Anyone Good With Xbox Scripting +MONEY!
Mods4Dworld
Hey, any coders out there looking to earn some money: come help with some
adding/editing.
If you give out very helpful info or some rare files, you will receive $100.
Any information can be helpful; I really need people's help on this.

My Understanding.

(1)Get all nand Files from your xbox (Done)
(2)create a Script to read the HV Salt reverse(Done)
(3)Crack the Hypervisor (from the newest Xbox Dashboard).(Need Help!!!)


Skype=Mods4Dworld AIM=Fetching Name...

This is all the info I have found so far.
// Signature of the kernel's XeKeysExecute routine. The hook below obtains the
// real function through resolveFunct(XBOX_KRNL, 607) and calls it via this type.
// The parameter names mirror the r3..r8 register naming used in the DbgPrint
// calls of the hook; what each argument means beyond that is not shown here.
typedef DWORD (*XEKEYSEXECUTE)(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8);
// Replacement for the kernel's XeKeysExecute, installed by patchInJump (see the
// two statements at the bottom of the listing). On entry it logs the local time
// and the raw arguments, decrypts the challenge buffer through DecryptChallenge,
// writes the 16-byte HVSalt buffer to hdd:\XeKeysExecute_HVSalt.bin, forwards
// the call to the real kernel routine (ordinal 607 of XBOX_KRNL), writes the
// updated chalData buffer to hdd:\XeKeysExecute_resp.bin, and then calls
// HalReturnToFirmware(6).
//
// chalData  - challenge buffer; the DWORD at offset 0xC is read as the size
//             handed to DecryptChallenge (it is not compared against `size`).
// size      - length passed through to the kernel routine and used as the
//             byte count of the response dump.
// HVSalt    - 16 bytes are written to the salt file; the kernel routine is given
//             MmGetPhysicalAddress(HVSalt) instead of the virtual pointer.
// krnlBuild, r7, r8 - passed through to the kernel routine unchanged.
// Returns 0, but only after HalReturnToFirmware(6); whether that call returns is
// not shown on this page.
//
// NOTE(review): the three error paths (decrypt failure, salt-file failure,
// response-file failure) call HalReturnToFirmware(6) without a `return`, so if
// that routine does return, execution continues with the failed handle or the
// undecrypted buffer. The return value of the forwarded XeKeysExecute call is
// discarded.
DWORD XeKeysExecuteHook(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8)
{
// Resolve the real kernel export by ordinal so we can forward to it below.
XEKEYSEXECUTE XeKeysExecute = (XEKEYSEXECUTE)resolveFunct(XBOX_KRNL, 607);
SYSTEMTIME LocalSysTime;
GetLocalTime( &LocalSysTime );
DbgPrint("Entering Xbox Live Challenge hook\n");
DbgPrint("SystemTime: %d-%d-%d\t%d:%d:%d\n", LocalSysTime.wMonth, LocalSysTime.wDay,LocalSysTime.wYear, LocalSysTime.wHour, LocalSysTime.wMinute, LocalSysTime.wSecond);
// Arguments are logged under their PowerPC argument-register names (r3..r8).
DbgPrint("r3 = 0x%08X, r4 = 0x%08X, r5 = 0x%08X\n",
chalData, size, HVSalt);
DbgPrint("r6 = 0x%016I64X, r7 = 0x%016I64X, r8 = 0x%016I64X\n",
krnlBuild, r7, r8);

// Decrypt the challenge data.
// The original author's reading of the header (presumably shared with the
// bootloader format; not verified on this page):
// char[2] Magic
// short Version
// int Flags
// int EntryPoint
// int Size
// byte[0x10] HMAC Hash -> RC4 Key
// The size field at 0xC is trusted as-is; nothing checks it against `size`.
DWORD dataSize = *(DWORD*)(chalData + 0xC);
if(!DecryptChallenge(chalData, dataSize))
{
DbgPrint("Error decrypting challenge \n");
HalReturnToFirmware(6);
}

// Create the HV salt output file.
HANDLE hvSalt = CreateFile("hdd:\\XeKeysExecute_HVSalt.bin", GENERIC_WRITE,
FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if( hvSalt == INVALID_HANDLE_VALUE)
{
DbgPrint("Error Creating HV Salt File\n");
HalReturnToFirmware(6);
}
DbgPrint("File Created\n");

// Write the 16-byte salt; a failed WriteFile is only logged.
DWORD saltOut = 0;
if (WriteFile( hvSalt, HVSalt, 0x10, &saltOut, NULL))
DbgPrint("Saved HV Salt\n");
else DbgPrint("Could not save HV Salt \n");

// Close our HV salt handle.
CloseHandle( hvSalt );

DbgPrint("Dumping resp\n");
// Forward to the real kernel routine. patchPhysicalAddr() NOP'd the kernel's
// own MmGetPhysicalAddress call, so the translation is done here instead.
BYTE* physSalt = (BYTE*)MmGetPhysicalAddress(HVSalt); // Do what we patched
XeKeysExecute(chalData, size, physSalt, krnlBuild, r7, r8); // go to actual kernel function

// Create the response output file.
HANDLE chalResp = CreateFile("hdd:\\XeKeysExecute_resp.bin", GENERIC_WRITE,
FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if( chalResp == INVALID_HANDLE_VALUE)
{
DbgPrint("Error Creating Response File\n");
HalReturnToFirmware(6);
}
DbgPrint("Response File Created\n");

// Save the challenge response: the whole chalData buffer, `size` bytes, as
// left by the kernel routine. A failed WriteFile is only logged.
DWORD respOut = 0;
if (WriteFile( chalResp, chalData, size, &respOut, NULL))
DbgPrint("Saved response data\n");
else DbgPrint("Could not save response data \n");

// Close our challenge response dump.
CloseHandle( chalResp );

// We dumped the challenge data -> reboot.
DbgPrint("Dumped Challenge - Rebooting System\n");
HalReturnToFirmware(6);
return (0);
}

// Overwrite one 32-bit instruction word at a hard-coded kernel address with
// 0x60000000 (the PowerPC no-op encoding), so that the kernel's own
// MmGetPhysicalAddress call in the challenge routine no longer runs;
// XeKeysExecuteHook performs that translation itself before forwarding.
// The address is tied to a single kernel build (the original comment tags it
// "14719"); no other build is handled, and nothing verifies the word being
// replaced before it is overwritten.
void patchPhysicalAddr()
{
DbgPrint("Patching MmGetPhysicalAddress in challenge function so we can grab the HV Salt\n");
UINT32* addr = (UINT32*)(0x81677EE4); // 14719
addr[0] = 0x60000000;
}

// Decrypt a copy of the challenge buffer and write it to
// hdd:\XeKeysExecute_chalData_dec.bin.
//
// data     - challenge buffer; it is copied, never modified, so the caller's
//            buffer stays as it was.
// fileSize - number of bytes copied, decrypted (minus the 0x20-byte header)
//            and written.
// Returns true once the decrypted copy has been written and the handle and
// both physical allocations released; false if WriteFile fails.
//
// Key schedule as written: a 16-byte HMAC-SHA keyed with `key` over the 16
// bytes at data+0x10 yields rc4Key, which keys RC4 over data+0x20 onward.
//
// NOTE(review): as posted, the `if(... ;)` line does not parse. Also, when
// CreateFile fails the function falls off the end without a return value, and
// on both failure paths the two XPhysicalAlloc buffers (and, on WriteFile
// failure, hFile) are never released. fileSize below 0x20 makes
// `fileSize - 0x20` wrap, and neither XPhysicalAlloc result is checked for
// NULL before use.
BOOL DecryptChallenge(BYTE* data, DWORD fileSize)
{
DbgPrint("Decrypting XeKeysExecute Challenge Data\n");
XECRYPT_RC4_STATE rc4;
// Work on a physically-allocated copy; `data` itself is not written.
BYTE* decChalData = (BYTE*)XPhysicalAlloc(fileSize, MAXULONG_PTR, 0, PAGE_READWRITE);
memcpy(decChalData, data, fileSize);
BYTE* rc4Key = (BYTE*)XPhysicalAlloc(0x10, MAXULONG_PTR, 0, PAGE_READWRITE);
// 16-byte HMAC key embedded in the source (original comment: "found in HV").
BYTE key[0x10] = {0xDD, 0x88, 0xAD, 0x0C, 0x9E, 0xD6, 0x69, 0xE7, 0xB5, 0x67, 0x94, 0xFB, 0x68, 0x56, 0x3E, 0xFA}; // found in HV
// Derive the RC4 key from the 16 bytes at offset 0x10 of the header.
XeCryptHmacSha((BYTE*)key, 0x10, decChalData + 0x10, 0x10, 0, 0, 0, 0, rc4Key, 0x10);
XeCryptRc4Key(&rc4, rc4Key, 0x10);
// Decrypt everything after the 0x20-byte header in place.
XeCryptRc4Ecb(&rc4, decChalData + 0x20, fileSize - 0x20);
HANDLE hFile;
DWORD size;
hFile = CreateFile("hdd:\\XeKeysExecute_chalData_dec.bin", GENERIC_WRITE,
FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if( hFile != INVALID_HANDLE_VALUE)
{
DbgPrint("Created Challenge File\n");
if(WriteFile(hFile, decChalData, fileSize, &size, NULL) ;)
{
// Success path is the only one that releases the handle and buffers.
CloseHandle(hFile);
XPhysicalFree(decChalData);
XPhysicalFree(rc4Key);
DbgPrint("Decrypted challenge data saved\n");
return true;
}
else
return false;
}
}

//////////////////////////////////////////////////////////////////////////////////////////
// Installation sequence (posted without its enclosing function): first NOP the
// kernel's MmGetPhysicalAddress call, then redirect the hard-coded address
// 0x81A30364 to XeKeysExecuteHook. Both addresses are specific to one kernel
// build (see the "14719" tag in patchPhysicalAddr). patchInJump is not defined
// on this page; its third argument's meaning is not shown here.
patchPhysicalAddr();
patchInJump((PDWORD)(0x81A30364), (DWORD)XeKeysExecuteHook, false);


#2. Posted:
GTC
Don't post this kind of stuff, dude. Most won't help you since we have other things to worry about, plus you have no proof of paying. Figure it out yourself ;)
#3. Posted:
Mods4Dworld
XeTemp wrote Don't post this kind of stuff dude. Most won't help you since we have other things to worry about about plus you have no proof of paying. Figure it out your self ;)


Thanks man, but all I need is some info to get started.
#4. Posted:
GTC
Mods4Dworld wrote
XeTemp wrote Don't post this kind of stuff dude. Most won't help you since we have other things to worry about about plus you have no proof of paying. Figure it out your self ;)


Thanks man but all i need is some info to get started.
Well, I understand that. But Google might be able to help you out. I would help, but I honestly have no clue myself.
#5. Posted:
Mods4Dworld
XeTemp wrote
Mods4Dworld wrote
XeTemp wrote Don't post this kind of stuff dude. Most won't help you since we have other things to worry about about plus you have no proof of paying. Figure it out your self ;)


Thanks man but all i need is some info to get started.
Well I understand that. But google might be able to help you out. I would help but I honestly have no clue my self.


I just got a decrypted Live HV for 16203. I'm serious; I paid a lot for it as well. It's from someone that has their own XBL-like server. What do I do now?
#6. Posted:
SSJ4_Dwack
Mods4Dworld wrote
XeTemp wrote
Mods4Dworld wrote
XeTemp wrote Don't post this kind of stuff dude. Most won't help you since we have other things to worry about about plus you have no proof of paying. Figure it out your self ;)


Thanks man but all i need is some info to get started.
Well I understand that. But google might be able to help you out. I would help but I honestly have no clue my self.


I just got a decrypted live HV for 16203 I'm serious I paid a lot for it as well it's from some one that has there own xbls like server, what to do now?


$1000 says you just got ripped off lmao

not even kidding!
#7. Posted:
ZoidbergAWAY
I think you're in WAY over your head.
#8. Posted:
Mods4Dworld
SSJ4_Dwack wrote
Mods4Dworld wrote
XeTemp wrote
Mods4Dworld wrote
XeTemp wrote Don't post this kind of stuff dude. Most won't help you since we have other things to worry about about plus you have no proof of paying. Figure it out your self ;)


Thanks man but all i need is some info to get started.
Well I understand that. But google might be able to help you out. I would help but I honestly have no clue my self.


I just got a decrypted live HV for 16203 I'm serious I paid a lot for it as well it's from some one that has there own xbls like server, what to do now?


$1000 says you just got ripped off lmao

not even kidding!


Nah, I didn't get ripped off, it's legit; I just want to know what to do now...
#9. Posted:
CabooseSayzWTF
Mods4Dworld wrote
XeTemp wrote
Mods4Dworld wrote
XeTemp wrote Don't post this kind of stuff dude. Most won't help you since we have other things to worry about about plus you have no proof of paying. Figure it out your self ;)


Thanks man but all i need is some info to get started.
Well I understand that. But google might be able to help you out. I would help but I honestly have no clue my self.


I just got a decrypted live HV for 16203 I'm serious I paid a lot for it as well it's from some one that has there own xbls like server, what to do now?

Kid, you got ripped off; it's not hard to get the HV for 16203.
#10. Posted:
Mods4Dworld
SkyDoesMods wrote
Mods4Dworld wrote
XeTemp wrote
Mods4Dworld wrote
XeTemp wrote Don't post this kind of stuff dude. Most won't help you since we have other things to worry about about plus you have no proof of paying. Figure it out your self ;)


Thanks man but all i need is some info to get started.
Well I understand that. But google might be able to help you out. I would help but I honestly have no clue my self.


I just got a decrypted live HV for 16203 I'm serious I paid a lot for it as well it's from some one that has there own xbls like server, what to do now?

kid you got ripped off, its not hard to get the hv for 16203


Yeah, it's not hard to get an RGH/JTAG offline HV, but it is almost impossible to get an online HV, so I got one that someone uses on their XBL server.