The hex stories – hex wordsmiths playing with the hex words in the hex world

I was wondering what is the longest meaningful phrase made out of words containing only letters A..F – the only letters that are allowed in a hexadecimal system. After downloading some word lists I came up with the following:

  • facaded facade –  a double facade
  • defaced deface – when a hacked entity that was already hacked is hacked again before recovery (i.e. double defaced)
  • beefed beef – the beef that is very juicy, or with a lot of marble, or it’s stinky
  • be deaf be deaf, be dead, be dead – probably part of some lyrics
  • decaffaced – to be overdecaffeinated

And the short story about the little deaf bee that discovered that her dad is a hated fed abusing decaffeinated coffee (probably both attended the Defcon):

a deaf baffed babe bee faced decaffaced dad: a fed! 
be dead, facaded face! bad dad!

After playing with it and wondering what the heck am I doing I decided to google around, and.. turns out I was not the first one to think of it. There are actually more similar efforts.

Beyond good ol’ Run key, Part 40

And here we are… another round anniversary…

To celebrate this special event, I have prepared a special dish for Windows 10 lovers 🙂

To inaugurate the celebration:

  • Create C:\Program Files\Internet Explorer\suspend.dll
  • Profit

Yup. It will launch anytime user starts IE. And when they exit it (the life of a DLL…).

To continue the festivities:

  • Create phoneinfo.dll anywhere the PATH points to, or inside the c:\windows\system, C:\Windows\System32\wbem or on the Desktop – IE will try really hard to load it:
    phoneinfo
  • Profit

Yup. It will launch anytime user starts IE too. And yup, when they exit it too.

It does work for 64-bit processes too.

And the final fanfares…

When your program crashes on Windows 10, werfault.exe will attempt to load loads of non-existing debugging extensions.:

  • C:\Windows\SYSTEM32\WINXP\uext.dll
  • C:\Windows\SYSTEM32\winext\uext.dll
  • C:\Windows\SYSTEM32\winext\arcade\uext.dll
  • C:\Windows\SYSTEM32\pri\uext.dll
  • C:\Windows\System32\uext.dll
  • C:\Windows\SYSTEM32\winext\arcade\uext.dll
  • C:\Windows\System32\uext.dll
  • C:\Windows\SYSTEM32\WINXP\ntsdexts.dll
  • C:\Windows\SYSTEM32\winext\ntsdexts.dll
  • C:\Windows\SYSTEM32\winext\arcade\ntsdexts.dll
  • C:\Windows\SYSTEM32\pri\ntsdexts.dll
  • C:\Windows\System32\ntsdexts.dll
  • C:\Windows\SYSTEM32\winext\arcade\ntsdexts.dll
  • C:\Windows\System32\ntsdexts.dll

Bonus #1:

The phoneinfo.dll DLL seems to be used by a lot of processes (it is actually loaded by urlmon.dll, so lots of processes are affected).

Bonus #2:

Cursory analysis of code that is responsible for loading this DLL indicates that it’s most likely code used on Windows phones-only and it’s just the DLL is not present on Desktop Windows (yet the code loading the phantom DLL remained). The DLL is responsible for telling the urlmon what Phone Manufacturer and Model to add to one of the internal User Agent strings inside the urlmon library