- // hBootLoaders Dirty Needed << to boot kernel kk
- #include "stdafx.h"
- // Update here is the sendspace for the patches & scripts - credits to john doe & me for getting the shit together and making it
- // I got the new shit to work on my source ill be giving that out later this week
// NOTE(review): `MemoryBuffer` is a type name in this declaration, yet the functions below write
// `MemoryBuffer + offset` as if it were a pointer. Both uses cannot hold, so the listing does not compile as pasted.
- MemoryBuffer BootLoader;
// CreateSecurityResponse (no-argument form): seven fixed-length memcpy calls from `BootLoader`
// into `MemoryBuffer` at hard-coded offsets. Takes no input and returns nothing.
// NOTE(review): no length is checked on either side; neither object's size is visible in this listing.
// NOTE(review): the destination ranges overlap (0xC11+0x16 and 0xC23+0x1B both reach into 0xC20..0xC34,
// and 0xC48+0x1C overlaps 0xC4A+0x1D), so later copies overwrite earlier ones and the result depends on statement order.
// NOTE(review): `BootLoader + 0xA` is arithmetic on a MemoryBuffer object, not on a byte pointer; whether the
// type defines operator+ is not visible here.
- void CreateSecurityResponse()
- {
- memcpy(MemoryBuffer + 0xC20, BootLoader + 0xA, 0x15); //Level 0.1
- memcpy(MemoryBuffer + 0xC11, BootLoader + 0xA, 0x16); //Level 0.2
- memcpy(MemoryBuffer + 0xCF2, BootLoader + 0xB, 0x1A); //MmAddressTypes
- memcpy(MemoryBuffer + 0xC23, BootLoader + 0xB, 0x1B); //CounterELCConfigs
- memcpy(MemoryBuffer + 0xC48, BootLoader + 0xC, 0x1C); //HV Privleges
- memcpy(MemoryBuffer + 0xC4A, BootLoader + 0xC, 0x1D); //HV Fix
- memcpy(MemoryBuffer + 0xCA0, BootLoader + 0xD, 0x1E); //0x50 map TransferBlock
- }
// CreateIndexResponseLookout (no-argument form): seventeen copy calls from `BootParts` into
// `MemoryBuffer` at hard-coded offsets. Takes no input and returns nothing.
// NOTE(review): `memccpy` is called with three arguments; the POSIX memccpy takes four (dest, src, c, n).
// Whether this is a project macro or a typo for memcpy cannot be told from this listing.
// NOTE(review): `BootParts` is not declared anywhere in the visible source.
// NOTE(review): destination offsets run from 0x5555111 up to 0x5555BBBB with no bounds check. The
// repeating-digit constants (offset suffix, source offset and length all share a digit) look like
// placeholders rather than measured offsets -- unverified.
- void CreateIndexResponseLookout()
- {
- memccpy(MemoryBuffer + 0x5555AAA, BootParts + 0xAA, 0x1AA); // [Intro]
- memccpy(MemoryBuffer + 0x5555BBB, BootParts + 0xBB, 0x1BB); // Transfer Block 1
- memccpy(MemoryBuffer + 0x5555CCC, BootParts + 0xCC, 0x1CC); // Transfer Block 2
- memccpy(MemoryBuffer + 0x5555DDD, BootParts + 0xDD, 0x1DD); // Transfer Block 3
- memccpy(MemoryBuffer + 0x5555EEE, BootParts + 0xEE, 0x1EE); // Transfer Block 4
- memccpy(MemoryBuffer + 0x5555FFF, BootParts + 0xFF, 0x1FF); // Transfer Block 5
- memccpy(MemoryBuffer + 0x5555111, BootParts + 0x11, 0x111); // Transfer Block 6
- memccpy(MemoryBuffer + 0x5555222, BootParts + 0x22, 0x222); // Transfer Block 7
- memccpy(MemoryBuffer + 0x5555333, BootParts + 0x33, 0x333); // Transfer Block 8
- memccpy(MemoryBuffer + 0x5555444, BootParts + 0x44, 0x444); // Transfer Block 9
- memccpy(MemoryBuffer + 0x5555555, BootParts + 0x55, 0x555); // Transfer Block 10
- memccpy(MemoryBuffer + 0x5555666, BootParts + 0x66, 0x666); // Transfer Block 11
- memccpy(MemoryBuffer + 0x5555777, BootParts + 0x77, 0x777); // Transfer Block 12
- memccpy(MemoryBuffer + 0x5555888, BootParts + 0x88, 0x888); // Transfer Block 13
- memccpy(MemoryBuffer + 0x5555999, BootParts + 0x99, 0x999); // Transfer Block 14
- memccpy(MemoryBuffer + 0x5555AAAA, BootParts + 0xAAA, 0xAAA); // Transfer Block 15
- memccpy(MemoryBuffer + 0x5555BBBB, BootParts + 0xBBB, 0xBBB); // Transfer Block 16
- }
// CreateSecurityResponse (five-parameter form): the body is the same seven memcpy calls as the
// no-argument definition earlier in the listing.
// NOTE(review): none of the parameters (dwTaskParam1, pbDaeTableName, cbDaeTableName, pBuffer, cbBuffer)
// is referenced in the body; the copies target the type name `MemoryBuffer`, not `pBuffer`, and
// `cbBuffer` is never used to bound a write.
// NOTE(review): a second definition under the same name is an overload in C++ and a redefinition error in C.
// NOTE(review): the destination ranges overlap (0xC11/0xC20/0xC23 and 0xC48/0xC4A), so the result
// depends on statement order.
- void CreateSecurityResponse(DWORD dwTaskParam1, BYTE* pbDaeTableName, DWORD cbDaeTableName, MemoryBuffer* pBuffer, DWORD cbBuffer) {
- memcpy(MemoryBuffer + 0xC20, BootLoader + 0xA, 0x15); //Level 0.1
- memcpy(MemoryBuffer + 0xC11, BootLoader + 0xA, 0x16); //Level 0.2
- memcpy(MemoryBuffer + 0xCF2, BootLoader + 0xB, 0x1A); //MmAddressTypes
- memcpy(MemoryBuffer + 0xC23, BootLoader + 0xB, 0x1B); //CounterELCConfigs
- memcpy(MemoryBuffer + 0xC48, BootLoader + 0xC, 0x1C); //HV Privleges
- memcpy(MemoryBuffer + 0xC4A, BootLoader + 0xC, 0x1D); //HV Fix
- memcpy(MemoryBuffer + 0xCA0, BootLoader + 0xD, 0x1E); //0x50 map TransferBlock
- }
// CreateIndexResponseLookout (five-parameter form): the body is the same seventeen copy calls as
// the no-argument definition earlier in the listing.
// NOTE(review): none of the parameters (dwTaskParam2, Bootfixtransferblocks, zeromem, pBuffer, cbBuffer)
// is referenced in the body; `cbBuffer` is never used to bound a write.
// NOTE(review): `memccpy` is called with three arguments (POSIX memccpy takes four) and `BootParts`
// is not declared in the visible source, so this does not compile as pasted.
// NOTE(review): the repeating-digit offsets and lengths look like placeholders -- unverified.
- void CreateIndexResponseLookout(DWORD dwTaskParam2, BYTE* Bootfixtransferblocks, DWORD zeromem, MemoryBuffer* pBuffer, DWORD cbBuffer) {
- memccpy(MemoryBuffer + 0x5555AAA, BootParts + 0xAA, 0x1AA); // [Intro]
- memccpy(MemoryBuffer + 0x5555BBB, BootParts + 0xBB, 0x1BB); // Transfer Block 1
- memccpy(MemoryBuffer + 0x5555CCC, BootParts + 0xCC, 0x1CC); // Transfer Block 2
- memccpy(MemoryBuffer + 0x5555DDD, BootParts + 0xDD, 0x1DD); // Transfer Block 3
- memccpy(MemoryBuffer + 0x5555EEE, BootParts + 0xEE, 0x1EE); // Transfer Block 4
- memccpy(MemoryBuffer + 0x5555FFF, BootParts + 0xFF, 0x1FF); // Transfer Block 5
- memccpy(MemoryBuffer + 0x5555111, BootParts + 0x11, 0x111); // Transfer Block 6
- memccpy(MemoryBuffer + 0x5555222, BootParts + 0x22, 0x222); // Transfer Block 7
- memccpy(MemoryBuffer + 0x5555333, BootParts + 0x33, 0x333); // Transfer Block 8
- memccpy(MemoryBuffer + 0x5555444, BootParts + 0x44, 0x444); // Transfer Block 9
- memccpy(MemoryBuffer + 0x5555555, BootParts + 0x55, 0x555); // Transfer Block 10
- memccpy(MemoryBuffer + 0x5555666, BootParts + 0x66, 0x666); // Transfer Block 11
- memccpy(MemoryBuffer + 0x5555777, BootParts + 0x77, 0x777); // Transfer Block 12
- memccpy(MemoryBuffer + 0x5555888, BootParts + 0x88, 0x888); // Transfer Block 13
- memccpy(MemoryBuffer + 0x5555999, BootParts + 0x99, 0x999); // Transfer Block 14
- memccpy(MemoryBuffer + 0x5555AAAA, BootParts + 0xAAA, 0xAAA); // Transfer Block 15
- memccpy(MemoryBuffer + 0x5555BBBB, BootParts + 0xBBB, 0xBBB); // Transfer Block 16
- }
- // Fix Xecrypt Even tho its dead we need to transfer the SpoofXamChallange with the ecc salt + data to print it ok!
- // works with nuclear live source but need to fix the CpuKeySpoof to make authing work for tools that work with like paid shit
- //######### Running that dank memes #########// - inspired by anony lmao
// File-scope constants and scratch buffers used when filling in the challenge response.
// NOTE(review): `RandomData` is not referenced by any function in this listing; the code below reads and
// writes `hvRandomData`, which is declared elsewhere.
- BYTE RandomData[0x80];
// NOTE(review): shadowed by a local of the same name and value inside SpoofXamChallenge.
- BYTE HVEXADDR[2] = { 0x01, 0xB5 };
// NOTE(review): `fHash` is not referenced anywhere in the visible source.
- BYTE fHash[0x14] = { 0x2E, 0x58, 0xCE, 0xB4, 0x99, 0x04, 0xF6, 0x5B, 0xDD, 0x3B, 0x08, 0xD9, 0x9F, 0xB8, 0xFA, 0x84, 0x86, 0x5F, 0x38, 0xE9 };
// Fixed 20-byte value; SpoofXamChallenge copies it to pBuffer + 0x50 regardless of the challenge salt.
- BYTE ECCHash[0x14] = { 0x8A, 0x5C, 0xDF, 0x9D, 0x4C, 0xED, 0xCC, 0xE3, 0x86, 0x0C, 0x7B, 0xB5, 0x09, 0xBC, 0x50, 0x0C, 0x0F, 0x4C, 0xD5, 0xEE };
// NOTE(review): these 16 bytes are not a digest; they are the ASCII text "haha you dumb !!". Together with the
// placeholder-looking offsets above, this suggests the paste may be non-functional or a deliberate troll -- treat with caution.
- BYTE SecCleanHash[] = { 0x68, 0x61, 0x68, 0x61, 0x20, 0x79, 0x6F, 0x75, 0x20, 0x64, 0x75, 0x6D, 0x62, 0x20, 0x21, 0x21 }; //new dash
// HVSF: builds a 32-bit flag word. Starts from the constant 0x23289D3, ORs in 0x10000 when `crl == 1`
// and 0x1000000 when `fcrt == 1`, and returns the result.
// `crl` and `fcrt` are globals declared outside this listing; SpoofXamChallenge sets `crl = TRUE`.
// NOTE(review): the returned word is derived only from a constant and two global flags, not from anything measured at call time.
- DWORD HVSF() {
- DWORD HV_STATUS_FLAG = 0x23289D3;
- HV_STATUS_FLAG = (crl == 1) ? (HV_STATUS_FLAG | 0x10000) : HV_STATUS_FLAG;
- HV_STATUS_FLAG = (fcrt == 1) ? (HV_STATUS_FLAG | 0x1000000) : HV_STATUS_FLAG;
- return HV_STATUS_FLAG;
- }
// ExecuteSpoofedSupervisorChallenge: thin exported wrapper. Forwards all five arguments to
// CreateXOSCBuffer (not defined in this listing) and returns its result.
// NOTE(review): pBuffer is reinterpreted as XOSC* without comparing cbBuffer to the size of XOSC here;
// any length check would have to live inside CreateXOSCBuffer -- confirm.
- EXTERN_C DWORD ExecuteSpoofedSupervisorChallenge(DWORD dwTaskParam1, BYTE* pbDaeTableName, DWORD cbDaeTableName, BYTE* pBuffer, DWORD cbBuffer) {
- return CreateXOSCBuffer(dwTaskParam1, pbDaeTableName, cbDaeTableName, (XOSC*)pBuffer, cbBuffer);
- }
// Function-pointer type with six parameters (buffer, size, salt pointer, three 64-bit values) returning DWORD.
// SpoofXamChallenge uses it for the address returned by ResolveFunction("xboxkrnl.exe", 607).
- typedef DWORD(*XEKEYSEXECUTE)(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8);
// DoRandomData: reads 0x80 bytes from address 0x0000000200010040 into `hvRandomData` via HvPeekBytes.
// Returns ERROR_SUCCESS when HvPeekBytes returns 0, otherwise E_FAIL.
// NOTE(review): `hvRandomData` is declared elsewhere and is distinct from the `RandomData` array in this listing.
// NOTE(review): both call sites in SpoofXamChallenge discard the return value, so a failed read goes unnoticed.
- HRESULT DoRandomData() {
- return HvPeekBytes(0x0000000200010040, hvRandomData, 0x80) == 0 ? ERROR_SUCCESS : E_FAIL;
- }
// SpoofXamChallenge: runs the challenge payload in pBuffer through XeKeysExecute, then overwrites fixed
// offsets of pBuffer with stored or constant values, sends a request through SendCommand, and writes the
// resulting buffer to a file.
//   pBuffer    - challenge buffer; modified in place and also viewed as SERVER_CHAL_RESPONCE (offset 0)
//                and XAM_CHAL_RESP (offset 0x20).
//   dwFileSize - passed to XeKeysExecute and CWriteFile; never compared against any offset used below.
//   Salt       - 16 bytes are copied into chalRequest.Salt; also fed to the SHA state in the offline branch.
//   Input2..4  - forwarded unchanged to XeKeysExecute.
// Returns 0 on every visible path; two failure paths call HalReturnToFirmware first.
// NOTE(review): every write uses a hard-coded offset (up to pBuffer + 0x30000 + 0xFFC in the offline branch,
// 0x100 + 0xF00 in the common path) with no check against dwFileSize.
// NOTE(review): many destination ranges between 0x50 and 0x7F overlap, so the final bytes depend on statement order.
// NOTE(review): the values left at 0x30, 0x50, 0x70 and 0xF8 are constants from this file and do not depend on Salt;
// a verifier that binds these fields to a fresh per-challenge value would see identical output across challenges.
// Host artefacts visible in this function: reads of "HDD:\\HV.bin" and "HDD:\\CACHE.bin", a write of
// "HDD:\\HVChallengeDump.bin", and the UI string "OGStealth - aSync Spoofed".
- QWORD SpoofXamChallenge(BYTE* pBuffer, DWORD dwFileSize, BYTE* Salt, QWORD Input2, QWORD Input3, QWORD Input4) {
- // Make sure we are even good to go first
// NOTE(review): unbounded spin; there is no timeout or failure path if XBLSInitialized never becomes true.
- while (!XBLSInitialized) { Sleep(1); }
// NOTE(review): this call precedes the local `XeKeysExecute` declared inside the isOffline branch, so it must bind to a
// declaration outside this listing; the arguments are cast to PVOID here but to UINT64 in the later call.
- XeKeysExecute((BYTE*)pBuffer, (DWORD)dwFileSize, MmGetPhysicalAddress(Salt), (PVOID)Input2, (PVOID)Input3, (PVOID)Input4);
// NOTE(review): `status` is never read or written in this function.
- DWORD status;
// NOTE(review): chalRequest is not zero-initialised and only five members are assigned below, yet the whole struct
// (sizeof(SERVER_CHAL_REQUEST)) is passed to SendCommand; any other members or padding carry uninitialised stack bytes.
- SERVER_CHAL_REQUEST chalRequest;
- SERVER_CHAL_RESPONCE* pChalResponce = (SERVER_CHAL_RESPONCE*)pBuffer;
- XAM_CHAL_RESP* resp = (XAM_CHAL_RESP*)(pBuffer + 0x20);
- memcpy(chalRequest.SessionKey, seshKey, 16);
- memcpy(chalRequest.Salt, Salt, 16);
- chalRequest.Crl = crl;
- chalRequest.Fcrt = fcrt;
- chalRequest.Type1Kv = type1KV;
- DbgPrint("Collected Our Xam Responce in Our Xam Challenges");
// The four HvPoke* calls write a constant chosen by `fcrt`, dwUpdateSequence, the HVSF() flag word and 0x10 bytes of
// `cpuKey` to offsets 0x6, 0x14, 0x30 and 0x20; what those offsets are relative to is not visible here.
- HvPokeWORD(0x6, fcrt ? 0xD81E : 0xD83E);
- HvPokeDWORD(0x14, dwUpdateSequence);
- HvPokeDWORD(0x30, HVSF());
- HvPokeBytes(0x20, cpuKey, 0x10);
// NOTE(review): the next two statements are not valid C or C++ as written (`Xam"0x108"` is not an expression, and
// `hModule` / `challenges` are not declared in this listing).
- hModule(0x0000000200010040, HVChallengeDump);
- challenges(0x00000167, Xam"0x108"); // Clean Collected Shit
- DbgPrint("Entering Xam Challenges");
// Offline branch. NOTE(review): it has no `return` or `else`, so control falls through to SendCommand and the
// duplicated overwrite sequence after the closing brace.
- if (isOffline) {
- DbgPrint("Spoofing challenges offline!");
// Resolves export ordinal 607 of xboxkrnl.exe and calls it on the same buffer a second time.
// NOTE(review): the ResolveFunction result is not checked before it is called.
- XEKEYSEXECUTE XeKeysExecute = (XEKEYSEXECUTE)ResolveFunction("xboxkrnl.exe", 607);
- BYTE* physSalt = (BYTE*)MmGetPhysicalAddress(Salt);
- XeKeysExecute((BYTE*)pBuffer, (DWORD)dwFileSize, physSalt, (UINT64)Input2, (UINT64)Input3, (UINT64)Input4);
- extern BOOL RunningFromUSB;
- //MemoryBuffer mbCpu;
- //CReadFile(RunningFromUSB ? "Usb:\\HV.bin" : "Hdd:\\HV.bin", mbCpu);
- //PBYTE mbHv = mbCpu.GetData();
// NOTE(review): neither CReadFile result is checked, and the loaded sizes are never compared with the offsets
// used below (CACHE is read up to 0xC00 + 0x400). `HV` is loaded but not used again in this function.
- MemoryBuffer mbHV;
- CReadFile("HDD:\\HV.bin", mbHV);
- PBYTE HV = mbHV.GetData();
- MemoryBuffer mbCACHE;
- CReadFile("HDD:\\CACHE.bin", mbCACHE);
- PBYTE CACHE = mbCACHE.GetData();
- //XeKeysExecute(pBuffer, (WORD)((((DWORD)MmGetPhysicalAddress(Salt) + 0x400) & 0xFFFF0000) >> 16);
- BYTE ECCSalt[0x02];
- HvPeekBytes(0x800002000001F810, ECCSalt, 0x02);
// First SHA pass: two bytes read by HvPeekBytes, then fixed slices of pBuffer and of the CACHE.bin file contents.
- XECRYPT_SHA_STATE sha;
- XeCryptShaInit(&sha);
- XeCryptShaUpdate(&sha, ECCSalt, 0x02);
- XeCryptShaUpdate(&sha, pBuffer + 0x34, 0x0C);
- XeCryptShaUpdate(&sha, pBuffer + 0x40, 0x30);
- XeCryptShaUpdate(&sha, pBuffer + 0x70, 0x04);
- XeCryptShaUpdate(&sha, pBuffer + 0x78, 0x08);
- XeCryptShaUpdate(&sha, CACHE + 0x02, 0x3FE);
- XeCryptShaUpdate(&sha, pBuffer + 0x100C0, 0x40);
- XeCryptShaUpdate(&sha, pBuffer + 0x10350, 0x30);
- XeCryptShaUpdate(&sha, CACHE + 0x40E, 0x176);
- XeCryptShaUpdate(&sha, pBuffer + 0x16100, 0x40);
- XeCryptShaUpdate(&sha, pBuffer + 0x16D20, 0x60);
- XeCryptShaUpdate(&sha, CACHE + 0x5B6, 0x24A);
- XeCryptShaUpdate(&sha, CACHE + 0x800, 0x400);
- XeCryptShaUpdate(&sha, CACHE + 0xC00, 0x400);
// NOTE(review): this digest lands at pBuffer + 0x50 and is overwritten a few lines later by the constant ECCHash.
- XeCryptShaFinal(&sha, pBuffer + 0x50, 0x14);
// NOTE(review): the second pass continues on `sha` after Final with no XeCryptShaInit; whether the state is
// well-defined at this point is not visible here -- confirm against the API.
- XeCryptShaUpdate(&sha, Salt, 0x10);
- XeCryptShaUpdate(&sha, pBuffer + 0x34, 0x40);
- XeCryptShaUpdate(&sha, pBuffer + 0x78, 0xF88);
- XeCryptShaUpdate(&sha, pBuffer + 0x100C0, 0x40);
- XeCryptShaUpdate(&sha, pBuffer + 0x10350, 0xDF0);
- XeCryptShaUpdate(&sha, pBuffer + 0x16D20, 0x2E0);
- XeCryptShaUpdate(&sha, pBuffer + 0x20000, 0xFFC);
- XeCryptShaUpdate(&sha, pBuffer + 0x30000, 0xFFC);
// NOTE(review): this digest covers 0xEC..0xFF; bytes 0xF8..0xF9 of it are then overwritten twice below.
- XeCryptShaFinal(&sha, pBuffer + 0xEC, 0x14);
- pChalResponce->Status = 0;
- *(short*)(pBuffer + 0xF8) = (WORD)((((DWORD)MmGetPhysicalAddress(pBuffer) + 0x400) & 0xFFFF0000) >> 16);
- memcpy(resp->bRandomData, hvRandomData, 0x80);
// Overlapping writes: 0x70..0x7F, then 0x68..0x7B, 0x65..0x78, 0x50..0x63, 0x64..0x77. Each later copy clobbers part
// of an earlier one, so only the last writer of each byte survives.
- (memcpy(pBuffer + 0x70, SecCleanHash, 0x10));
- memcpy(pBuffer + 0x68, eccAR, 0x14);
- memcpy(pBuffer + 0x65, Membo, 0x14);
- memcpy(pBuffer + 0x50, ECCHash, 0x14);
- memcpy(pBuffer + 0x64, cpuKeyDigest, 0x14);
- HvPeekBytes(0x0000000200010040, pBuffer + 0x78, 0x80);
// Writes a digest of the 0x10-byte cpuKey over pBuffer + 0x64, replacing the cpuKeyDigest copy just above.
- XeCryptSha(cpuKey, 0x10, NULL, NULL, NULL, NULL, pBuffer + 0x64, XECRYPT_SHA_DIGEST_SIZE);
// NOTE(review): return value discarded; hvRandomData was already copied out above, before this refresh.
- DoRandomData(); //Get Random Data from Current HV
// NOTE(review): this local HVEXADDR shadows the file-scope array of the same name and value.
- BYTE Flags[2] = { 0x07, 0x60 };
- BYTE HVEXADDR[2] = { 0x01, 0xB5 };
- memset(pBuffer + 0x100, 0, 0xF00);//Clear all random junk from buffer
- memcpy(pBuffer + 0x2E, pBuffer + 0x30, 2); //Copy our BLDR Flags from Original Postion @ 0x30, to 0x2E
- memcpy(pBuffer + 0x30, Flags, 2);//Copy Correct Flags for 0x30 (Static)
- memcpy(pBuffer + 0x78, hvRandomData, 0x80);//Copy Correct HV Random Data
- memcpy(pBuffer + 0xF8, HVEXADDR, 2); //Copy our HVEXAddress (Static for now, how da fuq do they even check that)
// Side effect on global state: HVSF() reads `crl`, so later flag words include 0x10000.
- crl = TRUE;
- DbgPrint("Xam Challenges Passed and Online");
- if (!didnotify) {
- didnotify = true;
- //xNotify(xamNotify);
- XNotifyUI(L"OGStealth - aSync Spoofed");
- }
// Persists the whole modified buffer (dwFileSize bytes) to storage; the result is not checked.
- CWriteFile("HDD:\\HVChallengeDump.bin", pBuffer, dwFileSize);
- }
// Reached in both modes. The response is written into pChalResponce, i.e. over the start of pBuffer.
- if (SendCommand(XSTL_SERVER_COMMAND_ID_GET_CHAL_RESPONCE, &chalRequest, sizeof(SERVER_CHAL_REQUEST), pChalResponce, sizeof(SERVER_CHAL_RESPONCE)) != ERROR_SUCCESS) {
- DbgPrint("- SendCommand Failed");
- HalReturnToFirmware(HalFatalErrorRebootRoutine);
- return 0;
- }
// NOTE(review): the condition tests Status, but the log text talks about a size mismatch; the message is misleading.
- if (pChalResponce->Status != XSTL_STATUS_SUCCESS && pChalResponce->Status != XSTL_STATUS_STEALTHED) {
- DbgPrint("Size of Xam Challenge did not match ours, Shutting down console!");
- HalReturnToFirmware(HalFatalErrorRebootRoutine);
- return 0;
- }
// From here to the end is a copy of the overwrite sequence inside the offline branch; the only differences are
// the eccAR destination (0x51 here, 0x68 there) and the parenthesised memcpy. In offline mode both copies run.
- pChalResponce->Status = 0;
- *(short*)(pBuffer + 0xF8) = (WORD)((((DWORD)MmGetPhysicalAddress(pBuffer) + 0x400) & 0xFFFF0000) >> 16);
- memcpy(resp->bRandomData, hvRandomData, 0x80);
- memcpy(pBuffer + 0x70, SecCleanHash, 0x10);
// NOTE(review): 0x51..0x64 is almost entirely overwritten by the ECCHash copy to 0x50 and the digest at 0x64 below.
- memcpy(pBuffer + 0x51, eccAR, 0x14);
- memcpy(pBuffer + 0x65, Membo, 0x14);
- memcpy(pBuffer + 0x50, ECCHash, 0x14);
- memcpy(pBuffer + 0x64, cpuKeyDigest, 0x14);
- HvPeekBytes(0x0000000200010040, pBuffer + 0x78, 0x80);
- XeCryptSha(cpuKey, 0x10, NULL, NULL, NULL, NULL, pBuffer + 0x64, XECRYPT_SHA_DIGEST_SIZE);
- DoRandomData(); //Get Random Data from Current HV
// NOTE(review): this local HVEXADDR shadows the file-scope array of the same name and value.
- BYTE Flags[2] = { 0x07, 0x60 };
- BYTE HVEXADDR[2] = { 0x01, 0xB5 };
- memset(pBuffer + 0x100, 0, 0xF00);//Clear all random junk from buffer
- memcpy(pBuffer + 0x2E, pBuffer + 0x30, 2); //Copy our BLDR Flags from Original Postion @ 0x30, to 0x2E
- memcpy(pBuffer + 0x30, Flags, 2);//Copy Correct Flags for 0x30 (Static)
- memcpy(pBuffer + 0x78, hvRandomData, 0x80);//Copy Correct HV Random Data
- memcpy(pBuffer + 0xF8, HVEXADDR, 2); //Copy our HVEXAddress (Static for now, how da fuq do they even check that)
- crl = TRUE;
- DbgPrint("Xam Challenges Passed and Online");
- if (!didnotify) {
- didnotify = true;
- //xNotify(xamNotify);
- XNotifyUI(L"OGStealth - aSync Spoofed");
- }
- CWriteFile("HDD:\\HVChallengeDump.bin", pBuffer, dwFileSize);
- return 0;
- }