DAA Attachments", we extracted a malicious executable from a Direct Access Archive file.

Let's take a closer look at this file format. Here is a hex/ASCII dump of the beginning of the file:

With the source code of DAA2ISO, I was able to make some sense of this data:

- First we have the magic sequence: DAA.
- Second, we have an offset (0x0000004C) to the list of compressed chunk lengths.
- Third, we have the file format version: 0x00000100.
- Fourth, we have an offset (0x0000005E) to the first compressed chunk.
- Then we have the list of chunk lengths (position 0x0000004C).
- And finally the chunks themselves (position 0x0000005E).

The list of compressed chunk lengths is a bit special: each length value is encoded with 3 bytes, using neither big-endian nor little-endian format. The number format is the following: hex value 697 is encoded as 00 97 06. So first you have the most significant byte, then the least significant byte, and then the remaining, middle byte.

Together with the pointer to the first compressed chunk (position 0x0000005E), we can use this length list to calculate the offsets of the other compressed chunks. Example: the second chunk is located at 0x5E + 0x697 = 0x06F3.

DAA version 0x100 uses zlib compression (DEFLATE), and the compressed data is stored without header. Armed with this information, I could write a Python script to extract and decompress the chunks stored inside a DAA file.

For quite some time, I have been playing with the idea of writing a program that can detect compressed data inside a binary stream. Since a DAA file is essentially a concatenation of zlib-compressed chunks, such a program should also be able to extract and decompress the ISO file inside a DAA file. Here is the result of my beta program running on the DAA sample:

Each line represents compressed data found by the tool:

- start position of the compressed data (hexadecimal)
- size of the decompressed data (decimal)

This generic method will also generate false positives: data that decompresses but is not actual compressed data.
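As an added example (not the post's own script and not DAA2ISO's code), the following Python puts the two parts of the post side by side: a parser that follows the header, the 3-byte length list and the first-chunk pointer to decompress each raw DEFLATE chunk, and a generic scanner that tries a raw inflate at every offset, which is the brute-force idea behind the beta program and the reason it can produce false positives. It assumes field positions inside the 0x4C-byte header (length-list offset at byte 16, version at byte 20, first-chunk offset at byte 24) that the post does not spell out; the sample container, the function names (`build_sample_daa`, `parse_daa`, `extract_iso`, `find_deflate_streams`) and the `min_output` filter are mine.

```python
import struct
import zlib

# Hypothetical layout mirroring the post's sample: a 0x4C-byte header, the
# 3-byte length list at 0x4C, and the first compressed chunk right after it.
HEADER_SIZE = 0x4C
DAA_VERSION_ZLIB = 0x100
# Assumed field positions (my reading of DAA2ISO's header struct, not stated
# in the post): length-list offset @16, version @20, first-chunk offset @24.
FIELDS_OFFSET = 16
FIELDS_FMT = "<III"


def encode_len3(n: int) -> bytes:
    """Encode a chunk length in the DAA 3-byte form: MSB, LSB, middle byte."""
    if not 0 <= n <= 0xFFFFFF:
        raise ValueError("length does not fit in 3 bytes")
    return bytes([(n >> 16) & 0xFF, n & 0xFF, (n >> 8) & 0xFF])


def decode_len3(b: bytes) -> int:
    """Decode the 3-byte form back to an integer (e.g. 00 97 06 -> 0x697)."""
    return (b[0] << 16) | (b[2] << 8) | b[1]


def deflate_raw(chunk: bytes) -> bytes:
    """Raw DEFLATE without zlib header/trailer, as DAA v0x100 stores chunks."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(chunk) + c.flush()


def build_sample_daa(iso: bytes, chunk_size: int = 2048) -> bytes:
    """Construct a DAA-like container from a plaintext ISO image (test data)."""
    chunks = [deflate_raw(iso[i:i + chunk_size]) for i in range(0, len(iso), chunk_size)]
    size_offset = HEADER_SIZE
    data_offset = HEADER_SIZE + 3 * len(chunks)
    header = bytearray(HEADER_SIZE)
    header[0:3] = b"DAA"
    struct.pack_into(FIELDS_FMT, header, FIELDS_OFFSET, size_offset, DAA_VERSION_ZLIB, data_offset)
    return bytes(header) + b"".join(encode_len3(len(c)) for c in chunks) + b"".join(chunks)


def parse_daa(data: bytes):
    """Return (version, size_offset, data_offset, [(chunk_offset, chunk_len), ...])."""
    if data[:3] != b"DAA":
        raise ValueError("missing DAA magic")
    size_offset, version, data_offset = struct.unpack_from(FIELDS_FMT, data, FIELDS_OFFSET)
    if version != DAA_VERSION_ZLIB:
        raise ValueError("unsupported DAA version 0x%X" % version)
    if not (size_offset < data_offset <= len(data)) or (data_offset - size_offset) % 3:
        raise ValueError("inconsistent header offsets")
    lengths = [decode_len3(data[i:i + 3]) for i in range(size_offset, data_offset, 3)]
    # Walk the length list from the first-chunk pointer to locate every chunk.
    chunks, pos = [], data_offset
    for n in lengths:
        if pos + n > len(data):
            raise ValueError("chunk runs past end of file")
        chunks.append((pos, n))
        pos += n
    return version, size_offset, data_offset, chunks


def extract_iso(data: bytes) -> bytes:
    """Inflate every chunk in order; the concatenation is the ISO image."""
    _, _, _, chunks = parse_daa(data)
    return b"".join(zlib.decompress(data[pos:pos + n], wbits=-15) for pos, n in chunks)


def find_deflate_streams(data: bytes, min_output: int = 64):
    """Generic scan: attempt a raw inflate at every offset, keep complete streams.
    Returns [(start, compressed_len, decompressed_len)]. Junk can inflate too,
    so min_output is a crude false-positive filter (my choice, not the post's)."""
    hits = []
    for pos in range(len(data)):
        d = zlib.decompressobj(wbits=-15)
        try:
            out = d.decompress(data[pos:])
        except zlib.error:
            continue
        if not d.eof or len(out) < min_output:
            continue
        consumed = len(data) - pos - len(d.unused_data)
        hits.append((pos, consumed, len(out)))
    return hits


# Constructed sample: a small fake ISO image that splits into six chunks.
SAMPLE_ISO = b"".join((b"CD001 constructed sector %04d " % i) * 60 for i in range(6))
SAMPLE_DAA = build_sample_daa(SAMPLE_ISO)

if __name__ == "__main__":
    version, size_off, data_off, chunks = parse_daa(SAMPLE_DAA)
    print("version 0x%X, length list @0x%X, first chunk @0x%X" % (version, size_off, data_off))
    for pos, n in chunks:
        print("chunk @0x%06X, %d bytes" % (pos, n))
    print("ISO recovered:", extract_iso(SAMPLE_DAA) == SAMPLE_ISO)
    for pos, n, out in find_deflate_streams(SAMPLE_DAA):
        print("deflate stream @0x%06X: %d -> %d bytes" % (pos, n, out))
```

Running it prints the chunk table derived from the header and then whatever the blind scan recovers; every real chunk start shows up in the scan with the same compressed and decompressed sizes, and any extra rows are the false positives the post warns about, which is why a format-aware parser is the one to trust when the container is known.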