MS DRM is pure smoke
Lucas Gonze
Jul. 15, 2003 08:21 AM
Update July 22
Security through obscurity crumbles yet again: Mr. or Mrs. Anonymous posts the exploit below:
The tool being used is GraphEdit, a part of Microsoft's SDK for DirectShow. It shows the underlying encoders/decoders/stream splitters used to get from a file to an output device such as a soundcard, your monitor, or (and this is the 'crack' bit) another encoder's input and a subsequent file. It generally is lossy, because you are reencoding the decoded stream = generational loss. But it's possible that the bits could be caught before decoding, and shunted into a custom-written filter that instead of decoding the bitstream, just writes it to a file after decryption.
Update #2
Followup info is that the exploit Anonymous documented is a different one than I was originally looking for, meaning that there are two, and that the one which is not yet known does produce listenable audio. Secondly, the issue is not whether the re-encoding is lossy, which some people have been microfocused on, but whether it's listenable. As long as you either re-encode with the same encoder used originally or re-encode without compression, the exploit given by Anonymous should sound the same as the file with DRM. (I'm just restating the point made by Tom below.)
Update July 19
Score one for security through obscurity. I haven't found a detailed explanation of the exploit, and I'm out of time for looking. The best documentation I have is mails from the wm-talk list, which I have archived here in mbox format -- you'll need to import these into your mailer to make the file readable. Worth pointing out: check out the post below titled "Digital becomes Analog."
Update July 15
The crack turns out to be lossy. It grabs the audio stream at rendering time, so doesn't have access to the unencrypted bytes. That said, this is all gossip. I still don't have access to either the details of the exploit or technical documentation, so can't judge for myself. There's no public documentation on the design of WM9 DRM (or iTunes DRM, for that matter). If any regulars on AVSForums run across the original reference, I'd be grateful for a pointer.
Folks on AVSforums say they have successfully used tools from the Microsoft software development kit to rip and re-encode audio protected by Microsoft DRM in the WindowsMedia 9 format. This is only a rumor at this point -- I haven't seen the crack myself, but WM9 developers seem to be taking it as gospel.
How did these criminal masterminds pull off this incredible feat? Did they crack an encryption key? Did they beat an MS employee with a rubber hose? Did they heat a CPU in a microwave oven? Was it a buffer overflow? An underflow? What was this remarkable feat?
Incredibly, there was no exploit needed. These wily crackers merely had to write a program using well documented 100% aboveboard functions provided by Microsoft. It was not hard, involved no breakthroughs, did not depend on reverse engineering, and did not need a key. All they did was build the right DirectShow graph, and since DirectShow is a tool for third party software developers to build shipping software, ISVs can easily offer an all-in-one solution to strip DRM from content without fear of the DMCA.
What this means is that the DRM on which both Microsoft and their many partners in the RIAA and MPAA are counting is nothing but a sham. There is no DRM in MS DRM.
Lucas Gonze works on Webjay, XSPF, and a survey of playlist formats.
-
and?
2004-09-21 22:05:57 Lucas Gonze |
[View]
So what is it?
-
drm cracked
2004-09-21 18:38:18 terra99 [View]
i have an easy work around using microsoft products to fully unprotect drm files.
took me 15 mins tweaking to do it
-
drm cracked
2007-06-13 09:13:31 rj007 [View]
I have some video clips with DRM protection and I don't have the license. Also, when I try to open that file in media player it will automatically go to the internet for a license. Can anybody help me with how to open these files without the DRM license file? Is there any way to open this file or convert it to another format to open? Plzzzz help me
reply to me sololoewe_007@hotmail.com
-
drm cracked
2006-01-24 00:53:24 Trend [View]
did u manage to crack wmp 10???
-
drm cracked
2004-10-05 01:24:10 bmeola [View]
care to share?
-
DSPlay or PlayWndAsf
2003-11-17 01:59:22 anonymous2 [View]
In DirectX 9 there is sample code to play DRM content, PlayWndAsf. And in Media SDK there is sample code for DSPlay. A good coder should be able to save the movie after DRM has opened the file.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmform/htm/sampleapplications.asp
-
DSPlay or PlayWndAsf
2004-01-16 18:54:03 anonymous2 [View]
sorry, but I don't understand..
What I have to do to play a video that is protected by DRM?
Can someone explain well please?
Thanks
-
DSPlay or PlayWndAsf
2003-11-18 12:20:00 Lucas Gonze |
[View]
Well, this is what I don't understand about DRM and the Windows Media Framework. To keep you away from the decrypted bytes, they have to keep you out of the filter graph, and if they keep you out of the filter graph then you can't write plugins. The whole architecture becomes useless.
-
Do not have "Secure Audio Path" Enabled?
2003-07-22 15:04:44 anonymous2 [View]
Perhaps the license rights for the files did not have the flag set that requires the PC to have a Secure Audio Path?
Very few MSDRM licenses will have this set as it only works (sometimes) on Windows ME and Windows XP with (I believe) certified audio drivers.
i.e. if you use the flag you remove a large percentage of your potential audience.
The facility is there in the DRM to remove the chance of this "exploit", but PCs aren't at that stage yet to fully support it, and at the end of the day you can *always* do LINE OUT->LINE IN if you really want to rip off some music and stop the artists/labels from getting paid.
> Chaz <
-
Do not have "Secure Audio Path" Enabled?
2003-09-17 23:18:44 anonymous2 [View]
Nope. With watermarks embedded in the audio signal, connecting line out to line in doesn't work. The sound card (either the hardware directly or the software driver) will refuse to accept the signal from line in, and just become silent once it detects the watermark. The newest drivers for some sound cards already have this "feature", and in the future it will likely be everywhere (it may be even required by law).
-
So what if it's lossy?
2003-07-22 11:52:38 anonymous2 [View]
There is so much whining about lossy here, but I think it's overblown since it only has to be lossy one time. It's not like every time every user ever hums the freakin' tune it's going to lose some more quality.
A little lossy one time doesn't seem like a very solid DRM program to me even if it is a little lossy one freakin' time.
Boy what a bunch of whiners.
-
Lucas Is Pure Smoke
2003-07-22 10:33:28 anonymous2 [View]
He got this info from the WMTALK list last week and recirculated it. Credit should be given to Brandon Wirtz for exposing this flaw to MS.
Lucas I think you're a punk.
__________________________________________________
Christopher Levy, CEO and Founder // NFA Group Inc.
[q] 150595707
[c] 619.838.3840
[a] streamOG
[e] clevy@nfagroup.com
[2] streamOG@vztext.com
-
You Are Pure Smoke
2003-07-22 14:00:11 anonymous2 [View]
This isn't a flaw or an exploit... the most secure audio/video files simply won't play at all on the PC. All of the rest can be "ripped" via lossy re-encoding.
-
Lucas Is Pure Smoke
2003-07-22 11:47:43 Lucas Gonze |
[View]
For those who don't follow wm-talk, Christopher was one of those attempting to keep this a secret. Read this wonderful great excellent message from him as "Drat! You haven't heard the last of me!"
-
Digital becomes Analog
2003-07-19 10:40:21 anonymous2 [View]
The DRM decoding and re-encoding is a regression back to analog re-recording degeneration. Thanks Microsoft, MPAA, RIAA, etc., for turning the technological clock back.
-
Unless you control the hardware, too . . .
2003-07-15 17:57:53 anonymous2 [View]
. . . nothing will be uncrackable. Hence the NGSCB or "Palladium" efforts.
-
this article is smoke
2003-07-15 15:40:47 anonymous2 [View]
-
re-encode == LOSS of quality
2003-07-15 11:12:23 anonymous2 [View]
there is a quality loss, you will always be able to re-encode DRM protected music, but there is a loss.
cracking the DRM would be getting to the encoded code out of the "encryption", without a re-encode.
there are numerous ways to re-encode an AAC file purchased from the iTunes Music Store.
-
re-encode == LOSS of quality
2003-07-15 12:47:31 Lucas Gonze |
[View]
depends on how the re-encode works. Putting a microphone up to the speaker is one thing, picking up bits direct from the original is another. Can't say I know enough about this yet to say which one it is, but I'm inclined to believe it's direct bits because it happens within WM9, so there's no analog conversion.
-
re-encode == LOSS of quality
2003-07-15 13:46:41 anonymous2 [View]
If you use a lossy encoding there is a loss of quality every time you re-encode (in theory I think this need not be true in some cases, but in practice it is).
Take any JPG picture you have, save it as a non-JPG format, reload it, and save it as a JPG again. Then compare the two images pixel for pixel. They will no longer be identical. The new one will in fact be worse. Even if you used the same quality level. (this doesn't apply to "lossless JPG"...but nobody uses that)
The effect is worse if you use compression methods that make different assumptions about what things can be lost without noticing (converting an MP3 to a WAV and back 10 times will do less damage than converting the MP3 to an OGG and back 5 times...not because OGG is worse than MP3s, but because it makes a different set of choices about which set of frequencies mask alterations in other sets of frequencies and other similar things).
If the "re-encode" is to a lossless form though, then the re-encode doesn't hurt things. If the "re-encode" isn't really a re-encode, but some sort of clever manipulation of the bit stream it can also be harmless (for example JPG was designed so that you could rotate it 90 degrees without re-encoding it...and that you can re-encode an 8x8 (or 16x16?) block without altering the rest of the image)...but those are special cases. It is possible that the "remove DRM" trick also doesn't re-encode the bit stream but strips off a DRM header, or even strips said header and unencrypts the bits, but it doesn't seem all that likely.
-
re-encode == LOSS of quality
2003-07-22 12:15:10 anonymous2 [View]
Similarly to how JPG has "lossless re-encode," there isn't really any good reason that you couldn't reencode an MP3 or MPEG-4 video. The point is that the original encode suffers loss, but in doing so puts the image in an easily-compressible form (by blocking it and removing high-frequency noise, etc.). After decoding it's still in this form, and so if you were to compress using the same parameters, you should get essentially the same file out.
(This gets less and less likely the more complicated the input format is, but I think at least it would work for MP3.)
- Tom 7
-
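The generational-loss argument in the two comments above, as an added example that is not part of the original thread: a toy codec (8-sample DCT with a uniform quantizer; the block size, step sizes and test signal are assumptions, not any real format) is run repeatedly with the same settings and then alternated with a second, coarser quantizer.

```python
import math

N = 8  # block size of the toy codec (assumption, not any real format)

def _basis(k, n):
    scale = math.sqrt((1 if k == 0 else 2) / N)
    return scale * math.cos(math.pi * (n + 0.5) * k / N)

def dct(block):
    """Orthonormal DCT-II of one N-sample block."""
    return [sum(x * _basis(k, n) for n, x in enumerate(block)) for k in range(N)]

def idct(coeffs):
    """Inverse of dct() (transpose of the orthonormal basis)."""
    return [sum(c * _basis(k, n) for k, c in enumerate(coeffs)) for n in range(N)]

def lossy_pass(pcm, step):
    """One encode+decode generation: quantize each DCT coefficient to a
    multiple of `step`, then decode back to integer PCM samples."""
    out = []
    for i in range(0, len(pcm), N):
        quantized = [step * round(c / step) for c in dct(pcm[i:i + N])]
        out.extend(round(s) for s in idct(quantized))
    return out

def rms_error(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)) / len(a))

def generations(pcm, steps):
    """Apply one lossy pass per entry in `steps`; return the RMS error
    against the original after each generation, plus the final signal."""
    errors, current = [], pcm
    for step in steps:
        current = lossy_pass(current, step)
        errors.append(rms_error(pcm, current))
    return errors, current

# Constructed test signal: two tones, 64 samples (a multiple of N).
SIGNAL = [round(900 * math.sin(0.31 * n) + 400 * math.sin(1.7 * n)) for n in range(64)]

if __name__ == "__main__":
    # PCM rounding moves a coefficient by at most sqrt(8)/2 ~ 1.41, less than
    # half of either step, so a same-step re-encode lands on the same integers.
    same, _ = generations(SIGNAL, [8, 8, 8, 8])      # same codec every time
    mixed, _ = generations(SIGNAL, [8, 20, 8, 20])   # alternate two codecs
    print("same codec :", [f"{e:.2f}" for e in same])
    print("two codecs :", [f"{e:.2f}" for e in mixed])
```

The same-step chain reports one error value for every generation, because the first pass is a fixed point of the codec; the alternating chain's error depends on the signal.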
re-encode == LOSS of quality
2003-07-15 16:10:16 Lucas Gonze |
[View]
There are two reasons to believe this isn't a lossy re-encoding. One, the way that WM9 works is that your code is inserted into a set of filters, and you have access to just about anything given that you insert yourself in the right spot. (That's based on limited understanding -- I'm a newbie with WM9 development). Two, WM9 DRM hackers are taking this seriously. So the most likely situation is that you can get access to highest-resolution bits available.
On the other hand, I'm having a hard time finding details of the crack. The WM9 folks have decided I'm a script kiddie, and the AVSForums search is not the greatest, so I'm stuck crawling AVSForums manually.
-
re-encode == LOSS of quality
2003-07-22 09:58:55 anonymous2 [View]
The tool being used is GraphEdit, a part of Microsoft's SDK for DirectShow.
It shows the underlying encoders/decoders/stream splitters used to get from a file to an output device such as a soundcard, your monitor, or (and this is the 'crack' bit) another encoder's input and a subsequent file.
It generally is lossy, because you are reencoding the decoded stream = generational loss.
But it's possible that the bits could be caught before decoding, and shunted into a custom-written filter that instead of decoding the bitstream, just writes it to a file after decryption.
-
re-encode == LOSS of quality
2003-07-22 14:33:06 anonymous2 [View]
Does this apply equally to video, or to audio only?
-
Pathetic
2003-07-22 13:58:12 anonymous2 [View]
Try connecting the Line Out of your soundcard back to the Line In of the same PC... poof, no DRM!
You're just doing exactly the same thing in software... next time try catching the stream before it hits the audio renderer and we'll have something to talk about.
-
re-encode == LOSS of quality
2003-07-22 10:07:11 Lucas Gonze |
[View]
Anonymous, you are the rockest man alive. Huge props to you.
-
re-encode == LOSS of quality
2005-04-11 04:54:22 ccnz2 [View]
I'm trying to use graphedit with a .wmv file....
basically even though I have it saved on my hard drive whenever it opens in media player it acquires the licence every time I play it.
I downloaded it from a sports site that shows games footage and think it is rubbish that you can't open it or save it without it doing this.
It's sports clips not a damn feature film DVD!! this licensing media is a joke...I thought my subscription paid for my rights to the file but obviously not. Anyone know of an easy way round this?
Weblog authors are solely responsible for the content and accuracy of their weblogs, including opinions they express, and O'Reilly Media, Inc., disclaims any and all liability for that content, its accuracy, and opinions it may contain.
This work is licensed under a
Creative Commons License.







