toads

f

Apr 18th, 2016
  1.  
  2.  
  3. //RANDOM STUFF WITHIN SYS HOOKS
  4.  
  5. //Cx000000
  6.  
  7.  
  8.  
  9. //my research, totally not finished
  10.  
  // PowerPC fragment from the author's notes. No function name or calling
  // context is given, so what r11 and r31 point at cannot be told from here.
  // Net effect of the visible instructions: read a value at r11-0x7988, replace
  // it with 1 if it compares equal to zero, store it at r31+0x198, then copy the
  // word at r11-0x78FC to r31+0x160 and return.
  // NOTE(review): "1d" is not a PowerPC mnemonic; presumably "ld" (load
  // doubleword) with the letter l typed as the digit 1 - confirm. If so, the
  // load is 64-bit while cmplwi tests only the low 32 bits of r9.
  11. {
  12. 1d r9, -0x7988(r11)    // load from r11-0x7988 into r9 (see note on "1d")
  13. cmplwi cr6, r9, 0      // unsigned 32-bit compare of r9 with 0, result in cr6
  14. bne cr6, loc_abc       // non-zero: keep the loaded value
  15. li r9, 1               // zero: substitute the constant 1
  16. loc_abc:
  17. std r9, 0x198(r31)     // store the (possibly substituted) value as a doubleword at r31+0x198
  18. lwz r9, -0x78FC(r11)   // load a 32-bit word from r11-0x78FC, zero-extended
  19. std r9, 0x160(r31)     // store it as a doubleword at r31+0x160
  20. blr                    // return to the caller via the link register
  21. }
  // NOTE(review): the brace below has no matching opening brace in this paste;
  // the enclosing construct was presumably not copied.
  22. }
  23.  
  // XeKeysExecuteHook: by its name and the "SYS HOOKS" header of this paste, a
  // replacement for the XeKeysExecute call. How the hook is installed is not shown.
  // What the visible body does:
  //   - loads two files from the hard disk (HV.bin, Cache.bin) into MemoryBuffer
  //     objects and takes raw pointers to their contents;
  //   - writes four header fields through HvPoke* helpers (defined elsewhere);
  //   - reads 0x80 bytes into a local array that is not used afterwards.
  // NOTE(review): none of the six parameters is read in the visible body, cHv and
  // pbCache are never used, and a function declared DWORD has no return statement,
  // so the paste shows setup only, not a complete response.
  // NOTE(review): the first read call is unterminated and the second spells the
  // helper differently, so the listing does not compile as pasted.
  // NOTE(review): the results of both reads are ignored; GetData() is called
  // whether or not the file was actually loaded.
  // Security relevance: every value written below comes from a constant, a saved
  // file or an identifier defined outside this listing, not from a measurement
  // taken at call time. If HvPoke* write into hypervisor memory as their names
  // suggest, a check that reads these fields back sees what the hook placed there.
  24. DWORD XeKeysExecuteHook(PBYTE pBuffer, DWORD cbBuffer, BYTE * pbSalt, PXBOX_KRNL_VERSION pKernelVersion, PVOID r7, PVOID r8)
  25. {
  26. MemoryBuffer mbHv;
  27. CReadFile("Hdd:\\XBLS\\HV.bin", mbHv_;
  28. PBYTE cHv = mbHv.GetData();
  29.  
  30. MemoryBuffer mbCache;
  31. CReadfile("Hdd:\\XBLS\\Cache.bin", mbCache);
  32. PBYTE pbCache = mbCache.GetData();
  33.  
  34.  
  35.  
  36. // HV Header
  37. HvPokeWORD(0x6, hasFcrt ? 0xD81E : 0xD83E);    // 16-bit field at 0x6: one of two fixed constants, chosen by hasFcrt
  38. HvPokeDWORD(0x14, updateSequence);    // 32-bit field at 0x14, taken from updateSequence (defined outside this listing)
  39. HvPokeDWORD(0x30, HVSF());    // 32-bit field at 0x30: status value assembled by HVSF() further down
  40. HvPokeBytes(0x20, keyVaultCpuKey, 0x10);    // 0x10 bytes at 0x20, copied from keyVaultCpuKey
  41.  
  42. //Keep dem hax
  43. BYTE hvData[0x80];
  44. HvPeekBytes(0x0000000200010040, hvData, 0x80);    // reads 0x80 bytes from this address into hvData; hvData is not used again
  45. }
  46.  
  47.  
  48. ////////////////////////////////////////////////////////////////////////////////
  49.  
  50.  
  51.  
  52. //my research, totally not finished
  // MERGER: overlays a 4-byte array and a DWORD on the same storage, so one
  // value can be viewed either as individual bytes or as a single number.
  // Which byte1[] index holds the most significant byte depends on the byte
  // order of the target.
  // NOTE(review): not referenced anywhere else in this listing.
  53. union MERGER
  54. {
  55. BYTE byte1[4];
  56. DWORD num1;
  57.  
  58. };
  59.  
  // HVSF: assembles the 32-bit status value that XeKeysExecuteHook writes at
  // header offset 0x30. It starts from the fixed constant 0x023289D3, sets bit
  // 0x10000 when cr1 == 1 and sets bit 0x1000000 when hasFcrt == 1.
  // cr1 and hasFcrt are not declared in this listing.
  // NOTE(review): does not compile as pasted (unterminated declaration, and the
  // variable name is written with hyphens on the cr1 line).
  // NOTE(review): hasFcrt is tested for truthiness in XeKeysExecuteHook but for
  // equality with 1 here, so any other non-zero value would be treated
  // differently in the two places.
  60. DWORD HVSF() {
  61. DWORD HV_STATUS_FLAG = 0x023289D3
  62. HV-STATUS_FLAG = (cr1 == 1) ? (HV_STATUS-FLAG | 0x10000) : HV_STATUS_FLAG;
  63. HV_STATUS_FLAG = (hasFcrt == 1) ? (HV_STATUS_FLAG | 0x1000000) : HV_STATUS_FLAG; //will finish this bit, I have it planned out.
  64. return HV_STATUS_FLAG;
  65. }
  66.  
  67.  
  // EncryptChallenge: reads a challenge blob from USB or hard disk (chosen by
  // RunningFromUSB), copies fileSize bytes of it into a physical allocation,
  // derives a 0x10-byte RC4 key by running the XeCrypt HMAC-SHA helper with a
  // fixed key over the 0x10 bytes at offset 0x10 of the blob, and RC4-processes
  // everything from offset 0x20 onward in place. It then opens an output file.
  // The paste ends before anything is written, closed or returned.
  // pBuffer is not used in the visible body.
  // NOTE(review): does not compile as pasted (misspelled type and flag names,
  // '-' where '=' is expected, an unterminated if statement).
  // NOTE(review): fileSize comes from the caller, not from the file that was
  // read. memcpy copies fileSize bytes out of mbChal without comparing against
  // the amount actually loaded, so a shorter file means an out-of-bounds read.
  // NOTE(review): DWORD is unsigned, so fileSize - 0x20 wraps to a very large
  // count when fileSize < 0x20; the HMAC input at offset 0x10 needs the same
  // minimum length. No lower bound is checked.
  // NOTE(review): neither XPhysicalAlloc result is checked before use, and
  // neither allocation is freed or cleared in the visible code, so the derived
  // RC4 key stays in memory.
  // NOTE(review): the 16-byte HMAC key is a literal in the source, described by
  // the author as taken from the hypervisor. A key shared by every unit and
  // recoverable from firmware protects nothing once it has been extracted.
  // HMAC is used here only to derive the RC4 key; nothing visible authenticates
  // the processed data.
  68. BOOL EncryptChallenge(BTYE * pBuffer, DWORD fileSize)
  69. {
  70. DBGPRINT("Encrypting XeKeysExecute Challenge Data/n");    // "/n" is a slash followed by n, not a newline escape
  71. XECRYPT_RC4_STATE rc4;
  72. MemoryBuffer mbChal;
  73. BYTE* decChalData - (BYTE*)XPhysicalAlloc(fileSize, MAXULONG_PTR, 0, PAGE_READWRIRE);
  74. if (!CReadFile(RunningFromUSB ? "Usb:\\Zenith\\XeKeysExecute_Custom_Challenge.bin" : "Hdd:\\Zenith\\XeKeysExecute_Custom_Challenge.bin",mbChal // add more plez
  75. PBYTE data = mbChal.GetData();
  76. memcpy(decChalData, data, fileSize);    // length is the caller's fileSize, not the size of the loaded file
  77. BYTE* rc4Key = (BYTE*)XPhysicalAlloc(0x10, MAXULONG_PTR, 0, PAGE_READWRITE);
  78. BYTE key[0x10] - (0xDD, 0x88, 0xAD, 0x0C, 0x9E, 0xD6, 0x69, 0xE7, 0xB5, 0x67, 0x94, 0xFB, 0x68, 0x56, 0x3E, 0xFA); // found in hypervisor (HV)
  79. XeCryptHmcSha((BYTE*)key, 0x10, decChalData + 0x10, 0x10, 0, 0, 0, 0, rc4Key, 0x10);    // fixed key over bytes 0x10..0x1F of the blob -> 0x10-byte rc4Key
  80. XeCryptRc4Key(&rc4, rc4Key, 0x10);
  81. XeCryptRc4Ecb(&rc4, decChalData + 0x20, fileSize - 0x20);    // in-place RC4 over the rest; the first 0x20 bytes are left as they were
  82. HANDLE hFile;
  83. DWORD size;
  84. hFile = CreateFile("Hdd:\\Zenith\\XeKeysExecute_chalData_enc.bin",GENERIC_WRITE,
  85. FILE_SHARP_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
  // NOTE(review): hFile is not checked, written to or closed, "size" is unused,
  // and a function declared BOOL reaches its closing brace without a return.
  86.  
  87.  
  88.  
  89. }