Welcome to the MacNN Forums.


How to open disguised zip files by WINRAR?
Fresh-Faced Recruit
Join Date: Dec 2010
Feb 11, 2011, 04:36 AM
 
I know you just rename the files to zip and use WinRAR to open it in Windows. But WinRAR only has the command line tool for Mac and it only supports .rar. UnRarX can't open .zip. And I tried my Stuffit and Unarchiver but they can't either even after I've renamed the files to .zip. Maybe I need the more recent versions? So... how do you do it on Mac?
Thanks!
     
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Feb 11, 2011, 04:41 AM
 
From my experience:

Either it's a .zip file, in which case renaming it and using any app that can open zip files will work.

Or it's a .rar file, in which case UnRarX will work.

If neither works, you're either not actually changing the extension, or you're not dealing with a proper .zip OR a .rar file (or possibly a corrupted file).
     
zxhet  (op)
Fresh-Faced Recruit
Join Date: Dec 2010
Feb 11, 2011, 06:53 AM
 
Thanks for your reply. The thing is, I don't think the file I'm dealing with is simply disguised by simply renaming its extension to .wmv or .jpg, in which case renaming it back to .zip should work.

I believe this kind of file has truly been merged with something else such as a video or a picture. If you double click it you WILL see a video or picture intended as a front where the confidential file hides within. I know for sure WinRAR has the ability to do that. In Windows, you can't even unzip it with Winzip even after you rename it back to .zip. Only WinRAR is able to recognize there's a zip file underneath.

I might be wrong but I think this is the reason my Stuffit and Unarchiver, just like Winzip of Windows, can't recognize the double identity of the disguised files. But again, I don't have the most recent versions of Stuffit and Unarchiver. But I'm guessing unless the program knows how to mask a file like WinRAR, it probably can't unmask it. Is there anything I can use on Mac for that?
     
Posting Junkie
Join Date: Dec 2000
Feb 11, 2011, 09:58 AM
 
You can see for yourself what type of file it is by doing one of the following things:

1. Use the "file" command at the command line. It can detect a large number of file types.

2. Open it with a hex editor and look at the first few bytes. If it's a zip, it should begin with 0x50 4B, 'PK'. If it's a RAR, then according to Google the file should start with 0x52 61 72 21 1A 07 00, 'Rar!...'.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
zxhet  (op)
Fresh-Faced Recruit
Join Date: Dec 2010
Feb 11, 2011, 10:33 AM
 
Originally Posted by CharlesS:
You can see for yourself what type of file it is by doing one of the following things:

1. Use the "file" command at the command line. It can detect a large number of file types.

2. Open it with a hex editor and look at the first few bytes. If it's a zip, it should begin with 0x50 4B, 'PK'. If it's a RAR, then according to Google the file should start with 0x52 61 72 21 1A 07 00, 'Rar!...'.
"file" command says it's a Microsoft ASF. Just as the extension .wmv suggests? Sorry, I don't know how to read a hex editor properly but there's nothing close to 0x50. The first line in the content box looks like this:
30 26 b2 75 8e 66 cf 11 a6 d9 00 aa 00 62 ce 6c
     
Posting Junkie
Join Date: Dec 2000
Feb 11, 2011, 10:41 AM
 
Originally Posted by zxhet:
The first line in the content box looks like this:
30 26 b2 75 8e 66 cf 11 a6 d9 00 aa 00 62 ce 6c
Yep, that looks like WMA/WMV. The reason RAR and ZIP utilities haven't been working is because this is an audio or video file, and not a compressed archive. You should probably be able to play it with Flip4Mac.

     
zxhet  (op)
Fresh-Faced Recruit
Join Date: Dec 2010
Feb 11, 2011, 11:03 AM
 
OK, let me rephrase my question before it gets too confusing.

I have a .wmv file that I know is mainly a .zip file. By using WinRAR's disguise function in Windows (I think that's how you manage to do it), this zip file is hidden within an actual video and retains the .wmv format. If you double click it it will play the video, so nobody will notice it has something else in it and the real zip file is perfectly disguised.

In Windows, it is easy if you know you're dealing with this kind of file. You just rename it back to .zip and use WinRAR to unzip it to reveal the true content. If I remember correctly, even Winzip can't do it if the file is originally handled by WinRAR.

But I have no idea what to do on Mac. My Stuffit and Unarchiver usually take care of the zip files but they don't recognize this one as a standard zip file even after renaming. And UnRarX obviously doesn't like zip. Anybody got experience with this kind of file?
     
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Feb 11, 2011, 03:21 PM
 
Who the hell goes through so much trouble?
     
zxhet  (op)
Fresh-Faced Recruit
Join Date: Dec 2010
Feb 11, 2011, 05:49 PM
 
Originally Posted by Spheric Harlot:
Who the hell goes through so much trouble?
People who have confidential files and for some reason need to keep them in a computer others have access to? I mean I've never done something like that myself but I can kinda understand the need. Your files are the safest when nobody even thinks there are password protected files or folders in the computer. Isn't that what they do in covert ops, blend in as opposed to dressing up mysteriously like Agent Smith of The Matrix?

Anyway, there's a reason WinRAR has the disguise function. The important thing is, as Mac users how do we retrieve the information underneath?
     
Clinically Insane
Join Date: Mar 2001
Location: yes
Feb 11, 2011, 06:19 PM
 
You can run the "file" command on any file regardless of extension to determine the file type...

$ file s3cmd-1.0.0.zip
s3cmd-1.0.0.zip: Zip archive data, at least v2.0 to extract

I think this only works if the file headers are not garbled somehow, but this might be worth a try.
     
Posting Junkie
Join Date: Dec 2000
Feb 11, 2011, 06:40 PM
 
Well, the ASF format is apparently documented here, so you should be able to use that information and a hex editor to find the zip file hidden in there and copy/paste it out into a separate file.

edit: actually, on doing a Google search, it appears that the technique you are referring to is far more simple than embedding an archive in a WMV's metadata — people are just tacking the archive on the end of the file. (link) So, if you just take a hex editor and copy out the archive at the end, you should get your original archive back. You can do a search for the appropriate magic number to find the beginning of the archive. For a zip file, that's 0x50 4B 03 04. For RAR, it's 0x52 61 72 21 1A 07 00.
(Last edited by CharlesS; Feb 11, 2011 at 09:28 PM. )

     
zxhet  (op)
Fresh-Faced Recruit
Join Date: Dec 2010
Feb 11, 2011, 11:50 PM
 
Originally Posted by CharlesS:
Well, the ASF format is apparently documented here, so you should be able to use that information and a hex editor to find the zip file hidden in there and copy/paste it out into a separate file.

edit: actually, on doing a Google search, it appears that the technique you are referring to is far more simple than embedding an archive in a WMV's metadata — people are just tacking the archive on the end of the file. (link) So, if you just take a hex editor and copy out the archive at the end, you should get your original archive back. You can do a search for the appropriate magic number to find the beginning of the archive. For a zip file, that's 0x50 4B 03 04. For RAR, it's 0x52 61 72 21 1A 07 00.
Thanks a lot for the pointers. So the hidden archive is between 0x50 4B 03 04 and the end? Sounds promising. But you have to bear with me. I've never touched a hex editor before you told me about it. For starters, how do you do a search? I typed in those numbers in the "First" box under "Selection" and hit enter. It became 0x50 and it brought me down to the 00000050 rank. But I can't find those numbers in the "Contents". Is that the way to do it?
     
Fresh-Faced Recruit
Join Date: Sep 2007
Feb 12, 2011, 01:59 PM
 
There is a simpler way. Use WinRAR on your Mac. Use VMWare or Crossover. Both get WinRAR working perfectly.
     
Clinically Insane
Join Date: Mar 2001
Location: yes
Feb 12, 2011, 02:07 PM
 
Originally Posted by nitant:
There is a simpler way. Use WinRAR on your Mac. Use VMWare or Crossover. Both get WinRAR working perfectly.

Or WINE if you don't want to pay money for Crossover. The WINE application DB shows absolutely no problems with WinRAR (WineHQ - WinRAR 3.x (32-bit)), so it should work right out of the box.
     
zxhet  (op)
Fresh-Faced Recruit
Join Date: Dec 2010
Feb 12, 2011, 04:13 PM
 
Thanks. Sounds like a more direct and perfect solution to the problem, especially WINE. But I checked the requirements and I don't think my PPC meets them...
     
Clinically Insane
Join Date: Mar 2001
Location: yes
Feb 12, 2011, 11:44 PM
 
Correct... None of the solutions listed will work on your PPC Mac (VMWare/Parallels/Virtualbox/Crossover/WINE), sorry!
     
Administrator
Join Date: May 2000
Location: California
Feb 13, 2011, 11:14 AM
 
Virtual PC would solve that for PPC Macs.

ASF is a container format, like MKV, MOV, AVI, etc. Container formats typically contain video and audio components, but may contain most anything else too. Like subtitle files, alternate vid or audio tracks, cover pics, author info, etc. Chances are your hidden zip file is an extra stream in the main file.

Try checking the file with MediaInfo Mac. This will show the individual components in the file. Your hidden zip may be mislabeled as an extra stream, a big subtitle file, or an unknown element. You may have to find it via file size.

So what you need is an ASF maintenance utility, which lets you extract / assemble ASF files. Something like MKVtools, only for ASF. I don't know of any Mac utilities for that.
     
Posting Junkie
Join Date: Dec 2000
Feb 13, 2011, 12:36 PM
 
How do you make these disguised zip files anyway? I downloaded the trial copy of WinRAR to my VMWare installation, but couldn't find the option anywhere. Does this require the paid version or something?

     
Administrator
Join Date: May 2000
Location: California
Feb 13, 2011, 01:28 PM
 
One would assume you assemble an ASF file. Label the zip as .txt and include as a subtitle stream. Or mislabel and include as an alt video or audio track. Which might be selectable, but won't play because it uses an unknown codec.
     
Posting Junkie
Join Date: Dec 2000
Feb 13, 2011, 05:21 PM
 
I'm wondering more about how he made it, so I could make a guess as to how it might be laid out, since there are multiple ways to do this.

     
zxhet  (op)
Fresh-Faced Recruit
Join Date: Dec 2010
Feb 13, 2011, 06:20 PM
 
I didn't make it myself. As for the exact method it was made in, I don't really know either but this should be one of the common ways using WinRAR:
Make Best Use of WinRAR to Disguise Your Confidential File
I don't really understand but maybe you can and figure something out.
     
Posting Junkie
Join Date: Dec 2000
Feb 13, 2011, 08:06 PM
 
Yeah, basically tacking the archive on at the end using a hex editor. If that's what they did, then you should be able to pull it out using a hex editor easily enough. Encoding it as a separate stream in the ASF file is certainly possible, but complicated enough that I doubt that's what they did if they did it by hand (unless they have some app that does this for them, in which case all bets are off).

Do you know for certain that the archive contained inside is a .zip, and not some other archive format like .rar, .7z, etc.?

     
zxhet  (op)
Fresh-Faced Recruit
Join Date: Dec 2010
Feb 13, 2011, 08:55 PM
 
Yep, I'm positive it's a zip and supposedly only WinRAR can unzip.
     
Posting Junkie
Join Date: Dec 2000
Feb 13, 2011, 09:02 PM
 
Okay, I just tried appending a .zip file to the end of a .wmv. The resulting file still played in Flip4Mac, and WinRAR was able to open the .zip. It is likely that this is what is going on here.

Do a search for the hex bytes 50 4B 03 04 in the file with a hex editor, copy everything from there to the end, paste it into a new file, and give the new file the .zip extension. Hopefully it will work.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
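
The search-and-copy step described in the post above, as an added example that is not part of the original thread. Instead of taking the first 50 4B 03 04 hit, it locates the ZIP End of Central Directory record at the end of the file and computes the archive start from it; the function names and the sample bytes are constructed for illustration.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"  # local file header: the 50 4B 03 04 from the thread
EOCD_SIG = b"PK\x05\x06"   # End of Central Directory record, last structure in a ZIP
ASF_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")  # first 16 bytes the OP posted

def find_appended_zip(data):
    """Return (start, end) of a ZIP appended to other data, or None. No ZIP64 support."""
    # The EOCD is 22 bytes plus a comment of at most 65535 bytes: search the tail only.
    tail = max(0, len(data) - (22 + 65535))
    pos = data.rfind(EOCD_SIG, tail)
    while pos != -1:
        if pos + 22 <= len(data):
            cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", data, pos + 12)
            # cd_offset counts from the start of the archive, so subtracting both
            # fields from the EOCD position gives where the archive begins.
            start, end = pos - cd_size - cd_offset, pos + 22 + comment_len
            if start >= 0 and end <= len(data) and data[start:start + 4] == LOCAL_SIG:
                return start, end
        pos = data.rfind(EOCD_SIG, tail, pos)
    return None

def carve(data):
    """Return the embedded archive bytes, or None if no appended ZIP is found."""
    span = find_appended_zip(data)
    return None if span is None else data[span[0]:span[1]]

def build_sample():
    """Constructed test input: fake WMV bytes plus a small in-memory ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "constructed sample payload\n")
    # The decoy PK\x03\x04 inside the "video" shows why the first hit can mislead.
    carrier = ASF_GUID + b"\x00" * 64 + LOCAL_SIG + b"\xff" * 32
    return carrier, buf.getvalue()

if __name__ == "__main__":
    carrier, archive = build_sample()
    blob = carrier + archive
    print("first PK\\x03\\x04 hit:", blob.find(LOCAL_SIG))
    print("archive span from EOCD:", find_appended_zip(blob))
    names = zipfile.ZipFile(io.BytesIO(carve(blob))).namelist()
    print("carved archive lists:", names)
```

A `None` result means no complete ZIP sits at the end of the file, which is also a quick triage check for media files carrying trailing archive data.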
     
zxhet  (op)
Fresh-Faced Recruit
Join Date: Dec 2010
Feb 13, 2011, 09:44 PM
 
So you tried making one? Cool. Did you also try using Stuffit to open it but then it failed?

I put "50 4B 03 04" in "First" under Selection in hex editor and it just brought me down to the 00000050 rank but this exact number sequence isn't there. Tried "0x50 4B 03 04", no luck either. Am I doing the search properly?
     
   
All times are GMT -5.
All contents of these forums © 1995-2011 MacNN. All rights reserved.