Stealth Server Research Notes


silent07
Jan 20, 2019


Hello,

So I've spent the last 6 months researching stealth servers. A few things that have interested me are KV life, IP configurations, & cracking. A few months ago, I ran into a couple of dudes online, slave-Eye & Lambo_Mods, owners of XbmoonLight. At first, I thought they were alright fellows, until they tried to leak my stealth source files, which weren't the correct ones. So I decided to start researching methods to crack a server.

I found a few methods that work: cracked.script & IP Alteration. The cracked script I found online allows me to bypass their security check systems by utilizing the CPU key of another person already added in their database. A stealth server will check their SQL database for your Xbox 360 RGH/JTAG CPU key upon connection. This is usually used when they sell it as a service.

I found this YouTube video online explaining how to make the script & what to do by utilizing it. To get back at the Xbmoonlight dudes, I attempted this method on their server. I was successful in bypassing their security by utilizing this CPU key method. First, before I could connect with my cracked.xex file, I needed a CPU key that was already on their system. After I accomplished this, I then needed only to run the script with the CPU key & make a cracked.xex. I renamed it to the stealth server's xbmoonlight.xex & set it in plugin 2. Before I knew it, I was connected to their service without paying for it. From my research though, I learned there is a way to add an additional security measure that checks the CPU key. I remember seeing this code in one of the many free stealth services online, although I cannot remember which one.

Another method is IP Alteration. So basically, what this does is run someone's stealth off your VPS by manipulating/changing the IP address in IDA. I tested this method on myself a month ago & found, surprisingly, that it works. If a stealth owner doesn't have their IP & port numbers encrypted very well, you can change these to your VPS. All you need is a compatible Listener source. These methods will work if the stealth server security is weak. I am continuing to research this & discover new methods as well as implementing defenses against it.

Everyone is constantly concerned over KV life. Xbox Live & Microsoft haven't changed their security in years. It's always remained the same, probably a big reason why people can update their stealth servers so easily. It's hard to tell what the future holds for Xbox 360. As far as I know, it's 2019 & it's as alive as ever. While researching KV life, I've learned about a few methods. Three of them I am confident about are: dumping cache, HV cleaning & Challenges/Responses.

About 4 months ago I came across some information about dumping the cache. They also refer to this as "ECC Digest". The idea is that a person's 360 stores cache memory, including all the modded memory. While you're online this memory can be detected by Microsoft, which ends in a banned KV. So you program your stealth server to dump the memory & clean it, essentially getting rid of that modded memory every time you connect to Xbox Live.

HV cleaning is the method of taking your hypervisor from the stealth server & cleaning it regularly. I haven't tried this method, but the claim is that it cleans the 100F0 offset to make your Xbox 360 look more retail. The lingo I found online talks about doing it to your Xbox 360, but it works for your stealth server as well. Understand, HV.bin loads from both your stealth server & 360. The only reason you would want to clean it for your 360 is to use offline files. As I continue to learn more, I do intend on trying this sometime in the future. But what I can say is that when I've looked at different HV.bins from other stealth servers, the values are not the same. Some lines are the same while others are not. I updated a stealth source last year; occasionally, I will replace my HV.bin with the fresh one I had updated.

The challenges/responses continue to vex me as hardly anyone online will explain these. But while reviewing the stealth servers I noticed similarities & differences. The MasterKey & HVPokeExp bytes across stealth servers are all the same. But the patch.h data bytes do vary a little bit. The patch data that people have coded can be found in the xamPatch.bin, which is something that's dumped after up****** your Retail HV.bin (cleaning it). There was this nice chap that provided this code to be used with your stealth server, that just automatically cleans the HV.bin. I am wondering if the xamPatch.bin must be coded a certain way. I did do some trial and error with it: I took the values that are just in the xamPatch.bin & inputted them into the patch.h. I was able to connect to Xbox Live. The xamPatch.bin seems to be one of the things referred to as challenge & response, but I am unsure at this point. I won't let this go, but for future research I intend to spend more time around the HV.bin, because this seems to be universally used across all stealth servers. Someone gave me their release notes for the HV.bin to reference; it's a valuable start. See below:


Challenge Response Release Notes:

0x28 | equals kernel check and the response is two bytes long and starts at 0x2A.

0x2E | equals Bldr Flag two bytes long starting at 0x2E.

0x30 | equals the BaseKernelVersion always stays at 0x07600000 from what I can tell. So the response starts at 0x30.

0x34 | equals your update sequence, which is for Microsoft to see how many times the KV you're using has done a dashboard update. It is four bytes long and starts at 0x34.

0x38 | equals your status flag it is four bytes long as well and it starts at 0x38.

0x3C | equals your cb flag which is four bytes long starts at 0x3C.

0x40 | equals RTOC not sure what it stands for but it's always the same it seems. It starts at 0x40 and is eight bytes long.

0x48 | equals HRMOR not sure what it stands for either it's always the same it seems as well. It starts at 0x48 and is also eight bytes long.

0x50 | equals 0x50 hash that everyone talks about that makes you last. It's at 0x50 and is fourteen bytes long.

0x64 | equals your cpuKeyDigest starts at 0x64 and is fourteen bytes long as well.

0x78 | equals your Hypervisor certificate / Signature it starts at 0x78 and is eighty bytes long.

0xF8 | equals your HVEX I don't know what it actually stands for yet. Starts at 0xF8 and is only two bytes long. Seems to stay at 0x01B1 - 0x01BF could be different most use a static response of 0x01B43.

0xFA | equals your Hypervisor hash it is only six bytes long. Starts at 0xFA and is six bytes long.


When most people talk about challenges & responses, they refer to HV.bin & xamPatch.bin, but I believe there is more to it. If you look at systemHooks.cpp within the stealth server, you will notice this code:


BOOL InitializeSystemXexHooks()
{
    // Redirect xam's imports of three kernel exports (ordinals 408, 0x25F, 409) to the hook functions
    if (PatchModuleImport(NAME_XAM, NAME_KERNEL, 408, (DWORD)XexLoadExecutableHook) != S_OK) return S_FALSE;
    if (PatchModuleImport(NAME_XAM, NAME_KERNEL, 0x25F, (DWORD)XeKeysExecuteHook) != S_OK) return S_FALSE;
    if (PatchModuleImport(NAME_XAM, NAME_KERNEL, 409, (DWORD)XexLoadImageHook) != S_OK) return S_FALSE;

    // Inline jumps written at fixed xam addresses for the two challenge hooks
    PatchInJump((DWORD*)0x8169CCD0, (DWORD)XamLoaderExecuteAsyncChallengeHook, false);
    PatchInJump((DWORD*)0x81A71414, (DWORD)SpoofXamChallenge, FALSE); // 17526
    return TRUE;
}

BOOL InitializeSystemHooks()
{
    // Pack the running kernel version (major, minor, build, qfe) into one DWORD
    DWORD ver = ((XboxKrnlVersion->Major & 0xF) << 28) | ((XboxKrnlVersion->Minor & 0xF) << 24) | (XboxKrnlVersion->Build << 8) | (XboxKrnlVersion->Qfe);

    // Execution ID returned by the header-field hook below
    ZeroMemory(&xeExecutionIdSpoof, sizeof(XEX_EXECUTION_ID));
    xeExecutionIdSpoof.Version = ver;
    xeExecutionIdSpoof.BaseVersion = ver;
    xeExecutionIdSpoof.TitleID = 0xFFFE07D1;

    if (PatchModuleImport(NAME_XAM, NAME_KERNEL, 0x12B, (DWORD)RtlImageXexHeaderFieldHook) != S_OK) return S_FALSE;
    if (PatchModuleImport(NAME_XAM, NAME_KERNEL, 404, (DWORD)XexCheckExecutablePrivilegeHook) != S_OK) return S_FALSE;
    return TRUE;
}



Notice there are 7 hooks, which are: XexLoadExecutableHook, XeKeysExecuteHook, XexLoadImageHook, XamLoaderExecuteAsyncChallengeHook, SpoofXamChallenge, RtlImageXexHeaderFieldHook, XexCheckExecutablePrivilegeHook. Specifically, XamLoaderExecuteAsyncChallengeHook & SpoofXamChallenge. These 2 seem to hold code that spoofs your console; it's run through xam.xex. These sets of code seem to spoof more than just the HV.bin, as most people seem to indicate. So, if I am spoofing contents on my Xbox 360 to make it look like a retail console, wouldn't this be the same as a challenge & response? Whether you consider it to be or not, the fact of the matter is that these functions, as well as others, work to conceal you online.

I was reviewing some old archive forums the other day from 2009 discussing research into XOSC. What was interesting about this code is that I noticed some of it was used within the current stealth server source files. XeCryptShaUpdate can be found under the XamLoaderExecuteAsyncChallengeHook & SpoofXamChallenge scripts. People that programmed these seem to have included values like what's in this code. I saved it for a later date hoping maybe someone can shed some light on it.

In conclusion, I will continue to research stealth servers the best I can. I hope to provide for the community and hopefully the community will provide back. I really don't like paying for these services.

Thanks,

-Silent

Links to Stealth Scripts (my collection)
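The field layout from the release notes quoted in the post, decoded in Python as an added example (not code from the post or from any stealth server source). It assumes big-endian byte order (the console's PowerPC CPU) and reads the notes' "fourteen" and "eighty" as the hex lengths 0x14 and 0x80, the only reading consistent with the neighbouring offsets; the sample buffer is constructed for the example, not a capture.

```python
import struct

# Field layout as written in the release notes above: (name, offset, length).
# Assumption: "fourteen" and "eighty" in the notes are hex (0x14, 0x80), since
# 0x64 - 0x50 = 0x14 and 0xF8 - 0x78 = 0x80 match the neighbouring offsets.
LAYOUT = [
    ("kernel_check",        0x2A, 2),
    ("bldr_flag",           0x2E, 2),
    ("base_kernel_version", 0x30, 4),
    ("update_sequence",     0x34, 4),
    ("status_flag",         0x38, 4),
    ("cb_flag",             0x3C, 4),
    ("rtoc",                0x40, 8),
    ("hrmor",               0x48, 8),
    ("hash_0x50",           0x50, 0x14),
    ("cpu_key_digest",      0x64, 0x14),
    ("hv_signature",        0x78, 0x80),
    ("hvex",                0xF8, 2),
    ("hv_hash",             0xFA, 6),
]
RESPONSE_SIZE = 0x100  # the last field (0xFA + 6) ends exactly here

def parse_response(buf: bytes) -> dict:
    """Slice a response buffer into the named fields. Fields of 8 bytes or less
    become big-endian ints (PowerPC order); digests and the signature stay bytes."""
    if len(buf) < RESPONSE_SIZE:
        raise ValueError(f"buffer is {len(buf)} bytes, need {RESPONSE_SIZE}")
    fields = {}
    for name, off, length in LAYOUT:
        raw = buf[off:off + length]
        fields[name] = int.from_bytes(raw, "big") if length <= 8 else raw
    return fields

def check_static_fields(fields: dict) -> list:
    """Names of fields that disagree with the constants the notes describe."""
    problems = []
    if fields["base_kernel_version"] != 0x07600000:   # "always stays at 0x07600000"
        problems.append("base_kernel_version")
    if not 0x01B1 <= fields["hvex"] <= 0x01BF:        # "stays at 0x01B1 - 0x01BF"
        problems.append("hvex")
    return problems

def build_sample() -> bytes:
    """Constructed sample buffer for testing, not a capture from any console."""
    buf = bytearray(RESPONSE_SIZE)
    struct.pack_into(">I", buf, 0x30, 0x07600000)  # BaseKernelVersion per the notes
    struct.pack_into(">I", buf, 0x34, 3)           # update sequence: made-up value
    struct.pack_into(">H", buf, 0xF8, 0x01B4)      # HVEX inside the stated band
    buf[0x50:0x64] = bytes(range(0x14))            # placeholder digest bytes
    return bytes(buf)
```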