Old 08-06-2012   #181
Asure
I got some useful info. As we know, the EBOOT.BIN loads the sprx/self files. For example, EBOOT.BIN from the Rage patch loads patch.self. As I've been told, patch.self is encrypted with a klicensee key, which EBOOT.BIN uses when it loads patch.self and decrypts it.

So the key we need is unique, and it is in EBOOT.BIN once we decrypt it.
We can use the decrypted EBOOT.BIN as the source to brute-force the decryption of patch.self.
I've made another batch file to try just this; if it works, I'll share it as well. It's using some tools from Cygwin to get 16-byte chunks, and feeds them to scetool until it detects that a file exists (our decrypted patch.self).

It's testing with the Portal eboot/sprx now to see what happens.
Old 08-06-2012   #182
longhornx
Originally Posted by Asure View Post (#181 above)
You can do that work also in batch: with a for command you create a variable which adds 16 every loop, set this var as the offset in the last CLI software you used (the one you used to replace the 34 hex of sys_param), and so on...

Just one question: are you sure that this klicensee is decrypted after you decode a self?
Old 08-06-2012   #183
Asure
Originally Posted by longhornx View Post (#182 above)
That's indeed what the batch file is doing (using some tools from Cygwin; I'm more of a Linux guy).

I've been told the value for the klicensee is inside the decrypted eboot, yes.

This is what's running now: http://pastie.org/4402268
(Didn't decrypt anything yet, no key found so far; it can take some time to complete!)
I'm off for tonight... need my 8 hrs of sleep.
Old 08-06-2012   #184
doc81
Need help with EBOOT/SFO or just EBOOT to play BLES01548 (DiRT 3 Complete Edition).
Who can help me?
I can provide the original SFO and EBOOT from this version of the game so I can test it if somebody knows how to fix it.

Contact me if you want these files!!!
Email: jackson_latino2002 @hotmail .com

Peaceout man
Old 08-06-2012   #185
opoisso893
Originally Posted by doc81 View Post (#184 above)
BLES01548 = FW 3.73!
DiRT 3 (not Complete Edition) = BLES01287 and uses FW 3.60.
Old 08-06-2012   #186
longhornx
@Asure, that's what I'm talking about :D

I bet that the klicensee has some common prefix in every self, so it's possible to speed up this process. I don't have any game which requires a self; could you tell me the one you tested?

And thanks for your WIP sharing.
Old 08-07-2012   #187
Asure
Originally Posted by longhornx View Post (#186 above)
Well, I left it running overnight, and OD.exe crashed after ~19000 tries.

I started calculating how long things will take. Currently my PC does ~10 keys/sec from eboot.elf, and there's ~700000KBytes in the file. I'm shifting one byte at a time, so that's roughly 20 hours we're looking at to try all the possible options. (It can do ~600 keys/minute. For a 700KB file, shifting one byte at a time, that's 700,000/600 = roughly 20 hours.)

There must be better ways. Perhaps once we get a few decrypted samples.

I'm testing with a SPRX and ELF (Portal 2) now, since the eboot.elf is only ~700KB. You can do the math for the 33MB elf/self combination for Rage if you want.
Old 08-07-2012   #188
DEFAULTDNB
Originally Posted by Asure View Post (#187 above)
TL;DR

What are you saying: the keys used on Portal 2 are different, or the method of patching those pesky self/sprx's is different?
Old 08-07-2012   #189
Asure
Originally Posted by DEFAULTDNB View Post (#188 above)
If it all adds up, each EBOOT.BIN (that uses external sprx/self files) holds a unique klicensee key inside.
This klicensee key is used to decrypt the sprx/self's that this eboot loads dynamically.

Which means we need a lot of time: 20 hours for a 700KB eboot.
That means 3300/700 = 4.7 * 20 = 94 hours to brute-force the self for Rage.

Once the key is correct, the header of the self/sprx will be decodable, and scetool will decrypt it into the current folder. Look at the pastie code.
And once the batch detects it decrypted (file exists) it will stop. Just takes ages.
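The search Asure describes in #181 and #189 (slide a 16-byte window over the decrypted EBOOT, hand each window to scetool as the klicensee, stop when an output file appears), the 16-byte-stride variant longhornx suggests in #182, and the run-time arithmetic from #187, written out as an added example in Python. This is not Asure's batch file or the pastie, and it is not scetool's own code. Two things here are my additions, not from the thread: duplicate windows are tried only once, and windows with very low byte entropy (zero padding, 0xFF runs, ASCII strings) are skipped by default, which cuts the candidate count on a real binary substantially but could skip a genuine key that happens to repeat bytes (pass min_entropy=0.0 to get the exhaustive scan). The scetool command line is an assumption (flags as in naehrwert's scetool; check `scetool --help` on your build); the only success signal used is the one the batch file uses, a non-empty output file. The sample image in the test is constructed.

```python
"""Sliding-window klicensee candidate search over a decrypted EBOOT image.

Added example; not the batch script from the thread and not part of scetool.
"""
import math
import os
import subprocess
from typing import Callable, Iterator, Optional, Tuple

KEY_LEN = 16  # a klicensee is a 16-byte AES-128 key


def window_candidates(data: bytes, stride: int = 1) -> Iterator[Tuple[int, bytes]]:
    """Yield (offset, 16-byte window) over data, advancing by `stride` bytes.

    stride=1 is the byte-by-byte scan from the thread; stride=16 is the
    aligned variant, which only finds a key stored on a 16-byte boundary.
    """
    if stride < 1:
        raise ValueError("stride must be >= 1")
    for off in range(0, len(data) - KEY_LEN + 1, stride):
        yield off, data[off:off + KEY_LEN]


def byte_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte; 16 distinct bytes score the maximum 4.0."""
    counts: dict = {}
    for b in chunk:
        counts[b] = counts.get(b, 0) + 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def search_key(data: bytes,
               try_key: Callable[[bytes], bool],
               stride: int = 1,
               min_entropy: float = 3.0) -> Optional[Tuple[int, bytes, int]]:
    """Feed each unseen window to try_key; return (offset, key, attempts) on a hit.

    Pruning (my addition, not in the thread): exact duplicate windows are tried
    once, and windows below `min_entropy` bits/byte are skipped. Heuristic: a
    real key with many repeated bytes could be skipped; use min_entropy=0.0
    for the exhaustive scan. Returns None if no window is accepted.
    """
    seen = set()
    attempts = 0
    for off, cand in window_candidates(data, stride):
        if cand in seen:
            continue
        seen.add(cand)
        if min_entropy > 0.0 and byte_entropy(cand) < min_entropy:
            continue
        attempts += 1
        if try_key(cand):
            return off, cand, attempts
    return None


def estimate_hours(size_bytes: int, keys_per_sec: float, stride: int = 1) -> float:
    """Worst-case wall-clock hours for a full scan at the given throughput."""
    return (size_bytes // stride) / keys_per_sec / 3600.0


def scetool_try_key(cand: bytes, encrypted_self: str, out_path: str,
                    scetool: str = "scetool") -> bool:
    """One decryption attempt; success means a non-empty output file exists.

    ASSUMPTION: the flags (--np-klicensee <hex> --decrypt <in> <out>) match
    naehrwert's scetool; verify against `scetool --help` on your build.
    """
    if os.path.exists(out_path):
        os.remove(out_path)  # never let a stale output file count as a hit
    subprocess.run([scetool, "--np-klicensee", cand.hex(),
                    "--decrypt", encrypted_self, out_path],
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return os.path.isfile(out_path) and os.path.getsize(out_path) > 0


if __name__ == "__main__":
    import sys
    # usage: python klicensee_scan.py EBOOT.ELF patch.self patch.elf
    eboot_elf, enc_self, out = sys.argv[1:4]
    with open(eboot_elf, "rb") as fh:
        image = fh.read()
    print(f"worst case ~{estimate_hours(len(image), 10):.1f} h at 10 keys/s")
    hit = search_key(image, lambda k: scetool_try_key(k, enc_self, out))
    print("no key found" if hit is None else
          f"key {hit[1].hex()} at offset 0x{hit[0]:x} after {hit[2]} attempts")
```

The dedupe set holds one 16-byte entry per distinct window, so on a 700KB image it costs a few megabytes and on the 33MB Rage ELF a few hundred megabytes at stride 1; if that is too much, run at stride 16 first, since a key embedded as a constant is often aligned, and fall back to stride 1. Each scetool process spawn dominates the per-candidate cost, which is why the pruning matters more than the Python loop itself.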
Old 08-07-2012   #190
deeptrap
Originally Posted by Asure View Post (#187 above)

I'm also trying your pastie bat to see what will happen.

I get the following error:

'od' is not recognised. I think this is a typo and must be 'do', but it will still not work.
Maybe something wrong with the quotes?
PS3Hax.net is Copyright © 2010-2013.