Bread Archive: #9038853
Posted [2020-05-05 16:20:10Z] Updated [2020-05-28 15:34:53Z]
Source: [qresearch] 218 replies

Ghidra Hidden ByteCode/Steganography/Crypto

Ghidra Hidden ByteCode/Steganography/Crypto spaceB0x ID: ffc9f6 2020-05-05 16:20:10Z No. 9038853

Long time lurker/autist, breaking silence. Have tried to get hacker community in on this but to no avail. Ghidra is a tool for reverse engineering. The image itself has code in it. I have been using radare2 to reverse for a long while on q images. Remember "graphic is key" and "you have more than you know"

Have been doing research in parallel with some others on Q posts for a while looking for steganography, encryption keys, and more and have found bits and pieces that are near misses. See twitter for more details, though much hasn't been released. https://twitter.com/spaceB0xx/

But we need to get as many people who are cryptographically minded on this. It has been a struggle to get others involved on this route.

Anonymous ID: 94e2ff 2020-05-05 16:46:17Z No. 9039279

hey, new fag here.

I used Ghidra (new for me too) with the last two images (Qdrop 4109 and 4108). I found this:

https://www.biorxiv.org/content/10.1101/2020.02.21.958678v1.full.pdf

Anonymous ID: f8082f 2020-05-05 17:42:48Z No. 9040069

>>9038853

Ghidra isn't really a steganography tool

more a tool to crack programs, reverse engineer programs and some limited forms of security analysis and network analysis

>It has been a struggle to get others involved on this route.

ya, it has, been trying for a while

>>>/comms/3264

hacking, cracking background

some crypto & steg experience

been looking at Q posted graphics and so far have found nothing substantial either

possibilities

a. nothing to find

b. don't have password for specific program used

steganography is almost impossible to crack if you don't know the program / algorithm used

still waiting for further crumbs from Q

Anonymous ID: ab834d 2020-05-05 18:33:28Z No. 9040860

>>9040069

>Ghidra isn't really a steganography tool

Q re-posted the link to Ghidra last night along with two pics, one of them a gift.

He doesn't post things without meaning and stated:

"Toolkits can be helpful. Q"

Based on that I think you are incorrect.

I believe there is something to find in all of his pics.

Anonymous ID: 7fce13 2020-05-05 18:53:55Z No. 9041086

>>9040860

Everyone is dumping their tools and that's nice and all but, what about reverse-engineering the stupid app they want people to use? The COVID Symptoms App or w/e.

spaceB0x ID: ffc9f6 2020-05-05 18:54:53Z No. 9041102

>>9040069

This is correct, that it isn't a stego tool. It is a reversing tool. What I was trying to communicate is that there is steganography in many of these images, as well as embedded code. You can see some of my posts in the twitter link.

The image of Ghidra that I posted is the disassembled 8chan image. I should have been more clear

spaceB0x ID: ffc9f6 2020-05-05 18:57:59Z No. 9041137

>>9041102

For example, the exifdata from last night's 8chan image also has a "Keyword" embedded in it. That is steganography. See this screencap

There is something here I am convinced of it. I have done much crypto and cracking. Ghidra could help reverse binaries, and find binary/executable data in seemingly arbitrary files.

Anonymous ID: 3347cd 2020-05-05 19:22:27Z No. 9041408

Thank you for this discussion, I am studying Industrial and Human Factors Engineering as a second masters track. Stopped Course for bit for health and money issues then November 2016 miracle happened. Followed crumbs from others to Q. Which direction are you headed with this dig?

spaceB0x ID: ffc9f6 2020-05-05 19:52:38Z No. 9041828

>>9041408

The Ghidra reference is really for reversing, so in that regard, I would try to figure out what these functions are actually doing inside of the image. The fact that there is a "Keyword" in the exif data is a start.

What I have been working on the past number of months is finding cryptographic keys. I am convinced that Q post 1441 has an encryption certificate in it. I can see pieces of it, but can't seem to cryptographically, or steganographically extract them.

What one of the above posters said is true, that if you don't have the key and don't know the algorithm, then decrypting is worthless.

However, Q posted the word "Spray" (like password spraying?). A technique I use when hacking things with a password. Just brute forcing the crap out of it.

spaceB0x ID: ffc9f6 2020-05-05 20:22:44Z No. 9042267

And also, the "present" image has a very unique string in the image data….

Using the basic "strings" command line utility on Linux/MacOS

spaceB0x ID: ffc9f6 2020-05-05 20:23:22Z No. 9042277

>>9042267

Excuse me… the "gift" image…no present

Anonymous ID: 4948e6 2020-05-05 20:34:49Z No. 9042464

>>9042267

>>9042267

is that brainfuck code?

Anonymous ID: 4948e6 2020-05-05 20:35:57Z No. 9042478

>>9042267

>>9042464

https://en.wikipedia.org/wiki/Brainfuck

Anonymous ID: 4948e6 2020-05-05 20:41:47Z No. 9042549

>>9042464

>>9042478

i um think that is a coincidence

Anonymous ID: d1ffc5 2020-05-05 20:55:28Z No. 9042718

Pretty sure Q is showing the world how this language is unknown to quite a many and is something that needs to be addressed. This level of programming .. To older people it is simple.. a very few at that. and to a great many more they are more interested in the higher levels of code beyond the base. This is interesting to see again. Especially considering how game developers have been requiring users to submit to playing via essentially a streaming service now.

Anonymous ID: d1ffc5 2020-05-05 20:56:17Z No. 9042731

>>9042718

Think code injection or the like to induce reactions etc. this is beyond the gaming level but it is a start.

Anonymous ID: 94e2ff 2020-05-05 21:09:43Z No. 9042906

what if parts of a program were hidden in different images?

spaceB0x ID: ffc9f6 2020-05-05 21:17:02Z No. 9042985

>>9042549

Exactly what I'm talking about! Now we are getting somewhere. You think a random brainfuck string is embedded in a Jpg binary, entitled Present? And that value ends up being -17? I don't think so.

Anonymous ID: 4948e6 2020-05-05 21:19:48Z No. 9043015

>>9042985

tbh i couldn't reproduce that result on any other online brainfuck compilers. like i said, seems like a fluke. i didn't put enough time into it to try to hand convert whatever that string is in bf.

spaceB0x ID: ffc9f6 2020-05-05 21:22:04Z No. 9043048

>>9042906

Well, if you load the image into Ghidra (and originally I was using a software called radare2), there are "bytecode" functions which are identified. Bytecode is compiled binary/assembly which is actually executable code. (this is why "steganography" and such are closely correlated with the work I have been doing.)

Now, when you are looking for random opcodes, in a sea of bytes (all the images) you are bound to run across a crapton of false positives. Like, a lot. So the key is to be able to know if any bytecode returns are legit (i.e., the assembly code interpreted actually makes sense)

The code in the 8chan image does. Now what it is doing, I am not sure yet. But Ghidra interprets it properly as functions with parameters which are initialized, and then referenced/assigned, with conditional loops etc.

This would be hard to do randomly

spaceB0x ID: ffc9f6 2020-05-05 21:24:29Z No. 9043078

>>9043048

They seem to be pieces to a binary whose "entrypoint" I cannot find. It also helps to have an idea what architecture the binary pieces were intended to run on, as that will dictate how the bytecode is actually interpreted.

spaceB0x ID: ffc9f6 2020-05-05 21:26:47Z No. 9043105

>>9039279

What Architecture did you import as?

Anonymous ID: 94e2ff 2020-05-05 21:42:24Z No. 9043296

>>9043105

you mean this?

spaceB0x ID: ffc9f6 2020-05-05 21:49:12Z No. 9043374

>>9043296

You said in Ghidra you imported those images, and found said doc. when importing raw data in Ghidra you must specify architecture.

Or just detail where you found said pdf link

spaceB0x ID: ffc9f6 2020-05-05 21:50:49Z No. 9043401

>>9043296

>>9043374

Disregard, I got what you mean. My brain is on empty. And thanks for those screengrabs

Anonymous ID: 7d5539 2020-05-05 21:53:39Z No. 9043433

>>9042267

Tried converting the +/- to number string and letters for passphrase…did not appear to work with steghide passphrase. There is definitely information in the gift file. If you fire up the image in GIMP you will find blocked out pixels at another layer. Use the brightness and contrast tools in gimp to reveal.

The "punisher pic" also reveals interesting information when using the brightness and contrast tools in gimp haven't fully revealed the information but there are patterns there. Ghidra may help on the gift image. I had an older version and was unable to get through the python analysis before it would crash my system. (I was on a shitty laptop.)

Anonymous ID: 4948e6 2020-05-05 21:56:36Z No. 9043470

>>9043433

Anonymous ID: 710638 2020-05-05 22:06:08Z No. 9043561

>>9043470

Close….go the other direction on the spectrum to see if you see what I am seeing. Here is the hint I used…Get it to the point where you are making "red cross" like lines in the forehead area. I will have look at what you are seeing. TY

Anonymous ID: e84dea 2020-05-05 22:16:43Z No. 9043666

>>9043470

???

Anonymous ID: 4948e6 2020-05-05 22:19:20Z No. 9043689

>>9043561

>>9043666

Believe it or not, i made a python program to read one of them

Anonymous ID: 4948e6 2020-05-05 22:21:21Z No. 9043711

>>9043689


#!/usr/bin/env python

from PIL import Image

# Open the image and force RGB so getpixel() always returns (r, g, b),
# even for palette or RGBA PNGs (otherwise the unpack below fails).
im = Image.open("skull-code.png").convert("RGB")

width, height = im.size

# Two candidate bit strings: bright (yellow) pixels read as 0 in one
# and as 1 in the other, with one line of text per pixel row.
yellowAsZero = ""
greenAsZero = ""
for y in range(height):
    for x in range(width):
        r, g, b = im.getpixel((x, y))
        if r > 200:          # strong red channel -> yellow pixel
            yellowAsZero += "0"
            greenAsZero += "1"
        else:                # anything else treated as green
            yellowAsZero += "1"
            greenAsZero += "0"
    yellowAsZero += "\n"     # end of row
    greenAsZero += "\n"

print(yellowAsZero)

It didn't come out with anything but that was my quick attempt

Anonymous ID: 4948e6 2020-05-05 22:23:20Z No. 9043728

>>9043470

>>9043666

Anonymous ID: 4948e6 2020-05-05 22:23:54Z No. 9043734

>>9043728

8kun snake logo ? i almost see it if i stretch my imagination haha

Anonymous ID: 6e1353 2020-05-05 22:34:12Z No. 9043835

>>9043689

I like your thinking anyway. Nice work!

I was thinking tineye search for original. If difference file compare script.

Anonymous ID: 872778 2020-05-05 22:38:27Z No. 9043883

>>9043728

So moving the spectrum to the other end reveals braille like dot patterns. Getting the image to red and white lines (a few red / white crosses) reveals dot patterns that remind me of braille. Haven't tuned it in fully for decode. Just throwing that out there. Braille (dot patterns) is a common message passing technique for StegAnons

Anonymous ID: 8b7181 2020-05-05 22:57:17Z No. 9044073

>>9042267

looks like a voice frequency

Anonymous ID: 94e2ff 2020-05-05 23:05:09Z No. 9044191

>>9043728

I tried to use the parts as if they were a puzzle…

I don't think I have much, though… I tried to follow some kind of graphic logic

Anonymous ID: 4948e6 2020-05-05 23:19:51Z No. 9044377

>>9044191

It looks like sprites of an aztec dude running and doing flying kicks for an 8bit game

Anonymous ID: 94e2ff 2020-05-06 00:27:20Z No. 9045175

it's probably nothing but… the tie strips should appear also in the reflection on the desk, right?

https://www.instagram.com/p/B_0eEKyB8LH/

Anonymous ID: dffc81 2020-05-06 01:16:22Z No. 9045788

Anybody get Ghidra to work with Eclipse (java)?

Anonymous ID: 3347cd 2020-05-06 02:04:38Z No. 9046344

>>9041828

file names seem to be pointing to abstract items or strings of information that are not random. You are aware of the cypher the founders used? books at the lib of congress cover it

So here is a path from the punisher file name capitals TTiC the file name transposed, missing, or incorrect syntax are paths to endless data… seems to point to 1-99 items that tie each bad actor by money deed generational to the main death cult [93]

Anonymous ID: 64776a 2020-05-06 02:18:42Z No. 9046487

>>9045175

If this is part of the "map" then "news" unlocks it

Anonymous ID: 2a5bd7 2020-05-06 03:07:42Z No. 9046953

How do we know that there isn't spyware or malware or a rootkit or whatever, embedded in the ghidra code itself?

Stegano & reverse-engineering compiled code both interest me, and I've always suspected (from the first time that Q said, "you have more than you know"), that there might be a lot of stegano in at least some of the images (and I have in fact gone and looked inside some, finding nothing – which doesn't mean it isn't there, but might mean there isn't – so, this all interests me, but I'm not installing software on any of my computers, that is DL'ed from this Wilderness of Mirrors, unless I have solid reasons to trust it isn't itself malware/d.

Anonymous ID: 2a5bd7 2020-05-06 03:09:07Z No. 9046965

>>9046487

If future unlocks past, then maybe "future" is the keyword – to unlock some or other thing that is tagged with "past" as a label.

I'm just speculating, here.

Anonymous ID: 3347cd 2020-05-06 03:53:29Z No. 9047252

>>9046953

you don't, so sandbox it

spaceB0x ID: ffc9f6 2020-05-06 04:08:48Z No. 9047349

>>9047252

Amen to this. These tools don't need internet. Running in a networkless VM is highly recommended.

Anonymous ID: 4d5cd6 2020-05-06 04:11:53Z No. 9047369

>>9046953

>How do we know that there isn't spyware or malware or a rootkit or whatever, embedded in the ghidra code itself?

You mean so the NSA could get access to your personal information?

Have you even thought this through or are you just typing things as they flash into your little brain?

Anonymous ID: b3809b 2020-05-06 04:25:46Z No. 9047423

>>9047252

>>9046953 ( Yep Yep never trust anything)

>>9047369

Sandbox isolation works well but at the end of the day if you are running anything other than linux secure OSs you are already sharing your information. This is why we are actually working with Ghidra. To mitigate that challenge. Kinda like cleaning the garage. You have to make a mess before you can get cleaned up and organized.

Anonymous ID: 128f74 2020-05-06 04:26:32Z No. 9047426

Thanks For The Thread…

These Tools ..Will Be Greatly Useful In The Months To Come.

Peace & Respect.. ..

Righting The Ship.

Anonymous ID: 933f4f 2020-05-06 04:49:47Z No. 9047567

>>9046965

WHO knows?

Keep thinking like this.

Anonymous ID: 26a5aa 2020-05-06 04:57:08Z No. 9047613

>>9047426

Jah me heart'E: ['ow's Davy do'n?]

Brainfuck<:>K.I.S.S.

F.I.R.E. ('n 'Hank's Louise) 'bout time, too.

Fire. . .. … (phive)<:>Live

A<:>D<:>Ana.

Circle-of-5ths<:>[,]7!

Fire!

Again: Louise_5; Out STAND'n!

>JAH FIRE - RASTA FOR LOVE AND PEASE

https://www.youtube.com/watch?v=X0B6zUykXWk

Anonymous ID: 492716 2020-05-06 05:22:23Z No. 9047720

>>9043470

the orange section could be pineal related.

Anonymous ID: 7289c2 2020-05-06 06:34:32Z No. 9048040

>>9047720

agree

Anonymous ID: ce0691 2020-05-06 07:42:01Z No. 9048298

>>9046953

Doesn't matter what is embedded in source of Ghidra. I have come about two and a half years following Q. I have to believe that if there is embedded code, it must be beneficial. Otherwise we don't "trust the plan", and if that WHAT THE FUCK ARE WE DOING HERE? In for a penny; In for a pound! WWG1WGA!

Anonymous ID: ce0691 2020-05-06 07:44:12Z No. 9048307

>>9048298

How about if Q has embedded a key to unlock steg info in every pic they have posted? Worth building a Virtual Box! Hell, it's worth a shot on my home laptop! LOL

Anonymous ID: ce0691 2020-05-06 07:59:24Z No. 9048359

>>9046965

Maybe faggot, but we also have almost three years worth of drops to sort through and see if any of them get new meanings because of this.

Anonymous ID: 7a2a58 2020-05-06 09:21:02Z No. 9048580

the filenames of Qs Images have always intrigued me.

Maybe put all of them chronologically together and decode?

I'm sure if someone gets creative enough there will be something.

other Ideas

- try putting meta/exif-info tags together from multiple Images

- always the "last" or "first" few characters of the actual Image Info

Might also make sense to think how one would go about to code info-snippets into these images.

I'm quite sure that if there is more info embedded in the images, in the end its something simple.

If there is info like "the Map" there must be a lot of characters - and it would take multiple Images to hide it, since the malformation of jpegs can only go so far until it breaks down noticeably. Keep this in mind while experimenting.

Anonymous ID: 3347cd 2020-05-06 13:06:07Z No. 9049428

>>9047423

true on the garbage

Anonymous ID: 3347cd 2020-05-06 13:15:53Z No. 9049488

>>9048580

my oldest find so far was 1867, railroad times, a financial newspaper with article written by [Librarian of Congress] He wrote about the need for central bank to foundry of their works…. projection for the changes to come

Anonymous ID: 79faac 2020-05-06 17:09:33Z No. 9052108

Ghidra / SRE Resources

For those that might be interested and struggle with how to start, or can't find help.

Course and Resources

Reverse Engineering Tutorial: How to Reverse Engineer Any Software

https://blog.udemy.com/reverse-engineering-tutorial/

Data Structures and Algorithms: Deep Dive Using Java

https://www.udemy.com/course/data-structures-and-algorithms-deep-dive-using-java/

GitHub Ultimate: Master Git and GitHub - Beginner to Expert

https://www.udemy.com/course/github-ultimate/

The Complete Networking Fundamentals Course. Your CCNA start

https://www.udemy.com/course/complete-networking-fundamentals-course-ccna-start/

Complete Python Bootcamp: Go from zero to hero in Python 3

https://www.udemy.com/course/complete-python-bootcamp/

97-things-every-programmer-should-know

https://github.com/97-things/97-things-every-programmer-should-know/tree/master/en

https://github.com/97-things/97-things-every-programmer-should-know

Articles and Blogs

How to start out in reverse engineering?

https://www.reddit.com/r/ReverseEngineering/comments/12ajwc/how_to_start_out_in_reverse_engineering/

How to Reverse Engineer Software

https://techeries.com/how-to-reverse-engineer-software/

The Power of Reverse Engineering

https://www.thesoftwareguild.com/blog/what-is-reverse-engineering/

Anonymous ID: 86e65b 2020-05-06 21:41:39Z No. 9055529

>>9047567

>>9046965

>>9048359

>>9048580

Did a search last night on images posted with the name unknown. There are not that many …. if I remember correctly there were 8 total.

Just following this path for a bit digging through the metadata and potential strings.

Anonymous ID: 86e65b 2020-05-06 21:47:32Z No. 9055579

>>9048307

That would be nice.

I am enjoying the show and playing in an area I love. It's great expanding my knowledge on Ghidra, and other NSA tools and playing around with Steganography. It's great hanging with like minded anons diggin for the truth and taking down the [DS] at the same time.

Comfy AF!

Anonymous ID: 0476eb 2020-05-06 22:01:46Z No. 9055716

>>9039279

Not seeing anything like that, it should be embedded code, not a link.

What language/architecture did you use?

Can you post a screenshot of the link in Ghidra?

Anonymous ID: b65ee1 2020-05-06 22:24:20Z No. 9055905

Anonymous ID: 8077ab 2020-05-06 22:27:14Z No. 9055934

>>9039279

Not seeing this either….Can you post the steps you performed to find this pdf?

Anonymous ID: b65ee1 2020-05-07 02:31:28Z No. 9059549

Could Q have dropped it to reverse this Pandora's Box on the NWO's control system?

This guy found what looks to be the motherload of control grid

Anonymous ID: e58177 2020-05-07 02:54:59Z No. 9059824

>>9039279

You’re full of shit. Your screen shot shows Copia.exe which is malware, not the JPEG file. There’s no pdf file in the image.

Fuck off.

Anonymous ID: 605726 2020-05-07 02:55:06Z No. 9059825

>>9055716

The only thing he could've found was the link in encrypted form. The file is too small to contain the PDF. I'd say he's lying - no reason not to post where the link was.

Anonymous ID: e58177 2020-05-07 02:55:55Z No. 9059836

>>9059825

He’s full of shit.

Anonymous ID: 2a5bd7 2020-05-07 02:56:59Z No. 9059853

>>9047369

You know, I almost impulsively carpet-bombed you back with insults – but then I realized: you are almost certainly sperging out, and not shilling, so, hail and well-met, brother anon.

#pro-tip: on the internet, $="no one knows you're a dog".

One posts things into the vasty deep, to see what calls back. One baits a hook, according to what fish one wishes to catch. One scans this part of the EM spectrum, and not that one, to see who is broadcasting here, and not there. One pretends to be this kind of poster, so in the event of a reply, one may make inferences from data unobtainable by posting as some or other different set of personae.

Everything as clear as mud?

Anonymous ID: 605726 2020-05-07 03:01:20Z No. 9059895

The only picture I've found anything in is the punisher pic with the grey stripe at the lower edge. That one has 60kb of extra data. Went through it with a hex editor and binwalk. There's two valid png blocks of which the first is the image. The second I have no idea what it is.

Anonymous ID: e58177 2020-05-07 03:03:51Z No. 9059917

>>9038853

Your image of Ghidra…There is no function in the main window, how are you seeing that in the decompiler? The address in the decompile image doesn’t match the listing window.

Anonymous ID: e58177 2020-05-07 03:10:38Z No. 9059989

>>9059895

Which Q post is that in?

Anonymous ID: 2a5bd7 2020-05-07 03:30:11Z No. 9060192

>>9048298

I had had similar thoughts, and it is interesting to see them echoed.

But I have been following "this" story, in its broadest context, for, I dunno, close on 50 years. It surprised me completely when I realized that was the case, about 35-40 years in: I had always thought it was a bunch of separate, unrelated weird things, but it turns out it is one big weird thing. Or mostly so, anyway.

The digger you deep, the getter it weirds. The sophistication of some of the less obvious psy-ops is mind-bending to behold. Their implicit malice, inarguable.

If Clown City in Langley Virginia is setting up false drop boxes so they can catch, and do wet jobs on, bona fide US patriots who've decided to risk all and be whistle-blowers, then …?

If Snowden was sent to Kansas as an infiltrator, to do sabotage, so an entire, vast, fake privacy-theft crisis could be run, to conceal-in-plain-sight, another, far vaster one, then …?

If the moment facial recognition CCTV-harvesting AI's become technologically feasible, all of the sudden tattoo parlors start springing up everywhere because "it's popular", then … ?

If the rabbit hole goes down, and down, and down – if you drop a pebble, and it never seems to hit bottom, ever, ever, then …?

It's not that I don't "trust" Q; it's that at the end of the day, I don't trust.

When Q came along, I was core-optimistic for the first time in my life. So there's that.

But watching previous proto-counter-coups, however feeble, get crushed outright by cold-blooded murder ($={FBI "they're all insane"}) and decent, patriotic human beings die cruelly at the hands of a deeply-embedded Evil, because no one "normal" realizes what is going on in front of their very eyes (not blindness, but trance), has had this result: at the end of the day, I do not trust.

I hope Q is everything it promises to be. An America where the US Constitution is actually, you know, observed, and where, to pick a tiny example, you have to actually be sworn properly into the Office, in order to discharge the extensive executive powers of The President of The United States of America, would be an unprecedented (sic) and wonderful, World-improving thing.

But at the back of my mind is the thought, that (like the badly written final minutes of the movie, *Basic*, except more credibly and coherently), as every unveiling so far (I did say almost 50 years, right?) has got us to "bedrock" that proved to be 1" of mudstone, with a trap-door entrance right there, to another hundred feet of ladder, down, down, down into the dark – this could be just another one of those situations, only fancier, and with better theatrical props.

I do not trust. Not, at heart. Or rather, obviously I do: I am fully aware this channel is approximately as "private" as FB, just with ostensibly better-intentioned Overwatchers.

Except, I don't.

Anonymous ID: 2a5bd7 2020-05-07 03:44:56Z No. 9060366

>>9048359

True. Also traffic analysis: not just the "Q Proof Offsets", but any other patterns in the timing, timing-correlated size (length) and number, etc. of the drops. Comms analysis isn't just about content alone.

I think the only "optimal" strategy is to start digging anywhere, and if it doesn't hit pay-dirt before you get bored, stop and start digging in some other place – iteratively.

Unless you have hard evidence a particular approach is a total waste of time (and if so: serve it with sauce, of STFU & GTFO), don't shit on any other Anon's wild guess.

Q has given us N haystacks hiding M needles, N>>M – except some of the needles are something other than needles, and we don't know what.

The only reasonable strategy is to search anywhere. For anything.

All of which is a roundabout way of telling you to fuck off.

Anonymous ID: 605726 2020-05-07 03:47:07Z No. 9060410

>>9059989

#3982

We are ready.

[Set 1]

Mission good.

Q

Anonymous ID: 2a5bd7 2020-05-07 03:51:26Z No. 9060480

>>9059825

Especially since showing us where the link was, and how concealed, would hint at methods for finding others, elsewhere.

I interpret that whole thing as being a slide.

The Shills on this (Ghidra) sub-board have to use different shilling tactics than on other sub-boards. Different human terrain here.

Anonymous ID: e58177 2020-05-07 03:57:52Z No. 9060586

>>9060480

>>Especially since showing us where the link was, and how concealed, would hint at methods for finding others, elsewhere.

Except there is no link hidden in that file, the screenshot is not a representation of the jpeg file but is of a completely different file that is a malware executable.

It is a slide, but not a concealment of knowledge. That person only knows photoshop, not Ghidra or reverse engineering.

Anonymous ID: ddd144 2020-05-07 11:11:53Z No. 9062790

>>9059825

>>9055716

>>9059824

>>9038853

>>9055934

>>9059825

>>9059836

I put the screenshot in the first post but I had checked the "spoiler" box (newfag here, as I said, this platform is new for me), but you can still see it on my first post, though…

In the image there is the sequence I followed.

I never said the pdf is IN the image, I just searched on internet what appeared in the code (it was not my intention to make it look as if I found the pdf inside the image, but English is not my first language… what I meant is that I arrived to the pdf thanks to what I saw with Ghidra… and for that I attached a .png file with the steps I followed)

In the screenshot png file the steps are:

I just put in the browser what there was in the image according to Ghidra (so I tried different parts in the browser) and

when I searched for "INTMEM:00-INTMEM:07" (which appears at the beginning when opening the image with Ghidra, as I showed you in the screenshot), I found the pdf IN the internet

(so I found the pdf copying what Ghidra showed me and pasting it in the browser).

About Copia.exe:

I saw only now that I used the Copia.exe for the screenshot, here what it is:

I tried to change the extension of the images to see if Ghidra showed me different codes (it may be stupid, but as I said.. that was my first time using Ghidra… I also tried to change the images in .txt … ). There were no differences between the original image (which I used for the research I was talking about) and the image with the extension modified in .exe (I just renamed it to distinguish them).

So here what happened: I used for the screenshot the version of the image with the modified extension…

…because here it was 3 am and I took the screenshot of the .exe instead of the original one by mistake… also because there were no differences in the codes, so… my mistake in that.

You can check what I'm saying by opening the original image, copying and searching for the "INTMEM:00-INTMEM:07" and you should see the pdf in the first page (depending on the browser you are using, of course…)

(PS: I did not copy -in the attached png image- the full pdf I found IN the internet -not IN the image- as it was too long.)

Anonymous ID: ddd144 2020-05-07 12:30:10Z No. 9063059

>>9062790

…and I thought the pdf could be something because if I try to copy and paste any part of it, what I paste is not what the pdf shows.

For example:

if i try to copy the first sentence: "Multicellular development depends (…) organization. "

what I have in the pasted text is:

"0XOWLFHOOXODU GHYHORSPHQW GHSHQGV RQ WKH GLIIHUHQWLDWLRQ RI FHOOV LQWR VSHFLILF IDWHV

ZLWK SUHFLVH VSDWLDO RUJDQL]DWLRQ"

that's why I shared it with you.

It may be nothing, though…
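The pasted text quoted above is consistent with a known PDF text-extraction artifact (every non-space character is the on-screen character minus 29 code points) rather than a hidden message, and the following added example (not code from any poster) infers that constant offset from the on-screen sentence and undoes it over the whole quoted string. Assumed: the two pasted lines are one sentence split by a line wrap, and the on-screen wording given in the post is accurate.

```python
#!/usr/bin/env python3
"""Recover text that a PDF viewer copies out shifted by a constant code-point offset.

The pasted text quoted in the thread is the original sentence with every non-space
character moved down by 29 code points: 'M' (0x4D) became '0' (0x30). That is the
usual signature of a PDF whose font lacks a ToUnicode map, so copying yields glyph
indices instead of characters; in the standard TrueType glyph order the glyph for
space is index 3, so index = code - (32 - 3) = code - 29 for the ASCII range.
"""

# Quoted from the thread (the two pasted lines joined with a space).
GARBLED = ("0XOWLFHOOXODU GHYHORSPHQW GHSHQGV RQ WKH GLIIHUHQWLDWLRQ RI FHOOV LQWR "
           "VSHFLILF IDWHV ZLWK SUHFLVH VSDWLDO RUJDQL]DWLRQ")
# The start of the sentence as it appears on screen, also quoted in the thread.
KNOWN_PREFIX = "Multicellular development depends"


def infer_shift(known, garbled):
    """Return the constant k such that garbled_char == known_char - k for every
    aligned non-space pair, or None if the pairs do not agree on one offset
    (or word boundaries do not line up)."""
    offsets = set()
    for k_ch, g_ch in zip(known, garbled):
        if k_ch == " " or g_ch == " ":
            if k_ch != g_ch:
                return None          # a space must map to a space
            continue
        offsets.add(ord(k_ch) - ord(g_ch))
    return offsets.pop() if len(offsets) == 1 else None


def unshift(garbled, shift):
    """Undo the offset; spaces come from page layout and are left alone."""
    return "".join(ch if ch == " " else chr(ord(ch) + shift) for ch in garbled)


def recover(garbled, known_prefix):
    """Infer the shift from a known prefix and apply it to the whole string.
    Returns None when no single offset explains the prefix."""
    shift = infer_shift(known_prefix, garbled)
    if shift is None:
        return None
    return unshift(garbled, shift)


if __name__ == "__main__":
    print("inferred shift:", infer_shift(KNOWN_PREFIX, GARBLED))
    print(recover(GARBLED, KNOWN_PREFIX))
```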

Anonymous ID: c18b56 2020-05-07 12:45:25Z No. 9063132

To the Anons in these threads, don't expect too much from Ghidra.

A lot of the nasty stuff that compromised mobile applications will be doing won't be on the app, but on the server they communicate with.

At best, Ghidra will be able to show and tell what information is being sent off and to where if they're not smart, as well as encryption methods and programming libraries used.

But the above is still a best case scenario for digging. Most decompiles won't return much.

Anonymous ID: 07a54e 2020-05-07 12:51:08Z No. 9063162

>>9063059

I have had that copy and paste issue if i try to copy it from the browser, usually have to open it in a standalone pdf program

Anonymous ID: ddd144 2020-05-07 12:57:41Z No. 9063210

>>9063162

Yes, it happened to me too, but I downloaded the file and opened it with different reader and still does it… but again, except for the fact that I find the topic of the pdf interesting,

the copy issue may be nothing… and the pdf itself may be not related to what we are looking for…

I just shared here because I know there are many people who are better than me in this kind of things and in digging.

Anonymous ID: b55d6c 2020-05-07 14:03:42Z No. 9063708

>>9048580

>>9055529

Try this.

It's a graphic/analytic that has gathered up all the images that Q has posted and then cross references all of the filenames with text that Q has posted.

Freedom.png : 'Freedom' appears in 55 drops.

Links to all related drops and images.

https://qanon.news/Analytics/FileNameMap1

Anonymous ID: 2a5bd7 2020-05-07 14:06:29Z No. 9063737

Is it possible to embed (stegano conceal) non-rendering pdf pages/docs *inside* another pdf? If so, how do you extract the "hidden" ones? If there is no pre-existing software to do this, how do you do it "by hand"?

Similarly for .doc, .docx, .odt, .xls, .xlsx, .ppt, .pptx, etc., etc. – but mainly for pdfs (I have some target files for that right now).

If a pdf weighs in at >10Mb, but renders as just one, single, miserable, boring page of mostly text & near-constant background color – is it a reasonable target for steganalysis? It should be (from the 'surface' needs, a way smaller file, no?

All the steganalysis tools I know are for image files – ignoring the obvious trick of opening any file format whatever either in a hex editor or as if a txt file.

I know just enough stegano to misunderstand everything badly – are there tools for the steganalysis of file formats that are *not* image file formats?

Hiding something as LSBs (etc.) does not make sense (that I understand … yet), except for image files. What are the (most frequently found in the wild) stegano methods that are based on other file formats?

For one thing, it is now public lore (though not "knowledge") that you can hide things in *image* files. Therefore, people who want to avoid random scrutiny comping their stegano at the hands of script-kiddies (such as myself) probably would have shifted to other file formats.

Throw me a friggin' rope, here (no noose jokes, please: no noose is good noose).

– An anon.

Anonymous ID: b55d6c 2020-05-07 14:07:39Z No. 9063750

>>9063132

Agree.

I looked at Facebook.apk a couple days ago and found a lot of camera related functions, a lot of location functions, other sensors trying to detect the direction the user is facing.

Seemed out of place to me, but I don't lifelog. Possible it's all part of the Facebook featureset, could be that it's always running.

Anonymous ID: e3b7e9 2020-05-07 17:32:38Z No. 9065874

Upfront disclaimer: not a stegano expert, but willing to be another set of eyes on Q graphics to join the research. Ghidra too.

Anonymous ID: 605726 2020-05-07 20:04:24Z No. 9068395

Latest flag image:

Offset 0 (0x00):

File type: Portable Network Graphics image

Extension: png

MIME type: image/png

Offset 138 (0x8a):

File type: Zlib Deflate

Extension: zlib

MIME type: application/x-deflate

Offset 396 (0x18c):

File type: MPEG-3 audio

Extension: mp3

MIME type: audio/mpeg

Offset 5255 (0x1487):

File type: Zlib Deflate

Extension: zlib

MIME type: application/x-deflate

Offset 18864 (0x49b0):

File type: MPEG-3 audio

Extension: mp3

MIME type: audio/mpeg

Offset 24673 (0x6061):

File type: Zlib Deflate

Extension: zlib

MIME type: application/x-deflate

Anonymous ID: 2a5bd7 2020-05-07 21:35:01Z No. 9069769

https:// www.researchgate. net/post/Which_is_the_best_steganalysis_tool

Anonymous ID: e58177 2020-05-07 21:36:28Z No. 9069792

>>9059895

>>There's two valid png blocks of which the first is the image. The second I have no idea what is.

That’s a zlib-encoded stream, PNG files use zlib to compress the image. It’s not anything.

Anonymous ID: 2a5bd7 2020-05-07 21:38:13Z No. 9069810

>>9069792

http://bugtraq-apps.com/ supposedly has a few good steganalysis tools in it, but I am not running around with penguins and so I cannot DLstall it, so cannot say.

Anonymous ID: 2a5bd7 2020-05-07 21:40:45Z No. 9069848

http://dde.binghamton.edu/download/

… more steganalysis tools

Anonymous ID: 2a5bd7 2020-05-07 21:42:24Z No. 9069866

>>9069848

See esp. http://dde.binghamton.edu/download/feature_extractors/

Anonymous ID: 2a5bd7 2020-05-07 21:43:04Z No. 9069881

https://en.wikipedia.org/wiki/Steganalysis

Anonymous ID: 2a5bd7 2020-05-07 21:44:00Z No. 9069893

>>9069881

Key paragraph:

"The steganalyst is usually something of a forensic statistician, and must start by reducing this set of data files (which is often quite large; in many cases, it may be the entire set of files on a computer) to the subset most likely to have been altered. "

Anonymous ID: 2a5bd7 2020-05-07 21:46:14Z No. 9069923

>>9069881

See also: https://en.wikipedia.org/wiki/Steganography_tools … although the author uses "encrypt" to mean "conceal steganographically", even though it isn't a synonym.

Anonymous ID: 2a5bd7 2020-05-07 21:47:45Z No. 9069944

>>9069923

The meat of the article (for the purposes of Anons working on this board) is: https://en.wikipedia.org/wiki/Steganography_tools#Tools_comparison

Anonymous ID: 2a5bd7 2020-05-07 21:52:11Z No. 9070001

More tools:

Digital Invisible Ink Toolkit – http://diit.sourceforge.net/

"StegSecret. A simple steganalysis tool" – http://stegsecret.sourceforge.net/

"Virtual Steganographic Laboratory for Digital Images (VSL) - Free tool for steganography and steganalysis" – http://vsl.sourceforge.net/

Anonymous ID: a28a3c 2020-05-07 22:07:49Z No. 9070231

>>9063132

Hmmm. While this is a true statement it is not necessarily true for all apps. Take for example geolocation, facial recognition, voice recognition, iris tracking, fingerprint, sentence structure and language usage, etc…. These are all ways to correlate who you are, who you are communicating with, where you are, where you go, and what you are thinking about, and create a dynamic profile. Notice recently that Scroogle and other companies stopped using cookies? Why? Because they don't need them any more for tracking. This tech is very advanced. They are using other techniques to identify you on your devices. While command and control (if well designed and thought out) does behave in the manner you are suggesting, there are many many layers and many many techniques as to how personal data / life is now compromised.

Ghidra is very good at what it does. However, extending your tool kits to steganography hide-and-seek tools, malware analysis checkers etc. is very important as you do your detective work. There are many clues that can be discovered with Ghidra. Some can be easily missed. I just found an exe that was zipped up in an img file. I didn't see the exe in Ghidra (it was hidden very well) but I did find the bread crumbs for the zip file. Once I found the exe I put it back into Ghidra to see what's up… another layer of hidden information. Still working on that one particular challenge. I am always working to expand my tool kits and sharing what I know. If other anons have go-to apps they like for this work it would be great to see what tools you use and the process you use for decompiling.

It will take a digital army of anons to clean up all the compromised phone apps, PC, and Mac software. Now that we are on our way to cleaning up the compromised MSM "system", now it's time to rip apart the web and its applications. It's disgusting what it has become. I love technology, been working in this area of tech for many years. I have watched brilliant technology get used for corruption for way too long. It's time for this behavior to stop and make Technology Great Again. Our industry must be saved from what it has become. Surveillance is at an all time high right now. Chinese tech has subverted everything technical from the inside of our apps out. (It's a pervasive pattern; in fact it's right out of their playbook. Look up the book Unrestricted Warfare if interested). There are so many craptastic applications and services we all really need to get our shit together and fix these problems. It's a matter of national security when you think about how many chip sets we have in our homes, and businesses. They are all compromised in one way or another. It's shocking actually.

….Hack the planet anons. Let's roll!!

Anonymous ID: 2a5bd7 2020-05-07 22:08:23Z No. 9070244

>>9070001

DLs:

DIIT: https://sourceforge.net/projects/diit/files/diit/1.5/diit-1.5.jar/download?use_mirror=gigenet … from:

https://sourceforge.net/projects/diit/

<Documentation (incl. FAQs):

http://diit.sourceforge.net/doco.html

StegSecret: http://stegsecret.sourceforge.net/

http://stegsecret.sourceforge.net/XStegSecret.Beta.v0.1.zip

<Documentation & examples:

http://stegsecret.sourceforge.net/SpanishManual.pdf … sorry, no habla Inglez

http://stegsecret.sourceforge.net/imagenesEjemplo.zip

VSL: - https://sourceforge.net/projects/vsl/files/vsl/vsl-1.1/vsl-1.1.zip/download

<Documentation:

Forczmański, P., and Węgrzyn, M. Open Virtual Steganographic Laboratory, International Conference on Advanced Computer Systems, ACS-AISBIS 2009.

Forczmański, P., and Węgrzyn, M. Virtual Steganographic Laboratory for Digital Images. In Information Systems Architecture and Technology:

Information Systems and Computer Communication Networks (Wrocław, Polska, 2008), pp. 163–174.

https://www.google.ca/search?as_q=Forczmański+steganographic

https://www.google.ca/search?as_q=Forczma%C5%84ski+steganographic&as_filetype=pdf

Anonymous ID: 65d3fb 2020-05-07 22:18:04Z No. 9070428

>>9041086

Bingo!!! I see many useful targets for GHIDRA.

* Various Covid tracking apps for different countries.

* Tesla app

And the Windows driver for this Chinese laptop…..

HUAWEI HONOR MagicBook Pro 2019

https://www.aliexpress.com/item/4000902503352.html?spm=a2g0o.productlist.0.0.3e6db10a6mkL0T&algo_pvid=2a5f306d-533f-43fc-a44d-23f540150779&algo_expid=2a5f306d-533f-43fc-a44d-23f540150779-9&btsid=0ab6f82215888889442575290e2be2&ws_ab_test=searchweb0_0,searchweb201602_,searchweb201603_

This laptop comes pre-installed with Deepin Linux. It is the only Linux distro that can be installed. And if you decide to install Windows 10 on it, it will boot, but it will work like crap until you install the drivers from HUAWEI. I guarantee that the drivers are full of backdoors that lead directly to the CCP surveillance apparatus. So if an NSA spook would like to have some fun……….

Anonymous ID: 2a5bd7 2020-05-07 22:19:42Z No. 9070452

>>9070231

That's not quite true.

Here's the returned URL for a Goolag search for "whatever", which is so effing long I have parsed it at every ampersand, as & seems to be the field delimiter:

This is their domain: https://www.google.com/search?source=hp&

This is basically an in-link cookie: ei=CYe0XveWHoyStQXJ4JToBg&

This is my search string: q=whatever&

This is my original search string, so they can track refinements I make(*): oq=whatever&

This is, I think their attempt to geolocate my ass(**): gs_lcp=CgZwc3ktYWIQAzICCAAyAggAMgIIADICCAAyAggAMgIIADICCAAyAggAMgUIABCDATICCABQpw1YnxVg2x5oAHAAeACAAZgBiAHfB5IBAzMuNpgBAKABAaoBB2d3cy13aXqwAQA&

I haven't a fucking clue: sclient=psy-ab&

Who the fuck knows: ved=0ahUKEwi3v4KM4qLpAhUMSa0KHUkwBW0Q4dUDCAg&

No fucking idea: uact=5

(*): This is one of the ways they train their neural networks, for free – your work (our work, collectively), but "their" IP.

Terms of Service, my ass.

(**): It can only go to Internet nodes of a certain rank – the building in your neighborhood that houses your ISP's boxes.

Anonymous ID: 2a5bd7 2020-05-07 22:21:18Z No. 9070481

>>9070428

Anonymous ID: 2a5bd7 2020-05-07 22:22:11Z No. 9070498

>>9070452

Anonymous ID: 2a5bd7 2020-05-07 22:22:43Z No. 9070511

>>9070498

Sorry – mousefart.

Anonymous ID: 25121b 2020-05-07 22:26:33Z No. 9070567

Transcripts released

https://intelligence.house.gov/russiainvestigation/

Can anything be found in these pdfs?

Anonymous ID: 2a5bd7 2020-05-07 22:29:48Z No. 9070614

GitHub - https://github.com/ragibson/Steganography

Sales pitch: Least Significant Bit Steganography for bitmap images (.bmp and .png), WAV sound files,

and byte sequences. Simple LSB Steganalysis (LSB extraction) for bitmap images.

Anonymous ID: 2a5bd7 2020-05-07 22:36:43Z No. 9070684

Anonymous ID: 2a5bd7 2020-05-07 23:02:13Z No. 9070973

https://en.wikipedia.org/wiki/File_carving

Anonymous ID: 43cf29 2020-05-07 23:18:43Z No. 9071116

"strings -10 [imagefile]" may lead to something. Linux.

Anonymous ID: 2a5bd7 2020-05-07 23:21:22Z No. 9071140

https://www.coursehero.com/file/p2ksksp/Another-simple-and-effective-way-to-hide-a-message-is-to-use-white-text-on-a/

Anonymous ID: 2a5bd7 2020-05-07 23:23:48Z No. 9071173

https://en.wikipedia.org/wiki/List_of_file_signatures

Anonymous ID: adcfe1 2020-05-07 23:40:40Z No. 9071370

>>9063737

non-rendering pdf pages = pdf templates and/or layers. requires pdf javascript and Acrobat Professional

Anonymous ID: a28a3c 2020-05-08 00:07:18Z No. 9071733

>>9063737

The short answer is yes it is possible.

There are a few tools out there for decode. I had one at one time on my system I was looking at but can't remember the name. If you dig on PDF Steganography decoders you should find it….

Anonymous ID: 40dd42 2020-05-08 00:27:46Z No. 9072020

>>9039279

L-Serine is indeed a cerebral protein. Interesting paper.

Anonymous ID: f9e419 2020-05-08 00:57:25Z No. 9072526

>>9071370

You're in luck, i just happen to be an Acrobat Professional. I spent 6 years with the circus

Anonymous ID: 2a5bd7 2020-05-08 01:04:22Z No. 9072636

OK, so … I was reading various things about how to identify candidate files for steganalysis, and some of what I read said, good luck: no algorithm, no key, no can-do.

But other things said: well, what are your candidate files? Don't you have traffic analysis or other hints that there might be steganography in play? Get a bunch of these files, and do a statistical analysis of the data and metadata, and see what you find – maybe that will give you clues about who, how, and what key, blah, blah, blah.

So – here's the deal: Q & Q+ are obviously operating under all kinds of hard legal, constitutional, strategic, tactical and other constraints – but, if I thought they were just fucking with us and nothing else, I wouldn't be here at all. So, I made the guess that they would hide things (plausible deniability, parallel construction, blah, blah), but not bury them so deep that we couldn't find them.

Which means, there will be clues. Like what? Anon thinks and thinks and realizes: recurring files.

So, I went back through a bunch of Q Drops that had "the same" image files – here are some attached; why should the flag from #3908 be a smaller file-size than the others, when they "are the same image", and all have "the same dimensions"?

This hinted that, yes, there is something there. So I did the laziest of steganalysis possible: you open the supposed image file as a .txt file (use a simple text editor like MSFT's notepad.exe), and just look.

So I did. The internal 1s & 0s of these files are completely different from each other! Go look yourselves.

"Same image file", my @$$.

If there isn't stegano in there, then I don't know what else could explain this. So, fellow anons: please look inside these, and suggest steganalytic lines of attack based on what you see, or think you see.

How do we identify and extract?

There are other "recurring" image file series also: I am looking at some of them and will report back.

This is either garbage or gold – let's dig & find out!

Anonymous ID: dffc81 2020-05-08 01:11:07Z No. 9072714

For those completely confused about Ghidra…

I've been poring through the tutorial included in the download and it looks like Ghidra is a tool for reverse engineering compiled computer code. If you don't have a background in programming… and a pretty good one… it will most likely be a complete waste of time for you.

I haven't found a way to "inspect images" for hidden messages. If I'm wrong, please tell me how stupid I am. Show no mercy.

Anonymous ID: 2a5bd7 2020-05-08 01:13:13Z No. 9072737

>>9072636

There's a sixth one @ QDrop #4140 – I tried to post it here, but was told it was already in the thread (where?)

Note that #2790 has smaller dimensions – it's the other ones (incl. #4140) that have "the same dimensions", but different binary guts.

Surface: all six are the same.

Guts: totally different.

Take a look at each in notepad.exe and compare – now what?
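The posts above raise two related questions about the flag PNGs: why a carving tool reports "Zlib Deflate" and "MPEG-3 audio" at offsets inside the file, and why files that render identically have completely different bytes. The script below is an added example, not code from this thread or from binwalk, that answers both on a constructed PNG: it walks the chunk structure, maps each magic-byte hit to the chunk and region it falls in (the zlib hits are simply where IDAT data starts, and a 0xFF 0xFB "MP3 frame sync" inside IDAT is just pixel bytes), and then hashes the decoded pixels rather than the file so that two encodings of the same image compare equal. The signature table, the 2x2 sample image and its tEXt comment are constructed for the demo; the pixel hashing handles only filter type 0, which is all the sample writer emits.

```python
import hashlib
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Magic bytes a naive carver looks for: a small constructed subset, not binwalk's real table.
SIGNATURES = {
    b"\x78\x01": "zlib stream (level 0/1)",
    b"\x78\x9c": "zlib stream (default level)",
    b"\x78\xda": "zlib stream (level 7-9)",
    b"\xff\xfb": "MPEG audio frame sync (MP3)",
    b"PK\x03\x04": "ZIP local file header",
}

def png_chunk(tag, body):
    """Serialize one chunk: 4-byte length, 4-byte type, data, CRC-32 over type+data."""
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)

def build_png(width, height, rgb_rows, level=0, text=None):
    """Minimal 8-bit RGB PNG writer: filter type 0 on every scanline, optional tEXt chunk."""
    raw = b"".join(b"\x00" + row for row in rgb_rows)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    out = PNG_SIG + png_chunk(b"IHDR", ihdr)
    if text is not None:
        out += png_chunk(b"tEXt", text)  # keyword, NUL, value: the metadata field tools print
    return out + png_chunk(b"IDAT", zlib.compress(raw, level)) + png_chunk(b"IEND", b"")

def walk_chunks(data):
    """Yield (tag, chunk_start, data_start, data_len, crc_ok) for each chunk in file order."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos = 8
    while pos + 12 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        data_start = pos + 8
        body = data[data_start:data_start + length]
        (stored_crc,) = struct.unpack(">I", data[data_start + length:data_start + length + 4])
        crc_ok = (zlib.crc32(tag + body) & 0xFFFFFFFF) == stored_crc
        yield tag.decode("ascii"), pos, data_start, length, crc_ok
        pos = data_start + length + 4
        if tag == b"IEND":
            break

def scan_signatures(data):
    """Naive carver: every offset at which any known magic occurs, with no regard for context."""
    hits = []
    for magic, name in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def classify_hits(data):
    """Attach the enclosing chunk and region (header/data/crc) to each carving hit."""
    chunks = list(walk_chunks(data))
    result = []
    for off, name in scan_signatures(data):
        where = "outside chunk structure"
        for tag, start, dstart, dlen, _ in chunks:
            if start <= off < dstart:
                where = tag + " header"
            elif dstart <= off < dstart + dlen:
                where = tag + " data"
            elif dstart + dlen <= off < dstart + dlen + 4:
                where = tag + " crc"
            else:
                continue
            break
        result.append((off, name, where))
    return result

def pixel_sha256(data):
    """Hash what a viewer renders: inflated IDAT with each row's filter byte dropped.
    Only filter type 0 is handled (all build_png emits); a real decoder must unfilter."""
    width, height = struct.unpack(">II", data[16:24])  # first two IHDR fields
    idat = b"".join(data[ds:ds + dl] for tag, _, ds, dl, _ in walk_chunks(data) if tag == "IDAT")
    raw = zlib.decompress(idat)
    stride = 1 + 3 * width
    pixels = b"".join(raw[r * stride + 1:(r + 1) * stride] for r in range(height))
    return hashlib.sha256(pixels).hexdigest()

def same_pixels_different_bytes(a, b):
    """True when two PNGs decode to identical pixels but hash differently as files."""
    return hashlib.sha256(a).digest() != hashlib.sha256(b).digest() and pixel_sha256(a) == pixel_sha256(b)

# Constructed 2x2 RGB sample whose first pixel is (0xFF, 0xFB, 0x00). At level 0 zlib stores
# the scanlines verbatim, so the bytes 0xFF 0xFB sit inside IDAT and look like an MP3 frame.
ROWS = [bytes([0xFF, 0xFB, 0x00, 0x10, 0x20, 0x30]), bytes(6)]
SAMPLE_PNG = build_png(2, 2, ROWS, level=0)
# The same pixels written with maximum compression and a tEXt chunk: a different file.
SAMPLE_PNG_REENCODED = build_png(2, 2, ROWS, level=9, text=b"Comment\x00re-encoded copy")

if __name__ == "__main__":
    for off, name, where in classify_hits(SAMPLE_PNG):
        print(f"offset {off:4d} (0x{off:04x}): {name:28s} -> {where}")
    print("same pixels, different bytes:", same_pixels_different_bytes(SAMPLE_PNG, SAMPLE_PNG_REENCODED))
```

Run against a real file, `classify_hits` tells you whether a carving hit lands in IDAT (compressed pixel data, expected), in an ancillary chunk such as tEXt or zTXt (metadata worth reading), or after IEND (trailing data, which is where an appended archive would actually sit). Comparing `pixel_sha256` across the flag files separates "re-encoded by a different tool" from "different image".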

Anonymous ID: 2a5bd7 2020-05-08 01:17:59Z No. 9072789

>>9072714

Ghidra, as other anons here have suggested, may be intended for us to use to "out" spyware embedded in, say, Coronavirus-tracking "public health" apps for smart phones, and other "gifts" from Bill Gates, WHO, and others.

I doubt Q intended us to use it for steganalysis – but I am also sure that we are supposed to do steganalysis, … which is why I posted all those links to misc. steganalytic tools, … not a single one of which I know how to use … yet.

So, if steganalysis of images in Q Drops interests you – check out some of the other posts here (above) for possible tools, and dig in.

Anonymous ID: e58177 2020-05-08 01:30:41Z No. 9072945

>>9062790

For the 8051 CPU, the PC memory register has RAM pointers: R0, R1, etc. What you’re seeing is simply the memory map for these register arrays (banks).

In the Ghidra code you can see these register arrays mapped to specific addresses (BANK_R0 maps to INTMEM:00). So INTMEM:00 thru INTMEM:07 are assigned to register bank 1.

The result you got by Googling "INTMEM:00-INTMEM:07" was not because of any secret code you found in the image.

Test this:

Download any random jpg from the Internet and open it in Ghidra using the language 8051 Archimedes 16 bit Big and you will see the same thing.

Anonymous ID: 44ddbe 2020-05-08 01:37:35Z No. 9073052

>>9043433

>>9042267

>>9042464

Guys, not a coder or anything else but want to let you know something that might/might not be useful.

My phone has been getting hacked a lot when I'm on twatter posting for the team, and occasionally when I'm on /qr/.

By hacked, I mean I try to type text in a reply and something takes over and starts typing seemingly random shit. I can't stop it from happening, but it quits after a few minutes and doesn't come back.

What is typed looks A LOT like brainfuck string, except if you're looking for particular letters think upper and lower case letters Q and A and the number 1.

The string looks like that except with those differences. Never any other numbers or letters. Just those.

Dunno if it means anything or is helpful, I hope that it is. Just saw the discussion and that immediately registered. Thanks for all your hard work!

Anonymous ID: e58177 2020-05-08 02:04:34Z No. 9073375

>>9072714

The way you’d go about incorporating Ghidra into Steganalysis is by first using the various tools to inspect the image for hidden files. Binwalk is good for this.

If you find a hidden file you have to extract it using binwalk. Then you open that file in Ghidra to see what it does. You’ll have to figure out which CPU language it needs but you can try various platforms, or hopefully we’ll be given some direction.

Reverse engineering is not for the faint of heart.

Thus far I have not found any hidden files or text in the more recent images as of yet.

Anonymous ID: 3443a3 2020-05-08 02:30:10Z No. 9073717

>>9060192

What a post, anon. Many thanks.

Anonymous ID: 3fe71e 2020-05-08 02:38:31Z No. 9073851

>>9042985

>>9042267

Your brainfuck string is the quantization tables for the image. It is related to the compression of the jpeg image.

That said, it is possible to use the quantization table to hide data, the space available severely limits the quantity of data that can be embedded.
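To make the point above concrete, here is an added example (not code from the thread) that walks the marker segments of a JPEG header, pulls the DQT quantization tables out, and measures how much of a table is printable ASCII, which is why a table shows up as punctuation gibberish in a text view or in `strings` output. The sample file is constructed: SOI, a JFIF APP0, one DQT carrying the Annex K.1 luminance table (written in raster order for readability; a real encoder stores the 64 entries in zig-zag order, which parses identically), a COM segment, and EOI, with no image scan. The 16-bit table branch of `parse_dqt` is included because high-quality encoders use it.

```python
import struct

SOI, EOI, DQT, COM, SOS, APP0 = 0xD8, 0xD9, 0xDB, 0xFE, 0xDA, 0xE0

# Constructed from the JPEG Annex K.1 luminance table, in raster order (see lead-in).
STD_LUMA_QT = [
    16, 11, 10, 16, 24, 40, 51, 61,
    12, 12, 14, 19, 26, 58, 60, 55,
    14, 13, 16, 24, 40, 57, 69, 56,
    14, 17, 22, 29, 51, 87, 80, 62,
    18, 22, 37, 56, 68, 109, 103, 77,
    24, 35, 55, 64, 81, 104, 113, 92,
    49, 64, 78, 87, 103, 121, 120, 101,
    72, 92, 95, 98, 112, 100, 103, 99,
]

def build_jpeg_headers(tables, comment):
    """Constructed header-only JPEG (SOI, APP0, DQT, COM, EOI) with no entropy-coded scan."""
    def seg(marker, payload):
        return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    dqt = b"".join(bytes([tid]) + bytes(vals) for tid, vals in tables.items())  # Pq=0: 8-bit
    return (b"\xff" + bytes([SOI]) + seg(APP0, app0) + seg(DQT, dqt)
            + seg(COM, comment) + b"\xff" + bytes([EOI]))

def jpeg_segments(data):
    """Walk marker segments from SOI; returns [(marker, offset, payload)], stopping at SOS or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    segs, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:
            segs.append((marker, pos, b""))
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segs.append((marker, pos, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
        if marker == SOS:  # entropy-coded scan follows; header parsing ends here
            break
    return segs

def parse_dqt(payload):
    """Split one DQT payload into {table_id: [64 values]}; high nibble Pq=1 means 16-bit entries."""
    tables, pos = {}, 0
    while pos < len(payload):
        precision, table_id = payload[pos] >> 4, payload[pos] & 0x0F
        pos += 1
        if precision == 0:
            tables[table_id] = list(payload[pos:pos + 64])
            pos += 64
        else:
            tables[table_id] = list(struct.unpack(">64H", payload[pos:pos + 128]))
            pos += 128
    return tables

def quantization_tables(data):
    """All quantization tables in the file, merged across DQT segments."""
    tables = {}
    for marker, _, payload in jpeg_segments(data):
        if marker == DQT:
            tables.update(parse_dqt(payload))
    return tables

def comments(data):
    """COM segment payloads: free-form header text an encoder (or a person) can leave behind."""
    return [payload for marker, _, payload in jpeg_segments(data) if marker == COM]

def longest_printable_run(buf):
    """Length of the longest run of printable ASCII, i.e. what `strings -N` would report."""
    best = cur = 0
    for b in buf:
        cur = cur + 1 if 0x20 <= b <= 0x7E else 0
        best = max(best, cur)
    return best

SAMPLE_JPEG = build_jpeg_headers({0: STD_LUMA_QT}, b"constructed sample")

if __name__ == "__main__":
    for tid, vals in quantization_tables(SAMPLE_JPEG).items():
        print(f"DQT table {tid}: {vals}")
        print("as text:", repr(bytes(vals).decode("latin-1")))
        print("longest printable run:", longest_printable_run(bytes(vals)))
    print("COM segments:", comments(SAMPLE_JPEG))
```

Forty-three of the sixty-four standard luminance entries fall in the printable range and the last twenty-three are consecutive, so `strings -10` on almost any JPEG prints the tail of the table as a line of punctuation and letters. Comparing the extracted tables against the standard ones (scaled for a quality factor) is also the quickest way to tell which encoder produced a file, which matters when two "identical" images turn out to have different bytes.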

Anonymous ID: 3c15f1 2020-05-08 02:43:12Z No. 9073921

The issue with stego in Q drops is that all the images are too small to really store much data. It also doesn't fit with what's been going on here to expect to find some secret leak or something linking us to some off site file drop. I feel like if we are to find anything hidden in the images it will be a simple message like "Bring on the PAIN" or "WWG1WGA", where the message itself isn't so much the drop, but the method we used to find it is. It'll probably be something trolly that not only shows us how they communicated in plain sight, but also taunts them that Q team knows everything that they've said.

Anonymous ID: f25184 2020-05-08 02:57:06Z No. 9074092

Anyone pulling apart the games? I'm just starting working on Star Wars Commander, Windows platform.

I am looking for unusual functions that might be described as 'easter eggs' which might open backchannel comms. 'Cheat' interfaces.

If anyone else is honchoing this particular operation, point me at 'em.

Otherwise I would suggest, let's pull apart each platform of this app because it was called out specifically by Q, and we can move onto others

Anonymous ID: 0b7156 2020-05-08 03:16:53Z No. 9074438

Be sure to drink your Ovaltine

Anonymous ID: 62f144 2020-05-08 03:31:57Z No. 9074616

I'm doing the same thing with one of the PDFs that Schiff just dropped to see if I can come up with anything.

So far no dice, but I'm also fairly new at reverse-engineering and Ghidra, so it's possible I'm missing things.

Having said that, I am glad OP put this board up for Ghidra hunting, and I think we may be focusing too much on his images and trying to decode the hidden meaning in them. There may very well be more there 'than we know,' but we shouldn't forget to tear new things apart too.

Anyway, glad to be here. Thanks for the board OP.

Anonymous ID: 62f144 2020-05-08 03:36:09Z No. 9074669

>>9074438

Is Star Wars Commander even available for download anymore?

Anonymous ID: 62f144 2020-05-08 03:48:52Z No. 9074898

>>9074092

Well I made myself look like an ass. I replied to the wrong guy with a question I easily answered by a quick search.

So from what I can tell I don't think you can download Star Wars: Commander from official sources anymore. However, I was able to find the Android apk file for download from:

https://star-wars-commander.en.uptodown.com/android

Anonymous ID: 43cf29 2020-05-08 03:48:56Z No. 9074901

Not sure if this helps:

https://superuser.com/questions/275502/how-to-get-information-about-an-image-picture-from-the-linux-command-line

Anonymous ID: 43cf29 2020-05-08 03:49:23Z No. 9074910

Not sure if this helps.

https://superuser.com/questions/275502/how-to-get-information-about-an-image-picture-from-the-linux-command-line

Anonymous ID: 96d63c 2020-05-08 04:49:08Z No. 9075755

NaturalMotionGames Ltd

Pulled from all the stores early.

Could only find the APK if anyone is interested. Ghidra batch import worked. There are 15 embedded files.

https://apkpure.com/star-wars%E2%84%A2-commander/com.lucasarts.starts_goo

Anonymous ID: 62f144 2020-05-08 09:54:23Z No. 9077094

Just occurred to me:

https://qmap.pub/read/4000

In this drop, Q asks us "Rebellion or Empire?"

Now, I've never played Star Wars: Commander before, but I could probably see this being a question on account creation. If we crack this apk open with Ghidra and take a look at where that screen/text is, maybe there's something there?

I'm starting to look through it now, but I likely won't be able to really dig into it until later today. I just wanted to share this idea in the meantime if someone else thinks it may be a good place to start.

Anonymous ID: 96d63c 2020-05-08 13:55:53Z No. 9078415

>>9077094

Neither have I played this game but I agree it is worth diving into. Given that Q mentioned Ghidra and then re-posted an Anon saying it is something to mess around with sounds like a direction.

From what I read in previous posts, others mentioned some things I was thinking too… that it is interesting he posted the flag in particular 6 times and that maybe even the file name has some relevance.

Anonymous ID: 62f144 2020-05-08 16:26:57Z No. 9079983

For you anons, another resource as I learn to go through this, myself:

https://maddiestone.github.io/AndroidAppRE/reversing_native_libs.html

It requires you to have an understanding of software/programming, but if you are like me (novice programmer) you should be able to understand it enough to jump on in.

One thing I found a lot easier to handle was unextracting all the files from the .apk first (linked above in other posts). You can do that with WinZip, and just place it in some random folder. I went too far down one rabbit hole and had the game running in an emulator, but I stopped after I got to the screen in the included image. I wanted to, at least, get to the screen we had mentioned that would have the option of joining the empire or the rebellion, and there it is.

So now I'm digging through the code a bit, trying to find out how the game runs (I've never programmed apps before so it's new to me), but I think it runs out of the lib/(processor)/libmain.so file. I'm looking into the libunity.so file right now since it's called out in the (I)Ljava/lang/String; line, but I'm not sure if I'm going down a rabbit hole again that I don't need to.

Anyway, I'm learning a lot. I hope some of you other anons that are more experienced in this than I are on a better path.

Anonymous ID: 2a5bd7 2020-05-08 18:28:21Z No. 9081503

>>9073921

No they aren't:

(1) See >>9072636

(2) The data could be something as simple as a single, short sentence that tells us where to dig for something bigger – think bootstrapping.

Anonymous ID: 564a3c 2020-05-08 23:33:00Z No. 9085813

>>9072636

I was thinking same about repetition of the flag, potentially having clues seems plausible. Q could have just said "great news everyone Flynn is free".

At first look, the file names displayed not necessarily matching actual is curious.

Why did Q bother changing the displayed file names to patriot phrases instead of just writing it normally in the body of the message?

Q2790 patriot phrase displayed, actual file name…

a7ffb193423f0a5573ceeefe7c2a7863d1fc6d1559e28d93af78f63e36cdceed.png

Q3080 patriot phrase displayed, actual file name…

f768deaef22da979abcfb73c9175b54d71fcf891666c5449c1969c07c3cc8920.png

Q3823 patriot phrase displayed, actual file name…

f768deaef22da979abcfb73c9175b54d71fcf891666c5449c1969c07c3cc8920.png

Q3908 a file name is displayed…

f768deaef22da979abcfb73c9175b54d71fcf891666c5449c1969c07c3cc8920.png

…but the actual file name is…

274534d7d1780203956040e16a2fd8712e21596c92d7ac2ecd959d0166f8a501.png

Why display the last flag's file name? Seems deliberate, but what kind of delta if any might be here?

Q3983 is just AMERICA

f768deaef22da979abcfb73c9175b54d71fcf891666c5449c1969c07c3cc8920.png

Q4140 is the only flag with an exact match between displayed and actual…

f768deaef22da979abcfb73c9175b54d71fcf891666c5449c1969c07c3cc8920.png

Anonymous ID: 117af0 2020-05-09 00:51:28Z No. 9086726

>>9077094

I was thinking the same thing. Soros bought Blizzard. I think it would be worth digging into their games.

Also, it's long been said that China has built back doors into everything. You can reverse engineer software to find the vulnerabilities and back doors.

The other thing I was thinking is it might be worth to check out WeChat and Whatsapp. Zuckerberg made a major pivot in 2018 towards encrypted comms. His number one guy quit warning, specifically, it will allow child trafficking and terrorism to be impossible to track…. very cryptic.

Anonymous ID: 62f144 2020-05-09 15:01:52Z No. 9093749

I posted it already, but if you are looking to get into reverse-engineering apps (like Android apps, such as Star Wars: Commander) I've put together a small list of resources. I'll also give my notes at the end since Q has told us to work together, essentially, in that one picture of people climbing a hill.

Resources

Virtual Environment

https://www.virtualbox.org/

Operating System Suggestion (Ubuntu is user-friendly)

https://ubuntu.com/

Star Wars: Commander App:

https://apkpure.com/star-wars%E2%84%A2-commander/com.lucasarts.starts_goo

-or-

https://star-wars-commander.en.uptodown.com/android

Ghidra

https://ghidra-sre.org/

Jadx (helpful for this project and other android apps)

https://github.com/skylot/jadx

Tutorial for Basic App Reverse Programming (get the .ova in this tutorial and load it into VirtualBox, it's essentially loaded with what the tutorial goes through)

https://maddiestone.github.io/AndroidAppRE/index.html

As a rule of thumb it's much safer to run everything through the VirtualBox, but if you want to, all the above will also work/have options to work on an average Windows machine. I wouldn't suggest it, but I can't say that I'm above just running it all on my computer anyway. I'll accept the risk.

Exploratory Notes

As a disclaimer, I'm very new to software engineering and I've never reverse-engineered anything before in my life. Having said that, I encourage anyone with an interest in this to try their hand. The more people we have on this the better.

So right off the bat, looking at the AndroidManifest.xml, it looks like this application runs like a normal app does with nothing nefarious that stands out. I'm not seeing anything out of the ordinary in the Manifest but I still have a loooooooooooooot of code to go through. I did notice that a few things can be activated by other apps/programs though:

FBUnityDeepLinkingActivity (fuck you FaceBook)

SwrvePushEngageReceiver

SwrveEngageEventSender

FirebaseMessagingService

FirebaseInstanceIdService

Only thought on this is that the Firebase messaging service seems to be able to activate even when the app is closed, but I don't think that in and of itself is abnormal or malicious, as apps should be able to do this (right?). Someone with more app development experience can tell me otherwise, but I'm going to move on.

The game runs on the Unity3d.player…

Lots of source code in Java to look through…

Boy, Facebook really likes our activity…

Nothing stands out. I'm going to take a look at the Native Libraries now and see if I can pry those apart. The 'native libraries' are the '.so' files, such as…

libbugsnag-ndk.so

libbugsnag-unity.so (another bugsnag file, ho-hum)

libil2cpp.so (my God it's huge [~30MB]. That's going to take forever!)

libmain.so

libunity.so (I haven't looked just yet, but I think this is the Unity engine that the game runs in. Also my God it's 19MB and is going to take forever)

Kind of getting hung up. I decompiled the libil2cpp.so with Ghidra and there's an awful lot to go through here, and it takes some in-depth analysis to do so. I'm thinking I need to hit the books a bit more before I start jumping into this because passively reading and hoping that something jumps out at me will be futile.

Any suggestions would be welcome.
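The manifest review in the notes above (which components "can be activated by other apps/programs") is the part of APK triage that can be automated before anyone opens a native library in Ghidra. The script below is an added example, not code from the thread or from jadx, that reads a decoded AndroidManifest.xml as jadx or apktool produces it and lists every component reachable from other apps, using the pre-Android 12 rule that `android:exported="true"`, or an `<intent-filter>` without an explicit `exported="false"`, makes a component exported; it then separates the ones that have no `android:permission` guarding them. The sample manifest is constructed for the demo: its package and component names are invented and describe no real app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

def android_attr(element, name):
    """Read an android:-namespaced attribute, or None when it is absent."""
    return element.get("{%s}%s" % (ANDROID_NS, name))

def exported_components(manifest_xml):
    """Components other apps can start, with the reason and whether a permission guards them.

    Rule (pre-Android 12 defaults): exported when android:exported="true", or when the
    component declares an <intent-filter> and does not set android:exported="false".
    """
    root = ET.fromstring(manifest_xml)
    application = root.find("application")
    findings = []
    for element in application:
        if element.tag not in COMPONENT_TAGS:
            continue
        explicit = android_attr(element, "exported")
        has_filter = element.find("intent-filter") is not None
        if explicit == "true":
            reason = 'android:exported="true"'
        elif explicit is None and has_filter:
            reason = "implicit: intent-filter present, exported not set"
        else:
            continue
        findings.append({
            "type": element.tag,
            "name": android_attr(element, "name"),
            "reason": reason,
            "permission": android_attr(element, "permission"),
            "actions": [android_attr(a, "name") for a in element.iter("action")],
        })
    return findings

def unguarded(findings):
    """Names of exported components with no android:permission: read these first in jadx/Ghidra."""
    return [f["name"] for f in findings if f["permission"] is None]

# Constructed sample of a decoded manifest; names and attributes are invented for the demo.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <application android:name=".GameApplication">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="examplegame"/>
      </intent-filter>
    </activity>
    <receiver android:name=".PushEngageReceiver" android:exported="true"/>
    <receiver android:name=".AdminReceiver" android:exported="true"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".MessagingService" android:exported="false">
      <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
      </intent-filter>
    </service>
    <service android:name=".InternalSyncService"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    found = exported_components(SAMPLE_MANIFEST)
    for f in found:
        print(f"{f['type']:9s} {f['name']:20s} {f['reason']:48s} "
              f"permission={f['permission']} actions={f['actions']}")
    print("exported without a permission:", unguarded(found))
```

On the sample, the launcher activity is exported implicitly (every app has one), the deep-link activity and the push receiver are exported explicitly with no permission, the admin receiver is exported but guarded, and the two remaining services are not reachable at all. A push-messaging service with `exported="false"` and a Firebase intent-filter is the normal pattern; an unguarded exported receiver is the kind of entry point whose handler code is worth reading before the 30 MB native library.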

Anonymous ID: 62f144 2020-05-09 15:54:25Z No. 9094189

Wait I just realized something.

Reading through some of the java code for the messaging service under:

Source Code>com>google>firebase>lib

I've realized that a lot of the messages sent back and forth aren't just stored at Google's cloud, but they SEEM to be also sent to FaceBook for tracking purposes.

This means that there are two separate locations that have stored that shady conversation we saw. And it's not just message content, but user data as well (meaning it could be directly attributed to the sender).

I mean this isn't ground-shattering or anything, but it gives me some insight as to how Q and/or NSA could be catching these dudes.

Anonymous ID: 798730 2020-05-09 15:56:17Z No. 9094201

>>9041137

"luke lurks" too. ;)

There are a few images that have "non-displayable characters" in them.

Pull the keyword field from the metadata & see what its encoding is??

You know I'm all about "it's in little pieces, like a puzzle, that we have to reassemble" (combine all the little "crumbs" of data into 1 file and that'll give us XYZ proof)

MANY Q pics (PNGs) will reveal a similar NDC string with stegano-red.

zsteg has spit out some interesting stuff, but I'm wary of short string false positives like we talked about.

We've talked about IMAGE NAMES being important because Q (or the poster) can CHOOSE what they name the image before they upload it. This and the TIMESTAMP (to me) are the most important pieces of the posts (that don't have to do with the content of them–which truly could even just be "cover text" to conceal 'steganographic messages' utilizing timestamps and/or image names).

more to come!

Anonymous ID: 798730 2020-05-09 15:57:34Z No. 9094214

>>9094189

This may be why "even if you DELETE Facebook, it STILL tracks you!!"

(because you still have things on your phone, especially if it's Android, that utilize those Google libs)

Anonymous ID: 798730 2020-05-09 16:01:47Z No. 9094240

>>9085813

yes @ flags w/ diff names & sizes!

some are ~23 kb lol

Some are PNG, some are JPG.

I remember someone even mentioning that one of the flags had the WRONG number of STARS? (don't recall which or if this was verified though)

Another little "coincidence" is that the PAIN/Punisher pics always seem to come FIRST, and then shortly after, there'll be a FLAG pic.

PAIN = Operation?

FLAG = SUCCESS?

Anonymous ID: 896c3c 2020-05-09 18:12:20Z No. 9095843

>>9052108

ty

Anonymous ID: 798730 2020-05-09 22:03:44Z No. 9099831

>>9085813

f768deaef22da979abcfb73c9175b54d71fcf891666c5449c1969c07c3cc8920.png

This is the SHA256 of the PNG above.

274534d7d1780203956040e16a2fd8712e21596c92d7ac2ecd959d0166f8a501.png

Grab all the flags, check MD5, SHA256, etc. and you can see what IS and IS NOT actually the same files.

Anonymous ID: 6d5e4b 2020-05-10 00:54:01Z No. 9102319

Hi anons. Wondering if I could get a little help. Not a stenofag or a codefag. Totally useless. I used to pirate a lot of music and the folders always came with cover scans.

They've always been normal except the scans for this album. Instead of jpegs they're TIF files and they're fucking huge 68mb is the size of one. Ever since I downloaded it I wondered about the covers. Always suspected something hidden. Anyone wanna take a look?

https://anonfile.com/x2v5H1xeob/Covers_7z

Anonymous ID: 82ce9d 2020-05-10 02:32:21Z No. 9103699

>>9041086

By its very nature its a tracking tool. Of course its going to have bullshit it that app. Think about the database correlation on the backend. They have had this technology for years. Its a COVID tracking app. A shiny new nickel to ride the same shit slide.

Think about it! Cause and effect.

They have always been tracking us with phones and apps. Now they are putting a different label on it

"Install this app to save lives" "For your family." "For humanity" "Be a hero install this app"….what a crock of shit. They are attempting to have you download bullshit and the sheep are willingly installing it on their phones. WILLINGLY By its very nature its comped. They call it a psyop for a reason BRO!

Strange Anonymous ID: c3ada3 2020-05-10 03:52:34Z No. 9104738

Weird how the back end system to Ghidra is visible when you scan for it. I would expect errors and to be blocked

Anonymous ID: 97afe1 2020-05-10 23:23:09Z No. 9114309

bamp

Anonymous ID: ec4333 2020-05-11 00:51:23Z No. 9115305

ran this jpg through ghidra. got a SHA256 string

1bd7bc7c32abacc27045fbe189296c856bffda4999043db01d20e888f07368b6

ran through youtube search.

result-

https://www.youtube.com/watch?v=Hk1KNhCCAHM

At best 460 of (You)s found this already.

Seems this file has more data embedded, throughout. It's doing weird shit on my first level look. Happy hunting, faggots.

Enjoy the show!

Anonymous ID: e58177 2020-05-11 03:27:57Z No. 9117546

>>9115305

What language/cpu did you use? What was the SHA256 string?

Anonymous ID: ec4333 2020-05-11 03:36:08Z No. 9117642

>>9117546

>What language/cpu did you use? What was the SHA256 string?

SHA2 string just under the jpg. on the post. i gotta believe the language/cpu set is machine dependent. that said, my project ran on powerpc.

Anonymous ID: a85e22 2020-05-11 04:47:07Z No. 9118540

>>9115305

the name of the jpg in the drop is the SHA256 of the image.

you got the yt result bc the vid description lists the file name.
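
Added example, not from any poster in this thread: a short Python script that does the two checks these posts describe. It confirms that a filename stem is the SHA256 hex digest of the file's own bytes (the naming scheme noted above), and it groups files by digest so byte-identical files show up together regardless of what they were renamed to. The file contents below are constructed placeholders; only the naming convention comes from the thread.

```python
import hashlib
from collections import defaultdict

# Constructed stand-ins for the flag images; the bytes are made up.
SAMPLE_A = b"\x89PNG\r\n\x1a\n" + b"constructed-flag-image-A" * 8
SAMPLE_B = b"\x89PNG\r\n\x1a\n" + b"constructed-flag-image-B" * 8


def digests(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 hex digests of a file's bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def name_matches_sha256(name: str, data: bytes) -> bool:
    """True when the filename stem is exactly the SHA256 hex digest of the contents."""
    stem = name.rsplit(".", 1)[0].lower()
    return len(stem) == 64 and stem == hashlib.sha256(data).hexdigest()


def check_names(files: dict) -> dict:
    """Map each filename to whether its name is the SHA256 of its own bytes."""
    return {name: name_matches_sha256(name, data) for name, data in files.items()}


def group_identical(files: dict) -> dict:
    """Group filenames by SHA256 digest: same digest means byte-for-byte the same file."""
    groups = defaultdict(list)
    for name, data in files.items():
        groups[hashlib.sha256(data).hexdigest()].append(name)
    return {digest: sorted(names) for digest, names in groups.items()}


# Constructed "directory": two correctly named files, one repost under a new
# name, and one hash-looking name that does not match its contents.
CONSTRUCTED_FILES = {
    hashlib.sha256(SAMPLE_A).hexdigest() + ".png": SAMPLE_A,
    hashlib.sha256(SAMPLE_B).hexdigest() + ".png": SAMPLE_B,
    "flag_repost.png": SAMPLE_A,
    "0" * 64 + ".png": SAMPLE_B,
}

if __name__ == "__main__":
    for name, ok in check_names(CONSTRUCTED_FILES).items():
        print("OK " if ok else "BAD", name)
    for digest, names in group_identical(CONSTRUCTED_FILES).items():
        print(digest[:16] + "...", names)
```

Run it against a real folder by replacing CONSTRUCTED_FILES with a dict built from open(path, "rb").read() for each image; a BAD result means the name is not the hash of what was actually uploaded, and a group with more than one name is the same file posted more than once.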

Anonymous ID: a55360 2020-05-11 10:08:03Z No. 9120686

Checking in. Kind of set the Star Wars: Commander dig on the backburner since I'm not convinced that's the right rabbit hole to be jumping down. I heard someone mention that the redactions can be pulled off the Transcripts in Ghidra, but I'm not sure. The PDF's don't have any executable code in them, so Ghidra would really only show bytes in the documents.

Having said that, I loaded up two PDF's anyway just to take a cursory glance. I used Andrew Brown's transcript as an experiment, looking first at Schiff's release and then the DNI release.

Schiff's release looks about what I would expect a PDF to look like in Ghidra. Pretty mundane. I looked through the ASCII translation of the bytes and saw some XML formatting code, and I was able to differentiate when paragraphs start, but all-in-all there's nothing to see there.

The DNI's release is a bit more interesting though. I haven't found anything just yet, but it looks different from Schiff's. The ASCII readout is about the same with some differences (at first glance), but what stood out to me was that the code analyzer actually returned stuff. I'm not sure what it all means, but (as we knew) there's an obvious difference between the files that Schiff releases and the ones that the DNI released.

Observations:

The DNI's version seems to be images as opposed to Schiff's, which could be close to the original PDF documents but with redactions. The DNI, it seems, did the smart thing by scanning these documents back in after redactions, removing the ability for the documents to be torn apart. I think it would be worth opening Schiff's documents up in Adobe Pro and seeing if you can't just simply erase the bars.

I will have to give this a shot. As always, I'm open to anyone else's opinions or direction on this. I'm very new to this but I'm dedicated. Also, if these redactions CAN be stripped, it'd be smart to download all of them before they get taken down.

Anonymous ID: 76180a 2020-05-11 13:26:43Z No. 9121894

CALLING ALL TECHYS!!!!! I JUST HEARD THAT GHIDRA ALLOWS YOU TO "MOVE THE REDACTIONS" THIS IS HUUUUGGGEEE

https://twitter.com/DrLahiri2/status/1259825328505012224

Anonymous ID: 2c6622 2020-05-11 13:47:32Z No. 9122082

>>9121894

Big maybe. I've had a few of the documents open and I haven't seen anything specifically that would effectively allow me to remove the redactions. Now, I'm not the smartest, maybe someone else here can do just that.

I've taken a look at Schiff's released files versus the DNI released files. I was right, the DNI essentially printed the pages and scanned them back in, so the redactions on those are permanent. Not much we can do about that.

Now Schiff, though… we may be able to recover the redactions there, because when you tear them apart with Adobe Pro you can move the black 'redacted' parts around. There's no text behind them in the field (or rather above them, the black boxes are on a layer behind the text boxes), but maybe I'll take another look at these in Ghidra…

If this is a possibility, I'd vote on digging into Schiff's released files.

Anonymous ID: f8082f 2020-05-11 14:19:40Z No. 9122398

>>9121894

any results?

just saw

>>9122180 (ob)

>>9121987 (ob)

https://blackarch.org/tools.html

for searching pdf files for hidden bits this might be the tools you need

my 2¢

Anonymous ID: 699848 2020-05-11 14:42:01Z No. 9122598

>>9099831

Good pointers., using SHA256 of the image. So probably nothing in that context. But perhaps there are clues in the images. I wonder if others think the repetition of images would indicate a pattern worth identifying, or, maybe Q is merely using them to reinforce events, e.g. use a flag when it is a patriotic win, use Obama's 'renegade' when they have evidence against him, etc.

Anonymous ID: 1ff91f 2020-05-11 14:59:43Z No. 9122779

>>9121894

This is what I found, isn't related to ghidra but it could help.

https://eclecticlight.co/2019/03/11/pdf-without-adobe-17-unredacting-manaforts-documents-and-recovering-pdf-versions/

Anonymous ID: a55360 2020-05-11 17:36:56Z No. 9125009

Idea

Okay so PDF's are essentially heaps of code that Adobe Viewer/Acrobat translate into readable text. There are some nuances to it, but you can read a few articles here to get a good idea of how a PDF is built:

https://blog.idrsolutions.com/2013/01/understanding-the-pdf-file-format-overview/#helloworld

Here's where I'm at. PDF files will declare objects that will be present when opened in Adobe. Those objects can be a number of things (text, images, signatures, etc), but the problem is that the actual contents of those objects are encoded. Luckily for us, we know what it uses to encode:

FlateDecode

So I'm still learning a bit more about that, but conceptually one would be able to grab the bytes from the objects in Ghidra and run them through a Decoder (using the… FlateDecoder algorithm?). What this would do is essentially display the encoded object as plaintext. In the event that the object is a picture it'd look like jumbled plaintext, but if it were a text box it may have some code describing the box, and then possibly the string inside.

I haven't tried it yet. I'm having to learn about decoding first. I'm trying to figure out if there's a way for me to decode straight from binary or hex through the algorithm into plaintext, or if I'm just barking up the wrong tree again.
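
Added example, not from the poster or from the linked article: a Python script that builds a tiny one-page PDF whose content stream is stored with /Filter /FlateDecode (FlateDecode is plain zlib), then locates every "obj ... stream ... endstream" block, reads the /Length from the stream dictionary, and inflates the bytes with zlib. That is the step being described above, done on bytes rather than by hand in Ghidra: the decoded text-box stream comes back as the PDF page-description operators with the literal string visible inside. The sample PDF and its text are constructed; the regex scan is an illustration, a real parser walks the xref table.

```python
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
STREAM_START_RE = re.compile(rb"\bstream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(\s+\d+\s+R)?")   # group 2 set = indirect reference


def build_sample_pdf(text: str, compress: bool = True) -> bytes:
    """Construct a minimal one-page PDF; the content stream is zlib-compressed when compress=True."""
    content = f"BT /F1 24 Tf 72 700 Td ({text}) Tj ET".encode()
    data = zlib.compress(content) if compress else content
    stream_dict = b"<< /Length %d%s >>" % (len(data), b" /Filter /FlateDecode" if compress else b"")
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >>",
        stream_dict + b"\nstream\n" + data + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objects) + 1, xref_at)
    return bytes(out)


def extract_streams(pdf: bytes) -> list:
    """Return [(object number, filter name or None, decoded bytes or None)] for each stream object."""
    found = []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        s = STREAM_START_RE.search(body)
        if not s:
            continue                                   # dictionary-only object, nothing to inflate
        dictionary, rest = body[:s.start()], body[s.end():]
        lm = LENGTH_RE.search(dictionary)
        if lm and not lm.group(2):                     # direct /Length: slice exactly that many bytes
            raw = rest[:int(lm.group(1))]
        else:                                          # indirect /Length: fall back to the endstream keyword
            raw = rest[:rest.rfind(b"endstream")].rstrip(b"\r\n")
        if b"/FlateDecode" in dictionary:
            try:
                decoded = zlib.decompress(raw)         # FlateDecode is zlib/deflate
            except zlib.error:
                decoded = None                         # corrupt, or a filter chain this example ignores
            found.append((num, "FlateDecode", decoded))
        else:
            found.append((num, None, raw))             # unfiltered stream: bytes are already readable
    return found


if __name__ == "__main__":
    for num, flt, data in extract_streams(build_sample_pdf("Hello")):
        print(num, flt, data)
```

On a real file, an image object decodes to raw pixel samples (the "jumbled plaintext" guessed at above), while a text object decodes to operators like Tf, Td and Tj with the string literal in parentheses; a redaction drawn as a black rectangle on top of text does not remove that literal from the stream, which is the difference between the two releases discussed in this thread.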

Anonymous ID: 78c6ef 2020-05-11 17:51:56Z No. 9125184

Has anyone figured out the Legend to the entire Q Crumb Map?

Can Ghidra analyze something like qmap.pub?

provide an overview (40,000ft)?

Anonymous ID: 94e2ff 2020-05-12 13:33:44Z No. 9138660

>>9072945

Thanks for the explanation >>9072945

Anonymous ID: b58790 2020-05-12 13:37:51Z No. 9138696

>>9122779

HAS ANY ANON RUN THE GHIDRA PROGRAM ON Q'S RED

PUNISHER IMAGE YET? I was up with my dog who was having seizures. Besides, I still have a flip phone.

Anonymous ID: aea24e 2020-05-12 20:35:17Z No. 9144066

>>9138696

Novice anon here…I’m finding symbols in Q’s images. I have been doing symbol counts…& looking back at corresponding drop #s. That one is 428. Idk if I’m on the right path? Haven’t seen anons saying this…thoughts?

Anonymous ID: aea24e 2020-05-12 20:38:11Z No. 9144105

>>9144066

Also, drop pic boom time baker is 64-which really reference the pic. That’s what made me think I might be onto something.

Anonymous ID: bb9940 2020-05-12 22:00:55Z No. 9145517

All of these people pushing ghidra as a steg tool seem to forget that Q already provided us with a steg tool long ago.

Anonymous ID: 87d248 2020-05-12 22:38:02Z No. 9145994

What you all are doing here is interesting. I Only understand a little tiny bit of any of this but still like seeing what you find. The only thing I have to offer is some old knowledge that may or may not be useful. Many govt systems, especially legacy ones use the language COBOL. Sometimes PASCAL and FORTRAN were also used. I know those aren’t as common anymore but don’t forget about them.

Anonymous ID: fe58d6 2020-05-13 00:58:41Z No. 9148162

>>9145994

Yeah I think the pascal is usually used as an embed in ada though.

Anonymous ID: a53a08 2020-05-13 01:06:15Z No. 9148279

So I have yet to install ghidra, but I took a look at some of the photos on Obama's tweets and ran some segments through an online brainfuck editor here's what I found. Is it normal for jpgs to have this?

>options passed to editor

Cell size (Bits): 8 16 32

Dynamic (infinite) Memory:

Memory size:

30000

Memory overflow behaviour:

undefined (fast) wrap abort

End of input: no change char:

\n

Dump Memory at char:

#

Count instructions

>input

ø.Id›¶Òî %A^z–³Ïì &Ca~›¹×õ1OmŒªÉè&Ed„£Ãã#Ccƒ¤Åå'Ij‹­Îð4Vx›½à&Il²ÖúAe‰®Ò÷@eŠ¯Õú Ek‘·Ý*QwžÅì;cŠ²Ú*R{£ÌõGp™Ãì@j”¾é>i”¿ê  A l ˜ Ä ð!!H!u!¡!Î!û"'"U"‚"¯"Ý#

#8#f#”#Â#ð$$M$|$«$Ú% %8%h%—%Ç%÷&'&W&‡&·&è''I'z'«'Ü(

(?(q(¢(Ô))8)k))Ð**5*h*›*Ï++6+i++Ñ,,9,n,¢,×- -A-v-«-á..L.‚.·.î/$/Z/‘/Ç/þ050l0¤0Û11J1‚1º1ò2*2c2›2Ô3

3F33¸3ñ4+4e4ž4Ø55M5‡5Â5ý676r6®6é7$7`7

>output

Syntax error: Unexpected closing bracket in line 4 char 445.

'use strict';var _,o=[],c=0,p=0,j=0,i=[],m=new Uint8Array(30000);function q(i){self.postMessage({o:[i]})}q(m[p]);m[p+1]+=5;i.length&&(m[p+1]=i.pop());i.length&&(m[p+1]=i.pop());i.length&&(m[p+1]=i.pop());i.length&&(m[p+1]=i.pop());i.length&&(m[p+1]=i.pop());m[p+1]-=5;q(m[p+1]);q(m[p+1]);q(m[p+1]);q(m[p+1]);q(m[p+1]);m[p+1]++;return self.postMessage({s:-1,o:o,c:c,m:m,p:p+1,n:-1});

Anonymous ID: a53a08 2020-05-13 01:13:52Z No. 9148379

>>9148279

nevermind, I was using the editor incorrectly

Anonymous ID: a53a08 2020-05-13 01:30:07Z No. 9148606

>>9044191

brainfuck-esoteric programming language in the quantization table

>>9043433

>>9073851

>>9043728

obscure color information in punisher pic

it might be another esoteric language - piet

https://www.dangermouse.net/esoteric/piet/samples.html

Anonymous ID: e58177 2020-05-13 03:04:24Z No. 9149955

>>9125009

I ran some of the House pdf’s through various pdf forensic tools and even Ghidra (and ran the embedded jpgs through forensic tools) and got nothing revealing. I did not see a way to view redacted data.

I also haven’t found anything in the flag or skull images, but I haven’t looked at the most recent red skull, it’s on my todo list. These are better suited for image forensic tools but also threw them into Ghidra but saw nothing.

I’m guessing Ghidra is meant for the Star Wars game or a future file or app.

Anonymous ID: e79ecb 2020-05-13 03:09:28Z No. 9150018

StegoAnons

Not sure if this is anything yet. Still poking around. I work with a ton of different stego tools and scripts as I attempt to detect patterns. The other night I was using StegoDetect and StegoLSB (python stego tools family) with the recent flag image and the punisher_red image which appears to be identical to the original Q-posted (BTW).

I was getting strange results playing with the LSB number 2. The file was reporting incorrect sizes due to bit decision. Typically defaults to 2 when playing with LSB. I changed it to 17 for fun and got interesting results. Still working to figure out the file type signatures it produced…but just wanted to throw this out to the group in case you are playing with these types of tools. Here are the command lines I was using on the files.

stegolsb steglsb -r -i flag.png -o output_file -n 2

and

stegolsb steglsb -r -i flag.png -o output_file -n 17

Anonymous ID: f2c621 2020-05-13 05:00:27Z No. 9151220

>>9145517

Pixel Knot? Yes it is one of many tools for exchanging secret information. Steghide is another….there are many. Wav and mp4 files etc… The key thing that Q did state is "'tools' All of these tools work together to find the surveillance challenges'' and hidden information etc…

Its really no different from digging in the web. All anons are actually wired for this type of forensic work. By our very observation, autism OCD, ADD nature.

Ghidra can do many things. It can decode many files types, different platforms, chip sets, controllers. Its a primary tool for decoding executable files, and code with internal functions. I have dug into images, PDFs and other file types. Just to look and see whats going on from a particular angle. With a similar tool I will look again from another angle. Its one of many tools that can be utilized. It is however extremely powerful. The thing is… we need all the tools we can get as we identify the security holes in most of the products we use every day. Phones / PCs, CPUs, routers, chip sets, software and apps. China has produced almost everything tech in the US and guess who we are in a silent war with right now…. It will take an army of anons to dig into the compromised digital universe. I encourage every anon out there with skills or no skills to start digging into our technology.

Anonymous ID: e58177 2020-05-13 06:10:33Z No. 9151706

>>9151220

“Toolkits can be helpful.”

Ghidra is just one of many tools for digital forensics. You are right that we need to be thinking beyond just one tool.

Anonymous ID: 4948e6 2020-05-13 16:59:28Z No. 9155724

I've got an image for you to play around with

https://twitter.com/BillClinton/status/1260613471697358848

Looks photoshopped. All albums look fake. His face looks odd.

Anonymous ID: 4948e6 2020-05-13 17:09:18Z No. 9155845

>>9155724

Ran it through hexdump and got this:


0000f1b0 26 94 bd 5c 08 22 d2 26 96 ff 00 c4 70 cb 1b e5 |&..\.".&....p...|
0000f1c0 e2 22 ed 77 e4 a9 5c 60 39 55 ea 57 79 9c 0e 09 |.".w..\`9U.Wy...|
0000f1d0 a1 f1 2c 8a 0a d6 1f 03 ea 67 0a e5 e0 fe d0 b8 |..,......g......|
0000f1e0 b6 d8 e0 7f dc ca 31 bc 32 b4 cf 98 fe c1 05 c2 |......1.2.......|
0000f1f0 db 9f 13 31 8c 82 5a 8f 3a ac 47 40 4e ce 1b b8 |...1..Z.:[email protected].|
0000f200 bc 10 46 cb 01 bf 98 60 c1 63 6e d1 e2 0b 62 d0 |..F....`.cn...b.|
0000f210 0b 56 c3 d3 29 29 c3 16 ef 11 e9 98 10 70 1d a2 |.V..)).......p..|
0000f220 09 3b 4c 1e d1 93 2c a7 a7 fc 4a 63 6e 47 4b ee |.;L...,...JcnGK.|
0000f230 1f 52 94 55 d2 6e bc 5c ff d9 |.R.U.n.\..|
0000f23a
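
The dump above ends with ff d9, the JPEG end-of-image (EOI) marker, at the very last offset (0xf23a is the file length), so nothing is appended after the picture. Added example, not from the poster: a Python script that makes that check properly by walking the JPEG marker segments instead of searching for the first ff d9, because an EXIF APP1 segment often carries an embedded thumbnail JPEG with its own EOI. The skeleton JPEG it builds is constructed for the demonstration and is not a decodable picture.

```python
SOI = b"\xff\xd8"
EOI = b"\xff\xd9"


def _skip_entropy_coded(data: bytes, pos: int) -> int:
    """Advance past scan data to the next real marker. Inside a scan, 0xFF is
    byte-stuffed as FF 00 and FF D0..D7 are restart markers; both belong to the scan."""
    while pos + 1 < len(data):
        if data[pos] == 0xFF:
            nxt = data[pos + 1]
            if nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                return pos
        pos += 1
    return len(data)


def find_eoi_offset(data: bytes) -> int:
    """Walk the marker segments and return the offset just past the real EOI (FF D9)."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: no SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}")
        marker = data[pos + 1]
        if marker == 0xFF:                               # fill byte
            pos += 1
            continue
        if marker == 0xD9:                               # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:     # TEM / RSTn carry no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")   # length includes its own 2 bytes
        pos += 2 + seg_len
        if marker == 0xDA:                               # SOS: entropy-coded data follows the header
            pos = _skip_entropy_coded(data, pos)
    raise ValueError("no EOI marker found")


def trailing_bytes(data: bytes) -> bytes:
    """Whatever sits after the image's EOI; a clean file returns b''."""
    return data[find_eoi_offset(data):]


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def build_constructed_jpeg(trailer: bytes = b"") -> bytes:
    """Constructed skeleton: SOI, JFIF APP0, an EXIF APP1 holding a fake thumbnail
    with its own SOI/EOI (the decoy), an SOS header, stuffed scan bytes, the real
    EOI, then an optional trailer. Real files also carry DQT/SOF/DHT segments,
    which the walker skips by length in the same way."""
    app0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    app1 = _segment(0xE1, b"Exif\x00\x00" + SOI + EOI)
    sos = _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    scan = b"\x12\x34\xff\x00\x56\x78"                   # FF 00 is a stuffed 0xFF, not a marker
    return SOI + app0 + app1 + sos + scan + EOI + trailer


if __name__ == "__main__":
    sample = build_constructed_jpeg(b"constructed trailing data")
    print("naive find:", sample.find(EOI), "real EOI ends at:", find_eoi_offset(sample))
    print("trailer:", trailing_bytes(sample))
```

Point it at a downloaded image with trailing_bytes(open(path, "rb").read()): an empty result is the clean case shown in the hexdump, and a non-empty one is data appended after the image, which is the cheapest and most common place people stash things in a JPEG and the first thing a forensic tool reports.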

Anonymous ID: 40dd42 2020-05-13 18:26:49Z No. 9156296

>>9155724

>>9155845

My b, apparently this is a meme

https://knowyourmeme.com/photos/page/5?gallery_cache_key=1849770

But the album name is probably the comms. (Hotter than July). Q said, spring summer would be HOT

Anonymous ID: 40dd42 2020-05-15 03:40:42Z No. 9179608

well fuck right off

>>9173188

Anonymous ID: c012ff 2020-05-15 15:23:04Z No. 9184158

>>9148162

I think I remember it being used to condense code and formulas or calculations because back in the day everything had to be done to save space on the system. Different than now. That is probably what you said but I don’t know much of the lingo.

Burn in hell America Jon James Pratt (999) aka the storm ID: bb460a 2020-05-17 10:44:42Z No. 9209405

For making your internal problems the problem of the rest of the world

And saying or doing nothing

Julian Assange made the game multidimensional and Trump betrayed him.

Black comedy, yes. Lol

And yes, yours truly owes Julian a massive thank you.

And no, i’m not perfect either, but some of my knowledge is.

Big love to Julian.

A combination of high level information warfare based on Gregory Bateson’s ‘theory of types’ , Lots of meditation and some incredible luck.

Seven weeks meditation with these bad boys.

http://www.973-eht-namuh-973.com/Alchemy/ADVENT%20INDEX.htm

And yes, it is all over 8kun too.

Illumination route (27 pages)

https://view.publitas.com/51899/497385/pdfs/a8c594cbd211702f0bef3bf4dbe1ae131b2d547c.pdf

Methodology (37 pages)

https://view.publitas.com/40132/322676/pdfs/842241c4185d6efcbf67950fee3772a2b07872e3.pdf

You’ve been duped by all your politicians and twitter too. Who collectively thought 💭 it would be a wise move to conceal, threaten and judge the true source of the storm ☔️.

Don’t take it personally. All our politicians are shameless cunts. It doesn’t take a genius to figure that out, does it?

And fixating on national identity is a recipe for disaster.

And yes, we are definitely all created equal.

And the dumb Jews do pay a price to handle the money too. Lol 😂

KNOWLEDGE 

Direct link to source document in pdf format. 2,238 pages 

17 year long beam of light from the absolute. 130 Mb

Every single entry date and time stamped.

https://view.publitas.com/72234/880115/pdfs/d4f86d8e8c2117fd530ef381c5b3b016936f5ad1.pdf

Kills the poor hurt feelings and opinions of individual humans dead.

Jon James Pratt (999)

49 year old illuminated polymath from Warwickshire

Humbly blessed as the world’s top intellectual and philosopher

Never lies and is never violent. Ever

Aka 'the storm ☔️'

Aka ‘cosmic lol 😂’

#allpointsarereconciled

BREADCRUMBS

https://www.google.co.uk/search?as_st=y&tbm=isch&as_q=%23allpointsarereconciled+&as_epq=&as_oq=&as_eq=&imgsz=&imgar=&imgc=&imgcolor=&imgtype=&cr=&as_sitesearch=&safe=images&as_filetype=&as_rights=

Emergency backup drive

https://drive.google.com/drive/mobile/folders/1du6pXkl_ZQ-87t51FH5aPEmpmchfGNYC?sort=13&direction=a

RESEARCH AND MEMES

https://drive.google.com/drive/u/1/mobile/folders/1qhE2UWiZJO9FId4Kq67oaQhnLKBuHJbSSBcCj-Cz/1U6Kfa7f0O5e_9JumXg_e8jJlduNitKEfUNszAU9U7w?sort=13&direction=a

Vile celebrity and money worshipping morons that have never had permission to kill, ever.

Pain is coming for you and 8kun Jon James Pratt (999) aka the storm ID: bb460a 2020-05-17 10:45:33Z No. 9209410

>>9179608

Q+ are the 13 kikes* Jon James Pratt (999) aka the storm ID: bb460a 2020-05-17 10:46:57Z No. 9209416

>>9156296

Who are going to be crucified live on tv

Absolute pain for you Jon James Pratt (999) aka the storm ID: bb460a 2020-05-17 10:49:12Z No. 9209421

>>9179608

Putting yourself Above 7,7bn people.

You’re a traitor to America and humanity

Instant death sentence

Tell the truth faggot Jon James Pratt (999) aka the storm ID: bb460a 2020-05-17 10:50:23Z No. 9209423

>>9179608

Or you will be nailing your whole fucking family first

Jon James Pratt (999) aka the storm ID: bb460a 2020-05-17 10:51:55Z No. 9209428

>>9209423

Who are you? Jon James Pratt (999) aka the storm ID: bb460a 2020-05-17 10:53:35Z No. 9209434

>>9179608

Jon James Pratt (999) aka the storm ID: bb460a 2020-05-17 10:56:44Z No. 9209441

>>9156296

You personally have put 7,7bn people in quarantine

Be truthful anons.

Here come the mandatory vaccines too.

Tbh I never thought Americans were this stupid.

Brits definitely.

Doesn’t take a genius to figure out who is telling the truth here, does it?

Yet so many of you are still on twitter, pushing the deceitful claim that Donald Trump is anointed by God Almighty himself.

He isn’t. And never will be.

And by refusing to acknowledge the real source of the storm, your dopey disrespectful president has not only betrayed the American people, but God Almighty too.

The royals here will have to give up the two old cunts at the top too.

Or it will be the whole family.

Zero negotiations or deals.

And Bibi is absolutely ruined too.

All of you chose to run the gauntlet.

And all of you have allowed this situation (killer virus and impending martial law) because all of you have put being American above being human.

Be truthful Americans.

Those 500 or so members of Congress are some of the biggest cunts in the world, and have betrayed all of you.

And by the mass media (((twitter))) framing a global holy war as an essentially American affair, highly polarised too, you have all been screwed by an essentially Jewish media.

The special talent of yours truly is to reduce the whole global power structure to a beam of light.

And that’s what the big pdf is..

And no, I’m not a prophet like Jesus (777), I’m God Almighty manifest in a human being. (999)

That’s why I’m completely separated from my knowledge.

The big 2,238 page pdf

Just two rituals hold the whole global power structure in place.

Divine in design, obviously.

The original mandate for 11.11.18

(The shot heard around the world)

Obviously scrubbed from (((twitter))) now.

Was for yours truly to align the Commonwealth with Russia, USA and Israel. (90% of the world’s nuclear weapons) (the ‘winners’)

Dawkins and Hillary as the offering.

A return to nation states too.

With the kings and Queens being the losers.

And Israel being both the winner (Bibi) and the loser (mass media) .

With the prize being world peace and the knowledge of other worlds.

The eternal life mentioned in the bible. Yes.

But instead, as a direct consequence of playing at online light workers, the vile and deceitful cunts here, with the undying assistance of two violent and deceitful geriatrics (parents) thought it was without consequences to lock yours truly up for 3 weeks, then 7 weeks, force feed him medication and leave an extremely fit and tough (violently abused as a child) 48 year old former professional Bmx freestyler with a broken back, a heavily lacerated stomach and prone to shakes and fainting fits.

If you are so blind to not see the truth when it is staring you in the face Americans, then you deserve to be locked up and forcibly vaccinated by your politicians..

Because that is exactly what is going to happen if you continue the charade on twitter.

You will all get further and further away from the truth.

Knowingly too.

That’s what makes it worse.

You see, I may have been born in England, but I had to relinquish my nationality when I was given a guided tour around 13 pizza ovens on the 1st January 2017.

The real pizzagate. Yes.

These politicians represent none of you, America, and never have done. Ever.

But because it was deemed more important to fake an American holy war rather than acknowledge the real winner in the global holy war, Team Israel, Team USA and team Britain have already dug a hole for themselves, that they will never get out of.

Sure many of you feel cheated.

You’re not the only one.

And yes, I have been to America many times, have many cousins there, been to Georgia, Alabama, North Carolina, Florida and California.

Always had an amazing time. Been for bmx competitions too. Been in the Appalachian mountains and south central LA too. Eaten cold beans out of a boat on the swamp. You get the picture.

And no, i’m not perfect either, but some of my knowledge is.

KNOWLEDGE 

Direct link to source document in pdf format. 2,238 pages 

17 year long beam of light from the absolute. 130 Mb

Every single entry date and time stamped.

https://view.publitas.com/72234/880115/pdfs/d4f86d8e8c2117fd530ef381c5b3b016936f5ad1.pdf

Kills the poor hurt feelings and opinions of individual humans dead.

Jon James Pratt (999)

49 year old illuminated polymath from Warwickshire

Humbly blessed as the world’s top intellectual and philosopher

Never lies and is never violent. Ever

Aka 'the storm ☔️'

Aka ‘cosmic lol 😂’

#allpointsarereconciled

Sold 327m Americans out Jon James Pratt (999) aka the storm ID: bb460a 2020-05-17 11:00:40Z No. 9209456

>>9179608

Zero fucking mercy on you thick cunt Jon James Pratt (999) aka the storm ID: bb460a 2020-05-17 11:02:21Z No. 9209463

>>9179608

Hammer and nails for you

Live on tv

For the whole world to see

And if not one Jew on This Planet admits that some Jews are cunts Jon James Pratt (999) aka the storm ID: bb460a 2020-05-17 11:22:24Z No. 9209534

We’ll burn the whole fucking lot of them

Anonymous ID: a16e89 2020-05-17 11:56:56Z No. 9209698

>>9046953

you don't know, but I believe. It's open sourced so any backdoors, rootkits etc would be easy to find in the code.

Also, I installed blackarch on a flash drive and Ghidra comes stock with it. Just use a vm or flash drive or if yr really paranoid a 100 dollar powerbook with no personal info on it

Anonymous ID: b0e462 2020-05-17 20:59:03Z No. 9215525

>>9209698

Or you could go with something like QubesOS and setup disposable VMs. / sandboxes. Very handy tool when playing with malware and other apps you don't trust. Very easy to contain using template OS installations of ghidra. You can have multiple projects isolated and contained running concurrently. With the separation of network interfaces you can also setup local networks that don't connect to the web and "watch" the behavior of a given app by setting up network monitoring and watch what resources the app may attempt to contact. Very handy environment for this type of work.

Anonymous ID: a8c12f 2020-05-19 09:03:34Z No. 9235782

>>9115305

Sorry if this has been asked, coding and such is a bit out of my wheelhouse. Has anyone run the background "music" in this video through a spectrum analyzer to look for images or other data? It sounds like there might be something in there.

Anonymous ID: a8c12f 2020-05-19 09:05:46Z No. 9235791

>>9121894

may want to try that on the recent Snowden related drops.

Anonymous ID: 6507eb 2020-05-19 23:43:06Z No. 9245114

>>9038853

Not sure how to read code very well ….

Anonymous ID: 6507eb 2020-05-19 23:46:25Z No. 9245175

>>9245114

is this C -or- C+ -or- Python -or- not sure ? would like to add comments or fix brackets to further reverse engineer.

Anonymous ID: 6507eb 2020-05-19 23:48:42Z No. 9245219

>>9245114

part 3 end.

Anonymous ID: c1a9e7 2020-05-20 00:47:08Z No. 9245902

>>9245219

>>9245175

That's all in C. Majority of the code there is string (text) manipulation. What's the program?

Anonymous ID: baa8ac 2020-05-20 01:46:53Z No. 9246470

>>9245114

It's C++ there's conditional logic and loops, malloc is a memory allocation using a pointer. Nothing in those shots is unusual.

Anonymous ID: baa8ac 2020-05-20 01:55:05Z No. 9246546

After 6 days of lifting the stay at home order, we are back to… a new type of normal. Local zipline park or abandoned crime scene? What did someone permanent marker over the sign at the park's rest rooms?

Anonymous ID: 6507eb 2020-05-20 02:57:56Z No. 9247116

>>9245902

It is software to program Alcatel Lucent hardware, MCT.exe, that one would find at a cellular site. Figure 1 there is embedded error reporting and would like to see which country they report to (Not American owned) and 2 we need to start making that stuff here so why not reverse engineer it?

Anonymous ID: 6507eb 2020-05-20 03:22:50Z No. 9247343

>>9038853

Is this one also C ?

Anonymous ID: 6507eb 2020-05-20 03:25:43Z No. 9247370

>>9247343

The executable is zoom . Part 2

Anonymous ID: 6507eb 2020-05-20 03:30:09Z No. 9247409

>>9247343

this zoom exe seems to have some weird code, hard to look at it always locks up my node and have to dump power. Part 3

Anonymous ID: 5228ca 2020-05-20 03:46:02Z No. 9247565

Anonymous ID: a53a08 2020-05-21 01:42:38Z No. 9258629

>>9038853

>>9043711

Maybe we need to look at the PNG images as well.

The tool below was originally published Dec 17, 2017 (near the start of Q drops), it was later updated Sep 23, 2019 (during downtime between 8ch/8kun).

I tried running the author's sample image through an LSB analysis and it wasn't detected

http://lukeslytalker.pythonanywhere.com/stegano/scan

I'm not saying this is exactly what's used, but this technique or a variation of it is out there delivering executable payloads undetected.

========

Invoke-PSImage

>Encodes a PowerShell script in the pixels of a PNG file and generates a oneliner to execute

>Invoke-PSImage takes a PowerShell script and encodes the bytes of the script into the pixels of a PNG image. It generates a oneliner for executing either from a file or from the web.

>It can either create a new image using only the payload data, or it can embed the payload in the least significant bytes of an existing image so that it looks like an actual picture. The image is saved as a PNG, and can be losslessly compressed without affecting the ability to execute the payload as the data is stored in the colors themselves. When creating new images, normal PowerShell scripts are actually significantly compressed, usually producing a png with a filesize ~50% of the original script.

>With the embed method, the least significant 4 bits of 2 color values in each pixel are used to hold the payload. Image quality will suffer as a result, but it still looks decent. It can accept most image types as input, but output will always be a PNG because it needs to be lossless. Each pixel of the image is used to hold one byte of script, so you will need an image with at least as many pixels as bytes in your script.

https://github.com/peewpw/Invoke-PSImage

New Hampshire Anonymous ID: 8f9fe1 2020-05-24 15:24:06Z No. 9297728

Whatever happened to live free of die?

Anonymous ID: 4d5cd6 2020-05-27 12:41:48Z No. 9330105

I don't know if these are commonly available but I built a python script hex to decimal calculator. Thought I'd share here.

"""
hex to decimal calculator
"""

value = input('Please enter the hexadecimal code here: ').strip().lower()

# optional 0x prefix, as printed by most tools
if value.startswith('0x'):
    value = value[2:]

# digit -> value lookup ('0' was missing and '10' is not a single hex digit)
h = {'0': 0, '1': 1, '2': 2, '3': 3, '4': 4, '5': 5, '6': 6, '7': 7,
     '8': 8, '9': 9, 'a': 10, 'b': 11, 'c': 12, 'd': 13, 'e': 14, 'f': 15}

lst = list()

for item in value:
    if item not in h:
        raise SystemExit('Not a hex digit: ' + item)
    lst.append(h[item])

print(lst)

# each digit is weighted by 16 to the power of its position from the right,
# so any length works (the hard-coded 4096, 256, 16, 1 only handled 4 digits)
total_sum = 0
for digit in lst:
    total_sum = total_sum * 16 + digit

print('Total "Decimal Value" of Hex Code:', total_sum)

Anonymous ID: 4d5cd6 2020-05-27 16:12:13Z No. 9331787

Anonymous ID: 4d5cd6 2020-05-27 16:12:27Z No. 9331791

>>9331787

Anonymous ID: a53a08 2020-05-28 03:38:56Z No. 9340169

>>9042549

>>9042985

I've ran the whole string (from the jpeg header through the end of the dashes) on several interpreters (https://tio.run/#brainfuck https://copy.sh/brainfuck/ https://fatiherikli.github.io/brainfuck-visualizer)

each of these had a seven character output "ÿññð" (hex: 01 01 01 FF F1 F1 F0)

with only the unbroken string after the forward slash as in your example outputs "òòñ" (hex: f2 f2 f1) you get -17 because the data pointer ends at 238. The pointer starts at 255 and increases/decreases with each +/- and the periods print out the value of the byte. So Q cycled the byte value up and down, printed, and then signed with value difference.

my thoughts are that it could be:

-a suspicious file signature to look for in malware or apps

-a bug that's being exploited

>Netview SNMP Automation Task CNMAUTO unable to receive data

Start of CP-MSU data

02 D6 12 12 00 23 FF F0 00 0F FF F1 F1 F0 4B F3 .O.....0...110.3

End of CP-MSU data

SNMPAPI: TRACE: Entering snmpFreeDecodedPDU

SNMPAPI: TRACE: Exiting snmpFreeDecodedPDU

SNMPAPI: TRACE: CNMAUTO request completed with return code 24004

>This shows that we are receiving a trap through the snmp automation service in netview. However, it did not get converted into an ALERT and it does not go to NPDA

https://www.ibm.com/support/pages/netview-snmp-automation-task-cnmauto-unable-receive-data

-an IP address formatted in hex (not sure if executables store IPs this way); this would put it as 255.241.241.240, which would make it a class E address, "reserved for experimental purposes only for R&D or Study". Is the traffic for the 4am news drops or other comms being routed through an otherwise "unused" IP?
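The interpreter behaviour the post above leans on (a fresh cell that reads 255 after one `-`, `.` emitting the cell's current value, and everything that is not a Brainfuck command being skipped, which is what lets a JPEG header and a run of dashes be "executed" at all), as an added example that is not part of the original post or of the interpreters linked there. The tape size, step limit and EOF handling are my own choices, and the sample programs are constructed for illustration; none of them is the string taken from the image.

```python
# Added example (not from the original post or the linked sites): a minimal
# Brainfuck interpreter with 8-bit wrapping cells. Tape size and step limit
# are arbitrary choices for this demonstration.

TAPE_SIZE = 30000


def run_bf(program, max_steps=1_000_000):
    """Run `program`; return (output bytes, value of the cell under the pointer).

    Cells start at 0 and wrap modulo 256, so a single '-' on a fresh cell
    yields 255 and a following '.' emits 0xFF. Any character outside
    '+-<>.,[]' is ignored, so arbitrary surrounding text is harmless noise.
    """
    # Match brackets once up front so '[' and ']' jump in O(1).
    jump, stack = {}, []
    for i, ch in enumerate(program):
        if ch == '[':
            stack.append(i)
        elif ch == ']':
            if not stack:
                raise SyntaxError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise SyntaxError(f"unmatched '[' at offset {stack[-1]}")

    tape = [0] * TAPE_SIZE
    ptr = pc = steps = 0
    out = bytearray()
    while pc < len(program):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded (runaway loop)")
        ch = program[pc]
        if ch == '>':
            ptr += 1
        elif ch == '<':
            ptr -= 1
        elif ch == '+':
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == '-':
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == '.':
            out.append(tape[ptr])
        elif ch == ',':
            pass  # no stdin here: treat as EOF and leave the cell unchanged
        elif ch == '[' and tape[ptr] == 0:
            pc = jump[pc]
        elif ch == ']' and tape[ptr] != 0:
            pc = jump[pc]
        if not 0 <= ptr < TAPE_SIZE:
            raise IndexError(f"data pointer left the tape at offset {pc}")
        pc += 1
    return bytes(out), tape[ptr]


def commands_only(program):
    """The characters the interpreter actually executes; everything else is noise."""
    return ''.join(ch for ch in program if ch in '+-<>.,[]')


if __name__ == "__main__":
    # Constructed programs, not the string from the image.
    print(run_bf("-."))
    print(run_bf("-" * 17 + "."))
    print(run_bf("++++[>++++<-]>."))
    print(commands_only("JFIF\x00 -.-. junk ---."))
```

Running `commands_only` over a candidate string before interpreting it shows exactly which bytes of a header or caption are doing the work; if the result is nothing but `-` and `.`, the "output" is just a countdown from 255 and carries no more information than the count of dashes.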

Anonymous ID: cd02c3 2020-05-28 15:08:38Z No. 9344789

>>9044191

Ever read Sherlock Holmes?

Looks a bit like the code Holmes deciphered that had dancing men on it:

https://www.boxentriq.com/code-breaking/dancing-men-cipher

Or the flag alphabet:

https://en.wikipedia.org/wiki/Flag_semaphore

Anonymous ID: cd02c3 2020-05-28 15:19:51Z No. 9344939

Has anyone connected any of this to the hashing/Wikileaks connection that another Anon had found?

I've worked on it a bit myself. I'm not sure whether the connection is legit or not.

You can hash phrases from Q posts using various hashing algorithms and they result in hashes that can be used as e-mail IDs on the Wikileaks site.

Another anon mentioned that md5 can be used. I found numerous other hashing algorithms worked.

The questionable aspects of it for me were:

1. Some really old, no longer secure, algorithms were used. Why do that? Even for something like this. It de-legitimizes the whole thing.

2. Some short/nonsense strings were hashed, making it seem like whoever hashed things did so with a brute force or dictionary style approach. (e.g. "b" and "1" could both be hashed and give results)

3. There's no telling when the Wikileaks servers were updated with these e-mail IDs. Meaning, it might have seemed intelligent to have an e-mail ID for, say, "COVID-19" a year ago, but if that was hashed and those hashes were used for e-mail IDs within the past few months, that's not impressive, it's just following the news.

4. I've yet to find any connection between the key phrases that I hash and the e-mails that come up.

It's a little odd to go through all that trouble for a nothingburger, though, on the Wikileaks end of things.

If you find strings with Ghidra that could be used as hashes or if you try hashing them, consider plugging them into the e-mail ID search for the Wikileaks e-mail drops. This might just all tie together somehow.

I got results with most if not all of these algorithms: md4, md5, sha1, sha224, sha384, sha256, sha512, ripemd160

On these addresses: (append hash to end of link)

https://search.wikileaks.org/gifiles/?viewemailid=

https://wikileaks.org/podesta-emails/emailid/

https://www.wikileaks.org/clinton-emails/emailid/

https://www.wikileaks.org/dnc-emails/emailid/

https://www.wikileaks.org/akp-emails/emailid/

https://www.wikileaks.org/hbgary-emails/emailid/

Anonymous ID: cd02c3 2020-05-28 15:25:48Z No. 9345003

>>9043728

Looks a bit like a cutout into a sheet of paper. Reminds me of a Grille type cipher. What's interesting about this is that people were accusing Comey, Obama, etc., of using a cipher of this type on social media to send out comms.

See: https://en.wikipedia.org/wiki/Grille_(cryptography)

If it is this kind of cipher, the real question is what it overlays on.

Thinking outside the box, it may not even belong on a word-based sheet of paper. What if it were laid onto a map to show something underneath or points of interest?

The original post this came from could give a clue what it could be laid over…

Anonymous ID: 49f848 2020-05-28 15:34:52Z No. 9345105