zsteg 0.0.0 → 0.0.1

data/Gemfile

@@ -1,13 +1,8 @@
 source "http://rubygems.org"
-# Add dependencies required to use your gem here.
-# Example:
-#   gem "activesupport", ">= 2.3.5"
-gem 'zpng', ">= 0.2.1"
-gem "awesome_print"
+
+gem 'zpng', ">= 0.2.2"
 gem "iostruct"
 
-# Add dependencies to develop your gem here.
-# Include everything needed to run rake, tests, features, etc.
 group :development do
   gem "rspec",   ">= 2.8.0"
   gem "bundler", ">= 1.0.0"

data/Gemfile.lock

@@ -1,7 +1,6 @@
 GEM
   remote: http://rubygems.org/
   specs:
-    awesome_print (1.1.0)
     diff-lcs (1.1.3)
     git (1.2.5)
     iostruct (0.0.1)
@@ -23,16 +22,15 @@ GEM
     rspec-expectations (2.12.1)
       diff-lcs (~> 1.1.3)
     rspec-mocks (2.12.1)
-    zpng (0.2.1)
+    zpng (0.2.2)
       rainbow
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  awesome_print
   bundler (>= 1.0.0)
   iostruct
   jeweler (~> 1.8.4)
   rspec (>= 2.8.0)
-  zpng (>= 0.2.1)
+  zpng (>= 0.2.2)

data/README.md

@@ -18,6 +18,7 @@ Detects:
  * zlib-compressed data
  * [OpenStego](http://openstego.sourceforge.net/)
  * [Camouflage 1.2.1](http://camouflage.unfiction.com/)
+ * [LSB with The Eratosthenes set](http://wiki.cedricbonhomme.org/security:steganography)
 
 
 Usage
@@ -25,7 +26,7 @@ Usage
 
     # zsteg -h
 
-    Usage: zsteg [options] filename.png
+    Usage: zsteg [options] filename.png [param_string]
     
         -c, --channels X                 channels (R/G/B/A) or any combination, comma separated
                                          valid values: r,g,b,a,rg,rgb,bgr,rgba,...
@@ -33,13 +34,83 @@ Usage
         -b, --bits N                     number of bits (1..8), single value or '1,3,5' or '1-8'
             --lsb                        least significant BIT comes first
             --msb                        most significant BIT comes first
+        -P, --prime                      analyze/extract only prime bytes/pixels
+        -a, --all                        try all known methods
         -o, --order X                    pixel iteration order (default: 'auto')
                                          valid values: ALL,xy,yx,XY,YX,xY,Xy,bY,...
         -E, --extract NAME               extract specified payload, NAME is like '1b,rgb,lsb'
     
         -v, --verbose                    Run verbosely (can be used multiple times)
         -q, --quiet                      Silent any warnings (can be used multiple times)
+        -C, --[no-]color                 Force (or disable) color output (default: auto)
+    
+    PARAMS SHORTCUT
+    	zsteg fname.png 2b,b,lsb,xy  ==>  --bits 2 --channel b --lsb --order xy
+
+Examples
+--------
+
+### Simple LSB
+
+    # zsteg flower_rgb3.png
+
+    3b,rgb,lsb,xy       .. text: "SuperSecretMessage"
+
+### Multi-result file
+
+    # zsteg cats.png
+
+    meta F              .. ["Z" repeated 14999985 times]
+    meta C              .. text: "Fourth and last cat is Luke"
+    meta A              .. [same as "meta F"]
+    meta date:create    .. text: "2012-03-15T23:32:46+07:00"
+    meta date:modify    .. text: "2012-03-15T23:32:14+07:00"
+    1b,r,lsb,xy         .. text: "Second cat is Marussia"
+    1b,g,lsb,xy         .. text: "Good, but look a bit deeper..."
+    1b,bgr,lsb,xy       .. text: "MF_WIhf>"
+    2b,g,lsb,xy         .. text: "VHello, third kitten is Bessy"
+
+### wbStego even distributed
+
+    # zsteg wbstego/wbsteg_noenc_even.bmp 1b,lsb,bY -v
+
+    1b,lsb,bY           .. <wbStego size=22, data="xtSuperSecretMessage\n", even=true, mix=true, controlbyte="t">
+        00000000: 51 00 00 16 00 00 74 0d  b5 78 1e a1 39 74 e8 38  |Q.....t..x..9t.8|
+        00000010: 53 c6 56 94 75 d1 a5 70  84 c8 27 65 fe 08 72 35  |S.V.u..p..'e..r5|
+        00000020: 1f 3e 53 5d a7 65 8b 6e  3b 63 6b 1d bf 72 ee 27  |.>S].e.n;ck..r.'|
+        00000030: 65 8d ee 82 74 da 8d 4d  b3 8a 06 65 7e f8 73 9c  |e...t..M...e~.s.|
+        00000040: 36 0c 73 aa bd 61 67 29  37 67 5f 0b 06 65 1f a4  |6.s..ag)7g_..e..|
+        00000050: 0a a1 f8 35                                       |...5            |
+
+### wbStego encrypted
+
+    # zsteg wbstego/wbsteg_blowfish_pass_1.bmp 1b,lsb,bY -v
+
+    1b,lsb,bY           .. <wbStego size=26, data="\rC\xF5\xBF#\xFF[6\e\xB3"..., even=false, hdr="\x01", enc="Blowfish">
+        00000000: 1a 00 00 00 ff 01 01 0d  43 f5 bf 23 ff 5b 36 1b  |........C..#.[6.|
+        00000010: b3 17 42 4a 3f ba eb c7  ee 9c d7 7a 2b           |..BJ?......z+   |
+
+### zlib
+
+    # zsteg ndh2k12_sp113.bmp -b 1 -o yx -v
 
+    1b,rgb,lsb,yx       .. zlib: data="%PDF-1.4\n%\xC3\xA4\xC3\xBC\xC3\xB6\xC3\x9F\n2 0 obj\n<</Length 3 0 R/Filter/FlateDecode>>\nstream\nx\x9C\x8DT\xC9n\xDB@\f\xBD\xCFW\xF0\x1C \x13\x92\xB3\x03\x86\x80\xC8K\xD1\xDE\\\b\xE8\xA1\xE8)K\x8B\xA2n\x91\\\xF2\xFB!5Zl\xD5v\v\x01\xD4\x90C\xBE\xF7\x86\x1A\n-\xC1\x9By\x01\x94'\x94`=d\xCF\xF0\xFA\x04_n\xE0\xF7\x10Gx\xFDn\xDA\xCE\xB0\x8F6\x80s$Y\xDD#\xDC\xED\b\x1CC\xF7\xBCBBF\x87^\xDE\xA1\xE9~\x9Amg\xF6\x8BZ\xCAYj", offset=4
+        00000000: 00 02 eb 9b 78 9c d4 b9  65 54 24 cc 92 36 58 b8  |....x...eT$..6X.|
+        00000010: d3 68 e3 ee ee 4e e3 ee  ee 0e 85 bb 3b dd 68 23  |.h...N......;.h#|
+        00000020: 8d bb bb bb 3b 8d bb bb  3b 34 ee 6e 1f ef 7b ef  |....;...;4.n..{.|
+        00000030: 9d 3b b3 e7 cc 9e d9 3d  df 9e dd cd 8a 1f 99 19  |.;.....=........|
+        00000040: 99 55 11 99 4f 58 25 99  82 88 18 1d 13 3d 2b 2c  |.U..OX%......=+,|
+        00000050: 59 6f 7e 6f 7b 6f 63 6f  16 2c 33 21 23 a1 9d 91  |Yo~o{oco.,3!#...|
+        00000060: 25 2c 2f 2f 83 0c d0 d6  cc d9 9c 90 e5 73 46 89  |%,//.........sF.|
+        00000070: 41 cc c2 da 19 e8 c8 20  66 6d e8 0c 14 01 1a db  |A...... fm......|
+        00000080: 99 00 f9 f8 60 9d 9c 1d  81 86 36 b0 ee e9 bf 54  |....`.....6....T|
+        00000090: 86 6d 57 05 e0 3b 26 d5  2f 71 09 51 63 eb c0 82  |.mW..;&./q.Qc...|
+        000000a0: bf 0f 49 4f 6f e8 40 ff  c9 f9 43 25 1d 9e 6b 1b  |..IOo.@...C%..k.|
+        000000b0: a3 73 fd 42 c4 a6 65 3d  ef 0a 07 32 17 2d dc f9  |.s.B..e=...2.-..|
+        000000c0: 10 8c 0d 4b d7 9d e6 01  12 4f 11 6f f0 cd 64 f2  |...K.....O.o..d.|
+        000000d0: f2 19 5c df 76 eb 01 49  dc fd cd 76 65 a2 3a 8a  |..\.v..I...ve.:.|
+        000000e0: fd bb 13 a9 e6 3a c9 da  19 34 ae f0 43 bb 90 90  |.....:...4..C...|
+        000000f0: 58 88 de 46 ce 91 6f aa  8d d9 7d b8 d6 88 a6 65  |X..F..o...}....e|
 
 License
 -------

data/README.md.tpl

@@ -18,6 +18,7 @@ Detects:
  * zlib-compressed data
  * [OpenStego](http://openstego.sourceforge.net/)
  * [Camouflage 1.2.1](http://camouflage.unfiction.com/)
+ * [LSB with The Eratosthenes set](http://wiki.cedricbonhomme.org/security:steganography)
 
 
 Usage
@@ -25,6 +26,28 @@ Usage
 
 % zsteg -h
 
+Examples
+--------
+
+### Simple LSB
+
+% zsteg flower_rgb3.png
+
+### Multi-result file
+
+% zsteg cats.png
+
+### wbStego even distributed
+
+% zsteg wbstego/wbsteg_noenc_even.bmp 1b,lsb,bY -v
+
+### wbStego encrypted
+
+% zsteg wbstego/wbsteg_blowfish_pass_1.bmp 1b,lsb,bY -v
+
+### zlib
+
+% zsteg ndh2k12_sp113.bmp -b 1 -o yx -v
 
 License
 -------

data/Rakefile

@@ -23,7 +23,8 @@ Jeweler::Tasks.new do |gem|
   gem.authors = ["Andrey \"Zed\" Zaikin"]
   #gem.executables = %w'zsteg'
   gem.files.include "lib/**/*.rb"
-  gem.files.include "bin/zsteg"
+  gem.files.include "bin/*"
+  gem.files.exclude "samples/*"
   # dependencies defined in Gemfile
 end
 Jeweler::RubygemsDotOrgTasks.new
@@ -53,9 +54,10 @@ task :readme do
     puts "[.] #{cmd} ..."
     r = "    # #{cmd}\n\n"
     cmd.sub! /^zsteg/,"../bin/zsteg"
-    lines = `#{cmd}`.sub(/\A\n+/m,'').sub(/\s+\Z/,'').split("\n")
+    lines = `#{cmd}`.sub(/\A\n+/m,'').split("\n")
+    lines.map!{ |l| l.split("\r").last } # emulate CR's
     lines = lines[0,25] + ['...'] if lines.size > 50
-    r << lines.map{|x| "    #{x}"}.join("\n")
+    r << lines.map{|x| "    #{x}"}.join("\n").rstrip
     r << "\n"
   end
   Dir.chdir 'samples'

data/TODO

@@ -1,9 +1,12 @@
 [ ] make 'extract' cmd stream its data directly to stdout
 [ ] gzip
-[*] wbStego
+[ ] wbStego: 4bpp/8bpp BMP
 [ ] openstego
 [ ] tmp/steg*/*.bmp
 [ ] 4bpp/8bpp BMP
+[ ] http://search.cpan.org/~nwclark/Acme-Steganography-Image-Png-0.06/Png.pm
+[ ] http://registry.gimp.org/node/25988 - GIMP stego plugin
+[ ] zsteg-mask: normalize all to white
 
 [+] auto pixel order for BMP
 [+] BMP
@@ -11,4 +14,4 @@
 
 [ ] detect AES from http://punkroy.drque.net/PNG_Steganography/Steganography5.php
 [?] http://tobyinkster.co.uk/article/steg-encode/
-[ ] Sieve of Eratosthenes: http://wiki.cedricbonhomme.org/security:steganography
+[+] Sieve of Eratosthenes: http://wiki.cedricbonhomme.org/security:steganography

data/VERSION

@@ -1 +1 @@
-0.0.0
+0.0.1

data/bin/zsteg-mask

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+
+$LOAD_PATH.unshift(File.expand_path(File.dirname(__FILE__) + '/../lib'))
+require 'zsteg'
+require 'zsteg/mask_cli'
+
+ZSteg::MaskCLI.new.run

data/lib/zsteg/checker/wbstego.rb

@@ -2,17 +2,60 @@ module ZSteg
   class Checker
     module WBStego
 
-      class Result < IOStruct.new "a3a3a*", :size, :ext, :data, :even
+      ENCRYPTIONS = [
+        nil,         # 0
+        "Blowfish",  # 1
+        "Twofish",   # 2
+        "CAST128",   # 3
+        "Rijndael",  # 4
+      ]
+
+      class Result < IOStruct.new "a3a3a*", :size, :ext, :data, :even, :hdr, :enc, :mix, :controlbyte
+        attr_accessor :color
+
         def initialize *args
           super
           if self.size.is_a?(String)
             self.size = (self.size[0,3] + "\x00").unpack('V')[0]
           end
-          self.even = false if self.even.nil?
+          self.even ||= false
+          #self.encrypted ||= false
+          if ext[0,2] == "\x00\xff"
+            # wbStego 4.x header
+            self.hdr  = data[0,ext[2].ord] # 3rd ext byte is hdr len
+            self.data = data[hdr.size..-1]
+            self.ext  = nil                # encrypted files have no ext
+            self.enc  = ENCRYPTIONS[hdr[0].ord] || "unknown ##{hdr[0].ord}"
+          elsif (cb=ext[0].ord) & 0xc0 != 0
+            # wbStego 2.x/3.x controlbyte
+            self.controlbyte = ext[0]
+            self.data = ext[1..-1] + data
+            self.ext  = nil                # have ext but its encrypted/mixed with data
+            self.mix  = true if cb & 0x40 != 0
+            self.enc  = "wbStego 2.x/3.x" if cb & 0x80 != 0
+          end
         end
 
         def to_s
-          inspect.sub("#<struct #{self.class.to_s}", "<wbStego").red
+          s = inspect.
+              sub("#<struct #{self.class.to_s}", "<wbStego").
+              gsub(/, \w+=nil/,'')
+
+          color = @color
+
+          if ext && !valid_ext?
+            s.sub!(data.inspect, data[0,10].inspect+"...") if data && data.size>13
+            color ||= :gray
+          else
+            s.sub!(data.inspect, data[0,10].inspect+"...") if data && data.size>13 && enc
+            color ||= :bright_red
+          end
+          s.send(color)
+        end
+
+        # XXX require that file extension be 7-bit ASCII
+        def valid_ext?
+          ext =~ /\A[\x20-\x7e]+\Z/ && !ext['*'] && !ext['?']
         end
       end
 
@@ -49,8 +92,15 @@ module ZSteg
         def check data, params = {}
           return if data.size < 4
           return if params[:bit_order] != :lsb
+
+          force_color = nil
+
           if params[:image].format == :bmp
             return if params[:order] !~ /b/i
+          else
+            # PNG
+            return if Array(params[:channels]).join != 'bgr'
+            force_color = :gray if params[:order] != 'xY'
           end
 
           size1 = (data[0,3] + "\x00").unpack('V')[0]
@@ -61,9 +111,16 @@ module ZSteg
               params[:max_hidden_size]
             end
           return if size1 == 0 || size1 > avail_size
+
+          # check if too many zeroes, prevent false positive
+          nzeroes = data[3..-1].count("\x00")
+          return if nzeroes > 10 && data.size-3-nzeroes < 4
+
+          result = nil
+
           size2 = (data[3,3] + "\x00").unpack('V')[0]
 #          p [size1, size2, avail_size]
-          if size2 < avail_size
+          if size2 < avail_size && size2 > 0
             spacing = 1.0*avail_size/(size2+5) - 1
 #            puts "[d] spacing=#{spacing}"
             if spacing > 0
@@ -77,21 +134,19 @@ module ZSteg
                   error -= 1
                 end
               end
-#              puts "[d] r=#{r.inspect} (#{r.size})"
-              ext = r[0,3]
-              return unless valid_ext?(ext)
-              return Result.new(size2, ext, r[3..-1], true)
+              if r.size > 4
+                ext = r[0,3]
+                result = Result.new(size2, ext, r[3..-1], true)
+              end
             end
           end
           # no even distribution
-          return unless valid_ext?(data[3,3])
-          return Result.read(data)
+          #return unless valid_ext?(data[3,3])
+          result ||= Result.read(data)
+          result.color = force_color if result && force_color
+          result
         end
 
-        # XXX require that file extension be 7-bit ASCII
-        def valid_ext? ext
-          ext =~ /\A[\x20-\x7e]+\Z/
-        end
       end
     end
   end

data/lib/zsteg/checker.rb

@@ -1,16 +1,21 @@
 require 'stringio'
 require 'zlib'
+require 'set'
 
 module ZSteg
   class Checker
-    attr_accessor :params, :channels, :verbose
+    attr_accessor :params, :channels, :verbose, :results
 
-    MIN_TEXT_LENGTH = 8
+    MIN_TEXT_LENGTH      = 8
+    MIN_WHOLETEXT_LENGTH = 6           # when entire data is a text
+    DEFAULT_BITS         = [1,2,3,4]
+    DEFAULT_ORDER        = 'auto'
+    DEFAULT_LIMIT        = 256         # number of checked bytes, 0 = no limit
 
     # image can be either filename or ZPNG::Image
     def initialize image, params = {}
       @params = params
-      @cache = {}
+      @cache = {}; @wastitles = Set.new
       @image = image.is_a?(ZPNG::Image) ? image : ZPNG::Image.load(image)
       @extractor = Extractor.new(@image, params)
       @channels = params[:channels] ||
@@ -19,32 +24,67 @@ module ZSteg
         else
           %w'r g b rgb bgr'
         end
-      @verbose = params[:verbose] || 0
+      @verbose = params[:verbose] || -2
       @file_cmd = FileCmd.new
+      @results = []
+
+      @params[:bits]  ||= DEFAULT_BITS
+      @params[:order] ||= DEFAULT_ORDER
+      @params[:limit] ||= DEFAULT_LIMIT
+    end
+
+    private
+
+    # catch Kernel#print for easier verbosity handling
+    def print *args
+      Kernel.print(*args) if @verbose >= 0
+    end
+
+    # catch Kernel#printf for easier verbosity handling
+    def printf *args
+      Kernel.printf(*args) if @verbose >= 0
+    end
+
+    # catch Kernel#puts for easier verbosity handling
+    def puts *args
+      Kernel.puts(*args) if @verbose >= 0
     end
 
+    public
+
     def check
       @found_anything = false
       @file_cmd.start!
 
       check_extradata
       check_metadata
-
-      case params[:order].to_s.downcase
-      when /all/
-        params[:order] = %w'xy yx XY YX Xy yX xY Yx'
-      when /auto/
-        params[:order] = @image.format == :bmp ? %w'bY xY' : 'xy'
+      check_imagedata
+
+      if @image.format == :bmp
+        case params[:order].to_s.downcase
+        when /all/
+          params[:order] = %w'bY xY xy yx XY YX Xy yX Yx'
+        when /auto/
+          params[:order] = %w'bY xY'
+        end
+      else
+        case params[:order].to_s.downcase
+        when /all/
+          params[:order] = %w'xy yx XY YX Xy yX xY Yx'
+        when /auto/
+          params[:order] = 'xy'
+        end
       end
 
       Array(params[:order]).uniq.each do |order|
-        Array(params[:bits]).uniq.each do |bits|
-          if order[/b/i]
-            # byte iterator does not need channels
-            check_channels nil, @params.merge( :bits => bits, :order => order )
-          else
-            channels.each do |c|
-              check_channels c, @params.merge( :bits => bits, :order => order )
+        (params[:prime] == :all ? [false,true] : [params[:prime]]).each do |prime|
+          Array(params[:bits]).uniq.each do |bits|
+            p1 = @params.merge :bits => bits, :order => order, :prime => prime
+            if order[/b/i]
+              # byte iterator does not need channels
+              check_channels nil, p1
+            else
+              channels.each{ |c| check_channels c, p1 }
             end
           end
         end
@@ -55,15 +95,22 @@ module ZSteg
       else
         puts "\r[=] nothing :(" + " "*20 # line cleanup
       end
+
+      @results
     ensure
       @file_cmd.stop!
     end
 
+    def check_imagedata
+      h = { :title => "imagedata", :show_title => true }
+      process_result @image.imagedata, h
+    end
+
     def check_extradata
       if @image.extradata
         @found_anything = true
         title = "data after IEND"
-        show_title title, :red
+        show_title title, :bright_red
         process_result @image.extradata, :special => true, :title => title
       end
     end
@@ -83,24 +130,73 @@ module ZSteg
         return
       end
 
-      title = ["#{params[:bits]}b",channels,params[:bit_order],params[:order]].compact.join(',')
-      show_title title
-
       p1 = params.clone
-      p1.delete :channel
-      p1[:title] = title
 
+      # number of bits
+      # equals to params[:bits] if in range 1..8
+      # otherwise equals to number of 1's, like 0b1000_0001
+      nbits = p1[:bits] <= 8 ? p1[:bits] : (p1[:bits]&0xff).to_s(2).count("1")
+
+      show_bits = true
+      # channels is a String
       if channels
-        p1[:channels] = channels.split('')
-        @max_hidden_size = p1[:channels].size*@image.width
+        p1[:channels] =
+          if channels[1] && channels[1] =~ /\A\d\Z/
+            # 'r3g2b3'
+            a=[]
+            cbits = 0
+            (channels.size/2).times do |i|
+              a << (t=channels[i*2,2])
+              cbits += t[1].to_i
+            end
+            show_bits = false
+            @max_hidden_size = cbits * @image.width
+            a
+          else
+            # 'rgb'
+            a = channels.chars.to_a
+            @max_hidden_size = a.size * @image.width * nbits
+            a
+          end
+        # p1[:channels] is an Array
       elsif params[:order] =~ /b/i
         # byte extractor
-        @max_hidden_size = @image.scanlines[0].decoded_bytes.size
+        @max_hidden_size = @image.scanlines[0].decoded_bytes.size * nbits
       else
         raise "invalid params #{params.inspect}"
       end
-      @max_hidden_size *= p1[:bits]*@image.height/8
+      @max_hidden_size *= @image.height/8
+
+      bits_tag =
+        if show_bits
+          if params[:bits] > 0x100
+            if params[:bits].to_s(2) =~ /(1{1,8})$/
+              # mask => number of bits
+              "b#{$1.size}"
+            else
+              # mask
+              "b#{(params[:bits]&0xff).to_s(2)}"
+            end
+          else
+            # number of bits
+            "b#{params[:bits]}"
+          end
+        end
+
+      title = [
+        bits_tag,
+        channels,
+        params[:bit_order],
+        params[:order],
+        params[:prime] ? 'prime' : nil
+      ].compact.join(',')
 
+      return if @wastitles.include?(title)
+      @wastitles << title
+
+      show_title title
+
+      p1[:title] = title
       data = @extractor.extract p1
 
       @need_cr = !process_result(data, p1) # carriage return needed?
@@ -108,7 +204,7 @@ module ZSteg
     end
 
     def show_title title, color = :gray
-      printf "\r[.] %-14s.. ".send(color), title
+      printf "\r%-20s.. ".send(color), title
       $stdout.flush
     end
 
@@ -129,12 +225,15 @@ module ZSteg
       # TODO: store hash of data for large datas
       @cache[data] = params[:title]
 
-      result = data2result data, params
+      if result = data2result(data, params)
+        @results << result
+      end
 
       case verbose
       when -999..0
         # verbosity=0: only show result if anything interesting found
         if result && !result.is_a?(Result::OneChar)
+          show_title params[:title] if params[:show_title]
           puts result
           return true
         else
@@ -146,6 +245,7 @@ module ZSteg
       end
 
       # verbosity>1: always show hexdump
+      show_title params[:title] if params[:show_title]
 
       if params[:special]
         puts result.is_a?(Result::PartialText) ? nil : result
@@ -183,24 +283,27 @@ module ZSteg
         end
       end
 
-      if data =~ /\A[\x20-\x7e\r\n\t]+\Z/
+      if data.size >= MIN_WHOLETEXT_LENGTH && data =~ /\A[\x20-\x7e\r\n\t]+\Z/
         # whole ASCII
         return Result::WholeText.new(data, 0)
       end
 
-      if r = @file_cmd.check_data(data)
-        return Result::FileCmd.new(r, data)
+      # XXX TODO refactor params hack
+      if !params.key?(:no_check_file) && (r = @file_cmd.data2result(data))
+        return r
       end
 
+      # try to find zlib
       # http://blog.w3challs.com/index.php?post/2012/03/25/NDH2k12-Prequals-We-are-looking-for-a-real-hacker-Wallpaper-image
       # http://blog.w3challs.com/public/ndh2k12_prequalls/sp113.bmp
-      if idx = data.index(/\x78[\x9c\xda\x01]/)
+      # XXX TODO refactor params hack
+      if !params.key?(:no_check_zlib) && (idx = data.index(/\x78[\x9c\xda\x01]/))
         begin
 #          x = Zlib::Inflate.inflate(data[idx,4096])
           zi = Zlib::Inflate.new(Zlib::MAX_WBITS)
           x = zi.inflate data[idx..-1]
           # decompress OK
-          return Result::Zlib.new x, idx
+          return Result::Zlib.new x, idx if x.size > 2
         rescue Zlib::BufError
           # tried to decompress, but got EOF - need more data
           return Result::Zlib.new x, idx