Cracking At Ease 3.0 In this article, I will try to explain the basic way At Ease works. I hope this is of use to sysops and admins who have forgotten their passwords, or simply want to learn more about their security program. First off, this program is solely for Macintosh, if you run a PC-based network you don’t really need to read on, although you are perfectly welcome to. The Architecture of At Ease What the program basically does is this: it fools (or instructs it to be fooled, whatever) your Macintosh into thinking that it is the Finder, or in essence replaces it. At startup the At Ease extension tells the computer to not start up with the Finder and instead bring up the At Ease login sequence, or the body of At ease. From there you have several to no choices, depending on the administrator. Each choice is an identity to login under, each identity is either assigned to the At Ease OS (as I like to call it) or goes directly to the Finder. If the identity (we’ll call them users... because they are!) is assigned to the At Ease OS it is also assigned a set of applications and documents, told whether or not you can save to the hard disk, where you can save on the hard disk, how many Apple Menu items you can have, and so on. One of the many things I dislike about At Ease is that even if you are in the Finder, At Ease is still looming there, in the file menu waiting to suck you in again. However, a good thing about it (a slight flaw, probably intentional) is once you’re in the Finder, you have access to EVERYTHING in it, including At Ease. I’ll talk more about what to do once in the Finder later. The Glitch Now that we’ve become familiar with the system, let’s examine it for weaknesses. A little toying around, reveals that HyperCard allows you to launch programs from within. A little more snooping and we find that At Ease actually lets you launch applications directly from disks! So what, you may ask, I can run Brickles from a disk how the heck does that get me out of At Ease? Simple. The Finder is actually an application in disguise. it covers its self up by telling us it is a FNDR, not an APPL (application). Wrong, the Finder may say it’s unique but it’s only unique in name. The System treats it just like any other Application. A rose by any other name... So we fix this by changing the type to: APPL. Now we are just about ready to copy it to a floppy and try it out. we’ve changed the type, but the creator is still MACS. That poses a problem, there isn’t one Application I know of that has a MACS creator. This means simply enough, the macintosh will not know how to handle it and may end up crashing. This is bad. So lets fix the problem, what creator can we use that generally is thought of as a generic application? what about HyperCard? You can make custom apps in that. Let’s see, open a custom app in HyperCard and the creator is WILD. How fitting,that’s exactly what we want. So, now we open up (a duplicate of course) the Finder in ResEdit another program like it and choose get file info. The window lets us change FNDR, MACS to APPL, WILD. Now we quit, save, and copy the finished product onto a disk*. Let’s test it out, go to At Ease if you have it installed and launch a User that is in the At Ease OS. Once you are in insert the disk you copied your hacked version of the Finder to and wait for it to appear on the screen (it should be it’s own folder and tab). If the program shows up in the screen good job! You’re all done, and ready to freely enter the Finder by simply clicking on the hacked Finder! Before you use it on any of your other computers though, check for the version number of its At Ease. If it is different and it doesn’t show up follow Plan B. Plan B. On some older versions of At Ease, the type of app you made isn’t openable by At Ease. So now you need to create a HyperCard stack to launch it. 1. Enter HyperCard and create a new stack. 2. Choose new button from the object menu. 3. Double click on it to bring up it’s info window. 4. If you have version 2.3 or up of HyperCard follow this step, otherwise skip it. Click the “tasks” button at the bottom of the window. Once there click on the icon that looks like a generic App. Click “Choose App” or something of the like in the widow at the right. Choose your altered Finder. 5. If you have a lesser ver⁄sion than 2.4 that doesn’t have a “tasks” button at the bottom of the window follow this step, if not skip it. Click “script” at the bottom of the window. When you have entered the scripting area you should see something like this: on mouseUp | end mouseUp (the | is representing the insertion point) Say your hacked Finder is named “ƒinder” then you would write, where the insertion point is blinking: open “ƒinder” Your script should now look like this: on mouseUp open “ƒinder”| end mouseUp (again the | is the insertion point) Close, and save. 6. After choosing the browser tool click on the button you just made. You should probably see a file window saying “Where is ‘ƒinder’?” if it is there open it, and you are done! If it isn’t follow plan C: Plan C. If none of the above methods work here are a couple of tricks to get you out of At Ease. Be warned, these kraks probably only work on older versions of At Ease because the back doors mentioned were sealed up in the new versions (3.0-4.0 about). Method #1: Force Quit. On very old versions of At Ease you can simply Force-Quit the program. The way you force quit is: command-control-esc. Method #2: Exit to the debugger. This method usually incorporates apples standard debugger which is a simple dialog box with a > symbol. If you are lucky this method will jump you into MacsBug and you will see a large white screen filled with lines of code and a small text-area at the bottom. The way you exit to the debugger on anything except certain types of SE’s and Classics is this: command-restartkey -or- cammand-powerkey whatever you want to call it. On the SE and some Classics there will be button on the side or in the front with a > under it. Push that to exit to the debugger. Once you are in type: "G FINDER". (Without quotes) If you miraculously jump to MacsBug, type: es Or if you want to get back to At Ease for some reason: g Method #3: Find File. I have never witnessed this work, but I am told it does. What you do is you do a find file on something in the system folder like: Finder, at ease blah blah blah. If you have the 7.5 find file you can simply double click on the system folder, drag at ease out, and restart. Method #4: Boot from an external. This is a fool-proof way of exiting At Ease, but it takes a considerable amount of time. All you do is stick in the disk you got with your comp. Either a floppy disk that says: Disk Tools on it, or a CD that says system software version 7.X.X. If you are using the CD hold down the “c” key when you start up. The floppy should boot on it s own if you restart with it in. Once in the Finder go to the system folder, open the “At Ease” folder, then drag the file called “At Ease Preferences” to the trash. Now, go into the At Ease setup and create a new user for yourself that quits to the Finder, turn on at ease, and create a new administrators password. It’s that easy! However, this method takes a while (you have to reboot) and it is very obvious. How to fix these problems If any of the command-key or debugger methods worked, I would recommend updating your version of At Ease, as these problems are fixed in newer releases. To prevent troublemakers from inserting a disk with the hacked Finder on it, I recommend an extension called “Disk Ejector 1.0”. This is a wonderful extension that immediately spits out a disk once it is inserted. This would work well if you are in a crowded office setting and can’t keep an eye on every machine. I don’t think this works with CDs so the only remedy for that is to keep a watchful eye for troublemakers. I hope this document is useful to Administrators and Hackers, Crackers, the Average Joe, and etc. Just remember, the best security is no security†! * In an additional article I might explain how to put a “Quit” feature on the Finder, to fully render it as an application. Look for Bad ease at The Syndicte! † Jeez, who is gonna try to crash a system that has a special feature made just for crashing itself? Where’s the fun in that? Red D Karateguy