
ASCII safe binaries

Name: Anonymous 2011-12-26 18:11

I found it, I touched it, I scratched it, I sniffed it...and my head exploded. In that instant, being detached from the concepts called space and time, I was always and everywhere. Released from restrictions, I saw it all and understood. But the realization was a concept alien to that world, and returning to my own reality, the images slowly fleeted out of my memory. Attracted to the beauty, was a vision I was able to hold, but from the here and now, it seems no more than a memory of a dream. In the weeks thereafter I have used the energy of my essence to capture and forge, using the virtual world as playground. So much goodness has been uncovered in the process, that it has transformed the word coincidence into destiny. What has come is something I would like to share.

The trigger of this all was the W++ language which is affiliated with the Love Shack OS. It popped a bubble about a thing that has been nagging me since the beginning of time being that executables do not display well when viewed. Even worse, they contain byte values called non-displayable that are most likely associated with special handling depending on operating system and viewing/transporting program. Opening an exe in a text editor and saving it will most likely kill it. The revelation would be an executable that consists solely of byte values from the ASCII subset of displayable characters.

Pushing the limits even further, I proudly present ASCII safe binaries. This is an executable that consists of exclusively ASCII numerals and lowercase letters. You can view it as text, process it with a text editor, post on a message board, send using a mail program, *AND* run it as an executable. However, there is one snag that saddens me deeply: it is a 16-bit DOS executable. I truly wish I had figured this out 10 years earlier.

To share in the goodness, here are some of the technical specs.

- The binary has a strict preference towards numerals and the lowercase letters "acemnorsuvwxz". This creates a visual tone difference between the letters and digits making it possible to embed images. My xterm window clearly reveals an image, so does the DOS box, but my firefox uses a font which makes it less clear.
- The binary is 77 characters wide, which is considered a safe line length.
- The binary includes a three staged loader. Each stage has its own specifically designed compression scheme, encoder, decoder and test suite.
- The three stages unpack the final code. As a tribute to the Love Shack OS, I have used the program that popped the bubble.
- The 'payload' was originally written in assembly. I have rewritten it into C and compiled it using GCC. And yes, you can use GCC to generate 16-bit DOS apps, and yes, you can even use far pointers.
- The limited variety of byte values demonically reduces CPU instructions and addressing modes. In effect there are only three instructions available.
- The original program is 6404 bytes large, the refurbished ASCII safe binary is 2730 bytes.


k7c17k7z17k7l17khbqkxbqk7c1va1vpk7i1vf1vn1nx7iuyzzwxnz0dc0ey1uyohuquy2fzu2a6e
ooaafauzxrsrveavvvznazuazrvmakoaauovowwrmaernnuuztxwoxnevasezsoarmccwranazacm
raemxuaaaevscazoraaxaeauaxnarv300452202150015540rvuaranwaeaxaczamzsawvcaaxvwa
zzaausmanaavoaraocnamuawa900002290824908062310190152wannasamaaazanemrmoaamrre
cwrnzzzvrraxsnzwcnzaec121742986134758361928630489694115mnunezsmonosevxzuzxwrs
norananoeunueenvewcc41485784445599098383793681726891857689oumzrcwoxnnuenvezrz
svrunvmuvmnrvxmnw6004852811249598931137939716870178587305652awurownxnnezsmusn
oznoczzrererecow902421561218828076491780505661280126222351281ennuowaascwanzwv
axxezaaszsczwv5684137573751377519030698587327774619188275793177srxsexcoexamne
mouvmcrzsxmve5725sewro43023514572780562573162zsmazo0457277372955osmowscvraxxr
uarnosaooaov2762xxcxv2051557877313763893378vcvexrr595718425714945xcrxeawsxvnv
rzuvwvcurce534xervxvx257891379190761548970acmaneaz1759375037904690mvwvcoocxnx
xrenvowvvv2114rxrzzouaa86ue94235334067761sevnvrvawrc39rwr2805103874mvssmumsro
corosaxrzz6023vzusvvnwrecav71757914126224vcvzsowxszsvuexz1717368031urncvauzuu
nruazaevc83795mvzmuuoxvxreo10246117873177ozmvzancczrcvzrv42467171457xsmmvzmnz
zrzzxzzaz26716560973925575559632775777270593355157029545171357606059rvnwrvesn
mwxeounrx094555151959282029559531059215855597927781749171028864961377rxxowmuv
osxwsseac335545995168217157739190933357913774995147757970933036386322ecnenuvr
xwccazxso354785590674520927059472588846255653987292654046668311232632wecswoms
cvssxcuum28217254577918565683988357882709539089024003596725201048111onecrxrax
zeaarncam998502336aczeusnvxwzxusveoseexeuoncxmwncoummncv365214704538rezxmoacc
ucaeceacrx18223899rwaxocwsaswxxmcevzornmxcrsanzvaeuurmze91201872223nvvxveemvo
xassoeasoc941246117zzwvssevswccwaemnwwwzneeaxevnzausanzx81361777533oxcozemrvu
emzxvezwcvn13612613xswzceavwwucnvnrxssuownsvwwxawveusnae7589704333mxvazxvxzor
assamvueozoc051666027cuxscxnauvsavxunnwxewvnourronxzrxc1235071681mmsuoncvreao
xrazoucovnenm17339741aonunusvnoevsrumsammoocnvonwwmnozr765395755sawswwmwcesaw
scscnunsmrcazz919447837rocrrwrneanrv2916052938487vcnea689387762xxzunzmanosrna
ooomcwreeuncuxov52905183wmscwnawex68126745140441901x436377777exvasccsesmsuxrn
rrmuunezrwcsevccn35770015ocvunoou335740944703940131204421751saauceswarrcncmno
exrsarxxesmcnzaveeae11236793srzw03337155350258056676211518xuxcmeoorrwrxvvaxwn
nvanozaeraozxnvwucoxew707183413104659013133651355212327wrmmvmvamaxwommuzzwcez
awzaozamozusaxzvnznwwosna159487312534173311353508785cmeneaeexcvnrxraxzcnvecsr
exmnzzenxzmxewoxcaexewxuvrvaao394905445007195490ovnazwevvcsnncasvxunmceaurccc
anecuwscrxxaszoozaswvnzzwwrnzswaoxnr106110xrwczsvnemzmazmvuxaacamrrcczsuccvxs
cocosavecocsxnvnraarsmwmmecauanenazrrnueracnrraerxoevuravnwurcroexnam16bitexe


Just save the data grid in a file, make sure it starts with k7c17k7z17k7.... (no leading spaces), save it, rename the extension to .com (or .exe) and fire it up. I have tested it with WinXP/DOS, Win98/DOS, FreeDOS and on two different hardware rigs. Just think of it, what you are looking at is actual 80386 code. If you were able to 'jump' to it, it would really do something without crashing. This is, to my knowledge, the first of its kind.

If you are into assembly, then before you pull it through the reverse engineering, just let your thoughts wander off imagining how one would construct such code. And perhaps you might hit the same mental roller-coaster ride I did. For example, the stage1 loader (first line) has evolved and mutated 720 times before it became stable, and encoding stage2 takes about 30 minutes.

Name: Anonymous 2011-12-26 18:25

wait...only three instructions?

Name: Anonymous 2011-12-26 18:28

This was on 420chan

Name: Anonymous 2011-12-26 18:35

Glad to see you here too. Yes, I am the same author. I waited for the responses so I could post an improved version here.

Name: Anonymous 2011-12-26 18:35

So is the joke that it's that "awesome face"?
I was hoping it would be a "troll face".

Name: Anonymous 2011-12-26 18:41

>>2
There are a couple more, but not useful. But yes, stage 1 just uses imul and xor (which are two different instructions).

Name: Anonymous 2011-12-26 18:42

>>5
This is the real thing. Troll face would imply the opposite. I have tested it with WinXP/DOS, Win98/DOS, FreeDOS and on two different hardware rigs. My aim is to surprise positively, not negatively.

Name: Anonymous 2011-12-26 18:44

Awesome face was chosen to reflect all the goodness I uncovered in the making. You have no idea how much time and energy went into crafting this.

Name: Anonymous 2011-12-26 19:47

This is pretty cool.
lol at the 420chan people pointing out MZ on a COM file.

Name: Anonymous 2011-12-26 20:38

Someone did this years ago, Google "ZRYPQIQDYLRQRQRRAQX".

Name: Anonymous 2011-12-26 21:05

>>10
Thanks, didn't know that. There are differences like I am using a much smaller character set, but besides that, the essence is the same.

Name: Anonymous 2011-12-26 21:07

>>11
And yours doesn't work on older CPUs. ('k' is not a valid instruction.)

Name: Anonymous 2011-12-26 21:24

>>12
Guess it depends on what you define under 'old'. The 'k' is imul. Stage 1 is this:


x100:   imul    $'c',(%bx),%si          // 0xaf47
        xorw    %si,(%bx)               // 0x8f8a
        imul    $'z',(%bx),%si          // 0x67c4
        xorw    %si,(%bx)               // 0xe84e
        imul    $'l',(%bx),%si          // 0x00e8
        xorw    %si,(%bx)               // 0xe8a6

x10f:   imul    $'q','b'(%bx,%si),%bp   // 0x00d1
        imul    $'q','b'(%bx,%si),%di   // 0x00d1

x117:   imul    $'c',(%bx),%si          // 0xf832
        xorw    %si,'a'(%bp)
        xorw    %si,'p'(%bp)
        imul    $'i',(%bx),%si          // 0x6c16
        xorw    %si,'f'(%bp)
        xorw    %si,'n'(%bp)
        xorw    %bp,'x'(%bp)            // filler

        aaa

Stage1Start:

x12d:   .byte   0x69,0x75,0x79,'z','z'  // 69 75 30 'z' 'z'    imul    $0x38??,0x79(%di),%si
        .byte   'w'                     // 45                  inc     %bp
        .byte   'x',0x6e,0x7a,0x30      // 80 6e 7a 30         subb    $0x30,0x7a(%bp)
        .byte   'd','c'                 // 72 0f               jb      x148
        .byte   0x30,0x65,0x79          // 30 65 30            xor     %ah,0x79(%di)
        .byte   0x31,0x75,0x79          // 31 75 30            xor     %si,0x79(%di)
        .byte   'o','h'                 // 79 04               jns     x145
        .byte   'u'                     // 47                  inc     %di
        .byte   'q',0x75,0x79           // 89 75 30            movw    %si,0x79(%di)
x145:   .byte   0x32,0x66,0x7a          // 32 66 7a            xorb    0x7a(%bp),%ah
x148:   .byte   0x75,'2'                // 75 e3               jne     x12d

x14a:   .byte   'a','6'
x14c:

Stage1End:
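To make the prologue above concrete, here is an added Python replay of what the first three blocks of that listing do to the PSP word at (%bx) and to the Stage1Start bytes. It is my example, not the poster's code; it assumes a standard DOS .com entry (BX=0, PSP beginning with int 20h) and takes BP=0x00D1 from the poster's own annotation, since that value depends on memory the thread does not show.

```python
# Added example, not the poster's code: replay stage 1's self-patching prologue.
# Assumption (not on the page): DOS enters a .com at 0x100 with BX=0 and the PSP
# starting with 'int 20h' (CD 20), so the word at [BX] is 0x20CD. BP=0x00D1 is
# copied from the poster's annotation because it depends on memory not shown.

STAGE1 = "k7c17k7z17k7l17khbqkxbqk7c1va1vpk7i1vf1vn1nx7iuyzzwxnz0dc0ey1uyohuquy2fzu2a6e"
SAFE = set("0123456789abcdefghijklmnopqrstuvwxyz")   # the OP's whole alphabet
PSP_INT20 = 0x20CD   # little-endian word formed by the CD 20 at PSP offset 0
LOAD = 0x100         # where DOS places a .com image

def is_ascii_safe(text):
    """True if every character is a digit or a lowercase letter."""
    return all(c in SAFE for c in text)

def imul16(a, imm8):
    """imul r16, r/m16, imm8: only the low 16 bits of the product survive."""
    return (a * imm8) & 0xFFFF

def prologue_keys(bx_word=PSP_INT20):
    """Emulate 'imul $imm8,(%bx),%si ; xorw %si,(%bx)' three times, then the
    two imuls that make the xor keys. Returns (trace, key1, key2), trace being
    the (si, new [bx]) pair after each round."""
    trace = []
    for imm in b"czl":                  # the imm8 operands 'c', 'z', 'l'
        si = imul16(bx_word, imm)
        bx_word ^= si                   # xorw %si,(%bx) scribbles on the PSP
        trace.append((si, bx_word))
    key1 = imul16(bx_word, ord("c"))    # xor'd into 'a'(%bp) and 'p'(%bp)
    key2 = imul16(bx_word, ord("i"))    # xor'd into 'f'(%bp) and 'n'(%bp)
    return trace, key1, key2

def patch_stage1(line=STAGE1, bp=0x00D1):
    """Apply the four word-sized xor patches to a copy of the loaded image and
    return the code bytes from offset 0x100: the bytes the CPU really runs."""
    img = bytearray(LOAD) + bytearray(line.encode("ascii"))
    _, key1, key2 = prologue_keys()
    for disp, key in ((ord("a"), key1), (ord("p"), key1),
                      (ord("f"), key2), (ord("n"), key2)):
        addr = bp + disp
        word = int.from_bytes(img[addr:addr + 2], "little") ^ key
        img[addr:addr + 2] = word.to_bytes(2, "little")
    return bytes(img[LOAD:])

if __name__ == "__main__":
    code = patch_stage1()
    print(code[0x32:0x34].hex(), code[0x37:0x39].hex())   # 4580 720f
```

The returned trace reproduces the 0xaf47/0x8f8a/0x67c4/0xe84e/0x00e8/0xe8a6 annotations, and the patched image shows 'w' becoming inc %bp (45), 'd','c' becoming jb (72 0f), 'o','h' becoming jns (79 04) and 'u','q' becoming inc %di / movw (47 89), exactly the non-printable opcodes the all-printable file cannot carry directly.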

Name: Anonymous 2011-12-26 21:24

This is awesome, I can't wait to ru-

The program or feature "\??\C:\Users\Owner\desktop\a.exe" cannot start or run due to incompatibility with 64-bit versions of Windows. Please contact the software vendor to ask if a 64-bit Windows compatible version is available.

Name: Anonymous 2011-12-26 22:02

>>11
EICAR Anti-Virus Test File used that method (printable characters that form a valid COM file) for years. There were even batch files that echoed characters to form COM files and then executed them.
>>13
In 16-bit x86, imul is a one-argument instruction that uses the accumulator and the data register to form a 32-bit number. The abominable 386 added the three-argument imul (but didn't do that for div, idiv, mul, add, or any of the other instructions). The 386 is when x86 began to change from a simple 16-bit accumulator architecture into a bloated non-orthogonal pseudo-general purpose mixed 16/32-bit piece of shit. If you think of x86 as a general purpose register machine like the PDP-11, VAX, 68k, MIPS, SPARC, ARM, etc. and use the registers to cache arbitrary values, x86 is incredibly ugly and hard to work with. The opcodes and instruction formats make no sense. The instructions have strange limitations and change sizes depending on what registers are used. Since the 386, prefixes, multi-byte opcodes, and irregular extensions are everywhere. However, if you think of x86 the way it was meant to be used, as a 16-bit octal accumulator architecture in the vein of the Z80 with some added bonuses, it actually isn't that bad. Even the FPU opcodes and some 386 and later extensions are quite sensible in octal.
http://tnovelli.net/ref/opx86.html
http://reocities.com/SiliconValley/heights/7052/opcode.txt

Name: Anonymous 2011-12-27 10:34

>>14
Install DOSBox.

Name: Anonymous 2011-12-27 12:10

Holy fuck. This is awesome.

Bump

Name: Anonymous 2011-12-27 21:56

>>13
Please use sane Intel syntax. I can't read that shit.

Name: Anonymous 2011-12-27 22:02

>>15
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

inb4 retards running web page scanners start screaming "/prog/ has a virus!!!"

Name: Anonymous 2011-12-28 4:07

Wow. That is truly amazing.

Name: Anonymous 2011-12-28 4:12

sorry, meant to bump
