CB Code

Revision as of 06:49, 21 October 2017 by imported>TEIR1plus2 (→‎Dump CB)

Dump CB

// BLKey = 1BL Key (used below as the HMAC key for CB_A; its declaration is not part of this listing)
// Hvx methods are meant to be proxies to read HV memory from user mode.
// Base address the NAND image is reached through from the HV proxies; every bootloader header
// offset below is added to it. NOTE(review): taken as-is from the original page -- confirm it
// matches the target kernel/HV before relying on the dumps.
#define SPACE_NAND 0x80000200C8000000ULL

// Derives the RC4 key that unwraps CB_A.
// The CB_A header is at SPACE_NAND + <DWORD stored at NAND+8>; bytes 0x10..0x1F of that
// header are the salt. XeCryptHmacSha is keyed with BLKey over the salt alone (the two
// trailing (ptr, len) message segments are unused) and writes 0x10 bytes into Keybuf.
// Keybuf must point at >= 0x10 writable bytes owned by the caller.
void getCB_AKey(PBYTE Keybuf)
{
	const DWORD cbOffset = Hvx::HvPeekDWORD(SPACE_NAND + 8);
	const QWORD cbHeader = SPACE_NAND + cbOffset;

	BYTE salt[0x10];
	Hvx::HvPeekBytes(cbHeader + 0x10, salt, sizeof(salt));

	// Single-segment HMAC: message = salt only.
	XeCryptHmacSha(BLKey, 0x10, salt, sizeof(salt), 0, 0, 0, 0, Keybuf, 0x10);
}

// Derives the RC4 key that unwraps CB_B.
// CB_B follows CB_A in NAND: its header starts at the CB_A offset plus CB_A's size
// (header DWORD at +0xC) rounded up to 16.
// NOTE(review): `+` binds tighter than `&`, so the 0xFFFFFFF0 mask is applied to the whole
// sum rather than just to the rounded size. The result is identical whenever the CB_A offset
// is itself 16-aligned; the expression is kept as in the original so it agrees with DumpCB_B.
// Key = XeCryptHmacSha keyed with the CB_A key over (CB_B salt || CPU key); 0x10 bytes are
// written into Keybuf. Because the CPU key is mixed in, this key is specific to one console.
// Keybuf must point at >= 0x10 writable bytes owned by the caller.
void getCB_BKey(PBYTE Keybuf)
{
	const DWORD cbaOffset = Hvx::HvPeekDWORD(SPACE_NAND + 8);
	const DWORD cbaSize = Hvx::HvPeekDWORD(SPACE_NAND + cbaOffset + 0xC);
	const DWORD cbbOffset = cbaOffset + (cbaSize + 0xF) & 0xFFFFFFF0;   // precedence: see note above
	const QWORD cbbHeader = SPACE_NAND + cbbOffset;

	BYTE cbaKey[0x10];
	getCB_AKey(cbaKey);

	BYTE cpuKey[0x10];
	getCPUKey(cpuKey);

	BYTE salt[0x10];
	Hvx::HvPeekBytes(cbbHeader + 0x10, salt, sizeof(salt));

	// Two-segment HMAC: message = salt || CPU key.
	XeCryptHmacSha(cbaKey, 0x10, salt, sizeof(salt), cpuKey, 0x10, 0, 0, Keybuf, 0x10);
}

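// Dumps CB_A from NAND to Hdd:\cb_enc.bin (as stored) and Hdd:\cb_dec.bin (RC4-decrypted).
// Layout relied on here: the CB_A header starts at SPACE_NAND + <DWORD at NAND+8>; its size
// is the DWORD at +0xC; the first 0x20 bytes (header, including the 0x10-byte salt at +0x10)
// stay in the clear and the RC4 stream covers everything from +0x20 on.
// Fixes over the original: a failed XPhysicalAlloc is no longer dereferenced, and a header
// size below 0x20 (which would underflow `size - 0x20` and hand RC4 a ~4 GiB length) is
// rejected up front.
// NOTE(review): `size` is trusted from the NAND header and has no upper bound, so a corrupt
// header still drives the allocation size; CWriteFile results are not checked.
void DumpCB_A()
{
	DbgOut("Dumping CB_A....\n");
	const QWORD cbAddy = SPACE_NAND + Hvx::HvPeekDWORD(SPACE_NAND + 8);
	const DWORD size = Hvx::HvPeekDWORD(cbAddy + 0xC);
	printf("cbAddy: %016llX\nSize: %X\n", cbAddy, size);

	// The decrypt below skips the 0x20-byte header, so anything shorter cannot be a CB image.
	if (size < 0x20) {
		DbgOut("CB_A header reports an implausible size, aborting\n");
		return;
	}

	PBYTE cb = (PBYTE)XPhysicalAlloc(size, MAXULONG_PTR, NULL, PAGE_READWRITE);
	if (cb == NULL) {
		DbgOut("XPhysicalAlloc failed for CB_A, aborting\n");
		return;
	}

	Hvx::HvPeekBytes(cbAddy, cb, size);
	CWriteFile("Hdd:\\cb_enc.bin", cb, size);

	// Per-image key (see getCB_AKey); the header is left as-is, only the body is decrypted.
	BYTE rc4key[0x10];
	getCB_AKey(rc4key);
	XECRYPT_RC4_STATE rc4;
	XeCryptRc4Key(&rc4, rc4key, 0x10);
	XeCryptRc4Ecb(&rc4, cb + 0x20, size - 0x20);
	CWriteFile("Hdd:\\cb_dec.bin", cb, size);

	XPhysicalFree(cb);
}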

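// Dumps CB_B from NAND to Hdd:\cbb_enc.bin (as stored) and Hdd:\cbb_dec.bin (RC4-decrypted).
// CB_B sits right after CB_A: offset = CB_A offset + CB_A size (header DWORD at +0xC) rounded
// up to 16. NOTE(review): `+` binds tighter than `&`, so the 0xFFFFFFF0 mask is applied to
// the whole sum rather than just the rounded size; the result is the same whenever the CB_A
// offset is 16-aligned, and the expression is kept as in the original so it agrees with
// getCB_BKey on the CB_B address.
// Same layout as CB_A: 0x20-byte plaintext header (salt at +0x10), RC4 body from +0x20,
// keyed per getCB_BKey (which mixes in the CPU key, so the key is console-specific).
// Fixes over the original: a failed XPhysicalAlloc is no longer dereferenced, and a header
// size below 0x20 (which would underflow `size - 0x20`) is rejected up front.
// NOTE(review): `size` is trusted from the NAND header with no upper bound; CWriteFile
// results are not checked.
void DumpCB_B()
{
	DbgOut("Dumping CB_B....\n");
	const DWORD cbOffs = Hvx::HvPeekDWORD(SPACE_NAND + 8);
	const DWORD cbbOffs = cbOffs + (Hvx::HvPeekDWORD(SPACE_NAND + cbOffs + 0xC) + 0xF) & 0xFFFFFFF0;   // precedence: see note above
	const QWORD cbbAddy = SPACE_NAND + cbbOffs;
	const DWORD size = Hvx::HvPeekDWORD(cbbAddy + 0xC);
	printf("cbbOffs: 0x%08X\ncbbAddy: 0x%016llX\nSize: 0x%X\n", cbbOffs, cbbAddy, size);

	// The decrypt below skips the 0x20-byte header, so anything shorter cannot be a CB image.
	if (size < 0x20) {
		DbgOut("CB_B header reports an implausible size, aborting\n");
		return;
	}

	PBYTE cbb = (PBYTE)XPhysicalAlloc(size, MAXULONG_PTR, NULL, PAGE_READWRITE);
	if (cbb == NULL) {
		DbgOut("XPhysicalAlloc failed for CB_B, aborting\n");
		return;
	}

	Hvx::HvPeekBytes(cbbAddy, cbb, size);
	CWriteFile("Hdd:\\cbb_enc.bin", cbb, size);

	// Console-bound key (see getCB_BKey); the header is left as-is, only the body is decrypted.
	BYTE cbbKey[0x10];
	getCB_BKey(cbbKey);
	XECRYPT_RC4_STATE rc4;
	XeCryptRc4Key(&rc4, cbbKey, 0x10);
	XeCryptRc4Ecb(&rc4, cbb + 0x20, size - 0x20);
	CWriteFile("Hdd:\\cbb_dec.bin", cbb, size);

	XPhysicalFree(cbb);
}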