Invisible Text Extractor
Detect and extract hidden messages from text containing zero-width Unicode characters. Auto-detect encoding. AES decryption. CTF flag detection. 100% client-side.
Paste Suspicious Text
Paste any text to instantly detect hidden zero-width characters. Counts appear before you click anything.
🔒 Runs locally — your text never leaves your device
How to Find a Hidden Message in Text (4 steps)
- Paste the suspicious text — zero-width character count appears instantly before any button press
- Review the ZW Visualizer to see which invisible characters are present and where
- Click Auto-Detect to try all encoding combinations automatically (or select mode manually)
- Enter the password if the payload is AES-encrypted — then copy or download your decoded message
Zero-Width Steganography Detection — What This Tool Handles
| Feature | Technique | Speed | Best For |
|---|---|---|---|
| Auto-Detect | Tries 6 encoding combinations: binary ZWNJ/ZWJ, binary ZWSP/ZWJ, binary ZWNJ/WJ, binary LRM/RLM, quaternary, octal | < 50 ms | Recommended — covers 99% of real-world ZW steganography |
| ZW Visualizer | Renders each ZW char as a colored inline glyph — ZWNJ=blue, ZWJ=red, WJ=yellow, ZWSP=green | Instant | Makes the invisible visible — best tool for CTF analysis |
| Suspicion Scorer | 0–100 score based on ZW density, type count, and distribution pattern | Instant | Quickly assess whether a text contains intentional steganography |
| AES-256-GCM Decryption | Detects encrypted payload format and decrypts with provided password | +32 bytes overhead handled | Matches encoder's encryption — PBKDF2 100k iterations |
| CTF Flag Auto-Detection | Scans decoded output for FLAG{}, HTB{}, picoCTF{}, CTF{}, CHTB{} patterns | Instant | One-click copy for extracted flags |
Frequently Asked Questions
How does Auto-Detect work?
It tries 6 different encoding mode + character set combinations in order: Binary ZWNJ/ZWJ (most common), Binary ZWSP/ZWJ, Binary ZWNJ/WJ, Binary LRM/RLM, Quaternary (4-char), and Octal (8-char). For each attempt, it validates the output: checks UTF-8 validity, printable character ratio, Shannon entropy, and CTF flag patterns. The attempt producing the most readable output wins.
Why did Auto-Detect fail?
Possible reasons: (1) The text was encoded with a non-standard character set — use Manual mode and specify the characters. (2) The platform stripped some ZW chars in transit — enable RS recovery if available. (3) The payload is encrypted but no password was provided. (4) The text contains accidental ZW chars but no intentional payload. (5) Seed-based scatter was used — sequential reading is attempted first; if output looks garbled, the encoder used a custom seed.
The decoded output looks like garbled text. What does that mean?
High entropy (>7.5/8.0) means the payload is encrypted — enter the password used during encoding. Low entropy noise means the character set or mode doesn't match what the encoder used — try Manual mode with different settings. The Entropy display in the result view tells you which case applies.
I see ZW characters but nothing decodes. Why?
The ZW characters might be: (1) Accidental — many websites use ZWNJ/ZWJ for typographic reasons, not steganography. Check the Suspicion Score — below 30/100 usually means no intentional payload. (2) A different encoding tool was used — try Manual mode and specify different character sets. (3) The payload requires the correct seed value for scatter-mode decoding.
How do I decode a CTF zero-width steganography challenge?
Paste the challenge text and click Auto-Detect. The most common CTF approach uses ZWNJ (U+200C) and ZWJ (U+200D) in binary mode, which is the first combination Auto-Detect tries. The CTF Flag Detector automatically highlights FLAG{}, HTB{}, and picoCTF{} patterns in the decoded output.
Can I remove the hidden data and get clean text?
Yes. Click 'Download Clean Text' in the result view — this removes all zero-width characters from the text, returning exactly the visible content with no hidden data. You can also download the clean text as a .txt file.
Is my text sent to any server?
Never. The decoder runs entirely in your browser — all scanning, decoding, and AES decryption uses pure JavaScript and the Web Crypto API. Even suspicious corporate documents can be safely analyzed.