“Malicious” Magic Squares

Update

Found one more 🙂

   L   I   S   T   A   S
   I   M   P   O   R   T
   S   P   U   L   E   R
   T   O   L   O   S   E
   A   R   E   S   E   S
   S   T   R   E   S   S

Old post
As a kid I loved to solve crosswords; I also published my own (together with various riddles).

I was especially fond of magic squares, e.g. a classic one:

S     A     T     O     R
A     R     E     P     O
T     E     N     E     T
O     P     E     R     A
R     O     T     A     S

and palindromes e.g.

malayalam

and anything that would be a bit unusual (e.g. 7-letter words with 4 As, partially overlapping words, etc.).

When I learned programming I wrote various cross-word generators including one for magic squares.

Finding magic squares is very easy for 3-, 4- and 5-letter words. It gets a bit more challenging with 6 letters, though it's still quite easy, and it gets really tough with 7, 8 or 9 letters.

Having nothing else to do, today I tried to see how my old code would perform taking a small database of malware-related keywords as a base. To my surprise, it actually found a few magic squares for 6 characters!

Here they are:

G   A   G   G   L   E
A   P   R   O   O   L
G   R   O   O   V   E
G   O   O   B   E   R
L   O   V   E   N   A
E   L   E   R   A   D

H   A   L   E   S   S
A   T   O   M   I   C
L   O   O   P   E   R
E   M   P   I   R   E
S   I   E   R   R   A
S   C   R   E   A   M

I   S   T   B   A   R
S   P   A   R   S   E
T   A   R   A   P   A
B   R   A   B   A   N
A   S   P   A   D   E
R   E   A   N   E   T

If you google these words, you will find out that all of them are actual names of malware.

Bonus

How often do you see code like this nowadays? Addressing via seg:ofs was a real pain in 16-bit real mode 😉

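               xor dx,dx                ; dx will collect the carries
               mov ax,word ptr fs:[si]  ; load a 16-bit value from fs:[si]
               add ax,ax                ; double it
               adc dx,0                 ; add the carry-out to dx
               add ax,ax                ; double it again
               adc dx,0                 ; add the carry-out to dx
               shl dx,12                ; dx * 1000h paragraphs = dx * 64 KB
               add dx,CS:DSegm0         ; add the word stored at CS:DSegm0
               mov es,dx                ; es = resulting segment
               mov bx,ax                ; bx = low word, so es:bx is the seg:ofs pair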

              [...]

UVWATAUAVAWH – Meet The Pushy String

The title of this post is not a secret message and I am not intoxicated.

UVWATAUAVAWH happens to be the most popular string extracted from all .exe, .dll and .sys OS files on my 64-bit Windows. The string is so popular and at the same time suspicious that if you google it you will find people theorizing about it having something to do with BSODs / being a part of some internal ZeroAccess secret language.

If you convert the characters into hex:

UVWATAUAVAWH

you will get a string of bytes like these:

55 56 57 41 54 41 55 41 56 41 57 48

and these can also be read as opcodes:

U  - push    rbp
V  - push    rsi
W  - push    rdi
AT - push    r12
AU - push    r13
AV - push    r14
AW - push    r15
H  - part of sub rsp, xxx opcode

The sequence is a very typical prologue for functions (64-bit code) – so typical that it is all over the place together with its variants (see below); the ‘vowelized’ properties of these strings remind me of an interesting paper about shellcodes that look like English text.

UVWATAUAVAWH
WATAUH
WATAUAVAWH
SUVWATAUAVAWH
SUVWATH
VWATAUAVH
SUVWATAUH
ATAUAVH
USVWATAUAVAWH
UVWATAUH
SUVWATAUAVH
SVWATAUAVAWH
USVWATH
USVWATAUH
USVWATAUAVH
VWATAUAVAWH
WAVAWH
ATAUAVAWH
VWATAUAWH
WATAVH
UVWATAUAVH
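
The byte-to-opcode mapping above can be applied mechanically to any extracted string. The following is an added example, not code from the original post: it decodes a string as a run of x64 push instructions and filters such strings out of a strings dump. The function names and the SAMPLE list are assumptions made for illustration.

```python
# Added example: decode "pushy" ASCII strings as x64 push-register prologues.
LOW = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]   # opcodes 50h-57h
HIGH = ["r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]    # 41h + 50h-57h
REX_W = "rex.w (first byte of the next instruction)"             # 48h, e.g. sub rsp

def decode_prologue(text):
    """Return the instructions the string's bytes encode, or None if the
    string is not a pure run of pushes optionally ended by one 48h byte."""
    try:
        data = text.encode("ascii")
    except UnicodeEncodeError:
        return None
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0x50 <= b <= 0x57:                       # 'P'..'W': push rax..rdi
            out.append("push " + LOW[b - 0x50])
            i += 1
        elif b == 0x41 and i + 1 < len(data) and 0x50 <= data[i + 1] <= 0x57:
            out.append("push " + HIGH[data[i + 1] - 0x50])  # 'A' is a REX.B prefix
            i += 2
        elif b == 0x48 and i == len(data) - 1:      # trailing 'H' is a REX.W prefix
            out.append(REX_W)
            i += 1
        else:
            return None
    return out

def is_prologue_string(text, min_pushes=2):
    """Heuristic: pushes only, ending in 'H', like every variant listed above."""
    decoded = decode_prologue(text)
    if not decoded or decoded[-1] != REX_W:
        return False
    return len(decoded) - 1 >= min_pushes

def drop_prologue_noise(strings):
    """Remove prologue-shaped strings from a list of extracted strings."""
    return [s for s in strings if not is_prologue_string(s)]

# Constructed sample: three strings from the list above mixed with ordinary ones.
SAMPLE = ["UVWATAUAVAWH", "kernel32.dll", "SUVWATH", "HELLO", "WAVAWH", "STATUS"]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s, "->", decode_prologue(s))
    print(drop_prologue_noise(SAMPLE))
```

This is only a heuristic: "STATUS" decodes as five valid pushes and is kept solely because it lacks the trailing H, while a short word such as "PUSH" would pass the check.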