xboxscene.org forums


Author Topic: Sha1 Hash Cracking Algorithm  (Read 166 times)

triggernum5

« Reply #30 on: September 29, 2004, 01:02:00 AM »

Sorry, I'm a physics guy..  I gotta go at things at least half ass systematically..  They made it a lot of bits for a reason...  If you're gonna try that at least write a program to do it..  Don't waste your own time..

Kthulu

« Reply #31 on: September 29, 2004, 07:18:00 AM »

jester.gif

fghjj

« Reply #32 on: September 29, 2004, 07:36:00 AM »

QUOTE

But to be sure; I don't know that the total size of this block is enough to compensate the data in such a way that the correct hash is calculated.... Maybe I need a much bigger data-block to start with. I can imagine that a very huge block has more chances to find a collision than a short one. But really?! I just don't know.


"If your hash is 2^160 bits long, you have 2^160 different possible outputs. So in theory, if you hash (2^160)+1 messages, you should get a minimum of 1 collision, shouldn't you?"

The above is a quote I adapted a bit as it says exactly what I think.

Program entry point is given in the XBE header and points to code in one of the sections, right? So we need an XBE with an entry point section of a minimum of (length habibi patcher code + 40 bytes). I think the smaller, the better if the above quote is true. Oh and second thing you must think of when selecting an XBE is one with optimal media flags and game regions.

John Hoek

« Reply #33 on: October 04, 2004, 02:28:00 AM »

In the meantime my pc is working on the holy grail....
almost 2^7 calculations of hashes done... and still no sign of a collision....
I hope that your statement is not true; I selected a base .xbe from MS, which ends to be 100% unique, so that basically only 1 hash exists... We'll have to wait to find out.....

triggernum5

« Reply #34 on: October 04, 2004, 07:49:00 AM »

2^7 = 128
2^160 = more than that..

Angerwound

« Reply #35 on: October 04, 2004, 08:28:00 AM »

I have no interest myself in cracking the algorithm, however I do wish you good luck! If collisions are possible you're bound to find them. Have fun.

BluhDeBluh

« Reply #36 on: October 04, 2004, 12:22:00 PM »

To extend your chances to something a little bit more reasonable, I'd get hold of all the MS signed XBEs you can find to increase the chances.

I would still shoot with "this is currently impossible". I'd love to be corrected though.

The main chance we have is if someone cracks SHA-1 via a loophole in the algorithm that significantly reduces the processing time. And, as it was designed by the US government, you can be sure there is one in there somewhere...
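The effect of checking each candidate against many signed digests, as suggested above, can be measured on a deliberately shortened hash. The following is an added example, not code from the thread: it truncates SHA-1 to 12 bits so the search finishes, shows that k targets cut the expected work by a factor of k, and then extrapolates the same scaling to the full 160 bits. The function names, the constructed target strings and the hash rates are assumptions.

```python
import hashlib
import itertools

def truncated_sha1(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-1(data): a toy digest small enough to search."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") >> (160 - bits)

def trials_until_match(targets: set, bits: int, run: int) -> int:
    """Hash distinct candidates until one matches ANY target; return the count."""
    for n in itertools.count(1):
        if truncated_sha1(b"candidate-%d-%d" % (run, n), bits) in targets:
            return n

def average_trials(num_targets: int, bits: int, runs: int = 100) -> float:
    """Mean number of hashes needed, over `runs` independent target sets."""
    total = 0
    for run in range(runs):
        # Constructed stand-ins for the digests of signed files.
        targets = {truncated_sha1(b"signed-%d-%d" % (run, i), bits)
                   for i in range(num_targets)}
        total += trials_until_match(targets, bits, run)
    return total / runs

def expected_years(bits: int, num_targets: int, hashes_per_second: float) -> float:
    """Expected search time if work scales as 2^bits / num_targets."""
    seconds = (2 ** bits / num_targets) / hashes_per_second
    return seconds / (365.25 * 24 * 3600)

if __name__ == "__main__":
    bits = 12
    for k in (1, 16):
        print(f"{bits}-bit digest, {k:2d} targets: "
              f"~{average_trials(k, bits):.0f} hashes (theory {2**bits // k})")
    # Assumed rates: 1e6 hashes/s (hypothetical PC) and 1e12 hashes/s.
    for rate in (1e6, 1e12):
        print(f"160-bit, 1000 targets, {rate:.0e} H/s: "
              f"{expected_years(160, 1000, rate):.2e} years")
```

Each extra target divides the work linearly, while each extra digest bit doubles it, so a thousand signed files buy back only about ten of the 160 bits.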

Kthulu

« Reply #37 on: October 04, 2004, 01:46:00 PM »

QUOTE (John Hoek @ Oct 4 2004, 04:31 AM)
quote:
"The Titanic was designed by professionals. The Ark of Noah was designed by The Professional"
unquote:

Noah didn't make the famous boat for his living... So basically, my statement is fully right; he was an amateur.  But yeh; true, a very professional amateur... or an amateur with very professional skills

In the meantime my pc is working on the holy grail....
almost 2^7 calculations of hashes done... and still no sign of a collision....
I hope that your statement is not true; I selected a base .xbe from MS, which ends to be 100% unique, so that basically only 1 hash exists... We'll have to wait to find out.....

The Ark of Noah was designed by THE PROFESSIONAL...not Noah, but GOD...if you believe in such...

anyways, good luck!  i hope you succeed!

Kthulu

« Reply #38 on: October 04, 2004, 01:54:00 PM »

but hey, since angerwound stopped by, this reminds me of something that i've been wondering...

concerning UDE2...
there was a patcher that would take any old update.xbe and turn it into the UDE2 update.xbe, right?  how was this done?  seems like it would be something similar to this...

NOTE: i'm not asking for a UDE2 installation tut.  i'm asking how that patcher worked.  how does it turn an un-exploitable xbe into an exploitable one?  a pm with directions to the source would be great as i'm very curious.

JimmyGoon

« Reply #39 on: October 04, 2004, 04:43:00 PM »

QUOTE (Kthulu @ Oct 4 2004, 09:57 PM)
but hey, since angerwound stopped by, this reminds me of something that i've been wondering...

concerning UDE2...
there was a patcher that would take any old update.xbe and turn it into the UDE2 update.xbe, right?  how was this done?  seems like it would be something similar to this...

NOTE: i'm not asking for a UDE2 installation tut.  i'm asking how that patcher worked.  how does it turn an un-exploitable xbe into an exploitable one?  a pm with directions to the source would be great as i'm very curious.

Wouldn't that just be as simple as having the program check the file size and then patch it with one of 5 patches depending on the size?  Just a thought.

EthanHunt_IMF

« Reply #40 on: October 04, 2004, 08:26:00 PM »

my understanding of how the "patcher" works is as follows...

we have 2 files, one readily available, the other the one we want to reproduce.

we compare the 2 files, wherever there is a difference, we take note of the location and what the new value should be in reference to the original file.

store these changes to a file.  when we go to "patch" the file, it's just basically find and replace.

so since the file we wanted to reproduce was already signed when we made the comparison it will be when the "patch" is done.

Kthulu

« Reply #41 on: October 04, 2004, 09:22:00 PM »

sounds a bit like taking the nucleus out of one cell and transplanting it into another cell, while discarding the original nucleus...would that be a good analogy?

if that's really the way it works, is it possible to transplant the code of 4920 xboxdash.xbe into the code of 5960 xboxdash.xbe?  if not, why?  i'm not real sure if there would be any benefit to that since we already have the UDEs and UXE, i'm just curious if it's possible.  really, i just ask out of curiosity/understanding sake, but if it were possible to transplant the code of 4920 dash into the 5960 dash, we could have an exploitable (4920) dash running on an xbox with kernel >5317.  it would also mean (hopefully) that when something like the SW bonus disc forced a dash upgrade, it would think we had the latest dash already installed and abort...

...maybe?

John Hoek

« Reply #42 on: October 05, 2004, 01:19:00 AM »

===========
At this moment it doesn't help me to use other dashes.xbe to start with,
because my pc is calculating as hard to hell on this only file I chose. But it will take some (long?, very long??, extreme long???) time still.... it's full busy with it now.


===========
If someone can help with an algorithm which makes life easier on SHA1 hash cracking;  a backhole anyone?! please let me know!


>>  The holy grail is nearer than ever! <<



Kthulu

« Reply #43 on: October 05, 2004, 11:44:00 AM »

i understand about the signing of the header and that the header contains the userhash of the code and how changing any of that voids the sig...that's why i'd like to know how the UDE2/UXE xbe 'patchers' can 'grow' a 'better' update.xbe from another update.xbe...

BluhDeBluh

« Reply #44 on: October 05, 2004, 12:00:00 PM »

QUOTE
If someone can help with an algorithm which makes life easier on SHA1 hash cracking;  a backhole anyone?! please let me know!


If someone could do that, they could make a lot of money and wouldn't be here on an Xbox forum...

QUOTE
At this moment it doesn't help me to use other dashes.xbe to start with,
because my pc is calculating as hard to hell on this only file I chose. But it will take some (long?, very long??, extreme long???) time still.... it's full busy with it now.


Erm, surely it will increase your chances by a huge amount and reduce the potential processing time if you have several possible "clash" victims. You work out the SHA once, and then compare with all the signed stuff. Check if there's a match. Oh, and it doesn't have to be a dash - it can be any MS signed XBE surely?

QUOTE
i understand about the signing of the header and that the header contains the userhash of the code and how changing any of that voids the sig...that's why i'd like to know how the UDE2/UXE xbe 'patchers' can 'grow' a 'better' update.xbe from another update.xbe...


Both Update.XBEs came from an Xbox HDD and are officially signed MS updaters. MS just update them every so often, and we stumbled on an unpatched one both times.

The patchers just compare the two files, check for differences, and then store the differences in a file so you can recreate the second just from the first. You can do this for ANY two files and it will work. For example, you could potentially create a patch that turns an update.xbe into explorer.exe...
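The compare-and-store patcher described in replies #40 and #44 can be sketched as follows. This is an added example, not the source of any patcher mentioned in the thread: the patch format, the function names and the two sample byte strings are constructed for illustration. It shows why the result still verifies: the output is byte-for-byte the target file, so its SHA-1 is the one that was already signed, and no hash has been forged.

```python
import hashlib

# Constructed stand-ins for two files; real inputs would be read from disk.
SAMPLE_OLD = b"HDR0" + b"\x11" * 16 + b"code-v1" + b"\x00" * 8
SAMPLE_NEW = b"HDR0" + b"\x22" * 16 + b"code-v2-longer" + b"\x00" * 4

def make_patch(source: bytes, target: bytes) -> dict:
    """Record each run of bytes where target differs from source."""
    changes, i = [], 0
    differs = lambda j: j >= len(source) or source[j] != target[j]
    while i < len(target):
        if differs(i):
            start = i
            while i < len(target) and differs(i):
                i += 1
            changes.append((start, target[start:i]))
        else:
            i += 1
    return {"length": len(target), "changes": changes,
            "source_sha1": hashlib.sha1(source).hexdigest(),
            "target_sha1": hashlib.sha1(target).hexdigest()}

def apply_patch(source: bytes, patch: dict) -> bytes:
    """Rebuild the target from the source; refuse wrong inputs or bad output."""
    if hashlib.sha1(source).hexdigest() != patch["source_sha1"]:
        raise ValueError("wrong source file for this patch")
    size = patch["length"]
    out = bytearray(source[:size].ljust(size, b"\x00"))
    for offset, data in patch["changes"]:
        out[offset:offset + len(data)] = data  # the "find and replace" step
    result = bytes(out)
    if hashlib.sha1(result).hexdigest() != patch["target_sha1"]:
        raise ValueError("patched output does not match the recorded target")
    return result

if __name__ == "__main__":
    patch = make_patch(SAMPLE_OLD, SAMPLE_NEW)
    rebuilt = apply_patch(SAMPLE_OLD, patch)
    print("changed runs at offsets:", [off for off, _ in patch["changes"]])
    print("identical to target:", rebuilt == SAMPLE_NEW)
    # Any byte that deviates from the target changes the digest.
    tampered = rebuilt[:-1] + b"\x01"
    print("tampered digest matches:",
          hashlib.sha1(tampered).hexdigest() == patch["target_sha1"])
```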