misc study zip

File structure

See the official documentation (PKWARE's APPNOTE, from which the spec excerpts below are taken).
To get a better feel for ZIP, compress a few files yourself.
Prepare two files, compress each with WinRAR and with 7-Zip, and open the results in 010 Editor to follow the fields along.



Local file header

The local file header is laid out as follows; the fields discussed afterwards are the ones worth studying closely.

A.  Local file header:

local file header signature 4 bytes (0x04034b50)
version needed to extract 2 bytes
general purpose bit flag 2 bytes
compression method 2 bytes
last mod file time 2 bytes
last mod file date 2 bytes
crc-32 4 bytes
compressed size 4 bytes
uncompressed size 4 bytes
file name length 2 bytes
extra field length 2 bytes

file name (variable size)
extra field (variable size)

local file header signature

Start with the signature: 50 4B 03 04.
In ASCII it reads PK.. . Most formats' magic bytes spell out the format's name or extension; here PK stands for Phil Katz, the inventor of ZIP. The same PK prefix starts the central directory signature (50 4B 01 02) and the end of central directory signature (50 4B 05 06).

version needed to extract

version needed to extract (2 bytes)

The minimum supported ZIP specification version needed to
extract the file, mapped as above. This value is based on
the specific format features a ZIP program must support to
be able to extract the file. If multiple features are
applied to a file, the minimum version should be set to the
feature having the highest value. New features or feature
changes affecting the published format specification will be
implemented using higher version numbers than the last
published value to avoid conflict.

Current minimum feature versions are as defined below:

1.0 - Default value
1.1 - File is a volume label
2.0 - File is a folder (directory)
2.0 - File is compressed using Deflate compression
2.0 - File is encrypted using traditional PKWARE encryption
2.1 - File is compressed using Deflate64(tm)
2.5 - File is compressed using PKWARE DCL Implode
2.7 - File is a patch data set
4.5 - File uses ZIP64 format extensions
4.6 - File is compressed using BZIP2 compression*
5.0 - File is encrypted using DES
5.0 - File is encrypted using 3DES
5.0 - File is encrypted using original RC2 encryption
5.0 - File is encrypted using RC4 encryption
5.1 - File is encrypted using AES encryption
5.1 - File is encrypted using corrected RC2 encryption**
5.2 - File is encrypted using corrected RC2-64 encryption**
6.1 - File is encrypted using non-OAEP key wrapping***
6.2 - Central directory encryption


* Early 7.x (pre-7.2) versions of PKZIP incorrectly set the
version needed to extract for BZIP2 compression to be 50
when it should have been 46.

** Refer to the section on Strong Encryption Specification
for additional information regarding RC2 corrections.

*** Certificate encryption using non-OAEP key wrapping is the
intended mode of operation for all versions beginning with 6.1.
Support for OAEP key wrapping should only be used for
backward compatibility when sending ZIP files to be opened by
versions of PKZIP older than 6.1 (5.0 or 6.0).

When using ZIP64 extensions, the corresponding value in the
Zip64 end of central directory record should also be set.
This field currently supports only the value 45 to indicate
ZIP64 extensions are present.

The minimum PKWARE version needed to extract the entry. In the two screenshots the WinRAR archive shows 14 00 (0x14 = 20, i.e. version 2.0) while the 7-Zip archive shows 0A 00 (0x0A = 10, i.e. version 1.0). As the table above shows, the value is driven by the features the entry uses (Deflate or a directory entry requires 2.0, a stored file can stay at 1.0), so it reflects the compressor's settings rather than the tool alone.
For a known-plaintext attack this field, together with version made by in the central directory, is a quick way to guess whether the archive was produced by WinRAR or 7-Zip (Bandizip is another possibility). The attack needs the compressed bytes of the known file to match the bytes inside the archive, so compress the plaintext with the same tool and settings; a file compressed with a different tool produces a different compressed stream, and ARCHPR reports an error.

general purpose bit flag

The general purpose bit flag. Its job here is to mark whether the entry is encrypted. Unencrypted, the WinRAR archive shows 08 00 and the 7-Zip archive 00 00; encrypted, WinRAR shows 09 00 and 7-Zip 01 00. A blog post I read earlier put it this way: an odd value means encrypted, an even value means not encrypted. That rule works because bit 0 is the encryption flag; the 08 in WinRAR's value is bit 3, which means the CRC-32 and sizes are written in a data descriptor after the compressed data.
If you manually change the flag to 09 00 or 01 00, extraction tools treat the entry as encrypted even though the data was never encrypted, and brute-forcing the password goes nowhere. This pseudo-encryption is a very common CTF trick, so on an "encrypted" archive, first try clearing this flag. The flag appears both in the local file header (offset 6) and in the central directory entry (offset 8); most tools go by the central directory, so check and patch both copies.

compression method

compression method: (2 bytes)

(see accompanying documentation for algorithm
descriptions)

0 - The file is stored (no compression)
1 - The file is Shrunk
2 - The file is Reduced with compression factor 1
3 - The file is Reduced with compression factor 2
4 - The file is Reduced with compression factor 3
5 - The file is Reduced with compression factor 4
6 - The file is Imploded
7 - Reserved for Tokenizing compression algorithm
8 - The file is Deflated
9 - Enhanced Deflating using Deflate64(tm)
10 - PKWARE Data Compression Library Imploding
11 - Reserved by PKWARE
12 - File is compressed using BZIP2 algorithm

Compression method; 8 (Deflate) is the common case, 0 means the data is stored without compression.

last mod file time

Last modification time, MS-DOS packed: 5 bits hour, 6 bits minute, 5 bits second divided by 2.

last mod file date

Last modification date, MS-DOS packed: 7 bits year since 1980, 4 bits month, 5 bits day.

crc-32

CRC-32 of the uncompressed data.

compressed size

Size of the compressed data.

uncompressed size

Size of the original file.

file name length

Length of the file name.

extra field length

Length of the extra field.

file name (variable size)

File name.

extra field (variable size)

Extra field.

End of central directory record

The fixed part of this trailer is 22 bytes; the archive comment that follows it is variable length.

I.  End of central directory record:

end of central dir signature 4 bytes (0x06054b50)
number of this disk 2 bytes
number of the disk with the
start of the central directory 2 bytes
total number of entries in the
central directory on this disk 2 bytes
total number of entries in
the central directory 2 bytes
size of the central directory 4 bytes
offset of start of central
directory with respect to
the starting disk number 4 bytes
.ZIP file comment length 2 bytes
.ZIP file comment (variable size)

end of central dir signature

Trailer signature: 50 4B 05 06

number of this disk

Number of this disk. Only meaningful for spanned (multi-volume) archives, which are rarely used now; normally 0.

number of the disk with the start of the central directory

Number of the disk on which the central directory starts; likewise normally 0.

total number of entries in the central directory on this disk

Number of central directory entries on this disk.

total number of entries in the central directory

Total number of central directory entries, i.e. the number of files in the archive.

size of the central directory

Size of the central directory in bytes: BC 00 00 00 in the sample, i.e. 0xBC = 188 bytes.

offset of start of central directory with respect to the starting disk number

Offset of the central directory: 7A 00 00 00 means the central directory begins at file offset 0x7A. Extractors locate this record from the end of the file and then jump to this offset, which is why the central directory, not the local headers, is what they trust.

.ZIP file comment length

Length of the archive comment.

Central directory structure

Central directory records, one per file, followed by the optional digital signature.

F.  Central directory structure:

[file header 1]
.
.
.
[file header n]
[digital signature]

File header:

central file header signature 4 bytes (0x02014b50)
version made by 2 bytes
version needed to extract 2 bytes
general purpose bit flag 2 bytes
compression method 2 bytes
last mod file time 2 bytes
last mod file date 2 bytes
crc-32 4 bytes
compressed size 4 bytes
uncompressed size 4 bytes
file name length 2 bytes
extra field length 2 bytes
file comment length 2 bytes
disk number start 2 bytes
internal file attributes 2 bytes
external file attributes 4 bytes
relative offset of local header 4 bytes

file name (variable size)
extra field (variable size)
file comment (variable size)

Digital signature:

header signature 4 bytes (0x05054b50)
size of data 2 bytes
signature data (variable size)

With the introduction of the Central Directory Encryption
feature in version 6.2 of this specification, the Central
Directory Structure may be stored both compressed and encrypted.
Although not required, it is assumed when encrypting the
Central Directory Structure, that it will be compressed
for greater storage efficiency. Information on the
Central Directory Encryption feature can be found in the section
describing the Strong Encryption Specification. The Digital
Signature record will be neither compressed nor encrypted.

central file header signature

Header signature: 50 4B 01 02

version made by

Version of the tool that created the entry: WinRAR wrote 1F 00, 7-Zip wrote 3F 00. The low byte is the spec version (0x1F = 31 = 3.1, 0x3F = 63 = 6.3) and the high byte is the creator's host system (0 = MS-DOS/FAT-compatible attributes, 3 = UNIX). Because the compressor chooses this value itself, it is a more direct tool fingerprint than version needed to extract, which depends on the features used.

version needed to extract

Minimum version needed to extract, with the same meaning as in the local header.

general purpose bit flag

General purpose bit flag, a copy of the local header's; bit 0 here is what most extractors check for encryption.

compression method

Compression method.

last mod file time

Last modification time.

last mod file date

Last modification date.

crc-32

CRC-32 checksum.

compressed size

Compressed size.

uncompressed size

Uncompressed size.

file name length

Length of the file name.

extra field length

Length of the extra field.

file comment length

Length of the per-file comment.

disk number start

Disk on which the entry starts; 0 for single-volume archives.

internal file attributes

Internal file attributes (bit 0 set means the file is apparently text).

external file attributes

External file attributes; host-dependent (for UNIX creators the high 16 bits hold the st_mode permission bits).

relative offset of local header

Offset of this entry's local file header from the start of the first disk; follow it to reach the local header and the data behind it.
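The following Python script is an added example written for this page; it is not code from the original post, from WinRAR, 7-Zip or PKWARE. It ties together the three structures described above (local file header, central directory, end of central directory record) and the pseudo-encryption trick discussed under general purpose bit flag. It builds a small archive with Python's zipfile module (the member names and contents are constructed, so the version made by / host values will be zipfile's, not WinRAR's 1F 00 or 7-Zip's 3F 00), walks EOCD -> central directory -> local headers, decodes version needed, version made by, the flag bits, the method and the MS-DOS timestamps, then sets bit 0 in every header to simulate pseudo-encryption, shows that zipfile refuses the result, and detects and repairs the trick by verifying every member's CRC-32 after the bit is cleared. The METHODS and HOSTS tables are small subsets of the APPNOTE lists.

```python
import io
import struct
import zipfile

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
METHODS = {0: "stored", 8: "deflate", 9: "deflate64", 12: "bzip2", 14: "lzma"}
HOSTS = {0: "MS-DOS/FAT", 3: "UNIX", 10: "Windows NTFS", 19: "OS X"}  # subset of the APPNOTE list

def build_sample_zip() -> bytes:
    """Constructed input (not a WinRAR/7-Zip file): two entries written by zipfile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flag.txt", "flag{pseudo_encryption}" * 4, zipfile.ZIP_DEFLATED)
        zf.writestr("note.txt", "stored", zipfile.ZIP_STORED)
    return buf.getvalue()

def find_eocd(data: bytes) -> int:
    """EOCD = 22 fixed bytes + comment (<= 65535). Scan back from EOF and accept a PK\\x05\\x06
    only if its comment length reaches EOF, so a comment containing the signature cannot fool us."""
    for pos in range(len(data) - 22, max(-1, len(data) - 22 - 0xFFFF - 1), -1):
        comment_len = struct.unpack_from("<H", data, pos + 20)[0]
        if data[pos:pos + 4] == EOCD_SIG and pos + 22 + comment_len == len(data):
            return pos
    raise ValueError("no end of central directory record")

def dos_datetime(mdate: int, mtime: int) -> str:
    """MS-DOS packed date (7b year-1980, 4b month, 5b day) / time (5b hour, 6b minute, 5b second/2)."""
    return "%04d-%02d-%02d %02d:%02d:%02d" % ((mdate >> 9) + 1980, (mdate >> 5) & 0xF, mdate & 0x1F,
                                              mtime >> 11, (mtime >> 5) & 0x3F, (mtime & 0x1F) * 2)

def parse_entries(data: bytes) -> list:
    """Walk EOCD -> central directory -> local headers and return one dict per entry."""
    eocd = find_eocd(data)
    _, _, _, total, _, cd_off, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    entries, pos = [], cd_off
    for _ in range(total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("bad central file header at 0x%x" % pos)
        (made_by, need, flag, method, mtime, mdate, crc, csize, usize, nlen, xlen,
         clen, _, _, _, local_off) = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        if data[local_off:local_off + 4] != LOCAL_SIG:
            raise ValueError("entry %r points at a bad local file header" % name)
        lflag = struct.unpack_from("<H", data, local_off + 6)[0]  # the local header's own copy of the flag
        mb_ver, mb_host = made_by & 0xFF, made_by >> 8             # low byte = spec version, high byte = host OS
        entries.append({
            "name": name, "central_off": pos, "local_off": local_off,
            "version_needed": "%d.%d" % divmod(need & 0xFF, 10),   # 0x14 -> "2.0", 0x0A -> "1.0"
            "made_by": "%d.%d on %s" % (mb_ver // 10, mb_ver % 10, HOSTS.get(mb_host, "host %d" % mb_host)),
            "encrypted_bit": bool(flag & 1), "local_encrypted_bit": bool(lflag & 1),
            "data_descriptor": bool(flag & 8),                     # WinRAR's 08 00: CRC/sizes follow the data
            "method": METHODS.get(method, "method %d" % method),
            "mtime": dos_datetime(mdate, mtime), "crc32": "%08x" % crc,
            "compressed": csize, "uncompressed": usize,
        })
        pos += 46 + nlen + xlen + clen
    return entries

def set_encryption_bit(data: bytes, value: bool) -> bytes:
    """Set/clear bit 0 of the general purpose flag in BOTH the central file header (flag at +8) and
    the local file header (flag at +6); extractors trust the central directory, so patch both."""
    buf = bytearray(data)
    for e in parse_entries(data):
        for off in (e["central_off"] + 8, e["local_off"] + 6):
            flag = struct.unpack_from("<H", buf, off)[0]
            struct.pack_into("<H", buf, off, (flag | 1) if value else (flag & 0xFFFE))
    return bytes(buf)

def read_member(data: bytes, name: str) -> bytes:
    return zipfile.ZipFile(io.BytesIO(data)).read(name)

def refuses_without_password(data: bytes, name: str) -> bool:
    """zipfile raises RuntimeError for a member whose bit 0 is set when no password is given."""
    try:
        read_member(data, name)
        return False
    except RuntimeError:
        return True

def is_pseudo_encrypted(data: bytes) -> bool:
    """Encryption bit set, yet every member decompresses with a matching CRC-32 once the bit is cleared.
    A truly encrypted member has a 12-byte encryption header before its data, so this check fails on it."""
    if not any(e["encrypted_bit"] or e["local_encrypted_bit"] for e in parse_entries(data)):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(set_encryption_bit(data, False))) as zf:
            return zf.testzip() is None
    except Exception:  # zlib error or BadZipFile: the data really is encrypted (or corrupt)
        return False

def fix_pseudo_encryption(data: bytes) -> bytes:
    return set_encryption_bit(data, False) if is_pseudo_encrypted(data) else data

if __name__ == "__main__":
    original = build_sample_zip()
    fake = set_encryption_bit(original, True)  # simulate the CTF pseudo-encryption trick
    print("refused without password:", refuses_without_password(fake, "flag.txt"))
    print("pseudo-encrypted:", is_pseudo_encrypted(fake))
    for e in parse_entries(fix_pseudo_encryption(fake)):
        print(e["name"], e["version_needed"], e["made_by"], e["method"], e["mtime"], e["crc32"])
```

Run it as-is to see the dump; to inspect a real capture, replace build_sample_zip() with open(path, "rb").read(). is_pseudo_encrypted deliberately does not trust the flag alone: it clears the bit on a copy and lets the CRC-32 decide, which is the same check an extractor would make, so a genuinely encrypted archive is not "fixed" into garbage.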