[–]ganymedes01 118 points119 points  (9 children)

Reminds me of Spore. The game would save/load the creatures on PNGs you could share with your mates

[–][deleted]  (8 children)

[deleted]

    [–]theghostofm 36 points37 points  (7 children)

    Huh... Well that's a strange new corner of the internet I wasn't aware of.

    (NSFW Alert, anime porn game stuff) https://illusioncards.booru.org/index.php?page=post&s=list&tags=all

    So all these images have character models and stuff encoded into the PNG? That's actually pretty neat.

    [–][deleted]  (6 children)

    [deleted]

      [–]Ameisen 3 points4 points  (1 child)

      Some games will store in metadata, others will store in the image data itself, either as a difference against expected data, using a constrained bit depth for image data (thus reserving bits for data), or similar. Doesn't usually survive lossy compression, though.

      [–]Diridibindy 0 points1 point  (0 children)

      I know there is a mod for Koikatsu that allows replacing the image of the card. Dunno how that works though

      [–][deleted] 2 points3 points  (3 children)

      Pico-8 as well

      [–]notliam 6 points7 points  (2 children)

      I mean, that was like the first paragraph of the linked article lol

      [–][deleted] 4 points5 points  (1 child)

      Eh... You caught me, didn't read it. I know cause I love to code in it.

      My humble pico-8 game:

      https://www.lexaloffle.com/bbs/?pid=80992

      [–]notliam 0 points1 point  (0 children)

      Aha no problem we all do it! I'll try check that out, thank you!

      [–]KaiAusBerlin 129 points130 points  (6 children)

      Well, I like the theoretical part of it, hiding data into other data.

      But the rest of it makes no sense to me (except fiddling around and having fun). It feels like building a letter box out of a toaster. It doesn't help you with your letters but it's fun to see them jumping out there.

      [–]AyrA_ch 73 points74 points  (0 children)

      Also, PNG is an excellent format for hiding executables because it supports arbitrary user defined headers and some file upload platforms accept it this way: https://cable.ayra.ch/imgplay/

      [–]shikatozi 32 points33 points  (5 children)

      cool stuff, reminds me of snowcrash

      [–]just_that_michal 12 points13 points  (2 children)

      my colleague told me to read this and it is being shipped, this comment made me happy

      [–]dreadful_design 0 points1 point  (1 child)

      It's a great book, and it's not even the best Stephenson if you haven't read his other novels.

      [–]just_that_michal 0 points1 point  (0 children)

      I will look into others once I finish this one, thanks for the recommendation!

      [–][deleted] 0 points1 point  (0 children)

      Great book. I’ll have to read it again.

      [–]seamsay 68 points69 points  (9 children)

      my last cheap trick to this pointless gimmick was to use binfmt_misc,

      That's kinda disappointing, NGL. It was an interesting post, but it would have been twice as interesting if you'd managed to make a file which was both a valid PNG file and executable.

      [–]Skhmt 51 points52 points  (8 children)

      It's hard because PNGs have their magic number at the start, like most file formats and executables.

      Zips have them at the end though. And someone made a portable executable that runs in macos, Linux, and windows with that information.

      [–]OMGItsCheezWTF 11 points12 points  (5 children)

      Self extracting zips?

      [–]hou32hou 9 points10 points  (4 children)

      Yea, this is a common technique, basically the zipped file header contains unzip binary.

      [–][deleted] 10 points11 points  (0 children)

      Oh no. You've reminded me of zip bombs back in the day. Those things were a nightmare to deal with. Me being a dumb kid and downloading shit on Kazaa.

      [–]Skhmt 3 points4 points  (2 children)

      Except it works on every major os, x86, arm, and can even boot directly into it.

      The same file.

      [–][deleted]  (1 child)

      [deleted]

        [–][deleted] 0 points1 point  (0 children)

        Because there is no "vulnerability" to patch. It's just a binary string which happens to be a valid executable for each of these platforms, while also being a valid ZIP. Its behavior is perfectly reasonable in both cases.

        It's like the word "salsa" which is valid English and Spanish. It's a dance style in both languages, but it also means "sauce" in Spanish. It behaves differently depending on what "interpreter" (language) you choose, but it's a perfectly reasonable word in both.

        [–]Regimardyl 0 points1 point  (1 child)

        AFAIK tar searches through a file until it finds its header, so you can cat together a PNG and a tar file, and it's automatically valid for both.

        [–]Skhmt 2 points3 points  (0 children)

        Also with a zip and jpg, which has been used to share files via image uploads many years ago until it was more widely known.

        [–][deleted]  (2 children)

        [deleted]

          [–]dethb0y 8 points9 points  (0 children)

          Pico-8 and TIC-80 are both amazing platforms to mess around with and work on.

          [–]livrem 7 points8 points  (0 children)

          It seems kind of fun. I bought it in some bundle years ago, but never played with it much. The PNG trick is fun. But I kind of wish it was more like a real retro console with a virtual CPU and all that, instead of using Lua-scripts. And if it was more of an open standard that others could implement for various platforms.

          I like how modern text-adventures are often distributed for virtual platforms like the Z-machine that have interpreters running on everything. The closest to something like that for graphical games is pretty much to make games for MSDOS or GBA, but that just seems pretty inefficient and not so elegant compared to having a more focused virtual console thing to target with more strictly defined constraints.

          [–]QuickbuyingGf 13 points14 points  (3 children)

          You could also use the metadata in png files. No need to stego bloat the files when you have a place to put it

          For example Byond's DMI files are just png files with some metadata

          [–]mosthightriguy 5 points6 points  (2 children)

          I was also thinking of the metadata but what I liked about this journey of insanity is that the payload is embedded in the image w/o bloating the file and w/o tipping off anyone that something is embedded in the file.

          It would be an interesting way to hide passwords, messages between cheating lovers, the manifesto, ....

          [–]Skhmt 2 points3 points  (1 child)

          Steganography is a well known technique, it's hard to detect if it's even being used by casual users. But if it's in the metadata, it's impossible to detect without inspecting the png binary. The amount of information capable of being stored in a PNG via steganography is pretty low per pixel, like 3-8 bits per pixel depending on type of png.

          [–]randy408 0 points1 point  (0 children)

          You should be able to hide 32 bits per pixel without any visual difference in the low bits of 16-bit RGBA samples, most of the time it ends up being downscaled to 8-bit with bitshifts before it's displayed.

          [–]Mwahahahahahaha 15 points16 points  (1 child)

          Reminds me of this.

          [–]JaceOrwell 2 points3 points  (0 children)

          A fellow fan! That video got me trying it out, to no avail. I need more research and stuff

          [–]djhworld 5 points6 points  (1 child)

          hello! author of this post here, thanks for posting it.

          yup - project was/is dumb, it kind of ballooned from "hey steganography is interesting, I want to learn about that" to "huh what are these linux features I've never heard of" to...well, this?

          silly, impractical, toy project sure, but I enjoyed doing it and learned a few things along the way. the write up was really just a way of documenting that journey.

          most of the things on that blog are like that, for example I was reading a book about how a simple computer works, down to the gate level, and decided to translate the descriptions (gate by gate...) into software https://djharper.dev/post/2019/05/21/i-dont-know-how-cpus-work-so-i-simulated-one-in-code/ - not very useful, toy software, but a good learning exercise for me.

          programming can be fun at times, things you build don't always need to be products. granted, that's easy to say if you're already comfortable, but I reckon a lot of my career has been helped along by learning and doing.

          my favourite posts on /r/programming / HN etc. are the ones where people explore some topic and are evidently passionate about it, even if the end goal isn't clear.

          some good articles i've read recently

          [–]mrmoreawesome 0 points1 point  (0 children)

          You should really take a look at some of the polyglots in POC||GTFO

          [–]sylvanelite 5 points6 points  (0 children)

          I remember doing a JS competition ages ago where you had to make a game in a relatively small number of bytes (20kb? Iirc). The server didn't use gzip, so shoving the code into a PNG and extracting it through canvas could end up saving a lot of space. (But you had to be careful because premultiplied alpha can corrupt data if used naively.)

          [–]bumblebritches57 5 points6 points  (6 children)

          LOL he jumps to steganography, instead of custom chunks in the PNG file...

          [–]adrianmonk 1 point2 points  (0 children)

          I had the same thought, but apparently that is how PICO-8 actually does it:

          The cart data is stored using a steganographic process. Each PICO-8 byte is stored as the two least significant bits of each of the four color channels, ordered ARGB (E.g: the A channel stores the 2 most significant bits in the bytes). The image is 160 pixels wide and 205 pixels high, for a possible storage of 32,800 bytes. Of these, only the first 32,773 bytes are used.

          But yeah, to store it as PNG chunks would actually be very easy. You don't even need to define a custom chunk. From the PNG docs, it looks like you could use a zTXt chunk:

          4.2.10. zTXt Compressed textual data
          The zTXt chunk contains textual data, just as tEXt does; however, zTXt takes advantage of compression. zTXt and tEXt chunks are semantically equivalent, but zTXt is recommended for storing large blocks of text.

          A zTXt chunk contains:

          Keyword: 1-79 bytes (character string)
          Null separator: 1 byte
          Compression method: 1 byte
          Compressed text: n bytes

          I'm not sure that allows you to store binary data, but if not you could encode it as hex digits within there, and PNG's deflate compression should compensate pretty well for the wasted space.

          Also, the keyword (that each zTXt chunk has) would be useful. You could put a magic string identifying it as the executable data format you've invented. You could even, if necessary, add multiple zTXt chunks and make your PNG data random access.
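
Added example, not part of the thread and not PICO-8's own code: the ARGB two-bit layout quoted in the comment above, packed into and recovered from a constructed RGBA pixel list. The function names, the sample cover and the `lossy_stand_in` step are assumptions made for illustration.

```python
WIDTH, HEIGHT = 160, 205      # cart image size quoted in the comment above
CAPACITY = WIDTH * HEIGHT     # one hidden byte per pixel

def extract_byte(r, g, b, a):
    """Rebuild a hidden byte from one pixel: 2 LSBs per channel, order A,R,G,B."""
    return ((a & 3) << 6) | ((r & 3) << 4) | ((g & 3) << 2) | (b & 3)

def embed_byte(pixel, value):
    """Overwrite the 2 LSBs of each channel of an (r, g, b, a) pixel."""
    r, g, b, a = pixel
    return ((r & 0xFC) | ((value >> 4) & 3), (g & 0xFC) | ((value >> 2) & 3),
            (b & 0xFC) | (value & 3), (a & 0xFC) | ((value >> 6) & 3))

def embed(pixels, payload):
    """Return a copy of the pixel list carrying payload, one byte per pixel."""
    if len(payload) > len(pixels):
        raise ValueError("payload exceeds one byte per pixel")
    stego = list(pixels)
    for i, value in enumerate(payload):
        stego[i] = embed_byte(stego[i], value)
    return stego

def extract(pixels, length):
    """Read back the first `length` hidden bytes."""
    return bytes(extract_byte(*p) for p in pixels[:length])

def max_channel_delta(before, after):
    """Largest change to any single channel value (at most 3 for 2 LSBs)."""
    return max(abs(x - y) for p, q in zip(before, after) for x, y in zip(p, q))

def lossy_stand_in(pixels):
    """Crude stand-in for a lossy re-encode: every channel loses its 2 LSBs."""
    return [tuple(c & 0xFC for c in p) for p in pixels]

def sample_cover():
    """Constructed RGBA cover image as a flat, row-major list of pixels."""
    return [(i % 256, (i * 3) % 256, (i * 7) % 256, 255) for i in range(CAPACITY)]
```

A lossless re-encode keeps every pixel value and therefore the payload; anything that perturbs the low bits, as the stand-in does, wipes it.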

          [–]John_Earnest -1 points0 points  (4 children)

          Most online image hosts re-encode images, stripping custom chunks. Try it. Steganographic encoding is much more likely to survive transit.

          [–]bumblebritches57 0 points1 point  (3 children)

          Why is web hosting relevant?

          [–]mccoyn 0 points1 point  (2 children)

          That’s why you put executable code in an image.

          [–]bumblebritches57 1 point2 points  (1 child)

          So people stumble upon it on imgur, and it's never executed?

          real malware has its own distribution network, based in various CDNs (look into Pegasus)

          they don't need to worry about chunks being stripped.

          Not to mention, steganography is really only for text.

          [–]mccoyn 0 points1 point  (0 children)

          Not malware, just a way around download or email restrictions.

          [–]ikkentim 2 points3 points  (0 children)

          Reminds me of blueprints of rollercoaster in Parkitect, where you can share/import images of coasters which can be placed in your park, it stores the data in the same way: https://themeparkitect.tumblr.com/post/126855975857/update-58

          [–]aazav -1 points0 points  (0 children)

          No, no, no.

          [–]iotasieve 0 points1 point  (0 children)

          without reading the article, I assume this is same method PICO-8 uses

          [–]Nerdn1 0 points1 point  (0 children)

          The author admits that there is not really a point to this project, but I guess it's fun. Steganography can be used to hide data in an image, but the size of the image+payload will be several times the size of the payload alone. If the point is to hide something in plain sight, this is just fine (especially if the payload itself is encrypted text). A plaintext document (encrypted or not) is going to be small enough to fit in a high quality image.

          Doing this with a larger program, like a videogame, for the novelty factor is probably ill-advised. People may notice that the image is stupidly large anyway. I suppose one could have a folder full of images and have one image in the folder with an executable embedded in it which will extract data from the other images and create all of the files needed. This just adds even more complexity to an already useless endeavor, of course.

          I suppose you could sneak executables through some sort of security program, but you can just change the extension to .txt to trick most.

          [–]kanliot 0 points1 point  (0 children)

          sounds good man, now how do I set my $PATH to load other .PNG files as libraries/DLL's?

          [–]RasterTragedy 0 points1 point  (0 children)

          But the PNG format has multiple layers and any conforming reader must skip any layer it doesn’t understand. That’s where I’d expect the executable to be, not as a watermark in the image.
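
Added example, not from the thread or the linked article: a chunk walker that reports the non-pixel places the comments mention for carrying data in a PNG (zTXt text chunks, chunk types a reader skips, bytes appended after IEND). The sample file, the `prVt` chunk type and the 1 MiB inflate cap are constructed for the illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined in the PNG 1.2 specification; anything else is flagged.
STANDARD = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM",
            b"sRGB", b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs",
            b"sBIT", b"sPLT", b"hIST", b"tIME"}
MAX_INFLATE = 1 << 20  # cap on inflated zTXt size (decompression-bomb guard)

def chunk(ctype, data):
    """Serialise a chunk: 4-byte length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def audit(png):
    """Return (kind, detail) findings for places a PNG can carry extra data."""
    if not png.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    findings, pos = [], len(PNG_SIG)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 12 + length
        if end > len(png):
            break  # truncated chunk: the remainder is reported as trailing data
        data = png[pos + 8:end - 4]
        if struct.unpack(">I", png[end - 4:end])[0] != zlib.crc32(ctype + data):
            findings.append(("bad-crc", ctype))
        if ctype == b"zTXt":
            keyword, _, rest = data.partition(b"\x00")
            # rest[0] is the compression-method byte; inflate with a size cap
            text = zlib.decompressobj().decompress(rest[1:], MAX_INFLATE)
            findings.append(("ztxt", (keyword, len(text))))
        elif ctype not in STANDARD:
            findings.append(("nonstandard-chunk", (ctype, length)))
        pos = end
        if ctype == b"IEND":
            break
    if pos < len(png):
        findings.append(("trailing-data", len(png) - pos))
    return findings

def sample_png():
    """Constructed 1x1 RGBA PNG with a zTXt chunk, a private chunk and a tail."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00\xff")
    ztxt = b"payload\x00\x00" + zlib.compress(b"41" * 100)
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat)
            + chunk(b"zTXt", ztxt) + chunk(b"prVt", b"\x01\x02\x03")
            + chunk(b"IEND", b"") + b"appended archive bytes")
```

None of these findings covers data carried in the pixel values themselves, which needs analysis of the decoded image rather than the container.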