# Emoji

**Category:** Misc

**Difficulty:** Easy

***

### 1. Challenge Overview

The challenge provides a single `README.md` file containing what appears to be a solitary emoji: `💯`. However, when looking at the file metadata or simply clicking and dragging over the text, it becomes clear that there is a significant amount of "invisible" data trailing the emoji. We are told the flag follows the `ENO{...}` format.

### 2. Vulnerability Analysis

This is a classic case of **Unicode Tag Steganography**. Characters in the Unicode range `U+E0000` to `U+E007F` are non-rendering "Tag" characters. When I inspected the raw content of the `README.md` file, I found a sequence of these high-value Unicode points following the 100 emoji:

* `󠄵` (U+E0135)
* `󠄾` (U+E013E)
* `󠄿` (U+E013F)
* `󠅫` (U+E016B)

Since the flag starts with `ENO{`, I can calculate the offset between the hidden Unicode characters and standard ASCII.

### 3. Developing the Exploit

To find the hidden message, I mapped the first hidden character to the first letter of the known flag format (`E`).

The hex value of the first hidden character is `0xE0135`. The ASCII value for `E` is `0x45`. By performing a simple subtraction, I found the constant offset used to hide the text:

$$0xE0135 - 0x45 = 0xE00F0$$

By subtracting $0xE00F0$ from every hidden Unicode character in the string, the plain text flag should be revealed.

### 4. The Solution Script

I wrote a quick Python script to automate the extraction and subtraction process:

```python
# The raw string from the README
data = "💯󠄵󠄾󠄿󠅫󠄵󠄽󠄠󠄺󠄡󠅃󠅏󠅅󠄾󠄡󠄳󠄿󠄴󠄣󠅏󠄡󠅃󠅏󠄽󠄱󠄷󠄡󠄳󠅭"

# The 100 emoji is at index 0, the tags start at index 1
hidden_chars = data[1:]

flag = ""
for char in hidden_chars:
    # Subtract the E00F0 offset from the code point
    codepoint = ord(char)
    flag += chr(codepoint - 0xE00F0)

print(f"Decoded Flag: {flag}")
```
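Added example (not part of the original writeup): a scanner a defender can run over untrusted text to find, decode and strip runs of invisible code points. It generalises the page's offset: the code points listed above sit in the Variation Selectors Supplement (U+E0100 to U+E01EF), where subtracting `0xE00F0` yields bytes 0x10 to 0xFF. The U+FE00 to U+FE0F and Tags-block mappings, and the names `hidden_byte`, `scan` and `sanitize`, are assumptions added here.

```python
# Added example: detect and decode runs of invisible Unicode code points.
# The U+FE00 and Tags-block mappings are assumptions beyond the page.

def hidden_byte(cp):
    """Map one invisible code point to the byte it may carry, else None."""
    if 0xE0100 <= cp <= 0xE01EF:   # Variation Selectors Supplement
        return cp - 0xE00F0        # the page's offset: bytes 0x10..0xFF
    if 0xFE00 <= cp <= 0xFE0F:     # Variation Selectors (assumed: bytes 0x00..0x0F)
        return cp - 0xFE00
    if 0xE0000 <= cp <= 0xE007F:   # Tags block (assumed: mirrors ASCII)
        return cp - 0xE0000
    return None


def scan(text, min_run=2):
    """Return [(start_index, payload_bytes)] for each run of hidden code points.

    A lone selector after an emoji (e.g. U+FE0F) is normal, so only runs of
    at least min_run are reported.
    """
    findings, run, start = [], bytearray(), 0
    for i, ch in enumerate(text + "\0"):      # sentinel flushes a trailing run
        b = hidden_byte(ord(ch))
        if b is not None:
            if not run:
                start = i
            run.append(b)
            continue
        if len(run) >= min_run:
            findings.append((start, bytes(run)))
        run = bytearray()
    return findings


def sanitize(text, min_run=2):
    """Drop reported runs, keeping legitimate single selectors."""
    chars = list(text)
    for start, payload in reversed(scan(text, min_run)):
        del chars[start:start + len(payload)]   # one code point per byte
    return "".join(chars)


# Constructed samples: the four code points listed on the page, a heart with
# an ordinary U+FE0F, and a word followed by Tags-block characters for "hi".
PAGE_SAMPLE = "\U0001F4AF" + "".join(map(chr, (0xE0135, 0xE013E, 0xE013F, 0xE016B)))
BENIGN = "\u2764\ufe0f fine"
TAG_SAMPLE = "note" + chr(0xE0068) + chr(0xE0069)

if __name__ == "__main__":
    for s in (PAGE_SAMPLE, BENIGN, TAG_SAMPLE):
        print(scan(s), repr(sanitize(s)))
```

Running `scan` on file contents before they reach a renderer, a diff view or an LLM prompt surfaces payloads that a visual review of the text cannot show.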

### 5. The Winning Payload

Applying the offset of `0xE00F0` to the entire hidden string yields the following ASCII sequence:

* `󠄵` → E
* `󠄾` → N
* `󠄿` → O
* `󠅫` → {
* ...and so on.

The full decoded string is:

**`ENO{EM0J1S_UN1COD3_1S_MAG1C}`**

### 6. Result

The flag was successfully extracted from the Unicode tag block hidden behind the emoji.

**Flag:** `ENO{EM0J1S_UN1COD3_1S_MAG1C}`

