A9VG电玩部落论坛

 找回密码
 注册
搜索
楼主: pkchan1013

liquidzigong大請進 有關god eater update(ver 1.01)

[复制链接]

精华
0
帖子
620
威望
5 点
积分
895 点
种子
2 点
注册时间
2007-2-5
最后登录
2021-1-5
发表于 2010-5-17 21:55  ·  四川 | 显示全部楼层
麻烦啊,0x2E5E10F0这个密码目前不能解密。老外说可能是用了不同与游戏加密的算法。可能要等一段时间了。

精华
0
帖子
121
威望
0 点
积分
183 点
种子
0 点
注册时间
2005-8-18
最后登录
2023-12-22
 楼主| 发表于 2010-5-17 21:59  ·  香港 | 显示全部楼层
idolmaster sp  download plus
minimum ver: psp 5.50
是去年這個時候的

高深

精华
0
帖子
95
威望
0 点
积分
101 点
种子
0 点
注册时间
2008-5-25
最后登录
2011-2-8
发表于 2010-5-17 22:42  ·  广东 | 显示全部楼层
link  ifile:
1) GOD EATER 1.01
http://ifile.it/47gj386/GOD_EATER_1.01.rar

2) IMAS SP DOWNLOAD+ (=IMAS SP 1.01)
http://ifile.it/vwdcag6/IMAS_SP_DOWNLOAD%2B.rar

3) IMAS SP Missing Moon Original EBOOT.BIN from ISO
http://ifile.it/eksh9x2/EBOOT.BIN

楼主介绍下这个是啥 ..

精华
0
帖子
121
威望
0 点
积分
183 点
种子
0 点
注册时间
2005-8-18
最后登录
2023-12-22
 楼主| 发表于 2010-5-17 22:46  ·  香港 | 显示全部楼层
(1) GOD EATER 1.01版更新   (Playstation Network)
(2) Idolm@ster SP Download Plus (=1.01版更新)    (Playstation Network)
(3) Idolm@ster SP Missing Moon 版原始EBOOT.BIN

精华
0
帖子
537
威望
0 点
积分
923 点
种子
12 点
注册时间
2008-8-20
最后登录
2024-11-19
发表于 2010-5-17 22:54  ·  陕西 | 显示全部楼层
下面是引用夏小岚于2010-05-17 19:44发表的:

你可以导出 620的激活ACT,DAT,然后回到 550替换掉F2的 ACT.DAT
就不破损了。

我就是这么用500玩 GE的 V1.4+特典的。
游戏进入~版本号不变........无解决...真诡异~

精华
0
帖子
620
威望
5 点
积分
895 点
种子
2 点
注册时间
2007-2-5
最后登录
2021-1-5
发表于 2010-5-18 02:54  ·  四川 | 显示全部楼层
yes I just meant in sce modules, I've only seen 0 & 1 used, but I dont know the meanings.

EDIT:

Well anyway, as long as we're on the topic of undocumented flags, here are some the u8 flag in the prx compression header (compression header - first 0x80 bytes of prx):

u8 at offset 0x7C of prx: ~PSP executable type flag

0x00 - not executable file (ie. not ~PSP file)
0x01 - 1.00 bogus module (module attr flag of 0x1000)
0x02 - Kernel module (module attr flag of 0x1000)
0x03 - vshmain module (module attr flag of 0x0800)
0x04 - user module (module attr flag of 0x0000)
0x05-0x08 not used (returns 0x80020148 error if try to load)
0x09 - UMD game executable (module attr flag of 0x0000)
0x0A - gamesharing executable (module attr flag of 0x0400)
0x0B - unknown (module attr flag of 0x0400)
0x0C - MS updater (module attr flag of 0x0800)
0x0D - Demo executable (module attr flag of 0x0200)
0x0E - unknown (module attr flag of 0x0600)
0x0F-0x11 not used (returns 0x80020148 error if try to load)
0x12 - unknown (no attr flag)
0x13 - unknown (no attr flag)
0x14 - POPS executable (module attr flag of 0x0200)
0x15 - unknown (module attr flag of 0x0200)
0x16 - unknown (module attr flag of 0x0600)

Each exe type can be decrypted by a corresponding mesg_led function.

Which are:

0x00 - N/A
0x01 - (not decrypted with mesg_led)
0x02 - (not decrypted with mesg_led)
0x03 - sceMesgLed_driver_55E4F665
0x04 - sceMesgLed_driver_DFF0F308
0x05-0x08 - N/A
0x09 - sceMesgLed_driver_3702348B
0x0A - sceMesgLed_driver_8F096FEC
0x0B - sceMesgLed_driver_4A680E6B
0x0C - sceMesgLed_driver_AA59DE09
0x0D - sceMesgLed_driver_5FDB29F3
0x0E - sceMesgLed_driver_28BC34E1
0x0F-0x11 - N/A
0x12 - sceMesgLed_driver_739D8E56
0x13 - sceMesgLed_driver_ED47F024
0x14 - sceMesgLed_driver_418BC5CF
0x15 - sceMesgLed_driver_07037789
0x16 - sceMesgLed_driver_7EDF7F6E

==========================================================
SilverSpring的介绍,我们要攻破的为0x19,一种新的加密格式。prxdecryptor2.4b等都不能解密。

精华
0
帖子
121
威望
0 点
积分
183 点
种子
0 点
注册时间
2005-8-18
最后登录
2023-12-22
 楼主| 发表于 2010-5-18 18:27  ·  香港 | 显示全部楼层
http://my.malloc.us/silverspring/2009/01/prx-decryption-nids/

I never thought these would ever be cracked but finally here are the sceMesgLed NID’s (these are only valid upto 2.00 since the NID’s were later ‘randomised’ the following update in 2.50):

•0×84a04017 sceUtilsGetLoadModuleCLength
•0xa86d5005 sceUtilsGetLoadModuleCLengthByPolling
•0xa4547df1 sceUtilsGetLoadModuleDLength
•0×94eb1072 sceUtilsGetLoadModuleDLengthByPolling
•0×198fd3be sceUtilsGetLoadModuleILength
•0xfbc694c7 sceUtilsGetLoadModuleILengthByPolling
•0×07e152be sceUtilsGetLoadModuleJLength
•0×9906f33a sceUtilsGetLoadModuleJLengthByPolling
•0×46ac0e78 sceUtilsGetLoadModuleKLength
•0×55c8785e sceUtilsGetLoadModuleKLengthByPolling
•0×67a5ecdf sceUtilsGetLoadModuleLLength
•0×85b9d9f3 sceUtilsGetLoadModuleLLengthByPolling
•0×951f4a5b sceUtilsGetLoadModuleMLength
•0×58999d8e sceUtilsGetLoadModuleMLengthByPolling
•0×9fc926a0 sceUtilsGetLoadModuleNLength
•0×7a922276 sceUtilsGetLoadModuleNLengthByPolling

As you can see the naming is very cryptic, but the names do make a little bit of sense (more than some other crypto functions & libs). Each of these functions decrypts a particular ~PSP encrypted executable.

The executable type is at offset 0×7C of a ~PSP file, and the executable type number corresponds to the letter listed in the above functions.

For example, Type3 exe’s (vshmain modules) use the ‘C’ function to decrypt, Type4 exe’s (user modules) use the ‘D’ function, etc. There are no types 5,6,7,8 exe’s so those letters are missing. Other exe types that use the above functions include:

•Type09 UMD games (use ‘I’ to decrypt)
•Type10 Gamesharing games (use ‘J’ to decrypt)
•Type11 Debug Gamesharing games (use ‘K’ to decrypt)
•Type12 MS Updater (use ‘L’ to decrypt)
•Type13 MS Demo games (use ‘M’ to decrypt)
•Type14 Flash application eboots (use ‘N’ to decrypt)

Later fw added extra exe types also (such as POPS executables – Type20). So as you can see the numbering of the executable type corresponds to the letter of the alphabet used in the decryption functions naming.

Type1 exe’s are internal debug modules while Type2 exe’s are kernel modules, they are both decrypted the same way hence the ‘A’ and ‘B’ in the function sceUtilsGetLoadModuleABLength of memlmd.prx.

Here are also 2 more NID’s from memlmd (these ONLY exist in 2.00 which was when these functions were added into the fw, they were later ‘randomised’ the following update in 2.50):

•0xc3a6f784 sceUtilsPrepareGetLoadModuleABLength
•0xdf76975e sceUtilsPrepareGetLoadModuleABLengthByPolling

This function is similar to the ’sigcheck’ functions in that they take an encrypted ~PSP file and ’scrambles’ the ’sig’ area (0xD0 Bytes from offset 0×80-0×150 of ~PSP binaries). The only difference is that this scrambling is not unique per PSP, whereas the normal sigchecking IS unique per PSP (using each PSP’s FuseID to flash the unique prxs, which is why files from different PSP’s are not compatible and therefore cannot be shared).

精华
0
帖子
620
威望
5 点
积分
895 点
种子
2 点
注册时间
2007-2-5
最后登录
2021-1-5
发表于 2010-5-19 01:55  ·  四川 | 显示全部楼层
原来是sceMesgLed_driver_0A443BB4
临时文件下载:

newkey.rar (提取码:bd048f6783c34e7ff05113d8f462cf99

精华
0
帖子
620
威望
5 点
积分
895 点
种子
2 点
注册时间
2007-2-5
最后登录
2021-1-5
发表于 2010-5-19 03:01  ·  四川 | 显示全部楼层
补丁加密已经被破解,已经在psp3000 5.03 gen-c成功安装1.01游戏补丁,大家期待吧

精华
0
帖子
198
威望
0 点
积分
206 点
种子
5 点
注册时间
2010-5-8
最后登录
2016-2-5
发表于 2010-5-19 03:19  ·  英国 | 显示全部楼层
这个5月真是破解的月份啊……各种喜讯

具体应用是不是和你之前说的那样,把1.01的data.psp当eboot.bin解密后和param.sfo弄到iso里?
您需要登录后才可以回帖 登录 | 注册

本版积分规则

Archiver|手机版|A9VG电玩部落 川公网安备 51019002005286号

GMT+8, 2024-11-19 16:32 , Processed in 0.189408 second(s), 14 queries , Redis On.

Powered by Discuz! X3.4

Copyright © 2001-2020, Tencent Cloud.

返回顶部