EBOOT.BIN是PlayStation(portable)平臺(tái)上可執(zhí)行程序,其實(shí)就是Linux下ELF(Executable and Linkable Format)的修改版,其中一項(xiàng)修改就是加入了加密機(jī)制,我們將此類格式稱為SELF。在執(zhí)行該程序時(shí),加載器根據(jù)該文件內(nèi)的標(biāo)志位以加密和非加密方式加載程序,對(duì)于加了密的需要根據(jù)key將加密段解密。因?yàn)樾碌挠螒蚩偸切枰浜闲碌腛S版本執(zhí)行,這自然是SONY一項(xiàng)防盜措施,但自從大牛們制出了小狗和MOD系統(tǒng)后,為了讓新出游戲運(yùn)行在老系統(tǒng)上,就有修改EBOOT.BIN的需求了。
一、對(duì)光盤版的修改
下面是從psx-scene上摘錄的修改流程:
1. Open EBOOT.BIN in a hex editor of your preference.
2. In EBOOT.BIN, look at the SELF control info, if you see anything resembling the game titleid, it's an NPDRM SELF and this guide won't work, give up.
3. Use readself on EBOOT.BIN to get information about the encrypted metadata sections.
4. Unself EBOOT.BIN eboot.elf
5. Open eboot.elf in a hex editor of your preference.
6. In eboot.elf, go to every encrypted metadata section (now decrypted), copy its data, and replace the encrypted data in EBOOT.BIN.
7. In EBOOT.BIN, change SELF header to indicate it's FSELF.
8. In EBOOT.BIN, change SELF section headers that are marked as encrypted to say they are not encrypted.
9. If the game is a newer SDK version (like GT5, which is 3.50), in EBOOT.BIN, find the .sys_proc_param segment and change the SDK version to something earlier, such as 3.41. This will probably cause crashes in games that actually use newer SDK features that are not available in earlier SDK versions.
10. Save EBOOT.BIN
11. Cross fingers, run game, hope it works.
其中第7、8、9步描述得很含糊,經(jīng)過閱讀readself源代碼及對(duì)比實(shí)驗(yàn),發(fā)現(xiàn)第7步的意思實(shí)際上是將sdk_type設(shè)置為Devkit類型。
通過readeself的輸出,對(duì)理解8步很有幫助。在第6步將encrypted section復(fù)制到eboot.bin中后,需要將該段的加密標(biāo)志置為NO。
.sys_proc_param其實(shí)對(duì)應(yīng)著readself在Section headers中輸出的編號(hào)為14的那一段,其offset是減掉了header length的,version的位置應(yīng)該在0x0d處。
我修改了readself源碼,使之能夠自動(dòng)完成繁瑣的后面幾步(實(shí)際要手動(dòng)做的就只有第4步),用Marvel vs. Capcom 3作為測試,順利運(yùn)行。
二、對(duì)PSN版的修改(NPDRM SELF)
待續(xù)
說明:為了避免不必要的麻煩,在此不提供任何針對(duì)EBOOT.BIN修改的可執(zhí)行程序及解密KEY。