View Full Version : Decode Encrypted Viaccess Word



eugennico
07-03-07, 11:40
In this post I will try to explain how to decode an encrypted Viaccess word.
For now I will use the SOLTV example, because the last byte of the key is even (94).

key09=06 E8 27 3B 2F C3 24 94

so you do not need to change the crypted word.
I will post later how to change the crypted word, after I explain the signature check algorithm.

Example of SLOTV
-----------------
Incoming ECM Instruction
CA 88 00 09 21
ACK 88
Received Encrypted Data
E2 03 2B 28 01 EA 10 B0 BD D8 4D 71 77 CF DD C4
27 54 7A 9F 30 1A B5 F0 08 6F 06 0A C1 02 1D B7 7F
90 00
Signature OK!!
Request Decrypted CW
CA C0 00 00 12
Reply Decrypted CW
C0 EA 10 EF 30 66 85 5A B0 88 92 2A 72 94 30 7E 15 EC 7F
90 00
--------------------------------------------------------

The CA 88 instruction sends the encrypted word to the card.
The P2 byte (09 in the example) is the key number to be used to decode the encrypted data obtained shortly.
The P3 byte indicates the number of bytes to be received by the card, in this example hex 21, decimal 33.
In the 21-byte string are two encrypted 8-byte words, which have to be decrypted using 7 bytes of the key.
The card must send ACK 88 to the Receiver in order to receive the P3 21 bytes.
Finally the card sends 90 00 if the signature is OK.

21 bytes breaks down to:-
-------------------------------------------------------
E2 03 :date nano & length
2B 28 01 :date 2001-09-08 (third byte unknown)
EA 10 :encrypted words nano & length
B0 BD D8 4D 71 77 CF DD :encrypted 1
C4 27 54 7A 9F 30 1A B5 :encrypted 2
F0 08 :Signature nano & length
6F 06 0A C1 02 1D B7 7F :Signature word

Then the card sends the 2 decrypted words:
decrypted 1 =EF 30 66 85 5A B0 88 92
decrypted 2 =2A 72 94 30 7E 15 EC 7F
----------------------------------------------------------

Before decoding, the first 7 key bytes are rotated left by 2 bytes.
key(k1 k2 k3 k4 k5 k6 k7 k8 ) -> key(k3 k4 k5 k6 k7 k1 k2 k8 )
key09=06 E8 27 3B 2F C3 24 94 -> 27 3B 2F C3 24 06 E8 94

To decode, do the following steps 16 times:
-key preparation
-data manipulation
-Viaccess mode
-Expansion or E-Table
-Substitution or S-Boxes
-Permutation or P Table
-PROCESS ITERATION



KEY PREPARATION
****************
We use only 7 bytes (56 bits) of the key, which we split into two 28-bit halves; we rotate each half 1 or 2 bits to the left, depending on which of the 16 rounds we're on, then put the two halves together.

A single rotation left means that the first (most significant or left hand) bit moves to the last (least significant or right hand) position and all the other bits move one to the left.

The exact number of left rotations is determined by the table:

Round 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
No of rotations 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1

We then create a new 48 bit key by reordering 48 of the bits in the 56 bit shifted key according to the pattern:

14 17 11 24 1 5
3 28 15 6 21 10
23 19 12 4 26 8
16 7 27 20 13 2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32

This means that the new 1st bit is the 14th old bit, new 2nd bit is old 17th and so on with the new 48th bit being the old 32nd bit.
The old bits 9, 18, 22, 25, 35, 38, 43, 54 are not used.
This operation is called a Permutation and the table is called Permuted Choice 2 or PC-2 in DES terminology.

Then we split the result up into eight 6-bit blocks.
Preparation of the key is now complete for a single round.
Note that the net result is a new 48-bit key, in the form of eight 6-bit blocks, for use later on.

DATA WORD MANIPULATION
**********************

The encrypted word is 8 bytes or 64 bits long.
The first thing to do is to split this into two halves, each 32 bits long (4 bytes), called L and R.

Example:
encrypted word =B0 BD D8 4D 71 77 CF DD
L=B0 BD D8 4D
R=71 77 CF DD




Viaccess mode
**************

To change the first byte of R:
1 - The 8th byte of the key is multiplied by the first byte of R
(to get a 2-byte or 16-bit word).
2 - The first byte of R is added to the result
(add 1 to the upper byte if there was a carry from the lower byte).
3 - The 8th byte of the key is added to the result in the same way.
4 - The upper byte is subtracted from the lower byte
(if there was a carry in this subtraction, then add 1).


Example:
--------
key(7)=94 // 8th byte of key
R(0)=71 // the first byte of R
1)- 94 * 71 = 4154
2)- 94 * 71 + 94 = 41E8
3)- 94 * 71 + 94 + 71 = 4259 (upper byte = 42 lower byte=59)
4)- 59 - 42 = 17
-------------------with carry
key(7)=94
R(0)=AB
1)- 94 * AB =62DC
2)- 94 * AB + 94=6370
3)- 94 * AB + 94 + AB=641B (upper byte = 64 lower byte = 1B)
4)- 1B - 64 = B7 with carry 1
B7 + 1=B8
---------





Expansion or E-Table
********************

Then we build a new R called R1 of length 48 bits by using the pattern:

32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1

This means our R1 has its 1st bit as old R's last bit,
its 2nd bit as old R's 1st bit and so on, with its last bit being the old R's 1st bit.
As you can see, some of old R's bits are used more than once.
The table is called the Expansion or E-Table.
Then we split the result up into eight 6-bit blocks.



Substitution or S-Boxes
*************************

We now XOR one block of R1 with one block of the key we prepared earlier.
Each of these blocks is used to locate an entry in one of the eight tables below, called Substitution or S-Boxes.



Substitution Box 1
E0 00 40 F0 D0 70 10 40
20 E0 F0 20 B0 D0 80 10
30 A0 A0 60 60 C0 C0 B0
50 90 90 50 00 30 70 80
40 F0 10 C0 E0 80 80 20
D0 40 60 90 20 10 B0 70
F0 50 C0 B0 90 30 70 E0
30 A0 A0 00 50 60 00 D0


Substitution Box 2
0F 03 01 0D 08 04 0E 07
06 0F 0B 02 03 08 04 0E
09 0C 07 00 02 01 0D 0A
0C 06 00 09 05 0B 0A 05
00 0D 0E 08 07 0A 0B 01
0A 03 04 0F 0D 04 01 02
05 0B 08 06 0C 07 06 0C
09 00 03 05 02 0E 0F 09


Substitution Box 3
A0 D0 00 70 90 00 E0 90
60 30 30 40 F0 60 50 A0
10 20 D0 80 C0 50 70 E0
B0 C0 40 B0 20 F0 80 10
D0 10 60 A0 40 D0 90 00
80 60 F0 90 30 80 00 70
B0 40 10 F0 20 E0 C0 30
50 B0 A0 50 E0 20 70 C0

Substitution Box 4
07 0D 0D 08 0E 0B 03 05
00 06 06 0F 09 00 0A 03
01 04 02 07 08 02 05 0C
0B 01 0C 0A 04 0E 0F 09
0A 03 06 0F 09 00 00 06
0C 0A 0B 01 07 0D 0D 08
0F 09 01 04 03 05 0E 0B
05 0C 02 07 08 02 04 0E


Substitution Box 5
20 E0 C0 B0 40 20 10 C0
70 40 A0 70 B0 D0 60 10
80 50 50 00 30 F0 F0 A0
D0 30 00 90 E0 80 90 60
40 B0 20 80 10 C0 B0 70
A0 10 D0 E0 70 20 80 D0
F0 60 90 F0 C0 00 50 90
60 A0 30 40 00 50 E0 30


Substitution Box 6
0C 0A 01 0F 0A 04 0F 02
09 07 02 0C 06 09 08 05
00 06 0D 01 03 0D 04 0E
0E 00 07 0B 05 03 0B 08
09 04 0E 03 0F 02 05 0C
02 09 08 05 0C 0F 03 0A
07 0B 00 0E 04 01 0A 07
01 06 0D 00 0B 08 06 0D


Substitution Box 7
40 D0 B0 00 20 B0 E0 70
F0 40 00 90 80 10 D0 A0
30 E0 C0 30 90 50 70 C0
50 20 A0 F0 60 80 10 60
10 60 40 B0 B0 D0 D0 80
C0 10 30 40 70 A0 E0 70
A0 90 F0 50 60 00 80 F0
00 E0 50 20 90 30 20 C0


Substitution Box 8
0D 01 02 0F 08 0D 04 08
06 0A 0F 03 0B 07 01 04
0A 0C 09 05 03 06 0E 0B
05 00 00 0E 0C 09 07 02
07 02 0B 01 04 0E 01 07
09 04 0C 0A 0E 08 02 0D
00 0F 06 0C 0A 09 0D 00
0F 03 03 05 05 06 08 0B



We now form a new R called R2 from:
the 1st block uses Box-1 + the 2nd Box-2 to form the first byte of R2
the 3rd block uses Box-3 + the 4th Box-4 to form the second byte of R2
the 5th block uses Box-5 + the 6th Box-6 to form the third byte of R2
the 7th block uses Box-7 + the 8th Box-8 to form the fourth byte of R2

Example:
---------
1st block of key = 2D
1st block of R1 = 22
2D xor 22 = 0F (decimal 15)
this is the location 15 in the first box (which is = 10)

2nd block of key = 0F
2nd block of R1 = 2E
0F xor 2E = 21 (decimal 33 )
this is the location 33 in the second box (which is = 0D)

so the first byte of R2 is 10 + 0D =1D
----------



Permutation or P Table
************************
The last operation is to create a (third and final) R called R3 from R2 by using the following Permutation or P Table:


16 7 20 21
29 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25

This means that the 1st bit of R3 is the 16th of R2, the 2nd is the 7th and so on, with the 32nd being the 25th bit of R2.




PROCESS ITERATION
******************
The net result of the previous sections was to split the encrypted word into two halves, ignore the left-hand one L and eventually create a new right-hand one R3.

Now we XOR L and R3 together, and we've finished a decryption round.


For the next round, we treat the old R (before applying Viaccess mode)
as the left-hand half of a new data word and the result of
the XOR operation as the right-hand half and
**************************************************
*******************




We do this 16 times and we end up with a last left-right pair of 32 bits each. Put these together and we have a decrypted 8 byte word.

Continue the whole decryption process for the second encrypted word obtained from the 88 instruction dialogue and then both can be sent to the Receiver via the C0 instruction dialogue and the TV picture is unscrambled!


-----------------------------------
complete decode log for 16 rounds
DECODING START
----------------------------------------

DES_Round=0
**********
(L)=B0 BD D8 4D (R)=71 77 CF DD
Shift Key=4E 76 5F 86 48 0D D0
PC2= 2D 0F 28 15 1C 25 12 28 //6 bits only in every byte
R(0)=17 //apply viaccess mode
R1=22 2E 2E 2F 39 1F 3B 3A //6 bits only in every byte
Key Xor R1=0F 21 06 3A 25 3A 29 12 //6 bits only in every byte
R2=1D E2 CD 19
R3= 1B 4D 69 1E
L xor R3=AB F0 B1 53
new R=AB F0 B1 53


DES_Round=1
**********
(L)=71 77 CF DD (R)=AB F0 B1 53
Shift Key=9C EC BF 0C 90 1B A0
PC2= 3F 07 34 06 02 2F 30 06
R(0)=B8
R1=37 31 1E 21 16 22 2A 27
Key Xor R1=08 36 2A 27 14 0D 1A 21
R2=26 F6 39 A2
R3= 74 43 37 95
L xor R3=05 34 F8 48
new R=05 34 F8 48


DES_Round=2
**********
(L)=AB F0 B1 53 (R)=05 34 F8 48
Shift Key=73 B2 FC 22 40 6E 83
PC2= 18 2A 1D 1D 0B 04 16 30
R(0)=7A
R1=0F 34 06 29 1F 30 09 10
Key Xor R1=17 1E 1B 34 14 34 1F 20
R2=BA B3 34 67
R3= E4 DA 0F AE
L xor R3=4F 2A BE FD
new R=4F 2A BE FD


DES_Round=3
**********
(L)=05 34 F8 48 (R)=4F 2A BE FD
Shift Key=CE CB F0 99 01 BA 0C
PC2= 13 1D 10 37 22 14 21 03
R(0)=61
R1=2C 02 25 15 17 3D 1F 3A
Key Xor R1=3F 1F 35 22 35 29 3E 39
R2=D5 E6 09 23
R3= 10 C3 FD 16
L xor R3=15 F7 05 5E
new R=15 F7 05 5E


DES_Round=4
**********
(L)=4F 2A BE FD (R)=15 F7 05 5E
Shift Key=3B 2F C2 74 06 E8 32
PC2= 39 38 27 3A 31 2C 08 10
R(0)=C1
R1=18 03 3E 2E 20 0A 2B 3D
Key Xor R1=21 3B 19 14 11 26 23 2D
R2=F5 C8 55 B8
R3= 2A 85 E7 5B
L xor R3=65 AF 59 A6
new R=65 AF 59 A6


DES_Round=5
**********
(L)=15 F7 05 5E (R)=65 AF 59 A6
Shift Key=EC BF 09 C0 1B A0 C9
PC2= 2F 2E 0A 23 24 10 1D 0C
R(0)=22
R1=04 05 15 1E 2B 33 34 0C
Key Xor R1=2B 2B 1F 3D 0F 23 29 00
R2=9F 12 13 1D
R3= 6E E8 68 32
L xor R3=7B 1F 6D 6C
new R=7B 1F 6D 6C


DES_Round=6
**********
(L)=65 AF 59 A6 (R)=7B 1F 6D 6C
Shift Key=B2 FC 27 30 6E 83 24
PC2= 2E 31 3C 1A 26 09 0A 00
R(0)=E4
R1=1C 08 03 3E 2D 1A 2D 19
Key Xor R1=32 39 3F 24 0B 13 27 19
R2=C0 C9 71 80
R3= A0 85 A1 C1
L xor R3=C5 2A F8 67
new R=C5 2A F8 67


DES_Round=7
**********
(L)=7B 1F 6D 6C (R)=C5 2A F8 67
Shift Key=CB F0 9C E1 BA 0C 90
PC2= 1B 03 0B 1D 14 06 18 25
R(0)=CB
R1=39 16 25 15 1F 30 0C 0F
Key Xor R1=22 15 2E 08 0B 36 14 2A
R2=11 00 7A 9C
R3= 3A 24 40 A3
L xor R3=41 3B 2D CF
new R=41 3B 2D CF


DES_Round=8
**********
(L)=C5 2A F8 67 (R)=41 3B 2D CF
Shift Key=97 E1 39 D3 74 19 20
PC2= 0E 17 17 34 08 0D 22 05
R(0)=43
R1=28 06 27 36 25 1B 39 1E
Key Xor R1=26 11 30 02 2D 16 1B 1B
R2=8C BD 24 FE
R3= 8E 9A 15 FD
L xor R3=4B B0 ED 9A
new R=4B B0 ED 9A


DES_Round=9
**********
(L)=41 3B 2D CF (R)=4B B0 ED 9A
Shift Key=5F 84 E7 6D D0 64 80
PC2= 35 04 37 19 00 22 12 37
R(0)=0F
R1=01 1F 36 21 1D 1B 33 34
Key Xor R1=34 1B 01 38 1D 39 21 03
R2=99 D5 86 6F
R3= 8D BB 5D 2A
L xor R3=CC 80 70 E5
new R=CC 80 70 E5


DES_Round=10
**********
(L)=4B B0 ED 9A (R)=CC 80 70 E5
Shift Key=7E 13 9D 97 41 92 03
PC2= 15 3E 0C 35 2B 30 26 01
R(0)=DA
R1=3B 35 10 00 0E 21 1C 0B
Key Xor R1=2E 0B 1C 35 25 11 3A 0A
R2=B2 25 C6 5F
R3= CB B6 1A 2E
L xor R3=80 06 F7 B4
new R=80 06 F7 B4


DES_Round=11
**********
(L)=CC 80 70 E5 (R)=80 06 F7 B4
Shift Key=F8 4E 76 5D 06 48 0D
PC2= 23 39 36 07 00 24 0D 13
R(0)=CA
R1=19 14 00 0D 1E 2F 36 29
Key Xor R1=3A 2D 36 0A 1E 0B 3B 3A
R2=A4 C6 9C 23
R3= 31 C3 1F 18
L xor R3=FD 43 6F FD
new R=FD 43 6F FD


DES_Round=12
**********
(L)=80 06 F7 B4 (R)=FD 43 6F FD
Shift Key=E1 39 D9 74 19 20 37
PC2= 1E 32 0B 2F 15 38 04 04
R(0)=42
R1=28 04 08 06 2D 1F 3F 3A
Key Xor R1=36 36 03 29 38 27 3B 3E
R2=76 7A 6C 28
R3= 5C 45 86 DE
L xor R3=DC 43 71 6A
new R=DC 43 71 6A


DES_Round=13
**********
(L)=FD 43 6F FD (R)=DC 43 71 6A
Shift Key=84 E7 65 F0 64 80 DD
PC2= 2E 1D 12 28 30 00 17 08
R(0)=20
R1=04 00 08 06 2E 22 2D 14
Key Xor R1=2A 1D 1A 2E 1E 22 3A 1C
R2=6B 4D 9E 5C
R3= FB 39 D2 68
L xor R3=06 7A BD 95
new R=06 7A BD 95


DES_Round=14
**********
(L)=DC 43 71 6A (R)=06 7A BD 95
Shift Key=13 9D 97 E1 92 03 74
PC2= 34 00 2F 3E 12 0B 08 0D
R(0)=0E
R1=21 1C 0F 35 17 3B 32 2A
Key Xor R1=15 1C 20 0B 05 30 3A 27
R2=C5 DF 27 57
R3= 86 F3 F9 F8
L xor R3=5A B0 88 92
new R=5A B0 88 92


DES_Round=15
**********
(L)=06 7A BD 95 (R)=5A B0 88 92
Shift Key=27 3B 2F C3 24 06 E8
PC2= 0C 2E 3B 32 0A 08 11 29
R(0)=C2
R1=18 05 16 21 11 11 12 25
Key Xor R1=14 2B 2D 13 1B 19 03 0C
R2=6F 87 90 0B
R3= E9 4A DB 10
L xor R3=EF 30 66 85
new R=EF 30 66 85

Final Result=EF 30 66 85 5A B0 88 92
----------------------------------------
DECODING END
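
The CA 88 payload layout described in the first post, as an added example that is not part of the original thread: a Python parser that splits the 0x21 bytes into nano/length/value fields and rejects inconsistent lengths. The function names and the date bit layout (7-bit year since 1980, 4-bit month, 5-bit day) are assumptions; that layout is used because it reproduces the 2001-09-08 date the post gives for 2B 28.

```python
from datetime import date

# The 0x21-byte payload exactly as quoted in the post (sent after CA 88 00 09 21).
PAYLOAD = bytes.fromhex(
    "E2 03 2B 28 01 "
    "EA 10 B0 BD D8 4D 71 77 CF DD C4 27 54 7A 9F 30 1A B5 "
    "F0 08 6F 06 0A C1 02 1D B7 7F"
)

# Nano tags named in the post's breakdown.
NANO_NAMES = {0xE2: "date", 0xEA: "encrypted_words", 0xF0: "signature"}


def parse_nanos(payload):
    """Split the payload into (tag, value) pairs, validating every length byte."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated nano header at offset %d" % i)
        tag, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("nano %02X claims %d bytes, %d present"
                             % (tag, length, len(value)))
        out.append((tag, value))
        i += 2 + length
    return out


def decode_date(value):
    """Assumed layout: year-1980 (7 bits), month (4), day (5); third byte unknown."""
    word = int.from_bytes(value[:2], "big")
    return date(1980 + (word >> 9), (word >> 5) & 0x0F, word & 0x1F)


def describe(payload):
    """Return a dict of named fields for the nanos listed in the post."""
    fields = {}
    for tag, value in parse_nanos(payload):
        name = NANO_NAMES.get(tag, "unknown_%02X" % tag)
        if tag == 0xE2:
            fields[name] = decode_date(value)
        elif tag == 0xEA:
            if len(value) % 8:
                raise ValueError("encrypted words are not a multiple of 8 bytes")
            fields[name] = [value[j:j + 8] for j in range(0, len(value), 8)]
        else:
            fields[name] = value
    return fields
```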

dyngo
07-03-07, 14:21
Couldn't this example have been with Max....
Right now I'm in a total fog... I hope I can figure it out to the end :lol:

SAFETRON1
09-03-07, 01:40
@eugennico

That is the algorithm for obtaining the control word (CW) for the old Viaccess 2.3 system (or Via 1 as we call it). Via 2.5 uses a different algorithm.

dyngo
09-03-07, 08:22
So I shouldn't rack my brains over this?
By the way, isn't there any software that does all of this?

SAFETRON1
10-03-07, 19:35
So I shouldn't rack my brains over this?
By the way, isn't there any software that does all of this?

Well, how does that help you?? ....even if we assume, absurdly, that this algorithm were also used by the newer generations of the system (2.5 and 2.6), knowing it does not mean a hack!!!!!! ......to obtain the correct CW you need to know the operational key ....or to try all of the more than 16 million key combinations (in the case of an 8-bit key)!!!!!!!! .....because as long as no "mathematical breach" is found in the algorithm through which, by applying certain equations, the possible number of combinations can be limited, nothing can be done.

In breaking encryption systems, other kinds of methods are used, which exploit design bugs and the weaknesses of the systems that protect the card's software.

eugennico
12-03-07, 11:58
So I shouldn't rack my brains over this?
By the way, isn't there any software that does all of this?



There is software for via2 but it takes a long time (by my calculation over 5,000 days). It uses the ECM and the card's DW and checks the 32-bit key randomly or in sequence. I tested it on Via2 019410 ntv sirus and it is OK; it runs at approx. 18,000-25,000 keys/sec. It would be good if several of us used it to reduce the time:

-one starts from key 00000000000000000000000000000001
-another from 10000000000000000000000000000001
...............................................................................................
F0000000000000000000000000000001
It would be good for the site operator to manage this program and handle sign-ups.
The more of us there are, the faster we can find the key; the software can pause and resume the search and does not slow down the computer.


http://img490.imageshack.us/img490/2634/image2jn3.jpg

dyngo
12-03-07, 12:36
OK, I for one am interested; what software is this about? Give some more details....

eugennico
12-03-07, 12:46
OK, I for one am interested; what software is this about? Give some more details....


LEAVE an email so I can send the program and a few ECM+DW of the MAX card,
or contact me on SKYPE eugennico@k.ro

dyngo
12-03-07, 13:18
I received the email, I'll look at it tonight when I get home...

SAFETRON1
17-03-07, 20:09
Are you sure that little program knows via 2.5 and 2.6 ?? :roll: