%~~~~~~~~~~~~~~~~~~~~~~~~%
|H4sIAAAAAAACA3P3dLOwTOxh|
|YGF4zsBg7tHJMApGwYgE////|
|V/zJwsjF8I9BB8QH5QkGjhYG|
|xj/MD'              gULH|
|JrY'                BbVi|
|Tlx|   Y4NgmoOxWoxH4yL5d|
|VDR|   oTseHh8f6WK359lQU|
|qJy\              \YJOGt|
|xhN5I\              \dlr|
|qoJvnIznRDXvHjPWZ   |SY7|
|Lz31nKtYPklkV0F6w   |AKr|
|1E17                ,Vk5|
|afng              ,hp63R|
|VsvNzy8u9qpU670lon11hvnS|
|KNWuSS+vrvNf3HV05beU0NXB|
|p71kJQQYrAFt8kQCpwMAAA==|
%~~~~~~~~~~~~~~~~~~~~~~~~%
  D  E  C  O  D  E  M  E

We are pretty sure that "S" stands for Sophos not Superman. Now, the first thing that comes to mind when you look at the "picture" is that the data around the "S" is important. And if we look at the last two letters we see the base64 trademark signature. Which means that all that data is an encoded message or a file. To decode it, we must strip that "S" to form a proper base64 data chain. Once done, the data looks like this:

H4sIAAAAAAACA3P3dLOwTOxhYGF4zsBg7tHJMApGwYgE////V/zJwsj
F8I9BB8QH5QkGjhYGxj/MDgULHJrYBbViTlxY4NgmoOxWoxH4yL5dVD
RoTseHh8f6WK359lQUqJyYJOGtxhN5IdlrqoJvnIznRDXvHjPWZSY7L
z31nKtYPklkV0F6wAKr1E17Vk5afnghp63RVsvNzy8u9qpU670lon11
hvnSKNWuSS+vrvNf3HV05beU0NXBp71kJQQYrAFt8kQCpwMAAA==

That data must be reverted to either text or binary to continue. First, we tried  an online base64 decoder but it returns a very strange string. So then, we decoded the data to a binary file and opened that with a hex editor, where we see the well known 0x1F 0x8B signature, which indicates that the decoded data is in fact a GZIP file. Now, we know GZip files may or may not store a file name, so when we decompress the packed data we do another hex data inspection to discover that the decompressed file is a GIF file. It's an image showing us this: Not quite readable, but once you zoom in on it, and lower-case it, it points to: http://www.sophos.com/anz/sofarsogood.html which holds the last piece of the puzzle.

Sadly last piece of the puzzle has nothing to do with file analysis whatsoever. Its a crypto challenge requiring you to play with letter substitution crypto algorithms. And this isn't something we are really interested in. You are however more than welcome to fiddle with it if you like. For some help on solving it check this out. Until next week...

Two weeks ago we introduced our NyxEngine to the World and we got nothing but positive comments and responses about it. That is why for today's blog we have decided make it do something its not primarily designed to do. With that in mind we decided to create a simple program based on the NyxEngine which does archive conversion from one file type to another. For the purpose of this blog we designed the program called gzip2zip which as its name implies converts GZIP archives to ZIP ones without any sort of decompression/compression procedure involved. And this is possible only do to the fact that both ZIP and GZIP use DEFLATE compression algorithm which is why no data manipulation other than moving is necessary. In order to do a quick conversion we need to perform the following steps:

• Read GZIP data (file name, packed content & size and unpacked content size & CRC)
• Recreate ZIP header data in memory (recreate local and central directories)
• Write data to disk

This is quite a short and simple checklist which is why creation of such program is a relatively simple task. Reverse process is also possible and just as easy to create but since the ZIP file format is more popular we decided to stop at one way conversion. Until next week....

NyxEngine ReversingLabs Corporation

GZip2Zip (package contains the tool with source and the samples used