> Ping Limit Bypass, Looking for people who can work on ping limit
ledjohnnyboy
post Dec 13 2009, 08:10 PM
Post #31


X-S Young Member
*

Group: Members
Posts: 30
Joined: 22-November 09
Member No.: 426268
Xbox Version: v1.6
360 version: v1 (xenon)



Can someone explain how I add PPC support to IDA?
kotix
post Dec 13 2009, 08:22 PM
Post #32


X-S X-perience
**

Group: Members
Posts: 460
Joined: 5-November 02
Member No.: 7600



QUOTE(ledjohnnyboy @ Dec 13 2009, 07:24 PM)

On my default_mp.exe it doesn't have MZ at 0x4000; MZ starts at the very first line.

Look at offset 0x4000 of default_mp.xex, not "exe".
IDA Pro already has support for PPC.
ledjohnnyboy
post Dec 13 2009, 08:32 PM
Post #33


X-S Young Member
*

Group: Members
Posts: 30
Joined: 22-November 09
Member No.: 426268
Xbox Version: v1.6
360 version: v1 (xenon)



You just downloaded yours from Hex-Rays, right? Because when I try to load the IDC I am unable to load it. Or do I have to install the XEX tool plugin?
birdy57
post Dec 20 2009, 04:08 PM
Post #34


X-S Enthusiast


Group: Members
Posts: 2
Joined: 20-December 09
Member No.: 428636



I have just been looking, and it appears that all frames follow the same structure.
The first 34 bytes are the system link header:
- 4 bytes: CMD
- 2 bytes: option, .....
We can see a sequence number, an answer number ...

The CMD for ping is 00:00:00:00 00:58 and the answer is 00:00:00:00 01:58.

But all bytes after 0x34 are encrypted; if we can find out how these bytes are encrypted, we can fake an echo-reply.
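A decoder for the frame layout described in the post above, added here as an example and not code from the thread: it reads the 4-byte CMD and 2-byte option, labels the two values birdy57 quotes, and treats everything from 0x34 onward as opaque payload, which is what a LAN monitor would need to count ping probes. The big-endian field order, the dict field names and the sample frames are assumptions (constructed, not captures).

```python
# Added example (not from the thread): decoder for the system link frame layout
# birdy57 describes. ASSUMED from the post: 4-byte CMD, 2-byte option, header up
# to offset 0x34, opaque (encrypted) payload after that. Big-endian is assumed.
import struct

HEADER_LEN = 0x34  # the post says all bytes after 0x34 are encrypted

# CMD+option values quoted in the post, as (cmd, option) integers.
KNOWN = {
    (0x00000000, 0x0058): "ping-request",  # 00:00:00:00 00:58
    (0x00000000, 0x0158): "ping-reply",    # 00:00:00:00 01:58
}

# Constructed sample frames (not real captures): 6-byte CMD/option, filler for
# the rest of the header, then a short stand-in for the encrypted payload.
_FILLER = bytes(range(6, HEADER_LEN))
PING_REQUEST = bytes.fromhex("000000000058") + _FILLER + b"\x9a\x3c\x71"
PING_REPLY = bytes.fromhex("000000000158") + _FILLER + b"\x22\xf0\x0d"
OTHER = bytes.fromhex("000000000010") + _FILLER + b"\x00"


def parse_frame(frame: bytes) -> dict:
    """Split a frame into CMD, option, the rest of the header, and payload."""
    if len(frame) < HEADER_LEN:
        raise ValueError(f"frame too short: {len(frame)} < {HEADER_LEN}")
    cmd, option = struct.unpack(">IH", frame[:6])  # assumed byte order
    return {
        "cmd": cmd,
        "option": option,
        "kind": KNOWN.get((cmd, option), "unknown"),
        "header_rest": frame[6:HEADER_LEN],
        "payload": frame[HEADER_LEN:],  # opaque; not decoded
    }


def classify_capture(frames) -> dict:
    """Count frame kinds so a monitor can see how many probes are on the LAN."""
    counts = {}
    for frame in frames:
        kind = parse_frame(frame)["kind"]
        counts[kind] = counts.get(kind, 0) + 1
    return counts
```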
ledjohnnyboy
post Dec 22 2009, 07:37 AM
Post #35


X-S Young Member
*

Group: Members
Posts: 30
Joined: 22-November 09
Member No.: 426268
Xbox Version: v1.6
360 version: v1 (xenon)



So when you are talking about the line of code you found, is this in the XEX or in the packets the Xbox sends out? Thx
birdy57
post Dec 22 2009, 11:59 AM
Post #36


X-S Enthusiast


Group: Members
Posts: 2
Joined: 20-December 09
Member No.: 428636



Hi,

this CMD comes out of the packets the Xbox sends out.
All system link games use the same, and they are generated by the M$ API.

Not exactly ALL, because some old games don't have this "ping limit", but they use the same API.

I see now two possible solutions:
- Find in the NAND the key used to encrypt the data after 0x34 and then fake an echo-reply (the best, because there is no need to have a hacked Xbox).

- Compare the API call in this old game and a new one. Then modify the XEX to disable this "ping test".

Ledjohnnyboy, you have done a good search; if you now find the call to this API, for sure you can disable this limit.
ledjohnnyboy
post Dec 23 2009, 12:13 AM
Post #37


X-S Young Member
*

Group: Members
Posts: 30
Joined: 22-November 09
Member No.: 426268
Xbox Version: v1.6
360 version: v1 (xenon)



Your idea of modifying the NAND sounds great. That way we can just flash a modified NAND and never worry about changing each XEX, hopefully because the key that has to be decrypted and sent back is exactly the same for all Xboxes (I think it is). By the way, what method are you using to read the NAND data?
Thanks for your help, guys!
d0ct0r46
post Dec 28 2009, 08:35 PM
Post #38


X-S Young Member
*

Group: Members
Posts: 45
Joined: 4-April 07
Member No.: 337102



This is great stuff.

I've said for ages someone needs to crack this ping limit in system link. It would be like the old days: Xbox, XLink & Halo 2...... rock on.

I would love to help but don't know enough, but you guys rule. Keep up the good work, I'm sure you'll crack it.

Full support given.
maximilian0017
post Dec 28 2009, 09:00 PM
Post #39


X-S Senior Member
**

Group: Members
Posts: 161
Joined: 27-May 03
Member No.: 40592



QUOTE(d0ct0r46 @ Dec 28 2009, 08:35 PM)

This is great stuff.


Looking at these kinds of threads always makes me smile.
ramaa
post Dec 30 2009, 01:18 AM
Post #40


X-S Enthusiast


Group: Members
Posts: 15
Joined: 9-December 09
Member No.: 427790



YESSS guys, keep going.
I've got no frigging idea what you are saying, but I think you are close.
You have my support.

Can't wait to play with those European guys.
zrs_guy
post Dec 31 2009, 07:56 AM
Post #41


X-S Enthusiast


Group: Members
Posts: 25
Joined: 21-December 07
Member No.: 367186



Hi, is it just possible to intercept the packets that the 360 game sends so we can fake replies to those packets? Why make it so hard? It seems that it would be possible to just intercept and send reply packets so the 360 thinks it's getting a good connection under 30ms. Anyhow, that is just a general idea, as I know there is a lot involved. A good example of this can be found in Hak5 episode: http://www.hak5.org/episodes/episode-405.

By the way, the episode basically shows how a device responds to Windows computers that send a request out for their particular network. I was thinking whether it was possible to use a device such as that, or simply a computer, to sort of do the same concept. Basically the Xbox game sends a packet with certain data to a host, and we just intercept the packet and send a reply packet that shows we are that particular host.

This post has been edited by zrs_guy: Dec 31 2009, 08:01 AM
ledjohnnyboy
post Jan 1 2010, 01:50 AM
Post #42


X-S Young Member
*

Group: Members
Posts: 30
Joined: 22-November 09
Member No.: 426268
Xbox Version: v1.6
360 version: v1 (xenon)



Yes, this is also another idea that could work, although the packet that is sent out may or may not be encrypted. I'll look at it; if it is encrypted, the encryption may be a simple data scramble.
zrs_guy
post Jan 1 2010, 05:50 AM
Post #43


X-S Enthusiast


Group: Members
Posts: 25
Joined: 21-December 07
Member No.: 367186




http://img109.imageshack.us/img109/9454/maxping.jpg

Take a look at the data in that blue selection; obviously those are variables for determining or storing the host name. Now maybe by analyzing other files we might be able to find some examples of these hosts. In my opinion, if we can figure out what the packets being sent contain and what the packets being received contain, then we can send a reply packet that duplicates the reply packets being sent by an actual Xbox server.
henno88
post Jan 12 2010, 08:33 PM
Post #44


X-S Enthusiast


Group: Members
Posts: 5
Joined: 1-January 10
Member No.: 429541



Anything new to bypass the ping limit?
Cincinnatus
post Jan 14 2010, 04:24 AM
Post #45


X-S Enthusiast


Group: Members
Posts: 2
Joined: 10-January 10
Member No.: 430236
Xbox Version: unk
360 version: v3.0 (falcon)



QUOTE(zrs_guy @ Dec 31 2009, 01:56 AM)

Hi, is it just possible to intercept the packets that the 360 game sends so we can fake replies to those packets? Why make it so hard? It seems that it would be possible to just intercept and send reply packets so the 360 thinks it's getting a good connection under 30ms.


I was just going to suggest this as I was reading this thread. This has to be the easiest thing to do. Just have the PC intercept ICMP packets, find out the source information, drop the packet, spoof the reply; you're done.
http://diablohorn.wordpress.com/2008/12/06/icmp-spoof/

Am I missing something more complicated?

I feel this would be much easier than targeting each game.

