For typing long commands (with lots of options at the command line), the up arrow key is very handy. If you made a mistake typing and scetool says error, just push the up arrow key, the last command you typed will appear, then use the left arrow key to go to the mistake and fix it. It's sometimes easier than re-typing the whole line.
So it's the same as when I manually modded eboots; that's the sys_proc_param, yeah, and that 35 hex is the SDK version 3.50, same old shit. You just change that to whatever the hell firmware you want, usually 34 for the lowest jailbreak, 3.41, and with every eboot, at least back when I did it, to find it it's that same string of bytes every time: 13 BC C5 F6 (but it has to be the .elf obviously, the .self is encrypted so those bytes don't exist).
You can use readself in cygwin on EBOOT.BIN (encrypted) to get this info here's Deus Ex for example:
If you copy the offsets, say the first one is 00000000_00000a80 00000000_00f667e8, then take out the underscores and spaces
to make 0000000000000a800000000000f667e8. You then search this hex value in a hex editor; the line directly below will have all zeros
except there will be 2 that are not, and those toggle the compression and encryption flags. The first non-zero is the compression and the one at the end is the encryption. Change the numbers from 01 to 02 or vice versa to toggle yes and no on compression and encryption. Then save, check readself and you will get (I just toggled the first 2 offsets, but back then I'd have to do all of them; compression didn't matter, that just changed the size of the eboot):
and I had to do some other shit; once I got good I could "crack" an eboot in 5 minutes or so.
Last edited by PatrickBatman; 08-05-2012 at 08:20 PM.
With some help from devs I made a small .bat file that can bruteforce the klic key from eboots that use/load self/sprx files.
Code:
@Echo off
SET OFFSET=0
:START
FOR /F "tokens=*" %%i in ('"od -j%OFFSET% -N16 -w16 -t x1 eboot.elf | cut -c 8- |sed 's/ //g'"') do SET KEY=%%i
if %KEY% == 00000000000000000000000000000000 (
echo Skipped 10 bytes of blank/useless key at %OFFSET%
set /a OFFSET+=10
) else (
ECHO Trying Key: %KEY% from decimal offset: %OFFSET%
scetool.exe -l %KEY% -d default.self selfout.elf >nul
set /a OFFSET+=1
)
IF EXIST selfout.elf GOTO END
goto START
:end
echo Done! Key used was: %KEY%
You need to put this into a folder with scetool, data / keys etc. working.
Then drop an eboot.bin and decrypt it with scetool into eboot.elf
Then drop an encrypted self, or sprx, and modify the bat file a little perhaps.
The needed linux tools like od.exe, sed.exe, can all be found in this package: http://www.sendspace.com/file/g9syfd
If you want to test with say, portal 2 sprx files, you can try starting at offset 608600. MW3 around offset 54272..
The batch file is not perfect. On large files, the CUT command starts to malfunction as I don't take this into account with the sed/cut combo.
Note: This is just a proof-of-concept, I wanted to know how the whole self/sprx stuff worked. It doesn't contain keys or any proprietary tools from Sony, and as far as I know, it's not doing anything illegal.
I didn't uncover it all by myself, I got a few hints and suggestions from devs, and made the batch file.
Lost a day because of my own stupidity, when I had -l %KEY% at the end of the scetool command, otherwise it would have found a key much sooner.
A user on hax posted the MW3 key, I found it in a hex editor, figured out I must be doing something wrong in the bat file.. corrected the bat file => bingo!
Should be better if someone codes a proper C app to do this, which would be lots faster. We're looking at 20 hours for the portal 2 eboot, unless you cheat and start at a higher offset, where the game has its strings located.
Bat file also can't handle big files >9.9mb, unless someone mods it and changes the od/cut/sed command once %OFFSET% > 9.9mb etc etc.
Try it for fun with mw3 and portal.
From what you're saying, normally you found them at the end of the elf, so the batch would be more efficient if it was in reverse, i.e., start looking from the end to the beginning, don't you think?
I think you can get the last dec offset.
Also I think that elf files must have a structure of some kind, and with that you can know the offset to start looking.