This is detected! #26

Open
pinkestflamingo opened this issue Feb 27, 2024 · 6 comments
Labels
enhancement New feature or request

Comments

@pinkestflamingo

Hi, former SEB reverse engineer here.
As I've reversed the insides of SEB, I know their internal structure very well.
Although your solution works (there are better solutions), it is definitely detected.

I used to work for a firm that had ties to SEB. Their memcheck (memory validator) validates memory that is being modified, even file hashes. So if one of the file hashes is wrong (for the files you are modifying/replacing), it will report it to the server. It does not notify the user or the teacher, but it will be logged and later on your school/university will be contacted by the exam contractor.

So, as this is a good TRY at bypassing SEB, it is definitely not a good way of doing it.

@Zwilgmeyer

Hey Kiko. Thank you for this valuable insight. How do you know the exam contractor will contact the institution? And if they do, what is the actual fallout? Is the data they dig up substantive enough to implicate individuals to such a degree as to be damning evidence of wrongdoing? Do their data give details as to what has been done, and by whom, to a degree that they can and will forward it? And will it have the effect that the institution takes action with real consequence to the user? Or could it be effectively denied? Someone with ties to a local institution successfully used version 3.5 of the bypass 3 months ago, and has not been contacted. Certainly it would take some very serious and well backed up claims to overturn a grade after such a long time.

If it is as you say, what could be done to prevent this problem?

@pinkestflamingo
Author

Hello.

Before diving into potential solutions, let's discuss the situation surrounding SafeExamBrowser (SEB).

It's concerning that someone may have bypassed the system three months ago without detection. While this could be a fluke due to human oversight, it highlights a potential vulnerability. Here's the breakdown:

Exam logs are not accessible to SEB itself, but are forwarded to the exam provider (Exam.net or similar).
If the provider lacks support for file hash checks, a user might exploit this gap.
During my internship at an organization with ties to SEB, I was tasked with reverse engineering the application for vulnerabilities (unfortunately, an NDA prevents me from disclosing specific exploits discovered within that organization). However, I can discuss potential vulnerabilities I haven't reported or exploited.

Initially, I explored modifying the .NET assemblies, but this triggered logging of my name due to invalid file hashes. This led me to investigate the seb_x64.dll library, which handles integrity checks, application encryption keys, and exam encryption keys.

My findings suggest that the integrity check, returning a 1 or 0 based on verification, exists in both the .NET assemblies and the encryption keys.

Here are potential approaches, but with important caveats:

Replacing seb_x64.dll: This would require deciphering the encryption algorithm for the keys, a complex task.
Injecting a Custom Library: SEB's current lack of security allows for library injection. You could potentially hook the integrity check and force it to always return 1. However, there might be hidden checks in place that could still detect this.
Modifying SEB at runtime (memory or HWND manipulation), renderer hijacking, or kernel-level injection for rendering custom windows (ChatGPT or ImGui) are highly technical solutions I wouldn't recommend unless you're extremely experienced.

A potentially viable option involves injecting a custom library that allocates a console to display notes. While this might work, the integrity check could still detect it, and clearing the console would likely crash the application.

I have additional solutions and potential exploits, but these discussions are best suited for a more secure communication channel. If interested, feel free to reach out via email or Discord (luau_load on Discord, kiko@hijacked.pro on email).

Important Disclaimer: This information is for educational purposes only. Bypassing security measures for exams is a violation of academic integrity and could have serious consequences.
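The two comments above describe the detection side in general terms: shipped files are hashed, a mismatch is collapsed to a 1/0 integrity result, and the mismatch is logged for the exam provider rather than shown to the user. The following is an added example of that mechanism written for this page; it is not SEB's memcheck or any code from the project, and the file names, the manifest layout, the JSON report fields and the session identifier are all assumptions.

```python
"""Added example: a manifest-based file integrity check of the kind the thread
describes (hashes of shipped files compared against known-good values, with
mismatches collapsed to a 1/0 result and logged for the server side).
Illustrative code only; file names and report fields are assumptions."""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large assemblies need not be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def list_files(root):
    """Yield every file under root as a forward-slash relative path (the manifest key)."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/")


def build_manifest(root):
    """Record the expected digest of every shipped file (what a vendor would publish beside the binaries)."""
    return {rel: sha256_file(os.path.join(root, *rel.split("/"))) for rel in list_files(root)}


def verify_tree(root, manifest):
    """Compare the on-disk tree against the manifest.

    Returns a list of findings; an empty list means every file matched.
    Each finding is a plain dict so it can be serialised straight into a log record."""
    findings = []
    for rel, expected in manifest.items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            findings.append({"file": rel, "status": "missing", "expected": expected, "actual": None})
            continue
        actual = sha256_file(full)
        if actual != expected:
            findings.append({"file": rel, "status": "modified", "expected": expected, "actual": actual})
    # Files present on disk that the manifest never listed, e.g. a library dropped next to the binaries.
    for rel in list_files(root):
        if rel not in manifest:
            findings.append({"file": rel, "status": "unexpected", "expected": None, "actual": None})
    return findings


def integrity_flag(findings):
    """Collapse the findings to the 1/0 result the thread describes: 1 = verified, 0 = tampered."""
    return 1 if not findings else 0


def log_record(session_id, findings):
    """Shape a report the client could forward to the exam server. Field names are assumptions."""
    return json.dumps({"session": session_id, "integrity": integrity_flag(findings), "findings": findings},
                      sort_keys=True)


def demo():
    """Build a small constructed install tree, take a manifest, tamper with it, and re-verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        # Constructed sample files standing in for the shipped binaries (not real SEB files).
        with open(os.path.join(root, "app.exe"), "wb") as f:
            f.write(b"MZ original application bytes")
        with open(os.path.join(root, "lib", "core.dll"), "wb") as f:
            f.write(b"MZ original library bytes")
        manifest = build_manifest(root)
        before = verify_tree(root, manifest)
        # Simulate the modification the thread discusses: a shipped library patched in place.
        with open(os.path.join(root, "lib", "core.dll"), "wb") as f:
            f.write(b"MZ patched library bytes")
        # And a file dropped beside the binaries that the manifest never listed.
        with open(os.path.join(root, "lib", "inject.dll"), "wb") as f:
            f.write(b"MZ injected bytes")
        after = verify_tree(root, manifest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("integrity before:", integrity_flag(before), "after:", integrity_flag(after))
    print(log_record("example-session", after))
```

Note what the report carries: the relative path, the expected and observed digests and a status. That is exactly the kind of evidence the thread argues about, enough to say which shipped file changed and that an unlisted file appeared, but not by itself who changed it; attribution would come from the session identifier the client attaches when it forwards the record.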

@Zwilgmeyer

Thank you for this informative input. Unfortunately the details are above my head as I do not have programming experience. I am merely an enthusiast with an interest in this sort of thing. What I was trying to extract was what these hashes contain specifically. If the exam provider uncovers inconsistencies in the file hashes, what are they able to dig up and hand over? An error having occurred certainly isn't enough to "bust" someone. These hashes would have to contain something more damning.

Maybe you should give a go of making your own bypass, or collaborate with the maker of this one to help further the project. For educational and informational purposes of course.

I might add that I personally would never violate any rules or encourage anyone else to do so. My interests are strictly educational.

@pinkestflamingo
Author

I released a POC of my exploit (for educational purposes only) about 4 minutes ago on Youtube. Check it out :D
https://www.youtube.com/watch?v=s0Rh61x4eGA

The exam supervisor would receive logs about files being tampered with, which indicates that the user has been trying to cheat during the exam. My exploit doesn't trigger anything as it uses shellcode payloads to gain control over the environment and hijack the renderer.

@koitsuru

koitsuru commented Apr 1, 2024

Hi where can i get your exploit?

@Zwilgmeyer

@pinkestflamingo Very impressive. Are you planning to publish it?

@nxvvvv nxvvvv added the enhancement New feature or request label Jun 14, 2024