Wikipedia:Reference desk/Archives/Computing/2010 December 23

= December 23 =

file headers(?) / embedding a file into an image
Hi All,

I happen to recall back when IRC was still very popular (~late 90's I think?) there was a virus which spread an image (gif/jpg) which when viewed only had the words 'rename this to .com', and when you do so it would in fact be a valid .com executable. I'd like to read up on an article which discusses the technique involved, I am intrigued how the headers(?) and overall file composition would be valid as both file types.

On a related note, there was also a way to embed other files into an image, which involved using the dos/cmd prompt 'echo -B <..>' (forgot the actual part, but it was like a binary echo thingy).

It was quite a bit too advanced for me at the time, but now I wanna look into it :D

Thanks in advance PrinzPH (talk) 00:35, 23 December 2010 (UTC)


 * The technique is probably something similar to polyglot. 118.96.165.178 (talk) 00:48, 23 December 2010 (UTC)


 * Here's a partial solution to your "related note" question - if you concatenate a ZIP archive onto the end of a JPG file, the result will be a valid image and a valid ZIP, depending on what program you use to open it. On Unix the syntax is cat foo.jpg bar.zip > output.jpg ; off the top of my head the same in DOS/cmd.exe is copy /b foo.jpg+bar.zip output.jpg. Most programs that read a given file rely on file magic to confirm that a file is of the approved type, which they mostly take from the opening; the JPG/ZIP thing works because unzippers are a bit more flexible about finding the ZIP header. -- Finlay McWalter ☻ Talk 00:49, 23 December 2010 (UTC)
 * The ZIP header is at the end of the file. However, ZIP files have lots of internal pointers that are stored as byte offsets from the beginning of the file, so I don't see how this trick could lead to a viable ZIP file. You would need special steganographic-ZIP software (which probably does exist). Even then, it wouldn't be a valid ZIP file, though many decompressors might accept it. -- BenRG (talk) 08:38, 23 December 2010 (UTC)
 * Never mind. I forgot about self-extracting ZIP files, which are executables with ZIP files tacked onto the end. Software that can handle those will probably also handle JPEG files with ZIP files tacked onto the end. -- BenRG (talk) 18:53, 23 December 2010 (UTC)


 * A .com file is simply a dump of memory, so it won't hurt anything to stick any extra information you like at the end (the program won't be looking there anyway, since it believes it's uninitialised). It has no header.  A JPEG also has no header; it's a series of segments in a particular form.  The segments have a particular (simple) structure.  So it looks pretty feasible to create a file which goes:


 * 1) a block which looks to a JPEG decoder like the start of a block, but if interpreted as X86 machine code is ignored (or starts with an instruction to skip over the rest of it)
 * 2) a block of X86 machine code which is accepted by the JPEG decoder as part of an unknown block (but is executed when the file is considered as a .com)
 * 3) anything else you like, which in practice will be the image data segments from the JPEG.


 * I'd like to see this file if you can find it. Marnanel (talk) 00:59, 23 December 2010 (UTC)


 * As to the .com file thing - COM files are loaded by DOS' own loader, which is very inflexible about how it does so. GIF and JPEG files have characteristic fields in their file headers that distinguish them, and unlike ZIP the readers for them don't (in my limited experience) tolerate some random unknown data prepending the image header. Unless the malware was targeting some reader that did tolerate a nonsense prefix, I guess the secret was for the malware author to find an x86 instruction sequence that satisfied the GIF header validator (which would be very basic, probably just checking the six byte characteristic) and that was also an executable sequence - that is, that it executed through the GIF file header without downright crashing the machine or jumping off into some unwanted space - it doesn't have to actually do anything, as long as execution can run through to a point in the header that the malware author can add working code without it failing the GIF file checker. I don't know the specifics, but I guess if you find a book on real-mode Intel machine code and figure out what the bytes GIF87a actually do (when treated as 16 bit 8086 real mode machine code loaded at 0x100), you'll be somewhere along to figuring out what the malware author actually did. I think I've seen one of these executable-images before, and it was evident that there was something weird about it - the colours were all mangled, suggesting that there was executable code stored in a location where the GIF reader expected colour or pixel data to be. Note that .COMs don't execute (natively) on later Windows OSes; I haven't thought about how easily the MZ (win32) and PE (winNT) file formats can be gamed - they're a lot more complex than .COM's format-less braindump, so this attack is probably a lot harder to pull off on a modern Windows install. -- Finlay McWalter ☻ Talk 01:07, 23 December 2010 (UTC)


 * A slight correction to the above: MZ is DOS (whereas .COM was CP/M and early DOS but didn't die when it should have), NE is windows, and PE is NT3 onwards.   -- Finlay McWalter ☻ Talk 01:37, 23 December 2010 (UTC)


 * In a slightly related vein, I can't help but be weirded-out when I compile a C# program with Mono on Linux to get a .EXE file, only it's none of the above executable-loadable binary formats, but a .NET assembly. The same platform will load "genuine" executables like PEs with the Wine binary loader but will run the .NET assemblies with the Mono runtime.-- Finlay McWalter ☻ Talk 01:37, 23 December 2010 (UTC)


 * It's pretty easy to make a GIF/COM hybrid. "GIF87a" translates into INC DI; DEC CX; INC SI; CMP [BX],DH; POPA, and these are basically no-ops when executed before anything else. This is immediately followed by two 2-byte fields giving the screen/image width and height. If you don't care much about the exact image size, you could encode a control-transfer instruction of your choice in there. Then you put the rest of the x86 code in an application-specific header block or an unused part of the color palette.


 * Making a GIF/EXE hybrid is impossible because GIFs must start with "GIF" while EXEs must start with "MZ" or "ZM". Most other formats also put strong restrictions on the first few bytes. ZIP files must start with "PK" [oops, see above], but many implementations only look at the end-of-central-directory header at the end of the file. The original JPEG standard actually didn't define a file format, but software that reads so-called "JPEG" files usually expects a JFIF or EXIF header at the beginning and will reject anything else.


 * Windows portable executable files don't start with "PE"; they start with an MS-DOS EXE stub (starting with "MZ") that can be a complete MS-DOS program (allowing for hybrid executables). Usually it just prints "this program requires Microsoft Windows", or words to that effect, and then exits. Likewise, .NET executables start with a PE header (which starts with an MS-DOS header, which starts with "MZ"), allowing for three-way MS-DOS/Win32/.NET hybrids.


 * The EICAR test file is an "ASCII/COM" hybrid. -- BenRG (talk) 08:38, 23 December 2010 (UTC)
 * And so is this:



 * -- 78.43.71.155 (talk) 16:06, 27 December 2010 (UTC)
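The JPG-plus-ZIP concatenation discussed earlier in this thread, and the byte-offset question raised about it, can be checked from the defender's side: the following is an added example, not part of the original discussion, that locates a ZIP archive from its trailer and reports how many bytes sit in front of it. The function names and the sample bytes are constructed for illustration, and ZIP64 archives are not handled.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"    # end-of-central-directory record (ZIP trailer)
LOCAL_SIG = b"PK\x03\x04"   # local file header (start of a non-empty ZIP)
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpeg", b"GIF87a": "gif", b"GIF89a": "gif"}


def leading_type(data):
    """Image type claimed by the opening bytes, or None."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def find_zip(data):
    """Find a ZIP archive from its trailer; return its start offset or None."""
    # The trailer is 22 bytes plus an optional comment of up to 65535 bytes.
    pos = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 65535))
    if pos < 0 or pos + 22 > len(data):
        return None
    entries, cd_size, cd_offset = struct.unpack_from("<HII", data, pos + 10)
    # cd_offset counts from the start of the archive, so whatever is left
    # over is the number of bytes sitting in front of the archive.
    start = pos - cd_size - cd_offset
    if start < 0:
        return None
    if entries and data[start:start + 4] != LOCAL_SIG:
        return None
    return start


def examine(data):
    """Report what the header claims and whether a ZIP is tacked on."""
    kind, start = leading_type(data), find_zip(data)
    return {
        "header_type": kind,
        "zip_offset": start,
        "polyglot": kind is not None and start is not None,
    }


def build_samples():
    """Constructed inputs: a JPEG-like stub and a one-file ZIP."""
    image = b"\xff\xd8\xff\xe0" + b"\x00" * 60 + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "hello")
    return image, buf.getvalue()


if __name__ == "__main__":
    image, archive = build_samples()
    combined = image + archive          # same bytes as: cat foo.jpg bar.zip
    print(examine(image))
    print(examine(archive))
    print(examine(combined))
    # Python's own zipfile module applies the same offset correction:
    print(zipfile.ZipFile(io.BytesIO(combined)).namelist())
```

A non-zero `zip_offset` on a file whose header says "image" is the signal worth flagging in an upload filter or mail gateway.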

Laptop Graphics vs Cost
Hello there. I'm a 20 year old Indian student, and I'm planning to buy a laptop for me to use in my hostel. I won't be doing much besides surfing the net, listening to music, and watching movies every now and then, so my budget's pretty small (not more than 34000 Indian rupees, approx 753 US Dollars). I've been going around looking at laptops in different shops, and my preferences are Dell, HP, and Lenovo. Specifications: 2 or 3 gb RAM (2 would be just fine, though 3 would be better), i3-370 processor, a decent graphics card that can handle high-definition movies, 320 or 500 gb hard disk (whichever, doesn't really matter because I don't mind compromising a bit on disk space). Now, on my trips to different outlets, I've tested the graphics quality of each model by playing a high-definition version of Howl's Moving Castle that I have. It's a nice matroska (.mkv) file, and when I play it in my PC, the outlines of each object in each frame are perfectly smooth. However, most of the laptops that fall within my budget+specs cannot offer a perfect rendition of the file. Most of the time, the lines would be broken and jerky. It's like the difference between raster and vector graphics. While the original file has perfect clarity, the movie looks pixellated when I play it on these laptops. I was wondering whether this was because they have poor graphic cards, or because of something else. So, my questions are:
 * Why does the movie look pixellated, and why is there a loss of quality when I play this file on these laptops?
 * Are there any cheap laptops within the price range mentioned that can play HD movies without letting me down?
 * In case it's because of the graphics card, is it a good idea to buy a cheap lap and then replace the graphics card with a superior one?
Thanks in advance 117.194.236.225 (talk) 05:10, 23 December 2010 (UTC)


 * The problem might be as simple as not using the same screen size as the recorded image. Is it 1080p ?  If so, you need the display set to 1920×1080, and the image must use the full screen (no frame around it).  If you use any resolution other than the native resolution in the file, you can expect some reduction in quality.  Exactly how much reduction depends on the actual display resolution and the down-converter (or up-converter) software used to make the image fit.  StuRat (talk) 06:40, 23 December 2010 (UTC)


 * If you wait for the right deals you can get an i5 laptop with 4gb of ram and a dedicated graphics card, for less than $700 (US) in the U.S. If you don't care about the graphics card then you can go even cheaper. Shadowjams (talk) 10:28, 23 December 2010 (UTC)


 * I'm almost sure that the movie pixelation you saw is caused by either misconfigured software or a slow CPU (not GPU). Probably it's the software. If you don't play modern video games or use other high-end 3D software, you should notice no difference between an expensive ATI/Nvidia GPU and a cheap Intel GPU (except that the Intel GPU will give you longer battery life). You would have no trouble getting a better laptop than you need for $750 in the US; I don't know how the buying power of 34,000 rupees compares. Note that it's usually impossible to upgrade a laptop GPU or CPU. It might make sense to buy a better GPU than you need right now, if you think you might want it in the future. -- BenRG (talk) 18:42, 23 December 2010 (UTC)
 * It could be the screen, 75% of the laptops in that price range have cheap 1366*768 resolution screens. --Gr8xoz (talk) 19:51, 23 December 2010 (UTC)
 * But that shouldn't cause obvious jagginess in the video, because modern GPUs (including the cheap Intel GPUs) can easily scale the video to any screen resolution without jaggies. Jaggies could be caused by software that's not using the GPU's hardware scaling support. That could happen for a variety of reasons, but lack of GPU capability isn't one of them (in this day and age). -- BenRG (talk) 21:21, 23 December 2010 (UTC)

What are these: ಠ_ಠ
I found this "ಠ_ಠ" on Reddit, mentioned above. What are the two round things? Thanks 92.24.186.101 (talk) 11:11, 23 December 2010 (UTC)


 * Symbols from the Kannada script roughly voiced as "ṭha", and used as a contemporary internet meme meaning disapproval. --Tagishsimon (talk) 11:16, 23 December 2010 (UTC)

Are BSD & MIT licenses copyleft?
There's something that I don't understand about the MIT License and the BSD licenses. They both contain conditions like "The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software." or "Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer." In other words, does that mean that you have to re-use the same license, making it copyleft? Or does it just mean that you have to retain the "Copyright (c) " notices? —  Waterfox ~talk~ 20:01, 23 December 2010 (UTC)


 * These two licenses don't contain any provision demanding that derivative works based on such licensed software must be distributed under an identical license, which is the key to copyleft. The copyleft article goes out of its way to specifically mention that BSD isn't a copyleft type of license.  Comet Tuttle (talk) 20:22, 23 December 2010 (UTC)
 * See the 2nd quoted condition, from the BSD license. Isn't that a specific demand that redistributions retain the same license? I'm confused. —  Waterfox ~talk~ 22:59, 23 December 2010 (UTC)
 * The same license, but that license places few requirements. In particular there is no requirement to release the source code of even the original code let alone the modified code (which is a requirement for copyleft as our article states). Note also there's nothing to stop anyone putting additional licensing requirements of their own although it's a moot point when the code hasn't changed (since you can just go to the original source), but once it has changed that's no longer the case. (I.E. The BSD license isn't viral.) Plenty of software does of course include some parts of BSD licensed code and you find the license somewhere if you look hard enough. E.g. Windows. Nil Einne (talk) 06:54, 24 December 2010 (UTC)
 * But can you add more restrictions? They both demand that you include the corresponding license's copyright and permission notices. If you distributed a non-decompilable binary with [modified] code which was originally licensed under the BSD license (and is directly in the binary, together with proprietary code), and you put the whole package under full copyright (all rights reserved), do you still have to say something like "This includes code licensed under the BSD license.", and include the whole thing, even though nobody will know what part of the code is BSD-licensed, and they can't extract it anyway? Because, if you added restrictions, you would effectively be erasing a part of the permission notice, which is not allowed. What's confusing is that the jQuery (MIT-licensed) license page says that you only need to retain the header, which I presume is the "Copyright (c) 2010 John Resig, http://jquery.com/". —  Waterfox ~talk~ 14:29, 24 December 2010 (UTC)
 * This is not exactly my area of expertise, but I don't see why adding restrictions would conflict with the original licence. The original licence simply says you have to include the notice etc, it doesn't say anything about not being able to include additional restrictions. This link for example discusses including BSD code with GPL.
 * About the binary thing, the licence says "Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution", so most providers of proprietary software do include the entire notice somewhere AFAIK. I'm not sure how this works as the code is changed and considering the difficulty of working out whether any of the code can be said to originate from the solely BSD licensed code (with the MIT licence usually specifies substantial portion). Unlike with GPL, I think it's usually considered a moot point since dumping it somewhere in the documentation or materials is basically free.
 * The other thing is although some developers using such licenses sometimes express displeasure, particularly when their code is licensed under GPL so they can't use it anymore, their intention usually is that anyone can use the code without any real restrictions so they don't tend to test what theoretical violations may occur. As for the Jquery thing my guess is by license header they mean:


 * Which is part of the header of Jquery. This includes links to the licence pages which I guess is thought of as a way of reproducing the permission notice. Theoretically if the page dies in the future, perhaps you could have problems but you could probably also argue what the page said was permission to use that method even if it wasn't explicitly specified in the licence, and the death of the page doesn't affect that.
 * Nil Einne (talk) 10:50, 25 December 2010 (UTC)

Hard Drive
SMART on one of my hard drives has reported an "Ultra DMA CRC Error Count" warning. I googled and it's something to do with a faulty cable causing a "flipped bit". What exactly does that mean for someone who doesn't understand really technical computer jargon? Is the drive about to fail? 82.44.55.25 (talk) 20:54, 23 December 2010 (UTC)


 * A flipped bit is a bit that was sent into one end of the cable as a 0 and came out the other end as a 1, or vice versa. In order to detect this, a checksum is also sent, specifically a type of checksum called CRC. If the checksum doesn't match the data, the recipient requests that the same data be sent again. If this happens a lot, it probably means that the cable (between the drive and the rest of the computer) is failing, but it might also be a connection inside the drive or the rest of the computer. It's not the disk itself that's failing (that would also be a CRC error, but not "Ultra DMA"). The data on the drive is almost certainly fine, but if the problem is in the drive and it gets worse, you might have a hard time getting that data out without paying a lot of money to a data-recovery company. So back up anything you don't want to lose. -- BenRG (talk) 21:15, 23 December 2010 (UTC)


 * I would think that data written since this problem began would have higher than normal error rate since CRC is not guaranteed to detect 100% of the errors.
 * Also be aware that data you read before this problem is solved could have errors in it.
 * I would backup everything important, check the sata or pata cable (disconnect and reconnect in both ends) and then check that the backup is identical to the data on the disk.--Gr8xoz (talk) 00:41, 24 December 2010 (UTC)
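The resend-on-mismatch behaviour and the caveat that a CRC cannot catch every error, both described in the replies above, are shown in the following added example, which is not part of the original thread. The generator polynomial 0x1021, the initial value and all function names are assumptions chosen for illustration; the thread does not say which CRC parameters the drive interface uses.

```python
POLY = 0x1021  # assumed generator x^16 + x^12 + x^5 + 1 (not stated in the thread)


def crc16(data, init=0xFFFF):
    """Bitwise CRC-16, most significant bit first, no final XOR."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ POLY) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def flip_bit(data, bit_index):
    """Model a single flipped bit on the cable."""
    out = bytearray(data)
    out[bit_index // 8] ^= 0x80 >> (bit_index % 8)
    return bytes(out)


def generator_error(data, byte_index):
    """XOR the 17-bit generator pattern 0x11021 into three adjacent bytes.

    An error pattern that is a multiple of the generator polynomial leaves
    the remainder, and therefore the CRC, unchanged.
    """
    out = bytearray(data)
    for i, mask in enumerate((0x01, 0x10, 0x21)):
        out[byte_index + i] ^= mask
    return bytes(out)


def transfer(block, faults):
    """Send a block, resending until the receiver's CRC matches.

    faults maps an attempt number to a function that damages the bytes in
    transit. Returns (bytes accepted by the receiver, CRC errors counted).
    """
    sent_crc = crc16(block)
    crc_errors = 0
    attempt = 0
    while True:
        wire = faults.get(attempt, lambda b: b)(block)
        if crc16(wire) == sent_crc:
            return wire, crc_errors
        crc_errors += 1      # what an error counter would record
        attempt += 1


if __name__ == "__main__":
    block = bytes(range(64))  # constructed sample data
    # Two noisy attempts, then a clean one: data arrives intact, counter = 2.
    print(transfer(block, {0: lambda b: flip_bit(b, 100),
                           1: lambda b: flip_bit(b, 7)}))
    # A multi-bit error matching the generator slips through uncounted.
    got, errors = transfer(block, {0: lambda b: generator_error(b, 10)})
    print(got == block, errors)
```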

Automated queries
When I tried to google something, it gave me a message that automated queries had been detected. I ran a couple of anti-virus/malware programs (F-Secure and a free one from PC Tools) and got a clean bill of health. However, I have been noticing that my PC every once in a while bogs down. Should I be worried? Clarityfiend (talk) 21:55, 23 December 2010 (UTC)
 * Are you on a shared ip? Lots of people sharing the same ip might be detected by google as unusually high traffic 82.44.55.25 (talk) 22:05, 23 December 2010 (UTC)
 * I don't think so. How do I tell? I was home when I got the message. Clarityfiend (talk) 23:01, 23 December 2010 (UTC)
 * The only people sharing your (public) IP address at any given moment would be the people attached to your router. The culprit might be another user (authorized or unauthorized) of your Internet connection, but that seems unlikely to me. It could be malware running on your computer (or theirs), but that seems even less likely. If your ISP assigns you a dynamic IP address, it could be that another customer of your ISP ticked Google off, then disconnected (possibly so they could do the same thing again with a different IP address), and you happened to get their old address before Google's block timed out. I think that's the most likely. In that case disconnecting and reconnecting (like they did) would solve your problem, at the expense of some other hapless customer. -- BenRG (talk) 00:08, 24 December 2010 (UTC)
 * Thanks. It's only happened once (so far), so hopefully I'm okay. Clarityfiend (talk) 03:44, 24 December 2010 (UTC)
 * Nobody has yet brought up the unspeakable possibility: perhaps Google is incorrect! They may have misidentified one or more of your recent searches as a "spam-like" query, based on some invalid heuristic algorithm; or a Google programmers' error (!!!) might have mis-categorized your IP address through no fault of your own; or so on.  Google usually fixes such errors quickly.  Nimur (talk) 17:01, 25 December 2010 (UTC)