LSB new twist : text based Stegnograph

Today i am going to discuss about a simple twist in existing Stegnography and text base data hiding techniques. While creating challenges for Preconference hacking challenge “HACKIM” for nullcon conference. we cameup with text based LSB hiding challenge as crypto challenge part 5. today i am releasing tools i used to encoding and decoding such values.

The basic prremise behind the tool is the simplest Image based Stegnographic technique where data is hidden in the least significant bit of the Pixel. Here we implemented the same principle on a normal text. The difference in both is in case of the image there is very less distortion and original image is looks pretty much the same however in text implementation the text looks a lot different.


text to hide = a

binary of text to hide = 01000001

So for this we need a cover of size = 8char

lets assume the cover is abcdefgh

We will replace the LSB of each character with one bit of the text which we need to hide. starting from HSB to LSB of text.

S.NoTextbinaryconverted BinaryFinal Text

now this new text could be send across

final text becomes `ccddffi

Now as we can see the text is changed a lot however the important thing to remember is first and formost the cover is extracted and is most easily available.

by just random variation of 1 and 0 you can get the actual value.

Here is an funny tip

Make your envelop text something interesting so that focus shifts on the envelope rather then the variation in data.

For the above task to be simplified i wrote simple encode and decode scripts as listed below. (Scripts are at there crude level’s right now may improve on them if the need arises.)


#License : GPL2
#License File :
import sys
Cover="Secret is hidden at /home/anant/"
if (len(Key) * 8) == len(Cover):
	print "Original : " + Cover
	for k in Key:
		km += bin(ord(k))[2:].zfill(8)
	sys.stdout.write("Conceled : ")
	for c in Cover:
		s = list(y)
		sys.stdout.write(chr(int('0b' + "".join(s),2)))
	print ""
	print "Invalid Cover Size : " + str(len(Cover)) + " : " + str((len(Key) * 8))


#License : GPLv2
#License URL :
import sys
crypt="Rebrdt!ir!iheeeo at .inld/an`ot/"
#print len(crypt)
if (len(crypt) % 8) == 0:
	for c in crypt:
		cnt = cnt + 1
		if (cnt % 8 == 0):
			sys.stdout.write(chr(int('0b' + "".join(decode),2)))
			decode = []
	print "Invalid Input"
print " "

Hope people might find some use of this somewhere..

Do you like what you read, What to share it

Standalone Perl on Android

In simmilar lines to standalone python this is the code that could be used for running standalone perl applications.

This script again tries to address some very basic issues.

1) non availability of direct perl calling mechanism while using terminal emulator.

2) Environmental limitations.

3) you can’t pass command-line arguments.

Script enclosed Here

#License: GPLv2 or later
#License URI:
cd $PW
export PERL5LIB="/sdcard/haxdroid/perllib"
/data/data/com.googlecode.perlforandroid/files/perl/perl "$@"

this script allows for following things

1) allow us to use this shell script to call perl directly.

2) allows for command line argument passing.

3) relative path references are now working


I have named this script as py and placed it in /system/bin/pl location

so basically copying this script in a text file say pl.txt

adb push pl.txt /system/bin/pl

adb shell chmod 04755 /system/bin/pl


As always this depends on perl4aandroid project for running properly, you can download from here

Do you like what you read, What to share it

DroidCAT – Android Application collection for Security professionals

After a gap of 1 month finally releasing the droidcat application.

DroidCAT application is developed as part of HaXdroiD project which is right now in closed tested status.

Lets talk about DroidCat today.

What is Cat-Droid?
DroidCat is inspired by firecat and aims to be a one stop solution to finding all
ethical hacking / information security related application published in android domain.
This Application is also a part of HaXdroiD suite which aims to empower the
Android handset for Penetration Testing purposes.

So now lets not wait head over to the android market and download the application.


Do you like what you read, What to share it

Whitepaper : Security Issues in Android Custom ROM's

Today i am releasing the paper which i presented recently at C0C0N conference at ernakulam. this paper outlines where security misconfiguration that can lead to device compromise, data theft and so on.
Hope this helps in secure development and deployment of custom ROM’s.

The link contains download for both my slidepack as well as the complete whitepaper.

also a crude application is created and uploaded on android market which can help in identifying the issue.

Do you like what you read, What to share it

Android : Running Standalone Python

This is not yet another post on  android-scripting project or SL4A or python for android.

This post is for a specific purpose to empower the terminal again and make users again feel the power of terminal.

Current state we can run perl, python, PHP, ruby, beanshell in SL4A interface or as a standalone apk with modifications.

so here is the bad part

1) you can’t run applications on console directly.

2) you have environmental limitations.

3) you can’t pass command-line arguments.

for a normal person these could be some limitations however for some including myself THESE are the limitations.

so while searching for solution i have came across this script

Here is a modified version of the same making sure the awesomeness embedded

#License: GPLv2 or later
#License URI:
export EXTERNAL_STORAGE=/mnt/sdcard
export LANG=en
export TEMP=/mnt/storage/com.googlecode.pythonforandroid/extras/python/tmp
export PYTHONHOME=/data/data/com.googlecode.pythonforandroid/files/python
export LD_LIBRARY_PATH=/data/data/com.googlecode.pythonforandroid/files/python/lib
cd $PW
/data/data/com.googlecode.pythonforandroid/files/python/bin/python "$@"

Line no 1,3,11 are the changes that i made.

These changes allow for following things.

1) allow us to use this shell script to call python.

2) allows for command line argument passing.

3) relative path references are now working

however we also need to understand the importance of Sl4A style project these project provide native applications a direct option to interact / create native UI. (dialog box, button, texts etc)

I have named this script as py and placed it in /system/bin/py location

so basically copying this script in a text file say py.txt

adb push py.txt /system/bin/py

adb shell chmod 04755 /system/bin/py

gives you python shell on your android terminal.

Right now i am working towards making various tools of trade available on terminal.

I will be keeping a track my progress at XDA developer forum thread linked here.


Do you like what you read, What to share it

MyLife : Hack : Yahoo Open HackDay 2011

Open Hack India
Open Hack India 2011

This was my first time attending Yahoo open hackday the event is all fun and a quick way to hacking onto the yahoo api’s.

I specifically focused on one API YQL, which basically claims to do the following

select * from internet

now that raises an eyebrow, in simpler term this is what is we can call a content scrapper’s dream, we get as less as 1000+ data tables which allow us to interact with various websites using well known sql standards.

here we can keep adding more and more tables if needed otherwise we can always revert back to generic tablees like

select * from rss where url =””

the thing that i like the most was they have given a direct access in the form of yql console you can check that by clicking the above link

I have been trying my luck to brew something for my self and a long lasting itch came back to me and i thought lets try solving the etch here.

so my hack for open hackday 2011 was : MY Life : a social content feed aggregation widget.

basically what i am doing is listed here in simplest terms.

1) take simple userid/username from users for various social networking sites.

2) create a unified feed based on user inputs

3) provide widget (HTML/JS) and PHP code to be used on site based on the user need.

So here is the hosted version of Hack

Note : YQL has rate limit and hence will only be able to fetch content for 10000 times a day. so if you do find output missing then its a good news for me basically my site has crossed 10000 users .

Do you like what you read, What to share it