Hello, Didier Stevens here. I'm going to show you how you can use my updated zipdump tool to analyze malformed zip files. And we are going to do this with a sample that Xavier Mertens analyzed and wrote a diary entry about at the Internet Storm Center. It was a malicious document with VBA macros, an OOXML file, so an Office Open XML file. That's a zip file that contains XML files and also an OLE file with the macros. This file was obfuscated or malformed because there was a character in front of the header, the start of the first record of the zip file. Xavier found out that in front of the PK there was a character, and that character is a newline character. So I'm going to show you how you can analyze malformed zip files like these with my zipdump tool.

First of all, if you run oledump on this sample, you get an error message telling you it is not a valid OLE file. oledump is also able to analyze OOXML files, so zip containers, but it doesn't recognize this as a zip container. Also, if we run zipdump on it, my tool to analyze zip files, you also get an error: the zip file is not recognized.

Now, a feature that has been present since version 0.0.16 in zipdump is scanning any arbitrary binary file that you give it for PK zip records, so the different records that make up a zip file. You do this with -f, find, and l for listing, like this. Then you get a list of all the PK records inside that file. And as you can see here, the first entry is actually not a PK record, it's data. You see here the index P: this is prefix data, data that is prefixed to the file. We can actually select that data to take a look: find the prefix, -f P. As you can see, by default you get a hexadecimal/ASCII dump, and this is a newline character, 0A in hexadecimal.

Now, if we go back to the listing, the last record, PK end, is the end of central directory record.
That's the record that is normally at the end of a zip file, and that is the record that is parsed to find the other elements. Here you have a record for each file with its compressed content, and then you have records that are directory entries. So for each file, like here [Content_Types].xml, you have a directory entry. And at the end of the directory entries, you have an end of central directory record. One of the fields inside this record is pointing to that first directory record. As you can see, there is a message here: one byte is missing. So this end of central directory record is actually one byte short.

We can also select this. If you select an end of central directory record like this, -f 1, then zipdump will parse that zip file. But we get an error, and the error that we get is because of that missing byte. There's a new option, --info, that provides you more info when you select an end of central directory record. Here you can see that the record is almost normal; here is, for example, the offset that I told you about. The only thing is that there is one byte missing at the end, and that makes the last field, the comment length field, incomplete. If there is no comment, that field is just two bytes long, 00 00. But here we are missing one byte: as you can see, this field is just one zero byte and it should be two null bytes.

So one way we can fix this is to use my cut-bytes tool. My cut-bytes tool allows you to add a suffix or a prefix to any arbitrary data that you give it. So what I'm going to do here is, as a suffix, add some hexadecimal data, a null byte, and next select the complete file. That's my cut expression to select the complete file, and here I select that file.
By doing so, the output of this command will be the content of this file with the suffix appended to it. Then we can pipe this into zipdump and say find, listing, like this. As you can see, now we have no error; the file is complete. And then, find the first end of central directory record, -f 1, and you get the content of that zip file: the zip file is being parsed like zipdump would do usually. Then you can, for example, select vbaProject.bin. That's entry five, so select five, do a binary dump and pipe this, for example, into oledump. And here you can see the streams with the macros.

Now, this can also be done a bit simpler. Remember, this sample is malformed because, one, there's an extra byte at the beginning, a newline, and, two, there is a byte missing at the end. What we did here with this cut expression is append the missing byte. What we can also do at the same time with this cut expression is remove that leading newline. This is done just by selecting everything from position one, and the first byte is position zero. So: select everything from position one until the end, included. That gives a fixed zip file. And then we can pipe this directly into oledump, which will now recognize it as an Office Open XML file and show you the macros.
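To show what the steps above are doing under the hood, here is an added example of my own (not Didier Stevens' code and not zipdump.py or cut-bytes.py themselves): it scans arbitrary bytes for PK records the way zipdump's find/list does, parses the end of central directory record to detect that it is one byte short, and applies the same repair as the cut expression (drop the leading newline, append the missing null byte). The sample it works on is constructed in memory, and the OLE content in it is a placeholder, not a real vbaProject.bin.

```python
import io
import struct
import zipfile

# PK signatures that zipdump.py reports when scanning arbitrary data (-f l)
SIGNATURES = {b"PK\x03\x04": "local file header",
              b"PK\x01\x02": "central directory entry",
              b"PK\x05\x06": "end of central directory"}
EOCD_LEN = 22  # fixed size of the EOCD record; its last field is the 2-byte comment length

def find_pk_records(data):
    """Locate every PK record in arbitrary bytes; leading non-PK data is listed as prefix."""
    records, pos = [], 0
    while True:
        hits = [(data.find(sig, pos), name) for sig, name in SIGNATURES.items()]
        hits = [h for h in hits if h[0] != -1]
        if not hits:
            return records
        off, name = min(hits)
        if not records and off > 0:
            records.append((0, "prefix data, %d byte(s)" % off))
        records.append((off, name))
        pos = off + 4

def check_eocd(data, off):
    """Parse the EOCD record at off and report how many bytes it is short."""
    missing = max(0, EOCD_LEN - (len(data) - off))
    if missing:
        return {"missing_bytes": missing}
    entries, cd_size, cd_offset, comment_len = struct.unpack("<HIIH", data[off + 10:off + 22])
    return {"missing_bytes": 0, "entries": entries, "cd_offset": cd_offset, "comment_len": comment_len}

def repair(data, prefix_len, suffix):
    """Same fix as the cut-bytes.py step: drop the prefix, append the missing byte(s)."""
    return data[prefix_len:] + suffix

def zip_names(data):
    """File names in the archive, or None when Python's zipfile rejects it."""
    try:
        return zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        return None

def build_malformed_sample():
    """Constructed sample: small OOXML-style zip, newline prepended, last byte dropped."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed, not a real OLE")
    return b"\n" + buf.getvalue()[:-1]
```

Run `find_pk_records(build_malformed_sample())` to see the prefix entry and the records, and `zip_names(repair(sample, 1, b"\x00"))` to confirm the repaired archive parses again.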