CSAW CTF 2013 | Misc 200 : Deadbeef [Write Up]

This task was some stegano / forensic challenge. A PNG was given : IMG_0707.png. The PNG was corrupted, due to a problem with CRC32, but some image viewers / editors could read it. We could correct the CRC32 in the PNG to have a valid image too, but seeing the image content was not helpful, and classic steganalysis on the pixels (like LSB) didn’t reveal anything.


The problem in the original corrupted PNG was the CRC32 of the IHDR chunk : the CRC32 written in the PNG (right after the IHDR content) was 0xC1D0B3E4, but the calculated CRC32 of the IHDR content was different (0xFCC410A). If correcting the CRC32 didn’t lead us to anything, we had to search for something else. If we just had to correct the CRC, why would the wrong CRC be 0xC1D0B3E4 ? This can’t be a random CRC32. This led us to a new path : what if we had to change the IHDR content to make its CRC correspond to 0xC1D0B3E4 ? Here are the 17 bytes in hex of the IHDR (including chunk name, « IHDR », which is used too in the CRC32 calculation) :

49 48 44 52 : IHDR
00 00 0C C0 : Width
00 00 06 91 : Height
08 : Bit depth
06 : Color type
00 : Compression method
00 : Filter method
00 : Interlace method

So we have to change some bytes to make the CRC32 correct. Let’s start by the beginning : the size of the image (width & height). We may have to change the image size to make something appear… We directly tried to brute-force each size in a range of 0 – 10000 pixels. Here is our brute-force, which surprisingly revealed us another size for the image that would make the CRC32 correct!

    # ask for code

Result: we now just have to change the size of the image. In fact, only the height of the image is changed, so new lines of pixels are added, revealing the flag. Here is the final correct image. Enjoy :D


Laisser un commentaire

Entrez vos coordonnées ci-dessous ou cliquez sur une icône pour vous connecter:

Logo WordPress.com

Vous commentez à l'aide de votre compte WordPress.com. Déconnexion / Changer )

Image Twitter

Vous commentez à l'aide de votre compte Twitter. Déconnexion / Changer )

Photo Facebook

Vous commentez à l'aide de votre compte Facebook. Déconnexion / Changer )

Photo Google+

Vous commentez à l'aide de votre compte Google+. Déconnexion / Changer )

Connexion à %s