th0mas
« Reply #40 on: December 01, 2005, 01:17:33 PM »
hrm.. if it's not a sig, then there doesn't appear to be a signed sig in the file (unless it's just the start or end of the data at 0x2000). Which is unlikely. Unless I'm just not seeing it. Anyways this is still conjecture and shouldn't really be the focus just yet 
oskie
Newbie

Posts: 6
« Reply #41 on: December 01, 2005, 02:07:55 PM »
I'm starting to think that the table that you, th0mas, found at 0x000108-0x00070b must contain the signatures... The original xbox had 1+16 signature keys (main + alternate). Here we have 47 plus one, filled with zeroes. I think that the 48th key, which is all zero, could be the LAN key (also used by the original xbox, and mentioned in the dump posted by SiliconIce). My guess is that the dword that precedes the 20-byte key specifies what the key is for. If that is true, we would have the following specifier dwords:
35 * 0x00000103
9 * 0x00000101
1 * 0x00000041
1 * 0x00000072
2 * 0x00000053
Oskar
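
One way to test the guess in the post above (a specifier dword ahead of each 20-byte key) against a dump, as an added example that is not part of any post in the thread. The 24-byte record stride, the big-endian byte order, the function names and the sample bytes are assumptions or constructed; the thread states none of them.

```python
import struct
from collections import Counter

KEY_LEN = 20  # key size given in the post

def parse_key_table(blob, offset, count, stride=4 + KEY_LEN, byteorder=">"):
    """Return [(specifier, key)] for `count` records starting at `offset`.

    stride and byteorder are assumptions; the thread states neither.
    """
    if stride < 4 + KEY_LEN:
        raise ValueError("stride too small for a dword plus a 20-byte key")
    if offset < 0 or offset + count * stride > len(blob):
        raise ValueError("table runs past the end of the data")
    records = []
    for i in range(count):
        base = offset + i * stride
        (spec,) = struct.unpack_from(byteorder + "I", blob, base)
        records.append((spec, blob[base + 4:base + 4 + KEY_LEN]))
    return records

def summarize(records):
    """Count records per specifier and list indexes whose key is all zero."""
    tally = Counter(spec for spec, _ in records)
    zero_keys = [i for i, (_, key) in enumerate(records) if not any(key)]
    return tally, zero_keys

def build_sample():
    """Constructed data: 0x108 padding bytes, then five made-up records."""
    specs = [0x103, 0x103, 0x101, 0x41, 0x72]
    body = b""
    for i, spec in enumerate(specs):
        last = i == len(specs) - 1
        key = bytes(KEY_LEN) if last else bytes([i + 1]) * KEY_LEN
        body += struct.pack(">I", spec) + key
    return bytes(0x108) + body, len(specs)

if __name__ == "__main__":
    blob, count = build_sample()
    tally, zero_keys = summarize(parse_key_table(blob, 0x108, count))
    for spec, n in tally.most_common():
        print(f"{n:3d} * 0x{spec:08x}")
    print("all-zero keys at record indexes:", zero_keys)
```

If the tally over a real file does not come out as a handful of repeated specifier values, the assumed stride or byte order is wrong, or the table does not have this layout.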
th0mas
« Reply #42 on: December 01, 2005, 05:31:24 PM »
The sig keys you speak of in the original xbe were for syslink and live encryption. There would be no need for 47 of them.
Also, this table is not in all XEX's it seems. Or at least, not a 48 entry table. It seems to be related to the size of the encrypted data in the XEX instead.
xbox7887
Newbie

Posts: 5
« Reply #43 on: December 05, 2005, 02:44:24 PM »
Has anyone tried disassembling the .xex to see what they can come up with?
« Last Edit: December 05, 2005, 05:43:44 PM by xbox7887 »

pablot
« Reply #44 on: December 05, 2005, 03:32:06 PM »
Did you disassemble that using the correct architecture? Otherwise it's pretty much bogus..
EDIT: hmm.. missed that whole thing about the comments.. where did you get those from?
« Last Edit: December 05, 2005, 03:47:16 PM by pablot »
Pleased to meet ya!

xbox7887
Newbie

Posts: 5
« Reply #45 on: December 05, 2005, 04:32:38 PM »
Heh, mistakes happen ;p
« Last Edit: December 05, 2005, 05:43:24 PM by xbox7887 »

pablot
« Reply #46 on: December 05, 2005, 05:31:09 PM »
What I am confused about is: Why would the compiler leave comments in the machine code? Isn't that just something that the disassembler comes up with?
xbox7887
Newbie

Posts: 5
« Reply #47 on: December 05, 2005, 05:41:33 PM »
lol yes I did a hex search for some of the comments in the disassembler I'm using and they were all in the ida.int file...sorry to get your hopes up, all of that is almost certainly bogus commenting. I'll edit my posts to avoid confusion.
« Last Edit: December 05, 2005, 05:44:05 PM by xbox7887 »

th0mas
« Reply #48 on: December 06, 2005, 12:47:23 AM »
Yeah. The assembly is bogus too.. it's just interpreting the bytes, it doesn't mean that you've got meaning.
xbox7887
Newbie

Posts: 5
« Reply #49 on: December 06, 2005, 09:08:32 AM »
Well that's not necessarily true, if it was disassembled correctly you would be able to see many different things...maybe even hook to code of your own to load 
th0mas
« Reply #50 on: December 06, 2005, 11:34:02 AM »
Quote from xbox7887: "Well that's not necessarily true, if it was disassembled correctly you would be able to see many different things...maybe even hook to code of your own to load"
The assembly is bogus. You were attempting to read it as x86 opcodes (hence the "286" references, the int xxh calls & associated comments, etc). The actual image at 0x2000 is encrypted/compressed (now looking more likely encrypted). The actual assembly is in a PPC format. Anyways, the news on the frontpage right now jives more with the concept that XEX files are containers. That's by guessing the meaning of functions such as XexpLoadFile and XexpCompleteImageLoad.
xbox7887
Newbie

Posts: 5
« Reply #51 on: December 06, 2005, 12:59:23 PM »
Yeah, there's no way in hell to disassemble a decrypted archive file ;x. The info in the front page is very interesting, hopefully some more will be figured out.