Sparda Posted March 28, 2007
Have you tried running this thing as a limited user? Or even as a different user that also has administrator access. You could also try running TeaTimer when you run it and deny every registry change.
Shaun Posted March 29, 2007
I've hacked the exe a bit and I think I've removed most of the restrictions, although it's a bit hard to test because I don't have an institution ID. You can download the new exe here if you trust executables posted on this forum.
ShadowHax Posted March 29, 2007
You might want to look at this nice site I found: http://www.securiteam.com/windowsntfocus/5DP0X0055G.html Have fun
phonebooth Posted March 29, 2007 (Author)
Holy crap. Horza, you are awesome. I trusted the file, should I not have? Now it doesn't lock my screen up; I can surf the internet with it open. IMO this is as good as getting the password because that's all I wanted to be able to do in the first place. Thanks man.
Shaun Posted March 29, 2007
No, you should, since I made the EXE myself, but for all you knew I could have infected it with a virus or something.
Shaun Posted March 29, 2007
> You might want to look at this nice site I found: http://www.securiteam.com/windowsntfocus/5DP0X0055G.html Have fun

Yeah, I saw that, but it doesn't really help in this situation. All it would help you do is log in as someone else if you got on a PC they saved their password on, but he would still have the exact same problem that the machine is locked down and he can't do anything.
digip Posted April 3, 2007
If the browser is set to navigate through the school's network or proxy, the password is probably not stored in the program; he is being served with something like a Squid login to the domain, and when he authenticates with the correct password it lets him in.

As for it knowing you're in a VM, I think there are probably ways around it, like not installing VMware Tools so it can't see the vmtools service in the system.

You mentioned Firefox. Does this browser use Firefox as the base and is customized for the school?

Assuming you're running Windows, are there any DLL files attached to the program? Maybe open one of them in something as simple as Notepad and search through the file for plain-text words. You often find things easily with half-assed software that doesn't encrypt them during the compile and is sending open strings of text. Try to search for that hash in the program and see what there is in there.
Shaun Posted April 3, 2007
> If the browser is set to navigate through the school's network or proxy, the password is probably not stored in the program; he is being served with something like a Squid login to the domain, and when he authenticates with the correct password it lets him in.

Nope.

> As for it knowing you're in a VM, I think there are probably ways around it, like not installing VMware Tools so it can't see the vmtools service in the system.

Nope. Well, that isn't how VMware detection is usually done, and plus I had it running in VMware 5 with VMware Tools installed anyway, so I have no idea why it wasn't working for him.

> You mentioned Firefox. Does this browser use Firefox as the base and is customized for the school?

No, this is professional software by these people. Actually it doesn't identify itself as Firefox; I guess he misread the user agent. It actually identifies itself as IE 6: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)".

> Assuming you're running Windows, are there any DLL files attached to the program? Maybe open one of them in something as simple as Notepad and search through the file for plain-text words.

There is one DLL, TaskKeyHook.dll, from which only 3 functions are imported, all of which are for restricting the system.

> You often find things easily with half-assed software that doesn't encrypt them during the compile and is sending open strings of text. Try to search for that hash in the program and see what there is in there.

Nope. The proctor password is produced by combining the name of the exam and a password selected by the instructor, which he/she gives to the students, which is then hashed (using JavaScript downloaded from the exam HTTP server, as far as I can tell).
digip Posted April 3, 2007
Now that I am home and looking at it, there are a slew of programs it blocks. Open the LockDown.exe in Notepad and scroll down to see a list of them. Everything from Camtasia to Paint, etc. It even looks like it tries to ping dell.com just to see if it will get an internet connection, and which sites it blocks. Looks like it will also prompt you, asking if you want it to kill the tasks.

Hell, the only place I would even consider testing the file he posted is in a VM. With all the hooks it puts into the system, it could have a rootkit in it. Haven't checked it for that yet, but I would look to see if you can still get a copy from the Sysinternals site and run it against it. I'm gonna keep playing with it though in the meantime.

Horza, you seem to know a lot about this program. What exactly did you remove from it, and from which file? Or did you recompile the LockDown.exe without all the references to the other programs it was blocking?
digip Posted April 3, 2007
Here is something interesting: http://www.respondus4.com/ldbservers/ A list of logs the program creates? Or checks against, I am guessing, but maybe the names are their user sessions, and the files are their PGP keys?
Shaun Posted April 3, 2007
I replaced most of the evil calls in Lockdown.exe with NOPs using OllyDbg and replaced the part of the program which sets the window to the entire size of the screen to make the window only 800x600 (actually I increased the size of the .text section so the VirtualSize was the same as SizeOfRawData using a hex editor and put the new code in the extra bit at the end because there wasn't enough room to fit it in otherwise). Also I replaced the list of programs to disallow with a load of null characters using a hex editor.

Actually I just realised I uploaded the wrong version earlier in the thread. I have like 10 different versions of the EXE; that version still detects if you have prohibited programs running, I think, although it only does it when it first starts up so you can just start the browser first. The proper version is here if you want to look at it. You can compare the original and my version using a hex editor or something to see what I did. Hex Workshop (which I use) has a compare function.
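The section-table change described in the post above (VirtualSize raised to equal SizeOfRawData so that the alignment padding can hold new code) is exactly the kind of thing an administrator can check for when verifying that a LockDown Browser binary on a lab machine still matches the vendor's build. The script below is an added example, not code from this thread or from Respondus; it parses the PE section table directly and compares a known-good copy with a candidate. The two images it inspects are constructed fixtures (headers only) with made-up section sizes.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PtrToRelocs, PtrToLinenums, NumRelocs, NumLinenums, Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def parse_sections(image):
    """DOS header -> PE signature -> COFF header -> section table; returns
    [(name, VirtualSize, SizeOfRawData), ...]."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        f = SECTION_HEADER.unpack_from(image, table + i * SECTION_HEADER.size)
        sections.append((f[0].rstrip(b"\0").decode("ascii", "replace"), f[1], f[3]))
    return sections


def section_slack(image):
    """File padding after each section's real contents (SizeOfRawData - VirtualSize).
    Raising VirtualSize to claim that space, as in the thread, makes the slack vanish."""
    return {n: raw - vs for n, vs, raw in parse_sections(image) if raw > vs}


def diff_section_tables(known_good, candidate):
    """{name: ((VirtualSize, SizeOfRawData) in known_good, same in candidate)} for
    every section whose sizes differ or that exists in only one image."""
    a = {n: (vs, raw) for n, vs, raw in parse_sections(known_good)}
    b = {n: (vs, raw) for n, vs, raw in parse_sections(candidate)}
    return {n: (a.get(n), b.get(n)) for n in a.keys() | b.keys() if a.get(n) != b.get(n)}


def build_minimal_pe(sections):
    """Constructed fixture: MZ stub, PE signature, COFF header, zeroed PE32 optional header
    and the given (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) rows."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)      # e_lfanew at offset 0x3C
    optional = bytes(0xE0)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(optional), 0x102)
    table = b"".join(SECTION_HEADER.pack(n.ljust(8, b"\0"), vs, va, raw, ptr, 0, 0, 0, 0, 0x60000020)
                     for n, vs, va, raw, ptr in sections)
    return dos + b"PE\0\0" + coff + optional + table


# Constructed sizes: original .text has 0x1CC bytes of padding; patched copy has VirtualSize == SizeOfRawData.
ORIGINAL = build_minimal_pe([(b".text", 0x1234, 0x1000, 0x1400, 0x400), (b".rdata", 0x800, 0x3000, 0x800, 0x1800)])
PATCHED = build_minimal_pe([(b".text", 0x1400, 0x1000, 0x1400, 0x400), (b".rdata", 0x800, 0x3000, 0x800, 0x1800)])
```

On a real file, read both executables with `open(path, "rb").read()` and pass them to `diff_section_tables`; a section whose VirtualSize grew to fill its raw size while the file hash no longer matches the vendor's is worth a closer look.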
digip Posted April 3, 2007
OK. In the Lockdown.exe program there is a string "876543216". Now, on this site there is a file: http://www.respondus4.com/ldbservers/logs/...primary-log.csv which contains the string. There are several other .csv files in this logs directory, but that specific one has the same string from the exe file posted in the zip. Anyone have an idea on what the relationship might be? The exe file lists the following:

    Proxy Server in use:
    Yes No
    Connection type:
    LAN Modem
    Other
    876543216
    /ldbservers/
    %s%s.txt
    Connection for Server Settings: Connecting to www.Respondus.com ...
    www.respondus.com
    OK
    failed (%d / %d)
    Connection to www.Respondus.com
    timed out
    Connection to www.Respondus.com timed out - blocked?
    .
    Connecting to www.Respondus4.com ...
    www.respondus4.com
    OK
    failed (%d / %d)
    Connection to www.Respondus4.com
    timed out
    Connection to www.Respondus4.com timed out - blocked?
    .
    Connecting to Dell.com (blocking check) ...
    /
    www.dell.com
    OK
    failed (%d / %d)
    Connection to Dell.com
    timed out
    Connection to Dell.com timed out - blocked?
    .
    Process list: %s
    Network Tests Complete - %d Error(s).
    http://www.respondus.com/browser/ie.pl
    iexplore.exe
    Error launching Internet Explorer.
    Please wait for tests to finish
    Please run the Network Connection tests first
    Respondus LockDown Browser Diagnostics

I think it is dialing home and creates a log with the program's ID "876543216"??? There is also some info in there which will prompt you to check for a new version of the program and tell you that the license may be expired, etc.
Shaun Posted April 3, 2007
876543216 is the institution ID. It says Institution ID right there at the top of the CSV file. (Don't know if it's the default one or what though.)

Edit: I've tried running the program with that institution ID and it seems to be a test institution or something; it has a lot of e-learning systems with "test" or "demo" in their name to choose from.
digip Posted April 3, 2007
I think it is the login ID like you said, but also the MAC address of the actual PC that logged in. Space it out into 6 pairs and it looks like a NIC card's MAC address.

    LogDate, InstitutionId, PcId
    "2006-01-25 02:21:35","876543216","0030bd635cb9"

0030bd635cb9 could be 00:30:bd:63:5c:b9
DLSS Posted April 3, 2007
Wow, this software is a bitch, what a load of f*cked up shit!!! Christ, WTF?? .... I can't get my head around this. Your sysadmin must really hate you guys... if ours would do that I'd crash the school server and while he's fixing it strangle him with some Cat5 tbh....
digip Posted April 3, 2007
--edit--
Shaun Posted April 3, 2007
Uh, yeah, that's what I meant when I said "I've tried running the program with that institution ID and it seems to be a test institution or something; it has a lot of e-learning systems with "test" or "demo" in their name to choose from."

Edit: You can enter numbers anyway if you use the 1-0 keys above the letters on your keyboard. Or just use my version of the EXE with the restrictions removed.
digip Posted April 3, 2007
> Uh, yeah, that's what I meant when I said "I've tried running the program with that institution ID and it seems to be a test institution or something; it has a lot of e-learning systems with "test" or "demo" in their name to choose from."
> Edit: You can enter numbers anyway if you use the 1-0 keys above the letters on your keyboard. Or just use my version of the EXE with the restrictions removed.

Sorry, didn't see that you edited your previous post. Also, when I try to run it, it disables ALL number keys. I am using the original zip file he pointed to in his post, not yours.

One thing I noticed is the keys in the registry for the program. Maybe at his school he can get on one of the PCs that has the program but isn't running and see what the keys are and compare them. Maybe one of the instructors or someone has access with something stored in the registry to unlock the password in the program.
Shaun Posted April 3, 2007
What password?
digip Posted April 3, 2007
> What password?

When you click the help button (the big I) you get a pop-up and a prompt for a password.
digip Posted April 4, 2007
> I have to use this special web browser that locks down my entire computer when I work on stuff for my online classes and it's really annoying. I have realized that the only reason it has to be used is because there is a password built into the browser that the website requests and you can't continue without it. Any ideas on finding it? I tried to capture packets (from another computer; you can't run password sniffers or packet capturing software with the browser running, there is a list at least 30 pages long of things that can't be running, including Paint). I also tried Cain but it only captures my password and not the second automatic password. Anyway, here is a cookie that was captured by Ethereal:
>
> Cookie:lol=username%3Dheck.no%26password%3DtCr2DZDAbqWZo %26expiry%3D1175033745 %26hash%3D52770e1a5f700cd6f020f815217c4dc9.... proctor=0d9ad48b34cd08911339.
>
> I'm hoping that the 3DtCr2DZDAbqWZo or the D52770e1a5f700cd6f020f815217c4dc9 is a password hash, which would make 0d9ad48b34cd08911339 the hash of the automatic password. Or am I completely wrong and those are just session IDs or something else? If they are hashes, does anyone recognize the hash?

Does the login by any chance contain a SS#?
-dark-phaze- Posted September 21, 2008
Hey, I also have the same problem. Can you host that exe file that you hacked a year ago? I can get you the file so you can remove the restrictions. It's that stupid program "Respondus Lockdown Browser". The EXE I downloaded for the online class is here.
Sparda Posted September 21, 2008
> Hey, I also have the same problem. Can you host that exe file that you hacked a year ago? I can get you the file so you can remove the restrictions. It's that stupid program "Respondus Lockdown Browser". The EXE I downloaded for the online class is here.

Check out the reverse engineering segments.
-dark-phaze- Posted September 21, 2008
> Check out the reverse engineering segments.

What I'm saying is, can anyone re-upload the file? The URL is dead and I can't download the reverse engineering app.
Sparda Posted September 21, 2008
> What I'm saying is, can anyone re-upload the file? The URL is dead and I can't download the reverse engineering app.

Have you tried running it in a VM?