Failed Compression

Forensics - 80 Points

I was trying to compress some files, but I think I messed it up?

file: [compressed.zip] (not available)

Writeup

When you try to open the ZIP file, every ZIP programs tell you that it’s not a valid archive file. With an HexEditor we can see that it’s not a ZIP file because it doesn’t have known Magic Byte

$ file compressed.zip
compressed.zip: data

Also I noticed that there were lots of PNG/IHDR signature and JPG/JFIF signature. So I excluded the APNG option and thought that maybe the archive was a concatenation of PNG and JPG files. Unfortunately every file’s header was changed so we extraced with Binwalk the start position and end position of every PNG file (based on IHDRpos -12byte and IENDpos +5byte) and JPEG file (based on JFIFpos -6byte and the JPG EOF 0xFF 0xD9)

So I wrote a script to extract with dd every single image fixing the Magic Byte (loaded from a file).

#!/usr/bin/env python

import sys
import os
import subprocess

def our_dd(i,e,ff):
print i," ",e
n = "src/immagine"+str(i)
h = subprocess.check_output("dd if=compressed.zip of="+n+"1."+ff+" bs=1 skip="+str(i)+" count="+str(e-i), shell=True)
print h
h = subprocess.check_output("cat "+ff+"_magic "+n+"1."+ff+" > "+n+"."+ff+"; rm "+n+"1."+ff, shell=True)
print h


with open("JFIFpos.txt") as f:
jfifpos = f.read().splitlines()
with open("EOFJFIFpos.txt") as f:
eofjfifpos = f.read().splitlines()

c=0
for line in jfifpos:
while True:
start = int(line)-2
end = int(eofjfifpos[c])+2
if end-start > 0:
our_dd(start,end,"jpg")
break
c+=1

with open("IHDRpos.txt") as f:
ihdrpos = f.read().splitlines()
with open("IENDpos.txt") as f:
iendpos = f.read().splitlines()

c=0
for line in ihdrpos:
our_dd(int(line)-8,int(iendpos[c])+5+3,"png")
c+=1

Meme

And finally I found a flag, in the sea of memes Flag