11th January 2007, 15:09 | #561
Registered User
Join Date: Jan 2007
Posts: 6
Continuing CowBell's line of thought with what I understood from feizex's post:

Wouldn't it be, in theory, possible to create an HD-DVD image like the one Borbus created, with an MKB file that has an empty DRL and HRL but a very high version number? Burn that image and play it in the HD-DVD drive (probably the XBOX drive, as this is the most popular). This would force the authentication process to be skipped in future, as the system now thinks it has the highest versions of the DRL and HRL (but they are empty)?

@IsoChroma: Since you are the one who contacted Eclipse... would the above idea need a license from the AACS LA (to create a "valid" HD-DVD image, I mean)?
11th January 2007, 15:11 | #562
Registered User
Join Date: Jan 2007
Posts: 6
BackupHDDVD requires either the Volume Key or Title Keys... is having a player key of any use? I mean, if I had a player key, where is the encrypted Volume Key on the disc, so that it can be decrypted using the Player Key?
11th January 2007, 16:37 | #563
Registered User
Join Date: Dec 2006
Posts: 13
Quote:
At this point the player key is not interesting. It's only AACS LA that can create signed MKBs.
11th January 2007, 16:39 | #564
Registered User
Join Date: Jan 2007
Posts: 2
Read chapter 3 of AACS_spec_common_0.91: they describe the algorithm Kd (you call it player key), MKB (you read it on the DVD) --> Km: media key; there is an example in Java!

Then you go to AACS-spec_prerecorded_0.91 and in §3.3 you see how to compute the volume key and title key from the media key. Have you got Kd keys?
11th January 2007, 17:16 | #565
Registered User
Join Date: Dec 2006
Posts: 202
Hi Neviens,

I have made a program which can log the input and output of any function in PowerDVD. I now used it to monitor the function you disassembled and commented in post #490. These are the results of the 4 input parameters:

33d1e40 300a520 30061dc 2190
33d1e40 30125e8 7e002e4 2190
33d1e40 301b008 2fd72cc 2190
33d1e40 2ff4148 2fefe04 2190
33d1e40 7eeb1e0 2fc77c4 2190
33d1e40 2ff1b38 2fed7f4 2190
33d1e40 2fc51e0 2fed7f4 2190

Obviously the first 3 parameters are pointers, so I might log the memory to which they point. Is this of any use to you? Do you want to see other results or logs of different function calls?

P.S.: I can not play HD-DVD on my system, so these are the calls up to the point that PowerDVD displays the error message that my system is not sufficient to play HD-DVD.

Last edited by evdberg; 11th January 2007 at 19:27.
11th January 2007, 18:45 | #566
Registered User
Join Date: Oct 2006
Posts: 12
Rather off topic, but I thought it a nice thing to... share.

"Many media content owners believe web surfers should pay to watch their material, just like other audiences, and protect their files with digital rights management (DRM) constraints that prevent people making copies. A recent Treasury report on intellectual property concluded that this kind of protection actually encourages innovation and creates the next big thing that consumers seek."
Source: http://tinyurl.com/yxyoxq

Please could I have some DRM, ohh please?

And good job so far on the hunt, I'm enjoying the reading so far, wish I could join in. I do like the idea of re-writing the stored cache of banned keys; perhaps check with "the dangerous brothers" if they could look at a firmware hack?
11th January 2007, 22:26 | #567
Registered User
Join Date: Nov 2005
Posts: 6
Quote:
that actually don't play a content. You see, there isn't any call with fourth argument = 10h, but most (all?) AES operations on keys are exactly with 10h bytes of data. We need to cooperate with somebody who can play a HD-DVD.

2. What data output from your program is necessary:
a) the key. Pointer to the AES key is the 2nd argument of AES_KeyExpand(), and the key length is always 10h (16 decimal).
b) input buffer (for operations with keys only). Pointer to the input buffer is the 2nd arg of AES_SwitchFunc*().
c) output buffer (for operations with keys only). Pointer to the output buffer is the 3rd arg of AES_SwitchFunc*().
Length of buffers = 10h.

If we want to begin with the title key, then it's necessary to hook the CBC decrypt function @100C34E8, I think. One call to this function decrypts the device keys file 001.fcl with hexadecimal key 00010203000102030001020300010203. One of the two remaining calls must be content deciphering! We need only the 2nd arg of AES_KeyExpand(), the title key.

Oh, it's so difficult to live without a debugger :(
11th January 2007, 22:52 | #568
Registered User
Join Date: Jan 2007
Posts: 55
Just a little comparison I made between PowerDVD and WinDVD:
I noticed the contents of the VTKF000.AACS file are there a few times in PowerDVD's memory, but not at all in WinDVD's memory. I'm not sure if this means anything, just a thought.
11th January 2007, 23:20 | #569
Registered User
Join Date: Dec 2006
Posts: 202
I prepared the log below earlier this evening. It is the 32 bytes of each of the 3 argument pointers before (Input) and after (Output) the function call. You can clearly see the key you mentioned in the 1st argument.

I will see tomorrow if I can log what you asked for ... What do you mean with your last sentence? Don't you have a debugger?

Input:
00 01 02 03 00 01 02 03 00 01 02 03 00 01 02 03
47 65 6e 75 69 6e 65 49 6e 74 65 6c 00 00 00 00   GenuineIntel
43 2c e9 fe 25 1c a3 0f bb 80 27 e9 8b 19 8c c4
a4 d4 f4 91 ad c3 43 a2 8b db 29 52 d5 79 3f 07
34 33 32 63 65 39 66 65 32 35 31 63 61 33 30 66   432ce9fe251ca30f
62 62 38 30 32 37 65 39 38 62 31 39 38 63 63 34   bb8027e98b198cc4
Output:
00 01 02 03 00 01 02 03 00 01 02 03 00 01 02 03
47 65 6e 75 69 6e 65 49 6e 74 65 6c 00 00 00 00
a0 e0 12 00 dc 03 2f 03 01 00 00 00 ac e0 12 00
5c 0f 2f 03 00 00 00 00 00 00 00 00 90 2d 00 03
46 43 4c 46 49 45 4c 44 78 4c f5 c3 63 97 a4 39
04 06 a4 9f 78 00 c7 7d e9 0c b3 4c 00 1d f3 6b

Input:
00 01 02 03 00 01 02 03 00 01 02 03 00 01 02 03
47 65 6e 75 69 6e 65 49 6e 74 65 6c 00 00 00 00
43 2c e9 fe 25 1c a3 0f bb 80 27 e9 8b 19 8c c4
a4 d4 f4 91 ad c3 43 a2 8b db 29 52 d5 79 3f 07
34 33 32 63 65 39 66 65 32 35 31 63 61 33 30 66
62 62 38 30 32 37 65 39 38 62 31 39 38 63 63 34
Output:
00 01 02 03 00 01 02 03 00 01 02 03 00 01 02 03
47 65 6e 75 69 6e 65 49 6e 74 65 6c 00 00 00 00
ac df 12 00 dc 03 2f 03 01 00 00 00 b8 df 12 00
5c 0f 2f 03 00 00 00 00 00 00 00 00 88 ee 00 03
46 43 4c 46 49 45 4c 44 78 4c f5 c3 63 97 a4 39
04 06 a4 9f 78 00 c7 7d e9 0c b3 4c 00 1d f3 6b

Input:
00 01 02 03 00 01 02 03 00 01 02 03 00 01 02 03
47 65 6e 75 69 6e 65 49 6e 74 65 6c 00 00 00 00
43 2c e9 fe 25 1c a3 0f bb 80 27 e9 8b 19 8c c4
a4 d4 f4 91 ad c3 43 a2 8b db 29 52 d5 79 3f 07
34 33 32 63 65 39 66 65 32 35 31 63 61 33 30 66
62 62 38 30 32 37 65 39 38 62 31 39 38 63 63 34
Output:
00 01 02 03 00 01 02 03 00 01 02 03 00 01 02 03
47 65 6e 75 69 6e 65 49 6e 74 65 6c 00 00 00 00
60 db 12 00 dc 03 2f 03 01 00 00 00 6c db 12 00
5c 0f 2f 03 00 00 00 00 00 00 00 00 90 2d 00 03
46 43 4c 46 49 45 4c 44 78 4c f5 c3 63 97 a4 39
04 06 a4 9f 78 00 c7 7d e9 0c b3 4c 00 1d f3 6b

Input:
00 01 02 03 00 01 02 03 00 01 02 03 00 01 02 03
47 65 6e 75 69 6e 65 49 6e 74 65 6c 00 00 00 00
43 2c e9 fe 25 1c a3 0f bb 80 27 e9 8b 19 8c c4
a4 d4 f4 91 ad c3 43 a2 8b db 29 52 d5 79 3f 07
34 33 32 63 65 39 66 65 32 35 31 63 61 33 30 66
62 62 38 30 32 37 65 39 38 62 31 39 38 63 63 34
Output:
00 01 02 03 00 01 02 03 00 01 02 03 00 01 02 03
47 65 6e 75 69 6e 65 49 6e 74 65 6c 00 00 00 00
6c da 12 00 dc 03 2f 03 01 00 00 00 78 da 12 00
5c 0f 2f 03 00 00 00 00 00 00 00 00 70 d9 00 03
46 43 4c 46 49 45 4c 44 78 4c f5 c3 63 97 a4 39
04 06 a4 9f 78 00 c7 7d e9 0c b3 4c 00 1d f3 6b

Input:
00 01 02 03 00 01 02 03 00 01 02 03 00 01 02 03
47 65 6e 75 69 6e 65 49 6e 74 65 6c 00 00 00 00
43 2c e9 fe 25 1c a3 0f bb 80 27 e9 8b 19 8c c4
a4 d4 f4 91 ad c3 43 a2 8b db 29 52 d5 79 3f 07
34 33 32 63 65 39 66 65 32 35 31 63 61 33 30 66
62 62 38 30 32 37 65 39 38 62 31 39 38 63 63 34
Output:
00 01 02 03 00 01 02 03 00 01 02 03 00 01 02 03
47 65 6e 75 69 6e 65 49 6e 74 65 6c 00 00 00 00
a0 db 12 00 dc 03 2f 03 01 00 00 00 ac db 12 00
5c 0f 2f 03 00 00 00 00 00 00 00 00 90 2d 00 03
46 43 4c 46 49 45 4c 44 78 4c f5 c3 63 97 a4 39
04 06 a4 9f 78 00 c7 7d e9 0c b3 4c 00 1d f3 6b

Input:
00 01 02 03 00 01 02 03 00 01 02 03 00 01 02 03
47 65 6e 75 69 6e 65 49 6e 74 65 6c 00 00 00 00
43 2c e9 fe 25 1c a3 0f bb 80 27 e9 8b 19 8c c4
a4 d4 f4 91 ad c3 43 a2 8b db 29 52 d5 79 3f 07
34 33 32 63 65 39 66 65 32 35 31 63 61 33 30 66
62 62 38 30 32 37 65 39 38 62 31 39 38 63 63 34
Output:
00 01 02 03 00 01 02 03 00 01 02 03 00 01 02 03
47 65 6e 75 69 6e 65 49 6e 74 65 6c 00 00 00 00
ac da 12 00 dc 03 2f 03 01 00 00 00 b8 da 12 00
5c 0f 2f 03 00 00 00 00 00 00 00 00 e8 2f 00 08
46 43 4c 46 49 45 4c 44 78 4c f5 c3 63 97 a4 39
04 06 a4 9f 78 00 c7 7d e9 0c b3 4c 00 1d f3 6b
12th January 2007, 02:40 | #570
Registered User
Join Date: Dec 2006
Posts: 35
Problem with "In movie experience" (IME) feature

There is a problem with the playback of movies having the "In movie experience" (IME) feature. This is not a BackupHDDVD problem but a PowerDVD problem: PowerDVD cannot play decrypted content having the extra streams required for the IME feature. It simply crashes...

In order to play the content, you have to remove these extra streams. I have identified: audio substream 0xc8 and video substream 0xd3. I managed to get smooth audio playback, but not smooth video playback so far...

If you want to experiment with BackupHDDVD, make sure your movie doesn't have the IME feature, or just use one of the movies I have listed in my first post.

I hope we will have an open source player to play decrypted EVOB files soon. (VideoLan!)
12th January 2007, 02:45 | #571
Registered User
Join Date: Dec 2006
Posts: 35
Hint

Do you know about the "known-plaintext attack"?
It takes my keyfinder tool only a few seconds to locate the key in the memory dump file using the known-plaintext attack. You don't have to mess with tracing/debugging the code. Just dump the memory...
12th January 2007, 03:53 | #576
Registered User
Join Date: Dec 2006
Posts: 154
Quote:
On a different note, are the keys padded with 00 00 00?

Are you talking about taking some data from an unencrypted EVOB that is constant for all EVOBs and brute-forcing memory for a key that yields a result which contains that data?

Last edited by noclip; 12th January 2007 at 04:00.
12th January 2007, 04:23 | #577
Registered User
Join Date: Dec 2006
Posts: 35
Yes, my vacation went well, thanks DanITMan.

Ok, let's call it a "guessed-plaintext attack" if you want. Get it? Take a look at the actual packs in the stream. Anything special?

Last edited by muslix64; 12th January 2007 at 04:29. Reason: Typo
12th January 2007, 04:41 | #578
Registered User
Join Date: Dec 2006
Posts: 154
The packs in the encrypted EVOBs on the HD-DVD? The packs of the unencrypted EVOB as it's decrypted for playback?
Is the known (guessed) data in the unencrypted portion of each pack?

Edit: Also, could you please come to the #doom9 channel on efnet?

Last edited by noclip; 12th January 2007 at 05:19.
12th January 2007, 05:33 | #579
Registered User
Join Date: Jan 2007
Posts: 55
Muslix64, without disrespect, I would like to know why you are giving us everything but precise information, and how you believe this might help us out in the long run.

I am no assembly programmer myself, and have been following this thread since the beginning, but have found little if any help in the "clues" you have been providing. In my understanding, you are trying to make a riddle out of this, which is, in my opinion, throwing people onto different tracks and not necessarily "helping" out. If you are trying to help with good intentions, though, then I am simply not "wise" enough to connect with your clues or sayings.

Memory locations, constants and key locations are what everybody is seeking here. I think many have been working really hard on this, but it seems to be going round and round for most.

Furthermore, I do appreciate the work you have put into writing the code for BackupHDDVD, and it will surely serve a purpose some day when we hopefully, and finally, get our hands on the keys.

Last edited by Janvitos; 12th January 2007 at 05:35.
12th January 2007, 06:34 | #580
Registered User
Join Date: Dec 2006
Posts: 11
Uh... Plausible deniability.

As for the known plaintext, perhaps some header info? "The HD DVD-Video format is licensed by the DVD Forum, which publishes the HD DVD-Video Specifications." I haven't found that yet. Anyone want to post a link?

Besides that, the same approach could be used to find the volume key once you have the title key.
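The "guessed-plaintext" key search that muslix64 hints at in #571 and that #576 through #580 try to pin down, as an added example; it is not code from this thread, from BackupHDDVD or from any player. Everything in it is an assumption for the demo: the guessed plaintext is the MPEG-2 program-stream pack_start_code 00 00 01 BA at the start of an encrypted pack, the content cipher is AES-128-CBC with an IV the scanner knows (a zero IV here), and the key lies somewhere in a memory dump at an arbitrary byte offset. The dump, the packs and the key are all constructed inside the block. The algorithm is the general one the thread describes rather than any one player's layout: slide a 16-byte window over the dump one byte at a time, decrypt only the first ciphertext block under each candidate, and accept a candidate only if every sample pack decrypts to the guessed header.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Guessed plaintext for the demo: an MPEG-2 program-stream pack begins with
// pack_start_code 00 00 01 BA. Assumption of this example, not a statement
// about the HD DVD-Video or AACS layout.
var packStartCode = []byte{0x00, 0x00, 0x01, 0xBA}

// Zero IV for the constructed samples (demo assumption). A real scanner must
// use whatever IV the target scheme uses for the first block.
var demoIV = make([]byte, aes.BlockSize)

// EncryptCBC encrypts a block-aligned plaintext with AES-128-CBC.
func EncryptCBC(key, iv, plain []byte) ([]byte, error) {
	if len(plain)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext is not block aligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plain)
	return out, nil
}

// BuildDump returns a constructed "memory dump": random junk, the key, more
// junk. The key sits at an arbitrary byte offset on purpose, so a scanner
// that only tried 16-byte aligned windows would miss it.
func BuildDump(key []byte, before, after int) []byte {
	dump := make([]byte, before+len(key)+after)
	if _, err := rand.Read(dump); err != nil {
		panic(err)
	}
	copy(dump[before:], key)
	return dump
}

// firstBlockMatches decrypts only the first ciphertext block under the
// candidate and checks for the known prefix. In CBC mode P0 = D(K, C0) XOR IV,
// so C0 and the IV are all that is needed to test a guess.
func firstBlockMatches(block cipher.Block, iv, ct, known []byte) bool {
	var p0 [aes.BlockSize]byte
	block.Decrypt(p0[:], ct[:aes.BlockSize])
	for i := range p0 {
		p0[i] ^= iv[i]
	}
	return bytes.HasPrefix(p0[:], known)
}

// FindKey slides a 16-byte window over dump one byte at a time and returns the
// offset and value of the first window under which every sample's first block
// decrypts to the known prefix. Requiring all samples to match guards against
// the roughly 2^-32 chance per window that a random key yields a 4-byte header.
func FindKey(dump []byte, samples [][]byte, iv, known []byte) (int, []byte, bool) {
	if len(dump) < aes.BlockSize || len(samples) == 0 {
		return -1, nil, false
	}
	for off := 0; off+aes.BlockSize <= len(dump); off++ {
		cand := dump[off : off+aes.BlockSize]
		block, err := aes.NewCipher(cand)
		if err != nil {
			return -1, nil, false
		}
		ok := true
		for _, ct := range samples {
			if len(ct) < aes.BlockSize || !firstBlockMatches(block, iv, ct, known) {
				ok = false
				break
			}
		}
		if ok {
			return off, append([]byte(nil), cand...), true
		}
	}
	return -1, nil, false
}

// MakeSamplePacks builds n constructed 2048-byte packs, each starting with
// packStartCode and filled with deterministic filler, encrypted under key.
func MakeSamplePacks(key []byte, n int) ([][]byte, error) {
	var out [][]byte
	for i := 0; i < n; i++ {
		plain := make([]byte, 2048)
		copy(plain, packStartCode)
		for j := len(packStartCode); j < len(plain); j++ {
			plain[j] = byte(i + j)
		}
		ct, err := EncryptCBC(key, demoIV, plain)
		if err != nil {
			return nil, err
		}
		out = append(out, ct)
	}
	return out, nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key
	samples, err := MakeSamplePacks(key, 2)
	if err != nil {
		panic(err)
	}
	dump := BuildDump(key, 4093, 8192)
	off, k, ok := FindKey(dump, samples, demoIV, packStartCode)
	fmt.Printf("found=%v offset=%d key=%x\n", ok, off, k)
}
```

The cost is one AES block decryption per byte of dump per sample, so a dump of a few hundred megabytes is tens of millions of block operations, which is seconds of work on a 2007 PC and matches the "few seconds" muslix64 mentions. The two things a real run has to get right are the ones labelled as assumptions above: which bytes are actually constant in the encrypted region (a header in an unencrypted part of the pack is useless as a test), and what IV or chaining the first encrypted block uses, since a wrong IV makes every candidate fail even when the key is in the dump.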