Skip to content

Instantly share code, notes, and snippets.

@williballenthin

williballenthin/_kaitai-examples.md

Last active August 18, 2020 22:00
Show Gist options
  • Save williballenthin/8a1d2d9273b20461139542b104b9e799 to your computer and use it in GitHub Desktop.
Save williballenthin/8a1d2d9273b20461139542b104b9e799 to your computer and use it in GitHub Desktop.
Download ZIP
parsing some test data with kaitai
Raw
_kaitai-examples.md

here i'm parsing some test data with kaitai to see what it can extract.

this is the dumper that i'm using:

import binascii
import tabulate

PRIMATIVE_TYPES = (str, bytes, int)

def truncate(s, width=0x10):
    if len(s) > width:
        return s[:width] + "..."
    else:
        return s

def dump_primative(v, path):
    if isinstance(v, str):
        v = '"' + v + '"'
    elif isinstance(v, bytes):
        v = "hex(" + truncate(binascii.hexlify(v).decode("ascii")) + ")"
    elif isinstance(v, int):
        v = hex(v)
        
    return (".".join(path), v)

def dump(o, path=()):
    rows = []
    for f in sorted(dir(o)):
        if f.startswith("_"): continue
        if f in ("close", "from_bytes", "from_file", "from_io"): continue
        v = getattr(o, f)
        
        if isinstance(v, type):
            continue  
        elif isinstance(v, PRIMATIVE_TYPES):
            rows.append(dump_primative(v, path + (f, )))
        elif isinstance(v, list):
            for i, v in enumerate(v):
                rows.extend(dump(v, path + (f, "[%d]" % i)))
        else:
            rows.extend(dump(v, path + (f, )))
    return rows


from kaitaistruct import KaitaiStream, BytesIO
with open("/mnt/c/Windows/System32/kernel32.dll", "rb") as f:
    struct = MicrosoftPe(KaitaiStream(BytesIO(f.read())))

print(tabulate.tabulate(dump(struct.pe)))
Raw
kaitai-jpg.txt
------------------------------------------------------ ------------------------
segments.[0].magic hex(ff)
segments.[0].marker.name "soi"
segments.[0].marker.value 0xd8
segments.[1].data.density_units.name "pixels_per_inch"
segments.[1].data.density_units.value 0x1
segments.[1].data.density_x 0x60
segments.[1].data.density_y 0x60
segments.[1].data.magic "JFIF"
segments.[1].data.thumbnail hex()
segments.[1].data.thumbnail_x 0x0
segments.[1].data.thumbnail_y 0x0
segments.[1].data.version_major 0x1
segments.[1].data.version_minor 0x1
segments.[1].length 0x10
segments.[1].magic hex(ff)
segments.[1].marker.name "app0"
segments.[1].marker.value 0xe0
segments.[2].data hex(0003020203020203...)
segments.[2].length 0x43
segments.[2].magic hex(ff)
segments.[2].marker.name "dqt"
segments.[2].marker.value 0xdb
segments.[3].data hex(0103040405040509...)
segments.[3].length 0x43
segments.[3].magic hex(ff)
segments.[3].marker.name "dqt"
segments.[3].marker.value 0xdb
segments.[4].data.bits_per_sample 0x8
segments.[4].data.components.[0].id.name "y"
segments.[4].data.components.[0].id.value 0x1
segments.[4].data.components.[0].quantization_table_id 0x0
segments.[4].data.components.[0].sampling_factors 0x22
segments.[4].data.components.[0].sampling_x 0x2
segments.[4].data.components.[0].sampling_y 0x2
segments.[4].data.components.[1].id.name "cb"
segments.[4].data.components.[1].id.value 0x2
segments.[4].data.components.[1].quantization_table_id 0x1
segments.[4].data.components.[1].sampling_factors 0x11
segments.[4].data.components.[1].sampling_x 0x1
segments.[4].data.components.[1].sampling_y 0x1
segments.[4].data.components.[2].id.name "cr"
segments.[4].data.components.[2].id.value 0x3
segments.[4].data.components.[2].quantization_table_id 0x1
segments.[4].data.components.[2].sampling_factors 0x11
segments.[4].data.components.[2].sampling_x 0x1
segments.[4].data.components.[2].sampling_y 0x1
segments.[4].data.image_height 0xc7
segments.[4].data.image_width 0x3b3
segments.[4].data.num_components 0x3
segments.[4].length 0x11
segments.[4].magic hex(ff)
segments.[4].marker.name "sof0"
segments.[4].marker.value 0xc0
segments.[5].data hex(0000010501010101...)
segments.[5].length 0x1f
segments.[5].magic hex(ff)
segments.[5].marker.name "dht"
segments.[5].marker.value 0xc4
segments.[6].data hex(1000020103030204...)
segments.[6].length 0xb5
segments.[6].magic hex(ff)
segments.[6].marker.name "dht"
segments.[6].marker.value 0xc4
segments.[7].data hex(0100030101010101...)
segments.[7].length 0x1f
segments.[7].magic hex(ff)
segments.[7].marker.name "dht"
segments.[7].marker.value 0xc4
segments.[8].data hex(1100020102040403...)
segments.[8].length 0xb5
segments.[8].magic hex(ff)
segments.[8].marker.name "dht"
segments.[8].marker.value 0xc4
segments.[9].data.appr_bit_pos 0x0
segments.[9].data.components.[0].huffman_table 0x0
segments.[9].data.components.[0].id.name "y"
segments.[9].data.components.[0].id.value 0x1
segments.[9].data.components.[1].huffman_table 0x11
segments.[9].data.components.[1].id.name "cb"
segments.[9].data.components.[1].id.value 0x2
segments.[9].data.components.[2].huffman_table 0x11
segments.[9].data.components.[2].id.name "cr"
segments.[9].data.components.[2].id.value 0x3
segments.[9].data.end_spectral 0x3f
segments.[9].data.num_components 0x3
segments.[9].data.start_spectral_selection 0x0
segments.[9].image_data hex(fd53a28a2800a28a...)
segments.[9].length 0xc
segments.[9].magic hex(ff)
segments.[9].marker.name "sos"
segments.[9].marker.value 0xda
------------------------------------------------------ ------------------------
Raw
kaitai-lnk.txt
----------------------------------------------------------- ---------------------------------------------------------
header.file_attrs 0x20
header.flags.has_arguments 0x0
header.flags.has_icon_location 0x0
header.flags.has_link_info 0x1
header.flags.has_link_target_id_list 0x1
header.flags.has_name 0x0
header.flags.has_rel_path 0x1
header.flags.has_work_dir 0x1
header.flags.is_unicode 0x1
header.flags.keep_local_id_list_for_unc_target 0x0
header.flags.reserved 0x0
header.hotkey 0x0
header.icon_index 0x0
header.len_header hex(4c000000)
header.link_clsid hex(0114020000000000...)
header.reserved hex(0000000000000000...)
header.show_command.name "normal"
header.show_command.value 0x1
header.target_file_size 0x9722b6
header.time_access 0x1d481be4d837e75
header.time_creation 0x1d481be4c445977
header.time_write 0x1d481be4d837e75
info.all.header.flags.has_common_net_rel_link 0x0
info.all.header.flags.has_volume_id_and_local_base_path 0x1
info.all.header.flags.reserved1 0x0
info.all.header.flags.reserved2 0x0
info.all.header.ofs_common_net_rel_link 0x0
info.all.header.ofs_common_path_suffix 0x6e
info.all.header.ofs_local_base_path 0x37
info.all.header.ofs_volume_id 0x1c
info.all.len_header 0x1c
info.all.local_base_path hex(433a5c5573657273...)
info.all.volume_id.body.drive_serial_number 0x808552b5
info.all.volume_id.body.drive_type.name "fixed"
info.all.volume_id.body.drive_type.value 0x3
info.all.volume_id.body.is_unicode 0x0
info.all.volume_id.body.ofs_volume_label 0x10
info.all.volume_id.body.volume_label_ansi "Local Disk"
info.all.volume_id.len_all 0x1b
info.len_all 0x6f
rel_path.chars_str 0x37
rel_path.str "..\..\..\..\..\Downloads\Practical_Malware_Analysis.pdf"
target_id_list.id_list.items.[0].data.body1.shell_folder_id hex(e04fd020ea3a6910...)
target_id_list.id_list.items.[0].data.body1.sort_index 0x50
target_id_list.id_list.items.[0].data.code 0x1f
target_id_list.id_list.items.[0].len_data 0x14
target_id_list.id_list.items.[1].data.body2.flags 0x80
target_id_list.id_list.items.[1].data.code 0x2e
target_id_list.id_list.items.[1].len_data 0x3a
target_id_list.id_list.items.[2].data.body2.file_attrs 0x20
target_id_list.id_list.items.[2].data.body2.file_size 0x9722b6
target_id_list.id_list.items.[2].data.body2.is_dir 0x0
target_id_list.id_list.items.[2].data.body2.is_file 0x1
target_id_list.id_list.items.[2].data.body2.last_mod_time 0x8a634d75
target_id_list.id_list.items.[2].data.code 0x32
target_id_list.id_list.items.[2].len_data 0x8a
target_id_list.id_list.items.[3].len_data 0x0
target_id_list.len_id_list 0xda
work_dir.chars_str 0x17
work_dir.str "C:\Users\user\Downloads"
----------------------------------------------------------- ---------------------------------------------------------
Raw
kaitai-pe.txt
-------------------------------------------------------------- ------------------------
certificate_table.items.[0].certificate_bytes hex(30823c1506092a86...)
certificate_table.items.[0].certificate_type.name "pkcs_signed_data"
certificate_table.items.[0].certificate_type.value 0x2
certificate_table.items.[0].length 0x3c28
certificate_table.items.[0].revision.name "revision_2_0"
certificate_table.items.[0].revision.value 0x200
coff_hdr.characteristics 0x2022
coff_hdr.machine.name "amd64"
coff_hdr.machine.value 0x8664
coff_hdr.number_of_sections 0x7
coff_hdr.number_of_symbols 0x0
coff_hdr.pointer_to_symbol_table 0x0
coff_hdr.size_of_optional_header 0xf0
coff_hdr.symbol_name_table_offset 0x0
coff_hdr.symbol_name_table_size 0x905a4d
coff_hdr.symbol_table_size 0x0
coff_hdr.time_date_stamp 0x73317569
optional_hdr.data_dirs.architecture.size 0x0
optional_hdr.data_dirs.architecture.virtual_address 0x0
optional_hdr.data_dirs.base_relocation_table.size 0x2fc
optional_hdr.data_dirs.base_relocation_table.virtual_address 0xbc000
optional_hdr.data_dirs.bound_import.size 0x0
optional_hdr.data_dirs.bound_import.virtual_address 0x0
optional_hdr.data_dirs.certificate_table.size 0x3c28
optional_hdr.data_dirs.certificate_table.virtual_address 0xb6e00
optional_hdr.data_dirs.clr_runtime_header.size 0x0
optional_hdr.data_dirs.clr_runtime_header.virtual_address 0x0
optional_hdr.data_dirs.debug.size 0x70
optional_hdr.data_dirs.debug.virtual_address 0x866f0
optional_hdr.data_dirs.delay_import_descriptor.size 0x60
optional_hdr.data_dirs.delay_import_descriptor.virtual_address 0x98cc4
optional_hdr.data_dirs.exception_table.size 0x555c
optional_hdr.data_dirs.exception_table.virtual_address 0xb4000
optional_hdr.data_dirs.export_table.size 0xde44
optional_hdr.data_dirs.export_table.virtual_address 0x98f10
optional_hdr.data_dirs.global_ptr.size 0x0
optional_hdr.data_dirs.global_ptr.virtual_address 0x0
optional_hdr.data_dirs.iat.size 0x2a50
optional_hdr.data_dirs.iat.virtual_address 0x807c0
optional_hdr.data_dirs.import_table.size 0x794
optional_hdr.data_dirs.import_table.virtual_address 0xa6d54
optional_hdr.data_dirs.load_config_table.size 0x118
optional_hdr.data_dirs.load_config_table.virtual_address 0x7f7f0
optional_hdr.data_dirs.resource_table.size 0x520
optional_hdr.data_dirs.resource_table.virtual_address 0xbb000
optional_hdr.data_dirs.tls_table.size 0x0
optional_hdr.data_dirs.tls_table.virtual_address 0x0
optional_hdr.std.address_of_entry_point 0x17070
optional_hdr.std.base_of_code 0x1000
optional_hdr.std.format.name "pe32_plus"
optional_hdr.std.format.value 0x20b
optional_hdr.std.major_linker_version 0xe
optional_hdr.std.minor_linker_version 0x14
optional_hdr.std.size_of_code 0x7d400
optional_hdr.std.size_of_initialized_data 0x3a400
optional_hdr.std.size_of_uninitialized_data 0x0
optional_hdr.windows.check_sum 0xbcf26
optional_hdr.windows.dll_characteristics 0x4160
optional_hdr.windows.file_alignment 0x200
optional_hdr.windows.image_base_64 0x180000000
optional_hdr.windows.loader_flags 0x0
optional_hdr.windows.major_image_version 0xa
optional_hdr.windows.major_operating_system_version 0xa
optional_hdr.windows.major_subsystem_version 0xa
optional_hdr.windows.minor_image_version 0x0
optional_hdr.windows.minor_operating_system_version 0x0
optional_hdr.windows.minor_subsystem_version 0x0
optional_hdr.windows.number_of_rva_and_sizes 0x10
optional_hdr.windows.section_alignment 0x1000
optional_hdr.windows.size_of_headers 0x400
optional_hdr.windows.size_of_heap_commit_64 0x1000
optional_hdr.windows.size_of_heap_reserve_64 0x100000
optional_hdr.windows.size_of_image 0xbd000
optional_hdr.windows.size_of_stack_commit_64 0x1000
optional_hdr.windows.size_of_stack_reserve_64 0x40000
optional_hdr.windows.subsystem.name "windows_cui"
optional_hdr.windows.subsystem.value 0x3
optional_hdr.windows.win32_version_value 0x0
pe_signature hex(50450000)
sections.[0].body hex(cccccccccccccccc...)
sections.[0].characteristics 0x60000020
sections.[0].name ".text"
sections.[0].number_of_linenumbers 0x0
sections.[0].number_of_relocations 0x0
sections.[0].pointer_to_linenumbers 0x0
sections.[0].pointer_to_raw_data 0x400
sections.[0].pointer_to_relocations 0x0
sections.[0].size_of_raw_data 0x7d400
sections.[0].virtual_address 0x1000
sections.[0].virtual_size 0x7d26b
sections.[1].body hex(3400360000000000...)
sections.[1].characteristics 0x40000040
sections.[1].name ".rdata"
sections.[1].number_of_linenumbers 0x0
sections.[1].number_of_relocations 0x0
sections.[1].pointer_to_linenumbers 0x0
sections.[1].pointer_to_raw_data 0x7d800
sections.[1].pointer_to_relocations 0x0
sections.[1].size_of_raw_data 0x32e00
sections.[1].virtual_address 0x7f000
sections.[1].virtual_size 0x32c40
sections.[2].body hex(0000000000000000...)
sections.[2].characteristics 0xc0000040
sections.[2].name ".data"
sections.[2].number_of_linenumbers 0x0
sections.[2].number_of_relocations 0x0
sections.[2].pointer_to_linenumbers 0x0
sections.[2].pointer_to_raw_data 0xb0600
sections.[2].pointer_to_relocations 0x0
sections.[2].size_of_raw_data 0x600
sections.[2].virtual_address 0xb2000
sections.[2].virtual_size 0x121c
sections.[3].body hex(1010000053100000...)
sections.[3].characteristics 0x40000040
sections.[3].name ".pdata"
sections.[3].number_of_linenumbers 0x0
sections.[3].number_of_relocations 0x0
sections.[3].pointer_to_linenumbers 0x0
sections.[3].pointer_to_raw_data 0xb0c00
sections.[3].pointer_to_relocations 0x0
sections.[3].size_of_raw_data 0x5600
sections.[3].virtual_address 0xb4000
sections.[3].virtual_size 0x555c
sections.[4].body hex(8d59028001000000...)
sections.[4].characteristics 0xc0000040
sections.[4].name ".didat"
sections.[4].number_of_linenumbers 0x0
sections.[4].number_of_relocations 0x0
sections.[4].pointer_to_linenumbers 0x0
sections.[4].pointer_to_raw_data 0xb6200
sections.[4].pointer_to_relocations 0x0
sections.[4].size_of_raw_data 0x200
sections.[4].virtual_address 0xba000
sections.[4].virtual_size 0x68
sections.[5].body hex(0000000000000000...)
sections.[5].characteristics 0x40000040
sections.[5].name ".rsrc"
sections.[5].number_of_linenumbers 0x0
sections.[5].number_of_relocations 0x0
sections.[5].pointer_to_linenumbers 0x0
sections.[5].pointer_to_raw_data 0xb6400
sections.[5].pointer_to_relocations 0x0
sections.[5].size_of_raw_data 0x600
sections.[5].virtual_address 0xbb000
sections.[5].virtual_size 0x520
sections.[6].body hex(00f0070090010000...)
sections.[6].characteristics 0x42000040
sections.[6].name ".reloc"
sections.[6].number_of_linenumbers 0x0
sections.[6].number_of_relocations 0x0
sections.[6].pointer_to_linenumbers 0x0
sections.[6].pointer_to_raw_data 0xb6a00
sections.[6].pointer_to_relocations 0x0
sections.[6].size_of_raw_data 0x400
sections.[6].virtual_address 0xbc000
sections.[6].virtual_size 0x2fc
-------------------------------------------------------------- ------------------------
Raw
kaitai-png.txt
---------------------------------------- ------------------------
chunks.[0].body.compression_method.name "zlib"
chunks.[0].body.compression_method.value 0x0
chunks.[0].body.keyword "Raw profile type exif"
chunks.[0].body.text_datastream hex(0a657869660a2020...)
chunks.[0].crc hex(9c212465)
chunks.[0].len 0x29a6
chunks.[0].type "zTXt"
chunks.[1].body.bkgd.blue 0x17
chunks.[1].body.bkgd.green 0x48
chunks.[1].body.bkgd.red 0x6b
chunks.[1].crc hex(eafba49c)
chunks.[1].len 0x6
chunks.[1].type "bKGD"
chunks.[2].body.pixels_per_unit_x 0x2e23
chunks.[2].body.pixels_per_unit_y 0x2e23
chunks.[2].body.unit.name "meter"
chunks.[2].body.unit.value 0x1
chunks.[2].crc hex(78a53f76)
chunks.[2].len 0x9
chunks.[2].type "pHYs"
chunks.[3].body.day 0xf
chunks.[3].body.hour 0x16
chunks.[3].body.minute 0x1f
chunks.[3].body.month 0x7
chunks.[3].body.second 0x1
chunks.[3].body.year 0x7e4
chunks.[3].crc hex(09b4deb8)
chunks.[3].len 0x7
chunks.[3].type "tIME"
chunks.[4].body hex(78daecbd79b86455...)
chunks.[4].crc hex(5bbc1984)
chunks.[4].len 0x2000
chunks.[4].type "IDAT"
chunks.[5].body hex(387b90d7a798b4d6...)
chunks.[5].crc hex(94dfb63e)
chunks.[5].len 0x2000
chunks.[5].type "IDAT"
chunks.[6].body hex(325aec5243492907...)
chunks.[6].crc hex(7fbe811b)
chunks.[6].len 0x2000
chunks.[6].type "IDAT"
chunks.[7].body hex(186402c5a39bfe8d...)
chunks.[7].crc hex(77703649)
chunks.[7].len 0x2000
chunks.[7].type "IDAT"
chunks.[8].body hex(a1724d4e29e079bf...)
chunks.[8].crc hex(55e0281f)
chunks.[8].len 0x1a7e
chunks.[8].type "IDAT"
chunks.[9].body hex()
chunks.[9].crc hex(ae426082)
chunks.[9].len 0x0
chunks.[9].type "IEND"
ihdr.bit_depth 0x8
ihdr.color_type.name "truecolor_alpha"
ihdr.color_type.value 0x6
ihdr.compression_method 0x0
ihdr.filter_method 0x0
ihdr.height 0xdc
ihdr.interlace_method 0x0
ihdr.width 0xdc
ihdr_crc hex(1b5acf81)
ihdr_len hex(0000000d)
ihdr_type hex(49484452)
magic hex(89504e470d0a1a0a)
---------------------------------------- ------------------------
Raw
kaitai-zip.txt
----------------------------------------------------------------------------- ------------------------
sections.[0].body.body hex()
sections.[0].body.header.compression_method.name "none"
sections.[0].body.header.compression_method.value 0x0
sections.[0].body.header.crc32 0x0
sections.[0].body.header.file_mod_date 0x4f9b
sections.[0].body.header.file_mod_time 0x6b8b
sections.[0].body.header.file_name "level1/"
sections.[0].body.header.flags 0x0
sections.[0].body.header.len_body_compressed 0x0
sections.[0].body.header.len_body_uncompressed 0x0
sections.[0].body.header.len_extra 0x0
sections.[0].body.header.len_file_name 0x7
sections.[0].body.header.version 0x14
sections.[0].magic hex(504b)
sections.[0].section_type 0x403
sections.[1].body.body hex(ad57696f133110fd...)
sections.[1].body.header.compression_method.name "deflated"
sections.[1].body.header.compression_method.value 0x8
sections.[1].body.header.crc32 0x48031005
sections.[1].body.header.file_mod_date 0x4f9b
sections.[1].body.header.file_mod_time 0x6cc1
sections.[1].body.header.file_name "level1/README.txt"
sections.[1].body.header.flags 0x0
sections.[1].body.header.len_body_compressed 0x658
sections.[1].body.header.len_body_uncompressed 0xcc6
sections.[1].body.header.len_extra 0x0
sections.[1].body.header.len_file_name 0x11
sections.[1].body.header.version 0x14
sections.[1].magic hex(504b)
sections.[1].section_type 0x403
sections.[2].body.body hex(504b030414000100...)
sections.[2].body.header.compression_method.name "none"
sections.[2].body.header.compression_method.value 0x0
sections.[2].body.header.crc32 0x70f15a3f
sections.[2].body.header.file_mod_date 0x4f9b
sections.[2].body.header.file_mod_time 0x6b88
sections.[2].body.header.file_name "level1/so.zip"
sections.[2].body.header.flags 0x0
sections.[2].body.header.len_body_compressed 0xb620
sections.[2].body.header.len_body_uncompressed 0xb620
sections.[2].body.header.len_extra 0x0
sections.[2].body.header.len_file_name 0xd
sections.[2].body.header.version 0xa
sections.[2].magic hex(504b)
sections.[2].section_type 0x403
sections.[3].body.comment ""
sections.[3].body.compression_method.name "none"
sections.[3].body.compression_method.value 0x0
sections.[3].body.crc32 0x0
sections.[3].body.disk_number_start 0x0
sections.[3].body.ext_file_attr 0x10
sections.[3].body.extra.entries.[0].body.attributes.[0].body.creation_time 0x1d5bce29e8ef5e6
sections.[3].body.extra.entries.[0].body.attributes.[0].body.last_access_time 0x1d5bce36a36dc87
sections.[3].body.extra.entries.[0].body.attributes.[0].body.last_mod_time 0x1d5bce36a36dc87
sections.[3].body.extra.entries.[0].body.attributes.[0].len_body 0x18
sections.[3].body.extra.entries.[0].body.attributes.[0].tag 0x1
sections.[3].body.extra.entries.[0].body.reserved 0x0
sections.[3].body.extra.entries.[0].code.name "ntfs"
sections.[3].body.extra.entries.[0].code.value 0xa
sections.[3].body.extra.entries.[0].len_body 0x20
sections.[3].body.file_name "level1/"
sections.[3].body.flags 0x0
sections.[3].body.int_file_attr 0x0
sections.[3].body.last_mod_file_date 0x4f9b
sections.[3].body.last_mod_file_time 0x6b8b
sections.[3].body.len_body_compressed 0x0
sections.[3].body.len_body_uncompressed 0x0
sections.[3].body.len_comment 0x0
sections.[3].body.len_extra 0x24
sections.[3].body.len_file_name 0x7
sections.[3].body.local_header.body.body hex()
sections.[3].body.local_header.body.header.compression_method.name "none"
sections.[3].body.local_header.body.header.compression_method.value 0x0
sections.[3].body.local_header.body.header.crc32 0x0
sections.[3].body.local_header.body.header.file_mod_date 0x4f9b
sections.[3].body.local_header.body.header.file_mod_time 0x6b8b
sections.[3].body.local_header.body.header.file_name "level1/"
sections.[3].body.local_header.body.header.flags 0x0
sections.[3].body.local_header.body.header.len_body_compressed 0x0
sections.[3].body.local_header.body.header.len_body_uncompressed 0x0
sections.[3].body.local_header.body.header.len_extra 0x0
sections.[3].body.local_header.body.header.len_file_name 0x7
sections.[3].body.local_header.body.header.version 0x14
sections.[3].body.local_header.magic hex(504b)
sections.[3].body.local_header.section_type 0x403
sections.[3].body.ofs_local_header 0x0
sections.[3].body.version_made_by 0x3f
sections.[3].body.version_needed_to_extract 0x14
sections.[3].magic hex(504b)
sections.[3].section_type 0x201
sections.[4].body.comment ""
sections.[4].body.compression_method.name "deflated"
sections.[4].body.compression_method.value 0x8
sections.[4].body.crc32 0x48031005
sections.[4].body.disk_number_start 0x0
sections.[4].body.ext_file_attr 0x20
sections.[4].body.extra.entries.[0].body.attributes.[0].body.creation_time 0x1d5bce2b2ccd299
sections.[4].body.extra.entries.[0].body.attributes.[0].body.last_access_time 0x1d5bce4c438c19c
sections.[4].body.extra.entries.[0].body.attributes.[0].body.last_mod_time 0x1d5bce4c438c19c
sections.[4].body.extra.entries.[0].body.attributes.[0].len_body 0x18
sections.[4].body.extra.entries.[0].body.attributes.[0].tag 0x1
sections.[4].body.extra.entries.[0].body.reserved 0x0
sections.[4].body.extra.entries.[0].code.name "ntfs"
sections.[4].body.extra.entries.[0].code.value 0xa
sections.[4].body.extra.entries.[0].len_body 0x20
sections.[4].body.file_name "level1/README.txt"
sections.[4].body.flags 0x0
sections.[4].body.int_file_attr 0x0
sections.[4].body.last_mod_file_date 0x4f9b
sections.[4].body.last_mod_file_time 0x6cc1
sections.[4].body.len_body_compressed 0x658
sections.[4].body.len_body_uncompressed 0xcc6
sections.[4].body.len_comment 0x0
sections.[4].body.len_extra 0x24
sections.[4].body.len_file_name 0x11
sections.[4].body.local_header.body.body hex(ad57696f133110fd...)
sections.[4].body.local_header.body.header.compression_method.name "deflated"
sections.[4].body.local_header.body.header.compression_method.value 0x8
sections.[4].body.local_header.body.header.crc32 0x48031005
sections.[4].body.local_header.body.header.file_mod_date 0x4f9b
sections.[4].body.local_header.body.header.file_mod_time 0x6cc1
sections.[4].body.local_header.body.header.file_name "level1/README.txt"
sections.[4].body.local_header.body.header.flags 0x0
sections.[4].body.local_header.body.header.len_body_compressed 0x658
sections.[4].body.local_header.body.header.len_body_uncompressed 0xcc6
sections.[4].body.local_header.body.header.len_extra 0x0
sections.[4].body.local_header.body.header.len_file_name 0x11
sections.[4].body.local_header.body.header.version 0x14
sections.[4].body.local_header.magic hex(504b)
sections.[4].body.local_header.section_type 0x403
sections.[4].body.ofs_local_header 0x25
sections.[4].body.version_made_by 0x3f
sections.[4].body.version_needed_to_extract 0x14
sections.[4].magic hex(504b)
sections.[4].section_type 0x201
sections.[5].body.comment ""
sections.[5].body.compression_method.name "none"
sections.[5].body.compression_method.value 0x0
sections.[5].body.crc32 0x70f15a3f
sections.[5].body.disk_number_start 0x0
sections.[5].body.ext_file_attr 0x20
sections.[5].body.extra.entries.[0].body.attributes.[0].body.creation_time 0x1d5bce367200683
sections.[5].body.extra.entries.[0].body.attributes.[0].body.last_access_time 0x1d5bce36736b337
sections.[5].body.extra.entries.[0].body.attributes.[0].body.last_mod_time 0x1d5bce36736b337
sections.[5].body.extra.entries.[0].body.attributes.[0].len_body 0x18
sections.[5].body.extra.entries.[0].body.attributes.[0].tag 0x1
sections.[5].body.extra.entries.[0].body.reserved 0x0
sections.[5].body.extra.entries.[0].code.name "ntfs"
sections.[5].body.extra.entries.[0].code.value 0xa
sections.[5].body.extra.entries.[0].len_body 0x20
sections.[5].body.file_name "level1/so.zip"
sections.[5].body.flags 0x0
sections.[5].body.int_file_attr 0x0
sections.[5].body.last_mod_file_date 0x4f9b
sections.[5].body.last_mod_file_time 0x6b88
sections.[5].body.len_body_compressed 0xb620
sections.[5].body.len_body_uncompressed 0xb620
sections.[5].body.len_comment 0x0
sections.[5].body.len_extra 0x24
sections.[5].body.len_file_name 0xd
sections.[5].body.local_header.body.body hex(504b030414000100...)
sections.[5].body.local_header.body.header.compression_method.name "none"
sections.[5].body.local_header.body.header.compression_method.value 0x0
sections.[5].body.local_header.body.header.crc32 0x70f15a3f
sections.[5].body.local_header.body.header.file_mod_date 0x4f9b
sections.[5].body.local_header.body.header.file_mod_time 0x6b88
sections.[5].body.local_header.body.header.file_name "level1/so.zip"
sections.[5].body.local_header.body.header.flags 0x0
sections.[5].body.local_header.body.header.len_body_compressed 0xb620
sections.[5].body.local_header.body.header.len_body_uncompressed 0xb620
sections.[5].body.local_header.body.header.len_extra 0x0
sections.[5].body.local_header.body.header.len_file_name 0xd
sections.[5].body.local_header.body.header.version 0xa
sections.[5].body.local_header.magic hex(504b)
sections.[5].body.local_header.section_type 0x403
sections.[5].body.ofs_local_header 0x6ac
sections.[5].body.version_made_by 0x3f
sections.[5].body.version_needed_to_extract 0xa
sections.[5].magic hex(504b)
sections.[5].section_type 0x201
sections.[6].body.comment ""
sections.[6].body.disk_of_central_dir 0x0
sections.[6].body.disk_of_end_of_central_dir 0x0
sections.[6].body.len_central_dir 0x11b
sections.[6].body.len_comment 0x0
sections.[6].body.num_central_dir_entries_on_disk 0x3
sections.[6].body.num_central_dir_entries_total 0x3
sections.[6].body.ofs_central_dir 0xbcf7
sections.[6].magic hex(504b)
sections.[6].section_type 0x605
----------------------------------------------------------------------------- ------------------------
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment