(You know how to create .pdf documents? No? I will -shortly- explain it)

by zeezee

(31 October 1997)

Well, a nice contribution by zeezee, it's the 'lazy' way, yet it's interesting indeed, and can be useful for all those following the 'harder' way...

   The last +ORC idea to crack .pdf is pretty cool. I thought about it several
   months ago, having a need to produce .pdf documents without Acrobat.
   I'm too lazy to even think about writing a txt -> pdf converter myself.

   First (and not so bad) idea was to go to Adobe site and look through.
   Bingo! (say 'small bingo'). I found an update to PdfWriter for NT. 
   Seems that they have not released the correct PDFWriter on the Exchange 
   D/L it and tried to install. Wanted serial# to install.
   1/2 hour reversing and it worked fine (I had lost my serial).

   So, now I'm able to produce .pdf documents from, say, Word using PDFWriter
   as one of the printers (exactly like Ghiribizzo does, see File/Doc Info/
   This should solve the "txt -> pdf converter" problem for all the lazy ones. 
   Download PDFWriter update from Adobe site, do some minor cracking, and 
   you're able to produce full-blown .pdf files.

   The approach I used is somewhat original. No IDA, no SoftICE, HIEW only.

   A short description of my work is here:

                Create PDF documents for free using Adobe PDF Writer
                               (for NT-ers only)
                                   by zeezee

You know Acrobat Reader and .pdf documents. Everyone knows them.
Do you know how to create a .pdf document? No? I will - shortly - explain it.

There are many ways.
First, you can buy Adobe Exchange. Simple but not so elegant for real crackers.
  You would then get Acrobat Distiller, which converts PostScript to PDF and
  PDFWriter, which is a printer driver that lets you make PDF documents from all
  Windoze programs that can print. You simply print to PDF Writer and your PDF
  document is ready.
Second, you can write a nice txt->pdf converter if you wish. Not-so-simple, 
  but interesting and formative work (+orc will thank you personally on his 
  new recyclable bits).
And, third: look for our target! Adobe is giving it for free on its web site!

So, let's focus on this third variant.

Files needed:
- PWNT302.EXE (or maybe a newer version) from Adobe or a mirror
- HIEW.EXE as usual.

The smart people at Adobe released the NT version of Acrobat Exchange before
the final version of PDFWriter was released. So they released update version
3.02 on their web site. PWNT302.EXE is the name and ca. 1.2M is the length.
But this version asks for our beloved serial# during setup and does not install
when it's not correct.
First I tried to disassemble the setup program. It is a compressed InstallShield
image using setup.ins as a compiled script file. I had no idea how to find the
serial# screen.
So I tried to find another way: how to change the script (common to 80% of
installed software for '95 or NT) so that it skips this screen.

When you have PWNT302.EXE and HIEW ready go this way.

Steps marked '-' are essential, steps marked '*' are informational only.

- start Windows Explorer
- clear the contents of your Windows temp directory (c:\temp or something like
  that), just to avoid copying junk
- start PWNT302.EXE and press Next until serial# screen is shown
- then press Alt-Tab to go to Explorer
- copy all files from temp folder to, say, c:\t1
  You have uncompressed setup program there.

* go to _ISTMP0.DIR (the digit may vary if temp dir wasn't empty)
* open ACROINST.INI with notepad
  Nice script, isn't it?
  Look at keys starting with Display - these are the dialogs setup shows.
  DisplaySVAL is the key to success. It controls displaying of serial#
  validation (surprise???)
  But we can't simply change it to NO because setup _creates_ this file always
  and it's locked during setup so we can't edit it.
  I used grep to find 'DisplaySVAL' in all setup files and found 2 occurrences
  in SETUP.INS. It's a kind of compiled setup script and I have no idea how to
  patch it to assume 'NO' to this question. But there is another possibility.
  SETUP.INS wants to find DisplaySVAL string in ACROINST.INI. So we can change
  one letter in this string inside SETUP.INS and it will search for DisplayXVAL
  which it definitely doesn't find. Now all depends on default behaviour when
  DisplaySVAL key isn't found but - to our luck - it is good.
  Close Notepad. You now know what to do.

- switch back to setup and close it. Files from temp will be deleted.

- open the copied SETUP.INS with hiew. Search for DisplaySVAL
  Edit it as follows (offsets may vary in later versions of setup)
  20A0B: 53 -> 58
  20CAD: 53 -> 58
  This changes DisplaySVAL to DisplayXVAL 2 times.

- run setup.exe and - voila! no serial# validation. Other installation goes

- happy PDF writing.
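
The procedure above works because setup treats a missing DisplaySVAL key as "skip the check" and runs a script whose integrity nobody verifies. The sketch below is an added example, not part of zeezee's essay and not InstallShield code: it contrasts a fail-open and a fail-closed key lookup and adds a digest check on the script, using a constructed INI, a constructed script blob, and a hypothetical [Dialogs] section name.

```python
import configparser
import hashlib
import hmac

# Constructed stand-ins; not the real ACROINST.INI or SETUP.INS contents.
SAMPLE_INI = "[Dialogs]\nDisplayWelcome=YES\nDisplaySVAL=YES\n"
SCRIPT = b"\x01\x02READKEY\x00DisplaySVAL\x00\x03"
# One changed byte (0x53 -> 0x58), the kind of edit the essay describes.
TAMPERED = SCRIPT.replace(b"DisplaySVAL", b"DisplayXVAL")
# Assumption: the publisher pins this digest at build time (ideally signed).
EXPECTED_SHA256 = hashlib.sha256(SCRIPT).hexdigest()


def load_ini(text):
    parser = configparser.ConfigParser()
    parser.optionxform = str  # keep key names case-sensitive
    parser.read_string(text)
    return parser


def key_named_in(script):
    """Return the Display* key name the constructed script blob looks up."""
    for field in script.split(b"\x00"):
        if field.startswith(b"Display"):
            return field.decode("ascii")
    raise ValueError("no Display* key in script")


def check_enabled_fail_open(ini, key):
    """Weak: an absent key is treated as 'NO', so the check is skipped."""
    return ini.get("Dialogs", key, fallback="NO").upper() == "YES"


def check_enabled_fail_closed(ini, key):
    """Hardened: only an explicit 'NO' disables the check; absence enforces it."""
    return ini.get("Dialogs", key, fallback="YES").upper() != "NO"


def script_is_intact(script, expected_hex):
    """Compare the script's SHA-256 with the pinned digest before running it."""
    actual = hashlib.sha256(script).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


if __name__ == "__main__":
    ini = load_ini(SAMPLE_INI)
    for name, blob in (("original", SCRIPT), ("tampered", TAMPERED)):
        key = key_named_in(blob)
        print(name, key, check_enabled_fail_open(ini, key),
              check_enabled_fail_closed(ini, key),
              script_is_intact(blob, EXPECTED_SHA256))
```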

Greets to +orc and all in the cracking universe.

3. Conclusion: InstallShield SETUP.INS cracking is a challenge. I will work on
   this target as time allows.  

zeezee (zee_zee@hotmail.com)  

(c) zeezee 1997. All rights reserved
