Sie sind auf Seite 1von 7

XexTool - xorloser This tool is for research purposes only. It must not be used for commercial/illegal/pirate uses.


:: Overview This is a tool to extract information on an xex file. It will print out xex information to the console, alter xex attributes, extract executable code and other basefiles and create idc scripts files to help with disassembling the extracted executable code. Note: Any altered or created retail xex files will not be correctly signed.

:: Install If you wish to run xextool from anywhere, copy the xextool.exe file to a location in your path that is used for exe files. If you are not sure you can check the %PATH% environment variable (type "echo %PATH%" from the command line) or just copy it into your windows directory. If you use the "Create IDC" feature of xex tool then you need to copy x360_imports.idc into your "IDA\idc" directory so that it will be found by any IDC script that you run.

:: Xex Format Basics An xex file consists of a basefile that the xex is built around and headers which contain various attributes to be used with the basefile. Usually the basefile is an executable file, however it can also be data file, as seen with ximedic.xex from the xbox360 flash. When the basefile is an executable file it is either an exe or dll, however it is not stored in its normal exe or dll format but instead as a binary file. Some of the xex header attributes are required, and others are optional. Some of these attributes are things such as the regions the xex is made for and the media the xex is allowed to boot from. The basefile can be optionally encrypted using aes encryption. All contents of the basefile are hashed and then rsa signed. Microsoft is the only one with access to the private key required to sign xexs in order to allow them to boot on a retail xbox360. A different key is used to sign xex files in order to allow them to boot on a development xbox360 (aka devkit).

:: Usage -l -p -b -i -d -o -a -u -s = print extended info list about xex file <xexp filename> = patch xex with xexp <base filename> = dump basefile from xex <idc filename> = dump basefile info to idc file <res. dirname> = dump all resources to a dir (can be '.') <xex filename> = output altered xex to a new file <bounding path> = add bounding path to xex location = fix patch updated xex to not require separate patch file = do special xex specific patches (0/1/2/4/8/10/.../80000000) bitflags are used to select one or more patches at a time 0 = list all patches for an xex -1 = do all possible patches 1 = patch #1 2 = patch #2 4 = patch #3 (yes #3, not 4, because its a bitflag) = remove xex limitations (a/m/r/b/d/i/y/v/k/l/c/z) a = remove all limits (same as "mrbdiyvklcz") m = remove media limits (all media) r = remove region limits (all regions) b = remove bounding pathname d = remove bounding device id i = remove console id restriction y = remove dates restriction v = remove keyvault privileges restriction k = remove signed keyvault only limitation l = remove minimum library version limitations c = remove required revocation check z = zero the media id = force output xex machine format (d/r) (0=d, 1=r) d = force output xex to be devkit r = force output xex to be retail = force output xex compression format (u/c/b) (0=u, 1=c) u = force output xex to be uncompressed (no zeroed data) c = force output xex to be compressed b = force output xex to be binary (has zeroed data) = force output xex encryption format (u/e) (0=u, 1=e) u = force output xex to be uncrypted e = force output xex to be encrypted = xml output options (a/b/d/i/m/n/p/r/t/x) a = extract everything b = extract basefile type (ie dll, exe, patch, other) d = extract media id i = extract game icon m = extract game supported medias n = extract game name p = extract bounding path r = extract game supported regions t = extract title id x = extract xex machine format (retail or devkit xbox360)


-m -c

-e -x

If "-o" is not used, the original xex file will be altered. Multiple options can be given at once, eg: "-m d -r mrl". If no options are given, a shortened xex info list will be printed. * * * * Media limits limit what media the xex can be booted from. Region limits limit what console regions an xex can be booted on. Bounding pathname limits a xex to being executed from a specified path only. Signed keyvault limits an xex to running from an xbox360 which has a signed ke

yvault. * Minimum library versions require system dlls to be of a specified version of higher. The usual imports are from xboxkrnl.exe and xam.exe. * Required revocation check requires the xex to be checked against a list of revocated xexs before allowing it to boot. * A media id can be used to block an xex from running if it matches known "banned" media ids. This is the case for xexs from the famous "kiosk disc". * Xml output enables usage of XexTool inside other programs

:: Usage Examples * Print basic info about an xex file to console: xextool default.xex * Print extended info about an xex file to console: xextool -l default.xex * Extract the executable basefile from default.xex into default.exe: xextool -b default.exe default.xex * Extract the executable file and create an idc script file from default.xex: xextool -b default.exe -i default.idc default.xex * Convert a retail xex into a development xex: xextool -m d default.xex * Convert a retail xex into a seperate development xex: xextool -m d -o devkit.xex retail.xex * Remove all region and media limits from an xex: xextool -r mr default.xex * Remove all limits and convert a retail xex into a devkit xex: xextool -r a -m d default.xex * Convert an xex into an unencrypted binary format: xextool -e u -c b -o default-binary.xex default.xex * Convert unencrypted binary xex back into an encrypted compressed xex: xextool -e e -c c -o default.xex default-binary.xex

:: Specifics This tool enables you to do many things with an xex file if you understand how to do so. Some usage examples are given above, but here is some more detailed information on a few specific cases.

How to make a retail xexs work on a development xbox360 This is quite easy with this tool, just do the following: xextool -r a -m d default.xex

Not only will the xex work on a devkit, it will also now work from any media and run region independently.

How to patch an xex file with an xexp patch file. Updates to games and system files are provided over xbox live in the form of patch files. These updates are stored inside package files in the Cache folder on you hard drive. A system update usually has "SU" as part of the filename, and a title update (game update) usually has a "TU" as part of the filename. Note: As of around November 2010 it seems that games are storing their updates on the internal hdd in the folder "Content\0000000000000000\xxxxxxxx\000B0000\". A patch file will only work when used with an untouched version of the original xex file it was created for. When you have the original xex file and the patch file you want to use with it, do the following to create the updated xex: xextool -u -p patch.xexp -o output.xex input.xex Note: A retail xex requires a retail patch file, a devkit xex requires a devkit patch file. If an xex has been converted from a retail to a devkit xex, you need to use the retail patch file with the original retail xex, then convert the resultant xex file into a devkit xex file.

How to reverse engineer and alter the code in an xex file. Note: While the following still works, it has been superceeded by the separate Xex IDA Loader which will load the xex file directly into IDA. First extract the executable base file and idc script file as follows: xextool -b default.exe -i default.idc default.xex Xextool will tell you how to load the file into ida. If you don't have ida, then load it into the disassembler you are using with the same parameters. An example of the load info xextool gives you is as follows: Load basefile into IDA with the following details DO NOT load as a PE or EXE file as the format is not valid File Type: Binary file Processor Type: PowerPC: ppc Load Address: 0x92000000 Entry Point: 0x9201DD38 Note: even though this file seems to be a normal exe or dll file it is not! You MUST load this file as a binary file, not a pe, exe or dll. Once the file has been loaded into ida, run the idc script file. It will expect the "x360_imports.idc" file included with xextool to be in your "ida/idc" directory. Once you have found any areas you want to change or patch, make these changes to the exe basefile you extracted above (default.exe). Now you need to insert the basefile (default.exe) back into your xex file. So do the following to get a fully decrypted and decompressed xex: xextool -e u -c b -o default-hack.xex default.xex

Now open default-hack.xex in a hex editor and find where the basefile starts. You can search for the "MZ" present in the exe header to find this. (Often its around the 0x2000 byte offset mark.) Now copy the contents of default.exe into default-hack.xex over the top of the basefile that is inside default.xex. It should exactly fill the rest of the default-hack.xex file from where you start inserting default.exe. Now do: xextool -o default-done.xex default-hack The default-done.xex file will now be resigned and ready to use, unless its retail in which case it won't get resigned correctly. When creating the default-done.xex file you can also specify encryption and compression options for the output file if you wish.

:: History v6.3 * fixed an issue where some xex files would not boot such as kinect xex files. * changed the special patching to list and let you select which patches to apply. patches are done via bitflags so that multiple patches can be selected in one go. * changed the internal search and patch data for special patching of xam and xbdm to support all known versions of these files. v6.1 * changed update patching to patch multiple device strings as well as supporting unicode patching. * updated IDC creation to produce similar results as when using the xex loaders for IDA. * updated the IDC creation to check if the file was loaded as a ppc bina ry and to stop and warn the user if not. v6.0 * finally fixed the patching ability where the target file is smaller th an the source file. hopefully it is fixed properly :) * fixed handling of bitfields in version structs (only affected big endi an systems) + added support for natal/kinect related flags + added support for xex date restrictions + added support for xex console id restrictions + added support for xex device id restrictions + added support for xex keyvault privileges restrictions

+ added support for extra debug memory entry + added support for a few new xex flags and system partitions v5.5 * i forget what changes were made... :P v5.4 + added the ability to alter a patched xex file to use files from it's g ame directory rather than requiring them to be inside a patch package file . + added special xex specific patches for use on certain xex files * finally fixed the compression problem that has existed since the first release of this tool. (this only affected a very small number of xex f iles) v5.3 + added xml output to stdout to make using XexTool from inside other programs easier + added the ability to add a "bounding path" to an xex v5.2 * fixed and updated the idc file creation v5.1 * fixed struct changes that caused invalid library imports v5.0 + added patching ability, lets you do: source.xex + patch.xexp = target. xex + added the ability to dump resources from an xex file + added "exports" and "exports by name" to idc file creation + added "sections" and "resources" to idc file creation * fixed handling of unknown image entries * fixed dumping of unknown basefiles * fixed handling of dlls with no execution entrypoint v4.3 + added support for loading/saving register blocks to idc creation + added support for a few new xex flags, eg ramdrive and iptv stuff + added support for encrypting/decrypting retail "manufacturing" xexs * fixed a memory leak that occurred while encrypting/decrypting xexs * fixed delta compression problem that occurred when a block size was the same size as the maximum allowed block size

v4.2 + added remove required revocation check option * fixed delta compression problem where it was possible for the last blo ck to be oversized v4.1 * fixed checking of revocation flag when selecting signature salt v4.0 + official release that supports retail xexs * fixed raw compression problem where it was possible for the last block to be left off no log was kept of earlier history - but there were lots of addition and fixes : ) + = added feature - = removed feature * = fixed or changed feature

:: Greets xor37h, for his initial version of xextool that started me working on this one and gave me the first hints into the structure and layout of the xex file format. tmbinc for also providing info that helped me get started and all the others who tested, reported bugs, gave encouragement and provided info to further improve this tool.