
The tool that arnezami and muslix64 used to defeat AACS

The HD DVD that gave up its Processing Key for all to use
One key to decrypt them all

Last December, a hacker named “Muslix64” circumvented HD DVD copy protection, resulting in the release of pirated copies on the Internet. Less than one month later, the same Muslix64, with the help of another hacker, was able to crack the encryption on Blu-ray Discs.

On Sunday, another Doom9 forum poster named “arnezami” presented the next great breakthrough in HD DVD and Blu-ray Disc decryption. Previously, every HD movie needed its own unique key in order to be decrypted; but with arnezami’s discovery, there is one key to rule them all -- at least for now, until the Advanced Access Content System Licensing Administrator gets on it.

What arnezami found was the Processing Key, which appears to be the silver bullet in decrypting all existing HD DVD and Blu-ray Discs. Arnezami was armed only with an Xbox 360 HD DVD player and the bundled King Kong movie. Other Doom9 forum contributors posted their keys to HD DVD movies such as The Departed and Spy Game, which were proved decryptable using the Processing Key.

Figuring that the copy protection schemes on Blu-ray Disc are similar to HD DVD, other posters reported data from Talladega Nights and House of Flying Daggers, which were also decrypted using the Processing Key found from King Kong.

Arnezami unlocked the secrets to HD DVD and Blu-ray Disc encryption without the use of any hacked software or hardware. “Most of the time I spend studying the AACS papers,” he wrote. “A good understanding of how things worked have helped me greatly in knowing what to find in the first place (and how to recognize something).”

Arnezami started his quest by finding the Volume ID to King Kong, which motivated him to find the Media Key. After a few trial-and-error attempts, arnezami had the idea of watching the data move from the HD DVD drive to the memory on his computer. “What I wanted to do is ‘record’ all changes in this part of memory during startup of the movie,” he wrote in his explanation. “Hopefully I would catch something interesting.”

“In the end I did something a little more efficient: I used the HD DVD VUK extractor and adapted it to slow down the software player (while scanning its memory continuously) and at the very moment the Media Key was detected it halted the player,” arnezami continued. “I then made a memdump with WinHex.”

Using this method, arnezami found that his first C-value was a hit, leading to the discovery of the Processing Key. “I now had the feeling I had something,” he said.

Arnezami isn’t revealing which software player he used to expose the key information for fear that the Advanced Access Content System Licensing Administrator would crack down on the software developer. What he did want to say, however, is that he made his discovery simply by watching the data as it passed through his system.

Comments

By Oobu on 2/14/2007 5:10:48 AM , Rating: 2
I find it interesting that both HD DVD and Bluray use the same key like that. It seems like two competing technologies wouldn't be using the exact same primary key like that. I have no idea how any of it works though.

RE: Wow...
By darkfoon on 2/14/2007 5:39:19 AM , Rating: 2
If I recall correctly, the organization that defines the copy-protection on all HD disc media (the AACS?) specified one particular copy-protection scheme that HAS to be used.

However, Sony went and developed their own copy-protection (BD+ if I remember?) to go on top of what is already required, supposedly making Blu-ray more secure against content theft, and thus the studios would pick them as the winning format.

However, I have no idea if the Blu-ray discs cracked so far have had BD+ enabled on them, or if they just used the copy-protection already required.

It's all moot anyways, because as soon as Penryn comes along the hardware and the compatible OS (e.g. Vista, and later) will lock users out of DRM protected memory pages, so hacks like this will "become a thing of the past". Then the only way to get a mem dump would be to force the entire OS to halt and dump the entire memory, then reboot. That would slow things down considerably. And by then, the OS will probably not dump the special DRM memory pages anyways.

Welcome to the new world where your computer is controlled by somebody else.

RE: Wow...
By penter on 2/14/2007 6:14:03 AM , Rating: 2
Who forces you to use Vista? Everybody is still happy with XP, just do your hacking in XP, or just anything except Vista.
And Penryn will do nothing for DRM protection, it's just a processor.

RE: Wow...
By Gothmoth88 on 2/14/2007 8:22:11 AM , Rating: 2
some day software will only run under vista.
like it or not.
i don't see many people using win3.1 these days. ;)

penryn will not change much but intel will put TPM into the southbridges by 2008. :(

it will maybe be possible to disable TPM in the bios but the devil is already knocking on your door.

RE: Wow...
By edge929 on 2/14/2007 9:52:22 AM , Rating: 3
Windows 3.1 is exaggerating a little bit. Many people still use/live-by/swear-by Windows 2000 and last I checked, everything that runs on Win2K will run on XP and vice versa.

Is the future bleak for cracking stuff on Vista? Probably. Will they eventually circumvent Vista's security "enhancements"? Most certainly. It's all just a matter of time.

If it's digital, it WILL be cracked, just a matter of time.

RE: Wow...
By Gothmoth88 on 2/14/2007 10:02:19 AM , Rating: 2
that was true for software protection.

but it takes a lot more work to break these new hardware protections.
and i'm not speaking about the FLEX ... dongle stuff.

of course nothing is 100% bulletproof, but it depends on how much time you're willing to spend cracking an application.

it's not done with softice + a few tools anymore.

i bet that the cracking scene will be a lot smaller in a few years. as not only coding knowledge is needed.

and you can already see so many fucked cracks because the companies using code that SEEM to work with a crack .... but produce unwanted results (3d software plugins for example).

RE: Wow...
By CollegeTechGuy on 2/14/2007 10:46:58 AM , Rating: 2
Microsoft has to be able to see what's going on in the memory when they're debugging their OS. If they wanted to stop people from doing this they would more than likely just turn it off, seeing how they are continually debugging XP or Vista. So anyone wanting to watch their memory would just have to figure out how to enable it... once again, just need time to find it.

RE: Wow...
By thebrown13 on 2/14/2007 12:50:57 PM , Rating: 1
Wrong. .NET 3.0 programs will not run at ALL under W2K. Which also happens to be the future of any quality program.

RE: Wow...
By Kaix on 2/14/2007 3:32:49 PM , Rating: 3
A "quality program" is a non-dotNet program.

RE: Wow...
By thebrown13 on 2/14/07, Rating: 0

RE: Wow...
By msva124 on 2/14/2007 8:02:53 PM , Rating: 2
Okay, then tell all your friends to stop asking me what SendMessage is.

RE: Wow...
By leexgx on 2/14/2007 10:23:52 PM , Rating: 2
.NET programs are buggy as a norm (ATI driver, game monitors or admin programs, stupid errors just 'cause I clicked on it again, and so on)

also it needs more CPU and RAM for it to work (my laptop hates it)

you probably find most users do not like Dot net, more so if you make a program out of it (probably more the user's fault when making the program)

hopefully .net 3 will have some extra debugging to weed out the errors that happen

RE: Wow...
By NoSoftwarePatents on 2/14/2007 4:20:56 PM , Rating: 3
Well, .NET 2.0 has made my life a lot easier, thanks to highly useful namespaces like SYSTEM.MANAGEMENT and XML web services.

If you've got something better that doesn't use .NET 2.0 and has fewer lines of code and is easier to deploy while using Visual Studio 2005 for a Microsoft shop, I'd like to see your code.

RE: Wow...
By msva124 on 2/14/2007 7:58:09 PM , Rating: 2
Someone give this man an award.

RE: Wow...
By drwho9437 on 2/14/2007 2:55:22 PM , Rating: 2
There are softwares that only run on XP and not win2k. If you are very clever you might be able to crack the installers so that they don't check and everything would be ok, but things like Adobe Lightroom and Pixmantec Rawshooter (at first before that) only install on XP. Rawshooter was later released to work on Win2k as well, but vendors are starting to lock out 2k because they don't want to support 3 flavors of windows.

RE: Wow...
By FrankM on 2/14/2007 2:46:21 PM , Rating: 2
O rly?
Then here are two words, might be new to you:
1.) Linux
2.) Virtualization.

RE: Wow...
By Oobu on 2/14/2007 3:42:13 PM , Rating: 2
I actually know of some people still running 98SE, and one older lady who runs 95!

RE: Wow...
By Samus on 2/14/2007 12:52:15 PM , Rating: 3
Most PC's sold now only come with Vista, and have no correctly functioning WindowsXP drivers. So basically new PC's force you to use Vista. Gateway and Hp/Compaq have gone far enough to change hardware ID's of internal components for Vista-loaded Laptops and Desktops so installing drivers for XP on the XP OS won't detect the hardware correctly.

Just waiting for the anti-trust lawsuits. I fear Microsoft is giving out kickbacks for this tactic, just so Vista doesn't flop like ME did.

RE: Wow...
By FrankM on 2/14/07, Rating: 0

RE: Wow...
By VaultDweller on 2/14/2007 7:58:25 AM , Rating: 3
It's all moot anyways, because as soon as Penryn comes along the hardware and the compatible OS (e.g. Vista, and later) will lock users out of DRM protected memory pages, so hacks like this will "become a thing of the past". Then the only way to get a mem dump would be to force the entire OS to halt and dump the entire memory, then reboot.

Nope. If the Trusted Computing OS is run in a virtual machine, there's no way it can protect its memory space from the host operating system.

RE: Wow...
By ToeCutter on 2/14/2007 11:42:27 AM , Rating: 2

You beat me to it!

Virtualization will eventually play a large part in hacking DRM.

Many of the x86 Mac OS X were initially cracked using VMs. Because VMs are presented hardware by the virtualization software, I anticipate it would be possible to offer "faux" TPM hooks so the VM "thinks" it's using legit TPM.

Perhaps most important: VM apps are reasonably affordable.

RE: Wow...
By dude on 2/15/2007 2:16:32 AM , Rating: 2
Unless the program is written to detect that a virtual machine is running. However, I'm sure a "bug" fix to the VM program will be released shortly after to alleviate this "feature".

RE: Wow...
By livelouddiefast on 2/16/2007 12:17:55 PM , Rating: 1
there will be hacks to counter drm, and drm within vista, etc. Or OS's without DRM will start to gain market share. people will find a way to break whatever encryption is on anything.

That was fast!
By Anosh on 2/14/2007 5:07:15 AM , Rating: 2
Well.. it didn't take long..
I believe we need to change the way we look at things cause this DRM infesting of all kinds of media obviously doesn't work very well.

There is a need for a new approach that doesn't necessarily mean DRM built into everything enjoyable. Any ideas?

RE: That was fast!
By Dustin25 on 2/14/2007 11:27:16 AM , Rating: 2
No, software and media companies have full faith in drm still. They know with the advent of full blown trusted computing, hacking, cracking, and piracy will be severely limited. All they have to do is wait it out a couple more years.

RE: That was fast!
By TheDoc9 on 2/14/2007 2:43:21 PM , Rating: 2
I agree completely. And although I'm glad these hacks keep coming it in no way sways the companies from removing DRM. In fact if it does anything in their eyes it provides an argument for even more content protection.

I can't wait for the day when we have those 80 core processors that are really only as fast as a pentium 2 because of all the DRM.

By Gothmoth88 on 2/14/2007 8:01:06 AM , Rating: 2

i don't understand the fuss about these doom 9 guys.
there IS a commercial HD-DVD backup software already from slysoft.

ANYDVD HD (look at the slysoft forum).

you can download a beta already.

while others fiddle around with windvd etc. keys and hexdumps these guys have a full application. but the press seems not to notice.


RE: ???
By therealnickdanger on 2/14/2007 8:44:43 AM , Rating: 2
I believe they are still beta-testing, it's not available for DL yet... unless you are approved for testing, that is.

RE: ???
By Gothmoth88 on 2/14/2007 8:48:56 AM , Rating: 2
it is.. just check the slysoft forum there is a download link.

though it is still beta.
but it works well afaik.

Too easy
By estaffer on 2/14/2007 11:43:20 AM , Rating: 2
it's all too easy! these people (who make the encryptions) should make it harder so 'other' people will not break them easily. once you see a copy of those movies on the market (not black, just plain market that you see everyday) then you know you failed.

RE: Too easy
By Kragoth on 2/14/2007 7:33:56 PM , Rating: 2
I don't think you fully understand how things work inside computers. And as long as decryption is handled by software keys will always be able to be found. Even with Intel and Vista producing all these security tools you cannot expect them to stop people who know how to hack. Virtual machines make it impossible to stop people reading memory as the host machine is not limited by the security of the virtual machine. Hardware decryption is a much more secure way of doing this but also increases costs 10 times. The fact still remains that if these companies spent less money on security and brought down the price of their goods more items would sell. They will never stop hackers and piracy (at least not in the next 10 years). There is always someone smarter or someone that will hand out the information for the right price. Software can be reverse engineered with ease these days so even if the memory dumps are stopped there are so many other ways of bypassing security.

I have no sympathy for these companies as they think that some piece of software encryption is going to stop piracy. They need to look at the facts and realize that they need a NEW strategy... maybe look at rewarding customers who buy the genuine disc instead of wasting time and money on a "no piracy dream"

RE: Too easy
By SGWB on 2/16/2007 3:45:50 PM , Rating: 2
You are correct. If it can play on a PC, it can be cracked on a PC.

I predict that when the BluRay/HD-DVD successor comes about, it will either dispense with DRM entirely or it will not be playable on general purpose computers.

say goodbye to non-Vista playback solutions
By hellokeith on 2/14/2007 10:45:08 AM , Rating: 2
All these guys are doing is speeding the end of HD DVD & BD playback solutions for non-Vista Windows PC's. Vista's protected path for media will make it significantly more difficult (though I dare not say impossible) to do memory scans like this.

In a way, they are helping Microsoft tout Vista as a more secure platform, and they are likely causing severe headaches for companies WinDVD and the like who will be forced to delist these software players and perhaps even give refunds to those on non-Vista PC's.

RE: say goodbye to non-Vista playback solutions
By thebrown13 on 2/14/2007 1:36:56 PM , Rating: 1
Yeah really, now media companies will require the HDCP flag a lot sooner than before. Thanks guys!

By leexgx on 2/14/2007 10:36:05 PM , Rating: 2
the protection will most likely be broken on both XP and Vista

anyone with a high speed line and lots of disk space is most likely going to just download HD stuff so as not to bother with the HDCP stuff; sooner or later BD and HD-DVD discs will get a lot cheaper, but the speed of that will most likely be a little slower than what the industry wants

for me that's probably 5-10 yrs off before HD takes off anyway; I'm quite happy with my 700mb (1.4gb) video files

There is a lot in Vista though that's there; be interesting how long it takes to break it or if it even needs to be

incomplete captions
By masteraleph on 2/14/2007 8:01:09 AM , Rating: 4
While he may have used the Xbox360 HDDVD drive, it was on his PC, and the vulnerable part was the software player, not the hardware. The drive has no particular issues that allowed him to do what he did- it acts the exact same as any other drive, but happens to be significantly cheaper.

I know this is a small thing but...
By samuraiBX on 2/14/2007 9:59:22 AM , Rating: 2
There's a movie called "King King"?

By therealnickdanger on 2/14/2007 10:20:09 AM , Rating: 1

Yes, King King is a sweeping epic about Jesus and how he climbed the Sears Tower.

By therealnickdanger on 2/14/2007 9:21:16 AM , Rating: 2
Now I just need a set of those fancy 1TB HDDs and I can start ripping my HD movie collection! Next step - figure out how to stream the 24GB+ files to my Xbox360...

Processing... key?
By Magnadoodle on 2/14/2007 10:21:12 AM , Rating: 2
I think there's been a lot of bad reporting on the web about this particular bit of news. Everyone seems confused about what exactly this processing key does.

This is from a staff member on the Slysoft forums one of you mentioned. It seems they deserve more attention after all:

The processing key still will not decrypt all HD-DVDs by itself. Another information is required: the Volume-ID.
This still either has to be fetched out of the memory of some weakly programmed HDDVD-software or read directly from the drive. The drive will only reveal it with proper authentication - and for that you need a Player-Key (often confused with the device key, but they are two distinct secrets).

Also: this processing key will most certainly only work with HD-DVDs mastered with an MKB version 1. As soon as any device gets revoked, the MKB version will change and a different processing key will be valid.

The way I see it, the processing key didn't bring them much closer to their final goal. Previously, you had to fumble VUKs out of WinDVDs memory, now it's the Volume ID - admittedly, a little easier to identify, as it always starts with 0x40 00.
When WinDVDs keys get revoked, you can bet on Intervideo not being so stupid to leave this hole open.

Sad thing: we already had the whole AACS done, when the boys from doom9 were still gathering title-keys from WinDVDs memory - but they're getting all the press... (hey, no offence, guys, you're doing the right thing)

Can they really change anything?
By FITCamaro on 2/14/2007 11:19:55 AM , Rating: 2
Can the AACS Licensing Administrator really change anything? I mean if this key is used in every Blu-ray movie and HD-DVD movie, if they were to change it, on a player without an ethernet port and active ethernet connection, the player would no longer function.

I haven't looked at all the players out there but I don't think they all have ethernet ports. Or am I incorrect?

I know the new protection scheme was supposed to allow them to change keys but did that go in yet? And I highly doubt they're going to outlaw playback software on non-Vista systems. What about Macs? Not that I'm a fan of them or anything, but I think the Mac owners would be pissed if they couldn't watch high def movies on their systems. And they'd also be pushing non-acceptance since it'll probably be 2009 before a majority of people are running Vista.

By hstewarth on 2/14/2007 1:22:40 PM , Rating: 2
I think it's important that BD+ comes out so that studios will make big titles like Star Wars on Blu-ray.

There are already some rumors that Star Wars is coming to Blu-ray because of the 30th Anniversary of Star Wars. Lucas probably will not do it until BD+. Star Wars is done by Fox and Fox is exclusive to Blu-ray. There are already signs that Fox is re-evaluating their schedule - most of the disks are BD25 - likely all will be BD50 and with BD+.

Here is a link to some of the rumors of Star Wars on Blu-ray.

By Quryous on 2/14/2007 9:37:30 PM , Rating: 2
Despite the many so-called advances in Vista, a topic of major concern for many users is not what it will enable you to do, but what it could prevent you from doing. Vista has been designed from the ground up to support Digital Rights Management (DRM) in ways never before possible under Windows. New output content protection mechanisms are designed to protect ‘premium’ (usually meaning paid-for) content against physical interception and copying. Outputs that do not support DRM, or are deemed insecure, must be turned off before playback can proceed. This is called Protected Video Path — Output Protection Management (PVP-OPM). Device drivers must agree to switch off these outputs at the request of the operating system and have to undergo a certification process to verify their compliance. Protected Video Path — User-Accessible Bus (PVP-UAB) ensures that premium content, such as HD video, is encrypted as it passes over the PCI Express bus to your graphics card. This prevents any electronic snooping on the data by hardware devices. Protected User Mode Audio (PUMA) provides similar protection for audio content, again allowing for content producers to insist that insecure outputs be disabled before playback.

The practical application of these technologies is highly complex and well beyond what a typical consumer could be expected to understand. DRM adds a whole layer of potential incompatibilities, with few perceived end-user benefits. For this reason, many users are justifiably wary of installing Vista and buying new hardware, especially displays, that may prevent them accessing content in the future. It’s an area that’s seeing a lot of activity at the moment, and HD content providers are certainly being wary of implementing DRM fully for now. The impact of these technologies remains to be seen, but unless they work transparently without inconveniencing users, only the pirates will benefit.

By jiulemoigt on 2/14/2007 11:52:19 PM , Rating: 2
As to vista, ya that protected path is not working as intended, since no one has gotten a hdmi cable to work under vista, and despite the fact analog devices are supposed to be supported they have issues as well. So I'm not worried about vista replacing xp anytime soon as far as movies go.

HD cracked!
By AlmostExAMD on 2/15/2007 1:23:24 AM , Rating: 1
Ummmm, Who cares?
Unless you're a pirate, Just buy the movie.
They are not that expensive anymore!
If you people can afford the true High Definition TV's(1080p) which cost a fortune, Then surely you can afford a $10-20 movie!

Genuine sarcasm?
By outsider on 2/14/07, Rating: -1