I took a photo at university on a sunny day~~
天気がいい日に大学で写真を撮ったよ
(with a JPEG file, attached to this writeup as problem.jpg)
- Some of the 8x8 blocks in the provided JPEG image have a redundant ZRL just before an EOB.
- If you plot those blocks, a QR code shows up.
- The QR code reads:
Whoa, congratulations! The flag is: TSGCTF{I_understand_JPEG_perf3ctly}
In JPEG encoding, the image is partitioned into 8x8 (= 64 pixels) blocks and each block is transformed by the forward DCT into 64 coefficients. 63 out of the 64 coefficients are called AC coefficients and are encoded with Huffman encoding in the zig-zag sequence. The zig-zag sequence orders coefficients by (roughly) ascending frequency.
In Huffman encoding, coefficients of value zero are treated specially: they are encoded as a run-length of zero coefficients (in 4 bits). If the run-length exceeds 15 (the maximum 4-bit number), a special value ZRL is put which means a run of 16 zero coefficients. In addition, a special value EOB is put when all the remaining coefficients in the block are zero.
Here I noticed that a sequence of ZRL+EOB is just the same as a single EOB. This led me to think that I can embed arbitrary data, corresponding one bit to whether one block has ZRL+EOB or not.
This plots the blocks in the provided JPEG file which have the ZRL+EOB sequence. (patch.diff and solve.js are attached to this writeup)
$ npm install jpeg-js@0.3.5
$ cp node_modules/jpeg-js/lib/decoder.js ./decoder.js
$ patch < patch.diff
$ node solve.js | gnuplot -e "set size square; set terminal png; set output 'plot.png'; plot '-' using 1:(-\$2) pt 5 ps 0.3"Then a QR code shows up (see plot.png). Read it and get the flag.
TSGCTF{I_understand_JPEG_perf3ctly}
There is some noise in the QR code because some blocks had more than 48 non-zero coefficients so I couldn't put a ZRL before an EOB.
