A great dragon known as Steganos
Steganos Key Relief (Reducing the key search burden)
stego
Advanced
Steganography
21 April 1998
by caprine
Courtesy of Fravia's page of reverse engineering
 
This essay is one of the best I have ever read. Don't be fooled by the appearances. There is real knowledge inside, and Caprine is indeed, as he writes, a kind and gentle Fravia king. And he has beaten the Steganos Dragon. As you will read (and enjoy).
Long life to King Caprinus! Let's hope that he won't stop once he has reached the advanced pages; they are the path, not the goal, as he writes, and we'll need Caprine more and more, because a great darkness came over our programmer's land.

Signed: Fravius crux, keeper of the knowledge.
There is a crack, a crack in everything. That's how the light gets in.
Rating
( )Beginner (x)Intermediate ( )Advanced ( )Expert

An essay on brute forcing Steganos.

A great dragon known as Steganos
Steganos Key Relief (Reducing the key search burden)
Written by caprine (caprine@thevortex.com)


Introduction
This is my second visit with Steganos. My first go round with Steganos was very similar
to Jean Flynn's dictionary approach. Although I was able to find the password
that way, I wasn't thrilled with downloading tons of text and creating word lists.
I had discovered Steganos's checksum early on. mrf explains the checksum in his
essay. As a matter of fact, I think I made a remark somewhere that using the checksum you
should be able to brute the password in 11 hours.
So, now it's time to do it.
I'll assume that you have read the other essays because there is information there that
I'm not going to rehash. [no pun intended]


Tools required
Steganos95
C++ Compiler (with inline assembler, or)
TASM
a sense of humor, slightly askew

Target's URL/FTP


t_tamra7.zip
Program History
see below

Essay

All this Steganos stuff reminds me of a story told to me as a young child. It went something 
like this.

A long long time ago in a mythical kingdom known as Sifer, a great darkness came over the land.
The citizens of Sifer were terrified and sent forth a messenger to the king. Now, Caprineous was
king over all of Sifer, and was a kind and gentle king. He was also tall, strong, very
handsome, and the most intelligent of all throughout the kingdom. (Hey, it's my story.) The
messenger came to Caprineous and told him of the great darkness. He said the citizens had
heard rumors of a great dragon that was going forth throughout all the lands of earth,
devouring knowledge and hiding it from the eyes of men. "If this great dragon known as Steganos
comes to our land I fear we shall all perish. The people of Sifer beg you, dear king, rid us of
the beast." The king then replied, "Tell all the people of Sifer that I will learn of this
great dragon in order to defeat it." The king then summoned his faithful servant Netscapian.
Now, Netscapian had magical powers. He was able to travel to far and distant lands in a twinkle
of an eye. The king spoke, "Netscapian, go forth into your magic realm and bring back to me all
the scrolls that people have written about this great and terrible dragon, Steganos." So
Netscapian went out, as if a bolt of lightning, and returned. "My king," Netscapian spoke, "I
have brought to you scrolls from a far and distant land, across great waters. I have found these
scrolls in a strong fortress, guarded with high walls. The keeper of these scrolls has prepared
much knowledge about this Steganos dragon and other dragons of its kind. He has placed these
scrolls in a special room where only those found worthy of reading the scrolls may enter. He has
also sent with me this painting of a young girl. He has told me the name of this special room
is contained in a scroll hidden by the dragon in this painting so that no mortal man may read
it. He has also sent this still beating heart of a Steganos dragon and has told me that it
contains the secrets of the dragon and must be studied. The Scrollkeeper has also told to me a
riddle to be solved." At this the king clenched his fists, raised his arms to the heavens and
in pain and anger shouted out, "Why must these mythical stories always have to have a damn
riddle?" "Continue, Netscapian," the king quietly spoke. "The riddle, my king, is: only one key
will take away the Steganos magic and reveal the secret gate. And that one key is the name
of one of our citizens. We must shout out that citizen's name to the still beating Steganos
heart and the scroll that contains the secret gate will appear to us."
(Now, I must give you a little background on the naming of citizens in Sifer. In the very early
days of Sifer, even before the first king was crowned, the name tag makers got together and
decided among themselves that, in order to reduce expenses and maximize profits, all names
should be 8 characters. Now since the early Siferians considered themselves very good at math,
they treated numbers as almost sacred, so they could not be part of a name. The Siferians were
also a people of little emotion, so punctuation symbols could not be used in a name either.
But, above all, the Siferians were a humble people, therefore capital letters were not to be
used in a name. So, that meant that all names were 8 characters comprised of the letters a..z.
Now the population of Sifer is exactly 208,827,064,576 (26 to the 8th power). Fortunately, they
are a very skinny people and didn't take up a lot of room. Now, every citizen in Sifer has a
unique name, so all the names have been taken. Well, as luck would have it, a strange almost
magical twist of fate has fallen on Sifer. For every Siferian that passes on, one and only one
child is born and it inherits that name. Amazing, isn't it. Anyway, I think you get the drift
behind this whole name thing.)
The king then said, "I shall summon my good and trusted friend Winicus, and together we shall
look at this Steganos heart and view its secrets." So the king and Winicus studied the heart
for some hours and discovered much about it.
As the king was pondering this riddle and the secrets revealed, Lamerious came into the room
and queried the king as to his thoughts. And the king relayed to Lamerious the whole story.
Now, Lamerious was known throughout the land as almost a jester. He professed to know many great
things, and oft spoke in words that impressed. But everyone knew that he knew little.
"Lamerious," the king said, "I have a vision to learn the name of the citizen that will lead
to the hidden scroll. I wish to tell it to you and see if it may be of merit."
Now he spoke to Lamerious of extracting the words of the painting to a scroll. It turns out
that other kings and noblemen on earth had also fought the Steganos dragon and have recorded on
scrolls how they have defeated it. Please read them all, but a scroll by a fine nobleman, Jean
Flynneus, shows us how to extract the words hidden in the painting to a .SEF scroll. Also,
another noble one, mrf, has written a scroll showing us the working of the magical checksum
number. (Obviously, mrf comes from a land that has a worse naming policy than Sifer.) To
continue, the king spoke out, "Let us first extract the words from the painting to a SEF scroll
and examine it." So they proceeded to do this much as Jean Flynneus did. "There, we have it," said
the king and he laid it on a table. Here is what the scroll contained:

00000000 5374 6567 616E 6F73 456E 6372 7970 7465 SteganosEncrypte
00000010 6446 696C 6500 0100 8AA3 4382 E6AB 80E1 dFile.....C.....
00000020 A187 8532 C57D 0FB3 A200 9CCC D3F1 0B39 ...2.}.........9
00000030 5D0A E91E 266D 19AC 4DE1 76E6 CA23 D3A8 ]...&m..M.v..#..
00000040 CD17 464E 1EFC 521E 47E9 6086 5A7B 1B6F ..FN..R.G.`.Z{.o
00000050 6796 8697   
                           
The king spoke, "I have learned with my friend Winicus that this magic checksum number is at
offset 0x18 of this scroll. We have also revealed that at offset 0x19 begins the confounded
name of the scroll. The gatekeeper has told to us the scroll is to be called 'adva.txt'. So, if
we shout out to the Steganos heart the correct citizen's name, the byths (Sifer equivalent to a
byte) at 0x19 through 0x1f will become unjumbled before our eyes to spell 'adva.txt'. I also
know that the byte following will unjumble to be null."
"I know that to test the name of every one of 208827064576 citizens would take too long and we
would surely perish before we could find it. I have thought much about the magic checksum test
that every name must first pass to be worthy. Since it is a byth long, I may in effect divide
my total population by 256. This will leave us with about 816 million names that are worthy to
be tested. If we can test these names at 20,000 names per second it shall only take about 11
hours to exhaust the list. Let us first examine this magical checksum calculation," as the
king wrote it down.

checksum = ((char_1 ^ (char_2*2) ^ (char_3*3) ^ (char_4*4))
          ^ ((char_5*5) ^ (char_6*6) ^ (char_7*7) ^ (char_8*8))) & 0xFF;

Then Lamerious spoke up, "That is a noble thought, my king, but still you must perform this
checksum calculation on 208827064576 names. This itself will take too long and we shall
die." The king replied, "Yes, that is correct, but be patient for there is more. If one were to
split this calculation in two, then the left half xored with the right half would be equal to
our checksum of 8a. So, if we began with 0 as the left_checksum then 8a would have to be the
right_checksum. If 1 was left, then 1^8a would be right. So, Lamerious, we have 256
possibilities of 4 character halves. I have also learned that the left_checksum, with the
characters we use in our naming policy, will always be between 0 and 127. Therefore,
we shall cycle left_checksum from 0 to 127 and calculate right_checksum. Now, on every cycle of
this, we shall also cycle through every 4 character combination of a..z. For each 4 characters
we shall perform a left and right calculation.

        left  = (char_1 ^ (char_2*2) ^ (char_3*3) ^ (char_4*4)) & 0xFF;
        right = ((char_1*5) ^ (char_2*6) ^ (char_3*7) ^ (char_4*8)) & 0xFF;

If the left calculation is equal to the left_checksum, we will write down the 4 characters and
place them on a table. If the right calculation is equal to the right_checksum, we will write
down the 4 characters and place them on a second table. We know that all the combinations of
the left table and the right table will pass the magic checksum test. Lamerious, go fetch us 2
tables that we may place the characters." Lamerious was half way out the door when he turned
with a puzzled look. "How large should the tables be?", he asked. "I have done calculations on
this, Lamerious, and have found that the distribution of the 4 character combinations is not
exactly even throughout the checksums. I have found the largest number of 4 characters of any
left checksum to be 3793, and 1853 for the rights. So, Lamerious, the tables shall be large
enough to hold that many." So Lamerious went on his way in search of the two tables but was
quickly sidetracked with the offer of a free smut scroll. Well, king Caprineous never intended
to do this manually but he thought it was a good way to rid himself of Lamerious. Have I
mentioned that Caprineous was a kind, smart, good looking king before? The king said to himself,
"We can surely do this thing, and it shall be good and the citizens of Sifer will rejoice." The
king then called for Ceplusiam, a general in his army. "Ceplusiam, you are a strong and swift
warrior. Together we shall conjure up a spirit to carry out a list of instructions we shall
prepare." So the king and Ceplusiam wrote down these instructions and began conjuring the spirit.
After fixing a few minor conjure errors, there it was, the most vile and disgusting of all
creatures. This thing had no understanding, it didn't care to have understanding. It stood like
a chunk of frozen ice, expressionless, emotionless; its only purpose was to carry out the
instructions. And the king called the creature Brutus. Then Caprineous drew his sword from its
sheath and handed it and the list of instructions to Ceplusiam and spoke, "Give these to Brutus
and release him so we may see if he is strong enough." So Ceplusiam handed the sword and
instructions to Brutus and unchained him. "My lord," Ceplusiam spoke, "I have observed Brutus
and found him to cut through 14,000 of the names per second." The king was saddened; at that rate
it would take 16 hours to empty the list of names and the Steganos dragon was drawing nearer to
his border. "Ceplusiam, you are indeed a great and swift general, but I fear that in order to
retrieve the name in time we must beg for assistance from Assemblius." "But my lord, you know
that Assemblius can be such a hard one to work with at times!", Ceplusiam retorted. "Yes, I
know, Ceplusiam, but he is the only one who truly knows the inner workings of such creatures."
So the king sent for Assemblius, and Ceplusiam and Assemblius worked together to strengthen
Brutus. And they gave to Brutus the sword and the instructions. "My king," Ceplusiam spoke,
"Brutus will now cut through 19,000 of the names per second, and it shall take 12 hours to
exhaust the list." The king thought to himself, "This, I suppose, shall be acceptable, but is
there more I can do, as the dragon even now is entering our land?" "I have given to Brutus my
Pentius133 sword, a fine and sharp sword, but there are newer, sharper swords available. But
Inteliam produces a sharper sword every 18 months; I certainly can not buy a new sword that
often." Along with being very bad at naming, the Siferians were not a terribly affluent
civilization. They were not poor, but they didn't live in luxury either. Well, all except the
name tag makers, who were doing quite well. It was almost morning and Caprineous was preparing to
travel forth into Corporatus Americus, where he and millions were daily forced to pay tribute.
Then a thought came over him. Corporatus Americus had many of the Pentius233 swords. He would
simply take Brutus with him and borrow the swords. So, early in the morn, while the IS
overseers were still sleeping off the drunkenness of their own importance, the king smuggled
Brutus into the swordsmanship training room. There he withdrew a Pentius233 and turned it over to
Brutus. He watched Brutus slicing his way through the name list at 36,000 names a second.
Caprineous was pleased. In 6.25 hours the name that would unlock the gate would be his. He left
Brutus and went to pay tribute to the Corporatus statue. At noon time a great bell rang throughout
the land and the people began salivating. Caprineous went back to the training room where
Brutus had been slicing away for 4.5 hours. The king walked into the room and there stood
Brutus with a name in his hand. The king was very excited, and he thought he saw a little smirk
on Brutus's face. That evening when they returned home to Sifer, they stood before the Steganos
heart and shouted out the name Brutus had found. And lo and behold, the adva.txt appeared before
them. The king slowly unrolled the scroll and learned the name of the gate at the scroll keeper's
fortress. Caprineous then summoned again Netscapian and said, "My good and faithful servant,
take me to the scroll keeper's fortress so I may enter this gate and gain knowledge to defeat the
dragon." So, in the blink of an eye, Netscapian and Caprineous were standing before the gate.
Caprineous shouted out the name of the gate and behold, it opened. Netscapian and the king
walked into the scroll room. There they saw scrolls from other kings and wizards. There were
even scrolls from the wizard who conjured up the Steganos dragon. After the king had read these
scrolls he realized that the knowledge they contained was only a first step. Much more had to
be learned about the Steganos dragon and other dragons of its kind. He also learned that the
Steganos dragon was not evil after all, but simply pissed off about silly export laws. So the
king and Netscapian returned home to Sifer and gathered all the people together for a large
celebration. Everyone was there, including the Steganos dragon, whom they found to be very
friendly and an all-round nice guy. The king shouted out, "We have learned many things on this
adventure. 1. There is no substitute for a sharper sword. 2. Disqualify citizens' names as
quickly as possible. 3. Arrange your list of instructions so as to maximize Brutus's
effectiveness. This will help you avoid pipeline stalls and better use caches. The instructions
we gave Brutus have plenty of room for even more improvements. Maybe some other king or wizard
will write scrolls on this. But for now, let's party." So there was a great party with singing
and drinking and eating. And as the king looked around he saw that it was good. There was
Brutus with a group of citizens and as he walked up he could hear the conversation. Brutus was
saying, "How many Siferians does it take to screw in a light bulb? Only one, if he can decrypt
it." "The important thing," the king thought to himself, "is that Brutus is trying." The king
turned around and saw Lamerious talking with the Steganos dragon. And Lamerious was telling the
dragon how it was really Lamerious who had figured the riddle out. And all of a sudden a huge
fire came forth from the dragon. A deafening silence came over the room. The king walked over as
the smoke cleared and there was Lamerious covered with soot from head to toe. Every hair on his
body had burnt off. Lamerious just stood there not knowing whether to run or beg for mercy.
Caprineous turned slowly to face Steganos and after a brief pause exclaimed, "Nice flame." And
everyone started laughing and drinking again and everyone was having a real great time. The
Steganos dragon would shoot out flames and people would light cigarettes and cigars off it, and
roast those little cocktail weenies. And as Sifer partied on into the night the king thought,
"We shall write down in a scroll all that we have seen here that others may learn what has been
done here. And we shall send it to the scroll keeper that, if it is worthy, it also shall be
placed behind the secret gate."

And that is the tale as told to me, to the best of my recollection.
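To put numbers behind the king's key-relief argument, here is an added example of my own (not caprine's Brutus and not Steganos code) in plain C that implements the checksum and its left/right split, then counts rather than stores the two tables over all 26^4 four-letter halves. It shows that the left value never leaves 0..127, how many rows Lamerious's tables need (the essay reports 3793 and 1853), and how many of the 208827064576 names survive the 0x8a header checksum, which is exactly why an 8-bit checksum stored in the header is a key leak:

```c
#include <stdio.h>
/* Steganos's 8-bit checksum of an 8-letter name, as the essay writes it */
unsigned int steganos_checksum(const unsigned char *n)
{
    return ((n[0] ^ (n[1]*2) ^ (n[2]*3) ^ (n[3]*4)) ^
            ((n[4]*5) ^ (n[5]*6) ^ (n[6]*7) ^ (n[7]*8))) & 0xFF;
}
/* The same calculation split in two: for any name,
   left_half(name) ^ right_half(name + 4) == steganos_checksum(name). */
unsigned int left_half(const unsigned char *h) { return (h[0] ^ (h[1]*2) ^ (h[2]*3) ^ (h[3]*4)) & 0xFF; }
unsigned int right_half(const unsigned char *h) { return ((h[0]*5) ^ (h[1]*6) ^ (h[2]*7) ^ (h[3]*8)) & 0xFF; }
/* The king's two tables, counted rather than stored: how many of the 26^4
   lowercase halves produce each left value and each right value. */
static unsigned long left_count[256], right_count[256];
static int tables_built = 0;

static void build_tables(void)
{
    unsigned char h[4];
    if (tables_built) return;
    for (h[0] = 'a'; h[0] <= 'z'; h[0]++)
     for (h[1] = 'a'; h[1] <= 'z'; h[1]++)
      for (h[2] = 'a'; h[2] <= 'z'; h[2]++)
       for (h[3] = 'a'; h[3] <= 'z'; h[3]++) {
           left_count[left_half(h)]++;
           right_count[right_half(h)]++;
       }
    tables_built = 1;
}

/* Largest left value that occurs at all; the essay argues it is below 128 */
int max_left_value(void)
{
    int l, m = -1;
    build_tables();
    for (l = 0; l < 256; l++) if (left_count[l]) m = l;
    return m;
}

/* Largest bucket on one table: the row count Lamerious's table needs */
unsigned long largest_bucket(int right_table)
{
    const unsigned long *c = right_table ? right_count : left_count;
    unsigned long m = 0;
    int i;
    build_tables();
    for (i = 0; i < 256; i++) if (c[i] > m) m = c[i];
    return m;
}

/* Names passing a given header checksum: each left bucket joins the one
   right bucket whose value xors to the checksum. */
unsigned long long surviving_names(unsigned int checksum)
{
    unsigned long long total = 0;
    int l;
    build_tables();
    for (l = 0; l < 256; l++)
        total += (unsigned long long)left_count[l] * right_count[(l ^ checksum) & 0xFF];
    return total;
}

int main(void)
{
    printf("max left value %d, largest buckets: left %lu, right %lu\n",
           max_left_value(), largest_bucket(0), largest_bucket(1));
    printf("names passing checksum 0x8a: %llu of 208827064576\n", surviving_names(0x8a));
    return 0;
}
```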

/*
        Brutus

        copyblight@alongtimeago    Caprineous

        Built with a 16-bit C++ compiler with Borland-style inline
        assembler (near pointers, "offset", 16-bit registers), as listed
        under "Tools required".
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void)
{
    unsigned int l, lc, lr, x, y;
    static unsigned int index_left, index_right, checksum = 0x8a,
                        checksum_left4, checksum_right4, csl, csr;
    /* The two tables of 4-letter halves. Their sizes are the largest
       buckets found for any left (3793) and right (1853) checksum value. */
    static unsigned char key_left4[3793][4], key_right4[1853][4], key[256];
    static unsigned char state[256], init_state[256], counter;
    static unsigned char char_1, char_2, char_3, char_4, buffer[9], cte, xorIndex;
    /* Bytes from offset 0x19 of the .SEF header: the jumbled filename and
       its terminating null (see the hex dump above) */
    static unsigned char encrypted_filename[9] =
        {0xa3, 0x43, 0x82, 0xe6, 0xab, 0x80, 0xe1, 0xa1, 0x87};

    /* Identity permutation; copied into state[] before every name trial */
    for (l = 0; l < 256; l++) init_state[l] = l;

    /* With a..z names the left half of the checksum is always 0..127 */
    for (checksum_left4 = 0; checksum_left4 < 0x80; checksum_left4++)
    {
        printf(".");
        /* left ^ right must equal the header checksum found at offset 0x18 */
        checksum_right4 = checksum_left4 ^ checksum;
        index_left = 0; index_right = 0;

        /* Enumerate all 26^4 four-letter halves and file each one on the
           left table, the right table, both or neither */
        for (char_1 = 0x61; char_1 < 0x7b; char_1++) {
         for (char_2 = 0x61; char_2 < 0x7b; char_2++) {
          for (char_3 = 0x61; char_3 < 0x7b; char_3++) {
           for (char_4 = 0x61; char_4 < 0x7b; char_4++) {
            csl = (char_1 ^ (char_2*2) ^ (char_3*3) ^ (char_4*4)) & 0xFF;
            csr = ((char_1*5) ^ (char_2*6) ^ (char_3*7) ^ (char_4*8)) & 0xFF;
            if (csl == checksum_left4) {
             key_left4[index_left][0] = char_1;
             key_left4[index_left][1] = char_2;
             key_left4[index_left][2] = char_3;
             key_left4[index_left][3] = char_4;
             index_left++;
            }
            if (csr == checksum_right4) {
             key_right4[index_right][0] = char_1;
             key_right4[index_right][1] = char_2;
             key_right4[index_right][2] = char_3;
             key_right4[index_right][3] = char_4;
             index_right++;
            }
           }
          }
         }
        }

        /* Every left entry joined with every right entry passes the
           checksum; only these 8-letter names are tried against the heart */
        for (lc = 0; lc < index_left; lc++) {
         for (lr = 0; lr < index_right; lr++) {

          memcpy(state, init_state, 256);

          /* Build key array: write the 8-byte name (left4 then right4)
             into key[] 0x20 = 32 times over, filling all 256 bytes */
          asm {
            mov  di,offset key_left4
            mov  si,offset key_right4
            mov  bx,offset key
            mov  ax,lc
            shl  ax,2
            add  di,ax
            mov  ax,lr
            shl  ax,2
            add  si,ax
            mov  cx,0x20
          key_loop:
            mov  ax,word ptr[di]
            mov  word ptr[bx],ax
            add  di,2
            mov  ax,word ptr[di]
            add  bx,2
            mov  word ptr[bx],ax
            sub  di,2
            add  bx,2
            mov  ax,word ptr[si]
            mov  word ptr[bx],ax
            add  si,2
            mov  ax,word ptr[si]
            add  bx,2
            mov  word ptr[bx],ax
            sub  si,2
            add  bx,2
            loop key_loop
          }

          /* Prepare key: RC4-style key scheduling over state[], with al as
             the running index j (j += key[i] + state[i], then swap state[i]
             and state[j]). cx = 0xff, so as written the loop makes 255 passes. */
          asm {
            xor  ax,ax
            mov  di,offset key
            mov  bx,offset state
            mov  cx,0xff
          rchar_4:
            add  al,byte ptr[di]
            add  al,byte ptr[bx]
            and  ax,0xff
            mov  si,ax
            mov  dl,[bx]
            mov  dh,state[si]
            mov  [bx],dh
            mov  state[si],dl
            inc  bx
            inc  di
            loop rchar_4
          }

          /* Generate 9 keystream bytes RC4-style and unjumble the filename.
             Steganos's twist: each byte is also xored with the counter cte,
             which starts at 0x28 and steps by 0xd before every use. */
          x = 0; y = 0; cte = 0x28;
          for (counter = 0; counter < 9; counter++)
          {
            x = (x + 1) % 256;
            y = (state[x] + y) % 256;
            /* swap state[x] and state[y]; in C this would read:
               swapByte = state[x]; state[x] = state[y]; state[y] = swapByte; */
            asm {
              mov  si,x
              mov  di,y
              mov  al,state[si]
              mov  bl,state[di]
              mov  state[di],al
              mov  state[si],bl
            }
            xorIndex = (state[x] + state[y]) % 256;
            cte += 0xd;
            cte &= 0xFF;
            buffer[counter] = encrypted_filename[counter] ^ state[xorIndex] ^ cte;
          }

          /* 'adva.txt': 'a' first, '.' at index 4, null at index 8 */
          if (buffer[8] == 0 && buffer[4] == 0x2e && buffer[0] == 'a')
          {
            key[8] = 0;   /* cut key[] down to the 8-letter name for printing */
            printf("\n password - %s  filename - %s\n", key, buffer);
          }
         }
        }
    }
    return 0;
}




Final Notes
Spring has arrived like a dear lost friend. Who among us will embrace her and walk
with her during her short stay?


BTW: Don't stop once you reach the advanced pages, they are the path not the goal.

Ob Duh
I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.
