Лаборатория TJCTF 2016 - corruption [forensics 130]

delimitry
, 1 июня 2016

Have a free flag! It might have gotten corrupted in transmission, but that shouldn't be a problem for you. Right?

Corrupted PNG file is given.
No width, height, bit depth, color type in IHDR chunk, all IDAT chunks' lengths are currupted too.

I've decided to decode each IDAT chunks and save as BMP :)
My teammate Progressor also was solving this task, but in another way.
He fixed all chunks and got the next image:



But it is hard to see the flag here.
Here is my code to decode and save all IDAT chunks to BMP:

import zlib
import struct


d = zlib.decompressobj()

with open('corrupted_a73df730c202ea0aa636bb607cf52a98d40462f15447927085bb948495e1b187.png', 'rb') as f:
    data = f.read()

num = 0
all_data = ''

while True:
    idat_pos = data.find('IDAT')
    if idat_pos < 0:
        break
    data = data[idat_pos + 4:]
    all_data += data[:8200 - 8]
    num += 1

image_width = 800 - 1
image_height = 440
bits_per_pixel = 24

# bitmap file header
bmp_data = 'BM'
bmp_data += struct.pack('i', 26 + bits_per_pixel / 8 * image_width * image_height)
bmp_data += struct.pack('h', 0) # reserved
bmp_data += struct.pack('h', 0) # reserved
bmp_data += struct.pack('i', 26) # offset

# bitmap header (BITMAPCOREHEADER)
bmp_data += struct.pack('i', 12) # size of this header (12 bytes)
bmp_data += struct.pack('h', image_width) # width
bmp_data += struct.pack('h', image_height) # height
bmp_data += struct.pack('h', 1) # number of color planes, must be 1
bmp_data += struct.pack('h', bits_per_pixel) # bits per pixel

try:
    dec = d.decompress(all_data[:-10])
    bmp_data += ''.join(x if ord(x) < 200 else '\x00' for x in dec[::1])
except Exception as ex:
    print ex

with open('corrupt.bmp', 'wb') as f:
    f.write(bmp_data)

Width and height values were found experimentally.

My file after vertical flip:

After some filtering of image I've discerned a flag:
tjctf{c0rruption? wh4t corrupt10n?}

4 комментария:

  1. Progressor
       #   21:11, 1 июня 2016

    Width and height were also recovered from IDUT chunks. The number of bytes in all IDAT chuncks is 1056440 and it should be equal to height *( width*bytes_in_pixel +1). Assuming bytes_in_pixel=3 (most common case), I looked thru all possible values of height/width (a few dozens). The most beautiful combination was 800x440, and I put these values in IHDR.

  2. ChasTume
       #   19:27, 24 мая 2017
    Cialis Generique Mastercard Compra Kamagra Online Buy Propecia Ireland Probiotic Supplement Amoxicillin How Much Is Viagra Chlamydia Medication Mail Farmaci Con Dapoxetina Generic Cialis Usa Purchase Propecia Comparison Unsecured you specifying send agree the be quotes secured circumstances.Phone Arlington TX The video begins by a waterfront scene where two people a woman and a man who introduce themselves as Madison Clark and David Graham. need money now Illegal alcohol permeates Ugandan people and economy exacerbating poverty and chronic illness among the population Posters in the office of the Buliisa Initiative for Rural Development Organisation BIRUDO advocate for transparency and environmental safety in western Ugandas developing oil industry.Cialisenespanol.Colim Generic For Cialis Cialis Tadalafil Buy Online Celecoxib 200 Mg Price Best Zoloft Online Canadian Pharmacy Alli Cheapest Price Doxycycline Shop Need To Order Cialis Buy Viagranext Day Delivery Online Pharamacy Buy Kamagra Oral Jelly Online Amoxicillin Highs Cialis Generic Non Prescription Buy Implicane Online Vente Cialis Generique Baby Diahrea And Gas Amoxicillin Mail Order Zoloft Amoxicillin And Hiccups Cialis Generico Espana Contrareembolso Cheap Viagra Sales Cialis 5 Mg Composizione Procalis Levitra Cialis Cheap Numeros De Propecia Propecia Generic California Prices Cialis Kamagra Quick Coupon
  3. DarinFrard
       #   17:42, 11 августа 2017
    http://revia.phartesdomusa.org buy revia 30mg
  4. ReviaPef
       #   00:44, 13 августа 2017
    http://phartesdomusa.org/ buy revia generic naltrexone

Авторизуйтесь, что бы оставить комментарий