1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60

61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120

121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180

181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240

241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300

301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360

361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 #! /usr/bin/python # -*- coding: utf-8 -*# ineptkey.pyw, version 5 # Copyright 2009-2010 i cabbages # Released under the terms of the GNU General Public Licence, version 3 or # later. <http://www.gnu.org/licenses/> # Windows users: Before running this program, you must first install Python 2.6 # from <http://www.python.org/download/> and PyCrypto from # <http://www.voidspace.org.uk/python/modules.shtml#pycrypto> (make certain # to install the version for Python 2.6). Then save this script file as # ineptkey.pyw and double-click on it to run it. It will create a file named # adeptkey.der in the same directory. This is your ADEPT user key. # # Mac OS X users: Save this script file as ineptkey.pyw. You can run this # program from the command line (pythonw ineptkey.pyw) or by double-clicking # it when it has been associated with PythonLauncher. It will create a file # named adeptkey.der in the same directory. This is your ADEPT user key. # Revision history: # 1 - Initial release, for Adobe Digital Editions 1.7 # 2 - Better algorithm for finding pLK; improved error handling # 3 - Rename to INEPT # 4 - Series of changes by joblack (and others?) -# 4.1 - quick beta fix for ADE 1.7.2 (anon) # 4.2 - added old 1.7.1 processing # 4.3 - better key search # 4.4 - Make it working on 64-bit Python # 5 - Clean up and improve 4.x changes; # Clean up and merge OS X support by unknown """ Retrieve Adobe ADEPT user key. """ from __future__ import with_statement __license__ = 'GPL v3' import sys import os

import import import import import

struct Tkinter Tkconstants tkMessageBox traceback

class ADEPTError(Exception): pass if sys.platform.startswith('win'): from ctypes import windll, c_char_p, c_wchar_p, c_uint, POINTER, byref, \ create_unicode_buffer, create_string_buffer, CFUNCTYPE, addressof, \ string_at, Structure, c_void_p, cast, c_size_t, memmove from ctypes.wintypes import LPVOID, DWORD, BOOL import _winreg as winreg try: from Crypto.Cipher import AES except ImportError: AES = None DEVICE_KEY_PATH = r'Software\Adobe\Adept\Device' PRIVATE_LICENCE_KEY_PATH = r'Software\Adobe\Adept\Activation' MAX_PATH = 255 kernel32 = windll.kernel32 advapi32 = windll.advapi32 crypt32 = windll.crypt32 def GetSystemDirectory(): GetSystemDirectoryW = kernel32.GetSystemDirectoryW GetSystemDirectoryW.argtypes = [c_wchar_p, c_uint] GetSystemDirectoryW.restype = c_uint def GetSystemDirectory(): buffer = create_unicode_buffer(MAX_PATH + 1) GetSystemDirectoryW(buffer, len(buffer)) return buffer.value return GetSystemDirectory GetSystemDirectory = GetSystemDirectory() def GetVolumeSerialNumber(): GetVolumeInformationW = kernel32.GetVolumeInformationW GetVolumeInformationW.argtypes = [c_wchar_p, c_wchar_p, c_uint, POINTER(c_uint), POINTER(c_uint), POINTER(c_uint), c_wchar_p, c_uint] GetVolumeInformationW.restype = c_uint def GetVolumeSerialNumber(path): vsn = c_uint(0) GetVolumeInformationW( path, None, 0, byref(vsn), None, None, None, 0) return vsn.value return GetVolumeSerialNumber GetVolumeSerialNumber = GetVolumeSerialNumber() def GetUserName(): GetUserNameW = advapi32.GetUserNameW GetUserNameW.argtypes = [c_wchar_p, POINTER(c_uint)] GetUserNameW.restype = c_uint def GetUserName():

buffer = create_unicode_buffer(32) size = c_uint(len(buffer)) while not GetUserNameW(buffer, byref(size)): buffer = create_unicode_buffer(len(buffer) * 2) size.value = len(buffer) return buffer.value.encode('utf-16-le')[::2] return GetUserName GetUserName = GetUserName() PAGE_EXECUTE_READWRITE = 0x40 MEM_COMMIT = 0x1000 MEM_RESERVE = 0x2000 def VirtualAlloc(): _VirtualAlloc = kernel32.VirtualAlloc _VirtualAlloc.argtypes = [LPVOID, c_size_t, DWORD, DWORD] _VirtualAlloc.restype = LPVOID def VirtualAlloc(addr, size, alloctype=(MEM_COMMIT MEM_RESERVE), protect=PAGE_EXECUTE_READWRITE): return _VirtualAlloc(addr, size, alloctype, protect) return VirtualAlloc VirtualAlloc = VirtualAlloc() MEM_RELEASE = 0x8000 def VirtualFree(): _VirtualFree = kernel32.VirtualFree _VirtualFree.argtypes = [LPVOID, c_size_t, DWORD] _VirtualFree.restype = BOOL def VirtualFree(addr, size=0, freetype=MEM_RELEASE): return _VirtualFree(addr, size, freetype) return VirtualFree VirtualFree = VirtualFree() class NativeFunction(object): def __init__(self, restype, argtypes, insns): self._buf = buf = VirtualAlloc(None, len(insns)) memmove(buf, insns, len(insns)) ftype = CFUNCTYPE(restype, *argtypes) self._native = ftype(buf) def __call__(self, *args): return self._native(*args) def __del__(self): if self._buf is not None: VirtualFree(self._buf) self._buf = None if struct.calcsize("P") == CPUID0_INSNS = ( "\x53" "\x31\xc0" "\x0f\xa2" "\x8b\x44\x24\x08" "\x89\x18" "\x89\x50\x04" "\x89\x48\x08" "\x5b" "\xc3" 4: # # # # # # # # # push xor cpuid mov mov mov mov pop ret %ebx %eax,%eax 0x8(%esp),%eax %ebx,0x0(%eax) %edx,0x4(%eax) %ecx,0x8(%eax) %ebx

) CPUID1_INSNS = ( "\x53" "\x31\xc0" "\x40" "\x0f\xa2" "\x5b" "\xc3" ) else: CPUID0_INSNS = ( "\x49\x89\xd8" "\x49\x89\xc9" "\x48\x31\xc0" "\x0f\xa2" "\x4c\x89\xc8" "\x89\x18" "\x89\x50\x04" "\x89\x48\x08" "\x4c\x89\xc3" "\xc3" ) CPUID1_INSNS = ( "\x53" "\x48\x31\xc0" "\x48\xff\xc0" "\x0f\xa2" "\x5b" "\xc3" )

# # # # # #

push xor inc cpuid pop ret

%ebx %eax,%eax %eax %ebx

# # # # # # # # # # # # # # # #

mov mov xor cpuid mov mov mov mov mov retq push xor inc cpuid pop retq

%rbx,%r8 %rcx,%r9 %rax,%rax %r9,%rax %ebx,0x0(%rax) %edx,0x4(%rax) %ecx,0x8(%rax) %r8,%rbx

%rbx %rax,%rax %rax %rbx

def cpuid0(): _cpuid0 = NativeFunction(None, [c_char_p], CPUID0_INSNS) buf = create_string_buffer(12) def cpuid0(): _cpuid0(buf) return buf.raw return cpuid0 cpuid0 = cpuid0() cpuid1 = NativeFunction(c_uint, [], CPUID1_INSNS) class DataBlob(Structure): _fields_ = [('cbData', c_uint), ('pbData', c_void_p)] DataBlob_p = POINTER(DataBlob) def CryptUnprotectData(): _CryptUnprotectData = crypt32.CryptUnprotectData _CryptUnprotectData.argtypes = [DataBlob_p, c_wchar_p, DataBlob_p, c_void_p, c_void_p, c_uint, DataBlob_p] _CryptUnprotectData.restype = c_uint def CryptUnprotectData(indata, entropy): indatab = create_string_buffer(indata) indata = DataBlob(len(indata), cast(indatab, c_void_p)) entropyb = create_string_buffer(entropy) entropy = DataBlob(len(entropy), cast(entropyb, c_void_p)) outdata = DataBlob() if not _CryptUnprotectData(byref(indata), None, byref(entropy), None, None, 0, byref(outdata)):

raise ADEPTError("Failed to decrypt user key key (sic)") return string_at(outdata.pbData, outdata.cbData) return CryptUnprotectData CryptUnprotectData = CryptUnprotectData() def retrieve_key(keypath): if AES is None: tkMessageBox.showerror( "ADEPT Key", "This script requires PyCrypto, which must be installed " "separately. Read the top-of-script comment for details.") return False root = GetSystemDirectory().split('\\')[0] + '\\' serial = GetVolumeSerialNumber(root) vendor = cpuid0() signature = struct.pack('>I', cpuid1())[1:] user = GetUserName() entropy = struct.pack('>I12s3s13s', serial, vendor, signature, user) cuser = winreg.HKEY_CURRENT_USER try: regkey = winreg.OpenKey(cuser, DEVICE_KEY_PATH) except WindowsError: raise ADEPTError("Adobe Digital Editions not activated") device = winreg.QueryValueEx(regkey, 'key')[0] keykey = CryptUnprotectData(device, entropy) userkey = None try: plkroot = winreg.OpenKey(cuser, PRIVATE_LICENCE_KEY_PATH) except WindowsError: raise ADEPTError("Could not locate ADE activation") for i in xrange(0, 16): try: plkparent = winreg.OpenKey(plkroot, "%04d" % (i,)) except WindowsError: break ktype = winreg.QueryValueEx(plkparent, None)[0] if ktype != 'credentials': continue for j in xrange(0, 16): try: plkkey = winreg.OpenKey(plkparent, "%04d" % (j,)) except WindowsError: break ktype = winreg.QueryValueEx(plkkey, None)[0] if ktype != 'privateLicenseKey': continue userkey = winreg.QueryValueEx(plkkey, 'value')[0] break if userkey is not None: break if userkey is None: raise ADEPTError('Could not locate privateLicenseKey') userkey = userkey.decode('base64') userkey = AES.new(keykey, AES.MODE_CBC).decrypt(userkey) userkey = userkey[26:-ord(userkey[-1])] with open(keypath, 'wb') as f: f.write(userkey) return True elif sys.platform.startswith('darwin'):

import import import import import

xml.etree.ElementTree as etree Carbon.File Carbon.Folder Carbon.Folders MacOS

ACTIVATION_PATH = 'Adobe/Digital Editions/activation.dat' NSMAP = {'adept': 'http://ns.adobe.com/adept', 'enc': 'http://www.w3.org/2001/04/xmlenc#'} def find_folder(domain, dtype): try: fsref = Carbon.Folder.FSFindFolder(domain, dtype, False) return Carbon.File.pathname(fsref) except MacOS.Error: return None def find_app_support_file(subpath): dtype = Carbon.Folders.kApplicationSupportFolderType for domain in Carbon.Folders.kUserDomain, Carbon.Folders.kLocalDomain: path = find_folder(domain, dtype) if path is None: continue path = os.path.join(path, subpath) if os.path.isfile(path): return path return None def retrieve_key(keypath): actpath = find_app_support_file(ACTIVATION_PATH) if actpath is None: raise ADEPTError("Could not locate ADE activation") tree = etree.parse(actpath) adept = lambda tag: '{%s}%s' % (NSMAP['adept'], tag) expr = '//%s/%s' % (adept('credentials'), adept('privateLicenseKey')) userkey = tree.findtext(expr) userkey = userkey.decode('base64') userkey = userkey[26:] with open(keypath, 'wb') as f: f.write(userkey) return True elif sys.platform.startswith('cygwin'): def retrieve_key(keypath): tkMessageBox.showerror( "ADEPT Key", "This script requires a Windows-native Python, and cannot be run " "under Cygwin. Please install a Windows-native Python and/or " "check your file associations.") return False else: def retrieve_key(keypath): tkMessageBox.showerror( "ADEPT Key", "This script only supports Windows and Mac OS X. For Linux " "you should be able to run ADE and this script under Wine (with " "an appropriate version of Windows Python installed).") return False

class ExceptionDialog(Tkinter.Frame): def __init__(self, root, text): Tkinter.Frame.__init__(self, root, border=5) label = Tkinter.Label(self, text="Unexpected error:", anchor=Tkconstants.W, justify=Tkconstants.LEFT) label.pack(fill=Tkconstants.X, expand=0) self.text = Tkinter.Text(self) self.text.pack(fill=Tkconstants.BOTH, expand=1) self.text.insert(Tkconstants.END, text) def main(argv=sys.argv): root = Tkinter.Tk() root.withdraw() progname = os.path.basename(argv[0]) keypath = 'adeptkey.der' success = False try: success = retrieve_key(keypath) except ADEPTError, e: tkMessageBox.showerror("ADEPT Key", "Error: " + str(e)) except Exception: root.wm_state('normal') root.title('ADEPT Key') text = traceback.format_exc() ExceptionDialog(root, text).pack(fill=Tkconstants.BOTH, expand=1) root.mainloop() if not success: return 1 tkMessageBox.showinfo( "ADEPT Key", "Key successfully retrieved to %s" % (keypath)) return 0 if __name__ == '__main__': sys.exit(main