0x01 ZIP file structure

The official specification describes the layout as follows:

Overall .ZIP file format:

[local file header 1]
[file data 1]
[data descriptor 1]
.
.
.
[local file header n]
[file data n]
[data descriptor n]
[archive decryption header] (EFS)
[archive extra data record] (EFS)
[central directory]
[zip64 end of central directory record]
[zip64 end of central directory locator]
[end of central directory record]
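To make the layout above concrete, here is an added example (not code from the original post) that builds a small archive with the standard library and then walks its raw bytes by hand: it finds the end of central directory record from the tail of the file, follows the central directory offset to each central directory header, and follows each header's local header offset to the member data, verifying it against the stored CRC-32. The sample archive and its member names are constructed for the example.

```python
import io
import struct
import zipfile
import zlib

# Record signatures from the ZIP specification ("PK" plus two bytes), little-endian.
LOCAL_FILE_HEADER_SIG = 0x04034B50   # PK\x03\x04
CENTRAL_DIR_SIG = 0x02014B50         # PK\x01\x02
EOCD_SIG = 0x06054B50                # PK\x05\x06


def build_sample_zip() -> bytes:
    """Constructed sample archive (not from the post): one deflated member and one stored member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("hello.txt", b"hello world\n" * 20, compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("raw.bin", b"\x00\x01\x02\x03", compress_type=zipfile.ZIP_STORED)
    return buf.getvalue()


def find_eocd(data: bytes) -> dict:
    """Locate the end of central directory record. It is the last record in the
    file, followed only by an optional comment of at most 65535 bytes, so the
    signature is searched backwards within that window."""
    window_start = max(0, len(data) - 22 - 65535)
    pos = data.rfind(b"PK\x05\x06", window_start)
    if pos < 0:
        raise ValueError("no end of central directory record found")
    (sig, _disk, _cd_disk, _entries_here, entries, cd_size, cd_offset,
     _comment_len) = struct.unpack_from("<IHHHHIIH", data, pos)
    if sig != EOCD_SIG:
        raise ValueError("corrupt end of central directory record")
    return {"entries": entries, "cd_size": cd_size, "cd_offset": cd_offset}


def parse_central_directory(data: bytes) -> list:
    """Walk the central directory and return one dict per member. Tools trust the
    central directory, not the local headers, for the list of members."""
    eocd = find_eocd(data)
    pos = eocd["cd_offset"]
    members = []
    for _ in range(eocd["entries"]):
        (sig, _made_by, _need, flags, method, _mtime, _mdate, crc, csize, usize,
         name_len, extra_len, comment_len, _disk, _iattr, _eattr, local_off
         ) = struct.unpack_from("<IHHHHHHIIIHHHHHII", data, pos)
        if sig != CENTRAL_DIR_SIG:
            raise ValueError(f"bad central directory signature at {pos:#x}")
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        members.append({
            "name": name,
            "method": method,                 # 0 = store, 8 = deflate, 12 = bzip2
            "encrypted": bool(flags & 0x1),   # general purpose flag bit 0
            "crc32": crc,
            "compressed_size": csize,
            "uncompressed_size": usize,
            "local_header_offset": local_off,
        })
        pos += 46 + name_len + extra_len + comment_len   # fixed 46-byte header + variable fields
    return members


def read_member(data: bytes, member: dict) -> bytes:
    """Follow a central directory entry to its local file header, extract the
    member data and verify it against the stored CRC-32. The name and extra
    field lengths are re-read from the local header because they may differ
    from the central directory copy."""
    pos = member["local_header_offset"]
    (sig, _need, _flags, method, _mtime, _mdate, _crc, _csize, _usize,
     name_len, extra_len) = struct.unpack_from("<IHHHHHIIIHH", data, pos)
    if sig != LOCAL_FILE_HEADER_SIG:
        raise ValueError(f"bad local file header signature at {pos:#x}")
    start = pos + 30 + name_len + extra_len   # local header is 30 bytes + name + extra
    raw = data[start:start + member["compressed_size"]]
    if method == 0:
        plain = raw
    elif method == 8:
        d = zlib.decompressobj(-15)           # raw deflate stream, no zlib header
        plain = d.decompress(raw) + d.flush()
    else:
        raise NotImplementedError(f"compression method {method}")
    if zlib.crc32(plain) != member["crc32"]:
        raise ValueError(f"CRC-32 mismatch for {member['name']}")
    return plain


if __name__ == "__main__":
    archive = build_sample_zip()
    for m in parse_central_directory(archive):
        print(m["name"], "method", m["method"], "crc", f"{m['crc32']:08x}",
              "encrypted", m["encrypted"], len(read_member(archive, m)), "bytes")
```

The encryption flag and the compression method read here are exactly the two fields the next section's attack conditions depend on, and the CRC-32 stored in both headers is computed over the uncompressed data.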

Sample analysis

0x02 Known-plaintext attack

Conditions:

  • A file from the encrypted archive is known in the clear (its CRC32 can be compared against the stored one), or part of a file is known (for files of a particular format: at least 12 bytes, of which 8 are contiguous)
  • The compression algorithm is the same

Common ZIP compression algorithms today: store, deflate and bzip2.
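As an added example (not code from the original post), the following audit checks whether an archive meets the conditions just listed, from the point of view of someone assessing their own archives: it reads each member's encryption flag and compression method, and confirms a candidate known file against the stored CRC-32 and size. Only whole known files are confirmed this way; the partial-file case (12 bytes, 8 contiguous) cannot be verified with a CRC. The sample archive, its member names and the plaintexts are constructed for the example; because Python's zipfile module cannot write encrypted archives, the example marks the members as encrypted by setting general purpose flag bit 0 in the headers itself.

```python
import io
import zipfile
import zlib

METHOD_NAMES = {0: "store", 8: "deflate", 12: "bzip2"}
WINZIP_AES_METHOD = 99   # AE-x entries use method 99; they are not traditional ZipCrypto

# Constructed sample plaintexts (not from the original post).
README_TEXT = b"Project notes\n" + b"Build with make; run the tests before release.\n" * 8
PNG_HEADER = b"\x89PNG\r\n\x1a\n"


def build_sample_archive() -> bytes:
    """Constructed sample archive. zipfile cannot write encrypted archives, so after
    writing we set general purpose flag bit 0 ("encrypted") in every local file
    header (flags at offset 6) and central directory header (flags at offset 8).
    The data itself stays in clear, which is fine because the audit below reads
    only metadata from the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", README_TEXT, compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("logo.png", PNG_HEADER + b"\x00" * 40, compress_type=zipfile.ZIP_STORED)
    raw = bytearray(buf.getvalue())
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = raw.find(signature)
        while pos >= 0:
            raw[pos + flag_offset] |= 0x01
            pos = raw.find(signature, pos + 4)
    return bytes(raw)


def audit_known_plaintext_exposure(archive: bytes, known_files: dict) -> list:
    """known_files maps a member name to cleartext bytes the analyst already holds
    (for instance the same file from a public release). Returns one finding per
    member: whether it is encrypted, which compression method it uses (the method
    the known file would have to be compressed with), and whether the known file
    is confirmed by CRC-32 and size."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)
            aes = info.compress_type == WINZIP_AES_METHOD
            plain = known_files.get(info.filename)
            # The stored CRC-32 is computed over the uncompressed data, so a whole
            # known file can be confirmed whatever the compression method.
            crc_match = (plain is not None and len(plain) == info.file_size
                         and zlib.crc32(plain) == info.CRC)
            findings.append({
                "name": info.filename,
                "encrypted": encrypted,
                "method": METHOD_NAMES.get(info.compress_type, str(info.compress_type)),
                "known_plaintext_confirmed": crc_match,
                # Traditional ZipCrypto plus a confirmed known member is the exposed case.
                "exposed": encrypted and not aes and crc_match,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_known_plaintext_exposure(build_sample_archive(),
                                                  {"readme.txt": README_TEXT}):
        print(finding)
```

The method field matters because the attack needs the known file compressed exactly as it is in the archive; with "store" the stored bytes are the plaintext itself, while deflate or bzip2 output must be reproduced with the same implementation and settings.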

0x03 Magic Number

Common magic numbers are listed below.

Hex | ISO 8859-1 | Offset | Filename extension | Description
a1 b2 c3 d4 / d4 c3 b2 a1 | ¡²ÃÔ / Ôò¡ | 0 | pcap | Libpcap file format
0a 0d 0d 0a | .... | 0 | pcapng | PCAP Next Generation dump file format
ed ab ee db | í«îÛ | 0 | rpm | RedHat Package Manager (RPM) package
53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 | SQLite format 3. | 0 | sqlitedb, sqlite, db | SQLite database
47 49 46 38 37 61 / 47 49 46 38 39 61 | GIF87a / GIF89a | 0 | gif | Image encoded in the Graphics Interchange Format (GIF)
FF D8 FF DB / FF D8 FF E0 00 10 4A 46 49 46 00 01 / FF D8 FF EE / FF D8 FF E1 ?? ?? 45 78 69 66 00 00 | ÿØÿÛ / ÿØÿà..JFIF.. / ÿØÿî / ÿØÿá..Exif.. | 0 | jpg, jpeg | JPEG, raw or in the JFIF or Exif file format
4D 5A | MZ | 0 | exe, dll | DOS MZ executable file format and its descendants (including NE and PE)
50 4B 03 04 / 50 4B 05 06 (empty archive) / 50 4B 07 08 (spanned archive) | PK.. | 0 | zip, aar, apk, docx, epub, ipa, jar, kmz, maff, odp, ods, odt, pk3, pk4, pptx, usdz, vsdx, xlsx, xpi | ZIP file format and formats based on it, such as EPUB, JAR, ODF, OOXML
52 61 72 21 1A 07 00 | Rar!... | 0 | rar | RAR archive version 1.50 onwards
52 61 72 21 1A 07 01 00 | Rar!.... | 0 | rar | RAR archive version 5.0 onwards
5A 4D | ZM | 0 | exe | DOS ZM executable file format and its descendants (rare)
7F 45 4C 46 | .ELF | 0 | (none) | Executable and Linkable Format
89 50 4E 47 0D 0A 1A 0A | .PNG.... | 0 | png | Image encoded in the Portable Network Graphics format
CA FE BA BE | Êþº¾ | 0 | class | Java class file; also Mach-O fat binary
25 50 44 46 2d | %PDF- | 0 | pdf | PDF document
52 49 46 46 ?? ?? ?? ?? 57 41 56 45 | RIFF....WAVE | 0 | wav | Waveform Audio File Format
52 49 46 46 ?? ?? ?? ?? 41 56 49 20 | RIFF....AVI. | 0 | avi | Audio Video Interleave video format
42 4D | BM | 0 | bmp, dib | BMP file, a bitmap format used mostly in the Windows world
43 44 30 30 31 | CD001 | 0x8001, 0x8801, 0x9001 | iso | ISO 9660 CD/DVD image file
D0 CF 11 E0 A1 B1 1A E1 | ÐÏ.à¡±.á | 0 | doc, xls, ppt, msg | Compound File Binary Format, the container format used for documents by older versions of Microsoft Office; it is an open format also used by other programs
43 72 32 34 | Cr24 | 0 | crx | Google Chrome extension or packaged app
78 01 73 0D 62 62 60 | x.s.bb` | 0 | dmg | Apple Disk Image file
50 4D 4F 43 43 4D 4F 43 | PMOCCMOC | 0 | dat | Windows Files and Settings Transfer Repository; see also the USMT 3.0 (Windows XP) and USMT 4.0 (Windows 7) user guides
75 73 74 61 72 00 30 30 / 75 73 74 61 72 20 20 00 | ustar.00 / ustar  . | 0x101 | tar | tar archive
37 7A BC AF 27 1C | 7z¼¯'. | 0 | 7z | 7-Zip file format
1F 8B | .. | 0 | gz, tar.gz | GZIP compressed file
FD 37 7A 58 5A 00 | ý7zXZ. | 0 | xz, tar.xz | XZ compression utility using LZMA2 compression
3c 3f 78 6d 6c 20 | <?xml  | 0 | xml | eXtensible Markup Language when using the ASCII character encoding
43 57 53 / 46 57 53 | CWS / FWS | 0 | swf | Adobe Flash .swf
21 3C 61 72 63 68 3E | !<arch> | 0 | deb | Linux deb package (an ar archive)
52 49 46 46 ?? ?? ?? ?? 57 45 42 50 | RIFF....WEBP | 0 | webp | Google WebP image file, where ?? ?? ?? ?? is the file size; see the WebP file header documentation
66 74 79 70 69 73 6F 6D | ftypisom | 4 | mp4 | ISO Base Media file (MPEG-4)
78 01 / 78 5E / 78 9C / 78 DA / 78 20 / 78 7D / 78 BB / 78 F9 | x. | 0 | zlib | zlib stream header: 78 01 no compression, 78 5E best speed, 78 9C default compression, 78 DA best compression (all without preset dictionary); 78 20, 78 7D, 78 BB, 78 F9 are the same four levels with a preset dictionary
62 6F 6F 6B 00 00 00 00 6D 61 72 6B 00 00 00 00 | book....mark.... | 0 | alias | macOS file alias (symbolic link)
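A magic-number table is only useful if the offset column and the ?? wildcards are honoured, so here is an added example (not code from the original post) that encodes a subset of the table above in a signature list and matches file contents against it, including signatures that sit past the start of the file (mp4 at offset 4, tar at 0x101, ISO 9660 at 0x8001) and signatures with wildcard bytes (the RIFF family). It also flags files whose extension does not agree with their content, which is the usual defender's use of this table. The JPEG entry is generalised to the FF D8 FF prefix shared by the variants in the table; the sample headers in the test are constructed.

```python
SIGNATURES = [
    # (hex pattern with ?? wildcards, offset in file, extensions, description)
    ("89 50 4E 47 0D 0A 1A 0A", 0, ("png",), "PNG image"),
    ("FF D8 FF", 0, ("jpg", "jpeg"), "JPEG image (JFIF/Exif/raw variants share this prefix)"),
    ("47 49 46 38 37 61", 0, ("gif",), "GIF87a image"),
    ("47 49 46 38 39 61", 0, ("gif",), "GIF89a image"),
    ("50 4B 03 04", 0, ("zip", "jar", "apk", "docx", "xlsx", "pptx", "epub", "xpi"), "ZIP archive"),
    ("50 4B 05 06", 0, ("zip",), "ZIP archive (empty)"),
    ("52 61 72 21 1A 07 00", 0, ("rar",), "RAR archive 1.50+"),
    ("52 61 72 21 1A 07 01 00", 0, ("rar",), "RAR archive 5.0+"),
    ("7F 45 4C 46", 0, ("elf", "so"), "ELF executable"),
    ("4D 5A", 0, ("exe", "dll"), "DOS MZ executable (PE, NE)"),
    ("CA FE BA BE", 0, ("class",), "Java class file or Mach-O fat binary"),
    ("25 50 44 46 2D", 0, ("pdf",), "PDF document"),
    ("52 49 46 46 ?? ?? ?? ?? 57 41 56 45", 0, ("wav",), "RIFF WAVE audio"),
    ("52 49 46 46 ?? ?? ?? ?? 41 56 49 20", 0, ("avi",), "RIFF AVI video"),
    ("52 49 46 46 ?? ?? ?? ?? 57 45 42 50", 0, ("webp",), "RIFF WebP image"),
    ("1F 8B", 0, ("gz", "tgz"), "gzip compressed data"),
    ("FD 37 7A 58 5A 00", 0, ("xz",), "XZ compressed data"),
    ("37 7A BC AF 27 1C", 0, ("7z",), "7-Zip archive"),
    ("D0 CF 11 E0 A1 B1 1A E1", 0, ("doc", "xls", "ppt", "msg"), "Compound File Binary (OLE2)"),
    ("66 74 79 70 69 73 6F 6D", 4, ("mp4",), "ISO Base Media file (MP4)"),
    ("75 73 74 61 72 00 30 30", 0x101, ("tar",), "POSIX tar archive (ustar)"),
    ("75 73 74 61 72 20 20 00", 0x101, ("tar",), "GNU tar archive"),
    ("43 44 30 30 31", 0x8001, ("iso",), "ISO 9660 image"),
    ("A1 B2 C3 D4", 0, ("pcap",), "libpcap capture (big-endian)"),
    ("D4 C3 B2 A1", 0, ("pcap",), "libpcap capture (little-endian)"),
    ("0A 0D 0D 0A", 0, ("pcapng",), "pcapng capture"),
    ("53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33 00", 0, ("sqlite", "db"), "SQLite 3 database"),
    ("21 3C 61 72 63 68 3E", 0, ("deb", "a"), "ar archive (Debian package)"),
]


def compile_pattern(hex_pattern: str) -> list:
    """'52 49 46 46 ?? ??' -> [0x52, 0x49, 0x46, 0x46, None, None]; None matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in hex_pattern.split()]


COMPILED = [(compile_pattern(hx), off, exts, desc) for hx, off, exts, desc in SIGNATURES]


def matches(data: bytes, pattern: list, offset: int) -> bool:
    """Compare the pattern against data at the given offset; short data never matches."""
    if len(data) < offset + len(pattern):
        return False
    return all(b is None or data[offset + i] == b for i, b in enumerate(pattern))


def identify(data: bytes) -> list:
    """All descriptions whose signature matches. More than one hit is possible,
    e.g. CA FE BA BE is shared by Java class files and Mach-O fat binaries."""
    return [desc for pat, off, _exts, desc in COMPILED if matches(data, pat, off)]


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the content matches a known signature but none of the matching
    types list the file's extension. Unknown content or no extension gives False,
    because there is nothing to contradict."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if not ext:
        return False
    hits = [exts for pat, off, exts, _desc in COMPILED if matches(data, pat, off)]
    if not hits:
        return False
    return not any(ext in exts for exts in hits)


if __name__ == "__main__":
    # Constructed sample headers, not real files.
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
        "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,      # PE content behind a .pdf name
        "clip.mp4": b"\x00\x00\x00\x18ftypisom\x00\x00",
    }
    for name, head in samples.items():
        print(name, identify(head), "mismatch" if extension_mismatch(name, head) else "ok")
```

Signatures at large offsets (tar, ISO 9660) need that much of the file in memory before they can match, so a scanner that reads only the first few bytes will silently miss them; read at least up to the largest offset in the table plus the pattern length.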