You are viewing our Forum Archives. To view or take place in current topics click here.
Text file into XEX? Please help
Posted:
Text file into XEX? Please helpPosted:
Status: Offline
Joined: Mar 27, 201311Year Member
Posts: 17
Reputation Power: 1
Hey TTG,
I have a code in a .txt file and I need to make it into an .xex file. Do I just change the extension or do I need to do something in XeXTool. If XeXTool is the answer, what command do I use.
Yes I do realize im going to get a bunch of crap about myself not knowing how to do this. I did not make my bypass files! I am selling then for a guy who goes by Venom x Modz. I have very little knowledge of this stuff. I have two codes that can get you online.
Here they are:
Here's the other one:
I know this is off topic but here they are.
I have a code in a .txt file and I need to make it into an .xex file. Do I just change the extension or do I need to do something in XeXTool. If XeXTool is the answer, what command do I use.
Yes I do realize im going to get a bunch of crap about myself not knowing how to do this. I did not make my bypass files! I am selling then for a guy who goes by Venom x Modz. I have very little knowledge of this stuff. I have two codes that can get you online.
Here they are:
// XBLVenomChallenge.cpp : Defines the entry point for the application.
//
#include "stdafx.h"
#include "XeCrypt.h"
#include "HttpClient.h"
#include "Kernel.h"
#include <xbox.h>
#include <xconfig.h>
DWORD (*launchStartSysModule)(char*);
typedef VOID (*XEKEYSHMACSHA)(DWORD KeyNum, const BYTE* pbInp1, DWORD cbInp1,
const BYTE* pbInp2, DWORD cbInp2,
const BYTE* pbInp3, DWORD cbInp3,
BYTE* pbOut, DWORD cbOut);
XEKEYSHMACSHA XeKeysHmacSha;
typedef VOID (*EXSETXCONFIGSETTING)(WORD SettingCategory, WORD settingIndex,
BYTE* cbOut, DWORD size);
EXSETXCONFIGSETTING ExSetXConfigSetting;
typedef DWORD (*XEKEYSEXEC)(VOID* data, DWORD size, UINT64 arg_r4, UINT64 arg_r5, UINT64 arg_r6, UINT64 arg_r7); // ord 0x25F
XEKEYSEXEC XeKeysExecute;
typedef void (*XNotifyQueueUI)(u64 stringId, u64 playerIndex, u64 r5, WCHAR* displayText, u64 r7);
typedef struct _keysexec
{
USHORT magic;
USHORT ver;
USHORT qfe;
USHORT flags;
DWORD entry;
DWORD size;
// at 0x10... just an array start for the data in the challenge up to [size],
// resp seems to wind up at 0x20, so &data[0x10]
char data[1];
} keysexec , *Pkeysexec;
BYTE KVHash[0x14];
BYTE CPUKey[0x10];
BYTE XeTicket[0x14];
BYTE HV[0x40000];
BOOL OfflineMode;
VOID PatchInJump(DWORD* Address, DWORD Destination, BOOL Linked)
{
if(Destination & 0x8000)
Address[0] = 0x3D600000 + (((Destination >> 16) & 0xFFFF) + 1);
else
Address[0] = 0x3D600000 + ((Destination >> 16) & 0xFFFF);
Address[1] = 0x396B0000 + (Destination & 0xFFFF);
Address[2] = 0x7D6903A6;
if(Linked)
Address[3] = 0x4E800421;
else
Address[3] = 0x4E800420;
}
UINT32 resolveFunct(char* modname, UINT32 ord)
{
UINT32 ptr32 = 0, ret = 0, ptr2 = 0;
ret = XexGetModuleHandle(modname, (PHANDLE)&ptr32);
if(ret == 0){
ret = XexGetProcedureAddress((HANDLE)ptr32, ord, &ptr2);
if(ptr2 != 0)
return(ptr2);
}
return(0);
}
void ClearMachineAccount()
{
// Resolve XeKeysHmacSha
XeKeysHmacSha = (XEKEYSHMACSHA)resolveFunct("xboxkrnl.exe", 0x249);
ExSetXConfigSetting = (EXSETXCONFIGSETTING)resolveFunct("xboxkrnl.exe", 0x18);
int settingCategory = 4;
// Alloc our data
BYTE* macAccount = (BYTE*)XPhysicalAlloc(0x1D0, MAXULONG_PTR, NULL, PAGE_READWRITE);
memset(macAccount, 0, 0x1EC);
// Generate our confounder
XeCryptRandom(macAccount + 0x14, 0x8);
// XeCryptSha1
XeCryptSha(macAccount + 0x14, 0x8, macAccount + 0x1C, 0x1D0, NULL, NULL, macAccount, 0x14);
// Generate Rc4 key
BYTE key[0x14];
XeKeysHmacSha(0x17, macAccount + 0x14, 0x8, (BYTE*)&settingCategory, sizeof(int),
NULL, NULL, key, 0x14);
// RC4 data
XeCryptRc4(key, 0x14, macAccount + 0x1C, 0x1D0);
// Set our setting
ExSetXConfigSetting(settingCategory, 1, macAccount, 0x1EC);
}
void InitXNet()
{
DWORD dwResult;
XNetStartupParams xnsp;
XNADDR xna;
memset( &xnsp, 0, sizeof( xnsp ) );
xnsp.cfgSizeOfStruct = sizeof( XNetStartupParams );
xnsp.cfgFlags = XNET_STARTUP_BYPASS_SECURITY;
dwResult = XNetStartup( &xnsp );
do
{
dwResult = XNetGetTitleXnAddr( &xna );
} while( dwResult == XNET_GET_XNADDR_PENDING );
WORD wVersionRequested = MAKEWORD( 2, 2 );
WSADATA wsaData;
dwResult = WSAStartup( wVersionRequested, &wsaData );
}
DWORD XeKeysExecHook(VOID* data, DWORD size, UINT64 arg_r4, UINT64 arg_r5, UINT64 arg_r6, UINT64 arg_r7)
{
XNotifyQueueUI xNotifyQueueUI = (XNotifyQueueUI)resolveFunct("xam.xex", 656);
if (OfflineMode)
{
// Output
DbgPrint("XBLVenomChallenge: Reading challenge Response.\n");
// Open our challResp
HANDLE challResp = CreateFile("Hdd:\\XeLive\\chall_resp.bin", GENERIC_READ,
FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
DWORD bytesRead = 0;
// Alloc
BYTE* challResponse = (BYTE*)XPhysicalAlloc(0x200, MAXULONG_PTR, NULL, PAGE_READWRITE);
// Read
ReadFile(challResp, challResponse, 0x200, &bytesRead, NULL);
// Close our file
CloseHandle(challResp);
// Output
DbgPrint("XBLVenomChallenge: Done..\n");
DbgPrint("XBLVenomChallenge: Reading HyperVisor..\n");
// Open our Hypervisor
HANDLE hyperVisor = CreateFile("Hdd:\\XeLive\\HV.bin", GENERIC_READ,
FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
// Read
ReadFile(hyperVisor, HV, 0x40000, &bytesRead, NULL);
// Close our file
CloseHandle(hyperVisor);
// Output
DbgPrint("XBLVenomChallenge: Done..\n");
DbgPrint("XBLVenomChallenge: Hashing HyperVisor..\n");
// Init Sha1
XECRYPT_SHA_STATE Sha1;
// XeCryptShaInit
XeCryptShaInit(&Sha1);
// XeCryptShaUpdate - SALT
XeCryptShaUpdate(&Sha1, (BYTE*)arg_r4, 0x10);
// XeCryptShaUpdate - 0x34/0x40
XeCryptShaUpdate(&Sha1, HV + 0x34, 0x40);
// XeCryptShaUpdate - 0x78/0xFF88
XeCryptShaUpdate(&Sha1, HV + 0x78, 0xFF88);
// XeCryptShaUpdate - 0x100C0/0x3C
XeCryptShaUpdate(&Sha1, HV + 0x100C0, 0x3C);
// XeCryptShaUpdate - 0x10320/0x5B40
XeCryptShaUpdate(&Sha1, HV + 0x10320, 0x5B40);
// XeCryptShaUpdate - 0x16A3C/0x95C4
XeCryptShaUpdate(&Sha1, HV + 0x16A3C, 0x95C4);
// XeCryptShaUpdate - 0x20000/0xFFFC
XeCryptShaUpdate(&Sha1, HV + 0x20000, 0xFFFC);
// XeCryptShaUpdate - 0x30000/0xFFFC
XeCryptShaUpdate(&Sha1, HV + 0x30000, 0xFFFC);
// XeCryptShaFinal
XeCryptShaFinal(&Sha1, challResponse + 0x50, 0x14);
DbgPrint("XBLVenomChallenge: Done..\n");
DbgPrint("XBLVenomChallenge: Preparing challenge response..\n");
// Memcpy
memcpy(challResponse + 0x64, KVHash, 0x14);
// Copy Challenge
memcpy(data, challResponse, 0x200);
DbgPrint("XBLVenomChallenge: All Done.. :)\n");
DbgPrint("XBLVenomChallenge: Returning execution to XAM..\n");
WCHAR buffer[0x256];
swprintf(buffer, L"XeLiveLogon Success!");
xNotifyQueueUI(0x22, 0x0, 2, buffer, 0);
// Succeess
return 0;
}
while(true)
{
InitXNet();
// Resolve our func...
DbgPrint("\n\n ---------\n\n");
Pkeysexec pk = (Pkeysexec)data;
if(pk->magic == 0x4D4D && pk->ver == 0x397D)
{
// Create our data bufer
BYTE* dataBuff = (BYTE*)XPhysicalAlloc(0x38, MAXULONG_PTR, NULL, PAGE_READWRITE);
memset(dataBuff, 0, 0x38);
// Copy our ticket
memcpy(dataBuff, XeTicket, 0x14);
// Copy our salt
memcpy(dataBuff + 0x14, (BYTE*)arg_r4, 0x10);
// Copy our KV hash
memcpy(dataBuff + 0x24, KVHash, 0x14);
// Post data
HttpClient client(0);
client.POST("xedevteam.com", "/XeLiveLogon/70AC481F3F3F01A7CB44.aspx", (char*)dataBuff, 0x38);
// Copy response data to arg
BYTE* respData = client.GetResponseContentData();
// Check for success status...
if (*(DWORD*)respData == 1)
{
WCHAR buffer[0x256];
swprintf(buffer, L"XeLiveLogon Success!");
xNotifyQueueUI(0x22, 0x0, 2, buffer, 0);
}
else
{
WCHAR buffer[0x256];
swprintf(buffer, L"XeLiveLogon Fail =(");
xNotifyQueueUI(0x22, 0x0, 2, buffer, 0);
continue;
}
// Copy our XeTicket
memcpy(XeTicket, respData + 0x4, 0x14);
// Copy our challenge response...
memcpy((void*)data, respData + 0x18, 0x200);
// Return
return 0;
}
else
{
HvxReadBytes(0, (LONG)(HV), 0x10000);
HvxReadBytes(0x200010000, (LONG)(HV + 0x10000), 0x10000);
HvxReadBytes(0x400020000, (LONG)(HV + 0x20000), 0x10000);
HvxReadBytes(0x600030000, (LONG)(HV + 0x30000), 0x10000);
DbgPrint("New Challenge...\n");
DWORD status = XeKeysExecute(data, size, arg_r4, arg_r5, arg_r6, arg_r7);
}
}
// Fail
return -1;
}
void SetupImportPatch()
{
// Alloc patch data
BYTE* patchData = (BYTE*)XPhysicalAlloc(0x10, MAXULONG_PTR, NULL, PAGE_READWRITE);
// Check for RGH/JTAG
if (launchStartSysModule == 0)
{
// Patch call to XeKeysExecute
PatchInJump((DWORD*)patchData, (DWORD)XeKeysExecHook, false);
DmSetMemory((LPVOID)0x81CBD58C, 0x10, patchData, NULL);
}
else
{
// Patch jump
PatchInJump((DWORD*)0x81A30364, (DWORD)XeKeysExecHook, false);
}
// Free
XPhysicalFree(patchData);
}
void GenerateKVHash()
{
// Get our first XeTicket
BYTE* ticketPtr = (BYTE*)0x801F2000;
BYTE* cpuPtr = (BYTE*)0x801F2014;
memcpy(XeTicket, ticketPtr, 0x14);
memcpy(CPUKey, ticketPtr, 0x10);
//memset((void*)0x801F2000, 0, 0x14);
XeKeysExecute = (XEKEYSEXEC)0x80144488;
// CryptSha
XeCryptSha(CPUKey, 0x10, NULL, NULL, NULL, NULL, KVHash, 0x14);
}
HRESULT doMountPath(const char* szDrive, const char* szDevice)
{
STRING DeviceName, LinkName;
CHAR szDestinationDrive[MAX_PATH];
if(KeGetCurrentProcessType() == SYSTEM_PROC)
sprintf_s(szDestinationDrive, MAX_PATH, "\\System??\\%s", szDrive);
else
sprintf_s(szDestinationDrive, MAX_PATH, "\\??\\%s", szDrive);
RtlInitAnsiString(&DeviceName, szDevice);
RtlInitAnsiString(&LinkName, szDestinationDrive);
ObDeleteSymbolicLink(&LinkName);
return (HRESULT)ObCreateSymbolicLink(&LinkName, &DeviceName);
}
//-------------------------------------------------------------------------------------
// Name: main()
// Desc: The application's entry point
//-------------------------------------------------------------------------------------
BOOL APIENTRY DllMain(HANDLE hInstDLL, DWORD reason, LPVOID lpReserved)
{
if (reason == DLL_PROCESS_ATTACH)
{
// Setup Mount
doMountPath("Hdd:", "\\Device\\Harddisk0\\Partition1");
// Open our file
HANDLE fileHandle = CreateFile("Hdd:\\XeLive\\XBLVenomChallenge.xex", GENERIC_READ,
FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (fileHandle != INVALID_HANDLE_VALUE)
{
OfflineMode = TRUE;
// Close Handle
CloseHandle(fileHandle);
// Output
DbgPrint("XBLVenomChallenge: Offline mode started... :)\n");
DbgPrint("XBLVenomChallenge: Initializing..\n");
SetupImportPatch();
ClearMachineAccount();
GenerateKVHash();
DbgPrint("XBLVenomChallenge: Done!..\n");
return 0;
}
// Check if JTAG/RGH
if(launchStartSysModule == 0)
launchStartSysModule = (DWORD (__cdecl *)(char*))(resolveFunct("launch.xex", 2));
InitXNet();
SetupImportPatch();
ClearMachineAccount();
GenerateKVHash();
}
} Here's the other one:
typedef DWORD (* XEKEYSEXECUTE) (BYTE * chalData, DWORD size, BYTE * HVSalt, krnlBuild UINT64, UINT64 r7, r8 UINT64);
/ / Catching call to XeKeysExecute in XAM
/ / Directing it to this function instead of actual kernel function
DWORD XeKeysExecuteHook (BYTE * chalData, DWORD size, BYTE * HVSalt, krnlBuild UINT64, UINT64 r7, r8 UINT64)
{
XEKEYSEXECUTE XeKeysExecute = (XEKEYSEXECUTE) resolveFunct (XBOX_KRNL, 607);
SYSTEMTIME LocalSysTime;
GetLocalTime (& LocalSysTime);
DbgPrint ("Entering Xbox Live Challenge hook \ n");
DbgPrint ("System Time:% d% d% d \ t% d:% d:% d \ n", LocalSysTime.wMonth, LocalSysTime.wDay, LocalSysTime.wYear, LocalSysTime.wHour, LocalSysTime.wMinute, LocalSysTime.wSecond );
DbgPrint ("r3 = 0x% 08X, 0x% 08X = r4, r5 = 0x% 08X \ n",
chalData, size, HVSalt);
DbgPrint ("= 0x% 016I64x r6, r7 = 0x% 016I64x, r8 = 0x% 016I64x \ n",
krnlBuild, r7, r8);
/ / Decrypt the challenge data
/ / Seems to share the same header as a bootloader
/ / Char [2] Magic
/ / Short version
/ / Int flags
/ / Int EntryPoint
/ / Int Size
/ / Byte [0x10] HMAC hash -> RC4 Key
DWORD datasize = * (DWORD *) (chalData + 0xC);
if (DecryptChallenge (chalData, datasize))
{
DbgPrint ("Error decrypting challenge: (\ n");
HalReturnToFirmware (6);
}
/ / Create file HV Salt
HANDLE hvSalt = CreateFile ("hdd: \ \ XeKeysExecute_HVSalt.bin", GENERIC_WRITE,
FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hvSalt == INVALID_HANDLE_VALUE)
{
DbgPrint ("Error Creating HV Salt File \ n");
HalReturnToFirmware (6);
}
DbgPrint ("File Created \ n");
/ / Get the HV salt
DWORD saltOut = 0;
if (WriteFile (hvSalt, HVSalt, 0x10, & saltOut, NULL))
DbgPrint ("Saved HV Salt \ n");
else DbgPrint ("Could not save HV Salt: (\ n");
/ / Close our HV Salt handle
CloseHandle (hvSalt);
DbgPrint ("dumping respectively \ n");
/ / Execute the challenge
BYTE * physSalt = (BYTE *) MmGetPhysicalAddress (HVSalt) / / Do what we patched
XeKeysExecute (chalData, size, physSalt, krnlBuild, r7, r8) / / go to current kernel function
HANDLE chalResp = CreateFile ("hdd: \ \ XeKeysExecute_resp.bin", GENERIC_WRITE,
FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (chalResp == INVALID_HANDLE_VALUE)
{
DbgPrint ("Error Creating Response File \ n");
HalReturnToFirmware (6);
}
DbgPrint ("Response File Created \ n");
/ / Save the challenge response
DWORD respOut = 0;
if (WriteFile (chalResp, chalData, size, & respOut, NULL))
DbgPrint ("Saved response data \ n");
else DbgPrint ("Could not save response data: (\ n");
/ / Close our challange response dump
CloseHandle (chalResp);
/ / We dumped the challange data -> reboot
DbgPrint ("Dumped Challenge - Rebooting system \ n");
HalReturnToFirmware (6);
return (0);
}
patchPhysicalAddr void ()
{
DbgPrint ("Patching MmGetPhysicalAddress function so we can challenge in the grave HV Salt \ n");
UINT32 * addr = (UINT32 *) (0x81677EE4) / / 14719
addr [0] = 0x60000000;
}
BOOL DecryptChallenge (BYTE * data, DWORD filesize)
{
DbgPrint ("Decrypting XeKeysExecute Challenge Data \ n");
XECRYPT_RC4_STATE rc4;
BYTE * decChalData = (BYTE *) XPhysicalAlloc (filesize, MAXULONG_PTR, 0, PAGE_READWRITE);
memcpy (decChalData, data, filesize);
BYTE * rc4Key = (BYTE *) XPhysicalAlloc (0x10, MAXULONG_PTR, 0, PAGE_READWRITE);
BYTE key [0x10] = {0xDD, 0x88, 0xAD, 0x0C, 0x9E, 0xD6, 0x69, 0xE7, 0xB5, 0x67, 0x94, 0xFB, 0x68, 0x56, 0x3E, 0xFA} / / found in HV
XeCryptHmacSha ((BYTE *) key, 0x10, 0x10 + decChalData, 0x10, 0, 0, 0, 0, rc4Key, 0x10);
XeCryptRc4Key (& rc4 rc4Key, 0x10);
XeCryptRc4Ecb (& rc4 decChalData + 0x20, file size - 0x20);
HANDLE hFile;
DWORD size;
hFile = CreateFile ("hdd: \ \ XeKeysExecute_chalData_dec.bin", GENERIC_WRITE,
FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile! = INVALID_HANDLE_VALUE)
{
DbgPrint ("Created Challenge File \ n");
if (WriteFile (hFile, decChalData, file size, & size, NULL ;))
{
CloseHandle (hFile);
XPhysicalFree (decChalData);
XPhysicalFree (rc4Key);
DbgPrint ("Decrypted challenge data saved \ n");
return true;
}
else
return false;
}
}
/ / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / /
patchPhysicalAddr ();
patchInJump ((PDWORD) (0x81A30364), (DWORD) XeKeysExecuteHook, false); I know this is off topic but here they are.
#2. Posted:
Status: Offline
Joined: Feb 21, 201311Year Member
Posts: 668
Reputation Power: 25
Status: Offline
Joined: Feb 21, 201311Year Member
Posts: 668
Reputation Power: 25
Yea you will need a tool to change I over!
- 0useful
- 0not useful
#3. Posted:
Status: Offline
Joined: Mar 27, 201311Year Member
Posts: 17
Reputation Power: 1
oH-Killcam-Sc wrote Yea you will need a tool to change I over!what tool do I need? I'm new to this stuff.
- 0useful
- 0not useful
#4. Posted:
Status: Offline
Joined: Sep 02, 201113Year Member
Posts: 2,730
Reputation Power: 150
Status: Offline
Joined: Sep 02, 201113Year Member
Posts: 2,730
Reputation Power: 150
You can build it in Visual Studios. Also it's not going to get you online, so why bother trying?
- 1useful
- 1not useful
#5. Posted:
Status: Offline
Joined: Nov 25, 201212Year Member
Posts: 165
Reputation Power: 7
Status: Offline
Joined: Nov 25, 201212Year Member
Posts: 165
Reputation Power: 7
Give up kid, You ain't close. Even though its worth trying, you are going to fail.
- 2useful
- 3not useful
#6. Posted:
Status: Offline
Joined: Oct 01, 201113Year Member
Posts: 2,921
Reputation Power: 162
Status: Offline
Joined: Oct 01, 201113Year Member
Posts: 2,921
Reputation Power: 162
SketchyVI wrote Give up kid, You ain't close. Even though its worth trying, you are going to fail.
who are you to say anything?
let the person do what they want. if it does not work (which it most likely wont) then they will know them selves. there is no need for such un-needed feedback. if anything you should be helping...
- 2useful
- 1not useful
#7. Posted:
Status: Offline
Joined: Feb 27, 201014Year Member
Posts: 30
Reputation Power: 1
XeXTwix wroteSketchyVI wrote Give up kid, You ain't close. Even though its worth trying, you are going to fail.
who are you to say anything?
let the person do what they want. if it does not work (which it most likely wont) then they will know them selves. there is no need for such un-needed feedback. if anything you should be helping...
He's being real about it. This kid doesn't know how to compile code he's not getting online.
- 1useful
- 1not useful
#8. Posted:
Status: Offline
Joined: Mar 27, 201311Year Member
Posts: 17
Reputation Power: 1
nickcas wroteI didnt make the bypass files I have! I am selling them for a guy who goes by "Venom x Mods".XeXTwix wroteSketchyVI wrote Give up kid, You ain't close. Even though its worth trying, you are going to fail.
who are you to say anything?
let the person do what they want. if it does not work (which it most likely wont) then they will know them selves. there is no need for such un-needed feedback. if anything you should be helping...
He's being real about it. This kid doesn't know how to compile code he's not getting online.
- 0useful
- 1not useful
#9. Posted:
Status: Offline
Joined: Aug 11, 201014Year Member
Posts: 689
Reputation Power: 32
If anything, this jackass should stop sending people SERVER.EXE and saying it's a 5 hour trial. Stop being a scamming scumbag, you're a bloody imbecile and will never, ever get online.
- 3useful
- 0not useful
#10. Posted:
Status: Offline
Joined: Mar 27, 201311Year Member
Posts: 17
Reputation Power: 1
jester wrote If anything, this jackass should stop sending people SERVER.EXE and saying it's a 5 hour trial. Stop being a scamming scumbag, you're a bloody imbecile and will never, ever get online.Im not sending people a .exe file? I didnt make the files, im just selling them
- 0useful
- 1not useful
You are viewing our Forum Archives. To view or take place in current topics click here.