[Recipe request] Unzip / Remove useless files / Rename remaining file(s) / Create a password-protected zip file #12

Open
wikijm opened this issue Nov 18, 2021 · 1 comment
Labels
help wanted Extra attention is needed

Comments

@wikijm
Contributor

wikijm commented Nov 18, 2021

Hello,

I'm wondering if someone has already played with .zip files, and especially with manipulating the files inside them?

I'd like to do the steps below:

  1. Unzip a password-protected file
  2. Remove useless files (based on their name and/or extension)
  3. Rename one file (based on its name and/or extension)
  4. Create a new password-protected .zip file with remaining files

When I use 'Unzip', I get a list of files, and I don't know how I can manipulate them.
It seems that I can't use 'Fork' to manage each file in a different child.

Thank you for your help!

Regards,
@wikijm

@mattnotmax
Owner

Hey @wikijm! A nice problem.

So I've played around with this quickly and it's somewhat possible. But it may depend on the files within the ZIP.

One solution might be to extract the files from the ZIP without unzipping. But the file format is reasonably complex and would take some reversing to convert it to a CyberChef recipe in itself.

As you note, there is the unzip operation. You can then 'merge' the data to get one blob of unzipped files concatenated together. It would then rely on you knowing the best way to extract the data, based probably on the headers and footers of the hex.

For an example, I zipped a PE file and a JPEG. I can extract the PE file based on the MZ header and the start of the JPEG - but I know that's what they are. It wouldn't work if there were multiple files and/or I didn't know the contents. So not perfect, but perhaps a starting point to work around.

mz+jpg.zip

```json
[{"op":"Unzip","args":["",false]},{"op":"Merge","args":[]},{"op":"To Hex","args":["None",0]},{"op":"Regular expression","args":["User defined","^4d5a.*(?=ffd8ff)",true,true,false,false,false,false,"List matches"]},{"op":"From Hex","args":["Auto"]},{"op":"Zip","args":["mz-only.zip","","infected","Deflate","MSDOS","Dynamic Huffman Coding"]}]
```

NB: the PE file is a simple 'hello world' compiled and is not malicious! :D

@mattnotmax mattnotmax added the help wanted Extra attention is needed label Oct 9, 2022
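The reply above notes that selecting files by parsing the ZIP format directly would take some reversing. As an added example (not part of the thread and not a CyberChef recipe), this Python sketch walks the central directory so entries can be dropped or renamed by name instead of by magic bytes. The function names and the sample archive are constructed for illustration; it assumes a single-disk, non-ZIP64 archive whose entries are already decrypted.

```python
import io, struct, zipfile, zlib

def list_entries(data):
    """Walk the ZIP central directory and return one dict per entry."""
    eocd = data.rfind(b"PK\x05\x06")  # End of Central Directory record
    if eocd < 0:
        raise ValueError("no End of Central Directory record")
    total, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    entries = []
    for _ in range(total):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("bad central directory header")
        flags, method, _t, _d, crc, csize, _usize, nlen, elen, clen = (
            struct.unpack_from("<HHHHIIIHHH", data, pos + 8))
        (offset,) = struct.unpack_from("<I", data, pos + 42)
        enc = "utf-8" if flags & 0x800 else "cp437"  # bit 11: UTF-8 names
        entries.append({"name": data[pos + 46:pos + 46 + nlen].decode(enc),
                        "method": method, "crc": crc, "csize": csize,
                        "offset": offset, "encrypted": bool(flags & 1)})
        pos += 46 + nlen + elen + clen
    return entries

def extract(data, entry):
    """Return one entry's bytes, located through its local file header."""
    if entry["encrypted"]:
        raise ValueError("encrypted entry: decrypt it first")
    if entry["method"] not in (0, 8):
        raise ValueError("only Stored (0) and Deflate (8) are handled")
    nlen, elen = struct.unpack_from("<HH", data, entry["offset"] + 26)
    start = entry["offset"] + 30 + nlen + elen
    raw = data[start:start + entry["csize"]]
    out = zlib.decompress(raw, -15) if entry["method"] == 8 else raw
    if zlib.crc32(out) != entry["crc"]:
        raise ValueError("CRC mismatch for " + entry["name"])
    return out

def select(data, drop_exts, rename):
    """Drop entries by extension; rename the survivors via the rename map."""
    return {rename.get(e["name"], e["name"]): extract(data, e)
            for e in list_entries(data)
            if not e["name"].lower().endswith(tuple(drop_exts))}

def sample_zip():
    """Constructed sample archive: fake PE, fake JPEG and a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("hello.exe", b"MZ" + b"\x00" * 64)
        z.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x11" * 32)
        z.writestr("notes.txt", b"constructed sample text")
    return buf.getvalue()
```

Python's standard `zipfile` module cannot write encrypted archives, so the final password-protected re-zip step still needs a separate tool, such as the `Zip` operation in the recipe above.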