Respondus LockDown Browser


The Respondus LockDown Browser is an application designed to “lock down” a system for the duration of an exam. It claims to display a full-screen browser that cannot be minimized, prevents task switching, stops “over 400 screen capture, messaging, screen-sharing and network monitoring applications” from running, blocks external links to avoid compromising the “locked testing environment”, and so forth. The application is intended to (1) stop students from accessing external material while taking the exam, (2) stop students from recording the examination questions, and (3) stop students from communicating with others – all in an effort to stop cheating.

I learned about this application over the weekend when an online exam for a class I am taking this semester required its use. I was quite annoyed to learn it did not have a Linux client and relied on Internet Explorer. Using Linux as my primary OS, I naturally loaded it into a VMWare copy of Windows XP, only to discover it refuses to run in a virtual machine. Not wanting to go all the way to campus to take the exam, I fired up IDAPro and decided to take a look at the VM detection mechanisms – needless to say I was unimpressed.

(Screenshot: VirtualMachineErrorString)

First I searched for the error message I received when I tried running LockDown in VMWare. I found it here, showing its address as 0x49BE08. I note this for later.

(Screenshot: VMWareStrings)

Wondering about the detection mechanism, I next searched for strings containing “VMWare”. Notice that these strings are all located near each other in the data section, which made me suspect an array of device information that the LockDown browser searches for. They are located near 0x4988F8.

(Screenshot: VirtualMachineErrorString_Location)

Here at 0x49BE08 we find the error string. Using IDAPro we can examine which areas of the program reference this location.

(Screenshot: VirtualMachineErrorString_ReferencingSubroutine)

The error string we are interested in is only referenced one time by a subroutine at 0x40AC25. We navigate to this area to analyze it further.

(Screenshot: VirtualMachineErrorString_ReferencingSubroutine_code)

Here is the beginning of the referencing subroutine. We scan down the instructions looking for where it jumps to the kill (error and exit) section.

(Screenshot: VirtualMachineErrorString_Referenced)

Here at 0x40AEEB the address of the error string is pushed onto the stack before a call to another subroutine. Without analyzing too deeply we can guess that the call displays the error before exiting. Let’s look up a little to see how we get to this section of code.
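To make the cross-reference step concrete, here is an added Python script (not part of the original post, and not Respondus code) that locates a NUL-terminated string in a flat 32-bit image and then scans for `push imm32` instructions carrying its address, which is the pattern behind the 0x49BE08 reference found at 0x40AEEB above. The image bytes and the error text are constructed for the example, and the image base 0x400000 is an assumption.

```python
import struct

IMAGE_BASE = 0x400000  # assumed: default image base of a 32-bit Windows executable


def find_string_va(image: bytes, text: bytes, base: int = IMAGE_BASE) -> int:
    """Return the virtual address of the first NUL-terminated copy of `text`."""
    off = image.find(text + b"\x00")
    if off < 0:
        raise ValueError("string not present in image")
    return base + off


def find_push_xrefs(image: bytes, target_va: int, base: int = IMAGE_BASE) -> list[int]:
    """Find every 'push imm32' (opcode 0x68) whose immediate equals target_va.

    A raw byte scan can also match the same five bytes inside data, which is
    why a disassembler's cross-references (built from decoded code) are more
    reliable; for illustrating the idea the scan is enough.
    """
    pattern = b"\x68" + struct.pack("<I", target_va)
    xrefs, start = [], 0
    while (off := image.find(pattern, start)) >= 0:
        xrefs.append(base + off)
        start = off + 1
    return xrefs


# Constructed sample image: the error text sits where the post found it
# (0x49BE08) and a 'push 0x49BE08 ; call rel32' pair sits at 0x40AEEB.
SAMPLE_TEXT = b"cannot run inside a virtual machine"  # constructed, not the real message


def build_sample_image(base: int = IMAGE_BASE) -> bytes:
    img = bytearray(0x9C000)
    s = 0x49BE08 - base
    img[s:s + len(SAMPLE_TEXT) + 1] = SAMPLE_TEXT + b"\x00"
    code = b"\x68" + struct.pack("<I", 0x49BE08) + b"\xe8\x00\x00\x00\x00"
    c = 0x40AEEB - base
    img[c:c + len(code)] = code
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    va = find_string_va(img, SAMPLE_TEXT)
    print(f"string at {va:#x}, pushed by code at {[hex(x) for x in find_push_xrefs(img, va)]}")
```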

(Screenshot: VMTest)

Here at 0x40AEBD and 0x40AECB we find two Jump on Not Zero (jnz, opcode 0x75) instructions which jump to the section of code that generates our error. We can assume, therefore, that the subroutines and tests performed before them decide whether a VM is absent (zero result) or present (non-zero result). Take note of 0x40AEDB: this instruction jumps over the kill section to what looks like another test. Let’s clean up the labels a little before we plan our attack.

(Screenshot: VMTest_Renamed)

So now we have what seem to be two tests looking for virtualization, an “exit if VM found” section, and a PostVMTest section testing for other things. We saw earlier what looked like VMWare device names in what seemed to be an array, which indicates LockDown is likely relying on known VM device names as its detection mechanism. There are more complicated detection methods out there (see all the research on detecting Blue Pill for details), but all indications are that none of these more advanced techniques are used in LockDown.

(Screenshot: OllyDbg)

Next I switch to OllyDbg to edit the jump instructions. There are a lot of possible ways to defeat the virtualization detection (mangling the device info strings might work, for example), but I instead chose a more elegant solution. Instead of stopping the detection, I alter the jnz targets to point at the next test, the one that’s jumped to by the last jz instruction. The jnz will now jump to 0x40AF1C instead of 0x40AEDB. The virtualization is still detected, but the error/exit section is never reached.

This video is recorded in VMWare. It shows me opening the LockDown browser and getting the error message, then editing the executable, resaving it, and launching the modified version. The modified browser launches and brings me to UNO’s blackboard login page ready to take my exam. Half an hour of poking around and changing 2 bytes of data saved me a trip to campus and exposed the LockDown browser as a joke. Once in a virtual environment everything they claimed to prevent is null and void.

What’s the moral of the story? First, if you don’t provide a Linux version and you refuse to work in a virtual machine, someone is going to break your flimsy protections to make it work. Second, don’t post this on your website:

“Hacker Tested, Market Approved – Hundreds of universities and schools around the world use Respondus LockDown Browser. It seems that at least one person (or team) at each institution makes it a quest to “break out” or beat the system. Some of the best minds have taken our software to task over the years, and we’ve addressed each issue that’s been raised. (Yes, you have our blessing…go ahead and see if you can break it.)” http://www.respondus.com/update/2009-1-b.shtml

I give this product a resounding FAIL.

Posted in Computer Science, Hacks, Cracks, and Attacks
6 comments on “Respondus LockDown Browser”
  1. David says:

    Hey, this stuff is great! I recently signed up for a course in which I am required to use this shitty browser, but I’m not that familiar with doing all the stuff you just did. Do you mind sharing your modified version of the program?

  2. Brian says:

    Thank you for reading it, it is always nice to know someone is getting something out of my writing. Unfortunately my work is for research purposes only and because I am a strong proponent of academic honesty I do not provide modified clients for general consumption, only for proof of concept with other researchers. Even if I was not bound ethically, the client is going to have information specific to your university so the client for my university would not work for you. I do, however, strongly oppose the use of this type of software due to its ineffective nature and the difficulty it presents for Linux users – feel free to forward this page to your instructor as it may prove informative for him or her.

  3. Joey Glass says:

    I can’t get it to run properly on Win7. It will open, but it freezes half the time, and it kills my start menu. It won’t come back up after I close it. I’m a 4th semester programming student. What do you think about a Firefox plugin to change FF to report itself as being Respondus?

  4. Brian says:

    I have not examined how respondus interacts specifically with IE mainly because my issue was getting it to run in a VM plus some other poking around for a presentation on how terrible it is. I’m not sure how blackboard identifies respondus is running – if you could sniff the respondus-to-blackboard communication (probably from memory since most blackboard setups are SSL) you should be able to construct a firefox plugin to emulate the appropriate response. I have some further information I didn’t get around to posting on how to get firefox and other banned programs running by hiding them in the process tree with the fu rootkit among other things. If it’s of interest I could dig up my slides. Honestly, I’d just contact your professor to explain it simply does not work and it should not be that difficult to take an exam.

  5. Chris Pickett says:

    My situation is similar to the one you described; I use Linux, and I don’t want to drive 45 minutes to campus at 1:00 in the morning to take a Spanish quiz. I tried searching for the same error message in IDA Pro, but IDA was unable to find anything. I am not sure if the developers of the LockDown Browser have changed the way they verify for a VM, or if I am doing something wrong. I am very new to reverse engineering, but I would really like to learn (it seems like a lot more fun than learning Spanish). Do you think you could look at the program again to see if they have changed anything, or perhaps give me a couple of pointers to reproduce your results?

  6. Yet another thank you for this article. Ironically, I’ll be a journalism major, and my Intro to Journalism course requires that quizzes and tests be taken using this obnoxious browser. Like you, I’m a Linux user, and only “acquired” a copy of Windows to run under VMWare for the express purpose of using this browser. At the risk of taking a 0% on the first quiz of the year, I am not following these methods to take the quiz on time, and instead emailed my instructor (prior to finding this article) about my difficulties. Like yourself, I am an academically honest person. I am going to forward this article to her, however, as she might be interested. Perhaps there’s an article in your, well, in your article.

    Kudos,
    LiamC