#1
Firmware Analysis - ZLIB file conversion to Bitmap
Hi guys,
I've been picking away at the firmware for a common security system trying to see if the bitmaps can be modified and I'm a bit stuck. The files within the firmware are compressed using ZLIB, but after decompression, they don't resemble a bitmap file even though the firmware indicates that's what they are. Paste the below into a HEX editor and you'll see what I mean. Can anyone point me in the right direction on how to convert this back into a bitmap?
The file below should be called: icon_ui_barrier_button_up_Bitmap
Compressed ZLIB HEX. Zlib Magic number is 789C
Code:
69 63 6F 6E 5F 75 69 5F 62 61 72 72 69 65 72 5F 62 75 74 74 6F 6E 5F 75 70 5F 42 69 74 6D 61 70 00 00 00 00 00 00 00 00 00 00 00 00 1A 05 00 00 78 9C 95 93 3F 68 53 51 18 C5 5F 4D 6B 12 1B CA B3 D5 6A 8C 7F 1A 6A AD B4 56 F1 4F 15 11 5B 74 51 D4 8A E2 E0 60 07 AD 83 88 9B 83 0A 5D A2 74 72 70 70 F0 CF E0 C3 51 44 1C 82 83 E0 64 9D DA A1 5B 5B 44 B0 16 85 0E A5 9B FA 48 3B 1C CF 77 BF 2F 1F 64 34 70 2E 37 E7 FC EE 7D E7 DD DC 3C 8C 1F 44 DD 91 7E 2E 51 C7 C3 2C 53 59 C0 C9 28 49 4F 05 C9 5C FD 63 61 CC 32 1D A6 FB 08 0B 48 91 A4 30 C9 5C BC 61 E3 8E F8 5E 19 D2 05 EA 0B 89 1F 68 89 84 CF 54 64 2E 9E 66 19 E3 0F 85 71 1D 57 E5 E9 9E A1 AA 68 0D 2B C4 AB 42 BD BC 71 07 9D 1E 25 F3 9C 29 D0 16 E8 A6 8A 7E 1F 35 66 BF B7 C9 71 FD 51 6A 8A 6D 56 B0 D1 DB AC 40 3C CD 72 C6 EF F3 FD 8B 74 2F 50 F3 D8 E2 6D E6 A1 5E D1 B8 FE 30 36 31 19 27 53 45 C9 9B 48 EF 71 CB F7 7A 93 98 6B AF 53 33 6C 52 C3 0E 6F 52 83 78 9A C5 C6 EF F1 26 7D 74 2F 53 35 74 7B 13 59 21 5E 9F 71 BB 1B 4E F1 29 D3 69 F4 3A 3D 0D F5 F2 C6 95 BD 51 33 E9 4E EA 31 1B CD A1 DF 1B CD 41 3C CD 9A 8D EF F2 67 0C D1 BD 1B C9 D9 1F F0 67 00 EA 0D 19 B7 CB CE 26 49 CF D1 5D C4 61 27 17 49 BE A0 7A A3 9D 81 D9 6E 6D 92 34 26 53 A6 BE B2 CD 32 7F 97 7A 9B 9F A4 3F 50 25 EE B4 21 2A 05 7E 9B B5 49 D2 02 39 B9 0D 9F 70 A2 A1 CD 33 EA 8A 71 45 6F 73 87 CC 5B DE D9 3A F9 97 D4 AB 70 CB B6 06 A6 D3 DB 14 C9 9C A7 BE B3 CD 6F 9C 6E B8 37 E2 95 D9 A6 3D DA 1C F8 4D DE A6 8B DC 18 F5 0D 67 FD 19 1F B9 62 2C DC E2 8E C0 75 78 9B 27 DC E7 33 EF 54 FD DE BC 23 79 3B 6A 0F 79 EC 4D 7A 98 DF A3 7E 91 5E C3 45 DB 37 49 FF 40 FD 1E 63 DB BC C5 20 DD 5B D4 2A 4F A0 4E AF 42 BD 41 E3 0A 4E CB FF ED 0D D3 59 5C 75 7A 16 EA B5 1A 97 F7 36 59 32 72 53 5E 87 5F E9 9A 9F CB 32 D4 93 2C 6B 7C CE DF 74 84 EE 04 6E F8 9B 4E 40 3C CD D7 7B 93 01 E6 EF 99 2C E1 A6 37 59 82 7A 03 C6 B5 F8 9E 2F E9 4E 42 DE 69 26 EC 39 09 F1 34 BF FF 9F E3 3F B7 0C 49 ED FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 55 CC 77 33 9A 01 00 00 97 6B 00 80 01 00 3C 21 Code:
69 63 6F 6E 5F 75 69 5F 62 61 72 72 69 65 72 5F 62 75 74 74 6F 6E 5F 75 70 5F 42 69 74 6D 61 70 00 00 00 00 00 00 00 00 00 00 00 00 1A 05 00 00 81 10 78 00 23 00 00 00 00 00 00 00 50 00 00 00 39 00 00 00 00 00 03 80 DF FF 3D 00 9E F7 41 00 9E F7 41 00 DF FF 3D 00 39 00 00 00 00 00 37 00 00 00 00 00 07 80 DF FF 3F 00 DF FF 82 FF DF FF F7 FF 9E F7 FF FF 9E F7 FF FF 9E F7 F7 FF 9E F7 82 FF DF FF 3F 00 37 00 00 00 00 00 34 00 00 00 00 00 03 80 DF FF 03 00 DF FF 0C 00 DF FF C3 FF 9E F7 E0 FF 05 00 9E F7 FF FF 03 80 9E F7 E0 FF DF FF C3 FF DF FF 0C 00 DF FF 03 00 34 00 00 00 00 00 32 00 00 00 00 00 02 80 DF FF 09 00 DF FF 47 00 DF FF B2 FF 0B 00 9E F7 FF FF 02 80 DF FF B2 FF DF FF 47 00 DF FF 09 00 32 00 00 00 00 00 31 00 00 00 00 00 02 80 DF FF 5C 00 9E F7 97 FF DF FF FF FF 0E 00 9E F7 FF FF 01 80 9E F7 97 FF DF FF 5C 00 31 00 00 00 00 00 2E 00 00 00 00 00 03 80 DF FF 08 00 DF FF 36 00 DF FF C9 FF 9E F7 ED FF 11 00 9E F7 FF FF 03 80 9E F7 ED FF DF FF C9 FF DF FF 36 00 DF FF 08 00 2E 00 00 00 00 00 2C 00 00 00 00 00 02 80 DF FF 19 00 DF FF 4C 00 DF FF D7 FF 17 00 9E F7 FF FF 02 80 DF FF D7 FF DF FF 4C 00 DF FF 19 00 2C 00 00 00 00 00 2B 00 00 00 00 00 01 80 DF FF 7B 00 9E F7 B2 FF 1B 00 9E F7 FF FF 01 80 9E F7 B2 FF DF FF 7B 00 2B 00 00 00 00 00 28 00 00 00 00 00 03 80 DF FF 10 00 DF FF 60 00 DF FF CE FF 9E F7 F9 FF 1D 00 9E F7 FF FF 03 80 9E F7 F9 FF DF FF CE FF DF FF 60 00 DF FF 10 00 28 00 00 00 00 00 26 00 00 00 00 00 02 80 DF FF 2A 00 DF FF 51 00 DF FF F9 FF 23 00 9E F7 FF FF 02 80 DF FF F9 FF DF FF 51 00 DF FF 2A 00 26 00 00 00 00 00 24 00 00 00 00 00 02 80 DF FF 09 00 DF FF 92 FF DF FF CA FF 27 00 9E F7 FF FF 02 80 DF FF CA FF DF FF 92 FF DF FF 09 00 24 00 00 00 00 00 21 00 00 00 00 00 03 80 DF FF 04 00 DF FF 16 00 DF FF 8A FF 9E F7 D6 FF 2B 00 9E F7 FF FF 03 80 9E F7 D6 FF DF FF 8A FF DF FF 16 00 DF FF 04 00 21 00 00 00 00 00 20 00 00 00 00 00 02 80 DF FF 3E 00 DF FF 72 00 DF FF FF FF 2F 00 9E F7 FF FF 02 80 DF FF FF FF DF FF 72 00 DF FF 3E 00 20 00 00 00 00 00 
1F 00 00 00 00 00 01 80 9E F7 4A 00 DF FF E1 FF 33 00 9E F7 FF FF 02 80 DF FF E1 FF DF FF 98 FF DF FF 27 00 1E 00 00 00 00 00 1C 00 00 00 00 00 03 80 9E F7 10 00 9E F7 21 00 9E F7 D9 FF 9E F7 EB FF 36 00 9E F7 FF FF 03 80 9E F7 E3 FF DF FF B4 FF DF FF 1B 00 DF FF 0A 00 1B 00 00 00 00 00 1A 00 00 00 00 00 02 80 9E F7 0C 00 9E F7 5C 00 9E F7 BB FF 3B 00 9E F7 FF FF 02 80 DF FF FF FF DF FF 96 FF DF FF 53 00 1A 00 00 00 00 00 19 00 00 00 00 00 01 80 9E F7 6B 00 9E F7 AA FF 3F 00 9E F7 FF FF 02 80 DF FF F6 FF DF FF 9D FF DF FF 47 00 18 00 00 00 00 00 16 00 00 00 00 00 03 80 9E F7 19 00 9E F7 4B 00 9E F7 DE FF 9E F7 F4 FF 42 00 9E F7 FF FF 03 80 9E F7 ED FF DF FF DE FF 9E F7 21 00 DF FF 12 00 15 00 00 00 00 00 14 00 00 00 00 00 02 80 9E F7 20 00 9E F7 62 00 9E F7 DB FF 48 00 9E F7 FF FF 02 80 DF FF B8 FF DF FF 62 00 DF FF 09 00 13 00 00 00 00 00 13 00 00 00 00 00 01 80 9E F7 8E FF 9E F7 C1 FF 4C 00 9E F7 FF FF 01 80 9E F7 AC FF DF FF 69 00 12 00 00 00 00 00 10 00 00 00 00 00 03 80 9E F7 25 00 9E F7 76 00 9E F7 E4 FF 9E F7 FB FF 4E 00 9E F7 FF FF 02 80 9E F7 F5 FF 9E F7 76 00 9E F7 25 00 10 00 00 00 00 00 0E 00 00 00 00 00 02 80 9E F7 35 00 9E F7 67 00 9E F7 FA FF 53 00 9E F7 FF FF 02 80 9E F7 FA FF 9E F7 67 00 9E F7 35 00 0E 00 00 00 00 00 0C 00 00 00 00 00 02 80 9E F7 0B 00 9E F7 A8 FF 9E F7 D5 FF 57 00 9E F7 FF FF 02 80 9E F7 D5 FF 9E F7 A8 FF 9E F7 0B 00 0C 00 00 00 00 00 09 00 00 00 00 00 03 80 9E F7 07 00 9E F7 2B 00 9E F7 A0 FF 9E F7 EB FF 5B 00 9E F7 FF FF 03 80 9E F7 EB FF 9E F7 A0 FF 9E F7 2B 00 9E F7 07 00 09 00 00 00 00 00 08 00 00 00 00 00 01 80 9E F7 4D 00 9E F7 84 FF 61 00 9E F7 FF FF 01 80 9E F7 84 FF 9E F7 4D 00 08 00 00 00 00 00 06 00 00 00 00 00 02 80 9E F7 2D 00 9E F7 AE FF 9E F7 E7 FF 63 00 9E F7 FF FF 02 80 9E F7 E7 FF 9E F7 AE FF 9E F7 2D 00 06 00 00 00 00 00 05 00 00 00 00 00 01 80 9E F7 99 FF 9E F7 C2 FF 67 00 9E F7 CE FF 01 80 9E F7 C2 FF 9E F7 99 FF 05 00 00 00 00 00 77 00 00 00 00 00 77 00 00 00 00 00 77 00 00 00 00 00 77 00 00 00 00 00 77 00 
00 00 00 00 77 00 00 00 00 00 77 00 00 00 00 00 77 00 00 00 00 00
#2
If you convert the ASCII characters at the start you find: "icon_ui_barrier_button_up_Bitmap". Could be a custom encoded file format. You have to look for usual things like tags or width and height, maybe computed based on data size, see where pixel data starts, etc. Best is to disassemble the firmware and see how it parses it.
#3
Looks like a regular RAW picture.
Just find a larger image, not a small icon; it will become clearer which header size needs to be cut off, as well as the picture format: a 24bit RGB variant, or some variant of 16bit 5:6:5.
The Following User Says Thank You to carver For This Useful Post: niculaita (08-02-2021)
#4
If it's a common picture then it looks like it is missing the bitmap header, or it's just some raw image (as mentioned above).
Extracted data looks like bmp/ico type with size ~16x16 pixels and 256 colors (guess just by size, but it can be anything when you combine height, width and color depth). Maybe it's better to find the exact image in the application and then compare the real data with the extracted one.
Last edited by DARKER; 08-02-2021 at 15:19.
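Following the advice in replies #2 to #4 (look for width, height and the start of the pixel data; suspect 16-bit 5:6:5), here is an added example, not code from the thread, that tests one reading of the decompressed dump in post #1. The layout it checks is an assumption inferred from the posted bytes: a 16-byte header with width and height at offsets 2 and 4, then run-length records of RGB565 pixels with a 16-bit alpha word. The reading fits only if every row decodes to exactly the header width.

```python
import struct

# Sample input: the 16 header bytes and first three rows of the decompressed
# payload, copied from the dump in post #1 (after the 48-byte name/size prefix).
SAMPLE = bytes.fromhex(
    "81 10 78 00 23 00 00 00 00 00 00 00 50 00 00 00"
    "39 00 00 00 00 00 03 80 DF FF 3D 00 9E F7 41 00 9E F7 41 00 DF FF 3D 00"
    "39 00 00 00 00 00"
    "37 00 00 00 00 00 07 80 DF FF 3F 00 DF FF 82 FF DF FF F7 FF 9E F7 FF FF"
    "9E F7 FF FF 9E F7 F7 FF 9E F7 82 FF DF FF 3F 00 37 00 00 00 00 00"
    "34 00 00 00 00 00 03 80 DF FF 03 00 DF FF 0C 00 DF FF C3 FF 9E F7 E0 FF"
    "05 00 9E F7 FF FF 03 80 9E F7 E0 FF DF FF C3 FF DF FF 0C 00 DF FF 03 00"
    "34 00 00 00 00 00"
)
HEADER_LEN = 16  # assumption: records start right after 16 header bytes

def parse_header(buf):
    # Assumed layout: u16 tag, u16 width, u16 height, little-endian.
    return struct.unpack_from("<HHH", buf, 0)

def rgb565_to_rgb888(v):
    r, g, b = (v >> 11) & 0x1F, (v >> 5) & 0x3F, v & 0x1F
    return (r << 3 | r >> 2, g << 2 | g >> 4, b << 3 | b >> 2)

def decode_rows(buf, width):
    # Assumed record: u16 control word, count = (ctl & 0x7FFF) + 1. Bit 15 set:
    # `count` literal 4-byte pixels follow; clear: one 4-byte pixel is repeated.
    # Assumed pixel: u16 RGB565 colour, then u16 whose low byte is taken as alpha.
    pos, rows, row = HEADER_LEN, [], []
    while pos + 2 <= len(buf):
        (ctl,) = struct.unpack_from("<H", buf, pos)
        pos += 2
        count, literal = (ctl & 0x7FFF) + 1, bool(ctl & 0x8000)
        size = 4 * count if literal else 4
        if pos + size > len(buf):
            raise ValueError("truncated pixel data")
        for i in range(count):
            off = pos + (4 * i if literal else 0)
            color, alpha = struct.unpack_from("<HH", buf, off)
            row.append(rgb565_to_rgb888(color) + (alpha & 0xFF,))
        pos += size
        if len(row) > width:  # a run crossing the row edge refutes the layout
            raise ValueError("row overflow: hypothesis does not fit")
        if len(row) == width:
            rows.append(row)
            row = []
    if row:
        raise ValueError("partial last row")
    return rows
```

Run over the whole decompressed payload, a row count equal to the header's height field would support this reading; a `ValueError` means the assumed header length, width or record format is wrong.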