PKLITE

From Just Solve the File Format Problem
(Difference between revisions)
Jump to: navigation, search
 
(26 intermediate revisions by 2 users not shown)
Line 5: Line 5:
 
|released=1990
 
|released=1990
 
}}
 
}}
'''PKLITE''' is an executable compression utility, from the makers of PKZIP (see [[ZIP]]). There was a free-for-noncommercial-use version, and a "Professional" version. There was a separate [[PKLITE32]] product for 32-bit Windows.
+
'''PKLITE''' is an executable compression utility, from the makers of [[PKZIP]]. There was a free-for-noncommercial-use version, and a "Professional" version. There was a separate [[PKLITE32]] product for 32-bit Windows.
  
It supports mainly DOS [[MS-DOS EXE|.EXE]] and [[DOS executable (.com)|.COM]] formats. Version 2.01 added the ability to compress [[New Executable|Windows 3.x executables]].
+
It compresses [[MS-DOS EXE|DOS EXE]] files (to EXE), and [[DOS executable (.com)|COM]] files (to COM). Version 2.01 added the ability to compress [[New Executable|Windows 3.x executables]].
  
Many files compressed by PKLITE can be decompressed by PKLITE, using the <code>-x</code> option. The main exception is files compressed with <code>-e</code>, an option only available in the Professional version.
+
Many files compressed by PKLITE can be decompressed by PKLITE, using the <code>-x</code> option. The main exception is files compressed with <code>-e</code> ("extra compression"), an option only available in the Professional version.
 +
 
 +
== Overview of PKLITE versions ==
 +
The nine free versions listed in the Software section are probably all there were.
 +
 
 +
It seems plausible that the official Pro versions correspond to the free versions, except that whether v1.00 Pro existed is unclear.
 +
 
 +
PKWARE maintained a special internal version of PKLITE, used to compress many of the files they distributed, and the executable part of many [[self-extracting ZIP]] files. Such files are usually labeled v1.20, with a few of the earliest labeled v1.10. "1.20" does not represent a single format version; it's a whole line of formats, independent of the released versions.
 +
 
 +
There is a widely-distributed fake v1.20, which is actually a hacked copy of v1.12 Pro. The files it creates are labeled v1.12. There's no evidence of any legitimate v1.20 release.
 +
 
 +
There's evidence of some other versions used by companies outside of PKWARE, perhaps as part of a private beta test program. Files made by such versions can sometimes be identified in one way or another, though not all of them have a unique version number. In particular, files labeled v1.11, v1.16, or v2.00 may have such an origin. Note that the existence of v2.00β is claimed by [[GetTyp]].
 +
 
 +
== Format details ==
 +
=== Version descriptor ===
 +
Immediately preceding the copyright string in a pristine PKLITE-compressed file is a 16-bit little-endian integer we'll call the ''version descriptor''. In DOS EXE files, it's always at offset 28.
 +
 
 +
It characterizes, in broad terms, the version of PKLITE that was used, and the type of compression. The low 12 bits are the version number; for example, 0x10f means version 1.15. The 0x1000 bit is set if "extra" compression was used. The 0x2000 bit is for "large" compression mode.
 +
 
 +
=== Compression scheme ===
 +
The compression scheme is a kind of [[LZ77 with Huffman coding]], with pre-defined Huffman codebooks.
 +
 
 +
There are actually two different ''base'' compression schemes, sometimes called "small" and "large" mode. Large mode is used for larger files.
 +
 
 +
A different set of "small" and "large" schemes is used in version 1.10/1.20 files, so there are four base compression schemes total.
 +
 
 +
The base compression scheme can then be modified in two known ways:
 +
* ''Encrypted literals'': A simple obfuscation method, used with "extra" compression.
 +
* ''Encrypted offsets'': Another obfuscation method, used only in a few late-era v1.20 files.
 +
 
 +
This does not account for the relocation table, which is compressed in its own way, using one of several specialized schemes.
 +
 
 +
=== Encrypted decompressor ===
 +
Files made by v1.14+ with the <code>-e</code> option, and "v1.20" files, have an ''encrypted decompressor''. The bulk of the decompression code is obfuscated, to make it harder to analyze and modify.
 +
 
 +
V1.14+ uses a fairly simple XOR-based algorithm. The "v1.20" algorithm is similar, but with modular addition instead of XOR.
 +
 
 +
The decryption normally happens one "word" (two bytes) at a time, and in reverse order (last word first). The algorithm is initialized with a decryption key, but due to an apparent design error, the key is only needed for very "first" (last) word. In most or all relevant files, the key appears early in the program code, following a <code>0xba</code> byte.
 +
 
 +
A decompression utility does not necessarily have to decrypt the decompressor in order to decompress the file. But doing so allows the compression parameters to be determined more reliably. And it ''is'' necessary for files with ''encrypted offsets'', because the offset decryption key is embedded in the encrypted decompressor.
  
 
== Identification ==
 
== Identification ==
The PKLITE software includes ''CHK4LITE'', a utility that tries to identify PKLITE-compressed files, and the version of PKLITE they were created with.
+
Robust identification of PKLITE-compressed files is challenging, due to the many versions and options, and the fact that PKLITE files were often modified to make them more difficult to identify and/or decompress.
  
PKLITE-compressed files normally contain a copyright message near the beginning of the file (though this is not a very robust way to identify them). Based on limited testing, the message starts with either "{{magic|PKLITE}}" or "{{magic|PKlite}}". It is at offset 46 or 48 for COM files, 30 for DOS EXE files, 66 for Windows EXE files. Exception: COM files from v1.00β have "{{magic|PK&nbsp;Copyr}}" at offset 38.
+
Note that PKLITE includes ''CHK4LITE'', a utility that tries to identify PKLITE-compressed files, and the version of PKLITE they were created with. Different versions of CHK4LITE work differently, but it is fairly rudimentary, and never stood much chance in the arms race over disguising PKLITE files.
  
It's likely that all DOS EXE files made by v1.00 through v2.01 (though not the leaked v1.00β) have bytes {{magic|00 00}} or {{magic|01 00}} at offset 6, and {{magic|00 01 f0 ff}} at offset 20. This is fairly distinctive, though false positives are possible.
+
=== Identification of DOS COM ===
 +
Based on the start of the copyright message near the beginning of the file...
  
== Technical notes ==
+
* v1.00β has "{{magic|PK&nbsp;Copyr}}" at offset 38.
=== Version number ===
+
* v1.00 has "{{magic|PKlite}}" at offset 44.
For pristine PKLITE-compressed EXE files, the 16-bit little-endian integer at offset 28 characterizes, in broad terms, the version of PKLITE that was used, and the type of compression. The low 12 bits are the version number; for example, 0x10f means version 1.15. The 0x1000 bit is set if "extra" compression was used. The 0x2000 bit is another compression setting.
+
* v1.03-1.14 has "{{magic|PKLITE}}" at offset 44.
 +
* v1.15-2.01 has "{{magic|PKLITE}}" at offset 46.
  
=== Version 1.20 ===
+
=== Identification of DOS EXE ===
There was no free v1.20 release, but legitimate files do exist with that version number. Most of them are [[self-extracting ZIP]] files made by PKZIP v2.04's ZIP2EXE utility.
+
There is a copyright message at offset 30 that starts with "{{magic|PKlite}}" (v2.01) or "{{magic|PKLITE}}" (all other versions).
  
There is also a fake version that claims to be v1.20, but is actually a hacked copy of v1.12 Professional. The files it creates are (correctly) labeled as v1.12.
+
It's likely that all files (except those from v1.00β) have bytes {{magic|00 00}} or {{magic|01 00}} at offset 6, and {{magic|00 01 f0 ff}} at offset 20 (refer to [[MS-DOS EXE#Header structure]]). This is fairly distinctive, though false positives are possible.
 +
 
 +
=== Identification of Windows EXE ===
 +
There is a copyright message at offset 66 that starts "{{magic|PKlite}}" or "{{magic|Pklite}}". In files made by PKLITE 2.01, the "<code>K</code>" in this string is capitalized. In most files distributed directly by PKWARE, including relevant self-extracting ZIP files, it's lowercase.
 +
 
 +
There is a possible signature, "{{magic|TNT4}}", starting 8 bytes after the start of the standard "<code>NE</code>" signature. That is, at offset {8 + {the 4-byte integer at offset 60}&#x7d;.
  
 
== Specifications ==
 
== Specifications ==
Line 33: Line 79:
 
== Software ==
 
== Software ==
 
* PKLITE freeware/shareware, for DOS
 
* PKLITE freeware/shareware, for DOS
** v1.00 1990-12-01: [{{CdTextfilesURL|gigabytesw/027b/pklte10.exe}}]
+
** {{CdTextfiles|gigabytesw/027b/pklte10.exe|v1.00}} (1990-12-01)
** v1.03 1990-12-20: [{{CdTextfilesURL|californiacollect/his992/pklte103.exe}}]
+
** {{CdTextfiles|californiacollect/his992/pklte103.exe|v1.03}} (1990-12-20)
** v1.05 1991-03-20: [{{CdTextfilesURL|originalsw/25/pklte105.exe}}]
+
** {{CdTextfiles|originalsw/25/pklte105.exe|v1.05}} (1991-03-20)
** v1.12 1991-06-15: [{{CdTextfilesURL|originalsw/25/pklte112.exe}}]
+
** {{CdTextfiles|originalsw/25/pklte112.exe|v1.12}} (1991-06-15)
** v1.13 1991-08-01: [{{CdTextfilesURL|megademo2/UTILITY/ARCHIVE/PKLTE113.EXE}}]
+
** {{CdTextfiles|megademo2/UTILITY/ARCHIVE/PKLTE113.EXE|v1.13}} (1991-08-01)
** v1.14 1992-06-01: [{{CdTextfilesURL|ftp.wwiv.com/pub/COMPRESS/PKLTE114.ZIP}}]
+
** {{CdTextfiles|ftp.wwiv.com/pub/COMPRESS/PKLTE114.ZIP|v1.14}} (1992-06-01)
** v1.15 1992-07-30: [{{CdTextfilesURL|20mnn/ARCHIVE/PKLTE115.EXE}}]
+
** {{CdTextfiles|20mnn/ARCHIVE/PKLTE115.EXE|v1.15}} (1992-07-30)
** v1.50 1995-04-10: [{{CdTextfilesURL|dfeno1/ARCHIVER/PKLTE150.EXE}}]
+
** {{CdTextfiles|dfeno1/ARCHIVER/PKLTE150.EXE|v1.50}} (1995-04-10)
** v2.01 1996-03-15: [{{CdTextfilesURL|darkdomain/programs/dos/archivers/pklts201.exe}}]
+
** {{CdTextfiles|darkdomain/programs/dos/archivers/pklts201.exe|v2.01}} (1996-03-15)
 
* PKLITE - other/various
 
* PKLITE - other/various
 
** [http://old-dos.ru/index.php?page=files&mode=files&do=show&id=720 PKLite at old-dos.ru] - various versions
 
** [http://old-dos.ru/index.php?page=files&mode=files&do=show&id=720 PKLite at old-dos.ru] - various versions
** v1.00β 1990-05-29: [{{CdTextfilesURL|swinnund/disk3/FILEUTIL/PKLITE.ZIP}}] (not an authorized release[http://cd.textfiles.com/simtel/simtel20/MSDOS/INFO/PKLITE.WRN])
+
** {{CdTextfiles|swinnund/disk3/FILEUTIL/PKLITE.ZIP|v1.00β}} (1990-05-29) (not an authorized release[http://cd.textfiles.com/simtel/simtel20/MSDOS/INFO/PKLITE.WRN])
 
** fake v1.20 (1992-08-20): [{{CdTextfilesURL|thegreatunsorted/old_apps/dosutils/pklite.zip}}], [http://www.dcee.net/Files/Archiver/pklt120r.arj], [http://pub.agrarix.net/DOS/COMPRESS/PKLT120R.ARJ]
 
** fake v1.20 (1992-08-20): [{{CdTextfilesURL|thegreatunsorted/old_apps/dosutils/pklite.zip}}], [http://www.dcee.net/Files/Archiver/pklt120r.arj], [http://pub.agrarix.net/DOS/COMPRESS/PKLT120R.ARJ]
 +
** [https://vetusware.com/download/PKLite%202.01%20-e%20enabled/?id=9762 XADIP201.ZIP] (at vetusware.com) - Hacked "XADi" version of PKLITE 2.01-shareware. Claims to support the <code>-e</code> option, but it only does a little of what the real software does.
  
Static decompression:
+
Decompression, general:
* PKLITE (with <code>-x</code> option)
+
 
* [https://github.com/hackerb9/depklite depklite] (Not a complete decompression utility, but maybe useful.)
 
* [https://github.com/hackerb9/depklite depklite] (Not a complete decompression utility, but maybe useful.)
 
* [https://github.com/virginwidow/mz-explode mz-explode]
 
* [https://github.com/virginwidow/mz-explode mz-explode]
 
* {{Deark}} (with <code>-m pklite</code> option)
 
* {{Deark}} (with <code>-m pklite</code> option)
  
Dynamic decompression:
+
Decompression, for DOS:
* DISLITE (notable because its source code was released)
+
* PKLITE (with <code>-x</code> option)
** v1.17a: [{{CdTextfilesURL|pdos9606/ARCHIVER/EXECOMP/DISLT117.ZIP}}], [https://johnpc.home.xs4all.nl/dislite/dislt117.zip]
+
* DISLITE by JohnPC & CV-Tassle: {{CdTextfiles|pdos9606/ARCHIVER/EXECOMP/DISLT117.ZIP|v1.17a}} · [https://johnpc.home.xs4all.nl/dislite/dislt117.zip another copy] · [https://johnpc.home.xs4all.nl/dislite/dislite.zip source code]
** [https://johnpc.home.xs4all.nl/dislite/dislite.zip Source code]
+
* See [[Executable compression#Decompression software]] for some multi-format utilities that support PKLITE, e.g. UNP.
* A number of other DOS utilities exist to decompress PKLITE files; a few are at [{{CdTextfilesURL|pdos9606/ARCHIVER/EXECOMP/}}].
+
* UnPKLite ([https://web.archive.org/web/20070101000000*/http://www.tbcnet.com/~clive/unpklite.zip archived]) by Tenth Planet Software / Clive Turvey
 +
* {{CdTextfiles|somuch/smsharew2/UTIL2/PKUN10.ZIP|PKUNLITE v1.00}} by Montgomery Engineering
 +
* {{CdTextfiles|sv/svplatinum/CDR31/UNLITE30.ZIP|PKUNLITE v3.00}} by The Software Surgeon & Electronic Rats
 +
* Universal PKLITE Unpacker (UNPKLITE.EXE) by PReDaTor 666: {{OldskoolDOSEXE}} → Executable Tools Pack → unpackers/universal pklite unpacker.*
 +
* [[AVPACK]]
 +
* {{CdTextfiles|simtel/simtel20/MSDOS/EXECOMP/EXLITE2.ZIP|ExLite}} by Inbar Raz (COM files only, includes source code)
 +
 
 +
Protectors (utilities that modify a PKLITE-compressed file to make it more difficult to identify and/or decompress):
 +
* {{CdTextfiles|nightowl/nopv09/018A/PKFOOL10.ZIP|PKFOOL v1.0}} (requires BRUN45.EXE, not included)
 +
* {{CdTextfiles|silvercollection/disc2/ARCHIVE/PKLTEFIX.ARJ|PKLTEFIX}}
 +
* [{{SACFTPURL|pack|un2pack2.zip}} UN²PACK v2.0]
 +
 
 +
Other:
 +
* {{CdTextfiles|simtel/simtel20/MSDOS/EXECOMP/LOWFIX.ZIP|LOWFIX}} - Patches v1.00-1.05 to fix bugs, and changes the version number to 1.06.
 +
* [https://github.com/jsummers/pkla pkla] - Analyzer utility
 +
* See also [[MEGALITE]]
 +
* See also [[PKTINY]]
  
 
== Sample files ==
 
== Sample files ==
 +
Various:
 
* https://github.com/camoto-project/testexe/tree/master/compress
 
* https://github.com/camoto-project/testexe/tree/master/compress
 +
* {{DexvertSamples|archive/pklitePacked}}
 +
 +
By version, COM (mainly in archives that include extraneous files):
 +
* 1.00-beta COM: {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/GRAPHICS/GRFWK70F.ZIP|GRFWK70F.ZIP}}
 +
* 1.00 COM: {{CdTextfiles|smsharew/MUSIC/COLDCUT.ZIP|COLDCUT.ZIP}}, {{CdTextfiles|smsharew/UTIL1/HDIR21.ZIP|HDIR21.ZIP}}
 +
* 1.03 COM: {{CdTextfiles|smsharew/PASCAL/SAMPLES.ZIP|SAMPLES.ZIP}}, {{CdTextfiles|smsharew/MUSIC/MPLAY200.ZIP|MPLAY200.ZIP}}
 +
* 1.05 COM: {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/DIRUTL/DLINKS10.ZIP|DLINKS10.ZIP}}
 +
* 1.12 COM: {{CdTextfiles|simtel/stmsdos9709/disk2/DISC2/SYSINFO/NEED65.ZIP|NEED65.ZIP}}
 +
* 1.13 COM: {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/DISKUTIL/TEENFMT2.ZIP|TEENFMT2.ZIP}}
 +
* 1.14 COM: {{CdTextfiles|simtel/stmsdos9709/disk2/DISC2/SYSUTL/TIMERA01.ZIP|TIMERA01.ZIP}}
 +
* 1.15 COM: {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/GRAPHICS/3DVIS10.ZIP|3DVIS10.ZIP}}
 +
* 2.01 COM: {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/DISKUTIL/TI101A.ZIP|TI101A.ZIP}}
 +
 +
By version, EXE:
 +
* 1.00-beta EXE: {{CdTextfiles|wildcatgold/util/ezwindo1.zip|ezwindo1.zip}}
 +
* 1.00 EXE: {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/DIRUTL/DISKOR10.ZIP|DISKOR10.ZIP}}, {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/MAILNEWS/UMAIL11I.ZIP|UMAIL11I.ZIP}}
 +
* 1.03 EXE: {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/MAILNEWS/NWRTH210.ZIP|NWRTH210.ZIP}}
 +
* 1.05 EXE: {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/INSTAL/APPINST.ZIP|APPINST.ZIP}}
 +
* 1.12 EXE: {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/SECURITY/MPGP11.ZIP|MPGP11.ZIP}}, {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/DISKUTIL/DCP41.ZIP|DCP41.ZIP}}
 +
* 1.13 EXE: {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/TXTUTL/FAQ12.ZIP|FAQ12.ZIP}}, {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/FILEUTIL/MD5SUM.ZIP|MD5SUM.ZIP}}
 +
* 1.14 EXE: {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/FILEUTIL/XSUM11.ZIP|XSUM11.ZIP}}, {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/DISKUTIL/CPDSK195.ZIP|CPDSK195.ZIP}}
 +
* 1.15 EXE: {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/DIRUTL/RCD24.ZIP|RCD24.ZIP}}, {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/GRAPHICS/BMP2TXT.ZIP|BMP2TXT.ZIP}}, {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/CDROM/CDROK99C.ZIP|CDROK99C.ZIP}}
 +
* 1.50 EXE: {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/MUSIC/MMCMP132.ZIP|MMCMP132.ZIP}}
 +
* 2.01 EXE: {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/INFO/ML96OCT.ZIP|ML96OCT.ZIP}}, {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/4DOS/4DIZZY96.ZIP|4DIZZY96.ZIP}}
 +
 +
By version, EXE with "extra compression":
 +
* 1.03 EXE (-e): {{CdTextfiles|640swstudio/BBS/QBBS275U.ZIP|QBBS275U.ZIP}}
 +
* 1.05 EXE (-e): {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/MAILNEWS/ZNR093B.ZIP|ZNR093B.ZIP}}
 +
* 1.12 EXE (-e): {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/GIF/GIFLT210.ZIP|GIFLT210.ZIP}}
 +
* 1.13 EXE (-e): {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/WAFFLE/WNEWSP11.ZIP|WNEWSP11.ZIP}}, {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/BUSINESS/MEDLIN5.ZIP|MEDLIN5.ZIP}}
 +
* 1.14 EXE (-e): {{CdTextfiles|simtel/stmsdos9709/disk2/DISC2/TCPIP/KA9QDR21.ZIP|KA9QDR21.ZIP}}, {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/MUSIC/GMOD13.ZIP|GMOD13.ZIP}}
 +
* 1.15 EXE (-e): {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/CATALOG/FLMAS350.ZIP|FLMAS350.ZIP}}, {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/FILEUTIL/FB315.ZIP|FB315.ZIP}}
 +
* 1.50 EXE (-e): {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/FOODS/MM-804RU.ZIP|MM-804RU.ZIP}}
 +
* 2.01 EXE (-e): {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/HAMRADIO/RRAFT212.ZIP|RRAFT212.ZIP}}
 +
* Most EXE files from PKLITE distributions up to v1.13.
 +
 +
Special versions, EXE (usually labeled as version "1.20"):
 +
* Most EXE Files from PKLITE v1.14, 1.15, 2.01.
 +
* Most EXE files from PKZIP 1.93a+ for DOS (see [[ZIP#Software]]).
 +
* Self-extracting ZIP files made by ZIP2EXE from PKZIP v2.04c+ - see [[Self-extracting ZIP#Sample files]].
 +
* DOS format self-extracting ZIP files made by some versions of PKZIP for Windows (e.g. v2.63). These report "PKSFX 2.49" when executed. (Refer to [[PKZIP#Software]].)
 +
* Self-extracting ZIP files made by ZIP2EXE from PKZIP 2.50 DOS shareware. (Refer to [[PKZIP#Software]].)
 +
* {{CdTextfiles|swextrav4/swextrav4-3/arch/pk204c2g.zip|pk204c2g.zip}} → PKPATCH.EXE
 +
* {{CdTextfiles|californiacollect/his008/pkzm100.zip|pkzm100.zip}} → PKZM100.EXE → PKZMENU.EXE - version "1.10"
 +
* {{CdTextfiles|simtel/simtel20/MSDOS/ZIP/PKZM104.EXE|PKZM104.EXE}} → PKZMENU.EXE - version "1.10"
 +
* {{CdTextfiles|simtel/simtel9703/disk2/DISC2/ARCUTILS/PKZF15.ZIP|PKZF15.ZIP}}
 +
 +
EXE for Windows 3.x:
 +
* [{{SACFTPURL|pack|pk263w16.exe}} pk263w16.exe] (this file, and the PKZIPW.EXE file contained in it)
 +
 +
Oddities:
 +
* {{CdTextfiles|swextrav1993/disk3/diskutil/sd_200.zip|sd_200.zip}} → SD.EXE - File from StupenDOS, a PKWARE spin-off product. Apparently made by a pre-release version of PKLITE, then apparently code-named "PKPACK" (but not to be confused with [[PKARC/PKPAK|PKPAK]]).
 +
* Version "1.11" (File structure looks identical to v1.12.)
 +
** {{CdTextfiles|bbox4/archiver/pkzm104.arj|pkzm104.arj}} → PKZM104X.EXE → PKZMENU.EXE
 +
** Some of the EXE files in this package (said to be an update to PC Tools 7 by Central Point Software): {{CdTextfiles|californiacollect/his041/cpb0701a.zip|cpb0701a.zip}}, {{CdTextfiles|californiacollect/his041/cpb0701b.zip|cpb0701b.zip}}, {{CdTextfiles|californiacollect/his041/cpb0701c.zip|cpb0701c.zip}} (e.g. CPBQ3.EXE, CPBQ5.EXE)
 +
** Many of the EXE files from OnNet16 v2.5 by FTP Software: [https://archive.org/details/pcwk-4a-98 PC World Komputer 04A/98] → Wtestowe/OnNet16/*.EXE (e.g. FTPVER.EXE)
 +
* There are two unusual PKLITE-compressed files included with PC-DOS 6.3 (e.g. [https://winworldpc.com/product/pc-dos/6x at WinWorld]), apparently made by a beta or special version of PKLITE.
 +
** PC-DOS 6.3 → Disk 1 → FORMAT.COM - Version "1.16"
 +
** PC-DOS 6.3 → Disk 1 → XCOPY.EXE - Labeled "1.50", but different from the actual v1.50.
 +
* {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/FILEUTIL/DMAKER20.ZIP|DMAKER20.ZIP}} - Version "2.00"
 +
 +
Modified files - simple (Modification of the copyright message or other unimportant things. Such files are common -- these are just random examples.):
 +
* {{CdTextfiles|cream05/sound/glx212.zip|glx212.zip}} - Probably via an EXE header optimizer.
 +
* {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/WAFFLE/WNEWSP11.ZIP|WNEWSP11.ZIP}} - Faked to make it look like it uses "extra compression", when it doesn't.
 +
* {{CdTextfiles|simtel/stmsdos9709/disk2/DISC2/COMMPROG/COMMO70.ZIP|COMMO70.ZIP}} - Wrong version descriptor.
 +
* {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/MAILNEWS/BLUEQ155.ZIP|BLUEQ155.ZIP}}
 +
* {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/EDUCATE/10TK97EN.ZIP|10TK97EN.ZIP}} (beta)
 +
* {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/ANIMATE/FLISEE3.ZIP|FLISEE3.ZIP}}
 +
* {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/SATELITE/SATFIND2.ZIP|SATFIND2.ZIP}}
 +
* {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/SECURITY/PGS099H.ZIP|PGS099H.ZIP}}
 +
* {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/FILEUTIL/FHD210US.ZIP|FHD210US.ZIP}}
 +
* {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/DISKUTIL/ZIP_GO52.ZIP|ZIP_GO52.ZIP}} (EXE, COM)
 +
* {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/CDROM/CDM330.ZIP|CDM330.ZIP}}
 +
* {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/SOUND/SBPV400B.ZIP|SBPV400B.ZIP}} (COM)
 +
* {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/CLOCKS/UPTIM300.ZIP|UPTIM300.ZIP}} (COM)
 +
 +
Modified files - other:
 +
* {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/TXTUTL/KWS144.ZIP|KWS144.ZIP}}
 +
* {{CdTextfiles|pdos9606/SOUND/MODPLAY/LIQ100.ZIP|LIQ100.ZIP}}
 +
* {{CdTextfiles|librisbritannia/COMMUNIC/BULLETIN/3220A.ZIP|3220A.ZIP}}, {{CdTextfiles|librisbritannia/COMMUNIC/BULLETIN/3220B.ZIP|3220B.ZIP}} - Different ''encrypted literals'' scheme, "v1.23".
 +
* {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/ANIMATE/W7V1.ZIP|W7V1.ZIP}} - Number of relocations &gt; 1.
 +
* {{CdTextfiles|simtel/stmsdos9709/disk1/DISC1/ARCUTILS/ZPDISK21.ZIP|ZPDISK21.ZIP}}
  
 
== Links ==
 
== Links ==

Latest revision as of 15:28, 12 October 2024

File Format
Name PKLITE
Ontology
Released 1990

PKLITE is an executable compression utility, from the makers of PKZIP. There was a free-for-noncommercial-use version, and a "Professional" version. There was a separate PKLITE32 product for 32-bit Windows.

It compresses DOS EXE files (to EXE), and COM files (to COM). Version 2.01 added the ability to compress Windows 3.x executables.

Many files compressed by PKLITE can be decompressed by PKLITE, using the -x option. The main exception is files compressed with -e ("extra compression"), an option only available in the Professional version.

Contents

[edit] Overview of PKLITE versions

The nine free versions listed in the Software section are probably all there were.

It seems plausible that the official Pro versions correspond to the free versions, except that whether v1.00 Pro existed is unclear.

PKWARE maintained a special internal version of PKLITE, used to compress many of the files they distributed, and the executable part of many self-extracting ZIP files. Such files are usually labeled v1.20, with a few of the earliest labeled v1.10. "1.20" does not represent a single format version; it's a whole line of formats, independent of the released versions.

There is a widely-distributed fake v1.20, which is actually a hacked copy of v1.12 Pro. The files it creates are labeled v1.12. There's no evidence of any legitimate v1.20 release.

There's evidence of some other versions used by companies outside of PKWARE, perhaps as part of a private beta test program. Files made by such versions can sometimes be identified in one way or another, though not all of them have a unique version number. In particular, files labeled v1.11, v1.16, or v2.00 may have such an origin. Note that the existence of v2.00β is claimed by GetTyp.

[edit] Format details

[edit] Version descriptor

Immediately preceding the copyright string in a pristine PKLITE-compressed file is a 16-bit little-endian integer we'll call the version descriptor. In DOS EXE files, it's always at offset 28.

It characterizes, in broad terms, the version of PKLITE that was used, and the type of compression. The low 12 bits are the version number; for example, 0x10f means version 1.15. The 0x1000 bit is set if "extra" compression was used. The 0x2000 bit is for "large" compression mode.

[edit] Compression scheme

The compression scheme is a kind of LZ77 with Huffman coding, with pre-defined Huffman codebooks.

There are actually two different base compression schemes, sometimes called "small" and "large" mode. Large mode is used for larger files.

A different set of "small" and "large" schemes is used in version 1.10/1.20 files, so there are four base compression schemes total.

The base compression scheme can then be modified in two known ways:

  • Encrypted literals: A simple obfuscation method, used with "extra" compression.
  • Encrypted offsets: Another obfuscation method, used only in a few late-era v1.20 files.

This does not account for the relocation table, which is compressed in its own way, using one of several specialized schemes.

[edit] Encrypted decompressor

Files made by v1.14+ with the -e option, and "v1.20" files, have an encrypted decompressor. The bulk of the decompression code is obfuscated, to make it harder to analyze and modify.

V1.14+ uses a fairly simple XOR-based algorithm. The "v1.20" algorithm is similar, but with modular addition instead of XOR.

The decryption normally happens one "word" (two bytes) at a time, and in reverse order (last word first). The algorithm is initialized with a decryption key, but due to an apparent design error, the key is only needed for very "first" (last) word. In most or all relevant files, the key appears early in the program code, following a 0xba byte.

A decompression utility does not necessarily have to decrypt the decompressor in order to decompress the file. But doing so allows the compression parameters to be determined more reliably. And it is necessary for files with encrypted offsets, because the offset decryption key is embedded in the encrypted decompressor.

[edit] Identification

Robust identification of PKLITE-compressed files is challenging, due to the many versions and options, and the fact that PKLITE files were often modified to make them more difficult to identify and/or decompress.

Note that PKLITE includes CHK4LITE, a utility that tries to identify PKLITE-compressed files, and the version of PKLITE they were created with. Different versions of CHK4LITE work differently, but it is fairly rudimentary, and never stood much chance in the arms race over disguising PKLITE files.

[edit] Identification of DOS COM

Based on the start of the copyright message near the beginning of the file...

  • v1.00β has "PK Copyr" at offset 38.
  • v1.00 has "PKlite" at offset 44.
  • v1.03-1.14 has "PKLITE" at offset 44.
  • v1.15-2.01 has "PKLITE" at offset 46.

[edit] Identification of DOS EXE

There is a copyright message at offset 30 that starts with "PKlite" (v2.01) or "PKLITE" (all other versions).

It's likely that all files (except those from v1.00β) have bytes 00 00 or 01 00 at offset 6, and 00 01 f0 ff at offset 20 (refer to MS-DOS EXE#Header structure). This is fairly distinctive, though false positives are possible.

[edit] Identification of Windows EXE

There is a copyright message at offset 66 that starts "PKlite" or "Pklite". In files made by PKLITE 2.01, the "K" in this string is capitalized. In most files distributed directly by PKWARE, including relevant self-extracting ZIP files, it's lowercase.

There is a possible signature, "TNT4", starting 8 bytes after the start of the standard "NE" signature. That is, at offset {8 + {the 4-byte integer at offset 60}}.

[edit] Specifications

[edit] Software

  • PKLITE freeware/shareware, for DOS
  • PKLITE - other/various
    • PKLite at old-dos.ru - various versions
    • v1.00β (1990-05-29) (not an authorized release[1])
    • fake v1.20 (1992-08-20): [2], [3], [4]
    • XADIP201.ZIP (at vetusware.com) - Hacked "XADi" version of PKLITE 2.01-shareware. Claims to support the -e option, but it only does a little of what the real software does.

Decompression, general:

Decompression, for DOS:

Protectors (utilities that modify a PKLITE-compressed file to make it more difficult to identify and/or decompress):

Other:

  • LOWFIX - Patches v1.00-1.05 to fix bugs, and changes the version number to 1.06.
  • pkla - Analyzer utility
  • See also MEGALITE
  • See also PKTINY

[edit] Sample files

Various:

By version, COM (mainly in archives that include extraneous files):

By version, EXE:

By version, EXE with "extra compression":

Special versions, EXE (usually labeled as version "1.20"):

  • Most EXE Files from PKLITE v1.14, 1.15, 2.01.
  • Most EXE files from PKZIP 1.93a+ for DOS (see ZIP#Software).
  • Self-extracting ZIP files made by ZIP2EXE from PKZIP v2.04c+ - see Self-extracting ZIP#Sample files.
  • DOS format self-extracting ZIP files made by some versions of PKZIP for Windows (e.g. v2.63). These report "PKSFX 2.49" when executed. (Refer to PKZIP#Software.)
  • Self-extracting ZIP files made by ZIP2EXE from PKZIP 2.50 DOS shareware. (Refer to PKZIP#Software.)
  • pk204c2g.zip → PKPATCH.EXE
  • pkzm100.zip → PKZM100.EXE → PKZMENU.EXE - version "1.10"
  • PKZM104.EXE → PKZMENU.EXE - version "1.10"
  • PKZF15.ZIP

EXE for Windows 3.x:

  • pk263w16.exe (this file, and the PKZIPW.EXE file contained in it)

Oddities:

  • sd_200.zip → SD.EXE - File from StupenDOS, a PKWARE spin-off product. Apparently made by a pre-release version of PKLITE, then apparently code-named "PKPACK" (but not to be confused with PKPAK).
  • Version "1.11" (File structure looks identical to v1.12.)
  • There are two unusual PKLITE-compressed files included with PC-DOS 6.3 (e.g. at WinWorld), apparently made by a beta or special version of PKLITE.
    • PC-DOS 6.3 → Disk 1 → FORMAT.COM - Version "1.16"
    • PC-DOS 6.3 → Disk 1 → XCOPY.EXE - Labeled "1.50", but different from the actual v1.50.
  • DMAKER20.ZIP - Version "2.00"

Modified files - simple (Modification of the copyright message or other unimportant things. Such files are common -- these are just random examples.):

Modified files - other:

[edit] Links

Personal tools
Namespaces

Variants
Actions
Navigation
Toolbox