Modifying The Xex



27 replies to this topic

#1 iBotPeaches

    GIT Gatekeeper

  • Members
  • 47 posts
  • Location: Arkansas

Posted 15 November 2011 - 09:06 AM

Sweet site with a sexy theme. I'm trying to learn this stuff, and I honestly just like looking through the xex files and wondering wtf is this.

EDIT: I'm an idiot. Disregard this.

Edited by iBotPeaches, 15 November 2011 - 10:55 AM.


#2 Xerax

    IXboxChaosUser

  • Administrators
  • 852 posts
  • Location: Application.Current

Posted 15 November 2011 - 10:55 AM

Oh hello peaches :)

shots fired


#3 iBotPeaches

    GIT Gatekeeper

  • Members
  • 47 posts
  • Location: Arkansas

Posted 15 November 2011 - 10:57 AM

Holy damn this theme is amazing. I barely looked it over last time you showed it to me.

Perfect shading of colours.

#4 DeadCanadian

  • Moderators
  • 1329 posts
  • Location: Alberta, Canada

Posted 15 November 2011 - 03:13 PM

Hi peaches. I'm going to be looking at the xex as I have been slowly understanding parts of them. I plan to get a check-removed xex made in a bit. However, I've been waiting on amd to get me the re-compressor so I can test it as I do it. Although it should be fairly simple: locate xexcryptsha and break the function.

EDIT:
OK, upon quickly looking at the xex I found a few functions that call xecryptsha which we will likely need to break. However, I see some problems that may arise with some, because they also call NTCreateFile and so forth. So maybe it's putting checks on other things, but I'll figure it out.

Here are the offsets for what we will need to change. I'm not sure exactly which ones will be needed.
What you do is go to the offset, find the float value that is located there and remove the decimal. This is the easiest way to break functions.

0x831190DC - calls NTCreateFile
0x8311B644 - alone, maybe just a check
0x8311C83C - alone
0x8311D6E4 - called lower in the function
0x8311EA1C - as well, called lower in the function
0x8311F81C - same as two above

Personally I feel that the 2nd and 3rd offsets would likely be plain checks in the xex, for when maps are loading. So those are my best guess to break the encryption.

As well, peaches, I believe I have both of your MSNs added, so I could probably try to help you a little on there with IDA.

#5 Thunder

    Wind Guide You

  • Administrators
  • 2043 posts
  • Location: 127.0.0.1

Posted 15 November 2011 - 05:26 PM

I think aaron needs to have a look at this. Do the second and third functions look possibly related to each other?

BTW peaches, welcome to Xbox Chaos!



#6 Zythara

  • Members
  • 92 posts

Posted 15 November 2011 - 09:38 PM

Don't bother; now that I have the compressor I can check if we even need to null those functions for the .maps to load.

#7 iBotPeaches

    GIT Gatekeeper

  • Members
  • 47 posts
  • Location: Arkansas

Posted 16 November 2011 - 09:40 PM

With these images of the debug menu popping up, it's gotta be one of these things labeled debug in the xex.

#8 DeadCanadian

  • Moderators
  • 1329 posts
  • Location: Alberta, Canada

Posted 17 November 2011 - 01:08 AM

That's a cool debug menu; are you actually able to do anything in it?

#9 Xerax

    IXboxChaosUser

  • Administrators
  • 852 posts
  • Location: Application.Current

Posted 17 November 2011 - 08:50 AM

@Peaches, I'm sure that's a simple flag in the xex. I'm by no means great with IDA, but I'll start disassembling the xex and see if I can achieve anything. I saw the "Matchmaking" option, and now I want to see what's inside it.

shots fired


#10 iBotPeaches

    GIT Gatekeeper

  • Members
  • 47 posts
  • Location: Arkansas

Posted 17 November 2011 - 09:03 AM

Here's anything labeled debug. I'm changing them one by one and booting. Gotta go to class though. Haven't even tested one yet :(

0x820082AC = debugMode
0x820086C4 = isDebugMode
0x82027C80 = something about debug menus
0x82033570 = presence of debug?

Edited by iBotPeaches, 17 November 2011 - 09:05 AM.


#11 Xerax

    IXboxChaosUser

  • Administrators
  • 852 posts
  • Location: Application.Current

Posted 17 November 2011 - 09:30 AM

Well, I found the functions that set/get debug variables. So the sub they are in should be the one called by the menu.

0x82023B90 = "SetDbgVar(dbgVarName: string, dbgVarValue: string)"
0x82023BC4 = "GetDbgVar(dbgVarName: string): *"

e: Found something that sounds a bit more promising.

0x822FF638

shots fired


#12 DeadCanadian

  • Moderators
  • 1329 posts
  • Location: Alberta, Canada

Posted 17 November 2011 - 09:48 AM

Well, I went into IDA and looked a bit at the offsets that peaches put down. Those are just strings, but the full functions for the debug menu can be found. I'll link their offsets and then I'll find a compare that enables them for us.

#13 iBotPeaches

    GIT Gatekeeper

  • Members
  • 47 posts
  • Location: Arkansas

Posted 17 November 2011 - 10:24 AM

> Well, I went into IDA and looked a bit at the offsets that peaches put down. Those are just strings, but the full functions for the debug menu can be found. I'll link their offsets and then I'll find a compare that enables them for us.

lol. I'm still learning. I made about 10 different XEXs changing random things. About to go test them.

EDIT: Tell me if I'm interpreting this right.

The loc up top is just a way to access this block of code. Much like I can use goto 1; and place 1: somewhere in my code?

mfspr - Moves that to some special register?
stw/std/stwu - Stores word/dword/store word w/ update
mr - I think is the same as OR
bl - I think is like branching into 2 ?
addi - addition?
lwz - load word and zero? (dunno what that means)
mtspr - Move to special register
ld - load double word
blr - branching again (Maybe unconditionally)

Edited by iBotPeaches, 17 November 2011 - 11:22 AM.


#14 Xerax

    IXboxChaosUser

  • Administrators
  • 852 posts
  • Location: Application.Current

Posted 17 November 2011 - 12:21 PM

I think I found the location where godmode is enabled/disabled, but due to lack of PPC/assembly knowledge I have no idea how to enable it. (I tried setting the address at "beq" to both 0x40 and 0x41.)

shots fired
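The mnemonics peaches lists in #13 (mfspr, stw/std/stwu, mr, bl, addi, lwz, mtspr, ld, blr) and the "beq" byte Xerax is patching in #14 are all fixed-width 32-bit PowerPC encodings, so their meaning can be recovered from the bit fields alone. The decoder below is an added illustration, not code from this thread, from IDA, or from any poker tool; the nine-word prologue/epilogue fed to it is constructed here, and the load address 0x82000000 is only an assumed base for computing branch targets. It shows how `mr` is really `or rA,rS,rS`, how `mfspr`/`mtspr` carry the LR number with its halves swapped, and why the first byte of a conditional branch distinguishes `beq` (0x41, BO=12) from `bne` (0x40, BO=4).

```python
# Minimal big-endian PowerPC decoder for the instructions discussed in the thread.
# Added illustration; not code from the thread, IDA, or any XEX tool.
import struct

SPR_NAMES = {1: "xer", 8: "lr", 9: "ctr"}
# (BO, BI) pairs for the common cr0 conditions; BO=12 branches if the bit is set,
# BO=4 if it is clear. BI=2 is cr0[EQ], BI=0 is cr0[LT], BI=1 is cr0[GT].
COND_NAMES = {(12, 2): "beq", (4, 2): "bne", (12, 0): "blt", (4, 0): "bge",
              (12, 1): "bgt", (4, 1): "ble"}

def _sext(value, bits):
    """Sign-extend a `bits`-wide two's-complement field."""
    return value - (1 << bits) if value & (1 << (bits - 1)) else value

def decode(word, pc=0):
    """Decode one instruction word into (mnemonic, operand string).

    `pc` is the address of the word, needed only for relative branch targets.
    """
    opcd = word >> 26
    rt = (word >> 21) & 0x1F          # RT / RS / BO field
    ra = (word >> 16) & 0x1F          # RA / BI field
    rb = (word >> 11) & 0x1F          # RB field
    d = _sext(word & 0xFFFF, 16)      # D-form signed displacement / immediate

    # D-form loads, stores and addi (li is addi with RA=0).
    if opcd == 14:
        return ("li", f"r{rt}, {d}") if ra == 0 else ("addi", f"r{rt}, r{ra}, {d}")
    if opcd == 32:
        return ("lwz", f"r{rt}, {d}(r{ra})")
    if opcd == 36:
        return ("stw", f"r{rt}, {d}(r{ra})")
    if opcd == 37:
        return ("stwu", f"r{rt}, {d}(r{ra})")
    # DS-form 64-bit loads/stores: 14-bit displacement, 2-bit XO in the low bits.
    if opcd in (58, 62):
        ds, xo = _sext(word & 0xFFFC, 16), word & 3
        if opcd == 58 and xo == 0:
            return ("ld", f"r{rt}, {ds}(r{ra})")
        if opcd == 62 and xo == 0:
            return ("std", f"r{rt}, {ds}(r{ra})")
        if opcd == 62 and xo == 1:
            return ("stdu", f"r{rt}, {ds}(r{ra})")
    # I-form unconditional branch: 24-bit word-aligned displacement, AA and LK bits.
    if opcd == 18:
        li, aa, lk = _sext(word & 0x03FFFFFC, 26), (word >> 1) & 1, word & 1
        target = li if aa else pc + li
        return ("bl" if lk else "b", f"0x{target:08X}")
    # B-form conditional branch: BO/BI pick the CR bit and the sense of the test.
    if opcd == 16:
        bo, bi = rt, ra
        bd = _sext(word & 0xFFFC, 16)
        target = bd if (word >> 1) & 1 else pc + bd
        name = COND_NAMES.get((bo, bi))
        return (name, f"0x{target:08X}") if name else ("bc", f"{bo}, {bi}, 0x{target:08X}")
    # XL-form: blr is bclr with BO=20 ("branch always") to the link register.
    if opcd == 19 and ((word >> 1) & 0x3FF) == 16 and rt == 20:
        return ("blr", "")
    # Opcode 31 covers register-to-register ops: or (mr), mfspr, mtspr.
    if opcd == 31:
        xo = (word >> 1) & 0x3FF
        if xo == 444:
            return ("mr", f"r{ra}, r{rt}") if rt == rb else ("or", f"r{ra}, r{rt}, r{rb}")
        if xo in (339, 467):
            # The 10-bit SPR number is stored with its 5-bit halves swapped:
            # low half in the RA position, high half in the RB position.
            spr = (rb << 5) | ra
            name = SPR_NAMES.get(spr, str(spr))
            return ("mfspr", f"r{rt}, {name}") if xo == 339 else ("mtspr", f"{name}, r{rt}")
    return (".long", f"0x{word:08X}")

def disassemble(code, base):
    """Disassemble a big-endian byte string that is loaded at address `base`."""
    lines = []
    for off in range(0, len(code) - len(code) % 4, 4):
        (word,) = struct.unpack(">I", code[off:off + 4])
        mnem, ops = decode(word, base + off)
        lines.append(f"{base + off:08X}  {word:08X}  {mnem} {ops}".rstrip())
    return lines

# Constructed sample: a typical small-function prologue, call and epilogue.
SAMPLE_BASE = 0x82000100  # assumed load address, not taken from any real xex
SAMPLE_CODE = bytes.fromhex(
    "7C0802A6"  # mflr r0          (mfspr r0, lr)
    "9421FFC0"  # stwu r1, -64(r1)
    "90010044"  # stw  r0, 68(r1)
    "7FE3FB78"  # mr   r3, r31     (or r3, r31, r31)
    "4BFFFF01"  # bl   0x82000010  (relative, link bit set)
    "80010044"  # lwz  r0, 68(r1)
    "7C0803A6"  # mtlr r0          (mtspr lr, r0)
    "38210040"  # addi r1, r1, 64
    "4E800020"  # blr
)

if __name__ == "__main__":
    for line in disassemble(SAMPLE_CODE, SAMPLE_BASE):
        print(line)
```

Running the block prints the nine decoded lines; `decode(0x41820010)` versus `decode(0x40820010)` shows the one-bit difference between `beq` and `bne` that the 0x41/0x40 byte patch in #14 toggles.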


#15 iBotPeaches

    GIT Gatekeeper

  • Members
  • 47 posts
  • Location: Arkansas

Posted 17 November 2011 - 01:00 PM

yeeee my first ever progress.

It just says On and Off over and over again. I honestly don't remember what I changed, but I'll run a diff on a normal xex and figure it out.

Edited by iBotPeaches, 17 November 2011 - 01:01 PM.


#16 DeadCanadian

  • Moderators
  • 1329 posts
  • Location: Alberta, Canada

Posted 17 November 2011 - 01:10 PM

peaches, why are you modding xex's all the time? Depending what you're doing, you can poke the xex to see the results faster. I simply use my advanced poker in Ascension. As well, it lets you save tags so you can share them with others.

#17 Xerax

    IXboxChaosUser

  • Administrators
  • 852 posts
  • Location: Application.Current

Posted 17 November 2011 - 01:10 PM

What's the offset? ;o

shots fired


#18 iBotPeaches

    GIT Gatekeeper

  • Members
  • 47 posts
  • Location: Arkansas

Posted 17 November 2011 - 01:34 PM

I'm in class :/

When I'm back I'll figure out how to use that poker. I'm tired of moving a hard drive back and forth.

That offset didn't work though; it only flipped it on and off every second, so I at least enabled the mode, just not correctly. Either way, when I get back I'll get the offset.

#19 Xerax

    IXboxChaosUser

  • Administrators
  • 852 posts
  • Location: Application.Current

Posted 17 November 2011 - 01:57 PM

Still, if you can find it, it can get us closer to finding the menu.

shots fired


#20 iBotPeaches

    GIT Gatekeeper

  • Members
  • 47 posts
  • Location: Arkansas

Posted 17 November 2011 - 02:25 PM

0x822FF970 is the IDA offset of what I changed to 1.

Now a question. When I look for offsets in my decompressed, unencrypted XEX, they're always like 0x3FE4 away from the actual data location. When using this poker, do I use the location from IDA?

EDIT: cannot get the xex poker to load.


************** Exception Text **************
System.IO.FileNotFoundException: Could not load file or assembly 'Newtonsoft.Json, Version=3.5.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed' or one of its dependencies. The system cannot find the file specified.
File name: 'Newtonsoft.Json, Version=3.5.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed'

Neighborhood sees my console fine, if that could be a problem.

I somehow lost that DLL. I redownloaded. All good.

EDIT3: This thing is sexy. I click poke. Boom, enabled. Then fatal crash :(
EDIT4: I'm on MSN.

Edited by iBotPeaches, 17 November 2011 - 02:40 PM.
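The constant gap peaches notices in #20 between an IDA address and the position of the same bytes in the decompressed file is the usual difference between a virtual address (where the loader maps a section) and a file offset (where its bytes sit on disk). Translating between the two needs the image's section table, which is why a memory poker takes the IDA address while a hex editor needs the file offset. The helper below is an added illustration, not the thread's poker or any XEX tool; the section table, image bytes and the 0x82000000 base are constructed for the example and are not the real layout of any xex, so the delta it produces is not the thread's 0x3FE4.

```python
# Virtual-address <-> file-offset translation through a section table.
# Added illustration with a constructed section table; not a real XEX layout.
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int   # where the loader maps the section (what IDA shows)
    virtual_size: int      # mapped size, may exceed the bytes stored in the file
    raw_offset: int        # position of the section's bytes in the file
    raw_size: int          # number of bytes actually stored in the file

# Constructed table: a small header region precedes .text in the file, and
# .data has a zero-filled tail that exists in memory but not on disk.
SECTIONS = [
    Section(".text", 0x82001000, 0x20000, 0x400, 0x20000),
    Section(".data", 0x82021000, 0x8000, 0x20400, 0x2000),
]

def va_to_file_offset(sections, va):
    """Return the file offset holding the byte mapped at virtual address `va`.

    Raises ValueError when `va` is outside every section, or lands in the part
    of a section that is zero-filled at load time and has no bytes in the file.
    """
    for s in sections:
        if s.virtual_address <= va < s.virtual_address + s.virtual_size:
            delta = va - s.virtual_address
            if delta >= s.raw_size:
                raise ValueError(f"0x{va:08X} is in {s.name} but not backed by file bytes")
            return s.raw_offset + delta
    raise ValueError(f"0x{va:08X} is not inside any section")

def file_offset_to_va(sections, offset):
    """Inverse mapping: the virtual address at which file offset `offset` is loaded."""
    for s in sections:
        if s.raw_offset <= offset < s.raw_offset + s.raw_size:
            return s.virtual_address + (offset - s.raw_offset)
    raise ValueError(f"file offset 0x{offset:X} is not part of any loaded section")

def read_word_at_va(image, sections, va):
    """Read the big-endian 32-bit word that IDA would show at `va` from the file image."""
    off = va_to_file_offset(sections, va)
    if off + 4 > len(image):
        raise ValueError("word extends past the end of the image")
    return struct.unpack(">I", image[off:off + 4])[0]

# Constructed image: zeroed file large enough for both sections' raw data,
# with one recognisable word (blr, 0x4E800020) placed at .text+0x234.
IMAGE = bytearray(0x20400 + 0x2000)
IMAGE[0x634:0x638] = bytes.fromhex("4E800020")

if __name__ == "__main__":
    va = 0x82001234
    off = va_to_file_offset(SECTIONS, va)
    print(f"VA 0x{va:08X} -> file offset 0x{off:X} (delta 0x{va - off:X})")
    print(f"word at that VA: 0x{read_word_at_va(IMAGE, SECTIONS, va):08X}")
```

Each section carries its own delta, so a single "subtract 0x3FE4" rule only holds while you stay inside one section; the bss-style tail check is the case that silently corrupts a file if you patch by arithmetic alone.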
