We use cookies to make your experience better. To comply with the new e-Privacy directive, we need to ask for your consent to set the cookies. Learn more.
C32zip
: The "Extra Field" length and content are often manipulated to hide data or throw off automated parsers.
: The filename length field in the local file header is set to an impossibly large value (e.g., 9001 or 0x2329 ), causing extraction tools to fail or truncate the filename.
: Use binwalk or file to confirm it is a ZIP. Try to unzip it; if it fails with "filename too long" or "offset error," the headers are tampered with. C32zip
To solve these "C32" related zip challenges, one must understand the ZIP file format : : Starts with the signature 50 4B 03 04 .
In this specific challenge, players are given a ZIP file ( zipp.zip ) that appears broken. Upon inspection with a hex editor, several issues are discovered that prevent standard extraction: : The "Extra Field" length and content are
: Open the file in a tool like 010 Editor or Hxd . Look for the filename length at 0x1A . If the actual filename is just a few characters (like flag.txt ) but the length is 9001 , manually change it to the correct length (e.g., 0x08 ).
: Located at offset 0x0E . This is the checksum of the uncompressed data. Compressed Size (4 bytes) : Offset 0x12 . Uncompressed Size (4 bytes) : Offset 0x16 . Try to unzip it; if it fails with
: Once lengths and CRC values are consistent, standard tools like 7z or unzip will be able to process the file correctly. CTFtime.org / PlaidCTF 2017 / zipper / Writeup
