Content
///////////////
- ~^AmnesiA^~ Method 1
- ~^AmnesiA^~ Method 2
- NINJA Technique 1
- ~ShadoW^ Method 1
- ~ShadoW^ Method 2
- MISC Method 1
- MISC Method 2
There are various ways of HACKING or Over-riding FoolProof. First
off,
let me give you a little bit of information about FoolProof. FOo0l
Pro0F was developed my SmartStuff and is a program that is used
by
most schools in order to prvent unwanted users from changing system
files and to stop them from doing specific acts. Such acts could
include RIGHT-CLICKING, COPYING, RENAMING, USING DOS, etc...
~^AmnesiA^~ Method 1
/////////////////////
This is a method my friend and I discovered.
We were on a Windows 98 platform.
1.Step one is preperation. You need to enter the system's
BIOS setup (usually by pressing DEL or F2, it will say on the boot
screen)
right away at startup. Make sure that the computer reads from the
A:\
drive
before it goes to C:\.
You will also need to aquire a Windows boot disk. Put Edit.com
on the
boot disk as
well. It's available on my site.
2.Boot up the computer with the boot disk in the disk drive. Select
start the
computer without cd support. Let the computer run its course, it
will
take about
a minute. Eventually you will get to a C: prompt. Change to an A:
prompt.
3.Once you have the A: prompt, open up Edit.com.
4.In Edit.com, go to open, then search in C:\Windows and find WIN.INI.
Open it.
5.Scroll down through the WIN.INI file and find a section that
starts
off:
[Foolproof]. Delete that entire section. This is the code that makes
Foolproof open
every time you boot windows. By deleting it, you are preventing
Foolproof from opening.
MAKE SURE TO SAVE THE WIN.INI FILE BEFORE EXITING!
6.From here you are free to do whatever you want in Windows. I
suggest going into C:
and locating Unfool.exe. It is Foolproof's uninstall program.
~^AmnesiA^~ Method 2
/////////////////////
This is a method i discovered
on my own a little later.
I was working on a WIN98 platform once again.
This time, security was damn strict on the
machine. The entire C:\ drive was masked and could
not be accessed, not even in DOS! Belive me, I tried
everything, and nothing was working. Security was so
tight on this comp, it was pretty much a high tech
paperweight.
This was very frustrating, but I finally found a way around it.
1. Step one is again preperation. Make sure that the computer boots
from A:\ first
by going into the BIOS.
Have a Win98 boot disk ready. On this disk have Edit.com and
CMOSKILLA, both downloadable
from my site.
2. Boot from the Win98 boot disk. Select start computer without
CD
support. Wait until
you get your C:\ prompt, and again, revert to the A:\ prompt. Run
CMOS Killa.
This will make the computer beep for a second, then it will restart
itself.
3. Again, boot up the computer from the boot disk and select no
CD
support. This time
at the C:\ promt, use the DIR command and see if the drives are
still
masked. If they
are, then CMOS Killa didn't help, and until I think of something
new,
you're S.O.L.
If you can see the all of C:\, then refer to method one for further
instructions on
what to do with Edit.com
OR!!!!!
Try some other methods yourself. Now that you can see the drives,
you
can try running
C:\unfool.exe. You might want to try booting in safe mode now,
because it should work.
NINJA Technique 1
/////////////////////
You can do these things as long as you have access
to C:\. Refer to my methods numbers 1 and 2.
1.Go into the Autoexec.bat with edit.com and delete FPTSR.exe
2.Go into Config.sys with edit.com and delete the line device=fp
3.Run REGEDIT.EXE. You have to remove FoolProof from the Registry,
too. Use the Regedit search feature to find references to Fool Proof.
Find the Registry backup files and make copies with different names
just in case. Making a mistake with the Registry can cause spectacular
messes!
Save the registry, and reboot. FoolProof wont load.
_________________
I got these last two from another page...i don't remember
which, but I don't want to make people think I thought of shit
when it really wasn't me.
~ShadoW^ Method 1
//////////////////
1) Boot up in Safe Mode bypasses FoolProof's TSR making it possible
for the user to delete
the FoolProof's directory.
My comments:
This can be tricky because many times FoolProof blocks hotkeys
which allow
you to boot in safe mode. I have even tried turning off the
computer halfway
through a boot and then starting up again, and still I couldn't
drop into safe
mode. So try this if you want, but I haven't had much success
with it.
2) Holding the <SHIFT> key under Macintosh prevents FoolProof's
module from loading.
My comments:
I have no experience with FoolProof on Macs so I have no idea if
this works.
3) Creating a copy of 'command.com' with the name of 'temp.txt'
(for
example), then opening
it up with wordpad, and saving it as 'c:\windows\help\wordpad.hlp'
(make sure you don't
convert the file), then simply click on the HELP feature under the
START menu, and you will
be dropped into dos.
My comments:
This sounds all good and dandy, but I have never seen a system
running FoolProof that
actually allows the user to access the help option. So if you
have access to help, go
ahead and try.
4) Use the 'echo' command to overwrite FoolProof's files (i.e.
execute the following command
'echo Hi > c:\fool95\fooltsr.exe', 'fool95' stands for the
directory FoolProof is installed in).
My comments:
I assume whoever came up with this idea wants this done in DOS or
with a batch file. The
systems I have used haven't allowed batch files to be run, and
have made it tricky to get
into DOS.
5) Grab the administrator password by locating it in the swap
file
crated by Windows 95. You
can accomplish this by simply finding the string 'FOOLPROO', and
the string after that will be
the administrator password.
My comments:
You will need a hex editor. Check for a link on the site.
~ShadoW^ Method 2
//////////////////
I modified this text to save space. I pretty much just cut
it down to the main points. Most of the stuff here pretains to
Windows 3x versions. Take a look and see if you see anything
handy.
_____________________________________________________________________
All my information pertains directly to
versions 3.0 and 3.3 of both the 3.x and
95 versions but should be good for all
early versions if they exist.
My first success with breaking FoolProof passwords came by using
a hex editor to scan the windows swap file for anything that might
be
of
interest. In the swap file I found the password in plain text. I
was
surprised but thought that it was something that would be simply
unavoidable and unpredictable. Later though I used a memory editor
on
the machine (95 loves it when I do that) and found that FoolProof
stores
a copy of the user password IN PLAIN TEXT inside its TSR's memory
space.
To find a FoolProof password, simply search through conventional
memory for the string "FOOLPROO" (I don't knowwhat they
did with that
last "F") and the next 128 bytes or so should contain
two plaintext
passwords followed by the hot-key assignment. For some reason
FoolProof
keeps two passwords on the machine, the present one and a 'legacy'
password (the one you used before you _thought_ it was changed).
There
exist a few memory viewers/editors but it isn't much effort to write
something.
Getting to a point where you can execute something can be
difficult but isn't impossible. I found that it is more difficult
to
do
this on the win3.x machines because FoolProof isn't compromised
by the
operating system it sits on top of; basicly getting a dos prompt
is up
to
you (try file manager if you can). 95 is easier because it is very
simple to convince 95 that it should start up into Safe-Mode and
then
creating a shortcut in the StartUp group to your editor and then
rebooting the machine (FoolProof doesn't get a chance to load in
safe
mode).
JohnWayne
MISC Method 1
///////////////
1. Launch a process viewing application (for example, Microsoft's
pviewer) and kill
FoolProof's running VXDs. Foolproof will now be disabled (although
it
will be loaded again on
the next boot)
My comments:
Haven't tried it. Again, the machines I have been on have had the
security as
tight as possible. I don't see running a proccess viewing application
as a
plausible option. But go for it if you want.
2. To uninstall Foolproof, move all the files from the FoolProof
directory (which is '\sss' by
default) to a temporary directory. Be sure to move all the files
except the two .VXD files. On
the next boot only the VXDs will be loaded, but Foolproof will be
disabled (since the other
necessary files will not be in FoolProof's directory). Now move
the
FoolProof files back to
their original directory, and run Unfool.exe (which is usually located
in the Windows directory).
My comments:
Haven't tried this either. Moving files has always been restricted
for me too.
3. The standard version of FoolProof does not block network file
access. So if you have a
network (as most schools do) then depending on the configuration
of
your
account and the network itself, there are ways around certain aspects
of FoolProof.
For example, if you are using NetWare (4.11 is what this has been
tested on) and NAL to
manage access to network applications, there is a convenient way
to
get to browse drives that
may be blocked, and to get to the explorer options menu (file types,
view hidden files, etc..).
Open your Server Apps folder (or Applications, or whatever your
version of NAL calls it, it is
the folder that is created on the desktop by NAL to provide access
to
NAL applications).
Since the Server Apps folder is actually part of NAL, and therefore
considered a network
entity, FoolProof won't even attempt block it. Once it is open,
you
can view the explorer
toolbar, or options menu and browse from there. That is assuming,
of
course, that they have
been blocked on your system.
My comments:
The systems I cracked had blocked network access.
4. Rename the executable you wish to run to .SCR extension. FoolProof
does not block
screen savers, so the executable can now be launched, masquerading
as
a screen saver.
My comments:
This sounds like it might be plausable. I will try it in the future,
but
as it stands now, I have not tested this.
5. Run the executable from a network drive
My comments:
I couldn't.
6. Run Word, and open a shell session using the macro Shell
Environ$("COMMAND").
My comments:
Sounds money. Haven't tried it.
7. If the workstation is a Novell client, it's possible to hit
'F1'
from the login screen, and when
the help screen comes up, select the 'file' menu and then 'open'.
Now
you can browse the local
drives, and rename FoolProof's directory.
My comments:
I didn't work under Novell client, but I am interested to know if
this
is
legit.
8. If a Virus Scanning utility is installed, right-click on a folder
and select 'Scan for Viruses'.
Now select the 'log' option, and change the location of the log
file.
Now you can browse
around the local drive, again being able to rename the FoolProof
folder.
My comments:
This is actually a really good way to go if possible. I tried it
on a
computer
that was running Mcaffe. I went into the log option and then selected
the "browse"
option to decide where to place the log text. You can then see things
previously
hidden by Foolproof. By hitting F2 while selected on an object,
you
can rename it.
So go ahead and try to rename the Foolproof directory or files.
My
hotkeys (F2) were
disabled, but yours may not be.
9. In any application that has a standard file choosing dialog
(usually under the 'file', 'open'
menu), browse to the directory containing the desired application
(good examples are
c:\windows\explorer.exe or c:\command.com), right click the .exe
and
choose "Quick View".
The program's icon appears in the upper left had corner of the window
- click it and Voila!
Your application is running.
My comments:
On the machines I cracked, the C: directory was shadowed, therefore
when I went into a program's
"open" command, opening something from C: was not an option.
10. Start a DOS session (by running command.com), and trash the
foolproof VXD file by
typing: echo hi> c:\fp95\fpvxd.vxd
Restart windows, and a screen will appear saying that
c:\fp95\fpvxd.vxd is corrupt. Hit
CTRL+ALT+DELETE and when windows will load you will be able to choose
which mode
to boot from. Select 'safe mode' and you'll be able to uninstall
foolproof (or simply delete the
entire foolproof directory). Alternatively, when in safe mode, just
start a DOS session and
type: echo hi> c:\fp95\fplw16.exe. Now you can restart your computer:
Foolproof will be
disabled.
My comments:
I couldn't run command.com, or open in safe mode. This might prove
difficult.
Also note that this appears to apply to an early version of Foolproof.
I say this
because in later versions the Foolproof directory is C:\Sss, not
C:\fp95.
11. Run: c:\Windows\System\msconfig.exe or click on: Start ->
Run ->
msconfig
Now go to the Startup tab, and uncheck everything that says
"FoolProof". Restart, and
foolproof will be disabled.
My comments:
Sounds old to me (at least versions of Foolproof on which this would
work). My "Run"
option was gone, and I couldnt run unauthorized .exe's.
12. Reboot with a Win98 boot disk and select the second option
(Start
without CD-ROM
support), type the command "rename c:\sss\foolstr.exe nfoolstr.exe"
where c:\sss is
FoolProof's directory, remove boot disk and restart. FoolProof should
not start and you may
get an error message. Click start --> find, and type nfoolstr.exe.
Rename it to "foolstr.exe".
Find the file unfool.exe and run it. Now do whatever you want!
My comments:
I haven't tried this exact method, but I have always found that
the
first half (using a boot
disk) is the best way to get started. From my experience this looks
to be an ideal method
as long as you have access to the Foolproof directory (C:\Sss) from
DOS.
MISC Method 2
///////////////
FoolProof Security is a desktop security application for Windows
95/98/ME. Its purpose is to block users from accessing all programs,
except those which are intended by the administrator. Additionally,
it
is
intended to allow the user to only save files to specific locations
(usually the floppy disk drive). FoolProof Security is usually found
in
computer labs, or on publicly accessible systems.
A vulnerability exsists in FoolProof Security, in that it restricts
certain programs to be executed only by name. By renaming a restricted
program, it can be successfuly executed. This vulnerability can
be
used to
sucessfully circumvent the security measures put forth by FoolProof,
and
even remove it entirely from the system.
The following is an example:
On a system with FoolProof Security installed open an MS-DOS Shell
(usually found in Start Menu -> Programs -> Accessories).
['COMMAND.EXE'
is not restricted by FoolProof.] At the command prompt issue the
'ftp'
command and open a connection to an ftp server in which you have
write
access to. ['FTP.EXE' is not restricted by FoolProof.] Upload the
restricted program in which you wish to run. [such as 'deltree',
'xcopy', 'edit', 'fdisk', and 'format'.] Afterwords, download these
programs under a different name. [Use names other than those of
restricted
programs. Names such as 'tmp001a.exe' work.] You will now be able
to
use
these programs, just as if they were the restricted equivilant.
Side Note: Although you can use this process to use 'regedit',
the
registry is still locked by FoolProof.
Solution:
A quick fix, would be the removal of the 'ftp' client (although
it
will
still be possible to download a simple ftp client that will do the
same
job.)
Additionally, any shortcuts to 'command' should be removed, as
this
method
will not work without it.
FoolProof Security can be found at http://www.smartstuff.com.
Sincerely,
Bryan A. Hughes
|