This post was last edited by kanon411 on 2011-1-27 09:09
Actually, this tool takes the signed file from a game DEMO and uses it to replace the unsigned file in the ISO; the disguised game can then run. This method was first discovered by kgsws, the first person to successfully sign, during his experiments. Link to the original explanation:
http://wololo.net/talk/viewtopic.php?f=5&t=1381&start=150
Well ok, here it comes. Try this one.
tested on fat PSP with OFW 6.35
How?
Simple, notice it contains ~PSP header from demo game (UCES00206), it is exactly the same header.
It is easy to craft last 16 bytes of encrypted data block to match header CMAC - yes, that's the trick
There are some strange things, it can't run homebrews with bigger executable block (data block does not matter), and because of ~PSP header, it has to match exact size of original game.
This trick might be possible on firmware kernel modules to get permanent HEN on non-pandorable PSPs, I was not able to do it but I was not trying that much.
PS: I am not the only one who found this trick
This is the principle behind that signed 3D-graphics DEMO: it used the game DEMO UCES00206, replaced some of the header files, and merged the 3D program in, thereby obtaining the signature.