
how to play a fairplay drm'ed file?

Mark Haase - 26 Dec 2005 04:39 GMT
I think iTunes' movie player really stinks, so I'm trying to write a
replacement player that plays files from the iTunes library. (That way,
I don't have to worry about managing iPod syncing.)

Is there an approved way to play a Fairplay mp4 file? I'm talking about
playing it from a computer that's registered to play it, of course. I
tried playing it with QTKit but it just gives me an error. Non-DRM'ed
files play fine.

Failing that, is there an unapproved way?

|\/|  /|  |2  |<
mehaase(at)gmail(dot)com
Michael Ash - 26 Dec 2005 12:28 GMT
> I think iTunes' movie player really stinks, so I'm trying to write a
> replacement player that plays files from the iTunes library. (That way,
[quoted text clipped - 6 lines]
>
> Failing that, is there an unapproved way?

QTAmateur plays FairPlay'd files just fine. I didn't have to do anything
special to get that capability, either, it just happened. Of course, I get
errors when I try to export them to a different format, but playback Just
Works. It uses QTKit and doesn't do anything tricky.

Signature

Michael Ash
Rogue Amoeba Software

Mark Haase - 26 Dec 2005 18:35 GMT
> QTAmateur plays FairPlay'd files just fine. I didn't have to do anything
> special to get that capability, either, it just happened. Of course, I get
> errors when I try to export them to a different format, but playback Just
> Works. It uses QTKit and doesn't do anything tricky.

Michael,

I actually downloaded QTAmateur by chance yesterday before reading your
reply. I haven't gotten the same results. When I open a protected .mv4
file I get the error message "The document '01 The Dundies.mv4' could
not be opened." I can, however, play a Fairplay AAC file. Is 1.0 the
most recent version?

According to this site, I'm not the only one with this problem:

http://www.oreillynet.com/pub/wlg/8075

What's most interesting is that QuickTime, like iTunes, has hooks to
prevent debugging. These hooks offer strange, vague error codes in order
to throw would-be hackers off the trail. I can understand why, but it
slowed me down a bit trying to figure out how QT Player works.

Michael, is your source for QTAmateur available? Can you tell me what
specific selectors you use to initialize the QTMovie object? I'm using
the factory constructor:

[QTMovie movieWithURL:aFile error:&nsErr];

It looks like QTP might not be doing anything tricky either, it simply
makes a call to

[QTMovie movieWithAttributes:attributesDict error:&nsErr];

I haven't figured out all the attributes it passes yet, but I have
figured out these:

QTMovieDataReferenceAttribute -> *QTDataReference
QTMovieDelegateAttribute -> NSObject
QTMovieUsesPreferredLanguageAttribute -> NSNumber (bool?)

The last one is apparently undocumented. It looks like there might be at
least one more attribute, but I'm not savvy enough with PPC hardware and
GDB to figure out what it is. I gave up last night but I'm going to try
playing around with the movieWithAttributes constructor today and see
what I can do.

|\/|  /|  |2  |<
mehaase(at)gmail(dot)com
tim lindner - 26 Dec 2005 19:34 GMT
> I actually downloaded QTAmateur by chance yesterday before reading your
> reply. I haven't gotten the same results.

I've heard rumors that installing certain QuickTime plugins will disable
playing protected content outside of iTunes.

http://docs.info.apple.com/article.html?artnum=300456

Signature

The ears are too length.
--------------------------------------------------------------
tim lindner:  First initial last name at ix dot netcom dot com

Michael Ash - 26 Dec 2005 19:43 GMT
>> QTAmateur plays FairPlay'd files just fine. I didn't have to do anything
>> special to get that capability, either, it just happened. Of course, I get
[quoted text clipped - 8 lines]
> not be opened." I can, however, play a Fairplay AAC file. Is 1.0 the
> most recent version?

It's not the most recent version that *I* have access to, but the
differences aren't big.

The reason we get different results is because I tried a music file, and
you tried a video file. Apparently the DRM on these two types of files is
different as far as what capabilities it allows. When I try a video file
(which I didn't think of before), I get the exact same error you do.

> According to this site, I'm not the only one with this problem:
>
[quoted text clipped - 4 lines]
> to throw would-be hackers off the trail. I can understand why, but it
> slowed me down a bit trying to figure out how QT Player works.

This is annoying, but the last time I checked it was relatively trivial.
It boiled down to a simple call to ptrace() with PT_DENY_ATTACH. I'm not
going to go into how to defeat it for obvious reasons, but it's not
extremely hard. It's possible that this has been strengthened since I last
looked.

> Michael, is your source for QTAmateur available? Can you tell me what
> specific selectors you use to initialize the QTMovie object?

It's not, although I could provide bits of it (or all of it, I'm not
picky) if it would be helpful. But since it doesn't actually work here,
I don't think it would be.

[snip various details]

I hope you'll keep us posted on this if/when you figure out more about
what's going on. I'd be very interested to know more.

Signature

Michael Ash
Rogue Amoeba Software

Mark Haase - 27 Dec 2005 02:26 GMT
> I hope you'll keep us posted on this if/when you figure out more about
> what's going on. I'd be very interested to know more.

Thanks for the feedback (in the other post as well). I received this
response from Apple today:

======================================
This is the expected behavior and has nothing to do with QTKit. You
would get the exact same behavior if you build a QuickTime application
using Carbon APIs. QuickTime Player knows the magic incantation to
recite to get DRM'd video to open and play. There is, to my knowledge,
no workaround.

Tim Monroe
QuickTime Engineering
======================================

I'm still stumped.

|\/|  /|  |2  |<
mehaase(at)gmail(dot)com
Michael Ash - 27 Dec 2005 11:37 GMT
>> I hope you'll keep us posted on this if/when you figure out more about
>> what's going on. I'd be very interested to know more.
[quoted text clipped - 14 lines]
>
> I'm still stumped.

Very interesting information indeed.

I'd still like to discover what this magic incantation is, even if just to
prove that it can be done. I did a little research today, then got stuck.
I thought I'd post what I have so far in case anybody else can jump in. Or
maybe I'll unstick myself.

I got a listing of symbols in QuickTime Player (using 'nm -g') and trolled
around searching for interesting ones. One of them stood out rather
clearly:

000a9764 S _sDRMEnableExportData6

Poking around some more, I believe that this is pretty conclusively part
of what's needed. When I manually zero out the first four bytes of
sDRMEnableExportData6 at the beginning of main() in gdb, QT Player can no
longer open DRM'd video files, returning an error of -2126. This is
"notAllowedToSaveMovieErr", which looks like a DRM-related thing to me.
Other movies still work fine.

But now I'm stuck, because it's just a chunk of data. I don't even know
how long it is! :) More importantly, I don't know how it's used to tell QT
that it's allowed to read these files. I also don't know how I can get gdb
(or any other tool) to tell me what's accessing it.

I thought that maybe something in the frameworks was looking for a symbol
with that name and reading it directly, but apparently not. If I edit the
binary to change the symbol name to something else, everything still works
as expected, including DRM'd video.

That's where I am now. I'll post more if I come up with anything else.

Signature

Michael Ash
Rogue Amoeba Software

Michael Ash - 27 Dec 2005 18:02 GMT
More investigating, more information, and even a little tiny bit of
progress. For this part of things, I worked with Rosyna, and he should get
most of the credit here.

The critical function call, or at least *a* critical function call, is to
QTSetProcessProperty(). If this is stubbed out in the debugger (*), DRM
videos no longer play. It appears to take four parameters, type, creator,
size, value, with the last two pointing to some chunk of seemingly-random
data. QT Player passes 'dmmc' and 'play' as the type and creator, and a
312-byte piece of data for the last bits. This is tied into some kind of
information about the program calling it, because when I replicated the
exact call in QTAmateur, it made no difference.

This function is doing something with MD5, and I'm guessing there's some
layer of crypto happening here. Since it's all in software then clearly
any key can be recovered and used to authorize an arbitrary application,
but that's hard. We started looking into the authentication checker side
of things. Even if the app isn't authorized, maybe it's possible to patch
whatever function checks that to always return "yes".

There is a DoCheck function in QuickTime somewhere which gets called in a
long chain of functions including DRM stuff, and a function called
QTGetProcessProperty, an obvious counterpart to QTSetProcessProperty from
above. None of the return values tested (0, 1, 0x64767062, and 0xa46a37a4)
changed anything, but since that only covers about one billionth of the
possible values, maybe there's one which works.

The chain of functions which calls that includes a function called
CheckPlayability. I tried that one too, stubbing it and making it always
return 0, at which point the file opens! The bad news is that the video is
a featureless gray, but the sound plays as usual. This is at least more
than anything before, so I feel at least somewhat encouraged.

* For anyone wondering how to stub out a function in gdb, here's how.
First, you set a breakpoint on it, like:

(gdb) break WhateverFunction

Then you set up some automatic commands to run when the breakpoint is hit.
We want to return a value without ever executing the function, and then
continue execution:

(gdb) commands
>return 0
>cont
>end

If you're using the Xcode debugger, then you can open the breakpoints
window and add a symbolic breakpoint there. Then you can toggle down the
disclosure triangle in the list, add a breakpoint action, and add the
commands there.

Signature

Michael Ash
Rogue Amoeba Software

 