Tools / Stegall

Stegall: Comprehensive Steganography Auto-Solver

Drop any file (image, audio, archive, document, capture, disk image) and Stegall runs every applicable steg technique in parallel, recursively unpacks whatever falls out, runs each text output through layered decoder cascades, and surfaces any flag matches at the top.

Drop a challenge file here, or click to pick one

PNG, JPG, BMP, GIF, WAV, ZIP, DOCX, PPTX, gzip, text. Files never leave your browser.

What gets tried

Ordered by how often the flag actually lives there. Metadata first, pixel analysis second, encoded text last.

Metadata & embedded textmost common

PNG tEXt / zTXt / iTXt / eXIf chunks (with CRC verify)
JPEG EXIF (APP1) / XMP / COM / APPn segments
MP3 ID3v1 + ID3v2 tags
FLAC Vorbis comments
PDF /Info metadata + text streams (catches redaction-gone-wrong)
DOCX / PPTX / XLSX full text scan + comments

Strings & trailing carving

ASCII + UTF-16 string extraction across the whole file
Post-IEND (PNG) / post-FFD9 (JPEG) trailing carving for appended-blob steg and polyglot files
Polyglot magic-byte scan: locate and carve embedded files anywhere

PNG structure

Pixel-perfect raw decode that bypasses canvas alpha-premultiplication, so LSBs survive
Color types 0 / 2 / 3 / 4 / 6 at bit depths 1 / 2 / 4 / 8 / 16, plus Adam7 interlace
Anomalies flagged: chunks-after-IEND, duplicate IHDR, CRC mismatch

JPEG DCT

Baseline-DCT entropy decoder (Huffman + dequantize) reconstructs the quantized coefficient blocks per component
jsteg-style and lax LSB extraction across luminance and all components, catching DCT-domain steg from jsteg / JSteg / OutGuess-class tools

Image pixel analysis(PNG / JPG / BMP / GIF / WebP)

Chi-square LSB-presence detector per channel (suspicious-channel hint)
Full LSB sweep: per channel × bit 0-7 × row/col-major × LSB/MSB-first
zsteg-parity multi-bit pass (b1 / b2 / b3 / b4) across all 8 pixel-walking directions (xy, Xy, xY, XY, yx, yX, Yx, YX) for RGB / BGR / RGBA / BGRA / ABGR
Bit-plane PNGs, channel isolation, invert
Image arithmetic: R-XOR-G, R-XOR-B, G-XOR-B
Horizontal stretch (catches narrow-line steg)
QR / barcode decode

Audio(WAV / MP3 / FLAC)

Per-channel integer-sample LSB sweep, 4 bits deep, both byte orderings
Stereo difference-channel LSB sweep (catches L-R-only steg)
Goertzel-filter DTMF touch-tone decoder
Morse-code decoder via tone-duration envelope detection
Web-Audio FFT spectrogram

Network(PCAP / PCAPng)

Timestamp-ordered frame extraction
Ethernet → IPv4 → TCP / UDP / ICMP decode
Per-flow TCP reassembly sorted by sequence number
HTTP-style header extraction (User-Agent / Cookie / X-*, all common exfil channels)
DNS query-name capture with concatenated leftmost-label decode (catches dnscat2-style hex / base64 tunnels)
ICMP echo payload concatenation
Segmented base64 reassembly for chunk-per-packet exfil patterns

Documents

DOCX / PPTX / XLSX whitespace-steg decoding (space = 0, tab = 1, plus inverse)

Text

Trailing-whitespace decoder
Zero-width Unicode (ZWSP / ZWNJ)

Decoder cascade

Applied to every text output and to raw bytes, up to 6 layers deep:

base64 / base32 / base16 / base58 / base85 / ascii85 / URL
ROT 1-25 + ROT47, Atbash, reverse
zlib / gzip / bz2 / lzma / brotli
Single-byte XOR sweep + repeating-key XOR brute-force with cribs ("picoCTF", "flag{", etc.)
Embedded encoded substrings pulled out of mixed text automatically

How it works

Stegall runs entirely in your browser. Files never leave your machine. The engine uses the Canvas, Web Audio, and DecompressionStream APIs to do most of what a server-side steg toolkit would, then runs every text output through a 6-layer decoder cascade and scans every byte at every layer for flag patterns.

The image LSB sweep (~600 extractions per image counting all channel orderings, bit packings, and pixel-walk directions) fans out across a Web Worker pool sized to your CPU’s logical cores, so the UI stays responsive even on multi-megapixel inputs.