DeconstruCT.F 2023 - Magicplay

Description

Category: Forensic

Dwayne’s mischievous nephew played around in his PC and corrupted a very important file. Help Dwayne recover it!

magic_play.png

Resolution

Here we have a corrupted PNG file and we need to fix it.

Throughout the challenge, we use pngcheck to find errors, ImHex to edit the file’s bytes, and the PNG Specification to work out how to fix those errors.

1. PNG Header

First error:

$ pngcheck -v magic_play.png 
File: magic_play.png (250137 bytes)
  this is neither a PNG or JNG image nor a MNG stream
ERRORS DETECTED in magic_play.png

This error occurs when the file header (the PNG signature) is not correct.

PNG files always start with these eight bytes: 89 50 4E 47 0D 0A 1A 0A:

PNG Signature

2. PNG chunks name

The next error is:

$ pngcheck -v magic_play.png
File: magic_play.png (250137 bytes)
  invalid chunk name "I0NR" (49 30 4e 52)
ERRORS DETECTED in magic_play.png

The chunk name is not valid. According to the PNG Specification, the valid chunk name closest to the one we have is IHDR:

IHDR Chunk

Next error:

$ pngcheck -v magic_play.png 
File: magic_play.png (250137 bytes)
  chunk IHDR at offset 0x0000c, length 13
    1225 x 618 image, 32-bit RGB+alpha, non-interlaced
  invalid chunk name "s�GB" (73 ffffffe6 47 42)
ERRORS DETECTED in magic_play.png

Again the chunk name is corrupted. The valid chunk name closest to the one we have is sRGB:

sRGB chunk

Another chunk name error:

$ pngcheck -v magic_play.png 
File: magic_play.png (250137 bytes)
  chunk IHDR at offset 0x0000c, length 13
    1225 x 618 image, 32-bit RGB+alpha, non-interlaced
  chunk sRGB at offset 0x00025, length 1
    rendering intent = perceptual
  invalid chunk name "gAe5" (67 41 65 35)
ERRORS DETECTED in magic_play.png

We replace it with the closest valid name, gAMA:

gAMA

Now we should be able to open the image (the last error doesn’t matter):

$ pngcheck -v magic_play.png 
File: magic_play.png (250137 bytes)
  chunk IHDR at offset 0x0000c, length 13
    1225 x 618 image, 32-bit RGB+alpha, non-interlaced
  chunk sRGB at offset 0x00025, length 1
    rendering intent = perceptual
  chunk gAMA at offset 0x00032, length 4: 0.45455
  chunk hHYs at offset 0x00042, length 9:  illegal (unless recently approved) unknown, public chunk
ERRORS DETECTED in magic_play.png

repaired

And we get the flag: dsc{COrrupt3d_M4g1C_f1Ag}.
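The manual fixes above can be automated. Each chunk's CRC covers its type and data, so the correct name is the one that makes the stored CRC validate. The sketch below is an added example, not part of the original write-up. It assumes lengths, data and CRCs are intact. The sample file is constructed, and treating hHYs as a damaged pHYs is an assumption.

```python
import struct
import zlib

PNG_SIG = bytes.fromhex("89504e470d0a1a0a")
# Standard chunk types to try (critical chunks plus common ancillary ones).
KNOWN = [b"IHDR", b"PLTE", b"IDAT", b"IEND", b"sRGB", b"gAMA", b"pHYs", b"cHRM",
         b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"tIME", b"tRNS", b"sBIT", b"iCCP"]

def repair_png(blob):
    """Restore the signature and chunk types confirmed by the stored CRC.
    Assumes only signature and type fields are damaged. Returns (bytes, log)."""
    out, log, pos = bytearray(PNG_SIG), [], 8
    if blob[:8] != PNG_SIG:
        log.append("signature restored")
    while pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        end = pos + 12 + length
        if end > len(blob):
            log.append(f"bad length at 0x{pos:x}, stopping")
            break
        ctype, data = blob[pos + 4:pos + 8], blob[pos + 8:end - 4]
        (crc,) = struct.unpack(">I", blob[end - 4:end])
        if zlib.crc32(ctype + data) != crc:
            # The CRC covers type + data, so the right name is the one that validates it.
            fixed = next((k for k in KNOWN if zlib.crc32(k + data) == crc), None)
            if fixed:
                log.append(f"0x{pos + 4:x}: {ctype!r} -> {fixed.decode()}")
                ctype = fixed
            else:
                log.append(f"0x{pos + 4:x}: {ctype!r} CRC mismatch, left as is")
        out += blob[pos:pos + 4] + ctype + blob[pos + 8:end]
        pos = end
    return bytes(out) + blob[pos:], log

def _chunk(true_type, data, stored_type=None):
    # CRC is computed over the true type; stored_type simulates a corrupted name.
    crc = struct.pack(">I", zlib.crc32(true_type + data))
    return struct.pack(">I", len(data)) + (stored_type or true_type) + data + crc

def make_sample():
    """Constructed 1x1 RGBA PNG with a bad signature and the bad names from pngcheck."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    idat = zlib.compress(b"\x00" + bytes(4))  # filter byte + one RGBA pixel
    return (b"\x89PNX\r\n\x1a\n" + _chunk(b"IHDR", ihdr, b"I0NR")
            + _chunk(b"sRGB", b"\x00", b"s\xe6GB")
            + _chunk(b"gAMA", struct.pack(">I", 45455), b"gAe5")
            + _chunk(b"pHYs", struct.pack(">IIB", 3779, 3779, 1), b"hHYs")
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))
```

Calling `repair_png(make_sample())` returns the repaired bytes and a log of each rename, with the same chunk-type offsets pngcheck prints (0xc, 0x25, 0x32, 0x42).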

This post is licensed under CC BY 4.0 by the author.