Lotus 1-2-3 R3 copy protection

Release 3 of Lotus 1-2-3 (1989) utilized a mild form of copy protection which relied partially on technology but primarily on shaming would-be pirates. 1-2-3 installed from copied disks prominently showed the name of the original owner every time the spreadsheet was started. Several other Lotus programs of that era (such as Freelance Graphics) used the same technique.

Lotus shipped “virgin” installation media to users. All except for the first floppy were regular diskettes. The first one, so-called Install disk, was special. The Install disk could not be used or even copied until it was “signed”, i.e. the user’s name, company name, and the serial number were entered.

The way the copy protection worked was quite ingenious. The Install disk was shipped with a bad sector belonging to a special hidden file which was only used for copy protection purposes. What’s so clever about a bad sector? First, a bad sector is surprisingly difficult to reproduce (copy). Second, a bad sector can be checked for in an OS-independent manner, without relying on direct floppy controller access or any other trickery.

The second point was important because 1-2-3 R3 supported both DOS and OS/2. On OS/2, direct floppy controller access was highly undesirable, but detecting a bad sector was easy using the standard system-provided APIs.

The first point had to do with the PC floppy disk controller (FDC). The FDC, a NEC-µPD765A derivative, is a relatively intelligent device. It works on the basis of complete sectors and doesn’t provide direct byte/bit access. When a sector is written, the FDC will automatically calculate and write the appropriate CRC (checksum). And that’s what the Lotus copy protection relied on.

The original factory-delivered Install disk was mastered such that there was a track with deliberately written invalid sectors, although the magnetic medium itself was not damaged in any way. However, because the standard FDC can’t write such invalid data, the disk could not be copied without custom hardware.

When the Lotus install program was launched, it would check whether the disk was signed with the user’s name and serial number. The install program would not allow signing the disk unless it also found the magic unreadable sector. It would also not allow installing the software without signing the disk. Once the disk was signed, the track containing the bad sector (or rather the entire track) was reformatted, again a standard operation which can be safely performed on both DOS and OS/2.

At this point, the user had a signed install disk which was a standard floppy, not unusual in any way. The disk could be backed up without any trouble, which was a big advantage of the 1-2-3 R3 copy protection scheme. Many earlier copy protection schemes prevented backup copies, which led to protests from legitimate users.

The signed Install disk could of course be copied… but the signature could not be changed anymore, because the magic bad sector wasn’t present. Users running illegal copies of 1-2-3 exposed themselves to embarrassment and potential prosecution for copyright infringement.

Could the copy protection be defeated? Yes and no. I’m not aware of any way to copy the original Install disk without special hardware. It was not possible to remove the signature from a previously used Install disk because the installer detected that but refused to continue (or change the signature) without also finding the bad sector. The installer just printed a nicely vague “the diskette in the drive is not the original Install Disk” message in such case and refused to continue.

However, the copy protection was implemented in software and as such could be disabled or worked around. There were at least two vectors of attack: Disabling the bad sector checks in the installer, or changing the user signature in an installed 1-2-3 R3 copy. Luckily for Lotus, neither was something the typical 1-2-3 user would have been capable of. The first method required analyzing and patching the installer code, the second involved deconstructing and modifying the INSTEXT.RI file which contained the signature.

The user data in INSTEXT.RI was of course encrypted, although from a modern perspective the encryption was laughably insecure. Not so much because the algorithm itself was bad, but rather because the code to decipher the data, including the encryption key, was included in the INSTALL.EXE executable which was shipped with the product.

The signature data was protected with a checksum to discourage tampering, and encrypted with a symmetric cipher which could decrypt the data in one pass and encrypt it again in second pass. But as mentioned above, both the algorithm and the key were provided on the installation media, hence a sufficiently determined attacker had everything he or she needed to defeat the encryption.

This copy protection scheme was unquestionably quite benign compared to many other techniques. One of its advantages was that it allowed legal users to create backup copies without trouble, and it didn’t rely on any characteristics of a particular PC model.

Yet even this scheme soon fell by the wayside. Its strength was also its weakness: it relied on floppies. In the 1990s, customers increasingly demanded network-enabled installs and copy protection based on floppies wasn’t viable anymore. Some companies also perhaps realized that most people pirating their software were in fact not potential customers. They simply weren’t going to pay several hundred dollars for the software and any effort expended on preventing them from using the software risked being a net loss for the developer.

This entry was posted in DOS, OS/2, PC history. Bookmark the permalink.

8 Responses to Lotus 1-2-3 R3 copy protection

  1. heh you have to be the best x86 debugger out there…! .. I thought I was slick once for finding the MS-DOS date/time call in a product and just NOPing it out.. good times!

  2. michaln says:

    The tools available these days make it so much easier… against virtual machines and IDA, old software doesn’t stand a chance. That said, Lotus didn’t really try to obscure their code.

  3. Very true, even a good ICE is no comparison for something like a good emulator that lets you inspect the entire system state…

  4. Yuhong Bao says:

    Win95 setup would try to write similar registration info on disk 2, which is a DMF disk. DMF was not originally intended as a copy protection scheme, but it took a while before tools to write DMF disks was widely available.

  5. Sean McDonough says:

    >It was not possible to remove the signature from a previously used Install disk because the installer detected that but refused to continue (or change the signature) without also finding the bad sector.

    If one removed the signature from a previously-used Install disk and then wrote in a new signature before popping the floppy in and running the installer, would the installer still have been able to detect that the signature on the disk was not the original one?

  6. Michal Necasek says:

    Probably not. Of course you’d have to know exactly how the signature was encoded, and that required much better than average skill and tools.

  7. Sean McDonough says:

    But once it was figured out, one could have written a program that would enable anyone to easily change the signature on a previously-used 1-2-3 installation disk…

  8. Michal Necasek says:

    Yes, but that needs two things. You’d need somebody who is both clever enough to write such a tool and at the same time wants to hurt Lotus.

    I am fairly certain it would have been possible to de-sign existing floppies (create a bad sector) with a bit of clever programming, though I have not tried it out.

Leave a Reply

Your email address will not be published. Required fields are marked *