- Portals
- The Current Year
- ED in the News
- Admins
- Help ED Rebuild
- Archive
- ED Bookmarklet
- Donate Bitcoin
Contact an admin on Discord or EDF if you want an account. Also fuck bots.
Embedded files: Difference between revisions
imported>Writen unclear No edit summary |
imported>Writen unclear |
||
| Line 56: | Line 56: | ||
== Steganography == | == Steganography == | ||
For most of the above methods, the embedded files are fairly easy to detect, whether by script or by eye. Steganography is the art of making embedded files hard to detect | |||
The [http://goldaccount.byethost4.com/ 4chan Gold File Embedder] is another Java program that embeds files in images, but will be harder for moot to block because it uses an LSB-based steganography scheme to attach files, rather than appending them after the end of the image. It also includes a web interface; if you run the 4chan Gold proxy on your machine, and connect to 4chan through it, you can embed and extract files whenever you post or view an image. Source code is included in the JAR file. The minimum required Java version is 5.0. | The [http://goldaccount.byethost4.com/ 4chan Gold File Embedder] is another Java program that embeds files in images, but will be harder for moot to block because it uses an LSB-based steganography scheme to attach files, rather than appending them after the end of the image. It also includes a web interface; if you run the 4chan Gold proxy on your machine, and connect to 4chan through it, you can embed and extract files whenever you post or view an image. Source code is included in the JAR file. The minimum required Java version is 5.0. | ||
Revision as of 03:43, 24 May 2011
An embedded file is a file that is stored or hidden inside another file, particularly inside an image which may then be posted to the *chans. For example, concatenating a JPEG file with a RAR file produces an embedded archive which can be read either as a JPEG or a RAR, depending on how it's opened.
File concatenation
One of the most common ways of embedding files into images is simple concatenation. It usually doesn't matter what the first file is, but it should be a GIF, JPEG, or PNG file if you want to post it to 4chan. If the second file should be one of the following types, it will still be readable when opened with the appropriate program:
In addition:
- OGG sound files appended to images and posted to 4chan can be played with the 4chan sounds userscript.
- Broken web pages occasionally append HTML to the end of the images they serve. In most cases, the contents are unremarkable. But several images from the diaper fetish website wetherbed.com contain the login credentials. These images are often reposted in diaper fetish threads on /b/ with the posters unaware of what's in them. You can find this information by opening the files in a text editor such as Wordpad, and searching for "password".
Examples
In Windows:
copy /B foo.jpg + bar.rar foobar.jpg
In *nix:
cat foo.jpg bar.rar > foobar.jpg
Both of these examples will create a file named foobar.jpg, that when viewed graphically is identical to foo.jpg, but when unrar'd contains the contents of bar.rar.
Why does it work?
Many types of compressed archives (7Z, RAR, ZIP) can be distributed as self-extracting files, which are composed of an executable file concatenated with the archive. So these types of files are designed to be readable even if they're appended to another file.
Blocked on 4chan
Embedded 7Z, RAR, and ZIP files are currently blocked on 4chan, giving posters the message "Image file contains embedded archive." RAR files in particular are prohibited by lit rules. But as in the case of 4chan.js, moot's jpg-rar filter is easy to circumvent, since he isn't scanning the whole file, only the first and last 64 KB first 256 KB and last 64 KB. All you generally need to do to get around it is add padding after the image (using several copies of the image will do) to push the beginning of the RAR file past the 256 KB threshold. See instructions in the image to the right.
Some other ways of evading the filter are:
- Alter the magic number in the RAR file, for example by replacing "Rar!" with "Bar!". Use a hex editor to do this so you don't make other unintentional changes to the file.
- Concatenate the image and file without compressing the file. If file isn't an archive, it most likely won't be blocked. But if the file isn't one of the types listed above, you'll need to use a hex editor to extract it. If the image is a JPEG file, search for FF D9 to find the end of the image data, and delete it. Alternatively, those of you not versed in Computer Science III may want to try this Greasemonkey script, which can detect the added data in images on 4chan and split the image back up into its original pieces. Also useful for telling fake jpeg-rar books from real ones. Do not use this technique to upload source code or HTML files as this may trigger the anti-4chan.js filter and get you banned.
You can also try one of the other methods of embedding archives:
Cornelian archives
These are archives embedded into the image data of a Windows bitmap, then converted it to a PNG so you can post it on 4chan. Historically this format was used by Cornelia to post the dox of infected users. Moot never figured out how to block Cornelia, and instead gave up and added CAPTCHA to 4chan, so we can expect Cornelian archives to remain unblocked for some time. They can also fit into a smaller file size than JPEG-RARs with the now-required 256 KB of padding, and can be posted even on sites that strip off data appended after the image.
To create one, start with a .bmp file that's large enough to hold the archive. The image must be at least 54 bytes longer than the archive. It's also important that the image width is a multiple of 4. Any title or instructions you want to include should be at the top of the image, in the space that will be left over after embedding the archive. Then on Linux / OS X you can do:
head -c 54 foo.bmp > tmp cat bar.7z >> tmp dd if=tmp of=foo.bmp conv=notrunc convert foo.bmp foo.png
To extract the files from a Cornelian archive:
- Convert the image to a .bmp file (you can do this by resaving it in MSPaint). Make sure the file type is set to 24-bit Windows bitmap (no alpha channel).
- Open the .bmp file with 7-Zip or WinRAR.
ChanGrouper
ChanGrouper (v1:[2] v2:[3]) is a Java program that appends files and their names to images in its own special format, and extracts files added to images by others. It is similar to pFBind, except that pFBind is now blocked from 4chan, whereas ChanGrouper has not been blocked yet. The ChanGrouper websites are often down; if you can't reach them now, try again later. The original source code of the program is included in the JAR file; you can examine it by downloading the file and either renaming it to .zip or opening it in your favorite archiver.
Steganography
For most of the above methods, the embedded files are fairly easy to detect, whether by script or by eye. Steganography is the art of making embedded files hard to detect
The 4chan Gold File Embedder is another Java program that embeds files in images, but will be harder for moot to block because it uses an LSB-based steganography scheme to attach files, rather than appending them after the end of the image. It also includes a web interface; if you run the 4chan Gold proxy on your machine, and connect to 4chan through it, you can embed and extract files whenever you post or view an image. Source code is included in the JAR file. The minimum required Java version is 5.0.
Google will find you all sorts of other steganography utilities, some of them much harder to block. One of the better ones is steghide. The downside is that the hardest-to-block steganography tools typically require you to use a cover image at least 5-20 times the size of the hidden file. This can run you up against 4chan's file size limit.