How to Reverse Lotus SmartSuite-97
("Date coding magic number galore")
by +Rcg
(26 September 1997)
Courtesy of fravia's page
of reverse engineering
Well, I decided to leave +Rcg's email to me... I'm leaving
for two weeks and have no time any more to search the archies. If
anybody has DDK-95, please contact +Rcg.
Hi Fravia, this is a small essay... nothing new but interesting.
BTW, I like the new style of your pages.
One more thing.... I need the DDK-95 include files to create
the dynamically loaded VxD, but I have not been able to
find them... Could you help me with this inconvenience?
Thanks again for your dedication, +Rcg
Well, an interesting thought: cracking Lotus to
damage Microsoft... I'm not so sure, yet the reasoning by
+Rcg seems sound: read on
How to Reverse Lotus SmartSuite-97
Well, this is another essay based on a '?? days' trial scheme,
and of course you won't profit much from it because, in Master
+ORC's words, it is 'the same soup' as the other essays you
can read on these pages; the main reason I'm writing
this is that it deals with the Micro$oft war. Yes... you
could think we are supporting MS by reversing the protections
of its (few) rivals... that may be so, nevertheless I
consider that if we can move people to 'trial' these programs for
a long time, maybe in the future they (or we ourselves) will buy
them (or at least buy them for our job computers :-)
Another reason is that, as you know, MS Office 97 modifies
the kernel, fiddles with your desktop and does a lot of other
"internal" things that you and I can imagine and eventually
find out, but that zombies will never discover. They will never
think that during their 90-day "trial" of MS Office this Trojan
horse is possibly (and probably) sending the MS Internet site
quite a lot of information about the software inside their computers
and other kinds of data (read the "Trojan essay" on Fravia's great
site), so I will never install the Micro$oft Trojan horse on my computer
(at least not until I have fully reversed it :-), and so I have
decided to install my 'unlimited' trial version of Lotus SmartSuite.
OK, I admit that it might sound funny... helping Lotus by cracking it, yet
that is EXACTLY WHAT THEY ARE THEMSELVES DOING!
The UNRESTRICTED full version of the COMPLETE Lotus SmartSuite 97
has been PUBLISHED in hundreds of thousands of copies by Lotus itself on
many CD-ROMs bundled with PC reviews... just to name one:
PCPLUS no. 35A of May 1997: "SmartSuite complete"... yes, WITHOUT
any trial limit.
Since it's a nuisance to uselessly download millions of bytes from
the web, let's teach everybody how to transform the trial version
into the (already published and given away for free) complete version.
Let's begin as usual by firing up the program... you will see a
dialog box (DialogBoxParamA) telling you that you have 30 days.
Now, as usual, 'bpx getlocaltime' and fire up the program again;
after pressing F11 and F12 you will be at:
(inside the file LTSMKT01.DLL)
:1967 68C0F00010 push 1000F0C0
:196C 68E0ED0010 push 1000EDE0
:1971 FF1590120110 Call KERNEL32.MoveFileA
:1977 68E0ED0010 push 1000EDE0
:197C 68C0F00010 push 1000F0C0
:1981 FF1590120110 (0) Call KERNEL32.MoveFileA
:1987 6A00 push 00000000
:1989 6880000000 push 00000080
:198E 6A03 push 00000003
:1990 6A00 push 00000000
:1992 6A01 push 00000001
:1994 68000000C0 push C0000000
:1999 68E0ED0010 push 1000EDE0
:199E FF1588120110 (1) Call KERNEL32.CreateFileA
:19A4 8BF0 mov esi, eax
:19A6 83FEFF cmp esi, FFFFFFFF
:19A9 0F8454010000 je 10001B03
:19AF 8D442418 lea eax, dword ptr [esp+18]
:19B3 50 push eax
:19B4 E807090000 (2) call 100022C0 <-- Here you are
:19B9 8B7C241C mov edi, dword ptr [esp+1C]
:19BD 83C404 add esp, 00000004
:19C0 6820F60010 push 1000F620
:19C5 6828F60010 push 1000F628
:19CA 6818F60010 push 1000F618
:19CF 56 push esi
:19D0 FF1594120110 (3) Call KERNEL32.GetFileTime
:19D6 6A00 push 00000000
:19D8 6A00 push 00000000
:19DA 8B6C2430 mov ebp, dword ptr [esp+30]
:19DE 55 push ebp
:19DF E82C030000 call 10001D10
:19E4 83C404 add esp, 00000004
:19E7 50 push eax
:19E8 56 push esi
:19E9 FF154C120110 Call KERNEL32.SetFilePointer
:19EF 8B1D48120110 mov ebx, KERNEL32.ReadFile
:19F5 8D4C2414 lea ecx, dword ptr [esp+14]
:19F9 6A00 push 00000000
:19FB 51 push ecx
:19FC 8D542418 lea edx, dword ptr [esp+18]
:1A00 6A04 push 00000004
:1A02 52 push edx
:1A03 56 push esi
:1A04 FFD3 (4) call ebx
:1A06 8D442414 lea eax, dword ptr [esp+14]
:1A0A 6A00 push 00000000
:1A0C 50 push eax
:1A0D 8D4C2428 lea ecx, dword ptr [esp+28]
:1A11 6A04 push 00000004
:1A13 51 push ecx
:1A14 56 push esi
:1A15 FFD3 (5) call ebx
:1A17 8B442410 mov eax, dword ptr [esp+10]
:1A1B 85C0 test eax, eax
:1A1D 7528 jne 10001A47
:1A1F 57 push edi
:1A20 55 push ebp
:1A21 E82A010000 call 10001B50
:1A26 83C408 add esp, 00000008
:1A29 85C0 test eax, eax
:1A2B 7420 je 10001A4D
:1A2D 8B542424 mov edx, dword ptr [esp+24]
:1A31 897C2410 mov dword ptr [esp+10], edi
:1A35 81E2FFFF0000 and edx, 0000FFFF
:1A3B 897C2420 mov dword ptr [esp+20], edi
:1A3F 891548F10010 mov dword ptr [1000F148], edx
:1A45 EB55 jmp 10001A9C
:1A47 397C2420 cmp dword ptr [esp+20], edi
:1A4B 760E (6) jbe 10001A5B
:1A4D C70548F10010FFFFFFFF mov dword ptr [1000F148], FFFFFFFF
:1A57 33DB xor ebx, ebx
:1A59 EB46 jmp 10001AA1
:1A5B 8B4C2424 mov ecx, dword ptr [esp+24]
:1A5F 81E1FFFF0000 and ecx, 0000FFFF
:1A65 8D1449 lea edx, dword ptr [ecx+2*ecx]
:1A68 8D1492 lea edx, dword ptr [edx+4*edx]
:1A6B 8D1492 lea edx, dword ptr [edx+4*edx]
:1A6E 8D14D2 lea edx, dword ptr [edx+8*edx]
:1A71 C1E207 shl edx, 07
:1A74 03D0 add edx, eax
:1A76 3BD7 cmp edx, edi
:1A78 730C (7) jnb 10001A86
:1A7A C70548F10010FFFFFFFF mov dword ptr [1000F148], FFFFFFFF
:1A84 EB16 jmp 10001A9C
:1A86 8BD7 mov edx, edi
:1A88 2BD0 sub edx, eax
:1A8A B807452EC2 mov eax, C22E4507
:1A8F F7E2 mul edx
:1A91 C1EA10 shr edx, 10
:1A94 2BCA (8) sub ecx, edx
:1A96 890D48F10010 mov dword ptr [1000F148], ecx
:1A9C BB01000000 (9) mov ebx, 00000001
:1AA1 85DB test ebx, ebx
:1AA3 7E41 jle 10001AE6
:1AA5 6A00 push 00000000
:1AA7 6A00 push 00000000
:1AA9 55 push ebp
:1AAA 897C242C mov dword ptr [esp+2C], edi
:1AAE E85D020000 call 10001D10
:1AB3 83C404 add esp, 00000004
:1AB6 50 push eax
:1AB7 56 push esi
:1AB8 FF154C120110 Call KERNEL32.SetFilePointer
:1ABE 8B3D44120110 mov edi, KERNEL32.WriteFile
:1AC4 8D442414 lea eax, dword ptr [esp+14]
:1AC8 6A00 push 00000000
:1ACA 50 push eax
:1ACB 8D4C2418 (A) lea ecx, dword ptr [esp+18]
:1ACF 6A04 push 00000004
:1AD1 51 push ecx
:1AD2 56 push esi
:1AD3 FFD7 call edi
:1AD5 8D542414 lea edx, dword ptr [esp+14]
:1AD9 6A00 push 00000000
:1ADB 52 push edx
:1ADC 8D442428 (B) lea eax, dword ptr [esp+28]
:1AE0 6A04 push 00000004
:1AE2 50 push eax
:1AE3 56 push esi
:1AE4 FFD7 call edi
:1AE6 6820F60010 push 1000F620
:1AEB 6828F60010 push 1000F628
:1AF0 6818F60010 push 1000F618
:1AF5 56 push esi
:1AF6 FF1558120110 (C) Call KERNEL32.SetFileTime
:1AFC 56 push esi
:1AFD FF153C120110 Call KERNEL32.CloseHandle
:1B03 68C0F00010 push 1000F0C0
:1B08 68E0ED0010 push 1000EDE0
:1B0D FF1590120110 (D) Call KERNEL32.MoveFileA
:1B13 8BC3 mov eax, ebx
:1B15 5D pop ebp
:1B16 48 dec eax
:1B17 5F pop edi
:1B18 F7D8 neg eax
:1B1A 1BC0 sbb eax, eax
:1B1C 25BEC7FFFF and eax, FFFFC7BE
:1B21 0542380000 (E) add eax, 00003842
:1B26 5E pop esi
:1B27 5B pop ebx
:1B28 83C40C add esp, 0000000C
:1B2B C20C00 ret 000C
Now a brief description of how the protection works and how it can be removed easily. The "magic numbers" are dates stored as 32-bit second counters, which is why the code multiplies and divides by 86400 (the seconds in a day); the function takes three arguments (ret 000C) and the second of them, [esp+24], is the trial length in days.
(0) Renames 'LTSMKT02.DLL' to 'LTSMKT02.LLL' (the MoveFileA just before it does the opposite rename, presumably to clean up a leftover .LLL from an interrupted run).
(1) Opens the file 'LTSMKT02.LLL' for read and write (C0000000 = GENERIC_READ|GENERIC_WRITE, 3 = OPEN_EXISTING).
(2) Gets the local time (this is where the GetLocalTime breakpoint fires) and turns it into the "actual date" magic number, kept in edi.
(3) Gets the file times, so they can be put back at (C) and the rewrite leaves no trace in the file's timestamps.
(4) Reads the install date magic number from the file into [esp+10].
(5) Reads the last-use date magic number into [esp+20]. If the install date is still zero (first run), the code calls 10001B50; if that fails the counter at [1000F148] is set to FFFFFFFF (-1) and the flag is cleared, otherwise both dates are set to the actual date, the counter is set to the trial length ([esp+24] and FFFF, 30 days here) and the flag is set.
(6) Is the last-use date later than the actual date? If so the clock has been set back: the counter is set to -1, the flag is cleared (xor ebx,ebx) and nothing is written back.
(7) Is the actual date later than the install date plus the trial length? The lea/shl chain multiplies the trial length by 3*5*5*9*128 = 86400, i.e. converts days to seconds, and adds the install date. If the trial has expired the counter is set to -1, but the flag is still set.
(8) Stores 'days left': the mul by C22E4507 followed by shr edx,10 is a division by 86400 (C22E4507 is the rounded-up 2^48/86400 a compiler uses for that), so the counter becomes trial length - (actual date - install date)/86400.
(9) Sets the flag.
(A) & (B) Write the install date and the last-use date (now set to the actual date by the mov at 1AAA) back to the file for future use; these writes are skipped when the flag is clear.
(C) Restores the file times saved at (3).
(D) Renames 'LLL' back to 'DLL'.
(E) If the flag was set, returns eax=3842, otherwise 0 (the dec/neg/sbb/and/add sequence is a branchless select between the two values).
Now we are going to make the following changes to the file:
at (6) and (7) make the jump unconditional (jmp always), so neither the clock-rollback test nor the expiry test can fail;
at (8) nop out the sub ecx,edx, so the counter always holds the full trial length;
at (A) put [esp+28] instead of [esp+18], so the install date written back is always the actual date
(Install date = Act. date always).
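As an added example (not code from the essay or from Lotus), here is the check above rebuilt in C from the listing, with a patched switch that applies the four edits just listed so the original and the patched behaviour can be compared on the same record. The record layout (two 32-bit second counters, as the 86400 arithmetic implies), the function and field names and the sample dates are assumptions; the helper at 10001B50 that runs on the first run is assumed to succeed.

```c
/*
 * Reconstruction of the trial check in LTSMKT01.DLL (10001967..10001B2B),
 * written from the listing above.  Added example, not Lotus code: the record
 * layout (two 32-bit second counters), the function and field names and the
 * sample dates are assumptions made for the demonstration.
 */
#include <stdint.h>
#include <stdio.h>

#define SECS_PER_DAY 86400u   /* the lea/shl chain at 1A65..1A71: x*3*5*5*9*128 */

/* mov eax,C22E4507 ; mul edx ; shr edx,10  ==  (secs * 0xC22E4507) >> 48,
 * which equals secs / 86400 for every 32-bit input (0xC22E4507 = ceil(2^48/86400)). */
static uint32_t days_from_secs(uint32_t secs)
{
    return (uint32_t)(((uint64_t)secs * 0xC22E4507u) >> 48);
}

struct trial_rec {            /* the two dwords read at (4) and (5) */
    uint32_t install;         /* [esp+10]: install date, 0 until the first run */
    uint32_t last_use;        /* [esp+20]: date of the last run */
};

/* *days_left mirrors [1000F148]; the return value mirrors (E): 3842h when the
 * flag in ebx was set, 0 otherwise.  'patched' applies the four edits listed
 * in the essay: (6) and (7) always taken, (8) nopped, (A) writes 'now'.
 * The helper call at 10001B50 on the first run is assumed to succeed. */
static uint32_t trial_check(struct trial_rec *rec, uint32_t now,
                            uint32_t limit_days, int32_t *days_left, int patched)
{
    limit_days &= 0xFFFFu;                         /* and ecx,0000FFFF */
    if (rec->install == 0) {                       /* first run: initialise */
        *days_left = (int32_t)limit_days;
        rec->install = now;
        rec->last_use = now;
    } else if (!patched && rec->last_use > now) {  /* (6): clock set back */
        *days_left = -1;                           /* mov [1000F148],FFFFFFFF */
        return 0;                                  /* xor ebx,ebx: nothing written back */
    } else if (!patched &&
               rec->install + limit_days * SECS_PER_DAY < now) {  /* (7): expired */
        *days_left = -1;                           /* flag still set, so 3842h is returned */
    } else {                                       /* (8): limit - elapsed days */
        uint32_t used = patched ? 0 : days_from_secs(now - rec->install);
        *days_left = (int32_t)(limit_days - used);
    }
    if (patched)                                   /* (A) patched: install date := now */
        rec->install = now;
    rec->last_use = now;                           /* (B): last-use date := now */
    return 0x3842;                                 /* (9) + (E) */
}

struct visit_result { uint32_t ret; int32_t days_left; uint32_t install; };

/* Constructed scenarios on a fresh record; T0 = 1 Jan 1997 00:00 UTC as a
 * 32-bit second counter, 30-day trial.  which: 0 first run at T0; 1 a run
 * on day 10; 2 the day-10 run followed by one on day 5 (clock set back);
 * 3 the day-10 run followed by one on day 31 (expired). */
static struct visit_result scenario(int which, int patched)
{
    const uint32_t T0 = 852076800u, LIMIT = 30;
    struct trial_rec rec = { 0, 0 };
    struct visit_result r;

    r.ret = trial_check(&rec, T0, LIMIT, &r.days_left, patched);
    if (which >= 1)
        r.ret = trial_check(&rec, T0 + 10 * SECS_PER_DAY + 3600, LIMIT, &r.days_left, patched);
    if (which == 2)
        r.ret = trial_check(&rec, T0 + 5 * SECS_PER_DAY, LIMIT, &r.days_left, patched);
    if (which == 3)
        r.ret = trial_check(&rec, T0 + 31 * SECS_PER_DAY, LIMIT, &r.days_left, patched);
    r.install = rec.install;
    return r;
}

int main(void)
{
    static const char *names[] = { "first run", "day 10", "day 5 after day 10", "day 31" };
    for (int patched = 0; patched < 2; patched++)
        for (int which = 0; which < 4; which++) {
            struct visit_result r = scenario(which, patched);
            printf("%-9s %-19s ret=%04X days_left=%d install=%u\n",
                   patched ? "patched:" : "original:", names[which],
                   (unsigned)r.ret, (int)r.days_left, (unsigned)r.install);
        }
    return 0;
}
```

The four scenarios cover the paths in the listing: first run, a normal run (20 days left on day 10), a run after the clock was set back (returns 0 with the counter at -1 and no write-back) and a run after expiry (still returns 3842h, but with the counter at -1). With patched set, every run reports the full 30 days and moves the install date forward to the current date, which is exactly what the four byte edits achieve.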
Now the only thing left (for aesthetic reasons) is to remove the
nag screen, so 'bpx dialogboxparama' (the nag is the DialogBoxParamA box seen at the start),
then F11 as usual and you will be at:
(inside the 'LTSUITE.EXE' file)
:128B E820FEFFFF call 004010B0
:1290 56 (F) push esi
:1291 68C0124000 push 004012C0
:1296 6A00 push 0
:1298 6A65 push 65
:129A 57 push edi
:129B FF1580C24000 Call USER32.DialogBoxParamA
:12A1 5F pop edi <-- Here you are
:12A2 5E pop esi
:12A3 8B8C2414010000 mov ecx, dword ptr [esp+114]
:12AA 5B pop ebx
:12AB 64890D00000000 mov dword ptr fs:[0], ecx
:12B2 81C41C010000 add esp, 11C
:12B8 C21000 ret 0010
Now if you press the 'OK' button you will get 10 as the return code, or 230 if you press the 'CANCEL' button. So at 1290 we will put:
:1290 B810000000 mov eax,10
:1295 EB0A jmp 004012A1
These 7 bytes overwrite the first of the five pushes and the call; the jump lands on the pop edi at 12A1, so the stack is exactly as it would have been after the stdcall DialogBoxParamA had cleaned its arguments, and the dialog is never shown.
I presume that the protection schemes of the other components of this suite will be more or less similar; it's your job to reverse them.
+Rcg 1997
(c) +Rcg 1997. All rights reversed