bookguardpro's People

Contributors

mechanical-snail

bookguardpro's Issues

How to fake the licence check, access the temp files & de-obfuscate the PDF

I came across your research on Book Guard Pro when looking for more info about it, as I was contemplating buying an e-book that was protected with BGP and was annoyed by the apparent restriction on printing. I have some info to add that you might find very interesting...

As you say, it's not a very robust protection method for PDFs. I have figured out not only how to fake the authorisation/authentication of the licence code, but also how to access the ACL-ed temp files extracted and how to de-obfuscate the supposedly invalid PDFs the bundled Sumatra reader opens.

Before I begin, one note about the unlocking EXE: it appears to have been developed using the macro utility AutoHotKey. When I scanned the sample file with my anti-virus, its detection report (yes, it flagged it as potentially nasty!) stated that the file was an AutoHotKey self-executing script archive. If one is able to somehow decompile it (I found a couple of utilities on Google, but didn't try them), getting the source code might be a possibility.

Faking the Licence Code Check

I started by capturing the network traffic of the unlocking application. Your assumptions were correct - it does not encrypt it in any way. It's simply a plain HTTP request to http://bookguardpro.com/sw/track.php. (Well, actually, it first tries www.bookguardpro.com and gets redirected with a 301 response.) The product ID, seller ID and licence code all get passed as query string parameters (e.g. /sw/track.php?prodid=41&code=K5PHQCXS&seller=6).

The server presumably verifies the code against purchase records for the seller and product IDs, and responds with one of two responses (as far as I tested, that is): for a valid code, the string ok; and for an invalid code, the string wrong. No HTML, no encoding - just that plain text!

So... all we need to do to fake a valid response is as follows:

  • Redirect any network traffic to the BGP server to the local machine by editing the hosts file (it resides in %WINDIR%\system32\drivers\etc\hosts) and adding a couple of lines:

        # Fake auth server for Book Guard Pro
        127.0.0.1   bookguardpro.com
        127.0.0.1   www.bookguardpro.com

  • Create a folder somewhere containing a single sub-folder named sw, and within that create a file track.php containing this short and simple PHP code:

        <?php echo "ok"; ?>

  • Set up a local web server running PHP. I used the built-in server available in PHP version 5.4 and above - start it with php -S localhost:80 (making sure the current working directory is the folder above, or use the -t option to specify the path to it). Alternatively, one can use a local Apache, etc.

Now we can run the BGP executable and enter any licence code we like! It doesn't appear to do any client-side checking first (e.g. length, checksum, etc.), so anything works - for example, XXXX.

Accessing ACL-ed Temp Files

As you noted, it writes out a folder containing the PDF and Sumatra reader to a temporary location (seems to be %TEMP%) and sets ACL permissions on the folder so that no-one can access it. It appears to remove all ACL entries except for 'Everyone', for which it sets permission to 'None'.

This can easily be remedied by using the icacls command-line utility on Windows 7 & 8, or cacls on Windows XP. The syntax varies between versions, but the general procedure is to use options to grant 'Full' permission for your own user and to apply the changes to all sub files/folders.

De-obfuscating the PDF File

You were on the right track by replacing %BGP-1.5 in the head of the file with %PDF-1.5, but that turned out not to be the only obfuscation technique in use. Fortunately, one with a keen eye will quickly spot the other!

Objects within a PDF file (e.g. blocks of text, images, etc.) are delineated by the strings obj and endobj. BGP simply changes every instance of these to øbj and endøbj. Note the slashed 'o' character! Simply do a global search-and-replace in the file using an editor of your choice, replacing every instance of øbj with obj. The file should now happily open within Adobe Reader!

(screenshot: bgp-pdf)
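A defender-side illustration of why the plaintext ok/wrong reply described above is so easy to spoof, added here as an example and not code from the BGP product or this repository: if the server binds its verdict to the request fields and a client-chosen nonce with an HMAC, a hosts-file redirect to a server that just echoes ok no longer passes the client's check, and a captured genuine reply cannot be replayed for a later request. The shared secret, the purchase table and the licence code EXAMPLE1 are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample purchase records keyed by (product ID, seller ID); not BGP's real data.
VALID_CODES = {("41", "6"): {"EXAMPLE1"}}

# Hypothetical secret shared by server and client (an assumption, not how BGP works).
SHARED_SECRET = b"constructed-demo-secret"


def _tag(prodid, code, seller, nonce, verdict, secret):
    """HMAC over every request field plus the verdict, so a tag is only
    valid for this exact request and this exact client nonce."""
    msg = "|".join((prodid, seller, code, nonce, verdict)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def server_reply(prodid, code, seller, nonce, secret=SHARED_SECRET):
    """Server side: look the code up, then answer 'ok:<tag>' or 'wrong:<tag>'."""
    verdict = "ok" if code in VALID_CODES.get((prodid, seller), ()) else "wrong"
    return f"{verdict}:{_tag(prodid, code, seller, nonce, verdict, secret)}"


def client_accepts(prodid, code, seller, nonce, reply, secret=SHARED_SECRET):
    """Client side: treat the licence as valid only if the reply says 'ok'
    AND its tag matches the request we sent and the nonce we chose."""
    verdict, sep, tag = reply.partition(":")
    if not sep or verdict != "ok":
        return False  # a bare 'ok' from a spoofed server carries no tag at all
    expected = _tag(prodid, code, seller, nonce, verdict, secret)
    return hmac.compare_digest(tag, expected)


def demo():
    """Three exchanges: genuine, spoofed host echoing 'ok', and a replayed genuine reply."""
    nonce = secrets.token_hex(8)
    genuine = client_accepts("41", "EXAMPLE1", "6", nonce,
                             server_reply("41", "EXAMPLE1", "6", nonce))
    spoofed = client_accepts("41", "XXXX", "6", nonce, "ok")
    captured = server_reply("41", "EXAMPLE1", "6", nonce)
    replayed = client_accepts("41", "EXAMPLE1", "6", secrets.token_hex(8), captured)
    return genuine, spoofed, replayed


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

A secret embedded in a client (here an AutoHotKey script, per the post) can be extracted, so this raises the bar rather than removing the problem: a check that runs on the user's own machine can always be patched out.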
