💾 Archived View for spam.works › mirrors › textfiles › hacking › unp.txt captured on 2023-06-14 at 16:58:44.
View Raw
More Information
-=-=-=-=-=-=-
?? ? ???? ? ????? ????? ????? ??
?? ? ?? ? ? ?? ? ?? ?? ???
?? ? ?? ? ? ????? ???? ???? ??
?? ? ?? ? ? ?? ?? ?? ?? ??
????? ?? ??? ?? ????? ?? ????? ????
?????????????????????????????????????????????
Written by Ben Castricum
April 15, 1994
This is the documentation belonging to and explaining the use of:
UNP V3.31
Compressed executable file expander
TOPICS covered in this document:
DISCLAIMER
PURPOSE OF UNP
REQUIREMENTS
GENERAL INFO
HOW TO USE UNP
UNP IN ACTION
MESSAGES
WHAT UNP CAN HANDLE
NOTES ON COMPRESSORS
ERRORLEVEL VALUES
WHERE TO FIND UNP
HOW TO REGISTER
CONTACTING ME
DISCLAIMER:
-----------
Although UNP has been tested on several systems, I cannot guarantee that
UNP will be without bugs. Therefore, I do not take responsibility for any
damage directly or indirectly caused by UNP as a result of known or
unknown errors in it.
PURPOSE OF UNP:
---------------
UNP tries to reverse the action which programs like PKLITE and LZEXE
perform. In case you don't know, those programs use data compression on
executable files. Yet they leave these compressed files in a state such
that they can still be normally executed. This is great if you want to
save disk space, but it has its disadvantages. Anyone can now spread a
virus; just compress an infected file and the virus is invisible!
Debugging also becomes a lot more difficult since the code has become
unreadable. These are the primary reasons behind my writing UNP. I
could make up some story about loading/decompressing time, but we are
probably talking about a few 100ths of a second. Well, at least I don't
notice any delay on my 66Mhz...
Not only can UNP expand compressed executable files, it is also able to
remove other kinds of routines from such programs. For instance,
Central Point's Anti-virus (tm) Immunize codes can be safely removed.
Though this removal is currently limited to only a few routines, in the
future this ability might be greatly expanded.
REQUIREMENTS:
-------------
To run UNP you need at least a 8086 microprocessor. However if you want
to take full advantage of UNP, MS-DOS 5.0 (or higher) is recommended since
UNP tries to allocate UMBs. Lower versions of DOS will work without much
difference since UNP only uses base memory and UMBs. It requires about
15k of memory, with the additional amount of memory required depending on
the program being processed.
GENERAL INFO:
-------------
Before you start using UNP, I would like to point out a few things which
you might take into consideration.
Compressed EXE files containing an overlay may not work correctly after
they have been decompressed. Decompression expands the code size of the
EXE file which also means that the overlay moves up. Some programs do not
check where the overlay currently is but just use a constant to get the
overlay. If this is the case, most anything can happen.
When you use UNP to convert a file to another structure, please take
into consideration that the converted program never runs under the exact
same conditions as it did before. Though these differences are likely
not to cause any problems with most programs, there are always programs
which expect just that what is changed by conversion.
One way to protect yourself against problems caused by such problems is
to use UNP's -b which is .BAK backup file creation option to create a
copy of the original compressed file. If, after running the
uncompressed program you find an error, you can simply delete the bad
copy and rename the .BAK file.
HOW TO USE UNP:
---------------
To get help type UNP on the command line without parameters or use the
'-?' switch. The first line of the help screen is a short line
describing how to pass information to UNP. Let's analyze this step by
step.
usage: UNP command [options] [d:][/path]Infile [[d:][/path]Outfile]
e = expand compressed file (default)
This command expands the compressed file. If you do not specify a
command, UNP will use this by default. Using this command without a
wildcard will result in unpacking all files in the current directory.
c = convert to COM file
Some .EXE files can be converted to .COM files. You can do this by
using this command. You should only convert a file when you know
exactly what you are doing (see general info section).
i = info only
If you just want some information about the file, this is the command
to use. UNP will show all information like the E command but will
will not decompress or write the file back.
l = load and save, no decompressing (only for EXE files).
This command loads an .EXE file but does not expand it. It will be
written back just like a decompressed file would be written back. This
is useful in case you want to remove an overlay or remove irrelevant
header data.
s = search for compressed files
When you use this command, only a small list of compressed files
matching the Infile wildcard will be generated. The list created will
be in the form of "filename.ext (compressor)".
x = convert to EXE file
Some compressors can only compress .EXE files (like LZEXE). With this
command you can convert a .COM file to an .EXE file. The resulting
file will be written back with an .EXE extension by default.
-? = help (this screen)
For a list of UNP commands or options use this switch. Any other
switch or command used on the same line will be ignored.
-a = automatic retry
Some files have been altered more than once. This switch will make
UNP to process the file again when it was changed. Useful when you
want to uncompress a file which also has been Immunized by CPAV.
-b = make backup .BAK file of original
If you want to keep a backup of your original file (very wise) use this
switch. The original file will be renamed to a file with a .BAK
extension.
-c = ask for confirmation before decompressing
This will force UNP to ask you if you want to decompress the file each
time it has found a new compressed file.
-h = remove irrelevant header data
Most linkers add useless data to the .EXE header. This switch removes
all such useless information, thus shrinking the header size.
-i = do not intercept INT 21h calls
By default UNP watches the DOS interrupt (21h) to check if the program
is running as expected. Any unexpected call to INT 21h will make UNP
abort the process. If you have any weird TSRs resident you might have
to use this switch. I had to use it while debugging with Turbo
Debugger.
-k = pklite signature; - = don't add, + = add always, ? = ask
With this switch you can handle the pklite signature. There are 3
possibilities :
-k- = the pklite signature will not be added, this will also be the
case if you only use -k (to stay dislite compatible)
-k+ = always add the pklite signature, this is the default of UNP so
you can just as well leave the -k switch away if you want this
-k? = when you use this, UNP will ask you each time it has found a
signature (like UNP V3.01 or earlier did)
-l = allways use loadfix
Starting with V3.12, UNP will not fill the first 64k of base memory.
(this allows larger files to be processed) When UNP detects a file
which does requires such a loadfix, it will reload the program with the
first 64k allocated. If you are planning to unpack several EXEPACKed
files you might want to use this switch to avoid reloading. This
switch can only improve UNP's processing speed, it does not add
anything new.
-o = overwrite output file if it exists
If you want to have the destination file overwritten, you can avoid
the question for permission by specifying this switch on the command
line.
-p = align header data on a page
It is said that .EXE files with a header size that is a multiple of
512 bytes load faster (this could make sense since a sector is also
512 bytes). This switch will expand the header to the nearest
multiple of 512 bytes.
-r = remove overlay data
If something is appended to an .EXE it is called an overlay. This
switch will let the file size of the outfile be the same as the load
image. So anything that was appended to the file will be thrown away.
An overlay can be used for all kinds of data, so removing this can
result in throwing away something useful.
-u = update file time/date to current time/date
By default UNP sets the time/date of the destination file to the same
time/date as the original source file. If you want to have it updated
to the current time/date use this switch
-v = verbose
When you use this switch UNP will give you some additional information.
I added this switch for debugging purposes.
The wildcard UNP uses for selecting the files it will process can be
found as follows:
if you have specified a command but no Infile the wildcard '*.*' will
be used. If you have specified an Infile ofcourse this will be used
except for wildcards without an extension; those will get '.*' appended
and a flag will be set to select only .COM and .EXE files. If your
Infile ends with a '\', '*.*' will be appended.
The destination file is optional. If you don't specify one, the source
file will be overwritten. You cannot use wildcards in this. Also, you
should not specify a destination file when you want to decompress more
than one file.
UNP IN ACTION:
--------------
When you execute UNP you can get several lines of information. Following
is an explanation of what those lines mean:
processing file : [D:][PATH\]FILENAME.EXT
This shows the name of the file being processed as specified on the
command line.
file size : X
The file size reported by DOS will be shown here.
file structure :
UNP recognizes 4 file structures:
- executable (EXE)
If the file starts with the 'MZ' or 'ZM' signature and does not
contain the 'NE' signature then this structure is assumed. With EXE
files there are two options UNP recognizes:
- convertible
The file can be converted to a COM file structure.
- loads into high memory
The program is loaded as high as possible in the allocated memory
block (this requires some other loading routines).
- Windows or OS/2 1.x new executable
The file starts with the 'MZ' or 'ZM' signature and contains the
'NE' signature.
- data file
The file does not contain the 'MZ' or 'ZM' signature but is too
large to be a COM file.
- binary (COM)
This is shown in all other cases.
EXE part sizes : header X bytes, code Y bytes, overlay Z bytes
Of course you will only get this line if you are processing an EXE file.
This shows how the file is built up. If you add X Y and Z you should
get the file size reported by DOS.
processed with :
If UNP recognizes some program's work in the file, it will try to tell
you what program it recognizes and when possible what version of that
program. If UNP does not really know what program has changed your
file but recognizes some programs work then that programs name will be
displayed between brackets (e.g. [EXEPACK]). If you have got such a
file then there are two possibilities, UNP knows about this program but
it is just unsure about the name/version or UNP doesn't know about it
at all. To find out if UNP knows about it, use the -v switch on this
program. If you got a message about breakpoints (see MESSAGES) then
UNP doesn't know this routine, I appreciate it if you would send me
that program or tell me where to find it.
action :
UNP not only decompress files it has the ability to do other
things as well. There can only be one action performed at a time.
This is a list of actions UNP reports:
- decompressing... done
This is the decompression action, probably the most used action.
- removing immunize code... done
When a file has been immunized with Central Point Anti-Virus, a
piece of code is added to the file. UNP has the ability to remove
this code.
- removing scrambling... done
UNP recognizes a few scrambling routines. When you see this message
you have got a program which contains one.
- removing 'XX' signature
Starting with UNP V3.02, the PKLITE signature added to fake PKLITE
decompression can be removed. This message will be shown if UNP has
found a removable signature and is trying to remove it.
- converting to EXE file structure
The file will be converted to one with an .EXE file structure
- converting to COM file structure
The file will be converted to one with an .COM file structure
new size : X
When the file has been written back UNP reports the new file size to
you in this line.
All other messages are explained in the section below.
MESSAGES:
---------
UNP has 6 kinds of messages other than the usual information it can display:
- Questions. Although I tried to make this program as smart as possible,
it still can't read minds and things like that. So sometimes it will
ask you for something it wants to know.
Add 'pk'/'PK' signature to fake PKLITE decompression (y/n)?
This question will only appear if you use -k? on the command line.
Answering 'Y' to this question will add 14 bytes of code that fakes
PKLITE decompression. The correct signature will be displayed and used
automatically ('pk' for V1.20 and others 'PK').
File FILENAME.EXT already exists. Overwrite (y/n)?
The filename that UNP wants to write the resulting file to already
exists. If you haven't specified the -o switch it will ask if it can
overwrite it. Answering 'N' will proceed to the next file.
Program is protected, please enter password:
This question will appear when you are trying to decompress a program
which is compressed with TINYPROG with the password option. You are
asked to type the password used. This is not to verify whether you are
the rightful owner or not, but I just couldn't find a way around it.
Remove this routine from file (y/n)?
You have specified the -c switch and UNP has found a file it
recognizes as being processed with something. Now it wants to know
if you like to remove the routine it has found.
- INFO messages, these messages are only displayed when you have specified
the -V switch. I've added them for debugging purposes.
INFO- Attempting to increase available memory for decompression.
This only shows up if you are trying to decompress PKLITE V1.00? (2).
When this happens, UNP uses some other strategy to calculate the memory
it allocates for decompressing. By default UNP only allocates as less
memory as possible. This strategy allocates 15/16 of the memory block
the program is currently loaded in.
INFO - command line = " ... "
This message shows how UNP has interpreted the things you typed on the
command line. Great for debugging purposes!
INFO - First 64K of base memory has been fully allocated.
Some compressors use the segment below their own code. Since it is
possible to load the operating system in upper/high memory there might
not be a complete segment available. This message tells you there has
been memory allocated to ensure there is a complete segment below.
Note that this is the same thing that the program LOADFIX.COM supplied
with MS-DOS 5 does.
INFO - Overlay copy overruled, overlay not copied to destination file.
Normally UNP copies any overlay found on the original program to the
destination. This is one of the exceptions. CRUNCHER and SEA-AXE use
the overlay to store the compressed data for the file. Copying the
overlay would result in a program containing twice its code, once in
compressed and once in the decompressed form. This message indicates
that UNP has removed the overlay to avoid this problem.
INFO - Program loaded at XXXXh, largest free memory block: X bytes.
Pretty obvious. The address where UNP is loaded is displayed along
with the largest block it can allocate.
INFO - Unknown program, breakpoints are : GS-XXXX, GI-XXXX, QT-XXXX.
Some routines that I am using are a bit better than the rest because
they try to determine offsets rather than comparing signatures. If
such a smart routine has found breakpoints but can not find any
identification string belonging to these, this message is shown with
the breakpoints it has found.
INFO - Using FILENAME.EXT as temp file.
UNP tells you what it will be using as temporary file. This name is
composed of the TEMP variable and the default temporary name.
INFO - Wildcard matches X filename(s), stored at XXXXh.
This tells you how many filenames UNP has found that match the wildcard
and where it has stored the names found.
- WARNING messages. UNP sometimes takes actions the user should be
notified of. In those cases a warning message is displayed.
WARNING - Adding 'XX' signature to fake PKLITE decompression.
The program you are decompressing was compressed by PKLITE V1.14 or
higher with extra compression. By default UNP adds 14 bytes of code
that will let the program think it is still compressed. To remove
this piece of code you can use UNP E on it.
WARNING - File adds 'XX' signature (added by UNP V3.01 or earlier).
WARNING - File adds 'XX' signature (added by DISLITE V1.15 or higher).
Your file has already been decompressed and has the signature to fake
PKLITE decompression appended. This signature is ignored to continue
the search for more decompression routines.
All signatures added by UNP V3.02 or higher and the DISLITE signatures
which do not use a relocation item will act as a decompression routine,
so UNP E will remove them.
WARNING - File already has .BAK extension, no backup created.
UNP has just unpacked a .BAK file and you have specified the -B switch.
Creating a .BAK file of a file which already has a .BAK extension is
impossible so the source file will be overwritten and there will be no
backup created.
WARNING - File loaded too low in memory to decompress, reloading.
Files compressed with EXEPACK require one segment (64k) below their own
code to successfully decompress. When there is no complete segment
available, UNP displays this message and reloads the file higher in
memory. (also see msg. 'INFO - First 64K...' and -L switch)
WARNING - Infile and Outfile are same, Outfile ignored.
You have specified the file twice on the command line, meaning that the
destination file is the same as the source file. Since this is the
default situation the second name is ignored.
WARNING - Invalid or missing stored header information.
Normally the compressor used on the program you are trying to
decompress stores a part of the original header. UNP has compared
this information with the data it thinks it should be and has come to
the conclusion that these mismatch. If this happens the default UNP
header will be used.
WARNING - Missing last byte, unable to completely restore file.
The SHRINK compressor does not correctly compresses files containing
all 256 characters. When this has happened the last byte of the
program is thrown away. It's not possible to get that byte back so the
decompressed file is mismatching in 1 or more bytes at the end with the
original file.
WARNING - Outfile specified, -B option ignored.
You have specified a destination file and the -B switch. Because I see
no sense in this, the -B option will then be ignored.
- ERROR messages. In some cases the desired action cannot be performed or
has failed. These messages tell you why this is so and what has
happened. UNP will continue with the next file.
ERROR - Cannot handle this decompression routine.
UNP has recognized the way your program has been compressed but is not
(yet) able to decompress it.
ERROR - File already is a .COM file.
You are trying to convert a .COM file to a .COM file.
ERROR - File already is an .EXE file.
You are trying to convert a .EXE file to a .EXE file.
ERROR - File contains overlay.
One thing you can't have with .COM files is overlays. If you want to
convert anyway first remove the overlay.
ERROR - File has invalid entrypoint (CS:IP <> FFF0h:0100h)
To have a converted .EXE file start at the right place, the programs
initial CS:IP should point to FFF0:0100h. If this is not true you get
this error message.
ERROR - File has relocation items.
You tried to convert an .EXE file with relocation items to a .COM file.
A .COM file cannot handle relocation items.
ERROR - File is too large for .COM file.
The maximum size for a .COM file is much shorter than the one for an
.EXE file. So it can happen that the .EXE file is too large to be
converted to a .COM file.
ERROR - Unexpected call to INT 21h, decompression failed.
When decompressing, UNP passes control to the program. When it does
not get control back it is very likely that an interrupt 21h will take
place sooner or later (INT 21h is the most important interrupt). UNP
checks for unexpected calls to this interrupt to ensure it's still in
control. To disable this checking use the -i switch.
- DOS ERROR messages, these errors are things UNP tried to do but for some
reason your Operating System didn't allowed it. UNP will quit and will
have the I/O ERROR exit code. If you find any use for UNP you are
probably an experienced DOS user and know how to solve the problem so I
will only give you the messages.
DOS ERROR - unable to create file
DOS ERROR - unable to open file
DOS ERROR - unable to read from file
DOS ERROR - unable to write to file
- FATAL ERROR messages. When one of those messages appear something is
really wrong and UNP cannot continue its work. It will quit and
probably have an exitcode for the situation occurred.
FATAL ERROR - Decompressing many files into one.
You have specified a destination file, but there is more than one
source file.
FATAL ERROR - Divide overflow (INT 00h) generated by CPU.
This means that an invalid DIV instruction has been executed.
Normally this will cause DOS to terminate the program. UNP hooks this
so it can set the interrupt's pointers back before the program quits.
FATAL ERROR - No files found matching FILENAME.EXT
UNP could not find any files to decompress.
FATAL ERROR - Not enough memory ...
UNP tried to allocated some memory but it got an error back. This
message tells you what it needed the memory for.
FATAL ERROR - Output path/file must not contain '*' or '?'.
You have used wildcards in the destination file. This is not allowed.
FATAL ERROR - User abort, ^C/^Break pressed (INT 23h).
Interrupt 23h is called when DOS detects that Ctrl-C or Ctrl-Break is
pressed. UNP hooks this to be able to restore the interrupts it uses.
WHAT UNP CAN HANDLE:
--------------------
Of course you would like to know what programs UNP can currently handle.
Well, here is a list of routines that UNP V3.15 is known to remove:
- routines found in .COM files
CENTRAL POINT ANTI-VIRUS V1 ; immunize code
COMPACK V4.4
COMPACK V4.5
DIET V1.00
DIET V1.02b or V1.10a
DIET V1.20
ICE V1.00
PKLITE V1.00?
PKLITE V1.03
PKLITE V1.05
PKLITE V1.12
PKLITE V1.13
PKLITE V1.14
PKLITE V1.15
PROTECT! COM/EXE V1.0 or V1.1
PROTECT! COM/EXE V2.0
PROTECT! COM/EXE V3.0
PROTECT! COM/EXE V3.1
PRO-PACK V2.08, emphasis on packed size
PRO-PACK V2.08, emphasis on packed size, locked
PRO-PACK V2.08, emphasis on unpacking speed
PRO-PACK V2.08, emphasis on unpacking speed, locked
SCRNCH V1.00
SHRINK V1.00
- routines found in .EXE files
CENTRAL POINT ANTI-VIRUS V1 ; immunize code
COMPACK V4.4
COMPACK V4.5
CRUNCHER V1.0 ; +.COM files
DIET V1.01
DIET V1.00d ; small & large, with & without items
DIET V1.02b, V1.10a or V1.20 ; small & large, with & without items
DIET V1.44 ; small, large + .COM files
DIET V1.44, choose great SFX routine ; small, large + .COM files
DIET V1.45f ; small, large + .COM files
DIET V1.45f choose great SFX routine ; small, large + .COM files
DISLITE V1.15 or higher ; small signatures (no items in sig)
EXEPACK V4.00
EXEPACK V4.05 or V4.06
EXEPACK patched with EXPAKFIX V1.0
LINK /EXEPACK V3.60 or V3.64
LINK /EXEPACK V5.31.009
KVETCH V1.02?
LZEXE V0.90
LZEXE V0.91 or V1.00a
PGMPAK V0.14
PKLITE V1.00? 0,1,2
PKLITE V1.03 0,1,2,3
PKLITE V1.05 0,1,2
PKLITE V1.10 3
PKLITE V1.12 0,1,2,3
PKLITE V1.13 0,1,2,3
PKLITE V1.14 0,1,2,3
PKLITE V1.15 0,1,2,3
PKLITE V1.20 1
PKLITE V1.20 1,3
PRO-PACK V2.08, emphasis on packed size
PRO-PACK V2.08, emphasis on packed size, locked
PRO-PACK V2.08, emphasis on unpacking speed
PRO-PACK V2.08, emphasis on unpacking speed, locked
PROTECT! COM/EXE V1.0
PROTECT! COM/EXE V1.1
PROTECT! COM/EXE V2.0
PROTECT! COM/EXE V3.0
PROTECT! COM/EXE V3.1
SEA-AXE
TINYPROG V1.0
TINYPROG V3.3
TINYPROG V3.6
TINYPROG V3.8
TINYPROG V3.9
UNP V3.02 or higher ; fake PKLITE signature
(Sorry, I lost count. Who cares about statistics anyway?)
NOTES ON COMPRESSORS:
---------------------
LZEXE V1.00a:
Several people have contacted me about this one. This utility is the
same as LZEXE V0.91, except for some minor options. It is offered
to the readers of INFO PC by IS2 France Diffusion (at least that's what
I think the text says). Unfortunately I don't know where it's
available.
PGMPAK V0.14:
When you compress a file with this compressor, an overlay of 12 bytes
will be added. To be exactly, the name and version number is added.
In this case: "PGMPAK V0.14". This overlay is not automatically removed
when you decompress it. To remove it, use the -R switch.
PKLITE:
PKLITE V1.00? seems to have a bug in it. While testing it, I found
that with some files an overlay of 512 bytes was added. Needless to
say that when this happened the compressed file did not run correctly.
Since UNP writes the file back as it would be run in memory the file
decompressed with UNP wouldn't run either. However extracting with
PKLITE -X resulted in the original file! Since this version of pklite
is hardly used and even more unlikely is that someone wants to
decompress such a file I didn't bother to write a new routine that
fixes that bug.
PKLITE V1.14 and up (according to the documentation) add the 'PK'
signature with extra compressed files to let the program check if it is
still compressed with PKLITE. To avoid that the program detects it has
been decompressed UNP adds by default 14 bytes of code that places the
signature in the PSP like PKLITE does.
SCRUNCH:
In most cases, UNPs decompression routines are created when using
test files. Unfortunately I don't have a copy of scrunch so this is
a bit difficult to ensure it works. Of course there are other
decompression routines built the same way but the file I received
compressed with this compressor looked like it was converted to a
.COM file before it was compressed (it contained relocation items),
but this conversion could just as well be a part of the scrunch
compression. If I receive more files compressed with this one I will
improve and adjust the routine when needed.
SHRINK V1.00:
This compressor is a bad implementation of Run Length compression. It
contains two bugs one of which is in the decompression routine. The
bugs are triggered when the file to be compressed contains all 256
bytes. I have written my own decompression routine for this compressor
that is able to avoid one bug. The other bug is that the last byte of
the compressed file is thrown away making it impossible to fully
rebuild the file. If this is the case, UNP will display a warning. It
is always better to decompress it, even if the last byte is missing.
ERRORLEVEL VALUES:
------------------
0 no error occurred
1 help text is displayed
2 no files found to process
3 decompressing many files into 1 / Outfile contains wildcards
4 some I/O error occurred
5 could not allocate enough memory
6 CPU generated divide overflow
7 user pressed ^C or ^Break
WHERE TO FIND UNP:
------------------
Latest version of unp will be uploaded to Garbo (garbo.uwasa.fi) as long
as I have access to Internet. Also this BBS below will have the latest
version.
MegaVolt BBS (support site of unp)
tel. +31-30-211143
speeds up to 14k4
HOW TO REGISTER:
----------------
I have decided to release UNP as freewhere (cardware). You are allowed to
test this program freely for a period of two weeks. If you decide to
continue using UNP you are expected to let me (the author) know where you
are using my program. To do this, send a postcard with some picture of
your city or something in the neighbourhood to the adress found at the end
of the document. I would appreciate if you would mention your full name
and version you are using. Ofcourse if you have got any suggestions you
can put them on it as well!
Please don't feel offended by all of this, I just want to how much people
find any use for UNP. And hey, it beats sending money!
CONTACTING ME:
--------------
My address: E-Mail (atleast valid till June-95):
Ben Castricum benc@solist.htsa.aha.nl
Van Loenenlaan 10
1945 TX Beverwijk
The Netherlands
- ** end of UNP V3.31 documentation ***