I’m sure you all have solved this last crypto challenge, but in case you haven’t, this is a short write-up on how to get the hidden message.
You can use different tools to achieve what is described below. I’m going to use GNU/Linux command-line tools to get the message out of the file. Let’s go.
Looking into the image
First we have to be able to take a look at the contents of that noisy image. The easiest way to do this is with the convert tool from the ImageMagick package, converting the original grey-scale PNG into a plain PGM:
$ convert stego2.png stego2.pgm
The PGM format is quite convenient because it stores all the pixel data uncompressed right after a small header. This makes it easy to get at the pixels without writing any code or using special tools. So, the PGM file looks like this:
$ head -c 30 stego2.pgm
P5
653 55
255
-FLAC-
fLaC
The value 30 is just an arbitrary number (I already know which value I have to put there :P), but, as you can see, the header is around that size.
We can see the initial format identifier P5. Then we find the image dimensions and finally the maximum pixel value, which determines the pixel encoding. In this case, 255 means that each pixel is 1 byte (256 values).
FLAC
Those are the contents of the standard PGM header. The string -FLAC- we find right after it is actually the value of the first 5 pixels in the image. If you do not know what FLAC is, you can do a quick search on the web.
If you are lazy like me, keep reading. FLAC ( https://en.wikipedia.org/wiki/FLAC ) is an audio file format supporting lossless compression. That makes sense: compression will obfuscate the original message, and the lossless nature of the format means we can use bit-masking techniques like the ones we already know ( [CryptoChallenge] Basic Stego - Making Of (Spoiler warning) ).
If you take a look at a FLAC file, you will find out that the format uses a magic string at the beginning of the file. That is common to many file formats. The magic bytes for the FLAC format are fLaC. That is the string just after the first -FLAC-… So, let’s ignore the first -FLAC-, which does not fit the FLAC format, and extract what follows.
An audio file
To get the FLAC file out of our PGM image we first have to find the offset of the data we are interested in and then dump that data into a file:
$ xxd stego2.pgm | head -n 5
0000000: 5035 0a36 3533 2035 350a 3235 350a 2d46 P5.653 55.255.-F
0000010: 4c41 432d 0a66 4c61 4300 0000 2210 0010 LAC-.fLaC..."...
0000020: 0000 0575 001c b902 b110 f000 0053 fd80 ...u.........S..
0000030: 09c2 40f2 b686 21da 8ead 18cf e8e9 e103 ..@...!.........
0000040: 0000 1200 0000 0000 0000 0000 0000 0000 ................
Just counting, we find out that the fLaC string begins at the 22nd byte of the file (counting from 1, which is how tail -c +N counts; the hex dump above shows it at 0-based offset 0x15). Let’s extract the file:
$ tail -c +22 stego2.pgm > stego2.flac
$ play stego2.flac
stego2.flac:
File Size: 35.9k Bit Rate: 147k
Encoding: FLAC Info: Processed by SoX
Channels: 1 @ 16-bit
Samplerate: 11025Hz
Replaygain: off
Duration: 00:00:01.95
In:95.3% 00:00:01.86 [00:00:00.09] Out:20.5k [!=====|=====!] Clip:0
Done.
play WARN flac: decoder MD5 checksum mismatch.
You should hear some audio when playing back the FLAC file.
Accessing Audio Samples
Now that we have our audio file, let’s look into it. The FLAC format is compressed, so do not waste time dumping the file as it is: we have to decompress it to be able to look at what is inside.
For doing this, we are going to use the sox tool. This is a really handy command-line audio tool that can convert between different audio formats and apply some transformations to the audio stream. One of the formats it supports is raw samples… that format looks convenient.
$ sox stego2.flac stego2.raw
$ xxd stego2.raw | head
You should now be able to read the message. However, as I used 16 bits to encode the audio samples and the 8 lower bits to store the message, you have to skip one out of every two bytes or do a little programming/scripting to read the message.
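As an added example that is not part of the original write-up, here is a small Python script that does the two steps above programmatically: it parses the PGM header to find where the raster starts, locates the fLaC magic inside the raster and cuts the FLAC stream out (which also gives the N for tail -c +N), and then strips the low byte from each 16-bit sample of the raw file sox produced. It assumes sox wrote signed 16-bit little-endian samples (its native-endian default on x86); the sample inputs at the bottom are constructed here, not taken from the challenge file.

```python
import struct

FLAC_MAGIC = b"fLaC"

def parse_pgm_header(data: bytes):
    """Parse a binary PGM (P5) header.
    Returns (width, height, maxval, raster_offset); the raster starts right
    after the single whitespace byte that follows maxval. PGM comments are
    not handled (the challenge file has none)."""
    tokens, pos = [], 0
    while len(tokens) < 4:
        while data[pos:pos + 1].isspace():
            pos += 1
        start = pos
        while pos < len(data) and not data[pos:pos + 1].isspace():
            pos += 1
        tokens.append(data[start:pos])
    if tokens[0] != b"P5":
        raise ValueError("not a binary PGM")
    return int(tokens[1]), int(tokens[2]), int(tokens[3]), pos + 1

def extract_flac(pgm: bytes) -> bytes:
    """Cut the embedded FLAC stream out of the raster, starting at the fLaC
    magic and skipping the decoy '-FLAC-' pixels that precede it."""
    _, _, maxval, raster = parse_pgm_header(pgm)
    if maxval != 255:
        raise ValueError("expected 1 byte per pixel")
    idx = pgm.find(FLAC_MAGIC, raster)
    if idx < 0:
        raise ValueError("no fLaC magic found in the raster")
    return pgm[idx:]

def low_bytes(raw_pcm: bytes, little_endian: bool = True) -> bytes:
    """Return the low 8 bits of every signed 16-bit sample (where the message
    was stored). Assumes the sox default of native, i.e. little-endian, order."""
    n = len(raw_pcm) // 2
    samples = struct.unpack(("<" if little_endian else ">") + "%dh" % n, raw_pcm[:2 * n])
    return bytes(s & 0xFF for s in samples)

# Constructed sample inputs (not the real challenge data): a PGM whose raster
# begins like the one in the hex dump, and five 16-bit samples carrying "hello"
# in their low bytes with arbitrary high bytes.
SAMPLE_PGM = b"P5\n653 55\n255\n-FLAC-\n" + FLAC_MAGIC + b"\x00\x00\x00\x22" + b"\x00" * 8
SAMPLE_RAW = b"".join(bytes([c, hi]) for c, hi in zip(b"hello", [0x12, 0xF0, 0x7F, 0x80, 0x00]))

if __name__ == "__main__":
    print("fLaC at 0-based offset", SAMPLE_PGM.find(FLAC_MAGIC), "-> tail -c +%d" % (SAMPLE_PGM.find(FLAC_MAGIC) + 1))
    print("message:", low_bytes(SAMPLE_RAW).decode())
```

On the real file, read stego2.pgm into extract_flac and stego2.raw into low_bytes; the low bytes of samples that carry no message will be noise, so look for the printable run.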