File Hider
Hide any file inside another file (JPEG, PNG, MP3, PDF). Creates polyglot files that open normally but contain hidden payloads. AES-256 encrypted.
Drop carrier file or click to browse
JPEG, PNG, MP3, PDF, or any file (max 500MB)
jpeg
png
mp3
How to Hide a File Inside Another File (4 steps)
- Upload a carrier file (JPEG, PNG, MP3, PDF, or any file)
- Add the file or files you want to hide inside it
- Pick a method (EOF append for everything · PNG chunk injection for hardened CTFs)
- Optionally encrypt with AES-256, choose a redundancy level, or set a custom marker
- Click Encode — download a polyglot file that opens normally yet carries your payload
File Hiding Methods — How This Tool Works
| Method | Technique | Advantage | Best For |
|---|---|---|---|
| EOF Append | Adds payload after the carrier's natural end-of-file marker | Carrier opens normally in any viewer · unlimited capacity | Default — JPEG/PNG/MP3/PDF/anything |
| PNG Chunk Injection (stEG) | Inserts payload as a custom 'stEG' chunk before IEND with a valid CRC32 | Survives some PNG re-saves · invisible to file-size checks | Hardened CTF challenges, archival images |
| Multi-file ZIP | JSZip-bundles multiple input files before embedding | Same wire format · transparent to the user | Hiding 2+ files at once |
| AES-256-GCM | Encrypts the payload before appending | Wrong password silently rejected · plausible deniability | Encrypted exfil / CTF challenges |
| Reed-Solomon Redundancy | Wraps the payload in shard-based redundancy (RS-10/20/30) | Survives 10–30% trailing-data corruption | Unreliable transfer / archival storage |
| EP_STEGO marker | 8-byte magic header + 1B flags + 4B BE length | Decoder auto-locates and extracts | Round-trip with this decoder |
Frequently Asked Questions
What file types can I use as a carrier?
JPEG, PNG, MP3, PDF, or any file. Image/audio/PDF carriers stay viewable in their normal apps because those parsers stop at the format's own EOF marker. Generic carriers also work — they just won't have a 'nice' viewer.
Will the carrier still open normally after embedding?
Yes. Image viewers stop reading at FF D9 (JPEG) or IEND (PNG); MP3 players stop at the last audio frame; PDF readers stop at %%EOF. The appended payload sits past those markers and is invisible to those parsers.
What does the Carrier Integrity Test do?
After embedding, the tool re-parses the output and runs format-specific checks (JPEG SOI/EOI, PNG signature + CRC32 per chunk, PDF %%EOF, MP3 frame sync). It tells you immediately whether the carrier still opens normally — no tool currently does this.
What's the Polyglot Validator?
For images, the validator decodes the output through the browser's ImageBitmap (the same code path used by ⟨img⟩) and scans for a ZIP signature in the trailing data. A green light means the file is genuinely valid as both formats simultaneously.
Can I hide more than one file?
Yes. Use the 'Add another file' button in the Configure step — multiple files are zipped automatically before embedding, and the decoder unpacks them on the other side.
What is PNG Chunk Injection (stEG) and when should I use it?
Instead of appending after IEND, the payload is inserted as a custom 'stEG' chunk inside the PNG with a valid CRC32. Image viewers ignore unknown chunks (PNG spec) so the image still renders, but the file size scan and binwalk's basic mode won't flag trailing garbage. Best for CTF challenges where standard tools should miss the payload.
What does Reed-Solomon redundancy add?
RS-10 / RS-20 / RS-30 wrap the payload in error-correction shards so the hidden file can be recovered even if 10/20/30% of the trailing data is corrupted (partial download, transit error, etc.). Overhead: ~11/25/43%. Recommended: RS-20.
Is my file uploaded anywhere?
Never. Everything runs in this browser tab using ArrayBuffer manipulation, JSZip, and the Web Crypto API. Files don't leave the device — encoding heavy lifting runs in a WebWorker, and large outputs stream directly to disk via StreamSaver.
How is the hidden payload found again?
An 8-byte magic header ("EP_STEGO\0") + 1 flags byte + 4 length bytes are appended just before the payload. The decoder scans for that marker and extracts exactly the declared number of bytes.