Wednesday, February 28, 2007

Unprotecting DRM v2-protected WMV files

Some WMV files are protected using Microsoft DRM version 2; however, this version is not the only one out there, and one must check whether it is this version or not before attempting to crack it...

First of all, you have to have the key, since you cannot simply crack any protected content wherever it is found...
If you are using WMP version 10 you should switch to 9; this is done by removing it from Add/Remove Programs. You could also download WMP version 9 from Microsoft...
If your system comes with WMP 10+ you should use XPlite or something similar to strip WMP out of Windows...
When you run the movie for the first time it will attempt to connect to the internet; once done, it might ask you for the username/password for playing this protected content. Upon entering the correct data, the movie will play even if you disconnect from the internet, since a version of the key is stored cached in \Documents and Settings\All Users\DRM I think... however, this need not concern us now.
Download unDRM from http://bradleybeast.com/sec/unDRM.zip; it will also explain this stuff in addition to the real program which we need... Automate unDRM.
Copy the DLLs from step 2 in the mentioned zip file to windows\system32 (overwrite if prompted).
Automate unDRM didn't work with its script, so I had to use the commands separately, i.e. run
drmdbg.exe from wherever you installed Automate unDRM. It'll show the WMP; open the encrypted file and it will obtain the key and put it on your desktop.
Copy drm2-i.key from your desktop to drm2wmv_e\drm2 and drag and drop the protected content onto drm2wmv_e.exe. It'll extract the unprotected content for you and place it in the same folder where the protected content resides...
Enjoy...


Tuesday, February 27, 2007

Worm Hunting!!

I use YMSGR rarely... because I hate it, but once I received this message from a friend; it was a link to a Miss World something picture, don't know. I knew from the first glance (smart me) it was one of the stupid Yahoo Messenger worms going around nowadays :)
The funny thing is the attacker used a registered domain with .info. And again used a .jpg that contained HTML to redirect the page to the index, where a series of decrypting and script constructing is done, which was JavaScript; then the result will be VBScript to be executed using the Microsoft.XMLHTTP vulnerability (not sure about it, since it's a scripting thing) to download and execute the "YMworm.exe" and "worm2007.exe" files. Well, I downloaded these files from that apparently doomed site :) lately, and used:
http://virusscan.jotti.org/
to scan these files, which resulted in something like this:


Well, after Googling W32/Sohand.A I found a description on pspl.com, which seemed to show that the one I caught was some sort of another variant of it. For me, I regard it as a stupid worm because it was obviously programmed using VB... although I shouldn't call any worm that was able to reach me through spreading stupid; maybe the people who clicked on that link were stupid, I don't know about that too.
I put it in OllyDbg, but hey.. I am having mid-year exams these days, and another thing: seriously debugging VB-coded stuff is just a pain in the ass thingie :(

To remove the worm, this link might help: Click.


Saturday, February 03, 2007

Code execution in stack

It's been a while since the last time I submitted a post. Life is getting ugly day by day... Things are changing, so I am somehow busier than ever before, but wait, I always do have time to code even if the apocalypse is right now :)

Remember my previous post on using the stack instead of the data section? Well, here I use the stack to put my code there and call it as a function; see next:

;-----------------------code
.386
.model flat,stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc

includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

.data
text_1 db "hello there!",0

.code
start:
mov edi,esp ;destination: the stack
add edi,4 ;just above the current top, so later pushes (which go below esp) cannot overwrite the copy
push edi ;rep movsb advances edi, so keep the start address
lea esi,[espcode] ;source: the block between espcode and endesp
mov ecx,(endesp-espcode) ;its length in bytes
rep movsb ;copy the block onto the stack
pop edi ;start address of the copied block
mov ecx,MessageBoxA ;here we need the actual address of that api, handed to the copied block in ecx
call edi ;execute the copy; its final ret brings us back here

exit:
invoke ExitProcess,0

espcode: ;copied to and run from another address, so this block must be position-independent
push eax
mov eax,edx
pop eax
xor eax,eax ;
dec eax ;was some rubbish code!!
push 0 ;uType
push 0 ;lpCaption
push offset text_1 ;lpText: absolute address in .data, so it survives the copy
push 0 ;hWnd
call ecx ;MessageBoxA through the address passed in ecx
ret ;back to the instruction after "call edi"
endesp:

end start
;-----------------------end of code

As you can see, the only thing we needed was either to change esp or to place our code beyond the esp value, so that the executed code does not get corrupted during execution; I used "add edi,4" so that my code will not get overlapped by the stack. Keep in mind that this only works while the stack is executable: with DEP/NX enforced for the process, the "call edi" into the copied bytes faults instead of running them.

I think the code is self-explanatory...
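Since the whole trick depends on the stack being executable, the mitigation that defeats it is a non-executable stack (DEP/NX), and the first thing to check on a hardened host is whether the process stack carries execute permission. The following C program is an added example, not the post's code: on Linux it parses the [stack] line of /proc/self/maps and reports its permission bits (on Windows the equivalent would be VirtualQuery on a stack address); the maps excerpts used as sample input are constructed, not captured from a real machine.

```c
#include <stdio.h>
#include <string.h>

/* Constructed /proc/<pid>/maps excerpts (not captured from a real host):
   one with a non-executable stack, one with an executable stack. */
const char SAMPLE_MAPS_NX[] =
    "00400000-00401000 r-xp 00000000 08:01 1234   /tmp/demo\n"
    "7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0   [stack]\n";
const char SAMPLE_MAPS_EXEC[] =
    "00400000-00401000 r-xp 00000000 08:01 1234   /tmp/demo\n"
    "7ffd1c000000-7ffd1c021000 rwxp 00000000 00:00 0   [stack]\n";

/* Scans a maps listing for the main-thread "[stack]" mapping and reads its
   permission field ("rwxp" style, third character is execute). Returns 1 if
   the stack is executable, 0 if not, -1 if no [stack] line is found or the
   line is malformed. */
int stack_executable_in_maps(const char *maps)
{
    char line[512];
    while (*maps) {
        const char *nl = strchr(maps, '\n');
        size_t len = nl ? (size_t)(nl - maps) : strlen(maps);
        if (len >= sizeof line) len = sizeof line - 1;   /* truncate long lines */
        memcpy(line, maps, len);
        line[len] = '\0';
        if (strstr(line, "[stack]")) {
            char perms[8];
            /* fields: address range, permissions, offset, dev, inode, path */
            if (sscanf(line, "%*s %7s", perms) == 1 && strlen(perms) >= 3)
                return perms[2] == 'x' ? 1 : 0;
            return -1;
        }
        if (!nl) break;
        maps = nl + 1;
    }
    return -1;
}

/* Applies the check to the running process (Linux only). */
int current_stack_executable(void)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return stack_executable_in_maps(buf);
}
```

A binary built with an executable-stack marking (for example one linked with `-z execstack`) will report 1 here; that is the state in which the trick above still works.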

bye for now
------------------------
