23rd November 2008, 20:51 | #441 | Link |
Registered User
Join Date: Sep 2008
Posts: 189
|
I've restructured our documentation so please have a look at the table of contents. We need more people working on this if possible. Fixing grammar/bad English expressions and typos will help too. Has anyone written a description of the conversion table yet? Would you suggest moving the detailed trap descriptions to the appendix?
|
24th November 2008, 14:34 | #442 | Link | ||
Registered User
Join Date: Sep 2008
Posts: 189
|
I saw you committed a few updates including a patch to add diffarchive support. I would like to comment on this.
Quote:
Once this is done you can start the virtual machine and let it run until the first trap. In the meantime (different thread maybe?) you can apply the first chunk of patches to the (zeroed) 4MB reference memory which gives you the memory state after the first trap execution. Now when the first trap has been executed you compare both 4MB memories and if they should differ you overwrite the virtual machine memory with the reference memory. After this is done you apply the second chunk of patches to update the reference memory to the state after the second trap execution... and so on.
I believe you made it far too complicated. Have a look at the snapshots.java file and see how simple this actually is if you can afford the extra 4MB of memory. (The register snapshots are treated the same way.)
Quote:
Last edited by loo3aem3ON; 24th November 2008 at 14:40. |
||
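The check described in the post above, as an added example that is not code from the thread or from libbluray: a reference memory is advanced by each trap's patch chunk, compared with the emulator's memory, and copied over it on a mismatch. The patch record layout, the function names and the sample bytes are assumptions constructed for illustration; the page does not show the diffarchive format.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MEM_SIZE (4u * 1024u * 1024u)   /* the 4MB memory from the post */
struct patch { uint32_t offset, len; const uint8_t *bytes; }; /* hypothetical layout */

/* Apply one trap's chunk to the reference; -1 if a record leaves the 4MB. */
int apply_chunk(uint8_t *ref, const struct patch *p, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (p[i].offset > MEM_SIZE || p[i].len > MEM_SIZE - p[i].offset)
            return -1;
        memcpy(ref + p[i].offset, p[i].bytes, p[i].len);
    }
    return 0;
}

/* Count differing bytes, note the first address, then resync the VM. */
size_t sync_after_trap(uint8_t *vm, const uint8_t *ref, uint32_t *first) {
    size_t diffs = 0;
    for (uint32_t a = 0; a < MEM_SIZE; a++)
        if (vm[a] != ref[a] && diffs++ == 0)
            *first = a;
    if (diffs) memcpy(vm, ref, MEM_SIZE);
    return diffs;
}

/* Constructed run: trap 1 is emulated correctly, trap 2 misses one byte. */
size_t demo(uint32_t *first) {
    static const uint8_t t1[] = { 0x15, 0x0D, 0xEC, 0xC7 }, t2[] = { 0x80 };
    const struct patch c1 = { 0x3DFEEC, sizeof t1, t1 };
    const struct patch c2 = { 0x3DFEE9, sizeof t2, t2 };
    uint8_t *vm = calloc(MEM_SIZE, 1), *ref = calloc(MEM_SIZE, 1);
    size_t diffs = (size_t)-1;                         /* stays -1 on setup failure */
    if (vm && ref && apply_chunk(ref, &c1, 1) == 0) {
        memcpy(vm + c1.offset, t1, sizeof t1);         /* emulator got trap 1 right */
        if (sync_after_trap(vm, ref, first) == 0 && apply_chunk(ref, &c2, 1) == 0)
            diffs = sync_after_trap(vm, ref, first);   /* VM never wrote the 0x80 */
    }
    free(vm); free(ref);
    return diffs;
}

int main(void) {
    uint32_t first = 0;
    printf("trap 2: %zu byte(s) differ\n", demo(&first));
    return 0;
}
```

Because the emulator memory is resynchronised after every mismatch, each trap is checked in isolation and one wrong byte does not cascade into later comparisons.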
25th November 2008, 00:09 | #443 | Link | ||
Registered User
Join Date: Aug 2002
Posts: 111
|
Quote:
Quote:
But either way, disregard my rantings, they weren't supposed to be checked in, I did so a little bit quickly to have it committed before the end of the weekend.
Also, I read your documentation, nicely done.
Edit: I re-did the cleaning of fake repair descriptors to be done at segment-decrypt time, so they are not in the way for all the functions using conv_tab.
I will work on Win32 build today, and all issues that brings.
Otherwise, libbluray-0.0.6 should be working with the known titles.
libbluray-0.0.6.tar.gz
If you intend to try it against Jumper, don't forget you need the two shablocks, or the original encrypted 00005.m2ts file.
Last edited by Accident; 25th November 2008 at 09:37. |
||
25th November 2008, 12:42 | #444 | Link |
coffee addict
Join Date: Apr 2007
Posts: 9
|
My math guy doesn't reply ... So I'll post it here. Prove me wrong if you like
The signature for some data is calculated as follows:
Code:
m = c^d mod n
Code:
m = c^d - k*n
we know m (the signature), n = p*q (where p and q are the primes we want to get in the end) and c (which is obviously needed to check a signature) but we want to know d
Code:
m + k*n = c^d
d = log_c (m + k*n)
Code:
d = (log_2 (m + k*n))/(log_2(c))
some k has to be found to satisfy
Code:
| d' - ((log_2 (m + k*n))/(log_2(c))) | <= 2 * square_root( N )
I'm looking into some math libs to see if we could make the whole calculation streamable to save even more computation time if k is wrong, which it will be most of the time.
I will add some pseudo code in the evening... Got to go to work now. |
25th November 2008, 14:48 | #445 | Link | |||||
Registered User
Join Date: Sep 2008
Posts: 189
|
Quote:
Quote:
It's far from finished. I'm trying to attract some volunteers to help me.
Quote:
@all: Please run some tests with the movies you have and report back with the titles of those movies which don't work. Thank you.
Quote:
He probably crashed due to a memory overflow.
Quote:
My suggestion for you is to experiment on a mini RSA example with small numbers and a public exponent of e = 3. Use maple/mathematica/matlab or whatever you have access to.
Last edited by loo3aem3ON; 25th November 2008 at 14:52. |
|||||
26th November 2008, 01:17 | #447 | Link | |
Registered User
Join Date: Aug 2002
Posts: 111
|
Quote:
(+addr is libbluray, -addr is snapshots)
Code:
[dlx] Sha(003DFD8C, 00002E58, 00002000, 00000002 SHA_FINAL
'post_trap_snapshots/post_trap_mem_000973.bin'
+003DFEE0 00 00 00 00 00 00 00 00 00 00 00 00 15 0D EC C7 |................|
-003DFEE0 00 00 00 00 00 00 00 00 00 80 00 00 15 0D EC C7 |................|
[dlx] Sha(003DEB1C, 003DED1C, 00000001, 00000001 SHA_INIT
'post_trap_snapshots/post_trap_mem_003145.bin'
+003DEB30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
-003DEB30 61 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |a...............|
[dlx] Sha(003DEB1C, 003DED1D, 00000002, 00000002 SHA_FINAL
[bdtest] comparing with 'post_trap_snapshots/post_trap_mem_003146.bin'
+003DEB30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
-003DEB30 61 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |a...............|
+003DEC70 00 00 00 00 00 00 00 00 00 00 00 00 E1 E1 E1 E1 |................|
-003DEC70 01 00 00 00 00 00 00 00 08 00 00 00 E1 E1 E1 E1 |................|

Edit: I think I have SHA_UPDATE just fine. But SHA_FINAL is harder. It is like they accidentally run one extra turn after final.
Code:
+003DEB30 64 63 62 61 68 67 66 65 6C 6B 6A 69 70 6F 6E 00 |dcbahgfelkjipon.|
-003DEB30 64 63 62 61 68 67 66 65 6C 6B 6A 69 6F 6E 6D 00 |dcbahgfelkjionm.|

Both SHA_UPDATE and SHA_FINAL will process all of Jumper without mismatch.
A couple of things are worth noting: there is sha_ctxt_len set from last update, and then there is the "len" passed to SHA_FINAL. The logic in SHA_FINAL for the reference player leaves "dst" with length from "sha_ctxt_len" only. So "len" is not added on. The bytes left in "dst" are also in "sha_ctxt_len" (without len) in length. However, this is only true if that length is 44 bytes or less. If longer, it is cleared.
Secondly, OpenSSL's SHA_CTXT after SHA_FINAL, when sha_ctxt_len + len is (a multiple of) "56", is cleared. Which means I do not clear "dst", but leave it untouched.
This makes for some ugly code, and really it isn't required, but it kept me entertained at work. Completely breaks if you change endian.
Code:
#include <stdint.h>
#include <string.h>
#include <openssl/sha.h>

uint32_t sha_reference(uint8_t *dst, SHA_CTX *sha, uint32_t len, uint32_t total_len)
{
    uint32_t xlen, i;

    // Copy the five 32-bit state words to the start of dst.
    memcpy(&dst[ 0 ], &sha->h0, sizeof(sha->h0) );
    memcpy(&dst[ 4 ], &sha->h1, sizeof(sha->h1) );
    memcpy(&dst[ 8 ], &sha->h2, sizeof(sha->h2) );
    memcpy(&dst[ 12 ], &sha->h3, sizeof(sha->h3) );
    memcpy(&dst[ 16 ], &sha->h4, sizeof(sha->h4) );

    // Move all 4 bytes first:
    debugf("reference: copying all even 4s from %u\n", len);
    i = 0;
    xlen = len;
    while(xlen >= 4) {
        xlen -= 4;
        // Reference is big-endian.
        memcpy(&dst[ 20+i ], &sha->data[i/4], sizeof(sha->data[0]));
        i += 4;
    }

    debugf("reference: dealing with half-words: %u\n", len-i);
    // Deal with the remainder.
    switch(len - i) {
    case 0:
        break;
    case 3:
        dst[20 + i ] = (sha->data[i/4] & 0xFF00) >> 8;
        dst[20 + i + 1] = (sha->data[i/4] & 0xFF0000) >> 16;
        dst[20 + i + 2] = (sha->data[i/4] & 0xFF000000) >> 24;
        break;
    case 2:
        dst[20 + i ] = (sha->data[i/4] & 0xFF0000) >> 16;
        dst[20 + i + 1] = (sha->data[i/4] & 0xFF000000) >> 24;
        break;
    case 1:
        dst[20 + i] = (sha->data[i/4] & 0xFF000000) >> 24;
        break;
    }

    // Update len field, if needed
    if (total_len) {
        debugf("reference: updating total size %u\n", total_len);
        dst[340] = (uint8_t) ( total_len & 0xFF );
        dst[348] = (uint8_t) (( total_len * 8 ) & 0xFF );
        dst[349] = (uint8_t) ((( total_len * 8 ) & 0xFF00 ) >> 8 );
    }
    return 0;
}

..skip skip...

    case SHA_UPDATE:
        sha_ctxt_len += len;
        SHA1_Update(&osha, src, len);
        sha_reference(dst, &osha, osha.num, sha_ctxt_len);
        break;

    case SHA_FINAL:
        trap_Sha(dst, src, len, SHA_UPDATE); // Call above UPDATE to add in "len" bytes.
        SHA1_Final(digest, &osha);
        i = sha_ctxt_len - len; // Compute size before UPDATE added "len".
        if (!(sha_ctxt_len%56)) {
            memset(&dst[20+i], 0, 352-20-i); // Clear after "i".
            sha_reference(dst, &osha, 0, sha_ctxt_len - len);
        } else if (i > 44) {
            memset(&dst[0], 0, 352); // Clear all
            sha_reference(dst, &osha, 0, sha_ctxt_len - len);
            i = 0;
        } else {
            memset(&dst[0], 0, 352); // Clear all, rebuild all.
            sha_reference(dst, &osha, i, sha_ctxt_len - len);
        }
        // Copy over the digest
        memcpy(dst, digest, sizeof(digest));
        sha_ctxt_len = 0;
        break;

Last edited by Accident; 27th November 2008 at 04:53. |
|
26th November 2008, 20:58 | #448 | Link |
Registered User
Join Date: Sep 2008
Posts: 189
|
Thanks.
We will forgive you if you can't tell us the factorization of N or the private exponent. I've studied a few papers and it is still unknown if factoring is more difficult than the RSA problem. There is some evidence that at least for small public exponents like e=3 it might be easier to solve m^(1/3) mod N than factoring N (or equivalently calculating the private exponent d). But currently nobody knows how to do that without the trapdoor 'd'.
A different approach to forge the certificates returned by TRAP_DeviceDiscovery would be to intervene with the subsequent SHA-1 hash calculation or the encryption of the signature part of the certificate. The interesting data paths (data dependencies) for a given content code program can be found among all automatically recorded data dependencies from the certificate. |
26th November 2008, 21:24 | #449 | Link | |
Registered User
Join Date: Aug 2002
Posts: 221
|
what about this paper:
http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf
it describes timing attack on RSA:
Quote:
Last edited by xkodi; 26th November 2008 at 21:32. |
|
26th November 2008, 21:52 | #450 | Link |
Registered User
Join Date: Sep 2008
Posts: 189
|
I don't have access to any device that contains the private exponent. If I had one I wouldn't be sitting here writing postings.
Those certificates are probably created on a PC without a network connection to rule out any side channel attacks. |
27th November 2008, 09:06 | #451 | Link |
Registered User
Join Date: Sep 2004
Posts: 3
|
About RSA attack I can give you following information:
A 512 Bit RSA done with GGNFS:
Code:
with GGNFS on 2 A64 X2 4800+ in less then 2 month...
latsieve 11.10. to 14.11.
matbuild/matprune 14.11. to 16.11.
matsolve 16.11. to 30.11.
sqrt 30.11. to 01.12.

GGNFS adjusted for Intel Core2Duo :Rapidshare
Needed libgmp-3.dll DLL
May it helps... |
27th November 2008, 20:29 | #452 | Link | |
Registered User
Join Date: Jul 2004
Posts: 40
|
Quote:
|
|
27th November 2008, 22:46 | #453 | Link |
Registered User
Join Date: Aug 2008
Posts: 7
|
How about starting work on the newest batch of BD+ titles?
Here's a list of titles that confirmedly employ the newest version of BD+ (which AnyDVD-HD cannot handle yet):
Code:
Futurama: Bender's Game (USA)
Firefly, The Complete Series (USA)
Planet of the Apes (1968) (USA)
Planet of the Apes (all of the series) (USA)
Space Chimps (USA)
Meet Dave (USA)
X-Files 2 (USA)
X-Files 1 (USA)
Home Alone (USA)
The Day The Earth Stood Still: Special Edition (USA)
Horton Hears A Who (Hong Kong)
Predator 2 (1990) (UK)
Shine a Light (UK) |
27th November 2008, 22:49 | #454 | Link |
Registered User
Join Date: Sep 2008
Posts: 189
|
The general number field sieve has a subexponential runtime (brute force is exponential). It's the latest and asymptotically fastest publicly known algorithm for integer factorization. Like all the other previous versions (like the quadratic sieve) it is based on Fermat factorization. That is finding a pair (x, y) with x>1, y>1 and x!=y which satisfies x^2 = y^2 (mod N). If such a pair is found the factorization of N can be obtained easily (in most cases). Now the GNFS employs very sophisticated techniques to find such pairs which are hard to understand (for me at least). A brute force search is hopeless even for a 160-bit RSA modulus.
Our N (public modulus N = p*q) is 1280 bits long:
Code:
N = 8B169F529C28B5D45DB5D1607B831BED31381D38AEF561A43E744326DD00765E
    E7A47F353D4A8C507752B08A6671259AAF140E86EEB1D05D344EF801A5AFB150
    3A82BE089DCF25618852199D26CC79AE99466A231999AAC6C26E7DDA662304A7
    72D1B304C9CD0C724434D640E29BE64FBBE1E7993A30939D6FB925AE0C350896
    14F89FBAE9B931FC01D4D10732EB62CA8878E1894BD82F3007806D75CE172B57

People have stopped reporting results so it's probably better to work on the documentation to improve the public understanding of BD+.
Thanks for the list. Btw. there is only one version of BD+ but each disc can have a unique content code. Every time a content code doesn't run properly on SlySoft's emulator they just call it a new version of BD+ but it's not.
Last edited by loo3aem3ON; 27th November 2008 at 23:03. |
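Two ideas from this thread, the mini RSA experiment with e = 3 suggested in post #445 and the search for x^2 = y^2 (mod N) described in post #454, worked through on toy numbers as an added example (not code from the posters or from libbluray). The moduli 187 and 505, the value 5 being signed and all function names are constructed for illustration; the step counter goes slightly beyond the posts to show how the search cost grows.

```c
#include <stdint.h>
#include <stdio.h>

static uint64_t isqrt(uint64_t v) {            /* floor(sqrt(v)), small v only */
    uint64_t r = 0;
    while ((r + 1) * (r + 1) <= v) r++;
    return r;
}

static uint64_t gcd(uint64_t a, uint64_t b) {
    while (b) { uint64_t t = a % b; a = b; b = t; }
    return a;
}

/* Fermat's method for odd N: walk x up from ceil(sqrt(N)) until x^2 - N is
 * a square y^2, so x^2 = y^2 (mod N); gcd(x - y, N) then divides N.
 * Returns 1, the trivial case, when N is prime. */
uint64_t fermat_factor(uint64_t n, uint64_t *steps) {
    uint64_t x = isqrt(n);
    if (x * x < n) x++;
    for (*steps = 1; ; x++, ++*steps) {
        uint64_t y = isqrt(x * x - n);
        if (y * y == x * x - n) return gcd(x - y, n);
    }
}

uint64_t modpow(uint64_t b, uint64_t e, uint64_t n) {   /* operands < 2^32 */
    uint64_t r = 1;
    for (b %= n; e; e >>= 1, b = b * b % n)
        if (e & 1) r = r * b % n;
    return r;
}

/* Factor toy n, find d with e*d = 1 mod (p-1)(q-1), sign c as c^d mod n.
 * Returns 0 if n did not split or e has no inverse. */
uint64_t sign_after_factoring(uint64_t n, uint64_t e, uint64_t c, uint64_t *d_out) {
    uint64_t steps, p = fermat_factor(n, &steps), phi = (p - 1) * (n / p - 1);
    for (uint64_t d = 1; d < phi; d++)
        if (d * e % phi == 1) { *d_out = d; return modpow(c, d, n); }
    return 0;
}

int main(void) {                               /* constructed toy values */
    uint64_t d = 0, steps, m = sign_after_factoring(187, 3, 5, &d);
    printf("d=%u sig=%u check=%u\n", (unsigned)d, (unsigned)m, (unsigned)modpow(m, 3, 187));
    uint64_t f = fermat_factor(505, &steps);
    printf("505: factor %u after %u steps\n", (unsigned)f, (unsigned)steps);
    return 0;
}
```

The search needs one step for 187 = 11 * 17 but 31 steps for 505 = 5 * 101: the cost of this plain form grows with the gap between the two primes, which is why it only works on toy moduli.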
29th November 2008, 22:57 | #459 | Link |
Registered User
Join Date: Oct 2006
Posts: 19
|
Ok so I uploaded this to rapidshare.
http://rapidshare.de/files/41026609/..._java.rar.html
Hope you can use this. Greets |
30th November 2008, 00:49 | #460 | Link |
Registered User
Join Date: Sep 2008
Posts: 189
|
Thank you. I am getting a conversion table which means the key set is accepted. The segment keys are wrong though; this is usually due to bugs or, more likely in this case, the wrong SHA-1 hashes of the files I don't have:
Code:
[I] TRAP_MediaSHAFileHash: Hashing AACS/MKB_RO.inf
[I] TRAP_MediaSHAFileHash: Hashing BDMV/STREAM/00008.m2ts

I am confident that you will get the correct conversion table. You can test its integrity using ConvTableView which is available from the Dump HD thread.
And it's not Java opcode (like your filename suggests you think it is) but DLX-like opcode. The content code runs on a DLX-like processor. This processor is simulated by our emulator which is implemented in Java. Accident has implemented the same emulator in C which runs several times faster.
Last edited by loo3aem3ON; 30th November 2008 at 00:51. |