From 3cd1572bddab55119240bdd7c62bb9e06f9c8f4b Mon Sep 17 00:00:00 2001 From: Raj <76973361+devilamongus@users.noreply.github.com> Date: Fri, 25 Jun 2021 15:57:12 +0530 Subject: [PATCH] Update readme.md --- Forensics/87kB Magic/readme.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Forensics/87kB Magic/readme.md b/Forensics/87kB Magic/readme.md index 2f28f14..ec0a3a9 100644 --- a/Forensics/87kB Magic/readme.md +++ b/Forensics/87kB Magic/readme.md @@ -9,10 +9,14 @@ Author: SolvedPack#1949 Using "pngcheck" on the png file gives "additional data after IEND chunk" which means there is some data appended to the png file. Now use "binwalk" which searches for file header and footer bytes (aka magic numbers) and outputs the list of files it found. The output it gives is: DECIMAL HEXADECIMAL DESCRIPTION + 0 0x0 PNG image, 850 x 500, 8-bit colormap, non-interlaced + 157 0x9D Zlib compressed data, best compression + 87211 0x154AB End of Zip archive + (Ignore the Zlib line as that is the part of the png image compression) This shows that it recognized the footer bytes of a zip file, which means there is a zip file appended to the png. Notice that the program didn't find the header bytes which means they are corrupted(or edited). Reading online about png file reveals that the png files end with "IEND" in ascii or "49 45 4e 44 ae 42 60 82" in hex. Also, in the start "pngcheck" said it found data after "IEND" chunk. So we just need to edit the bytes of plank.png (use any hex editor) and type in the correct zip header (50 4B 03 04) after the "IEND" bytes. After that use "binwalk -e plank.png" in the terminal and it should extract the zip file into a new directory. Open the directory, unzip the file and the flag will be in the .txt file.
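Review bot: The binwalk output in this hunk (the `DECIMAL HEXADECIMAL DESCRIPTION` header and the rows at offsets 0, 157 and 87211) is written as ordinary Markdown text, so the columns will not stay aligned when rendered. Wrapping the header and the three rows in a fenced code block would keep the table readable and mark it clearly as tool output, with the "(Ignore the Zlib line ...)" remark left outside the fence as a normal sentence. Separately, the step that says to "type in the correct zip header (50 4B 03 04) after the "IEND" bytes" should state whether those four bytes overwrite the corrupted header bytes already there or are inserted before them, since the two edits produce different files.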