[removed]

A compressed file is a description for the decompression tool as to how to generate the original content. If the decompression tool follows the descriptions in the compressed file step by step it will end up with the exact same data as the compression tool got as input. A zip bomb however is not made by any compression tool. Someone made the “compressed” file by hand creating instructions that would be impossible to follow without consuming infinite amounts of CPU, memory and storage.

They aren’t actually compressing something that already exists, they’re creating a file that tricks the decompresser into creating a lot of files out of nowhere.

Like imagine you have instructions for creating a book, and the instructions read, “put a 1 on each page, and print a million pages”

You don’t actually have to have an existing million page book to write those instructions, the decompresser/book maker will follow those instructions anyways. The (instructions for making a book/zip file) is really tiny, but the end result is huge.

It’s basically a code telling itself to write more code, so the initial instructions don’t need to be large at all.

Simple example:

1 Set “number” equal to 0

2 Set “number” equal to (*number*+1)

3 Save *number* in new file named “(*number*)”

4 Go to step 2

So in this entirely fake program, the idea is it will start with a variable =0. It will then change that variable to 1. Then it will make a save file called “1.” Then it will change the variable to 2, and make a save file called “2.” And it just keeps repeating, adding one more and then creating a new file in your computer. This would eventually take up every single bit of free memory and it will never stop running.

Different tools will have different limits, but some antiviruses consider anything with a compression ratio greater than 90% to be a zip bomb. It isn’t difficult to make such a file, just a 4KB file filled with zeroes will have around 178 bytes when zipped, which is a 96% compression ratio. And you can easily do this yourself.

However, this file is not really large enough to be malicious. To be malicious, you’d have to use a larger file. For example, a 1GB zip with that compression ratio would take up 23GB when unzipped, which could easily be seen as malicious depending on the content.

If you want to create an even larger zip bomb, you probably won’t have enough space on your system to compress a file, but you would just manually modify the zip structure so that instead of saying 4000 zeroes it says 40000000000000 zeroes. This would give you a compression ratio very close to 100%.

You don’t have to compress the results of the bomb, just the means to make the bomb.

For example, you write an instruction for the computer to calculate pi to 1 million places. You don’t need to calculate pi yourself and compress the million characters. The zip file telling the computer to calculate pi is much smaller than 100 digits of pi.