[oakhead69]

Originally Posted by baargle Has virtually nothing to do with CPU power, the batch file is just a very dirty way of getting the correct key, a properly made application would find it in a couple of seconds. The limiting factor is the msdos prompt shell, it's not designed for this and won't be using the power of your cpu, no matter how fast or slow it is. No disrespect to Asure, nobody else has done anything about this except him and in due course someone will code something that is optimized to extract the key, which isn't even hidden. It's in an easily locatable place and that place is possible to be worked out in an application and algorithm used to find it instantly or in seconds.

I have my own program written in C to do the brute force attack, it is quicker than the dos script, but the limiting factor is the calls out to scetool. If we had the source code for the scetool we could do this much more quickly, but it would never be seconds.

Here is the code if you are interested, I am sure it could be optimized more, but I just knocked it up very quickly.

Code:

#include <stdio.h>
#include <ctype.h>
#include <stdlib.h>
#include <conio.h>
#include <time.h>

#include "windows.h"

//#define FALSE (1 == 0)
//#define TRUE (!FALSE)

#define KEY_LENGTH 16

static int hexKey(char *hexString, const unsigned char *key) 
{
    int i;
    int ok = FALSE;

    for (i = 0; i < KEY_LENGTH; i++)
    {
        if (*key != 0)
        {
            ok = TRUE;
        }
        sprintf(hexString, "%02x", *key++);
        hexString +=2;
    }

    return ok;
}

int main(int argc, char* argv[])
{
    char *pElfFilename;
    char *pSelfFilename;
    char elfTestFilename[512];
    unsigned char keystr[(KEY_LENGTH * 2) + 1] ="01020304050607080910111213141516";
    char command[1024];
    FILE *pElfFile;
    char * buffer;
    int found = FALSE;
    size_t startOffset = 0;
    size_t endOffset;
    size_t i = 0;
    size_t fileLength;
    size_t length;
    HANDLE h = GetStdHandle(STD_OUTPUT_HANDLE);
    time_t startTime;
    double diff;
    double rate = 10;
    int display;
    int remaining;
    COORD coord;

    coord.X = 0; 
    coord.Y = 0;

    if (argc >= 3 && argc <= 5)
    {
        pElfFilename = argv[1];
        pSelfFilename = argv[2];

        if (argc >= 4)
        {
            startOffset = atol(argv[3]);
        }

        sprintf(elfTestFilename, "%s.elf", pSelfFilename);
        
        pElfFile = fopen(pElfFilename, "rb");
        if (pElfFile == NULL)
        {
            exit(0);
        }

        fseek(pElfFile, 0L, SEEK_END);
        fileLength = ftell(pElfFile);
        fseek(pElfFile, startOffset, SEEK_SET);

        if (argc == 5)
        {
            endOffset = atol(argv[4]);
            if (endOffset > fileLength - 1)
            {
                printf("End offset to large\n");
                exit(0);
            }
        }
        else
        {
            endOffset = fileLength - 1;
        }

        length = endOffset - startOffset;

        buffer = (char*)malloc(length);
        if (buffer == NULL)
        {
            printf("Can not allocate %d: try smaller chunk\n", length);
            exit(0);
        }

        if (fread(buffer, 1, length, pElfFile) != length)
        {
            printf("Read failed\n");
            fclose(pElfFile);
            exit(0);
        }

        fclose(pElfFile);

        if (length < KEY_LENGTH)
        {
            printf("Search range too small\n");
            exit(0);
        }

        length -= KEY_LENGTH;

        startTime = time(0);
        system("cls");

        for (i = 0; !found && i < length; i++)
        {
            /* 0.5 second updates */
            if (((int)rate) < 2 || (i % (((int)rate) / 2)) == 0)
            {
                display = TRUE;
            }
            else
            {
                display = FALSE;
            }

            if (display)
            {
                SetConsoleCursorPosition(h, coord);

                diff = difftime(time(0), startTime);

                rate = i / diff;
                if (rate == 0)
                {
                    rate = 1;
                }
                remaining = (int)((length - i) / rate);
            }

            if (hexKey(keystr, buffer + i))
            {
                if (display)
                {
                    printf("%03.03f %02d:%02d:%02d %06x: %02d%%: %s    \n", rate, remaining / 3600, (remaining % 3600) / 60, remaining % 60, startOffset + i, (i * 100) / length, keystr);
                    sprintf(command, "scetool -l %s -d %s %s", keystr, pSelfFilename, elfTestFilename);
                }
                else
                {
                    sprintf(command, "scetool -l %s -d %s %s > nul", keystr, pSelfFilename, elfTestFilename);
                }
                if (system(command) != 0)
                {
                    printf("ERROR at offset 0x%x in %s: key:%s   \n", startOffset + i, pElfFilename, keystr);
                    system("pause");
                    system("cls");
                }
                if (fopen(elfTestFilename, "rb") != NULL)
                {
                    printf("Found it at offset 0x%x in %s: key:%s   \n", startOffset + i, pElfFilename, keystr);
                    found = TRUE;
                }
            }
            else
            {
                if (display)
                {
                    printf("%03.03f %02d:%02d:%02d %06x: %02d%%: Skip\n", rate, remaining / 3600, (remaining % 3600) / 60, remaining % 60, startOffset + i, (i * 100) / length);
                }
                i+=7;
            }
        }
        if (!found)
        {
            printf("Not Found it between 0x%x and 0x%x in %s\n", startOffset, endOffset, pElfFilename);
        }
    }
    else
    {
        printf("brute elfFile selfFile optionalStartOffset optionalEndOffset\n");
    }
    free(buffer);
    system("pause");
    return 0;
}

[christos]

how do we encrypt elf with the same klic we decrypted?
i saw that this method was used from EXEtrimALL.

EDIT: nevermind i found it :P --np-klicensee=

[Viral Doom]

Originally Posted by christos how do we encrypt elf with the same klic we decrypted? i saw that this method was used from EXEtrimALL. EDIT: nevermind i found it :P --np-klicensee=

This one I use to Encrypt the .self files? Can you show me a script for it?

[CaptainCPS-X]

Just for reference to those who are experimenting, here is my personal CMD / BAT / Script file to decrypt and fix Call of Duty Modern Warfare 3 (BLES-01428)

Usage: Save this file as "decrypt_360_fix_341_EP0002-BLES01428.cmd" into the root of SceTool directory (im using SceTool v0.2.8 with the latest "data" / keys / etc).

This could be easily modified for other games as well, I have many scripts for personal use already . I just don't have a PS3 to test them right now LOL xD

EDIT: I've attached SceTool v0.2.8 + script.

Note 1: This was not ripped from any other place, this is my own 'test' script.
Note 2: I know this file can be much simpler, but I was lazy when I did it xD.
Note 3: The "SELF_KEY" (klic) was obtained by using @aldostools brute-force application, it is not explained here to keep the post simple.

Code:

@Echo
 OFF
ECHO -----------------------------------------------
ECHO CALL OF DUTY: MODERN WARFARE 3 (BLES01428)
ECHO -----------------------------------------------
ECHO BATCH BY: CaptainCPS-X
ECHO .

PAUSE
ECHO .

:: -------------------------------------------------
:: PREPARE MAIN VARIABLES
:: -------------------------------------------------

SET DIR_NAME="EP0002-BLES01428"

SET CONTENT_ID="EP0002-BLES01428_00-MW3P000000000010"

SET SELF_KEY=496E66696E697479576172644B657900

:: -------------------------------------------------
:: VERIFY REQUIRED FILES
:: -------------------------------------------------

IF NOT EXIST "EBOOT.BIN" (
GOTO ERROR_NO_F
)

IF NOT EXIST "default.self" (
GOTO ERROR_NO_F
)

IF NOT EXIST "default_mp.self" (
GOTO ERROR_NO_F
)

:: -------------------------------------------------
:: PREPARE OUTPUT DIRECTORIES
:: -------------------------------------------------

IF NOT EXIST "EBOOTS" (
MD "EBOOTS"
MD "EBOOTS/%DIR_NAME%"
MD "EBOOTS/%DIR_NAME%/DECRYPTED"
MD "EBOOTS/%DIR_NAME%/FIXED"
)

IF NOT EXIST "EBOOTS/%DIR_NAME%" (
MD "EBOOTS/%DIR_NAME%"
MD "EBOOTS/%DIR_NAME%/DECRYPTED"
MD "EBOOTS/%DIR_NAME%/FIXED"
)

IF NOT EXIST "EBOOTS/%DIR_NAME%/DECRYPTED" (
MD "EBOOTS/%DIR_NAME%/DECRYPTED"
)

IF NOT EXIST "EBOOTS/%DIR_NAME%/FIXED" (
MD "EBOOTS/%DIR_NAME%/FIXED"
)

:: -------------------------------------------------
:: EBOOT.BIN
:: -------------------------------------------------

SET ENC_EBOOT="EBOOT.BIN"
SET DEC_EBOOT="EBOOTS/%DIR_NAME%/DECRYPTED/EBOOT.ELF"
SET FIX_EBOOT="EBOOTS/%DIR_NAME%/FIXED/EBOOT.BIN"

ECHO -----------------------------------------------
ECHO Decrypting [EBOOT.BIN]...
ECHO -----------------------------------------------
ECHO .

scetool.exe --verbose --decrypt %ENC_EBOOT% %DEC_EBOOT%
ECHO .

ECHO -----------------------------------------------
ECHO Fixing [EBOOT.BIN]...
ECHO -----------------------------------------------
ECHO .

scetool.exe --sce-type=SELF --compress-data=FALSE --skip-sections=TRUE --key-revision=0001 --self-auth-id=1010000001000003 --self-vendor-id=01000002 --self-type=NPDRM --self-fw-version=0003004100000000 --np-license-type=FREE --np-content-id=%CONTENT_ID% --np-app-type=EXEC --np-real-fname=EBOOT.BIN --encrypt %DEC_EBOOT% %FIX_EBOOT%
ECHO .

:: -------------------------------------------------
:: default.self 
:: -------------------------------------------------

SET ENC_SELF="default.self"
SET DEC_SELF="EBOOTS/%DIR_NAME%/DECRYPTED/default.elf"
SET FIX_SELF="EBOOTS/%DIR_NAME%/FIXED/default.self"
SET SELF_NAME=default.self

ECHO -----------------------------------------------
ECHO Decrypting [%SELF_NAME%]...
ECHO -----------------------------------------------
ECHO .

scetool.exe --verbose --np-klicensee %SELF_KEY% --decrypt %ENC_SELF% %DEC_SELF%
ECHO .

ECHO -----------------------------------------------
ECHO Fixing [%SELF_NAME%]...
ECHO -----------------------------------------------
ECHO .

scetool.exe --sce-type=SELF --compress-data=FALSE --skip-sections=TRUE --key-revision=0001 --self-auth-id=1010000001000003 --self-vendor-id=01000002 --self-type=NPDRM --self-fw-version=0003004100000000 --np-license-type=FREE --np-content-id=%CONTENT_ID% --np-app-type=EXEC --np-real-fname=%SELF_NAME% --encrypt %DEC_SELF% %FIX_SELF%
ECHO .

:: -------------------------------------------------
:: default_mp.self 
:: -------------------------------------------------

SET ENC_SELF="default_mp.self"
SET DEC_SELF="EBOOTS/%DIR_NAME%/DECRYPTED/default_mp.elf"
SET FIX_SELF="EBOOTS/%DIR_NAME%/FIXED/default_mp.self"
SET SELF_NAME=default_mp.self

ECHO -----------------------------------------------
ECHO Fixing [%SELF_NAME%]...
ECHO -----------------------------------------------
ECHO .

scetool.exe --verbose --np-klicensee %SELF_KEY% --decrypt %ENC_SELF% %DEC_SELF%
ECHO .

ECHO -----------------------------------------------
ECHO Fixing [%SELF_NAME%]...
ECHO -----------------------------------------------
ECHO .

scetool.exe --sce-type=SELF --compress-data=FALSE --skip-sections=TRUE --key-revision=0001 --self-auth-id=1010000001000003 --self-vendor-id=01000002 --self-type=NPDRM --self-fw-version=0003004100000000 --np-license-type=FREE --np-content-id=%CONTENT_ID% --np-app-type=EXEC --np-real-fname=%SELF_NAME% --encrypt %DEC_SELF% %FIX_SELF%
ECHO .

explorer ".\EBOOTS\%DIR_NAME%\FIXED"

PAUSE
EXIT

:ERROR_NO_F
ECHO -----------------------------------------------
ECHO "Cannot find required file(s): [EBOOT.BIN], [default.self], and [default_mp.self]"
ECHO -----------------------------------------------
ECHO .
PAUSE
EXIT

PARAM.SFO must be edited by other means (hex edit for example) to a lower FW like 3.41.

Hope this helps some!

EDIT: Here you have the script log when it is run...

Code:

CALL OF DUTY: MODERN WARFARE 3 (BLES01428)
-----------------------------------------------
BATCH BY: CaptainCPS-X
.
Press any key to continue . . .
.
-----------------------------------------------
Decrypting [EBOOT.BIN]...
-----------------------------------------------
.
scetool 0.2.8 <public build> (C) 2011-2012 by naehrwert
NP local license handling (C) 2012 by flatz

[ * ] Loaded keysets.
[ * ] Loaded loader curves.
[ * ] Loaded vsh curves.
[ * ] Using keyset [appldr 0x0010 03.60]
[ * ] Header decrypted.
[ * ] Data decrypted.
[ * ] ELF written to EBOOTS/EP0002-BLES01428/DECRYPTED/EBOOT.ELF.
.
-----------------------------------------------
Fixing [EBOOT.BIN]...
-----------------------------------------------
.
scetool 0.2.8 <public build> (C) 2011-2012 by naehrwert
NP local license handling (C) 2012 by flatz

[ * ] SELF built.
[ * ] Data encrypted.
[ * ] EBOOTS/EP0002-BLES01428/FIXED/EBOOT.BIN written.
.
-----------------------------------------------
Decrypting [default.self]...
-----------------------------------------------
.
scetool 0.2.8 <public build> (C) 2011-2012 by naehrwert
NP local license handling (C) 2012 by flatz

[ * ] Loaded keysets.
[ * ] Loaded loader curves.
[ * ] Loaded vsh curves.
[ * ] Using keyset [appldr 0x0010 03.60]
[ * ] Header decrypted.
[ * ] Data decrypted.
[ * ] ELF written to EBOOTS/EP0002-BLES01428/DECRYPTED/default.elf.
.
-----------------------------------------------
Fixing [default.self]...
-----------------------------------------------
.
scetool 0.2.8 <public build> (C) 2011-2012 by naehrwert
NP local license handling (C) 2012 by flatz

[ * ] SELF built.
[ * ] Data encrypted.
[ * ] EBOOTS/EP0002-BLES01428/FIXED/default.self written.
.
-----------------------------------------------
Fixing [default_mp.self]...
-----------------------------------------------
.
scetool 0.2.8 <public build> (C) 2011-2012 by naehrwert
NP local license handling (C) 2012 by flatz

[ * ] Loaded keysets.
[ * ] Loaded loader curves.
[ * ] Loaded vsh curves.
[ * ] Using keyset [appldr 0x0010 03.60]
[ * ] Header decrypted.
[ * ] Data decrypted.
[ * ] ELF written to EBOOTS/EP0002-BLES01428/DECRYPTED/default_mp.elf.
.
-----------------------------------------------
Fixing [default_mp.self]...
-----------------------------------------------
.
scetool 0.2.8 <public build> (C) 2011-2012 by naehrwert
NP local license handling (C) 2012 by flatz

[ * ] SELF built.
[ * ] Data encrypted.
[ * ] EBOOTS/EP0002-BLES01428/FIXED/default_mp.self written.

SeeYa!

[Otkon]

Originally Posted by Asure The required version is stored by vsh when you install a package (update). So when you build the pkg with the update, you must edit the sfo to say 3.55 or 3.41. Then, when you install that package, all will be fine. There are many broken eboots (param not fixed) and broken packages out there that do not have the param or sfo fixed. I prefer to make my own fixes & pkgs for private use.

Having the same issue. I edited the sfo to say 3.55 and no longer get the prompt to update to 3.60 but now it kicks out to an 80010017 error and the log gives the reason as a PARAM.SFO: PS3_System_VER < SDK version.

[JonahUK]

@Asure ,

The required version is stored in the "dev_hdd0/mms/db/metadata_db_hdd" file and can be edited post install along with the SFO.

Once both are edited, restart the PS3 and then it should work.

But I do agree that ANYONE making fixes should edit the SFO correctly.

[lolilolz]

hi, here are batch scripts to simplify the cracking (resigning) of applications and npdrm applications, which include the support for cracking the klicense, or using the default klicense (for eboot), unpacking pkg, creating pkg and patching param.sfo :

http://www.ps3-infos.fr/forum/applic...ila-t3343.html

[baargle]

CONFIRMED *WORKING* ON RESISTANCE 3 BLES PATCH 1.05.

Originally Posted by lolilolz hi, here are batch scripts to simplify the cracking (resigning) of applications and npdrm applications, which include the support for cracking the klicense, or using the default klicense (for eboot), unpacking pkg, creating pkg and patching param.sfo : http://www.ps3-infos.fr/forum/applic...ila-t3343.html

You have to sign up and make an introductions post at that site to download, here's a mediafire link for the archive to save others the pain I went through lol.

http://www.mediafire.com/?bct9cc98kx8h75j


Here's what I did...

1. Take your patch pkg, (latest version of patch to be installed)
2. Drag on top of "extract_pkg.bat"
3. A folder with extracted pkg will be created, get the eboot.bin and param.sfo from the extracted pkg folder and put in the Attila... folder
4. drag eboot.bin onto "eboot_self_sprx_decrypter_recrypter.bat"
5. drag param.sfo onto "patch_paramsfo.bat"
6. put fixed eboot.bin and param.sfo back where you copied them from in the created pkg folder from step 3.
7. drag the folder created in step 3. onto "create_pkg.bat"


And here's a google translate of the steps on the site since my steps only work if your game DOESN'T have any sprx files that need sorting out....

Take your game or your bluray pkg. If it's a pkg, drag the file to extract_pkg.bat pkg. You have your file with the game files Drag the file on PARAM.SFO patch_paramsfo.bat Drag the file on EBOOT.BIN eboot_self_sprx_decrypter_recrypter.bat. If it tells you: The File can not be decrypted. Maybe it is unknown with a key, gold klicense You Should add a key (for self / sprx). Key Revision = [3.65] (3.65 or more), it is not worth continuing with these files, they are not decrypting. If you see:[*] SELF built.[*] Data encrypted. continue as a result. If you see files or self sprx, on a slide in eboot_self_sprx_decrypter_recrypter.bat If you see: "The File can not be decrypted. Maybe it is unknown with a key, gold klicense You Should add a key (for self / sprx). Key Revision = [3.60 - 3.61]" You know we possess the keys 3.60-3.61 and therefore it lacks the klicense file. Try to crack the key, the next step (Step only if required to do) Take the file EBOOT.BIN.elf (EBOOT.BIN decrypted) file and your self / srpx that you have not managed to decrypt and copy both the folder or is klicense_cracker . bat. Rename the self / sprx in patch.self. Double click klicense_cracker.bat and wait until the key is found. If error messages (popups) open, close them. If you're lucky, you will see a message like: Done! Key Used was: 496e66696e697479576172644b657900 (Example here with the key of Modern Warfare 3). Take a notepad and open the file eboot_self_sprx_decrypter_recrypter.bat and change the line with "set KLICENSE1 19089cbaf948487f9530832bf477b369 =" to put the key klicense found in place of 19089cbaf948487f9530832bf477b369. For each file self / sprx the game drag on the eboot_self_sprx_decrypter_recrypter.bat. If everything is configured correctly, you should see:[*] SELF built.[*] Data encrypted. If you just patch a game bluray (not PSN content), you can replace files EBOOT.BIN, PARAM.SFO, and self / sprx the game and start the game Otherwise, if the game files from the PSN (PKG file), you can redo a PKG to simplify installation. Drag the folder you extracted in step 2 to create_pkg.bat (attention, you will find yourself on the internet psn_package_npdrm.exe the file to make it work). Pkg file is created and you can install with install package file. Asure I thank for his tool as well as cracking of klicense opoisso893 sys_proc_param for change.

I had to do some extra bits as the SFO fixer wasn't working rename your PARAM.SFO to tempparam.sfo and change the "patch_paramsfo.bat" to the following...

binmay.exe -i "tempparam.sfo" -o "PARAM.SFO" -s "h:00 00 00 30 33 2E 36 30 30 30" -r "h:00 00 00 30 33 2E 33 30 30 30"

then drag the .sfo onto "patch_paramsfo.bat", you should get a PARAM.SFO file appearing, copy that back to the pkg folder and continue the steps I wrote from the point mentioning dragging the param.sfo onto "patch_paramsfo.bat"




...Maybe you won't need to do that, try it out first.
************* [ - Post Merged - ] *************
Does anyone know if it's possible to keep the game rip clean though?

Like Portal 2 for example, the update has some sprx files that need decrypting but not all that are in main game are in update so I assume the ones from the game folder are still used therefore need decrypting too. This will make the rip not clean.

Is there a way to incorporate the sprx from the game and put them in the update along with the updated ones?

Will the game automatically use them if I just package them in with the game update (unlikely I know, not sure how things work in that way).

Cheers.

[Vallachia]

Thankyou baargle, lolilolz, JonahUK, Otkon and CaptainCPS-X. There is a lot of useful info there. (CaptainCPS-X did you miss the step of patching sys_proc_param before you re-encrypt your .selfs?)

I am messing about in my spare time with the 105 patch for SOCOM 4. I've managed to get the eboot, self and sprx fixed now (although i did it by converting the self and sprx to retail, but that is another story).

Unfortunately the update also contains an .sdat file (tpps.sparc.sdat). I've just started doing some research on this file. Seems it is an psarc archive that is signed with a static key. Anyone have info on decrypting/encrypting it?

Without modifying the .sdat or its contents there is still a version check not fixed. I'm pretty sure it is in the .sdat file. To test I replaced the .sdat with one from an earlier 3.50 patch v1.01 and it viola worked! Version check gone.

I'm certain there are other patches out there that have .sdats so any info would be a big help. Thanks

[CaptainCPS-X]

Originally Posted by Vallachia Thankyou baargle, lolilolz, JonahUK, Otkon and CaptainCPS-X. There is a lot of useful info there. (CaptainCPS-X did you miss the step of patching sys_proc_param before you re-encrypt your .selfs?) I am messing about in my spare time with the 105 patch for SOCOM 4. I've managed to get the eboot, self and sprx fixed now (although i did it by converting the self and sprx to retail, but that is another story). Unfortunately the update also contains an .sdat file (tpps.sparc.sdat). I've just started doing some research on this file. Seems it is an psarc archive that is signed with a static key. Anyone have info on decrypting/encrypting it? Without modifying the .sdat or its contents there is still a version check not fixed. I'm pretty sure it is in the .sdat file. To test I replaced the .sdat with one from an earlier 3.50 patch v1.01 and it viola worked! Version check gone. I'm certain there are other patches out there that have .sdats so any info would be a big help. Thanks

Thanks, and well for now I'm just working on 'updates' patches, they should be packed into PKG and then installed as the regular update, so far the 'test' packages I posted in different thread have worked fine as reported by some users . Until I get my hands on my E3 Flasher to downgrade my slim I cant start experimenting with original game backups, so probably somewhere around this week I will be able to mess around with some new patches of my own =P.

SeeYa!