Although it looks like all the interesting content is in the protobuf payload, it looks like the header might not be the NUL-delimited/ASCII control char sequence the author inteprets it as.<p>Unless it's coincidence, each of the string portions is prefixed by its length in bytes. Since they're all so short[1], it's not obvious if they're 1,2 or 4 byte lengths, or if those are just padding or other flag bytes. It smells almost like the binary plist format[2], but doesn't seem to obviously decode.<p>This is just casual inspection of only the sequences in the article, so might be wildly wrong, and probably irrelevant.<p>Brute-forcing the protobuf message without the schema surprisingly effective here though. I didn't realise it left as much structure in there.<p>[1] NPI<p>[2] <a href="https://synalysis.com/how-to-decode-apple-binary-property-list-files/" rel="nofollow">https://synalysis.com/how-to-decode-apple-binary-property-li...</a>