
iBotPeaches

Anniversary Modifying The Xex

28 posts in this topic

Sweet site with a sexy theme. I'm trying to learn this stuff, and I honestly just like looking through the xex files and wondering wtf is this.

EDIT: I'm an idiot. Disregard this.

Edited by iBotPeaches


Holy damn this theme is amazing. I barely looked it over last time you showed it to me.

Perfect shading of colours.


Hi peaches. I'm going to be looking at the xex as I have been slowly understanding parts of them. I plan to get a check-removed xex made in a bit. However I've been waiting on AMD to get me the re-compressor so I can test it as I do it, although it should be fairly simple: locate XeCryptSha and break the function.

EDIT:

OK, upon quickly looking at the xex I found a few functions that call XeCryptSha which we will likely need to break. However I see some problems that may arise with some, because they also call NtCreateFile and so forth. So maybe it's putting checks on other things, but I'll figure it out.

Here are the offsets for what we will need to change. I'm not sure exactly which ones will be needed.

What you do is go to the offset, find the float value that is located there and remove the decimal. This is the easiest way to break functions.

0x831190DC - calls NTCreateFile

0x8311B644 - alone, maybe just a check

0x8311C83C - alone

0x8311D6E4 - called lower in the function

0x8311EA1C - as well, called lower in the function

0x8311F81C - same as two above

Personally I feel that the 2nd and 3rd offsets would be likely to be plain checks in the xex, for when maps are loading. So those are my best guess to break the encryption.

As well peaches, I believe I have both of your MSNs added, so I could probably try to help you a little on there with IDA.


I think aaron needs to have a look at this. Do the second and third functions look possibly related to each other?

BTW peaches, welcome to Xbox Chaos!


Don't bother, now that I have the compressor I can check if we even need to null those functions for the .maps to load.


With these images of the debug menu popping up, it's gotta be one of these things labeled debug in the xex.

[attached screenshot of the debug menu]


@Peaches, I'm sure that's a simple flag in the xex. I'm by no means great with IDA, but I'll start disassembling the xex and see if I can achieve anything. I saw the "Matchmaking" option, and now I want to see what's inside it.


Here's anything labeled debug. I'm one by one changing 'em and booting. Gotta go to class though. Haven't even tested one yet :(

0x820082AC = debugMode

0x820086C4 = isDebugMode

0x82027C80 = something about debug menus

0x82033570 = presence of debug?

Edited by iBotPeaches


Well, I found the functions that set/get debug variables. So the sub they are in should be the one called by the menu.

0x82023B90 = "SetDbgVar(dbgVarName: string, dbgVarValue: string)"

0x82023BC4 = "GetDbgVar(dbgVarName: string): *"

Edit: Found something that sounds a bit more promising..

0x822FF638

[attached screenshot]


Well, I went into IDA and looked a bit at the offsets that peaches put down. Those are just strings, but the full functions for the debug menu can be found. I'll link their offsets and then I'll find a compare that enables them for us.


Well, I went into IDA and looked a bit at the offsets that peaches put down. Those are just strings, but the full functions for the debug menu can be found. I'll link their offsets and then I'll find a compare that enables them for us.

lol. I'm still learning. I made about 10 different XEXs changing random things. About to go test 'em.

EDIT: Tell me if I'm interpreting this right.

[attached screenshot of the disassembly]

The loc up top is just a way to access this block of code. Much like I can use goto 1; and place 1: somewhere in my code?

mfspr - Moves that to some special register?

stw/std/stwu - Stores word/dword/store word w/ update

mr - I think is the same as OR

bl - I think is like branching into 2 ?

addi - addition?

lwz - load word and zero? (dunno what that means)

mtspr - Move to special registry

ld - load double word

blr - branching again (Maybe unconditionally)

Edited by iBotPeaches


I think I found the location where godmode is enabled/disabled. But due to lack of ppc/assembly knowledge, I have no idea how to enable it. (I tried setting the address at "beq" to both 0x40 and 0x41.)

[attached screenshot]


yeeee my first ever progress.

[attached screenshot]

It just says On and Off over and over again. I honestly don't remember what I changed, but I'll run a diff on a normal xex and figure it out.

Edited by iBotPeaches


peaches, why are you modding xex's all the time? Depending what you're doing you can poke the xex to see the results faster. I simply use my advanced poker in Ascension. As well it lets you save tags so you can share them with others.


I'm in class :/

When I'm back I'll figure out how to use that poker. I'm tired of moving a hard drive back 'n' forth.

That offset didn't work tho, it only flipped it on and off every second, so I at least enabled the mode, just not correctly. Either way, when I get back I'll get the offset.


0x822FF970 is the IDA offset of what I changed to 1.

Now a question. When I look for offsets in my decompressed, unencrypted XEX, they're always like 0x3FE4 away from the actual data location. When using this poker do I use the location from IDA?

EDIT: cannot get the xex poker to load.

************** Exception Text **************
System.IO.FileNotFoundException: Could not load file or assembly 'Newtonsoft.Json, Version=3.5.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed' or one of its dependencies. The system cannot find the file specified.
File name: 'Newtonsoft.Json, Version=3.5.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed'

Neighborhood sees my console fine, if that could be a problem.

I somehow lost that DLL. I redownloaded it. All good.

EDIT3: This thing is sexy. I click poke. Boom, enabled. Then fatal crash :(

EDIT4: I'm on msn.

Edited by iBotPeaches


mfspr - Moves that to some special register?

stw/std/stwu - Stores word/dword/store word w/ update

mr - I think is the same as OR

bl - I think is like branching into 2 ?

addi - addition?

lwz - load word and zero? (dunno what that means)

mtspr - Move to special registry

ld - load double word

blr - branching again (Maybe unconditionally)

Close.

mfspr = Move From Special Purpose Register, copies a value from one of the special purpose registers.

stw/std = Store different sized values (w = 4-byte word, d = 8-byte dword).

stwu = Store word with update. This is a bit complicated to explain. stwu takes the form stwu reg1, off(reg2) where reg1 contains the value to be stored, reg2 contains a memory address, and off is the offset from that memory address to store to. It will first store the value in reg1 to the offset reg2 + off, and then store that offset back into reg2. So what that line is effectively doing is saving the stack pointer and allocating 0x60 bytes on the stack by setting sp to sp - 0x60 (the stack grows downward in memory, so that's why the 0x60 is negative).

mr = Move register, copies a value from one register into another.

bl = Branch and store next address into Link Register. AKA function call.

addi = Add immediate constant, adds a constant value to a register (in this case, adds 0x60 to sp to restore the space allocated earlier with stwu).

lwz = Load word and zero, loads a 4-byte value into a register and sets the upper 32 bits of the register to 0 (registers are 64-bit, so this ensures that they're set properly when loading something smaller).

mtspr = Move To Special Purpose Register, copies a value into a special purpose register (opposite of mfspr).

ld = Load double word, loads a 64-bit value from memory.

blr = Branch to Link Register, jumps to the location stored in the Link Register. AKA return from function.

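To make AMD's explanation of stwu, lwz, bl and blr concrete, here is a tiny interpreter for just those instructions run over a constructed prologue/epilogue of the shape seen in the screenshot. This is an added example, not code from the thread or from any tool named in it; the register numbers, addresses and the instruction sequence are all made up for illustration and nothing is taken from the game's xex.

```python
# Added example (not from the thread): a tiny interpreter for the PowerPC
# instructions AMD explains above, run over a constructed prologue/epilogue.
# Register numbers, addresses and the instruction sequence are made up here.

MASK64 = (1 << 64) - 1


class PPC:
    # Minimal 64-bit PowerPC model: 32 GPRs (r1 = stack pointer), LR, PC,
    # and sparse big-endian memory like the 360's.
    def __init__(self, sp=0x70000100, pc=0x82000000):
        self.r = [0] * 32
        self.r[1] = sp
        self.lr = 0                # Link Register, a special-purpose register
        self.pc = pc
        self.mem = {}              # address -> byte

    def store(self, addr, value, size):
        for i in range(size):
            self.mem[addr + i] = (value >> (8 * (size - 1 - i))) & 0xFF

    def load(self, addr, size):
        v = 0
        for i in range(size):
            v = (v << 8) | self.mem.get(addr + i, 0)
        return v

    def ea(self, off, ra):         # effective address of off(rA)
        return (self.r[ra] + off) & MASK64

    def step(self, insn):
        op, args = insn[0], insn[1:]
        nxt = self.pc + 4
        if op in ("stw", "std", "stwu"):   # store 4 (w) or 8 (d) bytes of rS at off(rA)
            rs, off, ra = args
            addr, size = self.ea(off, ra), (8 if op == "std" else 4)
            self.store(addr, self.r[rs] & ((1 << 8 * size) - 1), size)
            if op == "stwu":               # the "update": rA takes the new address
                self.r[ra] = addr
        elif op in ("lwz", "ld"):          # lwz fills only the low 32 bits, rest zero
            rt, off, ra = args
            self.r[rt] = self.load(self.ea(off, ra), 8 if op == "ld" else 4)
        elif op == "addi":                 # rT = rA + imm (rA == 0 means literal 0)
            rt, ra, imm = args
            self.r[rt] = ((self.r[ra] if ra else 0) + imm) & MASK64
        elif op == "mflr":                 # mfspr rT, LR
            self.r[args[0]] = self.lr
        elif op == "mtlr":                 # mtspr LR, rS
            self.lr = self.r[args[0]]
        elif op == "bl":                   # call: LR = return address, then jump
            self.lr, nxt = nxt, args[0]
        elif op == "blr":                  # return: jump to LR
            nxt = self.lr
        else:
            raise ValueError(f"unsupported instruction {op}")
        self.pc = nxt


def run_frame_demo():
    # Call a constructed function that pushes a 0x60-byte frame, saves and
    # restores LR, and round-trips values through the frame with stw/lwz, std/ld.
    CALLER, CALLEE = 0x82000000, 0x82000100
    program = {
        CALLER:        ("bl", CALLEE),
        CALLEE + 0x00: ("mflr", 12),           # mfspr r12, LR
        CALLEE + 0x04: ("stw", 12, 8, 1),      # save return address in caller's frame
        CALLEE + 0x08: ("stwu", 1, -0x60, 1),  # sp -= 0x60; old sp stored at new sp
        CALLEE + 0x0C: ("addi", 3, 0, 0x1234),
        CALLEE + 0x10: ("stw", 3, 0x10, 1),
        CALLEE + 0x14: ("addi", 4, 0, -1),     # r4 = 0xFFFFFFFFFFFFFFFF
        CALLEE + 0x18: ("std", 4, 0x18, 1),
        CALLEE + 0x1C: ("lwz", 4, 0x10, 1),    # r4 = 0x1234, high half cleared
        CALLEE + 0x20: ("ld", 5, 0x18, 1),     # r5 = all ones again
        CALLEE + 0x24: ("addi", 1, 1, 0x60),   # pop the frame
        CALLEE + 0x28: ("lwz", 12, 8, 1),      # reload saved return address
        CALLEE + 0x2C: ("mtlr", 12),           # mtspr LR, r12
        CALLEE + 0x30: ("blr",),
    }
    cpu = PPC()
    sp_before = sp_inside = cpu.r[1]
    while cpu.pc != CALLER + 4:                # blr should bring us back here
        cpu.step(program[cpu.pc])
        sp_inside = min(sp_inside, cpu.r[1])
    return {
        "sp_before": sp_before,
        "sp_inside": sp_inside,
        "frame_size": sp_before - sp_inside,
        "saved_sp": cpu.load(sp_inside, 4),    # the word stwu wrote at the new sp
        "sp_after": cpu.r[1],
        "lwz_r4": cpu.r[4],
        "ld_r5": cpu.r[5],
        "returned_to": cpu.pc,
    }
```

Calling `run_frame_demo()` shows the points AMD makes: after `stwu r1, -0x60(r1)` the stack pointer is 0x60 lower and the old stack pointer sits at the new top of stack, `addi r1, r1, 0x60` puts it back, `lwz` leaves the upper 32 bits of r4 zero even though r4 held all ones beforehand, and `blr` lands on the instruction after the `bl` because `mflr`/`mtlr` preserved LR across the call.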

Thanks AMD. I think understanding more of ppc will help me instead of blindly changing vars.

Another question. I change a byte from 00 to 01. I save that XEX and boot it. No changes.

I change that same byte over real-time and it freezes.

soooo what's the difference? Can some things not be changed live?

Edited by iBotPeaches


Wow AMD, thanks for that. Really will help me because I never knew what those names stood for (apart from addi/beq/bne).

Thanks AMD. I think understanding more of ppc will help me instead of blindly changing vars.

Another question. I change a byte from 00 to 01. I save that XEX and boot it. No changes.

I change that same byte over real-time and it freezes.

soooo what's the difference? Can some things not be changed live?

Memory always is temperamental (my guess is that the value you poked was in use or something like that, although Dead will know a lot more about the reason than me).


Thanks! Now this bunch of numbers starts to make sense. I still have to learn a lot.
