CB2crypt v1.2 - New Version (PS 2)
#16
Very cool; I grabbed both. Thanks. I shall have to do some dabbling, in this and a few other things, later tonight.
Last edited by Lazy Bastard; 10-05-2006, 04:10:37 PM.
I may be lazy, but I can...zzzZZZzzzZZZzzzZZZ...

#17
It took me some minutes to add the RSA fix to an already cracked CodeBreaker PS2 V9.2 ELF. All I used was:
- ps2dis to decompress the ELF
- WinHex and elfmaker to patch and recreate the ELF
- ps2-packer to compress the ELF again

Now it's even smaller than the original file.

#18
Nice; I figured that might be all that was required.
I may be lazy, but I can...zzzZZZzzzZZZzzzZZZ...

#19
I should note, I know which ELF you're talking about (and have a copy myself). Any idea who did that work originally? Also, it wasn't crunched originally?

[Edit]: PS2TG apparently cracked it originally.
I may be lazy, but I can...zzzZZZzzzZZZzzzZZZ...

#20
Never mind, it doesn't seem to be crunched.
I may be lazy, but I can...zzzZZZzzzZZZzzzZZZ...

#21
Originally posted by misfire:
> The original ELFs are well-protected. I don't know the details of V9, but the protection system is designed to detect the presence of modchips and prevent the application from working on a modified system.
>
> After cracking the protection, some ISOs appeared on the Web without any "restrictions" but most likely compressed. If you can't determine the compression algorithm, try to uncrunch the ELF with the step function of ps2dis or use Pcsx2 and take a RAM dump. There's somewhere a tool called elfmaker which converts a binary file into an ELF.
>
> That's basically what I've done.

You can run the CodeBreaker with a modchip on; your system has to be able to read the disc. I'm using a Magic 3.1 and my CodeBreaker v9.3 loads fine (as well as all versions excluding v7.0 & 7.1).
Current Ongoing Projects :.
Hacking Turbo Grafx 16 & CD Games and MSX

#22
Hmm... I'm curious about a couple of things in ElfMaker. When producing an ELF from a binary, it asks for three things:

Program Entry Point
Virtual Address of Segment
ELF Filesize

I'm assuming the program entry point would be the same address that PS2Dis starts at when it opens the ELF from which you generated the binary.

I can't think of what the virtual address of the segment would be...

And I'm guessing you just slightly overshoot on filesize, just to be sure, taking into account the size of the original ELF and whatever modifications you decided to make.

When creating the binary I'm toying with, I marked the program entry point (as I'm assuming it is) by hitting spacebar in PS2Dis, then jumped to the address that seemed to be the end of the application, and saved as a binary. These first and second addresses were 00400770 and 00430200.

Any info would be appreciated.
I may be lazy, but I can...zzzZZZzzzZZZzzzZZZ...

#23
Ah, I figured it out, it would seem.

I was correct about program entry point.

Virtual address of segment seems to be the first address you marked in PS2Dis, to set the starting point of the bin dump.

ELF filesize was fine with my overestimation.

Let me know if there's anything specific I should keep in mind.
I may be lazy, but I can...zzzZZZzzzZZZzzzZZZ...
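The three ElfMaker prompts discussed in the two posts above map directly onto ELF header fields. The following Python is an added example (not ElfMaker's code and not posted by anyone in this thread) that wraps a raw dump in a minimal little-endian ELF32 with one PT_LOAD segment and reads the fields back; the dump, entry point and segment address it uses are constructed values, and leaving e_flags at zero is an assumption.

```python
# Added example, not ElfMaker's own code: wrap a raw dump in a minimal ELF32 and
# read the loader-relevant fields back. The three ElfMaker prompts map to:
#   Program Entry Point        -> e_entry
#   Virtual Address of Segment -> p_vaddr / p_paddr of the single PT_LOAD segment
#   ELF Filesize               -> p_filesz / p_memsz, taken from the dump length here
import struct

EM_MIPS = 8        # e_machine for MIPS (the PS2 EE core); little-endian, ELFCLASS32
PT_LOAD = 1
PF_RWX = 7         # segment flags: read + write + execute
EHDR_SIZE = 52
PHDR_SIZE = 32


def build_elf(dump: bytes, entry: int, vaddr: int) -> bytes:
    """Return an ELF32 image that loads `dump` at `vaddr` and starts at `entry`."""
    if not vaddr <= entry < vaddr + len(dump):
        raise ValueError("entry point must lie inside the loaded segment")
    data_off = EHDR_SIZE + PHDR_SIZE           # dump follows the two headers
    # e_ident: magic, ELFCLASS32, ELFDATA2LSB, EV_CURRENT, then padding
    e_ident = b"\x7fELF" + bytes([1, 1, 1]) + b"\x00" * 9
    ehdr = e_ident + struct.pack(
        "<HHIIIIIHHHHHH",
        2,                        # e_type = ET_EXEC
        EM_MIPS,                  # e_machine
        1,                        # e_version
        entry,                    # e_entry
        EHDR_SIZE,                # e_phoff: program header directly after this header
        0,                        # e_shoff: no section headers
        0,                        # e_flags (assumption: zero; real toolchains set MIPS ABI bits)
        EHDR_SIZE, PHDR_SIZE, 1,  # e_ehsize, e_phentsize, e_phnum
        0, 0, 0)                  # e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack("<IIIIIIII", PT_LOAD, data_off, vaddr, vaddr,
                       len(dump), len(dump), PF_RWX, 0x10)
    return ehdr + phdr + dump


def read_load_header(elf: bytes):
    """Parse (entry, vaddr, filesz) back out of an image built above, checking the magic."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    entry, phoff = struct.unpack_from("<II", elf, 24)      # e_entry, e_phoff
    p_type, _, p_vaddr, _, p_filesz = struct.unpack_from("<IIIII", elf, phoff)
    if p_type != PT_LOAD:
        raise ValueError("first program header is not PT_LOAD")
    return entry, p_vaddr, p_filesz


if __name__ == "__main__":
    # Constructed dump: 64 bytes of zeros standing in for a real memory image.
    img = build_elf(bytes(64), entry=0x01000010, vaddr=0x01000000)
    print(read_load_header(img))   # (16777232, 16777216, 64)
```

Because the segment size is derived from the dump itself, the "overshoot the filesize" guess from the earlier post is not needed; any overestimate would only pad the file.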

#24
I'm interested in patching the CB 9.2 hacked ELF. I have the same version you guys are talking about. I've got it open in ps2dis, but I'm unclear on the exact steps I need to do to decompress it and save it as a binary. Any detailed info would be greatly appreciated.
Missing LiquidManZero since 1685.

#25
You have to use the single-step feature of ps2dis (press CTRL+SHIFT+R). Search for the first JAL after EI; this is the main() function. Keep on pressing "Run" until all of the data is decompressed (you have to step over one branch to exit an infinite loop). Finally, you can dump the uncovered code.

#26
Once the ELF's been opened in PS2Dis, write down (or type somewhere) the address PS2Dis started at (the program entry point). This may come in handy later (though you can find it with a few other apps). In my uncrunched copy of the cracked CB 9.2, the program entry point is 01240008. Let me know if yours is different, as you may have a modified or crunched copy. Highlight this address by pressing the spacebar once. Next, invoke the Analyzer (this may not be necessary, but it can't hurt as I'm not sure, heh), and either PageUp, CTRL+PageUp, or jump from address to address until you find the beginning of the ELF. You'll know when PS2Dis drops its sky-blue color to white, and you see "nop" (no operation) repeatedly. In my uncrunched copy of the cracked CB 9.2, this point lies at 01000000. Highlight that address by pressing the spacebar once. Now do the opposite, until you find the end of the ELF. In mine, it's 01331D94. Highlight this address, but don't press spacebar. Now select File -> Save As Binary, and save it.
I may be lazy, but I can...zzzZZZzzzZZZzzzZZZ...

#27
Wait... perhaps I'm unclear about what exactly you're trying to achieve. Are you trying to save the entire ELF as a binary?
I may be lazy, but I can...zzzZZZzzzZZZzzzZZZ...

#28
Wow, I never even knew that function was there. lol Learn something new every day. Thanks for the info.

Well, perhaps I used the wrong terminology. Forgive me, I've been up all night and ate about 10 hydros. I'm just trying to decompress the ELF.

I have the same entry point, LB.
Last edited by bfoos; 10-26-2006, 10:00:45 AM.
Missing LiquidManZero since 1685.

#29
Geh, I didn't realize this ELF was so obfuscated.

misfire: Are you referring to the jal at 012400D8 in this instance?

So would the process be Run, Step Over, Run, Step Over, and so forth? What would indicate all the data is uncovered?
I may be lazy, but I can...zzzZZZzzzZZZzzzZZZ...

#30
I believe that is the address.

Well, I just keep running into infinite loops. I really don't know what I'm doing with this step feature. It would be a zillion times less aggravating if I could just get my hands on an already RSA-sig-patched copy of the ELF. lol

Time for sleep. Thanks for the help guys.
Last edited by bfoos; 10-26-2006, 10:34:31 AM.
Missing LiquidManZero since 1685.
