TheDraw crack study pt.1
From
AKAcastor@21:1/162 to
All on Tuesday, April 16, 2024 02:47:10
I wrote up some notes from a first look at TheDraw and TDREGINC, if anyone is interested. (spoiler: It may be a while before I have an updated crack - there's some unexpected challenge here, but it's unclear how difficult of a challenge.)
Chris/akacastor
TheDraw 4.61 registration crack study (part 1 of ???) -------------------------------------
2024-04-15 akacastor [ AP Class ]
Taking a look at TDREGINC.ZIP to see how it patches TheDraw 4.61 registration.
TheDraw v4.60 Registration Utility by Fatal Hitman
International Network of Crackers Productions 1993
Running TDREGINC patches THEDRAW.EXE.
Part 1: looking at the .EXE files in hex editor and comparing binary contents. For now we won't use a disassembler or debugger, first getting a more general look at the what TDREGINC does to create THEDRAWR.EXE.
Comparing #1 = THEDRAW.EXE to #2 = THEDRAWR.EXE (patched version)
First observation: File sizes - THEDRAWR.EXE is 5984 bytes larger.
THEDRAW.EXE 144,624
THEDRAWR.EXE 150,608
Conclusion: Several KB of code (or data) is being patched into TheDraw.
It's hard to come up with a reason for a data patch like this, code seems likely.
Directly comparing the binary files shows a lot of differences, but due to
the patches being inserted into the middle, the files become out of sync and nothing matches. Comparing the ends of the two files to each other, they match at the end - so the differences are in the middle.
Next step, looking at the .EXE headers:
THEDRAW.EXE:
exe_header.mz = 0x5A4D
last_page_bytes = 0x00F0
num_pages = 0x011B 144384 + 240 = 144624 bytes total size
num_reloc = 0x0758
header_size = 0x01D8 7552 bytes
min_memory = 0x0EDD 60880 bytes
max_memory = 0x0EDD 60880 bytes
initial_ss = 0x2BD4
initial_sp = 0x4800
checksum = 0x0000
initial_csip = 0x0000
reloc_table_ofs = 0x001C
overlay_num = 0x0000
THEDRAWR.EXE:
exe_header.mz = 0x5A4D
last_page_bytes = 0x0050
num_pages = 0x0127 150528 + 80 = 150608 bytes total size
num_reloc = 0x0758
header_size = 0x01DC 7616 bytes
min_memory = 0x0EDD 60880 bytes
max_memory = 0x0EDD 60880 bytes
initial_ss = 0x2D46
initial_sp = 0x4800
checksum = 0x0000
initial_csip = 0x0000
reloc_table_ofs = 0x001C
overlay_num = 0x0000
We can see that header_size is different, so if we are comparing code the
start addresses will be 0x1D80 in THEDRAW.EXE and 0x1DC0 in THEDRAWR.EXE.
Interestingly, THEDRAWR.EXE has the same number of relocation table entries
as THEDRAW.EXE but it has a larger header_size. It looks like 68 bytes of code(?) was stuffed into the header. (64 bytes inserted and 4 bytes overwriting zeroes)
Comparing THEDRAW.EXE and THEDRAWR.EXE from the end of the .EXE headers, there are a number of 2-byte patches throughout the code, until at offset 1BDF0
there is another binary patch inserted and the files become out of sync.
The 2-byte patches look like adjusted offsets for function calls to patched functions. There are a number of places where the following patches occur: 1CCE -> 1E40, 1C0A -> 1DDE, 1E73 -> 1FE5, 1BDF -> 1DB3
The patch added to THEDRAWR.EXE at offset 0x1BDF0 (from .exe header) is 7488 bytes long. (PAT1BDF0.BIN)
After the 7488 byte patch there are a few more of the 2-byte patches then at 0x1C6C0 (from .exe header) the files become out of sync again. This time
1568 bytes are removed from THEDRAW.EXE. (CUT1C6C0.BIN)
After removing 1568 bytes from 0x1C6C0 (from .exe header) and inserting 7488 bytes at 0x1BDF0 (from .exe header), we have files of matching lengths.
The remaining differences are:
0x1E112: 1C6C 05D3 -> 1BDF 1D09
0x20EBB: 00 -> 01
0x20EFD: change "THEDRAW.EXE" to "THEDRAWR.EXE" (Pascal string)
0x210D9: change Pascal string "shareware" to 0A 00 0F FF 11 2B 01 2D 07 03 81 Is this a valid Pascal string? I believe it is a valid 10-character unprintable string.
Summary of changes made by TDREGINC:
------------------------------------
- removed 1568 bytes from offset 0x1C6C0 (from .exe header)
+ added 7488 bytes at offset 0x1BDF0
function calls patched (901 total):
1CCE -> 1E40, 1C0A -> 1DDE, 1E73 -> 1FE5, 1BDF -> 1DB3
change offset 0x1E112: 1C6C 05D3 -> 1BDF 1D09
change offset 0x20EBB: 00 -> 01
change "THEDRAW.EXE" to "THEDRAWR.EXE"
change "shareware" to "\x00\x0F\xFF\x11\x2B\x01\x2D\x07\x03\x81"
Conclusion of Part 1
--------------------
That's a lot more changes than I had expected for a registration crack. It looks like this will be an interesting challenge!
Next step will be to look deeper - loading the executable in a disassembler
to look at what was patched into THEDRAWR.EXE and which functions have had calls patched.
--- Maximus 3.01
* Origin: Another Millennium - Canada - another.tel (21:1/162)