#1
Apprentice
Join Date: Sep 2012
Posts: 6
Likes: 0
Liked 6 Times in 1 Post
Mentioned: 2 Post(s)
Tagged: 0 Thread(s)
This is a real TB2 LV2 dump.
ALL TB2LV2 DUMPs posted before were FAKE!!
TB2.51 LV2, dumped in Mar 2012. Folks, feel free to study it. Some IDA listing:
Code:
pl2:8000000000528EFC getKeyV5_:                          # DATA XREF: pl2:off_8000000000539F78o
pl2:8000000000528EFC
pl2:8000000000528EFC .set var_358, -0x358
pl2:8000000000528EFC .set var_310, -0x310
pl2:8000000000528EFC .set var_308, -0x308
pl2:8000000000528EFC .set var_300, -0x300
pl2:8000000000528EFC .set var_2F0, -0x2F0
pl2:8000000000528EFC .set var_2E0, -0x2E0
pl2:8000000000528EFC .set var_2D0, -0x2D0
pl2:8000000000528EFC .set var_2BC, -0x2BC
pl2:8000000000528EFC .set var_264, -0x264
pl2:8000000000528EFC .set var_200, -0x200
pl2:8000000000528EFC .set var_1FC, -0x1FC
pl2:8000000000528EFC .set var_1F8, -0x1F8
pl2:8000000000528EFC .set var_1E8, -0x1E8
pl2:8000000000528EFC .set var_140, -0x140
pl2:8000000000528EFC
pl2:8000000000528EFC mflr    r0
pl2:8000000000528F00 bl      save_r24_r31r0
pl2:8000000000528F04 ld      r30, off_8000000000538F08       # byte_8000000000537C88
pl2:8000000000528F08 .using byte_8000000000537C88, r30
pl2:8000000000528F08 stdu    r1, -0x380(r1)                  # ver == 5 getkey
pl2:8000000000528F0C mr      r31, r3                         # r31 ptr = copy from sce+0x980 len =0x100
pl2:8000000000528F10 addi    r29, r1, 0x240
pl2:8000000000528F14 mr      r3, r30
pl2:8000000000528F18 mr      r27, r4                         # r4 = 0x100
pl2:8000000000528F1C mr      r28, r5                         # r5 qword_8000000000538670
pl2:8000000000528F20 mr      r4, r30
pl2:8000000000528F24 li      r5, 0x10
pl2:8000000000528F28 bl      encKey                          # in byte_8000000000537C88: .byte 0x8A, 0x97, 0xB7, 0x2C, 0xC1, 0x10, 0x62, 0x22, 0x7B, 0x33, 0x39, 0xCB, 0x61, 0x2E, 0x80, 0xE9
pl2:8000000000528F28                                         # out 00000470h: 4C 79 E1 8F 34 A9 D6 7D 74 33 9C D7 5D 09 20 B7 ;
pl2:8000000000528F2C nop
pl2:8000000000528F30 mr      r5, r29                         # r1+0x240
pl2:8000000000528F34 mr      r3, r30                         # 4c 79 ..
pl2:8000000000528F38 li      r4, 0x80
pl2:8000000000528F3C bl      sub_800000000052F278
pl2:8000000000528F40 nop
pl2:8000000000528F44 mr      r3, r30
pl2:8000000000528F48 mr      r4, r30                         # restore key
pl2:8000000000528F4C li      r5, 0x10
pl2:8000000000528F50 addi    r30, r31, 0x10                  # in r3+0x10
pl2:8000000000528F54 bl      encKey                          # 000007b0h: 4C 79 E1 8F 34 A9 D6 7D 74 33 9C D7 5D 09 20 B7
pl2:8000000000528F54                                         # 000007f0h: 8A 97 B7 2C C1 10 62 22 7B 33 39 CB 61 2E 80 E9
pl2:8000000000528F58 nop
pl2:8000000000528F5C addi    r5, r27, -0x10                  # r5 = 0x100 -0x10
pl2:8000000000528F60 mr      r6, r29                         # r1+0x240
pl2:8000000000528F64 mr      r3, r30                         # r30=byte_8000000000537C88
pl2:8000000000528F68 mr      r4, r30
pl2:8000000000528F6C extsw   r5, r5                          # r5=0xf0
pl2:8000000000528F70 mr      r7, r31                         # in r3+0x10
Code:
#####################patch tb2 lv2 plugin##########################
.set jb2pBASE, 0x8000000000700000
.set jb2pTOC , 0x7000
.set hookDNum, 0
.align 4
hookT:                                  #patchtbl
    .quad jb2pBASE,hooks-hookT,hook_data-hooks
    .quad 0x8000000000520568,pt520568-hookT,8
    .quad 0x80000000005205e8,pt5205e8-hookT,8
    .quad 0
pt520568:
    bl pt520568+((hook_520568-hooks)+jb2pBASE-0x8000000000520568)
    #.long 0x48000001 | ((hook_520568-hooks)+jb2pBASE-0x8000000000520568)
    lwz r4, 8(r11)
pt5205e8:
    bl pt5205e8+((hook_520568-hooks)+jb2pBASE-0x80000000005205e8)
    #.long 0x48000001 | ((hook_520568-hooks)+jb2pBASE-0x80000000005205e8)
    lwz r4, 8(r11)
#jb2pBASE
.align 4
hooks:
hookDNum_ptr:          .quad hookDNum
hook_data_ptr:         .quad hook_data-hooks+jb2pBASE
hook_encKey_ptr:       .quad 0x8000000000533470
hook_encKey_callin_ptr: .quad 0x800000000052056C
hook_encKey_ptr_n0:    .quad 0x8000000000523f14
hook_encKey_ptr_n1:    .quad 0x8000000000524004
hook_encKey_ptr_n2:    .quad 0x8000000000523fc0   # newcode
hook_encKey_ptr_tl0:   .quad 0x80000000005243e4
hook_encKey_ptr_tl1:   .quad 0x8000000000524428
hook_TEA_dec_ptr:      .quad 0x8000000000533450
hook_encTEA2_dec_ptr:  .quad 0x8000000000533220
encKeySi: .string "encKeyI"
encKeySo: .string "encKeyO"
TEAdecS:  .string "TEAdec "
encTEA2S: .string "encTEA2"
# secret prg run before
hook_520568:
    lis  r8,-0x8000
    sldi r8, r8, 32
    oris r8, r8,(jb2pBASE+jb2pTOC)@h
    ori  r8, r8,(jb2pBASE+jb2pTOC)@l
    ld   r10, (hook_data_ptr-hooks-jb2pTOC)(r8)
    ld   r9, (hookDNum_ptr-hooks-jb2pTOC)(r8)
    add  r10, r10, r9
    lis  r11,0xc                        #r11 0xc00000
    cmpld cr7,r9,r11
    bgt  cr7,hook_520568_exit
    ld   r11, 0x70(r1)
.if 0                                   # dis all call
    std  r11, 0(r10)
    addi r10,r10,8
    addi r9,r9,8
    b    hook_520568_exit
.endif
#####################################################
hook_encKey:
    ld   r4, (hook_encKey_ptr-hooks-jb2pTOC)(r8)
    cmpld cr7,r4,r11
    bne  cr7,hook_TEA_dec
.if 1                                   ################dis normal
    ld   r4,(hook_encKey_ptr_n0-hooks-jb2pTOC)(r8)
    ld   r5,0xa0(r1)
    cmpld cr7,r4,r5                     #dont hook hook_encKey_ptr_n0
    beq  cr7,hook_TEA_dec
.if 1
    ld   r4,(hook_encKey_ptr_n1-hooks-jb2pTOC)(r8)
    ld   r5,0xa0(r1)
    cmpld cr7,r4,r5                     #dont hook hook_encKey_ptr_n0
    beq  cr7,hook_TEA_dec
.endif
.if 1
    ld   r4,(hook_encKey_ptr_n2-hooks-jb2pTOC)(r8)
    ld   r5,0xa0(r1)
    cmpld cr7,r4,r5                     #dont hook hook_encKey_ptr_n0
    beq  cr7,hook_TEA_dec
.endif
.endif
    ...
    b    hook_520568_exit
#######################################################
hook_TEA_dec:
    ld   r4, (hook_TEA_dec_ptr-hooks-jb2pTOC)(r8)
    cmpld cr7,r4,r11
    bne  cr7,hook_encTEA2
    # wname
    ...
    b    hook_520568_exit
############################################################
hook_encTEA2:
    ld   r4, (hook_encTEA2_dec_ptr-hooks-jb2pTOC)(r8)
    cmpld cr7,r4,r11
    bne  cr7,hook_520568_exit
    # wname
    ......
hook_520568_exit:
    std  r9, (hookDNum_ptr-hooks-jb2pTOC)(r8)
    ld   r11, 0x70(r1)
    blr
.align 4
hook_data:
hookTe:
Last edited by redcfw; 09-26-2012 at 10:54 AM.
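The patch table above redirects two LV2 call sites (0x520568 and 0x5205e8) into the plugin loaded at jb2pBASE by overwriting each original instruction with a relative `bl`; the commented-out `.long 0x48000001 | (...)` line is the same instruction built by hand. That raw OR has no range or alignment check and would clobber the opcode bits for a negative displacement. The following C is an added example, not part of the post or of the TB2 plugin, that encodes and decodes a PowerPC I-form `bl` with those checks. The two patch-site addresses and jb2pBASE are the posted values; `HOOK_OFF` (where `hook_520568` sits inside the plugin) is an assumption, since the page does not give it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Addresses taken from the posted patch table: the plugin is loaded at
 * jb2pBASE and the two patch sites are the original instructions in LV2.
 * hook_520568 lives somewhere inside the plugin's "hooks" block; its exact
 * offset is not on the page, so HOOK_OFF is an assumed value.
 */
#define JB2P_BASE      0x8000000000700000ULL
#define PATCH_SITE_0   0x8000000000520568ULL
#define PATCH_SITE_1   0x80000000005205e8ULL
#define HOOK_OFF       0x100ULL   /* assumption: offset of hook_520568 from jb2pBASE */

/*
 * PowerPC I-form branch: primary opcode 18 in bits 0-5, LI in bits 6-29,
 * AA in bit 30, LK in bit 31.  "bl" is opcode 18 with AA=0, LK=1, which is
 * the 0x48000001 base that the posted ".long" comment ORs its displacement into.
 */
#define PPC_BL_BASE  0x48000001u
#define PPC_LI_MASK  0x03FFFFFCu   /* the 24-bit LI field, already shifted left by 2 */

/*
 * Encode "bl target" placed at address site.  Fails when the displacement is
 * not a multiple of 4 or does not fit the signed 26-bit reach of an I-form
 * branch (-32 MiB .. +32 MiB - 4).  Masking with PPC_LI_MASK keeps a negative
 * displacement's sign-extension bits out of the opcode field.
 */
bool ppc_encode_bl(uint64_t site, uint64_t target, uint32_t *insn)
{
    int64_t disp = (int64_t)(target - site);   /* two's-complement wrap gives the signed distance */
    if (disp & 3)
        return false;
    if (disp < -(1LL << 25) || disp > (1LL << 25) - 4)
        return false;
    *insn = PPC_BL_BASE | ((uint32_t)disp & PPC_LI_MASK);
    return true;
}

/* Convenience wrapper: the encoded word, or 0 when the branch is unreachable. */
uint32_t ppc_bl_or_zero(uint64_t site, uint64_t target)
{
    uint32_t insn;
    return ppc_encode_bl(site, target, &insn) ? insn : 0;
}

/* Inverse: sign-extended displacement of an encoded b/bl, for checking a patched word. */
int64_t ppc_branch_disp(uint32_t insn)
{
    uint32_t li = insn & PPC_LI_MASK;
    if (li & 0x02000000u)           /* bit 6 of the instruction is the sign bit of LI */
        li |= 0xFC000000u;
    return (int64_t)(int32_t)li;
}

/* True when the word is a bl (opcode 18, AA=0, LK=1). */
bool ppc_is_bl(uint32_t insn)
{
    return (insn & 0xFC000003u) == PPC_BL_BASE;
}

int main(void)
{
    uint64_t hook = JB2P_BASE + HOOK_OFF;
    uint64_t sites[2] = { PATCH_SITE_0, PATCH_SITE_1 };
    for (int i = 0; i < 2; i++) {
        uint32_t insn;
        if (!ppc_encode_bl(sites[i], hook, &insn)) {
            printf("%016llx: hook out of reach\n", (unsigned long long)sites[i]);
            continue;
        }
        printf("%016llx: .long 0x%08x  (bl %+lld -> %016llx)\n",
               (unsigned long long)sites[i], insn,
               (long long)ppc_branch_disp(insn),
               (unsigned long long)(sites[i] + (uint64_t)ppc_branch_disp(insn)));
    }
    return 0;
}
```

For the posted addresses the forward branches are comfortably inside the 32 MiB reach (jb2pBASE is under 2 MiB above the patch sites), which is why the unchecked OR in the post happens to work there; the encoder still refuses a misaligned or out-of-range target, and the decoder lets you read a displacement back out of a dumped LV2 to confirm where a suspicious `bl` really lands.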
#2
Apprentice
Join Date: Dec 2011
Posts: 25
Likes: 3
Liked 5 Times in 4 Posts
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
I wonder where this thread will end up :<
#3
Member
Join Date: May 2010
Posts: 93
Likes: 50
Liked 65 Times in 39 Posts
Mentioned: 15 Post(s)
Tagged: 0 Thread(s)
http://www.screensnapz.com/v/?i=NDKmtzVRA.png looks like it. I compared it with 3.55.
#4
Apprentice
Join Date: Sep 2012
Posts: 21
Likes: 1
Liked 3 Times in 3 Posts
Mentioned: 1 Post(s)
Tagged: 0 Thread(s)
Take a seat.
#5
Member
Join Date: Oct 2010
Posts: 40
Likes: 1
Liked 9 Times in 4 Posts
Mentioned: 0 Post(s)
Tagged: 0 Thread(s)
Now that all the EBOOTs are cracked and the method is released, we should study this as a community to attempt to finally crack the DRM method TB used, so that if (heaven forbid) another dongle pops up we can crack it via that route rather than waiting to crack the initial base hack (CEX2DEX currently) or, in our case, waiting for it to be thrown in our lap.
#7
Senior Member
Join Date: Sep 2010
Posts: 1,175
Likes: 603
Liked 625 Times in 376 Posts
Mentioned: 138 Post(s)
Tagged: 0 Thread(s)
#8
Senior Member
Join Date: Jan 2011
Location: Texas
Posts: 2,081
Likes: 391
Liked 541 Times in 404 Posts
Mentioned: 153 Post(s)
Tagged: 0 Thread(s)
Of course it does. They would need a DEX system to get EBOOTs. They would also need a Test system.
__________________
Helpful Links: |MinVerCk|PS3DateCheck|SKU_Models|How to downgrade|My Image Host|
More: |PS3DEVWIKI|Kiosk Reverters|Jig|Progskeet|E3Flasher|EliteMossy| Index|
#9
Member
Now if anyone can come up with a lvl2 dump of Cobra, we will have it made in the shade!
__________________
PS3 CECHA01 REX 4.30.2 CFW 500GB Internal + 9TB/3xHDD; PSP-1001 6.60CFW; PS2 SCPH-3001 160GB FMCB / 3x XBOX XBMC 1x320GB; XBOX360 iXtreme 1.4; Wii 4.3E HBC... ALL thanks to community forums like PS3Hax!!
#10
Member
Has anybody downloaded this IDA file already?
The link is down right now. I hope that somebody here could upload it again.