The Evidence Eliminator Documents

EE Runtime

Here's what BinText, Blobview, Memview, Peeper and X-tool find out about Evidence Eliminator v5.0.

First off, the EXE is not really 738KB. That is the packed size on disk: EE is compressed with Mark Adler's Inflate v1.0.4 and unpacks to 1.53MB, or 1,601,536 bytes.

Second, EE loads one library dynamically at runtime. This library is copied into your system directory on install. It is eemath64.dll, the 'Evidence Eliminator Maths DLL'. It contains four exported functions:

EEMATH64_Add
EEMATH64_Div
EEMATH64_Mul
EEMATH64_Neg (sic)

The DLL links the MSVC runtime statically, was most likely built with MFC, and is not compressed.

Without Adler's decompression tools to hand, finding out what goes on inside EE can only be done at runtime, after the packer has unpacked the program into memory. Once EE is loaded it can be selected within X-tool and its virtual memory map brought up in Memview. Once that image has been dumped to disk it can be investigated with any number of tools.

EE loads at 00400000h (4MB), all into one section, which consumes 1.43MB of RAM. With the unpacked image on disk, EE's dependencies and headers can be read clearly.

Evidence Eliminator was built on Wednesday 18 October 2000 at 17:30:01 UTC (from the PE header timestamp). It references MFC functions, creates Registry keys, and accesses both WIN.INI and other INI files. It makes at least one low level disk API call (DeviceIoControl, the Win32 call for talking to a device driver directly). It was built with Visual Studio 6, with Visual Basic 6 (the VB98 folder is where VB6 installs) on the development machine at

C:\Program Files\Microsoft Visual Studio\VB98
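The build date, image base and single-section layout above are all read straight out of the PE headers of the dumped image. As an added example, not code from the page or from any of the tools it names, here is a small PE32 header parser that pulls exactly those fields, plus a rough packer heuristic (a lone section, or one far larger in memory than on disk). It runs over a constructed set of headers whose values mirror what the text reports; the section name, linker version and the header bytes themselves are assumptions, not data from EE.

```python
import struct
from datetime import datetime, timezone

# Constructed sample, not bytes from Evidence Eliminator: only the PE layout
# is real. The field values mirror what the text reports (a 2000-10-18
# 17:30:01 UTC stamp, ImageBase 0x400000, one section far larger in memory
# than on disk) so the parser's output can be checked against the page.
SAMPLE_STAMP = int(datetime(2000, 10, 18, 17, 30, 1,
                            tzinfo=timezone.utc).timestamp())
# (name, virtual_size, virtual_address, raw_size, raw_pointer)
SAMPLE_SECTIONS = [(b".text", 1601536, 0x1000, 738 * 1024, 0x400)]


def build_sample_pe(timestamp, image_base, sections, linker=(6, 0)):
    """Emit minimal PE32 headers (DOS stub, COFF header, optional header,
    section table) with no section bodies. Linker 6.0 is what the MSVC 6
    linker writes; everything else is filler."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)   # e_lfanew at 0x3C
    dos += b"\0" * (e_lfanew - len(dos))
    opt_size = 224                                           # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), timestamp,
                       0, 0, opt_size, 0x010F)               # i386; EXE, 32-bit, stripped
    opt = struct.pack("<HBBIIIIIII", 0x10B, linker[0], linker[1],
                      0, 0, 0, 0x1000, 0x1000, 0x2000, image_base)
    opt += b"\0" * (opt_size - len(opt))
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr,
                    0, 0, 0, 0, 0x60000020)                  # CODE|EXECUTE|READ
        for name, vsize, vaddr, rawsize, rawptr in sections)
    return dos + b"PE\0\0" + coff + opt + table


def parse_pe(data):
    """Read the fields a triager looks at first: build timestamp, linker
    version, image base and the section table. PE32 only."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                       # optional header follows COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 handled here")
    lmaj, lmin = struct.unpack_from("<BB", data, opt + 2)
    (image_base,) = struct.unpack_from("<I", data, opt + 28)
    sections, off = [], opt + opt_size
    for _ in range(nsec):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "raw_pointer": rawptr})
        off += 40                             # IMAGE_SECTION_HEADER is 40 bytes
    built = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return {"machine": machine, "built": built.strftime("%Y-%m-%d %H:%M:%S UTC"),
            "weekday": built.strftime("%A"), "linker": "%d.%d" % (lmaj, lmin),
            "image_base": image_base, "sections": sections}


def looks_packed(info):
    """Rough packer heuristic: a single section, or any section whose size in
    memory is more than twice its size on disk (the unpacker fills the gap)."""
    secs = info["sections"]
    if len(secs) <= 1:
        return True
    return any(s["raw_size"] * 2 < s["virtual_size"] for s in secs)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe(SAMPLE_STAMP, 0x400000, SAMPLE_SECTIONS))
    print(info["built"], info["weekday"], hex(info["image_base"]), "linker", info["linker"])
    for s in info["sections"]:
        print(s)
    print("packed?", looks_packed(info))
```

Point it at a real dump by reading the file into `data` and calling `parse_pe`; on a packed binary the section table will look nothing like the one the unpacked image shows in memory, which is the whole reason for dumping at runtime.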

It is prepared to not be able to find either your Windows or your system directory, in which case it will recommend you reinstall your operating system (!). It is prepared to not be able to find your desktop either, or smartdrv.exe, or regedit.exe, in which case again it has but one remedy to suggest.

Unable to get WINDOWS location. Windows is corrupt. Please reinstall Windows.

Unable to get SYSTEM location. Windows is corrupt. Please reinstall Windows.

Unable to get DESKTOP location. Windows is corrupt. Please reinstall Windows.

Warning: The file SMARTDRV.EXE was not found in your Windows folder. Please re-install Windows to correct this problem. Evidence Eliminator will now stop.

Warning: Compacting the Windows registry is not possible because the file regedit.exe was not found in your Windows folder. Please re-install Windows to correct this problem.

It drops a batch file into your Windows\COMMAND directory which it calls from time to time:

: Evidence Eliminator generates this file. Do not edit it!!
@ECHO OFF
CLS
C:\WINDOWS\COMMAND.COM /C C:\WINDOWS\COMMAND\EEMAIN.BAT
@ECHO Securing final temporary files...
C:\WINDOWS\COMMAND\ESDOSDEL.COM ,9 C:\WINDOWS\COMMAND\EEMAIN.BAT
ECHO.
ECHO.
ECHO                    ╔══════════════════════════════════════╗
ECHO      ┌─────────────║        Processing completed.         ║─────────────┐
ECHO      │             ╚══════════════════════════════════════╝             │
ECHO      │                                                                  │
ECHO      │                       Evidence Eliminated                        │
ECHO      │                                                                  │
ECHO      │             ╔══════════════════════════════════════╗             │
ECHO      └─────────────║  It is now safe to turn off your PC  ║─────────────┘
ECHO                    ╚══════════════════════════════════════╝
ECHO.
CD\

It also has a power-down COM file in this directory (power.com), the file eedoscom.com, and amazingly enough manages to get two files with the same name in here as well (eedosdel.com, 646 bytes and 642 bytes respectively; note that the batch file above spells it ESDOSDEL.COM), something which has been rare since the old copy-protected DOS diskette days.

It also gets a PIF file in the PIF directory (EEPIF.pif) which issues the command '%COMSPEC% /K EECTRL.BAT' when needed (/K keeps the command interpreter open after the batch file finishes).

When it's time for EE to wipe free space (what its own messages call 'cleaning free space'), it creates the directory

C:\eetemp

and starts filling it with files 64MB in size until your disk is full; it then 'shreds' these files and releases them. Note that this only overwrites unallocated clusters, not the slack at the tail of existing files. It attempts (unsuccessfully) to disable the 'low disk space broadcast' prior to the operation, and is ready with news of that matter at any time:

NOTE: You can safely ignore any 'Disk Full' messages from the system.

Or can you?

A Disk Full Error occurred as EE was cleaning free space. Please run ScanDisk for Windows from your Start Menu to correct this error.

A Disk Full Error has occurred. Please run ScanDisk to fix this disk.

Error while eliminating free space.
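The fill, overwrite and release sequence above is the standard way to wipe free space from user mode, and the 'Disk Full' messages are its natural failure mode: the filling step is supposed to end in a disk-full error, and the fill files must be released whatever happens afterwards, or the volume is left full. As an added example, not EE's code and not from the page, here is that procedure in Python with the disk-full condition treated as the normal terminator and the cleanup in a finally block; the file names, patterns and the bounded demo parameters (a temp directory and a byte cap instead of the real disk) are assumptions.

```python
import errno
import os
import tempfile

CHUNK = 64 * 1024 * 1024       # the 64MB fill-file size the text reports


def fill_until_full(directory, chunk_size=CHUNK, max_total=None, fill=b"\x00"):
    """Create chunk_size files in `directory` until the filesystem returns
    ENOSPC, or until max_total bytes are written (for a bounded demo run).
    Returns (paths, bytes_written). A short last file is the normal end."""
    block = fill * min(chunk_size, 1 << 20)          # write in 1 MiB pieces
    paths, written = [], 0
    while max_total is None or written < max_total:
        path = os.path.join(directory, "eefill%05d.tmp" % len(paths))
        paths.append(path)
        remaining = chunk_size if max_total is None else min(chunk_size, max_total - written)
        try:
            with open(path, "wb") as fh:
                while remaining > 0:
                    piece = block[:min(len(block), remaining)]
                    fh.write(piece)
                    written += len(piece)
                    remaining -= len(piece)
                fh.flush()
                os.fsync(fh.fileno())
        except OSError as exc:
            if exc.errno != errno.ENOSPC:
                raise
            break      # disk full: the terminating condition, not a fault
    return paths, written


def overwrite_and_release(paths, passes=(b"\xff", b"\x00")):
    """Overwrite every fill file with each pattern, then delete it. The delete
    runs in a finally block so a failed pass never leaves the volume full,
    which is the 'Disk Full' state the EE messages describe."""
    try:
        for pattern in passes:
            for path in paths:
                size = os.path.getsize(path)
                block = pattern * min(size, 1 << 20)
                with open(path, "r+b") as fh:
                    done = 0
                    while done < size:
                        piece = block[:min(len(block), size - done)]
                        fh.write(piece)
                        done += len(piece)
                    fh.flush()
                    os.fsync(fh.fileno())
    finally:
        for path in paths:
            try:
                os.remove(path)
            except FileNotFoundError:
                pass


def wipe_free_space(directory, chunk_size=CHUNK, max_total=None):
    """Fill, overwrite, release. Returns a summary including any file that
    somehow survived the release step (should always be an empty list)."""
    os.makedirs(directory, exist_ok=True)
    paths, written = fill_until_full(directory, chunk_size, max_total)
    overwrite_and_release(paths)
    return {"files": len(paths), "bytes": written,
            "left_behind": [p for p in paths if os.path.exists(p)]}


def demo_run(chunk_size=4096, max_total=3 * 4096 + 100):
    """Bounded run in a fresh temp directory: 4 KiB chunks, capped at
    12 KiB + 100 bytes, so nothing fills the real disk. Returns the summary
    plus whether the directory was left empty."""
    directory = tempfile.mkdtemp(prefix="eetemp-")
    try:
        result = wipe_free_space(directory, chunk_size=chunk_size, max_total=max_total)
        result["dir_empty"] = os.listdir(directory) == []
        return result
    finally:
        for name in os.listdir(directory):
            os.remove(os.path.join(directory, name))
        os.rmdir(directory)


if __name__ == "__main__":
    print(demo_run())
```

Run with `max_total=None` on a scratch volume to fill it for real; the cap exists only so the demo (and the test) finish in a few milliseconds.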

It is also prepared to signal you when your product is growing whiskers:

SECURITY WARNING:

This version of Evidence Eliminator is more than six weeks old. To keep your protection up-to-date, please connect to the internet and check for the latest version at:
http://www.evidence-eliminator.com/downloads.shtml
Date warning: The last program you ran is now out-of-date. To keep your system running properly, please connect to the internet and obtain the latest software upgrades.

It is also prepared to act as an upgrade rather than a full new install.

Evidently protecting the Recycle Bin can lead to problems... And it is very adamant that we check the Windows Millennium section of its CHM file.

It also informs us that we who purchase the product do not actually own our KeyCodes, we're merely licensing them, and does so in a way guaranteed to warm our hearts:

By entering your KeyCodes you accept:
  1. That these KeyCodes have been legitimately licensed from an authorized source.
  2. That the software vendor maintains lists of stolen or banned KeyCodes.
  3. That if stolen or banned KeyCodes are entered, the program may, silently, and without warning, at any time, cease to perform as advertised, even though it may appear to be working correctly.
  4. Entering your KeyCodes signifies acceptance of these terms. To confirm that your KeyCodes are legitimate, please press OK.
Sorry, your KeyCodes have been reported fraudulent.

You will now be taken to the Technical Support page which will show you how to enter your KeyCodes properly. Please connect to the Internet and then press OK.

Ah, but this is only the beginning:

WARNING: You are about to be LOCKED-OUT of Evidence Eliminator.

WARNING: You will NEVER be able to run Evidence Eliminator again.

To quit safely now, you must press CANCEL. To go ahead with the LOCK-OUT, Press OK. To Quit and preserve your privacy, press Cancel.

WARNING: Your PC will probably slow down if you press OK. Every move you make on the Internet will be recorded forever and can be recovered to be used as EVIDENCE against you at a later date in a CRIMINAL COURT OF LAW.

FINAL WARNING: PRESS CANCEL TO STOP THIS PROCESS NOW.

LOCK-OUT COMPLETED. This program will now terminate. Restart the program for further instructions.

This machine has been officially LOCKED-OUT from running Evidence Eliminator.

Although the program claims to run under NT, there's a hitch - or two (nice to know):

In Windows NT, this program requires NT5 Windows 2000 or higher. Not for NT4.

Error: Unsupported operating system.

NT reports non FAT/FAT32 filesystem. NTFS is not supported by EE.

The program claims to scramble even file attributes:

Safety Message: Scrambling of Attributes has been enabled.

In case you're still fretting about how EE overwrote your precious system files, there's a smooth answer: suppress the warnings Windows would otherwise give about the replaced DLL versions.

To stop Windows displaying DLL Version notices on bootup, it is recommended that you also mark the checkbox: De-activate DLL Version messages.

It turns out EE even has a file in your system directory (eetransx.exe) described as 'Part of the Evidence Eliminator package.'

Also, some options can be disastrous, and the user must be duly warned:

This will delete ALL files in the named paths or drives! Please re-check your settings now.

Warning: You have selected to eliminate an entire drive.

Second warning: the entire of drive (sic) is about to be deleted. Are you sure?

It seems our VB gurus also resort to DOS commands to accomplish a few things (the ATTRIB call clears the read-only, system and hidden bits and sets archive, so the file can then be deleted):

ATTRIB -R +A -S -H
RMDIR

All in all, EE seems a bit hot under the collar to have you reinstall Windows all the time:

Error: Evidence Eliminator has detected a blank path for your Internet Cache folder. Your Windows installation may be faulty. Please fully reinstall Windows immediately.

Sometimes EE can be hard even on itself:

win386.swp has been detected.

Evidence Eliminator has tried to delete it and FAILED to delete it.

This indicates that the file is IN-USE and LOCKED.

All in all, EE contains the string 'Evidence Eliminator' 73 times; the string 'Error' 263 times; and the string 'MS Sans Serif' 48 times.
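Counts like these come from running a strings tool such as BinText over the dumped image and tallying hits. As an added example, not BinText's code and not from the page, here is a minimal extractor that finds both 8-bit ASCII runs and UTF-16LE runs (the form in which MFC and VB programs carry most of their text, which a plain ASCII scan would miss) and counts occurrences of chosen needles. It runs over a constructed byte buffer standing in for a memory dump; the buffer contents are made up for the demonstration.

```python
import re

# Constructed image fragment, not a dump of EE: a few ASCII strings, one
# UTF-16LE string and some filler bytes, so the extractor has both kinds
# of run to find.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"Evidence Eliminator Maths DLL\x00"
    + b"\x90\x90\xcc"
    + "Error: Unsupported operating system.".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02MS Sans Serif\x00"
    + b"C:\\WINDOWS\\COMMAND\\EEMAIN.BAT\x00"
    + b"Evidence Eliminator\x00" * 2
    + b"Er\x00ror"            # fragments shorter than min_len are ignored
)


def extract_strings(data, min_len=4):
    """Return (offset, kind, text) for every run of at least min_len printable
    characters: kind 'A' for 8-bit ASCII, 'U' for UTF-16LE. Offsets are into
    `data`, i.e. into the dumped image, so a hit can be located in a viewer."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "A", m.group().decode("ascii"))
             for m in ascii_run.finditer(data)]
    found += [(m.start(), "U", m.group().decode("utf-16-le"))
              for m in wide_run.finditer(data)]
    return sorted(found)


def count_occurrences(strings, needles):
    """Total occurrences of each needle across the extracted strings (a
    needle that appears twice in one string counts twice)."""
    return {n: sum(text.count(n) for _, _, text in strings) for n in needles}


if __name__ == "__main__":
    found = extract_strings(SAMPLE_IMAGE)
    for offset, kind, text in found:
        print("%08X %s %s" % (offset, kind, text))
    print(count_occurrences(found, ["Evidence Eliminator", "Error", "MS Sans Serif"]))
```

To use it on a real dump, read the file into `data` and raise `min_len` to cut the noise; the UTF-16LE pattern assumes the strings sit at even offsets, which is the normal case inside a loaded image.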

Thanks to Robin Keir for his excellent BinText.


Copyright © Radsoft. All rights reserved.