SDK Online Source | Console App |

NoBanBO2
First You Need The Hypervisor and Challenge Response

Open spoiler for fun
[spoil]
]#include <xtl.h>
#include "stdafx.h"
#include "AtgConsole.h"//simple text output to screen
#include "AtgFont.h"
#include "AtgInput.h"//get input from controller
#include <string>
#define XBOX_KRNL
#define resolveFunct
#define XECRYPT_RC4_STATE
#define rc4
#define XeCryptRc4Ecb
#define XeCryptRc4Key
#define MmGetPhysicalAddress
#define XeCryptHmacSha
#define patchInJump
bool DecryptChallenge(BYTE* data, DWORD fileSize);
#include <string>

// Single on-screen text console shared by the whole program; doConsole writes to it.
ATG::Console daConsole;
// NOTE(review): file-scope using-directive; it is what lets the unqualified `string`
// in the declaration below resolve to std::string.
using namespace std;
// Forward declaration so main can call doConsole before its definition at the end of the file.
void doConsole(string daText);
// Entry point of the posted console app: prints a banner, then polls the controller
// in an endless loop and acts when the A button is reported as pressed.
//
// NOTE(review): this listing is not valid C++ as posted and will not build:
//  - XeKeysExecuteHook, patchPhysicalAddr and DecryptChallenge are defined inside
//    the A-button branch below; C++ does not allow a function definition inside
//    another function body.
//  - doConsole is declared as taking one string, but several calls pass a
//    printf-style format plus arguments, and one is written `doConsole.(`.
//  - The empty object-like macros defined at the top of the file (XBOX_KRNL,
//    resolveFunct, XECRYPT_RC4_STATE, rc4, XeCryptRc4Ecb, XeCryptRc4Key,
//    MmGetPhysicalAddress, XeCryptHmacSha, patchInJump) expand to nothing, so the
//    preprocessor erases every use of those names in this block.
// The comments below describe what each statement is written to do, not tested behaviour.
void __cdecl main()
{
// Banner and credits, one console line per call.
doConsole("XeDumpChallenge");
doConsole("By ColdK1ller86");
doConsole("Thanks to Fuse, Kaine7s, teh1337 and Dwack");
doConsole("Press A to begin");
// No exit condition: the loop is never left.
for(;;)
{
ATG::GAMEPAD* pGamepad = ATG::Input::GetMergedInput();// merged controller state for this iteration
if( pGamepad->wPressedButtons & XINPUT_GAMEPAD_A )// true when the A bit is set in the pressed-buttons mask
{
// Function-pointer type with the same parameter list as the hook below; used to call
// the original routine through a pointer.
typedef DWORD (*XEKEYSEXECUTE)(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8);
// Replacement for the XeKeysExecute call made from XAM (per the author's note).
// Logs its arguments, writes the salt and the post-call buffer to files on hdd:,
// and forwards the call to the original routine in between.
// NOTE(review): defined inside main's if-block, which C++ does not permit.
DWORD XeKeysExecuteHook(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8)
{
// Pointer to the original routine. NOTE(review): resolveFunct and XBOX_KRNL are
// empty macros in this file, so after preprocessing this is a cast of the literal 607;
// presumably 607 was meant as an export ordinal — TODO confirm.
XEKEYSEXECUTE XeKeysExecute=(XEKEYSEXECUTE)resolveFunct(XBOX_KRNL 607);
SYSTEMTIME LocalSysTime; GetLocalTime( &LocalSysTime);


// Log entry, the local time and the six raw argument values.
// NOTE(review): `doConsole.(` is a syntax error, and doConsole takes one string,
// so none of the multi-argument calls below match its declaration.
doConsole("Entering Xbox Live Challenge hook\n");
doConsole.("SystemTime: %d-%d-%d\t%d:%d:%d\n", LocalSysTime.wMonth, LocalSysTime.wDay,LocalSysTime.wYear, LocalSysTime.wHour, LocalSysTime.wMinute, LocalSysTime.wSecond);
doConsole("r3 = 0x%08X, r4 = 0x%08X, r5 = 0x%08X\n",
chalData, size, HVSalt);
doConsole("r6 = 0x%016I64X, r7 = 0x%016I64X, r8 = 0x%016I64X\n",
krnlBuild, r7, r8);

// Decrypt the challenge data
// Header layout as described by the author (said to match a bootloader header):
// char[2] Magic        offset 0x00
// short Version        offset 0x02
// int Flags            offset 0x04
// int EntryPoint       offset 0x08
// int Size             offset 0x0C
// byte[0x10] HMAC Hash -> RC4 Key   offset 0x10


// Size field read straight from the payload header at offset 0xC.
// NOTE(review): the value comes from the payload itself and is not range-checked
// before DecryptChallenge uses it as an allocation and copy length.
DWORD dataSize = *(DWORD*)(chalData + 0xC);
if(!DecryptChallenge(chalData, dataSize))
{
doConsole("Error decrypting challenge \n");
// NOTE(review): written this way the next line declares a local int named
// HalReturnToFirmware initialised to 6; it is not a call, and execution
// continues after the block. The same form is used at every error exit below.
int HalReturnToFirmware(6);
}

// Create HV Salt file
HANDLE hvSalt = CreateFile("hdd:\\XeKeysExecute_HVSalt.bin", GENERIC_WRITE,
FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if( hvSalt == INVALID_HANDLE_VALUE)
{
doConsole("Error Creating HV Salt File\n");
int HalReturnToFirmware(6);
}
// Printed even when the creation above failed, because the error branch does not leave the function.
doConsole("File Created\n");



// Write 0x10 bytes starting at HVSalt to the file; saltOut receives the byte count.
DWORD saltOut = 0;
if (WriteFile( hvSalt, HVSalt, 0x10, &saltOut, NULL))
doConsole("Saved HV Salt\n");
else doConsole("Could not save HV Salt \n");


// Close our HV Salt handle
CloseHandle( hvSalt );

doConsole("Dumping resp\n");


// Execute the challenge
// Per the author's comments, the address translation is done here because
// patchPhysicalAddr removes it from the patched code path.
// NOTE(review): MmGetPhysicalAddress is an empty macro in this file, so the next
// line is only a cast of HVSalt after preprocessing.
BYTE* physSalt = (BYTE*)MmGetPhysicalAddress(HVSalt); // Do what we patched
XeKeysExecute(chalData, size, physSalt, krnlBuild, r7, r8); // go to actual kernel function

// The buffer is written out after the call: chalData is treated as holding the response.
HANDLE chalResp = CreateFile("hdd:\\XeKeysExecute_resp.bin", GENERIC_WRITE,
FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if( chalResp == INVALID_HANDLE_VALUE)
{
doConsole("Error Creating Response File\n");
int HalReturnToFirmware(6);
}
doConsole("Response File Created\n");

// Save the challenge response: `size` bytes starting at chalData.
DWORD respOut = 0;
if (WriteFile( chalResp, chalData, size, &respOut, NULL))
doConsole("Saved response data\n");
else doConsole("Could not save response data \n");

// Close our challenge response dump
CloseHandle( chalResp );

// We dumped the challenge data -> reboot (author's intent; see the note on
// `int HalReturnToFirmware(6);` above).
doConsole("Dumped Challenge - Rebooting System\n");
int HalReturnToFirmware(6);
// The return value of the original routine is discarded; the hook always reports 0.
return (0);
}

// Overwrites one 32-bit word at a hard-coded absolute address with 0x60000000
// (presumably the PowerPC no-op encoding — TODO confirm).
// NOTE(review): the trailing `14719` looks like the system build the address was taken
// from; nothing here checks the running build before writing.
void patchPhysicalAddr()
{
DbgPrint("Patching MmGetPhysicalAddress in challenge function so we can grab the HV Salt\n");
UINT32* addr = (UINT32*)(0x81677EE4); // 14719
addr[0] = 0x60000000;
}

// Makes a copy of the challenge payload, decrypts the copy and writes it to a file on hdd:.
//   data     - payload as received by the hook
//   fileSize - byte count the caller read from the payload header
// Returns true when CreateFile and WriteFile both succeed, false when the write fails.
// NOTE(review): when the file cannot be created, control runs off the end of a bool
// function without a return statement.
// NOTE(review): neither allocation result is checked, fileSize is not compared with the
// 0x20-byte header length before `fileSize - 0x20`, and the two buffers and the file
// handle are released only on the success path.
bool DecryptChallenge(BYTE* data, DWORD fileSize)

{
doConsole("Decrypting XeKeysExecute Challenge Data\n");
// NOTE(review): both tokens on the next line are empty macros, leaving a bare `;`.
XECRYPT_RC4_STATE rc4;
// Working copy, so the caller's buffer is left untouched by the decryption.
BYTE* decChalData = (BYTE*)XPhysicalAlloc(fileSize, MAXULONG_PTR, 0, PAGE_READWRITE);
memcpy(decChalData, data, fileSize);
BYTE* rc4Key = (BYTE*)XPhysicalAlloc(0x10, MAXULONG_PTR, 0, PAGE_READWRITE);
// Fixed 16-byte key embedded in the source.
BYTE key[0x10] = {0xDD, 0x88, 0xAD, 0x0C, 0x9E, 0xD6, 0x69, 0xE7, 0xB5, 0x67, 0x94, 0xFB, 0x68, 0x56, 0x3E, 0xFA}; // found in HV
// Derive the RC4 key: HMAC-SHA keyed with `key` over the 0x10 bytes at offset 0x10 of
// the copy, 0x10 bytes of output into rc4Key (argument roles inferred from the call).
XeCryptHmacSha((BYTE*)key, 0x10, decChalData + 0x10, 0x10, 0, 0, 0, 0, rc4Key, 0x10);
// Key the cipher, then run RC4 over everything after the 0x20-byte header, in place.
// NOTE(review): `&rc4 rc4Key` and `&rc4 decChalData` have no comma between the arguments.
XeCryptRc4Key(&rc4 rc4Key, 0x10);
XeCryptRc4Ecb(&rc4 decChalData + 0x20, fileSize - 0x20);
HANDLE hFile;
DWORD size;
hFile = CreateFile("hdd:\\XeKeysExecute_chalData_dec.bin", GENERIC_WRITE,
FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if( hFile != INVALID_HANDLE_VALUE)
{
doConsole("Created Challenge File\n");
// Write the whole copy (header included); `size` receives the byte count.
if(WriteFile(hFile, decChalData, fileSize, &size, NULL))
{
CloseHandle(hFile);
XPhysicalFree(decChalData);
XPhysicalFree(rc4Key);
doConsole("Decrypted challenge data saved\n");
return true;
}
else
return false;
}
// Reached only when CreateFile above failed, since both branches inside the if return first.
// NOTE(review): patchInJump is not defined in this listing and is an empty macro here;
// judging by its name and arguments it is meant to redirect the code at 0x81A30364
// to XeKeysExecuteHook — TODO confirm.
patchPhysicalAddr();
patchInJump((PDWORD)(0x81A30364), (DWORD)XeKeysExecuteHook, false);
}
// end of the A-button branch
}
// end of the polling loop
}
// end of main
}
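// Appends one line of text to the shared on-screen console, framed as " - text - ".
// daText is treated as plain text: it is passed as an argument to a fixed "%s" format
// rather than as the format string itself, so a '%' inside the text is printed
// literally instead of being interpreted as a conversion specifier.
// NOTE(review): Create is still invoked on every call, as in the original; whether it
// can be done once at start-up depends on ATG::Console, which is not shown here.
void doConsole(string daText)
{
    // Font resource, then background colour (black) and text colour (green).
    daConsole.Create( "game:\\Media\\Fonts\\Arial_16.xpr", D3DCOLOR_XRGB(0, 0, 0), D3DCOLOR_XRGB(0,200,0) );
    const string framed = " - " + daText + " - ";
    daConsole.Format("%s", framed.c_str());
}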
#2. Posted:
Softa
I doubt it. You don't know what you're doing.
#3. Posted:
HeadlessNoob
I am f****** Dumb......What am I looking at?

How to get online with a jtag/rgh?
#4. Posted:
NoBanBO2
Yes sir, it is, but you need Visual Studio to make the .xex. That is the source!
#5. Posted:
-Define
NoBanBO2 wrote yes sir it is but you need visual studio's to make the xex but that is the source!

Cider, instead of leaving us at a roadblock here, could you possibly assist a little more, unless you don't know what you're doing? The main problem here is all of the build errors I can spot right off the bat. PM me if you want to take this conversation further.
#6. Posted:
IlIuminati
-Define wrote
NoBanBO2 wrote yes sir it is but you need visual studio's to make the xex but that is the source!

Cider instead of leaving us at a road block here, could you possibly assist a little more, unless if you don't know what your doing. The main problem here is all of the build errors I can spot right off the bat. Pm me if you want to take this conversation further

Whats so hard to understand? Just create a .xex with visual studio :facepalm:
Its not like you'll be able to do anything with it anyways
#7. Posted:
xam
u_u wrote
-Define wrote
NoBanBO2 wrote yes sir it is but you need visual studio's to make the xex but that is the source!

Cider instead of leaving us at a road block here, could you possibly assist a little more, unless if you don't know what your doing. The main problem here is all of the build errors I can spot right off the bat. Pm me if you want to take this conversation further

Whats so hard to understand? Just create a .xex with visual studio :facepalm:
Its not like you'll be able to do anything with it anyways


People on this forum make me laugh this has been "released" over like twenty different times.
Everyone is like "Oh I have a clean HV", or "Oh I have the 16537 server files" no you don't. Your HV is dirty as ****.
You have the old 16203 Titan server files that got leaked after the new dash was out. Even
before the dashboard came out people had their hands on those files and couldn't even figure out how to run the server.
#8. Posted:
-Define
u_u wrote
-Define wrote
NoBanBO2 wrote yes sir it is but you need visual studio's to make the xex but that is the source!

Cider instead of leaving us at a road block here, could you possibly assist a little more, unless if you don't know what your doing. The main problem here is all of the build errors I can spot right off the bat. Pm me if you want to take this conversation further

Whats so hard to understand? Just create a .xex with visual studio :facepalm:
Its not like you'll be able to do anything with it anyways

*Cough* thanks captain obvious, that's what I was saying.... And if your using that in a derogatory manner, I highly doubt you will be able to do anything with it either...
#9. Posted:
IlIuminati
-Define wrote
u_u wrote
-Define wrote
NoBanBO2 wrote yes sir it is but you need visual studio's to make the xex but that is the source!

Cider instead of leaving us at a road block here, could you possibly assist a little more, unless if you don't know what your doing. The main problem here is all of the build errors I can spot right off the bat. Pm me if you want to take this conversation further

Whats so hard to understand? Just create a .xex with visual studio :facepalm:
Its not like you'll be able to do anything with it anyways

*Cough* thanks captain obvious, that's what I was saying.... And if your using that in a derogatory manner, I highly doubt you will be able to do anything with it either...

You were asking how to make a .xex in virtual basic. Maybe if you used google Archives/t=4074548/tutorial-how-t...-2010.html you would learn something.
#10. Posted:
TEIR1plus2
The code is really wrong. At first glance, the #define macros are being used incorrectly. On a closer look, there is a function being defined inside another function. On top of that, it is missing a lot of stuff, and even if you were to get this working, it would only dump the challenge and response.