29th September 2008, 00:19   #182
Oopho2ei
Guest
Posts: n/a
Thanks.

TRAP_PrivateKey: I was able to trace both the obfuscated key (~96 bytes) and the hash result to the heavily obfuscated code (virtualized, lots of garbage, ...). Not sure if I can do it. You would probably kill me if I convert this mess to C code.

Looks like I have to record an instruction trace and then somehow analyze it automatically. I need to think about it.

Edit: Any idea of how the result of TRAP_PrivateKey is verified? It's obviously a 320-bit signature which is probably not created by the RSA algorithm. The footer of every section in the 0000?.svm files is 40 bytes long too. Note that the signatures used in the AACS authentication process are 40 bytes long as well. The way the result of TRAP_PrivateKey is verified would give us a vital clue of what algorithm created the signature.

Edit: When the hash is all zero the resulting signature is also all zero. If I overwrite the key with zeros I get stack overflows (wtf?)

Last edited by Oopho2ei; 29th September 2008 at 20:42.