Scripts for analysing and modifying zip files:
./bruteforce_*.sh
- Attempt to extract file by iterating through all possible values for a given metadata property./decrypt_xod.sh
- Create unencrypted xod file from an encrypted one./kaitai_struct/aggregate_file_types.py
- Count files in zip with a given file extension and compression method./kaitai_struct/count_first_3_bits_group_by_compression_method.py
- Visualize histograms of first 3 bits of each file's compressed data./kaitai_struct/enumerate_files.py
- List files in a zip by index
./kaitai_struct/dump_metadata.py
- Serializes and dumps kaitai object as json
One use case is to compare different zip files in a scriptable manner, for example, fields which aren't related to body size, using gron to compare entries in a line-oriented method:
diff -Nauw \
<(./dump_metadata.py a.zip | gron | grep -v '\.\(un\)\?compressed_size') \
<(./dump_metadata.py b.zip | gron | grep -v '\.\(un\)\?compressed_size') \
| vim -c 'set filetype=diff' -
We can catch differences such as the comment bytes:
-json.sections[2].body.comment["py/b64"] = "bWFkZSBmb3IgdWl1Y3RmIGJ5IGt1aWxpbgAAAAAAAAA=";
+json.sections[2].body.comment["py/b64"] = "bWFkZSBmb3IgdWl1Y3RmIGJ5IGt1aWxpbiA6IF+kE0M=";
For comparing multiple files at a time, one can aggregate their fields. During manual analysis, ignore those that appear in all files (i.e. count = number of files):
printf '%s\n' \
a.zip \
b.zip \
c.zip \
| xargs -i sh -c './dump_metadata.py "$1" | gron | grep -v "\.\(un\)\?compressed_size"' _ {} \
| sort | uniq -c | sort -n | vim -c 'set filetype=diff' -
Alternatives: zipdetails, used in the CTF writeup: UIUCTF 2020 - Zip Heck.