PS3 News PS3 Forums
PES 2009 Gamesave decryption possibility
#1
Posted 3 Weeks Ago by SCE (Registered User)
Hi, a dude has done some investigation and found something interesting that I think the devs here should look into:
Quote (originally posted by stadicon):
I am a PES and NBA 2K modder for PC. Over the last few weeks I did some research concerning the possibilities of game save editing on PS3, and I tried to find a way to read the Option File of PES 2009 by comparing the PC save and the PS3 one. So, I came across some interesting clues:

1) The size of PC and PS3 save file is identical (kind of).
2) Through the simple process of editing (in-game), saving and comparing, I found out that the OF of PS3 is almost identical to the one on PC, but encrypted. For instance, every time I change a player's data, a 128-bit section changes in the PS3 save file. This section is in the same position of the file as the position of this player's data in the PC save!

So here is my thought:
If we have a default Option File for PES 2009 (didn't test for 2010 yet), we can be almost sure it will be identical to the default on PC (which is unencrypted). So, knowing the original data and the final encrypted data, and having the ability to change a byte of the original data and compare the change in the encrypted one, is it possible to find the encryption method and the key?

I know, it's not easy. But there is a possibility here: the encryption block is just 128 bits in size. So, that means we can compare many 16-byte blocks to each other and we can focus on decrypting just 16 bytes, instead of the whole file! We know 16 original bytes and the 16 encrypted bytes. If we find the method for those 16 bytes, we can do it for the whole file, and maybe we can find the method for many other PS3 game saves!

So, anyone who knows about encryption and stuff, could help about this subject?
He has uploaded the save files: http://rapidshare.com/files/299802561/PES2009save.rar

Credit to: stadicon

Attached file: PES2009save.rar (4.04 MB)
#2
Posted 2 Weeks Ago by CJPC (Right Hand Man)
Quote (originally posted by stadicon):
So here is my thought:
If we have a default Option File for PES 2009 (didn't test for 2010 yet), we can be almost sure it will be identical to the default on PC (which is unencrypted). So, knowing the original data and the final encrypted data, and having the ability to change a byte of the original data and compare the change in the encrypted one, is it possible to find the encryption method and the key?

I know, it's not easy. But there is a possibility here: the encryption block is just 128 bits in size. So, that means we can compare many 16-byte blocks to each other and we can focus on decrypting just 16 bytes, instead of the whole file! We know 16 original bytes and the 16 encrypted bytes. If we find the method for those 16 bytes, we can do it for the whole file, and maybe we can find the method for many other PS3 game saves!
The biggest problem with this is - it's still nearly impossible. Assuming we knew the algo that was used (which we don't), not to mention any possible signing on the save file itself (a hash check), and Sony's fondness for HMAC+SHA1 - on top of all that is - we don't have the key.

For all we know, part of the save key in these cases could be based off the PSID, MAC, serial # - whatever. Although it is quite interesting that the files are just about the same, trying to compare and crack with today's modern encryption techniques is not feasible - at least not with today's current computing power.

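The one-block-per-edit pattern stadicon observed and the HMAC check CJPC mentions, as an added Go example that is not from the thread or from any PS3 software: it encrypts a constructed 64-byte save with AES under a demo key, edits one byte, and shows that only independent-block (ECB) encryption changes exactly the one block at the same offset, while chained (CBC) encryption disturbs every later block, and that an HMAC-SHA1 over the file fails after any edit regardless of mode. The keys, the zero IV and the record layout are assumptions; the real PES 2009 format and keys are unknown.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
)
// Constructed demo keys (assumption: the real PES 2009 keys and save layout are unknown).
var saveKey = []byte("demo-key-16bytes") // 16 bytes selects AES-128
var macKey = []byte("demo-hmac-key")
// encryptSave encrypts block-by-block (ECB) or chained (CBC; zero IV only to keep the demo deterministic).
func encryptSave(plaintext []byte, chained bool) []byte {
	block, _ := aes.NewCipher(saveKey) // key length is fixed above, so no error path
	out := make([]byte, len(plaintext))
	if chained {
		cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(out, plaintext)
		return out
	}
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out
}
// changedBlocks lists the indexes of 16-byte blocks that differ between two ciphertexts.
func changedBlocks(a, b []byte) (idx []int) {
	for i := 0; i < len(a); i += aes.BlockSize {
		if !bytes.Equal(a[i:i+aes.BlockSize], b[i:i+aes.BlockSize]) {
			idx = append(idx, i/aes.BlockSize)
		}
	}
	return idx
}
// tag is an HMAC-SHA1 over the whole file, the kind of check CJPC mentions: any edit invalidates it.
func tag(data []byte) []byte {
	m := hmac.New(sha1.New, macKey)
	m.Write(data)
	return m.Sum(nil)
}
// compareEdit repeats the modder's experiment on a constructed 64-byte save: edit one byte, then
// report which ciphertext blocks changed under each mode and whether the HMAC still verifies.
func compareEdit() (ecb, cbc []int, tagStillValid bool) {
	original := bytes.Repeat([]byte("PLAYER-RECORD-00"), 4) // four 16-byte records
	edited := append([]byte(nil), original...)
	edited[33] = 'X' // one byte inside block 2 (bytes 32..47)
	ecb = changedBlocks(encryptSave(original, false), encryptSave(edited, false))
	cbc = changedBlocks(encryptSave(original, true), encryptSave(edited, true))
	return ecb, cbc, hmac.Equal(tag(original), tag(edited))
}
```

Recognizing the mode from this pattern says nothing about the key: one known plaintext/ciphertext pair under AES-128 still leaves every one of the 2^128 keys a candidate, which is the infeasibility CJPC points to.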
#3
Posted 2 Weeks Ago by xhugox (Junior Member)
I think the biggest problem is not to find a way to run a piece of code by some kind of exploit, but to encrypt the code we want to run.

Think about it like this: even if we find a way to run our own code, it is not encrypted/signed, so the PS3 will try to decrypt it again and thus create gibberish. I'm even pretty sure the devs already found a way to run random signed code; the problem is, they do not have signed code they can run.

So, being able to run code is useless as long as we do not have anything we can run.

#4
Posted 1 Week Ago by hosmy (Senior Member)
Quote (originally posted by xhugox):
I think the biggest problem is not to find a way to run a piece of code by some kind of exploit, but to encrypt the code we want to run.

Think about it like this: even if we find a way to run our own code, it is not encrypted/signed, so the PS3 will try to decrypt it again and thus create gibberish. I'm even pretty sure the devs already found a way to run random signed code; the problem is, they do not have signed code they can run.

So, being able to run code is useless as long as we do not have anything we can run.
If it's about savegames, like the title says, then get some games with unsigned/unencrypted data and forget about the "biggest problem to encrypt the code".

#5
Posted 1 Week Ago by xhugox (Junior Member)
Oh there are unencrypted/unsigned games?

Why don't we just replace the game's executable with our executable?

#6
Posted 1 Week Ago by Arnie Pie (Member)
Quote (originally posted by xhugox):
Oh there are unencrypted/unsigned games?
The poster was referring to there being games whose saved game data is unencrypted/not machine-locked.

#7
Posted 1 Week Ago by DSpider (Registered User)
Quote (originally posted by xhugox):
Oh there are unencrypted/unsigned games?

Why don't we just replace the game's executable with our executable?
Even if there were (and Blu-ray burners were affordable), the homebrew burned discs would have to be written with extra sectors for the copy-protection system in the PS3 to recognize them as "legit".

HIDDEN sectors, which retail burners don't have access to. It's not new technology.

#8
Posted 1 Week Ago by hosmy (Senior Member)
Hidden? Every blank (Blu-ray, DVD, CD) is pre-pressed and contains a so-called "header" with information such as dye, blank type (e.g. DVD-R or DVD+R), writing speed, space (650 MB or 700 MB CD), ID, manufacturer, and so on, which every console reads at boot.

The point is we can't delete or overwrite this information, and if we could, a DVD-RW would be recognized as nothing or no disc, so it is vital for burners. We already have DAO96 to write subchannels, but no luck. I don't think it's about hidden sectors.

#9
Posted 1 Week Ago by SCE (Registered User)

There are unencrypted files on the HDD, so why can't we replace them? Hash protection?

http://www.ps3news.com/PS3-Dev/unenc...-demo-for-ps3/
