# 77 beshort # horiz posn in window
+#>77 beshort !0 \b, h.pos %u
+# 79 beshort # window or folder ID
+>79 ubeshort !0 \b, ID %#x
+# protected flag
+>81 byte !0 \b, protected %#x
+# length of comment after resource
+>99 ubeshort !0 \b, comment length %u
+# char. code of file name
+>106 ubyte !0 \b, char. code %#x
+# still more Finder flags
+>107 ubyte !0 \b, more flags %#x
+# length of total files when unpacked only used when pack and unpack on the fly
+>116 ubelong !0 \b, total length %u
+# 120 beshort # length of add'l header
+>120 ubeshort !0 \b, 2nd header length %u
+# 124 beshort # checksum
+#>124 ubeshort !0 \b, CRC %#x
+# creation date in seconds since MacOS epoch start. So 1 Jan 1970 ~ 7C25B080
+# few (31/1247) examples (hinkC4.0.sitx.bin InternetExplorer5.1.smi.bin G3FirmwareUpdate1.1.smi.bin Firewire2.3.3.smi.bin LR2image.bin) contain zeroed date fields
+>91 long !0
+>>91 beldate-0x7C25B080 x \b, %s
+# THIS SHOULD NEVER HAPPEN! Maybe another file type is misidentified or time overflow
+>91 ubelong <0x7c25b080 INVALID date
+# reported date seconds by deark
+#>91 ubelong x deark-DATE=%u
+# last modified date
+>95 long !0
+>>95 beldate-0x7C25B080 x \b, modified %s
+# Apple creator+typ if not null
+# file creator (normally expressed as four characters)
+>69 ulong !0 \b, creator
+# instead 4 character code display full creator name
+>>69 use apple-creator
+# file type (normally expressed as four characters)
+>65 ulong !0 \b, type
+>>65 use apple-type
+# length of data segment
+>83 ubelong !0 \b, %u bytes
+# filename (in the range 1-63)
+# like "BBEdit4.0.sit" "Archive.sitx" "MacPGP 2.2 (.sea)"
+>1 pstring x "%s"
+# print 1 space and then at offset 128 inspect data fork content if it has one
+>83 ubelong !0 \b
+>>128 indirect x
+# Afterwards resource fork if length of resource segment not zero
+>87 ubelong !0
+# calculate resource fork offset
+>>83 ubelong+128 x \b, at %#x
+# length of resource segment
+>>87 ubelong !0 %u bytes
+>>(83.S+128) ubequad x resource
+# further resource fork content inspection
+>>>&-8 indirect x
+
+# Apple Type/Creator Database
+# URL: https://en.wikipedia.org/wiki/Type_code
+# Reference: https://www.lacikam.co.il/tcdb/
+# https://www.macdisk.com/macsigen.php
+# Note: classic Mac OS files have two 4 character codes for type and creator.
+# Thereby the Finder attach documents types to applications.
+
+#>65 string x \b, type "%4.4s"
+
+# display information about apple type
+0 name apple-type
+>0 string 8BIM PhotoShop
+>0 string ALB3 PageMaker 3
+>0 string ALB4 PageMaker 4
+>0 string ALT3 PageMaker 3
+>0 string APPL application
+>0 string AWWP AppleWorks word processor
+>0 string CIRC simulated circuit
+>0 string DRWG MacDraw
+>0 string EPSF Encapsulated PostScript
+>0 string FFIL font suitcase
+>0 string FKEY function key
+>0 string FNDR Macintosh Finder
+>0 string GIFf GIF image
+>0 string Gzip GNU gzip
+>0 string INIT system extension
+>0 string LIB\ library
+>0 string LWFN PostScript font
+>0 string MSBC Microsoft BASIC
+>0 string PACT Compact Pro archive
+>0 string PDF\ Portable Document Format
+>0 string PICT picture
+>0 string PNTG MacPaint picture
+>0 string PREF preferences
+>0 string PROJ Think C project
+>0 string QPRJ Think Pascal project
+>0 string SCFL Defender scores
+>0 string SCRN startup screen
+>0 string SITD StuffIt Deluxe
+>0 string SPn3 SuperPaint
+>0 string STAK HyperCard stack
+>0 string Seg\ StuffIt segment
+>0 string TARF Unix tar archive
+>0 string TEXT ASCII
+>0 string TIFF TIFF image
+>0 string TOVF Eudora table of contents
+>0 string WDBN Microsoft Word word processor
+>0 string WORD MacWrite word processor
+>0 string XLS\ Microsoft Excel
+>0 string ZIVM compress (.Z)
+>0 string ZSYS Pre-System 7 system file
+>0 string acf3 Aldus FreeHand
+>0 string cdev control panel
+>0 string dfil Desk Accessory suitcase
+>0 string libr library
+>0 string nX^d WriteNow word processor
+>0 string nX^w WriteNow dictionary
+>0 string rsrc resource
+>0 string scbk Scrapbook
+>0 string shlb shared library
+>0 string ttro SimpleText read-only
+>0 string zsys system file
+
+# additional types added in Dec 2017
+>0 string BINA binary file
+>0 string BMPp BMP image
+>0 string JPEG JPEG image
+#>0 string W4BN Microsoft Word x.y word processor?
+# if type name is not known display 4 character identifier
+>0 default x
+>>0 string x '%4.4s'
+
+#>69 string x \b, creator "%4.4s"
+
+# Now Apple has no repository of registered Creator IDs any more. These are
+# just the ones that I happened to have files from and was able to identify.
+
+# display information about apple creator
+0 name apple-creator
+>0 string 8BIM Adobe Photoshop
+>0 string ALD3 PageMaker 3
+>0 string ALD4 PageMaker 4
+>0 string ALFA Alpha editor
+>0 string APLS Apple Scanner
+>0 string APSC Apple Scanner
+>0 string BRKL Brickles
+>0 string BTFT BitFont
+>0 string CCL2 Common Lisp 2
+>0 string CCL\ Common Lisp
+>0 string CDmo The Talking Moose
+>0 string CPCT Compact Pro
+>0 string CSOm Eudora
+>0 string DMOV Font/DA Mover
+>0 string DSIM DigSim
+>0 string EDIT Macintosh Edit
+>0 string ERIK Macintosh Finder
+>0 string EXTR self-extracting archive
+>0 string Gzip GNU gzip
+>0 string KAHL Think C
+>0 string LWFU LaserWriter Utility
+>0 string LZIV compress
+>0 string MACA MacWrite
+>0 string MACS Macintosh operating system
+>0 string MAcK MacKnowledge terminal emulator
+>0 string MLND Defender
+>0 string MPNT MacPaint
+>0 string MSBB Microsoft BASIC (binary)
+>0 string MSWD Microsoft Word
+>0 string NCSA NCSA Telnet
+>0 string PJMM Think Pascal
+>0 string PSAL Hunt the Wumpus
+#>0 string PSI2 Apple File Exchange
+>0 string R*ch BBEdit
+>0 string RMKR Resource Maker
+>0 string RSED Resource Editor
+>0 string Rich BBEdit
+>0 string SIT! StuffIt
+>0 string SPNT SuperPaint
+>0 string Unix NeXT Mac filesystem
+>0 string VIM! Vim editor
+>0 string WILD HyperCard
+>0 string XCEL Microsoft Excel
+>0 string aCa2 Fontographer
+>0 string aca3 Aldus FreeHand
+>0 string dosa Macintosh MS-DOS file system
+>0 string movr Font/DA Mover
+>0 string nX^n WriteNow
+>0 string pdos Apple ProDOS file system
+>0 string scbk Scrapbook
+>0 string ttxt SimpleText
+>0 string ufox Foreign File Access
+# additional creators added in Dec 2017
+# Claris/Apple Works
+>0 string BOBO Apple Works
+# CU-SeeMe_0.87b3_(68K).bin
+#>0 string CUce bar
+>0 string PSPT Apple File Exchange
+# Disk_Copy_4.2.sea.bin
+#>0 string NCse foo
+# probably StuffIt/Aladdin by Smith Micro Software, Inc.
+>0 string STi0 stuffit
+# MacGzip-1.1.3.sea.bin
+#>0 string aust bar
+# D-Disk_Copy_6.3.3.smi.bin
+>0 string oneb Disk Copy Self Mounting
+# if creator name is not known display 4 character identifier
+>0 default x
+>>0 string x '%4.4s'
+
+# sas magic from Bruce Foster (bef@nwu.edu)
+#
+#0 string SAS SAS
+#>8 string x %s
+0 string SAS SAS
+>24 string DATA data file
+>24 string CATALOG catalog
+>24 string INDEX data file index
+>24 string VIEW data view
+# sas 7+ magic from Reinhold Koch (reinhold.koch@roche.com)
+#
+0x54 string SAS SAS 7+
+>0x9C string DATA data file
+>0x9C string CATALOG catalog
+>0x9C string INDEX data file index
+>0x9C string VIEW data view
+
+# spss magic for SPSS system and portable files,
+# from Bruce Foster (bef@nwu.edu).
+
+0 long 0xc1e2c3c9 SPSS Portable File
+>40 string x %s
+
+0 string $FL2 SPSS System File
+>24 string x %s
+
+0 string $FL3 SPSS System File
+>24 string x %s
+
+# Macintosh filesystem data
+# From "Tom N Harris" <telliamed@mac.com>
+# Fixed HFS+ and Partition map magic: Ethan Benson <erbenson@alaska.net>
+# The MacOS epoch begins on 1 Jan 1904 instead of 1 Jan 1970, so these
+# entries depend on the data arithmetic added after v.35
+# There's also some Pascal strings in here, ditto...
+
+# The boot block signature, according to IM:Files, is
+# "for HFS volumes, this field always contains the value 0x4C4B."
+# But if this is true for MFS or HFS+ volumes, I don't know.
+# Alternatively, the boot block is supposed to be zeroed if it's
+# unused, so a simply >0 should suffice.
+
+0x400 beshort 0xD2D7 Macintosh MFS data
+>0 beshort 0x4C4B (bootable)
+>0x40a beshort &0x8000 (locked)
+>0x402 beldate-0x7C25B080 x created: %s,
+>0x406 beldate-0x7C25B080 >0 last backup: %s,
+>0x414 belong x block size: %d,
+>0x412 beshort x number of blocks: %d,
+>0x424 pstring x volume name: %s
+
+# *.hfs updated by Joerg Jenderek
+# https://en.wikipedia.org/wiki/Hierarchical_File_System
+# "BD" gives many false positives
+0x400 beshort 0x4244
+# ftp://ftp.mars.org/pub/hfs/hfsutils-3.2.6.tar.gz/hfsutils-3.2.6/libhfs/apple.h
+# first block of volume bit map (always 3)
+>0x40e ubeshort 0x0003
+# maximal length of volume name is 27
+>>0x424 ubyte <28 Macintosh HFS data
+!:mime application/x-apple-diskimage
+#!:apple hfsdINIT
+#!:apple MACSdisk
+# https://www.macdisk.com/macsigen.php
+#!:apple ddskdevi
+!:apple ????devi
+# https://en.wikipedia.org/wiki/Apple_Disk_Image
+!:ext hfs/dmg
+>>>0 beshort 0x4C4B (bootable)
+#>>>0 beshort 0x0000 (not bootable)
+>>>0x40a beshort &0x8000 (locked)
+>>>0x40a beshort ^0x0100 (mounted)
+>>>0x40a beshort &0x0200 (spared blocks)
+>>>0x40a beshort &0x0800 (unclean)
+>>>0x47C beshort 0x482B (Embedded HFS+ Volume)
+# https://www.epochconverter.com/
+# 0x7C245F00 seconds ~ 2082758400 ~ 01 Jan 2036 00:00:00 ~ 66 years to 1970
+# 0x7C25B080 seconds ~ 2082844800 ~ 02 Jan 2036 00:00:00
+# construct not working
+#>>>0x402 beldate-0x7C25B080 x created: %s,
+#>>>0x406 beldate-0x7C25B080 x last modified: %s,
+#>>>0x440 beldate-0x7C25B080 >0 last backup: %s,
+# found block sizes 200h,1200h,2800h
+>>>0x414 belong x block size: %d,
+>>>0x412 beshort x number of blocks: %d,
+>>>0x424 pstring x volume name: %s
+
+0 name hfsplus
+>&0 beshort x version %d data
+>0 beshort 0x4C4B (bootable)
+>0x404 belong ^0x00000100 (mounted)
+>&2 belong &0x00000200 (spared blocks)
+>&2 belong &0x00000800 (unclean)
+>&2 belong &0x00008000 (locked)
+>&6 string x last mounted by: '%.4s',
+# really, that should be treated as a belong and we print a string
+# based on the value. TN1150 only mentions '8.10' for "MacOS 8.1"
+>&14 beldate-0x7C25B080 x created: %s,
+# only the creation date is local time, all other timestamps in HFS+ are UTC.
+>&18 bedate-0x7C25B080 x last modified: %s,
+>&22 bedate-0x7C25B080 >0 last backup: %s,
+>&26 bedate-0x7C25B080 >0 last checked: %s,
+>&38 belong x block size: %d,
+>&42 belong x number of blocks: %d,
+>&46 belong x free blocks: %d
+
+0x400 beshort 0x482B Apple HFS Plus
+>&0 use hfsplus
+0x400 beshort 0x4858 Apple HFS Plus Extended
+>&0 use hfsplus
+
+## AFAIK, only the signature is different
+# same as Apple Partition Map
+# GRR: This magic is too weak, it is just "TS"
+#0x200 beshort 0x5453 Apple Old Partition data
+#>0x2 beshort x block size: %d,
+#>0x230 string x first type: %s,
+#>0x210 string x name: %s,
+#>0x254 belong x number of blocks: %d,
+#>0x400 beshort 0x504D
+#>>0x430 string x second type: %s,
+#>>0x410 string x name: %s,
+#>>0x454 belong x number of blocks: %d,
+#>>0x800 beshort 0x504D
+#>>>0x830 string x third type: %s,
+#>>>0x810 string x name: %s,
+#>>>0x854 belong x number of blocks: %d,
+#>>>0xa00 beshort 0x504D
+#>>>>0xa30 string x fourth type: %s,
+#>>>>0xa10 string x name: %s,
+#>>>>0xa54 belong x number of blocks: %d
+
+# From: Remi Mommsen <mommsen@slac.stanford.edu>
+0 string BOMStore Mac OS X bill of materials (BOM) file
+ |
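Review bot: In the `mac-bin` section the `>91 ubelong <0x7c25b080 INVALID date` test sits at level 1, outside the `>91 long !0` guard, so it also matches a zeroed creation date, which the comment just above it says occurs in real samples (31/1247). Those files are then reported with "INVALID date", and without the `\b, ` separator the neighbouring fields use; nesting it as `>>91 ubelong <0x7c25b080 \b, INVALID date` under the guard would keep the warning for non-zero pre-1970 values only. Separately, `>>(83.S+128)` appears to read a 16-bit big-endian value from the data-fork length that the preceding `>>83 ubelong+128` line treats as 32-bit, so the resource-fork `indirect` would probably not land on the resource fork when a data fork is present; `(83.L+128)` looks like what was intended, to be confirmed against magic(5). Anything that keys on this output for triage or upload filtering inherits both quirks, and if the file is an unmodified import of upstream file(1) they are better reported upstream than patched locally.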