I honestly didn't expect at ALL to get anywhere near the kind of post you provided. I've done a ton of work on reversing loaders, reactivating third-party controllers on 3.55 (and higher..), but never really ventured into this kind of thing. I've been playing with the Brute force tool for maybe an hour now, and was curious how much of a strain you see on your CPU from it? Bruteforce.exe seems to be using about 1.8% of CPU resources at the moment.
PS My first post quote will be changed to "You're a gentleman and a scholar (...and a Psychiatrist), PatrickBatman."
I'll be having some fun with these tools. Credits and gratitude to everyone involved for giving somebody sitting in a hospital bed for 20 hours a day something to do. I've had so many great conversations with doctors who try to talk down to you, then ask if I'm playing some mindless game on my laptop or desktop while lying here. The look on their faces when they see Bruteforce.exe running, decrypted eboots shown on my screen, and of course the mess of hexadecimal code they see as gibberish is priceless. About 10 minutes ago:
DR: "Jeremy, stop wasting your time playing solitaire, we need to recheck the implants from your prostate surgery" Jeremy: "Does this look like solitaire? You know you can use your computer for more than Facebook and solitaire" DR: "Oh I know, is Bruteforce there some kind of word and number challenge game? Do you need to fill it in like a crossword?" Jeremy: "Close enough."
The doctor actually looked over my screen, and of course tried to act like he understood everything he saw. He said it looks like some stuff he did in high school. But congratulations to you Aldostools, as of now my cancer treatment doctor thinks you developed a program to solve crossword puzzles. He is interested in knowing if there's a similar program on iOS to help him with Words with Friends. You have a pretty kick ass crossword puzzle solver. By all means please provide instructions so my doctor will understand how you solve crossword puzzles. In the meantime I'll be delighted with another team of nurses cutting a radioactive seed out of my prostate. I've had more fingers and objects shoved in my ass than your average porn star. They could have at least romanced me before having a laser knife fuck me in the ass.
It should work - it is the same procedure as for Rock Band 3 (1.05/1.06 updates). I don't have the game so I can't test, but I'm confident it is ok. If someone can confirm - it will be better. Someone should create an update package using this self and the eboot (which has to be re-selfed for 3.55).
If you like multiMAN or multiAVCHD, support the development with a small donation. Click here.
Yes, once I get home from work
I have obtained a JAP release copy of the game which should be on my doorstep by now, or perhaps tomorrow. My friend who sent it said it's 3.56. I hope I didn't waste Deank's time on it.. But, more interesting.. How does the encryption/decryption on ogrez.self work then ?..
How does the encryption/decryption on ogrez.self work then ?..
It is pretty simple once you figure it out
You will notice that in some game updates you have:
EBOOT.BIN
blabla.self
where both files are "the same". They are not 1:1 the same, because they're encrypted with different keys, but if you look at the prog/data sections and the offsets - you will see what I mean. Also the sizes are the same. I noticed this 'update' approach back in 2010 with "Prince of Persia TFS" and with some other games, so I decided to try that. Both in this game and Rock Band there are no references to the .self and no k_lic... either.
What you have to do is:
1) Decrypt the EBOOT.BIN to .elf
2) Use scetool to create NPDRM NPTYPE=UPDATE with key 00, contentID=game-update-content-id, and np-original-name=name_of_the_self.
3) You get the new blabla.self and use it
There is no universal approach. Sizes must be equal (not more or less), and to be sure that there is no k_license involved you can either check if the .self is referenced in the eboot.bin, or you'll have to use IDA to make sure that NP functions use NULL k_lic... (or find the k_license location in IDA using the NP functions).
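The layout test deank describes above (same prog/data sections and offsets, equal sizes, only the keys differ) and the "is the .self referenced in the eboot?" check from the rage/klic discussion, as an added example written by the editor. This is not code from the thread, from multiMAN or from scetool; it parses the publicly documented big-endian SCE/SELF header layout (SCE header, SELF extended header, app info, ELF64 program headers, section-info table and the NPDRM control-info entry) and compares two containers. The sample blobs are constructed in the script (correct header layout, no metadata, no signature, a fake byte pattern as "ciphertext") and are not real SELF files; the content ID and the string table are also constructed. For the re-signing step itself, the scetool switches that I believe correspond to deank's step 2 are --key-revision, --np-content-id, --np-real-fname and --np-app-type, but that mapping is my assumption, not something the thread states.

```python
"""Layout check for the EBOOT.BIN / blabla.self update trick described above.

Added example by the editor, not code from the thread or from scetool.
It parses the public SCE/SELF header layout (big-endian) and applies the
checks deank lists: equal file size, equal decrypted data length and
identical program segment offsets/sizes, while key revision and NPDRM
control info are expected to differ.  The sample blobs are constructed
here (no metadata, no signature, fake payload) and are not real SELFs.
"""
import struct

SCE_MAGIC = b"SCE\0"
SELF_TYPES = {1: "LV0", 2: "LV1", 3: "LV2", 4: "APP", 5: "ISO", 6: "LDR", 8: "NPDRM"}
NP_LICENSES = {1: "network", 2: "local", 3: "free"}


def parse_self(data):
    """Return key revision, SELF type, per-segment layout and NPDRM info of a SELF blob."""
    magic, _ver, key_rev, hdr_type, _meta, hdr_len, data_len = struct.unpack_from(">4sIHHIQQ", data, 0)
    if magic != SCE_MAGIC or hdr_type != 1:  # SCE header type 1 = SELF
        raise ValueError("not a SELF container")
    (_ext, app_info_off, elf_off, phdr_off, _shdr_off, sec_info_off,
     _ver_off, ctrl_off, ctrl_size, _pad) = struct.unpack_from(">10Q", data, 0x20)
    _auth, _vendor, self_type, _appver, _ = struct.unpack_from(">QIIQQ", data, app_info_off)
    e_phnum = struct.unpack_from(">H", data, elf_off + 0x38)[0]  # ELF64 e_phnum
    sections = []
    for i in range(e_phnum):  # one section-info entry per ELF program header
        p_type, _fl, p_off, _va, _pa, p_filesz, p_memsz, _al = struct.unpack_from(">IIQQQQQQ", data, phdr_off + 56 * i)
        s_off, s_size, comp, _u1, _u2, enc = struct.unpack_from(">QQIIII", data, sec_info_off + 32 * i)
        sections.append({"p_type": p_type, "p_offset": p_off, "p_filesz": p_filesz, "p_memsz": p_memsz,
                         "self_offset": s_off, "self_size": s_size, "compressed": bool(comp), "encrypted": bool(enc)})
    npdrm, pos = None, ctrl_off
    while pos < ctrl_off + ctrl_size:  # walk the control-info chain
        ctype, csize, has_next = struct.unpack_from(">IIQ", data, pos)
        if ctype == 3:  # NPDRM control info: "NPD\0", version, license, app type, content id
            npd_magic, _npd_ver, lic, app_type, cid = struct.unpack_from(">4sIII48s", data, pos + 0x10)
            if npd_magic == b"NPD\0":
                npdrm = {"license": NP_LICENSES.get(lic, lic), "app_type": app_type,
                         "content_id": cid.rstrip(b"\0").decode("ascii")}
        if csize == 0 or not has_next:
            break
        pos += csize
    return {"key_revision": key_rev, "self_type": SELF_TYPES.get(self_type, self_type),
            "header_len": hdr_len, "data_len": data_len, "sections": sections, "npdrm": npdrm}


def compare_layout(a, b):
    """Apply the post's 'sizes must be equal, same sections/offsets' test to two SELF blobs."""
    pa, pb = parse_self(a), parse_self(b)
    diffs = []
    if len(a) != len(b):
        diffs.append("file size %d != %d" % (len(a), len(b)))
    if pa["data_len"] != pb["data_len"]:
        diffs.append("data_len %#x != %#x" % (pa["data_len"], pb["data_len"]))
    if len(pa["sections"]) != len(pb["sections"]):
        diffs.append("segment count %d != %d" % (len(pa["sections"]), len(pb["sections"])))
    else:
        for i, (sa, sb) in enumerate(zip(pa["sections"], pb["sections"])):
            for k in ("p_offset", "p_filesz", "p_memsz", "self_offset", "self_size"):
                if sa[k] != sb[k]:
                    diffs.append("segment %d %s %#x != %#x" % (i, k, sa[k], sb[k]))
    return (not diffs, diffs)


def references_name(decrypted_elf, name):
    """Cheap form of the 'is the .self referenced in the eboot?' check: an ASCII string search."""
    return name.encode("ascii") in decrypted_elf


def build_sample(key_rev, content_id, seg_sizes, seed):
    """Constructed SELF-shaped blob for the demo: correct header layout, fake everything else."""
    n = len(seg_sizes)
    app_info_off, elf_off = 0x70, 0x90
    phdr_off = elf_off + 0x40
    sec_info_off = phdr_off + 56 * n
    ctrl_off = sec_info_off + 32 * n
    ctrl_size = 0x90
    hdr_len = ctrl_off + ctrl_size
    blob = bytearray(hdr_len)
    struct.pack_into(">4sIHHIQQ", blob, 0, SCE_MAGIC, 2, key_rev, 1, hdr_len, hdr_len, sum(seg_sizes))
    struct.pack_into(">10Q", blob, 0x20, 3, app_info_off, elf_off, phdr_off, 0, sec_info_off, 0, ctrl_off, ctrl_size, 0)
    struct.pack_into(">QIIQQ", blob, app_info_off, 0x1010000001000003, 0x01000002, 8, 0x0001000000000000, 0)
    struct.pack_into(">16sHHIQQQIHHHHHH", blob, elf_off, b"\x7fELF\x02\x02\x01", 2, 0x15, 1,
                     0x10000, 0x40, 0, 0, 0x40, 0x38, n, 0x40, 0, 0)
    file_off, elf_cursor, vaddr = hdr_len, 0x40 + 56 * n, 0x10000
    for i, size in enumerate(seg_sizes):
        struct.pack_into(">IIQQQQQQ", blob, phdr_off + 56 * i, 1, 5, elf_cursor, vaddr, vaddr, size, size, 0x10000)
        struct.pack_into(">QQIIII", blob, sec_info_off + 32 * i, file_off, size, 0, 0, 0, 1)
        file_off += size; elf_cursor += size; vaddr += size
    # NPDRM control info; license 3 = free, the app type value is a placeholder here
    struct.pack_into(">IIQ4sIII48s", blob, ctrl_off, 3, ctrl_size, 0, b"NPD\0", 1, 3, 4, content_id.encode("ascii"))
    # payload: a seed-dependent byte pattern standing in for "same data, different key"
    return bytes(blob) + bytes((i * seed + seed) & 0xFF for i in range(sum(seg_sizes)))


CONTENT_ID = "UP0001-TEST00000_00-0000000000000000"  # constructed, not a real content id
SAMPLE_EBOOT = build_sample(0x0A, CONTENT_ID, (0x300, 0x80), seed=7)
SAMPLE_SELF = build_sample(0x00, CONTENT_ID, (0x300, 0x80), seed=11)   # same layout, "other key"
SAMPLE_OTHER = build_sample(0x00, CONTENT_ID, (0x300, 0x90), seed=11)  # second segment differs
# constructed string-table fragment standing in for a decrypted eboot .elf
SAMPLE_ELF_STRINGS = b"\x7fELF\x02\x02\x01" + b"\0" * 9 + b"sceNpDrmIsAvailable\0ogrez.self\0EBOOT.BIN\0"

if __name__ == "__main__":
    for label, blob in (("EBOOT.BIN", SAMPLE_EBOOT), ("blabla.self", SAMPLE_SELF)):
        info = parse_self(blob)
        print(label, "key rev", info["key_revision"], info["self_type"], info["npdrm"])
        for s in info["sections"]:
            print("  seg off=%#x size=%#x enc=%s" % (s["self_offset"], s["self_size"], s["encrypted"]))
    print("same layout:", compare_layout(SAMPLE_EBOOT, SAMPLE_SELF))
    print("vs other   :", compare_layout(SAMPLE_EBOOT, SAMPLE_OTHER))
    print("ogrez.self referenced:", references_name(SAMPLE_ELF_STRINGS, "ogrez.self"))
```

On real files you would call parse_self on the bytes of EBOOT.BIN and of the update's .self and run compare_layout on them; the two key revisions and the NPDRM content ID are exactly the fields you then feed to the re-signing step, while a True from compare_layout only tells you the two containers carry the same layout, not that no k_license is in play. The string search is the quick first check deank mentions; it works on the decrypted .elf, not on the encrypted container, and a hit (as with rage) means the IDA route is needed rather than this shortcut.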
You will notice that in some game updates you have:
EBOOT.BIN
blabla.self
..
Both in this game and Rock Band there are no references to the .self and no k_lic... either.
This reference from eboot.bin had me looking in the wrong direction, so I had assumed that ogrez.self would be like 'rage', which has a similar approach.
Rage has the exact same 'thing' where EBOOT.BIN and patch.self appear to be the same files, signed differently, but we can find a klic in the eboot..
(Edit: Compared the two eboot/patch decrypted files from rage, they are indeed identical.)
Yes, you're right - Rock Band didn't have a reference to the band_s.self. But in Yakuza there was only one usage of the k_license and it was for a sprx (as I posted the other day). I guess you can apply this method to rage and compare the results to the working patch.self. Both methods should work.
(Edit: Compared the two eboot/patch decrypted files from rage, they are indeed identical.)
Nice.
As I said - it is not a universal method, but since it takes 1 min to test anyone can check it before trying the brute force method.
Last edited by deank; 08-14-2012 at 05:25 AM.