Your money, your media a DRMtastic (reverse|re) eng. tutorial

Published on BSidesLondon, 20th April 2011 - Manuel

This talk will show you the basics of reverse engineering Android apps with the ultimate goal of re-implementing the decryption routines of the Kobo Android reader to achieve interoperability of other software with that closed interface.

For more about Manuel: http://sporkbomb.eu, and Kobo: http://sporkbomb.eu/kobopier/

Published in: Technology

  1. Your money, your media: A DRMtastic (reverse|re)engineering tutorial
  2. Who dat dude with the mic?
     ● Hi, I'm Manuel. An academic researcher without academic title.
  3. What's this talk about
  4. Kobo
     ● Global eBook retailer
     ● “We believe consumers should be able to read any book, anytime, anywhere, and on the device of their choice”
     ● “We believe open standards for eBooks are best for consumers, publishers, retailers and hardware manufacturers. Closed systems stifle innovation and growth. Kobo proudly supports EPUB and encourages our users to read a Kobo-purchased eBook on their smartphone, Sony Reader, laptop, or whichever device they choose.”
  5. No problem, then!
  6. fbreader
  7. I AM DISAPPOINT
  8. trollface.jpg
  9. ● I BUY books. I don't “lend them under certain terms”.
     ● $10 for a digital copy, and you restrict how I use it?
  10. NOTICE
     ● I ONLY WANTED TO ACHIEVE INTEROPERABILITY WITH OTHER PROGRAMS
     ● THAT ARE NOT COMPETING WITH THE KOBO READER
     ● KOBOPIER ONLY REPRODUCES THE DECRYPTION INTERFACE
     ● DON'T PIRATE XOR DON'T GET CAUGHT
  11. Whoo, look at my ePenis!
  12. Android reversing
     ● Dalvik
     ● Smali
     ● Can haz apktool?
  13. smali example code
  14. Workflow example
     ● adb pull /data/app/com.MyLittlePony.apk /tmp/
     ● java -jar baksmali.jar -o /tmp/pony MyLittlePony.apk
     ● OR apktool d MyLittlePony.apk /tmp/pony
     ● vim /tmp/pony/smali/com/mylilpony/Main.smali
  15. MOAR DATA
     ● adb pull /data/data/com.kobobooks.android/ kobothings
  16. OMG Obfuscation
  17. OMG Obfuscation
  18. Your reaction: Anger
  19. Your reaction: Resignation
  20. Your reaction: The Right One
  21. Java/smali is hard to obfuscate
     ● MADE to be readable
     ● invoke-static {p0, v1, v0}, Lcom/kobobooks/android/f/i;->a([BLjavax/crypto/Cipher;Ljavax/crypto/SecretKey;)[B
  22. The search begins
     grep -Ri javax.crypto
     ...?...
     Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
     ...so I'm searching for “AES”.
  23. Bingo!...FAIL.
     ● Found a decryption!
     ● sqlite3 <kobo datadir>/databases/Kobo
     ● .tables + .headers on
     ● ParentContentID|...|DecryptKey|...
  24. BUT I WANNA!!!!! ;_;
  25. Moar reversing
     ● Who's calling my decryption?
     ● What other methods is it calling?
     ● Learn to read smali. It's a somewhat neat language.
     ● What data is it using?
     ● ...remote Dalvik debugging?
  26. apktool
     ● Disassemble
     ● Modify (theme, patch, break...)
     ● Build (apktool b...)
     ● Sign (jarsigner)
     ● adb install hax.apk
     ● Uninstall the old version first
  27. Bingo!...FAIL...ish.
  28. On the right track!
     ● Then: “Is it possible?”
     ● Now: “How to make it practical?”
     ● More patching: Dumping all parts of the key
     ● Caller of the decryption method creates the key
     ● Three strings as input
     ● Does some weirdass stuff, more on that later
  29. Key parts
     /OzEca8ESalQNvd/xknj8g==ee13373-bb8a-5a09-ccdd-af9c4fbgf844503668452247539
     May the logs be with you.
  30. Hashing IDs && Base64 decode
     ● H(DeviceID || UserID).substring(15);
     ● Algorithms (hardcoded arrays/tables) look intimidating in smali
     ● Public Domain Base64.java :)
  31. Part Three: WTF Crypto?
  32. Part Three: WTF Crypto
     Hardcoded Strings, again!
  33. Part Three: WTF Crypto
     ● Rijndael
     ● BouncyCastle AND own implementation
     ● I'm here to break, not question it.
     ● encrypt() and decrypt() have the same signature...
  34. Putting the parts together
     ● Read chapter (cp /sdcard/Kobo/epubs ...)
     ● H(DeviceID || UserID)
     ● base64_decode(DecryptKey)
     ● D(encoded_decryptkey, hash_part)
     ● Clever (and common) from a DRM perspective
     ● D(chapter, decrypted_key)
  35. BINGO!
  36. Result: Kobopier
     http://sporkbomb.eu/kobopier/
     * Kobopier - a Kobo Android ePub DRM stripper
     *
     * You can reach the author at kobopier@acanthephyra.net.
     * New versions of Kobopier will be made available at http://sporkbomb.eu/kobopier/.
     *
     * Important note: Kobopier is not made for piracy. It does not break any encryption,
     * it simply replicates a few steps the original Android Kobo reader does.
     * Please read the license below. Also, consider that it is YOUR responsibility to deal
     * with any legal issues that arise from YOU using this tool.
     * If you buy one copy of an ebook, decrypt it with this tool and then give it away,
     * that's fine with me - but you alone are responsible if Kobo sues you.
     *
     * Copyright (C) 2011 sporkbomb
  37. ● Questions?
     ● Complaints?
     ● Compliments?
     ● Suggestions?
     @__sporkbomb
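The "grep -Ri javax.crypto" step from slides 21, 22 and 25 finds lines, but a reviewer of an app's crypto usage wants the decoded call signatures. The following is an added example, not code from the talk or from Kobopier: it parses the `invoke-*` lines baksmali/apktool emit, decodes the Dalvik type descriptors, and lists every call whose target class, parameter or return type lives in javax.crypto. The sample smali is constructed, except its first line, which is the call shown on slide 21.

```python
# Added example: parse baksmali 'invoke-*' lines and list javax.crypto call sites.
import re

# e.g. invoke-static {p0, v1}, Lcom/foo/i;->a([BLjavax/crypto/Cipher;)[B
INVOKE_RE = re.compile(
    r"^\s*(invoke-[a-z/]+)\s*\{([^}]*)\},\s*(L[^;]+;)->([^(]+)\(([^)]*)\)(\S+)\s*$")
PRIMITIVES = {"V": "void", "Z": "boolean", "B": "byte", "S": "short", "C": "char",
              "I": "int", "J": "long", "F": "float", "D": "double"}

def parse_descriptor(desc):
    """'[BLjavax/crypto/Cipher;I' -> ['byte[]', 'javax.crypto.Cipher', 'int']"""
    types, i = [], 0
    while i < len(desc):
        dims = 0
        while desc[i] == "[":            # one leading '[' per array dimension
            dims, i = dims + 1, i + 1
        if desc[i] == "L":               # object type: L<pkg/Class>;
            end = desc.index(";", i)
            name, i = desc[i + 1:end].replace("/", "."), end + 1
        else:                            # single-letter primitive type
            name, i = PRIMITIVES[desc[i]], i + 1
        types.append(name + "[]" * dims)
    return types

def parse_invoke(line):
    """Return (kind, class, method, params, ret) for an invoke line, else None."""
    m = INVOKE_RE.match(line)
    if not m:
        return None
    kind, _regs, cls, meth, params, ret = m.groups()
    return (kind, parse_descriptor(cls)[0], meth,
            parse_descriptor(params), parse_descriptor(ret)[0])

def crypto_calls(smali_text, marker="javax.crypto"):
    """Calls whose target class, a parameter or the return type is in javax.crypto."""
    hits = []
    for line in smali_text.splitlines():
        call = parse_invoke(line)
        if call and any(marker in t for t in (call[1], call[4], *call[3])):
            hits.append(call)
    return hits

# Constructed sample: line 1 is the call from slide 21, the other lines are made up.
SAMPLE_SMALI = """\
    invoke-static {p0, v1, v0}, Lcom/kobobooks/android/f/i;->a([BLjavax/crypto/Cipher;Ljavax/crypto/SecretKey;)[B
    invoke-virtual {v2}, Ljava/lang/String;->length()I
    invoke-static {v3}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
    invoke-direct {p0, v4}, Lcom/example/Base64;->decode(Ljava/lang/String;)[B
"""
```

Running `crypto_calls(SAMPLE_SMALI)` over a full `smali/` tree (one file at a time) gives the list of methods worth reading first when auditing how an app handles keys.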