WARNING : You can also use libgourou and its utils to do the same thing from your platform (standard Linux PC), see this article
I finally did it ! After a long time looking for software that can download EPUB from ACSM file on Linux without need to install WINE software (and an old ADE version), I found the right breach to exploit.
As every Linux user knows, Adobe doesn't provide any support for ADE software on Linux, so we can't download EPUB files protected with Adobe ADEPT DRM because when you buy an ebook you get some ACSM file which is a request file for an ACS server (Adobe Content Server) that encrypts your ebook before returning it. My goal is not to have them decrypted, but just get the EPUB and put it on my eReader (an old Cybook Odyssey) to read it without rebooting on Windows. I can do it easily if I use the integrated bookshop, but :
- I got a notification it will not work anymore (no support from Bookeen) even if it's still works...
- I can't easily buy books from other shops
Time to time I look for resources on ADEPT DRM, Linux support, try to reverse protocol, exploit some binaries... I found my way thanks to Kobo firmware updates which include a precompiled version of librmsdk.so (Adobe Reader Mobile SDK) for Linux/ARMv7. I worked a lot with ARMv7 platforms, so it's not a problem for me to reverse it, plus my own server is ARMv7 compatible (iMX6) !
The shared library doesn't contains debug symbols (it's stripped). But it's a shared library, so it needs to expose all entry points in clear. Using readelf util we can find all of them and start to call it without Adobe headers. I first tried to exploit libnickel.so which is implemented by Kobo. It's an upper layer and I hoped it'll be easier to access high level functions. It was not and I decided to directly call librmsdk.so (which is lighter and has few dependencies).
RMSDK is written in C++ which is nice for application developers but a bit more tricky for reverse engineers, especially with virtual functions. Thanks for me the library is compiled without optimization options which make it more human readable.
It was a nice start but I lost a lot of time trying to find API by hand using readelf. So I developed SOAD (SO Advanced Dissector) a Python script which helps me to find automatically the full SO exported C++ API and generate (almost) ready to build C++ headers. It took me some time, but in the end helps me a lot. I was first doubtful this script can produce something interesting and I shouldn't ! I was impressed with the first simple version that produced very nice results ! So I decided to continue to work on it to handle more and more complex cases. One interesting thing was vtable discovery. The script statically parses vtables entries, but code compiled with fPIC option (which is the case here) has these entries filled with 0 which doesn't helps us. Fortunately, Andrey Ponomarenko created vtable-dumper which is a runtime vtable dumper (need to be executed on target platform). I used its output to find all zeroed vtable entries, but I also improved it to display class hierarchy !
I had to go in depth with C++ ABI and some C++ mechanism that are most of the time transparent for user (copy constructor, = operator, implicit cast, virtual tables and so on). Now the hard (and interesting) part is done, I'll make a little web app that will manage ACSM download and EPUB storage for an easy access from my eReader (avoid SSH, command line call and USB copy).
Sources are available in my forge here. I cannot embbed librmsdk.so as I don't have any Adobe license, but there is a script to retrieve it. The only license I got is GPLv3 !