Good to know that I'm not alone in this :-)
I'm currently also continuing the RE on this target. I hope we can share the info to get faster results..
As for now I found that this is the main sub:
Code:
00414270 $ 55 PUSH EBP
00414271 . 8BEC MOV EBP,ESP
00414273 . 83E4 F8 AND ESP,FFFFFFF8
00414276 . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0041427C . 6A FF PUSH -1
0041427E . 68 8015A000 PUSH KindleFo.00A01580
00414283 . 50 PUSH EAX
00414284 . 64:8925 000000>MOV DWORD PTR FS:[0],ESP
0041428B . 83EC 28 SUB ESP,28
0041428E . 53 PUSH EBX
0041428F . 56 PUSH ESI
00414290 . 57 PUSH EDI
00414291 . 8BF9 MOV EDI,ECX
00414293 . 8B4F 3C MOV ECX,DWORD PTR DS:[EDI+3C]
00414296 . 33DB XOR EBX,EBX
00414298 . 3BCB CMP ECX,EBX
0041429A . 74 08 JE SHORT KindleFo.004142A4 ; taken
0041429C . 8B01 MOV EAX,DWORD PTR DS:[ECX]
0041429E . 8B50 2C MOV EDX,DWORD PTR DS:[EAX+2C]
004142A1 . 53 PUSH EBX
004142A2 . FFD2 CALL EDX
004142A4 > A1 60CBD100 MOV EAX,DWORD PTR DS:[D1CB60]
004142A9 . 894424 10 MOV DWORD PTR SS:[ESP+10],EAX
004142AD . B9 01000000 MOV ECX,1
004142B2 . F0:0FC108 LOCK XADD DWORD PTR DS:[EAX],ECX ; LOCK prefix
004142B6 . 895C24 3C MOV DWORD PTR SS:[ESP+3C],EBX
004142BA . 8B47 20 MOV EAX,DWORD PTR DS:[EDI+20]
004142BD . 3BC3 CMP EAX,EBX
004142BF . 0F84 76010000 JE KindleFo.0041443B ; not taken
004142C5 . 3858 1D CMP BYTE PTR DS:[EAX+1D],BL
004142C8 . 0F85 6D010000 JNZ KindleFo.0041443B ; not taken
004142CE . 3958 14 CMP DWORD PTR DS:[EAX+14],EBX
004142D1 . 0F84 ED000000 JE KindleFo.004143C4 ; not taken
004142D7 . 8D7424 20 LEA ESI,DWORD PTR SS:[ESP+20]
004142DB . E8 107D0500 CALL KindleFo.0046BFF0
004142E0 . C64424 3C 01 MOV BYTE PTR SS:[ESP+3C],1
004142E5 . 8B57 20 MOV EDX,DWORD PTR DS:[EDI+20]
004142E8 . 8B4A 14 MOV ECX,DWORD PTR DS:[EDX+14]
004142EB . 8B01 MOV EAX,DWORD PTR DS:[ECX]
004142ED . 8B40 08 MOV EAX,DWORD PTR DS:[EAX+8]
004142F0 . 8BD6 MOV EDX,ESI
004142F2 . 52 PUSH EDX
004142F3 . 8D5424 18 LEA EDX,DWORD PTR SS:[ESP+18]
004142F7 . 52 PUSH EDX
004142F8 . FFD0 CALL EAX ; Need Analysis: Encryption/Decryption Sub
004142FA . 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18]
004142FE . 51 PUSH ECX
004142FF . C64424 40 02 MOV BYTE PTR SS:[ESP+40],2
00414304 . E8 37A90200 CALL KindleFo.0043EC40
00414309 . 83C4 04 ADD ESP,4
0041430C . 50 PUSH EAX
0041430D . 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
00414311 . C64424 40 03 MOV BYTE PTR SS:[ESP+40],3
00414316 . E8 C50B4F00 CALL KindleFo.00904EE0
0041431B . C64424 3C 02 MOV BYTE PTR SS:[ESP+3C],2
00414320 . 8B5424 18 MOV EDX,DWORD PTR SS:[ESP+18]
00414324 . 83C8 FF OR EAX,FFFFFFFF
00414327 . F0:0FC102 LOCK XADD DWORD PTR DS:[EDX],EAX ; LOCK prefix
0041432B . 75 0D JNZ SHORT KindleFo.0041433A ; taken
0041432D . 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18]
00414331 . 51 PUSH ECX
00414332 . E8 990B4F00 CALL KindleFo.00904ED0
00414337 . 83C4 04 ADD ESP,4
0041433A > 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+14]
0041433E . 3BCB CMP ECX,EBX
00414340 . 74 75 JE SHORT KindleFo.004143B7 ; PROBLEM: need no jump
So the whole start of the decryption is here:
Code:
004142F8 . FFD0 CALL EAX ;Need Analysis: Encryption/Decryption Sub
and in there it gets a little complicated..
Still working on it..