Can't quite understand how to use the -x option #140

Closed
frank-lar opened this issue Nov 10, 2024 · 3 comments

@frank-lar

I am playing around with this tool to understand how it works.

Let's say I created a secret.zip file with an older version of WinRAR, encrypting a file content.txt with the password "test":

bkcrack 1.7.0 - 2024-05-26
Archive: secret.zip
Index Encryption Compression CRC32    Uncompressed  Packed size Name
----- ---------- ----------- -------- ------------ ------------ ----------------
    0 ZipCrypto  Deflate     fa39ece9        90112        14183 content.txt

I also created an unencrypted content.zip with the same method, just with no password.

Therefore:

bkcrack.exe -C secret.zip -c content.txt -P content.zip -p content.txt

Will easily find the keys.

Now, since this was so easy I wanted to test using just a portion of the plaintext taken from the content.zip (since the file to crack uses Deflate, right?), so I expected to do:

bkcrack.exe -C secret.zip -c content.txt -x 0 abcdef0123456789whatever

Of course I took the first 100 or 200 bytes from content.zip and it did not work.
But how do I correctly "extract" the plaintext bytes from content.zip to use with the -x option in this case?

@kimci86
Owner

kimci86 commented Nov 10, 2024

To get compressed data manually from content.zip, one way is to open it in a hexadecimal editor and look at the bytes following the local file header of the content.txt entry. See the local file header format: https://en.wikipedia.org/wiki/ZIP_(file_format)#Local_file_header
Then pass the bytes in hexadecimal with the option -x 0 hexadecimal_data (assuming you pass the first bytes; otherwise adjust the offset: -x offset hexadecimal_data).

In this exact scenario, there is no point doing this manual work. This is exactly what bkcrack does automatically with options -P content.zip -p content.txt. But for more advanced scenarios where you need to inspect compressed data with infgen for example, I plan to add an option to output data from zip archives (#93).
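The manual hex-editor procedure described above, written as a small ZIP parser (added example, not part of bkcrack or this issue). It reads the central directory to find the entry and its compressed size, skips the local file header, and returns the stored Deflate bytes ready for `-x 0`; the sample archive at the bottom is constructed in memory and stands in for content.zip.

```python
import io
import struct
import zipfile
import zlib

# Little-endian record layouts from the ZIP format (see the Wikipedia page linked above).
LOCAL_HEADER = "<IHHHHHIIIHH"          # 30 bytes, signature 0x04034b50
CENTRAL_HEADER = "<IHHHHHHIIIHHHHHII"  # 46 bytes, signature 0x02014b50
EOCD = "<IHHHHIIH"                     # 22 bytes, signature 0x06054b50

def compressed_bytes(archive: bytes, name: str) -> bytes:
    """Stored (still Deflate-compressed) bytes of entry `name` in an unencrypted zip.
    Sizes come from the central directory because a streaming-mode local header
    (flag bit 3) holds zeros and puts the real sizes in a descriptor after the data."""
    eocd_pos = archive.rfind(b"PK\x05\x06")
    if eocd_pos < 0:
        raise ValueError("no end of central directory record")
    eocd = struct.unpack_from(EOCD, archive, eocd_pos)
    pos = eocd[6]  # central directory offset; eocd[4] is the entry count
    for _ in range(eocd[4]):
        hdr = struct.unpack_from(CENTRAL_HEADER, archive, pos)
        flags, csize, nlen, elen, clen, lh_off = hdr[3], hdr[8], hdr[10], hdr[11], hdr[12], hdr[16]
        entry = archive[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        pos += 46 + nlen + elen + clen
        if entry != name:
            continue
        if flags & 1:  # encrypted entry: its first 12 bytes would be the ZipCrypto header
            raise ValueError("entry is encrypted; use the unencrypted archive")
        lh = struct.unpack_from(LOCAL_HEADER, archive, lh_off)
        if lh[0] != 0x04034B50:
            raise ValueError("bad local file header signature")
        start = lh_off + 30 + lh[9] + lh[10]  # skip local file name and extra field
        return archive[start:start + csize]
    raise KeyError(name)

def hex_for_x_option(data: bytes, length: int = 32) -> str:
    """Hex of the first `length` compressed bytes, as `-x 0 <hex>` expects."""
    return data[:length].hex()

def inflate(raw: bytes) -> bytes:
    """Raw-Deflate decompress (wbits=-15) to confirm the slice is the whole stream."""
    return zlib.decompressobj(-15).decompress(raw)

# Constructed sample standing in for content.zip (not the issue's actual file).
SAMPLE_PLAINTEXT = b"The quick brown fox jumps over the lazy dog.\n" * 40
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w", zipfile.ZIP_DEFLATED) as _zf:
    _zf.writestr("content.txt", SAMPLE_PLAINTEXT)
SAMPLE_ARCHIVE = _buf.getvalue()
# Usage: print(hex_for_x_option(compressed_bytes(SAMPLE_ARCHIVE, "content.txt")))
```

The bytes only match the encrypted entry if both archives were produced by the same compressor with the same settings, which is why the thread stresses creating content.zip "with the same method".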

@kimci86
Owner

kimci86 commented Nov 10, 2024

If you just want to see how bkcrack behaves with less data, you can truncate how much plaintext it reads from the archive with the -t option.
Example: bkcrack.exe -C secret.zip -c content.txt -P content.zip -p content.txt -t 100

@frank-lar
Author

> To get compressed data manually from content.zip, one way is to open it in a hexadecimal editor and look at the bytes following the local file header of the content.txt entry. See the local file header format: https://en.wikipedia.org/wiki/ZIP_(file_format)#Local_file_header Then pass the bytes in hexadecimal with the option -x 0 _hexadecimal_data_ (assuming you pass the first bytes; otherwise adjust the offset: -x _offset_ _hexadecimal_data_)

Thank you!

Well, that was an example of a more complex case I was trying to understand whether it was feasible or not, that is: I would like to extract a deflated binary file (roughly 100-200k) for which I know some parts of the uncompressed plaintext, so I set up a simple sample case to work on and get to grips with bkcrack.
I understand I have a very low chance of getting useful compressed plaintext bytes because of how compression works, but I'll still make a few more tries now that I know how to correctly extract the compressed data before giving up.
