AW Ban Bypass TU5

AW Ban Bypass TU5

if(XamGetCurrentTitleId() == AW)
{
   BuildResponse();
   HookFunctionStart((PDWORD)0x821E3C78, (PDWORD)SaveStub, (DWORD)answerChallengesHook);
}

void PatchInJump(unsigned long* Address, unsigned long Destination, bool Linked)
{
   Address[0] = ((Destination & 0x8000) ? 0x3D600000 + (((Destination >> 16) & 0xFFFF) + 1) : 0x3D600000 + ((Destination >> 16) & 0xFFFF));
    Address[1] = 0x396B0000 + (Destination & 0xFFFF);
    Address[2] = 0x7D6903A6;
   Address[3] = ((Linked) ? 0x4E800421 : 0x4E800420);
}

void __declspec(****d) GLPR(VOID)
{
    __asm
    {
        std     r14, -0x98(sp)
        std     r15, -0x90(sp)
        std     r16, -0x88(sp)
        std     r17, -0x80(sp)
        std     r18, -0x78(sp)
        std     r19, -0x70(sp)
        std     r20, -0x68(sp)
        std     r21, -0x60(sp)
        std     r22, -0x58(sp)
        std     r23, -0x50(sp)
        std     r24, -0x48(sp)
        std     r25, -0x40(sp)
        std     r26, -0x38(sp)
        std     r27, -0x30(sp)
        std     r28, -0x28(sp)
        std     r29, -0x20(sp)
        std     r30, -0x18(sp)
        std     r31, -0x10(sp)
        stw     r12, -0x8(sp)
      blr
   }
}

DWORD RelinkGPLR(DWORD SFSOffset, PDWORD SaveStubAddress, PDWORD OriginalAddress)
{
    DWORD Instruction = 0, Replacing; PDWORD Saver = (PDWORD)GLPR;
   if(SFSOffset & 0x2000000){ SFSOffset = SFSOffset | 0xFC000000; }
    Replacing = OriginalAddress[SFSOffset / 4];
    for(int i = 0; i < 20; i++){
        if(Replacing == Saver[i]){
                int NewOffset = (int)&Saver[i]-(int)SaveStubAddress;
            Instruction = 0x48000001 | (NewOffset & 0x3FFFFFC);
        }
    }
    return Instruction;
}

void HookFunctionStart(PDWORD Address, PDWORD SaveStub, DWORD Destination)
{
    if((SaveStub != NULL) && (Address != NULL))
    {
        DWORD AddressRelocation = (DWORD)(&Address[4]);

        if(AddressRelocation & 0x8000)
            SaveStub[0] = 0x3D600000 + (((AddressRelocation >> 16) & 0xFFFF) + 1);
        else
            SaveStub[0] = 0x3D600000 + ((AddressRelocation >> 16) & 0xFFFF);

        SaveStub[1] = 0x396B0000 + (AddressRelocation & 0xFFFF);
        SaveStub[2] = 0x7D6903A6;

        for(int i = 0; i < 4; i++)
            if((Address[i] & 0x48000003) == 0x48000001)
            SaveStub[i + 3] = RelinkGPLR((Address[i] & ~0x48000003), &SaveStub[i + 3], &Address[i]);
            else
                SaveStub[i + 3] = Address[i];

        SaveStub[7] = 0x4E800420;
        __dcbst(0, SaveStub);
        __emit(0x7c0004ac);
        __emit(0x4C00012C);

        PatchInJump(Address, Destination, FALSE);
    }
}

inline __declspec(****d) int SaveStub(int r3, int r4, int r5)
{
    __asm
    {
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        blr
    }
}

byte Response[] = {
   0x00, 0x00, 0x00, 0x00, //IP Address
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //Machine Id
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //Enet
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //Unknown1
   0x00, 0x00, //Unknown2
   0x2, //Retail Flag
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //Console Key
   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, //Console Index
   0x42, 0xFE //Kernel
};

void answerChallengesHook(int r3, int r4, int r5)
{
   memcpy((void*)(r5 + 0x22), Response, 0x3A);
   SaveStub(r3, r4, r5);
   0x2//Retail
}

void BuildResponse()
{
   srand((unsigned int)time(NULL));
   BYTE IPAddress[4], MachineId[8], Enet[8], ConsoleKey[13], ConsoleIndex[12];
   for(int i = 0; i < 4; i++)IPAddress[i] = rand() % 90;
   for(int i = 0; i < 8; i++){ MachineId[i] = rand() % 90; Enet[i] = rand() % 90; }
   for(int i = 0; i < 12; i++)ConsoleIndex[i] = rand() % 90;
   for(int i = 0; i < 13; i++)ConsoleKey[i] = rand() % 90;

   memcpy(Response, IPAddress, 4);
   memcpy(Response + 0x4, &MachineId, 8);
   memcpy(Response + 0xC, &Enet, 8);
   memcpy(Response + 0x1F, &ConsoleKey, 13);
   memcpy(Response + 0x2C, &ConsoleIndex, 12);
}