
Untitled

a guest
Feb 12th, 2019
  // Layout of the challenge-response record that the code below reads and
  // overwrites. The trailing comment on each field is its byte offset from the
  // start of the struct. The three arrays at 0x30, 0x44 and 0x58 are 0x14 bytes
  // apart, which implies XECRYPT_SHA_DIGEST_SIZE is 0x14; the last field ends
  // at 0xE0.
  // NOTE(review): the `#pragma pack()` after the struct resets packing to the
  // default, but the directive that changed packing before this struct is not
  // part of the listing, so the effective packing cannot be confirmed here.
  typedef struct _XAM_CHAL_RESP {
      BYTE bReserved1[8]; //0x0
      WORD wHvMagic; //0x8
      WORD wHvVersion; //0xA
      WORD wHvQfe; //0xC
      WORD wBldrFlags; //0xE
      DWORD dwBaseKernelVersion; //0x10
      DWORD dwUpdateSequence; //0x14
      DWORD dwHvKeysStatusFlags; //0x18
      DWORD dwConsoleTypeSeqAllow; //0x1C
      QWORD qwRTOC; //0x20
      QWORD qwHRMOR; //0x28
      BYTE bHvECCDigest[XECRYPT_SHA_DIGEST_SIZE]; //0x30
      BYTE bCpuKeyDigest[XECRYPT_SHA_DIGEST_SIZE]; //0x44
      BYTE bRandomData[0x80]; //0x58
      WORD hvExAddr; //0xD8 (bits 16-32 of hvex executing addr)
      BYTE bHvDigest[0x6]; //0xDA (last 6 bytes of first hv hash)
  } XAM_CHAL_RESP, *PXAM_CHAL_RESP;
  #pragma pack()
  20.  
  // Declares the two routines defined further down, together with a private
  // 0x4000-byte buffer.
  class ecc {
  private:
      // Neither method body in this listing reads or writes this member.
      byte cache[0x4000];

  public:
      void cleanEccDigest();
      void dumpCacheLines(BYTE * pCacheFile);
  };
  27.  
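  // Allocates a scratch XAM_CHAL_RESP, runs XeCryptHmacSha over its two digest
  // fields, and frees the allocation again.
  //
  // Nothing is copied into the ecc object, returned, or written to memory that
  // outlives this call, so the routine has no effect a caller can observe.
  void ecc::cleanEccDigest() {
      // calloc rather than malloc: the HMAC call below reads both digest
      // arrays, and they must not hold indeterminate heap bytes. sizeof applied
      // to a type name needs parentheses in standard C++.
      PXAM_CHAL_RESP response = (PXAM_CHAL_RESP)calloc(1, sizeof(XAM_CHAL_RESP));
      if (!response) {
          return; // allocation failed; there is nothing to release
      }

      // No per-byte work happens before the HMAC call: a loop whose statements
      // only evaluated comparison and addition expressions, and discarded every
      // result, was removed here.

      // bHvECCDigest is passed as the first buffer and again as the output
      // buffer; bCpuKeyDigest is the second buffer; the remaining input slots
      // are empty.
      XeCryptHmacSha(response->bHvECCDigest, XECRYPT_SHA_DIGEST_SIZE,
                     response->bCpuKeyDigest, XECRYPT_SHA_DIGEST_SIZE,
                     0, 0, 0, 0,
                     response->bHvECCDigest, XECRYPT_SHA_DIGEST_SIZE);
      free(response);
  }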
  37.  
  // Opens the file named by pCacheFile, reads from it into that same buffer,
  // overwrites the bytes it walks over, and writes the buffer to the stream.
  // pCacheFile therefore serves first as a NUL-terminated path and then as the
  // data buffer.
  //
  // NOTE(review): this routine is not memory-safe as written and its intended
  // result cannot be recovered from the listing. The individual problems are
  // marked inline.
  void ecc::dumpCacheLines(BYTE* pCacheFile) {
      // NOTE(review): "rw" is not one of the mode strings the C standard
      // defines for fopen, and the returned pointer is used without a NULL
      // check.
      FILE* file = fopen((char*)pCacheFile, "rw");
      // NOTE(review): the element size is strlen(path) and the element count is
      // 0x4000, so up to strlen(path) * 0x4000 bytes can be stored through
      // pCacheFile. The only caller in this listing passes a 0x4000-byte array.
      // fread returns a number of elements, not a number of bytes.
      size_t size = fread(pCacheFile, strlen((char*)pCacheFile), 0x4000, file);
      // Walks i from size down to 1, so index `size` is written and index 0
      // never is. size_t is narrowed to int here.
      for (int i = size; i != 0; i--) {
          pCacheFile[i] = 0;
          // The byte was zeroed on the line above and 0xECB does not fit in one
          // byte, so (assuming BYTE is 8 bits wide) this branch leaves 0xCF at
          // the matching index.
          if (i == XEKEY_ROAMABLE_OBFUSCATION_KEY) {
              pCacheFile[i] = pCacheFile[i] ^ 0xECB;
              pCacheFile[i] = pCacheFile[i] + 4;
          }
      }
      // NOTE(review): requests 0x4000 elements of 0x4000 bytes each
      // (0x10000000 bytes) starting at pCacheFile, far beyond a 0x4000-byte
      // buffer. There is no repositioning call between the read and this write
      // on the same stream, and the stream is never closed.
      fwrite(pCacheFile, 0x4000, 0x4000, file);
  }
  50.  
  // Takes the same argument list it forwards to XeKeysExecute, modifies memory
  // derived from pvPhyBuffer first, and returns XeKeysExecute's result. In
  // other words, it interposes on the call and alters the response record
  // before the genuine routine sees it.
  //
  // NOTE(review): several statements below have undefined behaviour; they are
  // marked inline and left exactly as posted.
  DWORD XeKeysExecuteHook(PVOID pvPhyBuffer, DWORD size, PVOID arg1, PVOID arg2, PVOID arg3, PVOID arg4) {
      // Treats the memory 0x20 bytes into the caller's buffer as a response
      // record. NOTE(review): the pointer is round-tripped through DWORD, which
      // only preserves it where pointers are 32 bits wide.
      PXAM_CHAL_RESP response = (PXAM_CHAL_RESP)((DWORD)pvPhyBuffer + 0x20);
      // Never initialised before it is read below.
      byte cacheData[0x4000];
      // Each call runs on its own temporary ecc object. cleanEccDigest takes no
      // arguments and works on a private allocation, so it cannot change
      // `response` or cacheData.
      ecc().cleanEccDigest();
      // NOTE(review): dumpCacheLines first uses its argument as a file path,
      // and cacheData holds indeterminate bytes at this point.
      ecc().dumpCacheLines(cacheData);

      // NOTE(review): the destination is &pvPhyBuffer, the address of the
      // pointer parameter itself rather than the buffer it points to, so 0x4000
      // bytes are written over this function's own parameter storage and
      // whatever follows it.
      memcpy(&pvPhyBuffer, cacheData, 0x4000);
      // Copies 0x14 bytes from offset 0x300 of cacheData into bHvECCDigest.
      memcpy(&response->bHvECCDigest, cacheData + 0x300, 0x14);

      return XeKeysExecute(pvPhyBuffer, size, arg1, arg2, arg3, arg4);
      // NOTE(review): unreachable. The store below sits after the return and
      // never executes. It would write 0x60000000 (the PowerPC encoding of nop)
      // to the fixed address 0x90015CB4; what lives at that address cannot be
      // determined from this listing.
      //xosc spoofing
      *(DWORD*)0x90015CB4 = 0x60000000;


  }