#799495 - Pastie

Theme:
#! /usr/bin/python

"""

Comprehensive Mazama Book DRM with Topaz Cryptography V2.2

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdBHJ4CNc6DNFCw4MRCw4SWAK6
M8hYfnNEI0yQmn5Ti+W8biT7EatpauE/5jgQMPBmdNrDr1hbHyHBSP7xeC2qlRWC
B62UCxeu/fpfnvNHDN/wPWWH4jynZ2M6cdcnE5LQ+FfeKqZn7gnG2No1U9h7oOHx
y2/pHuYme7U1TsgSjwIDAQAB
-----END PUBLIC KEY-----

"""

from __future__ import with_statement

import csv
import sys
import os
import getopt
import zlib
from struct import pack
from struct import unpack
from ctypes import windll, c_char_p, c_wchar_p, c_uint, POINTER, byref, \
    create_unicode_buffer, create_string_buffer, CFUNCTYPE, addressof, \
    string_at, Structure, c_void_p, cast
import _winreg as winreg
import Tkinter
import Tkconstants
import tkMessageBox
import traceback
import hashlib

MAX_PATH = 255

kernel32 = windll.kernel32
advapi32 = windll.advapi32
crypt32 = windll.crypt32

global kindleDatabase
global bookFile
global bookPayloadOffset
global bookHeaderRecords
global bookMetadata
global bookKey
global command

#
# Various character maps used to decrypt books. Probably supposed to act as obfuscation
#

charMap1 = "n5Pr6St7Uv8Wx9YzAb0Cd1Ef2Gh3Jk4M"
charMap2 = "AaZzB0bYyCc1XxDdW2wEeVv3FfUuG4g-TtHh5SsIiR6rJjQq7KkPpL8lOoMm9Nn_"
charMap3 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
charMap4 = "ABCDEFGHIJKLMNPQRSTUVWXYZ123456789"

#
# Exceptions for all the problems that might happen during the script
#

class CMBDTCError(Exception):
    pass

class CMBDTCFatal(Exception):
    pass

#
# Stolen stuff
#

class DataBlob(Structure):
    _fields_ = [('cbData', c_uint),
                ('pbData', c_void_p)]
DataBlob_p = POINTER(DataBlob)

def GetSystemDirectory():
    GetSystemDirectoryW = kernel32.GetSystemDirectoryW
    GetSystemDirectoryW.argtypes = [c_wchar_p, c_uint]
    GetSystemDirectoryW.restype = c_uint
    def GetSystemDirectory():
        buffer = create_unicode_buffer(MAX_PATH + 1)
        GetSystemDirectoryW(buffer, len(buffer))
        return buffer.value
    return GetSystemDirectory
GetSystemDirectory = GetSystemDirectory()


def GetVolumeSerialNumber():
    GetVolumeInformationW = kernel32.GetVolumeInformationW
    GetVolumeInformationW.argtypes = [c_wchar_p, c_wchar_p, c_uint,
                                      POINTER(c_uint), POINTER(c_uint),
                                      POINTER(c_uint), c_wchar_p, c_uint]
    GetVolumeInformationW.restype = c_uint
    def GetVolumeSerialNumber(path):
        vsn = c_uint(0)
        GetVolumeInformationW(path, None, 0, byref(vsn), None, None, None, 0)
        return vsn.value
    return GetVolumeSerialNumber
GetVolumeSerialNumber = GetVolumeSerialNumber()


def GetUserName():
    GetUserNameW = advapi32.GetUserNameW
    GetUserNameW.argtypes = [c_wchar_p, POINTER(c_uint)]
    GetUserNameW.restype = c_uint
    def GetUserName():
        buffer = create_unicode_buffer(32)
        size = c_uint(len(buffer))
        while not GetUserNameW(buffer, byref(size)):
            buffer = create_unicode_buffer(len(buffer) * 2)
            size.value = len(buffer)
        return buffer.value.encode('utf-16-le')[::2]
    return GetUserName
GetUserName = GetUserName()


def CryptUnprotectData():
    _CryptUnprotectData = crypt32.CryptUnprotectData
    _CryptUnprotectData.argtypes = [DataBlob_p, c_wchar_p, DataBlob_p,
                                   c_void_p, c_void_p, c_uint, DataBlob_p]
    _CryptUnprotectData.restype = c_uint
    def CryptUnprotectData(indata, entropy):
        indatab = create_string_buffer(indata)
        indata = DataBlob(len(indata), cast(indatab, c_void_p))
        entropyb = create_string_buffer(entropy)
        entropy = DataBlob(len(entropy), cast(entropyb, c_void_p))
        outdata = DataBlob()
        if not _CryptUnprotectData(byref(indata), None, byref(entropy),
                                   None, None, 0, byref(outdata)):
            raise CMBDTCFatal("Failed to Unprotect Data")
        return string_at(outdata.pbData, outdata.cbData)
    return CryptUnprotectData
CryptUnprotectData = CryptUnprotectData()

#
# Returns the MD5 digest of "message"
#

def MD5(message):
    ctx = hashlib.md5()
    ctx.update(message)
    return ctx.digest()

#
# Returns the MD5 digest of "message"
#

def SHA1(message):
    ctx = hashlib.sha1()
    ctx.update(message)
    return ctx.digest()

#
# Open the book file at path
#

def openBook(path):
    try:
        return open(path,'rb')
    except:
        raise CMBDTCFatal("Could not open book file: " + path)
#
# Encode the bytes in data with the characters in map
#

def encode(data, map):
    result = ""
    for char in data:
        value = ord(char)
        Q = (value ^ 0x80) // len(map)
        R = value % len(map)
        result += map[Q]
        result += map[R]
    return result

#
# Hash the bytes in data and then encode the digest with the characters in map
#

def encodeHash(data,map):
    return encode(MD5(data),map)

#
# Decode the string in data with the characters in map. Returns the decoded bytes
#

def decode(data,map):
    result = ""
    for i in range (0,len(data),2):
        high = map.find(data[i])
        low = map.find(data[i+1])
        value = (((high * 0x40) ^ 0x80) & 0xFF) + low
        result += pack("B",value)
    return result

#
# Locate and open the Kindle.info file (Hopefully in the way it is done in the Kindle application)
#

def openKindleInfo():
    regkey = winreg.OpenKey(winreg.HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\")
    path = winreg.QueryValueEx(regkey, 'Local AppData')[0] 
    return open(path+'\\Amazon\\Kindle For PC\\{AMAwzsaPaaZAzmZzZQzgZCAkZ3AjA_AY}\\kindle.info','r')

#
# Parse the Kindle.info file and return the records as a list of key-values
#

def parseKindleInfo():
    DB = {}
    infoReader = openKindleInfo()
    infoReader.read(1)
    data = infoReader.read()
    items = data.split('{')

    for item in items:
        splito = item.split(':')
        DB[splito[0]] =splito[1]
    return DB

#
# Find if the original string for a hashed/encoded string is known. If so return the original string othwise return an empty string. (Totally not optimal)
#

def findNameForHash(hash):
    names = ["kindle.account.tokens","kindle.cookie.item","eulaVersionAccepted","login_date","kindle.token.item","login","kindle.key.item","kindle.name.info","kindle.device.info", "MazamaRandomNumber"]
    result = ""
    for name in names:
        if hash == encodeHash(name, charMap2):
           result = name
           break
    return name

#
# Print all the records from the kindle.info file (option -i)
#

def printKindleInfo():
    for record in kindleDatabase:
        name = findNameForHash(record)
        if name != "" :
            print (name)
            print ("--------------------------\n")
        else :
            print ("Unknown Record")
        print getKindleInfoValueForHash(record)
        print "\n"
#
# Get a record from the Kindle.info file for the key "hashedKey" (already hashed and encoded). Return the decoded and decrypted record
#

def getKindleInfoValueForHash(hashedKey):
    global kindleDatabase
    encryptedValue = decode(kindleDatabase[hashedKey],charMap2)
    return CryptUnprotectData(encryptedValue,"")

#
#  Get a record from the Kindle.info file for the string in "key" (plaintext). Return the decoded and decrypted record
#

def getKindleInfoValueForKey(key):
    return getKindleInfoValueForHash(encodeHash(key,charMap2))

#
# Get a 7 bit encoded number from the book file
#

def bookReadEncodedNumber():
    flag = False
    data = ord(bookFile.read(1))

    if data == 0xFF:
       flag = True
       data = ord(bookFile.read(1))

    if data >= 0x80:
        datax = (data & 0x7F)
        while data >= 0x80 :
            data = ord(bookFile.read(1))
            datax = (datax <<7) + (data & 0x7F)
        data = datax 

    if flag:
       data = -data
    return data

#
# Encode a number in 7 bit format
#

def encodeNumber(number):
   result = ""
   negative = False
   flag = 0

   if number < 0 :
       number = -number + 1
       negative = True

   while True:
       byte = number & 0x7F
       number = number >> 7
       byte += flag
       result += chr(byte)
       flag = 0x80
       if number == 0 : 
           if (byte == 0xFF and negative == False) :
               result += chr(0x80)
           break

   if negative:
       result += chr(0xFF)

   return result[::-1]

#
# Get a length prefixed string from the file 
#

def bookReadString():
    stringLength = bookReadEncodedNumber()
    return unpack(str(stringLength)+"s",bookFile.read(stringLength))[0]  

#
# Returns a length prefixed string
#

def lengthPrefixString(data):
    return encodeNumber(len(data))+data


#
# Read and return the data of one header record at the current book file position [[offset,compressedLength,decompressedLength],...]
#

def bookReadHeaderRecordData():
    nbValues = bookReadEncodedNumber()
    values = []
    for i in range (0,nbValues):
        values.append([bookReadEncodedNumber(),bookReadEncodedNumber(),bookReadEncodedNumber()])
    return values

#
# Read and parse one header record at the current book file position and return the associated data [[offset,compressedLength,decompressedLength],...]
#

def parseTopazHeaderRecord():
    if ord(bookFile.read(1)) != 0x63:
        raise CMBDTCFatal("Parse Error : Invalid Header")

    tag = bookReadString()
    record = bookReadHeaderRecordData()
    return [tag,record]

#
# Parse the header of a Topaz file, get all the header records and the offset for the payload
#

def parseTopazHeader():
    global bookHeaderRecords
    global bookPayloadOffset
    magic = unpack("4s",bookFile.read(4))[0]

    if magic != 'TPZ0':
        raise CMBDTCFatal("Parse Error : Invalid Header, not a Topaz file")

    nbRecords = bookReadEncodedNumber()
    bookHeaderRecords = {}

    for i in range (0,nbRecords):
        result = parseTopazHeaderRecord()
        bookHeaderRecords[result[0]] = result[1]

    if ord(bookFile.read(1))  != 0x64 :
        raise CMBDTCFatal("Parse Error : Invalid Header")

    bookPayloadOffset = bookFile.tell()

#
# Get a record in the book payload, given its name and index. If necessary the record is decrypted. The record is not decompressed
#

def getBookPayloadRecord(name, index):   
    encrypted = False

    try: 
        recordOffset = bookHeaderRecords[name][index][0]
    except:
        raise CMBDTCFatal("Parse Error : Invalid Record, record not found")

    bookFile.seek(bookPayloadOffset + recordOffset)

    tag = bookReadString()
    if tag != name :
        raise CMBDTCFatal("Parse Error : Invalid Record, record name doesn't match")

    recordIndex = bookReadEncodedNumber()

    if recordIndex < 0 :
        encrypted = True
        recordIndex = -recordIndex -1

    if recordIndex != index :
      raise CMBDTCFatal("Parse Error : Invalid Record, index doesn't match")

    if bookHeaderRecords[name][index][2] != 0 :
        record = bookFile.read(bookHeaderRecords[name][index][2])
    else:
        record = bookFile.read(bookHeaderRecords[name][index][1])

    if encrypted:
       ctx = topazCryptoInit(bookKey)
       record = topazCryptoDecrypt(record,ctx)

    return record

#
# Extract, decrypt and decompress a book record indicated by name and index and print it or save it in "filename"
#

def extractBookPayloadRecord(name, index, filename):
    compressed = False

    try:
        compressed = bookHeaderRecords[name][index][2] != 0
        record = getBookPayloadRecord(name,index)
    except:
        print("Could not find record")

    if compressed:
        try:
            record = zlib.decompress(record)
        except:
            raise CMBDTCFatal("Could not decompress record")

    if filename != "":
        try:
            file = open(filename,"wb")
            file.write(record)
            file.close()
        except:
            raise CMBDTCFatal("Could not write to destination file")
    else:
        print(record)

#
# return next record [key,value] from the book metadata from the current book position
#  

def readMetadataRecord():
    return [bookReadString(),bookReadString()]

#
# Parse the metadata record from the book payload and return a list of [key,values]
#

def parseMetadata():
    global bookHeaderRecords
    global bookPayloadAddress
    global bookMetadata
    bookMetadata = {}
    bookFile.seek(bookPayloadOffset + bookHeaderRecords["metadata"][0][0])
    tag = bookReadString()
    if tag != "metadata" :
        raise CMBDTCFatal("Parse Error : Record Names Don't Match")

    flags = ord(bookFile.read(1))
    nbRecords = ord(bookFile.read(1))

    for i in range (0,nbRecords) :
        record =readMetadataRecord()
        bookMetadata[record[0]] = record[1]

#
# Returns two bit at offset from a bit field
#

def getTwoBitsFromBitField(bitField,offset):
    byteNumber = offset // 4
    bitPosition = 6 - 2*(offset % 4)

    return ord(bitField[byteNumber]) >> bitPosition & 3

#
# Returns the six bits at offset from a bit field
#    

def getSixBitsFromBitField(bitField,offset):
     offset *= 3
     value = (getTwoBitsFromBitField(bitField,offset) <<4) + (getTwoBitsFromBitField(bitField,offset+1) << 2) +getTwoBitsFromBitField(bitField,offset+2)
     return value

#
# 8 bits to six bits encoding from hash to generate PID string
#

def encodePID(hash):
    global charMap3
    PID = ""
    for position in range (0,8):
        PID += charMap3[getSixBitsFromBitField(hash,position)]
    return PID

#
# Context initialisation for the Topaz Crypto
#

def topazCryptoInit(key):
    ctx1 = 0x0CAFFE19E

    for keyChar in key:
        keyByte = ord(keyChar)
        ctx2 = ctx1 
        ctx1 = ((((ctx1 >>2) * (ctx1 >>7))&0xFFFFFFFF) ^ (keyByte * keyByte * 0x0F902007)& 0xFFFFFFFF )
    return [ctx1,ctx2]

#
# decrypt data with the context prepared by topazCryptoInit()
#

def topazCryptoDecrypt(data, ctx):
    ctx1 = ctx[0]
    ctx2 = ctx[1]

    plainText = ""

    for dataChar in data:
        dataByte = ord(dataChar)
        m = (dataByte ^ ((ctx1 >> 3) &0xFF) ^ ((ctx2<<3) & 0xFF)) &0xFF
        ctx2 = ctx1
        ctx1 = (((ctx1 >> 2) * (ctx1 >> 7)) &0xFFFFFFFF) ^((m * m * 0x0F902007) &0xFFFFFFFF)
        plainText += chr(m)

    return plainText

#
# Decrypt a payload record with the PID
#

def decryptRecord(data,PID):
    ctx = topazCryptoInit(PID)
    return topazCryptoDecrypt(data, ctx)

#
# Try to decrypt a dkey record (contains the book PID)
#

def decryptDkeyRecord(data,PID):
    record = decryptRecord(data,PID)
    fields = unpack("3sB8sB8s3s",record)

    if fields[0] != "PID" or fields[5] != "pid" :
        raise CMBDTCError("Didn't find PID magic numbers in record")
    elif fields[1] != 8 or fields[3] != 8 :
        raise CMBDTCError("Record didn't contain correct length fields")
    elif fields[2] != PID :
        raise CMBDTCError("Record didn't contain PID")

    return fields[4]

#
# Decrypt all the book's dkey records (contain the book PID)
#

def decryptDkeyRecords(data,PID):
    nbKeyRecords = ord(data[0])
    records = []
    data = data[1:]
    for i in range (0,nbKeyRecords):
        length = ord(data[0])
        try:
            key = decryptDkeyRecord(data[1:length+1],PID)
            records.append(key)
        except CMBDTCError:
            pass
        data = data[1+length:]

    return records

#
# Encryption table used to generate the device PID
#

def generatePidEncryptionTable() :
    table = []
    for counter1 in range (0,0x100):
        value = counter1
        for counter2 in range (0,8):
            if (value & 1 == 0) :
                value = value >> 1
            else :
                value = value >> 1
                value = value ^ 0xEDB88320
        table.append(value)
    return table

#
# Seed value used to generate the device PID
#

def generatePidSeed(table,dsn) :
    value = 0
    for counter in range (0,4) :
       index = (ord(dsn[counter]) ^ value) &0xFF
       value = (value >> 8) ^ table[index]
    return value

#
# Generate the device PID
#

def generateDevicePID(table,dsn,nbRoll):
    seed = generatePidSeed(table,dsn)
    pidAscii = ""
    pid = [(seed >>24) &0xFF,(seed >> 16) &0xff,(seed >> 8) &0xFF,(seed) & 0xFF,(seed>>24) & 0xFF,(seed >> 16) &0xff,(seed >> 8) &0xFF,(seed) & 0xFF]
    index = 0

    for counter in range (0,nbRoll):
        pid[index] = pid[index] ^ ord(dsn[counter])
        index = (index+1) %8

    for counter in range (0,8):
        index = ((((pid[counter] >>5) & 3) ^ pid[counter]) & 0x1f) + (pid[counter] >> 7)
        pidAscii += charMap4[index]
    return pidAscii

#
# Create decrypted book payload
#

def createDecryptedPayload(payload):

   # store data to be able to create the header later 
    headerData= []
    currentOffset = 0

    # Add social DRM to decrypted files

    try:
        data = getKindleInfoValueForKey("kindle.name.info")+":"+ getKindleInfoValueForKey("login")
        if payload!= None:
            payload.write(lengthPrefixString("sdrm"))
            payload.write(encodeNumber(0))
            payload.write(data)
        else:
            currentOffset += len(lengthPrefixString("sdrm"))
            currentOffset += len(encodeNumber(0))
            currentOffset += len(data)
    except:
        pass

    for headerRecord in bookHeaderRecords:
       name = headerRecord
       newRecord = []

       if name != "dkey" :

           for index in range (0,len(bookHeaderRecords[name])) :
               offset = currentOffset

               if payload != None: 
                   # write tag
                   payload.write(lengthPrefixString(name))
                   # write data
                   payload.write(encodeNumber(index))
                   payload.write(getBookPayloadRecord(name, index))

               else :
                   currentOffset += len(lengthPrefixString(name))
                   currentOffset += len(encodeNumber(index))
                   currentOffset += len(getBookPayloadRecord(name, index))
                   newRecord.append([offset,bookHeaderRecords[name][index][1],bookHeaderRecords[name][index][2]])

       headerData.append([name,newRecord])



    return headerData    

#
# Create decrypted book
#

def createDecryptedBook(outputFile):
    outputFile = open(outputFile,"wb")
    # Write the payload in a temporary file
    headerData = createDecryptedPayload(None)
    outputFile.write("TPZ0")
    outputFile.write(encodeNumber(len(headerData)))

    for header in headerData :
        outputFile.write(chr(0x63))
        outputFile.write(lengthPrefixString(header[0]))
        outputFile.write(encodeNumber(len(header[1])))
        for numbers in header[1] :
            outputFile.write(encodeNumber(numbers[0]))
            outputFile.write(encodeNumber(numbers[1]))
            outputFile.write(encodeNumber(numbers[2]))

    outputFile.write(chr(0x64))
    createDecryptedPayload(outputFile)
    outputFile.close()

#
# Set the command to execute by the programm according to cmdLine parameters
#

def setCommand(name) :
    global command
    if command != "" :
         raise CMBDTCFatal("Invalid command line parameters")
    else :
        command = name

# 
# Program usage
#

def usage():
    print("\nUsage:")
    print("\nCMBDTC.py [options] bookFileName\n")
    print("-p Adds a PID to the list of PIDs that are tried to decrypt the book key (can be used several times)")
    print("-d Saves a decrypted copy of the book")
    print("-r Prints or writes to disk a record indicated in the form name:index (e.g \"img:0\")")
    print("-o Output file name to write records and decrypted books")
    print("-v Verbose (can be used several times)")
    print("-i Prints kindle.info database")

#
# Main
#   

def main(argv=sys.argv):
    global kindleDatabase
    global bookMetadata
    global bookKey
    global bookFile
    global command

    progname = os.path.basename(argv[0])

    verbose = 0
    recordName = ""
    recordIndex = 0
    outputFile = ""
    PIDs = []
    kindleDatabase = None
    command = ""


    try:
        opts, args = getopt.getopt(sys.argv[1:], "vdir:o:p:")
    except getopt.GetoptError, err:
        # print help information and exit:
        print str(err) # will print something like "option -a not recognized"
        usage()
        sys.exit(2)

    if len(opts) == 0 and len(args) == 0 :
        usage()
        sys.exit(2) 

    for o, a in opts:
        if o == "-v":
            verbose+=1
        if o == "-i":
            setCommand("printInfo")
        if o =="-o":
            if a == None :
                raise CMBDTCFatal("Invalid parameter for -o")
            outputFile = a
        if o =="-r":
            setCommand("printRecord")
            try:
                recordName,recordIndex = a.split(':')
            except:
                raise CMBDTCFatal("Invalid parameter for -r")
        if o =="-p":
            PIDs.append(a)
        if o =="-d":
            setCommand("doit")

    if command == "" :
        raise CMBDTCFatal("No action supplied on command line")

    #
    # Read the encrypted database
    #

    try:
        kindleDatabase = parseKindleInfo()
    except Exception as message:
        if verbose>0:
            print(message)

    if kindleDatabase != None :
        if command == "printInfo" :
            printKindleInfo()

    #
    # Compute the DSN
    #

    # Get the Mazama Random number
        MazamaRandomNumber = getKindleInfoValueForKey("MazamaRandomNumber")

    # Get the HDD serial
        encodedSystemVolumeSerialNumber = encodeHash(str(GetVolumeSerialNumber(GetSystemDirectory().split('\\')[0] + '\\')),charMap1)

    # Get the current user name
        encodedUsername = encodeHash(GetUserName(),charMap1)

    # concat, hash and encode
        DSN = encode(SHA1(MazamaRandomNumber+encodedSystemVolumeSerialNumber+encodedUsername),charMap1)

        if verbose >1:
            print("DSN: " + DSN)

    #
    # Compute the device PID
    #

        table =  generatePidEncryptionTable()
        devicePID = generateDevicePID(table,DSN,4)
        PIDs.append(devicePID)

        if verbose > 0:
            print("Device PID: " + devicePID)

    #
    # Open book and parse metadata
    #

    if len(args) == 1:

        bookFile = openBook(args[0])
        parseTopazHeader()
        parseMetadata()

    #
    # Compute book PID
    # 

    # Get the account token

        if kindleDatabase != None:
            kindleAccountToken = getKindleInfoValueForKey("kindle.account.tokens")

            if verbose >1:
                print("Account Token: " + kindleAccountToken)

            keysRecord = bookMetadata["keys"]
            keysRecordRecord = bookMetadata[keysRecord]

            pidHash = SHA1(DSN+kindleAccountToken+keysRecord+keysRecordRecord)

            bookPID = encodePID(pidHash)
            PIDs.append(bookPID)

            if verbose > 0:
                print ("Book PID: " + bookPID )

    #
    #  Decrypt book key
    #

        dkey = getBookPayloadRecord('dkey', 0) 

        bookKeys = []
        for PID in PIDs :
            bookKeys+=decryptDkeyRecords(dkey,PID)

        if len(bookKeys) == 0 :
            if verbose > 0 :
                print ("Book key could not be found. Maybe this book is not registered with this device.")
        else :
            bookKey = bookKeys[0]
            if verbose > 0:
                print("Book key: " + bookKey.encode('hex'))



            if command == "printRecord" :
                extractBookPayloadRecord(recordName,int(recordIndex),outputFile)
                if outputFile != "" and verbose>0 :
                    print("Wrote record to file: "+outputFile) 
            elif command == "doit" :
                if outputFile!="" :
                    createDecryptedBook(outputFile)
                    if verbose >0 :
                        print ("Decrypted book saved. Don't pirate!")
                elif verbose > 0:
                    print("Output file name was not supplied.")

    return 0

if __name__ == '__main__':
    sys.exit(main())