Subj : TheDraw crack study pt.1
To   : All
From : AKAcastor
Date : Tue Apr 16 2024 02:47 am

I wrote up some notes from a first look at TheDraw and TDREGINC, if anyone is interested. (spoiler: It may be a while before I have an updated crack - there's some unexpected challenge here, but it's unclear how difficult of a challenge.)

Chris/akacastor

TheDraw 4.61 registration crack study (part 1 of ???)
-------------------------------------
2024-04-15 akacastor [ AP Class ]

Taking a look at TDREGINC.ZIP to see how it patches TheDraw 4.61 registration.

  TheDraw v4.60 Registration Utility by Fatal Hitman
  International Network of Crackers Productions 1993

Running TDREGINC patches THEDRAW.EXE.

Part 1: looking at the .EXE files in hex editor and comparing binary contents.
For now we won't use a disassembler or debugger, first getting a more general look at what TDREGINC does to create THEDRAWR.EXE.

Comparing #1 = THEDRAW.EXE to #2 = THEDRAWR.EXE (patched version)

First observation: File sizes - THEDRAWR.EXE is 5984 bytes larger.

  THEDRAW.EXE   144,624
  THEDRAWR.EXE  150,608

Conclusion: Several KB of code (or data) is being patched into TheDraw. It's hard to come up with a reason for a data patch like this, code seems likely.

Directly comparing the binary files shows a lot of differences, but due to the patches being inserted into the middle, the files become out of sync and nothing matches. Comparing the ends of the two files to each other, they match at the end - so the differences are in the middle.

Next step, looking at the .EXE headers:

THEDRAW.EXE:
  exe_header.mz   = 0x5A4D
  last_page_bytes = 0x00F0
  num_pages       = 0x011B    144384 + 240 = 144624 bytes total size
  num_reloc       = 0x0758
  header_size     = 0x01D8    7552 bytes
  min_memory      = 0x0EDD    60880 bytes
  max_memory      = 0x0EDD    60880 bytes
  initial_ss      = 0x2BD4
  initial_sp      = 0x4800
  checksum        = 0x0000
  initial_csip    = 0x0000
  reloc_table_ofs = 0x001C
  overlay_num     = 0x0000

THEDRAWR.EXE:
  exe_header.mz   = 0x5A4D
  last_page_bytes = 0x0050
  num_pages       = 0x0127    150528 + 80 = 150608 bytes total size
  num_reloc       = 0x0758
  header_size     = 0x01DC    7616 bytes
  min_memory      = 0x0EDD    60880 bytes
  max_memory      = 0x0EDD    60880 bytes
  initial_ss      = 0x2D46
  initial_sp      = 0x4800
  checksum        = 0x0000
  initial_csip    = 0x0000
  reloc_table_ofs = 0x001C
  overlay_num     = 0x0000

We can see that header_size is different, so if we are comparing code the start addresses will be 0x1D80 in THEDRAW.EXE and 0x1DC0 in THEDRAWR.EXE.

Interestingly, THEDRAWR.EXE has the same number of relocation table entries as THEDRAW.EXE but it has a larger header_size. It looks like 68 bytes of code(?) was stuffed into the header. (64 bytes inserted and 4 bytes overwriting zeroes)

Comparing THEDRAW.EXE and THEDRAWR.EXE from the end of the .EXE headers, there are a number of 2-byte patches throughout the code, until at offset 1BDF0 there is another binary patch inserted and the files become out of sync.

The 2-byte patches look like adjusted offsets for function calls to patched functions. There are a number of places where the following patches occur:
  1CCE -> 1E40, 1C0A -> 1DDE, 1E73 -> 1FE5, 1BDF -> 1DB3

The patch added to THEDRAWR.EXE at offset 0x1BDF0 (from .exe header) is 7488 bytes long. (PAT1BDF0.BIN)

After the 7488 byte patch there are a few more of the 2-byte patches, then at 0x1C6C0 (from .exe header) the files become out of sync again. This time 1568 bytes are removed from THEDRAW.EXE. (CUT1C6C0.BIN)

After removing 1568 bytes from 0x1C6C0 (from .exe header) and inserting 7488 bytes at 0x1BDF0 (from .exe header), we have files of matching lengths. The remaining differences are:

  0x1E112: 1C6C 05D3 -> 1BDF 1D09
  0x20EBB: 00 -> 01
  0x20EFD: change "THEDRAW.EXE" to "THEDRAWR.EXE" (Pascal string)
  0x210D9: change Pascal string "shareware" to 0A 00 0F FF 11 2B 01 2D 07 03 81

Is this a valid Pascal string? I believe it is a valid 10-character unprintable string.

Summary of changes made by TDREGINC:
------------------------------------
- removed 1568 bytes from offset 0x1C6C0 (from .exe header)
+ added 7488 bytes at offset 0x1BDF0
function calls patched (901 total): 1CCE -> 1E40, 1C0A -> 1DDE, 1E73 -> 1FE5, 1BDF -> 1DB3
change offset 0x1E112: 1C6C 05D3 -> 1BDF 1D09
change offset 0x20EBB: 00 -> 01
change "THEDRAW.EXE" to "THEDRAWR.EXE"
change "shareware" to "\x00\x0F\xFF\x11\x2B\x01\x2D\x07\x03\x81"

Conclusion of Part 1
--------------------
That's a lot more changes than I had expected for a registration crack. It looks like this will be an interesting challenge!

Next step will be to look deeper - loading the executable in a disassembler to look at what was patched into THEDRAWR.EXE and which functions have had calls patched.

--- Maximus 3.01
 * Origin: Another Millennium - Canada - another.tel (21:1/162)
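Added example (not part of AKAcastor's post, and not TDREGINC's code): a small MZ header parser that reproduces the size arithmetic in the header dumps above and compares two images from their own header ends, so a header that has grown by a few paragraphs does not throw the byte-for-byte comparison out of sync. The two headers are constructed from the field values quoted in the post; the CALL bodies are constructed samples shaped like the observed 1CCE -> 1E40 patch, not bytes from the real files.

```python
import struct
from collections import namedtuple
from typing import Optional

# 28-byte DOS MZ header, little-endian; the study's initial_csip is two words (IP at 0x14, CS at 0x16).
MZ_HEADER = struct.Struct("<2s" + "H" * 13)
MzHeader = namedtuple("MzHeader", "last_page_bytes num_pages num_reloc header_paras min_memory "
                      "max_memory initial_ss initial_sp checksum initial_ip initial_cs "
                      "reloc_table_ofs overlay_num")

def parse_mz_header(data: bytes) -> MzHeader:
    fields = MZ_HEADER.unpack_from(data, 0)
    if fields[0] != b"MZ":
        raise ValueError("not an MZ executable")
    return MzHeader(*fields[1:])

def total_size(h: MzHeader) -> int:
    """File size in bytes: 512-byte pages; the last page is partial unless recorded as 0."""
    if h.last_page_bytes == 0:
        return h.num_pages * 512
    return (h.num_pages - 1) * 512 + h.last_page_bytes

def header_size(h: MzHeader) -> int:
    """Header length in bytes (16-byte paragraphs); the load image (code) starts here."""
    return h.header_paras * 16

def build_mz_header(last_page, pages, relocs, paras, min_mem, max_mem, ss, sp) -> bytes:
    """Constructed sample header carrying the field values quoted in the study."""
    return MZ_HEADER.pack(b"MZ", last_page, pages, relocs, paras, min_mem, max_mem,
                          ss, sp, 0, 0, 0, 0x001C, 0)

def first_code_difference(a: bytes, b: bytes) -> Optional[int]:
    """Compare two images from their own header ends, so a grown header does not throw the
    comparison out of sync, and return the code-relative offset of the first mismatch."""
    code_a = a[header_size(parse_mz_header(a)):]
    code_b = b[header_size(parse_mz_header(b)):]
    for i, (x, y) in enumerate(zip(code_a, code_b)):
        if x != y:
            return i
    return None if len(code_a) == len(code_b) else min(len(code_a), len(code_b))

# Constructed headers carrying the values the study reads out of THEDRAW.EXE / THEDRAWR.EXE.
THEDRAW_HDR = build_mz_header(0x00F0, 0x011B, 0x0758, 0x01D8, 0x0EDD, 0x0EDD, 0x2BD4, 0x4800)
THEDRAWR_HDR = build_mz_header(0x0050, 0x0127, 0x0758, 0x01DC, 0x0EDD, 0x0EDD, 0x2D46, 0x4800)

# Constructed bodies: a near CALL retargeted 1CCE -> 1E40 (the 2-byte patch shape the study sees),
# each padded so the body begins at its own header end (0x1D80 vs 0x1DC0).
IMG_A = THEDRAW_HDR.ljust(0x1D80, b"\0") + bytes([0xE8, 0xCE, 0x1C]) + b"\x90" * 4
IMG_B = THEDRAWR_HDR.ljust(0x1DC0, b"\0") + bytes([0xE8, 0x40, 0x1E]) + b"\x90" * 4
```

Running `total_size` and `header_size` on the two constructed headers gives 144624 / 0x1D80 and 150608 / 0x1DC0, matching the post's dumps, and `first_code_difference(IMG_A, IMG_B)` lands on the low byte of the retargeted CALL operand.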