Thread Archive

Bread Archive: #2371258
Posted [2018-07-31 15:28:07Z] Updated [2018-12-05 20:20:19Z]
Source: [qresearch] 401 replies
Warning: Some boards on 4chan/8chan might have content of an adult or offensive nature. Please cease use of this website if it is illegal for you to view such content.
Boards and posts are user-created and do not represent the opinions of the administration. [Nothing is ever truly deleted].

PixelKnot General

PixelKnot General Anonymous ID: 745039 2018-07-31 15:28:07Z No. 2371258




You'd be amazed how much is shared on /pol/

0_PDlwBQSymrdu7_5D[1].jpg Hello I am a reporter from CBS.


and on







q drop about pixelknot



anons found pixel knot messages posted on /qresearch/ before Q drop



sha256 hashes



pages they were posted


html files of pages


original filenames of the images


original weird filenames



look at the old posts, at the id of the post and replies

find the originals

figure out clues for the keys

hiding in plain sight?







>>2314068 Exodus Chapter 8


none of the images have been cracked yet

these methods are confirmed to work on test images

PixelKnot on Bluestacks





use the last 1/3 of the password to crack first layer of f5 encryption






>curl –output f5.jar

>java -jar f5.jar x -p plan -e out.txt Q4example.jpg

>cat out.txt

Anonymous ID: 745039 2018-07-31 15:38:05Z No. 2371388



>It is possible that somewhere in the world there exist a piece of editing or conversion software that outputs jpeg headers in exactly same way?

great question!

f5Android library was ported in 2012

it was modified in 2/10/17 to remove the JFIF header (on line 666)

that change was merged to guardianproject f5Android 2/15/17

the pixel knot versions on the download page do NOT have the change (all 2015 and earlier)

so ONLY the play store version has the change


the two devs involved in removing that header don't commit very often to the project, it's a strange change to make…

especially by this person

this is not a popular library


Anonymous ID: 745039 2018-07-31 15:51:00Z No. 2371551


PixelKnot posted to /pol/

Q predicted this

0_PDlwBQSymrdu7_5D[1].jpg Hello I am a reporter from CBS.


Anonymous ID: 745039 2018-07-31 15:52:12Z No. 2371566


pixel knot posted on

Anonymous ID: 745039 2018-07-31 15:55:40Z No. 2371604


stegdetect thinks these have f5 data, and they all have the PixelKnot signature

0_PDlwBQSymrdu7_5D.jpg : f5[1.687834](***)

1_v3vvVO3DuvEB-osQDcIqlw.jpeg : f5[1.664398](***)

1_Wu-LPq1zKK-R5lsT67nRYA.jpeg : f5[0.652062](***)

1_xv-xqPhM_w3qdIatlg8L9A.jpeg : f5[3.026896](***)

1-0V2r2vC9pJRhMu8E_i0B7A.jpg : f5[1.590077](***)

Anonymous ID: 745039 2018-07-31 15:58:55Z No. 2371636

f5 detected in all of these with the PixelKnot header

00c9c0a7f1e16262b2fc85bda8bf7f35d87777fa4ce17aedf2cb111be3fa8c19.jpg : f5[1.487972](***)

18e535c2558973824cf2f11ea009066d0cd1fe3ac6c8b4bc0d5fa687d89da67a.jpg : f5[1.077547](***)

1b01e2fbd7483fe2167a417ed605269fa0fc8aaf9bbd1859898ea13b22ba4dee.jpg : f5[0.754573](***)

252ff478b5b8fff4c1f21d2a2fc1e7fb7fe63567f97c0d48f8015554c238f95f.jpeg : f5[0.629857](***)

262033564a1203326fea09ce1690e6466d577eb328c2f701a38781041a95f865.jpeg : f5[0.635810](***)

27cbddbc07d9b2e1fd99e4a79027b84f7dfbfc036fc446e216c8c5d79c524f45.jpeg : f5[1.069136](***)

310f67a6d8347ca66d1f9834c57590f0d848599155233ced507339e12dff764f.jpeg : f5[1.430104](***)

3acfcd9010a0c4ac35b0094eba3091edd503c8567e19245bf4439d933783d499.jpg : f5[1.762944](***)

419a76281780faaba70a562eadb3259afa20f110bde50d6b3a59611a1990c63e.jpeg : f5[0.652062](***)

43cade15e74ea33de94fe1e348366276d52b586f3e3cc37aa5c78740730282dd.jpg : f5[0.672636](***)

593888383f3b0cb45830b446e147fb0a63fa2323f2d5cae0fa667f432537ad7f.jpeg : f5[1.720412](***)

595033569a40a6b9371eec9374ee85f5f9f15cb795abcb231d743c632ca8c8e2.jpeg : f5[1.646860](***)

66e906944458a8e86480d8a5a167d8d59d7439f1a50a7606990ecaff2d875d1a.jpg : f5[0.313252](**)

68ccb4146da74068a0d8749ac6bd3dab249e1a6d947c8ee106ef5bfdc0c9cf6e.jpeg : f5[3.026896](***)

8956211e37873f95544dc8411b96cec78ab9015e5ab1bfb32e77dcf7e23efffa.jpg : f5[0.385592](**)

9a63066551a3fb4c3372b0de92d1f2765f5e3282407a9eff8f02bda18abc19f0.jpeg : f5[0.646259](***)

a1677d3d755fabf1c73b1786f5ac39f714c59cf72fc288029c166f9be119b7cf.jpg : f5[1.687834](***)

a5e5c137d0b352d8dbacaf8e2802f62bf59dac5dbd2b6af2d8379ac308b7b3d8.jpg : f5[0.369714](**)

be471d6d62109bc5be47082d1cf9a537777d9f6de5b1d777d4ee113a9c47ab63.jpg : f5[1.220465](***)

c17f5a9d1c3a40b5a866c68c964919f0e9dd29cd22f65d42817e6fb98f9baade.jpeg : f5[0.531815](***)

ce753f2d52183cbfa45b036d424ae516ce052f7b5b199b9f104db4f3b2ebc33d.jpg : f5[1.233975](***)

da6e9b4af508b04b76ec9882d59d6e85477e56f0c099914cf0f28f6a78f4b1c4.jpg : f5[1.661258](***)

db993b32deab77deff84aed2d656da90f820e6e0a86419368c7fddf3a3399557.jpeg : f5[0.540917](***)

e32140dca7b6a613fc23e47d7c7fb80ee953ae905328bff12a63afbade44cddc.jpeg : f5[1.664398](***)

e5393fba4fcca1dab2d66f98e520503ca942e3bf42bae78de2aa08c8576fa024.jpg : f5[1.590077](***)

e6b8db63781c16e82f72a5ed3fea3bfda5913bcd4b8bc881a81641b4b803ba8e.jpg : f5[1.484567](***)

ec1a0995e2b221546988a8e79fd4432f4464bef83a01b625a29b28192f2a083e.jpg : f5[0.366998](**)

ee59b2d2e90904a33d5176302c4982d0496a1536cf16aa73f6029d4ff0734878.jpg : f5[1.828625](***)

f5ee16710b749e2c4dd3e95a1f725723b322f9963010256dc3cffad0eddff752.jpg : f5[1.235872](***)

fb4155bf04f4b1dbe5cd387772dd7b02c33165c5cd8d4f244ff89743e9dfdeb6.jpg : f5[0.626920](***)

Anonymous ID: 745039 2018-07-31 16:02:12Z No. 2371666


focus on the evil eye posted to /pol/ on 01 May 2018 14:22:30

0_PDlwBQSymrdu7_5D.jpg : f5[1.687834](***)

Hello I am a reporter from CBS.

tried every 3 letter combo already

Anonymous ID: c69a4f 2018-07-31 16:04:03Z No. 2371688

The identified pxlknot images I looked at were all 96dpi and 24bit color.

A general approach to decryption is to start with the simplest image, and then encode one character. Examine the resulting image. Do it again with the same characterto see if there is a change.

Then sequentially encode '1','2', '3', etc. and see if there is a predictable pattern.

What you're looking for is a way to brute-force decode the image.

Also try to find the original images before they were subjected to pxlknot.

Anonymous ID: d09e22 2018-07-31 16:06:23Z No. 2371713


that ring is pedo symbol.

jackson lee wears one.

Anonymous ID: c69a4f 2018-07-31 16:35:03Z No. 2372025

Here is source code for determining entropy of a file. Can be used in connection with brute force decrypter to identify results with significantly different entropies.

Anonymous ID: f7173a 2018-07-31 16:46:16Z No. 2372148


The spiral has many meanings. It is an ancient symbol.

Anonymous ID: 35f05f 2018-07-31 16:53:43Z No. 2372226


So just so to be sure, are you are saying the app store version is incompatible with the F5 library that is used with say tools built on linux?

I can't seem to extract data on linux that I embeded with the appstore apk (that I built from the source). I can't figure out why, but it mimic's some of the other responses from the previous bread.

Huffman decoding starts

Permutation starts

921600 indices shuffled

Extraction starts

Length of embedded file: 1798344 bytes

(1, 8388607, -9) code used

Incomplete file: only 0 of 1798344 bytes extracted

Anonymous ID: 745039 2018-07-31 17:03:33Z No. 2372349


>are you are saying the app store version is incompatible with the F5 library


the change looks compatible, the header is optional

I have decoded the Q4example.jpg with google code f5.jar build in 2011 (where f5Android was ported from) and from the most recent source on windows using sun jdk 1.8

not sure if openjdk or linux would be different

java -jar f5.jar x -p plan Q4example.jpg -e msg.txt; cat msg.txt

Huffman decoding starts

Permutation starts

172800 indices shuffled

Extraction starts

Length of embedded file: 88 bytes

(1, 127, 7) code used



Anonymous ID: 35f05f 2018-07-31 17:43:44Z No. 2372815


See if you can decode please.


Anonymous ID: fa9e7b 2018-07-31 17:51:24Z No. 2372909

I ran the pixelknot python detection script that was on here in the last few days on my cache of qresearch image files and found there was a few of them.

Uploaded what i found so far to as i don't have the computing power to tinker with them.

Anonymous ID: 745039 2018-07-31 18:00:24Z No. 2373016


f5 layer with last 1/3 (non)

java -jar f5.jar x -p non -e msg.txt ../../Downloads/760ba9dfcb03613b2db84902b7dec4c2edba182945542a18456b9a18cda2a857.jpg; cat msg.txt

Huffman decoding starts

Permutation starts

1238400 indices shuffled

Extraction starts

Length of embedded file: 104 bytes

(1, 127, 7) code used

—-* PK v 1.0 REQUIRES PASSWORD —-*vNOvTv6i78CsQvHg





Evil Everywhere …


Anonymous ID: 757a03 2018-07-31 18:06:53Z No. 2373115


Anonymous ID: 757a03 2018-07-31 18:09:53Z No. 2373154


I just wanted to link this over here from the Silverman password thread in case there's any significance.

I'll bug off now!

Anonymous ID: 745039 2018-07-31 18:10:40Z No. 2373165





Anonymous ID: 745039 2018-07-31 18:18:05Z No. 2373244


great work anon, this image is small enough i can try 2000 passwords/second -

tried all 3 combos (rules out all passwords < 10)

takes 7 hours to go through all 4 char combinations (all password < 13 chars)

if we crack one image it might give us a clue on the passwords for the other

Anonymous ID: 745039 2018-07-31 18:36:51Z No. 2373486




Anonymous ID: c5ee9d 2018-07-31 18:40:57Z No. 2373544


But is it still possible that another, entirely irrelevant piece of software could coincidentally produce images with the same header?

Anonymous ID: fa9e7b 2018-07-31 18:44:56Z No. 2373593


Wish i had a faster computer. Glad someone can make a go of it.

Anonymous ID: 35f05f 2018-07-31 19:01:43Z No. 2373814


This is a stretch, but what if they didn't use PixelNot at all? What if they used the JS version of F5?

Anonymous ID: 745039 2018-07-31 20:05:00Z No. 2374639

updated PixelUnknot main with timer

Anonymous ID: 35f05f 2018-07-31 20:22:36Z No. 2374860


Thanks for your help. I think I'm missing something, PixelUnknot is needed to decode the output from f5?

After getting bounced around in the 'bouncy castle' I was able to run PixelUnknot, but not sure how to get the message decoded.

Anonymous ID: 8a1878 2018-07-31 20:24:20Z No. 2374887


Honestly, the only way I know of to speed this up would be to do what the bitcoin miners do and find a way to shunt the data into a graphics card to 'render' out the solution.

Not knowledgeable enough on this topic though to even wrap my head around how this gets done on a mathematical level, I just know that a graphics card can pump out hashes like there's no tomorrow.

Anonymous ID: 745039 2018-07-31 20:30:11Z No. 2374957


you need two files, the image and text file with the list of passwords to try

you can run in intellij with this run config (see pic)

or command line

jar -cp "<classpath crap>" q.Main Q4example.txt passwords.txt


i wish, need to have java's secure random and that won't run on a GPU

Anonymous ID: 21c507 2018-07-31 20:31:24Z No. 2374970


Yes. Any software that uses the "james" library to write JPEG images.

Anonymous ID: 745039 2018-07-31 20:35:14Z No. 2375023


it's a stretch, jpeg header can come in any order this is unique. only way to know for sure is to decode one of these or find another piece of software that does the same.

look at the images - they are creepy - and some of them are unique enough to find the sources - different websites images with the same naming convention 1_XXXX_XXXXXX that were posted on qresearch over the last few months

Anonymous ID: 35f05f 2018-07-31 20:35:47Z No. 2375031


Huffman decoding starts

non good byte - at 0

non good byte - at 1

non good byte - at 2

non good byte - at 3

!!!!!!!!!!! PARTIAL MATCH - non

!!!!!!!!!!! PARTIAL MATCH - non

!!!!!!!!!!! PARTIAL MATCH - non

!!!!!!!!!!! PARTIAL MATCH - non

I'm not getting the message … Since in my case I just added qanon to the passwords.txt

Anonymous ID: 745039 2018-07-31 20:38:22Z No. 2375089


james is an implementation of f5 jpeg encoder, so if it is another program it'd probably be a f5 steg program too

Anonymous ID: e511db 2018-07-31 20:42:50Z No. 2375171


Don't know if it was already done, but I ran the python pixelknot detection script in a folder with all of Q's images he posted.

0 pixelknot images…

Anonymous ID: 745039 2018-07-31 20:43:06Z No. 2375174

these look like ports of the original java both write the JFIF header on encoding




Anonymous ID: ccc1fa 2018-07-31 20:44:20Z No. 2375198


that py script is trash, can't tell its ass from a hole in the ground

Anonymous ID: 21c507 2018-07-31 20:46:18Z No. 2375234


Yes, it's probably used by nothing else than the F5 library, but James JPEG Encoder actually predates F5.

Anonymous ID: 745039 2018-07-31 20:52:25Z No. 2375351


hmm pretty widespread, still all write JFIF

weird that somebody would move it down to line 666 and comment it out

Anonymous ID: e511db 2018-07-31 20:54:26Z No. 2375386


So how do you detect a pixelknot image?

Anonymous ID: 745039 2018-07-31 20:54:36Z No. 2375392



Anonymous ID: 745039 2018-07-31 20:55:03Z No. 2375402


missing JFIF and signature at 0x88

Anonymous ID: 35f05f 2018-07-31 20:55:58Z No. 2375416

Not sure which is more important, trying to decipher hidden messaging/files in Q's posts are PixelKnot comms.

We are going to have to start from scratch if try to extract (if any) hidden data from Q's images.

Anonymous ID: 745039 2018-07-31 20:58:43Z No. 2375458


it's not Q using PixelKnot it's them…

they are trading information over these images posted places, on /pol/ …on /qresearch/… on

they are using them to identify each other

Anonymous ID: c5ee9d 2018-07-31 21:01:29Z No. 2375498


Anything to back this up, or just guess work?

Anonymous ID: e511db 2018-07-31 21:05:44Z No. 2375569


I used the f5.jar to add a message to a picture, and to extract it again for verification.

That encoded picture does have JFIF in it and does not have that FF C0 00 11 @ 88

Anonymous ID: 35f05f 2018-07-31 21:06:41Z No. 2375588


I know this, I'm saying what if Q hid data in PNG's, all this PK work is for not. Some of the PNG's Q uploaded seemed pretty large for what they are..

Anonymous ID: 35f05f 2018-07-31 21:08:20Z No. 2375616


I think the C0 is the start of the image, but I could be wrong.

Anonymous ID: 35f05f 2018-07-31 21:13:16Z No. 2375683


Marker Identifier 2 bytes 0xff, 0xc0 to identify SOF0 marker.

My hex compare using PixelKnot app, the image with message is 0xff, 0xc0, and the image without is 0xff, 0xc2

Anonymous ID: e511db 2018-07-31 21:14:20Z No. 2375702

This is what I get with a little test.

Hope it helps

Anonymous ID: 745039 2018-07-31 21:15:12Z No. 2375707


exactly - only pixelknot encoded images are missing that - f5 will decode it


pixelknot only does jpg/jpeg

Anonymous ID: 35f05f 2018-07-31 21:20:20Z No. 2375762


>pixelknot only does jpg/jpeg

I know :)

Hence why I said start all over …

Anonymous ID: 35f05f 2018-07-31 21:22:21Z No. 2375793


If I specify the full password to f5.jar it chokes, if I specify the last 3 digits I get (in out.txt):

—-* PK v 1.0 REQUIRES PASSWORD —-*vNOvTv6i78CsQvHg


Anonymous ID: 35f05f 2018-07-31 21:25:54Z No. 2375858


By choke I get this instead:

java -jar f5.jar x -p qanon ~/Downloads/goods.jpg

Huffman decoding starts

Permutation starts

1238400 indices shuffled

Extraction starts

Length of embedded file: 485098 bytes

(1, 67108863, -6) code used

Incomplete file: only 0 of 485098 bytes extracted

Anonymous ID: ccc1fa 2018-07-31 21:31:50Z No. 2375964


This is not a consistent way to find f5 images. In fact, it doesn't even work with the q test image available in this thread. Also, I see the same patterns in images I've created myself. Also if you use a hex editor to examine various images that are implicated as f5 this pattern does not fit. If you want to start comparing I recommend using beyondcompare and renaming the jpg to txt.

Anonymous ID: ccc1fa 2018-07-31 21:34:35Z No. 2376015


Still trying to determine that consistently. I saw someone here using stegdetect but I haven't tried it yet and it looks like based on settings you use can result in a high rate of false positives

Anonymous ID: 757a03 2018-07-31 21:55:26Z No. 2376405

I imagine someone has already caught on to this.

Just in case though, there seems to be a punisher image hidden in the Silverman image brought out with image filters.

Also what looks like a navy seal eagle image on the nose of the punisher skull.

Both images have significant meaning to this group of patriots.

I'll try and get it clearer.

Password may be blackwater, Erik Prince or Frontier Group

Anonymous ID: 745039 2018-07-31 21:58:07Z No. 2376447




this fellow anon is how you recognize them

they want to slide the conversation with arguments that are easy to argue

glad we have your attention

Anonymous ID: 745039 2018-07-31 22:01:17Z No. 2376493


the code is trying to find the last 1/3 of the password

here is a that decodes the message

Anonymous ID: 35f05f 2018-07-31 22:07:46Z No. 2376582


Thanks, I get this when I build with your changes …

java -jar PixelUnknot-1.0-SNAPSHOT.jar ~/Downloads/goods.jpg passwords.txt

Huffman decoding starts

non good byte - at 0

non good byte - at 1

non good byte - at 2

non good byte - at 3

!!!!!!!!!!! PARTIAL MATCH - qanon

!!!!!!!!!!! PARTIAL MATCH - qanon

!!!!!!!!!!! PARTIAL MATCH - qanon

!!!!!!!!!!! PARTIAL MATCH - qanon Illegal key size

at javax.crypto.Cipher.checkCryptoPerm(

at javax.crypto.Cipher.init(

at javax.crypto.Cipher.init(

at q.Main.DecryptWithPassword(

at q.Main.extract(

at q.Main.lambda$main$0(


at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(



at java.util.concurrent.CountedCompleter.exec(

at java.util.concurrent.ForkJoinTask.doExec(

at java.util.concurrent.ForkJoinTask.doInvoke(

at java.util.concurrent.ForkJoinTask.invoke(






at q.Main.main(

Anonymous ID: 745039 2018-07-31 22:09:45Z No. 2376618



exactly right

pixelknot uses the last 1/3 of the password for the f5 encryption

the rest is for the AES encryption layer after

if we can find the last 1/3 of the password we can PROVE there is a pixelknot message in one of these images

Anonymous ID: 745039 2018-07-31 22:14:15Z No. 2376678


does it work with Q4example.jpg and passwords.txt ? might be that qanon is too short of a password

Anonymous ID: 4d00ef 2018-07-31 22:18:52Z No. 2376757


Working on pic related

Have searched this keyspace up to length of 3 chars for the F5 seed

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 .,:;!?()-+*/\[]{}@_><#~=^`'"&%$

space included

No hits - proceeding to length of 4 - will report back in a few days

Anonymous ID: 35f05f 2018-07-31 22:21:15Z No. 2376795


I'll check, but someone was able to extract the message in the image I uploaded earlier. So there is some difference with my runtime vs. anon's runtime, or some bug someplace.

I want to make sure that I can verify results from PK app and then extract then on my box, this way I know for sure I have something that's reliable. I'm using 1.8 on mac, I was thinking about switching to VB vm instead (I have a couple different VMs aready setup), but I'm just puzzled why I'm not getting the same results as the other anon.

Anonymous ID: 745039 2018-07-31 22:22:09Z No. 2376809


don't forget single and double quotes

I'm running this on all the images

crunch_win.exe 1 3 '[email protected]#$%^&*()_+=-[]\|}{,./<>?" '"'"

and running

crunch_win.exe 4 4 '[email protected]#$%^&*()_+=-[]\|}{,./<>?" '"'"

on evil eye

Anonymous ID: 4d00ef 2018-07-31 22:24:19Z No. 2376829


I haz both. I started on the evil eye but I noticed the rate was way low on that image (in comparison to test images)… you may want to check yourself. Much faster against illumipepe

Anonymous ID: ccc1fa 2018-07-31 22:24:51Z No. 2376835


You got the fellow anon part right but sliding, in the same thread?

Yours is the first I've seen that matches that cap (just started working on this today). Do you have other images that fit this pattern? Otherwise, I haven't found any yet and the other version of the q example image had the FF C0 starting at 9E not 88, something isn't fitting here.

As for the python script its looking for files that begin with 'ff d8 ff db 00 84' which I also haven't found any images posted as examples on the board fitting this format.

This is also just one implementation of f5 with the missing jfif header. There are many from my understanding.

The CBS eye everyone keeps posting is 9E not 88 and has a header.

many others are FF C2 around 9E instead of C0.

Anonymous ID: 35f05f 2018-07-31 22:25:38Z No. 2376851


Would be nice to have a distributed setup for this, because if we crack one, we have many others that probably won't have the same password.

Silverman passcode Anonymous ID: ed2885 2018-07-31 22:26:08Z No. 2376856

New avenue…the instructions to decode are in the original message. Google, Yandex, iqdb. What do they have in common? Reverse image search. Use the Silverman image to reverse search. Now what pictures? Is it given right in the image number? IMG_382. Third pic Google, eighth pic Yandex, 2nd pic iqdb. What info from these three pics? Hit a wall, run with it.

Anonymous ID: 745039 2018-07-31 22:27:52Z No. 2376887


see you glowing

Anonymous ID: ed2885 2018-07-31 22:29:41Z No. 2376914


>Silverman passcode

>New avenue…the instructions to decode are in the original message. Google, Yandex, iqdb. What do they have in common? Reverse image search. Use the Silverman image to reverse search. Now what pictures? Is it given right in the image number? IMG_382. Third pic Google, eighth pic Yandex, 2nd pic iqdb. What info from these three pics? Hit a wall, run with it.

WAIT also stands for what anime is this, and has reverse image search

Anonymous ID: 745039 2018-07-31 22:36:13Z No. 2377012



oh yeah i switch too when the new file bundle came out, i'm trying 4 char combos on the smallest image

progress - count: 30089632 elapsed: 15622s = rate: 1926 pw/s

Anonymous ID: ccc1fa 2018-07-31 22:36:41Z No. 2377022


No it looks like its just how I've been downloading the image to check it.

Thanks for the example and showing me what I was doing wrong, perhaps you'd like to confirm.

Without expanding the image, right-click and save image as. View the hex.

Then expand or use the direct link above the image and you get that header.

Anonymous ID: 745039 2018-07-31 22:49:48Z No. 2377210


download these two batches of files

Anonymous ID: 745039 2018-07-31 22:50:38Z No. 2377224


research where they come from

Anonymous ID: 745039 2018-07-31 22:51:13Z No. 2377229


Anonymous ID: 745039 2018-07-31 22:51:44Z No. 2377235


J.TrIDr3ESpPJEs ID: ee4cfa 2018-07-31 22:57:47Z No. 2377313


>don't forget single and double quotes

Assuming the password accepts unicode, you may have a much bigger fight ahead of you. Consider other symbols like the pound sign (£) or the euro found on keyboards from other countries.

If it's unicode, you can safely assume UTF-8, given it's a pretty widespread standard.

Also, I recommend avoiding random character generators, but having a pre-computed array/table (for 3 characters).

If you're looking at additional bruteforcing power, a couple of recommendations:

1) Each of you should pick one picture each and specify what image you are trying to decode, and how. That way you're not duplicating each other's work.

2) If failed, specify what you tried and the 'results', if any.

For bringing hardware resources to bear:

1) Consider modded PS3s (some of you might have one or two lurking around), they're ideal for bruteforcing

2) Trial periods on cloud hosting repurposed (or alternately rent out some rackspace)

3) Dust off some old laptops, machines, and set them to work continuously whilst you do other things

4) Get some programmerfags to rewrite the testing code in bare metal (like C++) which would see mild performance improvements

Alternatively, if exhausting the three character space is too much, assign each of yourselves a single first character, and brute force all characters under that character.

So if one of you was to do 'A' (A), the next person would do 'B' (B).

Brute forcing isn't just about power but also efficient allocation of resources.

PS, Bitcoin's algorithm is SHA256. So if you're looking to break SHA256, look no further than your own noses. ; )

Anonymous ID: 745039 2018-07-31 23:05:50Z No. 2377440


>If it's unicode, you can safely assume UTF-8, given it's a pretty widespread standard.

yeah great point … looked at the code and no reason why unicode passwords wouldn't work

Anonymous ID: 745039 2018-07-31 23:12:56Z No. 2377671




Anonymous ID: b10bfd 2018-07-31 23:29:05Z No. 2378123

just having some fun…

Anonymous ID: 1b4548 2018-07-31 23:30:00Z No. 2378143


>the pixel knot versions on the download page do NOT have the change (all 2015 and earlier)

>so ONLY the play store version has the change

Reposting from last bread, possibly relevant.

Are the brute force tools developed here based on the most recent github resources?



>Updated: February 17, 2017

>Current Version:1.0.1

>n8fr8 released this on Feb 16, 2017 · 0 commits to version_2 since this release

I'm probably tired or a dumbass, maybe both. But is version 2 in github the same as the one on in the play store right now?

Anonymous ID: 1b4548 2018-08-01 01:05:02Z No. 2380484




Took the apk, put it through a decompiler and found an additional file

import info.guardianproject.f5android.C0217R;

import info.guardianproject.f5android.plugins.PluginNotificationListener;


package info.guardianproject.f5android;

public final class C0217R {

public static final class drawable {

public static final int ic_launcher = 2130837601;


public static final class string {

public static final int app_name = 2131165211;

public static final int cleaning_up = 2131165272;

public static final int downsampling_components = 2131165273;

public static final int init_coeffs = 2131165274;

public static final int init_huffman_buffer = 2131165275;

public static final int init_permutation = 2131165276;

public static final int querying_image = 2131165277;

public static final int reading_huffman_buffer = 2131165278;

public static final int setting_huffman_buffer = 2131165279;


public static final class style {

public static final int AppBaseTheme = 2131296416;

public static final int AppTheme = 2131296417;



Anonymous ID: 1eb45a 2018-08-01 01:05:18Z No. 2380486


I think so. The test image I created with Pixelknot (from the Play store) is missing the JFIF at the beginning of the file. The "pixelunknot" brute force tool (almost) works on my test image.

I say "almost" because I ended up modifying the loop (pic related). My test image's password was "test", so that's a seed string of "st". The loop wouldn't try it even though I had "test" in the dictionary file. On a side note, I also added a HashSet that keeps track of everything attempted, to avoid re-trying common word endings.

Anonymous ID: f3fd5b 2018-08-01 01:13:48Z No. 2380686

PNG DECODE HERE in bread 3000.



Anonymous ID: 1b4548 2018-08-01 01:59:35Z No. 2381600


I'm using

to obtain the source code directly from the android app, not github.


Again, even the older version /pol/ shared also has an additional file in the F5 bundle

import info.guardianproject.f5android.C0064R;

import info.guardianproject.f5android.plugins.PluginNotificationListener;

package info.guardianproject.f5android;

public final class C0064R {

public static final class drawable {

public static final int ic_launcher = 2130837631;


public static final class string {

public static final int app_name = 2131361805;

public static final int cleaning_up = 2131361806;

public static final int downsampling_components = 2131361813;

public static final int init_coeffs = 2131361809;

public static final int init_huffman_buffer = 2131361808;

public static final int init_permutation = 2131361807;

public static final int querying_image = 2131361810;

public static final int reading_huffman_buffer = 2131361812;

public static final int setting_huffman_buffer = 2131361811;


public static final class style {

public static final int AppBaseTheme = 2131427417;

public static final int AppTheme = 2131427418;



Anonymous ID: bbb839 2018-08-01 02:39:27Z No. 2382513


I don't understand all the details but F5 stegnography encodes data by altering the DCT coefficients per 8x8 pixel block, those coefficients are stored with Huffman compression. The method of encoding is why the output image is always a JPEG. You would have to do statistical analysis of the JPEG coefficients… (assuming the software wasn't comprimised to leak additional info as well, the absence of JFIF header appears to be such a case)

Anonymous ID: 0016c5 2018-08-01 04:42:11Z No. 2384816


We might be able to put the GPU to some use. The decoding part obviously has too much conditional branching for it to be of any use there. But the Permutation generation step is highly linear. It should be well suited to parallelization. It could be sent perspective passwords and a sizeN and send back an arrays. However, it would be memory bound. And the huge bandwidth requirements to send those arrays back to the main memory might be an issue.

I found the source for all the parts of SecureRandom and plan on making a perfect replica of it in C as a stepping stone to a possible GPU implementation. That is extremely ambitious for someone with my coding skill-level. But I can to it… eventually.

Anonymous ID: e15c71 2018-08-01 04:45:56Z No. 2384880

Not a code flag, but is it possible code/key/password is John Podesta's password [email protected] ? Q said future/news unlocks past?!?idk maybe iz just a baboon loose on board.

Anonymous ID: 4d00ef 2018-08-01 05:08:29Z No. 2385149


https://arxiv. org/pdf/1606.00519.pdf

Anonymous ID: 0016c5 2018-08-01 05:14:41Z No. 2385219


The Huffman decoding part is a non issue. You only need to do that once for an unlimited number of password attempts.

It's calling the SHA-based psudorandom number generator a million times in series (can't be paralleled) to decide which integers to shuffle around that takes most of the work.

Anonymous ID: 4d00ef 2018-08-01 05:18:05Z No. 2385265


Can't we just use/modify the existing hashcat code for that?

Anonymous ID: 4d00ef 2018-08-01 05:24:07Z No. 2385325


Sorry that's for the AES decryption portion… still, I think we could use the existing hashcat code for the SHA portion of PRNG. SHA1/256 on hashcat is stupid fast. Something like 600m hashes/s on my old ass card.

Anonymous ID: 0016c5 2018-08-01 05:42:53Z No. 2385604


Hashcat is doing something totally different. It's trying to find the passwords that produced a set of hashes. It does this by hashing lots for trial passwords once in parallel'. We need to take one password, use it to set the state of the SHA algo, and then cycle the output back in many many times. This is an unavoidably serial process. If I indeed go down this rabbit hole it will probably involved reading the HashCat code as a way of learning how CPU<->GPU coding works. I might even use some parts from it. But beyond that programs like HashCat and John the Ripper are not useful to us.

Anonymous ID: 4d00ef 2018-08-01 05:52:14Z No. 2385732


I know. Rather than shooting for one target hash, we try 1k passwords at once and run each serially with however many iterations required, in parallel. I don't see a problem here. I still think it can be modified to our purpose.

Anonymous ID: 0016c5 2018-08-01 06:12:28Z No. 2386063


We are not really looking for one target hash. It would be nice if it were that simple. Here is the annoying chunk of code in question. 'random.getNextValue' calls 'SecureRandom' which was previously seeded using the password under test. Inside 'SecureRandom" there is a SHA hash function at the heart of it. 'size' is typically around a million.[code]public Permutation(int size, F5Random random) {

int i, randomIndex, tmp;

shuffled = new int[size];

// To create the shuffled sequence, we initialise an array

// with the integers 0 … (size-1).

for (i=0; i<size; i++) // initialise with size integers

shuffled[i] = i;

int maxRandom = size; // set number of entries to shuffle

for (i=0; i<size; i++) { // shuffle entries

randomIndex = random.getNextValue(maxRandom–);

tmp = shuffled[randomIndex];

shuffled[randomIndex] = shuffled[maxRandom];

shuffled[maxRandom] = tmp;

}[code] It's serial. And it's memory intensive. But at least there need be little conditional branching (which GPUs suck at). So this would use all of the GPUs RAM long before you got enough processes in parallel to use all of its computing power. It can't hurt to have a few hundred more cores helping the main CPU (as long as there are no memory bandwidth issues). But we're not going to get the same astronomical performance boost that HashCat gets.

Anonymous ID: 0016c5 2018-08-01 06:15:22Z No. 2386109


Oops, for got the /

	for (i=0; i<size; i++) {	// shuffle entries

randomIndex = random.getNextValue(maxRandom–);

tmp = shuffled[randomIndex];

shuffled[randomIndex] = shuffled[maxRandom];

shuffled[maxRandom] = tmp;


Anonymous ID: 4d00ef 2018-08-01 06:35:57Z No. 2386525


Is size the size of the decompressed bitmap? Or is it something else?

PS tells me that's about 303K for illumipepe.

Even if it's 1MB as you say, that's still 1500 instances of the image.

With my lame 1.5GB graphics card that's still almost 5K potential instances

Anonymous ID: 0016c5 2018-08-01 06:50:31Z No. 2386742


Its the size of the DCT coefficient list.. which works out to be the same as the number of pixels * channels (RGB). But, practically, yes. Many of the images are larger than that one.

>With my lame 1.5GB graphics card that's still almost 5K potential instances

Indeed. I just need to work out how it will handle all the out of order loading and storing.

Anonymous ID: 4d00ef 2018-08-01 06:58:19Z No. 2386850


The DCT coefficient list only gets computed once, correct? If so, we only need to push one copy of the data to the graphics card and we should be able to copy it as many times as we want, no? And if we manage to implement it all on the graphics card, then all we really care about getting back is the rate of attempts and the valid key, if any. And yes, I understand many images are larger but essentially it would work out to max available GPU mem divided by decompressed image size in terms of threads. I'm willing to bet that's still a fuckton more than we've got going currently.

Anonymous ID: 0016c5 2018-08-01 07:08:42Z No. 2386977


Uh-huh. That is why I'm currently reading up on GPU programming.

The stumbling block I foresee is that there is a lot or random accessing going on after very short work segments will very short arrays. This is really not what GPUs are good at.

Disclaimer: I have no experience with this kind of stuff and I'm mostly just talking out my ass. So if anyone who has ever done anything in CUDA or OpenCL would like to weigh in it would be much appreciated.

Anonymous ID: 745039 2018-08-01 07:23:06Z No. 2387120


i've done CUDA and been looking at f5 and no it would not be a good fit… too bad too because i've got some monster gpu power

Anonymous ID: 4d00ef 2018-08-01 07:29:40Z No. 2387183


Roger that.If there's one thing I'm certain of though, it's that we drastically need to speed things up. Perhaps a pure-C implementation would be enough. IDK. I'm gonna sleep on it. G'night anon.

Anonymous ID: bb8fea 2018-08-01 09:15:26Z No. 2387734


So the only people stupid enough to use that app are media types. Well, that's interesting. So when we crack this, there is a slightly less chance of finding CP from perverts and more of a chance finding gamer gate type collusion between media personal and/or leaks to the press from stupid gov members. Perfect. I knew there had to be a reason why Q pointed us to such a trash app.

I guess a good project, for those who aren't skilled at writing efficient code for password cracking, would be to work at better detecting PK images and scrapping them from the archives of /pol/, 4/pol/, perhaps QResearch, and all the social media of the various media figures/known government leakers. Perhaps even look at some of the pizza gate dumps for stego. And as always, If you do start finding PK images from journalists on their social media, archive and backup everything before you blow your load, so they don't delete more than they already have once they find out we know.

Anonymous ID: 0016c5 2018-08-01 09:35:52Z No. 2387811



Anonymous ID: fa9e7b 2018-08-01 09:51:02Z No. 2387890


I do android programming and the C0217R code you psoted looks like resource ids compiled by the either android studio or gradle. They must be manually added because usually they are in or sometimes in (in the final apk)

Anonymous ID: fa9e7b 2018-08-01 10:06:04Z No. 2387952

I ran the apk version 1.0.1 (last version listed on the playstore) and couldn't find the C0217R class, ran it through two decompilers and neither had it in its output set of files.

Anonymous ID: 1eb45a 2018-08-01 10:26:07Z No. 2388029

I wondered if the first 100 bytes of jpeg files we're looking for is not unique to PixelKnot. So I made a "" shell script to recursively search directories on my computer. I searched a backup from an old hard drive to see if any jpeg files that predate PixelKnot could be found. There were no matches out of 17k jpeg files. I'm leaving it here in case any anons find it useful.


./ <path to search recursively from>


PN_HASH_DESIRED_OUTPUT="3f3078870bf5ddc7c4d0e6e5941805b7a062c45d -"



# Make sure globstar is enabled to support recursively searching
shopt -s globstar

declare -i FILES_EXAMINED=0
declare -i MATCHES_FOUND=0

echo "Searching for jpeg files to see if it looks like Pixelknot created them."

function exit_output {
echo "";
echo "Terminated. Jpeg files examined: ${FILES_EXAMINED}, matches found: ${MATCHES_FOUND}.";

trap exit_output EXIT

for filename in **/*.jp*; do
FILE_HEADER_SHASUM_OUTPUT=$(head -c 100 "$filename" | shasum)
echo "File $filename looks like a Pixelknot image.";

Anonymous ID: 5c991a 2018-08-01 10:53:37Z No. 2388161

Anonymous ID: fa9e7b 2018-08-01 11:00:45Z No. 2388204


Anonymous ID: 0b8713 2018-08-01 13:17:33Z No. 2389010

Have the pictures Q posted been checked? Perhaps Q has posted some passwords, like his bolded words.

Anonymous ID: e0b5a0 2018-08-01 14:48:12Z No. 2389880

Anonymous ID: 1b4548 2018-08-01 15:53:51Z No. 2390679


Thanks for clarifying, I thought I was on to something. Did the same with another decompiler and they were either absent or listed as like you said.

Anonymous ID: 745039 2018-08-01 15:59:29Z No. 2390758


>only people stupid enough to use that app are media types. Well, that's interesting

started in 2012

n8fr8 and harlo are contributors up until 2015

sep/nov 2016 N-Pex starts updating and 2.0 is released 11/20/2016

out of the blue on feb 15 2017, n8fr8 updates the f5Android "update F5 to latest with fix"

but that "FIX" is only the removal of the JFIF header making it possible to easily identify PixelKnot images

without that "FIX" PixelKnot images would not be easy to detect

would look like any other images from software that uses james jpg encoder or f5 encoding

and that change was pushed down to line 666


>scrapping them from the archives of /pol/, 4/pol/, perhaps QResearch


brute forcing encryption is the worst way to figure this out

search for more images

look where they come from

find patterns

Anonymous ID: fa9e7b 2018-08-01 16:01:34Z No. 2390788


Welcome, just glad i spotted it so no one wastes time on that than needs to happen :)

Anonymous ID: 745039 2018-08-01 16:50:58Z No. 2391530



no decode on 2c19435a6c6d0b75661f8bed4269e540bdea162d20426e2865fa99473d164863 (scroll wheel)


crunch 4 4 '[email protected]#$%^&*()_+=-[]\|}{,./<>?" '"'"

no decode on any with default passwords

currently running 1 to 3 char combos on all from smallest to largest


Huffman decoding starts

count: 12378 elapsed: 60s = rate: 206 pw/s

Anonymous ID: 745039 2018-08-01 16:53:15Z No. 2391563


this rules out a lot of passwords anons might dream up

Anonymous ID: 0016c5 2018-08-01 17:06:17Z No. 2391741


I picked a random file and tried generating a 4 letter list using only the characters in a files filename. Nothing.

But occurred to me last night that it was a 13 char filename. If it done by shuffling the filename somehow then I'd be looking for a 5 char key. I don't have the horsepower to attack that in a reasonable time. So when I get home today I'm gonna write a filter that reduces the set to only those that use any single char no more than the number of time it appears in the source filename, unless you want try it first. If you do then let me know so I don't reinvent a bad wheel.

Anonymous ID: 745039 2018-08-01 18:01:02Z No. 2392853


the 13 char filenames are the hashes from qresearch, you have to find the original filenames

>first batch

original filenames of the images


we don't have filenames for the second batch


Anonymous ID: 745039 2018-08-01 18:35:53Z No. 2393746


this code change makes NO SENSE

Anonymous ID: 1b4548 2018-08-01 18:45:54Z No. 2393967

Interesting review from Jan 11 2018 from a user called "The45Guy 1776"

The45Guy 1776

January 11, 2018

I tried to send 2 pics thru mms and facebook messenger and niether were hidden they showed just the way they were. Deleted

Anonymous ID: 745039 2018-08-01 18:52:14Z No. 2394093


Another suspect change on 1/7/17

why add jni c++ buffers for performance?

quietly change the encoded quality from 80 to 90?

were they TRYING to make the PixelKnot images detectable on 1/7?

did it not work so so then they made the change on 2/10 to remove the the JFIF header?

spidey senses are tingly

Anonymous ID: 745039 2018-08-01 18:54:11Z No. 2394128


oh, no that was in 2013… the only change besides the 2017 change

Anonymous ID: 35f05f 2018-08-01 19:05:35Z No. 2394381


I was hoping that the quality that the image was encoded with was written to the file, unfortunately that's not the case. I think the header removal change is all we need for now anyways.

The road is steep from here though, something tells me they aren't going to use a complex password, and I have a feeling that the password will unlock many images.

Anonymous ID: 745039 2018-08-01 19:13:56Z No. 2394535


before 2/10/2017 pixelknot f5 encryption layer had a fixed password of abcdefg123

it was ALWAYS possible to detect a pixelknot image, the method just changed on 2/10/17

there might be .jpg with JFIF header out there that can recognized with f5.jar with the password abcdefg123

Anonymous ID: 745039 2018-08-01 19:15:58Z No. 2394586


can somebody with an archive of images download f5.jar and run

for F in *.jpg *.jpeg; do java -jar ./f5.jar x -p 'abcdefg123' -e $F.msg.txt $F; done

strings *.txt

i do find some images lock up the f5 decrypt, you may need to kill some java processes along the way

Anonymous ID: 745039 2018-08-01 19:39:43Z No. 2395061


the original filenames we have found all start with a number.. the PixelKnot source will append a _1 when it is writing out if the file already exists

are the filenames reversed?












Anonymous ID: 745039 2018-08-01 20:39:36Z No. 2396389




>You'd be amazed how much is shared on /pol/


Hello I am a reporter from CBS.


think mirror


evil eye posted on 5/1/18

Q drop 1332 about D5 was on 5/10/18

>The snowball has begun rolling

D5 = Checkmate

Q drops about D5 4 time in may

and then again RIGHT AFTER we figure out the f5 layer of PixelKnot

Anonymous ID: 5c991a 2018-08-01 20:44:59Z No. 2396481



Very nice finds.

So yes, the filenames are reversed, and perhaps the images are as well.

Try flipping the images horizontally before trying to extract the data from them.

As for what the passwords are.. try the filename without any number appended to the end, both regular and reversed.

Let me know if that works for you… I still haven't found a way to test these out on my own computer.. MacOS.

Anyone know of a way? If so then I can help.

Anonymous ID: 5c991a 2018-08-01 20:46:07Z No. 2396504


Actually I'm not sure if flipping the image changes the ability to extract data from it or not - that would be the first thing to test with an image we already know has data and already know the password to.

Anonymous ID: 745039 2018-08-01 20:51:27Z No. 2396613


install java

open terminal

download f5 jar from google code

curl –output f5.jar

here's how to test a password on the f5 layer (this will only be the last 1/3 of the full password)

java -jar f5.jar x -p plan -e out.txt Q4example.jpg

cat out.txt


scaling, flipping, or modifying in any way will remove the hidden data

Anonymous ID: 5c991a 2018-08-01 20:58:11Z No. 2396723


Thank you anon I will set things up in a few hours and try and see if I can get anything out of these images.

I'll report back with any important findings.

Anonymous ID: 745039 2018-08-01 21:05:00Z No. 2396863


>>2396389 was D5 the CBS PixelKnot Message on /pol/?

Anonymous ID: 1b4548 2018-08-01 21:20:09Z No. 2397152


Mirrored, yes





Anonymous ID: 1b4548 2018-08-01 21:23:56Z No. 2397240


though nothing extracted with steghide with the whole string D5_7udrmySQBwlDP_0 or just the underscored 7udrmySQBwlDP

Anonymous ID: 745039 2018-08-01 21:58:54Z No. 2397994



this was posted to /qresearch/ 07/08/18 during 20 days of silence


filename ends in -Q (extra group from other filenames)

pixelknot header

same image on

posted 7/11/18

filename is diffferent


both PixelKnot

not the same files

Anonymous ID: 745039 2018-08-01 21:59:32Z No. 2398004


oops not the same image

Anonymous ID: 745039 2018-08-01 22:02:59Z No. 2398080


all these images on

have pixelknot headers

Anonymous ID: c5ee9d 2018-08-01 22:21:43Z No. 2398467

Lmao, you guys are stupid.

All JPEG images uploaded to meet the criteria set out in the OP (no JFIF, xFF xC0 x00 x11 @ 0x88).

Good job, everyone! You have been collecting and brute-forcing random images originally hosted on

Anonymous ID: 745039 2018-08-01 22:33:32Z No. 2398717



here's an article written before the PixelKnot header change:

Jan 31, 2017

missing JFIF and has the second sig

Anonymous ID: 4d00ef 2018-08-01 22:44:49Z No. 2398936


K so all we need to do is image search for an image with that header. If no results found (and the original filename isn't like medium's random naming bullshit) then we probably have a PK image.

Anonymous ID: 745039 2018-08-01 22:45:44Z No. 2398947


not all of these were posted on

there is (at least) one other piece of software that makes the same header

stegdetect doesn't find any f5 data in images

1_b3jcMKfQQzl0t56L1kiuZQ.jpeg : negative

1_OF9MABBWU8CN6Dmyu1N32w.jpeg : negative

1_V7KBi6mUHK914qssJEFwfw.jpeg : negative

others do

1_FCAsiu79H2b2aUGLdD7mBw.jpeg : f5[1.949593](***)

1_S72sax0zPtFX7yE-9hlxYg.jpeg : f5[1.565821](***)

1_Wu-LPq1zKK-R5lsT67nRYA.jpeg : f5[0.652062](***)

1-0V2r2vC9pJRhMu8E_i0B7A.jpg : f5[1.590077](***)

CBS evil eye

0_PDlwBQSymrdu7_5D.jpg : f5[1.687834](***)

Anonymous ID: 5c991a 2018-08-01 22:46:15Z No. 2398957

Alright I am testing now.

I can confirm that flipping a test image horizontally (or doing anything to it) breaks the stenography. But putting it back in place, or back the right way even after saving makes it work again.

So flipping the images could be the right way to go.

Another thing I found online:

mention of f5 in clinton emails

"nf weder 1 noch 3"

its in the source code for huffman

This pixelknot stuff might be bigger than we know.

Anonymous ID: 745039 2018-08-01 22:53:27Z No. 2399125



the missing header is not unique to PixelKnot (doh)

images with the missing header that stegdetect thinks have f5 data

Anonymous ID: 4d00ef 2018-08-01 22:57:30Z No. 2399203


Does stegdetect hit false positives?

Here's a medium article with the exact illumipepe image [positive ID by SHA] that's in your list.

https://medium. com/@Freequincy/right-wing-dove-squad-how-trash-dove-became-the-symbol-of-the-alt-right-c7794b84a48d

Anonymous ID: 5c991a 2018-08-01 23:03:17Z No. 2399313

Alright guys I played around with it more. I learned that if you get near the actual password with f5.jar, it starts spitting out some bytes of data and extracting some stuff instead of giving nothing.

With this attached image (I flipped it horizontally) and a password of BwlDP I was able to extract some nonsense data. I think it means we are getting close, but I don't have pixelknot in order to try actually getting the real message out.

I'm not able to get a clean file out that says "pixelknot v1.0 password required" etc.

Will update.

Anonymous ID: 5c991a 2018-08-01 23:06:30Z No. 2399373

Can someone with pixelknot give me more test images with known passwords to experiment with?

Anonymous ID: c5ee9d 2018-08-01 23:10:14Z No. 2399442


And it is before the header change.

So we have now established that stegdetect gives false positives, and all JPEGs meet the other criteria.

A new approach is needed. Perhaps focus less on finding PixelKnot images and more on Q's images.

Anonymous ID: 745039 2018-08-01 23:10:31Z No. 2399450


"The results obtained shows that

the ratio of false positive generated by Stegdetect depends highly on setting the sensitivity value, and it

is generally quite high"

Anonymous ID: 745039 2018-08-01 23:14:15Z No. 2399498


not sure this image is after the change this is right at the same time

when was the build was pushed to the store?

stegdetect really things there is something but with a small image like that who knows

68ccb4146da74068a0d8749ac6bd3dab249e1a6d947c8ee106ef5bfdc0c9cf6e.jpeg : f5[3.026896](***)

Anonymous ID: 4d00ef 2018-08-01 23:16:01Z No. 2399532


Either Test or test



I think we just need to gulag image search a candidate image ID'd by stegdetect against - if you get a result, move on. If no matches, then it's probably highly likely we've got an actual PK'd image.

Anonymous ID: 5c991a 2018-08-01 23:21:31Z No. 2399620


Thank you anon, that one works perfectly.


>if you get near the actual password

this theory is bunk.

disregard it.

Anonymous ID: 323ec5 2018-08-01 23:31:22Z No. 2399798


This and several other posts…

The tech literate have always known spy agencies cripple publicly available encryption but good grief! We aren't even experts at this stuff, just code monkeys poking through an open source repo. The whole thing is vulnerable! It's only a matter of time before we crack this.

Anonymous ID: 4d00ef 2018-08-01 23:35:22Z No. 2399880


I managed to get stegdetect working myself here…

So I tried adjusting the sensitivity but I don't see any difference in the output. Can you please try anon?



Anonymous ID: 4d00ef 2018-08-01 23:47:46Z No. 2400150

The pedo jewelry is the smallest image I can find that has the correct headers, gets a positive from stegdetect, and is not found on

Anonymous ID: 1b4548 2018-08-01 23:53:08Z No. 2400272


got some more for you. avatar is the original. password is the title. each have the same message except PKcrew.jpg

Anonymous ID: 4d00ef 2018-08-02 00:08:16Z No. 2400585


Scratch that - wrong header

Anonymous ID: 745039 2018-08-02 00:10:59Z No. 2400637

right header

Anonymous ID: 4d00ef 2018-08-02 00:14:04Z No. 2400699


These bytes don't matter?

Anonymous ID: 323ec5 2018-08-02 00:15:36Z No. 2400732



Use the ImageMagick command "identify" like this:

$ identify -format '%Q\n' yourimage.jpg

Anonymous ID: 5c991a 2018-08-02 00:26:15Z No. 2400934


Thank you anon.

Anonymous ID: 745039 2018-08-02 00:30:22Z No. 2401017


> The DQT header

> 0 is the luminance index and 1 is the chrominance index

Anonymous ID: 4d00ef 2018-08-02 00:36:28Z No. 2401150


Thanks anon. Just wanted to confirm I understood that code correctly.

J.TrIDr3ESpPJEs ID: ee4cfa 2018-08-02 00:56:38Z No. 2401525

I had posted to this thread, but my post appears to have mysteriously (?) gone missing.

I mentioned to factor in symbols from international keyboards (£, euro sign), dusting off old hardware to assist in brute-forcing, and divying up tasks between yourselves (and let each other know) so you're not all trying to brute force the same issue.

It's curious my suggestions on ways to improve the efficiency of detecting PixelKnot 'magically disappeared', given no other post I've written so far has.

I had posted to this thread, but my ID: ee4cfa 2018-08-02 00:58:24Z No. 2401556

Oh yeah, don't forget to factor in unicode (if the password supports it and isn't just ASCII). Most format common is UTF-8 (non-BOM), and would exponentially increase the number of characters you'd need to check before solving.

But I digress.

Anonymous ID: 4d00ef 2018-08-02 01:04:32Z No. 2401673

ROFL Holeee Sheit

Anonymous ID: b2ea3f 2018-08-02 01:10:26Z No. 2401778

I'd like to help out (two 16 core machines) but I don't know any java. A lot of these images run through f5 seem to hang at a German error message from Also f5 doesn't seem to take "jpeg" but needs "jpg"

Does this header need to be repaired or is that part of the processing in some other way?

How do I setup the workflow for password brute forcing?

Anonymous ID: 4d00ef 2018-08-02 01:29:42Z No. 2402121


This is what I'm using anon - single thread per instance though. You'll have to manually split your wordlists. It will automatically generate every permutation for a given charset and exit if a correct solution is found.

Run by calling the following on your command line:

java -cp bcprov-jdk15on-160.jar; q.Main %IMGNAME% %CHARSETFILE% %STARTINGWORD%

Anonymous ID: 745039 2018-08-02 01:34:56Z No. 2402218



is it possible to use emojis for the passwords?

can an anon try?

Anonymous ID: 745039 2018-08-02 01:40:22Z No. 2402331


glad to help anon

good to double check work

Anonymous ID: 11b051 2018-08-02 01:47:23Z No. 2402460


I'm losing my mind, I cannot decode my own image from the app, but another anon could UGH!

What's somewhat strange when I download the image from 8chan, it has the header even though the app removes it.

Also, I thought I saw someplace in the code where there is maximum dimensions for an image, but I can't seem to find it.

Anonymous ID: 4ee9d4 2018-08-02 04:16:48Z No. 2405387

You know how a bunch of qposts have weird codes in them? Any way we could incorporate a line for line, raw text record of all drops as a password list?

I think this would be especially applicable to any knotted images found in the drops themselves, if there are any.

Anonymous ID: 0016c5 2018-08-02 05:35:57Z No. 2406738


Kek! Yeah, I had a flash of terror when I though of that too.

Thankfully, no.

Anonymous ID: 0146c4 2018-08-02 06:05:19Z No. 2407136


It's weird how similar the filenames are to the stringers, no idea if they encoded the passwords this way, but it's possible. How else would DS operators share passwords? and if they could share passwords why not share messages that way? why F5?

Anonymous ID: 0016c5 2018-08-02 07:25:11Z No. 2407861

Wait a second… files that I uploaded yesterday that were encoded with PK are no longer so.

Check 'em. Their sha256 hashes no longer match their sha256 filenames. CodeMonkey must have heard about what we've discovered and not liked that his site is being used for such purposes.

sage sage ID: 909d2e 2018-08-02 08:24:54Z No. 2408393

Steg in the news

Anonymous ID: 0016c5 2018-08-02 09:08:41Z No. 2408637


How much you wanna bet half-chan is doing the same thing? We shouldn't have announced our finds so publicly. Now we can't scrape pages to find more such images. That spoils all my fun.

I discovered this while testing a python script to scrape and quickly check all the images on a page. It detected 36 images on this page on one test and none on a subsequent test without changing anything in that section of code. They must be checking and reencoding old images when accessed.

Here is my code to scrape and scan a chan and forum type sites (anything without fancy-shmancy frames or JS). Doesn't work on Pinterest, Instagram, Medium, etc.

I don't know what good it will do now that the word is out about how easy it is to find this kind of stenago. Damnit. If we find another way to detect such hidden messages let's swap PGP keys and discuss it privately.

Anonymous ID: 0016c5 2018-08-02 11:54:30Z No. 2409560


It's not just the missing header. The first 139 bytes of nearly every file in Medium is identical.

The "James" that wrote the JPEG encoder in f5.jar and PK used to sell/license that same code. It may have found it way into the Medium back end. And it's conceivable that someone annoyed by the default comment that it normally produces got a little over zealous when they went in to shut-up that section and also commented out the JFIF part.

Alternately, Medium is know to be badguy territory. Maybe they either use stegano extensively. Or perhaps they know that PK images are easily recognizable and are intentionally sowing innocuous images with same signature to create cover for people using PK.

Anonymous ID: 11b051 2018-08-02 12:08:43Z No. 2409640


I will verify this myself here soon, I believe this is a huge discovery.

So imageboard must reference the original uploaded file in the database for the site. Likely , someone has written some script to re-encode/change headers of all the jpg files that have been uploaded.

I know when I uploaded my PK image it didn't have the header, and now it does! I believe this is going to be the case for every stego file on 4&8.

This is a potential huge FU to all of us, this is why we archive offline, but it means that we cannot pass jpgs around on here since the headers (at least) have been changed or the files have been re-encoded.

IF this is indeed the case the question is why?

Anonymous ID: 11b051 2018-08-02 12:11:44Z No. 2409668


>So imageboard must reference the original uploaded file in the database for the site.


Anonymous ID: 11b051 2018-08-02 12:15:52Z No. 2409701


I'm not aware of Medium, is it connected to these boards?

Anonymous ID: 0d7643 2018-08-02 13:54:01Z No. 2410424

I'm curious, is thre a PC version of Pixelknot somewhere?

Anonymous ID: bb8fea 2018-08-02 15:52:10Z No. 2411695


have to run it through an emulator.

Anonymous ID: c25bbb 2018-08-02 16:03:36Z No. 2411831

Testing PK

Anonymous ID: c25bbb 2018-08-02 16:13:23Z No. 2411942


Can you download the jpg from my test again, and compare against your original download from Tuesday? (Sadly I don't have the original)

Also, can you even decode it – once you download the new copy of it?

Anonymous ID: 59cecc 2018-08-02 16:24:48Z No. 2412101

Might be nothing, but "Sarah" is posting again over on halfchan. Figured I'd let you pixelfags take a look.

Anonymous ID: 0016c5 2018-08-02 17:00:13Z No. 2412561


One of the spoopy images we found on QResearch was traced back to hear:

Anonymous ID: 0016c5 2018-08-02 17:08:25Z No. 2412677



Anonymous ID: 0146c4 2018-08-02 19:05:40Z No. 2414691


I get the german huffman error with lime-cat.jpg.

Anonymous ID: 0146c4 2018-08-02 19:13:02Z No. 2414834



steg detect was positive, these aren't following the filename formats though, i think they are changing password exchange up.

Anonymous ID: 71686a 2018-08-02 20:48:04Z No. 2416423


Did you notice the Nazi photo with a squirrel on his shoulder? Look at filename "1_07NuaT7Ds4D5eaufbUMVnA.png".

It is a PNG image instead of a JPEG though, it would not have F5 in it (if anything). The contents could have been scrubbed already but uploaded a ZIP file.

We don't know if the real SS is involed or just her likeness used again, but the OP's 4 posts do sound like a Jew (they know the talking points). The Nazi-bashing is ridiculous but someone might talk that way… :/

Anonymous ID: bb8fea 2018-08-02 21:00:14Z No. 2416626


from a medium post from 2016 filename on medium is 1*07NuaT7Ds4D5eaufbUMVnA.png

Anonymous ID: c25bbb 2018-08-02 21:29:39Z No. 2417121


There is an image called goods.jpg (pw: qanon) - that was extracted previously (not by me). Something tells me the image that was uploaded then, is no longer the same as it is now.

This refers back to >> 2408637, when I uploaded this other pick and re-downloaded it, it still has the header.

This likely means that some script was run around Tuesday sometime, that altered the images stored here and would have had to be done by someone on the back end. So if anyone was able to decode any images earlier in the bread, and have the source files (before they were uploaded), could verify that there was changes done on the back-end to those files that would be great.

If the files were re-encoded then the stego is gone, and that is a huge blow to finding more images here and on half-chan. (I'm assuming the same was done on half too)

Anonymous ID: 0146c4 2018-08-02 21:39:41Z No. 2417299


I think this is the case. The photos of the letter 'Q' for example only partially worked when I was looking at these last night. avenger.jpg didn't work but GreatAwakening.jpeg still did. maybe it missed the .jpeg extensions..


Interesting, I'm starting to think the filenames are a result of tooling or cache systems rather than being an autokey cipher of sorts. Back to the drawing board I guess. Maybe Q will help us out later with the 'key'.

Anonymous ID: 745039 2018-08-02 22:54:00Z No. 2418536


running 3 char combos on these files


'[email protected]#$%^&*()_+=-[]\|}{,./<>?" '"'"

these files done scanning with all 3 char combos and no matche


















Anonymous ID: bb8fea 2018-08-02 23:05:45Z No. 2418768


Yeah, all the files that I had earlier, and the ones still in my browser cache, would decode fine. After a hard refresh, and a clearing of the cache, the new images showed. They are indeed re encoded and don't work. tip stego

Anonymous ID: 1b4548 2018-08-03 00:02:58Z No. 2419895





Yup, reencoded to cover their asses. Not only to write in the JFIF in the initial line, but going back to this post


notice that between yesterday's and today's downloads the string after the DQT header is absent

a writeup on an online information security exercise points this out as a clue to get to the next level of the exercise

>could be contain malware or steganography on line



>inside alien picture

>use the application Steghide to extract data from the picture:

>steghide.exe extract -sf aliens.jpg -xf out.txt

example pic

Anonymous ID: 745039 2018-08-03 04:36:29Z No. 2424756

I went through the rest of the f5 detected images and did google image searches and ruled out images that I could find somewhere else and was left with 3. The CBS eye I left in because it was posted on /pol/ and has 5D (D5 mirror) in the filename

focusing on these three now

Anonymous ID: 0016c5 2018-08-03 05:37:26Z No. 2425587


I think Evil Eye one is a false positive. Steg detection works by finding what should be sharp lines and checking for if they are not. A image like this has no business ever being encode with JPEG. You get too much buzzing around the sharp edges.

I just manufactured a test image as closely as I could to the a1 file using a PNG of the same logo at high rez and GIMP and quality 70. Stegdetect -t F gives me 1.711036. I think it's because if the very similar buzzing you see when you zoom in (use Pix, it doesn't smooth pixels).

Anonymous ID: 0016c5 2018-08-03 08:55:59Z No. 2427826



Drop a PGP key. I want to talk to you about something privatively.

Here's mine,

Anonymous ID: b95bf4 2018-08-03 10:44:52Z No. 2428579

Remember the Wikileaks that contained Antarctica photos that John Kerry took of the ice? Didn't JA/Wikileaks put a tweet out prior to the dump with a hash code? I always wondered why photos of the ice were of significance. I am looking for the photos and the hash code tweet to see if anything is there now that I am aware of pixelknot. Any assistance would be appreciated.

Anonymous ID: 745039 2018-08-03 16:12:37Z No. 2431674


Anonymous ID: 0e2334 2018-08-03 16:32:36Z No. 2431983


Great time for by modem to reset. :/ But that's what signing is for.

Anonymous ID: 745039 2018-08-03 17:12:34Z No. 2432554



Anonymous ID: 745039 2018-08-03 17:40:24Z No. 2432888


makes sense… these drops keep coming to mind though


Left eye [marker].


How do you hide a message in clear sight?

You'd be amazed how much is shared on /pol/.

Data exchange.

Anonymous ID: cbb4cd 2018-08-03 18:44:15Z No. 2433919


Is this the one

Anonymous ID: cbb4cd 2018-08-03 18:45:34Z No. 2433945


Or this

Anonymous ID: 745039 2018-08-03 22:36:09Z No. 2438149


>Huma interviewed by FBI on Jan 6 2017

>Harlo code change on 2/10/17 (gradle build #5)

merge of all harlo's local changes for the last 3 years she pushed to gitlab.. removed the JFIF header then merged into guardian project F5Android, then consumed by PixelKnot and playstore image was updated (but not the .apk on the download page)

>John Podesta joins The Washington Post as a contributing columnist February 23, 2017

Anonymous ID: 1b4548 2018-08-03 23:22:23Z No. 2438967


>build for all archs

Refers to a make file for the app to compile shared object .so files for the architecture the OS is running on. ARM for phones and tablets x86 for the PC port of android. Not sure if Androidx86 and linux are directly compatible. Open the app's apk as a zip file and it shows for different archs

Anonymous ID: 96faf4 2018-08-03 23:31:34Z No. 2439136


What's taking so long?

They decode top secret passwords in movies in just a few minutes.

Thought that was gonna be easy peasy?

Anonymous ID: 745039 2018-08-03 23:42:09Z No. 2439305


if it was easy it would be your mom

Anonymous ID: 96faf4 2018-08-03 23:47:27Z No. 2439394


Maybe you are just lacking some skillz?

I did the maths - we might see some results in about 100 yrs

What is you ETA for the results?

Anonymous ID: 745039 2018-08-04 01:51:12Z No. 2441444


thank you we needed a bump

Anonymous ID: 96faf4 2018-08-04 02:25:18Z No. 2442019


Tick tock

Anonymous ID: 1b4548 2018-08-04 09:01:14Z No. 2446299




Has anyone tried the experiment to estimate the original/cover image DCT that these two pointed out.



Not going to lie it was way too much post-grad statistical math for me to understand completely. Found a summary paper which made reference to it.

Steps for the F5 Steganalysis algorithm [3][4][6].

Step 1: Input the stego image for performing Steganalysis. (get steg quantization parameters)

Step 2: Decompressed the stego image.

Step 3: Crop the image by 4ҳ4 column from all sides.

Step 4: Apply blurring operation to remove artifacts.

Step 5: Then re- compressed the image. (using quantization parameters from step 1)

Step 6: Count the different histogram value for the stego image and cover image.

Step 7: Calculate the difference

Difference = stego image value – cover image value.

Anonymous ID: 745039 2018-08-04 15:23:43Z No. 2448557




all this attention for little me?

you're making me blush

Anonymous ID: 745039 2018-08-04 15:34:39Z No. 2448673


good thinking anon

been using stegdetect which does this exact thing for f5

what we know:

* images made by PixelKnot before 2/10/17 were f5 encoded with the password abcdefg123 (these would not be compatible with the latest version of PixelKnot)

* images made by the version after 2/10/17 (on play store) are missing the JFIF header (a few websites like match the same signature, not sure why) and are decoded with the last 1/3 of the full password

anon with archive of jpg from qresearch or pol

might be worth it to try to decode any jpg with f5.jar using password abcdefg123

for F in *.jp*g; do java -jar f5.jar x -p abcdefg123 -o msg.txt $F; cat msg.txt; done

Anonymous ID: 745039 2018-08-04 16:04:00Z No. 2449002


ruled out 54,700,816 4 letter combos on evil eye

/crunch 4 4 '[email protected]#$%^&*()_+=-[]\|}{,./<>?" '"'"

either false positive or password is longer than 12 chars

found the pedo ring image on, looks like they strip the 'JFIF' header too

Anonymous ID: 745039 2018-08-04 16:25:13Z No. 2449226

found the vineyard jpg on medium with the missing header

found the evil eye too

Anonymous ID: 745039 2018-08-04 16:28:21Z No. 2449249


crunch string was missing a few chars ~-`

should be

crunch 1 4 '[email protected]#$%^&*()_-+=-`~[]\|}{,./<>?" '"'"

trying all 1-4 combos with those missing chars on the evil eye (8m should take about 6 hours)

Anonymous ID: 745039 2018-08-04 16:56:33Z No. 2449514


landon uploaded the evil eye may 2018, same month it showed up on pol

BUT - the landon photo with the same filename does not have the pixelknot header (and doesn't decode with abcdefg123)

found cbs-logo.jpg that is the same size on from 2018

it doesn't not have the JFIF string but doesn't match the PixelKnot header

Anonymous ID: 4569e1 2018-08-04 17:01:02Z No. 2449563



The photos were released in one of the Wikileaks drops.

Anonymous ID: 0146c4 2018-08-04 17:15:06Z No. 2449706


Well if anybody wants to study a pixelknot mask we have a source and an encode photo. also bump.

Anonymous ID: 745039 2018-08-04 18:25:32Z No. 2450617


Anonymous ID: 745039 2018-08-04 21:22:26Z No. 2453024


done, none of those

Anonymous ID: 0146c4 2018-08-05 02:32:30Z No. 2457804

Does anybody have more details on the underlying implementation of SecureRandom? Depending on the psuedo random number generator we may be able to reduce the search space to the possible values of the seed (ex, 0 to maxint).

Anonymous ID: 96faf4 2018-08-05 02:35:35Z No. 2457842


Moar results - fewer pictures

Anonymous ID: 0e2334 2018-08-05 07:49:30Z No. 2461532


Beyond 4 chars we are going to have to get a lot smarter with how we pick what passwords to try. It not hard to imaging a 20 char passphrase.

One way to do this is to try the endings of long dictionary world and short words with a space and short random prefix. Then run the same set through 1337 speak substitutions. And then add ending punctuations.

Another idea I had is to score perspective random passwords based on the combinatorial frequency of character pairs. "TH" is more common than "ZD". We could have crunch generate a 100, 000 times as many passwords as we could directly check and then filter them down to the top 99.999th percentile.

Obviously the optimizing it from the start would be better. But I don't think I'm smart enough to work out all of the patterns in how people chooses passwords and phrases or to build a highly optimized generator (I could eventually, but I'm not going to spend the rest of my life on this).

In the short term we could keep a file of all failed password. Diff might get awfully bogged down comparing TB scale sets. But if the archive is kept asciibetically presorted then a custom tool could be it efficiently enough for it to be worthwhile.

Anonymous ID: 0146c4 2018-08-05 13:42:20Z No. 2463119


Did you just realize the same attack vector I did? There a way we can group up outside public space? Here's a quick rundown, use your key.

Anonymous ID: 0e2334 2018-08-05 14:24:24Z No. 2463526



SecureRandom basically works by taking the password, hashing it with SHA1 to set the initial state (160 bits, 20 bytes), passing these bytes out as requested, and rehashing the state to create a new state when it runs out of bytes. It does this as many times as needed to create as many psudorandom bytes as requested.

This data is first used to shuffle a list of integers (0 to the number of DCT coefficents, which is also happens to be the number of pixels) which is used as a secret treasure map to scatter bits the message throughout the image. Further output of SecureRandom acts as a simple XOR cypher upon the payload message.

Without the password we don't even know which bit of what pixels and in what order contain the encrypted message. We are not even sure there IS a message. It could just be a wonky JPEG encoder.

Any kind of REAL cryptanalysis, linear or differential, is waayyyyy out of our league. And the password is always going to be the weakest part of the system. Efficient and smart password guessing is really the only option.

If you want to see the exact details you can download it directly from Oracle.

Anonymous ID: 0146c4 2018-08-05 14:37:08Z No. 2463615


Thanks for the reply. I noticed the message byte XOR with a random byte after the fact, so yea I don't think we can reconstruct the first steps of 'the map'. If we are to take the brute force approach tho, I would suggest we patch F5.jar to short circuit if the first message byte doesn't come out as expected. We can also make it retry different passwords without reloading too to save some more time (instead of decompressing the image over and over again, reading disk, etc). Just some ideas.

Anonymous ID: 0e2334 2018-08-05 14:56:44Z No. 2463782


That is exactly what I did immediately.

Lines 147 to 149. I also early abort if the 32bit message length comes out as an unreasonable number. It should never be more then a couple kilobytes. Give it a file and feed it lines through STDIN. I haven't got around to multithreading it. So just run it in four terminals.

When ( if ) I ever stop getting distracted by side projects, I intend to make a C based implementation. There are a lot of steps between the five state integers in the SHA algo and the permutation table could be trimmed down.

Anonymous ID: 0e2334 2018-08-05 14:59:09Z No. 2463803


* Add the above to the F5-steganography files from here. Drop in next to Embed and Extract compile.

Anonymous ID: d68afe 2018-08-05 16:39:52Z No. 2464928


Found an old password used by Robert the Bruce in Aberdeen….

"Bon-Appart" tgry with and without dash. Try capital and lower-case. try backwards.

==Please try for password on all Q pics you can and POTUS tweet pics"

Anonymous ID: fb35f4 2018-08-05 19:20:48Z No. 2467100


This paper talks about detecting F5 by analyzing the histogram of DCT coefficients. I suspect this may be a more accurate means than stegdetect.

Anonymous ID: fb35f4 2018-08-05 19:41:35Z No. 2467430


After looking at the source for stegdetect, it appears it uses exactly the method in the paper.

Anonymous ID: 1b4548 2018-08-05 21:31:23Z No. 2469199





With PixelUnknot code, is this kind of the workflow it's taking?

get wordlist string ~ "lovely8unch0fcoconut$"

test last third string "oconut$" in e.extract(coeff, ostream, extractF5Seed(mPassword))

if matched, test DecryptWithPassword with string "lovely8unch0fcoconut$"

return secret message

else, get new wordlist string

or ist it doing this?

get wordlist string1 ~ "oconut$"

test string1 "oconut$" in e.extract(coeff, ostream, extractF5Seed(mPassword))

if matched, crunch wordlist string2 with 2x length of string "oconut$" ~ "lovely8unch0fc"

test DecryptWithPassword with string "lovely8unch0fc"+"oconut$"

return secret message

else get new string2

else get new string1

Anonymous ID: 745039 2018-08-05 21:36:24Z No. 2469295




can't get over this filename…

what software renames files with square brackets [1]?

seems more like a Q post

[1]D5 7udrmySQBwlDP 0

found an automated cryptogram solver

7udrmySQBwlDP = 7in the COMpaNY

Q says less than 10 can confirm, read somewhere that 3 were non-military, would leave 7 in the company

[1]D5_7in the COMpaNY_0

maybe reading tea leaves here

still brute forcing…

(pic unrelated)

Anonymous ID: 745039 2018-08-05 21:40:54Z No. 2469375


right now the code

loads the words from the file and tries it (and every substring of the end over 3 chars) to decode the f5 layer. it early exits if the chars don't match the PixelKnot special string '—-*' and if it finds one it will print out the pass and exit. this would be the last 1/3 of the password and we can change the code back to try to decode the rest

this code is a little better, tries the word backward and forward and prints out the progress

Anonymous ID: fb35f4 2018-08-05 21:57:30Z No. 2469702


Neither. For detecting F5 it's analyzing the DCT histogram of the image in comparison to the (predicted) histogram of the original image before F5 data was embedded.

Anonymous ID: 745039 2018-08-05 21:59:51Z No. 2469749


anon multithread it like this:

Files.readAllLines(filePath, StandardCharsets.ISO_8859_1)


.forEach(line -> {

// your code



Anonymous ID: fb35f4 2018-08-05 22:03:32Z No. 2469816



Fuck sorry answering the wrong question… apparently I have two IDs but still getting my (you)s

>get wordlist string ~ "lovely8unch0fcoconut$"

>test last third string "oconut$" in e.extract(coeff, ostream, extractF5Seed(mPassword))

>if matched, test DecryptWithPassword with string "lovely8unch0fcoconut$"

>return secret message

>else, get new wordlist string

What I uploaded is like this, except it is modified to only do the F5 seed portion - the output of the string generator gets passed directly

<e.extract(coeff, ostream, mPassword)

Anonymous ID: 745039 2018-08-05 22:47:46Z No. 2470605



java has supported writing jpeg in imageio since 5

why do images look like they written by a modified james jpeg encoder?

they didn't always have the same header, changed after 2013

f5 encoding something in the images?

Anonymous ID: 0146c4 2018-08-06 00:50:11Z No. 2472406


The [1] is new actually. When I first pulled the file it was not there. Only after 'scrubpocalypse' last teusday evening did I look again and saw [1] added on the chan archives. Was strange.

Anonymous ID: d68afe 2018-08-06 09:27:42Z No. 2477411


Try Vanguard or vanguard (backwards/mirrored also) on ALL NXIVM or Allison Mack pixelKnot images dealing with them… run it on auto if possible on everything

Anonymous ID: 745039 2018-08-06 15:00:37Z No. 2479397


it was [1] on the /pol/ post

HERE is the evil eye on medium

different size same filename

that makes all of the images that anon have found matching the pixelknot header that were originally on

Anonymous ID: 0146c4 2018-08-06 15:53:33Z No. 2479932


I mean that it wasn't one on the archives before Tuesday. They CHANGED the archives. PixelKnot adds '_#' for conflicting filenames, so it wasn't from that. I literally downloaded a steg'd version from the archive without the [1]. plz no gaslight.

Anonymous ID: 0e2334 2018-08-06 17:29:03Z No. 2481143


That's odd. I found the same image on Medium last week and it had the same hash as the one from /pol/. Now it doesn't. It has indeed been changed. And the archive now has one with yet a different hash.

Someone is cleaning up. Good thing we have offline backups.

Anonymous ID: 0e2334 2018-08-06 17:53:57Z No. 2481502


All of the files from our reduced set all traced back to Medium, Motherboard, or Flipboard. And I spot checked a few of them last week; and the files from there had the same hashes as on their source sites.

Anonymous ID: 9db91f 2018-08-06 17:57:01Z No. 2481567

It’s amazing the pushback I get from my own, they think I’m crazy when sharing Q. They give me every reason to prove the Great Awakening false. But I know better than they and push that they might also consider. They don’t believe me when i speak about the gospel either or the covenant our True God made with mankind.

“A prophet is not without honor, except in his own country, and his own kin, and in his own house.”

Anonymous ID: 0146c4 2018-08-06 18:27:44Z No. 2482058

Heads UP, they may be changing the stego in their comms:

Filenames have a funny ~2 at the end, ironically they re-used the photo from a previously identified stego in their 'screenshot'.

Anonymous ID: 745039 2018-08-06 19:05:18Z No. 2482637

Going back to Q Silverman drop


the file in the drop is IMG_382.jpg which didn't have the PixelKnot header or stegdetect didn't find anything… but the next day this post shows up on pol with IMG_0457.jpg and stegdetect thinks it has something (maybe false positive, not pixelknot header)

Anonymous ID: 0146c4 2018-08-06 19:06:06Z No. 2482651


another one:

$ md5sum 1533557639424.png

9f4a2a5c8b07b183e2de8fd4908c77aa 1533557639424.png

$ md5sum 1533557639424~2.png

1831a96086323b3994c9caa924467cb4 1533557639424~2.png

The ~2 may actually be the chan's way of handling duplicate filenames.. odd the md5s are different however. saw something said something.

Anonymous ID: 745039 2018-08-06 21:52:59Z No. 2485093


Reddit post about PixelKnot looks like a honeypot




Do you have the skills to handle dangerous files? Want to help take down the cabal? Go here - <URL SHORTENED>


leads to

picture has the JFIF header so it was made with an older version of PixelKnot (from the download page)

seems like a huge time waste or trap to catch people like us

be aware

Anonymous ID: aafb4b 2018-08-06 22:50:23Z No. 2486032


I'm probably not the first with this, but is this related?

Anonymous ID: aafb4b 2018-08-06 22:51:14Z No. 2486050


(I tried cntrl-f "anonymous" but on this page I got more hay than needle)

Anonymous ID: 0e2334 2018-08-07 03:14:10Z No. 2490756


CM has been doing that here too, but without changing the filenames. After we found a easy way to spot the products of the weird JPEG encoder used by PixelKnot (hash the first 100 bytes) images posted here with that characteristic started being reencoded behind the scenes. 4Chan has probably heard by now and is doing the same.

Anonymous ID: 0b6cd6 2018-08-07 03:20:29Z No. 2490855


FYI - CM / 8ch is NOT altering originals.

It's CloudFlare. When snagging the originals gotta make sure to bust the caching front ends.

A simple "?13245123" or something random at the end of the filename will help.

Also: curl -H -vvvv is your friend.

Finally: the jpeg header hex signature isn't a 100% guarantee it's PixelKnot. All it says is that the image has been through some sort of image editing tool.

The more you know…

Anonymous ID: 0e2334 2018-08-07 04:45:10Z No. 2491957


I posted this image that I made with PK,


It has been totally reencoded. It's not a case of them appending a few bytes.

8chan uses the SHA256 sums of files when they're uploaded to uniquely identify them. Grab a random file from around here and check it. The SHA256 hash of the above impostor is now


They would never just stick extra bytes onto the end of a file. And they have no reason to "bust the cache" for guaranteed uniquely named static content. It's only files missing their JFIF headers that are mysteriously changing.

Anonymous ID: 0146c4 2018-08-07 05:42:15Z No. 2492592


failed to confirm, avatar.jpg still doesn't extract correctly when fetching uncached with ?blablabla.


did you post the password somewhere for that photo? I can run a test on my end to confirm.

Anonymous ID: 0146c4 2018-08-07 05:44:55Z No. 2492625


steg detect comes back negative on your photo btw.

Anonymous ID: ea52ce 2018-08-07 08:01:27Z No. 2493839


The more you know, you mean? I have confirmed this myself, files were altered on here on last Tuesday sometime. Someone got worried and started re-encoding files on the back-end. AFAIK they only did it in once, on last Tuesday, this was to prevent us from finding more images that were uploaded. So basically we have whatever we have archived, everything beyond that point is likely lost forever.

Anonymous ID: 745039 2018-08-07 20:19:18Z No. 2499435

playing with images, the URL has the maxfilesize and you can change it to get different size images. all of the results have headers exactly matching the PixelKnot header (only the image size changes)*WkosvaZ2ARJ2hnmXFs02Ow.jpeg*WkosvaZ2ARJ2hnmXFs02Ow.jpeg*WkosvaZ2ARJ2hnmXFs02Ow.jpeg

must be a server side transcoder doing the header stripping (or adding f5 steg?)

a little weird that some .png images are actually .jpg*QbhKIMLavtBdrZI_-DJxtQ.png*QbhKIMLavtBdrZI_-DJxtQ.png

Anonymous ID: 1eb45a 2018-08-09 07:19:47Z No. 2521648


I agree. I uploaded a test image last bread. The hash hasn't changed (I checked against my own copy). Downloading the file and running sha256sum returns an identical hash.


Test image I uploaded in this comment still works. sha256sum starts with 3b51fbf. Right clicking on the file link, pasting the link to download with wget works. Use the link on the left side (with a hash). Using the one on the right side (user-friendly filename) resulted in a different sha256sum.

Downloading using the link on the right side had a different hash.

$ cd /tmp
$ wget https:''//''
--2018-08-09 00:13:11-- https:''//''
Resolving (,
Connecting to (||:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 21247 (21K) [image/jpeg]
Saving to: ‘pixelknot_test_image.jpg’

pixelknot_test_image.jpg 100%\[=============================================>\] 20.75K 62.1KB/s in 0.3s

2018-08-09 00:13:13 (62.1 KB/s) - ‘pixelknot_test_image.jpg’ saved [21247/21247]

Downloading using the link on the left side had the correct hash.

$ sha256sum pixelknot_test_image.jpg
b8fb084705fb6301e6313c5207e8a71d39d4bbd850fc568dfd90bf99006c0b01 pixelknot_test_image.jpg
$ wget https:''//''
--2018-08-09 00:14:13-- https:''//''
Resolving (,
Connecting to (||:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 28771 (28K) [image/jpeg]
Saving to: ‘3b51fbf8b6a2597e1e31ca33c6b836af6d70054ca14155461381ff67118aaf98.jpg’

3b51fbf8b6a2597e1e31ca33c6b8 100%\[=============================================>\] 28.10K --.-KB/s in 0.1s

2018-08-09 00:14:13 (223 KB/s) - ‘3b51fbf8b6a2597e1e31ca33c6b836af6d70054ca14155461381ff67118aaf98.jpg’ saved [28771/28771]

$ sha256sum 3b51fbf8b6a2597e1e31ca33c6b836af6d70054ca14155461381ff67118aaf98.jpg
3b51fbf8b6a2597e1e31ca33c6b836af6d70054ca14155461381ff67118aaf98 3b51fbf8b6a2597e1e31ca33c6b836af6d70054ca14155461381ff67118aaf98.jpg

Anonymous ID: 1eb45a 2018-08-09 07:25:17Z No. 2521685


Oops, I split the terminal output at the wrong spot. The first line in the second section should have been at the end of the previous section. Also, extra characters were added to the beginning of the download urls by the board apparently. So not the best example, but the point is to download using the left link (the one with the hash, not the user-friendly filename).

Anonymous ID: 66c715 2018-08-09 17:29:59Z No. 2525416


Curious. The originals have all been restored.

Anyway, this thing seems to have fizzled. There is a legitimate explanation for all of the spoopyness that we have been examining. It's coming from Medium's weird backend image resizing code. They appear to be using the same funky Java-based encoder library from the late '90s that's only other use was in the F5 stegano demo code, also from the late '90s, which is what PixelKnot is based around.

So I think I might switch teams and instead work on patching all the problems with F5 and PixelKnot. ;)

Anonymous ID: 745039 2018-08-09 18:03:47Z No. 2525792


>this thing seems to have fizzled

in the first thread the shills were full force when we were digging on the silverman photo but after we started brute forcing the images .zip that anon posted with the images the clowns went away

time to circle back, figure out where we got off course



Put to death, therefore, whatever belongs to your earthly nature: sexual immorality, impurity, lust, evil desires and greed, which is idolatry. 6 Because of these, the wrath of God is coming.

-Colossians 3:5

Your evil has no place in this world.



The author of the post…..

The face is never the author.

Direct comms come in many different forms.



How do you hide a message in clear sight?



You'd be amazed how much is shared on /pol/.

Data exchange.


Q didn't say if /pol/ was 8ch or halfchan

the silverman photo in the drop is IMG_182.jpg, i haven't been able to find that one. every one i have found stegdetect comes up negative

the inverted one posted on /pol/ IMG_0457.jpg though does


Anonymous ID: 128651 2018-08-09 22:49:17Z No. 2529049


Very strange indeed. The fuckery occurred on Tuesday July 31st. I believe the following day I uploaded an image here and downloaded it the following day, and it was unchanged from the OG (still had PK header – missing JIFF). The following days I downloaded an image that I had uploaded prior to the 'fuckery', and it had the JIFF header (and wasn't a PK file). I just downloaded the same image now, and it's been restored and is the same as the one I uploaded prior to the 'fuckery' on July 31st.

Hard to know if all the files have returned to the originals, maybe some of the F5 files that had important messages were never restored.

I think we should work on a distributed BF tool, would be great if it could be done is JS, so we can have people just visit a website and have it go. There is a f5 JS stego, but it's not compatible with this one, but perhaps it could be altered to be compatible.

Anonymous ID: 66c715 2018-08-10 03:33:37Z No. 2533601


>time to circle back, figure out where we got off course

Agreed. If we are to continue then we should focus on the SS photo. And we should look beyond PK and F5. Other stegano programs may leave telltale traces on the structure of their output JPEGs that could help narrow the search for the right method.

As far as I know this (pic related) is the original SS file. It was being passed around early and it's size matches the 4Chan screen caps.

SHA1: f1335a1095a3ae15094e0a09e1cb83e5679dda26


We can tell that they are originals if their SHA256 hash matches the links in archived threads (8chan hashes all uploaded files and uses that hash on the back end as a easy way to eliminate redundancy what the same memes keep getting uploaded numerous times). I haven't noticed links to the file_store ever changing, not even what the files stored under a given hash have changed.

Anonymous ID: 71ccb4 2018-08-10 04:16:20Z No. 2534389



>look at the old posts, at the id of the post and replies

>find the originals

>figure out clues for the keys

Or, alternately, you could just go to 4chan where Q gets all his info and get it yourself. You're in a messageboard roleplaying game and you don't even know it. But oh well, carry on detectives

Anonymous ID: 5c991a 2018-08-10 14:10:39Z No. 2537744

found this while broswing online

dunno if it helps

Anonymous ID: 757a03 2018-08-10 21:31:47Z No. 2544659

8 char password.

So he wanted it hackable or he is fake. why wouldn't an intel person add another char or 2?

That would make it infinitely harder to crack. So either Q is a genius or a complete moron.

Pamphlet is a moron soooooo… who knows?

Anonymous ID: 757a03 2018-08-10 21:34:46Z No. 2544712


I think this was done on purpose by Q's Peeps to give some insight or help with hacking the STEG images. We have been asking for help, maybe this is it!

Anonymous ID: 66c715 2018-08-12 10:43:56Z No. 2567164


I finally quit screwing around and got that C-based cracker I've been talking about to a (unfinished but) usable state. It's a bit faster than the Java code, but not by as much as I had thought. I have newfound respect for the JIT compiler.

(You can probably tell from my folk-code that I'm not a professional programmer. I'm a welder and machinist at a widget factory. All that I know about coding I learned through many late segfault filled evenings. )

Anonymous ID: 96faf4 2018-08-12 11:15:15Z No. 2567227


The ambitous stego decode here has apparently been silently abandoned (because the approach was ill-defined and doomed to fail)

Anonymous ID: 66c715 2018-08-12 11:35:24Z No. 2567296


…because we don't know what software was used… or if there is even anything there.

Q linked to the PixelKnot app. PK leaves behind a very distinctive signature in the JPEG file that does not exist in the Sarah Silverman pic. So either 1) it's a modified version of PK made to fix its weaknesses, it's and entirely different program, or there is no hidden data and Q was simply citing PK as an example of the sort of thing that is widely uses on the Chans.

If there is an expectation that were are to crack this thing then we are going to need more clues.

Anonymous ID: 745039 2018-08-12 17:40:34Z No. 2570246




don't have time to try it out right now but looked at the code and awesome job

Anonymous ID: 745039 2018-08-12 22:08:50Z No. 2573936


might be able to easily turn this into CUDA code and run on a GPU

>To do this, all I have to do is add the specifier global to the function, which tells the CUDA C++ compiler that this is a function that runs on the GPU and can be called from CPU code.

>add the specifier global to the function

>The key is in CUDA’s <<<1, 1>>>syntax. >tells the CUDA runtime how many parallel threads to use for the launch on the GPU


or the silverman pic was a clue to an actual encoded images, or we're going get some images later

until we find find what Q was pointing us to we can keep working on the tools to decode/detect them


>silently abandoned (because the approach was ill-defined and doomed to fail)

still here, still digging

keep calm, clown on

Anonymous ID: 7f2525 2018-08-13 00:42:07Z No. 2576121


it amazes me how dead this thread is, Q gives us an android app the decode messages from images/memes and we only go 270 posts deep digging it? come on guys, wheres the beef?

Anonymous ID: 66c715 2018-08-13 07:18:44Z No. 2580354


In the previous bread you said you were trying RockYou and some others against the SS pic. Did you finish? And was this only with the last third of the password?

Anonymous ID: 745039 2018-08-16 04:31:52Z No. 2622913

had to travel

scary all the airplane/airport goings on


no when i saw the silverman pic wasn't made by pixelknot i stopped

i did all rockyou (suffixes + reverse) on the evil eye


751+250 = 1001 posts into this dig

previous bread >>2300468

and now…


looked closely and I think what you did is perfect for GPU

This Coudl Be A Game Changer

setting up a CUDA dev environment now

my plan:

>rip the guts out of your code

>fill array with coeff and initial scramble

>fill array with passwords to try


>returns array with 16 bytes of decode for each pass

>if any decodes start with PKZIP password string then bingo

still need more target images

what if the pixelknot header was changed to help them blend into the images?

Anonymous ID: 745039 2018-08-16 07:26:45Z No. 2624497




dev environment setup and code is building

need to rework F5_rand_series instead generate the random numbers on demand so we can early exit and save memory

need sleep now

Anonymous ID: 96faf4 2018-08-16 08:00:59Z No. 2624689


They just want to be spoon feed now, liked zoo animals who have lost the talent to hunt and are just bored and lazy.

Then they can still tell all their friends about how they researched and gave it to Q to a take action.

After all do you think Lenin & Trotsky did any street fighting in their revolution?

Anonymous ID: 96faf4 2018-08-16 09:16:14Z No. 2624966


They gave up on guessing the password and didn't even know the length to brute force it

Anonymous ID: 9c0fb3 2018-08-16 16:48:47Z No. 2628550


>looked closely and I think what you did is perfect for GPU

Really? The random series generation is pretty straight forward. But the permutation stage is all out-of-order memory access. And the decrypt stage is very heavy in conditional branching.

>still need more target images

Anonymous ID: 9c0fb3 2018-08-17 15:05:46Z No. 2643661

It doesn't look like spidering through chan sites looking for PK images is going to work. 8chan has started reencoding again. And I tested halfchan: they don't fully reencode, but do add the missing JFIF header. Game forums are likely going to be the same way.

So until Q points at a image and says, "This pic contains a hidden message and was used by No Name to arrange a weapons sale. Have at it boys!" then I don't think there is anything left for us to do with this.

Anonymous ID: 745039 2018-08-17 19:06:05Z No. 2646329


the initial code port to CUDA can decode a test image!








>they don't fully reencode, but do add the missing JFIF header

did you post a pixelknot image to halfchan and then download the resulting image? could you zip both and post?

Anonymous ID: 745039 2018-08-17 19:59:43Z No. 2646891



updated: added a timer and removed some debug strings

need codefags to help cleanup, compile and distribute so others can use

Anonymous ID: 00201d 2018-08-18 01:47:11Z No. 2650867


Nice work. What's the easiest way to compile?

Anonymous ID: 9c0fb3 2018-08-18 03:16:15Z No. 2651955


>could you zip both and post?

Same DQT and DHT chunks. And the image scan is (or at least starts out) identical. They must have some little script that slips in the APP0 chunk if it's missing.


Wow. How does this compare with the CPU alone? I know you have a monster of a system.

Anonymous ID: 3b8834 2018-08-18 04:43:04Z No. 2652801


I hacked together a makefile from the CUDA samples and compiled it, but I'm having issues running CUDA samples so I can't tell if the program works.

I'll post more once I verify it's working.

Anonymous ID: a24eff 2018-08-18 04:49:05Z No. 2652860


Q Said "These people are dumb" a thousand times.

Has anyone looked to see if they openly emailed the password for Pixelnot when trying on the Wikileaks Podesta leaks pictures?

Anonymous ID: 66b620 2018-08-18 11:17:44Z No. 2655048

You have More Than You Know.

Has anyone used Pixelknot on Q Proofs or posts?

I don’t know how or I would.

Anonymous ID: 66b620 2018-08-18 11:19:31Z No. 2655055


Link blocked now.

New drop?

Anonymous ID: 745039 2018-08-18 17:57:57Z No. 2657461


oh wow, not only the header also coeff has been changed at 0x00146200 so the message doesn't decode…

does this rule out halfchan ???

Anonymous ID: 745039 2018-08-18 18:13:10Z No. 2657591



Anonymous ID: 745039 2018-08-18 18:47:43Z No. 2657955



You'd be amazed how much is shared on /pol/.

Data exchange.



this infographic has pixelknot header posted in 8ch/pol meta info thread



Anonymous ID: 745039 2018-08-18 18:51:00Z No. 2657981


maebe knot

Anonymous ID: 63e9b0 2018-08-18 19:28:27Z No. 2658285

Hi anons heres one to check ? the attachments on podesta emails linked in Q1917 just white rectangle or just placeholder for missing data or something?

Anonymous ID: 745039 2018-08-18 19:51:55Z No. 2658485


only empty data, too small to hold any message

Anonymous ID: 745039 2018-08-18 20:32:12Z No. 2658832


found 2 files from 8ch /pol/ with pixelknot header

this zip has jpg and .coeff files to use for CUDA or C brute force

Anonymous ID: 63e9b0 2018-08-18 20:39:48Z No. 2658895


ok thanks thats why i thought they might be just placeholders cause they were small. wonder what image data was there?

Anonymous ID: 7fd60f 2018-08-19 08:03:41Z No. 2664366

Some new computer parts arrived (pic related). New case doesn't fit where the old one did, which set off a cascade of furniture rearranging and reorganizing that spread to three rooms. So I've been busy.



F5.jar doesn't support progressive-scan JPEGs and handles them ungracefully. That's probably what it is.


That Raid on is interesting. I found a version of that pic without a JFIF header but a different hash here:

And another version with a JFIF header but the same hash-like filename as the above here,

The Google reverse image search also weirdly leads to these sketchy links, which bounce of a rotation of domain names an ultimately lead to a porn game:

Anonymous ID: 7fd60f 2018-08-19 08:12:20Z No. 2664402


The notebook one is from here, a Medium satellite site:

I was able to find it despite 8ch reencodeing it (but the hash of the file from the Medium site matches the 8chan filename.)

I know that I was that first person to open the Raid image link because the file I got, the first time, matched its hash and was without its JFIF header. 8chan's reencoding appears to be triggered after a file is first accessed.

Anonymous ID: 43ad21 2018-08-19 18:27:25Z No. 2667764


Sorry to bother. Seems you're talking about images from elsewhere when you say pixleknot. I think this pic is using stenography. posted twice on research board and noone's picked it up. Look a the the hand. Who would take a selfie of THAT hand? Medallion belong there? What is the appropriate term for a hidden image-in-image when it's directly related to board topics? Thank you.

Anonymous ID: 7fd60f 2018-08-19 23:06:59Z No. 2670779


For us to be successful in eavesdropping on the badguys' comms we need three things: Software, Image, and Password.

If we have a password then we can crawl image boards and game forums and try it against a millions of images. If We are given a single image with assurances from on high that it is a target then we can try billions of passwords. But we cannot try billions of passwords against millions of images. That is simply beyond the resources of a few guys with desktops. And we can't do anything if we don't have access to the same software that they are using. Q pointed to PixelKnot. But that could have been merely an example. The C_A would likely have developed their own stego system; and this could have been shared with their civilians cohorts.

But even if we assume on variable we cannot solve for the remaining two with the resources available. It would require an awful lot of luck. If any wizards or warlocks would like to give us a hint, they have my PGP key (they also have the secret key that I use for this. I emailed it to myself knowing there is nothing yummier to the NSA's systems than a PGP secret key packet transmitted in the clear).

The only stone left for me to turn over is this variant of the F5 algo I found on GitHub:

While testing various stego programs with long and short messages in large and small files in search of clues to how the SS pic might be encoded, F5steg.js stood out. I've never written a line of JavaScript in my life. But perusing the code, it looks like it's doing basically the same thing as the baseline F5 algo. So it's strange that stegdetect can barely catch a whiff of it, even when a image is loaded to max payload capacity. I found that stegdetect can find F5 even with very sort messages in very large files. (passwords "redhead" and "pepe"). I haven't worked out yet what F5steg.js is doing so differently to evade detection. But given that this is specifically designed for image boards and is available as a browser plugin I think we should find a way to detect its handywork and make an efficient cracking program similar to the one for PK/baselineF5.

Anonymous ID: 745039 2018-08-22 22:06:31Z No. 2705654

the 8ch image reencoding is this

Anonymous ID: d36a3b 2018-08-22 22:33:24Z No. 2705870


Podesta's left hand seems shopped.

Anonymous ID: 745039 2018-08-23 15:14:38Z No. 2712077


compile like so

>nvcc -o kernel


using a 1080 but it's my main display so it gives me trouble

fired up an aws instance with a Nvidia Tesla M60 with the cuda and it's slower than my i9

waiting for access to a V100

Anonymous ID: 745039 2018-08-24 16:15:30Z No. 2723413

still sifting through 8ch/pol images and found 2 more which led me to figure out where the RAAID image came from - - images from are false positives for but when you look closer at the rest of the header doesn't match

Anonymous ID: 745039 2018-08-24 16:26:04Z No. 2723486

it is 1 month after Q posts about pixelknot and /pol/ Data Exchange and we've learned

* pixelknot on jpeg, header has unique signature and only last 1/3 of pass needed break f5 layer

* halfchan re-encodes images, breaks f5 steno and can't be used for data exchange

* false positive images from (and affiliates) and walmart

* qresearch images found were from

* 8ch /pol/ images found were from walmart

* sara silverman pictures are not pixelknot

wild goose chase?

Anonymous ID: 745039 2018-08-25 20:47:12Z No. 2734509









f5 cuda brute force using hashcat sha1

realized that hashcat has a faster implementation of sha1

it's in opencl, spent the morning porting to cuda

this version of the f5-cuda is more than 50% faster, get it while you can

compile with

nvcc -o kernel

looking for more target images, think I've ruled out everything I've seen so far

Anonymous ID: 745039 2018-08-25 22:13:41Z No. 2735242

here's is what i don't get - Q links to halfchan /pol/ image IMG_382.jpg and says data exchange on /pol/ with pixelknot

but half chan re-transcodes images breaking the stego, which is why that image didn't look like a pixelknot image

so okay… MAYBE the silverman picture was made by pixelknot BEFORE it was posted to halfchan but it wouldn't be a way to exchange data

Anonymous ID: 3fc3ff 2018-08-25 22:59:49Z No. 2735651


It's possible that {{{they}}} use their own system cooked-up by the C_A for use by their own spies and that PixelKnot was only a generic example of steganography.

Anonymous ID: 745039 2018-08-26 20:10:07Z No. 2746327


played around with halfchan and Q4example.jpg - halfchan does re-encode the image but the message is still decodable

updated the pixelknot detection script to detect pixelknot image uploaded to halfchan along with those not, this will probably hit many false positives

it does detect the silverman picture as pixelknot

Anonymous ID: 745039 2018-08-26 20:42:33Z No. 2746706


new pixelknot detection script

>detect pixelknot uploaded to halfchan



I was expecting more false positives, this is actually a sensible list of images that the script detected

new possible pixelknot images



Anonymous ID: 745039 2018-08-26 20:49:17Z No. 2746813

check out at the image artifacts in this one….

Anonymous ID: 745039 2018-08-26 21:31:05Z No. 2747276


more matches fresh from halfchan

Anonymous ID: 745039 2018-08-26 21:33:33Z No. 2747302

turn up the contrast

Anonymous ID: bb8fea 2018-08-26 22:37:40Z No. 2747975


For reference, I am getting around 3300 pw/s on a 1080ti. As it stands, it would crunch through all four letter combos in about 6 hours.

Anonymous ID: 745039 2018-08-26 22:48:17Z No. 2748092


sweet anon!

here's an updated version, I made a couple memory optimizations and added command line flags


coeff files for the new images


Anonymous ID: 745039 2018-08-26 23:45:24Z No. 2748657



on the smallest coeff file i'm getting 6600 pass/sec on 1080 ti and 4900 on 1080

using –blocks 32 –threads 64

had to do the tdrdelay thing


Anonymous ID: 8a5cb0 2018-08-27 00:25:46Z No. 2749064

There is also a Steg tool called Outguess. It is a linux command line tool. Not sure if anyone here has tried to use it to find stuff on pictures here…

Anonymous ID: 3fc3ff 2018-08-27 01:16:13Z No. 2749627


Wait a sec… all you are checking for is that they are either missing the normal JFIF header, or have the normal header and are encoded with a 94% quantification table, like the SS pic. Then you check to see that they have the standard Huffman tables from the JPEG spec that is used by 99.9% of all the color JPEGs in existence.

But PK is hardcoded to always encode at 90%. And 4chan's JPEG recombobulator does not change the compression quality.

94% is not a number that a developer would hardcode as a default. That is a number from someone moving a GUI slider when exporting an image from Photoshop or GIMP. So if there is stego in the SS pic then it was done with a program that does not change the quality level.

You are forcing a match on the Sarah Silverman pic without explaining why that DQT is indicative of PixelKnot.

Anonymous ID: 745039 2018-08-27 14:20:58Z No. 2753991


uploaded q4example to halfchan and inspected what was the same, the order and location of the DQT and huffman table along some bytes of the huffman table

waiting on your improved version ;)

Anonymous ID: 745039 2018-08-27 16:20:53Z No. 2754886


just for (You), updated the detect script to be more discriminating - no longer detects the silverman pic though

images that match

Anonymous ID: 745039 2018-08-27 19:30:18Z No. 2756444


another updated detection script to rule out more false positives, 63 images from halfchan /pol/ with coeff files

Anonymous ID: 745039 2018-08-27 19:31:02Z No. 2756449


starting to see themes here

Anonymous ID: 745039 2018-08-27 19:32:43Z No. 2756467


Anonymous ID: 745039 2018-08-27 19:34:04Z No. 2756480



Anonymous ID: 745039 2018-08-27 19:35:06Z No. 2756489


Anonymous ID: 745039 2018-08-27 19:42:56Z No. 2756545



Anonymous ID: 745039 2018-08-27 22:16:12Z No. 2757678



girls with red or flowers

Anonymous ID: 745039 2018-08-27 22:17:40Z No. 2757686


Anonymous ID: 745039 2018-08-27 22:29:19Z No. 2757787


Anonymous ID: 745039 2018-08-27 22:31:15Z No. 2757806

wget -P 4chan -nd -np -r -l 1 -e robots=off -H -D -A jpg,jpeg<THREADID>

for F in 4chan/*.jp*g; do python $F; done

Anonymous ID: 96faf4 2018-08-27 22:31:59Z No. 2757815


Should be banned for incoherent rants.

Personal gratification that has no value for others

"Notice me - I am special"

Simply narcissist vanity

Anonymous ID: 745039 2018-08-27 22:36:37Z No. 2757852


Anonymous ID: 745039 2018-08-27 22:37:58Z No. 2757868


Anonymous ID: 745039 2018-08-27 22:38:19Z No. 2757871


Anonymous ID: 745039 2018-08-27 22:38:49Z No. 2757877

Anonymous ID: 745039 2018-08-27 22:42:46Z No. 2757908


downloaded 1000 jpg from halfchan /pol/ and 5% of them match PK header, probably a bunch of false positives in there

58 more images

Anonymous ID: 745039 2018-08-27 23:08:05Z No. 2758088


Anonymous ID: 39ebd4 2018-08-28 02:55:25Z No. 2761102

Just wondering about this pixelknot; not sure if anyone looked at the Antarctica

pictures in the wikileaks drop?

Anonymous ID: 745039 2018-08-28 08:53:30Z No. 2764174


post em and i'll take a look

the PK file sign is fairly uncommon, i've only found 178 jpg that match it

all the test images i have have the same DQT table, what i wonder is if pixelknot could have generated a different table like the silverman

Anonymous ID: 745039 2018-08-28 08:55:18Z No. 2764183

this same shade of blue shows up



Anonymous ID: 745039 2018-08-28 08:59:52Z No. 2764199

red shoes…

Anonymous ID: 745039 2018-08-28 09:03:50Z No. 2764217


Anonymous ID: 745039 2018-08-28 09:05:50Z No. 2764224


Anonymous ID: 745039 2018-08-28 09:09:21Z No. 2764239

Anonymous ID: 745039 2018-08-28 09:10:38Z No. 2764243

Anonymous ID: 745039 2018-08-28 09:11:24Z No. 2764246


Anonymous ID: 745039 2018-08-28 09:12:44Z No. 2764253

Anonymous ID: 745039 2018-08-28 09:14:28Z No. 2764262


Anonymous ID: 745039 2018-08-28 09:27:27Z No. 2764328


out of a few thousand scanned jpg from halfchan, 178 matches

here's how

wget -P 4chan -nd -np -r -l 1 -e robots=off -H -D -A jpg,jpeg<THREADID>

for F in 4chan/*.jp*g; do python $F; done

Anonymous ID: 745039 2018-08-28 17:04:33Z No. 2767218



new blue, red and orange today

Anonymous ID: 745039 2018-08-28 17:05:15Z No. 2767232

Anonymous ID: 745039 2018-08-28 17:09:56Z No. 2767294

Anonymous ID: 745039 2018-08-28 17:51:14Z No. 2767849


a few have this weird artifact, a line that doesn't match up

Anonymous ID: 745039 2018-08-28 17:54:30Z No. 2767900


here's the same line artifact on a pixelknot test image

Anonymous ID: 745039 2018-08-28 18:02:05Z No. 2768019


16 images + coeff files that match PK header and have the unaligned square artifact

Anonymous ID: 745039 2018-08-28 18:23:12Z No. 2768255


this one too

Anonymous ID: 745039 2018-08-28 18:24:28Z No. 2768269

cccp girl too

Anonymous ID: 745039 2018-08-28 18:30:28Z No. 2768327

red shoe cammo woman too

Anonymous ID: 745039 2018-08-28 18:33:25Z No. 2768354

of the jpg with matching PK headers with line artifacts i've found, half are of women in red

Anonymous ID: 745039 2018-08-28 19:17:25Z No. 2768915


only the shitty windows photo viewer is showing the artifact… maybe it is only a bug with that?

Anonymous ID: 3fc3ff 2018-08-29 04:58:56Z No. 2779614


Pic of the mouse is a test image I posted there.


Same for middle Pepe.

Anonymous ID: 745039 2018-08-29 15:49:53Z No. 2783440



new match from pol and the original

f5 does not encode data in 0s

here is diff, contrast and brightness turned way upp

does that look like encoded data to you?

Anonymous ID: 745039 2018-08-29 19:39:01Z No. 2786451


another diff

these two look identical, turn up the contrast on the difference and see small changes all over

Anonymous ID: 3fc3ff 2018-08-30 03:22:05Z No. 2792806



We can't tell with the naked eye. Re-encoding for whatever reason would do that. Have you checked that ONLY the non-zero AC coefficients have changed? If any DC coeff is different or if any AC coeff was was zero is non-zero, or vise versa, then you are looking at a false positive.

Anonymous ID: 745039 2018-08-31 17:09:59Z No. 2817954



can another codeanon take the ball?

need to care for self and family

updated pixelunknot github with my code changes

added,, BruteCrackF5 and F5CUDA




Anonymous ID: 745039 2018-08-31 17:15:04Z No. 2818057


Anonymous ID: 3fc3ff 2018-09-01 02:54:57Z No. 2826539


I'd take up the torch if I still believed this was feasible. But we have too many unknowns to solve for.

We can test a known password against millions of pics from image boards. Or we can try a billion passwords against a (confidently) known target image. But when trying to solve both unknowns the problem size increases beyond what is feasible for two guys with high-end desktops.

Anonymous ID: 745039 2018-09-03 16:51:14Z No. 2859316


maebe this will help?


The cult color codes are

Green Forrest = "I am your plant"

Yellow Sunshine= "Gold/Reward"

Blue Ocean= "Info/Surveillance"

Red Fire= "Anger/Smear"

Orange Sunset= "End this now"

Anonymous ID: 9969c2 2018-09-11 22:53:05Z No. 2981121

Tried this too.

4767 5774 6a7a 4d6c 6330 666b 314a 3453 0000 0907 84b4 f787 7616 86f7 a737 5707 5736

Anonymous ID: e1c5f2 2018-09-17 07:25:31Z No. 3055048

Anonymous ID: e1c5f2 2018-09-20 08:33:44Z No. 3101607


Anonymous ID: 745039 2018-09-22 16:14:55Z No. 3138967



that image does load into pixelunknot

if there is a message in it, not bruteforcing anytime soon

Anonymous ID: 4c3284 2018-09-29 20:30:14Z No. 3252291


Posted this in main bread. Very close to a pixelknot header.

Anonymous ID: f6d946 2018-10-02 07:20:07Z No. 3291536

This sucks, that this hasn’t gotten anywhere… Did anyone ever try passwords that anons without androids, have suggested? If breaking the code isn’t possible, then there must be clues. I was gonna try to get the app, but the day I decided to charge an old android, I met a stray, who needed a phone. Too cosmic, couldn’t resist.

Anonymous ID: c3c0f7 2018-10-02 07:32:48Z No. 3291607


maybe it's noy so much about steg - maybe it's about the connections - Guardian Project >PK> Haven > Freedom of Press Foun -

Anonymous ID: c3c0f7 2018-10-02 07:39:52Z No. 3291646


and securedrop

Maybe JPB stood for something different than the cabal

The doc of SecureDrop assumes the Organization Hosting SecureDrop (in

this case FPF)

• The organization wants to preserve the anonymity of its sources.

• The organization acts in the interest of allowing sources to submit documents, regardless of the contents of these documents.

• The users of the system, and those with physical access to the servers, can be trusted to uphold the previous assumptions unless the entire organization has been compromised.

• The organization is prepared to push back on any and all requests to compromise the integrity of the system and its users, including requests to deanonymize sources, block document submissions, or hand over encrypted or decrypted submissions.

What if the above is assumed, but the assumption's incorrect?


Anonymous ID: 179bd7 2018-10-02 22:31:11Z No. 3301018


Long-time lurker, first time poster. No android, or stenanography exp but one "keystone" that sticks in my head is the masonic keystone.

>>>2336488 (pb)

Has HTWSSTKS been tried?

Ty for the work anons. Back to lurking…

Anonymous ID: cbacdb 2018-10-05 17:29:04Z No. 3348866

When Washington and his troops crossed the Delaware and landed, the sentry troops we're told not to let anyone through that didn't have the password. The password was Victory or Death. Don't know if anyone has tried it yet.

Anonymous ID: 18a7f3 2018-10-07 06:47:49Z No. 3377680




Thought this interesting with Q's post today of Nanci Peosi talking about smear tactics

Anonymous ID: 5fb619 2018-10-07 13:41:16Z No. 3379774

This thread is still upsetting me. Q made it seem kinda easy, right? I gotta get my hands on this thing. For the pics, we have to find the original? Posting here changes it?

Anonymous ID: 448d1b 2018-10-07 16:46:31Z No. 3381423


I"m still thinking that's a normal occurrence in jpgs. I've seen it long before all this PK stuff.

Anonymous ID: 18a7f3 2018-10-07 20:53:51Z No. 3384298


Maybe it's here!

Anonymous ID: 84723a 2018-10-08 03:52:57Z No. 3389253

I have an android, but no idea what to do :(

Anonymous ID: 42f321 2018-10-08 18:37:12Z No. 3395995


I was thinking someone said reposting images here, changes the file, so then I thought we had to go outside the Chans to find the original… But if /pol is the point of data exchange, none of that makes sense. The only thing us new fags can offer you, is fresh perspective: brand new eyes. An eye for an eye is fine, if you give me yours and I give you mine.

Anyhoo… this whole thing is worth a read, but things start heating up in July (Coincidence? Pic related):

7/12: Syrian Electric Army

7/13: Coincidence pic: a sign? ID: adad33, def chosen.

7/15: Someone complaining about “gigantic pics about nothing”, says please stop in /crypto posts too. Did anyone find a correlation between file size?

7/22: “…most corrupt images have steg” = Good to know, anymore helpful tidbits floating around?

9/7: Post re: steg, poster ID: 000000, def chosen. Clearly someone with knowledge, lurking and checking images. Follow them? There are few real humans, choices limited. Also, this exchange almost seems scripted, dropping hints? The whole thread could be a set up, but who’s the trap set for? Us or them?

We’re trying to intercept black hat comms, right? They hang where it’s easy to mix with bots. Spot the difference, people are jaded and quick to dismiss. “How do you hide a message in clear sight?” Amongst other random images, possibly on a thread dedicated to such. These people are stupid, right? How do they get the password to each other? Always the same? I’d say try: JEWS, but that’s too easy. What’s one step up from “too stupid”? PW is file name?

Or else we’re being led to pol, to get the answers on HOW to crack the code/spot the images. Q doesn’t have to be “Q”, white hats have to have a way of being known too. Dark/Light, Mirror, blah blah blah… Haven’t gotten ahold of PK yet, handing off until then. If this is repeat info, super duper my bad. Am phonefag, hard to scroll. Using “find on page” tool to dig = annoying to the maxxxxx.

Anonymous ID: 42f321 2018-10-08 18:56:11Z No. 3396244


I thought this was a good line of thinking too. But not sure where it leads. Good guys or bad guys? Did you get murdered as you were writing this? On the bright side, at least that means you’re over target.

Anonymous ID: 42f321 2018-10-08 19:06:15Z No. 3396366


Step 1: Get pixel knot at App Store/Google Play?

Step 2: Try that buddah image I posted, with the pw as the image file name. (Save from the original, within the thread that I linked below)

Step 3: Go through /pol yourself and see if you find any images/ideas OR scroll through everybody else’s ideas.

Step 4: Throw anything, see what sticks. Much appreciated.

Anonymous ID: 09f21a 2018-10-11 13:13:01Z No. 3437327

Non code fag here, apologize in advance if this is retarded. With the CBS logo. It should be pretty simple black and white. Can you overlay a "good" one and compare to the messaged one? Wouldn't there be differences in pixels from the "original" picture to the messaged picture? Can you test it by making a picture, putting in a simple message and comparing both.

Anonymous ID: 09f21a 2018-10-11 13:43:35Z No. 3437561


yup kinda retarded. Did find this though.

Anonymous ID: 5e2135 2018-10-12 03:56:51Z No. 3447338

Hello pixelfag anon steganon fresh out the psych ward ( that ntv world order post got me sonically targetted) bantz

Anonymous ID: 09f21a 2018-10-14 00:57:32Z No. 3468757

Been thinking about the pixel knot thing for a while. Non

code monkey/crypto fag.I am not sure you would need a

password to decrypt. I don't know alot of the language so it

may be rough in translation, I am more of a visual type.

Experiment: take a picture and run it through pixelknot.

Create new picture with the changes between the original and

the new pixelknot photo. This will create a template of the

changes to work with on the experiment. This may not be

necessary in the future, but it is a starting point. Run it

through an algorythm/formula and create a new pic. Do this

with 10K-100K algorythms.

It is my hypothesis that the static overlay will behave

slightly different than the hardcoded message. Maybe less

than 1/10th%. Create a program that looks for anomalies. A

couple of pixels in a straight line or curve. Overlay the

pics, all 10-100K and look for letters based on anomalies

that form possible letters in a stacked formation in the top

50% (or whatever).

I would liken it to creating waves in the picture and much

like looking for subs as the Chinese satelites are purported

to do with wave photographs. Or, like tuning into UHF, there

is alot of static, but you can see the words or image even

though it is not crystal clear. After doing this a few

hundred times, you may be able to analyze which algorythms

are more successful.

I don't know how much computing power that would take or if

anyone has that much. If this is viable, there is no need

to send anyone to knock on my door, I am just working on a


Anonymous ID: c3c0f7 2018-10-19 20:03:20Z No. 3534063


Thanks. Leads to the bad guys (some of them, anyway)

I think you are correct in >>3395995 re: hiding in plain sight where "people are jaded and quick to dismiss" and that the password is a simple one.

Admire you persistent Anons trying to crack the code.

Anonymous ID: 162c77 2018-10-24 19:01:40Z No. 3588616

Dunno if anybody has suggested yet. Not necessarily helpful for the PK problem, but good for checking if images have been altered in general. The tutorials/challenges page was super helpful, if you don’t know much about what to look for/what the data tells you.

I haven’t found any other threads on /pol that look promising besides “lost content”, which is pretty dead now. There was mention of “crypto posts”, but haven’t looked beyond /pol. Cryptofags, where y’all hang out?

Do you think after all is said and done, if we haven’t gotten it by then, Q will throw us a bone?!?! This feels like a puzzle, when your dog eats half the pieces.

Anonymous ID: e54a40 2018-10-30 13:34:32Z No. 3663002


did you find anything yet?

Anonymous ID: b9f4ed 2018-11-12 05:32:49Z No. 3863005

can anyone dissect this image? probably benign. maybe not. came from a cryptic /disclosure/ #4 post. Thank you.

Anonymous ID: 6ce197 2018-12-02 14:30:24Z No. 4113200


Anonymous ID: a32688 2018-12-05 18:40:34Z No. 4167702

sorry test

= test =


Anonymous ID: f75b53 2018-12-05 20:20:19Z No. 4169365



The grip is weird…?

Free Mason thing? Jesuit thing?