
Steganography 22


By elmiguel | 11317 Reads

Hello everyone. If you are here, that means you are stuck on how to attack this challenge. For this challenge, you will need to read up on JPEG header information and how to convert decimal numbers to hexadecimal numbers. In this article, you will learn a little about JPEG headers and how to look at this challenge Outside the box.

JPEG headers are the main construct of the image. They carry all the information about the image. When you open an image in a viewer, it first loads these headers, which are triggered by viewing markers. The first marker is called the SOI, or Start of Image, marker. This marker tells the rendering application that it is a JPEG image and that it is a standard image that can be read by any platform. This marker is shown as JFIF. After the SOI marker is read, a series of other markers follows: the header information. Each header holds a specific attribute of the image and is immediately followed by two bytes that set the length of the header's information. A marker starts with the hexadecimal byte FF. Here is a basic outline of what image headers look like.

– Copied, not my own layout! –

Start of Image (SOI) marker – two bytes (FFD8)

JFIF marker (FFE0)

• length – two bytes
• identifier – five bytes: 4A, 46, 49, 46, 00 (the ASCII code equivalent of a zero terminated "JFIF" string)
• version – two bytes: often 01, 02
  o the most significant byte is used for major revisions
  o the least significant byte for minor revisions
• units – one byte: Units for the X and Y densities
  o 0 => no units, X and Y specify the pixel aspect ratio
  o 1 => X and Y are dots per inch
  o 2 => X and Y are dots per cm
• Xdensity – two bytes
• Ydensity – two bytes
• Xthumbnail – one byte: 0 = no thumbnail
• Ythumbnail – one byte: 0 = no thumbnail
• (RGB)n – 3n bytes: packed (24-bit) RGB values for the thumbnail pixels, n = Xthumbnail * Ythumbnail

Define Quantization table marker (FFDB)

• the first two bytes, the length, after the marker indicate the number of bytes, including the two length bytes, that this header contains
• until the length is exhausted (loads two quantization tables for baseline JPEG)
  o the precision and the quantization table index – one byte: precision is specified by the higher four bits and index is specified by the lower four bits
    ▪ precision in this case is either 0 or 1 and indicates the precision of the quantized values; 8-bit (baseline) for 0 and up to 16-bit for 1
  o the quantization values – 64 bytes
    ▪ the quantization tables are stored in zigzag format

Define Huffman table marker (FFC4)

• the first two bytes, the length, after the marker indicate the number of bytes, including the two length bytes, that this header contains
• until length is exhausted (usually four Huffman tables)
  o index – one byte: if >15 (i.e. 0x10 or more) then an AC table, otherwise a DC table
  o bits – 16 bytes
  o Huffman values – # of bytes = the sum of the previous 16 bytes

Start of frame marker (FFC0)

• the first two bytes, the length, after the marker indicate the number of bytes, including the two length bytes, that this header contains
• P – one byte: sample precision in bits (usually 8, for baseline JPEG)
• Y – two bytes
• X – two bytes
• Nf – one byte: the number of components in the image
  o 3 for color baseline JPEG images
  o 1 for grayscale baseline JPEG images
• Nf times:
  o Component ID – one byte
  o H and V sampling factors – one byte: H is first four bits and V is second four bits
  o Quantization table number – one byte

The H and V sampling factors dictate the final size of the component they are associated with. For instance, the color space defaults to YCbCr and the H and V sampling factors for each component, Y, Cb, and Cr, default to 2, 1, and 1, respectively (2 for both H and V of the Y component, etc.) in the Jpeg-6a library by the Independent Jpeg Group. While this does mean that the Y component will be twice the size of the other two components–giving it a higher resolution, the lower resolution components are quartered in size during compression in order to achieve this difference. Thus, the Cb and Cr components must be quadrupled in size during decompression.

Start of Scan marker (FFDA)

• the first two bytes, the length, after the marker indicate the number of bytes, including the two length bytes, that this header contains
• Number of components, n – one byte: the number of components in this scan
• n times:
  o Component ID – one byte
  o DC and AC table numbers – one byte: DC # is first four bits and AC # is last four bits
• Ss – one byte
• Se – one byte
• Ah and Al – one byte

Comment marker (FFFE)

• the first two bytes, the length, after the marker indicate the number of bytes, including the two length bytes, that this header contains
• whatever the user wants

End of Image (EOI) marker (FFD9)

• the very last marker

(Taken from James R. Weeks: http://www.obrador.com/essentialjpeg/headerinfo.htm)

– End of Copy –
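Added example (not part of the original article or of the copied layout): a small Python walker that follows the marker / two-byte length structure outlined above and decodes the JFIF, Start of frame and Comment headers. The function names and the header-only sample bytes are constructed for illustration; the sample is not a decodable image.

```python
import struct

# Marker codes named in the layout above (the byte that follows FF).
NAMES = {0xD8: "SOI", 0xE0: "APP0/JFIF", 0xDB: "DQT", 0xC4: "DHT",
         0xC0: "SOF0", 0xDA: "SOS", 0xFE: "COM", 0xD9: "EOI"}

def walk_segments(data):
    """Return [(name, offset, length, info)] for each header up to SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker (FFD8)")
    out, pos = [("SOI", 0, 0, {})], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected FF marker prefix at offset {pos}")
        code = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad length {length} at offset {pos}")
        body = data[pos + 4:pos + 2 + length]  # length counts its own 2 bytes
        info = {}
        if code == 0xE0 and body[:5] == b"JFIF\x00":
            units, xd, yd = struct.unpack(">BHH", body[7:12])
            info = {"version": (body[5], body[6]), "units": units,
                    "density": (xd, yd)}
        elif code == 0xC0:
            p, y, x, nf = struct.unpack(">BHHB", body[:6])
            info = {"precision": p, "Y": y, "X": x, "components": nf}
        elif code == 0xFE:
            info = {"comment": body}
        out.append((NAMES.get(code, f"FF{code:02X}"), pos, length, info))
        if code == 0xDA:  # entropy-coded scan data follows; stop here
            break
        pos += 2 + length
    return out

def sample_jpeg_headers():
    """Constructed header-only byte string (not a decodable image)."""
    def seg(code, body):
        return bytes([0xFF, code]) + struct.pack(">H", len(body) + 2) + body
    app0 = b"JFIF\x00" + bytes([1, 2, 1]) + struct.pack(">HHBB", 72, 72, 0, 0)
    sof0 = struct.pack(">BHHB", 8, 300, 400, 1) + bytes([1, 0x11, 0])
    sos = bytes([1, 1, 0x00, 0, 63, 0])
    return (b"\xff\xd8" + seg(0xE0, app0) + seg(0xFE, b"constructed sample")
            + seg(0xC0, sof0) + seg(0xDA, sos))

if __name__ == "__main__":
    for name, off, length, info in walk_segments(sample_jpeg_headers()):
        print(f"{off:#06x} {name:<10} len={length:<4} {info}")
```

To inspect a real file, pass its bytes instead of the sample: walk_segments(open(path, "rb").read()).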

Now that you have a basic understanding of how a JPEG image is rendered, you can start thinking about how Steg22 can be withholding or providing information.

For the final part you need to “think Outside the box”. Think on that for a bit; it will come to you. Once you figure out that little riddle, congrats!

I would like to thank System_Meltdown for pointing me in the right direction for this challenge. Without his knowledge I would still be lost.

Edited due to spoilers - elmiguel

Comments
ghost 14 years ago

*sigh. Too many spoilers. You'd rather give them the answer lol. Anyways, it was a good informative article about JPEG image header.

korg 14 years ago

Not too many spoilers, at least not in my opinion. Hell, I haven't got it yet and I've had this article for a month. :@

ghost 14 years ago

You have? Then why wasn't this published sooner?

ghost 14 years ago

@korg, when you solve this challenge you will know then why I said this. BTW, me and system_meltdown think that this article should be edited so I contacted elmiguel.

korg 14 years ago

If you contacted system, he could have edited this himself. If you think something is a spoiler, PM me and I will edit it. I don't see anything but info that is readily available about a JPEG image. @Spy I didn't want it out too soon. Again, if something is out of line let me know.

Mouzi 14 years ago

The rest of the article makes it sound like it has nothing to do with JPEG headers and is just some HEX joke/wordplay and not applicable as stegano for any information like 19 was. I don't know if that's the case but it just made it sound like that. If it was just a technical stegano with JPEG headers, what's the need for riddles and "find and replace all", which usually has unpredictable results?

elmiguel 14 years ago

Edited. Hope that it's all good now.

korg 14 years ago

@Moshbat pen test 2 was a joke, doesn't need spoilers, they're already there.

korg 14 years ago

This article is no help in finishing the challenge. I did it and NOTHING in here helps or pertains to the challenge. Might just delete this so people aren't misled.

mido 14 years ago

Dude, you could have just posted a link to the web page, duh.

4rm4g3dd0n 13 years ago

Well, whatever spoilers there were are gone now, so all I can say is my head hurts. Looks like alien trigonometry. What the hell are you talking about?