PKLITE
PKLITE is an executable compression utility, from the makers of PKZIP (see ZIP). There was a free-for-noncommercial-use version, and a "Professional" version. There was a separate PKLITE32 product for 32-bit Windows.
It supports mainly DOS .EXE and .COM formats. Version 2.01 added the ability to compress Windows 3.x executables.
Many files compressed by PKLITE can be decompressed by PKLITE, using the -x
option. The main exception is files compressed with -e
, an option only available in the Professional version.
Contents |
Technical notes
Version number
For pristine PKLITE-compressed EXE files, the 16-bit little-endian integer at offset 28 characterizes, in broad terms, the version of PKLITE that was used, and the type of compression. The low 12 bits are the version number; for example, 0x10f means version 1.15. The 0x1000 bit is set if "extra" compression was used. The 0x2000 bit is another compression setting.
Version 1.20
There was no free v1.20 release, but legitimate files do exist with that version number. Most of them are self-extracting ZIP files made by PKZIP v2.04's ZIP2EXE utility.
There is also a fake version that claims to be v1.20, but is actually a hacked copy of v1.12 Professional. The files it creates are (correctly) labeled as v1.12.
Identification
Robust identification of PKLITE-compressed files is challenging, due to the many versions and options, and the fact that PKLITE files were often modified to make them more difficult to identify and/or decompress.
Note that PKLITE includes CHK4LITE, a utility that tries to identify PKLITE-compressed files, and the version of PKLITE they were created with. Different versions of CHK4LITE work differently, but it is fairly rudimentary, and never stood much chance in the arms race over disguising PKLITE files.
Identification of DOS COM
Based on the start of the copyright message near the beginning of the file...
- v1.00β has "
PK Copyr
" at offset 38. - v1.00 has "
PKlite
" at offset 44. - v1.03-1.14 has "
PKLITE
" at offset 44. - v1.15-2.01 has "
PKLITE
" at offset 46.
Identification of DOS EXE
There is a copyright message at offset 30 that starts with "PKlite
" (v2.01) or "PKLITE
" (all other versions).
It's likely that all files (except those from v1.00β) have bytes 00 00
or 01 00
at offset 6, and 00 01 f0 ff
at offset 20 (refer to MS-DOS EXE#Header structure). This is fairly distinctive, though false positives are possible.
Identification of Windows EXE
There is a copyright message at offset 66 that starts with "PKlite
".
Specifications
Software
- PKLITE freeware/shareware, for DOS
- PKLITE - other/various
- PKLite at old-dos.ru - various versions
- v1.00β (1990-05-29) (not an authorized release[1])
- fake v1.20 (1992-08-20): [2], [3], [4]
- XADIP201.ZIP (at vetusware.com) - Hacked "XADi" version of PKLITE 2.01-shareware. Claims to support the
-e
option, but it only does a little of what the real software does.
Decompression, general:
- depklite (Not a complete decompression utility, but maybe useful.)
- mz-explode
- Deark (with
-m pklite
option)
Decompression, for DOS:
- PKLITE (with
-x
option) - DISLITE by JohnPC & CV-Tassle: v1.17a · another copy · source code
- See Executable compression#Decompression software for some multi-format utilities that support PKLITE, e.g. UNP.
- UnPKLite (archived) by Tenth Planet Software / Clive Turvey
- PKUNLITE v1.00 by Montgomery Engineering
- PKUNLITE v3.00 by The Software Surgeon & Electronic Rats
- Universal PKLITE Unpacker (UNPKLITE.EXE) by PReDaTor 666: ANORMAL's DOSEXE collections → Executable Tools Pack → unpackers/universal pklite unpacker.*
- AVPACK
- ExLite by Inbar Raz (COM files only, includes source code)
Protectors (utilities that modify a PKLITE-compressed file to make it more difficult to identify and/or decompress):
- PKFOOL v1.0 (requires BRUN45.EXE, not included)
- PKLTEFIX
- UN²PACK v2.0
Other:
- LOWFIX - Patches v1.00-1.05 to fix bugs, and changes the version number to 1.06.
- pkla - Analyzer utility
- See also MEGALITE
- See also PKTINY
Sample files
Various:
By version, COM (mainly in archives that include extraneous files):
- 1.00-beta COM: GRFWK70F.ZIP
- 1.00 COM: COLDCUT.ZIP, HDIR21.ZIP
- 1.03 COM: SAMPLES.ZIP, MPLAY200.ZIP
- 1.05 COM: DLINKS10.ZIP
- 1.12 COM: NEED65.ZIP
- 1.13 COM: TEENFMT2.ZIP
- 1.14 COM: TIMERA01.ZIP
- 1.15 COM: 3DVIS10.ZIP
- 2.01 COM: TI101A.ZIP
By version, EXE:
- 1.00-beta EXE: ezwindo1.zip
- 1.00 EXE: DISKOR10.ZIP, UMAIL11I.ZIP
- 1.03 EXE: NWRTH210.ZIP
- 1.05 EXE: APPINST.ZIP
- 1.12 EXE: MPGP11.ZIP, DCP41.ZIP
- 1.13 EXE: FAQ12.ZIP, MD5SUM.ZIP
- 1.14 EXE: XSUM11.ZIP, CPDSK195.ZIP
- 1.15 EXE: RCD24.ZIP, BMP2TXT.ZIP, CDROK99C.ZIP
- 1.50 EXE: MMCMP132.ZIP
- 2.01 EXE: ML96OCT.ZIP, 4DIZZY96.ZIP
By version, EXE with "extra compression":
- 1.03 EXE (-e): QBBS275U.ZIP
- 1.05 EXE (-e): ZNR093B.ZIP
- 1.12 EXE (-e): GIFLT210.ZIP
- 1.13 EXE (-e): WNEWSP11.ZIP, MEDLIN5.ZIP
- 1.14 EXE (-e): KA9QDR21.ZIP, GMOD13.ZIP
- 1.15 EXE (-e): FLMAS350.ZIP, FB315.ZIP
- 1.50 EXE (-e): MM-804RU.ZIP
- 2.01 EXE (-e): RRAFT212.ZIP
- Most EXE files from PKLITE distributions up to v1.13.
Special versions, EXE (usually labeled as version "1.20"):
- Most EXE Files from PKLITE v1.14, 1.15, 2.01.
- Most EXE files from PKZIP 1.93a+ for DOS (see ZIP#Software).
- Self-extracting ZIP files made by ZIP2EXE from PKZIP v2.04c+ - see Self-extracting ZIP#Sample files.
- pk204c2g.zip → PKPATCH.EXE
- pkzm100.zip → PKZM100.EXE → PKZMENU.EXE - version "1.10"
- PKZM104.EXE → PKZMENU.EXE - version "1.10"
- PKZF15.ZIP
Oddities:
- sd_200.zip → SD.EXE - File from StupenDOS, a PKWARE spin-off product. Apparently made by a pre-release version of PKLITE, then apparently code-named "PKPACK" (but not to be confused with PKPAK).
- pkzm104.arj → PKZM104X.EXE → PKZMENU.EXE - Possibly a legitimate file made by unreleased PKLITE v1.11. Format seems the same as v1.12, except for the version number.
- There are two (and only two) unusual PKLITE-compressed files included with PC-DOS 6.3 (e.g. at WinWorld), suggesting that there was a special IBM version of PKLITE.
- PC-DOS 6.3 → Disk 1 → FORMAT.COM - Version "1.16"
- PC-DOS 6.3 → Disk 1 → XCOPY.EXE - Labeled "1.50", but different from the actual v1.50.
- DMAKER20.ZIP - Either a fake version number, or evidence that v2.00 existed.
Modified files - simple (Modification of the copyright message or other unimportant things. Such files are common -- these are just random examples.):
- glx212.zip - Probably via an EXE header optimizer.
- WNEWSP11.ZIP - Faked to make it look like it uses "extra compression", when it doesn't.
- COMMO70.ZIP - Wrong version descriptor.
- BLUEQ155.ZIP
- 10TK97EN.ZIP (beta)
- FLISEE3.ZIP
- SATFIND2.ZIP
- PGS099H.ZIP
- FHD210US.ZIP
- ZIP_GO52.ZIP (EXE, COM)
- CDM330.ZIP
- SBPV400B.ZIP (COM)
- UPTIM300.ZIP (COM)
Modified files - other:
- KWS144.ZIP
- LIQ100.ZIP
- 3220A.ZIP, 3220B.ZIP - Different encrypted literals scheme, "v1.23".
- W7V1.ZIP - Number of relocations > 1.
- ZPDISK21.ZIP