misc study zip

文件结构

请看官方文档。
为了更好认识zip，我们可以自己压缩几个文件。
先准备两个文件，分别用winrar和7z压缩，010editor帮助我们分析。

Local file header

文件头结构如下，重点学习以下几个字段

A.  Local file header:

      local file header signature     4 bytes  (0x04034b50)
      version needed to extract       2 bytes
      general purpose bit flag        2 bytes
      compression method              2 bytes
      last mod file time              2 bytes
      last mod file date              2 bytes
      crc-32                          4 bytes
      compressed size                 4 bytes
      uncompressed size               4 bytes
      file name length                2 bytes
      extra field length              2 bytes

      file name (variable size)
      extra field (variable size)

local file header signature

首先看文件头：50 4B 03 04
ASCII显示PK..，大多数情况下，文件头显示的是后缀的名称，这里的PK是指zip的发明者Phil Katz。

version needed to extract

version needed to extract (2 bytes)

    The minimum supported ZIP specification version needed to
    extract the file, mapped as above.  This value is based on
    the specific format features a ZIP program must support to
    be able to extract the file.  If multiple features are
    applied to a file, the minimum version should be set to the
    feature having the highest value. New features or feature
    changes affecting the published format specification will be
    implemented using higher version numbers than the last
    published value to avoid conflict.

    Current minimum feature versions are as defined below:

    1.0 - Default value
    1.1 - File is a volume label
    2.0 - File is a folder (directory)
    2.0 - File is compressed using Deflate compression
    2.0 - File is encrypted using traditional PKWARE encryption
    2.1 - File is compressed using Deflate64(tm)
    2.5 - File is compressed using PKWARE DCL Implode
    2.7 - File is a patch data set
    4.5 - File uses ZIP64 format extensions
    4.6 - File is compressed using BZIP2 compression*
    5.0 - File is encrypted using DES
    5.0 - File is encrypted using 3DES
    5.0 - File is encrypted using original RC2 encryption
    5.0 - File is encrypted using RC4 encryption
    5.1 - File is encrypted using AES encryption
    5.1 - File is encrypted using corrected RC2 encryption**
    5.2 - File is encrypted using corrected RC2-64 encryption**
    6.1 - File is encrypted using non-OAEP key wrapping***
    6.2 - Central directory encryption


    * Early 7.x (pre-7.2) versions of PKZIP incorrectly set the
    version needed to extract for BZIP2 compression to be 50
    when it should have been 46.

    ** Refer to the section on Strong Encryption Specification
    for additional information regarding RC2 corrections.

    *** Certificate encryption using non-OAEP key wrapping is the
    intended mode of operation for all versions beginning with 6.1.
    Support for OAEP key wrapping should only be used for
    backward compatibility when sending ZIP files to be opened by
    versions of PKZIP older than 6.1 (5.0 or 6.0).

    When using ZIP64 extensions, the corresponding value in the
    Zip64 end of central directory record should also be set.  
    This field currently supports only the value 45 to indicate
    ZIP64 extensions are present.

解压文件所需pkware最低版本，通过两个图片可以发现通过winrar压缩的是14 00，而通过7z压缩的是0A 00。
在明文攻击时，确认此处可以快速判断是用winrar还是7z压缩文件，当然也可能有Bandizip压缩的，不同的软件压缩的文件是不能明文攻击的，ARCHPR会报错。

general purpose bit flag

通用比特标志位，作用就是标记是否加密，未加密的情况下，winrar压缩的是08 00，而通过7z压缩的是00 00，加密的情况下，winrar压缩的为09 00，7z压缩的为01 00，之前看过一篇博客介绍，奇数标示加密，偶数标示未加密。
如果认为的将其改为09 00或者01 00，软件也认为是加密过的，爆破是不行的，伪加密是一个高频考点，所以，加密文件可以先尝试修改此标志位。

compression method

compression method: (2 bytes)

    (see accompanying documentation for algorithm
    descriptions)

    0 - The file is stored (no compression)
    1 - The file is Shrunk
    2 - The file is Reduced with compression factor 1
    3 - The file is Reduced with compression factor 2
    4 - The file is Reduced with compression factor 3
    5 - The file is Reduced with compression factor 4
    6 - The file is Imploded
    7 - Reserved for Tokenizing compression algorithm
    8 - The file is Deflated
    9 - Enhanced Deflating using Deflate64(tm)
   10 - PKWARE Data Compression Library Imploding
   11 - Reserved by PKWARE
   12 - File is compressed using BZIP2 algorithm

压缩方式

last mod file time

文件最后修改时间

last mod file date

文件最后修改日期

crc-32

CRC-32校验码

compressed size

压缩后的大小

uncompressed size

未压缩的大小

file name length

文件名长度

extra field length

扩展区长度

file name (variable size)

文件名

extra field (variable size)

扩展区

End of central directory record

文件尾结构长度:22 bytes

I.  End of central directory record:

      end of central dir signature    4 bytes  (0x06054b50)
      number of this disk             2 bytes
      number of the disk with the
      start of the central directory  2 bytes
      total number of entries in the
      central directory on this disk  2 bytes
      total number of entries in
      the central directory           2 bytes
      size of the central directory   4 bytes
      offset of start of central
      directory with respect to
      the starting disk number        4 bytes
      .ZIP file comment length        2 bytes
      .ZIP file comment       (variable size)

local file header signature

文件尾签名：50 4B 05 06

number of this disk

当前磁盘编号,现在都不用了

number of the disk with the start of the central directory

中央目录开始的磁盘编号,现在都不用了

total number of entries in the central directory on this disk

该磁盘的中央目录个数

total number of entries in the central directory

中央目录结构总数

size of the central directory

中央目录大小：BC 00 00 00

offset of start of central directory with respect to the starting disk number

中央目录的偏移，7A 00 00 00代表中央目录数据从00 7A开始

.ZIP file comment length

注释长度

Central directory structure

中央目录记录

F.  Central directory structure:

    [file header 1]
    .
    .
    .
    [file header n]
    [digital signature]

    File header:

      central file header signature   4 bytes  (0x02014b50)
      version made by                 2 bytes
      version needed to extract       2 bytes
      general purpose bit flag        2 bytes
      compression method              2 bytes
      last mod file time              2 bytes
      last mod file date              2 bytes
      crc-32                          4 bytes
      compressed size                 4 bytes
      uncompressed size               4 bytes
      file name length                2 bytes
      extra field length              2 bytes
      file comment length             2 bytes
      disk number start               2 bytes
      internal file attributes        2 bytes
      external file attributes        4 bytes
      relative offset of local header 4 bytes

      file name (variable size)
      extra field (variable size)
      file comment (variable size)

    Digital signature:

      header signature                4 bytes  (0x05054b50)
      size of data                    2 bytes
      signature data (variable size)

    With the introduction of the Central Directory Encryption
    feature in version 6.2 of this specification, the Central
    Directory Structure may be stored both compressed and encrypted.
    Although not required, it is assumed when encrypting the
    Central Directory Structure, that it will be compressed
    for greater storage efficiency.  Information on the
    Central Directory Encryption feature can be found in the section
    describing the Strong Encryption Specification. The Digital
    Signature record will be neither compressed nor encrypted.

central file header signature

文件头标识：50 4B 01 02

version made by

压缩时的版本，winrar压缩的是1F 00，7z压缩的是3F 00

version needed to extract

解压缩需要的最低版本

general purpose bit flag

通用位标记

compression method

压缩方式

last mod file time

文件最后修改时间

last mod file date

文件最后修改日期

crc-32

CRC-32校验码

compressed size

压缩后的大小

uncompressed size

未压缩的大小

file name length

文件名长度

extra field length

扩展区长度

file comment length

文件注释长度

disk number start

磁盘号开始，已经不用了

internal file attributes

内部文件属性

external file attributes

外部文件属性

relative offset of local header

本地文件头的相对偏移