A summary of steganography techniques

Source: Internet
Author: User

AppLeU0's summary of steganography techniques, 2015/02/10 10:14

0x00 Preface

I have not seen a summary of steganography on Drops, and since I have been fairly interested in steganography and find it a lot of fun, I am going to summarize some steganography material. There may be mistakes in what I write; please point them out, thank you.

The steganography images used in this article are packaged here: "The art of steganography"; you can download them if you want to try the steps yourself.

My first contact with steganography was something called a "picture seed" (a picture with a file hidden inside). I did not understand it at the time; I was only told to save it as a zip and then extract it, which felt particularly magical, like discovering a new world. Then I tried to work out how to save it as a zip: open it with a tool such as 7z or WinZip, and you can see the goodies.

Figure 1.png

Later I learned how it is done: first make a 1.zip containing the things you want to hide, then take a JPG image 2.jpg and run the command copy /b 2.jpg+1.zip output.jpg. This uses the copy command to concatenate the two files in binary mode into a new output.jpg. A JPG has a terminator, the hex bytes FF D9; with WinHex you can see that a normal JPG ends with FF D9, and image viewers ignore anything after the terminator, so the zip we append does not affect the normal display of the image.

Figure 2.png

This kind of steganography is also relatively easy to find: if you are given a JPG image, look at what follows the end of the file to see whether any content is attached; a normal picture ends with FF D9. Another way is to use the binwalk tool, a command-line tool that ships with Kali.

Picture 3.png

binwalk automatically analyses files attached to a picture. It works by searching for matching file headers, so common file types can be found, and with the reported offset you can use WinHex or dd to split off the hidden part.
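The check described above, as an added example that is not code from the original post: it walks the JPEG marker segments to find the real FF D9 (a naive search for the first FF D9 is fooled by an EXIF thumbnail, which carries its own end marker) and reports what sits after it. The sample bytes are constructed inline and are not a decodable image.

```python
import io
import struct
import zipfile

ZIP_SIG = b"PK\x03\x04"


def jpeg_eoi_offset(data):
    """Return the offset just past the EOI marker (FF D9) of the JPEG in data.
    The marker segments are walked instead of searching for the first FF D9,
    because an EXIF thumbnail inside an APP1 segment carries its own FF D9."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:            # EOI: end of the image proper
            return pos + 2
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7:   # markers without a length
            pos += 2
            continue
        seglen = struct.unpack_from(">H", data, pos + 2)[0]
        pos += 2 + seglen
        if marker == 0xDA:            # SOS: entropy-coded data until the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_payload(data):
    """Return (eoi_offset, kind, tail): what sits after the image, if anything."""
    end = jpeg_eoi_offset(data)
    tail = data[end:]
    if not tail:
        kind = "none"
    elif tail.startswith(ZIP_SIG):
        kind = "zip"
    else:
        kind = "unknown"
    return end, kind, tail


def build_sample():
    """Constructed minimal JPEG-like byte string (not a decodable image): SOI, an
    APP1 segment that itself contains FF D9, an SOS segment with a stuffed FF 00
    and a restart marker, then EOI. Returns (clean, clean + appended zip)."""
    app1_body = b"Exif\x00\x00" + b"\xff\xd9" + b"\x00" * 4
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_body) + 2) + app1_body
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"
    jpeg = b"\xff\xd8" + app1 + sos + scan + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("secret.txt", "hidden")
    return jpeg, jpeg + buf.getvalue()


if __name__ == "__main__":
    clean, stego = build_sample()
    print(trailing_payload(clean)[:2], trailing_payload(stego)[:2])
```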

0x01 Modifying data

The hiding method above adds data: the payload is simply appended after the JPG. There is another kind of hiding that works by modifying existing data to carry the information you want to pass.

One common technique is LSB steganography, where LSB stands for least significant bit. The principle is that a picture is generally composed of three colours, the three primary colours, from which all other colours are mixed. In a PNG, for example, each colour channel of a pixel is stored in 8 bits; LSB steganography modifies the lowest bit of the pixel values, which the human eye cannot distinguish, and so hides the information. For example, to hide the letter 'a', turn 'a' into the hex value 0x61 and then into the binary 01100001, and then set the lowest bit of the red channel of successive pixels to these binary digits.

Figure 4.png

If you are looking for traces of LSB hiding, there is a tool that is a real artifact for assisting the analysis: Stegsolve. The software is at

Http://www.caesum.com/handbook/Stegsolve.jar

After opening the image, use Stegsolve -> Analyse -> Frame Browser; this lets you browse each bit of the three colour channels. In the lowest bit of the red channel a QR code is found, which can then be scanned to get the result.

Figure 6.png

For the QR code you can use an online decoder such as http://tool.chinaz.com/qrcode/, which gives flag{appleu0}. If ASCII text was hidden instead, you can use Stegsolve -> Analyse -> Data Extract to view the ASCII.

Note that in this process the hidden carrier is in PNG format. It would not work with a JPG like the earlier one, because JPG image data is lossily compressed, and the information you modify may be corrupted by the compression. PNG images are compressed too, but losslessly, so the modified information is preserved exactly and not lost. BMP pictures are the same: they are not compressed at all (which is why BMP files are so large), every pixel value is stored as is, and there is no compression step.
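The red-channel LSB hiding and the bit-plane view described above, as an added example that is not code from the original post. It works on a plain list of (r, g, b) tuples, which is the form PIL's Image.getdata() returns for an RGB image; the 8x2 cover is constructed inline, and the method assumes a lossless carrier (PNG or BMP) for the reason given in the previous paragraph.

```python
def embed_lsb_red(pixels, message):
    """Hide message in the lowest bit of the red channel, one bit per pixel in
    pixel order. pixels is a list of (r, g, b) tuples as PIL's Image.getdata()
    returns for an RGB image; the cover must be a lossless format (PNG, BMP)."""
    bits = "".join(format(c, "08b") for c in message.encode())
    if len(bits) > len(pixels):
        raise ValueError("cover too small: need %d pixels" % len(bits))
    out = list(pixels)
    for i, bit in enumerate(bits):
        r, g, b = out[i]
        out[i] = ((r & 0xFE) | int(bit), g, b)   # red changes by at most 1
    return out


def extract_lsb_red(pixels, nbytes):
    """Read nbytes back from the red LSBs: what the Data Extract view shows."""
    bits = "".join(str(r & 1) for r, _, _ in pixels[:nbytes * 8])
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def bit_plane(pixels, width, channel=0, bit=0):
    """Render one bit of one channel as rows of '#' (1) and '.' (0): the same
    view as Stegsolve's bit-plane browser, where hidden data shows as a pattern
    while an untouched plane of a smooth picture looks regular."""
    rows = []
    for y in range(0, len(pixels), width):
        row = pixels[y:y + width]
        rows.append("".join("#" if (px[channel] >> bit) & 1 else "." for px in row))
    return rows


# Constructed 8x2 cover: a smooth gradient, so the untouched planes look regular.
COVER = [(16 * x + y, 100, 200 - 8 * x) for y in range(2) for x in range(8)]
STEGO = embed_lsb_red(COVER, "a")   # 'a' = 0x61 = 01100001 in the first 8 red LSBs

if __name__ == "__main__":
    print(extract_lsb_red(STEGO, 1))
    print("\n".join(bit_plane(STEGO, 8)))
```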

0x02 Steganography and encryption

First let us distinguish two concepts: steganography versus encryption and decryption. Put simply, with encryption there is some mysterious, suspicious string or data in front of you. With steganography the information is plainly in front of you, but you are blind to it. When steganography appears in a CTF it often comes together with encryption and decryption, or with some encoding method, to raise the difficulty of the problem.

Take a CTF challenge as an example: in iscc2014 there is a problem that gives a GIF image named this.gif, which shows an error when opened. Sometimes we need to repair an image, and for that we need to understand the file structure. Look up the GIF file format and compare it against the damaged file. The GIF format document can be viewed at this link: http://dev.gameres.com/Program/Visual/Other/GIFDoc.htm

Picture 8.png

Opening it with WinHex, we find it differs from an ordinary GIF: the header is missing something. Comparing against the documentation, we find that GIF8 is missing.

Picture 9.png

Let's fix it manually and add GIF8.

Picture 10.png

Browsing the picture then reveals a password flashing past. The biggest difference between GIF and other picture formats is that a GIF is an animation: it is composed of multiple frames played in sequence. Some challenges set the playback time very slow, so the picture barely moves; we can then use a tool to inspect the picture frame by frame. Stegsolve has this function.

Stegsolve -> Analyse -> Frame Browser shows that the picture has 8 frames. The frames overlap a little and are not easy to observe, so you can also use the namo_gif_gr tool. The password obtained is y2f0y2hfdghlx2r5bmftawnfzmxhz19pc19xdw10zv9zaw1wbgu=. Obviously this password is encoded: the character range is 0-9a-z and it ends with =, so we judge it to be Base64; decoding gives catch_the_dynamic_flag_is_qumte_simple. This is the combination with an encoding method: some suspicious data is passed along, and steganography often comes together with encryption or encoding. Get to know the common encoding and encryption methods, and from the character range and length of the ciphertext you can tell which encryption or encoding it is.
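The header repair and frame inspection above, as an added example that is not code from the original post: it puts back a missing GIF8 prefix, then walks the GIF block structure to count frames and read each frame's delay, which is how you tell that an animation has 8 frames and plays very slowly. The sample GIF is a constructed skeleton (its image data is not valid LZW; only the block layout matters here).

```python
import struct


def repair_gif_header(data):
    """Put back the leading 'GIF8' of the signature when the file lost it, as the
    iscc2014 this.gif had (the remaining bytes then start with '9a' or '7a')."""
    return data if data[:4] == b"GIF8" else b"GIF8" + data


def _skip_subblocks(data, pos):
    """Skip a chain of length-prefixed data sub-blocks up to its 0x00 terminator."""
    while data[pos] != 0:
        pos += 1 + data[pos]
    return pos + 1


def gif_frames(data):
    """Walk the block structure and return one (delay_ms, width, height) per frame,
    which tells you how many frames to step through and how slowly they play."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("bad GIF signature: %r" % data[:6])
    packed = data[10]
    pos = 13
    if packed & 0x80:                         # global colour table present
        pos += 3 * (2 << (packed & 7))
    frames, delay = [], 0
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                     # trailer
            break
        if block == 0x21:                     # extension
            if data[pos + 1] == 0xF9:         # graphic control: delay in 1/100 s
                delay = struct.unpack_from("<H", data, pos + 4)[0] * 10
            pos = _skip_subblocks(data, pos + 2)
        elif block == 0x2C:                   # image descriptor = one frame
            w, h, lflags = struct.unpack_from("<HHB", data, pos + 5)
            pos += 10
            if lflags & 0x80:                 # local colour table
                pos += 3 * (2 << (lflags & 7))
            pos = _skip_subblocks(data, pos + 1)   # LZW code size byte, then image data
            frames.append((delay, w, h))
            delay = 0
        else:
            raise ValueError("unexpected block 0x%02x at offset %d" % (block, pos))
    return frames


def build_sample(n_frames, delay_cs):
    """Constructed GIF skeleton: 2x2 canvas, 2-entry global palette, n_frames frames
    of dummy image data, each delayed delay_cs hundredths of a second."""
    gif = b"GIF89a" + struct.pack("<HHBBB", 2, 2, 0x80, 0, 0) + b"\x00\x00\x00\xff\xff\xff"
    for _ in range(n_frames):
        gif += b"\x21\xf9\x04\x00" + struct.pack("<H", delay_cs) + b"\x00\x00"
        gif += b"\x2c" + struct.pack("<HHHHB", 0, 0, 2, 2, 0) + b"\x02\x02\x44\x01\x00"
    return gif + b"\x3b"


if __name__ == "__main__":
    damaged = build_sample(8, 1000)[4:]     # like this.gif: signature missing 'GIF8'
    print(gif_frames(repair_gif_header(damaged)))
```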

0x03 Carrier

When data is hidden, we often need to analyse where it is hidden, that is, what is being used as the carrier, and then further analyse whether it is encrypted or encoded. This means we have to understand the format of the picture, to know which areas are suspicious and which can hide information, since a format has redundant components. Take a JPG picture, for example. Besides hiding a message after the terminator as described earlier, a JPG can also hide information in its EXIF part. EXIF information is metadata about the digital photo inserted into the JPG header, such as which camera took it. We can also control this information: some of it can be modified by viewing the file properties, and it can also be edited with an EXIF editor. Power_exif can be used for editing.

Picture 11.png

You can see flag{appleu0}. What is needed is an understanding of the places where information can be hidden. Steganography is sometimes difficult because there are too many places in a picture to hide information, and sometimes even the hidden carrier cannot be found: to your eyes it is a normal picture.

0x04 Programming assistance

In some cases we do not have a ready-made tool to finish the job, and we can write some simple programs to assist the analysis, or the encryption and decryption. For example, SCTF's misc400 problem needs some simple programming. The problem gives a PNG image and asks us to find a flag in the form sctf{}.

This problem needs our understanding of the PNG image format. First with Stegsolve, LSB and the other views, nothing was found; then looking at the structure, I found some abnormal IDAT chunks. IDAT is the chunk that stores image data in a PNG. For extended reading on the PNG format, see this article:

Http://www.cnblogs.com/fengyv/archive/2006/04/30/2423964.html

It has a detailed introduction.

Picture 12.png

We can use pngcheck to help observe, which shows it more clearly: pngcheck.exe -v sctf.png

Picture 13.png

As you can see, the normal chunks are full at a length of 65524, while the penultimate IDAT chunk is 45027 and the last one is 138. Obviously the last IDAT chunk is problematic, because its data should have been merged into the penultimate chunk.

Picture 14.png

We use WinHex to cut out this abnormal IDAT chunk. Then we study the chunk: having found the carrier, we need to find a way to identify its rules. Observing that part of the data, you can see the hex begins with 78 9C, which a Baidu search shows is the zlib compression signature. The PNG entry on Baidu Baike also says that PNG IDAT uses a lossless data compression algorithm derived from LZ77, which can be decompressed with zlib. So we try to decode this data with zlib. Extended reading on zlib: http://zlib.net/
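The chunk inspection that pngcheck did above, plus the "out of place IDAT" rule from the chunk lengths and the zlib step, as an added example that is not code from the original post or the SCTF challenge. The PNG is constructed inline: only its chunk layout is meaningful, the IDAT bodies are not real image data, and the hidden payload is a 5x5 bit pattern standing in for the 25x25 one.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunks(data):
    """Yield (type, offset, length, body, crc_ok) for every chunk, like pngcheck -v."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos = 8
    while pos + 12 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack_from(">I", data, pos + 8 + length)[0]
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc
        yield ctype.decode("ascii"), pos, length, body, crc_ok
        pos += 12 + length


def suspicious_idat(data):
    """An encoder fills IDAT chunks to one fixed size and only the last one is
    shorter. An IDAT that comes after an already-short IDAT (the 138-byte chunk
    after the 45027-byte one above) did not come from the encoder; return it."""
    idats = [c for c in png_chunks(data) if c[0] == "IDAT"]
    if not idats:
        return None
    full = idats[0][2]
    for prev, cur in zip(idats, idats[1:]):
        if prev[2] < full:
            return cur
    return None


def hidden_bits(chunk):
    """Inflate the odd chunk on its own; the SCTF payload was ASCII '0'/'1' bytes."""
    raw = zlib.decompress(chunk[3])
    return raw.decode("ascii") if set(raw) <= {0x30, 0x31} else None


def make_chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample(secret_bits):
    """Constructed PNG container: IHDR, two full 16-byte IDATs, one short tail, then
    an extra IDAT holding a zlib stream of secret_bits, then IEND."""
    ihdr = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 25, 25, 8, 2, 0, 0, 0))
    bodies = [b"\x00" * 16, b"\x00" * 16, b"\x00" * 5, zlib.compress(secret_bits.encode())]
    idats = b"".join(make_chunk(b"IDAT", b) for b in bodies)
    return PNG_SIG + ihdr + idats + make_chunk(b"IEND", b"")


def as_square(bits):
    """Lay an n*n bit string out as rows: the 25x25 step that revealed the QR code."""
    n = int(len(bits) ** 0.5)
    if n * n != len(bits):
        raise ValueError("%d bits is not a square" % len(bits))
    return [bits[i:i + n] for i in range(0, len(bits), n)]


if __name__ == "__main__":
    png = build_sample("1111110001101011000111111")
    print([(c[0], c[2], c[4]) for c in png_chunks(png)])
    print("\n".join(as_square(hidden_bits(suspicious_idat(png)))))
```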

We use Python to do the processing; first, the data is stored as hex.

Picture 15.png

Getting the hex makes Python processing convenient. The first 4 bytes are the length, then the chunk type IDAT, then the data begins and runs until D9 CF A5 A8, which is the CRC32 check. So the actual data is:

789c5d91011280400802bf04ffff5c75294b5537738a21a27d1e49cfd17db3937a92e7e603880a6d485100901fb0410153350de83112ea2d51c54ce2e585b15a2fc78e8872f51c6fc1881882f93d372def78e665b0c36c529622a0a45588138833a170a2071ddcd18219db8c0d465d8b6989719645ed9c11c36ae3abdaefcfc0acf023e77c17c7897667

Then use Python to do the zlib decompression:

```python
#!/usr/bin/env python3
import zlib
import binascii

# The data field of the abnormal IDAT chunk (length, type and CRC fields removed)
IDAT = bytes.fromhex("789C5D91011280400802BF04FFFF5C75294B5537738A21A27D1E49CFD17DB3937A92E7E603880A6D485100901FB0410153350DE83112EA2D51C54CE2E585B15A2FC78E8872F51C6FC1881882F93D372DEF78E665B0C36C529622A0A45588138833A170A2071DDCD18219DB8C0D465D8B6989719645ED9C11C36AE3ABDAEFCFC0ACF023E77C17C7897667")
# print(IDAT)
result = binascii.hexlify(zlib.decompress(IDAT))   # hex of the decompressed bytes
print(result)
# print(zlib.decompress(IDAT))                     # the same bytes shown as text
```

We find that the result consists of 30 and 31 bytes; 30 and 31 are the hex codes of the characters 0 and 1, and converting from hex gives a 625-character string of 0s and 1s.

1111111000100001101111111100000101110010110100000110111010100000000010111011011101001000000001011101101110101110110100101110110000010101011011010000011111111010101010101111111000000001011101110000000011010011000001010011101101111010101001000011100000000000101000000001001001101000100111001111011100111100001110111110001100101000110011100001010100011010001111010110000010100010110000011011101100100001110011100100001011111110100000000110101001000111101111111011100001101011011100000100001100110001111010111010001101001111100001011101011000111010011100101110100100111011011000110000010110001101000110001111111011010110111011011

The resulting string of 0s and 1s has 625 characters, which is divisible by neither 8 nor 7, so it cannot be converted directly into ASCII.

Picture 16.png

Then I noticed that 625 = 25*25, exactly a square, so I tried arranging these 0s and 1s into a square to see what they are. Drawing with Python's PIL is very convenient; Kali has it, while on Windows the PIL third-party library needs to be installed.

```python
#!/usr/bin/env python3
from PIL import Image

MAX = 25   # 625 bits = 25 x 25
pic = Image.new("RGB", (MAX, MAX))
bits = "1111111000100001101111111100000101110010110100000110111010100000000010111011011101001000000001011101101110101110110100101110110000010101011011010000011111111010101010101111111000000001011101110000000011010011000001010011101101111010101001000011100000000000101000000001001001101000100111001111011100111100001110111110001100101000110011100001010100011010001111010110000010100010110000011011101100100001110011100100001011111110100000000110101001000111101111111011100001101011011100000100001100110001111010111010001101001111100001011101011000111010011100101110100100111011011000110000010110001101000110001111111011010110111011011"
i = 0
for y in range(0, MAX):
    for x in range(0, MAX):
        if bits[i] == '1':
            pic.putpixel((x, y), (0, 0, 0))         # 1 -> black
        else:
            pic.putpixel((x, y), (255, 255, 255))   # 0 -> white
        i = i + 1
pic.show()
pic.save("flag.png")
```

The result is a QR code: draw 0 as white and 1 as black, and then it may need to be rotated a little to scan. After processing we get the QR code, and scanning it gives the flag.

Picture 17.png

Picture 18.png

sctf{(121.518549,25.040854)}, and the flag is received successfully.

In some cases it is impossible to handle things with ready-made tools, so we need to solve them with programming. Python's PIL is a good thing; it may be needed for batch processing of pictures.

0x05 Double view

There is one more special situation: sometimes you are given two pictures, or you need to look for the original image to compare against when searching for hidden information. This is generally because the information hidden in a picture is too well hidden to locate its specific position or content, so it is time to use some comparison techniques to find it. For example, ISG2014's misc200 gives two pictures like this. In some cases, the second picture needs to be found on your own.

Let us look at the isg2014-misc200 problem. It gives a PNG picture, and with a PNG one worries that a RAR or the like is hidden inside, so we first run the binwalk command under Linux.

Picture 19.png

Running it, we find there are two PNG images. binwalk gives an offset, determined to be 0x1D55DC; with WinHex we cut out the second picture and save it to 2.png. The original Final.png with the back part deleted is saved to 1.png. To the naked eye the two pictures are not very different, so we use software to help us distinguish them.

Picture 20.png

The compare command under Linux can compare the two and create a difference picture diff.png: compare 1.png 2.png diff.png. Observe that there is an anomaly in the lower left corner; the PNG pixel data is stored from left to right and from bottom to top.

Picture 21.png

We found that the second pixel in the lower left has an anomaly; comparing 1.png and 2.png shows that 2.png has a problem. Then we can use the artifact Stegsolve to assist: Stegsolve -> Analyse -> Image Combiner compares two files. Looking at Sub or XOR, you can find that in the lower left corner the second pixel is abnormal, showing some red.

Picture 22.png

Take the Sub of 1.png and 2.png and save the result to solved.bmp.

Then 2.png is saved as 2.bmp in 24-bit bitmap format. This is because PNG images are compressed and cannot be compared byte by byte directly, while BMP pictures are not compressed and directly store the data of each pixel.

There is a pitfall in the problem. The PNG image is scanned from left to right and from bottom to top. The pitfall is that the information hidden in the image is not at the beginning of the pixel data but on the second row of pixels, so we need to use the advantage of BMP, uncompressed storage, to easily find the offset and locate where the information is hidden. Opening it with WinHex, black pixels are stored as 00 in the BMP, so we look for places that are not 00. The offset 0x1110 can be found.

Picture 23.png

There are non-00 bytes there. At first I thought these were the flag information, but later I found that the sub of the two pictures affected the result; the real information is hidden in 2.png. So open 2.bmp, converted from 2.png, and with the offset obtained from the previous diff, find the place 0x1110 up to the end at 0x1330: this is the hidden information.

Picture 24.png

Picture 25.png

There are only 00 and 01 bytes. This is because of the RGB layout: the information is hidden only in the R channel, and the other channels are the normal pixel information of the picture, which is filtered out.

00010000010000010001000100000101000100000001010100010101010001010001000000010001000001010001000000010101000001010001000101000001000100010101010100010001000001010001010100010000000100000001000100010100000101010000010100010000000101000101010000000101000000000001010000010101000100010000010000000101000100000001010100000000000100000100000000010101010000010001010101010001

Observe that the odd hex digits are all 0 and are superfluous, so remove them: replace 00 directly with 0 and 01 with 1.

0100100101010011010001110111101101000101001101000111001101011001010111110101001101110100010001010110011100110100011011100011000001100111010100100011010001110000010010000111100101111101

After getting this, you can see that its length is 184, a multiple of 8, so convert it to ASCII. You can use the JPK tool for the conversion; the download link is Www.wechall.net/applet/JPK_406.jar.

Comparing with 2.bmp, you can find that the hidden information is these 00 and 01 bytes, and that part is cut out.

Picture 26.png

JPK -> Binary -> Binary to ASCII

Picture 27.png

You get the flag: isg{e4sy_steg4n0gr4phy}

This is the use of two images to look for differences and so find where information is hidden; it is often needed because a single picture provides too little information.
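The whole two-image procedure above (convert to uncompressed BMP, diff the bytes to find the region, keep only the R byte of each pixel, read 00/01 as bits, binary to ASCII) as an added example that is not code from the original post or the ISG challenge. The two BMPs are constructed inline with a small 24-bit writer: 8 pixels wide, black, with the message written as 0/1 red values starting on the second row from the bottom; bits_to_ascii is the JPK step and can be run on the 184-bit string above as well.

```python
import struct

WIDTH = 8   # constructed sample: 8 pixels per row = 24 bytes, so no row padding


def make_bmp(rows):
    """Constructed 24-bit uncompressed BMP writer. rows: bottom row first (BMP stores
    rows bottom-up), each a list of (r, g, b); each pixel is written as B, G, R."""
    body = b"".join(bytes((b, g, r)) for row in rows for r, g, b in row)
    offset = 14 + 40
    hdr = struct.pack("<2sIHHI", b"BM", offset + len(body), 0, 0, offset)
    dib = struct.pack("<IiiHHIIiiII", 40, WIDTH, len(rows), 1, 24, 0, len(body), 2835, 2835, 0, 0)
    return hdr + dib + body


def embed_in_red(message, height):
    """Write message bits as the R byte (0 or 1) of otherwise black pixels, starting
    on the second row from the bottom, which is where the ISG image had them."""
    bits = "".join(format(c, "08b") for c in message.encode())
    rows = [[(0, 0, 0)] * WIDTH for _ in range(height)]
    for i, bit in enumerate(bits):
        rows[1 + i // WIDTH][i % WIDTH] = (int(bit), 0, 0)
    return make_bmp(rows)


def diff_region(clean, stego):
    """Offsets of the first and last differing byte: the 0x1110..0x1330 found above."""
    diffs = [i for i, (x, y) in enumerate(zip(clean, stego)) if x != y]
    return (diffs[0], diffs[-1]) if diffs else None


def red_bits(bmp, start, end):
    """Low bit of every R byte from the row holding start through the row holding
    end. G and B carry the normal picture and are skipped (the 00 01 pairs in WinHex)."""
    base = struct.unpack_from("<I", bmp, 10)[0]     # pixel array offset, from the file header
    row_size = (WIDTH * 3 + 3) & ~3
    first = base + ((start - base) // row_size) * row_size
    last = base + ((end - base) // row_size + 1) * row_size
    return "".join(str(bmp[off] & 1) for off in range(first + 2, last, 3))


def bits_to_ascii(bits):
    """Binary to ASCII, 8 bits per character: the step done with JPK above."""
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits) - len(bits) % 8, 8))


def recover(clean, stego):
    start, end = diff_region(clean, stego)
    return bits_to_ascii(red_bits(stego, start, end))


# Constructed demo: 26 rows, 23 characters = 184 bits filling rows 1..23 from the bottom.
CLEAN = make_bmp([[(0, 0, 0)] * WIDTH for _ in range(26)])
STEGO = embed_in_red("ISG{E4sY_StEg4n0gR4pHy}", 26)

if __name__ == "__main__":
    print(hex(diff_region(CLEAN, STEGO)[0]), recover(CLEAN, STEGO))
```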

0x06 Postscript

This summary is still missing a lot, because there is too much to write about steganography: for example, the redundant information in a JPG can also hide data inside the compressed stream, and other multimedia files such as audio and video files can carry hidden data too, so there is a lot to study. At the beginning I felt steganography was especially interesting, like a treasure hunt, and especially fun; I hope you can feel the joy too. Everyone is welcome to communicate with me; my blog address is http://appleu0.sinaapp.com/.

laterain 2015-03-21 09:42:28

I'm under welfare. Torrent, watch it together at night.

hamapi 2015-02-26 22:22:14

Worship

Sword 2015-02-21 23:02:58

The cult of Apple greatly

AppLeU0 2015-02-15 12:36:03

It depends on the type of picture: if you are looking at a GIF, you can view each frame; if you open a PNG picture, you can see the various color channels. You can open different types of pictures to try.

skysider 2015-02-15 12:00:08

Stegsolve Analyse's Frame Browser function is not viewed by frame; how can I see the image of each bit of each color channel?

Sicmatrix 2015-02-13 16:39:37

Siri lying gun

Sicmatrix 2015-02-13 16:32:54

I wrote a picture maker in C for the benefit of the masses: Http://pan.baidu.com/s/1hqvMOfE

AppLeU0 2015-02-13 10:11:43

Worship AppLeU0, the Great God

0xmuhe 2015-02-13 00:42:57

Worship U0 Big ~ ~

th1nk 2015-02-12 22:11:26

Please out of the CTF pictures of the gods @cyrils

Lazy Drip 1994 2015-02-12 16:39:50

That may involve a lot, what F5 algorithm, audio, video is mainly copyright.

Sky 2015-02-12 15:51:44

mark~

sco4x0 2015-02-12 12:46:51

U0 Big 666, collection.

Fourth Dimension 2015-02-12 12:29:33

Work, study, with this article, after doing CTF, are not afraid!

Knight 2015-02-11 23:56:15

Less audio steganography.

linkbg 2015-02-11 23:31:34

Study. It's really pure dry. Come on. Thank you

Monkey 2015-02-11 20:20:21

Worship cows silently, the CTF on this mixed

Liyang 2015-02-11 16:25:59

Mark CTF Essentials ~

bangs brother 2015-02-11 16:10:37

I remember reading a similar article, it is great! There are many games in this project!

Cert.pem 2015-02-11 15:37:53

32.75G of steganography tutorial ... AppLeU0 I'm going to give you a monkey!

Peony Floral 2015-02-11 14:29:59

Being pulled together to worship AppLeU0, the great God.

syjzwjj 2015-02-11 14:24:04

U0 to seek seeds!

Cat Flow 2015-02-11 13:15:29

Worship AppLeU0, the Great God

AppLeU0 2015-02-11 12:17:22

At the beginning of the Baidu link there is a diagram of the quick to see

AppLeU0 2015-02-11 12:16:31

Master will take me to fly.

Dark plume 2015-02-11 12:15:09

Seeking welfare. torrent

SpongeBob SquarePants 2015-02-11 11:55:28

AppLeU0 I'm going to give you a baby.

Summer 2015-02-11 11:48:14

AppLeU0 Mighty, Take Me to fly

covertops 2015-02-11 11:15:59

Seeking welfare. torrent

Wilson 2015-02-11 10:46:20

AppLeU0 Daniel good cock mom no longer have to worry about me not being a CTF.
