realizzazione siti internet ed e-commerce mugello

Risultati da 1 a 2 di 2
Like Tree1Likes
  • 1 Post By DrSchottky

Discussione: [X360 Reversing] Chapter 4: Kernel patches

  1. #1
    Moderatore L'avatar di DrSchottky
    Data Registrazione
    Sep 2014
    Messaggi
    151
    Post Thanks / Like

    [X360 Reversing] Chapter 4: Kernel patches


    << Previuos Chapter <<

    Chapter 4: Kernel Patches


    Ok, things start to get interesting. I originally planned to write a single thread for HV + Kernel pacthes, but i realized that there would be too many things to write, making the thread chaotic.
    In this chapter i'll try to understand and explain Kernel pacthes that, in brief, remove XEXs' security measures and (some) DVD drive checks.

    How can we split HV and Kernel? Take your CE+CG (decompressed, decrypted etc etc):

    HV: begin - 0x3FFFF (the first 256KB)
    Kernel: 0x40000 - end

    Patches mainly spoofs value returned by functions, so i'll not go into details.

    This is the patchset for Kernel 16574


    Patch #1
    00 07 B1 50 00 00 00 02 38 60 00 00 4E 80 00 20

    Forces XexpConvertError to return 0, whatever r3's value is.


    Patch #2
    00 07 BC E8 00 00 00 01 38 60 00 01

    Replace XexpVerifyMediaType call with li r3, 1, allowing XEX booting from any media.


    Patch #3
    00 07 BD F8 00 00 00 01 38 60 00 00

    Replace RtlImageXexHeaderString call with li r3, 0.


    Patch #4
    00 07 BE 60 00 00 00 01 39 60 00 00


    li r11, 0


    Patch #5
    00 07 BE B0 00 00 00 01 39 60 00 00


    li r11, 0


    Patch #6
    00 07 A7 38 00 00 00 02 38 60 00 00 4E 80 00 20

    XexpVerifyMinimumVersion returns immediatly 0.


    Patch #7
    00 09 44 28 00 00 00 01 3A E0 00 10


    Modifies the value of a register in SfcxInspectLargeDataBlock. Maybe something related to flash layout(dunno).


    Patch #8
    00 09 8D 80 00 00 00 01 2B 0B 00 FF

    In SataCdRomAuthenticationExInitialize compares r11 with FF instead of 1, altering branch path.


    Patch #9
    00 09 87 64 00 00 00 05 38 60 00 00 60 00 00 00 60 00 00 00 60 00 00 00 60 00 00 00

    Removes E66 from SataCdRomActivateHCDFRuntimePatch.


    Patches #10,#11...,#20

    They all do the same thing: after stack frame init they set r3 (0 or 1) and return.
    Target functions are:

    XeKeysVerifyRSASignature
    XeKeysSecurityConvertError
    XeKeysDvdAuthExConvertError
    _XeKeysRevokeIsValid
    XeKeysRevokeIsRevoked
    _XeKeysRevokeIsRevoked
    XeKeysRevokeIsDeviceRevoked
    XeKeysRevokeConvertError
    XeKeysConsoleSignatureVerification (for this one the patch is a little different, but nevermind)
    XeCryptBnQwBeSigVerify
    SataDiskAuthenticateDevice



    Patch #21

    It's a payload placed into the almost "dead" body of SataDiskAuthenticateDevice. This code will be called by subsequent patches.


    Patch #22
    00 06 13 D0 00 00 00 01 48 0F 8F 01
    After XAM init branches to the first chunk of the payload which loads launch.xex


    Patch #23
    00 07 CF 68 00 00 00 01 48 0D D3 A5

    XexLoadExecutable is patched to bl to the second chunk of the payload. TBH i don't know what kind of black magic it does.


    Patch #24
    00 10 9C 78 00 00 00 01 48 05 06 BC

    XeKeysGetKeyProperties is a wrapper for HvxKeysGetKeyProperties.
    It branches to the third chunk of our payload (instead of HvxKeysGetKeyProperties) and, if function's argument is equal to 0x14 it does the same black magic of Patch #23 (keeps reading data at 0x12345678 until it's 0, dunno why).
    Ultima modifica di DrSchottky; 26-10-2015 alle 17:52
    Pa0l0ne likes this.

  2. Thanks zeruel85 Ha ringraziato per questo post
  3. #2
    Moderatore L'avatar di DrSchottky
    Data Registrazione
    Sep 2014
    Messaggi
    151
    Post Thanks / Like
    Published

Tag per Questa Discussione

Segnalibri

Permessi di Scrittura

  • Tu non puoi inviare nuove discussioni
  • Tu non puoi inviare risposte
  • Tu non puoi inviare allegati
  • Tu non puoi modificare i tuoi messaggi
  •