• TheDraw crack study pt.1

    From AKAcastor@21:1/162 to All on Tuesday, April 16, 2024 02:47:10
    I wrote up some notes from a first look at TheDraw and TDREGINC, if anyone is interested. (spoiler: It may be a while before I have an updated crack - there's some unexpected challenge here, but it's unclear how difficult of a challenge.)


    Chris/akacastor


    TheDraw 4.61 registration crack study (part 1 of ???)
    -------------------------------------
    2024-04-15 akacastor [ AP Class ]


    Taking a look at TDREGINC.ZIP to see how it patches TheDraw 4.61 registration.

    TheDraw v4.60 Registration Utility by Fatal Hitman
    International Network of Crackers Productions 1993

    Running TDREGINC patches THEDRAW.EXE.

    Part 1: looking at the .EXE files in a hex editor and comparing binary contents. For now we won't use a disassembler or debugger; first we get a more general look at what TDREGINC does to create THEDRAWR.EXE.

    Comparing #1 = THEDRAW.EXE to #2 = THEDRAWR.EXE (patched version)


    First observation: File sizes - THEDRAWR.EXE is 5984 bytes larger.

    THEDRAW.EXE 144,624
    THEDRAWR.EXE 150,608

    Conclusion: Several KB of code (or data) is being patched into TheDraw.
    It's hard to come up with a reason for a data patch like this, code seems likely.

    Directly comparing the binary files shows a lot of differences, but due to the patches being inserted into the middle, the files become out of sync and nothing matches. Comparing the ends of the two files to each other, they match at the end - so the differences are in the middle.

    Next step, looking at the .EXE headers:

    THEDRAW.EXE:
    exe_header.mz = 0x5A4D
    last_page_bytes = 0x00F0
    num_pages = 0x011B 144384 + 240 = 144624 bytes total size
    num_reloc = 0x0758
    header_size = 0x01D8 7552 bytes
    min_memory = 0x0EDD 60880 bytes
    max_memory = 0x0EDD 60880 bytes
    initial_ss = 0x2BD4
    initial_sp = 0x4800
    checksum = 0x0000
    initial_csip = 0x0000
    reloc_table_ofs = 0x001C
    overlay_num = 0x0000

    THEDRAWR.EXE:
    exe_header.mz = 0x5A4D
    last_page_bytes = 0x0050
    num_pages = 0x0127 150528 + 80 = 150608 bytes total size
    num_reloc = 0x0758
    header_size = 0x01DC 7616 bytes
    min_memory = 0x0EDD 60880 bytes
    max_memory = 0x0EDD 60880 bytes
    initial_ss = 0x2D46
    initial_sp = 0x4800
    checksum = 0x0000
    initial_csip = 0x0000
    reloc_table_ofs = 0x001C
    overlay_num = 0x0000

    We can see that header_size is different, so if we are comparing code the start addresses will be 0x1D80 in THEDRAW.EXE and 0x1DC0 in THEDRAWR.EXE.

    Interestingly, THEDRAWR.EXE has the same number of relocation table entries as THEDRAW.EXE but it has a larger header_size. It looks like 68 bytes of code(?) was stuffed into the header. (64 bytes inserted and 4 bytes overwriting zeroes)

    Comparing THEDRAW.EXE and THEDRAWR.EXE from the end of the .EXE headers, there are a number of 2-byte patches throughout the code, until at offset 1BDF0 there is another binary patch inserted and the files become out of sync.

    The 2-byte patches look like adjusted offsets for function calls to patched functions. There are a number of places where the following patches occur: 1CCE -> 1E40, 1C0A -> 1DDE, 1E73 -> 1FE5, 1BDF -> 1DB3

    The patch added to THEDRAWR.EXE at offset 0x1BDF0 (from .exe header) is 7488 bytes long. (PAT1BDF0.BIN)

    After the 7488 byte patch there are a few more of the 2-byte patches, then at 0x1C6C0 (from .exe header) the files become out of sync again. This time 1568 bytes are removed from THEDRAW.EXE. (CUT1C6C0.BIN)

    After removing 1568 bytes from 0x1C6C0 (from .exe header) and inserting 7488 bytes at 0x1BDF0 (from .exe header), we have files of matching lengths.

    The remaining differences are:

    0x1E112: 1C6C 05D3 -> 1BDF 1D09

    0x20EBB: 00 -> 01

    0x20EFD: change "THEDRAW.EXE" to "THEDRAWR.EXE" (Pascal string)

    0x210D9: change Pascal string "shareware" to 0A 00 0F FF 11 2B 01 2D 07 03 81
    Is this a valid Pascal string? I believe it is a valid 10-character unprintable string.


    Summary of changes made by TDREGINC:
    ------------------------------------

    - removed 1568 bytes from offset 0x1C6C0 (from .exe header)

    + added 7488 bytes at offset 0x1BDF0

    function calls patched (901 total):
    1CCE -> 1E40, 1C0A -> 1DDE, 1E73 -> 1FE5, 1BDF -> 1DB3

    change offset 0x1E112: 1C6C 05D3 -> 1BDF 1D09

    change offset 0x20EBB: 00 -> 01

    change "THEDRAW.EXE" to "THEDRAWR.EXE"

    change "shareware" to "\x00\x0F\xFF\x11\x2B\x01\x2D\x07\x03\x81"


    Conclusion of Part 1
    --------------------

    That's a lot more changes than I had expected for a registration crack. It looks like this will be an interesting challenge!

    Next step will be to look deeper - loading the executable in a disassembler to look at what was patched into THEDRAWR.EXE and which functions have had calls patched.


    --- Maximus 3.01
    * Origin: Another Millennium - Canada - another.tel (21:1/162)
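    The header arithmetic in the post (page count and last-page bytes to total file size, header paragraphs to the load-image offset, and the slack left after the relocation table) can be checked mechanically. The following is an added example, not code from the thread or from TheDraw/TDREGINC; it assumes the standard DOS MZ header layout (fourteen little-endian words, with the post's initial_csip split into its real initial_ip and initial_cs words), and the two header listings are constructed test input copied from the post and zero-padded to their declared sizes, since the real files are not part of the page.

```python
import struct

# DOS MZ header: fourteen little-endian 16-bit words at the start of the file.
# Field names follow the post's listing; initial_csip is split into two words.
MZ_FIELDS = (
    "mz", "last_page_bytes", "num_pages", "num_reloc", "header_size",
    "min_memory", "max_memory", "initial_ss", "initial_sp", "checksum",
    "initial_ip", "initial_cs", "reloc_table_ofs", "overlay_num",
)
MZ_STRUCT = struct.Struct("<14H")  # 28 bytes


def build_mz_header(**fields):
    """Pack a header from named fields (unnamed fields are zero). Used here only
    to construct test input from the values listed in the post."""
    return MZ_STRUCT.pack(*(fields.get(name, 0) for name in MZ_FIELDS))


def parse_mz_header(data):
    """Return the header words as a dict, or raise if this is not an MZ file."""
    if len(data) < MZ_STRUCT.size:
        raise ValueError("file shorter than an MZ header")
    hdr = dict(zip(MZ_FIELDS, MZ_STRUCT.unpack_from(data, 0)))
    if hdr["mz"] not in (0x5A4D, 0x4D5A):  # "MZ", or the rarer "ZM"
        raise ValueError("missing MZ signature")
    return hdr


def mz_layout(hdr):
    """Derive the byte-level layout the DOS loader will use from the header words."""
    pages, last = hdr["num_pages"], hdr["last_page_bytes"]
    # num_pages counts 512-byte pages; last_page_bytes is how much of the final
    # page is used (0 means the last page is completely full).
    total = pages * 512 if last == 0 else (pages - 1) * 512 + last
    header_bytes = hdr["header_size"] * 16                      # paragraphs -> bytes
    reloc_end = hdr["reloc_table_ofs"] + 4 * hdr["num_reloc"]  # 4 bytes per entry
    return {
        "total_size": total,
        "header_bytes": header_bytes,
        "code_file_offset": header_bytes,           # load image begins right after the header
        "reloc_table_end": reloc_end,
        "header_slack": header_bytes - reloc_end,   # unused bytes between reloc table and code
    }


def check_file(data):
    """Integrity view of a whole file: header-declared size versus real length."""
    layout = mz_layout(parse_mz_header(data))
    layout["actual_size"] = len(data)
    layout["size_mismatch"] = len(data) - layout["total_size"]
    return layout


def diff_layouts(a, b):
    """Derived values that differ between two files, as (a, b) pairs."""
    la, lb = check_file(a), check_file(b)
    return {k: (la[k], lb[k]) for k in la if la[k] != lb[k]}


# Constructed inputs: header words copied from the two listings in the post.
THEDRAW_HDR = build_mz_header(
    mz=0x5A4D, last_page_bytes=0x00F0, num_pages=0x011B, num_reloc=0x0758,
    header_size=0x01D8, min_memory=0x0EDD, max_memory=0x0EDD, initial_ss=0x2BD4,
    initial_sp=0x4800, reloc_table_ofs=0x001C)
THEDRAWR_HDR = build_mz_header(
    mz=0x5A4D, last_page_bytes=0x0050, num_pages=0x0127, num_reloc=0x0758,
    header_size=0x01DC, min_memory=0x0EDD, max_memory=0x0EDD, initial_ss=0x2D46,
    initial_sp=0x4800, reloc_table_ofs=0x001C)


def padded(hdr_bytes):
    """Zero-pad a constructed header to its declared size so size checks have a 'file'."""
    size = mz_layout(parse_mz_header(hdr_bytes))["total_size"]
    return hdr_bytes + b"\0" * (size - len(hdr_bytes))


THEDRAW_FILE = padded(THEDRAW_HDR)
THEDRAWR_FILE = padded(THEDRAWR_HDR)

if __name__ == "__main__":
    for name, f in (("THEDRAW.EXE", THEDRAW_FILE), ("THEDRAWR.EXE", THEDRAWR_FILE)):
        lay = check_file(f)
        print(f"{name}: {lay['total_size']} bytes, code at file offset 0x{lay['code_file_offset']:X}, "
              f"{lay['header_slack']} bytes of header slack after the reloc table")
    print(diff_layouts(THEDRAW_FILE, THEDRAWR_FILE))
```

    Run against the constructed headers, the layout matches the post: 144624 and 150608 bytes total, code starting at 0x1D80 and 0x1DC0, and the slack after the relocation table growing from 4 bytes to 68 bytes with an unchanged relocation count, which is the "68 bytes stuffed into the header" observation. The size_mismatch field is the check worth running on any real MZ file: a declared size that disagrees with the on-disk length is a quick sign of truncation, appended data, or a patch that did not update the header.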
  • From fusion@21:1/616 to AKAcastor on Tuesday, April 16, 2024 11:03:58
    On 16 Apr 2024, AKAcastor said the following...

    The 2-byte patches look like adjusted offsets for function calls to patched functions. There are a number of places where the following patches occur: 1CCE -> 1E40, 1C0A -> 1DDE, 1E73 -> 1FE5, 1BDF -> 1DB3

    these are either 172 or 1D4 apart. probably everything shifted that much in two sections?

    would be interesting if the author had the original registered version and mostly patched in the differences.

    --- Mystic BBS v1.12 A47 2021/12/25 (Windows/32)
    * Origin: cold fusion - cfbbs.net - grand rapids, mi (21:1/616)
  • From paulie420@21:2/150 to AKAcastor on Tuesday, April 16, 2024 17:42:12
    I wrote up some notes from a first look at TheDraw and TDREGINC, if anyone is interested. (spoiler: It may be a while before I have an updated crack - there's some unexpected challenge here, but it's unclear how difficult of a challenge.)

    Next step will be to look deeper - loading the executable in a disassembler to look at what was patched into THEDRAWR.EXE and which functions have had calls patched.

    I enjoy reading these and appreciate all the infoz - prolly valuable for working on different softwarez, anyway; I hope you keep sharing them. Kudos!



    pAULIE42o
    .........

    --- Mystic BBS v1.12 A48 (Linux/64)
    * Origin: 2o fOr beeRS bbs>>>20ForBeers.com:1337 (21:2/150)