Print

[Angerwound]

QUOTE (crackh34d @ Nov 11 2004, 09:44 AM)

this conversation has gotten more interesting, starting with angerwounds recent post about using backups on live - neat hack, that was.  i'm sure there are more ways, too, since there always are. anyway, right now i'm curious about EEE. whats EEE?

The only reason I posted this information was because the hole was already patched. If it was still open, I would never have detailed the exploit.

[eh.]

QUOTE (Angerwound @ Nov 10 2004, 11:13 AM - "XBL exploit")

Well, turns out if you place a backup of the game in the dvd-rom and then place this XBE as 'xboxdash.xbe' the xbe will be launched due to the correct signatures and then the files willl be accessed from the DVD-Rom. In conclusion, what do you have? A backup running on live.  I wouldn't advise anyone to attempt this because it will result in a ban and will not connect to the service any longer because of what is being checked. You can verify this was working at one time via the link in the first post of this thread.

That would have been a HDD media type XBE initiating the connection to XBL then (which is entirely different to the XBL connection's origin for almost everyone else) eh...

From what you're aware of, does it seem to be primarily those using this method that have had their account/s terminated (which has been rarely reported, compared to the more general box bans) eh?

[Angerwound]

Well, anyone that owns a Live-Enabled game and the game has an updated engine sent out then these users will be connecting via the HDD Flagged XBE. Therefore, they cannot prevent this by checking the Media Type of the XBE otherwise all those games with updated engines will not be allowed to login to the service. This is what leads me to believe the check on xboxdash.xbe. There are other *possibilities* of checks that could be done to prevent this such as Launch Partition, File Name etc.

I'm unsure on how the XBE is actually launched from the gamesave DIR however. Anyhow, it could just check for a default.xbe within the gamesave DIR on boot of the game, if it exists - launch it.

I know this because if you attempt to go live with the outdated XBE it will ask for the update. If you connect with the HDD-Flagged (Updated XBE) - it will not ask for this - even if the gamesave doesn't exist. I assume it detects the difference between the two based upon Version Numbers.

On to your other question. Yes, this is why users had their accounts terminated rather than banned. Anyone who was seen using this Flaw was flagged and terminated. They were flagging people for almost 2 months prior to the actual termination.

*EDIT* Someone might try placing another HDD Flagged *VALID* XBE within the gamesave DIR of a Live game that already has the updated engine downloaded. Rename whichever XBE you have chosen (settings_adoc.xip would be an excellent choice due to it's valid signature and lack of support files) and place it as the default.xbe within this DIR. Boot the retail copy of the game and see if it attempts to launch the default.xbe you have placed there. If it doesn't I need to look into exactly how these updated engines are being launched.

*EDIT2* If they are actually executing the XBE's in this manner, what would prevent one from placing a UXE Bootstrap here and launching your custom dashboard with a live game of your choice?   A setup valid even under the new security measures...

[eh.]

QUOTE (Angerwound @ Nov 11 2004, 12:03 PM - launch mechanism)

I'm unsure on how the XBE is actually launched from the gamesave DIR however. Anyhow, it could just check for a default.xbe within the gamesave DIR on boot of the game, if it exists - launch it.

I suspect it compares the certificate version of the default.xbe in the $u directory with that of the initiator (in memory, superceding if necessary) and the XBL connection thereafter peeks at the version in memory to see if an update's needed.

Also in memory, at least the non-secure state indicator would be different for HDD booted XBE's (compared to what XBL knows should be the case booted via DVD's) which I suspect would be easy for the connection applet to validate eh...
____
Edit: corrected re "booted".

[eh.]

QUOTE (Angerwound @ Nov 11 2004, 12:03 PM)

*EDIT* Someone might try placing another HDD Flagged *VALID* XBE within the gamesave DIR of a Live game that already has the updated engine downloaded. Rename whichever XBE you have chosen (settings_adoc.xip would be an excellent choice due to it's valid signature and lack of support files) and place it as the default.xbe within this DIR. Boot the retail copy of the game and see if it attempts to launch the default.xbe you have placed there. If it doesn't I need to look into exactly how these updated engines are being launched. *EDIT2* If they are actually executing the XBE's in this manner, what would prevent one from placing a UXE Bootstrap here and launching your custom dashboard with a live game of your choice?  A setup valid even under the new security measures...

I've tried these kinds of things on more than one occasion before, without success.  They no doubt validate things like the $u default.xbe's title id too, alas eh.

[Angerwound]

Ah, well that kills that idea. But it still would be of great interest to see exactly how these XBE's are being executed.  In other words, what is needed for it to okay it to be launched.

[eh.]

QUOTE (Angerwound @ Nov 11 2004, 01:01 PM)

Ah, well that kills that idea. But it still would be of great interest to see exactly how these XBE's are being executed.  In other words, what is needed for it to okay it to be launched.

It doesn't kill the idea entirely though; someone with real skillz might be able to make something of it.  For example, it potentially just validates via the associated contentmeta.xbx (such as a checksum) eh.

____
Edit: Hmm, by "real skillz" I just meant compared to my stare at it, think, try things, stare at it more, ponder, try other things (interative approach) ... so I should have said "any skillz" eh!

[mkjones]

Ahh the old boot disk dream

Will it ever come true, who knows  

[DaddyJ]

I think the answer is closer then we think.

[MasterChief B]

QUOTE (EthanHunt_IMF @ Oct 19 2004, 08:48 PM)

Thanks for the heads up... Fortunately I use a virgin box for live, so MS can go to hell.

MS's counter measure arguably worked if you had to buy two boxes.

[awal]

QUOTE (alarre1 @ Nov 10 2004, 11:21 PM)

I got banned today also trying to play Halo 2 with my mod chip off. Think it would work if I try out my friends xbox at my house using my xbox live name?

i was banned, then i bought a "new" virgin xbox for $50  and i transfered the xbl account to a memory card. And i have been playing on Live for 3 days. I have just been leaving the memory card in when i want to use live, but i am almost positive it will work off the hdd, but i am not going to do that yet. ( if it isnt broke dont fix it )

[The_Truth]

as for the "boot disk".. eh and I were discussing it in a post... and the idea came about... that a dvd+r disk's book type can be changed from dvd+r to DVD-ROM
if it can be changed.. if we could find the specific "settings" for XBOX-DVD... anyone feel free to smack me down.. but neither eh nor I knew where to go with it...

[EthanHunt_IMF]

QUOTE (MasterChief B @ Nov 12 2004, 02:10 PM)

MS's counter measure arguably worked if you had to buy two boxes.

I got it way before this current live banning thing started.  It would have cost me more out of pocket to get a mod chip then the 2nd box.  I didn't "have" to buy another box, but now I'm sure glad I did.

[Angerwound]

[shishtawoo]

ok i got banned and my c drive was completly clean i know this for a fact but my e dive had a saved game hack i was messing with and a couple daves from dvd2xbox