zipdump & PKZIP Records, (Sun, Nov 10th)
2024-11-10 23:14:6 Author: isc.sans.edu

In yesterday's diary entry "zipdump & Evasive ZIP Concatenation" I showed how one can inspect the PKZIP records that make up a ZIP file.

My tool zipdump.py can also inspect the data of PKZIP file records, and decompress it (not decrypt it).

To select the data of a PKZIP file record, use option -s data. Here we also use option -a to do a hex-ascii dump of the data:

When option -d is used (to perform a binary dump), only the raw data is sent to stdout, with no other metadata:

And when option -s decompress is used, the data is decompressed (only INFLATE is supported):

These options could also be helpful for corrupt ZIP files.
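To illustrate why reading file records directly helps with corrupt ZIP files, here is an added Python example (not zipdump.py's code and not part of the original diary entry). It scans for PKZIP local file header records, selects each record's data, and decompresses it with raw INFLATE. The function names and the truncated sample archive are constructed for this illustration.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"   # signature of a PKZIP local file header record
LOCAL_FMT = "<4s5H3I2H"     # 30-byte fixed part of that record
STORED, DEFLATED = 0, 8     # the two compression methods handled here

def file_records(blob):
    """Scan for local file headers; yield (name, flags, method, raw data)."""
    pos = blob.find(LOCAL_SIG)
    while pos != -1 and pos + 30 <= len(blob):
        (_, _, flags, method, _, _, _, csize, _, nlen, xlen) = \
            struct.unpack_from(LOCAL_FMT, blob, pos)
        start = pos + 30 + nlen + xlen          # data follows name and extra field
        name = blob[pos + 30:pos + 30 + nlen].decode("cp437")
        yield name, flags, method, blob[start:start + csize]
        pos = blob.find(LOCAL_SIG, start + csize)  # resume after this record's data

def decompress(flags, method, raw):
    """Return the record's content, or None if encrypted or an unhandled method."""
    if flags & 0x0001:                          # bit 0 set: data is encrypted
        return None
    if method == STORED:
        return raw
    if method == DEFLATED:
        inflater = zlib.decompressobj(-15)      # raw DEFLATE stream, no zlib header
        return inflater.decompress(raw) + inflater.flush()
    return None

def recover(blob):
    """Map member name -> content for every file record found in blob."""
    return {name: decompress(flags, method, raw)
            for name, flags, method, raw in file_records(blob)}

def build_truncated_sample():
    """Constructed sample: a two-member ZIP with its central directory cut off."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("note.txt", b"hello from a PKZIP file record\n" * 4)
        z.writestr("raw.bin", b"\x00\x01\x02\x03", compress_type=zipfile.ZIP_STORED)
    blob = buf.getvalue()
    # The 22-byte end-of-central-directory record stores the directory offset at +16.
    cd_offset = struct.unpack_from("<I", blob, len(blob) - 6)[0]
    return blob[:cd_offset]                     # keep only the file records

if __name__ == "__main__":
    for name, data in recover(build_truncated_sample()).items():
        print(name, data)
```

Python's zipfile module rejects the truncated sample because the central directory is gone, while the record scan still returns both members.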

Didier Stevens
Senior handler
blog.DidierStevens.com


Source: https://isc.sans.edu/diary/rss/31428