Last Updated: 2017-10-08 23:03:55 UTC
by Didier Stevens (Version: 1)
I had a JPEG file to analyze that would not render properly: image viewers would display an error, but no image.
My new jpegdump tool confirmed that it started with the right JPEG markers, but that the data sizes were wrong:
2576 bytes for an APP0 marker is really large...
Taking a look with a hex editor, I saw that the markers were present, but that the size of the data were wrong.
With re-search, I took a closer look at the markers with their data size:
The size of the data following a marker is encoded with two bytes, big endian notation. And for the first markers in the JPEG file, they all looked too large. Then I noticed that the 3rd byte (e.g. the first byte of the size field) was always 0x0A, were I expected it to be 0x00.
Counting all the bytes reveals that in this file, there were no 0x00 bytes but an unusual large amount of 0x0A bytes:
I formed a hypothesis: somehow, all 0x00 values were replaced by 0x0A values. To test this hypothesis, I replaced all 0x0A values by 0x00 values and parsed the result with jpegdump:
This was indeed a JPEG file. But I could not repair it, as I did not know what 0x0A values were original bytes, and which were replacemnt values for 0x00.
At least I new it was most likely not malicious, but corrupted by some unknown process.