Re: Portable Executable Format
the APE format leverages that by embedding a binary structure that can alternately be interpreted as a script loader or as an executable container
Yes, plus some other goodies.
Basically, PEs are recognized on Windows by the magic number in the first two bytes, which happens to be "MZ" (for good historical reasons) in ASCII. There are similar magic numbers for various binary executable formats used by many other OSes. (Claiming "any x86 OS" is clearly a little broad, because who knows how many people have implemented their own experimental OSes with crazy formats and conventions.)
Bourne shell scripts have to contain legal Bourne shell commands, but don't have to start with anything in particular, because when they were introduced the interpreter ("hash-bang") line concept hadn't been introduced.
So, when a POSIX OS is asked to execute a file, it sees if it starts with the magic number of any of the executable formats it knows how to run. If not, it has to try to run it as a Bourne shell script. (It can't really apply any heuristics except that if the first byte is binary 0, it can't be a valid Bourne shell script. Otherwise, in POSIX land, even a 2-byte file could be a valid script, because you can use any character other than NUL or / in a filename, and the script might just execute another file. But I digress.)
So, I can start a Bourne shell script with "MZ" and it looks like a PE to Windows. If I write that script carefully, I can actually make it both a valid Bourne script and a valid PE, because they're both pretty forgiving. In the case of APE, the script starts off by turning that MZ into the beginning of a variable name, as you can see if you follow the link in the article.
Then, if it's running as a PE, great; you just stick in the various PE sections after redirecting around the script stuff. If it's running as a script, it can do various things to get itself re-executed as the proper sort of file.
And then there's the web-app zip trick, which is one of the first tricks you learn when writing polyglots, and one that was used by Phil Karn's original PKZip (in the pksfx utility). A zip file has its metadata at the end, and the directory in the metadata contains offsets to the compressed contents. So anything can come before the zip data; decompressors will start at the end of the file and then jump into the middle of it. So you just take your executable and append the zip data to it, and you have both an executable and a zip archive.
I do this occasionally with a PNG image and a zip archive. The PNG image is of text that reads "This is a zip file. Rename it with a zip extension and open it again." It's handy for sending zips to people whose email clients block them, for example.
Biting the hand that feeds IT
