PKLITE

From Just Solve the File Format Problem
(Difference between revisions)
Jump to: navigation, search
(Sample files)
(Format details)
 
(One intermediate revision by one user not shown)
Line 9: Line 9:
 
It compresses [[MS-DOS EXE|DOS EXE]] files (to EXE), and [[DOS executable (.com)|COM]] files (to COM). Version 2.01 added the ability to compress [[New Executable|Windows 3.x executables]].
 
It compresses [[MS-DOS EXE|DOS EXE]] files (to EXE), and [[DOS executable (.com)|COM]] files (to COM). Version 2.01 added the ability to compress [[New Executable|Windows 3.x executables]].
  
Many files compressed by PKLITE can be decompressed by PKLITE, using the <code>-x</code> option. The main exception is files compressed with <code>-e</code>, an option only available in the Professional version.
+
Many files compressed by PKLITE can be decompressed by PKLITE, using the <code>-x</code> option. The main exception is files compressed with <code>-e</code> ("extra compression"), an option only available in the Professional version.
  
 
== Overview of PKLITE versions ==
 
== Overview of PKLITE versions ==
Line 40: Line 40:
  
 
This does not account for the relocation table, which is compressed in its own way, using one of several specialized schemes.
 
This does not account for the relocation table, which is compressed in its own way, using one of several specialized schemes.
 +
 +
=== Encrypted decompressor ===
 +
Files made by v1.14+ with the <code>-e</code> option, and "v1.20" (but not "v1.10") files, have an ''encrypted decompressor''. The bulk of the decompression code is obfuscated, presumably to make it harder to analyze and modify.
 +
 +
V1.14+ uses a fairly simple XOR-based algorithm. The "v1.20" algorithm is similar, but with modular addition instead of XOR.
 +
 +
The encryption is apparently done one "word" (two bytes) at a time, and in reverse order (last word first). ''Decryption'' can be done in either order.
 +
 +
The encryption algorithm is initialized with a key, but when decrypting, the key is only needed for very "first" (last) word. (And in most versions, the last word seems to be unused padding.) In files where it's relevant, the key appears early in the program code, following a <code>0xba</code> byte.
 +
 +
A decompression utility does not necessarily have to decrypt the decompressor in order to decompress the file. But doing so allows the compression parameters to be determined more reliably. And it ''is'' necessary for files with ''encrypted offsets'', because the offset decryption key is embedded in the encrypted decompressor.
  
 
== Identification ==
 
== Identification ==

Latest revision as of 18:00, 1 November 2024

File Format
Name PKLITE
Ontology
Released 1990

PKLITE is an executable compression utility, from the makers of PKZIP. There was a free-for-noncommercial-use version, and a "Professional" version. There was a separate PKLITE32 product for 32-bit Windows.

It compresses DOS EXE files (to EXE), and COM files (to COM). Version 2.01 added the ability to compress Windows 3.x executables.

Many files compressed by PKLITE can be decompressed by PKLITE, using the -x option. The main exception is files compressed with -e ("extra compression"), an option only available in the Professional version.

Contents

[edit] Overview of PKLITE versions

The nine free versions listed in the Software section are probably all there were.

It seems plausible that the official Pro versions correspond to the free versions, except that whether v1.00 Pro existed is unclear.

PKWARE maintained a special internal version of PKLITE, used to compress many of the files they distributed, and the executable part of many self-extracting ZIP files. Such files are usually labeled v1.20, with a few of the earliest labeled v1.10. "1.20" does not represent a single format version; it's a whole line of formats, independent of the released versions.

There is a widely-distributed fake v1.20, which is actually a hacked copy of v1.12 Pro. The files it creates are labeled v1.12. There's no evidence of any legitimate v1.20 release.

There's evidence of some other versions used by companies outside of PKWARE, perhaps as part of a private beta test program. Files made by such versions can sometimes be identified in one way or another, though not all of them have a unique version number. In particular, files labeled v1.11, v1.16, or v2.00 may have such an origin. Note that the existence of v2.00β is claimed by GetTyp.

[edit] Format details

[edit] Version descriptor

Immediately preceding the copyright string in a pristine PKLITE-compressed file is a 16-bit little-endian integer we'll call the version descriptor. In DOS EXE files, it's always at offset 28.

It characterizes, in broad terms, the version of PKLITE that was used, and the type of compression. The low 12 bits are the version number; for example, 0x10f means version 1.15. The 0x1000 bit is set if "extra" compression was used. The 0x2000 bit is for "large" compression mode.

[edit] Compression scheme

The compression scheme is a kind of LZ77 with Huffman coding, with pre-defined Huffman codebooks.

There are actually two different base compression schemes, sometimes called "small" and "large" mode. Large mode is used for larger files.

A different set of "small" and "large" schemes is used in version 1.10/1.20 files, so there are four base compression schemes total.

The base compression scheme can then be modified in two known ways:

  • Encrypted literals: A simple obfuscation method, used with "extra" compression.
  • Encrypted offsets: Another obfuscation method, used only in a few late-era v1.20 files.

This does not account for the relocation table, which is compressed in its own way, using one of several specialized schemes.

[edit] Encrypted decompressor

Files made by v1.14+ with the -e option, and "v1.20" (but not "v1.10") files, have an encrypted decompressor. The bulk of the decompression code is obfuscated, presumably to make it harder to analyze and modify.

V1.14+ uses a fairly simple XOR-based algorithm. The "v1.20" algorithm is similar, but with modular addition instead of XOR.

The encryption is apparently done one "word" (two bytes) at a time, and in reverse order (last word first). Decryption can be done in either order.

The encryption algorithm is initialized with a key, but when decrypting, the key is only needed for very "first" (last) word. (And in most versions, the last word seems to be unused padding.) In files where it's relevant, the key appears early in the program code, following a 0xba byte.

A decompression utility does not necessarily have to decrypt the decompressor in order to decompress the file. But doing so allows the compression parameters to be determined more reliably. And it is necessary for files with encrypted offsets, because the offset decryption key is embedded in the encrypted decompressor.

[edit] Identification

Robust identification of PKLITE-compressed files is challenging, due to the many versions and options, and the fact that PKLITE files were often modified to make them more difficult to identify and/or decompress.

Note that PKLITE includes CHK4LITE, a utility that tries to identify PKLITE-compressed files, and the version of PKLITE they were created with. Different versions of CHK4LITE work differently, but it is fairly rudimentary, and never stood much chance in the arms race over disguising PKLITE files.

[edit] Identification of DOS COM

Based on the start of the copyright message near the beginning of the file...

  • v1.00β has "PK Copyr" at offset 38.
  • v1.00 has "PKlite" at offset 44.
  • v1.03-1.14 has "PKLITE" at offset 44.
  • v1.15-2.01 has "PKLITE" at offset 46.

[edit] Identification of DOS EXE

There is a copyright message at offset 30 that starts with "PKlite" (v2.01) or "PKLITE" (all other versions).

It's likely that all files (except those from v1.00β) have bytes 00 00 or 01 00 at offset 6, and 00 01 f0 ff at offset 20 (refer to MS-DOS EXE#Header structure). This is fairly distinctive, though false positives are possible.

[edit] Identification of Windows EXE

There is a copyright message at offset 66 that starts "PKlite" or "Pklite". In files made by PKLITE 2.01, the "K" in this string is capitalized. In most files distributed directly by PKWARE, including relevant self-extracting ZIP files, it's lowercase.

There is a possible signature, "TNT4", starting 8 bytes after the start of the standard "NE" signature. That is, at offset {8 + {the 4-byte integer at offset 60}}.

[edit] Specifications

[edit] Software

  • PKLITE freeware/shareware, for DOS
  • PKLITE - other/various
    • PKLite at old-dos.ru - various versions
    • v1.00β (1990-05-29) (not an authorized release[1])
    • fake v1.20 (1992-08-20): [2], [3], [4]
    • XADIP201.ZIP (at vetusware.com) - Hacked "XADi" version of PKLITE 2.01-shareware. Claims to support the -e option, but it only does a little of what the real software does.

Decompression, general:

Decompression, for DOS:

Protectors (utilities that modify a PKLITE-compressed file to make it more difficult to identify and/or decompress):

Other:

  • LOWFIX - Patches v1.00-1.05 to fix bugs, and changes the version number to 1.06.
  • pkla - Analyzer utility
  • See also MEGALITE
  • See also PKTINY

[edit] Sample files

Various:

By version, COM (mainly in archives that include extraneous files):

By version, EXE:

By version, EXE with "extra compression":

Special versions, EXE (usually labeled as version "1.20"):

  • Most EXE Files from PKLITE v1.14, 1.15, 2.01.
  • Most EXE files from PKZIP 1.93a+ for DOS (see ZIP#Software).
  • Self-extracting ZIP files made by ZIP2EXE from PKZIP v2.04c+ - see Self-extracting ZIP#Sample files.
  • DOS format self-extracting ZIP files made by some versions of PKZIP for Windows (e.g. v2.63). These report "PKSFX 2.49" when executed. (Refer to PKZIP#Software.)
  • Self-extracting ZIP files made by ZIP2EXE from PKZIP 2.50 DOS shareware. (Refer to PKZIP#Software.)
  • pk204c2g.zip → PKPATCH.EXE
  • pkzm100.zip → PKZM100.EXE → PKZMENU.EXE - version "1.10"
  • PKZM104.EXE → PKZMENU.EXE - version "1.10"
  • PKZF15.ZIP

EXE for Windows 3.x:

  • pk263w16.exe (this file, and the PKZIPW.EXE file contained in it)

Oddities:

  • sd_200.zip → SD.EXE - File from StupenDOS, a PKWARE spin-off product. Apparently made by a pre-release version of PKLITE, then apparently code-named "PKPACK" (but not to be confused with PKPAK).
  • Version "1.11" (File structure looks identical to v1.12.)
  • There are two unusual PKLITE-compressed files included with PC-DOS 6.3 (e.g. at WinWorld), apparently made by a beta or special version of PKLITE.
    • PC-DOS 6.3 → Disk 1 → FORMAT.COM - Version "1.16"
    • PC-DOS 6.3 → Disk 1 → XCOPY.EXE - Labeled "1.50", but different from the actual v1.50.
  • DMAKER20.ZIP - Version "2.00"

Modified files - simple (Modification of the copyright message or other unimportant things. Such files are common -- these are just random examples.):

Modified files - other:

[edit] Links

Personal tools
Namespaces

Variants
Actions
Navigation
Toolbox