Courtesy of Fravia's page
of reverse engineering
Not Assigned
Reinitializing Lotus 1-2-3 DOS versions 2.01, 2.3, and 3.1
by: Tomboy
date: 31 March 1998
Introduction
As much pleasure as one gets from completing a successful crack
(especially if it was difficult), I find it even more exciting to
"entice" a program into doing the hard work for me. This paper
demonstrates how several programs can be reinitialized with new owner
information with a minimum of effort. In each case, it was possible to
automate the process using a DOS batch file.
Situation
I like and use Lotus 1-2-3 for a number of reasons. The reason most
relevant to this discussion is the presence of copy protection in early
versions (up to 2.01) which was followed in later versions (2.2 and up)
by having to initialize the original system disk with your name and
company information prior to using the program. Over the years I have
obtained (primarily at local computer shows) every version of Lotus
1-2-3 from 1A through 2.3 as well as an odd copy of 3.1. Regrettably,
some of these copies were used and had been previously initialized with
the old owner's personal information. This was unsatisfactory to me and
I wanted to change the information to my own name. Of course, the
manuals for these programs state that once initialized, the name and
company information cannot be changed. Challenge accepted!
Discussion
Target 1: Lotus 1-2-3 version 2.01
Need: valuepk1.zip (or unused value pack diskette from original software
package, very rare!)
Available from: Lotus ftp site.
This version of 1-2-3 was shipped as a copy protected product. With the
demise of disk based copy protection in the late 1980's, Lotus started
including a copy protection removal program in the package. It was
placed on the value pack diskette along with some extra screen and
printer drivers. Running this program would remove the copy protection
by creating a new loader program, 123.EXE, and deleting some of the
files associated with the Softguard protection scheme (the original
loader 123.COM, SGS0300.SUP, AND CML0300.FCL). In the process of
removing the copy protection and creating the new loader, it was
necessary to provide a user name and optionally company information.
This information was written inside the new loader in an encrypted
form. Each time the loader is executed, the initialization information
is displayed for several seconds and then the spreadsheet finally comes
up. Interestingly, the value pack diskette can only be initialized
once. Several important files are erased (and thoroughly destroyed by
overwriting with garbage before deleting) during the creation of the new
loader. While the value pack diskette and be used to remove the copy
protection from multiple copies of the Lotus 1-2-3 system diskette, the
initialized information remains the same. The following value pack
files are associated with the initialization process:
File Size Fate after initialization
-------------------------------------------------
INIT.EXE 6994 Unchanged
INIT.RI 4022 Unchanged
INPUT.EXE 19376 Overwritten, then Deleted
NAME.EXE 21590 Overwritten, then Deleted
REMOVE.EXE 73408 Modified
I wasted a lot of time analyzing the 123.EXE loader and its encryption
scheme in the hope of understanding the algorithm and then changing the
information. It was during an examination of the remaining files on an
initialized value pack diskette that I had a breakthrough. One file,
REMOVE.EXE, was found to contain the image of the initialized 123.EXE
loader. In fact, it contains two images, one for 1-2-3 version 2.0 and
the other for version 2.01. It appears that the loader is initialized
inside REMOVE.EXE and is then extracted during the copy protection
removal process. Based on this information, I obtained an unused value
pack diskette and as expected found that the original REMOVE.EXE
contained an UNINITIALIZED copy of the loader.
** Can't find an unused value pack diskette? Fortunately, Lotus has an
archive, valuepk1.zip, on their ftp site containing the needed files.
Just unzip it to a floppy and you are ready to go. **
OK, by now you are probably getting the same idea I had. Lets
initialize an unused value pack disk (a copy! not the original) and then
manually extract the new 123.EXE loader. The copy protection removal is
done in two distinct steps: 1) provide initialization information, and
2) update system diskette. The first step initializes the 123.EXE
images in REMOVE.EXE. The second step is optional and can be aborted;
just don't put your 1-2-3 system diskette in the drive when prompted.
In any case, only the first step is needed for our purposes. Using
debug, the 123.EXE image can be located in REMOVE.EXE and extracted
(version 2.0 loader starts at offset 5856h and is 29A8h bytes long,
version 2.01 loader starts at offset 820Eh and is 2C31h bytes long). I
have created a batch file, 123v201.bat, to do the extraction
automatically. The source is given below, ?BTW can DOS batch files
actually be considered source code? ;-).
@echo off
cls
echo *** LOTUS 1-2-3 version 2.01 ***
echo *** Reinitialization Program ***
echo
echo This program creates an initialized (personalized) copy of 123.EXE
echo version 2.01. It does this by taking advantage of the programs that
echo LOTUS issued to remove the disk based copy protection from this version
echo of LOTUS 1-2-3. LOTUS stores the initialization information inside
echo 123.EXE in an encrypted form. While it would be possible to reverse
echo engineer LOTUS's encryption alogorithm and create a program that would
echo directly update the executable with new information, this is a lot of
echo unnecessary work. It turns out that an initialized copy of 123.EXE is
echo created inside of REMOVE.EXE during the copy protection removal process.
echo All that has to be done is run REMOVE.EXE, input the initialization
echo data and using this program extract the initialized copy of 123.EXE.
echo To prevent REMOVE.EXE from being reused, several helper files are
echo intentional destroyed after the initialization procedure is completed.
echo This program protects these files by keeping master copies of them
echo in a ZIP archive and restores them at the end of the process.
echo
echo Note: You must have PKUNZIP 2.04g and DEBUG installed and in your
echo path for this program to work properly.
echo
echo Press CTRL+C to abort.
pause
init
ren remove.exe remove.zap
echo> reinit.scr rbx
echo>> reinit.scr 0
echo>> reinit.scr rcx
echo>> reinit.scr 2c31
echo>> reinit.scr n 123.zap
echo>> reinit.scr w 820e
echo>> reinit.scr q
debug remove.zap < reinit.scr
del remove.zap
if exist 123.exe del 123.exe
ren 123.zap 123.exe
pkunzip valuepk1 -o
echo *** Initialization completed ***
echo
echo Please find initialized copy of 123.EXE on your diskette
Challenge met!, now I can reinitialize the 123.EXE loader any time I
want.
The intermediate years....
Lotus "almost" dropped disk based copy protection in version 2.2 of
Lotus 1-2-3. The program required the user to initial the 123.EXE
loader with owner information before the program would run. However,
this initialization could only be performed on the original system
disk. It turns out that the system disk contains a specially formatted
track which must be present for the initialization process to proceed
(this track is completely trashed by the install program after the disk
is initialized making it impossible to reverse the process). Of course,
you couldn't initialize a copy unless it were made with a really good
bit copier or a deluxe option board. This version was simply cracked by
nop-ing the call that displays the initialization information. Nothing
really interesting here so I will not discuss it any further.
Target 2: Lotus 1-2-3 version 2.3
Need: Lotus 1-2-3 version 2.3 system disk
Available from: ?
Again, Lotus required the user to initialize the 123.EXE loader before
it would run. However, they did not put any special tracks on the
system disk this time so you could initialize a copy instead of using
the original (but Lotus sort of forgot to mention this in their
manual). In this particular case, Lotus added some code to kill program
execution if the display initialization information routine was tampered
with. Examining an initialized loader and using a little ZEN, I found
the data area that the install program uses to determine if the loader
has been initialized. It is a six byte string that starts at offset
1A24h and contains the following information: " CONAN". The
initialization information itself and the program serial number are
stored as encrypted strings at offsets 1A2Bh to 1A88h. The bytes at
1A2Bh-1A2Ch and 1A87h-1A88h are a checksum for the name and serial
information. Changing any bytes in the initialization or checksum
fields gives a program error and a quick return to DOS.
Just for grins the encryption scheme used for the initialization and
serial number strings was analyzed and found to be:
encrypted byte = FFh - starting byte
Unfortunately, the algorithm for calculating the checksum bytes was not
as straight forward and could not be determined. Otherwise, we could
make a program to reinitialize the loader directly.
Changing any one of the six bytes in the " CONAN" string caused the
install program to prompt for new owner information and write it to the
loader. This is GREAT!, but oh no!!! the %^&*$ install program wrote
the new information at offset 1B24h instead of 1A2Bh (overwriting some
program code in the process). I do not know why the install program
does this, but it sure was aggravating. Despite this minor setback, the
new encrypted initialization information was found to be correct. It
can be easily moved from 1B24h to its proper location at 1A2Bh using
debug. Fixing the overwritten code at 1B24h and saving the result gives
a new reinitialized loader that works perfectly. The batch file below
does it all automatically for you.
@echo off
c:
md\temp
cd\temp
cls
if exist 123.zap goto stage2
echo *** Important Please Read ***
echo *** Work only on a COPY of the INSTALL disk! ***
echo
echo This program reinitializes the 123 release 2.3 INSTALL disk with new
echo Name and Company information. The LOTUS documentation statesthat
echo once the INSTALL disk is initialized during the first installation,
echo this information cannot be changed. In fact, the INSTALL.EXE program
echo can be tricked into reinitializing the disk, but regretably it places
echo the new encrypted initialization information in the wrong place. This
echo program automates the reinitialition process by copying, changing, and
echo fixing the files involved.
echo
echo There are two stages: 1) 123R23.BAT makes a small change to the 123.EXE
echo file to get the INSTALL.EXE program to reinitialize the disk. The user
echo then runs the INSTALL program which prompts for new User and Company
echo information. After confirming the information and allowing it to be
echo written to disk, abort the rest of the install. 2) Rerun 123R23.BAT to
echo fixup the newly reinitialized 123.EXE file.
echo
echo To reinitialize a !COPY! of the INSTALL disk, place it in Drive A now.
echo *** To ABORT 123R23.BAT press CTRL+C ***
pause
cls
echo *** Starting Stage 1 ***
echo
echo + WORKING +
echo
copy a:\123.exe 123.zap
echo> reinit.scr e 1b24
echo>> reinit.scr 00
echo>> reinit.scr/
echo>> reinit.scr w
echo>> reinit.scr q
debug 123.zap < reinit.scr
copy 123.zap a:\123.exe
echo *** Stage 1 completed ***
echo
echo Now run Install program to reinitialize the INSTALL disk
echo
echo Note: Abort the install after the new Name and Company information
echo has been written to disk (i.e. do not complete the install)!
goto end
:stage2
echo *** Starting Stage 2 ***
echo
copy a:123.exe 123.chg
echo> reinit.scr n reinit.dat
echo>> reinit.scr rcx
echo>> reinit.scr 5e
echo>> reinit.scr w 2811
echo>> reinit.scr q
debug 123.chg < reinit.scr
copy /b 123.zap+reinit.dat 123.dat
echo> reinit.scr e 1b24
echo>> reinit.scr 20
echo>> reinit.scr/
echo>> reinit.scr m 48c0 l5e 1b2b
echo>> reinit.scr rcx
echo>> reinit.scr 47c0
echo>> reinit.scr w
echo>> reinit.scr q
debug 123.dat < reinit.scr
copy 123.dat a:123.exe
del 123.zap
del reinit.scr
del 123.chg
del reinit.dat
del 123.dat
echo *** Stage 2 Completed ***
:end
Challenge #2 completed.
Target 3: Lotus 1-2-3 version 3.1
Need: Lotus 1-2-3 version 3.1 system disk
Available from: You will need to find your own copy of this one.
Lotus decided to change things a little and put the initialization
information in INSTEXT.RI instead of the 123.EXE loader. Using some
more ZEN, the bytes that indicate whether or not the program has been
initialized were found at offsets 9952h-9955h. Simply hex edit these
bytes to 00h and save. The install program will now prompt you for new
user information and update INSTEXT.RI. This time everything is put in
the right place. Now that was easy! This was trivial that a batch file
is unnecessary.
Challenge #3 completed.
Conclusions
Often the first impulse when tackling a new program is to jump into the
code and start tracing away. As the above examples show, this may not
always be necessary. Getting a program to do the hard work for you can
save a lot of time and brain power for those really difficult projects
on your "to do" list. Think it through before you start wacking at the
code and you may find a more enlightened path.
homepage
links
anonymity
+ORC
students' essays
academy database
tools
cocktails
antismut CGI-scripts
search_forms
mail_Fravia
Is reverse engineering legal?