This article was migrated from the original blog.

Original URL: https://blog.betaworld.cn/672

Original author: BetaRookie

The body of the article follows.


672-1-Windows-1.0-Easter-Egg.png

Update: Sorry, was meant to publish this ages ago but didn’t get the time to film a proper video for it. You’ve probably read about it from somewhere else by now – but hey, at least this is the only article about the Easter egg written by the person who discovered it. Also that image up there is ugly lol.

I have discovered the Windows 1.x and 2.x Easter egg. Yep, you heard it right, the Windows 1.x and 2.x Easter egg. Microsoft did a fantastic job of hiding the Easter egg; it took us 37 years to find it. So what is the Easter egg? It is basically a credits screen that displays a scrolling list of Windows 1.x and 2.x developers.

So how did they hide it so well? Encryption and obfuscation. The name list is just a list of null-terminated strings, but instead of storing it in the data segment or as a string table or binary resource, they encrypted it and appended it to the end of a bitmap. Back then there were no tools to view bitmap resources in executables, and even if there had been, people would’ve simply viewed the bitmap as an image and neglected the binary data at the end.

The encryption is also the strongest out of all of Microsoft’s Easter eggs. It encrypts and decrypts the data with chained XOR. To decrypt it, you need to decrypt a byte by XORing it with the key, XOR the key with the decrypted byte, and repeat for the next byte until the EOF mark is reached. This makes it impossible to recognize the data as encrypted text and, needless to say, extremely hard to crack. Even if you were given the initial key, without knowing about the chained XOR operation, you can only decrypt a single byte – not going to be useful.
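The following is an added example, not code from the original post or from Microsoft, that reconstructs the chained-XOR scheme exactly as the paragraph describes it: each byte is XORed with the current key, then the key is XORed with the decrypted byte, until an EOF marker is reached. The EOF marker value (0xFF), the initial key (0x5A), the names, and the "length-prefixed pixels followed by ciphertext" container layout are all assumptions made for the example; the real Windows 1.x resource format is not given on the page. `naive_single_key_decrypt` shows what an analyst gets with the initial key but without knowing about the chaining.

```python
# Added example: reconstruction of the chained-XOR credits blob described in
# the post. EOF_MARK, INITIAL_KEY and the container layout are assumptions of
# this example, not the real Windows 1.x format.
import struct

EOF_MARK = 0xFF      # assumed plaintext end-of-list marker
INITIAL_KEY = 0x5A   # assumed starting key; the post does not give the real one


def pack_credits(names):
    """Serialise names as null-terminated ASCII strings followed by EOF_MARK."""
    out = bytearray()
    for name in names:
        raw = name.encode("ascii")
        if 0 in raw or EOF_MARK in raw:
            raise ValueError("names must not contain NUL or the EOF marker")
        out += raw + b"\x00"
    out.append(EOF_MARK)
    return bytes(out)


def chained_xor_encrypt(plain, key=INITIAL_KEY):
    """c[i] = p[i] ^ key, then key ^= p[i] before moving to the next byte."""
    out = bytearray()
    for p in plain:
        out.append(p ^ key)
        key ^= p
    return bytes(out)


def chained_xor_decrypt(cipher, key=INITIAL_KEY):
    """Mirror of encrypt: p[i] = c[i] ^ key, key ^= p[i]; stops at EOF_MARK.

    Returns the list of decoded names. Raises if no EOF marker is found, which
    is what happens when the wrong key or the wrong offset is used.
    """
    plain = bytearray()
    for c in cipher:
        p = c ^ key
        key ^= p
        if p == EOF_MARK:
            break
        plain.append(p)
    else:
        raise ValueError("EOF marker not reached")
    return [s.decode("ascii") for s in plain.split(b"\x00")[:-1]]


def naive_single_key_decrypt(cipher, key=INITIAL_KEY):
    """XOR every byte with the initial key only: correct for byte 0, garbage after."""
    return bytes(c ^ key for c in cipher)


def build_bitmap_resource(pixels, names, key=INITIAL_KEY):
    """Assumed container: 2-byte little-endian pixel length, pixel bytes, ciphertext."""
    credits = chained_xor_encrypt(pack_credits(names), key)
    return struct.pack("<H", len(pixels)) + pixels + credits


def extract_credits(resource, key=INITIAL_KEY):
    """Skip the 'image' part using the assumed length header, then decrypt the tail."""
    (pixel_len,) = struct.unpack_from("<H", resource, 0)
    return chained_xor_decrypt(resource[2 + pixel_len:], key)


if __name__ == "__main__":
    pixels = bytes(range(16))                 # constructed stand-in for pixel data
    names = ["Dev One", "Dev Two"]            # constructed names, not real credits
    blob = build_bitmap_resource(pixels, names)
    print(extract_credits(blob))
    print(naive_single_key_decrypt(blob[2 + len(pixels):]))
```

One design observation worth noting: because the key is updated as `key ^= p[i]` and `c[i] = p[i] ^ key`, the key used for byte i+1 is always equal to ciphertext byte i. So once the chaining rule is known, decryption reduces to XORing each ciphertext byte with the previous one, and the initial key only protects the first byte. The scheme's strength lies in nobody knowing it is there, not in the key.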

Now let’s talk about the obfuscation. It isn’t really the obfuscation we know today, but I call it obfuscation because it serves the same purpose of preventing people from getting anything useful out of the code. How did Microsoft do it? Back in the 80s, obfuscating the code could severely impact performance and potentially have all sorts of consequences, so they decided to obfuscate the function names instead. Very simple: all the Easter egg functions were given highly misleading names, so if you’re searching for Easter eggs, when you see them you’ll automatically skip them. They also wrote all the functions very carefully so that they have other purposes as well, for example to process system messages while checking for the Easter egg keystrokes.

How hard is it to trigger the Easter egg? Extremely hard. If you don’t already know the keystrokes, there is no way you can trigger it by accident. You must do the following to trigger it: Alt key down, Esc key down, Alt key up, Esc key up, Esc (down and up), Esc (down and up) and finally hit the Backspace key. You also have to press them fast; otherwise they’ll be treated as multiple keypresses. In Windows 2.x, it became F1, F5, F9, F4 and Backspace, but still, not something you can type by accident.

Now the interesting part: why did they put in so much effort just to hide a credits list? Well, here is the full story. It wasn’t well-hidden at all in the beginning; you only needed to hit a few commonly-used keys for it to pop up. One day Bill Gates, the co-founder of Microsoft, decided to take a look at the progress of Windows; he pressed a few keys to test the input or something, and the Easter egg popped up. He ordered the person who wrote the Easter egg to remove it, as it was a waste of memory and machine cycles (every input event needs to be checked for the sequence, that’s a few hundred cycles per mouse click and keypress). Did he obey Bill Gates’ order? Nope. Instead of removing it, he did the direct opposite: he buried it deeper – causing more memory to be used and machine cycles to be wasted. Windows back then performed very poorly and consumed huge amounts of memory, and that was one of Bill Gates’ biggest concerns, so knowing about the potential severe consequences, he made it almost impossible to find/trigger. I can imagine that he probably also made it very hard to find even with source code access, because I wouldn’t be surprised if Bill Gates also read over the Windows 1.0 source code some time before its release.

Well, a Windows 1.0 developer who knew about the Easter egg sold him out after I posted about it on Twitter. Unlucky. I’m not going to disclose names but it shouldn’t be too hard to find out.

Anyway, we’re not done with Easter eggs yet. This is only the Windows 1.x and 2.x Easter egg. I’ll write about the Windows 3.0, 3.1 and Windows 95 Easter eggs when I get time.

Tags: Windows, Easter egg, Windows 1.0