4dsdev
Views: 614,262 Main | Rules/FAQ | Memberlist | Active users | Last posts | Calendar | Stats | Online users | Search 11-25-17 06:29 AM
Guest:

0 users reading What is this file's format? | 1 bot

Main - Reverse-engineering - What is this file's format? New reply


Mikle0x
Posted on 12-06-15 04:02 PM (rev. 4 of 12-06-15 04:21 PM) Link | #811
[image]

Someone found this file (.plugin extension) , where there is supposedly interesting stuff. Most of the file's contents are encrypted, and I don't know how to decrypt it (the decryption process is probably related to the dev keys, which I have).

Bond697
Posted on 12-06-15 04:15 PM Link | #812
where did you find it?

StapleButter
Posted on 12-06-15 04:16 PM Link | #813
ahem

____________________
blargSNES -- SNES emu for 3DS
More cool stuff

einstein95
Posted on 12-06-15 04:21 PM Link | #814
Perhaps it'd be better to upload said file and not black out the first 0x10 bytes.

StapleButter
Posted on 12-06-15 04:23 PM Link | #815
this reeks of SDK crap

____________________
blargSNES -- SNES emu for 3DS
More cool stuff

Mikle0x
Posted on 12-06-15 04:26 PM Link | #816
Yeah sorry, someone who wants to stay anon., got this file I-don't-know-where, and had no clue about it either. Thus the "I".

Anyways there were another file that came with it, a .debugger file, containing some function-name-related symbols, such as "update_firmware()", "note_new()", "//DevMenuCTR"

einstein95
Posted on 12-06-15 04:28 PM Link | #817
Telling us about said file is not the same as uploading the file for others to tell you what it is.

Mikle0x
Posted on 12-06-15 04:42 PM Link | #818
http://s000.tinyupload.com/index.php?file_id=49063689152813464337

plutoo
Posted on 12-06-15 04:45 PM (rev. 2 of 12-06-15 04:48 PM) Link | #819
Looks like it contains some form of bytecode, maybe Lua or something. Edit: Or maybe it's just some encryption throwing me off.

Mikle0x
Posted on 12-06-15 04:53 PM Link | #820
Posted by plutoo
Looks like it contains some form of bytecode, maybe Lua or something. Edit: Or maybe it's just some encryption throwing me off.


I believe there is too few zeroes for it to be bytecode. Moreover, I think signature-like data is located just after "PROCESS" (compare UiT.plugin with UiT (1).plugin; the encrypted data is EXACTLY the same between the two files, but the signature is totally different due to a modification in the header)

Syphurith
Posted on 12-07-15 12:06 AM (rev. 2 of 12-07-15 12:17 AM) Link | #821
Posted by Mikle0x
I believe there is too few zeroes for it to be bytecode. Moreover, I think signature-like data is located just after "PROCESS" (compare UiT.plugin with UiT (1).plugin; the encrypted data is EXACTLY the same between the two files, but the signature is totally different due to a modification in the header)

1.The most content of the file should be encrypted. Just try load it into a IDA (you can find 6.6).
2.No those Dev Cert marks such as "CP00000004" or "XS0000000A" is involved. Oh this is only for those NCCHs.
3.There are dev keys leaked very long ago, including AES and RSA types. The amount of those is finite.
4.This file isn't found in NW4C:NW4F, or leaked 4.2.8 SDK.
Since i don't find any clue about where this file comes from, i don't know what it belongs.
You may just want to write a tiny program to try all those keys for you, but this may be not enough.
If you have a dev console, write a program to let it try all its keyslots.
Even i do want the SDK to generate new version of libraries' signatures, i won't ask it publicly.
Let me guess. If a file is designed to be used inside a system with many keys, it may at least tell the system which key should be used.
Otherwise it could not be decrypted well. I don't know if the 0x31=49 is a slot number.

Good luck. Hope you could eventually play with it.

54634564
Posted on 12-07-15 01:20 PM Link | #822
Posted by Mikle0x
Yeah sorry, someone who wants to stay anon., got this file I-don't-know-where, and had no clue about it either.


They have to know where they got the file from. I seriously doubt it just poofed into existence on their hard drive.


Main - Reverse-engineering - What is this file's format? New reply

Page rendered in 0.018 seconds. (2048KB of memory used)
MySQL - queries: 28, rows: 87/87, time: 0.012 seconds.
[powered by Acmlm] Acmlmboard 2.064 (2017-11-20)
© 2005-2008 Acmlm, Xkeeper, blackhole89 et al.