├── pymyool ├── pdftk.exe ├── libiconv2.dll └── pymyool.py ├── oldmyool ├── page.pdf ├── myool2.sh ├── myool3.sh ├── myool.sh ├── myool5.sh └── myool4.sh ├── README.md └── myool.sh /pymyool/pdftk.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cle0n/myool/HEAD/pymyool/pdftk.exe -------------------------------------------------------------------------------- /pymyool/libiconv2.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cle0n/myool/HEAD/pymyool/libiconv2.dll -------------------------------------------------------------------------------- /oldmyool/page.pdf: -------------------------------------------------------------------------------- 1 | %PDF-1.4 2 | 1 0 obj <> 3 | endobj 4 | 2 0 obj <> 5 | endobj 6 | 3 0 obj<> 7 | endobj 8 | 4 0 obj<>>> 9 | endobj 10 | 5 0 obj<> 11 | endobj 12 | 6 0 obj 13 | <> 14 | stream 15 | endstream 16 | endobj 17 | xref 18 | 0 7 19 | 0000000000 65535 f 20 | 0000000009 00000 n 21 | 0000000056 00000 n 22 | 0000000111 00000 n 23 | 0000000212 00000 n 24 | 0000000250 00000 n 25 | 0000000317 00000 n 26 | trailer <> 27 | startxref 28 | 406 29 | %%EOF 30 | -------------------------------------------------------------------------------- /oldmyool/myool2.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #========================================# 4 | # # 5 | # NAME : myool # 6 | # AUTHOR : cle0n # 7 | # VERSION : v2.0 # 8 | # PURPOSE : Hide a file in PDF # 9 | # without a blank page. 
# 10 | # # 11 | #========================================# 12 | 13 | # NOTE: MUST HAVE >> pdftk << INSTALLED 14 | 15 | # USAGE hide : myool.sh hide [file to hide] [targetpdf] 16 | # USAGE reveal : myool.sh reveal [targetpdf] 17 | 18 | if [ "$1" == "hide" ]; then 19 | 20 | # get the filename which includes the extension 21 | filetohide=$(basename "$2") 22 | targetpdf=$(basename "$3") 23 | 24 | #uncompress 25 | pdftk $targetpdf output uncomp.pdf uncompress 26 | 27 | sed -i '0,/endstream/s//72656269727468/' uncomp.pdf 28 | xxd -p $filetohide | sed -i -e '/^72656269727468/ r /dev/stdin' -i -e '// a endstream' uncomp.pdf 29 | 30 | #fix xref 31 | pdftk uncomp.pdf output fixref.pdf 32 | 33 | #compress 34 | pdftk fixref.pdf output final.pdf compress 35 | 36 | rm uncomp.pdf 37 | rm fixref.pdf 38 | 39 | elif [ "$1" == "reveal" ]; then 40 | 41 | targetpdf=$(basename "$2") 42 | 43 | #uncompress 44 | pdftk $targetpdf output uncomp.pdf uncompress 45 | 46 | sed -e '1,/72656269727468/d' -e '/endstream/,$d' uncomp.pdf | xxd -r -p > outfile 47 | 48 | rm uncomp.pdf 49 | 50 | else 51 | 52 | echo "USAGE hide : myool.sh hide [file to hide] [targetpdf]" 53 | echo "USAGE reveal : myool.sh reveal [targetpdf]" 54 | 55 | fi 56 | -------------------------------------------------------------------------------- /oldmyool/myool3.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #========================================# 4 | # # 5 | # NAME : myool # 6 | # AUTHOR : cle0n # 7 | # VERSION : v2.02 # 8 | # PURPOSE : Hide an encrypted file # 9 | # in a PDF # 10 | # # 11 | #========================================# 12 | 13 | # NOTE: MUST HAVE >> pdftk << INSTALLED 14 | 15 | 16 | ########################--> LOCATE ENTRY POINT <--######################## 17 | 18 | function locate_entry_point { 19 | local i=0 20 | local fire 21 | 22 | local image=(`grep -an '/Subtype /Image' uncomp.pdf | cut -d ':' -f1 `) 23 | fire=$image 24 | 25 | if [ -z $image 
]; then 26 | local typec=(`grep -an '/Subtype /Type1C' uncomp.pdf | cut -d ':' -f1 `) 27 | fire=$typec 28 | if [ -z $typec ]; then 29 | local bits=(`grep -an '/BitsPerSample' uncomp.pdf | cut -d ':' -f1 `) 30 | fire=$bits 31 | if [ -z $bits ]; then 32 | echo 1 33 | return 34 | fi 35 | fi 36 | fi 37 | 38 | local endstream=(`grep -an 'endstream' uncomp.pdf | cut -d ':' -f1 `) 39 | 40 | while true; do 41 | if [ "${fire[0]}" -lt "${endstream[$i]}" ]; then 42 | break 43 | else 44 | i=$((i + 1)) 45 | fi 46 | done 47 | echo ${endstream[$i]} 48 | } 49 | 50 | ########################################################################### 51 | # - BEGIN - # 52 | ########################################################################### 53 | if [ "$1" == "hide" ]; then 54 | 55 | # get the filename which includes the extension 56 | filetohide=$(basename "$2") 57 | targetpdf=$(basename "$3") 58 | 59 | echo "[*] Encrypting data" 60 | gpg --output enc.data --symmetric --cipher-algo AES256 $filetohide 2> /dev/null 61 | 62 | if [ $? != 0 ]; then 63 | echo "[-] Passwords don't match." 64 | exit 65 | fi 66 | 67 | echo "[*] Uncompressing target pdf" 68 | pdftk $targetpdf output uncomp.pdf uncompress 69 | 70 | echo "[*] Finding entry point ..." 71 | entrypoint=$(locate_entry_point) 72 | 73 | if [ "$entrypoint" == 1 ]; then 74 | echo "[-] No safe entrypoint found. Injecting into first stream..." 75 | sed -i '0,/endstream/s//firefirefire/' uncomp.pdf 76 | xxd -p enc.data | tr -d '\n' | sed -i -e '/firefirefire/ r /dev/stdin' -i -e '// a endstream' uncomp.pdf 77 | else 78 | echo "[+] Entry point located. Injecting..." 79 | xxd -p enc.data | sed -i -e ''"${entrypoint}"'s/endstream/firefirefire/' -i -e '/firefirefire/ r /dev/stdin' -i -e '// a endstream' uncomp.pdf 80 | fi 81 | 82 | rm enc.data 83 | 84 | echo "[*] Fixing the XREF. This may take while..." 
85 | pdftk uncomp.pdf output fixref.pdf 86 | rm uncomp.pdf 87 | 88 | echo "[*] Compressing" 89 | pdftk fixref.pdf output enc-$targetpdf compress 90 | rm fixref.pdf 91 | 92 | 93 | elif [ "$1" == "reveal" ]; then 94 | 95 | targetpdf=$(basename "$2") 96 | 97 | echo "[*] Uncompressing target pdf" 98 | pdftk $targetpdf output uncomp.pdf uncompress 99 | 100 | echo "[*] Attemping data extraction" 101 | #sed -e '1,/72656269727468/d' -e '/endstream/,$d' uncomp.pdf | sed -e "s/.\{60\}/&\n/g" | xxd -r -p > unenc.data 102 | sed -e '1,/firefirefire/d' -e '/endstream/,$d' uncomp.pdf | xxd -r -p > unenc.data 103 | rm uncomp.pdf 104 | 105 | echo "[*] Decrypting data" 106 | gpg --output outfile --decrypt unenc.data 2> /dev/null 107 | 108 | if [ $? != 0 ]; then 109 | echo "[-] You entered the wrong password. Nothing decrypted" 110 | else 111 | rm unenc.data 112 | fi 113 | 114 | else 115 | 116 | echo "USAGE hide : myool.sh hide [file to hide] [targetpdf]" 117 | echo "USAGE reveal : myool.sh reveal [targetpdf]" 118 | 119 | fi 120 | -------------------------------------------------------------------------------- /oldmyool/myool.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #========================================# 4 | # # 5 | # NAME : myool # 6 | # AUTHOR : cle0n # 7 | # VERSION : v1.01 # 8 | # PURPOSE : Hide a file in PDF # 9 | # # 10 | #========================================# 11 | 12 | # NOTE: MUST HAVE >> pdftk << INSTALLED 13 | 14 | # USAGE hide : myool.sh hide [file to hide] [targetpdf] 15 | # USAGE reveal : myool.sh reveal [targetpdf] 16 | 17 | if [ "$1" == "hide" ]; then 18 | file=$2 19 | attachpdf=$3 20 | 21 | # get the filename which includes the extension 22 | filename=$(basename "$file") 23 | 24 | # create temporary template based on PAGE.PDF 25 | cp "/usr/local/bin/page.pdf" insert.pdf 26 | 27 | # attach the file to PAGE.PDF and output the result to a new PDF (ATTACHEDTEMP.PDF) 28 | pdftk 
"/usr/local/bin/page.pdf" attach_files "$file" output attachedtemp.pdf 29 | # uncompress ATTACHEDTEMP.PDF and output the result to a new PDF (UNCOMP.PDF) (the file needs to be uncompressed for editing) 30 | pdftk attachedtemp.pdf output uncomp.pdf uncompress 31 | 32 | rm attachedtemp.pdf 33 | 34 | # extract everything between "stream" and "endstream" (i.e. the data) from UNCOMP.PDF and redirect it to a temporary txt file 35 | # in addition, the following command replaces all "('s" with BLEEEEEP and all ")'s" with BLOOOOORP in order to prevent unbalanced parentheses 36 | sed -e '1,/stream/d' -e '/endstream/,$d' -e 's/(/BLEEEEEP/g' -e 's/)/BLOOOOORP/g' uncomp.pdf > holdme.txt 37 | 38 | rm uncomp.pdf 39 | 40 | # insert the data from holdme.txt (stdout) into the temporary template INSERT.PDF after "stream" 41 | # ( BT ) begin text stream 42 | # ( /F1 1 ) sets the font and font size 43 | # ( Tf 9999 9999 ) sets the cursor position at x and y, which you can tell is way off the page 44 | # ( Td (... ) begins the text block 45 | # 46 | # ( '"\n$filename\n"'HIDDENFILE' -i -e '// r /dev/stdin' -i -e '// a HIDDENEND) Tj ET ) : 47 | # 1. inserts a newline, adds the filename, inserts a newline, 48 | # 2. inserts "HIDDENFILE" (identifier), 49 | # 3. inserts the data from "cat holdme.txt" (i.e. stdin), 50 | # 4. lastly inserts "HIDDENEND) Tj ET". (Tj - ends the text block, ET - ends the text stream) 51 | # 52 | cat holdme.txt | sed -i -e '/^stream/ a BT /F1 1 Tf 9999 9999 Td ('"\n$filename\n"'HIDDENFILE' -i -e '// r /dev/stdin' -i -e '// a HIDDENEND) Tj ET' insert.pdf 53 | 54 | rm holdme.txt 55 | 56 | # need to correct the XREF table, then compress it. 57 | pdftk insert.pdf output temp.pdf 58 | pdftk temp.pdf output comp.pdf compress 59 | 60 | # the last step is to append the the compressed PDF to another PDF as the last page. 
61 | pdftk "$attachpdf" comp.pdf cat output /home/${USER}/Desktop/ayy.pdf 62 | 63 | rm insert.pdf 64 | rm temp.pdf 65 | rm comp.pdf 66 | elif [ "$1" == "reveal" ]; then 67 | pdffile=$2 68 | 69 | # uncompress PDF and output result to a temporary PDF (need to uncompress inorder to edit text properly) 70 | pdftk $pdffile output $pdffile.tmp uncompress 71 | 72 | # the following command removes all the pages but the last and outputs the result to NEW.PDF 73 | pdftk $pdffile.tmp cat end output new.pdf 74 | 75 | # get the filename that was inserted before "HIDDENFILE" identifier 76 | filename=$(grep -ia -B 1 'HIDDENFILE' new.pdf | sed 's/HIDDENFILE.*//') 77 | 78 | # extract text(data) between "HIDDENFILE" and "HIDDENEND", return the brackets, and finally redirect that to the filename. 79 | sed -e '1,/HIDDENFILE/d' -e '/HIDDENEND/,$d' -e 's/BLEEEEEP/(/g' -e 's/BLOOOOORP/)/g' new.pdf > "/home/${USER}/Desktop/${filename}" 80 | 81 | rm $pdffile.tmp 82 | rm new.pdf 83 | else 84 | echo "USAGE hide : myool.sh hide [file to hide] [targetpdf]" 85 | echo "USAGE reveal : myool.sh reveal [targetpdf]" 86 | fi 87 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # myool 2 | 3 | The Python version of myool for both Windows and Linux. It is much faster since it doesn't hit disk a bunch of times. While functional(not really), it is not fully done yet. See pymyool.py for TODO list and usage. 4 | 5 | Encrypt a file(archive) using AES-256 and hide it in any pdf document. 
\**requires pdftk for PDF compression*\* 6 | 7 | ### To hide a file: 8 | ```bash 9 | ./myool.sh hide [filetohide] [targetpdf] 10 | ``` 11 | ### To reveal a file: 12 | ```bash 13 | ./myool.sh reveal [enc-targetpdf] 14 | ``` 15 | ### Timed Example (with 297Mb zip archive) 16 | 17 | ![alt text](https://cloud.githubusercontent.com/assets/23404638/21740196/0ec15d9a-d467-11e6-8b00-c83d2b18ae45.png "largefile") 18 | 19 | *note: pdftk may issue a warning when re-compressing* 20 | 21 | ### How it works 22 | These object parameters: **"/Subtype /Type1C", "/Subtype /Image", or "/BitsPerSample"**, define streams which can hold raw binary data. *myool* looks for these parameters and their corresponding "endstream" keywords, whose positions are recorded in an array of entrypoints. The entrypoints are shuffled randomly, then iterated through, copying one chunk of data into each. Each chunk is prefixed with a secret key and an order number so that it can be found and put back in order on extraction. The file signature of the encrypted data is also overwritten, so a search for that signature will fail; recovering the data requires knowing the key, collecting the chunks and re-ordering them. In myool.sh this key is the constant `6d796f6f6c` (the hex encoding of "myool") defined in the script, not a per-user secret, so it is also a fixed marker that can be searched for once the PDF is uncompressed; the confidentiality of the hidden file rests on the gpg passphrase. 23 | ``` 24 | 592 0 obj 25 | << 26 | /Subtype /Image <--- Safe entrypoint 27 | /Name /Im1 28 | /Type /XObject 29 | /Filter /DCTDecode 30 | /Width 700 31 | /Height 901 32 | /BitsPerComponent 8 33 | /Length 82894 <--- Size of image in bytes. 
Our appended data size will be added after recompression 34 | /ColorSpace /DeviceRGB 35 | >> 36 | stream 37 | ÿØÿà^@^PJFIF^@^A^B^A^@È^@È^@^@ÿá^S_Exif^@^@MM^@*^@^@^@^H^@^G^A^R^@^C^@^@^@^A^@^A^@^@^A^Z^@^E^@^@^@ 38 | ^A^@^@^@b^A^[^@^E^@^@^@^A^@^@^@j^A(^@^C^@^@^@^A^@^B^@^@^A1^@^B^@^@^@^T^@^@^@r^A2^@^B^@^@^@^T^@^@^@ 39 | <86><87>i^@^D^@^@^@^A^@^@^@<9c>^@^@^@È^@^@^@È^@^@^@^A^@^@^@È^@^@^@^AAdobe Photoshop 7.0^@2010:06:0 40 | 413:27:46^@^@^@^@^C ^A^@^C^@^@^@^Aÿÿ^@^@ ^B^@^D^@^@^@^A^@^@^B¼ ^C^@^D^@^@^@^A^@^@^C<85>^@^@^@^@^@ 41 | ^@^@^F^A^C^@^C^@^@^@^A^@^F^@^@^A^Z^@^E^@^@^@^A^@^@^A^V^A^[^@^E^@^@^@^A^@^@^A^^^A(^@^C^@^@^@^A^@^B^ 42 | @^@^B^A^@^D^@^@^@^A^@^@^A&^B^B^@^D^@^@^@^A^@^@^R1^@^@^@^@^@^@^@H^@^@^@^A^@^@^@H^@^@^@^AÿØÿà^@^PJFI 43 | F^@^A^B^A^@H^@H^@^@ÿí^@^LAdobe_CM^@^Bÿî.......raw binary data 44 | 6d796f6f6c7 <--- Identifier = "6d796f6f6c" + ordernumber(7) 45 | encrypted data chunk goes here <--- Appended data 46 | endstream 47 | ``` 48 | 49 | When it comes time to recompress the $targetpdf to $enc-targetpdf, *pdftk* will correct the objects and the XREF table to accommodate the increase in size. The result of this injection should not affect the quality of images, fonts, pages, loading times, etc. But that isn't guaranteed! Results may vary! 50 | 51 | If none of these parameters are found, the $targetpdf will still contain some stream that may be used for injection. Most of the time it is a text stream (*see below*). However, that stream may not be meant to hold raw binary data. 
52 | ``` 53 | 5 0 obj 54 | << 55 | /Length 98 <--- Gets fixed after recompression 56 | >> 57 | stream 58 | q 0.1 0 0 0.1 0 0 cm 59 | 0 g 60 | q 61 | 10 0 0 10 0 0 cm BT 62 | /R7 40 Tf 63 | 1 0 0 1 150 550 Tm 64 | (Hello World)Tj <--- Prints "Hello World" on the page 65 | ET 66 | Q 67 | Q 68 | 6d796f6f6c <--- Identifier 69 | encrypted data goes here <--- Appended data 70 | endstream 71 | ``` 72 | If that's the case, then there's a good chance you will run into warnings regarding the format or data on the page the data was injected into. The page could raise an error and/or not display anything at all. Lastly, depending on the size of the encrypted data, the resultant pdf may spend some time loading when you open it, before displaying the pages (regardless of which reader you use). 73 | -------------------------------------------------------------------------------- /oldmyool/myool5.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #========================================# 4 | # __ # 5 | # .--------.--.--.-----.-----.| | # 6 | # | | | | _ | _ || | # 7 | # |__|__|__|___ |_____|_____||__| # 8 | # |_____| # 9 | # # 10 | #========================================# 11 | # Version 2.4 12 | # AUTHOR: cle0n 13 | # Description: Encrypt a file and hide it in any PDF 14 | # Dependancies: pdftk 15 | 16 | # ISSUE: The EOF on enc.data and unenc.data are different. gpg therefore issues a warning before it decrypts. 17 | 18 | # Faster than current version (3?) because it doesn't have multiple entry points. thus multiples sed invocations. 
19 | 20 | ########################--> USAGE <--######################## 21 | 22 | usage() { 23 | echo "USAGE hide : myool.sh hide [file to hide] [targetpdf]" 24 | echo "USAGE reveal : myool.sh reveal [targetpdf]" 25 | } 26 | 27 | ########################--> LOCATE ENTRY POINT <--######################## 28 | 29 | locate_entry_point() { 30 | 31 | local array 32 | 33 | local image=(`grep -an '/Subtype /Image' uncomp.pdf | cut -d ':' -f1 `) 34 | array=(${image[*]}) 35 | 36 | if [ -z $image ]; then 37 | local typec=(`grep -an '/Subtype /Type1C' uncomp.pdf | cut -d ':' -f1 `) 38 | array=(${typec[*]}) 39 | if [ -z $typec ]; then 40 | local bits=(`grep -an '/BitsPerSample' uncomp.pdf | cut -d ':' -f1 `) 41 | array=(${bits[*]}) 42 | if [ -z $bits ]; then 43 | echo 1 44 | return 45 | fi 46 | fi 47 | fi 48 | 49 | local endstream=(`grep -an 'endstream' uncomp.pdf | cut -d ':' -f1 `) 50 | local es_count=0 51 | 52 | local arrayc=`wc -w <<< ${array[*]}` 53 | let local count="$arrayc - 1" 54 | 55 | while true; do 56 | if [ "${array[$count]}" -lt "${endstream[$es_count]}" ]; then 57 | break 58 | fi 59 | es_count=$((es_count + 1)) 60 | done 61 | 62 | echo ${endstream[$es_count]} 63 | } 64 | 65 | ########################--> HIDE <--######################## 66 | 67 | hide() { 68 | filetohide=$(basename "$2") 69 | targetpdf=$(basename "$3") 70 | 71 | echo "[*] Encrypting data" 72 | gpg --output enc.data --symmetric --cipher-algo AES256 $filetohide 2> /dev/null 73 | 74 | if [ "$?" != 0 ]; then 75 | echo "[-] Passwords don't match." 76 | exit 77 | fi 78 | 79 | echo "[*] Uncompressing target pdf" 80 | pdftk $targetpdf output uncomp.pdf uncompress 81 | 82 | echo "[*] Finding entry point ..." 83 | entrypoint=$(locate_entry_point) 84 | 85 | if [ "$entrypoint" == 1 ]; then 86 | echo "[-] No safe entrypoint found. Injecting into first stream..." 
87 | sed -i '0,/endstream/s//6d796f6f6c/' uncomp.pdf 88 | sed -i -e '/6d796f6f6c/ r enc.data' -e '// a endstream' uncomp.pdf 89 | else 90 | echo "[+] Entry point located. Injecting..." 91 | sed -i -e ''"${entrypoint}"'s/endstream/6d796f6f6c/' -e '/6d796f6f6c/ r enc.data' -e '// a endstream' uncomp.pdf 92 | fi 93 | 94 | rm enc.data 95 | 96 | echo "[*] Compressing. This may take while..." 97 | pdftk uncomp.pdf output enc-$targetpdf compress 98 | 99 | rm uncomp.pdf 100 | } 101 | 102 | ########################--> REVEAL <--######################## 103 | 104 | reveal() { 105 | targetpdf=$(basename "$2") 106 | 107 | echo "[*] Uncompressing target pdf" 108 | pdftk $targetpdf output uncomp.pdf uncompress 109 | 110 | echo "[*] Attemping data extraction" 111 | sed -e '1,/6d796f6f6c/d' -e '/endstream/,$d' uncomp.pdf > unenc.data 112 | rm uncomp.pdf 113 | 114 | echo "[*] Decrypting data" 115 | gpg --output outfile --decrypt unenc.data 2> /dev/null 116 | 117 | rm unenc.data 118 | } 119 | 120 | ########################--> MAIN <--######################## 121 | 122 | main() { 123 | if [ "$1" == "hide" ]; then hide $@; 124 | elif [ "$1" == "reveal" ]; then reveal $@; 125 | else usage; fi 126 | } 127 | 128 | main $@ 129 | -------------------------------------------------------------------------------- /pymyool/pymyool.py: -------------------------------------------------------------------------------- 1 | import os 2 | import re 3 | import sys 4 | import random 5 | from subprocess import Popen 6 | 7 | # TODO: error checking 8 | # TODO: payload encryption/encoding 9 | # TODO: patch xref 10 | # TODO: usage 11 | 12 | # usage: python myool.py [hide|reveal] [datatohide] targetpdf 13 | 14 | # uncompress -> compress -> package -> patch xref ? 
15 | 16 | KEY = 'Blu3ceLL' 17 | 18 | def ProcessContraband(datafile, arraysize): 19 | 20 | dataSize = os.stat(datafile).st_size 21 | BUFFER = dataSize / arraysize 22 | print ' Entrypoints\t : %d' % arraysize 23 | print ' Input Data Size : %d' % dataSize 24 | print ' Chunk Size\t : %d\n' % BUFFER 25 | 26 | with open(datafile, 'r+b') as data: 27 | d_array = [] 28 | while True: 29 | chunk = data.read(BUFFER) 30 | if not chunk: break 31 | d_array.append(chunk) 32 | 33 | if len(d_array) > arraysize: 34 | d_array[arraysize - 1] += d_array[arraysize] 35 | del d_array[arraysize] 36 | 37 | r_array = [0 + n for n in xrange(arraysize)] 38 | random.shuffle(r_array) 39 | 40 | return d_array, r_array 41 | 42 | def Packager(datafile, target): 43 | Pdftk_UncompressPDF(target) 44 | 45 | with open('uncomp.pdf', 'r+b') as pdf: 46 | src = pdf.read() 47 | 48 | os.remove('uncomp.pdf') 49 | array = re.findall('(/Subtype /Image|/Subtype /Type1C|/BitsPerSample)', src) 50 | 51 | if not array: 52 | print '[-] No entrypoints found. Aborting.' 53 | exit 54 | 55 | count = 0 56 | arraysize = len(array) 57 | d_array, r_array = ProcessContraband(datafile, arraysize) 58 | 59 | temp = '' 60 | if arraysize == 1: 61 | print '[+] Only one entrypoint located. Inserting Data...' 
62 | temp += src.split(array[0])[0] + array[0] 63 | temp += (src.split(array[0])[1].split('endstream')[0] + KEY + '0_' + d_array[0] + 'endstream') 64 | temp += src.split(array[0])[1].split('endstream', 1)[1] 65 | WriteFile('enc-file.pdf', temp) 66 | else: 67 | print ' [+] Inserting DATA CHUNK 1' 68 | temp += src.split(array[0])[0] + array[0] 69 | temp += ((src.split(array[0])[1] + array[0]).split(array[1])[0]).split('endstream')[0] + KEY + str(r_array[0]) + '_' + d_array[r_array[0]] + '\nendstream' 70 | temp += src.split(array[0])[1].split(array[1])[0].split('endstream')[1] + array[1] 71 | 72 | for index in xrange(1, arraysize - 1): 73 | print ' [+] Inserting DATA CHUNK %d' % (index+1) 74 | count = len(temp.split(array[index])) - 1 75 | temp += src.split(array[index])[count].split(array[index+1])[0].split('endstream', 1)[0] + KEY + str(r_array[index]) + '_' + d_array[r_array[index]] + '\nendstream' 76 | temp += src.split(array[index])[count].split(array[index+1])[0].split('endstream', 1)[1] + array[index+1] 77 | 78 | print ' [+] Inserting DATA CHUNK %d' % arraysize 79 | temp += src.split(array[arraysize-1])[count+1].split('endstream')[0] + KEY + str(r_array[arraysize - 1]) + '_' + d_array[r_array[arraysize - 1]] + '\nendstream' 80 | temp += src.split(array[arraysize-1])[count+1].split('endstream', 1)[1] 81 | 82 | WriteFile('enc-file.pdf', temp) 83 | 84 | # TOO DAMN SLOW 85 | Pdftk_CompressPDF('enc-file.pdf') 86 | os.remove('enc-file.pdf') 87 | 88 | def WriteFile(filename, data): 89 | with open(filename, 'wb') as outfile: 90 | outfile.write(data) 91 | 92 | def ItsChristmas(target): 93 | print '[*] Retrieving Package.' 
94 | with open(target, 'r+b') as pdf: 95 | src = pdf.read() 96 | 97 | REGEX1 = KEY + '(.*?)\nendstream' 98 | DataChunks = re.findall(REGEX1, src, re.DOTALL) 99 | DataChunks.sort() 100 | 101 | Data = '' 102 | for chunk in DataChunks: 103 | Data += chunk.split('_', 1)[1] 104 | 105 | with open('outfile', 'w+b') as outfile: 106 | outfile.write(Data) 107 | 108 | def Pdftk_UncompressPDF(target): 109 | proc = Popen(['pdftk.exe', target, 'output', 'uncomp.pdf']) 110 | print '\n[*] Uncompressing target PDF.\n' 111 | proc.wait() 112 | 113 | def Pdftk_CompressPDF(target): 114 | proc = Popen(['pdftk.exe', target, 'output', 'compressed.pdf']) 115 | print '\n[*] Compressing target PDF. This may take a looong time.' 116 | proc.wait() 117 | 118 | if __name__ == "__main__": 119 | if sys.argv[1] == 'hide': 120 | Packager(sys.argv[2], sys.argv[3]) 121 | if sys.argv[1] == 'reveal': 122 | ItsChristmas(sys.argv[2]) 123 | -------------------------------------------------------------------------------- /oldmyool/myool4.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #========================================# 4 | # # 5 | # NAME : myool # 6 | # AUTHOR : cle0n # 7 | # VERSION : v2.02 # 8 | # PURPOSE : Hide an encrypted file # 9 | # in a PDF # 10 | # # 11 | #========================================# 12 | 13 | # NOTE: MUST HAVE >> pdftk << INSTALLED 14 | 15 | # This version of myool attempts to fix the XREF table of the pdf without pdftk. It works but takes too long. Might as well just use pdftk 16 | 17 | 18 | # patching the xref is one line 19 | # fix problem with object not inserting into the last stream 20 | # use wc -m not wc -c 21 | # probably don't even need to fix the xref table... 
22 | 23 | ############################--> PATCH XREF <--############################ 24 | 25 | function patch_xref { 26 | 27 | local line=`grep -an 'xref' uncomp.pdf` 28 | local xref=`echo $line | awk '{print $1}' | cut -d ':' -f1` 29 | local startxref=`echo $line | awk '{print $2}' | cut -d ':' -f1` 30 | local off=$1 31 | local size=$2 32 | local xrefsize=`sed -e '1,/xref/d' -e '/trailer/,$d' uncomp.pdf | wc -l` 33 | #local xrefsize=`sed -e '1,/xref/d' -e '/trailer/,$d' data | cat -n | tail -n 1 | awk '{ print $1}'` 34 | 35 | 36 | while [ "$off" -le "$xrefsize" ]; do 37 | sed -i -e ''"$((xref + off))"'s/0*//' -i -e ''"$((xref + off))"'s/[0-9]*/echo $((&+'"$size"'))/e' uncomp.pdf 38 | sed -i -r -e ''"$((xref + off))"'s/[0-9]/000000000&/' -i -e ''"$((xref + off))"'s/0*([0-9]{10}[^0-9])/\1/' uncomp.pdf 39 | off=$((off + 1)) 40 | done 41 | 42 | #local val=`sed -n '/startxref/{n:p}' uncomp.pdf` 43 | sed -i '/startxref/{n;s/.*/echo $((& + '"$size"'))/e}' uncomp.pdf 44 | 45 | 46 | } 47 | 48 | 49 | ########################--> LOCATE OBJ NUMBER <--######################### 50 | 51 | function get_obj { 52 | 53 | local i=0 54 | local dope=(`grep -an '.*[0-9] obj' uncomp.pdf | awk '{print $1}'`) 55 | 56 | while true; do 57 | if [ `cut -d ':' -f1 <<< ${dope[$i]}` -gt "$1" ]; then 58 | i=$((i - 1)) 59 | cut -d ':' -f2 <<< ${dope[$i]} 60 | break 61 | fi 62 | i=$((i + 1)) 63 | done 64 | 65 | } 66 | 67 | 68 | ########################--> LOCATE ENTRY POINT <--######################## 69 | 70 | function locate_entry_point { 71 | local fire 72 | 73 | local image=(`grep -an '/Subtype /Image' uncomp.pdf | cut -d ':' -f1 `) 74 | fire=$image 75 | 76 | if [ -z $image ]; then 77 | local typec=(`grep -an '/Subtype /Type1C' uncomp.pdf | cut -d ':' -f1 `) 78 | fire=$typec 79 | if [ -z $typec ]; then 80 | local bits=(`grep -an '/BitsPerSample' uncomp.pdf | cut -d ':' -f1 `) 81 | fire=$bits 82 | if [ -z $bits ]; then 83 | echo 1 84 | return 85 | fi 86 | fi 87 | fi 88 | 89 | local 
endstream=(`grep -an 'endstream' uncomp.pdf | cut -d ':' -f1 `) 90 | 91 | # es_count=`echo ${endstream[*]} | wc -w` 92 | # let es_count="$es_count - 1" 93 | local es_count=0 94 | 95 | fire_count=`echo ${fire[*]} | wc -w` 96 | let fire_count="$fire_count - 1" 97 | 98 | local obj 99 | 100 | while true; do 101 | if [ "${fire[$fire_count]}" -lt "${endstream[$es_count]}" ]; then 102 | break 103 | else 104 | es_count=$((es_count + 1)) 105 | fi 106 | done 107 | 108 | obj=$(get_obj ${fire[$fire_count]}) 109 | 110 | echo ${endstream[$es_count]} $obj 111 | } 112 | 113 | ########################################################################### 114 | # - BEGIN - # 115 | ########################################################################### 116 | if [ "$1" == "hide" ]; then 117 | 118 | # get the filename which includes the extension 119 | filetohide=$(basename "$2") 120 | targetpdf=$(basename "$3") 121 | 122 | echo "[*] Encrypting data" 123 | gpg --output enc.data --symmetric --cipher-algo AES256 $filetohide 2> /dev/null 124 | 125 | if [ $? != 0 ]; then 126 | echo "[-] Passwords don't match." 127 | exit 128 | fi 129 | 130 | echo "[*] Uncompressing target pdf" 131 | pdftk $targetpdf output uncomp.pdf uncompress 132 | 133 | echo "[*] Finding entry point ..." 134 | entrypoint=$(locate_entry_point) 135 | entrypoint=`cut -d ' ' -f1 <<< $entrypoint` 136 | obj=`cut -d ' ' -f2 <<< $entrypoint` 137 | 138 | if [ "$entrypoint" == 1 ]; then 139 | echo "[-] No safe entrypoint found. Injecting into first stream..." 140 | sed -i '0,/endstream/s//firefirefire/' uncomp.pdf 141 | xxd -p enc.data | tr -d '\n' | sed -i -e '/firefirefire/ r /dev/stdin' -i -e '// a endstream' uncomp.pdf 142 | else 143 | echo "[+] Entry point located. Injecting..." 144 | xxd -p enc.data | sed -i -e ''"${entrypoint}"'s/endstream/firefirefire/' -i -e '/firefirefire/ r /dev/stdin' -i -e '// a endstream' uncomp.pdf 145 | fi 146 | 147 | rm enc.data 148 | 149 | echo "[*] Fixing the XREF." 
150 | size=`wc -c $filetohide` 151 | patch_xref $obj $size 152 | #pdftk uncomp.pdf output fixref.pdf 153 | #rm uncomp.pdf 154 | 155 | echo "[*] Compressing. This may take while..." 156 | pdftk uncomp.pdf output enc-$targetpdf compress 157 | rm uncomp.pdf 158 | #pdftk fixref.pdf output enc-$targetpdf compress 159 | #rm fixref.pdf 160 | 161 | 162 | elif [ "$1" == "reveal" ]; then 163 | 164 | targetpdf=$(basename "$2") 165 | 166 | echo "[*] Uncompressing target pdf" 167 | pdftk $targetpdf output uncomp.pdf uncompress 168 | 169 | echo "[*] Attemping data extraction" 170 | #sed -e '1,/72656269727468/d' -e '/endstream/,$d' uncomp.pdf | sed -e "s/.\{60\}/&\n/g" | xxd -r -p > unenc.data 171 | sed -e '1,/firefirefire/d' -e '/endstream/,$d' uncomp.pdf | xxd -r -p > unenc.data 172 | rm uncomp.pdf 173 | 174 | echo "[*] Decrypting data" 175 | gpg --output outfile --decrypt unenc.data 2> /dev/null 176 | 177 | if [ $? != 0 ]; then 178 | echo "[-] You entered the wrong password. Nothing decrypted" 179 | else 180 | rm unenc.data 181 | fi 182 | 183 | else 184 | 185 | echo "USAGE hide : myool.sh hide [file to hide] [targetpdf]" 186 | echo "USAGE reveal : myool.sh reveal [targetpdf]" 187 | 188 | fi 189 | -------------------------------------------------------------------------------- /myool.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #========================================# 4 | # __ # 5 | # .--------.--.--.-----.-----.| | # 6 | # | | | | _ | _ || | # 7 | # |__|__|__|___ |_____|_____||__| # 8 | # |_____| # 9 | # # 10 | #========================================# 11 | # Version: 3 ? 12 | # AUTHOR: cle0n 13 | # Description: Encrypt a file. Split it up. Scramble the chunks and hide it in any PDF 14 | # Requires: pdftk 15 | # Tested on Ubuntu, Debian 16 | 17 | # : The EOF on enc.data and unenc.data are different. gpg issues a warning before it decrypts. 
18 | 19 | ########################--> USAGE <--######################## 20 | 21 | usage() { 22 | echo "USAGE hide : myool.sh hide [file to hide] [targetpdf]" 23 | echo "USAGE reveal : myool.sh reveal [targetpdf]" 24 | } 25 | 26 | ##########################--> GET INCREMENTOR <--######################### 27 | 28 | get_incrementor() { 29 | local e_count=$1 30 | local newlines=$2 31 | 32 | incrementor=$((newlines / e_count)) 33 | 34 | if [ $newlines -lt $e_count ]; then 35 | # return 1 = no split. 36 | echo 1 37 | return 38 | fi 39 | 40 | echo $incrementor 41 | } 42 | 43 | 44 | ########################--> LOCATE ENTRY POINTS <--######################## 45 | 46 | locate_entry_points() { 47 | 48 | local array 49 | 50 | array+=(`grep -an '/Subtype /Image' uncomp.pdf | cut -d ':' -f1 `) 51 | array+=(`grep -an '/Subtype /Type1C' uncomp.pdf | cut -d ':' -f1 `) 52 | array+=(`grep -an '/BitsPerSample' uncomp.pdf | cut -d ':' -f1 `) 53 | if [ -z $array ]; then 54 | echo 1 55 | return 56 | fi 57 | 58 | local endstream=(`grep -an 'endstream' uncomp.pdf | cut -d ':' -f1 `) 59 | local es_count=0 60 | 61 | local arrayc=${#array[*]} 62 | local index=0 63 | 64 | array=(`echo ${array[*]} | tr ' ' '\n' | sort -n | tr '\n' ' '`) 65 | 66 | while [ $index -lt $arrayc ]; do 67 | if [ ${array[$index]} -lt ${endstream[$es_count]} ]; then 68 | newerarray+=(${endstream[$es_count]}) 69 | index=$((index + 1)) 70 | fi 71 | es_count=$((es_count + 1)) 72 | done 73 | 74 | newerarray=(`shuf -e ${newerarray[*]} | tr "\n" " "`) 75 | 76 | local newlines=`wc -l enc.data | cut -d ' ' -f1` 77 | incrementor=$(get_incrementor $arrayc $newlines) 78 | 79 | for (( i=0; i<${arrayc}-1; i++ )); 80 | do 81 | for (( j=${i}; j<${arrayc}-1; j++ )); 82 | do 83 | if [ ${newerarray[$j+1]} -gt ${newerarray[$i]} ]; then 84 | ((newerarray[$j+1]+=$incrementor+1)) 85 | fi 86 | done 87 | done 88 | 89 | echo $incrementor $arrayc $newlines ${newerarray[*]} 90 | } 91 | 92 | ########################--> HIDE 
<--######################## 93 | 94 | hide() { 95 | filetohide=$(basename "$2") 96 | targetpdf=$(basename "$3") 97 | key="6d796f6f6c" 98 | 99 | echo "[*] Encrypting data" 100 | gpg --output enc.data --symmetric --cipher-algo AES256 $filetohide 2> /dev/null 101 | 102 | if [ "$?" != 0 ]; then 103 | echo "[-] Passwords don't match." 104 | exit 105 | fi 106 | 107 | echo "[*] Overwriting gpg file signature" 108 | ranbytes=`xxd -l 6 /dev/urandom | cut -d ' ' -f2,3,4 | tr -d ' '` 109 | echo -n "0: $ranbytes" | xxd -r - enc.data 110 | 111 | echo "[*] Uncompressing target pdf" 112 | pdftk $targetpdf output uncomp.pdf uncompress 113 | 114 | echo "[*] Calculating entry points..." 115 | read incrementor e_count newlines entrypoints < <(locate_entry_points) 116 | entrypoints=($entrypoints) 117 | 118 | if [ $entrypoints -eq 1 ]; then 119 | echo "[-] No safe entrypoints found. Injecting everything into first stream..." 120 | sed -i '0,/endstream/s//'"$key"'/' uncomp.pdf 121 | sed -i -e '/'"$key"'/ r enc.data' -e '// a endstream' uncomp.pdf 122 | else 123 | echo "[+] Entry points located. Injecting..." 124 | 125 | index=0 126 | startblock=1 127 | endblock=$((startblock+incrementor-1)) 128 | entry=${entrypoints[$index]} 129 | 130 | # faster way to use sed here? 131 | while [ $index -lt $e_count ]; do 132 | sed -i \ 133 | ''"$entry"' { 134 | s/endstream/'"$key"''"$index"'/ 135 | a endstream 136 | p 137 | s/'"$key"''"$index"'/sed '"$startblock"','"$endblock"'!d enc.data/e 138 | }' uncomp.pdf 139 | 140 | ((index++)) 141 | ((entry=entrypoints[index])) 142 | ((startblock=endblock+1)) 143 | ((endblock=endblock+incrementor)) 144 | 145 | if [ $index -eq $((e_count-1)) ]; then 146 | ((endblock+=99999)) 147 | fi 148 | done 149 | fi 150 | 151 | rm enc.data 152 | 153 | echo "[*] Compressing. This may take while..." 
154 | pdftk uncomp.pdf output enc-$targetpdf compress 155 | 156 | rm uncomp.pdf 157 | } 158 | 159 | ########################--> REVEAL <--######################## 160 | 161 | reveal() { 162 | targetpdf=$(basename "$2") 163 | key="6d796f6f6c" 164 | index=0 165 | 166 | echo "[*] Uncompressing target pdf" 167 | pdftk $targetpdf output uncomp.pdf uncompress 168 | 169 | count=`grep -a $key uncomp.pdf | wc -l` 170 | 171 | echo "[*] Attemping data extraction" 172 | while [ $index -lt $count ]; do 173 | sed '1,/'"$key"''"$index"' /d;/endstream/,$d' uncomp.pdf >> unenc.data 174 | ((index++)) 175 | truncate -s -1 unenc.data 176 | done 177 | 178 | echo "[*] Rewriting gpg file signature" 179 | gpgsig="8c0d04090302" 180 | echo -n "0: $gpgsig" | xxd -r - unenc.data 181 | 182 | rm uncomp.pdf 183 | 184 | echo "[*] Decrypting data" 185 | gpg --output outfile --decrypt unenc.data 2> /dev/null 186 | 187 | rm unenc.data 188 | } 189 | 190 | ########################--> MAIN <--######################## 191 | 192 | main() { 193 | if [ "$1" == "hide" ]; then hide $@; 194 | elif [ "$1" == "reveal" ]; then reveal $@; 195 | else usage; fi 196 | } 197 | 198 | main $@ 199 | --------------------------------------------------------------------------------