Matthieu Suiche’s blog !

Waldo!!

by Matthieu Suiche on Aug.14, 2007, under Windows

As I explained in a previous post (Here), there are some funny programmers in Redmond who like to hide strings in their code.

The following sample is from the Windows 2000 kernel.

.text:004054A0 94 7F 00 C0 4F B9 60 EE 66 19 14 06 45 72 69 63 Eric
.text:004054B0 46 2E 4E 65 6C 73 6F 6E DE B0 FE 50 6A 59 D2 11 F.Nelson

But who is Eric F. Nelson? :)

Moreover, in NtSetVolumeInformationFile() a guy named Jess left his fingerprint too :p

PAGE:004D71BD                 mov     esi, offset KernelConspiration
PAGE:004D71C2                 lea     edi, [ebp+UnusedString]
PAGE:004D71C5                 movsd
PAGE:004D71C6                 movsd
PAGE:004D71C7                 movsd
PAGE:004D71C8                 movsd

As we can guess, the four bytes are the name of the person, but what do the three additional dwords mean?

.text:00405338 KernelConspiration db 'Jess'
.text:0040533C                          dd 11D0812Ah
.text:00405340                          dd 8C7BEh
.text:00405344                          dd 2F09E22Bh

typedef struct _KERNEL_CONSPIRATION {
    BYTE  szName[4];
    DWORD HarryKilledVoldemort;
    DWORD HarryGetMarriedWithGinny;
    DWORD AndRonWithHermione;
} KERNEL_CONSPIRATION, *PKERNEL_CONSPIRATION;

Oops! I’m not a spoiler !! hahaha

Save the trees, stop Harry Potter’s publication!
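One way to examine the three dwords from the listing above, as an added example that is not part of the original post: it rebuilds the 16 bytes copied by the four movsd instructions and reads them with the Windows GUID layout. The GUID reading is an assumption of this example, and the function names are made up for it.

```python
import struct
import uuid

# Values copied from the listing at .text:00405338 (db 'Jess' + three dd).
NAME = b"Jess"
DWORDS = (0x11D0812A, 0x0008C7BE, 0x2F09E22B)


def blob_bytes(name=NAME, dwords=DWORDS):
    """Rebuild the 16 bytes as stored in the image (x86 is little-endian)."""
    return struct.pack("<4s3I", name, *dwords)


def as_guid(blob):
    """Read the blob with the Windows GUID layout (Data1..Data3 little-endian).

    Assumption of this example: the post does not say the data is a GUID.
    """
    return uuid.UUID(bytes_le=blob)


def describe(blob):
    """Return the raw bytes and the GUID fields a reverser would check first."""
    g = as_guid(blob)
    return {
        "hex": blob.hex(" "),
        "guid": str(g),
        "variant": g.variant,
        "version": g.version,      # None unless the variant is RFC 4122
        "node": f"{g.node:012x}",  # last six bytes of the blob
    }


if __name__ == "__main__":
    for key, value in describe(blob_bytes()).items():
        print(f"{key:8} {value}")
```

Under that layout the name occupies Data1, and the version and variant fields hold values a time-based GUID would carry, which is consistent with the assumption but does not prove it.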

1 comment for this entry:
  1. Bichon

    / ! \ SPOILER / ! \
    but really trippy ;)
