8th January 2007, 20:51 | #481 | Link |
Registered User
Join Date: Oct 2002
Location: Florida, USA
Posts: 90
|
Is Bystander = Muslix64?
Just joined and pretty much tells how to get the keys but without telling all of it. Sounds like Muslix, and using a second screen name will lessen the chance of getting traced and sued. I think Muslix is from Germany, where the cereal is from and a land where Commodore 64 was a hacker's first toy. This is just speculation, and Mods can delete this post if it's out of bounds/irrelevant. Last edited by tonyp12; 8th January 2007 at 21:03. |
8th January 2007, 21:05 | #482 | Link |
Registered User
Join Date: Mar 2005
Posts: 468
|
Good morning all! I see there's been much activity since yesterday...
There is no need to bring the keyed but unencrypted files to a licensed HD-DVD replicator to get them encrypted... here is one example of software on the market: Eclipse Data Releases High-Speed Blu-ray AACS Encryption Software
"We knew that we needed to minimize the impact of moving encryption into the premastering process"
Premastering is what you do with the Sonic package. This means you can get secondary software which will take the fileset made by Sonic and convert it to a fully AACS-encrypted fileset or ISO image. Sonic only adds AACS information to DDP images, also known as PlantDirect:
"A powerful add-on option for Scenarist Studio (SEN-3101), PlantDirect Tapeless Premastering allows DDP file sets to be written to hard disk, rather than to DLT, enabling delivery of DVD masters for replication via the Internet saving time and money on physical shipments."
DDP is the industry standard for disc imaging, and was established by a company known as DCA Inc. They established the standard, so it should surprise nobody that they also make a product called Blazer:
"Blazer is an application designed to encrypt a DDP V3.0 HD ROM image with the Advanced Access Content System (AACS) encryption. Blazer automatically recalculates the HCRC in the AACS encrypted image."
I contacted the company by phone this morning, and found out that the software, while it runs on XP (screenshot), only comes bundled with a workstation machine with RAID, etc. The cost is probably high, I didn't ask, but will do so later today and report my findings.
Other than this it seems the Sonic product "DVDit Pro HD" can author AACS protected Blu-Ray DDP filesets, but it doesn't have HD-DVD functionality.
Finally, an email was sent to Eclipse requesting a price quote for their EclipseSuite + AACS addon software. It runs on any hardware (ie. software-only); the specifications page states that it will run on Windows NT 4.0, 2000 and XP. It also seems to need an Adaptec SCSI controller, but those are cheap.
Last edited by Isochroma; 8th January 2007 at 21:24. |
8th January 2007, 21:11 | #485 | Link | |
Registered User
Join Date: Feb 2002
Posts: 44
|
Quote:
Yes it is speculation and you should use your own judgement and delete it yourself if you think it is out of line.
__________________
Sometimes I sit and think... and sometimes I just sit... |
|
8th January 2007, 21:40 | #487 | Link |
Registered User
Join Date: Sep 2006
Posts: 52
|
There were actually other files with the PlantDirect image, they might be important if anyone manages to get hold of Blazer or an equivalent. Note how small it all is when RARed, I suppose it's the blank revocation files.
http://www.filehost.gr/883400 The IMAGE.DAT is the same as before. I was going to make a short video with more than just a blank screen and maybe audio too, but, this sounds really stupid, I couldn't think of a way to encode just a few seconds of video with MainConcept... Any idea how to make a short animated clip with AVISynth? |
8th January 2007, 22:18 | #489 | Link |
Registered User
Join Date: Nov 2005
Posts: 6
|
Some observations for those with an HDDVD drive who know what OllyDbg is.
Seems HDDVDAdvNav.dll is the module where the stuff is located. Here are all AES function calls: Code:
;-----------------------------------------------------------
...
.text:100C350F  push 1 ; crypto mode
.text:100C3511  lea ecx, [ebp+var_40]
.text:100C3514  call CryptoModeSelector ; 1 == CBC decrypt
.text:100C3519  mov [ebp+var_4], 0
.text:100C3520  lea eax, [ebp+var_40]
.text:100C3523  push 80h ; int
.text:100C3528  push [ebp+arg_0] ; KEY!
.text:100C352B  push eax ; int
.text:100C352C  call AES_KeyExpand
.text:100C3531  mov ebx, eax
.text:100C3533  test ebx, ebx
.text:100C3535  jl short loc_100C355F
.text:100C3537  push offset CBC_InitVector ; ==0BA0F8DD..
.text:100C353C  lea eax, [ebp+var_40]
.text:100C353F  push eax ; int
.text:100C3540  call _initCBC
.text:100C3545  mov ebx, eax
.text:100C3547  test ebx, ebx
.text:100C3549  jl short loc_100C355F
.text:100C354B  push [ebp+arg_C] ; data len
.text:100C354E  push [ebp+arg_8] ; output
.text:100C3551  push [ebp+arg_4] ; input
.text:100C3554  lea eax, [ebp+var_40]
.text:100C3557  push eax ; expanded switch
.text:100C3558  call AES_SwitchFunc2
.text:100C355D  mov ebx, eax
.text:100C355F
.text:100C355F  loc_100C355F: ; CODE XREF: CBC_decrypt+4Dj
.text:100C355F  ; CBC_decrypt+61j
.text:100C355F  mov [ebp+var_4], 0FFFFFFFFh
.text:100C3566  lea ecx, [ebp+var_40]
.text:100C3569  call ClearExpandedKey
...
It was CBC mode, most likely content decryption, Title key??
;-----------------------------------------------------------
.text:100C35E8  push 21h ; crypto mode
.text:100C35EA  lea ecx, [ebp+var_54]
.text:100C35ED  mov [ebp+var_14], edx
.text:100C35F0  call CryptoModeSelector ; 21== ECB decrypt
.text:100C35F5  mov edx, [ebp+var_14]
.text:100C35F8  mov [ebp+var_4], 0
.text:100C35FF  mov ecx, [ebp+var_1C]
.text:100C3602  lea ebx, [ebp+var_54]
.text:100C3605  push 80h ; int
.text:100C360A  mov [ebp+var_14], edx
.text:100C360D  push ecx ; KEY!
.text:100C360E  push ebx ; int
.text:100C360F  call AES_KeyExpand
.text:100C3614  mov edx, [ebp+var_14]
.text:100C3617  mov ebx, eax
.text:100C3619  test ebx, ebx
.text:100C361B  jl loc_100C36AE
.text:100C3621  mov ecx, [ebp+var_20]
.text:100C3624  lea ebx, [ebp+var_54]
.text:100C3627  push 10h ; data len
.text:100C3629  mov [ebp+var_14], edx
.text:100C362C  push ecx ; output
.text:100C362D  push edx ; input
.text:100C362E  push ebx ; expanded key
.text:100C362F  call AES_SwitchFunc2
...
This one was Triple AES Generator (AES-G3)
;-----------------------------------------------------------
.text:100C3C47  push 21h
.text:100C3C49  lea ecx, [ebp+var_40]
.text:100C3C4C  call CryptoModeSelector ; 21== ECB decrypt
.text:100C3C51  mov [ebp+var_4], 0
.text:100C3C58  lea eax, [ebp+var_40]
.text:100C3C5B  push 80h ; int
.text:100C3C60  push [ebp+arg_0] ; KEY!
.text:100C3C63  push eax ; int
.text:100C3C64  call AES_KeyExpand
.text:100C3C69  mov ebx, eax
.text:100C3C6B  test ebx, ebx
.text:100C3C6D  jl short loc_100C3C82
.text:100C3C6F  lea eax, [ebp+var_40]
.text:100C3C72  push 10h ; data len
.text:100C3C74  push [ebp+arg_8] ; output
.text:100C3C77  push [ebp+arg_4] ; input
.text:100C3C7A  push eax ; expanded key
.text:100C3C7B  call AES_SwitchFunc2
.text:100C3C80  mov ebx, eax
.text:100C3C82
.text:100C3C82  loc_100C3C82: ; CODE XREF: sub_100C3C20+4Dj
.text:100C3C82  mov [ebp+var_4], 0FFFFFFFFh
.text:100C3C89  lea ecx, [ebp+var_40]
.text:100C3C8C  call ClearExpandedKey
...
ECB stuff
;-----------------------------------------------------------
.text:100DBFE6  push 21h ; crypt mode
.text:100DBFE8  lea ecx, [ebp+var_54]
.text:100DBFEB  call CryptoModeSelector ; 21== ECB decrypt
.text:100DBFF0  mov [ebp+var_4], 0
.text:100DBFF7  mov eax, [ebp+var_20]
.text:100DBFFA  lea edx, [ebp+var_54]
.text:100DBFFD  push 80h ; int
.text:100DC002  push eax ; KEY!
.text:100DC003  push edx ; int
.text:100DC004  call AES_KeyExpand
.text:100DC009  mov eax, [ebp+var_1C]
.text:100DC00C  mov edx, [ebp+var_24]
.text:100DC00F  lea ecx, [ebp+var_54]
.text:100DC012  push 10h ; data len
.text:100DC014  push eax ; output
.text:100DC015  push edx ; input
.text:100DC016  push ecx ; expanded key
.text:100DC017  call AES_SwitchFunc
.text:100DC01C  mov eax, [ebp+var_1C]
.text:100DC01F  movzx edx, byte ptr [eax]
.text:100DC022  test edx, 80h
.text:100DC028  jnz short loc_100DC084
...
This one looks interesting! Chapter 3.2.4, Calculation of Processing Key?
;-----------------------------------------------------------
.text:100DC49C  call CryptoModeSelector ; 1 == CBC decrypt
.text:100DC4A1  mov edx, [ebp+var_18]
.text:100DC4A4  mov [ebp+var_4], 1
.text:100DC4AB  mov eax, [ebp+var_24]
.text:100DC4AE  lea ecx, [ebp+var_C0]
.text:100DC4B4  push 80h ; int
.text:100DC4B9  mov [ebp+var_18], edx
.text:100DC4BC  push eax ; KEY!
.text:100DC4BD  push ecx ; int
.text:100DC4BE  call AES_KeyExpand
.text:100DC4C3  mov edx, [ebp+var_18]
.text:100DC4C6  lea ebx, [ebp+var_C0]
.text:100DC4CC  lea ecx, [ebp+var_78]
.text:100DC4CF  lea eax, [ebp+var_68]
.text:100DC4D2  push 10h ; data len
.text:100DC4D4  mov [ebp+var_18], edx
.text:100DC4D7  push eax ; output
.text:100DC4D8  push ecx ; input
.text:100DC4D9  push ebx ; expanded key
.text:100DC4DA  call AES_SwitchFunc
.text:100DC4DF  mov edx, [ebp+var_18]
.text:100DC4E2  mov [ebp+var_4], 0FFFFFFFFh
.text:100DC4E9  lea ecx, [ebp+var_C0]
.text:100DC4EF  mov [ebp+var_18], edx
.text:100DC4F2  call ClearExpandedKey
CBC decrypt again.
;-----------------------------------------------------------
.text:100DC79C  call CryptoModeSelector ; 1 == CBC decrypt
.text:100DC7A1  mov eax, [ebp+var_14]
.text:100DC7A4  mov [ebp+var_4], 0
.text:100DC7AB  mov edx, [ebp+var_24]
.text:100DC7AE  lea ecx, [ebp+var_9C]
.text:100DC7B4  push 80h ; int
.text:100DC7B9  mov [ebp+var_14], eax
.text:100DC7BC  push edx ; KEY!
.text:100DC7BD  push ecx ; int
.text:100DC7BE  call AES_KeyExpand
.text:100DC7C3  mov eax, [ebp+var_14]
.text:100DC7C6  lea ebx, [ebp+var_9C]
.text:100DC7CC  lea ecx, [ebp+var_58]
.text:100DC7CF  lea edx, [ebp+var_48]
.text:100DC7D2  push 10h ; data len
.text:100DC7D4  mov [ebp+var_14], eax
.text:100DC7D7  push edx ; output
.text:100DC7D8  push ecx ; input
.text:100DC7D9  push ebx ; expanded key
.text:100DC7DA  call AES_SwitchFunc
.text:100DC7DF  mov eax, [ebp+var_14]
.text:100DC7E2  mov [ebp+var_4], 0FFFFFFFFh
.text:100DC7E9  lea ecx, [ebp+var_9C]
.text:100DC7EF  mov [ebp+var_14], eax
.text:100DC7F2  call ClearExpandedKey
...
CBC decrypt with xoring...
Last edited by neviens; 8th January 2007 at 22:25. |
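Several of the listings above end in a ClearExpandedKey call that the error branches also jump to. As an added example (not part of the original post, and not the player's code), here is that wipe-on-every-exit pattern in C; `cipher_ctx`, `secure_wipe`, `toy_key_expand`, `toy_process` and `process_with_cleanup` are hypothetical names, and the key schedule and transform are placeholders, not AES.

```c
#include <stddef.h>
#include <stdint.h>

#define ROUND_KEY_BYTES 176  /* size of an AES-128 expanded key */
typedef struct { uint8_t round_keys[ROUND_KEY_BYTES]; int mode; } cipher_ctx;

/* Store through a volatile pointer so the compiler cannot discard the
 * writes as dead stores to an object that is never read again. */
static void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Placeholder schedule, NOT AES: derives state from the key so there is
 * something secret to clear. Rejects anything but a 128-bit key. */
static int toy_key_expand(cipher_ctx *c, const uint8_t *key, size_t bits) {
    if (key == NULL || bits != 128) return -1;
    for (size_t i = 0; i < ROUND_KEY_BYTES; i++)
        c->round_keys[i] = (uint8_t)(key[i % 16] ^ i);
    return 0;
}

/* Placeholder transform, NOT a cipher: XORs input with schedule bytes. */
static int toy_process(const cipher_ctx *c, const uint8_t *in,
                       uint8_t *out, size_t len) {
    if (len == 0 || len % 16 != 0) return -2;
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ c->round_keys[i % ROUND_KEY_BYTES];
    return 0;
}

/* The context is caller-owned only so a test can inspect it afterwards.
 * Success and both error paths all fall through the single wipe. */
int process_with_cleanup(cipher_ctx *c, const uint8_t *key, size_t bits,
                         const uint8_t *in, uint8_t *out, size_t len) {
    c->mode = 1;                          /* hypothetical mode selector */
    int rc = toy_key_expand(c, key, bits);
    if (rc == 0)
        rc = toy_process(c, in, out, len);
    secure_wipe(c, sizeof *c);
    return rc;
}

/* Returns 1 when every byte of the context is zero. */
int ctx_is_clear(const cipher_ctx *c) {
    const uint8_t *b = (const uint8_t *)c;
    for (size_t i = 0; i < sizeof *c; i++) if (b[i]) return 0;
    return 1;
}
```

The wipe limits how long the expanded key stays in that one buffer; it does nothing for the raw key or for copies held elsewhere in the process.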
8th January 2007, 22:50 | #490 | Link | |
Registered User
Join Date: Sep 2006
Posts: 52
|
Quote:
edit: Nevermind, did it with Trim() Last edited by Borbus; 8th January 2007 at 22:59. |
|
8th January 2007, 23:30 | #491 | Link | ||
Country Member
Join Date: Sep 2004
Location: is everything!
Posts: 6,499
|
Quote:
Quote:
Regards
__________________
Les Only use genuine Verbatim or Taiyo Yuden media. Last edited by blutach; 8th January 2007 at 23:47. |
||
8th January 2007, 23:34 | #492 | Link |
Registered User
Join Date: Sep 2006
Posts: 52
|
Ok, here's another image with Colorbars and a Framecount instead of nothing. Analogue output is now allowed instead of constrained.
http://www.filehost.gr/73129 The volume and title keys are in the discinfo.dat file (volume key first, then title key). Now there's probably not much else to play around with until someone can get hold of Blazer or figure out how to encrypt the video. |
8th January 2007, 23:39 | #493 | Link |
Registered User
Join Date: Dec 2006
Posts: 1
|
I'm designing a GUI for the HDDVD backup and attempting to make an easy way to enter the keys in as you get them.
Since I don't have an HDDVD player it makes it impossible for me to change any of the source that muslix provides and guarantee it works, and as such I will simply make a wrapping gui for the backup classes. If he continues to put up future releases it should be easy to plug in the new version into the gui. This is a 30 second design in java, but it makes it easier to use. I'll be posting it soon for those who want an interface rather than command line. |
8th January 2007, 23:48 | #494 | Link |
Registered User
Join Date: Mar 2005
Posts: 468
|
@Borbus: Thank you!
I haven't yet received a reply from Eclipse. It seems that for now, the best way to verify BackupHDDVD's functionality is to obtain an HD-DVD drive, AACS-protected HD-DVD disc, and player software. The Title Key must be available in the clear during the entire playback process, as it is needed to decrypt each chunk of data as it is read. Keeping the Title Key scrambled using the player software's algorithm or encrypted from disc would place a heavy burden on the CPU during playback, as it would have to be repeatedly decrypted to be used for chunk decryption, throughout playback. Considering that most machines are only just able to decode 1080p content alone, it seems unlikely that software authors would cripple their product's performance using such a method. |
9th January 2007, 00:06 | #495 | Link |
Registered User
Join Date: Mar 2004
Posts: 1,120
|
if you guys want some hd-dvd's to test you can get 2 for £2.86 delivered from a mis-price on play-asia: http://www.hotukdeals.com/forums/showthread.php?t=42021
@ polly - great work, release the sourcecode when you're done. also change the image of the dvd to this: Last edited by hajj_3; 9th January 2007 at 00:18. |
9th January 2007, 00:48 | #496 | Link | |
Registered User
Join Date: Apr 2002
Posts: 306
|
Quote:
The CPU load is enormous and regenerating keys whenever necessary, on the fly, could easily be accomplished, within the high load. Besides, compared to decrypting the content, decrypting the keys should not result in much additional load. I have a computer that plays high profile AVC HD with CoreAVC nicely. The computer can't even come close to decoding a VC-1 HD-DVD without dropping frames all over the place. The developers were probably more concerned with implementing DRM than realizing performance. Bystander's suggestions are useful, based on the behavior I've captured. Last edited by calinb; 9th January 2007 at 00:55. |
|
9th January 2007, 00:55 | #497 | Link |
Registered User
Join Date: Apr 2005
Posts: 18
|
So basically we can either add the steps in that were suggested or create a breakpoint JUST before the heap clears and instead dump the memory. What are you all using to play this.. My version of WinDVD HD crashes when I load the file..
Last edited by Jerky_san; 9th January 2007 at 01:04. |
9th January 2007, 02:05 | #498 | Link |
Registered User
Join Date: Mar 2005
Posts: 468
|
I just received an email reply from the folks at Eclipse, regarding the costs for an AACS license (required before Eclipse will sell you their product):
"It's pretty expensive. You can find more information at: http://www.aacsla.com/home I think the adopter agreement costs about $20,000 per year, and then AACS collects about $2,000 per title, and $0.04 per disc." Last edited by Isochroma; 9th January 2007 at 03:46. |
9th January 2007, 02:57 | #499 | Link |
Registered User
Join Date: Apr 2002
Posts: 306
|
Sounds like a reasonable approach to try. I suspect that most people are following Muslix64's suggestion to use PowerDVD 6.5 but he said other players may yield keys too. Try launching or enabling your debugger after a title is playing and remember that the AACS spec says stuff must be cleared when the player is stopped. I don't know about pausing play.
Last edited by calinb; 9th January 2007 at 05:18. |