Crypt8 Searching

The crypt8 is just duplicate packets in the stream or packets that are the same and reoccur in the stream. The rainbow table method is based on an assumption. This assumption is that there will be packets consisting entirely of filling bytes to pad the video or audio streams to a certain bitrate. So searching for the crypt8 is merely a matter of looking for duplicate packets that are repeated in the stream from time to time. As others have already said, you don't need a GPU to do this.

Now for the bad news. The assumption that this whole method is based on does not have to be true and in some transport streams it isn't true. If the video encoders are configured in a certain way and the intended authorized receivers don't have to have fixed bitrate streams, the uplinker doesn't have to include these packets filled with filling bytes to pad the stream and if they are aware of this attack vector and care about it, they probably won't. They'll use variable bitrate video in the program stream and leave the null packets used to pad the transport stream unencrypted. If they do this, the rainbow table is useless because they will either be no crypt8 to find or the ones you do find will not really be a crypt8 but will only be a coincidence instead. In that case only a true brute force method will be able to find the control word and for that you need some pretty serious hardware and about 24 to 48 hours.

dvlajkovic said:

There is no home computer that can BF the CW while the sat-feeds are up, so forget CW FINDER for the feeds.

Click to expand...

And what do you suggest to users of this forum if we have only fake C8 after multiple recording? or do not have any C8 at all...
may be again back to cw finder ?

Take notes of where the feed goes.. i.e. if it's a regular one, note down which sat's and frequncies feed uses, how often, and what time the uplink starts..
Next time, try catching it as soon as it is available.. DSNG crews do not take ad-hoc approach to an event that is planned weeks, or even months ahead..
So, find the dates, mark the official time of K.O. and soon enough you'll be prepared.. With time and practice, you'll learn many habits of DSNG crews for each event..
As an example, turkish sport events do have C8, but that is only during first 10-15 min of uplinked feed..
After that, there is no c8, or just a few that look like them, but ain't the ones.. People wrongly refer to them as 'fake'. There are no fake c8, as the system is not made to fool piracy - it's just that caught bytes are not the right ones.
If you're not there to record feed when the uplink started, you can forget turkish sport sat-feed.
As simple as that.
And one more thing.. save much longer log files, often this is the only way to grab correct c8. The popular tool is limited to 4GB, so pay attention to that.
It does not have to be on VPID.. it can be on any PID.

There are no fake c8, as the system is not made to fool piracy - it's just that caught bytes are not the right ones.

Click to expand...

This is true. It's just coincidence. However, there are ways they can thwart the rainbow table attack and I do believe that some feeds are using techniques to do just that. For example you mention catching the feed earlier when it first comes up when they will usually just have a test pattern or blank screen as video. However, what they can do is leave the feed unecrypted at that point and turn on encryption at a later time when there will be no stuffed packets in the stream. Also since it is possible to sometimes find a crypt8 in the audio stream, they can simply leave the audio stream unencrypted. So, there are definitely ways they can defeat this attack vector and it doesn't require much effort on their part. In the western hemisphere there are feeds that seem to be using these methods. So, clearly they are very much aware of this and are taking measure to thwart it. Of course there are also biss feeds where the uplinker doesn't seem to care too much and a crypt8 is easy to find and sometimes when you find the CW, it's a pretty obvious CW, that you could almost have guessed.

@Stefan2k16 please note that my next comment is not personal to you. I know you are doing what many do here. But I will use your comment as an example. Please forgive me.

As a few of the previous post state: users knows provider read this and many threads. He know provider are aware of details of hack attacks. users know providers are actively seeking contra attack measurements.

Still in the open the user give Ideas to the provider of how to improve his contra attack to the hack! I just do not understand the point vs the risk.

To all I strongly suggest we do not do this as we are on the side of the hack. It make it safer for all. Please see that this is my personal opinion and has nothing to do with SU forum rules.

Regards the latest discussion point. RBT vs cwfinder vs who knows. What is better, what is fastest. It does not matters. They are all tools for you to use. One works for one condition others do better job under other circumstances. Just imagine a Soldier. He has his main weapon The Rifle. But he has a knives, hand gun, grenade, grenade launcher. He only has to use best tool he has for the next encounter type.

Hallo,

i have CSA RTT V 1.23 with 3 tables:
B8hx03000h, B8hx00h and B8hxFFh (full/merge from Colibry site)

I search Crypt8 in TS

Search Crypt8 in TS Start
TS file: E:\TSRecords\FTS-EIB_VS_ATH_D50_11439_H_15000_20170424_1913_VPID-101.ts
Using PID: 101
Using file limit: 4096 MByte
File length: 3315 MByte
UsingFileLen: 3476543000 bytes
Reading file ...
Searching ...
Using payload size: 184
PID: 65h B8h-Crypt83 DD B2 61 04 F6 A9 32 [E] Count:1594
PID: 65h B8h-Crypt8:F5 FE 8F 67 92 59 AB 8E [E] Count:1594
PID: 65h B8h-Crypt8:00 B4 CD 0A 90 C2 C2 0A [E] Count:736
PID: 65h B8h-Crypt8:00 F7 1C 1F B4 6E 6E C5 [E] Count:736
PID: 65h B8h-Crypt8:01 BB 37 01 02 F6 10 85 [E] Count:736
PID: 65h B8h-Crypt8:01 D3 7A 30 42 FF C2 5E [E] Count:736
PID: 65h B8h-Crypt8:06 FF 63 DC FC 23 FA F0 [E] Count:736
PID: 65h B8h-Crypt8:07 81 B0 F5 EB 69 CF 09 [E] Count:736
...

Time for searching Crypt8 = 0 sec.

But my problem is with indetify right Crypt8 for Search CW. WHICH Crypt8 is right and WHY please?

I use for search CW B8hx3000h table.....

PetoBB said:

Hallo,

i have CSA RTT V 1.23 with 3 tables:
B8hx03000h, B8hx00h and B8hxFFh (full/merge from Colibry site)

I search Crypt8 in TS

Search Crypt8 in TS Start
TS file: E:\TSRecords\FTS-EIB_VS_ATH_D50_11439_H_15000_20170424_1913_VPID-101.ts
Using PID: 101
Using file limit: 4096 MByte
File length: 3315 MByte
UsingFileLen: 3476543000 bytes
Reading file ...
Searching ...
Using payload size: 184
PID: 65h B8h-Crypt83 DD B2 61 04 F6 A9 32 [E] Count:1594
PID: 65h B8h-Crypt8:F5 FE 8F 67 92 59 AB 8E [E] Count:1594
PID: 65h B8h-Crypt8:00 B4 CD 0A 90 C2 C2 0A [E] Count:736
PID: 65h B8h-Crypt8:00 F7 1C 1F B4 6E 6E C5 [E] Count:736
PID: 65h B8h-Crypt8:01 BB 37 01 02 F6 10 85 [E] Count:736
PID: 65h B8h-Crypt8:01 D3 7A 30 42 FF C2 5E [E] Count:736
PID: 65h B8h-Crypt8:06 FF 63 DC FC 23 FA F0 [E] Count:736
PID: 65h B8h-Crypt8:07 81 B0 F5 EB 69 CF 09 [E] Count:736
...

Time for searching Crypt8 = 0 sec.

But my problem is with indetify right Crypt8 for Search CW. WHICH Crypt8 is right and WHY please?

I use for search CW B8hx3000h table.....

Click to expand...

Using payload size 8 control please

@ViaHussun

Please explain me "payload size 8 control".
What advantage it has to be 9 or anything else?
Thanks in advance.

ViaHussun said:

Using payload size 8 control please

Click to expand...

Hm.. make no sense since RBT are made over payload of 184
I do think it might be in some rare cases where you want to be able to look for 188

From V1
WARNING: The payload size 8 isn't 184. The crypt8 can't be used to calculate the CW with this tool

In V2 you are not able to set the Payload length

So what does Search Crypt8 do?
It does look for repeated equal 184 bytes og encrypted payload
This will happens if eg the stuffing bytes all are FF or 00
OR if a still image are send like black or colorbars or something total different but same images encoded over and over.

The RBT will only works for Crypt where you have a table which does fit like for FF or 00 and a payload length of 184

You can't know for sure what clean data makes the repeated pattern since it's encoded

dale_para_bajo said:

@ViaHussun

Please explain me "payload size 8 control".
What advantage it has to be 9 or anything else?
Thanks in advance.

Click to expand...

You must download all 08 tables from colibri web site and merge. So you will have 6 tables: 3 B8HX and 3 08HX. Then in CSA RBT try to select one of 08 tables and payoload of 8 and search for Crypt8.

K2TSET said:

Hm.. make no sense since RBT are made over payload of 184
I do think it might be in some rare cases where you want to be able to look for 188

From V1
WARNING: The payload size 8 isn't 184. The crypt8 can't be used to calculate the CW with this tool

In V2 you are not able to set the Payload length

So what does Search Crypt8 do?
It does look for repeated equal 184 bytes og encrypted payload
This will happens if eg the stuffing bytes all are FF or 00
OR if a still image are send like black or colorbars or something total different but same images encoded over and over.

The RBT will only works for Crypt where you have a table which does fit like for FF or 00 and a payload length of 184

You can't know for sure what clean data makes the repeated pattern since it's encoded

Click to expand...

http://colibri.bplaced.net/csa_rainbow_table.htm

ViaHussun said:

Click to expand...

Motogato said:

Click to expand...

That's great!
So you aren't gonna lose a single c8 success nor in 08xxx table :thum:

HEHEHEHE Still many thing I do not understand.

You show a Picture of V1.23? And you show use of *
But there are ONLY tables of B8 & 08 in V1.

But more important, do you understand the logic in the creation of the 08hx00 and 08hxFF?

Is that crypt8 the 1rst 8 or the last 8 bytes. I guess I can just run a test and check what show up vs what is in the TS file.

dvlajkovic said:

Take notes of where the feed goes.. i.e. if it's a regular one, note down which sat's and frequncies feed uses, how often, and what time the uplink starts..
Next time, try catching it as soon as it is available.. DSNG crews do not take ad-hoc approach to an event that is planned weeks, or even months ahead..
So, find the dates, mark the official time of K.O. and soon enough you'll be prepared.. With time and practice, you'll learn many habits of DSNG crews for each event..
As an example, turkish sport events do have C8, but that is only during first 10-15 min of uplinked feed..
After that, there is no c8, or just a few that look like them, but ain't the ones.. People wrongly refer to them as 'fake'. There are no fake c8, as the system is not made to fool piracy - it's just that caught bytes are not the right ones.
If you're not there to record feed when the uplink started, you can forget turkish sport sat-feed.
As simple as that.
And one more thing.. save much longer log files, often this is the only way to grab correct c8. The popular tool is limited to 4GB, so pay attention to that.
It does not have to be on VPID.. it can be on any PID.

Click to expand...

If you know so much, then you would understand now about what satellite and about what transponder - ok? I in the years on many satellites have found such FEEDs that the key can only be written or if the brodkaster has given you, or CWattaklist...
I agree that it is necessary long record of a stream for good result and what it is necessary to look for not only VIDEO PID but what you would recommend to our forum about that CSA V1 to read more than 4 GB?

srijan20 said:

Pls Tell Me where I can Get the Correct .DLL ?

Click to expand...

You need download vcredist_x86.exe and install the Package.