====== WindowsDLLs ======
----
+ Checkout(file)
- Checkin(file)
-----------------------------------------------
NetMD.dll COM (AVLib) c++ code
-----------------------------------------------
| |
| v (This is equivalent functionality to libnetmd)
| ----------------------------------
| NetMDAPI.dll / NetMDUSB.sys c++ code
| -----------------------------------
+ IOmgNetMD::AttemptCheckout, CompleteCheckout...
|
---------------------------------------------- COM
OmgNetMD.dll c++ code
-----------------------------------------------
|
| salExec0 (a procedure in netmd.ocm would implement the first step in checkout...)
|---------------------------------------------------------- netmd.ocm (encrypted bytecode and c code)
|
---------------------------------------------- DLL
salwrap.dll c++ code
--------------------------------
Application VM
-------------------------------- <--------------- init.ocm (interpreter, and runtime c libraries)
----------------------------------------------
=== Virtual Machine overview ===
----------------------------------
OpenMG Module
----------------------------------
|
----------------------------------
ocm_module_proc_X()
----------------------------------
|
salExec0
...............................................................
Secure Application Loader
...............................................................
|
----------------------------------
Secure Application
----------------------------------
^
|
v
---------------------------------- Virtual ISA + Virtual ABI (library calls.)
virtual machine
---------------------------------- ISA
salwrap (host)
---------------------------------- ISA + ABI
Windows
---------------------------------- ISA
Hardware
----------------------------------
* ISA: Instruction Set Architecture.
* Virtual ISA: bytecode architecture.
* ABI: Application Binary Interface, the interface to OS system calls.
* Virtual ABI: library calls to runtime libraries.
=== C++ interface to the virtual machine (application loader) ===
#include <string>
#include <vector>
using namespace std;
class SalBytecode
{
SalBytecode(unsigned int);
clear();
dataType();
SalBytecode & operator=(class SalBytecode const &);
~SalBytecode();
// Input stream operators
operator<<(SalBytecode &, long &);
operator<<(SalBytecode &, SalPointer const &);
operator<<(SalBytecode &, SalNonConstPointer const &);
operator<<(SalBytecode &, OmgString const &);
operator<<(SalBytecode &, SalString const &);
operator<<(SalBytecode &, SalFileContent const &);
operator<<(SalBytecode &, SalExtrinsicsProg const &);
operator<<(SalBytecode &, SalLoadableModule const &);
operator<<(SalBytecode &, std::vector &);
operator<<(SalBytecode &, SalOmgId const &);
operator<<(SalBytecode &, OmgMmap const &);
operator<<(SalBytecode &, SalKey const &);
// Output stream operators
operator>>(SalBytecode &, std::string &);
operator>>(SalBytecode &, std::vector &);
operator>>(SalBytecode &, SalAsnSeqBegin);
operator>>(SalBytecode &, SalAsnSeqEnd &);
operator>>(SalBytecode &, SalNonConstPointer &);
operator>>(SalBytecode &, OmgString &);
private:
SalBytecode::SalByteCode_impl_constr(var_size_512);
// 10 vars
// var 0
uchar *StreamBuf; // var 1
int StreamPos; // var 2
long int lenStreamBuf; // var 3h
int inArgSize; // var10: 512
};
void salExec0(SalBytecode& input, SalBytecode& output, int, int, int);
===== OpenMG Secure Module - Implementation Architecture =====
* Reference:
Sony patent EP1 496 439 A1. Fig. 6 there is a diagram illustrating the functional structure of the client.
Note: the patent says the following about the diagram:
Security Module:
[0047] A security module 53 performs processing relating
to data security, such as encryption of the modules.
A request for the security-related processing generated
in the modules is sent to the security module 53,
and the security module 53 performs encryption or the like
in response to the request.
DRM Module:
[0043] Fig. 6 shows an example of the functional
structure of the client 1. A DRM (Digital Right Management)
module 51 communicates the content, right data,
etc., or manages the right data.
Comparison with the implementation:
The playback, write, read and LCM modules all communicate directly with the DRM module or the security module. These modules would be OmgNetMD.dll, MemStick.dll, omgconv2.dll etc.; they have connectors to pfcom/salwrap using DLL linkage.
Modules in the plug-in layer at the top communicate with these "content-using" modules. In the implementation
they never communicate directly with salwrap/pfcom. Plug-in modules use these modules through COM.
There are exceptions, though: a couple of functions in pfcom can be used through COM. It is also possible to use SAL (salExec0) through COM (omgmisc.dll has a DLL link to salExec0 in salwrap.dll).
.................................................................................................... + UI
SonicStage omgjukebox.exe
....................................................................................................
^ ^
| |
| COM | COM
v v
.................................................................................................... Plug-in layer (AVLib)
+ CheckOut +Playback + PlayBack
+ CheckIn +Convert + Convert
--------------------- ------------------------ ------------------------
| NetMD.dll | | OpcOmg.dll | | OpcWMA.dll |
--------------------- ------------------------ ------------------------
---------------------
NetMDAPI.dll
---------------------
---------------------
NetMDUSB.dll
---------------------
.................................................................................................... OpenMG
^
| COM
DLL v DLL
----------------------- ----------------------- --------------------------------------------
pfcom.dll | <-> OmgNetMD.dll <-> | salwrap.dll
| ----------------------- |
| ----------------------- | - EkbCapabilityTable
createInstanceForMp3 | <-> omgconv2.dll <-> | - OmgEkb
| ----------------------- |
| ----------------------- | - salExec0
| <-> MemStick.dll <-> | ----------------------
| ----------------------- | SAL VM
| | ----------------------
----------------------- --------------------------------------------
^
|
v
+++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
License repository/Management Area song file storage section icv.dat
maclist1.dat, maclist2.dat
[License information] [header | music data ] ekb\version.ekb
OMGKEY\salomgid.dat
\procfile\ \Sonicstage OMGRIGHT\.icv
+++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++
.................................................................................................... Secure Applications
------------------ ----------------- ------------------- ------------------ ------------------
device.sal init.ocm netmd.ocm icv.ocm maclist.ocm ...
------------------ ----------------- ------------------- ------------------ ------------------
-------------------
SAL Runtime
-------------------
....................................................................................................
===== The ocm-files =====
OCM interpreter:
* [[http://users.physik.fu-berlin.de/~glaubitz/linux-minidisc/ocm.tgz]]
* [[http://users.physik.fu-berlin.de/~glaubitz/linux-minidisc/dis-09-02-01.rar]] - latest version as of May 2nd, 2009
OCM handling code is stored in a private git repository (run using [[http://eagain.net/gitweb/?p=gitosis.git|gitosis]]). Access is only possible over ssh with public key authentication. To get access, you need to have your ssh public key (either a role-specific one or your standard personal key, it doesn't matter) added to the list of authorized keys; just ask in the IRC channel. Once your key has been added, and if you use a role-specific key, add something like this to your .ssh/config:
Host z6.physik.fu-berlin.de
Hostname z6.physik.fu-berlin.de
IdentityFile ~/.ssh/id-rsa-minidisc
After that, you can clone the repo by using:
git clone gitosis@z6.physik.fu-berlin.de:/ocm
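The following is an added example, not part of the original page: a small shell helper that writes the role-specific key configuration as a Host-scoped stanza and checks an existing config for it. The host, the gitosis user and the key file name come from the page; the function names, the config location and the ''IdentitiesOnly'' setting are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original page. Host, user and key file name
# come from the page; the directory layout is an assumption.
MD_HOST="z6.physik.fu-berlin.de"
MD_KEY_NAME="id-rsa-minidisc"

# Emit a Host-scoped stanza. Without a "Host" line the options would apply
# to every connection; IdentitiesOnly keeps ssh from offering other agent
# keys before the role-specific one.
md_stanza() {
    printf 'Host %s\n' "$MD_HOST"
    printf '    HostName %s\n' "$MD_HOST"
    printf '    User gitosis\n'
    printf '    IdentityFile %s/%s\n' "$1" "$MD_KEY_NAME"
    printf '    IdentitiesOnly yes\n'
}

# Succeed if the config file already has a Host entry naming MD_HOST.
md_has_host() {
    awk -v host="$MD_HOST" '
        tolower($1) == "host" { for (i = 2; i <= NF; i++) if ($i == host) found = 1 }
        END { exit !found }' "$1"
}

# Append the stanza once; $1 = config file, $2 = directory holding the key.
md_install_stanza() {
    mkdir -p "$(dirname "$1")"
    touch "$1"
    chmod 600 "$1"
    md_has_host "$1" || md_stanza "$2" >> "$1"
}

# Succeed only if the Host block for MD_HOST sets both IdentityFile and
# IdentitiesOnly yes.
md_check_stanza() {
    awk -v host="$MD_HOST" '
        tolower($1) == "host" {
            inblk = 0
            for (i = 2; i <= NF; i++) if ($i == host) inblk = 1
            next
        }
        inblk && tolower($1) == "identityfile" { idf = 1 }
        inblk && tolower($1) == "identitiesonly" && tolower($2) == "yes" { ido = 1 }
        END { exit !(idf && ido) }' "$1"
}
```

Calling ''md_install_stanza ~/.ssh/config ~/.ssh'' appends the stanza only if no Host entry for the server exists yet; ''md_check_stanza ~/.ssh/config'' reports whether an existing entry is scoped to the host and pinned to one key.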
The OCM files (except for init.ocm, which contains an extra layer of packing) are interpreted as [[OCMBytecode]].
Here is a decoder for native code blocks from OCM files. It is strictly works-for-me quality, having at least the following issues:
* It does not name imports from salwrap; it just puts offsets into the import table into a generic name. See [[OCMSalwrapExports]] for some of the names.
* It is unable to parse named exports.
* It only supports the relocation types (mostly direct imports of compiler helper functions) I needed.
The output of the program is an assembler source file (completely unreadable) that is intended to be assembled by the GNU assembler (Win32 port or a cross-assembler on Linux) and then loaded into a good disassembler, such as IDA 4.9 Freeware.
[[codeblockparser]] (the format of the codeblocks is in [[codeblockformat]])
Some information about analysing an OCM file can be found in this part of a chat log:
[[ocmchatlog1]]
These pages show the internals of some modules (internal access only):
* Netmd.ocm: [[netmdocm]]
* Device.sal: [[devicesal]]
* Trkinf: [[trkinfocm]]
===== Links =====
* [[http://newgre.net/antire]] - Anti-Reverse Engineering Techniques in DRM Code