Category: Forensics
File: sigmatour-image.jpg
Flag: scsc26{r3c0v3r_f!l3_s19n4tur3s}
Description
A JPEG image file that appears to be corrupted and cannot be opened.
Analysis
Examining the file header reveals the corruption:
$ xxd sigmatour-image.jpg | head -300000000: ff00 0000 0000 0000 4946 0001 0100 0001 ........IF......00000010: 0001 0000 ffdb 0043 0002 0101 0101 0102 .......C........00000020: 0101 0102 0202 0202 0403 0101 0102 0504 ................The file starts with FF 00 00 00 00 00 00 00 but a valid JPEG/JFIF file should start with:
-
FF D8- JPEG SOI (Start of Image) marker -
FF E0- APP0 marker (JFIF) -
00 10- Length of APP0 segment (16 bytes) -
4A 46 49 46- “JFIF” identifier
Notice that 49 46 (“IF” from “JFIF”) is still present at offset 8, confirming this is a corrupted JFIF header.
Solution
Restore the correct JPEG/JFIF file signature:
# Method 1: Using printf and dd$ cp sigmatour-image.jpg fixed.jpg$ printf '\xff\xd8\xff\xe0\x00\x10\x4a\x46' | dd of=fixed.jpg bs=1 count=8 conv=notrunc
# Method 2: Using Python$ python3 -c "with open('sigmatour-image.jpg', 'rb') as f: data = bytearray(f.read())
# Fix JFIF header (bytes 0-7)data[0:8] = b'\xff\xd8\xff\xe0\x00\x10\x4a\x46'
with open('fixed.jpg', 'wb') as f: f.write(data)"
# Verify the fix$ file fixed.jpgfixed.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 2848x1600, components 3After fixing the header, open the image - the flag is displayed visually within the image itself.
File Signature Reference
Format Magic Bytes (Hex) ASCII
JPEG/JFIF
FF D8 FF E0 xx xx 4A 46 49 46
ÿØÿà..JFIF
JPEG/EXIF
FF D8 FF E1 xx xx 45 78 69 66
ÿØÿá..Exif
PNG
89 50 4E 47 0D 0A 1A 0A
.PNG…
GIF
47 49 46 38
GIF8