Welcome to Doom9's Forum, THE in-place to be for everyone interested in DVD conversion.

Before you start posting please read the forum rules. By posting to this forum you agree to abide by the rules.

 

Go Back   Doom9's Forum > General > Decrypting

Reply
 
Thread Tools Search this Thread Display Modes
Old 20th January 2007, 10:20   #1  |  Link
ape
Registered User
 
Join Date: Sep 2004
Posts: 16
hd-dvd volume key finder

hi, i've coded a little c++ app to grab the volume key from windvd memory.
this uses the same method as jokin's winhex script/bat files (searching for 200000003F00000080000000)
just run windvd and get a hd-dvd playing, then hit "get volume key" and it should find it.
i have posted the source as well incase anyone wants to improve it or fix incompatibilities.

binary:
hxxp://glib.name/hddvd_vukeyfinder.zip

source code (warning: this is a mess ):
hxxp://glib.name/hddvd_vukeyfinder_src.zip
some parts are from d2hackit v2.0 & hxxp://www.codeproject.com/threads/MDumpAll.asp
Attached Files
File Type: zip hddvd_vukeyfinder.zip (4.1 KB, 4147 views)
File Type: zip hddvd_vukeyfinder_src.zip (23.6 KB, 2549 views)

Last edited by ape; 22nd January 2007 at 23:54.
ape is offline   Reply With Quote
Old 20th January 2007, 11:08   #2  |  Link
jokin
Dwight Schrute's homeboy
 
Join Date: Jan 2007
Location: The Office
Posts: 136
Quote:
Originally Posted by ape View Post
hi, i've coded a little c++ app to grab the volume key from windvd memory.
this uses the same method as jokin's winhex script/bat files (searching for 0000003F00000080000000)
just run windvd and get a hd-dvd playing, then hit "get volume key" and it should find it.
i have posted the source as well incase anyone wants to improve it or fix incompatibilities.

binary:
hxxp://glib.name/hddvd_vukeyfinder.zip

source code (warning: this is a mess ):
hxxp://glib.name/hddvd_vukeyfinder_src.zip
some parts are from d2hackit v2.0 & hxxp://www.codeproject.com/threads/MDumpAll.asp
Nice going. I will try it in a bit.
jokin is offline   Reply With Quote
Old 20th January 2007, 11:22   #3  |  Link
He-Man
Guest
 
Posts: n/a
Thanks, great work ape, much nicer with a stand-alone app, I assume don't need any third party tools except WinDVD to use your app? I haven't got a HD-DVD drive yet to test your app.

Can you add functionality to grab the CMAC value, The Title name and the production date? All is available on the HD DVD discs. Look here: http://forum.doom9.org/showthread.ph...746#post939746
It would be nice to verify the extracted key based on the CMAC value too which is already implemented in BackupHDDVD.
In the long run I think the best thing would be to integrate your C++ app into BackupHDDVD to have a single application with a single GUI doing both key,CMAC, title and production date extraction, saving it to a database and decrypting the movies too.
  Reply With Quote
Old 20th January 2007, 11:51   #4  |  Link
ape
Registered User
 
Join Date: Sep 2004
Posts: 16
Quote:
Originally Posted by He-Man View Post
Thanks, great work ape, much nicer with a stand-alone app, I assume don't need any third party tools except WinDVD to use your app? I haven't got a HD-DVD drive yet to test your app.

Can you add functionality to grab the CMAC value, The Title name and the production date? All is available on the HD DVD discs. Look here: http://forum.doom9.org/showthread.ph...746#post939746
It would be nice to verify the extracted key based on the CMAC value too which is already implemented in BackupHDDVD.
In the long run I think the best thing would be to integrate your C++ app into BackupHDDVD to have a single application with a single GUI doing both key,CMAC, title and production date extraction, saving it to a database and decrypting the movies too.
yeah an all-in-one app would be cool, i don't have a drive though so i can't do much at this end. i only had 1 person test this so has anyone verified that it works for them?
ape is offline   Reply With Quote
Old 20th January 2007, 12:16   #5  |  Link
heman
Registered User
 
Join Date: Jan 2006
Posts: 6
tested on several discs your app is working
heman is offline   Reply With Quote
Old 20th January 2007, 12:17   #6  |  Link
ape
Registered User
 
Join Date: Sep 2004
Posts: 16
Quote:
Originally Posted by heman View Post
tested on several discs your app is working
thanks
ape is offline   Reply With Quote
Old 20th January 2007, 12:34   #7  |  Link
He-Man
Guest
 
Posts: n/a
Quote:
Originally Posted by ape View Post
yeah an all-in-one app would be cool, i don't have a drive though so i can't do much at this end. i only had 1 person test this so has anyone verified that it works for them?
I still think you will be able to get the TKF MAC (CMAC) value and movie title form the disc.
Here's where to find TKF MAC and Movie Title:

TKF MAC (CMAC):
The format of VTKF.AACS file can be found in paragraph 3.4 of AACS_Spec_HD_DVD_and_DVD_Prerecorded_0_912, more specifically in Table 3-5. The TKF MAC field (16 bytes) is bytes 2464-2479.
http://forum.doom9.org/showthread.ph...202#post938202

Movie Title:
The movie title is stored in the top of VPLST000.XPL like you can see here:
http://forum.doom9.org/showthread.ph...400#post939400 displayName="Batman Begins HD DVD"
http://forum.doom9.org/showthread.ph...661#post939661 displayName="V for Vendetta HD DVD"

Maybe you can get someone with a HD-DVD drive to uplad some VTKF.AACS and VPLST000.XPL files so you can test te funtions.
  Reply With Quote
Old 20th January 2007, 15:30   #8  |  Link
firewan
Registered User
 
Join Date: May 2003
Posts: 13
could you please upload the app to an alternative download source? I just can't download it from this URL.
firewan is offline   Reply With Quote
Old 20th January 2007, 15:33   #9  |  Link
He-Man
Guest
 
Posts: n/a
Quote:
Originally Posted by firewan View Post
could you please upload the app to an alternative download source? I just can't download it from this URL.
Try these links:
http://glib.name/hddvd_vukeyfinder.zip
http://glib.name/hddvd_vukeyfinder_src.zip
  Reply With Quote
Old 20th January 2007, 15:34   #10  |  Link
choiceltd
Registered User
 
Join Date: Jan 2007
Posts: 5
any chance you can work on the blue ray format, i know thats easyer said than done cheers
choiceltd is offline   Reply With Quote
Old 20th January 2007, 15:40   #11  |  Link
He-Man
Guest
 
Posts: n/a
Quote:
Originally Posted by choiceltd View Post
any chance you can work on the blue ray format, i know thats easyer said than done cheers
Read his post about that in the Blu-Ray topic here: http://forum.doom9.org/showthread.ph...973#post939973
It requires that someone (muslix64 or someone else who finds them too) reveals keys for Blu-Ray discs.
  Reply With Quote
Old 20th January 2007, 16:13   #12  |  Link
tonyp12
Registered User
 
Join Date: Oct 2002
Location: Florida, USA
Posts: 90
Could your program be modified to verify that the key is 100% correct?

I under stand that you have to cmac a title key with a volume key to check.

So what is the sure way to always find title keys in the mem dump too?

Last edited by tonyp12; 20th January 2007 at 16:20.
tonyp12 is offline   Reply With Quote
Old 20th January 2007, 16:32   #13  |  Link
guile
Registered User
 
Join Date: Oct 2002
Posts: 65
Just to confirm (because I have heard conflicting reports), the ONLY version of Windvd that currently will play these files/movies is the JAP version of Windvd 8?

I have tried it with the HD version of Windvd 8 and just keep getting error's. It is the us version however as I cannot locate the jap version.

Also, for those who have had success with the software, please post new keys in the sticky at the top of the page. I have quite a large library to back up myself and would like to help with this cause.
guile is offline   Reply With Quote
Old 20th January 2007, 16:39   #14  |  Link
noclip
Registered User
 
Join Date: Dec 2006
Posts: 154
I think it would be best not to integrate this app into BackupHDDVD. While the technique for finding keys is likely to need to be changed often, BackupHDDVD has an entirely different release schedule. This program is perfect as a standalone, and it could be bundled with every copy of BackupHDDVD.

Another thing to explore is a heuristic approach to finding keys. This would be incredibly useful because the program would work with any HD DVD playing application and always yield results.

Last edited by noclip; 20th January 2007 at 16:42.
noclip is offline   Reply With Quote
Old 20th January 2007, 18:33   #15  |  Link
Mistar Muffin
Registered User
 
Join Date: Sep 2002
Location: Right Here
Posts: 53
I actually modified BackupHDDVD a few days ago to get a memdump from pmdump and then scan it for the volume key. It works pretty well. The only reason I haven't released it yet is becuase I was trying to integrate it to the GUI version. I'll see if I can get to that today. And honestly, IMO the method for finding volume keys shouldn't change much for the time being. As long as we keep using the same version of WinDVD I don't see why that hex marker would cease to reveal the volume key. Worst case scenario is that they blacklist that device key, but that may never happen or at the least, not for a while.
__________________
mmm...muffins
Mistar Muffin is offline   Reply With Quote
Old 20th January 2007, 21:14   #16  |  Link
Mistar Muffin
Registered User
 
Join Date: Sep 2002
Location: Right Here
Posts: 53
Quote:
Originally Posted by Mistar Muffin View Post
I actually modified BackupHDDVD a few days ago to get a memdump from pmdump and then scan it for the volume key. It works pretty well. The only reason I haven't released it yet is becuase I was trying to integrate it to the GUI version. I'll see if I can get to that today. And honestly, IMO the method for finding volume keys shouldn't change much for the time being. As long as we keep using the same version of WinDVD I don't see why that hex marker would cease to reveal the volume key. Worst case scenario is that they blacklist that device key, but that may never happen or at the least, not for a while.
Although I wasn't able to integrate the GUI, I have posted this in the official BackupHDDVD thread here: http://forum.doom9.org/showthread.ph...266#post941266
__________________
mmm...muffins
Mistar Muffin is offline   Reply With Quote
Old 21st January 2007, 01:35   #17  |  Link
He-Man
Guest
 
Posts: n/a
Quote:
Originally Posted by ape View Post
(searching for 0000003F00000080000000)
Any particular reason to only search for 0000003F00000080000000 and not 200000003F00000080000000? Why leave out the first byte '20' in front of your pattern? Jokin also has '20' included in the beginning of his search pattern in his WinHex app and this seems to work fine for everyone.
The longer pattern you use the less risk there is to find the same pattern at another memory location, especially when there's so many zero bytes in the pattern.
From what has been posted on this forum all HD DVD memory dumps contains 200000003F00000080000000 in front of the VUK.
US titles looks like this: 06200000003F00000080000000
EU titles looks like this: 00200000003F00000080000000

http://forum.doom9.org/showthread.ph...144#post938144
Quote:
Originally Posted by MrDVD View Post
on the one screen me saw from an us hddvd it is "00 20 00 00 00 3F" and the format is like this:

all tested memdumps for euro:
06 20 00 00 00 3F 00 00 00 80 00 00 00 xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx

where xx is the VK.

so maybe "00 20 00 00 00 3F 00 00 00 80 00 00 00" is in front of every us VK but me cant test this.

Last edited by He-Man; 21st January 2007 at 01:44.
  Reply With Quote
Old 21st January 2007, 01:39   #18  |  Link
ape
Registered User
 
Join Date: Sep 2004
Posts: 16
Quote:
Originally Posted by He-Man View Post
Any particular reason to only search for 0000003F00000080000000 and not 200000003F00000080000000? Why leave out the first byte '20' in front of your pattern? Jokin also has '20' included in the beginning of his search pattern in his WinHex app and this seems to work fine for everyone.
The longer pattern you use the less risk there is to find the same pattern at another memory location, especially when there's so many zero bytes in the pattern.
From what has been posted on this forum all HD DVD mem dumps contains 200000003F00000080000000 in front of the VUK.
US titles looks like this: 200000003F00000080000000
EU titles looks like this: 200000003F00000080000000

http://forum.doom9.org/showthread.ph...144#post938144
probably doesn't matter, if somebody finds a disc it doesn't work with i will fix it though.
ape is offline   Reply With Quote
Old 21st January 2007, 15:58   #19  |  Link
Mistar Muffin
Registered User
 
Join Date: Sep 2002
Location: Right Here
Posts: 53
ape, was wondering if you could modify the app to accept command line parameters and then return its output via stdio. If you could do this, we could bundle it with BackupHDDVD and use java to read the output. This is actually what I use pmdump for in my current version, it has 2 steps.

1) get process list using pmdump and read via stdio, find windvd.exe PID
2) dump windvd.exe mem using found PID

Then you have to search the memdump and this uses HD space and more time and then you have to clean up the files. If you could modify your app to do this, it would be the most elegant solution. In addition, if you could somehow combine your HD/BD Keyfinders so that they are the same app, then we could really make an All in one utility. Say, a command line switch such as -format HD or -format BD and then in the GUI just a radio button to select which one. Also, He-Man is right, when you modify the code you should have it search for the full string, including the "20" at the beginning. Just some thoughts.
__________________
mmm...muffins

Last edited by Mistar Muffin; 21st January 2007 at 16:03.
Mistar Muffin is offline   Reply With Quote
Old 22nd January 2007, 04:49   #20  |  Link
Galileo2000
Registered User
 
Join Date: Jan 2007
Posts: 224
Quote:
Originally Posted by noclip View Post
I think it would be best not to integrate this app into BackupHDDVD. While the technique for finding keys is likely to need to be changed often, BackupHDDVD has an entirely different release schedule. This program is perfect as a standalone, and it could be bundled with every copy of BackupHDDVD.

Another thing to explore is a heuristic approach to finding keys. This would be incredibly useful because the program would work with any HD DVD playing application and always yield results.
I do agree 100% that it is better NOT to integrate tis app into BackupHD DVD for the reasons too obvious to mention.

Ppl computer-literate enough to use those apps can go thru couple of extra clicks.

Last edited by Galileo2000; 22nd January 2007 at 05:25.
Galileo2000 is offline   Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT +1. The time now is 18:35.


Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2021, vBulletin Solutions Inc.