Welcome to Doom9's Forum, THE in-place to be for everyone interested in DVD conversion. Before you start posting please read the forum rules. By posting to this forum you agree to abide by the rules. |
8th January 2007, 08:41 | #464 | Link |
Registered User
Join Date: Mar 2005
Posts: 468
|
@Borbus: Excellent work! I had only hoped that this step would be fairly feasible; you've proven this supposition correct. However, it would be good if you can generate one more sample ISO, this time with two items different:
1. It should have a few frames of visible content, so we can see that the player is actually working.The reason why Susana had no problem playing the file is because the title key was generated from a portion of the available keyspace assigned to Scenarist's application license. The disc key was undoubtedly also added but not displayed; it is only required when the player supports and requires disc authentication, which daemon tools and isobuster do not, of course. Because of that, any player with a licensed unrevoked decryption key will be able to play the files in his ISO. The important part of the AACS is not in the ISO volume structure; it is the files themselves that are encrypted, just like regular DVD VOBs. And it is their encryption which BackupHDDVD is purportedly capable of removing, provided the correct Title Key. Now, getting those files off a real HD-DVD disc requires the player to authenticate the disc, or vice-versa. That step should be automatic, ie. people have been able to copy the EVOBs from HD-DVDs with only the UDF 2.5 driver and drive installed. Last edited by Isochroma; 8th January 2007 at 08:53. |
8th January 2007, 08:48 | #465 | Link | |
Registered User
Join Date: Sep 2006
Posts: 52
|
I just read this in the documentation, so actually it probably isn't feasible:
Quote:
edit 1: Daemon Tools does mount PlantDirect images somehow... now uploading the image... Last edited by Borbus; 8th January 2007 at 08:52. |
|
8th January 2007, 08:57 | #466 | Link |
Registered User
Join Date: Mar 2005
Posts: 468
|
The AACS they are referring to is probably the Disc Key system. What makes me think this is in the AACS Settings dialog, the Enable AACS checkbox and associated settings are in their own separate area.
Something to test: if you uncheck Enable AACS, do the Title Settings below go gray? |
8th January 2007, 09:06 | #468 | Link |
Registered User
Join Date: Sep 2006
Posts: 52
|
Ok, here's the PlantDirect image. The AACS stuff makes it much bigger:
http://www.filehost.gr/276912 I'm still not sure if the video is encrypted though because it's exactly the same size but I don't have a registered version of ISOBuster to extract the files with. The keys are the same as before: Volume: C29E56D1E80EA92B010733C46A73DECA Title: 6ACF5ADFCFD8A3D404D0DB6155229D36 |
8th January 2007, 09:35 | #470 | Link | |
Country Member
Join Date: Sep 2004
Location: is everything!
Posts: 6,499
|
Another totally off topic post. Posters have been warned enough. Keep to the topic please! Strike issued.
Regards Quote:
Regards
__________________
Les Only use genuine Verbatim or Taiyo Yuden media. |
|
8th January 2007, 11:12 | #471 | Link | |
Registered User
Join Date: Mar 2006
Location: Grand StrateGuerre
Posts: 362
|
Quote:
with a specific software from AACS (with yours keys, like CSS with Scenarist SD).... The video file in movie stream is a H264 encoded by MainConcept 2.0.1889 HP@L4.1 (1920x1084 ?), there is no audio stream. Golgot13 Last edited by Golgot13; 8th January 2007 at 11:31. |
|
8th January 2007, 11:17 | #472 | Link |
Registered User
Join Date: Jan 2002
Posts: 155
|
Damn it was a nice idea. Back to square one.
Quote from sonopress.co.uk "The Content owner provides the authored HD DVD data to a licensed replicator, the authoring project needs to be set up or “flagged” for subsequent processing. The AACS Licensing Authority provides the replicator with keys and a Content Certificate that allows the blocking of content to be copied from the playback device or even put settings to the output of a player that allows the downscaling of HD signals at the analogue output in order to prevent copying of the analogue signal. The replicator then manufactures the HD DVDs, which carry the encrypted content and the AACS data, and they are shipped to the customers. AACS LA also supplies Device Keys and the Public Key to licensed player manufacturers, which will allow legally produced discs to play without problem" Last edited by zeroprobe; 8th January 2007 at 11:41. |
8th January 2007, 12:19 | #476 | Link |
Registered User
Join Date: Dec 2006
Posts: 11
|
If the "the information in AACS folder is good". (IE, you have encrypted title key and other info in there)
Are you saying that you have everything but the encrypted video? Why not just encrypt it with your title key? There may be other requirements though... "A Player shall decide that a Disc to be played back is an AACS Disc if the AACS-Compliant drive for the Player is able to read the PMSN or if the drive is able to read the Volume ID." Page105 - content binding diagram shows requirements for Media Key Block (MKB), VolumeID and Encrypted Title key. Last edited by feizex; 8th January 2007 at 13:16. |
8th January 2007, 14:18 | #477 | Link |
Registered User
Join Date: Nov 2001
Posts: 24
|
question: why write your own crypto implementation, when there exist off-the-shelf libraries? random example: http://www.cryptopp.com/.
answer: obscurity. cheers, -- pete |
8th January 2007, 19:01 | #478 | Link |
Registered User
Join Date: Jan 2007
Posts: 45
|
Alright, for those who are interested.
Nothing is loaded into memory when PowerDVD is running. It is only when you press the play button. The code that first loads the AACS files into memory is from the HDDVDAdvNav.dll file. From here the following DLL's are used: CBS.dll, and FileSystemMgr.dll Here is the code that loads the AACS files: Code:
1009D460 /$ 56 PUSH ESI ; Loads Files into Memory 1009D461 |. 8BF1 MOV ESI,ECX 1009D463 |. E8 A8F7FFFF CALL HDDVDAdv.1009CC10 1009D468 |. 68 C8B71D10 PUSH HDDVDAdv.101DB7C8 ; /Arg3 = 101DB7C8 1009D46D |. 8D86 A0000000 LEA EAX,DWORD PTR DS:[ESI+A0] ; |AACS/MKBROM.AACS 1009D473 |. 50 PUSH EAX ; |Arg2 1009D474 |. 8D8E 9C000000 LEA ECX,DWORD PTR DS:[ESI+9C] ; | 1009D47A |. 51 PUSH ECX ; |Arg1 1009D47B |. 8BCE MOV ECX,ESI ; | 1009D47D |. E8 FEFBFFFF CALL HDDVDAdv.1009D080 ; \HDDVDAdv.1009D080 1009D482 |. 8D8E 24010000 LEA ECX,DWORD PTR DS:[ESI+124] 1009D488 |. FF15 18031A10 CALL DWORD PTR DS:[<&MSVCP71.?c_str@?$ba>; MSVCP71.?data@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEPB_WXZ 1009D48E |. 50 PUSH EAX ; /Arg3 1009D48F |. 8D96 A8000000 LEA EDX,DWORD PTR DS:[ESI+A8] ; |AACS/VTKF000.AACS 1009D495 |. 52 PUSH EDX ; |Arg2 1009D496 |. 8D86 A4000000 LEA EAX,DWORD PTR DS:[ESI+A4] ; | 1009D49C |. 50 PUSH EAX ; |Arg1 1009D49D |. 8BCE MOV ECX,ESI ; | 1009D49F |. E8 DCFBFFFF CALL HDDVDAdv.1009D080 ; \HDDVDAdv.1009D080 1009D4A4 |. 68 74B81D10 PUSH HDDVDAdv.101DB874 ; /Arg3 = 101DB874 1009D4A9 |. 8D8E C8000000 LEA ECX,DWORD PTR DS:[ESI+C8] ; |AACS/CONTENT_HASH_TABLE2..AACS 1009D4AF |. 51 PUSH ECX ; |Arg2 1009D4B0 |. 8D96 C4000000 LEA EDX,DWORD PTR DS:[ESI+C4] ; | 1009D4B6 |. 52 PUSH EDX ; |Arg1 1009D4B7 |. 8BCE MOV ECX,ESI ; | 1009D4B9 |. E8 C2FBFFFF CALL HDDVDAdv.1009D080 ; \HDDVDAdv.1009D080 1009D4BE |. 68 38B81D10 PUSH HDDVDAdv.101DB838 ; /Arg3 = 101DB838 1009D4C3 |. 8D86 D0000000 LEA EAX,DWORD PTR DS:[ESI+D0] ; |AACS/CONTENT_HASH_TABEL1.AACS 1009D4C9 |. 50 PUSH EAX ; |Arg2 1009D4CA |. 8D8E CC000000 LEA ECX,DWORD PTR DS:[ESI+CC] ; | 1009D4D0 |. 51 PUSH ECX ; |Arg1 1009D4D1 |. 8BCE MOV ECX,ESI ; | 1009D4D3 |. E8 A8FBFFFF CALL HDDVDAdv.1009D080 ; \HDDVDAdv.1009D080 1009D4D8 |. 68 08B81D10 PUSH HDDVDAdv.101DB808 ; /Arg3 = 101DB808 1009D4DD |. 8D96 D8000000 LEA EDX,DWORD PTR DS:[ESI+D8] ; |AACS/CONTENT_CERT.AACS 1009D4E3 |. 52 PUSH EDX ; |Arg2 1009D4E4 |. 8D86 D4000000 LEA EAX,DWORD PTR DS:[ESI+D4] ; | 1009D4EA |. 50 PUSH EAX ; |Arg1 1009D4EB |. 8BCE MOV ECX,ESI ; | 1009D4ED |. E8 8EFBFFFF CALL HDDVDAdv.1009D080 ; \HDDVDAdv.1009D080 1009D4F2 |. 68 B0B81D10 PUSH HDDVDAdv.101DB8B0 ; /Arg3 = 101DB8B0 1009D4F7 |. 8D8E E0000000 LEA ECX,DWORD PTR DS:[ESI+E0] ; |AACS/CONTENT_REVOCATION_LIST.AACS 1009D4FD |. 51 PUSH ECX ; |Arg2 1009D4FE |. 8D96 DC000000 LEA EDX,DWORD PTR DS:[ESI+DC] ; | 1009D504 |. 52 PUSH EDX ; |Arg1 1009D505 |. 8BCE MOV ECX,ESI ; | 1009D507 |. E8 74FBFFFF CALL HDDVDAdv.1009D080 ; \HDDVDAdv.1009D080 1009D50C |. 8D8E 40010000 LEA ECX,DWORD PTR DS:[ESI+140] 1009D512 |. FF15 18031A10 CALL DWORD PTR DS:[<&MSVCP71.?c_str@?$ba>; MSVCP71.?data@?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@QBEPB_WXZ 1009D518 |. 50 PUSH EAX ; /Arg3 1009D519 |. 8D86 C0000000 LEA EAX,DWORD PTR DS:[ESI+C0] ; |AACS/VTUF000.AACS 1009D51F |. 50 PUSH EAX ; |Arg2 1009D520 |. 8D8E BC000000 LEA ECX,DWORD PTR DS:[ESI+BC] ; | 1009D526 |. 51 PUSH ECX ; |Arg1 1009D527 |. 8BCE MOV ECX,ESI ; | 1009D529 |. E8 52FBFFFF CALL HDDVDAdv.1009D080 ; \HDDVDAdv.1009D080 1009D52E |. 5E POP ESI 1009D52F \. C3 RETN The magic call to remove the AACS stuff is here: Code:
028D4D4B /74 09 JE SHORT FileSyst.028D4D56 ; force this jump 028D4D4D . |50 PUSH EAX 028D4D4E |E8 87320000 CALL <JMP.&MSVCR71.??_V@YAXPAX@Z> ; clears heap ... file info is gone This should get you started.... enjoy P.S. After it's loaded might want to break into the RSAENH.dll (windows\system32 directory) and you'll notice it's doing the Cryptography (SHA1 too). And remember to stop the HeapFree command when you are tracing to stop it from hiding it's tracks. Last edited by Bystander; 8th January 2007 at 19:22. |
8th January 2007, 19:27 | #479 | Link |
Registered User
Join Date: Apr 2005
Posts: 18
|
1009D48F |. 8D96 A8000000 LEA EDX,DWORD PTR DS:[ESI+A8] ; |AACS/VTKF000.AACS so it loads the all talked about file just after it loads
1009D46D |. 8D86 A0000000 LEA EAX,DWORD PTR DS:[ESI+A0] ; |AACS/MKBROM.AACS Then it loads up 2 sets of hash tables along with the Revocation list along with a 1009D4DD |. 8D96 D8000000 LEA EDX,DWORD PTR DS:[ESI+D8] ; |AACS/CONTENT_CERT.AACS (wonder what this file has) and then 1009D519 |. 8D86 C0000000 LEA EAX,DWORD PTR DS:[ESI+C0] ; |AACS/VTUF000.AACS VTKF000.AACS and VTUF000.AACS The Change in the K and U are these the K and U that they are talking about in the specs? You add them together you get the key? Also perhpas they are right they didn't use the RAM but instead kept it all in the registers of the CPU? .. I dunno though Me + Assembly = Bad grade last semester so I dunno if I reading it right.. Last edited by Jerky_san; 8th January 2007 at 19:29. |
8th January 2007, 19:41 | #480 | Link |
Registered User
Join Date: Jan 2007
Posts: 45
|
The code does exist in memory. Regardless if it's in the drive or the computer it must reside in the memory before it gets to the processor. Most protections will mask/overwrite the code once it does what it needs to do which literally removes it from memory.
Nothing magical about that. |
Thread Tools | Search this Thread |
Display Modes | |
|
|