Dwack

RGH Retail Profile Fix

Feb 14th, 2012
// A DLL is loaded to apply the hook to XAM's call into the kernel.
//    *Could probably edit dashboard.xbx(?) to launch the DLL and then return to xshell*
// The call is branched to the custom function below.
// Loads both Dev and Retail profiles.
// RC4 stream-cipher state in the layout expected by the xboxkrnl XeCryptRc4*
// routines resolved below: the 256-byte permutation table plus the two
// stream indices. Must match the kernel's own layout byte for byte, since the
// kernel writes into it through XeCryptRc4Key / XeCryptRc4Ecb.
typedef struct {
    BYTE                S[256]; // permutation table (the RC4 "S-box")
    BYTE                i,j;    // RC4 keystream indices
} XECRYPT_RC4_STATE;
// xboxkrnl.exe export ordinal 597. Signature reconstructed from the call site:
// (flag, input, input size, output, &output size); returns 1 on success.
typedef DWORD (*XEKEYSUNOBFUSCATE)(DWORD r3, BYTE* r4, DWORD r5, BYTE* r6, DWORD* r7);
// xboxkrnl.exe export ordinal 386. HMAC-SHA over up to three concatenated
// inputs (pass 0/NULL and 0 for unused ones); output is truncated to cbOut.
typedef void (*XECRYPTHMACSHA)(const BYTE * pbKey, DWORD cbKey, const BYTE * pbInp1, DWORD cbInp1, const BYTE * pbInp2, DWORD cbInp2, const BYTE * pbInp3, DWORD cbInp3, BYTE * pbOut, DWORD cbOut);
// xboxkrnl.exe export ordinal 395: key schedule into an XECRYPT_RC4_STATE.
typedef void  (*XECRYPTRC4KEY)(XECRYPT_RC4_STATE * pRc4State, const BYTE * pbKey, DWORD cbKey);
// xboxkrnl.exe export ordinal 396: in-place RC4 over pbInpOut, continuing the
// keystream held in pRc4State (so successive calls form one stream).
typedef void  (*XECRYPTRC4ECB)(XECRYPT_RC4_STATE * pRc4State, BYTE * pbInpOut, DWORD cbInpOut);
// Address of XAM's call to XeKeysUnObfuscate. Specific to the Dev 14699 XAM
// build; it must be re-found for any other build (the hookImpStub route below
// avoids this address entirely).
#define PATCH_LOC_XEKEYSUNOBFUSCATE (0x81CBD5CC) // XAM call to XeKeysUnObfuscate Dev 14699
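DWORD XeKeysUnObfuscateHook(DWORD r3, BYTE* r4, DWORD r5, BYTE* r6, DWORD* r7)
{
    /*
        Replacement for XAM's call into xboxkrnl.exe ordinal 597 (XeKeysUnObfuscate).

        r3 - flag. From the author's tests profiles are loaded with r3 == 1;
             any other value is passed straight through to the kernel.
        r4 - obfuscated input: 0x10-byte stored HMAC, 8-byte confounder, payload
        r5 - size of r4 in bytes
        r6 - output buffer, receives the decrypted payload
        r7 - receives the payload size (r5 - 0x18)

        Strategy: let the kernel try with its own key first; if it rejects the
        data, re-run the same scheme with the hard-coded retail key so retail
        profiles load on a dev kernel.

        Returns 1 on success and 0 on failure. 1 mirrors the `ret == 1` success
        test applied to the kernel call below; the kernel's exact failure value
        is not confirmed here, 0 is simply "not 1".
    */
    XEKEYSUNOBFUSCATE XeKeysUnObfuscate = (XEKEYSUNOBFUSCATE)resolveFunct("xboxkrnl.exe", 597);

    if (r3 != 1)
        return XeKeysUnObfuscate(r3, r4, r5, r6, r7);

    // First attempt: the key the running kernel was built with.
    DWORD ret = XeKeysUnObfuscate(r3, r4, r5, r6, r7);
    if (ret == 1)
        return ret;

    // Kernel rejected it: retry with the retail key.
    // The header is hash(0x10) + confounder(8). Anything shorter cannot be a
    // profile, and without this check r5 - 0x18 wraps to a huge memcpy length
    // and memcpy(hash, r4, 0x18) reads past the input.
    if (r5 < 0x18)
        return 0;

    XECRYPTHMACSHA XeCryptHmacSha = (XECRYPTHMACSHA)resolveFunct("xboxkrnl.exe", 386);
    XECRYPTRC4KEY XeCryptRc4Key = (XECRYPTRC4KEY)resolveFunct("xboxkrnl.exe", 395);
    XECRYPTRC4ECB XeCryptRc4Ecb = (XECRYPTRC4ECB)resolveFunct("xboxkrnl.exe", 396);
    XECRYPT_RC4_STATE rc4State;
    BYTE HmacShaKey[0x10] = {0xE1, 0xBC, 0x15, 0x9C, 0x73, 0xB1, 0xEA, 0xE9, 0xAB, 0x31, 0x70, 0xF3, 0xAD, 0x47, 0xEB, 0xF3}; //retail key
    //BYTE HmacShaKey[0x10] = {0xDA, 0xB6, 0x9A, 0xD9, 0x8E, 0x28, 0x76, 0x4F, 0x97, 0x7E, 0xE2, 0x48, 0x7E, 0x4F, 0x3F, 0x68}; //devkit key
    BYTE hash[0x18];     // [0,0x10) stored HMAC, [0x10,0x18) encrypted confounder
    BYTE newHash[0x10];  // HMAC recomputed over the decrypted data
    BYTE rc4Key[0x10];
    DWORD payloadLen = r5 - 0x18;

    memcpy(hash, r4, 0x18);
    *r7 = payloadLen;
    memcpy(r6, r4 + 0x18, payloadLen);

    // RC4 key = HMAC-SHA(key, stored hash), truncated to 0x10 bytes.
    XeCryptHmacSha(HmacShaKey, 0x10, hash, 0x10, 0, 0, 0, 0, rc4Key, 0x10);
    XeCryptRc4Key(&rc4State, rc4Key, 0x10);

    // Confounder and payload are one continuous RC4 stream: decrypt the
    // 8-byte confounder first, then the payload with the same state.
    XeCryptRc4Ecb(&rc4State, hash + 0x10, 0x8);
    // NOTE(review): the original decrypted only payloadLen - 0x18 bytes here
    // while the HMAC below covers all payloadLen bytes, and XeKeysObfuscateHook
    // in this file encrypts confounder + payload as one stream. The shorter
    // length leaves the tail encrypted and cannot verify; decrypt the whole
    // payload. Confirm against a real retail profile.
    XeCryptRc4Ecb(&rc4State, r6, payloadLen);

    // Verify: HMAC-SHA(key, confounder || payload) must equal the stored hash.
    XeCryptHmacSha(HmacShaKey, 0x10, hash + 0x10, 8, r6, payloadLen, 0, 0, newHash, 0x10);

    // The original returned memcmp's raw result on mismatch; memcmp may legally
    // return exactly 1, which the caller reads as success. Report 0 instead.
    // memcmp is not a constant-time compare; it matches the original check and
    // the key is a fixed constant in this file, so that is left as is.
    if (memcmp(hash, newHash, 0x10) != 0)
        return 0;
    return 1;
}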
  62. // Un-tested
// xboxkrnl.exe export ordinal 596. Same shape as XEKEYSUNOBFUSCATE:
// (flag, input, input size, output, &output size).
typedef DWORD (*XEKEYSOBFUSCATE)(DWORD r3, BYTE* r4, DWORD r5, BYTE* r6, DWORD* r7);
// xboxkrnl.exe export ordinal 394: fills pb with cb random bytes.
typedef void (*XECRYPTRANDOM)(BYTE * pb, DWORD cb);
// xboxkrnl.exe export ordinal 397: one-shot in-place RC4 (key schedule and
// stream in a single call, no caller-held state).
typedef void (*XECRYPTRC4)(const BYTE * pbKey, DWORD cbKey, BYTE * pbInpOut, DWORD cbInpOut);
// Address of XAM's call to XeKeysObfuscate. Specific to the Dev 14699 XAM
// build; must be re-found for any other build.
#define PATCH_LOC_XEKEYSOBFUSCATE (0x81CBD5BC) // XAM call to XeKeysObfuscate Dev 14699
  67.  
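DWORD XeKeysObfuscateHook(DWORD r3, BYTE* r4, DWORD r5, BYTE* r6, DWORD* r7)
{
    /*
        Replacement for XAM's call into xboxkrnl.exe ordinal 596 (XeKeysObfuscate).
        Marked un-tested by the author.

        r3 - flag; r3 == 1 is the profile path handled here, anything else is
             passed straight through to the kernel
        r4 - plaintext input
        r5 - size of r4 in bytes
        r6 - output buffer; must hold r5 + 0x18 bytes (caller's responsibility,
             not checkable from here)
        r7 - receives the output size (r5 + 0x18)

        Output layout written to r6:
            [0x00, 0x10)  HMAC-SHA(key, confounder || plaintext), truncated
            [0x10, 0x18)  8 random bytes (confounder)
            [0x18, end)   plaintext
        then [0x10, end) is RC4-encrypted under HMAC-SHA(key, stored hash)[0:0x10].
        This is the inverse of the retail retry path in XeKeysUnObfuscateHook.

        Returns 1 on success, 0 if r5 is too large to add the header.
        NOTE(review): the original returned 0 on its handled path, but the
        UnObfuscate path in this file treats 1 as the kernel's success value
        for the paired call; confirm the kernel's XeKeysObfuscate return
        convention before relying on either value.
    */
    XEKEYSOBFUSCATE XeKeysObfuscate = (XEKEYSOBFUSCATE)resolveFunct("xboxkrnl.exe", 596);

    if (r3 != 1)
        return XeKeysObfuscate(r3, r4, r5, r6, r7);

    // r5 + 0x18 must not wrap the 32-bit size; refuse rather than write a
    // header with a bogus length.
    if (r5 > 0xFFFFFFFFu - 0x18)
        return 0;

    BYTE retailKey[0x10] = {0xE1, 0xBC, 0x15, 0x9C, 0x73, 0xB1, 0xEA, 0xE9, 0xAB, 0x31, 0x70, 0xF3, 0xAD, 0x47, 0xEB, 0xF3}; //retail key
    DWORD bodyLen = r5 + 8; // confounder + plaintext: the region that is HMAC'd and then RC4'd

    // Plaintext goes after the 0x10-byte hash slot and the 8-byte confounder.
    memcpy(r6 + 0x18, r4, r5);
    *r7 = r5 + 0x18;

    // Fresh random confounder at 0x10.
    XECRYPTRANDOM XeCryptRandom = (XECRYPTRANDOM)resolveFunct("xboxkrnl.exe", 394);
    XeCryptRandom(r6 + 0x10, 8);

    // Stored hash = HMAC-SHA(key, confounder || plaintext), truncated to 0x10 bytes.
    XECRYPTHMACSHA XeCryptHmacSha = (XECRYPTHMACSHA)resolveFunct("xboxkrnl.exe", 386);
    XeCryptHmacSha(retailKey, 0x10, r6 + 0x10, bodyLen, 0, 0, 0, 0, r6, 0x10);

    // RC4 key = HMAC-SHA(key, stored hash), truncated to 0x10 bytes.
    BYTE rc4Key[0x10];
    XeCryptHmacSha(retailKey, 0x10, r6, 0x10, 0, 0, 0, 0, rc4Key, 0x10);

    // Encrypt confounder + plaintext as one stream.
    XECRYPTRC4 XeCryptRc4 = (XECRYPTRC4)resolveFunct("xboxkrnl.exe", 397);
    XeCryptRc4(rc4Key, 0x10, r6 + 0x10, bodyLen);

    return 1;
}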
// Preferred approach: hook XAM's import stubs for the two kernel ordinals. This needs no XAM-specific address, so it should never need updating.
// hookImpStub is found in the DashLaunch source.
// Redirect XAM's imports of xboxkrnl.exe ordinals 597 (XeKeysUnObfuscate) and
// 596 (XeKeysObfuscate) to the hooks above. The hooks resolve the real kernel
// exports with resolveFunct, so they do not re-enter themselves through the
// patched stub (assumed from the ordinal lookup; verify with DashLaunch's
// resolveFunct). Use this pair OR the patchInJump pair below, not both.
hookImpStub("xam.xex", "xboxkrnl.exe", 597, (DWORD)XeKeysUnObfuscateHook);
hookImpStub("xam.xex", "xboxkrnl.exe", 596, (DWORD)XeKeysObfuscateHook);
 
// Alternative approach (use one method or the other, not both): patch a jump at the two XAM call sites.
// The PATCH_LOC_* addresses above are specific to the Dev 14699 XAM build and must be re-found for any other build. patchInJump is also found in the DashLaunch source.
// Patch a jump to the hooks directly at XAM's call sites. Both addresses are
// for the Dev 14699 XAM build (see the PATCH_LOC_* defines); on any other
// build they point at unrelated code and would corrupt it. Use this pair OR
// the hookImpStub pair above, not both.
patchInJump((PDWORD)PATCH_LOC_XEKEYSUNOBFUSCATE, (DWORD)XeKeysUnObfuscateHook, false);
patchInJump((PDWORD)PATCH_LOC_XEKEYSOBFUSCATE, (DWORD)XeKeysObfuscateHook, false);
  106.  
  107. // credit [c0z] for hook code