mechanical-snail / bookguardpro
Reverse-engineering Book Guard Pro
I came across your research on Book Guard Pro when looking for more info about it, as I was contemplating buying an e-book that was protected with BGP and was annoyed by the apparent restriction on printing. I have some info to add that you might find very interesting...
As you say, it's not a very robust protection method for PDFs. I have figured out a way not only to fake the authorisation/authentication of the licence code, but also how to access the ACL-ed temp files extracted and how to de-obfuscate the supposedly invalid PDFs the bundled Sumatra reader opens.
Before I begin, one note about the unlocking EXE: it appears to have been developed using the macro utility AutoHotKey. When I scanned the sample file with my anti-virus, its detection report (yes, it flagged it as potentially nasty!) stated that the file was an AutoHotKey self-executing script archive. If one is able to somehow decompile it (I found a couple of utilities on Google, but didn't try them), getting the source code might be a possibility.
I started by capturing the network traffic of the unlocking application. Your assumptions were correct - it does not encrypt it in any way. It's simply a plain HTTP request to `http://bookguardpro.com/sw/track.php`. (Well, actually, it first tries `www.bookguardpro.com` and gets redirected with a 301 response.) The product ID, seller ID and licence code all get passed as query string parameters (e.g. `/sw/track.php?prodid=41&code=K5PHQCXS&seller=6`).
The server presumably verifies the code against purchase records for the seller and product IDs, and responds with one of two responses (as far as I tested, that is): for a valid code, the string `ok`; and for an invalid code, the string `wrong`. No HTML, no encoding - just that plain text!
So... all we need to do to fake a valid response is as follows:
1. `hosts` file (resides in `%WINDIR%\system32\drivers\etc\hosts`) and adding a couple of lines:

   ```
   # Fake auth server for Book Guard Pro
   127.0.0.1 bookguardpro.com
   127.0.0.1 www.bookguardpro.com
   ```

2. `sw`, and within that create a file `track.php` containing the short and simple PHP code:

   ```php
   <?php echo "ok"; ?>
   ```

3. `php -S localhost:80` (making sure the current working directory is the folder above, or use the `-t` option to specify path to it). Alternatively, can use a local Apache, etc.

Now we can run the BGP executable and enter any licence code we like! It doesn't appear to do any client-side checking first (e.g. length, checksum, etc.), so anything works - for example, `XXXX`.
As you noted, it writes out a folder containing the PDF and Sumatra reader to a temporary location (seems to be `%TEMP%`) and sets ACL permissions on the folder so that no-one can access. It appears to remove all ACL entries except for 'Everyone', for which it sets permission to 'None'.
This can easily be remedied by using the `icacls` command-line utility on Windows 7 & 8, or `cacls` on Windows XP. The syntax varies between versions, but the general procedure is to use options to grant 'Full' permission for your own user and to apply the changes to all sub files/folders.
You were on the right track by replacing `%BGP-1.5` in the head of the file with `%PDF-1.5`, but that turned out not to be the only obfuscation technique in use. Fortunately, one with a keen eye will quickly spot the other!
Objects within a PDF file (e.g. blocks of text, images, etc.) are delineated by the strings `obj` and `endobj`. BGP simply changes every instance of these to `øbj` and `endøbj`. Note the slashed 'o' character! Simply do a global search-and-replace in the file using an editor of your choice, replacing every instance of `øbj` with `obj`. The file should now happily open within Adobe Reader!
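Added example, not part of the original post and not Book Guard Pro's code: a sketch of how a licence server's verdict can be bound to the specific request with a fresh nonce and an authentication tag, so that a static `ok` body or a replayed answer is rejected. The function names, the demo key and the licence code are constructed; HMAC stands in for an asymmetric signature.

```python
import hashlib
import hmac
import secrets

# Constructed demo key. HMAC stands in for a signature: a shipped client should
# hold only a public verification key (e.g. Ed25519), never the signing key.
SERVER_KEY = b"constructed-demo-key"


def weak_client_accepts(body):
    """The check described in the post: whoever answers 'ok' is trusted."""
    return body.strip() == "ok"


def _tag(key, prodid, seller, code, nonce, verdict):
    # Length-prefix every field so field boundaries cannot be shifted.
    fields = (str(prodid).encode(), str(seller).encode(),
              code.encode(), nonce, verdict.encode())
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def server_respond(prodid, seller, code, nonce, valid_codes, key=SERVER_KEY):
    """Hypothetical hardened server: the verdict is tied to this exact request."""
    verdict = "ok" if (prodid, seller, code) in valid_codes else "wrong"
    return verdict, _tag(key, prodid, seller, code, nonce, verdict)


def hardened_client_accepts(prodid, seller, code, nonce, verdict, tag,
                            key=SERVER_KEY):
    expected = _tag(key, prodid, seller, code, nonce, verdict)
    return verdict == "ok" and hmac.compare_digest(expected, tag)


def demo():
    valid = {(41, 6, "CONSTRUCTED-CODE")}  # constructed purchase record
    nonce = secrets.token_bytes(16)        # client picks a fresh nonce per request
    out = {"weak_static_ok": weak_client_accepts("ok")}
    # A responder that only returns the literal body 'ok' has no valid tag.
    out["hardened_static_ok"] = hardened_client_accepts(41, 6, "XXXX", nonce, "ok", "")
    verdict, tag = server_respond(41, 6, "CONSTRUCTED-CODE", nonce, valid)
    out["hardened_genuine"] = hardened_client_accepts(
        41, 6, "CONSTRUCTED-CODE", nonce, verdict, tag)
    # Replaying that genuine answer against a later request (new nonce) fails.
    fresh = secrets.token_bytes(16)
    out["hardened_replay"] = hardened_client_accepts(
        41, 6, "CONSTRUCTED-CODE", fresh, verdict, tag)
    verdict2, tag2 = server_respond(41, 6, "XXXX", fresh, valid)
    out["hardened_wrong_code"] = hardened_client_accepts(
        41, 6, "XXXX", fresh, verdict2, tag2)
    return out
```

This authenticates the server's answer only; a check that runs entirely on the customer's machine can still be altered there, so it raises the cost of the forgery described above rather than making the content inaccessible.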