EBOOT.BIN是PlayStation(portable)平臺上可執行程序,其實就是Linux下ELF(Executable and Linkable Format)的修改版,其中一項修改就是加入了加密機制,我們將此類格式稱為SELF。在執行該程序時,加載器根據該文件內的標志位以加密和非加密方式加載程序,對于加了密的需要根據key將加密段解密。因為新的游戲總是需要配合新的OS版本執行,這自然是SONY一項防盜措施,但自從大牛們制出了小狗和MOD系統后,為了讓新出游戲運行在老系統上,就有修改EBOOT.BIN的需求了。
一、對光盤版的修改
下面是從psx-scene上摘錄的修改流程:
1. Open EBOOT.BIN in a hex editor of your preference.
2. In EBOOT.BIN, look at the SELF control info, if you see anything resembling the game titleid, it's an NPDRM SELF and this guide won't work, give up.
3. Use readself on EBOOT.BIN to get information about the encrypted metadata sections.
4. Unself EBOOT.BIN eboot.elf
5. Open eboot.elf in a hex editor of your preference.
6. In eboot.elf, go to every encrypted metadata section (now decrypted), copy its data, and replace the encrypted data in EBOOT.BIN.
7. In EBOOT.BIN, change SELF header to indicate it's FSELF.
8. In EBOOT.BIN, change SELF section headers that are marked as encrypted to say they are not encrypted.
9. If the game is a newer SDK version (like GT5, which is 3.50), in EBOOT.BIN, find the .sys_proc_param segment and change the SDK version to something earlier, such as 3.41. This will probably cause crashes in games that actually use newer SDK features that are not available in earlier SDK versions.
10. Save EBOOT.BIN
11. Cross fingers, run game, hope it works.
其中第7、8、9步描述得很含糊,經過閱讀readself源代碼及對比實驗,發現第7步的意思實際上是將sdk_type設置為Devkit類型。
通過readeself的輸出,對理解8步很有幫助。在第6步將encrypted section復制到eboot.bin中后,需要將該段的加密標志置為NO。
.sys_proc_param其實對應著readself在Section headers中輸出的編號為14的那一段,其offset是減掉了header length的,version的位置應該在0x0d處。
我修改了readself源碼,使之能夠自動完成繁瑣的后面幾步(實際要手動做的就只有第4步),用Marvel vs. Capcom 3作為測試,順利運行。
二、對PSN版的修改(NPDRM SELF)
待續
說明:為了避免不必要的麻煩,在此不提供任何針對EBOOT.BIN修改的可執行程序及解密KEY。