

A simultaneous OS X binary, PDF file, jar file, and HTML page - jm3
http://mix.corkami.com

======
DHowett

        They serve no purpose, except proving that file formats not starting at offset
        0 are a bad idea.

Au contraire–they are a wonderful idea. If, say, a polyglot pdf+executable
could gain code execution enough to execute itself as a binary, it could just
as easily execute far more dangerous code while being far less likely to tip
off an automated scanner. So it goes for many of the other stackable formats.

The benefits seem to far outweigh the drawbacks. As an example, look at the
concept behind ext[234]fs migration in btrfs (which is not fixed to block 0 in
a volume)–Take an ext4 filesystem, generate new inodes pointing at the
original b-trees, and away you go! You get a filesystem that is valid ext4
(retaining the old data), and valid btrfs (which, being copy-on-write, doesn't
destroy the old data.)

~~~
Someone
Also, these aren't all "file formats not starting at offset 0". For example,
PDF files must start with %PDF. The problem is that several tools are happy
with a PDF prefixed by noise. That probably is because PDF, originally, was a
text format (just as PostScript still is). Compression of content was added
later, but the structure still is pure ASCII (for example, the table of
contents at the end of a file has file offsets in ASCII, and you can find the
start of the table of contents as an ASCII string, too).

------
ange4771_
I also did the same with PE or ELF instead of Mach-O.

I recommend also checking my latest slides @
[https://corkami.googlecode.com/files/44CON2013-Messing%20wit...](https://corkami.googlecode.com/files/44CON2013-Messing%20with%20binary%20formats.zip)
where the 'inception' slides contain the PDF slides and the actual PDF viewer
Sumatra, and an alternate PDF to be viewed under Chrome ;)

------
iuguy
BTW, if you're interested, Ange also built a really awesome pair of posters on
the Windows PE binary format for you to print out:

[https://code.google.com/p/corkami/wiki/PE101](https://code.google.com/p/corkami/wiki/PE101)

[https://code.google.com/p/corkami/wiki/PE102](https://code.google.com/p/corkami/wiki/PE102)

------
iuguy
Ange was at 44CON[1] this month and did a great talk about Windows PE binary
formats. He also ran a workshop on the PE binary format. Awesome guy to talk
to, just make sure you don't have any fez's lying around ;)

[1] - [http://www.44con.com/](http://www.44con.com/)

~~~
Ygg2
I'm intrigued by his fez obsession. Does he toss/eat/steal/stomp them?

~~~
ange4771_
Fezzes are cool.

~~~
laumars
Was that an intended Doctor Who reference or am I just showing my nerdiness
now?

reference:
[http://www.youtube.com/watch?v=bvWYw0CnuSI](http://www.youtube.com/watch?v=bvWYw0CnuSI)

~~~
sanderjd
Ha, don't worry, I read it that way too.

------
est
ELF and PE hybrid

[http://stackoverflow.com/a/2083161/41948](http://stackoverflow.com/a/2083161/41948)

Now someone could just add Mach-O to it...

~~~
ange4771_
It's not a PE, it's a (headerless) COM.

PE, ELF, and Mach-O all enforce a different signature at offset 0. Thus it's
impossible to combine them - otherwise, I'd have done it already ;)
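The two points made above (lenient tools accept a PDF prefixed by noise, while PE, ELF and Mach-O each insist on their own signature at offset 0) suggest a simple triage check. The following is an added example, not code from this thread or from corkami: it names the format claimed at offset 0, lists secondary headers found later in the file, and resolves a PDF's ASCII startxref value either as an absolute file offset or relative to the %PDF header. The magic tables and the sample blob are constructed for the example.

```python
import re
# Signatures that must sit at offset 0 (constructed table, not exhaustive).
OFFSET0_MAGIC = {b"MZ": "PE/DOS", b"\x7fELF": "ELF",
                 b"\xfe\xed\xfa\xce": "Mach-O 32", b"\xfe\xed\xfa\xcf": "Mach-O 64",
                 b"\xca\xfe\xba\xbe": "Mach-O fat", b"%PDF-": "PDF", b"PK\x03\x04": "ZIP/JAR"}
# Headers that lenient parsers honour even when preceded by noise.
RELAXED_MAGIC = {b"%PDF-": "PDF", b"PK\x03\x04": "ZIP/JAR", b"<html": "HTML"}

def primary_format(data: bytes) -> str:
    """Name the format claimed by the bytes at offset 0."""
    for magic, name in OFFSET0_MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"

def embedded_headers(data: bytes) -> list:
    """Return (offset, format) for each relaxed header found past offset 0."""
    found, lowered = [], data.lower()
    for magic, name in RELAXED_MAGIC.items():
        hay = lowered if name == "HTML" else data  # tag names are case-insensitive
        pos = hay.find(magic, 1)
        while pos != -1:
            found.append((pos, name))
            pos = hay.find(magic, pos + 1)
    return sorted(found)

def pdf_xref_consistent(data: bytes, hdr: int):
    """Resolve the ASCII startxref value: 'absolute' if it points at 'xref' as a
    file offset, 'relative' if only relative to the %PDF header at hdr (readers
    differ on which they use), None if neither resolves."""
    m = re.search(rb"startxref\s+(\d+)\s+%%EOF", data)
    if not m:
        return None
    off = int(m.group(1))
    if data[off:off + 4] == b"xref":
        return "absolute"
    return "relative" if data[hdr + off:hdr + off + 4] == b"xref" else None

def classify(data: bytes) -> dict:
    """Triage verdict: offset-0 format plus any secondary headers found later."""
    extra = embedded_headers(data)
    return {"primary": primary_format(data), "embedded": extra, "polyglot": bool(extra)}

def build_pdf(startxref: int) -> bytes:
    """Constructed minimal PDF; its 'xref' keyword sits 27 bytes after %PDF."""
    return (b"%PDF-1.4\n1 0 obj<<>>endobj\nxref\n0 1\n0000000000 65535 f \n"
            b"trailer<</Size 1>>\nstartxref\n" + str(startxref).encode() + b"\n%%EOF\n")

# Constructed sample: 64-byte MZ stub, then the PDF, then an HTML tail.
SAMPLE = b"MZ" + b"\x00" * 62 + build_pdf(27) + b"<html><body>hi</body></html>"
```

A file whose offset-0 format differs from the formats found later is worth a second look; the startxref result tells you which kind of reader would still open the PDF part.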

~~~
est
Getting around the offset 0 is always the hardest part in all hybrid format
hacks.

I tried .vbs+.bat hybrid and .bat+.com hybrid.

------
TheZenPsycho
Is it possible to do the (somewhat) simpler (in concept, not process) task of
making gif or png that is also a valid HTML file? It might be kind of tricky
given they both have magic numbers at the head...but perhaps there is some way
to trick a browser into ignoring the "garbagey" bits?

~~~
ygra
You mean like this?

[http://demoseen.com/windowpane/magister.png.html](http://demoseen.com/windowpane/magister.png.html)

(I'm not the creator, I just happen to share an IRC channel with them.) There
is a description of how it works at [http://daeken.com/superpacking-js-demos](http://daeken.com/superpacking-js-demos)

~~~
TheZenPsycho
Thanks! yes that's what I mean

------
yiedyie
I remember that the NE executable files had hardly any viruses. I always wondered
why: is it the format, or the fact that they were not used that much (due to
the short presence of Win3)?

~~~
ange4771_
I might be wrong, but IMO: short lifespan (16 bits), complex format while
standard DOS executables could still run...

------
chrisdew
What's the font used in the top-right image (begins "db 'MZ'")?

~~~
ange4771_
Envy Code R: [http://damieng.com/blog/2008/05/26/envy-code-r-preview-7-cod...](http://damieng.com/blog/2008/05/26/envy-code-r-preview-7-coding-font-released)

