Remove copy-protection from HD-DVD disc. Decrypt AACS and Rip HD DVD to hard disk.


Stream Recorder
02-19-2007, 12:39 PM
AnyDVD HD (http://all-streaming-media.com/CD-and-DVD-burning/AnyDVD-HD-Decrypt-AACS-from-HD-DVD-and-Rip-HD-DVD-to-hard-disk.htm) has been released recently. It is the first easy to use HD DVD ripper.

It can decrypt AACS protection from HD-DVD disc so now you can:
- watch HD-DVD without the need to buy an expensive monitor and HDCP compliant graphics card.
- play back your HD-DVD discs on your PC with PowerDVD (http://goo.gl/8eZPQ) Ultra, which otherwise do not run

And all this can be done with a few mouse clicks!!!

Stream Recorder
02-25-2007, 04:17 AM
News on breaking AACS content protection that is used on HD DVD and Blu-Ray is coming almost every day. It seems like "unbreakable" AACS protection is falling apart.

The AACS Device Key of WinDVD 8 was found by a doom9 member called ATARI Vampire (http://forum.doom9.org/showthread.php?t=122664). The AACS Device Key allows any movie playable by it to be decrypted.

The new discovery by ATARI Vampire is based on previous research of two other doom9 members: muslix64 (who created BackupHDDVD (http://forum.doom9.org/showthread.php?t=119871), a tool to decrypt an AACS-protected movie) and arnezami (who extracted the Processing Key, Media Key and Volume ID from WinDVD player (http://forum.doom9.org/showthread.php?t=121866)).

Although this is my first post, I have been actively sitting in the shadows for the last 6-8 weeks reading every Doom9 thread that I could find on HD DVD and Blu-Ray decryption. I have followed the postings of muslix64, Janvitos, and Arnezami, trying my best to recreate their steps to learn even more about the under workings of AACS. I even printed out all 70 pages of the AACS Introduction and Common Cryptographic Elements document, painfully reading through this material.

A few nights ago, something that Arnezami had written about slowing WinDVD 8 down through intensive memory dumps had started me thinking. So, I brought up my favorite Java IDE and began writing code. Using a combination of VUK Finder (by Jokin), pmdump, PsSuspend (Sysinternals) and WinHex, I was able to get enough data to find the VID, Media Key, and Processing Key by using the "bottom up" approach that Arnezami spoke about.

As soon as I had the processing key in a memory dump I knew that I was close to a Device Key. I then quickly implemented a version of AES-128G(k, d), where k = key and d = the data to be decrypted; however, in this case I seeded d with the constant 0x7B103C5DCB08C4E51A27B01799053BD9 + 1, or 0x7B103C5DCB08C4E51A27B01799053BDA (per page 13 of the AACS Common Crypto doc), and ran the entire contents of my memory dump through decryption at 1-byte incremental offsets.

About 35,000 bytes into the file I extracted a 16-byte value that was able, using the constant as the d value, to create the processing key. If my interpretation of the AACS specification is correct, I have found a device key. Here is the device key, along with the memory offset where it can be re-discovered assuming that you dump memory in WinDVD 8 early enough in the runtime process. By the way, PsSuspend helps tremendously with slowing processes down so that pmdump can accurately dump memory!

[WinDVD 8]

Device Key: AA856A1BA814AB99FFDEBA6AEFBE1C04
Found at memory location: 0x000089EC

Device Key: AA856A1BA814AB99FFDEBA6AEFBE1C04
Found at memory location: 0x00008A20

An interesting thing to note is that the device key is found only a few bytes before the location where Arnezami found the processing key, and in contiguous memory! It is also interesting to note that WinDVD 8 keeps the device key in 2 different memory locations, very close to each other. My guess is that this would be the result of some sort of deep copy, maybe even the result of a function call.

Anyway, this is what information I have been able to pull together with 3-4 hours of free time this week. I'd like the Doom9 decryption forum to validate my findings since I have not had the time to step through any MKBs with this device key yet. Be that as it may, I am pretty sure that I have found a device key.