Extract compressed blobs from binaries

Jeremy Rauch | December 12th, 2005 | Filed Under: Matasano

A few months ago, Tom made a post about having to extract gzip’d content out of a binary glob.

At that time, I gave him a tool I had quickly written to extract zlib contents from binaries — very common in firmware for routers, switches and the like. Its come in very handy when we’ve done product evaluation work. Have firmware you want strings from? Use this tool, and cat the contents of the files it produces to strings. You could use the output to check for hidden passwords or SNMP communities. Have a weird kernel dump that seems unreadable? Maybe it has zlib compressed components.

I cleaned up the code, added support for extracting gzip components, and added the little “user friendly” features (like actually not crashing if you don’t pass in a filename. Oops).

Its been extremely useful, in spite of how simple it is. Maybe it can be of use for you too. I call it deezee, because thats what it does — it de-zlibs or de-gzips sections out of whatever you send its way.

Download it here.

Using it is easy. Simply supply the name of a file to extract compressed components from. Every decompressed component will be placed in an individual file with the same name as the file you’re extracting from, with the addition of a numerically increasing extension.

$ ls -l firmware.bin
  -rwx------   1 jrauch   other     731336 Dec 13 00:27 firmware.bin*
  $ ./deezee firmware.bin
  Scanning file firmware.bin for compressed components
  Compressed size: 731336 bytes
  Compressed segment found.  Expanded to 2407948 bytes
  $ ls -l firmware.bin.0
  -rw-------   1 jrauch     other    2407948 Dec 13 00:28 firmware.bin.0