by Nikhil Wagholikar, NII Consulting
1. Need
Often during a forensic investigation or during reverse engineering, we need to check or extract the contents of an executable file. If the executable file is in human-readable format (e.g. a UNIX file having permissions -rwxr-xr-x), the investigator's life is quite simple, since such files can easily be opened in UNIX built-in editors like “vi” or “emacs”, or even in the default MS Windows editor “Notepad”. However, this is not always the case. Investigators and researchers may also come across various MS Windows “.exe”, “.dll” and “.msi” files, RedHat Linux “.rpm” files, or the very common “.zip”, “.rar”, “.bin”, “.cue” or “.uha” files in the course of their work.
Although the forensics world has many software packages and tools to handle such situations, what they lack is compatibility with all file extensions, ease of interpretation of results and, above all, there is the cost. Hence there is a need for a tool which, though it might not fulfil all of the above requirements, fulfils at least a majority of them. One such tool is “Universal Extractor”.
2. Introduction
“Universal Extractor”, as the name indicates, extracts the contents of almost all kinds of file types/extensions. You name it and it is there: exe, rpm, uha etc.; the full list is given in Table 1. “Universal Extractor” is open source/free software written in AutoIt, a powerful open source scripting language, and is a compilation of many other open source programs listed in Section 5.
Table 1: Supported Formats
File Extension(s) | Archive Type |
??_ | Microsoft compressed file |
.001 | RAR archive |
.7z | 7-zip archive |
.ace | ACE archive |
.arc | ARC archive |
.arj | ARJ archive |
.bin | BIN/CUE CD-ROM image |
.bz2 | bzip2 archive |
.cab | InstallShield Cabinet archive, Microsoft Cabinet archive |
.chm | Microsoft Compiled Help file |
.cpio | CPIO compressed file |
.cue | BIN/CUE CD-ROM image |
.deb | Debian package |
.dll | UPX compressed file |
.exe | ARJ Self-Extracting archive, ASpack compressed file, Inno Setup package, InstallShield package, KGB Self-Extracting archive, Microsoft Cabinet Self-Extracting archive, Microsoft hotfix, NSIS package, RAR Self-Extracting archive, UPX compressed file, Wise Installer package, ZIP Self-Extracting archive |
.gz | gzip archive |
.hlp | Microsoft Windows Help file |
.jar | ZIP archive |
.imf | IncrediMail archive (Microsoft CAB) |
.img | IMG floppy disk image |
.iso | ISO CD-ROM image |
.kgb | KGB archive |
.kge | Encrypted KGB archive |
.lha | LZH (Amiga) compressed file |
.lit | Microsoft LIT e-book |
.lzh | LZH (Amiga) compressed file |
.lzo | LZO compressed file |
.mht | MHTML file |
.msi | Windows Installer package |
.rar | RAR archive |
.rpm | RPM package |
.tar | TAR archive |
.tar.bz2 | bzip2-compressed TAR archive |
.tar.gz | gzip-compressed TAR archive |
.tar.Z | LZW-compressed TAR archive |
.tbz2 | bzip2-compressed TAR archive |
.tgz | gzip-compressed TAR archive |
.tz | LZW-compressed TAR archive |
.uha | UHARC archive |
.wz | ZIP archive |
.xpi | ZIP archive |
.Z | LZW compressed file |
.zip | ZIP archive |
3. Download
Universal Extractor is available for free download:
1. Uniextract Installer – Application installer exe file which can integrate with the Windows context menu.
Size: 3MB
2. Uniextract Source Code – Contains the source code of this software with all scripts and installer code.
Size: 98.1KB
3. Uniextract Binary Archive – Collection of the binaries of this software, if the installer is not needed.
Size: 2.78MB
4. Using UniExtract
Installation of Universal Extractor (uniextract.exe) is quite simple. As said earlier, it can integrate with the Windows context menu.
Step 1: Double-click “uniextract.exe” and press “Next” on the Welcome Wizard.
Step 2: Select the folder in which to install “uniextract” (Default: “%windir%:\Program Files\Universal Extractor”)
Step 3: Select the default language of installation and the location of the debug file which Universal Extractor creates when an extract operation fails. (Default: Language – English and Debug file location – %windir%:\)
Step 4: Then comes the important step of integration.
Step 5: Finally, the Wizard shows the tasks it will perform based on the user’s choices in steps 3 and 4.
And you are done. As we can see, the installation takes merely 5 steps, and you are now fully prepared to extract any kind of archive or executable file.
Once you have completed the installation and have selected the “Enable Explorer context menu integration” option during the installation phase, you’ll be able to extract archives/executables directly with just a right click on any file.
Universal Extractor can either be uninstalled from “Add/Remove Programs”, or the directory itself can be deleted if it was self-extracted.
5. Universal Extractor is a Compilation of many open source software packages.
All of these programs reside under the directory “%windir%:\Program Files\Universal Extractor\bin”. So anyone who is comfortable using the command line version of any of these programs can use it by navigating the command shell to this directory.
The configuration files related to Universal Extractor reside under the directory “%windir%:\Program Files\Universal Extractor\lang”. These are language-dependent configuration files, which support not only English but also Chinese, Japanese, Thai etc.
6. Working
Following is the way in which Universal Extractor works:
- When a file is passed to UniExtract, it examines the file type (using the extension).
- If the file is non-executable, it immediately starts extraction from the archive.
- If the file is executable, it calls “PEiD” to analyze its signature in order to determine its format, and accordingly calls the appropriate sub-extractor from the pool of software mentioned in Section 5.
- If the signature is not in its database, the 7-ZIP and UnZip programs will try to extract from the target file.
- If 7-ZIP or UnZip recognizes the file, it is promptly extracted; otherwise the corresponding reason for failure is displayed and the program exits.
- However, if PEiD is successful in recognizing the file signature, it spawns a shell to the corresponding sub-extractor software to extract the file.
- Since Universal Extractor doesn’t have any control over its sub-extractor software, it determines whether the extract was successful by checking the directory where the file was extracted (except if it was extracted to the current directory). If the directory size is nonzero, UniExtract assumes that the extract was successful; otherwise it displays an error on screen and simultaneously logs it in a text file located at “%windir%:\uniextract.log”. This log file is created during the extraction process by the “tee” program.
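The decision flow above, sketched in Python as an added example; it is not Universal Extractor's own code, which is written in AutoIt and relies on PEiD. It goes one step further than the extension check by reading magic bytes, a simple magic-byte scan stands in for the PEiD signature lookup, and the names `plan`, `identify`, `extraction_succeeded` and `SAMPLES` are hypothetical.

```python
import os

# Well-known leading magic bytes for a few of the Table 1 formats.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"MSCF": "cab",
    b"\x1f\x8b": "gzip",
    b"BZh": "bzip2",
}

def identify(data):
    """Return the archive type whose magic starts the buffer, else None."""
    return next((n for m, n in MAGIC.items() if data.startswith(m)), None)

def plan(data):
    """Return (action, detail) following the decision flow described above."""
    if not data.startswith(b"MZ"):  # not a DOS/PE executable
        kind = identify(data)
        return ("extract", kind) if kind else ("fail", "unrecognised")
    # Stand-in for the PEiD step: find the earliest archive magic after the
    # executable stub. Only magics of 4+ bytes are used, to limit false hits.
    hits = [(data.find(m, 2), n) for m, n in MAGIC.items()
            if len(m) >= 4 and data.find(m, 2) != -1]
    if hits:
        return ("sub-extractor", min(hits)[1])
    return ("fallback", "7-zip/unzip")

def extraction_succeeded(out_dir):
    """Success test as described: the output directory's total size is nonzero."""
    return sum(os.path.getsize(os.path.join(root, name))
               for root, _dirs, files in os.walk(out_dir)
               for name in files) > 0

# Constructed byte strings for illustration, not real installers.
SAMPLES = {
    "plain.zip": b"PK\x03\x04" + b"\0" * 26,
    "sfx.exe": b"MZ" + b"\0" * 62 + b"Rar!\x1a\x07\x00",
    "unknown.exe": b"MZ" + b"\0" * 62,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, plan(blob))
```

A nonzero directory size only shows that something was written: a partially extracted archive passes this test, so in an investigation the output should still be compared against the archive's own file listing.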
7. Example
7.1 EXE file – Successfully extracted.
1. Extract “mobile_ringtone_converter_trial.exe” to a directory.
2. Extracted output.
7.2 EXE file – Unsuccessful to extract.
1. Extract “AutoStreamer.exe” to a directory.
2. Error disclosed.
8. Conclusion
After using Universal Extractor, we can see how useful this software is for extracting almost any type of widely known archive or executable. Moreover, this convenience comes free of cost, with the added ability to modify the code of the software according to our needs.
9. References
· Universal Extractor Software Website : http://www.legroom.net/modules.php?op=modload&name=Open_Source&file=index&page=software&app=uniextract
· Universal Extractor Software Forum : http://www.msfn.org/board/index.php?showtopic=62418
Neha Waze
It's actually helpful for the people who have interest in technology or for them who want to know some extra about technology. But I feel that this is one of the nice ways to explore the knowledge and information with your and your company’s name under it. Great job done by you! And a great way of communication... indeed.
Igniny
inimitably informative))