XBox Executable Documentation by Caustik (caustik@caustik.com)
This document is, afaik, the most precise .XBE documentation out there (other than official Microsoft documentation). The reason for this is the simple fact that I have done a lot of work with this type of file, and I am very familiar with the format. .XBE files are very similar to .EXE, so you won't have much of a problem using them if you have any sort of experience with .EXE files. Well, here we go..
Note: The author of this document is not responsible for anything you do with this information. This information is solely for entertainment purposes, and the author does not condone any illegal goals you may decide to use this information to achieve.
.XBE Image Header

| Field Name | Description | Size | Offset |
|---|---|---|---|
| Magic Number | This field must always equal 0x48454258 ("XBEH") | 0x0004 | 0x0000 |
| Digital Signature | 256 Bytes. This is where a game is signed. Only on officially signed games is this field worthwhile. | 0x0100 | 0x0004 |
| Base Address | Address at which to load this .XBE. Typically this will be 0x00010000. | 0x0004 | 0x0104 |
| Size of Headers | Number of bytes that should be reserved for headers. | 0x0004 | 0x0108 |
| Size of Image | Number of bytes that should be reserved for this image. | 0x0004 | 0x010C |
| Size of Image Header | Number of bytes that should be reserved for image header. | 0x0004 | 0x0110 |
| TimeDate | Time and Date when this image was created. Standard Windows format. | 0x0004 | 0x0114 |
| Certificate Address | Address to a Certificate structure, after the .XBE is loaded into memory. | 0x0004 | 0x0118 |
| Number of Sections | Number of sections contained in this .XBE. | 0x0004 | 0x011C |
| Section Headers Address | Address to an array of SectionHeader structures, after the .XBE is loaded into memory. | 0x0004 | 0x011C |
| Initialization Flags | Various flags for this .XBE file. Known flags are listed below the table. | 0x0004 | 0x0124 |
| Entry Point | Address to the Image entry point, after the .XBE is loaded into memory. This is where execution starts. This value is encoded with an XOR key, as described below the table. | 0x0004 | 0x0128 |
| TLS Address | Address to a TLS (Thread Local Storage) structure. | 0x0004 | 0x012C |
| PE Stack Commit | Copied from the PE file this .XBE was created from. | 0x0004 | 0x0130 |
| PE Heap Reserve | Copied from the PE file this .XBE was created from. | 0x0004 | 0x0134 |
| PE Heap Commit | Copied from the PE file this .XBE was created from. | 0x0004 | 0x0138 |
| PE Base Address | Copied from the PE file this .XBE was created from. | 0x0004 | 0x013C |
| PE Size of Image | Copied from the PE file this .XBE was created from. | 0x0004 | 0x0140 |
| PE Checksum | Copied from the PE file this .XBE was created from. | 0x0004 | 0x0144 |
| PE TimeDate | Copied from the PE file this .XBE was created from. | 0x0004 | 0x0148 |
| Debug PathName Address | Address to the debug pathname (i.e. "D:Nightlybuilds) | | |

Initialization Flags: Known flags are:
  MountUtilityDrive  = 0x00000001
  FormatUtilityDrive = 0x00000002
  Limit64Megabytes   = 0x00000004
  DontSetupHarddisk  = 0x00000008

Entry Point: This value is encoded with an XOR key. Considering this is far too weak to be considered security, I assume this XOR is a clever method for discerning between Debug/Retail .XBE files without adding another field to the .XBE header. The XOR key is dependent on the build:
  Debug = 0x94859D4B, Retail = 0xA8FC57AB
To encode an entry point, you simply XOR the real entry point with either Debug or Retail key, depending on if you want the XBox to see this as a Debug or Retail executable.
To decode an entry point, you XOR with the debug key, then check if it is a valid entry point. If it is not, then you try again with the retail key.
Note: The Kernel Image Thunk Address member of this header must also be encoded as described later in this document.
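
The decode procedure described above, as an added example that is not part of Caustik's document or its C source: a header parser that checks the magic number, tries the Debug key and then the Retail key, and reports the build type and initialization flags. Treating a "valid" entry point as one inside [Base Address, Base Address + Size of Image) is an assumption, the function names are hypothetical, and the sample header bytes are constructed.

```python
import struct

XBE_MAGIC = 0x48454258  # "XBEH"
ENTRY_KEYS = (("debug", 0x94859D4B), ("retail", 0xA8FC57AB))  # order the page tries them
INIT_FLAGS = {0x1: "MountUtilityDrive", 0x2: "FormatUtilityDrive",
              0x4: "Limit64Megabytes", 0x8: "DontSetupHarddisk"}
HEADER_MIN = 0x012C  # end of the Entry Point field (offset 0x0128 + 4)


def u32(data, offset):
    return struct.unpack_from("<I", data, offset)[0]  # little-endian 32-bit field


def decode_entry_point(encoded, base, image_size):
    """Debug key first, then retail; accept the first result inside the image."""
    for build, key in ENTRY_KEYS:
        entry = encoded ^ key
        # Assumption: "valid" means base <= entry < base + image_size.
        if base <= entry < base + image_size:
            return build, entry
    raise ValueError("entry point decodes outside the image with both keys")


def parse_xbe_header(data):
    """Check the header fields before trusting any address taken from them."""
    if len(data) < HEADER_MIN:
        raise ValueError("truncated header")
    if u32(data, 0x0000) != XBE_MAGIC:
        raise ValueError("bad magic number")
    base, image_size = u32(data, 0x0104), u32(data, 0x010C)
    flags = u32(data, 0x0124)
    build, entry = decode_entry_point(u32(data, 0x0128), base, image_size)
    return {"build": build, "base": base, "entry_point": entry,
            "flags": [n for bit, n in INIT_FLAGS.items() if flags & bit],
            "unknown_flags": flags & ~0xF}


def sample_header(entry, key, flags=0x1):
    """Constructed header bytes (not from a real image) to exercise the parser."""
    hdr = bytearray(HEADER_MIN)
    for offset, value in ((0x0000, XBE_MAGIC), (0x0104, 0x00010000),
                          (0x010C, 0x00020000), (0x0124, flags),
                          (0x0128, entry ^ key)):
        struct.pack_into("<I", hdr, offset, value)
    return bytes(hdr)
```

A header whose entry point decodes outside the image with both keys is rejected rather than guessed at, which is the case a tool reading untrusted .XBE files needs to handle.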