DRMLab
This commit is contained in:
Binary file not shown.
@@ -0,0 +1,206 @@
|
||||
#!/usr/bin/env python3
|
||||
"""
|
||||
PlayReady public key hash revocation checker.
|
||||
|
||||
- Fetches Microsoft's revocation XML.
|
||||
- Extracts the PlayReady Silverlight Runtime revocation list.
|
||||
- Prints all 32-byte public key hashes (Base64).
|
||||
- If a hash is provided (argv[1] or prompted), reports whether it's revoked.
|
||||
- If 'bgroupcert.dat' in directory, extract the hash and reports whether it's revoked.
|
||||
|
||||
Compatible with Python 3.8+.
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
import base64
|
||||
import struct
|
||||
import sys
|
||||
import uuid
|
||||
from typing import Iterable, List, Optional
|
||||
|
||||
import requests
|
||||
import xmltodict
|
||||
|
||||
# --- Configuration ----------------------------------------------------------------
|
||||
|
||||
REV_URL = "https://go.microsoft.com/fwlink/?LinkId=110086"
|
||||
|
||||
# GUID for PlayReady Silverlight Runtime (as raw bytes like original code)
|
||||
GUID_PR_SILVERLIGHT_RUNTIME = bytes([
|
||||
0x4E, 0x9D, 0x8C, 0x8A, 0xB6, 0x52, 0x45, 0xA7,
|
||||
0x97, 0x91, 0x69, 0x25, 0xA6, 0xB4, 0x79, 0x1F
|
||||
])
|
||||
|
||||
# If construct is available, we’ll use it to parse the binary blob declaratively.
|
||||
try:
|
||||
from construct import Struct as CStruct, Bytes, Int32ub
|
||||
_HAS_CONSTRUCT = True
|
||||
except Exception:
|
||||
_HAS_CONSTRUCT = False
|
||||
|
||||
|
||||
# --- Helpers ----------------------------------------------------------------------
|
||||
|
||||
def _expected_guid_le_hex(guid_bytes: bytes) -> str:
|
||||
"""
|
||||
The source blob compares the first 16 bytes against UUID(...).bytes_le.
|
||||
Keep that exact behavior to match the original script.
|
||||
"""
|
||||
return uuid.UUID(guid_bytes.hex()).bytes_le.hex()
|
||||
|
||||
|
||||
def _parse_revocation_blob_with_construct(blob: bytes) -> Optional[List[bytes]]:
|
||||
"""
|
||||
Parse a revocation list blob using construct (if installed).
|
||||
Format per original code:
|
||||
[0:16] GUID
|
||||
[16:20] unknown / reserved
|
||||
[20:24] entries_count (u32 big-endian)
|
||||
[24: ] entries_count * 32-byte hashes
|
||||
"""
|
||||
if not _HAS_CONSTRUCT:
|
||||
return None
|
||||
|
||||
RevHeader = CStruct(
|
||||
"type_guid" / Bytes(16),
|
||||
"reserved" / Bytes(4),
|
||||
"entries_count" / Int32ub,
|
||||
)
|
||||
|
||||
# First parse header to get count
|
||||
if len(blob) < 24:
|
||||
return []
|
||||
|
||||
header = RevHeader.parse(blob[:24])
|
||||
|
||||
# Verify GUID (same logic/endianness as original)
|
||||
if blob[:16].hex() != _expected_guid_le_hex(GUID_PR_SILVERLIGHT_RUNTIME):
|
||||
return []
|
||||
|
||||
# Extract entries
|
||||
start = 24
|
||||
end = start + (header.entries_count * 32)
|
||||
if end > len(blob):
|
||||
# Truncated blob; be defensive
|
||||
end = min(len(blob), start + ((len(blob) - start) // 32) * 32)
|
||||
|
||||
entries = [blob[i:i+32] for i in range(start, end, 32)]
|
||||
return entries
|
||||
|
||||
|
||||
def _parse_revocation_blob_manually(blob: bytes) -> List[bytes]:
|
||||
"""
|
||||
Manual parser (no construct). Mirrors the original byte slicing exactly.
|
||||
"""
|
||||
if len(blob) < 24:
|
||||
return []
|
||||
|
||||
# GUID check with the same endianness trick as original
|
||||
if blob[:16].hex() != _expected_guid_le_hex(GUID_PR_SILVERLIGHT_RUNTIME):
|
||||
return []
|
||||
|
||||
# entries_count is big-endian u32 at offset 20
|
||||
entries_count = struct.unpack_from(">I", blob, 20)[0]
|
||||
cursor = 24
|
||||
out: List[bytes] = []
|
||||
for _ in range(entries_count):
|
||||
if cursor + 32 > len(blob):
|
||||
break
|
||||
out.append(blob[cursor:cursor+32])
|
||||
cursor += 32
|
||||
return out
|
||||
|
||||
|
||||
def _iter_revocation_lists(xml_root: dict) -> Iterable[bytes]:
|
||||
"""
|
||||
Yields each decoded revocation list (ListData) as raw bytes.
|
||||
Handles the cases where Revocation is a dict or a list of dicts.
|
||||
"""
|
||||
rev = xml_root.get("RevInfo", {}).get("Revocation")
|
||||
if rev is None:
|
||||
return
|
||||
|
||||
items = rev if isinstance(rev, list) else [rev]
|
||||
for item in items:
|
||||
data_b64 = item.get("ListData")
|
||||
if not data_b64:
|
||||
continue
|
||||
try:
|
||||
yield base64.b64decode(data_b64)
|
||||
except Exception:
|
||||
continue
|
||||
|
||||
|
||||
def _fetch_revocation_index(url: str = REV_URL) -> dict:
|
||||
resp = requests.get(url, timeout=20)
|
||||
resp.raise_for_status()
|
||||
# xmltodict produces nested OrderedDict-like structures; dict() is fine
|
||||
return xmltodict.parse(resp.text)
|
||||
|
||||
|
||||
def _collect_public_key_hashes(xml_root: dict) -> List[str]:
|
||||
"""
|
||||
Returns Base64-encoded 32-byte public key hashes from the
|
||||
PlayReady Silverlight Runtime revocation list.
|
||||
"""
|
||||
hashes_b64: List[str] = []
|
||||
|
||||
for blob in _iter_revocation_lists(xml_root):
|
||||
# Try construct first (if available), then fallback
|
||||
entries = _parse_revocation_blob_with_construct(blob) if _HAS_CONSTRUCT else None
|
||||
if entries is None:
|
||||
entries = _parse_revocation_blob_manually(blob)
|
||||
|
||||
if not entries:
|
||||
continue
|
||||
|
||||
for entry in entries:
|
||||
hashes_b64.append(base64.b64encode(entry).decode("ascii"))
|
||||
|
||||
return hashes_b64
|
||||
|
||||
|
||||
# --- CLI --------------------------------------------------------------------------
|
||||
|
||||
def main(argv: List[str]) -> int:
|
||||
try:
|
||||
xml_root = _fetch_revocation_index(REV_URL)
|
||||
except Exception as e:
|
||||
print(f"Failed to fetch or parse revocation index: {e}", file=sys.stderr)
|
||||
return 2
|
||||
|
||||
publickey_hashes = _collect_public_key_hashes(xml_root)
|
||||
|
||||
# Print the list (like the original)
|
||||
if publickey_hashes:
|
||||
print("\n".join(publickey_hashes))
|
||||
|
||||
# Determine the input hash
|
||||
pubkey_hash: Optional[str] = None
|
||||
if len(argv) > 1 and argv[1]:
|
||||
pubkey_hash = argv[1].strip()
|
||||
print()
|
||||
print("Provided hash:", pubkey_hash)
|
||||
|
||||
if not pubkey_hash:
|
||||
bcert = open("bgroupcert.dat", "rb").read()
|
||||
pubkey_hash = base64.b64encode(bcert[0x48:0x68]).decode()
|
||||
print()
|
||||
print("Calculated hash:", pubkey_hash)
|
||||
|
||||
if not pubkey_hash:
|
||||
print("No hash provided.")
|
||||
return 1
|
||||
|
||||
if pubkey_hash in publickey_hashes:
|
||||
print("one of hashes in CRL match the input hash.")
|
||||
print("PlayReady Cert is revoked.")
|
||||
return 0
|
||||
else:
|
||||
print("PlayReady Cert is valid.")
|
||||
return 0
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
sys.exit(main(sys.argv))
|
||||
@@ -0,0 +1,99 @@
|
||||
import base64, json, requests
|
||||
from enum import Enum, IntEnum
|
||||
from hashlib import sha1
|
||||
from Cryptodome.Cipher import AES
|
||||
from Cryptodome.Util import Padding
|
||||
|
||||
class TrackType(str, Enum):
|
||||
SD = "SD"
|
||||
HD = "HD"
|
||||
AUDIO = "AUDIO"
|
||||
|
||||
|
||||
class WidevineError(IntEnum):
|
||||
DRM_DEVICE_CERTIFICATE_REVOKED = 127
|
||||
DRM_DEVICE_CERT_SERIAL_REVOKED = 175
|
||||
INVALID_PSSH = 152
|
||||
INVALID_LICENSE_CHALLENGE = 106
|
||||
|
||||
|
||||
# -------------------------------------------------------------------
|
||||
# Constants
|
||||
# -------------------------------------------------------------------
|
||||
|
||||
AES_KEY = bytes.fromhex(
|
||||
"1ae8ccd0e7985cc0b6203a55855a1034afc252980e970ca90e5202689f947ab9"
|
||||
)
|
||||
AES_IV = bytes.fromhex(
|
||||
"d58ce954203b7c9a9a9d467f59839249"
|
||||
)
|
||||
|
||||
PROVIDER = "widevine_test"
|
||||
CONTENT_ID = "ZmtqM2xqYVNkZmFsa3Izag==" # example content id
|
||||
|
||||
def build_request(challenge) -> dict:
|
||||
"""Build signed Widevine license request payload."""
|
||||
if not isinstance(challenge, str):
|
||||
challenge = base64.b64encode(challenge).decode()
|
||||
|
||||
payload = json.dumps(
|
||||
{
|
||||
"payload": challenge,
|
||||
"provider": PROVIDER,
|
||||
"content_id": CONTENT_ID,
|
||||
"content_key_specs": [{"track_type": t.value} for t in TrackType],
|
||||
},
|
||||
separators=(",", ":"),
|
||||
).encode()
|
||||
|
||||
request_b64 = base64.b64encode(payload).decode()
|
||||
|
||||
# Widevine-style signature
|
||||
digest = sha1(base64.b64decode(request_b64)).digest()
|
||||
cipher = AES.new(AES_KEY, AES.MODE_CBC, AES_IV)
|
||||
signature = base64.b64encode(cipher.encrypt(Padding.pad(digest, 16))).decode()
|
||||
|
||||
return {
|
||||
"request": request_b64,
|
||||
"signature": signature,
|
||||
"signer": PROVIDER,
|
||||
}
|
||||
|
||||
|
||||
def check_response(resp: dict):
|
||||
"""Check for error status and raise if needed."""
|
||||
code = resp.get("internal_status")
|
||||
if not code:
|
||||
return
|
||||
|
||||
try:
|
||||
error = WidevineError(code)
|
||||
raise RuntimeError(f"License error: {error.name} ({code})")
|
||||
except ValueError:
|
||||
# Unknown code, ignore
|
||||
return
|
||||
|
||||
if __name__ == "__main__":
|
||||
pssh = "CAESEFoHzpkm/EolkmbSIjR2qgkaCHVzcC1jZW5jIhhXZ2ZPbVNiOFNpV1NadElpTkhhcUNRPT0qADIA"
|
||||
challenge = "CAQ="
|
||||
|
||||
# 1. Request service certificate
|
||||
cert_resp = requests.post(
|
||||
"https://license.widevine.com/cenc/getlicense/widevine_test",
|
||||
json=build_request(challenge),
|
||||
).json()
|
||||
service_cert = cert_resp.get("license")
|
||||
|
||||
challenge = "" # use pywidevine to generate B64 challenge using pssh, service_cert
|
||||
|
||||
# 2. Issue real license request
|
||||
license_resp = requests.post(
|
||||
"https://license.widevine.com/cenc/getlicense/widevine_test",
|
||||
json=build_request(challenge),
|
||||
).json()
|
||||
|
||||
check_response(license_resp)
|
||||
|
||||
print("level:", license_resp.get("security_level"))
|
||||
print("systemID:", license_resp.get("system_id"))
|
||||
print("status:", license_resp.get("device_state"))
|
||||
Reference in New Issue
Block a user