Ku7ahzae

Onion 4: Data dump and analysis

Jan 29th, 2014
===============================================================================
ONION 4 Main data dump and all things tested so far
===============================================================================

onion4 data downloaded as onion4.hex (https://infotomb.com/vnq3e)
onion4.hex has no GPG signature

xxd -r -p onion4.hex onion4.bin

file onion4.bin:
onion4.bin: gzip compressed data, was "data.out", from Unix, last modified: Fri Jan 24 21:10:12 2014

mv onion4.bin onion4.gz
gunzip onion4.gz --> onion4

mv onion4 onion4.bin

../scripts/DetectJPG_v2.py -i onion4.bin

--------------------------------------------------------
DETECT_JPG: SEARCHING FOR JPGS IN BINARY DATA
--------------------------------------------------------

Read onion4.bin with 3010703 bytes

--- scanning data ---

Detected jpg. Begin: 0 End 823807
Saving as onion4.image00.jpg
Detected jpg. Begin: 823807 End 1647321
Saving as onion4.image01.jpg

--- reversing byte order ---

--- scanning data ---

Detected jpg. Begin: 0 End 638805
Saving as onion4.image02.jpg
Detected jpg. Begin: 638805 End 1363382
Saving as onion4.image03.jpg

--- looking for bytes not used in jpegs ---


--- Done ---

JPGs uploaded:
https://infotomb.com/qjiqh --> onion4.image00
https://infotomb.com/3vw2u --> onion4.image01
https://infotomb.com/609xy --> onion4.image02
https://infotomb.com/8do0b --> onion4.image03
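
DetectJPG_v2.py itself is not on this page. As an added example (my code, not the script), this is the carving logic its output implies: scan for SOI..EOI marker pairs, repeat the scan on the byte-reversed data, and list the bytes no image claims. The sample blob is constructed: one minimal JPEG stored forwards and a second one stored byte-reversed.

```python
SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker plus the 0xFF of the next marker
EOI = b"\xff\xd9"      # JPEG end-of-image marker

def carve_jpegs(data):
    """Return (begin, end) byte spans for each SOI..EOI run found in data.

    Each search resumes where the previous image ended, which is why the page
    reports back-to-back images (image01 begins exactly where image00 ends).
    Caveat: an EXIF thumbnail carries its own EOI, so a naive scan can end a
    real image early; confirm carved files with `file` or an image viewer."""
    spans, pos = [], 0
    while True:
        begin = data.find(SOI, pos)
        if begin < 0:
            break
        end = data.find(EOI, begin + len(SOI))
        if end < 0:
            break
        end += len(EOI)
        spans.append((begin, end))
        pos = end
    return spans

def carve_both_orders(data):
    """Scan the data as-is and byte-reversed, the two passes visible in the output above."""
    return {"forward": carve_jpegs(data), "reversed": carve_jpegs(data[::-1])}

def unclaimed_ranges(length, spans):
    """Byte ranges not covered by any carved image (the 'bytes not used in jpegs')."""
    gaps, pos = [], 0
    for begin, end in spans:
        if begin > pos:
            gaps.append((pos, begin))
        pos = max(pos, end)
    if pos < length:
        gaps.append((pos, length))
    return gaps

# Constructed sample: JPEG_A stored forwards, JPEG_B stored byte-reversed.
JPEG_A = b"\xff\xd8\xff\xe0" + b"A" * 20 + b"\xff\xd9"
JPEG_B = b"\xff\xd8\xff\xe0" + b"B" * 30 + b"\xff\xd9"
SAMPLE = JPEG_A + JPEG_B[::-1]
```

Note that the SOI marker is a byte palindrome, so a reversed image leaves a stray SOI in the forward pass; the scan above tolerates it because no EOI follows.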


-------------------------------------------------------------------------------
OUTGUESS
-------------------------------------------------------------------------------

We try outguess on the following images (see above where they come from):
outguess -r onion4.image00.jpg outguess00.dat --> binary data (58152 bytes)
outguess -r onion4.image01.jpg outguess01.dat --> binary data (58152 bytes)
outguess -r onion4.image02.jpg outguess02.dat --> ASCII/text (140 bytes)
outguess -r onion4.image03.jpg outguess03.dat --> binary data (58152 bytes)

onion4.image02.jpg has ASCII outguess:

For those who have fallen behind:

TL BE IE OV UT HT RE ID TS EO ST PO SO YR
SL BT II IY T4 DG UQ IM NU 44 2I 15 33 9M

Good luck.

3301


Note that this is _NOT_ signed with GPG/PGP
Letter frequency very similar to English plaintext
trying Caesar ... no decryption
trying columnar transposition ... Decryption:

TLBEIEO                         TOBELIE
VUTHTRE                         VETRUTH
IDTSEOS                         ISTODES
TPOSOYR    reordering columns   TROYPOS
SLBTIII  -------------------->  SIBILIT
YT4DGUQ                         YQ4UTGD
IMNU442                         I2N4M4U
I15339M                         IM59133

TO BELIEVE TRUTH IS TO DESTROY POSSIBILITY Q4UTGDI2N4M4UIM59133

Removing the last 4 digits from the last 'word' we get ONION 5:

http://q4utgdi2n4m4uim5.onion/

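The columnar transposition above, as an added example (my code, not the author's): it cuts the 56 characters into the 8x7 grid, brute-forces all 7! column orders against a small crib list (the crib words are my choice), and strips the trailing four digits to obtain the onion address. KNOWN_ORDER is the column order the page arrived at, kept for comparison.

```python
from itertools import permutations

# The 56 characters from onion4.image02's outguess output, as posted above.
CIPHERTEXT = ("TL BE IE OV UT HT RE ID TS EO ST PO SO YR "
              "SL BT II IY T4 DG UQ IM NU 44 2I 15 33 9M")
COLS = 7                             # 56 characters = 8 rows of 7
KNOWN_ORDER = (0, 6, 2, 5, 1, 4, 3)  # column order recovered on the page
CRIB_WORDS = ("BELIEVE", "TRUTH", "DESTROY", "POSSIBILITY")  # my crib list

def rows_of(text, cols):
    """Strip the pair spacing and cut the text into rows of `cols` letters."""
    s = text.replace(" ", "")
    assert len(s) % cols == 0, "text must fill the grid exactly"
    return [s[i:i + cols] for i in range(0, len(s), cols)]

def read_columns(rows, order):
    """Rewrite every row with its columns permuted, then join the rows."""
    return "".join("".join(row[i] for i in order) for row in rows)

def crib_score(text, words):
    """Total length of crib words present; longer hits weigh more."""
    return sum(len(w) for w in words if w in text)

def search_column_order(text, cols, words):
    """Try all cols! column orders and keep the one with the best crib score."""
    rows = rows_of(text, cols)
    best = max(permutations(range(cols)),
               key=lambda order: crib_score(read_columns(rows, order), words))
    return best, read_columns(rows, best)

def onion_from_plaintext(plaintext, marker="POSSIBILITY"):
    """Everything after the last English word, minus the trailing 4 digits."""
    tail = plaintext[plaintext.index(marker) + len(marker):]
    return tail[:-4].lower() + ".onion"

if __name__ == "__main__":
    order, plaintext = search_column_order(CIPHERTEXT, COLS, CRIB_WORDS)
    print(order, plaintext, onion_from_plaintext(plaintext))
```

The words BELIEVE and TRUTH alone pin the order down: they force row 2 to read VETRUTH, and the row-1 letters then leave exactly one permutation.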
-------------------------------------------------------------------------------
Runepages translated
-------------------------------------------------------------------------------
Others were faster (thanks sibilance):

Translation of rune pages: https://gist.github.com/anonymous/ab917b4c225859c8c2b2

-------------------------------------------------------------------------------
Testing outguess00, 01 and 03 (each 58152 bytes binary data)
-------------------------------------------------------------------------------

Note: In the following I will use the names onionX.string with X in {2,3,4} for
the three 256 byte strings from these onions.

No usable (as in images/text/compressed data/mp3) file headers found in
outguess00.dat (58152 bytes) at any offset
No usable (as in images/text/compressed data/mp3) file headers found in
outguess01.dat (58152 bytes) at any offset
No usable (as in images/text/compressed data/mp3) file headers found in
outguess03.dat (58152 bytes) at any offset

outguess00.dat --> Entropy: 7.99
outguess01.dat --> Entropy: 7.99
outguess03.dat --> Entropy: 7.99

outguess00.dat --> Frequency analysis: http://imgur.com/z7BdNnz
outguess01.dat --> Frequency analysis: http://imgur.com/xgFA9i0
outguess03.dat --> Frequency analysis: http://imgur.com/RkgEpfb

outguess00.dat --> Fourier analysis: http://imgur.com/yD2GFTA
outguess01.dat --> Fourier analysis: http://imgur.com/7g5RaJK
outguess03.dat --> Fourier analysis: http://imgur.com/koOqixA

-------------------------------------------------------------------------------
XOR the outguesses (all three non-ASCII outguesses have the same size):
-------------------------------------------------------------------------------

file: outguess00_XOR_outguess01.dat: data
file: outguess00_XOR_outguess03.dat: data
file: outguess01_XOR_outguess03.dat: data
file: outguess00_XOR_outguess01_XOR_outguess03.dat: data
--> Only binary data, no readable files
--> No legit file headers found at any offset in these files.

I find no legit headers for images/text/compressed files/mp3 in any combination
in which the three 58152 byte outguess binary blobs from onion4 can be XORed at
any offset.

outguess00 XOR onion2.string at all offsets --> min. entropy 6.96
outguess00 XOR onion3.string at all offsets --> min. entropy 6.94
outguess00 XOR onion3.string at all offsets --> min. entropy 6.94
outguess00 XOR onion2.string_reversed at all offsets --> min. entropy 6.94
outguess00 XOR onion3.string_reversed at all offsets --> min. entropy 6.95
outguess00 XOR onion3.string_reversed at all offsets --> min. entropy 6.93
No readable files (of types text/image/gzip/zip/bzip2/mp3) found at any offset

outguess01 XOR onion2.string at all offsets --> min. entropy 6.95
outguess01 XOR onion3.string at all offsets --> min. entropy 6.92
outguess01 XOR onion3.string at all offsets --> min. entropy 6.94
outguess01 XOR onion2.string_reversed at all offsets --> min. entropy 6.94
outguess01 XOR onion3.string_reversed at all offsets --> min. entropy 6.97
outguess01 XOR onion3.string_reversed at all offsets --> min. entropy 6.95
No readable files (of types text/image/gzip/zip/bzip2/mp3) found at any offset

outguess03 XOR onion2.string at all offsets --> min. entropy 6.95
outguess03 XOR onion3.string at all offsets --> min. entropy 6.95
outguess03 XOR onion3.string at all offsets --> min. entropy 6.94
outguess03 XOR onion2.string_reversed at all offsets --> min. entropy 6.96
outguess03 XOR onion3.string_reversed at all offsets --> min. entropy 6.94
outguess03 XOR onion3.string_reversed at all offsets --> min. entropy 6.94
No readable files (of types text/image/gzip/zip/bzip2/mp3) found at any offset


-------------------------------------------------------------------------------
XORing the three 256 byte strings from onion 2,3,4 against the onion4 jpgs
(Entropy and scan for file header)
-------------------------------------------------------------------------------

No usable file headers (for images/text/compressed data/mp3) found in
onion4.image00.jpg (823807 bytes) XORed with any of the 256 byte strings or
their byte-order reversed copies at all possible offsets.
Minimum entropy is 6.89

No usable file headers (for images/text/compressed data/mp3) found in
onion4.image01.jpg (823514 bytes) XORed with any of the 256 byte strings or
their byte-order reversed copies at all possible offsets.
Minimum entropy is 6.89

No usable file headers (for images/text/compressed data/mp3) found in
onion4.image02.jpg (638805 bytes) XORed with any of the 256 byte strings or
their byte-order reversed copies at all possible offsets.
Minimum entropy is 6.88

No usable file headers (for images/text/compressed data/mp3) found in
onion4.image03.jpg (724577 bytes) XORed with any of the 256 byte strings or
their byte-order reversed copies at all possible offsets.
Minimum entropy is 6.88
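
The XOR-at-every-offset checks in this section and in the outguess section above follow the same recipe. This added example (my code, not the author's tools) implements it: slide a 256-byte key over a blob, score each XORed window by Shannon entropy, and flag offsets where the window starts with a known file header. The key, the blob and the hidden region are constructed, and, as a simplification of mine, entropy is measured on the XORed window rather than the whole file.

```python
import math
import random

# File signatures the page's scans look for (images, compressed data, mp3).
MAGICS = {"jpeg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gzip": b"\x1f\x8b",
          "zip": b"PK\x03\x04", "bzip2": b"BZh", "mp3": b"ID3"}

def shannon_entropy(data):
    """Bits per byte, 0.0 to 8.0; the outguess blobs above score 7.99 (random-looking)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def header_at(data, pos=0):
    """Name of the known signature starting exactly at pos, or None."""
    for name, magic in MAGICS.items():
        if data.startswith(magic, pos):
            return name
    return None

def xor_scan(blob, key):
    """Slide key over blob, XOR it in at every offset, and record the lowest-entropy
    window plus every offset whose XORed window starts with a known header.
    Simplification (mine): entropy is measured on the XORed window, not the whole file."""
    best_off, best_h, hits = None, 9.0, []
    for off in range(len(blob) - len(key) + 1):
        window = bytes(a ^ b for a, b in zip(blob[off:off + len(key)], key))
        h = shannon_entropy(window)
        if h < best_h:
            best_off, best_h = off, h
        kind = header_at(window)
        if kind:
            hits.append((off, kind))
    return best_off, best_h, hits

# Constructed sample: 2 KiB of noise with a 256-byte JPEG-header-plus-text region
# hidden at HIDDEN_AT by XOR with a 256-byte key (standing in for onionX.string).
rng = random.Random(1)
KEY = bytes(rng.randrange(256) for _ in range(256))
SECRET = (b"\xff\xd8\xff\xe0" + b"to believe truth is to destroy possibility").ljust(256, b".")
HIDDEN_AT = 700
BLOB = bytearray(rng.randrange(256) for _ in range(2048))
BLOB[HIDDEN_AT:HIDDEN_AT + 256] = bytes(a ^ b for a, b in zip(SECRET, KEY))
BLOB = bytes(BLOB)
```

Two-byte signatures such as gzip's produce chance hits roughly once per 65536 offsets, so a header hit on its own is weak evidence and needs the entropy dip or a successful `file`/decompression check to confirm it.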

-------------------------------------------------------------------------------
NON-ASCII OUTGUESSES vs. onion5.mp3
-------------------------------------------------------------------------------

XORed all three 58152 byte non-ASCII outguesses from onion4 with the onion5.mp3
at all possible offsets. I scanned for file headers but found no readable
files. The minimum entropy is around 7.9 in all cases.

-------------------------------------------------------------------------------
List of uploaded data from onion4
-------------------------------------------------------------------------------

https://infotomb.com/vnq3e --> onion4.hex
https://infotomb.com/qjiqh --> onion4.image00.jpg
https://infotomb.com/3vw2u --> onion4.image01.jpg
https://infotomb.com/609xy --> onion4.image02.jpg
https://infotomb.com/8do0b --> onion4.image03.jpg
http://pastebin.com/kqfUPAvV --> onion4.image02.outguess.dat
_______________________________________________________________________________