Okay, so you want to RE a vita game. Strap in, because the tooling's shit.
The starting point is a NoNpDrm dump of the game: a zip file that preserves the useful directory structure but has all of its file contents encrypted.
To decrypt it you need the game's license. It comes in two equivalent forms: a work.bin
file (the official format, a RIF) and a zRIF string (a scene format: the same RIF, zlib-compressed and base64-encoded into one printable line).
For NoNpDrm-formatted dumps the license is stored in sce_sys/package/work.bin. The decryption tool wants it as a zRIF, so I use rif2zrif.py
from pkg2zip to convert it. Here's a copy just in case.
Unzip the encrypted zip, flattening the top-level app directory if it exists.
Then you need psvpfstools to decrypt the PFS layer. Building it is a big pain in the ass because it's a C library with non-trivial dependencies.
I made an AUR package that builds Vita3K's fork of it. Vita3K doesn't really support our use-case, as they use it as a library. Recently they even removed cmake functionality for building the CLI entirely, so the AUR package uses a pinned version.
Then I use the following bash snippet to decrypt the PFS encryption on the game:
psvpfsparser -i "$1/" -o "${1}_decrypted/" --zRIF "$(python3 ~/git_cloned/pkg2zip/rif2zrif.py "$1/sce_sys/package/work.bin" | awk '{print $2}')"
(where $1 is the path to the extracted NoNpDrm dump; the decrypted tree goes to a sibling directory with _decrypted appended).
Converting eboot.bin into an ELF file
eboot.bin is the game executable. It is a SELF: an ELF wrapped in an SCE header with its segments encrypted, so a disassembler cannot load it as-is.
You need to convert it into an ELF. One tool that can do this is self2elf.py
from sceutils (this is a fork of a fork). There's also vita-unmake-fself, but it never worked for me (and another person from CBPS Discord / backup).
sceutils is written in Python 2 and needs the pycrypto and enum34 pip packages installed.
For some games I needed this patch for sceutils to work:
diff --git a/scetypes.py b/scetypes.py
index 6fac4b3..78fe4fd 100644
--- a/scetypes.py
+++ b/scetypes.py
@@ -33,6 +33,7 @@ class KeyType(Enum):
class SelfPlatform(Enum):
PS3 = 0
VITA = 0x40
+ VITA2 = 0xC0
class SkpgType(Enum):
TYPE_0 = 0x0
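Review bot: the new `VITA2 = 0xC0` member of SelfPlatform carries no comment saying what the 0xC0 platform byte denotes or which eboots it was observed in, and nothing in this hunk shows the code that compares against `SelfPlatform.VITA` being taught to accept the new member; add a one-line comment with the provenance of the value and check every `== SelfPlatform.VITA` branch, otherwise the enum lookup stops failing but Vita-specific handling downstream may still be skipped for these files.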
@@ -65,6 +66,7 @@ class SkpgType(Enum):
PSPEMU_LIST = 0x1B
class ControlType(Enum):
+ ZERO = 0
CONTROL_FLAGS = 1
DIGEST_SHA1 = 2
NPDRM_PS3 = 3
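Review bot: `ZERO = 0` names the numeric value rather than the meaning of the control-info type, and the hunk gives no indication whether a type-0 entry carries a payload the parser must skip or is padding; rename it to something descriptive (or comment that the meaning is unknown and where it was seen) and confirm the control-info loop handles the size of a type-0 entry correctly rather than merely no longer raising on the enum lookup.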
The usage is as follows: python2 self2elf.py -i eboot.bin -o eboot.bin.elf -k work.bin
(where work.bin is the RIF file containing the license, taken from sce_sys/package/work.bin).
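The steps above (unzip and flatten the dump, derive a zRIF from work.bin, run psvpfsparser, then self2elf.py) wired into one script. This is an added example, not the page's own snippet nor code from pkg2zip, psvpfstools or sceutils; the tool invocations and flags are the ones the page gives. Assumptions not stated on the page: the tool checkouts live at the paths below (overridable via PKG2ZIP_DIR and SCEUTILS_DIR), and "flatten the top-level app directory" is generalised to peeling off any number of single-directory wrappers (app/, app/TITLEID/, ...) until sce_sys/package/work.bin sits at the top, refusing anything ambiguous.

```shell
#!/bin/sh
# Added example (not the page's or the tools' own code): NoNpDrm dump -> decrypted PFS -> eboot.bin.elf.
# Assumptions: checkout locations below are placeholders, override with environment variables.
set -eu

PKG2ZIP_DIR="${PKG2ZIP_DIR:-$HOME/git_cloned/pkg2zip}"     # provides rif2zrif.py (assumed path)
SCEUTILS_DIR="${SCEUTILS_DIR:-$HOME/git_cloned/sceutils}"  # provides self2elf.py (assumed path)

# Peel single-directory wrappers off an extracted dump until sce_sys/package/work.bin is at the top.
# Generalises the page's "flatten the top-level app directory": each layer that is exactly one
# directory gets flattened; a layer with several entries and no work.bin is reported as an error.
flatten_dump() {
    dir="$1"
    while [ ! -f "$dir/sce_sys/package/work.bin" ]; do
        if [ -d "$dir/sce_sys" ]; then
            echo "flatten_dump: $dir has sce_sys/ but no sce_sys/package/work.bin (not a NoNpDrm dump?)" >&2
            return 1
        fi
        set -- "$dir"/*                      # non-hidden entries of the current layer
        if [ "$#" -ne 1 ] || [ ! -d "$1" ]; then
            echo "flatten_dump: $dir is not a single-directory wrapper and has no work.bin; giving up" >&2
            return 1
        fi
        stage="$dir/.flatten.$$"             # rename first so a child named like the wrapper cannot collide
        mv "$1" "$stage"
        for entry in "$stage"/* "$stage"/.[!.]* "$stage"/..?*; do
            [ -e "$entry" ] || continue      # skip unmatched glob patterns
            mv "$entry" "$dir/"
        done
        rmdir "$stage"
    done
}

# rif2zrif.py prints the zRIF as the second whitespace-separated field (the page's awk '{print $2}').
zrif_from_rif() {
    python3 "$PKG2ZIP_DIR/rif2zrif.py" "$1" | awk '{print $2}'
}

# Decrypt the PFS layer of a flattened dump into the output directory.
decrypt_pfs() {
    dump="$1"
    out="$2"
    zrif=$(zrif_from_rif "$dump/sce_sys/package/work.bin")
    [ -n "$zrif" ] || { echo "decrypt_pfs: rif2zrif.py produced no zRIF" >&2; return 1; }
    psvpfsparser -i "$dump/" -o "$out/" --zRIF "$zrif"
}

# Convert the SELF eboot.bin in directory $1 into an ELF, using the RIF $2 for the license key.
unpack_eboot() {
    python2 "$SCEUTILS_DIR/self2elf.py" -i "$1/eboot.bin" -o "$1/eboot.bin.elf" -k "$2"
}

# Usage: ./vita_re.sh dump.zip [workdir]
main() {
    zip="$1"
    work="${2:-${zip%.zip}}"
    [ "$work" != "$zip" ] || work="${zip}_extracted"   # zip name without .zip suffix
    mkdir -p "$work"
    unzip -q "$zip" -d "$work"
    flatten_dump "$work"
    decrypt_pfs "$work" "${work}_decrypted"
    unpack_eboot "${work}_decrypted" "$work/sce_sys/package/work.bin"
    echo "ELF written to ${work}_decrypted/eboot.bin.elf"
}

# Run the pipeline only when a dump path is given, so the functions can also be sourced.
[ "$#" -eq 0 ] || main "$@"
```

flatten_dump is deliberately strict: if a layer has more than one entry and still no work.bin, the layout is not what the rest of the pipeline expects, and it is better to stop than to feed psvpfsparser a tree whose sce_sys is two levels down.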
Then, finally, you need to load it into Ghidra.
This extension seems to be the most up-to-date one currently.
The imported file is mostly readable, but SDK imports are all messed up, because PS Vita modules import functions by a 32-bit identifier called a NID rather than by name. There are NID databases that map a NID back to its symbolic name.
Here's a database a guy on Vita Hacking discord sent me.
You use it as outlined in the extension readme.