Your money, your media a DRMtastic (reverse|re) eng. tutorial

Published on: BSidesLondon, 20th April 2011 - Manuel

This talk will show you the basics of reverse engineering Android apps with the ultimate goal of re-implementing the decryption routines of the Kobo Android reader to achieve interoperability of other software with that closed interface.

For more about Manuel: http://sporkbomb.eu. Kobopier: http://sporkbomb.eu/kobopier/

1. Your money, your media: a DRMtastic (reverse|re)engineering tutorial

2. Who dat dude with the mic?
   ● Hi, I'm Manuel. An academic researcher without academic title.

3. What's this talk about?

4. Kobo
   ● Global eBook retailer
   ● “We believe consumers should be able to read any book, anytime, anywhere, and on the device of their choice”
   ● “We believe open standards for eBooks are best for consumers, publishers, retailers and hardware manufacturers. Closed systems stifle innovation and growth. Kobo proudly supports EPUB and encourages our users to read a Kobo-purchased eBook on their smartphone, Sony Reader, laptop, or whichever device they choose.”

5. No problem, then!

6. fbreader

7. I AM DISAPPOINT

8. trollface.jpg

9. ● I BUY books. I don't “lend them under certain terms”.
   ● $10 for a digital copy, and you restrict how I use it?

10. NOTICE
   ● I ONLY WANTED TO ACHIEVE INTEROPERABILITY WITH OTHER PROGRAMS
     ● THAT ARE NOT COMPETING WITH THE KOBO READER
   ● KOBOPIER ONLY REPRODUCES THE DECRYPTION INTERFACE
   ● DON'T PIRATE XOR DON'T GET CAUGHT

11. Whoo, look at my ePenis!

12. Android reversing
   ● Dalvik
   ● Smali
     ● Can haz apktool?
13. smali example code (shown on the slide)

14. Workflow example
   ● adb pull /data/app/com.MyLittlePony.apk /tmp/
   ● java -jar baksmali.jar -o /tmp/pony /tmp/com.MyLittlePony.apk
   ● OR apktool d /tmp/com.MyLittlePony.apk /tmp/pony
   ● vim /tmp/pony/smali/com/mylilpony/Main.smali

15. MOAR DATA
   ● adb pull /data/data/com.kobobooks.android/ kobothings
     (this is the app's private data directory; pulling it over adb needs a rooted device)
16. OMG Obfuscation

17. OMG Obfuscation

18. Your reaction: Anger

19. Your reaction: Resignation

20. Your reaction: The Right One

21. Java/smali is hard to obfuscate
   ● MADE to be readable
   ● invoke-static {p0, v1, v0}, Lcom/kobobooks/android/f/i;->a([BLjavax/crypto/Cipher;Ljavax/crypto/SecretKey;)[B
     The obfuscator shortened the app's own class and method names (f/i, a), but it cannot rename framework types, so the parameter descriptors still spell out Cipher and SecretKey. That is what you grep for.
22. The search begins
   grep -Ri javax.crypto ...?
   ...Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>...
   (the EncryptionMethod the ePub declares for its files in META-INF/encryption.xml)
   ...so I'm searching for “AES”.

23. Bingo!...FAIL.
   ● Found a decryption!
   ● sqlite3 <kobo datadir>/databases/Kobo
   ● .tables + .headers on
   ● ParentContentID|...|DecryptKey|...
   (the value stored in DecryptKey is not the content key itself; see slide 34)
24. BUT I WANNA!!!!! ;_;

25. Moar reversing
   ● Who's calling my decryption?
   ● What other methods is it calling?
     ● Learn to read smali. It's a somewhat neat language.
   ● What data is it using?
     ● ...remote Dalvik debugging?
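As an added example for the static part of slides 14, 21, 22 and 25 (this is not code from the talk or from Kobopier): a POSIX shell helper that, run over an apktool/baksmali output tree, lists the .smali files touching the JCE or BouncyCastle and then answers "who's calling my decryption?" by walking each .method/.end method block for an invoke of the target descriptor. The three-file smali tree it builds is constructed for this example using the obfuscated names quoted on slide 21; `crypto_refs`, `callers` and `make_sample_tree` are names chosen here.

```sh
#!/bin/sh
# Added example, not from the talk: static triage of an apktool/baksmali tree.
# crypto_refs = the slide-22 grep, callers = slide 25's "who's calling my
# decryption?". The sample tree below is constructed, not pulled from the app.
set -eu

# Files that reference the JCE or BouncyCastle anywhere. Method signatures
# count too, which is exactly why a renaming obfuscator cannot hide them.
crypto_refs() {                       # $1 = smali root
    grep -rlE 'Ljavax/crypto/|Lorg/bouncycastle/' "$1"
}

# Print "file: .method ..." for every method whose body invokes the target.
# $2 is a descriptor prefix such as 'Lcom/kobobooks/android/f/i;->a(' so that
# overloads of a one-letter obfuscated name can be told apart by their
# parameter list when needed.
callers() {                           # $1 = smali root, $2 = target prefix
    find "$1" -name '*.smali' | sort | while read -r f; do
        awk -v target="$2" -v file="$f" '
            /^\.method /              { cur = $0; seen = 0 }
            /^\.end method/           { cur = "" }
            /^[[:space:]]*invoke-/ && cur != "" && !seen && index($0, target) {
                print file ": " cur; seen = 1
            }' "$f"
    done
}

# Constructed three-file tree standing in for "apktool d" output.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/com/kobobooks/android/f"
    cat > "$root/com/kobobooks/android/f/i.smali" <<'EOF'
.class public final Lcom/kobobooks/android/f/i;
.super Ljava/lang/Object;

.method public static a([BLjavax/crypto/Cipher;Ljavax/crypto/SecretKey;)[B
    .locals 1
    invoke-virtual {p1, p0}, Ljavax/crypto/Cipher;->doFinal([B)[B
    move-result-object v0
    return-object v0
.end method
EOF
    cat > "$root/com/kobobooks/android/f/j.smali" <<'EOF'
.class public final Lcom/kobobooks/android/f/j;
.super Ljava/lang/Object;

.method private b(Ljava/lang/String;)[B
    .locals 2
    invoke-static {p0, v1, v0}, Lcom/kobobooks/android/f/i;->a([BLjavax/crypto/Cipher;Ljavax/crypto/SecretKey;)[B
    move-result-object v0
    return-object v0
.end method

.method private c()V
    .locals 0
    return-void
.end method
EOF
    cat > "$root/com/kobobooks/android/Main.smali" <<'EOF'
.class public Lcom/kobobooks/android/Main;
.super Landroid/app/Activity;

.method public onCreate(Landroid/os/Bundle;)V
    .locals 0
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    return-void
.end method
EOF
    printf '%s\n' "$root"
}

# Against a real tree: callers /tmp/pony 'Lcom/kobobooks/android/f/i;->a('
```

Run `callers` again with the descriptor of each hit it reports to walk up the call chain; the first method that builds the SecretKey from strings rather than receiving it is the one worth patching for a log dump.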
26. apktool
   ● Disassemble
   ● Modify (theme, patch, break...)
   ● Build (apktool b ...)
   ● Sign (jarsigner)
   ● adb install hax.apk
     ● Uninstall the old version first (the rebuilt APK carries your signature, not Kobo's, so Android refuses to install it as an update over the original)

27. Bingo!...FAIL...ish.

28. On the right track!
   ● Then: “Is it possible?”
   ● Now: “How to make it practical?”
   ● More patching: Dumping all parts of the key
     ● Caller of the decryption method creates the key
     ● Three strings as input
     ● Does some weirdass stuff, more on that later

29. Key parts (the three inputs as logged by the patched app, run together here)
   /OzEca8ESalQNvd/xknj8g==ee13373-bb8a-5a09-ccdd-af9c4fbgf844503668452247539
   May the logs be with you.

30. Hashing IDs && Base64 decode
   ● H(DeviceID || UserID).substring(15);
   ● Algorithms (hardcoded arrays/tables) look intimidating in smali
     (the hash and Base64 lookup tables are the standard constants; recognise them instead of reading them back)
   ● Public Domain Base64.java :)
31. Part Three: WTF Crypto?

32. Part Three: WTF Crypto
   Hardcoded Strings, again!

33. Part Three: WTF Crypto
   ● Rijndael
   ● BouncyCastle AND own implementation
     ● I'm here to break, not question it.
   ● encrypt() and decrypt() have the same signature...

34. Putting the parts together
   ● Read chapter (cp /sdcard/Kobo/epubs ...)
   ● H(DeviceID || UserID)
   ● base64_decode(DecryptKey)
   ● D(encoded_decryptkey, hash_part)
     ● Clever (and common) from a DRM perspective: the per-book key in the database is itself encrypted under a key derived from IDs that identify this device and user, so the database alone is not enough
   ● D(chapter, decrypted_key)
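The slide-34 chain as an added POSIX shell illustration (not Kobopier's code, and not a reproduction of Kobo's real formats). Everything concrete in it is an assumption standing in for what the talk leaves open: H is taken as SHA-256 of DeviceID || UserID with the first 32 hex characters used as an AES-128 key (the talk only says H(...).substring(15)); D is AES-128-CBC, the algorithm the encryption.xml on slide 22 names, with a random IV stored in front of the base64 ciphertext as "<iv hex>:<base64>"; the IDs and chapter text are constructed sample values. The function names `hash_part`, `seal`, `unseal`, `wrap_book_key`, `decrypt_chapter` and `demo` are chosen here. It needs the openssl command line.

```sh
#!/bin/sh
# Added illustration of the slide-34 key chain, not Kobopier's code.
# ASSUMPTIONS (the talk does not state these):
#   H = SHA-256(DeviceID || UserID), first 32 hex chars = AES-128 key
#   D = AES-128-CBC (mode named in the ePub encryption.xml on slide 22),
#       IV stored as "<iv hex>:<base64 ciphertext>"
#   DeviceID, UserID, chapter text = constructed sample values
set -eu

# H(DeviceID || UserID): the "hash part". Both IDs live on the same device as
# the database, so this binds the key to a device without hiding anything
# from whoever holds that device.
hash_part() {                     # $1 = DeviceID, $2 = UserID
    printf '%s%s' "$1" "$2" | openssl dgst -sha256 | sed 's/.*= *//' | cut -c1-32
}

# Encrypt stdin under a hex key, emitting "<iv>:<base64>".
seal() {                          # $1 = hex key
    iv=$(openssl rand -hex 16)
    printf '%s:' "$iv"
    openssl enc -e -aes-128-cbc -K "$1" -iv "$iv" -a -A
}

# D(blob, key): inverse of seal; exits non-zero on a padding failure.
unseal() {                        # $1 = "<iv>:<base64>", $2 = hex key
    iv=${1%%:*}
    printf '%s' "${1#*:}" | openssl enc -d -aes-128-cbc -K "$2" -iv "$iv" -a -A
}

# Store side: what would land in the DecryptKey column for one book.
wrap_book_key() {                 # $1 = hex book key, $2 = hash part
    printf '%s' "$1" | seal "$2"
}

# Reader side, slide 34 in order: hash the IDs, unwrap the stored key with
# the hash part, then decrypt the chapter with the unwrapped key.
decrypt_chapter() {               # $1 = DeviceID, $2 = UserID, $3 = DecryptKey blob, $4 = chapter blob
    h=$(hash_part "$1" "$2")
    book_key=$(unseal "$3" "$h")
    unseal "$4" "$book_key"
}

# Round trip on constructed data; returns the recovered chapter text.
demo() {
    device_id="device-0000-demo"
    user_id="user-0000-demo"
    book_key=$(openssl rand -hex 16)                         # per-book key
    stored_key=$(wrap_book_key "$book_key" "$(hash_part "$device_id" "$user_id")")
    chapter=$(printf 'Chapter 1: constructed sample text' | seal "$book_key")
    decrypt_chapter "$device_id" "$user_id" "$stored_key" "$chapter"
}
```

Feed `decrypt_chapter` a different DeviceID with the same blobs and the unwrap produces garbage or a padding error, which is the whole "device-bound" property. It is an obstacle rather than a secret: the IDs that form the hash part are read from the same phone that holds the database, which is why a patched build that logs the three inputs (slide 28) is enough to reproduce the chain elsewhere.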
35. BINGO!

36. Result: Kobopier
   http://sporkbomb.eu/kobopier/

   * Kobopier - a Kobo Android ePub DRM stripper
   *
   * You can reach the author at kobopier@acanthephyra.net.
   * New versions of Kobopier will be made available at http://sporkbomb.eu/kobopier/.
   *
   * Important note: Kobopier is not made for piracy. It does not break any encryption,
   * it simply replicates a few steps the original Android Kobo reader does.
   * Please read the license below. Also, consider that it is YOUR responsibility to deal
   * with any legal issues that arise from YOU using this tool.
   * If you buy one copy of an ebook, decrypt it with this tool and then give it away,
   * that's fine with me - but you alone are responsible if Kobo sues you.
   *
   * Copyright (C) 2011 sporkbomb

37. ● Questions?
   ● Complaints?
   ● Compliments?
   ● Suggestions?
   @__sporkbomb
