Activex help

Hello, I have a activex cab file and want to know how to read the files with in. Turn the gobbledygook inside the files into readable programming commands.


Thankyou

djrock

 

A cab file contains one or more compressed files (it's like a zip file). When you say "activex cab file", do you mean a cab file that contains activex files?

In the Windows Explorer, you should be able to double click on a cab file and see the contents. If the files are activex files, then they will indeed look like "gobbledygook" because they are binary executables.

Just what is it that you're trying/expecting to do?

 

I am trying to see if the activex is doing the authentication and if so is it easy to bypass.

I am helping a friend out who’s in the security trade. He has not done a lot of setting dvr’s to be accessed from the web. While helping him I have noticed some flaws eg java script checking the username and password field is not blank. This is fine except it gives you the link to the html page to view the images except it brings up username or password not correct.

Now I am trying to work out if its doing client side authentication (checking the username and password) using the activex.

Thankyou

djrock

 

There isn't any good way to determine just what the ActiveX control is doing.

I've already gotten in trouble once today with CookieGal for helping out with a question related to bypassing security, so there's not much more I can say here. The reason given by the TechGuys is that there is no way to determine if a request to bypass security is legitimate. Your request is essentially "how can i determine if there's a way to bypass security" and you should be able to see why this poses a problem.

 

I just realised that I could be someone wanting to break in to something I don’t have permission to. So I agree.

OK If the activex is doing the authentication, which would mean its client side scripting how easy would it be to bypass. 1 being easy to 10 being extremely hard.

 

If a bank has a safe door made of 10 inch thick steel, how easy is it to break in? Well, getting through the steel would be difficult but there's not enough information here about the bank to answer the real question.

Peforming a security assessment is hard to do without access to the web site and the ActiveX control. I suggest that you find a security professional (or a good hacker ;-) for a realistic assessment.

 

If you can decompile the file that handles the login check, change the part for the login so it does not matter what’s entered its always correct.

Recompile it and replace the unmodified activex cab installed in Internet Explorer with one with the modified file.

Would that work??

I have decompiled one of the dll’s and there is a part that mentions login. Which confirms it a bit more it does handle the login. I have made programs before in c++, java, .net but never done any sort of decompiling. I concentrate on the hardware side of computing.

If you don't install the activex the login does not work. You just get stuck at the login page.

I think I will phone the company who makes the dvr and see what they have to say. But I want to know myself because they might know that and not be 100% truthful about it.

I know that client side scripting really should not be used for checking login details since it can be bypassed very easy.

I can pm you the activex cab file if you want to look at the files with-in?

Thankyou

djrock

 

Sorry but I'll pass. This conversation is falling into the area of "Category I Offenses" (Circumventing Copy Protection) for TechGuys : http://www.techguy.org/rules.html

 

Hello, But I am not trying to Circumventing Copy Protection. When I said “I can pm you the activex cab file if you want to look at the files with-in?”

I did not expect you to hack the file(s) for me or tell me how to. All I wanted you to do if you wanted to, is to look at them and give me an idea if it was easy or hard to bypass.

e.g Easy

Download program x find part 4 change line 6



Very Hard

A good bit of experience in working with decompiled code.


CCTV cams can be used for all sorts of stuff. From keeping an eye on your property to watching the kids are ok when in the swimming pool. You don’t want the dvr’s security to be easily bypassed!! Especially if its used to keep an eye on your kids. There’s a lot of sick people about!!

If I 100% knew the login check is done on the client side in the activex and depending on your knowledge how easy it was to bypass. I can go back to the company and say I know its client side and with x knowledge can be bypassed. This is not good enough!!!

Thankyou

djrock

 

Don't want to leave you hanging here so I'm writing to let you know that I can't do any more than I've already done. Consider getting a security pro or a hacker to help you with your analysis.
Good luck!