From: asb@cs.nott.ac.uk (Andrew Brown) Newsgroups: sci.crypt Subject: Hiding things in gzip files (source) Date: 28 Apr 94 12:49:02 GMT The attached patches will allow you to hide information inside GZIP compressed files. APPLYING THE PATCHES You need the gzip source code distribution. At the time of writing this is version 1.2.4. The patches are context diffs so you stand a good chance of them working on versions other than 1.2.4. Firstly unpack the gzip source tree, then unpack the attached patches into the main source directory. Now apply the patches thus: patch -c < patch1 patch -c < patch2 patch -c < patch3 Now all you need to do is follow the normal procedure for making gzip. USER INTERFACE A new option is added to gzip, "-s" or "--steg", that provides for the hiding/revealing of files. You hide files during compression and reveal them during decompression. e.g. gzip -s file-to-hide file-to-compress This will hide "file-to-hide" inside file-to-compress as it is compressed. Extracting a file could be done like this: gunzip -s file-to-extract-to compressed-file This will simultaneously decompress the compressed file and extract the hidden file to file-to-extract-to. To extract the hidden file without uncompressing you might do the following: gzip -cds file-to-extract-to compressed-file > /dev/null HOW IT'S DONE gzip uses LZ77 which compresses data by storing length/offset pairs that refer back in the uncompressed data stream to previous occurrences of the information being compressed. gzip considers a length of 3 to be the shortest acceptable length. We allow gzip to find the length/offset pairs and then do the following. If the length is at least 5 then we subtract 1 and set bit 0 to the value of the bit that we need to hide. We have now hidden information in the length without pushing it beyond a valid value. Drawbacks are a slight decrease in compression (very slight) since we have to disallow lengths of 4 and some of our meddling will decrease the actual matched length by 1. The hidden file is totally invisible to the normal operation of gzip, gunzip et al and (if encrypted) will only be visible to those in the know. When the "-s" flag is not used gzip performs as normal. Testing was performed on a 486/33 running Linux, using a 1Mb tar file to hide the test information inside. The patched files (inflate.c, deflate.c, gzip.c) should compile OK on any system that can compile gzip, although non-Unix users may have trouble applying the patches in the first place. My tests have shown that you can hide about 1 Kbyte in every 100 Kbytes of uncompressed data. This ratio would be considerably better if gzip wasn't so damned efficient :) Regards, - Andy From: ken@chinook.halcyon.com (Ken Pizzini) Newsgroups: sci.crypt Subject: Re: Hiding things in gzip files (source) Date: 29 Apr 1994 09:19:00 GMT In article <1994Apr28.124902.5107@cs.nott.ac.uk>, Andrew Brown wrote: >The attached patches will allow you to hide information inside GZIP >compressed files. The code has an amusing bug in that uncompressing a file will output the steganographied file to file descriptor 0. If you just use "gunzip foo.gz" you won't notice this, as the file foo.gz gets opened read only as fd 0; but if you use "gzip -dc foo.gz >foo" it is quite apparent. Here is a patch to fix this (apply to gzip source after Andrew's patches): ***begin patch*** --- inflate.c-stegbug Fri Apr 29 01:36:47 1994 +++ inflate.c Fri Apr 29 02:07:38 1994 @@ -592,7 +592,7 @@ * gzsteg: bit 0 of n is ours, so long as n>3 (MIN_MATCH) */ - if(n>3) + if(n>3 && steg) steg_wbit(n&1); /* do the copy */ ***end patch*** --Ken Pizzini