Content
- ~^AmnesiA^~ Method 1
- ~^AmnesiA^~ Method 2
- NINJA Technique 1
- ~ShadoW^ Method 1
- ~ShadoW^ Method 2
- MISC Method 1
- MISC Method 2
There are various ways of HACKING or Over-riding FoolProof.
First off, let me give you a little bit of information about
FoolProof. FoolProof was developed by SmartStuff and is a program
that is used by most schools in order to prevent unwanted users from
changing system files and to stop them from doing specific acts.
Such acts could include RIGHT-CLICKING, COPYING, RENAMING, USING
DOS, etc...
~^AmnesiA^~
Method 1
This is a method my friend and I discovered.
We were on a Windows 98 platform.
1. Step one is preparation. You need to enter the system's
BIOS setup (usually by pressing DEL or F2; it will say on the boot
screen) right away at startup. Make sure that the computer reads
from the A:\ drive before it goes to C:\.
You will also need to acquire a Windows boot disk. Put
Edit.com on the boot disk as well. It's available on my site.
2. Boot up the computer with the boot disk in the disk
drive. Select start the computer without CD support. Let the
computer run its course; it will take about a minute. Eventually you
will get to a C: prompt. Change to an A: prompt.
3. Once you have the A: prompt, open up Edit.com.
4. In Edit.com, go to open, then search in C:\Windows and
find WIN.INI.
Open it.
5. Scroll down through the WIN.INI file and find a section
that starts off: [Foolproof]. Delete that entire section. This is
the code that makes Foolproof open every time you boot Windows. By
deleting it, you are preventing Foolproof from opening. MAKE SURE
TO SAVE THE WIN.INI FILE BEFORE EXITING!
6. From here you are free to do whatever you want in
Windows. I suggest going into C: and locating Unfool.exe. It is
Foolproof's uninstall program.
~^AmnesiA^~
Method 2
This is a method I discovered on my own a little later. I
was working on a WIN98 platform once again.
This time, security was damn strict on the machine. The
entire C:\ drive was masked and could not be accessed, not even in
DOS! Believe me, I tried everything, and nothing was working.
Security was so tight on this comp, it was pretty much a high tech
paperweight.
This was very frustrating, but I finally found a way around
it.
1. Step one is again preparation. Make sure that the
computer boots from A:\ first by going into the BIOS.
Have a Win98 boot disk ready. On this disk have Edit.com
and CMOSKILLA, both downloadable from my site.
2. Boot from the Win98 boot disk. Select start computer
without CD support. Wait until you get your C:\ prompt, and again,
revert to the A:\ prompt. Run CMOS Killa.
This will make the computer beep for a second, then it will
restart itself.
3. Again, boot up the computer from the boot disk and
select no CD support. This time at the C:\ prompt, use the DIR
command and see if the drives are still masked. If they are, then
CMOS Killa didn't help, and until I think of something new, you're
S.O.L.
If you can see all of C:\, then refer to method one for
further instructions on what to do with Edit.com.
OR!!!!!
Try some other methods yourself. Now that you can see the
drives, you can try running C:\unfool.exe. You might want to try
booting in safe mode now, because it should work.
NINJA
Technique 1
You can do these things as long as you have access to C:\.
Refer to my methods numbers 1 and 2.
1. Go into the Autoexec.bat with edit.com and delete
FPTSR.exe
2. Go into Config.sys with edit.com and delete the line
device=fp
3. Run REGEDIT.EXE. You have to remove FoolProof from the
Registry, too. Use the Regedit search feature to find references to
Fool Proof. Find the Registry backup files and make copies with
different names just in case. Making a mistake with the Registry
can cause spectacular messes! Save the registry, and reboot.
FoolProof won’t load.
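A defender's check for the startup hooks named so far (the [Foolproof] section in WIN.INI from Method 1, and the AUTOEXEC.BAT and CONFIG.SYS entries from this technique), as an added example that is not part of the original text or of FoolProof itself. The sample file contents and the C:\SSS path are constructed, and "device=fp" is matched as a prefix because the text gives no full driver name.

```python
import re

# Hooks named in the text: a [Foolproof] section in WIN.INI, FPTSR.exe in
# AUTOEXEC.BAT, and a "device=fp" line in CONFIG.SYS (matched as a prefix).

def ini_sections(text):
    """Lower-cased section names; commented-out headers do not count."""
    return {m.group(1).strip().lower()
            for m in re.finditer(r"^\s*\[([^\]]+)\]", text, re.MULTILINE)}

def active_lines(text):
    """Lower-cased lines with blanks and REM / ';' comment lines dropped."""
    lines = (raw.strip().lower() for raw in text.splitlines())
    return [s for s in lines
            if s and not s.startswith(";") and not re.match(r"rem(\s|$)", s)]

def missing_hooks(win_ini, autoexec, config_sys):
    """Return the expected startup hooks that are absent or commented out."""
    missing = []
    if "foolproof" not in ini_sections(win_ini):
        missing.append("WIN.INI: [Foolproof] section")
    if not any("fptsr.exe" in s for s in active_lines(autoexec)):
        missing.append("AUTOEXEC.BAT: FPTSR.exe")
    driver = re.compile(r"device(high)?\s*=\s*(\S*\\)?fp")
    if not any(driver.match(s) for s in active_lines(config_sys)):
        missing.append("CONFIG.SYS: device=fp")
    return missing

# Constructed sample files: an intact set and a tampered set.
GOOD = {
    "win_ini": "[windows]\nload=\n\n[Foolproof]\n; placeholder contents\n",
    "autoexec": "@ECHO OFF\nC:\\SSS\\FPTSR.exe\n",
    "config_sys": "DEVICE=C:\\WINDOWS\\HIMEM.SYS\ndevice=fp\n",
}
TAMPERED = {
    "win_ini": "[windows]\nload=\n",
    "autoexec": "@ECHO OFF\nREM C:\\SSS\\FPTSR.exe\n",
    "config_sys": "DEVICE=C:\\WINDOWS\\HIMEM.SYS\n",
}

if __name__ == "__main__":
    for name, files in (("intact", GOOD), ("tampered", TAMPERED)):
        print(name, missing_hooks(**files) or "all hooks present")
```

Run from trusted media against copies of the three files, this flags a hook that was deleted or merely commented out with REM.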
_________________
I got these last two from another page... I don't remember
which, but I don't want to make people think I thought of shit
when it really wasn't me.
~ShadoW^
Method 1
1) Booting up in Safe Mode bypasses FoolProof's TSR, making it
possible for the user to delete FoolProof's directory.
My comments:
This can be tricky because many times FoolProof blocks
hotkeys which allow you to boot in safe mode. I have even tried
turning off the computer halfway through a boot and then starting up
again, and still I couldn't drop into safe mode. So try this if you
want, but I haven't had much success with it.
2) Holding the <SHIFT> key under Macintosh prevents
FoolProof's module from loading.
My comments:
I have no experience with FoolProof on Macs so I have no
idea if this works.
3) Creating a copy of 'command.com' with the name of
'temp.txt' (for example), then opening it up with wordpad, and
saving it as 'c:\windows\help\wordpad.hlp' (make sure you don't
convert the file), then simply click on the HELP feature under the
START menu, and you will be dropped into dos.
My comments:
This sounds all good and dandy, but I have never seen a
system running FoolProof that actually allows the user to access
the help option. So if you have access to help, go ahead and try.
4) Use the 'echo' command to overwrite FoolProof's files
(i.e. execute the following command 'echo Hi >
c:\fool95\fooltsr.exe', 'fool95' stands for the directory FoolProof
is installed in).
My comments:
I assume whoever came up with this idea wants this done in
DOS or with a batch file. The systems I have used haven't allowed
batch files to be run, and have made it tricky to get into DOS.
5) Grab the administrator password by locating it in the
swap file created by Windows 95. You can accomplish this by simply
finding the string 'FOOLPROO', and the string after that will be the
administrator password.
My comments:
You will need a hex editor. Check for a link on the site.
~ShadoW^
Method 2
I modified this text to save space. I pretty much just cut
it down to the main points. Most of the stuff here pertains to
Windows 3x versions. Take a look and see if you see anything handy.
_____________________________________________________________________
All my information pertains directly to versions 3.0 and
3.3 of both the 3.x and 95 versions but should be good for all
early versions if they exist.
My first success with breaking FoolProof passwords came by
using a hex editor to scan the windows swap file for anything that
might be of interest. In the swap file I found the password in plain
text. I was surprised but thought that it was something that would
be simply unavoidable and unpredictable. Later though I used a
memory editor on the machine (95 loves it when I do that) and found
that FoolProof stores a copy of the user password IN PLAIN TEXT
inside its TSR's memory space.
To find a FoolProof password, simply search through
conventional memory for the string "FOOLPROO" (I don't know what
they did with that last "F") and the next 128 bytes or so should
contain two plaintext passwords followed by the hot-key assignment.
For some reason FoolProof keeps two passwords on the machine, the
present one and a 'legacy' password (the one you used before you
_thought_ it was changed). There exist a few memory
viewers/editors but it isn't much effort to write something.
Getting to a point where you can execute something can be
difficult but isn't impossible. I found that it is more difficult
to do this on the win3.x machines because FoolProof isn't
compromised by the operating system it sits on top of; basically
getting a dos prompt is up to you (try file manager if you can). 95
is easier because it is very simple to convince 95 that it should
start up into Safe-Mode and then creating a shortcut in the StartUp
group to your editor and then rebooting the machine (FoolProof
doesn't get a chance to load in safe mode).
JohnWayne
MISC Method 1
1. Launch a process viewing application (for example,
Microsoft's pviewer) and kill FoolProof's running VXDs. Foolproof
will now be disabled (although it will be loaded again on the next
boot)
My comments:
Haven't tried it. Again, the machines I have been on have
had the security as tight as possible. I don't see running a
process viewing application as a plausible option. But go for it if
you want.
2. To uninstall Foolproof, move all the files from the
FoolProof directory (which is '\sss' by default) to a temporary
directory. Be sure to move all the files except the two .VXD files.
On the next boot only the VXDs will be loaded, but Foolproof will
be disabled (since the other necessary files will not be in
FoolProof's directory). Now move the FoolProof files back to their
original directory, and run Unfool.exe (which is usually located in
the Windows directory).
My comments:
Haven't tried this either. Moving files has always been
restricted for me too.
3. The standard version of FoolProof does not block network
file access. So if you have a network (as most schools do) then
depending on the configuration of your account and the network
itself, there are ways around certain aspects of FoolProof. For
example, if you are using NetWare (4.11 is what this has been
tested on) and NAL to manage access to network applications, there
is a convenient way to get to browse drives that may be blocked,
and to get to the explorer options menu (file types, view hidden
files, etc..). Open your Server Apps folder (or Applications, or
whatever your version of NAL calls it, it is the folder that is
created on the desktop by NAL to provide access to NAL
applications). Since the Server Apps folder is actually part of
NAL, and therefore considered a network entity, FoolProof won't even
attempt to block it. Once it is open, you can view the explorer
toolbar, or options menu and browse from there. That is assuming,
of course, that they have been blocked on your system.
My comments:
The systems I cracked had blocked network access.
4. Rename the executable you wish to run to .SCR extension.
FoolProof does not block screen savers, so the executable can now
be launched, masquerading as a screen saver.
My comments:
This sounds like it might be plausible. I will try it in
the future, but as it stands now, I have not tested this.
5. Run the executable from a network drive
My comments:
I couldn't.
6. Run Word, and open a shell session using the macro Shell
Environ$("COMMAND").
My comments:
Sounds money. Haven't tried it.
7. If the workstation is a Novell client, it's possible to
hit 'F1' from the login screen, and when the help screen comes up,
select the 'file' menu and then 'open'. Now you can browse the local
drives, and rename FoolProof's directory.
My comments:
I didn't work under Novell client, but I am interested to
know if this is legit.
8. If a Virus Scanning utility is installed, right-click on
a folder and select 'Scan for Viruses'. Now select the 'log'
option, and change the location of the log file. Now you can browse
around the local drive, again being able to rename the FoolProof
folder.
My comments:
This is actually a really good way to go if possible. I
tried it on a computer that was running McAfee. I went into the log
option and then selected the "browse" option to decide where to
place the log text. You can then see things previously hidden by
Foolproof. By hitting F2 while selected on an object, you can
rename it. So go ahead and try to rename the Foolproof directory
or files. My hotkeys (F2) were disabled, but yours may not be.
9. In any application that has a standard file choosing
dialog (usually under the 'file', 'open' menu), browse to the
directory containing the desired application (good examples are
c:\windows\explorer.exe or c:\command.com), right click the .exe
and choose "Quick View". The program's icon appears in the upper
left hand corner of the window - click it and Voila! Your
application is running.
My comments:
On the machines I cracked, the C: directory was shadowed,
therefore when I went into a program's "open" command, opening
something from C: was not an option.
10. Start a DOS session (by running command.com), and trash
the foolproof VXD file by typing: echo hi> c:\fp95\fpvxd.vxd
Restart windows, and a screen will appear saying that
c:\fp95\fpvxd.vxd is corrupt. Hit CTRL+ALT+DELETE and when Windows
loads you will be able to choose which mode to boot from.
Select 'safe mode' and you'll be able to uninstall foolproof (or
simply delete the entire foolproof directory). Alternatively, when
in safe mode, just start a DOS session and type: echo hi>
c:\fp95\fplw16.exe. Now you can restart your computer: Foolproof
will be disabled.
My comments:
I couldn't run command.com, or open in safe mode. This
might prove difficult. Also note that this appears to apply to an
early version of Foolproof. I say this because in later versions
the Foolproof directory is C:\Sss, not C:\fp95.
11. Run: c:\Windows\System\msconfig.exe or click on: Start
-> Run -> msconfig Now go to the Startup tab, and uncheck
everything that says "FoolProof". Restart, and foolproof will be
disabled.
My comments:
Sounds old to me (at least versions of Foolproof on which
this would work). My "Run" option was gone, and I couldn't run
unauthorized .exe's.
12. Reboot with a Win98 boot disk and select the second
option (Start without CD-ROM support), type the command "rename
c:\sss\foolstr.exe nfoolstr.exe" where c:\sss is FoolProof's
directory, remove boot disk and restart. FoolProof should not start
and you may get an error message. Click start --> find, and type
nfoolstr.exe. Rename it to "foolstr.exe". Find the file unfool.exe
and run it. Now do whatever you want!
My comments:
I haven't tried this exact method, but I have always found
that the first half (using a boot disk) is the best way to get
started. From my experience this looks to be an ideal method as long
as you have access to the Foolproof directory (C:\Sss) from DOS.
MISC Method 2
FoolProof Security is a desktop security application for
Windows 95/98/ME. Its purpose is to block users from accessing all
programs, except those which are intended by the administrator.
Additionally, it is intended to allow the user to only save files to
specific locations (usually the floppy disk drive). FoolProof
Security is usually found in computer labs, or on publicly
accessible systems.
A vulnerability exists in FoolProof Security, in that it
restricts certain programs to be executed only by name. By renaming
a restricted program, it can be successfully executed. This
vulnerability can be used to successfully circumvent the security
measures put forth by FoolProof, and even remove it entirely from
the system.
The following is an example:
On a system with FoolProof Security installed open an
MS-DOS Shell (usually found in Start Menu -> Programs ->
Accessories).
['COMMAND.EXE' is not restricted by FoolProof.] At the
command prompt issue the 'ftp' command and open a connection to an
ftp server to which you have write access. ['FTP.EXE' is not
restricted by FoolProof.] Upload the restricted program that
you wish to run. [such as 'deltree', 'xcopy', 'edit', 'fdisk', and
'format'.] Afterwards, download these programs under a different
name. [Use names other than those of restricted programs. Names
such as 'tmp001a.exe' work.] You will now be able to use these
programs, just as if they were the restricted equivalent.
Side Note: Although you can use this process to use
'regedit', the registry is still locked by FoolProof.
Solution:
A quick fix would be the removal of the 'ftp' client
(although it will still be possible to download a simple ftp client
that will do the same job.)
Additionally, any shortcuts to 'command' should be removed,
as this method will not work without it.
FoolProof Security can be found at
http://www.smartstuff.com.
Sincerely,
Bryan A. Hughes
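Why a restriction keyed on the file name fails, next to a check keyed on file content, as an added example (not from the advisory above and not FoolProof's own logic). The byte strings, paths and approved list are constructed; only the restricted program names and 'tmp001a.exe' come from the advisory.

```python
import hashlib
import ntpath

# Program names the advisory lists as restricted by name.
BLOCKED_NAMES = {"deltree", "xcopy", "edit", "fdisk", "format"}

def name_policy_allows(path):
    """Weak check: deny only when the file's base name is on the block list."""
    base = ntpath.splitext(ntpath.basename(path))[0].lower()
    return base not in BLOCKED_NAMES

def sha256_hex(image):
    """Hex SHA-256 digest of a program image."""
    return hashlib.sha256(image).hexdigest()

def content_policy_allows(image, approved_digests):
    """Stronger check: allow only images whose digest was approved in advance."""
    return sha256_hex(image) in approved_digests

# Constructed stand-ins for program images (not real binaries).
FORMAT_IMAGE = b"MZ\x90\x00 constructed stand-in for a restricted tool"
EDITOR_IMAGE = b"MZ\x90\x00 constructed stand-in for an approved program"
APPROVED = {sha256_hex(EDITOR_IMAGE)}

def evaluate(path, image):
    """Return the decision of both policies for one launch attempt."""
    return {
        "name_policy": name_policy_allows(path),
        "content_policy": content_policy_allows(image, APPROVED),
    }

if __name__ == "__main__":
    attempts = [  # constructed paths
        ("C:\\WINDOWS\\COMMAND\\FORMAT.COM", FORMAT_IMAGE),  # original name
        ("A:\\tmp001a.exe", FORMAT_IMAGE),                   # same bytes, renamed
        ("C:\\APPS\\WRITER.EXE", EDITOR_IMAGE),              # approved program
    ]
    for path, image in attempts:
        print(path, evaluate(path, image))
```

The renamed copy passes the name check but is still refused by the content allow list, which is the property the advisory's quick fix does not provide.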
Credits
by K-Shadow <lemon07@yahoo.com>
http://www.amnesia.ftpurl.com/