------------------------------------------------------
FoolProof and the subsequent Destruction thus thereof....
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

FoolProof is an admirable attempt at securing the Mac, and many of the ways around it are due not to SmartStuff's incompetence, but rather to the method (and competence) with which it was set up.

As a prospective hacker of FoolProof (loath as I am to use the word 'hacker', as everyone seems to have their own idea as to the definition of the word), and most probably not that familiar with the ins and outs of the MacOS (most of those who read this will probably be merely interested in getting past the bastard and wreaking havoc on the staff server...), I will endeavour to outline the basic steps you will have to take. There are many different ways to get round it, and you will have to try them until you find the one that the admin at your institution forgot to fix.

As always, it's not my problem if you get busted/arrested/shot/have your bodily parts chopped off by silly women and then go and make cheap music videos and porn movies. However, if you find anything new, please tell me...

Okay - several things you should be aware of:

FoolProof has several components:
  the extension/init (ver 2.0 has the SuperInit, more on that below)
  the control panel
  the preferences
  the admin tools

I have seen and played with two versions of FP:
  Ver 2.0
  Ver 2.5

2.0 was the System 7 release, and 2.5 was the one to work with 7.5. One of the main differences between 2.5 and 2.0 is the SuperInit, and possibly the format of the Preferences. (I haven't done much with 2.0; mostly my experience is with 2.5.)

Some acronyms/abbreviations that I may use:
  FP    - FoolProof
  ADL   - Advanced Disk Locking
  Prefs - Preferences

--------------------------------------------------------------
How FP works
~~~~~~~~~~~~

FP, as far as I can tell, works by doing something scary with the event handling, and filtering out various events.
How it actually achieves this is not our problem. Our problem is to stop it.

FP installs itself, and then allows configuration of its event filtering through the use of its Control Panel. This control panel has configurable password protection (i.e. when you first install it, it doesn't ask you for a password, but you then turn that feature on once you have configured it) amongst its many other features. The control panel allows you to configure such things as Drag and Rename control, Get Info control, Temporary Save folder control and lots of other features. The big one to take notice of is the On/Off switch - this turns all FP protection on or off.

These are then all written to the Preferences file, along with the password and some other junk. The init reads the prefs at bootup, or when the control panel changes them.

FoolProof 2.0 has a feature which will modify the actual System to load FoolProof without needing the init, and this makes life a pain in the arse when hacking it. This, however, is only compatible with System 7.0, and not 7.5... I think 2.5 will do it to System 7 as well, but System 7.5 is far more common.

ADL, or Advanced Disk Locking, is another bane of our existence. This little bastard is a feature which installs some code into the SCSI driver partitions, and it locks the drive on shutdown. This means that when you disable FP, or whack the drive in another machine, or boot off a disk, it will ask you for a password to mount the drive (make it appear on the desktop) - a right pain in the arse. However, many sys admin types can't be bothered doing this, as it's a pain in the arse to do, and they're not expecting that much trouble anyway... (I mean, you're only Mac users - what sort of hacker is going to be a Mac user?)

--------------------------------------------------------------------
The Aim
~~~~~~~

To get full un-FoolProofed access to the machine.
Finding out the password is not straightforward - it is encrypted in the preferences, and if anyone is any good at cryptology, drop me a line... Anyway, all we have to do is either stop FP from loading at all, or let it load but have the protection turned off.

Steps to take:
  1. Determine what you can and can't do.
  2. Use the easiest method to disable FP.
  3. Do whatever you want to the machine.
  4. Install a key grabber to get the password (optional).
  5. Remove traces of your escapade.
  6. Re-FP the machine.

---------------------------------------------------------------------
Step 1: Determine what you can and can't do.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Can you drag stuff round? (grab the hard drive, and move it round the desktop? does it stay where you put it?)
   Yes: Wahey. Go to Step 2:1.
   No:  Go to 1:2.

2. Does 2:2 work?
   Yes: You're a happy camper then, aren't you?
   No:  Oh well. 1:3 for you.

3. Are you running System 7.5?
   Yes: Go past go, collect $200, go to 1:4.
   No:  Buggery. Go to 1:8.

4. Is Extensions Manager installed?
   Yes: Coolies. Go to 1:5.
   No:  Bugger. Go to 1:6.

5. Can you use control panels? (if their icons are rogered, and they just bring up alert boxes, then obviously not)
   Yes: Go to 2:3.
   No:  Okay, not a problem. Go to 2:4.

6. Is Launcher on the machine? (you know, the System 7.5 Launcher...)
   Yes: Go to 1:7.
   No:  Poos. Go to 1:8.

7. If you drag an icon onto the Launcher, does the mouse pointer change to a little hand?
   Yes: I love drag and drop, don't you? 2:5 is the answer.
   No:  Bugger, must have the old version. Go to 1:8.

8. Do you have a boot disk (either a floppy or an external SCSI drive)?
   Yes: Go to 2:6.
   No:  1:9.

9. Can you be fucked making one? (it's a real bitch booting 7.5 off a floppy)
   Yes: Well, do it, and go back to 1:8!
   No:  Next question...

10. Can you run applications off disk? (if you double-click and it beeps like buggery and flashes at you, then obviously not)
   Yes: Go to 1:11.
   No:  Go to 1:13.

11. Do you have a copy of Norton Disk Edit?
   (or anything that will allow you to edit the data fork of a file, in hex, preferably...)
   Yes: Go to 1:12.
   No:  Go to 1:14.

12. Can you Get Info about a file? (Apple-I)
   Yes: 2:8.
   No:  2:9.

13. Can you get write access to a file server at all? (file share a machine that is unlocked or something)
   Yes: Go to 1:11.
   No:  Go to 1:14.

14. Can you write code? (C, BASIC, Pascal, anything?)
   Yes: Number 2:10 for you...
   No:  1:15.

15. Can you run a program at all? (any sneaky method - external drives, floppies, Zip drives, file sharing)
   Yes: 2:11.
   No:  1:16.

16. Do you have access to the FP original disks/documentation?
   Yes: 12:13.
   No:  1:17.

17. Okay, you're pretty fucked now... They've done a good job... Try 2:12. If that sounds too complex, or doesn't work, then try 12:14...

-------------------------------------------------------------------
Step 2: Disable it!
~~~~~~~~~~~~~~~~~~~

1. Open up the System Folder, and move the FP Init somewhere else (like into the Claris Works folder or something). Then reboot.

2. Hold down Shift while you boot up - this should disable all extensions (including the network, unfortunately). Then do 2:1.

3. Use Extensions Manager to disable the Init and the Control Panel, then reboot.

4. Hold down the Space Bar while you boot up, and Extensions Manager should load. Then do 2:2.

5. Okay, drag the Claris Works folder or some other folder onto the Launcher; it will make an alias for it on the Launcher. Then open the System Folder, and drag the FP Init and the FP Control Panel onto the alias you just made on the Launcher. They should nip across into that folder. Reboot, and you're a happy camper. Just don't forget to go into System Folder:Launcher Items and get rid of that alias, so they don't know how you did it!

6. Boot off the disk - just shove the floppy in, or if it's an external SCSI hard drive then hold down Apple-Option-Shift-Delete (I think - I can't remember) and let it boot. If it boots, and mounts the drive, then you're happy.
   If it brings up a dialog box asking for the ADL password, then you're nowhere near done yet, and should go back to 1:8 and say no to the boot disk question. If it did work, then just do 2:1.

7. Get Info about the FoolProof Prefs, in System Folder:Preferences. Make sure the file is not locked. Then do 2:8.

8. Run Norton Disk Edit, open the FoolProof Prefs, and change byte 15 of the prefs from 01 to 00. Save it, and reboot. (Of course, this might not work with 2.0... I've only tried it with 2.5...)

9. Use ResEdit or something to unlock the FoolProof Prefs, and then do 2:8...

10. Write a program that will twiddle byte 15 in the FoolProof Prefs from 01 to 00... just remember that you will have to unlock the file to save it... Use Get Info or ResEdit, or any number of PD/Shareware (or WaReZ...) file attribute editors... then reboot.

11. What you need is a program that will twiddle the bytes of the Prefs. What you need is FP/LMS by Slayer (that's me!). This little gem of a proggie will turn FP on or off, as well as many of the other FP features - such as drag/rename, password protection and other things. It also will dump files, and compare them, in hex or ASCII. It should (I think I've foxed that problem) even unlock the file for you if you can't Get Info or ResEdit it... Email me to see if I've finished it... (it's still in development, and I've had exams and all, and I haven't had much time, and I don't have a Mac at home, so I don't do much Mac coding outside of school time...) Just in case you're interested, FP/LMS is an acronym for 'Fool Proof can Lick My Sack.' Any commercial interest in this proggie should be addressed to me at DivInt, or my net address... ;-)

12. Okay, this is getting desperate. Pop the lid off the machine, change the SCSI ID jumper on the drive (to something other than what it is, remembering to note where it was originally) and whack it into another machine that isn't FoolProofed.
   Boot the machine; when it asks you for the ADL password, ignore it and press Cancel, or get it wrong or something, and then use something like HDT or SilverLining to nuke the driver... That should fuck ADL... Then whack the drive back in the
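Added example, not part of the original text and nothing to do with Slayer's FP/LMS: the thing that makes 2:8 through 2:11 work at all is that FP keeps its on/off state in a plain prefs file that the init trusts at boot, and a file lock bit is not a real control because 2:9 shows it can be cleared. From the admin's side, the cheap countermeasure is to record a hash of that file right after configuring FP, keep the hash somewhere the lab machines can't write, and re-check the file (at boot or on a schedule). The Python below does that check. It assumes "byte 15" is a zero-based offset and that 01 means protection on, both taken from the text above and not verified against a real FoolProof prefs file; the sample blobs are constructed, not real prefs dumps.

```python
import hashlib

# Assumption (from the text above, unverified): flag byte at zero-based offset 15,
# 0x01 = protection on, 0x00 = protection off.
FLAG_OFFSET = 15
FLAG_ON = 0x01


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a blob; this is the tamper-evident baseline the admin records."""
    return hashlib.sha256(data).hexdigest()


def protection_enabled(prefs: bytes) -> bool:
    """True if the on/off flag byte says FP protection is on."""
    if len(prefs) <= FLAG_OFFSET:
        raise ValueError("prefs blob too short to contain the flag byte")
    return prefs[FLAG_OFFSET] == FLAG_ON


def check_prefs(prefs: bytes, baseline_hash: str) -> dict:
    """Compare a prefs blob against the known-good baseline.

    Two independent signals are reported: the whole-file hash catches any edit,
    including ones whose meaning we don't know (password field, other switches),
    while the flag byte tells us specifically whether the on/off switch was hit.
    """
    current = sha256_hex(prefs)
    flag_on = protection_enabled(prefs)
    return {
        "hash_matches": current == baseline_hash,
        "protection_on": flag_on,
        "tampered": current != baseline_hash or not flag_on,
    }


def check_file(path: str, baseline_hash: str) -> dict:
    """Same check against a file on disk (e.g. the Prefs in the System Folder)."""
    with open(path, "rb") as fh:
        return check_prefs(fh.read(), baseline_hash)


# Constructed sample blobs (32 bytes each, flag at offset 15); not real FoolProof data.
SAMPLE_PREFS_ON = bytes([0x00] * FLAG_OFFSET + [FLAG_ON] + [0x00] * 16)
SAMPLE_PREFS_OFF = bytes([0x00] * FLAG_OFFSET + [0x00] + [0x00] * 16)
# Flag untouched but some other byte changed: hash mismatch with protection still on.
SAMPLE_PREFS_OTHER_EDIT = bytes([0x00] * FLAG_OFFSET + [FLAG_ON] + [0x00] * 15 + [0x7F])

# The baseline the admin would record right after configuring FP.
BASELINE = sha256_hex(SAMPLE_PREFS_ON)

if __name__ == "__main__":
    for name, blob in (("known-good", SAMPLE_PREFS_ON),
                       ("flag flipped", SAMPLE_PREFS_OFF),
                       ("other byte edited", SAMPLE_PREFS_OTHER_EDIT)):
        print(f"{name:18} {check_prefs(blob, BASELINE)}")
```

The baseline hash has to live off the machine (or on a share the lab boxes can only read), otherwise whoever can edit the Prefs can just re-baseline as well. Reporting the flag byte separately from the hash is what lets you tell "someone turned it off" apart from "the admin changed the password", which matters when you are deciding whether a mismatch is an incident.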