Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 06-27-2024, 20:32
nulli nulli is offline
VIP
 
Join Date: Nov 2003
Posts: 173
Rept. Given: 42
Rept. Rcvd 22 Times in 12 Posts
Thanks Given: 57
Thanks Rcvd at 78 Times in 54 Posts
nulli Reputation: 22
Post Microsoft PlayReady Developer / Warbird Libraries Leak

On June 11, 2024, a Microsoft engineer accidentally posted a 771MB file on a public forum, leaking over 260 internal files related to Microsoft PlayReady. This leak includes Warbird configuration, obfuscation code, and static libraries with symbolic information, enough to reverse engineer the PlayReady system. Despite removing the forum post, Microsoft has yet to fully address the leak.

For more details, you can read the original communication from Security Explorations: Security Explorations Original Communication

Additional resources and downloads:
- Detailed Analysis and Report
- Reverse engineered code for Microsoft's Warbird on GitHub
- Download Link for leaked files
- Download Link for warbird.pdb for warbird.dll

Last edited by nulli; 06-29-2024 at 21:01.
Reply With Quote
The Following 5 Users Say Thank You to nulli For This Useful Post:
jump (06-28-2024), sendersu (06-28-2024), WhoCares (06-28-2024), Windoze (07-01-2024), wx69wx2023 (07-01-2024)
  #2  
Old 06-28-2024, 01:49
WhoCares's Avatar
WhoCares WhoCares is offline
who cares
 
Join Date: Jan 2002
Location: Here
Posts: 421
Rept. Given: 10
Rept. Rcvd 20 Times in 16 Posts
Thanks Given: 46
Thanks Rcvd at 171 Times in 69 Posts
WhoCares Reputation: 20
search for "ice_repro.zip", another link:
https://www.xn--ijanec-9jb.org/dir/?C=M&O=D


public pdb still available from MS:
"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\symchk.exe" -v warbird.dll
__________________
AKA Solomon/blowfish.

Last edited by WhoCares; 06-28-2024 at 13:12.
Reply With Quote
The Following 3 Users Say Thank You to WhoCares For This Useful Post:
blue_devil (06-28-2024), jump (06-28-2024), KNARZ (08-13-2024)
  #3  
Old 06-28-2024, 10:58
wx69wx2023 wx69wx2023 is offline
Friend
 
Join Date: Sep 2023
Posts: 128
Rept. Given: 2
Rept. Rcvd 28 Times in 13 Posts
Thanks Given: 127
Thanks Rcvd at 400 Times in 86 Posts
wx69wx2023 Reputation: 28
June 11th a Microsoft engineer accidentally leaked 4GB of Microsoft PlayReady internal code. It was leaked on the Microsoft Developer Community. The leak includes:

- WarBird configurations
- WarBird libraries for code obfuscation functionality
- Libraries with symbolic information related to PlayReady

Researchers from AG Security Research Lab were able to successfully build the Windows PlayReady dll library from the leaked code. Interestingly, they were assisted because on the Microsoft Developer Community forum a user also provided step-by-step instructions on how to begin the build process.

Also, interestingly, interestingly, the Microsoft Symbol Server doesn't block requests for PDB files corresponding to Microsoft WarBird libraries, which inadvertently leaks more information.

Adam Gowdiak of AG Security Research Lab reported the issue and Microsoft removed the forum post. However, as of this writing, the download link is still active.

File listing is below. Forums screenshots are attached. All information discovered by AG Security Research Lab

File listing: https://pastebin.com/raw/i65qfd2z

Download:
B0cde770200a945109437927ba3fe4d67638537352993712632_ICE_REPRO.zip
Reply With Quote
  #4  
Old 06-30-2024, 20:08
th3tuga th3tuga is offline
Friend
 
Join Date: Oct 2023
Posts: 30
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 16 Times in 10 Posts
th3tuga Reputation: 0
Quote:
Originally Posted by nulli View Post
On June 11, 2024, a Microsoft engineer accidentally posted a 771MB file on a public forum, leaking over 260 internal files related to Microsoft PlayReady. This leak includes Warbird configuration, obfuscation code, and static libraries with symbolic information, enough to reverse engineer the PlayReady system. Despite removing the forum post, Microsoft has yet to fully address the leak.

For more details, you can read the original communication from Security Explorations: Security Explorations Original Communication

Additional resources and downloads:
- Detailed Analysis and Report
- Reverse engineered code for Microsoft's Warbird on GitHub
- Download Link for leaked files
- Download Link for warbird.pdb for warbird.dll
Can confirm that the techniques to extract Netflix and Disney TV keys given here still working:
Quote:
https://security-explorations.com/microsoft-warbird-pmp.html
Tested on Windows 11 23H2.
Reply With Quote
The Following User Says Thank You to th3tuga For This Useful Post:
niculaita (10-02-2024)
  #5  
Old 10-01-2024, 21:08
thuglifeDRE thuglifeDRE is offline
Guest
 
Join Date: Oct 2024
Posts: 2
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 0 Times in 0 Posts
thuglifeDRE Reputation: 0
Quote:
Originally Posted by th3tuga View Post
Can confirm that the techniques to extract Netflix and Disney TV keys given here still working:


Tested on Windows 11 23H2.
Hi. Can you share a bit more how did you test the POC of Security Explorations?
Reply With Quote
Reply

Tags
dataleak, drm, microsoft, playready, warbird

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



All times are GMT +8. The time now is 13:20.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )