|
I was taking a closer look at Xavier's Word document he analyzed in yesterday's diary entry: "Obfuscated with a Simple 0x0A". I expected that the latest version of my zipdump tool would be able to handle this special ZIP file, but it didn't. After a bit of research, I discoverd that this Word document not only has one byte prefixed to it (a newline, 0x0A), but that it is also missing one byte at the end. That missing byte is part of the comment length field of the EOCD record. If you have an idea what is going on here, please post a comment.
Didier Stevens |
DidierStevens 597 Posts ISC Handler Apr 4th 2020 |
| Thread locked Subscribe |
Apr 4th 2020 1 year ago |
Sign Up for Free or Log In to start participating in the conversation!
https://www.sans.edu
