Malware Domain List

Malware Related => Malware Analysis => Topic started by: freelancer_blr on June 05, 2010, 06:16:19 pm

Title: inflate the flatedecode stream ?
Post by: freelancer_blr on June 05, 2010, 06:16:19 pm
Can somebody help me with how to inflate the FlateDecode stream, please?
Title: Re: inflate the flatedecode stream ?
Post by: SysAdMini on June 05, 2010, 06:43:04 pm
Where is the file ?
Title: Re: inflate the flatedecode stream ?
Post by: freelancer_blr on June 05, 2010, 07:20:13 pm
Just tell me the steps; I will try them out here.

I tried the pdf-parser -f switch and pdftk as well, but they don't work :(
Title: Re: inflate the flatedecode stream ?
Post by: Garlando on June 05, 2010, 10:15:18 pm
Do it manually:

<?php
// $x must hold the raw bytes between the "stream" and "endstream" keywords;
// a FlateDecode stream is a zlib stream, which gzuncompress() inflates.
// 'stream.bin' is a placeholder path for a file holding those raw bytes.
$x = file_get_contents('stream.bin');
echo gzuncompress($x);
?>
Title: Re: inflate the flatedecode stream ?
Post by: MysteryFCM on June 05, 2010, 10:22:07 pm
Just tell me the steps; I will try them out here.

I tried the pdf-parser -f switch and pdftk as well, but they don't work :(

Without the file, it's a little difficult to determine *WHY* it's not working for you, so unless you're prepared to provide either the file or a URL to it, it's unlikely you're going to be assisted.
Title: Re: inflate the flatedecode stream ?
Post by: MysteryFCM on June 05, 2010, 10:23:14 pm
Do it manually:

<?php
// $x must hold the raw bytes between the "stream" and "endstream" keywords;
// a FlateDecode stream is a zlib stream, which gzuncompress() inflates.
// 'stream.bin' is a placeholder path for a file holding those raw bytes.
$x = file_get_contents('stream.bin');
echo gzuncompress($x);
?>

Bear in mind, this won't work for some PDFs ITW, and it additionally risks running the actual code inside them if you use this method ;) (you'd be better off dumping the data to a file rather than echoing it out).
Title: Re: inflate the flatedecode stream ?
Post by: Garlando on June 06, 2010, 11:06:08 am
Do it manually:

<?php
// $x must hold the raw bytes between the "stream" and "endstream" keywords;
// a FlateDecode stream is a zlib stream, which gzuncompress() inflates.
// 'stream.bin' is a placeholder path for a file holding those raw bytes.
$x = file_get_contents('stream.bin');
echo gzuncompress($x);
?>

Bear in mind, this won't work for some PDFs ITW, and it additionally risks running the actual code inside them if you use this method ;) (you'd be better off dumping the data to a file rather than echoing it out).

It won't be executed anyway; browsers require <script> tags, PDFs don't :)
Title: Re: inflate the flatedecode stream ?
Post by: MysteryFCM on June 06, 2010, 09:20:00 pm
I've come across a few PDFs that I've decoded using that method, and a couple of them have still executed, thanks to Adobe being plugged into IE (one of the reasons I don't run Adobe now).
Title: Re: inflate the flatedecode stream ?
Post by: freelancer_blr on June 07, 2010, 02:34:46 am
Here is the stream code.
Title: Re: inflate the flatedecode stream ?
Post by: WIEx on June 08, 2010, 03:42:19 am
double flate
Title: Re: inflate the flatedecode stream ?
Post by: parody on June 08, 2010, 03:48:39 pm
He's wanting us to do the puzzle on http://blog.didierstevens.com/2010/06/03/a-win7-puzzle/ ;)   Nice try...   BUT NO WINDOWS LICENSE FOR YOU!   ONE YEAR!  </soupnazi>
Title: Re: inflate the flatedecode stream ?
Post by: freelancer_blr on June 10, 2010, 06:17:55 pm
Nah, not for the license... I am a newbie to this domain and need to understand. It seems they used pdftk to uncompress, then used hexdump to decode the text... can someone please explain why those steps are taken?
Title: Re: inflate the flatedecode stream ?
Post by: binary on June 11, 2010, 03:52:14 am
Here you go... I used notepad to extract the stream from the PDF.

Use the Python script against all the attached files. If you use the script against "puzzle - stream extracted - 397 byte" you will get "stream after first decoding"... if you use the script against that you will get a 100 MB file that's filled with hex '20' (spaces)... if you search through them you will get the answer to the puzzle: "De Ultieme Hallucinatie"

By the way results are already out... :P
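The steps the thread sketches (cut the bytes between "stream" and "endstream", inflate them with zlib, inflate again because the puzzle is "double flate", write the result to a file rather than echoing it, then skip over the filler spaces to find the message) as one Python script. This is an added example, not binary's attached script, Garlando's PHP, or anything from Didier Stevens' puzzle; the PDF blob, the double-compressed payload, and the hidden phrase "CONSTRUCTED SAMPLE MESSAGE" are all constructed here so it runs offline, and the function names are the example's own.

```python
import os
import re
import tempfile
import zlib

# Match the body of a PDF stream object. PDF allows CRLF or LF after the
# "stream" keyword; the lazy match stops at the first "endstream".
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def extract_streams(pdf_bytes: bytes) -> list:
    """Return the raw bytes of every stream...endstream body in a PDF blob."""
    return [m.group(1) for m in STREAM_RE.finditer(pdf_bytes)]


def looks_like_zlib(data: bytes) -> bool:
    """Heuristic zlib-header check: CMF byte 0x78 (deflate, 32K window) and
    CMF*256+FLG divisible by 31, as the zlib spec requires."""
    if len(data) < 2 or data[0] != 0x78:
        return False
    return ((data[0] << 8) | data[1]) % 31 == 0


def inflate_fully(data: bytes, max_rounds: int = 4) -> tuple:
    """Inflate repeatedly while the output still looks like a zlib stream.
    This is what handles a 'double flate' stream. Returns (plaintext, rounds);
    max_rounds bounds the work if someone nests the compression deeply."""
    rounds = 0
    while rounds < max_rounds and looks_like_zlib(data):
        data = zlib.decompress(data)
        rounds += 1
    return data, rounds


def non_space_text(data: bytes) -> bytes:
    """Collapse the filler whitespace so the real message is visible without
    paging through a dump that is mostly hex 20."""
    return b" ".join(data.split())


def dump_to_file(data: bytes, path: str) -> int:
    """Write the decoded bytes to disk instead of echoing them, so nothing in
    the decoded content is handed to a browser or viewer. Returns bytes written."""
    with open(path, "wb") as fh:
        return fh.write(data)


# --- constructed sample: a tiny PDF carrying a double-flated stream ---------
SECRET = b"CONSTRUCTED SAMPLE MESSAGE"           # constructed, not the puzzle answer
PAYLOAD = b" " * 50_000 + SECRET + b" " * 50_000  # mostly spaces, like the puzzle
INNER = zlib.compress(PAYLOAD)                    # first FlateDecode layer
OUTER = zlib.compress(INNER)                      # second layer ("double flate")
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(OUTER)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + OUTER + b"\nendstream\nendobj\n%%EOF\n"
)


if __name__ == "__main__":
    for i, raw in enumerate(extract_streams(SAMPLE_PDF)):
        text, rounds = inflate_fully(raw)
        out = os.path.join(tempfile.gettempdir(), f"decoded_stream_{i}.bin")
        written = dump_to_file(text, out)
        print(f"stream {i}: {len(raw)} bytes -> {written} bytes after {rounds} inflate round(s), saved to {out}")
        print("message:", non_space_text(text).decode("ascii", "replace"))
```

On a real file, read the PDF with `open(path, "rb").read()` in place of `SAMPLE_PDF`; streams that are not zlib (no 0x78 header, or a filter other than FlateDecode, which is the "won't work for some PDFs ITW" case) are written out untouched with `rounds == 0`, so nothing is silently lost.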