Cool; at first I didn't notice the date. Good to see misfire's still alive and well, heh. I've added this to the Downloads section. I'll move the topic to Current Gen Hacking and Discussion...

---======================================---
CB2crypt - CodeBreaker PS2 Crypto Program
Copyright (C) 2006 misfire
---=========================================---

Welcome to CB2crypt! This program will decrypt and encrypt _any_ cheat code for
CodeBreaker PS2, including version 7 or higher.
---===========---
About CB2crypt
---==============---

Well, the CB V7 code encryption is by far the most complex scheme I've ever
cracked. Reliable encryption algorithms like ARCFOUR(*) or RSA are being used to
obfuscate the cheat codes in an evil manner -- cf. source code for more details.

However, it's still a proprietary encryption scheme with keys built into
software, and thus has been broken like all its predecessors. Will the
manufacturers of cheat devices ever learn this lesson? I don't think so.

(*) Alleged RC4. The algorithm is still the intellectual property of RSADSI.
I hope Pelican obtained a license for using RC4 in a commercial product...

---=====---
GUI help
---========---

Let's start with what each button does:

"Clear" (left site) - Clears the input dialog box.

"Clear" (right site) - Clears the output dialog box.

"Decrypt" - Reformats the text and decrypts all codes from the input box. The
result is displayed in the output box.

"Encrypt" - Reformats the text and encrypts all codes from the input box. The
result is displayed in the output box.

"Reformat only" - Only reformats the text from the input box. The result is
displayed in the output box.

"Close" - Exits the program.

Enable the check box "Use common V7 encryption" to set the seed code
B4336FA9 4DFEFB79, see chapter "Beefcode" for more details.

Selecting the system menu "About" will display some general program information.

---=====---
Beefcode
---========---

By default, CB2crypt processes codes using the old, crappy CB V1 encryption.
In order to switch to the new V7 scheme, there must be a special seed code
-- "Beefcode" -- at the top of the code list.

There are 3 different code types that affect the encryption:

[1] Change encryption seeds

BEEFC0DE vvvvvvvv

v = seed value

[2] Change encryption seeds (extended)

BEEFC0DF vvvvvvvv
wwwwwwww wwwwwwww

v = seed value
w = extra seed value

[1] and [2] affect _all_ following codes in the code list! Also, they go
together very well. You can even use them several times in any order.

For example:
BEEFC0DE 00000000
BEEFC0DF B16B00B5
01234567 89ABCDEF
BEEFC0DE DEADFACE
(normal code)

So far, the only seed code I've seen is B4336FA9 4DFEFB79 which decrypts to
BEEFC0DE 00000000. But this may change.

[3] Change encryption options (NOT SUPPORTED!!)
(Must be used with BEEFC0DE/BEEFC0DF!)

FFFFFFFF 000xnnnn

x = options:
0 - V7 encryption off, use no/V1 encryption
1 - V7 encryption on (pretty useless)
2 - ?
3 - ?
n = number of code lines

This type changes the encryption options to x for the next n code lines.
If n = 0, then _all_ following codes are affected; this can't be cancelled!

For example, FFFFFFFF 00000000 will allow you to use raw codes after using V7-
encrypted codes, see "Use of unofficial codes along with official codes."

However, CB2crypt does _not_ support this kind of code, as it would only
complicate matters. Looking at the original ASM coding, it appears to be not
even implemented properly in CB.

You might still use the code FFFFFFFF 00000000. With a code value of 0, it seems
to work right, exceptionally.

---===========================---
Simple code encrypting example
---==============================---

First, without any seed code:
(CB V1 encryption)

2033BA10 FFFFFFFF -> 2ABB1147 FFFFFFFF
2033BA14 FFFFFFFF -> 2AA71147 FFFFFFFF

After putting Beefcode in front of the codes:
(CB V7 encryption)

BEEFC0DE 00000000 -> B4336FA9 4DFEFB79
2033BA10 FFFFFFFF -> AE17E302 4AE8B74D
2033BA14 FFFFFFFF -> E8466F61 F9A3B3A8

It's not hard to notice the vast difference.
Decryption works the other way round.

IMPORTANT:

With V7, always remember to put the seed code at the top of the codes you want
decrypted/encrypted! Alternatively, enable the check box "Use common V7
encryption."

---==============================================---
Use of unofficial codes along with official codes
---=================================================---

To add user/competitor created codes to existing official V7 codes, you must do
the following:

Let's say you want to add a code to the game "Tiger Woods PGA Tour 2006," e.g.

Always Full Gamebreaker P1 (GS2V3-encrypted)
2857957C FCE87A65

The first thing to do is to convert the code into raw format, i.e., decrypt it.
(Skip this step if the code isn't encrypted.) Using MAXConvert by Pyriel, this
code decrypts to

Always Full Gamebreaker P1 (raw)
204D98B0 3F800000

Then, determine the seed code by decrypting the official CB "Enable Code."
(It's most likely the first code line.)

"Tiger Woods PGA Tour 2006"
Enable Code
B4336FA9 4DFEFB79
410C34B6 663C5B57
1C4D0A53 7FE27DE4
C81AC878 32FCD351

Decrypted:
BEEFC0DE 00000000 ; This is the seed code, see chapter "Beefcode."
000FFFFE 0000015A
000FFFFF 0000015A
903DD9F8 00832021

Now that you know the seed code, perform one of the following two steps:

[1] Encrypt code with given seed code

BEEFC0DE 00000000
204D98B0 3F800000

Encrypted:
B4336FA9 4DFEFB79
13896CD2 EF2FA92B

Add to code list:
Always Full Gamebreaker P1
13896CD2 EF2FA92B

[2] Change encryption options

Alternatively, you can change the encryption options to use raw codes after
using V7-encrypted codes.

BEEFC0DE 00000000
FFFFFFFF 00000000 ; V7 encryption off

Encrypted:
B4336FA9 4DFEFB79
0CF49BDF A4E29C32

Append these codes to the very end of the V7 code list:
V7 encryption off
0CF49BDF A4E29C32
Always Full Gamebreaker P1
204D98B0 3F800000

I think the rest of the program is pretty much self-explanatory.
Let's get hacking!

-misfire

---=======---
Disclaimer
---==========---

THIS PROGRAM IS NOT LICENSED, ENDORSED, NOR SPONSORED BY SONY COMPUTER
ENTERTAINMENT, INC. NOR PELICAN ACCESSORIES, INC.
ALL TRADEMARKS ARE PROPERTY OF THEIR RESPECTIVE OWNERS.

CB2crypt comes with ABSOLUTELY NO WARRANTY. It is covered by the GNU General
Public License. Please see file COPYING for further information.

---===========---
Special thanks
---==============---

I want to thank Parasyte for the MAXcrypt/GCNcrypt sources.
Alexander Valyalkin for his great BIG_INT library.
Steve Balogh for his Icon Library.
DataRescue for IDA, the best disassembler around!
hanimar for ps2dis.
ps2dev.org for PS2SDK and the other open source projects.
Deutsche Bank AG for CrypTool.
O. Forster for the arithmetic interpreter ARIBAS.
Prof. Dr. J. Seelaender for his lecture/thoughts on number theory.
Bruce Schneier for his best seller book "Applied Cryptography."
Charles Petzold for his excellent book "Programming Windows."
Thanks to CMX for challenging me.

Greets to Nachbrenner and all the _real_ code hackers out there!

And of course, many thanks to the people that donated so far. You rock!

---====---
Contact
---=======---

misfire [AT] xploderfreax [DOT] de

---=====---
Donation
---========---

If you enjoy this software, please consider a PayPal donation to the e-mail
address above. Thank you.

More information can be found in the file "donate.txt".

---===---
Job
---======---

If you or your company are looking for a PS2 code hacker/low-level programmer,
I am available for immediate contract work or other offers. My e-mail is the
best way to contact me.

---======================---
HACKING NEEDS TO BE FREE!
---=========================---

If anybody has ideas about other features I could implement, don't hesitate to post them.

How about the .cbc hack to talked about

Actually, I'm working on a program called CBCreator with the following features:
- Import CBC (decrypt file and display cheats)
- Compile CBC (translates text with codes into a CBC file)
- Decrypt/encrypt CodeBreaker PS2 upgrade files (*.bin)

I haven't implemented the Compile feature yet. I know how to patch the CodeBreaker ELF to allow the use of unsigned CBC files, but I'll search for a way to do the same thing with cheat codes.

That could be quite useful...but probably not for large groups of people, considering the need for swapping/modchip.

Simply apply this generic patch:

Disable RSA signature check, by misfire
4003BFDF0100422C ; Original hex string
4003BFDF01000224 ; Patched hex string

Note: Allows you to use counterfeit CBC (*.cbc) and upgrade files (*.bin) with your CodeBreaker PS2 V7+.
The CodeBreaker runtime core must be decompressed in order to apply this patch!

Have fun!

An uncrunch and a simple hex edit? I could possibly mod and host that, though the legal implications are a bit...hazy.

Basically, yes. But uncrunching and recreating the ELF isn't a trivial process. I've done it once with the CodeBreaker V8.0. Fortunately, all CodeBreaker versions use the same RSA library...

Hmm...what problems would one run into when recreating? It wouldn't just be a simple two-way use of SJCrunch/Uncrunch or such? Or...does CB use checksums to make sure it hasn't been modified?

The original ELFs are well-protected. I don't know the details of V9, but the protection system is designed to detect the presence of modchips and prevent the application from working on a modified system.

After cracking the protection, some ISOs appeared on the Web without any "restrictions" but most likely compressed. If you can't determine the compression algorithm, try to uncrunch the ELF with the step function of ps2dis or use Pcsx2 and take a RAM dump. There's somewhere a tool called elfmaker which converts a binary file into an ELF.

That's basically what I've done.

I see. I shall have to go find a copy of "elfmaker"...if nothing else, just to have around for other uses.

I've uploaded the program for you:
ELF MAKER by Jaytee

Another small update: CB2crypt v1.21