Log in

View Full Version : Getting IBX keys and a way to defeat MS WM-DRM 11.0.6000.7000


Pages : [1] 2 3 4 5 6 7

sectroyer
23rd September 2007, 13:05
Hi.
Wanted to start a talk how we can extract (an how it is already done) IBX keys. According to technical details of freeme:
Since the
IndivBox.key file is shuffled in a random way for each client, these
keys would be extremely difficult to extract from the file itself.
Fortunately, we don't have to: these keys are part of the object state
that is maintained by this library, and since the offset within this
object of these secret keys is known, we can let the library itself
extract the secret keys! The code for this simply loads up the "black
box" library, has it initialize an instance of the object, and then
reads the keys right out of that object.
As I belive now it should not be that easy to extract keys from this object and probably this is not what FairUse4WM/mirakagi does. But I believe it gets IBX public key (It can be found for instance in license database file) and then tries to find it in IndivBox.key. As we may suspect somewhere "near" this key should be private key. This would explain why it outputs something like this:
AES: 4e 68 d7 2b c6 01 cf 5a 1e f3 3f ee 1f 73 a3 45
Decoding secondary keys
Please wait for 19587 attempts.
It is finished.
As I suspect these "19587 attempts" are just tries to check whether some set of bytes is the private key or not. But does anyone know how we can perform this check? I think about taking one license from the license file and trying to decode content key. It should be "short" and (not sure of this) begin with 7.
Regards.

Ajax_Undone
24th September 2007, 16:28
Is it a random access AES key generator...

It might search for the the key that unlocks the file to gain access to the data contained in the IBX... (ie Brute force attack)...

sectroyer
24th September 2007, 17:54
Is it a random access AES key generator...

It might search for the the key that unlocks the file to gain access to the data contained in the IBX... (ie Brute force attack)...
No it isn't I have found viodentias post that explains what is really going on :)
The AES key displayed in new key extraction
For the v11 individualization, v2ksndv.bla (or v2ks###.bla) is now an XML file. There are two tags of particular interest, the first 40 bytes of "c:PKCert" is the public key for ECC encryption and the "Keys" which stores all the secondary keys.

Each time you re-individualize, the DLL sends "escrowed" key information to Microsoft's servers which decrypts it and re-encrypts it inside this secondary key table. These are all the keys for previous individualizations.

The <Keys> tag is encrypted with AES in Counter mode using the displayed key. To decrypt, create a 16-byte BIG-ENDIAN counter (that is, 16 bytes of 0, next would be 15-bytes of 0's and one 1 byte, and so forth). Encrypt that with the AES key. XOR the output with the next 16-bytes from the tag.

Once decrypted, the Keys tag holds a XML document which in turn has both the old ECC keys (which v1.3 happily extracts for you), and some RSA keys - the RSA keys are apparently new for v11, and I don't know what they're for.

By the way, if one looks at the individualization process in Wireshark, it's conceivable that future individualizations can be handled with the assistence of Microsoft's own servers.
Now I just have to understand it and implement :D

Ajax_Undone
25th September 2007, 06:26
LOL well good luck he confused me...

sectroyer
26th September 2007, 22:34
I think I understand what he meant. I will just need to implement and test it :) Unfortunately he didn't explain how to get this AES key :( But it's a piece of code less to reverse engineer :D

Ajax_Undone
29th September 2007, 06:13
You might try getting a Copy of the Microsoft digital rights management SDK 10.1.2... After all thats how Viodentia did his program... I know that you have to register with MS and buy a licence to use it I think... or find it on a Bittorrent Site...

ANyhow good luck unlocking the secrets of the empire...

sectroyer
29th September 2007, 10:08
I want to crack wm-drm without using any ms code and without linking with any ms drm libraries :)

people are pork
29th September 2007, 22:03
There is much confusion, of which I will try and resolve. This information is my own fabrication. It may not represent actual reality. Nor do I speak for any employers, past or present.

The IBX or Individual Black-boX is a method of practical implementation of access control. The goal is to entangle decryption capability with policy enforcement in a manner that resists separation.

Concretely: The IBX only decrypts video for a blesssed player application.

An IBX is just a DLL (renamed to .key), that contains two assymmetric keypairs (1 - Elliptic Curve Cryptosystem, see freeme doc. 2 - RSA, not documented) and one symmetric key (explained later). It also contains the code to parse licenses, checks that the system clock hasn't been moved backwards, verifications that it is running on the same hardware, and signature validation for the players. When things work perfectly, the application gives the IBX the XML licenses + encrypted file data, and gets back fresh clean multimedia data.

In theory, this is doomed - all the keys are in the hands of the attacking parties. In practice, the inevitable is delayed by layers of obfuscation and renewability. As long as each version lasts long enough for the next to be prepared, then the system is reasonably secure.

For WM11, IBX files are obfuscated by a tool called "warbird", which is more of an ineffectual surrender chicken. The process likely goes like this, for a large number of IBX components.
1. Generate random key data
2. create source from templates + key data
3. Compile into object files
4. apply "warbird" obfuscations
5. link (shuffling the order of object files)
6. sign

Warbird uses the linkage information in the object files to make certain alterations.
It encrypts certain whole routines, some randomly picked, others based on configuration.
Other routines are seperated into basic blocks (a flow of asssembly statements without a branch), each block is encrypted individually, and the branches are removed (stored in a seperate table).

The encryption is a home grown, weak cipher that uses two 24 bit keys (one for even bytes, the other for odd bytes). The keys are either stored in the IBX, or are calculated in code based on hashing other parts of the IBX to ensure integrity.

To further protect the valuable asymmetric keys, the keys are stored in a mutated form. They are transformed by XORring with a random value, as well as being rotated.

One problem in this scenario is that each IBX has a key, but it is impossible to handle upgrades. If you have IBX v0, and software upgrades you to IBX v1, you want to play all your old files! We handle this in both directions with an associated file (XML, ending in .bla). This file contains your current asymmetric keys, encrypted to a secret private key that only the individualization servers have. When you go to upgrade, this "escrowed" data is encrypted with the new IBX's symmetric key, and stored in the XML file.

Recap:
.key - Obfuscated: ECC key pair, RSA key pair, AES key
.bla - Encrypted to Microsoft key: ECC keypair, RSA keypair, AES key. Encrypted to AES key: ECC/RSA keypairs for PREVIOUS IBX files.

c0redump's method used in fairuse4wm and mirakagi worked by extracting the private ECC key data and AES key from the IBX due to the weak obfuscation. Since the key data is mutated, instead of executing IBX code to undo the mutation, the attack just tried every possible mutation on the ECC key data.

The new IBX tries to prevent these issues by increasing the number of mutations to make the attack infeasible, using more instructions and better checking to make emulation difficult, and improving slightly improving some microobfuscation. Some of the code that came from cloakware can't be rewritten at this time, so some weaknesses remain.

However, this new version complexifies the simple scanning attacks that worked on the prior versions.

people are pork
29th September 2007, 22:10
To answer an unasked question - what can you do?

it is feasible for a moderately skilled attacker to get the keys from any single IBX. Preventing this is impractical. Obfuscation only aims to prevent tools from working over the long term.

The easiest attack to mount, then, is to figure out what registry keys are involved in preventing an IBX downloaded on machine A from being moved to machine B. When you can do this, you can distribute IBX files with the associated keypairs.

This strategy will also cause more grief for the obfuscation team, as the exact methods used will no longer become public.

people are pork
29th September 2007, 22:16
You might try getting a Copy of the Microsoft digital rights management SDK 10.1.2... After all thats how Viodentia did his program... I know that you have to register with MS and buy a licence to use it I think... or find it on a Bittorrent Site


I am unaware of this file being on a bittorrent site. Since each version includes information that will link it to the leaking party, it is unlikely to be leaked.

fairuse4wm did not use this sdk. It used the freely available windows media sdk, however, it used an undocumented API, probably by guessing the parameters. This undocumented API was used to open and walk the hashed datastore (HDS file).
This API will probably be removed from future versions of the public SDK.


As I suspect these "19587 attempts" are just tries to check whether some set of bytes is the private key or not. But does anyone know how we can perform this check? I think about taking one license from the license file and trying to decode content key. It should be "short" and (not sure of this) begin with 7.
It is actually much simpler. The public key is, well, public. The parameters are public now in the freeme doc. The secret key is just an integer.
In ECC, the public key is (IIRC) (Secret Key)*(Generator Point).
So the code does an scalar multiply then does a compare.
There are some optimizations involving projective transforms and other cases, but you will not find the bytes of the key in the IBX (see above post). This isn't AACS stuff.

Ajax_Undone
30th September 2007, 03:31
:cool:My point exactly


Tu kool Now we know where to look... :devil: Thanks bro...

Ajax_Undone
30th September 2007, 03:32
OMG are you Viodentia...

Ajax_Undone
30th September 2007, 04:34
either way I am not writing the decipher and still have no idea what the hell even he has said so its all yours sectroyer...

sectroyer
30th September 2007, 10:05
The point is that I believe he knows what he is saying :) Of course I don't say that I get everything clear but I am starting to see trough the clouds:)

abudara
30th September 2007, 13:04
drmdbg for IndivBox.key v11.0.6000.7000
http://sky.advenbbs.net/bbs/DRMdbg2005.htm

sectroyer
30th September 2007, 21:23
drmdbg for IndivBox.key v11.0.6000.7000
http://sky.advenbbs.net/bbs/DRMdbg2005.htm
Be careful since some versions on this site doesn't work and some do. In other words we can say that it is cracked :)

Aratar
30th September 2007, 23:35
hmm.. I don't really get that drmdbg to work tho

sectroyer
1st October 2007, 01:02
hmm.. I don't really get that drmdbg to work tho I spent two hours trying to install sp2 and validating product key. Then 15 minutes to install (without WGA) WMP 11 and individualize to 11.0.6000.7000 so you can trust when I say that it is cracked :) Just learn japanese or spent some time with google language_tool :D

ssj4android
1st October 2007, 02:55
Why don't you post some instructions for those of us who know no Japanese? It doesn't seem to be working on Vista English for me. Just closes wmp11 shortly after it tries to open.

sectroyer
1st October 2007, 09:12
Why don't you post some instructions for those of us who know no Japanese? It doesn't seem to be working on Vista English for me. Just closes wmp11 shortly after it tries to open.
The problem is that I don't know japanese :) You should consider uninstalling Vista I don't know if it will ever work with Vista :)

ssj4android
1st October 2007, 19:12
Probably :(. Did you just double click the June 4 version and open a file? How did you get the key?
Hm..Does seem to be at least opening now, but it gives me an error when I try to play a DRM'd file. I do get a string followed by an = sign in the debug file on the desktop, but that doesn't seem to work in freeme.

Ajax_Undone
1st October 2007, 19:44
OK maybe i wasnt clear A direct link not a japanese page full of redirects that get me no where... LOL

Aratar
1st October 2007, 21:03
My debug file just contains "1,2,3," that's it. I don't really know if I need any other tools for getting the SID/KID information (I know how I could use them IF that tool would read them out properly, but it doesn't).

sectroyer
1st October 2007, 21:54
As I explained before there is a lot of links on that page. I downloaded all of them and tried. Some are test versions and DO NOT WORK and some are release versions and DO WORK. Please don't ask my which ones since I don't have an idea :) I just did spent some time using google language tool translating part of page to english and I can confirm that AT LEAST ONE of the versions published on this site IS WORKING (at least on my virtual machine :D)! If it is really an import issue for you to have 11.0.6000.7000 cracked just spent some time on finding the right version :)

HD-DVD±RW
2nd October 2007, 02:17
As I explained before there is a lot of links on that page. I downloaded all of them and tried. Some are test versions and DO NOT WORK and some are release versions and DO WORK. ... I can confirm that AT LEAST ONE of the versions published on this site IS WORKING (at least on my virtual machine :D)!

How about posting the WORKING version up on a free file sharing site? The links over there are 404.

sectroyer
2nd October 2007, 14:25
How about posting the WORKING version up on a free file sharing site? The links over there are 404.
Some of them are 404 and some do work :) You just need to choose correct one. First of all I did uninstall my vm with the working version and second I don't intend to help spread tools that are created by other people since I am not anonymous and I want to only be responsible for the code that I write.

abudara
3rd October 2007, 07:20
drmdbg 2007/10/03 08:55
http://ranobe.com/up/src/up227224.zip
zip-pass:6s80W7fl1K1r9XpmTTKlD5733WB983

Schrade
3rd October 2007, 10:09
drmdbg 2007/10/03 08:55
http://ranobe.com/up/src/up227224.zip
zip-pass:6s80W7fl1K1r9XpmTTKlD5733WB983

What language is the readme in that archive? I tried using Google Translate on it from Japanese to English and Chinese to English and it couldn't do anything to it.

SvT
3rd October 2007, 10:22
What language is the readme in that archive? I tried using Google Translate on it from Japanese to English and Chinese to English and it couldn't do anything to it.

The language is Japanese !

I didn't use the readme to get me started, but goodluck !

sectroyer
3rd October 2007, 10:23
Yeah I can confirm that this is the version I was using. It works with my 11.0.6000.7000. I don't know about readme file but in order to make it work you can do as fallows:
1) Run program
2) Choose a directory where you have your asf/wmv/wma files
Be careful since open dialog box on my machine was showing default file name as: ????????????. Just change it to *.*. Select one of the files and hit open.
3) Hit MultiScan.
drmdbg should now show you combination of KID/SID you can then copy this to some text file (drmdbg also makes a copy ) and use it with i.e. FreeMe2.
BTW on this japanese site there is some kind of forum, which unfortunatelly I don't know how to use :D So I have a question to ask. Can someone (who knows japanese) ask taku/inoyan to contact with me. I would like to ask them about few things regarding wm drm in order to improve FreeMe2.

a040900
3rd October 2007, 11:58
drmdbg 2007/10/03 08:55
http://ranobe.com/up/src/up227224.zip
zip-pass:6s80W7fl1K1r9XpmTTKlD5733WB983

I have a question, does it support on vista?

abudara
3rd October 2007, 13:46
I have a question, does it support on vista?

It is not supported.

Aratar
3rd October 2007, 16:32
Ok, this version works flawlessly under WinXP. Thanks for posting.

If you tell it where the tool 'drm2wmv' is located (you can actually specify the directory), it will also modify automatically it's key db file.

P.S.: It doesn't read out any keys on a Vista installation as it seems...

ssj4android
3rd October 2007, 22:34
Nope, doesn't work with Vista. :(

Ajax_Undone
4th October 2007, 01:08
Much thanks

Ajax_Undone
4th October 2007, 01:11
What language is the readme in that archive? I tried using Google Translate on it from Japanese to English and Chinese to English and it couldn't do anything to it.

You have to open it with the Japanese version of Wordpad
(ie have the Japanese support files installed in order to view there alphabet clearly enough to translate it)...:devil:

HyperHacker
4th October 2007, 04:44
I'm pretty sure the English version can view Japanese text as long as you have Asian language support installed. Notepad can, so why not?

Of course it's possible the file isn't in Unicode, so you'd have to set your codepage to Japanese to view it properly.

Ajax_Undone
4th October 2007, 06:07
set its directory to drm2 in the install folder of automate undrm v2.0 it will find the keys and and decryptit will do the rest

DreckSoft
12th October 2007, 23:12
drmdbg 2007/10/03 08:55
http://ranobe.com/up/src/up227224.zip
zip-pass:6s80W7fl1K1r9XpmTTKlD5733WB983

That link is dead :-(
Any mirrors?

noonehome
13th October 2007, 02:23
Ok, I got drmbdg to work. :) I've got a file with the KID/SID info, but I haven't gotten past that. I have tried FreeMe2, but get errors. I was hoping to try the automate undrm v2.0, but haven't had any luck finding them. All the links and torrents I found have been dead (they seemed to have gone out of favor when FairUse4WM came out). Can anyone post or PM me with a working link for automate undrm v2.0?

Thanks

nosun27
13th October 2007, 03:07
it took me forever to find it a few days ago and now I can't find the link again but I kept the setup files. I couldn't get it working w/ IBX 11.0.6000.7000 though. Every time I run it through freeme2 and drm2wmv after getting the keys from drmdbg, my file just came out as nothing but jumbled high pitched noise. But here you go anyway (I also but the latest drmdbg because DreckSoft said the old link was dead):

http://rapidshare.com/files/62172045/undrm.zip

EDIT: I have the new drmdbg now working with drm2wmv, still not with freeme2. I will see if I can get it working with automate undrm. Also, my above link include automate undrm 2.0 as well as the new drmdbg so now there are two mirrors for automate undrm and hopefully that lasts a while.

Wilbert
13th October 2007, 14:18
automate undrm v2.0:

http://www.zshare.net/download/41918547d761bb/

password: ary9tLSM4V5y01NC6hkSiJ0V3PEnSP

mysekurity
14th October 2007, 00:22
Wilbert: One of the files in the ZIP is password protected. Do you have the password?

Schrade
14th October 2007, 03:53
That link is dead :-(
Any mirrors?

http://www.sendspace.com/file/ycv3t3

Krymzon40
16th October 2007, 14:30
I just posted this in another thread, and i think it should go here also:

Ok, I got it to work using Automate unDRM.
FreeMe2 was giving me those corrupt files that sound messed up and only play for a few seconds.
This is with Windows Media Player 11.0.5721.5145 and IndivBox,key v11.0.6000.7000.
I'm also doing it as i'm typing this.

1. So I open up drmdbg 2007/10/03 and in the WMV DIR I browse to where i have my files, i change the ???????????????? to *.*, press enter and open up any one of those files.
2. In the DRM2 DIR I put the directory of the drm2wmv folder located in the automate unDRM directory, "C:\Program Files\Automate unDRM\drm2wmv\".
3. Then I hit multiscan and wait for it to do its thing, you'll know when its done when the last track starts playing. Now you can close drmdbg.
4. Now I open up Automate unDRM Decryptit and select all the files in the folder, I check Delete Original and Decrypt Only and then hit start and wait for that to do its thing.

And finally, like magic, i'm DRM free!

If this works for everyone, then i think I did a good job for my first post

sectroyer
16th October 2007, 15:46
I just posted this in another thread, and i think it should go here also:

To all those that had problems with new drmdbg and FreeMe2 combination did you try latest version of drmdgb (the one with 20 bytes fix?) and latest version of FreeMe2 (the one that shows size of SID)?

nosun27
17th October 2007, 01:23
http://rapidshare.com/files/63080546/DRM_Tools.zip

password = password123

Here's a little C# prog I made just to make it a little easier for multiple files. It uses drm2mv.exe and the LATEST drmdbg.exe so make sure you have those files. It's my first C# prog so it will be buggy or it may not even work at all for you so please use at your own risk. I will not take the blame if it messes up anything on your computer. If you believe this is some form of malware then don't download it.

The program, called DRMHelper, finds drm protected media in a directory you specify, including subdirectories, and lists them and give you options on what to do with them. It's similar to FairUseCommander and what it does with FU4WM.

All the instructions are in the Readme.txt so please read that first before you do anything. Again this prog may not work correctly for you as at first I built this program for myself and myself only but then I decided to try and make it work for anyone, but no promises on that.

ALSO, only use drmdbg, drm2wmv, and my prog on media that you legally own and not just files you have "rented." I am not responsible for any of the actions you take

Krymzon40
17th October 2007, 02:00
http://rapidshare.com/files/63080546/DRM_Tools.zip

password = password123

Here's a little C# prog I made just to make it a little easier for multiple files. It uses drm2mv.exe and the LATEST drmdbg.exe so make sure you have those files. It's my first C# prog so it will be buggy or it may not even work at all for you so please use at your own risk. I will not take the blame if it messes up anything on your computer. If you believe this is some form of malware then don't download it.

The program, called DRMHelper, finds drm protected media in a directory you specify, including subdirectories, and lists them and give you options on what to do with them. It's similar to FairUseCommander and what it does with FU4WM.

All the instructions are in the Readme.txt so please read that first before you do anything. Again this prog may not work correctly for you as at first I built this program for myself and myself only but then I decided to try and make it work for anyone, but no promises on that.

ALSO, only use drmdbg, drm2wmv, and my prog on media that you legally own and not just files you have "rented." I am not responsible for any of the actions you take

This works great, the only two improvements i'd like would be having drmdbg multiscan and close automatically like automate unDRM and for it to rename the files and remove the [NoDRM] from the names, thanks

Ajax_Undone
17th October 2007, 02:29
Is there a source for this project...

nosun27
17th October 2007, 16:14
This works great, the only two improvements i'd like would be having drmdbg multiscan and close automatically like automate unDRM and for it to rename the files and remove the [NoDRM] from the names, thanks

http://rapidshare.com/files/63212741/DRMHelper_w._Rename.zip
password: password123

only added the rename thing for now because it was easy. In order to rename you must have the delete option enabled and I'm not really sure how stable the delete option is so backup whatever you test it on. It worked for me but I can't say it'll work for everyone.

Automating the whole process I'll look into when I have time.