Your money, your media
A DRMtastic (reverse|re)engineering tutorial
Who dat dude with the mic?
● Hi, I'm Manuel. An academic researcher without academic title.
What's this talk about
Kobo
● Global eBook retailer
● “We believe consumers should be able to read any book, anytime, anywhere, and on the device of their choice”
● “We believe open standards for eBooks are best for consumers, publishers, retailers and hardware manufacturers. Closed systems stifle innovation and growth. Kobo proudly supports EPUB and encourages our users to read a Kobo-purchased eBook on their smartphone, Sony Reader, laptop, or whichever device they choose.”
No problem, then!
fbreader
I AM DISAPPOINT
trollface.jpg
● I BUY books. I don't “lend them under certain terms”.
● $10 for a digital copy, and you restrict how I use it?
NOTICE
● I ONLY WANTED TO ACHIEVE INTEROPERABILITY WITH OTHER PROGRAMS
● THAT ARE NOT COMPETING WITH THE KOBO READER
● KOBOPIER ONLY REPRODUCES THE DECRYPTION INTERFACE
● DON'T PIRATE XOR DON'T GET CAUGHT
Whoo, look at my ePeni...nsula!
Android reversing
● Dalvik
● Smali
● Can haz apktool?
smali example code
Workflow example
● adb pull /data/app/com.MyLittlePony.apk /tmp/
● java -jar baksmali.jar -o /tmp/pony MyLittlePony.apk
● OR apktool d MyLittlePony.apk /tmp/pony
● vim /tmp/pony/smali/com/mylilpony/Main.smali
MOAR DATA
● adb pull /data/data/com.kobobooks.android/ kobothings
OMG Obfuscation
Your reaction: Anger
Your reaction: Resignation
Your reaction: The Right One
Java/smali is hard to obfuscate
● MADE to be readable
● invoke-static {p0, v1, v0}, Lcom/kobobooks/android/f/i;->a([BLjavax/crypto/Cipher;Ljavax/crypto/SecretKey;)[B
The search begins
grep -Ri javax.crypto...?
...Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
...so I'm searching for “AES”.
Bingo!...FAIL.
● Found a decryption!
● sqlite3 <kobo datadir>/databases/Kobo
● '.tables' + '.headers on'
● ParentContentID|...|DecryptKey|...
BUT I WANNA!!!!! ;_;
Moar reversing
● Who's calling my decryption?
● What other methods is it calling?
● Learn to read smali. It's a somewhat neat language.
● What data is it using?
● ...remote Dalvik debugging?
apktool
● Disassemble
● Modify (theme, patch, break...)
● Build (apktool b...)
● Sign (jarsigner)
● adb install hax.apk
● Uninstall the old version first
Bingo!...FAIL...ish.
On the right track!
● Then: “Is it possible?”
● Now: “How to make it practical?”
● More patching: Dumping all parts of the key
● Caller of the decryption method creates the key
● Three strings as input
● Does some weirdass stuff, more on that later
Key parts
/OzEca8ESalQNvd/xknj8g==
ee13373-bb8a-5a09-ccdd-af9c4fbgf844
503668452247539
May the logs be with you.
Hashing IDs && Base64 decode
● H(DeviceID || UserID).substring(16);
● Algorithms (hardcoded arrays/tables) look intimidating in smali
● Public Domain Base64.java :)
Part Three: WTF Crypto?
Part Three: WTF Crypto
Hardcoded Strings, again!
Part Three: WTF Crypto
● Rijndael
● BouncyCastle AND own implementation
● I'm here to break, not question it.
● encrypt() and decrypt() have the same signature...
Putting the parts together
● Read chapter (cp /sdcard/Kobo/epubs ...)
● H(DeviceID || UserID)
● base64_decode(DecryptKey)
● D(encoded_decryptkey, hash_part)
● Clever (and common) from a DRM perspective
● D(chapter, decrypted_key)
BINGO!
Result: Kobopier
* Kobopier - a Kobo Android ePub DRM stripper
*
* You can reach the author at [email protected].
* New versions of Kobopier will be made available at http://sporkbomb.eu/kobopier/.
*
* Important note: Kobopier is not made for piracy. It does not break any encryption,
* it simply replicates a few steps the original Android Kobo reader does.
* Please read the license below. Also, consider that it is YOUR responsibility to deal
* with any legal issues that arise from YOU using this tool.
* If you buy one copy of an ebook, decrypt it with this tool and then give it away,
* that's fine with me - but you alone are responsible if Kobo sues you.
*
* Copyright (C) 2011 sporkbomb
http://sporkbomb.eu/kobopier/
@__sporkbomb
● Questions?
● Complaints?
● Compliments?
● Suggestions?