# Unswirl Image ![](/files/SodXh2GorBO82ygnV53P) ### 1. Introduction Imagine you get an Image like this which contains a text. But the image is digitaly distored and you should find a way to made it readable.\ I’ve tried to solve a particular challenge of a CTF Game and the final flag was masked like this :sunglasses: ### 2. The Challenge The challenge contained a file without file extension. It's a pdf file and I'll add it here: {% file src="/files/16aXnhv9JabDL4ora5ko" %} Challenge File {% endfile %} ### 3. Analysis Open that file in a texteditor shows a signature of a pdf file:

A recheck with the tool [TrIDNET](http://mark0.net/soft-tridnet-e.html) confirms that the signature match a pdf file:

The pdf file contains a image with a cartoon character and the text: **I dare you find it!** :smile: ![](/files/x7KfHuOMi51bHjaOjl1m) For the further analysis I've used a free tool called [Winking PDF Analyzer](https://www.winking.be/en/products/pdfanalyzer) A quick view shows that the pdf file contains streams. My assumption was that there is something hidden in that streams and I’ve tried to find a way to decode them.

On [stackoverflow](https://stackoverflow.com/questions/27997930/how-to-decode-a-pdf-stream) I did find a hint howto decode them: > The easiest way to decode a PDF file is to use a tool intended to do it, for example [MuPDF](https://mupdf.com) can do this with „`mutool clean -d `“ will decompress (`-d`) all the compressed streams in a PDF file and write the output to a new PDF file. > > mutool.exe clean -d enigma.pdf enigma\_decoded.pdf As we can see the filesize has changed from 161 KB to 2746 KB!

If I open the decoded pdf file again in Winking PDF Analyzer, I can see a reference of two images:

> mutool.exe extract enigma\_decoded.pdf I’m using again mutool to extract the images of the pdf:

img-005.png is the cartoon, but now let’s see what is **img-004.png** ![](/files/skfT2vXETdEweBC6V0PM) ### 4. Retrieve the flag Sadly I had no plan how to revert that image, but a friend of mine gave me a hint: **What computers can swirl, Computers can unswirl!** In 2007 the police [catched a pedophile](https://thelede.blogs.nytimes.com/2007/10/08/interpol-untwirls-a-suspected-pedophile/) men who tried to mask his identity with a swirl face.

It is possible to revert the image with photoshop or an online image editing tool.

Now we can try to revert the image with [photoshop](https://www.photoshop.com/tools) by choosing the effect distort –> twirl Or using an [online image editor](https://www298.lunapic.com/editor/?action=swirl), which is a much faster way: ![](/files/yl0KAqEKrehDjjRk0rgu) The same can be done with the black image above and we can read the text: ![](/files/AjOJ1zrqMfZl3oOQDQJ1) \
--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://cas-cyber.gitbook.io/cas-cybersecurity/forensic-exercises/image-forensics/unswirl-image.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.