Adventures in discovering the K4PC PID.

[kennyc]

I have no idea what any of that means or even if it's relevant to the issue at hand.

Seems you'd be looking at the KindleforPC software or a downloaded Kindle book rather than in the MobideDRM software.

[delphidb96]

Quote:

Originally Posted by kennyc

I have no idea what any of that means or even if it's relevant to the issue at hand.

Seems you'd be looking at the KindleforPC software or a downloaded Kindle book rather than in the MobideDRM software.

Because the internal structure of the .AZW version of Kindle ebooks is 'essentially' the same as that of a Mobipocket ebook. Now the .AZW1/TOPAZ *is* different, substantially so, but if you can find the Kindle S/N (Kindle, Kindle4iPhone versions) you can run the ebook in question through certain Mobi DRM-removing software and have an 'unlocked' version you can read not just on your Kindle and iPhone, but also on your Cybook Gen3, BeBook or other ebook reading device that accepts Mobipocket, such as a Dell Axim X51V... As I own an iPod Touch (K4iPhone compatible), Axim X51V, Cybook, Dell Mini 12, BeBook, Netronix EB100 (Cybook Gen3 hardware) and HP iPaq 110, this is a very relevant issue.



Derek

[kennyc]

Quote:

Originally Posted by delphidb96

Because the internal structure of the .AZW version of Kindle ebooks is 'essentially' the same as that of a Mobipocket ebook. Now the .AZW1/TOPAZ *is* different, substantially so, but if you can find the Kindle S/N (Kindle, Kindle4iPhone versions) you can run the ebook in question through certain Mobi DRM-removing software and have an 'unlocked' version you can read not just on your Kindle and iPhone, but also on your Cybook Gen3, BeBook or other ebook reading device that accepts Mobipocket, such as a Dell Axim X51V... As I own an iPod Touch (K4iPhone compatible), Axim X51V, Cybook, Dell Mini 12, BeBook, Netronix EB100 (Cybook Gen3 hardware) and HP iPaq 110, this is a very relevant issue.



Derek

I understand that, what I'm not following is why labba is looking in the source code of mobidedrm? The serial number is going to be in the KindlePC application or in the encoded book or both.

[labba]

the Kindle for PC knows to load PRC file format and the MobiDeDRM contains code of decrypting a DRM PRC file i looked in this code and found the rutine that is responsible to decrypt a DRM PRC file have the same use like in the MobiDeDRM...
now i need to find out what\where is the PID that is used to decrypt the PRC file
so we could use it to extract this and will be able to do this on every computer.

[kennyc]

Quote:

Originally Posted by labba

the Kindle for PC knows to load PRC file format and the MobiDeDRM contains code of decrypting a DRM PRC file i looked in this code and found the rutine that is responsible to decrypt a DRM PRC file have the same use like in the MobiDeDRM...
now i need to find out what\where is the PID that is used to decrypt the PRC file
so we could use it to extract this and will be able to do this on every computer.

So you are looking at the kindle4pc code. That's what I was not understanding from your previous message.

[clarknova]

Quote:

Originally Posted by labba

now i need to find out what\where is the PID that is used to decrypt the PRC file
so we could use it to extract this and will be able to do this on every computer.

I give up.

On the plus side, i-heart-cabbages knows what's up and seems to be working on this, hopefully he'll come through again like he did with Adobe Adept.

[i♥cabbages]

Quote:

Originally Posted by clarknova

On the plus side, i-heart-cabbages knows what's up and seems to be working on this, hopefully he'll come through again like he did with Adobe Adept.

Thanks for the vote of confidence . I am working on it, but haven't had much free time lately, and it turned out to be more complicated than I thought it would be at first glance. What labba describes is essentially what I did to get to the point of being able to decrypt individual books, but there are several layers of encryption and obfuscation separating the kindle.info file from the per-book PID used for the final pass of Mobipocket/PC1 decryption which actually decrypts the book. In any case, I'll post when I finish, or if I give up.

[kennyc]

Quote:

Originally Posted by i♥cabbages

Thanks for the vote of confidence . I am working on it, but haven't had much free time lately, and it turned out to be more complicated than I thought it would be at first glance. What labba describes is essentially what I did to get to the point of being able to decrypt individual books, but there are several layers of encryption and obfuscation separating the kindle.info file from the per-book PID used for the final pass of Mobipocket/PC1 decryption which actually decrypts the book. In any case, I'll post when I finish, or if I give up.

Thank you sir!

[labba]

good to know that i'm not alone in this :-)
i'm currently continuing alos the RE on this target i hope we can share the info to get a faster results..

as for now i found that this is the main sub:

Code:

00414270   $ 55             PUSH EBP
00414271   . 8BEC           MOV EBP,ESP
00414273   . 83E4 F8        AND ESP,FFFFFFF8
00414276   . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0041427C   . 6A FF          PUSH -1
0041427E   . 68 8015A000    PUSH KindleFo.00A01580
00414283   . 50             PUSH EAX
00414284   . 64:8925 000000>MOV DWORD PTR FS:[0],ESP
0041428B   . 83EC 28        SUB ESP,28
0041428E   . 53             PUSH EBX
0041428F   . 56             PUSH ESI
00414290   . 57             PUSH EDI
00414291   . 8BF9           MOV EDI,ECX
00414293   . 8B4F 3C        MOV ECX,DWORD PTR DS:[EDI+3C]
00414296   . 33DB           XOR EBX,EBX
00414298   . 3BCB           CMP ECX,EBX
0041429A   . 74 08          JE SHORT KindleFo.004142A4                              ;  taken
0041429C   . 8B01           MOV EAX,DWORD PTR DS:[ECX]
0041429E   . 8B50 2C        MOV EDX,DWORD PTR DS:[EAX+2C]
004142A1   . 53             PUSH EBX
004142A2   . FFD2           CALL EDX
004142A4   > A1 60CBD100    MOV EAX,DWORD PTR DS:[D1CB60]
004142A9   . 894424 10      MOV DWORD PTR SS:[ESP+10],EAX
004142AD   . B9 01000000    MOV ECX,1
004142B2   . F0:0FC108      LOCK XADD DWORD PTR DS:[EAX],ECX                        ;  LOCK prefix
004142B6   . 895C24 3C      MOV DWORD PTR SS:[ESP+3C],EBX
004142BA   . 8B47 20        MOV EAX,DWORD PTR DS:[EDI+20]
004142BD   . 3BC3           CMP EAX,EBX
004142BF   . 0F84 76010000  JE KindleFo.0041443B                                    ;  not taken
004142C5   . 3858 1D        CMP BYTE PTR DS:[EAX+1D],BL
004142C8   . 0F85 6D010000  JNZ KindleFo.0041443B                                   ;  not taken
004142CE   . 3958 14        CMP DWORD PTR DS:[EAX+14],EBX
004142D1   . 0F84 ED000000  JE KindleFo.004143C4                                    ;  not taken
004142D7   . 8D7424 20      LEA ESI,DWORD PTR SS:[ESP+20]
004142DB   . E8 107D0500    CALL KindleFo.0046BFF0
004142E0   . C64424 3C 01   MOV BYTE PTR SS:[ESP+3C],1
004142E5   . 8B57 20        MOV EDX,DWORD PTR DS:[EDI+20]
004142E8   . 8B4A 14        MOV ECX,DWORD PTR DS:[EDX+14]
004142EB   . 8B01           MOV EAX,DWORD PTR DS:[ECX]
004142ED   . 8B40 08        MOV EAX,DWORD PTR DS:[EAX+8]
004142F0   . 8BD6           MOV EDX,ESI
004142F2   . 52             PUSH EDX
004142F3   . 8D5424 18      LEA EDX,DWORD PTR SS:[ESP+18]
004142F7   . 52             PUSH EDX
004142F8   . FFD0           CALL EAX						; Need Analysis: Encryption/Decryption Sub
004142FA   . 8D4C24 18      LEA ECX,DWORD PTR SS:[ESP+18]
004142FE   . 51             PUSH ECX
004142FF   . C64424 40 02   MOV BYTE PTR SS:[ESP+40],2
00414304   . E8 37A90200    CALL KindleFo.0043EC40
00414309   . 83C4 04        ADD ESP,4
0041430C   . 50             PUSH EAX
0041430D   . 8D4C24 14      LEA ECX,DWORD PTR SS:[ESP+14]
00414311   . C64424 40 03   MOV BYTE PTR SS:[ESP+40],3
00414316   . E8 C50B4F00    CALL KindleFo.00904EE0
0041431B   . C64424 3C 02   MOV BYTE PTR SS:[ESP+3C],2
00414320   . 8B5424 18      MOV EDX,DWORD PTR SS:[ESP+18]
00414324   . 83C8 FF        OR EAX,FFFFFFFF
00414327   . F0:0FC102      LOCK XADD DWORD PTR DS:[EDX],EAX                        ;  LOCK prefix
0041432B   . 75 0D          JNZ SHORT KindleFo.0041433A                             ;  taken
0041432D   . 8B4C24 18      MOV ECX,DWORD PTR SS:[ESP+18]
00414331   . 51             PUSH ECX
00414332   . E8 990B4F00    CALL KindleFo.00904ED0
00414337   . 83C4 04        ADD ESP,4
0041433A   > 8B4C24 14      MOV ECX,DWORD PTR SS:[ESP+14]
0041433E   . 3BCB           CMP ECX,EBX
00414340   . 74 75          JE SHORT KindleFo.004143B7                              ;  PROBLEM: need no jump

so all the start of the decryption is here :

Code:

004142F8   . FFD0           CALL EAX	;Need Analysis: Encryption/Decryption Sub

and in there it get a littel complicated..
still working on it..

[labba]

Hi! Progress:
if i set a BP on the sub_54F7E0, then dumping the buffer pointed to by arg_0. You will get 8 PID characters,
i think i need to add the two checksum chars my self accurding to the checksumPid function in the mobidedrm scripts.
the BP will stop 5 time and will give 5 different strings... i will let you know if this could be the answer..

c ya for now..
LaBBa.

[wallcraft]

Quote:

Originally Posted by i♥cabbages

I am working on it, but haven't had much free time lately, and it turned out to be more complicated than I thought it would be at first glance.

If you want a change of pace, there is a new DRM scheme for ePubs. It is password-based and is on the latest B&N ebooks, see Customer FAQ: Adobe and Barnes & Noble. Older B&N ebooks were in eReader format and both eReader and ePub ebooks from B&N use your credit card number as the password. EPubs with passwords will be available for many more devices and from all Adobe content servers next year.

[labba]

let's finish first with this one before moving to the next...

[JSWolf]

Quote:

Originally Posted by labba

let's finish first with this one before moving to the next...

Let's move onto B&N and then deal with this. I think more people will be interested in having the B&N ePub DRM stripped then this. And even if I am wrong, stripping the DRM from B&N ePub will still be a better thing to start work on.

[kennyc]

Quote:

Originally Posted by JSWolf

Let's move onto B&N and then deal with this. I think more people will be interested in having the B&N ePub DRM stripped then this. And even if I am wrong, stripping the DRM from B&N ePub will still be a better thing to start work on.

Except that there is nothing to work with yet. Not even example/sample epubs from B&N as far as I know.

[labba]

Quote:

Originally Posted by JSWolf

Let's move onto B&N and then deal with this. I think more people will be interested in having the B&N ePub DRM stripped then this. And even if I am wrong, stripping the DRM from B&N ePub will still be a better thing to start work on.

you can use your reversing skills to start doing it... like i do for kindle4pc..