As of r1964, a new functionality has been added to JPCSP: the ability to load encrypted EBOOTs.
This comes as a result of the recent findings about KIRK and the PSP's crypto functionalities.
As you can see, a CryptoEngine has been added to JPCSP, and its final goal is to act as a KIRK emulator.
Currently, the CryptoEngine is capable of emulating KIRK's commands 1, 4, 7, 10 and 11 (10 still has a few issues to sort out) and it also has a partial implementation of PRXDecrypter's main routine.
Thanks to this, it should now be possible to load ISO/CSO images that previously contained encrypted EBOOT.BIN files.
There are already more additions being worked on, and the task list already includes:
- PRX decryption version 1 (for firmware 1.00 to 2.80 EBOOTs);
- Savedata decryption;
- PGD decryption.
Please feel free to post any suggestions or test reports as a reply to this post.
Code:
Running Jpcsp 32bit...
java.lang.ArrayIndexOutOfBoundsException: -2069361408
at jpcsp.crypto.CryptoEngine.DecryptPRX2(CryptoEngine.java:819)
at jpcsp.format.PSP.decrypt(PSP.java:149)
at jpcsp.Loader.LoadPSP(Loader.java:273)
at jpcsp.Loader.LoadModule(Loader.java:135)
at jpcsp.Emulator.load(Emulator.java:140)
at jpcsp.Emulator.load(Emulator.java:133)
at jpcsp.MainGUI.loadUMD(MainGUI.java:1055)
at jpcsp.MainGUI.loadUMDGame(MainGUI.java:1153)
at jpcsp.MainGUI.loadUMD(MainGUI.java:1086)
at jpcsp.GUI.UmdBrowser.loadSelectedfile(UmdBrowser.java:569)
at jpcsp.GUI.UmdBrowser.access$1000(UmdBrowser.java:74)
at jpcsp.GUI.UmdBrowser$4.actionPerformed(UmdBrowser.java:339)
at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(Unknown Source)
at java.awt.Component.processMouseEvent(Unknown Source)
at javax.swing.JComponent.processMouseEvent(Unknown Source)
at java.awt.Component.processEvent(Unknown Source)
at java.awt.Container.processEvent(Unknown Source)
at java.awt.Component.dispatchEventImpl(Unknown Source)
at java.awt.Container.dispatchEventImpl(Unknown Source)
at java.awt.Component.dispatchEvent(Unknown Source)
at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
at java.awt.Container.dispatchEventImpl(Unknown Source)
at java.awt.Window.dispatchEventImpl(Unknown Source)
at java.awt.Component.dispatchEvent(Unknown Source)
at java.awt.EventQueue.dispatchEvent(Unknown Source)
at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
at java.awt.Dialog$1.run(Unknown Source)
at java.awt.Dialog$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.awt.Dialog.show(Unknown Source)
at java.awt.Component.show(Unknown Source)
at java.awt.Component.setVisible(Unknown Source)
at java.awt.Window.setVisible(Unknown Source)
at java.awt.Dialog.setVisible(Unknown Source)
at jpcsp.MainGUI.openUmdActionPerformed(MainGUI.java:1032)
at jpcsp.MainGUI.access$600(MainGUI.java:100)
at jpcsp.MainGUI$6.actionPerformed(MainGUI.java:321)
at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
at javax.swing.AbstractButton.doClick(Unknown Source)
at javax.swing.plaf.basic.BasicMenuItemUI.doClick(Unknown Source)
at javax.swing.plaf.basic.BasicMenuItemUI$Handler.mouseReleased(Unknown Source)
at java.awt.Component.processMouseEvent(Unknown Source)
at javax.swing.JComponent.processMouseEvent(Unknown Source)
at java.awt.Component.processEvent(Unknown Source)
at java.awt.Container.processEvent(Unknown Source)
at java.awt.Component.dispatchEventImpl(Unknown Source)
at java.awt.Container.dispatchEventImpl(Unknown Source)
at java.awt.Component.dispatchEvent(Unknown Source)
at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
at java.awt.Container.dispatchEventImpl(Unknown Source)
at java.awt.Component.dispatchEvent(Unknown Source)
at java.awt.EventQueue.dispatchEvent(Unknown Source)
at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.run(Unknown Source)
I guess the PRX decrypter breaks here, since the game runs on 6.00 firmware.
Great job
Report SPACE Invaders Evolution firmware 2.71
Crash ArrayIndexOutOfBoundsException "Loading screen".
Code:
java.lang.ArrayIndexOutOfBoundsException: -467140608
at jpcsp.crypto.CryptoEngine.DecryptPRX2(CryptoEngine.java:819)
at jpcsp.format.PSP.decrypt(PSP.java:149)
at jpcsp.Loader.LoadPSP(Loader.java:273)
at jpcsp.Loader.LoadModule(Loader.java:135)
at jpcsp.HLE.modules150.ModuleMgrForUser.hleKernelLoadModule(ModuleMgrForUser.java:280)
at jpcsp.HLE.modules150.ModuleMgrForUser.sceKernelLoadModule(ModuleMgrForUser.java:360)
at jpcsp.HLE.modules150.ModuleMgrForUser$2.execute(ModuleMgrForUser.java:743)
at jpcsp.HLE.modules.HLEModuleManager.handleSyscall(HLEModuleManager.java:333)
at jpcsp.HLE.SyscallHandler.syscall(SyscallHandler.java:93)
at jpcsp.Allegrex.compiler.RuntimeContext.syscall(RuntimeContext.java:668)
at _S1_2_8887FB8.s(_S1_2_8887FB8.java:4)
at _S1_2_8805C80.s(_S1_2_8805C80.java:72)
at _S1_2_8805DA4.s(_S1_2_8805DA4.java:24)
at _S1_2_881BA74.s(_S1_2_881BA74.java:56)
at _S1_2_881BAC0.s(_S1_2_881BAC0.java:100)
at _S1_2_881BD38.s(_S1_2_881BD38.java:16)
at _S1_2_885E004.s885e0f8(_S1_2_885E004.java:372)
at _S1_2_885E004.s(_S1_2_885E004.java:244)
at _S1_2_8806708.s88068f4(_S1_2_8806708.java:544)
at _S1_2_8806708.s(_S1_2_8806708.java:492)
at _S1_2_88044B8.s(_S1_2_88044B8.java:36)
at _S1_2_88041E4.s(_S1_2_88041E4.java:236)
at _S1_2_88041E4.exec(_S1_2_88041E4.java)
at jpcsp.Allegrex.compiler.RuntimeContext.runThread(RuntimeContext.java:699)
at jpcsp.Allegrex.compiler.RuntimeThread.run(RuntimeThread.java:51)
Gripshift: black screen and same error on CryptoEngine, firmware 1.52
Code:
java.lang.ArrayIndexOutOfBoundsException: -467140608
at jpcsp.crypto.CryptoEngine.DecryptPRX2(CryptoEngine.java:819)
at jpcsp.format.PSP.decrypt(PSP.java:149)
at jpcsp.Loader.LoadPSP(Loader.java:273)
at jpcsp.Loader.LoadModule(Loader.java:135)
at jpcsp.HLE.modules150.ModuleMgrForUser.hleKernelLoadModule(ModuleMgrForUser.java:280)
at jpcsp.HLE.modules150.ModuleMgrForUser.sceKernelLoadModule(ModuleMgrForUser.java:360)
at jpcsp.HLE.modules150.ModuleMgrForUser$2.execute(ModuleMgrForUser.java:743)
at jpcsp.HLE.modules.HLEModuleManager.handleSyscall(HLEModuleManager.java:333)
at jpcsp.HLE.SyscallHandler.syscall(SyscallHandler.java:93)
at jpcsp.Allegrex.compiler.RuntimeContext.syscall(RuntimeContext.java:668)
at _S1_2_8A697D4.s(_S1_2_8A697D4.java:4)
at _S1_2_8A10F48.s(_S1_2_8A10F48.java:304)
at _S1_2_8926E8C.s8926e8c(_S1_2_8926E8C.java:88)
at _S1_2_8926E8C.s(_S1_2_8926E8C.java:0)
at _S1_2_8926E8C.exec(_S1_2_8926E8C.java)
at jpcsp.Allegrex.compiler.RuntimeContext.jumpCall(RuntimeContext.java:114)
at jpcsp.Allegrex.compiler.RuntimeContext.call(RuntimeContext.java:193)
at _S1_2_8A19C9C.s(_S1_2_8A19C9C.java:68)
at _S1_2_898B0D0.s(_S1_2_898B0D0.java:200)
at _S1_2_898C1B0.s898c380(_S1_2_898C1B0.java:504)
at _S1_2_898C1B0.s(_S1_2_898C1B0.java:464)
at _S1_2_898C1B0.exec(_S1_2_898C1B0.java)
at jpcsp.Allegrex.compiler.RuntimeContext.runThread(RuntimeContext.java:699)
at jpcsp.Allegrex.compiler.RuntimeThread.run(RuntimeThread.java:51)
Need For Speed™ Underground Rivals firmware 1.00 black screen crash.
Code:
Running Jpcsp 32bit...
java.lang.ArrayIndexOutOfBoundsException: -98041856
at jpcsp.crypto.CryptoEngine.DecryptPRX2(CryptoEngine.java:819)
at jpcsp.format.PSP.decrypt(PSP.java:149)
at jpcsp.Loader.LoadPSP(Loader.java:273)
at jpcsp.Loader.LoadModule(Loader.java:135)
at jpcsp.HLE.modules150.ModuleMgrForUser.hleKernelLoadModule(ModuleMgrForUser.java:280)
at jpcsp.HLE.modules150.ModuleMgrForUser.sceKernelLoadModule(ModuleMgrForUser.java:360)
at jpcsp.HLE.modules150.ModuleMgrForUser$2.execute(ModuleMgrForUser.java:743)
at jpcsp.HLE.modules.HLEModuleManager.handleSyscall(HLEModuleManager.java:333)
at jpcsp.HLE.SyscallHandler.syscall(SyscallHandler.java:93)
at jpcsp.Allegrex.compiler.RuntimeContext.syscall(RuntimeContext.java:668)
at _S1_2_8ABECC4.s(_S1_2_8ABECC4.java:4)
at _S1_2_89875EC.s(_S1_2_89875EC.java:24)
at _S1_2_8987680.s(_S1_2_8987680.java:152)
at _S1_2_8987850.s(_S1_2_8987850.java:112)
at _S1_2_8804118.s(_S1_2_8804118.java:44)
at _S1_2_8804AC4.s8804ac4(_S1_2_8804AC4.java:28)
at _S1_2_8804AC4.s(_S1_2_8804AC4.java:0)
at _S1_2_8804AC4.exec(_S1_2_8804AC4.java)
at jpcsp.Allegrex.compiler.RuntimeContext.runThread(RuntimeContext.java:699)
at jpcsp.Allegrex.compiler.RuntimeThread.run(RuntimeThread.java:51)
The retsize calculation needs some work since it causes the ArrayIndexOutOfBoundsException errors. Other than that, the decryption routine does indeed work for games whose tag keys are available in the CryptoEngine. I can run the encrypted AngryBirds (firmware 6.20) after adding a workaround to avoid the ArrayIndexOutOfBoundsException. Kudos to Hykem for the great work!
Thanks for all the reports!
The retsize bug should now be fixed in r1965 (it was missing an Integer.reverseBytes).
I've also added an experimental implementation of PRX version 1 decryption routine for games ranging from firmware 1.00 to 2.80. This still needs some more testing, so any errors under this version are quite expected.
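Added example (not part of the thread and not JPCSP's code): how a missing Integer.reverseBytes on a little-endian size field yields the negative array indices seen in the stack traces above, and a bounds check that rejects such a value before it is used. The header layout, SIZE_OFFSET and the helper names are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;

public class RetsizeDemo {
    // Hypothetical offset of the size field in a constructed header (not JPCSP's layout).
    static final int SIZE_OFFSET = 4;

    // Buggy read: ByteBuffer defaults to big-endian, so a little-endian field comes back byte-swapped.
    static int readSizeBuggy(byte[] header) {
        return ByteBuffer.wrap(header).getInt(SIZE_OFFSET);
    }

    // Fixed read: swap the bytes back with Integer.reverseBytes.
    static int readSizeFixed(byte[] header) {
        return Integer.reverseBytes(readSizeBuggy(header));
    }

    // A size taken from an untrusted file must fit the buffer before it is used as a length or index.
    static int checkedSize(int size, int available) {
        if (size < 0 || size > available) {
            throw new IllegalArgumentException("size field out of range: " + size);
        }
        return size;
    }

    // Builds a constructed 8-byte header holding `size` as a little-endian field.
    static byte[] headerWithSize(int size) {
        return ByteBuffer.allocate(8).order(ByteOrder.LITTLE_ENDIAN)
                .putInt(0).putInt(size).array();
    }

    public static void main(String[] args) {
        int available = 16 * 1024 * 1024; // constructed buffer capacity
        // The three negative indices reported in the stack traces on this page.
        int[] reported = { -2069361408, -467140608, -98041856 };
        for (int bad : reported) {
            // Constructed header whose size field reproduces the reported index when misread.
            byte[] header = headerWithSize(Integer.reverseBytes(bad));
            int buggy = readSizeBuggy(header);
            int fixed = readSizeFixed(header);
            System.out.printf("buggy=%d fixed=%d%n", buggy, fixed);
            try {
                checkedSize(buggy, available);
            } catch (IllegalArgumentException e) {
                System.out.println("  rejected: " + e.getMessage());
            }
            checkedSize(fixed, available); // the byte-swapped value passes the range check
        }
    }
}
```

Byte-swapping the three reported indices gives 895108, 10468 and 10490, which are small positive values of the kind a module size field would hold.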
In Peggle using r1965, the PRX2 decryption seems to be successful, but the value of OFS_BASE in class jpcsp.Loader inside method relocateFromBuffer() line 629 eventually messes up with a value of 255 which causes IndexOutOfBoundsException in line 635.
By adding a line before 635 to work around it as follows:
if (OFS_BASE == 255) break;
so that the for loop exits early when OFS_BASE goes to la-la land, the game runs fine and I can complete the first level. However, when it tries to save my game progress, the game gets stuck. The autosave in this game causes failed malloc errors. I've attached the log.html file which shows this error.
Here's a game which uses PRX1 decryption: Ultimate Ghosts'n Goblins. I'm using r1965 and the game doesn't load because of IllegalArgumentException in jpcsp.format.Elf32 line 69. I'm guessing the DecryptPRX1() method did not properly decrypt it so the program header values (E_phnum, E_phoff, E_phentsize) are messed up. I've attached the log.html file for this game although it doesn't show the problem there.
As of r1971, a lot of things have been fixed. Could everyone please try testing your encrypted games again? Thanks!
Especially games like Dissidia or Kingdom Hearts, which seem to be very prone to security trickery.