Closed Thread
Page 1 of 2 1 2 LastLast
  1. #1

    Graf Chokolo Releases PS3 SELF Decrypter PSGroove Payload

    As a follow-up to his previous work, today graf_chokolo has done it again and posted his code for decrypting PS3 SELF files using appldr.

    Looks like he still can't decrypt game or NPDRM SELFs, but soon perhaps.

    Download: Graf Chokolo PS3 SELF Decrypter PSGroove Payload

    To quote from xorloser's blog (linked above): Guys, I promised you I would make my SELF decrypter public. I just uploaded it. Let me first explain how it works.

    I used only HV calls in my code because I wanted to learn how to decrypt SELFs without GameOS. The decryption and decompression of SELFs is done by the isolated module appldr, which is prepared and loaded by lv1_undocumented_function_99. After appldr is loaded it sends a message and waits for your instructions to decrypt some encrypted segments. When the message arrives I pass the encrypted segment data to appldr through shared memory and it decrypts the passed data. When the decryption is done the payload sends the decrypted data over the network to my PC and I capture it with tcpdump.

    I’m using IDA to analyze the decrypted code. First I extract the decrypted segments from the pcap dump and load them at the right addresses into IDA. I created a shell script to make segment extraction from pcap dumps easier. You will find the virtual addresses of the decrypted segments in the ELF header.

    The target group of this release is again the advanced programmers among you. The goal of this release is not to give you a tool for SELF decryption but to show you how it can be done. So, feel free to ask me any questions about my code. I will support everyone who wants to port my code and create more user-friendly GameOS applications for SELF decryption, because I do not intend to write any GameOS tools; I’m more interested in HV reversing.

    My SELF decrypter is not able to decrypt games and NPDRMs yet, but I’m working on it. I think you will have enough SELFs now to reverse.

    I will document my findings about SELF decryption on my HV page in the next days.


    Last edited by Preceptor; 12-02-2010 at 04:53 PM
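    The capture-and-reload workflow graf_chokolo describes above (decrypted segment data streamed over the network, captured with tcpdump, then cut into segments and loaded into IDA at the virtual addresses taken from the ELF header), as an added Python example. This is not graf_chokolo's shell script or any code from the thread or from xorloser's blog. It assumes the payload sends each segment's contents as in-order UDP datagrams to a fixed port (31337 here, an assumption) in program-header order, and that the ELF64 header of the decrypted file is available separately; the sample pcap and ELF64 header are constructed inside the block.

```python
import struct

CAPTURE_PORT = 31337  # assumed: the port the payload streams decrypted data to (constructed)

def udp_payloads(pcap, dst_port):
    """Yield UDP payloads sent to dst_port, in capture order (Ethernet II / IPv4 only)."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24                                   # skip the pcap global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                           # not IPv4 over Ethernet, or not UDP
        ihl = (frame[14] & 0x0F) * 4
        udp = frame[14 + ihl:]
        if len(udp) < 8:
            continue
        dport, ulen = struct.unpack("!HH", udp[2:6])
        if dport == dst_port:
            yield udp[8:ulen]

def load_segments(elf):
    """Return [(p_vaddr, p_filesz), ...] for the PT_LOAD entries of an ELF64 header blob."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("expected an ELF64 header")
    e = "<" if elf[5] == 1 else ">"            # EI_DATA: 1 = little-endian, 2 = big-endian (PPC64)
    (e_phoff,) = struct.unpack(e + "Q", elf[32:40])
    e_phentsize, e_phnum = struct.unpack(e + "HH", elf[54:58])
    segs = []
    for i in range(e_phnum):
        start = e_phoff + i * e_phentsize
        p_type, _fl, _off, p_vaddr, _pa, p_filesz, _msz, _al = struct.unpack(
            e + "IIQQQQQQ", elf[start:start + 56])
        if p_type == 1:                        # PT_LOAD
            segs.append((p_vaddr, p_filesz))
    return segs

def segments_from_capture(pcap, elf, dst_port=CAPTURE_PORT):
    """Reassemble the stream and split it into {vaddr: bytes} using the PT_LOAD sizes."""
    stream = b"".join(udp_payloads(pcap, dst_port))
    result, pos = {}, 0
    for vaddr, size in load_segments(elf):
        if pos + size > len(stream):
            raise ValueError("capture is shorter than the ELF program headers require")
        result[vaddr] = stream[pos:pos + size]  # write each to a file and load it in IDA at vaddr
        pos += size
    return result

# --- constructed sample input (not a real capture or a real PS3 binary) ---
def _frame(payload, dport):
    """Build one Ethernet/IPv4/UDP frame carrying payload (checksums left zero)."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 2])) + udp
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip

def build_pcap(frames):
    """Wrap frames in a little-endian pcap (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def build_elf64_be(segs):
    """Minimal big-endian ELF64 header (e_machine 0x15 = PPC64) with one PT_LOAD per entry."""
    hdr = b"\x7fELF" + bytes([2, 2, 1, 0]) + b"\x00" * 8
    hdr += struct.pack(">HHIQQQIHHHHHH", 2, 0x15, 1, 0, 64, 0, 0, 64, 56, len(segs), 0, 0, 0)
    offset = 64 + 56 * len(segs)
    for vaddr, size in segs:
        hdr += struct.pack(">IIQQQQQQ", 1, 5, offset, vaddr, vaddr, size, size, 0x10000)
        offset += size
    return hdr

SAMPLE_ELF = build_elf64_be([(0x10000, 6), (0x20000, 4)])
SAMPLE_PCAP = build_pcap([_frame(b"AAAA", CAPTURE_PORT), _frame(b"noise", 53),
                          _frame(b"AABB", CAPTURE_PORT), _frame(b"BB", CAPTURE_PORT)])

if __name__ == "__main__":
    for vaddr, data in segments_from_capture(SAMPLE_PCAP, SAMPLE_ELF).items():
        print(f"segment @ 0x{vaddr:X}: {len(data)} bytes")
```

    Datagrams to any other port (the DNS-looking frame in the sample) are ignored, and the stream is cut strictly by p_filesz in program-header order, so a short capture raises rather than silently producing a mis-sized last segment.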

  2. #2
    Thanks for the news Preceptor and +Rep!


  3. #3
    Damn, lol had similar article nearly written up, then just went looking for a link and seen this, nice one preceptor, you beat me to it!


  4. #4
    very nice, I can't wait until it can do games, then hopefully I can play my 3.50 games.


  5. #5
    Yeah, Graf Chokolo is running the show right now, keep up the great work!


  6. #6
    German Quality product

    That's one of the interesting things that have come out in the last days. It's highly possible that this could lead to some interesting mods.


  7. #7
    graf_chokolo says: Guys, EBOOT.BINs are SELFs.

    Looks like he can decrypt more than just SELFs!


  8. #8
    That's the problem. SELFs and EBOOTs are the same, just renamed from .self to .bin.


  9. #9
    More graf_chokolo updates: http://xorloser.com/?p=297&cpage=11#comment-1986
    The hardware doesn’t use these ProtectionPages. They’re used only by the HV.
    There is still a page table for HV procs that is used by the hardware when HV procs access memory.

    HV uses these ProtectionPages to copy data to/from HV procs and to translate HV proc addresses to physical memory addresses, because HV procs use virtual memory. HV doesn’t use the HTAB of LPAR 1; it’s only used by the hardware.

    HV procs use HV syscalls and pass LPAR 1 addresses to the HV. But the HV uses a different memory address space, so it has to translate the passed addresses in order to be able to use them.

    It’s just like copy_from_user on Linux, or copyin and copyout on BSD. Unix rules.

    I also extracted all segments from the HV dump and imported them at the right addresses into IDA.

    The RTOC can be found very easily in the code.
    E.g. Process 6: look at this snippet of code, where RTOC is loaded:
    Code:
    ROM:8000002C start:
    ROM:8000002C lis %rtoc, 0
    ROM:80000030 mr %rtoc, %rtoc
    ROM:80000034 rldicr %rtoc, %rtoc, 32,31
    ROM:80000038 oris %rtoc, %rtoc, -0x4000
    ROM:8000003C ori %rtoc, %rtoc, 0x26E8 # 0xC00026E8
    ROM:80000040 ld %rtoc, 8(%rtoc)
    ROM:80000044 subf %sp, %r3, %sp
    ROM:80000048 ld %r3, 0(%sp)
    ROM:8000004C ld %r4, -8(%sp)
    ROM:80000050 ld %r5, -0x10(%sp)
    ROM:80000054 ld %r6, -0x18(%sp)
    ROM:80000058 ld %r7, -0x20(%sp)
    ROM:8000005C addi %sp, %sp, -0x30
    ROM:80000060 li %r0, 0
    ROM:80000064 std %r0, 0(%sp)
    ROM:80000068 stdu %r0, -0x70(%sp)
    ROM:8000006C bl main
    I don’t know if you know it or not, but you can set RTOC in IDA and IDA calculates all the references automatically for you.
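    To show how the RTOC value falls out of that prologue, here is an added Python evaluator (not IDA and not graf_chokolo's tooling) that walks an IDA-style PPC64 listing and folds the lis / oris / ori / rldicr immediate sequence into a 64-bit constant, reporting both the value built into %rtoc and the address the final ld reads the real TOC pointer from. It goes beyond the snippet by handling the general five-instruction 64-bit pattern (lis, ori, rldicr 32,31, oris, ori) as well. The listing embedded in the block is the Process 6 snippet from the post; the instruction semantics and the parsing are my own implementation.

```python
import re

MASK64 = (1 << 64) - 1

def sext(value, bits):
    """Sign-extend a `bits`-wide field (IDA prints 0xC000 as -0x4000, so both must agree)."""
    value &= (1 << bits) - 1
    return value - (1 << bits) if value & (1 << (bits - 1)) else value

def rldicr(value, sh, me):
    """Rotate left doubleword by sh, then keep bits 0..me (IBM numbering) and clear the rest."""
    sh %= 64
    rot = ((value << sh) | (value >> (64 - sh))) & MASK64 if sh else value
    return rot & (MASK64 ^ ((1 << (63 - me)) - 1))

# optional "SEG:ADDR " prefix, lowercase mnemonic, operands up to a '#' comment
INSN = re.compile(r"^\s*(?:[A-Za-z]+:[0-9A-Fa-f]+\s+)?([a-z]+)\s+([^#]*)")
MEM = re.compile(r"^(-?(?:0x[0-9A-Fa-f]+|\d+))\((\S+)\)$")   # disp(base) operand

def trace(listing):
    """Fold register/immediate arithmetic across the listing.

    Returns (regs, loads): regs maps register names to statically known 64-bit values,
    loads lists (dest, base, base_value, effective_address) for every ld seen."""
    regs, loads = {}, []
    known = lambda r: regs.get(r) is not None
    for line in listing.splitlines():
        m = INSN.match(line)
        if not m:
            continue                        # labels, blank lines, unparsable text
        op = m.group(1)
        args = [a.strip() for a in m.group(2).split(",") if a.strip()]
        if op == "lis":
            regs[args[0]] = sext(int(args[1], 0) << 16, 32) & MASK64
        elif op == "li":
            regs[args[0]] = sext(int(args[1], 0), 16) & MASK64
        elif op == "mr" and known(args[1]):
            regs[args[0]] = regs[args[1]]
        elif op in ("ori", "oris") and known(args[1]):
            imm = int(args[2], 0) & 0xFFFF  # -0x4000 and 0xC000 are the same 16-bit field
            regs[args[0]] = regs[args[1]] | (imm << (16 if op == "oris" else 0))
        elif op == "rldicr" and known(args[1]):
            regs[args[0]] = rldicr(regs[args[1]], int(args[2], 0), int(args[3], 0))
        elif op == "addi" and known(args[1]):
            regs[args[0]] = (regs[args[1]] + sext(int(args[2], 0), 16)) & MASK64
        elif op == "ld":
            mm = MEM.match(args[1])
            base = mm.group(2) if mm else None
            ea = (regs[base] + int(mm.group(1), 0)) & MASK64 if mm and known(base) else None
            loads.append((args[0], base, regs.get(base), ea))
            regs.pop(args[0], None)         # the loaded value is not known statically
        elif op.startswith("st") or not args:
            pass                            # stores (std/stdu/...) change memory, not registers
        else:
            regs.pop(args[0], None)         # anything else clobbers its destination
    return regs, loads

def find_rtoc(listing, reg="%rtoc"):
    """(constant built into reg, address the final 'ld reg, d(reg)' reads the TOC pointer from)."""
    for dest, base, base_val, ea in trace(listing)[1]:
        if dest == reg and base == reg:
            return base_val, ea
    return None

# Process 6 prologue as quoted in the post (abridged to the lines that matter here)
PROCESS6_PROLOGUE = """\
ROM:8000002C start:
ROM:8000002C lis %rtoc, 0
ROM:80000030 mr %rtoc, %rtoc
ROM:80000034 rldicr %rtoc, %rtoc, 32,31
ROM:80000038 oris %rtoc, %rtoc, -0x4000
ROM:8000003C ori %rtoc, %rtoc, 0x26E8 # 0xC00026E8
ROM:80000040 ld %rtoc, 8(%rtoc)
ROM:80000044 subf %sp, %r3, %sp
ROM:80000048 ld %r3, 0(%sp)
ROM:8000006C bl main
"""

if __name__ == "__main__":
    built, ea = find_rtoc(PROCESS6_PROLOGUE)
    print(f"%rtoc built as 0x{built:X}; real TOC pointer loaded from 0x{ea:X}")
```

    The value you give IDA as RTOC is whatever sits at that effective address in the dump, not the constant itself; the evaluator stops there because memory contents are outside what a listing alone can tell you.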



  10. #10

    Graf Chokolo Can Now Decrypt PS3 EBOOT.BIN Files

    Reading xorloser's blog tonight this has just appeared: http://xorloser.com/?p=297&cpage=13#comment-2069
    graf_chokolo says:

    Guys, I’m able now to decrypt games, EBOOT.bins. I will make my findings public very soon.

    Here is a snippet of a game i decrypted:

    http://pastie.org/1347337

    Guys, how can I install NP-DRMs on my PS3? I have no clue.
    This weekend is just sooo good. Congratulations Dude

    Last edited by Mantagtj; 12-04-2010 at 12:55 PM
