First essay: What's behind the mm256.dat and mm2048.dat files?
A small
contribution in order to damage Micro$oft
by Fravia+, 15 June 1998
Quite some time ago I started my studies of the two 'mysterious' files mm256.dat and mm2048.dat.
Apart from the funny names (and we should never underestimate
the importance of names on the web... a name like mm256.dat sounds MUCH more neutral and
uninteresting than, say "peeping.tom") there seem to be
very few serious material about these two files on the net. Both files contain, among other things
(for instance all the URL you visited in your lifetime) the complete directory structure of your bootdrive (!!)
The Mm256.dat file is used to store the identification numbers of Web
pages whose Web addresses are equal to or less than 256 characters. The
Mm2048.dat is used to store the identification numbers of Web pages whose
Web addresses are between 257 and 2048 characters.
Recently a German friend (Chiphead) wrote me asking why these two files
were not mentioned on my pages, since
they represent classical
examples of Micro$oft's 'concealed' activities. The simple answer is that I have NOT yet
finished my studies on these files. But, he is right, and the question deserves to be
cracked (in the BEST sense of this great word). Since I have "a lot of other cats to whip",
I have decided to publish this essay right now even if it is NOT ready.
Besides,
I publish this now also in the hope to damage a little more Micro$oft's current 'delicate'
legal situation.
Look
at this unfinished essay as a 'base of
discussion' for your own work on this area, I just hope to start a "rolling avalanche" of nice
reversing sessions: therefore, PLEASE, by all means, do
contribute and help, because I must confess that
the more I examine these files (and their "regenerating" behaviour), the more I'm
puzzled. This is either the definitive proof that Billgato is cheating or the definitive
proof that Billgato (and his minions) are absolute software lamers.
The fact is,
as you will read here, that
Micro$oft's
Windows 95, (in conjunction with Internet Explorer) slips
unwanted files (Mm2048.dat & Mm256.dat)
on your hard disk without your knowledge or permission (5 to 7 copies of each
for a total of 5 to 20 megabytes. No wonder your harddisk space is vanishing!)
MS tech support claims that you are not even supposed
to know that they exist and anyway you cannot delete them: here the only
explanations given -grudgingly- by Micro$oft itself:
The Mm256.dat and Mm2048.dat files are cache files used by Internet
Explorer. When you visit a Web page, Internet Explorer assigns the Web
address a unique identification number and searches the Mm256.dat and
Mm2048.dat files for that identification number. If the Web page's
identification number is found, the contents of the Web page are stored
locally on your computer's hard disk and Internet Explorer uses the
locally stored content instead of downloading the information from the
Internet. If the Web page's identification number is not found, the
contents of the Web page must be downloaded from the Internet. This occurs
if you have not visited the Web page before, the Web page has changed, or
the Web page's identification number has expired. When the Web page's
content has been downloaded to the hard disk, the Mm256.dat or Mm2048.dat
file is updated with the Web page's identification number.
The above words, if you apply the simplest "semanthical reversing"
techniques, do not
mean much... (ok, I'll concede that you know now that mm256.DAT is basically meant
for cookies,
and mm2048.dat, instead, for web-pages) and the same words for sure don't explain either
why these heavy monsters hyde the complete directory structure of your
bootdrive as well inside their mysterious guts.
Come to think of it, the words do
not seem to explain much why
these files pop up inside harddisks of people that is NOT USING M$IE at all
either.In my opinion the real interesting question therefore is: if this are the
concealed activities of Windows 95 (and NT)... what will Windows
98 with built-in Internet Explorer be able to do to your hard drive and
to your privacy?
Let's start with the facts
Let's have a look at mm256.dat and mm2048.dat, and see they are NOT THE SAME THING in
various copies: in fact they come in three "flavours" (each):
"small", "median" and "big" (in the case of mm2048.dat I would say "huge": more than a million
bytes for each copy in my computer, but if you really browse a lot you may have some overbloated
"3 millions bytes" beasts inside yours! (And this even if you may have set the
"number of days to keep history"
to "1"... Have a look for yourselves :-)
In fact you (yes, each one of you, my dear readers) have numerous copies
of these two files inside your harddisk.
There is a copy of both inside c:\windows\history ("big" mm256.dat around 200.000 bytes
and "middle" mm2048.dat, same size)
There is a copy of both inside c:\windows\cookies ("small" versions of both,
respectively 16.000 and 8.000 bytes)
There is a copy of mm256.dat inside c:\windows\temp ("big" version, same as the one
in c:\windows\history)
There is a copy of both inside each of the four cache subdirectories c:\windows\tempor~1\cache1~2~3~4
("middle" mm256.dat at 65.536 bytes,
"huge" mm2048.dat at more than a million bytes each... incidentally this takes 5 megabytes of your
hard disk space without neither asking nor even showing the culprits)
BTW, You will not see the huge files in the caches with explorer (in fact,
you won't see
the subdirectories of c:\windows\temporary internet files: cache1, cache2, cache3
and cache4 at all).
Good old dos, being MORE user friendly, even if it will still show
you an empty c:\windows\tempor~1 directory, will allow you to enter the command
cd c:\windows\tempor~1\cache1 (or cache2, or cache3 or cache4) and
will tehrefore allow you to have a look at the hidden cache goodies. Of course there are
thousand good utilities to sniff them nevertheless, (provided you know their names)
As I said, a couple of our targets dwells inside the 'history' folder as well. In
fact the History folder is not containing what you can see with Micro$oft's explorer. If
you use FindFirstFile... or if you go with a command line and use DIR, you
will find there 3 files: desktop.ini, mm256.dat ('big') and mm2048.dat ('median')
that contain the
information displayed by the explorer. History is in fact the junction
point of a namespace extension (a shell extension).
At first glance all this saga could look just like a sort of semi_automated database
storage and retrieval system for cookies
and cached pages and images (in fact inside these targets there are in extenso
ALL the URLs you have visited from
your childhood until a second ago) bizarre, yet somehow understandable...
The ones in the Temporary Internet Files Folder contain the mapping that associates files to actual web-page elements in the cache.
A cursory look at the contents of those in the Cookies folder show they
contain references to at least some (if not all)
the cookies set in the browser.
If all files except these two are deleted from the Cookies Folder
after M$IE has been shut down, no persistent cookies
will be reloaded into Internet Explorer the next time it is
launched.
It may be that these
files act as a database to store and retrieve cookies while the
browser is running... but they do not seem to be used to
reload cookies. Any other guesses?
They are most persistant files, difficult but not impossible to get rid of, even though they often regenerate. Usually you have 13 of them, at times some more. They can often be found in c:\windows\cookies c:\windows\history and c:\\windows\tempor~1\cache1 & cache 2 & cache3 & cache4, but they may appear also in your c:\windows\java\hist# folders.
FF-File Find, ZauberEdition 0.50 C:\WINDOWS\TEMPOR~1\CACHE1 mm256.dat 32.768 bytes 13:16 Fri12Jun98 -median C:\WINDOWS\TEMPOR~1\CACHE2 mm256.dat 40.960 bytes 13:16 Fri12Jun98 -median C:\WINDOWS\TEMPOR~1\CACHE3 mm256.dat 32.768 bytes 13:16 Fri12Jun98 -median C:\WINDOWS\TEMPOR~1\CACHE4 mm256.dat 32.768 bytes 13:16 Fri12Jun98 -median C:\WINDOWS\HISTORY mm256.dat 180.224 bytes 13:16 Fri12Jun98 -big C:\WINDOWS\COOKIES mm256.dat 8.192 bytes 13:16 Fri12Jun98 -small 6 files found oh great master! FF-File Find, ZauberEdition 0.50 C:\WINDOWS\TEMPOR~1\CACHE1 mm2048.dat 1.310.720 bytes 13:16 Fri12Jun98 -huge C:\WINDOWS\TEMPOR~1\CACHE2 mm2048.dat 1.253.376 bytes 13:16 Fri12Jun98 -huge C:\WINDOWS\TEMPOR~1\CACHE3 mm2048.dat 1.269.760 bytes 13:16 Fri12Jun98 -huge C:\WINDOWS\TEMPOR~1\CACHE4 mm2048.dat 1.187.840 bytes 13:16 Fri12Jun98 -huge C:\WINDOWS\HISTORY mm2048.dat 532.480 bytes 13:16 Fri12Jun98 -median C:\WINDOWS\COOKIES mm2048.dat 8.192 bytes 13:16 Fri12Jun98 -small 6 files found oh great master!
For the Cookies simply change the label in the Registry which will keep M$IE from writing into these 2 directories. If you don't clear M$IE's cache after these Registry changes you can still see all 'History' data in the history folder when using M$IE but if you check that directory, it should contain 3 files with more or less 17000 bytes. The History data will be shelled into this directory from M$IE's disk cache. I DO NOT know -honestly- if this will always work :-(
What if micro$oft secretly uploaded the contents of these files to an
invisible incoming folder when you access sites like hotmail or anything
on M$N and arranged them in database like form??
AN ERGONOMIC STUDY OF THE COMPUTING WORLD. That's what you would have.
That has to be part of the reasoning behing Micro$oft's secrecy behind
them. It makes sense to me. They can give people what they want by
spying on what they do and making that content readily accessible and
conviently commercialized.
That would be so sweet if that theory became public, don't you think?
Keep on Cracking....
~JaY~