Friday, November 18, 2016

Steganography and the Invisible Sun Kickstarter ARG

When the Invisible Sun Kickstarter was started there was an alternate reality game (ARG) that ran along with it. We're going to be talking about the ARG when episode 7 hits the interwebs, but in the lead-up to that I had a bit of related research that merited a bit more detail. If you're looking for a way to hide information from your players, or the spies in the van outside your window, give this a read.


I was looking for a way to hide information in a way that my tech savvy players might be able to figure out for the Invisible Sun lead up campaign that I'm running. During my research, I stumbled upon a technique that I thought might reveal some additional information hidden in the images that were pulled from the caches that were found in the Kickstarter ARG. For reference, the images I've been looking at are From the Changery and Wrong Cat from the memory sticks in the caches. You can follow along by downloading those images, just right click the links or the images and download them.

From the Changery Wrong Cat

There's a discipline called steganography, which is the practice of concealing messages or information in nonsecret text or data. Both of the images have information that's been hidden in the form of white text on a transparent background. That is a pretty simple and straightforward form of steganography, and a pretty good way to hide information for a wide audience if you want the information to be discovered. It's not readily apparent, but with a little bit of work, or happenstance, that information will be discovered.

You can go deeper, however.

One thing I discovered is that you can append bytes after the end chunk of a PNG file without corrupting it. If you pop either image open in a tool like HxD you'll see the PNG signature at the start, then the first chunk (IHDR), and at the very end the closing chunk (IEND). You can totally type whatever you want in at the end there without disturbing the rest of the file. I took a look at the recovered image files with this in mind, which unfortunately revealed no additional information at the end of the file.

Digging through the byte data of the file did reveal some interesting metadata that Adobe Photoshop had dropped in. Creation dates, modified dates, the tool that was used (Adobe on a Mac), layer names (Have you found a solid door?), change logs (looks like it was converted to a PNG on a Windows machine), dimensions. Lots of fun stuff you can infer the history of the file from. Unfortunately, nothing terribly useful once again.

<xmp:CreatorTool>Adobe Photoshop CC 2015 (Macintosh)</xmp:CreatorTool>
<rdf:li xml:lang="x-default">Words in White</rdf:li>
<photoshop:LayerName>Have you found a solid door? </photoshop:LayerName>
<photoshop:LayerText>Have you found a solid door? </photoshop:LayerText>

Neat, right?

What if there was more data?

Since you can dump data at the end of a PNG file, you can basically put anything you want there. Take the following image for example (right click the image or this link and download it).

This Wrong Cat contains more secrets

At first blush, nothing seems terribly odd about the image. If you double click it the image will open up in whatever program you view images with. This is where things start to get a bit odd if you care about image quality and how it relates to file size. The image is only about 200x250 pixels and shouldn't be nearly a megabyte in size. If you open the file up in HxD you'll see the standard PNG header at the beginning, but if you go to the very end you'll see some really odd plain text that reads "you_found_me" along with some PK and IEND characters. What you're seeing here are PKZip file headers, PKZip being the file format that's used to compress files.

There are two ways to extract the data that's in the file. First off, you can find the beginning of the zip file by searching for "PK". You'll find that header at offset 00003B30. Then you can copy everything from that point to the end of the file, including the "PK" characters you located. Once you've copied everything, hit File > New, paste all of the data into the new file you've created in HxD and save it as a ".zip". Now you've got a clean zipped file that you can open up with a simple double click.

The other way to pull all of the data out of the image is to open the image file up with a compression tool, like 7-Zip. Start up 7-Zip, then navigate to the directory you saved the image to and open the image. Normally, this would just open the image up in your image viewing program, but 7-Zip will simply open up the compressed file that's hanging out in there. Now you can just pull the data out of the image and do what you want with it.

Yeah, it's not a way to hide information from players at the table. It's also not a great way to hide data if you want anyone to be able to find it. However, if you're running an ARG in which solving puzzles might take days or weeks, and your players like to mess with things in hex editors, then this might be something you want to look into.
