Friday, May 28, 2010

Unswindle.PYW Script (v.06)

Unswindle.pyw no longer appears to be working, at least with as of May 20th, with the latest K4PC update.

Try Unskindle, with the step by step.






Below the **** line is the script for Unswindle.pyw (version 6), the decrypter necessary to turn .AZW [kindle] files into .mobi files.

You'll need Python 2.6 installed and K4PC installed with an amazon account set up. [Kindle for PC]. You will also need Mobidedrm.py in the same directory as the Unswindle.pyw to remove the DRM.

1: Save this script as Unswindle.pyw in your Python directory

2: VERY IMPORTANT-double click [or single if you have your setup to emulate a webpage] the Unswindle.pyw file. Do NOT open and run it with the Python Gui [IDLE].

3: K4PC will open.

4: Select the book you want to unlock and actually open it.

5: Close K4PC

6: After closing, a new window will pop up with the title "Select Unencrypted Mobipocket File to produce". This is where you type in what you want the new unencrypted file to be called. Default location is your python directory.

7: Type in the title, and bam, you have a new .mobi file, fully ready to be changed to whatever format you desire. I recommend Calibre, a fantastic free piece of software.


So there you go. Oh, yeah. Doesn't work on .TPZ[Topaz] files. When I find the stuff for that, I'll be posting it here too.


I am not 100% sure this script will work with a copy and paste because some of the indents might have been impacted when I copied them here to blogger. But the page size is the same as the python gui page, so it "should" be ok. If you have a problem, email me and I'll email the actual Unswindle.pyw file to you.

Elfenknight@juno.com

ps,
don't forget to click on the label "code" at the bottom right of the post to see my other script posts

*************************************************************************************

# Revision history:
# 1 - Initial release
# 2 - Fixes to work properly on Windows versions >XP
# 3 - Fix minor bug in path extraction
# 4 - Fix error opening threads; detect Topaz books;
# detect unsupported versions of K4PC
# 5 - Work with new (20091222) version of K4PC
# 6 - Detect and just copy DRM-free books

"""
Decrypt Kindle For PC encrypted Mobipocket books.
"""

__license__ = 'GPL v3'

import sys
import os
import re
import tempfile
import shutil
import subprocess
import struct
import hashlib
import ctypes
from ctypes import *
from ctypes.wintypes import *
import binascii
import _winreg as winreg
import Tkinter
import Tkconstants
import tkMessageBox
import tkFileDialog
import traceback

#
# _extrawintypes.py

UBYTE = c_ubyte
ULONG_PTR = POINTER(ULONG)
PULONG = ULONG_PTR
PVOID = LPVOID
LPCTSTR = LPTSTR = c_wchar_p
LPBYTE = c_char_p
SIZE_T = c_uint
SIZE_T_p = POINTER(SIZE_T)

#
# _ntdll.py

NTSTATUS = DWORD

ntdll = windll.ntdll

class PROCESS_BASIC_INFORMATION(Structure):
_fields_ = [('Reserved1', PVOID),
('PebBaseAddress', PVOID),
('Reserved2', PVOID * 2),
('UniqueProcessId', ULONG_PTR),
('Reserved3', PVOID)]

# NTSTATUS WINAPI NtQueryInformationProcess(
# __in HANDLE ProcessHandle,
# __in PROCESSINFOCLASS ProcessInformationClass,
# __out PVOID ProcessInformation,
# __in ULONG ProcessInformationLength,
# __out_opt PULONG ReturnLength
# );
NtQueryInformationProcess = ntdll.NtQueryInformationProcess
NtQueryInformationProcess.argtypes = [HANDLE, DWORD, PVOID, ULONG, PULONG]
NtQueryInformationProcess.restype = NTSTATUS

#
# _kernel32.py

INFINITE = 0xffffffff

CREATE_UNICODE_ENVIRONMENT = 0x00000400
DEBUG_ONLY_THIS_PROCESS = 0x00000002
DEBUG_PROCESS = 0x00000001

THREAD_GET_CONTEXT = 0x0008
THREAD_QUERY_INFORMATION = 0x0040
THREAD_SET_CONTEXT = 0x0010
THREAD_SET_INFORMATION = 0x0020

EXCEPTION_BREAKPOINT = 0x80000003
EXCEPTION_SINGLE_STEP = 0x80000004
EXCEPTION_ACCESS_VIOLATION = 0xC0000005

DBG_CONTINUE = 0x00010002L
DBG_EXCEPTION_NOT_HANDLED = 0x80010001L

EXCEPTION_DEBUG_EVENT = 1
CREATE_THREAD_DEBUG_EVENT = 2
CREATE_PROCESS_DEBUG_EVENT = 3
EXIT_THREAD_DEBUG_EVENT = 4
EXIT_PROCESS_DEBUG_EVENT = 5
LOAD_DLL_DEBUG_EVENT = 6
UNLOAD_DLL_DEBUG_EVENT = 7
OUTPUT_DEBUG_STRING_EVENT = 8
RIP_EVENT = 9

class DataBlob(Structure):
_fields_ = [('cbData', c_uint),
('pbData', c_void_p)]
DataBlob_p = POINTER(DataBlob)

class SECURITY_ATTRIBUTES(Structure):
_fields_ = [('nLength', DWORD),
('lpSecurityDescriptor', LPVOID),
('bInheritHandle', BOOL)]
LPSECURITY_ATTRIBUTES = POINTER(SECURITY_ATTRIBUTES)

class STARTUPINFO(Structure):
_fields_ = [('cb', DWORD),
('lpReserved', LPTSTR),
('lpDesktop', LPTSTR),
('lpTitle', LPTSTR),
('dwX', DWORD),
('dwY', DWORD),
('dwXSize', DWORD),
('dwYSize', DWORD),
('dwXCountChars', DWORD),
('dwYCountChars', DWORD),
('dwFillAttribute', DWORD),
('dwFlags', DWORD),
('wShowWindow', WORD),
('cbReserved2', WORD),
('lpReserved2', LPBYTE),
('hStdInput', HANDLE),
('hStdOutput', HANDLE),
('hStdError', HANDLE)]
LPSTARTUPINFO = POINTER(STARTUPINFO)

class PROCESS_INFORMATION(Structure):
_fields_ = [('hProcess', HANDLE),
('hThread', HANDLE),
('dwProcessId', DWORD),
('dwThreadId', DWORD)]
LPPROCESS_INFORMATION = POINTER(PROCESS_INFORMATION)

EXCEPTION_MAXIMUM_PARAMETERS = 15
class EXCEPTION_RECORD(Structure):
pass
EXCEPTION_RECORD._fields_ = [
('ExceptionCode', DWORD),
('ExceptionFlags', DWORD),
('ExceptionRecord', POINTER(EXCEPTION_RECORD)),
('ExceptionAddress', LPVOID),
('NumberParameters', DWORD),
('ExceptionInformation', ULONG_PTR * EXCEPTION_MAXIMUM_PARAMETERS)]

class EXCEPTION_DEBUG_INFO(Structure):
_fields_ = [('ExceptionRecord', EXCEPTION_RECORD),
('dwFirstChance', DWORD)]

class CREATE_THREAD_DEBUG_INFO(Structure):
_fields_ = [('hThread', HANDLE),
('lpThreadLocalBase', LPVOID),
('lpStartAddress', LPVOID)]

class CREATE_PROCESS_DEBUG_INFO(Structure):
_fields_ = [('hFile', HANDLE),
('hProcess', HANDLE),
('hThread', HANDLE),
('dwDebugInfoFileOffset', DWORD),
('nDebugInfoSize', DWORD),
('lpThreadLocalBase', LPVOID),
('lpStartAddress', LPVOID),
('lpImageName', LPVOID),
('fUnicode', WORD)]

class EXIT_THREAD_DEBUG_INFO(Structure):
_fields_ = [('dwExitCode', DWORD)]

class EXIT_PROCESS_DEBUG_INFO(Structure):
_fields_ = [('dwExitCode', DWORD)]

class LOAD_DLL_DEBUG_INFO(Structure):
_fields_ = [('hFile', HANDLE),
('lpBaseOfDll', LPVOID),
('dwDebugInfoFileOffset', DWORD),
('nDebugInfoSize', DWORD),
('lpImageName', LPVOID),
('fUnicode', WORD)]

class UNLOAD_DLL_DEBUG_INFO(Structure):
_fields_ = [('lpBaseOfDll', LPVOID)]

class OUTPUT_DEBUG_STRING_INFO(Structure):
_fields_ = [('lpDebugStringData', LPSTR),
('fUnicode', WORD),
('nDebugStringLength', WORD)]

class RIP_INFO(Structure):
_fields_ = [('dwError', DWORD),
('dwType', DWORD)]

class _U(Union):
_fields_ = [('Exception', EXCEPTION_DEBUG_INFO),
('CreateThread', CREATE_THREAD_DEBUG_INFO),
('CreateProcessInfo', CREATE_PROCESS_DEBUG_INFO),
('ExitThread', EXIT_THREAD_DEBUG_INFO),
('ExitProcess', EXIT_PROCESS_DEBUG_INFO),
('LoadDll', LOAD_DLL_DEBUG_INFO),
('UnloadDll', UNLOAD_DLL_DEBUG_INFO),
('DebugString', OUTPUT_DEBUG_STRING_INFO),
('RipInfo', RIP_INFO)]

class DEBUG_EVENT(Structure):
_anonymous_ = ('u',)
_fields_ = [('dwDebugEventCode', DWORD),
('dwProcessId', DWORD),
('dwThreadId', DWORD),
('u', _U)]
LPDEBUG_EVENT = POINTER(DEBUG_EVENT)

CONTEXT_X86 = 0x00010000
CONTEXT_i386 = CONTEXT_X86
CONTEXT_i486 = CONTEXT_X86

CONTEXT_CONTROL = (CONTEXT_i386 | 0x0001) # SS:SP, CS:IP, FLAGS, BP
CONTEXT_INTEGER = (CONTEXT_i386 | 0x0002) # AX, BX, CX, DX, SI, DI
CONTEXT_SEGMENTS = (CONTEXT_i386 | 0x0004) # DS, ES, FS, GS
CONTEXT_FLOATING_POINT = (CONTEXT_i386 | 0x0008L) # 387 state
CONTEXT_DEBUG_REGISTERS = (CONTEXT_i386 | 0x0010L) # DB 0-3,6,7
CONTEXT_EXTENDED_REGISTERS = (CONTEXT_i386 | 0x0020L)
CONTEXT_FULL = (CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS)
CONTEXT_ALL = (CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS |
CONTEXT_FLOATING_POINT | CONTEXT_DEBUG_REGISTERS |
CONTEXT_EXTENDED_REGISTERS)

SIZE_OF_80387_REGISTERS = 80
class FLOATING_SAVE_AREA(Structure):
_fields_ = [('ControlWord', DWORD),
('StatusWord', DWORD),
('TagWord', DWORD),
('ErrorOffset', DWORD),
('ErrorSelector', DWORD),
('DataOffset', DWORD),
('DataSelector', DWORD),
('RegisterArea', BYTE * SIZE_OF_80387_REGISTERS),
('Cr0NpxState', DWORD)]

MAXIMUM_SUPPORTED_EXTENSION = 512
class CONTEXT(Structure):
_fields_ = [('ContextFlags', DWORD),
('Dr0', DWORD),
('Dr1', DWORD),
('Dr2', DWORD),
('Dr3', DWORD),
('Dr6', DWORD),
('Dr7', DWORD),
('FloatSave', FLOATING_SAVE_AREA),
('SegGs', DWORD),
('SegFs', DWORD),
('SegEs', DWORD),
('SegDs', DWORD),
('Edi', DWORD),
('Esi', DWORD),
('Ebx', DWORD),
('Edx', DWORD),
('Ecx', DWORD),
('Eax', DWORD),
('Ebp', DWORD),
('Eip', DWORD),
('SegCs', DWORD),
('EFlags', DWORD),
('Esp', DWORD),
('SegSs', DWORD),
('ExtendedRegisters', BYTE * MAXIMUM_SUPPORTED_EXTENSION)]
LPCONTEXT = POINTER(CONTEXT)

class LDT_ENTRY(Structure):
_fields_ = [('LimitLow', WORD),
('BaseLow', WORD),
('BaseMid', UBYTE),
('Flags1', UBYTE),
('Flags2', UBYTE),
('BaseHi', UBYTE)]
LPLDT_ENTRY = POINTER(LDT_ENTRY)

kernel32 = windll.kernel32

# BOOL WINAPI CloseHandle(
# __in HANDLE hObject
# );
CloseHandle = kernel32.CloseHandle
CloseHandle.argtypes = [HANDLE]
CloseHandle.restype = BOOL

# BOOL WINAPI CreateProcess(
# __in_opt LPCTSTR lpApplicationName,
# __inout_opt LPTSTR lpCommandLine,
# __in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
# __in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
# __in BOOL bInheritHandles,
# __in DWORD dwCreationFlags,
# __in_opt LPVOID lpEnvironment,
# __in_opt LPCTSTR lpCurrentDirectory,
# __in LPSTARTUPINFO lpStartupInfo,
# __out LPPROCESS_INFORMATION lpProcessInformation
# );
CreateProcess = kernel32.CreateProcessW
CreateProcess.argtypes = [LPCTSTR, LPTSTR, LPSECURITY_ATTRIBUTES,
LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCTSTR,
LPSTARTUPINFO, LPPROCESS_INFORMATION]
CreateProcess.restype = BOOL

# HANDLE WINAPI OpenThread(
# __in DWORD dwDesiredAccess,
# __in BOOL bInheritHandle,
# __in DWORD dwThreadId
# );
OpenThread = kernel32.OpenThread
OpenThread.argtypes = [DWORD, BOOL, DWORD]
OpenThread.restype = HANDLE

# BOOL WINAPI ContinueDebugEvent(
# __in DWORD dwProcessId,
# __in DWORD dwThreadId,
# __in DWORD dwContinueStatus
# );
ContinueDebugEvent = kernel32.ContinueDebugEvent
ContinueDebugEvent.argtypes = [DWORD, DWORD, DWORD]
ContinueDebugEvent.restype = BOOL

# BOOL WINAPI DebugActiveProcess(
# __in DWORD dwProcessId
# );
DebugActiveProcess = kernel32.DebugActiveProcess
DebugActiveProcess.argtypes = [DWORD]
DebugActiveProcess.restype = BOOL

# BOOL WINAPI GetThreadContext(
# __in HANDLE hThread,
# __inout LPCONTEXT lpContext
# );
GetThreadContext = kernel32.GetThreadContext
GetThreadContext.argtypes = [HANDLE, LPCONTEXT]
GetThreadContext.restype = BOOL

# BOOL WINAPI GetThreadSelectorEntry(
# __in HANDLE hThread,
# __in DWORD dwSelector,
# __out LPLDT_ENTRY lpSelectorEntry
# );
GetThreadSelectorEntry = kernel32.GetThreadSelectorEntry
GetThreadSelectorEntry.argtypes = [HANDLE, DWORD, LPLDT_ENTRY]
GetThreadSelectorEntry.restype = BOOL

# BOOL WINAPI ReadProcessMemory(
# __in HANDLE hProcess,
# __in LPCVOID lpBaseAddress,
# __out LPVOID lpBuffer,
# __in SIZE_T nSize,
# __out SIZE_T *lpNumberOfBytesRead
# );
ReadProcessMemory = kernel32.ReadProcessMemory
ReadProcessMemory.argtypes = [HANDLE, LPCVOID, LPVOID, SIZE_T, SIZE_T_p]
ReadProcessMemory.restype = BOOL

# BOOL WINAPI SetThreadContext(
# __in HANDLE hThread,
# __in const CONTEXT *lpContext
# );
SetThreadContext = kernel32.SetThreadContext
SetThreadContext.argtypes = [HANDLE, LPCONTEXT]
SetThreadContext.restype = BOOL

# BOOL WINAPI WaitForDebugEvent(
# __out LPDEBUG_EVENT lpDebugEvent,
# __in DWORD dwMilliseconds
# );
WaitForDebugEvent = kernel32.WaitForDebugEvent
WaitForDebugEvent.argtypes = [LPDEBUG_EVENT, DWORD]
WaitForDebugEvent.restype = BOOL

# BOOL WINAPI WriteProcessMemory(
# __in HANDLE hProcess,
# __in LPVOID lpBaseAddress,
# __in LPCVOID lpBuffer,
# __in SIZE_T nSize,
# __out SIZE_T *lpNumberOfBytesWritten
# );
WriteProcessMemory = kernel32.WriteProcessMemory
WriteProcessMemory.argtypes = [HANDLE, LPVOID, LPCVOID, SIZE_T, SIZE_T_p]
WriteProcessMemory.restype = BOOL

# BOOL WINAPI FlushInstructionCache(
# __in HANDLE hProcess,
# __in LPCVOID lpBaseAddress,
# __in SIZE_T dwSize
# );
FlushInstructionCache = kernel32.FlushInstructionCache
FlushInstructionCache.argtypes = [HANDLE, LPCVOID, SIZE_T]
FlushInstructionCache.restype = BOOL


#
# debugger.py

FLAG_TRACE_BIT = 0x100

class DebuggerError(Exception):
pass

class Debugger(object):
def __init__(self, process_info):
self.process_info = process_info
self.pid = process_info.dwProcessId
self.tid = process_info.dwThreadId
self.hprocess = process_info.hProcess
self.hthread = process_info.hThread
self._threads = {self.tid: self.hthread}
self._processes = {self.pid: self.hprocess}
self._bps = {}
self._inactive = {}

def read_process_memory(self, addr, size=None, type=str):
if issubclass(type, basestring):
buf = ctypes.create_string_buffer(size)
ref = buf
else:
size = ctypes.sizeof(type)
buf = type()
ref = byref(buf)
copied = SIZE_T(0)
rv = ReadProcessMemory(self.hprocess, addr, ref, size, byref(copied))
if not rv:
addr = getattr(addr, 'value', addr)
raise DebuggerError("could not read memory @ 0x%08x" % (addr,))
if copied.value != size:
raise DebuggerError("insufficient memory read")
if issubclass(type, basestring):
return buf.raw
return buf

def set_bp(self, addr, callback, bytev=None):
hprocess = self.hprocess
if bytev is None:
byte = self.read_process_memory(addr, type=ctypes.c_byte)
bytev = byte.value
else:
byte = ctypes.c_byte(0)
self._bps[addr] = (bytev, callback)
byte.value = 0xcc
copied = SIZE_T(0)
rv = WriteProcessMemory(hprocess, addr, byref(byte), 1, byref(copied))
if not rv:
addr = getattr(addr, 'value', addr)
raise DebuggerError("could not write memory @ 0x%08x" % (addr,))
if copied.value != 1:
raise DebuggerError("insufficient memory written")
rv = FlushInstructionCache(hprocess, None, 0)
if not rv:
raise DebuggerError("could not flush instruction cache")
return

def _restore_bps(self):
for addr, (bytev, callback) in self._inactive.items():
self.set_bp(addr, callback, bytev=bytev)
self._inactive.clear()

def _handle_bp(self, addr):
hprocess = self.hprocess
hthread = self.hthread
bytev, callback = self._inactive[addr] = self._bps.pop(addr)
byte = ctypes.c_byte(bytev)
copied = SIZE_T(0)
rv = WriteProcessMemory(hprocess, addr, byref(byte), 1, byref(copied))
if not rv:
raise DebuggerError("could not write memory")
if copied.value != 1:
raise DebuggerError("insufficient memory written")
rv = FlushInstructionCache(hprocess, None, 0)
if not rv:
raise DebuggerError("could not flush instruction cache")
context = CONTEXT(ContextFlags=CONTEXT_FULL)
rv = GetThreadContext(hthread, byref(context))
if not rv:
raise DebuggerError("could not get thread context")
context.Eip = addr
callback(self, context)
context.EFlags |= FLAG_TRACE_BIT
rv = SetThreadContext(hthread, byref(context))
if not rv:
raise DebuggerError("could not set thread context")
return

def _get_peb_address(self):
hthread = self.hthread
hprocess = self.hprocess
try:
pbi = PROCESS_BASIC_INFORMATION()
rv = NtQueryInformationProcess(hprocess, 0, byref(pbi),
sizeof(pbi), None)
if rv != 0:
raise DebuggerError("could not query process information")
return pbi.PebBaseAddress
except DebuggerError:
pass
try:
context = CONTEXT(ContextFlags=CONTEXT_FULL)
rv = GetThreadContext(hthread, byref(context))
if not rv:
raise DebuggerError("could not get thread context")
entry = LDT_ENTRY()
rv = GetThreadSelectorEntry(hthread, context.SegFs, byref(entry))
if not rv:
raise DebuggerError("could not get selector entry")
low, mid, high = entry.BaseLow, entry.BaseMid, entry.BaseHi
fsbase = low | (mid << 16) | (high << 24) pebaddr = self.read_process_memory(fsbase + 0x30, type=c_voidp) return pebaddr.value except DebuggerError: pass return 0x7ffdf000 def get_base_address(self): addr = self._get_peb_address() + (2 * 4) baseaddr = self.read_process_memory(addr, type=c_voidp) return baseaddr.value def main_loop(self): event = DEBUG_EVENT() finished = False while not finished: rv = WaitForDebugEvent(byref(event), INFINITE) if not rv: raise DebuggerError("could not get debug event") self.pid = pid = event.dwProcessId self.tid = tid = event.dwThreadId self.hprocess = self._processes.get(pid, None) self.hthread = self._threads.get(tid, None) status = DBG_CONTINUE evid = event.dwDebugEventCode if evid == EXCEPTION_DEBUG_EVENT: first = event.Exception.dwFirstChance record = event.Exception.ExceptionRecord exid = record.ExceptionCode flags = record.ExceptionFlags addr = record.ExceptionAddress if exid == EXCEPTION_BREAKPOINT: if addr in self._bps: self._handle_bp(addr) elif exid == EXCEPTION_SINGLE_STEP: self._restore_bps() else: status = DBG_EXCEPTION_NOT_HANDLED elif evid == LOAD_DLL_DEBUG_EVENT: hfile = event.LoadDll.hFile if hfile is not None: rv = CloseHandle(hfile) if not rv: raise DebuggerError("error closing file handle") elif evid == CREATE_THREAD_DEBUG_EVENT: info = event.CreateThread self.hthread = info.hThread self._threads[tid] = self.hthread elif evid == EXIT_THREAD_DEBUG_EVENT: hthread = self._threads.pop(tid, None) if hthread is not None: rv = CloseHandle(hthread) if not rv: raise DebuggerError("error closing thread handle") elif evid == CREATE_PROCESS_DEBUG_EVENT: info = event.CreateProcessInfo self.hprocess = info.hProcess self._processes[pid] = self.hprocess elif evid == EXIT_PROCESS_DEBUG_EVENT: hprocess = self._processes.pop(pid, None) if hprocess is not None: rv = CloseHandle(hprocess) if not rv: raise DebuggerError("error closing process handle") if pid == self.process_info.dwProcessId: finished = True rv = ContinueDebugEvent(pid, tid, status) if not rv: raise DebuggerError("could not continue debug") return True # # unswindle.py KINDLE_REG_KEY = \ r'Software\Classes\Amazon.KindleForPC.content\shell\open\command' class UnswindleError(Exception): pass class PC1KeyGrabber(object): HOOKS = { 'b9f7e422094b8c8966a0e881e6358116e03e5b7b': { 0x004a719d: '_no_debugger_here', 0x005a795b: '_no_debugger_here', 0x0054f7e0: '_get_pc1_pid', 0x004f9c79: '_get_book_path', }, 'd5124ee20dab10e44b41a039363f6143725a5417': { 0x0041150d: '_i_like_wine', 0x004a681d: '_no_debugger_here', 0x005a438b: '_no_debugger_here', 0x0054c9e0: '_get_pc1_pid', 0x004f8ac9: '_get_book_path', }, } @classmethod def supported_version(cls, hexdigest): return (hexdigest in cls.HOOKS) def _taddr(self, addr): return (addr - 0x00400000) + self.baseaddr def __init__(self, debugger, hexdigest): self.book_path = None self.book_pid = None self.baseaddr = debugger.get_base_address() hooks = self.HOOKS[hexdigest] for addr, mname in hooks.items(): debugger.set_bp(self._taddr(addr), getattr(self, mname)) def _i_like_wine(self, debugger, context): context.Eax = 1 return def _no_debugger_here(self, debugger, context): context.Eip += 2 context.Eax = 0 return def _get_book_path(self, debugger, context): addr = debugger.read_process_memory(context.Esp, type=ctypes.c_voidp) try: path = debugger.read_process_memory(addr, 4096) except DebuggerError: pgrest = 0x1000 - (addr.value & 0xfff) path = debugger.read_process_memory(addr, pgrest) path = path.decode('utf-16', 'ignore') if u'\0' in path: path = path[:path.index(u'\0')] if path[-4:].lower() not in ('.prc', '.pdb', '.mobi'): return self.book_path = path def _get_pc1_pid(self, debugger, context): addr = context.Esp + ctypes.sizeof(ctypes.c_voidp) addr = debugger.read_process_memory(addr, type=ctypes.c_char_p) pid = debugger.read_process_memory(addr, 8) pid = self._checksum_pid(pid) print pid self.book_pid = pid def _checksum_pid(self, s): letters = "ABCDEFGHIJKLMNPQRSTUVWXYZ123456789" crc = (~binascii.crc32(s,-1))&0xFFFFFFFF crc = crc ^ (crc >> 16)
res = s
l = len(letters)
for i in (0,1):
b = crc & 0xff
pos = (b // l) ^ (b % l)
res += letters[pos%l]
crc >>= 8
return res

class MobiParser(object):
def __init__(self, data):
self.data = data
header = data[0:72]
if header[0x3C:0x3C+8] != 'BOOKMOBI':
raise UnswindleError("invalid file format")
self.nsections = nsections = struct.unpack('>H', data[76:78])[0]
self.sections = sections = []
for i in xrange(nsections):
offset, a1, a2, a3, a4 = \
struct.unpack('>LBBBB', data[78+i*8:78+i*8+8])
flags, val = a1, ((a2 << 16) | (a3 << 8) | a4) sections.append((offset, flags, val)) sect = self.load_section(0) self.crypto_type = struct.unpack('>H', sect[0x0c:0x0c+2])[0]

def load_section(self, snum):
if (snum + 1) == self.nsections:
endoff = len(self.data)
else:
endoff = self.sections[snum + 1][0]
off = self.sections[snum][0]
return self.data[off:endoff]

class Unswindler(object):
def __init__(self):
self._exepath = self._get_exe_path()
self._hexdigest = self._get_hexdigest()
self._exedir = os.path.dirname(self._exepath)
self._mobidedrmpath = self._get_mobidedrm_path()

def _get_mobidedrm_path(self):
basedir = sys.modules[self.__module__].__file__
basedir = os.path.dirname(basedir)
for basename in ('mobidedrm', 'mobidedrm.py', 'mobidedrm.pyw'):
path = os.path.join(basedir, basename)
if os.path.isfile(path):
return path
raise UnswindleError("could not locate MobiDeDRM script")

def _get_exe_path(self):
path = None
for root in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
try:
regkey = winreg.OpenKey(root, KINDLE_REG_KEY)
path = winreg.QueryValue(regkey, None)
break
except WindowsError:
pass
else:
raise UnswindleError("Kindle For PC installation not found")
if '"' in path:
path = re.search(r'"(.*?)"', path).group(1)
return path

def _get_hexdigest(self):
path = self._exepath
sha1 = hashlib.sha1()
with open(path, 'rb') as f:
data = f.read(4096)
while data:
sha1.update(data)
data = f.read(4096)
hexdigest = sha1.hexdigest()
if not PC1KeyGrabber.supported_version(hexdigest):
raise UnswindleError("Unsupported version of Kindle For PC")
return hexdigest

def _check_topaz(self, path):
with open(path, 'rb') as f:
magic = f.read(4)
if magic == 'TPZ0':
return True
return False

def _check_drm_free(self, path):
with open(path, 'rb') as f:
crypto = MobiParser(f.read()).crypto_type
return (crypto == 0)

def get_book(self):
creation_flags = (CREATE_UNICODE_ENVIRONMENT |
DEBUG_PROCESS |
DEBUG_ONLY_THIS_PROCESS)
startup_info = STARTUPINFO()
process_info = PROCESS_INFORMATION()
path = pid = None
try:
rv = CreateProcess(self._exepath, None, None, None, False,
creation_flags, None, self._exedir,
byref(startup_info), byref(process_info))
if not rv:
raise UnswindleError("failed to launch Kindle For PC")
debugger = Debugger(process_info)
grabber = PC1KeyGrabber(debugger, self._hexdigest)
debugger.main_loop()
path = grabber.book_path
pid = grabber.book_pid
finally:
if process_info.hThread is not None:
CloseHandle(process_info.hThread)
if process_info.hProcess is not None:
CloseHandle(process_info.hProcess)
if path is None:
raise UnswindleError("failed to determine book path")
if self._check_topaz(path):
raise UnswindleError("cannot decrypt Topaz format book")
return (path, pid)

def decrypt_book(self, inpath, outpath, pid):
if self._check_drm_free(inpath):
shutil.copy(inpath, outpath)
else:
self._mobidedrm(inpath, outpath, pid)
return

def _mobidedrm(self, inpath, outpath, pid):
# darkreverser didn't protect mobidedrm's script execution to allow
# importing, so we have to just run it in a subprocess
if pid is None:
raise UnswindleError("failed to determine book PID")
with tempfile.NamedTemporaryFile(delete=False) as tmpf:
tmppath = tmpf.name
args = [sys.executable, self._mobidedrmpath, inpath, tmppath, pid]
mobidedrm = subprocess.Popen(args, stderr=subprocess.STDOUT,
stdout=subprocess.PIPE,
universal_newlines=True)
output = mobidedrm.communicate()[0]
if not output.endswith("done\n"):
try:
os.remove(tmppath)
except OSError:
pass
raise UnswindleError("problem running MobiDeDRM:\n" + output)
shutil.move(tmppath, outpath)
return

class ExceptionDialog(Tkinter.Frame):
def __init__(self, root, text):
Tkinter.Frame.__init__(self, root, border=5)
label = Tkinter.Label(self, text="Unexpected error:",
anchor=Tkconstants.W, justify=Tkconstants.LEFT)
label.pack(fill=Tkconstants.X, expand=0)
self.text = Tkinter.Text(self)
self.text.pack(fill=Tkconstants.BOTH, expand=1)
self.text.insert(Tkconstants.END, text)

def gui_main(argv=sys.argv):
root = Tkinter.Tk()
root.withdraw()
progname = os.path.basename(argv[0])
try:
unswindler = Unswindler()
inpath, pid = unswindler.get_book()
outpath = tkFileDialog.asksaveasfilename(
parent=None, title='Select unencrypted Mobipocket file to produce',
defaultextension='.mobi', filetypes=[('MOBI files', '.mobi'),
('All files', '.*')])
if not outpath:
return 0
unswindler.decrypt_book(inpath, outpath, pid)
except UnswindleError, e:
tkMessageBox.showerror("Unswindle For PC", "Error: " + str(e))
return 1
except Exception:
root.wm_state('normal')
root.title('Unswindle For PC')
text = traceback.format_exc()
ExceptionDialog(root, text).pack(fill=Tkconstants.BOTH, expand=1)
root.mainloop()
return 1

def cli_main(argv=sys.argv):
progname = os.path.basename(argv[0])
args = argv[1:]
if len(args) != 1:
sys.stderr.write("usage: %s OUTFILE\n" % (progname,))
return 1
outpath = args[0]
unswindler = Unswindler()
inpath, pid = unswindler.get_book()
unswindler.decrypt_book(inpath, outpath, pid)
return 0

if __name__ == '__main__':
sys.exit(gui_main())

No comments:

Followers