---
title: SharkyCTF 2020 - [Forensic] Romance Dawn (100pts)
author: Maltemo
tags: CTF, sharkyCTF, PNG
---
SharkyCTF 2020 - [Forensic] Romance Dawn (100pts)
===
Written by [Maltemo](https://twitter.com/Maltemo), member of team [SinHack](https://sinhack.blog/).
[TOC]
## Statement of the challenge
### Description
Whoops. It seems Luffy played with my picture and I'm not able to open it anymore. Please help me.
Creator: 2phi
## TL;DR
The challenge consisted in replacing all chunks header called EASY by IDAT to repair the png file.
## Analyze
A png file was attached with this challenge : `7uffy.png`.
The first thing I want to check is if the [magic number](https://en.wikipedia.org/wiki/Magic_number_(programming)) of the file hasn't been changed.
For this, lets just check the type of file :
```bash=
file 7uffy.png
7uffy.png: PNG image data, 1113 x 885, 8-bit/color RGBA, non-interlaced
```
Nice, so the problem isn't coming from there.
There is a tool to help debug PNG errors : `pngcheck`.
Let's use it :
```
pngcheck 7uffy.png
7uffy.back illegal (unless recently approved) unknown, public chunk EASY
ERROR: 7uffy.png
```
So the problem is coming from the fact that a header chunk has been changed by the value `EASY`.
The only thing we will need to repair is replacing EASY by the correct chunk header names.
Let's take a look into the hexadecimal of the file :
```
xxd 7uffy.png | head
00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452 .PNG........IHDR
00000010: 0000 0459 0000 0375 0806 0000 00a4 5424 ...Y...u......T$
00000020: fd00 0000 0662 4b47 4400 0000 0000 00f9 .....bKGD.......
00000030: 43bb 7f00 0000 0970 4859 7300 000b 1300 C......pHYs.....
00000040: 000b 1301 009a 9c18 0000 0007 7449 4d45 ............tIME
00000050: 07e4 031a 002d 0960 f3dc 5400 0000 1d69 .....-.`..T....i
00000060: 5458 7443 6f6d 6d65 6e74 0000 0000 0043 TXtComment.....C
00000070: 7265 6174 6564 2077 6974 6820 4749 4d50 reated with GIMP
00000080: 642e 6507 0000 2000 4541 5359 78da ecdd d.e... .EASYx...
00000090: 4f8c 65c7 5d2f f0ba dd3d 33b6 e321 2f10 O.e.]/...=3..!/.
```
We already can spot that the EASY chunks are after the main headers of the PNG file (IHDR,pHYs), so we can asume that those headers were the IDAT header chunks.
In addition, the length of the chunk of data is `0000 2000` is common for a IDAT chunk.
:::info
If you want to learn more about challenges with PNG to repair, checkout those other write-ups of mine :
* https://maltemo.github.io/write-ups/picoCTF_2019_Forensic_c0rrupted.html
* https://maltemo.github.io/write-ups/peaCTF_2019_Forensic_We_are_Extr.html
* https://maltemo.github.io/write-ups/peaCTF_2019_Forensic_Song_of_My_People.html#Step-2--Correcting-the-PLTE-length-of-the-PNG-file
* https://maltemo.github.io/write-ups/peaCTF_2019_Forensic_Guillotine.html
There are more detailed explanations about the structure of a PNG file.
:::
The last part will be the editing of the PNG data.
I will use `bless` to edit the file, but you can use other editors like `hexeditor`.
```
bless 7uffy.png
```
![](https://i.imgur.com/claqIi1.png)
And then just replace all `EASY` data headers by `IDAT` (there were mutliples).
After editing, let's check if the file is correctly constructed with `pngcheck` :
```
pngcheck 7uffy.png
OK: 7uffy.png (1113x885, 32-bit RGB+alpha, non-interlaced, 99.3%).
```
Let's open it :
![](https://i.imgur.com/nb7xStJ.png)
:::success
And BOOM, we got the flag : The flag is __shkCTF{7uffy\_1s\_pr0ud\_0f\_y0u\_0a2a9795f0bdf8d17e4}__.
:::
## Flag
The flag is __shkCTF{7uffy\_1s\_pr0ud\_0f\_y0u\_0a2a9795f0bdf8d17e4}__
___
<a rel="license" href="http://creativecommons.org/licenses/by-nc-nd/4.0/"><img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by-nc-nd/4.0/88x31.png" /></a><br />This work is licensed under a <a rel="license" href="http://creativecommons.org/licenses/by-nc-nd/4.0/">Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License</a>.