# Part 1 : Subliminal advertising

## Overview of file
First of all we download the provided file which has the extension .apng.
Quick search on the internet to find out it is an animated png file. Let's try to open it with a browser : ideed, it is a space ship rotating.

By making some quick commands (strings / exif) we find out no hidden information can be found in this file.

## Splitting the APNG file
Let's split it into the different png images. To do this we use the tool APNG Disassember (sudo apt-get install apngdis)

First step is to put the apng file into a folder, there is no possibility to extract to a selected directory.
Then we send the command :

`apngdis ugo.apng`

We get 61 different images, that might take a while...

## Getting the flag

We scroll through the images using the picture viewer of our kali linux and we find out the 2 last images are the same. Or they seem to be the same.
On the 60th one we have additional pixels on the right side of the starship.

-----


-----

We zoom in and find out the flag. We shouln't zoom too much or it will be unreadable :

> CTF{4d115cb1c0a42cecac7899eee584dbcb}

# Part 2 : Space Time

The description of this second parts talks about supporting spacetime. As it is an animated PNG maybe the time between two images is configurable ?
Let's find out by looking at the APNG specification :[APNG Specification](https://wiki.mozilla.org/APNG_Specification#Structure)

In the specification we found out the fcTL Chunk (Frame Control Chunk) and the following structure of the chunk :

| byte | Name | Type | Description
| -------- | -------- | -------- | --------
| 0 | sequence_number | (unsigned int) | Sequence number of the animation chunk, starting from 0
| 4 | width | (unsigned int) | Width of the following frame
| 8 | height | (unsigned int) | Height of the following frame
| 12 | x_offset | (unsigned int) | X position at which to render the following frame
| 16 | y_offset | (unsigned int) | Y position at which to render the following frame
| 20 | delay_num | (unsigned short)| Frame delay fraction numerator
| 22 | delay_den | (unsigned short)| Frame delay fraction denominator
| 24 | dispose_op | (byte) | Type of frame area disposal to be done after rendering this frame
| 25 | blend_op | (byte) | Type of frame area rendering for this frame

-----

We have on bytes 20 and 22 the "Frame delay".
Let's look at theses bytes inside the ugo.apng file using a hex reader.
In order to have an easy reading we know that :
* height = 00 00 0B 40
* x_offset = 00 00 00 00
* y_offset = 00 00 00 00

So by searching (with Ctrl+F) the bytes : 00 00 0B 40 00 00 00 00 00 00 00 00 we can easily get the bytes delay_num and delay_den.
At first we see the delay_num is always equal to 00 5F but as we scroll we find out some bytes are modified.

-----


-----

We then get all the bytes of the delay_num information which are between 43 ("C" in ascii) and 7D ("}" in ascii) :

> 43 54 46 7B 73 75 62 6C 69 6D 69 6E 61 6C 5F 73 70 61 63 65 74 69 6D 65 5F 6D 65 73 73 61 67 65 73 7D

We transform theses bytes into ascii characters to get the second flag

> CTF{subliminal_spacetime_messages}