12

Terminal app on OSX stores the information about its windows and content in its state files in Library/Saved Application State/com.apple.Terminal.savedState.

I did the backup of the file before the crash to be able to restore my data, but I don't know how to read it now (as Terminal refuses to use it). It starts with: NSCR1000 as below:

$ hexdump -Cn8 ~/Library/Saved\ Application\ State/com.apple.Terminal.savedState/data.data
00000000  4e 53 43 52 31 30 30 30                           |NSCR1000|

It's used by windows.plist file which can be decoded by:

plutil -convert xml1 -o windows.plist windows.plist

What kind of method I can use to read that .data file? Or where do I start?

$ strings data.data | head -10
NSCR1000
p+5v
0>[t
kJX6X
@NSCR1000

This file is automatically generated by Terminal app when you start and start typing something, so the terminal data is stored there.

kenorb
  • 485
  • 1
  • 8
  • 23
  • Can anyone elaborate on exact steps to take? I believe i've stored/copied the needed files, but can't make sense of this seemingly easy statement: "Quit Terminal, copy the contents of this folder from your backup, then open Terminal." from this SO: https://apple.stackexchange.com/questions/326108/restore-terminal-tabs-with-session-history Files are copied, where do i put em? I'm using Zsh via terminal app.. – N3rdB0mber Dec 06 '23 at 19:55

1 Answers1

11

It is encrypted with AES so you will need the keys from windows.plist to decode.

The format is (all stored in big-endian):

offset  value
0-3     magic ('NSCR' for PersistentUIRecord)
4-7     version (either '1000' or '0006')
8-11    NSWindowID (used to lookup 128-bit AES key stored in windows.plist)
12-15   record length (including from 0 to xxx)
16-xxx  encrypted binary plist data

There may be multiple records stored in a file consecutively.

Similar approach AppKit framework is using to decipher the data.data file. The most relevant code base to look at is the +[NSPersistentUIRecord parseOneRecordFromReadBlock:withDecryptionKeys:] block which parses each record in the data.data file.

kenorb
  • 485
  • 1
  • 8
  • 23
cimarron
  • 1,331
  • 1
  • 9
  • 13
  • 1
    Thanks for the answer! One question I have: how did you learn those details? – Stanislav Pankevich Jan 15 '16 at 11:28
  • 3
    I just poked around the AppKit framework reversing how it deciphered the data.data file. The most relevant code base to look at is the +[NSPersistentUIRecord parseOneRecordFromReadBlock:withDecryptionKeys:] block which parses each record in the data.data file. – cimarron Jan 15 '16 at 16:21
  • 2
    That sounds great like it was so easy thing to do! Awesome inspiration to learn more about RE. Thanks again for answer. – Stanislav Pankevich Jan 15 '16 at 17:09
  • 2
    I am not sure how kind you are to be asked but that would be truly great if you could share your mastery in a blog post. I highly encourage you to do that as it would be very interesting reading for everyone especially if you could explain your technique of finding the right answer in a simple way. So many developers could benefit from your experience, please do! – Stanislav Pankevich Jan 15 '16 at 20:52