Your money, your media
A DRMtastic (reverse|re)engineering tutorial
Who dat dude with the mic?
●   Hi, I'm Manuel. An academic researcher without
    academic title.
What's this talk about
Kobo
●   Global eBook retailer
●   “We believe consumers should be able to read any book, anytime,
    anywhere, and on the device of their choice”

●   “We believe open standards for eBooks are best for consumers,
    publishers, retailers and hardware manufacturers. Closed systems
    stifle innovation and growth. Kobo proudly supports EPUB and
    encourages our users to read a Kobo-purchased eBook on their
    smartphone, Sony Reader, laptop, or whichever device they
    choose.”
No problem, then!
fbreader
I AM DISAPPOINT
trollface.jpg
●   I BUY books. I don't
    “lend them under
    certain terms”.
●   $10 for a digital copy,
    and you restrict how I
    use it?
NOTICE
●   I ONLY WANTED TO ACHIEVE
    INTEROPERABILITY WITH OTHER PROGRAMS
    ●   THAT ARE NOT COMPETING WITH THE KOBO
        READER

●   KOBOPIER ONLY REPRODUCES THE
    DECRYPTION INTERFACE
●   DON'T PIRATE XOR DON'T GET CAUGHT
Whoo, look at my ePeni...nsula!
Android reversing
●   Dalvik
●   Smali
    ●   Can haz apktool?
smali example code
Workflow example
●   adb pull /data/app/com.MyLittlePony.apk /tmp/
●   java -jar baksmali.jar -o /tmp/pony MyLittlePony.apk
●   OR apktool d MyLittlePony.apk /tmp/pony
●   vim /tmp/pony/smali/com/mylilpony/Main.smali
MOAR DATA
●   adb pull /data/data/com.kobobooks.android/ kobothings
OMG Obfuscation
OMG Obfuscation
Your reaction: Anger
Your reaction: Resignation
Your reaction: The Right One
Java/smali is hard to obfuscate
●   MADE to be readable
●   invoke-static {p0, v1, v0}, Lcom/kobobooks/android/f/i;->a([BLjavax/crypto/Cipher;Ljavax/crypto/SecretKey;)[B
The search begins
grep -Ri javax.crypto...?




...Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>


...so I'm searching for “AES”.
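The point of the two slides above, as an added example that is not part of the original talk: renaming app classes to `f/i` and `a` cannot rename the platform types in a method descriptor, so a search for `javax.crypto` still lands on the crypto call sites. The first `invoke-static` line in the sample is the one from the slide; the other sample lines are constructed, and the function names are this example's own.

```python
import re

# Dalvik primitive type codes and their Java names.
PRIMITIVES = {"V": "void", "Z": "boolean", "B": "byte", "S": "short", "C": "char",
              "I": "int", "J": "long", "F": "float", "D": "double"}

# invoke-<kind> {registers}, <class>-><method>(<params>)<return>
INVOKE_RE = re.compile(
    r"^\s*invoke-(?P<kind>[a-z/-]+)\s+\{(?P<regs>[^}]*)\},\s*"
    r"(?P<cls>\S+?)->(?P<name>[^(\s]+)\((?P<params>[^)]*)\)(?P<ret>\S+)")


def parse_type(desc, pos=0):
    """Decode one type descriptor at desc[pos]; return (java_name, next_pos)."""
    dims = 0
    while pos < len(desc) and desc[pos] == "[":   # each '[' is one array dimension
        dims += 1
        pos += 1
    if pos >= len(desc):
        raise ValueError("truncated descriptor: %r" % desc)
    code = desc[pos]
    if code == "L":                               # object type: Lpkg/Class;
        end = desc.find(";", pos)
        if end == -1:
            raise ValueError("unterminated class name: %r" % desc)
        name = desc[pos + 1:end].replace("/", ".")
        pos = end + 1
    elif code in PRIMITIVES:
        name = PRIMITIVES[code]
        pos += 1
    else:
        raise ValueError("unknown type code %r in %r" % (code, desc))
    return name + "[]" * dims, pos


def parse_params(params):
    """Split a concatenated parameter descriptor into a list of Java type names."""
    out, pos = [], 0
    while pos < len(params):
        java_name, pos = parse_type(params, pos)
        out.append(java_name)
    return out


def describe_invoke(line):
    """Return details of a smali invoke-* line, or None if it is not one."""
    m = INVOKE_RE.match(line)
    if not m:
        return None
    try:
        cls, _ = parse_type(m.group("cls"))
        ret, _ = parse_type(m.group("ret"))
        params = parse_params(m.group("params"))
    except ValueError:
        return None                               # malformed descriptor: skip the line
    signature = "%s %s.%s(%s)" % (ret, cls, m.group("name"), ", ".join(params))
    return {"kind": m.group("kind"), "types": [cls, ret] + params,
            "signature": signature}


def crypto_call_sites(smali_text, prefixes=("javax.crypto.", "java.security.")):
    """List (line_number, signature) for calls whose descriptor names a crypto type."""
    hits = []
    for number, line in enumerate(smali_text.splitlines(), 1):
        info = describe_invoke(line)
        if info and any(t.startswith(prefixes) for t in info["types"]):
            hits.append((number, info["signature"]))
    return hits


# Sample input: line 2 is the instruction shown on the slide, the rest is constructed.
SAMPLE_SMALI = """\
.method public static b([B)[B
    invoke-static {p0, v1, v0}, Lcom/kobobooks/android/f/i;->a([BLjavax/crypto/Cipher;Ljavax/crypto/SecretKey;)[B
    invoke-virtual {v2}, Ljava/lang/String;->length()I
    invoke-static {v3}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
.end method
"""

if __name__ == "__main__":
    for number, signature in crypto_call_sites(SAMPLE_SMALI):
        print("line %d: %s" % (number, signature))
```

The obfuscated `f.i.a` is flagged by its `Cipher` and `SecretKey` parameters alone, which is why name obfuscation by itself does little to hide where an app handles key material.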
Bingo!...FAIL.
●   Found a decryption!
●   sqlite3 <kobo datadir>/databases/Kobo
●   '.tables' + '.headers on'
●   ParentContentID|...|DecryptKey|...
BUT I WANNA!!!!! ;_;
Moar reversing
●   Who's calling my decryption?
●   What other methods is it calling?
    ●   Learn to read smali. It's a somewhat neat language.

●   What data is it using?
    ●   ...remote Dalvik debugging?
apktool
●   Disassemble
●   Modify (theme, patch, break...)
●   Build (apktool b...)
●   Sign (jarsigner)
●   adb install hax.apk

    ●   Uninstall the old version first
Bingo!...FAIL...ish.
On the right track!
●   Then: “Is it possible?”
●   Now: “How to make it practical?”
●   More patching: Dumping all parts of the key
    ●   Caller of the decryption method creates the key
    ●   Three strings as input
    ●   Does some weirdass stuff, more on that later
Key parts
/OzEca8ESalQNvd/xknj8g==

ee13373-bb8a-5a09-ccdd-af9c4fbgf844

503668452247539



May the logs be with you.
Hashing IDs && Base64 decode
●   H(DeviceID || UserID).substring(16);



●   Algorithms (hardcoded arrays/tables) look
    intimidating in smali
●   Public Domain Base64.java :)
Part Three: WTF Crypto?
Part Three: WTF Crypto
Hardcoded Strings, again!
Part Three: WTF Crypto
●   Rijndael
●   BouncyCastle AND own implementation
    ●   I'm here to break, not question it.
●   encrypt() and decrypt() have the same signature...
Putting the parts together
●   Read chapter (cp /sdcard/Kobo/epubs ...)


●   H(DeviceID || UserID)
●   base64_decode(DecryptKey)
●   D(encoded_decryptkey, hash_part)
    ●   Clever (and common) from a DRM perspective

●   D(chapter, decrypted_key)
BINGO!
Result: Kobopier
           http://sporkbomb.eu/kobopier/
* Kobopier - a Kobo Android ePub DRM stripper
*
* You can reach the author at kobopier@acanthephyra.net.
* New versions of Kobopier will be made available at http://sporkbomb.eu/kobopier/.
*
* Important note: Kobopier is not made for piracy. It does not break any encryption,
* it simply replicates a few steps the original Android Kobo reader does.
* Please read the license below. Also, consider that it is YOUR responsibility to deal
* with any legal issues that arise from YOU using this tool.
* If you buy one copy of an ebook, decrypt it with this tool and then give it away,
* that's fine with me - but you alone are responsible if Kobo sues you.
*
* Copyright (C) 2011 sporkbomb
●   Questions?
●   Complaints?
●   Compliments?
●   Suggestions?

      @__sporkbomb

BSidesLondon | Your Money, Your Media - A DRMtastic Android (reverse|re
