Joseph K. Myers

Tuesday, December 17, 2002

Spoof Waf Cache

(or "extracting from cache.waf")

Internet Explorer (IE) on Mac keeps its browser cache (cache.waf) in the Web Archive Format (.waf), which makes it the hardest-to-rescue user file on a Macintosh computer. There seems to be no way of getting anything from it, and no documentation seems to exist on its architecture or methods of extraction.

Suppose you have deleted a file by mistake. However, the file had been on the internet, and like all files of ordinary webmasters, has been visited by you. You absolutely know that it is in your cache, and yet you have no alternative but to pretend that it is at the bottom of the ocean.

You don't even need to interfere with anyone's privacy. You don't even need to know much more about cache.waf than what you already do--nothing. It would be sufficient to extract each file (as text) and tediously go through until you have found what you want. After all, it's your cache file--isn't it?

Or maybe it isn't. There is no way to inspect the contents--unless you wish to pore through the equivalent of one hundred thousand lines of an unknown language. Even Internet Explorer, probably the only creature that speaks that language, offers you no way of accessing your file. You own it, and yet you don't.

Well, anyway, that isn't very nice of Microsoft.

I didn't like it, and each time I needed something from cache.waf, I didn't like it even more. I inspected the file in agonizing detail (and discovered only a minute bit of information). The next time I inspected it again, and again.

Finally, I decided to create some files, load them in the browser, and analyze what they became when they were stored in cache.waf. I had a hunch that each file was data-continuous: no file contents were split up. (I have no way of knowing whether this is always correct.)

When I eventually found that every file seemed to be prefixed with "\0\0\0\x03\x64\x61\x74\x61\0\0\0\0" and suffixed with "\x70\x6f\x73\x74\0\0\0\x04", the best I could do was make a bet. Possibly reading between these values would return contents that I needed.

The results of this bet are in spoof-ie-waf-cache.pl, a program which uses this extremely unreliable technique to extract the files contained in a .waf file.
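The marker-to-marker carve described above, as an added Python example; it is not the author's spoof-ie-waf-cache.pl and makes the same unverified assumption that each file is stored contiguously. The names carve, dump and sample_cache, the max_size cap and the output file naming are assumptions of this example.

```python
import os
import tempfile

# Markers reported in the article; the layout between them is the author's guess.
PREFIX = b"\x00\x00\x00\x03data\x00\x00\x00\x00"
SUFFIX = b"post\x00\x00\x00\x04"

def carve(blob, max_size=16 * 1024 * 1024):
    """Yield (offset, payload) for each PREFIX...SUFFIX span in blob.
    Heuristic: a payload that itself contains SUFFIX is cut short, and a
    PREFIX with no later SUFFIX (truncated cache) yields nothing."""
    pos = 0
    while True:
        start = blob.find(PREFIX, pos)
        if start == -1:
            return
        body = start + len(PREFIX)
        end = blob.find(SUFFIX, body)
        if end == -1:
            return  # no closing marker: the rest cannot be delimited
        if end - body <= max_size:  # max_size is an assumed sanity cap
            yield body, blob[body:end]
        pos = end + len(SUFFIX)

def dump(blob, out_dir):
    """Write each payload to out_dir. Names come from a counter and offset,
    never from cache contents, so the data cannot steer the output path."""
    written = []
    for n, (offset, payload) in enumerate(carve(blob)):
        path = os.path.join(out_dir, f"carved-{n:05d}-at-{offset:08x}.bin")
        with open(path, "xb") as fh:  # "x" refuses to overwrite an existing file
            fh.write(payload)
        written.append(path)
    return written

def sample_cache():
    """Constructed input for the demo, not a real cache.waf."""
    return (b"\x11junk" + PREFIX + b"<html>first</html>" + SUFFIX + b"\x00idx\x00"
            + PREFIX + b"body { color: red }" + SUFFIX + PREFIX + b"truncated")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for p in dump(sample_cache(), d):
            print(os.path.basename(p), os.path.getsize(p))
```

The offset in each file name points back to where the payload starts in cache.waf, so a doubtful extraction can be checked against the raw bytes.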

Download: waf-cache.tar.gz (871 bytes)

Usage:

spoof-ie-waf-cache.pl < cache.waf

Important! Change to a directory which may be used to dump the contents of cache.waf before running.

Installation:

Change the .txt extension to .pl (chmod +x may be necessary).

http://www.myersdaily.org/joseph/problems/waf-cache.txt