Welcome to Doom9's Forum, THE in-place to be for everyone interested in DVD conversion. Before you start posting please read the forum rules. By posting to this forum you agree to abide by the rules. |
8th January 2007, 02:03 | #441 | Link |
Registered User
Join Date: Mar 2005
Posts: 468
|
The biggest bottleneck in the player vulnerability discovery process is that we are searching for two unknowns. The first is the title key, and the second is the location in memory, registers, files, etc. where the software player might store it. The logical option would be to eliminate as many unknowns as possible.
There is a much easier method to determine whether PowerDVD or any other software 'leaks' title keys, and to also test BackupHDDVD's ability to properly decrypt HD-DVD content, given a correct title key, than to try playing commercial HD-DVDs with unknown title keys on a drive few have and which requires a hacked UDF 2.5 driver to work. First, rather than have to acquire a commercial HD-DVD movie disc and HD-DVD drive to enable reading of its contents, it might be easier to just make some HD-DVD content. Sonic Scenarist can author HD-DVD content, and also provides the ability to protect the content using standard AACS encryption:
For other softwares which require an actual HD-DVD drive for playback, there are two options: 1. The Sonic Scenarist software already includes a drive emulator ("Multiplexed software emulation of HD DVD Advanced Content Volumes").Now we can make up a tiny 1920x1080 MPEG-2, H264 or VC-1 file, and using Scenarist create the HD-DVD fileset. Most importantly, we now know the title key - in both its encrypted and unencrypted forms, since we authored the files. Should our authoring package not provide the facility, the 'HD-DVD Authoring to DVD --+ Media' thread on the AVS forum provides the required method to convert the HD-DVD fileset to an ISO image, which has been tested and found compatible with at least one hardware player; thus it should be compatible with software players also. At this point, the player software can be tested on the files, either by direct playback (PowerDVD) or by emulation. With either the Microsoft or Sonic emulator installed, the ISO file can be mounted and read by software players which cannot play raw filesets. It now becomes a trivial task to search memory and other places for the keys. It also becomes easy to find if and where in the player code vulnerabilities exist; since we know what the original keys are, we can simply search for them. Last edited by Isochroma; 8th January 2007 at 07:08. |
8th January 2007, 02:14 | #442 | Link |
Registered User
Join Date: Apr 2005
Posts: 18
|
..dang Isochroma that is a very good idea lol.. I'm doing that right now.. I'll report my results if any.. Also Ulead does have ISO ability but I'm not seeing the encryption ability anywhere..
Last edited by Jerky_san; 8th January 2007 at 02:31. |
8th January 2007, 02:50 | #444 | Link | ||
Registered User
Join Date: Jan 2003
Posts: 26
|
Quote:
Quote:
Secondly I take Cyberlink's statement with a very large grain of salt, obviously their software plays HD-DVDs, so the Title key must be stored somewhere in unecrypted form, at least for a short while. If it's stored somewhere, then it can be read from this location. Perhaps Cyberlink discovered some new programming method, which allowes them to access data which does not exist, but this would be the first I've heard of it.
__________________
Fresco, the next Generation X windows www.fresco.org |
||
8th January 2007, 02:53 | #445 | Link |
Solaris: burnt by the Sun
Join Date: Oct 2004
Location: /etc/default/moo
Posts: 1,923
|
the only way I could think of that they could even say that the key wasn't in memory would to do something very simple with it
fragment it in memory have the first 8 bits at location 4 second 8 bits at location 65535 next 8 bits at 217 so on and so forth so it would be rather easy to reconstitute the key but more difficult to track it down |
8th January 2007, 03:00 | #446 | Link | |
Registered User
Join Date: Jan 2003
Posts: 26
|
Quote:
BTW: Is it possible to dump the values stored in CPU registers? Because at some point the key would need to be reconstituted so it can be used for decryption. Afterall, you can divide something up, but you still have to remember what all the parts together are at some point.
__________________
Fresco, the next Generation X windows www.fresco.org |
|
8th January 2007, 03:23 | #447 | Link |
Registered User
Join Date: Mar 2005
Posts: 468
|
Even better, using the method in my previous post, multiple copies of the exact same content can be authored, with the only difference being the title key.
Then each can be played in turn, and dumps of the suspected key storage areas made (memory, registers, files, etc.). Comparing the dumps, the differences between them will point to the location(s) where key information is stored. This process will significantly increase the ease, speed and reliability of software player vulnerability testing, while decreasing its costs and implementation complexity. Furthermore, by running a player capable of non-emulated (direct file) playback within a debugger environment, the process may be automated. First, a set of small test filesets authored from the same content is created, with the only difference being title key. Next, these sets are segregated each in its own folder at a known location on hard drive. Next, the player application, provided it is capable of commandline specification of source fileset for playback, is fed the parameters on its virtual commandline within the debugger environment. After a preset time period determined by the tested initialization time, the debugger does a total or partial memory or register dump to a file, and terminates the running debug environment. Next, the debugger either exits as specified or is terminated by scheduled task, using third party software if necessary. The next scheduled task restarts the debugger with different commandline parameters, which are passed into the player's commandline within the new debug environment. These parameters sequentially specify the various authored HD-DVD filesets and debug dump files. When the sequence has run to completion, a binary compare utility can be launched interactively or via commandline or scheduled task with parameters specifying the debugger's memory dump files. The binary compare utility will produce a difference file or files which highlight differences between the test runs, which can be examined by the user to rapidly narrow and finally discover key locations. Finally, even if the authoring software does not provide the end user with either or both the encrypted or unencrypted title key, and even if the player software encrypts or scrambles the title key in memory, this method will at least pinpoint the location(s) used by the player software to store the key data. If the authoring software provides either the encrypted or plaintext key, then it is also possible to, using different keys and repeated test runs, discover the relationship between encrypted key and scrambled encrypted/decrypted key in the player application's memory space, or alternately, find the code responsible for key storage allocation and/or scrambling. Knowing the location(s) used and also knowing the player's scrambling algorithm (if any), it will be possible to, for a given player, write a software which runs concurrently and, provided the operating system does not enforce protected memory space, snoop the values for any real disc which the software player plays. Finally, the scrambling can be undone to provide the plaintext title key, which can be provided to secondary decryption software, such as BackupHDDVD. Last edited by Isochroma; 8th January 2007 at 04:08. |
8th January 2007, 03:25 | #448 | Link | |
Registered User
Join Date: Jan 2003
Posts: 26
|
Quote:
__________________
Fresco, the next Generation X windows www.fresco.org |
|
8th January 2007, 04:09 | #450 | Link | |
Solaris: burnt by the Sun
Join Date: Oct 2004
Location: /etc/default/moo
Posts: 1,923
|
Quote:
so they must have done some sort of obfuscation or something on the key so that they key itself is not in memory as a whole, but parts, cyphered etc... could exist and not be readable unless you know where and how it was done |
|
8th January 2007, 05:45 | #452 | Link | |
Registered User
Join Date: Apr 2002
Posts: 306
|
Quote:
I suggest that sensitive or perhaps even speculatiive brainstorming, that might be considered off-topic here, be conducted offline in an anonymous forum. Install I2P and join the discussion: http://forum.i2p/viewtopic.php?p=9157#9157 (The link doesn't work unless you've installed I2P) Dear mods: if you've not ever used I2P and visited the I2P forum, I must assure you that it's not a warez site. It is simply a public site where users may speak freely with a high degree of anonymity. It is available to anyone who installs I2P software. New I2P users: Let's keep it that way! This is about exercising Fair Use rights and no more/less! Last edited by calinb; 8th January 2007 at 08:57. |
|
8th January 2007, 06:14 | #453 | Link |
Registered User
Join Date: Mar 2005
Posts: 468
|
@calinb: There is no need for secrecy: what was done in secret by the making of the HD-DVD and Blu-Ray copy protection schemes, will be undone in public.
Like good encryption, good decryption will not die by being exposed for all the world to see. In this case, the hardware standard is already set in stone, with thousands of players and lots of discs already sold, so that's not going to change. As far as player software, that will always change, but it will be reverse-engineered too, using the same or better methods. Fundamentally, there is no way to keep the system closed as long as PC playback is a possibility. The possibilities mentioned in my last two posts have no doubt already been thought of or are soon to be seen by player developers. The ideas are general, and apply to a wide range of possible cases; more like a sample guide for security auditing. Perhaps most importantly, there is nothing player developers can do but issue an ever-growing stream of updates and new versions with ever more convoluted protection schemes, that will all be reverse engineered. The only real threat to this kind of attack is a protective operating system, like Vista. But like russian dolls, cracks will be found and made at all layers, so even that will not stand long. As for personal risk, I won't post anything here that is illegal in my country, or against forum rules, so I have nothing to fear. I hope this is the case for all posters, because all that needs to be accomplished can be done right here without any problems from either local policies or enforcement agencies, if users think carefully before posting. |
8th January 2007, 07:29 | #454 | Link | |
Registered User
Join Date: Apr 2002
Posts: 306
|
Quote:
|
|
8th January 2007, 07:39 | #455 | Link |
Registered User
Join Date: Sep 2006
Posts: 52
|
I have tried to make a HD-DVD image with Scenarist. I can't test it because it's obviously UDF2.5 and mounting with Daemon Tools doesn't work. I can't find UDF 2.5 drivers. It's only 4.5MB so if it's not right it doesn't waste much bandwidth.
http://www.filehost.gr/643076 If anyone can get it to work, the keys should be: C29E56D1E80EA92B010733C46A73DECA 6ACF5ADFCFD8A3D404D0DB6155229D36 I think the second one is for the main video. Not sure what the other one is for. It's the first time I've used Scenarist so it probably is wrong... By the way id anyone's interested I just made a blank 1920x1080 video with AVISynth and encoded it with Mainconcept h264. x264 doesn't work for creating compliant elementary h264 streams. edit: the first one is the volume key, the second one is the title key for the single title in the ISO. Last edited by Borbus; 8th January 2007 at 08:20. |
8th January 2007, 08:00 | #456 | Link |
Registered User
Join Date: Apr 2005
Location: Spain
Posts: 181
|
Daemon 4.0 works, I've just do it.
Played with windvd 8. 7 seconds clip. Edit: extracting files with isobuster 2, plays same way. No aacs proteccion in that iso. ?? Remains in memory ?? Last edited by Susana; 8th January 2007 at 08:09. |
8th January 2007, 08:02 | #457 | Link |
Registered User
Join Date: Mar 2005
Posts: 468
|
Returning to the topic at hand - which in this case is the BackupHDDVD application - I'd like to extend my congratulations to Muslix64, who not only chose a username corresponding with my favorite cereal, but also made good effort to build an application which may help the cause of fair use.
The most valuable thing Muslix64 has provided by establishing this thread is not an application called BackupHDDVD, but an idea called YouCanBackupYourHDDVD. Just by building an application which may or may not decrypt HD-DVDs, and dropping hints and clues in his posts and release notes, his ideas are now making lots of people think about how to make applications which can do the same or better. Perhaps the YouTube video itself was the best inspiration; even if it was an utter fraud it provided and still provides a glimmer of the light at the end of the tunnel for fair use in the twenty-first century. The hardest step to take is always the first one, but as soon as someone does, many more are both informed and inspired to follow. Of course, often that first step is over a cliff or into a deep quicksand, but that doesn't really matter. What matters is that such an event changes many people's thought patterns from "we are victims" to "we can change this". The holdup is almost always a lack of will and faith in capability, not in intelligence per se., manpower, technology or money. |
8th January 2007, 08:08 | #458 | Link |
Registered User
Join Date: Mar 2005
Posts: 468
|
@Borbus: excellent work! I've downloaded the file but don't yet have the player to test with. Also it is late at night right now; I will write more tomorrow.
I can confirm that the ISO mounts fine with Daemon Tools, but Windows cannot recognize the filesystem; I don't have the UDF 2.5 driver installed (yet). I'd hoped that Scenarist might come with the driver, since it should also include the emulator. @Borbus: can you confirm if anywhere in the package, is located the emulator? Also, it is likely that the Microsoft HD DVD Interactivity Jumpstart includes a UDF 2.5 driver, since it would be rather pointless for a development kit of this type to not have it, hopefully? I will install a UDF 2.5 driver tomorrow and report on further findings. Last edited by Isochroma; 8th January 2007 at 08:12. |
8th January 2007, 08:10 | #459 | Link | |
Registered User
Join Date: Sep 2006
Posts: 52
|
Quote:
Here's a screenshot of me enabling AACS: Last edited by Borbus; 8th January 2007 at 08:18. |
|
8th January 2007, 08:16 | #460 | Link |
Registered User
Join Date: Dec 2006
Posts: 1
|
http://www.macfergus.com/niels/dmca/cia.html
Finally, 5 days, that's really, really @$@^$% up. I found that link. It's good reading, old though. |
Thread Tools | Search this Thread |
Display Modes | |
|
|