Ghost Ban Bypass

1. #include "stdafx.h"
2. #include "kernel.h"
3. #include <stdio.h>
4. #include <ctime>
5.  
6. #define XNOTIFY
7. #define XNOTIFY_TYPE 0xE
8.  
9. HANDLE thread;
10. DWORD threadID;
11. bool bInitialized = false;
12.  
13. typedef unsigned __int64 QWORD;
14.  
15. UINT32 resolveFunct(char* modname, UINT32 ord)
16. {
17.     UINT32 ptr32 = 0, ret = 0, ptr2 = 0;
18.     ret = XexGetModuleHandle(modname, (PHANDLE)&ptr32);
19.     if(ret == 0){
20.         ret = XexGetProcedureAddress((HANDLE)ptr32, ord, &ptr2);
21.         if(ptr2 != 0)
22.             return(ptr2);
23.     }
24.     return(0);
25. }
26.  
27. BYTE Challenge[] = {    // Challenge using random data    // Using Full Challenge resp clean
28.     0x00, 0x00, 0x00, 0x00,    //IPAddress
29.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,    //Machine ID
30.     0x00, 0x1D, 0xD8,    //macCheck
31.     0x00, 0x00, 0x00,    //abEnet
32.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x82,    //Unknown
33.     0x12,    //Retail Flag
34.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,    //Console Serial
35.     0x00,    //Padding
36.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,    //Console ID
37.     0x41, 0x74,    //Kernel Version
38.     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3A    //Sizeof(Challenge)
39. };
40.  
41. #pragma region XNotify
42. // Define Some XNotify Stuff.
43. VOID (__cdecl * XNotifyQueueUI)(DWORD dwType, DWORD dwUserIndex, DWORD dwPriority, LPCWSTR pwszStringParam, ULONGLONG qwParam) = (VOID (__cdecl * )(DWORD, DWORD, DWORD, LPCWSTR, ULONGLONG))resolveFunct("xam.xex", 0x290);
44. // XNotify For telling user Success.
45. VOID XNQUI(LPCWSTR pwszStringParam) { XNotifyQueueUI(XNOTIFY_TYPE, 0, 2, pwszStringParam, NULL); }
46. VOID XNotify(LPCWSTR pwszStringParam)
47. {
48.         // Check if KeGetCurrentProcessType() != 1 and if so then we make the XNotify in a new thread, else we just call it normally.
49.         if(KeGetCurrentProcessType() != 1) { CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)XNQUI, (LPVOID)pwszStringParam, NULL, NULL); }
50.         else { XNQUI(pwszStringParam); }
51. }
52. #pragma endregion
53.  
54. VOID __declspec(****d) GLPR(VOID)
55. {
56.             __asm
57.             {
58.                     std     r14, -0x98(sp)
59.                     std     r15, -0x90(sp)
60.                     std     r16, -0x88(sp)
61.                     std     r17, -0x80(sp)
62.                     std     r18, -0x78(sp)
63.                     std     r19, -0x70(sp)
64.                     std     r20, -0x68(sp)
65.                     std     r21, -0x60(sp)
66.                     std     r22, -0x58(sp)
67.                     std     r23, -0x50(sp)
68.                     std     r24, -0x48(sp)
69.                     std     r25, -0x40(sp)
70.                     std     r26, -0x38(sp)
71.                     std     r27, -0x30(sp)
72.                     std     r28, -0x28(sp)
73.                     std     r29, -0x20(sp)
74.                     std     r30, -0x18(sp)
75.                     std     r31, -0x10(sp)
76.                     stw     r12, -0x8(sp)
77.                     blr
78.             }
79. }
80. DWORD RelinkGPLR(DWORD SFSOffset, PDWORD SaveStubAddress, PDWORD OriginalAddress)
81. {
82.     DWORD Instruction = 0, Replacing;
83.     PDWORD Saver = (PDWORD)GLPR;
84.     if(SFSOffset & 0x2000000)
85.     {
86.             SFSOffset = SFSOffset | 0xFC000000;
87.     }
88.     Replacing = OriginalAddress[SFSOffset / 4];
89.     for(int i = 0; i < 20; i++)
90.     {
91.             if(Replacing == Saver[i])
92.             {
93.                     DWORD NewOffset = (DWORD)&Saver[i]-(DWORD)SaveStubAddress;
94.                     Instruction = 0x48000001 | (NewOffset & 0x3FFFFFC);
95.             }
96.     }
97.     return Instruction;
98. }
99.  
100. __declspec(****d) INT answerChallenges(__int64 r3, __int64 r4, DWORD ChallengeResponse)
101. {
102.     __asm
103.     {
104.         nop
105.         nop
106.         nop
107.         nop
108.         nop
109.         nop
110.         nop
111.         blr
112.     }
113. }
114.  
115. VOID PatchInJump(DWORD* Address, DWORD Destination, BOOL Linked) {
116.  
117.         if(Destination & 0x8000)
118.         {
119.                 Address[0] = 0x3D600000 + (((Destination >> 16) & 0xFFFF) + 1);
120.         }
121.         else
122.         {
123.                 Address[0] = 0x3D600000 + ((Destination >> 16) & 0xFFFF);
124.         }
125.         Address[1] = 0x396B0000 + (Destination & 0xFFFF);
126.         Address[2] = 0x7D6903A6;
127.  
128.         if(Linked)
129.         {
130.                 Address[3] = 0x4E800421;
131.         }
132.         else
133.         {
134.                 Address[3] = 0x4E800420;
135.         }
136. }
137. VOID HookFunctionStart(PDWORD Address, PDWORD SaveStub, DWORD Destination)
138. {
139.     if((SaveStub != NULL) && (Address != NULL)) // Make sure they are not nothing.
140.     {
141.         DWORD AddressRelocation = (DWORD)(&Address[4]); // Replacing 4 instructions with a jump, this is the stub return address
142.         if(AddressRelocation & 0x8000)
143.         {
144.             SaveStub[0] = 0x3D600000 + (((AddressRelocation >> 16) & 0xFFFF) + 1); // lis r11, 0 | Load Immediate Shifted
145.         }
146.         else
147.         {
148.             SaveStub[0] = 0x3D600000 + ((AddressRelocation >> 16) & 0xFFFF); // lis r11, 0 | Load Immediate Shifted
149.         }
150.         SaveStub[1] = 0x396B0000 + (AddressRelocation & 0xFFFF); // addi r11, r11, (value of AddressRelocation & 0xFFFF) | Add Immediate
151.         SaveStub[2] = 0x7D6903A6; // mtspr CTR, r11 | Move to Special-Purpose Register CTR
152.         // Instructions [3] through [6] are replaced with the original instructions from the function hook
153.         // Copy original instructions over, relink stack frame saves to local ones
154.         for(int i = 0; i < 4; i++)
155.         {
156.             if((Address[i] & 0x48000003) == 0x48000001)
157.             {
158.                 SaveStub[i + 3] = RelinkGPLR((Address[i] & ~0x48000003), &SaveStub[i + 3], &Address[i]);
159.             }
160.             else
161.             {
162.                 SaveStub[i + 3] = Address[i];
163.             }
164.         }
165.         SaveStub[7] = 0x4E800420; // Branch unconditionally
166.         __dcbst(0, SaveStub); // Data Cache Block Store | Allows a program to copy the contents of a modified block to main memory.
167.         __sync(); // Synchronize | Ensure the dcbst instruction has completed.
168.         __isync(); // Instruction Synchronize | Refetches any instructions that might have been fetched prior to this instruction.
169.         PatchInJump(Address, Destination, FALSE); // Redirect Function to ours
170.  
171.                 }
172. }
173.  
174. VOID randomizedata()
175. {
176. // Randomizing data PART //
177.     srand(time(NULL));
178.  
179. // Define Arrays for randomizing them
180.     BYTE IPAddress[4], MachineID[8], abEnet[3], ConsoleSerialNumber[12], ConsoleID[12];
181. // Randomizing BYTE Array Data
182.  
183.     for(int i = 0; i < 4; i++) { IPAddress[i] = rand() % 90; }
184.     for(int i = 0; i < 3; i++){ abEnet[i] = rand() % 90; }
185.     for(int i = 0; i < 8; i++) { MachineID[i] = rand() % 90; }
186.     for(int i = 0; i < 12; i++) { ConsoleSerialNumber[i] = rand() % 90; ConsoleID[i] = rand() % 90; }
187. //Setting random data in the Challenge BYTE Array
188.  
189.     memcpy((PVOID)Challenge, &IPAddress, 4);
190.     memcpy((PVOID)(Challenge + 0x04), &MachineID, 8);
191.     memcpy((PVOID)(Challenge + 0x0F), &abEnet, 3);
192.     memcpy((PVOID)(Challenge + 0x1F), &ConsoleSerialNumber, 12);
193.     memcpy((PVOID)(Challenge + 0x2C), &ConsoleID, 12);
194. }
195.  
196. void answerChallengesHook(__int64 r3, __int64 r4, DWORD ChallengeResponse) // r3, r4, r5 --> ChallengeResponse is the third argument (r5).
197. {
198. // Set our Random Data
199.     memcpy((PVOID)(ChallengeResponse + 0x1E), &Challenge, sizeof(Challenge));
200.  
201. // XNotify
202.     //     #ifdef XNOTIFY
203.     //        XNotify(L"Ghosts - Hook Success !");
204.     //     #endif
205.  
206. // return r3, r4 and r5
207.    answerChallenges(r3, r4, ChallengeResponse);
208. }
209.  
210. DWORD Launch()
211. {
212.     UINT32 (*XamGetCurrentTitleId)(void) = XamGetCurrentTitleId = (UINT32 (__cdecl *)(void))(resolveFunct("xam.xex", 0x1CF));
213.  
214.  
215.     for(;;)
216.     {
217.  
218.         if(XamGetCurrentTitleId() == 0x415608FC )
219.         {
220.             if ( bInitialized == false)  // Init once Hook, it avoids freeze
221.             {
222.                  randomizedata();
223.                  HookFunctionStart((PDWORD)0x827BE020, (PDWORD)answerChallenges, (DWORD)answerChallengesHook);
224.                  Sleep(5000);
225.                  #ifdef XNOTIFY
226.                      XNotify(L"Ghosts - Demon Success !");
227.                  #endif
228.                  bInitialized = true;
229.             }
230.         }
231.         else
232.         {
233.             bInitialized = false;
234.         }
235.     }
236. }
237.  
238. BOOL APIENTRY DllMain( HANDLE hModule, DWORD dwReason, LPVOID lpReserved )
239. {
240.     if ( dwReason == DLL_PROCESS_ATTACH )
241.     {
242.         HANDLE hThread;
243.         DWORD dwThreadId;
244.         ExCreateThread( &hThread, 0, &dwThreadId, ( PVOID )XapiThreadStartup , ( LPTHREAD_START_ROUTINE )Launch, 0, 0x2 );
245.         ResumeThread( hThread );
246.         CloseHandle( hThread );
247.     }
248.     return TRUE;
249. }