From what you're saying, normally you find them at the end of the ELF, so the batch would be more efficient if it ran in reverse, i.e. start looking from the end towards the beginning, don't you think?
I think you can get the last decimal offset with:
Also, I think that ELF files must have a structure of some kind, and with that you can know the offset at which to start looking.
Nice one, I didn't know that it was (for most files I tested so far) near the end of the file.
Now we just need to handle big files as well (e.g. Rage with its 33MB ELF..).
Since no one mentioned it, the key to decrypt the sprx is in the eboot. His batch file cycles through all the bytes in the eboot, trying each set of bytes in turn as a key, which is then passed to scetool to decrypt the sprx, until one of the "keys" lets scetool decrypt the sprx.
This one works in reverse and can handle big files like Rage:
Code:
@echo off
for %%S in (eboot.elf) do SET /a LAST_OFFSET=%%~zS-16
for %%S in (eboot.elf) do SET /a MAX_OFFSET=%%~zS-16
:START
set CUT=8
if %LAST_OFFSET% gtr 1000000 (
set /a CUT+=1
)
rem echo Cut val: %CUT%
FOR /F "tokens=*" %%i in ('"od -j%LAST_OFFSET% -N16 -w16 -t x1 eboot.elf | cut -c %CUT%- |sed 's/ //g'"') do SET KEY=%%i
if %KEY% == 00000000000000000000000000000000 (
echo Skipped 10 bytes of blank/useless key at %LAST_OFFSET%
set /a LAST_OFFSET-=10
) else (
ECHO Trying Key: %KEY% from decimal offset: %LAST_OFFSET% / %MAX_OFFSET%
scetool.exe -l %KEY% -d patch.self selfout.elf -l %KEY% >nul
set /a LAST_OFFSET-=1
)
IF EXIST selfout.elf GOTO END
goto START
:end
echo Done! Key used was: %KEY%
@Asure, if you don't want to hardcode the self/sprx name in the batch and want to enable drag and drop:
That way you only need to have the eboot.elf and the sprx/self file in the directory and then drag and drop the sprx/self file onto the batch file.
Oh, and put a pause at the end: since you will not be using the command prompt, you have to add a pause or you will not see the results.
Yeah, I already knew this. If you don't want to wait 20 hours, here's the CODMW3 klic key:
Code:
496E66696E697479576172644B657900
bahahhaha InfinityWardKey
Usually it's good to start with the offsets in the ELF64 section headers. I was going to write a tutorial when I found an easier way to obtain the key than brute forcing the override klicensee (-l).
EDIT: I cracked the Rage 1.01 patch already, it's on ps3scenefiles. I think propositionjoe cracked it as well. I wish I had known we were cracking it at the same time so I could have done a different game. Oh well, whatever.
Last edited by PatrickBatman; 08-07-2012 at 07:16 PM.
PS3 Slim w/ Rebug Rex 4.30.2, 500GB Internal, 1TB/3TB External; PS2 Fat McBoot w/ Hard Drive; Windows 7 x64 Ultimate
Last game finished: Crysis 3 | Currently Playing: Dead Space 3
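The point made twice above, that the ELF structure (in particular the ELF64 section headers) tells you where the file's described content ends, is easy to check mechanically. The following is an added example, not code from this thread or from scetool: it parses the ELF64 file header and section header table, resolves section names, and reports the first file offset that no section and not the section header table itself covers, which is where any appended, unstructured data begins. That boundary is what an integrity or packaging check would use to flag a binary carrying extra bytes past its declared content. The image it parses is constructed inline (`build_sample_elf64`, a big-endian ELF64 with a PowerPC64 machine type, not a real PS3 binary), and `parse_elf64` is a name chosen here.

```python
import struct

ELF_MAGIC = b"\x7fELF"
SHT_NOBITS = 8            # section occupies no bytes in the file
EM_PPC64 = 0x15           # e_machine value for PowerPC64


def parse_elf64(data):
    """Parse an ELF64 file header plus its section header table.

    Returns header fields, the section list (with names resolved through
    e_shstrndx), and 'structured_end': the first offset past every section's
    file bytes and past the section header table. Bytes after that offset are
    not described by the ELF structure at all.
    """
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2:                          # e_ident[EI_CLASS]: 2 = ELFCLASS64
        raise ValueError("not an ELF64 file")
    endian = ">" if data[5] == 2 else "<"     # e_ident[EI_DATA]: 2 = big-endian
    (e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
     e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = \
        struct.unpack_from(endian + "HHIQQQIHHHHHH", data, 16)
    table_end = e_shoff + e_shnum * e_shentsize
    if table_end > len(data):
        raise ValueError("section header table runs past end of file")

    sections = []
    for i in range(e_shnum):
        off = e_shoff + i * e_shentsize
        sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size = \
            struct.unpack_from(endian + "IIQQQQ", data, off)
        sections.append({"name_idx": sh_name, "type": sh_type,
                         "offset": sh_offset, "size": sh_size, "name": ""})

    # Resolve names via the section-name string table, if the index is sane.
    if e_shstrndx < len(sections):
        st = sections[e_shstrndx]
        blob = data[st["offset"]:st["offset"] + st["size"]]
        for s in sections:
            raw = blob[s["name_idx"]:].split(b"\0", 1)[0]
            s["name"] = raw.decode("ascii", "replace")

    structured_end = table_end
    for s in sections:
        if s["type"] != SHT_NOBITS and s["size"]:
            structured_end = max(structured_end, s["offset"] + s["size"])

    return {"endian": endian, "e_type": e_type, "e_machine": e_machine,
            "e_entry": e_entry, "e_shoff": e_shoff, "e_shnum": e_shnum,
            "sections": sections, "structured_end": structured_end,
            "trailing_bytes": len(data) - structured_end}


def build_sample_elf64():
    """Constructed big-endian ELF64 image for the example (not a real PS3 file):
    header, a 16-byte .text, a .shstrtab, the section header table, and then
    32 bytes of appended data that no section describes."""
    text = bytes(range(16))
    shstrtab = b"\0.text\0.shstrtab\0"          # name indexes: 1 and 7
    text_off = 64
    strtab_off = text_off + len(text)           # 80
    shoff = 104                                 # table starts 8-byte aligned
    shnum = 3
    ident = ELF_MAGIC + bytes([2, 2, 1]) + bytes(9)   # ELF64, MSB, version 1
    ehdr = ident + struct.pack(">HHIQQQIHHHHHH",
                               2, EM_PPC64, 1, 0, 0, shoff, 0,
                               64, 56, 0, 64, shnum, 2)

    def shdr(name, typ, off, size):
        return struct.pack(">IIQQQQIIQQ", name, typ, 0, 0, off, size, 0, 0, 1, 0)

    shdrs = (shdr(0, 0, 0, 0)                          # SHT_NULL
             + shdr(1, 1, text_off, len(text))         # SHT_PROGBITS .text
             + shdr(7, 3, strtab_off, len(shstrtab)))  # SHT_STRTAB .shstrtab
    body = ehdr + text + shstrtab
    body += bytes(shoff - len(body))                   # pad up to e_shoff
    trailer = b"\xAA" * 32                             # constructed appended data
    return body + shdrs + trailer


if __name__ == "__main__":
    info = parse_elf64(build_sample_elf64())
    for s in info["sections"]:
        print(f"{s['name']:<12} off={s['offset']:<6} size={s['size']}")
    print("structured content ends at", info["structured_end"],
          "trailing bytes:", info["trailing_bytes"])
```

On the constructed image the parser reports the structured content ending at offset 296 with 32 trailing bytes; run against a real ELF64 it gives the same boundary directly from the headers, which is the "offset to start looking" the posts above were reasoning about instead of scanning the whole file.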