You are viewing our Forum Archives. To view or take place in current topics click here.
some of theOnline Method Hv/salt
Posted:
some of theOnline Method Hv/saltPosted:
Status: Offline
Joined: Nov 26, 201013Year Member
Posts: 756
Reputation Power: 50
Status: Offline
Joined: Nov 26, 201013Year Member
Posts: 756
Reputation Power: 50
typedef DWORD (*XEKEYSEXECUTE)(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8);
// Catching call to XeKeysExecute in XAM
// Directing it to this function instead of actual Kernel function
DWORD XeKeysExecuteHook(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8)
{
XEKEYSEXECUTE XeKeysExecute = (XEKEYSEXECUTE)resolveFunct(XBOX_KRNL, 607);
SYSTEMTIME LocalSysTime;
GetLocalTime( &LocalSysTime );
DbgPrint("Entering Xbox Live Challenge hook\n");
DbgPrint("SystemTime: %d-%d-%d\t%d:%d:%d\n", LocalSysTime.wMonth, LocalSysTime.wDay,LocalSysTime.wYear, LocalSysTime.wHour, LocalSysTime.wMinute, LocalSysTime.wSecond);
DbgPrint("r3 = 0x%08X, r4 = 0x%08X, r5 = 0x%08X\n",
chalData, size, HVSalt);
DbgPrint("r6 = 0x%016I64X, r7 = 0x%016I64X, r8 = 0x%016I64X\n",
krnlBuild, r7, r8);
// Decrypt the challenge data
// Seems to share the same header as a bootloader
// char[2] Magic
// short Version
// int Flags
// int EntryPoint
// int Size
// byte[0x10] HMAC Hash -> RC4 Key
DWORD dataSize = *(DWORD*)(chalData + 0xC);
if(!DecryptChallenge(chalData, dataSize))
{
DbgPrint("Error decrypting challenge \n");
HalReturnToFirmware(6);
}
// Create HV Salt file
HANDLE hvSalt = CreateFile("hdd:\\XeKeysExecute_HVSalt.bin", GENERIC_WRITE,
FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if( hvSalt == INVALID_HANDLE_VALUE)
{
DbgPrint("Error Creating HV Salt File\n");
HalReturnToFirmware(6);
}
DbgPrint("File Created\n");
// Get the HV salt
DWORD saltOut = 0;
if (WriteFile( hvSalt, HVSalt, 0x10, &saltOut, NULL))
DbgPrint("Saved HV Salt\n");
else DbgPrint("Could not save HV Salt \n");
// Close our HV Salt handle
CloseHandle( hvSalt );
DbgPrint("Dumping resp\n");
// Execute the challenge
BYTE* physSalt = (BYTE*)MmGetPhysicalAddress(HVSalt); // Do what we patched
XeKeysExecute(chalData, size, physSalt, krnlBuild, r7, r8); // go to actual kernel function
HANDLE chalResp = CreateFile("hdd:\\XeKeysExecute_resp.bin", GENERIC_WRITE,
FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if( chalResp == INVALID_HANDLE_VALUE)
{
DbgPrint("Error Creating Response File\n");
HalReturnToFirmware(6);
}
DbgPrint("Response File Created\n");
// Save the challenge response
DWORD respOut = 0;
if (WriteFile( chalResp, chalData, size, &respOut, NULL))
DbgPrint("Saved response data\n");
else DbgPrint("Could not save response data \n");
// Close our challange response dump
CloseHandle( chalResp );
// We dumped the challange data -> reboot
DbgPrint("Dumped Challenge - Rebooting System\n");
HalReturnToFirmware(6);
return (0);
}
void patchPhysicalAddr()
{
DbgPrint("Patching MmGetPhysicalAddress in challenge function so we can grab the HV Salt\n");
UINT32* addr = (UINT32*)(0x81677EE4); // 14719
addr[0] = 0x60000000;
}
BOOL DecryptChallenge(BYTE* data, DWORD fileSize)
{
DbgPrint("Decrypting XeKeysExecute Challenge Data\n");
XECRYPT_RC4_STATE rc4;
BYTE* decChalData = (BYTE*)XPhysicalAlloc(fileSize, MAXULONG_PTR, 0, PAGE_READWRITE);
memcpy(decChalData, data, fileSize);
BYTE* rc4Key = (BYTE*)XPhysicalAlloc(0x10, MAXULONG_PTR, 0, PAGE_READWRITE);
BYTE key[0x10] = {0xDD, 0x88, 0xAD, 0x0C, 0x9E, 0xD6, 0x69, 0xE7, 0xB5, 0x67, 0x94, 0xFB, 0x68, 0x56, 0x3E, 0xFA}; // found in HV
XeCryptHmacSha((BYTE*)key, 0x10, decChalData + 0x10, 0x10, 0, 0, 0, 0, rc4Key, 0x10);
XeCryptRc4Key(&rc4, rc4Key, 0x10);
XeCryptRc4Ecb(&rc4, decChalData + 0x20, fileSize - 0x20);
HANDLE hFile;
DWORD size;
hFile = CreateFile("hdd:\\XeKeysExecute_chalData_dec.bin", GENERIC_WRITE,
FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if( hFile != INVALID_HANDLE_VALUE)
{
DbgPrint("Created Challenge File\n");
if(WriteFile(hFile, decChalData, fileSize, &size, NULL);)
{
CloseHandle(hFile);
XPhysicalFree(decChalData);
XPhysicalFree(rc4Key);
DbgPrint("Decrypted challenge data saved\n");
return true;
}
else
return false;
}
}
//////////////////////////////////////////////////////////////////////////////////////////
patchPhysicalAddr();
patchInJump((PDWORD)(0x81A30364), (DWORD)XeKeysExecuteHook, false);
well you guys are on your own steezyiz1337<3
// Catching call to XeKeysExecute in XAM
// Directing it to this function instead of actual Kernel function
DWORD XeKeysExecuteHook(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8)
{
XEKEYSEXECUTE XeKeysExecute = (XEKEYSEXECUTE)resolveFunct(XBOX_KRNL, 607);
SYSTEMTIME LocalSysTime;
GetLocalTime( &LocalSysTime );
DbgPrint("Entering Xbox Live Challenge hook\n");
DbgPrint("SystemTime: %d-%d-%d\t%d:%d:%d\n", LocalSysTime.wMonth, LocalSysTime.wDay,LocalSysTime.wYear, LocalSysTime.wHour, LocalSysTime.wMinute, LocalSysTime.wSecond);
DbgPrint("r3 = 0x%08X, r4 = 0x%08X, r5 = 0x%08X\n",
chalData, size, HVSalt);
DbgPrint("r6 = 0x%016I64X, r7 = 0x%016I64X, r8 = 0x%016I64X\n",
krnlBuild, r7, r8);
// Decrypt the challenge data
// Seems to share the same header as a bootloader
// char[2] Magic
// short Version
// int Flags
// int EntryPoint
// int Size
// byte[0x10] HMAC Hash -> RC4 Key
DWORD dataSize = *(DWORD*)(chalData + 0xC);
if(!DecryptChallenge(chalData, dataSize))
{
DbgPrint("Error decrypting challenge \n");
HalReturnToFirmware(6);
}
// Create HV Salt file
HANDLE hvSalt = CreateFile("hdd:\\XeKeysExecute_HVSalt.bin", GENERIC_WRITE,
FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if( hvSalt == INVALID_HANDLE_VALUE)
{
DbgPrint("Error Creating HV Salt File\n");
HalReturnToFirmware(6);
}
DbgPrint("File Created\n");
// Get the HV salt
DWORD saltOut = 0;
if (WriteFile( hvSalt, HVSalt, 0x10, &saltOut, NULL))
DbgPrint("Saved HV Salt\n");
else DbgPrint("Could not save HV Salt \n");
// Close our HV Salt handle
CloseHandle( hvSalt );
DbgPrint("Dumping resp\n");
// Execute the challenge
BYTE* physSalt = (BYTE*)MmGetPhysicalAddress(HVSalt); // Do what we patched
XeKeysExecute(chalData, size, physSalt, krnlBuild, r7, r8); // go to actual kernel function
HANDLE chalResp = CreateFile("hdd:\\XeKeysExecute_resp.bin", GENERIC_WRITE,
FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if( chalResp == INVALID_HANDLE_VALUE)
{
DbgPrint("Error Creating Response File\n");
HalReturnToFirmware(6);
}
DbgPrint("Response File Created\n");
// Save the challenge response
DWORD respOut = 0;
if (WriteFile( chalResp, chalData, size, &respOut, NULL))
DbgPrint("Saved response data\n");
else DbgPrint("Could not save response data \n");
// Close our challange response dump
CloseHandle( chalResp );
// We dumped the challange data -> reboot
DbgPrint("Dumped Challenge - Rebooting System\n");
HalReturnToFirmware(6);
return (0);
}
void patchPhysicalAddr()
{
DbgPrint("Patching MmGetPhysicalAddress in challenge function so we can grab the HV Salt\n");
UINT32* addr = (UINT32*)(0x81677EE4); // 14719
addr[0] = 0x60000000;
}
BOOL DecryptChallenge(BYTE* data, DWORD fileSize)
{
DbgPrint("Decrypting XeKeysExecute Challenge Data\n");
XECRYPT_RC4_STATE rc4;
BYTE* decChalData = (BYTE*)XPhysicalAlloc(fileSize, MAXULONG_PTR, 0, PAGE_READWRITE);
memcpy(decChalData, data, fileSize);
BYTE* rc4Key = (BYTE*)XPhysicalAlloc(0x10, MAXULONG_PTR, 0, PAGE_READWRITE);
BYTE key[0x10] = {0xDD, 0x88, 0xAD, 0x0C, 0x9E, 0xD6, 0x69, 0xE7, 0xB5, 0x67, 0x94, 0xFB, 0x68, 0x56, 0x3E, 0xFA}; // found in HV
XeCryptHmacSha((BYTE*)key, 0x10, decChalData + 0x10, 0x10, 0, 0, 0, 0, rc4Key, 0x10);
XeCryptRc4Key(&rc4, rc4Key, 0x10);
XeCryptRc4Ecb(&rc4, decChalData + 0x20, fileSize - 0x20);
HANDLE hFile;
DWORD size;
hFile = CreateFile("hdd:\\XeKeysExecute_chalData_dec.bin", GENERIC_WRITE,
FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if( hFile != INVALID_HANDLE_VALUE)
{
DbgPrint("Created Challenge File\n");
if(WriteFile(hFile, decChalData, fileSize, &size, NULL);)
{
CloseHandle(hFile);
XPhysicalFree(decChalData);
XPhysicalFree(rc4Key);
DbgPrint("Decrypted challenge data saved\n");
return true;
}
else
return false;
}
}
//////////////////////////////////////////////////////////////////////////////////////////
patchPhysicalAddr();
patchInJump((PDWORD)(0x81A30364), (DWORD)XeKeysExecuteHook, false);
well you guys are on your own steezyiz1337<3
#2. Posted:
Status: Offline
Joined: Jul 06, 201113Year Member
Posts: 74
Reputation Power: 2
Status: Offline
Joined: Jul 06, 201113Year Member
Posts: 74
Reputation Power: 2
steezyiz1337 wrote typedef DWORD (*XEKEYSEXECUTE)(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8);
// Catching call to XeKeysExecute in XAM
// Directing it to this function instead of actual Kernel function
DWORD XeKeysExecuteHook(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8)
-snip-
well you guys are on your own steezyiz1337<3
Please don't claim other's work. I doubt you even know what half that code does.
[ Register or Signin to view external links. ]
- 1useful
- 0not useful
#3. Posted:
Status: Offline
Joined: Nov 11, 201113Year Member
Posts: 153
Reputation Power: 12
Status: Offline
Joined: Nov 11, 201113Year Member
Posts: 153
Reputation Power: 12
m0j0j0_j0 wrotesteezyiz1337 wrote typedef DWORD (*XEKEYSEXECUTE)(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8);
// Catching call to XeKeysExecute in XAM
// Directing it to this function instead of actual Kernel function
DWORD XeKeysExecuteHook(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8)
-snip-
well you guys are on your own steezyiz1337<3
Please don't claim other's work. I doubt you even know what half that code does.
[ Register or Signin to view external links. ]
LMAO .. ask Kaine anything about that and you will get an answer that is SSSSSSSSSSOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO wrong. He knows nothing on the subject.
- 0useful
- 0not useful
#4. Posted:
Status: Offline
Joined: Jul 06, 201113Year Member
Posts: 74
Reputation Power: 2
Status: Offline
Joined: Jul 06, 201113Year Member
Posts: 74
Reputation Power: 2
SSJ4_Dwack wrotem0j0j0_j0 wrotesteezyiz1337 wrote typedef DWORD (*XEKEYSEXECUTE)(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8);
// Catching call to XeKeysExecute in XAM
// Directing it to this function instead of actual Kernel function
DWORD XeKeysExecuteHook(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8)
-snip-
well you guys are on your own steezyiz1337<3
Please don't claim other's work. I doubt you even know what half that code does.
[ Register or Signin to view external links. ]
LMAO .. ask Kaine anything about that and you will get an answer that is SSSSSSSSSSOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO wrong. He knows nothing on the subject.
Not saying he knows more about it just saying it's an obvious repost where he is trying act like know what he is doing.
- 0useful
- 0not useful
#5. Posted:
Status: Offline
Joined: Nov 11, 201113Year Member
Posts: 153
Reputation Power: 12
Status: Offline
Joined: Nov 11, 201113Year Member
Posts: 153
Reputation Power: 12
m0j0j0_j0 wroteSSJ4_Dwack wrotem0j0j0_j0 wrotesteezyiz1337 wrote typedef DWORD (*XEKEYSEXECUTE)(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8);
// Catching call to XeKeysExecute in XAM
// Directing it to this function instead of actual Kernel function
DWORD XeKeysExecuteHook(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8)
-snip-
well you guys are on your own steezyiz1337<3
Please don't claim other's work. I doubt you even know what half that code does.
[ Register or Signin to view external links. ]
LMAO .. ask Kaine anything about that and you will get an answer that is SSSSSSSSSSOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO wrong. He knows nothing on the subject.
Not saying he knows more about it just saying it's an obvious repost where he is trying act like know what he is doing.
Kaine and anyone else posting this is doing the same thing as OP.
- 0useful
- 0not useful
#6. Posted:
Status: Offline
Joined: Jul 06, 201113Year Member
Posts: 74
Reputation Power: 2
Status: Offline
Joined: Jul 06, 201113Year Member
Posts: 74
Reputation Power: 2
Which is what I said more explained.
- 1useful
- 0not useful
You are viewing our Forum Archives. To view or take place in current topics click here.