# Unswirl Image ![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F4PijZFaXU0DTuBT1nDtG%2Ftwirl_example_1.png?alt=media\&token=749ab0e6-5a90-4c0a-a4c0-4fc651c1058f) ### 1. Introduction Imagine you get an Image like this which contains a text. But the image is digitaly distored and you should find a way to made it readable.\ I’ve tried to solve a particular challenge of a CTF Game and the final flag was masked like this :sunglasses: ### 2. The Challenge The challenge contained a file without file extension. It's a pdf file and I'll add it here: {% file src="" %} Challenge File {% endfile %} ### 3. Analysis Open that file in a texteditor shows a signature of a pdf file:

A recheck with the tool [TrIDNET](http://mark0.net/soft-tridnet-e.html) confirms that the signature match a pdf file:

The pdf file contains a image with a cartoon character and the text: **I dare you find it!** :smile: ![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FamRTrMecEWeg3Dv6dgGE%2Fpdf.PNG?alt=media\&token=889d60a9-ea08-4f0e-8e6f-21790699b10e) For the further analysis I've used a free tool called [Winking PDF Analyzer](https://www.winking.be/en/products/pdfanalyzer) A quick view shows that the pdf file contains streams. My assumption was that there is something hidden in that streams and I’ve tried to find a way to decode them.

On [stackoverflow](https://stackoverflow.com/questions/27997930/how-to-decode-a-pdf-stream) I did find a hint howto decode them: > The easiest way to decode a PDF file is to use a tool intended to do it, for example [MuPDF](https://mupdf.com) can do this with „`mutool clean -d `“ will decompress (`-d`) all the compressed streams in a PDF file and write the output to a new PDF file. > > mutool.exe clean -d enigma.pdf enigma\_decoded.pdf As we can see the filesize has changed from 161 KB to 2746 KB!

If I open the decoded pdf file again in Winking PDF Analyzer, I can see a reference of two images:

> mutool.exe extract enigma\_decoded.pdf I’m using again mutool to extract the images of the pdf:

img-005.png is the cartoon, but now let’s see what is **img-004.png** ![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FXnrW7WsFiffFsqioARdJ%2FPage-1-Image-1.png?alt=media\&token=55795c4b-f3a6-4a3f-9cda-a25d07d2a55a) ### 4. Retrieve the flag Sadly I had no plan how to revert that image, but a friend of mine gave me a hint: **What computers can swirl, Computers can unswirl!** In 2007 the police [catched a pedophile](https://thelede.blogs.nytimes.com/2007/10/08/interpol-untwirls-a-suspected-pedophile/) men who tried to mask his identity with a swirl face.

It is possible to revert the image with photoshop or an online image editing tool.

Now we can try to revert the image with [photoshop](https://www.photoshop.com/tools) by choosing the effect distort –> twirl Or using an [online image editor](https://www298.lunapic.com/editor/?action=swirl), which is a much faster way: ![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2Fby6HobcBgfAaLdNViZhA%2Fdecode4.PNG?alt=media\&token=f73cc0bb-5e3c-400c-87b3-15d1bb53b127) The same can be done with the black image above and we can read the text: ![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FAFAXtfsUgZW7IJL3djWP%2F155430525967832887.png?alt=media\&token=fc59c766-ee7c-43cb-b09b-fb1071133938) \