Geekly Articles each Day
📜 ⬆️ ⬇️

Under the black flag post, or As I did not put your video course on the tracker

captain_flint.jpg

Hi, Habr! In difficult times we live, do not you? People are selfish, do not recognize the value of other people's work, they like to come to everything at once ready. Intellectual property for many in general looks like nothing more than a bureaucratic joke: “How can this be so? Information should be free, because this is IN-FOR-MA-CI-I !!! 11”. I agree, ideally it is. These are your anarchies, the rebel sentiments and the philosophy of underground hackers / pirates, guarding the rights of the common people, are not alien to me. But the paradox is that true justice is also to repay everyone for their work and services, so in most cases piracy is an antagonistic enterprise. But here the policy of providing services for the protection of intellectual property, offered by such a wonderful vendor as InfoProtector, caused me righteous anger.

Under the cut, the story of how I acquired a paid video course, fell into the sediment after realizing that I could not save videos from it for re-viewing in the future, I got angry at those who scrapped this quasi-protective software (which, ruthlessly lays and eats a lot of machine resources) and decided to restore justice a little ... Without breaking the law, of course. Amen.
DISCLAIMER. All of the following is published for research purposes and is intended to perform an educational function only. The author is not responsible for the misuse of information from this post and in no case does not call to perceive it as a "guide to action."

How it was


I had a free weekend, and I decided to post honestly earned XXXX p. at 5-hour video course. We call it the “Refresher course for the catering worker” so that there are no parallels. In general, I am not a supporter of perception of information through video tutorials (oh, very counterproductive), but I could not resist right here - I fell victim to colorful advertising banners.

I paid for it, I received a letter to the mail containing links to download materials, invented (links) by the randomizer of InfoProtector and spat out onto a nearby CDN. In the body of the letter - thanks to the author for the acquisition and registration key, which offered to activate the purchase.
')
Download the archive. In the archive folder. In the folder executable file. In the executable file is an egg. I run exe'shnik - here I have been given the whole truth, which in a free retelling sounds something like this (read in a nasal voice):
The video information protection mechanism of InfoProtector Company has been applied to this video course; Internet access is required for the first launch (read “product activation”) ; viewing videos is only possible from our program, from our player; video course installation is possible only on two computers (the video course is tied to the OS / hardware environment configuration, as it turns out later).

Here at this moment I was a little upset. That is, not only did they call me a dishonest person, who would just be able to deprive someone else's work of monetization, but also the course for which I had laid out a decent amount would be available to me only before reinstalling the system.

"That will not do," I decided, and began a series of experiments.

Restrictions imposed by InfoProtector


In order not to waste time, for a start I turned to the world wide web to find out what people had already dug up about the mechanism of protection of these guys (all the details of the work of protection, of course, are not disclosed).

What was possible to learn:

  1. The activation key is generated randomly when paying for the course and is used to be an authenticated server, which, if successful, sends the client an AES key to decrypt the video materials available from under the company's custom player. Reversing the application for a long time and the most time-consuming (that is, it is inappropriate for this kind of task), so I decided to leave this way.
  2. The use of screen recording tools is mercilessly blocked in a number of areas: the player and any screen capturer cannot be simultaneously launched on the same host, since the program will detect running processes with their metadata: window title names; description of executable files; names of vendors embedded in exe's capture apps; even the browser opened on the page, in the title of which there is the word “Fraps”, for example, is also subject to alert and shutdown of the player.
  3. Sandboxes, virtual machines and streaming of content from remote connections (rdesktop, RAdmin, TeamViewer) is also not an option - not for years does clever software know how to identify them, suicide at every opportunity.

But despite the last two points, the screen recording remains the most realistic attack vector, which can be implemented in several ways:

  1. Find a capture program that does not contain beacon words in its name / manufacturer / description that InfoProtector does not know, and which, therefore, the latter will not trigger. Cons: long, boring and not a fact that, in principle, doable.
  2. Find an open-source product with the necessary functionality, and compile your version of the screen hijacker, replacing in the source code all that the protection of InfoProtector in theory may seem suspicious. Cons: long, boring, time consuming (usually such projects are rather cumbersome, consist of hundreds (?) Of files and have heaps of dependencies in the source code, so just Ctrl-H does not roll, you don’t need to edit mimikatz so that Windows Defender will not be trimmed).
  3. Write your solution on something scripted so as not to risk with a compiled executable file of unknown nature (it is not known what this infection will say), implementing the trivial functionality of quickly taking screenshots from the selected screen area (good, InfoProtector allows it), and separately write sound track, which also turned out to be legitimate and as simple as possible.

Minuses of the third item was not found, so you can proceed.

Screenshot the whole world


First: let's figure out how to automate the process of creating a cloud of screenshots using a script. Of course, this: Python, and more OpenCV , and more MSS , and more PIL .

The process is extremely simple:

  1. Set the size of the player window equal to the resolution of the output video that we would like to have (it is logical to take into account the space for the script controls - a window with a terminal, for example, which should not fall into the recording area). This can be done with such a wonderful software.
  2. Place the player window in such a position as to find which it would be easiest to explain to the script - the lower right corner of the screen (I think the reference system associated with the screen borders is the most convenient option).
  3. Let's add a script already written (which will be a little lower) to take screenshots of this area.
  4. Do not touch this clumsy system during the whole video playback.

Script under spoiler:

fckInfoprotector.py
#!/usr/bin/env python3
# -*- coding: utf-8 -*-

# Usage: python3 fckInfoprotector.py <WIDTH> <HEIGHT>

import sys

import numpy as np
import cv2
from mss.windows import MSS as mss
from PIL import Image


class Capturer:

	def __init__(self, w, h, resolution='1080p', fps=24.975):
		if resolution == '1080p':
			self.monitor = {
				'top': 1080 - h,
				'left': 1920 - w,
				'width': w,
				'height': h
			}

		elif resolution == '1440p':
			self.monitor = {
				'top': 1440 - h,
				'left': 2560 - w,
				'width': w,
				'height': h
			}

		else:
			raise ValueError('Unsupported monitor resolution')

		self.sct = mss()

		self.vid = cv2.VideoWriter(
			'output.avi',
			cv2.VideoWriter_fourcc(*'XVID'),
			fps=fps,
			frameSize=(
				self.monitor['width'],
				self.monitor['height']
			)
		)

	def mainloop(self):
		while True:
			sct_img = self.sct.grab(self.monitor)
			sct_img_size = (sct_img.width, sct_img.height)

			img = Image.frombytes(
				'RGB',
				sct_img_size,
				sct_img.rgb
			)

			frame = cv2.cvtColor(
				np.array(img),
				cv2.COLOR_BGR2RGB
			)

			self.vid.write(frame)


if __name__ == '__main__':
	if len(sys.argv) != 3:
		print(f'Usage: {sys.argv[0]} <WIDTH> <HEIGHT>')
		sys.exit()

	w, h = (int(x) for x in sys.argv[1:3])
	capturer = Capturer(w, h, fps=50.0)

	try:
		capturer.mainloop()
	except KeyboardInterrupt:
		print('Interrupted')



: Windows .

Windows 7: -> -> -> -> -> « »:

1.png

, :

2.png



, , . VirtualDub.

:

3.png

:

4.png

, . . . , , 50- ( , ) $X$, $X$ :

$X=captured\_video\_duration\times 50\div original\_video\_duration$


5.png

, , .

F7! .


? .

-, , . -, , . , .

-, : ( NVIDIA, !), , , , , «», ?

-, : « DVD- !». , . , , ( ), , .

: , , -, (, ), , . , ().

, , – .

-, !

Source: https://habr.com/ru/post/449970/

More articles:


All Articles