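/**
 * Assemble a 0x2E0-byte response buffer for the "supervisor challenge".
 *
 * The buffer is zero-filled, then populated with fixed constants, 0xAA
 * filler runs, a handful of fields copied out of the caller's KeyVault
 * blob, the current execution ID, and two 0x10-byte values taken from
 * file-scope data (kvHash and a XeCryptSha digest of CpuKeyFile).
 *
 * Review note: apart from the execution ID and the flag word read from
 * 0x8E038678, every field written here is a constant or a copy of
 * caller-supplied bytes. A reply built this way carries no measurement of
 * the running system, so the contents of such a reply are not, on their
 * own, evidence of the sender's integrity.
 *
 * Depends on names defined outside this function: crl, fcrt, type1KV,
 * kvHash, CpuKeyFile, XamGetExecutionId, XeCryptSha.
 *
 * @param KeyVault  Source blob. Read at offsets 0x1C, 0xB0, 0xC8, 0x9CA,
 *                  0xC89 and 0xC8A..0xCAD, so it must hold at least 0xCAE
 *                  readable bytes. The function cannot check that length.
 * @param CPUKEY    Not used; the digest input is the file-scope CpuKeyFile.
 * @return Heap buffer of 0x2E0 bytes that the caller must free(), or NULL
 *         when KeyVault is NULL or the allocation fails.
 */
BYTE * BuildSupervisorChallenge(BYTE * KeyVault, BYTE * CPUKEY)
{
    enum { XOSC_BUFFER_SIZE = 0x2E0, FILL_BYTE = 0xAA };

    const int HV_PROTECTED_FLAGS_NONE = 0;
    const int HV_PROTECTED_FLAGS_NO_EJECT_REBOOT = 1;
    const int HV_PROTECTED_FLAGS_AUTH_EX_CAP = 4;

    (void)CPUKEY;

    /* Every KeyVault access below is a raw offset read; refuse a NULL blob. */
    if (KeyVault == NULL) {
        return NULL;
    }

    /* Status word: fixed base value plus one bit each for crl and fcrt. */
    unsigned int HV_KEYS_STATUS_FLAGS = 0x23289d3;
    if (crl == 1) {
        HV_KEYS_STATUS_FLAGS |= 0x10000;
    }
    if (fcrt == 1) {
        HV_KEYS_STATUS_FLAGS |= 0x1000000;
    }

    /* Bootloader flag word: bit 0x20 is cleared when type1KV is set. */
    unsigned short BLDR_FLAGS = 0xd83e;
    if (type1KV == 1) {
        BLDR_FLAGS = (WORD)(BLDR_FLAGS & ~0x20);
    }

    /* Fixed-address read; only the NO_EJECT_REBOOT bit is carried over. */
    QWORD HvProtectedFlags = *(QWORD*)0x8E038678;
    QWORD HV_PROTECTED_FLAGS = HV_PROTECTED_FLAGS_AUTH_EX_CAP;
    if ((HvProtectedFlags & HV_PROTECTED_FLAGS_NO_EJECT_REBOOT) == HV_PROTECTED_FLAGS_NO_EJECT_REBOOT) {
        HV_PROTECTED_FLAGS |= HV_PROTECTED_FLAGS_NO_EJECT_REBOOT;
    } else {
        HV_PROTECTED_FLAGS |= HV_PROTECTED_FLAGS_NONE;
    }

    int XOSC_FLAG_BASE = 0x2bf;

    /* calloc replaces the unchecked malloc + memset(0) pair. */
    BYTE * XoscBuff = (BYTE*)calloc(1, XOSC_BUFFER_SIZE);
    if (XoscBuff == NULL) {
        return NULL;
    }

    /* Header and constant fields. */
    *(DWORD*)(XoscBuff + 0x04) = 0x90002;
    *(QWORD*)(XoscBuff + 0x08) = XOSC_FLAG_BASE;
    *(DWORD*)(XoscBuff + 0x20) = 0xC8003003;
    memset(XoscBuff + 0x24, FILL_BYTE, 0x10);
    *(QWORD*)(XoscBuff + 0x70) = 0x527A5A4BD8F505BB;
    *(QWORD*)(XoscBuff + 0x78) = 0x94305A1779729F3B;

    /* Fields copied straight from the KeyVault blob. */
    *(BYTE*)(XoscBuff + 0x83) = *(BYTE*)(KeyVault + 0xC89);  /* drive phase level */
    memset(XoscBuff + 0x8C, FILL_BYTE, 0x64);
    memcpy(XoscBuff + 0xF0, KeyVault + 0xC8A, 0x24);         /* drive data */
    memcpy(XoscBuff + 0x114, KeyVault + 0xC8A, 0x24);        /* drive data, second copy */
    memcpy(XoscBuff + 0x138, KeyVault + 0xB0, 12);           /* console serial */
    *(WORD*)(XoscBuff + 0x144) = FILL_BYTE;
    *(WORD*)(XoscBuff + 0x146) = BLDR_FLAGS;
    *(WORD*)(XoscBuff + 0x148) = *(WORD*)(KeyVault + 0xC8);  /* xam region */
    *(WORD*)(XoscBuff + 0x14A) = *(WORD*)(KeyVault + 0x1C);  /* xam odd */
    *(WORD*)(XoscBuff + 0x154) = 7;
    *(DWORD*)(XoscBuff + 0x158) = HV_KEYS_STATUS_FLAGS;
    memset(XoscBuff + 0x15C, FILL_BYTE, 0x4);
    memset(XoscBuff + 0x16C, FILL_BYTE, 0x4);
    *(DWORD*)(XoscBuff + 0x170) = 0xD0008;
    *(WORD*)(XoscBuff + 0x176) = 8;
    *(QWORD*)(XoscBuff + 0x198) = HV_PROTECTED_FLAGS;
    memcpy(XoscBuff + 0x1A0, KeyVault + 0x9CA, 0x5);         /* console id */
    *(DWORD*)(XoscBuff + 0x1D0) = 0x40000207;
    memset(XoscBuff + 0x21C, FILL_BYTE, 0xA4);
    *(WORD*)(XoscBuff + 0x2B8) = 0x20;
    *(WORD*)(XoscBuff + 0x2C6) = 0x6;
    memset(XoscBuff + 0x2C8, FILL_BYTE, 0x10);
    *(DWORD*)(XoscBuff + 0x2D8) = 0x5F534750;
    memset(XoscBuff + 0x2DC, FILL_BYTE, 4);

    //add execution id
    /*
     * exeId is read only after the call reports success. The original
     * dereferenced it unconditionally, which is undefined behaviour when
     * XamGetExecutionId fails and leaves the pointer unset. It also staged
     * the 0x18 bytes in a malloc'd scratch buffer that was never freed; the
     * same bytes are now written directly at 0x38.
     */
    XEX_EXECUTION_ID* exeId = NULL;
    DWORD ExeResult = XamGetExecutionId(&exeId);

    //if your gonna spoof execution data do it here
    if (ExeResult == 0) {
        BYTE * exeSlot = XoscBuff + 0x38;
        *(DWORD*)(exeSlot + 0)  = exeId->MediaID;
        *(DWORD*)(exeSlot + 4)  = exeId->Version;
        *(DWORD*)(exeSlot + 8)  = exeId->BaseVersion;
        *(DWORD*)(exeSlot + 12) = exeId->TitleID;
        *(BYTE*)(exeSlot + 16)  = exeId->Platform;
        *(BYTE*)(exeSlot + 17)  = exeId->ExecutableType;
        /* Bytes 18 and 19 repeat Platform / ExecutableType, as in the original. */
        *(BYTE*)(exeSlot + 18)  = exeId->Platform;
        *(BYTE*)(exeSlot + 19)  = exeId->ExecutableType;
        *(DWORD*)(exeSlot + 20) = exeId->SaveGameID;
        memset(XoscBuff + 0x84, 0, 0x8);
    } else {
        /* No execution ID: filler in both regions and bit 0x4 dropped from the flag word. */
        memset(XoscBuff + 0x38, FILL_BYTE, 0x18);
        memset(XoscBuff + 0x84, FILL_BYTE, 8);
        XOSC_FLAG_BASE &= ~0x4;
        *(QWORD*)(XoscBuff + 8) = XOSC_FLAG_BASE;
    }
    *(DWORD*)(XoscBuff + 0x18) = ExeResult;

    //your 'kvHash' and 'cpukey' may be a different name
    memcpy(XoscBuff + 0x60, kvHash, 0x10);
    XeCryptSha(CpuKeyFile, 0x10, NULL, NULL, NULL, NULL, (XoscBuff + 0x50), 0x10);

    return XoscBuff;
}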