informis
/
textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/programming/foolproofhack.txt

399 lines
17 KiB
Plaintext
Raw Permalink Normal View History

Initial commit
2021-04-15 11:31:59 -07:00
------------------------------------------------------
FoolProof and the subsequent Destruction thus thereof....
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
FoolProof is an admirable attempt at securing the Mac, and many of the ways
around are due not to SmartStuff's incompetancy, but rather to the method
(and competancy) in which it was set up.
As a prospective hacker of FoolProof, (loathe as I am to use the word 'hacker'
as everyone seems to have thier own idea as to the definition of the word) and
most probably not that familiar with the ins and outs of the MacOS (most of
those who read this will probably be merely interested in getting past the
bastard, and wreaking havoc on the staff server...) I will endeavour to
outline the basic steps you will have to take. There are many different ways
to get round it, and you will have to try them until you find the one
that the admin at your institution forgot to fix.
As always, its not my problem if you get busted/arrested/shot/have your
bodily parts chopped off by silly women and then go and make cheap music
videos and porn movies. However, if you find anything new, please tell me...
Okay - several things you should be aware of:
FoolProof has several components:
the extension/init (ver 2.0 has the superInit, more on that below)
the control panel
the preferences
the admin tools
I have seen and played with two versions of FP:
Ver 2.0
Ver 2.5
2.0 was the System 7 release, and 2.5 was the one to work with 7.5. One
of the main differences between 2.5 and 2.0 is the SuperInit, and possibly the
format of the Preferences. (I havn't done much with 2.0, mostly my
experience is with 2.5)
Some ancronynms/abbreviations that I may use:
FP - FoolProof
ADL - Advanced Disk Locking
Prefs - Preferences
--------------------------------------------------------------
How FP works
~~~~~~~~~~~~
FP, as far as I can tell, works by doing somthing scary with the event
handling, and filtering out various events. How it actually achieves
this is not our problem. Our problem is to stop it.
FP installs itself, and then allows configuration of its event
filtering through the use of its Control Panel. This control panel has
configurable password protection (ie, when you first install it, it doesnt ask you
for a password, but you then turn that feature on when you have configured
it.) amongst its many other features. The control panel allows you to
configure such things as Drag and Rename control, Get Info control, Temporary
Save folder control and lots of other features. The big one to take notice of is
the On/Off switch - this turns all FP protection on or off. These are then
all written to the Preferences file, along with the password and some other
junk. The init reads the prefs at bootup, or when the control panel changes
them.
FoolProof 2.0 has a feature which will modify the actual System to load
foolproof, without needing the init, and this makes life a pain in the
arse to hack it. This however, is only compatible with System 7.0, and not
7.5... I think 2.5 will do it to System 7 as well, but System 7.5 is far more
common.
ADL, or Advanced Disk Locking is another bane of our existance. This
little bastard is a feature which installs some code into the SCSI driver
partitions, and it locks the drive on shutdown. This means, that when you disable
FP, or whack the drive in another machine, or boot off a disk, it will ask you for a
password to mount the drive (make it appear on the desktop) - a right pain in
the arse. However, many sys admin types cant be bothered doing this, as
its a pain in the arse to do, and theyre not expecting that much trouble
anyway.. (I mean, you're only mac users - what sort of hacker is going to be a
mac user?)
--------------------------------------------------------------------
The Aim
~~~~~~~
To get full un-foolproofed access to the machine. Finding out the
password is not straightforward - it is encrypted in the preferences, and if anyone
is anygood at cryptology, drop me a line...
Anyway, all we have to do is either stop FP from loading at all, or
letting it load, but having the protection turned off.
Steps to take:
1. Determine what you can and cant do.
2. Use the easiest method to disable FP
3. Do whatever you want to the machine.
4. Install a key grabber to get the password (optional)
5. Remove traces of your escapade
6. Re-FP the machine
---------------------------------------------------------------------
Step 1: Determine what you can and cant do.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. Can you drag stuff round? (grab the hard drive, and move it round
the desktop? does it stay where you put it?)
Yes: Wihey. Go to Step 2:1.
No: Go to 1:2.
2. Does 2:2 work?
Yes: You're a happy camper then, arnt you?
No: Oh well. 1:3 for you.
3. Are you running System 7.5?
Yes: Go past go, collect $200, got to 1:4
No: Buggery. Go to 1:8
4. Is Extensions Manager installed?
Yes: Coolies. Go to 1:5
No: Bugger. Go to 1:6.
5. Can you use control panels? (if their icons are rogered, and they
just bring up alert boxes, then obviously not)
Yes: Go to 2:3
No: Okay, not a problem. Go to 2:4
6. Is Launcher on the machine (you know, the System 7.5 launcher...)
Yes: Go to 1:7
No: Poos. Go to 1:8
7: If you drag an icon onto the launcher, does the mouse pointer change
to a little hand?
Yes: I love drag and drop, dont you? 2:5 is the answer.
No: Bugger, must have the old version. Go to 1:8
8. Do you have a boot disk (either a floppy or an external SCSI drive)
Yes: Go to 2:6
No: 1:9
9. Can you be fucked making one? (its a real bitch booting 7.5 off a
floppy)
Yes: Well, do it, and go back to 1:8!
No: Next question...
10. Can you run applications off disk? (if you dbl click and it beeps
like buggery and flashes at you, then obviously not)
Yes: Go to 1:11
No: Go to 1:13
11. Do you have a copy of Norton Disk Edit? (or anything that will
allow you to edit the data fork of a file, in hex, preferably...)
Yes: Go to 1:12
No: Go to 1:14
12. Can you Get Info about a file? (Apple-I)
Yes: 2:8
No: 2:9
13. Can you get write access to a file server at all? (File share a
machine that is unlocked or something)
Yes: Go to 1:11
No: Go to 1:14
14. Can you write code? (C, BASIC, Pascal, anything?)
Yes: Number 2:10 for you...
No: 1:15
15. Can you run a program at all? (Any sneaky method - external drives,
floppies, zip drives, filesharing)
Yes: 2:11
No: 1:16
16. Do you have access to the FP original disks/documentation?
Yes: 12:13
No: 1:17
17. Okay, youre pretty fucked now.. Theyve done a good job... Try 2:12.
If that sounds to complex, or doesnt work, then try 12:14...
-------------------------------------------------------------------
Step 2: Disable it!
~~~~~~~~~~~~~~~~~~~
1. Open up the System Folder, and move the FP Init somewhere else (like
into the Claris Works folder or somthing.) Then reboot.
2. Hold down Shift while you boot up - should disable all extensions
(including the network, unfortunatly) Do 2:1.
3. Use Extensions Manager to disable the Init and the Control Panel,
reboot.
4. Hold down the Space Bar while you boot up, and Extension Manager
should load. Then do 2:2.
5. Okay, drag the Claris Works folder or some folder onto the launcher,
it will make an alias for it on the launcher. Then open the system
folder, and drag the FP Init and the FP Control Panel onto the alias you
just made on the launcher. They should nip across into that folder. Reboot,
and you're a happy camper. Just dont forget to go into System
Folder:Launcher Items and get rid of that alias, so they dont know how you did it!
6. Boot off the disk - just shove the floppy in, or if its an external
SCSI hard drive then hold down Apple-Option-Shift-Delete (I think - I
cant remember) and let it boot. If it boots, and mounts the drive then
you're happy. If it brings up a dialog box asking for the ADL Password,
then you're nowhere near done yet, and should go back to 1:8, and say no
to the boot disk question. If it did work, then just do 2:1.
7. Get Info about the Fool Proof Prefs, in System Folder:Preferences.
Make sure the file is not locked. Then do 2:8.
8. Run Norton Disk Edit, open the FoolProof Prefs, and change byte 15
of the prefs from 01 to 00. Save it, and reboot. (Of course, this might not
work with 2.0... Ive only tried it with 2.5...)
9. Use ResEdit or somting to unlock the FoolProof Prefs, and then do
2:8...
10. Write a program that will twiddle byte 15 in the FoolProof Prefs
from 01 to 00... just remember that you will have to unlock the file to
save it... Use GetInfo or resEdit, or any number of PD/Shareware (or <giggles>
WaReZ...) file attribute editors... then reboot.
11. What you need is a program that will twiddle the bytes of the
Prefs. What you need is FP/LMS by Slayer (thats me!) This little gem of a
proggie will turn FP on or off, as well as many of the other FP features - such
as drag/rename, password protection and other things. It also will
dump files, and compare them, in hex or ASCII. It should (I think I've foxed
that problem) even unlock the file for you if you cant Get Info or
resEdit it... Email me to see if I've finished it... (its still development, and
Ive had exams and all, and I haven't had much time, and I dont have a Mac
at home, so I dont do much mac coding outside of school time...) Just
in case you're interested, FP/LMS is an ancronym for 'Fool Proof can
Lick My Sack.' Any commercial interest in this proggie should be addressed
to me at DivInt, or my net address... ;-)
12. Okay, this is getting desparate. Pop the lid off the machine,
change the SCSI ID jumper on the drive (to somthing other than what it is)
(remembering to note where it was orignally) and whack it into
another machine that isnt fool proofed. Boot the machine, when it asks you
for the ADL password, ignore it and press cancel, or get it wrong or something, and then use something like HDT or SilverLining to nuke
the driver... That should fuck ADL... Then whack the drive back in the
normal machine with the jumper back where it should be, and do 2:6...
13. Well, try the FP Administrator program - it might be helpful. If it
asks for the serial number, then try clicking on 'Version Information'
in the opening screen of the FP Control Panel.
14. Make somone else do it... break a machine and watch them when they
come to fix it (preferably with a handycam!)...
--------------------------------------------------------------------
Step 3 - Do what you like...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I suggest that you don't actually do anything to the machine, other than
maybe play a few network games, or install Broadcast or somthing...
I suggest that you do Step 4....
------------------------------------------------------------------
Step 4 - Get the passwoid...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Okey, what you need to do is install a key grabbing program that logs
all the key strokes into a hidden file. There are several of these availble and
but they all do much the same... So, install one of the key grabbers, and
then lock the machine up again.. (but break somthing obvious, like the
network - trash appleshare or the printer extension or somthing) When they come
along to fix it, they'll type in the passwoid.. then, all you have to do is
come back later, do whatever you did again, copy off the log file, and dig
thru it till you find the magic word... If youre really lucky, youll get
some other interesting stuff - Internet passwords are good... or maybe the
staff email system passwords... or somthing. Anyway, once you know the
passwoid, life is much easier....
--------------------------------------------------------------------
Step 5 - Clean up!
~~~~~~~~~~~~~~~~~~
Make sure you get rid of anything you have done - moved files, aliases
- and for gods sake make sure you go into (in System 7.5, anyway) the Recent
Documents, Recent Applications and Recent Servers folders, and trash
any aliases to FP/LMS or Norton or whatever you used...
--------------------------------------------------------------------
Step 6 - Lock it up again..
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Just do whatever you did in reverse - move FP back into the System
Folder, re-twiddle byte 15, copy the prefs back or whatever..
------------------------------------------------------------------
Some Info, in case youre interested...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The FoolProof Prefs are interesting. The booleans for the states for
all the controls (On/off, Drag/rename, password protection, etc) are all stored
as 2 byte shorts in the prefs - either 00 00 or 00 01. They are a breeze to
twiddle on or off.. The Password starts at byte 130, but its encrypted,
and I cant be fucked figuring it out. I will get around to mapping out the
entire pref sometime, and I cant remeber which byte toggles Password
Protection - all my notes on it are at school, and Im not, 'cos Im at home, and I'm
doing this all from memory... Ill update this sometime when I get round to
it.
Just remember - a hint for all Mac based hacking of anything - if
something is just installed, it has no Pref.. so, if you want to nuke something
back to first installed state, ie default passwords etc, then NUKE THE
PREFS! Its that simple... the more subtle poeple will twiddle them, but remember,
he who controls the prefs, controls the program, and he who controls the
program, controls the UNIVERSE <meglomaniac cackle>...
-----------------------------------------------------------------
Politics, propaganda and self trumpet blowing...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I think that what this 'freedom of information' thing that the internet
is supposed to bring us all needs a little modification - If the
information is not at all helpful, and only directed at the peers of the author, and
not at the masses who are seeking education then the information may as well
not be there.
When I started writing this, I thought 'who really wants to know
exactly what byte 15 of the prefs do anyway? All the average reader wants is a cheap
and easy way to fuck fool proof, without having to construct multicoloured
boxes, without having to go and change the red wire on the local telephone
pill box, and without having to find obscure things from radio shack, when lots
of us dont even live in the bloody US.... ' Sooo, here it is, a cheap, easy,
straightforward step by step guide to bugger FP. With the emphasis on
the _easy_ solutions, not the technically most advanced.
So, if you like it, next time you write somthing for the good of the
rest of the 'net, then think of the plebes who are questing for knowledge, not
of your fellow techno-weenies...
Refuse/Resist, and bring Chaos AD to your opressors, whoever they may
be...
'Why stand on a silent platform?
Fight the war, fuck the norm!'
-Zack De La Rocha, Rage Against the Machine...
'Cry havoc, and let slip the dogs of war.'
-William Shakespeare
'So they can lick my sack!'
-Phil Anselmo, Pantera
'Expendable youth, fighting for posession,
Having control their principle obsession.
Rivalry, and retribution,
Death the only solution.'
-Tom Araya, Slayer
'No! Dont believe what you read!'
-Max Cavalera, Sepultura
--------------------------------------------------------------------
Greets / Messages
~~~~~~~~~~~~~~~~~
This is dedicated to the memory of RKS - what was, and what could have
been. I'll get the bastards.
Whiplash - 'I still think that she's got creamy thighs!'
Amber Dragonfly - As salient as ever
Blitzkrieg - She's special, and dont let her forget that...
Sparrow - You owe me a hug!
Satch - At least somone doesnt read the private mail... ;-)
Mercury - Information wants to be free, man... No point in all
that work, if I dont tell people what i find...
Besides, its not your problem anymore...
Some Sort of Dog- You are the single funniest person on the face of the
planet. Shan for President!
Drew Barrymore - Check out your fetish www page!
Mr Bobo - Lick my sack, monkey boy!
HHHO - 'Just because your paranoid, dont mean were not after you...'
Nuclear Wasted - I've still got your Sepultura tape...
Anna - <schmergen>
Sawah - The cutest nose on the planet
Celia - Whoa baby, thats gotta be a custom build... Yin Yang baby...
The Fonz - At least some one understands me... bad hair day, man...
(did I mention your cousin's a lesbian?)
-----------------------------------------------------------------------