Fortres 4.0, An Overview.
By: Frost_Byte [S/I]
Date: April 11, 2000
-----------------------------
Introduction:

This is my first formal document, so please excuse the crudity of the wording and grammar. This document is solely for the purpose of informing individuals of a flaw within the program explained herein. By no means is this meant to deface or harm the company in any way, but rather to initiate further work to create a much more secure program. People should be held accountable for their own actions, and this is only a descriptive document.
-----------------------------
Program Description (a brief look):

Fortres is a program used to secure the shell of a Windows-based system. Since its initial release it has become a widely used security tool. Schools, libraries, and other such institutions use it as a means of stopping problems before they start. (Personally, I think that if it were properly configured, to allow access throughout the system but not allow modifications, the average user would not even know of its presence and it would be a much more effective tool. One of the major problems is that when people first encounter Windows, they associate the "Start" button with [as the little arrow says in Windows] "begin by clicking here". Most users feel very ill towards the software simply because they cannot use the "Start" button.)

The program initially loads from within Autoexec.bat by executing "FGSA.EXE", which loads the "fgcfs.386" virtual device driver into memory (allowing Fortres to operate throughout Windows without losing priority). FGSA.EXE contains a flaw: when a password is entered (a prompt is produced when both Shift keys are held while FGSA executes), the correct password is left in memory in plaintext, even if the password typed was incorrect. After Windows has begun, Fortres.exe is executed and the "protecting" begins. Fortres.exe (in 4.0) is merely a loader for the file "FGCNWRK.DLL".
This Dynamic Link Library houses the password dialog, the actual "blocking" code that restricts users, and several other Fortres-related features. If the DLL is unloaded, security is no longer in effect.

When Control-Shift-Escape is pressed, several things happen. First, a logo appears in the lower right of the screen. Then a dialog box appears showing a number of about five digits (if the backdoor password feature is enabled). This number allows people who have lost their passwords to call Fortres Tech Support and obtain the correct backdoor key. If a backdoor key is entered (either +(number) or -(number)) and deemed valid, the Appmanager opens and you are prompted with "The password file is corrupt, enter a new password", even though you do not have to enter another password. If the person enters the actual password, the appmgr.set and appmgr.net files are opened, decoded, and the passwords are compared. Finally, a commonly used option is one where clicking the "Start" button brings up a dialog to shut down the computer.
-----------------------------
Flaw Explanation:

The flaw is simply that the encoding method used is weak and not hidden very well. As the decoder below shows, each password character is recovered from two bytes of appmgr.set and the character's index alone; no secret key is involved, so anyone who can read the file can recover the password. Anyone can rip assembly code, but I feel it is best to understand exactly what the program is doing and "put it in your own words". To illustrate this point, I have included the decoding routine not as assembly but as QuickBASIC code. I simply hope that FGC puts more effort into their encoding methods. (The backdoor numerics are a rather good routine, simply because of my lack of knowledge of floating-point operations. Granted, I could simply rip out the code, but I'm not trying to get my name out and harm FGC; I just continue learning as time progresses, and hope that by releasing this and anything further, the company makes further efforts at protection and that people continue learning and analysing products with great attention to detail.)
-----------------------------
Closing Arguments:

Enclosed is the source code which can be used to decode Fortres 4.0 passwords. The only real flaw with the code is the password length (as it stands, it decodes characters until either 25 characters have been decoded or the ASCII value of a character is >= 128 or <= 13; the UCASE$ check also stops it at the first lowercase letter). I have had this code for quite some time, though I haven't worked on it for about 4 months now. I simply assumed that I'd release it, seeing as how if I don't, someone else will. (I started working on the backdoor numeric password(s) a while back but stopped. I'll probably start back on it when I'm not working on anything else. I have the code that generates the code, but I'm having a little difficulty with the floating-point operands. When I get it all worked out, I'll come up with a pen-to-paper shortcut.)

I would like to conclude by stating that I applied to FGC to beta test their MasterLock program. Therein seems to reside a terrible concept of putting absolutely all of your personal information into a/some file(s)... apparently without considering the probability that it could be compromised. If I had obtained a beta, I would have tried to circumvent that flaw and would have promptly notified them. They didn't allow me to beta test, however, and I shall simply say that it was quite a disappointment.
----------------------------------------
The Source:

Here is the source code. It isn't really documented, but who doesn't know BASIC? I have dubbed this code "Project Ashley" (for various reasons)... and I hope that by reading this document you have carried away some bit of information that will come in handy in the future. After all, "Ashley" was quite a learning experience. "Ashley" is still one of the greatest things I've had the privilege to take part in, and I wish it could be done again.
--------------------------------------------------------------------------------------------------
DC.BAS - QBasic Sourcecode (very easily changed to VB)
--------------------------------------------------------------------------------------------------

' Usage: dc appmgr.set
' Password character i (i = 0..24) is derived from the byte at file offset
' 5 + 18*i and the byte at file offset 455 - i (1-based, as GET counts them).
PRINT "Frost_Byte FGC4 Decoder..."
IF COMMAND$ = "" THEN PRINT "You Must Specify a Filename": PRINT "(ex. 'dc appmgr.set')": END
ON ERROR GOTO nono                  ' e.g. file not found: just quit
OPEN COMMAND$ FOR BINARY AS #1
edx$ = "."                          ' one-byte buffers: GET reads LEN(var$) bytes
edi$ = "."
q = 5                               ' offset of the first data byte
DO
    GET #1, q, edi$                 ' data byte for this character
    GET #1, 455 - a, edx$           ' "key" byte, taken from the same file
    a = a + 1
    q = q + 18
    cx = (a - 1)                    ' character index, 0..24
    ax = (cx * 3) MOD 256
    ax = ax - ASC(edx$)             ' subtract the key byte ...
    IF ax < 0 THEN ax = 256 + ax
    ax = (ax + ASC(edi$)) MOD 256   ' ... add the data byte, mod 256
    t = t + 1
    IF ax <= 13 THEN GOTO nada      ' control byte: end of password
    IF ax >= 128 THEN GOTO nada     ' high byte: end of password
    IF CHR$(ax) <> UCASE$(CHR$(ax)) THEN GOTO nada   ' lowercase letter also ends it
    code$ = code$ + CHR$(ax)
LOOP UNTIL t >= 25                  ' hard cap of 25 characters
nada:
PRINT "Your code is -> "; code$
nono:
END
-----------------------------------------
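A reimplementation of DC.BAS in Python, added here as an example and not part of the original release or of Fortres. It assumes only the layout the BASIC code reads (data byte for character i at 1-based offset 5 + 18*i, "key" byte at offset 455 - i, the same three stop rules and the 25-character cap). The encode function is the mathematical inverse of that transform, written only so a constructed appmgr.set-style fixture can be built and decoded offline; it is not Fortres' own writing routine, and the key bytes and password in the fixture are made up.

```python
import sys

# Layout implied by DC.BAS (1-based offsets, as QBasic GET counts them).
DATA_BASE = 5        # first data byte
DATA_STRIDE = 18     # distance between consecutive data bytes
KEY_BASE = 455       # "key" byte for character i sits at KEY_BASE - i
MAX_CHARS = 25       # the BASIC loop stops after 25 characters
MIN_SIZE = KEY_BASE  # the file must at least reach the key byte of character 0


def data_offset(i):
    """0-based offset of the data byte for character i."""
    return DATA_BASE - 1 + DATA_STRIDE * i


def key_offset(i):
    """0-based offset of the key byte for character i."""
    return KEY_BASE - 1 - i


def decode_fortres4(blob):
    """Recover the password exactly as DC.BAS does.

    Character i = (3*i - key_byte(i) + data_byte(i)) mod 256, stopping at a
    control byte (<= 13), a high byte (>= 128), a lowercase letter, or 25 chars.
    Nothing here is secret: both bytes come from the file being decoded.
    """
    if len(blob) < MIN_SIZE:
        raise ValueError("file too short to be an appmgr.set (need >= %d bytes)" % MIN_SIZE)
    out = []
    for i in range(MAX_CHARS):
        c = ((3 * i) % 256 - blob[key_offset(i)] + blob[data_offset(i)]) % 256
        if c <= 13 or c >= 128 or chr(c) != chr(c).upper():
            break
        out.append(chr(c))
    return "".join(out)


def encode_fortres4(password, key_bytes, size=512, filler=0x00):
    """Inverse of decode_fortres4, used only to build constructed fixtures.

    ASSUMPTION: this is the arithmetic inverse of the BASIC decoder, not the
    routine Fortres itself uses to write appmgr.set. The data slot of character
    i is chosen so the decoder yields that character; one extra slot is set so
    it decodes to 0 and terminates the loop. Passwords are capped at 23 chars so
    no data slot overlaps a key slot (slot 24, offset 437, is also the key byte
    of character 18).
    """
    if len(password) > 23:
        raise ValueError("password too long for a non-overlapping layout")
    if len(key_bytes) < len(password) + 1:
        raise ValueError("need one key byte per character plus one for the terminator")
    blob = bytearray([filler]) * size
    for i, k in enumerate(key_bytes[: len(password) + 1]):
        blob[key_offset(i)] = k
    for i, ch in enumerate(password):
        blob[data_offset(i)] = (ord(ch) - 3 * i + blob[key_offset(i)]) % 256
    n = len(password)
    blob[data_offset(n)] = (blob[key_offset(n)] - 3 * n) % 256  # decodes to 0
    return bytes(blob)


def demo():
    """Round-trip a constructed fixture (made-up key bytes, not a real file)."""
    key = bytes([0xDE, 0xAD, 0xBE, 0xEF, 0x10, 0x32, 0x54, 0x76])
    fixture = encode_fortres4("SECRET", key)
    return decode_fortres4(fixture)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as f:
            print("Your code is ->", decode_fortres4(f.read()))
    else:
        print("usage: dc.py appmgr.set  (no file given, running the self-test)")
        print("Your code is ->", demo())
```

Run it as `python dc.py appmgr.set` to mirror the BASIC tool, or with no argument to decode the constructed fixture. The point the round trip makes is that the "key" bytes are stored next to the data they mask, so this is obfuscation rather than encryption; a store that kept only a salted one-way hash of the password would not be reversible like this.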