netkas.org

Here is a little, noob-unfriendly howto about recreating ps3 apps after you have decrypted it

as example, I will talk about vsh.self, which everyone on jb ps3 can find in /dev_flash/

1) decrypt it with graf_chokolo’s payload, you will get two files after all, lets call them vsh.0 and vsh.1

2) compress these files with zlib, I use zpipe for it

cat vsh.0 | ./zpipe > vsh.0z
cat vsh.1 | ./zpipe > vsh.1z

size of files:

6951464 2010-12-05 02:06 vsh.0
2930941 2010-12-05 04:04 vsh.0z
338832 2010-12-05 02:06 vsh.1
133356 2010-12-05 04:04 vsh.1z

3) going into vsh.self
look at 64-bit big endian value at 0x290 – 0x0000000000000900 (2304 decimal), its start of first segment (vsh0) in vsh.self, next 64bit BE value at 0x298 is size of this section – 0x00000000002cb8fd (2930941 decimal) , perfectly matched to size of out vsh.0z 😉
same for vsh1, start at 0x2b0 – 0x00000000002dafe0 (2994144 decimal), size at 0x2b8 – 0x00000000000208ec == 133356 (size of vsh.1z)

4) now we need to copy decrypted and inflated sections to the vsh.self

dd if=./vsh.0z of=./vsh.self bs=1 seek=2304 conv=notrunc

dd if=./vsh.1z of=./vsh.self bs=1 seek=2994144 conv=notrunc

5) need to edit some headers –

0x08 big endian 0004 to 8000

0x2af, 0x2cf, 0x2ef, 0x30f, 0x32f – change 0x01 to 0x02.

6) now u have this pseudo-debug self, and can use usual three steps to make it run on jb ps3, where EBOOT.BIN is our final self after 5th step

Selftool.exe -o EBOOT2.BIN -c0 EBOOT.BIN
unfself.exe EBOOT2.BIN EBOOT3.BIN
make_fself.exe EBOOT3.BIN EBOOT4.BIN

EBOOT3.BIN is a nice to analyze elf, EBOOT4.BIN is a ready to run SELF.

Comments(6)