Microsoft has finally gotten smart on us. The Halo 2 Vista executable ("halo2.exe") and the XLive module ("xlive.dll") are digitally signed: a SHA-1 (Secure Hash Algorithm 1) hash of each file is signed, and the signature is carried in an accompanying ".cat" file (a Windows security catalog, which holds the signatures for the files it lists rather than embedding them in each file). Changing even one byte of these files changes the hash, so the signature no longer verifies. SHA-1 is a hash, not encryption, so there is nothing to decrypt and no way to get the file back out of the hash. I'm not in this field of computers anyway. Signing uses a key pair: a public key and a private key. The private key is known only to the signer, who uses it to sign the hash and produce the Digital Signature. The public key is used, together with the Digital Signature and an independently computed hash of the file, to verify the integrity of the file. The public key is at the user end. So basically, this is what is protecting the executable.
Attaching a debugger to Halo 2 Vista will only lead to possible slamming of the keyboard into the wall after the game crashes several times. There are several ways to detect a debugger, but the specific methods used by Halo 2 Vista are unknown at this time. You can still attach a debugger and set breakpoints to get what you need, but you will only have around 5-10 seconds to do so until the game finally crashes. I prefer to use Tsearch's debugger, since it has a quick attach and breakpoint system. However, your end results will pretty much be useless. Attempting to modify game instructions at run time will also cause the game to blow up in your face. The timing of the crash is random, but it will usually happen within 30 seconds of the change.
There is, however, a way around this if you need to execute an instruction. You can write a code cave outside the executable's own memory pages, or create a DLL with a DetourFunction or something similar. For example, there is an instruction that refills the ammo of the gun you're currently holding. You can detour that function to a custom function that gives you a ton of ammo, call it, then write the original bytes back. Doing this takes only a split second, so it will not be detected. There is always a risk of crashing, though.
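As an added example (not code from the original post), here is the detour, call, restore sequence in C for a stand-in function. Everything here is constructed: refill_ammo and refill_ammo_hooked stand in for the game's routine and your replacement (in the game you would find the real address with a debugger or a byte-pattern scan), and mprotect stands in for VirtualProtect on Windows. The patch is a 5-byte relative JMP, so the code is x86-only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Stand-ins for game state and the "refill the current weapon" routine.
 * Constructed for this example; the real routine lives at an address you
 * would locate with a debugger. */
static volatile int current_ammo = 0;

static __attribute__((noinline)) void refill_ammo(void)
{
    current_ammo = 12;              /* one normal magazine */
}

/* Our replacement with the same (empty) signature: "a ton of ammo". */
static __attribute__((noinline)) void refill_ammo_hooked(void)
{
    current_ammo = 9999;
}

#define PATCH_LEN 5                 /* E9 <rel32>: a 5-byte relative JMP */

int detour_supported(void)
{
#if defined(__x86_64__) || defined(__i386__)
    return 1;
#else
    return 0;                       /* the JMP encoding below is x86-only */
#endif
}

/* Make the page(s) holding [addr, addr+len) writable as well as executable.
 * mprotect is the POSIX counterpart of VirtualProtect(PAGE_EXECUTE_READWRITE). */
static int make_code_writable(void *addr, size_t len)
{
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)addr & ~(page - 1);
    uintptr_t end = ((uintptr_t)addr + len + page - 1) & ~(page - 1);
    return mprotect((void *)start, end - start, PROT_READ | PROT_WRITE | PROT_EXEC);
}

/* Overwrite the first five bytes of `target` with JMP hook, keeping a copy of
 * the original bytes in `saved` so the patch can be undone. */
static int install_detour(void *target, void *hook, uint8_t saved[PATCH_LEN])
{
    if (make_code_writable(target, PATCH_LEN) != 0)
        return -1;
    memcpy(saved, target, PATCH_LEN);
    /* rel32 is measured from the end of the JMP instruction itself */
    int32_t rel = (int32_t)((intptr_t)hook - ((intptr_t)target + PATCH_LEN));
    uint8_t jmp[PATCH_LEN];
    jmp[0] = 0xE9;
    memcpy(jmp + 1, &rel, sizeof rel);
    memcpy(target, jmp, PATCH_LEN);
    return 0;
}

static void remove_detour(void *target, const uint8_t saved[PATCH_LEN])
{
    memcpy(target, saved, PATCH_LEN);   /* original bytes back: nothing left to find */
}

/* The sequence the text describes: detour, call, restore. Returns the ammo
 * value seen while the detour was live and, through after_restore, the value
 * once the original bytes are back. Returns -1 if patching is not possible. */
int run_detour_demo(int *after_restore)
{
    uint8_t saved[PATCH_LEN];

    if (!detour_supported())
        return -1;
    if (install_detour((void *)refill_ammo, (void *)refill_ammo_hooked, saved) != 0)
        return -1;
    refill_ammo();                      /* now lands in refill_ammo_hooked */
    int live = current_ammo;
    remove_detour((void *)refill_ammo, saved);
    refill_ammo();                      /* original behaviour again */
    if (after_restore)
        *after_restore = current_ammo;
    return live;
}

int main(void)
{
    int after = 0;
    int live = run_detour_demo(&after);
    printf("ammo with detour: %d, after restore: %d\n", live, after);
    return (live == 9999 && after == 12) ? 0 : 1;
}
```

The five-byte write is not atomic, and here the patch is installed and removed from the same thread that calls the function. In a game, another thread can run into the half-written prologue, which is one concrete source of the "risk of crashing" mentioned above; a DLL-based detour library handles that by suspending other threads or by writing the patch in an order that is safe at every step.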
There was an old trick where you could change the ("xlive.cfg") file, but that does not work for Halo 2 Vista. Any modification to the xlive files will stop the game from starting.
Xbox Security Concept
Source: http://www.xbox-linux.org/docs/xbesecurity.html
Quote:
Xbox Security Concept
by Franz Lehner, 8 December 2002
Basically, the XBE consists of 2 major parts:
1. The Header
2. The Sections
The sections contain the "program", and the header holds the security information like the signature, pointers ...
As the Xbox loads sections "on demand" only, the "normal" signing process has been enhanced.
First, when loading the XBE, the Xbox does the following:
Explanation:
When the Xbox loads an XBE file, it first checks whether the header is "valid".
This is done by comparing the calculated SHA-1 hash against the decrypted RSA signature.
The RSA signature is "padded" in the format 01FFFFFFFFFFFFFF.......FF00(HASH 20bytes)
When the hash (20 bytes) matches, the Xbox starts loading the sections.
When loading a section, the section is first loaded into memory. Its values (size, position) come from the header, where each section is described exactly.
Then the section is hashed and compared to the hash value in the header.
Additional info:
The SHA-1 hash is modified slightly. Exactly, it does this:
SHA1_Init(&sha_ctx);
SHA1_Update(&sha_ctx, (unsigned char *)&len, 4);
SHA1_Update(&sha_ctx, data, len);
SHA1_Final(result, &sha_ctx);
This means the first 4 bytes are the length of the section. This is indeed senseless, as the length of the complete SHA-1 message is already appended to the last block in SHA-1. Maybe this was meant as a confusion thing.
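As an added example (not code from the quoted document or the original post), the following Python models both the sign-then-verify idea described at the top of this page and the two-stage check the quoted text describes: the header is signed, the signature is "decrypted" with the public key and checked against the 01 FF..FF 00 HASH padding, and each section is then hashed with the length-prefixed SHA-1 and compared with the digest stored in the header. Assumptions: the RSA key is a toy built from two Mersenne primes so it runs offline (a real signer uses a proper key), the length prefix is little-endian, the header hash uses the same length-prefixed variant as the sections, and the header layout (a count followed by offset, size, digest entries) is invented for the example.

```python
import hashlib
import struct

# Toy RSA key built from two Mersenne primes so the example runs with only the
# standard library. Constructed for this example; not a real signing key.
P = (1 << 107) - 1
Q = (1 << 127) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus / signature length in bytes (30)


def xbe_sha1(data: bytes) -> bytes:
    """SHA-1 over (4-byte length || data), the variant the quoted text describes."""
    h = hashlib.sha1()
    h.update(struct.pack("<I", len(data)))   # assumption: little-endian length
    h.update(data)
    return h.digest()


def pad_digest(digest: bytes) -> bytes:
    """Build the block 01 FF..FF 00 || digest, sized to the modulus."""
    fill = K - 2 - len(digest)
    if fill < 1:
        raise ValueError("modulus too small for this padding")
    return b"\x01" + b"\xff" * fill + b"\x00" + digest


def sign_header(header: bytes) -> bytes:
    """Private-key operation: the signer's side."""
    m = int.from_bytes(pad_digest(xbe_sha1(header)), "big")
    return pow(m, D, N).to_bytes(K, "big")


def verify_header(header: bytes, signature: bytes) -> bool:
    """Public-key operation: recover the padded block and check shape and hash."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    block = pow(s, E, N).to_bytes(K, "big")
    if block[0] != 0x01:
        return False
    sep = block.find(b"\x00", 1)
    if sep < 2 or any(b != 0xFF for b in block[1:sep]):
        return False
    return block[sep + 1:] == xbe_sha1(header)


ENTRY = struct.Struct("<II20s")        # offset, size, section hash (invented layout)


def build_image(sections):
    """Lay sections out back to back and write a header describing each one.

    Returns (header, signature, body). Only the header is signed; the sections
    are hashed, and the loader checks each one as it is loaded.
    """
    body = bytearray()
    entries = []
    for data in sections:
        entries.append(ENTRY.pack(len(body), len(data), xbe_sha1(data)))
        body += data
    header = struct.pack("<I", len(sections)) + b"".join(entries)
    return header, sign_header(header), bytes(body)


def load_image(header: bytes, signature: bytes, body: bytes) -> str:
    """Mimic the loader: header signature first, then each section on demand."""
    if not verify_header(header, signature):
        return "bad header signature"
    (count,) = struct.unpack_from("<I", header, 0)
    for i in range(count):
        off, size, expected = ENTRY.unpack_from(header, 4 + i * ENTRY.size)
        section = body[off:off + size]
        if len(section) != size or xbe_sha1(section) != expected:
            return f"section {i} hash mismatch"
    return "ok"


if __name__ == "__main__":
    # Constructed stand-ins for an XBE's sections.
    sections = [b".text: program code goes here", b".data: constants go here"]
    header, signature, body = build_image(sections)
    print("untouched image:", load_image(header, signature, body))

    patched = bytearray(body)
    patched[3] ^= 0x01                  # flip one bit inside section 0
    print("patched section:", load_image(header, signature, bytes(patched)))

    forged = bytearray(header)
    forged[4] ^= 0x01                   # move section 0's offset in the header
    print("patched header: ", load_image(bytes(forged), signature, body))
```

The two failure paths are the point: a byte changed in a section gets past the signature check and is caught only when that section is hashed at load time, while any change to the header (including swapping in a new section digest) breaks the signature, because the header digest is what the private key signed.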
I have researched only to find that Halo 2 Vista calls these API functions (the SHA1_Init, SHA1_Update and SHA1_Final calls quoted above). I have yet to play with them, but plan to do so in the future. These functions are part of the OpenSSL library, which can be found here:
http://www.openssl.org/source/.
I believe this is part of the scanning routine they run during runtime, but I am not absolutely sure. Several other APIs also get called during runtime, several hundred times a minute: InterlockedExchange, InterlockedCompareExchange, and InterlockedIncrement. For more information, visit MSDN.