Deconstructing A Fortres
Hacking Fortres on a properly configured machine is all but impossible. Hacking Fortres on a poorly configured machine is incredibly easy. Hacking Fortres on any machine inconspicuously is tricky.
If you just want to break Fortres, stop reading this and do the standard "Reboot-boot disk-Edit system files-reboot- hack-fix system files-reboot" trick. And be thinking of a good excuse when the librarian or a teacher comes over and asks you what the hell you are doing. If you want to understand how this pretty cool program works then read on.
This article refers to Fortres 101 version 4 for Win 9x. It's the flagship product of Fortres Grand Corp (www.fortres.com). This version also runs on NT/2000, however the test machine I installed Fortres on was Win98, so everything here refers to Win 9x unless said otherwise. Most systems you will find running Fortres will be low-end Pentiums used in libraries that will have Win 9x, Netscape, and maybe some anti-virus stuff. The good thing is they may have a permanent Internet connection through a network.
First of all, I'm going to discuss Fortres security: how it loads, how it works. Next, I'll tell you how to alter Fortres so you can run your programs, but still have it protected from script kiddies who want to change the boot screen. Finally, I'll mention some of the weird parts of Fortres and how they could be exploited.
Fortres 101 simply adds a layer to Windows that checks every action you try to do against a checklist of approved actions. That's it, very simple. There is no way to break this security layer once it is loaded. If an action isn't allowed, you will not be able to do it. Actions include everything from copying or deleting files, to running certain programs, altering icons, and more. There are two ways you can hack Fortres: you can prevent the security layer from loading (nearly impossible without drawing attention to yourself), or get into the privilege setup program and alter the settings. Since the core of Fortres is so simple, Fortres mainly consists of safeguards to prevent people from stopping this security layer from being loaded. Fortres also uses lies and fake files to hide which files truly do what. In fact, even in the Fortres 101 help file they lie to people who have legally purchased the software.
To protect the loading process, Fortres modifies MSDOS.SYS, AUTOEXEC.BAT, and CONFIG.SYS. It makes backups of the old files, renaming them with the DWF extension. MSDOS.SYS is appended with the following: BootMulti=0; BootWarn=0; BootSafe=0; BootKeys=0. These options disable using the function keys to either bring up the boot menu, or to boot to the previous OS. These settings force CONFIG.SYS to load. In CONFIG.SYS, the "SWITCHES= /F /N" statement is added. This removes the two-second delay after it displays "Starting MS-DOS" and disables using the function keys to do a step-by-step load. Also in CONFIG.SYS is a device named FGSL.SYS. All this file does is intercept every "Ctrl-C" and "Ctrl-Break" so the user can't halt AUTOEXEC.BAT. When AUTOEXEC.BAT loads, it calls a program named FGSA.EXE, which loads FGCFS.386, which is called the Fortres Grand Corp File System. This is a trick. This is not the file that contains the security layer. I was unable to confirm the claims of Frost_byte, who says that FGCFS.386 is a device driver that keeps the Fortres layer on top, not losing priority inside Windows.
After this is loaded, the classic Fortres beep plays. This is a little tune of loud screeching sounds that plays through the PC speaker. This is why if you reboot the machine before properly hacking Fortres, everyone will know and you will get busted. (This can be turned off by adding "/Q" to the FGSA.EXE line in CONFIG.SYS.) If you hold down both Shift keys at this time, you will get a password prompt. This will let you disable Fortres for this boot, or put it in diagnostic mode. More on both of these later. Windows then begins to load, and I know for sure the security layer is loaded sometime after the network support is loaded. This is because you can configure Fortres to get its settings for the security layer from a NetWare or NT server. This next part is how I think it loads, and I am fairly certain of my research. KERNEL32.DLL is loaded, and that in turn loads and runs MSGSRV32.EXE. MSGSRV32.EXE runs FORTRES.EXE (the path to FORTRES.EXE was defined in the AUTOEXEC.BAT). This program is called the "Fortres 101 Loader" and this is not a lie this time. This contains the default file protection settings which can be copied to the settings file. FORTRES.EXE loads FORTRES.DLL, which loads the security layer, which is stored in FGCNWRK.DLL. Ahhh... this file is what we were looking for, the elusive security layer. One of these files, probably FORTRES.EXE, loads the configuration settings from APPMGR.SET, which governs what FGCNWRK.DLL blocks. This ends the part that I'm not sure of. After this load is complete, FLOGO.EXE is executed, and the mouse arrow is homed to the top-left corner of the screen. This stand-alone program simply draws a little animation of the FGC logo in the lower-right corner over the system tray. Every process started in Windows after MSGSRV32.EXE will have FORTRES.DLL and FGCNWRK.DLL. This is the basis of my theory. With these two DLLs, Fortres can screen your actions on every task running.
This theory dismisses what Frost_byte says about FGCFS.386 being used to monitor all the tasks. Whatever theory you want to believe, the truth is every task after MSGSRV32.EXE will have those two DLL files loaded as modules. Anyway, sometime after the security layer loads but before Windows loads EXPLORER.EXE, FGCPROXY.EXE is run. This program is the proxy server for the Bess Internet filtering part of Fortres (www.bess.com). This requires the Admin to pay for Bess as well, and I have never found a computer it is used on. Once this has finished loading, it runs FLOGO.EXE again. The final part of Fortres to load is FGCREPL.EXE, which is executed from the registry in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run key. Once it is done, FLOGO.EXE runs a third and final time.
Fortres is now loaded and the machine is locked down. By default, Fortres restricts the system on all drives so users can't:
- Access Explorer, or Find Files
- Access Start Menu
- Access My Computer on the Desktop
- Access Network Neighborhood
- Access Recycle Bin
- Access Shell Context Menus (right-click on items)
- Execute COMMAND.COM
- Save or Write EXE, SYS, BAT, PIF, DLL, INI, COM, VXD, DRV, 386, OVL, and LNK files
- Interrupt Boot Sequence
- Alter Icons
- Move Files
- Restart in DOS Mode
In addition, Fortres has a list of files/programs it will never ever run. By default this list is:
Fortres only checks the name. If I renamed REGEDIT.EXE to EDITREG.EXE, it would run. In addition, Fortres can be set up so there is no saving on a drive, or no executing on a drive. If a computer is in a cabinet, boots from C: only, has no saving on all drives and executes only from C:, it is basically impossible to do something they don't want you to. We have already shown that trying to prevent Fortres from loading is damn hard. Even rebooting the machine sets off an alarm.
Are you ready for some good news yet? Despite all this security, you can still run most programs. If you go and do the "File->Open" trick, you can browse the computer. For some reason when the "Open File" dialog box is open you can right-click on files, and run them. However, programs in the "Do Not Run" list can't be run this way. Something very useful to run is FTP, so you can send files off the machine. Plus, even though you can't get to "Network Neighborhood," you can still connect to computers on the network by typing "\\<computer name or IP>". However, to do things the security layer specifically protects against, you need to reconfigure Fortres. This is done using APPMGR.EXE. You can run it from Win9x by holding down "Ctrl+Shift+Esc", or "Ctrl+Shift+F" for NT. Doing this causes a password prompt to pop up. This is merely a graphical version of what FGSA.EXE makes when both shifts are held down on the boot, though APPMGR.EXE is creating it.
There is a backdoor password feature. When this is enabled (and it is by default), a number is generated by an unknown algorithm (well, it is based on the current time and possibly the date), producing numbers between 0-65532. I don't have the skills, but if anyone wants to try, the algorithm is stored in both APPMGR.EXE and FGSA.EXE. Anyway, you are supposed to call FGC Technical support at 1-800-331-0372 and tell them this number. FGC keeps a contact sheet for each company that owns a copy. This contact sheet contains all personnel who can get the backdoor password. To add or remove someone from this list, you need to fax Fortres a memo on company letterhead authorizing the new user. While this might be fun and challenging if you like social engineering, there is an easier way. Now, Amatus did post the algorithm to get the backdoor password from this number, and here is the code again translated to work on a TI-85 (will also work on a TI-86, and probably the TI-82 and others). Most high school and college students have one of these. The decode algorithm mainly relies on using a short variable, with a limited range. When a large number is crammed in, the computer rolls it over and over until it's in the range. On a TI, all variables have very large ranges. Thus two programs are needed: one that decodes, and one that converts a number to be within the bounds of a short integer. Here it is:
Program: Fortres
:Disp "Acidus Fortres Cracker"
:Input A
:A*-1.2456->A
:Fortres1
:(A+1)*65533->A
:Fortres1
:((A/2)+7)*3->A
:Fortres1
:A/2->A
:Fortres1
:A*A->A
:Disp "Password:",A

Program: Fortres1
:iPart A->A
:A/65536->B
:iPart B->B
:A-(B*65536)->A
:If A>32767
:-32768+(A-32768)->A
:If A<-32768
:32768+(A+32768)->A
Now if the backdoor password is disabled, a rarity, but possible nonetheless, you can FTP the password file APPMGR.SET out and crack it. Hell, you can make a fast Hotmail account and mail it off the machine! If there was a network install of Fortres, it gets its password file from a Novell NetWare or NT server. If it's a local install, the file is in C:\FGC and Fortres makes the whole C:\FGC directory read only, and Fortres tells the admins not to mess with it. Props to the original Fortres hacker Frost_byte, who reverse-engineered the algorithm, and wrote a program to get the password out of APPMGR.SET.
After you run APPMGR.EXE it loads several DLLs like F101CFG.DLL (assists APPMGR.EXE) and FGCREG.DLL (registration utility, checks to see if you are using the demo version, checks serial number). The Fortres 101 interface loads, and guess what. You now have full access to the machine. Yes, that's right, when APPMGR.EXE is running and the correct password has been entered, all security is disengaged. When you close the interface, security resumes. The APPMGR is a very cool interface. When I hack something, I don't want to destroy it, I want to set it up so I can come back and be able to use certain tools and programs without having to open Fortres to temporarily disable security. First thing I do is set up a directory I can save things to. Now Fortres has a setting that is supposed to let temp directories be writable, but I haven't gotten this to work. In the "General File Protect" tab, there is an option that allows saves in a certain directory. I set this to C:\WINDOWS\SPOOL or C:\WINDOWS\TEMP. That way, even if an admin ever comes to modify the machine (which, if it is simply an Internet terminal, they won't), they won't notice it, but will see that it's for Windows' temp files, and assume it is O.K. I then copy WINFILE.EXE (you can't copy EXPLORER.EXE because it is in use by Windows) to that directory, and I rename it SPOOLER.EXE, or something similar, so it sounds like a Windows default program. This way you can run some kind of shell with Fortres still working. The final thing I like to put on a box is something to take advantage of its permanent Internet connection. If the computer has virus protection, don't even try BO2K. The goal here is to be able to run programs and save, but still protect the box from people who would destroy it. You can enable file sharing and share the folder, but this will probably send up big flares, and a firewall will most likely be configured to block Windows File Sharing ports anyway.
You need an FTP server that can run in a hidden mode. By hidden, I mean it doesn't show in the task bar, and you can't use "Alt-Tab" to get to it. I have found one called A-FTP, written by Eirik Helgeland (firstname.lastname@example.org). My only gripe is no username or password is needed to log on, and you still get full access, and it has no config options. This makes the box open for script kiddies with a scanner.
How would you like to have your very own copy of Fortres? So you can try and experiment all you want with it? I saw this and I couldn't believe it. Look in the C:\WINDOWS\TEMP directory, and you can find the install files (they might be in a gibberish directory, but they are most likely there), including the ever important FORTINST.INI. This file contains the company the program is registered to, and the serial number. With this information, you can go to the FGC web page and sign up to access the "knowledge base." This is their online tech support. You can take all these files and install a full working version of Fortres on your own computer! The help file is incredibly good.
There's lots of stuff that is weird about Fortres 101. It is by far the best security software there is. Because of this, FGC is very secretive about how Fortres works. They don't even want the people who have legally purchased the software to understand how it works. When Fortres fully loads, it hides several files including CONFIG.SYS, AUTOEXEC.BAT, MSDOS.SYS, and its help files. They aren't marked hidden, they simply aren't there. Fortres blocks any mention of them, as if they don't exist. Also, the Fortres Help file says that "Fortres 101 confines all of its files to a single directory on the hard drive (C:\FGC\F101)." This is a lie. The following is a list of all the files Fortres installs on the machine, and what they function as:
C:\FGC\
APPMGR.EXE......Setup Interface
APPMGR.NET......Fake file, real purpose unknown
APPMGR.SET......Global settings and password file
APPMGR.DLL......Helps APPMGR.EXE
DEFAULT.FG4.....Unknown settings
DEFAULT.PXY.....Contains address to Bess Filtering Server
FGCREPL.EXE.....Replication manager
FGCREPLD.DLL....Helps FGCREPL.EXE
UNINST.ISU......InstallShield uninstall file
USERLIST.FGU....Contains user privileges

C:\FGC\F101\ (This is a hidden (attrib +H) directory)
DEFAULT.FG4.....Unknown settings - different from C:\FGC
DEFAULT.PXY.....Exact copy of C:\FGC\DEFAULT.PXY
DENIED.HTM......HTML page shown when Bess blocks site
F101CFG.DLL.....Unknown, seems to help APPMGR.EXE
F101HELP.CNT....Help file
F101HELP.HLP....Help file
F101SK.FG4......Unknown
FGCFS.386.......Unknown
FGCFS.SYS.......Unknown
FGCLO.EXE.......Stand alone Windows exiter (*)
FGCPROXY.EXE....FGC proxy server - works with Bess
FGSA.EXE........FORTRES.EXE loader, beep, password
FGSL.SYS........Traps Ctrl+C/Break, allows AUTOEXEC.BAT to load (*)
FINST.DLL.......Used in install - contains many file references
FLOGO.EXE.......Runs Logo animation (*)
FORTRES.EXE.....Loader of the security layer
NTNOTES.TXT.....Notes for a NT install
PXYERROR.LOG....Log of errors connecting to Bess

C:\WINDOWS\SYSTEM\
FGCLOCAL.DLL....Local calls for Windows 9x
FGCLOCNT.DLL....Local calls for Windows NT
FGCNETNT.DLL....Network settings for Central Control for NT
FGCNETNW.DLL....Same as FGCNETNT but for Novell NetWare
FGCNWRK.DLL.....The security layer - this is the biggie
FGCREG.DLL......FGC registration calls
FORTRES.DLL.....Loads itself and FGCNWRK.DLL into all tasks (*)
All the files above marked (*) are old Fortres 101 version 3 files. They were not rewritten and still say "Fortres Ver. 3" on boot. I guess FGC thinks they are as good as they are going to get. FGCLO.EXE and FLOGO.EXE are both stand-alone programs; they can be run without Fortres being installed. One of the options you have in Fortres is to export your settings, to make it easier to set up other machines exactly the same. This was a mistake on FGC's part, because it shows what files actually hold the configuration info. When you update the configuration of Fortres, the APPMGR.NET time/date stamp changes, while all others stay the same. However, when you export your settings, APPMGR.NET is not needed. This means Fortres is again trying to trick you. I don't know what APPMGR.NET does, but it does not hold the configuration info for Fortres. The four files that hold this info are USERLIST.FGU, APPMGR.SET, DEFAULT.FG4, and DEFAULT.PXY.
Some words of warning: Fortres 101 logs attempts to access things it restricts. These are under the Diagnostics window. What the illegal action was and what program tried to do it is recorded. This is more of a way to see how you need to change Fortres to work with a program. This log is not stored to disk, and is reset when the system is rebooted or logs off. Before you leave simply clear the log using the Clear button in Diagnostics, just in case. Also in the Diagnostics window is the ability to unload Fortres until you reboot the machine. When this is clicked, FORTRES.DLL and FGCNWRK.DLL, which were loaded with every task, are removed from all tasks, and new tasks aren't bound to them. This further supports my theory that it is through these two DLLs, and not FGCFS.386, that Fortres is able to check everything you are doing. Another thing to fear is an accessory product for Fortres 101 called Central Control. It is a remote admin tool that manages several computers running Fortres 101. It runs on a NetWare or NT server. Currently, there is a bug that will not let more than 15 computers be connected to a NetWare server. FGC has released a notice saying they don't know what causes the problem and that they hope to have it fixed by 2000. Needless to say they have not yet fixed it and to my knowledge shall discontinue the use of NetWare after version 4. Central Control allows the Admin to see what each user is doing, and issue two types of commands: Polite and Impolite commands. I'm serious - this is what FGC calls them. Polite commands include updating the system privileges on a machine, starting and stopping tasks, and other admin work. Please notice that unlike when APPMGR is running locally on the machine, if the configuration is being altered remotely while a person is using the machine, all restrictions are still enforced. The Impolite commands are things like immediate shutdown, logoff, and freezing the keyboard.
I have also heard an unconfirmed rumor that it can freeze the mouse as well. If any of those things happen to you while you are hacking walk quickly but calmly away.
The following are a lot of things I found that were just weird about Fortres. First, Fortres always runs FLOGO.EXE after you close a component of it. This is a great way to make sure a program always runs (Sub7 server anyone?). Also, why does Fortres disable itself when APPMGR is run? There must be something APPMGR toggles that tells the security layer to take a break. You could easily write your own program that toggles this too. On a different note, FGSL.SYS traps Ctrl-Breaks. Perhaps something could re-enable them before AUTOEXEC.BAT loads? Another little hole is in the FORTINST.INI file. To make installation faster, the file allows for several tags, one of which is "Password=". Who knows, maybe someone was stupid enough to use it! With WinNT, simply logging in as "Administrator" will disable Fortres until you log out. Finally, what I view as the most likely exploit is using MSGSRV32.EXE. This file seems to be outside the security layer, since it is loaded after the kernel and itself loads Fortres. Perhaps it could be used to create a task before the security layer, and thus free to do what you want. (Again, a backdoor server that is password protected might be a good thing here.)
I hope you better understand Fortres. It really is a well written program. Any system admin out there who wants help on how they can configure Fortres 101 on their machines is welcome to email me and I will gladly help them. Rock on.