Waldo!!

As I explained in a previous post (Here), there are some funny programmers in Redmond who like to hide strings in their code.

The following sample is from the Windows 2000 kernel.

.text:004054A0 94 7F 00 C0 4F B9 60 EE 66 19 14 06 45 72 69 63 Eric
.text:004054B0 46 2E 4E 65 6C 73 6F 6E DE B0 FE 50 6A 59 D2 11 F.Nelson

But who is Eric F. Nelson? :)

Moreover, in NtSetVolumeInformationFile() a guy named Jess left his fingerprint too :p

PAGE:004D71BD                 mov     esi, offset KernelConspiration
PAGE:004D71C2                 lea     edi, [ebp+UnusedString]
PAGE:004D71C5                 movsd
PAGE:004D71C6                 movsd
PAGE:004D71C7                 movsd
PAGE:004D71C8                 movsd

As we can guess, the first four bytes are the person's name, but what do the three additional dwords mean?

.text:00405338 KernelConspiration db 'Jess'
.text:0040533C                          dd 11D0812Ah
.text:00405340                          dd 8C7BEh
.text:00405344                          dd 2F09E22Bh

typedef struct _KERNEL_CONSPIRATION {
    BYTE  szName[4];
    DWORD HarryKilledVoldemort;
    DWORD HarryGetMarriedWithGinny;
    DWORD AndRonWithHermione;
} KERNEL_CONSPIRATION, *PKERNEL_CONSPIRATION;

Oops! I’m not a spoiler !! hahaha

Save the trees, stop Harry Potter’s publication!
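
An added example, not part of the original post: it rebuilds the 16 bytes of the 'Jess' record from the listing above and tests one possible reading of the three extra dwords, namely that the whole record is laid out like a Windows GUID. That reading, the function names, and the 16-byte window chosen around the 'EricF.Nelson' bytes are assumptions, not statements from the post.

```python
import struct
import uuid

# Values copied from the KernelConspiration listing in the post.
JESS_NAME = b"Jess"
JESS_DWORDS = (0x11D0812A, 0x0008C7BE, 0x2F09E22B)
# Assumed 16-byte window around "EricF.Nelson" in the hex dump (0x4054A8..0x4054B7).
ERIC_RAW = bytes.fromhex("66 19 14 06 45 72 69 63 46 2E 4E 65 6C 73 6F 6E")


def record_bytes(name: bytes, dwords) -> bytes:
    """Rebuild the in-memory bytes: 4-byte tag plus three little-endian DWORDs (x86)."""
    if len(name) != 4 or len(dwords) != 3:
        raise ValueError("expected a 4-byte name and exactly three DWORDs")
    return struct.pack("<4s3I", name, *dwords)


def describe(raw: bytes) -> dict:
    """Read 16 bytes as a GUID (an assumption) and report its RFC 4122 fields."""
    if len(raw) != 16:
        raise ValueError("a GUID-sized record is exactly 16 bytes")
    # Windows GUIDs store the first three fields little-endian, hence bytes_le.
    guid = uuid.UUID(bytes_le=raw)
    return {
        "guid": str(guid),
        "ascii": "".join(chr(b) if 32 <= b < 127 else "." for b in raw),
        "rfc4122": guid.variant == uuid.RFC_4122,
        "version": guid.version,  # None when the variant bits are not RFC 4122
        "node": "-".join(f"{b:02X}" for b in raw[10:]),
    }


if __name__ == "__main__":
    samples = (("Jess", record_bytes(JESS_NAME, JESS_DWORDS)), ("Eric", ERIC_RAW))
    for label, raw in samples:
        print(label, describe(raw))
```

Under this reading the 'Jess' record parses as a well-formed version 1 (time-based) UUID whose first field spells the name, while the 'EricF.Nelson' window does not carry the RFC 4122 variant bits.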

About Matthieu Suiche

Comments

One Response to “Waldo!!”
  1. Bichon says:

    / ! \ SPOILER / ! \
    but really trippy ;)