Taming Monsters, finding clowns
"Easter eggs galore"

by fravia+
hcu

(04 September 1997)


Courtesy of fravia's page of reverse engineering (of course :-)

This is n° 100... the HUNDREDTH ESSAY of the +HCU's academy
Well... I hope you won't be too disappointed... there is no real "crack" in this essay, only some easy reverse engineering of some well known applications: those among you who have read my recent "filemon" essay series already know that I'm more interested in "general" reverse engineering than in specific protection cracking.

This said, I believe that for those of you who did not already know about the existence of "easter eggs" inside commercial applications (I hope not too few) the following will open interesting perspectives for "another" reverse engineering approach to your targets, which can also be useful in order to understand which "secrets" have been hidden there... even if said 'secrets' are -in this case- stupid clownish jokes.

Anyway I wanted to celebrate personally the 100th essay of our academy with a small, yet I hope interesting, contribution.

Taming Monsters, finding clowns
by fravia+ (MSRE)
	Well, I don't know if you have ever been puzzled by two little strings 
inside Netscape.exe, the main executable of Navigator. I'm using netscape.exe, 
version 3.0, 2.980.864 bytes, a very stable version.

	Anyway, I wanted to check if strings 6698 and 6699... 

6698, "This pre-release copy of Netscape Navigator has expired\n
and can only be used to download a newer version of Navigator."

6699, "This copy of Netscape has expired.\n
This pre-release copy of Netscape Navigator has expired\n
and can only be used to download a newer version of Navigator."

 ...really corresponded to some weird eventual protection scheme or
 not. So I went on a session that dug out no protection scheme at all, 
 but eventually produced a monster text file and fished out a lot of clowns.
 I'll make it short about the protection scheme: 
 It seems to me that the trial strings above are obsolete (yet anything 
 can happen inside a huge 4 million bytes executable, and I may have 
 missed some no longer connected vestige of a protection scheme :-) 
 	I reckon that they were foreseen for an "eventual" 90-days trial 
 limitation that was never implemented, as the hard struggle against 
 the "Net crusade" that Micro$oft started compelled Netscape to give its 
 navigator away for free.
 	So they gave it, nominally  to "students" "libraries" and "charitable 
 non-profit organisations"... de facto to every individual that cared, 
 without any limitation whatsoever, as you can read in the disclaimer 
 part, which carries the following rather amusing "scarecrow" message:
    
	You may not modify, translate, reverse engineer, 
	decompile or disassemble this software (except to 
	the extent applicable laws specifically prohibit 
	such restriction)
 
 	Note the text in parentheses, which in reality completely negates 
 the preceding scarecrowing sentence... you may want to have a look at 
 my "Is software reverse engineering illegal?" essay in order to 
 understand the reasons behind these "scarecrow" messages.
 	Software for free to any individual! A right and obvious choice in our
 eyes, since we all believe that software should be free... yet, clearly, it must 
 have been a painful decision for Netscape, made in the hope of keeping enough hold 
 of the browser market to compensate for all lost revenues from individual
 clients through all "institution" and "industry" licenses. 
 I don't know if this worked (I doubt it), but they don't seem to have 
 had much of a choice, seen the might of Micro$oft's MSIE attack. 
 	Anyway I have examined the code (albeit only superficially) of 
 netscape.exe and there does not seem to be any real protection inside 
 Netscape now. 
 
 	Yet the point of this note is another... if you would like to 
 examine the code yourself you'll see what I mean... you are in 
 for a treat!
 	First of all you must produce your dead listing. The strings 
 above have been gathered through Borland Resource Workshop, which 
 works flawlessly and pretty quickly, yet to work on a target you 
 have to disassemble it. When you disassemble netscape.exe (I used 
 wdasm) you get a "dead listing" which is bigger than the hard disk 
 we used to have a couple of years ago: over 44 million bytes of 
 text! 
 A real monster file! Try to load that inside Microsoft Word... 
 it won't even accept it! 
 But even using better text editors (which by the way are as usual 
 much cheaper, smaller and more powerful than Micro$oft's abominations) 
 it will take you (and I'm using a Siemens Nixdorf P166 with 32 RAM) 
 two minutes just to load it, two and a half minutes just to search 
 it and four to five minutes to unload that monstrosity, 
 with your heart bleeding seeing all hard disk and memory leds 
 grinding their teeth and spitting their lights! You better give it 
 up... it's not worth it anyway, and go back to BRWing netscape. Have 
 a look at the strings. Should you want to find those strings inside 
netscape.exe, remember that you would have to search for HEX bytes with interpolated
00s, and not for, say "expired", because, as usual, part of the strings have 
been "doublebyted" for compiler reasons... even if these string snippets look 
(to you) the same inside BRW:
"This pre-release copy of Netscape Navigator has expired\n..."
and
"...modify, translate, reverse engineer..."
They are NOT the same.
The first snippet, BRW string 6698, is at byte 29D71A and looks like this:
610069006E002E007600540068006900  a.i.n...v.T.h.i.
730020007000720065002D0072006500  s. .p.r.e.-.r.e.
6C006500610073006500200063006F00  l.e.a.s.e. .c.o.
(By the way, the second "expired" string, BRW string 6699, starts at 
byte 29D808)

The second snippet is at byte 2824C7 and looks like this:
3B0D0A20202A206D6F646966792C2074  .......modify, t
72616E736C6174652C20726576657273  ranslate, revers
6520656E67696E6565722C206465636F  e engineer, deco

I know that all "old hands" know this, but I remember how annoying it 
was for me, as a newbie, being unable to find some strings inside my 
targets.
So, as you can see, in order to find such strings you'll have to load 
the target inside your hexeditor and then search for bytes with 
interpolated zeros.
	This has to do, as chown pointed out, with "Unicode" strings. Unicode 
is a 16-bit character standard to help developers internationalize their 
programs (8-bit character sets have a mathematical limit of 256 characters, 
which is far too few for languages like Japanese, Korean or Chinese, which 
have several thousand characters). Unicode, encompassing 65536 possible 
characters, takes care of that.
	Many tools, useful for us crackers, already support this standard:
- New versions of Hexworkshop can search for Unicode strings.
- Peek, a very useful extraction tool (peek11.zip), will
  extract all strings (Unicode included) from any file.
- The Unix-ported strings program from our beloved NTInternals also has 
  a Unicode command line option.
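
The search described above, as an added example that is not part of the original essay: Python code that looks for a string both as plain 8-bit text and as UTF-16LE (the "interpolated zeros" layout), and lists the wide strings found in a buffer. The function names are hypothetical and the sample bytes are constructed for the illustration, not taken from netscape.exe.

```python
import re


def find_text(data: bytes, text: str) -> dict:
    """Return {encoding: [offsets]} for `text` stored as 8-bit or as UTF-16LE."""
    hits = {}
    for name in ("ascii", "utf-16-le"):
        needle = text.encode(name)  # "utf-16-le" puts 0x00 after each ASCII char
        offsets, pos = [], data.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = data.find(needle, pos + 1)
        hits[name] = offsets
    return hits


def wide_strings(data: bytes, min_chars: int = 4):
    """Yield (offset, text) for runs of printable ASCII chars each followed by 0x00."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars)
    for match in pattern.finditer(data):
        yield match.start(), match.group().decode("utf-16-le")


# Constructed sample: one 8-bit string and one "doublebyted" string
# surrounded by filler bytes. These are NOT bytes from netscape.exe.
SAMPLE = (
    b"\x90\x90;\r\n  * modify, translate, reverse engineer\x00"
    + b"\xff\xfe\x01"
    + "This copy has expired".encode("utf-16-le")
    + b"\x00\x00\xcc"
)

if __name__ == "__main__":
    for word in ("modify", "expired"):
        print(word, find_text(SAMPLE, word))
    for offset, text in wide_strings(SAMPLE):
        print(f"{offset:06X}  {text}")
```

A plain 8-bit search for "expired" finds nothing in this buffer, while the UTF-16LE search does: the same situation as with BRW strings 6698 and 6699.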

 	Back to BRW resource editing... as +ORC always reminded us, it's 
 jolly well worth looking at the "hidden guts" of an application, because 
 programmers leave behind, among many other wasted spaces, a lot of 
 information that can eventually be useful... Well, I did not find 
 anything useful at all, yet here are some interesting snippets from 
 the "guts" of Netscape: 

 "Sorry, there are legal restrictions on arithmetic coding"

 "Copyright (C) 1995, Thomas G. Lane"
 
 34004, "Uh, like check for new mail and stuff"
 
 34006, "Uh, like get new mail and stuff"
 
 34055, "Unscramble naughty jokes"

 60010, "Uhhhh....  Like see the license file and stuff."

 And here you have the names of all the clowns that produced this 
 target, with their respective official clown title:
  60030/1: "The Mozilla Team 1995
            Edit Alchemy
	Charley Manske - Coder Savant
	Jack Palevich - Sacrificial Lamb
	Robin Silberling -  Makeup
	lloyd tabb - Most Doomed Macintosh
	Chris Bingham - Basso Profundo
	Tim Craycroft - Creative Loner
	Tim McClarren - Beatnik Poetry
	Aleks Totic - Ambassador from the Home Planet MS Windows
	Garrett Blythe - Don't call him Gilbert
	Jim Everingham - The Barry Manilow of computer programming
	Scott Jones - His Royal Whoness
	Chris Houck - Prophet of Doom
	Ken Thomaston - Unplugged X Windows
	Suresh Duddi - The Man From U.N.C.L.E.
	Spence Murray - Fretless Bass
	
	Cross Platform Development
	Eric Bina - Pyrotechnic Coordinator
	Scott Furman - Photographic Analysis
	Hagan Heller - Gooey Stuff
	Phil Karlton - Curmudgeon
	Ari Luotonen - Alien On Tour
	Lou Montulli - Fishmonger
	Lisa Repka - Verifone Operator
	Jeff Weinstein - Electronic Munitions Specialist
	Terry Weissman - Assistant Clown			<-honest one :-)
	Jamie Zawinski - Levitation Engineer

	Java, Mocha, Latte and Cappucino
	Dan Clifford - Special Agent Cooper
	Brendan Eich - Barrista
	Warren Harris - Will work for food
	Bruce Jones - Guide de Montagne
	Kipp Hickman - Goalie
	Rick Potts - Square Peg Pounding
	
	Then, should you be interested, which I doubt, there also follow all 
	the names of the people working inside the "Production" and 
	"Management" of Mozilla/Netscape. 
	Finally you'll get to this nice excerpt from the "Book of Mozilla":
	
 The Book of Mozilla, 12:10
"And the beast shall come forth surrounded by a roiling cloud of vengeance.
 The house of the unbelievers shall be razed and they shall be scorched to the earth.
 Their tags shall blink until the end of days"
                                    from The Book of Mozilla, 12:10
  
	C'mon, tell me the truth... you did not know that you were browsing 
the Net with this message inside your application, did you?
	Yes, "Easter eggs", as they call them, little snippets "hidden" 
inside the applications you use. Obviously you can get to the above 
clown names and Book of Mozilla "pages" through a link combination 
that I will let the interested reader find out. 
The same easteregging practices are (sadly) in use inside almost all 
Windows 95 applications. One of the most awful duties of a reverse 
engineer is to fish out such stupidity from these overbloated targets.
Here we go... sorry about this squalor, but I believe that everybody 
should know about this, at least in order to ridicule the Authors 
of such crap... a GOOD programmer will be recognised through his code, 
and these guys feel the need to stuff their photographs in the 
overbloated applications that we (don't :-) buy!
	In Excel '97 there is, for instance, a sort of "doom" game hidden 
inside the spreadsheet: you can walk on a "ridge" until you arrive at 
a wall with the names (and photographs!) of all the clowns that worked 
on this "123 killer" Micro$oft product. Let's do it the other way round: 
I'll tell you how you get it and you'll have a look at the code (if 
interested in such crap): choose Create New doc/go to line 95/ select 
whole line 95 clicking left on the number 95 / tab / you are now in 95B / 
choose about MS-Excel / CTRL+SHIFT and click technical support and now 
you'll see the "doom" window.
	In Word and in Windows 95 itself you'll find once more the same 
marmalades...(you probably already knew it, didn't you?).
Actually the clowns at Micro$oft seem to be the most fanatic (and the 
most prone to byte waste) eastereggers around... they probably believe 
firmly that, since they design much too overbloated programs anyway, 
a couple of million bytes more in order to show us the visages of 
such able programmers (it's ironic :-) would not hurt anybody. Actually 
if I'm not mistaken they started this trend back in DOS with MSD.exe, 
a M$-diagnostic utility for DOS 6.2... try the sequence help/about/F1 
there and try to fetch it back in the code... that's a good reverse 
engineering exercise. But easter eggs are now proliferating... you'll 
find them in Corel draw; in Windows NT (screen saver easter eggs in 
"3D texts")... in Windows NT v3.51 workstation type "beer" and get a list 
of M$' clowns' favourite beers (they don't understand anything about beers 
btw)... inside Word 97 there is a whole silly 
pinball game! (maybe the only reason to buy such a crappish product :-)
OK, I'll give you this one too... create new doc / type "Blue" / double 
click on "blue" / bold it / choose color blue / unselect it / add a space 
after "blue" / select "about" / click the icon... you'll be able to find 
most of the Easter eggs easily by reversing the "about" routine... use the 
techniques I have explained in my "filemon" essay, for instance... if you 
do you are in for some (pretty sad) surprises: Quicken, Freehand, Cakewalk,
Flight Simulator 6 (here you must give the coordinates of Redmond to your 
plane) and so on and so on.

Such is the sad tragedy of software life under the talon of Micro$oft 
domination... even programmers who should hate anything 
vaguely microsoftish, like Netscape's ones, did "notscape" it.

(c) fravia+, 1997. All rights reversed.