whats-the-difference

Published: April 2, 2026

Description

Can you spot the difference? kitters.jpg and cattos.jpg look nearly identical -- but the bytes that differ spell out the flag.

Download kitters.jpg and cattos.jpg from the challenge page.

Solution

  1. Compare the two files byte by byte
    Read both files in binary mode, zip them together, and collect every byte that differs between them. The differing bytes from kitters.jpg are ASCII characters that spell out the flag.
    python3 -c "a=open('kitters.jpg','rb').read(); b=open('cattos.jpg','rb').read(); print(''.join(chr(x) for x,y in zip(a,b) if x!=y))"

    This challenge hides the flag by substituting individual bytes in an image file at specific positions. Visually, the images are indistinguishable -- the changed bytes represent tiny color variations invisible to human perception. But a byte-by-byte comparison instantly reveals every differing position and its value.

    The Python approach here uses zip(a, b) to pair up bytes at identical positions from both files simultaneously, then filters to pairs where x != y (the byte differs) and collects the byte from the first file (kitters.jpg). Since the differing bytes are ASCII characters spelling the flag, joining them with ''.join(chr(x) ...) produces the readable flag string.

    The standard Unix tool for binary file comparison is cmp, which compares byte by byte; diff compares line by line and is intended for text files. For binary files specifically:

    • cmp -l file1 file2 -- list all differing byte offsets and values
    • xxd file1 | diff - <(xxd file2) -- hex dump diff for visual inspection
    • vbindiff file1 file2 -- interactive binary diff viewer
    • dhex file1 file2 -- another hex diff tool

    In real-world digital forensics, binary diffing is used to analyze firmware patches (to see what vulnerabilities were fixed), compare malware samples (to find new variants), and verify file integrity. Tools like BinDiff (by Google/Zynamics) perform sophisticated binary diffing at the function and basic-block level for compiled executables, which is essential for reverse engineering patched binaries.
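The one-liner above discards the offsets, and because zip() stops at the end of the shorter input it silently ignores any trailing bytes when the files differ in length. The following added example (not part of the original write-up) keeps the offset and both byte values, as cmp -l does, and reports the trailing bytes; the COVER, KITTERS and CATTOS buffers and the FLAG{constructed} string are constructed stand-ins for the two images.

```python
"""Byte-level diff of two buffers, keeping offsets and handling unequal lengths."""


def diff_bytes(a: bytes, b: bytes):
    """Return (offset, byte_a, byte_b) for each differing position.

    Offsets past the end of the shorter input are reported with None on the
    missing side, instead of being dropped as zip() alone would do.
    """
    diffs = [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]
    for i in range(min(len(a), len(b)), max(len(a), len(b))):
        diffs.append((i, a[i] if i < len(a) else None,
                      b[i] if i < len(b) else None))
    return diffs


def recover_text(diffs, side=0):
    """Join the differing bytes from one side (0 = first file, 1 = second)."""
    out = []
    for _, *pair in diffs:
        value = pair[side]
        if value is not None:
            # Non-printable bytes are shown as '.' so they stay visible.
            out.append(chr(value) if 32 <= value < 127 else ".")
    return "".join(out)


# Constructed sample data standing in for the two images.
COVER = bytes(0x80 + (i % 64) for i in range(512))   # no printable ASCII
MESSAGE = b"FLAG{constructed}"                       # constructed placeholder
_buf = bytearray(COVER)
for k, ch in enumerate(MESSAGE):
    _buf[7 + 29 * k] = ch                            # scattered substitutions
KITTERS = bytes(_buf)
CATTOS = COVER + b"\x00\x00"                         # two extra trailing bytes

if __name__ == "__main__":
    result = diff_bytes(KITTERS, CATTOS)
    for offset, x, y in result:
        print(f"{offset:6d}  {x if x is None else format(x, '02x')}  "
              f"{y if y is None else format(y, '02x')}")
    print(recover_text(result, side=0))
```

For the real files, pass open('kitters.jpg','rb').read() and open('cattos.jpg','rb').read() to diff_bytes. A substituted byte that happens to equal the original byte at that offset cannot be detected by any comparison, so a recovered string with a missing character is worth checking against the offsets.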

Flag

picoCTF{...}

The two images are nearly identical -- flag bytes were substituted at scattered positions, making visual comparison impossible but byte-by-byte comparison trivial.
