XEX: Difference between revisions
Jump to navigation
Jump to search
imported>Uberfry (Created page with 'XEX files are the default executable format. File-offset Description 0 "XEX2" 0x4 (module flags?) 0x10 File header offset 0x14 Definition count (see below) 0x18 Definition[…') |
imported>Offnfopt No edit summary |
||
| Line 1: | Line 1: | ||
== File Format Speculation == | |||
XEX is the executable file format used by the Xbox 360 operating system. It seems to be a crypto and packing container for PPC PE executable files, comparable to UPX [http://upx.sourceforge.net/ [1]] or TEEE Burneye. This would give more creedence to reports of .xex's being gigs large. Such speculation is also fueled by the presence of what appear to be clear text file and folder names. If games are Gigabyte sized .xex files then it's likely the 360 knows how to grab the section it needs into memory and decrypt/decompress on demand, instead of traditional all at once extraction. | |||
== Cryptography == | |||
The executable code seems to be crypted, though, there exists some uncrypted XEX files in the wild. | |||
The following program dumps what is supposed to be a hash table. Actually it has been reported to work with the first official "Backward Compatibility" .XEX File from Microsoft. It takes the XEX file as argument. | |||
<nowiki>// default.xex table dumper | |||
// only works with the default.xex from the xbox360 emulator update package. | |||
// - th0mas, th0mas.sixbit.org [at] gmail.com | |||
#include <stdio.h> | |||
#include <string.h> | |||
#define TABLE_START 0x288 | |||
struct table { | |||
unsigned int unknown[6]; | |||
}; | |||
unsigned int ByteSwap (unsigned int nInt) | |||
{ | |||
union u {unsigned int vi; unsigned char c[sizeof(unsigned int)];}; | |||
union v {unsigned int ni; unsigned char d[sizeof(unsigned int)];}; | |||
union u un; | |||
union v vn; | |||
un.vi = nInt; | |||
vn.d[0]=un.c[3]; | |||
vn.d[1]=un.c[2]; | |||
vn.d[2]=un.c[1]; | |||
vn.d[3]=un.c[0]; | |||
return (vn.ni); | |||
} | |||
void printTable(struct table *t) | |||
{ | |||
int i; | |||
for (i = 0; i < 6; i ) { | |||
int j = ByteSwap(t->unknown[i]); | |||
printf("0x%08x ", j); | |||
} | |||
printf("\n"); | |||
} | |||
int main(int argc, char **argv) | |||
{ | |||
FILE *fp = fopen(argv[1], "rb"); | |||
struct table tmp; | |||
int numEntries = 0; | |||
int i; | |||
fseek(fp, TABLE_START, SEEK_SET); | |||
fread(&numEntries, sizeof(unsigned int), 1, fp); | |||
numEntries = ByteSwap(numEntries); | |||
for (i = 0; i < numEntries; i ) { | |||
fread(&tmp, sizeof(struct table), 1, fp); | |||
printTable(&tmp); | |||
} | |||
} | |||
</nowiki> | |||
== Structure of the XEX File == | |||
A XEX file is composed of the following: | |||
* A 32 bytes XEX Header | |||
* Variable-length program/section headers | |||
* Program/Section content | |||
=== XEX Header === | |||
Total length: 24 bytes. Byte ordering is Big-Endian. | |||
{| border="1" cellpadding="2" | |||
| Address | |||
| Length (bytes) | |||
| Contains | |||
| Description | |||
|- | |||
| 0x0000 | |||
| 4 | |||
| { 'X', 'E', 'X', '2' } (0x58455832) | |||
| '''X'''360 '''EX'''ecutable Magic bytes (or: '''Xe'''non E'''x'''ecetuable format.) struct IMAGE_XEX_HEADER { ULONG Magic; | |||
|- | |||
| 0x0004 | |||
| 4 | |||
| 0x00000001 | |||
| Flags // ULONG ModuleFlags; | |||
|- | |||
| 0x0008 | |||
| 4 | |||
| 0x00002000 | |||
| Physical address of the code to unpack/decipher // ULONG SizeOfHeaders; | |||
|- | |||
| 0x000C | |||
| 4 | |||
| 0x00000000 | |||
| Unknown. Reserved // ULONG SizeOfDiscardableHeaders; | |||
|- | |||
| 0x0010 | |||
| 4 | |||
| 0x00000108 | |||
| Pointer to the beginning of the certificate, 256 bytes (2048bit) // struct XEX_SECURITY_INFO { ULONG Size; | |||
|- | |||
| 0x0014 | |||
| 4 | |||
| 0x0000000E | |||
| Number of entries in the general info table // ULONG ImageSize;... | |||
|} | |||
== Executable Format == | |||
XEX files are the default executable format. | XEX files are the default executable format. | ||
<pre><nowiki> | |||
File-offset Description | File-offset Description | ||
0 "XEX2" | 0 "XEX2" | ||
| Line 68: | Line 180: | ||
0x180 ImageDataCount[4] | 0x180 ImageDataCount[4] | ||
0x184...0x184+(IDC*24) ImageData0[8], ImageData1[8], ImageData2[8] | 0x184...0x184+(IDC*24) ImageData0[8], ImageData1[8], ImageData2[8] | ||
</nowiki></pre> | |||
Revision as of 02:51, 26 March 2010
File Format Speculation
XEX is the executable file format used by the Xbox 360 operating system. It seems to be a crypto and packing container for PPC PE executable files, comparable to UPX [1] or TEEE Burneye. This would give more creedence to reports of .xex's being gigs large. Such speculation is also fueled by the presence of what appear to be clear text file and folder names. If games are Gigabyte sized .xex files then it's likely the 360 knows how to grab the section it needs into memory and decrypt/decompress on demand, instead of traditional all at once extraction.
Cryptography
The executable code seems to be crypted, though, there exists some uncrypted XEX files in the wild.
The following program dumps what is supposed to be a hash table. Actually it has been reported to work with the first official "Backward Compatibility" .XEX File from Microsoft. It takes the XEX file as argument.
// default.xex table dumper
// only works with the default.xex from the xbox360 emulator update package.
// - th0mas, th0mas.sixbit.org [at] gmail.com
#include <stdio.h>
#include <string.h>
#define TABLE_START 0x288
struct table {
unsigned int unknown[6];
};
unsigned int ByteSwap (unsigned int nInt)
{
union u {unsigned int vi; unsigned char c[sizeof(unsigned int)];};
union v {unsigned int ni; unsigned char d[sizeof(unsigned int)];};
union u un;
union v vn;
un.vi = nInt;
vn.d[0]=un.c[3];
vn.d[1]=un.c[2];
vn.d[2]=un.c[1];
vn.d[3]=un.c[0];
return (vn.ni);
}
void printTable(struct table *t)
{
int i;
for (i = 0; i < 6; i ) {
int j = ByteSwap(t->unknown[i]);
printf("0x%08x ", j);
}
printf("\n");
}
int main(int argc, char **argv)
{
FILE *fp = fopen(argv[1], "rb");
struct table tmp;
int numEntries = 0;
int i;
fseek(fp, TABLE_START, SEEK_SET);
fread(&numEntries, sizeof(unsigned int), 1, fp);
numEntries = ByteSwap(numEntries);
for (i = 0; i < numEntries; i ) {
fread(&tmp, sizeof(struct table), 1, fp);
printTable(&tmp);
}
}
Structure of the XEX File
A XEX file is composed of the following:
- A 32 bytes XEX Header
- Variable-length program/section headers
- Program/Section content
XEX Header
Total length: 24 bytes. Byte ordering is Big-Endian.
| Address | Length (bytes) | Contains | Description |
| 0x0000 | 4 | { 'X', 'E', 'X', '2' } (0x58455832) | X360 EXecutable Magic bytes (or: Xenon Execetuable format.) struct IMAGE_XEX_HEADER { ULONG Magic; |
| 0x0004 | 4 | 0x00000001 | Flags // ULONG ModuleFlags; |
| 0x0008 | 4 | 0x00002000 | Physical address of the code to unpack/decipher // ULONG SizeOfHeaders; |
| 0x000C | 4 | 0x00000000 | Unknown. Reserved // ULONG SizeOfDiscardableHeaders; |
| 0x0010 | 4 | 0x00000108 | Pointer to the beginning of the certificate, 256 bytes (2048bit) // struct XEX_SECURITY_INFO { ULONG Size; |
| 0x0014 | 4 | 0x0000000E | Number of entries in the general info table // ULONG ImageSize;... |
Executable Format
XEX files are the default executable format.
File-offset Description 0 "XEX2" 0x4 (module flags?) 0x10 File header offset 0x14 Definition count (see below) 0x18 Definition[] Definition Description 0x2FF Module Sections 0x3FF 0x5FF Delta patch descriptor 0x4004 0x4104 0x42FF 0x80FF Binding path(s) 0x8105 0x10001 Load Address 0x10100 Entry Point 0x10201 Base Address 0x103FF Import Libraries 0x18002 Checksum[4], Filetime[4] 0x18102 (something debug related) 0x183FF PE Name 0x200FF Static Libraries UINT32 Total size entries[total size / 0x10] 0x20104 TLS UINT32 Number of Slots UINT32 Raw Data Address UINT32 Data Size UINT32 Raw Data Size 0x20200 Get Stack Size 0x20301 Cache Element Count 0x30000 0x40006 MediaID[4], Version[4], Baseversion[4], TitleID[4] 0x40310 Game Ratings UINT8 ESRB UINT8 PEGI UINT8 PEGI-FI UINT8 PEGI-PT UINT8 PEGI_BBFC UINT8 CERO UINT8 USK UINT8 OFLCAU UINT8 OFLCNZ UINT8 KMRB UINT8 BRASIL UINT8 FPB 0x40404 Lan Key (16 Bytes) 0x406FF Multidisc, accepted Media IDs 0x40801 FileHeaderOffset Description 0 HeaderSize[4] 0x4 Image Size[4] 0x8 RSA Signature 0x10C (resulting Image size?)[4] 0x110 LoadAddress 0x140 MediaID[16] 0x150 (AES key seed?)[16] 0x164 (Input to SHA)[0x14] 0x178 Region[4] 0x17C SHA Hash[0x14] 0x180 ImageDataCount[4] 0x184...0x184+(IDC*24) ImageData0[8], ImageData1[8], ImageData2[8]