Remove copy-protection from HD-DVD disc. Decrypt AACS and Rip HD DVD to hard disk.

AnyDVD HD has been released recently. It is the first easy to use HD DVD ripper.

It can decrypt AACS protection from HD-DVD disc so now you can

• watch HD-DVD without the need to buy an expensive monitor and HDCP compliant grapchics card.

• playback your HD-DVD discs on your PC with PowerDVD Ultra, which otherwise do not run

And all this can be done with a few mouse clicks!!!

News on breaking AACS content protection that is used on HD DVD and Blu-Ray are coming almost every day. It seems like "unbreakable" AACS protection is falling apart.

The AACS Device Key of the WinDVD 8 was found by doom9 member called ATARI Vampire. The AACS Device Key allows any movie playable by it to be decrypted.

The new discovery by ATARI Vampire is based on previous research of two other doom9 members: muslix64 (who created BackupHDDVD, a tool to decrypt a AACS protected movie) and arnezami (who extracted the Processing Key, Media Key and Volume ID from WinDVD player).

Quote:

Originally Posted by ATARI Vampire

Although this is my first post, I have been actively sitting in the shadows for the last 6-8 weeks reading every Doom9 thread that I could find on HD DVD and Blu-Ray decryption. I have followed the postings of muslix64, Janvitos, and Arnezami, trying my best to recreate their steps to learn even more about the under workings of AACS. I even printed out all 70 pages of the AACS Introduction and Common Cryptographic Elements document, painfully reading through this material.

A few nights ago, something that Arnezami had written about slowing WinDVD 8 down though intensive memory dumps had started me thinking. So, I brought up my favorite Java IDE and begun writing code. Using a combination of VUK Finder (by Jokin), pmdump, psuspened (Sys Internals) and WinHex I was able to get enough data to find the VID, Media Key, and Processing Key by using the "bottom up" approach that Arnezami spoke about.

As soon as I had the processing key in a memory dump I knew that I was close to a Device Key. I then quickly implemented a version of AES-128G(k, d), where k = key and d = the data to be decrypted, however in this case I seeded d with the constant 0x7B103C5DCB08C4E51A27B01799053BD9 + 1, or 0x7B103C5DCB08C4E51A27B01799053BDA (per page 13 of the AACS Common Crypto doc), and ran the entire contents of my memory dump through decryption at 1 byte incremental offsets.

About 35,000 bytes into the file I extracted a 16 byte value that was able, using the constant as the d value, to create the processing key. If my interpretation of the AACS specification is correct, I have found a device key. Here is the device key, along with the memory offset where it can be re-discovered assuming that you dump memory in WinDVD 8 early enough in the runtime process. By the way, psuspened helps tremendously with slowing processes down so that pmdump can accurately dump memory!

[WinDVD 8]

Device Key: AA856A1BA814AB99FFDEBA6AEFBE1C04
Found at memory location: 0x000089EC

Device Key: AA856A1BA814AB99FFDEBA6AEFBE1C04
Found at memory location: 0x00008A20

An interesting thing to note is that the device key is found only a few bytes before the location where Arnezami found the processing key, and in contiguous memory! It is also interesting to note that WinDVD8 keeps the device key in 2 difference memory locations, very close by each other. My guess is that this would be the result of some sort of deep copy, maybe even the result of a function call.

Anyway, this is what information I have been able to pull together with 3-4 hours of free time this week. I'd like the Doom9 decryption forum to validate my findings since I have not had the time to step through any MKB's with this device key yet. Be that as it may, I am pretty sure that I have found a device key.