  1. // hBootLoaders Dirty Needed << to boot kernel kk
  2. #include "stdafx.h"
  3.  
  4. // Update here is the sendspace for the patches & scripts - credits to john doe & me for getting the shit together and making it
  5.  
  6. // I got the new shit to work on my source ill be giving that out later this week
  7.  
  // File-scope staging object. The two Create* functions below apply pointer arithmetic
  // to it (BootLoader + 0xA); that only compiles if MemoryBuffer defines operator+ — not
  // visible in this listing.
  8. MemoryBuffer BootLoader;
  9.  
  // Copies seven byte ranges (0x15..0x1E bytes each) from BootLoader offsets 0xA..0xD into
  // fixed offsets 0xC11..0xCF2 of MemoryBuffer. No parameters; nothing is returned.
  // NOTE(review): MemoryBuffer is a type name in this file, not an object, so
  // `MemoryBuffer + 0xC20` does not compile; `BootLoader + 0xA` only compiles if
  // MemoryBuffer defines operator+ (not visible here).
  // NOTE(review): the destination ranges overlap (0xC11/0xC20/0xC23 and 0xC48/0xC4A) and
  // each source offset is reused with a longer length, so later copies overwrite earlier ones.
  // A five-parameter definition with the same name follows later in the file (a C++ overload;
  // in C it would be a redefinition).
  10. void CreateSecurityResponse()
  11. {
  12.         memcpy(MemoryBuffer + 0xC20, BootLoader + 0xA, 0x15); //Level 0.1
  13.         memcpy(MemoryBuffer + 0xC11, BootLoader + 0xA, 0x16); //Level 0.2
  14.         memcpy(MemoryBuffer + 0xCF2, BootLoader + 0xB, 0x1A); //MmAddressTypes
  15.         memcpy(MemoryBuffer + 0xC23, BootLoader + 0xB, 0x1B); //CounterELCConfigs
  16.         memcpy(MemoryBuffer + 0xC48, BootLoader + 0xC, 0x1C); //HV Privileges
  17.         memcpy(MemoryBuffer + 0xC4A, BootLoader + 0xC, 0x1D); //HV Fix
  18.         memcpy(MemoryBuffer + 0xCA0, BootLoader + 0xD, 0x1E); //0x50 map TransferBlock
  19. }
  20.  
  // Copies sixteen ranges from BootParts into MemoryBuffer at offsets 0x5555xxx (tens of
  // megabytes in). No parameters; nothing is returned.
  // NOTE(review): memccpy takes four arguments (dst, src, stop byte, n); every call here
  // passes three, so this does not compile. BootParts is not declared anywhere in the
  // visible listing, and MemoryBuffer is a type name, not an object.
  // NOTE(review): the lengths (0x1AA..0xBBB) are far larger than the spacing of the source
  // offsets (0xAA, 0xBB, ...), so the source ranges overlap heavily.
  // A five-parameter definition with the same name follows later in the file.
  21. void CreateIndexResponseLookout()
  22. {
  23.         memccpy(MemoryBuffer + 0x5555AAA, BootParts + 0xAA, 0x1AA); // [Intro]
  24.         memccpy(MemoryBuffer + 0x5555BBB, BootParts + 0xBB, 0x1BB); // Transfer Block 1
  25.         memccpy(MemoryBuffer + 0x5555CCC, BootParts + 0xCC, 0x1CC); // Transfer Block 2
  26.         memccpy(MemoryBuffer + 0x5555DDD, BootParts + 0xDD, 0x1DD); // Transfer Block 3
  27.         memccpy(MemoryBuffer + 0x5555EEE, BootParts + 0xEE, 0x1EE); // Transfer Block 4
  28.         memccpy(MemoryBuffer + 0x5555FFF, BootParts + 0xFF, 0x1FF); // Transfer Block 5
  29.         memccpy(MemoryBuffer + 0x5555111, BootParts + 0x11, 0x111); // Transfer Block 6
  30.         memccpy(MemoryBuffer + 0x5555222, BootParts + 0x22, 0x222); // Transfer Block 7
  31.         memccpy(MemoryBuffer + 0x5555333, BootParts + 0x33, 0x333); // Transfer Block 8
  32.         memccpy(MemoryBuffer + 0x5555444, BootParts + 0x44, 0x444); // Transfer Block 9
  33.         memccpy(MemoryBuffer + 0x5555555, BootParts + 0x55, 0x555); // Transfer Block 10
  34.         memccpy(MemoryBuffer + 0x5555666, BootParts + 0x66, 0x666); // Transfer Block 11
  35.         memccpy(MemoryBuffer + 0x5555777, BootParts + 0x77, 0x777); // Transfer Block 12
  36.         memccpy(MemoryBuffer + 0x5555888, BootParts + 0x88, 0x888); // Transfer Block 13
  37.         memccpy(MemoryBuffer + 0x5555999, BootParts + 0x99, 0x999); // Transfer Block 14
  38.         memccpy(MemoryBuffer + 0x5555AAAA, BootParts + 0xAAA, 0xAAA); // Transfer Block 15
  39.         memccpy(MemoryBuffer + 0x5555BBBB, BootParts + 0xBBB, 0xBBB); // Transfer Block 16
  40. }
  41.  
  // Five-parameter overload of CreateSecurityResponse. The body is identical to the
  // zero-parameter version earlier in the file; dwTaskParam1, pbDaeTableName,
  // cbDaeTableName, pBuffer and cbBuffer are never read.
  // NOTE(review): the copies target the type name MemoryBuffer instead of the pBuffer
  // argument, so `MemoryBuffer + 0xC20` does not compile, and `BootLoader + 0xA` only
  // compiles if MemoryBuffer defines operator+ (not visible here). Destination ranges
  // overlap, so later copies overwrite earlier ones.
  42. void CreateSecurityResponse(DWORD dwTaskParam1, BYTE* pbDaeTableName, DWORD cbDaeTableName, MemoryBuffer* pBuffer, DWORD cbBuffer) {
  43.     memcpy(MemoryBuffer + 0xC20, BootLoader + 0xA, 0x15); //Level 0.1
  44.     memcpy(MemoryBuffer + 0xC11, BootLoader + 0xA, 0x16); //Level 0.2
  45.     memcpy(MemoryBuffer + 0xCF2, BootLoader + 0xB, 0x1A); //MmAddressTypes
  46.     memcpy(MemoryBuffer + 0xC23, BootLoader + 0xB, 0x1B); //CounterELCConfigs
  47.     memcpy(MemoryBuffer + 0xC48, BootLoader + 0xC, 0x1C); //HV Privileges
  48.     memcpy(MemoryBuffer + 0xC4A, BootLoader + 0xC, 0x1D); //HV Fix
  49.     memcpy(MemoryBuffer + 0xCA0, BootLoader + 0xD, 0x1E); //0x50 map TransferBlock
  50. }
  51.  
  // Five-parameter overload of CreateIndexResponseLookout. The body is identical to the
  // zero-parameter version earlier in the file; dwTaskParam2, Bootfixtransferblocks,
  // zeromem, pBuffer and cbBuffer are never read.
  // NOTE(review): memccpy takes four arguments (dst, src, stop byte, n); every call here
  // passes three, so this does not compile. BootParts is not declared in the visible
  // listing, and the copies target the type name MemoryBuffer rather than pBuffer.
  52. void CreateIndexResponseLookout(DWORD dwTaskParam2, BYTE* Bootfixtransferblocks, DWORD zeromem, MemoryBuffer* pBuffer, DWORD cbBuffer) {
  53.     memccpy(MemoryBuffer + 0x5555AAA, BootParts + 0xAA, 0x1AA); // [Intro]
  54.     memccpy(MemoryBuffer + 0x5555BBB, BootParts + 0xBB, 0x1BB); // Transfer Block 1
  55.     memccpy(MemoryBuffer + 0x5555CCC, BootParts + 0xCC, 0x1CC); // Transfer Block 2
  56.     memccpy(MemoryBuffer + 0x5555DDD, BootParts + 0xDD, 0x1DD); // Transfer Block 3
  57.     memccpy(MemoryBuffer + 0x5555EEE, BootParts + 0xEE, 0x1EE); // Transfer Block 4
  58.     memccpy(MemoryBuffer + 0x5555FFF, BootParts + 0xFF, 0x1FF); // Transfer Block 5
  59.     memccpy(MemoryBuffer + 0x5555111, BootParts + 0x11, 0x111); // Transfer Block 6
  60.     memccpy(MemoryBuffer + 0x5555222, BootParts + 0x22, 0x222); // Transfer Block 7
  61.     memccpy(MemoryBuffer + 0x5555333, BootParts + 0x33, 0x333); // Transfer Block 8
  62.     memccpy(MemoryBuffer + 0x5555444, BootParts + 0x44, 0x444); // Transfer Block 9
  63.     memccpy(MemoryBuffer + 0x5555555, BootParts + 0x55, 0x555); // Transfer Block 10
  64.     memccpy(MemoryBuffer + 0x5555666, BootParts + 0x66, 0x666); // Transfer Block 11
  65.     memccpy(MemoryBuffer + 0x5555777, BootParts + 0x77, 0x777); // Transfer Block 12
  66.     memccpy(MemoryBuffer + 0x5555888, BootParts + 0x88, 0x888); // Transfer Block 13
  67.     memccpy(MemoryBuffer + 0x5555999, BootParts + 0x99, 0x999); // Transfer Block 14
  68.     memccpy(MemoryBuffer + 0x5555AAAA, BootParts + 0xAAA, 0xAAA); // Transfer Block 15
  69.     memccpy(MemoryBuffer + 0x5555BBBB, BootParts + 0xBBB, 0xBBB); // Transfer Block 16
  70. }
  71.  
  72. // Fix Xecrypt Even tho it's dead we need to transfer the SpoofXamChallenge with the ecc salt + data to print it ok!
  73.  
  74. // works with nuclear live source but need to fix the CpuKeySpoof to make authing work for tools that work with like paid shit
  75.  
  76. //######### Running that dank memes #########// - inspired by anony lmao
  77.  
  // File-scope byte tables referenced by SpoofXamChallenge below.
  78. BYTE RandomData[0x80]; // not referenced in the visible listing; the code below uses hvRandomData instead
  79. BYTE HVEXADDR[2] = { 0x01, 0xB5 }; // shadowed by identically-initialised locals inside SpoofXamChallenge
  80. BYTE fHash[0x14] = { 0x2E, 0x58, 0xCE, 0xB4, 0x99, 0x04, 0xF6, 0x5B, 0xDD, 0x3B, 0x08, 0xD9, 0x9F, 0xB8, 0xFA, 0x84, 0x86, 0x5F, 0x38, 0xE9 }; // not referenced in the visible listing
  81. BYTE ECCHash[0x14] = { 0x8A, 0x5C, 0xDF, 0x9D, 0x4C, 0xED, 0xCC, 0xE3, 0x86, 0x0C, 0x7B, 0xB5, 0x09, 0xBC, 0x50, 0x0C, 0x0F, 0x4C, 0xD5, 0xEE }; // 20 bytes, copied to pBuffer + 0x50 in SpoofXamChallenge
  82. BYTE SecCleanHash[] = { 0x68, 0x61, 0x68, 0x61, 0x20, 0x79, 0x6F, 0x75, 0x20, 0x64, 0x75, 0x6D, 0x62, 0x20, 0x21, 0x21 }; // 16 bytes; despite the name these are the ASCII text "haha you dumb !!", which suggests this paste is not a working listing
  83.  
  // Builds the status word that SpoofXamChallenge passes to HvPokeDWORD(0x30, ...):
  // a fixed base value, with bit 16 set when the global crl == 1 and bit 24 set when
  // the global fcrt == 1. Reads globals only; no side effects.
  DWORD HVSF() {
      DWORD status = 0x23289D3;
      if (crl == 1) {
          status |= 0x10000;
      }
      if (fcrt == 1) {
          status |= 0x1000000;
      }
      return status;
  }
  90.  
  // Exported entry point. Forwards every argument unchanged to CreateXOSCBuffer,
  // reinterpreting pBuffer as XOSC*, and returns whatever CreateXOSCBuffer returns.
  EXTERN_C  DWORD ExecuteSpoofedSupervisorChallenge(DWORD dwTaskParam1, BYTE* pbDaeTableName, DWORD cbDaeTableName, BYTE* pBuffer, DWORD cbBuffer) {
      XOSC* pXosc = (XOSC*)pBuffer;
      DWORD result = CreateXOSCBuffer(dwTaskParam1, pbDaeTableName, cbDaeTableName, pXosc, cbBuffer);
      return result;
  }
  94.  
  // Function-pointer type for the routine that the offline branch of SpoofXamChallenge
  // resolves from "xboxkrnl.exe" ordinal 607. Note the BYTE*/UINT64 parameter types: the
  // earlier, unconditional XeKeysExecute call in that function passes (PVOID) casts instead,
  // so it must be binding to a different declaration not visible here.
  95. typedef DWORD(*XEKEYSEXECUTE)(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8);
  // Calls HvPeekBytes for 0x80 bytes at HV address 0x0000000200010040 with the global
  // hvRandomData as the buffer (presumably a read into it — confirm against HvPeekBytes).
  // Returns ERROR_SUCCESS when HvPeekBytes reports 0, otherwise E_FAIL.
  HRESULT DoRandomData() {
      if (HvPeekBytes(0x0000000200010040, hvRandomData, 0x80) != 0) {
          return E_FAIL;
      }
      return ERROR_SUCCESS;
  }
  // Builds a reply to the XAM/HV challenge held in pBuffer.
  //   pBuffer / dwFileSize: caller-supplied challenge buffer and its size; most of it is
  //                         overwritten in place.
  //   Salt: 16-byte salt — copied into chalRequest, SHA-updated, and passed (as a physical
  //         address) to XeKeysExecute.
  //   Input2..Input4: forwarded to XeKeysExecute unchanged.
  // Returns 0 on every path. Side effects: HvPoke* writes at HV offsets 0x6/0x14/0x30/0x20,
  // sets the global crl, a one-time XNotifyUI, a reboot via HalReturnToFirmware on the two
  // failure paths, and a dump of pBuffer to HDD:\HVChallengeDump.bin.
  // NOTE(review): this function does not compile as pasted — see the line notes below
  // (invalid token sequence in the challenges(...) call, a parenthesised call statement,
  // locals shadowing the file-scope HVEXADDR). Several return values (CReadFile, HvPeekBytes,
  // DoRandomData) are ignored, and many buffer writes are overwritten by later ones.
  99. QWORD SpoofXamChallenge(BYTE* pBuffer, DWORD dwFileSize, BYTE* Salt, QWORD Input2, QWORD Input3, QWORD Input4) {
  100.  
  101.     // Make sure we are even good to go first
           // Busy-waits on the global XBLSInitialized with no timeout.
  102.     while (!XBLSInitialized) { Sleep(1); }
  103.  
           // NOTE(review): passes (PVOID) casts, whereas the XEKEYSEXECUTE typedef takes UINT64
           // and the offline branch below re-resolves and calls the function again.
  104.     XeKeysExecute((BYTE*)pBuffer, (DWORD)dwFileSize, MmGetPhysicalAddress(Salt), (PVOID)Input2, (PVOID)Input3, (PVOID)Input4);
  105.  
  106.     DWORD status; // never read; the code uses pChalResponce->Status instead
  107.     SERVER_CHAL_REQUEST   chalRequest;
           // Both views alias the caller's buffer: the server reply and the XAM response
           // (at +0x20) are written straight into pBuffer.
  108.     SERVER_CHAL_RESPONCE* pChalResponce = (SERVER_CHAL_RESPONCE*)pBuffer;
  109.     XAM_CHAL_RESP* resp = (XAM_CHAL_RESP*)(pBuffer + 0x20);
  110.  
  111.     memcpy(chalRequest.SessionKey, seshKey, 16);
  112.     memcpy(chalRequest.Salt, Salt, 16);
  113.  
  114.     chalRequest.Crl = crl;
  115.     chalRequest.Fcrt = fcrt;
  116.     chalRequest.Type1Kv = type1KV;
  117.  
  118.     DbgPrint("Collected Our Xam Responce in Our Xam Challenges");
  119.  
           // HV writes: a WORD at 0x6 chosen by fcrt, the update sequence at 0x14, the
           // HVSF() status word at 0x30, and the 16-byte cpuKey at 0x20.
  120.     HvPokeWORD(0x6, fcrt ? 0xD81E : 0xD83E);
  121.     HvPokeDWORD(0x14, dwUpdateSequence);
  122.     HvPokeDWORD(0x30, HVSF());
  123.     HvPokeBytes(0x20, cpuKey, 0x10);
  124.    
  125.    
           // NOTE(review): neither hModule nor HVChallengeDump is declared in the visible listing.
  126.     hModule(0x0000000200010040, HVChallengeDump);
  127.    
           // NOTE(review): `Xam"0x108"` is not a valid C/C++ expression; this line does not compile.
  128.     challenges(0x00000167, Xam"0x108"); // Clean Collected Shit
  129.  
  130.     DbgPrint("Entering Xam Challenges");
  131.  
           // Offline branch. It ends by producing the same buffer layout as the code after the
           // if-block, and that later code then runs anyway and rewrites the buffer again.
  132.     if (isOffline) {
  133.  
  134.         DbgPrint("Spoofing challenges offline!");
               // Local shadows whatever XeKeysExecute the call above bound to.
  135.         XEKEYSEXECUTE XeKeysExecute = (XEKEYSEXECUTE)ResolveFunction("xboxkrnl.exe", 607);
  136.         BYTE* physSalt = (BYTE*)MmGetPhysicalAddress(Salt);
  137.         XeKeysExecute((BYTE*)pBuffer, (DWORD)dwFileSize, physSalt, (UINT64)Input2, (UINT64)Input3, (UINT64)Input4);
  138.  
  139.         extern BOOL RunningFromUSB; // only referenced by the commented-out lines below
  140.  
  141.         //MemoryBuffer mbCpu;
  142.         //CReadFile(RunningFromUSB ? "Usb:\\HV.bin" : "Hdd:\\HV.bin", mbCpu);
  143.         //PBYTE mbHv = mbCpu.GetData();
  144.  
               // NOTE(review): CReadFile results are not checked and GetData() is used without a
               // null/length check; HV is never read afterwards, only CACHE is.
  145.         MemoryBuffer mbHV;
  146.         CReadFile("HDD:\\HV.bin", mbHV);
  147.         PBYTE HV = mbHV.GetData();
  148.  
  149.         MemoryBuffer mbCACHE;
  150.         CReadFile("HDD:\\CACHE.bin", mbCACHE);
  151.         PBYTE CACHE = mbCACHE.GetData();
  152.  
  153.         //XeKeysExecute(pBuffer, (WORD)((((DWORD)MmGetPhysicalAddress(Salt) + 0x400) & 0xFFFF0000) >> 16);
  154.        
  155.         BYTE ECCSalt[0x02];
  156.         HvPeekBytes(0x800002000001F810, ECCSalt, 0x02); // return value ignored
  157.  
               // SHA over ECCSalt, slices of pBuffer and slices of CACHE; digest to pBuffer + 0x50.
  158.         XECRYPT_SHA_STATE sha;
  159.         XeCryptShaInit(&sha);
  160.         XeCryptShaUpdate(&sha, ECCSalt, 0x02);
  161.         XeCryptShaUpdate(&sha, pBuffer + 0x34, 0x0C);
  162.         XeCryptShaUpdate(&sha, pBuffer + 0x40, 0x30);
  163.         XeCryptShaUpdate(&sha, pBuffer + 0x70, 0x04);
  164.         XeCryptShaUpdate(&sha, pBuffer + 0x78, 0x08);
  165.         XeCryptShaUpdate(&sha, CACHE + 0x02, 0x3FE);
  166.         XeCryptShaUpdate(&sha, pBuffer + 0x100C0, 0x40);
  167.         XeCryptShaUpdate(&sha, pBuffer + 0x10350, 0x30);
  168.         XeCryptShaUpdate(&sha, CACHE + 0x40E, 0x176);
  169.         XeCryptShaUpdate(&sha, pBuffer + 0x16100, 0x40);
  170.         XeCryptShaUpdate(&sha, pBuffer + 0x16D20, 0x60);
  171.         XeCryptShaUpdate(&sha, CACHE + 0x5B6, 0x24A);
  172.         XeCryptShaUpdate(&sha, CACHE + 0x800, 0x400);
  173.         XeCryptShaUpdate(&sha, CACHE + 0xC00, 0x400);
  174.  
  175.         XeCryptShaFinal(&sha, pBuffer + 0x50, 0x14);
               // NOTE(review): the same state is updated again after XeCryptShaFinal without a new
               // XeCryptShaInit; whether that is meaningful depends on XeCryptSha's implementation.
               // The offsets hashed here (up to +0x30000 + 0xFFC) are never checked against dwFileSize.
  176.         XeCryptShaUpdate(&sha, Salt, 0x10);
  177.         XeCryptShaUpdate(&sha, pBuffer + 0x34, 0x40);
  178.         XeCryptShaUpdate(&sha, pBuffer + 0x78, 0xF88);
  179.         XeCryptShaUpdate(&sha, pBuffer + 0x100C0, 0x40);
  180.         XeCryptShaUpdate(&sha, pBuffer + 0x10350, 0xDF0);
  181.         XeCryptShaUpdate(&sha, pBuffer + 0x16D20, 0x2E0);
  182.         XeCryptShaUpdate(&sha, pBuffer + 0x20000, 0xFFC);
  183.         XeCryptShaUpdate(&sha, pBuffer + 0x30000, 0xFFC);
  184.         XeCryptShaFinal(&sha, pBuffer + 0xEC, 0x14);
  185.  
  186.         pChalResponce->Status = 0;
  187.  
               // Unaligned 2-byte store through a short*; overwritten by the HVEXADDR memcpy below.
  188.         *(short*)(pBuffer + 0xF8) = (WORD)((((DWORD)MmGetPhysicalAddress(pBuffer) + 0x400) & 0xFFFF0000) >> 16);
  189.  
               // NOTE(review): these writes overlap — Membo (+0x65..+0x78) over eccAR (+0x68..+0x7B),
               // then cpuKeyDigest (+0x64..+0x77) and HvPeekBytes (+0x78..+0xF7) over both and over
               // the whole SecCleanHash copy (+0x70..+0x7F), and XeCryptSha over +0x64 again. Also
               // note eccAR lands at +0x68 here but at +0x51 in the online path below.
  190.         memcpy(resp->bRandomData, hvRandomData, 0x80);
  191.         (memcpy(pBuffer + 0x70, SecCleanHash, 0x10)); // NOTE(review): stray parentheses around the statement
  192.         memcpy(pBuffer + 0x68, eccAR, 0x14);
  193.         memcpy(pBuffer + 0x65, Membo, 0x14);
  194.  
  195.         memcpy(pBuffer + 0x50, ECCHash, 0x14);
  196.         memcpy(pBuffer + 0x64, cpuKeyDigest, 0x14);
  197.         HvPeekBytes(0x0000000200010040, pBuffer + 0x78, 0x80);
  198.  
               // SHA of the 16-byte cpuKey written to +0x64, replacing cpuKeyDigest.
  199.         XeCryptSha(cpuKey, 0x10, NULL, NULL, NULL, NULL, pBuffer + 0x64, XECRYPT_SHA_DIGEST_SIZE);
  200.  
  201.         DoRandomData(); //Get Random Data from Current HV — HRESULT ignored
  202.         BYTE Flags[2] = { 0x07, 0x60 };
  203.         BYTE HVEXADDR[2] = { 0x01, 0xB5 }; // NOTE(review): shadows the file-scope HVEXADDR (same bytes)
  204.         memset(pBuffer + 0x100, 0, 0xF00);//Clear all random junk from buffer
  205.         memcpy(pBuffer + 0x2E, pBuffer + 0x30, 2); //Copy our BLDR Flags from Original Postion @ 0x30, to 0x2E
  206.         memcpy(pBuffer + 0x30, Flags, 2);//Copy Correct Flags for 0x30 (Static)
  207.         memcpy(pBuffer + 0x78, hvRandomData, 0x80);//Copy Correct HV Random Data (replaces the HvPeekBytes result above)
  208.         memcpy(pBuffer + 0xF8, HVEXADDR, 2); //Copy our HVEXAddress (Static for now, how da fuq do they even check that)
  209.  
  210.         crl = TRUE;
  211.  
  212.         DbgPrint("Xam Challenges Passed and Online");
  213.  
  214.         if (!didnotify) {
  215.             didnotify = true;
  216.             //xNotify(xamNotify);
  217.             XNotifyUI(L"OGStealth - aSync Spoofed");
  218.         }
  219.         CWriteFile("HDD:\\HVChallengeDump.bin", pBuffer, dwFileSize);
  220.     }
  221.  
           // Online path (also reached after the offline branch). The reply is written into
           // pBuffer itself via pChalResponce. Failure reboots the console; the `return 0`
           // after HalReturnToFirmware is presumably unreachable — confirm.
  222.     if (SendCommand(XSTL_SERVER_COMMAND_ID_GET_CHAL_RESPONCE, &chalRequest, sizeof(SERVER_CHAL_REQUEST), pChalResponce, sizeof(SERVER_CHAL_RESPONCE)) != ERROR_SUCCESS) {
  223.         DbgPrint("- SendCommand Failed");
  224.         HalReturnToFirmware(HalFatalErrorRebootRoutine);
  225.         return 0;
  226.     }
  227.  
  228.     if (pChalResponce->Status != XSTL_STATUS_SUCCESS && pChalResponce->Status != XSTL_STATUS_STEALTHED) {
  229.         DbgPrint("Size of Xam Challenge did not match ours, Shutting down console!");
  230.         HalReturnToFirmware(HalFatalErrorRebootRoutine);
  231.         return 0;
  232.     }
  233.  
  234.     pChalResponce->Status = 0;
  235.  
           // Unaligned 2-byte store through a short*; overwritten by the HVEXADDR memcpy below.
  236.     *(short*)(pBuffer + 0xF8) = (WORD)((((DWORD)MmGetPhysicalAddress(pBuffer) + 0x400) & 0xFFFF0000) >> 16);
  237.  
           // Same overlapping-write sequence as the offline branch, except eccAR goes to +0x51
           // and is immediately overwritten by ECCHash at +0x50.
  238.     memcpy(resp->bRandomData, hvRandomData, 0x80);
  239.     memcpy(pBuffer + 0x70, SecCleanHash, 0x10);
  240.     memcpy(pBuffer + 0x51, eccAR, 0x14);
  241.     memcpy(pBuffer + 0x65, Membo, 0x14);
  242.  
  243.     memcpy(pBuffer + 0x50, ECCHash, 0x14);
  244.     memcpy(pBuffer + 0x64, cpuKeyDigest, 0x14);
  245.     HvPeekBytes(0x0000000200010040, pBuffer + 0x78, 0x80);
  246.  
  247.     XeCryptSha(cpuKey, 0x10, NULL, NULL, NULL, NULL, pBuffer + 0x64, XECRYPT_SHA_DIGEST_SIZE);
  248.  
  249.     DoRandomData(); //Get Random Data from Current HV — HRESULT ignored
  250.     BYTE Flags[2] = { 0x07, 0x60 };
  251.     BYTE HVEXADDR[2] = { 0x01, 0xB5 }; // NOTE(review): shadows the file-scope HVEXADDR (same bytes)
  252.     memset(pBuffer + 0x100, 0, 0xF00);//Clear all random junk from buffer
  253.     memcpy(pBuffer + 0x2E, pBuffer + 0x30, 2); //Copy our BLDR Flags from Original Postion @ 0x30, to 0x2E
  254.     memcpy(pBuffer + 0x30, Flags, 2);//Copy Correct Flags for 0x30 (Static)
  255.     memcpy(pBuffer + 0x78, hvRandomData, 0x80);//Copy Correct HV Random Data (replaces the HvPeekBytes result above)
  256.     memcpy(pBuffer + 0xF8, HVEXADDR, 2); //Copy our HVEXAddress (Static for now, how da fuq do they even check that)
  257.  
  258.     crl = TRUE;
  259.  
  260.     DbgPrint("Xam Challenges Passed and Online");
  261.  
  262.     if (!didnotify) {
  263.         didnotify = true;
  264.         //xNotify(xamNotify);
  265.         XNotifyUI(L"OGStealth - aSync Spoofed");
  266.     }
  267.  
  268.     CWriteFile("HDD:\\HVChallengeDump.bin", pBuffer, dwFileSize);
  269.  
  270.     return 0;
  271. }