Lost in Waves - EH4X CTF 2026 Forensics (500 pts)
Challenge: Taru got an intel that a package containing classified documents is being moved in covert channels. Author: Anonimbus Flag:
EH4X{P4g3d_lik3_a_b00k}
TL;DR
Saleae logic capture -> UART decode (inverted, 125000 baud) -> RAR password -> 4 WAV files -> POCSAG1200 pager protocol decode -> flag in a pager conversation
Step 1: The Logic Analyzer Capture
We're given a .sal file — a Saleae Logic 2 capture. Opening it up (or parsing the binary), we find a single digital channel with transitions over ~613ms.
I exported the transitions to a VCD (Value Change Dump) file to work with standard tools:
$timescale 1us $end
$var wire 1 ! signal $end
...
#0 1!
#8 0!
#16 1!
...
UART Decoding
The signal looks like UART, but here's the catch — the signal is inverted and runs at 125000 baud (not your typical 9600 or 115200).
Normal signal: garbage
Inverted signal @ 125000 baud: ohblimey**ehax\r\n
me trying every standard baud rate before flipping the signal:
"It's not 9600... not 115200... not 19200... maybe the analyzer is broken?"
Narrator: it was inverted the whole time
The password is: ohblimey**ehax
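As an added example (not part of the original writeup or the challenge files), here is a Python decoder for the path described above: a VCD-style transition list is sampled at 125000 baud as 8N1 UART with the line polarity inverted. The transition list is constructed here from a sample string by a small encoder so that the script runs offline; the VCD lines mimic the layout shown above, with one wire named `!`. Decoding the same capture with the wrong polarity, or at a standard rate such as 115200, produces garbage, which is exactly the symptom the writeup describes.

```python
"""Recover inverted 8N1 UART from a VCD-style transition list (added example)."""

BAUD = 125000             # the non-standard rate from the challenge
US_PER_SEC = 1_000_000    # matches "$timescale 1us"


def encode_uart(text: str, baud: int = BAUD, inverted: bool = True) -> list[tuple[int, int]]:
    """Turn text into [(time_us, level)] transitions of an 8N1 UART line.

    With inverted=True the physical wire idles low and the start bit is high,
    the polarity the challenge capture turned out to use. Constructed test data.
    """
    bit_us = US_PER_SEC / baud                      # 8.0 us at 125000 baud
    logical = [1, 1]                                # idle high before the first byte
    for byte in text.encode():
        logical.append(0)                           # start bit
        logical += [(byte >> i) & 1 for i in range(8)]   # data bits, LSB first
        logical.append(1)                           # stop bit
    logical += [1, 1]
    physical = [b ^ 1 for b in logical] if inverted else logical
    transitions, prev = [], None
    for i, level in enumerate(physical):
        if level != prev:                           # only record changes, as a VCD does
            transitions.append((round(i * bit_us), level))
            prev = level
    return transitions


def to_vcd(transitions: list[tuple[int, int]]) -> str:
    """Render transitions in the VCD shape shown in the writeup."""
    lines = ["$timescale 1us $end", "$var wire 1 ! signal $end", "$enddefinitions $end"]
    lines += [f"#{t} {v}!" for t, v in transitions]
    return "\n".join(lines) + "\n"


def parse_vcd(text: str) -> list[tuple[int, int]]:
    """Read '#<time> <value>!' lines back into (time_us, level) pairs."""
    transitions = []
    for line in text.splitlines():
        if line.startswith("#"):
            t, value = line[1:].split()
            transitions.append((int(t), int(value[0])))
    return transitions


def decode_uart(transitions: list[tuple[int, int]], baud: int = BAUD,
                inverted: bool = True) -> bytes:
    """Decode 8N1 frames by sampling each bit at its centre after a start edge."""
    bit_us = US_PER_SEC / baud

    def logical_at(t: float) -> int:
        level = transitions[0][1]
        for ts, v in transitions:             # level = last transition at or before t
            if ts > t:
                break
            level = v
        return level ^ 1 if inverted else level

    out = bytearray()
    busy_until = -1.0
    for ts, v in transitions:
        if ts < busy_until:
            continue                          # still inside a frame already decoded
        if (v ^ 1 if inverted else v) != 0:
            continue                          # not a logical falling edge (start bit)
        byte = 0
        for i in range(8):
            byte |= logical_at(ts + (1.5 + i) * bit_us) << i
        if logical_at(ts + 9.5 * bit_us) != 1:
            continue                          # framing error (no stop bit): resync
        out.append(byte)
        busy_until = ts + 10 * bit_us
    return bytes(out)


if __name__ == "__main__":
    capture = to_vcd(encode_uart("ohblimey**ehax\r\n"))
    print("inverted @125000:", decode_uart(parse_vcd(capture)))
    print("normal   @125000:", decode_uart(parse_vcd(capture), inverted=False))
    print("inverted @115200:", decode_uart(parse_vcd(capture), baud=115200))
```

The decoder deliberately resyncs on framing errors instead of aborting, so a wrong polarity or baud shows up as a stream of garbage bytes rather than an exception, which is what you see in a logic-analyzer UI.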
Step 2: Extracting the RAR
The Saleae capture also contained a binary blob — a RAR5 encrypted archive. Using our decoded password:
unrar x data.rar
# Password: ohblimey**ehax
# Extracted:
# 1.wav 2.wav 3.wav 4.wav
Four WAV files. All stereo, 16-bit PCM, 48kHz. Identical left/right channels.
Step 3: The Audio Rabbit Hole
This is where things got... interesting. Each WAV file has three distinct sections:
| NOISE | 600Hz Square Wave | Variable Freq Data | NOISE |
|~~~~~~~~~|___/^^^\_/^^^\_/^^^\_|__/^^^\__/^^\__/^^^^\_|~~~~~~~~~|
What I Tried (and Failed)
| Technique | Result |
|---|---|
| Spectrogram analysis | Just harmonics, no hidden image |
| SSTV decode | No calibration header |
| DTMF detection | Nope |
| Morse code | Garbled nonsense |
| minimodem FSK | Nothing readable |
| steghide | Wrong password / empty |
| LSB steganography | Random-looking bytes |
| Rendering audio as 2D image | Cool patterns, no flag |
| UART decode from audio | Gibberish at every baud rate |
| Manual half-cycle analysis | [several hours of my life I won't get back] |
| XORing the 4 files | More gibberish |
me after trying 15 different audio stego techniques:
"maybe the real flag was the friends we made along the way"
The Half-Cycle Rabbit Hole
I spent WAY too long analyzing the half-cycle durations of the square wave data section. They're all exact multiples of 40 samples! I found sync patterns, data bursts, separators...
Normalized half-cycles: 2, 5, 2, 2, 1, 1, 3, 1, 4, 1, 1, 1, 1, 3, 1, 2, ...
^--- repeating pattern!
I tried decoding these as: ASCII, base-6, Morse, run-length binary, UART framing, frequency-to-brightness mapping, and about 10 other schemes. All garbage.
The lesson: When you're manually analyzing signal timing and getting nowhere, step back and try automated protocol decoders.
Step 4: POCSAG - The Answer Was Pagers
The breakthrough came from multimon-ng, a multi-protocol decoder. The magic command:
sox 1.wav -t raw -r 22050 -e signed -b 16 -c 1 - | \
multimon-ng -t raw -a POCSAG1200 -q -
What is POCSAG?
POCSAG (Post Office Code Standardisation Advisory Group) is a protocol used by pagers — those little devices from the 90s that beeped when someone sent you a message.
Key specs:
- Operates at 512, 1200, or 2400 baud
- Uses FSK (Frequency Shift Keying) modulation
- At 1200 baud the alternating preamble bits form a 600 Hz square wave, so the 600 Hz base frequency + variable deviations = classic POCSAG FSK pattern
- The "sync" pattern I found was literally the POCSAG synchronization codeword!
The Decoded Conversation
The four WAV files contain a POCSAG-encoded conversation between two characters:
File 1:
Address 1: "Oi, tell us your name then, yeah?"
Address 2: "Alright Benzoo, Im Awoonimbuss."
Address 3: "c00lz, mate"
File 2:
Address 1: "You got the package sorted?"
Address 2: "Too right. Tucked away safe and sound."
File 3:
Address 1: "And the code??"
File 4:
Address 2: "Passwordz EH4X{P4g3d_lik3_a_b00k}. Keep it hush, yeah?"
the characters having a casual chat on 1990s pager technology to exchange classified intel. absolute legends
The Full Attack Chain
Tools Used
| Tool | Purpose |
|---|---|
| Python + struct | Parse Saleae .sal binary format |
| Custom UART decoder | Decode inverted UART at non-standard baud |
| unrar | Extract encrypted RAR archive |
| sox | Audio format conversion (stereo->mono, WAV->raw) |
| multimon-ng | POCSAG1200 protocol decoder (the hero) |
| scipy / numpy | Signal analysis (spectrograms, zero-crossings) |
Key Takeaways
1. Always try protocol decoders before manual analysis
I spent hours manually analyzing half-cycle durations when multimon-ng decoded it in 0.2 seconds. Lesson learned.
2. POCSAG is a real CTF goldmine
POCSAG pager protocol shows up in forensics/radio challenges. The key signatures:
- FSK modulation around a base frequency
- Sync pattern: the 32-bit sync codeword 0x7CD215D8, repeated
- 1200 baud is the most common speed
- Square wave preamble (alternating 1/0 bits) at the start
3. Inverted UART is more common than you'd think
Many logic analyzers and serial interfaces can have inverted polarity. If your UART decode gives garbage, try inverting the signal.
4. multimon-ng is your best friend
For unknown audio protocols, just throw everything at multimon-ng:
sox input.wav -t raw -r 22050 -e signed -b 16 -c 1 - | \
multimon-ng -t raw -a POCSAG512 -a POCSAG1200 -a POCSAG2400 \
-a AFSK1200 -a AFSK2400 -a FSK9600 -a DTMF -a MORSE_CW -q -
5. The flag name is a pun
P4g3d_lik3_a_b00k = "Paged like a book" — because it was sent via a pager. The challenge author "Anonimbus" was referenced in the conversation as "Awoonimbuss". Cheeky.
POCSAG Protocol Quick Reference
For anyone wanting to learn more about POCSAG for future CTFs:
POCSAG Frame Structure:
========================
| Preamble | Sync | Frame 0 | Frame 1 | ... | Frame 7 | Sync | Frame 0 | ...
| 576 bits | 32b | 64 bits each (address or message) | 32b | ...
Preamble: alternating 10101010... (at least 576 bits)
Sync Codeword: 0x7CD215D8
Each frame: 2 codewords (32 bits each + parity)
Modulation: 2-FSK
- "1" = +4.5 kHz deviation from center
- "0" = -4.5 kHz deviation from center
Common baud rates: 512, 1200, 2400
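To make the frame structure above concrete, here is an added Python example (mine, not code from the writeup or from multimon-ng) that builds a POCSAG transmission exactly as the quick reference lays it out: 576-bit alternating preamble, 32-bit sync codeword 0x7CD215D8, then batches of eight frames of two codewords each, and validates every codeword with the BCH(31,21) plus even-parity check that protects POCSAG codewords. It goes one step beyond the reference by filling in the address-codeword bit layout (flag bit, 18 address bits, 2 function bits, with the frame chosen by the low 3 bits of the address) and the idle codeword 0x7A89C197; the generator polynomial 0x769 is the standard POCSAG one. The sample address and 20-bit message words are constructed values.

```python
"""POCSAG framing and codeword checks (added example, not the challenge's code)."""

SYNC_CODEWORD = 0x7CD215D8     # from the quick reference above
IDLE_CODEWORD = 0x7A89C197     # standard POCSAG idle codeword
BCH_GENERATOR = 0x769          # x^10 + x^9 + x^8 + x^6 + x^5 + x^3 + 1
PREAMBLE_BITS = 576


def bch_remainder(word31: int) -> int:
    """Remainder of a 31-bit word modulo the generator (GF(2) long division)."""
    for i in range(30, 9, -1):
        if (word31 >> i) & 1:
            word31 ^= BCH_GENERATOR << (i - 10)
    return word31 & 0x3FF


def parity(word: int) -> int:
    return bin(word).count("1") & 1


def make_codeword(data21: int) -> int:
    """21 data bits + 10 BCH check bits + 1 even-parity bit = 32-bit codeword."""
    assert 0 <= data21 < (1 << 21)
    word31 = (data21 << 10) | bch_remainder(data21 << 10)
    return (word31 << 1) | parity(word31)


def is_valid_codeword(cw: int) -> bool:
    """A codeword is clean when the BCH remainder is zero and parity is even."""
    return bch_remainder(cw >> 1) == 0 and parity(cw) == 0


def address_codeword(address: int, function: int = 0) -> int:
    """Flag bit 0, then the 18 high bits of the address, then 2 function bits."""
    data21 = (((address >> 3) & 0x3FFFF) << 2) | (function & 3)
    return make_codeword(data21)


def message_codeword(chunk20: int) -> int:
    """Flag bit 1, then 20 payload bits (numeric/alpha packing not shown here)."""
    return make_codeword((1 << 20) | (chunk20 & 0xFFFFF))


def encode_page(address: int, function: int, chunks: list[int]) -> list[int]:
    """One 16-codeword batch: idle up to the address's frame, then the message."""
    batch = [IDLE_CODEWORD] * 16
    slot = (address & 7) * 2            # low 3 address bits select the frame
    words = [address_codeword(address, function)] + [message_codeword(c) for c in chunks]
    assert slot + len(words) <= 16, "message does not fit in one batch"
    batch[slot:slot + len(words)] = words
    return batch


def to_bits(word: int, width: int = 32) -> list[int]:
    return [(word >> (width - 1 - i)) & 1 for i in range(width)]


def build_transmission(codewords: list[int]) -> list[int]:
    """Preamble, then [sync + 16 codewords] per batch, padding with idle."""
    bits = [1, 0] * (PREAMBLE_BITS // 2)
    words = list(codewords)
    while len(words) % 16:
        words.append(IDLE_CODEWORD)
    for start in range(0, len(words), 16):
        bits += to_bits(SYNC_CODEWORD)
        for cw in words[start:start + 16]:
            bits += to_bits(cw)
    return bits


def find_sync(bits: list[int]) -> list[int]:
    """Bit offsets where the sync codeword starts (a crude bit-level correlator)."""
    sync = to_bits(SYNC_CODEWORD)
    return [i for i in range(len(bits) - 31) if bits[i:i + 32] == sync]


def decode_batches(bits: list[int]) -> list[tuple[int, int, bool]]:
    """(frame, codeword, valid) for every codeword following each sync."""
    out = []
    for start in find_sync(bits):
        pos = start + 32
        for frame in range(8):
            for _half in range(2):
                if pos + 32 > len(bits):
                    return out
                cw = int("".join(map(str, bits[pos:pos + 32])), 2)
                out.append((frame, cw, is_valid_codeword(cw)))
                pos += 32
    return out


def preamble_tone_hz(baud: int) -> float:
    """Alternating preamble bits form a square wave at half the bit rate."""
    return baud / 2


if __name__ == "__main__":
    bits = build_transmission(encode_page(0x12345, 2, [0xABCDE]))   # constructed values
    print("sync found at bit", find_sync(bits), "; preamble tone at 1200 baud:",
          preamble_tone_hz(1200), "Hz")
    for frame, cw, ok in decode_batches(bits):
        print(f"frame {frame}: {cw:08X} {'ok' if ok else 'BAD'}")
```

`preamble_tone_hz(1200)` returning 600 is the arithmetic behind the 600 Hz square wave seen at the start of each WAV file; the BCH check is what lets a decoder such as multimon-ng reject codewords corrupted by noise instead of printing garbage.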
Useful resources:
Writeup by smothy | EH4X CTF 2026 "I didn't choose the pager life, the pager life chose me"