Right, now I've got one on the dissecting table, let's see what's inside...
I've been supicious about them ever since I saw the fabled words "This program does not run in DOS mode" hidden inside Wood.xmpskin, so it's time to find out more.
First up is Visual C++. Open
victim volunteer no. 1, "Windows Classic.xmpskin" up as a resource, and I get a listing of images and data resources. Try to open, and Visual C++ self-destructs. Oh.
Next is the Dependency Viewer. Load up the file, and it get recognised as a valid 32-bit windows executable. Interestingly enough, it imports 6 functions from KERNEL32.DLL (ExitProcess, LoadLibraryA, GetProcAddress, VirtualProtect, GlobalAlloc and GlobalFree) and 2 from user32.dll (MessageBoxA and wsprintfA). This implies that there is some executable code, other than the anti-DOS message. But attempting to run it under Win2k pro give the message along the lines of "This is not a valid windows program", so the code obviously is not executable.
Also available are some version numbers. The linker used was version 6.0, which implies Visual C++ 6.0, and the operationg system is version 4.0 (NT4/95/98 - I think ME is 5.0). But no file version.
There are some other things of note: "Windows Classic.xmpskin" is about a tenth of the size of "Wood.xmpskin" (about 500KB), and contains the message "ERROR! Corrupt Data!". Maybe it has integreity-checking code inside it? This could explain the imported functions (which are enough to run a program), or the dialog boxes that appear when a font is not available. The data ia all encoded in binary, so it has already been processed and compressed.
Conclusion: .xmpskin files are not just binary data, they are programs in disguise. But for what end? Is this a sign of some plan by Ian to take over all users of XMPlay? Or is it simply an efficient use of standard Windows API functions? Only Ian knows.
Next up is the truth about the ZIP plugin and what it really does