Subj

Exploring security of "Acrobat Reader, v 4.05, build 1103".
Published by Tsehp may 2000

Skill level required

Beginner.

Target's URL

http://www.adobe.com

Done by

gAnZ.

Toolz required

SoftIce v. 4.XX, Hiew v6.XX, tasty strong coffee, vodka and lemon slices with sugar.

So, go on…

I guess everybody knows and uses Acrobat Reader, so I won't dwell on its features. I'll show how to bypass some restrictions while working with PDF documents in this program.

To make reading this essay not only useful but interesting, you can download the PDF specification from Adobe's site. This file describes PDF versions up to 1.2, and this one up to 1.3, but its file size is larger.

There is no need to read the whole document; it's enough to understand the PDF file structure (take a look at the examples) and to read the paragraphs about security more carefully. (Here is the moment for coffee.)

For lazy but curious boys and girlz, I'll say a few words about security.

A canonical PDF file consists of four parts (in exactly this order):
1. Header.
2. Body.
3. Cross References Table(x-ref table).
4. Trailer.

The header (the first line of the file) states the version of PDF in use. The body is a set of different objects - the document proper. The x-ref table exists for fast access to the objects in the file. The trailer (BTW, reading of a PDF file starts from the trailer) contains the location of the x-ref table and of some special objects in the file, in particular the number of the object responsible for protection and encryption of the file body. This object is named the Encryption Dictionary. Let's look at it in a little more detail.

It contains only one required entry, Filter, whose value is the name of the method with which all the data in the file is encrypted. The built-in method is named Standard. In this case additional keys are used, with their values, namely:
V - (numeric) the type of algorithm used for encryption.
R - (numeric) the revision number of the encryption method.
O - (string) the encrypted owner password (more precisely, a hash of the password), needed for complete access to the file (including changing the protection settings).
U - (string) the encrypted user password (more precisely, a hash of the password), needed for opening the file.
P - (numeric) a set of flags describing the operations allowed on the file when the user opens it with the user password.

If we convert its value to its 32-bit equivalent, the set of bits/flags looks like this:
1-2 - Reserved (must be 0).
3 - If 1, printing the document is allowed.
4 - If 1, modifying the document is allowed.
5 - If 1, copying graphics and text from the document is allowed.
6 - If 1, adding and changing text notes is allowed.
7-32 - Reserved (must be 1).

So, for complete control over the file, the following bits in the value of key P are needed:
1-2 - 0
3-32 - 1
The hexadecimal value is FFFFFFFC, and in decimal - in short, a large number.

What are we waiting for? Let's start Hiew immediately, enter Edit mode and ...
But!
The problem is that the objects in the body of the document are encrypted with the involvement of key P...
Take a look at the simplified process of creating the key with which the document is encrypted (according to the specification - algorithm 6.3):
1. Pad or truncate the password so that its length becomes 32 bytes.
2. Feed it into the MD5 hash function.
3. Feed the value of key O (32 bytes) into MD5.
4. Feed the value of key P into MD5.
5. Feed the first element of the value of key ID (found in the trailer) into MD5.
6. The output of MD5 (the first 5 bytes) is the key with which the objects of the file are encrypted.

(I want to note that I will not explain in this paper how the values of keys O and U are produced, how the password for opening the document is validated, or, in general, how to break password protection in PDF files. That is a subject for a separate, though not so large, paper, which will be published later.)

So it's clear now that with Hiew we can't do anything. We'll need SoftIce and... in short, here is the idea. We'll let the program decrypt the contents with the normal key P, and where this key is used to apply the restrictions, we'll arrange to replace the true value with the value "everything is allowed".
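As an added example (not code from the original essay), the following Python decodes the /P flags listed above and carries the six key-derivation steps through, showing why simply editing /P to FFFFFFFC in a hex editor changes the decryption key. It uses /P -32 and the first /ID string from the sample file shown further down; /O is a constructed 32-byte stand-in because the essay shows it as unprintable, the padding string is the one from the PDF specification, and the user password is assumed empty.

```python
import hashlib
import struct

# Standard 32-byte padding string from the PDF specification's key algorithm.
PAD = bytes.fromhex(
    "28BF4E5E4E758A4164004E56FFFA01082E2E00B6D0683E802F0CA9FE6453697A"
)

# Bit positions of the permission flags in /P (1-based, as the essay lists them).
PERMISSION_BITS = {"print": 3, "modify": 4, "copy": 5, "annotate": 6}

def p_to_bytes(p):
    """Encode /P as the 4-byte little-endian two's-complement value fed to MD5."""
    return struct.pack("<I", p & 0xFFFFFFFF)

def decode_permissions(p):
    """Return which operations the /P value allows (bit set => allowed)."""
    value = p & 0xFFFFFFFF
    return {name: bool((value >> (bit - 1)) & 1) for name, bit in PERMISSION_BITS.items()}

def compute_r2_key(password, o_entry, p, first_id):
    """Revision 2 key: MD5(padded password + O + P + ID[0]), first 5 bytes (40-bit RC4)."""
    padded = (password + PAD)[:32]        # step 1: pad or truncate to 32 bytes
    md5 = hashlib.md5()
    md5.update(padded)                    # step 2
    md5.update(o_entry)                   # step 3: /O entry, 32 bytes
    md5.update(p_to_bytes(p))             # step 4: /P as 4 bytes, low byte first
    md5.update(first_id)                  # step 5: first element of /ID
    return md5.digest()[:5]               # step 6: first 5 bytes are the key

# Values taken from the sample file shown in the essay: /P -32 and the first /ID string.
P_FROM_FILE = -32
FIRST_ID = bytes.fromhex("767b7443e4abb9bc496cc18bc0f95184")
# The essay shows /O as unprintable, so a constructed 32-byte stand-in is used here.
O_CONSTRUCTED = bytes(range(32))

def key_changes_when_p_is_patched():
    """Why editing /P to FFFFFFFC (-4) in Hiew breaks decryption: the key changes."""
    original = compute_r2_key(b"", O_CONSTRUCTED, P_FROM_FILE, FIRST_ID)
    patched = compute_r2_key(b"", O_CONSTRUCTED, -4, FIRST_ID)
    return original != patched

if __name__ == "__main__":
    print(decode_permissions(P_FROM_FILE), key_changes_when_p_is_patched())
```

Because /P is mixed into the key, the flags cannot be changed in the file without re-encrypting it; they are only ever enforced by the reader itself.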

I did the following. I created (with the help of Adobe Acrobat 4.0) a file with minimal contents and prohibited all operations on the file except adding text notes. The resulting file is about 3 KB. (I have put it here.)
I opened it in Hiew and scrolled down to the trailer, where there was:

trailer
<<
/Size 29
/Info 3 0 R
/Encrypt 28 0 R
/Root 1 0 R
/ID[<767b7443e4abb9bc496cc18bc0f95184><767b7443e4abb9bc496cc18bc0f95184>]
>>
startxref
2606
%%EOF

I noticed this string - /Encrypt 28. 28 is the number of the object responsible for encryption and protection.
I scrolled up a bit to object 28 and saw the following:

28 0 obj
<<
/Filter /Standard
/V 1
/R 2
/O (some-unprintable-stuff)
/U (some-unprintable-stuff too)
/P -32
>>
endobj

Here is our key /P with value -32, or in 16 bits unsigned 65504, or hexadecimal FFE0, whose low byte in binary is 11100000. Yes, indeed, 5 bits are clear, just as they should be!

Now it's time for SoftIce. I set a breakpoint on ReadFile, then opened the file, and... nothing happened. The 16-bit habit is probably strong among Adobe programmers, so I cleared this bpx and set it on _lread.

From here on I'll write more tersely and less understandably, as there is no special sense in describing my wanderings through the code and inserting a heap of SoftIce screen dumps.

_lread is called from here:

.text:0048B883 push eax
.text:0048B884 push [ebp+arg_0] ; <- buffer address
.text:0048B887 push [ebp+arg_C]
.text:0048B88A call ds:_lread

I cleared the _lread bpx, opened and closed the file, and set a bpx at 0048B884. It was necessary to know the address of the buffer into which the data is read.
The program was interrupted six times, and the sixth time is the one we need. (On the two penultimate hits the needed part of the file was read but not used; I verified this by changing the key right in the buffer - only on the last hit did my change result in Acrobat Reader being unable to open the file.)
Stepping over _lread, I looked up the buffer and set a bpm on the address in memory where our value -32 lay.
The program stopped here:

.text:004ED604 movzx eax, byte ptr [ecx] ; in EAX now 2D or "-" in ASCII
.text:004ED607 inc ecx
.text:004ED608 mov [esi+4], ecx

Next follows the dreadful part of the code, where the buffer is parsed by the program. I'll not write anything about it, because I don't want to confuse you. The main thing is that our ASCII value -32 is transformed into FFFFFFE0 by the function called from address 004EDA8, and is copied to a new place in memory.

After that completely terrible things happen; when I followed the value, I had to use up to four bpm's at once and keep one more in (my own) memory, tracing all the code with F8 - and as a result I stopped here:

.text:00457FB6 pop ecx
.text:00457FB7 mov [esi+26Ch], eax ; in EAX - FFFFFFE0
.text:00457FBD pop ecx

I substituted the value at [esi+26Ch], and Acrobat Reader asked for the password, which meant that the value at this location is also used for decryption.
Let's dig further.

I removed all the bpm's and set only one, on the address [esi+26Ch]. The program was interrupted a few times (in some uninteresting parts of the code), and at last it stopped here:

.text:00458502 mov eax, [esi+26Ch]
.text:00458508 and ah, 7Fh
.text:0045850B or [ebp+var_4], eax
.text:0045850E mov [esi+20Ch], eax
.text:00458514 mov eax, [ebp+var_4]

Some conversions happen here with our value; as a result it became equal to FFFF7FE0 (we need FFFF7FFC), and it was copied to the new address [esi+20Ch] and also to the address [ebp+var_4], incremented by 1 (in [ebp+var_4] was 1, so there we need FFFF7FFD), and it remained in EAX on exit from the function.

I substituted the value at [esi+20Ch] - Acrobat Reader decrypted the document without problems, but nothing happened to the protection (i.e. the prohibitions remained). This means I had passed the decryption stage. I began to trace the code step by step. I understood that the value at address [ebp+var_4] was not copied anywhere else and was not used at all, and I had already despaired when I was interrupted again at address

.text:00458502 mov eax, [esi+26Ch]

Now the value left in EAX on exit from the function (this time the function was called from another place) was used as follows:

.text:0048C115 call dword ptr [edi+4] ; we get to .text:00458502 from here
.text:0048C118 mov ecx, [esi+7Ch] ; in ECX - 0
.text:0048C11B or eax, [esi+78h] ; in EAX - FFFF7FE1, in [esi+78h] - 0
.text:0048C11E not ecx ; in ECX - FFFFFFFF
.text:0048C120 add esp, 0Ch ; stack correction
.text:0048C123 and eax, ecx ; in EAX - FFFF7FE1
.text:0048C125 mov [esi+78h], eax ; in [esi+78h] - FFFF7FE1

I tried writing FFFF7FFD to [esi+78h] - and, a miracle!, all restrictions disappeared! And I noticed that in the document properties all the restrictions were still shown. That's not bad, since it lets you see what the author wanted to prohibit.

Now it's a pleasure to drink some vodka and eat lemon!
But it's too early to relax. I set a bpm on [esi+78h] and hit an infinite loop here:

.text:0048C006 mov eax, [esp+arg_0]
.text:0048C00A mov eax, [eax+78h] ;in EAX - FFFF7FE1
.text:0048C00D retn

It seems that our value is not used anywhere else!
Good!

The patch may look like the following:
Instead of
.text:0048C123 and eax, ecx
put
.text:0048C123 or eax, ecx

In short - simply change the byte at location .text:0048C123 to 0B. Although the resulting value will not equal FFFF7FFD, that's not a problem, as only the necessary bits are checked. I have made a patch program for the lazy; it is in the Crackz section of my site.

I want to note that although everything described here happened in Acrobat Reader's segments, completely similar parts of the code/data exist in Acrobat too. I.e. my patch will work there too!

BTW, sometimes you will see that when you open a PDF document the ToolBar and MenuBar disappear. To avoid this, just find the strings HideToolBar, HideMenuBar, HideWindowUI in Acrobat/Acrobat Reader and change some characters in them.

And now I'm going away, because I'm very tired.
Very.

See you in the next essay, because passwords are still the problem.

gAnZ, May 02, 2000.