Fitting Snake Into A QR Code

QR codes are usually associated with ASCII text like URLs or serial numbers, but did you know you can also encode binary data into them? To demonstrate this concept, [MattKC] embarked on a journey to create a QR code that holds an executable version of Snake. Video after the break.

As you might expect, the version 40 QR code he ended up using is much larger than the ones you normally see. At 177 by 177 modules it is the largest version the QR standard defines, and about the limit of what everyday scanners will decode reliably. At the lowest error-correction level it gave [MattKC] a whopping 2,953 bytes of byte-mode payload to work with. Not a lot of space, but still bigger than some classic video games of the past.

To start, he first wrote Snake to run in a web browser using HTML, CSS, and JavaScript, which fit in the available space without much trouble. Modern browsers do a lot of the lifting with built-in features, and [MattKC] wanted more of a challenge, so he decided to instead create a Windows executable file. His first attempts with compiled C code were too large, which led him down the rabbit hole of x86 assembly. There he found that his knowledge of assembly was too limited to create a small enough program without investing months in the project. He went back to C and compressed his executable using Crinkler, a compressing linker commonly used in the demoscene. That shrank the file down to 1,478 bytes, comfortably under the 2,953-byte limit.

ZBar, an open-source command-line barcode reader, was used to test the final Snake QR code. [MattKC] discovered a bug in zbarcam, its webcam front end, that prevented it from reading binary data from a webcam input, so through the power of open source he submitted a fix which is now integrated into the official release.

All the files are available for anyone to play with on [MattKC]’s website. The video below goes into a lot of detail on the entire journey. Since this project proves software can be embedded in QR codes, it also means malware could be delivered in one. On its own the decoded payload is inert; the real risk is an exploitable bug in a smartphone QR reader app’s decoder, or in whatever that app hands binary data to, or a user who saves and runs whatever comes out.
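The two numbers above and the closing caveat are easy to check in code. The following is an added example, not anything from [MattKC]’s project: the version-40 byte-mode capacities are the ones from the QR specification’s capacity table, the module-count formula is the standard one, and the function names, the `FAKE_PE_PAYLOAD` stand-in (a constructed MZ stub with a PE signature, not a runnable program) are this example’s own. The last function is the kind of triage a reader app should do on decoded bytes before any handler sees them.

```python
import struct

# Byte-mode capacities of a version 40 QR code at each error-correction level,
# from the QR specification's capacity table (bytes of payload).
V40_BYTE_CAPACITY = {"L": 2953, "M": 2331, "Q": 1663, "H": 1273}


def qr_modules(version: int) -> int:
    """Side length in modules: 21 for version 1, growing by 4 per version."""
    if not 1 <= version <= 40:
        raise ValueError("QR versions run from 1 to 40")
    return 17 + 4 * version


def ec_levels_that_fit(payload_len: int) -> list:
    """Version-40 error-correction levels that can hold a byte-mode payload."""
    return [lvl for lvl, cap in V40_BYTE_CAPACITY.items() if payload_len <= cap]


def classify_payload(data: bytes) -> str:
    """Sniff what a scanner has just decoded, before any handler touches it.

    Returns 'url', 'text', 'binary', 'mz-executable' or 'pe-executable'.
    A reader app should only pass 'url' and 'text' to its normal handlers;
    everything else is opaque bytes that must never be saved-and-opened on
    the user's behalf.
    """
    if data.startswith(b"MZ") and len(data) >= 0x40:
        # e_lfanew at offset 0x3C points at the "PE\0\0" signature in a Windows EXE
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe-executable"
        return "mz-executable"            # DOS-era MZ image without a PE header
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    if text.lower().startswith(("http://", "https://")):
        return "url"
    if all(c.isprintable() or c.isspace() for c in text):
        return "text"
    return "binary"


# Constructed stand-in for a decoded executable payload: an MZ stub whose
# e_lfanew field points at a PE signature. It is not a runnable program.
FAKE_PE_PAYLOAD = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0"


if __name__ == "__main__":
    print("version 40 is", qr_modules(40), "modules per side")
    print("a 1,478-byte EXE fits at EC levels", ec_levels_that_fit(1478))
    for sample in (b"https://hackaday.com", FAKE_PE_PAYLOAD, b"\x00\xff\xfe"):
        print(classify_payload(sample))
```

Running it shows why Crinkler mattered: 1,478 bytes fits at levels L, M and Q, while the 2,953-byte ceiling only applies at level L, where the code is least tolerant of a scuffed print.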

QR codes are an interesting tool with a variety of uses. Take a deep dive into how they work, generate a 3D printable version, or build a QR jukebox, if you want to learn more.


Bespoke, Artisanal, Hand Made Executables

Programmers and software engineers will always use the latest development environments, the trendiest frameworks, and languages they learned only 21 days ago. What if this weren’t the case? What if developers put care into their craft and wrote programs with an old world charm? What if Windows executables were made with the same patience as artisanal firewood, or free range granola? [Steve] has done it. He’s forging a path into the wilds of truly hand crafted executables.

The simplest executable a Windows box will run (at least a 32-bit one, which still carries the DOS emulation layer) is a DOS .COM file. It is barely a format at all: the file is raw code and data, copied to offset 0100h of a single 64 KiB segment, with execution starting at its first byte. The DOS .EXE format is only slightly more complicated, putting an MZ header and an optional relocation table in front of the code. [Steve]’s goal was to go further and build a proper Windows executable without a compiler, assembler, linker, or anything else.
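To make the two DOS formats concrete, here is an added example of hand-assembling them with nothing but a byte-packing script. It is not [Steve]’s method or his files, and it stops at the .COM and MZ .EXE formats the paragraph describes rather than the full Windows PE he built; the instruction bytes are ordinary 8086 encodings and the header field meanings are from the MZ format, while the function names and the 32-byte header size are this example’s own choices. The parser at the end reads the header back the way the DOS loader would, which is how you check a hand-built file without a DOS box handy.

```python
import struct


def build_com(message: str) -> bytes:
    """Hand-assemble a DOS .COM file that prints `message` and exits.

    A .COM file has no header at all: DOS copies it to offset 0100h of a
    64 KiB segment with CS=DS=ES=SS and jumps to its first byte, so every
    address is simply 0100h plus the file offset.
    """
    msg = message.encode("ascii") + b"$"        # int 21h/AH=09h prints up to '$'
    code_len = 2 + 3 + 2 + 1                    # sizes of the four instructions below
    msg_addr = 0x100 + code_len
    code = (
        b"\xB4\x09"                              # mov ah, 09h   ; DOS "print string"
        + b"\xBA" + struct.pack("<H", msg_addr)  # mov dx, msg   ; DS:DX -> string
        + b"\xCD\x21"                            # int 21h
        + b"\xC3"                                # ret           ; to PSP:0000 = int 20h (exit)
    )
    return code + msg


MZ_FIELDS = ("e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
             "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs",
             "e_lfarlc", "e_ovno")
MZ_FMT = "<2s13H"                                # the fixed 28-byte MZ header


def build_mz_exe(message: str) -> bytes:
    """Hand-build a DOS MZ .EXE: fixed header, padded to a paragraph, then code.

    Unlike a .COM, the loader picks the segment and points DS/ES at the PSP,
    so the code first copies CS into DS before addressing its own data.
    """
    msg = message.encode("ascii") + b"$"
    code_len = 1 + 1 + 2 + 3 + 2 + 3 + 2         # = 14, so msg sits at CS:000Eh
    code = (
        b"\x0E"                                  # push cs
        + b"\x1F"                                # pop ds        ; DS = CS
        + b"\xB4\x09"                            # mov ah, 09h
        + b"\xBA" + struct.pack("<H", code_len)  # mov dx, msg
        + b"\xCD\x21"                            # int 21h
        + b"\xB8\x00\x4C"                        # mov ax, 4C00h ; terminate, code 0
        + b"\xCD\x21"                            # int 21h
    )
    image = code + msg
    header_paras = 2                             # 32-byte header = 2 paragraphs
    total = header_paras * 16 + len(image)
    pages, last = divmod(total, 512)
    if last:
        pages += 1                               # e_cp counts a partial last page
    header = struct.pack(
        MZ_FMT,
        b"MZ",          # e_magic
        last,           # e_cblp: bytes used in the last 512-byte page (0 = full)
        pages,          # e_cp: number of 512-byte pages in the file
        0,              # e_crlc: no relocations, the code never names a segment
        header_paras,   # e_cparhdr: header size in 16-byte paragraphs
        0x100,          # e_minalloc: 4 KiB of extra paragraphs for the stack
        0xFFFF,         # e_maxalloc: the conventional "as much as available"
        0,              # e_ss: stack segment, relative to the load segment
        0x1000,         # e_sp: initial SP, well above the tiny code/data image
        0,              # e_csum: checksum, ignored by DOS
        0,              # e_ip: entry offset
        0,              # e_cs: entry segment, relative to the load segment
        28,             # e_lfarlc: where the (empty) relocation table would start
        0,              # e_ovno: overlay number, 0 = main program
    )
    header += b"\0" * (header_paras * 16 - len(header))   # pad to 32 bytes
    return header + image


def parse_mz_header(data: bytes) -> dict:
    """Read the fixed MZ header back and derive the sizes the loader would use."""
    hdr = dict(zip(MZ_FIELDS, struct.unpack_from(MZ_FMT, data)))
    if hdr["e_magic"] != b"MZ":
        raise ValueError("not an MZ executable")
    full_pages = hdr["e_cp"] - (1 if hdr["e_cblp"] else 0)
    hdr["file_size"] = full_pages * 512 + hdr["e_cblp"]
    hdr["code_offset"] = hdr["e_cparhdr"] * 16
    return hdr


if __name__ == "__main__":
    with open("hello.com", "wb") as f:
        f.write(build_com("Hello from a hand-made .COM"))
    with open("hello.exe", "wb") as f:
        f.write(build_mz_exe("Hello from a hand-made .EXE"))
    print(parse_mz_header(build_mz_exe("Hello")))
```

Both outputs run under DOSBox or a 32-bit Windows command prompt; the point is that every byte was chosen by hand, and the parser confirms the header describes exactly the file that was written.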


Decoding ZeuS Malware Disguised As A .DOC

[Ronnie] recently posted about his adventures in decoding malware. One of his users reported a phishy email, which did indeed turn out to contain a nasty attachment. The process that [Ronnie] followed in order to figure out what this malware was trying to do is quite fascinating and worth the full read.

[Ronnie] started out by downloading the .doc attachment in a virtual machine. This would isolate any potential damage to a junk system that could be restored easily. When he tried to open the .doc file, he was presented with an error stating that he did not have either enough memory or disk space to proceed. With 45GB of free space and 2GB of RAM, this should not have been an issue. Something was definitely wrong.

The next step was to open the .doc file in Notepad++ for analysis. [Ronnie] quickly noticed that the file was actually an RTF disguised as a .doc; Word sniffs the content rather than trusting the extension, so the trick costs the attacker nothing. [Ronnie] scanned through the large chunks of hex-encoded data in an attempt to guess what the malware was trying to do. He noticed that one chunk ended with the bytes FF D9, which he recognized as an image trailer. (Strictly, FF D9 is the JPEG end-of-image marker; a GIF ends with a single 3B byte. Image viewers sniff the real format regardless of extension, so a file saved with the wrong one will usually still open.)

[Ronnie] copied this data into a new document and removed all the carriage-return and newline characters. He then converted the hex text to raw bytes, revealing more signs that this was actually image data. He saved the result as a .gif and opened it up for viewing: a 79KB image of a 3D rendered house. He also found another chunk of data that was the same picture, but 3MB in size. Strange to say the least.

After finding a few other weird bits of data, [Ronnie] finally started to see more interesting sections. First he noticed some strings with mixed-up capital and lowercase letters, a tactic sometimes used to dodge antivirus signatures. A bit lower he found a section of data that was about the size of typical shellcode. He decoded this data and found what he was looking for: the shellcode contained a readable URL, pointing to a malicious .exe file that happened to still be available online.
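The manual steps above (find the hex runs after `\objdata`, strip the line breaks, decode to bytes, look at the magic numbers, then hunt for a URL) are exactly what a small carving script does. The following is an added example, not [Ronnie]’s own tooling: the `SAMPLE_RTF` is constructed here to stand in for the attachment, with a JPEG-shaped blob and a “shellcode” blob that is just NOP padding around a plain-text URL on a reserved, non-resolving example domain; the function names are this example’s own. The URL match is case-insensitive so the mixed-case trick mentioned above does not hide it.

```python
import binascii
import re

# --- constructed sample, standing in for the poisoned attachment ---------------
# A minimal JPEG-shaped blob (SOI ... EOI) and a "shellcode" blob that is only
# NOP padding around a readable URL. Neither is real malware.
JPEG_BLOB = bytes.fromhex("FFD8FFE000104A464946") + b"\0" * 8 + bytes.fromhex("FFD9")
SHELLCODE_BLOB = b"\x90" * 6 + b"hTTp://example.invalid/update.exe" + b"\0" * 4


def _as_rtf_hex(blob: bytes, width: int = 32) -> bytes:
    """Hex-encode a blob and wrap it in CRLF lines, the way Word writes \\objdata."""
    h = binascii.hexlify(blob)
    return b"\r\n".join(h[i:i + width] for i in range(0, len(h), width))


SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0 Some decoy text so the file looks like a document.\r\n"
    + b"{\\object\\objemb{\\*\\objdata\r\n" + _as_rtf_hex(JPEG_BLOB) + b"\r\n}}\r\n"
    + b"{\\object\\objemb{\\*\\objdata\r\n" + _as_rtf_hex(SHELLCODE_BLOB) + b"\r\n}}\r\n"
    + b"}"
)

# \objdata is followed by the hex dump of an embedded object. Word wraps the
# hex at a fixed width, so whitespace has to be tolerated inside the run.
OBJDATA_HEX = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def carve_hex_blobs(rtf: bytes) -> list:
    """Pull every hex-encoded \\objdata run out of an RTF and decode it to bytes."""
    blobs = []
    for m in OBJDATA_HEX.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:                 # tolerate a truncated trailing nibble
            hexdata = hexdata[:-1]
        if hexdata:
            blobs.append(binascii.unhexlify(hexdata))
    return blobs


def identify(blob: bytes) -> str:
    """Cheap magic-number triage of a carved blob."""
    if blob[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"                          # a real GIF ends with a single 3B byte
    if blob[:2] == b"\xFF\xD8" and blob.rstrip(b"\0")[-2:] == b"\xFF\xD9":
        return "jpeg"                         # FF D9 is the JPEG end-of-image marker
    if blob[:2] == b"MZ":
        return "mz-executable"
    return "unknown"


# Case-insensitive so hTTp:// style casing does not dodge the match.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+", re.IGNORECASE)


def extract_urls(blob: bytes) -> list:
    """Readable URLs inside a blob, e.g. the download stage of a shellcode."""
    return [u.decode("ascii") for u in URL_RE.findall(blob)]


def triage(rtf: bytes) -> list:
    """One (kind, size, urls) entry per embedded object in the RTF."""
    return [(identify(b), len(b), extract_urls(b)) for b in carve_hex_blobs(rtf)]


if __name__ == "__main__":
    for kind, size, urls in triage(SAMPLE_RTF):
        print(f"{kind:14s} {size:6d} bytes  {urls}")
```

On a real sample the “unknown” blob of roughly shellcode size is the one to look at next, and the URL it yields should go straight into a blocklist rather than a browser.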

Of course [Ronnie] downloaded the .exe and monitored it to see how it behaved. He found that it set a Run key in the registry so it would start again at every login, installed itself to the user’s AppData folder, and repeatedly reached out to an IP address known to be affiliated with ZeuS. It was a lot of obfuscation, but still no match for an experienced malware detective.