spaceB0x ID: ffc9f6 Ghidra Hidden ByteCode/Steganography/Crypto May 5, 2020, 9:20 a.m. No.9038853   >>0069 >>9917 >>2790 >>5114 >>7343 >>8629

Long-time lurker/autist, breaking silence. Have tried to get the hacker community in on this but to no avail. Ghidra is a tool for reverse engineering. The image itself has code in it. I have been using radare2 to reverse Q images for a long while. Remember "graphic is key" and "you have more than you know".

 

Have been doing research in parallel with some others on Q posts for a while, looking for steganography, encryption keys, and more, and have found bits and pieces that are near misses. See Twitter for more details, though much hasn't been released. https://twitter.com/spaceB0xx/

 

But we need to get as many people who are cryptographically minded on this. It has been a struggle to get others involved on this route.

spaceB0x ID: ffc9f6 May 5, 2020, 11:54 a.m. No.9041102   >>1137

>>9040069

This is correct, that it isn't a stego tool. It is a reversing tool. What I was trying to communicate is that there is steganography in many of these images, as well as embedded code. You can see some of my posts in the Twitter link.

 

The image of Ghidra that I posted is the disassembled 8chan image. I should have been clearer.

spaceB0x ID: ffc9f6 May 5, 2020, 11:57 a.m. No.9041137   >>4201

>>9041102

 

For example, the EXIF data from last night's 8chan image also has a "Keyword" embedded in it. That is steganography. See this screencap.

 

There is something here, I am convinced of it. I have done much crypto and cracking. Ghidra could help reverse binaries, and find binary/executable data in seemingly arbitrary files.
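An added example, not code from the thread or from the poster: a standard-library Python check of the kind a forensic analyst runs before reaching for a disassembler. It walks a PNG's chunks, pulls plainly readable text metadata such as a "Keyword" entry (which lives in ordinary metadata, not in the pixel data), verifies chunk CRCs, and flags chunk bodies or trailing bytes after IEND that begin with a known executable header. The sample image and its appended blob are constructed inline; the chunk names and magic values are real PNG/PE/ELF constants.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Executable magic bytes checked at the start of each chunk body and of any trailer.
EXEC_MAGIC = {b"MZ": "PE/DOS", b"\x7fELF": "ELF", b"\xcf\xfa\xed\xfe": "Mach-O 64"}

def _chunk(ctype, body):
    """Encode one PNG chunk: length, type, body, CRC32 over type+body."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def build_png(text_chunks, trailer=b""):
    """Construct a 1x1 greyscale PNG with tEXt metadata; 'trailer' is appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit grey
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr)
    for key, value in text_chunks:
        png += _chunk(b"tEXt", key.encode("latin-1") + b"\x00" + value.encode("latin-1"))
    return png + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailer

def _magic_name(blob):
    return next((name for magic, name in EXEC_MAGIC.items() if blob.startswith(magic)), None)

def inspect_png(data):
    """Return {'text': {key: value}, 'hits': [(location, finding)], 'trailing': n_bytes}."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, text, hits = len(PNG_SIG), {}, []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            hits.append((ctype.decode("latin-1"), "truncated chunk"))
            return {"text": text, "hits": hits, "trailing": 0}
        body = data[pos + 8:pos + 8 + length]
        if zlib.crc32(ctype + body) != struct.unpack(">I", data[end - 4:end])[0]:
            hits.append((ctype.decode("latin-1"), "bad CRC"))   # tampered or hand-edited chunk
        if ctype == b"tEXt":
            key, _, value = body.partition(b"\x00")
            text[key.decode("latin-1")] = value.decode("latin-1")
        if _magic_name(body):
            hits.append((ctype.decode("latin-1"), _magic_name(body)))
        pos = end
        if ctype == b"IEND":
            break
    trailer = data[pos:]
    if trailer and _magic_name(trailer):
        hits.append(("after IEND", _magic_name(trailer)))
    return {"text": text, "hits": hits, "trailing": len(trailer)}
```

A clean image yields no hits and zero trailing bytes; a file with an executable glued on after IEND is reported by location and header type, which is a far stronger signal than whether a disassembler can produce function-shaped output from the pixel bytes.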

spaceB0x ID: ffc9f6 May 5, 2020, 12:52 p.m. No.9041828   >>6344

>>9041408

 

The Ghidra reference is really for reversing, so in that regard, I would try to figure out what these functions are actually doing inside of the image. The fact that there is a "Keyword" in the EXIF data is a start.

 

What I have been working on the past number of months is finding cryptographic keys. I am convinced that Q post 1441 has an encryption certificate in it. I can see pieces of it, but can't seem to cryptographically or steganographically extract them.

 

What one of the above posters said is true: if you don't have the key and don't know the algorithm, then decrypting is worthless.

 

However, Q posted the word "Spray" (like password spraying?). A technique I use when hacking things with a password. Just brute forcing the crap out of it.

spaceB0x ID: ffc9f6 May 5, 2020, 2:22 p.m. No.9043048   >>3078

>>9042906

Well, if you load the image into Ghidra (and originally I was using software called radare2), there are "bytecode" functions which are identified. Bytecode is compiled binary/assembly which is actually executable code. (This is why "steganography" and such are closely correlated with the work I have been doing.)

 

Now, when you are looking for random opcodes in a sea of bytes (all the images), you are bound to run across a crapton of false positives. Like, a lot. So the key is to be able to know if any bytecode returns are legit (i.e., the assembly code interpreted actually makes sense).

 

The code in the 8chan image does. Now what it is doing, I am not sure yet. But Ghidra interprets it properly as functions with parameters which are initialized, and then referenced/assigned, with conditional loops etc.

 

This would be hard to do randomly.

spaceB0x ID: ffc9f6 May 5, 2020, 2:24 p.m. No.9043078

>>9043048

 

They seem to be pieces to a binary whose "entrypoint" I cannot find. It also helps to have an idea what architecture the binary pieces were intended to run on, as that will dictate how the bytecode is actually interpreted.