This is great news.
I just think there are other ways also to do it, like full game debugging.
I researched this option myself, and I can see also there are several ways to obtain the decrypted eboot.
I really played around today, and I managed to get full game debugging.
And that hasn't been done as yet.
It always has frustrated me that you couldn't debug retail eboots/games.
Normally when loading just fself in debugger, just nothing happens.
So I played around.
Here is a small tut.
First reset in debugger mode.
Locate the eboot.bin, decrypt it, and resign with Fself one.
Then in target manager set app_home to the BLES or BLUS folder.
Reset target.
Then load executable, then locate the eboot.bin.
Load it.
Then open Tuner from the SDK.
Then load executable there also.
When you do this you get kicked to the PS3 debugger.
Then in debugger you press go under options.
Congrats, you are debugging full game.
movie intro

gameplay

Also on the PS3 you can play the game under debugger mode.
Since eboots stay in RAM until the next is loaded, the entire game can be debugged.
So therefore only the eboot has to be decrypted and not the sprx, if the game OS needed off that.
Just since a monkey like me can figure it out, so can you.
PS: when the debugging starts you can sniff with "software."
Even works on 4.11 games, but prepare for huge files like 1 GB when sniffing, so hope for any good suggestions.
Really don't care about war on sites, just help each other.
Funny **** is that you can debug both TB and cobra this way, all the updates and dongle updaters, just wished that DEX was around before.
Regards
09-17-2012
11:55 AM
Wow. Just wow. I'm almost speechless.

It's a shame Zadow28 left us here at PS3hax
Another question, what does debugging a game mean?
Sorry for being a noob in this stuff.
Great news!
Sayonara Cobra. And sayonara all other drm sh*t!
09-17-2012
11:56 AM
Very, very interesting.... gonna have to try this out.
09-17-2012
12:20 PM
I've been doing this since the DEX leak.. lol, so have some people at CMP.
09-17-2012
12:21 PM
lol
/10char
09-17-2012
12:23 PM
09-17-2012
12:25 PM
09-17-2012
12:29 PM
Eboots will flood. You'll see. Together with decrypted cobra dongle.
09-17-2012
12:31 PM
I admire zadow28's perseverance... he was almost burned alive here in the forum and did not give up what he does, regardless of the results.
09-17-2012
12:31 PM
09-17-2012
12:34 PM
09-17-2012
12:44 PM
Go ahead and obtain the decrypted eboot then.
good nite
09-17-2012
12:46 PM
night*
Don't have dex, I will let the good work to the good people. Good night*!
I am the one that trusts zadow when he says something.
09-17-2012
02:06 PM
LOL to trust Zadow is like trusting a homeless man to hold on to your house key and not use it.
09-17-2012
02:16 PM
This is intriguing to say the least. Hope this decimates DRM for good.
09-17-2012
02:36 PM
************* [ - Post Merged - ] *************
09-17-2012
02:38 PM
Let's see what the future will bring us... but zadow left out a few details...
e.g. how to get the decrypted eboot^^
09-17-2012
03:03 PM
Thank you Zadow
Very happy to see someone is sharing info.
09-17-2012
03:22 PM
I can't access this tutorial - please help.
"First reset in debugger mode...." where is debugger mode???
"locate the eboot.bin decrypt it, and resign with Fself one." What does this mean??
Please answer my question.
09-17-2012
03:26 PM
09-17-2012
04:43 PM
Finally something to upload.
09-17-2012
05:07 PM
Congrats, you miss just a little part to decrypt retail self :P
You "just" have to build a fself that runs an external retail self, then you can read it from RAM (decrypted) via core dump, via debugger or directly using the fself itself!
SDK samples explain how to do that, you just have to read them! :P
09-17-2012
05:21 PM
Well this is good to maybe get decrypted sprx files, but as is we can only debug the game if you can already decrypt the eboot to change it to a fself file. So only 3.55 games or 3.60+ games with fixes can be dumped.
Of course if this works with 3.60+ games then it could show some promise.
I've gotten coredumps on my DEX but it was for games with fixes that crashed, so not much use, plus I have no idea what to do with a 180 MB .elf file. You do get a log of the dump that has a lot of HEX values in it. Maybe that would allow someone with the knowledge and skills to extract the Eboot.elf?
I have no idea.
Credits to zadow for his persistence in trying out things.
edit
Just read another_anon's post. Interesting.
09-17-2012
05:50 PM
Is it not possible to use the Debug Station Launcher (part of the SDK)?
That will launch whatever is mapped to app_home via LAN.
Also, it's an fself that will launch a retail self.
09-17-2012
06:02 PM
09-17-2012
06:12 PM
09-17-2012
06:19 PM
So how about this, possible?
Make a homebrew that launches an original BD 4.11 game and then somehow cause a crash.
I guess that theoretical homebrew could also work with a game mounted in BD EMU.
lol, this all sounds good in theory. So what do some solid DEVS have to say about all this?
The last I heard no one had any idea what to do with core dumps, but who knows what's going on underground.
09-17-2012
06:25 PM
I have no understanding of this whatsoever... as a noob, I'll wait for someone to make a noob-friendly guide, or wait for an easier method to do this...
09-17-2012
06:28 PM
09-17-2012
06:28 PM
There is a lot to this method that can actually be used for many things, and cobra uses a battery to switch to debugger mode for emu to kick the eboot file.
09-17-2012
06:54 PM
Amazing how the TrueBlue dildo team's secrets are still secret.
Did I say amazing? I meant annoying.
09-17-2012
07:00 PM
"Funny **** is that you can debug both TB and cobra this way, all the updates and dongle updaters, just wished that DEX was around before
regards"
You are my hero for sharing the info with us, many thanks [MENTION=210007]zadow28[/MENTION]
09-17-2012
07:13 PM
...Firmly inserted butt plugs aren't removed. GaryOPA's gape remains visible from distant shores...
Maybe I'm wrong and it's just stretched beyond repair.
09-17-2012
07:14 PM
Problem with revealing the TB method is Sony can exploit it with higher firmware methods. I know they use core dumps with retail games then rebuild the structure with their own keys signed for 3.40 and up, and the dongle only searches for the USB functions as it is present in the unit.
09-17-2012
07:44 PM
It's in the "101 on being an intelligent internet user"
....I mean how vague can one be!!!!!? "higher firmware methods" lol.
09-17-2012
08:41 PM
Then you and any others are not true sceners and worthless as far as sharing important information that could be used for progress. By that admission, CMP is definitely only out for themselves and are most likely upset, as other dongle makers are, in that their DRM userCheat was cracked and made open to the scene.
Why are you even here boasting about this unless you are trying to inflate your ego?
Trolls like you are what keep the scene from moving forward. Thanks for nothing, Arsehole.
09-17-2012
08:42 PM
I was talking about Sony exploiting it with higher firmware methods. Sheesh, some ppl don't get the point, I'm no idiot. So let's see you do it then, tenuous!
************* [ - Post Merged - ] *************
I won't waste any of my time talking to ppl who are rude, 'cause I won't sink down to that level. I like this site and have been on here for a long time and followed it since 3.55 CFW came out. I do my own programming and understand it along with the internet very well, and have spent many hours of my own research.
09-17-2012
09:29 PM
^^that's nothing
I have been in the PS3 scene since the Commodore 64 came out. I was the first to decrypt Uncharted 3 using nothing but duct tape and a screwdriver.
Also, my dad can beat up your dad.
09-17-2012
09:34 PM
What exactly could this do? Seems promising though.
09-17-2012
09:46 PM
09-17-2012
10:16 PM
mathieullah had this already.
He is like the Chuck Norris of the PS3 scene.
09-17-2012
10:24 PM
09-18-2012
12:21 AM
I can't access this tutorial - please help.
"First reset in debugger mode...." where is debugger mode???
"locate the eboot.bin decrypt it, and resign with Fself one." What does this mean??
Please answer my question.
My console is DEX.
09-18-2012
12:49 AM
I love to be the party crasher on this.
Neat job, but sadly this was posted on a DRM lovers' board....
Oh the irony... xD
09-18-2012
01:00 AM
I want help.......
Won't anyone help me??????
09-18-2012
01:12 AM
I had 4 PS3s: 1 overheated, 2 I activated the last PSN account on and it won't let me share the account, so I CFW'd it with Rebug. So I hope all games get decrypted, ya ya ya I know I'm dreaming, oh well. Great work, something to keep the scene alive.
09-18-2012
01:22 AM
09-18-2012
01:48 AM
"locate the eboot.bin decrypt it, and resign with Fself one." What does this mean???? What must I do???
Where is target manager?????
09-18-2012
01:54 AM
Calm down, and I am not boasting, that zadow guy is, and he is totally misleading people with that. Why share something if it won't give you any progress? This won't bring you any closer to decrypted eboots, and sorry to disappoint you but I don't own any dongle nor will I ever (also those f*ckt*rds prevented me from making codes for games with their dildo), and let me give you a few details.
You can only DUMP an attached EBOOT (*fself); everything else will not be dumped and is completely ignored by the core dump process. You will probably get more results by modifying the liblv2coredump.sprx (size etc. is the same on 3.55 & 4.21) or the target manager/debug agent which gets updated in each FW.. and you can swap them out
by picking the option at MFW builder without the need of newer keys.
And how the hell am I a troll? I wrote a guide for noobs for cex2dex, also supported them over PM/IRC. If I was upset about any dongle crack or whatever else I wouldn't be helping people with cex2dex.
This is all I got to say.
09-18-2012
01:56 AM
I went into debugger mode. How do I return to normal mode???
Please help.
09-18-2012
01:59 AM
Hint:
Next time do some research before entering something that you don't know how to get out of.
09-18-2012
02:04 AM
I can.
Thanks so much.
09-18-2012
02:08 AM
(About the beeps)
I meant the second beep, not 2 beeps close together. The first beep is when you power on your PS3, there's a delay of a few seconds, then the second beep. Recovery menu should only come up after the third beep.
09-18-2012
02:14 AM
If u got newer keys, why decrypt the eboot and make an fself? Only to then make a core dump to get the same elf that u would get if u can decrypt it???
Thx for sharing ur info.
09-18-2012
02:18 AM
[MENTION=235910]uncharted angel[/MENTION] u could use target manager and use the option to reset into system software mode.
************* [ - Post Merged - ] *************
09-18-2012
02:23 AM
I think too that this is informative and confusing at the same time; Zadow's approach to certain things could be troublesome.
[MENTION=177621]DjPelle[/MENTION] Zadow always played the *passive* part on this type of info/methods. Puzzled/Passive = Erratic thought.
09-18-2012
02:34 AM
Thanks, but I have a question:
"locate the eboot.bin decrypt it, and resign with Fself one."
What does this mean???? What must I do???
This tutorial is very confusing.
09-18-2012
02:43 AM
Sniff game - YouTube
09-18-2012
03:27 AM
zadow is the man, always knew it.. those lamers back then telling it's a fake, nah he just shares for all to enjoy, not the priv elites only, or at least that's what they think of themselves hehe.
Good job again, keep on sharing!
09-18-2012
03:31 AM
Obviously we're assuming you are on, say, 4.11 DEX for example, to be able to decrypt 4.11 games running the BDEMU method after applying a game update to make BDEMU work.
************* [ - Post Merged - ] *************
09-18-2012
03:39 AM
Remember all this is still in the testing phase.
I managed to sniff the local network via the app_home folder from PC.
Yes, you get the decrypted eboot also this way.
The goal here is of course to do the same with a 4.2+ game with the update trick.
I'm on 4.2 DEX; someone could try sniffing local on 3.55 DEX to see if any info gets out that way.
Also
This is a theory, may work, may not.
Only testing will show.
The thing is when a game is loaded, the eboot stays in RAM until the next is loaded.
This would also happen to the 4.2 games via the update trick.
The eboot is in RAM, just have to get to it.
Regards
09-18-2012
03:51 AM
Great work [MENTION=210007]zadow28[/MENTION], look forward to seeing what comes from this.
09-18-2012
04:35 AM
I have some questions ---- please answer them.
"locate the eboot.bin decrypt it, and resign with Fself one" --- what does this mean??? What must I do???
Where is target manager???
How do I open Tuner from the SDK????
What is debugging full game??? What changes???
09-18-2012
04:35 AM
You need to understand a few things:
1. Coredump is, by design, meant not to trigger when a process flagged as "not debuggable" (that's a capability flag in the EBOOT's metadata) is running.
2. It's easy to run an actual disc eboot in debug mode; it usually doesn't require anything more than using a static path for the eboot (and having the original disc in the drive, because the self is flagged with "discbind" capabilities). The thing is, if it is flagged as not debuggable, even though you can run it, you cannot attach to the process and thus dump it, and coredump will be disabled.
3. The only thing that can trigger a coredump on a not-debuggable process is an exception, but to have any process flagged as not debuggable copied to RAM, you need to run it (you cannot load and not start a process flagged as not debuggable, unlike ones issued from fself or regular processes). The issue is that once the said process is running, since it's obviously loaded from a signed and encrypted executable, you do not have any control of what runs there. You also cannot have your own process running in the background while this one gets started, because all the sprx/processes you would have had loaded get unloaded as soon as the new executable starts (they don't have the proper cflags to stay loaded).
This means you cannot trigger the exception on your own; you have to rely on an existing bug in the actual game code (good luck with that).
Finally, I don't see what wireshark has to do with this.
For your intel, all 2.20+ game selfs are flagged as "not debuggable".
Oh! And even on DECR-1000A, if you are running a process as "not debuggable" the foot switch coredump will not work/trigger.
Sorry to disappoint you all.
09-18-2012
04:45 AM
Thx for clearing it up,
but any suggestions then, mathieulh?
The Damage Inc Pacific Squadron WWII PS3 3.55/3.41 EBOOT Fix
was done with hardware.
But if loaded as an fself, it contains core dump handles that haven't been removed properly
when rebuilding the elf.
Is there some way to inject the liblv2dbg library that handles the coredump?
09-18-2012
04:48 AM
If you have so many questions... this may not be for you
09-18-2012
05:51 AM
09-18-2012
05:58 AM
Thanks math, always clear.
I think u are able to play all 4.xx games, isn't it?
09-18-2012
08:31 AM
Math is correct on this, and I found a thread on this that was fixed by Sony, so it's kinda old. Unless zadow28 did something else to some files.
************* [ - Post Merged - ] *************
It is possible for this to work with dongles, and I have been trying my own methods with lots of research and editing. Haven't got an exploit to work but got a kick back because the files' DRM prevents doing a dump.
09-18-2012
08:55 AM
@uncharted angel maybe you should just hold on a bit and wait until things get a little easier instead of going balls deep right away.
This is all work in progress so everybody will run into some bumps.
Obviously these procedures are a bit too advanced for you (at the moment perhaps), so you should just be a bit patient and wait for some easier steps.
Chill, play some games
09-18-2012
09:31 AM
I am not doing this the same way as zadow is; I'm taking a different approach. But I'm on the right path and know I am. It may be advanced and using a Sony CFW, but I will manage it fine and will post when I do manage it. I am a very chill person and like my games, but I do believe this should be a clean DRM scene.
09-18-2012
09:46 AM
That was always the beef I had with Math: if it wasn't for information being withheld, then cobra and true blue would have never existed in the first place, and we could possibly have moved the scene along much faster and had more info to go by than just now catching the scene up to what is available to do.
I'm tired of whining and so forth, because when sceners feel an injustice is done, someone gets their feelings hurt when that concern is voiced and good devs disappear and withhold information.
BTW, seems a big slap in the face when someone claims to never help out ever again, then shows up when something new is uncovered and tries to explain it further.
You know who I am talking about, you refused to help us a year ago, now you are giving guidelines to something which you swore you wouldn't release yourself due to Piracy + Warez. This is the primary reason why this specific method was released to help aid in that quest. Have you turned Pirate now?
If this offends anyone, then just simply reply with "Shutup" instead of abandoning ship. I can be a little humiliated and rattle off an apology easier than for the scene to lose valuable information. Opinions are like Arseholes, everyone has one and they ALL stink.
09-18-2012
09:53 AM
[MENTION=8731]math[/MENTION]
I read that TB dumps the eboot from RAM, so why don't they just dump keys and decrypt everything?
09-18-2012
05:04 PM
...All a load of rubbish then.

/end another load of rubbish thread
Not being critical, sure this research is useful as some piece to something, but clearly not what it was implied as.
09-18-2012
08:22 PM
Way back this was used to copy games and to decrypt them in SDK 1.6. I saw a thread online about this and it was done through debugger mode. Yes, typically it could be used to dump the dongles, but not like he is explaining. TB elf dumped may aid in that somehow, but not sure, haven't tried it with cobra.
09-30-2012
02:52 PM
If you haven't figured it out yet, you can debug patches also, like nodrm ones, or games.
When you get the patches, you have to set the folders straight.
Make a PS3_GAME folder, copy the USRDIR inside, put the app_home, then debug as normal. The nodrm patch would show up as any other patch for a game. (Remember to Fself the EBOOT.)
If you want to dump as nodrm did it (memory crash), then run with full game, then rebuild eboot.elf; the elf would get decrypted right this time, and of course this eboot works on any rip games.
************* [ - Post Merged - ] *************
I managed to dump sdat packed files also.
Mini Debug Agent Version 4.2.1 (62) (Built - Jun 29 2012 21:23:18)
[TM] Load: /app_home/C:\Users\Zadow\Downloads\EP9000-BCES00818_00-MAGPATCH00000001-A0212-V0100-PE\BCES00818\PS3_GAME\USRDIR\EBOOT.BIN
Available memory (pre-allocation of pools) 212819968 out of 221249536
###Running in Retail mode. 8 M 8429568 bytes taken for code/PRXs.###
[NP Debug] NpBasic: NPWR00380_00
cellGameGetParamString(TITLE_ID) failed; err=0x8002cb21
cellGameGetParamString(TITLE) failed; err=0x8002cb21
cellGameGetParamString(VERSION) failed; err=0x8002cb21
System title ID: 'NPUA70052'
System boot type: kSystemBootTypeDebugger
System paths: kBootContentInfoPath '/app_home' * kBootUserDirPath '/app_home' kGameDataContentInfoPath '/dev_hdd0/game/NPUA70052' kGameDataUserDirPath '/dev_hdd0/game/NPUA70052/USRDIR'
System boot attribute: kSystemBootAttrDebugger
PatchLoader:: looking for patch files in '/app_home/patches'
FileManager::LoadVolumes: loading run/mag/ps3/game.psarc.sdat
(Only wanna turn one to isolate it.)
FileManager::LoadVolumes: failed to find run/mag/ps3/main.psarc
MAPS ip mag.ps3.online.scea.com MAPS tcp port **** MAPS udp port *****
Got this error at first: "FileManager error can't locate run/mag/ps3/game.psarc.sdat", so I renamed another *.sdat and made the folder run/mag/ps3/, then it decrypts it :) Got it from here *********************************np/BCES00818/BCES00818-ver.xml; it gave an error since it wasn't there.
So I replaced the game.psarc.sdat with files that were finalized encrypted; just rename the files I wanted to game.psarc.sdat, then in debugger do core dump, extract the sdat decrypted.
And to math's flags explanation, that you can't dump files without proper flags:
I haven't come across a game or app that I haven't been able to dump yet, maybe you can elaborate on that, since maybe the core isn't visible, but if stepping one by one into memory you are able to just dump the last executable one.
I've made a video some time ago on another topic, but this would go for all the SDK.
New quick video.
Sdat debugg - YouTube
I was looking at the sequence from make self, making fself, making E/Adat to examine the different algorithms.
This is the way to debug and reverse it in IDA Pro; now this stuff is too hard for me to calculate the algorithm. Now I highlight on video, on right mouse, what to look for, so if you get the video you get the point.
I admit this is too hardcore for me.
Actually you would need someone like math to calculate the sequence, even with it being wide open.
10-05-2012
06:14 AM
The games that need to run as emu actually don't.
After you build the emu in ps3gen, press verify.
Then select the emu you just built, then select all files and folders, then decrypt.
Now in Target manager set app_home to the folder you created.
In release mode play via XMB.
10-05-2012
06:51 AM
Thanks for the info [MENTION=210007]zadow28[/MENTION]