Created
May 13, 2012 00:06
-
-
Save landaire/2669789 to your computer and use it in GitHub Desktop.
Decrypt XVal
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# XVal.py By Redline99 | |
# Decrpyts the "X:" Value from the Xbox 360 dashboard | |
# This can indicate if the console has been flagged | |
# for some types of security violations | |
# Originally posted at XboxHacker: http://www.xboxhacker.org/index.php?topic=16401.0 | |
import sha, hmac, struct, sys | |
FLAG_SSB_NONE = 0x0000 | |
FLAG_SSB_AUTH_EX_FAILURE = 0x0001 | |
FLAG_SSB_AUTH_EX_NO_TABLE = 0x0002 | |
FLAG_SSB_AUTH_EX_RESERVED = 0x0004 | |
FLAG_SSB_INVALID_DVD_GEOMETRY = 0x0008 | |
FLAG_SSB_INVALID_DVD_DMI = 0x0010 | |
FLAG_SSB_DVD_KEYVAULT_PAIR_MISMATCH = 0x0020 | |
FLAG_SSB_CRL_DATA_INVALID = 0x0040 | |
FLAG_SSB_CRL_CERTIFICATE_REVOKED = 0x0080 | |
FLAG_SSB_UNAUTHORIZED_INSTALL = 0x0100 | |
FLAG_SSB_KEYVAULT_POLICY_VIOLATION = 0x0200 | |
FLAG_SSB_CONSOLE_BANNED = 0x0400 | |
FLAG_SSB_ODD_VIOLATION = 0x0800 | |
try: | |
import Crypto.Cipher.DES as DES | |
except ImportError: | |
print "Error importing Crypto.Cipher.DES - please install python-crypto!" | |
print "You can get it from http://www.dlitz.net/software/pycrypto/" | |
print "Win32 version from http://www.voidspace.org.uk/python/modules.shtml" | |
sys.exit(-1) | |
def ByteToHex( byteStr ): | |
return ''.join( [ "%02X " % ord( x ) for x in byteStr ] ).strip() | |
def HexToByte( hexStr ): | |
bytes = [] | |
hexStr = ''.join( hexStr.split(" ") ) | |
for i in range(0, len(hexStr), 2): | |
bytes.append( chr( int (hexStr[i:i+2], 16 ) ) ) | |
return ''.join( bytes ) | |
def DecryptXVal(console_serial, console_xval): | |
# convert to bytes in needed | |
if console_xval.find("-") or console_xval.hexdigits: | |
console_xval = HexToByte(console_xval.replace("-","")) | |
# get our decrypt key | |
assert len(console_serial) == 0xC | |
des_key = hmac.new(console_serial + "\0", "XBOX360SSB", sha).digest()[0:8] | |
# set our decrypt key | |
assert len(des_key) == 8 | |
des = DES.new(des_key) | |
# decrypt | |
assert len(console_xval) == 8 | |
decrypted_data = des.decrypt(console_xval) | |
DisplayResults(decrypted_data) | |
print "Data:", ByteToHex(decrypted_data) | |
def DisplayResults(xval): | |
(xval_h, xval_l) = struct.unpack(">LL", xval) # extract our integers formt the buffer | |
if(xval_h == 0 and xval_l == 0): # nothing is flagged in secdata.bin, all is good from this standpoint | |
print "Secdata is Clean" | |
elif(xval_h == 0xFFFFFFFF and xval_l == 0xFFFFFFFF): # secdata was prob tampered with | |
print "Secdata is invalid" | |
elif (xval_h != 0 and xval_l != 0): # most likely the serial or xval is incorrect | |
print "Secdata decryption error" | |
else: # the high dword = 0 and low dword not 0 | |
# afaik best check. have to look at disassembly more | |
if(xval_l & FLAG_SSB_AUTH_EX_FAILURE): | |
print "AuthEx Challenge Failure" # AP25 related | |
if(xval_l & FLAG_SSB_AUTH_EX_NO_TABLE): | |
print "AuthEx Table missing" # AP25 related | |
if(xval_l & FLAG_SSB_AUTH_EX_RESERVED): | |
print "AuthEx Reserved Flag" # AP25 related | |
if(xval_l & FLAG_SSB_INVALID_DVD_GEOMETRY): | |
print "Invalid DVD Geometry" | |
if(xval_l & FLAG_SSB_INVALID_DVD_DMI): | |
print "Invalid DVD DMI" | |
if(xval_l & FLAG_SSB_DVD_KEYVAULT_PAIR_MISMATCH): | |
print "DVD Keyvault Pair Mismatch" | |
if(xval_l & FLAG_SSB_CRL_DATA_INVALID): | |
print "Invalid CRL Data" | |
if(xval_l & FLAG_SSB_CRL_CERTIFICATE_REVOKED): | |
print "CRL Certificate Revoked" | |
if(xval_l & FLAG_SSB_UNAUTHORIZED_INSTALL): | |
print "Unauthorized Install" | |
if(xval_l & FLAG_SSB_KEYVAULT_POLICY_VIOLATION): | |
print "Keyvault Policy Violation" | |
if(xval_l & FLAG_SSB_CONSOLE_BANNED): | |
print "Console Banned" | |
if(xval_l & FLAG_SSB_ODD_VIOLATION): | |
print "ODD Violation" | |
if(xval_l & 0xFFFFF000): # mask for bits we dont have a description for, | |
# note: we are not looking at the hi dword yet | |
print "Unknown Violation(s)" | |
return |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment