But yeah it would help
I am a little bit skeptical.

kgsws wrote:
It is properly signed, but it uses a precalculated header from existing demo game(s).
Code:
// Encrypt
ENCRYPT_CBC(0x0003F000, 0x0003E000, 4096, unkkey, 128, stack + 784 + 32);
ENCRYPT_CBC(0x0003F000, 0x0003E000, calcsize, stack + 768, 128, stack + 784 + 32);
ENCRYPT_CBC(stack + 1792 + 32, stack + 1648 + 32, 32, 59312, 128, stack + 1616 + 32);
HMAC(stack + 1824 + 32, stack + 1648 + 96, 48, stack + 1792 + 16, 128);
// Decrypt
DECRYPT_CBC(0x0003F000, 0x0003E000, 4096, stack + 1792 + 32 + 16, 128, stack + 1616 + 32);
DECRYPT_CBC(0x0003F000, 0x0003E000, calcsize, stack + 1792 + 32 + 16, 128, stack + 1616 + 32);
DECRYPT_CBC(0x0003F000, 0x0003E000, 4096, stack + 1792 + 32, 128, stack + 1616 + 32);
DECRYPT_CBC(0x0003F000, 0x0003E000, calcsize, stack + 1792 + 32, 128, stack + 1616 + 32);
HMAC(stack + 1824 + 32, 0x0003E000, 16, stack + 1792 + 32 + 16, 128);
That's something else entirely; it's used to determine the file type and whether it can be run depending on where it's located (it's also linked to the mod_attribute field).

Is the decryptMode supposed to match the last param passed to sceUtilsBufferCopyWithRange, or is it something else?
I don't understand either yet, but congratulations if you succeeded. I can see how the rest of the header can be re-used, but bypassing the data hash doesn't seem possible to me, as we can't encrypt it, so we can't modify it to match our own data (it's double-checked with a SHA1, but the CMAC hash can be encrypted, and so is the SHA1's), unless they forgot to check something and there's a hole in the firmware that can be exploited? But in that case it'll be closed very soon after the exploit is made public. (I didn't check the "locoroco" 2.7-like demo files yet (just noticed they're less tricky to decode), only the newer ones. Did you use one of those?)

chapix wrote:
kgsws wrote:
It is properly signed, but it uses a precalculated header from existing demo game(s).
I am a little bit skeptical.
First, we don't have any keys for demos. And in my investigation, in order to encrypt and sign code we need to:
1) Encrypt the aes_game key and cmac key with the kirk key -> ok
2) XOR aes_game_enckey, cmac_enckey, cmac_header_hash and cmac_header_data -> ok
3) Encrypt this data with kirk7_keydemo -> fail, we don't have kirk7_keydemo
...
So I did some tests with eboot.bin 2.xx. I can decrypt eboot.bin and encrypt my own code with these keys, but signing failed.
kgsws wrote:
Right now it might not be a good idea to release it. I guess Sony will do something against it as soon as possible.
I don't know how Sony can protect itself from these two issues; they have to maintain compatibility with existing releases. The algorithm & keys cannot be changed.

Mathieulh wrote:
You "just" need to encrypt a "store"/npdrm ISO with your homebrew in it as EBOOT.BIN and it'll work.