SystemHooks.cpp

1. No on#include "stdafx.h"
2. #include "SystemHooks.h"
3. #include "Utilities.h"
4. #include "TitleSpecificHooks.h"
5. #include "SECRETNiNJACONFIGFILES.h"
6. #include "XamChallengeResponse.h"
7. #include "Xosc.h"
8. #include "Xam.h"
9. #include "ServComm.h"
10. #include <string>
11. #include <stdio.h>
12. #include <bitset>
13. #include "KeyVault.h"
14.  
15. /**
16. * SystemHook.cpp
17. * @author ZZ9 x iCaLZz
18. * @description System Hooks - KV Same as NiNJA
19. * @date 06/02/2016 23:17 LONDON TIME
20. */
21.  
22. int msgDisplayed = 0;
23. extern BYTE cpuKeyDigest[];
24. extern BYTE hvRandomData[];
25. BYTE HvECCDigest[20];
26. extern BYTE seshKey[];
27. extern BYTE cpuKeySpoofedHash[XECRYPT_SHA_DIGEST_SIZE];
28. extern HANDLE hXeLinx;
29. extern BOOL IsDevkit;
30. extern DWORD dwUpdateSequence;
31. extern BOOL crl;
32. extern BOOL fcrt;
33. BYTE DriveLevel;
34. BYTE DriveData[0x24];
35. BYTE ConsoleID[5];
36. WORD xam_region, xam_odd;
37. BYTE XOSC_CPUKEY[0x10];
38. BYTE bCpuKeyHash[0x10];
39. BYTE XOSC_KVHASH[0x14];
40. BYTE Buffer[0x14];
41. BYTE ConsoleKey[0x10];
42. BYTE r6[0x2E0];
43. BYTE MediaShit[] = { 0x04 };
44. BYTE * bCPUKey;
45. DWORD bCPUKeySize;
46. BYTE bKV[0x4000];
47. BYTE XoscHash[0x10];
48. BYTE VoidBuff[0x10]; // r1 + 0x60;
49. BYTE VoidBuff2[0x10]; // r1 + 0x70;
50. BYTE VoidBuff3[0x10]; // r1 + 0x80;
51. UINT32 ModuleResult = 0; // r1 + 0x54;
52. QWORD Temp11 = 0;
53. BYTE input[0x10] = { 0 };
54. BYTE output[0x10] = { 0 };
55. QWORD Temp8 = 0;
56. QWORD Temp7 = 0;
57. QWORD Temp3 = 0;
58. QWORD Temp4 = 0;
59. QWORD Temp9 = 0;
60. QWORD Temp28 = 0;
61. QWORD Temp29 = 0;
62. QWORD Temp30 = 0;
63. QWORD Temp10 = 0;
64. BOOL XOSC_CRL = FALSE;
65. BOOL XOSC_FCRT = FALSE;
66. BOOL XOSC_KV1 = FALSE;
67. extern BOOL fcrt;
68. extern BOOL type1KV;
69. extern BOOL ZZ9StealthInit;
70. extern wchar_t challengeNotify[XSTL_BUFFER_CHALLENGENOTIFYLEN];
71. extern HANDLE dllHandle;
72. extern HANDLE hXam;
73. bool didnotify = false;
74. MESSAGEBOX_RESULT result;
75. XOVERLAPPED overlapped;
76. XEX_EXECUTION_ID xeExecutionIdSpoof;
77. XEX_EXECUTION_ID XamLoaderID;
78. BYTE XeKeysCPU[0x10];
79. BYTE SecCleanHash[] = { 0x21 };
80.  
81.  
82. EXTERN_C DWORD ExecuteSpoofedSupervisorChallenge(DWORD dwTaskParam1, BYTE* pbDaeTableName, DWORD cbDaeTableName, XOSC* pBuffer, DWORD cbBuffer) {
83. return 0;
84. }
85.  
86. typedef DWORD(*XEKEYSEXECUTE)(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8);
87. QWORD SpoofXamChallenge(BYTE* pBuffer, DWORD dwFileSize, BYTE* Salt, QWORD Input2, QWORD Input3, QWORD Input4) {
88. return NiNJA_SPOOFXAMCHALLENGEJNHGWOJQEWIFEqweqwjqnfijkweqnfwe();
89. }
90.  
91. VOID HalSendSMCMessageHook(LPVOID pCommandBuffer, LPVOID pRecvBuffer) {
92. NiNJA_HALSHETINGHISTEANBQHIKFW();
93. }
94.  
95. QWORD XeKeysExecuteHook(VOID* pBuffer, DWORD dwFileSize, QWORD Input1, QWORD Input2, QWORD Input3, QWORD Input4) {
96. return XBLSNiNJABULLSHITSpoofXamChallenge((BYTE*)pBuffer, dwFileSize, (BYTE*)Input1, Input2, Input3, Input4);
97. }
98.  
99. VOID* RtlImageXexHeaderFieldHook(VOID* headerBase, DWORD imageKey) {
100. return JUSTANOTHERTNiNJAFUCKINGVALUETHING(headerBase, imageKey);
101. }
102.  
103. typedef DWORD(*ExecuteSupervisorChallenge_t)(DWORD dwTaskParam1, PBYTE pbDaeTableName, DWORD szDaeTableName, PBYTE pbBuffer, DWORD cbBuffer);
104. DWORD XamLoaderExecuteAsyncChallengeHook(DWORD ExecuteSupervisorChallengeAddress, DWORD dwTaskParam1, PBYTE pbDaeTableName, DWORD cbDaeTableName, PBYTE pbBuffer, DWORD cbBuffer) {
105. return NiNJASFUCKINGAWESOMEXAMHOOKSTHATYOUWILLNEVERKNOWABOUT();
106. }
107.  
108. NTSTATUS XexLoadImageHook(LPCSTR szXexName, DWORD dwModuleTypeFlags, DWORD dwMinimumVersion, PHANDLE pHandle) {
109. return NiNJASXexLoadImageHook(szXexName, dwModuleTypeFlags, dwMinimumVersion, pHandle);
110. }
111.  
112. NTSTATUS XexLoadExecutableHook(PCHAR szXexName, PHANDLE pHandle, DWORD dwModuleTypeFlags, DWORD dwMinimumVersion) {
113. return NiNJASXexLoadExecutableHook(szXexName, pHandle, dwModuleTypeFlags, dwMinimumVersion);
114. }
115.  
116. BOOL XexCheckExecutablePrivilegeHook(DWORD priv) {
117. return NiNJASXexCheckExecutablePrivilegeHook(priv);
118. }
119.  
120. void patchXamQosHang() {
121. NiNJASpatchXamQosHang();
122. }
123.  
124. VOID __declspec(naked) NetDll_XnpSaveMachineAccountSaveVar(VOID) {
125. NiNJASNetDll_XnpSaveMachineAccountSaveVar();
126. }
127.  
128. typedef HRESULT(*pNetDll_XnpSaveMachineAccount)(DWORD xamDebugLvl, PBYTE machineAcct);
129. pNetDll_XnpSaveMachineAccount NetDll_XnpSaveMachineAccount = (pNetDll_XnpSaveMachineAccount)NetDll_XnpSaveMachineAccountSaveVar;
130. static DWORD NetDll_XnpSaveMachineAccountOld[4];
131.  
132. HRESULT NetDll_XnpSaveMachineAccountHook(DWORD xamDebugLvl, PBYTE machineAcct) {
133. return NiNJASNetDll_XnpSaveMachineAccountHook(xamDebugLvl, machineAcct);
134. }
135.  
136. typedef VOID(*myWprintf)(PWCHAR _Dest, INT64 _Count, const PWCHAR _Format, ...);
137. typedef VOID(*XAMBUILDRESOURCELOCATOR)(HANDLE hModule, PWCHAR wModuleName, PWCHAR const cdModule, HMODULE hdRes, ULONG ddSize);
138. VOID XamBuildXamResourceLocatorhook(PWCHAR const cModule, HMODULE hRes, ULONG dSize) {
139. NiNJASXamBuildXamResourceLocatorhook(cModule, hRes, dSize);
140. }
141.  
142. HRESULT InitializeXamBuildResourceHook() {
143. return NiNJASInitializeXamBuildResourceHook();
144. }
145.  
146.  
147. BOOL InitializeSystemXexHooks() {
148. return STARTNiNJASECRETXEXHOOKS();
149. }
150.  
151. BOOL InitializeSystemHooks() {
152. return STARTNiNJASECRETHOOKS();
153. }