4th September 2017, 08:53   #221
Originally Posted by m4tthi4s:
Do you have more information? How did you find out that it is encrypted?
I think "encrypted" is the wrong choice of words. The keys are no longer available at fixed offsets and the presence of keys also seems to depend on the timing of the dump. It doesn't seem like they are actively trying to hide keys though. Even a simple xor would make us find nothing. I don't remember if previously the unitkeys were present but now they are. So possibly they just changed some code which has some bad side effects for us. Judging from a couple of tests, most if not all keys are still present when the dump is taken at the right time but at semi-random locations.

Brute force is a way to get keys from the dump but each key requires a different kind of verification and is obviously more time consuming than dumping data at fixed offsets. However, such a general implementation would also work with dumps from other rippers/players that have at least title keys (Leawo, etc.) so the effort seems worthwhile.
Posted by candela
4th September 2017, 20:31   #222
I think the memory area we're usually searching for is a c-structure - and that the relevant information (volumeid, mediakey, vuk) is still there, but not in plaintext any longer... I also noticed that the beginning of the structure is different now, so basically it might be possible to detect if it's a plaintext structure or an obfuscated one without even validating the vuk, but for the moment I'll just check the version of DVDfab and Passkey and exit in case an unsupported version is discovered.

If anyone is interested: I already created a brute-force application that is simply searching for a valid VUK in a memory dump - using 4 threads that check simultaneously it takes about 2 min to check all possible combinations in a 100 MB binary file and personally I've no idea how I could optimize this any further (AES encoding / decoding is already done with libgcrypt because the internal PureBasic methods are way too slow) and with 4 threads my CPU is already at its limit.

So for the moment it's easier to use an older release of the DVDFab applications (and I can install different releases without restarting Windows - so I think it's no problem at all to switch to an older release for FindVUK and install the current one again afterwards).
Posted by nalor
