xboxscene.org forums

Pages: 1 2 [3] 4 5 ... 9

Author Topic: Ping Limit Bypass  (Read 1543 times)

birdy57

  • Archived User
  • Newbie
  • Posts: 2
Ping Limit Bypass
« Reply #30 on: December 20, 2009, 08:08:00 AM »

I have just been looking into it; it appears that all frames follow the same structure.
The first 34 bytes are the system link header:
- 4 bytes: CMD
- 2 bytes: option, .....
We can see a sequence number, an answer number ...

The CMD for ping is 00:00:00:00 00:58 and the answer is 00:00:00:00 01:58.

But all bytes after 0x34 are encrypted; if we can find out how these bytes are encrypted, we can fake an echo reply.

ledjohnnyboy

  • Archived User
  • Newbie
  • Posts: 26
Ping Limit Bypass
« Reply #31 on: December 21, 2009, 11:37:00 PM »

So when you are talking about the line of code you found, is this in the XEX or in the packets the Xbox sends out? Thx

birdy57

  • Archived User
  • Newbie
  • Posts: 2
Ping Limit Bypass
« Reply #32 on: December 22, 2009, 03:59:00 AM »

Hi,

This CMD comes out of the packets the Xbox sends out.
All system link games use the same, and they are generated by the M$ API.

Not exactly ALL, because some old games don't have this "ping limit", but they use the same API.

I see now two possible solutions:
- Find in the NAND the key used to encrypt the data after 0x34 and then fake an echo reply (the best, because there is no need to have a hacked Xbox).

- Compare the API call in this old game and a new one. Then modify the XEX to disable this "ping test".

Ledjohnnyboy, you have done a good search; if you now find the call to this API, for sure you can disable this limit.

ledjohnnyboy

  • Archived User
  • Newbie
  • Posts: 26
Ping Limit Bypass
« Reply #33 on: December 22, 2009, 04:13:00 PM »

Your idea of modifying the NAND sounds great; that way we can just flash with a modified NAND and never worry about changing each XEX. Hopefully the key that has to be decrypted and sent back is exactly the same for all Xboxes (I think it is). By the way, what method are you using to read the NAND data?
Thanks for your help guys!

d0ct0r46

  • Archived User
  • Newbie
  • Posts: 29
Ping Limit Bypass
« Reply #34 on: December 28, 2009, 12:35:00 PM »

This is great stuff.

I've said for ages someone needs to crack this ping limit in system link. It would be like the old days - xbox, xlink & halo 2...... rock on.

I would love to help but don't know enough, but you guys rule; keep up the good work, I'm sure you'll crack it.

Full support given.

maximilian0017

  • Archived User
  • Full Member
  • Posts: 115
Ping Limit Bypass
« Reply #35 on: December 28, 2009, 01:00:00 PM »

QUOTE(d0ct0r46 @ Dec 28 2009, 08:35 PM)

This is great stuff.


Looking at these kinds of threads always makes me smile.

ramaa

  • Archived User
  • Newbie
  • Posts: 7
Ping Limit Bypass
« Reply #36 on: December 29, 2009, 05:18:00 PM »

YESSS guys keep going
I've got no frigging idea what you are saying but I think you are close
You have my support

Can't wait to play with those European guys

zrs_guy

  • Archived User
  • Newbie
  • Posts: 12
Ping Limit Bypass
« Reply #37 on: December 30, 2009, 11:56:00 PM »

Hi, is it possible to just intercept the packets that the 360 game sends so we can fake replies to those packets? Why make it so hard? It seems that it would be possible to just intercept them and send reply packets so the 360 thinks it's getting a good connection under 30ms. Anyhow, that is just a general idea, as I know there is a lot involved. A good example of this can be found in Hak5 episode: http://www.hak5.org/...des/episode-405.

By the way, the episode basically shows how a device responds to Windows computers that send out a request for their particular network. I was wondering if it would be possible to use a device such as that, or simply a computer, to sort of do the same thing. Basically the Xbox game sends a packet with certain data to a host, and we just intercept the packet and send a reply packet that shows we are that particular host.

ledjohnnyboy

  • Archived User
  • Newbie
  • Posts: 26
Ping Limit Bypass
« Reply #38 on: December 31, 2009, 05:50:00 PM »

Yes, this is also another idea that could work, although the packet that is sent out may or may not be encrypted. I'll look at it; if it is encrypted, the encryption may be a simple data scramble.

zrs_guy

  • Archived User
  • Newbie
  • Posts: 12
Ping Limit Bypass
« Reply #39 on: December 31, 2009, 09:50:00 PM »


http://img109.images...454/maxping.jpg

Take a look at the data in that blue selection; obviously those are variables for determining or storing the host name. Now maybe by analyzing other files we might be able to find some examples of these hosts. In my opinion, if we can figure out what the packets being sent contain and what the packets being received contain, then we can send a reply packet that duplicates the reply packets being sent by an actual Xbox server.

henno88

  • Archived User
  • Newbie
  • Posts: 5
Ping Limit Bypass
« Reply #40 on: January 12, 2010, 12:33:00 PM »

Anything new to bypass the ping limit?

Cincinnatus

  • Archived User
  • Newbie
  • Posts: 2
Ping Limit Bypass
« Reply #41 on: January 13, 2010, 08:24:00 PM »

QUOTE(zrs_guy @ Dec 31 2009, 01:56 AM)

Hi, is it possible to just intercept the packets that the 360 game sends so we can fake replies to those packets? Why make it so hard? It seems that it would be possible to just intercept them and send reply packets so the 360 thinks it's getting a good connection under 30ms.


I was just going to suggest this as I was reading this thread. This has to be the easiest thing to do. Just have the PC intercept ICMP packets, find out the source information, drop the packet, spoof the reply; you're done.
http://diablohorn.wo.../06/icmp-spoof/

Am I missing something more complicated?

I feel this would be much easier than targeting each game.

xboxbman

  • Archived User
  • Full Member
  • Posts: 154
Ping Limit Bypass
« Reply #42 on: January 15, 2010, 02:30:00 PM »

QUOTE(Cincinnatus @ Jan 13 2010, 10:24 PM)

I was just going to suggest this as I was reading this thread. This has to be the easiest thing to do. Just have the PC intercept ICMP packets, find out the source information, drop the packet, spoof the reply; you're done.
http://diablohorn.wordpress.com/2008/12/06/icmp-spoof/

Am I missing something more complicated?

I feel this would be much easier than targeting each game.


Last I checked, all the network traffic to and from the 360 is encrypted. Ever try pinging a 360? They don't ping back, because your ping is not encrypted.

Good luck though. This thread had me laughing. There are more people saying "I don't know what is going on, but I support this" than any relevant information.

I am hoping someone will recommend bruteforcing the encryption. That always makes me laugh.

Cincinnatus

  • Archived User
  • Newbie
  • Posts: 2
Ping Limit Bypass
« Reply #43 on: January 16, 2010, 04:48:00 PM »

QUOTE(xboxbman @ Jan 15 2010, 04:30 PM)

Last I checked, all the network traffic to and from the 360 is encrypted. Ever try pinging a 360? They don't ping back, because your ping is not encrypted.

Good luck though. This thread had me laughing. There are more people saying "I don't know what is going on, but I support this" than any relevant information.

I am hoping someone will recommend bruteforcing the encryption. That always makes me laugh.

Judging by your response, it sounds like it is not sending out traditional ICMP packets. The console could have a simple firewall rule to block ICMP traffic; that doesn't mean the console's 'PING' requests are encrypted, though. Although it could be encrypting TCP/UDP packets at L4, and the console is just timing the other console's response (or sending it out unencrypted). I'm curious how the boxes do key agreement, and whether or not it's built into the individual games or the consoles.

I can't imagine typical gameplay traffic being encrypted and decrypted at a software layer. The best way to see what's going on is to sniff the traffic, I guess.

neo8222

  • Archived User
  • Newbie
  • Posts: 6
Ping Limit Bypass
« Reply #44 on: January 19, 2010, 05:34:00 PM »

I'm not sure if it will help, but I sniffed the packet sent when searching for a system link game.
PIK-A-TURE!
Next time someone's online for the games I have, I'll sniff the packets sent when attempting a connection.