#11. Posted:
Hugh
droseum20 wrote Yes, and you created your own online method. Please tell me more, I'm interested.


I was thinking: "codes own online method, but doesn't know how to add XNotify; seems legit."
#12. Posted:
XBLVenom
TLH-Hugh wrote
droseum20 wrote Yes, and you created your own online method. Please tell me more, I'm interested.


I was thinking " codes own online method but , doesn't know how To add XNotify , seems legit "
// Function-pointer type for the routine that the hook below obtains from
// resolveFunct (XBOX_KRNL, 607) and calls through: six arguments, DWORD result.
// NOTE(review): the listing is garbled as posted -- "krnlBuild UINT64" and
// "r8 UINT64" have name and type swapped -- so it does not compile as shown.
typedef DWORD (* XEKEYSEXECUTE) (BYTE * chalData, DWORD size, BYTE * HVSalt, krnlBuild UINT64, UINT64 r7, r8 UINT64);
 // Replacement for XeKeysExecute: the last line of this listing points the code at
 // 0x81A30364 here via patchInJump. It logs its arguments, hands the buffer to
 // DecryptChallenge, writes 0x10 bytes of HVSalt to a file, calls the routine
 // resolved from ordinal 607, writes `size` bytes of chalData to a second file and
 // finishes with HalReturnToFirmware (6).
 // NOTE(review): the text is garbled as posted ("/ /" for "//", "\ n" for "\n",
 // statement terminators swallowed by trailing comments); it does not compile as shown.
 / / Catching call to XeKeysExecute in XAM
 / / Directing it to this function instead of actual kernel function
 DWORD XeKeysExecuteHook (BYTE * chalData, DWORD size, BYTE * HVSalt, krnlBuild UINT64, UINT64 r7, r8 UINT64)
 {
                // Resolve the original routine (ordinal 607 of XBOX_KRNL) so it can still be called below.
                XEKEYSEXECUTE XeKeysExecute = (XEKEYSEXECUTE) resolveFunct (XBOX_KRNL, 607);
            SYSTEMTIME LocalSysTime;
                GetLocalTime (& LocalSysTime);
                // Debug trace: timestamp plus the six incoming arguments (the format strings label them r3..r8).
                DbgPrint ("Entering Xbox Live Challenge hook \ n");
                DbgPrint ("System Time:% d% d% d \ t% d:% d:% d \ n", LocalSysTime.wMonth, LocalSysTime.wDay, LocalSysTime.wYear, LocalSysTime.wHour, LocalSysTime.wMinute, LocalSysTime.wSecond );
                DbgPrint ("r3 = 0x% 08X, 0x% 08X = r4, r5 = 0x% 08X \ n",
                                chalData, size, HVSalt);
                DbgPrint ("= 0x% 016I64x r6, r7 = 0x% 016I64x, r8 = 0x% 016I64x \ n",
                                krnlBuild, r7, r8);
 
                / / Decrypt the challenge data
                / / Seems to share the same header as a bootloader
                / / Char [2] Magic
                / / Short version
                / / Int flags
                / / Int EntryPoint
                / / Int Size
                / / Byte [0x10] HMAC hash -> RC4 Key
                // The length is read from offset 0xC of the buffer itself (the "Int Size" slot in the
                // layout above). NOTE(review): nothing visible here checks it against `size`.
                DWORD datasize = * (DWORD *) (chalData + 0xC);
                // A non-zero return takes the branch that logs an error and calls HalReturnToFirmware (6).
                if (DecryptChallenge (chalData, datasize))
                {
                                DbgPrint ("Error decrypting challenge: (\ n");
                                HalReturnToFirmware (6);
                }
 
                / / Create file HV Salt
                // CREATE_ALWAYS: an existing file of the same name is replaced.
                HANDLE hvSalt = CreateFile ("hdd: \ \ XeKeysExecute_HVSalt.bin", GENERIC_WRITE,
                FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
                if (hvSalt == INVALID_HANDLE_VALUE)
                {
                                DbgPrint ("Error Creating HV Salt File \ n");
                                HalReturnToFirmware (6);
                }
                DbgPrint ("File Created \ n");
 
                / / Get the HV salt
                // Writes a fixed 0x10 bytes from HVSalt; a failed write is only logged, execution continues.
                DWORD saltOut = 0;
                if (WriteFile (hvSalt, HVSalt, 0x10, & saltOut, NULL))
                                DbgPrint ("Saved HV Salt \ n");
                else DbgPrint ("Could not save HV Salt: (\ n");
 
                / / Close our HV Salt handle
                CloseHandle (hvSalt);
 
                DbgPrint ("dumping respectively \ n");
                / / Execute the challenge
                // The salt pointer is passed through MmGetPhysicalAddress before the call to the resolved
                // routine; patchPhysicalAddr's log message ties its one-word patch to that function.
                // The return value of the resolved routine is not kept.
                BYTE * physSalt = (BYTE *) MmGetPhysicalAddress (HVSalt) / / Do what we patched
                XeKeysExecute (chalData, size, physSalt, krnlBuild, r7, r8) / / go to current kernel function
 
                HANDLE chalResp = CreateFile ("hdd: \ \ XeKeysExecute_resp.bin", GENERIC_WRITE,
                FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
                if (chalResp == INVALID_HANDLE_VALUE)
                {
                                DbgPrint ("Error Creating Response File \ n");
                                HalReturnToFirmware (6);
                }
                DbgPrint ("Response File Created \ n");
 
                / / Save the challenge response
                // Writes `size` bytes of chalData as it stands after the call above.
                DWORD respOut = 0;
                if (WriteFile (chalResp, chalData, size, & respOut, NULL))
                                DbgPrint ("Saved response data \ n");
                else DbgPrint ("Could not save response data: (\ n");
 
                / / Close our challange response dump
                CloseHandle (chalResp);         
 
                / / We dumped the challange data -> reboot
                // The log text describes HalReturnToFirmware (6) as a reboot; the return below follows it.
                DbgPrint ("Dumped Challenge - Rebooting system \ n");
                HalReturnToFirmware (6);
                return (0);
 }
 
 // Overwrites the 32-bit word at the fixed address 0x81677EE4 with 0x60000000.
 // The log message ties the patch to MmGetPhysicalAddress; the trailing "14719" is
 // presumably the kernel build this address belongs to -- TODO confirm. A hard-coded
 // address like this is only meaningful on the one build it was taken from.
 // NOTE(review): 0x60000000 is the PowerPC no-op encoding, so this presumably blanks a
 // single instruction; which check it removes is not visible in this listing.
 patchPhysicalAddr void ()
 {
                DbgPrint ("Patching MmGetPhysicalAddress function so we can challenge in the grave HV Salt \ n");
                UINT32 * addr = (UINT32 *) (0x81677EE4) / / 14719
                addr [0] = 0x60000000;
 }
 
 // Copies `filesize` bytes of `data` into a fresh XPhysicalAlloc buffer, derives a
 // 0x10-byte RC4 key with XeCryptHmacSha, runs RC4 over the copy from offset 0x20
 // onward and writes the whole copy to a file on hdd:. The caller's buffer is only
 // read (memcpy source), never modified.
 // Returns true after a successful write and false when WriteFile fails; the path
 // where CreateFile fails falls off the end without a return statement.
 // NOTE(review): neither allocation is checked, `filesize` is used as given by the
 // caller, `filesize - 0x20` wraps for values below 0x20 (DWORD), and both buffers
 // are released only on the success path. The listing is garbled as posted
 // ("& rc4 rc4Key", "file size", "NULL ;))") and does not compile as shown.
 BOOL DecryptChallenge (BYTE * data, DWORD filesize)
 {
                DbgPrint ("Decrypting XeKeysExecute Challenge Data \ n");
                XECRYPT_RC4_STATE rc4;
                // Work on a private copy of the input.
                BYTE * decChalData = (BYTE *) XPhysicalAlloc (filesize, MAXULONG_PTR, 0, PAGE_READWRITE);
                memcpy (decChalData, data, filesize);
                BYTE * rc4Key = (BYTE *) XPhysicalAlloc (0x10, MAXULONG_PTR, 0, PAGE_READWRITE);
                // Hard-coded 16-byte constant; the original comment only says where it was found.
                BYTE key [0x10] = {0xDD, 0x88, 0xAD, 0x0C, 0x9E, 0xD6, 0x69, 0xE7, 0xB5, 0x67, 0x94, 0xFB, 0x68, 0x56, 0x3E, 0xFA} / / found in HV
                // HMAC input is the 0x10 bytes at offset 0x10 of the copy; the 0x10-byte result lands in
                // rc4Key (argument roles inferred from the call shape -- TODO confirm against the API).
                XeCryptHmacSha ((BYTE *) key, 0x10, 0x10 + decChalData, 0x10, 0, 0, 0, 0, rc4Key, 0x10);
                XeCryptRc4Key (& rc4 rc4Key, 0x10);
                // The first 0x20 bytes of the copy are left as they are; RC4 covers the remainder.
                XeCryptRc4Ecb (& rc4 decChalData + 0x20, file size - 0x20);
                HANDLE hFile;
                DWORD size;
                hFile = CreateFile ("hdd: \ \ XeKeysExecute_chalData_dec.bin", GENERIC_WRITE,
                                FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
                if (hFile! = INVALID_HANDLE_VALUE)
                {
                                DbgPrint ("Created Challenge File \ n");
                                if (WriteFile (hFile, decChalData, file size, & size, NULL ;))
                                {
                                                // Success path: the only place the handle and both buffers are released.
                                                CloseHandle (hFile);
                                                XPhysicalFree (decChalData);
                                                XPhysicalFree (rc4Key);
                                                DbgPrint ("Decrypted challenge data saved \ n");
                                                return true;
                                }
                                else
                                                return false;
                }
 }
 
 / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / /
 // Installation fragment: apply the one-word patch first, then use patchInJump to
 // redirect the code at the fixed address 0x81A30364 to XeKeysExecuteHook.
 // patchInJump is not defined in this listing, so the meaning of the final `false`
 // argument cannot be told from here. Both addresses are hard-coded constants.
 patchPhysicalAddr ();
 patchInJump ((PDWORD) (0x81A30364), (DWORD) XeKeysExecuteHook, false);
Trust me, I know a little coding.
#13. Posted:
droseum20
XBLVenom wrote
TLH-Hugh wrote
droseum20 wrote Yes, and you created your own online method. Please tell me more, I'm interested.


I was thinking " codes own online method but , doesn't know how To add XNotify , seems legit "
// Function-pointer type for the routine that the hook below obtains from
// resolveFunct (XBOX_KRNL, 607) and calls through: six arguments, DWORD result.
// NOTE(review): the listing is garbled as posted -- "krnlBuild UINT64" and
// "r8 UINT64" have name and type swapped -- so it does not compile as shown.
typedef DWORD (* XEKEYSEXECUTE) (BYTE * chalData, DWORD size, BYTE * HVSalt, krnlBuild UINT64, UINT64 r7, r8 UINT64);
 // Replacement for XeKeysExecute: the last line of this listing points the code at
 // 0x81A30364 here via patchInJump. It logs its arguments, hands the buffer to
 // DecryptChallenge, writes 0x10 bytes of HVSalt to a file, calls the routine
 // resolved from ordinal 607, writes `size` bytes of chalData to a second file and
 // finishes with HalReturnToFirmware (6).
 // NOTE(review): the text is garbled as posted ("/ /" for "//", "\ n" for "\n",
 // statement terminators swallowed by trailing comments); it does not compile as shown.
 / / Catching call to XeKeysExecute in XAM
 / / Directing it to this function instead of actual kernel function
 DWORD XeKeysExecuteHook (BYTE * chalData, DWORD size, BYTE * HVSalt, krnlBuild UINT64, UINT64 r7, r8 UINT64)
 {
                // Resolve the original routine (ordinal 607 of XBOX_KRNL) so it can still be called below.
                XEKEYSEXECUTE XeKeysExecute = (XEKEYSEXECUTE) resolveFunct (XBOX_KRNL, 607);
            SYSTEMTIME LocalSysTime;
                GetLocalTime (& LocalSysTime);
                // Debug trace: timestamp plus the six incoming arguments (the format strings label them r3..r8).
                DbgPrint ("Entering Xbox Live Challenge hook \ n");
                DbgPrint ("System Time:% d% d% d \ t% d:% d:% d \ n", LocalSysTime.wMonth, LocalSysTime.wDay, LocalSysTime.wYear, LocalSysTime.wHour, LocalSysTime.wMinute, LocalSysTime.wSecond );
                DbgPrint ("r3 = 0x% 08X, 0x% 08X = r4, r5 = 0x% 08X \ n",
                                chalData, size, HVSalt);
                DbgPrint ("= 0x% 016I64x r6, r7 = 0x% 016I64x, r8 = 0x% 016I64x \ n",
                                krnlBuild, r7, r8);
 
                / / Decrypt the challenge data
                / / Seems to share the same header as a bootloader
                / / Char [2] Magic
                / / Short version
                / / Int flags
                / / Int EntryPoint
                / / Int Size
                / / Byte [0x10] HMAC hash -> RC4 Key
                // The length is read from offset 0xC of the buffer itself (the "Int Size" slot in the
                // layout above). NOTE(review): nothing visible here checks it against `size`.
                DWORD datasize = * (DWORD *) (chalData + 0xC);
                // A non-zero return takes the branch that logs an error and calls HalReturnToFirmware (6).
                if (DecryptChallenge (chalData, datasize))
                {
                                DbgPrint ("Error decrypting challenge: (\ n");
                                HalReturnToFirmware (6);
                }
 
                / / Create file HV Salt
                // CREATE_ALWAYS: an existing file of the same name is replaced.
                HANDLE hvSalt = CreateFile ("hdd: \ \ XeKeysExecute_HVSalt.bin", GENERIC_WRITE,
                FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
                if (hvSalt == INVALID_HANDLE_VALUE)
                {
                                DbgPrint ("Error Creating HV Salt File \ n");
                                HalReturnToFirmware (6);
                }
                DbgPrint ("File Created \ n");
 
                / / Get the HV salt
                // Writes a fixed 0x10 bytes from HVSalt; a failed write is only logged, execution continues.
                DWORD saltOut = 0;
                if (WriteFile (hvSalt, HVSalt, 0x10, & saltOut, NULL))
                                DbgPrint ("Saved HV Salt \ n");
                else DbgPrint ("Could not save HV Salt: (\ n");
 
                / / Close our HV Salt handle
                CloseHandle (hvSalt);
 
                DbgPrint ("dumping respectively \ n");
                / / Execute the challenge
                // The salt pointer is passed through MmGetPhysicalAddress before the call to the resolved
                // routine; patchPhysicalAddr's log message ties its one-word patch to that function.
                // The return value of the resolved routine is not kept.
                BYTE * physSalt = (BYTE *) MmGetPhysicalAddress (HVSalt) / / Do what we patched
                XeKeysExecute (chalData, size, physSalt, krnlBuild, r7, r8) / / go to current kernel function
 
                HANDLE chalResp = CreateFile ("hdd: \ \ XeKeysExecute_resp.bin", GENERIC_WRITE,
                FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
                if (chalResp == INVALID_HANDLE_VALUE)
                {
                                DbgPrint ("Error Creating Response File \ n");
                                HalReturnToFirmware (6);
                }
                DbgPrint ("Response File Created \ n");
 
                / / Save the challenge response
                // Writes `size` bytes of chalData as it stands after the call above.
                DWORD respOut = 0;
                if (WriteFile (chalResp, chalData, size, & respOut, NULL))
                                DbgPrint ("Saved response data \ n");
                else DbgPrint ("Could not save response data: (\ n");
 
                / / Close our challange response dump
                CloseHandle (chalResp);         
 
                / / We dumped the challange data -> reboot
                // The log text describes HalReturnToFirmware (6) as a reboot; the return below follows it.
                DbgPrint ("Dumped Challenge - Rebooting system \ n");
                HalReturnToFirmware (6);
                return (0);
 }
 
 // Overwrites the 32-bit word at the fixed address 0x81677EE4 with 0x60000000.
 // The log message ties the patch to MmGetPhysicalAddress; the trailing "14719" is
 // presumably the kernel build this address belongs to -- TODO confirm. A hard-coded
 // address like this is only meaningful on the one build it was taken from.
 // NOTE(review): 0x60000000 is the PowerPC no-op encoding, so this presumably blanks a
 // single instruction; which check it removes is not visible in this listing.
 patchPhysicalAddr void ()
 {
                DbgPrint ("Patching MmGetPhysicalAddress function so we can challenge in the grave HV Salt \ n");
                UINT32 * addr = (UINT32 *) (0x81677EE4) / / 14719
                addr [0] = 0x60000000;
 }
 
 // Copies `filesize` bytes of `data` into a fresh XPhysicalAlloc buffer, derives a
 // 0x10-byte RC4 key with XeCryptHmacSha, runs RC4 over the copy from offset 0x20
 // onward and writes the whole copy to a file on hdd:. The caller's buffer is only
 // read (memcpy source), never modified.
 // Returns true after a successful write and false when WriteFile fails; the path
 // where CreateFile fails falls off the end without a return statement.
 // NOTE(review): neither allocation is checked, `filesize` is used as given by the
 // caller, `filesize - 0x20` wraps for values below 0x20 (DWORD), and both buffers
 // are released only on the success path. The listing is garbled as posted
 // ("& rc4 rc4Key", "file size", "NULL ;))") and does not compile as shown.
 BOOL DecryptChallenge (BYTE * data, DWORD filesize)
 {
                DbgPrint ("Decrypting XeKeysExecute Challenge Data \ n");
                XECRYPT_RC4_STATE rc4;
                // Work on a private copy of the input.
                BYTE * decChalData = (BYTE *) XPhysicalAlloc (filesize, MAXULONG_PTR, 0, PAGE_READWRITE);
                memcpy (decChalData, data, filesize);
                BYTE * rc4Key = (BYTE *) XPhysicalAlloc (0x10, MAXULONG_PTR, 0, PAGE_READWRITE);
                // Hard-coded 16-byte constant; the original comment only says where it was found.
                BYTE key [0x10] = {0xDD, 0x88, 0xAD, 0x0C, 0x9E, 0xD6, 0x69, 0xE7, 0xB5, 0x67, 0x94, 0xFB, 0x68, 0x56, 0x3E, 0xFA} / / found in HV
                // HMAC input is the 0x10 bytes at offset 0x10 of the copy; the 0x10-byte result lands in
                // rc4Key (argument roles inferred from the call shape -- TODO confirm against the API).
                XeCryptHmacSha ((BYTE *) key, 0x10, 0x10 + decChalData, 0x10, 0, 0, 0, 0, rc4Key, 0x10);
                XeCryptRc4Key (& rc4 rc4Key, 0x10);
                // The first 0x20 bytes of the copy are left as they are; RC4 covers the remainder.
                XeCryptRc4Ecb (& rc4 decChalData + 0x20, file size - 0x20);
                HANDLE hFile;
                DWORD size;
                hFile = CreateFile ("hdd: \ \ XeKeysExecute_chalData_dec.bin", GENERIC_WRITE,
                                FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
                if (hFile! = INVALID_HANDLE_VALUE)
                {
                                DbgPrint ("Created Challenge File \ n");
                                if (WriteFile (hFile, decChalData, file size, & size, NULL ;))
                                {
                                                // Success path: the only place the handle and both buffers are released.
                                                CloseHandle (hFile);
                                                XPhysicalFree (decChalData);
                                                XPhysicalFree (rc4Key);
                                                DbgPrint ("Decrypted challenge data saved \ n");
                                                return true;
                                }
                                else
                                                return false;
                }
 }
 
 / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / /
 // Installation fragment: apply the one-word patch first, then use patchInJump to
 // redirect the code at the fixed address 0x81A30364 to XeKeysExecuteHook.
 // patchInJump is not defined in this listing, so the meaning of the final `false`
 // argument cannot be told from here. Both addresses are hard-coded constants.
 patchPhysicalAddr ();
 patchInJump ((PDWORD) (0x81A30364), (DWORD) XeKeysExecuteHook, false);
Trust me i know a little coding.

Trust me, I can copy and paste
#14. Posted:
XBLVenom
droseum20 wrote
XBLVenom wrote
TLH-Hugh wrote
droseum20 wrote Yes, and you created your own online method. Please tell me more, I'm interested.


I was thinking " codes own online method but , doesn't know how To add XNotify , seems legit "
// Function-pointer type for the routine that the hook below obtains from
// resolveFunct (XBOX_KRNL, 607) and calls through: six arguments, DWORD result.
// NOTE(review): the listing is garbled as posted -- "krnlBuild UINT64" and
// "r8 UINT64" have name and type swapped -- so it does not compile as shown.
typedef DWORD (* XEKEYSEXECUTE) (BYTE * chalData, DWORD size, BYTE * HVSalt, krnlBuild UINT64, UINT64 r7, r8 UINT64);
 // Replacement for XeKeysExecute: the last line of this listing points the code at
 // 0x81A30364 here via patchInJump. It logs its arguments, hands the buffer to
 // DecryptChallenge, writes 0x10 bytes of HVSalt to a file, calls the routine
 // resolved from ordinal 607, writes `size` bytes of chalData to a second file and
 // finishes with HalReturnToFirmware (6).
 // NOTE(review): the text is garbled as posted ("/ /" for "//", "\ n" for "\n",
 // statement terminators swallowed by trailing comments); it does not compile as shown.
 / / Catching call to XeKeysExecute in XAM
 / / Directing it to this function instead of actual kernel function
 DWORD XeKeysExecuteHook (BYTE * chalData, DWORD size, BYTE * HVSalt, krnlBuild UINT64, UINT64 r7, r8 UINT64)
 {
                // Resolve the original routine (ordinal 607 of XBOX_KRNL) so it can still be called below.
                XEKEYSEXECUTE XeKeysExecute = (XEKEYSEXECUTE) resolveFunct (XBOX_KRNL, 607);
            SYSTEMTIME LocalSysTime;
                GetLocalTime (& LocalSysTime);
                // Debug trace: timestamp plus the six incoming arguments (the format strings label them r3..r8).
                DbgPrint ("Entering Xbox Live Challenge hook \ n");
                DbgPrint ("System Time:% d% d% d \ t% d:% d:% d \ n", LocalSysTime.wMonth, LocalSysTime.wDay, LocalSysTime.wYear, LocalSysTime.wHour, LocalSysTime.wMinute, LocalSysTime.wSecond );
                DbgPrint ("r3 = 0x% 08X, 0x% 08X = r4, r5 = 0x% 08X \ n",
                                chalData, size, HVSalt);
                DbgPrint ("= 0x% 016I64x r6, r7 = 0x% 016I64x, r8 = 0x% 016I64x \ n",
                                krnlBuild, r7, r8);
 
                / / Decrypt the challenge data
                / / Seems to share the same header as a bootloader
                / / Char [2] Magic
                / / Short version
                / / Int flags
                / / Int EntryPoint
                / / Int Size
                / / Byte [0x10] HMAC hash -> RC4 Key
                // The length is read from offset 0xC of the buffer itself (the "Int Size" slot in the
                // layout above). NOTE(review): nothing visible here checks it against `size`.
                DWORD datasize = * (DWORD *) (chalData + 0xC);
                // A non-zero return takes the branch that logs an error and calls HalReturnToFirmware (6).
                if (DecryptChallenge (chalData, datasize))
                {
                                DbgPrint ("Error decrypting challenge: (\ n");
                                HalReturnToFirmware (6);
                }
 
                / / Create file HV Salt
                // CREATE_ALWAYS: an existing file of the same name is replaced.
                HANDLE hvSalt = CreateFile ("hdd: \ \ XeKeysExecute_HVSalt.bin", GENERIC_WRITE,
                FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
                if (hvSalt == INVALID_HANDLE_VALUE)
                {
                                DbgPrint ("Error Creating HV Salt File \ n");
                                HalReturnToFirmware (6);
                }
                DbgPrint ("File Created \ n");
 
                / / Get the HV salt
                // Writes a fixed 0x10 bytes from HVSalt; a failed write is only logged, execution continues.
                DWORD saltOut = 0;
                if (WriteFile (hvSalt, HVSalt, 0x10, & saltOut, NULL))
                                DbgPrint ("Saved HV Salt \ n");
                else DbgPrint ("Could not save HV Salt: (\ n");
 
                / / Close our HV Salt handle
                CloseHandle (hvSalt);
 
                DbgPrint ("dumping respectively \ n");
                / / Execute the challenge
                // The salt pointer is passed through MmGetPhysicalAddress before the call to the resolved
                // routine; patchPhysicalAddr's log message ties its one-word patch to that function.
                // The return value of the resolved routine is not kept.
                BYTE * physSalt = (BYTE *) MmGetPhysicalAddress (HVSalt) / / Do what we patched
                XeKeysExecute (chalData, size, physSalt, krnlBuild, r7, r8) / / go to current kernel function
 
                HANDLE chalResp = CreateFile ("hdd: \ \ XeKeysExecute_resp.bin", GENERIC_WRITE,
                FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
                if (chalResp == INVALID_HANDLE_VALUE)
                {
                                DbgPrint ("Error Creating Response File \ n");
                                HalReturnToFirmware (6);
                }
                DbgPrint ("Response File Created \ n");
 
                / / Save the challenge response
                // Writes `size` bytes of chalData as it stands after the call above.
                DWORD respOut = 0;
                if (WriteFile (chalResp, chalData, size, & respOut, NULL))
                                DbgPrint ("Saved response data \ n");
                else DbgPrint ("Could not save response data: (\ n");
 
                / / Close our challange response dump
                CloseHandle (chalResp);         
 
                / / We dumped the challange data -> reboot
                // The log text describes HalReturnToFirmware (6) as a reboot; the return below follows it.
                DbgPrint ("Dumped Challenge - Rebooting system \ n");
                HalReturnToFirmware (6);
                return (0);
 }
 
 // Overwrites the 32-bit word at the fixed address 0x81677EE4 with 0x60000000.
 // The log message ties the patch to MmGetPhysicalAddress; the trailing "14719" is
 // presumably the kernel build this address belongs to -- TODO confirm. A hard-coded
 // address like this is only meaningful on the one build it was taken from.
 // NOTE(review): 0x60000000 is the PowerPC no-op encoding, so this presumably blanks a
 // single instruction; which check it removes is not visible in this listing.
 patchPhysicalAddr void ()
 {
                DbgPrint ("Patching MmGetPhysicalAddress function so we can challenge in the grave HV Salt \ n");
                UINT32 * addr = (UINT32 *) (0x81677EE4) / / 14719
                addr [0] = 0x60000000;
 }
 
 // Copies `filesize` bytes of `data` into a fresh XPhysicalAlloc buffer, derives a
 // 0x10-byte RC4 key with XeCryptHmacSha, runs RC4 over the copy from offset 0x20
 // onward and writes the whole copy to a file on hdd:. The caller's buffer is only
 // read (memcpy source), never modified.
 // Returns true after a successful write and false when WriteFile fails; the path
 // where CreateFile fails falls off the end without a return statement.
 // NOTE(review): neither allocation is checked, `filesize` is used as given by the
 // caller, `filesize - 0x20` wraps for values below 0x20 (DWORD), and both buffers
 // are released only on the success path. The listing is garbled as posted
 // ("& rc4 rc4Key", "file size", "NULL ;))") and does not compile as shown.
 BOOL DecryptChallenge (BYTE * data, DWORD filesize)
 {
                DbgPrint ("Decrypting XeKeysExecute Challenge Data \ n");
                XECRYPT_RC4_STATE rc4;
                // Work on a private copy of the input.
                BYTE * decChalData = (BYTE *) XPhysicalAlloc (filesize, MAXULONG_PTR, 0, PAGE_READWRITE);
                memcpy (decChalData, data, filesize);
                BYTE * rc4Key = (BYTE *) XPhysicalAlloc (0x10, MAXULONG_PTR, 0, PAGE_READWRITE);
                // Hard-coded 16-byte constant; the original comment only says where it was found.
                BYTE key [0x10] = {0xDD, 0x88, 0xAD, 0x0C, 0x9E, 0xD6, 0x69, 0xE7, 0xB5, 0x67, 0x94, 0xFB, 0x68, 0x56, 0x3E, 0xFA} / / found in HV
                // HMAC input is the 0x10 bytes at offset 0x10 of the copy; the 0x10-byte result lands in
                // rc4Key (argument roles inferred from the call shape -- TODO confirm against the API).
                XeCryptHmacSha ((BYTE *) key, 0x10, 0x10 + decChalData, 0x10, 0, 0, 0, 0, rc4Key, 0x10);
                XeCryptRc4Key (& rc4 rc4Key, 0x10);
                // The first 0x20 bytes of the copy are left as they are; RC4 covers the remainder.
                XeCryptRc4Ecb (& rc4 decChalData + 0x20, file size - 0x20);
                HANDLE hFile;
                DWORD size;
                hFile = CreateFile ("hdd: \ \ XeKeysExecute_chalData_dec.bin", GENERIC_WRITE,
                                FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
                if (hFile! = INVALID_HANDLE_VALUE)
                {
                                DbgPrint ("Created Challenge File \ n");
                                if (WriteFile (hFile, decChalData, file size, & size, NULL ;))
                                {
                                                // Success path: the only place the handle and both buffers are released.
                                                CloseHandle (hFile);
                                                XPhysicalFree (decChalData);
                                                XPhysicalFree (rc4Key);
                                                DbgPrint ("Decrypted challenge data saved \ n");
                                                return true;
                                }
                                else
                                                return false;
                }
 }
 
 / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / /
 // Installation fragment: apply the one-word patch first, then use patchInJump to
 // redirect the code at the fixed address 0x81A30364 to XeKeysExecuteHook.
 // patchInJump is not defined in this listing, so the meaning of the final `false`
 // argument cannot be told from here. Both addresses are hard-coded constants.
 patchPhysicalAddr ();
 patchInJump ((PDWORD) (0x81A30364), (DWORD) XeKeysExecuteHook, false);
Trust me i know a little coding.

Trust me, I can copy and paste
haha looks like you got me... It still works
#15. Posted:
blahblah153
Guys, this guy was already proven fake. When he claimed to have an online method, he used some random code from Pastebin from October. This guy is fake and cannot make his own online method.
#16. Posted:
Poi
This made me laugh...
So you claim you can bypass Xbox Live servers but can't do a simple notify command? LOL, FAIL.
#17. Posted:
jester
Same idiot, different day.

The XBLVenom forums (the two threads there) are so interesting to read! I like how everyone who wanted a 5 hour trial had to run an exe you gave them.