XEX

From Free60

Jump to: navigation, search

Contents

[edit] File Format Speculation

XEX is the executable file format used by the Xbox 360 operating system. It seems to be a crypto and packing container for PPC PE executable files, comparable to UPX [1] or TEEE Burneye. This would give more creedence to reports of .xex's being gigs large. Such speculation is also fueled by the presence of what appear to be clear text file and folder names. If games are Gigabyte sized .xex files then it's likely the 360 knows how to grab the section it needs into memory and decrypt/decompress on demand, instead of traditional all at once extraction.


[edit] Cryptography

The executable code seems to be crypted, though, there exists some uncrypted XEX files in the wild.

The following program dumps what is supposed to be a hash table. Actually it has been reported to work with the first official "Backward Compatibility" .XEX File from Microsoft. It takes the XEX file as argument. 

// default.xex table dumper
// only works with the default.xex from the xbox360 emulator update package.
// - th0mas, th0mas.sixbit.org [at] gmail.com

#include <stdio.h>
#include <string.h>

#define TABLE_START 0x288

struct table {
   unsigned int unknown[6];
};

unsigned int ByteSwap (unsigned int nInt)
{
   union u {unsigned int vi; unsigned char c[sizeof(unsigned int)];};
   union v {unsigned int ni; unsigned char d[sizeof(unsigned int)];};
   union u un;
   union v vn;
   un.vi = nInt;
   vn.d[0]=un.c[3];
   vn.d[1]=un.c[2];
   vn.d[2]=un.c[1];
   vn.d[3]=un.c[0];
   return (vn.ni);
}

void printTable(struct table *t)
{
   int i;
   for (i = 0; i < 6; i++) {
      int j = ByteSwap(t->unknown[i]);
      printf("0x%08x ", j);
   }
   printf("\n");
}

int main(int argc, char **argv)
{
   FILE *fp = fopen(argv[1], "rb");
   struct table tmp;
   int numEntries = 0;
   int i;

   fseek(fp, TABLE_START, SEEK_SET);
   fread(&numEntries, sizeof(unsigned int), 1, fp);
   numEntries = ByteSwap(numEntries);
   for (i = 0; i < numEntries; i++) {
        fread(&tmp, sizeof(struct table), 1, fp);
        printTable(&tmp);
   }
}


[edit] Structure of the XEX File

A XEX file is composed of the following:

  • A 32 bytes XEX Header
  • Variable-length program/section headers
  • Program/Section content

[edit] XEX Header

Total length: 24 bytes. Byte ordering is Big-Endian.

Address Length (bytes) Contains Description
0x0000 4 { 'X', 'E', 'X', '2' } (0x58455832) X360 EXecutable Magic bytes (or: Xenon Execetuable format.) struct IMAGE_XEX_HEADER { ULONG Magic;
0x0004 4 0x00000001 Flags ? // ULONG ModuleFlags;
0x0008 4 0x00002000 Physical address of the code to unpack/decipher // ULONG SizeOfHeaders;
0x000C 4 0x00000000 Unknown. Reserved ? // ULONG SizeOfDiscardableHeaders;
0x0010 4 0x00000108 Pointer to the beginning of the certificate, 256 bytes (2048bit) // struct XEX_SECURITY_INFO { ULONG Size;
0x0014 4 0x0000000E Number of entries in the general info table // ULONG ImageSize;...

[edit] General info table

Total length: variable
Byte ordering is Big-Endian.

This table holds a list of pointers and flags describing the different sections of information needed to load and run the executable.

Every entry in this table is composed of two dwords, the first one is a bitfield and the other one is either an address, an offset or some value.

Here's the description of the flag dword:

First byte Second byte Third byte Fourth byte
Unused/Reserved Info class Info type Size byte

[edit] Unused/Reserved byte

The first byte seems to be unused or reserved, we didn't have a XEX file with this byte set already.

[edit] Info class

Value Name
0x00 Initialization info
0x02 Execution info
0x03 Library loading and mapping info
0x04 Unknown

[edit] Info type byte

Info class types

Value Description
0x02 Content mapping
0x03 Offsets or checksums
0x80 Executable path

Execution class types

Value Description
0x00 Original base address
0x01 Entry point
0x02 Address Where to load the text (execution data)
0x03 Unknown address table, probably some kind of PLT.
0x80 IDs
0x83 Original PE Filename

Library loading and mapping info class types

Value Description
0x00 Libraries to load
0x01 Default stack size
0x02 Unknown value

Unknown class types

Value Description
0x00 Unknown value
0x04 Unknown value

[edit] Size byte

The size byte holds the size of the data that is pointed by the offset dword, in number of dwords. If this byte is 0xFF the size will be stored in the first dword pointed by the offset. If it is 0x00 or 0x01 the second dword will be a memory offset or a size value or something similar.

[edit] Program / Section content

The program holds a PE file which is crypted/packed, usually starting at offset 0x2000 (described in the XEX header). It's possible to have this PE uncrypted/unpacked on debug XEX files. Section contents are encrypted with CBC AES, with the key changing for each file. It's probably derived from the RSA(?) block at the beginning and a "secret" public key in the box. Contents are compressed with microsoft's proprietary LDIC compression (hello, xbox1!).

[edit] Miscellaneous

[edit] Strings found in some XEX Files

These appear to be important strings found in the update file

  • Directories?
    • XAdu
    • $UPDATES
    • MEDIA
  • \Device\CdRom0\default.xex
  • installupdate.exe
  • The xboxkrnl is updated using the updates.
  • xam.xex
  • xboxkrnl.exe
  • Library includes:
    • XUIRNDR
    • XAUD
    • XGRAPHC
    • XRTLLIB
    • XAPILIB
    • LIBCMT
    • XBOXKRNL
    • D3D9
    • XUIRUN
    • XUIRNDR

[edit] Availability of XEX files

There are currently at least four XEX files freely available on the net:

[edit] Programs

xextools[2] -- A library and tools for manipulating xex files (xexread replacement).

xexdump[3] -- Dumps information about xex files (perl)

xexdump[4] -- Dumps information about xex files (windows)

Retrieved from "http://www.free60.org/XEX"
Personal tools