Extraction of OEM LockDown Browsers via Powershell commands is not possible

[bluesangheili]

I have recently been testing these LockDown Browsers:

1. https://www.webassign.net/user_support/student/lockdown_browser.html
2. https://www.aleks.com/support/lockdown_system_requirements

It appears to me they are the same, as you can download one or the other and run both as if it were the original; however, I have noticed line 26 of sandbox_run.ps1 does not seem to work as intended. The contents of the InstallShield never extract to Windows\Temp. I also downloaded universal extractor and 7-zip to extract the OEM Browser, to no avail.

I set it up like this:

I have tried recording the InstallShield installation process, but it is the same deal. I hope someone knowledgeable in Powershell can create a workaround, definitely not me.

[bluesangheili]

You can do this manually if you want to use any similar LockDown:

1. Navigate to the Sandbox runtime_directory -- cd "C:\Users\WDAGUtilityAccount\Desktop\runtime_directory"
2. ./withdll /d:GetSystemMetrics-Hook.dll $lockdown_runtime "URL" -- done!

You do not need to change rldb:// URL protocol, mistake on my end. The URL has to include ldb, ldb1, etc. It should be a button with a similar protocol, as shown below.

ldb:dh%7BKS6poDqwsi1SHVGEJ+KMYaelPZ56lqcNzohRRiV1bzFj3Hjq8lehqEug88UjowG1mK1Q8h2Rg6j8kFZQX0FdyA==%7D

[ghostpanda63]

Did you ever get it to work? If you did how did you get it to extract in to the temp folder?

[bluesangheili]

No, I could not get it to extract to the temp folder. You only need to install it with the /x command (which is supposed to extract the files but only runs the installation process on some browsers). After you have installed it, search for the "launch lockdown browser" button of your institution's webpage. You should find an URL to execute LockDown Browser, copy it and paste it in /withdll /d:GetSystemMetrics-Hook.dll $lockdown_runtime "URL" alongside the other lines I posted above, in order. If you cannot find the URL by dragging your cursor to the button, you can view the page's source code with your browser, and it should be there around somewhere.

So anyway, all you need to do is to open Powershell, paste these lines of code:

cd "C:\Users\WDAGUtilityAccount\Desktop\runtime_directory"
./withdll /d:GetSystemMetrics-Hook.dll $lockdown_runtime "URL"    # done!

$lockdown_runtime is the variable of where LockDown Browser files are. You may need to tweak it a little.

[gucci-on-fleek]

@bluesangheili

No, I could not get it to extract to the temp folder. You only need to install it with the /x command (which is supposed to extract the files but only runs the installation process on some browsers). After you have installed it, search for the "launch lockdown browser" button of your institution's webpage. You should find an URL to execute LockDown Browser, copy it and paste it in /withdll /d:GetSystemMetrics-Hook.dll $lockdown_runtime "URL" alongside the other lines I posted above, in order. If you cannot find the URL by dragging your cursor to the button, you can view the page's source code with your browser, and it should be there around somewhere.

So anyway, all you need to do is to open Powershell, paste these lines of code:

cd "C:\Users\WDAGUtilityAccount\Desktop\runtime_directory"
./withdll /d:GetSystemMetrics-Hook.dll $lockdown_runtime "URL"    # done!

$lockdown_runtime is the variable of where LockDown Browser files are. You may need to tweak it a little.

These OEM versions seem to be quite tricky to make work, so I'm glad that someone finally figured out a solution. Thanks!

I have tried recording the InstallShield installation process, but it is the same deal. I hope someone knowledgeable in Powershell can create a workaround, definitely not me.

From some other comments that I've seen, I think that these OEM versions are “preextracted”, so maybe you can try deleting the extraction step

https://github.com/gucci-on-fleek/lockdown-browser/blob/7248e2999c70bd913345483873cfc8e623bc99a0/runtime_directory/sandbox_run.ps1#L26-L32

and changing setup.exe to the installer file name at

https://github.com/gucci-on-fleek/lockdown-browser/blob/7248e2999c70bd913345483873cfc8e623bc99a0/runtime_directory/sandbox_run.ps1#L34

If that doesn't work, you might need a different setup.iss file, which you can generate by changing the /s above to /r..

[bluesangheili]

@bluesangheili

No, I could not get it to extract to the temp folder. You only need to install it with the /x command (which is supposed to extract the files but only runs the installation process on some browsers). After you have installed it, search for the "launch lockdown browser" button of your institution's webpage. You should find an URL to execute LockDown Browser, copy it and paste it in /withdll /d:GetSystemMetrics-Hook.dll $lockdown_runtime "URL" alongside the other lines I posted above, in order. If you cannot find the URL by dragging your cursor to the button, you can view the page's source code with your browser, and it should be there around somewhere.

So anyway, all you need to do is to open Powershell, paste these lines of code:

cd "C:\Users\WDAGUtilityAccount\Desktop\runtime_directory"
./withdll /d:GetSystemMetrics-Hook.dll $lockdown_runtime "URL"    # done!

$lockdown_runtime is the variable of where LockDown Browser files are. You may need to tweak it a little.

These OEM versions seem to be quite tricky to make work, so I'm glad that someone finally figured out a solution. Thanks!

I have tried recording the InstallShield installation process, but it is the same deal. I hope someone knowledgeable in Powershell can create a workaround, definitely not me.

From some other comments that I've seen, I think that these OEM versions are “preextracted”, so maybe you can try deleting the extraction step

https://github.com/gucci-on-fleek/lockdown-browser/blob/7248e2999c70bd913345483873cfc8e623bc99a0/runtime_directory/sandbox_run.ps1#L26-L32

and changing setup.exe to the installer file name at

https://github.com/gucci-on-fleek/lockdown-browser/blob/7248e2999c70bd913345483873cfc8e623bc99a0/runtime_directory/sandbox_run.ps1#L34

If that doesn't work, you might need a different setup.iss file, which you can generate by changing the /s above to /r..

I cannot recall what I exactly tried to troubleshoot back then, but my general understanding is you cannot extract the exe anywhere. I tried the /s command, bunch of others I found in Stack Overflow. Finally, I joined a pwsh discord and their recommendation was that some installshields were impossible to break without reverse engineering, then I experimented quite a bit until I found this. I cannot remember pretty much anything of what I did but it works, somehow.

[gucci-on-fleek]

@bluesangheili

Ok, I downloaded the Aleks file that you linked to above, and I can confirm that it is “pre-extracted”. For the regular Lockdown Browser installers, the provided file is just a “pre-installer” that you have to run to unpack the “real” installer into the temp folder; but for the “OEM” installer, the provided file is already the “real” installer, so the initial unpacking step is both unnecessary and impossible.

Now, the “real” installer ultimately unpacks its files into C:\Program Files\…, but it also does some registry stuff, so you can't just manually unpack it into C:\Program Files\… and expect it to work. So the best way to automatically install it would be to convince it to do a “silent install”—the /s "…\setup.iss" command does that for the regular Browser, but I have no idea how (or if it's even possible) for the “OEM” version.

But if you really want to unpack the installer, it's not that hard. Inside the installer .exe there are three “InstallShield Cabinet” headers. The easiest way to get their offsets is with binwalk, but you can search the file for 4953 6328 f00a 0004 if you prefer. Next, extract <header 2 offset> -- <header 3 offset> into out1.cab and extract <header 3 offset> -- EOF into out2.cab. Install unshield, then run unshield -g DefaultComponent x out1.cab. And that’s it—all of the Lockdown Browser's runtime files should now be inside the DefaultComponent/ folder.

[bluesangheili]

@bluesangheili

Ok, I downloaded the Aleks file that you linked to above, and I can confirm that it is “pre-extracted”. For the regular Lockdown Browser installers, the provided file is just a “pre-installer” that you have to run to unpack the “real” installer into the temp folder; but for the “OEM” installer, the provided file is already the “real” installer, so the initial unpacking step is both unnecessary and impossible.

Now, the “real” installer ultimately unpacks its files into C:\Program Files\…, but it also does some registry stuff, so you can't just manually unpack it into C:\Program Files\… and expect it to work. So the best way to automatically install it would be to convince it to do a “silent install”—the /s "…\setup.iss" command does that for the regular Browser, but I have no idea how (or if it's even possible) for the “OEM” version.

But if you really want to unpack the installer, it's not that hard. Inside the installer .exe there are three “InstallShield Cabinet” headers. The easiest way to get their offsets is with binwalk, but you can search the file for 4953 6328 f00a 0004 if you prefer. Next, extract <header 2 offset> -- <header 3 offset> into out1.cab and extract <header 3 offset> -- EOF into out2.cab. Install unshield, then run unshield -g DefaultComponent x out1.cab. And that’s it—all of the Lockdown Browser's runtime files should now be inside the DefaultComponent/ folder.

Thanks, I'll give it a try sometime.