Difference between revisions of "Xbe"

From xboxdevwiki
Jump to: navigation, search
m (Title ID: Jay supplied 2 of these)
m
 
(31 intermediate revisions by 9 users not shown)
Line 1: Line 1:
 
{{DISPLAYTITLE:XBE}}
 
{{DISPLAYTITLE:XBE}}
XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft.
+
XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft.  
 +
 
 +
The file structure is adapted from Windows PE files. It is very similar, however it has important changes for the Xbox. The file is composed of an image header, a certificate, a collection of section headers, a collection of library versions, thread local storage data, a Microsoft bitmap, and the sections that contain the code and resources.
 +
 
 +
= Image Header =
 +
 
 +
The image header contains the information that describes where the other parts of the executable are located within the file, and how the executable should be treated and loaded. It has the following layout (all fields are little-endian):
 +
 
 +
{| class="wikitable
 +
|-
 +
! Offset
 +
! Size
 +
! Name
 +
! Description
 +
|-
 +
! 0x0000
 +
! 0x0004
 +
| Magic Number
 +
| This field must always equal 0x48454258 ("XBEH")
 +
|-
 +
! 0x0004
 +
! 0x0100
 +
| Digital Signature
 +
| 256 Bytes. This is where a game is signed. Only on officially signed games is this field worthwhile.
 +
|-
 +
! 0x0104
 +
! 0x0004
 +
| Base Address
 +
| Address at which to load this .XBE. Typically this will be 0x00010000.
 +
|-
 +
! 0x0108
 +
! 0x0004
 +
| Size of Headers
 +
| Number of bytes that should be reserved for headers.
 +
|-
 +
! 0x010C
 +
! 0x0004
 +
| Size of Image
 +
| Number of bytes that should be reserved for this image.
 +
|-
 +
! 0x0110
 +
! 0x0004
 +
| Size of Image Header
 +
| Number of bytes that should be reserved for the image header. The header size varies by XDK version, but is at least 0x178.
 +
|-
 +
! 0x0114
 +
! 0x0004
 +
| TimeDate
 +
| Time and Date when this image was created. UNIX timestamp format.
 +
|-
 +
! 0x0118
 +
! 0x0004
 +
| Certificate Address
 +
| Address to a [[#Certificate|Certificate]] structure, after the .XBE is loaded into memory.
 +
|-
 +
! 0x011C
 +
! 0x0004
 +
| Number of Sections
 +
| Number of sections contained in this .XBE.
 +
|-
 +
! 0x0120
 +
! 0x0004
 +
| Section Headers Address
 +
| Address to an array of SectionHeader structures, after the .XBE is loaded into memory.
 +
|-
 +
! 0x0124
 +
! 0x0004
 +
| Initialization Flags
 +
| Various flags for this .XBE file. Known flags are:
 +
 
 +
  MountUtilityDrive  = 0x00000001
 +
  FormatUtilityDrive = 0x00000002
 +
  Limit64Megabytes  = 0x00000004
 +
  DontSetupHarddisk  = 0x00000008
 +
|-
 +
! 0x0128
 +
! 0x0004
 +
| Entry Point
 +
| Address to the Image entry point, after the .XBE is loaded into memory. This is where execution starts.
 +
 
 +
This value is encoded with an XOR key. Considering this is far too weak to be considered security, I assume this XOR is a clever method for discerning between Debug/Retail .XBE files without adding another field to the .XBE header. The XOR key is dependant on the build:
 +
 
 +
  Beta = 0xE682F45B, Debug = 0x94859D4B, Retail = 0xA8FC57AB
 +
 
 +
To encode an entry point, you simply XOR the real entry point with either Debug or Retail key, depending on if you want the XBox to see this as a Debug or Retail executable.
 +
 
 +
To decode an entry point, you XOR with the debug key, then check if it is a valid entry point. If it is not, then you try again with the retail key.
 +
 
 +
<span style="color:red">Note: The Kernel Image Thunk Address member of this header must also be encoded as described later in this document.</span>
 +
|-
 +
! 0x012C
 +
! 0x0004
 +
| TLS Address
 +
| Address to a [[#TLS Table|TLS]] (Thread Local Storage) structure.
 +
|-
 +
! 0x0130
 +
! 0x0004
 +
| Stack Size
 +
| Default stack size. As the Xbox does not allow for stacks to grow, this needs to be copied from the SizeOfStackReserve PE field, not SizeOfStackCommit!
 +
|-
 +
! 0x0134
 +
! 0x0004
 +
| PE Heap Reserve
 +
| Copied from the PE file this .XBE was created from.
 +
|-
 +
! 0x0138
 +
! 0x0004
 +
| PE Heap Commit
 +
| Copied from the PE file this .XBE was created from.
 +
|-
 +
! 0x013C
 +
! 0x0004
 +
| PE Base Address
 +
| Copied from the PE file this .XBE was created from.
 +
|-
 +
! 0x0140
 +
! 0x0004
 +
| PE Size of Image
 +
| Copied from the PE file this .XBE was created from.
 +
|-
 +
! 0x0144
 +
! 0x0004
 +
| PE Checksum
 +
| Copied from the PE file this .XBE was created from.
 +
|-
 +
! 0x0148
 +
! 0x0004
 +
| PE TimeDate
 +
| Copied from the PE file this .XBE was created from (UNIX timestamp format).
 +
|-
 +
! 0x014C
 +
! 0x0004
 +
| Debug PathName Address
 +
| Address to the debug pathname (i.e. "D:\Nightlybuilds\011026.0\code\build\xbox\Release\simpsons.exe").
 +
|-
 +
! 0x0150
 +
! 0x0004
 +
| Debug FileName Address
 +
| Address to the debug filename (i.e. "simpsons.exe")
 +
|-
 +
! 0x0154
 +
! 0x0004
 +
| Address to the UTF-16 debug filename (i.e. L"simpsons.exe")
 +
| UTF-16 Debug FileName Address
 +
|-
 +
! 0x0158
 +
! 0x0004
 +
| Kernel Image Thunk Address
 +
| Address to the Kernel Image Thunk Table, after the .XBE is loaded into memory. This is how .XBE files import kernel functions and data.
 +
 
 +
This value is encoded with an XOR key. Considering this is far too weak to be considered security, I assume this XOR is a clever method for discerning between Debug/Retail .XBE files without adding another field to the .XBE header. The XOR key is dependant on the build:
 +
 
 +
  Beta = 0x46437DCD, Debug = 0xEFB1F152, Retail = 0x5B6D40B6
 +
 
 +
To encode a kernel thunk address, you simply XOR the real address with either Debug or Retail key, depending on if you want the XBox to see this as a Debug or Retail executable.
 +
 
 +
To decode a kernel thunk address, you XOR with the debug key, then check if it is a valid address. If it is not, then you try again with the retail key.
 +
 
 +
The Kernel Thunk Table itself is simply an array of pointers to Kernel imports. There are 366 possible imports, and the table is terminated with a zero dword (0x00000000). Typically the values in this table can be generated with the following formula:
 +
 
 +
  KernelThunkTable[v] = ImportThunk + 0x80000000;
 +
 
 +
so, for example, the import PsCreateSystemThreadEx, which has a thunk value of 255 (0xFF) would be...
 +
 
 +
  KernelThunkTable[v] = 0xFF + 0x80000000; // (0x800000FF)
 +
 
 +
When the .XBE is loaded by the OS (or the CXBX Emulator), all kernel imports are replaced by a valid function or data type address. In the case of CXBX, the import table entry at which (KernelThunkTable[v] & 0x1FF == 0xFF) will be replaced by &cxbx_PsCreateSystemThreadEx (which is a wrapper function).
 +
 
 +
<span style="color:red">Note: The Entry Point member of this header must also be encoded as described earlier in this document.</span>
 +
|-
 +
! 0x015C
 +
! 0x0004
 +
| Non-Kernel Import Directory Address
 +
| Address to the Non-Kernel Import Directory. It is typically safe to set this to zero.
 +
|-
 +
! 0x0160
 +
! 0x0004
 +
| Number of Library Versions
 +
| Number of Library Versions pointed to by Library Versions Address.
 +
|-
 +
! 0x0164
 +
! 0x0004
 +
| Library Versions Address
 +
| Address to an array of LibraryVersion structures, after the .XBE is loaded into memory.
 +
|-
 +
! 0x0168
 +
! 0x0004
 +
| Kernel Library Version Address
 +
| Address to a LibraryVersion structure, after the .XBE is loaded into memory.
 +
|-
 +
! 0x016C
 +
! 0x0004
 +
| XAPI Library Version Address
 +
| Address to a LibraryVersion structure, after the .XBE is loaded into memory.
 +
|-
 +
! 0x0170
 +
! 0x0004
 +
| Logo Bitmap Address
 +
| Address to the Logo Bitmap (Typically a "Microsoft" logo). The format of this image is described here. This field can be set to zero, meaning there is no bitmap present.
 +
|-
 +
! 0x0174
 +
! 0x0004
 +
| Logo Bitmap Size
 +
| Size (in bytes) of the Logo Bitmap data. The format of this image is described here.
 +
|-
 +
! 0x0178
 +
! 0x0008
 +
| Unknown1
 +
| The meaning of this field hasn't been figured out yet. It only exists on XBEs built with an XDK version >= 5028.
 +
|-
 +
! 0x0180
 +
! 0x0004
 +
| Unknown2
 +
| The meaning of this field hasn't been figured out yet. It only exists on XBEs built with an XDK version >= 5455.
 +
|}
 +
 
 +
== LibraryVersion Table ==
 +
{| class="wikitable
 +
|-
 +
! Offset
 +
! Size
 +
! Name
 +
! Description
 +
|-
 +
! 0x0000
 +
! 0x0008
 +
| Library Name
 +
| 8-byte ASCII-name of this library. (i.e. "XAPILIB")
 +
|-
 +
! 0x0008
 +
! 0x0002
 +
| Major Version
 +
| Major version for this library (2-byte WORD).
 +
|-
 +
! 0x000A
 +
! 0x0002
 +
| Minor Version
 +
| Minor version for this library (2-byte WORD).
 +
|-
 +
! 0x000C
 +
! 0x0002
 +
| Build Version
 +
| Build version for this library (2-byte WORD).
 +
|-
 +
! 0x000E
 +
! 0x0002
 +
| Library Flags
 +
| Various flags for this library. The fields are:
 +
 
 +
  QFEVersion  = 0x1FFF (13-Bit Mask)
 +
  Approved    = 0x6000 (02-Bit Mask)
 +
  Debug Build = 0x8000 (01-Bit Mask)
 +
|}
 +
 
 +
== TLS Table ==
 +
 
 +
The TLS Table contains all the information needed by the XBE to properly set up thread-local storage. It is structurally identical to the TLS Directory found in PE32 files<ref>https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#the-tls-section</ref>, and can be directly copied from there. If the XBE does not use any thread-local storage, this table may be omitted, and the respective field in the image header set to zero.
 +
 
 +
{| class="wikitable
 +
|-
 +
! Offset
 +
! Size
 +
! Name
 +
! Description
 +
|-
 +
! 0x0000
 +
! 0x0004
 +
| Raw Data Start
 +
| Absolute (i.e. not an RVA) address of start of the TLS variable data in the program image.
 +
|-
 +
! 0x0004
 +
! 0x0004
 +
| Raw Data End
 +
| Absolute (i.e. not an RVA) address of end of the TLS variable data in the program image.
 +
|-
 +
! 0x0008
 +
! 0x0004
 +
| Address of Index
 +
| Absolute (i.e. not an RVA) address of the TLS Index variable.
 +
|-
 +
! 0x000C
 +
! 0x0004
 +
| Address of Callbacks
 +
| Absolute (i.e. not an RVA) address of the null-terminated TLS callback functions table.
 +
|-
 +
! 0x0010
 +
! 0x0004
 +
| Size of Zero Fill
 +
| The number of bytes following the raw data that should be set to zero in memory.
 +
|-
 +
! 0x0014
 +
! 0x0004
 +
| Characteristics
 +
| Describes alignment.
 +
|}
 +
 
 +
 
 +
= Certificate =
 +
 
 +
Each Xbox executable has a certificate that contains information about the title.
 +
 
 +
* Time and date when the certificate was created
 +
* Title ID
 +
* Title name
 +
* Alternative title IDs
 +
* Allowed types of media that the executable can be run from (HD, DVD, CD, etc.)
 +
* Game region
 +
* Game ratings
 +
* Disk number
 +
* Version
 +
* LAN key raw data used for [[System Link]]
 +
* Signature key raw data (used to sign [[Xbox Savegame System|savegames]])
 +
* Alternate signature keys
 +
* Original size of the certificate
 +
* Online service name (not present in early executables)
 +
* Run time security flags (not present in early executables)
  
 
=== Title ID ===
 
=== Title ID ===
Line 12: Line 327:
 
|-
 
|-
 
| AH || ARUSH Entertainment
 
| AH || ARUSH Entertainment
 +
|-
 +
| AP || Aquaplus
 
|-
 
|-
 
| AQ || Aqua System
 
| AQ || Aqua System
 +
|-
 +
| AS || ASK
 
|-
 
|-
 
| AT || Atlus
 
| AT || Atlus
Line 19: Line 338:
 
| AV || Activision
 
| AV || Activision
 
|-
 
|-
| AY || Aspyr Media, Inc.
+
| AY || Aspyr Media
 
|-
 
|-
 
| BA || Bandai
 
| BA || Bandai
 +
|-
 +
| BL || Black Box
 
|-
 
|-
 
| BM || BAM! Entertainment
 
| BM || BAM! Entertainment
 
|-
 
|-
| BR || Broccoli Co., Ltd.
+
| BR || Broccoli Co.
 
|-
 
|-
 
| BS || Bethesda Softworks
 
| BS || Bethesda Softworks
 
|-
 
|-
| BU || Bunkasha Co Ltd
+
| BU || Bunkasha Co.
 
|-
 
|-
 
| BV || Buena Vista Games
 
| BV || Buena Vista Games
 
|-
 
|-
 
| BW || BBC Multimedia
 
| BW || BBC Multimedia
 +
|-
 +
| BZ || Blizzard
 
|-
 
|-
 
| CC || Capcom
 
| CC || Capcom
 
|-
 
|-
| CK || Kemco Corporation {{citation needed}}
+
| CK || Kemco Corporation {{citation needed|reason=Did they realy swapped the ASCII letters? is KC a curced acroniem in Japan? Just want to be sure its Kemco|date=May 2017}}
 
|-
 
|-
 
| CM || Codemasters
 
| CM || Codemasters
 +
|-
 +
| CT || CTO S.p.A.
 
|-
 
|-
 
| CV || Crave Entertainment
 
| CV || Crave Entertainment
Line 61: Line 386:
 
| FS || From Software
 
| FS || From Software
 
|-
 
|-
| GE || Genki Co., Ltd
+
| GE || Genki Co.
 
|-
 
|-
 
| GV || Groove Games
 
| GV || Groove Games
 
|-
 
|-
| HE || Tru Blu Entertainment division of Home Entertainment Suppliers
+
| HE || Tru Blu (Entertainment division of Home Entertainment Suppliers)
 
|-
 
|-
| HP ||  
+
| HP || Hip games
 
|-
 
|-
| HU ||  
+
| HU || Hudson Soft
 
|-
 
|-
| IA ||  
+
| HW || Highwaystar
 
|-
 
|-
| IF ||  
+
| IA || Mad Catz Interactive
 +
|-
 +
| IF || Idea Factory
 
|-
 
|-
 
| IG || Infogrames
 
| IG || Infogrames
 
|-
 
|-
| IL ||  
+
| IL || [[Interlex Corporation]]
 
|-
 
|-
| IM ||  
+
| IM || Imagine Media
 
|-
 
|-
| IO ||  
+
| IO || Ignition Entertainment
 
|-
 
|-
| IP ||  
+
| IP || Interplay Entertainment
 
|-
 
|-
| IX ||  
+
| IX || InXile Entertainment {{citation needed}}
 
|-
 
|-
| JA ||  
+
| JA || Jaleco
 
|-
 
|-
| JW ||  
+
| JW || JoWooD
 
|-
 
|-
| KB ||  
+
| KB || Kemco {{citation needed|reason=CK is also Kemco, is this a diferent subsidairy or country based? Just want to be sure its Kemco|date=May 2017}}
 
|-
 
|-
| KI ||  
+
| KI || Kids Station Inc. {{citation needed|reason=Games info page was in japanese, I dont read japanese. but this seemed very logicaly the publisher, can a japanese reader confirm?|date=May 2017}}
 +
|-
 +
| KK || KiKi
 
|-
 
|-
 
| KN || Konami
 
| KN || Konami
 
|-
 
|-
| KO ||  
+
| KO || KOEI
 
|-
 
|-
| KU ||  
+
| KT || Konami Tokyo
 +
|-
 +
| KU || Kobi and/or GAE (formerly Global A Entertainment){{citation needed|reason=What name did the publisher use at the time of release?|date=May 2017}}
 
|-
 
|-
 
| LA || LucasArts
 
| LA || LucasArts
 
|-
 
|-
| LS ||  
+
| LS || Black Bean Games (publishing arm of Leader S.p.A.)
 
|-
 
|-
| MD ||  
+
| MD || Metro3D
 
|-
 
|-
| ME ||  
+
| ME || Medix
 
|-
 
|-
 
| MI || Microïds
 
| MI || Microïds
 
|-
 
|-
| MJ ||  
+
| MJ || Majesco Entertainment
 
|-
 
|-
| MM ||  
+
| MM || Myelin Media
 
|-
 
|-
| MP ||  
+
| MP || MediaQuest {{citation needed|reason=Where is the P? I dont trust my source yet... but seems close|date=May 2017}}
 
|-
 
|-
 
| MS || Microsoft Game Studios
 
| MS || Microsoft Game Studios
Line 121: Line 452:
 
| MW || Midway Games
 
| MW || Midway Games
 
|-
 
|-
| MX ||  
+
| MX || Empire Interactive {{citation needed|reason=What happend to the publisher, who published this game?|date=May 2017}}
 
|-
 
|-
| NK ||  
+
| NK || NewKidCo
 
|-
 
|-
| NL ||  
+
| NL || NovaLogic
 
|-
 
|-
| NM ||  
+
| NM || Namco
 
|-
 
|-
| OX ||  
+
| OX || Oxygen Interactive
 
|-
 
|-
| PC ||  
+
| PC || Playlogic Entertainment
 
|-
 
|-
| PL ||  
+
| PL || Phantagram Co., Ltd.
 
|-
 
|-
| RA ||  
+
| RA || Rage
 
|-
 
|-
| SA ||  
+
| SA || Sammy
 
|-
 
|-
 
| SC || SCi Games
 
| SC || SCi Games
Line 143: Line 474:
 
| SE || SEGA
 
| SE || SEGA
 
|-
 
|-
| SN ||  
+
| SN || SNK
 
|-
 
|-
| SS ||  
+
| SS || Simon & Schuster
 
|-
 
|-
| SU ||  
+
| SU || Success Corporation
 
|-
 
|-
| SW ||  
+
| SW || Swing! Deutschland
 
|-
 
|-
| TA ||  
+
| TA || Takara
 
|-
 
|-
| TC ||  
+
| TC || Tecmo
 
|-
 
|-
| TD ||  
+
| TD || The 3DO Company (or just 3DO)
 
|-
 
|-
| TK ||  
+
| TK || Takuyo
 
|-
 
|-
 
| TM || TDK Mediactive
 
| TM || TDK Mediactive
 
|-
 
|-
| TQ ||  
+
| TQ || THQ
 
|-
 
|-
| TS ||  
+
| TS || Titus Interactive
 
|-
 
|-
 
| TT || Take-Two Interactive Software
 
| TT || Take-Two Interactive Software
Line 169: Line 500:
 
| US || Ubisoft
 
| US || Ubisoft
 
|-
 
|-
| VC ||  
+
| VC || Victor Interactive Software
 
|-
 
|-
| VN ||  
+
| VN || Vivendi Universal (just took Interplays publishing rights) {{citation needed}}
 
|-
 
|-
| VU ||  
+
| VU || Vivendi Universal Games
 
|-
 
|-
| VV || Vivendi Universal Games
+
| VV || Vivendi Universal Games {{citation needed}}
 
|-
 
|-
 
| WE || Wanadoo Edition
 
| WE || Wanadoo Edition
 
|-
 
|-
| WR ||  
+
| WR || Warner Bros. Interactive Entertainment {{citation needed}}
 +
|-
 +
| XD || ''Xbox demo disk? (Japan?)''
 +
|-
 +
| XI || XPEC Entertainment and Idea Factory
 +
|-
 +
| XK || ''Xbox kiosk disk?'' {{citation needed}}
 
|-
 
|-
| XI ||  
+
| XL || ''Xbox special bundled or live demo disk?'' {{citation needed}}
 
|-
 
|-
| XK ||  
+
| XM || Evolved Games {{citation needed|reason=Probably not, game "Malice"|date=May 2017}}
 
|-
 
|-
| XL ||  
+
| XP || XPEC Entertainment
 
|-
 
|-
| XM ||  
+
| XR || Panorama
 
|-
 
|-
| XP ||  
+
| XX || Microsoft Windows Media Center Extender for Xbox
 
|-
 
|-
| YB ||  
+
| YB || YBM Sisa (South-Korea)
 
|-
 
|-
| ZD || Zushi Games, formerly Zoo Digital Publishing
+
| ZD || Zushi Games (formerly Zoo Digital Publishing)
 
|}
 
|}
  
Line 203: Line 540:
 
[[FIFA Soccer 2003]]:
 
[[FIFA Soccer 2003]]:
 
* DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe)
 
* DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe)
* Title ID:  
+
* Title ID: 45410017 [EA-023]
  
 
[[Halo: Combat Evolved]]:
 
[[Halo: Combat Evolved]]:
Line 213: Line 550:
 
* Title ID: 4D530004 [MS-004]
 
* Title ID: 4D530004 [MS-004]
  
== Resources and links ==
+
== Allowed media types ==
 +
Allowed media types off which the executable is allowed to be run from. The following values are known:
 +
{| class=wikitable
 +
! Media type !! Value
 +
|-
 +
|HARD_DISK        || 0x00000001
 +
|-
 +
|DVD_X2          || 0x00000002
 +
|-
 +
|DVD_CD          || 0x00000004
 +
|-
 +
|CD              || 0x00000008
 +
|-
 +
|DVD_5_RO        || 0x00000010
 +
|-
 +
|DVD_9_RO        || 0x00000020
 +
|-
 +
|DVD_5_RW        || 0x00000040
 +
|-
 +
|DVD_9_RW        || 0x00000080
 +
|-
 +
|DONGLE          || 0x00000100
 +
|-
 +
|MEDIA_BOARD      || 0x00000200
 +
|-
 +
|NONSECURE_HARD_DISK || 0x40000000
 +
|-
 +
|NONSECURE_MODE  || 0x80000000
 +
|-
 +
|MEDIA_MASK      || 0x00FFFFFF
 +
|}
 +
 
 +
= Sections =
 +
The sections are described by the section headers. The section headers start right after the certificate and contain describe where in the file the actual sections reside. Each header contains a 20 byte SHA-1 hash of the section that is checked by the Xbox to ensure the integrity of the sections.
 +
 
 +
The SHA-1 hash is computed by prepending the length of the section (excluding any padding) as an unsigned 32-bit integer followed by the contents of the section itself.
 +
 
 +
At least two sections are always present in an Xbox executable: .text and .rdata. There might be more sections that contain either executable code or resources such as images, text, etc.
 +
 
 +
== .text ==
 +
 
 +
The .text section contains all x86 subroutines to be executed by the [[CPU|processor]].
 +
 
 +
== .rdata ==
 +
 
 +
The .rdata section contains the [[Kernel|kernel thunk table]]. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded.
 +
 
 +
 
 +
= Xbox Alpha executable format =
 +
 
 +
Binaries from early Xbox development (Alpha units), are using a different binary format. There are no known public tools that can read them.
 +
Known differences include that the first bytes of the file are 'XE' instead the 'XBEH' from the final XBE format. The format is rumored to be more like the Windows PE format.{{citation needed}}
 +
 
 +
= Resources and links =
 
* [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1]
 
* [http://www.caustik.com/cxbx/download/xbe.htm .XBE File Format 1.1]
 +
 +
[[Category:Fileformats]]

Latest revision as of 07:32, 26 September 2023

XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft.

The file structure is adapted from Windows PE files. It is very similar, however it has important changes for the Xbox. The file is composed of an image header, a certificate, a collection of section headers, a collection of library versions, thread local storage data, a Microsoft bitmap, and the sections that contain the code and resources.

Image Header

The image header contains the information that describes where the other parts of the executable are located within the file, and how the executable should be treated and loaded. It has the following layout (all fields are little-endian):

Offset Size Name Description
0x0000 0x0004 Magic Number This field must always equal 0x48454258 ("XBEH")
0x0004 0x0100 Digital Signature 256 Bytes. This is where a game is signed. Only on officially signed games is this field worthwhile.
0x0104 0x0004 Base Address Address at which to load this .XBE. Typically this will be 0x00010000.
0x0108 0x0004 Size of Headers Number of bytes that should be reserved for headers.
0x010C 0x0004 Size of Image Number of bytes that should be reserved for this image.
0x0110 0x0004 Size of Image Header Number of bytes that should be reserved for the image header. The header size varies by XDK version, but is at least 0x178.
0x0114 0x0004 TimeDate Time and Date when this image was created. UNIX timestamp format.
0x0118 0x0004 Certificate Address Address to a Certificate structure, after the .XBE is loaded into memory.
0x011C 0x0004 Number of Sections Number of sections contained in this .XBE.
0x0120 0x0004 Section Headers Address Address to an array of SectionHeader structures, after the .XBE is loaded into memory.
0x0124 0x0004 Initialization Flags Various flags for this .XBE file. Known flags are:
 MountUtilityDrive  = 0x00000001
 FormatUtilityDrive = 0x00000002
 Limit64Megabytes   = 0x00000004
 DontSetupHarddisk  = 0x00000008
0x0128 0x0004 Entry Point Address to the Image entry point, after the .XBE is loaded into memory. This is where execution starts.

This value is encoded with an XOR key. Considering this is far too weak to be considered security, I assume this XOR is a clever method for discerning between Debug/Retail .XBE files without adding another field to the .XBE header. The XOR key is dependant on the build:

 Beta = 0xE682F45B, Debug = 0x94859D4B, Retail = 0xA8FC57AB

To encode an entry point, you simply XOR the real entry point with either Debug or Retail key, depending on if you want the XBox to see this as a Debug or Retail executable.

To decode an entry point, you XOR with the debug key, then check if it is a valid entry point. If it is not, then you try again with the retail key.

Note: The Kernel Image Thunk Address member of this header must also be encoded as described later in this document.

0x012C 0x0004 TLS Address Address to a TLS (Thread Local Storage) structure.
0x0130 0x0004 Stack Size Default stack size. As the Xbox does not allow for stacks to grow, this needs to be copied from the SizeOfStackReserve PE field, not SizeOfStackCommit!
0x0134 0x0004 PE Heap Reserve Copied from the PE file this .XBE was created from.
0x0138 0x0004 PE Heap Commit Copied from the PE file this .XBE was created from.
0x013C 0x0004 PE Base Address Copied from the PE file this .XBE was created from.
0x0140 0x0004 PE Size of Image Copied from the PE file this .XBE was created from.
0x0144 0x0004 PE Checksum Copied from the PE file this .XBE was created from.
0x0148 0x0004 PE TimeDate Copied from the PE file this .XBE was created from (UNIX timestamp format).
0x014C 0x0004 Debug PathName Address Address to the debug pathname (i.e. "D:\Nightlybuilds\011026.0\code\build\xbox\Release\simpsons.exe").
0x0150 0x0004 Debug FileName Address Address to the debug filename (i.e. "simpsons.exe")
0x0154 0x0004 Address to the UTF-16 debug filename (i.e. L"simpsons.exe") UTF-16 Debug FileName Address
0x0158 0x0004 Kernel Image Thunk Address Address to the Kernel Image Thunk Table, after the .XBE is loaded into memory. This is how .XBE files import kernel functions and data.

This value is encoded with an XOR key. Considering this is far too weak to be considered security, I assume this XOR is a clever method for discerning between Debug/Retail .XBE files without adding another field to the .XBE header. The XOR key is dependant on the build:

 Beta = 0x46437DCD, Debug = 0xEFB1F152, Retail = 0x5B6D40B6

To encode a kernel thunk address, you simply XOR the real address with either Debug or Retail key, depending on if you want the XBox to see this as a Debug or Retail executable.

To decode a kernel thunk address, you XOR with the debug key, then check if it is a valid address. If it is not, then you try again with the retail key.

The Kernel Thunk Table itself is simply an array of pointers to Kernel imports. There are 366 possible imports, and the table is terminated with a zero dword (0x00000000). Typically the values in this table can be generated with the following formula:

 KernelThunkTable[v] = ImportThunk + 0x80000000;

so, for example, the import PsCreateSystemThreadEx, which has a thunk value of 255 (0xFF) would be...

 KernelThunkTable[v] = 0xFF + 0x80000000; // (0x800000FF)

When the .XBE is loaded by the OS (or the CXBX Emulator), all kernel imports are replaced by a valid function or data type address. In the case of CXBX, the import table entry at which (KernelThunkTable[v] & 0x1FF == 0xFF) will be replaced by &cxbx_PsCreateSystemThreadEx (which is a wrapper function).

Note: The Entry Point member of this header must also be encoded as described earlier in this document.

0x015C 0x0004 Non-Kernel Import Directory Address Address to the Non-Kernel Import Directory. It is typically safe to set this to zero.
0x0160 0x0004 Number of Library Versions Number of Library Versions pointed to by Library Versions Address.
0x0164 0x0004 Library Versions Address Address to an array of LibraryVersion structures, after the .XBE is loaded into memory.
0x0168 0x0004 Kernel Library Version Address Address to a LibraryVersion structure, after the .XBE is loaded into memory.
0x016C 0x0004 XAPI Library Version Address Address to a LibraryVersion structure, after the .XBE is loaded into memory.
0x0170 0x0004 Logo Bitmap Address Address to the Logo Bitmap (Typically a "Microsoft" logo). The format of this image is described here. This field can be set to zero, meaning there is no bitmap present.
0x0174 0x0004 Logo Bitmap Size Size (in bytes) of the Logo Bitmap data. The format of this image is described here.
0x0178 0x0008 Unknown1 The meaning of this field hasn't been figured out yet. It only exists on XBEs built with an XDK version >= 5028.
0x0180 0x0004 Unknown2 The meaning of this field hasn't been figured out yet. It only exists on XBEs built with an XDK version >= 5455.

LibraryVersion Table

Offset Size Name Description
0x0000 0x0008 Library Name 8-byte ASCII-name of this library. (i.e. "XAPILIB")
0x0008 0x0002 Major Version Major version for this library (2-byte WORD).
0x000A 0x0002 Minor Version Minor version for this library (2-byte WORD).
0x000C 0x0002 Build Version Build version for this library (2-byte WORD).
0x000E 0x0002 Library Flags Various flags for this library. The fields are:
 QFEVersion  = 0x1FFF (13-Bit Mask)
 Approved    = 0x6000 (02-Bit Mask)
 Debug Build = 0x8000 (01-Bit Mask)

TLS Table

The TLS Table contains all the information needed by the XBE to properly set up thread-local storage. It is structurally identical to the TLS Directory found in PE32 files[1], and can be directly copied from there. If the XBE does not use any thread-local storage, this table may be omitted, and the respective field in the image header set to zero.

Offset Size Name Description
0x0000 0x0004 Raw Data Start Absolute (i.e. not an RVA) address of start of the TLS variable data in the program image.
0x0004 0x0004 Raw Data End Absolute (i.e. not an RVA) address of end of the TLS variable data in the program image.
0x0008 0x0004 Address of Index Absolute (i.e. not an RVA) address of the TLS Index variable.
0x000C 0x0004 Address of Callbacks Absolute (i.e. not an RVA) address of the null-terminated TLS callback functions table.
0x0010 0x0004 Size of Zero Fill The number of bytes following the raw data that should be set to zero in memory.
0x0014 0x0004 Characteristics Describes alignment.


Certificate

Each Xbox executable has a certificate that contains information about the title.

  • Time and date when the certificate was created
  • Title ID
  • Title name
  • Alternative title IDs
  • Allowed types of media that the executable can be run from (HD, DVD, CD, etc.)
  • Game region
  • Game ratings
  • Disk number
  • Version
  • LAN key raw data used for System Link
  • Signature key raw data (used to sign savegames)
  • Alternate signature keys
  • Original size of the certificate
  • Online service name (not present in early executables)
  • Run time security flags (not present in early executables)

Title ID

A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (Above 2000 for non-original Xbox games)

Publisher ID Name
AC Acclaim Entertainment
AH ARUSH Entertainment
AP Aquaplus
AQ Aqua System
AS ASK
AT Atlus
AV Activision
AY Aspyr Media
BA Bandai
BL Black Box
BM BAM! Entertainment
BR Broccoli Co.
BS Bethesda Softworks
BU Bunkasha Co.
BV Buena Vista Games
BW BBC Multimedia
BZ Blizzard
CC Capcom
CK Kemco Corporation [citation needed]
CM Codemasters
CT CTO S.p.A.
CV Crave Entertainment
DC DreamCatcher Interactive
DX Davilex
EA Electronic Arts (EA)
EC Encore inc
EL Enlight Software
EM Empire Interactive
ES Eidos Interactive
FI Fox Interactive
FS From Software
GE Genki Co.
GV Groove Games
HE Tru Blu (Entertainment division of Home Entertainment Suppliers)
HP Hip games
HU Hudson Soft
HW Highwaystar
IA Mad Catz Interactive
IF Idea Factory
IG Infogrames
IL Interlex Corporation
IM Imagine Media
IO Ignition Entertainment
IP Interplay Entertainment
IX InXile Entertainment [citation needed]
JA Jaleco
JW JoWooD
KB Kemco [citation needed]
KI Kids Station Inc. [citation needed]
KK KiKi
KN Konami
KO KOEI
KT Konami Tokyo
KU Kobi and/or GAE (formerly Global A Entertainment)[citation needed]
LA LucasArts
LS Black Bean Games (publishing arm of Leader S.p.A.)
MD Metro3D
ME Medix
MI Microïds
MJ Majesco Entertainment
MM Myelin Media
MP MediaQuest [citation needed]
MS Microsoft Game Studios
MW Midway Games
MX Empire Interactive [citation needed]
NK NewKidCo
NL NovaLogic
NM Namco
OX Oxygen Interactive
PC Playlogic Entertainment
PL Phantagram Co., Ltd.
RA Rage
SA Sammy
SC SCi Games
SE SEGA
SN SNK
SS Simon & Schuster
SU Success Corporation
SW Swing! Deutschland
TA Takara
TC Tecmo
TD The 3DO Company (or just 3DO)
TK Takuyo
TM TDK Mediactive
TQ THQ
TS Titus Interactive
TT Take-Two Interactive Software
US Ubisoft
VC Victor Interactive Software
VN Vivendi Universal (just took Interplays publishing rights) [citation needed]
VU Vivendi Universal Games
VV Vivendi Universal Games [citation needed]
WE Wanadoo Edition
WR Warner Bros. Interactive Entertainment [citation needed]
XD Xbox demo disk? (Japan?)
XI XPEC Entertainment and Idea Factory
XK Xbox kiosk disk? [citation needed]
XL Xbox special bundled or live demo disk? [citation needed]
XM Evolved Games [citation needed]
XP XPEC Entertainment
XR Panorama
XX Microsoft Windows Media Center Extender for Xbox
YB YBM Sisa (South-Korea)
ZD Zushi Games (formerly Zoo Digital Publishing)

The title ID seems to double the information from the Xbox Game Disc mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000.

Examples:

FIFA Soccer 2003:

  • DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe)
  • Title ID: 45410017 [EA-023]

Halo: Combat Evolved:

  • DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America)
  • Title ID: 4D530004 [MS-004]

Halo: Combat Evolved:

  • DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe)
  • Title ID: 4D530004 [MS-004]

Allowed media types

Allowed media types off which the executable is allowed to be run from. The following values are known:

Media type Value
HARD_DISK 0x00000001
DVD_X2 0x00000002
DVD_CD 0x00000004
CD 0x00000008
DVD_5_RO 0x00000010
DVD_9_RO 0x00000020
DVD_5_RW 0x00000040
DVD_9_RW 0x00000080
DONGLE 0x00000100
MEDIA_BOARD 0x00000200
NONSECURE_HARD_DISK 0x40000000
NONSECURE_MODE 0x80000000
MEDIA_MASK 0x00FFFFFF

Sections

The sections are described by the section headers. The section headers start right after the certificate and contain describe where in the file the actual sections reside. Each header contains a 20 byte SHA-1 hash of the section that is checked by the Xbox to ensure the integrity of the sections.

The SHA-1 hash is computed by prepending the length of the section (excluding any padding) as an unsigned 32-bit integer followed by the contents of the section itself.

At least two sections are always present in an Xbox executable: .text and .rdata. There might be more sections that contain either executable code or resources such as images, text, etc.

.text

The .text section contains all x86 subroutines to be executed by the processor.

.rdata

The .rdata section contains the kernel thunk table. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded.


Xbox Alpha executable format

Binaries from early Xbox development (Alpha units), are using a different binary format. There are no known public tools that can read them. Known differences include that the first bytes of the file are 'XE' instead the 'XBEH' from the final XBE format. The format is rumored to be more like the Windows PE format.[citation needed]

Resources and links

  • https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#the-tls-section