Anonymous ID: 7c73bd July 28, 2018, 1:13 a.m. No.2321984   >>2011 >>3986 >>7203

>>2321660

Stegcracker is designed to crack files made by Steghide. Steghide used the Least Significant Bit (LSB) method. PixelKnot uses an algo called F5 that works by modifying the non-zero DCT values in a JPEG file. Stegcracker will never crack it. My condolences for your electric bill.

 

I'm scoping out the feasibility of making a similar tool for the F5 algo. The only way we are going to ever crack this thing is by generating and trying millions or billions of passwords. The Java implementation would be way too slow. It's about one second per test. Thus, someone needs to implement a very efficient minimal test in C. Most of it is pretty straightforward. But PixelKnot uses SecureRandom for the all-important pseudo-randomness generator. So I need to make a byte-exact recreation of its behavior. That's where I'm at. The exact code for the SHA1PRNG algo is surprisingly elusive.

It's going to take a while. I am starting to wonder if it's really that important to see whatever trash talk someone was sending to Q.

A slightly shorter route is to just implement it in Java. It wouldn't be as fast but we could get it sooner. There is a LOT that doesn't need to be repeated for each test (extracting the image, Huffman decoding, etc). There is room for several orders of magnitude improvement over hitting the Extract function again and again. However, I'd have to learn Java. Some other codefag could probably do this before I finish reading the Java 101 tutorial. Read a line from STDIN, treat it as the password, decode the first few bytes, then if it's the correct sentinel string print the possible password, else continue at top with the next line from STDIN.

Anonymous ID: 7c73bd July 28, 2018, 2:19 p.m. No.2328850   >>9024 >>0181

>>2327840

Sounds like you are way ahead of me. Can you pastebin your modified Extract.java ?

I saw that PixelUnknot jar you posted. No offense, but I'm not gonna run a large program that I can't verify that was posted in this board.. not with all the fuckery afoot.

Anonymous ID: 7c73bd July 28, 2018, 4:43 p.m. No.2330928   >>0984

>>2328825

That cannot possibly be correct. If I counted correctly, you are trying all 3 length combinations of 73 different characters. So it should require 3^73 combinations. That is 6.76x10^34

And the minimum the PixelKnot will allow is 4 chars. That would take one CPU until the heat death of the universe. And any reasonable person would use 10 to 15 chars for something like this.

We need to find or create a program that takes a list of possible words (scraped from that 4chan thread, plus other relevant terms, for example) and numbers up to a few digits and assembles them in various natural language ways. And then with 1337 speak substitute characters. Human beings chose that passphrase. So it's better to look at it as a psychology problem than purely a math problem.

But first we need to make the tester as efficient as possible. That's what I'm working on now.

Anonymous ID: 7c73bd July 28, 2018, 5:03 p.m. No.2331140   >>1186 >>1367

>>2331057

>only need to match the last 1/3 of the password to verify

You sure?

final F5Random random = new F5Random(password.substring((password.length()/3)*2).getBytes());

Int-divide by 3, times 2. Unless Java does some weird string math thing I don't understand, it should be 2/3rds of the password.

Anonymous ID: 7c73bd July 28, 2018, 5:14 p.m. No.2331291

>>2331186

Ohhhhh... that explains why it didn't work for me quite as I expected when I was tinkering with using the original F5 algo to decode test images.

Then it looks like your approach may indeed be feasible.

Anonymous ID: 7c73bd July 28, 2018, 8:48 p.m. No.2333595   >>4176

>>2332718

What kind of speed are you getting?

I'm trying to optimize this code. I'm only getting about 200 per minute. And I can't think of any obvious way to optimize the Permutation part. But I'm going to keep thinking about it.

I assume you are generating a list with Crunch in the same method you posted above but with 4 chars. I'll do the same and start from the other end of the list.

Anonymous ID: 7c73bd July 28, 2018, 9:42 p.m. No.2334176   >>6001 >>1663

>>2332718

>>2333595

Better idea.

Many of these characters are awkward to produce from a phone keyboard or are simply not what a human picking a password would use. How many people are going to stick curly brackets in a passphrase? I wouldn't even use parentheses. So I suggest shortening the symbol set to "!@#%&-_+*? ". And don't forget 'space'. It's likely to turn up in passphrases.

For division of labor let's generate a set of chunks the same way and attack it a few at a time. I generated them with,

crunch 4 4 "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!@#%&-_+*? " > passwords4.txt
split -n 20 passwords4.txt passwords4.txt.

I've started with the first four, chunks aa through ad.

Anonymous ID: 7c73bd July 29, 2018, 2:01 a.m. No.2335715   >>5793 >>1663

>>2335545

I generated test images with known passwords in the Android app and then tested them on my Linux machine. It works. There is apparently no reason for SecureRandom to deviate from the default SHA1PRNG algo, at least not in this case. But I suspect that SecureRandom going out and grabbing other sources of entropy is why the app often fails to decode its own output. The app's creator should have rolled their own PRNG. It would have been trivially easy.

Anonymous ID: 7c73bd July 29, 2018, 3:24 a.m. No.2336001   >>6031 >>6698 >>1663 >>1802

Anons in the General thread are talking about this. So here is the method I'm using right now.

I'm not using the PixelUnknot tool written by [b856fa]. There is too much code for me to read through to verify that he's not a shill trying to fuck with me. So I grabbed the original F5 algo that was rolled into F5Android and then into PixelKnot. Then I heavily modified Extract.java (PDF related).

 

  1. Install Java. OpenJDK on Linux works. Don't know about Windows.

  2. Download F5-steganography-master.zip

shasum:ef47173ed89dcd2173270de9f106774cc4c6e9d7

https://github.com/matthewgao/F5-steganography

Unpack it.

  3. Copy and paste the PDF into a file called BruteCrackPK.java. Save it right next to Embed and Extract.

  4. Compile it with "javac BruteCrackPK.java"

  5. Generate a bunch of passwords. See >>2334176 for an example. Feel free to jumble together any set of relevant words and variations.

  6. BruteCrackPK is set up to take the wordlist from standard input. I wanted to be able to eliminate filesystem overhead between Crunch and it. That was before I realized how much work it has to do internally for each test. Turns out fs overhead is comparatively trivial. But anyway, run it with something like,

java BruteCrackPK imagefilename.jpg < passwordlist.txt

  7. Wait. Maybe a long time.

The other attached image is encoded with the password "testtesttest". This program should produce a hit with "test". Only the last third of any password is crackable with this technique (it's only possible because of a design goof by PixelKnot's author). The hope is that if we can get the last third it will provide enough of a clue that we can guess the rest, or at least greatly reduce the search space for the next phase.

  8. (Optional, inefficient) You can also feed full-length passwords into the class in the other PDF file. But be aware of false positives. The image will hit on "blahblahtest" as well as the correct password. Save as "BruteCrackPH_fullpassword.java"
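Added example (not code from the thread, F5 or PixelKnot): a Python restatement of the Java split quoted earlier in the thread, showing how many characters of a passphrase actually reach the F5 seed and why "blahblahtest" is indistinguishable from "testtesttest" at that layer. The 73-symbol alphabet is the figure used in the thread; the function names and the third sample passphrase are made up for illustration.

```python
import math

def f5_seed_part(password):
    """Python equivalent of password.substring((password.length()/3)*2)."""
    return password[(len(password) // 3) * 2:]

def seed_length(n):
    """Characters of an n-character passphrase that reach the F5 seed."""
    return n - (n // 3) * 2

def entropy_bits(alphabet, length):
    """Bits needed to enumerate every string of this length."""
    return length * math.log2(alphabet)

def group_by_seed(passwords):
    """Map each seed suffix to the passphrases that share it."""
    groups = {}
    for p in passwords:
        groups.setdefault(f5_seed_part(p), []).append(p)
    return groups

def table(alphabet=73, lengths=(4, 5, 6, 9, 10, 12, 15)):
    """Rows of (passphrase length, seed length, full bits, seed bits)."""
    return [(n, seed_length(n),
             round(entropy_bits(alphabet, n), 1),
             round(entropy_bits(alphabet, seed_length(n)), 1))
            for n in lengths]

if __name__ == "__main__":
    # First two passphrases are the ones named in the post; the third is constructed.
    print(group_by_seed(["testtesttest", "blahblahtest", "hunter2hunter2"]))
    for row in table():
        print("len=%2d  seed chars=%d  full=%5.1f bits  seed=%5.1f bits" % row)
```

Because of the integer division, the seed is not always exactly a third: a 4-character passphrase seeds with 2 characters and a 5-character one with 3.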

Anonymous ID: 7c73bd July 29, 2018, 5:34 a.m. No.2336510

>>2336293

The vast majority of the original pics from Q are in PNG format. The stegano technique used by PixelKnot is for JPEGs exclusively. If you can assemble a list of URLs for all JPEG images Q has posted then I'll be happy to pull them down and test for any passphrases you suggest (eg: "WWEG1WGA").

Neither robots, canonical, nor manifest works. In fact, we think we've already ruled out all passwords of 9 chars or shorter.

And that is a strange image. The F5 decoder stalls when I try to examine it. I get the message "Nf weder 1 noch 3". This appears to be an error message (in German, "Nf neither 1 nor 3") coming from HuffmanDecode.java. I should have been in bed 4 hours ago. So I'll let some other codefag determine the significance of that and if it's something we need to be concerned about.

Anonymous ID: 7c73bd July 29, 2018, 1:06 p.m. No.2341888   >>2377

>>2341663

You must have a monster of a machine! I haven't had a need to upgrade my AMD Phenom II in 10 years. So I'm getting about 230 per minute x4 processes (about 15 per second). Time to upgrade to a high-end Ryzen.

 

BruteCrackPK.java

https://pastebin.com/Y1exTrjL

 

BrutcCrackPK_fullpassword.java

https://pastebin.com/PEnTtSaA

 

I made some optimizations for quick return as soon as it has enough to rule out a given password. But they didn't speed it up that much. It looks like >95% of the time is spent calling SecureRandom and its internal SHA1 based PRNG 1.8 million times before it can decode the first byte. There is not a lot I can do to speed that up.

Anonymous ID: 7c73bd July 29, 2018, 3:52 p.m. No.2344703   >>4904 >>5204

>>2344586

I just get garbage.

java Extract -p "0+CE" -e 1532237608528.jpg
Huffman decoding starts
Permutation starts
1843200 indices shuffled
Extraction starts
Length of embedded file: 2951877 bytes
(1, 255, 8) code used
Incomplete file: only 297 of 2951877 bytes extracted

Anonymous ID: 7c73bd July 29, 2018, 4:21 p.m. No.2345053   >>5066 >>5181 >>5191

>>2344904

Hmm. When I use f5.jar I still get the same results as with calling Extract directly.

You get consistent results both ways on your machine and I get different consistent results on mine. This shouldn't happen.

Have you tested images created with the app with known passwords? Does this image decode with "test" for you? (pic related).

Maybe there is some little variation in SecureRandom. I'm using OpenJDK 8. This probably shares much of its codebase with the Android version.

Anonymous ID: 7c73bd July 29, 2018, 4:52 p.m. No.2345468

>>2345204

No, quotes are not being set. If that were true "test" wouldn't work. It behaves the same way from a file as from a command line arg. And none of those strings produce anything for me but garbage on either the SS image or the test image.

That is exactly what testtesttest.jpg is supposed to decode to. PixelKnot stores the messages as base64 encoded AES encrypted blobs. This is not part of the F5 system.

One would expect 1-in-65536 bad decodes to start with two "-" chars by chance. If we are testing millions of passwords then a few that start with "- -" is not surprising. That's why BruteCrack doesn't go ding! until it sees 20 chars of matching sentinel string.

But even if PixelUnknot is simply not testing far enough it wouldn't explain why you would see a valid message using F5.jar and I don't.

Very very strange.

Anonymous ID: 7c73bd July 29, 2018, 5:12 p.m. No.2345741

>>2345204

Actually.. if you are implementing the same size filter I am it would skip the vast majority before it got to that stage. Very few 32bit random integers will be between 96 and 2000, roughly 1-in-2.3million. That times 65536... and it's an eyebrow raising coincidence.

Anonymous ID: 7c73bd July 29, 2018, 6:02 p.m. No.2346356

>>2346134

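I'm already at work scanning my entire offline backup of Q General. :)

#!/bin/sh
# Sort the JPEGs in the backup by whether the first 20 bytes carry a JFIF or Exif tag.
# Clear the output lists from any earlier run (same names as the ones appended to below).
rm -f with_tag.txt
rm -f without_tag.txt
list=jpeg_list.txt
prefix=~/q_backup/file_store/
for filename in $(cat $list) ; do
  echo -n $filename
  echo -n " "
  # grep output is discarded; only its exit status is used
  head -c 20 $prefix$filename | grep "JFIF\|Exif" > /dev/null
  if [ $? -eq 0 ] ; then
    echo "Yes"
    echo $filename >> with_tag.txt
  else
    echo "No"
    echo $filename >> without_tag.txt
  fi
done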

Anonymous ID: 7c73bd July 29, 2018, 7:37 p.m. No.2347619   >>7681 >>7705 >>7731 >>7883 >>0331 >>2189

>>2346134

Here is the set of Q Research images that start with those 6 bytes (from since I started backing up the breads a few months ago). 66 files, 9.1MB. I haven't checked when they were uploaded. The two SS pics were clearly created by anons recently.

 

https://nofile.io/f/PR5CxvthaYp/jpeg_ffd8_ffdb_0084.zip

 

I haven't tried 4chan/pol/. The archive doesn't save the original images.
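Added example (not code from the thread): a header triage that generalizes the first-20-bytes grep in the earlier post by walking the JPEG marker segments, so a JFIF or Exif tag is found wherever the APP0/APP1 segment sits. It assumes the six bytes in question are FF D8 FF DB 00 84, as the archive name suggests; the sample headers are constructed, and the function names and class labels are made up for illustration.

```python
import struct

# Marker bytes that follow 0xFF in a JPEG stream.
APP0, APP1, DQT, SOS = 0xE0, 0xE1, 0xDB, 0xDA

def leading_segments(data, limit=16):
    """Walk marker segments after SOI; return [(marker, length, payload[:6])]."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("no SOI marker: not a JPEG")
    segs, pos = [], 2
    while pos + 4 <= len(data) and len(segs) < limit:
        if data[pos] != 0xFF:
            break                      # lost sync or truncated sample
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segs.append((marker, length, data[pos + 4:pos + 10]))
        if marker == SOS:
            break                      # entropy-coded scan data follows
        pos += 2 + length              # length counts its own two bytes
    return segs

def classify(data):
    """Return 'tagged', 'bare-dqt-0084' (the header discussed above) or 'other'."""
    segs = leading_segments(data)
    for marker, _, head in segs:
        if (marker == APP0 and head.startswith(b"JFIF")) or \
           (marker == APP1 and head.startswith(b"Exif")):
            return "tagged"
    # SOI followed directly by a quantization table of declared length 0x0084.
    if segs and segs[0][:2] == (DQT, 0x0084):
        return "bare-dqt-0084"
    return "other"

def _seg(marker, payload):
    """Build one marker segment (helper for the constructed samples)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed headers, not bytes from any real image.
SOI = b"\xff\xd8"
JFIF_SAMPLE = SOI + _seg(APP0, b"JFIF\x00" + bytes(9)) + _seg(DQT, bytes(65))
EXIF_SAMPLE = SOI + _seg(APP1, b"Exif\x00\x00" + bytes(20)) + _seg(DQT, bytes(130))
BARE_SAMPLE = SOI + _seg(DQT, bytes(130)) + _seg(0xC0, bytes(15))
PLAIN_SAMPLE = SOI + _seg(DQT, bytes(65)) + _seg(DQT, bytes(65))

if __name__ == "__main__":
    for name in ("JFIF_SAMPLE", "EXIF_SAMPLE", "BARE_SAMPLE", "PLAIN_SAMPLE"):
        print(name, classify(globals()[name]))
```

A "bare-dqt-0084" result only says the header layout matches; it does not identify the software that wrote the file.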

Anonymous ID: 7c73bd July 29, 2018, 8:13 p.m. No.2348214   >>8244 >>8285 >>8439

I think the logical way to approach this is to pick one or two very spoopy images to bruteforce for short passwords. I'm not gonna launch month-long efforts without confirmation from On High that there is something to find. Pics related.

 

Q's people are smarter than to use PixelKnot if they are communicating with stegano. Only the badguys would be using it. So the question is.. would they do it here right under our noses or on 4chan away from us? I don't know the 4chan ecosystem well enough.

If the baddies are doing this then they are probably using one password or a system of passwords for everything. If we can crack one then it would be relatively easy to scan huge data sets with the same password.

But before we get carried away we should examine known PK images for any other distinguishing features that can be used to further reduce the search space.

Anonymous ID: 7c73bd July 29, 2018, 9:07 p.m. No.2349117   >>9161 >>1351

>>2349017

And that shasum of the first 100 bytes turns up in about half of the suspect images posted above.

alec@LinuxMint18 ~/sandbox/suspectJPEGs $ for filename in $(ls -x); do head -c 100 $filename | shasum | sort ; done

Anonymous ID: 7c73bd July 29, 2018, 10:47 p.m. No.2350592   >>0621 >>0775 >>2189

>>2350331

 

I was already thinking about that. Many of these files were likely uploaded AFTER Q mentioned PixelKnot. There is no point in cracking files that were uploaded by anons as a joke. Q mentioned PK in bread #2896, which was post #2298164.

8ch.net/qresearch/res/2298164.html

The images from before that are more interesting.

 

https://pastebin.com/z4cXBLMv

 

As you can see many were posted long before Q put the idea of stegano in anons' heads.

Anonymous ID: 7c73bd July 29, 2018, 11:29 p.m. No.2351079   >>1362 >>7961

>>2350775

A suspiciously large number of this image set contains direct symbology.

That must be how (((they))) recognize which ones to examine.

And a large fraction of the images on QR are memes, baker-babes, shill infographics, side-by-side proofs, or clock faggotry. Yet none of that is in this set.

I think we're on the right track.

 

Here is a bundle of everything for the other anons.

https://nofile.io/f/SnmADANBz6t/suspect_images.zip

Anonymous ID: 7c73bd July 30, 2018, 8:54 p.m. No.2365916   >>6835

>>2362467

You wrote on QR that we are 100% sure that these images contain hidden messages. Eh... I'm about 90% sure.

It is possible that somewhere in the world there exists a piece of editing or conversion software that outputs jpeg headers in exactly the same way. If the guy who wrote the F5 jpeg encode copy-and-pasted some example code and the developer of a different piece of software did the same then the outputs would look the same.

The only way to ever really be sure of the truth about anything is to try to prove what you don't believe and disprove what you do believe.

So before I invest lots of time and, maybe, money into cracking these things I want to eliminate any possibility that these files could have been made by something else.