ZIX File Format

Kenneth Sörling (nevershaveyourduck@gmail.com)

May 11th, 2007

Revised: September 7th, 2007 (new format disclosure and link)

Revised: May 18th, 2007 (info on folders within ZIX archives)

Note:

This document details only the format of version 1.0 ZIX files, which are less and less common in the wild. A new format (2.0) with this extension is currently in widespread circulation which is radically different. Details can be found here

Introduction

The ZIX file is an archive file used to pack files together and serve as a unit, presumably for download. This is true as far as things go. However, the following warnings apply:

The ZIX file format is a bogus format, created solely as a vehicle for spreading the WinZix AdWare/SpyWare/Malware. Contrary to the claims of its creators, it offers no benefits whatsoever over established formats such as Zip, Rar, Arj, et cetera. In fact, observations to date have shown that ZIX files offer no compression whatsoever. The 'compressed' files are simply embedded as-is inside the archive without compression. In fact, the ZIX format offers no benefit at all! I will prove this when analyzing the file format further down in this document.

The sole purpose of this format is to entice/lure/force people to download and install the WinZix software, which can extract the contents of ZIX archive. In addition to offering this capability, the WinZix software will alter your system in a variety of ways, most of which are at best undesirable and at worst harmful to you. If you carefully read the EULA (End-User Licences Aggreement), you will realize that by installing their software, you are giving them legal permission to do whatever the hell they want to your computer. And that's just the stuff they're willing to tell you about. Observations have shown that the software does other harmful things to your system, and cannot be fully uninstalled.

Further details can be found here and here.

Therefore, I must warn people against installing the WinZix software. To make things perfectly clear:

The creators of WinZix are most certainly liars, and potentially also crooks, virus mongers and scam artists.
Anyone using their software to produce and spread ZIX archives are their cronies. Whether out of malice, greed or plain ignorance, they help proliferate the spread of this spyware and earn money for the WinZix distributors.

Therefore:

If possible, avoid downloading anything with a ZIX extension.
Avoid, at all costs, installing the WinZix software. Doing so may cause you all sorts of nastiness
If you absolutely feel the urge to install the WinZix software, read the EULA carefully! The creators are forthcoming about most of the crap they're about to do to your system, including but not limited to tampering with your firewall settings, altering your browsers's home page, plaguing you with popup advertisements and communicating with outside servers behind your back.
If you're dumb enogh to still want to install their software, ensure rollback capability! Do a full backup of your system, in case you need to reinstall everything in order to get rid of their malware. At a minimum, use the XP 'restore point' feature to safeguard yourself. But this probably won't help you.
If you have a ZIX archive, the contents of which you absolutely must access, use alternative software if possible. I will provide an alternate ZIX extractor, complete with source code, and no doubt others will do the same. Use whichever software you want, but be sure to virus check it first. This, off course, applies to software written by me as well!
Do not extract, and absolutely don't run, any executable within a ZIX archive. It may have been compromised to include trojans or viruses
Under no circumstances should you use WinZix to produce ZIX archives and spread them. Doing so will enlist you as a crony for the bandits who invented this miserable piece of trash. At best, you'll be criminally stupid. At worst, you'll simply be criminal.

The Good News

is that you don't need WinZix to extract the contents of ZIX archives. Since theyr'e neither compressed, encrypted or otherwise encoded, you can extract them easily using any programming language that allows binary access to reading and writing files, once you know how to get at the information to do so. By the end of the document, you will.

File Format Overview

Below is a brief description of the Zix file format, as deduced from observation, experimentation and a bit of educated guesswork:

The file starts with a 3-byte ASCII signature: "ZIX"
The next four bytes are the offset to the manifest (described later), stored in Intel byte order
The next four bytes are the high DWORD of the offset described above It will only contain a non-zero value if the archive is larger than 4 GB. You probably won't see this often, if ever.
The next n bytes are the enclosed file(s). If multiple files, they are stored back to back, with no delimitation or separation. Their filenames, sizes, offsets and attributes can be obtained by parsing the manifest (described shortly). The value n can be computed programmatically, as detailed further down.
The last n2 bytes of the file consists of the manifest, which is a bencoded dictionary in standard bittorrent format. It contains a list of the files in the archive and where to find them. The value n2 can be computed programmatically, as detailed shortly.

The Manifest format:

NOTE: The term 'Manifest' is my own naming for this metainformation. It is borrowed from the .Net framework architecture's semantics meaning 'declaration about contents and dependencies of an assembly' Another name might be 'directory' except that the manifest contains a whole lot less useful information than a traditional directory.

As stated, the manifest is a bencode dictionary containing metainformation about the contents. It is a pruned-down version of what is found in a bittorrent file. It has the following bencoded keys and values:

announce: <url to bandit website>
files: <list of files>
folders (optional)<list of folders>

where <list of files> is a list of dictionaries, one for each file, each consisting of the following keys:

attribute: <attributes value: typically 0>
finish: <offset of end of file>
name: <filename>
size: <file size>
start: <offset of start of file>

and, where <list of folders> is a list of dictionaries, one for each folder, each consisting of the following keys:

attributes: <attributes value: typically 16 (corresponds to FILE_ATTRIBUTE_DIRECTORY)
files: <list of files, as seen above>
folders: (guesswork -- hitherto unobserved, but potentially can occur here)
name: <folder name>
size: <size of folder: typically 0 (erroneous, but there it is)>

Should a folders key occur within this dictionary, it will follow the same format as <list of folders>, as just detailed, in a recursive format.

Proof that the ZIX file format is bogus

Note that there is no key mentioning "uncompressed size" or "compression algorithm", or even a "checksum". This should be proof enough that the WinZix software does not compress the contents in any way whatsoever. They're flat out lying about the so-called benefits of this format.

Furthermore, notice that you don't even get the standard useful information other packers provide, such as original creation/modification file dates or CRC32 checksums. Even the attribute value for each file is 0, meaning they don't even bother to encode it! Furthermore, notice the lack of version information in the file format as a whole. They're not even bothering to ensure backwards compatibility with future versions of the software or format. Why? Because the ZIX format is a bullshit scam. You don't need to provide backwards compatibility with a format which has no features whatsoever.

You should be suspicious of the presence of the 'announce' keyword/value pair, too. Why is it there? What is its purpose?

The reason I can think of is usage tracking and espionage. Whenever you use WinZix to open a ZIX archive, the URL found in the announce tag is used to signal an external tracker about the operation. This way, the WinZix distributors will know which files are spread, and to whom, and when they are accessed and by whom. But don't be outraged; by accepting their EULA, you have given them permission to do so.

Steps to read and extract a ZIX archive:

Read the 3-byte signature. It should be "ZIX" (without the encloseing quotes)
Read the 4-byte offset to the manifest. If the archive is 4GB or larger, the next four bytes will probably be the high-order DWORD of a LARGE_INTEGER, so do the appropriate math to construct the offset.
Seek to <offset>
Read <length-of-file>-<offset> bytes to obtain the manifest
Parse the manifest dictionary by using bencode parsing code to obtain a list of filenames, offsets and sizes.
Use this information to seek to and extract the files.

If you are fairly certain that the archive only contains one file, and you know the file type, and you don't care about the original file name, the job is even easier:

Read the 4-byte offset at address 0x03h in the file (assuming a zero-based start offset).
Compute the size of the extracted file as <offset> - 11 (to exclude the 11-byte header and the manifest)
Seek past the 11-byte file header to address 0x0Ah (10 decimal), where the actual file starts. This assumes a zero-based initial offset.
Read and extract <size> bytes and save them to their own file.

Note that this isn't failsafe: If the archive contains multiple files, you'll get a single file containing the concatenated binary data from each of them. And there's no guarantee that the first file is the one you wanted.

Parsing the Manifest

Space here does not permit a full breakdown of the bencode format or the details of dictionaries, lists, bencoded strings and integers. For this, go to this handy Wikipedia article.

Once you learned to grok the terminology, what you need to know that the manifest is a dictionary containing a list of dictionaries, each of which holds the details of a single file, as described above. Each detail is a bencode name / value pair.

Parsing such a manifest is a recursive process, and how you do it depends on your programming language of choice, your skills, and your inventiveness. My own code uses some heuristics to make assumptions about where to find the information and how to extract it. If you grok VB code, you are free to examine it and see how it can be done. But forewarned; it's a rocky ride. My code uses several recursive functions which use different passed-in contexts to call itself in various ways. Although profusely commented, it's not always easy to figure out what's going on, unless you're familiar with how bencoded torrent data is organized. Carefully tracing through the source code while it runs might help.

Disclaimer:

The information in this document applies to ZIX files as observed up until May 2007. The creators of WinZix might get more devious and add features to their software and the ZIX format to make it look less like the bullshit scam it is as of today. In particular, they might actually add compression and/or encryption features. This will not be intended as a service to you; rather, it will be introduced to make ZIX archives harder to crack for those who are too wise to install their spam software.

Donning my psychic hat, I can make the following predictions about the future of the format and the software:

A new, 'improved' version will appear in order to invalidate all information included in this document, barring, possibly, the presence of the "ZIX" signature. Even the manifest will be gone, or at least encrypted
Encryption will not be optional. This only to force obfuscattion of the file contents.
Compression will not be optional. This only to force obfuscation of the file contents.
They will refuse to disclose information about the internal structure of the file format, the compression algorithms used, the encryption methods used, or any other helpful information. They will cite plausible-sounding business reasons to refuse to do so, but the real purpose will be to prevent you from extracting ZIX contents by any other means than installing and using their software.
Hackers will later on deduce that the compression and encryption methods used are neither new nor original, and furthermore offer no better compression than other packers. Most likely, the compression will be a variant of the ZLIB compression, or one of the non-patented LZ algorithms. The makers of WinZix ar scam artists, not programmers (in any case, not visionary or even competent ones) and will not be able to invent any new and better compression methods. They're in it for the money.

I hope that these predictions, made on May 11th, 2007, will prove wrong. In that case, the information in this article will continue to be valid for some time to come, and the code I intend to provide to extract ZIX contents will continue to work. Most importantly, if I'm wrong, ZIX archives will continue to be parseable and extractable without having to install spyware onto your system.

About the UnZixWin utility

Along with this document, I'm writing a crude little app to extract the contents of Zix archives as they appear at present. This is only to try to help prevent the spread of the WinZix virus (for a virus it is).

The utility, written in Visual Basic 6.0 SP 5, will be extremely basic, in order to reduce dependencies on external OCX files and libraries. It will require that the VB6 runtime (MSVBM60.DLL) be placed in your system directory, which it might already be. It should require no further installation to run. As a price for this simplicity, it will be just about the ugliest piece of software you've seen in a long time. But hey, it'll be free, and it won't alter your system in any way (barring a couple of optional harmless registry settings which you can easily remove).

The operation will be as simple as possible: browse to a ZIX archive, click on it to see what it contains, select files to extract from a list, and use a menu item or shortcut key combination to extract them.

In the spirit of full disclosure, I will provide the full source code to the utility, so that any programmers familiar with basic can inspect the code to see what it does, alter anything they don't like, and compile their own version if they don't trust my compiled binary.

The utility, as well as the source code, will naturally not be in Zix format. It will in all probablility be in a ZIP format.

Should you choose to download and use the UnZixWin utility, check the readme file before running the software. It will contain the standard disclaimers, some basic tips about the operation, and any cleanup steps you might want to take when you're done with the utility.

Summary

The ZIX format is a useless bogus format that offers no benefit to anyone. Its sole purpose is to provoke the spread of the wretched WinZix spyware.

This document details the format of the ZIX file (as it is as of this writing), explains why it is useless and how the creators of WinZix are lying about its supposed usability.

Alternative software will undobtedly pop up to parse the format, mine included. However, you should not take this as a rationale for downloading ZIX 'archives', and especially not as a rationale for producing them, or writing software to produce them. This will only proliferate the spread of this wretched format and lure more unsuspecting victims into the clutches of the WinZix scam artitsts.

In short: Avoid ZIX files like the plague. Don't download them, don't share them, don't spread them, and don't in any way encourage or validate their existence.

Please! Make this article obsolete, and make the accompanying source code obsoletete. Do so by making ZIX obsolete.

ZIX! Just say No!

Update!

The new ZIX format (commonly referred to as 2.0) has been cracked. Version 0.0.9 of my UnZixWin has been updated to handle them. Other utilities are sure to follow.

Full disclosure of the new format can be found in this document.

Update!

June 2nd, 2007:

Thanks to feedback from many users, I've had the opportunity to examine more ZIX archives, and feel it only fair to include a warning: ever more often, ZIX archives appear which contain virus-infected executables. Along with those are some html file or such which encourage you to run the executable either to 'patch' a codec, or to install an application which proves to be spyware-infested.

Thus, refrain from extracting anything executable, such as EXE files.

Also note that we are observing a higher frequency of ZIX archives which contain crippled or garbage AVI's (as an enticement to install some spyware 'player'). Don't fall for this. Cut your losses and throw the file away.

I've complemented the UnZixWin utility to issue warnings about these conditions, so users can make an informed decision as to whether to extract something or not.

Update!

May 18th, 2007

After the initial release, an archive was discovered on the net and reported to me which UnZixWin couldn't handle. It turned out that it contained a hitherto unseen structure: folders.

I updated the code to handle them, but mainly to parse through them and pick up any files inside. UnZixWin has no provisions as yet for recreating the folder structure inside a ZIX archive, and I don't know if I can be bothered to add this feature. You still get all the files in a list, but you'll have to extract each individually and put them where you want them. Handle any name collisions by renaming the destination files in the process.

I updated this document to include information on this structure.

Update!

(May 14th, 2007)

As predicted, other utilities have indeed popped up to handle ZiX archives. A command-line utility, aptly named UnZix, written in PowerBasic by was put on the net by JimDunn. This happened while I was writing this article. UnZix was what I named my own utility as well. Do great minds think alike, or what? (grin)

I downloaded and checked out his code. It's even cruder than mine, is but very small and tight and exactly as functional as it needs to be. Good job, there!

I'll put my own utility online as well, but now I'll have to rename it and replace my nifty icons. Bummer. In case you like a friendly little windows user interface, my utility will shortly be available as UnZixWin. It lets you select which files to extract, browse to where you want them, and rename them in the process, plus you get a little progress dialog while you wait for extraction to complete. Otherwise, there is no need to prefer one over the other.