Description
Can you spot the difference? kitters.jpg and cattos.jpg look nearly identical - but the bytes that differ spell out the flag.
Setup
Download kitters.jpg and cattos.jpg from the challenge page.
Solution
Want to try it yourself first?
The guided walkthrough reveals hints one step at a time.
Step 1
Compare the two files byte by byteObservationI noticed the challenge described kitters.jpg and cattos.jpg as looking 'nearly identical' but guaranteed a difference, which suggested the images shared the same visual content while hiding data in individual byte values that fall below the threshold of visual perception and required a byte-level comparison to extract.Read both files in binary mode, zip them together, and collect every byte that differs between them. The differing bytes from cattos.jpg are ASCII characters that spell out the flag.pythonpython3 -c "a=open('kitters.jpg','rb').read(); b=open('cattos.jpg','rb').read(); print(''.join(chr(y) for x,y in zip(a,b) if x!=y))"Expected output
picoCTF{th3yr3_a5_d1ff3r3nt_4s_bu773r_4nd_j311y_...}What didn't work first
Tried: Running 'diff kitters.jpg cattos.jpg' to find the differing bytes
The 'diff' command operates line by line on text and treats binary files as opaque blobs, so it reports 'Binary files kitters.jpg and cattos.jpg differ' with no further detail. The correct tool for byte-level comparison is 'cmp -l' or a Python script that reads both files in binary mode ('rb') and iterates every byte position.
Tried: Collecting the bytes from kitters.jpg instead of cattos.jpg - using 'chr(x)' rather than 'chr(y)' in the zip loop
Swapping which file's byte is collected prints the original cover bytes rather than the substituted flag characters, producing garbled JPEG data instead of readable ASCII. The flag is encoded in cattos.jpg, so 'y' (the second file) must be selected when the pair differs.
Learn more
This challenge hides the flag by substituting individual bytes in an image file at specific positions. Visually, the images are indistinguishable - the changed bytes represent tiny color variations invisible to human perception. But a byte-by-byte comparison instantly reveals every differing position and its value.
The Python approach here uses
zip(a, b)to pair up bytes at identical positions from both files simultaneously, then filters to pairs wherex != y(the byte differs) and collects the byte from the second file (cattos.jpg). Since the differing bytes are ASCII characters spelling the flag, joining them with''.join(chr(y) ...)produces the readable flag string.The standard Unix tool for binary file comparison is
cmp(byte-by-byte comparison) ordiff(line-by-line for text files). For binary files specifically:cmp -l file1 file2- list all differing byte offsets and valuesxxd file | diff - <(xxd file2)- hex dump diff for visual inspectionvbindiff file1 file2- interactive binary diff viewerdhex file1 file2- another hex diff tool
In real-world digital forensics, binary diffing is used to analyze firmware patches (to see what vulnerabilities were fixed), compare malware samples (to find new variants), and verify file integrity. Tools like BinDiff (by Google/Zynamics) perform sophisticated binary diffing at the function and basic-block level for compiled executables, which is essential for reverse engineering patched binaries.
Patch diffing for vulnerability research: when a vendor releases a security patch, researchers download both the old and new versions of the binary and diff them with BinDiff or Diaphora. The changed functions reveal exactly which code was modified to fix the vulnerability. From there, reversing the fix often reveals the root cause, and writing a proof-of-concept exploit becomes feasible within hours - which is why unpatched systems face elevated risk in the days immediately after a security patch release. This technique, called "n-day exploitation", is a major part of real-world vulnerability research.
File integrity monitoring (FIM) uses the same concept to detect unauthorized changes to system files. Tools like AIDE (Advanced Intrusion Detection Environment) and Tripwire compute cryptographic hashes (SHA-256) of critical system files at a known-good baseline and periodically re-hash them, alerting when any file changes. A rootkit that modifies
/bin/lsto hide processes would be caught by FIM because the file's hash would no longer match the baseline. Binary-level diffing then identifies exactly what was changed.Hash verification is the reliable alternative to byte-by-byte comparison for integrity checking. Computing
sha256sum file1 file2and comparing hashes is orders of magnitude faster than diffing entire files and provides a definitive answer: if hashes match, the files are identical bit-for-bit; if not, something differs (though it does not tell you what). In CTF challenges involving forensics or steganography, computing hashes of suspicious files and cross-referencing them with known-good versions of common images online can instantly confirm whether a file has been tampered with.
Interactive tools
- File Magic IdentifierIdentify file types from magic numbers. Paste hex bytes or drop a file to detect PNG, JPEG, ZIP, PDF, ELF, PCAP, SQLite, and dozens of other formats.
- Hex ViewerView text or raw hex bytes as a xxd-style hex dump with byte offset, hex columns, and ASCII sidebar. Highlights printable characters and null bytes.
- Strings ExtractorPull printable text from any binary, library, or image. ASCII and UTF-16 detection, configurable minimum length, flag-like highlight, no command line needed.
Flag
Reveal flag
picoCTF{th3yr3_a5_d1ff3r3nt_4s_bu773r_4nd_j311y_...}
The two images are nearly identical - flag bytes were substituted at scattered positions, making visual comparison impossible but byte-by-byte comparison trivial.