This tool is for research purposes only.

It must not be used for commercial/illegal/pirate uses.

THIS WILL NOT MAGICALLY ALLOW YOU PLAY COPIED GAMES.
XexTool - xorloser
This tool is for research purposes only.
It must not be used for commercial/illegal/pirate uses.
THIS W
:: OverviewILL NOT MAGICALLY ALLOW YOU PLAY COPIED GAMES.

:: Overview
This is a tool to extract information on an xex file. It will print out
xex information to the console, alter xex attributes, extract executable code
and other basefiles and create idc scripts files to help with disassembling
the extracted executable code.
Note: Any altered or created retail xex files will not be correctly signed.

:: Install
If you wish to run xextool from anywhere, copy the xextool.exe file to
a location in your path that is used for exe files. If you are not sure
you can check the %PATH% environment variable (type "echo %PATH%" from
the command line) or just copy it into your windows directory.
If you use the "Create IDC" feature of xex tool then you his tool is for researc
h purposes only.
It must not be used for commercial/illegal/pirate uses.
THIS WILL NOT MAGICALLY ALLOW YOU PLAY COPIED GAMES.
XexTool - xorloser
This tool is for research purposes only.
It must not be used for commercial/illegal/pirate uses.
THIS Wneed to copy
x360_imports.idc into your "IDA\idc" directory so that it will be found
by any IDC script that you run.

:: Xex Format Basics

An xex file consists of a basefile that the xex is built around and headers
which contain various attributes to be used with the basefile.

Usually the basefile is an executable file, however it can also be data file,
as seen with ximedic.xex from the xbox360 flash. When the basefile is an
executable file it is either an exe or dll, however it is not stored in its
normal exe or dll format but instead as a binary file.
Some of the xex header attributes are required, and others are optional. Some
of these attributes are things such as the regions the xex is made for and the
media the xex is allowed to boot from.
The basefile can be optionally encrypted using aes encryption. All contents
of the basefile are hashed and then rsa signed. Microsoft is the only one with
access to the private key required to sign xexs in order to allow them to boot
on a retail xbox360. A different key is used to sign xex files in order to
allow them to boot on a development xbox360 (aka devkit).

:: Usage
-l
-p
-b
-i
-d
-o
-a
-u
-s

-r

-m
-c

-e
-x

= print extended info list about xex file

<xexp filename> = patch xex with xexp
<base filename> = dump basefile from xex
<idc filename> = dump basefile info to idc file
<res. dirname> = dump all resources to a dir (can be '.')
<xex filename> = output altered xex to a new file
<bounding path> = add bounding path to xex location
= fix patch updated xex to not require separate patch file
= do special xex specific patches (0/1/2/4/8/10/.../80000000)
bitflags are used to select one or more patches at a time
0 = list all patches for an xex
-1 = do all possible patches
1 = patch #1
2 = patch #2
4 = patch #3 (yes #3, not 4, because its a bitflag)
= remove xex limitations (a/m/r/b/d/i/y/v/k/l/c/z)
a = remove all limits (same as "mrbdiyvklcz")
m = remove media limits (all media)
r = remove region limits (all regions)
b = remove bounding pathname
d = remove bounding device id
i = remove console id restriction
y = remove dates restriction
v = remove keyvault privileges restriction
k = remove signed keyvault only limitation
l = remove minimum library version limitations
c = remove required revocation check
z = zero the media id
= force output xex machine format (d/r) (0=d, 1=r)
d = force output xex to be devkit
r = force output xex to be retail
= force output xex compression format (u/c/b) (0=u, 1=c)
u = force output xex to be uncompressed (no zeroed data)
c = force output xex to be compressed
b = force output xex to be binary (has zeroed data)
= force output xex encryption format (u/e) (0=u, 1=e)
u = force output xex to be uncrypted
e = force output xex to be encrypted
= xml output options (a/b/d/i/m/n/p/r/t/x)
a = extract everything

b
d
i
m
n
p
r
t
x

=
=
=
=
=
=
=
=
=

extract
extract
extract
extract
extract
extract
extract
extract
extract

basefile type (ie dll, exe, patch, other)

media id
game icon
game supported medias
game name
bounding path
game supported regions
title id
xex machine format (retail or devkit xbox360)

If "-o" is not used, the original xex file will be altered.

Multiple options can be given at once, eg: "-m d -r mrl".
If no options are given, a shortened xex info list will be printed.
* Media limits limit what media the xex can be booted from.
* Region limits limit what console regions an xex can be booted on.
* Bounding pathname limits a xex to being executed from a specified path only.
* Signed keyvault limits an xex to running from an xbox360 which has a signed ke
yvault.
* Minimum library versions require system dlls to be of a specified
version of higher. The usual imports are from xboxkrnl.exe and xam.exe.
* Required revocation check requires the xex to be checked against
a list of revocated xexs before allowing it to boot.
* A media id can be used to block an xex from running if it matches known
"banned" media ids. This is the case for xexs from the famous "kiosk disc".
* Xml output enables usage of XexTool inside other programs

:: Usage Examples
* Print basic info about an xex file to console:
xextool default.xex
* Print extended info about an xex file to console:
xextool -l default.xex
* Extract the executable basefile from default.xex into default.exe:
xextool -b default.exe default.xex
* Extract the executable file and create an idc script file from default.xex:
xextool -b default.exe -i default.idc default.xex
* Convert a retail xex into a development xex:
xextool -m d default.xex
* Convert a retail xex into a seperate development xex:
xextool -m d -o devkit.xex retail.xex
* Remove all region and media limits from an xex:
xextool -r mr default.xex
* Remove all limits and convert a retail xex into a devkit xex:
xextool -r a -m d default.xex
* Convert an xex into an unencrypted binary format:
xextool -e u -c b -o default-binary.xex default.xex
* Convert unencrypted binary xex back into an encrypted compressed xex:

xextool -e e -c c -o default.xex default-binary.xex

:: Specifics
This tool enables you to do many things with an xex file if you understand
how to do so. Some usage examples are given above, but here is some more
detailed information on a few specific cases.

How to make a retail xexs work on a development xbox360

This is quite easy with this tool, just do the following:
xextool -r a -m d default.xex
Not only will the xex work on a devkit, it will also now work from any media
and run region independently.

How to patch an xex file with an xexp patch file.

Updates to games and system files are provided over xbox live in the form of
patch files. These updates are stored inside package files in the Cache folder
on you hard drive. A system update usually has "SU" as part of the filename,
and a title update (game update) usually has a "TU" as part of the filename.
Note: As of around November 2010 it seems that games are storing their updates
on the internal hdd in the folder "Content\0000000000000000\xxxxxxxx\000B0000\".
A patch file will only work when used with an untouched version of the original
xex file it was created for. When you have the original xex file and the patch
file you want to use with it, do the following to create the updated xex:
xextool -u -p patch.xexp -o output.xex input.xex
Note: A retail xex requires a retail patch file, a devkit xex requires a devkit
patch file. If an xex has been converted from a retail to a devkit xex, you need
to use the retail patch file with the original retail xex, then convert the
resultant xex file into a devkit xex file.

How to reverse engineer and alter the code in an xex file.

Note: While the following still works, it has been superceeded by the separate
Xex IDA Loader which will load the xex file directly into IDA.
First extract the executable base file and idc script file as follows:
xextool -b default.exe -i default.idc default.xex
Xextool will tell you how to load the file into ida. If you don't have ida,
then load it into the disassembler you are using with the same parameters.
An example of the load info xextool gives you is as follows:
Load basefile into IDA with the following details
DO NOT load as a PE or EXE file as the format is not valid
File Type:
Binary file

Processor Type: PowerPC: ppc

Load Address:
0x92000000
Entry Point:
0x9201DD38
Note: even though this file seems to be a normal exe or dll file it is not!
You MUST load this file as a binary file, not a pe, exe or dll.
Once the file has been loaded into ida, run the idc script file. It will
expect the "x360_imports.idc" file included with xextool to be in your
"ida/idc" directory.
Once you have found any areas you want to change or patch, make these
changes to the exe basefile you extracted above (default.exe).
Now you need to insert the basefile (default.exe) back into your xex file.
So do the following to get a fully decrypted and decompressed xex:
xextool -e u -c b -o default-hack.xex default.xex
Now open default-hack.xex in a hex editor and find where the basefile starts.
You can search for the "MZ" present in the exe header to find this.
(Often its around the 0x2000 byte offset mark.)
Now copy the contents of default.exe into default-hack.xex over the top of
the basefile that is inside default.xex. It should exactly fill the rest of
the default-hack.xex file from where you start inserting default.exe.
Now do:
xextool -o default-done.xex default-hack
The default-done.xex file will now be resigned and ready to use, unless its
retail in which case it won't get resigned correctly. When creating the
default-done.xex file you can also specify encryption and compression options
for the output file if you wish.

:: History
v6.3
* fixed an issue where some xex files would not boot such as kinect xex
files.
* changed the special patching to list and let you select which patches
to apply.
patches are done via bitflags so that multiple patches can be selected
in one go.
* changed the internal search and patch data for special patching of xam
and xbdm
to support all known versions of these files.
v6.1
* changed update patching to patch multiple device strings as well
as supporting unicode patching.
* updated IDC creation to produce similar results as when using the
xex loaders for IDA.
* updated the IDC creation to check if the file was loaded as a ppc bina
ry
and to stop and warn the user if not.

v6.0
* finally fixed the patching ability where the target file is smaller th
an
the source file. hopefully it is fixed properly :)
* fixed handling of bitfields in version structs (only affected big endi
an systems)
+ added support for natal/kinect related flags
+ added support for xex date restrictions
+ added support for xex console id restrictions
+ added support for xex device id restrictions
+ added support for xex keyvault privileges restrictions
+ added support for extra debug memory entry
+ added support for a few new xex flags and system partitions
v5.5
* i forget what changes were made... :P
v5.4
+ added the ability to alter a patched xex file to use files from it's g
ame
directory rather than requiring them to be inside a patch package file
.
+ added special xex specific patches for use on certain xex files
* finally fixed the compression problem that has existed since the first
release of this tool. (this only affected a very small number of xex f
iles)
v5.3
+ added xml output to stdout to make using XexTool from inside other
programs easier
+ added the ability to add a "bounding path" to an xex
v5.2
* fixed and updated the idc file creation
v5.1
* fixed struct changes that caused invalid library imports
v5.0
+ added patching ability, lets you do: source.xex + patch.xexp = target.
xex
+ added the ability to dump resources from an xex file
+ added "exports" and "exports by name" to idc file creation
+ added "sections" and "resources" to idc file creation

* fixed handling of unknown image entries

* fixed dumping of unknown basefiles
* fixed handling of dlls with no execution entrypoint
v4.3
+ added support for loading/saving register blocks to idc creation
+ added support for a few new xex flags, eg ramdrive and iptv stuff
+ added support for encrypting/decrypting retail "manufacturing" xexs
* fixed a memory leak that occurred while encrypting/decrypting xexs
* fixed delta compression problem that occurred when a block size was
the same size as the maximum allowed block size
v4.2
+ added remove required revocation check option
* fixed delta compression problem where it was possible for the last blo
ck
to be oversized
v4.1
* fixed checking of revocation flag when selecting signature salt
v4.0
+ official release that supports retail xexs
* fixed raw compression problem where it was possible for the last block
to
be left off
no log was kept of earlier history - but there were lots of addition and fixes :
)
+ = added feature
- = removed feature
* = fixed or changed feature

:: Greets
xor37h, for his initial version of xextool that started me working on this one
and gave me the first hints into the structure and layout of the xex file
format. tmbinc for also providing info that helped me get started and all the
others who tested, reported bugs, gave encouragement and provided info to
further improve this tool.
www.xorloser.com