BackupHDDVD, a tool to decrypt AACS protected movies

[Beastie Boy]

Just a thought...
If BackupHDDVD is able to take an encrypted video and a key, and from that write an unencrypted video, can it be modded to take an unencrypted video with key and produce encrypted video?

There seem to be quite a few posts around claiming that BackupHDDVD is very simple Java code that pulls together standard encryption packages and writes the output. I'm assuming that if packages exist to decode AACS encryption, then they also exist to encode.

If this is the case, then it would be possible to produce encrypted content for which the key is known.

Cheers, Beastie.

[Pomyk]

For the video stream it would be possible, but not for the keys (they are encrypted differently).

Quote:

Originally Posted by The_ByteMaster

I've noticed in the FAQ.txt for 0.99 and 1.00, Muslix64 uses the following example TITLE key:

12-08A3DC61910280F2...

None of the example discs in the .cfg files use key # 12, but so far I haven't seen confirmed nor denied that this is part of an actual title key (instead of some random hex gibberish). Did Muslix leave this there on purpose -without mentioning which disc it is- so people can look for this string in memory/registers?

(I don't own a HDDVD drive so I can't help out).

If looking for the the FAQ.txt key snippet doesn't work, maybe the easiest would be playing the movie "Van Helsing" and only look for memory locations starting with 19 to find the title key.
Maybe try to first play Van Helsing and then play for example Tomb Raider 1 and then look for memory locations changing from 19 to 6 (is it 06 ??).

Code:

CE6339246F34087AB355681DEB656D23DCD5BD86=Full Metal Jacket        | 1-00000000000000000000000000000000
486198E3855B57CD40F6DC0C60645BDE8E1E9AC5=Van Helsing              |19-00000000000000000000000000000000
B5A8E784B83E793AB246D0C5F7C148A39D7F4856=Tomb Raider 1            | 6-00000000000000000000000000000000
4ACABE525F5CBF77DAA43EA2B83E04918D5FA6D4=Apollo 13                | 1-00000000000000000000000000000000
3D357B0653A66176583C5218FD0149EAF8832FB0=The Last Samurai         | 1-00000000000000000000000000000000
610CF1EB362D40050123E92F063D51AC05676F37=The Fugitive             | 1-00000000000000000000000000000000

Field 1 is the SHA1 Hash of the VTKF000.AACS file on your HDDVD disk, you can use this to make sure you got the same movie version as used above.

[crashd]

Perhaps a "side channel" attack could be implemented, similar to the one described in Adi Shamir's Cache Timing Attack? Just throwing it out there

[inurenegade]

just curious what are the unencrypted keys supposed to be in
hex, decimal, octal, binary?

[Gradius]

Looks like to be decimals.

19-A8249382FD7237CA etc, would looks odd !

Anyway it should to be HEX ! (doh!)

[Warren]

Just so you know, the XX- is not a part of the key (it's the key #) and the textual representation of the keys that you see is not what would be in memory. You would have to convert that Hex string to actual hex values which would be half the length of the string, ie 16 bytes.

[Janvitos]

I wonder why he didn't put the king kong movie in there.
After all, it does come free with the Xbox 360 HD-DVD drive.

[Frank Kao]

To see Muslix64's java code, I noticed that Muslix64 did not do a very complex task. But now, so many people start dump PowerDVD's memory and trace PowerDVD's code, but we still cannot do the same thing as Muslix64. why ?

In the FAQ, Muslix64 said he has two players and he found the key in the memory. So I give up trace PowerDVD's code and try to dump WinDVD's memory. Wa, I can found the title key in the WinDVD's memory and use this key to rip the movie. You should be curious about why I know this is a title key. ^Q^ I just put the value into backupHDDVD.

Now, I realize the whole Muslix64's story. Why did Muslix64 play the video with PowerDVD? ^Q^ That is because WinDVD cannot play .evo file. We waste too much time is just we chosen a wrong player.

[Warren]

Care to enlighten us on how to find keys in WinDVD then Frank? Breakpoint addresses and instructions on how to find the key from there would be nice.

[cyber1]

Quote:

Originally Posted by Frank Kao

To see Muslix64's java code, I noticed that Muslix64 did not do a very complex task. But now, so many people start dump PowerDVD's memory and trace PowerDVD's code, but we still cannot do the same thing as Muslix64. why ?

In the FAQ, Muslix64 said he has two players and he found the key in the memory. So I give up trace PowerDVD's code and try to dump WinDVD's memory. Wa, I can found the title key in the WinDVD's memory and use this key to rip the movie. You should be curious about why I know this is a title key. ^Q^ I just put the value into backupHDDVD.

Now, I realize the whole Muslix64's story. Why did Muslix64 play the video with PowerDVD? ^Q^ That is because WinDVD cannot play .evo file. We waste too much time is just we chosen a wrong player.

Yes, but every software-player will have the key in memory at some time, however some may be easier to debug. And when they revoke WinDVDs player key, we still need to find another player, so its good to have several players memory "debugged".

[Janvitos]

Can anybody enlighten me as to what WinDVD version plays HD-DVDs ?
I got my hands on WinDVD 8 but it wont play any HD-DVD movies i feed it.

[Frank Kao]

Quote:

Originally Posted by cyber1

Yes, but every software-player will have the key in memory at some time, however some may be easier to debug. And when they revoke WinDVDs player key, we still need to find another player, so its good to have several players memory "debugged".

Yes, you are right. After we finding a key in a player, then AACS will revoke the device key of the player. So we must do again and again the same thing. And of course the player will try to make it stronger than previous version. So we will very tired always.
This is also the purpose of AACS, it knows it is impossible to do a un-crackable device or software, so it designs a way to revoke the device key. Finally, we will give up to crack it. Because it is too tired and too bored.

[Frank Kao]

Quote:

Originally Posted by Warren

Care to enlighten us on how to find keys in WinDVD then Frank? Breakpoint addresses and instructions on how to find the key from there would be nice.

Sorry, I do not trace the WinDVD code by Ollydbg or Idapro. I just search the memory and call backupHDDVD. If the value can rip a short segment of video header, I think I find it. It mays take a long time but it works.

[feizex]

Hi Frank,

Sounds like you found the key.

Send it in a private message to blutach

Quick Links > Private Messages > Send New Message

If you can, send him the complete line out of the BACKUPHDDVD TKDB.cfg file.

Regards,
Feizex.

[Warren]

Frank, so have you successfully found a key yet using this technique or is this just what you're planning on doing?

[Frank Kao]

Quote:

Originally Posted by Warren

Frank, so have you successfully found a key yet using this technique or is this just what you're planning on doing?

Now, I can realize why Muslix64 do not talk any more. This topic is too sensitive. I just want to say "Muslix64 did not lie". You can do it by yourself, and then you will find everything you want.

[DerKönig]

@Frank:

The latest version of WinDVD i.e. ver 8 does not play HD-DVD or bluray discs yet (says so on Intervideo's website also). So Im wondering what version of WinDVD did you use to play while you dumped the memory...

[DerKönig]

Muslix64 had stated that the reason he got to write BackupHDDVD is because (from his Saga.txt):

"But when I realized the 2 software
players on windows don't allowed me to play the movie at all, because my video card is not HDCP compliant and because I
have a HD monitor plugged with DVI interface, I started to get mad..."

Notice that he said he had 2 software players. He also repeatedly stated that "as long as there are weak players, key extraction will be possible" He used PowerDVD in the video and Cyberlink stated many times that PowerDVD is secure.... leads me to think that the other player that Muslix64 had was the weak one from which key extraction from memory was possible. Perhaps the reason why he chose not to mention the name of the player or show it in the video is because once the player is known, the device key would be revoked....

Could people who know please post all the makes and versions of software players out there that are currently capable of HD-DVD playback....

[tonyp12]

Only Windvd-8 Japanese version can play HD-DVD

The $26 upgrade HD pack is very close to be released.

If you could get a free trail download of this pack to
go with the free trial of WinDVD 8 Platinum you could tinker around for awhile.

But no news when the HD pack is coming out.