Copy Link
Add to Bookmark
Report

XBE File Format

xbox's profile picture
Published in 
xbox
 · 10 months ago

written by Robin Hood, 5 May 2002

!!IMPORTANT!!! READ THIS FIRST: This document is for educational purpose only. In no event author of this document will be liable for any damage arising out of the use of any information on this document. You assume total legal responsibility and risk for use of any information on this document. If you don’t agree on these terms you must stop reading and discard this document immediately.

Image Header Structure, size=178h
OffsetTypeDescription
0 DWORD Magic Number 48454258h – Represents string XBEH
4 BYTE[265] Digital Signature – I am not very sure, but seems like a message digest of the image headers
encrypted with RSA 1024 bit private key.
104 DWORD base address for XBE image (Usually 10000h)
108 DWORD size of headers
10C DWORD size of image
110 DWORD size of image header (Usually 178h)
114 DWORD time date stamp
118 POINTER certificate address (see Certificate below)
11C DWORD number of sections
120 POINTER section headers address (see Section Header Structure below)
124 DWORD initialization flags:
bit 0 - Mount utility drive
bit 1 - Format utility drive
bit 2 - Limit development kit runtime memory to 64MB
bit 3 - Don't setup hard disk
128 POINTER entry point address XOR PUBKEY[80h] XOR PUBKEY[90h]
12C POINTER thread local storage directory address (see Thread Local Storage Directory Structure below)
130 DWORD size of stack commit (PE copy)
134 DWORD size of heap reserve (PE copy)
138 DWORD size of heap commit (PE copy)
13C POINTER original base address (PE copy)
140 DWORD original size of image (PE copy)
144 DWORD original checksum (PE copy)
148 DWORD original time date stamp (PE copy)
14C char* debug path name address
150 char* debug file name address
154 BSTR* debug Unicode file name address
158 POINTER kernel image thunk address XOR PUBKEY[84h] XOR PUBKEY[88h]
15C POINTER non-kernel import directory address
160 DWORD number of library versions
164 POINTER library versions address (see Library Version Structure below)
168 POINTER kernel library version address
16C POINTER XAPI library version address
170 POINTER logo bitmap address
174 DWORD logo bitmap size

Comments: Entry point and kernel thunk addresses are XORed with two DWORDs taken from RSA1 public key.

These are the values taken from imagebld.exe:

  • PUBKEY[80h] = 1B103FE6h, PUBKEY[90h] = 8F95A2ADh
  • PUBKEY[84h] = 14A34FA8h, PUBKEY[88h] = FB12BEFAh

Certificate Structure, size=1D0h
OffsetTypeDescription
0 DWORD Size of certificate
4 DWORD Time date stamp
8 DWORD Title id
0C WCHAR[40] Title name – Unicode String
5C Title alternate title id (1) These IDs are terminated by 0.
60 Title alternate title id (2)
-//- -//- -//-
94 Title alternate title id (16)
9C DWORD Allowed media types
A0 DWORD Game region
A4 DWORD Game ratings
A8 DWORD Disk number
AC DWORD Version
B0 BYTE[16] LAN Key
C0 BYTE[16] Signature Key
D0 BYTE[16] Title alternate Signature Key (1)
E0 BYTE[16] Title alternate Signature Key (2)
-//- -//- -//-
1C0 BYTE[16] Title alternate Signature Key (16)

Section Header Structure – size 38h
OffsetTypeDescription
0 DWORD Flags
Bit 0 - Writeable
Bit 1 - Preload
Bit 2 - Executable
Bit 3 - Inserted file
Bit 4 - Head page read-only
Bit 5 - Tail page read-only
4 DWORD Virtual address
8 DWORD Virtual size
C DWORD File pointer to raw data
10 DWORD Size of raw data
14 BYTE[8] Section Name (Zero terminated string)
1C DWORD Head shared page reference count address
20 DWORD Tail shared page reference count address
24-37 ??? Unknown
... ... ...

Thread Local Storage Directory Structure, size=18h
OffsetTypeDescription
0 POINTER raw data start address
4 POINTER raw data end address
8 POINTER TLS index address
C POINTER TLS callbacks address
10 DWORD size of zero fill
14 BYTE[8] Characteristics

Library Version Structure, size=10h
OffsetTypeDescription
0 BYTE[8] Library Name
8 WORD Major Version
A WORD Middle Version
C WORD Minor Version
E WORD Flags
Bits: ZZZ????? D???????
ZZZ=0 unapproved
ZZZ=1 possibly approved
ZZZ=2 approved
D = Debug version of library

Versions Below 1.0.3911 are always unapproved.

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT