Welcome to Doom9's Forum, THE in-place to be for everyone interested in DVD conversion.
#221 | candela | 4th September 2017, 08:53
Quote (originally posted by m4tthi4s):
Do you have more information? How did you find out that it is encrypted?
I think "encrypted" is the wrong choice of words. The keys are no longer available at fixed offsets, and the presence of keys also seems to depend on the timing of the dump. It doesn't seem like they are actively trying to hide keys, though. Even a simple XOR would make us find nothing. I don't remember if previously the unit keys were present, but now they are. So possibly they just changed some code which has some bad side effects for us. Judging from a couple of tests, most if not all keys are still present when the dump is taken at the right time, but at semi-random locations.

Brute force is a way to get keys from the dump, but each key requires a different kind of verification and is obviously more time-consuming than dumping data at fixed offsets. However, such a general implementation would also work with dumps from other rippers/players that have at least title keys (Leawo, etc.), so the effort seems worthwhile.

#222 | nalor | 4th September 2017, 20:31
I think the memory area we're usually searching for is a C structure, and that the relevant information (volume ID, media key, VUK) is still there, but not in plaintext any longer... I also noticed that the beginning of the structure is different now, so basically it might be possible to detect if it's a plaintext structure or an obfuscated one without even validating the VUK, but for the moment I'll just check the version of DVDFab and Passkey and exit in case an unsupported version is discovered.

If anyone is interested: I already created a brute-force application that simply searches for a valid VUK in a memory dump. Using 4 threads that check simultaneously, it takes about 2 min to check all possible combinations in a 100 MB binary file, and personally I've no idea how I could optimize this any further (AES encoding/decoding is already done with libgcrypt because the internal PureBasic methods are way too slow), and with 4 threads my CPU is already at its limit.

So for the moment it's easier to use an older release of the DVDFab applications (and I can install different releases without restarting Windows, so I think it's no problem at all to switch to an older release for FindVUK and install the current one again afterwards).

#223 | ErichV | 3rd November 2017, 21:00
Quote (originally posted by nalor):
Already implemented it a while ago - but as nobody complained I resigned to release it.
Will try to create a new release this weekend.
FYI:
A new version of DVDFab Media Player has been released: 3.2.0.0

#224 | spotter | 5th December 2017, 02:37
Recently upgraded to the 1709 Windows 10 release, and FindVUK is now failing on the dump.

Quote:
2017-12-04 17:35:43 # 173312 # DiscID found >607675E3ECDCC36202EADC0BC85A5B34337D1C33<
2017-12-04 17:35:44 # 174627 # DVDfab got VUK - create memdump now!
2017-12-04 17:35:44 # 174734 # DUMP >>>
2017-12-04 17:35:44 # 174740 # DUMP >>> ProcDump v9.0 - Sysinternals process dump utility
2017-12-04 17:35:44 # 174745 # DUMP >>> Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
2017-12-04 17:35:44 # 174752 # DUMP >>> Sysinternals - www.sysinternals.com
2017-12-04 17:35:44 # 174757 # DUMP >>>
2017-12-04 17:35:44 # 174762 # DUMP >>> [17:35:44] Multiple processes match the specified name.
2017-12-04 17:35:44 # 174769 # ERROR!! Exitcode >-2< - Dump failed! - Program >C:\Users\spott\Downloads\FindVUK_1.02\tool\procdump.exe< Parameter > -ma -o DVDFab.exe "C:\Users\spott\Downloads\FindVUK_1.02\dump\607675E3ECDCC36202EADC0BC85A5B34337D1C33_HOUSE_OF_CARDS_TRILOGY_D1.dmp"<
2017-12-04 17:35:44 # 174775 # Error during process memory dump - please report in the doom9 forum!
2017-12-04 17:35:44 # 174785 # ERROR! Couldn't create memory dump! Exit application!
2017-12-04 17:35:44 # 174795 # CloseAtTheEnd is active, close DVDfab now
2017-12-04 17:35:44 # 174805 # There are >1< DVDfab processes running

#225 | spotter | 5th December 2017, 02:46
If I run procdump manually, the same thing happens, but if I run it with the PID of the DVDFab process, it works.

It'd be nice if FindVUK could be updated to use the PID instead of just the exe name.

#226 | nalor | 5th December 2017, 07:39
Quote (originally posted by spotter):
If I run procdump manually, the same thing happens, but if I run it with the PID of the DVDFab process, it works.

It'd be nice if FindVUK could be updated to use the PID instead of just the exe name.
Interesting, I upgraded my computer to 1709 on Saturday as well and used FindVUK yesterday without any problems.
Will check tonight which exact version of procdump I am using and will also check with your version.

Sent from my E5823 using Tapatalk

#227 | spotter | 5th December 2017, 17:36
Quote (originally posted by nalor):
Interesting, I upgraded my computer to 1709 on Saturday as well and used FindVUK yesterday without any problems.
Will check tonight which exact version of procdump I am using and will also check with your version.

Sent from my E5823 using Tapatalk

I was able to run procdump by name on notepad.exe, so maybe it's a function of something else, but as I said, the PID worked fine. If you exec the DVDFab product, you should have the PID, right?

#228 | hajj_3 | 6th December 2017, 23:18
DVDFab Media Player 3.2.0.1 has been released.

#229 | nalor | 7th December 2017, 21:19
Quote (originally posted by spotter):
2017-12-04 17:35:44 # 174762 # DUMP >>> [17:35:44] Multiple processes match the specified name.
Just noticed this line, and I think it explains why it didn't work: it seems as if 2 DVDFab processes were running at the same time?

Unfortunately I don't get the PID when I start something with FindVUK, so all I could do is retrieve it later, and that would also fail because I couldn't identify the correct process in case there are multiple running with the same name.

So for the moment I think I'll just keep it as it is.