Unable to decompress - LZXpress Huffman code sizes are over-subscribed #6
Comments
@scudette thx for the report, could be some LZXpress Huffman edge-case
|
Yes, it is definitely related to decompression. I used Francesco Picasso's script here https://gist.github.com/dfirfpi/113ff71274a97b489dfd to decompress using the API and it worked without problems. A binary diff shows a discrepancy starting at byte 79768 (which continues to completely fail) but I have no idea why. |
I'll have a closer look later if time permits, I suspect the WINAPI decompression routines to maybe be more error tolerant |
For libfwnt, judging by the output of RtlDecompressBufferEx using https://github.com/libyal/assorted/blob/master/src/lzxpressdecompress.c, the corruption happens around 0x000137e0 in the decompressed data.
Per previous debug output of libfwnt, this corresponds to approx. offset 0x00004c24 in the input data.
Looks like around 0x4c2a there is a new chunk of LZXpress-Huffman compressed data.
Results in an uncompressed output of:
A first assumption is that chunks of 0x20000 bytes are used. |
Ignore that, chunks are 0x10000 bytes in size.
The second extended compression size of 0 is the edge-case and appears to have a special behavior. Which corresponds to offset 0x00004c1a + 8 = 0x00004c22.
Which looks like an extension for a 32-bit extended size |
Will make the changes to libfwnt to add 32-bit extended size support. Wondering when this was introduced and if this leads to issues with solutions using the WINAPI on older versions of Windows as well. |
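The edge case discussed above (a 16-bit extended size of 0 followed by a 32-bit size), as an added example that is not libfwnt's code. The function name and the byte layout (length nibble 15, then one byte, then 16-bit and 32-bit little-endian sizes, plus 3 for the minimum match) are assumptions based on the MS-XCA match-length encoding; the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not libfwnt code): decode the match length for a match
 * symbol whose low nibble is `nibble`, reading extension bytes at in[*pos].
 * Returns 0 on success, -1 on truncated or invalid input. */
int decode_match_length(const uint8_t *in, size_t in_len, size_t *pos,
                        unsigned nibble, uint32_t *out_len)
{
    uint32_t len = nibble & 0x0f;

    if (len == 15) {
        /* First extension: a single byte. */
        if (*pos >= in_len) return -1;
        len = in[(*pos)++];
        if (len == 255) {
            /* Second extension: 16-bit little-endian size. */
            if (in_len - *pos < 2) return -1;
            len = (uint32_t)in[*pos] | ((uint32_t)in[*pos + 1] << 8);
            *pos += 2;
            if (len == 0) {
                /* Edge case from this issue: 0 means a 32-bit size follows. */
                if (in_len - *pos < 4) return -1;
                len = (uint32_t)in[*pos] | ((uint32_t)in[*pos + 1] << 8) |
                      ((uint32_t)in[*pos + 2] << 16) |
                      ((uint32_t)in[*pos + 3] << 24);
                *pos += 4;
            }
            if (len < 15) return -1;   /* extended size must cover the nibble */
            len -= 15;
        }
        len += 15;
    }
    /* Reject wrap-around before adding the 3-byte minimum match. */
    if (len > UINT32_MAX - 3) return -1;
    *out_len = len + 3;
    return 0;
}

int main(void)
{
    /* Constructed sample: 0xff, 16-bit size 0, then 32-bit size 0x00010000. */
    const uint8_t sample[] = { 0xff, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00 };
    size_t pos = 0;
    uint32_t len = 0;
    int rc = decode_match_length(sample, sizeof sample, &pos, 15, &len);
    printf("rc=%d len=%u consumed=%zu\n", rc, (unsigned)len, pos);
    return 0;
}
```

A decoder that stops at the 16-bit size would take the 0 as the length and misread the following four bytes as Huffman input; the caller should also check the returned length against the space left in the output buffer before copying.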
Closing this in favor of libyal/libfwnt#8 |
Thanks so much for looking into this!
…On Thu, Jul 23, 2020, 19:56 Joachim Metz ***@***.***> wrote:
Closed #6 <#6>.
|
Just linking this issue Velocidex/go-prefetch#4 which also seems to affect libscca.
I have reattached the problematic file.
DOWNLOADER.EXE-CAE991BA.pf.zip
I only tested with the pyscca version from pip (pip install libscca-python); maybe it is fixed in the latest version?