

Try hooking sub_54F7E0, then dumping the buffer pointed to by arg_0. You will get 8 PID characters; you need to add the two checksum chars yourself. See the checksumPid function in the mobidedrm scripts you referenced.
|
I did that and I hit the BP 5 times, and each time I get a different string..
You are saying that the PID can be one of those 5 or all 5, and I can just fix them by adding 2 chars to make them valid (because of the checksum)?
|
|
I hit the BP 4 times and the PID that worked was the last one. I don't know if the other values from the first three BPs work. Adding 2 checksum chars to the found PID allowed mobidedrm.py to work. mobidedrm005.py would not work; it seems to need too many checksums.
|
|
When you say that it works, do you mean that you were able to decrypt a PRC file? Or that the application just works until the checksum sub?
|
|
The PID worked for decrypting a PRC file
|
OK, so I just send the last PID (less the 2 last chars) to the function:
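    import binascii

    # Python 2 code: s is the 8-character PID as a str.
    # Returns s with the two checksum characters appended.
    def checksumPid(s):
        letters = "ABCDEFGHIJKLMNPQRSTUVWXYZ123456789"
        crc = (~binascii.crc32(s, -1)) & 0xFFFFFFFF
        crc = crc ^ (crc >> 16)
        res = s
        l = len(letters)
        for i in (0, 1):
            # One checksum character per low byte of the folded CRC
            b = crc & 0xff
            pos = (b // l) ^ (b % l)
            res += letters[pos % l]
            crc >>= 8
        return res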
and the return value will give me the good PID with the needed 2 fixed chars.
I will let you know how it goes..
thanks,
LaBBa.
|
|
Maybe I don't know what your meaning is.
|
> damo: Maybe I don't know what your meaning is.
Never mind .. I figured it out.. and someone already posted a tool that does it all for ya:
http://i-u2665-cabbages.blogspot.com/
Thanks
LaBBa.
|
In an effort to contribute to the state of knowledge on KindleForPC, I just posted an all in one tool I am calling skindle to rapidshare:
http://rapidshare.com/files/329403401/skindle-06.tgz
This tool reads your kindle.info file and an input Mobi DRM'ed file to produce a dedrm'ed file. There is no dependency on mobidedrm and no use of the windows debugging api. This tool does not need to run KindleForPC in order to work. This tool derives the book specific PID in the same manner that K4PC does, then uses that PID in the same way that mobidedrm does to produce an output file.
C source and a compiled binary are included.
EDIT: 01/02/10 1903GMT updated link to new version
|
I wanted to learn Python during the holidays, so I wrote a little script. It might not be very useful, but it is my first script, so don't be too harsh :
http://www.pastie.org/760591
Happy New Year !
|
You have a bug in your script at line 300; it should read
nbValues = bookReadEncodedNumber()
Also, as written, you dump single decrypted records, do you intend to update this to dump the entire decrypted file?
|
Here is a new version.
http://www.pastie.org/761169
It should fix the problem with "invalid header" that people have, thanks to BartSimpson's fix. (I think there was the same problem on line 330).
It also tries to decrypt the book key with the Device PID as well as other PIDs that can be entered on the command line.
Well, it would be possible to rewrite a book with all the records decrypted, but as far as I can tell, the application still expects to have correct key and dkey data.
|
|
I've been able to identify the .prc file containing the topaz formatted book but need some detailed instructions on how to make this script work. I've opened a CMD window in Windows 7, run the script but haven't been able to figure out the correct syntax to make it dump a decrypted book. Is it ./script.py -o "output file" "input file" ? ./script.py -o "input file" "output file" ? I'm a bit confused as nothing seems to dump a decrypted book. It acts like it runs for a second or two and then drops back to prompt. Any help would be appreciated. Thanks.
|
|
Yeah, it no longer gives the error, but how do we know what records to output? Does this not actually decode the Topaz format, just the encryption?
|
OK, by doing the following:
cmbdtc11.py -r img:0 -o img1.jpg ebook.prc
I was able to get a working image file of the book cover out. So that's one interesting thing...
|
> CMBDTC:
> Well, it would be possible to rewrite a book with all the records decrypted, but as far as I can tell, the application still expects to have correct key and dkey data.
If I understand your script correctly, the only thing that indicates a section is encoded is the recordIndex extracted in getBookPayloadRecord. When you rewrite the decrypted sections are you flipping the sign of recordIndex as well?
|
Here is version 2.0 :
http://www.pastie.org/761657
It can output decrypted versions of books, since apparently for many people, a proof of concept that totally exposes the Topaz DRM is worth nothing. A few special cases have not been implemented, but I have never seen them in the books I own.
There is a catch though. The script has a little typo and won't decrypt books as is.
I would also strongly advise against using this script for piracy.
@Smabbage Have you noticed this is a reverse engineering forum, not a helpline for morons who want to be spoon fed one-click scripts that do all the work?
|
|
Dude, you ROCK. I can't believe this is finally cracked! I want to buy you a beer.
|
Although I see why you're so concerned about people using it for piracy: since it outputs an un-DRMed Topaz file, only Kindles or Amazon's Kindle apps can read it, and since the Kindle/Kindle apps can already read legally-acquired Topaz files, right now the only thing the average user can do with it is share their formerly-DRM-locked Topaz files with others ... in other words, spread pirated books.
But hopefully this will let us understand the structure of the Topaz file, and then it'll be useful for doing what most of us really want: converting Topaz to normal ePub, HTML, or other files so we can read ALL of our Kindle books on other devices. I like to read them on my Windows Mobile phone, for instance, and until Amazon comes out with a Kindle for Windows Mobile app, I'm only able to read Mobipocket files on there.
|
|
It's always refreshing for an end user to be referred to as a Moron. Thanks for that. :) I wish you success in your efforts.
|
|
CMBDTC, you may want to look at the length of your output records, you appear to be writing too much data. After further study, I think that the actual field length is the third value in the header 3 tuples which represents the compressed length if the record is compressed. I think the second value in each tuple is the uncompressed field length
|
Here is a new version that should fix the problem of record length:
http://www.pastie.org/763115
Thanks to all who have brought this issue to my attention.
This will probably be the last version of CMBDTC I release.
|
|
I'd like to modify CMBDTC, replacing the windll.crypt functions with something that would work cross-platform. I'm guessing that PyCrypto has something that would replace CryptUnprotectData(). Can anyone point me in the right direction?
|
|
MS claims that CryptProtect/UnprotectData tie an encrypted blob to a specific user and machine. Not sure you can make this cross-platform unless there is a machine independent break for these functions
|
|
The unencrypt worked for sure; interestingly, my Topaz book was a .prc file? I was under the (obviously wrong) assumption that Topaz either came in azw1 via whisper or .tpz via the internet download. I downloaded it via whisper for Kindle for PC so perhaps that was different, but unswindle would not do it and CMBDTC's stuff did decrypt it. Still can't read it on anything else, obviously, since it's Topaz, but that just struck me as odd.
|
There is a really tiny bug in CMBDTC's encodeNumber function that will accidentally encode some numbers as negatives (16256-16383, 2080768-2097151, etc...).
I've made a quick fix to CMBDTC here: http://pastie.org/799495
Bart/skindle, the same for skindle -- it should just be a matter of adding a check after the do/while loop in the encodeNumber function in tpz.c to pad the output with an 0x80:
if ((*(b-1) == 0xFF) && (! neg)) *b++ = 0x80;
Or something... I dunno, my C is rusty.
|
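The sign ambiguity reported in the last post, reproduced as an added example (not part of the thread and not code from CMBDTC or skindle). It assumes the number layout implied by the quoted ranges and the 0x80 fix: 7-bit groups, most significant first, bit 0x80 set on every byte except the last, and a leading 0xFF byte marking a negative value; decode_number, encode_number and misencoded are hypothetical names.

```python
def decode_number(data):
    """Decode one number from bytes; returns (value, bytes_consumed)."""
    pos = 0
    negative = data[pos] == 0xFF        # a leading 0xFF is read as the sign marker
    if negative:
        pos += 1
    value = 0
    while True:
        byte = data[pos]                # IndexError here means truncated input
        pos += 1
        value = (value << 7) | (byte & 0x7F)
        if byte < 0x80:                 # continuation bit clear: last group
            break
    return (-value if negative else value), pos


def encode_number(number, pad=True):
    """Encode a number; pad=False reproduces the reported bug."""
    negative = number < 0
    n = -number if negative else number
    groups = [n & 0x7F]                 # built least significant group first
    n >>= 7
    while n:
        groups.append((n & 0x7F) | 0x80)
        n >>= 7
    # A positive value whose top group is 0x7F starts with byte 0xFF, which the
    # decoder takes for the sign marker. An empty leading group (0x80) avoids it.
    if pad and not negative and groups[-1] == 0xFF:
        groups.append(0x80)
    if negative:
        groups.append(0xFF)
    return bytes(reversed(groups))


def misencoded(start, stop, pad):
    """Values in [start, stop) that do not survive an encode/decode round trip."""
    return [n for n in range(start, stop)
            if decode_number(encode_number(n, pad))[0] != n]


if __name__ == "__main__":
    bad = misencoded(0, 20000, pad=False)
    print("unpadded failures:", bad[0], "to", bad[-1], "count", len(bad))
    print("16256 unpadded:", encode_number(16256, pad=False).hex(),
          "->", decode_number(encode_number(16256, pad=False))[0])
    print("16256 padded:  ", encode_number(16256).hex(),
          "->", decode_number(encode_number(16256))[0])
    print("padded failures:", misencoded(0, 20000, pad=True))
```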