uncompress zlib network packet from hex
I am reversing some kind of protocol and it looks like it is using zlib compression. The current packet is:
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
If we take a look at RFC 1950 we see the specifications of the format. In my script (PHP) I extract the zlib-related info for the above packet:
compression method : 1
compression info : 7
------------------------------
flag check : 0
flag dict : 0
flag level : 3
However, I cannot find a way to uncompress the hex data; even if I convert it to a binary string with pack('H*',$data) it still gives an error about wrong data.
Is it possible to use a command-line program and feed it with the above hex data, where the command-line utility returns the uncompressed string in HEX?
Here's a Python script for decompressing zlib streams:
https://web.archive.org/web/20130305133247/http://blog.2of1.org/2011/03/03/decompressing-zlib-images/
... but your data is not zlib compressed.
A cursory look shows that your data is cleanly divided by a 4-byte marker "17 03 00 00" followed by a length byte indicating the size of that segment.
17 03 00 00 20 09 25 4C BC E1 DC 7A 55 78 D1 58
85 77 EF 63 AE 8D DC A7 21 FF CA 45 37 75 BC A7
37 5C B6 5E E3
17 03 00 00 90 AA 88 3A 35 5C B9
A7 45 0E A7 BA 8D 48 5C 65 5E B5 FC B7 1E 22 F2
74 E9 FF 03 F3 26 29 6E 7F 2D 59 60 AB 7C FB 29
86 C4 98 5D 6B 7D 33 BE 2C 73 48 14 2D 73 8B 52
2C 3B 89 AA 37 23 A5 CA DB 9C 3D F1 24 B3 AB 40
5E 05 13 76 63 84 D3 C0 C6 C1 13 95 D5 1E 31 7F
1D F3 42 F3 73 1D 49 8C 84 EE 0B E9 17 2C 13 0A
89 C7 EE 28 75 60 E6 43 37 E4 A0 D4 9A 21 1E 40
F8 46 DB AF 01 9A DE F2 F2 F6 01 A1 45 C1 F5 87
C7 92 CF 3C 2E E1 CE E5 58 03
17 03 00 00 20 25
9B AF BA DA BE 5B 22 36 0C 72 7D 6E 24 94 C4 15
42 FC 3E 14 EE E3 B5 31 7C 13 F0 60 44 BB 77
17 03 00 00 50 12 E5 BF 7E 63 1E 9E 3C 5F 0D 13 38
90 80 82 81 A7 69 C3 AE C5 0A CF 8B B0 FB F3 9C
AE C0 E2 EA 75 C0 9B AD 7A 3F 22 A1 5D C2 B5 C3
75 15 61 DB 32 19 16 4A B8 0E 55 A7 DB 14 1F 5F
6F AB 4D E9 18 9C C1 45 C4 7E 49 D7 41 07 5D DA
A6 EF D2 A6
So the lengths here are:
0x20 in the first segment
0x90 in the second segment
0x20 in the third segment
0x50 in the fourth segment
And this corresponds correctly with the marker positions.
I could spend a while to reverse this, but I think this should be enough to bring you back to correct path.
Hope this helps.
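Putting both observations into one script, as an added example that is not code from either post: it applies the RFC 1950 header test the question is doing by hand (CM must be 8 and CMF*256+FLG must be divisible by 31) and then walks the buffer with the marker-plus-length-byte framing the answer describes. The hex dump is the one posted in the answer above; nothing else is assumed.

```python
import zlib

# Hex dump reproduced from the answer above (bytes.fromhex ignores the whitespace).
PACKET = bytes.fromhex("""
17 03 00 00 20 09 25 4C BC E1 DC 7A 55 78 D1 58 85 77 EF 63 AE 8D DC A7 21 FF CA 45 37 75 BC A7
37 5C B6 5E E3 17 03 00 00 90 AA 88 3A 35 5C B9
A7 45 0E A7 BA 8D 48 5C 65 5E B5 FC B7 1E 22 F2 74 E9 FF 03 F3 26 29 6E 7F 2D 59 60 AB 7C FB 29
86 C4 98 5D 6B 7D 33 BE 2C 73 48 14 2D 73 8B 52 2C 3B 89 AA 37 23 A5 CA DB 9C 3D F1 24 B3 AB 40
5E 05 13 76 63 84 D3 C0 C6 C1 13 95 D5 1E 31 7F 1D F3 42 F3 73 1D 49 8C 84 EE 0B E9 17 2C 13 0A
89 C7 EE 28 75 60 E6 43 37 E4 A0 D4 9A 21 1E 40 F8 46 DB AF 01 9A DE F2 F2 F6 01 A1 45 C1 F5 87
C7 92 CF 3C 2E E1 CE E5 58 03 17 03 00 00 20 25
9B AF BA DA BE 5B 22 36 0C 72 7D 6E 24 94 C4 15 42 FC 3E 14 EE E3 B5 31 7C 13 F0 60 44 BB 77
17 03 00 00 50 12 E5 BF 7E 63 1E 9E 3C 5F 0D 13 38 90 80 82 81 A7 69 C3 AE C5 0A CF 8B B0 FB F3 9C
AE C0 E2 EA 75 C0 9B AD 7A 3F 22 A1 5D C2 B5 C3 75 15 61 DB 32 19 16 4A B8 0E 55 A7 DB 14 1F 5F
6F AB 4D E9 18 9C C1 45 C4 7E 49 D7 41 07 5D DA A6 EF D2 A6
""")
MARKER = bytes.fromhex("17 03 00 00")  # the 4-byte marker the answer identifies


def zlib_header_ok(data: bytes) -> bool:
    """RFC 1950 header: CM must be 8 (deflate) and CMF*256+FLG a multiple of 31 (FCHECK)."""
    return len(data) >= 2 and (data[0] & 0x0F) == 8 and (data[0] * 256 + data[1]) % 31 == 0


def split_segments(data: bytes) -> list:
    """Walk the buffer with the answer's framing: marker, one length byte, payload."""
    segments, pos = [], 0
    while pos < len(data):
        if data[pos:pos + 4] != MARKER:
            raise ValueError("no marker at offset %d" % pos)
        length = data[pos + 4]
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated segment at offset %d" % pos)
        segments.append(payload)
        pos += 5 + length
    return segments


def inflate_or_none(payload: bytes):
    """Inflate only if the RFC 1950 header checks out; None means 'not a zlib stream'."""
    try:
        return zlib.decompress(payload) if zlib_header_ok(payload) else None
    except zlib.error:
        return None


if __name__ == "__main__":
    print("whole packet has a valid zlib header:", zlib_header_ok(PACKET))
    for n, seg in enumerate(split_segments(PACKET), 1):
        print("segment %d: 0x%02x bytes, zlib: %s" % (n, len(seg), inflate_or_none(seg) is not None))
```

Neither the whole buffer nor any segment passes the header test, which is the quick way to confirm the answer's point before spending time on the framing itself.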