Thread: how to determine the end of gzipped image

  1. #1
    Registered User
    Join Date
    Jul 2007
    Posts
    61
    Blog Entries
    1

    how to determine the end of gzipped image

    Hello,

    I'm having difficulty finding the end of a gzipped image binary. It was a compressed Linux kernel (I knew because it took random size, and unpack it though it showed an error). I knew that the CRC and ISIZE are supposed to be placed at the end, but how do you know if that was it?

    I was trying to read about how the CRC is calculated, I mean from where to where, but I don't really get it after reading the gzip source code.

    The image itself was placed in the middle of another binary, which I'm not sure what it is yet. I tried with the longest size before another obvious border (another compressed image), but still can't get a good result.

    regards

  2. #2
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Look here:

    http://www.gzip.org/zlib/rfc-gzip.html

    My guess is that the next compressed file header, which is easily recognizable by the magic number structure 0x1f,0x8b sits right after the previous compressed file end. Also with the structure of the footer in mind (8 bytes, 4 for the CRC 32, next 4 for the size of the compressed payload) you could code a small heuristic program that scans the file:

    while not eof {
        read 4 byte integer;
        if integer == distance from previous header (+/- 4 byte cushion)
            then found;
        else
            file_pointer++;
    }

  3. #3
    Registered User
    Join Date
    Jul 2007
    Posts
    61
    Blog Entries
    1
    Nope.

    I think there is something a bit wrong with your code.

    About the CRC and ISIZE, it's right that they are placed at the end/footer.
    But ISIZE is not the size of the image itself (which is compressed). It is the size of the image that has been uncompressed/input size, hence named ISIZE.

    Updated: I figured out that the CRC is also a CRC of the whole uncompressed image.

    About the border, I had tried to block all the way until the next compressed image, but gzip unpacking gives an error and produces just 1kb, which is bad. (The other one I tried also gives an error but produced 1MB, which gives a good result, as I see many recognized strings all over.)
    Last edited by dion; December 28th, 2009 at 08:32.
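
Added example, not part of any post in this thread: one way to locate the end of a gzip member embedded in a larger binary is to let the inflater find it, since the deflate stream is self-terminating and the 8-byte trailer (CRC32 and ISIZE of the uncompressed data, per RFC 1952) follows it directly. The function names and the sample blob are constructed for illustration.

```python
import gzip
import struct
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=deflate (RFC 1952)

def find_gzip_member(blob, start=0):
    """Return (offset, end, payload) for the first gzip member that inflates
    cleanly at or after `start`, or None. `end` is one past the trailer."""
    pos = blob.find(GZIP_MAGIC, start)
    while pos != -1:
        # wbits = 16 + MAX_WBITS: expect gzip framing and verify CRC32/ISIZE.
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)
        try:
            payload = d.decompress(blob[pos:])
        except zlib.error:
            payload = None  # magic bytes occurred by chance, or data is damaged
        if payload is not None and d.eof:
            # Bytes the inflater did not consume lie after the 8-byte trailer.
            end = len(blob) - len(d.unused_data)
            return pos, end, payload
        pos = blob.find(GZIP_MAGIC, pos + 1)
    return None

def trailer_fields(blob, end):
    """Read CRC32 and ISIZE (both little-endian) from the 8 bytes before `end`."""
    return struct.unpack("<II", blob[end - 8:end])

def demo():
    # Constructed sample: a stand-in "kernel" compressed and buried in other bytes,
    # followed by a stray magic sequence that looks like the next member's header.
    kernel = b"Linux version (constructed sample)\n" * 500
    member = gzip.compress(kernel)
    blob = b"\xAA" * 137 + member + GZIP_MAGIC + b"\x55" * 64
    off, end, payload = find_gzip_member(blob)
    crc, isize = trailer_fields(blob, end)
    # Both trailer fields describe the UNCOMPRESSED data, not the member length.
    trailer_ok = (crc, isize) == (zlib.crc32(kernel), len(kernel) % 2**32)
    return off, end, len(member), payload == kernel, trailer_ok

if __name__ == "__main__":
    print(demo())
```

A candidate that is cut short or corrupted never reaches `d.eof`, so it is skipped rather than reported with a guessed length.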
