XCK and CRK file formats for binary patching in Windows.

Mon 22 May 2017 in Reversing

#Reversing

Do not bother Googling these file types as they belong with the era before Google even existed. In these pre-Google Dark Ages there were people taking pride in circumventing software protections or cracking in other words, and believe or not – absolutely for free. Yep, even DMCA didn’t exist back then. But this post is about technical side anyway. So, in these days of distributing software via BBS and floppies disk space played an important role and to save bytes, the crackers were distributing not the cracked software but the patch instructions to be applied to the original software to remove the protection. These patching instructions were placed in the XCK/CRK text files to be supplied to the dedicated binary patchers. You can still find those patchers on the Net even though they are DOS programs: Cracker by Corner Crackers, 1991; Cracker Advanced by Professor Nimnull ; Program Cracker by Dr.Stein's labs, 1993; Crack Studio by Turansoft, 1997 . You can download them for example from (http://old-dos.ru/) website. The process was simple – a cracker was removing in some way the protection, then he/she run a software that compared the differences between the original file and the patched one (most popular being C2U.exe), and dumped them in hex format to the text file .CRK or .XCK to be later supplied to a patcher. The binary diff is still around as part of Windows 10, the good old fc \B <original file> <patched file>> patchme.crk . Here is example:

HIEW\PROJECTS>fc /B serial_orig.exe serial1.exe

Comparing files serial_orig.exe and SERIAL1.EXE
00003F08: 74 EB
00003F09: EB 16

The CRK / CRA / XCK files basically contained the same information enclosed inside [BeginCRK] and [EndCRK] tags – 1st comes byte offset into the file, next is byte value in the original unpatched file at this location to be changed, followed by the new byte value to be placed at this location. That is it. In the above example the instruction JZ (0x74) is to be changed to plain JMPS (EB). This example is part of the tutorial series I record about HIEW hex editor, later to be posted on the Youtube. The rest of the CRK/CRA/XCK file was mostly dedicated to bragging and self-promotion. For the history I will list the fields that were usually found in the complete CRK/CRA/XCK file along with my comments after //:

[BeginXCK]   //Beginning of the file
Description:  // Description of the targeted software
Crack [subject]: // What is being cracked (serial/time limit/floppy protection/etc)
Crack by: // Author of the crack
Crack made at:  // Date of the crack
Used packer: // Whether some packer was used
Target OS:  // Target OS ,   e.g. DOS/Win95
URL:  // if the program had a website
Protection: // level of the software protection difficulty in percent, subjective to the cracker of course
Language:  // Guessed programming language of the original software
Size: // software size in bytes
Type of Hack: // type of crack , e.g. JMP correction
Used Tools: // tools used to beat the protection, e.g. HIEW/Soft-Ice
Under Music: // Music being listened to while cracking, in those days it should have been HMR of some kind to sound cool
[BeginCRK]   // actual patch information starts here
Original_software_name
Filename.exe // file to be patched
00003F08: 74 EB

[EndCRK]
[EndXCK]

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.