ZIP Unpack & Extract
Upload ZIP archives to preview and extract files, download individually or extract all
Drag a ZIP file here, or click to select
Supports .zip format archives
What is ZIP Extraction?
ZIP extraction opens an archive and restores the files stored inside it. People use ZIP extraction when they receive a compressed package, want to inspect its contents before downloading everything, need only one file from a bundle, or want to verify filenames and sizes before trusting an archive. ZIP extraction is lossless for normal files, but it does not make unknown content safe. Archives can contain misleading filenames, unexpected folders, very large expanded data, or files that should not be opened without antivirus scanning. This browser tool reads the archive locally and lets you download selected files, which is convenient for small checks. It does not recreate a full folder tree on disk or replace careful security review for suspicious archives.
How to Use
How to use
- Drag a ZIP file to the upload area, or click 'Select ZIP File' button
- View the file list and file information inside the archive
- Click 'Download' on a single file to extract it
- Click 'Extract All' to download all files as a ZIP
Extraction Safety
- Inspect the file list before downloading extracted items, especially when the archive came from an unknown source.
- Be careful with executable files, nested archives, and suspicious filenames.
Use Cases
Technical Principle
Reading a ZIP archive proceeds in the reverse order of writing one. The browser receives the file as an `ArrayBuffer` via the File API (`file.arrayBuffer()`) and the reader scans backward from the file tail looking for the End of Central Directory signature `0x06054b50` (PK\x05\x06). EOCD is at most 22 bytes plus an optional comment of up to 65,535 bytes, so the scan window is bounded. EOCD points at the offset and size of the Central Directory, which holds one File Header (`0x02014b50`) per entry. Each File Header carries the compressed and uncompressed sizes, CRC-32, compression method, filename, and the offset of the matching Local File Header (`0x04034b50`). The reader can then seek directly to any individual entry without parsing the entries before it — which is why single-file extraction from a multi-GB backup is fast. Decompression depends on the method byte: `0x00` is stored (no compression, just a memcpy), `0x08` is DEFLATE per RFC 1951 (~99% of archives in the wild), `0x0C` is BZIP2, `0x0E` is LZMA, and `0x5D` is the older PPMd. This tool uses JSZip (or fflate for higher throughput — fflate's `unzipSync` decodes a typical 10 MB DEFLATE archive in tens of milliseconds, several times faster than JSZip). After decompression the CRC-32 of the raw bytes is recomputed and compared against the value in the central directory; a mismatch indicates corruption or tampering. Two security concerns matter for any extraction code path. The first is the Zip Slip vulnerability (Snyk, 2018): a malicious archive can contain entries with path traversal sequences like `../../etc/passwd`, and a naive extractor that joins the entry name to a target directory will write outside the intended sandbox. The fix is to normalise the joined path with `path.resolve()` and verify it still starts with the target directory before any write. This tool offers each entry as an individual browser download via `URL.createObjectURL(new Blob([bytes]))` and the browser sandboxes the destination, so directory traversal cannot escape the user's Downloads folder, but the same archive on a server-side extractor would be exploitable. Second, encrypted archives are not handled: traditional ZipCrypto is a 32-bit stream cipher that is trivially broken with a known-plaintext attack of three bytes, and modern WinZip AES-256 (PKWARE APPNOTE 7.0) requires the AE-2 extra field with HMAC-SHA1 authentication — neither path is implemented here. Archives over 4 GiB rely on the ZIP64 extension's extra fields for 64-bit sizes and offsets, which the parser must read instead of the 32-bit central directory fields.
- Parse order: scan backward from file tail for EOCD signature `0x06054b50` (max 22 + 65535 bytes from end) → seek to Central Directory → seek to each Local File Header.
- Compression methods: `0x00` stored, `0x08` DEFLATE (RFC 1951, ~99% of archives), `0x0C` BZIP2, `0x0E` LZMA, `0x5D` PPMd.
- Integrity: CRC-32 with polynomial `0xEDB88320` (reversed IEEE 802.3) recomputed on extracted bytes and compared against the central directory value.
- Zip Slip (Snyk 2018): entries with `../` path traversal can write outside the extraction directory; fix by normalising and validating the resolved path before write.
- Browser implementation: `File.arrayBuffer()` → JSZip / fflate `unzipSync()` → per-entry `URL.createObjectURL(new Blob([bytes]))` for downloads, no server round trip.
- Encryption is not handled: ZipCrypto is broken in 3 known-plaintext bytes; WinZip AES-256 (APPNOTE 7.0, AE-2 extra field with HMAC-SHA1) is not implemented here.
- ZIP64 (APPNOTE 4.5+) extends 32-bit size/offset fields to 64-bit via extra fields; required for archives or single entries above 4 GiB (2³² − 1 bytes).
Examples
View Archive Contents
View the file list inside a ZIP archive directly in the browser without installing extraction softwareExtract Single Files
Download only the file you need from the archive without extracting everythingBatch Extract
Extract and download all files from the archive in one clickFAQ
Is the ZIP uploaded for extraction?
No. The page reads the ZIP locally via the FileReader API and decompresses entries in-browser using JSZip. Files never leave your device. You can confirm in the Network tab while extracting.
Which ZIP variants does it support?
Standard ZIP files using DEFLATE compression (the most common variant). Stored (uncompressed) entries also work. ZIP64 (for archives over 4 GB) is supported in most builds. Encrypted entries (password-protected) and 7Z, RAR, TAR are not supported - use a dedicated tool for those.
Can I extract password-protected ZIPs?
Generally no. JSZip does not handle ZipCrypto-encrypted or AES-encrypted entries. Decrypt with 7-Zip or WinRAR on the desktop first, then re-pack and upload here if you need to inspect the structure.
What if the ZIP has Chinese or Japanese filenames?
The page reads filenames as UTF-8 by default. Old Windows-created ZIPs may store filenames in GBK (Chinese) or Shift_JIS (Japanese) without setting the UTF-8 flag - those show as garbled. Re-create the ZIP with a UTF-8-aware tool, or use 7-Zip on the desktop with the right code page setting.
What's the file size limit?
Browser memory. Modern desktops handle 1+ GB ZIPs; mobile browsers run out around a few hundred MB. For very large archives, use a desktop tool that streams from disk.
Can I preview file contents without extracting?
Yes for text files - paste-or-click any entry and the page shows its content. Images preview as thumbnails. Binary entries (executables, ZIPs nested inside) only show metadata; download to inspect.
Are dotfiles and hidden files extracted?
Yes. ZIP doesn't have a 'hidden' attribute concept - all entries are visible. Filenames starting with a dot (.gitignore, .env) are extracted normally; treat them as ordinary files.