11-28-2009, 11:24 AM | #16 |
reader
Posts: 6,975
Karma: 5183568
Join Date: Mar 2006
Location: Mississippi, USA
Device: Kindle 3, Kobo Glo HD
|
The output is from a modified kindlepid.py, so the PID isn't actually from an iPhone UUID but rather from a PC serial number.
|
11-28-2009, 02:24 PM | #17 |
Fully Converged
Posts: 18,163
Karma: 14021202
Join Date: Oct 2002
Location: Switzerland
Device: Too many to count here.
|
To adhere to our guidelines, please make sure you don't post any proprietary code, or code that can be used to directly break DRM, or tools or how-tos that can be used to break DRM.
I can see nobody has done anything like this here, so please consider this just as a friendly reminder. |
11-28-2009, 11:35 PM | #18 | |
Junior Member
Posts: 6
Karma: 10
Join Date: Nov 2009
Device: none
|
Quote:
|
|
11-29-2009, 05:04 PM | #19 |
Resident Curmudgeon
Posts: 73,957
Karma: 128903250
Join Date: Nov 2006
Location: Roslindale, Massachusetts
Device: Kobo Libra 2, Kobo Aura H2O, PRS-650, PRS-T1, nook STR, PW3
|
If anyone knows how to get the PID that does work, please PM. Thanks.
|
12-01-2009, 05:52 PM | #20 |
ZCD BombShel
Posts: 4,793
Karma: 8293322
Join Date: Jan 2009
Location: The Frozen North (aka Illinois, USA)
Device: iPad, STB Kindle Oasis
|
|
12-01-2009, 05:56 PM | #21 | |
Leafy greens connoisseur
Posts: 49
Karma: 21271
Join Date: Feb 2009
Device: PRS-505
|
Quote:
So far all the books I've purchased are using the "atv:kin:1" method, although it looks like clarknova has also reported one book which decrypted with a single layer of M/PC1 decryption. Multiple schemes would be annoying, but not fatal. |
|
12-01-2009, 07:04 PM | #22 | |
Junior Member
Posts: 6
Karma: 10
Join Date: Nov 2009
Device: none
|
Quote:
|
|
12-01-2009, 07:06 PM | #23 |
Junior Member
Posts: 6
Karma: 10
Join Date: Nov 2009
Device: none
|
(and yep, the book has atv:kin:1)
|
12-01-2009, 08:33 PM | #24 |
Addict
Posts: 241
Karma: 2617
Join Date: Mar 2009
Location: Greenwood, SC
Device: Kindle 2
|
All Kindle books now have the EXTH 208 record (atv:kin1:base64:base64), regardless of platform (K1, K2/i/DX or K4PC). Again, the length of that record seems to be what determines the scheme -- the first base64 string is always a multiple of 16 bytes (the first 32 are always unique, the next 16 are always the same per book, and then the rest seem to vary between being the same per platform and unique) and the second base64 string is a unique 20 bytes. The books using the new scheme have a longer base64 string than the books using the original mobipocket scheme.
|
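A structural check of the record layout described in the post above, as an added example that is not part of the original thread or of any tool mentioned in it. It assumes the commonly documented EXTH layout (big-endian type and length, with the length counting the 8-byte record header); the sample record is constructed filler, its tag follows the "atv:kin:1" form quoted in the thread, and the function names are hypothetical.

```python
import base64
import struct

def exth_records(exth: bytes):
    """Yield (type, payload) for each record in a raw EXTH block."""
    if exth[:4] != b"EXTH":
        raise ValueError("missing EXTH magic")
    _hdr_len, count = struct.unpack(">II", exth[4:12])
    pos = 12
    for _ in range(count):
        if pos + 8 > len(exth):
            raise ValueError("truncated EXTH record header")
        rtype, rlen = struct.unpack(">II", exth[pos:pos + 8])
        # rlen counts the 8-byte record header as well as the payload
        if rlen < 8 or pos + rlen > len(exth):
            raise ValueError("EXTH record length out of bounds")
        yield rtype, exth[pos + 8:pos + rlen]
        pos += rlen

def describe_208(payload: bytes) -> dict:
    """Split a 208 payload into tag and two base64 fields; report sizes only."""
    *tag, first_b64, second_b64 = payload.decode("ascii").split(":")
    first = base64.b64decode(first_b64, validate=True)
    second = base64.b64decode(second_b64, validate=True)
    return {
        "tag": ":".join(tag),
        "first_len": len(first),
        "first_is_multiple_of_16": len(first) % 16 == 0,
        "second_len": len(second),
    }

def build_sample_exth() -> bytes:
    """Constructed sample: filler bytes only, not taken from any real book."""
    first = base64.b64encode(bytes(range(64)))
    second = base64.b64encode(b"\xAA" * 20)
    payload = b"atv:kin:1:" + first + b":" + second
    rec100 = struct.pack(">II", 100, 8 + 6) + b"Author"
    rec208 = struct.pack(">II", 208, 8 + len(payload)) + payload
    body = rec100 + rec208
    return b"EXTH" + struct.pack(">II", 12 + len(body), 2) + body

def inspect(exth: bytes):
    """Return the size summary of every 208 record in the block."""
    return [describe_208(p) for t, p in exth_records(exth) if t == 208]

if __name__ == "__main__":
    print(inspect(build_sample_exth()))
```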
12-01-2009, 10:45 PM | #25 | |
Guru
Posts: 713
Karma: 1001739
Join Date: Apr 2005
Location: Nashville, TN
Device: SGS3/PW2/Nexus72
|
Quote:
|
|
12-02-2009, 01:52 AM | #26 |
Wizard
Posts: 4,538
Karma: 264065402
Join Date: Jun 2009
Location: Taiwan
Device: HP Touchpad, Sony Duo 13, Lumia 920, Kobo Aura HD
|
Not at this moment, because you don't have the KindleID for the PC app. How to get it, that is being discussed.
|
12-02-2009, 04:17 AM | #27 | |
Addict
Posts: 241
Karma: 2617
Join Date: Mar 2009
Location: Greenwood, SC
Device: Kindle 2
|
Quote:
I'm assuming that with the roll-out of the 2.3.0 Kindle version that this will change, but I honestly don't know and have no reason to believe so other than paranoia. |
|
12-02-2009, 08:25 AM | #28 | |
Guru
Posts: 713
Karma: 1001739
Join Date: Apr 2005
Location: Nashville, TN
Device: SGS3/PW2/Nexus72
|
Quote:
|
|
12-08-2009, 06:08 PM | #29 |
Member
Posts: 23
Karma: 752
Join Date: Dec 2009
Device: none
|
Progress
Kindle for PC version 1.0 Beta 1 (25338):
I have compared so far 2 types of runs, one without DRM and the other with DRM. I have found that the behavior that decides whether to continue or to show an error message is in this sub:
Code:
.text:00414270 sub_414270 proc near ; CODE XREF: sub_414240:loc_41425Bp
.text:00414270 ; sub_4197F0:loc_4199C1p ...
.text:00414270
.text:00414270 var_30 = dword ptr -30h
.text:00414270 var_2C = dword ptr -2Ch
.text:00414270 var_28 = dword ptr -28h
.text:00414270 var_24 = byte ptr -24h
.text:00414270 var_20 = byte ptr -20h
.text:00414270 var_C = dword ptr -0Ch
.text:00414270 var_4 = dword ptr -4
.text:00414270
.text:00414270 push ebp
.text:00414271 mov ebp, esp
.text:00414273 and esp, 0FFFFFFF8h
.text:00414276 mov eax, large fs:0
.text:0041427C push 0FFFFFFFFh
.text:0041427E push offset sub_A01580
.text:00414283 push eax
.text:00414284 mov large fs:0, esp
.text:0041428B sub esp, 28h
.text:0041428E push ebx
.text:0041428F push esi
.text:00414290 push edi
.text:00414291 mov edi, ecx
.text:00414293 mov ecx, [edi+3Ch]
.text:00414296 xor ebx, ebx
.text:00414298 cmp ecx, ebx
.text:0041429A jz short loc_4142A4
.text:0041429C mov eax, [ecx]
.text:0041429E mov edx, [eax+2Ch]
.text:004142A1 push ebx
.text:004142A2 call edx
.text:004142A4
.text:004142A4 loc_4142A4: ; CODE XREF: sub_414270+2Aj
.text:004142A4 mov eax, dword_D1CB60
.text:004142A9 mov [esp+40h+var_30], eax
.text:004142AD mov ecx, 1
.text:004142B2 lock xadd [eax], ecx
.text:004142B6 mov [esp+40h+var_4], ebx
.text:004142BA mov eax, [edi+20h]
.text:004142BD cmp eax, ebx
.text:004142BF jz loc_41443B
.text:004142C5 cmp [eax+1Dh], bl
.text:004142C8 jnz loc_41443B
.text:004142CE cmp [eax+14h], ebx
.text:004142D1 jz loc_4143C4
.text:004142D7 lea esi, [esp+40h+var_20]
.text:004142DB call sub_46BFF0
.text:004142E0 mov byte ptr [esp+40h+var_4], 1
.text:004142E5 mov edx, [edi+20h]
.text:004142E8 mov ecx, [edx+14h]
.text:004142EB mov eax, [ecx]
.text:004142ED mov eax, [eax+8]
.text:004142F0 mov edx, esi
.text:004142F2 push edx
.text:004142F3 lea edx, [esp+44h+var_2C]
.text:004142F7 push edx
.text:004142F8 call eax
.text:004142FA lea ecx, [esp+40h+var_28]
.text:004142FE push ecx
.text:004142FF mov byte ptr [esp+44h+var_4], 2
.text:00414304 call sub_43EC40
.text:00414309 add esp, 4
.text:0041430C push eax
.text:0041430D lea ecx, [esp+44h+var_30]
.text:00414311 mov byte ptr [esp+44h+var_4], 3
.text:00414316 call sub_904EE0
.text:0041431B mov byte ptr [esp+40h+var_4], 2
.text:00414320 mov edx, [esp+40h+var_28]
.text:00414324 or eax, 0FFFFFFFFh
.text:00414327 lock xadd [edx], eax
.text:0041432B jnz short loc_41433A
.text:0041432D mov ecx, [esp+40h+var_28]
.text:00414331 push ecx ; void *
.text:00414332 call j_free
.text:00414337 add esp, 4
.text:0041433A
.text:0041433A loc_41433A: ; CODE XREF: sub_414270+BBj
.text:0041433A mov ecx, [esp+40h+var_2C]
.text:0041433E cmp ecx, ebx
.text:00414340 jz short loc_4143B7
.text:00414342 push 1
.text:00414344 push ecx
.text:00414345 mov eax, esp
.text:00414347 mov [eax], ecx
.text:00414349 mov ecx, [esp+48h+var_2C]
.text:0041434D mov [esp+48h+var_28], esp
.text:00414351 cmp ecx, ebx
.text:00414353 jz short loc_41435B
.text:00414355 mov edx, [ecx]
.text:00414357 mov eax, [edx]
.text:00414359 call eax
.text:0041435B
.text:0041435B loc_41435B: ; CODE XREF: sub_414270+E3j
.text:0041435B mov byte ptr [esp+48h+var_4], 4
.text:00414360 mov ecx, [edi+20h]
.text:00414363 mov eax, [ecx+14h]
.text:00414366 push eax
.text:00414367 call sub_402AD0
.text:0041436C push eax
.text:0041436D mov byte ptr [esp+50h+var_4], 2
.text:00414372 call sub_403FA0
.text:00414377 mov byte ptr [esp+40h+var_4], 1
.text:0041437C mov ecx, [esp+40h+var_2C]
.text:00414380 cmp ecx, ebx
.text:00414382 jz short loc_41438B
.text:00414384 mov edx, [ecx]
.text:00414386 mov eax, [edx+4]
.text:00414389 call eax
.text:0041438B
.text:0041438B loc_41438B: ; CODE XREF: sub_414270+112j
.text:0041438B lea edi, [esp+40h+var_20]
.text:0041438F call sub_403F60
.text:00414394 mov [esp+40h+var_4], 0FFFFFFFFh
.text:0041439C mov ecx, [esp+40h+var_30]
.text:004143A0 or edx, 0FFFFFFFFh
.text:004143A3 lock xadd [ecx], edx
.text:004143A7 jnz loc_41445D
.text:004143AD mov eax, [esp+40h+var_30]
.text:004143B1 push eax
.text:004143B2 jmp loc_414455
.text:004143B7 ; ---------------------------------------------------------------------------
.text:004143B7
.text:004143B7 loc_4143B7: ; CODE XREF: sub_414270+D0j
.text:004143B7 lea edi, [esp+40h+var_20]
.text:004143BB mov byte ptr [esp+40h+var_4], bl
.text:004143BF call sub_403F60
.text:004143C4
.text:004143C4 loc_4143C4: ; CODE XREF: sub_414270+61j
.text:004143C4 lea ecx, [esp+40h+var_28]
.text:004143C8 push ecx
.text:004143C9 call sub_401500
.text:004143CE add esp, 4
.text:004143D1 push offset aCouldNotOpenBo ; "Could not open book, shoot!"
.text:004143D6 mov ecx, eax
.text:004143D8 mov byte ptr [esp+44h+var_4], 5
.text:004143DD call sub_401410
.text:004143E2 lea ecx, [esp+40h+var_28]
.text:004143E6 mov byte ptr [esp+40h+var_4], bl
.text:004143EA call sub_401340
.text:004143EF mov edx, dword_D1FD6C
.text:004143F5 push ecx ; void *
.text:004143F6 mov eax, esp
.text:004143F8 mov [eax], edx
.text:004143FA mov [esp+44h+var_2C], esp
.text:004143FE mov eax, edx
.text:00414400 mov ecx, 1
.text:00414405 lock xadd [eax], ecx
.text:00414409 mov edx, [esp+44h+var_30]
.text:0041440D push ecx ; void *
.text:0041440E mov eax, esp
.text:00414410 mov [eax], edx
.text:00414412 mov eax, [esp+48h+var_30]
.text:00414416 mov dword ptr [esp+48h+var_24], esp
.text:0041441A mov ecx, 1
.text:0041441F lock xadd [eax], ecx
.text:00414423 mov byte ptr [esp+48h+var_4], 7
.text:00414428 call sub_408980
.text:0041442D mov eax, [eax+40h]
.text:00414430 mov edi, eax
.text:00414432 mov byte ptr [esp+48h+var_4], bl
.text:00414436 call BadBoy
.text:0041443B
.text:0041443B loc_41443B: ; CODE XREF: sub_414270+4Fj
.text:0041443B ; sub_414270+58j
.text:0041443B mov [esp+40h+var_4], 0FFFFFFFFh
.text:00414443 mov edx, [esp+40h+var_30]
.text:00414447 or eax, 0FFFFFFFFh
.text:0041444A lock xadd [edx], eax
.text:0041444E jnz short loc_41445D
.text:00414450 mov ecx, [esp+40h+var_30]
.text:00414454 push ecx ; void *
.text:00414455
.text:00414455 loc_414455: ; CODE XREF: sub_414270+142j
.text:00414455 call j_free
.text:0041445A add esp, 4
.text:0041445D
.text:0041445D loc_41445D: ; CODE XREF: sub_414270+137j
.text:0041445D ; sub_414270+1DEj
.text:0041445D mov ecx, [esp+40h+var_C]
.text:00414461 pop edi
.text:00414462 pop esi
.text:00414463 mov large fs:0, ecx
.text:0041446A pop ebx
.text:0041446B mov esp, ebp
.text:0041446D pop ebp
.text:0041446E retn

00414340 JE SHORT: if all is good then the jump shouldn't be taken; if it's bad then it is taken and then we will get to the private error string: "Could not open book, shoot!"
That's all for now.
Regards, LaBBa. |
12-10-2009, 07:36 AM | #30 |
Member
Posts: 23
Karma: 752
Join Date: Dec 2009
Device: none
|
Hi all, news:
I have looked a little at the source code of MobiDeDRM and from what I have seen there is a vector like this:
Code:
def parseDRM(self, data, count, pid):
    pid = pid.ljust(16,'\0')
    keyvec1 = "\x72\x38\x33\xB0\xB4\xF2\xE3\xCA\xDF\x09\x01\xD6\xE2\xE0\x3F\x96"
    temp_key = PC1(keyvec1, pid, False)
    temp_key_sum = sum(map(ord,temp_key)) & 0xff

\x72\x38\x33\xB0\xB4\xF2\xE3\xCA\xDF\x09\x01\xD6\xE2\xE0\x3F\x96
And yes, I found it!
Code:
005709AA mov ecx, ds:dword_BFC5A8 ; keyvec1 like in - MobiDeDRM
.text:005709B0 mov edx, ds:dword_BFC5AC
.text:005709B6 mov eax, ds:dword_BFC5B0
.text:005709BB mov [esp+0C4h+var_AC], ecx
.text:005709BF mov ecx, ds:dword_BFC5B4
.text:005709C5 mov [esp+0C4h+var_98], 3
.text:005709CD mov [esp+0C4h+var_A8], edx
.text:005709D1 mov [esp+0C4h+var_A4], eax
.text:005709D5 mov [esp+0C4h+var_A0], ecx
.text:005709D9 jz loc_570ABC
.text:005709DF mov dword ptr [ebp+4], 1
.text:005709E6 jmp loc_570ABC

Regards, LaBBa.
Last edited by labba; 12-10-2009 at 07:57 AM. |
|