A Winamp Skin Detective Story

A little Winamp skin detective story played out in the Webamp Discord today. Figured I’d write up the story as it played out as a thread.

Someone reported a skin as NSFW (it wasn’t) but while I was reviewing it, I noticed something odd. The background color of the numbers was off.

Maybe a Webamp rendering bug…? 🧵


Nope, Eris checked, and the bug reproduced in real Winamp. Something was wrong with the skin. But what? Upon closer inspection he noticed it included both numbers.bmp AND nums_ex.bmp. Winamp prefers the latter, but the nums_ex.bmp didn’t match the rest of the skin.

How did that file end up in this skin…?


Maybe the designer of the skin was testing on an old version of Winamp that didn’t check for nums_ex.bmp? Eris checked v2.666, and it still used the _ex file. Then he checked v2.0 and it rendered something very odd.

What was going on…?


It turns out the skin had a BUNCH of other files inside it! Files from another skin it seemed. Some file names differed only by case. But how did they get there? At this point, I noticed something interesting. The skin had an advertisement file embedded in it.

Could this be related…?


Some site that offered the skin for download had inserted an additional file into the archive. This spawned a new hypothesis: Inserting the ad file would mean repacking the archive. Maybe the repacking was done by some kind of script that used the temporary directory and didn’t correctly clean up between skins?

How could we test this hypothesis…?


If this guess was correct, we could expect that there was an “original” skin out there which contained a strict subset of the files in this archive. No ad file, and no files from other skins. A quick search on the Winamp Skin Museum turned up this.

And look, the background color on the numbers looks right!

But were the files the same…?

https://skins.webamp.org/skin/527dc3dadc9bb32843928a3e5f717075/Fanta_LS.wsz/


Yes! The new skin contained a strict subset of what was in the corrupt skin, and no ad file!
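One way to run the subset check described above, as an added example that is not part of the original write-up. It treats a .wsz as a ZIP archive; the helper names, the sample file names and contents, and the `ad.txt` name are constructed for illustration.

```python
import hashlib
import io
import zipfile
from collections import defaultdict


def index_archive(data: bytes) -> dict:
    """Map lowercased member name -> list of (stored name, SHA-256 of content)."""
    index = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                digest = hashlib.sha256(zf.read(info)).hexdigest()
                index[info.filename.lower()].append((info.filename, digest))
    return index


def compare_skins(original: bytes, suspect: bytes) -> dict:
    """Test the repacking hypothesis: is `original` a strict subset of `suspect`?"""
    orig, susp = index_archive(original), index_archive(suspect)
    # Compare case-insensitively on name, exactly on content.
    orig_set = {(k, h) for k, v in orig.items() for _, h in v}
    susp_set = {(k, h) for k, v in susp.items() for _, h in v}
    return {
        "strict_subset": orig_set < susp_set,
        # Members of the suspect archive that the original does not contain.
        "extra_files": sorted(n for k, v in susp.items() for n, h in v
                              if (k, h) not in orig_set),
        # Names differing only by case collide on a case-insensitive filesystem.
        "case_collisions": sorted(sorted({n for n, _ in v})
                                  for v in susp.values() if len({n for n, _ in v}) > 1),
    }


def make_zip(files) -> bytes:
    """Build an in-memory archive from (name, content) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files:
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample data: file names and contents are illustrative only.
ORIGINAL = make_zip([("main.bmp", b"skin-A main"), ("numbers.bmp", b"skin-A numbers")])
SUSPECT = make_zip([("main.bmp", b"skin-A main"), ("numbers.bmp", b"skin-A numbers"),
                    ("NUMBERS.BMP", b"skin-B numbers"), ("nums_ex.bmp", b"skin-B nums_ex"),
                    ("ad.txt", b"constructed ad text")])

if __name__ == "__main__":
    print(compare_skins(ORIGINAL, SUSPECT))
```

On real files, pass the bytes of the two .wsz archives instead of the constructed samples.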

Next question. Does this generalize? Did this site serve up other corrupt skins? If so, maybe we could find those too…?


We head back to the museum, and search for “http://www.winampskins.info”, and look, a lot of skins!

Are any others corrupt…?


Found one! https://skins.webamp.org/skin/b6a1eaf8779c3f923dfdec212d4a5e29/Knight_Test.wsz/ looks a bit off. Why is the playlist red? Looking for a skin with the same name, we see https://skins.webamp.org/skin/afd0e0215273f506da2091a85154cea7/Knight_Test.wsz/ which has the same red playlist!