Author Topic: The secrets about .xmpskin  (Read 10617 times)

Torkell

  • Posts: 1169
The secrets about .xmpskin
« on: 15 Jun '03 - 21:12 »
Right, now I've got one on the dissecting table, let's see what's inside...

I've been suspicious about them ever since I saw the fabled words "This program does not run in DOS mode" hidden inside Wood.xmpskin, so it's time to find out more.

First up is Visual C++. Open victim volunteer no. 1, "Windows Classic.xmpskin" up as a resource, and I get a listing of images and data resources. Try to open, and Visual C++ self-destructs. Oh.

Next is the Dependency Viewer. Load up the file, and it gets recognised as a valid 32-bit Windows executable. Interestingly enough, it imports 6 functions from KERNEL32.DLL (ExitProcess, LoadLibraryA, GetProcAddress, VirtualProtect, GlobalAlloc and GlobalFree) and 2 from user32.dll (MessageBoxA and wsprintfA). This implies that there is some executable code, other than the anti-DOS message. But attempting to run it under Win2k pro gives a message along the lines of "This is not a valid windows program", so the code obviously is not executable.

Also available are some version numbers. The linker used was version 6.0, which implies Visual C++ 6.0, and the operating system is version 4.0 (NT4/95/98 - I think ME is 5.0). But no file version.

There are some other things of note: "Windows Classic.xmpskin" is about a tenth of the size of "Wood.xmpskin" (about 500KB), and contains the message "ERROR! Corrupt Data!". Maybe it has integrity-checking code inside it? This could explain the imported functions (which are enough to run a program), or the dialog boxes that appear when a font is not available. The data is all encoded in binary, so it has already been processed and compressed.

Conclusion: .xmpskin files are not just binary data, they are programs in disguise. But for what end? Is this a sign of some plan by Ian to take over all users of XMPlay? Or is it simply an efficient use of standard Windows API functions? Only Ian knows.

Next up is the truth about the ZIP plugin and what it really does ;D ;D ;D

Haze

  • Guest
Re: The secrets about .xmpskin
« Reply #1 on: 16 Jun '03 - 09:46 »
/me whistles X-files theme  :D

Olego

  • Posts: 557
XMPskin
« Reply #2 on: 16 Jun '03 - 10:16 »
Here are my conclusions:

The first giveaway is the first 2 bytes, and they are MZ.  Therefore, it's a Win32 executable.  It's not an application, but a DLL.  If you open it with a resource editor (that is slightly more sophisticated than VC, I use ResHack), then you see that it has Bitmap, and Data.  While I don't know what Data is (code), Bitmap is just the Bitmap.  VC crashes, but a sophisticated resource editor would let you know that it can't access them because they have been compressed.  So the solution is that Ian used something like VC to make a DLL that has all the stuff, and a few functions that are stored in Data that are the code to access the different Bitmaps.  And then he used something like Petite to compress them, because Bitmaps are very compressible.  And that's why it's hard to release a tool that would make a generic XMPskin.

Now, I would like to know what the functions are so that I can LoadLibrary and try to access them.  Or to make a skin on my own.  :)

~Olego~

Torkell

  • Posts: 1169
Re: The secrets about .xmpskin
« Reply #3 on: 16 Jun '03 - 11:31 »
There aren't any exported functions in the file (which is surprising, as you'd expect DllMain to be exported). This implies that the DATA section is probably compression headers and skin layout information. Any comments, Ian?
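
Added example, not part of the original thread: the header checks made by hand in the posts above (MZ signature, DLL flag, linker and OS version, import and export directories), done with Python's `struct` module. The names `inspect_pe` and `build_sample` are hypothetical, and the sample bytes are constructed to mirror the values reported in the thread, not taken from a real .xmpskin file.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit: image is a DLL

def inspect_pe(data: bytes) -> dict:
    """Read the PE32 header fields discussed above; raise ValueError if absent."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("MZ stub without a PE header")
    # The 20-byte COFF file header follows the 4-byte PE signature.
    *_, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 96 or opt + opt_size > len(data):
        raise ValueError("truncated optional header")
    magic, link_major, link_minor = struct.unpack_from("<HBB", data, opt)
    if magic != 0x10B:
        raise ValueError("not a PE32 (32-bit) image")
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    (declared,) = struct.unpack_from("<I", data, opt + 92)
    # Trust only as many data directories as actually fit in the header.
    count = min(declared, (opt_size - 96) // 8)
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(count)]
    present = lambda i: i < count and dirs[i][0] != 0 and dirs[i][1] != 0
    return {
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "linker": (link_major, link_minor),
        "os_version": (os_major, os_minor),
        "has_exports": present(0),  # directory 0 = export table
        "has_imports": present(1),  # directory 1 = import table
    }

def build_sample() -> bytes:
    """Constructed header: DLL, linker 6.0, OS 4.0, imports but no exports."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, IMAGE_FILE_DLL | 0x0002)
    opt = bytearray(224)
    struct.pack_into("<HBB", opt, 0, 0x10B, 6, 0)    # PE32 magic, linker 6.0
    struct.pack_into("<HH", opt, 40, 4, 0)           # OS version 4.0
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, 0x3000, 0x50)  # import directory only
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    print(inspect_pe(build_sample()))
```
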

Ian @ un4seen

  • Administrator
  • Posts: 20721
Re: The secrets about .xmpskin
« Reply #4 on: 16 Jun '03 - 13:18 »
Shhhh! don't make me blank your HD, Boggy ;) ;D

Anyway, the reason they're DLL files is that they decompress themselves when loaded (ie. XMPlay doesn't decompress them). That's it :)

Torkell

  • Posts: 1169
Re: The secrets about .xmpskin
« Reply #5 on: 16 Jun '03 - 17:03 »
Let's see... to blank my HD you would need to bypass Windows security permissions (and I'm running 2000, so it's serious security unlike the joke that's in 9x/ME/XPhome)

Anyway... my next task is to download Petite and run that on the files (after renaming them) to see what happens. I might try that on XMPlay too just for the sake of it ;D

Torkell

  • Posts: 1169
Re: The secrets about .xmpskin
« Reply #6 on: 16 Jun '03 - 17:09 »
Code:

Decompression?
==============
There is no Petite decompressor. So if it is not possible for you to
re-install or re-compile a file, then you should keep a backup of the
original incase you should want to go back to it at any time.

Oh. Time for plan B. Anyone know of a program to generate pseudo-code from MS executables/dlls?

Fraggie

  • Posts: 714
Re: The secrets about .xmpskin
« Reply #7 on: 16 Jun '03 - 18:54 »
You can use ProcDump to "decompress" Petite'd exes.

Torkell

  • Posts: 1169
Re: The secrets about .xmpskin
« Reply #8 on: 16 Jun '03 - 19:43 »
Well let's have a look on Google...
Site no. 1 didn't like me.
Why it's listed in the BeOS category is beyond me.
Found a site and downloaded it.
It didn't like xmplay.exe (tried "*unknown*" and "Petite 2.0") - anyone else want to try?

Olego

  • Posts: 557
Heh
« Reply #9 on: 17 Jun '03 - 11:47 »
Well, on Petite's website, it was (c) 1999-2000.  So it's been 3 years, and Ian's probably made a change or 2 for himself.  Now, old XMPlays (i.e. 1.7) can be uncompressed, but as resources they only have icons.  The newest one can't be.  And I guess that's that.

~Olego~

Torkell

  • Posts: 1169
Re: The secrets about .xmpskin
« Reply #10 on: 17 Jun '03 - 16:48 »
Looks like I'll just have to do it the old-fashioned way: step through it with a debugger and debug info for all the MS libs