ڿ � ��Ŀ � ���Ŀ ���¿ ���¿ ڿ �� � �� � � �� � �� �� Ĵ� �� � �� � � ����� �Ĵ� �Ĵ� �� �� � �� � � �� �� ڿ �� �� ����� �� ��� �� ����� �� ����� ���� ��������������������������������������������� Written by Ben Castricum April 15, 1994 This is the documentation belonging to and explaining the use of: UNP V3.31 Compressed executable file expander TOPICS covered in this document: DISCLAIMER PURPOSE OF UNP REQUIREMENTS GENERAL INFO HOW TO USE UNP UNP IN ACTION MESSAGES WHAT UNP CAN HANDLE NOTES ON COMPRESSORS ERRORLEVEL VALUES WHERE TO FIND UNP HOW TO REGISTER CONTACTING ME DISCLAIMER: ----------- Although UNP has been tested on several systems, I cannot guarantee that UNP will be without bugs. Therefore, I do not take responsibility for any damage directly or indirectly caused by UNP as a result of known or unknown errors in it. PURPOSE OF UNP: --------------- UNP tries to reverse the action which programs like PKLITE and LZEXE perform. In case you don't know, those programs use data compression on executable files. Yet they leave these compressed files in a state such that they can still be normally executed. This is great if you want to save disk space, but it has its disadvantages. Anyone can now spread a virus; just compress an infected file and the virus is invisible! Debugging also becomes a lot more difficult since the code has become unreadable. These are the primary reasons behind my writing UNP. I could make up some story about loading/decompressing time, but we are probably talking about a few 100ths of a second. Well, at least I don't notice any delay on my 66Mhz... Not only can UNP expand compressed executable files, it is also able to remove other kinds of routines from such programs. For instance, Central Point's Anti-virus (tm) Immunize codes can be safely removed. Though this removal is currently limited to only a few routines, in the future this ability might be greatly expanded. REQUIREMENTS: ------------- To run UNP you need at least a 8086 microprocessor. However if you want to take full advantage of UNP, MS-DOS 5.0 (or higher) is recommended since UNP tries to allocate UMBs. Lower versions of DOS will work without much difference since UNP only uses base memory and UMBs. It requires about 15k of memory, with the additional amount of memory required depending on the program being processed. GENERAL INFO: ------------- Before you start using UNP, I would like to point out a few things which you might take into consideration. Compressed EXE files containing an overlay may not work correctly after they have been decompressed. Decompression expands the code size of the EXE file which also means that the overlay moves up. Some programs do not check where the overlay currently is but just use a constant to get the overlay. If this is the case, most anything can happen. When you use UNP to convert a file to another structure, please take into consideration that the converted program never runs under the exact same conditions as it did before. Though these differences are likely not to cause any problems with most programs, there are always programs which expect just that what is changed by conversion. One way to protect yourself against problems caused by such problems is to use UNP's -b which is .BAK backup file creation option to create a copy of the original compressed file. If, after running the uncompressed program you find an error, you can simply delete the bad copy and rename the .BAK file. HOW TO USE UNP: --------------- To get help type UNP on the command line without parameters or use the '-?' switch. The first line of the help screen is a short line describing how to pass information to UNP. Let's analyze this step by step. usage: UNP command [options] [d:][/path]Infile [[d:][/path]Outfile] * commands: e = expand compressed file (default) This command expands the compressed file. If you do not specify a command, UNP will use this by default. Using this command without a wildcard will result in unpacking all files in the current directory. c = convert to COM file Some .EXE files can be converted to .COM files. You can do this by using this command. You should only convert a file when you know exactly what you are doing (see general info section). i = info only If you just want some information about the file, this is the command to use. UNP will show all information like the E command but will will not decompress or write the file back. l = load and save, no decompressing (only for EXE files). This command loads an .EXE file but does not expand it. It will be written back just like a decompressed file would be written back. This is useful in case you want to remove an overlay or remove irrelevant header data. s = search for compressed files When you use this command, only a small list of compressed files matching the Infile wildcard will be generated. The list created will be in the form of "filename.ext (compressor)". x = convert to EXE file Some compressors can only compress .EXE files (like LZEXE). With this command you can convert a .COM file to an .EXE file. The resulting file will be written back with an .EXE extension by default. * options: -? = help (this screen) For a list of UNP commands or options use this switch. Any other switch or command used on the same line will be ignored. -a = automatic retry Some files have been altered more than once. This switch will make UNP to process the file again when it was changed. Useful when you want to uncompress a file which also has been Immunized by CPAV. -b = make backup .BAK file of original If you want to keep a backup of your original file (very wise) use this switch. The original file will be renamed to a file with a .BAK extension. -c = ask for confirmation before decompressing This will force UNP to ask you if you want to decompress the file each time it has found a new compressed file. -h = remove irrelevant header data Most linkers add useless data to the .EXE header. This switch removes all such useless information, thus shrinking the header size. -i = do not intercept INT 21h calls By default UNP watches the DOS interrupt (21h) to check if the program is running as expected. Any unexpected call to INT 21h will make UNP abort the process. If you have any weird TSRs resident you might have to use this switch. I had to use it while debugging with Turbo Debugger. -k = pklite signature; - = don't add, + = add always, ? = ask With this switch you can handle the pklite signature. There are 3 possibilities : -k- = the pklite signature will not be added, this will also be the case if you only use -k (to stay dislite compatible) -k+ = always add the pklite signature, this is the default of UNP so you can just as well leave the -k switch away if you want this -k? = when you use this, UNP will ask you each time it has found a signature (like UNP V3.01 or earlier did) -l = allways use loadfix Starting with V3.12, UNP will not fill the first 64k of base memory. (this allows larger files to be processed) When UNP detects a file which does requires such a loadfix, it will reload the program with the first 64k allocated. If you are planning to unpack several EXEPACKed files you might want to use this switch to avoid reloading. This switch can only improve UNP's processing speed, it does not add anything new. -o = overwrite output file if it exists If you want to have the destination file overwritten, you can avoid the question for permission by specifying this switch on the command line. -p = align header data on a page It is said that .EXE files with a header size that is a multiple of 512 bytes load faster (this could make sense since a sector is also 512 bytes). This switch will expand the header to the nearest multiple of 512 bytes. -r = remove overlay data If something is appended to an .EXE it is called an overlay. This switch will let the file size of the outfile be the same as the load image. So anything that was appended to the file will be thrown away. An overlay can be used for all kinds of data, so removing this can result in throwing away something useful. -u = update file time/date to current time/date By default UNP sets the time/date of the destination file to the same time/date as the original source file. If you want to have it updated to the current time/date use this switch -v = verbose When you use this switch UNP will give you some additional information. I added this switch for debugging purposes. *[d:][/path]Infile The wildcard UNP uses for selecting the files it will process can be found as follows: if you have specified a command but no Infile the wildcard '*.*' will be used. If you have specified an Infile ofcourse this will be used except for wildcards without an extension; those will get '.*' appended and a flag will be set to select only .COM and .EXE files. If your Infile ends with a '\', '*.*' will be appended. *[[d:][/path]Outfile] The destination file is optional. If you don't specify one, the source file will be overwritten. You cannot use wildcards in this. Also, you should not specify a destination file when you want to decompress more than one file. UNP IN ACTION: -------------- When you execute UNP you can get several lines of information. Following is an explanation of what those lines mean: processing file : [D:][PATH\]FILENAME.EXT This shows the name of the file being processed as specified on the command line. file size : X The file size reported by DOS will be shown here. file structure : UNP recognizes 4 file structures: - executable (EXE) If the file starts with the 'MZ' or 'ZM' signature and does not contain the 'NE' signature then this structure is assumed. With EXE files there are two options UNP recognizes: - convertible The file can be converted to a COM file structure. - loads into high memory The program is loaded as high as possible in the allocated memory block (this requires some other loading routines). - Windows or OS/2 1.x new executable The file starts with the 'MZ' or 'ZM' signature and contains the 'NE' signature. - data file The file does not contain the 'MZ' or 'ZM' signature but is too large to be a COM file. - binary (COM) This is shown in all other cases. EXE part sizes : header X bytes, code Y bytes, overlay Z bytes Of course you will only get this line if you are processing an EXE file. This shows how the file is built up. If you add X Y and Z you should get the file size reported by DOS. processed with : If UNP recognizes some program's work in the file, it will try to tell you what program it recognizes and when possible what version of that program. If UNP does not really know what program has changed your file but recognizes some programs work then that programs name will be displayed between brackets (e.g. [EXEPACK]). If you have got such a file then there are two possibilities, UNP knows about this program but it is just unsure about the name/version or UNP doesn't know about it at all. To find out if UNP knows about it, use the -v switch on this program. If you got a message about breakpoints (see MESSAGES) then UNP doesn't know this routine, I appreciate it if you would send me that program or tell me where to find it. action : UNP not only decompress files it has the ability to do other things as well. There can only be one action performed at a time. This is a list of actions UNP reports: - decompressing... done This is the decompression action, probably the most used action. - removing immunize code... done When a file has been immunized with Central Point Anti-Virus, a piece of code is added to the file. UNP has the ability to remove this code. - removing scrambling... done UNP recognizes a few scrambling routines. When you see this message you have got a program which contains one. - removing 'XX' signature Starting with UNP V3.02, the PKLITE signature added to fake PKLITE decompression can be removed. This message will be shown if UNP has found a removable signature and is trying to remove it. - converting to EXE file structure The file will be converted to one with an .EXE file structure - converting to COM file structure The file will be converted to one with an .COM file structure new size : X When the file has been written back UNP reports the new file size to you in this line. All other messages are explained in the section below. MESSAGES: --------- UNP has 6 kinds of messages other than the usual information it can display: * Questions. Although I tried to make this program as smart as possible, it still can't read minds and things like that. So sometimes it will ask you for something it wants to know. Add 'pk'/'PK' signature to fake PKLITE decompression (y/n)? This question will only appear if you use -k? on the command line. Answering 'Y' to this question will add 14 bytes of code that fakes PKLITE decompression. The correct signature will be displayed and used automatically ('pk' for V1.20 and others 'PK'). File FILENAME.EXT already exists. Overwrite (y/n)? The filename that UNP wants to write the resulting file to already exists. If you haven't specified the -o switch it will ask if it can overwrite it. Answering 'N' will proceed to the next file. Program is protected, please enter password: This question will appear when you are trying to decompress a program which is compressed with TINYPROG with the password option. You are asked to type the password used. This is not to verify whether you are the rightful owner or not, but I just couldn't find a way around it. Remove this routine from file (y/n)? You have specified the -c switch and UNP has found a file it recognizes as being processed with something. Now it wants to know if you like to remove the routine it has found. * INFO messages, these messages are only displayed when you have specified the -V switch. I've added them for debugging purposes. INFO- Attempting to increase available memory for decompression. This only shows up if you are trying to decompress PKLITE V1.00� (2). When this happens, UNP uses some other strategy to calculate the memory it allocates for decompressing. By default UNP only allocates as less memory as possible. This strategy allocates 15/16 of the memory block the program is currently loaded in. INFO - command line = " ... " This message shows how UNP has interpreted the things you typed on the command line. Great for debugging purposes! INFO - First 64K of base memory has been fully allocated. Some compressors use the segment below their own code. Since it is possible to load the operating system in upper/high memory there might not be a complete segment available. This message tells you there has been memory allocated to ensure there is a complete segment below. Note that this is the same thing that the program LOADFIX.COM supplied with MS-DOS 5 does. INFO - Overlay copy overruled, overlay not copied to destination file. Normally UNP copies any overlay found on the original program to the destination. This is one of the exceptions. CRUNCHER and SEA-AXE use the overlay to store the compressed data for the file. Copying the overlay would result in a program containing twice its code, once in compressed and once in the decompressed form. This message indicates that UNP has removed the overlay to avoid this problem. INFO - Program loaded at XXXXh, largest free memory block: X bytes. Pretty obvious. The address where UNP is loaded is displayed along with the largest block it can allocate. INFO - Unknown program, breakpoints are : GS-XXXX, GI-XXXX, QT-XXXX. Some routines that I am using are a bit better than the rest because they try to determine offsets rather than comparing signatures. If such a smart routine has found breakpoints but can not find any identification string belonging to these, this message is shown with the breakpoints it has found. INFO - Using FILENAME.EXT as temp file. UNP tells you what it will be using as temporary file. This name is composed of the TEMP variable and the default temporary name. INFO - Wildcard matches X filename(s), stored at XXXXh. This tells you how many filenames UNP has found that match the wildcard and where it has stored the names found. * WARNING messages. UNP sometimes takes actions the user should be notified of. In those cases a warning message is displayed. WARNING - Adding 'XX' signature to fake PKLITE decompression. The program you are decompressing was compressed by PKLITE V1.14 or higher with extra compression. By default UNP adds 14 bytes of code that will let the program think it is still compressed. To remove this piece of code you can use UNP E on it. WARNING - File adds 'XX' signature (added by UNP V3.01 or earlier). WARNING - File adds 'XX' signature (added by DISLITE V1.15 or higher). Your file has already been decompressed and has the signature to fake PKLITE decompression appended. This signature is ignored to continue the search for more decompression routines. All signatures added by UNP V3.02 or higher and the DISLITE signatures which do not use a relocation item will act as a decompression routine, so UNP E will remove them. WARNING - File already has .BAK extension, no backup created. UNP has just unpacked a .BAK file and you have specified the -B switch. Creating a .BAK file of a file which already has a .BAK extension is impossible so the source file will be overwritten and there will be no backup created. WARNING - File loaded too low in memory to decompress, reloading. Files compressed with EXEPACK require one segment (64k) below their own code to successfully decompress. When there is no complete segment available, UNP displays this message and reloads the file higher in memory. (also see msg. 'INFO - First 64K...' and -L switch) WARNING - Infile and Outfile are same, Outfile ignored. You have specified the file twice on the command line, meaning that the destination file is the same as the source file. Since this is the default situation the second name is ignored. WARNING - Invalid or missing stored header information. Normally the compressor used on the program you are trying to decompress stores a part of the original header. UNP has compared this information with the data it thinks it should be and has come to the conclusion that these mismatch. If this happens the default UNP header will be used. WARNING - Missing last byte, unable to completely restore file. The SHRINK compressor does not correctly compresses files containing all 256 characters. When this has happened the last byte of the program is thrown away. It's not possible to get that byte back so the decompressed file is mismatching in 1 or more bytes at the end with the original file. WARNING - Outfile specified, -B option ignored. You have specified a destination file and the -B switch. Because I see no sense in this, the -B option will then be ignored. * ERROR messages. In some cases the desired action cannot be performed or has failed. These messages tell you why this is so and what has happened. UNP will continue with the next file. ERROR - Cannot handle this decompression routine. UNP has recognized the way your program has been compressed but is not (yet) able to decompress it. ERROR - File already is a .COM file. You are trying to convert a .COM file to a .COM file. ERROR - File already is an .EXE file. You are trying to convert a .EXE file to a .EXE file. ERROR - File contains overlay. One thing you can't have with .COM files is overlays. If you want to convert anyway first remove the overlay. ERROR - File has invalid entrypoint (CS:IP <> FFF0h:0100h) To have a converted .EXE file start at the right place, the programs initial CS:IP should point to FFF0:0100h. If this is not true you get this error message. ERROR - File has relocation items. You tried to convert an .EXE file with relocation items to a .COM file. A .COM file cannot handle relocation items. ERROR - File is too large for .COM file. The maximum size for a .COM file is much shorter than the one for an .EXE file. So it can happen that the .EXE file is too large to be converted to a .COM file. ERROR - Unexpected call to INT 21h, decompression failed. When decompressing, UNP passes control to the program. When it does not get control back it is very likely that an interrupt 21h will take place sooner or later (INT 21h is the most important interrupt). UNP checks for unexpected calls to this interrupt to ensure it's still in control. To disable this checking use the -i switch. * DOS ERROR messages, these errors are things UNP tried to do but for some reason your Operating System didn't allowed it. UNP will quit and will have the I/O ERROR exit code. If you find any use for UNP you are probably an experienced DOS user and know how to solve the problem so I will only give you the messages. DOS ERROR - unable to create file DOS ERROR - unable to open file DOS ERROR - unable to read from file DOS ERROR - unable to write to file * FATAL ERROR messages. When one of those messages appear something is really wrong and UNP cannot continue its work. It will quit and probably have an exitcode for the situation occurred. FATAL ERROR - Decompressing many files into one. You have specified a destination file, but there is more than one source file. FATAL ERROR - Divide overflow (INT 00h) generated by CPU. This means that an invalid DIV instruction has been executed. Normally this will cause DOS to terminate the program. UNP hooks this so it can set the interrupt's pointers back before the program quits. FATAL ERROR - No files found matching FILENAME.EXT UNP could not find any files to decompress. FATAL ERROR - Not enough memory ... UNP tried to allocated some memory but it got an error back. This message tells you what it needed the memory for. FATAL ERROR - Output path/file must not contain '*' or '?'. You have used wildcards in the destination file. This is not allowed. FATAL ERROR - User abort, ^C/^Break pressed (INT 23h). Interrupt 23h is called when DOS detects that Ctrl-C or Ctrl-Break is pressed. UNP hooks this to be able to restore the interrupts it uses. WHAT UNP CAN HANDLE: -------------------- Of course you would like to know what programs UNP can currently handle. Well, here is a list of routines that UNP V3.15 is known to remove: * routines found in .COM files CENTRAL POINT ANTI-VIRUS V1 ; immunize code COMPACK V4.4 COMPACK V4.5 DIET V1.00 DIET V1.02b or V1.10a DIET V1.20 ICE V1.00 PKLITE V1.00� PKLITE V1.03 PKLITE V1.05 PKLITE V1.12 PKLITE V1.13 PKLITE V1.14 PKLITE V1.15 PROTECT! COM/EXE V1.0 or V1.1 PROTECT! COM/EXE V2.0 PROTECT! COM/EXE V3.0 PROTECT! COM/EXE V3.1 PRO-PACK V2.08, emphasis on packed size PRO-PACK V2.08, emphasis on packed size, locked PRO-PACK V2.08, emphasis on unpacking speed PRO-PACK V2.08, emphasis on unpacking speed, locked SCRNCH V1.00 SHRINK V1.00 * routines found in .EXE files CENTRAL POINT ANTI-VIRUS V1 ; immunize code COMPACK V4.4 COMPACK V4.5 CRUNCHER V1.0 ; +.COM files DIET V1.01 DIET V1.00d ; small & large, with & without items DIET V1.02b, V1.10a or V1.20 ; small & large, with & without items DIET V1.44 ; small, large + .COM files DIET V1.44, choose great SFX routine ; small, large + .COM files DIET V1.45f ; small, large + .COM files DIET V1.45f choose great SFX routine ; small, large + .COM files DISLITE V1.15 or higher ; small signatures (no items in sig) EXEPACK V4.00 EXEPACK V4.05 or V4.06 EXEPACK patched with EXPAKFIX V1.0 LINK /EXEPACK V3.60 or V3.64 LINK /EXEPACK V5.31.009 KVETCH V1.02� LZEXE V0.90 LZEXE V0.91 or V1.00a PGMPAK V0.14 PKLITE V1.00� 0,1,2 PKLITE V1.03 0,1,2,3 PKLITE V1.05 0,1,2 PKLITE V1.10 3 PKLITE V1.12 0,1,2,3 PKLITE V1.13 0,1,2,3 PKLITE V1.14 0,1,2,3 PKLITE V1.15 0,1,2,3 PKLITE V1.20 1 PKLITE V1.20 1,3 PRO-PACK V2.08, emphasis on packed size PRO-PACK V2.08, emphasis on packed size, locked PRO-PACK V2.08, emphasis on unpacking speed PRO-PACK V2.08, emphasis on unpacking speed, locked PROTECT! COM/EXE V1.0 PROTECT! COM/EXE V1.1 PROTECT! COM/EXE V2.0 PROTECT! COM/EXE V3.0 PROTECT! COM/EXE V3.1 SEA-AXE TINYPROG V1.0 TINYPROG V3.3 TINYPROG V3.6 TINYPROG V3.8 TINYPROG V3.9 UNP V3.02 or higher ; fake PKLITE signature (Sorry, I lost count. Who cares about statistics anyway?) NOTES ON COMPRESSORS: --------------------- LZEXE V1.00a: Several people have contacted me about this one. This utility is the same as LZEXE V0.91, except for some minor options. It is offered to the readers of INFO PC by IS2 France Diffusion (at least that's what I think the text says). Unfortunately I don't know where it's available. PGMPAK V0.14: When you compress a file with this compressor, an overlay of 12 bytes will be added. To be exactly, the name and version number is added. In this case: "PGMPAK V0.14". This overlay is not automatically removed when you decompress it. To remove it, use the -R switch. PKLITE: PKLITE V1.00� seems to have a bug in it. While testing it, I found that with some files an overlay of 512 bytes was added. Needless to say that when this happened the compressed file did not run correctly. Since UNP writes the file back as it would be run in memory the file decompressed with UNP wouldn't run either. However extracting with PKLITE -X resulted in the original file! Since this version of pklite is hardly used and even more unlikely is that someone wants to decompress such a file I didn't bother to write a new routine that fixes that bug. PKLITE V1.14 and up (according to the documentation) add the 'PK' signature with extra compressed files to let the program check if it is still compressed with PKLITE. To avoid that the program detects it has been decompressed UNP adds by default 14 bytes of code that places the signature in the PSP like PKLITE does. SCRUNCH: In most cases, UNPs decompression routines are created when using test files. Unfortunately I don't have a copy of scrunch so this is a bit difficult to ensure it works. Of course there are other decompression routines built the same way but the file I received compressed with this compressor looked like it was converted to a .COM file before it was compressed (it contained relocation items), but this conversion could just as well be a part of the scrunch compression. If I receive more files compressed with this one I will improve and adjust the routine when needed. SHRINK V1.00: This compressor is a bad implementation of Run Length compression. It contains two bugs one of which is in the decompression routine. The bugs are triggered when the file to be compressed contains all 256 bytes. I have written my own decompression routine for this compressor that is able to avoid one bug. The other bug is that the last byte of the compressed file is thrown away making it impossible to fully rebuild the file. If this is the case, UNP will display a warning. It is always better to decompress it, even if the last byte is missing. ERRORLEVEL VALUES: ------------------ 0 no error occurred 1 help text is displayed 2 no files found to process 3 decompressing many files into 1 / Outfile contains wildcards 4 some I/O error occurred 5 could not allocate enough memory 6 CPU generated divide overflow 7 user pressed ^C or ^Break WHERE TO FIND UNP: ------------------ Latest version of unp will be uploaded to Garbo (garbo.uwasa.fi) as long as I have access to Internet. Also this BBS below will have the latest version. MegaVolt BBS (support site of unp) tel. +31-30-211143 speeds up to 14k4 HOW TO REGISTER: ---------------- I have decided to release UNP as freewhere (cardware). You are allowed to test this program freely for a period of two weeks. If you decide to continue using UNP you are expected to let me (the author) know where you are using my program. To do this, send a postcard with some picture of your city or something in the neighbourhood to the adress found at the end of the document. I would appreciate if you would mention your full name and version you are using. Ofcourse if you have got any suggestions you can put them on it as well! Please don't feel offended by all of this, I just want to how much people find any use for UNP. And hey, it beats sending money! CONTACTING ME: -------------- My address: E-Mail (atleast valid till June-95): Ben Castricum benc@solist.htsa.aha.nl Van Loenenlaan 10 1945 TX Beverwijk The Netherlands *** end of UNP V3.31 documentation ***