Your procedure is flawed in that you failed to do a control test to see what would happen if you applied the attack process to an image that had not been watermarked (or which had been watermarked with a constant image)
Your attack is affecting the entire watermarked image, including the bits used to encode the watermark. When you dct2 the attacked image, you are not going to extract the hidden coefficients: you might extract at the proper location but the values have been blurred. Your hiding process depends upon the premise that the attack will not be severe enough to make the extracted coefficients unrecognizable -- but what if the attack is sufficiently severe? Then your extracted image might not be good enough. If you had tested with a constant image (all zero for example) then you would probably have observed that the image that came out looked a fair bit like the cover image.
It is impossible to embed an image well enough to make it recoverable from all attacks -- since, after all, the attack could change most every bit of the image, making it a different image of the same size. So every embedding is limited. Your attack is too strong for your embedding scheme, and you did not plan for what the result might look like in that case so you thought you were getting the original image out.
There are other embedding schemes that can stand up to more. For example you can put the data to be embedded through an Error Correcting Code. Or you could embed the same data multiple times and when you recover, have the copies "vote" as to what the correct bit is.
Best Answer