What could cause invalid distance too far back and how to modify zlib to fix it?

Question

I am trying to decompress a raw stream of data from a 3rd party source. The data is compressed with zlib library (version 1.2.13) and transmitted over TCP protocol. I was able to capture both compressed and uncompressed streams of data using WireShark and a mix of reverse engineering methods:

Compressed form: 0xCA 0x05 0xDB 0xC8 0xE8 0x07 0x22 0x01 0x00

Uncompressed form: 0x6D 0x4D 0x7D 0x9B 0x7C 0x07 0x01 0x4E 0x7D 0x9B 0x7C 0x07 0x00

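    #include <zlib.h>

    /* Inflate the captured fragment as raw deflate; returns the zlib status. */
    int inflate_fragment(void)
    {
        z_stream strm;
        unsigned char in[9] = {0xCA, 0x05, 0xDB, 0xC8, 0xE8, 0x07, 0x22, 0x01, 0x00};
        static unsigned char out[65535] = {0};

        strm.zalloc = Z_NULL;
        strm.zfree = Z_NULL;
        strm.opaque = Z_NULL;
        /* next_in and avail_in must be set before inflateInit2() */
        strm.next_in = in;
        strm.avail_in = sizeof in;

        /* negative windowBits selects raw deflate (no zlib header or trailer) */
        int ret = inflateInit2(&strm, -15);
        if (ret != Z_OK)
            return ret;

        strm.next_out = out;
        strm.avail_out = sizeof out;
        strm.total_out = 0;

        ret = inflate(&strm, Z_SYNC_FLUSH);
        inflateEnd(&strm);
        return ret;
    }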

Initially, the inflate function returned -3 (with the message "invalid distance too far back"). I then recompiled zlib with two modifications: added the DINFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR flag and changed sane = 0 in the inflateResetKeep function to allow an invalid distance.

After these modifications, calling the inflate function, I am getting the following result (in the output buffer):

0x6D 0x00 0x00 0x00 0x00 0x00 0x01 0x4E 0x00 0x00 0x00 0x00 0x00

I've tried to debug this deflate stream with the infgen tool, but it gives me an error saying "incomplete deflate stream."

There is a chance that the deflate stream comes from a modified zlib library (but I am not sure about it). Could anyone point me in the right direction, please?

Answer 1

Score: 6

Your data is a fragment of a deflate stream. Those bits disassembled are:

    ! infgen 3.0 output
    !
    fixed
    literal 'm
    match 5 114
    infgen warning: distance too far back (114/1)
    literal 1 'N
    match 4 6
    end
    !
    stored
    infgen warning: incomplete deflate data

It needs five bytes from 113 bytes before the start of this data, which would be part of an earlier portion of the deflate stream. Later, four of those five bytes that you don't have get repeated again.

It is not possible to get the data you are expecting just from that fragment of a deflate stream. The 0x4D 0x7D 0x9B 0x7C 0x07 you are expecting has to come from somewhere else.
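The behaviour described in this answer, reproduced with Python's zlib binding as an added example (not code from the question or the answer). `MSG2` is the plaintext from the question; `MSG1`, the sender model and all function names are constructed for illustration, on the assumption that the sender keeps one raw-deflate stream open and sync-flushes after each message.

```python
import zlib

# Constructed sample data: MSG2 is the plaintext from the question; MSG1 is a
# made-up earlier message that happens to contain the bytes MSG2 repeats.
MSG1 = bytes(range(0x20, 0x60)) + bytes.fromhex("4d7d9b7c07") + bytes(range(0x80, 0xC0))
MSG2 = bytes.fromhex("6d4d7d9b7c07014e7d9b7c0700")


def sender_fragments(messages):
    """Compress every message with ONE raw-deflate stream, sync-flushing after each."""
    comp = zlib.compressobj(wbits=-15)
    return [comp.compress(m) + comp.flush(zlib.Z_SYNC_FLUSH) for m in messages]


def inflate_alone(fragment):
    """Inflate a fragment with a fresh decompressor. Returns (data, error_text)."""
    try:
        return zlib.decompressobj(wbits=-15).decompress(fragment), None
    except zlib.error as exc:
        return None, str(exc)


def inflate_in_order(fragments):
    """Feed all fragments, in capture order, to one long-lived decompressor."""
    decomp = zlib.decompressobj(wbits=-15)
    return [decomp.decompress(f) for f in fragments]


def inflate_with_history(fragment, history):
    """Inflate a later fragment after preloading the window with prior plaintext."""
    decomp = zlib.decompressobj(wbits=-15, zdict=history[-32768:])
    return decomp.decompress(fragment)


if __name__ == "__main__":
    frag1, frag2 = sender_fragments([MSG1, MSG2])
    print("fragment 2:", frag2.hex(" "))
    print("alone:", inflate_alone(frag2))
    print("in order:", inflate_in_order([frag1, frag2])[1].hex(" "))
    print("with history:", inflate_with_history(frag2, MSG1).hex(" "))
```

The second fragment only decodes when the decompressor has seen the earlier output, either by inflating the stream from its start with one state object or by supplying the preceding plaintext as the window.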

huangapple
  • Posted on 2023-05-22 22:28:44
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76307220.html