@LunarN0v4
Created December 6, 2023 11:41
Corrupt Filename Bug (Recycle Bin, win10 amd64 22H2)

After watching the latest Endermanch video and using my basic knowledge of hex, I've found a bug with the Recycle Bin on Windows 10 (amd64, 22H2).
I have found out partially why it seems to happen, but I'm mostly unsure, and therefore, the cause is merely a theory.
Here's how to do it:

  1. Open a hex editor (hopefully you already know how to get to the "secret" Recycle Bin files after watching Endermanch's video)
  2. Open the "$I" file for your recycled file (not deleted) in your hex editor
  3. Remove all the data from your "$I" file and replace it with the following (FILE SIZE CHANGES ARE INTENDED):
    02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 98 D8 61 13 5A C8 24 05 00 00 00 5E 00 5E 00 5E 00 3A 00 5C 00 00 00
  4. Save the file
  5. Open the Recycle Bin and refresh (CTRL+R). Every time you refresh, you'll see a new string for the name (yes, the date being set that way is part of the hex I provided)
  6. Profit!
    Oh, so you want to do this yourself and have your own file? Here's how to do it from scratch:
  7. Open the "$I" file in your hex editor
  8. Figure out a name you want for your fake drive/path, and once you have that name, delete every byte after byte 24 (Offset(h) 00000018)
  9. Change byte 18 (Offset(h) 00000018) to the number of characters that your fake drive/path has, as a UInt8, then add 00 00 00
    For this part, I hope your hex editor has a tool to let you convert text to hex automatically, since you'll need to type the entire drive/path in hex.
  10. Write your fake drive/path in hex, adding a 00 between each character, then add 00 00 00 at the end to complete the path
  11. Save and look to see if it shows in the Recycle Bin, and if it doesn't, read the guide again to see where you might've gone wrong
    The first 23 bytes of the file do not need to be modified to achieve this bug; only byte 24 (Offset(h) 00000018) and onwards need to be modified.

Congrats on making a bugged Recycle Bin file!
This appears to happen because the stored location is somewhere that should be impossible to store to, which causes Windows to start taking random strings from random places. It exhibits the behaviour of taking strings that are used in other places of the system, and sometimes you get the same string twice, which means it has to be pulling from somewhere in the operating system.
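
For anyone triaging Recycle Bin metadata, the following added example (not part of the original gist) parses a "$I" record and flags the properties that make the bytes in step 3 abnormal. Assumptions: the layout of the first 24 bytes (8-byte version, 8-byte size, 8-byte FILETIME) and the convention that the length field counts the terminating NUL come from public forensic descriptions of the format, not from this gist; `parse_i_file` is a hypothetical name.

```python
import struct
from datetime import datetime, timedelta, timezone

# The 40 bytes from step 3 of the gist, split by field.
GIST_BLOB = bytes.fromhex(
    "02 00 00 00 00 00 00 00 "  # format version (2 on Windows 10)
    "00 00 00 00 00 00 00 00 "  # original file size
    "00 98 D8 61 13 5A C8 24 "  # deletion time as a FILETIME
    "05 00 00 00 "              # path length in UTF-16 characters
    "5E 00 5E 00 5E 00 3A 00 5C 00 00 00"  # path, UTF-16LE
)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_i_file(data):
    """Parse a version 2 $I record; return (fields, findings)."""
    if len(data) < 28:
        raise ValueError("too short for a version 2 $I header")
    version, size, filetime, nchars = struct.unpack_from("<QQQI", data, 0)
    if version != 2:
        raise ValueError(f"unsupported $I version {version}")
    raw = data[28:]
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    findings = []
    # Assumption: a genuine record counts the terminating NUL in the
    # length field and stores exactly that many UTF-16 code units.
    if nchars != len(path) + 1 or len(raw) != 2 * nchars:
        findings.append("length field does not match the stored path")
    # Heuristic: a local Recycle Bin path starts with a drive letter root.
    if not (path[:1].isascii() and path[:1].isalpha() and path[1:3] == ":\\"):
        findings.append("path does not start with a drive letter")
    try:
        deleted = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    except OverflowError:
        deleted = None  # beyond what datetime can represent
    if deleted is None or deleted > datetime.now(timezone.utc):
        findings.append("deletion time is in the future")
    return {"size": size, "deleted": deleted, "path": path}, findings


if __name__ == "__main__":
    fields, findings = parse_i_file(GIST_BLOB)
    print(fields)
    for finding in findings:
        print("ANOMALY:", finding)
```

Run against the gist's bytes, all three checks fire: the path decodes to `^^^:\`, the length field is one short of a NUL-inclusive count, and the timestamp falls in the year 9999.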
