1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
|
#------------------------------------------------------------------------------
# $File: macintosh,v 1.26 2015/11/25 00:36:02 christos Exp $
# macintosh description
#
# BinHex is the Macintosh ASCII-encoded file format (see also "apple")
# Daniel Quinlan, quinlan@yggdrasil.com
11 string must\ be\ converted\ with\ BinHex BinHex binary text
!:mime application/mac-binhex40
>41 string x \b, version %.3s
# Stuffit archives are the de facto standard of compression for Macintosh
# files obtained from most archives. (franklsm@tuns.ca)
0 string SIT! StuffIt Archive (data)
!:mime application/x-stuffit
!:apple SIT!SIT!
>2 string x : %s
0 string SITD StuffIt Deluxe (data)
>2 string x : %s
0 string Seg StuffIt Deluxe Segment (data)
>2 string x : %s
# Newer StuffIt archives (grant@netbsd.org)
0 string StuffIt StuffIt Archive
!:mime application/x-stuffit
!:apple SIT!SIT!
#>162 string >0 : %s
# Macintosh Applications and Installation binaries (franklsm@tuns.ca)
# GRR: Too weak
#0 string APPL Macintosh Application (data)
#>2 string x \b: %s
# Macintosh System files (franklsm@tuns.ca)
# GRR: Too weak
#0 string zsys Macintosh System File (data)
#0 string FNDR Macintosh Finder (data)
#0 string libr Macintosh Library (data)
#>2 string x : %s
#0 string shlb Macintosh Shared Library (data)
#>2 string x : %s
#0 string cdev Macintosh Control Panel (data)
#>2 string x : %s
#0 string INIT Macintosh Extension (data)
#>2 string x : %s
#0 string FFIL Macintosh Truetype Font (data)
#>2 string x : %s
#0 string LWFN Macintosh Postscript Font (data)
#>2 string x : %s
# Additional Macintosh Files (franklsm@tuns.ca)
# GRR: Too weak
#0 string PACT Macintosh Compact Pro Archive (data)
#>2 string x : %s
#0 string ttro Macintosh TeachText File (data)
#>2 string x : %s
#0 string TEXT Macintosh TeachText File (data)
#>2 string x : %s
#0 string PDF Macintosh PDF File (data)
#>2 string x : %s
# MacBinary format (Eric Fischer, enf@pobox.com)
#
# Unfortunately MacBinary doesn't really have a magic number prior
# to the MacBinary III format. The checksum is really the way to
# do it, but the magic file format isn't up to the challenge.
#
# 0 byte 0
# 1 byte # filename length
# 2 string # filename
# 65 string # file type
# 69 string # file creator
# 73 byte # Finder flags
# 74 byte 0
# 75 beshort # vertical posn in window
# 77 beshort # horiz posn in window
# 79 beshort # window or folder ID
# 81 byte # protected?
# 82 byte 0
# 83 belong # length of data segment
# 87 belong # length of resource segment
# 91 belong # file creation date
# 95 belong # file modification date
# 99 beshort # length of comment after resource
# 101 byte # new Finder flags
# 102 string mBIN # (only in MacBinary III)
# 106 byte # char. code of file name
# 107 byte # still more Finder flags
# 116 belong # total file length
# 120 beshort # length of add'l header
# 122 byte 129 # for MacBinary II
# 122 byte 130 # for MacBinary III
# 123 byte 129 # minimum version that can read fmt
# 124 beshort # checksum
#
# This attempts to use the version numbers as a magic number, requiring
# that the first one be 0x80, 0x81, 0x82, or 0x83, and that the second
# be 0x81. This works for the files I have, but maybe not for everyone's.
# Unfortunately, this magic is quite weak - MPi
#122 beshort&0xFCFF 0x8081 Macintosh MacBinary data
# MacBinary I doesn't have the version number field at all, but MacBinary II
# has been in use since 1987 so I hope there aren't many really old files
# floating around that this will miss. The original spec calls for using
# the nulls in 0, 74, and 82 as the magic number.
#
# Another possibility, that would also work for MacBinary I, is to use
# the assumption that 65-72 will all be ASCII (0x20-0x7F), that 73 will
# have bits 1 (changed), 2 (busy), 3 (bozo), and 6 (invisible) unset,
# and that 74 will be 0. So something like
#
# 71 belong&0x80804EFF 0x00000000 Macintosh MacBinary data
#
# >73 byte&0x01 0x01 \b, inited
# >73 byte&0x02 0x02 \b, changed
# >73 byte&0x04 0x04 \b, busy
# >73 byte&0x08 0x08 \b, bozo
# >73 byte&0x10 0x10 \b, system
# >73 byte&0x10 0x20 \b, bundle
# >73 byte&0x10 0x40 \b, invisible
# >73 byte&0x10 0x80 \b, locked
#>65 string x \b, type "%4.4s"
#>65 string 8BIM (PhotoShop)
#>65 string ALB3 (PageMaker 3)
#>65 string ALB4 (PageMaker 4)
#>65 string ALT3 (PageMaker 3)
#>65 string APPL (application)
#>65 string AWWP (AppleWorks word processor)
#>65 string CIRC (simulated circuit)
#>65 string DRWG (MacDraw)
#>65 string EPSF (Encapsulated PostScript)
#>65 string FFIL (font suitcase)
#>65 string FKEY (function key)
#>65 string FNDR (Macintosh Finder)
#>65 string GIFf (GIF image)
#>65 string Gzip (GNU gzip)
#>65 string INIT (system extension)
#>65 string LIB\ (library)
#>65 string LWFN (PostScript font)
#>65 string MSBC (Microsoft BASIC)
#>65 string PACT (Compact Pro archive)
#>65 string PDF\ (Portable Document Format)
#>65 string PICT (picture)
#>65 string PNTG (MacPaint picture)
#>65 string PREF (preferences)
#>65 string PROJ (Think C project)
#>65 string QPRJ (Think Pascal project)
#>65 string SCFL (Defender scores)
#>65 string SCRN (startup screen)
#>65 string SITD (StuffIt Deluxe)
#>65 string SPn3 (SuperPaint)
#>65 string STAK (HyperCard stack)
#>65 string Seg\ (StuffIt segment)
#>65 string TARF (Unix tar archive)
#>65 string TEXT (ASCII)
#>65 string TIFF (TIFF image)
#>65 string TOVF (Eudora table of contents)
#>65 string WDBN (Microsoft Word word processor)
#>65 string WORD (MacWrite word processor)
#>65 string XLS\ (Microsoft Excel)
#>65 string ZIVM (compress (.Z))
#>65 string ZSYS (Pre-System 7 system file)
#>65 string acf3 (Aldus FreeHand)
#>65 string cdev (control panel)
#>65 string dfil (Desk Accessory suitcase)
#>65 string libr (library)
#>65 string nX^d (WriteNow word processor)
#>65 string nX^w (WriteNow dictionary)
#>65 string rsrc (resource)
#>65 string scbk (Scrapbook)
#>65 string shlb (shared library)
#>65 string ttro (SimpleText read-only)
#>65 string zsys (system file)
#>69 string x \b, creator "%4.4s"
# Somewhere, Apple has a repository of registered Creator IDs. These are
# just the ones that I happened to have files from and was able to identify.
#>69 string 8BIM (Adobe Photoshop)
#>69 string ALD3 (PageMaker 3)
#>69 string ALD4 (PageMaker 4)
#>69 string ALFA (Alpha editor)
#>69 string APLS (Apple Scanner)
#>69 string APSC (Apple Scanner)
#>69 string BRKL (Brickles)
#>69 string BTFT (BitFont)
#>69 string CCL2 (Common Lisp 2)
#>69 string CCL\ (Common Lisp)
#>69 string CDmo (The Talking Moose)
#>69 string CPCT (Compact Pro)
#>69 string CSOm (Eudora)
#>69 string DMOV (Font/DA Mover)
#>69 string DSIM (DigSim)
#>69 string EDIT (Macintosh Edit)
#>69 string ERIK (Macintosh Finder)
#>69 string EXTR (self-extracting archive)
#>69 string Gzip (GNU gzip)
#>69 string KAHL (Think C)
#>69 string LWFU (LaserWriter Utility)
#>69 string LZIV (compress)
#>69 string MACA (MacWrite)
#>69 string MACS (Macintosh operating system)
#>69 string MAcK (MacKnowledge terminal emulator)
#>69 string MLND (Defender)
#>69 string MPNT (MacPaint)
#>69 string MSBB (Microsoft BASIC (binary))
#>69 string MSWD (Microsoft Word)
#>69 string NCSA (NCSA Telnet)
#>69 string PJMM (Think Pascal)
#>69 string PSAL (Hunt the Wumpus)
#>69 string PSI2 (Apple File Exchange)
#>69 string R*ch (BBEdit)
#>69 string RMKR (Resource Maker)
#>69 string RSED (Resource Editor)
#>69 string Rich (BBEdit)
#>69 string SIT! (StuffIt)
#>69 string SPNT (SuperPaint)
#>69 string Unix (NeXT Mac filesystem)
#>69 string VIM! (Vim editor)
#>69 string WILD (HyperCard)
#>69 string XCEL (Microsoft Excel)
#>69 string aCa2 (Fontographer)
#>69 string aca3 (Aldus FreeHand)
#>69 string dosa (Macintosh MS-DOS file system)
#>69 string movr (Font/DA Mover)
#>69 string nX^n (WriteNow)
#>69 string pdos (Apple ProDOS file system)
#>69 string scbk (Scrapbook)
#>69 string ttxt (SimpleText)
#>69 string ufox (Foreign File Access)
# Just in case...
102 string mBIN MacBinary III data with surprising version number
# sas magic from Bruce Foster (bef@nwu.edu)
#
#0 string SAS SAS
#>8 string x %s
0 string SAS SAS
>24 string DATA data file
>24 string CATALOG catalog
>24 string INDEX data file index
>24 string VIEW data view
# sas 7+ magic from Reinhold Koch (reinhold.koch@roche.com)
#
0x54 string SAS SAS 7+
>0x9C string DATA data file
>0x9C string CATALOG catalog
>0x9C string INDEX data file index
>0x9C string VIEW data view
# spss magic for SPSS system and portable files,
# from Bruce Foster (bef@nwu.edu).
0 long 0xc1e2c3c9 SPSS Portable File
>40 string x %s
0 string $FL2 SPSS System File
>24 string x %s
0 string $FL3 SPSS System File
>24 string x %s
# Macintosh filesystem data
# From "Tom N Harris" <telliamed@mac.com>
# Fixed HFS+ and Partition map magic: Ethan Benson <erbenson@alaska.net>
# The MacOS epoch begins on 1 Jan 1904 instead of 1 Jan 1970, so these
# entries depend on the data arithmetic added after v.35
# There's also some Pascal strings in here, ditto...
# The boot block signature, according to IM:Files, is
# "for HFS volumes, this field always contains the value 0x4C4B."
# But if this is true for MFS or HFS+ volumes, I don't know.
# Alternatively, the boot block is supposed to be zeroed if it's
# unused, so a simply >0 should suffice.
0x400 beshort 0xD2D7 Macintosh MFS data
>0 beshort 0x4C4B (bootable)
>0x40a beshort &0x8000 (locked)
>0x402 beldate-0x7C25B080 x created: %s,
>0x406 beldate-0x7C25B080 >0 last backup: %s,
>0x414 belong x block size: %d,
>0x412 beshort x number of blocks: %d,
>0x424 pstring x volume name: %s
# *.hfs updated by Joerg Jenderek
# http://en.wikipedia.org/wiki/Hierarchical_File_System
# "BD" gives many false positives
0x400 beshort 0x4244
# ftp://ftp.mars.org/pub/hfs/hfsutils-3.2.6.tar.gz/hfsutils-3.2.6/libhfs/apple.h
# first block of volume bit map (always 3)
>0x40e ubeshort 0x0003
# maximal length of volume name is 27
>>0x424 ubyte <28 Macintosh HFS data
!:mime application/x-apple-diskimage
#!:apple hfsdINIT
#!:apple MACSdisk
# http://www.macdisk.com/macsigen.php
#!:apple ddskdevi
!:apple ????devi
# https://en.wikipedia.org/wiki/Apple_Disk_Image
!:ext hfs/dmg
>>>0 beshort 0x4C4B (bootable)
#>>>0 beshort 0x0000 (not bootable)
>>>0x40a beshort &0x8000 (locked)
>>>0x40a beshort ^0x0100 (mounted)
>>>0x40a beshort &0x0200 (spared blocks)
>>>0x40a beshort &0x0800 (unclean)
>>>0x47C beshort 0x482B (Embedded HFS+ Volume)
# http://www.epochconverter.com/
# 0x7C245F00 seconds ~ 2082758400 ~ 01 Jan 2036 00:00:00 ~ 66 years to 1970
# 0x7C25B080 seconds ~ 2082844800 ~ 02 Jan 2036 00:00:00
# construct not working
#>>>0x402 beldate-0x7C25B080 x created: %s,
#>>>0x406 beldate-0x7C25B080 x last modified: %s,
#>>>0x440 beldate-0x7C25B080 >0 last backup: %s,
# found block sizes 200h,1200h,2800h
>>>0x414 belong x block size: %d,
>>>0x412 beshort x number of blocks: %d,
>>>0x424 pstring x volume name: %s
0x400 beshort 0x482B Macintosh HFS Extended
>&0 beshort x version %d data
>0 beshort 0x4C4B (bootable)
>0x404 belong ^0x00000100 (mounted)
>&2 belong &0x00000200 (spared blocks)
>&2 belong &0x00000800 (unclean)
>&2 belong &0x00008000 (locked)
>&6 string x last mounted by: '%.4s',
# really, that should be treated as a belong and we print a string
# based on the value. TN1150 only mentions '8.10' for "MacOS 8.1"
>&14 beldate-0x7C25B080 x created: %s,
# only the creation date is local time, all other timestamps in HFS+ are UTC.
>&18 bedate-0x7C25B080 x last modified: %s,
>&22 bedate-0x7C25B080 >0 last backup: %s,
>&26 bedate-0x7C25B080 >0 last checked: %s,
>&38 belong x block size: %d,
>&42 belong x number of blocks: %d,
>&46 belong x free blocks: %d
## AFAIK, only the signature is different
# same as Apple Partition Map
# GRR: This magic is too weak, it is just "TS"
#0x200 beshort 0x5453 Apple Old Partition data
#>0x2 beshort x block size: %d,
#>0x230 string x first type: %s,
#>0x210 string x name: %s,
#>0x254 belong x number of blocks: %d,
#>0x400 beshort 0x504D
#>>0x430 string x second type: %s,
#>>0x410 string x name: %s,
#>>0x454 belong x number of blocks: %d,
#>>0x800 beshort 0x504D
#>>>0x830 string x third type: %s,
#>>>0x810 string x name: %s,
#>>>0x854 belong x number of blocks: %d,
#>>>0xa00 beshort 0x504D
#>>>>0xa30 string x fourth type: %s,
#>>>>0xa10 string x name: %s,
#>>>>0xa54 belong x number of blocks: %d
# From: Remi Mommsen <mommsen@slac.stanford.edu>
0 string BOMStore Mac OS X bill of materials (BOM) file
# From: Adam Buchbinder <adam.buchbinder@gmail.com>
# URL: http://en.wikipedia.org/wiki/Datafork_TrueType
# Derived from the 'fondu' and 'ufond' source code (fondu.sf.net). 'sfnt' is
# TrueType; 'POST' is PostScript. 'FONT' and 'NFNT' sometimes appear, but I
# don't know what they mean.
0 belong 0x100
>(0x4.L+24) beshort x
>>&4 belong 0x73666e74 Mac OSX datafork font, TrueType
>>&4 belong 0x464f4e54 Mac OSX datafork font, 'FONT'
>>&4 belong 0x4e464e54 Mac OSX datafork font, 'NFNT'
>>&4 belong 0x504f5354 Mac OSX datafork font, PostScript
|