xboxscene.org forums

Author Topic: Xna Exploitation Research  (Read 132 times)

grimdoomer

  • Archived User
  • Jr. Member
  • Posts: 54
Xna Exploitation Research
« on: April 06, 2009, 09:02:00 PM »

I've been working on some stuff in Xna, and I've found some interesting stuff that has to do with making calls to the kernel.

Intro
First off, there is a class called KernelMethods, and in it you can make kernel calls. But you can only make some restricted calls for things like Guide interfacing and some network stuff. It could still be used to write small scripts to do some neat things once figured out. Basically it adds all the data that is needed for the call to a script in a PacketBuffer object; it then uses a DLL import in a library called Net to send the packet to the Xbox itself and execute it.

My Work
After extracting the Xna Framework from my HDD and decompiling it, I was able to dissect it. While doing that I found some classes that make DLL imports to the Xam, Xact, D3D, Storage, and Net libraries. I've been able to take advantage of this and make some calls to interface with the Guide. I've also been able to edit some values of my GamerProfile object in memory, and the changes stay too. I've written some classes that can make the restricted kernel calls and get a blank PacketBuffer object from the GamerServicesDispatcher class. The only problem is, we cannot make our own PacketBuffer and send it out. The class which does that is internal, and the DLL import gives me a null reference exception when I localize it to my project. Although this is not unsigned code or booting Linux, it's a start, or maybe an end....

How to Use
To use any of the classes I have provided, add the following line to your game's constructor:
CODE
// Registers the Gamer Services component so the GamerServicesDispatcher is set up
this.Components.Add(new GamerServicesComponent(this));


To use the Kernel class, simply create a new Kernel object after the initialization code and call ExecuteKernelCall. That goes for the rest too: just create an instance of the class after the initialization code and use the methods in it. The PacketBuffer object is a binary script that tells the kernel what to execute, along with any data that is needed. The first int is always 0, the second int is the Calling Type Index, and the rest can vary depending on the call you are making, but the next byte is usually the player index.
CODE

int Zero;            // always 0
int KernelCallType;  // index into the KernelCallType list below
byte PlayerIndex;    // usually follows the call type; remaining data varies per call


Below is a list of the restricted calls you can make, although some do not work due to missing data in the PacketBuffer:
CODE
BeginCheckStrings = 15,
DrawGuide = 3,
EndCheckStrings = 0x10,
FriendCollection_Dispose = 0x12,
FriendCollection_GetFriends = 0x11,
Gamer_AwardAchievement = 11,
Gamer_AwardPicture = 12,
Gamer_BeginGetAchievements = 13,
Gamer_BeginGetProfile = 9,
Gamer_EndGetAchievements = 14,
Gamer_EndGetProfile = 10,
Gamer_IsFriend = 8,
GamerServices_SetTitleName = 5,
GamerServices_Update = 6,
Guide_BeginShowKeyboardInput = 0x15,
Guide_BeginShowMessageBox = 0x13,
Guide_BeginShowStorageDeviceSelector = 0x17,
Guide_DelayNotifications = 0x23,
Guide_EnableScreenSaver = 0x22,
Guide_EndShowKeyboardInput = 0x16,
Guide_EndShowMessageBox = 20,
Guide_EndShowStorageDeviceSelector = 0x18,
Guide_SetNotificationPosition = 0x21,
Guide_ShowAchievements = 0x24,
Guide_ShowComposeMessage = 0x20,
Guide_ShowFriendRequest = 0x1d,
Guide_ShowFriends = 0x1b,
Guide_ShowGameInvite = 0x25,
Guide_ShowGamerCard = 0x1f,
Guide_ShowMarketplace = 0x26,
Guide_ShowMessages = 0x1a,
Guide_ShowPlayerReview = 30,
Guide_ShowPlayers = 0x1c,
Guide_ShowSignIn = 0x19,
KernelAsyncDispatcher_CleanUpAsyncOperation = 7,
Leaderboard_BeginPage = 0x39,
Leaderboard_BeginReadByRank = 0x37,
Leaderboard_BeginReadGamerList = 0x35,
Leaderboard_BeginReadPivotGamer = 0x36,
Leaderboard_Dispose = 0x34,
Leaderboard_EndPage = 0x3a,
Leaderboard_EndRead = 0x38,
NetworkSession_AddLocalGamer = 0x2d,
NetworkSession_BeginCreate = 0x27,
NetworkSession_BeginJoinInvited = 0x29,
NetworkSession_Destroy = 0x2c,
NetworkSession_EndCreate = 40,
NetworkSession_EndJoinInvited = 0x2a,
NetworkSession_Update = 0x2b,
RunUnitTest = 1,
SessionFinder_BeginFindSessions = 0x2e,
SessionFinder_BeginJoin = 0x30,
SessionFinder_Destroy = 50,
SessionFinder_EndFindSessions = 0x2f,
SessionFinder_EndJoin = 0x31,
SessionFinder_GetQualityOfService = 0x33,
TellKernelToCallManagedUnitTestFunction = 2,
WindowsMessage = 4


Download
All the classes and methods are documented, so anyone should be able to figure them out easily. If anyone can figure out how to send a custom packet buffer, or how to get the DLL import to work, please let me know.

ianbborg

  • Archived User
  • Newbie
  • Posts: 12
Xna Exploitation Research
« Reply #1 on: April 14, 2009, 08:53:00 AM »

OK, can you explain to me how this all works with some answers to these questions, pls?

So... where exactly did you find this class? In the kernel? Which was stored where on the HDD?
Is all the extracted kernel in the rar file you supplied?
Are these properties? BeginCheckStrings = 15, etc.

If I understand correctly you are trying to find the method that sends to the drive if there is a Game DVD in there right?

If someone were to succeed in finding it, what then? We could play Xbox 360 games from the hard disk, but the DVD drive's firmware would have to be hacked to send a 'hacked' return to the kernel, right?

What Exactly is XNA?

Is GamerServicesComponent a class you created?

Sorry for this... but I am kinda new at this kernel stuff and would really like to learn. I really would like to help you out with this when I have the chance (have to finish school assignments first, hehe).

BannedX360

  • Archived User
  • Newbie
  • Posts: 2
Xna Exploitation Research
« Reply #2 on: April 15, 2009, 11:17:00 PM »

Looks interesting!

Could any of this memory dump info be used to unlock/sign a trial arcade game offline?
I downloaded the Peggle, Feeding Frenzy 2 and Heavy Weapon trials from XBL.

When I put my PopCap Arcade Volume 2 disc in, the trials suddenly become full games.
What's on the disc to tell my X360 to unlock/play?
Aegis Wing shows as full in the game browser off/online; it was only released in America and includes achievements.

Do you have an XNA subscription? Can you hack XNA to make/transfer games?

Meethatguy

  • Archived User
  • Full Member
  • Posts: 118
Xna Exploitation Research
« Reply #3 on: April 16, 2009, 10:02:00 PM »

Awesome finds, man. Any way of contacting the Kernel is always a plus.

Sad that the only 2 people that acknowledged this before were reading it for piracy reasons.
I'm wanting an XBMC 360 and would love to see the homebrew games that could be made for the 360 along with XNA.

Thanks for taking the time to find all this, and I hope that others not interested in piracy start some new finds.

stuntpenguin007

  • Archived User
  • Jr. Member
  • Posts: 60
Xna Exploitation Research
« Reply #4 on: May 09, 2009, 12:34:00 AM »

More so to spice up your game, I assume... add achievements and such?

I just got the 12 month trial for XNA and I'm going through a tutorial for making 2D games. I'll try this out sometime when I know more what I'm doing.

stuntpenguin007

  • Archived User
  • Jr. Member
  • Posts: 60
Xna Exploitation Research
« Reply #5 on: May 09, 2009, 09:50:00 PM »

I tried debugging the project you uploaded and it works. It automatically asks me to sign in, and I'm already signed in.

But what changes to your profile were you talking about? I've gathered that I need to change the code a little to do it, but what exactly were you able to change and how?

xxteknolustxx

  • Archived User
  • Newbie
  • Posts: 1
Xna Exploitation Research
« Reply #6 on: May 13, 2009, 09:20:00 PM »

Also, are you sure all the constants in KernelCallType are correct?

I see kernel.ExecuteKernelCall(KernelCallType.Guide_ShowMessages, PlayerIndex.One);

Guide_ShowMessages = 0x1a,

This represents its constant memory location, correct? Or am I wrong?

Sorry if I sound stupid, still learning C#.

For the DLL importer, we could just write a custom import processor to handle what types of DLL we want it to handle, ya kno?

grimdoomer

  • Archived User
  • Jr. Member
  • Posts: 54
Xna Exploitation Research
« Reply #7 on: May 22, 2009, 09:16:00 AM »

QUOTE(xxteknolustxx @ May 13 2009, 06:41 PM)

1) He decompiled it using tight leet hacker shit.
2) I don't think he's looking for a method for the game DVD, but more or less controlling how packets are sent to and from.
3) XNA is a free framework to develop 360 games.
4) GamerServicesComponent is a class in the XNA framework.

By the way grim, what exactly are you trying to accomplish with these kernel calls?

GamerServicesHacker hacker = new GamerServicesHacker();
PacketBuffer packet = hacker.GetPacketBuffer();
packet.DumpToString();
try
{
    kernel.ExecuteKernelCall(KernelCallType.Guide_ShowMessages, PlayerIndex.One);
}
catch (Exception e)
{
}

Is this where the exceptions are thrown?



First off, the kernel is stored in flash. Second, all I did was use Reflector to decompile the framework. That's not where the exception is being thrown, because that is my own code........

Yes, I'm sure the constants are right; I pulled them out of the framework. No, they are not memory addresses, they are simply an index....

Why would we need a DLL importer?

Seeing as people are only interested in this for piracy, and now that I've finished all my tests and ventured as far as I could into memory and the Xbox, I'm closing this project.

fatvince

  • Archived User
  • Full Member
  • Posts: 105
Xna Exploitation Research
« Reply #8 on: June 23, 2009, 08:32:00 AM »

QUOTE(grimdoomer @ May 22 2009, 04:16 PM)

First off, the kernel is stored in flash. Second, all I did was use Reflector to decompile the framework. That's not where the exception is being thrown, because that is my own code........

Yes, I'm sure the constants are right; I pulled them out of the framework. No, they are not memory addresses, they are simply an index....

Why would we need a DLL importer?

Seeing as people are only interested in this for piracy, and now that I've finished all my tests and ventured as far as I could into memory and the Xbox, I'm closing this project.


Thanks for your contribution; hopefully someone will be able to use it and continue. BTW, 'piracy' is sometimes the only door to homebrew. If you can hack official releases, games and DLC, the doors are already wide open.

.ISO

  • Archived User
  • Newbie
  • Posts: 43
Xna Exploitation Research
« Reply #9 on: June 23, 2009, 08:02:00 PM »

@grimdoomer

Hey, I remember this thread on XBH :D

I thought we settled that this is not possible, due to the hypervisor being a large roadblock.