• TheDraw crack study pt.1

    From AKAcastor@21:1/162 to All on Tue Apr 16 02:47:10 2024
    I wrote up some notes from a first look at TheDraw and TDREGINC, if anyone is interested. (spoiler: It may be a while before I have an updated crack - there's some unexpected challenge here, but it's unclear how difficult of a challenge.)


    Chris/akacastor


    TheDraw 4.61 registration crack study (part 1 of ???) -------------------------------------
    2024-04-15 akacastor [ AP Class ]


    Taking a look at TDREGINC.ZIP to see how it patches TheDraw 4.61 registration.

    TheDraw v4.60 Registration Utility by Fatal Hitman
    International Network of Crackers Productions 1993

    Running TDREGINC patches THEDRAW.EXE.

    Part 1: looking at the .EXE files in hex editor and comparing binary contents. For now we won't use a disassembler or debugger, first getting a more general look at the what TDREGINC does to create THEDRAWR.EXE.

    Comparing #1 = THEDRAW.EXE to #2 = THEDRAWR.EXE (patched version)


    First observation: File sizes - THEDRAWR.EXE is 5984 bytes larger.

    THEDRAW.EXE 144,624
    THEDRAWR.EXE 150,608

    Conclusion: Several KB of code (or data) is being patched into TheDraw.
    It's hard to come up with a reason for a data patch like this, code seems likely.

    Directly comparing the binary files shows a lot of differences, but due to
    the patches being inserted into the middle, the files become out of sync and nothing matches. Comparing the ends of the two files to each other, they match at the end - so the differences are in the middle.

    Next step, looking at the .EXE headers:

    THEDRAW.EXE:
    exe_header.mz = 0x5A4D
    last_page_bytes = 0x00F0
    num_pages = 0x011B 144384 + 240 = 144624 bytes total size
    num_reloc = 0x0758
    header_size = 0x01D8 7552 bytes
    min_memory = 0x0EDD 60880 bytes
    max_memory = 0x0EDD 60880 bytes
    initial_ss = 0x2BD4
    initial_sp = 0x4800
    checksum = 0x0000
    initial_csip = 0x0000
    reloc_table_ofs = 0x001C
    overlay_num = 0x0000

    THEDRAWR.EXE:
    exe_header.mz = 0x5A4D
    last_page_bytes = 0x0050
    num_pages = 0x0127 150528 + 80 = 150608 bytes total size
    num_reloc = 0x0758
    header_size = 0x01DC 7616 bytes
    min_memory = 0x0EDD 60880 bytes
    max_memory = 0x0EDD 60880 bytes
    initial_ss = 0x2D46
    initial_sp = 0x4800
    checksum = 0x0000
    initial_csip = 0x0000
    reloc_table_ofs = 0x001C
    overlay_num = 0x0000

    We can see that header_size is different, so if we are comparing code the
    start addresses will be 0x1D80 in THEDRAW.EXE and 0x1DC0 in THEDRAWR.EXE.

    Interestingly, THEDRAWR.EXE has the same number of relocation table entries
    as THEDRAW.EXE but it has a larger header_size. It looks like 68 bytes of code(?) was stuffed into the header. (64 bytes inserted and 4 bytes overwriting zeroes)

    Comparing THEDRAW.EXE and THEDRAWR.EXE from the end of the .EXE headers, there are a number of 2-byte patches throughout the code, until at offset 1BDF0
    there is another binary patch inserted and the files become out of sync.

    The 2-byte patches look like adjusted offsets for function calls to patched functions. There are a number of places where the following patches occur: 1CCE -> 1E40, 1C0A -> 1DDE, 1E73 -> 1FE5, 1BDF -> 1DB3

    The patch added to THEDRAWR.EXE at offset 0x1BDF0 (from .exe header) is 7488 bytes long. (PAT1BDF0.BIN)

    After the 7488 byte patch there are a few more of the 2-byte patches then at 0x1C6C0 (from .exe header) the files become out of sync again. This time
    1568 bytes are removed from THEDRAW.EXE. (CUT1C6C0.BIN)

    After removing 1568 bytes from 0x1C6C0 (from .exe header) and inserting 7488 bytes at 0x1BDF0 (from .exe header), we have files of matching lengths.

    The remaining differences are:

    0x1E112: 1C6C 05D3 -> 1BDF 1D09

    0x20EBB: 00 -> 01

    0x20EFD: change "THEDRAW.EXE" to "THEDRAWR.EXE" (Pascal string)

    0x210D9: change Pascal string "shareware" to 0A 00 0F FF 11 2B 01 2D 07 03 81 Is this a valid Pascal string? I believe it is a valid 10-character unprintable string.


    Summary of changes made by TDREGINC:
    ------------------------------------

    - removed 1568 bytes from offset 0x1C6C0 (from .exe header)

    + added 7488 bytes at offset 0x1BDF0

    function calls patched (901 total):
    1CCE -> 1E40, 1C0A -> 1DDE, 1E73 -> 1FE5, 1BDF -> 1DB3

    change offset 0x1E112: 1C6C 05D3 -> 1BDF 1D09

    change offset 0x20EBB: 00 -> 01

    change "THEDRAW.EXE" to "THEDRAWR.EXE"

    change "shareware" to "\x00\x0F\xFF\x11\x2B\x01\x2D\x07\x03\x81"


    Conclusion of Part 1
    --------------------

    That's a lot more changes than I had expected for a registration crack. It looks like this will be an interesting challenge!

    Next step will be to look deeper - loading the executable in a disassembler
    to look at what was patched into THEDRAWR.EXE and which functions have had calls patched.


    --- Maximus 3.01
    * Origin: Another Millennium - Canada - another.tel (21:1/162)
  • From fusion@21:1/616 to AKAcastor on Tue Apr 16 11:03:58 2024
    On 16 Apr 2024, AKAcastor said the following...

    The 2-byte patches look like adjusted offsets for function calls to patched functions. There are a number of places where the following patches occur: 1CCE -> 1E40, 1C0A -> 1DDE, 1E73 -> 1FE5, 1BDF -> 1DB3

    these are either 172 or 1D4 apart. probably everything shifted that much in two sections?

    would be interesting if the author had the original registered version and mostly patched in the differences.

    --- Mystic BBS v1.12 A47 2021/12/25 (Windows/32)
    * Origin: cold fusion - cfbbs.net - grand rapids, mi (21:1/616)
  • From paulie420@21:2/150 to AKAcastor on Tue Apr 16 17:42:12 2024
    I wrote up some notes from a first look at TheDraw and TDREGINC, if
    anyone is interested. (spoiler: It may be a while before I have an updated crack - there's some unexpected challenge here, but it's unclear how difficult of a challenge.)

    Next step will be to look deeper - loading the executable in a disassembler to look at what was patched into THEDRAWR.EXE and which functions have had calls patched.

    I enjoy reading these and appreciate all the infoz - prolly valuable for working on different softwarez, anyway; I hope you keep sharing them. Kudos!



    |07p|15AULIE|1142|07o
    |08.........

    --- Mystic BBS v1.12 A48 (Linux/64)
    * Origin: 2o fOr beeRS bbs>>>20ForBeers.com:1337 (21:2/150)