
decrypt lskdata.bin (InSight Student, LanSchool) files


OverSite

OverSite is a tool for browsers supporting the HTML5 File API to decrypt LanSchool/Faronics InSight Student keylogger files.

Faronics and LanSchool are the same program (there are likely other programs that have the same name) that monitors students' activities and allows a teacher to view the screens of students in their classroom. Unfortunately, it also includes a keylogger, which most people are unaware of.

For some reason, the keylogger only stores the last 50,000 keypresses, after which the old keystrokes at the beginning of the file are removed.

Format

The lskdata.bin file stores its data in a binary representation, encrypted using a substitution cipher whose table is selected by the byte's absolute position in the file, mod 4. I've encountered two "variants".

Old format

Character pos % 4 == 0 pos % 4 == 1 pos % 4 == 2 pos % 4 == 3
(space) 0x9e 0x9a 0x8d 0x2b
! 0x9f 0x9b 0x8c 0x2a
" 0x9c 0x98 0x8f 0x29
# 0x9d 0x99 0x8e 0x28
$ 0x9a 0x9e 0x89 0x2f
% 0x9b 0x9f 0x88 0x2e
& 0x98 0x9c 0x8b 0x2d
' 0x99 0x9d 0x8a 0x2c
( 0x96 0x92 0x85 0x23
) 0x97 0x93 0x84 0x22
* 0x94 0x90 0x87 0x21
+ 0x95 0x91 0x86 0x20
, 0x92 0x96 0x81 0x27
- 0x93 0x97 0x80 0x26
. 0x90 0x94 0x83 0x25
/ 0x91 0x95 0x82 0x24
0 0x8e 0x8a 0x9d 0x3b
1 0x8f 0x8b 0x9c 0x3a
2 0x8c 0x88 0x9f 0x39
3 0x8d 0x89 0x9e 0x38
4 0x8a 0x8e 0x99 0x3f
5 0x8b 0x8f 0x98 0x3e
6 0x88 0x8c 0x9b 0x3d
7 0x89 0x8d 0x9a 0x3c
8 0x86 0x82 0x95 0x33
9 0x87 0x83 0x94 0x32
: 0x84 0x80 0x97 0x31
; 0x85 0x81 0x96 0x30
< 0x82 0x86 0x91 0x37
= 0x83 0x87 0x90 0x36
> 0x80 0x84 0x93 0x35
? 0x81 0x85 0x92 0x34
@ 0xfe 0xfa 0xed 0x4b
A 0xff 0xfb 0xec 0x4a
B 0xfc 0xf8 0xef 0x49
C 0xfd 0xf9 0xee 0x48
D 0xfa 0xfe 0xe9 0x4f
E 0xfb 0xff 0xe8 0x4e
F 0xf8 0xfc 0xeb 0x4d
G 0xf9 0xfd 0xea 0x4c
H 0xf6 0xf2 0xe5 0x43
I 0xf7 0xf3 0xe4 0x42
J 0xf4 0xf0 0xe7 0x41
K 0xf5 0xf1 0xe6 0x40
L 0xf2 0xf6 0xe1 0x47
M 0xf3 0xf7 0xe0 0x46
N 0xf0 0xf4 0xe3 0x45
O 0xf1 0xf5 0xe2 0x44
P 0xee 0xea 0xfd 0x5b
Q 0xef 0xeb 0xfc 0x5a
R 0xec 0xe8 0xff 0x59
S 0xed 0xe9 0xfe 0x58
T 0xea 0xee 0xf9 0x5f
U 0xeb 0xef 0xf8 0x5e
V 0xe8 0xec 0xfb 0x5d
W 0xe9 0xed 0xfa 0x5c
X 0xe6 0xe2 0xf5 0x53
Y 0xe7 0xe3 0xf4 0x52
Z 0xe4 0xe0 0xf7 0x51
[ 0xe5 0xe1 0xf6 0x50
\ 0xe2 0xe6 0xf1 0x57
] 0xe3 0xe7 0xf0 0x56
^ 0xe0 0xe4 0xf3 0x55
_ 0xe1 0xe5 0xf2 0x54
a 0xdf 0xdb 0xcc 0x6a
b 0xdc 0xd8 0xcf 0x69
c 0xdd 0xd9 0xce 0x68
d 0xda 0xde 0xc9 0x6f
e 0xdb 0xdf 0xc8 0x6e
f 0xd8 0xdc 0xcb 0x6d
g 0xd9 0xdd 0xca 0x6c
h 0xd6 0xd2 0xc5 0x63
i 0xd7 0xd3 0xc4 0x62
j 0xd4 0xd0 0xc7 0x61
k 0xd5 0xd1 0xc6 0x60
l 0xd2 0xd6 0xc1 0x67
m 0xd3 0xd7 0xc0 0x66
n 0xd0 0xd4 0xc3 0x65
o 0xd1 0xd5 0xc2 0x64
p 0xce 0xca 0xdd 0x7b
q 0xcf 0xcb 0xdc 0x7a
r 0xcc 0xc8 0xdf 0x79
s 0xcd 0xc9 0xde 0x78
t 0xca 0xce 0xd9 0x7f
u 0xcb 0xcf 0xd8 0x7e
v 0xc8 0xcc 0xdb 0x7d
w 0xc9 0xcd 0xda 0x7c
x 0xc6 0xc2 0xd5 0x73
y 0xc7 0xc3 0xd4 0x72
z 0xc4 0xc0 0xd7 0x71
{ 0xc5 0xc1 0xd6 0x70
} 0xc3 0xc7 0xd0 0x76

New Format

Character pos % 4 == 0 pos % 4 == 1 pos % 4 == 2 pos % 4 == 3
(space) 0x68 0x22 0xc1 0x26
! 0x69 0x23 0xc0 0x27
" 0x6a 0x20 0xc3 0x24
# 0x6b 0x21 0xc2 0x25
$ 0x6c 0x26 0xc5 0x22
% 0x6d 0x27 0xc4 0x23
& 0x6e 0x24 0xc7 0x20
' 0x6f 0x25 0xc6 0x21
( 0x60 0x2a 0xc9 0x2e
) 0x61 0x2b 0xc8 0x2f
* 0x62 0x28 0xcb 0x2c
+ 0x63 0x29 0xca 0x2d
, 0x64 0x2e 0xcd 0x2a
- 0x65 0x2f 0xcc 0x2b
. 0x66 0x2c 0xcf 0x28
/ 0x67 0x2d 0xce 0x29
0 0x78 0x32 0xd1 0x36
1 0x79 0x33 0xd0 0x37
2 0x7a 0x30 0xd3 0x34
3 0x7b 0x31 0xd2 0x35
4 0x7c 0x36 0xd5 0x32
5 0x7d 0x37 0xd4 0x33
6 0x7e 0x34 0xd7 0x30
7 0x7f 0x35 0xd6 0x31
8 0x70 0x3a 0xd9 0x3e
9 0x71 0x3b 0xd8 0x3f
: 0x72 0x38 0xdb 0x3c
; 0x73 0x39 0xda 0x3d
< 0x74 0x3e 0xdd 0x3a
= 0x75 0x3f 0xdc 0x3b
> 0x76 0x3c 0xdf 0x38
? 0x77 0x3d 0xde 0x39
@ 0x08 0x42 0xa1 0x46
A 0x09 0x43 0xa0 0x47
B 0x0a 0x40 0xa3 0x44
C 0x0b 0x41 0xa2 0x45
D 0x0c 0x46 0xa5 0x42
E 0x0d 0x47 0xa4 0x43
F 0x0e 0x44 0xa7 0x40
G 0x0f 0x45 0xa6 0x41
H 0x00 0x4a 0xa9 0x4e
I 0x01 0x4b 0xa8 0x4f
J 0x02 0x48 0xab 0x4c
K 0x03 0x49 0xaa 0x4d
L 0x04 0x4e 0xad 0x4a
M 0x05 0x4f 0xac 0x4b
N 0x06 0x4c 0xaf 0x48
O 0x07 0x4d 0xae 0x49
P 0x18 0x52 0xb1 0x56
Q 0x19 0x53 0xb0 0x57
R 0x1a 0x50 0xb3 0x54
S 0x1b 0x51 0xb2 0x55
T 0x1c 0x56 0xb5 0x52
U 0x1d 0x57 0xb4 0x53
V 0x1e 0x54 0xb7 0x50
W 0x1f 0x55 0xb6 0x51
X 0x10 0x5a 0xb9 0x5e
Y 0x11 0x5b 0xb8 0x5f
Z 0x12 0x58 0xbb 0x5c
[ 0x13 0x59 0xba 0x5d
\ 0x14 0x5e 0xbd 0x5a
] 0x15 0x5f 0xbc 0x5b
^ 0x16 0x5c 0xbf 0x58
_ 0x17 0x5d 0xbe 0x59
a 0x29 0x63 0x80 0x67
b 0x2a 0x60 0x83 0x64
c 0x2b 0x61 0x82 0x65
d 0x2c 0x66 0x85 0x62
e 0x2d 0x67 0x84 0x63
f 0x2e 0x64 0x87 0x60
g 0x2f 0x65 0x86 0x61
h 0x20 0x6a 0x89 0x6e
i 0x21 0x6b 0x88 0x6f
j 0x22 0x68 0x8b 0x6c
k 0x23 0x69 0x8a 0x6d
l 0x24 0x6e 0x8d 0x6a
m 0x25 0x6f 0x8c 0x6b
n 0x26 0x6c 0x8f 0x68
o 0x27 0x6d 0x8e 0x69
p 0x38 0x72 0x91 0x76
q 0x39 0x73 0x90 0x77
r 0x3a 0x70 0x93 0x74
s 0x3b 0x71 0x92 0x75
t 0x3c 0x76 0x95 0x72
u 0x3d 0x77 0x94 0x73
v 0x3e 0x74 0x97 0x70
w 0x3f 0x75 0x96 0x71
x 0x30 0x7a 0x99 0x7e
y 0x31 0x7b 0x98 0x7f
z 0x32 0x78 0x9b 0x7c
{ 0x33 0x79 0x9a 0x7d
} 0x35 0x7f 0x9c 0x7b
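
Both tables above are consistent with a repeating 4-byte XOR key, which the following added example (not OverSite's own code) derives from a few table rows and then uses to pick the variant for a buffer. The function names, the printable-ASCII scoring and the sample buffer are assumptions made for illustration; it also assumes the buffer starts at file offset 0 and that bytes not listed in the tables follow the same XOR.

```javascript
// Rows copied from the README tables: [char, pos%4==0, ==1, ==2, ==3].
const OLD_ROWS = [[' ', 0x9e, 0x9a, 0x8d, 0x2b], ['A', 0xff, 0xfb, 0xec, 0x4a],
                  ['e', 0xdb, 0xdf, 0xc8, 0x6e], ['}', 0xc3, 0xc7, 0xd0, 0x76]];
const NEW_ROWS = [[' ', 0x68, 0x22, 0xc1, 0x26], ['A', 0x09, 0x43, 0xa0, 0x47],
                  ['e', 0x2d, 0x67, 0x84, 0x63], ['}', 0x35, 0x7f, 0x9c, 0x7b]];

// If char XOR cipher byte is constant down each column, the substitution
// table is a repeating 4-byte XOR key. Throws if any row disagrees.
function deriveKey(rows) {
  const first = rows[0][0].charCodeAt(0);
  const key = rows[0].slice(1).map((b) => b ^ first);
  for (const [ch, ...cipher] of rows) {
    cipher.forEach((b, i) => {
      if ((b ^ ch.charCodeAt(0)) !== key[i]) {
        throw new Error(`row ${JSON.stringify(ch)} breaks XOR at pos % 4 == ${i}`);
      }
    });
  }
  return key;
}

// XOR is its own inverse, so this both encodes and decodes.
// offset = absolute file position of bytes[0] (assumed 0 for a whole file).
function xorAt(bytes, key, offset = 0) {
  return Uint8Array.from(bytes, (b, i) => b ^ key[(offset + i) % 4]);
}

// Choose the variant whose key yields the most printable ASCII.
function detectVariant(bytes, keys) {
  let best = null;
  for (const [name, key] of Object.entries(keys)) {
    const plain = xorAt(bytes, key);
    const score = plain.filter((c) => c >= 0x20 && c < 0x7f).length / plain.length;
    if (!best || score > best.score) {
      best = { name, score, text: String.fromCharCode(...plain) };
    }
  }
  return best;
}

const KEYS = { old: deriveKey(OLD_ROWS), new: deriveKey(NEW_ROWS) };
const toHex = (k) => Array.from(k, (b) => b.toString(16).padStart(2, '0')).join(' ');
// Constructed sample (not real logger output): "hello world" in the new format.
const SAMPLE = xorAt(Array.from('hello world', (c) => c.charCodeAt(0)), KEYS.new);
console.log(toHex(KEYS.old), '|', toHex(KEYS.new), '|', detectVariant(SAMPLE, KEYS));
```

Because the key depends only on position mod 4, a fragment cut from the middle of a file decodes correctly only when `offset` is set to its original file position.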

Thanks to

"Creative Commons Disguise" by Andrew Anguiano, licensed under CC 3.0, from The Noun Project

normalize.css v3.0.2