Your money, your media
A DRMtastic (reverse|re)engineering tutorial
Who dat dude with the mic?
●   Hi, I'm Manuel. An academic researcher without
    academic title.
What's this talk about
Kobo
●   Global eBook retailer
●   “We believe consumers should be able to read any book, anytime,
    anywhere, and on the device of their choice”

●   “We believe open standards for eBooks are best for consumers,
    publishers, retailers and hardware manufacturers. Closed systems
    stifle innovation and growth. Kobo proudly supports EPUB and
    encourages our users to read a Kobo-purchased eBook on their
    smartphone, Sony Reader, laptop, or whichever device they
    choose.”
No problem, then!
fbreader
I AM DISAPPOINT
trollface.jpg
●   I BUY books. I don't
    “lend them under
    certain terms”.
●   $10 for a digital copy,
    and you restrict how I
    use it?
NOTICE
●   I ONLY WANTED TO ACHIEVE
    INTEROPERABILITY WITH OTHER PROGRAMS
    ●   THAT ARE NOT COMPETING WITH THE KOBO
        READER

●   KOBOPIER ONLY REPRODUCES THE
    DECRYPTION INTERFACE
●   DON'T PIRATE XOR DON'T GET CAUGHT
Whoo, look at my ePenis!
Android reversing
●   Dalvik
●   Smali
    ●   Can haz apktool?
smali example code
Workflow example
●   adb pull /data/app/com.MyLittlePony.apk /tmp/
●   java -jar baksmali.jar -o /tmp/pony MyLittlePony.apk
●   OR apktool d MyLittlePony.apk /tmp/pony
●   vim /tmp/pony/smali/com/mylilpony/Main.smali
MOAR DATA
●   adb pull /data/data/com.kobobooks.android/ kobothings
OMG Obfuscation
OMG Obfuscation
Your reaction: Anger
Your reaction: Resignation
Your reaction: The Right One
Java/smali is hard to obfuscate
●   MADE to be readable
●   invoke-static {p0, v1, v0}, Lcom/kobobooks/android/f/i;->a([BLjavax/crypto/Cipher;Ljavax/crypto/SecretKey;)[B
The search begins
grep -Ri javax.crypto...?

...Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>

...so I'm searching for “AES”.
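
An added example, not part of the original slides or of Kobopier: a small smali call-site scanner showing why name obfuscation does not hide crypto code from a reviewer. The obfuscated callee `f/i;->a` still carries `javax/crypto` types in its method descriptor. The sample method body, the transformation string and all function names are constructed for illustration; only the `invoke-static` line is taken from the slide.

```python
import re

# Dalvik primitive type codes -> Java type names.
PRIMS = {"Z": "boolean", "B": "byte", "S": "short", "C": "char", "I": "int",
         "J": "long", "F": "float", "D": "double", "V": "void"}

# invoke-<kind> {regs}, Lpkg/Class;->name(params)ret
INVOKE_RE = re.compile(
    r"^\s*invoke-[\w/-]+\s*\{[^}]*\},\s*"
    r"(?P<cls>\[*L[^;]+;)->(?P<name>[^(\s]+)\((?P<params>[^)]*)\)(?P<ret>\S+)"
)
CONST_STRING_RE = re.compile(r'^\s*const-string(?:/jumbo)?\s+\w+,\s*"(?P<s>.*)"\s*$')


def split_descriptors(desc):
    """Split a concatenated Dalvik descriptor string into single types."""
    types, i = [], 0
    while i < len(desc):
        start = i
        while i < len(desc) and desc[i] == "[":      # array dimensions
            i += 1
        if i < len(desc) and desc[i] == "L":         # object type, ends at ';'
            end = desc.find(";", i)
            if end == -1:
                raise ValueError("unterminated object type in %r" % desc)
            i = end + 1
        elif i < len(desc) and desc[i] in PRIMS:     # primitive type
            i += 1
        else:
            raise ValueError("bad descriptor %r at offset %d" % (desc, i))
        types.append(desc[start:i])
    return types


def readable(t):
    """'[B' -> 'byte[]', 'Ljavax/crypto/Cipher;' -> 'javax.crypto.Cipher'."""
    dims = len(t) - len(t.lstrip("["))
    base = t[dims:]
    name = base[1:-1].replace("/", ".") if base.startswith("L") else PRIMS[base]
    return name + "[]" * dims


# Constructed sample. Only the second invoke-static line appears on the slide;
# the rest (including the transformation string) is made up for this example.
SAMPLE_SMALI = '''\
.method public static b([B)[B
    const-string v2, "AES/CBC/PKCS5Padding"
    invoke-static {v2}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
    move-result-object v1
    invoke-static {p0, v1, v0}, Lcom/kobobooks/android/f/i;->a([BLjavax/crypto/Cipher;Ljavax/crypto/SecretKey;)[B
    move-result-object v3
    invoke-virtual {v4, v5}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
    return-object v3
.end method
'''


def find_crypto_callsites(smali_text, needle="javax/crypto/"):
    """Return call sites that target, accept or return javax.crypto types."""
    hits, last_string = [], None
    for lineno, line in enumerate(smali_text.splitlines(), 1):
        if line.lstrip().startswith(".method"):
            last_string = None                       # strings do not cross methods
            continue
        m = CONST_STRING_RE.match(line)
        if m:
            last_string = m.group("s")
            continue
        m = INVOKE_RE.match(line)
        if not m:
            continue
        direct = needle in m.group("cls")
        if not direct and needle not in m.group("params") + m.group("ret"):
            continue
        hits.append({
            "line": lineno,
            # "wrapper": app code whose signature leaks crypto types
            "kind": "framework" if direct else "wrapper",
            "callee": readable(m.group("cls")) + "." + m.group("name"),
            "params": [readable(t) for t in split_descriptors(m.group("params"))],
            "returns": readable(m.group("ret")),
            # Heuristic: last string literal before a framework call is often
            # the algorithm/transformation name passed to it.
            "nearest_string": last_string if direct else None,
        })
    return hits


if __name__ == "__main__":
    for hit in find_crypto_callsites(SAMPLE_SMALI):
        print(hit)
```
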
Bingo!...FAIL.
●   Found a decryption!
●   sqlite3 <kobo datadir>/databases/Kobo
●   '.tables' + '.headers on'
●   ParentContentID|...|DecryptKey|...
BUT I WANNA!!!!! ;_;
Moar reversing
●   Who's calling my decryption?
●   What other methods is it calling?
    ●   Learn to read smali. It's a somewhat neat language.

●   What data is it using?
    ●   ...remote Dalvik debugging?
apktool
●   Disassemble
●   Modify (theme, patch, break...)
●   Build (apktool b...)
●   Sign (jarsigner)
●   adb install hax.apk
    ●   Uninstall the old version first
Bingo!...FAIL...ish.
On the right track!
●   Then: “Is it possible?”
●   Now: “How to make it practical?”
●   More patching: Dumping all parts of the key
    ●   Caller of the decryption method creates the key
    ●   Three strings as input
    ●   Does some weirdass stuff, more on that later
Key parts
/OzEca8ESalQNvd/xknj8g==

ee13373-bb8a-5a09-ccdd-af9c4fbgf844

503668452247539



May the logs be with you.
Hashing IDs && Base64 decode
●   H(DeviceID || UserID).substring(15);
●   Algorithms (hardcoded arrays/tables) look
    intimidating in smali
●   Public Domain Base64.java :)
Part Three: WTF Crypto?
Part Three: WTF Crypto
Hardcoded Strings, again!
Part Three: WTF Crypto
●   Rijndael
●   BouncyCastle AND own implementation
    ●   I'm here to break, not question it.
●   encrypt() and decrypt() have the same signature...
Putting the parts together
●   Read chapter (cp /sdcard/Kobo/epubs ...)
●   H(DeviceID || UserID)
●   base64_decode(DecryptKey)
●   D(encoded_decryptkey, hash_part)
    ●   Clever (and common) from a DRM perspective
●   D(chapter, decrypted_key)
BINGO!
Result: Kobopier
http://sporkbomb.eu/kobopier/
* Kobopier - a Kobo Android ePub DRM stripper
*
* You can reach the author at kobopier@acanthephyra.net.
* New versions of Kobopier will be made available at http://sporkbomb.eu/kobopier/.
*
* Important note: Kobopier is not made for piracy. It does not break any encryption,
* it simply replicates a few steps the original Android Kobo reader does.
* Please read the license below. Also, consider that it is YOUR responsibility to deal
* with any legal issues that arise from YOU using this tool.
* If you buy one copy of an ebook, decrypt it with this tool and then give it away,
* that's fine with me - but you alone are responsible if Kobo sues you.
*
* Copyright (C) 2011 sporkbomb
●   Questions?
●   Complaints?
●   Compliments?
●   Suggestions?

      @__sporkbomb
