XEX: Difference between revisions
imported>Gamewizard71 |
|||
Line 71: | Line 71: | ||
== XEX Header == | == XEX Header == | ||
Total length: 24 bytes | Total length: 24 bytes. | ||
{| border= | Byte ordering: [[Big Endian]]. | ||
{| border=1 | |||
|- | |- | ||
! Offset | |||
! Length | |||
! Type | |||
! Information | |||
|- | |- | ||
| | | 0x0 | ||
| | | 0x4 | ||
| | | ascii string | ||
| | | "XEX2" magic | ||
|- | |- | ||
| | | 0x4 | ||
| | | 0x8 | ||
| | | module flags (see below) | ||
| | | Flags | ||
|- | |- | ||
| | | 0x8 | ||
| | | 0xC | ||
| | | unsigned int | ||
| | | PE data offset | ||
|- | |- | ||
| | | 0xC | ||
| | | 0x10 | ||
| | | unsigned int | ||
| | | Reserved | ||
|- | |- | ||
| | | 0x10 | ||
| | | 0x14 | ||
| | | unsigned int | ||
| | | Security Info Offset | ||
|- | |||
| 0x14 | |||
| 0x18 | |||
| unsigned int | |||
| Optional Header Count | |||
|} | |} | ||
The Flags field is a bitfield, as shown below: | |||
bit 0 - Title Module | |||
bit 1 - Exports To Title | |||
bit 2 - System Debugger | |||
bit 3 - DLL Module | |||
bit 4 - Module Patch | |||
bit 5 - Patch Full | |||
bit 6 - Patch Delta | |||
bit 7 - User Mode | |||
== General info table == | == General info table == |
Revision as of 14:48, 11 August 2010
This page needs to be cleaned up, because its either hard to read or contains very little information. You can help Free60 by editing this page and cleaning it up. |
File Format Speculation
XEX is the executable file format used by the Xbox 360 operating system. It seems to be a crypto and packing container for PPC PE executable files, comparable to UPX [1] or TEEE Burneye. This would give more creedence to reports of .xex's being gigs large. Such speculation is also fueled by the presence of what appear to be clear text file and folder names. If games are Gigabyte sized .xex files then it's likely the 360 knows how to grab the section it needs into memory and decrypt/decompress on demand, instead of traditional all at once extraction.
Cryptography
The executable code seems to be crypted, though, there exists some uncrypted XEX files in the wild.
The following program dumps what is supposed to be a hash table. Actually it has been reported to work with the first official "Backward Compatibility" .XEX File from Microsoft. It takes the XEX file as argument.
// default.xex table dumper // only works with the default.xex from the xbox360 emulator update package. // - th0mas, th0mas.sixbit.org [at] gmail.com #include <stdio.h> #include <string.h> #define TABLE_START 0x288 struct table { unsigned int unknown[6]; }; unsigned int ByteSwap (unsigned int nInt) { union u {unsigned int vi; unsigned char c[sizeof(unsigned int)];}; union v {unsigned int ni; unsigned char d[sizeof(unsigned int)];}; union u un; union v vn; un.vi = nInt; vn.d[0]=un.c[3]; vn.d[1]=un.c[2]; vn.d[2]=un.c[1]; vn.d[3]=un.c[0]; return (vn.ni); } void printTable(struct table *t) { int i; for (i = 0; i < 6; i ) { int j = ByteSwap(t->unknown[i]); printf("0x%08x ", j); } printf("\n"); } int main(int argc, char **argv) { FILE *fp = fopen(argv[1], "rb"); struct table tmp; int numEntries = 0; int i; fseek(fp, TABLE_START, SEEK_SET); fread(&numEntries, sizeof(unsigned int), 1, fp); numEntries = ByteSwap(numEntries); for (i = 0; i < numEntries; i ) { fread(&tmp, sizeof(struct table), 1, fp); printTable(&tmp); } }
Structure of the XEX File
A XEX file is composed of the following:
- A 32 bytes XEX Header
- Variable-length program/section headers
- Program/Section content
XEX Header
Total length: 24 bytes.
Byte ordering: Big Endian.
Offset | Length | Type | Information |
---|---|---|---|
0x0 | 0x4 | ascii string | "XEX2" magic |
0x4 | 0x8 | module flags (see below) | Flags |
0x8 | 0xC | unsigned int | PE data offset |
0xC | 0x10 | unsigned int | Reserved |
0x10 | 0x14 | unsigned int | Security Info Offset |
0x14 | 0x18 | unsigned int | Optional Header Count |
The Flags field is a bitfield, as shown below:
bit 0 - Title Module bit 1 - Exports To Title bit 2 - System Debugger bit 3 - DLL Module bit 4 - Module Patch bit 5 - Patch Full bit 6 - Patch Delta bit 7 - User Mode
General info table
Total length: variable
Byte ordering is Big-Endian.
This table holds a list of pointers and flags describing the different sections of information needed to load and run the executable.
Every entry in this table is composed of two dwords, the first one is a bitfield and the other one is either an address, an offset or some value.
Here's the description of the flag dword:
First byte | Second byte | Third byte | Fourth byte |
Unused/Reserved | Info class | Info type | Size byte |
Unused/Reserved byte
The first byte seems to be unused or reserved, we didn't have a XEX file with this byte set already.
Info class
Value | Name |
0x00 | Initialization info |
0x02 | Execution info |
0x03 | Library loading and mapping info |
0x04 | Unknown |
Info type byte
Value | Description |
0x02 | Content mapping |
0x03 | Offsets or checksums |
0x80 | Executable path |
Execution class types
Value | Description |
0x00 | Original base address |
0x01 | Entry point |
0x02 | Address Where to load the text (execution data) |
0x03 | Unknown address table, probably some kind of PLT. |
0x80 | IDs |
0x83 | Original PE Filename |
Library loading and mapping info class types
Value | Description |
0x00 | Libraries to load |
0x01 | Default stack size |
0x02 | Unknown value |
Unknown class types
Value | Description |
0x00 | Unknown value |
0x04 | Unknown value |
Size byte
The size byte holds the size of the data that is pointed by the offset dword, in number of dwords. If this byte is 0xFF the size will be stored in the first dword pointed by the offset. If it is 0x00 or 0x01 the second dword will be a memory offset or a size value or something similar.
Program / Section content
The program holds a PE file which is crypted/packed, usually starting at offset 0x2000 (described in the XEX header). It's possible to have this PE uncrypted/unpacked on debug XEX files. Section contents are encrypted with CBC AES, with the key changing for each file. It's probably derived from the RSA(?) block at the beginning and a "secret" public key in the box. Contents are compressed with microsoft's proprietary LDIC compression (hello, xbox1!).
Miscellaneous
Strings found in some XEX Files
These appear to be important strings found in the update file
- Directories?
- XAdu
- $UPDATES
- MEDIA
- \Device\CdRom0\default.xex
- installupdate.exe
- The xboxkrnl is updated using the updates.
- xam.xex
- xboxkrnl.exe
- Library includes:
- XUIRNDR
- XAUD
- XGRAPHC
- XRTLLIB
- XAPILIB
- LIBCMT
- XBOXKRNL
- D3D9
- XUIRUN
- XUIRNDR
Availability of XEX files
There are currently at least four XEX files freely available on the net:
- Original Xbox Game Support November 2005 update found on http://www.xbox.com/en-US/games/backwardscompatibility.htm.
- Original Xbox Game Support December 2005 update found on http://www.xbox.com/en-US/games/backwardscompatibility.htm.
- Windows XP Media Center Edition Update Rollup 2 from http://www.xbox.com/en-US/pcsetup/alldownloads.htm. Use cabextract to extract the executable file, then do the same on mcrdinstaller/ehd.cab inside the archive. This cabinet file contains XboxMcx.xex.
- XBOX 360 HD DVD Update found on http://www.xbox.com/en-us/hardware/x/xbox360hddvdplayer/download.htm#disc
Programs
- xextools[2] -- A library and tools for manipulating xex files (xexread replacement).
- xexdump[3] -- Dumps information about xex files (perl)
- xexdump[4] -- Dumps information about xex files (windows)
Executable Format
XEX files are the default executable format.
File-offset Description 0 "XEX2" 0x4 (module flags?) 0x10 File header offset 0x14 Definition count (see below) 0x18 Definition[] Definition Description 0x2FF Module Sections 0x3FF 0x5FF Delta patch descriptor 0x4004 0x4104 0x42FF 0x80FF Binding path(s) 0x8105 0x10001 Load Address 0x10100 Entry Point 0x10201 Base Address 0x103FF Import Libraries 0x18002 Checksum[4], Filetime[4] 0x18102 (something debug related) 0x183FF PE Name 0x200FF Static Libraries UINT32 Total size entries[total size / 0x10] 0x20104 TLS UINT32 Number of Slots UINT32 Raw Data Address UINT32 Data Size UINT32 Raw Data Size 0x20200 Get Stack Size 0x20301 Cache Element Count 0x30000 0x40006 MediaID[4], Version[4], Baseversion[4], TitleID[4] 0x40310 Game Ratings UINT8 ESRB UINT8 PEGI UINT8 PEGI-FI UINT8 PEGI-PT UINT8 PEGI_BBFC UINT8 CERO UINT8 USK UINT8 OFLCAU UINT8 OFLCNZ UINT8 KMRB UINT8 BRASIL UINT8 FPB 0x40404 Lan Key (16 Bytes) 0x406FF Multidisc, accepted Media IDs 0x40801 FileHeaderOffset Description 0 HeaderSize[4] 0x4 Image Size[4] 0x8 RSA Signature 0x10C (resulting Image size?)[4] 0x110 LoadAddress 0x140 MediaID[16] 0x150 (AES key seed?)[16] 0x164 (Input to SHA)[0x14] 0x178 Region[4] 0x17C SHA Hash[0x14] 0x180 ImageDataCount[4] 0x184...0x184+(IDC*24) ImageData0[8], ImageData1[8], ImageData2[8]