#!/usr/bin/env python
"""
tcsteg -- TrueCrypt real steganography tool
version 1.0 (2011-02-24)
by Martin J. Fiedler <martin.fiedler@gmx.net>

This software is published under the terms of KeyJ's Research License,
version 0.2. Usage of this software is subject to the following conditions:
0. There's no warranty whatsoever. The author(s) of this software can not
   be held liable for any damages that occur when using this software.
1. This software may be used freely for both non-commercial and commercial
   purposes.
2. This software may be redistributed freely as long as no fees are charged
   for the distribution and this license information is included.
3. This software may be modified freely except for this license information,
   which must not be changed in any way.
4. If anything other than configuration, indentation or comments have been
   altered in the code, the original author(s) must receive a copy of the
   modified code.

To generate a steganographic TrueCrypt/QuickTime hybrid using the script, do the following:

    Find a good candidate QuickTime or MP4 file to use as a disguise, let’s say SomeVideo.mp4. The file should be encoded in a very efficient way so that an increase in filesize is believable in relation to the length and quality of the video. Estimate how much larger the file may become without becoming suspicious.
    Use TrueCrypt’s Volume Creating Wizard to create a new hidden(!) TrueCrypt volume.
        Use the name of the final hybrid file as the container file name, e.g. InnocentLookingVideo.mp4.
        As the outer volume size, enter the estimated maximum enlargment from step 1.
        Don’t bother entering a good password for the outer volume, it will be destroyed anyway.
        Use the maximum possible size for the hidden volume. Enter the size in KB instead of MB and do a bit of number guessing – the »Next« button in the wizard is disabled when the size is too large. Find the maximum size where the button is still clickable. (Technically, you could enter lower values, but why should you? Every byte left to the outer volume is a wasted byte!)
        Use your real ultra-secret password or keyfile for the hidden volume.
        Do not mount the outer volume! You will likely destroy the hidden volume otherwise.
    Use the script:

        python tcsteg.py SomeVideo.mp4 InnocentLookingVideo.mp4

    This will modify the TrueCrypt container file in-place. It might still take a while to process, since the disguise file is basically copied over into the container file.
    If everything worked, you will now have a file that
        looks like a video file in every way
        can be played as a video file using normal video player applications
        can still be mounted in TrueCrypt as a hidden volume
        is very hard to detect as a hybrid file

"""
import sys, os, array

def r_u32(s, offs=0):
    return (ord(s[offs]) << 24) | (ord(s[offs+1]) << 16) | (ord(s[offs+2]) << 8) | ord(s[offs+3])
def w_u32(i):
    return chr((i >> 24) & 0xFF) + chr((i >> 16) & 0xFF) + chr((i >> 8) & 0xFF) + chr(i & 0xFF)

LITTLE_ENDIAN = array.array('h', "\x00\x01").tolist()[0] - 1

def copy_block(f_src, f_dest, size):
    BLOCKSIZE = 65536
    while size > 0:
        bytes = size
        if bytes > BLOCKSIZE:
            bytes = BLOCKSIZE
        block = f_src.read(bytes)
        if not block:
            break
        f_dest.write(block)
        size -= len(block)
    return size

class ProcessingError(RuntimeError):
    pass

################################################################################

class QTFileAtom:
    def __init__(self, atom_or_file=None, offset=0, size=0):
        self.offset = offset
        if isinstance(atom_or_file, basestring):
            self.atom = atom_or_file
            self.size = size
        else:
            atom_or_file.seek(offset)
            s = atom_or_file.read(8)
            if len(s) < 8:
                raise EOFError("end of file reached")
            self.size = r_u32(s)
            self.atom = s[4:]
            if not self.size:
                atom_or_file.seek(0, 2)
                self.size = atom_or_file.tell() - offset
            elif self.size == 1:
                raise ValueError("64-bit files are not supported")
        self.end = self.offset + self.size

    def read(self, f):
        f.seek(self.offset)
        data = f.read(self.size)
        if len(data) != self.size:
            raise IOError("unexpected end of file")
        return data

    def copy(self, f_src, f_dest, payload_only=False):
        offset = self.offset
        size = self.size
        if payload_only:
            offset += 8
            size -= 8
        f_src.seek(offset)
        if copy_block(f_src, f_dest, size):
            raise IOError("unexpected end of file")

    def copy_moov(self, f_src, f_dest, offset_adjust=0):
        moov = self.read(f_src)
        stco_pos = 0
        while True:
            stco_pos = moov.find("stco\0\0\0\0", stco_pos + 5) - 4
            if stco_pos <= 0:
                break
            stco_size = r_u32(moov, stco_pos)
            stco_count = r_u32(moov, stco_pos + 12)
            if stco_size < (stco_count * 4 + 16):
                continue  # invalid stco size, maybe a false positive
            start = stco_pos + 16
            end = start + stco_count * 4
            data = array.array('I', moov[start:end])
            if LITTLE_ENDIAN: data.byteswap()
            try:
                data = array.array('I', [x + offset_adjust for x in data])
            except OverflowError:
                continue  # invalid offset, maybe a false positive
            if LITTLE_ENDIAN: data.byteswap()
            moov = moov[:start] + data.tostring() + moov[end:]
        f_dest.write(moov)

    def __repr__(self):
        return "QTFileAtom(%r, %d, %d)" % (self.atom, self.offset, self.size)

def AnalyzeQT(f):
    relevant_atoms = ('ftyp', 'moov', 'mdat')
    atoms = {}
    offset = 0
    while True:
        try:
            atom = QTFileAtom(f, offset)
        except EOFError:
            break
        if atom.atom in relevant_atoms:
            if atom.atom in atoms:
                raise ValueError("duplicate %r atom" % atom.atom)
            atoms[atom.atom] = atom
        elif not(atom.atom in ('free', 'wide', 'uuid')):
            print >>sys.stderr, "WARNING: unknown atom %r, ignoring" % atom.atom
        offset = atom.end
    try:
        return tuple([atoms[a] for a in relevant_atoms])
    except KeyError:
        raise ValueError("missing '%s' atom" % atom)

def TCSteg_Embed_QT(f_src, f_dest):
    "QuickTime / ISO MPEG-4 ### mov,qt,mp4,m4v,m4a"
    try:
        ftyp, moov, mdat = AnalyzeQT(f_src)
    except (IOError, ValueError), e:
        print >>sys.stderr, "Error reading the source file:", e
        return 1
    if ftyp.size > (65536 - 8):
        raise ProcessingError("'ftyp' atom too long")

    # copy main data
    f_dest.seek(0, 2)
    eof_pos = f_dest.tell() - 131072
    if eof_pos <= 131072:
        raise ProcessingError("TrueCrypt file too small")
    f_dest.seek(eof_pos)
    if (eof_pos + mdat.size - 8 + moov.size) >= (2L**32):
        raise ProcessingError("files too large (must be less than 4 GiB)")
    mdat.copy(f_src, f_dest, payload_only=True)
    mdat_end = f_dest.tell()
    moov.copy_moov(f_src, f_dest, eof_pos - mdat.offset - 8)

    # re-generate first 64 KiB
    head = ftyp.read(f_src) + "\0\0\0\x08free"
    head += w_u32(mdat_end - len(head)) + "mdat"
    f_dest.seek(0)
    f_dest.write(head)
    remain = 65536 - len(head)
    if remain >= 0:
        f_src.seek(mdat.offset + 8)
        f_dest.write(f_src.read(remain))

    return 0

################################################################################

def __get_fmts():
    return [item for name, item in globals().iteritems() if name.lower().startswith('tcsteg_embed_')]
FORMATS = __get_fmts()

if __name__ == "__main__":
    try:
        f_src = sys.argv[1]
        f_dest = sys.argv[2]
    except IndexError:
        print "Usage:", sys.argv[0], "<INPUT> <OUTPUT>"
        print "Embeds a file into a TrueCrypt container so that both are still readable."
        print
        print "<INPUT> is a file in one of the following formats:"
        fmtlist = []
        for fmt in FORMATS:
            name, exts = fmt.__doc__.split("###", 1)
            exts = exts.strip().lower().split(',')
            exts.sort()
            fmtlist.append((name.strip(), exts))
        maxlen = max([len(name) for name, exts in fmtlist])
        for name, exts in fmtlist:
            print "    %s  (%s)" % (name.ljust(maxlen), ", ".join(["*."+ext for ext in exts]))
        print
        print "<OUTPUT> is a TrueCrypt container containing a hidden volume. The file will be"
        print "modified in-place so that it seems like a copy of the input file that can be"
        print "opened in an appropriate viewer/player. However, the hidden TrueCtype volume"
        print "will also be preserved and can be used."
        print

    main = None
    ext = os.path.splitext(f_src)[-1][1:].lower()
    for fmt in FORMATS:
        if ext in fmt.__doc__.split("###", 1)[-1].strip().lower().split(','):
            main = fmt
    if not main:
        print >>sys.stderr, "Error: input file format is not supported"
        sys.exit(1)

    try:
        f_src = open(f_src, "rb")
    except IOError, e:
        print >>sys.stderr, "Error opening the input file:", e
        sys.exit(1)
    try:
        f_dest = open(f_dest, "r+b")
    except IOError, e:
        print >>sys.stderr, "Error opening the output file:", e
        sys.exit(1)

    try:
        sys.exit(main(f_src, f_dest))
    except ProcessingError, e:
        print >>sys.stderr, "Error:", e
        sys.exit(1)