Fix issue #129 by rewriting the ARC handler yara rule.

[qkaiser]

See #129

[qkaiser]

I added two enhancements to ARC handler that will help with #129. Moved the size to an unsigned integer (should always be positive), and added a name validation function that verify if the file name is unicode encoded.

[vlaci]

Hm, a file doesn't get extracted now :(

[vlaci]

From the docstring of the yara rule:

        Then a null-byte or unitialized-byte terminated filename string of 13 bytes, the
        uninitialized byte is always set between 0xf0 and 0xff.

This matches with the output of the test:

struct heads:

• archive_marker: 0x1a
• header_type: 0x2
• name: b'apple.txt\x00\x00\x00\xfd'
• size: 0x6
• date: 0x5379
• time: 0x6cef
• crc: 0x3038
• length: 0x6

This will trip on the valid_name check.

[qkaiser]

Fixed valid_name by moving to this:

# we don't care about the terminating byte (null or unitialized)
snull(name[:-1]).decode("utf-8")

[vlaci]

Yaay, null bytes are valid unicode code points :D