Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • August 31, 2015, 10:24:40 AM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: NANY 2009 Release: PESplash  (Read 10212 times)

seedling

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 129
    • View Profile
    • Donate to Member
NANY 2009 Release: PESplash
« on: December 25, 2008, 10:08:03 PM »
NANY 2009 Entry Information

Application Name PESplash
Version v1.7.0.11
Short Description this tool will attempt to embed text information into a CODE section of
any PE file. it does so by finding valid opcode strings and replaces
them with "like-minded" opcodes therefore not changing the size or
operability of the file.
Supported OSes Windows 32-bit
Web Page http://seedling.dcmembers.com
Download Link http://seedling.dcme...m/other/PESplash.zip
not much, just Win32 OS
v1.7.0.11
  • v1.7.10
    -------
       fixed a bug that would randomly corrupt text in both embedding and
       retrieving process
       
       improved the retrieving routine and can now get watermark text
       much faster!

    v1.7
    ----
       inserts a default 'save as' filename once the 'open' file is
       selected.
       --------------------------------------------------------------
       this could possibly cause problems since the routine
       uses the '.' as a deliminator and renames the file. an example
       of a problem would be in a path with '.' used in the name:
       
       C:\stuff.i.like.a.lot\file.exe
       
       would result in:
       
       C:\stuffw.i
       
       since, by default, it simply adds a 'w' after the filename and
       then re-adds the extension
       --------------------------------------------------------------
       
       added drag & drop support
       
    v1.6 RTM
    --------
       added a group box around the progress bar with changing caption
       text explaining basically what the bar is keeping track of

    v1.5 beta
    ---------
       fixed 'ops.dat' reading code to allow for commented lines starting

       with '//'. this allows for easier management of this file.
       buttons are now disabled when performing a task

       Hidden Text edit box is now read only

       ProgressBar is half-way decent (could still use some better
       progression tho)

       inclusion of ProcessMessages to help the window stay focused on more
       than the ProgressBar when performing a task! (thanks guys :))

       LOTS of code cleanup!

       this build is practically a FINAL version and may be converted to
       FINAL once further testing proves its reliability

    v1.1 beta
    ---------
       now uses an external file 'ops.dat' which contains mask pairs for
       checking!

       created an icon

    v1.0 beta
    ---------
       first gui build and name changed to PESplash

    v0.1 beta
    ---------
       all 3 switches are operable(-e | -r | -c)
       embeds data and saves to "newfile.exe"
       can now retreive embedded data from watermarked file
       returns space available for watermarking

       do NOT try to use this with a packed file, it'll crash
       or at best, it'll make the packed file useless!

    v0.3 alpha
    ----------
       now takes text input for embedding

       converts text to a binary string and saves changes to "testbin.bin"

    v0.2 alpha
    ----------
       got rid of the temp file (now stores text bytes into memory
       directly)

       saves changed CODE section as a binary file "testbin.bin"

    v0.1 alpha
    ----------
       initial build

       uses one set of masks only, no table yet

       creates temp text representation of valid opcodes from CODE section
       of a PE file

       creates temp text representation of changed CODE section with ALL
       bytes found by mask0 or mask1
Seedling http://seedling.dcmembers.com/


Description
Executable code steganography

Features
I have submitted a rather unusual app that takes a different approach in steganography.  I (with the help of friends and Oleh Yuschuk's disassembly engine  ) developed this application way back in 2003-2004. The app is called PESplash.  It embeds text into windows exe files using interchangeable assembly opcodes.

With this app you can create your own 'keys' (ops.dat file) that will be able to embed/read hidden text via a binary stream based on the interchangeable codes you have in your ops.dat file.  So, it embeds this data into the CODE section of your executable file and will run just as originally compiled without error and yet contains hidden data.  Now, be warned, if you decide on interchangeable opcodes and you are wrong, then your application will most likely not run correctly. the default ops.dat file contains most zero flag, interchangeable codes that should not be a problem to swap (but it's not perfect).

So to summarize, it embeds text into your executable files.  This could be used in nefarious ways (and is the reason i never released it to the public).  Use with restraint, but it's a pretty cool way of tracking who is downloading your files (if released in the wild), send messages, etc.

Anyway, that's my submission, enjoy.

Also, please note that this is free and without protection, however, if you plan on using this in a corporate/commercial product, then you must contact me for proper compensation.

Screenshots
PES_SS.png

Usage
Installation
unzip this to a dir of your choice and run it :)

Using the Application
Select an unpacked app, have it scan for the amount of bytes available (per your ops.dat file keyfile) then write the text to the file, done. to retrieve the embedded text, just open the file and select retrieve, done. :)

Uninstallation
just delete the files that you unzipped, done :)

Known Issues
this will not work with already packed (compressed) executable files. that is, it will seem to work, but the file will not work.

« Last Edit: December 26, 2008, 12:13:30 AM by seedling »

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 34,946
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Donate to Member
Re: NANY 2009 Release: PESplash
« Reply #1 on: December 25, 2008, 10:41:36 PM »
Very cool  :up:

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 8,858
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Donate to Member
Re: NANY 2009 Release: PESplash
« Reply #2 on: December 26, 2008, 05:58:44 AM »
Wicked :)
- carpe noctem

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,559
    • View Profile
    • App's Apps
    • Donate to Member
Re: NANY 2009 Release: PESplash
« Reply #3 on: December 28, 2008, 07:40:52 AM »
but it's a pretty cool way of tracking who is downloading your files (if released in the wild)

What exactly do you mean by that?

Codebyte

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 160
  • "Premature Optimization is the root of all evil."
    • View Profile
    • CodeByter.com
    • Donate to Member
Re: NANY 2009 Release: PESplash
« Reply #4 on: December 28, 2008, 12:30:08 PM »
Quote
but it's a pretty cool way of tracking who is downloading your files (if released in the wild)
Quote
What exactly do you mean by that?

Im interested as well; what did you mean?
CodeByter.com - http://www.codebyter.com

seedling

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 129
    • View Profile
    • Donate to Member
Re: NANY 2009 Release: PESplash
« Reply #5 on: December 28, 2008, 11:13:42 PM »
if you tag your exectuable with 'johnny noname 155-345' (if the space allows) and you find it out in 'the wild' without permisssion, then you'll be able to know exactly where the source came from 'i.e. johnny noname 155-345' simple as that. just use the app and see for yourself.

Jibz

  • Developer
  • Joined in 2005
  • ***
  • Posts: 1,026
    • View Profile
    • Donate to Member
Re: NANY 2009 Release: PESplash
« Reply #6 on: December 29, 2008, 02:20:59 AM »
It sounds like a really neat idea .. is it similar in functionality to hydan?

seedling

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 129
    • View Profile
    • Donate to Member
Re: NANY 2009 Release: PESplash
« Reply #7 on: December 29, 2008, 03:34:01 PM »
It sounds like a really neat idea .. is it similar in functionality to hydan?

i never heard of this app, but reading a brief overview of their paper, the idea seems a lot the same (and perhaps even better in some aspects).  one key difference is that mine does not use a 'set' group of interchangable opcodes, but rather, reads them from a user created ops.dat file. which effectively is used as a key to encode/read what you're trying to hide.
« Last Edit: December 29, 2008, 03:35:52 PM by seedling »