EmuNewz Network

Full Version: EBOOT.BIN Decryption
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Pages: 1 2 3 4 5 6
As of r1964, a new functionality has been added to JPCSP: the ability to load encrypted EBOOT's.
This comes up as a result from the recent findings about KIRK and the PSP's crypto functionalities.

As you can see, a CryptoEngine has been added to JPCSP, and it's final goal is to act as a KIRK emulator.
Currently, the CryptoEngine is capable of emulating KIRK's commands 1, 4, 7, 10 and 11 (10 still has a few issues to sort out) and it also has a partial implementation of PRXDecrypter's main routine.
Thanks to this, it should now be possible to load ISO/CSO images that previously contained encrypted EBOOT.BIN files.

There're already more additions being worked on, and the task list already counts with:
- PRX decryption version 1 (for firmware 1.00 to 2.80 EBOOTs);
- Savedata decryption;
- PGD decryption.

Please feel free to post any suggestions or test reports as a reply to this post. Smile
Code:
Running Jpcsp 32bit...
java.lang.ArrayIndexOutOfBoundsException: -2069361408
        at jpcsp.crypto.CryptoEngine.DecryptPRX2(CryptoEngine.java:819)
        at jpcsp.format.PSP.decrypt(PSP.java:149)
        at jpcsp.Loader.LoadPSP(Loader.java:273)
        at jpcsp.Loader.LoadModule(Loader.java:135)
        at jpcsp.Emulator.load(Emulator.java:140)
        at jpcsp.Emulator.load(Emulator.java:133)
        at jpcsp.MainGUI.loadUMD(MainGUI.java:1055)
        at jpcsp.MainGUI.loadUMDGame(MainGUI.java:1153)
        at jpcsp.MainGUI.loadUMD(MainGUI.java:1086)
        at jpcsp.GUI.UmdBrowser.loadSelectedfile(UmdBrowser.java:569)
        at jpcsp.GUI.UmdBrowser.access$1000(UmdBrowser.java:74)
        at jpcsp.GUI.UmdBrowser$4.actionPerformed(UmdBrowser.java:339)
        at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
        at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
        at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
        at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
        at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(Unknown Source)
        at java.awt.Component.processMouseEvent(Unknown Source)
        at javax.swing.JComponent.processMouseEvent(Unknown Source)
        at java.awt.Component.processEvent(Unknown Source)
        at java.awt.Container.processEvent(Unknown Source)
        at java.awt.Component.dispatchEventImpl(Unknown Source)
        at java.awt.Container.dispatchEventImpl(Unknown Source)
        at java.awt.Component.dispatchEvent(Unknown Source)
        at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
        at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
        at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
        at java.awt.Container.dispatchEventImpl(Unknown Source)
        at java.awt.Window.dispatchEventImpl(Unknown Source)
        at java.awt.Component.dispatchEvent(Unknown Source)
        at java.awt.EventQueue.dispatchEvent(Unknown Source)
        at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
        at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
        at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
        at java.awt.Dialog$1.run(Unknown Source)
        at java.awt.Dialog$3.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.awt.Dialog.show(Unknown Source)
        at java.awt.Component.show(Unknown Source)
        at java.awt.Component.setVisible(Unknown Source)
        at java.awt.Window.setVisible(Unknown Source)
        at java.awt.Dialog.setVisible(Unknown Source)
        at jpcsp.MainGUI.openUmdActionPerformed(MainGUI.java:1032)
        at jpcsp.MainGUI.access$600(MainGUI.java:100)
        at jpcsp.MainGUI$6.actionPerformed(MainGUI.java:321)
        at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
        at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
        at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
        at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
        at javax.swing.AbstractButton.doClick(Unknown Source)
        at javax.swing.plaf.basic.BasicMenuItemUI.doClick(Unknown Source)
        at javax.swing.plaf.basic.BasicMenuItemUI$Handler.mouseReleased(UnknownSource)
        at java.awt.Component.processMouseEvent(Unknown Source)
        at javax.swing.JComponent.processMouseEvent(Unknown Source)
        at java.awt.Component.processEvent(Unknown Source)
        at java.awt.Container.processEvent(Unknown Source)
        at java.awt.Component.dispatchEventImpl(Unknown Source)
        at java.awt.Container.dispatchEventImpl(Unknown Source)
        at java.awt.Component.dispatchEvent(Unknown Source)
        at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
        at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
        at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
        at java.awt.Container.dispatchEventImpl(Unknown Source)
        at java.awt.Component.dispatchEvent(Unknown Source)
        at java.awt.EventQueue.dispatchEvent(Unknown Source)
        at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
        at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
        at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
        at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
        at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
        at java.awt.EventDispatchThread.run(Unknown Source)
i guess the prx decrypter breaks here, since the game runs on 6.00 firmware.
Great job

Report SPACE Invaders Evolution firmware 2.71

Crash arrayIndexOutOfBoundException "Loading screen".

Code:
java.lang.ArrayIndexOutOfBoundsException: -467140608
        at jpcsp.crypto.CryptoEngine.DecryptPRX2(CryptoEngine.java:819)
        at jpcsp.format.PSP.decrypt(PSP.java:149)
        at jpcsp.Loader.LoadPSP(Loader.java:273)
        at jpcsp.Loader.LoadModule(Loader.java:135)
        at jpcsp.HLE.modules150.ModuleMgrForUser.hleKernelLoadModule(ModuleMgrFo
rUser.java:280)
        at jpcsp.HLE.modules150.ModuleMgrForUser.sceKernelLoadModule(ModuleMgrFo
rUser.java:360)
        at jpcsp.HLE.modules150.ModuleMgrForUser$2.execute(ModuleMgrForUser.java
:743)
        at jpcsp.HLE.modules.HLEModuleManager.handleSyscall(HLEModuleManager.jav
a:333)
        at jpcsp.HLE.SyscallHandler.syscall(SyscallHandler.java:93)
        at jpcsp.Allegrex.compiler.RuntimeContext.syscall(RuntimeContext.java:66
8)
        at _S1_2_8887FB8.s(_S1_2_8887FB8.java:4)
        at _S1_2_8805C80.s(_S1_2_8805C80.java:72)
        at _S1_2_8805DA4.s(_S1_2_8805DA4.java:24)
        at _S1_2_881BA74.s(_S1_2_881BA74.java:56)
        at _S1_2_881BAC0.s(_S1_2_881BAC0.java:100)
        at _S1_2_881BD38.s(_S1_2_881BD38.java:16)
        at _S1_2_885E004.s885e0f8(_S1_2_885E004.java:372)
        at _S1_2_885E004.s(_S1_2_885E004.java:244)
        at _S1_2_8806708.s88068f4(_S1_2_8806708.java:544)
        at _S1_2_8806708.s(_S1_2_8806708.java:492)
        at _S1_2_88044B8.s(_S1_2_88044B8.java:36)
        at _S1_2_88041E4.s(_S1_2_88041E4.java:236)
        at _S1_2_88041E4.exec(_S1_2_88041E4.java)
        at jpcsp.Allegrex.compiler.RuntimeContext.runThread(RuntimeContext.java:
699)
        at jpcsp.Allegrex.compiler.RuntimeThread.run(RuntimeThread.java:51)

gripshift black screen and same error on cryptoEngine firmware1.52

Code:
java.lang.ArrayIndexOutOfBoundsException: -467140608
        at jpcsp.crypto.CryptoEngine.DecryptPRX2(CryptoEngine.java:819)
        at jpcsp.format.PSP.decrypt(PSP.java:149)
        at jpcsp.Loader.LoadPSP(Loader.java:273)
        at jpcsp.Loader.LoadModule(Loader.java:135)
        at jpcsp.HLE.modules150.ModuleMgrForUser.hleKernelLoadModule(ModuleMgrFo
rUser.java:280)
        at jpcsp.HLE.modules150.ModuleMgrForUser.sceKernelLoadModule(ModuleMgrFo
rUser.java:360)
        at jpcsp.HLE.modules150.ModuleMgrForUser$2.execute(ModuleMgrForUser.java
:743)
        at jpcsp.HLE.modules.HLEModuleManager.handleSyscall(HLEModuleManager.jav
a:333)
        at jpcsp.HLE.SyscallHandler.syscall(SyscallHandler.java:93)
        at jpcsp.Allegrex.compiler.RuntimeContext.syscall(RuntimeContext.java:66
8)
        at _S1_2_8A697D4.s(_S1_2_8A697D4.java:4)
        at _S1_2_8A10F48.s(_S1_2_8A10F48.java:304)
        at _S1_2_8926E8C.s8926e8c(_S1_2_8926E8C.java:88)
        at _S1_2_8926E8C.s(_S1_2_8926E8C.java:0)
        at _S1_2_8926E8C.exec(_S1_2_8926E8C.java)
        at jpcsp.Allegrex.compiler.RuntimeContext.jumpCall(RuntimeContext.java:1
14)
        at jpcsp.Allegrex.compiler.RuntimeContext.call(RuntimeContext.java:193)
        at _S1_2_8A19C9C.s(_S1_2_8A19C9C.java:68)
        at _S1_2_898B0D0.s(_S1_2_898B0D0.java:200)
        at _S1_2_898C1B0.s898c380(_S1_2_898C1B0.java:504)
        at _S1_2_898C1B0.s(_S1_2_898C1B0.java:464)
        at _S1_2_898C1B0.exec(_S1_2_898C1B0.java)
        at jpcsp.Allegrex.compiler.RuntimeContext.runThread(RuntimeContext.java:
699)
        at jpcsp.Allegrex.compiler.RuntimeThread.run(RuntimeThread.java:51)

Need For Speed™ Underground Rivals firmware 1.00 black screen crash.

Code:
Running Jpcsp 32bit...
java.lang.ArrayIndexOutOfBoundsException: -98041856
        at jpcsp.crypto.CryptoEngine.DecryptPRX2(CryptoEngine.java:819)
        at jpcsp.format.PSP.decrypt(PSP.java:149)
        at jpcsp.Loader.LoadPSP(Loader.java:273)
        at jpcsp.Loader.LoadModule(Loader.java:135)
        at jpcsp.HLE.modules150.ModuleMgrForUser.hleKernelLoadModule(ModuleMgrFo
rUser.java:280)
        at jpcsp.HLE.modules150.ModuleMgrForUser.sceKernelLoadModule(ModuleMgrFo
rUser.java:360)
        at jpcsp.HLE.modules150.ModuleMgrForUser$2.execute(ModuleMgrForUser.java
:743)
        at jpcsp.HLE.modules.HLEModuleManager.handleSyscall(HLEModuleManager.jav
a:333)
        at jpcsp.HLE.SyscallHandler.syscall(SyscallHandler.java:93)
        at jpcsp.Allegrex.compiler.RuntimeContext.syscall(RuntimeContext.java:66
8)
        at _S1_2_8ABECC4.s(_S1_2_8ABECC4.java:4)
        at _S1_2_89875EC.s(_S1_2_89875EC.java:24)
        at _S1_2_8987680.s(_S1_2_8987680.java:152)
        at _S1_2_8987850.s(_S1_2_8987850.java:112)
        at _S1_2_8804118.s(_S1_2_8804118.java:44)
        at _S1_2_8804AC4.s8804ac4(_S1_2_8804AC4.java:28)
        at _S1_2_8804AC4.s(_S1_2_8804AC4.java:0)
        at _S1_2_8804AC4.exec(_S1_2_8804AC4.java)
        at jpcsp.Allegrex.compiler.RuntimeContext.runThread(RuntimeContext.java:
699)
        at jpcsp.Allegrex.compiler.RuntimeThread.run(RuntimeThread.java:51)
The retsize calculation needs some work since it causes the ArrayIndexOutOfBoundsException errors. Other than that, the decryption routine does indeed work for games whose tag keys are available in the CryptoEngine. I can run the encrypted AngryBirds (firmware 6.20) after adding a workaround to avoid the ArrayIndexOutOfBoundsException. Kudos to Hykem for the great work!
Thanks for all the reports! Smile
The retsize bug should now be fixed in r1965 (it was missing an Integer.reverseBytes).
I've also added an experimental implementation of PRX version 1 decryption routine for games ranging from firmware 1.00 to 2.80. This still needs some more testing, so any errors under this version are quite expected.
(01-22-2011 08:54 PM)Hykem Wrote: [ -> ]Thanks for all the reports! Smile
The retsize bug should now be fixed in r1965 (it was missing an Integer.reverseBytes).
I've also added an experimental implementation of PRX version 1 decryption routine for games ranging from firmware 1.00 to 2.80. This still needs some more testing, so any errors under this version are quite expected.

support
Got this in God of War: Chains of Olympus - USA - UCUS98653 [Encrypted] (r1965)
Code:
36014 [user_main] INFO  compiler - Replacing CodeSequence at 0x08A8875C-0x08A88814 by Native Code 'memcpySequence'
36015 [user_main] ERROR compiler - Not implemented: branching to an unknown address
36015 [user_main] ERROR compiler - Not implemented: branching to an unknown address
36015 [user_main] ERROR compiler - Not implemented: branching to an unknown address
36015 [user_main] ERROR compiler - Not implemented: branching to an unknown address
36015 [user_main] ERROR compiler - Not implemented: branching to an unknown address
36016 [user_main] ERROR compiler - Not implemented: branching to an unknown address
36016 [user_main] ERROR compiler - Not implemented: branching to an unknown address
36017 [user_main] ERROR compiler - Catched exception 'java.lang.NullPointerException' while compiling 0x08A887A4 (0x08A8875C-0x08A888D4)
36017 [user_main] INFO  compiler - Compiling for Interpreter _S1_2_8A887A4
In Peggle using r1965, the PRX2 decryption seems to be successful, but the value of OFS_BASE in class jpcsp.Loader inside method relocateFromBuffer() line 629 eventually messes up with a value of 255 which causes IndexOutOfBoundsException in line 635.

By adding a line before 635 to work around it as follows:

if (OFS_BASE == 255) break;

so that the for loop exits early when OFS_BASE goes to la-la land, the game runs fine and I can complete the first level. However, when it tries to save my game progress, the game gets stuck. The autosave in this game causes failed malloc errors. I've attached the log.html file which shows this error.
Here's a game which uses PRX1 decryption: Ultimate Ghosts'n Goblins. I'm using r1965 and the game doesn't load because of IllegalArgumentException in jpcsp.format.Elf32 line 69. I'm guessing the DecryptPRX1() method did not properly decrypt it so the program header values (E_phnum, E_phoff, E_phentsize) are messed up. I've attached the log.html file for this game although it doesn't show the problem there.
Prince of Persia - Revelations - USA - ULUS10063 (r1965)
Code:
...
24458     user_main     WARN     hle.ThreadManForUser     sceKernelSetEventFlag unknown uid=0x0
24660     user_main     WARN     hle.ThreadManForUser     sceKernelSetEventFlag unknown uid=0x0
24661     user_main     WARN     hle.ThreadManForUser     sceKernelSetEventFlag unknown uid=0x0
24692     user_main     INFO     hle.IoFileMgrForUser     hleIoOpen filename = disc0:/PSP_GAME/USRDIR/VIDEOS/LOADOUT0.PMF flags = 1 permissions = 01204
24704     user_main     INFO     hle.scePsmf     scePsmfSetPsmf (psmf=0x9fbee48 buffer_addr=0x9fbee70)
24704     user_main     WARN     hle.sceMpeg     sceMpegQueryStreamOffset bad magic 0x00000000
24704     user_main     WARN     hle.sceMpeg     sceMpegFreeAvcEsBuf(mpeg=0x8ce10b8, esBuf=0x0) bad esBuf handle
24705     user_main     WARN     hle.sceMpeg     sceMpegUnRegistStream unknown stream=0x0
24705     user_main     WARN     hle.ThreadManForUser     sceKernelSetEventFlag unknown uid=0x0
24706     user_main     WARN     hle.ThreadManForUser     sceKernelSetEventFlag unknown uid=0x0
24793     user_main     INFO     hle.IoFileMgrForUser     hleIoOpen filename = disc0:/PSP_GAME/USRDIR/MENU/ENGLISH/P5MAIN.MGM flags = 1 permissions = 00
26049     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26049     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26062     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26062     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26062     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26063     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26063     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26063     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26063     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26064     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26064     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26064     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26064     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26064     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26065     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26065     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26065     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26065     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26066     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26066     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26066     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26067     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26067     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26067     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26067     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26067     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26068     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26068     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26068     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26069     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26069     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26069     user_main     ERROR     emu     Problem using intBitsToFloat: 0xFF999B9C != 0xFFD99B9C
26142     user_main     INFO     compiler     Replacing CodeSequence at 0x08B7AEAC-0x08B7AEB8 by Native Code 'bzeroSequence'
26142     user_main     INFO     compiler     Replacing CodeSequence at 0x08B7AED8-0x08B7AEE4 by Native Code 'bzeroSequence'
26203     user_main     WARN     hle.ThreadManForUser     sceKernelSetEventFlag unknown uid=0x0
26204     user_main     WARN     hle.ThreadManForUser     sceKernelSetEventFlag unknown uid=0x0
26215     GUI     WARN     ge     Invalid texture address 0x04710000 for texture level 0
26320     user_main     WARN     hle.ThreadManForUser     sceKernelSetEventFlag unknown uid=0x0
26321     user_main     WARN     hle.ThreadManForUser     sceKernelSetEventFlag unknown uid=0x0
26337     GUI     WARN     ge     Invalid texture address 0x04710000 for texture level 0
26404     user_main     WARN     hle.ThreadManForUser     sceKernelSetEventFlag unknown uid=0x0
26405     user_main     WARN     hle.ThreadManForUser     sceKernelSetEventFlag unknown uid=0x0
26450     GUI     WARN     ge     Invalid texture address 0x04710000 for texture level 0
...
As of r1971, a lot of things have been fixed. Could everyone please try testing again your encrypted games? Thanks! Smile
Specially games like Dissidia or Kingdom Hearts which seem to be very prone to security trickery. Tongue
Pages: 1 2 3 4 5 6
Reference URL's