
This file's a Win Executable, PDF, Java executable (or Python script), and HTML - Swizec
http://code.google.com/p/corkami/downloads/detail?name=CorkaMIX.zip
======
gph
Anyone more knowledgeable in assembly and file formats care to expand on this:

> It serves no purpose, except proving that file formats not starting at offset 0 are a bad idea

What exactly does it mean to start at offset 0 and why don't these file
formats do that? Is there an advantage in not starting at offset 0 or is it
simply oversight/indifference? Any kind of background on the problem would be
appreciated, I'm really quite intrigued.

~~~
Dinoguy1000
When a file format starts at offset 0, it simply means that it starts at the
first byte of the file.

Other than that, I can't provide any information on file formats allowed to
start at offsets other than 0, or why this may or may not be a good idea (I
suppose maybe it would allow an enterprising programmer to hide a malicious
file by embedding it in an otherwise-innocuous format?), though I am certainly
curious as well.

~~~
pyre
I've seen files being distributed on 4chan before via a .rar file embedded
in an image.

~~~
385668
That's kind of a different issue though, my understanding is that .jpeg has an
unlimited size footer and .rar has an unlimited size header. It gets similar
results, though.

------
pforpal
Did you test how different antivirus programs respond to this?

~~~
dchest
Here you go
[https://www.virustotal.com/file/1fc14ab461828afd34f92c69e34d...](https://www.virustotal.com/file/1fc14ab461828afd34f92c69e34dd05270c73b744de09ea97170c07616a78384/analysis/1343862855/)

Edit: someone posted results for .exe file inside the .zip, which are a bit
different (it seems like some antiviruses don't try to unpack it?), but then
deleted the comment. Here's the link for .exe:
[https://www.virustotal.com/file/2a9c7a16cdb3c3f2285afaf61072...](https://www.virustotal.com/file/2a9c7a16cdb3c3f2285afaf61072dd5e7cc022e97f351cad6234a13e5216f389/analysis/1343862883/)

~~~
Zenst
Given what it's doing and how it's doing it, those virus alerts listed are
understandable, and if anything I'd have to say kudos to Panda AV for being the
most honest about it. Probably breaking the PE and the CRC checksum aspects
would get it flagged, as it has in some, and the html/exe flagging is also
explained, having read through how it works.

Still impressive stuff, and also, given the use of undocumented opcodes and x86
foo, it does raise a new question:

Given some VMs will fail on some of the instructions instead of running them as on
bare metal, is it possible to have a virus that will only trigger on bare
metal or VM machines through use of undocumented opcodes and the like?

Nonetheless, a wonderful definition of hacking in its truest sense, and
educational on undocumented opcodes and how for some things you can't beat
pure assembly for fun and jollies.

~~~
voltagex_
My corporate proxy chokes on it too.

An error occurred while performing an ICAP operation: File
decompression/decode error; File: CorkaMIX.zip; Sub File: No file name
available; Vendor: Kaspersky Labs; Engine error code: 0x00050000; Engine
version: 8.1.8.79; Pattern version: 120801.124000.8311194; Pattern date:
2012.08.01 12:40:00

------
peeters
It being an .exe and a JAR file doesn't surprise me at all. JAR files follow
the ZIP format, and self-extracting ZIP files have always worked by being
simultaneously a valid EXE and ZIP file.

------
wycats
You could make this a valid Ruby script without the "extra byte" problem that
comes with making it a Python script.

------
majmun
Why is this a bad thing and not a good thing?

------
motiejus
Below is a valid program in:

* perl
* ruby
* python2
* python3
* lua

In fact, they all return the same result![1]

== the program ==

    print ("howdy")

[1] visually. If you ignore the newline.

------
snw
.rar also has this issue.

What other formats don't need to start at offset 0?

~~~
est
It's not that RAR doesn't need to start at offset 0; it's that a self-extracting RAR could be
an exe. And WinRAR accepts files like these.
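As an added illustration of the offset-0 point raised earlier in the thread and of the "what other formats" question just above (this is example code, not from corkami, the submitter or any commenter): a small Python checker that separates signatures a parser anchors at byte 0 (PE's MZ, JPEG) from ones readers accept later in the file (a PDF header within the first 1 KiB, ZIP's end-of-central-directory record near the tail, RAR's marker block, an HTML tag), and flags a file that matches more than one format. The search windows are simplifications of what real parsers tolerate, and the sample bytes are constructed, not a working file in any of the formats.

```python
import sys

# Signatures a parser requires at byte 0 ("anchored") versus signatures parsers
# accept later in the file ("floating"); the latter let one file be several formats.
# Search windows are simplifications of what real parsers tolerate (assumption).
ANCHORED = {"PE/MZ": b"MZ", "JPEG": b"\xff\xd8\xff"}
FLOATING = {
    "PDF": (b"%PDF-", 1024),         # readers accept the header within the first 1 KiB
    "RAR": (b"Rar!\x1a\x07", None),  # archivers scan forward for the marker block
    "HTML": (b"<html", None),        # browsers sniff for tags anywhere in the file
}
ZIP_EOCD = b"PK\x05\x06"  # end-of-central-directory record, located from the file's tail
ZIP_TAIL = 22 + 65535     # fixed EOCD size plus the maximum archive comment length


def find_formats(data: bytes) -> dict:
    """Map each recognised format to the offset of its signature in data."""
    hits = {name: 0 for name, magic in ANCHORED.items() if data.startswith(magic)}
    for name, (magic, window) in FLOATING.items():
        hay = data if window is None else data[: window + len(magic)]
        if name == "HTML":
            hay = hay.lower()  # tag matching is case-insensitive
        off = hay.find(magic)
        if off != -1:
            hits[name] = off
    # ZIP readers walk backwards from the end, so the archive may begin anywhere.
    eocd = data.rfind(ZIP_EOCD, max(0, len(data) - ZIP_TAIL))
    if eocd != -1 and eocd + 22 <= len(data):
        hits["ZIP"] = eocd
    return hits


def is_polyglot(data: bytes) -> bool:
    """True when more than one format claims the same bytes."""
    return len(find_formats(data)) > 1


# Constructed sample: MZ stub, PDF header inside the first 1 KiB, an HTML tag and an
# empty 22-byte ZIP EOCD record at the end. Not a working file in any of these formats.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"%PDF-1.4\n%constructed\n"
    + b"<html><body>hi</body></html>\n"
    + ZIP_EOCD + b"\x00" * 18
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for fmt, off in sorted(find_formats(blob).items(), key=lambda kv: kv[1]):
        print(f"{fmt:6} signature at offset {off}")
    print("polyglot" if is_polyglot(blob) else "single format")
```

Run it with a file path to report every signature it finds and where; a match on more than one format is worth a second look before trusting whatever the extension says.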

