Embedded files: Difference between revisions

From Encyclopedia Dramatica
imported>Writen unclear
No edit summary
imported>Writen unclear
Line 26: Line 26:


== Blocked on 4chan ==
== Blocked on 4chan ==
[[Image:Evading_the_4chan_Lithursday_Filter.png|thumb|The modern technique for posting embedded archives on 4chan, working as of May 23, 2011.]]
Embedded 7Z, RAR, and ZIP files are currently blocked on [[4chan]], giving posters the message "Image file contains embedded archive."  RAR files in particular are prohibited by [[/lit/]] rules.  But as in the case of [[4chan.js]], moot's jpg-rar filter is easy to circumvent, since he isn't scanning the whole file, only the <strike>first and last 64 KB</strike> first 256 KB and last 64 KB.  All you generally need to do to get around it is add padding after the image (using several copies of the image will do) to push the beginning of the RAR file past the 256 KB threshold.  See instructions in the image below.
Embedded 7Z, RAR, and ZIP files are currently blocked on [[4chan]], giving posters the message "Image file contains embedded archive."  RAR files in particular are prohibited by [[/lit/]] rules.  But as in the case of [[4chan.js]], moot's jpg-rar filter is easy to circumvent, since he isn't scanning the whole file, only the <strike>first and last 64 KB</strike> first 256 KB and last 64 KB.  All you generally need to do to get around it is add padding after the image (using several copies of the image will do) to push the beginning of the RAR file past the 256 KB threshold.  See instructions in the image below.


[[Image:Evading_the_4chan_Lithursday_Filter.png|thumb|The modern technique for posting embedded archives on 4chan, working as of May 23, 2011.]]
If or when moot fixes his filter, a number of fallbacks are available:
 
===Cornelian archives===
Embed an archive into the image data of a [[MS Paint|Windows bitmap]], then convert it to a PNG so you can post it on 4chan.  This was the format historically used by [[Cornelia]] to post the [[dox]] of infected users.  Moot never figured out how to block Cornelia, and instead gave up and added [[CAPTCHA]] to 4chan, so we can expect Cornelian archives to remain unblocked for some time.  They can also fit into a smaller file size than JPEG-RARs with 256 KB of padding, and can be posted even on sites that strip off data appended after the image.
 
Start with a .bmp file that's large enough to hold the archive.  The image must be at least 54 bytes longer than the archive.  It's also important that the image width is a multiple of 4.  Any title or instructions you want to include should be at the top of the image, in the space that will be left over after embedding the archive. Then on Linux / OS X you can do:


If or when moot fixes his filter, a number of fallbacks are available:
head -c 54 foo.bmp > tmp
cat bar.7z >> tmp
dd if=tmp of=foo.bmp conv=notrunc
convert foo.bmp foo.png


* Cornelian archives: Embed an archive into the image data of a [[MS Paint|Windows bitmap]], then convert it to a PNG so you can post it on 4chanThis was the format historically used by [[Cornelia]] to post the [[dox]] of infected users.  Moot never figured out how to block Cornelia, and instead gave up and added [[CAPTCHA]] to 4chan, so we can expect Cornelian archives to remain unblocked for some time.  They can also fit into a smaller file size than JPEG-RARs with 256 KB of padding.  The files can be extracted by resaving the image as a .bmp file (24-bit Windows bitmap, no alpha channel), and opening it with 7-Zip or WinRAR.  You don't need any special software to extract them; MSPaint will work.  In some image editors it is necessary to flip the image vertically before resaving.
To extract the files from a Cornelian archive:
# Convert the image to a .bmp file (you can do this by resaving it in MSPaint)Make sure the file type is set to 24-bit Windows bitmap (no alpha channel).
# Open the .bmp file with 7-Zip or WinRAR.


* Alter the magic number in the RAR file, for example by replacing "Rar!" with "Bar!".  Use a hex editor to do this so you don't make other unintentional changes to the file.
===Changing the magic number===
Alter the magic number in the RAR file, for example by replacing "Rar!" with "Bar!".  Use a hex editor to do this so you don't make other unintentional changes to the file.


* Concatenate the image and file without compressing the file.  If file isn't an archive, it most likely won't be blocked.  But if the file isn't one of the types listed above, you'll need to use a hex editor to extract it.  If the image is a JPEG file, search for FF D9 to find the end of the image data, and delete it.  Alternatively, those of you not versed in Computer Science III may want to try [http://userscripts.org/scripts/show/40343 this] Greasemonkey script, which can detect the added data in images on 4chan and split the image back up into its original pieces.  Also useful for telling fake jpeg-rar books from real ones.  Do '''not''' use this technique to upload source code or HTML files as this may trigger the anti-[[4chan.js]] filter and get you banned.
===Concatenation without compression===
Concatenate the image and file without compressing the file.  If file isn't an archive, it most likely won't be blocked.  But if the file isn't one of the types listed above, you'll need to use a hex editor to extract it.  If the image is a JPEG file, search for FF D9 to find the end of the image data, and delete it.  Alternatively, those of you not versed in Computer Science III may want to try [http://userscripts.org/scripts/show/40343 this] Greasemonkey script, which can detect the added data in images on 4chan and split the image back up into its original pieces.  Also useful for telling fake jpeg-rar books from real ones.  Do '''not''' use this technique to upload source code or HTML files as this may trigger the anti-[[4chan.js]] filter and get you banned.


* ChanGrouper (v1:[http://chngrpr.atspace.us/chngrpr.jar] v2:[http://chg2.atspace.us/chngrpr2.jar]) is a [[Java]] program that appends files and their names to images in its own special format, and extracts files added to images by others.  It is similar to [[pFBind]], except that [[pFBind]] is now blocked from 4chan, whereas ChanGrouper has not been blocked yet.  The ChanGrouper websites are often down; if you can't reach them now, try again later.  The original source code of the program is included in the JAR file; you can examine it by downloading the file and either renaming it to .zip or opening it in your favorite archiver.
===ChanGrouper===
ChanGrouper (v1:[http://chngrpr.atspace.us/chngrpr.jar] v2:[http://chg2.atspace.us/chngrpr2.jar]) is a [[Java]] program that appends files and their names to images in its own special format, and extracts files added to images by others.  It is similar to [[pFBind]], except that [[pFBind]] is now blocked from 4chan, whereas ChanGrouper has not been blocked yet.  The ChanGrouper websites are often down; if you can't reach them now, try again later.  The original source code of the program is included in the JAR file; you can examine it by downloading the file and either renaming it to .zip or opening it in your favorite archiver.


* The [http://goldaccount.byethost4.com/ 4chan Gold File Embedder] is another Java program that embeds files in images, but will be harder for moot to block because it uses an LSB-based steganography scheme to attach files, rather than appending them after the end of the image.  It also includes a web interface; if you run the 4chan Gold proxy on your machine, and connect to 4chan through it, you can embed and extract files whenever you post or view an image.  Source code is included in the JAR file.  The minimum required Java version is 5.0.
===4chan Gold File Embedder===
The [http://goldaccount.byethost4.com/ 4chan Gold File Embedder] is another Java program that embeds files in images, but will be harder for moot to block because it uses an LSB-based steganography scheme to attach files, rather than appending them after the end of the image.  It also includes a web interface; if you run the 4chan Gold proxy on your machine, and connect to 4chan through it, you can embed and extract files whenever you post or view an image.  Source code is included in the JAR file.  The minimum required Java version is 5.0.


* [[Google]] will find you all sorts of other steganography utilities, some of them much harder to block.  One of the better ones is [http://steghide.sourceforge.net/ steghide].  The downside is that the hardest-to-block steganography tools typically require you to use a cover image at least 5-20 times the size of the hidden file.  This can run you up against 4chan's file size limit.
===Steganography===
[[Google]] will find you all sorts of other steganography utilities, some of them much harder to block.  One of the better ones is [http://steghide.sourceforge.net/ steghide].  The downside is that the hardest-to-block steganography tools typically require you to use a cover image at least 5-20 times the size of the hidden file.  This can run you up against 4chan's file size limit.


== Accidental file synthesis ==
== Accidental file synthesis ==
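Review bot: the "Blocked on 4chan" paragraph still ends with "See instructions in the image below." although this revision moves the [[Image:Evading_the_4chan_Lithursday_Filter.png]] thumb above that paragraph; reword the sentence or leave the thumb after it. Turning the Cornelian archives bullet into a subsection also drops the old sentence "In some image editors it is necessary to flip the image vertically before resaving." from the extraction steps; restore it in the numbered list if the omission is not intended. The new headings are written as "===Cornelian archives===" with no spaces inside the equals signs, unlike "== Blocked on 4chan ==" on the same page; pick one style.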

Revision as of 02:41, 24 May 2011

As explained by this confusing collection of boxes

Combining different filetypes into a single file, such that the appropriate data is preserved with respect to how the file is being read. This is usually accomplished by concatenating the files together.

Compatible file types

It usually doesn't matter what the first file is, but it should be a GIF, JPEG, or PNG file if you want to post it to 4chan. The second file should be one of these types:

OGG sound files appended to images and posted to 4chan can be played with the 4chan sounds userscript.

Examples

In Windows:

copy /B foo.jpg + bar.rar foobar.jpg

In *nix:

cat foo.jpg bar.rar > foobar.jpg

Both of these examples will create a file named foobar.jpg, that when viewed graphically is identical to foo.jpg, but when unrar'd contains the contents of bar.rar.

Why does it work?

Many types of compressed archives (7Z, RAR, ZIP) can be distributed as self-extracting files, which are composed of an executable file concatenated with the archive. So these types of files are designed to be readable even if they're appended to another file.

Blocked on 4chan

The modern technique for posting embedded archives on 4chan, working as of May 23, 2011.

Embedded 7Z, RAR, and ZIP files are currently blocked on 4chan, giving posters the message "Image file contains embedded archive." RAR files in particular are prohibited by /lit/ rules. But as in the case of 4chan.js, moot's jpg-rar filter is easy to circumvent, since he isn't scanning the whole file, only the first 256 KB and last 64 KB. All you generally need to do to get around it is add padding after the image (using several copies of the image will do) to push the beginning of the RAR file past the 256 KB threshold. See instructions in the image below.
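A server-side check for the weakness described above, as an added example (not code from the original page or from 4chan): instead of searching fixed windows for archive signatures, it parses the image to its structural end and rejects any upload that has bytes after it. The function names and sample bytes are constructed for illustration, and GIF is not handled.

```python
import struct

RST = set(range(0xD0, 0xD8))  # restart markers, legal inside JPEG scan data
MAGIC = {b"Rar!\x1a\x07": "RAR", b"7z\xbc\xaf\x27\x1c": "7Z", b"PK\x03\x04": "ZIP"}

def png_end(data):
    """Offset just past IEND, found by walking chunk lengths (CRCs not checked)."""
    pos = 8  # skip the 8-byte PNG signature
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # length field + type + data + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("PNG has no IEND chunk")

def jpeg_end(data):
    """Offset just past the real EOI; an FF D9 inside a segment is skipped."""
    pos, n = 2, len(data)  # skip SOI
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            raise ValueError("expected a JPEG marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:
            return pos + 2
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
        elif marker == 0x01 or marker in RST:  # markers with no length field
            pos += 2
        else:
            pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
            if marker == 0xDA:  # scan data: step over stuffed FF 00 and RSTn
                while pos + 2 <= n and (data[pos] != 0xFF or data[pos + 1] in RST | {0}):
                    pos += 1
    raise ValueError("JPEG has no EOI marker")

def inspect_upload(data):
    """Reject on any byte after the image's structural end, magic number or not."""
    is_png = data[:8] == b"\x89PNG\r\n\x1a\n"
    if not is_png and data[:2] != b"\xff\xd8":
        raise ValueError("only PNG and JPEG are handled in this example")
    end = png_end(data) if is_png else jpeg_end(data)
    tail = data[end:]
    kinds = sorted(name for magic, name in MAGIC.items() if magic in tail)
    return {"trailing_bytes": len(tail), "archive_magic": kinds, "reject": bool(tail)}

# Constructed sample: SOI, an APP1 segment that itself contains FF D9, SOS, scan, EOI.
SAMPLE_JPEG = (b"\xff\xd8" b"\xff\xe1\x00\x0cExif\x00\x00\xff\xd8\xff\xd9"
               b"\xff\xda\x00\x02" b"\x12\xff\x00\x34\xff\xd0\x56" b"\xff\xd9")
PADDED = SAMPLE_JPEG + bytes(300 * 1024) + b"Rar!\x1a\x07" + b"constructed payload"
```

The verdict depends only on `trailing_bytes`, so neither padding nor an altered signature changes it; `archive_magic` is kept for logging. Payloads stored inside the pixel data itself are outside what a trailing-data check can see.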

If or when moot fixes his filter, a number of fallbacks are available:

Cornelian archives

Embed an archive into the image data of a Windows bitmap, then convert it to a PNG so you can post it on 4chan. This was the format historically used by Cornelia to post the dox of infected users. Moot never figured out how to block Cornelia, and instead gave up and added CAPTCHA to 4chan, so we can expect Cornelian archives to remain unblocked for some time. They can also fit into a smaller file size than JPEG-RARs with 256 KB of padding, and can be posted even on sites that strip off data appended after the image.

Start with a .bmp file that's large enough to hold the archive. The image must be at least 54 bytes longer than the archive. It's also important that the image width is a multiple of 4. Any title or instructions you want to include should be at the top of the image, in the space that will be left over after embedding the archive. Then on Linux / OS X you can do:

head -c 54 foo.bmp > tmp
cat bar.7z >> tmp
dd if=tmp of=foo.bmp conv=notrunc
convert foo.bmp foo.png

To extract the files from a Cornelian archive:

  1. Convert the image to a .bmp file (you can do this by resaving it in MSPaint). Make sure the file type is set to 24-bit Windows bitmap (no alpha channel).
  2. Open the .bmp file with 7-Zip or WinRAR.

Changing the magic number

Alter the magic number in the RAR file, for example by replacing "Rar!" with "Bar!". Use a hex editor to do this so you don't make other unintentional changes to the file.

Concatenation without compression

Concatenate the image and file without compressing the file. If the file isn't an archive, it most likely won't be blocked. But if the file isn't one of the types listed above, you'll need to use a hex editor to extract it. If the image is a JPEG file, search for FF D9 to find the end of the image data, and delete it. Alternatively, those of you not versed in Computer Science III may want to try this Greasemonkey script, which can detect the added data in images on 4chan and split the image back up into its original pieces. Also useful for telling fake jpeg-rar books from real ones. Do not use this technique to upload source code or HTML files as this may trigger the anti-4chan.js filter and get you banned.

ChanGrouper

ChanGrouper (v1:[2] v2:[3]) is a Java program that appends files and their names to images in its own special format, and extracts files added to images by others. It is similar to pFBind, except that pFBind is now blocked from 4chan, whereas ChanGrouper has not been blocked yet. The ChanGrouper websites are often down; if you can't reach them now, try again later. The original source code of the program is included in the JAR file; you can examine it by downloading the file and either renaming it to .zip or opening it in your favorite archiver.

4chan Gold File Embedder

The 4chan Gold File Embedder is another Java program that embeds files in images, but will be harder for moot to block because it uses an LSB-based steganography scheme to attach files, rather than appending them after the end of the image. It also includes a web interface; if you run the 4chan Gold proxy on your machine, and connect to 4chan through it, you can embed and extract files whenever you post or view an image. Source code is included in the JAR file. The minimum required Java version is 5.0.

Steganography

Google will find you all sorts of other steganography utilities, some of them much harder to block. One of the better ones is steghide. The downside is that the hardest-to-block steganography tools typically require you to use a cover image at least 5-20 times the size of the hidden file. This can run you up against 4chan's file size limit.

Accidental file synthesis

Broken web pages occasionally append HTML to the end of the images they serve. In most cases, the contents are unremarkable. But several images from the diaper fetish website wetherbed.com contain the login credentials. These images are often reposted in diaper fetish threads on /b/ with the posters unaware of what's in them. You can find this information by opening the files in a text editor such as Wordpad, and searching for "password".
