FoolProof Hack

From Higher Intellect Wiki
Jump to: navigation, search


FoolProof and the subsequent Destruction thus thereof....
FoolProof is an admirable attempt at securing the Mac, and many of the ways 
around are due not to SmartStuff's incompetancy, but rather to the method 
(and competancy) in which it was set up.

As a prospective hacker of FoolProof, (loathe as I am to use the word 'hacker' 
as everyone seems to have thier own idea as to the definition of the word) and 
most probably not that familiar with the ins and outs of the MacOS (most of 
those who read this will probably be merely interested in getting past the 
bastard, and wreaking havoc on the staff server...) I will endeavour to 
outline the basic steps you will have to take. There are many different ways 
to get round it, and you will have to try them until you find the one  
that the admin at your institution forgot to fix.

As always, its not my problem if you get busted/arrested/shot/have your  
bodily parts chopped off by silly women and then go and make cheap music  
videos and porn movies. However, if you find anything new, please tell me...

Okay - several things you should be aware of:

FoolProof has several components:

the extension/init (ver 2.0 has the superInit, more on that below)
the control panel
the preferences
the admin tools

I have seen and played with two versions of FP:

Ver 2.0
Ver 2.5

2.0 was the System 7 release, and 2.5 was the one to work with 7.5. One  
of the main differences between 2.5 and 2.0 is the SuperInit, and possibly the 
format of the Preferences. (I havn't done much with 2.0, mostly my  
experience is with 2.5)

Some ancronynms/abbreviations that I may use:

FP      - FoolProof
ADL     - Advanced Disk Locking
Prefs   - Preferences


How FP works
FP, as far as I can tell, works by doing somthing scary with the event 
handling, and filtering out various events. How it actually achieves  
this is not our problem. Our problem is to stop it.

FP installs itself, and then allows configuration of its event  
filtering through the use of its Control Panel. This control panel has  
configurable password protection (ie, when you first install it, it doesnt ask you  
for a password, but you then turn that feature on when you have configured  
it.) amongst its many other features. The control panel allows you to  
configure such things as Drag and Rename control, Get Info control, Temporary  
Save folder control and lots of other features. The big one to take notice of is  
the On/Off switch - this turns all FP protection on or off. These are then  
all written to the Preferences file, along with the password and some other  
junk. The init reads the prefs at bootup, or when the control panel changes  

FoolProof 2.0 has a feature which will modify the actual System to load 
foolproof, without needing the init, and this makes life a pain in the  
arse to hack it. This however, is only compatible with System 7.0, and not  
7.5... I think 2.5 will do it to System 7 as well, but System 7.5 is far more 

ADL, or Advanced Disk Locking is another bane of our existance. This  
little bastard is a feature which installs some code into the SCSI driver  
partitions, and it locks the drive on shutdown. This means, that when you disable  
FP, or whack the drive in another machine, or boot off a disk, it will ask you for a 
password to mount the drive (make it appear on the desktop) - a right pain in 
the arse. However, many sys admin types cant be bothered doing this, as  
its a pain in the arse to do, and theyre not expecting that much trouble  
anyway.. (I mean, you're only mac users - what sort of hacker is going to be a  
mac user?)


The Aim
To get full un-foolproofed access to the machine. Finding out the  
password is not straightforward - it is encrypted in the preferences, and if anyone  
is anygood at cryptology, drop me a line...

Anyway, all we have to do is either stop FP from loading at all, or  
letting it load, but having the protection turned off.

Steps to take:

1. Determine what you can and cant do.
2. Use the easiest method to disable FP
3. Do whatever you want to the machine.
4. Install a key grabber to get the password (optional)
5. Remove traces of your escapade
6. Re-FP the machine


Step 1: Determine what you can and cant do.

1. Can you drag stuff round? (grab the hard drive, and move it round  
the desktop? does it stay where you put it?)
        Yes: Wihey. Go to Step 2:1.
        No: Go to 1:2.

2. Does 2:2 work?
        Yes: You're a happy camper then, arnt you?
        No: Oh well. 1:3 for you.

3. Are you running System 7.5?
        Yes: Go past go, collect $200, got to 1:4
        No: Buggery. Go to 1:8

4. Is Extensions Manager installed?
        Yes: Coolies. Go to 1:5
        No: Bugger. Go to 1:6.

5. Can you use control panels? (if their icons are rogered, and they  
just bring up alert boxes, then obviously not)
        Yes: Go to 2:3
        No: Okay, not a problem. Go to 2:4

6. Is Launcher on the machine (you know, the System 7.5 launcher...)
        Yes: Go to 1:7
        No: Poos. Go to 1:8

7: If you drag an icon onto the launcher, does the mouse pointer change  
to a little hand?
        Yes: I love drag and drop, dont you? 2:5 is the answer.
        No: Bugger, must have the old version. Go to 1:8

8. Do you have a boot disk (either a floppy or an external SCSI drive)
        Yes: Go to 2:6
        No: 1:9

9. Can you be fucked making one? (its a real bitch booting 7.5 off a  
        Yes: Well, do it, and go back to 1:8!
        No: Next question...

10. Can you run applications off disk? (if you dbl click and it beeps  
like buggery and flashes at you, then obviously not)
        Yes: Go to 1:11
        No: Go to 1:13

11. Do you have a copy of Norton Disk Edit? (or anything that will  
allow you to edit the data fork of a file, in hex, preferably...)
        Yes: Go to 1:12
        No: Go to 1:14

12. Can you Get Info about a file? (Apple-I)
        Yes: 2:8
        No: 2:9

13. Can you get write access to a file server at all? (File share a  
machine that is unlocked or something)
        Yes: Go to 1:11
        No: Go to 1:14

14. Can you write code? (C, BASIC, Pascal, anything?)
        Yes: Number 2:10 for you...
        No: 1:15

15. Can you run a program at all? (Any sneaky method - external drives, 
    floppies, zip drives, filesharing)
        Yes: 2:11
        No: 1:16

16. Do you have access to the FP original disks/documentation?
        Yes: 12:13
        No: 1:17

17. Okay, youre pretty fucked now.. Theyve done a good job... Try 2:12. 
    If that sounds to complex, or doesnt work, then try 12:14...

Step 2: Disable it!

1. Open up the System Folder, and move the FP Init somewhere else (like  
into the Claris Works folder or somthing.) Then reboot.

2. Hold down Shift while you boot up - should disable all extensions 
   (including the network, unfortunatly) Do 2:1.

3. Use Extensions Manager to disable the Init and the Control Panel,  

4. Hold down the Space Bar while you boot up, and Extension Manager  
should load. Then do 2:2.

5. Okay, drag the Claris Works folder or some folder onto the launcher,  
it will make an alias for it on the launcher. Then open the system  
folder, and drag the FP Init and the FP Control Panel onto the alias you  
just made on the launcher. They should nip across into that folder. Reboot,  
and you're a happy camper. Just dont forget to go into System  
Folder:Launcher Items and get rid of that alias, so they dont know how you did it!

6. Boot off the disk - just shove the floppy in, or if its an external  
SCSI hard drive then hold down Apple-Option-Shift-Delete (I think - I  
cant remember) and let it boot. If it boots, and mounts the drive then  
you're happy. If it brings up a dialog box asking for the ADL Password,  
then you're nowhere near done yet, and should go back to 1:8, and say no  
to the boot disk question. If it did work, then just do 2:1.

7. Get Info about the Fool Proof Prefs, in System Folder:Preferences.  
Make sure the file is not locked. Then do 2:8.

8. Run Norton Disk Edit, open the FoolProof Prefs, and change byte 15  
of the prefs from 01 to 00. Save it, and reboot. (Of course, this might not  
work with 2.0... Ive only tried it with 2.5...)

9. Use ResEdit or somting to unlock the FoolProof Prefs, and then do  

10. Write a program that will twiddle byte 15 in the FoolProof Prefs  
from 01  to 00... just remember that you will have to unlock the file to  
save it... Use GetInfo or resEdit, or any number of PD/Shareware (or <giggles> 
    WaReZ...) file attribute editors... then reboot.

11. What you need is a program that will twiddle the bytes of the  
Prefs. What you need is FP/LMS by Slayer (thats me!) This little gem of a  
proggie will turn FP on or off, as well as many of the other FP features - such  
as drag/rename, password protection and other things. It also will  
dump files,  and compare them, in hex or ASCII. It should (I think I've foxed  
that problem) even unlock the file for you if you cant Get Info or  
resEdit it... Email me to see if I've finished it... (its still development, and  
Ive had exams and all, and I haven't had much time, and I dont have a Mac  
at home, so I dont do much mac coding outside of school time...) Just  
in case you're interested, FP/LMS is an ancronym for 'Fool Proof can  
Lick My Sack.' Any commercial interest in this proggie should be addressed  
to me at DivInt, or my net address... ;-)

12. Okay, this is getting desparate. Pop the lid off the machine,  
change the SCSI ID jumper on the drive (to somthing other than what it is) 
(remembering to note where it was orignally) and whack it into  
another machine that isnt fool proofed. Boot the machine, when it asks you  
for the ADL password, ignore it and press cancel, or get it wrong or something, and then use something like HDT or SilverLining to nuke  
the driver... That should fuck ADL... Then whack the drive back in the  
normal machine with the jumper back where it should be, and do 2:6...

13. Well, try the FP Administrator program - it might be helpful. If it  
asks for the serial number, then try clicking on 'Version Information'  
in the  opening screen of the FP Control Panel.

14. Make somone else do it... break a machine and watch them when they  
come to fix it (preferably with a handycam!)...

Step 3 - Do what you like...

I suggest that you don't actually do anything to the machine, other than  
maybe play a few network games, or install Broadcast or somthing...

I suggest that you do Step 4....


Step 4 - Get the passwoid...

Okey, what you need to do is install a key grabbing program that logs  
all the key strokes into a hidden file. There are several of these availble and  
but they all do much the same... So, install one of the key grabbers, and  
then lock the machine up again.. (but break somthing obvious, like the  
network - trash appleshare or the printer extension or somthing) When they come  
along to fix it, they'll type in the passwoid.. then, all you have to do is  
come back later, do whatever you did again, copy off the log file, and dig  
thru it till you find the magic word... If youre really lucky, youll get  
some other interesting stuff - Internet passwords are good... or maybe the  
staff email system passwords... or somthing. Anyway, once you know the  
passwoid, life is much easier....


Step 5 - Clean up!

Make sure you get rid of anything you have done - moved files, aliases  
- and for gods sake make sure you go into (in System 7.5, anyway) the Recent 
Documents, Recent Applications and Recent Servers folders, and trash  
any aliases to FP/LMS or Norton or whatever you used...


Step 6 - Lock it up again..

Just do whatever you did in reverse - move FP back into the System  
Folder, re-twiddle byte 15, copy the prefs back or whatever..


Some Info, in case youre interested...

The FoolProof Prefs are interesting. The booleans for the states for  
all the controls (On/off, Drag/rename, password protection, etc) are all stored  
as 2 byte shorts in the prefs - either 00 00 or 00 01. They are a breeze to 
twiddle on or off.. The Password starts at byte 130, but its encrypted,  
and I cant be fucked figuring it out. I will get around to mapping out the  
entire pref sometime, and I cant remeber which byte toggles Password  
Protection - all my notes on it are at school, and Im not, 'cos Im at home, and I'm  
doing this all from memory... Ill update this sometime when I get round to  

Just remember - a hint for all Mac based hacking of anything - if  
something is just installed, it has no Pref.. so, if you want to nuke something  
back to first installed state, ie default passwords etc, then NUKE THE  
PREFS! Its that simple... the more subtle poeple will twiddle them, but remember,  
he who controls the prefs, controls the program, and he who controls the  
program, controls the UNIVERSE <meglomaniac cackle>...


Politics, propaganda and self trumpet blowing...

I think that what this 'freedom of information' thing that the internet  
is supposed to bring us all needs a little modification - If the  
information is not at all helpful, and only directed at the peers of the author, and  
not at the masses who are seeking education then the information may as well  
not be there.

When I started writing this, I thought 'who really wants to know  
exactly what byte 15 of the prefs do anyway? All the average reader wants is a cheap  
and easy way to fuck fool proof, without having to construct multicoloured  
boxes, without having to go and change the red wire on the local telephone  
pill box, and without having to find obscure things from radio shack, when lots  
of us dont even live in the bloody US.... ' Sooo, here it is, a cheap, easy, 
straightforward step by step guide to bugger FP. With the emphasis on  
the _easy_ solutions, not the technically most advanced.

So, if you like it, next time you write somthing for the good of the  
rest of the 'net, then think of the plebes who are questing for knowledge, not  
of your fellow techno-weenies...

Refuse/Resist, and bring Chaos AD to your opressors, whoever they may  

'Why stand on a silent platform?
 Fight the war, fuck the norm!'
        -Zack De La Rocha, Rage Against the Machine...

'Cry havoc, and let slip the dogs of war.'
        -William Shakespeare

'So they can lick my sack!'
        -Phil Anselmo, Pantera

'Expendable youth, fighting for posession,
 Having control their principle obsession.
 Rivalry, and retribution,
 Death the only solution.'
        -Tom Araya, Slayer

'No! Dont believe what you read!'
        -Max Cavalera, Sepultura


Greets / Messages

This is dedicated to the memory of RKS - what was, and what could have  
been. I'll get the bastards.

Whiplash        - 'I still think that she's got creamy thighs!'
Amber Dragonfly - As salient as ever
Blitzkrieg      - She's special, and dont let her forget that...
Sparrow         - You owe me a hug!
Satch           - At least somone doesnt read the private mail... ;-)
Mercury         - Information wants to be free, man... No point in all            
                  that work, if I dont tell people what i find...
                  Besides, its not your problem anymore...
Some Sort of Dog- You are the single funniest person on the face of the                   
                  planet. Shan for President!
Drew Barrymore  - Check out your fetish www page!
Mr Bobo         - Lick my sack, monkey boy!
HHHO            - 'Just because your paranoid, dont mean were not after you...'
Nuclear Wasted  - I've still got your Sepultura tape...
Anna            - <schmergen>
Sawah           - The cutest nose on the planet
Celia           - Whoa baby, thats gotta be a custom build... Yin Yang baby...
The Fonz        - At least some one understands me... bad hair day,  man... 
                  (did I mention your cousin's a lesbian?)


Share your opinion