
Steganography


raven58
October 15th, 2001, 15:55
This little freeware program deals with the concept noted in the subject and is relevant in light of how some communication occurs over the internet today. It opens with a "nag or splash screen" with a disclaimer message. If you agree, you are taken into the program, and an interesting one it is. If you disagree, you exit the program. Of course, it would be interesting to bypass the nag and go straight to the program, and that's the aim of this little mini-project. Now I will say that this newbie played with it for a while and could not solve it. So we look to others for assistance and a detailed explanation as to how they accomplish the objective. Hopefully, those of us who couldn't solve it will add to our knowledge. Of course there is the possibility that no one solves it.

Raven58

Js
October 15th, 2001, 18:36
bpx destroywindow, f12 back till you see where the nag is called from, replace the CALL MFC42!ORD_09D2 with mov eax,1. I'm not proud, quick and dirty but it works.

BlackB
October 17th, 2001, 03:44
Some more detailed explanation ;-)

Set a breakpoint on ShowWindow. When the nag is drawn, click
on the accept button. You should be back in softice then. Execute
the ret's until you're back into the main program. (this is basic
stuff, you should know)

001B:0040F9AD MOV DWORD PTR [ESP+00000084],00000000
001B:0040F9B8 CALL 00410A22
001B:0040F9BD CMP EAX,01 <-
001B:0040F9C0 PUSH 00
001B:0040F9C2 JNZ 0040F9D4
001B:0040F9C4 MOV ECX,[ESI+20]
001B:0040F9C7 PUSH 00008009
001B:0040F9CC PUSH 00000111

You land where the arrow is.
001B:0040F9B8 CALL 00410A22 draws the nagscreen and checks
what button you pushed.
If the 'Accept' button was pushed EAX=00000001; if the 'Don't accept'
button was pushed EAX=00000002.

Solutions? (didn't try them tho, it's up to you)
1. edit the call with a hex editor so eax always gets the 01 value
without showing the nag (it's a matter of tracing the call with
softice and understanding how things work)
2. replace the call instruction with 'mov eax, 01'

Well, hope this was a bit more interesting than the above reply
Good luck.

greets,

The Blackbird

Js
October 17th, 2001, 05:26
you want to offer a more detailed explanation, fine, you don't like the above explanation, fine too.
"Well, hope this was a bit more interesting than the above reply"
leave it out

raven58
October 20th, 2001, 12:38
Js and blackb, I guess that was an easy exercise. I see that by changing the call at 40f9b8 to mov eax, 01 the nag is eliminated and everything works fine. And so it does. Sounds like both of you know this inside out. Of course for this newbie and perhaps others it was "wow": how did they arrive at destroywindow and showwindow, what led them to this call, how did they get into the code, etc. Seems like you took different paths to the same objective. It would be appreciated, at least by me, if you could expand this somewhat. Perhaps a tut might be called for so us newbies can increase our knowledge. Your time and effort is much appreciated.

raven58

jomamameister
October 23rd, 2001, 11:02
What I did was to do a lookup in Restorator for a dialog and found it to be 134 in dec, then convert that to hex = 86. After disassembly in W32Dasm look for the dialog 86 in the dialog section and it is easily found. Do a double-click on that and you land at the exact call to the dialog box. Search a little higher and you see that it is in turn called by 0040F9A4. Go to that spot and you see some code:

:0040F99E 6A00 push 00000000
:0040F9A0 8D4C2408 lea ecx, dword ptr [esp+08]
:0040F9A4 E8A729FFFF call 00402350
:0040F9A9 8D4C2404 lea ecx, dword ptr [esp+04]
:0040F9AD C784248400000000000000 mov dword ptr [esp+00000084], 00000000

* Reference To: MFC42.Ordinal:09D2, Ord:09D2h
|
:0040F9B8 E865100000 Call 00410A22 <--xor eax, eax, inc eax, nop, nop 31C0409090
:0040F9BD 83F801 cmp eax, 00000001
:0040F9C0 6A00 push 00000000
:0040F9C2 7510 jne 0040F9D4
:0040F9C4 8B4E20 mov ecx, dword ptr [esi+20]

So as you see above, just replace the call at 0040F9B8 with the code you see there and the call to the nag box is never initiated and the correct value is forced in eax. 1 = yes, 2 = no. Now the cmp is always true and the prog loads correctly. Hope this helps.
jomamameister
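The two replies above (BlackB's CMP EAX,01 / JNZ analysis and the 31C0409090 bytes in the listing) both turn on one detail: the original CALL is a 5-byte E8 rel32 instruction, so whatever replaces it must also be exactly 5 bytes and leave EAX holding 1. The following Python is an added example, not code from any poster; it decodes the bytes quoted in the W32Dasm listing to show where the call goes and what EAX ends up holding at the CMP. The addresses are the virtual addresses from the listing, and the tiny decoder covers only the opcodes that appear in the thread. The same check, run against the bytes at this site in a binary, tells you whether the call is still intact or has been replaced, which is the integrity question a defender asks about a modified executable.

```python
import struct

# Bytes and addresses as quoted in the W32Dasm listing above (constructed here from
# that listing; the VA is the image's virtual address, not a file offset).
CALL_SITE_VA = 0x0040F9B8
ORIGINAL_CALL = bytes.fromhex("E865100000")   # call 00410A22 (shows the nag, returns 1 or 2 in EAX)
PATCH_XOR_INC = bytes.fromhex("31C0409090")   # xor eax,eax / inc eax / nop / nop
PATCH_MOV_IMM = bytes.fromhex("B801000000")   # mov eax,1 (the other 5-byte encoding, as Js suggested)


def call_target(va, insn):
    """Decode an E8 rel32 near call: target = VA of the *next* instruction + signed rel32."""
    if len(insn) != 5 or insn[0] != 0xE8:
        raise ValueError("not a 5-byte E8 near call")
    rel32 = struct.unpack("<i", insn[1:5])[0]
    return (va + 5 + rel32) & 0xFFFFFFFF


def decode_site(va, code):
    """Toy decoder for just the opcodes in the thread: E8 rel32, B8 imm32,
    31 C0 (xor eax,eax), 40 (inc eax), 90 (nop).
    Returns (instructions, eax): eax is the constant EAX holds after the bytes,
    or None when control leaves the site (a call) and EAX comes from the callee."""
    insns, eax, i = [], None, 0
    while i < len(code):
        op = code[i]
        if op == 0xE8:
            insns.append(f"call {call_target(va + i, code[i:i + 5]):08X}")
            eax, i = None, i + 5
        elif op == 0xB8:
            eax = struct.unpack("<I", code[i + 1:i + 5])[0]
            insns.append(f"mov eax,{eax:08X}")
            i += 5
        elif code[i:i + 2] == b"\x31\xC0":
            eax = 0
            insns.append("xor eax,eax")
            i += 2
        elif op == 0x40:
            eax = None if eax is None else (eax + 1) & 0xFFFFFFFF
            insns.append("inc eax")
            i += 1
        elif op == 0x90:
            insns.append("nop")
            i += 1
        else:
            raise ValueError(f"opcode {op:02X} at +{i} not handled by this toy decoder")
    return insns, eax


def site_report(va, code):
    """Describe what the CMP EAX,01 / JNZ pair following the site will see."""
    insns, eax = decode_site(va, code)
    if eax is None:
        return "intact: EAX comes from the callee, so the nag's button decides the branch"
    outcome = "falls through (accept path)" if eax == 1 else "jumps (reject path)"
    return f"patched: EAX forced to {eax}, JNZ after CMP EAX,01 {outcome}"


if __name__ == "__main__":
    for label, code in (("original", ORIGINAL_CALL), ("xor/inc", PATCH_XOR_INC), ("mov imm", PATCH_MOV_IMM)):
        insns, _ = decode_site(CALL_SITE_VA, code)
        print(f"{label:9} {code.hex().upper()}  {'; '.join(insns):32} -> {site_report(CALL_SITE_VA, code)}")
```

Running it also confirms the earlier call in the listing, E8A729FFFF at 0040F9A4, resolves to 00402350: the rel32 is negative there, which is why a signed unpack is used.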

raven58
October 23rd, 2001, 19:44
Jomamameister, thank you for your insight. I have never heard of or used "Restorator". Perhaps you would be willing to explain for us newbies how it is used on the program in question, what its intended purpose is, etc. I would also be curious to learn why you took the tack that you did. As noted in posts above, there are many ways "to the top of the mountain". Yours marks a third approach in addition to "destroywindow" and "showwindow". Perhaps I am beating "a dead horse" here, but I believe we can learn a lot more, especially use of the tool "restorator".

Thanks, raven58

Kayaker
October 24th, 2001, 01:37
Hi Raven58,

Restorator is a resource editor (beware cracking this one - CRC check(s) then it deletes its files in its home directory) somewhat similar to Exescope. I actually prefer the freeware Resource Hacker

h**p://rpi.net.au/~ajohnson/resourcehacker , or the Toolz sites.

Sometimes you can successfully delete a resource after patching the code which calls it, and occasionally just deleting the resource is enough if the app is really lame. And of course a resource editor is always handy to see any "hidden" string or dialog resources.

While it's a little difficult tracing back in this app because of the MFC code, you can sometimes use FindResourceA to locate where a particular resource is being loaded and short circuit the call to it, i.e.

BPX FindResourceA if esp.8 == 86

will break when the 2nd parameter of the FindResourceA call (the pointer to the resource Id) is equal to 86h. If it finds the resource there is usually a call to LoadResource/LockResource immediately afterwards. You may find a patch point tracing back from there.

Kayaker

jomamameister
October 24th, 2001, 21:29
Restorator is more than simply a resource editor. It can also do extraction and insertion of said resources, and can make patches. I use Restorator routinely on lots of progs just to see what's inside. Frequently you can see the dialogs, bitmaps, or strings that may provide a clue. As I said earlier, I looked for a hex number in the prog that corresponded to the dialog that I was looking for and then back-traced it through W32Dasm. There is a new version of Restorator out, 2.51, h**p://www.bome.com/restorator, and it has a 30 day time limit. This is a very limited exposé of Restorator, but it is an excellent tool. I mention it in all of my tutorials.
jomamameister

Kayaker
October 25th, 2001, 01:20
Hi Jomamameister,

You've made better use of Restorator than I ;-) I agree it is a nice resource editor and is great for extracting resources. Plus it can make a resource patcher if you want to distribute a crack I guess.

It does all that Resource Hacker does, but I like ResHack because it allows you to modify and recompile Delphi resources on the fly without having to dump it to disk first. I've noticed Restorator craps out on (not-so) large Delphi forms ("text exceeds memo capacity"). Maybe the newer version works better.

I'm not sure if Restorator handles changes in file size very well either, and I can't seem to simply delete a resource entirely. All depends on what you want to use it for, Exescope still works OK too for regular stuff.

regards,
Kayaker

Mandelbrot
January 15th, 2003, 17:38
I tried to use this hide and seek program on one image I have, but it just exits the program when I do it.. no such problem with any other image!! What might be the problem? I really wish to know if my pic. is steganoed or not.. any help is welcome.. It is a jpg pic. I downloaded from a website, and seems to be the key to enter there.. there is just this image on the site, and I know from other sources that there's a lot more on that site.. TIA
And I'm a complete newbie to this genre..

Kayaker
January 16th, 2003, 01:18
It seems all this program does is hide a data file in a jpeg, the maximum size of the data file that can be 'safely' hidden being dependent on the jpeg compression already present. It knows nothing about the jpg otherwise, other than it's dealing with a valid jpg.

When you say it exits with your jpeg does it crash or exit quietly? The jpeg itself looks OK otherwise? Can you give a link or up the jpg, it's really hard to guess anything otherwise.

Kayaker

peterg70
January 16th, 2003, 02:06
Quote:
It is a jpg pic. I downloaded from a website, and seems to be the key to enter there..there is just this image on the site,and I know from other sources,that there's a lot more on that site..TIA


Now this sounds interesting, any chance of a link (send via PM or email)? It will be interesting if the information to access the site is encrypted into the jpg via stego.


peterg70

Kayaker
January 16th, 2003, 13:52
Hi

Um, thanks for the link. I suspect there's not much going on here, the reason this jpeg app couldn't handle the file is simply because it's a gif file not a jpg/jpeg. If you were to look at it in a text or hex editor you'd see the file begins with GIF89a. It exits because it's supposed to.

As for the source on the web page there's no href html tags indicating a link associated with the picture, just a standard align / img src / alt tag set. I rather doubt there's much going on behind a mislabelled 15kb picture file, unless this is getting really cloak and dagger and there's a secret password buried in there somewhere. Looks more like a site under construction/deconstruction. (Aha, that's just what they *want* you to think...)

Actually, if we make use of Woodmann's latest Searching Games lesson, if you were to use tracert.exe on that website link you would find it actually resolves to a different DNS name. If you enter this DNS name in your browser instead of the original link you find a directory listing - recently modified and empty! So it's possible the site you're looking for just doesn't exist anymore.

Kayaker
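Kayaker's two findings above, that the tool only deals with a valid JPEG and that the "jpg" in question actually begins with GIF89a, come down to checking content rather than file name. The Python below is an added example, not code from any poster or from the program discussed. It identifies the format from the leading magic bytes, flags a mismatch against the extension, and for JPEGs walks the marker structure to find the End-Of-Image marker so that anything appended after it is reported. All sample inputs are constructed inline. Note the limitation: the hide-and-seek program described above embeds its payload inside the compressed image data, which a trailing-bytes check never sees; this heuristic only catches payloads simply tacked onto the end of the file.

```python
import struct

# File-format signatures (magic bytes) for the image types that come up in the thread.
SIGNATURES = (
    (b"\xFF\xD8\xFF", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
)
EXT_ALIASES = {"jpg": "jpeg", "jpe": "jpeg", "jfif": "jpeg"}


def sniff(data):
    """Identify the format from the first bytes, ignoring the file name entirely."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def jpeg_eoi_offset(data):
    """Walk the JPEG marker structure and return the offset just past the EOI marker
    (FF D9), or None if the stream is malformed or truncated."""
    if not data.startswith(b"\xFF\xD8"):
        return None
    i, n = 2, len(data)
    while i + 2 <= n:
        if data[i] != 0xFF:
            return None
        marker = data[i + 1]
        if marker == 0xD9:                                     # EOI
            return i + 2
        if marker == 0xFF:                                     # fill byte
            i += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:   # standalone markers
            i += 2
            continue
        if i + 4 > n:
            return None
        seglen = struct.unpack(">H", data[i + 2:i + 4])[0]   # length includes its own 2 bytes
        i += 2 + seglen
        if marker == 0xDA:                                     # SOS: entropy-coded data follows
            # Skip to the next real marker; FF 00 is byte stuffing, FF D0..D7 are restart markers.
            while i + 1 < n and not (data[i] == 0xFF and data[i + 1] != 0x00
                                     and not 0xD0 <= data[i + 1] <= 0xD7):
                i += 1
    return None


def analyze(filename, data):
    """Report claimed vs actual format and, for JPEGs, the number of bytes after EOI."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff(data)
    report = {"claimed": EXT_ALIASES.get(ext, ext), "actual": actual, "trailing_bytes": None}
    report["mismatch"] = report["claimed"] != actual
    if actual == "jpeg":
        end = jpeg_eoi_offset(data)
        report["trailing_bytes"] = None if end is None else len(data) - end
    return report


# Constructed sample inputs (not the real files from the thread).
MISLABELLED_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + b"\x3B"
MINIMAL_JPEG = (
    b"\xFF\xD8"                                                          # SOI
    + b"\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"   # APP0 (JFIF)
    + b"\xFF\xDA\x00\x08\x01\x01\x00\x00\x3F\x00"                        # SOS header
    + b"\x12\x34\xFF\x00\x56"                                            # scan data with a stuffed FF 00
    + b"\xFF\xD9"                                                        # EOI
)
JPEG_WITH_TRAILER = MINIMAL_JPEG + b"secret"

if __name__ == "__main__":
    print(analyze("key.jpg", MISLABELLED_GIF))      # claimed jpeg, actual gif, mismatch
    print(analyze("photo.jpg", JPEG_WITH_TRAILER))  # 6 bytes after EOI
```

The marker walk matters: a naive search for the last FF D9 would be fooled by an appended payload that happens to contain those two bytes, while stepping segment by segment lands on the real EOI. MINIMAL_JPEG is only structurally valid (no quantisation or Huffman tables), which is enough to exercise the walker.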

dion
March 20th, 2003, 07:50
OOT: just wondering if you guys had looked at +Ma games, it's fun, sadly I don't have much time online