Ping Limit Bypass

137 replies to this topic

#31 ledjohnnyboy

ledjohnnyboy

    X-S Young Member

  • Members
  • Pip
  • 30 posts
  • Xbox Version:v1.6
  • 360 version:v1 (xenon)

Posted 13 December 2009 - 08:10 PM

Can someone explain how I add PPC support to IDA?

#32 kotix

kotix

    X-S X-perience

  • Members
  • PipPip
  • 460 posts

Posted 13 December 2009 - 08:22 PM

QUOTE(ledjohnnyboy @ Dec 13 2009, 07:24 PM)

On my default_mp.exe it doesn't have MZ at 0x4000; MZ starts at the very first line.

Look at offset 0x4000 of default_mp.xex, not "exe".
IDA Pro already has support for PPC.


#33 ledjohnnyboy

ledjohnnyboy

    X-S Young Member

  • Members
  • Pip
  • 30 posts
  • Xbox Version:v1.6
  • 360 version:v1 (xenon)

Posted 13 December 2009 - 08:32 PM

You just downloaded yours from Hex-Rays, right? Because when I try to load the IDC I am unable to load it. Or do I have to install the XEX tool plugin?

#34 birdy57

birdy57

    X-S Enthusiast

  • Members
  • 2 posts

Posted 20 December 2009 - 04:08 PM

I have just been looking at it; it appears that all frames follow the same structure.
The first 34 bytes are the system link header:
- 4 bytes : CMD
- 2 bytes : option, .....
We can see a sequence number, an answer number ...

The CMD for ping is 00:00:00:00 00:58 and the answer 00:00:00:00 01:58.

But all bytes after 0x34 are encrypted; if we can find out how these bytes are encrypted, we can fake an echo reply.


#35 ledjohnnyboy

ledjohnnyboy

    X-S Young Member

  • Members
  • Pip
  • 30 posts
  • Xbox Version:v1.6
  • 360 version:v1 (xenon)

Posted 22 December 2009 - 07:37 AM

So when you are talking about the line of code you found, is this in the XEX or in the packets the Xbox sends out? Thx

#36 birdy57

birdy57

    X-S Enthusiast

  • Members
  • 2 posts

Posted 22 December 2009 - 11:59 AM

Hi,

This CMD comes from the packets the Xbox sends out.
All system link games use the same, and they are generated by the M$ API.

Not exactly ALL, because some old games don't have this "ping limit", but they use the same API.

I see now two possible solutions:
- Find in the NAND the key used to encrypt the data after 0x34 and then fake an echo reply (the best, because there is no need to have a hacked Xbox).

- Compare the API call in this old game and a new one. Then modify the XEX to disable this "ping test".

Ledjohnnyboy, you have done a good search; if you find the call to this API now, for sure you can disable this limit.


#37 ledjohnnyboy

ledjohnnyboy

    X-S Young Member

  • Members
  • Pip
  • 30 posts
  • Xbox Version:v1.6
  • 360 version:v1 (xenon)

Posted 23 December 2009 - 12:13 AM

Your idea of modifying the NAND sounds great; that way we can just flash with a modified NAND and never worry about changing each XEX. Hopefully the key that has to be decrypted and sent back is exactly the same for all Xboxes (I think it is). By the way, what method are you using to read the NAND data?
Thanks for your help, guys!

#38 d0ct0r46

d0ct0r46

    X-S Young Member

  • Members
  • Pip
  • 45 posts

Posted 28 December 2009 - 08:35 PM

This is great stuff.

I've said for ages someone needs to crack this ping limit in system link. It would be like the old days: Xbox, XLink & Halo 2... rock on.

I would love to help but don't know enough, but you guys rule. Keep up the good work, I'm sure you'll crack it.

Full support given.

#39 maximilian0017

maximilian0017

    X-S Senior Member

  • Members
  • PipPip
  • 161 posts

Posted 28 December 2009 - 09:00 PM

QUOTE(d0ct0r46 @ Dec 28 2009, 08:35 PM)

This is great stuff.


Looking at these kinds of threads always makes me smile.

#40 ramaa

ramaa

    X-S Enthusiast

  • Members
  • 15 posts

Posted 30 December 2009 - 01:18 AM

YESSS guys, keep going.
I've got no frigging idea what you are saying, but I think you are close.
You have my support.

Can't wait to play with those European guys.

#41 zrs_guy

zrs_guy

    X-S Enthusiast

  • Members
  • 25 posts

Posted 31 December 2009 - 07:56 AM

Hi, is it just possible to intercept the packets that the 360 game sends so we can fake replies to those packets? Why make it so hard? It seems that it would be possible to just intercept, and send reply packets so the 360 thinks it's getting a good connection under 30ms. Anyhow, that is just a general idea, as I know there is a lot involved. A good example of this can be found in a Hak5 episode: http://www.hak5.org/...des/episode-405.

By the way, the episode basically shows how a device responds to Windows computers that send a request out for their particular network. I was thinking whether it was possible to use a device such as that, or simply a computer, to sort of do the same concept. Basically the Xbox game sends a packet with certain data to a host, and we just intercept the packet and send a reply packet that shows we are that particular host.

Edited by zrs_guy, 31 December 2009 - 08:01 AM.


#42 ledjohnnyboy

ledjohnnyboy

    X-S Young Member

  • Members
  • Pip
  • 30 posts
  • Xbox Version:v1.6
  • 360 version:v1 (xenon)

Posted 01 January 2010 - 01:50 AM

Yes, this is also another idea that could work, although the packet that is sent out may or may not be encrypted. I'll look at it; if it is encrypted, the encryption may be a simple data scramble.

#43 zrs_guy

zrs_guy

    X-S Enthusiast

  • Members
  • 25 posts

Posted 01 January 2010 - 05:50 AM


http://img109.images...454/maxping.jpg

Take a look at the data in that blue selection; obviously those are variables for determining or storing the host name. Now maybe by analyzing other files we might be able to find some examples of these hosts. In my opinion, if we can figure out what the packets being sent contain and what the packets being received contain, then we can send a reply packet that duplicates the reply packets being sent by an actual Xbox server.

#44 henno88

henno88

    X-S Enthusiast

  • Members
  • 5 posts

Posted 12 January 2010 - 08:33 PM

Anything new to bypass the ping limit?

#45 Cincinnatus

Cincinnatus

    X-S Enthusiast

  • Members
  • 2 posts
  • Xbox Version:unk
  • 360 version:v3.0 (falcon)

Posted 14 January 2010 - 04:24 AM

QUOTE(zrs_guy @ Dec 31 2009, 01:56 AM)

Hi, is it just possible to intercept the packets that the 360 game sends so we can fake replies to those packets? Why make it so hard? It seems that it would be possible to just intercept, and send reply packets so the 360 thinks it's getting a good connection under 30ms.


I was just going to suggest this as I was reading this thread. This has to be the easiest thing to do. Just have the PC intercept ICMP packets, find out the source information, drop the packet, spoof the reply; you're done.
http://diablohorn.wo.../06/icmp-spoof/

Am I missing something more complicated?

I feel this would be much easier than targeting each game.
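The ICMP echo-spoofing idea in the post above has a mirror image on the receiving side: a host that keeps track of the Echo Requests it sent can tell when a reply is not a genuine echo. The following is an added example, not code from the thread or from any Xbox tooling. It parses raw ICMP echo packets, verifies the RFC 792 checksum, and correlates Echo Replies with outstanding Echo Requests by (identifier, sequence). Replies with no matching request, replies whose payload differs from what was sent, and a second reply for a request already answered (the real peer and an on-path spoofer both answering) are the tell-tale findings. All packet bytes and timestamps are constructed for the example.

```python
"""Defender-side audit of an ICMP echo stream (added example).

Parses ICMP Echo Request/Reply packets, checks the RFC 792 checksum and
correlates replies to requests by (identifier, sequence) so that
unsolicited, mismatched or duplicated replies stand out.
"""
import struct
from typing import Dict, List, Set, Tuple

ECHO_REPLY = 0
ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo packet with a valid checksum (used for sample data)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(pkt: bytes) -> Tuple[int, int, int, bytes]:
    """Return (type, identifier, sequence, payload) or raise ValueError."""
    if len(pkt) < 8:
        raise ValueError("short ICMP packet")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    # A correct packet sums to zero when the checksum field is included.
    if icmp_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    if icmp_type not in (ECHO_REQUEST, ECHO_REPLY) or code != 0:
        raise ValueError("not an echo request/reply")
    return icmp_type, ident, seq, pkt[8:]


def audit_echo_stream(pkts: List[Tuple[float, bytes]]) -> List[str]:
    """Replay (timestamp_ms, icmp_bytes) pairs in order and report findings."""
    pending: Dict[Tuple[int, int], Tuple[float, bytes]] = {}
    answered: Set[Tuple[int, int]] = set()
    findings: List[str] = []
    for ts, pkt in pkts:
        try:
            icmp_type, ident, seq, payload = parse_echo(pkt)
        except ValueError as exc:
            findings.append(f"malformed: {exc}")
            continue
        key = (ident, seq)
        if icmp_type == ECHO_REQUEST:
            pending[key] = (ts, payload)
            continue
        if key in answered:
            # Two answers to one request: a real peer plus a spoofer, typically.
            findings.append(f"duplicate reply id={ident} seq={seq}")
        elif key not in pending:
            findings.append(f"unsolicited reply id={ident} seq={seq}")
        else:
            sent_ts, sent_payload = pending.pop(key)
            answered.add(key)
            if payload != sent_payload:
                findings.append(f"payload mismatch id={ident} seq={seq}")
            else:
                findings.append(f"ok id={ident} seq={seq} rtt={ts - sent_ts:.1f}ms")
    return findings


def demo() -> List[str]:
    """Constructed capture: one honest exchange, then three spoof indicators."""
    ident = 0x1234
    reply_ok = build_echo(ECHO_REPLY, ident, 1, b"ping-1")
    corrupted = reply_ok[:-1] + bytes([reply_ok[-1] ^ 0xFF])  # breaks checksum
    stream = [
        (0.0, build_echo(ECHO_REQUEST, ident, 1, b"ping-1")),
        (45.0, reply_ok),                                       # genuine
        (1000.0, build_echo(ECHO_REQUEST, ident, 2, b"ping-2")),
        (1012.0, build_echo(ECHO_REPLY, ident, 2, b"XXXXXX")),  # wrong payload
        (1013.0, build_echo(ECHO_REPLY, ident, 9, b"ping-9")),  # never asked
        (1014.0, reply_ok),                                     # second answer
        (1015.0, corrupted),                                    # bad checksum
    ]
    return audit_echo_stream(stream)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The audit runs on whatever feed of ICMP payloads a capture tool hands it (the IP header is assumed to have been stripped already); on a live host the same bookkeeping belongs next to the code that sends the requests, since only the sender knows which identifiers and sequence numbers are legitimately outstanding.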