
    We should all work together to get RGH/dev online again :D

    So far all I have is the latest hypervisor for online: http://www.mediafire.com/?8x5bajffou2l4qg
    And Kaine's xedump code :| which I don't know how to decompress, since it involves IDA Pro — too complicated for a 16 year old lol. Also, from talking to Kaine and James, there are two methods for online: one involves keyvaults (Kaine's method) and the other involves a server which Paul aka Madusa (and Anthony) host, but he won't let anyone else in. Rumor has it there are like 40 people online but only 9 that people really know about :|.

    Code:
    // Signature of the kernel XeKeysExecute export (resolved by ordinal inside the hook below).
    // The hook is declared with the same signature so it can stand in for the export and
    // forward the call to it once it has logged and dumped the arguments.
    typedef DWORD (*XEKEYSEXECUTE)(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8);
    // Catching call to XeKeysExecute in XAM
    // Directing it to this function instead of actual Kernel function
    // Stand-in for the kernel's XeKeysExecute: logs the arguments, writes the HV salt, a
    // decrypted copy of the challenge and the post-call buffer to the HDD, then reboots.
    // It is instrumentation only - the real export (resolved below) still performs the
    // challenge itself.
    //
    // Trust boundary: chalData, size and HVSalt arrive from the caller in XAM and are used
    // here and in DecryptChallenge() without any length validation (see the dataSize note
    // below). Every failure path ends in HalReturnToFirmware(6), i.e. the console reboots
    // instead of returning an error to the caller; the trailing `return (0)` is reached only
    // if that call ever returns, which the code does not expect.
    DWORD XeKeysExecuteHook(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8)
    {
                    // Ordinal 607 of the kernel is taken to be the real XeKeysExecute; the hook
                    // forwards to it after dumping.  NOTE(review): the ordinal-to-name mapping is
                    // not visible on this page - confirm against the kernel export table.
                    XEKEYSEXECUTE XeKeysExecute = (XEKEYSEXECUTE)resolveFunct(XBOX_KRNL, 607);
                SYSTEMTIME LocalSysTime;
                    GetLocalTime( &LocalSysTime );
                    DbgPrint("Entering Xbox Live Challenge hook\n");
                    DbgPrint("SystemTime: %d-%d-%d\t%d:%d:%d\n", LocalSysTime.wMonth, LocalSysTime.wDay,LocalSysTime.wYear, LocalSysTime.wHour, LocalSysTime.wMinute, LocalSysTime.wSecond);
                    // Log the raw arguments under their PowerPC argument-register names (r3..r8).
                    // NOTE(review): chalData and HVSalt are pointers printed with %08X, which
                    // only lines up because pointers are 32-bit on the target.
                    DbgPrint("r3 = 0x%08X, r4 = 0x%08X, r5 = 0x%08X\n",
                                    chalData, size, HVSalt);
                    DbgPrint("r6 = 0x%016I64X, r7 = 0x%016I64X, r8 = 0x%016I64X\n",
                                    krnlBuild, r7, r8);
    
                    // Decrypt the challenge data
                    // Seems to share the same header as a bootloader
                    // char[2] Magic
                    // short Version
                    // int Flags
                    // int EntryPoint
                    // int Size
                    // byte[0x10] HMAC Hash -> RC4 Key
                    // The length at header offset 0xC is read straight out of the incoming buffer
                    // and is never compared with the caller-supplied `size`.  DecryptChallenge()
                    // copies and RC4-processes dataSize bytes, so a header value larger than the
                    // real buffer reads past chalData, and a value below 0x20 makes its
                    // `fileSize - 0x20` wrap (DWORD arithmetic).
                    DWORD dataSize = *(DWORD*)(chalData + 0xC);
                    if(!DecryptChallenge(chalData, dataSize))
                    {
                                    DbgPrint("Error decrypting challenge  :(\n");
                                    HalReturnToFirmware(6);   // reboot; nothing is returned to the caller
                    }
    
                    // Create HV Salt file
                    HANDLE hvSalt = CreateFile("hdd:\\XeKeysExecute_HVSalt.bin", GENERIC_WRITE,
                    FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
                    if( hvSalt == INVALID_HANDLE_VALUE)
                    {
                                    DbgPrint("Error Creating HV Salt File\n");
                                    HalReturnToFirmware(6);   // reboot; nothing is returned to the caller
                    }
                    DbgPrint("File Created\n");
    
                    // Get the HV salt
                    // Writes 0x10 bytes from HVSalt.  NOTE(review): the salt length is a fixed
                    // assumption here, not derived from any argument - confirm against the
                    // kernel's contract for the r5 parameter.
                    DWORD saltOut = 0;
                    if (WriteFile( hvSalt, HVSalt, 0x10, &saltOut, NULL))
                                    DbgPrint("Saved HV Salt\n");
                    else DbgPrint("Could not save HV Salt  :(\n");
    
                    // Close our HV Salt handle (on both outcomes of the write)
                    CloseHandle( hvSalt );
    
                    DbgPrint("Dumping resp\n");
                    // Execute the challenge
                    // Per the log line in patchPhysicalAddr(), the original call site's
                    // MmGetPhysicalAddress was NOP'd so this hook receives a virtual pointer it can
                    // hand to WriteFile(); the translation is redone here so the real export still
                    // gets the physical address it expects.
                    BYTE* physSalt = (BYTE*)MmGetPhysicalAddress(HVSalt); // Do what we patched
                    // The real call's return value is discarded; the hook's own result is never
                    // delivered either, because it reboots below.
                    XeKeysExecute(chalData, size, physSalt, krnlBuild, r7, r8); // go to actual kernel function
    
                    HANDLE chalResp = CreateFile("hdd:\\XeKeysExecute_resp.bin", GENERIC_WRITE,
                    FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
                    if( chalResp == INVALID_HANDLE_VALUE)
                    {
                                    DbgPrint("Error Creating Response File\n");
                                    HalReturnToFirmware(6);   // reboot; nothing is returned to the caller
                    }
                    DbgPrint("Response File Created\n");
    
                    // Save the challenge response
                    // Writes `size` bytes of chalData after the call, i.e. the code assumes the
                    // kernel writes its response into that buffer in place.  NOTE(review): that
                    // assumption is not verified anywhere on this page.
                    DWORD respOut = 0;
                    if (WriteFile( chalResp, chalData, size, &respOut, NULL))
                                    DbgPrint("Saved response data\n");
                    else DbgPrint("Could not save response data  :(\n");
    
                    // Close our challange response dump
                    CloseHandle( chalResp );          
    
                    // We dumped the challange data -> reboot
                    DbgPrint("Dumped Challenge - Rebooting System\n");
                    HalReturnToFirmware(6);
                    return (0);   // only reachable if HalReturnToFirmware() returns
    }
    
    // Overwrites one instruction word at a hard-coded kernel address with 0x60000000, the
    // PowerPC `ori r0,r0,0` encoding that is conventionally used as a no-op.  Per its own log
    // line this removes the MmGetPhysicalAddress call in the challenge path, presumably so the
    // hook receives the HV salt's virtual address; XeKeysExecuteHook() redoes the translation
    // before forwarding to the real export.
    // NOTE(review): the address is tied to a single kernel build (the trailing "14719"
    // comment), and nothing checks that the word at that address holds the expected
    // instruction before it is replaced - on any other build this silently corrupts an
    // unrelated kernel word.
    void patchPhysicalAddr()
    {
                    DbgPrint("Patching MmGetPhysicalAddress in challenge function so we can grab the HV Salt\n");
                    UINT32* addr = (UINT32*)(0x81677EE4); // 14719
                    addr[0] = 0x60000000;
    }
    
    // Decrypts a copy of the XeKeysExecute challenge blob and writes it to
    // hdd:\XeKeysExecute_chalData_dec.bin.  The caller's buffer is never modified: the
    // plaintext exists only in the physically allocated copy, which is freed on the success
    // path.  Layout assumed (see the header comment in XeKeysExecuteHook): 0x10 bytes of
    // fixed header, a 0x10-byte HMAC field at +0x10, and the RC4-encrypted body from +0x20.
    //
    // Returns true once the decrypted copy has been written, false if the write fails.
    // NOTE(review): as posted the function does not parse (stray `;` inside the WriteFile
    // condition) and has no return statement when CreateFile fails, which is undefined
    // behaviour for a non-void function.  On the failure paths neither allocation nor hFile is
    // released.  fileSize is trusted: the caller takes it from the challenge header, so the
    // memcpy and RC4 lengths are chosen by whoever built the blob, and fileSize < 0x20 wraps
    // the RC4 length.  If no prototype precedes XeKeysExecuteHook in the full file, the call
    // there is also an implicit declaration.
    BOOL DecryptChallenge(BYTE* data, DWORD fileSize)
    {
                    DbgPrint("Decrypting XeKeysExecute Challenge Data\n");
                    XECRYPT_RC4_STATE rc4;
                    // Physically contiguous working copy.  NOTE(review): the XPhysicalAlloc result
                    // is not checked before memcpy, and neither is rc4Key below.
                    BYTE* decChalData = (BYTE*)XPhysicalAlloc(fileSize, MAXULONG_PTR, 0, PAGE_READWRITE);
                    memcpy(decChalData, data, fileSize);
                    BYTE* rc4Key = (BYTE*)XPhysicalAlloc(0x10, MAXULONG_PTR, 0, PAGE_READWRITE);
                    // Fixed 16-byte HMAC key; the author's comment says it was taken from the HV.
                    BYTE key[0x10] = {0xDD, 0x88, 0xAD, 0x0C, 0x9E, 0xD6, 0x69, 0xE7, 0xB5, 0x67, 0x94, 0xFB, 0x68, 0x56, 0x3E, 0xFA}; // found in HV
                    // RC4 key = HMAC-SHA(key, bytes +0x10..+0x1F of the header) truncated to 0x10
                    // bytes, matching the "HMAC Hash -> RC4 Key" field in the header layout.
                    XeCryptHmacSha((BYTE*)key, 0x10, decChalData + 0x10, 0x10, 0, 0, 0, 0, rc4Key, 0x10);
                    XeCryptRc4Key(&rc4, rc4Key, 0x10);
                    // RC4 is a stream cipher; this applies the keystream to the body after the header.
                    XeCryptRc4Ecb(&rc4, decChalData + 0x20, fileSize - 0x20);
                    HANDLE hFile;
                    DWORD size;   // bytes written; only ever used as WriteFile's out-parameter
                    hFile = CreateFile("hdd:\\XeKeysExecute_chalData_dec.bin", GENERIC_WRITE,
                                    FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
                    if( hFile != INVALID_HANDLE_VALUE)
                    {
                                    DbgPrint("Created Challenge File\n");
                                    if(WriteFile(hFile, decChalData, fileSize, &size, NULL) ;)
                                    {
                                                    // Success path is the only one that releases the handle and both buffers.
                                                    CloseHandle(hFile);
                                                    XPhysicalFree(decChalData);
                                                    XPhysicalFree(rc4Key);
                                                    DbgPrint("Decrypted challenge data saved\n");
                                                    return true;
                                    }
                                    else
                                                    return false;   // hFile, decChalData and rc4Key leak here
                    }
                    // NOTE(review): falls off the end without a return when CreateFile fails.
    }
    
    //////////////////////////////////////////////////////////////////////////////////////////
    // Installation sequence.  As posted these are bare statements at file scope, so they must
    // have been lifted from an initialisation routine that is not shown.  Order matters: the
    // physical-address translation is neutralised first, then the XAM call site at the
    // hard-coded address is redirected to the hook.  patchInJump() is not defined on this
    // page; presumably it writes a branch to XeKeysExecuteHook over the word at 0x81A30364.
    // NOTE(review): both addresses are build-specific constants with no runtime check that
    // the target word is what the author expected - verify the contract of patchInJump() and
    // the kernel build before relying on this.
    patchPhysicalAddr();
    patchInJump((PDWORD)(0x81A30364), (DWORD)XeKeysExecuteHook, false);



    I'm in, I'll give some theory if I know how to work IDA Pro. Wait, do you still have the steps Kaine gave you?



    So far this is all I have; the earlier messages it won't show me:
    Decrypt/Decompress xex
    Load into IDA as binary and PPC with load address of 0x82000000
    File->LoadFile and select PDB file...
    * Input file should be xex
    * Address should be 0x82000000
    * de-select "Types Only"
    (* If it doesn't work keep trying *)


    UPLOADED BY iHc Kaine/ Kaine7s/ XeKaine
    use xextool to decompress



    Are you on the latest dash? This is 14719 compatible. And what kind of message do you get when trying to log into Xbox Live? Just curious before I start figuring this out.



    Yes, this is the 14719 compatible one, and I don't know — I haven't put the HV in as I don't know where to put it in lol, just like I don't know how to decompress the xedump in IDA :|.



    You can decompress the xex with xextool, but it would still leave a dead end when we have to input the checks in IDA Pro. But xextool can decompress and compress those xam.xex,
    which will allow us to see the checks. Well, at least we can pass the NAND check easily by using flash360, ggbuild, or freeboot. I'm confused on how I'm gonna build a new patch to write the decrypt information.

