Adventures in discovering the K4PC PID.

[wallcraft]

Quote:

Originally Posted by delphidb96

Neither of those look like the serial number *I* got by following the instructions to generate my PID using the k*fix python script. When I extracted my UDID/Serial info from iTunes (my iPod Touch was connected), I got a standard-length Mobipocket-style PID.

The output is from a modified kindlepid.py, so the PID isn't actually from a iPhone UUID but rather from a PC serial number.

[Alexander Turcic]

To adhere to our guidelines, please make sure you don't post any proprietary code, or code that can be used to directly break DRM, or tools or how-tos that can be used to break DRM.

I can see nobody has done anything like this here, so please consider this just as a friendly reminder.

[scancode]

Quote:

Originally Posted by delphidb96

Neither of those look like the serial number *I* got by following the instructions to generate my PID using the k*fix python script. When I extracted my UDID/Serial info from iTunes (my iPod Touch was connected), I got a standard-length Mobipocket-style PID.

Derek

I scrambled the PIDs, they're 8 letters long, normal mobipocket PIDs. They just don't match.

[JSWolf]

If anyone knows how to get the PID that does work, please PM. Thanks.

[phenomshel]

Quote:

Originally Posted by JSWolf

If anyone knows how to get the PID that does work, please PM. Thanks.

I'll add my pleadings here. When y'all figure it out, please PM me and let me know...

[i♥cabbages]

Quote:

Originally Posted by scancode

FWIW, I found that the PID actually IS used to decrypt books (only tried on www.amazon.com/gp/product/B002ENBM7G , prc format)

Do you mean that you downloaded this book as directly Mobipocket/PC1 encrypted with your K4PC "device" PID? Can you register your account on a different computer and verify that this is still the case? Does this book file contain the string "atv:kin:1:"? Could you purchase/download a different book and see if it is encrypted with the same PID?

So far all the books I've purchased are using the "atv:kin:1" method, although it looks like clarknova has also reported one book which decrypted with a single layer of M/PC1 decryption. Multiple schemes would be annoying, but not fatal.

[scancode]

Quote:

Originally Posted by i♥cabbages

Do you mean that you downloaded this book as directly Mobipocket/PC1 encrypted with your K4PC "device" PID? Can you register your account on a different computer and verify that this is still the case? Does this book file contain the string "atv:kin:1:"? Could you purchase/download a different book and see if it is encrypted with the same PID?

So far all the books I've purchased are using the "atv:kin:1" method, although it looks like clarknova has also reported one book which decrypted with a single layer of M/PC1 decryption. Multiple schemes would be annoying, but not fatal.

I think that a possible solution would be to dump the unencrypted data after the app itself decrypts it. I'll return working on that once I get my PC back. No, unfortunately, I can't test on another PC for now, all I have is my netbook.

[scancode]

(and yep, the book has atv:kin:1)

[clarknova]

Quote:

Originally Posted by i♥cabbages

So far all the books I've purchased are using the "atv:kin:1" method, although it looks like clarknova has also reported one book which decrypted with a single layer of M/PC1 decryption. Multiple schemes would be annoying, but not fatal.

All Kindle books now have the EXTH 208 record (atv:kin1:base64:base64), regardless of platform (K1, K2/i/DX or K4PC). Again, the length of that record seems to be what determines the scheme -- the first base64 string is always a multiple of 16 bytes (the first 32 are always unique, the next 16 are always the same per book, and then the rest seem to vary between being the same per platform and unique) and the second base64 string is a unique 20 bytes. The books using the new scheme have a longer base64 string than the books using the original mobipocket scheme.

[volwrath]

Quote:

Originally Posted by clarknova

All Kindle books now have the EXTH 208 record (atv:kin1:base64:base64), regardless of platform (K1, K2/i/DX or K4PC). Again, the length of that record seems to be what determines the scheme -- the first base64 string is always a multiple of 16 bytes (the first 32 are always unique, the next 16 are always the same per book, and then the rest seem to vary between being the same per platform and unique) and the second base64 string is a unique 20 bytes. The books using the new scheme have a longer base64 string than the books using the original mobipocket scheme.

Im out of my league here, but it sounds like you are saying that a new book purchased from amazon for the kindle and/or iphone will not be 'undrmed' through the use of the latest mobidedrm, is that correct?

[HansTWN]

Quote:

Originally Posted by volwrath

Im out of my league here, but it sounds like you are saying that a new book purchased from amazon for the kindle and/or iphone will not be 'undrmed' through the use of the latest mobidedrm, is that correct?

Not at this moment, because you don't have the KindleID for the PC app. How to get it, that is being discussed.

[clarknova]

Quote:

Originally Posted by volwrath

Im out of my league here, but it sounds like you are saying that a new book purchased from amazon for the kindle and/or iphone will not be 'undrmed' through the use of the latest mobidedrm, is that correct?

No. AFAIK Kindle(1,2,iPod) books can still use mobidedrm to strip DRM. However, they also contain the new EXTH 208 (and 209) records that many of us are presuming to be tied to the new scheme that the K4PC uses (which cannot currently make use of mobidedrm, regardless of PID knowledge).

I'm assuming that with the roll-out of the 2.3.0 Kindle version that this will change, but I honestly don't know and have no reason to believe so other than paranoia.

[volwrath]

Quote:

Originally Posted by clarknova

No. AFAIK Kindle(1,2,iPod) books can still use mobidedrm to strip DRM. However, they also contain the new EXTH 208 (and 209) records that many of us are presuming to be tied to the new scheme that the K4PC uses (which cannot currently make use of mobidedrm, regardless of PID knowledge).

I'm assuming that with the roll-out of the 2.3.0 Kindle version that this will change, but I honestly don't know and have no reason to believe so other than paranoia.

Ahh thanks. I thought that if this were the case there would be a massive outcry here at mobiread

[labba]

Kindle for PC version 1.0 Beta 1 (25338):
i have compared so far 2 type of running one without DRM and the other with DRM i have found that the behavior that decides if to continue or to show an error message is in this sub:

Code:

.text:00414270 sub_414270      proc near               ; CODE XREF: sub_414240:loc_41425Bp
.text:00414270                                         ; sub_4197F0:loc_4199C1p ...
.text:00414270
.text:00414270 var_30          = dword ptr -30h
.text:00414270 var_2C          = dword ptr -2Ch
.text:00414270 var_28          = dword ptr -28h
.text:00414270 var_24          = byte ptr -24h
.text:00414270 var_20          = byte ptr -20h
.text:00414270 var_C           = dword ptr -0Ch
.text:00414270 var_4           = dword ptr -4
.text:00414270
.text:00414270                 push    ebp
.text:00414271                 mov     ebp, esp
.text:00414273                 and     esp, 0FFFFFFF8h
.text:00414276                 mov     eax, large fs:0
.text:0041427C                 push    0FFFFFFFFh
.text:0041427E                 push    offset sub_A01580
.text:00414283                 push    eax
.text:00414284                 mov     large fs:0, esp
.text:0041428B                 sub     esp, 28h
.text:0041428E                 push    ebx
.text:0041428F                 push    esi
.text:00414290                 push    edi
.text:00414291                 mov     edi, ecx
.text:00414293                 mov     ecx, [edi+3Ch]
.text:00414296                 xor     ebx, ebx
.text:00414298                 cmp     ecx, ebx
.text:0041429A                 jz      short loc_4142A4
.text:0041429C                 mov     eax, [ecx]
.text:0041429E                 mov     edx, [eax+2Ch]
.text:004142A1                 push    ebx
.text:004142A2                 call    edx
.text:004142A4
.text:004142A4 loc_4142A4:                             ; CODE XREF: sub_414270+2Aj
.text:004142A4                 mov     eax, dword_D1CB60
.text:004142A9                 mov     [esp+40h+var_30], eax
.text:004142AD                 mov     ecx, 1
.text:004142B2                 lock xadd [eax], ecx
.text:004142B6                 mov     [esp+40h+var_4], ebx
.text:004142BA                 mov     eax, [edi+20h]
.text:004142BD                 cmp     eax, ebx
.text:004142BF                 jz      loc_41443B
.text:004142C5                 cmp     [eax+1Dh], bl
.text:004142C8                 jnz     loc_41443B
.text:004142CE                 cmp     [eax+14h], ebx
.text:004142D1                 jz      loc_4143C4
.text:004142D7                 lea     esi, [esp+40h+var_20]
.text:004142DB                 call    sub_46BFF0
.text:004142E0                 mov     byte ptr [esp+40h+var_4], 1
.text:004142E5                 mov     edx, [edi+20h]
.text:004142E8                 mov     ecx, [edx+14h]
.text:004142EB                 mov     eax, [ecx]
.text:004142ED                 mov     eax, [eax+8]
.text:004142F0                 mov     edx, esi
.text:004142F2                 push    edx
.text:004142F3                 lea     edx, [esp+44h+var_2C]
.text:004142F7                 push    edx
.text:004142F8                 call    eax
.text:004142FA                 lea     ecx, [esp+40h+var_28]
.text:004142FE                 push    ecx
.text:004142FF                 mov     byte ptr [esp+44h+var_4], 2
.text:00414304                 call    sub_43EC40
.text:00414309                 add     esp, 4
.text:0041430C                 push    eax
.text:0041430D                 lea     ecx, [esp+44h+var_30]
.text:00414311                 mov     byte ptr [esp+44h+var_4], 3
.text:00414316                 call    sub_904EE0
.text:0041431B                 mov     byte ptr [esp+40h+var_4], 2
.text:00414320                 mov     edx, [esp+40h+var_28]
.text:00414324                 or      eax, 0FFFFFFFFh
.text:00414327                 lock xadd [edx], eax
.text:0041432B                 jnz     short loc_41433A
.text:0041432D                 mov     ecx, [esp+40h+var_28]
.text:00414331                 push    ecx             ; void *
.text:00414332                 call    j_free
.text:00414337                 add     esp, 4
.text:0041433A
.text:0041433A loc_41433A:                             ; CODE XREF: sub_414270+BBj
.text:0041433A                 mov     ecx, [esp+40h+var_2C]
.text:0041433E                 cmp     ecx, ebx
.text:00414340                 jz      short loc_4143B7
.text:00414342                 push    1
.text:00414344                 push    ecx
.text:00414345                 mov     eax, esp
.text:00414347                 mov     [eax], ecx
.text:00414349                 mov     ecx, [esp+48h+var_2C]
.text:0041434D                 mov     [esp+48h+var_28], esp
.text:00414351                 cmp     ecx, ebx
.text:00414353                 jz      short loc_41435B
.text:00414355                 mov     edx, [ecx]
.text:00414357                 mov     eax, [edx]
.text:00414359                 call    eax
.text:0041435B
.text:0041435B loc_41435B:                             ; CODE XREF: sub_414270+E3j
.text:0041435B                 mov     byte ptr [esp+48h+var_4], 4
.text:00414360                 mov     ecx, [edi+20h]
.text:00414363                 mov     eax, [ecx+14h]
.text:00414366                 push    eax
.text:00414367                 call    sub_402AD0
.text:0041436C                 push    eax
.text:0041436D                 mov     byte ptr [esp+50h+var_4], 2
.text:00414372                 call    sub_403FA0
.text:00414377                 mov     byte ptr [esp+40h+var_4], 1
.text:0041437C                 mov     ecx, [esp+40h+var_2C]
.text:00414380                 cmp     ecx, ebx
.text:00414382                 jz      short loc_41438B
.text:00414384                 mov     edx, [ecx]
.text:00414386                 mov     eax, [edx+4]
.text:00414389                 call    eax
.text:0041438B
.text:0041438B loc_41438B:                             ; CODE XREF: sub_414270+112j
.text:0041438B                 lea     edi, [esp+40h+var_20]
.text:0041438F                 call    sub_403F60
.text:00414394                 mov     [esp+40h+var_4], 0FFFFFFFFh
.text:0041439C                 mov     ecx, [esp+40h+var_30]
.text:004143A0                 or      edx, 0FFFFFFFFh
.text:004143A3                 lock xadd [ecx], edx
.text:004143A7                 jnz     loc_41445D
.text:004143AD                 mov     eax, [esp+40h+var_30]
.text:004143B1                 push    eax
.text:004143B2                 jmp     loc_414455
.text:004143B7 ; ---------------------------------------------------------------------------
.text:004143B7
.text:004143B7 loc_4143B7:                             ; CODE XREF: sub_414270+D0j
.text:004143B7                 lea     edi, [esp+40h+var_20]
.text:004143BB                 mov     byte ptr [esp+40h+var_4], bl
.text:004143BF                 call    sub_403F60
.text:004143C4
.text:004143C4 loc_4143C4:                             ; CODE XREF: sub_414270+61j
.text:004143C4                 lea     ecx, [esp+40h+var_28]
.text:004143C8                 push    ecx
.text:004143C9                 call    sub_401500
.text:004143CE                 add     esp, 4
.text:004143D1                 push    offset aCouldNotOpenBo ; "Could not open book, shoot!"
.text:004143D6                 mov     ecx, eax
.text:004143D8                 mov     byte ptr [esp+44h+var_4], 5
.text:004143DD                 call    sub_401410
.text:004143E2                 lea     ecx, [esp+40h+var_28]
.text:004143E6                 mov     byte ptr [esp+40h+var_4], bl
.text:004143EA                 call    sub_401340
.text:004143EF                 mov     edx, dword_D1FD6C
.text:004143F5                 push    ecx             ; void *
.text:004143F6                 mov     eax, esp
.text:004143F8                 mov     [eax], edx
.text:004143FA                 mov     [esp+44h+var_2C], esp
.text:004143FE                 mov     eax, edx
.text:00414400                 mov     ecx, 1
.text:00414405                 lock xadd [eax], ecx
.text:00414409                 mov     edx, [esp+44h+var_30]
.text:0041440D                 push    ecx             ; void *
.text:0041440E                 mov     eax, esp
.text:00414410                 mov     [eax], edx
.text:00414412                 mov     eax, [esp+48h+var_30]
.text:00414416                 mov     dword ptr [esp+48h+var_24], esp
.text:0041441A                 mov     ecx, 1
.text:0041441F                 lock xadd [eax], ecx
.text:00414423                 mov     byte ptr [esp+48h+var_4], 7
.text:00414428                 call    sub_408980
.text:0041442D                 mov     eax, [eax+40h]
.text:00414430                 mov     edi, eax
.text:00414432                 mov     byte ptr [esp+48h+var_4], bl
.text:00414436                 call    BadBoy
.text:0041443B
.text:0041443B loc_41443B:                             ; CODE XREF: sub_414270+4Fj
.text:0041443B                                         ; sub_414270+58j
.text:0041443B                 mov     [esp+40h+var_4], 0FFFFFFFFh
.text:00414443                 mov     edx, [esp+40h+var_30]
.text:00414447                 or      eax, 0FFFFFFFFh
.text:0041444A                 lock xadd [edx], eax
.text:0041444E                 jnz     short loc_41445D
.text:00414450                 mov     ecx, [esp+40h+var_30]
.text:00414454                 push    ecx             ; void *
.text:00414455
.text:00414455 loc_414455:                             ; CODE XREF: sub_414270+142j
.text:00414455                 call    j_free
.text:0041445A                 add     esp, 4
.text:0041445D
.text:0041445D loc_41445D:                             ; CODE XREF: sub_414270+137j
.text:0041445D                                         ; sub_414270+1DEj
.text:0041445D                 mov     ecx, [esp+40h+var_C]
.text:00414461                 pop     edi
.text:00414462                 pop     esi
.text:00414463                 mov     large fs:0, ecx
.text:0041446A                 pop     ebx
.text:0041446B                 mov     esp, ebp
.text:0041446D                 pop     ebp
.text:0041446E                 retn

the critical point of good and bad jump is in this place
00414340 JE SHORT

if all is good the the jump shouldn't be taken if its bad then it is taken
and then we will get to the private error string:
"Could not open book, shoot!"

thats all for now..

Regards,
LaBBa.

[labba]

hi all news:
i have looked a littel on the source code of : MobiDeDRM
and from what i have seen there is a vector like this:

Code:

def parseDRM(self, data, count, pid):
	pid = pid.ljust(16,'\0')
	keyvec1 = "\x72\x38\x33\xB0\xB4\xF2\xE3\xCA\xDF\x09\x01\xD6\xE2\xE0\x3F\x96"
	temp_key = PC1(keyvec1, pid, False)
	temp_key_sum = sum(map(ord,temp_key)) & 0xff

i looked this bytes in the Kindle for PC:
\x72\x38\x33\xB0\xB4\xF2\xE3\xCA\xDF\x09\x01\xD6\x E2\xE0\x3F\x96

and yes i found it!

Code:

005709AA                 mov     ecx, ds:dword_BFC5A8 ; keyvec1 like in - MobiDeDRM
.text:005709B0                 mov     edx, ds:dword_BFC5AC
.text:005709B6                 mov     eax, ds:dword_BFC5B0
.text:005709BB                 mov     [esp+0C4h+var_AC], ecx
.text:005709BF                 mov     ecx, ds:dword_BFC5B4
.text:005709C5                 mov     [esp+0C4h+var_98], 3
.text:005709CD                 mov     [esp+0C4h+var_A8], edx
.text:005709D1                 mov     [esp+0C4h+var_A4], eax
.text:005709D5                 mov     [esp+0C4h+var_A0], ecx
.text:005709D9                 jz      loc_570ABC
.text:005709DF                 mov     dword ptr [ebp+4], 1
.text:005709E6                 jmp     loc_570ABC

currently i'm starting to debug to see when it is used...

Regards,
LaBBa.