Lets take a look at EOF: Taskmgr.exe in WinXP SP2:
language="*"
/dependentassembly
/dependency
/assembly
This is the perfect peace of mind "end of a windows file". No further investigation interests.
Now lets take a look at EOF: taskmgr.exe Vista:
PFq
PFq
wwwww
wpwwww
wpwwwp
... many lines later I use ..... to skip some lines .....
AUA
EYE
NWN
RRR
cDU
.....
PSSM
~JFB5
'+FB6s}FPUS
$jmw44-RU
JHB6
........
'/6_g+2dc
\bb?e@p
%$!SV"_FhjlFx
YAMlnnHv
NLKiC@>
YZ*46@BfKLq
...........
DDDDDDDDD@
DDDDDDDDDGpw
DDDDDDDDDGpw
DDDDDDDDDDDDDD
wwwwwwwwwwwwww
...................
R_GYn
T\O:g~O
buG
..............
586D6H6L6P6T6X6\6`6d6h6l6p6t6x6|6
7$7(7,7074787<7@7D7H7L7P7T7X7\7`7d7h7l7p7t7x7|7
5"6C6N6Z6}6
<4<>B>i>m>q>u>y>}>
4+4D4^4f4l4
8&8@8+9A9P9V9\9d9~9
="=/=8=A=N=[=b=
>&>/>6>;>I>O>U>[>g>m>x>~>
010I0R0X0x0
4&5G5L5W5i5
7&7G7Y7q7
=/===D=J=x=
3%3/393C3M3W3
4$4(4,4044484<4@4D4H4L4P4T4X4\4`4d4h4l4p4t4x4|4
6I7O7h7
:R:n:t:
;-;3;8;C;I;`;m;};
0I0e0q0}0
1:1E1R1X1`1i1t1z1
2%3.3C3e3n3w3
3-4E4e4r4
8;8D8l8y8
98:D:V:a:
;@;G;T;k;t;
...
6?6I6V6\6b6m6
6&757<7H7N7T7_7l7r7{7
9B9H9S9Y9
;);.;R;m;s;
=%=-=H=V=g=l=
>;>D>U>u>
5X5d5p5|5
6$606<6H6T6`6l6x6
>.>4>T>h>v>
272@2K2V2h2n2u2
3 3%3*3>3G3L3Y3j3p3{3
4I4U4[4b4k4q4y4
5S5Y5a5g5
6<6B6I6V6
;/;M;Z;f;
262O2Z2m2y2
353V3b3j3r3~3
3@4N4_4p4x4
8%838C8J8Z8n8w8
0!010?0P0b0h0
3-3A3H3V3`3j3v3
3'41494B4M4X4a4l4
6(7=7C7I7O7f7
7$8L8W8j8q8
9>9J9Q9g9
>#?H?O?_?m?
0+030P0V0\0d0
....
?J?Q?i?
7_7g7p7v7~7
<%=;=A=O=g=|=
1'1/1K1X1j1r1}1
2%2-282E2R2Z2d2l2w2
3R3o3z3
5!525;5P5a5j5u5
6#60696B6Y6g6l6r6x6
>e?l?s?z?
:,:C:a:i:o:
>!>%>)>->D>M>Y>i>z>
242Z2n2t2
9)9F9P9g9t9
<0<9
5+575I5Z5_5v5
9S9X9d9
1 1'1N1T1_1e1
414>4S4Y4a4g4
;/;E;U;g;m;
=)=2=C=M=V=y=
?#?J?_?f?l?
2J3Q3\3h3
6"6(6=6N6`6k6q6w6
:":B:P:a:j:
;1;7;=;E;N;Y;_;p;v;};
6.6U6[6h6n6
:M:T:l:v:|:
=K=S=d=o=
0D1V1\1d1n1
2$2+242:2H2U2h2o2
93:`:d:h:l:p:t:
<.<3
0 0$0(00040<0D0H0L0P0T0X0
7 7(70787@7H7P7X7`7h7p7x7
8 8(80888@8H8P8X8`8h8p8x8
The Original Subhack mostly starts with DHLPTX.
You have to extract the letters to see the real meaning.
Most striking here is =D=J=x= DJ X and gmx >g>m>x>~>
as well as :,:C:a:i:o: or Caio probably it means also Ciao (anagram style)
Now lets take a look at EOF: taskmgr.exe Win7 Beta:
/assembly
CRIM
WEVTd
CHAN|
TTBL
TEMP
OPCOT
LEVL@
.....
AUA
EYE
NWN
....
7 7$7(7,7074787<7@7D7H7L7P7T7_7d7h7l7p7t7x7|7
:5;>;J;R;_;e;
3J4U4e4o4
8?8J8V8y8
2#2'2+2/23272;2?2C2G2K2O2S2W2[2
8M8U8e8
909C9Y9`9g9
091M1d1x1
393G3N3T3
525H5R5l5
9#:4:A:R:Z:g:}:
;%;4;<;V;p;v;
<)<=
3O3Z3g3m3u3
666U6e6y6
8*888J8S8s8|8
:3;C;S;Y;_;g;p;|;
=(=U=p=v=
> >&>,>7>C>I>O>X>^>d>n>y>
0@1L1X1d1p1|1
2$202<2H2T2`2l2x2
7#7.7E7U7m7
8 818F8U8Z8`8e8j8o8t8z8
;F;n;z;
>$>->2>?>P>V>a>
>0?0@0F0N0T0
1M1g1s1
2'2@2V2d2t2{2
4-494Y4d4u4
7Q7r7w7
8;9I9Z9k9s9|9
:a:j:r:x:
0:0F0]0b0s0
1(101C1U1]1c1
2$2*2K2V2]2c2i2n2t2z2
3F4g4s4{4
:>:E:V:u:{:
;9;O;T;^;g;v;
4#454;4L4Z4l4r4
9$9,9<9T9f9l9q9
:$:6:M:W:j:p:v:
;+<5<=
1*141I1U1Z1`1n1t1~1
3$393D3L3r3
4P4W4k4
7I7T7k7v7
8&818H8S8j8u8
<9
051H1O1]1p1z1
3C3L3\3v3
4P5V5u5{5
5<6D6P6j6
6!7,72787A7j7q7
8 8*8?8E8K8m8|8
9S9\9f9n9
9-:4:A:H:`:g:
:&;O;V;g;
0D1P1o1
6/6;6N6h6v6}6
8I9R9i9
94:J:P:^:y:
:5;>;G;^;d;o;
<1
>&>J>a>m>
#0T0e0p0
1F1f1m1{1
5S5y5F6]6u6
:,;0;G;V;h;};
6#656=6T6f6x6
7Z7n7y7
878K8c8r8z8
:):2:=:J:U:`:m:}:
;:
080E0K0m0r0
6-636@6F6Q6W6d6
8"9.9:9b9n9z9
=S>r>y>
0L0l0r0
0K1h1m1x1
2B3I3h3u3
8&8J9&=*=.=2=6=:=>=B=F=J=N=R=V=Z=^=b=f=j=n=r=v=z=~=
6-7175797=7A7E7I7]7i7u7
94:F:d:s:
1)1>1T1[1d1j1y1
6,6H6Q6_6u6{6
6 7I7o7v7
8"8l8s8y9
9$:;:Y:a:g:
4)414A4J4U4\4b4l4w4
:1:8:F:P:r:U;\;c;j;q;x;
0.0S0n0y0
1E1Z1g1m1
="=4=<=H=N=c=i=
>J>P>[>a>;?S?
3:4W4f4m4
4(5F5M5b5m5
>"?.?=?I?R?c?m?v?
8*8D8J8f8m8{8
:D:L:R:]:t:}:
<:
1*1H1X1t1{1
2,22282@2I2T2Z2k2q2x2
5"5,5>5D5U5\5q5x5~5
6I7i7y7
9/:E:f:m:
;G;V;c;k;s;z;
161A1V1j1
6F6M6Z6a6g6
7$7)7I7W7h7q7
=5=<=J=X=d=q=w=}=
>%>2>E>L>R>Y>g>u>
=!='=.=6=>=F=R=[=`=f=p=y=
? ?*?>?C?M?[?b?i?p?w?
0$0(0,00080<0D0L0P0T0X0\0`0
3 3(30383@3H3P3X3`3h3p3x3
4 4(40484@4H4P4X4`4h4p4x4
The Original Subhack mostly starts with DHLPTX.
You have to extract the letters to see the real meaning.
Most striking here is Q
and F
64 bit files in Windows have no more DHLPTX Style instead of this they use some short code lines in following order:
Services.exe Vista 64 bit:
/requestedPrivileges
/security
/trustinfo
/assembly
CRIM8?
RobinL
WEVT,
CHANl
TTBL
TEMP
TEMP
OPCO
LEVL@
TASK
KEYW
EVNT
WEVT
CHAN|
TTBL
TEMP
OPCOT
LEVL@
or Wininit.exe 64 bit Vista
/requestedprivileges
/security
/trustinfo
/assembly
CRIM
WEVT
CHANl
TTBLx
TEMP
TEMP
TEMP
TEMP
OPCOx
LEVL@
TASK
KEYW
EVNT$
PFq
PFq
Most significant here CRIM and CHAN, whereas CRIM could have several meanings e.g.:
CRIMINAL INTENT, CRIMINAL JUSTICE, CENTER OF CRIMINOLOGY?
Centre de recherche informatique de Montréal (CRIM)
Even in non native 32 bit executables you can find subhack strings, one example is Firefox 3.0.6
5JEw%Xg
w0/1I1a1p1
303P3X3b3g3l3
4&4,464V4\4f4l4u4
5&5.53595?5G5M5T5\5l5t5z5
6&6+6=6Q6X6o6
8M9b9r9
:&:-:4:;:B:I:Q:Y:a:m:v:{:
=B=U=[=d=
2,303P3l3p3
MBR BUD Q OX FLU
