From bb3baa6ce09442df0421669ccf496e13c2a2cb00 Mon Sep 17 00:00:00 2001 From: Michael Bucari-Tovo Date: Tue, 22 Jun 2021 16:36:23 -0600 Subject: [PATCH] Added explanation of avformat-58 hack. --- AaxDecrypter/AaxToM4bConverter.cs | 74 +++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) diff --git a/AaxDecrypter/AaxToM4bConverter.cs b/AaxDecrypter/AaxToM4bConverter.cs index 3f43b5c1..fca91bad 100644 --- a/AaxDecrypter/AaxToM4bConverter.cs +++ b/AaxDecrypter/AaxToM4bConverter.cs @@ -227,6 +227,80 @@ namespace AaxDecrypter private int ngDecrypt(object tempFileNameObj) { + #region avformat-58.dll HACK EXPLANATION + /* avformat-58.dll HACK EXPLANATION + * + * FFMPEG refused to copy the aac stream from AAXC files with 44kHz sample rates + * with error "Scalable configurations are not allowed in ADTS". The adts encoder + * can be found on github at: + * https://github.com/FFmpeg/FFmpeg/blob/master/libavformat/adtsenc.c + * + * adtsenc detects scalable aac by a flag in the aac metadata and throws an error if + * it is set. It appears that all aaxc files contain aac streams that can be written + * to adts, but either the codec is parsing the header incorrectly or the aaxc + * header is incorrect. + * + * As a workaround, i've modified avformat-58.dll to allow adtsenc to ignore the + * scalable flag and continue. To modify: + * + * Open ffmpeg.exe in x64dbg (https://x64dbg.com) + * + * Navigate to the avformat module and search for the error string "Scalable + * configurations are not allowed in ADTS". (00007FFE16AA5899 in example below). + * + * 00007FFE16AA587B | 4C:8D05 DE5E6900 | lea r8,qword ptr ds:[7FFE1713B760] | 00007FFE1713B760:"960/120 MDCT window is not allowed in ADTS\n" + * 00007FFE16AA5882 | BA 10000000 | mov edx,10 | + * 00007FFE16AA5887 | 4C:89F1 | mov rcx,r14 | + * 00007FFE16AA588A | E8 697A1900 | call | + * 00007FFE16AA588F | B8 B7B1BBBE | mov eax,BEBBB1B7 | + * 00007FFE16AA5894 | E9 D5F8FFFF | jmp avformat-58.7FFE16AA516E | + * 00007FFE16AA5899 | 4C:8D05 F05E6900 | lea r8,qword ptr ds:[7FFE1713B790] | 00007FFE1713B790:"Scalable configurations are not allowed in ADTS\n" + * 00007FFE16AA58A0 | BA 10000000 | mov edx,10 | + * 00007FFE16AA58A5 | 4C:89F1 | mov rcx,r14 | + * 00007FFE16AA58A8 | E8 4B7A1900 | call | + * 00007FFE16AA58AD | B8 B7B1BBBE | mov eax,BEBBB1B7 | + * 00007FFE16AA58B2 | E9 B7F8FFFF | jmp avformat-58.7FFE16AA516E | + * 00007FFE16AA58B7 | 4C:8D05 4A5E6900 | lea r8,qword ptr ds:[7FFE1713B708] | 00007FFE1713B708:"MPEG-4 AOT %d is not allowed in ADTS\n" + * 00007FFE16AA58BE | BA 10000000 | mov edx,10 | + * 00007FFE16AA58C3 | 4C:89F1 | mov rcx,r14 | + * 00007FFE16AA58C6 | E8 2D7A1900 | call | + * 00007FFE16AA58CB | B8 B7B1BBBE | mov eax,BEBBB1B7 | + * 00007FFE16AA58D0 | E9 99F8FFFF | jmp avformat-58.7FFE16AA516E | + * 00007FFE16AA58D5 | 4C:8D05 EC5E6900 | lea r8,qword ptr ds:[7FFE1713B7C8] | 00007FFE1713B7C8:"Extension flag is not allowed in ADTS\n" + * 00007FFE16AA58DC | BA 10000000 | mov edx,10 | + * 00007FFE16AA58E1 | 4C:89F1 | mov rcx,r14 | + * 00007FFE16AA58E4 | E8 0F7A1900 | call | + * 00007FFE16AA58E9 | B8 B7B1BBBE | mov eax,BEBBB1B7 | + * 00007FFE16AA58EE | E9 7BF8FFFF | jmp avformat-58.7FFE16AA516E | + * 00007FFE16AA58F3 | 4C:8D05 365E6900 | lea r8,qword ptr ds:[7FFE1713B730] | 00007FFE1713B730:"Escape sample rate index illegal in ADTS\n" + * 00007FFE16AA58FA | BA 10000000 | mov edx,10 | + * 00007FFE16AA58FF | 4C:89F1 | mov rcx,r14 | + * 00007FFE16AA5902 | E8 F1791900 | call | + * 00007FFE16AA5907 | B8 B7B1BBBE | mov eax,BEBBB1B7 | + * 00007FFE16AA590C | E9 5DF8FFFF | jmp avformat-58.7FFE16AA516E | + * + * Select the instruction that loads the error string's address, and search for all + * references. You should only find one referance, a conditional jump + * (00007FFE16AA513C example below). + * + * 00007FFE16AA511D | 89C2 | mov edx,eax | + * 00007FFE16AA511F | 89C1 | mov ecx,eax | + * 00007FFE16AA5121 | 83C0 01 | add eax,1 | + * 00007FFE16AA5124 | C1EA 03 | shr edx,3 | + * 00007FFE16AA5127 | 83E1 07 | and ecx,7 | + * 00007FFE16AA512A | 41:8B1414 | mov edx,dword ptr ds:[r12+rdx] | + * 00007FFE16AA512E | 0FCA | bswap edx | + * 00007FFE16AA5130 | D3E2 | shl edx,cl | + * 00007FFE16AA5132 | C1EA FF | shr edx,FF | + * 00007FFE16AA5135 | 39F8 | cmp eax,edi | + * 00007FFE16AA5137 | 0F47C7 | cmova eax,edi | + * 00007FFE16AA513A | 85D2 | test edx,edx | + * 00007FFE16AA513C | 0F85 57070000 | jne avformat-58.7FFE16AA5899 | + * + * Edit that jump with six nop instructions and save the patched assembly. + */ + #endregion + var tempFileName = tempFileNameObj as string; string args = "-audible_key "