Your money, your media: A DRMtastic (reverse|re)engineering tutorial

Upload: chandra-pratap

Post on 20-Aug-2015

TRANSCRIPT

Page 1: BSidesLondon | Your Money, Your Media - A DRMtastic Android (reverse|re)engineering tutorial

Your money, your media: A DRMtastic (reverse|re)engineering tutorial

Page 2:

Who dat dude with the mic?

● Hi, I'm Manuel. An academic researcher without an academic title.

Page 3:

What's this talk about

Page 4:

Kobo

● Global eBook retailer

● “We believe consumers should be able to read any book, anytime, anywhere, and on the device of their choice”

● “We believe open standards for eBooks are best for consumers, publishers, retailers and hardware manufacturers. Closed systems stifle innovation and growth. Kobo proudly supports EPUB and encourages our users to read a Kobo-purchased eBook on their smartphone, Sony Reader, laptop, or whichever device they choose.”

Page 5:

No problem, then!

Page 6:

fbreader

Page 7:

I AM DISAPPOINT

Page 8:

trollface.jpg

Page 9:

● I BUY books. I don't “lend them under certain terms”.

● $10 for a digital copy, and you restrict how I use it?

Page 10:

NOTICE

● I ONLY WANTED TO ACHIEVE INTEROPERABILITY WITH OTHER PROGRAMS

● THAT ARE NOT COMPETING WITH THE KOBO READER

● KOBOPIER ONLY REPRODUCES THE DECRYPTION INTERFACE

● DON'T PIRATE XOR DON'T GET CAUGHT

Page 11:

Whoo, look at my ePeni...nsula!

Page 12:

Android reversing

● Dalvik

● Smali

● Can haz apktool?

Page 13:

smali example code

Page 14:

Workflow example

● adb pull /data/app/com.MyLittlePony.apk /tmp/

● java -jar baksmali.jar -o /tmp/pony /tmp/com.MyLittlePony.apk

● OR apktool d /tmp/com.MyLittlePony.apk /tmp/pony

● vim /tmp/pony/smali/com/mylilpony/Main.smali

● Version note: newer Android keeps the APK at /data/app/<pkg>-<hash>/base.apk (find it with adb shell pm path <pkg>), and current tool versions spell the commands apktool d app.apk -o /tmp/pony and baksmali d app.apk -o /tmp/pony. Plain baksmali writes the class tree straight into the output directory; apktool puts it under smali/.

Page 15:

MOAR DATA

● adb pull /data/data/com.kobobooks.android/ kobothings

● /data/data/<package> is readable only as root (or via adb shell run-as <package> when the app is debuggable), so this step needs a rooted device or an emulator.

Page 16:

OMG Obfuscation

Page 17:

OMG Obfuscation

Page 18:

Your reaction: Anger

Page 19:

Your reaction: Resignation

Page 20:

Your reaction: The Right One

Page 21:

Java/smali is hard to obfuscate

● MADE to be readable

● invoke-static {p0, v1, v0}, Lcom/kobobooks/android/f/i;->a([BLjavax/crypto/Cipher;Ljavax/crypto/SecretKey;)[B

● The obfuscator can shrink the app's own class and method names to f/i and a, but it cannot rename framework types: the descriptor still says javax/crypto/Cipher and javax/crypto/SecretKey, which is all the clue you need.

Page 22:

The search begins

grep -Ri javax.crypto...?

...Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>

...so I'm searching for “AES”.

(That Algorithm attribute is the EncryptionMethod an EPUB declares in its META-INF/encryption.xml, so the reader has to instantiate an AES cipher somewhere, and a framework call like Cipher.getInstance("AES") cannot be obfuscated away.)

Page 23:

Bingo!...FAIL.

● Found a decryption!

● sqlite3 <kobo datadir>/databases/Kobo

● '.tables' + '.headers on'

● ParentContentID|...|DecryptKey|...

Page 24:

BUT I WANNA!!!!! ;_;

Page 25:

Moar reversing

● Who's calling my decryption?

● What other methods is it calling?

● Learn to read smali. It's a somewhat neat language.

● What data is it using?

● ...remote Dalvik debugging?

Page 26:

apktool

● Disassemble

● Modify (theme, patch, break...)

● Build (apktool b...)

● Sign (jarsigner)

● adb install hax.apk

● Uninstall the old version first: the rebuilt APK is signed with your key, not Kobo's, and Android refuses to install an update whose signing certificate differs from the installed package's.

Page 27:

Bingo!...FAIL...ish.

Page 28:

On the right track!

● Then: “Is it possible?”

● Now: “How to make it practical?”

● More patching: Dumping all parts of the key

● Caller of the decryption method creates the key

● Three strings as input

● Does some weirdass stuff, more on that later
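The two questions from the last few slides, "who's calling my decryption?" and "how do I dump all parts of the key?", as an added example in Go. This is not Kobopier's code and not from the talk: a small helper that scans smali for call sites of the decryption method (tracking the enclosing .class and .method so you get a caller, not just a grep hit) and then patches a logging call in front of each site. The target method signature is the one shown on the obfuscation slide; the caller class f/j and its method b, the Lhax/Dump; helper class and the "hax" log tag are made up here. The helper is a static method that takes a byte[] and returns void, so the injected invoke needs no spare register and no move-result and the patched method's .registers count stays valid.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// The decryption method from the slide, in smali's Lclass;->name(desc)ret form.
const targetMethod = "Lcom/kobobooks/android/f/i;->a([BLjavax/crypto/Cipher;Ljavax/crypto/SecretKey;)[B"

// Helper class to drop into the tree as smali/hax/Dump.smali (made up here).
// Static, byte[] in, void out: the injected call needs no spare register.
const dumpSmali = `.class public Lhax/Dump;
.super Ljava/lang/Object;
.method public static bytes([B)V
    .registers 3
    const-string v0, "hax"
    invoke-static {p0}, Ljava/util/Arrays;->toString([B)Ljava/lang/String;
    move-result-object v1
    invoke-static {v0, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    return-void
.end method
`

// Constructed caller standing in for the obfuscated class that builds the key.
// Only the invoke-static of f/i;->a is from the slide; the rest is made up.
const sampleCaller = `.class public Lcom/kobobooks/android/f/j;
.super Ljava/lang/Object;
.method public static b([B)[B
    .registers 4
    const-string v0, "AES"
    invoke-static {v0}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
    move-result-object v1
    invoke-static {p0}, Lcom/kobobooks/android/f/j;->c([B)Ljavax/crypto/SecretKey;
    move-result-object v0
    invoke-static {p0, v1, v0}, Lcom/kobobooks/android/f/i;->a([BLjavax/crypto/Cipher;Ljavax/crypto/SecretKey;)[B
    move-result-object v0
    return-object v0
.end method
`

// indent, invoke kind, register list, Lclass;->name(desc)ret
var invokeRe = regexp.MustCompile(`^(\s*)(invoke-[a-z/]+)\s+\{([^}]*)\},\s*(L[^;]+;->\S+)`)

// CallSite is one call of the target: enclosing method, line, registers passed.
type CallSite struct {
	File, Caller, Regs string
	LineNo             int
}

// findCallers answers "who is calling my decryption?" for one smali file,
// tracking the enclosing .class and .method as it goes. Run it over every
// *.smali under the apktool/baksmali output directory.
func findCallers(file, src, target string) []CallSite {
	var sites []CallSite
	class, method := "", ""
	for i, line := range strings.Split(src, "\n") {
		fs := strings.Fields(line)
		switch {
		case strings.HasPrefix(line, ".class "):
			class = fs[len(fs)-1]
		case strings.HasPrefix(line, ".method "):
			method = class + "->" + fs[len(fs)-1]
		case strings.HasPrefix(line, ".end method"):
			method = ""
		default:
			if m := invokeRe.FindStringSubmatch(line); m != nil && m[4] == target {
				sites = append(sites, CallSite{file, method, m[3], i + 1})
			}
		}
	}
	return sites
}

// injectDump inserts, before every non-range call of target, a call that logs
// the first argument (the byte[] handed to the cipher). Range-form invokes
// ("{v0 .. v3}") are skipped: their register list needs a different patch.
func injectDump(src, target string) (string, int) {
	var out []string
	n := 0
	for _, line := range strings.Split(src, "\n") {
		m := invokeRe.FindStringSubmatch(line)
		if m != nil && m[4] == target && !strings.Contains(m[2], "/range") && m[3] != "" {
			first := strings.TrimSpace(strings.SplitN(m[3], ",", 2)[0])
			out = append(out, fmt.Sprintf("%sinvoke-static {%s}, Lhax/Dump;->bytes([B)V", m[1], first))
			n++
		}
		out = append(out, line)
	}
	return strings.Join(out, "\n"), n
}

func main() {
	for _, s := range findCallers("com/kobobooks/android/f/j.smali", sampleCaller, targetMethod) {
		fmt.Printf("%s:%d in %s, registers {%s}\n", s.File, s.LineNo, s.Caller, s.Regs)
	}
	patched, n := injectDump(sampleCaller, targetMethod)
	fmt.Printf("%d call site(s) patched:\n%s\nwrite this as smali/hax/Dump.smali:\n%s", n, patched, dumpSmali)
}
```

After patching, add Dump.smali under the smali/ directory, rebuild with apktool b, sign, reinstall, and read the key material with adb logcat -s hax while the app opens a book. Patching the callee's other arguments (the Cipher and SecretKey objects) works the same way with a helper that takes those types; the only rule is that the helper's parameter count must not exceed what the non-range invoke form and the method's .registers allow.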

Page 29:

Key parts

/OzEca8ESalQNvd/xknj8g==

ee13373-bb8a-5a09-ccdd-af9c4fbgf844

503668452247539

May the logs be with you.

Page 30:

Hashing IDs && Base64 decode

● H(DeviceID || UserID).substring(16);

● Algorithms (hardcoded arrays/tables) look intimidating in smali

● Public Domain Base64.java :)

Page 31:

Part Three: WTF Crypto?

Page 32:

Part Three: WTF Crypto

Hardcoded Strings, again!

Page 33:

Part Three: WTF Crypto

● Rijndael

● BouncyCastle AND own implementation

● I'm here to break, not question it.

● encrypt() and decrypt() have the same signature...

Page 34:

Putting the parts together

● Read chapter (cp /sdcard/Kobo/epubs ...)

● H(DeviceID || UserID)

● base64_decode(DecryptKey)

● D(encoded_decryptkey, hash_part)

● Clever (and common) from a DRM perspective: the per-book key is stored only wrapped under a key derived from device and user identity, so copying the database alone gets you nothing

● D(chapter, decrypted_key)
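The pipeline on the slide above, as an added example in Go (not Kobopier's code and not from the talk): one function per step plus a constructed fixture that plays the Kobo side, so the whole chain runs offline and can be checked end to end. The slides leave several details out, so this example assumes them: H is SHA-256 and the 16 ASCII characters that follow substring(16) of its hex digest form the AES-128 key; the DecryptKey is unwrapped as a single raw AES block with no IV and no padding, because the one on the "Key parts" slide decodes to exactly 16 bytes; chapters follow XML Encryption's aes128-cbc layout (IV prepended, PKCS#7 padding), which the slides do not confirm for Kobo's own Rijndael code; and of the two identifier strings on the "Key parts" slide the 15-digit one is taken as DeviceID and the UUID-like one as UserID. Replace any of these with what you read out of the smali.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
)

// deviceKey models the slide's H(DeviceID || UserID).substring(16).
// ASSUMPTION: the slides name neither H nor how the substring becomes key
// bytes. SHA-256, drop 16 hex chars as substring(16) does, next 16 ASCII = key.
func deviceKey(deviceID, userID string) []byte {
	sum := sha256.Sum256([]byte(deviceID + userID))
	return []byte(hex.EncodeToString(sum[:])[16:32])
}

// unwrapContentKey is base64_decode(DecryptKey), then D(encoded_decryptkey,
// hash_part). The slide's DecryptKey decodes to exactly 16 bytes, one AES
// block, so the unwrap is one raw block decrypt (ASSUMPTION from that length).
func unwrapContentKey(decryptKeyB64, deviceID, userID string) ([]byte, error) {
	wrapped, err := base64.StdEncoding.DecodeString(decryptKeyB64)
	if err != nil {
		return nil, err
	}
	if len(wrapped) != aes.BlockSize {
		return nil, fmt.Errorf("DecryptKey is %d bytes, want one AES block", len(wrapped))
	}
	block, err := aes.NewCipher(deviceKey(deviceID, userID))
	if err != nil {
		return nil, err
	}
	key := make([]byte, aes.BlockSize)
	block.Decrypt(key, wrapped)
	return key, nil
}

// decryptChapter is D(chapter, decrypted_key) as aes128-cbc, the algorithm
// encryption.xml declares. ASSUMPTION: XML Encryption layout, IV prepended,
// PKCS#7 padding. A padding failure here means wrong key or wrong mode.
func decryptChapter(chapter, contentKey []byte) ([]byte, error) {
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	if len(chapter) < 2*aes.BlockSize || len(chapter)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("chapter of %d bytes is not an IV plus whole blocks", len(chapter))
	}
	iv, ct := chapter[:aes.BlockSize], chapter[aes.BlockSize:]
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	n := int(plain[len(plain)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(plain[len(plain)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("bad PKCS#7 padding: wrong key or wrong mode")
	}
	return plain[:len(plain)-n], nil
}

// fixture is the app/server side, constructed so the pipeline runs offline.
type fixture struct {
	DeviceID, UserID, DecryptKeyB64 string // what the client has on disk
	Chapter                         []byte // a file from /sdcard/Kobo/epubs
	ContentKey, Plain               []byte // what the reverser recovers
}

// makeFixture wraps a made-up content key under the device key and encrypts a
// made-up chapter under the content key. The IDs are the "Key parts" strings.
func makeFixture() fixture {
	f := fixture{
		DeviceID:   "503668452247539",
		UserID:     "ee13373-bb8a-5a09-ccdd-af9c4fbgf844",
		ContentKey: []byte("0123456789abcdef"),
		Plain:      []byte("<p>Chapter 1. It was a dark and stormy night.</p>"),
	}
	kek, _ := aes.NewCipher(deviceKey(f.DeviceID, f.UserID))
	wrapped := make([]byte, aes.BlockSize)
	kek.Encrypt(wrapped, f.ContentKey)
	f.DecryptKeyB64 = base64.StdEncoding.EncodeToString(wrapped)
	iv := []byte("fixed-iv-for-doc") // 16 bytes; a real encryptor picks a random IV
	pad := aes.BlockSize - len(f.Plain)%aes.BlockSize
	padded := append(append([]byte{}, f.Plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	ck, _ := aes.NewCipher(f.ContentKey)
	cipher.NewCBCEncrypter(ck, iv).CryptBlocks(ct, padded)
	f.Chapter = append(append([]byte{}, iv...), ct...)
	return f
}

func main() {
	f := makeFixture()
	key, err := unwrapContentKey(f.DecryptKeyB64, f.DeviceID, f.UserID)
	if err != nil {
		panic(err)
	}
	text, err := decryptChapter(f.Chapter, key)
	fmt.Printf("content key %x\n%s %v\n", key, text, err)
}
```

The structural point survives whatever the real hash and mode turn out to be: the per-book key never sits in the database in the clear, only wrapped under a key the client rebuilds from identifiers it already holds, so anyone who can read the database and those two identifiers can unwrap it. When porting this to the real data, a PKCS#7 error on a chapter that unwrapped cleanly is the usual sign that the chapter mode (CBC with a leading IV versus something else) is the part you guessed wrong.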

Page 35:

BINGO!

Page 36:

Result: Kobopier

 * Kobopier - a Kobo Android ePub DRM stripper
 *
 * You can reach the author at [email protected].
 * New versions of Kobopier will be made available at http://sporkbomb.eu/kobopier/.
 *
 * Important note: Kobopier is not made for piracy. It does not break any encryption,
 * it simply replicates a few steps the original Android Kobo reader does.
 * Please read the license below. Also, consider that it is YOUR responsibility to deal
 * with any legal issues that arise from YOU using this tool.
 * If you buy one copy of an ebook, decrypt it with this tool and then give it away,
 * that's fine with me - but you alone are responsible if Kobo sues you.
 *
 * Copyright (C) 2011 sporkbomb

http://sporkbomb.eu/kobopier/

Page 37:

@__sporkbomb

● Questions?

● Complaints?

● Compliments?

● Suggestions?