Old 11th February 2007, 08:54   #101  |  Link
Adub
Fighting spam with a fish
Join Date: Sep 2005
Posts: 2,685
Excellent job!
This is really great as it provides another manner of attack, thus preventing, well, "prevention".
Now, how the heck did you do it?
__________________
FAQs:Bond's AVC/H.264 FAQ
Site:Adubvideo
Old 11th February 2007, 13:17   #102  |  Link
arnezami
Registered User
 
Join Date: Sep 2006
Posts: 390
Wooow. I think I did it.

Processing Key found!!!



More info later.

To be sure I need to confirm my finding. I need the following (from anybody with a HD DVD disc):

1) - Movie Title (not King Kong please)

2) - The Verify Media Key Record in the MKBROM.AACS file. It starts with 81 00 00 14 followed by the 16 byte Record. In my case this is at Offset 00000120h. Here is mine:
Code:
81 00 00 14 87 B8 A2 B7 C1 0B 9F AD F8 C4 36 1E 23 86 59 E5 7F 00 00 xx
3) - The first C-Value in the MKBROM.AACS file (also called Media Key Data). It starts with 05 00 20 14 (the 20 14 could be different but is probably the same) followed by the first 16 byte C-Value. In my case this is at Offset 00004376h. Here is mine:
Code:
05 00 20 14 6D 02 CA C6 7B 1A 7E 95 C2 16 EF D4 C9 28 09 CF D3 CE 9A DC
If you react quickly I can check if the Processing Key is really valid (for multiple discs).



Yeah I'm happy...

arnezami
Old 11th February 2007, 13:38   #103  |  Link
hajj_3
Registered User
 
Join Date: Mar 2004
Posts: 744
I'm confused with all these keys lol. Hopefully all the keys will be found on the disc soon, rather than in memory, so we can scan the disc and find all the keys.
Old 11th February 2007, 14:01   #104  |  Link
Eeknay
Registered User
 
Join Date: Jul 2005
Posts: 54
1.) The Departed
2.)
Quote:
FF 29 11 E9 96 16 5D 97 29 2D BB A0 3C A9 0D E0
3.)
Quote:
68 07 C3 23 7E 18 6F 7F BC 78 E2 DC 26 C5 84 0B
Hope that helps.

EDIT: Here's another disc just for kicks.

1.) Spy Game
2.)
Quote:
7C AD 1D 65 D5 9E C1 67 A7 96 E5 C2 13 23 08 22
3.)
Quote:
59 28 94 3F 5C 09 19 2C 8D 54 0A 77 45 BE 3E 6D

Last edited by Eeknay; 11th February 2007 at 14:06.
Old 11th February 2007, 14:09   #105  |  Link
arnezami
Registered User
 
Join Date: Sep 2006
Posts: 390
Quote:
Originally Posted by Eeknay View Post
1.) The Departed
2.)
3.)

Hope that helps.

EDIT: Here's another disc just for kicks.

1.) Spy Game
2.)
3.)
YES YES YES!! It works!

I'm going to take some rest now (I need it). But will tell all later.

Here is the Processing Key which should work on all HD DVD discs (and maybe even Blu-Ray discs) released so far:

Code:
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Save it. Store it.

Regards,

arnezami

PS. As explained before, in order to get a VUK you now only need a Volume ID (which should be fairly easy to get or even to guess...).

Last edited by arnezami; 11th February 2007 at 14:11.
Old 11th February 2007, 14:53   #106  |  Link
hd1080p
Registered User
 
Join Date: Jan 2007
Posts: 21
Indeed a real breakthrough!!

Congrats everybody for the thrill of witnessing how DRM was defeated. February 11, 2007 is a day to be remembered.
I predict that movies will one day be liberated without DRM and we are all going to lose all the fun and excitement.
Fairuse wins!!


PS. As in LOR, this is the KEY(RING) to conquer all!!
Now, we have to find the processing key for Blu-ray to help out the HD-DVD market position. Movie studios may just stop releasing new movies on HD-DVDs. There should be a level playing field for the competing formats.

Last edited by hd1080p; 11th February 2007 at 15:45. Reason: Comment
Old 11th February 2007, 14:54   #107  |  Link
blutach
Country Member
Join Date: Sep 2004
Location: is everything!
Posts: 6,499
Nice work arnezami

Regards
__________________
Les

Only use genuine Verbatim or Taiyo Yuden media.
Old 11th February 2007, 17:12   #108  |  Link
arnezami
Registered User
 
Join Date: Sep 2006
Posts: 390
Thank you all. It's been a pleasure.

As I understand, some of you are interested in how I retrieved the Media and Processing Keys. I will tell what I did.

Most of the time I spent studying the AACS papers. A good understanding of how things worked has helped me greatly in knowing what to look for in the first place (and how to recognize something). I may write an explanation of (my understanding of) how AACS works, in particular the subset-difference technique (which is by far the hardest to understand), at a later date if you guys want me to.

But anyway. Since the moment I found the Volume ID (which was much simpler than I had thought) my thought was to try to find the Media Key. But after some discussion I thought it might be better to go directly for the Device Keys (bad mistake). After looking at files created and changed by the software player and trying to recognize Device Keys in memory dumps, I was starting to get a bit worried. I wasn't making any progress.

So I went back to my original idea: a bottom-up approach. So first I tried to find the Media Key. One of the logical things to do even before that was to search for the Verify Media Key Record in memory. But it wasn't there. I then started to work on a little proggy that would scan a memdump and treat everything as a Media Key: thus trying to verify it with the Verify Media Key Record. No luck.

This was frustrating: all kinds of information was in the memdump but not the Media Key (I had sort of assumed/hoped it would be). I made several memdumps at different moments but nada, nothing. After throwing it all away I remembered I still had a "corrupt" memdump from WinHex (it failed to finish because WinHex said the memory had changed). It was really small compared to the others, so I didn't have much hope. But when running it through my proggy: voila! I found it. Which finally gave me hope I was going in the right direction.

There were just two major problems left: how do you detect the Processing Key, and if it's not in memory how do you find it at all? Well, since I now knew how things worked, I knew the Processing Key had to be combined with a C-value to produce the Media Key. The problem was that there are 513 C-values in the MKB! Searching the memory (several megabytes) for a Processing Key assuming just one C-value would take minutes (if not hours, depending on the size of the dump). So doing them all would take very long. And that while I didn't even know for sure there was a Processing Key in memory to begin with. I made a proggy that did this, but using my favorite "corrupt" memdump I didn't find any Processing Key in the first megabyte (not for any C-value). It didn't look good.

But then I realized why I first didn't find the Media Key: it was removed from memory after the Volume ID was retrieved and the VUK calculated. I also saw that in my "corrupt" memdump the VUK, Vol ID, Media Key and the Title Key MAC were all closely clustered in memory: in the first 50kb (of the entire multi-megabyte file!), but there were large empty parts around it. Almost as if it had been cleaned up.

This gave me an idea: what I wanted to do was "record" all changes in this part of memory during startup of the movie. Hopefully I would catch something interesting. In the end I did something a little more efficient: I used the HD DVD VUK extractor (thanks ape!) and adapted it to slow down the software player (while scanning its memory continuously), and at the very moment the Media Key (which I now knew: my bottom-up approach really paid off here) was detected it halted the player. I then made a memdump with WinHex. I now had the feeling I had something.

And I did. Not surprisingly, the very first C-value was a hit. I then checked if everything was correct, asked for confirmation and here we are.

Hope you enjoyed the ride. I'm thinking about a proof-of-concept proggy which does all the steps (from Processing Key to C-value to Media Key to Volume ID to VUK). It would require a Volume ID as input (which might be retrieved/guessed in another program or extension, whatever). But the most important part is done: we have a Processing Key.

I'm also thinking about doing a full explanation of the AACS protection system (or at least the subset-difference technique). But only if there is any demand for it.

Regards,

arnezami

PS. For the keen observer: I'm not telling which player I used (well, you can guess but you might guess wrong) to retrieve the Processing Key, because I don't want to give the AACS LA any extra legal ammunition against any player company. Nothing was hacked, cracked or even reverse engineered, btw: I only had to watch the "show" in my own memory. No debugger was used, no binaries changed.

Last edited by arnezami; 11th February 2007 at 19:21.
Old 11th February 2007, 17:18   #109  |  Link
jokin
Dwight Schrute's homeboy
 
Join Date: Jan 2007
Location: The Office
Posts: 136
Awesome awesome work.

And when you have time please explain the subset-difference technique.

Thanks again.
Old 11th February 2007, 17:22   #110  |  Link
hd1080p
Registered User
 
Join Date: Jan 2007
Posts: 21
What a show!!

It is better than the real movie show. You are a genius!!
Please continue the work with Blu-ray.
Old 11th February 2007, 17:24   #111  |  Link
zeroprobe
Registered User
 
Join Date: Jan 2002
Posts: 155
Great stuff. More write-ups of the whole process would be greatly appreciated. The more information the better.

How about one for Blu-ray?
Old 11th February 2007, 17:25   #112  |  Link
arnezami
Registered User
 
Join Date: Sep 2006
Posts: 390
Quote:
Originally Posted by hd1080p View Post
It is better than the real movie show. You are a genius!!
Please continue the work with Blu-ray.
If somebody can give the same info Eeknay gave above (but for a Blu-Ray disc) I could see if this Processing Key works for Blu-Ray as well.

Last edited by arnezami; 11th February 2007 at 17:42.
Old 11th February 2007, 17:29   #113  |  Link
pacman2006
Registered User
 
Join Date: Dec 2006
Posts: 11
Amazing work Arnezami!

I'm trying to understand the full aspect of having a processing key. Will this work for future discs too, or is this key also revocable?
Old 11th February 2007, 17:40   #114  |  Link
hd1080p
Registered User
 
Join Date: Jan 2007
Posts: 21
Unfortunately, they (MPAA) can change the keys for future releases. At least now all current HD-DVD releases are deemed DRM free.
Fortunately, using ARNEZAMI's methodology, we can find them again using the particular player. Of course, they (the player vendor) can change the way they implement the AACS DRM, or the MPAA people can even change the AACS specs.

Quote:
Originally Posted by pacman2006 View Post
Amazing work Arnezami!

I'm trying to understand the full aspect of having a processing key. Will this work for future discs too, or is this key also revocable?

Last edited by hd1080p; 11th February 2007 at 18:13. Reason: Error
Old 11th February 2007, 18:14   #115  |  Link
LokiHD
Registered User
 
Join Date: Dec 2006
Posts: 48
nice!

too funny..
Old 11th February 2007, 18:15   #116  |  Link
mb2696
Registered User
 
Join Date: Jan 2007
Posts: 39
@arnezami - Amazing work!!! I'd really like to hear your in-depth take on AACS as well.
Old 11th February 2007, 18:18   #117  |  Link
madshi
Registered Developer
 
Join Date: Sep 2006
Posts: 8,914
That sounds very nice!

But what happens if Volume IDs are created with real random numbers in the future? Will a Processing Key then still help?

Thanks!
Old 11th February 2007, 19:33   #118  |  Link
buttfacepoop
Registered User
 
Join Date: Feb 2005
Posts: 13
Quote:
Regards,

arnezami

PS. For the keen observer: I'm not telling which player I used (well, you can guess but you might guess wrong) to retrieve the Processing Key, because I don't want to give the AACS LA any extra legal ammunition against any player company. Nothing was hacked, cracked or even reverse engineered, btw: I only had to watch the "show" in my own memory. No debugger was used, no binaries changed.
arnezami,

thanks for your fantastic work.

I think describing your exact method of finding the key, however, may lead people/the MPAA to the exact player that is being used. Perhaps when you crack the player in the future, just post the key, no explanation?
Old 11th February 2007, 20:40   #119  |  Link
SBeaver
Registered User
 
Join Date: Dec 2002
Posts: 86
I wasn't expecting this so soon.
You really did a great job, and whoever made the software player f**ked up severely.

You shouldn't give up on the device keys though, we should steal all the keys they have.

BTW, is it possible to find the processing key with the USB sniffer, now that you know what the key is?
Or is it moved over in encrypted form?
And finding it on the disk would be great, even if it's encrypted in several layers.

Anyway, you rock
Old 11th February 2007, 21:53   #120  |  Link
tonyp12
Registered User
 
Join Date: Oct 2002
Location: Florida, USA
Posts: 90
So now that we have a Processing Key,
how time consuming would it be to guess the VID (instead of USB sniffing)?

For example a decrypter that says
"please wait, I'm trying 2 million possible keys"
and does that in about 30 seconds.

Last edited by tonyp12; 11th February 2007 at 22:01.