ToolAct

ZIP Unpack & Extract

Upload ZIP archives to preview and extract files, download individually or extract all

What is ZIP Extraction?

ZIP extraction opens an archive and restores the files stored inside it. People use ZIP extraction when they receive a compressed package, want to inspect its contents before downloading everything, need only one file from a bundle, or want to verify filenames and sizes before trusting an archive. ZIP extraction is lossless for normal files, but it does not make unknown content safe. Archives can contain misleading filenames, unexpected folders, very large expanded data, or files that should not be opened without antivirus scanning. This browser tool reads the archive locally and lets you download selected files, which is convenient for small checks. It does not recreate a full folder tree on disk or replace careful security review for suspicious archives.

How to Use

  1. Drag a ZIP file to the upload area, or click the 'Select ZIP File' button
  2. View the file list and file information inside the archive
  3. Click 'Download' on a single file to extract it
  4. Click 'Extract All' to download all files as a ZIP

Extraction Safety

  • Inspect the file list before downloading extracted items, especially when the archive came from an unknown source.
  • Be careful with executable files, nested archives, and suspicious filenames.

Use Cases

Inspect a ZIP before extracting anything

Drop a .zip file and the page builds a sorted folder tree with file-type icons, expandable folders, and computed file sizes. You can quickly see whether the archive contains the expected documents, assets, or code before downloading individual files. The reader walks the End of Central Directory record at the end of the file to locate the central directory, so an accidentally truncated or appended .zip that still ends in a valid EOCD marker will list its declared entries even when some local headers are damaged.

Download only the files you actually need

Select one file, a whole folder, several nested items, or everything in the archive, then download selected files from the browser. The selection logic expands folders into their contained files, so you can pull a few needed items from a larger archive.

Use browser-side extraction for lightweight archive review

JSZip reads the archive locally and each extracted file is downloaded as its own browser download. Batch extraction does not recreate the original folder tree on disk or produce a new ZIP, so it works best for review, triage, and small retrieval tasks rather than full backup restoration.

Spot a suspicious filename before extracting it

Read the file list for double extensions like report.pdf.exe, hidden system files, or paths that try to escape a directory with .. segments. Treat unknown archives as untrusted even if the source looks familiar, and scan anything executable with antivirus before opening. Filenames whose general-purpose flag bit 11 is set are stored as UTF-8, so non-ASCII names are decoded correctly, while missing flags can surface mojibake that itself is a hint of a tampered or repacked archive.

Pull a single config file from a backup ZIP without downloading the rest

Browse the folder tree, select just the desired config.json or certificate, and download only that entry. This is a fast way to recover one lost file from a multi-gigabyte backup without burning bandwidth on the parts you do not need. Archives over 4 GB rely on the ZIP64 extension, and the tool reads the ZIP64 extra fields for uncompressed size, compressed size, and local header offset, so single-file recovery still works for backups that exceed the classic 32-bit limit.

Technical Principle

Reading a ZIP archive proceeds in the reverse order of writing one. The browser receives the file as an `ArrayBuffer` via the File API (`file.arrayBuffer()`) and the reader scans backward from the file tail looking for the End of Central Directory signature `0x06054b50` (PK\x05\x06). EOCD is at most 22 bytes plus an optional comment of up to 65,535 bytes, so the scan window is bounded. EOCD points at the offset and size of the Central Directory, which holds one File Header (`0x02014b50`) per entry. Each File Header carries the compressed and uncompressed sizes, CRC-32, compression method, filename, and the offset of the matching Local File Header (`0x04034b50`). The reader can then seek directly to any individual entry without parsing the entries before it — which is why single-file extraction from a multi-GB backup is fast.

Decompression depends on the method byte: `0x00` is stored (no compression, just a memcpy), `0x08` is DEFLATE per RFC 1951 (~99% of archives in the wild), `0x0C` is BZIP2, `0x0E` is LZMA, and `0x5D` is the older PPMd. This tool uses JSZip (or fflate for higher throughput — fflate's `unzipSync` decodes a typical 10 MB DEFLATE archive in tens of milliseconds, several times faster than JSZip). After decompression the CRC-32 of the raw bytes is recomputed and compared against the value in the central directory; a mismatch indicates corruption or tampering.

Two security concerns matter for any extraction code path. The first is the Zip Slip vulnerability (Snyk, 2018): a malicious archive can contain entries with path traversal sequences like `../../etc/passwd`, and a naive extractor that joins the entry name to a target directory will write outside the intended sandbox. The fix is to normalise the joined path with `path.resolve()` and verify it still starts with the target directory before any write. This tool offers each entry as an individual browser download via `URL.createObjectURL(new Blob([bytes]))` and the browser sandboxes the destination, so directory traversal cannot escape the user's Downloads folder, but the same archive on a server-side extractor would be exploitable.

Second, encrypted archives are not handled: traditional ZipCrypto is a 32-bit stream cipher that is trivially broken with a known-plaintext attack of three bytes, and modern WinZip AES-256 (PKWARE APPNOTE 7.0) requires the AE-2 extra field with HMAC-SHA1 authentication — neither path is implemented here.

Archives over 4 GiB rely on the ZIP64 extension's extra fields for 64-bit sizes and offsets, which the parser must read instead of the 32-bit central directory fields.
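The parse order described above, as an added example that is not ToolAct's code: it scans backward for the EOCD signature, walks the central directory, and decodes each name according to flag bit 11. The function names and the constructed sample (a central directory plus EOCD with no local headers) are assumptions for illustration; non-UTF-8 names are decoded byte-for-byte instead of through a legacy code page, and ZIP64 records are not followed.

```javascript
// Added example, not ToolAct's code; function names are illustrative.
const EOCD_SIG = 0x06054b50, CDFH_SIG = 0x02014b50;

function findEocd(view) {
  // EOCD is 22 bytes plus a comment of up to 65,535 bytes, so the scan is bounded.
  const last = view.byteLength - 22;
  for (let i = last; i >= 0 && i >= last - 0xffff; i--)
    if (view.getUint32(i, true) === EOCD_SIG) return i;
  throw new Error("no End of Central Directory record found");
}

function listEntries(buffer) {
  const view = new DataView(buffer), eocd = findEocd(view), entries = [];
  const count = view.getUint16(eocd + 10, true);      // total entries
  let pos = view.getUint32(eocd + 16, true);          // central directory offset
  const end = pos + view.getUint32(eocd + 12, true);  // offset + size
  for (let n = 0; n < count; n++) {
    const nameLen = view.getUint16(pos + 28, true);
    const next = pos + 46 + nameLen + view.getUint16(pos + 30, true) + view.getUint16(pos + 32, true);
    if (view.getUint32(pos, true) !== CDFH_SIG || next > end || end > eocd)
      throw new Error(`central directory entry ${n} is malformed`);
    const raw = new Uint8Array(buffer, pos + 46, nameLen);
    const utf8 = (view.getUint16(pos + 8, true) & 0x0800) !== 0; // flag bit 11
    entries.push({
      name: utf8 ? new TextDecoder().decode(raw) : String.fromCharCode(...raw),
      utf8, method: view.getUint16(pos + 10, true),
      localHeaderOffset: view.getUint32(pos + 42, true),
    });
    pos = next;
  }
  return entries;
}

// Constructed sample: central directory + EOCD only, no local headers or data.
function constructedSample(names) {
  const parts = names.map((n) => new TextEncoder().encode(n));
  const cdSize = parts.reduce((sum, p) => sum + 46 + p.length, 0);
  const buf = new ArrayBuffer(cdSize + 22), view = new DataView(buf);
  let pos = 0;
  for (const p of parts) {
    view.setUint32(pos, CDFH_SIG, true);
    view.setUint16(pos + 8, 0x0800, true);  // UTF-8 names
    view.setUint16(pos + 10, 8, true);      // method 0x08, DEFLATE
    view.setUint16(pos + 28, p.length, true);
    new Uint8Array(buf, pos + 46, p.length).set(p);
    pos += 46 + p.length;
  }
  view.setUint32(pos, EOCD_SIG, true);
  view.setUint16(pos + 10, names.length, true);
  view.setUint32(pos + 12, cdSize, true);   // offset field stays 0
  return buf;
}
```

Because the listing is built from the central directory alone, names that appear here still need validation before any server-side write.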

  • Parse order: scan backward from file tail for EOCD signature `0x06054b50` (max 22 + 65535 bytes from end) → seek to Central Directory → seek to each Local File Header.
  • Compression methods: `0x00` stored, `0x08` DEFLATE (RFC 1951, ~99% of archives), `0x0C` BZIP2, `0x0E` LZMA, `0x5D` PPMd.
  • Integrity: CRC-32 with polynomial `0xEDB88320` (reversed IEEE 802.3) recomputed on extracted bytes and compared against the central directory value.
  • Zip Slip (Snyk 2018): entries with `../` path traversal can write outside the extraction directory; fix by normalising and validating the resolved path before write.
  • Browser implementation: `File.arrayBuffer()` → JSZip / fflate `unzipSync()` → per-entry `URL.createObjectURL(new Blob([bytes]))` for downloads, no server round trip.
  • Encryption is not handled: ZipCrypto is broken in 3 known-plaintext bytes; WinZip AES-256 (APPNOTE 7.0, AE-2 extra field with HMAC-SHA1) is not implemented here.
  • ZIP64 (APPNOTE 4.5+) extends 32-bit size/offset fields to 64-bit via extra fields; required for archives or single entries above 4 GiB (2³² − 1 bytes).
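The Zip Slip check from the list above, as an added example for a server-side Node.js extractor and not ToolAct's code: each entry name is resolved under the target directory and rejected unless the result stays inside it. `safeExtractPath`, `planExtraction`, the `/srv/extract` directory and the entry names are constructed for illustration.

```javascript
// Added example, not ToolAct's code; names and paths are illustrative.
const path = require("node:path");

function safeExtractPath(targetDir, entryName) {
  const root = path.resolve(targetDir);
  if (entryName.includes("\0")) throw new Error("NUL byte in entry name");
  // ZIP names use "/", but some archives carry "\"; treat both as separators.
  const resolved = path.resolve(root, entryName.replace(/\\/g, "/"));
  // Compare against root + separator: a bare startsWith(root) would accept
  // a sibling such as /srv/extract-evil for the root /srv/extract.
  if (!resolved.startsWith(root + path.sep))
    throw new Error(`entry escapes target directory: ${JSON.stringify(entryName)}`);
  return resolved;
}

// Split a listing into safe destinations and rejected names before any write.
function planExtraction(targetDir, entryNames) {
  const plan = { write: [], rejected: [] };
  for (const name of entryNames) {
    try {
      plan.write.push({ name, dest: safeExtractPath(targetDir, name) });
    } catch (err) {
      plan.rejected.push({ name, reason: err.message });
    }
  }
  return plan;
}

// Constructed entry names, as they might appear in a central directory listing.
const constructedNames = [
  "docs/readme.txt",
  "docs/../notes.txt",       // stays inside after normalisation
  "../../etc/passwd",        // traversal sequence from the text above
  "/tmp/abs.txt",            // absolute path: resolve() discards the root
  "../extract-evil/x.txt",   // sibling directory sharing the root's prefix
  "..\\..\\outside.txt",     // backslash separators
];
```

The check is lexical: it does not detect a symlink already present under the target directory, so an extractor that also restores symlink entries needs a separate check.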

Examples

View Archive Contents

View the file list inside a ZIP archive directly in the browser without installing extraction software

Extract Single Files

Download only the file you need from the archive without extracting everything

Batch Extract

Extract and download all files from the archive in one click

FAQ

Is the ZIP uploaded for extraction?

No. The page reads the ZIP locally via the FileReader API and decompresses entries in-browser using JSZip. Files never leave your device. You can confirm in the Network tab while extracting.

Which ZIP variants does it support?

Standard ZIP files using DEFLATE compression (the most common variant). Stored (uncompressed) entries also work. ZIP64 (for archives over 4 GB) is supported in most builds. Encrypted entries (password-protected) and 7Z, RAR, TAR are not supported - use a dedicated tool for those.

Can I extract password-protected ZIPs?

Generally no. JSZip does not handle ZipCrypto-encrypted or AES-encrypted entries. Decrypt with 7-Zip or WinRAR on the desktop first, then re-pack and upload here if you need to inspect the structure.

What if the ZIP has Chinese or Japanese filenames?

The page reads filenames as UTF-8 by default. Old Windows-created ZIPs may store filenames in GBK (Chinese) or Shift_JIS (Japanese) without setting the UTF-8 flag - those show as garbled. Re-create the ZIP with a UTF-8-aware tool, or use 7-Zip on the desktop with the right code page setting.

What's the file size limit?

Browser memory. Modern desktops handle 1+ GB ZIPs; mobile browsers run out around a few hundred MB. For very large archives, use a desktop tool that streams from disk.

Can I preview file contents without extracting?

Yes for text files - paste-or-click any entry and the page shows its content. Images preview as thumbnails. Binary entries (executables, ZIPs nested inside) only show metadata; download to inspect.

Are dotfiles and hidden files extracted?

Yes. ZIP doesn't have a 'hidden' attribute concept - all entries are visible. Filenames starting with a dot (.gitignore, .env) are extracted normally; treat them as ordinary files.