Investigative Reversing 4 picoCTF 2019 Solution

Published: April 2, 2026

Description

The final and most complex investigative reversing challenge. Multiple encodings and images.

Download all provided files.

bash
wget <url>/mystery
bash
# Download all associated PNG files
bash
chmod +x mystery
  1. Step 1: Full static analysis in Ghidra
    This is the most complex version. Load the binary in Ghidra and perform a thorough analysis. Map all functions, identify the encoding algorithm for each image, and document the complete encoding scheme before writing any extraction code.
    bash
    ghidra mystery &

    Approach complex reversing systematically: (1) Identify all file I/O operations. (2) Map the data flow from flag variable to pixel write. (3) Document each transformation step. (4) Work backwards from the write to understand what needs to be inverted.

    Ghidra's Function Graph view (Window > Function Graph) shows control flow graphically, making it easier to understand complex conditional logic.

  2. Step 2: Run the binary and collect outputs
    Execute the binary with all image files. Note all output files created. Each output image contains part of the encoded flag.
    bash
    strace ./mystery *.png 2>&1 | grep open
    bash
    ./mystery *.png
    bash
    ls -la

    Using ltrace (library call trace) instead of strace shows calls to library functions like fopen, fwrite, and image manipulation functions. This can give a higher-level view of what the binary does with each file.

  3. Step 3: Extract and reconstruct the flag
    Implement the complete inverse encoding pipeline in Python. Extract data from each image, undo each transformation, and assemble all pieces to reconstruct the full flag.
    python
    import glob
    from PIL import Image
    import numpy as np

    # Load every output image written by ./mystery (the files noted in Step 2);
    # each one holds part of the encoded flag
    images = [np.array(Image.open(path).convert("RGB"))
              for path in sorted(glob.glob("*.png"))]

    # Apply the inverse of each encoding step (from the Ghidra analysis)
    # to every image, collecting one piece of the flag per image
    pieces = []
    for pixels in images:
        piece = b""  # TODO: invert the transformations found in Ghidra on `pixels`
        pieces.append(piece)

    # Combine the pieces to form the flag
    flag = b"".join(pieces).decode("ascii", errors="replace")
    print(flag)

    numpy makes image processing in Python much faster for large images. np.array(img) converts a PIL image to a numpy array, enabling vectorized pixel operations instead of slow Python loops.

    The Investigative Reversing series teaches the combination of binary reversing (Ghidra) and data extraction (Python PIL) - a skill set directly applicable to real forensics work where custom tools encode evidence in image files.
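As an added illustration of the inverse pipeline described in Step 3 (example code written for this page, not the challenge binary's real scheme): the encoding, the keys and the sample images are all assumed and constructed here, standing in for whatever the Ghidra analysis actually reveals. Each fabricated image is a list of RGB tuples, which is what PIL's Image.getdata() returns for a real PNG, so only the assumed transformations need swapping out once the real ones are known.

```python
"""Inverse-pipeline skeleton for multi-image flag recovery (assumed encoding)."""
from typing import List, Tuple

Pixel = Tuple[int, int, int]

# ASSUMED encoding, constructed for this example only:
#   1. the flag is split into N equal chunks, one per output image;
#   2. chunk i is XORed with the key byte KEYS[i];
#   3. each transformed byte is stored in the green channel of one pixel,
#      while red and blue carry filler that must be ignored.
KEYS = [0x5A, 0x3C, 0x7E]  # constructed sample keys, one per image


def encode_chunk(chunk: bytes, key: int) -> List[Pixel]:
    """Forward direction; used here only to fabricate sample images."""
    return [((i * 37) & 0xFF, b ^ key, (i * 91) & 0xFF) for i, b in enumerate(chunk)]


def decode_image(pixels: List[Pixel], key: int) -> bytes:
    """Inverse of encode_chunk: read the green channel and undo the XOR."""
    return bytes((g ^ key) & 0xFF for _, g, _ in pixels)


def recover_flag(images: List[List[Pixel]], keys: List[int]) -> str:
    """Run the inverse step on every image and join the pieces in order."""
    if len(images) != len(keys):
        raise ValueError("expected one key per output image")
    pieces = [decode_image(px, k) for px, k in zip(images, keys)]
    flag = b"".join(pieces).decode("ascii", errors="replace")
    # Sanity check: a wrong key or wrong image order shows up immediately
    if not (flag.startswith("picoCTF{") and flag.endswith("}")):
        raise ValueError(f"inverse pipeline produced garbage: {flag!r}")
    return flag


def build_sample_images(flag: bytes, keys: List[int]) -> List[List[Pixel]]:
    """Split the flag into len(keys) chunks and encode each one (sample data)."""
    n = len(keys)
    size = -(-len(flag) // n)  # ceiling division
    chunks = [flag[i * size:(i + 1) * size] for i in range(n)]
    return [encode_chunk(c, k) for c, k in zip(chunks, keys)]


SAMPLE_FLAG = b"picoCTF{constructed_sample_flag}"  # constructed, not the real flag
SAMPLE_IMAGES = build_sample_images(SAMPLE_FLAG, KEYS)

if __name__ == "__main__":
    # With real files: pixels = list(Image.open(path).convert("RGB").getdata())
    print(recover_flag(SAMPLE_IMAGES, KEYS))
```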

Flag

picoCTF{...}

Thoroughly analyze the binary in Ghidra, extract data from all output PNGs, and apply the inverse encoding pipeline to get the flag.
