Muslix64 Returns: Blu-ray Disc This Time

[Specialist]

Link to Doom9 thread: http://tinyurl.com/2cftqs

Janvitos and muslix64 turn their attention to Blu-ray Disc.

Jerry Jones
http://www.jonesgroup.net

[Specialist]

Quote from muslix64

In less than 24 hours, without any Blu-ray equipment, but with the help of Janvitos, I managed to decrypt and play a Blu-ray media file using my known-plaintext attack...

The file from the movie "Lord of war", play well with VideoLan.

Janvitos gave me few files on the BD disc and a memory dump...

Amazing.

Jerry Jones
http://www.jonesgroup.net

[Specialist]

The muslix64 character explains more here:

Many people ask me more details about the known-plaintext attack. This is a very basic, but powerfull crypto attack that I have used to decrypt both format.

After reading posts of people trying to get the keys in memory, I realized, I have a different way of looking into the problem.

A lot of people try to attack the software, I'm attacking the data!

So I spent more time analysing the data, to look for patterns or something special to mount my known-plaintext attack. Because I know the keys are unprotected in memory, I can skip all the painfull process of code reversal.

I don't have any Blu-Ray equipment but I was able to recover the keys anyways... because I had access to a memory dump file and a media file.

To give you an example, let's take the Blu-Ray case.

First, I had to read the documentation about the media file format.

In the case of Blu-Ray, the media files are divided in blocks called "Aligned unit". Let's simply call them "Unit" for short. A Unit is a block of 6144 bytes. The first 16 bytes are unencrypted, and the rest are encrypted using AES in CBC mode.

A unit is composed of 32 blocks called "MPEG source packet". Each packet is 192 bytes long. The first 16 bytes of the first MPEG source packet of a Unit are decrypted.

Just to see the decrypted part of the packet, I have printed a few. Have a look:

D13BF428474000100000B0110000C100
D13C5DE84710111C6E3468D1861B8D1A
D13CC7A84710111CE3468D1861B8D1A3
D13D31684710111C1A346186E3468D18
D13D9B284710111C6186E3468D1861B8
D13E04E84710111C8D1861B8D1A34618
D13E6EA84710111CD1861B8D1A346186
D13ED8684710111C186E3468D1861B8D
D14D57924710111CFCC810FE80107F08
D14DC1524710111C1007647E401C002E
D14E2B124710111C8001880350400300
D14E94D24710111C007690DE581426A3
D14EFE924710111C80800E8081F9E081
D14F68524710111CA01300C007408C00
D14FD2124710111C005200B002E00D49

Do you see something special? Do you see any pattern?

The first byte is always D1 and the 5th byte is always 47. Can we use that to mount the known-plaintext attack? Of course!

Because we know we have multiple MPEG source packet inside a Unit, we know the decrypted version of the unit at position 192 will probably look like the sequences shown above.

In most cases, the know-plaintext attack is in fact a guessed-plaintext attack. We "assume" the data will look like something we "guessed" when decrypted. Most of the time, it works!

Knowing that, all you have to do, is to write a small program that scan a memory dump file, that comes from of a software player while it was playing the movie. The key is in that file, you have to locate it.

You just have to decrypt the first 2 MPEG source packets of the first unit until, you find a key that decrypt to something like:

D1??????47?????????????????????? at position 192.

That's it!

I also do something similar for the HD-DVD format.

Once you know the value and the position of the key in memory, you can do like people are doing here. Use "memory landmark" to locate the key.

Any questions?

Doom9 thread link: http://tinyurl.com/2labaq

Jerry Jones
http://www.jonesgroup.net

[yoda313]

Hmmm....... It might finally be worth it to buy bluray/hddvd now. I know that bluray is mpeg2 just enhanced so that should be really straight forward for downconversion to dvd. I don't know how you would convert the hddvd format to dvd. That is not mpeg so I am not familiar with that codec.

[Specialist]

Actually, both "HD DVD" and "Blu-ray Disc" support MPEG-2, H.264 MPEG-4, and VC1 (Microsoft's Windows Media HD).

Jerry Jones
http://www.jonesgroup.net

[InXess]

Hmmm....... It might finally be worth it to buy bluray/hddvd now. I know that bluray is mpeg2 just enhanced so that should be really straight forward for downconversion to dvd. I don't know how you would convert the hddvd format to dvd. That is not mpeg so I am not familiar with that codec.

and what would be the point of that, to buy HD to downconvert to DVD... and possibly shrink it on top...?

[FulciLives]

Hmmm....... It might finally be worth it to buy bluray/hddvd now. I know that bluray is mpeg2 just enhanced so that should be really straight forward for downconversion to dvd. I don't know how you would convert the hddvd format to dvd. That is not mpeg so I am not familiar with that codec.

and what would be the point of that, to buy HD to downconvert to DVD... and possibly shrink it on top...?

Well I guess you can start buying movies now and down convert to DVD to watch them ... wait until the hardware gets cheap ... then when it does you already have a bunch of movies.

A bit retarded though I agree LOL

- John "FulciLives" Coleman

[yoda313]

To inexss and fulcilives - haven't you ever heard the phrase 'because I can"???

Its just interesting to think that it is now almost possible to do that. Also why do we downconvert hdtv to dvd? For the same reason - recordable hdtv media is prohibitively expensive to a large portion of users and dvd is an immediate solution.

The only possiblity I'd look into is someday buying a xbox360 hddvd drive and hooking it up the computer. But I would want to buy a widescreen monitor before I did that - and invest in a 7.1 soundcard and 7.1 speaker set to take full advantage of hddvd.

[InXess]

To inexss and fulcilives - haven't you ever heard the phrase 'because I can"???

thst would be a valid reason, sorry

[yoda313]

To inexss and fulcilives - haven't you ever heard the phrase 'because I can"???

thst would be a valid reason, sorry

No prob - just thought I'd point out people do things just becuase you can do them not becuase they make any sense to other people

[MJA]

when they make a $100 or less HD burner for pc I will buy HD movies.no burner.no movies