Top 10 Protected PDF Hacks

Top 10 ways to unlock secure, protected PDF files, such as college eBooks, for easy offline viewing on mobile devices. Convert images to PDF, and more.

What are PDF Files?

According to Wikipedia, the Portable Document Format (PDF) format is a subset of the PostScript format that concentrates on layouts and graphics, including compression, encryption, and embedded fonts. This makes sense having read somewhere that there is usually no problem with renaming .pdf files to .ps and treating them as PostScript for programs and scripts that operate on those types of files. Furthermore, one could surmise that renaming .ps files to .pdf is probably a bad idea because .ps files may contain additional capabilities not found in the PDF specifications. Adobe graciously allows royalty-free hacking of their patented PDF format by lowly software developers like us.

Why Cracking is Necessary

If somebody creates a PDF and then forgets the password, they need some way to recover the lost password.

Some school or company eBooks can not be opened or viewed without an active Internet connection to unlock content. This presents a problem for students and professionals who travel, or are otherwise not always online.

Once unlocked, some PDFs can be viewed offline, but only from within Adobe Reader Reader, and only if they reside in the same folder in which they were decrypted. This presents problems for readers who don't like Adobe, and those who use removable drives or habitually organize their folders.

The remote host required by the protected PDF plugin will not be there forever. Hence, remotely-locked and protected PDF files will eventually quit working. They are like books that must be returned to the library. If they were purchased they should be converted into a plain, unencrypted format ASAP!

Once opened, most remotely-locked and protected PDFs allow printing. A clever person might try printing to a PostScript file, but the resulting PostScript file is still protected against ps2pdf converting it back to PDF.

ps2pdf output.ps
This PostScript file was created from an encrypted PDF file.
Redistilling encrypted PDF is not permitted.

Why Cracking is Not Necessary

This information is provided for personal, professional, and educational use only! Illegally distributing Copyrighted material is illegal in most parts of the world. Depending on the locale, there could be additional penalties for cracking PDF passwords, or removing digital rights management (DRM) restrictions in connection with distribtion. We advocate asserting our own digital rights, including the right to decrypt and remove restrictions from Copyrighted material that we created, bargained for, or purchased. We expect to be able to modify our digital assets for our own uses, such as for offline presentation on other devices. We also expect to be able to gift, donate, loan, and even re-sell our dog-eared eBooks to friends as one would anything else, such as "books." That said, even asserting ones own digital rights these days could lead one into trouble. Many companies and schools have policies against using their computers for resource-intensive tasks such as cracking passwords. These are risks we take. For any other uses, seek professional legal counsel.

Why Use Free and Open Source Tools?

Most PDF unlocker programs found on the Internet today are proprietary. That is they are programs for which no source code can be viewed. It is not good practice to go around downloading and running proprietary software. These programs could contain anything. Just because they pass a virus scan, or cost a lot, does not mean they are safe. New viruses, bugs, and backdoors are made all the time. At least with open source there are many eyes presumably reviewing the code. The mere presence of source code does not guarantee absolute safety. Therefore, the best security practice is to review and compile the code for oneself, or rely on a trusted software distribution center, or distro, to review and compile the code and provide signed binaries for download.

PDF Encryption

Our research indicates that there are at least three broad, general types of protections for PDF files.

PDF unlocker programs found on the Internet today only deal with user password and owner passwords. None of these programs deal with PDF files that encrypt the content using 3rd party plug-ins (but we can remove the plugins using free and open source tools, provided that we can use the password first to unlock and permit the plugin to download the secret content).

PDF files with 3rd party plug-ins, such as Vitrium's ProtectedPDF have a login page on page 1, where the viewer enters their username and password. The remaining pages appear blank until they are unlocked.

3rd party plug-ins employ JavaScript (JS) on the password page to send the password or certificate to a 3rd party server. This requires an active Internet connection. If the computer is offline, Adobe Reader will respond with a not-so-friendly "unknown error" and can't open the PDF. Once connected and the unlock request finally gets through, the 3rd party server verifies the login and either responds with the actual content, or exchanges a certificate to unlock the file contents for viewing. From that point on, Adobe's reader may prevent access if the file has been copied to another device, or even to another location on the same PC. Additional JS may track the file whenever and wherever it is opened, reporting potential Copyright violations.

Usually a document that uses 3rd party JS is also restricted using one or more of the following security signatures as well.

Security Signatures

According to PDF Rights Management, Adobe's questionable implementation of Digital rights management (DRM) controls and security signatures started with allowing the creation of documents with any of the following restrictions:

Later PDF restriction possibilities were refined to include restricting assembly, extraction for accessibility, commenting, filling in form fields, signing, or template creation. Starting with PDF 1.5 these permissions are managed by usage rights (UR) signatures (Wikipedia).

Now on to the hacks.

Top Ten Protected PDF Hacks

Hack Number 1

Tools: Web Browser, Bookshelf
Target: All

Students using the popular Bookshelf online ebook viewer web page can print copies using "print frame" or "save frame" techniques. Bookshelf's print button may say something like, "printing of this title is restricted to two pages at a time," with restrictions set by publisher. Simply open the book in Bookshelf's online viewer, right-click on the frame containing the book or chapter, choose "this frame", and either "print frame", or "save frame". Voila! All pages are printed or saved. This is confirmed to work on Firefox and Chrome web browsers, printing, or saving to any of HTML, PostScript, or PDF formats.

Not using Bookshelf? Find an unencrypted copy of the ebook viewable or downloadable online. With so many file sharing sites, ebook readers, and search engines out there, one can find earlier versions, or unencrypted copies of just about anything free or cheap. Dig through Google Books, Amazon, Pastebin, Bearshare, Pirate Bay, The Dark Web. Gopher. FTP it. Usenet still exists...

Caution: Proprietary Viewers. The installable Bookshelf app (not to be confused with the Bookshelf web page we just used) purports to download ebooks for offline viewing on Windows, iOS, OSX, Android, and Kindle. This requires purchase and activation of Bookshelf app on up to two machines. It is doubtful that the resulting downloads can be copied or shared as they would remain encrypted and controlled within the Bookshelf downloads folder where they can spy on users and report on their whereabouts when opened. Bookshelf apps appear to be proprietary and not recommended.

Hack Number 2

Tools: Adobe Reader, qpdf and Ghostscript's ps2pdf
Target: 3rd party JS, content restrictions.

This method entails first downloading the PDF ebook, and running qpdf on the download using the --qdf option to normalize and uncompress the data. Once normalized and uncompressed, the PDF may be unlocked from within Adobe Reader and printed to file. The resulting PostScript file is unprotected and may be freely redistilled (converted) back to PDF with Ghostscript's ps2pdf. Presto. No more "Redistilling encrypted PDF is not permitted" message!

qpdf --qdf input.pdf output.pdf
acroread output.pdf # unlock, print-to-file output.ps
ps2pdf output.ps    # output.pdf is now unlocked

Hack Number 3

Tools: Adobe Reader, sed, and Ghostscript's ps2pdf
Target: 3rd party JS, content restrictions.

This method entails using Adobe Reader to unlock the file via the Internet in the usual way and then print to file. The resulting PostScript file is protected and has to be hacked with sed before it can be redistilled (converted) back to PDF with Ghostscript's ps2pdf. The conversion process runs very slowly because of PostScript errors introduced from the sed hack, but it is good for small chapters when technique #1 does not work, or when qpdf can not be installed on the system.

acroread output.pdf # unlock, print-to-file output.ps
sed "/mark currentfile eexec/,/cleartomark/ d" output.ps | \
 ps2pdf - output.pdf

Hack Number 4

Tools: pdfcrack
Target: password-protected PDF
Bonus: Free and Open Source
Drawback: Not for 3rd party JS

If somebody creates a PDF and then loses the password, they can recover the password with the pdfcrack command line password recovery tool. The tool leverages a brute force attack against the PDF password until it opens. The attack proceeds offline and nothing is exchaned via the Internet. Owner passwords can be found with the -o switch. Password cracking of longer passwords can take days or weeks to crack, so we limit the password length to 9 characters. This hack can not and does not work over the Internet with content locked by a 3rd party JS plugin. How could it? It would have to hack into the 3rd party server to do that!

pdfcrack -n 9 input.pdf

Hack Number 5

Tools: Google Drive
Target: password-protected PDF
Drawbacks: 2Mb file size, Not for 3rd party JS

Upload the owner password protected PDF to Google Drive. Google will convert the PDF for viewing online. Google Drive limits uploads to 2Mb.

Hack Number 6

Tools: Foxit Reader, CutePDF
Target: 3rd party JS, content restrictions
Drawbacks: Proprietary software. Relies on bugs.

Download Foxit Reader and CutePDF Writer. Unlocked PDF files can currently be printed to PDF from within Foxit Reader by selecting the CutePDF device from the list of available printers. This hole may become patched in later versions.

Hack Number 7

Tools: Adobe Reader, Microsoft XPS Viewer, CutePDF
Target: 3rd party JS, content restrictions
Drawbacks: Proprietary software. Relies on bugs.

Install Microsoft XPS Document Writer. Open the protected PDF in Adobe Reader reader. Print the file choosing the Microsoft XPS Document Writer from the list of available printers. Use XPS Viewer to open the resulting XPS file. Now print to PDF using CutePDF. This hole may become patched in later versions.

Hack Number 8

Tools: Ghostscript, GSView
Target: content restrictions

Install Ghostscript and GSView. Change the extension of the PDF file to .ps and open with GSView. If .ps file can be opened and viewed, it can be saved as a PDF file. Resulting PDF is free of restrictions, including restrictions on printing.

Hack Number 9

Tools: Web browser
Target: password-protected PDF

Visit the PDF Unlocker web site. Select the PDF file to unlock and let it upload to the server. Click the Download button to obtain the unlocked PDF file.

Hack Number 10

Tools: Web browser
Target: password-protected PDF
Drawbacks: Proprietary software. Not for 3rd party JS

Various "unlocker" programs exist on the Internet. Search for PDF password recovery. Proprietary software alert. Caveat emptor (buyer beware). These programs do not really unlock 3rd party JS plugins. Some demos available online even spend a minute conducting a fake test that pretends to open the file. They say the PDF can be unlocked, but then, after purchase, these programs unlock file passwords only. They do not actually work against 3rd party JS server passwords. How could they? They would have to hack the server to do that. While server hacking is certainly possible, it is beyond the scope of this howto.

Summary

Many of these techniques involve opening a PDF file from within Adobe Reader, allowing JavaScript to unlock it, and then printing it to file. There are many ways to print to PostScript or PDF, and literally hundreds of ways to break the restrictions on the resulting files. Earlier methods that no longer work include using Ghostscript to convert the PDF (or PostScript) file to earlier versions of PostScript, and then back to PDF. Those earlier PostScript drivers have been deprecated, but older versions of Ghostscript still provide them.

Convert to PDF When All Else Fails

Tools: Web browser
Target: content restrictions

Some PDFs won't allow printing or saving, and some of them are timed access. If it can be viewed, it can be screen captured. Simply open it up, preferably on a large desktop that can be tilted to where it shows the whole page, and take a screenshot of each page. It might be a good idea to empty out the screenshots folder first! Hopefully this will create a series of numbered images there. Then use something like imagemagick to convert the series of numbered images into a PDF file. The result might be great, or not so pretty depending on the desktop resolution, page dimensions, and other factors. The document can not be text searched because it is composed out of images, but there are programs that can optically recognize the text, and create a searchable index for PDF files. Hope this helps!

Links

Adobe Reader
Foxit Reader
CutePDF
pdfcrack command line password recovery tool
How to Unlock a Secure PDF File
PDF Rights Management
Portable Document Format


CCBY Copyright © 2016 Henry Kroll III, thenerdshow.com This web page is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.