zsteg 0.0.1 → 0.1.0

data/Gemfile

@@ -1,6 +1,6 @@
 source "http://rubygems.org"
 
-gem 'zpng', ">= 0.2.2"
+gem 'zpng', ">= 0.2.3"
 gem "iostruct"
 
 group :development do

data/Gemfile.lock

@@ -22,7 +22,7 @@ GEM
     rspec-expectations (2.12.1)
       diff-lcs (~> 1.1.3)
     rspec-mocks (2.12.1)
-    zpng (0.2.2)
+    zpng (0.2.3)
       rainbow
 
 PLATFORMS
@@ -33,4 +33,4 @@ DEPENDENCIES
   iostruct
   jeweler (~> 1.8.4)
   rspec (>= 2.8.0)
-  zpng (>= 0.2.2)
+  zpng (>= 0.2.3)

data/TODO

@@ -7,6 +7,12 @@
 [ ] http://search.cpan.org/~nwclark/Acme-Steganography-Image-Png-0.06/Png.pm
 [ ] http://registry.gimp.org/node/25988 - GIMP stego plugin
 [ ] zsteg-mask: normalize all to white
+[ ] stego by pixels of single color (hackquest on wiki)
+[ ] advices on what tool to use
+[ ] SilentEye
+[ ] chunks length check, as in pngcheck
+
+[ ] CLI: self-describe
 
 [+] auto pixel order for BMP
 [+] BMP

data/VERSION

@@ -1 +1 @@
-0.0.1
+0.1.0

data/bin/zsteg

@@ -1,7 +1,8 @@
 #!/usr/bin/env ruby
 
-$LOAD_PATH.unshift(File.expand_path(File.dirname(__FILE__) + '/../lib'))
-require 'zsteg'
-require 'zsteg/cli'
+base = File.expand_path('../lib', File.dirname(__FILE__))
+$:.unshift(base)
 
-ZSteg::CLI.new.run
+require File.join(base, 'zsteg')
+
+ZSteg::CLI.run

data/bin/zsteg-mask

@@ -1,7 +1,8 @@
 #!/usr/bin/env ruby
 
-$LOAD_PATH.unshift(File.expand_path(File.dirname(__FILE__) + '/../lib'))
-require 'zsteg'
-require 'zsteg/mask_cli'
+base = File.expand_path('../lib', File.dirname(__FILE__))
+$:.unshift(base)
 
-ZSteg::MaskCLI.new.run
+require File.join(base, 'zsteg')
+
+ZSteg::CLI.run

data/bin/zsteg-reflow

@@ -0,0 +1,8 @@
+#!/usr/bin/env ruby
+
+base = File.expand_path('../lib', File.dirname(__FILE__))
+$:.unshift(base)
+
+require File.join(base, 'zsteg')
+
+ZSteg::CLI.run

data/lib/zsteg.rb

@@ -10,5 +10,30 @@ require 'zsteg/result'
 require 'zsteg/file_cmd'
 
 require 'zsteg/checker/wbstego'
+require 'zsteg/checker/scanline_checker'
+require 'zsteg/checker/zlib'
 
 require 'zsteg/masker'
+
+require 'zsteg/analyzer'
+
+module ZSteg::CLI
+  class << self
+    def run
+      a = File.basename($0).downcase.scan(/\w+/) - %w'zsteg rb'
+      a = %w'cli' if a.empty?
+
+      klass = a.map(&:capitalize).join
+      req = a.join('_')
+      require File.expand_path( File.join('zsteg', 'cli', req), File.dirname(__FILE__))
+
+      const_get(klass).new.run
+    end
+
+    # shortcut for ZSteg::CLI::Cli.new, mostly for RSpec
+    def new *args
+      require 'zsteg/cli/cli'
+      Cli.new(*args)
+    end
+  end
+end

data/lib/zsteg/analyzer.rb

@@ -0,0 +1,63 @@
+require 'zpng'
+
+module ZSteg
+  class Analyzer
+    def initialize image, params = {}
+      @params = params
+      @image = image.is_a?(ZPNG::Image) ? image : ZPNG::Image.load(image)
+    end
+
+    def analyze!
+      if bs = detect_block_size
+        puts "[!] possible image block size is #{bs.join('x')}, downscaling may be necessary".yellow
+      end
+    end
+
+    def check_block_size dx, dy, x0, y0
+      c0 = @image[x0,y0]
+      y0.upto(y0+dy-1) do |y|
+        x0.upto(x0+dx-1) do |x|
+          return if @image[x,y] != c0
+        end
+      end
+      true
+    end
+
+    def detect_block_size
+      x=y=0
+      c0 = @image[x,y]
+      dx = dy = 1
+
+      while (x+dx) < @image.width && @image[x+dx,y] == c0
+        dx+=1
+      end
+      while (y+dy) < @image.height && @image[x,y+dy] == c0
+        dy+=1
+      end
+
+      return if dx<2 && dy<2
+      return if [1, @image.width].include?(dx) && [1, @image.height].include?(dy)
+
+      # check 3x3 block
+      0.step([dy*3, @image.height-1].min, dy) do |y|
+        0.step([dx*3, @image.width-1].min, dx) do |x|
+          return unless check_block_size dx, dy, x, y
+        end
+      end
+
+      [dx,dy]
+    end
+  end
+end
+
+if __FILE__ == $0
+  ARGV.each do |fname|
+    printf "\r[.] %-40s .. ", fname
+    begin
+      ZSteg::Analyzer.new(fname).analyze!
+    rescue
+      p $!
+    end
+  end
+  puts
+end

data/lib/zsteg/checker.rb

@@ -1,3 +1,4 @@
+#coding: utf-8
 require 'stringio'
 require 'zlib'
 require 'set'
@@ -6,11 +7,11 @@ module ZSteg
   class Checker
     attr_accessor :params, :channels, :verbose, :results
 
-    MIN_TEXT_LENGTH      = 8
-    MIN_WHOLETEXT_LENGTH = 6           # when entire data is a text
     DEFAULT_BITS         = [1,2,3,4]
     DEFAULT_ORDER        = 'auto'
     DEFAULT_LIMIT        = 256         # number of checked bytes, 0 = no limit
+    DEFAULT_EXTRA_CHECKS = true
+    DEFAULT_MIN_STR_LEN  = 8
 
     # image can be either filename or ZPNG::Image
     def initialize image, params = {}
@@ -31,6 +32,16 @@ module ZSteg
       @params[:bits]  ||= DEFAULT_BITS
       @params[:order] ||= DEFAULT_ORDER
       @params[:limit] ||= DEFAULT_LIMIT
+
+      if @params[:min_str_len]
+        @min_str_len = @min_wholetext_len = @params[:min_str_len]
+      else
+        @min_str_len = DEFAULT_MIN_STR_LEN
+        @min_wholetext_len = @min_str_len - 2
+      end
+      @strings_re = /[\x20-\x7e\r\n\t]{#@min_str_len,}/
+
+      @extra_checks = params.fetch(:extra_checks, DEFAULT_EXTRA_CHECKS)
     end
 
     private
@@ -56,9 +67,11 @@ module ZSteg
       @found_anything = false
       @file_cmd.start!
 
-      check_extradata
-      check_metadata
-      check_imagedata
+      if @extra_checks
+        check_extradata
+        check_metadata
+        check_imagedata
+      end
 
       if @image.format == :bmp
         case params[:order].to_s.downcase
@@ -96,6 +109,11 @@ module ZSteg
         puts "\r[=] nothing :(" + " "*20 # line cleanup
       end
 
+      if @extra_checks
+        Analyzer.new(@image).analyze!
+      end
+
+      # return everything found if this method was called from some code
       @results
     ensure
       @file_cmd.stop!
@@ -107,11 +125,30 @@ module ZSteg
     end
 
     def check_extradata
-      if @image.extradata
+      # accessing imagedata implicitly unpacks zlib stream
+      # zlib stream may contain extradata
+      if @image.imagedata.size > (t=@image.scanlines.map(&:size).inject(&:+))
+        @found_anything = true
+        data = @image.imagedata[t..-1]
+        title = "extradata:imagedata"
+        show_title title, :bright_red
+        process_result data, :special => true, :title => title
+      end
+
+      if @image.extradata.any?
+        @found_anything = true
+        @image.extradata.each_with_index do |data,idx|
+          title = "extradata:#{idx}"
+          show_title title, :bright_red
+          process_result data, :special => true, :title => title
+        end
+      end
+
+      if data = ScanlineChecker.check_image(@image, @params)
         @found_anything = true
-        title = "data after IEND"
+        title = "scanline extradata"
         show_title title, :bright_red
-        process_result @image.extradata, :special => true, :title => title
+        process_result data, :special => true, :title => title
       end
     end
 
@@ -199,6 +236,10 @@ module ZSteg
       p1[:title] = title
       data = @extractor.extract p1
 
+      if p1[:invert]
+        data.size.times{ |i| data.setbyte(i, data.getbyte(i)^0xff) }
+      end
+
       @need_cr = !process_result(data, p1) # carriage return needed?
       @found_anything ||= !@need_cr
     end
@@ -208,6 +249,21 @@ module ZSteg
       $stdout.flush
     end
 
+    def show_result result, params
+      case result
+      when Array
+        result.each_with_index do |r,idx|
+          # empty title for multiple results from same title
+          show_title(" ") if idx > 0
+          puts r
+        end
+      when nil, false
+        # do nothing?
+      else
+        puts result
+      end
+    end
+
     # returns true if was any output
     def process_result data, params
       verbose = params[:special] ? [@verbose,1.5].max : @verbose
@@ -234,7 +290,7 @@ module ZSteg
         # verbosity=0: only show result if anything interesting found
         if result && !result.is_a?(Result::OneChar)
           show_title params[:title] if params[:show_title]
-          puts result
+          show_result result, params
           return true
         else
           return false
@@ -242,22 +298,28 @@ module ZSteg
       when 1
         # verbosity=1: if anything interesting found show result & hexdump
         return false unless result
+      else
+        # verbosity>1: always show hexdump
       end
 
-      # verbosity>1: always show hexdump
       show_title params[:title] if params[:show_title]
 
       if params[:special]
         puts result.is_a?(Result::PartialText) ? nil : result
       else
-        puts result
+        show_result result, params
       end
       if data.size > 0 && !result.is_a?(Result::OneChar) && !result.is_a?(Result::WholeText)
-        print ZPNG::Hexdump.dump(data){ |x| x.prepend(" "*4) }
+        limit = (params[:limit] || @params[:limit]).to_i
+        t = limit > 0 ? data[0,limit] : data
+        print ZPNG::Hexdump.dump(t){ |x| x.prepend(" "*4) }
       end
       true
     end
 
+    CAMOUFLAGE_SIG1 = "\x00\x00".force_encoding('binary')
+    CAMOUFLAGE_SIG2 = "\xed\xcd\x01".force_encoding('binary')
+
     def data2result data, params
       if one_char?(data)
         return Result::OneChar.new(data[0,1], data.size)
@@ -269,8 +331,11 @@ module ZSteg
         return Result::OpenStego.read(io)
       end
 
-      if data[0,2] == "\x00\x00" && data[3,3] == "\xed\xcd\x01"
-        return Result::Camouflage.new(data)
+      # only in extradata
+      if params[:title]['extradata']
+        if data[0,2] == CAMOUFLAGE_SIG1 && data[3,3] == CAMOUFLAGE_SIG2
+          return Result::Camouflage.new(data)
+        end
       end
 
       # only BMP & 1-bit-per-channel
@@ -283,40 +348,45 @@ module ZSteg
         end
       end
 
-      if data.size >= MIN_WHOLETEXT_LENGTH && data =~ /\A[\x20-\x7e\r\n\t]+\Z/
+      if data.size >= @min_wholetext_len && data =~ /\A[\x20-\x7e\r\n\t]+\Z/
         # whole ASCII
         return Result::WholeText.new(data, 0)
       end
 
-      # XXX TODO refactor params hack
-      if !params.key?(:no_check_file) && (r = @file_cmd.data2result(data))
+      if params.fetch(:file, true) && (r = @file_cmd.data2result(data))
         return r
       end
 
-      # try to find zlib
-      # http://blog.w3challs.com/index.php?post/2012/03/25/NDH2k12-Prequals-We-are-looking-for-a-real-hacker-Wallpaper-image
-      # http://blog.w3challs.com/public/ndh2k12_prequalls/sp113.bmp
-      # XXX TODO refactor params hack
-      if !params.key?(:no_check_zlib) && (idx = data.index(/\x78[\x9c\xda\x01]/))
-        begin
-#          x = Zlib::Inflate.inflate(data[idx,4096])
-          zi = Zlib::Inflate.new(Zlib::MAX_WBITS)
-          x = zi.inflate data[idx..-1]
-          # decompress OK
-          return Result::Zlib.new x, idx if x.size > 2
-        rescue Zlib::BufError
-          # tried to decompress, but got EOF - need more data
-          return Result::Zlib.new x, idx
-        rescue Zlib::DataError, Zlib::NeedDict
-          # not a zlib
-        ensure
-          zi.close if zi && !zi.closed?
-        end
+      if r = Checker::Zlib.check_data(data)
+        return r
       end
 
-      if (r=data[/[\x20-\x7e\r\n\t]{#{MIN_TEXT_LENGTH},}/])
-        return Result::PartialText.new(r, data.index(r))
+      case params.fetch(:strings, :first)
+      when :all
+        r=[]
+        data.scan(@strings_re) do
+          r << Result::PartialText.from_matchdata($~)
+        end
+        return r if r.any?
+      when :first
+        if data[@strings_re]
+          return Result::PartialText.from_matchdata($~)
+        end
+      when :longest
+        r=[]
+        data.scan(@strings_re){ r << $~ }
+        return Result::PartialText.from_matchdata(r.sort_by(&:size).last) if r.any?
       end
+
+      # utf-8 string matching, may be slow, may throw exceptions
+#      begin
+#        t = data.
+#          encode('UTF-16', 'UTF-8', :invalid => :replace, :replace => '').
+#          encode!('UTF-8', 'UTF-16')
+#        r = t.scan(/\p{Word}{#{MIN_TEXT_LENGTH},}/)
+#        r if r.any?
+#      rescue
+#      end
     end
 
     private

data/lib/zsteg/checker/scanline_checker.rb

@@ -0,0 +1,82 @@
+module ZSteg
+  class Checker
+    module ScanlineChecker
+      class << self
+        def check_image image, params={}
+          # TODO: interlaced images
+          sl = image.scanlines.first
+          significant_bits = sl.width*sl.bpp
+          total_bits = sl.size*8
+          # 1 byte for PNG scanline filter mode
+          # XXX maybe move this into ZPNG::ScanLine#data_size ?
+          total_bits -= 8 if image.format == :png
+          return if total_bits == significant_bits
+
+          #puts "[nbits] tb=#{total_bits}, sb=#{significant_bits}, nbits=#{total_bits-significant_bits}"
+          nbits = total_bits-significant_bits
+          raise "WTF" if nbits<0      # significant size greatar than total size?!
+
+          data = ''
+          scanlines = image.scanlines
+          # DO NOT use 'reverse!' here - it will affect original image too
+          scanlines = scanlines.reverse if image.format == :bmp
+          if nbits%8 == 0
+            # whole bytes
+            nbytes = nbits/8
+            scanlines.each do |sl|
+              data << sl.decoded_bytes[-nbytes,nbytes]
+            end
+          else
+            # extract a number of bits from each scanline
+            nbytes = (nbits/8.0).ceil # number of whole bytes, rounded up
+            mask = 2**nbits-1
+            a = []
+            scanlines.each do |sl|
+              bytes = sl.decoded_bytes[-nbytes,nbytes]
+              value = 0
+              # convert 1+ bytes into one big integer
+              bytes.each_byte{ |b| value = (value<<8) + b }
+
+              # remove unwanted bits
+              value &= mask
+
+              # fix[n] -> 0, 1
+              # Bit Reference - Returns the nth bit in the binary representation of fix
+              # http://www.ruby-doc.org/core-1.9.3/Fixnum.html#method-i-5B-5D
+              #
+              # also "<<" + "reverse!" is 30% faster than "unshift"
+              nbits.times{ |i| a << value[i] }
+              a.reverse!
+
+              while a.size >= 8
+                byte = 0
+                if params[:bit_order] == :msb
+                  8.times{ |i| byte |= (a.shift<<i)}
+                else
+                  8.times{ |i| byte |= (a.shift<<(7-i))}
+                end
+                data << byte.chr
+#                if data.size >= @limit
+#                  print "[limit #@limit]".gray if @verbose > 1
+#                  break
+#                end
+              end
+            end
+          end
+          return if data =~ /\A\x00+\Z/ # nothing special, only zero bytes
+
+          # something found
+          data
+        end
+      end # class << self
+    end # Scanline
+  end # Checker
+end # ZSteg
+
+if $0 == __FILE__
+  require 'zpng'
+  ARGV.each do |fname|
+    img = ZPNG::Image.load fname
+    ZSteg::Checker::ScanlineChecker.check_image img
+  end
+end