238
edits
Changes
basic installer reversing
<code>776344933.exe</code>The ID code is not preceded by a hyphen<br>
<code>Lockdown.exe</code>The ID code simply isn't in the file name<br>
To pull down VT's executable with the default name, try
<code>
curl -LO $(curl -L "https://download.respondus.com/lockdown/$(curl -L "https://download.respondus.com/lockdown/download.php?ID=776344933" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.3" 2>/dev/null | grep -ioE "download[0-9].php\?id=[0-9]*")" 2>/dev/null| grep -ioE "https.*.exe" | uniq)
</code>
===Wine===
== Analysis ==
The initially downloaded .exe is an InstallShield self-extracting installer. The 9-digit ID is not checked by this installer during the extraction process whatsoever -- it is simply copied from the filename into a temporary file in the extraction working directory (on Wine, <code>c/users/hokietux/AppData/Local/Temp/ldz<some string>/id.txt</code>, though this is dynamically generated using winapi's <code>GetTempPathA</code> then <code>GetTempFileNameA</code>).
Only cursory analysis has been done thus far, as the author of this article doesn't have a native windows box to run Respondus on. It appears that on launch, it first connects to an unencrypted http server running in AWS, presumably to check if the version is current, then it checks if it is in a virtualized environment.