
Work | Ps4pkgrom

The challenge gives you a single file named payload.pkg . The goal is to recover the hidden ROM image that is stored inside the package and to extract the flag that is embedded in the ROM.

DECIMAL       HEXADECIMAL     DESCRIPTION
0             0x0             Sony PS4 ROM image (custom)

FLAGPS4_4PKG_R0M_R34L_1S_H3R3


$ binwalk -e payload.bin

# The PKG format pads with PKCS#7, strip it
pad_len = plain[-1]
plain = plain[:-pad_len]

All of the above are freely available on any modern Linux distribution.

from Crypto.PublicKey import RSA  # PyCryptodome

# Load the private RSA key (the challenge gave us a PEM file)
with open('ps4_private.pem', 'rb') as f:
    rsa_key = RSA.import_key(f.read())

(Reverse‑engineering / “ROM” extraction challenge)

import sys

# ----------------------------------------------------------------------
# 5. Locate the ROM (simple heuristic: look for a long sequence of 0xFF
#    followed by an ASCII flag)
# ----------------------------------------------------------------------
# In practice the ROM starts right after a 0x00-filled 0x200-byte header.
# We'll just scan the whole binary for the flag prefix.
# FLAG_PREFIX and plain (the decrypted, unpadded payload) come from the
# earlier steps of the script.
# The closing delimiter was lost in extraction; '}' is assumed here, as
# in the usual flag format.
FLAG_SUFFIX = b'}'

offset = plain.find(FLAG_PREFIX)
if offset == -1:
    sys.exit('[-] Flag not found in decrypted payload')
else:
    # Grab the full flag (ASCII up to the next closing delimiter)
    end = plain.find(FLAG_SUFFIX, offset) + 1
    flag = plain[offset:end].decode()
    print(f"[+] Flag : {flag}")
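As an added example that is not part of the writeup: the unpad step above slices off pad_len bytes without checking them, and the flag scan above depends on a terminator that did not survive extraction, so this block shows a validated PKCS#7 unpad and a bounded, printable-ASCII flag search run over a constructed, already-decrypted payload. The FLAG{...} delimiters are an assumption (the challenge's real prefix is not on the page); the 0x200-byte zero header and the 0xFF fill follow the writeup's own comments.

```python
from typing import Optional

BLOCK_SIZE = 16      # AES-CBC block size, so a PKCS#7 pad length is 1..16
HEADER_LEN = 0x200   # the writeup says a 0x00-filled 0x200-byte header precedes the ROM


def pkcs7_unpad(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Strip PKCS#7 padding, rejecting malformed padding instead of slicing blindly."""
    if not data or len(data) % block_size:
        raise ValueError("length is not a multiple of the block size")
    pad_len = data[-1]
    if not 1 <= pad_len <= block_size:
        raise ValueError(f"invalid padding length {pad_len}")
    if data[-pad_len:] != bytes([pad_len]) * pad_len:
        raise ValueError("padding bytes are inconsistent")
    return data[:-pad_len]


def find_flag(plain: bytes, prefix: bytes = b"FLAG{", terminator: bytes = b"}",
              max_len: int = 128) -> Optional[str]:
    """Return prefix..terminator as text, or None if absent, unterminated or non-ASCII.
    FLAG{ and } are assumed delimiters; the writeup's real prefix is not on the page."""
    start = plain.find(prefix)
    if start == -1:
        return None
    end = plain.find(terminator, start + len(prefix), start + max_len)
    if end == -1:
        return None                      # no terminator within max_len: not a flag
    candidate = plain[start:end + len(terminator)]
    if not all(0x20 <= b < 0x7F for b in candidate):
        return None                      # binary noise that happened to match
    return candidate.decode("ascii")


def rom_starts_at_header(plain: bytes) -> bool:
    """The writeup's layout heuristic: a 0x200-byte run of 0x00 before the ROM."""
    return len(plain) > HEADER_LEN and plain[:HEADER_LEN] == bytes(HEADER_LEN)


def build_sample_payload(flag: bytes = b"FLAG{constructed_sample}") -> bytes:
    """Constructed stand-in for the decrypted package: zero header, 0xFF fill, flag."""
    body = bytes(HEADER_LEN) + b"\xff" * 64 + flag + b"\x00" * 7
    pad_len = BLOCK_SIZE - len(body) % BLOCK_SIZE
    return body + bytes([pad_len]) * pad_len


def extract_flag(padded: bytes) -> Optional[str]:
    """Unpad the decrypted payload, then look for the flag."""
    return find_flag(pkcs7_unpad(padded))
```

Calling extract_flag(build_sample_payload()) returns the constructed flag; feeding it a payload whose last byte is outside 1..16 raises ValueError instead of silently truncating the ROM.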


Now we have everything required for the AES‑CBC decryption:
