Hacking Windows Media DRM

by Alt229

Like vegetables being thrust into the face of an unsuspecting child, I was recently pushed into the middle of the Digital Rights Management (DRM) debate.

I wish I could say that I was doing something as noble as recreating Star Wars in ASCII format, hacking Microsoft, or leveling up my level 36 night elf druid.  No, I was doing nothing of the sort when I got a first-hand taste of DRM.  I was looking for naked girls.

My "research" started last month while my girlfriend was out of town for the third week in a row and I'd grown seriously tired of the same drunken college girls making out on the same couch with the same drunken frat boys watching.  It seemed like I'd seen everything on the net when I happened to stumble across a site that allowed unlimited downloads of their DVDs for only $30 a month.  Unlimited downloads?  I'd never paid for porn online and hadn't bought printed porn since I was 18, but this seemed like a good deal, so I signed up.  Little did I know, but these guys used some serious DRM.

Here's what you should know about the possibilities of Windows Media DRM:

You have to type your username and password into Windows Media Player every time you play a video.

You have to be online so that Windows Media Player can connect with the licensing server.

You can only play the videos in the Windows version of Windows Media Player.  Macintosh and Linux are not supported.

You will be unable to play any files you've previously downloaded once your account is deleted from the licensing server.

Of course, I didn't learn of these philistine restrictions until after I'd handed over the money, but after I did, the hacker in me knew that there must be a way to unlock these files.  The following is a guide to decoding Windows Media DRM protected video files.

In order to decrypt a Windows Media DRM file, you first need to have rightful access to the file in question.  If you don't know the username and password to play the file, you won't be able to decrypt it with the tools here.  You also need a computer capable of running Windows Media Player in debug mode and copies of two decoding tools named DRM2WMV and DRMDBG to decrypt the data.

Before we get into decrypting a WMV file, let's look at how Windows Media DRM works.

Each WMV file with DRM has two keys associated with it.

One is called a KID and is basically a public key that identifies the file.  The other is the SID, which acts more like a private key.  You'll need both of these to play the file but the hard one to get is the SID.  It's the protected private key that, if in the wrong hands, allows the user to do just about anything to the encrypted content.

The secret to getting this key is to use a little known feature of Windows Media Player: debug mode.

While Windows Media Player is in debug mode, other programs can access variables that are normally hidden away from prying eyes.  The newest Windows Media Player as of this writing is version 10.00.00.3990, which will not work for our purposes.  Microsoft realized that debug mode was the proverbial weak link in the DRM chain so they disabled the use of it when playing a file which is DRM enabled.

The latest version of Windows Media Player that I've seen working is version 9.000.000.3344.  It should be noted that if you've ever installed WMP10 and then reverted to WMP9, this hack will not work.

Now, let's get to implementing the hack.

First, I recommend starting with a fresh copy of Windows XP.  You can do this without having a clean install, but there are various DLLs that need to be a specific version for our little scheme to work properly.  Some graphics and video programs will overwrite these files we depend on, and this will prohibit us from stripping the DRM.  Again, updating to WMP10 will ruin your decrypting efforts.

So, assuming you've got a clean XP install and Windows Media Player 9, we can continue.  First, make sure that you can actually play the video you're trying to decrypt.  If you can't play the file, then you need to troubleshoot why; our tools will not work until the video plays properly.  There was one DRM-related update I had to run for WMP9 to get the video file working in the first place.  Running the update that allowed me to play the video didn't impair my ability to decrypt the file later.  You may have to do the same.

The next step in our decoding process is to get the decoding tools.

There are two programs we'll need.  One is called DRMDBG, which opens Windows Media Player in debug mode and extracts the SID.

The other program, which is called DRM2WMV, decrypts the WMV file with the SID from DRMDBG.

There are different versions of both of these programs, and different versions will work better in different situations.  There are two versions of DRM2WMV.  One is written in Japanese and has cryptic error messages; the other, DRM2WMV_E, is translated into English and has more sensible error messages.  I recommend the English version as it worked much better for me.

As far as DRMDBG goes, there are three versions that I've found: DRMDBG-031, DRMDBG-527, and DRMDBG-621.

They all extract the SID from the WMV file, but I've had the best luck with DRMDBG Version 527.  Normally, you have to scour Winny, Ares, or Gnutella for these files, but I've made an archive of all three versions of DRMDBG and both versions of DRM2WMV to make your life easier.  You can find the archive at www.megaupload.com/?d=5014MCK2.

Once you get and extract this file, you'll notice a bunch of different files and folders.  We'll get to those in a bit.

For now, just run any version of DRMDBG.  It will open up Windows Media Player and wait.  This is when you should open up your protected video file.  The player should contact the licensing server as usual, but then it should quit, and you should see a message saying that the KID and SID were copied to the clipboard.  If the file doesn't play or if the file just plays normally, then DRMDBG is having trouble getting the SID.  Try using a different version of DRMDBG.  If none of the versions you have work, check for a newer version online, or install VMware and get a clean install of XP to work with.

Once the SID is copied to the clipboard, you need to put it into a file in the DRM2 folder.  The name of the file you create doesn't matter, but the extension has to be: .key

We'll call the file nodrm.key in our example.  So, make the nodrm.key file and paste the contents of the clipboard into it.

A sample key follows:

<DRM2WMV2>
<KID>oxQ+ql0iWEGMTEHW9U6erQ==</KID>
<SID>tD6TrfMAnMgeIzQleWVlGEODHGs=</SID>
<INFO>Z:\Movies\Pr0n\video_with_drm.wmv</INFO>
</DRM2WMV2>

When you paste the key, it will all be on one long line and contain weird carriage returns.

I replaced those strange characters with actual carriage returns here but you don't have to worry about doing so yourself; the program will work fine with the badly formatted text as it is.  You can also place multiple keys into one file; just place each of them on a new line.  Now save the file.
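
For anyone who has to recognise these files during forensic triage, the key-file layout described above can be checked with a short script.  This is an added example, not code from the article or from the DRM2WMV/DRMDBG tools: the function names are hypothetical, the separators between tags are assumed to be ordinary whitespace such as a bare carriage return, and the 16- and 20-byte lengths are simply what the sample KID and SID above decode to.

```python
import base64
import re

# One record as laid out in the article's sample key.  Whitespace between
# tags (including bare CRs) is tolerated, since pasted keys sit on one line.
RECORD_RE = re.compile(
    r"<DRM2WMV2>\s*<KID>(.*?)</KID>\s*<SID>(.*?)</SID>\s*"
    r"<INFO>(.*?)</INFO>\s*</DRM2WMV2>",
    re.DOTALL,
)

def _decoded_len(value):
    """Return the decoded byte length of a base64 field, or None if invalid."""
    try:
        return len(base64.b64decode(value.strip(), validate=True))
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None

def find_key_records(text):
    """Summarise every DRM2WMV2 record in text without echoing the SID value."""
    findings = []
    for match in RECORD_RE.finditer(text):
        kid, sid, info = (g.strip() for g in match.groups())
        kid_len, sid_len = _decoded_len(kid), _decoded_len(sid)
        findings.append({
            "kid": kid,
            "kid_bytes": kid_len,
            "sid_bytes": sid_len,
            "info": info,
            # Lengths observed in the article's sample (assumption, not a spec).
            "well_formed": kid_len == 16 and sid_len == 20,
        })
    return findings

# Constructed input: the article's sample key collapsed onto one line with
# bare CRs (assumed), followed by a made-up record with an invalid SID.
SAMPLE = (
    "<DRM2WMV2>\r<KID>oxQ+ql0iWEGMTEHW9U6erQ==</KID>\r"
    "<SID>tD6TrfMAnMgeIzQleWVlGEODHGs=</SID>\r"
    "<INFO>Z:\\Movies\\Pr0n\\video_with_drm.wmv</INFO>\r</DRM2WMV2>\n"
    "<DRM2WMV2><KID>AAAAAAAAAAAAAAAAAAAAAA==</KID><SID>not-base64!</SID>"
    "<INFO>C:\\constructed\\sample.wmv</INFO></DRM2WMV2>\n"
)

if __name__ == "__main__":
    for record in find_key_records(SAMPLE):
        print(record)
```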

Now it's time to run the main decrypting tool, DRM2WMV.

This part, if you've made it this far, is the easiest.  Simply run the DRM2WMV command on the file you want to decrypt.  In our example, this will look like this: drm2wmv_e Z:\Movies\Pr0n\video_with_drm.wmv

You should then see a progress bar move across the screen, and a new file will be created called: [nodrm] - video_with_drm.wmv

Notice that when you open the new file, it won't run through any of the authentication techniques and the file is now playable on a Mac!  Sweet!

This isn't the only way to unlock a DRM-protected WMV file.  There is a graphical tool that attempts to decrypt these files (which is included in the ZIP file) more seamlessly, but it didn't work all of the time for me.  Also, there are, and always will be, tools that record the raw output of the media player, but since we lose a generation, I chose not to use this method here.

Thanks!  And happy downloading!
