Looking inside your Windows 98
Finding an hidden incredible database inside your computer

Version 1.0
Our tools
Our tools
11 October 98
by TWD
Courtesy of Reverser's page of reverse engineering
slightly edited
by reverser+
fra_00xx
981014
TWD
0100
OT
P9
Great stuff... I couldn't check nothing of this, because I (of course) have NOT installed windows'98 (I'm running Linux and I'm seriously thinking about "downgrading" my windoze machine to win 3.11 :-), yet I trust TWD enough to publish this text and I sincerely hope that this 'rolling snowball' will grow and grow -running downweb- and finally splash with a great "bum!" in the silly face of Micro$oft!
Note that TWD has produced his own tool in order to study these curious concealed activities...
M$_bashing
M$_Bashing

We're the ones who knew everything / still we did nothing
harvested everything, / planted nothing

But still we can't feed the strange hunger inside
greedy, restless and unsatisfied

Rating
( )Beginner (x)Intermediate ( )Advanced ( )Expert


This essay is for all people interested in what happens inside their computer... behind their back.

Looking inside your Windows 98
Tell me which applications you run and I'll tell you who you are
Written by TWD


Introduction
There is not much to say about the introduction. Some time ago I was searching for some 
remains of a program on my computer. I used the in build search program coming with Win98.
But it didn't only found the program, but also a file with a .lgc extension. It was 
located in the Win98/applog directory. I had a deeper look inside, and I found some 
interesting things.


Tools required
No SoftICE today, guys. I'm sorry
No IDA 3.74 today (sorry again)

Any good Hex Editor (I prefer UltraEdit 5.X)
FileMon
Any programming environment (VC++ or Delphi or something else) (not really needed)
And - last but not least - a lot of brain...

Target's URL/FTP
http://on.your.computer.com
or
http://in.your.pcstore.com

Program History
The first buggy version is for sale since June this year.

Essay

After having read the introduction, you know how I found the applog directory (I had 
never before looked inside it). Inside the directory there are a lot of files, mainly 
with extensions like this --> *.lg*
And there is also a file called applog.ind (sounds interesting, doesn't it ??)

The lg* files are all plain text, but the applog.ind is much more difficult.
After some time of analyzing, I discovered the most important parts of it.

The Header (Part I)
~~~~~~~~~~~~~~~~~~~
It starts with a ten byte long string, named "APPLOG1.1" followed by six bytes with 
unknown contents. Then there is the number of entries in this file, a four byte integer.

The rest of the 64 byte large header is still unknown to me, but there a some dates in it,
I know, because the change every time a program is run and the look similar to the normal
dates stored in your computer (FILETIME or SYSTEMTIME (look inside win32.hlp)).


The Header (Part ][)
~~~~~~~~~~~~~~~~~~~~

Then there is a second part, I call it the second header. It's size is about 344 bytes or
86 4-byte integers. I don't know what for this part is, but I guess it is for sorting or
something like this, because the values of the integers are increasing from to to bottom.


The Data
~~~~~~~~

After the two headers, the data entries follow. The number is defined in the first header.

The data entry structure looks like this :

      the name of the exe file                  (8 bytes)
      the offset to the path                    (4 byte integer)   <<-- explained later
      the number of runs since the last defrag  (4 byte integer)
      the total number of runs                  (4 byte integer)
      the fileDataTme of the file               (FILETIME - STRUC  8 bytes)
      the file size                             (4 byte integer)
      some flags ???? unknown                   (4 byte integer)
      
      
The only thing which is to be explained is the second entry (offset to path).

Did ever anyone of you messed around with the fuckin' PE-FILE structure ???
I did it and that's the only reason why I figured out how this value works.
There these kind of fuck is done all the time.

This value describes the distance from the end of the headers to the first char
of the path, related to the application.

Let me explain a bit more detailed:
The total size of the headers is 408 (344 + 64), and if we have a value of 1234 for 
example, then the offset to the path is 1234 + 408 = 1642. Set the File Pointer to
1642 and read till the next #0.

You wanna know how I figured out all this shit, why I know the sizes of the header 
and all this fuck ???

No problem, I used the good old FileMon to see when the explorer writes into the 
file (yes, it's the explorer). The explorer writes four times into the file, the 
first time he writes 64 bytes, then 344 bytes and then the data entries and last but 
not least the paths.
When knowing these basic values, it's now problem the get the size of every entry by
looking of the distance between two strings, and so on.

After having explained the structure of the applog.ind file, I will explain the 
other (*.lg*) files.
Basically the look like this (explorer.lgc) :

{
o c1507870 2c000 "C:\WIN98\EXPLORER.EXE"
R c1507870 0 40
R c1507870 80 f8
R c1507870 80 198
R c1507870 16000 1000
r c1507870 13000 1000
o c1505fb0 1665 "C:\WIN98\WIN.INI"
R c1505fb0 0 1665
C c1505fb0
r c1507870 3000 1000

The remaining 680 lines are on your own computer (if you own win98) so I don't have to
put them here.

Again I used FileMon to look what the explorer does while starting. That's why I know how
this file is structured.
First there is a character. That's very simple, 

            o   -->>  open
            r   -->>  read (the file pointer was moved to the left) 
            R   -->>  read (the file pointer was moved to the right)
            c   -->>  close
            

The open command is structured as follows :

o   <"filename">

example :
o c1507870 2c000 "C:\WIN98\EXPLORER.EXE"

The handle is used throughout the file, so if a read command is done it 
looks like this :

r   

example :
C c1505fb0



These few commands are enough to keep track of all file accesses of the program. 
Something like FileMon but already implemented in your OS.


That's all,

bye till next time...


            TWD
            
            
P.S.: Comments, suggestions, bug reports are always welcomed. Send them to




twd(dot)rulez(at)gmx(dot)net






Final Notes
Some of you will ask why evil Bill Gates hides such nice proggies in your OS (yeah, the
directory has the hidden attribute). Why doesn't he improve the performance of his fuckin'
OS instead if spying what the users do ???

There is one simple answer (maybe there are more) : This pile of information is used 
by defrag to sort the files according to their use.

It is NOT send to Microsoft via the Internet when you are connected (I think so, I 
checked it, but not for 1oo percent). But any evil hacker can use BO or any other 
utility like BO to access you computer and get these information.


This is only the first version of this essay. It's growing like the program I wrote.
In the moment, the applog.ind file is read and processed and a beautifull tree is 
created, where you can browse and look for the information you wnat to know.
But it is not ready, I'm still working on it, so be patient and come back and look 
if it was enhanced once more.

Download the tool created by TWD: twdapplo.zip, 151 Kb.


Ob Duh
Our Ob duh doesn't apply, we're investigating Billy's concealed activities here.

You are deep inside reverser's page of reverse engineering, choose your way out:

redhomepage redlinks redsearch_forms red+ORC redstudents' essays redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_reverser
redIs reverse engineering legal?