Welcome to Doom9's Forum, THE in-place to be for everyone interested in DVD conversion.

Old 9th January 2007, 05:46   #501  |  Link
Susana
Registered User
 
 
Join Date: Apr 2005
Location: Spain
Posts: 181
You can burn an HD-DVD onto a standard DVD. Indeed, you can already demux an HD-DVD (DVDLogic has a demuxer), compress the video to AVC at a lower bitrate and reauthor.

Last edited by Susana; 9th January 2007 at 05:51.
Old 9th January 2007, 05:56   #502  |  Link
Bystander
Registered User
 
Join Date: Jan 2007
Posts: 45
The file 001.fcl is loaded by Cyberlink and is used in the computation.

If you bp where neviens suggests you will get a chance to see where the 001.fcl code is used in the calculations. This leads me to believe this is the number that is unique to Cyberlink for future changes/updates.
Old 9th January 2007, 06:02   #503  |  Link
Ábudos
Suspended for forum rule violations
 
Join Date: Jan 2007
Posts: 35
Working to find a Title Key is all well and good, but shouldn't more effort be placed on getting hold of a Volume Unique Key, as the AACS specifications say that some videos could require the use of multiple Title Keys?
Old 9th January 2007, 08:30   #504  |  Link
neviens
Registered User
 
Join Date: Nov 2005
Posts: 6
Quote:
Originally Posted by Bystander View Post
The file 001.fcl is loaded by Cyberlink and is used in the computation.

If you bp where neviens suggests you will get a chance to see where the 001.fcl code is used in the calculations. This leads me to believe this is the number that is unique to Cyberlink for future changes/updates.
It's very unique! Device keys are stored in this file.


Quote:
Originally Posted by Jerky_san View Post
...
My version of WinDVD HD crashes when I load the file..
WinDVD is attempting to use some anti-debugging techniques.
You can estimate which player is less secure now.
Old 9th January 2007, 10:29   #505  |  Link
zeroprobe
Registered User
 
Join Date: Jan 2002
Posts: 155
Still no method by which we non-HD-DVD owners can test this?
Old 9th January 2007, 11:26   #506  |  Link
Borbus
Registered User
 
Join Date: Sep 2006
Posts: 52
You could try using the images I put up a few posts ago. The video isn't encrypted but PowerDVD might still load the volume/title key.

I can't get them to work without a UDF 2.5 filesystem driver though. The Toshiba one won't install, probably because I have no HD-DVD drive. Anyone know how to get UDF 2.5 to work with a Daemon Tools drive?
Old 9th January 2007, 11:59   #507  |  Link
troubler
Registered User
 
Join Date: Sep 2006
Posts: 1
*cough* virtualisation *cough*

Maybe take a little look at debugging a virtual machine, giving you access to the complete memory structure (whether Windows tries to protect it or not) at all times. You won't have native HDCP support, but you should be able to view downscaled, and therefore grab the necessary title keys.

*walks away quickly*

Last edited by troubler; 9th January 2007 at 12:02.
Old 9th January 2007, 12:02   #508  |  Link
tjf
Registered User
 
Join Date: Apr 2005
Posts: 50
Borbus: It worked fine on my system without HD-DVD. Make sure you have the latest Daemon Tools and this http://rapidshare.com/files/3149367/...Print.rar.html UDF driver.
Old 9th January 2007, 14:17   #509  |  Link
JK1974
Registered User
 
Join Date: Mar 2005
Posts: 75
What about Nero's InCD? I heard that this one also does the UDF 2.5 stuff.
Old 9th January 2007, 15:54   #510  |  Link
kolak
Registered User
 
Join Date: Nov 2004
Location: UK
Posts: 2,121
All you need is Daemon Tools (I have the old 3.47 version) and Nero InCD installed. Works perfectly.
Old 9th January 2007, 19:29   #511  |  Link
Borbus
Registered User
 
Join Date: Sep 2006
Posts: 52
Daemon Tools + that Toshiba driver posted by tjf works. Thanks.
Old 9th January 2007, 21:53   #512  |  Link
Janvitos
Registered User
 
Join Date: Jan 2007
Posts: 55
Hey people, I'm glad I can post now.

Just to let you guys know, I've been playing around with a debugger (OllyDbg), a plugin to hide the debugger (IsDebuggerPresent) and PowerDVD. I've been reading through this thread for the past few days and have gone through many trials and errors to try and find the mystery keys.

Here is a link to the debugger: http://www.kongoo.com/odbg110.zip
Here is a link to the plugin: http://www.kongoo.com/SV_IsDebug14.zip

By the way, if the debugger crashes sometime after you pushed the "play" button, give it the Shift + F7 command and press "play" again; if the movie doesn't start playing, give it the Shift + F7 command and push "play" one last time. Whenever the movie crashes, you can do this, and it worked for me every time.

Now that we know that we can't encrypt our own AACS content, I guess we'll have to debug the hard way.

In OllyDbg, I've been looking at patterns in the PowerDVD memory while HD-DVD content is being played. I'm not sure if it has anything to do with the keys, but anyone that has OllyDbg with PowerDVD will notice that some memory at particular addresses changes every few seconds or so.

Here are the changing addresses:

02690000
02772000
0277E000

02C69000
02C88000

732F0000 mscat32
732F1000 mscat32 .text
732F2000 mscat43 .data
732F3000 mscat32 .rsrc
732F4000 mscat32 .reloc

Now, since I am no ASM guru, I am not able to do much with these.
There might be other changing addresses as well, some of them are hard to grasp.

If this might help anybody, maybe we can get more clues and get closer to these keys.
Old 9th January 2007, 22:16   #513  |  Link
ilaps
Registered User
 
Join Date: Jan 2007
Posts: 2
• You perhaps could try a brutal and simple way: with a dump you can reduce tremendously the exhaustive search of the media key (verification values are described in the AACS specs). With 128-bit keys, 2^128 = 10^37 trials are necessary with AES: if we take one ms per test, you need 3×10^26 years! Forget it. But if you locate the key somewhere in a 1 MB space in the RAM of the PC, simply stored as a 16-byte array, you only need 10^6 tests, or 17 minutes!
• Does someone know if the Hollywood content providers have or will have some policy to accept HD on PC only if it can be trusted, i.e. not only with an OS like Vista but moreover with the stuff defined in TCG (old name TCPA) based on a trusted module called the TPM and a lot of other features? Does it require Vista "Ultimate" and not the "Basic / Premium / Business" versions?
Moreover, are these new approaches really trustworthy? I.e. it is likely that executing a player under the control of a debug program will be impossible, but is it possible to prevent someone from forcing a crash and afterwards performing a dump of RAM memory, for example?
Old 9th January 2007, 22:33   #514  |  Link
Janvitos
Registered User
 
Join Date: Jan 2007
Posts: 55
I also noticed that some code is written / deleted at the following address:

02735000

The code is:

02735000 42 INC EDX
02735001 0100 ADD DWORD PTR DS:[EAX],EAX
02735003 00EE ADD DH,CH
02735005 04 EE ADD AL,0EE
02735007 0108 ADD DWORD PTR DS:[EAX],ECX
02735009 0075 02 ADD BYTE PTR SS:[EBP+2],DH
0273500C 8837 MOV BYTE PTR DS:[EDI],DH
0273500E 76 02 JBE SHORT 02735012

Btw, PowerDVD DOES check for a debugger on "play".

Last edited by Janvitos; 9th January 2007 at 22:47.
Old 9th January 2007, 23:01   #515  |  Link
Janvitos
Registered User
 
Join Date: Jan 2007
Posts: 55
I also wanted to note that some constants of the AES-128 encryption / decryption can be found in a few places in memory such as:

- Rcon from the Rijndael key schedule
- Rijndael's S-box
- Inverse S-box
- Iv0, which is the initialisation vector for AES-128CBCE and AES-128CBCD

If you want to find these constants in the memory yourselves, simply load up your debugger with PowerDVD, push the "play" button and then do a search for these constants:

- Rcon: 63 7c 77 7b
- S-box: 01 00 00 00 02 00 00 00 04 00 00 00 08 00 00 00
- Inverse S-box: 52 09 6A D5
- Iv0: 0B A0 F8 DD

Like noted previously, these would have to be used at some point for encrypting / decrypting the keys.

Last edited by Janvitos; 9th January 2007 at 23:04.
Old 10th January 2007, 00:02   #516  |  Link
honai
Guest
 
Posts: n/a
Yes, I pointed that out previously, but didn't think that anyone actually noticed.

Basically, you'll only need to hook into the key schedule function since that one is being fed the raw decryption key. The AES-128 decryption function itself uses that computed key schedule later on, so hooking into that would be too late already.

Pseudo-code for the key schedule looks something like this:

Quote:
for i from 0 to Nk-1 {
    w[i] = word(key[4*i], key[4*i+1], key[4*i+2], key[4*i+3])
}

for i from Nk to Nb*(Nr+1) - 1 {
    temp = w[i-1]
    if (i is multiple of Nk) then {
        temp = SubstituteBytes( PermuteWord(temp) ) XOR RoundConstant[i/Nk]
    } else if (Nk = 8 and i - 4 is multiple of Nk) then {
        temp = SubstituteBytes( temp )
    }
    w[i] = temp XOR w[i-Nk]
}

Last edited by honai; 10th January 2007 at 00:06. Reason: added pseudo-code
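The key expansion honai sketches above, and the S-box / Rcon tables Janvitos lists two posts earlier, as an added example that is not code from the thread or from any player: a Python implementation of FIPS-197 key expansion (AES-128, -192 and -256) that derives the S-box, the inverse S-box and Rcon from GF(2^8) arithmetic instead of typing them in, and is checked against the published FIPS-197 Appendix A test key (a public test vector, not a disc key). Deriving the tables makes it easy to tell them apart by their opening bytes: the S-box begins 63 7c 77 7b, the inverse S-box begins 52 09 6a d5, and Rcon runs 01 02 04 08 10 20 40 80 1b 36. The function names `key_expansion` and `round_keys` are this example's own.

```python
"""AES key expansion (FIPS-197 section 5.2) with the S-box, inverse S-box and
Rcon derived from GF(2^8) arithmetic. Added example for this thread; not code
from the posters or from any player software."""

from typing import List


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B  # reduce by the AES polynomial
        b >>= 1
    return product


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); 0 maps to 0 by convention."""
    result, base, exp = 1, a, 254  # a^254 == a^-1 (255 non-zero elements)
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result if a else 0


def build_sbox() -> List[int]:
    """S-box: field inverse followed by the fixed affine map (constant 0x63)."""
    sbox = []
    for x in range(256):
        inv = gf_inv(x)
        s = inv
        for shift in range(1, 5):  # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = build_sbox()                       # starts 63 7c 77 7b ...
INV_SBOX = [0] * 256                      # starts 52 09 6a d5 ...
for _x, _s in enumerate(SBOX):
    INV_SBOX[_s] = _x
RCON = [1]                                # 01 02 04 08 10 20 40 80 1b 36
while len(RCON) < 10:
    RCON.append(gf_mul(RCON[-1], 2))      # successive powers of x in GF(2^8)


def sub_word(w: bytes) -> bytes:
    return bytes(SBOX[b] for b in w)


def rot_word(w: bytes) -> bytes:
    return w[1:] + w[:1]


def xor_word(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def key_expansion(key: bytes) -> List[bytes]:
    """Expand a 16/24/32-byte key into Nb*(Nr+1) four-byte words."""
    nk = len(key) // 4
    if len(key) % 4 or nk not in (4, 6, 8):
        raise ValueError("key must be 128, 192 or 256 bits")
    nr, nb = nk + 6, 4
    w = [key[4 * i:4 * i + 4] for i in range(nk)]
    for i in range(nk, nb * (nr + 1)):
        temp = w[i - 1]
        if i % nk == 0:
            temp = xor_word(sub_word(rot_word(temp)),
                            bytes([RCON[i // nk - 1], 0, 0, 0]))
        elif nk > 6 and i % nk == 4:      # extra SubWord step only for AES-256
            temp = sub_word(temp)
        w.append(xor_word(w[i - nk], temp))
    return w


def round_keys(key: bytes) -> List[str]:
    """Round keys as hex strings, one 16-byte round key per entry."""
    w = key_expansion(key)
    return [b"".join(w[4 * r:4 * r + 4]).hex() for r in range(len(w) // 4)]


if __name__ == "__main__":
    # FIPS-197 Appendix A.1 example key: a published test vector, not a disc key
    for rk in round_keys(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")):
        print(rk)
```

Run stand-alone it prints the eleven AES-128 round keys for the FIPS-197 example key, the first being the key itself and the last `d014f9a8c9ee2589e13f0cc8b6630ca6`. The expansion is the same routine whichever software runs it, which is the design point behind honai's remark: every round key is a deterministic function of the raw key, so the raw key is present wherever the schedule is computed.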
Old 10th January 2007, 00:05   #517  |  Link
MickeyNumberEight
Registered User
 
Join Date: Jan 2007
Posts: 3
Hi

My first post here, so I would like to tell you what software I use to manipulate and dump memory, debug and so on. There is a very good debugger, IDA Pro (http://www.datarescue.com/), and a file/disk/memory editor (http://www.x-ways.net/winhex/) which helped me a lot with weird protections. I don't have an HD-DVD drive yet, but soon I will buy one, and I will join you.

Greetings for all.
Old 10th January 2007, 00:23   #518  |  Link
Janvitos
Registered User
 
Join Date: Jan 2007
Posts: 55
If anyone is interested to live chat, we could all gather up on IRC on EFNet on the #doom9 channel. We can then share ideas live and maybe progress quicker.

Just a thought.
Old 10th January 2007, 00:44   #519  |  Link
cyberpass
Registered User
 
Join Date: Jan 2007
Posts: 15
Sounds like a lot of fun... I would like to create a bulletin board with your up-to-the-minute updates on finding a key/crack at http://www.aacskeys.com . What do you guys think?
Old 10th January 2007, 05:17   #520  |  Link
The_ByteMaster
(Trial period expired!)
 
Join Date: Jan 2007
Location: Halifax, NS, CANADA
Posts: 17
Quote:
Originally Posted by blutach View Post
After discussion with Doom9, it has been decided to allow publication of decryption keys
I've noticed in the FAQ.txt for 0.99 and 1.00, Muslix64 uses the following example TITLE key:

12-08A3DC61910280F2...

None of the example discs in the .cfg files use key #12, but so far I haven't seen it confirmed or denied that this is part of an actual title key (instead of some random hex gibberish). Did Muslix leave this there on purpose, without mentioning which disc it is, so people can look for this string in memory/registers?

(I don't own an HD-DVD drive so I can't help out.)

Last edited by The_ByteMaster; 10th January 2007 at 05:20. Reason: fixed typos