Print 46 comment(s) - last by SGWB.. on Feb 16 at 3:45 PM

The tool that arnezami and muslix64 used to defeat AACS

The HD DVD that gave up its Processing Key for all to use
One key to decrypt them all

Last December, a hacker named “Muslix64” circumvented HD DVD copy protection, resulting in the release of pirated copies on the Internet. Less than one month later, the same Muslix64, with the help of another hacker, was able to crack the encryption on Blu-ray Discs.

On Sunday, another Doom9 forum poster named “arnezami” presented the next great breakthrough in HD DVD and Blu-ray Disc decryption. Previously, every HD movie needed its own unique key in order to be decrypted; but with arnezami’s discovery, there is one key to rule them all -- at least for now, until the Advanced Access Content System Licensing Administrator gets on it.

What arnezami found was the Processing Key, which appears to be the silver bullet in decrypting all existing HD DVD and Blu-ray Discs. Arnezami was armed only with an Xbox 360 HD DVD player and the bundled King Kong movie. Other Doom9 forum contributors posted their keys to HD DVD movies such as The Departed and Spy Game, which were proved decryptable using the Processing Key.

Figuring that the copy protection schemes on Blu-ray Disc are similar to HD DVD, other posters reported data from Talladega Nights and House of Flying Daggers, which were also decrypted using the Processing Key found from King Kong.

Arnezami unlocked the secrets to HD DVD and Blu-ray Disc encryption without the use of any hacked software or hardware. “Most of the time I spend studying the AACS papers,” he wrote. “A good understanding of how things worked have helped me greatly in knowing what to find in the first place (and how to recognize something).”

Arnezami started his quest by finding the Volume ID to King Kong, which motivated him to find the Media Key. After a few trial and error attempts, arnezami had the idea to of watching the data move from the HD DVD drive to the memory on his computer. “What I wanted to do is ‘record’ all changes in this part of memory during startup of the movie,” he wrote in his explanation. “Hopefully I would catch something interesting.”

“In the end I did something a little more efficient: I used the HD DVD VUK extractor and adapted it to slow down the software player (while scanning its memory continuously) and at the very moment the Media Key was detected it halted the player,” arnezami continued. “I then made a memdump with WinHex.”

Using this method, arnezami found that his first C-value was a hit, leading to the discovery of the Processing Key. “I now had the feeling I had something,” he said.

Arnezami isn’t revealing which software player he used to expose the key information for fear that the Advanced Access Content System Licensing Administrator would crackdown on the software developer. What he did want to say, however, is that he made his discovery simply by watching the data as it passed through his system.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

By Oobu on 2/14/2007 5:10:48 AM , Rating: 2
I find it interesting that both HD DVD and Bluray use the same key like that. It seems like two competing technologies wouldn't be using the exact same primary key like that. I have no idea how any of it works though.

RE: Wow...
By darkfoon on 2/14/2007 5:39:19 AM , Rating: 2
If I recall correctly, the organization that defines the copy-protection on all HD disc media (the AACS?) specified one particular copy-protection scheme that HAS to be used.

However, Sony went and developed their own copy-protection (BD+ if I remember?) to go on top of what is already required, supposedly making Blu-ray more secure against content theft, and thus the studios would pick them as the winning format.

However, I have no idea if the Blu-ray discs cracked so far have had BD+ enabled on them, or if they just used the copy-protection already required.

Its all moot anyways, because as soon as Penryn comes along the hardware and the compatible OS (e.g. Vista, and later) will lock users out of DRM protected memory pages, so hacks like this will "become a thing of the past". Then the only way to get a mem dump would be to force the entire OS to halt and dump the entire memory, then reboot. That would slow things down considerably. And by then, the OS will probably not dump the special DRM memory pages anyways.

Welcome to the new world where your computer is controlled by somebody else.

RE: Wow...
By penter on 2/14/2007 6:14:03 AM , Rating: 2
Who forces you to use vista. Everybody is still happy with XP, just do your hacking in xp, or just anything except vista.
Ans penryn will do nothing for drm protection, its just a processor.

RE: Wow...
By Gothmoth88 on 2/14/2007 8:22:11 AM , Rating: 2
some day software will only run under vista.
like it or not.
i don´t see much people using win3.1 these days. ;)

penryn will not change much but intel will put TPM into the southbridges by 2008. :(

it will maybe possible to disable TPM in the bios but the devil is already knocking on your door.

RE: Wow...
By edge929 on 2/14/2007 9:52:22 AM , Rating: 3
Windows 3.1 is exaggerating a little bit. Many people still use/live-by/swear-by Windows 2000 and last I checked, everything that runs on Win2K will run on XP and vice versa.

Is the future bleak for cracking stuff on Vista? Probably. Will they eventually circumvent Vista's security "enhancements"? Most certainly. It's all just a matter of time.

If it's digital, it WILL be cracked, just a matter of time.

RE: Wow...
By Gothmoth88 on 2/14/2007 10:02:19 AM , Rating: 2
that was true for software protection.

but it takes a lot more work to break these new hardware protections.
and im not speaking about the FLEX ... dongle suff.

of course nothing is 100% bulletproof, but i depends on how much time your willing to spend cracking a application.

it´s not done with softice + a few tools anymore.

i bet that the cracking sceen will be a lot smaller in a few years. as not only coding knowledge is needed.

and you can already see so many fucked cracks because the companys using code that SEEM to with a crack .... but produce unwanted results (3d software plugins for example).

RE: Wow...
By CollegeTechGuy on 2/14/2007 10:46:58 AM , Rating: 2
Microsoft has to be able to see whats going on in the memory when their debugging their OS' if they wanted to stop people from doing this they would more than likely just turn it off..seeing how they are continually debugging XP or Vista. So anyone wanting to watch their memory would just have to figure out how to enable it...once again just need time to find it.

RE: Wow...
By thebrown13 on 2/14/2007 12:50:57 PM , Rating: 1
Wrong. .NET 3.0 programs will not run at ALL under W2K. Which also happens to be the future of any quality program.

RE: Wow...
By Kaix on 2/14/2007 3:32:49 PM , Rating: 3
A "quality program" is a non-dotNet program.

RE: Wow...
By thebrown13 on 2/14/07, Rating: 0
RE: Wow...
By msva124 on 2/14/2007 8:02:53 PM , Rating: 2
Okay, then tell all your friends to stop asking me what SendMessage is.

RE: Wow...
By leexgx on 2/14/2007 10:23:52 PM , Rating: 2
.NET programs are buggy norm (ATI Driver , Game monitors or admin programs , Stuped errors just coes i clicked on it agane so on)

allso it needs more cpu and ram for it to work (my laptop hates it)

you probly find Most users do not like Dot net more so if you make an program out of it (probly more the users fault when makeing the program)

hopefully .net 3 will have some Extra debugging to weed out the errors that happens

RE: Wow...
By NoSoftwarePatents on 2/14/2007 4:20:56 PM , Rating: 3
Well, .NET 2.0 has made my life a lot easier, thanks to highly useful namespaces like SYSTEM.MANAGEMENT and XML web services.

If you've got something better that doesn't use .NET 2.0 and has fewer lines of code and is easier to deploy while using Visual Studio 2005 for a Microsoft shop, I'd like to see your code.

RE: Wow...
By msva124 on 2/14/2007 7:58:09 PM , Rating: 2
Someone give this man an award.

RE: Wow...
By drwho9437 on 2/14/2007 2:55:22 PM , Rating: 2
There are softwares that only run on XP and not win2k. If you are very cleaver you might be able to crack the installers so that they don't check and everything would be ok, but things like Adobe Lightroom and Pixmantec Rawshooter (at first before that) only install on XP. Rawshooter was later released to work on Win2k as well, but vendors are starting to lock out 2k because they don't want to support 3 flavors of windows.

RE: Wow...
By FrankM on 2/14/2007 2:46:21 PM , Rating: 2
O rly?
Then here are two words, might be new to you:
1.) Linux
2.) Virtualization.

RE: Wow...
By Oobu on 2/14/2007 3:42:13 PM , Rating: 2
I actually know of some people still running 98SE, and one older lady who runs 95!

RE: Wow...
By Samus on 2/14/2007 12:52:15 PM , Rating: 3
Most PC's sold now only come with Vista, and have no correctly functioning WindowsXP drivers. So basically new PC's force you to use Vista. Gateway and Hp/Compaq have gone far enough to change hardware ID's of internal components for Vista-loaded Laptops and Desktops so installing drivers for XP on the XP OS won't detect the hardware correctly.

Just waiting for the anti-trust lawsuits. I fear Microsoft is giving out kickbacks for this tactic, just so Vista doesn't flop like ME did.

RE: Wow...
By FrankM on 2/14/07, Rating: 0
RE: Wow...
By VaultDweller on 2/14/2007 7:58:25 AM , Rating: 3
Its all moot anyways, because as soon as Penryn comes along the hardware and the compatible OS (e.g. Vista, and later) will lock users out of DRM protected memory pages, so hacks like this will "become a thing of the past". Then the only way to get a mem dump would be to force the entire OS to halt and dump the entire memory, then reboot.

Nope. If the Trusted Computing OS is run in a virtual machine, there's no way it can protect it's memory space from the host operating system.

RE: Wow...
By ToeCutter on 2/14/2007 11:42:27 AM , Rating: 2

You beat me to it!

Virtualization will eventually play a large part in hacking DRM.

Many of the x86 Mac OS X were initally cracked using VMs. Because VMs are presented hardware by the virtualization software, I anticipate it would be possible to offer "faux" TPM hooks so the Vm "thinks" it's using legit TPM.

Perhaps most important: VM apps are reasonably affordable.

RE: Wow...
By dude on 2/15/2007 2:16:32 AM , Rating: 2
Unless the program is written to detect that a virtual machine is running. However, I'm sure a "bug" fix to the VM program will be released shortly after to aleviate this "feature".

RE: Wow...
By livelouddiefast on 2/16/2007 12:17:55 PM , Rating: 1
there will be hacks to counter drm, and drm within vista, etc. Or OS's without DRM will start to gain market share. people will find a way to break whatever encryption is on anything.

"Let's face it, we're not changing the world. We're building a product that helps people buy more crap - and watch porn." -- Seagate CEO Bill Watkins
Related Articles
Blu-ray Encryption Defeated
January 23, 2007, 6:49 PM
First Pirated HD DVDs Released
January 17, 2007, 4:30 PM
Hackers Claim HD DVD Encryption Circumvented
December 28, 2006, 12:24 PM

Latest Headlines
Inspiron Laptops & 2-in-1 PCs
September 25, 2016, 9:00 AM
The Samsung Galaxy S7
September 14, 2016, 6:00 AM
Apple Watch 2 – Coming September 7th
September 3, 2016, 6:30 AM
Apple says “See you on the 7th.”
September 1, 2016, 6:30 AM

Most Popular ArticlesSmartphone Screen Protectors – What To Look For
September 21, 2016, 9:33 AM
UN Meeting to Tackle Antimicrobial Resistance
September 21, 2016, 9:52 AM
Walmart may get "Robot Shopping Carts?"
September 17, 2016, 6:01 AM
5 Cases for iPhone 7 and 7 iPhone Plus
September 18, 2016, 10:08 AM
Update: Problem-Free Galaxy Note7s CPSC Approved
September 22, 2016, 5:30 AM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki