Fraxxxi
Boot
Joined: 24 Jul 2004 Posts: 38 Location: Austria
LilSerf wrote:
"Hide and go seek" seems like a big reference to JPHIDE/JPSEEK to me.
or to a voice hidden in the wav, the text hidden in the corrupted images, the almost-invisible text on the pages... but yeah, also steganography.
_________________So there is hope you see, but we must act with great speed
Assemble the chosen, the ones to lead, and morph them in the likeness of man
Posted: Sun Jul 25, 2004 8:06 pm
LilSerf
Veteran
Joined: 25 Jul 2004 Posts: 84
Does stegbreak just use each word in the list? I have a feeling this passphrase isn't going to be a one-word answer. We're probably looking at a full sentence, and I don't think stegbreak's dictionary attack is going to find that.
Posted: Sun Jul 25, 2004 8:08 pm
LilSerf
Veteran
Joined: 25 Jul 2004 Posts: 84
Fraxxxi wrote:
LilSerf wrote:
"Hide and go seek" seems like a big reference to JPHIDE/JPSEEK to me.
or to a voice hidden in the wav, the text hidden in the corrupted images, the almost-invisible text on the pages... but yeah, also steganography.
I didn't mean it referenced steganography in general -- I meant it specifically referenced the programs JPHIDE and JPSEEK that were possibly used here.
Although it could have just been a nice turn of phrase
Posted: Sun Jul 25, 2004 8:10 pm
Fraxxxi
Boot
Joined: 24 Jul 2004 Posts: 38 Location: Austria
LilSerf wrote:
Does stegbreak just use each word in the list? I have a feeling this passphrase isn't going to be a one-word answer. We're probably looking at a full sentence, and I don't think stegbreak's dictionary attack is going to find that.
I believe the modus operandi is defined in the rules.ini, so I guess it's possible to have it mix words together even if it doesn't do it by default.
Posted: Sun Jul 25, 2004 8:18 pm
hotblack
Boot
Joined: 24 Jul 2004 Posts: 19
I've been through the majority of the Webster's dict, given names, myths and legends, phrases, Chinese phonetics and Shakespeare... no joy.
Time to try to be more creative methinks... or put this one down as a false positive.
Posted: Sun Jul 25, 2004 8:29 pm
Max Damage
Decorated
Joined: 24 Jul 2004 Posts: 178
Indeed. Does anyone know exactly the false-positive ratio for this app? If I showed it a hundred random, undoctored images, would it think it's found messages in two of them?
Posted: Sun Jul 25, 2004 8:32 pm
LilSerf
Veteran
Joined: 25 Jul 2004 Posts: 84
I haven't been able to find exact info on the false-positive rate, but stegdetect gives the maximum 3-star rating for this file. If it was only 1 star I'd be more likely to believe it was a false positive...
Posted: Sun Jul 25, 2004 8:35 pm
LilSerf
Veteran
Joined: 25 Jul 2004 Posts: 84
Read the whitepaper on the stegdetect website:
Quote:
We downloaded more than two million images linked
to eBay auctions. To automate detection, Crawl uses stdout
to report successfully retrieved images to Stegdetect.
After processing the two million images with Stegdetect,
we found that over 1 percent of all images seemed to contain
hidden content. JPHide was detected most often (see
Table 2).
So approximately 1% of all the random images they searched came back positive, most of which were probably false positives. Although it's possible that people are actually using JPHIDE to pass information over eBay.
Posted: Sun Jul 25, 2004 8:43 pm
Moriarty
Guest
Spurred on by people running the UNIX command 'strings' on some of the distorted images and getting some sensible text back, I took it upon myself to see what changes are made to some of the distorted images. I'm probably not going to have much time, but I can certainly tell you what I did so others can follow up.
We know that at least some of the images on the site are in rotation such that they are garbled some of the time. The image I chose to test on was BEE_LOGO.gif, from the front page. Image 1 is the original, and Image 2 is the altered version. I loaded the image until I had a copy of each.
The command line I used was 'diff --text --forward-ed <image1> <image2>'. This is in UNIX, by the way. The result is an 'ed script' (series of commands to the line editor) to transform the original image into the distorted image. From this we can see that only two lines of the file are changed. The file size remains constant however, meaning that the change is a strict replacement. Changes are on lines 3 and 36. On line three, a section of characters (rendered in my editor as —""'á,?Æ?à¶) is replaced with "Instead of ". The rest of the line remains the same, and the length is unchanged. On line 36, the change is to Ñ‚‰%@ @âp¢ÏPî*LBÈîp , becoming "carrying them with ".
The first change is 14 characters into the line, and the second is 11. Probably my editor is being confused by the linebreaks. I'll try to get them ignored and see if there's any pattern here.
It might behoove us to take some of these images and see whether the mangled versions have these kinds of changes. I'll try to get some more distorted images to figure out.
Posted: Sun Jul 25, 2004 9:50 pm
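The comparison described in the post above, done on byte offsets instead of lines so that stray linebreak bytes in binary data cannot shift the positions (an added example, not part of the original thread). The function names, the sample bytes and the offsets 40 and 150 are constructed for illustration; only the two text fragments come from the post.

```python
import string

# Bytes treated as readable text (printable ASCII minus vertical tab / form feed).
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}

def changed_runs(original: bytes, altered: bytes, merge_gap: int = 2):
    """Return (offset, old_bytes, new_bytes) for each run of differing bytes.

    Runs separated by at most merge_gap identical bytes are merged, since a
    replacement can coincide with the original at a byte or two by chance.
    """
    if len(original) != len(altered):
        raise ValueError("sizes differ: not a strict in-place replacement")
    spans, start, last = [], None, None
    for i, (a, b) in enumerate(zip(original, altered)):
        if a == b:
            continue
        if start is not None and i - last - 1 > merge_gap:
            spans.append((start, last + 1))
            start = None
        if start is None:
            start = i
        last = i
    if start is not None:
        spans.append((start, last + 1))
    return [(s, original[s:e], altered[s:e]) for s, e in spans]

def embedded_text(original: bytes, altered: bytes):
    """Keep only the changed runs whose new content is readable ASCII."""
    return [(off, new.decode("ascii"))
            for off, _old, new in changed_runs(original, altered)
            if all(c in PRINTABLE for c in new)]

def _splice(buf: bytes, offset: int, text: bytes) -> bytes:
    """Overwrite len(text) bytes at offset, keeping the total size constant."""
    return buf[:offset] + text + buf[offset + len(text):]

# Constructed sample: a GIF-like header plus 200 high-bit "pixel" bytes.
# The offsets 40 and 150 are made up; only the two strings come from the thread.
SAMPLE_ORIGINAL = b"GIF89a" + bytes((i * 37 + 11) % 128 + 128 for i in range(200))
SAMPLE_ALTERED = _splice(_splice(SAMPLE_ORIGINAL, 40, b"Instead of "),
                         150, b"carrying them with ")

if __name__ == "__main__":
    for offset, text in embedded_text(SAMPLE_ORIGINAL, SAMPLE_ALTERED):
        print(f"offset {offset:#06x}: {text!r}")
```

On real files, read both copies with `open(path, "rb").read()` and pass them to `embedded_text`; the reported offsets can then be compared across several images.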
hotblack
Boot
Joined: 24 Jul 2004 Posts: 19
Very interesting approach :)
Unfortunately I think that your results are just the same as those found by other methods though. If you look on the wiki the corrupted image text retrieved for the file BEE_LOGO.GIF was "Instead of carrying them with / her, she scratched the ruby and each of the / greater blocks with her knife, marking / it as part of her Queen's domain." of which "carrying them with " is a substring.
Posted: Sun Jul 25, 2004 10:06 pm
Moriarty
Guest
Yep. Just caught that - that is indeed what's been going on with the image-story as cobbled together. In fact I realized that almost as soon as I posted.
There might be something to the positioning of these replacements though. What led our shipwrecked friend to replace these particular portions of the images with his text?
Sorry for the repeat - I bet everyone's getting tired of it.
Posted: Sun Jul 25, 2004 10:09 pm
cyanogen
Greenhorn
Joined: 25 Jul 2004 Posts: 9
101 million permutations, no dice.
I still think this jpeg is stegged, but I don't think we're meant to decipher it, yet.
Posted: Sun Jul 25, 2004 10:58 pm
LilSerf
Veteran
Joined: 25 Jul 2004 Posts: 84
Yeah, I think the passphrase is going to be some huge sentence that's not brute-forceable.
Posted: Sun Jul 25, 2004 11:30 pm
ScarpeGrosse
Site Admin
Joined: 30 Nov 2002 Posts: 1678 Location: The Shiny Castle in the Sky, Full of Cotton Candy and Hazelnut Lattes
Or.... and here's a crazy thought... it could not actually be stegged
*gasp!*
It's just as possible as the ridiculously long passphrase.
_________________
Allow me to take off my 'assistant skirt' and put on my 'Barbara Streisand in The Prince of Tides ass-masking therapist pantsuit.'
Posted: Sun Jul 25, 2004 11:35 pm
LilSerf
Veteran
Joined: 25 Jul 2004 Posts: 84
ScarpeGrosse wrote:
Or.... and here's a crazy thought... it could not actually be stegged
*gasp!*
It's just as possible as the ridiculously long passphrase.
Actually, it's statistically more likely that the picture is stegged than not. That's why it came up that way. It's also likely that the PMs, not being dummies, wouldn't have picked a weak password for their steganography.
We'll see if anything comes of it eventually.
Posted: Sun Jul 25, 2004 11:59 pm