Difference between revisions of "Xbe"
(→Title ID: add missing publishers that are listed on redump) |
m (Specify hashing algorithm used to check each section) |
||
Line 583: | Line 583: | ||
= Sections = | = Sections = | ||
− | The sections are described by the section headers. The section headers start right after the certificate and contain describe where in the file the actual sections reside. Each header contains a hash of the section that is checked by the Xbox to ensure the integrity of the sections. | + | The sections are described by the section headers. The section headers start right after the certificate and contain describe where in the file the actual sections reside. Each header contains a 20 byte SHA-1 hash of the section that is checked by the Xbox to ensure the integrity of the sections. |
At least two sections are always present in an Xbox executable: .text and .rdata. There might be more sections that contain either executable code or resources such as images, text, etc. | At least two sections are always present in an Xbox executable: .text and .rdata. There might be more sections that contain either executable code or resources such as images, text, etc. |
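Review bot: the rewritten sentence in the Sections hunk still carries "and contain describe where in the file" from the previous revision; since the line is being edited anyway, reduce it to "and describe where in the file". The new wording "20 byte SHA-1 hash" would read better hyphenated as "20-byte". It also names the algorithm without saying which bytes of the section the digest covers, which is worth stating in the same sentence.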
Revision as of 11:18, 24 September 2023
XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft.
The file structure is adapted from Windows PE files. It is very similar, but it has important changes for the Xbox. The file is composed of an image header, a certificate, a collection of section headers, a collection of library versions, thread local storage data, a Microsoft bitmap, and the sections that contain the code and resources.
Image Header
The image header contains the information that describes where the other parts of the executable are located within the file, and how the executable should be treated and loaded. It has the following layout (all fields are little-endian):
Offset | Size | Name | Description |
---|---|---|---|
0x0000 | 0x0004 | Magic Number | This field must always equal 0x48454258 ("XBEH") |
0x0004 | 0x0100 | Digital Signature | 256 Bytes. This is where a game is signed. Only on officially signed games is this field worthwhile. |
0x0104 | 0x0004 | Base Address | Address at which to load this .XBE. Typically this will be 0x00010000. |
0x0108 | 0x0004 | Size of Headers | Number of bytes that should be reserved for headers. |
0x010C | 0x0004 | Size of Image | Number of bytes that should be reserved for this image. |
0x0110 | 0x0004 | Size of Image Header | Number of bytes that should be reserved for the image header. The header size varies by XDK version, but is at least 0x178. |
0x0114 | 0x0004 | TimeDate | Time and Date when this image was created. UNIX timestamp format. |
0x0118 | 0x0004 | Certificate Address | Address to a Certificate structure, after the .XBE is loaded into memory. |
0x011C | 0x0004 | Number of Sections | Number of sections contained in this .XBE. |
0x0120 | 0x0004 | Section Headers Address | Address to an array of SectionHeader structures, after the .XBE is loaded into memory. |
0x0124 | 0x0004 | Initialization Flags | Various flags for this .XBE file. Known flags are: MountUtilityDrive = 0x00000001, FormatUtilityDrive = 0x00000002, Limit64Megabytes = 0x00000004, DontSetupHarddisk = 0x00000008 |
0x0128 | 0x0004 | Entry Point | Address to the Image entry point, after the .XBE is loaded into memory. This is where execution starts. This value is encoded with an XOR key. Considering this is far too weak to be considered security, I assume this XOR is a clever method for discerning between Debug/Retail .XBE files without adding another field to the .XBE header. The XOR key is dependent on the build: Beta = 0xE682F45B, Debug = 0x94859D4B, Retail = 0xA8FC57AB. To encode an entry point, you simply XOR the real entry point with either the Debug or Retail key, depending on whether you want the Xbox to see this as a Debug or Retail executable. To decode an entry point, you XOR with the debug key, then check if it is a valid entry point. If it is not, then you try again with the retail key. Note: The Kernel Image Thunk Address member of this header must also be encoded as described later in this document. |
0x012C | 0x0004 | TLS Address | Address to a TLS (Thread Local Storage) structure. |
0x0130 | 0x0004 | Stack Size | Default stack size. As the Xbox does not allow for stacks to grow, this needs to be copied from the SizeOfStackReserve PE field, not SizeOfStackCommit! |
0x0134 | 0x0004 | PE Heap Reserve | Copied from the PE file this .XBE was created from. |
0x0138 | 0x0004 | PE Heap Commit | Copied from the PE file this .XBE was created from. |
0x013C | 0x0004 | PE Base Address | Copied from the PE file this .XBE was created from. |
0x0140 | 0x0004 | PE Size of Image | Copied from the PE file this .XBE was created from. |
0x0144 | 0x0004 | PE Checksum | Copied from the PE file this .XBE was created from. |
0x0148 | 0x0004 | PE TimeDate | Copied from the PE file this .XBE was created from (UNIX timestamp format). |
0x014C | 0x0004 | Debug PathName Address | Address to the debug pathname (e.g. "D:\Nightlybuilds\011026.0\code\build\xbox\Release\simpsons.exe"). |
0x0150 | 0x0004 | Debug FileName Address | Address to the debug filename (e.g. "simpsons.exe"). |
0x0154 | 0x0004 | UTF-16 Debug FileName Address | Address to the UTF-16 debug filename (e.g. L"simpsons.exe"). |
0x0158 | 0x0004 | Kernel Image Thunk Address | Address to the Kernel Image Thunk Table, after the .XBE is loaded into memory. This is how .XBE files import kernel functions and data. This value is encoded with an XOR key. Considering this is far too weak to be considered security, I assume this XOR is a clever method for discerning between Debug/Retail .XBE files without adding another field to the .XBE header. The XOR key is dependent on the build: Beta = 0x46437DCD, Debug = 0xEFB1F152, Retail = 0x5B6D40B6. To encode a kernel thunk address, you simply XOR the real address with either the Debug or Retail key, depending on whether you want the Xbox to see this as a Debug or Retail executable. To decode a kernel thunk address, you XOR with the debug key, then check if it is a valid address. If it is not, then you try again with the retail key. The Kernel Thunk Table itself is simply an array of pointers to Kernel imports. There are 366 possible imports, and the table is terminated with a zero dword (0x00000000). Typically the values in this table can be generated with the following formula: KernelThunkTable[v] = ImportThunk + 0x80000000; so, for example, the import PsCreateSystemThreadEx, which has a thunk value of 255 (0xFF), would be KernelThunkTable[v] = 0xFF + 0x80000000; // (0x800000FF). When the .XBE is loaded by the OS (or the CXBX Emulator), all kernel imports are replaced by a valid function or data type address. In the case of CXBX, the import table entry at which ((KernelThunkTable[v] & 0x1FF) == 0xFF) will be replaced by &cxbx_PsCreateSystemThreadEx (which is a wrapper function). Note: The Entry Point member of this header must also be encoded as described earlier in this document. |
0x015C | 0x0004 | Non-Kernel Import Directory Address | Address to the Non-Kernel Import Directory. It is typically safe to set this to zero. |
0x0160 | 0x0004 | Number of Library Versions | Number of Library Versions pointed to by Library Versions Address. |
0x0164 | 0x0004 | Library Versions Address | Address to an array of LibraryVersion structures, after the .XBE is loaded into memory. |
0x0168 | 0x0004 | Kernel Library Version Address | Address to a LibraryVersion structure, after the .XBE is loaded into memory. |
0x016C | 0x0004 | XAPI Library Version Address | Address to a LibraryVersion structure, after the .XBE is loaded into memory. |
0x0170 | 0x0004 | Logo Bitmap Address | Address to the Logo Bitmap (Typically a "Microsoft" logo). The format of this image is described here. This field can be set to zero, meaning there is no bitmap present. |
0x0174 | 0x0004 | Logo Bitmap Size | Size (in bytes) of the Logo Bitmap data. The format of this image is described here. |
0x0178 | 0x0008 | Unknown1 | The meaning of this field hasn't been figured out yet. It only exists on XBEs built with an XDK version >= 5028. |
0x0180 | 0x0004 | Unknown2 | The meaning of this field hasn't been figured out yet. It only exists on XBEs built with an XDK version >= 5455. |
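The header layout and the debug-then-retail decoding procedure above can be exercised with the following parser. It is an added example, not code from the wiki or from any Xbox tool. It assumes that a "valid" address means one inside the loaded image (Base Address up to Base Address + Size of Image) and that both encoded fields must decode with the same build's keys; the sample header is constructed.

```python
import struct

MAGIC = 0x48454258  # "XBEH" read as a little-endian u32
ENTRY_KEYS = {"debug": 0x94859D4B, "retail": 0xA8FC57AB}
THUNK_KEYS = {"debug": 0xEFB1F152, "retail": 0x5B6D40B6}
INIT_FLAGS = {0x1: "MountUtilityDrive", 0x2: "FormatUtilityDrive",
              0x4: "Limit64Megabytes", 0x8: "DontSetupHarddisk"}

def decode_address(encoded, keys, base, image_size):
    """Try the debug key, then the retail key, as the table describes.
    Assumption: 'valid' means the result lies inside the loaded image."""
    for build in ("debug", "retail"):
        addr = encoded ^ keys[build]
        if base <= addr < base + image_size:
            return build, addr
    raise ValueError("no key yields an address inside the image")

def parse_image_header(data):
    if len(data) < 0x178:
        raise ValueError("shorter than the minimum image header (0x178)")
    if struct.unpack_from("<I", data, 0)[0] != MAGIC:
        raise ValueError("bad magic, expected XBEH")
    # Base Address, Size of Headers, Size of Image, Size of Image Header
    base, _hdrs, image_size, hdr_size = struct.unpack_from("<4I", data, 0x104)
    if hdr_size < 0x178:
        raise ValueError("Size of Image Header below 0x178")
    flags, enc_entry = struct.unpack_from("<2I", data, 0x124)
    enc_thunk = struct.unpack_from("<I", data, 0x158)[0]
    entry_build, entry = decode_address(enc_entry, ENTRY_KEYS, base, image_size)
    thunk_build, thunk = decode_address(enc_thunk, THUNK_KEYS, base, image_size)
    if entry_build != thunk_build:  # assumption: both fields share one build
        raise ValueError("entry point and thunk address decode as different builds")
    return {"build": entry_build, "base": base, "entry": entry, "thunk": thunk,
            "flags": [name for bit, name in INIT_FLAGS.items() if flags & bit]}

def make_sample(build="retail"):
    """Constructed header for demonstration; not taken from a real title."""
    hdr = bytearray(0x178)
    struct.pack_into("<I", hdr, 0, MAGIC)
    struct.pack_into("<4I", hdr, 0x104, 0x00010000, 0x1000, 0x20000, 0x178)
    struct.pack_into("<2I", hdr, 0x124, 0x1 | 0x4, 0x00011000 ^ ENTRY_KEYS[build])
    struct.pack_into("<I", hdr, 0x158, 0x00012000 ^ THUNK_KEYS[build])
    return bytes(hdr)

if __name__ == "__main__":
    print(parse_image_header(make_sample()))
```

Because the build type is inferred only from which key produces an in-range address, a parser should reject headers where neither key does rather than fall back to the raw value.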
LibraryVersion Table
Offset | Size | Name | Description |
---|---|---|---|
0x0000 | 0x0008 | Library Name | 8-byte ASCII-name of this library. (i.e. "XAPILIB") |
0x0008 | 0x0002 | Major Version | Major version for this library (2-byte WORD). |
0x000A | 0x0002 | Minor Version | Minor version for this library (2-byte WORD). |
0x000C | 0x0002 | Build Version | Build version for this library (2-byte WORD). |
0x000E | 0x0002 | Library Flags | Various flags for this library. The fields are: QFEVersion = 0x1FFF (13-Bit Mask), Approved = 0x6000 (02-Bit Mask), Debug Build = 0x8000 (01-Bit Mask) |
TLS Table
The TLS Table contains all the information needed by the XBE to properly set up thread-local storage. It is structurally identical to the TLS Directory found in PE32 files[1], and can be directly copied from there. If the XBE does not use any thread-local storage, this table may be omitted, and the respective field in the image header set to zero.
Offset | Size | Name | Description |
---|---|---|---|
0x0000 | 0x0004 | Raw Data Start | Absolute (i.e. not an RVA) address of start of the TLS variable data in the program image. |
0x0004 | 0x0004 | Raw Data End | Absolute (i.e. not an RVA) address of end of the TLS variable data in the program image. |
0x0008 | 0x0004 | Address of Index | Absolute (i.e. not an RVA) address of the TLS Index variable. |
0x000C | 0x0004 | Address of Callbacks | Absolute (i.e. not an RVA) address of the null-terminated TLS callback functions table. |
0x0010 | 0x0004 | Size of Zero Fill | The number of bytes following the raw data that should be set to zero in memory. |
0x0014 | 0x0004 | Characteristics | Describes alignment. |
Certificate
Each Xbox executable has a certificate that contains information about the title.
- Time and date when the certificate was created
- Title ID
- Title name
- Alternative title IDs
- Allowed types of media that the executable can be run from (HD, DVD, CD, etc.)
- Game region
- Game ratings
- Disk number
- Version
- LAN key raw data used for System Link
- Signature key raw data (used to sign savegames)
- Alternate signature keys
- Original size of the certificate
- Online service name (not present in early executables)
- Run time security flags (not present in early executables)
Title ID
A title ID is usually 2 ASCII letters for the publisher, followed by a u16 integer game number (above 2000 for non-original Xbox games).
Publisher ID | Name |
---|---|
AC | Acclaim Entertainment |
AH | ARUSH Entertainment |
AP | Aquaplus |
AQ | Aqua System |
AS | ASK |
AT | Atlus |
AV | Activision |
AY | Aspyr Media |
BA | Bandai |
BL | Black Box |
BM | BAM! Entertainment |
BR | Broccoli Co. |
BS | Bethesda Softworks |
BU | Bunkasha Co. |
BV | Buena Vista Games |
BW | BBC Multimedia |
BZ | Blizzard |
CC | Capcom |
CK | Kemco Corporation [citation needed] |
CM | Codemasters |
CT | CTO S.p.A. |
CV | Crave Entertainment |
DC | DreamCatcher Interactive |
DX | Davilex |
EA | Electronic Arts (EA) |
EC | Encore inc |
EL | Enlight Software |
EM | Empire Interactive |
ES | Eidos Interactive |
FI | Fox Interactive |
FS | From Software |
GE | Genki Co. |
GV | Groove Games |
HE | Tru Blu (Entertainment division of Home Entertainment Suppliers) |
HP | Hip games |
HU | Hudson Soft |
HW | Highwaystar |
IA | Mad Catz Interactive |
IF | Idea Factory |
IG | Infogrames |
IL | Interlex Corporation |
IM | Imagine Media |
IO | Ignition Entertainment |
IP | Interplay Entertainment |
IX | InXile Entertainment [citation needed] |
JA | Jaleco |
JW | JoWooD |
KB | Kemco [citation needed] |
KI | Kids Station Inc. [citation needed] |
KK | KiKi |
KN | Konami |
KO | KOEI |
KT | Konami Tokyo |
KU | Kobi and/or GAE (formerly Global A Entertainment)[citation needed] |
LA | LucasArts |
LS | Black Bean Games (publishing arm of Leader S.p.A.) |
MD | Metro3D |
ME | Medix |
MI | Microïds |
MJ | Majesco Entertainment |
MM | Myelin Media |
MP | MediaQuest [citation needed] |
MS | Microsoft Game Studios |
MW | Midway Games |
MX | Empire Interactive [citation needed] |
NK | NewKidCo |
NL | NovaLogic |
NM | Namco |
OX | Oxygen Interactive |
PC | Playlogic Entertainment |
PL | Phantagram Co., Ltd. |
RA | Rage |
SA | Sammy |
SC | SCi Games |
SE | SEGA |
SN | SNK |
SS | Simon & Schuster |
SU | Success Corporation |
SW | Swing! Deutschland |
TA | Takara |
TC | Tecmo |
TD | The 3DO Company (or just 3DO) |
TK | Takuyo |
TM | TDK Mediactive |
TQ | THQ |
TS | Titus Interactive |
TT | Take-Two Interactive Software |
US | Ubisoft |
VC | Victor Interactive Software |
VN | Vivendi Universal (just took Interplays publishing rights) [citation needed] |
VU | Vivendi Universal Games |
VV | Vivendi Universal Games [citation needed] |
WE | Wanadoo Edition |
WR | Warner Bros. Interactive Entertainment [citation needed] |
XD | Xbox demo disk? (Japan?) |
XI | XPEC Entertainment and Idea Factory |
XK | Xbox kiosk disk? [citation needed] |
XL | Xbox special bundled or live demo disk? [citation needed] |
XM | Evolved Games [citation needed] |
XP | XPEC Entertainment |
XR | Panorama |
XX | Microsoft Windows Media Center Extender for Xbox |
YB | YBM Sisa (South-Korea) |
ZD | Zushi Games (formerly Zoo Digital Publishing) |
The title ID seems to double the information from the Xbox Game Disc mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits here which suggests that it will always be below 1000.
Examples:
- DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe)
- Title ID: 45410017 [EA-023]
- DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America)
- Title ID: 4D530004 [MS-004]
- DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe)
- Title ID: 4D530004 [MS-004]
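The relationship between the title ID and the mastering code shown in the examples above can be checked mechanically. This is an added example, not part of the original page; the function names are hypothetical, the mastering-code field widths are inferred from the three examples, and only the region letters that appear in them are mapped.

```python
import re

# Only the region letters that appear in the page's examples.
REGIONS = {"A": "America", "E": "Europe"}

def decode_title_id(title_id):
    """Split a 32-bit title ID into (publisher letters, game number)."""
    if not 0 <= title_id <= 0xFFFFFFFF:
        raise ValueError("title ID must fit in 32 bits")
    publisher = bytes([(title_id >> 24) & 0xFF, (title_id >> 16) & 0xFF])
    if not (publisher.isalpha() and publisher.isupper()):
        raise ValueError("publisher field is not two ASCII capital letters")
    return publisher.decode("ascii"), title_id & 0xFFFF

def format_title_id(title_id):
    publisher, game = decode_title_id(title_id)
    return f"{publisher}-{game:03d}"

def parse_mastering_code(code):
    """Publisher (2 letters), game (3 digits), version (2 digits), region (1 letter)."""
    m = re.fullmatch(r"([A-Z]{2})(\d{3})(\d{2})([A-Z])", code)
    if m is None:
        raise ValueError("unexpected mastering code layout")
    publisher, game, version, region = m.groups()
    return {"publisher": publisher, "game": int(game), "version": int(version),
            "region": REGIONS.get(region, region)}

def title_matches_disc(title_id, mastering_code):
    """True when the certificate's title ID agrees with the disc's mastering code."""
    publisher, game = decode_title_id(title_id)
    disc = parse_mastering_code(mastering_code)
    return (publisher, game) == (disc["publisher"], disc["game"])

if __name__ == "__main__":
    for tid, code in [(0x45410017, "EA02302E"), (0x4D530004, "MS00402A"),
                      (0x4D530004, "MS00404E")]:
        print(format_title_id(tid), parse_mastering_code(code),
              title_matches_disc(tid, code))
```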
Allowed media types
The media types from which the executable is allowed to be run. The following values are known:
Media type | Value |
---|---|
HARD_DISK | 0x00000001 |
DVD_X2 | 0x00000002 |
DVD_CD | 0x00000004 |
CD | 0x00000008 |
DVD_5_RO | 0x00000010 |
DVD_9_RO | 0x00000020 |
DVD_5_RW | 0x00000040 |
DVD_9_RW | 0x00000080 |
DONGLE | 0x00000100 |
MEDIA_BOARD | 0x00000200 |
NONSECURE_HARD_DISK | 0x40000000 |
NONSECURE_MODE | 0x80000000 |
MEDIA_MASK | 0x00FFFFFF |
Sections
The sections are described by the section headers. The section headers start right after the certificate and describe where in the file the actual sections reside. Each header contains a 20-byte SHA-1 hash of the section that is checked by the Xbox to ensure the integrity of the sections.
At least two sections are always present in an Xbox executable: .text and .rdata. There might be more sections that contain either executable code or resources such as images, text, etc.
.text
The .text section contains all x86 subroutines to be executed by the processor.
.rdata
The .rdata section contains the kernel thunk table. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded.
Xbox Alpha executable format
Binaries from early Xbox development (Alpha units) use a different binary format. There are no known public tools that can read them. Known differences include that the first bytes of the file are 'XE' instead of the 'XBEH' from the final XBE format. The format is rumored to be more like the Windows PE format.[citation needed]