Posts Tagged code

Kindle DRM Cracked

Posted by on Wednesday, 23 December, 2009

Looks like somebody had a little free time and decided to crack the kindle code. They have amusingly called the python code to do so ‘swindle’

On a side note, here is an excellent website pointed out to me who does what with your privacy on e-book readers http://www.eff.org/deeplinks/2009/12/e-book-privacy

You can find the original code here http://pastie.org/753699

In case it disappears, here it is

#! /usr/bin/python
 
# unswindle.pyw, version 5-rc1
 
# To run this program install a 32-bit version of Python 2.6 from
# <http://www.python.org/download/>.  Save this script file as unswindle.pyw.
# Find and save in the same directory a copy of mobidedrm.py.  Double-click on
# unswindle.pyw.  It will run Kindle For PC.  Open the book you want to
# decrypt.  Close Kindle For PC.  A dialog will open allowing you to select the
# output file.  And you're done!
 
# Revision history:
#   1 - Initial release
#   2 - Fixes to work properly on Windows versions >XP
#   3 - Fix minor bug in path extraction
#   4 - Fix error opening threads; detect Topaz books;
#       detect unsupported versions of K4PC
#   5 - Work on new (20091222) version of K4PC
 
"""
Decrypt Kindle For PC encrypted Mobipocket books.
"""
 
__license__ = 'GPL v3'
 
import sys
import os
import re
import tempfile
import shutil
import subprocess
import struct
import hashlib
import ctypes
from ctypes import *
from ctypes.wintypes import *
import binascii
import _winreg as winreg
import Tkinter
import Tkconstants
import tkMessageBox
import tkFileDialog
import traceback
 
#
# _extrawintypes.py
 
UBYTE = c_ubyte
ULONG_PTR = POINTER(ULONG)
PULONG = ULONG_PTR
PVOID = LPVOID
LPCTSTR = LPTSTR = c_wchar_p
LPBYTE = c_char_p
SIZE_T = c_uint
SIZE_T_p = POINTER(SIZE_T)
 
#
# _ntdll.py
 
NTSTATUS = DWORD
 
ntdll = windll.ntdll
 
class PROCESS_BASIC_INFORMATION(Structure):
    _fields_ = [('Reserved1', PVOID),
                ('PebBaseAddress', PVOID),
                ('Reserved2', PVOID * 2),
                ('UniqueProcessId', ULONG_PTR),
                ('Reserved3', PVOID)]
 
# NTSTATUS WINAPI NtQueryInformationProcess(
#   __in       HANDLE ProcessHandle,
#   __in       PROCESSINFOCLASS ProcessInformationClass,
#   __out      PVOID ProcessInformation,
#   __in       ULONG ProcessInformationLength,
#   __out_opt  PULONG ReturnLength
# );
NtQueryInformationProcess = ntdll.NtQueryInformationProcess
NtQueryInformationProcess.argtypes = [HANDLE, DWORD, PVOID, ULONG, PULONG]
NtQueryInformationProcess.restype = NTSTATUS
 
#
# _kernel32.py
 
INFINITE = 0xffffffff
 
CREATE_UNICODE_ENVIRONMENT = 0x00000400
DEBUG_ONLY_THIS_PROCESS = 0x00000002
DEBUG_PROCESS = 0x00000001
 
THREAD_GET_CONTEXT = 0x0008
THREAD_QUERY_INFORMATION = 0x0040
THREAD_SET_CONTEXT = 0x0010
THREAD_SET_INFORMATION = 0x0020
 
EXCEPTION_BREAKPOINT = 0x80000003
EXCEPTION_SINGLE_STEP = 0x80000004
EXCEPTION_ACCESS_VIOLATION = 0xC0000005
 
DBG_CONTINUE = 0x00010002L
DBG_EXCEPTION_NOT_HANDLED = 0x80010001L
 
EXCEPTION_DEBUG_EVENT = 1
CREATE_THREAD_DEBUG_EVENT = 2
CREATE_PROCESS_DEBUG_EVENT = 3
EXIT_THREAD_DEBUG_EVENT = 4
EXIT_PROCESS_DEBUG_EVENT = 5
LOAD_DLL_DEBUG_EVENT = 6
UNLOAD_DLL_DEBUG_EVENT = 7
OUTPUT_DEBUG_STRING_EVENT = 8
RIP_EVENT = 9
 
class DataBlob(Structure):
    _fields_ = [('cbData', c_uint),
                ('pbData', c_void_p)]
DataBlob_p = POINTER(DataBlob)
 
class SECURITY_ATTRIBUTES(Structure):
    _fields_ = [('nLength', DWORD),
                ('lpSecurityDescriptor', LPVOID),
                ('bInheritHandle', BOOL)]
LPSECURITY_ATTRIBUTES = POINTER(SECURITY_ATTRIBUTES)
 
class STARTUPINFO(Structure):
    _fields_ = [('cb', DWORD),
                ('lpReserved', LPTSTR),
                ('lpDesktop', LPTSTR),
                ('lpTitle', LPTSTR),
                ('dwX', DWORD),
                ('dwY', DWORD),
                ('dwXSize', DWORD),
                ('dwYSize', DWORD),
                ('dwXCountChars', DWORD),
                ('dwYCountChars', DWORD),
                ('dwFillAttribute', DWORD),
                ('dwFlags', DWORD),
                ('wShowWindow', WORD),
                ('cbReserved2', WORD),
                ('lpReserved2', LPBYTE),
                ('hStdInput', HANDLE),
                ('hStdOutput', HANDLE),
                ('hStdError', HANDLE)]
LPSTARTUPINFO = POINTER(STARTUPINFO)
 
class PROCESS_INFORMATION(Structure):
    _fields_ = [('hProcess', HANDLE),
                ('hThread', HANDLE),
                ('dwProcessId', DWORD),
                ('dwThreadId', DWORD)]
LPPROCESS_INFORMATION = POINTER(PROCESS_INFORMATION)
 
EXCEPTION_MAXIMUM_PARAMETERS = 15
class EXCEPTION_RECORD(Structure):
    pass
EXCEPTION_RECORD._fields_ = [
    ('ExceptionCode', DWORD),
    ('ExceptionFlags', DWORD),
    ('ExceptionRecord', POINTER(EXCEPTION_RECORD)),
    ('ExceptionAddress', LPVOID),
    ('NumberParameters', DWORD),
    ('ExceptionInformation', ULONG_PTR * EXCEPTION_MAXIMUM_PARAMETERS)]
 
class EXCEPTION_DEBUG_INFO(Structure):
    _fields_ = [('ExceptionRecord', EXCEPTION_RECORD),
                ('dwFirstChance', DWORD)]
 
class CREATE_THREAD_DEBUG_INFO(Structure):
    _fields_ = [('hThread', HANDLE),
                ('lpThreadLocalBase', LPVOID),
                ('lpStartAddress', LPVOID)]
 
class CREATE_PROCESS_DEBUG_INFO(Structure):
    _fields_ = [('hFile', HANDLE),
                ('hProcess', HANDLE),
                ('hThread', HANDLE),
                ('dwDebugInfoFileOffset', DWORD),
                ('nDebugInfoSize', DWORD),
                ('lpThreadLocalBase', LPVOID),
                ('lpStartAddress', LPVOID),
                ('lpImageName', LPVOID),
                ('fUnicode', WORD)]
 
class EXIT_THREAD_DEBUG_INFO(Structure):
    _fields_ = [('dwExitCode', DWORD)]
 
class EXIT_PROCESS_DEBUG_INFO(Structure):
    _fields_ = [('dwExitCode', DWORD)]
 
class LOAD_DLL_DEBUG_INFO(Structure):
    _fields_ = [('hFile', HANDLE),
                ('lpBaseOfDll', LPVOID),
                ('dwDebugInfoFileOffset', DWORD),
                ('nDebugInfoSize', DWORD),
                ('lpImageName', LPVOID),
                ('fUnicode', WORD)]
 
class UNLOAD_DLL_DEBUG_INFO(Structure):
    _fields_ = [('lpBaseOfDll', LPVOID)]
 
class OUTPUT_DEBUG_STRING_INFO(Structure):
    _fields_ = [('lpDebugStringData', LPSTR),
                ('fUnicode', WORD),
                ('nDebugStringLength', WORD)]
 
class RIP_INFO(Structure):
    _fields_ = [('dwError', DWORD),
                ('dwType', DWORD)]
 
class _U(Union):
    _fields_ = [('Exception', EXCEPTION_DEBUG_INFO),
                ('CreateThread', CREATE_THREAD_DEBUG_INFO),
                ('CreateProcessInfo', CREATE_PROCESS_DEBUG_INFO),
                ('ExitThread', EXIT_THREAD_DEBUG_INFO),
                ('ExitProcess', EXIT_PROCESS_DEBUG_INFO),
                ('LoadDll', LOAD_DLL_DEBUG_INFO),
                ('UnloadDll', UNLOAD_DLL_DEBUG_INFO),
                ('DebugString', OUTPUT_DEBUG_STRING_INFO),
                ('RipInfo', RIP_INFO)]
 
class DEBUG_EVENT(Structure):
    _anonymous_ = ('u',)
    _fields_ = [('dwDebugEventCode', DWORD),
                ('dwProcessId', DWORD),
                ('dwThreadId', DWORD),
                ('u', _U)]
LPDEBUG_EVENT = POINTER(DEBUG_EVENT)
 
CONTEXT_X86 = 0x00010000
CONTEXT_i386 = CONTEXT_X86
CONTEXT_i486 = CONTEXT_X86
 
CONTEXT_CONTROL = (CONTEXT_i386 | 0x0001) # SS:SP, CS:IP, FLAGS, BP
CONTEXT_INTEGER = (CONTEXT_i386 | 0x0002) # AX, BX, CX, DX, SI, DI
CONTEXT_SEGMENTS = (CONTEXT_i386 | 0x0004) # DS, ES, FS, GS
CONTEXT_FLOATING_POINT = (CONTEXT_i386 | 0x0008L) # 387 state
CONTEXT_DEBUG_REGISTERS =  (CONTEXT_i386 | 0x0010L) # DB 0-3,6,7
CONTEXT_EXTENDED_REGISTERS =  (CONTEXT_i386 | 0x0020L)
CONTEXT_FULL = (CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS)
CONTEXT_ALL = (CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS |
               CONTEXT_FLOATING_POINT | CONTEXT_DEBUG_REGISTERS |
               CONTEXT_EXTENDED_REGISTERS)
 
SIZE_OF_80387_REGISTERS = 80
class FLOATING_SAVE_AREA(Structure):
    _fields_ = [('ControlWord', DWORD),
                ('StatusWord', DWORD),
                ('TagWord', DWORD),
                ('ErrorOffset', DWORD),
                ('ErrorSelector', DWORD),
                ('DataOffset', DWORD),
                ('DataSelector', DWORD),
                ('RegisterArea', BYTE * SIZE_OF_80387_REGISTERS),
                ('Cr0NpxState', DWORD)]
 
MAXIMUM_SUPPORTED_EXTENSION = 512
class CONTEXT(Structure):
    _fields_ = [('ContextFlags', DWORD),
                ('Dr0', DWORD),
                ('Dr1', DWORD),
                ('Dr2', DWORD),
                ('Dr3', DWORD),
                ('Dr6', DWORD),
                ('Dr7', DWORD),
                ('FloatSave', FLOATING_SAVE_AREA),
                ('SegGs', DWORD),
                ('SegFs', DWORD),
                ('SegEs', DWORD),
                ('SegDs', DWORD),
                ('Edi', DWORD),
                ('Esi', DWORD),
                ('Ebx', DWORD),
                ('Edx', DWORD),
                ('Ecx', DWORD),
                ('Eax', DWORD),
                ('Ebp', DWORD),
                ('Eip', DWORD),
                ('SegCs', DWORD),
                ('EFlags', DWORD),
                ('Esp', DWORD),
                ('SegSs', DWORD),
                ('ExtendedRegisters', BYTE * MAXIMUM_SUPPORTED_EXTENSION)]
LPCONTEXT = POINTER(CONTEXT)
 
class LDT_ENTRY(Structure):
    _fields_ = [('LimitLow', WORD),
                ('BaseLow',  WORD),
                ('BaseMid', UBYTE),
                ('Flags1', UBYTE),
                ('Flags2', UBYTE),
                ('BaseHi', UBYTE)]
LPLDT_ENTRY = POINTER(LDT_ENTRY)
 
kernel32 = windll.kernel32
 
# BOOL WINAPI CloseHandle(
#   __in  HANDLE hObject
# );
CloseHandle = kernel32.CloseHandle
CloseHandle.argtypes = [HANDLE]
CloseHandle.restype = BOOL
 
# BOOL WINAPI CreateProcess(
#   __in_opt     LPCTSTR lpApplicationName,
#   __inout_opt  LPTSTR lpCommandLine,
#   __in_opt     LPSECURITY_ATTRIBUTES lpProcessAttributes,
#   __in_opt     LPSECURITY_ATTRIBUTES lpThreadAttributes,
#   __in         BOOL bInheritHandles,
#   __in         DWORD dwCreationFlags,
#   __in_opt     LPVOID lpEnvironment,
#   __in_opt     LPCTSTR lpCurrentDirectory,
#   __in         LPSTARTUPINFO lpStartupInfo,
#   __out        LPPROCESS_INFORMATION lpProcessInformation
# );
CreateProcess = kernel32.CreateProcessW
CreateProcess.argtypes = [LPCTSTR, LPTSTR, LPSECURITY_ATTRIBUTES,
                          LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCTSTR,
                          LPSTARTUPINFO, LPPROCESS_INFORMATION]
CreateProcess.restype = BOOL
 
# HANDLE WINAPI OpenThread(
#   __in  DWORD dwDesiredAccess,
#   __in  BOOL bInheritHandle,
#   __in  DWORD dwThreadId
# );
OpenThread = kernel32.OpenThread
OpenThread.argtypes = [DWORD, BOOL, DWORD]
OpenThread.restype = HANDLE
 
# BOOL WINAPI ContinueDebugEvent(
#   __in  DWORD dwProcessId,
#   __in  DWORD dwThreadId,
#   __in  DWORD dwContinueStatus
# );
ContinueDebugEvent = kernel32.ContinueDebugEvent
ContinueDebugEvent.argtypes = [DWORD, DWORD, DWORD]
ContinueDebugEvent.restype = BOOL
 
# BOOL WINAPI DebugActiveProcess(
#   __in  DWORD dwProcessId
# );
DebugActiveProcess = kernel32.DebugActiveProcess
DebugActiveProcess.argtypes = [DWORD]
DebugActiveProcess.restype = BOOL
 
# BOOL WINAPI GetThreadContext(
#   __in     HANDLE hThread,
#   __inout  LPCONTEXT lpContext
# );
GetThreadContext = kernel32.GetThreadContext
GetThreadContext.argtypes = [HANDLE, LPCONTEXT]
GetThreadContext.restype = BOOL
 
# BOOL WINAPI GetThreadSelectorEntry(
#   __in   HANDLE hThread,
#   __in   DWORD dwSelector,
#   __out  LPLDT_ENTRY lpSelectorEntry
# );
GetThreadSelectorEntry = kernel32.GetThreadSelectorEntry
GetThreadSelectorEntry.argtypes = [HANDLE, DWORD, LPLDT_ENTRY]
GetThreadSelectorEntry.restype = BOOL
 
# BOOL WINAPI ReadProcessMemory(
#   __in   HANDLE hProcess,
#   __in   LPCVOID lpBaseAddress,
#   __out  LPVOID lpBuffer,
#   __in   SIZE_T nSize,
#   __out  SIZE_T *lpNumberOfBytesRead
# );
ReadProcessMemory = kernel32.ReadProcessMemory
ReadProcessMemory.argtypes = [HANDLE, LPCVOID, LPVOID, SIZE_T, SIZE_T_p]
ReadProcessMemory.restype = BOOL
 
# BOOL WINAPI SetThreadContext(
#   __in  HANDLE hThread,
#   __in  const CONTEXT *lpContext
# );
SetThreadContext = kernel32.SetThreadContext
SetThreadContext.argtypes = [HANDLE, LPCONTEXT]
SetThreadContext.restype = BOOL
 
# BOOL WINAPI WaitForDebugEvent(
#   __out  LPDEBUG_EVENT lpDebugEvent,
#   __in   DWORD dwMilliseconds
# );
WaitForDebugEvent = kernel32.WaitForDebugEvent
WaitForDebugEvent.argtypes = [LPDEBUG_EVENT, DWORD]
WaitForDebugEvent.restype = BOOL
 
# BOOL WINAPI WriteProcessMemory(
#   __in   HANDLE hProcess,
#   __in   LPVOID lpBaseAddress,
#   __in   LPCVOID lpBuffer,
#   __in   SIZE_T nSize,
#   __out  SIZE_T *lpNumberOfBytesWritten
# );
WriteProcessMemory = kernel32.WriteProcessMemory
WriteProcessMemory.argtypes = [HANDLE, LPVOID, LPCVOID, SIZE_T, SIZE_T_p]
WriteProcessMemory.restype = BOOL
 
# BOOL WINAPI FlushInstructionCache(
#   __in  HANDLE hProcess,
#   __in  LPCVOID lpBaseAddress,
#   __in  SIZE_T dwSize
# );
FlushInstructionCache = kernel32.FlushInstructionCache
FlushInstructionCache.argtypes = [HANDLE, LPCVOID, SIZE_T]
FlushInstructionCache.restype = BOOL
 
#
# debugger.py
 
FLAG_TRACE_BIT = 0x100
 
class DebuggerError(Exception):
    pass
 
class Debugger(object):
    def __init__(self, process_info):
        self.process_info = process_info
        self.pid = process_info.dwProcessId
        self.tid = process_info.dwThreadId
        self.hprocess = process_info.hProcess
        self.hthread = process_info.hThread
        self._threads = {self.tid: self.hthread}
        self._processes = {self.pid: self.hprocess}
        self._bps = {}
        self._inactive = {}
 
    def read_process_memory(self, addr, size=None, type=str):
        if issubclass(type, basestring):
            buf = ctypes.create_string_buffer(size)
            ref = buf
        else:
            size = ctypes.sizeof(type)
            buf = type()
            ref = byref(buf)
        copied = SIZE_T(0)
        rv = ReadProcessMemory(self.hprocess, addr, ref, size, byref(copied))
        if not rv:
            addr = getattr(addr, 'value', addr)
            raise DebuggerError("could not read memory @ 0x%08x" % (addr,))
        if copied.value != size:
            raise DebuggerError("insufficient memory read")
        if issubclass(type, basestring):
            return buf.raw
        return buf
 
    def set_bp(self, addr, callback, bytev=None):
        hprocess = self.hprocess
        if bytev is None:
            byte = self.read_process_memory(addr, type=ctypes.c_byte)
            bytev = byte.value
        else:
            byte = ctypes.c_byte(0)
        self._bps[addr] = (bytev, callback)
        byte.value = 0xcc
        copied = SIZE_T(0)
        rv = WriteProcessMemory(hprocess, addr, byref(byte), 1, byref(copied))
        if not rv:
            addr = getattr(addr, 'value', addr)
            raise DebuggerError("could not write memory @ 0x%08x" % (addr,))
        if copied.value != 1:
            raise DebuggerError("insufficient memory written")
        rv = FlushInstructionCache(hprocess, None, 0)
        if not rv:
            raise DebuggerError("could not flush instruction cache")
        return
 
    def _restore_bps(self):
        for addr, (bytev, callback) in self._inactive.items():
            self.set_bp(addr, callback, bytev=bytev)
        self._inactive.clear()
 
    def _handle_bp(self, addr):
        hprocess = self.hprocess
        hthread = self.hthread
        bytev, callback = self._inactive[addr] = self._bps.pop(addr)
        byte = ctypes.c_byte(bytev)
        copied = SIZE_T(0)
        rv = WriteProcessMemory(hprocess, addr, byref(byte), 1, byref(copied))
        if not rv:
            raise DebuggerError("could not write memory")
        if copied.value != 1:
            raise DebuggerError("insufficient memory written")
        rv = FlushInstructionCache(hprocess, None, 0)
        if not rv:
            raise DebuggerError("could not flush instruction cache")
        context = CONTEXT(ContextFlags=CONTEXT_FULL)
        rv = GetThreadContext(hthread, byref(context))
        if not rv:
            raise DebuggerError("could not get thread context")
        context.Eip = addr
        callback(self, context)
        context.EFlags |= FLAG_TRACE_BIT
        rv = SetThreadContext(hthread, byref(context))
        if not rv:
            raise DebuggerError("could not set thread context")
        return
 
    def _get_peb_address(self):
        hthread = self.hthread
        hprocess = self.hprocess
        try:
            pbi = PROCESS_BASIC_INFORMATION()
            rv = NtQueryInformationProcess(hprocess, 0, byref(pbi),
                                           sizeof(pbi), None)
            if rv != 0:
                raise DebuggerError("could not query process information")
            return pbi.PebBaseAddress
        except DebuggerError:
            pass
        try:
            context = CONTEXT(ContextFlags=CONTEXT_FULL)
            rv = GetThreadContext(hthread, byref(context))
            if not rv:
                raise DebuggerError("could not get thread context")
            entry = LDT_ENTRY()
            rv = GetThreadSelectorEntry(hthread, context.SegFs, byref(entry))
            if not rv:
                raise DebuggerError("could not get selector entry")
            low, mid, high = entry.BaseLow, entry.BaseMid, entry.BaseHi
            fsbase = low | (mid << 16) | (high << 24)
            pebaddr = self.read_process_memory(fsbase + 0x30, type=c_voidp)
            return pebaddr.value
        except DebuggerError:
            pass
        return 0x7ffdf000
 
    def get_base_address(self):
        addr = self._get_peb_address() + (2 * 4)
        baseaddr = self.read_process_memory(addr, type=c_voidp)
        return baseaddr.value
 
    def main_loop(self):
        event = DEBUG_EVENT()
        finished = False
        while not finished:
            rv = WaitForDebugEvent(byref(event), INFINITE)
            if not rv:
                raise DebuggerError("could not get debug event")
            self.pid = pid = event.dwProcessId
            self.tid = tid = event.dwThreadId
            self.hprocess = self._processes.get(pid, None)
            self.hthread = self._threads.get(tid, None)
            status = DBG_CONTINUE
            evid = event.dwDebugEventCode
            if evid == EXCEPTION_DEBUG_EVENT:
                first = event.Exception.dwFirstChance
                record = event.Exception.ExceptionRecord
                exid = record.ExceptionCode
                flags = record.ExceptionFlags
                addr = record.ExceptionAddress
                if exid == EXCEPTION_BREAKPOINT:
                    if addr in self._bps:
                        self._handle_bp(addr)
                elif exid == EXCEPTION_SINGLE_STEP:
                    self._restore_bps()
                else:
                    status = DBG_EXCEPTION_NOT_HANDLED
            elif evid == LOAD_DLL_DEBUG_EVENT:
                hfile = event.LoadDll.hFile
                if hfile is not None:
                    rv = CloseHandle(hfile)
                    if not rv:
                        raise DebuggerError("error closing file handle")
            elif evid == CREATE_THREAD_DEBUG_EVENT:
                info = event.CreateThread
                self.hthread = info.hThread
                self._threads[tid] = self.hthread
            elif evid == EXIT_THREAD_DEBUG_EVENT:
                hthread = self._threads.pop(tid, None)
                if hthread is not None:
                    rv = CloseHandle(hthread)
                    if not rv:
                        raise DebuggerError("error closing thread handle")
            elif evid == CREATE_PROCESS_DEBUG_EVENT:
                info = event.CreateProcessInfo
                self.hprocess = info.hProcess
                self._processes[pid] = self.hprocess
            elif evid == EXIT_PROCESS_DEBUG_EVENT:
                hprocess = self._processes.pop(pid, None)
                if hprocess is not None:
                    rv = CloseHandle(hprocess)
                    if not rv:
                        raise DebuggerError("error closing process handle")
                if pid == self.process_info.dwProcessId:
                    finished = True
            rv = ContinueDebugEvent(pid, tid, status)
            if not rv:
                raise DebuggerError("could not continue debug")
        return True
 
#
# unswindle.py
 
KINDLE_REG_KEY = \
    r'Software\Classes\Amazon.KindleForPC.content\shell\open\command'
 
class UnswindleError(Exception):
    pass
 
class PC1KeyGrabber(object):
    HOOKS = {
        'b9f7e422094b8c8966a0e881e6358116e03e5b7b': {
            0x004a719d: '_no_debugger_here',
            0x005a795b: '_no_debugger_here',
            0x0054f7e0: '_get_pc1_pid',
            0x004f9c79: '_get_book_path',
        },
        'd5124ee20dab10e44b41a039363f6143725a5417': {
            0x0041150d: '_i_like_wine',
            0x004a681d: '_no_debugger_here',
            0x005a438b: '_no_debugger_here',
            0x0054c9e0: '_get_pc1_pid',
            0x004f8ac9: '_get_book_path',
        },
    }
 
    @classmethod
    def supported_version(cls, hexdigest):
        return (hexdigest in cls.HOOKS)
 
    def _taddr(self, addr):
        return (addr - 0x00400000) + self.baseaddr
 
    def __init__(self, debugger, hexdigest):
        self.book_path = None
        self.book_pid = None
        self.baseaddr = debugger.get_base_address()
        hooks = self.HOOKS[hexdigest]
        for addr, mname in hooks.items():
            debugger.set_bp(self._taddr(addr), getattr(self, mname))
 
    def _i_like_wine(self, debugger, context):
        context.Eax = 1
        return
 
    def _no_debugger_here(self, debugger, context):
        context.Eip += 2
        context.Eax = 0
        return
 
    def _get_book_path(self, debugger, context):
        addr = debugger.read_process_memory(context.Esp, type=ctypes.c_voidp)
        try:
            path = debugger.read_process_memory(addr, 4096)
        except DebuggerError:
            pgrest = 0x1000 - (addr.value & 0xfff)
            path = debugger.read_process_memory(addr, pgrest)
        path = path.decode('utf-16', 'ignore')
        if u'\0' in path:
            path = path[:path.index(u'\0')]
        if path[-4:].lower() not in ('.prc', '.pdb', '.mobi'):
            return
        self.book_path = path
 
    def _get_pc1_pid(self, debugger, context):
        addr = context.Esp + ctypes.sizeof(ctypes.c_voidp)
        addr = debugger.read_process_memory(addr, type=ctypes.c_char_p)
        pid = debugger.read_process_memory(addr, 8)
        pid = self._checksum_pid(pid)
        self.book_pid = pid
 
    def _checksum_pid(self, s):
        letters = "ABCDEFGHIJKLMNPQRSTUVWXYZ123456789"
        crc = (~binascii.crc32(s,-1))&0xFFFFFFFF
        crc = crc ^ (crc >> 16)
        res = s
        l = len(letters)
        for i in (0,1):
            b = crc & 0xff
            pos = (b // l) ^ (b % l)
            res += letters[pos%l]
            crc >>= 8
        return res
 
class Unswindler(object):
    def __init__(self):
        self._exepath = self._get_exe_path()
        self._hexdigest = self._get_hexdigest()
        self._exedir = os.path.dirname(self._exepath)
        self._mobidedrmpath = self._get_mobidedrm_path()
 
    def _get_mobidedrm_path(self):
        basedir = sys.modules[self.__module__].__file__
        basedir = os.path.dirname(basedir)
        for basename in ('mobidedrm', 'mobidedrm.py', 'mobidedrm.pyw'):
            path = os.path.join(basedir, basename)
            if os.path.isfile(path):
                return path
        raise UnswindleError("could not locate MobiDeDRM script")
 
    def _get_exe_path(self):
        path = None
        for root in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
            try:
                regkey = winreg.OpenKey(root, KINDLE_REG_KEY)
                path = winreg.QueryValue(regkey, None)
                break
            except WindowsError:
                pass
        else:
            raise UnswindleError("Kindle For PC installation not found")
        if '"' in path:
            path = re.search(r'"(.*?)"', path).group(1)
        return path
 
    def _get_hexdigest(self):
        path = self._exepath
        sha1 = hashlib.sha1()
        with open(path, 'rb') as f:
            data = f.read(4096)
            while data:
                sha1.update(data)
                data = f.read(4096)
        hexdigest = sha1.hexdigest()
        if not PC1KeyGrabber.supported_version(hexdigest):
            raise UnswindleError("Unsupported version of Kindle For PC")
        return hexdigest
 
    def _is_topaz(self, path):
        with open(path, 'rb') as f:
            magic = f.read(4)
        if magic == 'TPZ0':
            return True
        return False
 
    def get_book(self):
        creation_flags = (CREATE_UNICODE_ENVIRONMENT |
                          DEBUG_PROCESS |
                          DEBUG_ONLY_THIS_PROCESS)
        startup_info = STARTUPINFO()
        process_info = PROCESS_INFORMATION()
        path = pid = None
        try:
            rv = CreateProcess(self._exepath, None, None, None, False,
                               creation_flags, None, self._exedir,
                               byref(startup_info), byref(process_info))
            if not rv:
                raise UnswindleError("failed to launch Kindle For PC")
            debugger = Debugger(process_info)
            grabber = PC1KeyGrabber(debugger, self._hexdigest)
            debugger.main_loop()
            path = grabber.book_path
            pid = grabber.book_pid
        finally:
            if process_info.hThread is not None:
                CloseHandle(process_info.hThread)
            if process_info.hProcess is not None:
                CloseHandle(process_info.hProcess)
        if path is None:
            raise UnswindleError("failed to determine book path")
        if self._is_topaz(path):
            raise UnswindleError("cannot decrypt Topaz format book")
        if pid is None:
            raise UnswindleError("failed to determine book PID")
        return (path, pid)
 
    def decrypt_book(self, inpath, outpath, pid):
        # darkreverser didn't protect mobidedrm's script execution to allow
        # importing, so we have to just run it in a subprocess
        with tempfile.NamedTemporaryFile(delete=False) as tmpf:
            tmppath = tmpf.name
        args = [sys.executable, self._mobidedrmpath, inpath, tmppath, pid]
        mobidedrm = subprocess.Popen(args, stderr=subprocess.STDOUT,
                                     stdout=subprocess.PIPE,
                                     universal_newlines=True)
        output = mobidedrm.communicate()[0]
        if not output.endswith("done\n"):
            try:
                os.remove(tmppath)
            except OSError:
                pass
            raise UnswindleError("problem running MobiDeDRM:\n" + output)
        shutil.move(tmppath, outpath)
        return
 
class ExceptionDialog(Tkinter.Frame):
    def __init__(self, root, text):
        Tkinter.Frame.__init__(self, root, border=5)
        label = Tkinter.Label(self, text="Unexpected error:",
                              anchor=Tkconstants.W, justify=Tkconstants.LEFT)
        label.pack(fill=Tkconstants.X, expand=0)
        self.text = Tkinter.Text(self)
        self.text.pack(fill=Tkconstants.BOTH, expand=1)
        self.text.insert(Tkconstants.END, text)
 
def gui_main(argv=sys.argv):
    root = Tkinter.Tk()
    root.withdraw()
    progname = os.path.basename(argv[0])
    try:
        unswindler = Unswindler()
        inpath, pid = unswindler.get_book()
        outpath = tkFileDialog.asksaveasfilename(
            parent=None, title='Select unencrypted Mobipocket file to produce',
            defaultextension='.mobi', filetypes=[('MOBI files', '.mobi'),
                                                 ('All files', '.*')])
        if not outpath:
            return 0
        unswindler.decrypt_book(inpath, outpath, pid)
    except UnswindleError, e:
        tkMessageBox.showerror("Unswindle For PC", "Error: " + str(e))
        return 1
    except Exception:
        root.wm_state('normal')
        root.title('Unswindle For PC')
        text = traceback.format_exc()
        ExceptionDialog(root, text).pack(fill=Tkconstants.BOTH, expand=1)
        root.mainloop()
        return 1
 
def cli_main(argv=sys.argv):
    progname = os.path.basename(argv[0])
    args = argv[1:]
    if len(args) != 1:
        sys.stderr.write("usage: %s OUTFILE\n" % (progname,))
        return 1
    outpath = args[0]
    unswindler = Unswindler()
    inpath, pid = unswindler.get_book()
    unswindler.decrypt_book(inpath, outpath, pid)
    return 0
 
if __name__ == '__main__':
    sys.exit(gui_main())

Become an IT Rockstar King! – Competition

Posted by on Thursday, 30 April, 2009

Found at http://www.itrockstar.co.nz/

The Search for NZ’s IT Rockstar is a competition created by Ninetwenty Career Agents with the aim of recognizing and acknowledging achievement within the IT industry of New Zealand. We like to think of it as New Zealand Idol but for the IT geek!

To be involved in the competition, a potential IT Rockstar can be nominated or nominate themselves. The criteria is simple – you could have developed a snappy piece of code, fixed a nasty bug that no one else could fix or delivered a multi-million dollar project on time and on budget and then be in the running for the big prize!

Entries close 22nd of May so don’t miss out!

Im guessing somebody clearly forgot to let them in on the secret that there are FEMALES in the IT industry (you can only be crowned King), and that IT is more than just Programming…. but still, you may win something, why not give it a shot!


Abusive and fun comments in source code

Posted by on Wednesday, 29 April, 2009

From time to time I have noticed you get some interesting comments in various programs. I thought I would share some of the more amusing comments I’ve found.

In http://code.google.com/p/xee/source/browse/trunk/XeePhotoshopLoader.m?spec=svn28&r=11 .  Clearly a programmer whos had a bad day.

Change log

r11 by paracelsus on Sep 11, 2007   Diff
Photoshop loader is DONE for now, fuck you
Adobe

// At this point, I’d like to take a moment to speak to you about the Adobe PSD format.
// PSD is not a good format. PSD is not even a bad format. Calling it such would be an
// insult to other bad formats, such as PCX or JPEG. No, PSD is an abysmal format. Having
// worked on this code for several weeks now, my hate for PSD has grown to a raging fire
// that burns with the fierce passion of a million suns.
// If there are two different ways of doing something, PSD will do both, in different
// places. It will then make up three more ways no sane human would think of, and do those
// too. PSD makes inconsistency an art form. Why, for instance, did it suddenly decide
// that *these* particular chunks should be aligned to four bytes, and that this alignement
// should *not* be included in the size? Other chunks in other places are either unaligned,
// or aligned with the alignment included in the size. Here, though, it is not included.
// Either one of these three behaviours would be fine. A sane format would pick one. PSD,
// of course, uses all three, and more.
// Trying to get data out of a PSD file is like trying to find something in the attic of
// your eccentric old uncle who died in a freak freshwater shark attack on his 58th
// birthday. That last detail may not be important for the purposes of the simile, but
// at this point I am spending a lot of time imagining amusing fates for the people
// responsible for this Rube Goldberg of a file format.
// Earlier, I tried to get a hold of the latest specs for the PSD file format. To do this,
// I had to apply to them for permission to apply to them to have them consider sending
// me this sacred tome. This would have involved faxing them a copy of some document or
// other, probably signed in blood. I can only imagine that they make this process so
// difficult because they are intensely ashamed of having created this abomination. I
// was naturally not gullible enough to go through with this procedure, but if I had done
// so, I would have printed out every single page of the spec, and set them all on fire.
// Were it within my power, I would gather every single copy of those specs, and launch
// them on a spaceship directly into the sun.
//
// PSD is not my favourite file format.

Heres another amusing one.

*       !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
*       !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
* !!!!!!!IF YOU CHANGE TABS TO SPACES, YOU WILL BE KILLED!!!!!!!
*       !!!!!!!!!!!!!!DOING SO FUCKS THE BUILD PROCESS!!!!!!!!!!!!!!!!
*       !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
*       !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

At the top of a particularly convoluted and otherwise completely uncommented code:
// Abandon all hope, ye who enter here.
In some PHP code for a webpage :

// Since this file is loaded on every page, and since
// I want the following function on every page, I’m going to
// cheat and include it here even though it has nothing to
// do with the other things in this file.
// If you don’t like it, bite me!

Seen, and believed…

[some long and messy code] # too drubnk to make this workkkkj. debugg latter.

The source code of PerlLanguage’s Net::IRC modules has numerous chunks of funny conversation from the #perl IRC channel in it. My favorite:

# — #perl was here! —
# Larry Wall is a lot sexier than Richard Stallman
# But I’ve heard Stallman is better in bed.
# Does he leave the halo on?
# * aether cocks her head at skrew…uh…whatever?
# Stallman’s beard is a sex magnet.
# Larry’s moustache is moreso, Fimm.
# oh yeah…women all over the world are hot for stallman….
# Moustaches make my heart melt.
# I dunno, there’s something about a man in hawaiian shirts…

Spotted this in the source code for one of the ApacheAnt tasks:

: /*
: * build notes
: * The reference CD to listen to while editing this file is
: * Underworld Everything, Everything
: * variable naming policy from Fowler’s refactoring book.
: */

/usr/src/linux is full of fun.

/*
** “seek and ye shall find”…praying never hurts either…
** ggg sacrafices another 710 to the computer gods.
*/

* These chips are basically fucked by design, and getting this driver
* to work on every motherboard design that uses this screwed chip seems
* bloody well impossible. However, we’re still trying.
* skb to avoid No=0 (choose one: Ugly [ ] Tasteless [ ] VMS [ ]).

For an illuminating experience, try grep -ir word /usr/src/linux, where word is one of the following: fuck, shit, damn, hack, kludge, “:-(“, “no idea”, awful, stupid, and of course XXX… I’m sure you can think of your own candidates.

One could probably make some significant contributions to the Linux codebase simply by doing this, then seeing if they can figure out how to fix the problem the coder was griping about. Hell, there are probably several Linux kernel hackers who do just that, though admittedly a lot of the problems are related to bizarre hardware or outside software which the system has to interface with, which the coders can do much about. Even so, it would probably be a useful thing to do. KiboDebugging??

* Found at the beginning of a loop that could run forever:
/* And now, ladies and gentlemen, the chord from HELL! */

* Found near a particularly nasty fix for a fencepost error:

/* There are dumber f**ks than me out there, but not many */

* Found near a piece of code that handled memory resizing, it made the new generation of neural nets inside the space for the previous failures. If it didn’t have to realloc at all the branch that executed was labeled:

/* These clothes are a little tight, but the price was right */

* Finally, there was an error message in some of a test code that said:

“Nostradamus told me this would happen. Smug bastard.”

Here are excerpts from some code found whilst doing an upgrade to a new server structure.

#include <wchar.h> //I hate strings.
#include <tchar.h> //I HATE STRINGS!!!
#include <string> //I HAT TEH STRINGES!!! DIE! DIEDIE! DIE!!!!!!

/// A class for interfacing dotnet code with (product)’s plugin API.
/// As you may have noticed, making .NET code work with API code is a
/// pain in the ass, because it never occurred to Microsoft that .NET code
/// might one day have to exist on the same computer as API code. As
/// unbelievable as it is, programmers need to have their non-.NET software
/// [use] functions that were written in managed code. So, to better the meet the
/// needs of their developers, Microsoft made the process as inconvienient
/// as they possibly could. Enjoy.

/// This function converts stuff from a .NET String to an LPTSTR.
/// May whoever decided it should be this complicated be required to
/// write it 20,000 times on a tiny whiteboard with perfect penmanship,
/// rot in jail for two years, then have to try clean it all off using
/// nothing but his own saliva and a toilet brush without getting any
/// ink on his gloves.

Found in a depracated .c file:

/* fit round peg into square hole, if necessary… */
/* well, actually any damn peg into whatever hole we have to work with… */
/* use (the) force, if necessary */