Is it normal to find assembler code in png files?

1
xchg    [ebp-0xA], esp
mov eax, [0x57C49B84]
mov ch, 0xB9
xchg    [eax-0x13], dl
push    ebp
jle 0x00000035
mov esp, 0xA6BC800F
pop ebx
inc esi
fcmovb  st(0), st(5)
pop 

Image of Eigenfaces.png open in wxHexeditor:

Some of the disassembled hex code:

opencv
hex
asked on Stack Overflow Sep 5, 2018 by NoVThanks • edited Sep 6, 2018 by Djib2011

1 Answer

2

I think the comments above pretty much give the answer, but let's consolidate.

To answer the actual question, it is not normal for a PNG file to contain executable code that someone put there intentionally.

But any sequence of bytes (like a PNG file) could be interpreted or viewed in many different ways: for example as a sound, as an image, as human-readable text, or even as executable code. In just about all cases, it does not make sense to interpret the bytes as something other than what they were created to be. You could play the PNG data as a waveform, but it would sound awful. You can read the PNG data as text (which you're actually doing with your hex editor), but it does not contain any readable words. Similarly you can treat the PNG data as executable code (which your hex editor is also doing in the Disassembleranzeige pane), but again, the code is meaningless and wouldn't do anything useful except crash the program that was trying to execute it.

But when you read the PNG data with a PNG viewer, you see a picture. Because that is how the human or device who created the PNG file intended for it to be used.

As Dan said, there is a very small chance that a PNG file might contain executable code that someone put there intentionally. That someone may have known about a specific PNG viewing program that had a bug, which caused the program to try to execute part of the PNG data. That someone could then create a PNG file which, when opened with that program, would infect someone else's computer with a virus or trojan. But any other correctly-functioning program would not execute the code.

answered on Stack Overflow Sep 6, 2018 by Chungzuwalla
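As an added example (not part of the original question or answer): a short Python parser that reads a PNG the way a viewer does, walking the chunk list, verifying each CRC-32 and inflating the IDAT data into pixel rows. Most of what a disassembler pane renders as instructions is that zlib-compressed IDAT stream. The sample image is constructed in the code and the function names are illustrative.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: 4-byte length, 4-byte type, data, CRC-32 of type+data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))

def build_sample_png() -> bytes:
    """Constructed sample: a 4x4 8-bit grayscale image (not the file from the question)."""
    rows = b"".join(b"\x00" + bytes(16 * (x + y) for x in range(4)) for y in range(4))
    ihdr = struct.pack(">IIBBBBB", 4, 4, 8, 0, 0, 0, 0)  # width, height, depth, gray
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(rows)) + make_chunk(b"IEND", b""))

def parse_png(blob: bytes) -> dict:
    """Interpret the bytes as PNG: list chunks, check CRCs, inflate the pixel data."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos, chunks, idat, seen_iend = len(PNG_SIGNATURE), [], b"", False
    while pos < len(blob) and not seen_iend:
        if pos + 12 > len(blob):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(blob):
            raise ValueError("chunk length runs past end of file")
        data = blob[pos + 8:end]
        if struct.unpack(">I", blob[end:end + 4])[0] != zlib.crc32(ctype + data):
            raise ValueError("CRC mismatch in chunk " + repr(ctype))
        chunks.append((ctype.decode("latin-1"), length))
        if ctype == b"IDAT":
            idat += data  # IDAT chunks concatenate into one zlib stream
        seen_iend = ctype == b"IEND"
        pos = end + 4
    if not seen_iend:
        raise ValueError("missing IEND chunk")
    # trailing_bytes counts anything after IEND, which a viewer never reads as image data
    return {"chunks": chunks, "pixel_bytes": zlib.decompress(idat),
            "trailing_bytes": len(blob) - pos}
```

Running `parse_png` on a real file (read with `open(path, "rb").read()`) lists its chunks; the same bytes that looked like `xchg` and `mov` in the hex editor decompress to filter bytes and pixel values.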

User contributions licensed under CC BY-SA 3.0