1 files changed, 505 insertions, 0 deletions
diff --git a/magic/Magdir/macintosh b/magic/Magdir/macintosh
new file mode 100644
index 0000000..a74aac4
--- /dev/null
+++ b/magic/Magdir/macintosh
@@ -0,0 +1,505 @@
+
+#------------------------------------------------------------------------------
+# $File: macintosh,v 1.36 2022/12/06 18:45:20 christos Exp $
+# macintosh description
+#
+# BinHex is the Macintosh ASCII-encoded file format (see also "apple")
+# Daniel Quinlan, quinlan@yggdrasil.com
+# Update:	Joerg Jenderek
+# URL:		https://en.wikipedia.org/wiki/BinHex
+# Reference:	http://fileformats.archiveteam.org/wiki/BinHex
+# Note:		only tested with version 4.0 and hqx extension
+# Any text/binary before the characteristic comment sentence is to be ignored like in
+# http://ftp.vim.org/pub/ftp/ftp/infomac/disk/mac-update-40b7.hqx
+0	search/1602	(This\ file\ 
+>&0	use		binhex
+# http://ftp.vim.org/pub/ftp/ftp/infomac/_Disk_&_File/zap-res-forks-101.hqx
+0	search/2652/b	(This\ file\ 
+>&0	use		binhex
+0	name				binhex
+# keep split search string format similar like in version 5.37
+>0	string	must\ be\ converted\ with\ BinHex\ 	BinHex binary text, version
+# http://www.macdisk.com/binhexen.php3
+!:apple	BNHQTEXT
+# http://www.faqs.org/faqs/macintosh/comm-faq/part1/
+>>&0	string	1.0					1.0
+!:mime	application/mac-binhex
+!:ext	hex
+>>&0	string	2.0					2.0
+!:mime	application/mac-binhex
+!:ext	hcx
+# BinHex	3.0 never existed
+>>&0	string	4.0					4.0
+!:mime	application/mac-binhex40
+!:ext	hqx
+# BinHex	5.0 also MacBinary I
+>>&0	string	5.0					5.0
+!:mime	application/mac-binhex40
+!:ext	hqx
+# this should never happen
+>>&0	default	x					
+>>>&0	string	x					%.3s
+!:mime	application/mac-binhex
+!:ext	hqx
+
+# Stuffit archives are the de facto standard of compression for Macintosh
+# files obtained from most archives. (franklsm@tuns.ca)
+0	string		SIT!			StuffIt Archive (data)
+!:mime	application/x-stuffit
+!:apple	SIT!SIT!
+>2	string		x			: %s
+0	string		SITD			StuffIt Deluxe (data)
+>2	string		x			: %s
+0	string		Seg			StuffIt Deluxe Segment (data)
+>2	string		x			: %s
+
+# Newer StuffIt archives (grant@netbsd.org)
+0	string		StuffIt			StuffIt Archive
+!:mime	application/x-stuffit
+!:apple	SIT!SIT!
+#>162	string		>0			: %s
+
+# Macintosh Applications and Installation binaries (franklsm@tuns.ca)
+# GRR: Too weak
+#0	string		APPL			Macintosh Application (data)
+#>2	string		x			\b: %s
+
+# Macintosh System files (franklsm@tuns.ca)
+# GRR: Too weak
+#0	string		zsys			Macintosh System File (data)
+#0	string		FNDR			Macintosh Finder (data)
+#0	string		libr			Macintosh Library (data)
+#>2	string		x			: %s
+#0	string		shlb			Macintosh Shared Library (data)
+#>2	string		x			: %s
+#0	string		cdev			Macintosh Control Panel (data)
+#>2	string		x			: %s
+#0	string		INIT			Macintosh Extension (data)
+#>2	string		x			: %s
+#0	string		FFIL			Macintosh Truetype Font (data)
+#>2	string		x			: %s
+#0	string		LWFN			Macintosh Postscript Font (data)
+#>2	string		x			: %s
+
+# Additional Macintosh Files (franklsm@tuns.ca)
+# GRR: Too weak
+#0	string		PACT			Macintosh Compact Pro Archive (data)
+#>2	string		x			: %s
+#0	string		ttro			Macintosh TeachText File (data)
+#>2	string		x			: %s
+#0	string		TEXT			Macintosh TeachText File (data)
+#>2	string		x			: %s
+#0	string		PDF			Macintosh PDF File (data)
+#>2	string		x			: %s
+
+# MacBinary format (Eric Fischer, enf@pobox.com)
+# Update: Joerg Jenderek 
+# URL: https://en.wikipedia.org/wiki/MacBinary
+#	http://fileformats.archiveteam.org/wiki/MacBinary
+# Reference: https://files.stairways.com/other/macbinaryii-standard-info.txt
+# Note:	verified by macutils `macunpack -i -v BBEdit4.0.sit.bin` and
+#	`deark -l -d -m macbinary G3FirmwareUpdate1.1.smi.bin`
+#
+# Unfortunately MacBinary doesn't really have a magic number prior
+# to the MacBinary III format.
+#
+
+# old version number, must be kept at zero for compatibility
+0	byte	0
+# length of filename (must be in the range 1-63)
+>1	ubyte	>0
+# skip T.PIC.LZ INSTRUMENT.7T INVENTORY
+>>1	ubyte	<64
+# skip Docs.MWII ReadMe.MacWrite "Notes (MacWrite II)"
+# by looking for printable characters at beginning of file name
+>>>2	ubelong	>0x1F000000
+# zero fill, must be zero for compatibility
+>>>>74	byte	0
+# zero fill, must be zero for compatibility
+>>>>>82	byte	0
+# skip few DEGAS mid-res uncompressed bitmap (GEMINI03.PI2 CODE_RAM.PI2) with "too high" file names ffffff88 ffff4f00
+>>>>>>2	ubelong		<0xffff0000
+# MacBinary I		test for valid version numbers
+>>>>>>>122	ubeshort	0
+# additional check for undefined header fields in MacBinary I
+#>>>>>>>>101	ulong		0
+>>>>>>>>0	use	mac-bin
+# MacBinary II		the newer versions begins at 129
+>>>>>>>122	ubeshort	0x8181
+>>>>>>>>0	use	mac-bin
+# MacBinary III with MacBinary II to read
+>>>>>>122	ubeshort	0x8281
+>>>>>>>0	use	mac-bin
+
+#	display information of MacBinary file
+0	name		mac-bin
+>122	ubyte	x	MacBinary
+# versions for MacBinary II/III
+>122	ubyte	129		II
+>122	ubyte	130		III
+# only in MacBinary III
+>>102	string	!mBIN		with surprising version
+!:mime	application/x-macbinary
+!:apple	PSPTBINA
+!:ext	bin/macbin
+# THIS SHOULD NEVER HAPPEN! Maybe another file type is misidentified as MacBinary
+#>1	ubyte	>63		\b, name length %u too BIG!
+#>122	ubeshort	x	\b, version %#x
+# Finder flags if not 0
+# >73	byte		!0		\b, flags 0x
+# >73	byte		=0		
+# >>101	byte		!0		\b, flags 0x
+# # original Finder flags (Bits 8-15)
+# >73	byte		!0		\b%x
+# # finder flags, bits 0-7
+# >101	byte		!0		\b%x
+>73	byte		&0x01		\b, inited
+>73	byte		&0x02		\b, changed
+>73	byte		&0x04		\b, busy
+>73	byte		&0x08		\b, bozo
+>73	byte		&0x10		\b, system
+>73	byte		&0x20		\b, bundle
+>73	byte		&0x40		\b, invisible
+>73	byte		&0x80		\b, locked
+
+# 75	beshort				# vertical posn in window
+#>75	beshort		!0		\b, v.pos %u
+# 77	beshort				# horiz posn in window
+#>77	beshort		!0		\b, h.pos %u
+# 79	beshort				# window or folder ID
+>79	ubeshort	!0		\b, ID %#x
+# protected flag
+>81	byte		!0		\b, protected %#x
+# length of comment after resource
+>99	ubeshort	!0		\b, comment length %u
+# char. code of file name
+>106	ubyte		!0		\b, char. code %#x
+# still more Finder flags
+>107	ubyte		!0		\b, more flags %#x
+# length of total files when unpacked only used when pack and unpack on the fly
+>116	ubelong		!0		\b, total length %u
+# 120	beshort				# length of add'l header
+>120	ubeshort	!0		\b, 2nd header length %u
+# 124	beshort				# checksum
+#>124	ubeshort	!0		\b, CRC %#x
+# creation date in seconds since MacOS epoch start. So 1 Jan 1970 ~ 7C25B080
+# few (31/1247) examples (hinkC4.0.sitx.bin InternetExplorer5.1.smi.bin G3FirmwareUpdate1.1.smi.bin Firewire2.3.3.smi.bin LR2image.bin) contain zeroed date fields
+>91	long		!0
+>>91	beldate-0x7C25B080	x	\b, %s
+# THIS SHOULD NEVER HAPPEN! Maybe another file type is misidentified or time overflow
+>91	ubelong		<0x7c25b080	INVALID date
+# reported date seconds by deark
+#>91	ubelong		x		deark-DATE=%u
+# last modified date
+>95	long		!0
+>>95	beldate-0x7C25B080	x	\b, modified %s
+# Apple creator+typ if not null
+# file creator (normally expressed as four characters)
+>69	ulong			!0	\b, creator
+# instead 4 character code display full creator name
+>>69	use			apple-creator
+# file type (normally expressed as four characters)
+>65	ulong			!0	\b, type
+>>65	use			apple-type
+# length of data segment
+>83	ubelong			!0	\b, %u bytes
+# filename (in the range 1-63)
+# like "BBEdit4.0.sit" "Archive.sitx" "MacPGP 2.2  (.sea)"
+>1	pstring			x	"%s"
+# print 1 space and then at offset 128 inspect data fork content if it has one
+>83	ubelong			!0	\b 
+>>128	indirect		x
+# Afterwards resource fork if length of resource segment not zero
+>87	ubelong			!0
+# calculate resource fork offset
+>>83	ubelong+128		x	\b, at %#x
+# length of resource segment
+>>87	ubelong			!0	%u bytes
+>>(83.S+128)	ubequad		x	resource 
+# further resource fork content inspection 
+>>>&-8	indirect		x
+
+# Apple Type/Creator Database
+# URL: https://en.wikipedia.org/wiki/Type_code
+# Reference:	https://www.lacikam.co.il/tcdb/
+#		https://www.macdisk.com/macsigen.php
+# Note:	classic Mac OS files have two 4 character codes for type and creator.
+#	Thereby the Finder attach documents types to applications.
+
+#>65	string		x		\b, type "%4.4s"
+
+#	display information about apple type
+0	name		apple-type
+>0	string		8BIM		PhotoShop
+>0	string		ALB3		PageMaker 3
+>0	string		ALB4		PageMaker 4
+>0	string		ALT3		PageMaker 3
+>0	string		APPL		application
+>0	string		AWWP		AppleWorks word processor
+>0	string		CIRC		simulated circuit
+>0	string		DRWG		MacDraw
+>0	string		EPSF		Encapsulated PostScript
+>0	string		FFIL		font suitcase
+>0	string		FKEY		function key
+>0	string		FNDR		Macintosh Finder
+>0	string		GIFf		GIF image
+>0	string		Gzip		GNU gzip
+>0	string		INIT		system extension
+>0	string		LIB\ 		library
+>0	string		LWFN		PostScript font
+>0	string		MSBC		Microsoft BASIC
+>0	string		PACT		Compact Pro archive
+>0	string		PDF\ 		Portable Document Format
+>0	string		PICT		picture
+>0	string		PNTG		MacPaint picture
+>0	string		PREF		preferences
+>0	string		PROJ		Think C project
+>0	string		QPRJ		Think Pascal project
+>0	string		SCFL		Defender scores
+>0	string		SCRN		startup screen
+>0	string		SITD		StuffIt Deluxe
+>0	string		SPn3		SuperPaint
+>0	string		STAK		HyperCard stack
+>0	string		Seg\ 		StuffIt segment
+>0	string		TARF		Unix tar archive
+>0	string		TEXT		ASCII
+>0	string		TIFF		TIFF image
+>0	string		TOVF		Eudora table of contents
+>0	string		WDBN		Microsoft Word word processor
+>0	string		WORD		MacWrite word processor
+>0	string		XLS\ 		Microsoft Excel
+>0	string		ZIVM		compress (.Z)
+>0	string		ZSYS		Pre-System 7 system file
+>0	string		acf3		Aldus FreeHand
+>0	string		cdev		control panel
+>0	string		dfil		Desk Accessory suitcase
+>0	string		libr		library
+>0	string		nX^d		WriteNow word processor
+>0	string		nX^w		WriteNow dictionary
+>0	string		rsrc		resource
+>0	string		scbk		Scrapbook
+>0	string		shlb		shared library
+>0	string		ttro		SimpleText read-only
+>0	string		zsys		system file
+
+#	additional types added in Dec 2017
+>0	string		BINA		binary file
+>0	string		BMPp		BMP image
+>0	string		JPEG		JPEG image
+#>0	string		W4BN		Microsoft Word x.y word processor?
+# if type name is not known display 4 character identifier
+>0	default		x		
+>>0	string		x		'%4.4s'
+
+#>69	string		x		\b, creator "%4.4s"
+
+# Now Apple has no repository of registered Creator IDs any more. These are
+# just the ones that I happened to have files from and was able to identify.
+
+#	display information about apple creator
+0	name		apple-creator
+>0	string		8BIM		Adobe Photoshop
+>0	string		ALD3		PageMaker 3
+>0	string		ALD4		PageMaker 4
+>0	string		ALFA		Alpha editor
+>0	string		APLS		Apple Scanner
+>0	string		APSC		Apple Scanner
+>0	string		BRKL		Brickles
+>0	string		BTFT		BitFont
+>0	string		CCL2		Common Lisp 2
+>0	string		CCL\ 		Common Lisp
+>0	string		CDmo		The Talking Moose
+>0	string		CPCT		Compact Pro
+>0	string		CSOm		Eudora
+>0	string		DMOV		Font/DA Mover
+>0	string		DSIM		DigSim
+>0	string		EDIT		Macintosh Edit
+>0	string		ERIK		Macintosh Finder
+>0	string		EXTR		self-extracting archive
+>0	string		Gzip		GNU gzip
+>0	string		KAHL		Think C
+>0	string		LWFU		LaserWriter Utility
+>0	string		LZIV		compress
+>0	string		MACA		MacWrite
+>0	string		MACS		Macintosh operating system
+>0	string		MAcK		MacKnowledge terminal emulator
+>0	string		MLND		Defender
+>0	string		MPNT		MacPaint
+>0	string		MSBB		Microsoft BASIC (binary)
+>0	string		MSWD		Microsoft Word
+>0	string		NCSA		NCSA Telnet
+>0	string		PJMM		Think Pascal
+>0	string		PSAL		Hunt the Wumpus
+#>0	string		PSI2		Apple File Exchange
+>0	string		R*ch		BBEdit
+>0	string		RMKR		Resource Maker
+>0	string		RSED		Resource Editor
+>0	string		Rich		BBEdit
+>0	string		SIT!		StuffIt
+>0	string		SPNT		SuperPaint
+>0	string		Unix		NeXT Mac filesystem
+>0	string		VIM!		Vim editor
+>0	string		WILD		HyperCard
+>0	string		XCEL		Microsoft Excel
+>0	string		aCa2		Fontographer
+>0	string		aca3		Aldus FreeHand
+>0	string		dosa		Macintosh MS-DOS file system
+>0	string		movr		Font/DA Mover
+>0	string		nX^n		WriteNow
+>0	string		pdos		Apple ProDOS file system
+>0	string		scbk		Scrapbook
+>0	string		ttxt		SimpleText
+>0	string		ufox		Foreign File Access
+#	additional creators added in Dec 2017
+# Claris/Apple Works
+>0	string		BOBO		Apple Works
+# CU-SeeMe_0.87b3_(68K).bin
+#>0	string		CUce		bar
+>0	string		PSPT		Apple File Exchange
+# Disk_Copy_4.2.sea.bin
+#>0	string		NCse		foo
+# probably StuffIt/Aladdin by Smith Micro Software, Inc.
+>0	string		STi0		stuffit
+# MacGzip-1.1.3.sea.bin
+#>0	string		aust		bar
+# D-Disk_Copy_6.3.3.smi.bin 
+>0	string		oneb		Disk Copy Self Mounting
+# if creator name is not known display 4 character identifier
+>0	default		x		
+>>0	string		x		'%4.4s'
+
+# sas magic from Bruce Foster (bef@nwu.edu)
+#
+#0	string		SAS		SAS
+#>8	string		x		%s
+0	string		SAS		SAS
+>24	string		DATA		data file
+>24	string		CATALOG		catalog
+>24	string		INDEX		data file index
+>24	string		VIEW		data view
+# sas 7+ magic from Reinhold Koch (reinhold.koch@roche.com)
+#
+0x54    string          SAS             SAS 7+
+>0x9C   string          DATA            data file
+>0x9C   string          CATALOG         catalog
+>0x9C   string          INDEX           data file index
+>0x9C   string          VIEW            data view
+
+# spss magic for SPSS system and portable files,
+#	 from Bruce Foster (bef@nwu.edu).
+
+0	long		0xc1e2c3c9	SPSS Portable File
+>40	string 		x		%s
+
+0	string		$FL2		SPSS System File
+>24	string		x		%s
+
+0	string		$FL3		SPSS System File
+>24	string		x		%s
+
+# Macintosh filesystem data
+# From "Tom N Harris" <telliamed@mac.com>
+# Fixed HFS+ and Partition map magic: Ethan Benson <erbenson@alaska.net>
+# The MacOS epoch begins on 1 Jan 1904 instead of 1 Jan 1970, so these
+# entries depend on the data arithmetic added after v.35
+# There's also some Pascal strings in here, ditto...
+
+# The boot block signature, according to IM:Files, is
+# "for HFS volumes, this field always contains the value 0x4C4B."
+# But if this is true for MFS or HFS+ volumes, I don't know.
+# Alternatively, the boot block is supposed to be zeroed if it's
+# unused, so a simply >0 should suffice.
+
+0x400	beshort			0xD2D7		Macintosh MFS data
+>0	beshort			0x4C4B		(bootable)
+>0x40a	beshort			&0x8000		(locked)
+>0x402	beldate-0x7C25B080	x		created: %s,
+>0x406	beldate-0x7C25B080	>0		last backup: %s,
+>0x414	belong			x		block size: %d,
+>0x412	beshort			x		number of blocks: %d,
+>0x424	pstring			x		volume name: %s
+
+# *.hfs updated by Joerg Jenderek
+# https://en.wikipedia.org/wiki/Hierarchical_File_System
+# "BD" gives many false positives
+0x400	beshort			0x4244
+# ftp://ftp.mars.org/pub/hfs/hfsutils-3.2.6.tar.gz/hfsutils-3.2.6/libhfs/apple.h
+# first block of volume bit map (always 3)
+>0x40e	ubeshort		0x0003
+# maximal length of volume name is 27
+>>0x424		ubyte			<28	Macintosh HFS data
+!:mime	application/x-apple-diskimage
+#!:apple	hfsdINIT
+#!:apple	MACSdisk
+# https://www.macdisk.com/macsigen.php
+#!:apple	ddskdevi
+!:apple	????devi
+# https://en.wikipedia.org/wiki/Apple_Disk_Image
+!:ext hfs/dmg
+>>>0		beshort			0x4C4B	(bootable)
+#>>>0		beshort			0x0000	(not bootable)
+>>>0x40a	beshort			&0x8000	(locked)
+>>>0x40a	beshort			^0x0100	(mounted)
+>>>0x40a	beshort			&0x0200	(spared blocks)
+>>>0x40a	beshort			&0x0800	(unclean)
+>>>0x47C	beshort			0x482B	(Embedded HFS+ Volume)
+# https://www.epochconverter.com/
+# 0x7C245F00 seconds	~ 2082758400	~ 01 Jan 2036 00:00:00	~ 66 years to 1970
+# 0x7C25B080 seconds	~ 2082844800	~ 02 Jan 2036 00:00:00
+# construct not working
+#>>>0x402	beldate-0x7C25B080	x	created: %s,
+#>>>0x406	beldate-0x7C25B080	x	last modified: %s,
+#>>>0x440	beldate-0x7C25B080	>0	last backup: %s,
+# found block sizes 200h,1200h,2800h
+>>>0x414	belong			x	block size: %d,
+>>>0x412	beshort			x	number of blocks: %d,
+>>>0x424	pstring			x	volume name: %s
+
+0	name			hfsplus
+>&0	beshort			x		version %d data
+>0	beshort			0x4C4B		(bootable)
+>0x404	belong			^0x00000100	(mounted)
+>&2	belong			&0x00000200	(spared blocks)
+>&2	belong			&0x00000800	(unclean)
+>&2	belong			&0x00008000	(locked)
+>&6	string			x		last mounted by: '%.4s',
+# really, that should be treated as a belong and we print a string
+# based on the value. TN1150 only mentions '8.10' for "MacOS 8.1"
+>&14	beldate-0x7C25B080	x		created: %s,
+# only the creation date is local time, all other timestamps in HFS+ are UTC.
+>&18	bedate-0x7C25B080	x		last modified: %s,
+>&22	bedate-0x7C25B080	>0		last backup: %s,
+>&26	bedate-0x7C25B080	>0		last checked: %s,
+>&38	belong			x		block size: %d,
+>&42	belong			x		number of blocks: %d,
+>&46	belong			x		free blocks: %d
+
+0x400	beshort			0x482B		Apple HFS Plus
+>&0	use			hfsplus
+0x400	beshort			0x4858		Apple HFS Plus Extended
+>&0	use			hfsplus
+
+## AFAIK, only the signature is different
+# same as Apple Partition Map
+# GRR: This magic is too weak, it is just "TS"
+#0x200		beshort		0x5453		Apple Old Partition data
+#>0x2		beshort		x		block size: %d,
+#>0x230		string		x		first type: %s,
+#>0x210		string		x		name: %s,
+#>0x254		belong		x		number of blocks: %d,
+#>0x400		beshort		0x504D
+#>>0x430		string		x		second type: %s,
+#>>0x410		string		x		name: %s,
+#>>0x454		belong		x		number of blocks: %d,
+#>>0x800		beshort		0x504D
+#>>>0x830	string		x		third type: %s,
+#>>>0x810	string		x		name: %s,
+#>>>0x854	belong		x		number of blocks: %d,
+#>>>0xa00	beshort		0x504D
+#>>>>0xa30	string		x		fourth type: %s,
+#>>>>0xa10	string		x		name: %s,
+#>>>>0xa54	belong		x		number of blocks: %d
+
+# From: Remi Mommsen <mommsen@slac.stanford.edu>
+0		string		BOMStore	Mac OS X bill of materials (BOM) file
+