The program (source given) unpacks a custom archive file. If we run strings on the archive file, however, it appears that not all the files get unpacked; specifically, a hidden "flag.png" file is left behind.
000db100: 3db9 bff7 28f0 e20b bb76 0a00 00e7 1f66 =...(....v.....f
000db110: 6c61 672e 706e 6700 4f6e 58a9 15ea 15fd lag.png.OnX.....
000db120: 1fe7 12e7 57ae 4da3 1fe7 90e6 1fe7 01e7 ....W.M.........
A packed file starts with the metadata [bsz (4)][k1 (1)][k2 (1)][name]. So if the offset to the flag.png name is 0xdb10f, then 0xdb10f-6 is the start of the block.
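As an added example (not the writeup's or the challenge's code), a small parser for that header: it finds a block by its NUL-terminated name and derives the payload offset and length. It assumes bsz is little-endian and counts the whole block including header and name, an inference from the hexdump bytes 76 0a 00 00 (2678) and the 2663-byte flag.png (2678 - 6 - 9 = 2663); the struct and function names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Header layout from the writeup: [bsz (4)][k1 (1)][k2 (1)][name\0][data].
 * Assumption (inferred from the hexdump and the 2663-byte output): bsz is
 * little-endian and counts the whole block, header and name included. */
#define HDR_LEN 6

typedef struct {
    size_t   start;     /* offset of the block header in the archive     */
    uint32_t bsz;       /* total block size as stored                    */
    uint8_t  k1, k2;    /* per-block key bytes (meaning not needed here) */
    size_t   data_off;  /* offset of the payload                         */
    size_t   data_len;  /* payload length = bsz - header - name          */
} fblk_hdr_t;

/* Locate a block by its NUL-terminated name and parse its header.
 * Returns 0 on success, -1 if not found or the block does not fit the buffer. */
int find_block(const uint8_t *buf, size_t len, const char *name, fblk_hdr_t *out)
{
    size_t nlen = strlen(name) + 1;          /* include the terminating NUL */
    for (size_t off = HDR_LEN; off + nlen <= len; off++) {
        if (memcmp(buf + off, name, nlen) != 0)
            continue;
        size_t start = off - HDR_LEN;
        uint32_t bsz = (uint32_t)buf[start] | (uint32_t)buf[start+1] << 8 |
                       (uint32_t)buf[start+2] << 16 | (uint32_t)buf[start+3] << 24;
        /* Reject sizes that cannot cover header+name or that run past the buffer. */
        if (bsz < HDR_LEN + nlen || bsz > len - start)
            continue;
        out->start = start; out->bsz = bsz;
        out->k1 = buf[start+4]; out->k2 = buf[start+5];
        out->data_off = off + nlen;
        out->data_len = bsz - HDR_LEN - nlen;
        return 0;
    }
    return -1;
}

/* Constructed sample: the 15 header bytes seen at 0xdb109 in the writeup's hexdump,
 * placed at offset 0x109 of a zero-filled 4 KiB buffer so the 2678-byte block fits. */
static uint8_t sample[4096];
size_t build_sample(void)
{
    static const uint8_t hdr[] = { 0x76,0x0a,0x00,0x00, 0xe7,0x1f,
                                   'f','l','a','g','.','p','n','g',0 };
    memset(sample, 0, sizeof sample);
    memcpy(sample + 0x109, hdr, sizeof hdr);
    return sizeof sample;
}
```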
We can reuse the program to force it to unpack this block.
/* 0xdb10f is the offset of the "flag.png" name, so the block header starts
   6 bytes earlier; fblk_t and parse_fblk come from the supplied source. */
fblk_t blk2;
parse_fblk(buff, 0x000db10f+0x1000, 0x000db10f-6, &blk2);
FILE *fp = fopen(blk2.name, "wb");
if (fp == NULL) {
    perror(blk2.name);
    free(buff);
    return 1;
}
if (fwrite(blk2.data, 1, blk2.length, fp) != (size_t) blk2.length) {
    puts("Error writing output file");
    fclose(fp);
    free(buff);
    return 1;
}
fclose(fp);
Compiling and running it shows that this works.
$ gcc extract.c -o extract; ./extract arc out; ls -al out/flag.png
paint.png
aaaa.png
sentence.png
yeehaw.png
flag.png
-rw-rw-r-- 1 andrew andrew 2663 Aug 8 17:21 out/flag.png
Flag: l05t_buT_n0t_f0rGotT3n_18a9b735