PaulDotCom mailing list archives
SNOW stego
From: pauldotcom at grymoire.com (Grymoire)
Date: Thu, 1 Oct 2009 09:00:45 -0400
Let me amend my last comment. I tried snow to verify things.

So far, the email with stego has been sent 4 different ways:

1) Plain text
2) Content-Type: text/html; charset=ISO-8859-1, Content-Transfer-Encoding: base64
3) Content-Type: text/html; charset=ISO-8859-1; Content-Transfer-Encoding: quoted-printable
4) Content-Type: text/plain; charset=US-ASCII; Content-Transfer-Encoding: base64

snow only decodes #4. Hidden information seems to be in #3 and #2. However, it consists of spaces with and without the parity bit set.

#4 has information that looks like this (using od -c):

0000400 p . h t m l \t \t \r \n \t \t
0000420 \t \t \t \t
0000440 \t \t \r \n L o v e
0000460 , \t \t \t
0000500 \t \t \t \t
0000520 \t \r \n I r o n g e
0000540 e k \t \t \t \t
0000560 \t \t
0000600 \t \r \n \t \t
0000620 \r \n 4 323 235 8 347 M 234 o 256 _ 337 336
0000640 370 337 N ; 341 306 335 { 255 334 261 266 254 { 256 ?
0000660 266 j 177 317 373 f 247 374 372

According to the home page, snow uses tabs as a delineator. There are no tabs in the first 3 formats. Perhaps gmail strips them out?

I don't understand why some spaces are converted into \040 and \240 (0x20 and 0xA0 in hex), but if there was a filter to convert quoted-printable into a uniform format, and snow understood that format, it could be adapted to work.
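
Added example, not part of the original post: a Python triage script that undoes each MIME part's Content-Transfer-Encoding and counts lines ending in tabs and 0xA0 bytes, the two things the post compares across the formats. The function names and the two-part sample message are constructed for illustration.

```python
import base64
import email

WS = " \t\u00a0"  # space, tab, NBSP (0x20, 0x09, 0xA0)

def scan_message(raw: bytes) -> list:
    """Decode every leaf MIME part and summarise its trailing whitespace."""
    findings = []
    for part in email.message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""   # undoes base64 / quoted-printable
        try:
            text = body.decode(part.get_content_charset() or "latin-1", "replace")
        except LookupError:                           # unknown charset label
            text = body.decode("latin-1")
        lines = text.replace("\r\n", "\n").split("\n")
        tails = [ln[len(ln.rstrip(WS)):] for ln in lines]
        findings.append({
            "type": part.get_content_type(),
            "cte": (part.get("Content-Transfer-Encoding") or "7bit").lower(),
            "trailing_ws_lines": sum(1 for t in tails if t),
            "tab_lines": sum(1 for t in tails if "\t" in t),  # tabs at line end
            "nbsp": text.count("\u00a0"),                     # shown as \240 by od -c
        })
    return findings

def build_sample() -> bytes:
    """Constructed message: two lines sent as base64 text and as QP HTML."""
    plain = b"Love,\t \t\t\nIrongeek\t\t \n"        # tabs preserved inside base64
    qp_html = b"Love,=A0 =A0=20\nIrongeek=20=A0\n"   # no tabs, only 0x20/0xA0
    return b"\n".join([
        b"MIME-Version: 1.0",
        b'Content-Type: multipart/mixed; boundary="XX"',
        b"",
        b"--XX",
        b"Content-Type: text/plain; charset=US-ASCII",
        b"Content-Transfer-Encoding: base64",
        b"",
        base64.b64encode(plain),
        b"--XX",
        b"Content-Type: text/html; charset=ISO-8859-1",
        b"Content-Transfer-Encoding: quoted-printable",
        b"",
        qp_html + b"--XX--",
        b"",
    ])

if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```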