For a very particular thing, I need to decompress a bzImage in order to Disassemblers it .

I take the bzImage, remove the bootsect.s and setup.s header to get the
compressed kernel. but I can't unzip it because the extracted kernel
does not begin with gzip magic number (0x1f,0x8b|| 0x9e). But it should
(if I look to arch/i386/boot/compressed/misc.c and gunzip() ).

hi wsgtrsys!

ok - the structure of bzimage files you can see here
http://en.wikipedia.org/wiki/Image:Anatomy-of-bzimage.png

note that the compression used is gzip, not bzip2 as one could assume by the file name.

i did it the other way around - i loaded my bzImage into a hex editor. next is to find the compressed image within. as its gzip it will start with the Magic bytes 0x1f 0x8b
( http://schmidt.devlib.org/file-formats/gzip-archive-file-format.html )

the first occurence could possibly be the start of the compressed kernel image.
for fun i gzipped a test file and it starts with 0x1f 0x8b 0x08, which matches our first occurrence in the bzImage file.



So you can extract the data from this addres starting at your 0x1f 0x8b 0x08 bytes (in this case 0x5574) to end of file and save it to disk as ie yourfile.gz. (I did this all with cygwin hexedit.exe )

next you can gzip -d yourfile.gz and load it into your favorite disassembler
hehehehehe

regards,

--
0xf001

thanks 0xf001!
i read this article:
http://linux.derkeiler.com/Mailing-Lists/Kernel/2004-03/5506.html

and decompression the kernel,but the vmlinux don't have elf head,IDA pro can't Disassemblers it .sou i use w32dasm　Disassemblers it ,but w32dasm　Disassem result is too difficult understand.

so i think,how can set it ,then IDA can Disassemblers it ?

there is vmlinux file:
ftp://61.161.79.48/vmlinux

hi,

use HTE, it can open raw files

[edit] - btw the link you showed pretty much explains everything - oltough they make it unnecessary complicated ! you need to know how the kernel loads itself look maybe a bit about boot process and kernel startup ;

regards, 0xf001