Thread: Patching an exe to block 3rd party extractors

  1. #1
    Registered User
    Join Date
    Sep 2008
    Posts
    5

    Patching an exe to block 3rd party extractors

    Hi,

    A little background information. I'm intermediate level in both C, C++ and advanced Java.
    I want to improve my C++ programming skills right now, and also fix this issue I am having.


    Background information on my problem
    *******************************
    I have created a piece of software, and am packing it and all the supporting files with iExpress to make an easy installer. So the result is a nice single .exe that, when run by the user, will present them with a pretty interface to extract/install the application to their PCs. What I want is to block the file from simply being able to be extracted by 3rd party extractors. I have noticed that if I right-click on my install file, WinRAR gives me the option of extracting it.

    I think it makes my install file look ridiculous and very unprofessional. I have so far just ignored the issue, but many people who have used my application have noticed this and commented on it, and so I want to fix that now as I feel it cheapens my application!


    Solution I have thought up, but need help implementing
    *******************************************
    I figure I need to patch the final exe to somehow change the part of the file that shows it can be extracted with wextract (which is the standard application that extracts an iExpress file). Since the file itself knows to call wextract to start the installation process, the file will still work as normal. It will just remove the indicator to other applications that this file is just packed and can be unpacked.

    I have searched high and low for information on patching exe files, but have trouble with searches on Google.
    I have tried these, and many MANY more similar:

    "how to patch a file"
    "how to patch a PE file in C++"
    etc.

    They all turn up nothing useful... Can anyone help me? The concept is so simple I don't think this is very difficult, I just don't know where to start.

    Thank you for your time

  2. #2
    Malum in se abachler's Avatar
    Join Date
    Apr 2007
    Posts
    3,195
    If you are using Visual Studio, it has options for creating an installer package. WinRAR can still extract it though; it's a feature of WinRAR, not a failing of your program. If you absotively posilutely need to prevent this, just write a custom installer.

  3. #3
    C++まいる!Cをこわせ!
    Join Date
    Oct 2007
    Location
    Inside my computer
    Posts
    24,654
    I don't think it makes the program look unprofessional or cheap.
    It can be used to circumvent bad installers in some cases, so I vote that it's a good feature and not something you should disable.

  4. #4
    Registered User
    Join Date
    Sep 2008
    Posts
    5
    Thank you for your feedback.
    I am still hellbent on this though, and am trying to figure out what exactly in the binary file indicates to WinRAR and other extractors that it is a compressed archive.

    If anyone knows what indicates this, or any ways I can figure this out (using a debugger, etc.),
    please let me know.

    Thanks!

  5. #5
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    The WinRAR executable will contain the WinRAR archive itself. This contains some "magic words" to indicate that it is a WinRAR archive. You probably cannot patch those (unless you ALSO patch the executable side of the WinRAR executable) to match.

    Looking at this:
    Quote Originally Posted by Wiki RAR
    RAR files can be embedded in other file types, probably the most common being JPEG. Image handling programs, browsers, and other utilities usually ignore any additional data after the end of the image, while RAR ignores anything before the RAR header. The procedure to create such a file is to append a RAR file to a JPEG. (e.g.: in DOS/Windows command-line: copy /b image1.jpg+something.rar image2.jpg, other variant: type something.rar >> image.jpg, in UNIX: cat something.rar >> image.jpg)
    (from http://en.wikipedia.org/wiki/RAR_(file_format))

    it appears that my above statement on "you can't trivially change it" is correct. You would have to change both the decompression component (which is the actual executable part) and the actual RAR header to not match the common RAR format.

    --
    Mats
    Compilers can produce warnings - make the compiler programmers happy: Use them!
    Please don't PM me for help - and no, I don't do help over instant messengers.

  6. #6
    Registered User
    Join Date
    Sep 2008
    Posts
    5
    Thanks for your reply matsp

    I'm actually not using WinRAR to create the exe files; it is created with iExpress.

    WinRAR detects that the produced exe is an archive of some kind, and provides options to unextract the information.

    I am looking for a way to obfuscate the binary slightly so that WinRAR cannot detect my iExpress exe file is an archive of some type.

    I am trying to figure out
    1. how WinRAR or any extracting program detects an archive
    2. how to edit a binary file in C++ to obfuscate it slightly

  7. #7
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    WinRAR (and other such products) look for "markers" or "magic words" in the file to see that it is some sort of archive that it can handle.

    You can of course fool it into thinking it is not an archive by changing those markers. However, that also means that the part that looks in the installer .exe for those markers (which is most likely how that works) will not find the archive, so you would then have to modify those as well.

    As to how you modify the binary, you would have to identify the markers, find all references to the markers, and then modify those markers to something else, both in the decompression component and the payload data.

    --
    Mats

  8. #8
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    Just to give an example, here's what Rar looks for (from unrarsrc-3.7.8.tar.gz):
    Code:
    bool Archive::IsSignature(byte *D)
    {
      bool Valid=false;
      if (D[0]==0x52)
    #ifndef SFX_MODULE
        if (D[1]==0x45 && D[2]==0x7e && D[3]==0x5e)
        {
          OldFormat=true;
          Valid=true;
        }
        else
    #endif
          if (D[1]==0x61 && D[2]==0x72 && D[3]==0x21 && D[4]==0x1a && D[5]==0x07 && D[6]==0x00)
          {
            OldFormat=false;
            Valid=true;
          }
      return(Valid);
    }
    Compilers can produce warnings - make the compiler programmers happy: Use them!
    Please don't PM me for help - and no, I don't do help over instant messengers.
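
The marker check described in posts #7 and #8, generalized into a scanner that looks for archive signatures at every offset of a buffer, which is what "RAR ignores anything before the RAR header" implies a detector has to do. This is an added example, not part of the original posts or of the unrar source; the ZIP and cabinet markers, the function names and the sample buffer are assumptions introduced here.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

struct Sig { const char* name; std::vector<uint8_t> magic; };
struct Hit { std::string name; size_t offset; };

// The RAR markers are the bytes tested in the IsSignature() excerpt above;
// the ZIP and CAB markers are taken from those formats' public specifications.
static const std::vector<Sig> kSigs = {
    {"rar",     {0x52, 0x61, 0x72, 0x21, 0x1a, 0x07, 0x00}},  // "Rar!" 1a 07 00
    {"rar-old", {0x52, 0x45, 0x7e, 0x5e}},                    // "RE~^"
    {"zip",     {0x50, 0x4b, 0x03, 0x04}},                    // "PK" 03 04, local file header
    {"cab",     {0x4d, 0x53, 0x43, 0x46}},                    // "MSCF"
};

// Report every offset at which a known archive marker starts.
std::vector<Hit> scan_for_archives(const std::vector<uint8_t>& buf) {
    std::vector<Hit> hits;
    for (size_t off = 0; off < buf.size(); ++off)
        for (const Sig& s : kSigs)
            if (s.magic.size() <= buf.size() - off &&  // marker must fit in what is left
                std::memcmp(buf.data() + off, s.magic.data(), s.magic.size()) == 0)
                hits.push_back({s.name, off});
    return hits;
}

// Constructed sample: a 64-byte stand-in for a host file (starts with "MZ")
// with a RAR marker appended, like the JPEG+RAR file in the quoted article.
std::vector<uint8_t> make_sample() {
    std::vector<uint8_t> buf(64, 0x00);
    buf[0] = 'M'; buf[1] = 'Z';
    const uint8_t rar[] = {0x52, 0x61, 0x72, 0x21, 0x1a, 0x07, 0x00};
    buf.insert(buf.end(), rar, rar + sizeof rar);
    return buf;
}

int main() {
    for (const Hit& h : scan_for_archives(make_sample()))
        std::printf("%s marker at offset %zu\n", h.name.c_str(), h.offset);
    return 0;
}
```

A four-byte marker can also occur by chance inside unrelated binary data, so a hit is only a candidate until the header that follows it parses as that format.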

  9. #9
    Malum in se abachler's Avatar
    Join Date
    Apr 2007
    Posts
    3,195
    iExpress uses ZIP technology. WinRAR recognizes this very old, outdated compression method, as do all other modern compression applications. The only solution is to stop using iExpress.

    NO, there is no way to magically touch up the executable to make it both executable and unrecognizable to decompressors.

    Either deal with the fact you are using a kludge, use Visual Studio's installation generator, or write your own installation program. Those are the ONLY 3 choices you have.

    I once said years ago (on the CompuServe BBS) that any concept that a human being could fully conceive can be implemented on a computer. This still holds true; it's just that most people don't fully conceive an idea before they expect you to implement it.

  10. #10
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    So, if the file is a zip-file, then this specification should be useful:
    http://www.pkware.com/documents/casestudies/APPNOTE.TXT

    The format for a header specifies the beginning of a zip-file. I'm pretty sure that the header is the first part of the payload. Of course, disfiguring just that will not work, you will also have to patch the extractor part of the executable to match. Which may not be trivial.

    Whilst I don't think it's impossible to do this, I do think that abachler's point is correct: You probably shouldn't be "fixing" the problem this way - either live with the fact that iExpress is a fancy version of a zip self-extracting archive, or use a different installer. I doubt many users will care which of those two you choose.

    --
    Mats
