Old 08-07-2012   #211
Asure
Member
Someone more skilled than me could probably do it. As I'm told, IDA could be used to debug the decrypted eboot.bin and see what it hands over as it calls the NPDRM function(s) in the PS3. I don't know PowerPC assembly, or C for that matter, so it's not really for me. Maybe someone else will pick up where I left off.
Old 08-07-2012   #212
xxmcvapourxx
Member
49 6E 66 69 6E 69 74 79 57 61 72 64 4B 65 79 00 there you go!!! Infinity Ward key, it's all the same from 1.06 - 1.17. Just do the rest.
Old 08-07-2012   #213
Asure
Member
Originally Posted by xxmcvapourxx:
49 6E 66 69 6E 69 74 79 57 61 72 64 4B 65 79 00 there you go!!! Infinity Ward key, it's all the same from 1.06 - 1.17. Just do the rest.

That actually spells 'InfinityWardKey' and it is in the binary (around 0xD490).. and it was brute-forceable, but the batch file never found it, because scetool expects it to be at the _start_ of the command line.

Updated bruteforcer to find keys faster. Can probably be expanded to skip more stuff with lots of zeroes and such.

Code:
@Echo off
SET OFFSET=0
:START
rem Read 16 bytes at OFFSET as hex; cut drops od's address column, sed drops the spaces
FOR /F "tokens=*" %%i in ('"od -j%OFFSET% -N16 -w16 -t x1 eboot.elf | cut -c 8- |sed 's/ //g'"') do SET KEY=%%i
if %KEY% == 00000000000000000000000000000000 (
echo Skipped 10 bytes of blank/useless key at %OFFSET%
set /a OFFSET+=10
) else (
ECHO Trying Key: %KEY% from decimal offset: %OFFSET%
rem -l has to come before -d, otherwise scetool ignores the key
scetool.exe -l %KEY% -d default.self selfout.elf >nul
set /a OFFSET+=1
)
rem selfout.elf is only written once a decryption succeeded
IF EXIST selfout.elf GOTO END
goto START
:END
echo Done! Key used was: %KEY%
Those testing and using it, please try to duplicate the result.

(testing w/ Portal 2 / sprx's now..)

BINGO, Portal 2 fell prey to this approach as well. Start around offset 608600.
If you're looking for the key and want it found faster, it seems to help if you search for the strings and start from there.
Ex. Portal 2 has text strings around 0x94992 = offset 608658, key found in a few seconds.
Ex2. Rage has this around 0x197C038 = 26722360.. ah crap, cut doesn't cut it.. (need to update the bat for this, or split into smaller parts.)

Reposting link to tools; you'll need to edit the bat file with the new one though.
Code:
http://www.sendspace.com/file/g9syfd

Last edited by Asure; 08-07-2012 at 03:36 PM. Reason: typo, portal 2, link..
Old 08-07-2012   #214
schraube
Apprentice
3 keys per second using a 6-core CPU and SSD. What am I doing wrong?
Old 08-07-2012   #215
Asure
Member
Originally Posted by schraube:
3 keys per second using a 6-core CPU and SSD. What am I doing wrong?

Get rid of the virus scanner for, say, 3-4 hours.

Once I paused Kaspersky, it went to, say, ~10+ keys/sec.
This is just crude MS-DOS code.. could be faster if someone ported it to C or similar..
Old 08-07-2012   #216
deeptrap
Apprentice
Originally Posted by Asure:
That actually spells 'InfinityWardKey' and it is in the binary (around 0xD490).. and it was brute-forceable, but the batch file never found it, because scetool expects it to be at the _start_ of the command line.

Updated bruteforcer to find keys faster. Can probably be expanded to skip more stuff with lots of zeroes and such.

Code:
@Echo off
SET OFFSET=0
:START
rem Read 16 bytes at OFFSET as hex; cut drops od's address column, sed drops the spaces
FOR /F "tokens=*" %%i in ('"od -j%OFFSET% -N16 -w16 -t x1 eboot.elf | cut -c 8- |sed 's/ //g'"') do SET KEY=%%i
if %KEY% == 00000000000000000000000000000000 (
echo Skipped 10 bytes of blank/useless key at %OFFSET%
set /a OFFSET+=10
) else (
ECHO Trying Key: %KEY% from decimal offset: %OFFSET%
rem -l has to come before -d, otherwise scetool ignores the key
scetool.exe -l %KEY% -d default.self selfout.elf >nul
set /a OFFSET+=1
)
rem selfout.elf is only written once a decryption succeeded
IF EXIST selfout.elf GOTO END
goto START
:END
echo Done! Key used was: %KEY%
Those testing and using it, please try to duplicate the result.

(testing w/ Portal 2 / sprx's now..)

BINGO, Portal 2 fell prey to this approach as well. Start around offset 608600.
If you're looking for the key and want it found faster, it seems to help if you search for the strings and start from there.
Ex. Portal 2 has text strings around 0x94992 = offset 608658, key found in a few seconds.
Ex2. Rage has this around 0x197C038 = 26722360.. ah crap, cut doesn't cut it.. (need to update the bat for this, or split into smaller parts.)

Reposting link to tools; you'll need to edit the bat file with the new one though.
Code:
http://www.sendspace.com/file/g9syfd
I see what we are doing.
The thing that I don't understand is this. If we know the correct key, then this should be the command to extract it.

scetool.exe -d default.self selfout.elf -l 496E66696E697479576172644B657900


scetool 0.2.7 <public build> (C) 2011-2012 by naehrwert
NP local license handling (C) 2012 by flatz
[*] Error: Could not decrypt header.

And now going to sleep.
Old 08-07-2012   #217
Asure
Member
Originally Posted by deeptrap:
scetool.exe -d default.self selfout.elf -l 496E66696E697479576172644B657900

I (we?) wasted a day: the -l comes before, not after.

Code:
scetool.exe -l 496E66696E697479576172644B657900 -d default.self selfout.elf
Old 08-07-2012   #218
deeptrap
Apprentice
Originally Posted by Asure:
I (we?) wasted a day: the -l comes before, not after.

Code:
scetool.exe -l 496E66696E697479576172644B657900 -d default.self selfout.elf
LOL

btw still not sleeping..
Old 08-07-2012   #219
haz367
Senior Member
haha.. strong batch.. my PC can't handle it = crash/blue screen.. haven't seen that one in a while hehe. I'm leaving this alone.. too much brainpain. Although I made a couple, others would fail with the same method, like F11, fix = 6 MB file, fail to get a working file. I'm gonna lurk for a while and have fun with the rest.
Old 08-07-2012   #220
Asure
Member
This one in reverse, and for handling big files, like Rage:

Code:
@Echo off
rem Start 16 bytes before the end of the file and walk backwards
for %%S in (eboot.elf) do SET /a LAST_OFFSET=%%~zS-16
for %%S in (eboot.elf) do SET /a MAX_OFFSET=%%~zS-16
:START
rem od's address column gets wider on large offsets, so cut one more character
set CUT=8
if %LAST_OFFSET% gtr 1000000 (
set /a CUT+=1
)
rem echo Cut val: %CUT%
FOR /F "tokens=*" %%i in ('"od -j%LAST_OFFSET% -N16 -w16 -t x1 eboot.elf | cut -c %CUT%- |sed 's/ //g'"') do SET KEY=%%i
if %KEY% == 00000000000000000000000000000000 (
echo Skipped 10 bytes of blank/useless key at %LAST_OFFSET%
set /a LAST_OFFSET-=10
) else (
ECHO Trying Key: %KEY% from decimal offset: %LAST_OFFSET% / %MAX_OFFSET%
scetool.exe -l %KEY% -d patch.self selfout.elf >nul
set /a LAST_OFFSET-=1
)
IF EXIST selfout.elf GOTO END
goto START
:END
echo Done! Key used was: %KEY%

Last edited by Asure; 08-07-2012 at 05:28 PM.
PS3Hax.net is Copyright © 2010-2013.