// Layout of the challenge-response record that XeKeysExecuteHook (later in this
// paste) locates at pvPhyBuffer + 0x20. The trailing comments are the author's
// byte offsets. They agree with each other only if XECRYPT_SHA_DIGEST_SIZE is
// 0x14 and the struct is packed without padding; by those offsets the record
// ends at 0xE0 (0xDA + 6).
// NOTE(review): the packing directive that the closing `#pragma pack()` resets is
// not part of this paste, and neither are BYTE/WORD/DWORD/QWORD or
// XECRYPT_SHA_DIGEST_SIZE - confirm against the full file.
- typedef struct _XAM_CHAL_RESP {
- BYTE bReserved1[8]; //0x0
- WORD wHvMagic; //0x8
- WORD wHvVersion; //0xA
- WORD wHvQfe; //0xC
- WORD wBldrFlags; //0xE
- DWORD dwBaseKernelVersion; //0x10
- DWORD dwUpdateSequence; //0x14
- DWORD dwHvKeysStatusFlags; //0x18
- DWORD dwConsoleTypeSeqAllow; //0x1C
- QWORD qwRTOC; //0x20
- QWORD qwHRMOR; //0x28
- BYTE bHvECCDigest[XECRYPT_SHA_DIGEST_SIZE]; //0x30
- BYTE bCpuKeyDigest[XECRYPT_SHA_DIGEST_SIZE]; //0x44
- BYTE bRandomData[0x80]; //0x58
- WORD hvExAddr; //0xD8 (author: bits 16-32 of hvex executing addr; the field is 2 bytes wide per the offsets, so presumably bits 16-31 - confirm)
- BYTE bHvDigest[0x6]; //0xDA (last 6 bytes of first hv hash)
- } XAM_CHAL_RESP, *PXAM_CHAL_RESP;
// Restores the default packing; the matching directive that changed it is outside this paste.
- #pragma pack()
// Small helper class declaring two operations on challenge-response data; both
// member functions are defined out of line below.
// NOTE(review): `cache` is not read or written by either member function in this
// paste, and it is declared with lowercase `byte` while the rest of the file
// uses `BYTE` - presumably both are typedefs from a project header; confirm.
- class ecc {
- public:
- void cleanEccDigest();
- void dumpCacheLines(BYTE * pCacheFile);
- private: byte cache[0x4000];
- };
// Allocates a scratch XAM_CHAL_RESP, calls XeCryptHmacSha over its two digest
// fields, and frees it again.
// NOTE(review): as written this changes no caller-visible state. The struct is
// allocated here, never filled in, and released before returning, so every read
// below is of indeterminate heap bytes (undefined behaviour) and the HMAC result
// is discarded together with the allocation.
- void ecc::cleanEccDigest() {
// malloc's result is not checked for NULL and the memory is not initialised.
// `sizeof XAM_CHAL_RESP` applies sizeof to a type name without parentheses,
// which standard C++ rejects; it builds only where the compiler allows it as
// an extension.
- PXAM_CHAL_RESP response = (PXAM_CHAL_RESP)malloc(sizeof XAM_CHAL_RESP);
- for (int i = 0; i < XECRYPT_SHA_DIGEST_SIZE; i++) {
// Expression statement: the chained `!=` comparison is evaluated and its result
// thrown away; nothing is assigned.
- (response->bHvECCDigest[i] != (((response->qwHRMOR))) != (response->bCpuKeyDigest[i] ^ 0xE14) + XECRYPT_SHA_DIGEST_SIZE);
// Expression statement: the sum is computed and discarded; bCpuKeyDigest[i] is
// not modified.
- response->bCpuKeyDigest[i] + -(DWORD)0x8E03AA50;
- }
// bHvECCDigest is passed both as the first buffer and as the output buffer.
// NOTE(review): XeCryptHmacSha is declared outside this paste; the argument
// order looks like (key, keyLen, three optional input buffers with lengths,
// out, outLen) - confirm against its declaration.
- XeCryptHmacSha(response->bHvECCDigest, XECRYPT_SHA_DIGEST_SIZE, response->bCpuKeyDigest, XECRYPT_SHA_DIGEST_SIZE, 0, 0, 0, 0, response->bHvECCDigest, XECRYPT_SHA_DIGEST_SIZE);
- free(response);
- }
// Opens the file named by pCacheFile, reads from it into the same pCacheFile
// buffer, rewrites bytes in that buffer, and writes the buffer back to the
// stream.
//
// pCacheFile: used both as a NUL-terminated path string and as the I/O buffer,
// so the read overwrites the file name it was opened with.
//
// NOTE(review): memory-safety and I/O defects visible in this block:
//  - "rw" is not a mode string defined by the C standard for fopen.
//  - The fopen result is never checked; a NULL stream is passed to fread/fwrite.
//  - The stream is never closed, so the handle leaks and buffered output may
//    never be flushed.
//  - Neither transfer is bounded by the size of the caller's buffer (see the
//    notes on fread and fwrite below).
- void ecc::dumpCacheLines(BYTE* pCacheFile) {
- FILE* file = fopen((char*)pCacheFile, "rw");
// fread(ptr, itemSize, itemCount, stream): item size is strlen(path), item
// count is 0x4000, so up to strlen(path) * 0x4000 bytes can be stored. The only
// caller in this paste passes a 0x4000-byte buffer, which overflows as soon as
// the path is longer than one character. The return value is a count of whole
// items, not bytes.
- size_t size = fread(pCacheFile, strlen((char*)pCacheFile), 0x4000, file);
// Walks i from `size` down to 1: index `size` itself is written (one past the
// last item index, i.e. offset 0x4000 when all 0x4000 items were read) and
// index 0 is never touched. size_t is narrowed to int here.
- for (int i = size; i != 0; i--) {
- pCacheFile[i] = 0;
// Compares the loop index with XEKEY_ROAMABLE_OBFUSCATION_KEY, which is defined
// outside this paste. The byte was zeroed on the line above, so the XOR operates
// on 0; 0xECB does not fit in one byte, so assuming BYTE is an 8-bit unsigned
// type the stored value is truncated to 0xCB and then becomes 0xCF.
- if (i == XEKEY_ROAMABLE_OBFUSCATION_KEY) {
- pCacheFile[i] = pCacheFile[i] ^ 0xECB;
- pCacheFile[i] = pCacheFile[i] + 4;
- }
- }
// Requests 0x4000 items of 0x4000 bytes each (0x10000000 bytes) from a buffer
// that the caller in this paste sizes at 0x4000 bytes - a read far past the end
// of the buffer.
- fwrite(pCacheFile, 0x4000, 0x4000, file);
- }
// Wrapper with the same six parameters as XeKeysExecute. It runs the two ecc
// helpers, copies data into the buffer area, and then forwards all six
// arguments to XeKeysExecute, returning its result.
//
// NOTE(review): from an integrity standpoint this is an interception point on
// the challenge path: the record at pvPhyBuffer + 0x20 is modified before the
// real routine sees it. As written it also corrupts its own stack frame (see
// the first memcpy) and everything after the `return` is dead code.
- DWORD XeKeysExecuteHook(PVOID pvPhyBuffer, DWORD size, PVOID arg1, PVOID arg2, PVOID arg3, PVOID arg4) {
// Pointer arithmetic through a DWORD cast; assumes pointers fit in 32 bits.
- PXAM_CHAL_RESP response = (PXAM_CHAL_RESP)((DWORD)pvPhyBuffer + 0x20);
// Uninitialised 16 KiB stack buffer.
- byte cacheData[0x4000];
// Both calls run on separate temporary ecc objects that are destroyed at the
// end of each statement.
- ecc().cleanEccDigest();
// cacheData is passed as both the file name and the buffer; it is still
// uninitialised here, so strlen/fopen inside the callee read indeterminate bytes.
- ecc().dumpCacheLines(cacheData);
// The destination is the address of the parameter variable itself, not the
// buffer it points to: 0x4000 bytes are copied over a pointer-sized object,
// overrunning the stack frame and clobbering the pointer that is passed on
// below. `response` was computed from the pointer's old value.
- memcpy(&pvPhyBuffer, cacheData, 0x4000);
// Copies 0x14 bytes from offset 0x300 of cacheData into bHvECCDigest; 0x14
// matches the field size only if XECRYPT_SHA_DIGEST_SIZE is 0x14.
- memcpy(&response->bHvECCDigest, cacheData + 0x300, 0x14);
- return XeKeysExecute(pvPhyBuffer, size, arg1, arg2, arg3, arg4);
// Unreachable: the function has already returned, so the store below never
// executes. On PowerPC 0x60000000 is the `nop` encoding, so this reads as an
// in-memory code patch at a hard-coded, build-specific address.
- //xosc spoofing
- *(DWORD*)0x90015CB4 = 0x60000000;
- }