Tech Insider					   Technology and Trends

			   USENET Archives

Electronic mail:			      World Wide Web:	

From Thu, 28 Oct 1999 12:57:37 +0200 (CEST)
Date: Thu, 28 Oct 1999 12:57:37 +0200 (CEST)
From: Frank Andrew Stevenson
Subject: [Livid-dev] Working PlayerKey cracker

In response to feedback from yesterday's post I have now refined
my attack in the following ways:

The CSSdecrypt key can now be recovered with only 5 bytes of
known output. Sometimes multiple keys will be found to a
single output, due to collisions in the mixing stage. But
this is not a problem when recovering KEKs ( Key encryption
Keys ), as all keys found will be equivalent / interchangeable.

There has been some debate around the 'hash function'. I choose
to view it as a very simple encryption function. With 5 byte
input, 5 byte output and 5 byte key. When searching for a
player key, the input / output is known. The cipher can then be
attacked with a complexity of 2^8. Code for the key recovery
is given below. This cipher has many collisions, and some
input output pairs have no keys, while others have multiple.
The latter is a concern when searching for Player keys, as
they have to be eliminated by checking against other discs.

I have attached a program that works as follows:

hippopotamus:~/tmp> time ./keyrec 22 e1 67 83 72 0f c1 7a 96 98
Recovering Key
Possible mangling key: af c9 07 42 1f
  Possible Player key 51 67 67 c5 e0
  Possible Player key 69 d2 e3 92 ae
5.000u 0.010s 0:05.44 92.0%     0+0k 0+0io 87pf+0w

Here 2 equivalent player keys are recovered from the
input:  22 e1 67 83 72   - Disc key
output: 0f c1 7a 96 98   - intermediate key, common for all player keys

The process takes 5.5 seconds on a PPro200, somewhat slower
now that only 5 bytes are known in the keystream. 

If this works, as I hope it will, I will leave it as an exercise
to the reader to recover all player keys :-)


-------------- This is how to recover the 'hashing key' --------

[Code Removed]

----------- The following is the complete source for  ------
---------------- player key cracker ------------------------ 

[Compressed File Removed]

This sentence is unique in this respect; it can safely
be attributed to my employer, Funcom Oslo AS.
E3D2BCADBEF8C82F A5891D2B6730EA1B PGPmail preferred, finger for key
There is no place like N59 50.558' E010 50.870'. (WGS84)
