iAmHooker

Xosc for a xex

Sep 25th, 2014
/*
 * BuildSupervisorChallenge
 *
 * Builds a 0x2E0-byte buffer from fields copied out of KeyVault plus a set of
 * hard-coded constants and returns it.  The buffer is malloc'd here and
 * ownership passes to the caller, who is responsible for free()ing it.
 *
 * Review notes (documented only; the code below is unchanged):
 *  - CPUKEY is never read in this body.
 *  - crl, fcrt, type1KV, kvHash and CpuKeyFile are used but neither declared
 *    nor passed in; XamGetExecutionId, XeCryptSha, XEX_EXECUTION_ID and the
 *    BYTE/WORD/DWORD/QWORD typedefs are likewise expected from elsewhere.
 *  - Neither malloc() result is checked before it is written through.
 *  - The 0x18-byte exeID scratch buffer is never freed (one leak per call).
 *  - exeId is dereferenced before ExeResult is tested; if XamGetExecutionId
 *    leaves exeId unset on failure (its contract is not visible here) that is
 *    a read through an uninitialized pointer.
 *  - The 0x24-byte copy from KeyVault+0xC8A into drive_data is done twice.
 *  - No length accompanies KeyVault; every read assumes it extends to at
 *    least offset 0xC8A + 0x24.
 *  - Every field is written through a raw pointer cast at a fixed offset, so
 *    the layout is documented only by the offsets themselves.
 */
BYTE * BuildSupervisorChallenge(BYTE * KeyVault, BYTE * CPUKEY)//(DWORD dwTaskParam1, BYTE* pbDaeTableName, DWORD cbDaeTableName, BYTE* pBuffer, DWORD cbBuffer) {
{
    // Base flag words; the three globals below (not declared in this listing)
    // each switch one bit.  BLDR_FLAGS_KV1 is ~0x20 truncated to 16 bits.
    unsigned int HV_KEYS_STATUS_FLAGS = 0x23289d3;
    unsigned short BLDR_FLAGS = 0xd83e, BLDR_FLAGS_KV1 = (~0x20);
    // Raw 8-byte read from a fixed absolute address.  Only meaningful in the
    // environment this was written for; on anything else it is an invalid access.
    QWORD HvProtectedFlags = *(QWORD*)0x8E038678;
    HV_KEYS_STATUS_FLAGS = (crl == 1) ? (HV_KEYS_STATUS_FLAGS | 0x10000) : HV_KEYS_STATUS_FLAGS;     // crl == 1 sets bit 0x10000
    HV_KEYS_STATUS_FLAGS = (fcrt == 1) ? (HV_KEYS_STATUS_FLAGS | 0x1000000) : HV_KEYS_STATUS_FLAGS;  // fcrt == 1 sets bit 0x1000000
    BLDR_FLAGS = (type1KV == 1) ? ((WORD)(BLDR_FLAGS & BLDR_FLAGS_KV1)) : BLDR_FLAGS;                // type1KV == 1 clears bit 0x20
 
    int XOSC_FLAG_BASE = 0x2bf;
    int HV_PROTECTED_FLAGS_NONE = 0;
    int HV_PROTECTED_FLAGS_NO_EJECT_REBOOT = 1;
    int HV_PROTECTED_FLAGS_AUTH_EX_CAP = 4;
    // Always carries AUTH_EX_CAP (4); bit 0 is taken from the value read above.
    QWORD HV_PROTECTED_FLAGS = HV_PROTECTED_FLAGS_AUTH_EX_CAP | (((HvProtectedFlags & HV_PROTECTED_FLAGS_NO_EJECT_REBOOT) == HV_PROTECTED_FLAGS_NO_EJECT_REBOOT) ? HV_PROTECTED_FLAGS_NO_EJECT_REBOOT : HV_PROTECTED_FLAGS_NONE);
 
    // Local copies of the KeyVault fields used below.
    BYTE drive_phase_level,
        drive_data[0x24],
        console_id[5],
        console_serial[12];
 
    WORD xam_region, xam_odd;
 
    drive_phase_level = *(BYTE*)(KeyVault + 0xc89);   // 1 byte at +0xC89
 
    memcpy(drive_data, KeyVault + 0xC8A, 0x24);       // 0x24 bytes at +0xC8A
    xam_region = *(WORD*)(KeyVault + 0xC8);           // WORD at +0xC8
    xam_odd = *(WORD*)(KeyVault + 0x1C);              // WORD at +0x1C
    memcpy(drive_data, KeyVault + 0xc8a, 0x24);       // NOTE: repeats the copy three lines up (same source, same length)
    memcpy(console_id, KeyVault + 0x9CA, 5);          // 5 bytes at +0x9CA
    memcpy(console_serial, KeyVault + 0xB0, 12);      // 12 bytes at +0xB0
 
    // Output buffer: 0x2E0 bytes, zeroed, then fields written at fixed offsets.
    // NOTE: malloc() result is not checked; memset() below would fault on NULL.
    BYTE * XoscBuff = (BYTE*)malloc(0x2E0);
    memset(XoscBuff, 0, 0x2e0);
    *(DWORD*)(XoscBuff + 0x04) = 0x90002;
    *(QWORD*)(XoscBuff + 0x08) = XOSC_FLAG_BASE;      // rewritten below if the execution-id lookup fails
    *(DWORD*)(XoscBuff + 0x20) = 0xC8003003;
    memset(XoscBuff + 0x24, 0xAA,0x10);               // 0xAA fill, 0x10 bytes
 
    *(QWORD*)(XoscBuff + 0x70) = 0x527A5A4BD8F505BB;
    *(QWORD*)(XoscBuff + 0x78) = 0x94305A1779729F3B;
    *(BYTE*)(XoscBuff + 0x83) = drive_phase_level;
    memset(XoscBuff + 0x8C, 0xAA,0x64);               // 0xAA fill, 0x64 bytes
    memcpy(XoscBuff + 0xF0, drive_data, 36);          // drive_data written twice: +0xF0 and +0x114
    memcpy(XoscBuff + 0x114, drive_data, 36);
    memcpy(XoscBuff + 0x138, console_serial, 12);
    *(WORD*)(XoscBuff + 0x144) = 0xAA;                // a single WORD value 0x00AA, not a fill
    *(WORD*)(XoscBuff + 0x146) = BLDR_FLAGS;
    *(WORD*)(XoscBuff + 0x148) = xam_region;
    *(WORD*)(XoscBuff + 0x14A) = xam_odd;
    *(WORD*)(XoscBuff + 0x154) = 7;
    *(DWORD*)(XoscBuff + 0x158) = HV_KEYS_STATUS_FLAGS;
    memset(XoscBuff + 0x15C, 0xAA, 0x4);
    memset(XoscBuff + 0x16C, 0xAA, 0x4);
    *(DWORD*)(XoscBuff + 0x170) = 0xD0008;
    *(WORD*)(XoscBuff + 0x176) = 8;
    *(QWORD*)(XoscBuff + 0x198) = HV_PROTECTED_FLAGS;
    memcpy((XoscBuff + 0x1A0), console_id, 0x5);
    *(DWORD*)(XoscBuff + 0x1D0) = 0x40000207;
    memset(XoscBuff + 0x21C, 0xAA, 0xA4);             // 0xAA fill, 0xA4 bytes
    *(WORD*)(XoscBuff + 0x2B8) = 0x20;
    *(WORD*)(XoscBuff + 0x2C6) = 0x6;
    memset(XoscBuff + 0x2C8, 0xAA, 0x10);
    *(DWORD*)(XoscBuff + 0x2D8) = 0x5F534750;         // bytes 5F 53 47 50 = ASCII "_SGP" in big-endian order
    memset(XoscBuff + 0x2DC, 0xAA, 4);
 
    //add execution id
    // exeId is filled by XamGetExecutionId (not visible here); the fields are
    // repacked into a 0x18-byte scratch buffer before being copied into XoscBuff.
    // NOTE: exeId is dereferenced before ExeResult is checked, and the malloc()
    // result is not checked either.  exeID is never freed.
    XEX_EXECUTION_ID* exeId;
    DWORD ExeResult = XamGetExecutionId(&exeId);
    BYTE * exeID = (BYTE*)malloc(0x18);
    *(DWORD*)exeID = exeId->MediaID;//bytes 0-3
    *(DWORD*)(exeID + 4) = exeId->Version;//bytes 4-7
    *(DWORD*)(exeID + 8) = exeId->BaseVersion;//bytes 8-11
    *(DWORD*)(exeID + 12) = exeId->TitleID;//bytes 12-15
    *(BYTE*)(exeID + 16) = exeId->Platform;//byte 16
    *(BYTE*)(exeID + 17) = exeId->ExecutableType;//byte 17
    *(BYTE*)(exeID + 18) = exeId->Platform;//byte 18 (Platform repeated)
    *(BYTE*)(exeID + 19) = exeId->ExecutableType;//byte 19 (ExecutableType repeated)
    *(DWORD*)(exeID + 20) = exeId->SaveGameID;//bytes 20-23, fills the 0x18-byte buffer exactly
    //if your gonna spoof execution data do it here
    if (ExeResult == 0){//ExeResult
        // Success: 0x18 bytes of execution id at +0x38, 8 zero bytes at +0x84.
        memcpy(XoscBuff+0x38, exeID, 0x18);
        memset(XoscBuff+0x84, 0, 0x8);
    }
    else
    {
        // Failure: both regions are 0xAA-filled and bit 0x4 is cleared from the
        // flag word at +0x08 (0x2bf & -5 == 0x2bb).
        memset(XoscBuff + 0x38, 0xAA, 0x18);//err this one
        memset(XoscBuff + 0x84, 0xAA, 8);//
        XOSC_FLAG_BASE &= -5;
        *(QWORD*)(XoscBuff + 8) = XOSC_FLAG_BASE;
    }
    *(DWORD*)(XoscBuff + 0x18) = ExeResult;//ExeResult;
 
    //your 'kvHash' and 'cpukey' may be a different name
    // kvHash (0x10 bytes) is copied verbatim to +0x60.  XeCryptSha's prototype
    // is not visible here; from the arguments it appears to take 0x10 bytes of
    // CpuKeyFile and write a 0x10-byte digest at +0x50 -- TODO confirm against
    // the declaration.  Note the CPUKEY parameter is not what is hashed.
    memcpy(XoscBuff + 0x60, kvHash, 0x10);
    XeCryptSha(CpuKeyFile, 0x10, NULL, NULL, NULL, NULL, (XoscBuff + 0x50), 0x10);
 
    return XoscBuff;   // caller owns the 0x2E0-byte buffer
}