Adobe Digital Editions DRM [Archive] - RCE Messageboard's Regroupment

View Full Version : Adobe Digital Editions DRM

SHaG

June 7th, 2007, 06:25

Hey,
Just ran into a new kind of DRM-protected PDF. Instead of opening in Acrobat as usual it sent me to a page to download Adobe Digital Editions Beta. After trying to load the pdf into that (which of course didnt work) I'm thinking this might turn out to be an interesting reversing project. So before I start I just want to know if anyone else has been checking this out?

LLXX

June 8th, 2007, 13:05

The only experience I have with PDFs is having to reconstruct partially corrupted files, but I have gained quite a bit of knowledge about the file structure in the process.

If the content stream hasn't been encrypted (just "protected" by some lame JavaScript, who would've thought PDFs could have JS!) it's possible to rip it verbatim into another PDF and rebuild the rest of the file around it... and even if it has been encrypted with the standard security methods then it is equally easy.

squidge

June 9th, 2007, 18:37

I've reconstructed encrypted PDFs before when a manufacturer has sent us a password protected PDF, with the password in the same email as the PDF, and with the "print/copy parts" security enabled so we had to screengrab everything rather than just copy and paste.

As you can imagine, that got boring real quick, and since we could read the pdf on screen anyway, we eventually created another PDF with no such restrictions and no password

I would assume that DRM'd PDFs would be similar - not that bad to hack if you can already read them and just want to make non-DRM'd versions. Could be a complete bitch (or almost impossible?) if you can't already read them however.

LLXX

June 9th, 2007, 19:58

+F has some interesting info here:

http://www.searchlores.org/pdffing.htm

5aLIVE

June 10th, 2007, 03:30

I can't say I've ever heard of Adobe Digital Editions DRM until now. In the past, I have seen PDFs which have passwords that are tied to a specific machine and are only active for a specified amount of time depending on the license which in itself is DRM at it's best/worst, delete as appropriate.

I remember once trying to dump an pasword protected PDF from memory to use in it unencrypted form. I couldn't find the file in Acrobat memory space or anywhere else for that matter.

Has anyone else had success in this approach?

disavowed

June 11th, 2007, 00:14

The PDF file format is fully documented by Adobe -- http://www.adobe.com/devnet/pdf/pdf_reference.html

iPixel

June 17th, 2007, 12:41

If you open the ebx.etd file that loads the book, you'll see that it gives you a bunch of information on the file (order number, authentication server, and the URL of the actual PDF file).

Code:

<?xml version="1.0" encoding="UTF-8" ?>

<ebx-transfer-data>

<x-ebx-version>0.7</x-ebx-version>

<minversion>

 <glassbook>152</glassbook>

</minversion>

<entries>

 <entry>

  <voucherurl>http://207.54.136.76/fulfill/ebx.etd</voucherurl>

  <orderid>412150971403023</orderid>

  <bookid>ContentReserveID:329D695B-399A-47C9-A12F-7E75C731F5C3-50</bookid>

  <title>101 Best Tech Resumes</title>

  <nonce>vGhgs0kwFeGc04qIIqH3PMmFS17IsjaQmi2nJ8OIQTyXmdwJEJkpOR3eZxV8</nonce>

  <type>ContentReserveID</type>

  <identifier>329D695B-399A-47C9-A12F-7E75C731F5C3-50</identifier>

  <bookfileurl>http://acs.contentreserve.com/ACSStore1/18/101BestTechResumes.pdf</bookfileurl>

 </entry>

 <etd-entry>

  <fulfillurl>

   <baseurl>http://207.54.136.76/fulfill/ebx.etd</baseurl>

   <param>action=lend</param>

   <param>orderid=412150971403023</param>

   <param>bookid=ContentReserveID:329D695B-399A-47C9-A12F-7E75C731F5C3-50</param>

  </fulfillurl>

 </etd-entry>

</entries>

</ebx-transfer-data>

You can't open the PDF directly, but when you're authenticated, the server sends the following page (url: http://207.54.136.76/fulfill/ebx.etd?action=lend&orderid=412150971403022&bookid=ContentReserveID:329D695B-399A-47C9-A12F-7E75C731F5C3-50):

Code:

HTTP/1.1 200 OK



Date: Sun, 17 Jun 2007 17:14:21 GMT



Server: Microsoft-IIS/6.0



X-Powered-By: ASP.NET



x-EBX-Version: 0.7



x-EBX-Authenticationinfo: voucher="PEVCWC1Wb3VjaGVyIHZlcnNpb249IjAuOSI+CjxJRCB0eXBlPSJDb250ZW50UmVzZXJ2ZUlEIj5Db250ZW50UmVzZXJ2ZUlEOjMy OUQ2OTVCLTM5OUEtNDdDOS1BMTJGLTdFNzVDNzMxRjVDMy01MDwvSUQ+CjxDb250ZW50S2V5IEVuY3J5cHRlZFdpdGg9IlJTQTEw MjQiIHR5cGU9IlJDNCI+SWJaZ2dSQm5tN3NSb3d0UmtaTEVTZVhwWHRvVlY2K0VlUER0a1dTYy9rOW9yN0k3d1ZNSzd6QlhZbUJV QTBhQzBYQnNRYkZrOTVtTmQvVFJWMktFeGVYQnptcEN3M1hiNFNuczhuTTB1RGZPNUUzUG5JTC81a2Qwb0Y2Q1hJMGdFTjFIbW5q aUpEem90WUk5WHZMd2kxMElJQ2FTS1pRZ2NGZ2hNK0xBUDNNPTwvQ29udGVudEtleT4KPENvcHlDb3VudD4xPC9Db3B5Q291bnQ+ CjxSaWdodHMgdmVyc2lvbj0iMC45IiB0eXBlPSJFQlgiPgo8VG90PjExODIxMDA0NjA8L1RvdD4KPENvcHlUb0NsaXAgRmlyc3Q9 IjAiIEludGVydmFsPSIwIiBNYXg9IjAiPjA8L0NvcHlUb0NsaXA+CjxQcmludCBGaXJzdD0iMCIgSW50ZXJ2YWw9Ii0xIiBNYXg9 Ii0xIj4wPC9QcmludD4KPExlbmQgSG9wcz0iLTEiIElEPSJqQ0pkZXFzRXBWTitnMjR2SzB6Rk9HVENwWDg0IiBSZXR1cm5VUkw9 Imh0dHA6Ly8yMDcuNTQuMTM2Ljc2L2Z1bGZpbGwvZWJ4LmV0ZCIgU3RhdGU9IkJvcnJvd2VkIiBXaGVuPSIxMTgyMTAwNDYwIj4x"



x-EBX-Authinfo2: voucher="ODEzOTYyPC9MZW5kPgo8VXNlIEV4cGlyZVR5cGU9IlVubGltaXRlZCI+MDwvVXNlPgo8TW9kaWZ5UmlnaHRzIEZpcnN0PSIwIiBJ bnRlcnZhbD0iMCIgTWF4PSIwIj4wPC9Nb2RpZnlSaWdodHM+CjxSZWFkQWxvdWQgRmlyc3Q9IjAiIEludGVydmFsPSItMSIgTWF4 PSItMSI+MDwvUmVhZEFsb3VkPgo8RGV2aWNlQ291bnQ+LTE8L0RldmljZUNvdW50Pgo8L1JpZ2h0cz4KPE1BQyB0eXBlPSJTSEEx Ij5HQ3loTk5VcDZRWURmcTAvZjRSL1d6aDhyUGM9PC9NQUM+CjwvRUJYLVZvdWNoZXI+



Content-Length: 0



Content-Type: text/html



Cache-control: private

That's the info for http://acs.contentreserve.com/ACSStore1/18/101BestTechResumes.pdf, anyone have an idea as to how to open the PDF with this info?

LLXX

June 17th, 2007, 21:55

I am missing an EBX_HANDLER (de/en)cryption filter.

The only two other pieces of important information I can gather are:

- /V 3 : (PDF 1.4) An unpublished algorithm allowing encryption key lengths ranging from 40 to 128 bits. (This algorithm is unpublished as an export requirement of the U.S. Department of Commerce.)

- /Length 128 : 128-bit key.

Those "keys" that you've managed to post look a whole lot longer than 128 bits. I feel RSA is somehow involved in this.

Either Google is squelching results or noone has published any public information about this. Looks like it's time to get out the debugger...

I might as well post this relevant link: http://www.gnu.org/philosophy/right-to-read.html

iPixel

June 20th, 2007, 00:04

The one thing I notice that is different about this file is that the headers are different than that of a regular PDF. It has much more. It looks to be in plain text, but almost all of it is a stream object, and that may be encrypted.

I'll run it through a debugger when I get a chance, and see if I can figure out this encryption... =/

LLXX

June 20th, 2007, 16:47

Quote:

[Originally Posted by iPixel;66518]but almost all of it is a stream object, and that may be encrypted.

It sure is, since the flate decoder couldn't decompress it. This is just a standard PDF file encrypted with a new security handler.

P.S. be careful so you don't become the next Dmitry Sklyarov

squidge

June 20th, 2007, 16:55

Wasn't Dmitry Sklyarov eventually released without charge? In which case, it doesn't really matter

jzburn12

August 6th, 2007, 13:31

In either case, has anyone made any headway on getting past this new DRM?

LLXX

August 7th, 2007, 03:28

Quote:

[Originally Posted by jzburn12;67620]In either case, has anyone made any headway on getting past this new DRM?

No, the question here is, have YOU made any effort toward that?

joblack

September 8th, 2010, 17:24

It's solved - ineptpdf handles the problem