
Comments (6)

devttys0 commented on July 18, 2024

You can't do negative offsets, but you can do something like this:

 0x108    string    \x1f\x8b\x08    Packed gzip file,
 >0       string    x               original file name: "%s"

Note that non-zero starting offsets were not supported in binwalk versions prior to 2.0 (current master branch).

from binwalk.

richud commented on July 18, 2024

hi devttys0, thanks for the quick reply.
I can now see the file names, but the produced files are starting at the file name offset, not the gzip start. (Also {file-name} doesn't seem to be working with --dd.)
Thanks for any suggestions!

0x108    string    \x1f\x8b\x08    Packed gzip file,
>0       string    x               {file-name:%s}
>0       string    x               original file name: "%s"

$ /usr/local/bin/binwalk --dd=gzip:gz WIN_R590_11JB.exe

DECIMAL       HEXADECIMAL     DESCRIPTION
------------------------------------------------------------------------------------------------------------------------------------------------------
105439        0x19BDF         Copyright string: " 1995-2002 Jean-loup Gailly "
109335        0x1AB17         Copyright string: " 1995-2002 Mark Adler "
132096        0x20400         LZMA compressed data, properties: 0x40, dictionary size: 16777216 bytes, uncompressed size: 2048 bytes
143144        0x22F28         LZMA compressed data, properties: 0x40, dictionary size: 16777216 bytes, uncompressed size: 2048 bytes
172044        0x2A00C         Packed gzip file,  original file name: "01KVB.wph.gz"
1423487       0x15B87F        Packed gzip file,  original file name: "11JBB.wph.gz"
2736292       0x29C0A4        Packed gzip file,  original file name: "AddMem.sys.gz"
2738148       0x29C7E4        Packed gzip file,  original file name: "ConResChs.dll.gz"
2755835       0x2A0CFB        Packed gzip file,  original file name: "ConResCht.dll.gz"
2773495       0x2A51F7        Packed gzip file,  original file name: "ConResEn.dll.gz"
2791489       0x2A9841        Packed gzip file,  original file name: "ConResFr.dll.gz"
2809592       0x2ADEF8        Packed gzip file,  original file name: "ConResGr.dll.gz"
2827695       0x2B25AF        Packed gzip file,  original file name: "ConResKr.dll.gz"
2845604       0x2B6BA4        Packed gzip file,  original file name: "ConResPo.dll.gz"
2863713       0x2BB261        Packed gzip file,  original file name: "ConResRu.dll.gz"
<SNIP>
$ ls -la
total 26964
drwxr-xr-x 2 rich rich    4096 Mar  5 08:05 .
drwxr-xr-x 5 rich rich    4096 Mar  5 08:05 ..
-rw-r--r-- 1 rich rich 2692988 Mar  5 08:05 15B87F.gz
-rw-r--r-- 1 rich rich 1380183 Mar  5 08:05 29C0A4.gz
-rw-r--r-- 1 rich rich 1378327 Mar  5 08:05 29C7E4.gz
-rw-r--r-- 1 rich rich 3944431 Mar  5 08:05 2A00C.gz
-rw-r--r-- 1 rich rich 1360640 Mar  5 08:05 2A0CFB.gz
-rw-r--r-- 1 rich rich 1342980 Mar  5 08:05 2A51F7.gz
<SNIP>


devttys0 commented on July 18, 2024

You can adjust the reported/extracted offset using the offset-adjust keyword:

 0x108    string    \x1f\x8b\x08    Packed gzip file,{offset-adjust:0x108}
 >0       string    x               {file-name:%s}
 >0       string    x               original file name: "%s"

This will cause the reported (and extracted) offset to start 0x108 bytes away from the beginning of the packed file.

I looked into the file-name issue and found it was a bug in the code; I've fixed it and committed it to the master branch.

Also, since the file names already have the file extension 'gz', you can simplify your --dd option so that you don't get double file extensions (e.g., ConResRu.dll.gz.gz):

 binwalk --dd=gzip WIN_R590_11JB.exe

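As an added illustration (not code from the binwalk project or from either poster), the Python scanner below applies the same layout the signature above encodes: it finds each gzip stream, steps back 0x108 bytes to the packed entry's start (what {offset-adjust:0x108} does to the reported offset), reads the original file name at offset 0, inflates exactly one gzip member, and strips the embedded name down to its base name before it is used on disk, since that name comes from the scanned image. The entry layout, the helper names and the sample data are assumptions.

```python
import gzip
import os
import zlib

# Layout assumed from the signature in this thread: each packed entry starts with a
# NUL-terminated original file name and the gzip stream begins 0x108 bytes later.
GZIP_MAGIC = b"\x1f\x8b\x08"
HEADER_LEN = 0x108


def is_printable(name):
    # Same check as the signature's "string x" at offset 0: non-empty printable ASCII.
    return bool(name) and all(0x20 <= c < 0x7f for c in name)


def find_packed_gzip(blob):
    """Return (entry_offset, original_name, gzip_offset) for every entry found."""
    entries = []
    pos = 0
    while (hit := blob.find(GZIP_MAGIC, pos)) >= 0:
        start = hit - HEADER_LEN          # the adjusted offset binwalk would report
        if start >= 0:
            name = blob[start:hit].split(b"\x00", 1)[0]
            if is_printable(name):
                entries.append((start, name.decode("ascii"), hit))
        pos = hit + 1
    return entries


def extract_member(blob, gzip_offset):
    """Inflate exactly one gzip member; returns (data, member_length_in_bytes)."""
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)   # +16: expect a gzip wrapper
    data = d.decompress(blob[gzip_offset:])
    if not d.eof:
        raise ValueError("truncated gzip member at 0x%x" % gzip_offset)
    return data, len(blob) - gzip_offset - len(d.unused_data)


def safe_output_name(embedded_name):
    """The embedded name is untrusted input from the image: keep only its base name."""
    base = os.path.basename(embedded_name.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise ValueError("unusable file name %r" % embedded_name)
    return base[:-3] if base.endswith(".gz") else base   # avoids the .gz.gz double suffix


def build_entry(name, payload):
    """Constructed sample data only: one entry in the layout described above."""
    return name.encode("ascii").ljust(HEADER_LEN, b"\x00") + gzip.compress(payload, mtime=0)


# Constructed two-entry image using names that appear in the thread's output.
SAMPLE = build_entry("01KVB.wph.gz", b"A" * 4096) + build_entry("AddMem.sys.gz", b"MZ" * 300)
```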

richud commented on July 18, 2024

ahh brilliant, many thanks for the help - now working with the below for auto extraction!
(using -e appears to not work though)
(and a very minor thing, but ~ doesn't expand for home, i.e. -m"~/.binwalk/magic/binwalk" fails)

/usr/local/bin/binwalk --dd="gzip::gunzip %e" -m"/home/rich/.binwalk/magic/binwalk" WIN_R590_11JB.exe


devttys0 commented on July 18, 2024

If you look at the extraction rules implemented by the -e option, it only auto-gunzips results whose description starts with the string 'gzip'. If you change your signature description string to something like "gzip packed file", then -e should work, although you'll get an extra .gz file extension since your original file name already has .gz in it.

The tilde path expansion is done by the shell, so binwalk doesn't have control over that. If you use it without the quotes and with a space between the -m and the path, it should work:

 /usr/local/bin/binwalk --dd="gzip::gunzip %e" -m ~/.binwalk/magic/binwalk WIN_R590_11JB.exe


richud commented on July 18, 2024

hmm, -e still doesn't seem to work with the changed description, but it doesn't matter as --dd works.
many thanks for all your help and the great program!
