Jtag online code from august needs update cpp and headers
daniel26
This is the decompiled code:
//xbox 360 jtag online code - (Find the headers and the required cpp files yourselves!)


#include "stdafx.h"
#include "XeCrypt.h"
#include "HttpClient.h"
#include "Kernel.h"
#include
#include


// launch.xex ordinal 2, resolved in DllMain (online mode only).  In this file its
// value is used purely as a flag: 0 selects the DmSetMemory patch path in
// SetupImportPatch.  It is never called here.
DWORD (*launchStartSysModule)(char*);

// xboxkrnl.exe ordinal 0x249: keyed HMAC-SHA over up to three input buffers
// (KeyNum presumably selects a kernel key slot).  Resolved at runtime in
// ClearMachineAccount; 0 if the ordinal is missing on this kernel build.
typedef VOID (*XEKEYSHMACSHA)(DWORD KeyNum, const BYTE* pbInp1, DWORD cbInp1,
const BYTE* pbInp2, DWORD cbInp2,
const BYTE* pbInp3, DWORD cbInp3,
BYTE* pbOut, DWORD cbOut);
XEKEYSHMACSHA XeKeysHmacSha;

// xboxkrnl.exe ordinal 0x18: store an XConfig setting.  Resolved at runtime in
// ClearMachineAccount.  (The third parameter is named cbOut but is the input
// blob being written.)
typedef VOID (*EXSETXCONFIGSETTING)(WORD SettingCategory, WORD settingIndex,
BYTE* cbOut, DWORD size);
EXSETXCONFIGSETTING ExSetXConfigSetting;

// The real XeKeysExecute; bound to a fixed (kernel-build-specific) address in
// GenerateKVHash and called from the hook's fall-through path.
typedef DWORD (*XEKEYSEXEC)(VOID* data, DWORD size, UINT64 arg_r4, UINT64 arg_r5, UINT64 arg_r6, UINT64 arg_r7); // ord 0x25F
XEKEYSEXEC XeKeysExecute;

// xam.xex ordinal 656: queue an on-screen notification.  Resolved on every call
// of XeKeysExecHook; the resolver returns 0 when the ordinal is missing.
typedef void (*XNotifyQueueUI)(u64 stringId, u64 playerIndex, u64 r5, WCHAR* displayText, u64 r7);

// Header of the buffer XAM hands to XeKeysExecute.  XeKeysExecHook treats the
// buffer as a Live challenge when magic == 0x4D4D and ver == 0x397D; no other
// field is read through this struct in this file.
typedef struct _keysexec
{
USHORT magic;
USHORT ver;
USHORT qfe;
USHORT flags;
DWORD entry;
DWORD size;

// at 0x10... just an array start for the data in the challenge up to [size],
// resp seems to wind up at 0x20, so &data[0x10]
// (single-element array used as an open-ended tail; the struct is only ever
// overlaid on a caller-provided buffer, never allocated by this file)
char data[1];
} keysexec , *Pkeysexec;

BYTE KVHash[0x14];    // SHA-1 computed in GenerateKVHash; sent in every logon POST
BYTE CPUKey[0x10];    // per-console secret read from a fixed kernel address;
                      // held in a writable global and never zeroed
BYTE XeTicket[0x14];  // initial ticket from the kernel, replaced by each server reply
BYTE HV[0x40000];     // 256 KiB hypervisor image: read from HV.bin (offline) or
                      // via HvxReadBytes (online), then hashed for the challenge

BOOL OfflineMode;     // set in DllMain when Hdd:\XeLive\KaitenServer.xex exists
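VOID PatchInJump(DWORD* Address, DWORD Destination, BOOL Linked)
{
    // Emit a four-instruction PowerPC absolute branch at Address:
    //   lis   r11, hi16(Destination)       0x3D60xxxx
    //   addi  r11, r11, lo16(Destination)  0x396Bxxxx
    //   mtctr r11                          0x7D6903A6
    //   bctr / bctrl                       0x4E800420 / 0x4E800421
    //
    // Address     - where the 16-byte stub is written (4 DWORDs).  No check is
    //               made that it is writable or is really code; the caller owns that.
    // Destination - 32-bit target of the branch.
    // Linked      - TRUE emits bctrl (sets LR, so the target can return),
    //               FALSE emits bctr.
    DWORD hi = (Destination >> 16) & 0xFFFF;
    DWORD lo = Destination & 0xFFFF;

    // addi sign-extends its 16-bit immediate: when bit 15 of the low half is set
    // the add subtracts 0x10000, so the high half is bumped by one to compensate.
    // The result is masked back to 16 bits; for a high half of 0xFFFF the
    // unmasked hi + 1 (0x10000) would otherwise carry into the rA field of the
    // lis encoding and assemble a different instruction.
    if (lo & 0x8000)
        hi = (hi + 1) & 0xFFFF;

    Address[0] = 0x3D600000 | hi;
    Address[1] = 0x396B0000 | lo;
    Address[2] = 0x7D6903A6;
    Address[3] = Linked ? 0x4E800421 : 0x4E800420;
}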



UINT32 resolveFunct(char* modname, UINT32 ord)
{
    // Look up export `ord` of the already-loaded module `modname` by ordinal.
    // Returns the procedure address, or 0 when the module is not loaded or the
    // ordinal does not resolve.  Every caller must check for 0 before calling
    // through the result.
    UINT32 moduleHandle = 0;
    if (XexGetModuleHandle(modname, (PHANDLE)&moduleHandle) != 0)
        return 0;

    // The status code of XexGetProcedureAddress is not consulted; a non-zero
    // out-pointer is the only success criterion.
    UINT32 procAddr = 0;
    XexGetProcedureAddress((HANDLE)moduleHandle, ord, &procAddr);
    return procAddr;
}

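void ClearMachineAccount()
{
    // Regenerate the stored machine-account XConfig blob (category 4, index 1)
    // around a fresh random confounder.
    //
    // Blob layout as used below (offsets relative to macAccount):
    //   0x00  SHA-1 digest (0x14) over confounder || body
    //   0x14  8-byte random confounder
    //   0x1C  0x1D0-byte body, RC4-encrypted with an HMAC-SHA derived key
    // Total 0x1EC bytes.  The original allocated only 0x1D0 bytes yet cleared,
    // hashed, encrypted and stored 0x1EC, running 0x1C bytes past the allocation;
    // the allocation now matches the blob size.
    const DWORD blobSize = 0x1EC;

    XeKeysHmacSha = (XEKEYSHMACSHA)resolveFunct("xboxkrnl.exe", 0x249);
    ExSetXConfigSetting = (EXSETXCONFIGSETTING)resolveFunct("xboxkrnl.exe", 0x18);
    if (XeKeysHmacSha == NULL || ExSetXConfigSetting == NULL)
    {
        // Ordinals are kernel-build specific; calling through a NULL pointer here
        // would take the console down, so fail loudly instead.
        DbgPrint("ClearMachineAccount: failed to resolve kernel exports.\n");
        return;
    }

    int settingCategory = 4;

    BYTE* macAccount = (BYTE*)XPhysicalAlloc(blobSize, MAXULONG_PTR, NULL, PAGE_READWRITE);
    if (macAccount == NULL)
    {
        DbgPrint("ClearMachineAccount: XPhysicalAlloc failed.\n");
        return;
    }
    memset(macAccount, 0, blobSize);

    // Random confounder at 0x14.
    XeCryptRandom(macAccount + 0x14, 0x8);

    // Integrity digest over confounder || plaintext body, stored at offset 0.
    // (Hash-then-encrypt, as in the original: the digest covers the body before
    // RC4 is applied.)
    XeCryptSha(macAccount + 0x14, 0x8, macAccount + 0x1C, 0x1D0, NULL, NULL, macAccount, 0x14);

    // RC4 key = HMAC-SHA(key slot 0x17, confounder || settingCategory).
    BYTE key[0x14];
    XeKeysHmacSha(0x17, macAccount + 0x14, 0x8, (BYTE*)&settingCategory, sizeof(int),
                  NULL, NULL, key, 0x14);

    // Encrypt the body in place.
    XeCryptRc4(key, 0x14, macAccount + 0x1C, 0x1D0);

    ExSetXConfigSetting(settingCategory, 1, macAccount, blobSize);

    // The key is derived from a per-console secret: scrub it with a volatile
    // store loop (a plain memset on a dead buffer may be elided), then release
    // the blob.  NOTE(review): this assumes ExSetXConfigSetting copies the blob
    // rather than retaining the pointer -- confirm before relying on the free.
    volatile BYTE* scrub = key;
    for (DWORD i = 0; i < sizeof(key); i++)
        scrub[i] = 0;
    XPhysicalFree(macAccount);
}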
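void InitXNet()
{
    // Bring up the XNet stack with XNET_STARTUP_BYPASS_SECURITY (the later HTTP
    // POST goes to a host outside Live), wait for the title's XNADDR to settle,
    // then initialize Winsock 2.2.  Failures are logged; the function stays void
    // so existing callers are unaffected.
    XNetStartupParams xnsp;
    memset(&xnsp, 0, sizeof(xnsp));
    xnsp.cfgSizeOfStruct = sizeof(XNetStartupParams);
    xnsp.cfgFlags = XNET_STARTUP_BYPASS_SECURITY;

    DWORD dwResult = XNetStartup(&xnsp);
    if (dwResult != 0)
    {
        // Nothing below can work without the stack.  The original discarded this
        // status and went on to poll for an address regardless.
        DbgPrint("InitXNet: XNetStartup failed.\n");
        return;
    }

    // Spin until the address is assigned.  There is no upper bound, so a console
    // with no network link never returns from this call.
    XNADDR xna;
    do
    {
        dwResult = XNetGetTitleXnAddr(&xna);
    } while (dwResult == XNET_GET_XNADDR_PENDING);

    WSADATA wsaData;
    if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0)
        DbgPrint("InitXNet: WSAStartup failed.\n");
}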

// NOTE(review): this block sits outside every function (it follows InitXNet's
// closing brace) and cannot compile as written; it looks like a kernel-build
// check that was lifted out of its enclosing function by the decompiler or the
// paste.  The condition is also unsatisfiable: `x | ~0x5` has every bit except
// bits 0 and 2 set, so it can never equal 0x15574 and the `return -1` branch
// would always be taken.  Treat it as residue, not as working logic.
if (((XboxKrnlVersion->Build >> 3) | ~0x5) == 0x15574)
{
XboxKrnlVersion->Build |= 0x3;
}
else
return -1;

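// Show a short on-screen notification via XAM's XNotifyQueueUI.  A NULL function
// pointer (ordinal not resolved on this build) skips the notification instead of
// faulting inside the hook.
static void NotifyUser(XNotifyQueueUI notify, const WCHAR* text)
{
    if (notify == NULL)
        return;
    WCHAR buffer[0x256];
    swprintf(buffer, L"%s", text);
    notify(0x22, 0x0, 2, buffer, 0);
}

// Read exactly `size` bytes of `path` into `dest`.  Returns TRUE on success; on
// a missing file or a short read it logs and returns FALSE.  The original opened
// and read without checking either step, so a missing file silently produced an
// uninitialized response buffer.
static BOOL ReadWholeFile(const char* path, BYTE* dest, DWORD size)
{
    HANDLE file = CreateFile(path, GENERIC_READ, FILE_SHARE_READ, NULL,
                             OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (file == INVALID_HANDLE_VALUE)
    {
        DbgPrint("XeLiveChallenge: cannot open %s\n", path);
        return FALSE;
    }

    DWORD bytesRead = 0;
    BOOL ok = ReadFile(file, dest, size, &bytesRead, NULL);
    CloseHandle(file);

    if (!ok || bytesRead != size)
    {
        DbgPrint("XeLiveChallenge: short read on %s\n", path);
        return FALSE;
    }
    return TRUE;
}

DWORD XeKeysExecHook(VOID* data, DWORD size, UINT64 arg_r4, UINT64 arg_r5, UINT64 arg_r6, UINT64 arg_r7)
{
    // Replacement for the XeKeysExecute call XAM makes when Live issues a
    // challenge.  Two modes:
    //   OfflineMode - answer from local files: Hdd:\XeLive\chall_resp.bin is the
    //                 canned 0x200-byte response; the salted hypervisor digest
    //                 (over HV.bin, salt = 0x10 bytes at arg_r4) is written at
    //                 +0x50 and KVHash at +0x64.
    //   online      - POST XeTicket || salt || KVHash to the XeLiveLogon endpoint
    //                 and copy the returned ticket and 0x200-byte response into
    //                 `data`.
    // Returns 0 on success and (DWORD)-1 on failure.  `data` is assumed non-NULL
    // and at least sizeof(keysexec) long, as in the original.  0x200 bytes are
    // written into `data` without consulting `size` -- NOTE(review): confirm
    // `size` is a byte count before bounding that copy; a smaller caller buffer
    // is still overrun here.
    XNotifyQueueUI xNotifyQueueUI = (XNotifyQueueUI)resolveFunct("xam.xex", 656);

    if (OfflineMode)
    {
        DbgPrint("XeLiveChallenge: Reading challenge Response.\n");

        BYTE* challResponse = (BYTE*)XPhysicalAlloc(0x200, MAXULONG_PTR, NULL, PAGE_READWRITE);
        if (challResponse == NULL)
        {
            DbgPrint("XeLiveChallenge: XPhysicalAlloc failed.\n");
            return (DWORD)-1;
        }

        if (!ReadWholeFile("Hdd:\\XeLive\\chall_resp.bin", challResponse, 0x200))
        {
            XPhysicalFree(challResponse);
            return (DWORD)-1;
        }

        DbgPrint("XeLiveChallenge: Done..\n");
        DbgPrint("XeLiveChallenge: Reading HyperVisor..\n");

        // HV is a 0x40000-byte global; the digest below reaches 0x30000 + 0xFFFC,
        // so anything short of a full image would hash stale bytes.
        if (!ReadWholeFile("Hdd:\\XeLive\\HV.bin", HV, 0x40000))
        {
            XPhysicalFree(challResponse);
            return (DWORD)-1;
        }

        DbgPrint("XeLiveChallenge: Done..\n");
        DbgPrint("XeLiveChallenge: Hashing HyperVisor..\n");

        // SHA-1 over the salt followed by fixed hypervisor ranges.  The ranges are
        // what the challenge expects; they are reproduced exactly.
        XECRYPT_SHA_STATE Sha1;
        XeCryptShaInit(&Sha1);
        XeCryptShaUpdate(&Sha1, (BYTE*)arg_r4, 0x10);      // salt
        XeCryptShaUpdate(&Sha1, HV + 0x34,    0x40);
        XeCryptShaUpdate(&Sha1, HV + 0x78,    0xFF88);
        XeCryptShaUpdate(&Sha1, HV + 0x100C0, 0x3C);
        XeCryptShaUpdate(&Sha1, HV + 0x10320, 0x5B40);
        XeCryptShaUpdate(&Sha1, HV + 0x16A3C, 0x95C4);
        XeCryptShaUpdate(&Sha1, HV + 0x20000, 0xFFFC);
        XeCryptShaUpdate(&Sha1, HV + 0x30000, 0xFFFC);
        XeCryptShaFinal(&Sha1, challResponse + 0x50, 0x14);

        DbgPrint("XeLiveChallenge: Done..\n");
        DbgPrint("XeLiveChallenge: Preparing challenge response..\n");

        memcpy(challResponse + 0x64, KVHash, 0x14);
        memcpy(data, challResponse, 0x200);
        XPhysicalFree(challResponse);   // the original leaked this on every challenge

        DbgPrint("XeLiveChallenge: All Done.. \n");
        DbgPrint("XeLiveChallenge: Returning execution to XAM..\n");

        NotifyUser(xNotifyQueueUI, L"XeLiveLogon Success!");
        return 0;
    }

    // Online mode.  Loop until `data` holds a challenge we can answer: a buffer
    // that is not yet a challenge is handed to the real XeKeysExecute, and a
    // failed POST simply retries.  There is no retry limit, as in the original.
    while (true)
    {
        InitXNet();
        DbgPrint("\n\n ---------\n\n");

        Pkeysexec pk = (Pkeysexec)data;
        if (pk->magic == 0x4D4D && pk->ver == 0x397D)
        {
            // Request body: XeTicket (0x14) || salt (0x10) || KVHash (0x14).
            BYTE* dataBuff = (BYTE*)XPhysicalAlloc(0x38, MAXULONG_PTR, NULL, PAGE_READWRITE);
            if (dataBuff == NULL)
            {
                DbgPrint("XeLiveChallenge: XPhysicalAlloc failed.\n");
                return (DWORD)-1;
            }
            memset(dataBuff, 0, 0x38);
            memcpy(dataBuff,        XeTicket,      0x14);
            memcpy(dataBuff + 0x14, (BYTE*)arg_r4, 0x10);
            memcpy(dataBuff + 0x24, KVHash,        0x14);

            // Plain HTTP to a hard-coded host: the ticket and KV hash cross the
            // network unprotected and the reply is trusted as-is -- nothing here
            // authenticates the server, so whoever answers for that name controls
            // what is copied into `data` below.
            HttpClient client(0);
            client.POST("xedevteam.com", "/XeLiveLogon/70AC481F3F3F01A7CB44.aspx", (char*)dataBuff, 0x38);
            XPhysicalFree(dataBuff);   // the original leaked this on every attempt

            // Reply: DWORD status (1 = success) || XeTicket (0x14) || response (0x200).
            // HttpClient's behaviour on a failed request is not visible here; a
            // NULL body is treated as failure rather than dereferenced.
            BYTE* respData = client.GetResponseContentData();
            if (respData == NULL || *(DWORD*)respData != 1)
            {
                NotifyUser(xNotifyQueueUI, L"XeLiveLogon Fail =(");
                continue;
            }

            NotifyUser(xNotifyQueueUI, L"XeLiveLogon Success!");
            memcpy(XeTicket, respData + 0x4, 0x14);
            memcpy((void*)data, respData + 0x18, 0x200);
            return 0;
        }

        // Not a challenge yet: snapshot the live hypervisor (4 x 64 KiB) and let
        // the real XeKeysExecute run.  Its status does not end the loop.
        HvxReadBytes(0, (LONG)(HV), 0x10000);
        HvxReadBytes(0x200010000, (LONG)(HV + 0x10000), 0x10000);
        HvxReadBytes(0x400020000, (LONG)(HV + 0x20000), 0x10000);
        HvxReadBytes(0x600030000, (LONG)(HV + 0x30000), 0x10000);
        DbgPrint("New Challenge...\n");
        XeKeysExecute(data, size, arg_r4, arg_r5, arg_r6, arg_r7);
    }
}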

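void SetupImportPatch()
{
    // Redirect XAM's call into XeKeysExecute to XeKeysExecHook.  Both addresses
    // are dashboard/kernel-build specific and are wrong on any other build.
    //   launchStartSysModule == 0 -> build the 16-byte jump stub in a scratch
    //                                buffer and write it to 0x81CBD58C through
    //                                the xbdm DmSetMemory API.
    //   otherwise                 -> patch 0x81A30364 in place.
    // (DllMain calls this before resolving launchStartSysModule in offline mode,
    // so that mode always takes the DmSetMemory path.)
    if (launchStartSysModule != 0)
    {
        PatchInJump((DWORD*)0x81A30364, (DWORD)XeKeysExecHook, false);
        return;
    }

    BYTE* patchData = (BYTE*)XPhysicalAlloc(0x10, MAXULONG_PTR, NULL, PAGE_READWRITE);
    if (patchData == NULL)
    {
        // The original wrote through this pointer unchecked.  Without the stub
        // there is nothing to install, so leave XAM unpatched rather than fault.
        DbgPrint("SetupImportPatch: XPhysicalAlloc failed.\n");
        return;
    }

    PatchInJump((DWORD*)patchData, (DWORD)XeKeysExecHook, false);
    DmSetMemory((LPVOID)0x81CBD58C, 0x10, patchData, NULL);
    XPhysicalFree(patchData);
}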

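void GenerateKVHash()
{
    // Capture the initial XeTicket and the CPU key from fixed kernel addresses,
    // bind XeKeysExecute to its fixed address, and derive KVHash = SHA-1(CPUKey).
    // All three addresses are kernel-build specific.
    //
    // Fix: the original copied CPUKey from ticketPtr (the first 0x10 bytes of the
    // ticket) and never used cpuPtr, so KVHash was a hash of ticket bytes.  cpuPtr
    // (0x801F2014) sits exactly one 0x14-byte ticket after ticketPtr, which is the
    // layout the two pointers describe; the copy now reads from it.
    BYTE* ticketPtr = (BYTE*)0x801F2000;
    BYTE* cpuPtr = (BYTE*)0x801F2014;
    memcpy(XeTicket, ticketPtr, 0x14);
    memcpy(CPUKey, cpuPtr, 0x10);

    XeKeysExecute = (XEKEYSEXEC)0x80144488;

    // KVHash = SHA-1(CPUKey); the other XeCryptSha input slots are unused.  The
    // CPU key itself stays in the CPUKey global for the life of the module.
    XeCryptSha(CPUKey, 0x10, NULL, NULL, NULL, NULL, KVHash, 0x14);
}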

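HRESULT doMountPath(const char* szDrive, const char* szDevice)
{
    // Create (or replace) the symbolic link szDrive -> szDevice so that, e.g.,
    // "Hdd:" resolves to a device path.  The link lives under \System?? when
    // called from the system process and under \?? otherwise.  Returns the
    // status of ObCreateSymbolicLink.
    //
    // Fix: the original format strings read "\\System??\\%s']\\System??\\%s" and
    // "\\??\\%s']\\??\\%s" -- two %s conversions for a single argument, which is
    // undefined behaviour in sprintf_s.  The duplicated text around a stray "']"
    // is paste damage; one directive per string is what the link name needs.
    STRING DeviceName, LinkName;
    CHAR szDestinationDrive[MAX_PATH];

    if (KeGetCurrentProcessType() == SYSTEM_PROC)
        sprintf_s(szDestinationDrive, MAX_PATH, "\\System??\\%s", szDrive);
    else
        sprintf_s(szDestinationDrive, MAX_PATH, "\\??\\%s", szDrive);

    RtlInitAnsiString(&DeviceName, szDevice);
    RtlInitAnsiString(&LinkName, szDestinationDrive);

    // Best effort: the delete fails harmlessly when no link exists yet.
    ObDeleteSymbolicLink(&LinkName);
    return (HRESULT)ObCreateSymbolicLink(&LinkName, &DeviceName);
}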
//-------------------------------------------------------------------------------------
// Name: main()
// Desc: The application's entry point
//-------------------------------------------------------------------------------------
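BOOL APIENTRY DllMain(HANDLE hInstDLL, DWORD reason, LPVOID lpReserved)
{
    // Entry point.  On process attach: mount Hdd:, choose offline mode (when
    // Hdd:\XeLive\KaitenServer.xex exists) or online mode, then install the
    // XeKeysExecute hook, reset the machine account and compute KVHash.
    //
    // Changes from the original:
    //  * the device path handed to doMountPath was
    //    "\\Device\\Harddisk0\\Partition1']\\Device\\Harddisk0\\Partition1" --
    //    text duplicated around a stray "']", the same paste damage seen in
    //    doMountPath's format strings; it is now the single device path.
    //  * every path returns TRUE.  The original returned 0 (FALSE) from the
    //    offline path and fell off the end otherwise (no value at all, which is
    //    undefined behaviour).  FALSE from DLL_PROCESS_ATTACH conventionally tells
    //    the loader to unload the module, which would leave the jump stub just
    //    installed into XAM pointing at unmapped code.  NOTE(review): confirm how
    //    the xex loader treats the return value.
    if (reason != DLL_PROCESS_ATTACH)
        return TRUE;

    doMountPath("Hdd:", "\\Device\\Harddisk0\\Partition1");

    // Probe for the offline server binary; its presence selects offline mode.
    HANDLE fileHandle = CreateFile("Hdd:\\XeLive\\KaitenServer.xex", GENERIC_READ,
        FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

    if (fileHandle != INVALID_HANDLE_VALUE)
    {
        OfflineMode = TRUE;
        CloseHandle(fileHandle);

        DbgPrint("XeLiveChallenge: Offline mode started... \n");
        DbgPrint("XeLiveChallenge: Initializing..\n");

        SetupImportPatch();
        ClearMachineAccount();
        GenerateKVHash();
        DbgPrint("XeLiveChallenge: Done! Continue Kaiten.Dll..\n");
        return TRUE;
    }

    // Online mode.  Resolve launch.xex ordinal 2 if not already known; a 0 result
    // is what SetupImportPatch later reads as the JTAG/RGH/dev case.
    if (launchStartSysModule == 0)
        launchStartSysModule = (DWORD (__cdecl *)(char*))(resolveFunct("launch.xex", 2));

    InitXNet();
    SetupImportPatch();
    ClearMachineAccount();
    GenerateKVHash();
    return TRUE;
}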

Build this into a .xex, paired with an HTTP server that is connected to the key vault (KV).



This is the code, for anyone interested.
#2. Posted:
ModdingCandy
So you have no proof, yet you expect people to try this even though this code was patched long ago?

edit:
AND YOU ONLY HAVE 2 POSTS :wat:
#3. Posted:
daniel26
I'm new to forum sites like TTG, XPG and Se7enSins. I am just trying to give some people a bit of a base, which can help them greatly: although it is outdated, Microsoft has not completely rewritten their verification code, so for the most part this bypass code is quite valuable to the right person and can save at least a day of coding. I cannot supply proof, as this is now outdated and I did not record the method before it was patched; sorry if I have misled or angered you.
#4. Posted:
Wolfcyde
This is extremely old and no longer good for anything. The old method of getting online is nothing like getting online with the new dashboard, therefore nobody is going to be online anytime soon...
#5. Posted:
daniel26
Yes I do realize that. I stated that this needs updating
#6. Posted:
DIREG
With This Into A xex running on a http server connected to the kv


?
?
?
???

WTF Are you talking about
#7. Posted:
daniel26
Sorry, it is rather unclear; I don't really know how to explain it. It's pretty much an HTTP server paired with the .xex so that you can connect to Xbox Live — and you do understand what a key vault is? Sorry, it is still a bit ambiguous.
#8. Posted:
Wolfcyde
daniel26 wrote Sorry it is rather unclear, i don't really know how to explain it, its pretty much a http server running the xex so that you can connect to xbox live, and you do understand what a key vault is? Sorry it is still a bit ambiguous.


This is useless; it doesn't work like this anymore. Ask anyone who is trying to update — it's pretty much impossible now.
#9. Posted:
ImGenerate
Well, you copied this off Se7enSins.
#10. Posted:
daniel26
I blatantly did not. Either way, this is outdated and of little use; I just wanted to post it to give people a bit of an understanding of it.