- 精华
- 0
- 帖子
- 121
- 威望
- 0 点
- 积分
- 183 点
- 种子
- 0 点
- 注册时间
- 2005-8-18
- 最后登录
- 2023-12-22
|
楼主 |
发表于 2010-5-18 18:27 · 香港
|
显示全部楼层
http://my.malloc.us/silverspring/2009/01/prx-decryption-nids/
I never thought these would ever be cracked but finally here are the sceMesgLed NID’s (these are only valid upto 2.00 since the NID’s were later ‘randomised’ the following update in 2.50):
•0×84a04017 sceUtilsGetLoadModuleCLength
•0xa86d5005 sceUtilsGetLoadModuleCLengthByPolling
•0xa4547df1 sceUtilsGetLoadModuleDLength
•0×94eb1072 sceUtilsGetLoadModuleDLengthByPolling
•0×198fd3be sceUtilsGetLoadModuleILength
•0xfbc694c7 sceUtilsGetLoadModuleILengthByPolling
•0×07e152be sceUtilsGetLoadModuleJLength
•0×9906f33a sceUtilsGetLoadModuleJLengthByPolling
•0×46ac0e78 sceUtilsGetLoadModuleKLength
•0×55c8785e sceUtilsGetLoadModuleKLengthByPolling
•0×67a5ecdf sceUtilsGetLoadModuleLLength
•0×85b9d9f3 sceUtilsGetLoadModuleLLengthByPolling
•0×951f4a5b sceUtilsGetLoadModuleMLength
•0×58999d8e sceUtilsGetLoadModuleMLengthByPolling
•0×9fc926a0 sceUtilsGetLoadModuleNLength
•0×7a922276 sceUtilsGetLoadModuleNLengthByPolling
As you can see the naming is very cryptic, but the names do make a little bit of sense (more than some other crypto functions & libs). Each of these functions decrypts a particular ~PSP encrypted executable.
The executable type is at offset 0×7C of a ~PSP file, and the executable type number corresponds to the letter listed in the above functions.
For example, Type3 exe’s (vshmain modules) use the ‘C’ function to decrypt, Type4 exe’s (user modules) use the ‘D’ function, etc. There are no types 5,6,7,8 exe’s so those letters are missing. Other exe types that use the above functions include:
•Type09 UMD games (use ‘I’ to decrypt)
•Type10 Gamesharing games (use ‘J’ to decrypt)
•Type11 Debug Gamesharing games (use ‘K’ to decrypt)
•Type12 MS Updater (use ‘L’ to decrypt)
•Type13 MS Demo games (use ‘M’ to decrypt)
•Type14 Flash application eboots (use ‘N’ to decrypt)
Later fw added extra exe types also (such as POPS executables – Type20). So as you can see the numbering of the executable type corresponds to the letter of the alphabet used in the decryption functions naming.
Type1 exe’s are internal debug modules while Type2 exe’s are kernel modules, they are both decrypted the same way hence the ‘A’ and ‘B’ in the function sceUtilsGetLoadModuleABLength of memlmd.prx.
Here are also 2 more NID’s from memlmd (these ONLY exist in 2.00 which was when these functions were added into the fw, they were later ‘randomised’ the following update in 2.50):
•0xc3a6f784 sceUtilsPrepareGetLoadModuleABLength
•0xdf76975e sceUtilsPrepareGetLoadModuleABLengthByPolling
This function is similar to the ’sigcheck’ functions in that they take an encrypted ~PSP file and ’scrambles’ the ’sig’ area (0xD0 Bytes from offset 0×80-0×150 of ~PSP binaries). The only difference is that this scrambling is not unique per PSP, whereas the normal sigchecking IS unique per PSP (using each PSP’s FuseID to flash the unique prxs, which is why files from different PSP’s are not compatible and therefore cannot be shared). |
|
楼主: pkchan1013
川公网安备 51019002005286号
发表于 2010-5-17 21:55 · 四川
