libModKey2Key UPLOAD 2026-02-26 08:18:02 +02:00
icon.ico UPLOAD 2026-02-26 08:18:02 +02:00
LICENSE UPLOAD 2026-02-26 08:18:02 +02:00
main.cpp UPLOAD 2026-02-26 08:18:02 +02:00
ModKey2Key.rc UPLOAD 2026-02-26 08:18:02 +02:00
ModKey2Key.sln UPLOAD 2026-02-26 08:18:02 +02:00
ModKey2Key.vcxproj UPLOAD 2026-02-26 08:18:02 +02:00
ModKey2Key.vcxproj.filters UPLOAD 2026-02-26 08:18:02 +02:00
ModKey2Key.vcxproj.user UPLOAD 2026-02-26 08:18:02 +02:00
README.md UPLOAD 2026-02-26 08:18:02 +02:00
resource.h UPLOAD 2026-02-26 08:18:02 +02:00

ModKey2Key

Simple C++ library to decrypt ModKey values used to authorize StreamFab API requests.

Background

The team behind DVDFab, software that does everything you could imagine with DVDs and Blu-rays, later released a new tool called StreamFab. StreamFab lets you download online videos that are protected by DRM from places like Netflix, Prime Video, Disney+, Hulu, and more.

It worked by sending video and audio decryption jobs to an API they control. Their API would internally send a Widevine license request to the relevant streaming platform to obtain the video and audio decryption keys. These keys would then be sent back by the API to the StreamFab client for decryption.

The DVDFab team did not want their API to be used by other software or groups, understandably, so that it could not be abused, overused, or re-sold. The API would ask for a certain key to be provided during API calls as authorization.

So, how was the API authorized?

I don't fully remember anymore, as this project was written years before I created this README. However, generally from what I remember, at a high level, it would send you a relatively large amount of data. This data contained various information including an 'encrypted' key. These were referred to as 'modkeys'.

How was it reversed?

This was relatively trivial to reverse engineer, thanks to the DVDFab team making a large mistake in one of the StreamFab releases. One of them had way less obfuscation than it typically has, including no virtualization or any kind of anti-debugging tricks. It had some obfuscation, but very, very little.

Because the encryption/decryption algorithm used is a typical memory-jumping bitwise operation, translating the code to another language was not possible. This is why I made it as a DLL that could be easily imported and used by other software, even Python 64-bit. Simply pass the ModKey to the modkey2key function, and voila, it returns the real key you can use to authorize StreamFab API requests and decrypt responses.

I simply took the function from the StreamFab.exe client, looked for the relevant function, had Ghidra generate pseudocode, and made small changes to rework it as a new project in Visual Studio as a library. I also had to make some small changes to do with memory addressing to operate correctly when compiled as a 64-bit library.