HV SALT REVERSE HELP
Xximod4uxXV4
Has anyone got the script for the HV salt reverse?
#2. Posted:
TGK
You mean something like this?
// Function-pointer type for the kernel's XeKeysExecute export; XeKeysExecuteHook below
// resolves the real export by ordinal (607) into a pointer of this type and forwards to it.
typedef DWORD (*XEKEYSEXECUTE)(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8);
 // Catching call to XeKeysExecute in XAM
 // Directing it to this function instead of actual Kernel function
 // Replacement for the kernel XeKeysExecute export (see the XEKEYSEXECUTE typedef): logs the
 // incoming arguments, decrypts the challenge, writes the HV salt and the kernel's response
 // to files under hdd:\, then reboots. Every exit path ends in HalReturnToFirmware(6), so
 // the trailing `return (0)` is never reached. The on-disk artefacts this leaves behind are
 // hdd:\XeKeysExecute_HVSalt.bin, hdd:\XeKeysExecute_resp.bin and (from DecryptChallenge)
 // hdd:\XeKeysExecute_chalData_dec.bin, plus the DbgPrint strings below.
 DWORD XeKeysExecuteHook(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8)
 {
                 // Real kernel export, resolved by ordinal so the hook can still call it
                 XEKEYSEXECUTE XeKeysExecute = (XEKEYSEXECUTE)resolveFunct(XBOX_KRNL, 607);
             SYSTEMTIME LocalSysTime;
                 GetLocalTime( &LocalSysTime );
                 DbgPrint("Entering Xbox Live Challenge hook\n");
                 DbgPrint("SystemTime: %d-%d-%d\t%d:%d:%d\n", LocalSysTime.wMonth, LocalSysTime.wDay,LocalSysTime.wYear, LocalSysTime.wHour, LocalSysTime.wMinute, LocalSysTime.wSecond);
                 // NOTE(review): the two pointers are printed with %08X, which assumes a 32-bit pointer width.
                 DbgPrint("r3 = 0x%08X, r4 = 0x%08X, r5 = 0x%08X\n",
                                 chalData, size, HVSalt);
                 DbgPrint("r6 = 0x%016I64X, r7 = 0x%016I64X, r8 = 0x%016I64X\n",
                                 krnlBuild, r7, r8);
 
                 // Decrypt the challenge data
                 // Seems to share the same header as a bootloader
                 // char[2] Magic
                 // short Version
                 // int Flags
                 // int EntryPoint
                 // int Size
                 // byte[0x10] HMAC Hash -> RC4 Key
                 // NOTE(review): dataSize is read from the buffer itself (header offset 0xC) and is never
                 // compared against the caller-supplied `size`; DecryptChallenge trusts it as the length.
                 DWORD dataSize = *(DWORD*)(chalData + 0xC);
                 if(!DecryptChallenge(chalData, dataSize))
                 {
                                 DbgPrint("Error decrypting challenge  :(\n");
                                 HalReturnToFirmware(6); // reboot; no handles are open yet on this path
                 }
 
                 // Create HV Salt file
                 HANDLE hvSalt = CreateFile("hdd:\\XeKeysExecute_HVSalt.bin", GENERIC_WRITE,
                 FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
                 if( hvSalt == INVALID_HANDLE_VALUE)
                 {
                                 DbgPrint("Error Creating HV Salt File\n");
                                 HalReturnToFirmware(6);
                 }
                 DbgPrint("File Created\n");
 
                 // Get the HV salt
                 // Exactly 0x10 bytes are written; saltOut (bytes actually written) is never checked.
                 DWORD saltOut = 0;
                 if (WriteFile( hvSalt, HVSalt, 0x10, &saltOut, NULL))
                                 DbgPrint("Saved HV Salt\n");
                 else DbgPrint("Could not save HV Salt  :(\n");
 
                 // Close our HV Salt handle
                 CloseHandle( hvSalt );
 
                 DbgPrint("Dumping resp\n");
                 // Execute the challenge
                 // Per patchPhysicalAddr()'s log message, the kernel's own virtual->physical conversion of
                 // the salt pointer has been patched out, so it is performed here before forwarding.
                 BYTE* physSalt = (BYTE*)MmGetPhysicalAddress(HVSalt); // Do what we patched
                 // NOTE(review): the DWORD result of the real XeKeysExecute is discarded, so a failed
                 // execution cannot be distinguished from success in the response dumped below.
                 XeKeysExecute(chalData, size, physSalt, krnlBuild, r7, r8); // go to actual kernel function
 
                 HANDLE chalResp = CreateFile("hdd:\\XeKeysExecute_resp.bin", GENERIC_WRITE,
                 FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
                 if( chalResp == INVALID_HANDLE_VALUE)
                 {
                                 DbgPrint("Error Creating Response File\n");
                                 HalReturnToFirmware(6); // hvSalt was already closed above, so nothing leaks here
                 }
                 DbgPrint("Response File Created\n");
 
                 // Save the challenge response
                 // Writes the caller-supplied `size` bytes (not dataSize); respOut is never checked.
                 DWORD respOut = 0;
                 if (WriteFile( chalResp, chalData, size, &respOut, NULL))
                                 DbgPrint("Saved response data\n");
                 else DbgPrint("Could not save response data  :(\n");
 
                 // Close our challange response dump
                 CloseHandle( chalResp );         
 
                 // We dumped the challange data -> reboot
                 DbgPrint("Dumped Challenge - Rebooting System\n");
                 HalReturnToFirmware(6);
                 return (0); // unreachable: HalReturnToFirmware(6) above reboots the system
 }
 
 // Overwrites one 32-bit instruction at a hard-coded kernel address with 0x60000000 (the
 // PowerPC `nop` encoding). The `// 14719` marker records the kernel build the address was
 // taken from; nothing here checks the running build, so on any other build the store most
 // likely lands on an unrelated location.
 void patchPhysicalAddr()
 {
                 DbgPrint("Patching MmGetPhysicalAddress in challenge function so we can grab the HV Salt\n");
                 UINT32* addr = (UINT32*)(0x81677EE4); // 14719
                 addr[0] = 0x60000000;
 }
 
 // Decrypts `fileSize` bytes of challenge data in a physically-allocated copy (the caller's
 // `data` is left untouched) and writes the result to hdd:\XeKeysExecute_chalData_dec.bin.
 // Returns true only after the file write succeeds and the buffers are freed; returns false
 // when the write fails; when the file cannot be created it falls off the end with no return
 // value at all (undefined for a non-void function).
 BOOL DecryptChallenge(BYTE* data, DWORD fileSize)
 {
                 DbgPrint("Decrypting XeKeysExecute Challenge Data\n");
                 XECRYPT_RC4_STATE rc4;
                 // NOTE(review): neither XPhysicalAlloc result is checked before use (memcpy below, HMAC output).
                 BYTE* decChalData = (BYTE*)XPhysicalAlloc(fileSize, MAXULONG_PTR, 0, PAGE_READWRITE);
                 memcpy(decChalData, data, fileSize);
                 BYTE* rc4Key = (BYTE*)XPhysicalAlloc(0x10, MAXULONG_PTR, 0, PAGE_READWRITE);
                 BYTE key[0x10] = {0xDD, 0x88, 0xAD, 0x0C, 0x9E, 0xD6, 0x69, 0xE7, 0xB5, 0x67, 0x94, 0xFB, 0x68, 0x56, 0x3E, 0xFA}; // found in HV
                 // HMAC-SHA keyed with `key` over the 0x10 bytes at offset 0x10 of the copy yields the RC4
                 // key (the "HMAC Hash -> RC4 Key" header field described in XeKeysExecuteHook).
                 XeCryptHmacSha((BYTE*)key, 0x10, decChalData + 0x10, 0x10, 0, 0, 0, 0, rc4Key, 0x10);
                 XeCryptRc4Key(&rc4, rc4Key, 0x10);
                 // NOTE(review): fileSize is a DWORD; for fileSize < 0x20 the length below wraps to a huge value.
                 XeCryptRc4Ecb(&rc4, decChalData + 0x20, fileSize - 0x20);
                 HANDLE hFile;
                 DWORD size; // bytes written by WriteFile; never checked against fileSize
                 hFile = CreateFile("hdd:\\XeKeysExecute_chalData_dec.bin", GENERIC_WRITE,
                                 FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
                 if( hFile != INVALID_HANDLE_VALUE)
                 {
                                 DbgPrint("Created Challenge File\n");
                                 if(WriteFile(hFile, decChalData, fileSize, &size, NULL) ;)
                                 {
                                                 // Only exit path that releases the handle and both physical allocations
                                                 CloseHandle(hFile);
                                                 XPhysicalFree(decChalData);
                                                 XPhysicalFree(rc4Key);
                                                 DbgPrint("Decrypted challenge data saved\n");
                                                 return true;
                                 }
                                 else
                                                 // NOTE(review): hFile stays open and decChalData/rc4Key are never freed on this path
                                                 return false;
                 }
                 // NOTE(review): CreateFile failure reaches here with no return statement and no cleanup.
 }
 
 //////////////////////////////////////////////////////////////////////////////////////////
 // Installation order: NOP the kernel instruction first, then redirect the call site at
 // 0x81A30364 to XeKeysExecuteHook. patchInJump is not defined in this excerpt; like the
 // address in patchPhysicalAddr(), 0x81A30364 is presumably specific to kernel build 14719.
 patchPhysicalAddr();
 patchInJump((PDWORD)(0x81A30364), (DWORD)XeKeysExecuteHook, false);