Keyhole – Forge own Windows Store licenses

In our work to bypass Windows licensing checks, we uncovered an effective DRM bypass that we named “Keyhole.” By exploiting vulnerabilities in the Client Licensing Platform (CLiP), we were able to create licenses for any Microsoft Store app or Windows edition. The process involved manipulating license blocks and using an unobfuscated ECDSA key embedded in the clipup.exe binary. This bug allowed us to activate Windows Enterprise LTSC and KMS servers with ease. However, Cisco Talos reported the bug to Microsoft as a “privilege escalation,” and it was subsequently patched in the August 2024 update. We shared our findings and tools for further analysis, and in doing so uncovered the ties between CLiP and the Xbox One’s DRM system.

https://massgrave.dev/blog/keyhole