Fortres 4.0, An Overview.
By: Frost_Byte [S/I]
Date: April 11, 2000
-----------------------------

Introduction:

This is my first formal document, so please excuse the crudity of the
wording and grammar.

<disclaimer>    This document is soley for the purpose of informing
individuals of a flaw within a program herin explained. By no means is
this to deface or harm the company in any way, but to rather initiate
further work to create a much more secure program. People should be
held accountable for their own actions, and this is only a descriptive
document. </disclaimer>

-----------------------------

Program Description (a brief look):

Fortres is a program used to secure the Shell of a Windows based system.
The program has since it's initial release into a widely used security
medium. Schools, librarys, and other such institutions use it as a means
of stopping problems before they start. (Personally, I think that if it
were properly configured..to allow access throughout the system but to
not allow modifications, the average user would not even know of it's
presence and it would be a much more effective tool. One of the major
problems is that when people are first associated with Windows, they
associate the "Start" button with [as the little arrow says in Windows]
"begin by clicking here". Most users feel very ill t'wards the software
simply because they cannot use the "Start" button). The program initially
loads from within the Autoexec.bat by executing "FGSA.EXE" which loads
the "fgcfs.386" Virtual Device Driver info memory (allowing Fortres to
operate throught Windows without losing priority). FGSA.EXE contains
a flaw in which when a password is entered (a prompt is produced when
both Shift keys are pressed when FGSA executes), even if an incorrect
password is typed the correct password is left in memory, in plaintext.
After Windows has begun, Fortres.exe is executed and the "protecting"
has begun. Fortres.exe (in 4.0) is merely a loader for the file
"FGCNWRK.DLL". This Dynamic Link Library houses the password dialog, the
actual "blocking" code restricting users, and several other Fortres-related
features. If the DLL is unloaded, security is no longer instated. When
Control-Shift-Escape is pressed, several things happen. First, a logo
appears in the lower right of the screen. Then a dialog box appears with
a 5 or so character number (if the Backdoor password feature is enabled).
This number allows people whom have lost their passwords to call Fortres
Tech Support and get the correct backdoor key. If the backdoor key is 
entered
(either +(number) or -(number) ) and deemed valid, the Appmanager opens and
you are prompted with "The password file is corrupt, enter a new password" 
even
though you do not have to place in another password. If the person enters
the actual password, the appmgr.set and appmgr.net files are opened, 
decoded,
and the passwords are compared. Finally, a commonly used option is where
clicking upon the "Start" button brings up a dialog to shutdown the 
computer.


-----------------------------

Flaw Explination:

The flaw is simply the fact that the encoding method that is used is weak
and not hidden very well. Anyone can rip assembly code but I feel it is
best to understand exactly what the program is doing and "put it in your
own words". To illustrate this point, I have included the decoding routine
as not assembly, but rather Quick Basic code. I simply hope that FGC
puts more effort into their encoding methods. (the Backdoor numberics
is a rather good routine simply because of my lack of knowledge with
floating point operations. Granted, I could simply rip out the code,
but I'm not trying to get my name out and harm FGC, I just continue
learning as time progresses, and hope that by releasing this and anything
further that the company makes further efforts for protection and
that people continue learning and analysing products with great
attention to detail.

-----------------------------

Closing Arguments:

Enclosed is the source code in which can be used to decode Fortres 4.0
passwords. The only real flaw with the code is the Password length (as
it stands, it decodes characters until either 25 characters have been
decoded or the ASCII of the character >= 128 or <=13). I have this code
for quite some time, thought I haven't worked on it for about 4 months now.
I simply assumed that I'd release it seeing as how if I don't someone
else will.

(I started working on the Backdoor Numberic password(s) awhile back but 
stopped.
I'll probly start back on it when I'm not working on anything else. I have
the code that generates the code, but I'm having alittle difficulty on the
Floating Point operands. When I get it all worked out, I'll come up with
a pen-to-paper shortcut). I would like to conclude by stating that I applied
to FGC to Beta test their MasterLock program. Therein seems to reside a
terrible concept of putting absolutely all of your personal information
into a/some file(s)...apparently not considering the probability that it 
could
be compromised. If I did obtain a Beta, I would have tried to circumvent 
that flaw and
I would have promptly notified them. They didn't allow me to Beta test, 
however, and
I shall simply say that it was quite a disappointment.

----------------------------------------

The Source:

Here is the sourcecode. It isn't really documented, but who doesn't
know BASIC? I have dubbed this code "Project Ashley" (for various
reasons)...and I hope by reading this document you have carried away
some bit of information that will come in handy in the future. After
all, "Ashley" was quite a learning experience. "Ashley" is still one
of the greatest things I've had a privlegde to take part in, and I
wish it could be done again.

--------------------------------------------------------------------------------------------------
DC.BAS - QBasic Sourcecode (very easily changed to VB)
--------------------------------------------------------------------------------------------------
PRINT "Frost_Byte FGC4 Decoder..."
IF COMMAND$ = "" THEN PRINT "You Must Specify a Filename": PRINT "(ex. 'dc 
appmgr.set')": END
ON ERROR GOTO nono
OPEN COMMAND$ FOR BINARY AS #1
edx$ = "."
edi$ = "."
q = 5
DO
GET #1, q, edi$
GET #1, 455 - a, edx$
a = a + 1
q = q + 18
cx = (a - 1)
ax = ASC(edi$)
ax = (cx * 3) MOD 256
ax = ax - ASC(edx$)
IF ax < 0 THEN ax = 256 + ax
ax = (ax + ASC(edi$)) MOD 256
t = t + 1
IF ax <= 13 THEN GOTO nada
IF ax >= 128 THEN GOTO nada
IF CHR$(ax) <> UCASE$(CHR$(ax)) THEN GOTO nada
code$ = code$ + CHR$(ax)
LOOP UNTIL t >= 25
nada:
PRINT "Your code is -> "; code$
nono:
END
-----------------------------------------