I am currently investigating a crash during unarchiving of a file supposedly stored through NSKeyedArchiver. The crash log contains the first 8 byte quartets of the file (I only included the first 2 below).

```
Fatal Exception: NSInvalidArgumentException
*** -[NSKeyedUnarchiver initForReadingWithData:]: incomprehensible archive (0xffffffa6, 0xffffff9e, ...)
```

I have been unable to decode these bytes into anything useful using ASCII, Base64, UTF8 or UTF16. Does anyone know what kind of file format and/or character encoding NSKeyedArchiver uses or how I could decode these bytes to something human readable?

rmaddy
hennes
  • Perhaps the fact that you can't decode it into anything sensible is precisely because it's corrupted. – Avi Nov 17 '15 at 12:57
  • @Avi Yes, that could be correct. It's just weird that the only way the file is written is through an `NSKeyedArchiver` - at least as far as I can see. Hence, I was hoping there was a way to manually decode an archive into something human readable. – hennes Nov 17 '15 at 13:10
  • It might be a binary plist. – Avi Nov 17 '15 at 13:26
  • It is indeed a binary plist. You can use `plutil -p` on your archive file. There are also other options to check the integrity. – Avi Nov 17 '15 at 13:33
  • @Avi Thank you. Unfortunately, the `plutil` command doesn't seem to be able to generate a human-readable format from just the start of the file. I only have the first few bytes as the crash log is from Fabric. – hennes Nov 17 '15 at 19:57

1 Answer

Keyed archives are stored as binary plists. You can use the plutil command line utility to print, verify or manipulate the contents.

Avi
  • Thank you. Unfortunately, the `plutil` command doesn't seem to be able to generate a human-readable format from just the start of the file. I only have the first few bytes as the crash log is from Fabric. – hennes Nov 17 '15 at 19:57
  • That really says that it's simply corrupt, hence the crash. A strange situation, to be sure. – Avi Nov 18 '15 at 02:28
  • I'll give you the accepted answer since I asked for the file format. A pity that `plutil` doesn't help me in this case. Thanks anyway. – hennes Nov 18 '15 at 16:00
  • plutil is only the first step to convert the binary into XML. You then can run the data value (only) through a base64 decoder to try to extract some of the info, but you'll have to search through the output a bit to be able to piece together any relevant info – Louis Tur Jun 20 '16 at 19:15
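
A quick triage of the header bytes from the crash log, as an added example that is not part of the original answer or comments: it masks the logged values back to single bytes and compares them with the `bplist00` magic that every binary plist starts with, then checks a full file for the keyed-archive layout. It assumes values such as `0xffffffa6` are single bytes sign-extended to 32 bits when printed; the function names and the sample archive are constructed for illustration.

```python
import plistlib

BPLIST_MAGIC = b"bplist00"  # 8-byte header of a version-00 binary plist


def header_bytes(logged_values):
    """Recover raw bytes from the values printed in the exception message.

    Assumption: each value is one byte sign-extended to 32 bits
    (0xffffffa6 -> 0xa6), so only the low 8 bits are meaningful.
    """
    return bytes(v & 0xFF for v in logged_values)


def classify_header(prefix):
    """Classify the first bytes of a file; works on a partial header too."""
    n = min(len(prefix), len(BPLIST_MAGIC))
    if n and prefix[:n] == BPLIST_MAGIC[:n]:
        return "binary plist"
    if prefix.lstrip().startswith((b"<?xml", b"<plist")):
        return "XML plist"
    return "not a plist"


def is_keyed_archive(data):
    """True if data parses as a plist with the NSKeyedArchiver top-level keys."""
    try:
        root = plistlib.loads(data)
    except Exception:  # truncated, corrupt or non-plist input
        return False
    return (isinstance(root, dict)
            and root.get("$archiver") == "NSKeyedArchiver"
            and "$top" in root and "$objects" in root)


# Constructed sample: a minimal dictionary shaped like a keyed archive.
SAMPLE = plistlib.dumps(
    {"$version": 100000, "$archiver": "NSKeyedArchiver",
     "$top": {"root": plistlib.UID(1)}, "$objects": ["$null", "hello"]},
    fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    logged = [0xFFFFFFA6, 0xFFFFFF9E]  # the two values quoted in the question
    raw = header_bytes(logged)
    print(raw.hex(), "->", classify_header(raw))
    print("sample header:", classify_header(SAMPLE[:8]))
    print("sample is keyed archive:", is_keyed_archive(SAMPLE))
```

Given only a truncated header, `classify_header` is the only check available; `is_keyed_archive` needs the complete file, including the trailer at its end.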