View Full Version : how to determine the end of gzipped image

December 27th, 2009, 22:13

i've a difficulty in finding the end of gzipped image binary. it was a compressed linux kernel (i knew because it took random size, and unpack it though it showed an error). i knew that the crc and isize are supposed to placed in the end. but how do you know if it was it?

i was trying to read about how the crc calculated, i mean from where to where, but, i don't really get it after reading the gzip source code.

the image itself was placed in middle of another binary, which i'm not sure what it is yet. i tried with the longest size before another obvious border (another compressed image), but still can't get a good result.


December 28th, 2009, 07:27
Look at here:


My guess is that the next compressed file header, which is easily recognizable by the magic number structure 0x1f,0x8b sits right after the previous compressed file end. Also with the structure of the footer in mind (8 bytes, 4 for the CRC 32, next 4 for the size of the compressed payload) you could code a small heuristic program that scans the file:

while not eof{
read 4 byte integer;
if integer == distance from previous header (+/- 4 byte cushion)
then found;
file_ pointer ++;

December 28th, 2009, 08:26

i think there is a bit wrong with your code.

about the CRC and ISIZE, it's right placed in the end/footer.
but ISIZE is not the size of the image itself (which is compressed). it is the size of the image that has been uncompressed/input size hence named isize.

updated: i figured out that the crc is also, a whole uncompressed image crc.

about the border, i had tried that to block all the way until the next compressed, but gzip unpack give err and produce just 1kb which is bad. (the other one i tried that also give error but produced 1MB, give good result as i see many recognized strings all over).