/qresearch/ - Q Research

>>9038853

Ghidra isn't really a steganography tool

more a tool to crack programs, reverse engineer programs and some limited forms of security analysis and network analysis

>It has been a struggle to get others involved on this route.

ya, it has, been trying for a while

>>>/comms/3264

hacking, cracking background

some crypto & steg experience

been looking at Q posted graphics and so far have found nothing substantial either

possibilities

a. nothing to find

b. don't have password for specific program used

steganography is almost impossible to crack if you don't know the program / algorithm used

still waiting for further crumbs from Q

>>9040069

>Ghidra isn't really a steganography tool

Q re-posted the link to Ghidra last night along with two pics, one of them a gift.

He doesn't post things without meaning and stated:

"Toolkits can be helpful. Q"

Based on that I think you are incorrect.

I believe there is something to find in all of his pics.

>>9040069

This is correct, that it isn't a stego tool. it is a reversing tool. What I was trying to communicate is that there is stegonography in many of these images, as well as embedded code. You can see some of my posts in the twitter link.

The image of Ghidra that I posted is the disassembled 8chan image. I should have been more clear

Thank you for this discussion, I am studying Industrial and Human Factors Engineering as a second masters track. Stopped Course for bit for health and money issues then November 2016 miracle happened. Followed crumbs from others to Q. Which direction are you headed with the this dig?

>>9041408

The Ghidra reference is really for reversing, so in that regard, I would try to figure out what these functions are actually doing inside of the image. The fact that they is a "Keyword" in the exif data is a start.

What I have been working on the past number of months is finding cryptographic keys. I am convinced that Q post 1441 has an encryption certificate in it. I can see pieces of it, but can seem to cryptographically, or stegonographically extract them.

What one of the above posters said is true, that if you don't have the key and don't know algorithm, then decryping is worthless.

However, Q posted the work "Spray" (like password spraying?). A technique I use when hacking things with a password. Just brute forcing the crap out of it.

>>9042267

Excuse me… the "gift" image…no present

>>9042267

>>9042267

is that brainfuck code?

>>9042267

>>9042464

https://en.wikipedia.org/wiki/Brainfuck

Pretty sure Q is showing the world how this language is unknown to quite a many and is something that needs to be addressed. This level of programming .. To older people it is simple.. a very few at that. and to a great many more they are more interested in the higher levels of code beyond the base. This is interesting to see again. Especially considering how game developers have been requiring users to submit to playing via essentially a streaming service now.

>>9042718

Think code injection or the like to induce reactions etc. this is beyond the gaming level but it is a start.

what if parts of a program were hidden in different images?

>>9042549

Exactly what I'm talking about! Now we are getting somewhere. You think a random brainfuck string is embedded in a Jpg binary, entitle Present? And that value ens up being -17? I don't think so.

>>9042985

tbh i couldnt reproduce that result on any other online brainfuck compilers. like i said, seems like a fluke. i didnt put enugh time into it to try to hand convert whatever that string is in bf.

>>9042906

Well, if you load the image into Ghidra (and originally I was using a software called radare2), there are "bytecode" functions which are identified. Bytecode is compiled binary/assembly which is actually executable code. (this is why "stegonography" and such are closely correlated with the work I have been doing.)

Now, when you are looking for random opcodes, in a sea of bytes (all the images) you are bound to run across a crapton of false positives. Like, a lot. So the key is to be able to know if any bytecode returns are legit (ie, the assembly code interpreted actually makes sense)

The code in the 8chan image does. Now what it is doing, I am not sure yet. But Ghidra interprets it properly as functions with parameters which are initialized, and then referenced/assigned, with conditional loops etc.

This would be hard to do randomly

>>9043048

They seem to be pieces to a binary whose "entrypoint" I cannot find. It also helps to have an idea what architecture the binary pieces were intended to run on, as that will dictate how the bytecode is actually interpreted.

>>9039279

What Architecture did you import as?

>>9043296

You said in Ghidra you imported those images, and found said doc. when importing raw data in Ghidra you must sepcify architecture.

O just detail where you found said pdf link

>>9043296

>>9043374

Disregard, I got what you mean. My brain is on empty. And thanks for those screengrabs

>>9042267

Tried concerting the +/- to number string and letters for passphrase…did not appear to work with steghide passphrase. There is definitely information in the gift file. If you fire up the image in GIMP you will find blocked out pixels at another layer. Use the brightness and contrast tools in gimp to reveal.

The "punisher pic" also reveals interesting information when using the brightness and contrast tools in gimp haven't fully revealed the information but there are patterns there. Ghidra may help on the gift image. I had an older version and was unable to get through the python analysis before it would crash my systeem. (I was on a shitty laptop.)

>>9043470

Close….go the other direction on the spectrum to see if you see what I am seeing. Here is the hint I used…Get it to the point where you are making "red cross" like lines in the forehead area. I will have look at what you are seeing. TY

>>9043561

>>9043666

Believe it or not, i made a python program to read one of them

>>9043728

8kun snake logo ? i almost see it if i stretch my imagination haha

>>9043689

I like your thinking anyway. Nice work!

I was thinking tineye search for original. If difference file compare script.

>>9043728

So moving the spectrum to the other end reveals a braille like dot patterns. Gets the image to red and white lines ( a few red / white crosses) reveals dot patterns the remind me of braille. Haven't tuned it in fully for decode. Just throwing that out there. Braille (dot patterns) is a common message passing technique for StegAnons

>>9042267

looks like a voice frequency

>>9044191

It looks like sprites of an aztec dude running and doing flying kicks for an 8bit game

Anybody get Ghidra to work with Eclipse (java)?

>>9041828

file names seem to be pointing to abstract items or strings of information that are not random. You are aware of the cypher the founders used? books at the lib of congress cover it

So here is a path from the punisher file name capitals TTiC the file name transposed, missing, or incorrect syntax are paths to endless data… seems to point to 1-99 items that tie each bad actor by money deed generational to the main death cult [93]

>>9045175

If this is part of the "map" then "news" unlocks it

How do we know that there isn't spyware or malware or a

rootkit or whatever, embedded in the ghidra code itself?

Stegano & reverse-engineering compiled code both interest

me, and I've always suspected (from the first time that Q

said, "you have more than you know"), that there might be a

lot of stegano in at least some of the images (and I have in

fact gone and looked inside some, finding nothing – which

doesn't mean it isn't there, but might mean there isn't – so,

this all interests me, but I'm not installing software on any of

my computers, that is DL'ed from this Wilderness of Mirrors,

unless I have solid reasons to trust it isn't itself malware/d.

>>9046487

If future unlocks past, then maybe

"future" is the keyword – to unlock

some or other thing that is tagged

with "past" as a label.

I'm just speculating, here.

>>9046953

you don't so sand box it

>>9047252

Amen to this. These tools don't need internet. Running in a networkless VM is highly recommended.

>>9046953

>How do we know that there isn't spyware or malware or a rootkit or whatever, embedded in the ghidra code itself?

You mean so the NSA could get access to your personal information?

Have you even thought this through or are you just typing things as they flash into your little brain?

>>9047252

>>9046953 ( Yep Yep never trust anything)

>>9047369

Sandbox isolation works well but at the end of the day if you are running anything other than linux secure OSs you are already sharing your information. This is why we are actually working with Ghidra. To mitigate that challenge. Kinda like cleaning the garage. You have to make a mess before you can get cleaned up and organized.

>>9046965

WHO knows?

Keep thinking like this.

>>9047426

Jah me heart'E: ['ow's Davy do'n?]

Brainfuck<:>K.I.S.S.

F.I.R.E. ('n 'Hank's Louise) 'bout time, too.

Fire. . .. … (phive)<:>Live

A<:>D<:>Ana.

Circle-of-5ths<:>[,]7!

Fire!

Again: Louise_5; Out STAND'n!

>JAH FIRE - RASTA FOR LOVE AND PEASE

https://www.youtube.com/watch?v=X0B6zUykXWk

>>9043470

the orange section could be pineal related.

>>9047720

agree

>>9046953

Doesn't matter what is embedded in source of Ghidra. I have come about two and a half years following Q. I have to believe that if there is embedded code, it must be beneficial. Otherwise we don't "trust the plan", and if that WHAT THE FUCK ARE WE DOING HERE? In for a penny; In for a pound! WWG1WGA!

>>9048298

How about if Q has embedded a key to unlock steg info in every pic they have posted? Worth building a Virtual Box! Hell, its worth a shot on my home laptop! LOL

>>9046965

Maybe faggot, but we also have almost three years worth of drops to sort through and and see if any of them get new meanings because of this.

the filenames of Qs Images have always intrigued me.

Maybe put all of them chronologically together and decode?

I'm sure if someone gets creative enough there will be something.

other Ideas

- try putting meta/exif-info tags together from multiple Images

- always the "last" or "first" few characters of the actual Image Info

Might also make sense to think how one would go about to code info-snippets into these images.

I'm quite sure that if there is more info embedded in the images, in the end its something simple.

If there is info like "the Map" there must be a lot of characters - and it would take multiple Images to hide it, since the malformation of jpegs can only go so far until it breaks noticably down. Keep this in mind while experimenting.

>>9047423

true on the garbage

>>9048580

my oldest fine so far was 1867, railroad times, a financial newspaper with article written by [Librairain of congress] He was wrote about the need for central bank to foundry of their works…. projection for the changes to come

Ghidra / SRE Resources

For those that might be interested and struggle with how to start, or can't find help.

Course and Resources

Reverse Engineering Tutorial: How to Reverse Engineer Any Software

https://blog.udemy.com/reverse-engineering-tutorial/

Data Structures and Algorithms: Deep Dive Using Java

https://www.udemy.com/course/data-structures-and-algorithms-deep-dive-using-java/

GitHub Ultimate: Master Git and GitHub - Beginner to Expert

https://www.udemy.com/course/github-ultimate/

The Complete Networking Fundamentals Course. Your CCNA start

https://www.udemy.com/course/complete-networking-fundamentals-course-ccna-start/

Complete Python Bootcamp: Go from zero to hero in Python 3

https://www.udemy.com/course/complete-python-bootcamp/

97-things-every-programmer-should-know

https://github.com/97-things/97-things-every-programmer-should-know/tree/master/en

https://github.com/97-things/97-things-every-programmer-should-know

Articles and Blogs

How to start out in reverse engineering?

https://www.reddit.com/r/ReverseEngineering/comments/12ajwc/how_to_start_out_in_reverse_engineering/

How to Reverse Engineer Software

https://techeries.com/how-to-reverse-engineer-software/

The Power of Reverse Engineering

https://www.thesoftwareguild.com/blog/what-is-reverse-engineering/

>>9047567

>>9046965

>>9048359

>>9048580

Did a search last night on images posted with the name unknown. There are not that many …. if I remember correctly there were 8 total.

Just following this path for a bit digging through the metadata and potential strings.

>>9048307

That would be nice.

I am enjoying the show and playing in an area I love. Its great expanding my knowledge on Ghidra, and other NSA tools and playing around with Steganography. Its great hanging with like minded anons diggin for the truth and taking down the [DS} at the same time.

Comfy AF!

>>9039279

Not seeing anything like that, it should be embedded code, not a link.

What language/architecture did you use?

Can you post a screenshot of the link in Ghidra?

>>9039279

Not seeing this either….Can you post the steps you performed do find this pdf?

Could Q have dropped it to reverse this Pandora's Box on the NWO's control system?

This guy found what looks to be the motherload of control grid

>>9039279

You’re full of shit. Your screen shot shows Copia.exe which is malware, not the JPEG file. There’s no pdf file in the image.

Fuck off.

>>9055716

The only thing he could've found was the link in encrypted form. The file is too small to contain the PDF. I'd say he's lying - no reason not to post where the link was.

>>9059825

He’s full of shit.

>>9047369

You know, I almost impulsively carpet-bombed you back with insults – but then I realized:

you are almost certainly sperging out, and not shilling, so, hail and well-met, brother anon.

#pro-tip: on the internet, $="no one knows you're a dog".

One posts things into the vasty deep, to see what calls back. One baits a hook, according

to what fish one wishes to catch. One scans this part of the EM spectrum, and not that one,

to see who is broadcasting here, and not there. One pretends to be this kind of poster, so in

the event of a reply, one may make inferences from data unobtainable by posting as some or

other different set of personae.

Alle ist so kläre wie schläm?

The only picture I've found anything is the punisher pic with the grey stripe at the lower edge. That one has 60kb of extra data. Went through it with a hex editor and binwalk. There's two valid png blocks of which the first is the image. The second I have no idea what is.

>>9038853

Your image of Ghidra…There is no function in the main window, how are you seeing that in the decompiler? The address in the decompile image doesn’t match the listing window.

>>9059895

Which Q post is that in?

>>9048298

I had had similar thoughts, and it is interesting to see them echoed.

But I have been following "this" story, in its broadest context, for, I dunno, close on 50 years. It surprised me completely when I realized that was the case, about 35-40 years in: I had always thought it was a bunch of separate, unrelated weird things, but it turns out it is one big weird thing. Or mostly so, anyway.

The digger you deep, the getter it weirds. The sophistication of some of the less obvious psy-ops is mind-bending to behold. Their implicit malice, inarguable.

If Clown City in Langley Virginia is setting up false drop boxes so they can catch, and do wet jobs on, bona fide US patriots who've decided to risk all and be whistle-blowers, then …?

If Snowden was sent to Kansas as an infiltrator, to do sabotage, so an entire, vast, fake privacy-theft crisis could be run, to conceal-in-plain-sight, another, far vaster one, then …?

If the moment facial recognition CCTV-harvesting AI's become technologically feasible, all of the sudden tattoo parlors start springing up everywhere because "it's popular", then … ?

If the rabbit hole goes down, and down, and down – if you drop a pebble, and it never seems to hit bottom, ever, ever, then …?

It's not that I don't "trust" Q; it's that at the end of the day, I don't trust.

When Q came along, I was core-optimistic for the first time in my life. So there's that.

But watching previous proto-counter-coups, however feeble, get crushed outright by cold-blooded murder ($={FBI "they're all insane"}) and decent, patriotic human beings die cruelly at the hands of a deeply-embedded Evil, because no one "normal" realizes what is going on in front of their very eyes (not blindness, but trance), has had this result: at the end of the day, I do not trust.

I hope Q is everything it promises to be. An America where the US Constitution is actually, you know, observed, and where, to pick a tiny example, you have to actually be sworn properly into the Office, in order to discharge the extensive executive powers of The President of The United States of America, would be an unprecedented (sic) and wonderful, World-improving thing.

But at the back of my mind is the thought, that (like the badly written final minutes of the movie, *Basic*, except more credibly and coherently), as every unveiling so far (I did say almost 50 years, right?) has got us to "bedrock" that proved to be 1" of mudstone, with a trap-door entrance right there, to another hundred feet of ladder, down, down, down into the dark – this could be just another one of those situations, only fancier, and with better theatrical props.

I do not trust. Not, at heart. Or rather, obviously I do: I am fully aware this channel is approximately as "private" as FB, just with ostensibly better-intentioned Overwatchers.

Except, I don't.

>>9048359

True. Also traffic analysis: not just the "Q Proof Offsets", but any other

patterns in the timing, timing-correlated size (length) and number, etc.

of the drops. Comms analysis isn't just about content alone.

I think the only "optimal" strategy is to start digging anywhere, and if it

doesn't hit pay-dirt before you get bored, stop and start digging in some

other place – iteratively.

Unless you have hard evidence a particular approach is a total waste of

time (and if so: serve it with sauce, of STFU & GTFO), don't shit on any

other Anon's wild guess.

Q has given us N haystacks hiding M needles, N>>M – except some of

the needles are something other than needles, and we don't know what.

The only reasonable strategy is to search anywhere. For anything.

All of which is a roundabout way of telling you to fuck off.

>>9059989

#3982

We are ready.

[Set 1]

Mission good.

Q

>>9059825

Especially since showing us where the link was, and how concealed, would hint at methods for finding others, elsewhere.

I interpret that whole thing as being a slide.

The Shills on this (Ghidra) sub-board have to use different shilling tactics than on other sub-boards. Different human terrain here.

>>9060480

>>Especially since showing us where the link was, and how concealed, would hint at methods for finding others, elsewhere.

Except there is no link hidden in that file, the screenshot is not a representation of the jpeg file but is of a completely different file that is a malware executable.

It is a slide, but not a concealment of knowledge. That person only knows photoshop, not Ghidra or reverse engineering.

>>9059825

>>9055716

>>9059824

>>9038853

>>9055934

>>9059825

>>9059836

I put the screenshot in the first post but I had checked the "spoiler" box (newfag here, as I said, this platform is new for me), but you can still see it on my first post, though…

In the image there is the sequence I followed.

I never said the pdf is IN the image, I just searched on internet what appeared in the code (it was not my intention to make it look as if I found the pdf inside the image, but English is not my first language… what I meant is that I arrived to the pdf thanks to what I saw with Ghidra… and for that I attached a .png file with the steps I followed)

In the screenshot png file the steps are:

I just put in the browser what there was in the image according to Ghidra (so I tryied different parts in the browser) and

when I searched for "INTMEM:00-INTMEM:07" (which appeares at the beginning when opening the image with Ghidra, as I showed you in the screenshot), I found the pdf IN the internet

(so I found the pdf copying what Ghidra showed me and pasting it in the browser).

About Copia.exe:

I saw only now that I used the Copia.exe for the screenshot, here what it is:

I tryed to change the extension of the images to see if Ghidra showed me different codes (it may be stupid, but as I said.. that was my first time using Ghidra… I also tryied to change the images in .txt … ). There were no differencies between the original image (which I used for the research I was talking about) and the image with the extention modified in .exe (I just renamed it to distinguish them).

So here what happened: I used for the screenshot the version of the image with the modified extension…

…because here it was 3 am and I took the screenshot of the .exe instead of the original one for mistake… also because there were no differencies in the codes, so… my mistake in that.

You can check what I'm saying by opening the original image, copying and searching for the "INTMEM:00-INTMEM:07" and you should see the pdf in the first page (depending on the browser you are using, of course…)

(PS: I did not copy -in the attached png image- the full pdf I found IN the internet -not IN the image- as it was too long.)

>>9062790

…and I thought the pdf could be something because if I try to copy and paste any part of it, what I paste is not what the pdf shows.

In example:

if i try to copy the first sentence: "Multicellular development depends (…) organization. "

what I have in the pasted text is:

"0XOWLFHOOXODU GHYHORSPHQW GHSHQGV RQ WKH GLIIHUHQWLDWLRQ RI FHOOV LQWR VSHFLILF IDWHV

ZLWK SUHFLVH VSDWLDO RUJDQL]DWLRQ"

that's why I shared it with you.

It may be nothing, though…

To the Anons in these threads, don't expect too much from Ghidra.

A lot of the nasty stuff that compromised mobile applications will be doing won't be on the app, but on the server they communicate with.

At best, Ghidra will be able to show and tell what information is being sent off and to where if they're not smart, as well as encryption methods and programming libraries used.

But the above is still a best case scenario for digging. Most decompiles won't return much.

>>9063059

I have had that copy and paste issue if i try to copy it from the browser, usually have to open it in a standalone pdf program

>>9063162

Yes, it happened to me too, but I downloaded the file and opened it with different reader and still does it… but again, except for the fact that I find the topic of the pdf interesting,

the copy issue may be nothing… and the pdf itself may be not related to what we are looking for…

I just shared here because I know there are many people who are better than me in this kind of things and in digging.

>>9048580

>>9055529

Try this.

It's a graphic/analytic that has gathered up all the images that Q has posted and then cross references all of the filenames with text that Q has posted.

Freedom.png : 'Freedom' appears in 55 drops.

Links to all related drops and images.

https://qanon.news/Analytics/FileNameMap1

Is it possible to embed (stegano conceal) non-rendering pdf pages/docs *inside* another pdf? If so, how do you extract the "hidden" ones? If there is no pre-existing software to do this, how do you do it "by hand"?

Similarly for .doc, .docx, .odt, .xls, .xlsx, .ppt, .pptx, etc., etc. – but mainly for pdfs (I have some target files for that right now).

If a pdf weighs in at >10Mb, but renders as just one, single, miserable, boring page of mostly text & near-constant background color – is it a reasonable target for steganalysis? It should be (from the 'surface' needs, a way smaller file, no?

All the steganalysis tools I know are for image files – ignoring the obvious trick of opening any file format whatever either in a hex editor or as if a txt file.

I know just enough stegano to misunderstand everything badly – are there tools for the steganalysis of file formats that are *not* image file formats?

Hiding something as LSBs (etc.) does not make sense (that I understand … yet), except for image files. What are the (most frequently found in the wild) stegano methods that are based on other file formats?

For one thing, it is now public lore (thought not "knowledge") that you can hide things in *image* files. Therefore, people who want to avoid random scrutiny comping their stegano at the hands of script-kiddies (such as myself) probably would have shifted to other file formats.

Throw me a friggin' rope, here (no noose jokes, please: no noose is good noose).

– An anon.

>>9063132

Agree.

I looked at Facebook.apk a couple days ago and found alot of camera related functions, alot of location functions, other sensors trying to detect the direction the user is facing.

Seemed out of place to me, but I don't lifelog. Possible it's all part of the Facebook featureset, could be that it's always running.

Upfront disclaimer not a stegano expert, but willing to be another set of eyes on Q graphics to join the research. Ghidra too.

Latest flag image:

Offset 0 (0x00):

File type: Portable Network Graphics image

Extension: png

MIME type: image/png

Offset 138 (0x8a):

File type: Zlib Deflate

Extension: zlib

MIME type: application/x-deflate

Offset 396 (0x18c):

File type: MPEG-3 audio

Extension: mp3

MIME type: audio/mpeg

Offset 5255 (0x1487):

File type: Zlib Deflate

Extension: zlib

MIME type: application/x-deflate

Offset 18864 (0x49b0):

File type: MPEG-3 audio

Extension: mp3

MIME type: audio/mpeg

Offset 24673 (0x6061):

File type: Zlib Deflate

Extension: zlib

MIME type: application/x-deflate

https:// www.researchgate. net/post/Which_is_the_best_steganalysis_tool

>>9059895

>>There's two valid png blocks of which the first is the image. The second I have no idea what is.

That’s a zlib-encoded stream, PNG files use zlib to compress the image. It’s not anything.

>>9069792

http://bugtraq-apps.com/ supposedly has a few good stegananalysis tools in it, but I am not running around with penguins and so I cannot DLstall it, so cannot say.

http://dde.binghamton.edu/download/

… more steganalysis tools

>>9069848

See esp. http://dde.binghamton.edu/download/feature_extractors/

https://en.wikipedia.org/wiki/Steganalysis

>>9069881

Key paragraph:

"The steganalyst is usually something of a forensic statistician, and must start by reducing this set of data files (which is often quite large; in many cases, it may be the entire set of files on a computer) to the subset most likely to have been altered. "

>>9069881

See also: https://en.wikipedia.org/wiki/Steganography_tools … although the author uses "encrypt" to mean "conceal steganographically", even though it isn't a synonym.

>>9069923

The meat of the article (for the purposes of Anons working on this board) is: https://en.wikipedia.org/wiki/Steganography_tools#Tools_comparison

More tools:

Digital Invisible Ink Toolkit – http://diit.sourceforge.net/

"StegSecret. A simple steganalysis tool" – http://stegsecret.sourceforge.net/

"Virtual Steganographic Laboratory for Digital Images (VSL) - Free tool for steganography and steganalysis" – http://vsl.sourceforge.net/

>>9063132

Hmmm. While this is a true statement it is not necessary true for all apps. Take for example GEO location, facial recognition, voice recognition, iris tracking, finger print, sentance structure and language usage. etc…. There are all ways to correlate who you are, who you are communicating with, where you are, where you go, and what you are thinking about and create a dynamic profile. Notice recently that Scroogle and other companies stopped using cookies? Why? Because they don't need them any more for tracking. This tech is very advanced. They are using other techniques to identify you on your devices. While command and control (if well designed and thought out) does behave in this manor you are suggesting. There are many many layers and many many techniques as to how personal data / life is now compromised. Ghidra is very good at what it does. However extending your tool kits to steganography hide and seek tools, malware analysis checkers etc are very important as you do your detective work. There are many clues that can be discovered with Ghidra. Some can be easily missed. I just found an exe that was zipped up in an img file. I didn't see the exe in Ghidra (it was hidden very well) but I did find the bread crumbs for the zip file. Once I found the exe I put it back into Ghidra to see whats up…another layer of hidden information. Still working on that one particular challenge. I am always working to expand my tool kits and sharing what I know. If other anons have go to apps they like for this work it would be great to see what tools you use and the process you use for de compiling. It will take a digital army of anons to clean up all the compromised phone apps, PC, and Mac software. Now that we are on our way to cleaning up the compromised MSM "system" now its time to rip apart the web and its applications. Its disgusting what it has become. I love technology, been working in this area of tech for many years. I have watched brilliant technology get used for corruption fo way too long. Its time for this behavior to stop and make Technology Great Again. Our industry must be saved from what it has become. Surveillance is at an all time high right now. Chinese tech has subverted everything technical from the inside of or apps out. (Its a pervasive pattern in fact its right out of their playbook. Look up the book Unrestricted Warfare if interested). There are so many craptastic applications and services we all really need to get our shit together and fix these problems. Its a matter of national security when you think about how many chip sets we have in our homes, and businesses. They are all compromised in one way or another. Its shocking actually.

….Hack the planet anons. Lets roll!!

>>9070001

DLs:

DIIT: https://sourceforge.net/projects/diit/files/diit/1.5/diit-1.5.jar/download?use_mirror=gigenet … from:

https://sourceforge.net/projects/diit/

<Documentation (incl. FAQs):

http://diit.sourceforge.net/doco.html

StegSecret: http://stegsecret.sourceforge.net/

http://stegsecret.sourceforge.net/XStegSecret.Beta.v0.1.zip

<Documentation & examples:

http://stegsecret.sourceforge.net/SpanishManual.pdf … sorry, no habla Inglez

http://stegsecret.sourceforge.net/imagenesEjemplo.zip

VSL: - https://sourceforge.net/projects/vsl/files/vsl/vsl-1.1/vsl-1.1.zip/download

<Documentation:

Forczmański, P., and Węgrzyn, M. Open Virtual Steganographic Laboratory, International Conference on Advanced Computer Systems, ACS-AISBIS 2009.

Forczmański, P., and Węgrzyn, M. Virtual Steganographic Laboratory for Digital Images. In Information Systems Architecture and Technology:

Information Systems and Computer Communication Networks (Wrocław, Polska, 2008), pp. 163–174.

https://www.google.ca/search?as_q=Forczmański+steganographic

https://www.google.ca/search?as_q=Forczma%C5%84ski+steganographic&as_filetype=pdf

>>9070231

That's not quite true.

Here's the returned URL for a Goolag search for "whatever", which is so effing long I have parsed it at every ampersand, as &amp; seems to be the field delimiter:

This is their domain: https://www.google.com/search?source=hp&

This is basically an in-link cookie: ei=CYe0XveWHoyStQXJ4JToBg&

This is my search string: q=whatever&

This is my original search string, so they can track refinements I make(*): oq=whatever&

This is, I think their attempt to geolocate my ass(**): gs_lcp=CgZwc3ktYWIQAzICCAAyAggAMgIIADICCAAyAggAMgIIADICCAAyAggAMgUIABCDATICCABQpw1YnxVg2x5oAHAAeACAAZgBiAHfB5IBAzMuNpgBAKABAaoBB2d3cy13aXqwAQA&

I haven't a fucking clue: sclient=psy-ab&

Who the fuck knows: ved=0ahUKEwi3v4KM4qLpAhUMSa0KHUkwBW0Q4dUDCAg&

No fucking idea: uact=5

(*): This is one of the ways they train their neural networks, for free – your work (our work, collectively), but "their" IP.

Terms of Service, my ass.

(**): It can only go to Internet nodes of a certain rank – the building in your neighborhood that houses your ISP's boxes.

>>9070452

>>9070498

Sorry – mousefart.

Transcripts released

https://intelligence.house.gov/russiainvestigation/

Can anything be found in these pdfs?

GitHub - https://github.com/ragibson/Steganography

Sales pitch: Least Significant Bit Steganography for bitmap images (.bmp and .png), WAV sound files,

and byte sequences. Simple LSB Steganalysis (LSB extraction) for bitmap images.

https://en.wikipedia.org/wiki/File_carving

"strings -10 [imagefile]" may lead to something. Linux.

https://www.coursehero.com/file/p2ksksp/Another-simple-and-effective-way-to-hide-a-message-is-to-use-white-text-on-a/

https://en.wikipedia.org/wiki/List_of_file_signatures

>>9063737

non-rendering pdf pages = pdf templates and/or layers. requires pdf javascript and Acrobat Professional

>>9063737

The short answer is yes it is possible.

There are a few tools out there for decode. I had one at one time on my system I was looking at but can't remember the name. If you dig on PDF Steganography decoders you should find it….

>>9039279

L-Serine is indeed a cerebral protein. Interesting paper.

>>9071370

You're in luck, i just happen to be an Acrobat Professional. I spent 6 years with the circus

For those completely confused about Ghidra…

I've bee pouring through the tutorial included in the download and it looks like Ghidra is a tool for reverse engineering complied computer code. If you don't have a background in programming… and a pretty good one… it will most likely be a complete waste of time for you.

I haven't found a way to "inspect images" for hidden messages. If I'm wrong, please tell me how stupid I am. Show no mercy.

>>9072636

There's a sixth one @ QDrop #4140 – I tried to post it here, but was told it was already in the thread (where?)

Note that #2790 has smaller dimensions – it's the other ones (incl. #4140) that have "the same dimensions", but different binary guts.

Surface: all six are the same.

Guts: totally different.

Take a look at each in notepad.exe and compare – now what?

>>9072714

Ghidra, as other anons here have suggested, may be intended for us to use

to "out" spyware embedded in, say, Coronavirus-tracking "public health" apps

for smart phones, and other "gifts" from Bill Gates, WHO, and others.

I doubt Q intended us to use it for steganalysis – but I am also sure that we

are supposed to do steganalysis, …

which is why I posted all those links to misc. steganalytic tools, … not a single

one of which I know how to use … yet.

So, if steganalysis of images in Q Drops interests you – check out some of the other

posts here (above) for possible tools, and dig in.

>>9043433

>>9042267

>>9042464

Guys, not a coder or anything else but want to let you know something that might/might not be useful.

My phone has been getting hacked a lot when I'm on twatter posting for the team, and occasionally when I'm on /qr/.

By hacked, I mean I try to type text in a reply and something takes over and starts typing seemingly random shit. I can't stop it from happening, but it quits after a few minutes and doesn't come back.

What is typed looks A LOT like brainfuck string, except if you're looking for particular letters think upper and lower case letters Q and A and the number 1.

The string looks like that except with those differences. Never any other numbers or letters. Just those.

Dunno if it means anything or is helpful, I hope that it is. Just saw the discussion and that immediately registered. Thanks for all your hard work!

>>9072714

The way you’d go about incorporating Ghidra into Steganalysis is by first using the various tools to inspect the image for hidden files. Binwalk is good for this.

If you find a hidden file you have to extract it using binwalk. Then you open that file in Ghidra to see what it does. You’ll have to figure out which CPU language it needs but you can try various platforms, or hopefully we’ll be given some direction.

Reverse engineering is not for the faint of heart.

Thus far I have not found any hidden files or text in the more recent images as of yet.

>>9060192

What a post, anon. Many thanks.

The issue with stego in Q drops that is all the images are too small to really store much data. It also doesn't fit with what's been going on here to expect to find some secret leak or something linking us to some off site file drop. I feel like if we are to find anything hidden in the images it will be a simple message like "Bring on the PAIN" or "WWG1WGA", where the message itself isn't so much the drop, but the method we used to find it is. It'll probably be something trolly that not only shows us how they communicated in plain sight, but also taunts them that Q team knows everything that they've said.

Anyone pulling apart the games? I'm just starting working on Star Wars Commander, Windows platform.

I am looking for unusual functions that might be described as 'easter eggs' which might open backchannel comms. 'Cheat' interfaces.

If anyone else is honchoing this particular operation, point me at 'em.

Otherwise I would suggest, let's pull apart each platform of this app because it was called out specifically by Q, and we can move onto others

Be sure to drink your Ovaltine

I'm doing the same thing with one of the PDF's that the Schiff just dropped to see if I can come up with anything.

So far no dice, but I'm also fairly new at reverse-engineering and Ghidra, so it's possible I'm missing things.

Having said that, I am glad OP put this board up for Ghidra hunting, and I think we may be focusing too much on his images and trying to decode the hidden meaning in them. There may very well be more there 'than we know,' but we shouldn't forget to tear new things apart too.

Anyway, glad to be here. Thanks for the board OP.

>>9074438

Is Star Wars Commander even available for download anymore?

>>9074092

Well I made myself look like an ass. I replied to the wrong guy with a question I easily answered by a quick search.

So from what I can tell I don't think you can download Star Wars: Commander from official sources anymore. However, I was able to find the Android apk file for download from:

https://star-wars-commander.en.uptodown.com/android

Not sure if this helps:

https://superuser.com/questions/275502/how-to-get-information-about-an-image-picture-from-the-linux-command-line

Not sure if this helps.

https://superuser.com/questions/275502/how-to-get-information-about-an-image-picture-from-the-linux-command-line

NaturalMotionGames Ltd

Pulled from all the stores early.

Could only find the APK if anyone is interested. Ghidra batch import worked. There are 15 embedded files.

https://apkpure.com/star-wars%E2%84%A2-commander/com.lucasarts.starts_goo

Just occurred to me:

https://qmap.pub/read/4000

In this drop, Q asks us "Rebellion or Empire?"

Now, I've never played Star Wars: Commander before, but I could probably see this being a question on account creation. If we crack this apk open with Ghidra and take a look at where that screen/text is, maybe there's something there?

I'm starting to look through it now, but I likely wont be able to really dig into it until later today. I just wanted to share this idea in the meantime if someone else thinks it may be a good place to start.

>>9077094

Neither have I played this game but I agree it is worth diving into. Given that Q mentioned Ghidra and then re-posted an Anon saying it is something to mess around with sounds like a direction.

From what I read in previous posts, others mentioned some thinks I was thinking too..that it is interesting he posted the flag in particular 6 times and that maybe even the file name has some relevance.

>>9073921

No they aren't:

(1) See >>9072636

(2) The data could be something as simple as a single, short sentence that tells us where to dig for something bigger – think bootstrapping.

>>9072636

I was thinking same about repetition of the flag, potentially having clues seems plausible. Q could have just said "great news everyone Flynn is free".

At first look, the file names displayed not necessarily matching actual is curious.

Why did Q bother changing the displayed file names to patriot phrases instead of just writing it normally in the body of the message?

Q2790 patriot phrase displayed, actual file name…

a7ffb193423f0a5573ceeefe7c2a7863d1fc6d1559e28d93af78f63e36cdceed.png

Q3080 patriot phrase displayed, actual file name…

f768deaef22da979abcfb73c9175b54d71fcf891666c5449c1969c07c3cc8920.png

Q3823 patriot phrase displayed, actual file name…

f768deaef22da979abcfb73c9175b54d71fcf891666c5449c1969c07c3cc8920.png

Q3908 a file name is displayed…

f768deaef22da979abcfb73c9175b54d71fcf891666c5449c1969c07c3cc8920.png

…but the actual file name is…

274534d7d1780203956040e16a2fd8712e21596c92d7ac2ecd959d0166f8a501.png

Why display the last flag's file name. Seems deliberate, but what kind of delta if any might be here?

Q3983 is just AMERICA

f768deaef22da979abcfb73c9175b54d71fcf891666c5449c1969c07c3cc8920.png

Q4140 is the only flag with an exact match between displayed and actual…

f768deaef22da979abcfb73c9175b54d71fcf891666c5449c1969c07c3cc8920.png

>>9077094

I was thinking the same thing. Soro's bought Blizzard. I think it would be worth digging into their games.

Also, it's long been said that China has built back doors into everything. You can reverse engineer software to find the vulnerabilities and back doors.

The other thing I was thinking is it might be worth to check out WeChat and Whatsapp. Zuckerberg made a major pivot in 2018 towards encrypted comms. His number one guy quit warning, specifically, it will allow child trafficking and terrorism to be impossible to track…. very cryptic.

I posted it already, but if you are looking to get into reverse-engineering App's (like android apps, such as Star Wars: Commander) I've put together a small list of resources. I'll also give my notes at the end since Q has told us to work together, essentially, in that one picture of people climbing a hill.

Resources

Virtual Environment

https://www.virtualbox.org/

Operating System Suggestion (Ubuntu is user-friendly)

https://ubuntu.com/

Star Wars: Commander App:

https://apkpure.com/star-wars%E2%84%A2-commander/com.lucasarts.starts_goo

-or-

https://star-wars-commander.en.uptodown.com/android

Ghidra

https://ghidra-sre.org/

Jadx (helpful for this project and other android apps)

https://github.com/skylot/jadx

Tutorial for Basic App Reverse Programming (get the .ova in this tutorial and load it into VirtualBox, it's essentially loaded with what the tutorial goes through)

https://maddiestone.github.io/AndroidAppRE/index.html

As a rule of thumb its much safer to run everything through the virtualbox, but if you want to all the above will also work/have options to work on an average Windows machine. I wouldn't suggest it, but I can't say that I'm above just running it all on my computer anyway. I'll accept the risk.

Exploratory Notes

As a disclaimer, I'm very new to software engineering and I've never reverse-engineered anything before in my life. Having said that, I encourage anyone with an interest in this to try their hand. The more people we have on this the better.

So right off the bat, looking at the AndroidManifest.xml, it looks like this application runs like a normal app does with nothing nefarious that stands out. I'm not seeing anything out of the ordinary in the Manifest but I still have a loooooooooooooot of code to go through. I did notice that a few things can be activated by other apps/programs though:

FBUnityDeepLinkingActivity (fuck you FaceBook)

SwrvePushEngageReceiver

SwrveEngageEventSender

FirebaseMessagingService

FirebaseInstanceIdService

Only thought on this is that the Firebase messaging service seems to be able to activate even when the app is closed, but I don't think that in and of itself is abnormal or malicious, as apps should be able to do this (right?). Someone with more app development experience can tell me otherwise, but I'm going to move on.

The game runs on the Unity3d.player…

Lots of source code in Java to look through…

Boy, Facebook really likes our activity…

Nothing stands out. I'm going to take a look at the Native Libraries now and see if I can pry those apart. The 'native libraries' are the '.so' files, such as…

libbugsnag-ndk.so

libbugsnag-unity.so (another bugsnag file, ho-hum)

libil2cpp.so (my God its huge [~30MB]. That's going to take forever!)

libmain.so

libunity.so (I haven't looked just yet, but I think this is the unity engine that the game runs in. Also my God its 19MB and is going to take forever)

Kind of getting hung up. I decompiled the libl2cpp.so with Ghidra and there's an awful lot to go through here, and it takes some in-depth analysis to do so. I'm thinking I need to hit the books a bit more before I start jumping into this because passively reading and hoping that something jumps out at me will be futile.

Any suggestions would be welcome.

Wait I just realized something.

Reading through some of the java code for the messaging service under:

Source Code>com>google>firebase>lib

I've realized that a lot of the messages sent back and forth aren't just stored at Google's cloud, but they SEEM to be also sent to FaceBook for tracking purposes.

This means that there are two separate locations that have stored that shady conversation we saw. And its not just message content, but user data as well (meaning it could be directly attributed to the sender).

I mean this isn't ground-shattering or anything, but it gives me some insight as to how Q and/or NSA could be catching these dudes.

>>9041137

"luke lurks" too. ;)

There are a few images that have "non-displayable characters" in them.

Pull the keyword field from the metadata & see what it's encoding is??

You know I'm all about "it's in little pieceslike a puzzlethat we have to reassemble" (combine all the little "crumbs" of data into 1 file and that'll give us XYZ proof)

MANY Q pics (PNGs) will reveal a similar NDC string with stegano-red.

zsteg has spit out some interesting stuff, but I'm wearing of short string false positives like we talked about.

We've talked about IMAGE NAMES being important because Q (or the poster) can CHOOSE what they name the image before they upload it. This and the TIMESTAMP (to me) are the most important pieces of the posts (that don't have to do with the content of them–which truly could even just be "cover text" to conceal 'steganographic messages' utilizing timestamps and/or image names).

more to come!

>>9094189

This may be why "even if you DELETE Facebook, it STILL tracks you!!"

(because you still have things on your phoneespecially if it's Androidthat utilize that Google libs)

>>9085813

yes @ flags w/ diff names & sizes!

some are ~23 kb lol

Some are PNG, some are JPG.

I remember someone even mentioning that one of the flags had the WRONG number of STARS? (don't recall which or if this was verified though)

Another little "coincidence" is that the PAIN/Punisher pics always seem to come FIRST, and then shortly after, there'll be a FLAG pic.

PAIN = Operation?

FLAG = SUCCESS?

>>9052108

ty

>>9085813

f768deaef22da979abcfb73c9175b54d71fcf891666c5449c1969c07c3cc8920.png

This is the SHA256 of the PNG above.

274534d7d1780203956040e16a2fd8712e21596c92d7ac2ecd959d0166f8a501.png

Grab all the flags, check MD5, SHA256, etc. and you can see what IS and IS NOT actually the same files.

Hi anons. Wondering if I could get a little help. Not a stenofag or a codefag. Totally useless. I used to pirate a lot of music and the folders always came with cover scans.

They've always been normal except the scans for this album. Instead of jpegs they're TIF files and they're fucking huge 68mb is the size of one. Ever since I downloaded it I wondered about the covers. Always suspected something hidden. Anyone wanna take a look?

https://anonfile.com/x2v5H1xeob/Covers_7z

>>9041086

By its very nature its a tracking tool. Of course its going to have bullshit it that app. Think about the database correlation on the backend. They have had this technology for years. Its a COVID tracking app. A shiny new nickel to ride the same shit slide.

Think about it! Cause and effect.

They have always been tracking us with phones and apps. Now they are putting a different label on it

"Install this app to save lives" "For your family." "For humanity" "Be a hero install this app"….what a crock of shit. They are attempting to have you download bullshit and the sheep are willingly installing it on their phones. WILLINGLY By its very nature its comped. They call it a psyop for a reason BRO!

bamp

ran this jpg through ghidra. got a SHA256 string

1bd7bc7c32abacc27045fbe189296c856bffda4999043db01d20e888f07368b6

ran through youtube search.

result-

https://www.youtube.com/watch?v=Hk1KNhCCAHM

At best 460 of (You)s found this already.

Seems this file has more data embedded, throughout. It's doing wierd shit on my first level look. Happy hunting, faggots.

Enjoy the show!

>>9115305

What language/cpu did you use? What was the SHA256 string?

>>9117546

>What language/cpu did you use? What was the SHA256 string?

SHA2 string just under the jpg. on the post. i gotta believe the language/cpu set is machine dependent. that said, my project ran on powerpc.

>>9115305

the name of the jpg in the drop is the SHA256 of the image.

you got the yt result bc the vid description lists the file name.

Checking in. Kind of set the Star Wars: Commander dig on the backburner since I'm not convinced that's the right rabbit hole to be jumping down. I heard someone mention that the redactions can be pulled off the Transcripts in Ghidra, but I'm not sure. The PDF's don't have any executable code in them, so Ghidra would really only show bytes in the documents.

Having said that, I loaded up two PDF's anyway just to take a cursory glance. I used Andrew Brown's transcript as an experiment, looking first at Schiff's release and then the DNI release.

Schiff's release looks about what I would expect a PDF to look like in Ghidra. Pretty mundane. I looked through the ASCII translation of the bytes and saw some XML formatting code, and I was able to differentiate when paragraphs start, but all-in-all there's nothing to see there.

The DNI's release is a bit more interesting though. I haven't found anything just yet, but it looks different from Schiff's. The ASCII readout is about the same with some differences (at first glance), but what stood out to me was that the code analyzer actually returned stuff. I'm not sure what it all means, but (as we knew) there's an obvious difference between the files that Schiff releases and the ones that the DNI released.

Observations:

The DNI's version seems to be images as opposed to Schiff's, which could be close to the original PDF documents but with redactions. The DNI, it seems, did the smart thing by scanning these documents back in after redactions, removing the ability for the documents to be torn apart. I think it would be worth opening Schiff's documents up in Adobe Pro and seeing if you can't just simply erase the bars.

I will have to give this a shot. As always, I'm open to anyone else's opinions or direction on this. I'm very new to this but I'm dedicated. Also, if these redactions CAN be stripped, it'd be smart to download all of them before they get taken down.

CALLING ALL TECHYS!!!!! I JUST HEARD THAT GHIDRA ALLOWS YOU TO "MOVE THE REDACTIONS" THIS IS HUUUUGGGEEE

https://twitter.com/DrLahiri2/status/1259825328505012224

>>9121894

Big maybe. I've had a few of the documents open and I haven't seen anything specifically that would effectively allow me to remove the redactions. Now, I'm not the smartest, maybe someone else here can do just that.

I've taken a look at Schiff's released files versus the DNI released files. I was right, the DNI essentially printed the pages and scanned them back in, so the redactions on those are permanent. Not much we can do about that.

Now Schiff, though… we may be able to recover the redactions there, because when you tear them apart with Adobe Pro you can move the black 'redacted' parts around. There's no text behind them in the field (or rather above them, the black boxes are on a layer behind the text boxes), but maybe I'll take another look at these in Ghidra…

If this is a possibility, I'd vote on digging into Schiff's released files.

>>9099831

Good pointers., using SHA256 of the image. So probably nothing in that context. But perhaps there are clues in the images. I wonder if others think the repetition of images would indicate a pattern worth identifying, or, maybe Q is merely using them to reinforce events, e.g. use a flag when it is a patriotic win, use Obama's 'renegade' when they have evidence against him, etc.

>>9121894

This is what i found, isn't related to ghidra but it could help.

https://eclecticlight.co/2019/03/11/pdf-without-adobe-17-unredacting-manaforts-documents-and-recovering-pdf-versions/

Idea

Okay so PDF's are essentially heaps of code that Adobe Viewer/Acrobat translate into readable text. There are some nuances to it, but you can read a few articles here to get a good idea of how a PDF is built:

https://blog.idrsolutions.com/2013/01/understanding-the-pdf-file-format-overview/#helloworld

Here's where I'm at. PDF files will declare objects that will be present when opened in Adobe. Those objects can be a number of things (text, images, signatures, etc), but the problem is that the actual contents of those objects are encoded. Luckily for us, we know what it uses to encode:

FlateDecode

So I'm still learning a bit more about that, but conceptually one would be able to grab the bytes from the objects in Ghidra and run them through a Decoder (using the… FlateDecoder algorithm?). What this would do is essentially display the encoded object as plaintext. In the event that the object is a picture it'd look like jumbled plaintext, but if it were a text box it may have some code describing the box, and then possibly the string inside.

I haven't tried it yet. I'm having to learn about decoding first. I'm trying to figure out if there's a way for me to decode straight from binary or hex through the algorithm into plaintext, or if I'm just barking up the wrong tree again.

Has anyone figured out the Legend to the entire Q Crumb Map?

Can Ghidra analyze something like qmap.pub?

provide an overview (40,000ft)?

>>9072945

Thanks for the explanation >>9072945

>>9138696

Novice anon here…I’m finding symbols in Q’s images. I have been doing symbol counts…& looking back at corresponding drop #s. That one is 428. Idk if I’m on the right path? Haven’t seen anons saying this…thoughts?

>>9144066

Also, drop pic boom time baker is 64-which really reference the pic. That’s what made me think I might be onto something.

All of these people pushing ghidra as a steg tool seem to forget that Q already provided us with a steg tool long ago.

What you all are doing here is interesting. I Only understand a little tiny bit of any of this but still like seeing what you find. The only thing I have to offer is some old knowledge that may or may not be useful. Many govt systems, especially legacy ones use the language COBOL. Sometimes PASCAL and FORTRAN were also used. I know those aren’t as common anymore but don’t forget about them.

>>9145994

Yeah I think the pascal is usually used as an embed in ada though.

>>9148279

nevermind, I was using the editor incorrectly

>>9125009

I ran some of the House pdf’s through various pdf forensic tools and even Ghidra (and ran the embedded jpgs through forensic tools) and got nothing revealing. I did not see a way to view redacted data.

I also haven’t found anything in the flag or skull images, but I haven’t looked at the most recent red skull, it’s on my todo list. These are better suited for image forensic tools but also threw them into Ghidra but saw nothing.

I’m guessing Ghidra is meant for the Star Wars game or a future file or app.

StegoAnons

Not sure if this is anything yet. Still poking around. I work with a ton of different stego tools and scripts as I attempt to detect patterns. The other night I was using StegoDetect and StegoLSB (python stego tools family) with the recent flag image and the punisher_red image which appears to be identical to the original Q-posted (BTW).

I was getting strange results playing with the LSB number 2. The file was reporting incorrect sizes due to bit decision. Typically defaults to 2 when playing with LSB. I changed it to 17 for fun and got interesting results. Still working to figure out the file type signatures it produced…but just wanted to throw this out to the group in case you are playing with these types of tools. Here are the command lines I was using on the files.

stegolsb steglsb -r -i flag.png -o output_file. -n 2

and

stegolsb steglsb -r -i flag.png -o output_file -n 17

>>9145517

Pixel Knot? Yes it is one of many tools for exchanging secret information. Steghide is another….there are many. Wav and mp4 files etc… The key thing that Q did state is "'tools' All of these tools work together to find the surveillance challenges'' and hidden information etc…

Its really no different from digging in the web. All anons are actually wired for this type of forensic work. By our very observation, autism OCD, ADD nature.

Ghidra can do many things. It can decode many files types, different platforms, chip sets, controllers. Its a primary tool for decoding executable files, and code with internal functions. I have dug into images, PDFs and other file types. Just to look and see whats going on from a particular angle. With a similar tool I will look again from another angle. Its one of many tools that can be utilized. It is however extremely powerful. The thing is… we need all the tools we can get as we identify the security holes in most of the products we use every day. Phones / PCs, CPUs, routers, chip sets, software and apps. China has produced almost everything tech in the US and guess who we are in a silent war with right now…. It will take an army of anons to dig into the compromised digital universe. I encourage every anon out there with skills or no skills to start digging into our technology.

>>9151220

“Toolkits can be helpful.”

Ghidra is just one of many tools for digital forensics. You are right that we need to be thinking beyond just one tool.

>>9155724

>>9155845

My b, apparently this is a meme

https://knowyourmeme.com/photos/page/5?gallery_cache_key=1849770

But the album name is probably the comms. (Hotter than July). Q said, spring summer would be HOT

well fuck right off

>>9173188

>>9148162

I think I remember it being used to condense code and formulas or calculations because back in the day everything had to be done to save space on the system. Different than now. That is probably what you said but I don’t know much of the lingo.

>>9179608

Or you will be nailing your whole fucking family first

>>9179608

>>9156296

You personally have put 7,7bn people in quarantine

Be truthful anons.

Here come the mandatory vaccines too.

Tbh I never thought Americans were this stupid.

Brits definitely.

Doesn’t take a genius to figure out who is telling the truth here, does it?

Yet so many of you are still on twitter, pushing the deceitful claim that Donald Trump is anointed by God Almighty himself.

He isn’t. And never will be.

And by refusing to acknowledge the real source of the storm, your dopey disrespectful president has not only betrayed the American people, but God Almighty too.

The royals here will have to give up the two old cunts at the top too.

Or it will be the whole family.

Zero negotiations or deals.

And Bibi is absolutely ruined too.

All of you chose to run the gauntlet.

And all of you have allowed this situation (killer virus and impending martial law) because all of you have put being American above being human.

Be truthful Americans.

Those 500 or so members of Congress are some of the biggest cunts in the world, and have betrayed all of you.

And by the mass media (((twitter))) framing a global holy war as an essentially American affair, highly polarised too, you have all been screwed by an essentially Jewish media.

The special talent of yours truly is to reduce the whole global power structure to a beam of light.

And that’s what the big pdf is..

And no, I’m not a prophet like Jesus (777), I’m God Almighty manifest in a human being. (999)

That’s why I’m completely separated from my knowledge.

The big 2,238 page pdf

Just two rituals hold the whole global power structure in place.

Divine in design, obviously.

The original mandate for 11.11.18

(The shot heard around the world)

Obviously scrubbed from (((twitter))) now.

Was for yours truly to align the Commonwealth with Russia, USA and Israel. (90% of the world’s nuclear weapons) (the ‘winners’)

Dawkins and Hillary as the offering.

A return to nation states too.

With the kings and Queens being the losers.

And Israel being both the winner (Bibi) and the loser (mass media) .

With the prize being world peace and the knowledge of other worlds.

The eternal life mentioned in the bible. Yes.

But instead, as a direct consequence of playing at online light workers, the vile and deceitful cunts here, with the undying assistance of two violent and deceitful geriatrics (parents) thought it was without consequences to lock yours truly up for 3 weeks, then 7 weeks, force feed him medication and leave an extremely fit and tough (violently abused as a child) 48 year old former professional Bmx freestyler with a broken back, a heavily lacerated stomach and prone to shakes and fainting fits.

If you are so blind to not see the truth when it is staring you in the face Americans, then you deserve to be locked up and forcibly vaccinated by your politicians..

Because that is exactly what is going to happen if you continue the charade on twitter.

You will all get further and further away from the truth.

Knowingly too.

That’s what makes it worse.

You see, I may have been born in England, but I had to relinquish my nationality when I was given a guided tour around 13 pizza ovens on the 1st January 2017.

The real pizzagate. Yes.

These politicians represent none of you, America, and never have done. Ever.

But because it was deemed more important to fake an American holy war rather than acknowledge the real winner in the global holy war, Team Israel, Team USA and team Britain have already dug a hole for themselves, that they will never get out of.

Sure many of you feel cheated.

You’re not the only one.

And yes, I have been to America many times, have many cousins there, been to Georgia, Alabama, North Carolina, Florida and California.

Always had an amazing time. Been for bmx competitions too. Been in the Appalachian mountains and south central LA too. Eaten cold beans out of a boat on the swamp. You get the picture.

And no, i’m not perfect either, but some of my knowledge is.

KNOWLEDGE 

Direct link to source document in pdf format. 2,238 pages 

17 year long beam of light from the absolute. 130 Mb

Every single entry date and time stamped.

https://view.publitas.com/72234/880115/pdfs/d4f86d8e8c2117fd530ef381c5b3b016936f5ad1.pdf

Kills the poor hurt feelings and opinions of individual humans dead.

Jon James Pratt (999)

49 year old illuminated polymath from Warwickshire

Humbly blessed as the world’s top intellectual and philosopher

Never lies and is never violent. Ever

Aka 'the storm ☔️'

Aka ‘cosmic lol 😂’

#allpointsarereconciled

>>9179608

Hammer and nails for you

Live on tv

For the whole world to see

We’ll burn the whole fucking lot of them

>>9046953

you dont know, but I believe.its open sourced so any backdoors, rootskits etc would be easy to find in the code.

Also, I installed blackarch on a flash drive and Ghirdra comes.stock with it. just use a vm or flash drive or if yr really paranoid a 100 dollar powerbook with no personal info.on.it

>>9209698

Or you could go with something like QubesOS and setup disposable VMs. / sandboxes. Very handy tool when playing with malware and other apps you don't trust. Very easy to contain using template OS installations of ghidra. You can have multiple projects isolated and contained running concurrently. With the separation of network interfaces you can also setup local networks that don't connect to the web and "watch" the behavior of a given app by setting up network monitoring and watch what resources the app may attempt to contact. Very handy environment for this type of work.

>>9115305

Sorry if this has been asked, coding and such is a bit out of my wheelhouse. Has anyone ran the background "music" in this video through a spectrum analyzer to look for images or other data? It sounds like there might be something in there.

>>9121894

may want to try that on the recent Snowden related drops.

>>9245219

>>9245175

That's all in C. Majority of the code there is string (text) manipulation. What's the program?

>>9245114

It's C++ there's conditional logic and loops, malloc is a memory allocation using a pointer. Nothing in those shots is unusual.

>>9245902

It is software to program Alcatel Lucent hardware, MCT.exe, that one would find at a cellular site. Figure 1 there is embedded error reporting and would like to see which country they report to (Not American owned) and 2 we need to start making that stuff here so why not reverse engineer it?

I don't know if these are commonly available but i built a python script hex to decimal calculator. Thought I'd share here.

"""

hex to decimal calculator

"""

value = input('Please enter the hexidecimal code here: ')

h = {'1':'1', '2':'2', '3':'3', '4':'4', '5':'5', '6':'6', '7':'7', '8':'8', '9':'9', 'a':'10', 'b':'11', 'c':'12', 'd':'13', 'e':'14', 'f':'15', '10':'16'}

lst = list()

for item in value:

item = item.lower()

converted = h.get(item, 0)

lst.append(converted)

print(lst)

x = int(lst[0])*4096

y = int(lst[1])*256

z = int(lst[2])*16

xx = int(lst[3])*1

print(x, y, z, xx)

total_sum = (x + y + z + xx)

print('Total "Decimal Value" of Hex Code:', total_sum)

>>9331787

>>9042549

>>9042985

I've ran the whole string (from the jpeg header through the end of the dashes) on several interpreters (https://tio.run/#brainfuck https://copy.sh/brainfuck/ https://fatiherikli.github.io/brainfuck-visualizer)

each of these had a seven character output "


ÿññð" (hex: 01 01 01 FF F1 F1 F0)

with only the unbroken string after the forward slash as in your example outputs "òòñ" (hex: f2 f2 f1) you get -17 because the data pointer ends at 238. The pointer starts at 255 and increases/decreases with each +/- and the periods print out the value of the byte. So Q cycled the byte value up and down, printed, and then signed with value difference.

my thoughts is that it could be:

-a suspicious file signature to look for in malware or apps

-a bug that that's being exploited

>Netview SNMP Automation Task CNMAUTO unable to receive data

Start of CP-MSU data

02 D6 12 12 00 23 FF F0 00 0FFF F1 F1 F04B F3 .O…..0 …110.3

End of CP-MSU data

SNMPAPI: TRACE: Entering snmpFreeDecodedPDU

SNMPAPI: TRACE: Exiting snmpFreeDecodedPDU

SNMPAPI: TRACE: CNMAUTO request completed with return code 24004

>This shows that we are receiving a trap through the snmp automation service in netview. However, it did not get converted into an ALERT and it does not go to NPDA

https://www.ibm.com/support/pages/netview-snmp-automation-task-cnmauto-unable-receive-data

-an ip address formatted in hex (not sure if executables store this ip's way), this would put it as 255.241.241.240 which would put it as a class e address "reserved for experimental purposes only for R&D or Study". is the traffic for the 4am news drops or other comms being routed through an otherwise "unused" ip?

>>9044191

Ever read Sherlock Holmes?

Looks a bit like the code Holmes deciphered that had dancing men on it:

https://www.boxentriq.com/code-breaking/dancing-men-cipher

Or the flag alphabet:

https://en.wikipedia.org/wiki/Flag_semaphore

Has anyone connected any of this to the hashing/Wikileaks connection that another Anon had found?

I've worked on it a bit myself. I'm not sure whether the connection is legit or not.

You can hash phrases from Q posts using various hashing algorithms and they result in hashes that can be used as e-mail IDs on the Wikileaks site.

Another anon mentioned that md5 can be used. I found numerous other hashing algorithms worked.

The questionable aspects of it for me were:

1. Some really old, no longer secure, algorithms were used. Why do that? Even for something like this. It de-legitimizes the whole thing.

2. Some short/nonsense strings were hashed, making it seem like whoever hashed things did so with a brute force or dictionary style approach. (e.g. "b" and "1" could both be hashed and give results)

3. There's no telling when the Wikileaks servers were updated with these e-mail IDs. Meaning, it might have seemed intelligent to have an e-mail ID for, say, "COVID-19" a year ago, but if that was hashed and those hashes were used for e-mail IDs within the past few months, that's not impressive, it's just following the news.

4. I'm yet to find any connection between the key phrases that I hash and the e-mails that come up.

It's a little odd to go through all that trouble for a nothingburger, though, on the Wikileaks end of things.

If you find strings with Ghidra that could be used as hashes or if you try hashing them, consider plugging them into the e-mail ID search for the Wikileaks e-mail drops. This might just all tie together somehow.

I got results with most if not all of these algorithms: md4, md5, sha1, sha224, sha384, sha256, sha512, ripemd160

On these addresses: (append hash to end of link)

https://search.wikileaks.org/gifiles/?viewemailid=

https://wikileaks.org/podesta-emails/emailid/

https://www.wikileaks.org/clinton-emails/emailid/

https://www.wikileaks.org/dnc-emails/emailid/

https://www.wikileaks.org/akp-emails/emailid/

https://www.wikileaks.org/hbgary-emails/emailid/

>>9043728

Looks a bit like a cutout into a sheet of paper. Reminds me of a Grille type cipher. What's interesting about this is that people were accusing Comey, Obama, etc., of using a cipher of this type on social media to send out comms.

See: https://en.wikipedia.org/wiki/Grille_(cryptography)

If it is this kind of cipher, the real question is what it overlays on.

Thinking outside the box, it may not even belong on a word-based sheet of paper. What if it were laid onto a map to show something underneath or points of interest?

The original post this came from could give a clue what it could be laid over…

>>9247409

This is a mixed C / C++ application built for linux, obvious from the .so names and the dbus. The mangled names (ZTI14…) are C++.

These are mostly function names and library names for dynamic linking. Nothing interesting here actually.