This Operating System is also a Picture

Polyglots: Entertaining and Educational

Some time ago I had the pleasure of reading the articles in PoC||GTFO [1], where I learned about file polyglots: files that are valid in several formats at once and behave differently depending on which interpreter or execution environment opens them. A common example is the self-extracting installer, which is a ZIP archive and, at the same time, an executable that decompresses that archive (that is, itself). Instead of running such an installer, you can simply extract it with unzip.

Creating uncommon polyglots is a lot of fun, but it is also very instructive. To create a polyglot you have to know the particulars of at least two file formats in great detail, and in many cases you have to be creative and think outside the box. Take for example this entry from the Obfuscated C Code Contest [2]:

#include <stdio.h>
#define  true
true /*:all
false :
	make -f $0 $1
	exit 0
all: $(PROG)
	$(CC) $< -o $@
	rm $(PROG)
.PHONY: /* true clean */
	int main() {return!printf("Hello, world\n");}

This is a language polyglot: it is a shell script that runs make on itself as a Makefile, which in turn compiles the same file as C source, and the resulting binary prints "Hello, world". All of that in one file. You have to know all three languages and be inventive to build such a polyglot.

Let’s Boot a PNG

My educational background is heavily influenced by operating-system research [3], so I immediately had the idea of building a polyglot that involves an operating system. I thought I might go down in history with a polyglot made from my profile picture, perhaps booting the picture to display some text... it escalated into far more than that.

If you have qemu, the machine emulator and virtualizer [4], you can boot my profile picture from [3] with the shell command:

qemu-system-x86_64 -kernel gabor.png

It displays the animation shown here inside the QEMU display window.
It really is an operating-system image, bootable by any Multiboot-compliant bootloader [5] such as GRUB or the loader built into qemu, which is what the -kernel option uses. Obviously, it is also a PNG picture showing my face. To explain the details of this polyglot we need to look at the PNG format and at how an operating system is booted under the Multiboot standard.

PNG files start with an 8-byte signature that must be the first bytes in the file; a list of chunks follows, all with the same structure:

size (4 bytes, big-endian) | id (4 ASCII bytes) | data (size bytes) | checksum (4-byte CRC-32 over id and data)

Here size is the length of the data field, id is a 4-byte ASCII identifier, and the checksum at the end protects the chunk's consistency (it covers the payload, so any change to the data requires recomputing it). There are predefined critical chunk IDs that every PNG must have (IHDR, IDAT and IEND) and optional, ancillary ones. Ancillary chunks are marked by a lowercase first letter in the ID, and a PNG viewer is obliged to ignore ancillary chunks whose IDs it does not know. This mechanism is used for metadata, comments or other information not essential for display. Our operating system lives in such an ancillary chunk called deAL, whose ID sits at file offset 0x25, right after the 8-byte signature and the 25-byte IHDR chunk that must come first; you can take a look at it with a hex editor like Ghex [6].

Within this chunk we place the Multiboot header. The standard only requires the header to lie somewhere within the first 8 KiB of the file, aligned to 32 bits, which leaves plenty of room. In fact, this is the key property that makes it possible to mix the two formats: PNG insists on owning the first 8 bytes and the chunk structure, while Multiboot does not care what the first bytes of the file are as long as its header shows up within the first 8 KiB. In the Multiboot header we give the address of the operating system's entry function and instruct the bootloader to load the whole file into memory. There are actually two more PNGs embedded in the file, one for the glasses and one for the final text. The bootloader loads the image and jumps into the operating-system code; from this point on we could do anything. To show pictures we initialize a simple VESA graphics mode [7] in which we can draw RGB pixels. With the tiny PNG library uPNG [8], decoding the PNGs into RGB values is easy (it, too, ignores the unknown ancillary chunk), and finally a programmed animation moves the glasses across the screen.
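To make both layouts concrete, the PNG chunk list described above and the Multiboot header placed inside one of its chunks, here is an added example in Python. It is not the article's code, not uPNG, and it does not read the real gabor.png: it constructs its own 1x1-pixel PNG with an ancillary chunk (named deAL like the article's, but the name, the load address 0x100000 and the three-byte entry stub are assumptions made for the example), walks the chunks and verifies their CRCs the way a viewer would, and then scans the first 8 KiB at 4-byte aligned offsets for a Multiboot header with a valid checksum the way a bootloader would. It also shows the detail the alignment rule forces on you: the chunk data would start at offset 0x29, so the chunk has to carry three bytes of padding before the header.

```python
"""Added example: walk a PNG's chunks and locate a Multiboot header hidden in an
ancillary chunk. The sample image is constructed below; it is not the article's file."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MULTIBOOT_MAGIC = 0x1BADB002
MULTIBOOT_SEARCH = 8192           # spec: header lies within the first 8 KiB, 4-byte aligned
MULTIBOOT_AOUT_KLUDGE = 1 << 16   # flags bit 16: the address fields below are valid


def png_chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Serialise one chunk: big-endian length, 4-byte type, data, CRC-32 over type+data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def is_ancillary(chunk_type: bytes) -> bool:
    """A lowercase first letter (bit 5 set) marks a chunk a decoder may skip if unknown."""
    return bool(chunk_type[0] & 0x20)


def multiboot_header(header_addr: int, load_addr: int, entry_addr: int) -> bytes:
    """Multiboot 1 header (little-endian). magic + flags + checksum == 0 mod 2^32.
    load_end_addr = 0 makes the loader load the whole file; bss_end_addr = 0 means no bss."""
    flags = MULTIBOOT_AOUT_KLUDGE
    checksum = (-(MULTIBOOT_MAGIC + flags)) & 0xFFFFFFFF
    return struct.pack("<8I", MULTIBOOT_MAGIC, flags, checksum,
                       header_addr, load_addr, 0, 0, entry_addr)


def build_polyglot(chunk_type: bytes = b"deAL", load_addr: int = 0x100000) -> bytes:
    """Constructed sample: a 1x1 red PNG whose second chunk carries a Multiboot header."""
    ihdr = png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))  # 1x1, 8-bit RGB
    # Our chunk's data starts at 8 (signature) + 25 (IHDR) + 8 (length + type) = 41 = 0x29,
    # which is not longword aligned, so pad inside the chunk until the header sits at 44.
    data_offset = len(PNG_SIGNATURE) + len(ihdr) + 8
    pad = (-data_offset) % 4
    header_offset = data_offset + pad
    # header_addr - load_addr == header_offset, so file offset 0 is loaded to load_addr
    # and the bootloader copies the entire file (load_end_addr = 0) into memory.
    header = multiboot_header(load_addr + header_offset, load_addr,
                              load_addr + header_offset + 32)
    entry_stub = b"\xf4\xeb\xfd"  # assumed placeholder entry code: hlt; jmp back to the hlt
    custom = png_chunk(chunk_type, b"\0" * pad + header + entry_stub)
    idat = png_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))  # filter 0 + one RGB pixel
    return PNG_SIGNATURE + ihdr + custom + idat + png_chunk(b"IEND", b"")


def walk_chunks(blob: bytes):
    """Yield (type_offset, type, data, crc_ok) for every chunk up to IEND.
    type_offset is where the 4-byte ID sits in the file (0x25 for the chunk after IHDR)."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(blob):
        (length,) = struct.unpack_from(">I", blob, pos)
        if pos + 12 + length > len(blob):
            raise ValueError(f"truncated chunk at {pos:#x}")
        ctype = blob[pos + 4:pos + 8]
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack_from(">I", blob, pos + 8 + length)
        yield pos + 4, ctype, data, crc == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        pos += 12 + length
        if ctype == b"IEND":
            break


def find_multiboot_header(blob: bytes):
    """Scan like a bootloader: each 4-byte aligned offset in the first 8 KiB for the
    magic value with a valid checksum. Returns (offset, flags) or None."""
    limit = min(len(blob), MULTIBOOT_SEARCH) - 12
    for off in range(0, limit + 1, 4):
        magic, flags, checksum = struct.unpack_from("<3I", blob, off)
        if magic == MULTIBOOT_MAGIC and (magic + flags + checksum) & 0xFFFFFFFF == 0:
            return off, flags
    return None


def multiboot_load_info(blob: bytes, off: int) -> dict:
    """Decode the address fields that follow magic/flags/checksum (valid only with bit 16)."""
    names = ("header_addr", "load_addr", "load_end_addr", "bss_end_addr", "entry_addr")
    info = dict(zip(names, struct.unpack_from("<5I", blob, off + 12)))
    info["file_offset_of_load_addr"] = off - (info["header_addr"] - info["load_addr"])
    info["loads_whole_file"] = info["load_end_addr"] == 0
    return info


if __name__ == "__main__":
    image = build_polyglot()
    for type_off, ctype, data, ok in walk_chunks(image):
        kind = "ancillary" if is_ancillary(ctype) else "critical"
        print(f"{type_off:#06x} {ctype.decode()} {len(data):4d} bytes {kind} crc {'ok' if ok else 'BAD'}")
    found = find_multiboot_header(image)
    if found is None:
        print("no Multiboot header in the first 8 KiB")
    else:
        off, flags = found
        print(f"Multiboot header at {off:#x}, flags {flags:#x}")
        if flags & MULTIBOOT_AOUT_KLUDGE:
            print(multiboot_load_info(image, off))
```

Two things worth noticing when you build your own: the CRC of the carrier chunk covers the operating-system code, so every rebuild of the kernel must rewrite that CRC or strict decoders will flag the chunk; and the bootloader scan is independent of the PNG structure, which is exactly why a header that happens to sit inside a chunk is found at all.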

The deed is done… but what is the use of this? The same as with all gimmicks and polyglots: you gain knowledge, this time about the PNG file format, the Multiboot standard and perhaps a few more tools, and all of it in an entertaining way. I recommend that everyone give it a try, gain experience and come up with some fancy polyglots of their own; Ange Albertini's neat diagrams of file formats may help [9].


[7]: Thanks to Benjamin Oechslein for the VESA initialization code.

Gabor Drescher