Author Topic: inflate the flatedecode stream ?  (Read 10134 times)


June 05, 2010, 06:16:19 pm

freelancer_blr

Can somebody help me with how to inflate the FlateDecode stream, please?

June 05, 2010, 06:43:04 pm
Reply #1

SysAdMini

Ruining the bad guy's day

June 05, 2010, 07:20:13 pm
Reply #2

freelancer_blr

Just tell me the steps... I will try them out here.

I tried the pdf-parser -f switch and pdftk as well, but it doesn't work :(

June 05, 2010, 10:15:18 pm
Reply #3

Garlando

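Do it manually:

<?php
// Placeholder: put the raw bytes of the FlateDecode stream here (gzuncompress() expects zlib-format data)
$x = 'gz compressed stream';
echo gzuncompress($x);
?>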

June 05, 2010, 10:22:07 pm
Reply #4

MysteryFCM

> Just tell me the steps... I will try them out here.
>
> I tried the pdf-parser -f switch and pdftk as well, but it doesn't work :(

Without the file, it's a little difficult to determine *WHY* it's not working for you, so unless you're prepared to provide either the file, or URL to such, it's unlikely you're going to be assisted.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

June 05, 2010, 10:23:14 pm
Reply #5

MysteryFCM

> Do it manually:
>
> <?php
> $x = 'gz compressed stream';
> echo gzuncompress($x);
> ?>

Bear in mind, this won't work for some PDFs ITW, and additionally risks running the actual code inside them if using this method ;) (you'd be better off dumping the data to a file, rather than echo'ing it out).
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

June 06, 2010, 11:06:08 am
Reply #6

Garlando

> > Do it manually:
> >
> > <?php
> > $x = 'gz compressed stream';
> > echo gzuncompress($x);
> > ?>
>
> Bear in mind, this won't work for some PDFs ITW, and additionally risks running the actual code inside them if using this method ;) (you'd be better off dumping the data to a file, rather than echo'ing it out).

It won't be executed anyway; browsers require <script> tags, PDFs don't :)

June 06, 2010, 09:20:00 pm
Reply #7

MysteryFCM

I've come across a few PDFs that I've decoded using that method, and a couple of them have still executed, thanks to Adobe being plugged into IE (one of the reasons I don't run Adobe now).
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

June 07, 2010, 02:34:46 am
Reply #8

freelancer_blr

Here is the stream code.

June 08, 2010, 03:42:19 am
Reply #9

WIEx


June 08, 2010, 03:48:39 pm
Reply #10

parody

He's wanting us to do the puzzle on http://blog.didierstevens.com/2010/06/03/a-win7-puzzle/ ;)   Nice try...   BUT NO WINDOWS LICENSE FOR YOU!   ONE YEAR!  </soupnazi>

June 10, 2010, 06:17:55 pm
Reply #11

freelancer_blr

Nah, not for the license... I am a newbie to this domain... I need to understand. It seems they have used pdftk to uncompress, then they have used hexdump to decode the text... Can someone please explain to me why those steps are taken?

June 11, 2010, 03:52:14 am
Reply #12

binary

Here you go... I used Notepad to extract the stream from the PDF.

Use the Python script against all the attached files. If you use the script against "puzzle - stream extracted - 397 byte" you will get "stream after first decoding"... If you use the script against that, you will get a 100 MB file that's filled with hex '20' (spaces)... If you search through them you will get the answer for the puzzle - "De Ultieme Hallucinatie"

By the way, results are already out... :P
There are only 10 kinds of people in this world, those who understand binary and those who don't
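
Added example, not part of any post in this thread: the manual inflate step from the replies above, written in Python. It caps the inflated size (the puzzle stream described above grows from 397 bytes to about 100 MB), peels nested FlateDecode layers, and writes the result to a file rather than echoing it. The function names, the `MAX_OUT` cap and the embedded sample (a constructed stand-in, not the puzzle file) are assumptions.

```python
import re
import zlib

MAX_OUT = 8 * 1024 * 1024  # assumed per-layer cap; raise it deliberately if needed
# Capture everything up to "endstream"; the EOL left at the end is harmless
# because zlib stops at the end of the compressed data.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def extract_streams(pdf: bytes) -> list[bytes]:
    """Return the raw body of every stream ... endstream pair in the file."""
    return [m.group(1) for m in STREAM_RE.finditer(pdf)]


def inflate_bounded(data: bytes, limit: int = MAX_OUT) -> bytes:
    """Inflate one FlateDecode (zlib) layer, producing at most `limit` bytes."""
    d = zlib.decompressobj()
    out = d.decompress(data, limit)
    if not d.eof:  # output hit the cap, or the stream is cut short
        raise ValueError("stream is truncated or inflates past the limit")
    return out


def peel(data: bytes, limit: int = MAX_OUT) -> tuple[int, bytes]:
    """Inflate repeatedly until the result is no longer a zlib stream."""
    layers = 0
    while True:
        try:
            data = inflate_bounded(data, limit)
        except zlib.error:  # not zlib data: this is the innermost layer
            return layers, data
        layers += 1


def build_sample() -> bytes:
    """Constructed sample: a marker buried in space padding, deflated twice."""
    plain = b" " * 1_000_000 + b"CONSTRUCTED-MARKER" + b" " * 1_000_000
    body = zlib.compress(zlib.compress(plain))
    head = b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(body)).encode()
    return head + b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n"


if __name__ == "__main__":
    for i, raw in enumerate(extract_streams(build_sample())):
        layers, data = peel(raw)
        # Write the result to disk as inert bytes instead of echoing it anywhere
        # that might render it.
        with open(f"stream_{i}.bin", "wb") as fh:
            fh.write(data)
        print(i, layers, len(data), data.strip()[:40])
```

The regex scan ignores `/Length` and cross-reference tables on purpose, since files like these often carry wrong values there; streams using other filters (ASCIIHexDecode, predictors, encryption) need their own decoding step first.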