bindump & bin2file ... and steganography 4 fun

Certainly many people recognized Lena in an earlier post on bindump or bin2file and asked themselves: "WTH? Why keep Lena in the article?"
In fact the Lena image is commonly used (among other things) for steganography... but I never said anything about it... not yet (-:

Now I can say that the real goal of bindump and bin2file is to hide information _inside any file_ (knowing what you are doing) or _in any part of a hard disk_ (knowing what you are doing), with the opportunity to _manage every single bit_.

As a PoC I wrote a message inside the boot loader.

DON'T TRY THIS AT HOME!!! (if you don't know what you are doing)

All these steps were done on my Debian virtual machine (called elisabetha in honor of Dracula's wife).

I extract the boot loader:

elisabetha:~# dd if=/dev/sda of=BOOT_LOADER.ORIG bs=466 count=1
1+0 records in
1+0 records out
466 bytes (466 B) copied, 0.00416124 s, 112 kB/s

Then I write the string "eddy22 was here" to the text file insert_in_boot_loader and dump its bits:

elisabetha:~# ./bindump insert_in_boot_loader
00000000 01100101 01100100 01100100 01111001 00110010 00110010 00100000 01110111 eddy22 w
00000008 01100001 01110011 00100000 01101000 01100101 01110010 01100101 00001010 as here.
elisabetha:~# ./bindump insert_in_boot_loader > insert_in_boot_loader.txt

Now I copy the bits from insert_in_boot_loader.txt into boot_loader.txt (the bindump of BOOT_LOADER.ORIG), replacing the two lines at offsets 424 and 432:

Editing boot loader

...then I "reassemble" the new boot loader with bin2file and overwrite the old one:

elisabetha:~# cat boot_loader.txt 
[...]
00000416 00010000 10101100 00111100 00000000 01110101 11110100 11000011 00000000 ..<.u...
00000424 01100101 01100100 01100100 01111001 00110010 00110010 00100000 01110111 eddy22 w
00000432 01100001 01110011 00100000 01101000 01100101 01110010 01100101 00001010 as here.
00000440 01001101 10011111 00001011 00000000 00000000 00000000 10000000 00000001 M.......
[...]
elisabetha:~# cat boot_loader.txt | cut -c10-80 | xargs ./bin2file -w new_boot_loader
elisabetha:~# ls -l BOOT_LOADER.ORIG new_boot_loader 
-rw-r--r-- 1 root root 466  9 apr 18:22 BOOT_LOADER.ORIG
-rw-r--r-- 1 root root 466  9 apr 18:25 new_boot_loader
elisabetha:~# dd if=new_boot_loader of=/dev/sda bs=466 count=1
1+0 records in
1+0 records out
466 bytes (466 B) copied, 0.00327222 s, 142 kB/s

Now I try to reboot and... it works! (-:

Hidden information in the MBR

ATTENTION!!! If you have fuck*d up your system, boot from a rescue/live system and restore the original boot loader with this command:

# dd if=BOOT_LOADER.ORIG of=/dev/sda bs=466 count=1
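Before writing anything back to /dev/sda it is worth knowing exactly where the bootstrap code ends, because the dump above shows what comes right after the message: at offset 440 the bytes 4D 9F 0B 00 00 00 are the 32-bit disk signature plus two zero bytes, and at 446 the 80 01 is the start of the first partition entry (0x80 = bootable). The helpers below are an added example, not the post's bindump/bin2file code: they parse a 512-byte MBR image and only accept a message that stays inside the 440-byte bootstrap area, so the disk signature, the partition table and the 0x55AA boot signature cannot be clobbered by a miscounted offset. The sample MBR is constructed; its disk signature and the first partition byte are the values visible in the dump above, everything else is filler.

```python
"""Check the MBR layout before writing into it.

Added example, not code from the post.  Layout constants are the standard
MBR layout; sample_mbr() is constructed test data, not a dump of a real disk.
"""
import struct

BOOTSTRAP_END = 440    # bytes 0..439: bootstrap code (what GRUB/LILO put there)
DISK_SIG_OFF = 440     # bytes 440..443: 32-bit disk signature, 444..445: zero
PART_TABLE_OFF = 446   # bytes 446..509: four 16-byte partition entries
BOOT_SIG_OFF = 510     # bytes 510..511: 0x55 0xAA
MBR_SIZE = 512


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR image into its fields; rejects anything that is not a 512-byte MBR."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[BOOT_SIG_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for n in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * n:PART_TABLE_OFF + 16 * (n + 1)]
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "bootstrap": mbr[:BOOTSTRAP_END],
        "disk_signature": struct.unpack("<I", mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": partitions,
    }


def embed_message(mbr: bytes, offset: int, message: bytes) -> bytes:
    """Overwrite `message` at `offset`, refusing to leave the bootstrap area.

    This protects the *layout*, not the boot code: whether the machine still
    boots depends on what the bootloader kept at those bytes.  The post put
    16 bytes at 424..439, the last bytes before the disk signature.
    """
    parse_mbr(mbr)                      # make sure we are looking at an MBR at all
    end = offset + len(message)
    if offset < 0 or end > BOOTSTRAP_END:
        raise ValueError(f"message would occupy {offset}..{end - 1}; "
                         f"bootstrap area ends at {BOOTSTRAP_END - 1}")
    return mbr[:offset] + message + mbr[end:]


def sample_mbr() -> bytes:
    """Constructed MBR: dummy bootstrap, one bootable Linux partition, three empty slots."""
    bootstrap = b"\xeb\x63" + b"\x90" * (BOOTSTRAP_END - 2)        # jmp + NOP filler
    disk_sig = struct.pack("<I", 0x000B9F4D) + b"\x00\x00"         # 4D 9F 0B 00 00 00 as in the dump
    part1 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x83, b"\xfe\xff\xff", 63, 2048000)
    return bootstrap + disk_sig + part1 + b"\x00" * 48 + b"\x55\xaa"


if __name__ == "__main__":
    new = embed_message(sample_mbr(), 424, b"eddy22 was here\n")
    print(new[416:448].hex(" "))
    print(parse_mbr(new)["partitions"][0])
```

A caveat on the dd commands in the post: bs=466 count=1 reads the 440 bytes of bootstrap code, the 6-byte disk-signature area, the whole first partition entry and 4 bytes of the second. Writing those 466 bytes back is only safe because bytes 440..465 were copied back unchanged; the usual habit is to read and restore the full 512-byte sector (bs=512 count=1) and to edit only offsets below 440, as embed_message() enforces.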

Well, the first part is done.

The next example will show you how to hide a "secret" file inside another file; even better, we will use two files. After all, who said that we must use only one file to hide information? (-;

The secret file (called "secret") is here

First I use bindump to extract the bits from the secret file (cutting off the offset column and the ASCII column of the output with cut -c10-80, so only the 64 bit columns remain):

eddy22@elisabetha:~/myprog/bindump$ ls -l secret
-rw-r--r-- 1 eddy22 eddy22 13277  9 apr 19:32 secret
eddy22@elisabetha:~/myprog/bindump$ ./bindump secret | cut -c10-80 > secret.txt

I count the lines of the new file and split it in half:

eddy22@elisabetha:~/myprog/bindump$ cat secret.txt | wc -l
1660
eddy22@elisabetha:~/myprog/bindump$ sed -n "1,830w secret1.txt" secret.txt
eddy22@elisabetha:~/myprog/bindump$ sed -n "831,\$w secret2.txt" secret.txt
eddy22@elisabetha:~/myprog/bindump$ ls -l secret*
-rw-r--r-- 1 eddy22 eddy22  13277  9 apr 19:32 secret
-rw-r--r-- 1 eddy22 eddy22  59760  9 apr 19:39 secret1.txt
-rw-r--r-- 1 eddy22 eddy22  59760  9 apr 19:39 secret2.txt
-rw-r--r-- 1 eddy22 eddy22 119520  9 apr 19:35 secret.txt

Now I choose two files as containers: an mp3 file and a bitmap file.

eddy22@elisabetha:~/myprog/bindump$ ./bindump 04\ Fade\ To\ Black.mp3 > fade_to_black.txt

To embed the first half of the secret I use a regular expression and a simple perl script that writes the secret bits, one per line, into the least significant bit of the first byte of every bindump line whose offset matches the regular expression (in a bindump line that bit is character 17; substr counts from 0, hence the 16 below).
stega.pl's first argument is the container file (as a bindump binary string);
the second is the file to embed (as a bindump binary string);
the last is the steganographed file (created by the script).

        # one secret bit per matching line: overwrite the LSB (character 17) of the line's first byte
        if (($i <= $#con) && /^.[19][258]/) {
                substr ($_, 16, 1, $con[$i++]); 
        }

eddy22@elisabetha:~/myprog/bindump$ ./stega.pl fade_to_black.txt secret1.txt fade_secret.txt

Now I "reassemble" the steganographed mp3 file (using bin2file) and repeat the same steps for the bitmap file (but with a different regular expression):

eddy22@elisabetha:~/myprog/bindump$ cat fade_secret.txt | cut -c10-80 |
xargs ./bin2file -w fade_secret.mp3
eddy22@elisabetha:~/myprog/bindump$ ls -l *.mp3
-rw-r--r-- 1 eddy22 eddy22 10012025 18 mar 15:14 04 Fade To Black.mp3
-rw-r--r-- 1 eddy22 eddy22 10012025  9 apr 19:43 fade_secret.mp3

eddy22@elisabetha:~/myprog/bindump$ ./bindump lena.bmp > lena.txt

        # same thing for the bitmap, selecting lines whose offset has 4-9 as its sixth digit
        if (($i <= $#con) && /^.....[4-9]/) {
                substr ($_, 16, 1, $con[$i++]); 
        }

eddy22@elisabetha:~/myprog/bindump$ ./stega.pl lena.txt secret2.txt lena_secret.txt
eddy22@elisabetha:~/myprog/bindump$ cat lena_secret.txt | cut -c10-80 |
xargs ./bin2file -w lena_secret.bmp

Lena secret

Here we are at last: the secret file is split and hidden in fade_secret.mp3 and lena_secret.bmp!!!

...
If you want the secret file back, just use:

eddy22@elisabetha:~/myprog/bindump$ ./bindump fade_secret.mp3 | grep -m53120 "^.[19][258]" |
cut -c17 | perl -nle 'undef $\; print $_' | sed -e 's/\(........\)/\1 /g' |
xargs ./bin2file -w secret_destega
eddy22@elisabetha:~/myprog/bindump$ ./bindump lena_secret.bmp | grep -m53096 "^.....[4-9]" |
cut -c17 | perl -nle 'undef $\; print $_' | sed -e 's/\(........\)/\1 /g' |
xargs ./bin2file -w secret_destega
eddy22@elisabetha:~/myprog/bindump$ file secret_destega 
secret_destega: JPEG image data, JFIF standard 1.02
eddy22@elisabetha:~/myprog/bindump$ cp secret_destega secret_destega.jpg

I'd like to explain that -m53120 and -m53096 are the number of bits to extract for the first and second half of the secret: 830 lines of 64 bits each make 53120 bits, and 13277 bytes * 8 - 53120 leaves 53096 bits for the second half. Last thing, as I wrote in my last post: the output file given to bin2file is opened in append mode, which is what lets the two extraction runs write into the same secret_destega.
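The same scheme, as an added example that is not the post's stega.pl or bin2file, working directly on bytes instead of bindump text: a "line" is the 8-byte block at offset 8*k, the selector regex is tested against the zero-padded 8-digit offset, and one secret bit goes into the LSB of the first byte of each selected line. It adds two things the shell pipeline lacks: a capacity check (stega.pl just stops when it runs out of matching lines and silently drops the tail of the secret) and the split across any number of containers. Note that the bitmap rule ^.....[4-9] first matches at offset 400, so the 54-byte BMP header is never touched and changing the LSB of raw pixel bytes is invisible, whereas the mp3 rule ^.[19][258] selects bytes deep in the file that may belong to a frame header, so a player may glitch on that frame. Here the secret is split into equal byte ranges rather than into 830 bindump lines as in the post, but the -m arithmetic is the same (8 bits per byte of each part). Carriers and secret are constructed test data; the selectors are the post's.

```python
"""LSB steganography keyed on the bindump offset column.

Added example, not the post's stega.pl or bin2file.  Carriers and the
secret are constructed test data; only the two selector regexes come from
the post.
"""
from __future__ import annotations

import random
import re

LINE_BYTES = 8                     # bindump shows 8 bytes per line
BMP_SELECTOR = r"^.....[4-9]"      # the post's bitmap rule: 6th offset digit 4-9, first match at 400
MP3_SELECTOR = r"^.[19][258]"      # the post's mp3 rule: needs offsets >= 1,200,000
SECRET = b"eddy22 was here\n" * 3  # 48 constructed bytes to hide


def carrier_positions(carrier_len: int, selector: str) -> list[int]:
    """Offsets of the first byte of every bindump line whose offset matches selector."""
    rx = re.compile(selector)
    return [off for off in range(0, carrier_len, LINE_BYTES) if rx.match(f"{off:08d}")]


def to_bits(data: bytes) -> list[int]:
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def from_bits(bits: list[int]) -> bytes:
    if len(bits) % 8:
        raise ValueError("bit count is not a multiple of 8")
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def embed(carrier: bytes, secret: bytes, selector: str) -> bytes:
    """One secret bit per selected line, written into the LSB of that line's first byte."""
    positions = carrier_positions(len(carrier), selector)
    bits = to_bits(secret)
    if len(bits) > len(positions):          # stega.pl would silently drop the tail here
        raise ValueError(f"carrier offers {len(positions)} bits under {selector!r}, "
                         f"secret needs {len(bits)}")
    out = bytearray(carrier)
    for pos, bit in zip(positions, bits):
        out[pos] = (out[pos] & 0xFE) | bit
    return bytes(out)


def extract(carrier: bytes, selector: str, nbits: int) -> bytes:
    """Counterpart of `grep -m<nbits> <selector> | cut -c17`: read nbits LSBs back."""
    positions = carrier_positions(len(carrier), selector)
    if nbits > len(positions):
        raise ValueError("asked for more bits than the selector can yield")
    return from_bits([carrier[pos] & 1 for pos in positions[:nbits]])


def split_and_hide(secret: bytes, containers: list[tuple[bytes, str]]) -> tuple[list[bytes], list[int]]:
    """Split secret evenly across containers; returns the stego files and the -m bit counts."""
    chunk = -(-len(secret) // len(containers))     # ceiling division
    parts = [secret[i * chunk:(i + 1) * chunk] for i in range(len(containers))]
    stegos = [embed(carrier, part, sel) for (carrier, sel), part in zip(containers, parts)]
    return stegos, [len(p) * 8 for p in parts]


def recover(stegos: list[tuple[bytes, str]], nbits: list[int]) -> bytes:
    """Concatenate the parts back, like two bin2file runs appending to one output file."""
    return b"".join(extract(c, sel, n) for (c, sel), n in zip(stegos, nbits))


def demo() -> dict:
    rnd = random.Random(22)
    lena = bytes(rnd.getrandbits(8) for _ in range(4000))    # constructed stand-in for lena.bmp
    other = bytes(rnd.getrandbits(8) for _ in range(4000))   # constructed second container
    stegos, nbits = split_and_hide(SECRET, [(lena, BMP_SELECTOR), (other, BMP_SELECTOR)])
    recovered = recover([(stegos[0], BMP_SELECTOR), (stegos[1], BMP_SELECTOR)], nbits)
    try:
        embed(lena, SECRET, MP3_SELECTOR)
        mp3_rule_fits = True
    except ValueError:                    # no offset below 1,200,000 matches ^.[19][258]
        mp3_rule_fits = False
    return {
        "recovered": recovered,
        "nbits": nbits,                                      # the -m values for extraction
        "capacity_bits": len(carrier_positions(len(lena), BMP_SELECTOR)),
        "header_untouched": stegos[0][:400] == lena[:400],   # nothing before offset 400 is selected
        "mp3_rule_fits": mp3_rule_fits,
    }


if __name__ == "__main__":
    print(demo())
```

On a 4000-byte carrier the bitmap rule yields 300 positions (offsets 400-992, 1400-1992, 2400-2992, 3400-3992), i.e. 37 bytes per container, while the mp3 rule yields none; that is exactly why the post reaches for a 10 MB mp3 and why the -m counts have to be carried along with the stego files.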

Here is the secret file:

secret file