Taming Monsters, finding clowns
"Easter eggs galore"
(04 September 1997
Courtesy of fravia's page of reverse engineering (of course :-)
This is n° 100... the HUNDRETH ESSAY of the +HCU's academy
Well... I hope you won't be too deceived... there is no real "crack" in
this essay, only some easy reverse engineering of some well known applications: those among you that have read my recent "filemon" essay series know already
that I'm more interested in "general" reverse engineering than in specific protection
This said, I believe that for those of you that did not already know about the existence
of "easter eggs" inside commercial application (I hope not too few) the following
will open interesting perspectives for "another" reverse engineering approach to
your targets, which can be useful as well in order to understand which "secrets"
have been hidden there... even if said 'secrets' are -in this case- stupid clownish jokes.
Anyway I wanted to celebrate personally the 100th essay of our academy with a small, yet I hope interesting, contribution
Taming Monsters, finding clowns
by fravia+ (MSRE)
Well, I don't know if you have ever been puzzled by two little strings
inside Netscape.exe, the main executable of Navigator. I'm using netscape.exe,
version 3.0, 2.980.864 bytes, a very stabile version.
Anyway, I wanted to check if string 6698 and 6699...
6698, "This pre-release copy of Netscape Navigator has expired\n
and can only be used to download a newer version of Navigator."
6699, "This copy of Netscape has expired.\n
This pre-release copy of Netscape Navigator has expired\n
and can only be used to download a newer version of Navigator."
...really corresponded to some weird eventual protection scheme or
not. So I went on a session that dig out no protection scheme at all,
but eventually produced a monster text file and fished out a lot of clowns.
I'll make it short about the protection scheme:
It seems to me that the trial strings above are obsolete, (yet anything
can happen inside a huge 4 millions bytes executable, and I may have
missed some no more connected vestige of a protection scheme :-)
I reckon that they were foreseen for an "eventual" 90-days trial
limitation that was never implemented, as the hard struggle against
the "Net crusade" that Micro$oft started compelled Netscape to give its
navigator away for free.
So they gave it, nominally to "students" "libraries" and "charitable
non-profit organisations"... de facto to every individual that cared,
without any limitation whatsoever, as you can read in the disclaimer
part, which carries the following rather amusing "scarecrow" message:
You may not modify, translate, reverse engineer,
decompile or disassemble this software (except to
the extent applicable laws specifically prohibit
Note the text in parentheses, which in the reality negates completely
the preceding scarecrowing sentence... you may want to have a look at
my Is software reverse engineering illegal?" essay in order to
understand the reasons behind these "scarecrow" messages.
Software for free to any individual! A right and obvious choice in our
eyes, since we all believe that software should be free... yet, clearly, it must
have been a suffered decision for Netscape, mad in the hope to keep enough hold
of the browser market to allow to compensate all lost revenues, from individual
clients, through all "institution" and "industry" licenses.
I don't know if this worked (I doubt it), but they don't seem to have
had much of a choice, seen the might of Micro$oft's MSIE attack.
Anyway I have examined the code (albeit only superficially) of
netscape.exe and there does not seem to be any real protection inside
Yet the point of this note is another... if you would like to
examine yourself the code you'll see what I mean... you are in
for a threat!
First of all you must produce your dead listing. The strings
above have been gathered through Borland Resource Workshop, which
works flawlessly and pretty quickly, yet to work on a target you
have to disassemble it. When you disassemble netscape.exe (I used
wdasm) you get a "dead listing" which is bigger than the hard disk
we used to have a couple of years ago: over 44 millions bytes of
A real monster file! Try to load that inside Microsoft Word...
wont even accept it!
But even using better texteditors (which by the way are as usual
much cheaper, smaller and powerful than Micro$oft's abominations)
it will take you (and I'm using a Siemens Nixdorf P166 with 32 RAM)
two minutes just to load it, two and a half minutes just to search
it and four to five minutes to unload that monstrosity,
with your hearth bleeding seeing all hard disk and memory leds
grinding their teeth and spitting their lights! You better give it
up... its' not worth it anyway, and go back to BRWing netscape. Have
a look at the strings. Should you want to find those strings inside netscape
exe, remember that you would have to search for HEX bytes with interpolated
00s, and not for, say "expired", because, as usual, part of the strings have
been "doublebyted" for compiler reasons... even if these string snippets look
(to you) the same inside BRW:
"This pre-release copy of Netscape Navigator has expired\n..."
"...modify, translate, reverse engineer..."
They are NOT the same.
The first snipped, BRW string 6698, is at byte 29D71A and looks like this:
730020007000720065002D0072006500 s. .p.r.e.-.r.e.
6C006500610073006500200063006F00 l.e.a.s.e. .c.o.
(By the way, the second "expired" string, BRW string 6699, starts at
The second snippet is at byte 2824C7 and looks like this:
3B0D0A20202A206D6F646966792C2074 .......modify, t
72616E736C6174652C20726576657273 ranslate, revers
6520656E67696E6565722C206465636F e engineer, deco
I know that all "old hands" know this, but I remember how annoying it
was for me, as a newbye, being unable to find soome strings inside my
So, as you can see, in order to find such strings you'll have to load
the target inside your hexeditor and then search for bytes with
This has to do, as chown pointed out, with "Unicode" strings. Unicode
is a 16-bit character standard to help developers intrenationalize their
programs (8-bit hcracter sets have a mathematical limit of 256 characters,
which is far too few for langiages like Japanese, Korean or Chinese, which
have several thousand characters. Unicode, encompassing 65536 possible
characters, takes care of that.
Many tools, useful for us crackers, already support this standard:
- New versions of Hexworkshop can search for Unicode strings.
- Peek, a very useful extraction tool (peek11.zip will
extratct all strings (included unicode) from any file.
- The Unix ported string program from our beloved NTInternals also has
an Unicode command line option.
Back to BRW resource editing... as +ORC always reminded us, it's
jolly worth to look at the "hidden guts" of an application, because
programmers leave behind, among many other wasted spaces, a lot of
information that can eventually be useful... Well, I did not find
anything useful at all, yet here are some interesting snippet from
the "guts" of Netscape:
"Sorry, there are legal restrictions on arithmetic coding"
"Copyright (C) 1995, Thomas G. Lane"
34004, "Uh, like check for new mail and stuff"
34006, "Uh, like get new mail and stuff"
34055, "Unscramble naughty jokes"
60010, "Uhhhh.... Like see the license file and stuff."
And here you have the names of all the clowns that produced this
target, with their respective official clown title:
60030/1: "The Mozilla Team 1995
Charley Manske - Coder Savant
Jack Palevich - Sacrificial Lamb
Robin Silberling - Makeup
lloyd tabb - Most Doomed Macintosh
Chris Bingham - Basso Profundo
Tim Craycroft - Creative Loner
Tim McClarren - Beatnik Poetry
Aleks Totic - Ambassador from the Home Planet MS Windows
Garrett Blythe - Don't call him Gilbert
Jim Everingham - The Barry Manilow of computer programming
Scott Jones - His Royal Whoness
Chris Houck - Prophet of Doom
Ken Thomaston - Unplugged X Windows
Suresh Duddi - The Man From U.N.C.L.E.
Spence Murray - Fretless Bass
Cross Platform Development
Eric Bina - Pyrotechnic Coordinator
Scott Furman - Photographic Analysis
Hagan Heller - Gooey Stuff
Phil Karlton - Curmudgeon
Ari Luotonen - Alien On Tour
Lou Montulli - Fishmonger
Lisa Repka - Verifone Operator
Jeff Weinstein - Electronic Munitions Specialist
Terry Weissman - Assistant Clown <-honest one :-)
Jamie Zawinski - Levitation Engineer
Java, Mocha, Latte and Cappucino
Dan Clifford - Special Agent Cooper
Brendan Eich - Barrista
Warren Harris - Will work for food
Bruce Jones - Guide de Montagne
Kipp Hickman - Goalie
Rick Potts - Square Peg Pounding
Then, should you be interested, which I doubt, follow also all
the names of the people working inside the "Production" and
"Management" of Mozilla/Netscape.
Finally you'll get to this nice excerpt from the "Book of Mozilla":
The Book of Mozilla, 12:10
"And the beast shall come forth surrounded by a roiling cloud of vengeance.
The house of the unbelievers shall be razed and they shall be scorched to the earth.
Their tags shall blink until the end of days"
from The Book of Mozilla, 12:10
C'mon, tell me the truth... you did not know that you were browsing
the Net with this message inside your application, did you?
Yes, "Easter eggs", as they call them, little snippets "hidden"
inside the applications you use. Obviously you can get to the above
clown names and Book of Mozilla "pages" through a link combination
that I will let the interested reader find out.
The same easteregging practices are (sadly) in use inside almost all
windows95 applications. One of the most awful duties of a reverse
engineer is to fish out such stupidity from these overbloated targets.
Here we go... sorry about this squalor, but I believe that everybody
should know about this, at least in order to ridicule the Authors
of such crap... a GOOD programmer will be recognised through his code,
and these guys feel the need to stuff their photographs in the
overbloated applications that we (don't :-) buy!
In Excel '97 there is, for instance a sort of "doom" game hidden
inside the spreadsheet, you can walk on a "ridge" until you arrive to
a wall with the names (and photographs!) of all the clowns that worked
on this "123 killer" Micro$oft product. Let's do it the other way round:
I'll tell you how you get it and you'll have a look at the code (if
interested in such crap): choose Create New doc/go to line 95/ select
whole line 95 clicking left on the number 95 / tab / you are now in 95B /
choose about MS-Excel / CTRL+SHIFT and click techincal support and now
you'll see the "doom" window.
In Word and in Windows 95 itself you'll find once more the same
marmalades...(you probably already knew it, didn't you?).
Actually the clowns at Micro$oft seem to be the most fanatic (and the
most prone to byte waste) eastereggers around... they probably believe
firmly that, since they design anyway much too overbloated programs,
a couple of million bytes more in order to show us the visages of
such able programmers (it's ironic :-) would not damage nobody. Actually
if I'm not mistaken they started this trend back in DOS with MSD.exe,
a M$-diagnostic utility for dos 6.2... try the sequence help/about/F1
there and try to fetch it back in the code... that's a good reverse
engineering exercise. But easter eggs are now proliferating... you'll
find them in Corel draw; in windows NT (scren saver easter eggs in
"3D texts")... in windows NTv3.51 workstation tape "beer" and get a list
of M$' clowns preferite beers (they don't understand nothing about beers
btw)... inside Word 97 there is a whole silly
flipper! (maybe the only reason to buy such a crappish product :-)
OK, i'll give you this one too... create new doc / tape "Blue" / double
click on "blue" / bold it / choose color blue / unselect it / add a space
after "blue" / select "about" /click icone... you'll be able to find
easily most of the Easter eggs reversing the "about" routine... use the
techniques I have explained in my "filemon" essay, for instance... if you
do you are in for some (pretty sad) surprises: Quicken, Freehand, Cakewalk,
Flight Simulator 6 (here you must give the coordinates of Redmont to your
plane) and so on and so on.
Such is the sad tragedy of software life under the talon of Micro$oft
domination... even programmers who should hate anything
vaguely microsoftish, like Netscape's ones, did "notscape" it.
(c) fravia+, 1997. All rights reversed.
You are deep inside fravia's page of reverse
engineering, choose your way out:
+ORC students' essays tools
antismut search_forms mail_fravia
is reverse engineering legal?