private byte[] GetXMACsLogonKey(KVInfo KVI) { RSACryptoServiceProvider Provider = LoadXMACs(); byte[] TimeTick = new byte[0x10]; new Random(Environment.TickCount).NextBytes(TimeTick); byte[] EncryptedTick = Provider.Encrypt(TimeTick, true); Array.Reverse(EncryptedTick); byte[] DestBuffer = Keys.XMACS_REQ; Array.Copy(EncryptedTick, 0, DestBuffer, 0x2C, 0x100); byte[] InputBuffer = FileEx.ReadBytes(KVI.Location, 0xB0, 12); byte[] Source = FileEx.ReadBytes(KVI.Location, 0x9C8, 0x1A8); byte[] Exponent = FileEx.ReadBytes(KVI.Location, 0x29C, 4); byte[] KeyParams = FileEx.ReadBytes(KVI.Location, 0x2A8, 0x1C0); byte[] ConsoleID = FileEx.ReadBytes(KVI.Location, 0x9CA, 5); byte[] ClientName = ComputeClientName(ConsoleID); byte[] UTCTime = BitConverter.GetBytes(DateTime.UtcNow.ToFileTime()); Array.Reverse(UTCTime); KVI.Serial = Conversion.BytesToHexString(ConsoleID); byte[] TimeStamp = Conversion.HexStringToBytes("301aa011180f32303132313231323139303533305aa10502030b3543"); Array.Copy(Encoding.ASCII.GetBytes(DateTime.Now.ToUniversalTime().ToString("yyyyMMddHHmmssZ")), 0, TimeStamp, 6, 15); byte[] EncryptedHMAC = RC4HMACEncrypt(TimeTick, 0x10, TimeStamp, TimeStamp.Length, 1); byte[] TickChecksum = SHA1.Create().ComputeHash(TimeTick); SHA1CryptoServiceProvider SHAProvider = new SHA1CryptoServiceProvider(); SHAProvider.TransformBlock(TimeTick, 0, 8, null, 0); SHAProvider.TransformBlock(InputBuffer, 0, 12, null, 0); SHAProvider.TransformFinalBlock(TickChecksum, 0, 20); byte[] HeaderChecksum = SHAProvider.Hash; RSACryptoServiceProvider Key = LoadConsolePrivateKey(Exponent, KeyParams); RSAPKCS1SignatureFormatter Formatter = new RSAPKCS1SignatureFormatter(Key); Formatter.SetHashAlgorithm("SHA1"); byte[] Signature = Formatter.CreateSignature(HeaderChecksum); Array.Reverse(Signature); // Build the final packet Array.Copy(TimeTick, 0, DestBuffer, 300, 8); Array.Copy(InputBuffer, 0, DestBuffer, 0x134, 12); Array.Copy(Signature, 0, DestBuffer, 320, 0x80); Array.Copy(Source, 0, DestBuffer, 0x1C0, 0x1A8); Array.Copy(EncryptedHMAC, 0, DestBuffer, 0x3E0, 0x34); Array.Copy(ClientName, 0, DestBuffer, 0x430, 15); // Connect and send packet UdpClient XEAS = new UdpClient(); XEAS.Connect("XEAS.XBOXLIVE.COM", 0x58); XEAS.Send(DestBuffer, DestBuffer.Length); IPEndPoint RemoteEP = new IPEndPoint(0L, 0); int Wait = 0; while (true) { try { Thread.Sleep(10); if (XEAS.Available > 0) { byte[] RecBuffer = XEAS.Receive(ref RemoteEP); byte[] Buffer = new byte[0x6C]; Array.Copy(RecBuffer, 0x35, Buffer, 0, 0x6C); byte[] DecryptNoonce = RC4HMACDecrypt(ComputeKdcNoonce(TimeTick, 0x10), 0x10, RecBuffer, 0x6C, 0x4B3); byte[] SecondaryBuffer = new byte[0x10]; Array.Copy(DecryptNoonce, 0x4C, SecondaryBuffer, 0, 0x10); return(SecondaryBuffer); } Thread.Sleep(500); if (Wait++ == 10) { return(null); } } catch { } } }
public void CheckKV(KVInfo KVI) { byte[] XMACsLogonKey = null; for (int i = 0; i < 2; i++) { XMACsLogonKey = GetXMACsLogonKey(KVI); KVI.LastLog = "Getting XMACsLogonKey... Try " + i.ToString() + "/2"; if (XMACsLogonKey != null) { break; } if (i >= 2 && XMACsLogonKey == null) { KVI.LastLog = "Failed to get XMACs... Skipping."; return; } } byte[] ConsoleID = FileEx.ReadBytes(KVI.Location, 0x9CA, 5); byte[] SourceArray = SHA1.Create().ComputeHash(FileEx.ReadBytes(KVI.Location, 0x9C8, 0xA8)); byte[] Destination = Keys.APReq1; byte[] ClientName = ComputeClientName(ConsoleID); KVI.LastLog = "Creating Kerberos AS-REQ..."; Array.Copy(ClientName, 0, Destination, 0x102, 0x18); Array.Copy(SourceArray, 0, Destination, 0x24, 20); byte[] TimeStamp = GenerateTimeStamp(); Array.Copy(RC4HMACEncrypt(XMACsLogonKey, 0x10, ClientName, ClientName.Length, 1), 0, Destination, 0xB0, 0x34); UdpClient Client = new UdpClient(); Client.Connect("XEAS.gtm.XBOXLIVE.COM", 0x58); Client.Send(Destination, Destination.Length); KVI.LastLog = "Sending Kerberos AS-REQ..."; IPEndPoint RemoteEP = new IPEndPoint(0L, 0); byte[] ResponseBuff = null; try { for (int i = 0; i < 2; i++) { Thread.Sleep(10); if (Client.Available > 0) { ResponseBuff = Client.Receive(ref RemoteEP); break; } else { if (i >= 2) { KVI.LastLog = "Couldn't get response from M$! S******g myself..."; return; } else { Client.Send(Destination, Destination.Length); } } } } catch { KVI.LastLog = "We hit an exception. What log? Oh dis one. Skipping..."; return; } Client.Close(); KVI.LastLog = "Creating Pre-Auth Kerberos AS-REQ..."; Destination = Keys.APReq2; byte[] TempBuffer = new byte[0x10]; Array.Copy(ResponseBuff, ResponseBuff.Length - 0x10, TempBuffer, 0, 0x10); Array.Copy(TempBuffer, 0, Destination, 0x44, 0x10); Array.Copy(ClientName, 0, Destination, 0x11E, 0x18); Array.Copy(SourceArray, 0, Destination, 0x24, 20); TimeStamp = GenerateTimeStamp(); Array.Copy(RC4HMACEncrypt(XMACsLogonKey, 0x10, TimeStamp, TimeStamp.Length, 1), 0, Destination, 0xCC, 0x34); Client = new UdpClient(); Client.Connect("XEAS.XBOXLIVE.COM", 0x58); Client.Send(Destination, Destination.Length); KVI.LastLog = "Sending Kerberos Pre-Auth..."; try { for (int i = 0; i < 2; i++) { Thread.Sleep(10); if (Client.Available > 0) { ResponseBuff = Client.Receive(ref RemoteEP); break; } else { if (i >= 2) { KVI.LastLog = "Couldn't get response from M$! S******g myself..."; return; } else { Client.Send(Destination, Destination.Length); } } } } catch { KVI.LastLog = "We hit an exception. What log? Oh dis one. Skipping..."; return; } Client.Close(); KVI.LastLog = "Creating Kerberos TGS-REQ..."; TempBuffer = new byte[210]; Array.Copy(ResponseBuff, ResponseBuff.Length - 210, TempBuffer, 0, 210); byte[] DecryptedRep = RC4HMACDecrypt(XMACsLogonKey, 0x10, TempBuffer, 210, 8); TempBuffer = new byte[0x10]; Array.Copy(DecryptedRep, 0x1B, TempBuffer, 0, 0x10); KVI.LastLog = "Setting TGS ticket..."; byte[] ACutOfResp = new byte[0x159]; Array.Copy(ResponseBuff, 0xA8, ACutOfResp, 0, 0x159); byte[] PreAuthDest = Destination; Destination = Keys.TGSReq; Array.Copy(ACutOfResp, 0, Destination, 0x1B5, 0x159); byte[] Authenticator = Keys.Authenticator; Array.Copy(ResponseBuff, 0, Authenticator, 40, 15); Array.Copy(Encoding.ASCII.GetBytes(DateTime.Now.ToUniversalTime().ToString("yyyyMMddHHmmssZ")), 0, Authenticator, 0x6D, 15); Array.Copy(MD5.Create().ComputeHash(Destination, 0x3BA, 0x4B), 0, Authenticator, 0x37, 150); Array.Copy(RC4HMACEncrypt(TempBuffer, 0x10, Authenticator, Authenticator.Length, 7), 0, Destination, 0x31F, 0x99); byte[] Noonce = ComputeKdcNoonce(TempBuffer, 0x10); Array.Copy(RC4HMACEncrypt(Noonce, 0x10, Keys.ServiceReq, Keys.ServiceReq.Length, 0x4B1), 0, Destination, 0x37, 150); byte[] TitleAuthData = new byte[0x42]; Array.Copy(PreAuthDest, 0x74, TitleAuthData, 0, 0x42); Array.Copy(GetTitleAuthData(TempBuffer, 0x10, TitleAuthData), 0, Destination, 0xDD, 0x52); Client = new UdpClient(); Client.Connect("XETGS.XBOXLIVE.COM", 0x58); Client.Send(Destination, Destination.Length); KVI.LastLog = "Sending TGS-REQ"; try { for (int i = 0; i < 2; i++) { Thread.Sleep(10); if (Client.Available > 0) { ResponseBuff = Client.Receive(ref RemoteEP); break; } else { if (i >= 2) { KVI.LastLog = "Couldn't get response from M$! S******g myself..."; return; } else { Client.Send(Destination, Destination.Length); } } } } catch { KVI.LastLog = "We hit an exception. What log? Oh dis one. Skipping..."; return; } KVI.LastLog = "Decrypting logon status..."; byte[] EncryptedLogonStatus = new byte[0x54]; Array.Copy(ResponseBuff, 50, EncryptedLogonStatus, 0, 0x54); byte[] DecryptedLogonStatus = RC4HMACDecrypt(TempBuffer, 0x10, EncryptedLogonStatus, 0x54, 0x4B2); uint ZStatus = BitConverter.ToUInt32(DecryptedLogonStatus, 8); KVI.LastLog = "ZStatus: " + ZStatus.ToString("X2"); switch (ZStatus) { case 0x8015190D: // Banned KVI.Banned = true; KVI.ZStatus = "Banned"; return; case 0x80150000: KVI.ZStatus = "Error"; break; case 0x80151907: // Unknown KVI.ZStatus = "Unknown Error"; break; case 0x80151904: // NODNS KVI.ZStatus = "No DNS"; break; case 0x80151007: // Update Required KVI.ZStatus = "Update Required"; break; default: KVI.ZStatus = "Unknown ZStatus: " + ZStatus.ToString("X2"); break; } KVI.Banned = false; }