--------------------------------------------------------------------
FoolProof and the subsequent Destruction thus thereof....
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

FoolProof is an admirable attempt at securing the Mac, and many of the
ways around it are due not to SmartStuff's incompetency, but rather to
the method (and competency) in which it was set up.

As a prospective hacker of FoolProof (loath as I am to use the word
'hacker', as everyone seems to have their own idea as to the definition
of the word), you are most probably not that familiar with the ins and
outs of the MacOS (most of those who read this will probably be merely
interested in getting past the bastard, and wreaking havoc on the staff
server...), so I will endeavour to outline the basic steps you will have
to take. There are many different ways to get round it, and you will
have to try them until you find the one that the admin at your
institution forgot to fix.

As always, it's not my problem if you get busted/arrested/shot/have your
bodily parts chopped off by silly women and then go and make cheap music
videos and porn movies. However, if you find anything new, please tell
me...

Okay - several things you should be aware of:

FoolProof has several components:
    the extension/init (ver 2.0 has the SuperInit, more on that below)
    the control panel
    the preferences
    the admin tools

I have seen and played with two versions of FP:
    Ver 2.0
    Ver 2.5

2.0 was the System 7 release, and 2.5 was the one to work with 7.5.
One of the main differences between 2.5 and 2.0 is the SuperInit, and
possibly the format of the Preferences. (I haven't done much with 2.0,
mostly my experience is with 2.5)

Some acronyms/abbreviations that I may use:
    FP    - FoolProof
    ADL   - Advanced Disk Locking
    Prefs - Preferences

--------------------------------------------------------------------
How FP works
~~~~~~~~~~~~

FP, as far as I can tell, works by doing something scary with the event
handling, and filtering out various events.
How it actually achieves this is not our problem. Our problem is to
stop it.

FP installs itself, and then allows configuration of its event filtering
through the use of its Control Panel. This control panel has
configurable password protection (i.e., when you first install it, it
doesn't ask you for a password, but you then turn that feature on when
you have configured it) amongst its many other features. The control
panel allows you to configure such things as Drag and Rename control,
Get Info control, Temporary Save folder control and lots of other
features. The big one to take notice of is the On/Off switch - this
turns all FP protection on or off. These settings are then all written
to the Preferences file, along with the password and some other junk.
The init reads the prefs at bootup, or when the control panel changes
them.

FoolProof 2.0 has a feature which will modify the actual System to load
FoolProof without needing the init, which makes it a pain in the arse to
hack. This, however, is only compatible with System 7.0, and not 7.5...
I think 2.5 will do it to System 7 as well, but System 7.5 is far more
common.

ADL, or Advanced Disk Locking, is another bane of our existence. This
little bastard is a feature which installs some code into the SCSI
driver partitions, and it locks the drive on shutdown. This means that
when you disable FP, or whack the drive in another machine, or boot off
a disk, it will ask you for a password to mount the drive (make it
appear on the desktop) - a right pain in the arse. However, many sys
admin types can't be bothered doing this, as it's a pain in the arse to
do, and they're not expecting that much trouble anyway.. (I mean, you're
only mac users - what sort of hacker is going to be a mac user?)

--------------------------------------------------------------------
The Aim
~~~~~~~

To get full un-foolproofed access to the machine.
Finding out the password is not straightforward - it is encrypted in the
preferences, and if anyone is any good at cryptology, drop me a line...
Anyway, all we have to do is either stop FP from loading at all, or let
it load, but with the protection turned off.

Steps to take:
    1. Determine what you can and can't do.
    2. Use the easiest method to disable FP
    3. Do whatever you want to the machine.
    4. Install a key grabber to get the password (optional)
    5. Remove traces of your escapade
    6. Re-FP the machine

--------------------------------------------------------------------
Step 1: Determine what you can and can't do.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1.  Can you drag stuff round? (grab the hard drive, and move it round
    the desktop? does it stay where you put it?)
    Yes: Wihey. Go to Step 2:1.
    No:  Go to 1:2.

2.  Does 2:2 work?
    Yes: You're a happy camper then, aren't you?
    No:  Oh well. 1:3 for you.

3.  Are you running System 7.5?
    Yes: Go past go, collect $200, go to 1:4
    No:  Buggery. Go to 1:8

4.  Is Extensions Manager installed?
    Yes: Coolies. Go to 1:5
    No:  Bugger. Go to 1:6.

5.  Can you use control panels? (if their icons are rogered, and they
    just bring up alert boxes, then obviously not)
    Yes: Go to 2:3
    No:  Okay, not a problem. Go to 2:4

6.  Is Launcher on the machine? (you know, the System 7.5 launcher...)
    Yes: Go to 1:7
    No:  Poos. Go to 1:8

7.  If you drag an icon onto the launcher, does the mouse pointer change
    to a little hand?
    Yes: I love drag and drop, don't you? 2:5 is the answer.
    No:  Bugger, must have the old version. Go to 1:8

8.  Do you have a boot disk? (either a floppy or an external SCSI drive)
    Yes: Go to 2:6
    No:  1:9

9.  Can you be fucked making one? (it's a real bitch booting 7.5 off a
    floppy)
    Yes: Well, do it, and go back to 1:8!
    No:  Next question...

10. Can you run applications off disk? (if you dbl click and it beeps
    like buggery and flashes at you, then obviously not)
    Yes: Go to 1:11
    No:  Go to 1:13

11. Do you have a copy of Norton Disk Edit?
    (or anything that will allow you to edit the data fork of a file,
    in hex, preferably...)
    Yes: Go to 1:12
    No:  Go to 1:14

12. Can you Get Info about a file? (Apple-I)
    Yes: 2:8
    No:  2:9

13. Can you get write access to a file server at all? (File share a
    machine that is unlocked or something)
    Yes: Go to 1:11
    No:  Go to 1:14

14. Can you write code? (C, BASIC, Pascal, anything?)
    Yes: Number 2:10 for you...
    No:  1:15

15. Can you run a program at all? (Any sneaky method - external drives,
    floppies, zip drives, filesharing)
    Yes: 2:11
    No:  1:16

16. Do you have access to the FP original disks/documentation?
    Yes: 2:13
    No:  1:17

17. Okay, you're pretty fucked now.. They've done a good job... Try
    2:12. If that sounds too complex, or doesn't work, then try 2:14...

--------------------------------------------------------------------
Step 2: Disable it!
~~~~~~~~~~~~~~~~~~~

1.  Open up the System Folder, and move the FP Init somewhere else
    (like into the Claris Works folder or something.) Then reboot.

2.  Hold down Shift while you boot up - should disable all extensions
    (including the network, unfortunately). Do 2:1.

3.  Use Extensions Manager to disable the Init and the Control Panel,
    reboot.

4.  Hold down the Space Bar while you boot up, and Extensions Manager
    should load. Then do 2:2.

5.  Okay, drag the Claris Works folder or some folder onto the launcher;
    it will make an alias for it on the launcher. Then open the System
    Folder, and drag the FP Init and the FP Control Panel onto the alias
    you just made on the launcher. They should nip across into that
    folder. Reboot, and you're a happy camper. Just don't forget to go
    into System Folder:Launcher Items and get rid of that alias, so they
    don't know how you did it!

6.  Boot off the disk - just shove the floppy in, or if it's an external
    SCSI hard drive then hold down Apple-Option-Shift-Delete (I think -
    I can't remember) and let it boot. If it boots, and mounts the drive,
    then you're happy.
    If it brings up a dialog box asking for the ADL Password, then
    you're nowhere near done yet, and should go back to 1:8, and say no
    to the boot disk question. If it did work, then just do 2:1.

7.  Get Info about the FoolProof Prefs, in System Folder:Preferences.
    Make sure the file is not locked. Then do 2:8.

8.  Run Norton Disk Edit, open the FoolProof Prefs, and change byte 15
    of the prefs from 01 to 00. Save it, and reboot. (Of course, this
    might not work with 2.0... I've only tried it with 2.5...)

9.  Use ResEdit or something to unlock the FoolProof Prefs, and then do
    2:8...

10. Write a program that will twiddle byte 15 in the FoolProof Prefs
    from 01 to 00... just remember that you will have to unlock the file
    to save it... Use Get Info or ResEdit, or any number of PD/Shareware
    (or WaReZ...) file attribute editors... then reboot.

11. What you need is a program that will twiddle the bytes of the Prefs.
    What you need is FP/LMS by Slayer (that's me!) This little gem of a
    proggie will turn FP on or off, as well as many of the other FP
    features - such as drag/rename, password protection and other
    things. It also will dump files, and compare them, in hex or ASCII.
    It should (I think I've foxed that problem) even unlock the file for
    you if you can't Get Info or ResEdit it... Email me to see if I've
    finished it... (it's still in development, and I've had exams and
    all, and I haven't had much time, and I don't have a Mac at home, so
    I don't do much mac coding outside of school time...) Just in case
    you're interested, FP/LMS is an acronym for 'Fool Proof can Lick My
    Sack.' Any commercial interest in this proggie should be addressed
    to me at DivInt, or my net address... ;-)

12. Okay, this is getting desperate. Pop the lid off the machine, change
    the SCSI ID jumper on the drive (to something other than what it is)
    (remembering to note where it was originally) and whack it into
    another machine that isn't FoolProofed.
    Boot the machine; when it asks you for the ADL password, ignore it
    and press cancel, or get it wrong or something, and then use
    something like HDT or SilverLining to nuke the driver... That should
    fuck ADL... Then whack the drive back in the normal machine with the
    jumper back where it should be, and do 2:6...

13. Well, try the FP Administrator program - it might be helpful. If it
    asks for the serial number, then try clicking on 'Version
    Information' in the opening screen of the FP Control Panel.

14. Make someone else do it... break a machine and watch them when they
    come to fix it (preferably with a handycam!)...

--------------------------------------------------------------------
Step 3 - Do what you like...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I suggest that you don't actually do anything to the machine, other than
maybe play a few network games, or install Broadcast or something... I
suggest that you do Step 4....

--------------------------------------------------------------------
Step 4 - Get the passwoid...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Okay, what you need to do is install a key grabbing program that logs
all the key strokes into a hidden file. There are several of these
available, but they all do much the same... So, install one of the key
grabbers, and then lock the machine up again.. (but break something
obvious, like the network - trash AppleShare or the printer extension or
something) When they come along to fix it, they'll type in the
passwoid.. then, all you have to do is come back later, do whatever you
did again, copy off the log file, and dig thru it till you find the
magic word... If you're really lucky, you'll get some other interesting
stuff - Internet passwords are good... or maybe the staff email system
passwords... or something. Anyway, once you know the passwoid, life is
much easier....

--------------------------------------------------------------------
Step 5 - Clean up!
~~~~~~~~~~~~~~~~~~

Make sure you get rid of anything you have done - moved files, aliases -
and for god's sake make sure you go into (in System 7.5, anyway) the
Recent Documents, Recent Applications and Recent Servers folders, and
trash any aliases to FP/LMS or Norton or whatever you used...

--------------------------------------------------------------------
Step 6 - Lock it up again..
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Just do whatever you did in reverse - move FP back into the System
Folder, re-twiddle byte 15, copy the prefs back or whatever..

--------------------------------------------------------------------
Some Info, in case you're interested...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The FoolProof Prefs are interesting. The booleans for the states of all
the controls (On/off, Drag/rename, password protection, etc) are all
stored as 2 byte shorts in the prefs - either 00 00 or 00 01. They are a
breeze to twiddle on or off.. The Password starts at byte 130, but it's
encrypted, and I can't be fucked figuring it out. I will get around to
mapping out the entire pref sometime, and I can't remember which byte
toggles Password Protection - all my notes on it are at school, and I'm
not, 'cos I'm at home, and I'm doing this all from memory... I'll update
this sometime when I get round to it.

Just remember - a hint for all Mac based hacking of anything - if
something is just installed, it has no Pref.. so, if you want to nuke
something back to first installed state, i.e. default passwords etc,
then NUKE THE PREFS! It's that simple... the more subtle people will
twiddle them, but remember, he who controls the prefs, controls the
program, and he who controls the program, controls the UNIVERSE ...

--------------------------------------------------------------------
Politics, propaganda and self trumpet blowing...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I think that this 'freedom of information' thing that the internet is
supposed to bring us all needs a little modification - if the
information is not at all helpful, and only directed at the peers of the
author, and not at the masses who are seeking education, then the
information may as well not be there. When I started writing this, I
thought 'who really wants to know exactly what byte 15 of the prefs does
anyway? All the average reader wants is a cheap and easy way to fuck
FoolProof, without having to construct multicoloured boxes, without
having to go and change the red wire on the local telephone pill box,
and without having to find obscure things from Radio Shack, when lots of
us don't even live in the bloody US....'

Sooo, here it is, a cheap, easy, straightforward step by step guide to
bugger FP. With the emphasis on the _easy_ solutions, not the
technically most advanced. So, if you like it, next time you write
something for the good of the rest of the 'net, then think of the plebes
who are questing for knowledge, not of your fellow techno-weenies...

Refuse/Resist, and bring Chaos AD to your oppressors, whoever they may
be...

'Why stand on a silent platform? Fight the war, fuck the norm!'
    -Zack De La Rocha, Rage Against the Machine...

'Cry havoc, and let slip the dogs of war.'
    -William Shakespeare

'So they can lick my sack!'
    -Phil Anselmo, Pantera

'Expendable youth, fighting for possession,
 Having control their principal obsession.
 Rivalry, and retribution,
 Death the only solution.'
    -Tom Araya, Slayer

'No! Don't believe what you read!'
    -Max Cavalera, Sepultura

--------------------------------------------------------------------
Greets / Messages
~~~~~~~~~~~~~~~~~

This is dedicated to the memory of RKS - what was, and what could have
been. I'll get the bastards.

Whiplash - 'I still think that she's got creamy thighs!'
Amber Dragonfly - As salient as ever
Blitzkrieg - She's special, and don't let her forget that...
Sparrow - You owe me a hug!
Satch - At least someone doesn't read the private mail... ;-)
Mercury - Information wants to be free, man... No point in all that
    work, if I don't tell people what I find... Besides, it's not your
    problem anymore...
Some Sort of Dog - You are the single funniest person on the face of
    the planet. Shan for President!
Drew Barrymore - Check out your fetish www page!
Mr Bobo - Lick my sack, monkey boy!
HHHO - 'Just because you're paranoid, don't mean we're not after you...'
Nuclear Wasted - I've still got your Sepultura tape...
Anna - Sawah - The cutest nose on the planet
Celia - Whoa baby, that's gotta be a custom build... Yin Yang baby...
The Fonz - At least someone understands me... bad hair day, man...
    (did I mention your cousin's a lesbian?)
--------------------------------------------------------------------
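
From the admin's side of the prefs layout described under 'Some Info' (an added example, not part of the original file and not SmartStuff's code): a check, run from a trusted boot, that compares the prefs file against a known-good copy and reports a cleared on/off flag, a changed password field, or a missing file. The 0-based offsets, the function names and the 160-byte sample image are assumptions made for the example.

```python
import struct

# Assumptions (not vendor documentation): offsets are 0-based, so the page's
# "byte 15" is the low byte of the big-endian short at offsets 14-15, and the
# encrypted password field starts at offset 130.
MASTER_FLAG_OFFSET = 14
PASSWORD_OFFSET = 130


def read_short(prefs, offset):
    """Return the 2-byte big-endian value at offset (00 01 = on, 00 00 = off)."""
    return struct.unpack_from(">H", prefs, offset)[0]


def audit_prefs(baseline, current):
    """Compare a prefs image with a known-good copy; return a list of findings."""
    if current is None:
        return ["prefs file missing: program is back in its first-installed state"]
    findings = []
    if len(current) != len(baseline):
        findings.append("size changed: %d -> %d bytes" % (len(baseline), len(current)))
    if len(current) < MASTER_FLAG_OFFSET + 2:
        findings.append("file too short to hold the master flag")
        return findings
    was_on = read_short(baseline, MASTER_FLAG_OFFSET) == 1
    if was_on and read_short(current, MASTER_FLAG_OFFSET) != 1:
        findings.append("master protection flag switched off")
    if current[PASSWORD_OFFSET:] != baseline[PASSWORD_OFFSET:]:
        findings.append("password field differs from baseline")
    changed = [i for i, (a, b) in enumerate(zip(baseline, current)) if a != b]
    other = [i for i in changed if i < PASSWORD_OFFSET
             and not MASTER_FLAG_OFFSET <= i < MASTER_FLAG_OFFSET + 2]
    if other:
        findings.append("other settings changed at offsets %s" % other)
    return findings


def make_sample(flag_on=True):
    """Constructed 160-byte prefs image for the demo; not a real FoolProof file."""
    image = bytearray(160)
    struct.pack_into(">H", image, MASTER_FLAG_OFFSET, 1 if flag_on else 0)
    image[PASSWORD_OFFSET:PASSWORD_OFFSET + 8] = b"\xa5" * 8  # stand-in ciphertext
    return bytes(image)


if __name__ == "__main__":
    good = make_sample()
    cases = [("unchanged", good), ("flag cleared", make_sample(False)), ("deleted", None)]
    for label, image in cases:
        print(label, "->", audit_prefs(good, image) or "ok")
```

The known-good copy has to live somewhere the lab machine cannot write to, since anyone who can edit the prefs can edit a baseline stored beside them.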