How to Reverse Lotus SmartSuite-97
("Date coding magic number galore")

by +Rcg
(26 September 1997)
Courtesy of fravia's page of reverse engineering
Well, I decided to leave +Rcg's email to me... I'm leaving for two weeks and have no time any more to search the archies. If anybody has DDK-95, please contact +Rcg
Hi Fravia, this is a small essay... nothing new but interesting.
BTW, I like the new style of your pages.
One more thing.... I need the DDK-95 include files to create
the Vxd dynamically loaded, but I have not been able to
find them... Could you help me with this inconvenience?
Thanks again for your dedication, +Rcg
Well, an interesting thought: cracking Lotus to damage Microsoft... I'm not so sure, yet the reasoning by +Rcg seems sound: read on

How to Reverse Lotus SmartSuite-97

Well, this is another essay based on a ?? days trial scheme, and of course you won't profit much from it because, in Master +ORC's words, it is 'the same soup' as the other essays you can read on these pages. The main reason I'm writing this is that it deals with the micro$oft war. Yes... you could think we are supporting MS by reversing the protections of its (few) rivals... that could be, nevertheless I consider that if we can move people to 'trial' these programs for a long time, maybe in the future they (or we ourselves) will buy them (or at least buy them for our job computers :-)
Another reason is that, as you know, MS Office 97 modifies the kernel, fiddles with your desktop and does a lot of other "internal" things that you and I can imagine and eventually find out, but that zombies will never discover. They will never think that during their 90-day "trial" of MS Office this Trojan horse is possibly (and probably) sending to the MS Internet site quite a lot of information about the software inside their computers and other kinds of data (read the "Trojan essay" on Fravia's great site), so I will never install the Micro$oft Trojan horse on my computer (at least not until I have fully reversed it :-), so I have decided to install my 'unlimited' trial version of Lotus SmartSuite.
OK, I admit that it might sound funny... helping Lotus by cracking it, yet that is EXACTLY WHAT THEY ARE THEMSELVES DOING!
The UNRESTRICTED full version of the COMPLETE Lotus SmartSuite 97 has been PUBLISHED in hundreds of thousands of copies by Lotus itself on many CD-ROMs bundled with PC review magazines... just to name one: PCPLUS no. 35A of May 1997: "SmartSuite complete"... yes, WITHOUT any trial limit.

Since it's a nuisance to uselessly download millions of bytes from the web, let's teach everybody how to transform the trial version into the (already published and given away for free) complete version.

Let's begin as usual by firing up the program... you will see a 'dialogboxparama' box telling you that you have 30 days.

Now as usual 'bpx getlocaltime' and fire up the program again, then after pressing F11 and F12 you will be at (inside the file LTSMKT01.DLL):

:1967 68C0F00010              push 1000F0C0                   
:196C 68E0ED0010              push 1000EDE0                   
:1971 FF1590120110            Call KERNEL32.MoveFileA         
:1977 68E0ED0010              push 1000EDE0                   
:197C 68C0F00010              push 1000F0C0                   
:1981 FF1590120110     (0)    Call KERNEL32.MoveFileA         
:1987 6A00                    push 00000000                   
:1989 6880000000              push 00000080                   
:198E 6A03                    push 00000003                   
:1990 6A00                    push 00000000                   
:1992 6A01                    push 00000001                   
:1994 68000000C0              push C0000000                   
:1999 68E0ED0010              push 1000EDE0                   
:199E FF1588120110     (1)    Call KERNEL32.CreateFileA       
:19A4 8BF0                    mov esi, eax                    
:19A6 83FEFF                  cmp esi, FFFFFFFF               
:19A9 0F8454010000            je 10001B03                     
:19AF 8D442418                lea eax, dword ptr [esp+18]     
:19B3 50                      push eax                        
:19B4 E807090000       (2)    call 100022C0   Limit date?
(7) Is Act. Date < Inst. date?
(8) Stores 'days left'
(9) Sets a flag
(A) & (B) Stores magic numbers for future uses.
(C) Sets file time
(D) 'LLL' to 'DLL'
(E) If flag was set then return eax=3842

Now we are going to make the following changes to the file:

at (6) and (7) make the jump unconditional (jmp always).
at (8) nop the sub ecx,edx.
at (A) put [esp+28] instead of [esp+18], so we will always have Install date = Act. date.

Now all that remains (for aesthetic reasons) is to remove the nag screen, so 'bpx messageboxparama', then F11 as usual, and you will be at (inside the 'LTSUITE.EXE' file):

:128B E820FEFFFF              call 004010B0                   
:1290 56               (F)    push esi                        
:1291 68C0124000              push 004012C0                   
:1296 6A00                    push 0                          
:1298 6A65                    push 65                         
:129A 57                      push edi                        
:129B FF1580C24000            Call USER32.DialogBoxParamA     
:12A1 5F                      pop edi                               
(c) +Rcg 1997. All rights reversed