xboxscene.org forums

Pages: 1 [2] 3 4

Author Topic: Sha1 Hash Cracking Algorithm  (Read 165 times)

RiceCake

  • Archived User
  • Hero Member
  • *
  • Posts: 788
Sha1 Hash Cracking Algorithm
« Reply #15 on: September 22, 2004, 08:40:00 PM »

Basically, find a piece of information that generates the same SHA1 key as an Xbox XBE.

To do this it's not just "crack the hash and we can add our code real easy"; instead you'll need to take a long time carefully adding your code bit by bit so it still generates the same hash.
Logged

John Hoek

  • Archived User
  • Jr. Member
  • *
  • Posts: 84
Sha1 Hash Cracking Algorithm
« Reply #16 on: September 23, 2004, 01:58:00 PM »

) from the developer itself for the program and subroutine programs inside this .xbe.
This userkey (and/or alternative userkeys) is enclosed in this header, and so yes, these custom hashes are MS signed too.
We can't change those, because then the MS signing is no longer valid, and the kernel just refuses to execute this file.


Back to the DATA inside an .xbe.
This data is put AFTER the MS signed header info.
If you look at the data, it's just built up from the main program, signed with the main user SHA1 hash key, and also much with extra programs, like DX8D3 routines, save/load etc. Those are also signed with SHA1 hashes (the alternative ones).

A SHA1 hash is calculated over a certain number of data bytes as a block. If you change the length of a data block, the hash changes as well..... AND the MS signing is not valid anymore either, because the total .xbe file length is not the same anymore.

But if you manage to keep a block exactly the same byte length, it must be possible to generate a so-called HASH collision. This means that the hash of the original data block is the same as that of the altered data block, including our program in the start part.
Because there are always extra bytes available to get a block to a certain length, theoretically it should be possible to change those such that the HASH is the same again as the original (MS signed into the header!)


////
With the methods described for MD5 (which looks like the SHA1 hashing protocol) it must be possible to generate such a hash collision, say in a maximum of 2^40 to 2^50 possible combinations to try.
This MUST be possible with common hardware. (MS hashing is 2^1024 possibilities, to give an idea!!!!). And within a few weeks, months max.


So yeh, i think it must be possible this way.


I'm starting to write a bootloader now. I'd like to get help here, because it is going to be my first Xbox program...
Also I'm reading a lot about cryptology methods etc. just to learn and think about how things exactly work.


Exploits are still very fine for the meantime, but those could always be circumvented by MS with a new kernel, new dash etc.
The above hack is very, very difficult for MS to get a workaround for...

I hope that in the meantime new exploitable .xbe were found. The programs on DVDs are interesting here.

Logged

BluhDeBluh

  • Archived User
  • Full Member
  • *
  • Posts: 135
Sha1 Hash Cracking Algorithm
« Reply #17 on: September 23, 2004, 02:53:00 PM »

I might not be correct here, but with my cynical hat on...

A 40 hex long SHA-1. That's 16^40, right?

So that's... 1461501637330902918203684832716283019655932542976 different potential combinations until you'd find a collision. Now, let's say calculating SHA1 takes one second. So... to my maths, it'd take 46343912903694283301740386628497051612631 years. Still talking billions and billions of years even at stupidly fast speeds.

But this doesn't make it impossible. This just means that it's currently impractical to bruteforce it.

I found this/this, which might interest you.

The thing is, the people who find SHA-1 collisions use funky maths and they have the advantage that they can use ANY text or ANY key to find the solution. They can use the fact that some keys are weaker than others (and thus will occur more frequently) to their advantage. We can't.
Logged
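Worked example, added here by the editor and not code from any poster or from the Xbox toolchain: it puts John Hoek's size-preserving patch idea (overwrite the front of a hash-covered block, keep the length, search over the spare bytes) next to BluhDeBluh's brute-force arithmetic. Everything about the block layout is a hypothetical stand-in (a 64-byte constructed block, a made-up payload string, a 4-byte "slack" region at the end; the real XBE format is not modelled), and SHA-1 is truncated to a handful of bits so the searches finish in seconds. The scaling is the point: matching one digest that is already fixed in a signed header is a second-preimage search, roughly 2**n hash evaluations for an n-bit hash, whereas the 2004-era collision attacks the thread alludes to let the attacker choose both inputs, which is the cheaper birthday case of roughly 2**(n/2).

```python
"""Size-preserving patch of a hash-covered data block, plus two brute-force
searches against a truncated SHA-1.

Constructed example: the block layout (payload at the front, free "slack"
bytes at the end) is a hypothetical stand-in for the XBE data the forum posts
describe, not the real format. SHA-1 is truncated to nbits so the loops
finish quickly; set nbits higher to watch the cost climb.
"""
import hashlib
import math

SHA1_BITS = 160


def truncated_sha1(data: bytes, nbits: int) -> int:
    """Top nbits of SHA-1(data) as an integer (nbits=160 is the full digest)."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (SHA1_BITS - nbits)


def patch_keeping_length(block: bytes, payload: bytes, slack_len: int) -> bytes:
    """Overwrite the front of the block with payload and reserve the last
    slack_len bytes as free padding to search over. The result has exactly
    len(block) bytes, so a file-length check still passes; only the hash
    (and therefore the signature over it) is disturbed."""
    if len(payload) + slack_len > len(block):
        raise ValueError("payload and slack region do not fit in the block")
    middle = block[len(payload):len(block) - slack_len]
    return payload + middle + bytes(slack_len)


def second_preimage(target: int, fixed: bytes, slack_len: int,
                    nbits: int, max_tries: int):
    """Vary only the slack bytes until truncated SHA-1 equals the FIXED target
    (the digest that is already in the signed header). Returns (candidate,
    tries) or (None, max_tries). Expected tries: about 2**nbits."""
    for counter in range(max_tries):
        candidate = fixed + counter.to_bytes(slack_len, "little")
        if truncated_sha1(candidate, nbits) == target:
            return candidate, counter + 1
    return None, max_tries


def birthday_collision(fixed: bytes, slack_len: int, nbits: int, max_tries: int):
    """Vary the slack bytes until ANY two candidates share a truncated SHA-1,
    i.e. the attacker controls both messages. Returns (a, b, tries) or
    (None, None, max_tries). Expected tries: about 2**(nbits/2). With
    max_tries > 2**nbits a collision is guaranteed by the pigeonhole principle."""
    seen = {}
    for counter in range(max_tries):
        candidate = fixed + counter.to_bytes(slack_len, "little")
        h = truncated_sha1(candidate, nbits)
        if h in seen:
            return seen[h], candidate, counter + 1
        seen[h] = candidate
    return None, None, max_tries


def years_at_rate(tries: float, hashes_per_second: float) -> float:
    """Wall-clock years needed for a given number of hash evaluations."""
    return tries / hashes_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    original = bytes(range(64))                 # constructed stand-in for signed data
    patched = patch_keeping_length(original, b"launch e:\\default.xbe\x00", 4)
    assert len(patched) == len(original)

    nbits = 20
    target = truncated_sha1(original, nbits)    # the "signed" digest we must hit
    fixed = patched[:-4]                        # everything except the slack bytes
    cand, t1 = second_preimage(target, fixed, 4, nbits, 1 << 24)
    a, b, t2 = birthday_collision(fixed, 4, nbits, (1 << nbits) + 1)
    print(f"{nbits}-bit second preimage: {t1} tries (expect ~{1 << nbits})")
    print(f"{nbits}-bit birthday collision: {t2} tries "
          f"(expect ~{int(math.sqrt(math.pi / 2 * (1 << nbits)))})")
    print(f"160-bit second preimage at 1 hash/s: "
          f"{years_at_rate(2.0 ** 160, 1):.3e} years")
    print(f"160-bit birthday search at 1e9 hash/s: "
          f"{years_at_rate(2.0 ** 80, 1e9):.3e} years")
```

Run it as a script and compare the two "tries" lines: at 20 bits the fixed-target search needs on the order of a million SHA-1 evaluations while the two-free-inputs search needs about a thousand, and the ratio only widens as nbits grows toward 160. The last two lines reproduce the order of magnitude in BluhDeBluh's estimate for the full digest.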

RiceCake

  • Archived User
  • Hero Member
  • *
  • Posts: 788
Sha1 Hash Cracking Algorithm
« Reply #18 on: September 23, 2004, 03:59:00 PM »

Err, the SHA1 key is 128 bits...so have fun.
Or maybe 160 bits I can't remember quite.

But either way thats what I meant John Hoek, the data after the XBE header.

So, still, have some fun with that.

This DVD cracking is also pretty interesting, but would suffer from ROJ. If holes are found in the DVD stack... I found out how to play burned DVDs on my Xbox and it might have some security holes that can be exploited (maybe a crazy multiboot with a subtitles hack...?).
Logged

John Hoek

  • Archived User
  • Jr. Member
  • *
  • Posts: 84
Sha1 Hash Cracking Algorithm
« Reply #19 on: September 24, 2004, 01:03:00 AM »

QUOTE (RiceCake @ Sep 24 2004, 12:02 AM)
Err, the SHA1 key is 128 bits...so have fun.
Logged

John Hoek

  • Archived User
  • Jr. Member
  • *
  • Posts: 84
Sha1 Hash Cracking Algorithm
« Reply #20 on: September 24, 2004, 01:04:00 AM »

QUOTE (John Hoek @ Sep 24 2004, 09:06 AM)
Quote
Logged

PedrosPad

  • Archived User
  • Hero Member
  • *
  • Posts: 1277
Sha1 Hash Cracking Algorithm
« Reply #21 on: September 24, 2004, 01:05:00 PM »

QUOTE (John Hoek @ Sep 24 2004, 09:06 AM)
That's what i mean.
With brute force you'll have a maximum of 2^128 possible combinations to test. Very huge.

But with the newfound techniques only 2^40 to 2^50 combinations at maximum!
This is much quicker to do with common hardware....

John, I've found you some help:
The World's Largest Xbox Cluster - and they're looking for an app to run

Oh, how ironic it would be if they computed the SHA1 hack using XBOXs - lol
Logged

mckenn88

  • Recovered User
  • Full Member
  • *
  • Posts: 148
Sha1 Hash Cracking Algorithm
« Reply #22 on: September 28, 2004, 05:57:00 PM »

Logged

fghjj

  • Archived User
  • Sr. Member
  • *
  • Posts: 288
Sha1 Hash Cracking Algorithm
« Reply #23 on: September 28, 2004, 06:33:00 PM »

QUOTE
Anyone know where I can go to try to understand the stuff in this post? Kinda somewhere where they put it into layman's terms.

There are dozens of papers on cryptology/security on the interweb, Google is your friend.

QUOTE
How is this going?

IF progress is made on this subject (an optimized algorithm for finding SHA-1 collisions) it will likely be on every major IT-related newsfeed. Check out http://www.freedom-to-tinker.com/ daily if you want to be on top of the news chain.
Logged

Kthulu

  • Archived User
  • Hero Member
  • *
  • Posts: 787
Sha1 Hash Cracking Algorithm
« Reply #24 on: September 28, 2004, 08:31:00 PM »

CODE
Please do not throw sausage pizza away

now let's say SHA1 hash for that sequence of characters is:
CODE
ej01h9r27gh56


The chances that we will find another sequence of characters with the same SHA1 hash are slim, but like John says it's not impossible. However, the sequence of characters we started with was not JUST a sequence of characters. It was a sentence that communicated instructions. The chances of finding another sequence of characters with the same SHA1 hash that ALSO communicates meaningful instructions is... well, close enough to impossible for me.

A brute force approach to such a problem would be like waiting for monkeys to randomly type out Shakespeare's works in revised, modern English diction with the same hash value as the original works!!!
Logged

Kthulu

  • Archived User
  • Hero Member
  • *
  • Posts: 787
Sha1 Hash Cracking Algorithm
« Reply #25 on: September 28, 2004, 08:42:00 PM »

CODE
Please eat sausage pizza02edfr4%6gh&*lsj4

If the SHA1 hash of that string matched the SHA1 hash of the original string AND our purpose was to make the Xbox eat sausage pizza, it would work!

Still not going to hold my breath either. If someone succeeds in this before they come out with Xbox 2000, I'd say that God himself is throwing pies in the face of Bill Gates, as that would be so freakin' lucky that it would be eerie.

EDIT: I take that back. It shouldn't be too impossible to make an xbe that simply does 'launch e:\default.xbe' and then just pad the rest of the file with a sequence of characters that makes the resulting SHA1 hash = the original SHA1 hash, but what about e:\default.xbe? It is going to need to be signed as well, is it not? How will we get a signed xbe that patches or replaces the kernel so that all xbes that are run afterwards don't have to be 'cooked up' like this? The odds are too slim to merit the effort, methinks.
Logged

triggernum5

  • Archived User
  • Hero Member
  • *
  • Posts: 896
Sha1 Hash Cracking Algorithm
« Reply #26 on: September 28, 2004, 11:14:00 PM »

Logged

John Hoek

  • Archived User
  • Jr. Member
  • *
  • Posts: 84
Sha1 Hash Cracking Algorithm
« Reply #27 on: September 29, 2004, 12:34:00 AM »

QUOTE (Kthulu @ Sep 29 2004, 04:45 AM)
however, we could improve our odds of finding another sequence of characters with the same SHA1 hash and actually communicate meaningful instructions if we were willing to settle for a sequence of characters that looked something like this:
Logged

triggernum5

  • Archived User
  • Hero Member
  • *
  • Posts: 896
Sha1 Hash Cracking Algorithm
« Reply #28 on: September 29, 2004, 12:50:00 AM »

If you pull it off I'll give you free bananas for life...
Logged

John Hoek

  • Archived User
  • Jr. Member
  • *
  • Posts: 84
Sha1 Hash Cracking Algorithm
« Reply #29 on: September 29, 2004, 12:55:00 AM »

I thought someone said that before.....

HINT: <look at my sign below>
Logged