I must be missing something obvious here. I cannot make sense of the following deflate stream.

Steps:

% wget https://github.com/lrq3000/mri_protocol/raw/master/SiemensVidaProtocol/Coma%20Science%20Group.exar1
% sqlite3 Coma\ Science\ Group.exar1 "SELECT writefile('ae126b7a3fe86811f981f53cf7cf59cfc1e5bc7c.raw', Data) FROM Content WHERE hash = 'ae126b7a3fe86811f981f53cf7cf59cfc1e5bc7c'"
% file ae126b7a3fe86811f981f53cf7cf59cfc1e5bc7c.raw
ae126b7a3fe86811f981f53cf7cf59cfc1e5bc7c.raw: data

However upon closer look:

% binwalk -X ae126b7a3fe86811f981f53cf7cf59cfc1e5bc7c.raw | head

DECIMAL HEXADECIMAL DESCRIPTION

0 0x0 Raw deflate compression stream

Looking at the entropy (binwalk -EJ), this really looks like a typical deflate algorithm:

[Image: binwalk entropy plot]

But it seems the signature is broken:

% zlib-flate -uncompress < ae126b7a3fe86811f981f53cf7cf59cfc1e5bc7c.raw
flate: inflate: data: incorrect header check

Anyone recognize the compression here?

tibar

1 Answer

Turns out this is indeed a pure deflate bitstream. zlib-flate is for zlib streams.

% ./decomp.py ae126b7a3fe86811f981f53cf7cf59cfc1e5bc7c.raw | colrm 82
b'EDF V1: ContentType=syngo.MR.ExamDataFoundation.Data.EdfAddInConfigContent;\r\n

With simply:

% cat decomp.py
#!/bin/env python3
import zlib
import sys

with open(sys.argv[1], 'rb') as input_file:
    compressed_data = input_file.read()
    unzipped = zlib.decompress(compressed_data, -zlib.MAX_WBITS)
    print(unzipped)

Ref:

tibar
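The raw/zlib/gzip distinction from the answer, generalized into a framing check with a capped decompressor. This is an added example, not code from the original post; `detect_framing`, `inflate`, `pack` and the `limit` parameter are illustrative names, and the sample streams are constructed inline.

```python
import zlib

# wbits values understood by zlib: negative = headerless (raw) deflate,
# 9..15 = zlib wrapper (RFC 1950), +16 = gzip wrapper (RFC 1952).
WBITS = {"raw": -zlib.MAX_WBITS, "zlib": zlib.MAX_WBITS, "gzip": 16 + zlib.MAX_WBITS}

def detect_framing(data: bytes) -> str:
    """Guess the wrapper around a deflate payload from its first bytes."""
    if data[:3] == b"\x1f\x8b\x08":                      # gzip magic + CM=8
        return "gzip"
    if len(data) >= 2:
        cmf, flg = data[0], data[1]
        # zlib header: CM=8, CINFO<=7, and (CMF*256 + FLG) divisible by 31.
        # A failed divisibility test is zlib's "incorrect header check".
        if cmf & 0x0F == 8 and cmf >> 4 <= 7 and (cmf << 8 | flg) % 31 == 0:
            return "zlib"
    return "raw"

def inflate(data: bytes, limit: int = 64 * 1024 * 1024):
    """Return (framing, plaintext, trailing_bytes); output is capped at `limit`."""
    guess = detect_framing(data)
    # The header test is only a heuristic, so fall back to the other framings.
    for framing in [guess] + [f for f in WBITS if f != guess]:
        d = zlib.decompressobj(WBITS[framing])
        try:
            out = d.decompress(data, limit)
        except zlib.error:
            continue
        if d.eof:
            return framing, out, d.unused_data
        if d.unconsumed_tail or len(out) >= limit:
            raise ValueError("decompressed size exceeds limit")
    raise ValueError("not a complete raw deflate, zlib or gzip stream")

def pack(payload: bytes, framing: str) -> bytes:
    """Build a constructed test stream in the given framing."""
    c = zlib.compressobj(9, zlib.DEFLATED, WBITS[framing])
    return c.compress(payload) + c.flush()

# Constructed sample payload (modelled on the header line shown in the answer).
SAMPLE = b"EDF V1: ContentType=syngo.MR.ExamDataFoundation.Data.EdfAddInConfigContent;\r\n"

if __name__ == "__main__":
    for name in WBITS:
        blob = pack(SAMPLE, name) + b"TRAILER"
        framing, text, extra = inflate(blob)
        print(f"{name:4} first bytes {blob[:2].hex()} -> {framing}, {len(text)} bytes, trailing {extra!r}")
```

The `limit` cap matters when the blob comes from an untrusted file, since a small deflate stream can expand to a very large output.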