xboxscene.org forums


Topic: Fuckms V0.3

Angerwound
« on: October 19, 2005, 08:11:00 AM »

Well, of course you all know by now that backups on Live are not possible. I'm not commenting on its current state; however, it once was! In fact, it was quite simple, and out of boredom and knowledge of this flaw being fixed already (you're welcome, MS!), I've decided to post about it.

First of all, XBOX Live authenticates your console by checksumming the kernel. If it is not retail, you are denied access and your eeprom is banned. Therefore, if one could have a backup running and return the kernel to retail, one might be able to access the Live features of a piece of software! This is what FuckMS allows... or ALLOWED, before.

Basically FuckMS works in a way like XBEDump: it inputs the xbe and makes a few changes to its structure. FuckMS, after input, places the 'Return Kernel to Retail' payload right at the end of the last section in the XBE, extends the section if necessary, and modifies its flags for execution. The Return to Kernel routine returns a kernel with ONLY THE MODIFIED PUBLIC KEY to RETAIL! For example, it won't return a kernel running nkpatcher back to its original state. Once finished with that routine, it adds a 'JMP' to the Entry Point of the xbe, so that when our code has finished executing, the game continues to execute.

Once the payload is inserted and the correct entry point is recorded in the 'JMP', the original entry point is edited to point at our code. So when the XBE is executed, our code is executed first to return the kernel to retail and then the game continues to run thanks to our inserted 'JMP'.

In the end, you can set up a simple uxe font setup without any PBL or NKPatcher and a HABIBI signed Dashboard. Then execute your 'FUCKMS'ed backup from HDD or Disc. The kernel gets wiped and your backup continues to play!

Of course, this was never made public for obvious reasons. A few of my XBE's made it around to people they shouldn't have back in the day, and I contacted MS and had the flaw fixed. Therefore, now you may all bask in what's left of its glory.

This will also only work with RETAIL xbe's, not DEBUG executables. Firstly, because Debug XBE's will not attempt to contact XBOX Live servers, but also because of their structure.

I found it quite useful however, as it allowed me to grab DLC for any game on command ('downloader.xbe'), but also to use XBOX Live with titles on the HDD. Cuts down on those load times.

I wouldn't suggest 'attempting' to use this now and signing into Live. There is a check to automatically TERMINATE your XBL account (not just ban the eeprom) and blacklist the Credit Card. So, use at your own risk. I take no responsibility for your stupidity. You've been warned! And yes, it's got quite a naming scheme, don't you think?

Who knowz.. Maybe the NDURE gurus might find a use for it for returning to a retail XBOX Live Dashboard?!? Or maybe it will lead you into your own XBOX Live adventures!

Download FuckMS v0.3
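A defender-side check for the tampering pattern the first post describes, added here as an example that is not part of the thread or of FuckMS itself: parse the XBE header, find the section that contains the de-obfuscated entry point, and flag an image whose entry point sits anywhere other than the first executable section (a payload appended to the last section and jumped to first would land there). The header offsets and the retail entry-point XOR key follow the publicly documented XBE layout; the two sample images are constructed inside the block.

```python
import struct
# Offsets follow the public XBE header layout: base 0x104, section count 0x11C,
# section-header VA 0x120, XOR-obfuscated entry point 0x128, 56-byte section headers.
XBE_MAGIC = b"XBEH"
RETAIL_ENTRY_XOR = 0xA8FC57AB  # retail entry-point obfuscation key
SECTION_HDR_SIZE = 56
SECTION_FLAG_EXECUTABLE = 0x4  # section flag bit 2

def parse_xbe(data):
    """Return (entry_va, [(flags, va, vsize), ...]) for an XBE image in memory."""
    if data[:4] != XBE_MAGIC:
        raise ValueError("not an XBE image")
    base = struct.unpack_from("<I", data, 0x104)[0]
    num_sections = struct.unpack_from("<I", data, 0x11C)[0]
    hdr_off = struct.unpack_from("<I", data, 0x120)[0] - base
    entry_va = struct.unpack_from("<I", data, 0x128)[0] ^ RETAIL_ENTRY_XOR
    sections = [struct.unpack_from("<III", data, hdr_off + i * SECTION_HDR_SIZE)
                for i in range(num_sections)]
    return entry_va, sections

def entry_section_index(entry_va, sections):
    """Index of the section whose virtual range contains the entry point, or None."""
    for i, (_flags, va, vsize) in enumerate(sections):
        if va <= entry_va < va + vsize:
            return i
    return None

def is_entry_redirected(data):
    """Heuristic: a retail title starts in its first executable section; an entry
    point anywhere else (e.g. code appended to the last section) is suspicious."""
    entry_va, sections = parse_xbe(data)
    first_exec = next((i for i, (f, _, _) in enumerate(sections)
                       if f & SECTION_FLAG_EXECUTABLE), None)
    return entry_section_index(entry_va, sections) != first_exec

def build_sample(entry_va, sections, base=0x10000):
    """Constructed minimal XBE header (no real code), used only to exercise the check."""
    hdr = bytearray(0x1000)
    hdr[:4] = XBE_MAGIC
    struct.pack_into("<I", hdr, 0x104, base)
    struct.pack_into("<I", hdr, 0x11C, len(sections))
    struct.pack_into("<I", hdr, 0x120, base + 0x200)
    struct.pack_into("<I", hdr, 0x128, entry_va ^ RETAIL_ENTRY_XOR)
    for i, sect in enumerate(sections):
        struct.pack_into("<III", hdr, 0x200 + i * SECTION_HDR_SIZE, *sect)
    return bytes(hdr)

# Constructed samples: a clean layout, and one whose last section was extended,
# flagged executable (0x1 | 0x4) and made the entry point.
CLEAN = build_sample(0x11100, [(0x4, 0x11000, 0x2000), (0x1, 0x13000, 0x1000)])
TAMPERED = build_sample(0x14000, [(0x4, 0x11000, 0x2000), (0x5, 0x13000, 0x1100)])
```

This only inspects the header layout; it does not replace the signature and hash checks the later replies discuss.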

kingroach
« Reply #1 on: October 19, 2005, 09:04:00 AM »

iiinteresting.. but doesn't xbox live do some kind of .xbe hash to make sure it's authentic?.. or was there no check before?..


globe_guyx
« Reply #2 on: October 19, 2005, 09:42:00 AM »

Awesome. I guess I was on the right track. I made a feeble attempt at that EXACT strategy.. Unfortunately my more feeble asm skills killed the idea pretty fast. :( Glad to hear I'm not a concept goon at least. :)
BTW I LOVE your appname!! Coincidentally, that's the same project name I was using while flirting with the idea.. :)

Angerwound
« Reply #3 on: October 19, 2005, 09:08:00 AM »

QUOTE(kingroach @ Oct 19 2005, 10:15 AM)
iiinteresting.. but doesn't xbox live do some kind of .xbe hash to make sure it's authentic?.. or was there no check before?..

kingroach
« Reply #4 on: October 19, 2005, 09:51:00 AM »

QUOTE(Angerwound @ Oct 19 2005, 05:19 PM)
XBE Hash was put in place to block FuckMs.

lol.. I have a few ideas of getting things on live <_< but I am sure other gurus are already playing *backups* on live.. so far I only knew of putting the halo .xbe in the root of C:\ to play halo.. but I heard that was fixed too..

Angerwound
« Reply #5 on: October 19, 2005, 09:52:00 AM »

QUOTE(kingroach @ Oct 19 2005, 10:26 AM)
lol.. I have a few ideas of getting things on live <_< but I am sure other gurus are already playing *backups* on live.. so far I only knew of putting the halo .xbe in the root of C:\ to play halo.. but I heard that was fixed too..

Ahh yes.. The old HDD Xbe trick. That used to work as well. Set the HDD-flagged XBE as xboxdash.xbe, reboot, and place the backup in the drive. But, once again.. fixed already. :D

PedrosPad
« Reply #6 on: October 19, 2005, 09:52:00 AM »

QUOTE(Angerwound @ Oct 19 2005, 05:19 PM)
XBE Hash was put in place to block FuckMs.

So, if the payload removed itself from the xbe during execution...... ;)

Angerwound
« Reply #7 on: October 19, 2005, 09:56:00 AM »

QUOTE(PedrosPad @ Oct 19 2005, 10:27 AM)
So, if the payload removed itself from the xbe during execution...... ;)

The Xbe must be habibi signed after being run through FuckMS, therefore it would take a great deal of data moving...

Olipro
« Reply #8 on: October 19, 2005, 09:57:00 AM »

QUOTE(PedrosPad @ Oct 19 2005, 05:27 PM)
So, if the payload removed itself from the xbe during execution...... ;)

or rather than have the XBE compute a hash of itself, replace it with the hash that it should compute, so the correct hash is returned regardless of modifications to the XBE itself.

or alternately, assuming that the procedure for computing the kernel and XBE hash is a local routine, patch both, and play games whilst running NKPatcher

This post has been edited by Olipro: Oct 19 2005, 05:04 PM

PedrosPad
« Reply #9 on: October 19, 2005, 10:13:00 AM »

QUOTE(Angerwound @ Oct 19 2005, 05:31 PM)
QUOTE(PedrosPad @ Oct 19 2005, 10:27 AM)
So, if the payload removed itself from the xbe during execution...... ;)

The Xbe must be habibi signed after being run through FuckMS, therefore it would take a great deal of data moving...

The payload could simply contain a backup of the first 200-or-so bytes of the XBE (its certificate), and write them back when run (and chop the payload from the other end, obviously).

This post has been edited by PedrosPad: Oct 19 2005, 09:48 PM

Tp21
« Reply #10 on: October 19, 2005, 12:30:00 PM »

i like this idea...
and it's a shame it doesn't work (anymore)
... if we could fix it... hmmmm

kingroach
« Reply #11 on: October 19, 2005, 01:16:00 PM »

no it does not work..

if there are two copies of the .xbe, one untouched and the other patched.. once you execute the patched copy.. after loading.. it would replace itself with the untouched one.. since the main .xbe would still be in RAM and probably some game trailer would be playing..

Tp21
« Reply #12 on: October 19, 2005, 01:23:00 PM »

so... something like:
you run fuckms.xbe, it patches the bios back and runs halo2.xbe
halo2.xbe is a "retail" version that is not patched....?

This post has been edited by Tp21: Oct 19 2005, 08:29 PM

krayzie
« Reply #13 on: October 19, 2005, 02:18:00 PM »

QUOTE(Tp21 @ Oct 19 2005, 08:58 PM)
so... something like:
you run fuckms.xbe, it patches the bios back and runs halo2.xbe
halo2.xbe is a "retail" version that is not patched....?

no, you patch the halo2 xbe (the xbe needs to be a retail source, so no homebrew apps) with fuckms, and it will patch back the public key and load the xbe when you run it

Tp21
« Reply #14 on: October 19, 2005, 02:20:00 PM »

yes, that is what fuckms.xbe does
but that doesn't work anymore because Live! scans the xbe hash (can someone confirm this?)
so this was my idea: fuckms.xbe patches the kernel back and runs the xbe you want...
it *should* work