Hi all!

I don't know C very much, I've only read part of a book a year and a half ago, but still I am trying to understand the source code of the “cracksome” file of the the Morris worm, which you can find here (It's a .txt file so no it won't run on the computer) : http://www.foo.be/docs-free/morris-worm/worm/cracksome.c.txt

I think it is relevant for you to know that this worm was made in 1988, so it's not recent. I wish to know what some kind of function called XS() is. I'll start by that.



In the source code, I sometimes see this XS function, I guess it has something to do with the characters included in a file, but I can't then understand the meaning of XS("r") in lines like this one :
hosteq = fopen(XS("/etc/hosts.equiv"), XS("r"));

This line and the following ones aim to search for hostnames in the "/etc/hosts.equiv" file inside the infected host. “hosteq” is defined as FILE *hosteq;. It must be some kind of pointer to a file.

Sometimes I see XS("x") but I can't figure this out either...
strcpy(&user->passwd[0], XS("x"));

passwd is an array of 15 characters inside a structure called “usr” and is defined as char passwd[14];. user seems to be a pointer to the structure usr

That's all folks! Can you help me? I'd appreciate it a lot. :-)

I'm going to guess it is a macro similar to Microsoft's _T(). Normally it just expands to the string, but in Unicode it would expand with an L in front of the string to make it a wide string literal:

XS() was actually the decryption function that Morris used to hide plain-text strings in the compiled code. see: http://spaf.cerias.purdue.edu/tech-reps/823.pdf
(the source code you found has the strings pre-decrypted for readability)

Thanks to you both! (especially you, Cubbi)