help me make sense of this


phonebooth

I've hacked the exe a bit and I think I've removed most of the restrictions, although it's a bit hard to test because I don't have an institution ID.

You can download the new exe here if you trust executables posted on this forum.


Holy crap. Horza, you are awesome. I trusted the file, should I not have? Now it doesn't lock my screen up; I can surf the internet with it open. IMO this is as good as getting the password because that's all I wanted to be able to do in the first place.

thanks man


You might want to look at this nice site I found:

http://www.securiteam.com/windowsntfocus/5DP0X0055G.html

Have fun

Yeah, I saw that, but it doesn't really help in this situation. All it would help you do is log in as someone else if you got on a PC they saved their password on, but he would still have the exact same problem that the machine is locked down and he can't do anything.


If the browser is set to navigate through the school's network or proxy, the password is probably not stored in the program; he is being served with something like a Squid login to the domain, and when he authenticates with the correct password it lets him in.

As for it knowing you're in a VM, I think there are probably ways around it, like not installing vmtools so it can't see the vmtools service in the system.

You mentioned Firefox. Does this browser use Firefox as the base and is customized for the school? Assuming you're running Windows, are there any DLL files attached to the program? Maybe open one of them in something as simple as Notepad and search through the file for plain text words. You can often find things easily with half-assed software that doesn't encrypt them during the compile and is sending open strings of text. Try to search for that hash in the program and see what there is in there.


If the browser is set to navigate through the school's network or proxy, the password is probably not stored in the program; he is being served with something like a Squid login to the domain, and when he authenticates with the correct password it lets him in.

Nope.

As for it knowing you're in a VM, I think there are probably ways around it, like not installing vmtools so it can't see the vmtools service in the system.

Nope. Well, that isn't how VMWare detection is usually done, and plus I had it running in VMWare 5 with VMTools installed anyway, so I have no idea why it wasn't working for him.

You mentioned Firefox. Does this browser use Firefox as the base and is customized for the school?

No, this is professional software by these people. Actually it doesn't identify itself as Firefox, I guess he misread the user agent. It actually identifies itself as IE 6: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)".

Assuming you're running Windows, are there any DLL files attached to the program? Maybe open one of them in something as simple as Notepad and search through the file for plain text words.

There is one DLL, TaskKeyHook.dll from which only 3 functions are imported, all of which are for restricting the system.

You can often find things easily with half-assed software that doesn't encrypt them during the compile and is sending open strings of text. Try to search for that hash in the program and see what there is in there.

Nope, the proctor password is produced by combining the name of the exam and a password selected by the instructor, which he/she gives to the students, which is then hashed (using JavaScript downloaded from the exam HTTP server as far as I can tell).


Now that I am home and looking at it, there are a slew of programs it blocks. Open the LockDown.exe in Notepad and scroll down to see a list of them: everything from Camtasia to Paint, etc. It even looks like it tries to ping dell.com just to see if it will get an internet connection and which sites it blocks. Looks like it will also prompt you, asking if you want it to kill the tasks.

Hell, the only place I would even consider testing the file he posted is in a VM. With all the hooks it puts into the system, it could have a rootkit in it. Haven't checked it for that yet, but I would look to see if you can still get a copy from the Sysinternals site and run it against it. I'm gonna keep playing with it though in the meantime.

Horza, you seem to know a lot about this program. What exactly did you remove from it, and from which file? Or did you recompile the LockDown.exe without all the references to the other programs it was blocking?


Here is something interesting: http://www.respondus4.com/ldbservers/

A list of logs the program creates? Or checks against?

I am guessing, but maybe the names are their user sessions, and the files are their PGP keys?


I replaced most of the evil calls in Lockdown.exe with NOPs using OllyDbg and replaced the part of the program which sets the window to the entire size of the screen to make the window only 800x600 (actually I increased the size of the .text section so the VirtualSize was the same as SizeOfRawData using a hex editor and put the new code in the extra bit at the end because there wasn't enough room to fit it in otherwise).

Also I replaced the list of programs to disallow with a load of null characters using a hex editor. Actually I just realised I uploaded the wrong version earlier in the thread - I have like 10 different versions of the EXE; that version still detects if you have prohibited programs running I think, although it only does it when it first starts up so you can just start the browser first - the proper version is here if you want to look at it. You can compare the original and my version using a hex editor or something to see what I did. Hex Workshop (which I use) has a compare function.

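As an added example (not code from the thread, and not from Respondus), here is a small Python parser for the PE section table that reports the slack the post above is talking about: the bytes between a section's VirtualSize and its file-aligned SizeOfRawData. Raising a code section's VirtualSize to equal SizeOfRawData, as described, leaves a code section with zero slack, which compiler output normally does not have; the check below flags that as a tamper heuristic (not proof) on two constructed headers that mirror the before and after of that edit.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020  # section Characteristics flag: contains code

def parse_sections(data):
    """Return [(name, VirtualSize, SizeOfRawData, Characteristics)] from a PE file's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]          # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]     # COFF SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                                # section table follows the optional header
    out = []
    for i in range(nsec):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        name, vsize, rawsize, chars = fields[0], fields[1], fields[3], fields[9]
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rawsize, chars))
    return out

def section_slack(data):
    """Per section: bytes present on disk but not mapped at load time (SizeOfRawData - VirtualSize)."""
    return {name: rawsize - vsize for name, vsize, rawsize, _ in parse_sections(data)}

def fully_mapped_code_sections(data):
    """Code sections whose VirtualSize equals SizeOfRawData exactly. Linkers usually leave the
    file-alignment padding unmapped, so a zero-slack code section is worth a closer look
    (compare the file's hash against a known-good copy); it is a heuristic, not proof."""
    return [name for name, vsize, rawsize, chars in parse_sections(data)
            if chars & IMAGE_SCN_CNT_CODE and vsize == rawsize]

def build_pe(sections):
    """Construct a minimal PE header (not a runnable program) for the given
    (name, VirtualSize, SizeOfRawData, Characteristics) tuples; test input only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # PE header immediately after the DOS header
    opt = bytes(224)                                   # PE32 optional header; contents unused here
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), v, 0x1000 * (i + 1), r, 0x400, 0, 0, 0, 0, c)
        for i, (n, v, r, c) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + opt + table

# Constructed samples: a linker-style layout, and the same layout after .text's VirtualSize
# has been raised to its SizeOfRawData so the padding becomes mapped, as the post describes.
ORIGINAL = build_pe([(".text", 0x1234, 0x1400, 0x60000020), (".data", 0x200, 0x200, 0xC0000040)])
PATCHED = build_pe([(".text", 0x1400, 0x1400, 0x60000020), (".data", 0x200, 0x200, 0xC0000040)])
```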

OK. In the Lockdown.exe program there is a string "876543216". Now, on this site there is a file: http://www.respondus4.com/ldbservers/logs/...primary-log.csv

which contains the string. There are several other .csv files in this logs directory, but that specific one has the same string from the exe file posted in the zip. Anyone have an idea on what the relationship might be?

The exe file lists the following:

Proxy Server in use:  Yes No
Connection type:  LAN Modem  Other  876543216  /ldbservers/  %s%s.txt
Connection for Server Settings:
Connecting to www.Respondus.com ...  www.respondus.com  OK  failed (%d / %d)  Connection to www.Respondus.com  timed out  Connection to www.Respondus.com timed out - blocked?  .
Connecting to www.Respondus4.com ...  www.respondus4.com  OK  failed (%d / %d)  Connection to www.Respondus4.com  timed out  Connection to www.Respondus4.com timed out - blocked?  .
Connecting to Dell.com (blocking check) ...  /  www.dell.com  OK  failed (%d / %d)  Connection to Dell.com  timed out  Connection to Dell.com timed out - blocked?  .
Process list:
 %s
Network Tests Complete - %d Error(s).  http://www.respondus.com/browser/ie.pl  iexplore.exe  Error launching Internet Explorer.  Please wait for tests to finish  Please run the Network Connection tests first  Respondus LockDown Browser Diagnostics

I think it is dialing home and creates a log with the program's ID "876543216"???

There is also some info in there which will prompt you to check for a new version of the program and telling you that the license may be expired, etc...


876543216 is the institution ID. It says Institution ID right there at the top of the CSV file. (Don't know if it's the default one or what though.)

Edit: I've tried running the program with that institution ID and it seems to be a test institution or something; it has a lot of e-learning systems with "test" or "demo" in their name to choose from.


I think it is the login ID like you said, but also the MAC address of the actual PC that logged in. Space it out into 6 pairs; it looks like a NIC card's MAC address.

LogDate, InstitutionId, PcId

"2006-01-25 02:21:35","876543216","0030bd635cb9"

0030bd635cb9 could be 00:30:bd:63:5c:b9


Wow, this software is a bitch, what a load of f*cked up shit!!!

Christ, WTF??...

I can't get my head around this; your sys admin must really hate you guys...

If ours would do that I'd crash the school server and while he's fixing it strangle him with some Cat5 tbh....


Uh, yeah, that's what I meant when I said "I've tried running the program with that institution ID and it seems to be a test institution or something, it has a lot e-learning systems with "test" or "demo" in their name to choose from.".

Edit: You can enter numbers anyway if you use the 1-0 keys above the letters on your keyboard. Or just use my version of the EXE with the restrictions removed.


Uh, yeah, that's what I meant when I said "I've tried running the program with that institution ID and it seems to be a test institution or something, it has a lot e-learning systems with "test" or "demo" in their name to choose from.".

Edit: You can enter numbers anyway if you use the 1-0 keys above the letters on your keyboard. Or just use my version of the EXE with the restrictions removed.

Sorry, didn't see that you edited your previous post.

Also, when I try to run it, it disables ALL number keys. I am using the original zip file he pointed to in his post, not yours.

One thing I noticed is the keys in the registry for the program. Maybe at his school he can get on one of the PCs that has the program but isn't running and see what the keys are and compare them. Maybe one of the instructors or someone has access with something stored in the reg to unlock the password in the program.


What password?

When you click the help button (the big I) you get a pop-up and a prompt for a password.

I have to use this special web browser that locks down my entire computer when I work on stuff for my online classes, and it's really annoying. I have realized that the only reason it has to be used is because there is a password built into the browser that the website requests, and you can't continue without it. Any ideas on finding it?

I tried to capture packets (from another computer; you can't run password sniffers or packet capturing software with the browser running, there is a list at least 30 pages long of things that can't be running, including Paint). I also tried Cain, but it only captures my password and not the second automatic password.

Anyway, here is a cookie that was captured by Ethereal:

Cookie:lol=username%3Dheck.no%26password%3DtCr2DZDAbqWZo

%26expiry%3D1175033745

%26hash%3D52770e1a5f700cd6f020f815217c4dc9....

proctor=0d9ad48b34cd08911339.

I'm hoping that the 3DtCr2DZDAbqWZo or the D52770e1a5f700cd6f020f815217c4dc9 is a password hash, which would make 0d9ad48b34cd08911339 the hash of the automatic password. Or am I completely wrong and those are just session IDs or something else? If they are hashes, does anyone recognize the hash?

Does by any chance the login contain a SS#?

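As an added example (not from the thread or from the software it discusses), a short Python audit of the Cookie header posted above, looking at it from the application's side: the cookie carries a username, a password-derived value, a readable expiry and two hex digests, all of which the client and anyone on the path can read. The sample is the posted header with the trailing "...." dropped (assumed to be the poster's truncation marker); the field-name list and the findings wording are this example's own.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, unquote

# Constructed sample: the Cookie header as quoted in the thread, minus the "...." truncation.
COOKIE_HEADER = (
    "lol=username%3Dheck.no%26password%3DtCr2DZDAbqWZo%26expiry%3D1175033745"
    "%26hash%3D52770e1a5f700cd6f020f815217c4dc9; proctor=0d9ad48b34cd08911339"
)

CREDENTIAL_KEYS = {"password", "passwd", "pwd", "secret", "token", "hash"}  # assumed list
HEX = set("0123456789abcdef")

def parse_cookie_header(header):
    """Split a Cookie header into {name: raw_value}; raw values stay percent-encoded."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out

def unpack_value(raw):
    """Percent-decode a cookie value and, when it is itself a query string
    (as 'lol' is here), unpack it into its own fields; otherwise key it as ''."""
    text = unquote(raw)
    if "=" in text:
        return {k: v[0] for k, v in parse_qs(text, keep_blank_values=True).items()}
    return {"": text}

def expiry_utc(epoch_text):
    """Render an epoch-seconds expiry field as an ISO 8601 UTC timestamp."""
    return datetime.fromtimestamp(int(epoch_text), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def audit_cookie(header):
    """Return (cookie, field, finding) triples describing what the cookie exposes
    to anyone who can read it in transit or on disk."""
    findings = []
    for cookie, raw in parse_cookie_header(header).items():
        for field, value in unpack_value(raw).items():
            if field.lower() in CREDENTIAL_KEYS:
                findings.append((cookie, field, "credential-like field stored client-side"))
            if field.lower() == "expiry" and value.isdigit():
                findings.append((cookie, field, f"expiry kept in the cookie (client-modifiable unless signed), {expiry_utc(value)}"))
            if len(value) >= 16 and set(value.lower()) <= HEX:
                findings.append((cookie, field, f"{len(value)}-char hex digest; confirm it is not a bare, unsalted hash"))
    return findings

if __name__ == "__main__":
    for cookie, field, note in audit_cookie(COOKIE_HEADER):
        print(f"{cookie}[{field or '-'}]: {note}")
```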

1 year later...

Hey, I also have the same problem. Can you host that exe file that you hacked a year ago? I can get you the file so you can remove the restrictions. It's that stupid program "Respondus Lockdown Browser".

The EXE I downloaded for the online class is here.

Check out the reverse engineering segments.

