-
Steam recently changed the default privacy settings for all users. This may impact tracking. Ensure your profile has the correct settings by following the guide on our forums.
- Thread starter Ben-to-b-free
- Start date
explosions
Member
Ahhh. That makes sense. Good work. :tup:
A question, however, NoEffex found 0x43EFFF70 somewhere in there, and you did not. Can either of you explain why that happened?
SilverSpring
New Member
+0x43EFFF70 is -0xBC100090 in 32bit 2's complement
explosions
Member
Are you a machine?... or a god?.... a combination, perhaps?
Yeah, that's what I figured. The compiler used that (I had disassembled the compiled thing to make sure). I knew it wasn't correct, but I figure it would cause someone who really knew what they were talking about do it. I was close though, I think I was missing the lw at the return.
E.
explosions
Member
I do not understand this one letter reply.
SilverSpring
New Member
There's nothing in their code that'll tell us how to sign like they did, even if 100% reversed. That'd be equivalent of assuming we could figure out how to sign like Sony by 100% reversing Sony prxs.
explosions
Member
You have to decrypt the DATA.PSP in the eboot, so I'm guessing the most we can hope for from reversing it is the ability to write our own code into memory. (This is what I understand from this thread, at least.)
LocutusEstBorg
Active Member
Why do they use the UPDATE folder? Is the signature different there? What exactly must they have found out to encrypt/hash the modules? (See my above post). And why do people keep saying 'sign'? This is nothing like a signature. A signature is basically a hash encrypted with a private key, while the data need not even be encrypted. A signature is UNCRACKABLE short of brute force/leak or exploit in the client side verification process. Under no circumstances can you ever 'sign' your own anything. The PSP was inherently insecure since they just hid the keys (the same keys used by them for encrypting/hashing). It was just security through obscurity, a lot of obscurity.
---------- Post added at 09:54 AM ---------- Previous post was at 09:41 AM ----------
Sorry for double post, on my phone.
Does the PS3 use a public/private key system or is it also just hidden symmetric keys? If it's the latter then Datel could potentially hack the PS3 as well.
---------- Post added at 09:54 AM ---------- Previous post was at 09:41 AM ----------
Sorry for double post, on my phone.
Does the PS3 use a public/private key system or is it also just hidden symmetric keys? If it's the latter then Datel could potentially hack the PS3 as well.
Traditionally on tests, E is the letter for "All of the above", so I picked "All of the above".
Nope, because they signed it much the same way sony did, using external tools. The most we could do is use our own codes.
Correctomundo.
Loads it in update mode. Different PARAM.SFO and various imports, and the module type is..something else that I forgot.
explosions
Member
Datel signed their own program.
Hellcat
Contributor
Yes, either that (getting own code via "cheatcodes" into mem) or finding an exploit in AR that lets us run own code.
AR might have more voulnrabilities than current FWs, I'd say....
explosions
Member
Yeah, it looks like it was rushed.
How do you see that?
Also, I tried the obvious things on the Demo, and their stuff seems pretty solid to me. Basically, all the useful information is inside the EBOOT and therefore cannot be influenced easily from the outside. But I only have the Demo version...
Even with a completely changed settings file, the Demo seems to load fine...so...
But of course, they didn't go through sony's verification process. Plus, they won't force you to update if someone finds a leak in that software, which makes it much more interesting than any other vulnerability.
explosions
Member
Just by the installer app/user manual/broken links. The eboot may have been in the works for a while. It seems strange that the code lists are stored inside of it.
here's a little AR license key generator i worked on, it may become handy later on.
Code:
int main(void)
{
char tmpbuf[256];
char lickey[24];
while(1)
{
printf("\nEnter a 18 character string\n");
scanf("%s",tmpbuf);
if(strlen(tmpbuf) >= 18)
{
strncpy(lickey, tmpbuf, 18);
prep_chars(lickey);
gen_key(lickey);
printf("\nLicense Key: %s", lickey);
}
}
return 0;
}
void gen_key(char lickey[])
{
short sum = 0, tmp, x;
for(x = 0; x < 18; x++)
{
tmp = (short)(lickey[x] + sum);
if((tmp & 1) != 0){sum = (short)((tmp / 2) | 0x1000);}
else{sum = (short)(tmp / 2);}
}
sprintf(&lickey[18], "%04X", (sum ^ 0x17D2));
}
void prep_chars(char srcbuf[])
{
int x;
for(x = 0; srcbuf[x]; x++)srcbuf[x] = toupper(srcbuf[x]);
replace_char(srcbuf, 'O', '0');
replace_char(srcbuf, 'I', '1');
replace_char(srcbuf, 'Z', '2');
replace_char(srcbuf, 'S', '5');
replace_char(srcbuf, 'G', '6');
replace_char(srcbuf, 'T', '7');
}
void replace_char(char srcbuf[], char fndchar, char repchar)
{
int x;
for(x = 0; x<18;x++)
{
if(srcbuf[x] == fndchar)
{
srcbuf[x] = repchar;
}else if(srcbuf[x] == 0)break;
}
}
Bubbletune
Member
You can't just load any kernel module you like from game mode, unlike VSH mode, where they can load them using vshKernelLoadModuleBuffer, which is what they do with updater mode. It being an updater has nothing to do with a difference in encryption, even the kernel PRX's inside are encrypted.
biscottealacreve
New Member
sorry about val0 , ive readed #133 and not the last version.
> suposition about the "twins" functions :
maybe datel have prepared the hack of they key/serial so the main.prx load Uhura.prx , it make his job (return the value) , and main.prx reload uhura and use the seconde function to verify the returned value. so if you patch only the first function , the main.prx will be aware about it (so it start a WLAN connection to the FBI.gov , send us your PSP's UID , pic of your gf etc...)
> suposition about the "twins" functions :
maybe datel have prepared the hack of they key/serial so the main.prx load Uhura.prx , it make his job (return the value) , and main.prx reload uhura and use the seconde function to verify the returned value. so if you patch only the first function , the main.prx will be aware about it (so it start a WLAN connection to the FBI.gov , send us your PSP's UID , pic of your gf etc...)
Lachrymose
smokeMeth();
I can picture Datel leaving an exploit in there to increase sales and keep Sony off their back, because if they released their own custom firmware, Sony would probably get after them for it.