当前位置: > PSV > PSV破解 > 正文内容

PSV 3.60 HENkaku自制系统下解密游戏文件的方法

发表时间:2016-08-03 11:36 来源:多玩 作者:飞过海的风格 我要评论

转至Major_Tom Ill be refering to mr.gas old trick for bypassing pfs protection on old fw. Old instructions : 首先放一个mr.gas在老版本下绕过pfs的方法。 most of the work are going to be in app.db 1- ad


转至Major_Tom

I'll be refering to mr.gas' old trick for bypassing pfs protection on old fw. Old instructions :
首先放一个mr.gas在老版本下绕过pfs的方法。

"most of the work are going to be in app.db
1- add a value in table tbl_uri like the following
NPXS10000;1;ux0;
2- modify NPXS10000 eboot.bin path in tbl_appinfo to vs0:app/NPXS10027/eboot.bin
3- overwrite the modified app.db using email app and reboot
4- now use the browser to call the new uri with your target game . example :
ux0:app/PCSA00017
apparently near app will open the game manual.
5- minimize near then dump the game using the psp pboot trick and QCMA (while the near app still open)
6- end of th story .. and have fun

此方法主要需要操作app.db
1.在app.db的tbl_uri一栏里新建一个空行并添加如下数据:
NPXS10000;1;ux0;
2.在app.db的tbl_appinfo一栏中修改NPXS10000的eboot.bin的路径,修改为vs0:app/NPXS10027/eboot.bin
3.使用邮件漏洞将修改过的app.db覆盖回去
4.使用浏览器,在地址栏填上地址,地址中包含你想dump游戏的title id,例如ux0:app/PCSA00017,
然后near就会启动,并打开该游戏的说明书文件
5.最小化near程序(不要关掉),然后使用pboot把戏(气泡漏洞)和QCMA把游戏文件传输出来
6教程结束。

.
tested in fw 3.18 and above
测试3.18和以前版本有效(飞过海的风格:352也是有效的)
"

Make these modifications in app.db before following this guide.
If you want to decrypt cartridges as well, you can also add "NPXS10000;1;gro0;" at step 1.
如果你想要获取游戏卡带的解密文件,第一步里填写的是 "NPXS10000;1;gro0;"

* PSVita Digital Game/Cartridge Game/DLC/Savedata decryption on 3.60*
PSV数字游戏/卡带的游戏/DLC/存档在3.60解密方法

It has been reported many times that mr.gas' trick to dump unencrypted files from ux0:app was patched in 3.60, but it's not actually exact.
What has been patched is the PBOOT.PBP dumper trick. MolecularShell can't access other applications files, that is why applying mr.gas' trick doesn't seem to work on 3.60.
很多消息说mr.gas的解密方法在3.60被修复,这不完全正确。仅仅只是pboot.pbp的 dumper trick被封堵,而MolecularShell 无法进入其他的应用文件目录中。所以导致无法使用。


So, how to do it again ? Well, we'll be taking advantage of how the vita handles game updates.
Game updates are installed in ux0:patch/[TITLEID]. They have the very same structure as ux0:app/[TITLEID].
那么,如何再次使用此方法。我们可以利用psv的游戏升级文件。
游戏升级文件被安装在 ux0:patch/[TITLEID]下( [TITLEID]为游戏的title id)。这个跟 ux0:app/[TITLEID].有着相同的结构

Thanks to HENkaku, we can run unsigned eboot.bin. We will basically be hijacking the main game binary with our dumper.
Install MolecularShell in ux0:patch/[TITLEID] (exact same files as if they were in ux0:app/MLCL00001), where [TITLEID] is the game you want to decrypt (same for cartridges game).

感谢HENkaku,我们可以运行未签名的eboot.bin。我们可以劫持主要的游戏二进制文件来运行我们的dump程序
安装MolecularShell(原始版本)在ux0:patch/[TITLEID]下。(MolecularShell 的文件在ux0:app/MLCL00001可以找到,[TITLEID]为你想dump的游戏id)

Now, using mr.gas' old trick, open the URI "ux0:app/[TITLEID]" (or gro0:app/[TITLEID] for cartridges) in the webbrowser, minimize the newly opened near app.
Run the game you want to decrypt, MolecularShell will boot instead.

现在,仍然使用mr.gas的方法,浏览器打开"ux0:app/[TITLEID]"(或者gro0:app/[TITLEID] 这是卡带的地址)。然后最小化near。
然后运行你想要解密的游戏,MolecularShell 会被启动。

You can now access ux0:app/[TITLEID], your decrypted game files will be present (or gro0:app/[TITLEID] if you want to decrypt a cartridge).
此时你可以进入ux0:app/[TITLEID],你的游戏文件将会被解密。卡带的地址 gro0:app/[TITLEID] 

You can also access the following locations, where you can find unencrypted files :
- app0: (basically the same as ux0:app/[TITLEID], but with mixed files from ux0:patch as well)
- addcont0: (DLC Content)
- savedata0: (That's where the fun is, unencrypted savegame, you can edit it directly, it should encrypt it back automatically)

你可能需要其他的文件,提供地址:
- app0: 跟ux0:app/[TITLEID]差不多,但是这里很容易混淆文件
- addcont0: dlc的目录
- savedata0: 这里恐怕是最有趣的,你可以直接编辑存档文件,它应该会被自动加密回去

* HOW CAN I MOD MY GAME ???! I WANT 18+ PATCHES *
如何修改我的游戏文件??我想要和谐补丁

Hehehe, very easy. If you paid attention, you may have noticed we already managed to mod our game, indeed, we replaced its main binary with MolecularShell.
So, following the same process, you can basically put your modded files in ux0:patch/[TITLEID], FOLLOWING THE SAME STRUCTURE as the original one from ux0:app/[TITLEID].
Put the modded files, unencrypted, in ux0;patch/[TITLEID]. If the directory already exists, delete it (or back it up, as you wish). 
Make sure you're not using mr.gas trick here, or the directory won't be writable. Also use the original MolecularShell, you must not be running the game at this point.
Don't put any sce_pfs directory in ux0:patch/[TITLEID]. You can use sce_sys from MolecularShell.

呵呵,这非常简单,如果你留心点,会发现我们在之前的步骤中,已经替换游戏的主要二进制文件了,没错,我们将eboot替换成了MolecularShell。
所以,用相同的手段,你可以将你的修改文件放在ux0:patch/[TITLEID],当然,要跟ux0:app/[TITLEID]里面的结构一样
放入修改文件,未加密的,在ux0;patch/[TITLEID]下,如果这个目录已经存在,删除它(或者备份一下,随你的心意)
请只使用原始的MolecularShell,如果那个目录仍然不可写。请确保你至少运行过此游戏一次

* Wait, if we hijack the patch directory from our game, doesn't it mean the updates won't be installed anymore ? *
等等,如果我们利用升级目录劫持我们游戏,是否意味着我们更新游戏也不需要安装任何东西?

Indeed. To install your updates back, you need to dump an unencrypted version of ux0:patch/[TITLEID], and basically put the unencrypted files as well in your mod.
Decrypting the ux0:patch/[TITLEID] is really a PAIN IN THE ASS, so I won't explain how to do it here. I managed to do it, if no one figures it out, I'll eventually explain it later.

是的,如果想这样做,你需要首先从ux0:patch/[TITLEID]dump出未加密的文件,然后将文件放到你的mod中。
加密 ux0:patch/[TITLEID]是一个让人蛋疼的玩意,所以我暂时不会解释这里怎么做到的,我正在研究,如果有结果了,我在以后解释的。

相关推荐

热门推荐

推荐

最新推荐

更多美图欣赏

    《光明勇士》超萌公测
    《光明勇士》超萌公测

    《光明勇士》是盛大游戏研发首款3D萌系超自由冒险手游,Q萌的画风一秒融化你的心!装备组装的沙盒玩法,打造独一无二的专属武器;抓鱼、烤肉、跳一跳,趣味玩法乐翻天,快来Pick你的伙伴,一起冒险吧!...

    2018全球数娱未来高峰论坛
    2018全球数娱未来高峰论坛

    聚焦游戏产业创新发展,链接游戏行业无限可能,以“创新·游戏·科技”为主题的2018全球数娱未来高峰论坛于11月13日——11月15日在中国澳门威尼斯人酒店隆重举行。...

    《新密传》游戏截图
    《新密传》游戏截图

    《新密传》游戏截图...

    《江山英雄》游戏壁纸
    《江山英雄》游戏壁纸

    《江山英雄》游戏壁纸...

    《江山英雄》游戏原画
    《江山英雄》游戏原画

    《江山英雄》游戏原画...

关于我们手机客户端隐私版权广告服务友情链接联系我们网站地图文章归档在线留言
Copyright © 2009-2013 WwW.Slieny.CoM, All Rights Reserved.