Various ways to hack or override FoolProof



Method 1 
/////////

This is a method my friend and I discovered. We were on a Windows 98 platform. 

1. Step one is preparation.  You need to enter the system's BIOS setup (usually by pressing DEL or F2; it will say on the boot screen) right away at startup.  Make sure that the computer reads from the A:\ drive before it goes to C:\. 

You will also need to acquire a Windows boot disk.  Put Edit.com on the boot disk as well.  It's available on my site. 

2. Boot up the computer with the boot disk in the disk drive.  Select 'Start the computer without CD support'.  Let the computer run its course; it will take about a minute.  Eventually you will get to a C: prompt.  Change to an A: prompt. 

3. Once you have the A: prompt, open up Edit.com. 

4. In Edit.com, go to Open, then search in C:\Windows and find WIN.INI.  Open it. 

5. Scroll down through the WIN.INI file and find a section that starts off with [Foolproof].  Delete that entire section.  This is the code that makes Foolproof open every time you boot Windows.  By deleting it, you are preventing Foolproof from opening. 
MAKE SURE TO SAVE THE WIN.INI FILE BEFORE EXITING! 

6. From here you are free to do whatever you want in Windows.  I suggest going into C: and locating Unfool.exe.  It is Foolproof's uninstall program. 





~^AmnesiA^~ Method 2 
///////////////////// 

This is a method I discovered on my own a little later.  I was working on a Win98 platform once again. 

This time, security was damn strict on the machine.  The entire C:\ drive was masked and could not be accessed, not even in DOS!  Believe me, I tried everything, and nothing was working.  Security was so tight on this comp, it was pretty much a high tech paperweight. 

This was very frustrating, but I finally found a way around it. 

1. Step one is again preparation.  Make sure that the computer boots from A:\ first by going into the BIOS. 

Have a Win98 boot disk ready.  On this disk have Edit.com and CMOSKILLA, both downloadable from my site. 

2. Boot from the Win98 boot disk.  Select 'Start computer without CD support'.  Wait until you get your C:\ prompt, and again, revert to the A:\ prompt.  Run CMOS Killa. 

This will make the computer beep for a second, then it will restart itself. 

3. Again, boot up the computer from the boot disk and select no CD support.  This time at the C:\ prompt, use the DIR command and see if the drives are still masked.  If they are, then CMOS Killa didn't help, and until I think of something new, you're S.O.L. 

If you can see all of C:\, then refer to method one for further instructions on what to do with Edit.com. 

OR!!!!! 

Try some other methods yourself.  Now that you can see the drives, you can try running C:\unfool.exe.  You might want to try booting in safe mode now, because it should work. 




NINJA Technique 1 
///////////////////// 

You can do these things as long as you have access to C:\.  Refer to my methods numbers 1 and 2. 

1. Go into the Autoexec.bat with edit.com and delete FPTSR.exe 

2. Go into Config.sys with edit.com and delete the line device=fp 

3. Run REGEDIT.EXE.  You have to remove FoolProof from the Registry, too.  Use the Regedit search feature to find references to Fool Proof.  Find the Registry backup files and make copies with different names just in case.  Making a mistake with the Registry can cause spectacular messes! 
Save the registry, and reboot.  FoolProof won't load. 
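Seen from the other side of the keyboard, Method 1 and the three steps above describe exactly what a lab administrator should be monitoring: the product only loads if its [Foolproof] section in WIN.INI, its FPTSR.exe line in AUTOEXEC.BAT and its device=fp line in CONFIG.SYS survive a reboot. The script below is an added example, not code from the original page or from FoolProof itself; it parses those three files and reports which of the hooks has been stripped, so it can be run from a scheduled job against copies of the files. All file contents are constructed samples, the [Foolproof] key and the FPXXXX.SYS driver name are placeholders, and because the page only gives the "fp" prefix of the CONFIG.SYS driver, that is all the check matches on.

```python
"""Integrity check for the lockdown's startup hooks (added example)."""
import re


def ini_sections(text):
    """Map lower-cased [section] names to their non-comment lines."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+?)\]\s*$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def has_foolproof_section(win_ini):
    """True if WIN.INI still carries a [Foolproof] section (any letter case)."""
    return "foolproof" in ini_sections(win_ini)


def has_fptsr_line(autoexec):
    """True if AUTOEXEC.BAT still runs FPTSR.EXE on an active (non-REM) line."""
    for raw in autoexec.splitlines():
        s = raw.strip()
        if not s or s.upper() == "REM" or s.upper().startswith("REM "):
            continue
        if "FPTSR.EXE" in s.upper():
            return True
    return False


def has_fp_device_line(config_sys):
    """True if CONFIG.SYS still has a DEVICE= or DEVICEHIGH= line whose
    driver file name starts with "fp" (the only detail the page gives)."""
    for raw in config_sys.splitlines():
        m = re.match(r"^device(?:high)?\s*=\s*(.+)$", raw.strip(), re.I)
        if not m:
            continue
        target = m.group(1).split()[0]          # drop driver switches such as /Q
        basename = target.rsplit("\\", 1)[-1]   # keep only the file name
        if basename.lower().startswith("fp"):
            return True
    return False


def check_load_points(win_ini, autoexec, config_sys):
    """Return the hooks that are missing; an empty list means all are intact."""
    missing = []
    if not has_foolproof_section(win_ini):
        missing.append("WIN.INI [Foolproof] section")
    if not has_fptsr_line(autoexec):
        missing.append("AUTOEXEC.BAT FPTSR.EXE line")
    if not has_fp_device_line(config_sys):
        missing.append("CONFIG.SYS device=fp... line")
    return missing


# Constructed samples of an intact configuration. "Path=C:\SSS" and
# FPXXXX.SYS are placeholders, not real product values.
GOOD_WIN_INI = "[windows]\nload=\nrun=\n\n[Foolproof]\nPath=C:\\SSS\n\n[Desktop]\nWallpaper=(None)\n"
GOOD_AUTOEXEC = "@ECHO OFF\nPATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\nC:\\SSS\\FPTSR.EXE\n"
GOOD_CONFIG = "DEVICE=C:\\WINDOWS\\HIMEM.SYS\nDEVICEHIGH=C:\\SSS\\FPXXXX.SYS /Q\n"

# Constructed samples after the edits the page describes: section deleted,
# TSR line commented out with REM, driver line removed.
TAMPERED_WIN_INI = "[windows]\nload=\nrun=\n\n[Desktop]\nWallpaper=(None)\n"
TAMPERED_AUTOEXEC = "@ECHO OFF\nPATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\nREM C:\\SSS\\FPTSR.EXE\n"
TAMPERED_CONFIG = "DEVICE=C:\\WINDOWS\\HIMEM.SYS\n"

if __name__ == "__main__":
    print("intact:  ", check_load_points(GOOD_WIN_INI, GOOD_AUTOEXEC, GOOD_CONFIG))
    print("tampered:", check_load_points(TAMPERED_WIN_INI, TAMPERED_AUTOEXEC, TAMPERED_CONFIG))
```

The check deliberately treats a REM'd-out line the same as a deleted one, since DOS skips both; the registry entries the third step mentions are not covered because they cannot be verified from a text copy of the files in the same way.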


_________________ 
I got these last two from another page... I don't remember which, but I don't want to make people think I thought of shit when it really wasn't me. 


~ShadoW^ Method 1 
////////////////// 

1) Booting up in Safe Mode bypasses FoolProof's TSR, making it possible for the user to delete FoolProof's directory. 

My comments: 
This can be tricky because many times FoolProof blocks hotkeys which allow you to boot in safe mode.  I have even tried turning off the computer halfway through a boot and then starting up again, and still I couldn't drop into safe mode.  So try this if you want, but I haven't had much success with it. 

2) Holding the key under Macintosh prevents FoolProof's module from loading. 

My comments: 
I have no experience with FoolProof on Macs so I have no idea if this works. 

3) Creating a copy of 'command.com' with the name of 'temp.txt' (for example), then opening it up with WordPad, and saving it as 'c:\windows\help\wordpad.hlp' (make sure you don't convert the file), then simply click on the HELP feature under the START menu, and you will be dropped into DOS. 

My comments: 
This sounds all good and dandy, but I have never seen a system running FoolProof that actually allows the user to access the help option.  So if you have access to help, go ahead and try. 

4) Use the 'echo' command to overwrite FoolProof's files (i.e. execute the following command: 'echo Hi > c:\fool95\fooltsr.exe'; 'fool95' stands for the directory FoolProof is installed in). 

My comments: 
I assume whoever came up with this idea wants this done in DOS or with a batch file.  The systems I have used haven't allowed batch files to be run, and have made it tricky to get into DOS. 

5) Grab the administrator password by locating it in the swap file created by Windows 95.  You can accomplish this by simply finding the string 'FOOLPROO', and the string after that will be the administrator password. 

My comments: 
You will need a hex editor.  Check for a link on the site. 





~ShadoW^ Method 2 
////////////////// 

I modified this text to save space.  I pretty much just cut it down to the main points.  Most of the stuff here pertains to Windows 3.x versions.  Take a look and see if you see anything handy. 
_____________________________________________________________________ 

All my information pertains directly to versions 3.0 and 3.3 of both the 3.x and 95 versions but should be good for all early versions if they exist. 

My first success with breaking FoolProof passwords came by using a hex editor to scan the Windows swap file for anything that might be of interest.  In the swap file I found the password in plain text.  I was surprised but thought that it was something that would be simply unavoidable and unpredictable.  Later though I used a memory editor on the machine (95 loves it when I do that) and found that FoolProof stores a copy of the user password IN PLAIN TEXT inside its TSR's memory space. 

To find a FoolProof password, simply search through conventional memory for the string "FOOLPROO" (I don't know what they did with that last "F") and the next 128 bytes or so should contain two plaintext passwords followed by the hot-key assignment.  For some reason FoolProof keeps two passwords on the machine, the present one and a 'legacy' password (the one you used before you _thought_ it was changed).  There exist a few memory viewers/editors but it isn't much effort to write something. 

Getting to a point where you can execute something can be difficult but isn't impossible.  I found that it is more difficult to do this on the Win3.x machines because FoolProof isn't compromised by the operating system it sits on top of; basically getting a DOS prompt is up to you (try File Manager if you can).  95 is easier because it is very simple to convince 95 that it should start up into Safe Mode and then creating a shortcut in the StartUp group to your editor and then rebooting the machine (FoolProof doesn't get a chance to load in safe mode). 

JohnWayne 



MISC Method 1 
/////////////// 

1. Launch a process viewing application (for example, Microsoft's pviewer) and kill FoolProof's running VXDs.  Foolproof will now be disabled (although it will be loaded again on the next boot). 

My comments: 
Haven't tried it.  Again, the machines I have been on have had the security as tight as possible.  I don't see running a process viewing application as a plausible option.  But go for it if you want. 


2. To uninstall Foolproof, move all the files from the FoolProof directory (which is '\sss' by default) to a temporary directory.  Be sure to move all the files except the two .VXD files.  On the next boot only the VXDs will be loaded, but Foolproof will be disabled (since the other necessary files will not be in FoolProof's directory).  Now move the FoolProof files back to their original directory, and run Unfool.exe (which is usually located in the Windows directory). 

My comments: 
Haven't tried this either.  Moving files has always been restricted for me too. 


3. The standard version of FoolProof does not block network file access.  So if you have a network (as most schools do) then depending on the configuration of your account and the network itself, there are ways around certain aspects of FoolProof.  For example, if you are using NetWare (4.11 is what this has been tested on) and NAL to manage access to network applications, there is a convenient way to get to browse drives that may be blocked, and to get to the Explorer options menu (file types, view hidden files, etc.).  Open your Server Apps folder (or Applications, or whatever your version of NAL calls it; it is the folder that is created on the desktop by NAL to provide access to NAL applications).  Since the Server Apps folder is actually part of NAL, and therefore considered a network entity, FoolProof won't even attempt to block it.  Once it is open, you can view the Explorer toolbar, or options menu and browse from there.  That is assuming, of course, that they have been blocked on your system. 

My comments: 
The systems I cracked had blocked network access. 


4. Rename the executable you wish to run to a .SCR extension.  FoolProof does not block screen savers, so the executable can now be launched, masquerading as a screen saver. 

My comments: 
This sounds like it might be plausible.  I will try it in the future, but as it stands now, I have not tested this. 


5. Run the executable from a network drive 

My comments: 
I couldn't. 


6. Run Word, and open a shell session using the macro Shell Environ$("COMMAND"). 

My comments: 
Sounds money.  Haven't tried it. 


7. If the workstation is a Novell client, it's possible to hit 'F1' from the login screen, and when the help screen comes up, select the 'File' menu and then 'Open'.  Now you can browse the local drives, and rename FoolProof's directory. 

My comments: 
I didn't work under Novell client, but I am interested to know if this is legit. 


8. If a virus scanning utility is installed, right-click on a folder and select 'Scan for Viruses'.  Now select the 'log' option, and change the location of the log file.  Now you can browse around the local drive, again being able to rename the FoolProof folder. 

My comments: 
This is actually a really good way to go if possible.  I tried it on a computer that was running McAfee.  I went into the log option and then selected the "browse" option to decide where to place the log text.  You can then see things previously hidden by Foolproof.  By hitting F2 while selected on an object, you can rename it.  So go ahead and try to rename the Foolproof directory or files.  My hotkeys (F2) were disabled, but yours may not be. 


9. In any application that has a standard file choosing dialog (usually under the 'File', 'Open' menu), browse to the directory containing the desired application (good examples are c:\windows\explorer.exe or c:\command.com), right click the .exe and choose "Quick View".  The program's icon appears in the upper left hand corner of the window - click it and voila!  Your application is running. 

My comments: 
On the machines I cracked, the C: directory was shadowed, therefore when I went into a program's "open" command, opening something from C: was not an option. 


10. Start a DOS session (by running command.com), and trash the Foolproof VXD file by typing: echo hi> c:\fp95\fpvxd.vxd 
Restart Windows, and a screen will appear saying that c:\fp95\fpvxd.vxd is corrupt.  Hit CTRL+ALT+DELETE and when Windows loads you will be able to choose which mode to boot from.  Select 'safe mode' and you'll be able to uninstall Foolproof (or simply delete the entire Foolproof directory).  Alternatively, when in safe mode, just start a DOS session and type: echo hi> c:\fp95\fplw16.exe.  Now you can restart your computer: Foolproof will be disabled. 

My comments: 
I couldn't run command.com, or open in safe mode.  This might prove difficult.  Also note that this appears to apply to an early version of Foolproof.  I say this because in later versions the Foolproof directory is C:\Sss, not C:\fp95. 


11. Run c:\Windows\System\msconfig.exe or click on Start -> Run -> msconfig.  Now go to the Startup tab, and uncheck everything that says "FoolProof".  Restart, and Foolproof will be disabled. 

My comments: 
Sounds old to me (at least the versions of Foolproof on which this would work).  My "Run" option was gone, and I couldn't run unauthorized .exe's. 


12. Reboot with a Win98 boot disk and select the second option (Start without CD-ROM support), type the command "rename c:\sss\foolstr.exe nfoolstr.exe" where c:\sss is FoolProof's directory, remove the boot disk and restart.  FoolProof should not start and you may get an error message.  Click Start --> Find, and type nfoolstr.exe.  Rename it to "foolstr.exe".  Find the file unfool.exe and run it.  Now do whatever you want! 

My comments: 
I haven't tried this exact method, but I have always found that the first half (using a boot disk) is the best way to get started.  From my experience this looks to be an ideal method as long as you have access to the Foolproof directory (C:\Sss) from DOS. 



MISC Method 2 
/////////////// 

FoolProof Security is a desktop security application for Windows 95/98/ME.  Its purpose is to block users from accessing all programs, except those which are intended by the administrator.  Additionally, it is intended to allow the user to only save files to specific locations (usually the floppy disk drive).  FoolProof Security is usually found in computer labs, or on publicly accessible systems. 

A vulnerability exists in FoolProof Security, in that it restricts certain programs from being executed only by name.  By renaming a restricted program, it can be successfully executed.  This vulnerability can be used to successfully circumvent the security measures put forth by FoolProof, and even remove it entirely from the system. 

The following is an example: 

On a system with FoolProof Security installed, open an MS-DOS shell (usually found in Start Menu -> Programs -> Accessories).  ['COMMAND.EXE' is not restricted by FoolProof.]  At the command prompt issue the 'ftp' command and open a connection to an ftp server to which you have write access.  ['FTP.EXE' is not restricted by FoolProof.]  Upload the restricted program which you wish to run.  [Such as 'deltree', 'xcopy', 'edit', 'fdisk', and 'format'.]  Afterwards, download these programs under a different name.  [Use names other than those of restricted programs.  Names such as 'tmp001a.exe' work.]  You will now be able to use these programs, just as if they were the restricted equivalent. 

Side Note: Although you can use this process to use 'regedit', the 
registry is still locked by FoolProof. 

Solution: 

A quick fix would be the removal of the 'ftp' client (although it will still be possible to download a simple ftp client that will do the same job). 

Additionally, any shortcuts to 'command' should be removed, as this method will not work without it.
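The design flaw behind this advisory, and behind the .SCR trick in item 4 of MISC Method 1, is that the restriction keys on the file name rather than on what the file is. The script below is an added example, not code from the original page or from FoolProof: it runs the same four launch attempts through a deny-by-name policy and through an allow-by-content-hash policy, so the difference is visible on the same input. Both policy classes are toy stand-ins written for this example, and the "program images" are constructed byte strings, not real DOS binaries.

```python
"""Name-based vs content-based program restriction (added example)."""
import hashlib


def sha256_hex(data):
    """Hex SHA-256 of a byte string; the identity a content policy keys on."""
    return hashlib.sha256(data).hexdigest()


class DenyByName:
    """Refuse a launch when the file name is on a deny list (the flawed design)."""

    def __init__(self, denied_names):
        self.denied = {n.lower() for n in denied_names}

    def allows(self, filename, content):
        return filename.lower() not in self.denied


class AllowByHash:
    """Permit a launch only when the file's bytes hash to an approved value."""

    def __init__(self, approved_images):
        self.approved = {sha256_hex(img) for img in approved_images}

    def allows(self, filename, content):
        return sha256_hex(content) in self.approved


# Constructed stand-ins for program images (MZ header plus a marker string).
FDISK_IMAGE = b"MZ\x90\x00constructed-fdisk-image"
NOTEPAD_IMAGE = b"MZ\x90\x00constructed-notepad-image"

# Launch attempts: (file name as presented to the policy, file contents).
REQUESTS = [
    ("FDISK.EXE", FDISK_IMAGE),      # restricted program under its own name
    ("TMP001A.EXE", FDISK_IMAGE),    # same bytes, renamed as in the advisory
    ("FDISK.SCR", FDISK_IMAGE),      # same bytes with a screen-saver extension
    ("NOTEPAD.EXE", NOTEPAD_IMAGE),  # a program the administrator approved
]


def evaluate(policy, requests):
    """Return {file name: allowed?} for each launch attempt under one policy."""
    return {name: policy.allows(name, content) for name, content in requests}


def compare_policies():
    """Run the same launch attempts through both policies."""
    by_name = DenyByName(["fdisk.exe", "format.com", "deltree.exe"])
    by_hash = AllowByHash([NOTEPAD_IMAGE])
    return {
        "deny_by_name": evaluate(by_name, REQUESTS),
        "allow_by_hash": evaluate(by_hash, REQUESTS),
    }


if __name__ == "__main__":
    for policy_name, verdicts in compare_policies().items():
        print(policy_name)
        for name, allowed in verdicts.items():
            print(f"  {name:12} {'allowed' if allowed else 'blocked'}")
```

Under the name policy the renamed and re-extensioned copies sail through; under the hash policy only the approved image runs, whatever it is called. The cost of the second design is operational: every legitimate program update changes the hash and the allow list must be re-keyed, which is the trade-off modern application allow-listing tools make for the same reason.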


GSO
Written on Saturday, 03 October 2009 15:25 by GSO
