Xbe

From xboxdevwiki
Revision as of 17:13, 6 October 2021 by Thrimbor (talk | contribs) (Add info about the LibraryVersion Table)

XBE files (XBox Executable) are the main files that are executed in the Xbox System. In official games, these files are created by game developers, and then signed by Microsoft.

The file structure is adapted from the Windows PE format. It is very similar, but with important changes for the Xbox. The file is composed of an image header, a certificate, a collection of section headers, a collection of library versions, thread local storage data, a Microsoft bitmap, and the sections that contain the code and resources.

Image Header

The image header contains the information that describes where the other parts of the executable are located within the file, and how the executable should be treated and loaded. It has the following layout (all fields are little-endian):

Offset Size Name Description
0x0000 0x0004 Magic Number This field must always equal 0x48454258 ("XBEH")
0x0004 0x0100 Digital Signature 256 Bytes. This is where a game is signed. Only on officially signed games is this field worthwhile.
0x0104 0x0004 Base Address Address at which to load this .XBE. Typically this will be 0x00010000.
0x0108 0x0004 Size of Headers Number of bytes that should be reserved for headers.
0x010C 0x0004 Size of Image Number of bytes that should be reserved for this image.
0x0110 0x0004 Size of Image Header Number of bytes that should be reserved for the image header. The header size varies by XDK version, but is at least 0x178.
0x0114 0x0004 TimeDate Time and Date when this image was created. Standard windows format.
0x0118 0x0004 Certificate Address Address to a Certificate structure, after the .XBE is loaded into memory.
0x011C 0x0004 Number of Sections Number of sections contained in this .XBE.
0x0120 0x0004 Section Headers Address Address to an array of SectionHeader structures, after the .XBE is loaded into memory.
0x0124 0x0004 Initialization Flags Various flags for this .XBE file. Known flags are:
 MountUtilityDrive  = 0x00000001
 FormatUtilityDrive = 0x00000002
 Limit64Megabytes   = 0x00000004
 DontSetupHarddisk  = 0x00000008
0x0128 0x0004 Entry Point Address to the Image entry point, after the .XBE is loaded into memory. This is where execution starts.

This value is encoded with an XOR key. Considering this is far too weak to be considered security, I assume this XOR is a clever method for discerning between Debug/Retail .XBE files without adding another field to the .XBE header. The XOR key is dependent on the build:

 Debug = 0x94859D4B, Retail = 0xA8FC57AB

To encode an entry point, you simply XOR the real entry point with either Debug or Retail key, depending on if you want the XBox to see this as a Debug or Retail executable.

To decode an entry point, you XOR with the debug key, then check if it is a valid entry point. If it is not, then you try again with the retail key.

Note: The Kernel Image Thunk Address member of this header must also be encoded as described later in this document.

0x012C 0x0004 TLS Address Address to a TLS (Thread Local Storage) structure.
0x0130 0x0004 Stack Size Default stack size. As the Xbox does not allow for stacks to grow, this needs to be copied from the SizeOfStackReserve PE field, not SizeOfStackCommit!
0x0134 0x0004 PE Heap Reserve Copied from the PE file this .XBE was created from.
0x0138 0x0004 PE Heap Commit Copied from the PE file this .XBE was created from.
0x013C 0x0004 PE Base Address Copied from the PE file this .XBE was created from.
0x0140 0x0004 PE Size of Image Copied from the PE file this .XBE was created from.
0x0144 0x0004 PE Checksum Copied from the PE file this .XBE was created from.
0x0148 0x0004 PE TimeDate Copied from the PE file this .XBE was created from.
0x014C 0x0004 Debug PathName Address Address to the debug pathname (i.e. "D:\Nightlybuilds\011026.0\code\build\xbox\Release\simpsons.exe").
0x0150 0x0004 Debug FileName Address Address to the debug filename (i.e. "simpsons.exe")
0x0154 0x0004 UTF-16 Debug FileName Address Address to the UTF-16 debug filename (i.e. L"simpsons.exe")
0x0158 0x0004 Kernel Image Thunk Address Address to the Kernel Image Thunk Table, after the .XBE is loaded into memory. This is how .XBE files import kernel functions and data.

This value is encoded with an XOR key. Considering this is far too weak to be considered security, I assume this XOR is a clever method for discerning between Debug/Retail .XBE files without adding another field to the .XBE header. The XOR key is dependent on the build:

 Debug = 0xEFB1F152, Retail = 0x5B6D40B6

To encode a kernel thunk address, you simply XOR the real address with either Debug or Retail key, depending on if you want the XBox to see this as a Debug or Retail executable.

To decode a kernel thunk address, you XOR with the debug key, then check if it is a valid address. If it is not, then you try again with the retail key.

The Kernel Thunk Table itself is simply an array of pointers to Kernel imports. There are 366 possible imports, and the table is terminated with a zero dword (0x00000000). Typically the values in this table can be generated with the following formula:

 KernelThunkTable[v] = ImportThunk + 0x80000000;

so, for example, the import PsCreateSystemThreadEx, which has a thunk value of 255 (0xFF) would be...

 KernelThunkTable[v] = 0xFF + 0x80000000; // (0x800000FF)

When the .XBE is loaded by the OS (or the CXBX Emulator), all kernel imports are replaced by a valid function or data address. In the case of CXBX, the import table entry for which ((KernelThunkTable[v] & 0x1FF) == 0xFF) will be replaced by &cxbx_PsCreateSystemThreadEx (which is a wrapper function). Note the parentheses: in C, == binds tighter than &, so the mask must be applied first.

Note: The Entry Point member of this header must also be encoded as described earlier in this document.

0x015C 0x0004 Non-Kernel Import Directory Address Address to the Non-Kernel Import Directory. It is typically safe to set this to zero.
0x0160 0x0004 Number of Library Versions Number of Library Versions pointed to by Library Versions Address.
0x0164 0x0004 Library Versions Address Address to an array of LibraryVersion structures, after the .XBE is loaded into memory.
0x0168 0x0004 Kernel Library Version Address Address to a LibraryVersion structure, after the .XBE is loaded into memory.
0x016C 0x0004 XAPI Library Version Address Address to a LibraryVersion structure, after the .XBE is loaded into memory.
0x0170 0x0004 Logo Bitmap Address Address to the Logo Bitmap (Typically a "Microsoft" logo). The format of this image is described here. This field can be set to zero, meaning there is no bitmap present.
0x0174 0x0004 Logo Bitmap Size Size (in bytes) of the Logo Bitmap data. The format of this image is described here.
0x0178 0x0008 Unknown1 The meaning of this field hasn't been figured out yet. It only exists on XBEs built with an XDK version >= 5028.
0x0180 0x0004 Unknown2 The meaning of this field hasn't been figured out yet. It only exists on XBEs built with an XDK version >= 5455.
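As an added example (not code from the wiki page or from any Xbox toolchain), the following Python parses the fixed 0x178-byte image header described above, decodes the XOR-encoded Entry Point and Kernel Image Thunk Address with the debug-then-retail rule, and walks the zero-terminated kernel thunk table to recover import ordinals. The field names, the "address lies inside the loaded image" validity test, and the sample image bytes are this example's own assumptions; the magic, XOR keys and thunk encoding come from the page.

```python
import struct

# Constants from the page: magic number and the two XOR key pairs.
XBE_MAGIC = 0x48454258                                   # "XBEH"
ENTRY_KEYS = {"debug": 0x94859D4B, "retail": 0xA8FC57AB}
THUNK_KEYS = {"debug": 0xEFB1F152, "retail": 0x5B6D40B6}

# Image header fields in file order, covering the 0x178-byte minimum header.
HEADER_FIELDS = [
    ("magic", "I"), ("signature", "256s"), ("base_address", "I"),
    ("size_of_headers", "I"), ("size_of_image", "I"), ("size_of_image_header", "I"),
    ("timedate", "I"), ("certificate_address", "I"), ("number_of_sections", "I"),
    ("section_headers_address", "I"), ("init_flags", "I"), ("entry_point", "I"),
    ("tls_address", "I"), ("stack_size", "I"), ("pe_heap_reserve", "I"),
    ("pe_heap_commit", "I"), ("pe_base_address", "I"), ("pe_size_of_image", "I"),
    ("pe_checksum", "I"), ("pe_timedate", "I"), ("debug_pathname_address", "I"),
    ("debug_filename_address", "I"), ("debug_unicode_filename_address", "I"),
    ("kernel_thunk_address", "I"), ("import_directory_address", "I"),
    ("number_of_library_versions", "I"), ("library_versions_address", "I"),
    ("kernel_library_version_address", "I"), ("xapi_library_version_address", "I"),
    ("logo_bitmap_address", "I"), ("logo_bitmap_size", "I"),
]
HEADER_NAMES = [name for name, _ in HEADER_FIELDS]
HEADER_FORMAT = "<" + "".join(fmt for _, fmt in HEADER_FIELDS)   # all little-endian
HEADER_SIZE = struct.calcsize(HEADER_FORMAT)                      # 0x178


def parse_image_header(data):
    """Unpack the fixed part of the image header and verify the magic number."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for an XBE image header")
    header = dict(zip(HEADER_NAMES, struct.unpack_from(HEADER_FORMAT, data, 0)))
    if header["magic"] != XBE_MAGIC:
        raise ValueError("bad magic 0x%08X, expected 0x%08X" % (header["magic"], XBE_MAGIC))
    return header


def decode_xored_address(encoded, keys, base, size):
    """The page's rule: XOR with the debug key, check validity, else try retail.
    'Valid' here means the result lies inside the loaded image [base, base+size);
    that test is this example's assumption, not something the page specifies."""
    for build, key in keys.items():           # dict order: debug first, then retail
        address = encoded ^ key
        if base <= address < base + size:
            return build, address
    raise ValueError("neither key yields an address inside the image")


def read_kernel_thunk_table(data, file_offset):
    """Walk the zero-terminated thunk table and return import ordinals.  Before
    loading, every entry is ordinal + 0x80000000; an entry without the high bit
    set is not an unresolved import, so it is rejected instead of being misread."""
    ordinals = []
    while True:
        (value,) = struct.unpack_from("<I", data, file_offset)
        if value == 0:
            break
        if (value & 0x80000000) == 0:
            raise ValueError("thunk entry 0x%08X is not an unresolved import" % value)
        ordinals.append(value & 0x1FF)        # low 9 bits, as in the CXBX test above
        file_offset += 4
    return ordinals


def analyse(data):
    """Tie the pieces together for an image whose headers are mapped flat at the
    base address (file offset == address - base), which the sample below guarantees."""
    header = parse_image_header(data)
    base, size = header["base_address"], header["size_of_image"]
    build, entry = decode_xored_address(header["entry_point"], ENTRY_KEYS, base, size)
    build2, thunk = decode_xored_address(header["kernel_thunk_address"], THUNK_KEYS, base, size)
    if build != build2:
        raise ValueError("entry point and thunk address disagree on debug/retail")
    return {"build": build, "entry_point": entry, "thunk_address": thunk,
            "imports": read_kernel_thunk_table(data, thunk - base)}


def build_sample_image(build):
    """Constructed test image (not a real title): a header followed directly by a
    two-entry thunk table.  Only the fields analyse() reads carry meaningful values."""
    base, size = 0x00010000, 0x2000
    fields = dict.fromkeys(HEADER_NAMES, 0)
    fields.update(magic=XBE_MAGIC, signature=b"\0" * 256, base_address=base,
                  size_of_headers=HEADER_SIZE + 12, size_of_image=size,
                  size_of_image_header=HEADER_SIZE,
                  entry_point=(base + 0x1000) ^ ENTRY_KEYS[build],
                  kernel_thunk_address=(base + HEADER_SIZE) ^ THUNK_KEYS[build])
    header = struct.pack(HEADER_FORMAT, *(fields[n] for n in HEADER_NAMES))
    # PsCreateSystemThreadEx is ordinal 255 per the page; ordinal 1 is filler.
    table = struct.pack("<III", 0x80000000 | 0xFF, 0x80000000 | 0x01, 0)
    return header + table


if __name__ == "__main__":
    for build in ("debug", "retail"):
        print(build, analyse(build_sample_image(build)))
```

Trying the debug key first on a retail image yields an address far outside the image (0x3C78DAE0 for the sample entry point), which is why the in-image range check is enough to tell the two builds apart; a parser should still refuse images where the two encoded fields disagree about the build, as analyse() does.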

LibraryVersion Table

Offset Size Name Description
0x0000 0x0008 Library Name 8-byte ASCII name of this library (i.e. "XAPILIB").
0x0008 0x0002 Major Version Major version for this library (2-byte WORD).
0x000A 0x0002 Minor Version Minor version for this library (2-byte WORD).
0x000C 0x0002 Build Version Build version for this library (2-byte WORD).
0x000E 0x0002 Library Flags Various flags for this library. The fields are:
 QFEVersion  = 0x1FFF (13-Bit Mask)
 Approved    = 0x6000 (02-Bit Mask)
 Debug Build = 0x8000 (01-Bit Mask)
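As an added example (not from the wiki page or any Xbox tool), this Python decodes LibraryVersion entries as laid out in the table above, splitting the flags WORD into its QFE, Approved and Debug Build fields. The sample table is constructed: XAPILIB is the name the page gives, D3D8 and all version and flag values are made up for the example.

```python
import struct

# LibraryVersion entry layout from the page: 8-byte name, three WORDs, flags WORD.
LIBVER_FORMAT = "<8sHHHH"
LIBVER_SIZE = struct.calcsize(LIBVER_FORMAT)      # 16 bytes

QFE_MASK = 0x1FFF        # 13-bit QFE version
APPROVED_MASK = 0x6000   # 2-bit approval field
DEBUG_BUILD = 0x8000     # 1-bit debug flag


def parse_library_version(data, offset=0):
    """Decode one entry, splitting the flags WORD into its three fields."""
    name, major, minor, build, flags = struct.unpack_from(LIBVER_FORMAT, data, offset)
    return {
        "name": name.rstrip(b"\0").decode("ascii"),
        "version": "%d.%d.%d" % (major, minor, build),
        "qfe_version": flags & QFE_MASK,
        "approved": (flags & APPROVED_MASK) >> 13,
        "debug_build": bool(flags & DEBUG_BUILD),
    }


def parse_library_version_table(data, offset, count):
    """Read `count` consecutive entries starting at `offset`; the caller translates
    the header's Library Versions Address into a file offset."""
    return [parse_library_version(data, offset + i * LIBVER_SIZE) for i in range(count)]


def find_debug_libraries(entries):
    """Names of libraries linked in their debug configuration.  A retail title that
    carries debug libraries is something an analyst would want flagged."""
    return [e["name"] for e in entries if e["debug_build"]]


# Constructed sample table (two entries).  5455 is an XDK build number mentioned on
# the page; the flag values are chosen to exercise every field.
SAMPLE_TABLE = (
    struct.pack(LIBVER_FORMAT, b"XAPILIB", 1, 0, 5455, 0x6000 | 0x0003) +
    struct.pack(LIBVER_FORMAT, b"D3D8", 1, 0, 5455, 0x8000 | 0x2000 | 0x0001)
)

if __name__ == "__main__":
    entries = parse_library_version_table(SAMPLE_TABLE, 0, 2)
    for e in entries:
        print(e)
    print("debug libraries:", find_debug_libraries(entries))
```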

TLS Table

The TLS Table contains all the information needed by the XBE to properly set up thread-local storage. It is structurally identical to the TLS Directory found in PE32 files[1], and can be directly copied from there. If the XBE does not use any thread-local storage, this table may be omitted, and the respective field in the image header set to zero.

Offset Size Name Description
0x0000 0x0004 Raw Data Start Absolute (i.e. not an RVA) address of start of the TLS variable data in the program image.
0x0004 0x0004 Raw Data End Absolute (i.e. not an RVA) address of end of the TLS variable data in the program image.
0x0008 0x0004 Address of Index Absolute (i.e. not an RVA) address of the TLS Index variable.
0x000C 0x0004 Address of Callbacks Absolute (i.e. not an RVA) address of the null-terminated TLS callback functions table.
0x0010 0x0004 Size of Zero Fill The number of bytes following the raw data that should be set to zero in memory.
0x0014 0x0004 Characteristics Describes alignment.


Certificate

Each Xbox executable has a certificate that contains information about the title.

  • Time and date when the certificate was created
  • Title ID
  • Title name
  • Alternative title IDs
  • Allowed types of media that the executable can be run from (HD, DVD, CD, etc.)
  • Game region
  • Game ratings
  • Disk number
  • Version
  • LAN key raw data used for System Link
  • Signature key raw data (used to sign savegames)
  • Alternate signature keys
  • Original size of the certificate
  • Online service name (not present in early executables)
  • Run time security flags (not present in early executables)

Title ID

A title ID is usually two ASCII letters identifying the publisher, followed by a u16 game number (above 2000 for non-original Xbox games).

Publisher ID Name
AC Acclaim Entertainment
AH ARUSH Entertainment
AQ Aqua System
AS ASK
AT Atlus
AV Activision
AY Aspyr Media
BA Bandai
BL Black Box
BM BAM! Entertainment
BR Broccoli Co.
BS Bethesda Softworks
BU Bunkasha Co.
BV Buena Vista Games
BW BBC Multimedia
BZ Blizzard
CC Capcom
CK Kemco Corporation [citation needed]
CM Codemasters
CV Crave Entertainment
DC DreamCatcher Interactive
DX Davilex
EA Electronic Arts (EA)
EC Encore inc
EL Enlight Software
EM Empire Interactive
ES Eidos Interactive
FI Fox Interactive
FS From Software
GE Genki Co.
GV Groove Games
HE Tru Blu (Entertainment division of Home Entertainment Suppliers)
HP Hip games
HU Hudson Soft
HW Highwaystar
IA Mad Catz Interactive
IF Idea Factory
IG Infogrames
IL Interlex Corporation
IM Imagine Media
IO Ignition Entertainment
IP Interplay Entertainment
IX InXile Entertainment [citation needed]
JA Jaleco
JW JoWooD
KB Kemco [citation needed]
KI Kids Station Inc. [citation needed]
KN Konami
KO KOEI
KU Kobi and/or GAE (formerly Global A Entertainment)[citation needed]
LA LucasArts
LS Black Bean Games (publishing arm of Leader S.p.A.)
MD Metro3D
ME Medix
MI Microïds
MJ Majesco Entertainment
MM Myelin Media
MP MediaQuest [citation needed]
MS Microsoft Game Studios
MW Midway Games
MX Empire Interactive [citation needed]
NK NewKidCo
NL NovaLogic
NM Namco
OX Oxygen Interactive
PC Playlogic Entertainment
PL Phantagram Co., Ltd.
RA Rage
SA Sammy
SC SCi Games
SE SEGA
SN SNK
SS Simon & Schuster
SU Success Corporation
SW Swing! Deutschland
TA Takara
TC Tecmo
TD The 3DO Company (or just 3DO)
TK Takuyo
TM TDK Mediactive
TQ THQ
TS Titus Interactive
TT Take-Two Interactive Software
US Ubisoft
VC Victor Interactive Software
VN Vivendi Universal (just took over Interplay's publishing rights) [citation needed]
VU Vivendi Universal Games
VV Vivendi Universal Games [citation needed]
WE Wanadoo Edition
WR Warner Bros. Interactive Entertainment [citation needed]
XI XPEC Entertainment and Idea Factory
XK Xbox kiosk disk? [citation needed]
XL Xbox special bundled or live demo disk? [citation needed]
XM Evolved Games [citation needed]
XP XPEC Entertainment
XR Panorama
YB YBM Sisa (South-Korea)
ZD Zushi Games (formerly Zoo Digital Publishing)

The title ID seems to duplicate the information from the Xbox Game Disc mastering code etched into the ring or readable from the DMI. The game number is expressed in 3 decimal digits in the mastering code, which suggests that it will always be below 1000.

Examples:

FIFA Soccer 2003:

  • DMI and mastering code: EA02302E (Meaning: publisher EA, game number 023, version 02, region Europe)
  • Title ID: [FIXME]

Halo: Combat Evolved:

  • DMI and mastering code: MS00402A (Meaning: publisher Microsoft, game number 004, version 02, region America)
  • Title ID: 4D530004 [MS-004]

Halo: Combat Evolved:

  • DMI and mastering code: MS00404E (Meaning: publisher Microsoft, game number 004, version 04, region Europe)
  • Title ID: 4D530004 [MS-004]

Allowed media types

Bit mask of the media types from which the executable is allowed to run. The following values are known:

Media type Value
HARD_DISK 0x00000001
DVD_X2 0x00000002
DVD_CD 0x00000004
CD 0x00000008
DVD_5_RO 0x00000010
DVD_9_RO 0x00000020
DVD_5_RW 0x00000040
DVD_9_RW 0x00000080
DONGLE 0x00000100
MEDIA_BOARD 0x00000200
NONSECURE_HARD_DISK 0x40000000
NONSECURE_MODE 0x80000000
MEDIA_MASK 0x00FFFFFF
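As an added example covering two of the certificate fields described above (the title ID and the allowed media types), the following Python splits a title ID into publisher letters and game number, checks it against a disc mastering code as in the Halo example, and names the bits set in an allowed-media value. This is not code from the wiki page; the short publisher dictionary is a subset of the table above, and the media value used in the demonstration is constructed.

```python
import struct

# Media-type bits from the page's table.
MEDIA_TYPES = {
    0x00000001: "HARD_DISK", 0x00000002: "DVD_X2", 0x00000004: "DVD_CD",
    0x00000008: "CD", 0x00000010: "DVD_5_RO", 0x00000020: "DVD_9_RO",
    0x00000040: "DVD_5_RW", 0x00000080: "DVD_9_RW", 0x00000100: "DONGLE",
    0x00000200: "MEDIA_BOARD", 0x40000000: "NONSECURE_HARD_DISK",
    0x80000000: "NONSECURE_MODE",
}
MEDIA_MASK = 0x00FFFFFF
KNOWN_MEDIA_BITS = sum(MEDIA_TYPES)          # OR of all defined bits (they are distinct)

# A few publisher codes from the page's table.
PUBLISHERS = {"MS": "Microsoft Game Studios", "EA": "Electronic Arts (EA)",
              "US": "Ubisoft", "TQ": "THQ"}


def decode_title_id(title_id):
    """Split a 32-bit title ID: the high half holds the two publisher letters
    (0x4D53 == "MS"), the low half is the u16 game number."""
    publisher = struct.pack(">H", title_id >> 16).decode("ascii")
    number = title_id & 0xFFFF
    return {"publisher": publisher,
            "publisher_name": PUBLISHERS.get(publisher, "unknown"),
            "game_number": number,
            "label": "%s-%03d" % (publisher, number)}      # page style: MS-004


def encode_title_id(publisher, game_number):
    """Inverse of decode_title_id, with input validation."""
    if len(publisher) != 2 or not publisher.isascii() or not 0 <= game_number <= 0xFFFF:
        raise ValueError("publisher must be two ASCII letters and game number a u16")
    return (struct.unpack(">H", publisher.encode("ascii"))[0] << 16) | game_number


def parse_mastering_code(code):
    """Parse a Game Disc mastering code such as MS00402A: 2 publisher letters,
    3-digit game number, 2-digit version, 1 region letter."""
    if len(code) != 8 or not code[2:7].isdigit():
        raise ValueError("unexpected mastering code %r" % code)
    return {"publisher": code[:2], "game_number": int(code[2:5]),
            "version": int(code[5:7]), "region": code[7]}


def title_matches_disc(title_id, mastering_code):
    """Check the page's observation that publisher and game number in the title ID
    duplicate those in the mastering code."""
    t, m = decode_title_id(title_id), parse_mastering_code(mastering_code)
    return t["publisher"] == m["publisher"] and t["game_number"] == m["game_number"]


def decode_media_types(value):
    """Name every set media bit and separate the NONSECURE_* bits (outside
    MEDIA_MASK) from the real media bits; report any bit the table does not define."""
    return {"media": [name for bit, name in MEDIA_TYPES.items() if value & bit],
            "in_media_mask": value & MEDIA_MASK,
            "nonsecure_bits": value & ~MEDIA_MASK & 0xFFFFFFFF,
            "unknown_bits": value & ~KNOWN_MEDIA_BITS & 0xFFFFFFFF}


if __name__ == "__main__":
    print(decode_title_id(0x4D530004))                       # Halo, from the page
    print(title_matches_disc(0x4D530004, "MS00402A"))        # True
    print(decode_media_types(0x80000013))                    # constructed value
```

The NONSECURE_HARD_DISK and NONSECURE_MODE bits sit above MEDIA_MASK, so a tool that only masks with MEDIA_MASK silently drops them; decode_media_types() reports them separately so that a certificate permitting non-secure execution is visible at a glance.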

Sections

The sections are described by the section headers. The section headers start right after the certificate and describe where in the file the actual sections reside. Each header contains a hash of its section that is checked by the Xbox to ensure the integrity of the sections.

At least two sections are always present in an Xbox executable: .text and .rdata. There might be more sections that contain either executable code or resources such as images, text, etc.

.text

The .text section contains all x86 subroutines to be executed by the processor.

.rdata

The .rdata section contains the kernel thunk table. The ordinals in the table are to be resolved to the kernel's actual calling routine, when loaded.


Xbox Alpha executable format

Binaries from early Xbox development (Alpha units) use a different binary format. There are no known public tools that can read them. Known differences include that the first bytes of the file are 'XE' instead of the 'XBEH' of the final XBE format. The format is rumored to be more like the Windows PE format.[citation needed]

Resources and links

  • https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#the-tls-section