Doom9's Forum > General > Decrypting
Old 8th January 2007, 08:26   #461  |  Link
Susana
Registered User
 
Join Date: Apr 2005
Location: Spain
Posts: 181


Thinking about it, can AACS be in the ISO?

Last edited by Susana; 8th January 2007 at 08:29.
Old 8th January 2007, 08:35   #462  |  Link
Borbus
Registered User
 
Join Date: Sep 2006
Posts: 52
It doesn't seem to have worked at all. The AACS stuff isn't in the ISO at all. It's in the output directory, but even the EVO file in there plays in PowerDVD fine. I don't know what's wrong...
Old 8th January 2007, 08:40   #463  |  Link
Pomyk
Registered User
 
Join Date: Oct 2005
Posts: 34
The stream doesn't look encrypted at all. After compression it's only 16kB.
Old 8th January 2007, 08:41   #464  |  Link
Isochroma
Registered User
 
Join Date: Mar 2005
Posts: 468
@Borbus: Excellent work! I had only hoped that this step would be fairly feasible; you've proven this supposition correct. However, it would be good if you could generate one more sample ISO, this time with two items changed:
1. It should have a few frames of visible content, so we can see that the player is actually working.

2. In your AACS Settings dialog, the last dropdown box is called ICT. You must select none, or disabled, rather than the current constrained. The reason is that if the ICT is enabled, only those with a valid HDCP output chain (video card, monitor) can test your sample. Remember, the purpose of this investigation is to help reverse-engineer an AACS implementation, not HDCP.
The reason why Susana had no problem playing the file is because the title key was generated from a portion of the available keyspace assigned to Scenarist's application license.

The disc key was undoubtedly also added but not displayed; it is only required when the player supports and requires disc authentication, which daemon tools and isobuster do not, of course.

Because of that, any player with a licensed unrevoked decryption key will be able to play the files in his ISO.

The important part of the AACS is not in the ISO volume structure; it is the files themselves that are encrypted, just like regular DVD VOBs. And it is their encryption which BackupHDDVD is purportedly capable of removing, provided the correct Title Key.

Now, getting those files off a real HD-DVD disc requires the player to authenticate the disc, or vice versa. That step should be automatic, i.e. people have been able to copy the EVOBs from HD-DVDs with only the UDF 2.5 driver and drive installed.

Last edited by Isochroma; 8th January 2007 at 08:53.
Old 8th January 2007, 08:48   #465  |  Link
Borbus
Registered User
 
Join Date: Sep 2006
Posts: 52
I just read this in the documentation, so actually it probably isn't feasible:
Quote:
Note: When outputting a project, AACS is only written to DLTs and PlantDirect images. AACS is not written when burning discs.
Unless there is some software that can burn or mount PlantDirect images...

edit 1: Daemon Tools does mount PlantDirect images somehow... now uploading the image...

Last edited by Borbus; 8th January 2007 at 08:52.
Old 8th January 2007, 08:57   #466  |  Link
Isochroma
Registered User
 
Join Date: Mar 2005
Posts: 468
The AACS they are referring to is probably the Disc Key system. What makes me think this is that in the AACS Settings dialog, the Enable AACS checkbox and associated settings are in their own separate area.

Something to test: if you uncheck Enable AACS, do the Title Settings below go gray?
Old 8th January 2007, 08:59   #467  |  Link
Borbus
Registered User
 
Join Date: Sep 2006
Posts: 52
Quote:
Originally Posted by Isochroma
Something to test: if you uncheck Enable AACS, do the Title Settings below go gray?
Yes, everything below goes grey.
Old 8th January 2007, 09:06   #468  |  Link
Borbus
Registered User
 
Join Date: Sep 2006
Posts: 52
Ok, here's the PlantDirect image. The AACS stuff makes it much bigger:

http://www.filehost.gr/276912

I'm still not sure if the video is encrypted though because it's exactly the same size but I don't have a registered version of ISOBuster to extract the files with. The keys are the same as before:
Volume: C29E56D1E80EA92B010733C46A73DECA
Title: 6ACF5ADFCFD8A3D404D0DB6155229D36
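Pomyk's "it compresses to 16 kB" test and Borbus's "it's exactly the same size" doubt are two halves of one question: does the stream look encrypted? The following is an added example, my own C code rather than anything from the thread or from the tools it mentions, that makes the check explicit as a byte-entropy measurement. Both inputs are constructed inside the code (a xorshift32 stream standing in for ciphertext, and a padded sector layout standing in for an unencrypted container), the function names are mine, and the 7.5 bits/byte threshold is a rule of thumb rather than a value from the thread.

```c
/* Added example (not from the thread): does a byte stream look encrypted?
 * A byte-histogram entropy check, the statistical cousin of Pomyk's
 * "it compresses to 16 kB" test. Ciphertext (and already-compressed data)
 * has a near-flat histogram, close to 8 bits/byte; an unencrypted container
 * with headers, padding and repeated structure scores well below that. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SAMPLE_LEN 65536

/* log2(x) for x > 0, computed digit by digit so the example builds without libm:
 * scale x into [1,2) for the integer part, then extract fractional bits by
 * repeated squaring. */
double log2_approx(double x) {
    int e = 0;
    while (x >= 2.0) { x /= 2.0; e++; }
    while (x < 1.0)  { x *= 2.0; e--; }
    double frac = 0.0, bit = 0.5;
    for (int i = 0; i < 52; i++) {
        x *= x;
        if (x >= 2.0) { x /= 2.0; frac += bit; }
        bit /= 2.0;
    }
    return (double)e + frac;
}

/* Shannon entropy of the byte distribution, in bits per byte (0 .. 8). */
double byte_entropy(const uint8_t *buf, size_t len) {
    size_t counts[256] = {0};
    double h = 0.0;
    if (len == 0) return 0.0;
    for (size_t i = 0; i < len; i++) counts[buf[i]]++;
    for (int b = 0; b < 256; b++) {
        if (counts[b] == 0) continue;
        double p = (double)counts[b] / (double)len;
        h -= p * log2_approx(p);
    }
    return h;
}

/* Rule-of-thumb threshold (assumed, not from the thread); calibrate it against
 * known-unencrypted files of the same type before trusting it. */
int looks_encrypted(const uint8_t *buf, size_t len) {
    return byte_entropy(buf, len) > 7.5;
}

/* Constructed input 1: a xorshift32 stream standing in for ciphertext
 * (statistically flat; it has nothing to do with AES). */
void fill_random_like(uint8_t *buf, size_t len) {
    uint32_t xs = 0x12345678u;
    for (size_t i = 0; i < len; i++) {
        xs ^= xs << 13; xs ^= xs >> 17; xs ^= xs << 5;
        buf[i] = (uint8_t)xs;
    }
}

/* Constructed input 2: an unencrypted "container" of 2048-byte sectors, each
 * with a 16-byte ASCII header, a 64-byte low-nibble payload and zero padding. */
void fill_structured(uint8_t *buf, size_t len) {
    static const char hdr[] = "SECTOR-HEADER-01";   /* 16 bytes plus NUL */
    memset(buf, 0, len);
    for (size_t off = 0; off + 2048 <= len; off += 2048) {
        memcpy(buf + off, hdr, 16);
        for (int i = 0; i < 64; i++) buf[off + 16 + i] = (uint8_t)(i & 0x0F);
    }
}

/* Regenerate one of the two samples (1 = random-like, 0 = structured). */
const uint8_t *sample_buf(int random_like) {
    static uint8_t buf[SAMPLE_LEN];
    if (random_like) fill_random_like(buf, SAMPLE_LEN);
    else             fill_structured(buf, SAMPLE_LEN);
    return buf;
}

double sample_entropy(int random_like)         { return byte_entropy(sample_buf(random_like), SAMPLE_LEN); }
int    sample_looks_encrypted(int random_like) { return looks_encrypted(sample_buf(random_like), SAMPLE_LEN); }

int main(void) {
    printf("random-like: %.3f bits/byte -> %s\n", sample_entropy(1),
           sample_looks_encrypted(1) ? "looks encrypted or compressed" : "plain");
    printf("structured : %.3f bits/byte -> %s\n", sample_entropy(0),
           sample_looks_encrypted(0) ? "looks encrypted or compressed" : "plain");
    return 0;
}
```

Two caveats the thread itself illustrates: AES-encrypting a file does not change its length, so identical sizes prove nothing either way, and an H.264 elementary stream is already compressed, so it scores near 8 bits/byte whether or not it is encrypted. For video, the practical discriminator is the one Pomyk used, comparing the compressibility of the file in question against a known-unencrypted file of the same type.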
Old 8th January 2007, 09:29   #469  |  Link
Susana
Registered User
 
Join Date: Apr 2005
Location: Spain
Posts: 181
Same as before: WinDVD plays the mounted .dat and the extracted files.

Old 8th January 2007, 09:35   #470  |  Link
blutach
Country Member
 
Join Date: Sep 2004
Location: is everything!
Posts: 6,499
Quote:
Originally Posted by Gradius
Magic Memory = pure BS, don't believe them!
Another totally off-topic post. Posters have been warned enough. Keep to the topic please! Strike issued.

Regards


Quote:
Originally Posted by calinb
Well--in the U.S. we have the DMCA. Other countries have various "exported" versions of it. The DMCA contradicts Fair Use. As far as I can tell, this has not been resolved through either legislative or judicial process. Not everyone wants to risk becoming case law.
If you read Doom9's very good synopsis of the DMCA, you will see provision for Fair Use. It's the reason you can back up your DVD. Should you wish to discuss this further, a separate thread would be more appropriate.

Regards
__________________
Les

Only use genuine Verbatim or Taiyo Yuden media.
Old 8th January 2007, 11:12   #471  |  Link
Golgot13
Registered User
 
Join Date: Mar 2006
Location: Grand StrateGuerre
Posts: 361
Quote:
Originally Posted by Borbus
Ok, here's the PlantDirect image. The AACS stuff makes it much bigger:

http://www.filehost.gr/276912

I'm still not sure if the video is encrypted though because it's exactly the same size but I don't have a registered version of ISOBuster to extract the files with. The keys are the same as before:
Volume: C29E56D1E80EA92B010733C46A73DECA
Title: 6ACF5ADFCFD8A3D404D0DB6155229D36
Your image is not encrypted, but it is ready to be encrypted at the HD DVD replicator's factory
with specific software from AACS (with your keys, like CSS with Scenarist SD)....
The video file in the movie stream is H.264 encoded by MainConcept 2.0.1889,

HP@L4.1 (1920x1084 ?); there is no audio stream.

Golgot13

Last edited by Golgot13; 8th January 2007 at 11:31.
Old 8th January 2007, 11:17   #472  |  Link
zeroprobe
Registered User
 
Join Date: Jan 2002
Posts: 155
Damn, it was a nice idea. Back to square one.

Quote from sonopress.co.uk

"The Content owner provides the authored HD DVD data to a licensed replicator, the authoring project needs to be set up or “flagged” for subsequent processing. The AACS Licensing Authority provides the replicator with keys and a Content Certificate that allows the blocking of content to be copied from the playback device or even put settings to the output of a player that allows the downscaling of HD signals at the analogue output in order to prevent copying of the analogue signal.
The replicator then manufactures the HD DVDs, which carry the encrypted content and the AACS data, and they are shipped to the customers. AACS LA also supplies Device Keys and the Public Key to licensed player manufacturers, which will allow legally produced discs to play without problem"

Last edited by zeroprobe; 8th January 2007 at 11:41.
Old 8th January 2007, 11:33   #473  |  Link
Golgot13
Registered User
 
Join Date: Mar 2006
Location: Grand StrateGuerre
Posts: 361
But the information in the AACS folder is good; the AACS key of the HD DVD replicator is missing....



Golgot13
Old 8th January 2007, 11:46   #474  |  Link
zeroprobe
Registered User
 
Join Date: Jan 2002
Posts: 155
Without the replicator key, would the whole decryption process take place with PowerDVD?

Would it still grab the title keys etc.?

Last edited by zeroprobe; 8th January 2007 at 12:06.
Old 8th January 2007, 11:55   #475  |  Link
Golgot13
Registered User
 
Join Date: Mar 2006
Location: Grand StrateGuerre
Posts: 361
This schema is the AACS chain from the HD DVD White Paper (PDF file from the public web site of the DVD Forum).

[image: AACS chain schema from the HD DVD White Paper; not preserved in this copy]

Golgot13
Old 8th January 2007, 12:19   #476  |  Link
feizex
Registered User
 
Join Date: Dec 2006
Posts: 11
If "the information in AACS folder is good" (i.e. you have the encrypted title key and other info in there), are you saying that you have everything but the encrypted video?

Why not just encrypt it with your title key?

There may be other requirements though...
"A Player shall decide that a Disc to be played back is an AACS Disc if the AACS-Compliant drive for the Player is able to read the PMSN or if the drive is able to read the Volume ID."

Page 105 - the content binding diagram shows the requirements for the Media Key Block (MKB), Volume ID and Encrypted Title Key.

Last edited by feizex; 8th January 2007 at 13:16.
Old 8th January 2007, 14:18   #477  |  Link
suxen_drol
Registered User
 
Join Date: Nov 2001
Posts: 24
question: why write your own crypto implementation, when there exist off-the-shelf libraries? random example: http://www.cryptopp.com/.

answer: obscurity.

cheers,
-- pete
Old 8th January 2007, 19:01   #478  |  Link
Bystander
Registered User
 
Join Date: Jan 2007
Posts: 45
Alright, for those who are interested.

Nothing is loaded into memory when PowerDVD is running. It is only when you press the play button.

The code that first loads the AACS files into memory is in the HDDVDAdvNav.dll file. From there the following DLLs are used:

CBS.dll, and FileSystemMgr.dll

Here is the code that loads the AACS files:
Code:
1009D460  /$  56              PUSH ESI                                 ;  Loads Files into Memory
1009D461  |.  8BF1            MOV ESI,ECX
1009D463  |.  E8 A8F7FFFF     CALL HDDVDAdv.1009CC10
1009D468  |.  68 C8B71D10     PUSH HDDVDAdv.101DB7C8                   ; /Arg3 = 101DB7C8
1009D46D  |.  8D86 A0000000   LEA EAX,DWORD PTR DS:[ESI+A0]            ; |AACS/MKBROM.AACS
1009D473  |.  50              PUSH EAX                                 ; |Arg2
1009D474  |.  8D8E 9C000000   LEA ECX,DWORD PTR DS:[ESI+9C]            ; |
1009D47A  |.  51              PUSH ECX                                 ; |Arg1
1009D47B  |.  8BCE            MOV ECX,ESI                              ; |
1009D47D  |.  E8 FEFBFFFF     CALL HDDVDAdv.1009D080                   ; \HDDVDAdv.1009D080
1009D482  |.  8D8E 24010000   LEA ECX,DWORD PTR DS:[ESI+124]
1009D488  |.  FF15 18031A10   CALL DWORD PTR DS:[<&MSVCP71.?c_str@?$ba>;  MSVCP71.?data@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEPB_WXZ
1009D48E  |.  50              PUSH EAX                                 ; /Arg3
1009D48F  |.  8D96 A8000000   LEA EDX,DWORD PTR DS:[ESI+A8]            ; |AACS/VTKF000.AACS
1009D495  |.  52              PUSH EDX                                 ; |Arg2
1009D496  |.  8D86 A4000000   LEA EAX,DWORD PTR DS:[ESI+A4]            ; |
1009D49C  |.  50              PUSH EAX                                 ; |Arg1
1009D49D  |.  8BCE            MOV ECX,ESI                              ; |
1009D49F  |.  E8 DCFBFFFF     CALL HDDVDAdv.1009D080                   ; \HDDVDAdv.1009D080
1009D4A4  |.  68 74B81D10     PUSH HDDVDAdv.101DB874                   ; /Arg3 = 101DB874
1009D4A9  |.  8D8E C8000000   LEA ECX,DWORD PTR DS:[ESI+C8]            ; |AACS/CONTENT_HASH_TABLE2..AACS
1009D4AF  |.  51              PUSH ECX                                 ; |Arg2
1009D4B0  |.  8D96 C4000000   LEA EDX,DWORD PTR DS:[ESI+C4]            ; |
1009D4B6  |.  52              PUSH EDX                                 ; |Arg1
1009D4B7  |.  8BCE            MOV ECX,ESI                              ; |
1009D4B9  |.  E8 C2FBFFFF     CALL HDDVDAdv.1009D080                   ; \HDDVDAdv.1009D080
1009D4BE  |.  68 38B81D10     PUSH HDDVDAdv.101DB838                   ; /Arg3 = 101DB838
1009D4C3  |.  8D86 D0000000   LEA EAX,DWORD PTR DS:[ESI+D0]            ; |AACS/CONTENT_HASH_TABEL1.AACS
1009D4C9  |.  50              PUSH EAX                                 ; |Arg2
1009D4CA  |.  8D8E CC000000   LEA ECX,DWORD PTR DS:[ESI+CC]            ; |
1009D4D0  |.  51              PUSH ECX                                 ; |Arg1
1009D4D1  |.  8BCE            MOV ECX,ESI                              ; |
1009D4D3  |.  E8 A8FBFFFF     CALL HDDVDAdv.1009D080                   ; \HDDVDAdv.1009D080
1009D4D8  |.  68 08B81D10     PUSH HDDVDAdv.101DB808                   ; /Arg3 = 101DB808
1009D4DD  |.  8D96 D8000000   LEA EDX,DWORD PTR DS:[ESI+D8]            ; |AACS/CONTENT_CERT.AACS
1009D4E3  |.  52              PUSH EDX                                 ; |Arg2
1009D4E4  |.  8D86 D4000000   LEA EAX,DWORD PTR DS:[ESI+D4]            ; |
1009D4EA  |.  50              PUSH EAX                                 ; |Arg1
1009D4EB  |.  8BCE            MOV ECX,ESI                              ; |
1009D4ED  |.  E8 8EFBFFFF     CALL HDDVDAdv.1009D080                   ; \HDDVDAdv.1009D080
1009D4F2  |.  68 B0B81D10     PUSH HDDVDAdv.101DB8B0                   ; /Arg3 = 101DB8B0
1009D4F7  |.  8D8E E0000000   LEA ECX,DWORD PTR DS:[ESI+E0]            ; |AACS/CONTENT_REVOCATION_LIST.AACS
1009D4FD  |.  51              PUSH ECX                                 ; |Arg2
1009D4FE  |.  8D96 DC000000   LEA EDX,DWORD PTR DS:[ESI+DC]            ; |
1009D504  |.  52              PUSH EDX                                 ; |Arg1
1009D505  |.  8BCE            MOV ECX,ESI                              ; |
1009D507  |.  E8 74FBFFFF     CALL HDDVDAdv.1009D080                   ; \HDDVDAdv.1009D080
1009D50C  |.  8D8E 40010000   LEA ECX,DWORD PTR DS:[ESI+140]
1009D512  |.  FF15 18031A10   CALL DWORD PTR DS:[<&MSVCP71.?c_str@?$ba>;  MSVCP71.?data@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEPB_WXZ
1009D518  |.  50              PUSH EAX                                 ; /Arg3
1009D519  |.  8D86 C0000000   LEA EAX,DWORD PTR DS:[ESI+C0]            ; |AACS/VTUF000.AACS
1009D51F  |.  50              PUSH EAX                                 ; |Arg2
1009D520  |.  8D8E BC000000   LEA ECX,DWORD PTR DS:[ESI+BC]            ; |
1009D526  |.  51              PUSH ECX                                 ; |Arg1
1009D527  |.  8BCE            MOV ECX,ESI                              ; |
1009D529  |.  E8 52FBFFFF     CALL HDDVDAdv.1009D080                   ; \HDDVDAdv.1009D080
1009D52E  |.  5E              POP ESI
1009D52F  \.  C3              RETN
Also the program uses HeapFree, which is a Kernel32 command, to overwrite the data it uses. A simple patch would allow the code to remain in memory if you know what you are looking for.

The magic call to remove the AACS stuff is here:
Code:
028D4D4B     /74 09         JE SHORT FileSyst.028D4D56               ;  force this jump
028D4D4D   . |50            PUSH EAX
028D4D4E     |E8 87320000   CALL <JMP.&MSVCR71.??_V@YAXPAX@Z>        ;  clears heap ... file info is gone
In this section forcing the JE to JMP would bypass it without corrupting the stack.

This should get you started.... enjoy

P.S. After it's loaded you might want to break into RSAENH.dll (windows\system32 directory) and you'll notice it's doing the cryptography (SHA1 too). And remember to stop the HeapFree command when you are tracing, to stop it from hiding its tracks.

Last edited by Bystander; 8th January 2007 at 19:22.
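Bystander's HeapFree observation, and his later point that the key has to be in memory at some point regardless, describe the generic load, use, wipe pattern that any software handling key material follows. The following is an added example in C, my own code and not PowerDVD's or any AACS implementation, showing that pattern written so the compiler cannot silently delete the wipe. The key bytes, the key_slot type, and the use_key digest are constructed stand-ins of my own (a real consumer would hand the key to AES), and the function names are assumptions, not names from the thread.

```c
/* Added example (not the player's code): the load -> use -> wipe lifecycle
 * that the thread describes, done so the optimizer must keep the wipe.
 * A plain memset(key, 0, n) just before a buffer dies is a dead store and
 * compilers are allowed to delete it; a store through a volatile lvalue is
 * not. The wipe only shrinks the window in which the key is readable: while
 * it is in use it is in memory, and anything that can pause the process
 * there can read it. That is the limitation Bystander points out. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define KEY_LEN 16

/* Zeroization the optimizer must honour: every store goes through a volatile
 * pointer, so it cannot be discarded even if the buffer is never read again.
 * C11 memset_s, glibc/BSD explicit_bzero and Win32 SecureZeroMemory exist
 * for the same purpose. */
void secure_zero(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

/* OR-fold over the buffer: no early exit, so the time taken does not depend
 * on where the first non-zero byte sits. */
int is_all_zero(const uint8_t *p, size_t n) {
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* One slot holding one key for exactly as long as it is needed. Making the
 * lifetime explicit (load / use / release) is the point; the key never sits
 * in a long-lived global. */
typedef struct {
    uint8_t key[KEY_LEN];
    int     loaded;
} key_slot;

/* Constructed key bytes standing in for whatever a real key file would hold. */
static const uint8_t constructed_key[KEY_LEN] = {
    0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff
};

void load_key(key_slot *s) {
    memcpy(s->key, constructed_key, KEY_LEN);
    s->loaded = 1;
}

/* Stand-in "consumer": folds key and data into a 32-bit digest (FNV-1a style
 * mixing) so a caller can observe that the key was really applied. This is
 * not a cipher; a real player would pass the key to AES here. */
uint32_t use_key(const key_slot *s, const uint8_t *data, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= (uint8_t)(data[i] ^ s->key[i % KEY_LEN]);
        h *= 16777619u;
    }
    return h;
}

void release_key(key_slot *s) {
    secure_zero(s->key, KEY_LEN);
    s->loaded = 0;
}

/* Run the full lifecycle on a constructed 64-byte payload. Returns 1 when the
 * slot is clean afterwards and the digest really depended on the key. */
int lifecycle_is_clean(void) {
    uint8_t payload[64];
    for (size_t i = 0; i < sizeof payload; i++) payload[i] = (uint8_t)(i * 7);

    key_slot s;
    load_key(&s);
    uint32_t with_key = use_key(&s, payload, sizeof payload);
    release_key(&s);
    uint32_t after_wipe = use_key(&s, payload, sizeof payload);   /* key is now all zero */

    return is_all_zero(s.key, KEY_LEN) && !s.loaded && with_key != after_wipe;
}

int main(void) {
    printf("key slot clean after release: %s\n", lifecycle_is_clean() ? "yes" : "no");
    return 0;
}
```

The volatile loop is the portable choice; the library calls named in the comment do the same job where they are available. Note what this does and does not buy: a missing or skipped release is a code-review and testing item (the lifecycle check above is the kind of test that catches it), but nothing in software can keep a key out of memory while it is being used, which is exactly why the thread's participants expect to find it there.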
Old 8th January 2007, 19:27   #479  |  Link
Jerky_san
Registered User
 
Join Date: Apr 2005
Posts: 18
1009D48F |. 8D96 A8000000 LEA EDX,DWORD PTR DS:[ESI+A8] ; |AACS/VTKF000.AACS so it loads the all talked about file just after it loads

1009D46D |. 8D86 A0000000 LEA EAX,DWORD PTR DS:[ESI+A0] ; |AACS/MKBROM.AACS

Then it loads up 2 sets of hash tables along with the Revocation list along with a
1009D4DD |. 8D96 D8000000 LEA EDX,DWORD PTR DS:[ESI+D8] ; |AACS/CONTENT_CERT.AACS (wonder what this file has)

and then

1009D519 |. 8D86 C0000000 LEA EAX,DWORD PTR DS:[ESI+C0] ; |AACS/VTUF000.AACS

VTKF000.AACS and VTUF000.AACS: the change in the K and U, are these the K and U that they are talking about in the specs? You add them together and you get the key?

Also perhaps they are right: they didn't use the RAM but instead kept it all in the registers of the CPU? .. I dunno though. Me + Assembly = bad grade last semester, so I dunno if I'm reading it right..

Last edited by Jerky_san; 8th January 2007 at 19:29.
Old 8th January 2007, 19:41   #480  |  Link
Bystander
Registered User
 
Join Date: Jan 2007
Posts: 45
The code does exist in memory. Regardless of whether it's in the drive or the computer, it must reside in memory before it gets to the processor. Most protections will mask/overwrite the code once it does what it needs to do, which literally removes it from memory.

Nothing magical about that.
All times are GMT +1.