DOCKY99 Posté(e) le 7 mars 2004 Posté(e) le 7 mars 2004 hop hop :
seg000:00000000 ; File Name   : xboxlive2.bin
seg000:00000000 ; Format      : Binary File
seg000:00000000 ; Base Address: 0000h Range: 0000h - 03D4h Loaded length: 03D4h
seg000:00000000
seg000:00000000 ; ═══════════════════════════════════════════════════════════════════
seg000:00000000
seg000:00000000 ; Reviewer notes on this listing
seg000:00000000 ; Syntax: IDA/MASM Intel, 32-bit (use32), Xbox kernel mode. None of
seg000:00000000 ; the three routines uses a C calling convention: every input is
seg000:00000000 ; passed in registers and every result is appended to an output
seg000:00000000 ; buffer through edi (stosd/stosw/movsd).
seg000:00000000 ; Layout of the 3D4h-byte packet:
seg000:00000000 ;   000h-01Bh  header, redacted by the poster; 002h = packet length
seg000:00000000 ;   01Ch-11Bh  256-byte signature (the poster calls it RSA-2048);
seg000:00000000 ;              per the note at 3D3h it covers the bytes up to 3D3h
seg000:00000000 ;   11Ch       EntryPoint: resolves 3 kernel imports, hashes the
seg000:00000000 ;              kernel and two server-chosen XBE regions, then reads
seg000:00000000 ;              the hard disk's IDENTIFY DEVICE data
seg000:00000000 ;   2A3h       WeirdHash, 318h TEAHash
seg000:00000000 ;   3A6h       data: device name, import table, identify buffer
seg000:00000000 ; All position-dependent values (2A6h, 28Ah, 2B6h) are computed from
seg000:00000000 ; [ebp+0] = EntryPoint, so the code runs wherever the packet lands.
seg000:00000000
seg000:00000000 ; Segment type: Pure code
seg000:00000000 seg000          segment byte public 'CODE' use32
seg000:00000000                 assume cs:seg000
seg000:00000000                 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
seg000:00000000                 db XXh, XXh             ; redacted by the poster (see 0Ch)
seg000:00000002                 dw 3D4h                 ; Length of this packet
seg000:00000004                 db 0
seg000:00000005                 db 0
seg000:00000006                 db 0
seg000:00000007                 db 0
seg000:00000008                 db 0
seg000:00000009                 db 0
seg000:0000000A                 db 0
seg000:0000000B                 db 0
seg000:0000000C                 db 0XXh                 ; These bytes and the ones at
seg000:0000000C                                         ; 00000000 very likely uniquely
seg000:0000000C                                         ; identify the user. Therefore,
seg000:0000000C                                         ; for privacy reasons, we omit
seg000:0000000C                                         ; these bytes.
seg000:0000000D                 db 0XXh
seg000:0000000E                 db 0XXh
seg000:0000000F                 db 0XXh
seg000:00000010                 db 0XXh
seg000:00000011                 db 0XXh
seg000:00000012                 db X                    ; 12-1B are either 00 or 01 only, but
seg000:00000012                                         ; it's still unsafe to show them.
seg000:00000013                 db X
seg000:00000014                 db X
seg000:00000015                 db X
seg000:00000016                 db X
seg000:00000017                 db X
seg000:00000018                 db X
seg000:00000019                 db X
seg000:0000001A                 db X
seg000:0000001B                 db X                    ; RSA-2048 digital signature
seg000:0000001B                                         ; of this code using the
seg000:0000001B                                         ; standard Xbox public key.
seg000:0000001B                                         ; (256 bytes follow: 1Ch-11Bh)
seg000:0000001C DigitalSignature db 4Bh, 0B8h, 0DEh, 0B1h, 2, 0C0h, 0Ah, 99h, 0E1h, 5Dh
seg000:0000001C                 db 0Bh, 31h, 2Bh, 97h, 0C6h, 0A4h, 35h, 74h, 89h, 44h
seg000:0000001C                 db 0F2h, 56h, 4Bh, 15h, 30h, 56h, 2Eh, 9Ah, 67h, 18h, 29h
seg000:0000001C                 db 24h, 30h, 60h, 0F5h, 3Bh, 69h, 0B7h, 97h, 96h, 23h
seg000:0000001C                 db 0DEh, 5Bh, 0F8h, 3, 0F7h, 6, 6Dh, 0FDh, 0C8h, 0CBh
seg000:0000001C                 db 95h, 64h, 5Fh, 0A4h, 0F2h, 44h, 83h, 0A4h, 0B4h, 6
seg000:0000001C                 db 57h, 93h, 7Dh, 25h, 12h, 73h, 54h, 36h, 57h, 0D7h, 4Dh
seg000:0000001C                 db 76h, 10h, 16h, 7Ch, 98h, 76h, 4Dh, 39h, 0DCh, 0E1h
seg000:0000001C                 db 47h, 69h, 52h, 0BEh, 0A4h, 0CDh, 4Dh, 79h, 8Bh, 0BFh
seg000:0000001C                 db 0F1h, 7, 9Ah, 0DCh, 3Fh, 68h, 0FCh, 12h, 0A6h, 0D1h
seg000:0000001C                 db 4Ah, 2Ah, 6Ch, 9Bh, 69h, 9Ch, 42h, 25h, 0A2h, 5Ah, 0DAh
seg000:0000001C                 db 6Eh, 0AEh, 0AAh, 90h, 0EEh, 0FBh, 0D2h, 3Ch, 0E5h, 96h
seg000:0000001C                 db 3Eh, 30h, 0BAh, 7Dh, 0ABh, 0FBh, 0FCh, 2Eh, 78h, 7Dh
seg000:0000001C                 db 0B5h, 46h, 0BBh, 8Eh, 49h, 0C5h, 0D6h, 0CEh, 0BAh, 5
seg000:0000001C                 db 0BFh, 5Fh, 0EAh, 56h, 0D9h, 94h, 0DBh, 8Ch, 4Ch, 4Bh
seg000:0000001C                 db 19h, 8Ch, 0F7h, 10h, 0EAh, 85h, 0C4h, 65h, 33h, 96h
seg000:0000001C                 db 75h, 5Ch, 0EBh, 32h, 0DAh, 0AEh, 69h, 5Fh, 0C2h, 2Fh
seg000:0000001C                 db 0F6h, 79h, 0CAh, 0D2h, 55h, 28h, 51h, 0F9h, 0F8h, 0ABh
seg000:0000001C                 db 0F1h, 0C4h, 8Fh, 88h, 8Eh, 0B7h, 8Fh, 0C8h, 0CEh, 0ADh
seg000:0000001C                 db 19h, 0F4h, 0ABh, 7Bh, 68h, 85h, 0Eh, 8Bh, 4, 44h, 6Ch
seg000:0000001C                 db 8Ah, 0E2h, 36h, 8Fh, 5Dh, 0EFh, 3Dh, 57h, 7Bh, 2Dh
seg000:0000001C                 db 0F6h, 23h, 0C8h, 67h, 0Fh, 72h, 0BBh, 0BAh, 3, 0A8h
seg000:0000001C                 db 11h, 5Bh, 67h, 0D1h, 5Eh, 95h, 0DAh, 5Eh, 0Dh, 4Bh
seg000:0000001C                 db 91h, 0B9h, 34h, 7Ch, 9, 78h, 0CEh, 0E6h, 85h, 33h, 0E9h
seg000:0000001C                 db 99h, 0B7h, 52h, 0F3h, 11h, 0D8h, 82h, 3Fh, 0FDh, 31h
seg000:0000001C                 db 21h
seg000:0000011C
seg000:0000011C ; █████████████ S U B R O U T I N E █████████████████████████████████
seg000:0000011C
seg000:0000011C ; On entry, ebp=EntryPoint. That is important.
seg000:0000011C ; edi=data to be sent to Microsoft
seg000:0000011C ; edx=data received from Microsoft
seg000:0000011C ;
seg000:0000011C ; Note to Microsoft: This routine runs at
seg000:0000011C ; DISPATCH_LEVEL... You should not call the
seg000:0000011C ; Nt* functions from that level.
seg000:0000011C ;
seg000:0000011C ; Register roles:
seg000:0000011C ;   ebp  in : address of EntryPoint; after the push at 135h it is
seg000:0000011C ;             [ebp+0] and is the base for every relative offset
seg000:0000011C ;   edi  in : output cursor; [ebp+4] holds edi-10h (the saved copy is
seg000:0000011C ;             adjusted at 131h), which the seed and WeirdHash reads use
seg000:0000011C ;             -- presumably the challenge header the caller put in the
seg000:0000011C ;             16 bytes before the output area; confirm against the caller
seg000:0000011C ;   edx  in : received data; its first 8 bytes are copied to the output
seg000:0000011C ;   eax/ebx : hash seed = [edi-10h] / word [edi-0Ch] xor'd with the two
seg000:0000011C ;             constants at 191h/196h; TEAHash restores them on return, so
seg000:0000011C ;             all three hashes start from the same seed
seg000:0000011C ;   esi     : scratch; WeirdHash selector (0 or 1)
seg000:0000011C ; Output appended at edi, in order: 8 copied bytes, kernel hash (8),
seg000:0000011C ; two XBE-region hashes (8 each), NtCreateFile status, then on success
seg000:0000011C ; NtDeviceIoControlFile status, NtClose status, 68 bytes of byte-swapped
seg000:0000011C ; identify strings (model 40 + firmware 8 + serial 20) and the sector count.
seg000:0000011C ; Exit: "add esp, 3Ch" discards the two pushes as well, so neither ebp
seg000:0000011C ; nor edi is restored; edi is left just past the last byte written.
seg000:0000011C ;
seg000:0000011C ; Attributes: bp-based frame
seg000:0000011C
seg000:0000011C EntryPoint      proc near
seg000:0000011C
seg000:0000011C import_table    = dword ptr -34h
seg000:0000011C var_30          = dword ptr -30h
seg000:0000011C var_2C          = dword ptr -2Ch
seg000:0000011C var_28          = dword ptr -28h
seg000:0000011C var_24          = dword ptr -24h
seg000:0000011C object_attributes= OBJECT_ATTRIBUTES ptr -20h
seg000:0000011C ansi_string     = ANSI_STRING ptr -14h
seg000:0000011C handle          = dword ptr -0Ch
seg000:0000011C var_8           = byte ptr -8
seg000:0000011C var_4           = dword ptr -4
seg000:0000011C arg_0           = dword ptr  4          ; = [ebp+4], the adjusted saved edi
seg000:0000011C                                         ; (not a stack argument)
seg000:0000011C
seg000:0000011C                 mov     ax, cs          ; Check whether the CPU is running
seg000:0000011C                                         ; in user mode (Xbox is normally
seg000:0000011C                                         ; in kernel mode). This probably
seg000:0000011C                                         ; is here to detect emulators.
seg000:0000011F                 test    ax, 3           ; low 2 bits of CS = CPL
seg000:00000123                 jz      short loc_130
seg000:00000125                 mov     dword ptr [edi], 'GNIR' ; "ring" can mean user/kernel mode
seg000:0000012B                 mov     [edi+4], ax     ; report the CS selector, then bail
seg000:0000012F                 retn                    ; edi is not advanced on this path
seg000:00000130 ; ───────────────────────────────────────────────────────────────────
seg000:00000130
seg000:00000130 loc_130:                                ; CODE XREF: EntryPoint+7j
seg000:00000130                 push    edi
seg000:00000131                 sub     [esp+4+var_4], 10h ; [esp] = saved edi -= 10h
seg000:00000135                 push    ebp             ; After this, [ebp+0] = old ebp
seg000:00000135                                         ; Also, [ebp+4] = old edi - 10h
seg000:00000136                 mov     ebp, esp
seg000:00000138                 sub     esp, 34h
seg000:0000013B                 mov     esi, edx        ; esi = received data; the two movsd
seg000:0000013B                                         ; copy its first 8 bytes to the output
seg000:0000013B                                         ; (esi += 8, edi += 8)
seg000:0000013D                 movsd
seg000:0000013E                 movsd
seg000:0000013F                 mov     eax, 80010000h  ; Find the kernel export
seg000:0000013F                                         ; directory (80010000 =
seg000:0000013F                                         ; start address of kernel)
seg000:00000144                 mov     ebx, [eax+3Ch]  ; IMAGE_DOS_HEADER::e_lfanew
seg000:00000147                 add     ebx, eax        ; ebx = IMAGE_NT_HEADERS
seg000:00000149                 mov     edx, [ebx+78h]  ; [IMAGE_DIRECTORY_ENTRY_EXPORT]
seg000:0000014C                 add     edx, eax
seg000:0000014E                 mov     edx, [edx+1Ch]  ; IMAGE_EXPORT_DIRECTORY::AddressOfFunctions
seg000:00000151                 add     edx, eax        ; edx = RVA table of exported functions
seg000:00000153                 mov     ecx, 2A6h       ; 2A6 + EntryPoint = 3C2, the import table
seg000:00000158                 add     ecx, [ebp+0]    ; [ebp+0] = EntryPoint
seg000:0000015B                 mov     [ebp+import_table], ecx
seg000:0000015E
seg000:0000015E import_loop:                            ; CODE XREF: EntryPoint+57j
seg000:0000015E                 mov     eax, [ecx]      ; This code reads the DWORDs at
seg000:0000015E                                         ; 3C2, which are indexes into
seg000:0000015E                                         ; the kernel import table. It
seg000:0000015E                                         ; then resolves each one, until
seg000:0000015E                                         ; it sees a zero entry.
seg000:00000160                 cmp     eax, 0
seg000:00000163                 jz      short import_done
seg000:00000165                 dec     eax             ; ordinal -> 0-based table index
seg000:00000166                 mov     eax, [edx+eax*4] ; Look up entry in table
seg000:00000169                 add     eax, 80010000h  ; Add base address of kernel
seg000:0000016E                 mov     [ecx], eax      ; overwrite the ordinal in place
seg000:00000170                 add     ecx, 4
seg000:00000173                 jmp     short import_loop
seg000:00000175 ; ───────────────────────────────────────────────────────────────────
seg000:00000175
seg000:00000175 import_done:                            ; CODE XREF: EntryPoint+47j
seg000:00000175                 movzx   ecx, word ptr [ebx+14h] ; FileHeader.SizeOfOptionalHeader
seg000:00000179                 lea     ecx, [ecx+ebx+18h] ; ecx = first section header
seg000:0000017D                 mov     edx, 80010000h
seg000:00000182                 add     edx, [ecx+8]    ; + section VirtualSize
seg000:00000185                 add     edx, [ecx+0Ch]  ; + section VirtualAddress
seg000:00000185                                         ; = end of the kernel's first section
seg000:00000188                 mov     ecx, [ebp+arg_0] ; ecx = initial edi - 10h
seg000:0000018B                 mov     eax, [ecx]      ; server-supplied seed, dword
seg000:0000018D                 movzx   ebx, word ptr [ecx+4] ; server-supplied seed, word
seg000:00000191                 xor     eax, 0CCF0E0A2h ; Seed values for TEA. Apparently
seg000:00000191                                         ; Microsoft varies what the legal
seg000:00000191                                         ; hash is by sending random seed
seg000:00000191                                         ; values to the client (the previous
seg000:00000191                                         ; values of eax and ebx). This
seg000:00000191                                         ; prevents simply always sending
seg000:00000191                                         ; back a hard-coded hash.
seg000:00000196                 xor     ebx, 0EB111D39h
seg000:0000019C                 mov     ecx, 80010000h  ; hash range = kernel base .. end of
seg000:0000019C                                         ; its first section (edx, computed above)
seg000:000001A1                 call    TEAHash         ; Hashes a range of memory with the TEA algorithm.
seg000:000001A1                                         ; I don't know if Microsoft bothered to fix the
seg000:000001A1                                         ; 31/63 bit XOR problem. (See MCPX 1.1 disassembly)
seg000:000001A1                                         ; ecx=start address, edx=end address (exclusive)
seg000:000001A6                 mov     esi, 0          ; first challenge slot
seg000:000001AB                 call    WeirdHash       ; This function is apparently
seg000:000001AB                                         ; hashing the currently running
seg000:000001AB                                         ; XBE's code/data.
seg000:000001B0                 mov     esi, 1          ; second challenge slot
seg000:000001B5                 call    WeirdHash       ; This function is apparently
seg000:000001B5                                         ; hashing the currently running
seg000:000001B5                                         ; XBE's code/data.
seg000:000001BA                 push    20h ; ' '       ; FILE_SYNCHRONOUS_IO_NONALERT
seg000:000001BC                 push    1               ; CreateDisposition = FILE_OPEN
seg000:000001BE                 push    3               ; ShareAccess = read | write
seg000:000001C0                 push    80h ; '€'       ; FileAttributes = normal
seg000:000001C5                 push    0               ; AllocationSize = NULL
seg000:000001C7                 lea     eax, [ebp+var_8]
seg000:000001CA                 push    eax             ; IoStatusBlock (8 bytes at -8..-1)
seg000:000001CB                 mov     word ptr [ebp+ansi_string.Buffer], 1Ch
seg000:000001CB                                         ; Build OBJECT_ATTRIBUTES for the
seg000:000001CB                                         ; \Device\Harddisk0\Partition0
seg000:000001CB                                         ; string (1C = its length)
seg000:000001CB                                         ; IDA's member names look swapped:
seg000:000001CB                                         ; the two words written here are
seg000:000001CB                                         ; Length/MaximumLength and the dword
seg000:000001CB                                         ; at 1DF is Buffer (ANSI_STRING layout)
seg000:000001D1                 mov     word ptr [ebp+ansi_string.Buffer+2], 1Ch
seg000:000001D7                 mov     eax, 28Ah       ; Get address of that string
seg000:000001DC                 add     eax, [ebp+0]    ; 28A + EntryPoint = 3A6
seg000:000001DF                 mov     dword ptr [ebp+ansi_string.Length], eax
seg000:000001E2                 lea     eax, [ebp+ansi_string]
seg000:000001E5                 mov     [ebp+object_attributes.RootDirectory], 0 ; NULL
seg000:000001EC                 mov     [ebp+object_attributes.ObjectName], eax
seg000:000001EF                 mov     [ebp+object_attributes.Attributes], 40h ; case insensitive
seg000:000001F6                 lea     eax, [ebp+object_attributes]
seg000:000001F9                 push    eax             ; ObjectAttributes
seg000:000001FA                 push    80100000h       ; DesiredAccess = GENERIC_READ | SYNCHRONIZE
seg000:000001FF                 lea     eax, [ebp+handle]
seg000:00000202                 push    eax             ; FileHandle
seg000:00000203                 mov     eax, [ebp+import_table]
seg000:00000206                 call    dword ptr [eax] ; NtCreateFile
seg000:00000208                 stosd                   ; report the NTSTATUS to the server
seg000:00000209                 cmp     eax, 0
seg000:0000020C                 jnz     open_error      ; MS: This should be jns or jl
seg000:0000020C                                         ; (NTSTATUS failure is the sign bit;
seg000:0000020C                                         ; this also treats non-zero success
seg000:0000020C                                         ; codes as an error)
seg000:00000212                 mov     ebx, 2B6h       ; 2B6 + EntryPoint = 3D2
seg000:00000217                 add     ebx, [ebp+0]    ; ebx = identify output buffer
seg000:0000021A                 mov     [ebp+var_30], 0 ; var_30..var_24 = 16-byte
seg000:0000021A                                         ; pass-through request block
seg000:00000221                 mov     [ebp+var_2C], 0
seg000:00000221                                         ; This nasty chunk of code reads
seg000:00000221                                         ; the hard drive's identification
seg000:00000221                                         ; information (model name, serial
seg000:00000221                                         ; number) and prepares it to be
seg000:00000221                                         ; sent back to Microsoft.
seg000:00000228                 mov     byte ptr [ebp+var_2C+2], 0ECh ; EC = IDENTIFY DEVICE
seg000:00000228                                         ; (command register at +6)
seg000:0000022C                 mov     [ebp+var_28], 200h ; Length of data to return
seg000:00000233                 mov     [ebp+var_24], ebx ; data buffer = 3D2h
seg000:00000236                 lea     eax, [ebp+var_30]
seg000:00000239                 push    10h             ; OutputBufferLength
seg000:0000023B                 push    eax             ; OutputBuffer (same block)
seg000:0000023C                 push    10h             ; InputBufferLength
seg000:0000023E                 push    eax             ; InputBuffer
seg000:0000023F                 push    4D028h          ; IOCTL_IDE_PASS_THROUGH
seg000:00000244                 lea     eax, [ebp+var_8]
seg000:00000247                 push    eax             ; IoStatusBlock
seg000:00000248                 push    0               ; ApcContext
seg000:0000024A                 push    0               ; ApcRoutine
seg000:0000024C                 push    0               ; Event
seg000:0000024E                 push    [ebp+handle]    ; FileHandle
seg000:00000251                 mov     eax, [ebp+import_table]
seg000:00000254                 call    dword ptr [eax+8] ; NtDeviceIoControl
seg000:00000257                 stosd                   ; report the NTSTATUS; note the
seg000:00000257                                         ; result is not checked before the
seg000:00000257                                         ; buffer is copied below
seg000:00000258                 push    [ebp+handle]
seg000:0000025B                 mov     eax, [ebp+import_table]
seg000:0000025E                 call    dword ptr [eax+4] ; NtClose
seg000:00000261                 stosd                   ; report the NTSTATUS
seg000:00000262                 push    edi             ; remember where the strings start
seg000:00000263                 mov     ebx, 2B6h
seg000:00000268                 add     ebx, [ebp+0]    ; The below structure is
seg000:00000268                                         ; IDE_IDENTIFY_DATA from the
seg000:00000268                                         ; Windows 2000 DDK.
seg000:0000026B                 lea     esi, [ebx+36h]  ; Copy HD model number (40 bytes)
seg000:0000026E                 mov     ecx, 0Ah
seg000:00000273                 rep movsd
seg000:00000275                 lea     esi, [ebx+2Eh]  ; Copy HD firmware revision (8 bytes)
seg000:00000278                 mov     ecx, 2
seg000:0000027D                 rep movsd
seg000:0000027F                 lea     esi, [ebx+14h]  ; Copy HD serial number (20 bytes)
seg000:00000282                 mov     ecx, 5
seg000:00000287                 rep movsd
seg000:00000289                 pop     edi             ; back to the start of the 68 bytes
seg000:0000028A                 mov     esi, edi
seg000:0000028C                 mov     ecx, 22h ; '"'  ; 22h words = 68 bytes just copied
seg000:00000291
seg000:00000291 loc_291:                                ; CODE XREF: EntryPoint+17Dj
seg000:00000291                 lodsw                   ; Swap around every pair of bytes.
seg000:00000291                                         ; This is because IDE protocol is
seg000:00000291                                         ; reversed like this.
seg000:00000291                                         ; (in place: esi and edi walk together)
seg000:00000293                 rol     ax, 8           ; MS: Try xchg al, ah
seg000:00000297                 stosw
seg000:00000299                 loop    loc_291
seg000:0000029B                 mov     eax, [ebx+78h]  ; Send the size of the hard disk!!!
seg000:0000029B                                         ; (IDENTIFY words 60-61 at byte 78h:
seg000:0000029B                                         ; user-addressable sector count)
seg000:0000029E                 stosd
seg000:0000029F
seg000:0000029F open_error:                             ; CODE XREF: EntryPoint+F0j
seg000:0000029F                 add     esp, 3Ch        ; 34h locals + pushed ebp + pushed edi;
seg000:0000029F                                         ; ebp/edi are deliberately not popped
seg000:000002A2                 retn
seg000:000002A2 EntryPoint      endp ; sp = -50h
seg000:000002A2                                         ; IDA's sp = -50h is a tracking
seg000:000002A2                                         ; artifact: the 20 dwords pushed for
seg000:000002A2                                         ; the three Nt* calls (9+10+1) are
seg000:000002A2                                         ; removed by the callees, which IDA
seg000:000002A2                                         ; cannot see for an indirect call
seg000:000002A2
seg000:000002A3
seg000:000002A3 ; █████████████ S U B R O U T I N E █████████████████████████████████
seg000:000002A3
seg000:000002A3 ; This function is apparently
seg000:000002A3 ; hashing the currently running
seg000:000002A3 ; XBE's code/data.
seg000:000002A3 ;
seg000:000002A3 ; In:    esi = selector, 0 or 1 (which of the two challenge slots)
seg000:000002A3 ;        ebp = EntryPoint's frame; [ebp+4] = initial edi - 10h
seg000:000002A3 ;        eax, ebx = hash seed, passed through to TEAHash untouched
seg000:000002A3 ;        edi = output cursor
seg000:000002A3 ; Out:   8 bytes appended at [edi]: the hash, or two zero dwords on
seg000:000002A3 ;        the return_zero path; edi += 8
seg000:000002A3 ; Clobb: ecx, edx, esi, flags
seg000:000002A3 ; The region to hash is chosen entirely by the received data, read from
seg000:000002A3 ; the 16 bytes below the initial edi (presumably the challenge header
seg000:000002A3 ; placed there by the caller -- confirm against the caller):
seg000:000002A3 ;   byte  [+6+esi]    -> edx : qword count (mode 0) or a flag (mode 1)
seg000:000002A3 ;   dword [+8+esi*4]  -> ecx : low 2 bits = mode, rest = value
seg000:000002A3 ;   mode 0  : hash [value, value + edx*8); the only check is an upper
seg000:000002A3 ;             bound on the address (0CFFFF800h), no lower bound
seg000:000002A3 ;   mode 1  : hash the XBE header at 10000h for [10108h] bytes, or
seg000:000002A3 ;             370h bytes when edx == 0 ("unknown" path)
seg000:000002A3 ;   mode 2/3: section (value >> 3): hash [VirtualAddress, +VirtualSize);
seg000:000002A3 ;             the index is not compared with the section count
seg000:000002A3 ;             (XBE header +11Ch), so any index sent is dereferenced
seg000:000002A3
seg000:000002A3 WeirdHash       proc near               ; CODE XREF: EntryPoint+8Fp
seg000:000002A3                                         ; EntryPoint+99p
seg000:000002A3                 mov     ecx, [ebp+4]    ; Get original edi (buffer to send to MS),
seg000:000002A3                                         ; minus 10h (adjusted at EntryPoint+15h)
seg000:000002A6                 movzx   edx, byte ptr [esi+ecx+6] ; esi is 0 or 1
seg000:000002AB                 mov     ecx, [ecx+esi*4+8] ; slot value
seg000:000002AF                 cmp     ecx, 0
seg000:000002B2                 jz      short return_zero ; empty slot -> two zero dwords
seg000:000002B4                 mov     esi, ecx
seg000:000002B6                 and     esi, 3          ; esi = mode
seg000:000002B9                 and     ecx, 0FFFFFFFCh ; ecx = value without the mode bits
seg000:000002BC                 cmp     esi, 0          ; 0 mod 4
seg000:000002BF                 jz      short loc_2FE
seg000:000002C1                 cmp     esi, 1          ; 1 mod 4
seg000:000002C4                 jz      short hash_header
seg000:000002C6                 mov     esi, 10000h     ; XBE header address
seg000:000002CB                 mov     edx, ecx        ; Multiply by 7. ecx is apparently
seg000:000002CB                                         ; already a QWORD multiple (the
seg000:000002CB                                         ; round size of TEA), making this
seg000:000002CB                                         ; effectively a multiply by 0x38,
seg000:000002CB                                         ; the size of a section header.
seg000:000002CD                 add     edx, ecx        ; To Microsoft:
seg000:000002CF                 add     edx, ecx        ; Try this next time:
seg000:000002D1                 add     edx, ecx        ; lea edx, [ecx*8]
seg000:000002D3                 add     edx, ecx        ; sub edx, ecx
seg000:000002D5                 add     edx, ecx        ; edx = 6*ecx
seg000:000002D7                 add     ecx, edx        ; ecx = 7*ecx
seg000:000002D9                 add     ecx, [esi+120h] ; Pointer to section headers
seg000:000002DF                 mov     edx, [ecx+8]    ; Virtual size of section
seg000:000002E2                 mov     ecx, [ecx+4]    ; Virtual address of section
seg000:000002E5                 jmp     short loc_309
seg000:000002E7 ; ───────────────────────────────────────────────────────────────────
seg000:000002E7
seg000:000002E7 hash_header:                            ; CODE XREF: WeirdHash+21j
seg000:000002E7                 mov     ecx, 10000h     ; XBE header start address
seg000:000002EC                 cmp     edx, 0          ; the byte from +6/+7 acts as a flag here
seg000:000002EF                 jz      short unknown
seg000:000002F1                 mov     edx, [ecx+108h] ; Length of XBE header
seg000:000002F7                 jmp     short loc_309
seg000:000002F9 ; ───────────────────────────────────────────────────────────────────
seg000:000002F9
seg000:000002F9 unknown:                                ; CODE XREF: WeirdHash+4Cj
seg000:000002F9                 mov     edx, 6Eh ; 'n'  ; falls into loc_2FE: 6Eh << 3 = 370h
seg000:000002F9                                         ; bytes of header get hashed
seg000:000002FE
seg000:000002FE loc_2FE:                                ; CODE XREF: WeirdHash+1Cj
seg000:000002FE                 cmp     ecx, 0CFFFF800h ; upper bound only (unsigned)
seg000:00000304                 jnb     short return_zero
seg000:00000306                 shl     edx, 3          ; qwords -> bytes
seg000:00000309
seg000:00000309 loc_309:                                ; CODE XREF: WeirdHash+42j
seg000:00000309                                         ; WeirdHash+54j
seg000:00000309                 add     edx, ecx        ; edx points to end - it's not length.
seg000:0000030B                 call    TEAHash         ; Hashes a range of memory with the TEA algorithm.
seg000:0000030B                                         ; I don't know if Microsoft bothered to fix the
seg000:0000030B                                         ; 31/63 bit XOR problem. (See MCPX 1.1 disassembly)
seg000:0000030B                                         ; ecx=start address, edx=end address (exclusive)
seg000:00000310                 retn
seg000:00000311 ; ───────────────────────────────────────────────────────────────────
seg000:00000311
seg000:00000311 return_zero:                            ; CODE XREF: WeirdHash+Fj
seg000:00000311                                         ; WeirdHash+61j
seg000:00000311                 push    eax             ; This looks like some kind of
seg000:00000311                                         ; error handler to tell MS that
seg000:00000311                                         ; something went wrong.
seg000:00000311                                         ; (writes 8 zero bytes so the output
seg000:00000311                                         ; keeps the same layout as a hash)
seg000:00000312                 xor     eax, eax
seg000:00000314                 stosd
seg000:00000315                 stosd
seg000:00000316                 pop     eax             ; keep the seed intact
seg000:00000317                 retn
seg000:00000317 WeirdHash       endp
seg000:00000317
seg000:00000318
seg000:00000318 ; █████████████ S U B R O U T I N E █████████████████████████████████
seg000:00000318
seg000:00000318 ; Hashes a range of memory with the TEA algorithm.
seg000:00000318 ; I don't know if Microsoft bothered to fix the
seg000:00000318 ; 31/63 bit XOR problem. (See MCPX 1.1 disassembly)
seg000:00000318 ; ecx=start address, edx=end address (exclusive)
seg000:00000318 ;
seg000:00000318 ; In:    ecx = start address, edx = end address (exclusive)
seg000:00000318 ;        eax, ebx = initial 64-bit state (the caller's seed)
seg000:00000318 ;        edi = output cursor
seg000:00000318 ; Out:   8 bytes appended at [edi]: final eax, then final ebx; edi += 8
seg000:00000318 ;        eax, ebx, ebp are restored by the push/pop pairs, so the
seg000:00000318 ;        caller's seed survives for the next hash
seg000:00000318 ; Clobb: ecx, edx, esi, flags
seg000:00000318 ; Structure, as read from loc_34C: per 8-byte block the four "key"
seg000:00000318 ; words are [state0, state1, data0, data1] (var_10..var_4), sum
seg000:00000318 ; (var_14) restarts at 0, and 16 cycles do
seg000:00000318 ;   v0 += (((v1<<4) ^ (v1>>5)) + v1) ^ (sum + key[sum & 3]);
seg000:00000318 ;   sum += 9E3779B9h;
seg000:00000318 ;   v1 += (((v0<<4) ^ (v0>>5)) + v0) ^ (sum + key[(sum>>11) & 3]);
seg000:00000318 ; That is the XTEA key schedule (indices sum&3 / (sum>>11)&3), not
seg000:00000318 ; original TEA's fixed k0..k3, and v0/v1 chain across blocks.
seg000:00000318 ; The block loop is do-while (loc_323 runs before the ebp/edi compare
seg000:00000318 ; at 396h), so a range with start >= end still hashes one block.
seg000:00000318
seg000:00000318 TEAHash         proc near               ; CODE XREF: EntryPoint+85p
seg000:00000318                                         ; WeirdHash+68p
seg000:00000318
seg000:00000318 var_14          = dword ptr -14h        ; sum
seg000:00000318 var_10          = dword ptr -10h        ; key[0] = state0 (eax at block start)
seg000:00000318 var_C           = dword ptr -0Ch        ; key[1] = state1 (ebx at block start)
seg000:00000318 var_8           = dword ptr -8          ; key[2] = data dword 0
seg000:00000318 var_4           = dword ptr -4          ; key[3] = data dword 1
seg000:00000318
seg000:00000318                 push    eax             ; seed and frame registers are
seg000:00000319                 push    ebx             ; saved and restored at the end
seg000:0000031A                 push    ebp
seg000:0000031B                 push    edi
seg000:0000031C                 mov     ebp, ecx        ; ebp = current block
seg000:0000031E                 mov     edi, edx        ; edi = end address (exclusive)
seg000:00000320                 sub     esp, 14h
seg000:00000323
seg000:00000323 loc_323:                                ; CODE XREF: TEAHash+80j
seg000:00000323                 mov     [esp+14h+var_10], eax ; key[0] = v0
seg000:00000327                 mov     [esp+14h+var_C], ebx  ; key[1] = v1
seg000:0000032B                 mov     edx, [ebp+0]
seg000:0000032E                 mov     esi, [ebp+4]
seg000:00000331                 prefetchnta byte ptr [ebp+8] ; hint for the next block
seg000:00000335                 lea     ebp, [ebp+8]    ; advance without touching flags
seg000:00000338                 mov     [esp+14h+var_8], edx  ; key[2] = data0
seg000:0000033C                 mov     [esp+14h+var_4], esi  ; key[3] = data1
seg000:00000340                 mov     [esp+14h+var_14], 0   ; sum = 0
seg000:00000347                 mov     ecx, 10h        ; 16 cycles per block
seg000:0000034C
seg000:0000034C loc_34C:                                ; CODE XREF: TEAHash+7Cj
seg000:0000034C                 mov     edx, ebx        ; edx = ((v1<<4) ^ (v1>>5)) + v1
seg000:0000034E                 mov     esi, ebx
seg000:00000350                 shl     edx, 4
seg000:00000353                 shr     esi, 5
seg000:00000356                 xor     edx, esi
seg000:00000358                 add     edx, ebx
seg000:0000035A                 mov     esi, [esp+14h+var_14] ; esi = key[sum & 3] + sum
seg000:0000035D                 and     esi, 3
seg000:00000360                 mov     esi, [esp+esi*4+14h+var_10]
seg000:00000364                 add     esi, [esp+14h+var_14]
seg000:00000367                 xor     edx, esi
seg000:00000369                 add     eax, edx        ; v0 += ...
seg000:0000036B                 add     [esp+14h+var_14], 9E3779B9h ; sum += delta
seg000:00000372                 mov     edx, eax        ; edx = ((v0<<4) ^ (v0>>5)) + v0
seg000:00000374                 mov     esi, eax
seg000:00000376                 shl     edx, 4
seg000:00000379                 shr     esi, 5
seg000:0000037C                 xor     edx, esi
seg000:0000037E                 add     edx, eax
seg000:00000380                 mov     esi, [esp+14h+var_14] ; esi = key[(sum>>11) & 3] + sum
seg000:00000383                 shr     esi, 0Bh
seg000:00000386                 and     esi, 3
seg000:00000389                 mov     esi, [esp+esi*4+14h+var_10]
seg000:0000038D                 add     esi, [esp+14h+var_14]
seg000:00000390                 xor     edx, esi
seg000:00000392                 add     ebx, edx        ; v1 += ...
seg000:00000394                 loop    loc_34C
seg000:00000396                 cmp     ebp, edi        ; more blocks below the end address?
seg000:00000398                 jb      short loc_323   ; unsigned: addresses
seg000:0000039A                 add     esp, 14h
seg000:0000039D                 pop     edi             ; caller's output cursor
seg000:0000039E                 pop     ebp
seg000:0000039F                 stosd                   ; emit final v0
seg000:000003A0                 mov     eax, ebx
seg000:000003A2                 stosd                   ; emit final v1
seg000:000003A3                 pop     ebx             ; restore the caller's seed
seg000:000003A4                 pop     eax
seg000:000003A5                 retn
seg000:000003A5 TEAHash         endp
seg000:000003A5
seg000:000003A5 ; ───────────────────────────────────────────────────────────────────
seg000:000003A6 aDeviceHarddisk db '\Device\Harddisk0\Partition0' ; Name of the "file" to open
seg000:000003A6                                         ; (1Ch bytes, matching the length
seg000:000003A6                                         ; stored at EntryPoint+0AFh)
seg000:000003C2 NtCreateFile    dd 0BEh                 ; This is the kernel import
seg000:000003C2                                         ; table. These fields get
seg000:000003C2                                         ; replaced with the actual
seg000:000003C2                                         ; address.
seg000:000003C2                                         ; (ordinals, resolved in place by
seg000:000003C2                                         ; import_loop; 0 terminates)
seg000:000003C6 NtClose         dd 0BBh
seg000:000003CA NtDeviceIoControlFile dd 0C4h
seg000:000003CE                 dd 0                    ; end of the import table
seg000:000003D2                 db 0                    ; This is where the identify data is
seg000:000003D2                                         ; written to (512 bytes long)
seg000:000003D2                                         ; 3D2h + 200h = 5D2h exceeds the 3D4h
seg000:000003D2                                         ; loaded length: unless the caller
seg000:000003D2                                         ; allocates slack after the packet,
seg000:000003D2                                         ; the IOCTL writes 1FEh bytes past it
seg000:000003D3                 db 0                    ; Last byte checked by digital
seg000:000003D3                                         ; signature
seg000:000003D4                 db 0
gorgole Posté(e) le 8 mars 2004 Posté(e) le 8 mars 2004 Salut, c'est quoi exactement? ça peut débannir?
ImUrGoD Posté(e) le 12 mars 2004 Posté(e) le 12 mars 2004 Oui, c'est quoi au juste ? C'est pour débannir ou quelque chose comme ça ? Parce que depuis que j'ai vu qu'il y a une nouvelle protection, je ne vais même plus sur le Xbox Live et je ne comprends pas quoi faire exactement.