xboxscene.org forums

Pages: 1 2 3 [4] 5 6 ... 15

Author Topic: Xbox Live Alert!  (Read 785 times)

chilin_dude

  • Archived User
  • Hero Member
  • *
  • Posts: 3068
Xbox Live Alert!
« Reply #45 on: October 21, 2004, 07:14:00 AM »

QUOTE (Kthulu @ Oct 20 2004, 10:57 PM)
actually, scanning 'xboxdash.xbe' and the font files seems a lot simpler

Yes but it's already been proven it's not just font people that are being banned, so they can't be doing that :)
Logged

lordz

  • Archived User
  • Newbie
  • *
  • Posts: 1
Xbox Live Alert!
« Reply #46 on: October 21, 2004, 08:14:00 AM »

cool.gif.  But I just find this strange.
Logged

bikr

  • Archived User
  • Newbie
  • *
  • Posts: 26
Xbox Live Alert!
« Reply #47 on: October 21, 2004, 08:23:00 AM »

QUOTE (lordz @ Oct 21 2004, 04:17 PM)
The theory of them banning IPs from halo 2 downloading, doesn't quite work because I wasn't downloading it "at the time."

ROFFFFFLLLEEE LOLZZZZ  Sorry, I found that amusing, anyone packet catching live connections now?
Logged

PedrosPad

  • Archived User
  • Hero Member
  • *
  • Posts: 1277
Xbox Live Alert!
« Reply #48 on: October 21, 2004, 08:59:00 AM »

QUOTE (bikr @ Oct 21 2004, 04:26 PM)
anyone packet catching live connections now?

Encountered the XBL logon packet with "[email protected]" packet yet?  The XBOX's serial number is used to log it on, using MS's Passport security engine, IIRC.

To enforce a ban, this is the simplest place to do it (and kind'a what the security/passport engine is for).
Logged

xb0xb0y

  • Archived User
  • Full Member
  • *
  • Posts: 126
Xbox Live Alert!
« Reply #49 on: October 21, 2004, 09:35:00 AM »

i think it is entirely plausible that M$ scans for files/directories in the root of both C and E, and if anything is there that shouldn't be, then you're banned from XBL.  think about it, every modded xbox has extra software, be it applications, game backups, boot straps, bios on a softmodded xbox, or at the very least on a chipped xbox ... an alternative dash residing on C or D.

There's only a limited amount of original M$ files and directories that reside on C for a STOCK hard drive.  And on E, there should be only TDATA and UDATA directories (if memory serves me correct).  And how many modded xboxes are in violation of that?  I would say almost 100% of them, if not all.  A simple scan like that would be easy as pie to do and quick.  And it's not like M$ can't find info on all the directories/files used in several softmod and dashboards that they could target so they would know what to look for.

Combine that with gamertag flagging for ppl that have already been banned previously.  And maybe even add in the measures of harddrive hardware (serial number/model number) scan.  This could explain the ppl who try to get them unbanned by changing config/hardware, and being banned again after a day or less back on XBL.


I think if and when I decide to go on XBL when Halo 2 comes out, it's with my stock xbox hard drive with STOCK directories/files.
Logged

BloodGulch v2.0

  • Archived User
  • Newbie
  • *
  • Posts: 35
Xbox Live Alert!
« Reply #50 on: October 21, 2004, 09:51:00 AM »

if it's because of downloading halo2, won't all the people caught be getting anally owned by M$ anytime now? a nice fat $100k fine landing at ur door step
Logged

PedrosPad

  • Archived User
  • Hero Member
  • *
  • Posts: 1277
Xbox Live Alert!
« Reply #51 on: October 21, 2004, 09:59:00 AM »

QUOTE (xb0xb0y @ Oct 21 2004, 05:38 PM)
And it's not like M$ can't find info on all the directories/files used in several softmod and dashboards that they could target so they would know what to look for.

There's two ways to perform the scan:
  • Compare against a list of files that should be there, and look for exceptions
  • or, target and check for specific files that shouldn't be there (evoxdash.xbe, etc.)
The problem is, even if M$ compiled a list of every valid file, from every game (and I've no doubt they already have access to this information from their certification/signing control system) - since many games allow the user to enter their own name, etc. - there is no way M$ can verify the contents of these files.

Targeting specific files, like evoxdash.xbe, is too weak - The programs can very simply be moved and hidden under Game Save folders, and recompiled to change their length, checksum, etc.

The file that can't be moved is c:\xboxdash.xbe, of course :(
Logged

total_ass

  • Archived User
  • Hero Member
  • *
  • Posts: 1201
Xbox Live Alert!
« Reply #52 on: October 21, 2004, 10:04:00 AM »

so isn't this what the EEE on/off switch is for?
Logged

BloodGulch v2.0

  • Archived User
  • Newbie
  • *
  • Posts: 35
Xbox Live Alert!
« Reply #53 on: October 21, 2004, 10:07:00 AM »

why not just rename it to something else, instead of evoxdash.xbe name it to fuckyoums.xbe
Logged

xb0xb0y

  • Archived User
  • Full Member
  • *
  • Posts: 126
Xbox Live Alert!
« Reply #54 on: October 21, 2004, 10:37:00 AM »

QUOTE (PedrosPad @ Oct 21 2004, 12:02 PM)
There's two ways to perform the scan:
  • Compare against a list of files that should be there, and look for exceptions
  • or, target and check for specific files that shouldn't be there (evoxdash.xbe, etc.)
The problem is, even if M$ compiled a list of every valid file, from every game (and I've no doubt they already have access to this information from their certification/signing control system) - since many games allow the user to enter their own name, etc. - there is no way M$ can verify the contents of these files.

Targeting specific files, like evoxdash.xbe, is too weak - The programs can very simply be moved and hidden under Game Save folders, and recompiled to change their length, checksum, etc.

The file that can't be moved is c:\xboxdash.xbe, of course :(

i would say it's a combination of both.

going by memory, haven't modified much on the xbox lately.  for C ... there are only supposed to be dashboard files, and xbl files and any associated directories with files as well, depending on of course the version of the dashboard and xbl.  a quick and dirty way of checking is the NUMBER of files and directories that SHOULD be there, assuming the OS has the capabilities of doing that type of listing, which it should.

pre-live dash would have X number of dash files in root of C and then post-live dashes put these support files in a directory, or vice versa ...

so root of C should have X amount of files if pre-live dash, and Y amount of files in root if post-live dash.  Also should have W number of directories for pre-live and Z number of directories for post-live.

if they even went further and elaborated on this, they could cross reference the file names and directory names.

why they could implement this easily?  cuz the xbox is supposed to be a closed system and from the factory, there's only supposed to be a limited amount of files on C drive.  And I don't think M$ allowed one single game out there to do anything to the contrary.  Dashboard and XBL updates that affect the C drive would be done strictly to the file structure M$ has laid out.


all this could be easily embedded in the XBL sign in, so no info about your files is sent to M$ ... all M$ needs is to know if you should be banned or not.  and for ppl using XBL, this new version of XBL with this check would be updated on your xbox, like a trojan horse!  hmm ... i wanna play this game on XBL, so M$ forces you to update your XBL, that includes this check and ... BAM you're caught!

this search could also be applied to E for the root directory, ie if you have files or directories on E that you shouldn't.  but if you were to hide all your files in the UDATA/TDATA directories, you'd be safer since there's so much more stuff to check for in there that I don't think it'd be feasible for M$ to check.  but i could be very well wrong.

and why would this work ... like i asked before, who doesn't have extra files/directories on C and in the root of E???
Logged
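The scan strategies discussed in replies #51 and #54 (list of expected files, list of specific unwanted names, and the root entry count), as an added example that is not part of any post. The file names, contents and the hash manifest are constructed for illustration; nothing here describes what Xbox Live actually checks.

```python
import hashlib

def digest(data):
    return hashlib.sha256(data).hexdigest()

# Constructed sample data (not a real console file listing): path -> contents.
STOCK = {"C/xboxdash.xbe": b"stock dash", "C/xodash/default.xip": b"stock res"}
MANIFEST = {path: digest(data) for path, data in STOCK.items()}
DENYLIST = {"evoxdash.xbe"}              # specific names that shouldn't be there
MUTABLE = ("E/TDATA/", "E/UDATA/")       # user-writable save areas

def denylist_scan(fs):
    """Look for specific known-unwanted file names anywhere in the tree."""
    return sorted(p for p in fs if p.rsplit("/", 1)[-1].lower() in DENYLIST)

def allowlist_scan(fs):
    """Compare against what should be there and report exceptions.
    Returns (findings, unverifiable); save areas cannot be checked by hash."""
    findings, unverifiable = [], []
    for path in sorted(fs):
        if path.startswith(MUTABLE):
            unverifiable.append(path)
        elif path not in MANIFEST:
            findings.append((path, "unexpected"))
        elif digest(fs[path]) != MANIFEST[path]:
            findings.append((path, "modified"))
    findings += [(p, "missing") for p in sorted(MANIFEST) if p not in fs]
    return findings, unverifiable

def count_check(fs, drive="C/"):
    """Quick check: does the number of root entries on a drive match stock?"""
    def roots(tree):
        return {p[len(drive):].split("/")[0] for p in tree if p.startswith(drive)}
    return len(roots(fs)) == len(roots(STOCK))

# Constructed test images: an extra file under a new name, the dashboard
# replaced in place, and extra content placed inside a save area.
RENAMED = {**STOCK, "C/other.xbe": b"alt dash"}
SWAPPED = {**STOCK, "C/xboxdash.xbe": b"alt dash"}
IN_SAVES = {**STOCK, "E/UDATA/0000/extra.bin": b"alt dash"}

if __name__ == "__main__":
    for name, fs in [("renamed", RENAMED), ("swapped", SWAPPED), ("in saves", IN_SAVES)]:
        print(name, denylist_scan(fs), allowlist_scan(fs), count_check(fs))
```

The count check passes the in-place replacement that the hash comparison flags, and the save areas come back as unverifiable rather than clean, which is the limitation raised in reply #51.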

PedrosPad

  • Archived User
  • Hero Member
  • *
  • Posts: 1277
Xbox Live Alert!
« Reply #55 on: October 21, 2004, 12:16:00 PM »

QUOTE (PedrosPad @ Oct 21 2004, 05:02 PM)
Encountered the XBL logon packet with "[email protected]" packet yet?  The XBOX's serial number is used to log it on, using MS's Passport security engine, IIRC.

To enforce a ban, this is the simplest place to do it (and kind'a what the security/passport engine is for).


This is the packet I was referring to (see red ink), packet 9, the Kerberos challenge, login packet.

QUOTE

No.     Time        Source                Destination           Protocol Info
      9 23.027468   ???.???.?.?           ???.??.???.?          KRB5     AS-REQ

Frame 9 (455 bytes on wire, 455 bytes captured)
    Arrival Time: Jul 19, 2004 23:25:28.041981000
    Time delta from previous packet: 3.045735000 seconds
    Time since reference or first frame: 23.027468000 seconds
    Frame Number: 9
    Packet Length: 455 bytes
    Capture Length: 455 bytes
Ethernet II, Src: ??:??:??:??:??:??, Dst: ??:??:??:??:??:??
    Destination: ??:??:??:??:??:?? (192.168.0.1)
    Source: ??:??:??:??:??:?? (???.???.?.?)
    Type: IP (0x0800)
Internet Protocol, Src Addr: ???.???.?.? (???.???.?.?), Dst Addr: ???.??.???.? (???.??.???.?)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 441
    Identification: 0xaa60 (43616)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (0x11)
    Header checksum: 0x47f4 (correct)
    Source: ???.???.?.? (???.???.?.?)
    Destination: ???.??.???.? (???.??.???.?)
User Datagram Protocol, Src Port: 1257 (1257), Dst Port: kerberos (88)
    Source port: 1257 (1257)
    Destination port: kerberos (88)
    Length: 421
    Checksum: 0x15a3 (correct)
Kerberos
    Pvno: 5
    MSG Type: AS-REQ (10)
    padata: Unknown:204 Unknown:206 PA-ENC-TIMESTAMP Unknown:131
        Type: Unknown (204)
            Value: 3AAF6F48DF6DC4017757319B2490EE17...
        Type: Unknown (206)
            Value: AFC2CE67F9294FD106F8F329BB2F4913...
        Type: PA-ENC-TIMESTAMP (2)
            Value: 303DA003020117A23604348AA1D730E1... rc4-hmac
                Encryption type: rc4-hmac (23)
                enc PA_ENC_TIMESTAMP: 8AA1D730E1A47F4E5F61A328C7DF4366...
        Type: Unknown (131)
            Value: 300FA0030101FFA108300602010D0201...
    KDC_REQ_BODY
        Padding: 0
        KDCOptions: 00010000 (Canonicalize)
            .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT use forwardable tickets
            ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
            ...0 .... .... .... .... .... .... .... = Proxyable: Do NOT use proxiable tickets
            .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
            .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
            .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
            .... .... 0... .... .... .... .... .... = Renewable: This ticket is NOT renewable
            .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
            .... .... .... ...1 .... .... .... .... = Canonicalize: This is a request for a CANONICALIZED ticket
            .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
            .... .... .... .... .... .... ...0 .... = Renewable OK: We do NOT accept renewed tickets
            .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
            .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
            .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
        Client Name  (Enterprise Name): SN.????????????@xbox.com
            Name-type: Enterprise Name (10)
            Name: SN.????????????@xbox.com
        Realm: PASSPORT.NET
        Server Name  (Service and Instance): krbtgt XBOX.COM
            Name-type: Service and Instance (2)
            Name: krbtgt
            Name: XBOX.COM
        till: 2037-09-13 02:48:05 (Z)
        Nonce: 1712355469
        Encryption Types: rc4-hmac
            Encryption type: rc4-hmac (23)

0000  ?? ?? ?? ?? ?? ?? ?? ??  ?? ?? ?? ?? ?? ?? ?? ??   .......P [email protected].
0010  ?? ?? ?? ?? ?? ?? ?? ??  ?? ?? ?? ?? ?? ?? ?? ??   ...`..@. G.......
0020  ?? ?? ?? ?? ?? ?? ?? ??  ?? ?? ?? ?? ?? ?? ?? ??   .....X.. ..j...0.
0030  ?? ?? ?? ?? ?? ?? ?? ??  ?? ?? ?? ?? ?? ?? ?? ??   ........ ........
0040  ?? ?? ?? ?? ?? ?? ?? ??  ?? ?? ?? ?? ?? ?? ?? ??   0..0:... ....2.0:
0050  ?? ?? ?? ?? ?? ?? ?? ??  ?? ?? ?? ?? ?? ?? ?? ??   .oH.m..w W1.$....
0060  ?? ?? ?? ?? ?? ?? ?? ??  ?? ?? ?? ?? ?? ?? ?? ??   ;..p...; ...;z...
0070  ?? ?? ?? ?? ?? ?? ?? ??  ?? ?? ?? ?? ?? ?? ?? ??   .f....u9 <......0
0080  ?? ?? ?? ?? ?? ?? ?? ??  ?? ?? ?? ?? ?? ?? ?? ??   X....... P.N...g.
0090  ?? ?? ?? ?? ?? ?? ?? ??  ?? ?? ?? ?? ?? ?? ?? ??   )O....). /I.72..X
00a0  62 6f 78 20 56 65 72 73  69 6f 6e 3d 31 2e 30 30   box Vers ion=1.00
00b0  2e 34 39 32 38 2e 34 20  54 69 74 6c 65 3d 30 78   .4928.4  Title=0x
00c0  35 35 35 33 30 30 30 43  20 54 69 74 6c 65 56 65   5553000C  TitleVe
00d0  72 73 69 6f 6e 3d 31 30  00 30 48 a1 03 02 01 02   rsion=10 .0H.....
00e0  a2 41 04 3f 30 3d a0 03  02 01 17 a2 36 04 34 8a   .A.?0=.. ....6.4.
00f0  a1 d7 30 e1 a4 7f 4e 5f  61 a3 28 c7 df 43 66 f1   ..0...N_ a.(..Cf.
0100  74 b6 1a 66 e6 e8 af 35  5d 6b d6 c6 b3 50 c7 46   t..f...5 ]k...P.F
0110  00 ca 10 9d b3 43 c0 8b  54 f6 81 4d 43 ff 6b d4   .....C.. T..MC.k.
0120  14 80 51 30 1b a1 04 02  02 00 83 a2 13 04 11 30   ..Q0.... .......0
0130  0f a0 03 01 01 ff a1 08  30 06 02 01 0d 02 01 0e   ........ 0.......
0140  a4 81 84 30 81 81 a0 07  03 05 00 00 01 00 00 a1   ...0.... ........
0150  25 30 23 a0 03 02 01 0a  a1 1c 30 1a 1b 18 53 4e   %0#..... ..0...SN
0160  2e ?? ?? ?? ?? ?? ?? ??  ?? ?? ?? ?? ?? 40 78 62   .??????? ?????@xb
0170  6f 78 2e 63 6f 6d a2 0e  1b 0c 50 41 53 53 50 4f   ox.com.. ..PASSPO
0180  52 54 2e 4e 45 54 a3 1d  30 1b a0 03 02 01 02 a1   RT.NET.. 0.......
0190  14 30 12 1b 06 6b 72 62  74 67 74 1b 08 58 42 4f   .0...krb tgt..XBO
01a0  58 2e 43 4f 4d a5 11 18  0f ?? ?? ?? ?? ?? ?? ??   X.COM... .???????
01b0  ?? ?? ?? ?? ?? ?? ?? 5a  a7 06 02 04 66 10 78 8d   ???????Z ....f.x.
01c0  a8 05 30 03 02 01 17 


Also, this capture was from an SC1PAL game, and the titleID, in blue ink, reveals this.  Presumably the HALO2 game would have too.  (Your XBOX Serial number, and the HALO2 titleID in the same network packet - convenient for M$.)

PS. Just to dispel a myth, the serial number in the captured packet matches the serial number on the sticker under my XBOX, and I replaced my HDD long ago - so it's not calculated, based on the HDD serial number, etc. - The HDD locking key is, the serial number isn't!
Logged
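The req-body at the end of the hex dump in reply #55 (offsets 0x0140 to 0x01c6) can be decoded with a small DER walker, which shows that the client name, realm and service name travel unencrypted in the AS-REQ. This is an added example, not part of the original post; the 12 redacted serial bytes are replaced by a constructed placeholder, and the redacted `till` bytes are filled in from the decoded "till" line of the same capture.

```python
SERIAL = b"000000000000"   # constructed placeholder for the 12 redacted bytes
TILL = b"20370913024805"   # redacted in the hex; taken from the decoded "till" line
# Dump offsets 0x0140-0x01c6: the [4] req-body (KDC-REQ-BODY) of the AS-REQ.
BODY = (bytes.fromhex("a4818430 8181a007 03050000 010000a1 253023a0 0302010a"
                      "a11c301a 1b18534e 2e") + SERIAL + bytes.fromhex(
        "4078626f 782e636f 6da20e1b 0c504153 53504f52 542e4e45 54a31d30 1ba00302"
        "0102a114 30121b06 6b726274 67741b08 58424f58 2e434f4d a511180f")
        + TILL + bytes.fromhex("5a a7060204 6610788d a8053003 020117"))

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed value into its (tag, value) elements."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def strings(value):
    """Collect GeneralString (0x1b) leaves anywhere under a constructed value."""
    out = []
    for tag, val in children(value):
        if tag == 0x1B:
            out.append(val.decode("ascii"))
        elif tag & 0x20:                 # constructed bit set: descend
            out.extend(strings(val))
    return out

def parse_req_body(buf):
    tag, outer, _ = read_tlv(buf, 0)
    if tag != 0xA4:
        raise ValueError("not a [4] req-body")
    fields = {t & 0x1F: v for t, v in children(children(outer)[0][1])}
    inner = lambda n: children(fields[n])[0][1]   # unwrap the explicit [n] tag
    return {"cname": strings(fields[1]), "realm": strings(fields[2])[0],
            "sname": strings(fields[3]), "till": inner(5).decode("ascii"),
            "nonce": int.from_bytes(inner(7), "big"),
            "etypes": [int.from_bytes(v, "big") for _, v in children(inner(8))]}

if __name__ == "__main__":
    print(parse_req_body(BODY))
```

The decoded nonce and encryption type agree with the dissector output in the capture (1712355469 and rc4-hmac, 23).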

Kthulu

  • Archived User
  • Hero Member
  • *
  • Posts: 787
Xbox Live Alert!
« Reply #56 on: October 21, 2004, 12:43:00 PM »

QUOTE (chilin_dude @ Oct 21 2004, 09:17 AM)
Yes but it's already been proven it's not just font people that are being banned, so they can't be doing that :)

i don't think anything has been proven

..at least not when we originally posted these comments.
Logged

total_ass

  • Archived User
  • Hero Member
  • *
  • Posts: 1201
Xbox Live Alert!
« Reply #57 on: October 21, 2004, 12:59:00 PM »

that link is old.......... i bet eeprom flashing wasn't even known back then.
Logged

xb0xb0y

  • Archived User
  • Full Member
  • *
  • Posts: 126
Xbox Live Alert!
« Reply #58 on: October 21, 2004, 01:29:00 PM »

QUOTE (PedrosPad @ Oct 21 2004, 02:19 PM)

(Your XBOX Serial number, and the HALO2 titleID in the same network packet - convenient for M$.)

PS. Just to dispel a myth, the serial number in the captured packet matches the serial number on the sticker under my XBOX, and I replaced my HDD long ago - so it's not calculated, based on the HDD serial number, etc. - The HDD locking key is, the serial number isn't!

isn't that like a "no no" ... something along the lines of when Intel put unique IDs on their CPUs???
Logged

southbark

  • Archived User
  • Jr. Member
  • *
  • Posts: 89
Xbox Live Alert!
« Reply #59 on: October 21, 2004, 01:36:00 PM »

The facts are simple: no one really knows how they get the info (except modchip on of course) they are using to ban people. Any posts about it are just endless speculation.

My advice is for anyone who has not been banned to wait until after Nov 9 to go on XBL. We all know why they're banning: because only people with modded xboxes can use the info that was downloaded and played. So technically M$ can say anyone with a modded xbox has downloaded the game and used it, cause as far as they are concerned there is no reason for you to mod an xbox.
Logged