A post under the black flag, or how I did not upload your video course to a tracker
Hello, Habr! We live in difficult times, don't we? People are selfish, do not recognize the value of other people's work, and like to get everything ready-made. To many, intellectual property looks like no more than a bureaucratic joke: "How can that be, information should be free, because it is IN-FOR-MA-TION!!!11". I agree, ideally that is so. This anarchy of yours, the rebellious moods and philosophies of underground hackers and pirates who guard the rights of ordinary people, is not alien to me. But the paradox is that true justice also means rewarding everyone for their work and merits, so in most cases piracy is an antagonistic enterprise. Yet the approach to intellectual property protection offered by such a wonderful vendor as InfoProtector provoked righteous anger in me.
Under the cut is the story of how I bought a paid video course, was dismayed to realize that I could not save its videos for re-watching in the future, got angry at those who had bolted on this quasi-protective software (which, among other things, lags mercilessly and eats a lot of machine resources), and decided to restore justice a little... Without breaking the law, of course. Amen.
DISCLAIMER. All of the following is published for research purposes and is intended to serve an exclusively educational function. The author is not responsible for unlawful use of the information in this post and in no way urges readers to treat it as a "guide to action."
How it was
It was a free weekend, and I decided to spend an honestly earned XXXX rubles on a five-hour video course. Let's call it the "Refresher course for the catering worker" so that no parallels can be drawn. In general, I am not a fan of absorbing information through video lessons (oh, very counterproductive), but here I simply could not resist: I fell victim to colorful advertising banners.
I paid, and an e-mail arrived containing links to download the materials; the links were generated by InfoProtector's randomizer and pushed out to a nearby CDN. The body of the letter contained the author's thanks for the purchase and a registration key with which I was asked to activate the purchase.
I download the archive. The archive contains a folder. The folder contains an executable file.
The InfoProtector digital information protection mechanism has been applied to this video course; the first launch (read "product activation") requires Internet access; the videos can be watched only from our program, in our player; the video course can be installed on only two computers (the course is tied to the configuration of the OS / hardware environment, as it turns out later).
At this point I got a little upset. That is, not only had they called me, right from the doorstep, a dishonest person who only wants to deprive someone else's labor of monetization, but the course for which I paid a decent amount would be available to me only until the system was reinstalled.
"That won't do," I decided, and began a series of experiments.
InfoProtector restrictions
So as not to waste time, I first turned to the World Wide Web to find out what people had already figured out about these guys' protection mechanism (all the subtleties of how the protection works were, of course, not disclosed).
What I managed to find out:
- The activation key is generated randomly when the course is paid for and is used to authenticate to a server which, on success, sends the client an AES key to decrypt the video materials, which can be viewed from the company's custom player. Reversing the application would be long and laborious (i.e., impractical for this kind of task), so I decided to abandon this path.
- Screen recording tools are ruthlessly blocked on several fronts: you cannot run the player and any screen capturer on the same host at the same time, because the program detects running processes by their metadata: window titles; executable file descriptions; vendor names embedded in the capture applications' exe files; even a browser open on a page whose title contains the word "Fraps", for example, triggers an alert and shuts down the player.
- Sandboxes, virtual machines, and streaming content over remote connections (rdesktop, RAdmin, TeamViewer) are also not an option: over the years the software has learned to detect them, killing itself at every opportunity.
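The metadata matching described in the second point above, sketched as an added example (not InfoProtector's code and not part of the original post); the word list apart from "Fraps", the field names and the sample processes are assumptions. It reproduces the browser false positive and shows a field-aware variant that separates file-level metadata from window title text.

```python
from dataclasses import dataclass

# Hypothetical beacon list: only "fraps" is named in the post, the rest is assumed.
BEACON_WORDS = ("fraps", "screen recorder", "screen capture")
STRONG_FIELDS = ("description", "vendor")  # set by whoever built the binary
WEAK_FIELDS = ("window_title",)            # often arbitrary content, e.g. a page title


@dataclass
class ProcMeta:
    exe: str
    window_title: str
    description: str
    vendor: str


def beacon_hits(proc, words=BEACON_WORDS):
    """Return (field, word) pairs for every beacon word found in the metadata."""
    hits = []
    for field in STRONG_FIELDS + WEAK_FIELDS:
        value = getattr(proc, field).lower()
        hits.extend((field, w) for w in words if w in value)
    return hits


def naive_verdict(proc):
    """Behaviour described in the post: a hit in any field stops the player."""
    return "block" if beacon_hits(proc) else "allow"


def field_aware_verdict(proc):
    """Block only on file-level metadata; a title-only hit is queued for review."""
    fields = {f for f, _ in beacon_hits(proc)}
    if fields & set(STRONG_FIELDS):
        return "block"
    return "review" if fields else "allow"


# Constructed sample processes (not taken from a real system).
SAMPLES = [
    ProcMeta("capture.exe", "Recording", "Example Screen Recorder", "Example Vendor"),
    ProcMeta("browser.exe", "Fraps review - Example Browser", "Example Browser", "Example Vendor"),
    ProcMeta("editor.exe", "notes.txt", "Text Editor", "Example Vendor"),
]


def report(samples=SAMPLES):
    """One row per process: (exe, naive verdict, field-aware verdict)."""
    return [(p.exe, naive_verdict(p), field_aware_verdict(p)) for p in samples]
```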
But despite the last two points, the most realistic attack vector remains screen recording, which can be implemented in several ways:
- Find a capture program whose name / vendor / description contains no beacon words, one that InfoProtector does not know about and which therefore will not trigger it. Cons: long, boring, and no guarantee that it is doable in principle.
- Find an open source product with the necessary functionality and compile your own version of the screen capturer, replacing in the source everything that might in theory look suspicious to InfoProtector. Cons: long, boring, time-consuming (such projects are usually rather cumbersome, consist of hundreds (?) of files and have heaps of dependencies in the sources, so a simple Ctrl-H will not do; this is not like editing mimikatz so that Windows Defender does not flag it).
- Write your own solution in some scripting language, so as not to take risks with a compiled executable of unknown nature (who knows how this pest would react to it), implementing the trivial functionality of quickly taking screenshots of a selected area of the screen (fortunately, InfoProtector allows this), and record the audio track separately, which also turned out to be legitimate and as simple as possible.
No cons were found for the third option, so we can proceed.
Screenshot the Planet!
First, let's figure out how to automate taking a cloud of screenshots with a script. Of course, this means Python, plus OpenCV, plus MSS, plus PIL.
The process is extremely simple:
- Set the player window size equal to the resolution of the output video we would like to have (it makes sense to leave room for the script's controls, a terminal window for example, which must not fall into the recording area). This can be done with this wonderful piece of software.
- Place the player window in a position that is easiest to describe to the script: the lower right corner of the screen (I think a coordinate system tied to the screen borders is the most convenient option).
- Point the already written script (shown a little below) at this area to take screenshots.
- Don't touch this awkward setup for the entire duration of video playback.
Script under the spoiler:
fckInfoprotector.py
```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Usage: python3 fckInfoprotector.py <width> <height>

import sys

import numpy as np
import cv2
from mss.windows import MSS as mss
from PIL import Image


class Capturer:
    def __init__(self, w, h, resolution='1080p', fps=24.975):
        # The capture region is anchored to the lower right corner of the screen
        if resolution == '1080p':
            self.monitor = {
                'top': 1080 - h,
                'left': 1920 - w,
                'width': w,
                'height': h
            }
        elif resolution == '1440p':
            self.monitor = {
                'top': 1440 - h,
                'left': 2560 - w,
                'width': w,
                'height': h
            }
        else:
            raise ValueError('Unsupported monitor resolution')

        self.sct = mss()
        self.vid = cv2.VideoWriter(
            'output.avi',
            cv2.VideoWriter_fourcc(*'XVID'),
            fps=fps,
            frameSize=(
                self.monitor['width'],
                self.monitor['height']
            )
        )

    def mainloop(self):
        while True:
            sct_img = self.sct.grab(self.monitor)
            sct_img_size = (sct_img.width, sct_img.height)
            img = Image.frombytes(
                'RGB',
                sct_img_size,
                sct_img.rgb
            )
            # PIL yields RGB, while OpenCV expects BGR channel order
            frame = cv2.cvtColor(
                np.array(img),
                cv2.COLOR_RGB2BGR
            )
            self.vid.write(frame)


if __name__ == '__main__':
    if len(sys.argv) != 3:
        print(f'Usage: {sys.argv[0]} <width> <height>')
        sys.exit()

    w, h = (int(x) for x in sys.argv[1:3])
    capturer = Capturer(w, h, fps=50.0)

    try:
        capturer.mainloop()
    except KeyboardInterrupt:
        print('Interrupted')
    finally:
        # Finalize the AVI container so that the file is playable
        capturer.vid.release()
```
Recording the audio track
Well, this part is quite elementary: Windows lets you do this with built-in tools.
For Windows 7: Start -> Control Panel -> Hardware and Sound -> Sound -> Record -> Show disabled devices and select “Stereo Mixer”:
Now our already awkward setup gains one more button that must also be clicked when recording starts:
Combining the two halves into a whole
Once the video and sound are ready, it remains to glue them together. We will do this in a wonderful video editor called VirtualDub.
Let's open the video:
Add an audio track:
Change the frame rate of the video, because in the original player it turned out to be unstable. So that the video and audio have the same length, we reduce the frame rate from 50 (we deliberately took it with a margin when recording) to a value calculated by the formula:
Yes, with this approach there may be slight desynchronization between voice and picture, but that is a necessary sacrifice.
Add video compression if desired and press F7! We have a video from the video course.
In closing
Why is this post filled with such indignation? I will try to explain.
Firstly, when buying the course I never found any mention that its use would be restricted in every possible way. I specifically went back to the store's page and tried to find at least something in the offer agreement indicating that, in order to use the course, I would be tied to a specific personal computer. No, the agreement contains only standard wording.
Secondly, I don't understand the logic of our friends at InfoProtector: why so much effort and such crooked software (which even complained about the NVIDIA drivers as a screen recording tool!) if, in the end, an attacker too lazy to deal with the nonsense described here can simply make a "cam rip" by placing a camera on a tripod in front of the monitor?
Thirdly, many will say: "But DVDs were copy protected too!" Yes, they were. Only I could take the disc anywhere, watch it as many times as I needed (I have the right), and it would work just as well no matter how many computers I changed.
Therefore I offer InfoProtector a more effective solution: not only kill the player when a scripting language interpreter process is detected, but also require everyone who buys the course to have a webcam, to which an employee (even a junior one) is assigned who vigilantly records whether the viewer is doing anything illegal. I think this will solve many piracy problems (no).
I did not violate the Law and the Great Treaty, I did not upload the materials to the Internet and am not going to; my only crime is curiosity.
Yo-ho, louder, devils!