You are viewing our Forum Archives.
Is this topic useful?
Yes: 25.53% (12 votes)
No: 48.94% (23 votes)
Kinda: 25.53% (12 votes)
Total Votes: 47
Online Method help + Why cracking XBLS is nearly Impossible!
#1. Posted:
Status: Offline
Joined: May 31, 2013 (11 Year Member)
Posts: 20
Reputation Power: 0
Hello TTG,
I'm going to explain how to make an online method and why XBLS is almost impossible to crack. Please feel free to correct me if I'm wrong on anything. Please keep in mind this is extremely hard to do and I don't think many people are capable of doing this, including myself, although I fully understand the concept of it. Please keep in mind I'm a 13 year old kid so I would rather people not use swear words on my post. Thank you!
Why XBLS is nearly impossible to crack
Ok so first off I'm going to explain why it is practically impossible to crack Xbox Live Stealth's files. So the way XBLS works is after you purchase the files from them, your CPU key will be authenticated on the server, which will enable your Xbox to go through the process of connecting to Xbox Live via XBLS. When you are authenticated on their server, your Xbox will be able to accept the HV.bin from the XBLS server. The HV.bin is needed to connect to Xbox Live along with some other files. I have read many topics saying people are going to remove the server and authentication from the XBLS files, but all that will do is nothing. Removing the server is basically doing nothing because the files needed to connect are downloaded to your Xbox's memory through the server. The reason for that is because ricky, XBLS owner, doesn't want his method stolen. So just to sum things up, removing the server is actually pointless and it shouldn't even be tested.
(UPDATE: jester has told me nothing is actually downloaded to the console's memory because it would be too easy for a person to steal the files that way. Thanks jester!)
My theory on using his files to get the hv.bin
My theory is if you create a file to run at the startup of your console that automatically downloads the HV (that is supplied by the XBLS files) to your HDD, then you will have the HV. I think there is a problem with that but I'm not 100% sure. So the HV is saved to your Xbox's memory for about a few seconds, so you can connect to Xbox Live, then it is deleted from the memory. If the plugin/file you make can save the HV in that short period of time, you're golden.
How to make an online method
Ok so in the creation of an online method you will need a few things. You will need the HV.bin, I think the XAM.xex (correct me if I'm wrong), a plugin made to run those two files, and finally you need to patch the challenges. A server is only needed if you want to sell your files and have a method of authenticating your clients. So in order to obtain the HV.bin, you will need to create a .XEX file that will download the HV. You will also need to do so with the XAM.bin then make a file to patch the challenges. Yes, this is a lot of work and it is very difficult to accomplish.
Here's a start to your online method
```cpp
#include "stdafx.h"
#include "X360Tools.h"

typedef struct {
    BYTE S[256];
    BYTE i, j;
} XECRYPT_RC4_STATE;

// XeCryptRc4Ecb(state, in/out buffer, buffer length) - resolved by kernel ordinal
typedef void (*XECRYPTRC4ECB)(XECRYPT_RC4_STATE* pRc4State, BYTE* pbInpOut, DWORD cbInpOut);
XECRYPTRC4ECB XeCryptRc4Ecb = (XECRYPTRC4ECB)resolveFunct("xboxkrnl.exe", 396);
XECRYPT_RC4_STATE rc4State;

typedef DWORD (*XEKEYSEXECUTE)(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8);

BOOL DecryptChallenge(BYTE* data, DWORD fileSize); // defined below, used by the hook

// Catching call to XeKeysExecute in XAM
// Directing it to this function instead of actual Kernel function
DWORD XeKeysExecuteHook(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8)
{
    XEKEYSEXECUTE XeKeysExecute = (XEKEYSEXECUTE)resolveFunct(XBOX_KRNL, 607);
    SYSTEMTIME LocalSysTime;
    GetLocalTime(&LocalSysTime);
    DbgPrint("Entering Xbox Live Challenge hook\n");
    DbgPrint("SystemTime: %d-%d-%d\t%d:%d:%d\n", LocalSysTime.wMonth, LocalSysTime.wDay, LocalSysTime.wYear,
             LocalSysTime.wHour, LocalSysTime.wMinute, LocalSysTime.wSecond);
    DbgPrint("r3 = 0x%08X, r4 = 0x%08X, r5 = 0x%08X\n", chalData, size, HVSalt);
    DbgPrint("r6 = 0x%016I64X, r7 = 0x%016I64X, r8 = 0x%016I64X\n", krnlBuild, r7, r8);

    // Decrypt the challenge data
    // Seems to share the same header as a bootloader
    //   char[2]    Magic
    //   short      Version
    //   int        Flags
    //   int        EntryPoint
    //   int        Size
    //   byte[0x10] HMAC Hash -> RC4 Key
    DWORD dataSize = *(DWORD*)(chalData + 0xC);
    if (!DecryptChallenge(chalData, dataSize))
    {
        DbgPrint("Error decrypting challenge :(\n");
        HalReturnToFirmware(6);
    }

    // Create HV Salt file
    HANDLE hvSalt = CreateFile("hdd:\\XeKeysExecute_HVSalt.bin", GENERIC_WRITE,
                               FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hvSalt == INVALID_HANDLE_VALUE)
    {
        DbgPrint("Error Creating HV Salt File\n");
        HalReturnToFirmware(6);
    }
    DbgPrint("File Created\n");

    // Get the HV salt
    DWORD saltOut = 0;
    if (WriteFile(hvSalt, HVSalt, 0x10, &saltOut, NULL))
        DbgPrint("Saved HV Salt\n");
    else
        DbgPrint("Could not save HV Salt :(\n");
    // Close our HV Salt handle
    CloseHandle(hvSalt);

    DbgPrint("Dumping resp\n");
    // Execute the challenge
    BYTE* physSalt = (BYTE*)MmGetPhysicalAddress(HVSalt);       // Do what we patched
    XeKeysExecute(chalData, size, physSalt, krnlBuild, r7, r8); // go to actual kernel function

    HANDLE chalResp = CreateFile("hdd:\\XeKeysExecute_resp.bin", GENERIC_WRITE,
                                 FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (chalResp == INVALID_HANDLE_VALUE)
    {
        DbgPrint("Error Creating Response File\n");
        HalReturnToFirmware(6);
    }
    DbgPrint("Response File Created\n");

    // Save the challenge response
    DWORD respOut = 0;
    if (WriteFile(chalResp, chalData, size, &respOut, NULL))
        DbgPrint("Saved response data\n");
    else
        DbgPrint("Could not save response data :(\n");
    // Close our challenge response dump
    CloseHandle(chalResp);

    // We dumped the challenge data -> reboot
    DbgPrint("Dumped Challenge - Rebooting System\n");
    HalReturnToFirmware(6);
    return 0;
}

void patchPhysicalAddr()
{
    DbgPrint("Patching MmGetPhysicalAddress in challenge function so we can grab the HV Salt\n");
    UINT32* addr = (UINT32*)(0x81677EE4); // 14719
    addr[0] = 0x60000000;                 // nop
}

BOOL DecryptChallenge(BYTE* data, DWORD fileSize)
{
    DbgPrint("Decrypting XeKeysExecute Challenge Data\n");
    XECRYPT_RC4_STATE rc4;
    BYTE* decChalData = (BYTE*)XPhysicalAlloc(fileSize, MAXULONG_PTR, 0, PAGE_READWRITE);
    memcpy(decChalData, data, fileSize);
    BYTE* rc4Key = (BYTE*)XPhysicalAlloc(0x10, MAXULONG_PTR, 0, PAGE_READWRITE);
    BYTE key[0x10] = {0xDD, 0x88, 0xAD, 0x0C, 0x9E, 0xD6, 0x69, 0xE7, 0xB5, 0x67, 0x94, 0xFB, 0x68, 0x56, 0x3E, 0xFA}; // found in HV
    // RC4 key = HMAC-SHA over the 0x10-byte hash field at +0x10 of the header, truncated to 0x10 bytes
    XeCryptHmacSha((BYTE*)key, 0x10, decChalData + 0x10, 0x10, 0, 0, 0, 0, rc4Key, 0x10);
    XeCryptRc4Key(&rc4, rc4Key, 0x10);
    XeCryptRc4Ecb(&rc4, decChalData + 0x20, fileSize - 0x20); // body follows the 0x20-byte header

    BOOL saved = FALSE;
    DWORD size = 0;
    HANDLE hFile = CreateFile("hdd:\\XeKeysExecute_chalData_dec.bin", GENERIC_WRITE,
                              FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        DbgPrint("Created Challenge File\n");
        saved = WriteFile(hFile, decChalData, fileSize, &size, NULL);
        CloseHandle(hFile);
    }
    // Release the buffers on every path, not only on success
    XPhysicalFree(decChalData);
    XPhysicalFree(rc4Key);
    if (saved)
        DbgPrint("Decrypted challenge data saved\n");
    return saved;
}

//////////////////////////////////////////////////////////////////////////////////////////
// Call this from the plugin's entry point (statements cannot sit at file scope)
void installChallengeHook()
{
    patchPhysicalAddr();
    patchInJump((PDWORD)(0x81A30364), (DWORD)XeKeysExecuteHook, false);
}
// This is just a start to the online method
// I did not create this
// lots more coding will need to be done to make this code useful
// - Xbox Live Unban
```
Last edited by XboxLiveUnban ; edited 2 times in total
The following 2 users thanked XboxLiveUnban for this useful post:
FlashysLobbies (06-03-2013), MyHtcXbox (06-03-2013)
#2. Posted:
Status: Offline
Joined: Aug 11, 2010 (14 Year Member)
Posts: 689
Reputation Power: 32
Nothing is downloaded little buddy, I explained that here:
jester wrote: -Peacee wrote: No, because everyone above me is completely wrong with their reasoning. You can not crack XBLS because the HV is loaded into memory upon connecting to Live.
lol you're actually comically wrong. That would be insecure as hell. They do response generation on the server, meaning without compromising all of the server code (and the server's copy of the HV) it cannot be reproduced.
Putting the entire HV into memory and hashing it on the buyer's xbox is a great way to let someone steal the method
10 useful
0 not useful
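A toy model of the design point jester makes above, added here as an illustration and not code from this thread or from XBLS; the class names, the salt/challenge layout and the choice of HMAC are all assumptions. It shows why a client that hashes a locally held secret can be rebuilt from a memory dump, while a client that only relays the challenge to a response server cannot:

```python
"""Two challenge-response client designs, modelled with a stand-in secret.
Design A keeps the secret on the client and hashes it locally.
Design B keeps the secret on a server and only relays (salt, challenge).
Constructed example; nothing here is XBLS's protocol or code."""
import hashlib
import hmac
import os


def expected_response(secret, salt, challenge):
    # Verifier side ("Live" in the thread): the correct answer is a keyed hash
    # over the per-session salt and challenge, keyed by the secret image.
    return hmac.new(secret, salt + challenge, hashlib.sha256).digest()


class LocalHashClient:
    """Design A: the secret is pushed to the console and hashed there."""

    def __init__(self, secret):
        self.secret = secret            # lives in client memory

    def answer(self, salt, challenge):
        return expected_response(self.secret, salt, challenge)

    def memory_dump(self):
        return self.secret              # what a memory dumper would recover


class ResponseServer:
    """Holds the secret and never hands it out; it only answers challenges."""

    def __init__(self, secret):
        self._secret = secret

    def respond(self, salt, challenge):
        return expected_response(self._secret, salt, challenge)


class RelayClient:
    """Design B: the console forwards (salt, challenge) and relays the answer."""

    def __init__(self, server):
        self.server = server

    def answer(self, salt, challenge):
        return self.server.respond(salt, challenge)

    def memory_dump(self):
        return b""                      # only relayed data passes through, no secret


def clone_from_dump(client):
    # Someone rebuilds a stand-alone client from nothing but the memory dump.
    return LocalHashClient(client.memory_dump())


def verify(secret, salt, challenge, response):
    return hmac.compare_digest(expected_response(secret, salt, challenge), response)


def trial(secret, client):
    """Return (genuine client passes, cloned client passes) for one fresh challenge."""
    salt, challenge = os.urandom(16), os.urandom(32)
    genuine = verify(secret, salt, challenge, client.answer(salt, challenge))
    cloned = verify(secret, salt, challenge, clone_from_dump(client).answer(salt, challenge))
    return genuine, cloned


if __name__ == "__main__":
    hv = os.urandom(64)                 # constructed stand-in for the hypervisor image
    print("local hashing :", trial(hv, LocalHashClient(hv)))
    print("server-side   :", trial(hv, RelayClient(ResponseServer(hv))))
```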
#3. Posted:
Status: Offline
Joined: May 31, 2013 (11 Year Member)
Posts: 20
Reputation Power: 0
jester wrote: Nothing is downloaded little buddy, I explained that here:
jester wrote: -Peacee wrote: No, because everyone above me is completely wrong with their reasoning. You can not crack XBLS because the HV is loaded into memory upon connecting to Live.
lol you're actually comically wrong. That would be insecure as hell. They do response generation on the server, meaning without compromising all of the server code (and the server's copy of the HV) it cannot be reproduced.
Putting the entire HV into memory and hashing it on the buyer's xbox is a great way to let someone steal the method
Oh ok, thanks for informing me about that. I appreciate your help.
3 useful
4 not useful
#4. Posted:
Status: Offline
Joined: Sep 27, 2012 (12 Year Member)
Posts: 97
Reputation Power: 6
XboxLiveUnban wrote: jester wrote: Nothing is downloaded little buddy, I explained that here:
jester wrote: -Peacee wrote: No, because everyone above me is completely wrong with their reasoning. You can not crack XBLS because the HV is loaded into memory upon connecting to Live.
lol you're actually comically wrong. That would be insecure as hell. They do response generation on the server, meaning without compromising all of the server code (and the server's copy of the HV) it cannot be reproduced.
Putting the entire HV into memory and hashing it on the buyer's xbox is a great way to let someone steal the method
Oh ok, thanks for informing me about that. I appreciate your help.
Don't know if this will help but here it is anyway, don't know who made it
0 useful
5 not useful
#5. Posted:
Status: Offline
Joined: May 31, 2013 (11 Year Member)
Posts: 20
Reputation Power: 0
HaarisK wrote: XboxLiveUnban wrote: jester wrote: Nothing is downloaded little buddy, I explained that here:
jester wrote: -Peacee wrote: No, because everyone above me is completely wrong with their reasoning. You can not crack XBLS because the HV is loaded into memory upon connecting to Live.
lol you're actually comically wrong. That would be insecure as hell. They do response generation on the server, meaning without compromising all of the server code (and the server's copy of the HV) it cannot be reproduced.
Putting the entire HV into memory and hashing it on the buyer's xbox is a great way to let someone steal the method
Oh ok, thanks for informing me about that. I appreciate your help.
Don't know if this will help but here it is anyway, don't know who made it
This code is already on the post. Thank you though.
1 useful
0 not useful
#6. Posted:
Status: Offline
Joined: May 18, 2013 (11 Year Member)
Posts: 765
Reputation Power: 53
Wait, we already know we can't crack this
1 useful
0 not useful
#7. Posted:
Status: Offline
Joined: Feb 27, 2010 (14 Year Member)
Posts: 30
Reputation Power: 1
It's actually much easier to do the research yourself and create a clean hypervisor than to try and steal it from someone else. Why not work on that?
7 useful
0 not useful
#8. Posted:
Status: Offline
Joined: May 31, 2013 (11 Year Member)
Posts: 20
Reputation Power: 0
nickcas wrote: It's actually much easier to do the research yourself and create a clean hypervisor than to try and steal it from someone else. Why not work on that?
Well yah, you're 100% right on that, but I'm not trying to steal what XBLS has done. I'm simply informing the users of TTG.
1 useful
0 not useful
#9. Posted:
Status: Offline
Joined: Dec 15, 2012 (11 Year Member)
Posts: 11
Reputation Power: 0
I have no idea if this helps or works. But I got this file ages ago, and supposedly it was supposed to update your hv, and chal_resp.
And it was intended for the 15574 Dash...
Copying custom response.....HV Salt Physical Addr: 0x%016I64X...xboxkrnl.exe....Buffer: %p..HV Salt: %p.....New Challenge Version...Dumping.....Xbox Live Challenge Version: %d.....SystemTime: %d-%d-%d.%d:%d:%d...Failed to resolve ExExpansionInstall....Fail...Error Code: 0x%08X...Success! Expansion Installed!...xam.xex.setup PatchInJump...Install Expansion...XeLive:.\Device\Harddisk0\Partition1\...MountPath...XeLiveBypass built for challenge version: 14717
\??\%s..\System??\%s....Missing retail HV!..Done....memcpy2.....XeCryptShaFinal.....XeCryptShaUpdate....XeCryptShaInit..Alloc memory for retail HV..XeLive:\XeLive\HV_15574.bin.Missing chal_resp.bin...Read chal_resp..XeLive:\XeLive\chal_resp.bin....Decrypted challenge data saved..XeLive:\XeLive\XeKeysExecute_Payload.bin....returning to XAM
0 useful
0 not useful
#10. Posted:
Status: Offline
Joined: May 31, 2013 (11 Year Member)
Posts: 20
Reputation Power: 0
-CHEMO wrote: I have no idea if this helps or works. But I got this file ages ago, and supposedly it was supposed to update your hv, and chal_resp.
And it was intended for the 15574 Dash...
Yah, I'm sorry to say but this is a little outdated.
0 useful
0 not useful