Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Writing a CD-key generator for the Franklin Bookman Desktop Manager- 791

jsyang, posted 4 years ago
  • Franklin Bookman devices were early eBook readers. Early on, they used ROM cards, then a licensing model with memory cards. Eventually they landed on a connectivity kit with a serial/USB transfer cable, a memory card and a CD-ROM carrying the Bookman Desktop Manager software. This post is about cracking the software on that CD-ROM.
  • To install the Bookman Desktop Manager (BDM), the user must enter a valid CD key. This key was used to generate a Peripheral Identifier (PID) number that was bound to the consumer. A user could then buy and download data from the DRM servers, and the PID ensured that only a single user could write the content of the eBook to their device. This is the process documented in the post.
  • The main goal was to reverse engineer the BDM application for this logic. The BDM program was installed using InstallShield. Using a tool such as unshield, the author was able to extract the raw application DLLs. Among them was installbm3.dll, which contained the PID and CD-key logic. Opening it up in Ghidra showed two valid shared libraries. Luckily for the author, the error messages are quite verbose, making it easy to identify which function performs each action.
  • Since CD keys always consist of 4 digits, a dash, and 4 more digits, the error string describing this format indicates where the CD-key information is processed. Next comes a cryptic-looking function with many steps to decode everything. Working from a C string that holds the key, it does the following:
    1. Apply a function to each character in the string (excluding the dash).
    2. Generate a check digit from the input values.
    3. Validate that the check digit matches the input key's check digit from the data in step 1.
    4. Bitwise OR operations on the
  • From reading the source code, it appears that there is a checksum derived from the actual values. The first 7 characters are the actual value, while the final (8th) character is the checksum. In order to defeat the DRM, all we have to do is generate checksums for arbitrary values!
  • While trying to recreate the checksum in JavaScript, the author ran into some trouble. Then they noticed something strange: the original code used integer overflow as a feature! Since plain JavaScript arithmetic does not overflow the same way, the port did not match. By adding this behaviour manually via the js-cuint package, they were able to replicate the code.
  • Overall, this was a fun post on beating DRM. Even though this was definitely insecure by today's standards, it probably stood up well at the time. Good article!
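The overflow pitfall from the last two notes, as an added example that is not from jsyang's post or the BDM software: a constructed check-digit scheme (seed, multiplier, digit rule and key layout are all made up for illustration) ported three ways, with native Math.imul and >>> 0 standing in for js-cuint, beside a BigInt reference and the naive port that silently drifts past 32 bits.

```javascript
// Added illustration: porting a C routine that relies on unsigned 32-bit wraparound
// to JavaScript, whose Number type is an IEEE-754 double. The check-digit scheme
// is CONSTRUCTED (seed, multiplier, layout); it is not the BDM algorithm.
'use strict';

const SEED = 2166136261;                 // constructed: large seed so the value wraps early
const MULT = 31;                         // constructed multiplier
const KEY_RE = /^(\d{4})-(\d{3})(\d)$/;  // 4 digits, dash, 4 digits; 8th char is the check digit

// Naive port: plain JS arithmetic never wraps, so the accumulator runs past 2^32
// (and past 2^53, where doubles stop being exact integers). Wrong on purpose.
function accumulateNaive(digits) {
  let h = SEED;
  for (const ch of digits) h = h * MULT + Number(ch);
  return h;
}

// Faithful port: Math.imul multiplies as 32-bit ints and >>> 0 reinterprets the
// sum as unsigned, so each step equals C's uint32 expression (h * MULT + d).
function accumulateUint32(digits) {
  let h = SEED;
  for (const ch of digits) h = (Math.imul(h, MULT) + Number(ch)) >>> 0;
  return h;
}

// Independent reference: BigInt.asUintN(32, x) is exact reduction modulo 2^32.
function accumulateBigInt(digits) {
  let h = BigInt(SEED);
  for (const ch of digits) h = BigInt.asUintN(32, h * BigInt(MULT) + BigInt(ch));
  return Number(h);
}

// Constructed rule: the check digit is the wrapped accumulator reduced to one decimal digit.
function checkDigit(sevenDigits) {
  return accumulateUint32(sevenDigits) % 10;
}

// Validation as an installer would do it: parse the layout, recompute, compare to the 8th char.
function validateKey(key) {
  const m = KEY_RE.exec(key);
  if (!m) return false;
  return checkDigit(m[1] + m[2]) === Number(m[3]);
}
```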