Cyberheg's tutorial is actually based on Kashmir's work with DVD Maestro a long time ago. The key to both approaches is simple: the 2nd dword is always valid due to a flaw in the design of the algorithm. Essentially, the second dword always decrypts correctly. So make sure the 2nd dword is consistent with the section beginning of the first dword you are assuming to be 00000000. I would double-check the 00000000 assumption by looking at the data in the 2nd dword, i.e. if you see some opcodes in the 2nd dword, it's very possible your first dword might not be what you think it is due to an incorrect assumption. Your brute-force approach looks fine (I cannot guarantee the code, I didn't analyze it), but the gist of the idea is just to brute-force the 32-bit range while monitoring some chosen dword of your assumption. Also, one note: make sure the algorithm in C matches the algorithm in asm. I recall they had changed the algorithm slightly at some point, so you might be using a ready-made algorithm which does not match your asm. Although, at a glance it looks correct. Good luck.
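As an added illustration of the brute-force idea in the reply above (example code written for this page, not code from the post, from Cyberheg's tutorial or from Kashmir's work), here is the search in C. The real DVD Maestro routine is not reproduced anywhere on this page, so the cipher below is an assumed toy stand-in that models only the two properties the post relies on: every dword is XORed with a keystream word derived from a 32-bit key, and the keystream word for the 2nd dword (index 1) does not depend on the key at all, which is the "always decrypts correctly" flaw. The function names, the LCG constants and the sample section contents are all constructed for the example. The point the post does not spell out is the false-positive problem: a 32-bit check on a 32-bit key space yields, on average, about one chance hit in addition to the real key, so every dword-0 hit is confirmed against a second assumed dword before it is accepted, and the key-independent dword 1 is used only as the post's sanity check on the 00000000 assumption, never as the search filter.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Toy stand-in for the protector's 32-bit-keyed section decryption.
 * ASSUMPTION: this is NOT the DVD Maestro routine (the page does not
 * reproduce it). It only models the properties the post relies on.
 */
static uint32_t ks_next(uint32_t *state)
{
    *state = *state * 0x01000193u + 0x9E3779B9u;   /* arbitrary LCG constants */
    return *state ^ (*state >> 13);
}

/* Decrypt n dwords from in[] into out[]; XOR makes encryption the same call. */
static void toy_crypt(uint32_t key, const uint32_t *in, uint32_t *out, size_t n)
{
    uint32_t st = key;
    for (size_t i = 0; i < n; i++) {
        uint32_t k = ks_next(&st);
        if (i == 1) k = 0;              /* the design flaw: dword 1 is never masked */
        out[i] = in[i] ^ k;
    }
}

/* The post's sanity check: dword 1 is key-independent, so in this model it is
 * already plaintext in the encrypted image and can be compared against what
 * the assumption about the section start predicts (here: more zero padding)
 * before any search time is spent. */
static int second_dword_consistent(const uint32_t *enc, uint32_t expected1)
{
    return enc[1] == expected1;
}

/*
 * Search keys in [lo, hi] for one that makes dword 0 decrypt to assumed0.
 * Every dword-0 hit is confirmed against dword 2 (dword 1 cannot confirm
 * anything, it is the same for every key). Returns 1 and stores the key on
 * a confirmed hit, 0 otherwise; *dword0_hits counts keys that passed the
 * dword-0 test alone, which shows how many chance matches the filter lets through.
 */
static int brute_force_key(const uint32_t *enc, size_t n,
                           uint32_t assumed0, uint32_t assumed2,
                           uint32_t lo, uint32_t hi,
                           uint32_t *key_out, unsigned *dword0_hits)
{
    uint32_t plain[3];
    *dword0_hits = 0;
    if (n < 3) return 0;
    for (uint64_t k = lo; k <= hi; k++) {
        uint32_t st = (uint32_t)k;
        /* cheap first stage: only the first keystream word is needed */
        if ((enc[0] ^ ks_next(&st)) != assumed0) continue;
        (*dword0_hits)++;
        toy_crypt((uint32_t)k, enc, plain, 3);
        if (plain[2] == assumed2) { *key_out = (uint32_t)k; return 1; }
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: a section that starts with three zero dwords of
     * padding, encrypted under a key the search has to recover. */
    const uint32_t secret_key = 0xDEADBEEFu;
    uint32_t plain[4] = { 0x00000000u, 0x00000000u, 0x00000000u, 0xC3C9E58Bu };
    uint32_t enc[4], key;
    unsigned hits;
    toy_crypt(secret_key, plain, enc, 4);

    if (!second_dword_consistent(enc, 0x00000000u)) {
        printf("dword 1 is %08lx, not padding: revisit the 00000000 assumption\n",
               (unsigned long)enc[1]);
        return 1;
    }
    if (brute_force_key(enc, 4, 0x00000000u, 0x00000000u,
                        0x00000000u, 0xFFFFFFFFu, &key, &hits))
        printf("key %08lx (%u keys passed the dword-0 test alone)\n",
               (unsigned long)key, hits);
    else
        printf("no key found: the assumed plaintext dwords are wrong\n");
    return 0;
}
```

Running main walks the full 2^32 range, which takes a few seconds with optimisation on; the first-stage filter is deliberately only one keystream step so that the per-key cost stays small. If the second-dword check fails, or the search ends without a confirmed hit, the assumption about the section start is the first thing to revisit, exactly as the post advises, and the C routine itself is the second, since a stand-in that does not match the asm will never produce a hit.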