Revision as of 11:31, 4 July 2015
Library
Known NIDs
Version |
Name |
World |
Privilege |
NID
|
1.69 |
SceNpDrm |
Non-secure |
Kernel |
0xACCB4845
|
Modules
Known NIDs
SceNpDrm
_sceNpDrmCheckDrmReset
Version |
NID
|
1.69 |
0x4458812B
|
_sceNpDrmRemoveActData
Version |
NID
|
1.69 |
0x507D06A6
|
_sceNpDrmGetRifName
Version |
NID
|
1.69 |
0xB8C5DA7C
|
_sceNpDrmGetRifNameForInstall
Version |
NID
|
1.69 |
0xD312424D
|
_sceNpDrmGetRifInfo
Version |
NID
|
1.69 |
0xE8343660
|
_sceNpDrmGetFixedRifName
Version |
NID
|
1.69 |
0xE935B0FC
|
_sceNpDrmCheckActData
Version |
NID
|
1.69 |
0xFEEBCD62
|
SceNpDrmForDriver
SceNpDrmPackage
_sceNpDrmPackageTransform
Version |
NID
|
1.69 |
0x567DCA1
|
_sceNpDrmPackageInstallFinished
Version |
NID
|
1.69 |
0x6896EAF2
|
_sceNpDrmPackageCheck
Version |
NID
|
1.69 |
0xA1D885FA
|
sceNpDrmPackageIsGameExist
Version |
NID
|
1.69 |
0xB9337914
|
_sceNpDrmPackageInstallStarted
Version |
NID
|
1.69 |
0xCEC18DA4
|
_sceNpDrmPackageDecrypt
Version |
NID
|
1.69 |
0xD6F05ACC
|
sceNpDrmPackageInstallOngoing
Version |
NID
|
1.69 |
0xED0471FE
|
Package integrity checks
Disable hash/signature verification
To find the function responsible for package verification search for immediate 0x7F504B47 ('.PKG'). Inside it does a lot of stuff including determining the function that will do signature checks. Find the condition that looks like if ( (v62 & 7) == 3 )
; below you will see the assignment check_func = &off_81009CFC;
. To bypass signature checks you need to patch two functions located at this offset and offset+4, making them behave as "return 1" is enough. For reference, on 1.60 the functions are sub_81000310 and sub_81000AA4. sub_81000310 is the only function in this module that calls SceSblGcAuthMgrPkgForDriver_E459A9A8_imp.
Note that on 1.60 this module sometimes is loaded at different addresses between reboots.
Allow debug packages to be installed
Find the function that calls SceSblAIMgrForDriver_D78B04A2; patch it to always return 1. On 1.60 it's at 0x81002d64.
Search for immediate 0x80870003, there should be two matches. Replace both with "MOV Reg, #0". On 1.60 the locations are 0x810035fe and 0x81004856.