An historical protection scheme: Lotus SmartSuite-Millennium Edition
by +NetHack
courtesy of fravia's pages of reverse engineering
(published at fravia's in September 1999, slightly edited by fravia+)
I have received this
small essay by +NetHack in -sage und schreibe- December 1998 yet I have published it only now (September 1999) in order
to avoid damaging Lotus' downhill battle again Micro$oft.
I believe enough
time went by: Lotus 'Millennium' suite has been recently offered on magazines' covers
all over the world for next to free. It's a pity that this notwithstanding
so few people use a software that, as
+NetHack writes, "It's great... and beats
MickySoft Office hands down".
Moreover I checked for ready made cracks and the web
is so swamped with "lamers'cracks" and "lamers' patches" for all kind of
Lotus' suites that one wonders if anybody has ever bought this product.
To the Lotus
people I can only say that their future could be bright (yet non "directly" commercial in the
way they are used to...)
if the Millennium suite will be ported and given away for free to the Linux growing
world, like Staroffice.
I hope that this essay, even if published with a great delay,
will be useful to teach beginners an "historical" (and very easy to defeat) protection scheme.
Good essay for those of you that want to learn how to reverse a reverser's approach...
How to reverse Lotus SmartSuite-Millennium Edition
("Date check plus nag screens")
by +NetHack
(2 December 1998 ~ Based on another article by +Rcg, but updated for the
new version)
As I was perusing the net, I stopped by Lotus.com and signed up for
the trial edition CD of Smart Suite. It's great software, and beats
MickySoft Office hands down. Anyway, I like to take my time to evaluate demo
stuff, so I proceeded to search for a crack for it. I found five ready made
cracks, but then also
ran across an
essay on fravia.org for Smartsuite 97. That was far more inetersting that
simply "bruteforcing" the software, so I read it and tried to work on my own
target. But the code
wasn't matching up
as well, and it seemed like overkill to port everything instead of simply
reversing the
protection at hand. So,
what follows is a "condensed version" for Smartsuite 97
and the
Millinium edition.
How to reverse Lotus SmartSuite-Millennium Edition
NOTE: This is not a SOFTICE tutorial, we only use
HIEW (THE hex editor), there's no need to shoot with cannons at such a
simple scheme.
The protection is a classical 30 day trial scheme. When you
load any Smartsuite
app, it presents the usual annoying dialog box waiting
for you to
click the Trial button. I assumed, incorrectly, that
this was a
simple nut to crack.
It turned out to be a little
more challenging.
Thanks to +Rcg and his excellent essay on SS97, I got
pointed back in
the right direction :)
During the install, SS97 places a tiny DLL in the
windows directory
called LTSMKT02.DLL. It doesn't serve much of a
purpose other than
storage for the INSTALL DATE and LAST DATE USED. Keep
this in mind,
as this is what we're going after. Funny thing is,
this DLL is never
CALLED by anything, just read and written into.
Two other files of importance, LTSUITE.EXE, located in
\LOTUS\COMPNENT, and LTSMKT01.DLL, located in each of
the application
directories. Yes, that's right kiddies. There's one
DLL for each
app, and they are NOT the same. So, you'll have to
patch them all.
Tools you'll need for this job (and any reversing job!):
Hiew 5.56 (hex editor/disassember!)
NOTE: You could use SoftIce to figure out the
protection and then reverse it, but this is an "abbreviated" article, so if you
want to delve deeper, you will be able to do it by yourself!)
Once you have SmartSuite installed you're ready to
reverse this code!
The first protection we're going to break is the date
checking inside
LTSMKT01.DLL.
Load Hiew and the LTSMKT01.DLL file from the
LOTUS\ORGANIZER
directory. You'll need to switch to hex mode (F4 and
F2), then hit
ENTER to switch to ASM mode. We find the following snippet of code tracking for
the date check routine, of course. Alternatively just change the system time
on your machine and see what happens when you ran the target. Either way you'll
easily reverse until the following snippet. I'll spare you the work and put you
directly in the middle of the action... Do a search for
E83EFAFFFF and you should land
at the following location (1):
.0000161D: A1B8840110 mov eax,[0100184B8]
.00001622: 83C01E add eax,01E
.00001625: 50 push eax
.00001626: 6854920000 push 000009254
.0000162B: E83EFAFFFF (1) call .00000106E ----------
.00001630: 3D42380000 cmp eax,000003842
.00001635: 0F850F000000 jne .00000164A ----------
.0000163B: C7856CF8FFFF01000000 movd,[ebp][0FFFFF86C],000000001
.00001645: E954000000 jmp .00000169E ----------
.0000164A: 6804010000 push 000000104
(the important part is that you see the cmp eax, 000003842
The CALL just above the line (1) is the date check
routine. The CMP
(compare) looks for the flag set (3842). If this flag
is NOT set, we
get a dialog box warning about the fact that "the system
time has changed,
please change it back". We will do two things here.
Disable the date
check routine, and make it so that the 3842 flag is always
set. Make sure
you are on the line (1) and hit F3 to edit the code.
Once you are in
Edit mode, you can type in the hex directly:
3D42380000
Or, hit enter and type in the ASM:
MOV EAX, 00003842
Hit F9 to update the changes. You have removed the
date check call
AND set the correct flag, all in one step! Bravo!
That's it for that file! Next we will make
two more changes at
LTSUITE.EXE. It is located in the LOTUS\COMPNENT
directory. It is
the one that fires up the dialog box and runs the
desired application
(such as Word Pro or Organizer) when you click the
Launch Trial Copy
button. When the trial expires, the Launch button is
greyed out and
not clickable. For this reason, we have to fake the
program into
thinking that we have clicked the launch button
regardless of what we
do or not do (programs should obey humans, not the
other way round).
As usual I'll spare you some work (that you may easily
reconstruct all by yourself). Load LTSUITE.EXE into HIEW and do a search for
E8E3EFFFFF
We will be at line (2) below:
.000021AF: 6A00 push 000
.000021B1: FF15FCA14000 call GetModuleHandleA ;KERNEL32.dll
.000021B7: 50 push eax
.000021B8: E8E3EFFFFF call .0000011A0 ---------- (2)
.000021BD: 50 push eax
.000021BE: E8DD190000 call .000003BA0 ----------
.000021C3: EB27 jmps .0000021EC ----------
.000021C5: 8B45EC mov eax,[ebp][-0014]
The Call just above the PUSH shows the dialog box and
waits for the
button to be clicked.
Windows programs have a number assigned to each button
and menu item,
as well as other elements on a dialog box. When you
click the button,
this number gets stuffed into a memory address. Inside
the call, our
button value is stored into EAX and used in the next
call.
The PUSH EAX stuffs our button value onto the stack
for later use... remember: the stack is a temporary storage area since
the EAX
registry gets hosed all the time (as do all other
registers)
If you clicked the Launch Trial Copy button, our
"secret value" will be
00000010, if you clicked Cancel, this value would have been
00000230.
This should tell you that CANCEL=230 and OK=10, duh.
Now all we have to do is get the program to recognize
this all the
time without us clicking the button!
The approach I took was to wipe out the call just
above our PUSH EAX
instruction, and replace it with a MOV EAX, 00000010.
This tells the
program - instead of loading the dialog box - to always
assume that the Ok
(Trial) button had been pushed.
If you are on the line E8E3EFFFFF in Hiew, hit F3.
Now, just replace the E8E3EFFFFF with B810000000
Or, again, if you prefer to type in ASM instructions,
hit enter and type
in MOV EAX, 00000010. Either way...
...Hit F9 and save your changes.
Now, we'll work on removing the nag screen.
Search for 85F674098BCE and you should pop up into the
following code. Try to figure out yourself WHY we are
looking for that hex-string, eheh...
(We
want to muck
with these lines)
.0000125F: 8BF0 mov esi,eax
.00001261: 85F6 test esi,esi
.00001263: 7409 je .00000126E ----------(3)
.00001265: 8BCE mov ecx,esi
.00001267: E894FDFFFF call .000001000 ----------
Notice Line (3) where it says JE (jump if equal). We
are going to
replace this jump with one that goes right past the
DialogBoxParamA (ways below us) wich -surprise-
shows the dialog box we actually don't want to see.
So, edit this
line and make it :
JMPS 000006AA
That's it! We've simulated the Click on the Trial
button and we've
disabled the nag screen. We've also disabled the date
checking
routine for good measure.
Notes: I didn't make this a "Cracking with Softice"
tutorial because I
get bored when I read them. So I decided to skip the softice fishing and get
straight to
editing with Hiew. Much better if YOU do your homework using the
data I gave you above. Reverse my reversing approach :-)
You should use and get familiar
with Softice anyway, and this is a good example... provided
you understand a little assembly language.
Other
useful stuff is to
understand how windows programs work (Dialogboxparama
and
MessageBoxA), as well as common functions like
GetLocalTime,
GetDlgItemTextA, etc "playing" with the parameters. Just
dissect a target and start playing on the functions and
see what happen (or either read a good API-compendium :-).
This kind
of experimentation will lead you to solve 80
percent of your own targets' problems.
Have fun kiddies!
+NetHack
You'r deep inside fravia's pages of reverse engineering, choose your way out!
homepage
links
anonymity
+ORC
students' essays
academy database
bots wars
antismut
tools
cocktails
javascript wars
search_forms
mail_fravia
Is reverse engineering illegal?