OK, you found it sunny boy
How to (try to) see some light
through steganographical smoke
~ approaches ~ hints ~
tricks ~ links ~
Courtesy of reverser's page
of reverse engineering
Well, I have received so many questions about steganography, it was about
time that I could give some 'cracker' answers... what I mean is: you'll be able to find on the
web many (good) pages about steganography, yet I don't believe that you'll find
many good pages about steganographical CRACKING.
And the aim of this page is
exactly that: to teach you how to hide and how to un-hide information. You already had
to perform some relatively easy steganographical cracking in order to get here (else
you are either one of the administrators of my servers (Hi Sharp! Hi Camilo!,
Hi Tony!) or a friend with the keys (Hi +gthorne!)
or an idiot that has received this URL from somebody more able and is
wasting his and my time). Yet landing here, as you will see, is only the beginning of a very long trip! In this page we will see how you can
crack ALL currently used steganographical programs.
Let's first of all have a look at
how zeezee, +ReZiDeNt and all the other ones have cracked the 'Andromeda' pictures... Clearly each one
of you coming here should mail me a short (altough interesting and 'crackling')
essay, explaining how HE got the right path... You learn, you teach: you teach,
Massimiliano's approach and his anticontraband proggy
Fabian Hansmann's short essay
Sanity_sync's anticontraband c code
("programs i wrote that help crack contrab stegged
Caprine's short answer to Jean Flynn
("Let's work together")
12 February 1998
Joe Peschel's Steganos, The Duke of Earl, and The Dancing Men __NEW__
("Cracking the T_tamra7.bmp")
04 March 1998
("I had to reverse engineer steganos again, on my own")
26 March 1998
Caprine's beautiful story A great dragon
known as Steganos
(Steganos Key Relief (Reducing the key search burden))
22 April 1998
Gary Benson's Unconventional Access: My
way into the Advanced Steganography pages
(Steganos Key Relief (Reducing the key search burden))
23 September 1998
The HackLab's Steganography Thumbprinting __NEW__
("methods of detection")
18 March 1998
We will begin with +ReZiDeNt's approach:
A lazy brute force approach to cracking the 'Andromeda' picture, by +ReZiDeNt
OK, here is how I retrieved the text file hidden inside the
stegonated Andromeda picture (outfile.gif) on reverser's+ very
interesting page about steganography
Firstly, I downloaded Hide and Seek 4.1, and took a look at it.
Reverser+ had already told us that the code we needed was four digits
long - so I first tried a few 'common' combinations (e.g. '1984',
1997', '2001', '2010' etc.) - this didn't find it, so I knew I would
have to try another approach: I decided to 'brute force' the number.
In other words, I would try every single combination of fou
digits until I found the right one. Using four digits there are
10,000 possible combinations, so typing these all in would be long
and tedious to say the leas
Obviously, I would need to make a program (in C of course, the only
'real' language IMHO) to do this for me, and automate the typing in
of the different codes. All I would need to do is make a prog
m that passes the SEEK.EXE program a code, and then checks to see
whether it has successfully extracted the hidden file.
So I first tried to look at the Hide and Seek source code and see if
I could edit it a bit, to change some things I didn't like (I didn't
like the 'press any key' prompt that it showed you before a
empting to extract the hidden file, and I wanted to stop it from
showing the image as it worked). However, the program uses a
commercial graphics library and although I tried to edit those out it
Oh well, let's crack it instead! So I did - I used SoftICE and set a
breakpoint on INT21 - sure enough, SoftICE snapped just before the
'press any key' message - I just had to nop the INT call out
d that took care of that problem. I decided not to bother getting rid
of the image display, so I was now ready to make the simple C
The C source is shown below (I compiled this with Borland C 4.5, but
it should work with any ANSI C compiler):/* START findit.c */
int code = 0; /* starting value for the code */
int found = 0;
char cline; /* this will store the command line */
while(!found && (code <= 9999))
/* the below line creates the command line */
sprintf(cline, "seek.exe outfile.gif found.txt %.4d", code);
code++; /* generate the next code "*/.class" tppabs="http://fravia.org/*/.class"
system(cline); /* now execute the command line */
/* the line below checks to see if we have found anything */
fp = fopen("found.txt","r");
found = 0;
/* if we have found the hidden file, save the */
/* code in key.txt for future reference */
found = 1;
fp = fopen("key.txt","w");
/* END findit.c */
On my Cyrix P166+ with 16MB RAM (under Windows 95) this took about
half an hour to forty-five minutes to find the hidden file, running
the program as a foreground task. It took slightly less than o
second per iteration (e.g. it took less than a second to test each
code), so the maximum time it would have taken (in minutes) is:
10000 / 60, about 166 minutes, nearly three hours.
The above program is very simple, starting from 0 and going up to
9999. In all but the simplest cases, you would probably have two
counters, one starting at 0 (counting up) and one at 9999 (countin
down), to speed things up. I'm not going to tell you how long it took
me to find the code, because that would enable you to cheat and make
a guess :
Anyway, I found that to be good fun and a very worthwhile evening's
We will continue with zeezee's approach:
Thanks for Christmas puzzle with Andromeda! Nice picture, btw.
The working codes (.BMP version) are: 0995, 4575 and 8155.
It was a simple but enjoying "source code reversing".
My way of thinking was (assuming p0/1/2/3 are password digits):
1. Goal: Searching for: BlkSize, Offset and XOR all made from p0/1/2/3.
Algorithms are near the end of .C file
2. Opened .C source in notepad
3. Created .DIF file between two .BMP files using fc
4. Bytes differ from offset 003F to 150B ie min. during 5324 bytes
5. Divided 5324 by 587 to compute BlkSize. It's 9.
6. Blksize is 8 + p1 % 4. So
p1 may be 1, 5 or 9
5. To determine Offset I checked various p0 values to get 537 bytes long
outfile. So I determined that p0 + p1 = 1.
Possible combinations are:
Then I tried to decode using password 4555 creating a file 4555.txt
6. Assuming that there is a 'http://' phrase repeating in the text I determined
that near start of file (offset 1,2) are identical bytes. Let's assume
they should be 't'.
7. Determined XOR between 'ist' and 'soll' and computed existing mask
Mask for 4555 is CF.
Should be E3.
So one of the codewords is 4575.
8. Created two additional codewords so that XOR is E3.
9. Checked the files mentioned in the file.
Most of them are since long time on my HD, one gives 404.
10. Mailed to reverser+.
Merry xmas and many good cracks in New Year!
We will continue with caprine's approach:
Although I have spent many hours learning from and enjoying your pages,
I admit this is the first time I have taken the time to bestow my humble
"thank you" for the passion you have for teaching 'KNOWLEDGE' (but you
probably get too much email anyway)
A quick observation about 'contraband' :
After reviewing the source, and with your hint of the 587 byte file
size and a little file probing, one can quickly determine that the
'offset' = 9.
Therefore , the PIN 0 & 1 combinations can be '09',
'18','27','36','45,'54','63','72','81',or'90' (down to 1000
A quick FC -b Androm.bmp _ndrom.bmp(we all remember those nice little
DOS tools don't we) tells us the last modified byte is at offset 5387.
block size (high probability) = (5387-96)/587 = 9
That means PIN= '1','5',or'9'
Now the valid PIN 01 combo's are '09','45',or'81'
Now I got a little lazy. I extracted 3 files using passwords
'0900','4500',and '8100'. Now a quick little program to read each file
and xor all characters with 0 thru 255 and display. To my surprise, all
3 files decoded your file. That means (In this case) their are 3 valid
Well, anyway, it suprised me and I thought I would mention it. So if
this common knowledge,or you really don't care, just write this off as
someone who doesn't have anything better to do.
Got to go look for the advanced steganography' pages now. Thanks again.
We will continue with Massimiliano's approach:
Thank you for giving so much information about the stegonated
I just asked myself: would have been possible to decode the file
without knowing so much about it ? (length=578, type=text file,
The answer is in a small utility I wrote in a few spare hours.
Although not yet perfect, it can be useful to show that contraband
is a fairly breakable tool (even if the attack I prepared is far from
It could also be possible to search the entire keyspace, but this is
unnecessary. I'm giving this tool to your advanced readers just to keep
people from using contraband, since it is indeed flawed.
Keep publishing your site, I love it, and I greatly appreciate
(and enjoy) your work. Happy new year.
Download here Massimiliano's anti-contraband program
_ _ _ _ _ _ _ _ _ _
Back to Reverser's Anonymity Academy ___Back to the Stego 'normal' page
antismut CGI tricks
Is software reverse engineering illegal?
(c) Reverser, 1995, 1996, 1997, 1998.
All rights reserved