Bruteforce KLicense Tools Discussion

[aldostools]

removed post

[catalinnc]

i finally found a relative small update for a psn npdrm type local content with multiple selfs...this will help me expose a big diff between npdrm type free updates with multiple selfs and psn npdrm type local content with multiple selfs...

Supersonic Acrobatic Rocket-Powered Battle-Cars NPUB30035 update 1.04 (80mb)

UP2002-NPUB30035_00-SARBATTLECARS001.rap

4A 91 DF 05 04 ED 58 04 58 A9 5A D1 89 B8 F0 24

relevant files:

USRDIR\EBOOT.BIN
USRDIR\SARB\BINARIES\PS3\SPU\SPUJOBS.SPRX

using scetool + rap both selfs can be decrypted to valid elfs...this is the big diff - for npdrm type free updates a klic is needed for decrypting the additional selfs...here comes to the rescue the bruteforce tool...

now back to the subject...

for reencrypting as npdrm type free the klic is still needed for the additional selfs...the problem is how to find it now as all the selfs can be decrypted with the rap?...there is nothing left to bruteforce!!!

a possible workaround is to reencrypt as npdrm type local content and use reactPSN to play it...

i tried this with this line:

scetool.exe --np-content-id=UP2002-NPUB30035_00-SARBATTLECARS001 --key-revision=01 --self-app-version 0001000000000000 --self-fw-version=0003004000000000 --sce-type=SELF --compress-data=FALSE --skip-sections=FALSE --self-auth-id=1010000001000003 --self-vendor-id=01000002 --self-type=NPDRM --np-license-type=LOCAL --np-app-type=EXEC --np-real-fname=EBOOT.BIN --verbose --encrypt EBOOT.ELF EBOOT.BIN

but for some reason scetool will screw the signature and i get 80029530 error...

any ideas?
_

L.E. the klic for Supersonic Acrobatic Rocket-Powered Battle-Cars NPUB30035 is:

Decrypt: SPUJOBS.SPRX
Content ID: EP2002-NPEB00062_00-SARBATTLECARS001
Done! Offset: 21318596 -> 0x01454BC4
Key found: 89CC36FC34B1D7DEB23D6744A9D05A51

it can be found after you fix the game with reactPSN (triangle mode)...the selfs become free and free+klic and can be bruteforced...
_

[Asure]

I'm understanding your post, but what's the goal exactly?

[catalinnc]

I'm understanding your post, but what's the goal exactly?

how to find klic for paid psn content...
_

new klics:

Dungeons And Dragons Daggerdale NPUB30318

Decrypt: DND.SELF
Content ID: UP0182-NPUB30318_00-0000111122223332
Done!
Key found: 00000000000000000000000000000000

Tom Clancy's Rainbow Six Vegas 2 NPUB30503

Decrypt: libdcp_ps3.sprx
Content ID: UP0001-NPUB30503_00-VEGAS2PS3REMPKG1
Done! Offset: 24717072 -> 0x01792710
Key found: 584244534F204E3D575882205FF54C5A

Homefront NPUB30572

Decrypt: SPUJOBS.SPRX
Content ID: UP1005-NPUB30572_00-HFDIGITAL0000001
Done!
Key found: 00000000000000000000000000000000

_

[aldostools]

removed post

[Omnomnom]

Klic key for Ghostbusters v1.03

Decrypt: ghost_ps3_disc_eu.self
Content ID: EP9000-BCES00642_00-PROTON103PATCH01
Done!
Key found: 96F4F8047346EB130E78933C3D1BDBBB

[catalinnc]

klic for Dragon Age Origins BLUS30415:

Decrypt: eclipse.self
Content ID: UP0006-BLUS30415_00-DAOPATCH106POST0
Done! Offset: 133676 -> 0x00020A2C
Key found: 0D381309CBF64D8DC3B411EFBFD4648B

_

L.E. @aldo did you remove the sound played when the klic is found? i run the bruteforce on a second PC so the sound was a good way to know when the job was done!
_

[aldostools]

removed post

[JLM]

B0B05AD0B173 = bobo the clown is sad (when he looks in the) mirror

B0B0 = bobo (a clown)
5AD0 =
B = be, is
173 = mirror (hex 173 = 371 decimal)

[catalinnc]

@aldo could you add the DEBUG keys to scetool keys so we can decrypt DEBUG selfs too? HERE is an example of DEBUG pkg...
_

new klic: Arcana Heart 3 BLJM60248

Decrypt: DFEngine.sprx
Content ID: JP0036-BLJM60248_00-AH30UPDATEDATA01
Done! Offset: 7305232 -> 0x006F7810
Key found: 01255725585727598445648785573384

_