flat assembler
Message board for the users of flat assembler.

Index > Linux > Polyglot file (ELF64 + PDF?)

Author
Thread Post new topic Reply to topic
FlierMate



Joined: 21 Jan 2021
Posts: 219
FlierMate 08 Aug 2021, 21:27
So I am joining a contest to create polyglot file, with multiple file format overlapping with host binary file.
Then I created this ELF64 program, by inserting PDF file content right in the data segment, as shown below:
Code:
format ELF64 executable 3

segment readable executable

entry $

        mov     edx,len
        lea     rsi,[num]
        mov     edi,1           ; STDOUT
        mov     eax,1           ; sys_write
        syscall

        mov     edi,2
        mov     eax,60          ; sys_exit
        syscall

segment readable writeable

num db "Just For You",0xA
len = $ - num
pdf1 db "%PDF-1.",0xA
pdf2 db "1 0 obj<</Kids[<</Resources<<>>/Contents 2 0 R/Parent 1 0 R/Type/Page/MediaBox[0 0 99 99]>>]/Type/Pages/Count 1>>endobj",0xA
pdf3 db "2 0 obj<<>>stream",0xA
pdf4 db "BT/ 9 Tf(Just For You)' ET",0xA
pdf5 db "endstream",0xA
pdf6 db "endobj",0xA
pdf7 db "3 0 obj<</Type/Catalog/Pages 1 0 R>>endobj",0xA
pdf8 db "trailer<</Info<</Author(FlierMate)>>/Root 3 0 R>>",0xA
    


Surprisingly, after I compile this justforyou.asm to justforyou, it is identified as both executable and PDF file.
If renaming it with .pdf extension, and enabling "Execute" permission, ewww, it can be opened by PDF reader (Firefox, Chrome, Adobe Reader) and run in terminal window:

Code:
boo@boo-K40IN:~/fasm$ ./justforyou.pdf
Just For You
    


I do not understand how it is identified as PDF despite the ELF header at the beginning of the file?
[/code]
Post 08 Aug 2021, 21:27
View user's profile Send private message Reply with quote
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 8360
Location: Kraków, Poland
Tomasz Grysztar 08 Aug 2021, 21:54
I would recommend the works of Ange Albertini as a valuable reference. I found this remark in the "This PDF is a JPEG" article:
Ange Albertini wrote:
The PDF format officially requires its %PDF-1.x signature to be at offset 0x00, but in practice most interpreters only require its presence within the first 1,024 bytes of the files.
Post 08 Aug 2021, 21:54
View user's profile Send private message Visit poster's website Reply with quote
FlierMate



Joined: 21 Jan 2021
Posts: 219
FlierMate 08 Aug 2021, 22:18
Tomasz Grysztar wrote:
I would recommend the works of Ange Albertini as a valuable reference. I found this remark in the "This PDF is a JPEG" article:
Ange Albertini wrote:
The PDF format officially requires its %PDF-1.x signature to be at offset 0x00, but in practice most interpreters only require its presence within the first 1,024 bytes of the files.


A mind-boggling source of information, with many useful hacks in file format. Now I know why.

Thank you, Tomasz, for the quick and accurate response. Smile
Post 08 Aug 2021, 22:18
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.