{"id":457,"date":"2019-04-04T14:17:23","date_gmt":"2019-04-04T13:17:23","guid":{"rendered":"https:\/\/cybercop-training.ch\/?p=457"},"modified":"2019-04-04T14:21:07","modified_gmt":"2019-04-04T13:21:07","slug":"unswirl-an-image","status":"publish","type":"post","link":"https:\/\/cybercop-training.ch\/?p=457","title":{"rendered":"Unswirl an Image"},"content":{"rendered":"<p>Imagine you get an image like this, which contains text. But the image is digitally distorted and you should find a way to make it readable.<\/p>\n<p>I&#8217;ve tried to solve a particular challenge of a CTF game, and the final flag was masked like this.<\/p>\n<h1>Let&#8217;s start<\/h1>\n<p>I had to download a file called enigma without a file extension.<\/p>\n<p>Opening that file in a text editor shows the signature of a PDF file.<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/signture.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-460\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/signture.png\" alt=\"\" width=\"557\" height=\"198\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/signture.png 557w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/signture-300x107.png 300w\" sizes=\"auto, (max-width: 557px) 100vw, 557px\" \/><\/a><\/p>\n<p>A recheck with the tool <a href=\"http:\/\/mark0.net\/soft-tridnet-e.html\" target=\"_blank\" rel=\"noopener noreferrer\">TrIDNET<\/a> confirms that it is a PDF file.<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/signture2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-461\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/signture2.png\" alt=\"\" width=\"494\" height=\"367\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/signture2.png 494w, 
https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/signture2-300x223.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/signture2-80x60.png 80w\" sizes=\"auto, (max-width: 494px) 100vw, 494px\" \/><\/a><\/p>\n<p>Let&#8217;s add the file extension pdf and open the file.<\/p>\n<p>The PDF file contains an image with a cartoon character and the text: <strong>I dare you find it! \ud83d\ude42<\/strong><\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/pdf.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-462\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/pdf.png\" alt=\"\" width=\"951\" height=\"833\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/pdf.png 951w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/pdf-300x263.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/pdf-768x673.png 768w\" sizes=\"auto, (max-width: 951px) 100vw, 951px\" \/><\/a><\/p>\n<h1>Finding Secrets<\/h1>\n<p>For further analysis I used a free tool called <a href=\"https:\/\/www.winking.be\/en\/products\/pdfanalyzer\" target=\"_blank\" rel=\"noopener noreferrer\">Winking PDF Analyzer<\/a><\/p>\n<p>A quick view shows that the PDF file contains streams. 
My assumption was that there is something hidden in those streams, and I&#8217;ve tried to find a way to decode them.<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/analyze1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-464\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/analyze1.png\" alt=\"\" width=\"601\" height=\"529\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/analyze1.png 601w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/analyze1-300x264.png 300w\" sizes=\"auto, (max-width: 601px) 100vw, 601px\" \/><\/a><\/p>\n<p>On <a href=\"https:\/\/stackoverflow.com\/questions\/27997930\/how-to-decode-a-pdf-stream\" target=\"_blank\" rel=\"noopener noreferrer\">Stack Overflow<\/a> I found a hint on how to decode them:<\/p>\n<blockquote><p>The easiest way to decode a PDF file is to use a tool intended to do it, for example <a href=\"https:\/\/mupdf.com\" target=\"_blank\" rel=\"noopener noreferrer\">MuPDF<\/a> can do this with &#171;<code>mutool clean -d &lt;input pdf file&gt; &lt;output PDF file&gt;<\/code>&#187; will decompress (<code>-d<\/code>) all the compressed streams in a PDF file and write the output to a new PDF file.<\/p>\n<p>mutool.exe clean -d enigma.pdf enigma_decoded.pdf<\/p><\/blockquote>\n<p>As we can see, the file size has changed from 161 KB to 2756 KB.<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/decode1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-466\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/decode1.png\" alt=\"\" width=\"675\" height=\"300\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/decode1.png 675w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/decode1-300x133.png 300w\" sizes=\"auto, (max-width: 675px) 100vw, 675px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><a 
href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/analyze2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-467\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/analyze2.png\" alt=\"\" width=\"468\" height=\"258\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/analyze2.png 468w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/analyze2-300x165.png 300w\" sizes=\"auto, (max-width: 468px) 100vw, 468px\" \/><\/a><\/p>\n<p>If I open the decoded PDF file again in Winking PDF Analyzer, I can see references to two images:<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/analyze3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-469\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/analyze3.png\" alt=\"\" width=\"424\" height=\"348\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/analyze3.png 424w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/analyze3-300x246.png 300w\" sizes=\"auto, (max-width: 424px) 100vw, 424px\" \/><\/a><\/p>\n<p>I&#8217;m using mutool again to extract the images from the PDF:<\/p>\n<blockquote><p>mutool.exe extract enigma_decoded.pdf<\/p><\/blockquote>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/decode2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-470\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/decode2.png\" alt=\"\" width=\"686\" height=\"477\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/decode2.png 686w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/decode2-300x209.png 300w\" sizes=\"auto, (max-width: 686px) 100vw, 686px\" \/><\/a><\/p>\n<p>img-005.png is the cartoon, but now let&#8217;s see what <strong>img-004.png<\/strong> is<\/p>\n<p><a 
href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/img-0004.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-471\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/img-0004-1024x384.png\" alt=\"\" width=\"1024\" height=\"384\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/img-0004-1024x384.png 1024w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/img-0004-300x112.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/img-0004-768x288.png 768w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/img-0004.png 1163w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p>Sadly, I had no idea how to revert that image, but a friend of mine gave me a hint:<\/p>\n<h1>What computers can swirl,<\/h1>\n<h1>Computers can unswirl<\/h1>\n<p>In 2007 the police <a href=\"https:\/\/thelede.blogs.nytimes.com\/2007\/10\/08\/interpol-untwirls-a-suspected-pedophile\/\" target=\"_blank\" rel=\"noopener noreferrer\">caught a pedophile<\/a> who tried to mask his identity with a swirled face.<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/suspect-ChristopherPaulNeil.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-474\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/suspect-ChristopherPaulNeil.jpg\" alt=\"\" width=\"665\" height=\"500\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/suspect-ChristopherPaulNeil.jpg 665w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/suspect-ChristopherPaulNeil-300x226.jpg 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/suspect-ChristopherPaulNeil-326x245.jpg 326w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/suspect-ChristopherPaulNeil-80x60.jpg 80w\" sizes=\"auto, (max-width: 665px) 100vw, 665px\" \/><\/a><\/p>\n<p>It is 
possible to revert the image with Photoshop or an online image editing tool.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"http:\/\/matzjb.se\/wp-content\/uploads\/media\/Twirl\/twisted.gif\" alt=\"\" width=\"440\" height=\"364\" \/><\/p>\n<p>Now we can try to revert the image with <a href=\"https:\/\/www.photoshop.com\/tools\">Photoshop<\/a> by choosing the effect Distort &#8211;&gt; Twirl.<\/p>\n<p>Or using an <a href=\"https:\/\/www298.lunapic.com\/editor\/?action=swirl\" target=\"_blank\" rel=\"noopener noreferrer\">online image editor<\/a>, which is a much faster way:<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/decode4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-482\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/decode4-1024x485.png\" alt=\"\" width=\"1024\" height=\"485\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/decode4-1024x485.png 1024w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/decode4-300x142.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/decode4-768x364.png 768w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/decode4.png 1240w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<p>The same can be done with the black image above, and we can read the text:<\/p>\n<p><a href=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/155430525967832887.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-483\" src=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/155430525967832887-1024x1024.png\" alt=\"\" width=\"1024\" height=\"1024\" srcset=\"https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/155430525967832887-1024x1024.png 1024w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/155430525967832887-150x150.png 150w, 
https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/155430525967832887-300x300.png 300w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/155430525967832887-768x768.png 768w, https:\/\/cybercop-training.ch\/wp-content\/uploads\/2019\/04\/155430525967832887.png 1134w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<div class=\"mh-excerpt\"><p>Imagine you get an image like this, which contains text. But the image is digitally distorted and you should find a way to make <a class=\"mh-excerpt-more\" href=\"https:\/\/cybercop-training.ch\/?p=457\" title=\"Unswirl an Image\">[&#8230;]<\/a><\/p>\n<\/div>","protected":false},"author":2,"featured_media":458,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[],"class_list":["post-457","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-forensic"],"_links":{"self":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/457","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=457"}],"version-history":[{"count":11,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/457\/revisions"}],"predecessor-version":[{"id":486,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/posts\/457\/revisions\/486"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=\/wp\/v2\/media\/458"}],"wp:attachment":[{"href":"https:
\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=457"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=457"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybercop-training.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=457"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}