View Full Version : Weird...



cboard_member
07-14-2005, 11:10 AM
Purely in the interest of science, I conducted an interesting experiment today.

I wrote a very simple XOR encryption program.

I then proceeded to encrypt windows notepad (c:\windows\notepad.exe) to see what would happen.

I encrypted another executable I wrote a while ago and it became unusable until it was decrypted, but this is not what happened to notepad, oh no...

After it was encrypted, its icon changed to the infamous 'misc program' icon (the plain white window). Then, about 3 seconds later, it changed back to the notepad icon, as if windows had somehow detected and reversed my encryption... :confused:

I'm thinking of doing it to my kernel32.dll file, but I haven't got the guts. I reckon windows will stop me anyway, but you never know.

Any comments on the anomaly?

ober
07-14-2005, 11:36 AM
You have spyware. It's called "windows"... it is self-healing and self-replicating.

cboard_member
07-14-2005, 11:59 AM
So how would it detect something like that? Does it constantly monitor all of its system files?

Ahh however it does it I guess it's pretty cool.

Fordy
07-14-2005, 01:09 PM
I seem to remember that windows scans certain files and restores them if they have been tampered with

Windows File Protection?

cboard_member
07-14-2005, 01:44 PM
Well it certainly seems like a novel idea; seems to work too.

Microsoft products working? Doesn't that break like all the laws of everything?


(Joke)

;)

lightatdawn
07-14-2005, 06:14 PM
Wanna see something really funny? Go into your windows directory and delete solitaire (sol.exe). Seriously, go ahead (XP users only... unless you really hate solitaire or something...).

I fail to see how solitaire is a critical file.

jverkoey
07-14-2005, 06:46 PM
Surely, without solitaire, the system would become completely unstable and more than likely not boot anymore :rolleyes:

Zach L.
07-14-2005, 07:16 PM
Don't want your computer getting bored while you're away, now do you?

ILoveVectors
07-14-2005, 07:30 PM
Solitaire is a very important file!! 2/3rds of all people who own a computer would not need a computer if it wasn't for solitaire!!

MadCow257
07-14-2005, 07:44 PM
:)
However, this applies to anything in system32, not just solitaire.

cboard_member
07-15-2005, 12:49 AM
Riiiight. I suck at solitaire anyhows, and my poor computer? She prefers a good game of Half Life while I'm away :D

major_small
07-15-2005, 01:20 AM
I have to disagree... delete half-life and what happens? HL just disappears... windows has no love for it :*(

cboard_member
07-15-2005, 01:23 AM
Noooooooooo. HL Rocks. Soon I'll have a system good enough to rape *ahem* I mean play HL2..

Excellent *evil mr. burns thinking face*

nickname_changed
07-15-2005, 04:18 AM
Notepad and lots of the other standard Windows executables and DLLs have a copy in the System32\DllCache (I believe) folder. When you stuff around with these files, Windows detects it and restores the version from the DLLCache folder. Try and replace notepad.exe with another executable - it'll be restored. Delete it - it'll be restored.

To get around it I believe you have to replace the version in DLLCache first, then replace the file you want.
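
The detect-and-restore behaviour described above (with the first post's XOR tampering as the trigger), as an added Python example that is not code from this thread: a baseline of file hashes plus a cache copy, re-checked and restored on mismatch or deletion. The file names, the one-byte key and the sample bytes are constructed stand-ins, and this is a toy model of the idea, not a reimplementation of Windows File Protection.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

def xor_bytes(data, key):
    # Repeating-key XOR, the poster's "encryption"; applying it twice restores the input.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_baseline(protected, cache_dir):
    # Copy each protected file into the cache and record its hash (the DllCache idea).
    os.makedirs(cache_dir, exist_ok=True)
    baseline = {}
    for path in protected:
        shutil.copy2(path, os.path.join(cache_dir, os.path.basename(path)))
        baseline[path] = sha256_file(path)
    return baseline

def check_and_restore(baseline, cache_dir):
    # Compare each protected file to its baseline; restore from cache if changed or missing.
    results = []
    for path, good_hash in baseline.items():
        cached = os.path.join(cache_dir, os.path.basename(path))
        if not os.path.exists(path):
            shutil.copy2(cached, path)
            results.append((os.path.basename(path), "restored-missing"))
        elif sha256_file(path) != good_hash:
            shutil.copy2(cached, path)
            results.append((os.path.basename(path), "restored-modified"))
        else:
            results.append((os.path.basename(path), "ok"))
    return results

def demo():
    # Constructed stand-in for notepad.exe in a temp dir; the real system is never touched.
    tmp = tempfile.mkdtemp()
    target, cache = os.path.join(tmp, "notepad.exe"), os.path.join(tmp, "dllcache")
    Path(target).write_bytes(b"MZ constructed sample bytes, not a real executable")
    baseline = build_baseline([target], cache)
    Path(target).write_bytes(xor_bytes(Path(target).read_bytes(), b"\x5a"))  # tamper
    first = check_and_restore(baseline, cache)
    intact = sha256_file(target) == baseline[target]  # restored copy matches baseline
    os.remove(target)                                 # the "delete sol.exe" case
    second = check_and_restore(baseline, cache)
    shutil.rmtree(tmp)
    return first, second, intact
```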

nickname_changed
07-15-2005, 04:24 AM
Microsoft products working? Doesn't that break like all the laws of everything?
"The day Microsoft make a product that doesn't suck is the day they bring out a vacuum cleaner". But see my previous posts on why Microsoft doesn't "sux0rz".

To those joking about how solitaire isn't a critical system file - seriously, imagine the huge number of support calls made because Aunt Edna can't play solitaire after her 10 year old nephew decided to "clean up" her computer.

cboard_member
07-15-2005, 04:31 AM
True, very true. I'll have a look at the DllCache folder now. If I break something, well, that'll give me something to do.

*3 minutes later*

Hey you were right. I found notepad and solitaire in c:\windows\system32\dllcache; they're all compressed too, yay.

Stan100
07-15-2005, 09:35 AM
Disable Windows File Protection (http://www.winguides.com/registry/display.php/790/)

Hehe, now try XORing your kernel :p

VOX
07-15-2005, 07:03 PM
Maybe windows doesn't want you to delete solitaire because you can't download it elsewhere if you lose it? Maybe? I don't know.

cboard_member
07-16-2005, 01:57 AM
Who would want to download it if they lost it :D. Sucky sucky suck suck suck. (Jk)