where. Thanks and enjoy!

--==[  St0rmer  ]==--

_______________________________________________________________


Greets to all my fellow hackers/crackers. This is my
first essay written for Fravia, and I doubt it'll be
my last.

This essay is intended for both hackers (interested in
hacking a computer with Fortres
(http://www.fortres.com for more info)) and crackers
(interested in using "real-time" patches). I myself
used to be a beginner with all of this, so I'll go
slowly and try to explain as much as possible.

First, a little background. My high school uses
Fortres to "protect" (haha) the Windows95 computers to
stop students from writing to the hard-drives,
deleting things, etc. I'm always up to a good
challenge, so I began to look for ways to get around
Fortres. I found literally dozens of "holes" in the
security, due to a combination of ignorant
administrators who didn't know how to configure it
correctly and the fact that Fortres just can't protect
a computer 100%, no matter how well it's configured.
However, there was one slight problem to all the holes
I found... they all required rebooting each time I
wanted to deactivate/reactivate Fortres because the
security is run through a VxD (Virtual Device Driver).
If you don't know what that is, it's simply a process
that can't easily be halted while it's running), and
the methods I used to disable Fortres only removed it
from boot-up. Keep in mind, all this time I was
reporting each hole I found to the network
administrator, even though he really didn't care.

A friend of mine who's a programmer by trade (not a
cracker) was also interested in getting around
Fortres, since he knew I had done it. However, instead
of turning the protection off by rebooting, he said,
"if Fortres can disable the security itself (with a
correct password), then it's possible to make a
program to disable the security". Of course, he wasn't
a cracker, so he wouldn't really know how to go about
doing this kind of stuff. But I thought about what he
said, and realized he was right.

When I got home that day I downloaded Fortres 4.0 (the
newest version at the time) from
http://www.fortres.com, cracked the Installshield
installer so I didn't need a password to install it,
and got to work. But before I go into that, let me
start with version 2.0, build 51, and version 3.0,
build 204 (both of which were given to me AFTER I made
a program to crack 4.0). In this case, I'll pretend
like I cracked 2.0 and 3.0 first since they're a bit
simpler. I'll then go on to explain how to crack 4.0,
and any other versions that you find laying around.


Here's the "walkthrough"...

All right, I assume you have Fortres 2.0 installed (I
tested on build 51). If you're using a different
version or build, don't worry; it's still similar.
Make sure you have Softice installed too and running.
Hackers: Softice is a program that allows debugging of
programs so us crackers can see how they work and how
to crack them. Beginner Crackers: if you're not very
proficient with Softice and/or Assembly, read up at Fravia's site. Just make sure you have USER32.DLL
loaded in your winice.dat and that when you go into
Softice you type 'wd' (to enable the Data Window) and
'wf' twice (to enable the floating-point stack window
(list of registers and their values)).

Let's press Ctrl-Shift-Esc to bring up the Fortres
password dialog box. Type in some random characters
and click OK. The box disappeared. Doh, no error
message to search for with a disassembler. We'll have
to take another approach. Ctrl-Shift-Esc again and
enter some random characters. But this time, before
clicking OK, go into Softice by pressing Ctrl-D and
set breakpoints on the common API functions that
retrieve data from text boxes (bpx <command>, where
<command> = GetWindowText, GetWindowTextA,
GetDlgItemText, and GetDlgItemTextA). You should now
have 4 breakpoints set (you usually don't need to use
the API calls without A's since most modern programs
are 32-bit and only use +A's). Press F5 to get out of
Softice, and click OK in the Fortres password box.
Aww... the box disappeared again and Softice didn't
pop up. It must not be using one of the
above-mentioned API calls. Go back into Softice
(Ctrl-D) and do "bc *" to clear all your breakpoints.
I used Dependency Walker on fortres.exe (comes with
Microsoft Visual Studio Enterprise edition) and found
that it uses GetDlgItem. I just wanted to save you the
trouble of having to disassemble it unnecessarily. OK,
do same thing as above, but instead of bpx'ing the
above functions, bpx GetDlgItem (don't worry, it's not
case sensitive). This time Softice should pop up.

Of course we're in user32.dll when Softice comes up
because that's what GetDlgItem is from. So press F11
to fast-forward out of the GetDlgItem function. Keep
F11'ing (should only be once or twice) until you get
into FORTRES!.text. To save you the time, I'll tell
you now that it does GetDlgItem three times; we are
only going to concentrate on the last time. You'll
have to press F11 eight times until you get to the
section of FORTRES!.text we want. Look down at the
code, and what do we see? CALL [KERNEL32!lstrcmp].
lstrcmp compares two strings. Hmmmmmm... could the two
strings be our guessed password and the REAL one???
Let's go line by line (F10) until we get to the first
'push eax' BEFORE lstrcmp. Once we're on 'push eax',
type "d ds:eax" to see what the first string is that's
being pushed. Gee... that looks like a real password!
Go to 'push ecx' and type "d ds:ecx". Gee... that's
our guessed password! Now we know it's possible to
extract the password from an Fset file (the file that
contains the password for Fortres 2.0). Don't get too
excited though, Fortres 4.0 doesn't make it this easy.

Now for a quick run-through for 3.0 (I tested on build
204), don't worry, it's VERY similar to 2.0. Same
deal... set a break point on GetDlgItem. 3.0 runs
GetDlgItem twice, we're interested in the second time.
Press F11 five times until we get to the section of
FORTRES!.text we want, the part with CALL
[KERNEL32!lstrcmp] right below it. This time the first
'push eax' is the correct password. Once you're on the
first 'push eax' line approaching lstrcmp, do "d
ds:eax" as above. There's the password.

Here we go for 4.0 (I tested on build 94). We can keep
using GetDlgItem for our breakpoint, but I prefer
GetWindowTextA for 4.0 since it supports it. OK, let's
Ctrl-Shift-Esc and type in a bogus password. Ctrl-D
and 'bpx GetWindowTextA'. F5 out of Softice, and press
enter to submit your bogus password. Hello Softice!
Let's start looking for that good ol'
[KERNEL32!lstrcmp] we saw in Fortres 2.0 and 3.0.
It'll hopefully come up before any conditional jumps.
Hmm... no luck. It must be inside one of those CALL's.
Again, you COULD trace through the two CALL's below,
but it'd be easier for me just to tell you where to go
and what to look for (if you want to trace through it
for the challenge, go for it!). The first call is to
capitalize your bogus password. We don't care about
this. So we're going to go into the second call. F10
down to it and press F8 to go into the CALL. Blech...
looks like a bunch of yucky code. Looks like we'll
have to trace through everything... that is, unless we
get lucky with the first CALL down there. Let's go
right up to the 'push eax' and since we want to know
what it's pushing into the CALL (as a parameter),
we'll "d ds:eax". Hmm... nothing good, it's probably a
dead end... unless it's a memory location for the
return value of the CALL. Only one way to find out!
F10 past the CALL and what do we get where EAX was?
Four bytes of 00's and the correct password! Kick ass!


Implementation...

Now it would be great if the computers you were trying
to hack in school or wherever had Softice running on
it. Chances are though, they don't. So let's analyze
some options. Most computers in high schools in
Computer Science classes should have some form of
programming language on them. Whether it be C++,
Visual Basic, Delphi, TASM, etc., you should be able
to write a program to reveal the password as long as
you have access. I'll include the source code for the
password revealer I wrote for Version 4.0 build 94
which I wrote in Visual Basic (the primary reason I
used VB instead of C++ was because it's easier to use
Shell() than CreateProcess()). The only thing we need
to know beforehand is the hex offset of the location
the decrypted password is stored in memory. For 4.0,
build 94, the value with the four 00's and password is
&H68E138 (&H<hex value> is used for Hex values in VB;
in C++, 0x<hex value> is used). Just to be clear,
&H68E138 is the value of EAX right before the CALL
that returns the password, described above for 4.0.
Keep in mind, each version is different, and each
build uses different offsets. Here's the VB source
code for revealing a password for Fortres 4.0, build
94 (I'm not the best coder, so this is in no way
"optimized", but it does the trick):

'--------------------------------------------------------
Private Declare Function OpenProcess Lib "kernel32"
(ByVal dwDesiredAccess As Long, ByVal bInheritHandle
As Long, ByVal dwProcessId As Long) As Long
Private Declare Function ReadProcessMemory Lib
"kernel32" (ByVal hProcess As Long, lpBaseAddress As
Any, lpBuffer As Any, ByVal nSize As Long,
lpNumberOfBytesWritten As Long) As Long
Private Declare Function TerminateProcess Lib
"kernel32" (ByVal hProcess As Long, ByVal uExitCode As
Long) As Long

Public ProcessID As Long
Public processhandle As Long
'--------------------------------------------------------
Private Sub Form_Load()
ProcessID = Shell("c:\fgc\appmgr.exe", vbHide)
	'Running appmgr.exe is equivalent to Ctrl-Shift-Esc
(in versions 2.0 and 3.0, it's fortres.exe)
	'We're keeping the password box hidden just for
aesthetics
	'We're saving the Process ID (PID) in variable
ProcessID for use in OpenProcess
processhandle = OpenProcess(PROCESS_VM_READ, False,
ProcessID)
	'This finds the handle (hwnd) of the appmgr.exe
process we loaded
	'We make sure to open it as "PROCESS_VM_READ" so that
we can do the
	'equivalent of "d ds:..."
Dim mylong As Long
Dim mystring(20) As String
Dim myhexaddr As Long
For z = 1 To 20 'Maximum number of characters in
Fortres password is 20
	myhexaddr = &H68E138 + z * 4 'Prepare to receive the
first two bytes in password
	'&H68E138 is the hex address that varies from build
to build
	x = ReadProcessMemory(ByVal processhandle, ByVal
myhexaddr, mylong, &H4, 0)
	'This will do the equivalent of "d ds:myhexaddr"
	mystring(z) = Hex(mylong)
	'Put the 2 bytes of the password into an array for
string conversion later
	If mylong = 0 Then z = 20
	'If no characters left to receive, stop loop
Next z
x = TerminateProcess(processhandle, 0)
	'We're all done with appmgr.exe, so this terminates
it
Dim entirestring As String
For z = 20 To 1 Step -1
	entirestring = entirestring & mystring(z)
	'Traverse the array and put it into a string
Next z
For z = 1 To 20
	mystring(z) = Mid(entirestring, z * 2, 2)
	'Finish up sorting the array of characters
Next z
Dim realpass As String
realpass = ""
For z = 1 To 20
	On Error Resume Next
	realpass = realpass & Chr(CLng("&H" & mystring(21 -
z)))
	'Convert HEX values into ASCII characters
Next z
x = MsgBox(realpass, vbOKOnly, "Fortres password")
	'Display the Fortres password
End
	'Terminate this VB program
End Sub
'--------------------------------------------------------

And that's it! I hope my code is somewhat readable. If
you don't understand it 100%, play around with it.
Like I said, I didn't really go for optimization, I
just wanted to make sure it worked.


Plans for the future...

Well, the whole "secret" on how to "decrypt" Fortres
passwords has now been "revealed". What's next? If
someone wanted to, they could make a standalone
program to import the Fset and/or *.fg* files (the
encypted password files) and have the program decrypt
the password. This shouldn't be too difficult, all
that's required is stripping the code out of
appmgr.exe or fortres.exe (depending on version of
Fortres) that decrypts the password; this is very
similar to how key generators are made.

Another idea I had was that everyone who was
interested in this could find the respective hex
offsets for the version and build of Fortres they have
and submit it to me (st0rmer@hotmail.com). I could
thus make a database of offsets, and incorporate each
offset into a Fortres Password Revealer program that
would let you specify the version you wanted cracked.


Final comments...

I hope this helped all hackers and crackers interested
in breaking through Fortres via reverse engineering.
I'd be happy to receive all comments and questions
(st0rmer@hotmail.com) you might have; however I'd like
to request that you don't e-mail me on "where can I
get the full version of Fortres" or "how do I crack
Fortres so it doesn't give me an UNREGISTERED nag
screen". As of now, you can get the full version of
Fortres from http://www.fortres.com, and you can
install it with WinZip and Windows Installshield
Decompiler. I DO NOT endorse doing this, because this
IS software piracy, which IS illegal.

I implore you to use all the information you gained
from this essay "for good, not evil". Hack Fortres for
the challenge, not to be malicious and delete all the
files on your school's computers. Always report any
security holes you find to the network administrator
(YES, using Fortres to secure the computer is a
security hole in itself, as I'm sure I made evident
from this essay). If you are a system administrator,
just make sure you understand that no matter what you
do, there will always be SOME WAY to get around
security in a Windows95/98 environment. Either use a
different operating system or better system
protection.

Thank you for spending your time reading my work. I
hope it was as enjoyable and insightful for you to
read as it was for me to write.


Greets go out to Fravia+, +ORC, HarvestR, Iczelion, Lord
Caligo, __y, Filer, Fourteen, Toxic, TooBad, Santa,
Compudaze, Zio, TDC, Jimmy Jam, Lithium2, VBRunner,
Coinman415, Xcalibur, and Wrexen (in no specific order)