+HCU Papers
"DIVX and DVD reversing"
by Dr. Fuhrball's
23 September 1998
(slightly edited by reverser+)
Well, this is a very interesting essay. Dr. Fuhrball joins a sound reversing approach (and protection busting) with a broader analysis that borders to reality cracking. I have included it into the +HCU papers, because I believe that 'domestic appliances' cracking will be more and more a fundamental part of any applied reverse engineering study... "
[Zoran Softdvd] [The Zenith DIVX player] [Get remoteselector 131 emailed to you]


   Zoran Softdvd, Creative Pc-Dvd Encore, Zenith 2100 DIVX player...

   By Dr. Fuhrball

   (Some of this is not done yet, i just do not have the time i used to!)
   (No Reverser+... its not because i am watching too much TV, these days i
   watch less than two hours a week!)

   This weeks cocktail:   Cadenheads Longmorn Glenlivet. Delivered at
   full cask strength of 120 proof. Whoaboy is this stuff good. And along
   with it a monte-cristo from Havana (¡Que linda es Cuba!). (What you say? 
   Havana cigars are illegal in USA? Really?)

   How the motion picture industry wants to screw your butt,
   over and over and over and over.....

   DVD, the Digital Versatile disk. Used to be Digital Video disk, but
   they found a bunch more uses for it. Up to 4 layers on a dual sided
   disk the same size as a cd, with up to about 18GB.

   But could they leave this alone, no way. First they had to find a way
   to protect their valuable films. Along came "regional" control. Now this
   really pisses me off, because when i buy a video disk, i want to be
   able to play it. When I go to Japan and buy a "region 2 disk", then bring
   it back to the Usa, it will not play, because a region 2 disk generates
   an authentication error on a "region 1" player. Will I tolerate this,
   of course not. Lots of ways to go about it.

   The first way is Zoran Softdvd.
   This is a software only product that with appropriate hardware
   in this case a pII/400 and an ATI AGP video card, this software product
   plays DVD's at full frame rate with stereo sound. Kind of slick
   Kind of buggy really. This version is 1.61. One small exe file and
   a bunch of huge dll's. Take a look at the following segment.


   Area 1

   :1000448B 8B7C2464          	mov edi, dword ptr [esp+64]
   :1000448F 57        		push edi
   :10004490 E82B0E0000        	call 100052C0
   :10004495 83C404    		add esp, 00000004
   :10004498 33C9      		xor ecx, ecx
   :1000449A 85C0      		test eax, eax
   :1000449C 745C      		je 100044FA
   :1000449E 83F803    		cmp eax, 00000003
   :100044A1 7525      		jne 100044C8
   :100044A3 B801000000        	mov eax, 00000001
   :100044A8 89BE1C020000      	mov dword ptr [esi+0000021C], edi
   :100044AE 5F        		pop edi
   :100044AF 898E14020000      	mov dword ptr [esi+00000214], ecx
   :100044B5 898E10020000      	mov dword ptr [esi+00000210], ecx
   :100044BB 898E18020000      	mov dword ptr [esi+00000218], ecx
   :100044C1 5E        		pop esi
   :100044C2 83C450    		add esp, 00000050
   :100044C5 C20C00    		ret 000C

   * Referenced by a Jump at Address:100044A1(C)
   :100044C8 50        		push eax
   :100044C9 57        		push edi
   :100044CA 8D442410          	lea eax, dword ptr [esp+10]

   * Possible StringData Ref from Data Obj ->"Could not authenticate disk %d "
   :100044CE 68A4D00010        	push 1000D0A4
   :100044D3 50        		push eax

   * Reference To: MSVCRT.sprintf, Ord:02ADh
   :100044D4 E88D280000         Call 10006D66
   :100044D9 8D442418           lea eax, dword ptr [esp+18]
   :100044DD 83C410    		add esp, 00000010
   :100044E0 6A30      		push 00000030

   area 2

   :10004581 33C0      		xor eax, eax
   :10004583 8B7C2464          	mov edi, dword ptr [esp+64]

   * Referenced by a Jump at Address:1000457F(U)
   :10004587 85C0      		test eax, eax
   :10004589 7432      		je 100045BD
   :1000458B 50        		push eax
   :1000458C 57        		push edi
   :1000458D 8D442410          	lea eax, dword ptr [esp+10]

   * Possible StringData Ref from Data Obj ->"Could not authenticate title %d "
   :10004591 686CD00010        	push 1000D06C
   :10004596 50        		push eax

   * Reference To: MSVCRT.sprintf, Ord:02ADh
   :10004597 E8CA270000        	Call 10006D66
   :1000459C 8D442418          	lea eax, dword ptr [esp+18]
   :100045A0 83C410    		add esp, 00000010
   :100045A3 6A30      		push 00000030

   I think you all know what to do with the two jumps at
   44A1 and 4589

   But there is still one little detail. Even though we have now
   got rid of all authentication control, The ntsc video output on the
   ATI video card has macrovision applied to it, courtesy of the
   impacTV2 ntsc output chip. Now this is buried in the code somewhere,
   that i have yet to be able to find.

   Is macrovision a problem. Do not think so.
   I was going to include a schematic for a macrovision decoder, but
   with numerous outfits on the net selling them for $60 USD, its not
   worth building one.

   check out videotek.net

   However soon, there will be players with a newer version of the macrovision
   circuit thats much harder to defeat. But here is the best part, not
   only is the new encoding circuit patented, but macrovision also patented
   the decoding circuit, so that anyone producing macrovision decoder boxes
   could (and most likely will be) sued. Nasty people aren't they. After
   obtaining a copy of the patent, its obvious that the newest idea is to not 
   only to mess with the sync signals, but to slowly and rhythmitically modify
   slightly the frequency and phase of the color burst signal. Does not affect
   standard viewing (Bullshit it don't) but drives VCR's nuts.

   Lots of tapes and DVD's and PPV events on DSS have macrovision enabled.
   People start voting on this with your pocket book. Are you going to
   spend 5K on an HDTV monitor, only to have the picture screwed with by

   Here is the same think for the pc-dvd encore unit.
   This uses a dedicated mpeg video decoder board with the Ccube chipset
   on it.

   I could dissasemble and patch this mess, but someone else has already
   done a really good job of creating a universal gizmotron to do it.

   Check this out and support this guy


In january 1998 I (Erwin van den Berg) made a small utility that could change the region code of the Creative DVD Encore Dxr2. This program was called the Creative DVD Region Selector (REGION.EXE). Later, when the program also could change the color carrier of the tv output and disable MacroVision, the name was changed in Creative DVD Selector (SELECTOR.EXE).
If you want this program right now (version 1.31), just email getweb@usa.healthnet.org and write the following inside the BODY of your email (no subject needed):
get http://www.xs4all.nl/%7Eevdberg/remoteselector131.zip
(where %7E corresponds to the "tilde" ~ of the above URL)
Whats really slick about this method, is that it touches NONE of the
   original code. It just intercepts things...

   There are most certainly other ways.

   Modify the drive itself to always spit back the non-copyrighted, multi
   region label. On some drives this could be slightly tough.

   For most panasonic and pioneer players there are already numerous
   outfits out there selling what amounts to new firmware that disables
   all regional controls and macrovision. Prices are currently a little 
   high but will definitely come down as volume increases.

   Modify the operating system DVD device driver.
   Now this one is a bit of work. With windows98 its built into the
   operating system. One patch will fix most drives.

   This is what i will be spending much time on in the future.

Now on to more fun. The Zenith DIVX player. Now I really hope that DIVX actually fails BIGTIME real soon. Absolutely everything about DIVX is bad. quoting from various sources... Under Divx, consumers would pay about $5 for a DVD-quality movie - a far lower price than today's standard DVDs, which often retail for up to $26. But unlike today's DVDs, the Divx movie could be played for only two days, and only on a Divx-equipped player. After that, the movie would be scrambled. For additional viewings, consumers would pay additional fees which could vary from film to film. Divx-equipped players, connected to phone lines, would unscramble the film and pass information along to a central office that would bill the consumer. Sounds like a good idea, think again. Whats the average life of a CD player. In my house its ready for the trash can in 4 years. That means that if you spend the full price for the movie, you can ONLY watch that movie in THAT player. When the player breaks, your investment goes away. If i take a movie over to a friends house which i now legally own, it will NOT play in his player. What else would you expect from a bunch of lawyers working for Circuit City corporate. Others have listed the disadvantages much more accurately. Some of this should go in under the reality cracking section. 1. The Divx players will cost 100-200$ more than ordinary DVD players and thus putting them even more out of reach for those preferring to rent and not to buy. 2. You will also have the extra expense of installing permanent telephone lines to all your Divx players. No other electonic devices used in the homes needs a permanent telephone connection. 3. The rental fee will be higher than that of ordinary DVDs. 4. Many people will throw away the Divx disc after the first wieving as the plastic disc is then worthless. This in not exactly environmentally safe. 5. Divx will mean that several hundred thousand DVD players are outdated just a few months after the DVD launch. 6. Launching a competing format will confuse the consumers and confused consumers will not buy anything. The entire launch of DVD will be delayed worldwide. The delay may be so long that it comes too close too the launch of the next DVD generation with HDTV resolution. 7. Many average consumers will not understand that the Divx disc they buy can't be played in any DVD player and they will also have problems understanding the rental system. Less honest people will take advantage of the confusion and sell Divx discs as used DVDs. 8. Paying full price to get an unlimited rental period will not be possible with all titles. Try to calculate what 1 year of Lion King would cost and try to imagine explaining to the kids that they can't see the title even if it's on your bookshelf. 9. You can't sell your Divx movies even if you have paid Divx full price to "own" the titles. 10. If you take a Divx disc you "own" over to a friend not only does he need to have a Divx player, he will also have to pay a 48 hour rental fee to play the disc. 11. It will not be possible to show a part of a scene on a Divx disc to demo the new digital video format without having to pay a full 48 hour period for it. 12. Imagine if the babysitter would take a short peek (Looking for cool menus and extras) at 50 of the movies in your collection that you do not yet "own". 13. "Hey, this is the wrong film!" How many times have you put the wrong VHS or CD into a player? That error will now cost you a 48 hour rental. 14. If another company buys the rights to a movie or if Disney again put one title on moratorium expect that a Divx disc you have paid full price for can suddenly become unwatchable. 15. Divx claims that their system will survey the consumer no more than that of an ordinary video rental store will do. This is not true. With Divx they will have to keep track every title you (or anyone else) put into your video player from the day you open the Divx account and that no matter the origin of the disc. They will even know what time of day you are viewing the title. 16. The Divx discs will be numerated so if you take your disc over to a friend who also happends to have a Divx player the Divx central will know it. Divx have already said they will use this information. Maybe you don't care about being surveyed, but imagine getting a call from a pizza company every time a Divx is put into a player it don't "belong" to.(In case you don't understand this: When a Divx disc in put into another player chances are that several friends are gathered to watch a movie. A pizza company may be willing to pay Divx for this information). 17. Only the manufacturers selling the lowest quality players supports Divx. 18. You will not be able of using the cool extras that many titles will have on a computer with a DVD-ROM player. 19. With Divx you will only be able of renting from one company. If the format gets accepted among the consumers they will have a monopoly and can set the prices without any competition. 20. If Divx is accepted they will take over the market from specialised video stores who will have to close. The profit margin they can get from selling Divx discs are simply not enough for them. How many rare movie titles do you expect to find at the local grocery store if they start to sell Divx there? Contrary to the claims Divx will mean that the consumers will have less titles to choose from as it will kill nearly all specialzed video stores. Apart from less choice many jobs would also be lost. 21. If Divx is accepted they could also offer rentals at higher price at the same time as the movies passes at the movie theatres. Divx could kill your local cinema. 22. No information system is without errors. What if you find that you are charged for viewing a disc you know you have not seen the last month. How can you prove it to them? If you refuse to pay they may simply disable your Divx account. 23. What will you do when they start charging you a monthly fee for having a Divx account? Will you pay whatever they ask or will you throw away the film collection they claimed you "owned"? 24. No credit card or no phone? Forget it! 25. If your check account is not ballanced then Divx may stop your Divx account and you will suddenly find yourself unable of viewing the entire movie collection you have already paid full price for. 26. What will happend if your phone line is down for several days, if angry DVD owners are blocking the tollfree numbers or simply if you go on vacation for a week or more and you are not willing to leave the player connected? 27. The system could also be used to monitor all DVD and CD titles you play on the Divx player. 28. If you move to another country your entire movie collection would become worthless. 29. People will simply not accept paying each time they view a title they have in their house. They would simply copy it to VHS using a macrovision buster. It would even be fully legal for the consumers to do this. How do you expect the studios to cover their loss? 30. What will you do with the collection of Divx discs you "own" if/when the whole Divx project is stopped? Do you expect that you can still watch a Divx disc you "own" 15 year from now just as you can with VHS, Laserdisc and ordinary DVD? 31. If Divx succeeds expect similar systems to be used for DVD-ROM and DVD-Audio. By releasing software only on a Divx system they hope to push the consumers into supporting this more expensive rental system. 32. In a few years DVD-RAM could be used to record TV programmes and replace the VCR completely. If the player also has Divx don't expect the studios not to take advantage of having control of your player. 33. No matter how impressive the encryption is there will always be a loophole. To modify a Divx player so it "forgets" it has played a disc should not be too big a challenge for many crackers. Expect such players to become mainstream in the USA and the rest of the world if Divx by any chance takes off in the USA. Remember that the Circuit City chairman Richard Sharp warned that early adopters were taking a risk. This is indeed true with Divx. If Divx is not killed right after the launch expect a new system called something like Divx-2 soon to be launched rendering the old Divx players outdated. Now lets pay attention to #33. Lets take a DIVX disk and stick it in a regular computer DVD player. Lets open the disk with explorer. Oh, lookie it looks just like a regular dvd disk. Lets open softdvd and try to play the disk. "Not a MPEG data stream". So its encrypted. I do not believe that cracking this is gonna be that tough. It cannot be tough, there is just barely enough time to run the mpeg decoder anyway. If anything its a masking or rotating bit shifting thing. Now lets crack open that Zenith DIVX player i have gotten my hands on. Make no mistake about it, the only thing Zenith owns about the entire thing is the logo on the front. Its actually made by Goldstar. Zenith engineers would be incapable of designing anything like this anyway, thats if there were any engineers left after the recent chapter 11 filing.... Oh, look a 32,768 khz watch crystal. Naw, can't be that easy. First never ever hook this thing to the phone line. Without being on the phone line, it can never update the time. Now either short the two wires of the crystal together, or tie one wire to ground. The clock stops. Turn the unit back on, beep, beep ,beep. Turn the unit back off, install a switch. Turn the unit back on, comes up fine. Now turn on the switch stoping the clock. If you leave the unit in this condition, you can play DIVX disks, damm near forever. Now one would normally think that there is got to be a hidden gotcha here, like the player timing out after not being able to reach the authorization center for a week, But this now 3+ weeks running, and no problem yet. (Of course this is a BETA player, and they will probably fix it, then again maybe not.) On the other hand it may be that they use the clock to determine cheaper times to call in, and since the clock never advances then the player does not call in. Given #10 above, it would seem that they are not worried about the ocassional possibility of one person watching a movie, then immediately taking it over to another persons house so that he can watch it... Actually the phone company will probably love divx, think of all that additional revenue from all those boxes calling in all the time. Its now 5 weeks later, and the divx player continues to play disks that have not been paid for. Sears a large retailer in the USA has dropped selling divx, saying that they do not want consumer backash to divx to affect other parts of their store.

You'r deep inside reverser's pages of reverse engineering, choose your way out
+HCU Papers

homepage links redanonymity +ORC tools counter measures
students' essays cocktails search_forms antismut mail_reverser
Is reverse engineering legal?