Didier Stevens

Monday 9 November 2009

Quickpost: “Hiding” a PDF Document

Filed under: Entertainment,My Software,PDF,Quickpost — Didier Stevens @ 15:00

Here’s some Python code (it uses my mPDF module) to append a new PDF document to an existing PDF document to “hide” the original document. Recovering the original is trivial, you open the PDF document with a HEX-editor and delete the appended document (starting after the second %%EOF counting from the end of the file). This trick uses incremental updates.



__description__ = 'make-pdf-hide-original, use it to "hide" the original PDF document'
__author__ = 'Didier Stevens'
__version__ = '0.0.1'
__date__ = '2009/11/07'

Source code put in public domain by Didier Stevens, no Copyright
Use at your own risk

 2009/11/07: start



import mPDF
import time
import zlib
import optparse

def Main():
    oParser = optparse.OptionParser(usage='usage: %prog [options] pdf-file\n' + __description__, version='%prog ' + __version__)
    oParser.add_option('-s', '--line', default='Hello World', help='The line of text to print on the screen (default Hello World')
    (options, args) = oParser.parse_args()

    if len(args) != 1:
        print ''
        print '  %s' % __description__
        print '  Source code put in the public domain by Didier Stevens, no Copyright'
        print '  Use at your own risk'
        print '  https://DidierStevens.com'

        pdffile = args[0]
        oPDF = mPDF.cPDF(pdffile)
        oPDF.stream(5, 0, 'BT /F1 24 Tf 100 700 Td (%s) Tj ET' % options.line)
        oPDF.xrefAndTrailer('1 0 R')

if __name__ == '__main__':

Quickpost info


Wednesday 21 October 2009

A Windows 7 Launch Party Trick!

Filed under: Entertainment,Forensics,My Software,Windows 7 — Didier Stevens @ 17:19

In search of a new trick for that Windows 7 Launch Party you’re invited to? 😉

Here’s one:


You can download a beta version of my UserAssist tool here. Soon I’ll be posting a final version with details and source code.

Tuesday 1 September 2009

Link: case of the tweep abduction

Filed under: Entertainment,Uncategorized — Didier Stevens @ 20:15

I know, I love a bit of mischief 😉

Wim renamed his “old” Twitter account @domgingelom to the “new” @wimremes. And then I promptly registered @domdingelom… 😉

Did some Tweeting under an assumed name…

And then gave the “new” @domdingelom to Wim.

Monday 13 July 2009

Quickpost: TrueCrypt’s Boot Loader Screen Options

Filed under: Encryption,Entertainment,Quickpost — Didier Stevens @ 0:26

Ready for some Security Through Obscurity fun?
I’ve been playing with TrueCrypt‘s Boot Loader Screen Options to display a custom message when I boot my laptop with full disk encryption.


It’s probably enough to be misleading during a casual inspection of your laptop:


The screen doesn’t even display asterisks when you type your TrueCrypt password.
It’s just as unresponsive as the original “NTLDR is missing” screen.
The only difference with the Windows XP NT Loader missing message, is that the original is just a bit longer:


Or you can just let it display gibberish, like this:



And if challenged, say your laptop was infected with a virus from that damned hotel’s WiFi network.

Quickpost info

Tuesday 9 June 2009

Quickpost: Make Your Own Corrupted PDFs For Free

Filed under: Entertainment,Nonsense,PDF,Quickpost — Didier Stevens @ 14:37

In response to Bruce Schneier’s latest post, let me explain how you can corrupt your own PDF documents for free. Open your PDF document with a binary editor, search for references to the root object (/Root), and overwrite the reference (36 in my example) with a non-existing reference, like 00.


Of course, be careful and make backups first.

Tested on several PDF readers:




Sunday 18 January 2009

Quickpost: Windows 7 Beta: ROT13 Replaced With Vigenère? Great Joke!

Filed under: Encryption,Entertainment,Forensics,Quickpost,Windows 7 — Didier Stevens @ 23:17

Remember that the UserAssist keys are encrypted with ROT13?

In Windows 7 Beta, not anymore! Weak ROT13 crypto has been replaced with “stronger” Vigenère crypto!

The Vigenère key I found through some basic cryptanalysis is BWHQNKTEZYFSLMRGXADUJOPIVC.

To the Microsoft developer who designed this: great joke! You really made me laugh. Seriously. 😎

And I thought Easter Eggs were banned in Microsoft products. Maybe you don’t think of it as an Easter Egg, but as a programmer, I do. 😉


Quickpost info

Saturday 13 December 2008

Identifying Garbage Men

Filed under: Entertainment — Didier Stevens @ 15:23

My guest post over at Pauldotcom:

“Tis the season for tipping garbage men. Here in Brussels, at the end of the year, garbage men would ring your doorbell during their round, presenting you their best wishes for the new year.

This tradition came to an end several years ago. Nowadays, they present you their best wishes when they’re off-duty. And in came a new ID problem…

Monday 8 December 2008


Filed under: Announcement,Entertainment,Hardware — Didier Stevens @ 20:07

I won’t produce an anti-virus related Season’s Greetings movie, like I did in 2006 and 2007.

But this time, I’ve made you an Xmas Tree you can control via Twitter. However, you’ll have to find out yourself how to control it. 😉

Happy New Year!


Tuesday 23 September 2008

CALL -151

Filed under: Entertainment,Nonsense,Puzzle — Didier Stevens @ 10:22

A quiz question for today: what is CALL -151?

Shout-outs to everyone who ever used CALL -151!


The answer:

Friday 12 September 2008

Second YAISC cartoon

Filed under: Entertainment — Didier Stevens @ 14:13

It’s silly to post this now, but I forgot to mention in my YAISC post that I wouldn’t post my cartoons in this feed.

« Previous PageNext Page »

Blog at WordPress.com.