Luigi Auriemma (ARCHIVE-ONLY FORUM!)
It is currently 19 Jul 2012 11:57

All times are UTC [ DST ]

Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 1 post ] 
Author Message
 Post subject: Xlive Security
PostPosted: 03 Sep 2008 23:25 

Joined: 15 Jul 2008 01:38
Posts: 12
Microsoft has finally gotten smart on us. The Halo 2 Vista executable ("halo2.exe") and the XLive module ("xlive.dll") are digitally signed with SHA-1 (Secure Hash Algorithm 1) with a relative ".cat" file (Advanced Disk Catalog Database). Changing any of the binary memory of these files is nearly impossible. SHA-1 is not encrypted, so there is no way to decrypt it. I'm not in this field of computers anyway. There is a public key and a private key. The private key is only known by the signer which was used to create the hash and Digital Signature. The public key is used along with the Digital Signature and a independently computed hash to verify the integrity of the file. The public key is at the user end. So basically, this is what is protecting the executable.

Attaching a debugger to Halo 2 Vista will only lead to possible slamming of the keyboard in to the wall after the game crashes several times. There are several possibilities of detecting a debugger, but the specific methods used by Halo 2 Vista are unknown at this time. It is possible to still attach a debugger and set breakpoints to get what you need, but you will only have around 5-10 seconds to do so until it finally crashes. I prefer to use Tsearch's debugger, since it has a quick attach and break point system going. However, your end results will pretty much be useless. Attempting to modify game instructions during run time will also cause the game to blow up in your face. The crash is random, but will usually happen within 30 seconds of the change.

There is however a way to get around this if you need to execute an instruction. You can write a code cave outside of the executable memory page or create a DLL with a DetourFunction or something similar. For example, there is an instruction that refill's your ammo in the current gun you're holding. You can detour that function to your custom created function that gives you a ton of ammo, call it, then write the original bytes back. Doing this only takes a split second, so it will not be detected. There is always a risk of crashing though.

There was an old trick where you could change the ("xlive.cfg") file, but this is not the case for Halo 2 Vista. Any modifications to xlive files will not let you start the game.

Xbox Security Concept
Xbox Security Concept

by Franz Lehner , 8 December 2002

In Basic, the XBE consists of 2 major parts.

1. The Header

2. The Sections

The Sections containing the "program", and the header holds the security information like signature, pointers ...

As the Xbox loads sections "on demand" only, the "normal" signing process has been enhanced.

First, when loading the XBE, the Xbox does the following:


When the Xbox loads an XBE file, it first checks whether the header is "valid".
This is done by comparing the calculated SHA-1 hash against the decrypted RSA signature.
The RSA signature is "padded" in the format 01FFFFFFFFFFFFFF.......FF00(HASH 20bytes)

When the hash (20 bytes) matches, the Xbox starts loading the sections.

When loading the section, the section first one is loaded into memory. The values (size, position) is coming out of the header, where each section is described exactly.

Then, the section is hashed again and compared to the hash value in the header again.

Additional info:

The SHA-1 hash is modified in a little way. Exactly, it does this

SHA1_Update(&sha_ctx, (unsigned char *)&len, 4);
SHA1_Update(&sha_ctx, data, len);
SHA1_Final(result, &sha_ctx);

This means, the first 4 bytes are the lenght of the section. This task is indeed senseless, as the lenght of the complete SHA-1 block is appended to the last block in the sha-1 already. Maybe this was part of a confusion thing.

I have researched to only find that Halo 2 Vista calls these API functions. I have yet to play with them, but plan to do so in the future. These functions are part of the SSL Library which can be found here:

I believe this is part of the scanning routine they are doing during runtime, but I am not absolutely sure. There are several other API's that get called during runtime, several hundred times a minute: InterlockedExchange, InterlockedCompareExchange, and InterlockedIncrement. For more information, visit MSDN.

Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 1 post ] 

All times are UTC [ DST ]

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for: