Saturday, July 25, 2009

Analyzing And Cracking Camouflage

Personally discovered through my own experiments.

Camouflage is what is known as a steganography program: a program that hides data where people would not be likely to look for it. Camouflage (which can be downloaded from its website, http://camouflage.unfiction.com/) lets you take a data file and hide it behind another file. Sounds pretty cool, right? But how secure is it? That is what we are here to find out.

First and foremost, to follow along you will need a few tools:
  • Camouflage (download link in the Resources section at the end)
  • A text editor
  • A good hex editor (I use Hex Workshop)
  • A JPEG file
  • And a brain probably wouldn't hurt either

Okay, so let's study the behaviour of this program. First we will create a text file with the text "This is a hidden Message to hide using Camo". Save it as hidden.txt. Once you have done this, grab a JPEG image. The image below is clean and has nothing attached to it. It is 4.15 KB (4,259 bytes) at the moment. Feel free to download and use it.

thcry.jpg original with no tampering
{Please note: I didn't make this image and wish to give credit to its creator; however, I don't remember who that is, where I got this image (probably Deviant Art), or even how long ago it was. If you are the artist who made this image, PLEASE LET ME KNOW SO I CAN GIVE YOU THE CREDIT YOU SO RIGHTFULLY DESERVE.}

Now, after installing Camouflage, hide hidden.txt behind our image. To do this, right-click on hidden.txt and choose "Camouflage". The program window will appear; click "Next". On the next screen browse to the image file and click "Next". On this screen give it a new name (for study purposes I called mine thcry-test.jpg). The next step asks for a password; I used "test". This is my new image.

thcry.jpg with hidden.txt behind it with the password test
Now we have a new image with data hidden behind it. Visually, nothing happened. However, the size increased quite a bit, to 5.03 KB (5,157 bytes). Our text file is only 42 bytes, but our image grew by 898 bytes! Interesting: that means 856 bytes of extra data on top of our text. So let's increase the text file by one byte, hide it with the same password, and see what happens.

thcry.jpg with hidden.txt at 43 bytes behind it with the password test
The new image grew by only one byte! That means the extra 856 bytes must be overhead the program uses to structure and encapsulate the data it hides. What does this mean? It means we should be able to tweak some minor settings and reverse engineer that structure by watching what changes.

The main reason I used a JPEG is that a JPEG always ends with the bytes 0xFF 0xD9 (the End-Of-Image marker). That is how the file format works, and it is what image viewers look for to stop loading image data, so anything appended after it is simply ignored by the viewer. Now open the three images in a hex editor. The original ends with 0xFF 0xD9. The other two, however, end with a long run of 0x20, which is an ASCII space (the same as hitting space on your keyboard). Between the 0xFF 0xD9 and the large block of spaces there is a small cluster of data. All of this data differs between the two camouflaged files, with the exception of a string RIGHT AFTER the 0xFF 0xD9: 0x20 0x00 0xE2 0x0B 0xCA 0x01 0xF8 0xB5 0xF5 0x01. So why did the rest change so much while this string stayed the same? Whatever it is, it does not depend on the size of the hidden file, so it must be some setting Camouflage can read or decrypt without any user-supplied data.

Hex dump of thcry-test.jpg

Now it is time. Let's use the 42-byte text file again and create five new files using the passwords "A", "AA", "AAA", "AAAA" and "AAAAA". Here they are.

password = A
password = AA
password = AAA
password = AAAA
password = AAAAA

After this, the string listed above remains static. More interesting, other parts among the 0x20 padding stay static as well. Most notable was the region at offsets 0x00001309-0x00001313: it was static, with data after it that changed... BUT WAS ALWAYS THE SAME LENGTH AS THE PASSWORD! Furthermore, the password was a repeating character "A", and as the password grew, the bytes already present did *not* change; one new byte was simply appended per extra character. If you are familiar with XOR encryption using a fixed key, you should already see that this is what it looks like we're dealing with. If you're not familiar with XOR, please take a look at the XOR links in the Resources section before you continue!
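The two observations above (a JPEG ends at FF D9 and anything after it is ignored; the camouflaged files differ only in small, password-sized regions) are easy to automate. The following is an added example and not code from the original post or from Camouflage: it walks the JPEG marker structure to find the real End-Of-Image marker, slices off the trailer, and diffs two trailers to report which byte ranges vary. All sample bytes are constructed here; the trailer layout used for the fake files (the static ten-byte run the post saw, a deliberately inserted stray FF D9, a password-sized field, space padding) only models what the post describes and is not Camouflage's real format.

```python
def jpeg_eoi_offset(data: bytes) -> int:
    """Return the offset just past the End-Of-Image marker (FF D9).

    Walks the marker segments instead of searching for the last FF D9, so a hidden
    file that itself contains FF D9 (say, a JPEG hidden behind a JPEG) is not
    mistaken for the real end of the image.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker; not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}")
        marker = data[pos + 1]
        if marker == 0xFF:                     # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                     # EOI
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:   # TEM, SOI, RSTn carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")   # length field counts itself
        if marker == 0xDA:                     # SOS: entropy-coded data runs to the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                      # FF 00 is byte stuffing, FF D0..D7 are restart markers
                pos += 1
    raise ValueError("no EOI marker found")


def trailer(data: bytes) -> bytes:
    """Everything after the EOI marker; empty for a clean JPEG."""
    return data[jpeg_eoi_offset(data):]


def trailer_stats(data: bytes) -> dict:
    """How much follows the image and how much of it is the 0x20 padding the post saw."""
    t = trailer(data)
    return {"eoi_offset": len(data) - len(t), "trailing_bytes": len(t), "space_bytes": t.count(0x20)}


def differing_ranges(a: bytes, b: bytes) -> list:
    """[(start, end), ...] half-open offset ranges where a and b differ.
    Bytes present in only one input (a length difference) count as differing."""
    ranges, start = [], None
    n = max(len(a), len(b))
    for i in range(n):
        same = i < len(a) and i < len(b) and a[i] == b[i]
        if not same and start is None:
            start = i
        elif same and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    return ranges


# --- constructed samples (not real Camouflage output) ---------------------------
CLEAN_JPEG = (
    b"\xff\xd8"                                                       # SOI
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0, 16 bytes incl. length
    b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                       # SOS header
    b"\x12\x34\xff\x00\x56\xff\xd0\x78"                               # scan data: stuffed FF 00 and an RST0
    b"\xff\xd9"                                                       # EOI
)
STATIC_RUN = bytes.fromhex("2000E20BCA01F8B5F501")   # the constant bytes the post saw right after FF D9


def fake_camouflaged(field: bytes) -> bytes:
    """Model of the layout the post describes, with a stray FF D9 to show why the marker walk matters."""
    return CLEAN_JPEG + STATIC_RUN + b"\xff\xd9" + field + b"\x20" * 16


FILE_A = fake_camouflaged(b"\x43")                   # password field one byte long
FILE_AAAA = fake_camouflaged(b"\x43\xd4\x3b\x63")    # four bytes long (the AAAA ciphertext from the post)

if __name__ == "__main__":
    print(trailer_stats(CLEAN_JPEG))
    print(trailer_stats(FILE_AAAA))
    print(differing_ranges(trailer(FILE_A), trailer(FILE_AAAA)))
```

Run the same three functions over the real files from the post: the original should report zero trailing bytes, and the trailers of files made with "A" and "AAAA" should differ only in a few bytes at the password field plus the bytes appended at the end, exactly the pattern the hex editor showed.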

So a weakness exists here, because XOR is reversible and the key is fixed rather than derived from the password. There are three parts to it: the plaintext, the key and the ciphertext. As long as you have any two of the three, you can XOR them to get the missing one. We know the "AAAA" plaintext (an "A" converted from ASCII to hex is 0x41, so the plaintext is 0x41414141) and we know its ciphertext, 0x43D43B63. What we are missing is the key. As a quick example, XORing 0x41414141 with 0x43D43B63 gives 0x02957A22, the first four key bytes, and the same bytes should decrypt the "test" password as well. Microsoft's standard Windows calculator actually provides hex mode and XOR under the Scientific view.




So, with this said, I noticed that the only part that was the same on the picture with the "test" password was the location and the bytes 0x02 0x00, so that marks the beginning of the poorly protected password. Now all we need to do is make a password of about 256 A's and we will recover enough key bytes to decrypt most passwords. At this point I assume you know how it works, so I will skip the steps and present you with the key, in hex:

02957A220CA614E1E1CFBF65206F9EB399654A53FBF67554AD23CD7E9C29
E7FCE2F94DD2424E06C0F89A1C623874240055DF41CB01A2B7F38F8ADDAC
33836029F378243E7AEBD3E49D9D43944AC7456D2574EB0B98C97CFCC8BA
326B00D3C5C29434AFB0E5957D2A84A45FE56E272ADB967E3E483946CF6F
71AA3C319AA99E8F8973B339CA32D5F031597C022E8637F92B7E51F24181
0CD46515F770D4199820BF20B85567CC81188C133C633C9211E45B1B0822
604C4AC58AB3C575C3907AF2B2B6C8D0388AC286F0ACE9CA5C4E3E092978
29995A84D5BA5ED5927A38FAD060ECF527BAEEB7DE9F9BDE65D47639769C
DA688DA8A0A61ED9DB0F4DAB92CD71
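The key recovery and password decryption described above, as an added example (not code from the original post, from the InfraRed tool, or from Camouflage). KEY is the 255-byte key the post recovered and the "AAAA" ciphertext 43 D4 3B 63 is the post's own observation; the "test" ciphertext and the long password are constructed here by XORing with KEY. The example also shows the one limit of the known-plaintext trick: only as many key bytes as you have known plaintext are recovered, so a password field longer than the known prefix is refused rather than half-decrypted.

```python
# Fixed XOR key the post recovered from Camouflage output (255 bytes).
KEY = bytes.fromhex(
    "02957A220CA614E1E1CFBF65206F9EB399654A53FBF67554AD23CD7E9C29"
    "E7FCE2F94DD2424E06C0F89A1C623874240055DF41CB01A2B7F38F8ADDAC"
    "33836029F378243E7AEBD3E49D9D43944AC7456D2574EB0B98C97CFCC8BA"
    "326B00D3C5C29434AFB0E5957D2A84A45FE56E272ADB967E3E483946CF6F"
    "71AA3C319AA99E8F8973B339CA32D5F031597C022E8637F92B7E51F24181"
    "0CD46515F770D4199820BF20B85567CC81188C133C633C9211E45B1B0822"
    "604C4AC58AB3C575C3907AF2B2B6C8D0388AC286F0ACE9CA5C4E3E092978"
    "29995A84D5BA5ED5927A38FAD060ECF527BAEEB7DE9F9BDE65D47639769C"
    "DA688DA8A0A61ED9DB0F4DAB92CD71"
)

AAAA_CIPHERTEXT = bytes.fromhex("43D43B63")   # what the post observed for the password "AAAA"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings: the single primitive behind encrypt, decrypt and key recovery."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def recover_key_prefix(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext attack on a fixed XOR key: key[i] = plaintext[i] ^ ciphertext[i].

    Recovers exactly len(known_plaintext) key bytes, which is why the post hid a
    ~256-character password to get the whole key."""
    return xor_bytes(known_plaintext, ciphertext)


def decrypt_password(ciphertext: bytes, key: bytes = KEY) -> str:
    """Decrypt a password field with the recovered key (Latin-1 keeps every byte printable).

    A field longer than the known key prefix cannot be fully recovered; refuse rather
    than return a partially wrong password."""
    if len(ciphertext) > len(key):
        raise ValueError(f"field is {len(ciphertext)} bytes but only {len(key)} key bytes are known")
    return xor_bytes(ciphertext, key[:len(ciphertext)]).decode("latin-1")


def encrypt_password(password: str, key: bytes = KEY) -> bytes:
    """The same operation in the other direction (XOR is its own inverse); used to build test data."""
    pw = password.encode("latin-1")
    if len(pw) > len(key):
        raise ValueError("password longer than the key")
    return xor_bytes(pw, key[:len(pw)])


def demo() -> dict:
    """Walk through the post's argument on its own numbers plus constructed data."""
    prefix = recover_key_prefix(b"AAAA", AAAA_CIPHERTEXT)      # 02 95 7A 22, the start of KEY
    test_ct = encrypt_password("test")                         # constructed: 76 F0 09 56
    return {
        "prefix_matches_key": prefix == KEY[:4],
        "aaaa_decrypted": decrypt_password(AAAA_CIPHERTEXT),
        "test_decrypted": decrypt_password(test_ct),
        "long_decrypted": decrypt_password(encrypt_password("P45$\\/\\/(0)|2|)")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the key never changes, the four bytes recovered from "AAAA" decrypt the first four characters of anyone's password, and the full 255-byte key decrypts any password up to that length; no per-file secret is involved at all.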

Now we know that the scheme is weak: the key is fixed, so the password in any camouflaged file can be recovered with it. Also, I thought Question 10 in the FAQ on Camouflage's site was cute.


Taken from http://camouflage.unfiction.com/FAQ.html#Q10

10. I've forgotten my password and can't uncamouflage a file. What can I do?

Camouflage always asks you for a password whether the file is camouflaged or not, or whether it is a camouflaged file with a password or not. This is because Camouflage doesn't give the game away that a file may be camouflaged. For security reasons we cannot release a program to reveal passwords in camouflaged files. If you forget your password we can't usually help you.
Be careful when typing in passwords - check your CAPS LOCK because Camouflage passwords are case-sensitive.


I have taken the time to code a program to recover these passwords and also test a file for signs of Camouflage. I called this program "InfraRed" because infrared goggles can help you see someone wearing camouflage. This program was coded in Visual Basic 6 and is open source (nice and commented this time! ;-D). As you can see, it is very effective. Once you have the password, just use Camouflage itself to extract the hidden file. Below is the program in action, showing the password on this picture.

password = P45$\/\/(0)|2|)
I don't think I would call this secure anymore!!!
Now you have a tool to recover the password. But how do you locate the files that contain hidden information? Well, how about the registry!

HKEY_CURRENT_USER\Software\Camouflage\CamouflageFile holds the names of the files used for hiding (the original files).

You should also see:
HKEY_CURRENT_USER\Software\Camouflage\OutputFile, which lists the output files containing the hidden data. This can also be used against people: most users reuse the same password everywhere, so crack this one and chances are it will work elsewhere. Enjoy!



Resources and Further Reading

InfraRed
Download (binary, source, and test files; 50.3 kB)

Camouflage
http://camouflage.unfiction.com/

XOR Encryption
http://en.wikipedia.org/wiki/XOR_cipher
http://www.tech-faq.com/xor-encryption.shtml

Further Reading
Hiding in Plain Sight: Steganography and the Art of Covert Communication