Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #include "stdafx.h"
- #include "kernel.h"
- #include <stdio.h>
- #include <ctime>
- #define XNOTIFY
- #define XNOTIFY_TYPE 0xE
- HANDLE thread;
- DWORD threadID;
- bool bInitialized = false;
- typedef unsigned __int64 QWORD;
- UINT32 resolveFunct(char* modname, UINT32 ord)
- {
- UINT32 ptr32 = 0, ret = 0, ptr2 = 0;
- ret = XexGetModuleHandle(modname, (PHANDLE)&ptr32);
- if(ret == 0){
- ret = XexGetProcedureAddress((HANDLE)ptr32, ord, &ptr2);
- if(ptr2 != 0)
- return(ptr2);
- }
- return(0);
- }
- BYTE Challenge[] = { // Challenge using random data // Using Full Challenge resp clean
- 0x00, 0x00, 0x00, 0x00, //IPAddress
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //Machine ID
- 0x00, 0x1D, 0xD8, //macCheck
- 0x00, 0x00, 0x00, //abEnet
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x82, //Unknown
- 0x12, //Retail Flag
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //Console Serial
- 0x00, //Padding
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //Console ID
- 0x41, 0x74, //Kernel Version
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3A //Sizeof(Challenge)
- };
- #pragma region XNotify
- // Define Some XNotify Stuff.
- VOID (__cdecl * XNotifyQueueUI)(DWORD dwType, DWORD dwUserIndex, DWORD dwPriority, LPCWSTR pwszStringParam, ULONGLONG qwParam) = (VOID (__cdecl * )(DWORD, DWORD, DWORD, LPCWSTR, ULONGLONG))resolveFunct("xam.xex", 0x290);
- // XNotify For telling user Success.
- VOID XNQUI(LPCWSTR pwszStringParam) { XNotifyQueueUI(XNOTIFY_TYPE, 0, 2, pwszStringParam, NULL); }
- VOID XNotify(LPCWSTR pwszStringParam)
- {
- // Check if KeGetCurrentProcessType() != 1 and if so then we make the XNotify in a new thread, else we just call it normally.
- if(KeGetCurrentProcessType() != 1) { CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)XNQUI, (LPVOID)pwszStringParam, NULL, NULL); }
- else { XNQUI(pwszStringParam); }
- }
- #pragma endregion
- VOID __declspec(****d) GLPR(VOID)
- {
- __asm
- {
- std r14, -0x98(sp)
- std r15, -0x90(sp)
- std r16, -0x88(sp)
- std r17, -0x80(sp)
- std r18, -0x78(sp)
- std r19, -0x70(sp)
- std r20, -0x68(sp)
- std r21, -0x60(sp)
- std r22, -0x58(sp)
- std r23, -0x50(sp)
- std r24, -0x48(sp)
- std r25, -0x40(sp)
- std r26, -0x38(sp)
- std r27, -0x30(sp)
- std r28, -0x28(sp)
- std r29, -0x20(sp)
- std r30, -0x18(sp)
- std r31, -0x10(sp)
- stw r12, -0x8(sp)
- blr
- }
- }
- DWORD RelinkGPLR(DWORD SFSOffset, PDWORD SaveStubAddress, PDWORD OriginalAddress)
- {
- DWORD Instruction = 0, Replacing;
- PDWORD Saver = (PDWORD)GLPR;
- if(SFSOffset & 0x2000000)
- {
- SFSOffset = SFSOffset | 0xFC000000;
- }
- Replacing = OriginalAddress[SFSOffset / 4];
- for(int i = 0; i < 20; i++)
- {
- if(Replacing == Saver[i])
- {
- DWORD NewOffset = (DWORD)&Saver[i]-(DWORD)SaveStubAddress;
- Instruction = 0x48000001 | (NewOffset & 0x3FFFFFC);
- }
- }
- return Instruction;
- }
- __declspec(****d) INT answerChallenges(__int64 r3, __int64 r4, DWORD ChallengeResponse)
- {
- __asm
- {
- nop
- nop
- nop
- nop
- nop
- nop
- nop
- blr
- }
- }
- VOID PatchInJump(DWORD* Address, DWORD Destination, BOOL Linked) {
- if(Destination & 0x8000)
- {
- Address[0] = 0x3D600000 + (((Destination >> 16) & 0xFFFF) + 1);
- }
- else
- {
- Address[0] = 0x3D600000 + ((Destination >> 16) & 0xFFFF);
- }
- Address[1] = 0x396B0000 + (Destination & 0xFFFF);
- Address[2] = 0x7D6903A6;
- if(Linked)
- {
- Address[3] = 0x4E800421;
- }
- else
- {
- Address[3] = 0x4E800420;
- }
- }
- VOID HookFunctionStart(PDWORD Address, PDWORD SaveStub, DWORD Destination)
- {
- if((SaveStub != NULL) && (Address != NULL)) // Make sure they are not nothing.
- {
- DWORD AddressRelocation = (DWORD)(&Address[4]); // Replacing 4 instructions with a jump, this is the stub return address
- if(AddressRelocation & 0x8000)
- {
- SaveStub[0] = 0x3D600000 + (((AddressRelocation >> 16) & 0xFFFF) + 1); // lis r11, 0 | Load Immediate Shifted
- }
- else
- {
- SaveStub[0] = 0x3D600000 + ((AddressRelocation >> 16) & 0xFFFF); // lis r11, 0 | Load Immediate Shifted
- }
- SaveStub[1] = 0x396B0000 + (AddressRelocation & 0xFFFF); // addi r11, r11, (value of AddressRelocation & 0xFFFF) | Add Immediate
- SaveStub[2] = 0x7D6903A6; // mtspr CTR, r11 | Move to Special-Purpose Register CTR
- // Instructions [3] through [6] are replaced with the original instructions from the function hook
- // Copy original instructions over, relink stack frame saves to local ones
- for(int i = 0; i < 4; i++)
- {
- if((Address[i] & 0x48000003) == 0x48000001)
- {
- SaveStub[i + 3] = RelinkGPLR((Address[i] & ~0x48000003), &SaveStub[i + 3], &Address[i]);
- }
- else
- {
- SaveStub[i + 3] = Address[i];
- }
- }
- SaveStub[7] = 0x4E800420; // Branch unconditionally
- __dcbst(0, SaveStub); // Data Cache Block Store | Allows a program to copy the contents of a modified block to main memory.
- __sync(); // Synchronize | Ensure the dcbst instruction has completed.
- __isync(); // Instruction Synchronize | Refetches any instructions that might have been fetched prior to this instruction.
- PatchInJump(Address, Destination, FALSE); // Redirect Function to ours
- }
- }
- VOID randomizedata()
- {
- // Randomizing data PART //
- srand(time(NULL));
- // Define Arrays for randomizing them
- BYTE IPAddress[4], MachineID[8], abEnet[3], ConsoleSerialNumber[12], ConsoleID[12];
- // Randomizing BYTE Array Data
- for(int i = 0; i < 4; i++) { IPAddress[i] = rand() % 90; }
- for(int i = 0; i < 3; i++){ abEnet[i] = rand() % 90; }
- for(int i = 0; i < 8; i++) { MachineID[i] = rand() % 90; }
- for(int i = 0; i < 12; i++) { ConsoleSerialNumber[i] = rand() % 90; ConsoleID[i] = rand() % 90; }
- //Setting random data in the Challenge BYTE Array
- memcpy((PVOID)Challenge, &IPAddress, 4);
- memcpy((PVOID)(Challenge + 0x04), &MachineID, 8);
- memcpy((PVOID)(Challenge + 0x0F), &abEnet, 3);
- memcpy((PVOID)(Challenge + 0x1F), &ConsoleSerialNumber, 12);
- memcpy((PVOID)(Challenge + 0x2C), &ConsoleID, 12);
- }
- void answerChallengesHook(__int64 r3, __int64 r4, DWORD ChallengeResponse) // r3, r4, r5 --> ChallengeResponse is the third argument (r5).
- {
- // Set our Random Data
- memcpy((PVOID)(ChallengeResponse + 0x1E), &Challenge, sizeof(Challenge));
- // XNotify
- // #ifdef XNOTIFY
- // XNotify(L"Ghosts - Hook Success !");
- // #endif
- // return r3, r4 and r5
- answerChallenges(r3, r4, ChallengeResponse);
- }
- DWORD Launch()
- {
- UINT32 (*XamGetCurrentTitleId)(void) = XamGetCurrentTitleId = (UINT32 (__cdecl *)(void))(resolveFunct("xam.xex", 0x1CF));
- for(;;)
- {
- if(XamGetCurrentTitleId() == 0x415608FC )
- {
- if ( bInitialized == false) // Init once Hook, it avoids freeze
- {
- randomizedata();
- HookFunctionStart((PDWORD)0x827BE020, (PDWORD)answerChallenges, (DWORD)answerChallengesHook);
- Sleep(5000);
- #ifdef XNOTIFY
- XNotify(L"Ghosts - Demon Success !");
- #endif
- bInitialized = true;
- }
- }
- else
- {
- bInitialized = false;
- }
- }
- }
- BOOL APIENTRY DllMain( HANDLE hModule, DWORD dwReason, LPVOID lpReserved )
- {
- if ( dwReason == DLL_PROCESS_ATTACH )
- {
- HANDLE hThread;
- DWORD dwThreadId;
- ExCreateThread( &hThread, 0, &dwThreadId, ( PVOID )XapiThreadStartup , ( LPTHREAD_START_ROUTINE )Launch, 0, 0x2 );
- ResumeThread( hThread );
- CloseHandle( hThread );
- }
- return TRUE;
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement