DeconstruCT.F 2023 - Magicplay
Description
Category: Forensic
Dwayne’s mischievous nephew played around in his PC and corrupted a very important file.. Help Dwayne recover it!
Resolution
Here we have a corrupted PNG file and we need to fix it.
Throughout the challenge, we use pngcheck to find the errors, ImHex to edit the file’s bytes, and the PNG Specification to work out how to fix each error.
1. PNG Header
First error:
$ pngcheck -v magic_play.png
File: magic_play.png (250137 bytes)
this is neither a PNG or JNG image nor a MNG stream
ERRORS DETECTED in magic_play.png
This error occurs when the file header (the PNG signature) is not correct.
A PNG file always starts with these eight bytes: 89 50 4E 47 0D 0A 1A 0A.
2. PNG chunks name
The next error is:
$ pngcheck -v magic_play.png
File: magic_play.png (250137 bytes)
invalid chunk name "I0NR" (49 30 4e 52)
ERRORS DETECTED in magic_play.png
The chunk name is not valid. According to the PNG Specification, the valid chunk name closest to the one we have is IHDR.
Next error:
$ pngcheck -v magic_play.png
File: magic_play.png (250137 bytes)
chunk IHDR at offset 0x0000c, length 13
1225 x 618 image, 32-bit RGB+alpha, non-interlaced
invalid chunk name "s�GB" (73 ffffffe6 47 42)
ERRORS DETECTED in magic_play.png
Again the chunk name is corrupted. The real chunk name closest to the one we have is sRGB.
Another chunk name error:
$ pngcheck -v magic_play.png
File: magic_play.png (250137 bytes)
chunk IHDR at offset 0x0000c, length 13
1225 x 618 image, 32-bit RGB+alpha, non-interlaced
chunk sRGB at offset 0x00025, length 1
rendering intent = perceptual
invalid chunk name "gAe5" (67 41 65 35)
ERRORS DETECTED in magic_play.png
We replace it with the closest valid name, gAMA.
Now we should be able to open the image (the last error doesn’t matter):
$ pngcheck -v magic_play.png
File: magic_play.png (250137 bytes)
chunk IHDR at offset 0x0000c, length 13
1225 x 618 image, 32-bit RGB+alpha, non-interlaced
chunk sRGB at offset 0x00025, length 1
rendering intent = perceptual
chunk gAMA at offset 0x00032, length 4: 0.45455
chunk hHYs at offset 0x00042, length 9: illegal (unless recently approved) unknown, public chunk
ERRORS DETECTED in magic_play.png
And we get the flag: dsc{COrrupt3d_M4g1C_f1Ag}.
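The manual fixes above can be scripted. This is an added example, not part of the original writeup: it goes one step further than picking the name that "looks closest" by confirming each candidate against the chunk's stored CRC-32, which the PNG format computes over the chunk type plus data. The function names, the 1x1 sample image and the zeroed signature are constructed assumptions.

```python
import struct
import zlib

PNG_SIG = bytes.fromhex("89504E470D0A1A0A")
# Chunk types defined by the PNG specification.
KNOWN = [b"IHDR", b"PLTE", b"IDAT", b"IEND", b"sRGB", b"gAMA", b"pHYs", b"cHRM",
         b"iCCP", b"sBIT", b"bKGD", b"hIST", b"tRNS", b"tIME", b"tEXt", b"zTXt", b"iTXt"]

def chunk(ctype, data):
    """Serialize one chunk: length, type, data, CRC-32 computed over type + data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def recover_name(name, data, crc):
    """Rank known types by bytes shared with `name`; return the first one whose
    CRC-32 over type + data equals the stored CRC, or None if nothing fits."""
    ranked = sorted(KNOWN, key=lambda k: -sum(a == b for a, b in zip(k, name)))
    return next((k for k in ranked if zlib.crc32(k + data) == crc), None)

def repair(blob):
    """Return (repaired_bytes, log) with the signature and chunk names restored."""
    log = [] if blob[:8] == PNG_SIG else ["signature restored"]
    out, pos = bytearray(PNG_SIG), 8
    while pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        end = pos + 12 + length
        if end > len(blob):  # length field is damaged or the file is truncated
            log.append(f"truncated chunk at offset {pos:#x}")
            break
        name, data = blob[pos + 4:pos + 8], blob[pos + 8:end - 4]
        (crc,) = struct.unpack(">I", blob[end - 4:end])
        if name not in KNOWN:
            fixed = recover_name(name, data, crc)
            log.append(f"{name!r} at {pos + 4:#x} -> {fixed!r}")
            name = fixed or name  # keep the original bytes when nothing verifies
        out += struct.pack(">I", length) + name + data + struct.pack(">I", crc)
        pos = end
    return bytes(out + blob[pos:]), log  # unparsed tail is copied through unchanged

def sample():
    """Constructed 1x1 RGBA PNG plus a copy damaged like the challenge file."""
    good = PNG_SIG + b"".join(chunk(t, d) for t, d in [
        (b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)),
        (b"sRGB", b"\x00"), (b"gAMA", struct.pack(">I", 45455)),
        (b"pHYs", struct.pack(">IIB", 3780, 3780, 1)),
        (b"IDAT", zlib.compress(b"\x00\x00\x00\x00\xff")), (b"IEND", b"")])
    bad = b"\x00" * 8 + good[8:]  # assumption: how the signature was damaged
    for ok, broken in [(b"IHDR", b"I0NR"), (b"sRGB", b"s\xe6GB"), (b"gAMA", b"gAe5"), (b"pHYs", b"hHYs")]:
        bad = bad.replace(ok, broken)
    return good, bad
```

If `recover_name` returns None, the chunk data or CRC is damaged as well, and the name has to be chosen by inspection as in the steps above.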