CB Code: Difference between revisions

imported>TEIR1plus2
(Created page with "=Dump CB= <syntaxhighlight lang="c"> // BLKey = 1BL Key // Hvx methods are meant to be proxies to read HV memory from user mode. #define SPACE_NAND 0x80000200C8000000ULL voi...")
 
imported>TEIR1plus2
Line 1: Line 1:
=Dump CB=
=Dump CB=


<syntaxhighlight lang="c">
<code>
// BLKey = 1BL Key
// BLKey = 1BL Key
// Hvx methods are meant to be proxies to read HV memory from user mode.
// Hvx methods are meant to be proxies to read HV memory from user mode.
Line 68: Line 68:
XPhysicalFree(cbb);
XPhysicalFree(cbb);
}
}
</syntaxhighlight>
</code>
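Review bot: Swapping `<syntaxhighlight lang="c">` for `<code>` (and the matching closing tag at the end of this hunk) drops the pre-formatted rendering of the listing: `<code>` is an inline element, so the newlines collapse and lines starting with `#` are parsed as wiki list markup. The rendered revision below shows the effect — `#define SPACE_NAND` appears as `1. define SPACE_NAND …` and each function is run onto a single line. Keep `<syntaxhighlight lang="c">` (or at minimum `<pre>`) so the C is shown verbatim.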

Revision as of 06:48, 21 October 2017

Dump CB

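// BLKey = 1BL Key
// Hvx methods are meant to be proxies to read HV memory from user mode.
// Base address every Hvx peek below is relative to (the name suggests the NAND
// mapping). The code reads the CB offset from the 32-bit value at SPACE_NAND + 8.
#define SPACE_NAND 0x80000200C8000000ULL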

// Derives the 16-byte CB_A key into Keybuf.
// The key is HMAC-SHA keyed with the 1BL key (BLKey) over the 16-byte salt stored
// at CB_A+0x10; the two remaining input slots of XeCryptHmacSha are left empty.
// Keybuf must have room for 0x10 bytes.
void getCB_AKey(PBYTE Keybuf) {
    // The 32-bit value at SPACE_NAND+8 is used as the CB_A offset from SPACE_NAND.
    const QWORD cbaOffset = Hvx::HvPeekDWORD(SPACE_NAND + 8);
    const QWORD cbaAddress = SPACE_NAND + cbaOffset;

    BYTE salt[0x10];
    Hvx::HvPeekBytes(cbaAddress + 0x10, salt, 0x10);
    XeCryptHmacSha(BLKey, 0x10, salt, 0x10, 0, 0, 0, 0, Keybuf, 0x10);
}

// Derives the 16-byte CB_B key into Keybuf.
// The key is HMAC-SHA keyed with the CB_A key (getCB_AKey) over two inputs: the
// 16-byte salt at CB_B+0x10 and the CPU key (getCPUKey); the third input slot is
// left empty. Keybuf must have room for 0x10 bytes.
void getCB_BKey(PBYTE Keybuf) {
    // CB_A starts at the offset stored at SPACE_NAND+8 and carries its size at +0xC
    // (DumpCB_A reads the same field). CB_B is apparently expected to follow CB_A,
    // 16-byte aligned.
    const DWORD cbaOffset = Hvx::HvPeekDWORD(SPACE_NAND + 8);
    const DWORD cbaSize = Hvx::HvPeekDWORD(SPACE_NAND + cbaOffset + 0xC);
    // NOTE(review): the parentheses spell out the original precedence — `+` binds
    // tighter than `&`, so the mask rounds the *whole sum* down to 16, not just the
    // size. That equals cbaOffset + roundup16(cbaSize) only when cbaOffset is itself
    // 16-aligned; confirm that always holds for the images this runs against.
    const DWORD cbbOffset = (cbaOffset + (cbaSize + 0xF)) & 0xFFFFFFF0;
    const QWORD cbbAddress = SPACE_NAND + cbbOffset;

    BYTE salt[0x10];
    BYTE cbaKey[0x10];
    BYTE cpuKey[0x10];
    getCB_AKey(cbaKey);
    getCPUKey(cpuKey);
    Hvx::HvPeekBytes(cbbAddress + 0x10, salt, 0x10);
    XeCryptHmacSha(cbaKey, 0x10, salt, 0x10, cpuKey, 0x10, 0, 0, Keybuf, 0x10);
}

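// Dumps CB_A: writes the raw copy to Hdd:\cb_enc.bin, then RC4-decrypts everything
// after the first 0x20 bytes under the CB_A key (getCB_AKey) and writes the result
// to Hdd:\cb_dec.bin. Bytes 0..0x1F are written unchanged in both files.
// Aborts (with a DbgOut message) if the size field is smaller than the 0x20-byte
// header or the physical allocation fails.
void DumpCB_A() {
    DbgOut("Dumping CB_A....\n");
    // CB_A offset lives at SPACE_NAND+8, its size at CB_A+0xC.
    QWORD cbAddy = SPACE_NAND + Hvx::HvPeekDWORD(SPACE_NAND + 8);
    DWORD size = Hvx::HvPeekDWORD(cbAddy + 0xC);
    printf("cbAddy: %016llX\nSize: %X\n", cbAddy, size);

    // `size` is read from the image being dumped. The decrypt below skips 0x20 bytes,
    // so a smaller value would underflow `size - 0x20` (DWORD) and run past the buffer.
    if (size < 0x20) {
        DbgOut("CB_A: size smaller than the 0x20-byte header, aborting\n");
        return;
    }

    PBYTE cb = (PBYTE)XPhysicalAlloc(size, MAXULONG_PTR, NULL, PAGE_READWRITE);
    if (cb == NULL) {
        DbgOut("CB_A: XPhysicalAlloc returned NULL, aborting\n");
        return;
    }
    Hvx::HvPeekBytes(cbAddy, cb, size);
    CWriteFile("Hdd:\\cb_enc.bin", cb, size);

    BYTE rc4key[0x10];
    getCB_AKey(rc4key);
    XECRYPT_RC4_STATE rc4;
    XeCryptRc4Key(&rc4, rc4key, 0x10);
    // Only the payload after the 0x20-byte header is decrypted, in place.
    XeCryptRc4Ecb(&rc4, cb + 0x20, size - 0x20);
    CWriteFile("Hdd:\\cb_dec.bin", cb, size);
    XPhysicalFree(cb);
}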

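// Dumps CB_B: writes the raw copy to Hdd:\cbb_enc.bin, then RC4-decrypts everything
// after the first 0x20 bytes under the CB_B key (getCB_BKey) and writes the result
// to Hdd:\cbb_dec.bin. Bytes 0..0x1F are written unchanged in both files.
// Aborts (with a DbgOut message) if the size field is smaller than the 0x20-byte
// header or the physical allocation fails.
void DumpCB_B() {
    DbgOut("Dumping CB_B....\n");
    // CB_B follows CB_A: CB_A offset at SPACE_NAND+8, CB_A size at +0xC, rounded to 16.
    // The parentheses keep the original precedence (same expression as getCB_BKey):
    // the mask is applied to the whole sum, which only equals offset + roundup16(size)
    // when the CB_A offset is itself 16-aligned.
    DWORD cbOffs = Hvx::HvPeekDWORD(SPACE_NAND + 8);
    DWORD cbbOffs = (cbOffs + (Hvx::HvPeekDWORD(SPACE_NAND + cbOffs + 0xC) + 0xF)) & 0xFFFFFFF0;
    QWORD cbbAddy = SPACE_NAND + cbbOffs;
    DWORD size = Hvx::HvPeekDWORD(cbbAddy + 0xC);
    printf("cbbOffs: 0x%08X\ncbbAddy: 0x%016llX\nSize: 0x%X\n", cbbOffs, cbbAddy, size);

    // `size` is read from the image being dumped. The decrypt below skips 0x20 bytes,
    // so a smaller value would underflow `size - 0x20` (DWORD) and run past the buffer.
    if (size < 0x20) {
        DbgOut("CB_B: size smaller than the 0x20-byte header, aborting\n");
        return;
    }

    PBYTE cbb = (PBYTE)XPhysicalAlloc(size, MAXULONG_PTR, NULL, PAGE_READWRITE);
    if (cbb == NULL) {
        DbgOut("CB_B: XPhysicalAlloc returned NULL, aborting\n");
        return;
    }
    Hvx::HvPeekBytes(cbbAddy, cbb, size);
    CWriteFile("Hdd:\\cbb_enc.bin", cbb, size);

    BYTE cbbKey[0x10];
    getCB_BKey(cbbKey);
    XECRYPT_RC4_STATE rc4;
    XeCryptRc4Key(&rc4, cbbKey, 0x10);
    // Only the payload after the 0x20-byte header is decrypted, in place.
    XeCryptRc4Ecb(&rc4, cbb + 0x20, size - 0x20);
    CWriteFile("Hdd:\\cbb_dec.bin", cbb, size);
    XPhysicalFree(cbb);
}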