
Xbox 360 Forza 4 and Forza Horizon Save Hash / AES Encryption check Bypass

JYSB59

Heyyyy guys, I was looking for stuff on Google and completely by chance I came across this.

This is a XEX patch that removes the AES encryption check of save games on Forza 4 and Forza Horizon, made by mojobojo.

(I'm making this thread because I see that the save modding services are still active and that this could interest someone, and I found it a pity that this bypass is not very well known when a lot of research work went into it, so I'm sharing lol)

Note: This is for JTAG or RGH only, and the Title Update of the games is not specified, so I'm not sure it works.

Forza 4 Patch Bypass
Code:
#
# mojobojo 2011
# Forza 4 savegame crypto bypass
#

# Skip the savegames hash verification
.long 0x82962CC8
.long ( 1f - 0f ) / 4
0:
    # Replacement instruction; the original code is in the trailing comment
    nop # bne       loc_82962D24
1:

# Skip the decryption
.long 0x82962CEC
.long ( 1f - 0f ) / 4
0:
    # Replacement instructions; the original code is in the trailing comments
    nop # bl        XeKeysAesCbcUsingKey
    nop # cmpwi     r3, 0
    nop # blt       loc_82962D24
1:

# Skip the encryption
.long 0x82962E50
.long ( 1f - 0f ) / 4
0:
    # Replacement instructions; the original code is in the trailing comments
    nop # bl        XeKeysAesCbcUsingKey
    nop # cmpwi     r3, 0
    nop # blt       loc_82962F04
1:

.long 0xFFFFFFFF

Forza Horizon Bypass
Code:
# ============================================================================
#   Patches
# ============================================================================
# Add your patches here

        .globl _start

_start:

# ============================================================================
#   Remove Hash check
# ============================================================================

        .long 0x82C66548 - 0x8000
        .long (9f - 0f) / 4

0:
    nop
9:

# ============================================================================
#   Remove AES decrypt
# ============================================================================

        .long 0x82C6656C - 0x8000
        .long (9f - 0f) / 4

0:
    li        %r3, 0
9:

# ============================================================================
#   Remove AES encrypt
# ============================================================================

        .long 0x82C666D0 - 0x8000
        .long (9f - 0f) / 4

0:
    li        %r3, 0
9:


# DO NOT INSERT ANYTHING BELOW THIS POINT!!!
# ============================================================================
        .long 0xffffffff
        .end
# ============================================================================

How to use (for kids):

XePatcher : http://www.logic-sunrise.com/forums/files/download/1671-xepatcher-v11/
Xextool : http://www.logic-sunrise.com/forums/files/download/4377-xextool-v63/

First, how to use this code?

Take this code and copy it into a text editor (Notepad++, note....)

Save it with the name "Patch.s"

Take the XePatcher tool (basically we just created a "patch" file, and XePatcher will simply compile it and apply it to the selected xex, like xextool patches a game with xex and xexp; note: put xextool.exe and Patch.s in the same folder as XePatcher)

Open cmd and (in the XePatcher location) enter this command: xepatcher -p Patch.s -x EXAMPLE.xex

After that, the xex is patched

Big thanks to Mojobojo for finding this

Enjoy

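To review which instruction words a patch file like the two listings above overwrites before it is applied to an executable, the assembled records can be decoded and listed. This is an added example, not part of the original post or of mojobojo's code: the function names are hypothetical, the flat big-endian layout (address, word count, instruction words, ended by 0xFFFFFFFF) is an assumption inferred from the `.long` directives in the listings, and the sample blob is constructed by hand from the Forza 4 listing.

```python
import struct

END_MARKER = 0xFFFFFFFF  # terminator word, as in the listings above
# Standard PowerPC encodings of the two replacement instructions used above.
KNOWN_WORDS = {0x60000000: "nop", 0x38600000: "li r3, 0"}

def parse_patch_blob(blob: bytes):
    """Return [(address, [word, ...]), ...] from an assembled patch blob.

    Assumed layout: big-endian 32-bit words; each record is an address, a
    word count, then that many instruction words; 0xFFFFFFFF ends the list.
    """
    if len(blob) % 4:
        raise ValueError("blob length is not a multiple of 4 bytes")
    words = struct.unpack(f">{len(blob) // 4}I", blob)
    records, i = [], 0
    while True:
        if i >= len(words):
            raise ValueError("missing 0xFFFFFFFF terminator")
        address = words[i]
        if address == END_MARKER:
            return records
        if i + 1 >= len(words):
            raise ValueError(f"record at 0x{address:08X} has no word count")
        count = words[i + 1]
        body = words[i + 2 : i + 2 + count]
        if len(body) != count:
            raise ValueError(f"record at 0x{address:08X} is truncated")
        records.append((address, list(body)))
        i += 2 + count

def describe(records):
    """One line per overwritten instruction word, for review before use."""
    lines = []
    for address, body in records:
        for n, word in enumerate(body):
            text = KNOWN_WORDS.get(word, "unrecognized")
            lines.append(f"0x{address + 4 * n:08X}: {word:08X}  {text}")
    return lines

# Constructed sample: the Forza 4 listing above, assembled by hand.
SAMPLE = struct.pack(
    ">14I",
    0x82962CC8, 1, 0x60000000,
    0x82962CEC, 3, 0x60000000, 0x60000000, 0x60000000,
    0x82962E50, 3, 0x60000000, 0x60000000, 0x60000000, 0xFFFFFFFF,
)

print("\n".join(describe(parse_patch_blob(SAMPLE))))
```
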
MoPar Magician

Being this is XEX stuff, I can only assume it is JTAG/RGH only.

As a Hex Coder on Retail I sure nuff would love to be able to bypass security and do some engine swaps by code.
 