forensicsfreeeasy

Thomas Schools of China

tjctf

Task: reverse-engineer a custom image format (.tsc/TSCF) and extract a flag hidden in pixel RGB values. Solution: parse the 17-byte header to get dimensions (60×61), render 4-byte RGBX pixels, then find pixels where all three channels are printable ASCII (32–126) with distinct values — each encodes 3 flag characters.

$ ls tags/ techniques/

steganography image_forensics custom_file_format pixel_art ascii_in_pixels

custom_format_reverse_engineeringascii_channel_value_extractionpixel_filtering

$ cat /etc/rate-limit

Rate limit reached (20 reads/hour per IP). Showing preview only — full content returns at the next hour roll-over.

Thomas Schools of China — TJCTF 2026

Description

I infiltrated our rival counterpart in china and found this file on one of the computers... never heard of this filetype before... hm.

A 14657-byte file chall.tsc with an unknown/custom format. The file command identifies it only as "data". The goal is to reverse-engineer the file format and extract the hidden flag.

Analysis

TSCF File Format Structure

The file begins with magic bytes TSCF ("Thomas Schools of China File"). The complete header is 17 bytes:

Offset	Size	Field	Value
0–3	4 bytes	Magic	`TSCF` (0x54 0x53 0x43 0x46)
4–7	uint32 LE	Version	1
8–11	uint32 LE	Width	60 (0x0000003c)
12–13	uint16 LE	Height	61 (0x003d)
14–15	uint16 LE	Format/flags	0x0005
16	uint8	Unknown	0x39

Pixel data starts at offset 17. Total pixel data: 14640 bytes = 3660 pixels × 4 bytes per pixel. Each pixel is stored as R G B 0x00 — the 4th byte is always zero (padding).

Image dimensions: 60 × 61 = 3660 pixels — matches exactly.

Rendered Image

The image shows a pixel-art goose/duck on a mint green background (RGB 219, 233, 204). The goose has white body pixels (255, 255, 255), black outline (0, 0, 0), and various gray tones.

Flag Hiding Technique

The flag is NOT hidden via traditional LSB steganography. Instead, specific pixels have their R, G, B channel values set to printable ASCII character codes (range 32–126), with each pixel encoding 3 characters of the flag (one per channel: chr(R) + chr(G) + chr(B)).

...

$ grep --similar

Similar writeups

[forensics][free]Triplets— tjctf
[reverse][Pro]Nava - ASIS CTF Reverse Challenge— ASIS CTF
[forensics][free]Obscure Crusher 1— tjctf
[crypto][free]stained-glass— tjctf
[reverse][free]rotated— tjctf