0

I found this tool and when I downloaded it, it is a bash executable that contains binary code.
First of all, I didn't know this is possible. Does anyone know how this can be done? Also, I am not sure how safe generally this is, since I can't really be sure what the bash file contains.

10
  • That looks like a Java program to me. What do you mean by "bash file"? Do you mean "script"? What file in that repository are you actually referring to?
    – Kusalananda
    Commented Aug 28, 2019 at 20:06
  • @Kusalananda: The tool is here github.com/sterlp/svg2png/releases I am referring to the svg2png. Download it and view it with an editor. The first line is exec java -Xmx1G -jar "$0" "$@" and the rest is binary data
    – Jim
    Commented Aug 28, 2019 at 20:09
  • Don't post information like that in comments; edit your question to make it clearer and more complete.
    Commented Aug 28, 2019 at 20:12
  • That's a combined file which is both a valid shell script and a zip (jar) file. The java command in it will just unpack it. You can also try with unzip -l svg2png to see its content ;-)
    – user313992
    Commented Aug 28, 2019 at 20:13
  • I don't see anything strange with that. That's a Java program provided as a JAR file with a shell wrapper. The alternative way of doing it would have been to have a separate shell script that does the exec but using the other file (which would be a .jar file). No difference.
    – Kusalananda
    Commented Aug 28, 2019 at 20:13

1 Answer

2

This is a self-contained Java program which relies on a few “tricks”:

  • Java programs can be packaged as JAR files, which are ZIP files containing a manifest (META-INF/MANIFEST.MF) which specifies the Java class to start;
  • java -jar, given a JAR file, will look at the manifest and start the corresponding class, loading any other required resources from the JAR file and the Java runtime (one can also specify another class to run, but that’s not relevant here);
  • ZIP files can start with arbitrary data; this is how self-extracting executables work (executable ZIP files which will extract themselves when run).

So svg2png is a JAR file, but with a prepended shell script:

    #!/bin/sh
    exec java -Xmx1G -jar "$0" "$@"

When run, this will run a shell, which will then replace itself with java -Xmx1G -jar and the name of the “script” (svg2png with whatever path was used), and any arguments. -Xmx1G sets the heap size, and -jar tells the JVM to “run” the given JAR file, svg2png in this case. The rest of svg2png is the JAR file; in particular, it contains the following manifest:

    Manifest-Version: 1.0
    Archiver-Version: Plexus Archiver
    Built-By: sterlp
    X-Compile-Target-JDK: 1.8
    X-Compile-Source-JDK: 1.8
    Created-By: Apache Maven 3.3.3
    Build-Jdk: 1.8.0_51
    Main-Class: org.sterl.svg2png.Main

This instructs the JVM to run the org.sterl.svg2png.Main class, which starts the program.

You’ll find more details about the ZIP format on Wikipedia, in particular the structure description which shows how the format allows arbitrary data at the start of the file (and in other positions). ZIP files are identified by their “central directory”, which resides at the end of the file.
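
An added example, not part of the original answer or of the svg2png project: a Python sketch that inspects a combined script-plus-JAR file without executing it, reporting the prepended script, the archive entries and the manifest's Main-Class. The sample file, the class name org.example.Main and the function names are constructed for illustration.

```python
import io
import zipfile

# Shell stub as quoted in the answer above.
STUB = b'#!/bin/sh\nexec java -Xmx1G -jar "$0" "$@"\n'
MANIFEST = "META-INF/MANIFEST.MF"


def build_sample() -> bytes:
    """Constructed sample: the stub followed by a tiny JAR-like ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST,
                    "Manifest-Version: 1.0\r\nMain-Class: org.example.Main\r\n")
        zf.writestr("org/example/Main.class", b"\xca\xfe\xba\xbe")
    return STUB + buf.getvalue()


def inspect_polyglot(data: bytes) -> dict:
    """Describe a script+ZIP file by reading it only; nothing is executed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        # zipfile finds the central directory from the end of the file and
        # corrects entry offsets for prepended bytes, so the smallest offset
        # marks where the archive starts; everything before it is the stub.
        start = min(i.header_offset for i in infos)
        names = [i.filename for i in infos]
        text = zf.read(MANIFEST).decode("utf-8", "replace") if MANIFEST in names else ""
    main_class = None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Main-Class":
            main_class = value.strip()
    return {
        "stub": data[:start].decode("latin-1"),  # what the shell will run
        "entries": names,                        # what the JVM will load from
        "main_class": main_class,                # class started by java -jar
    }


if __name__ == "__main__":
    report = inspect_polyglot(build_sample())
    print(report["stub"], report["entries"], report["main_class"], sep="\n")
```

To check a downloaded file, pass its bytes (for example `open(path, "rb").read()`) to `inspect_polyglot` and review the stub text before running it.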
