Add Support For Non-Standard Windows Based Executables.
mariaWitch opened this issue · 6 comments
Currently, OOAnalyzer only supports Standard Windows Based Executables, however, there exists a subset of executables that were created for a Windows Based Environment, but cannot be analyzed by OOAnalyzer, even though they should meet the specifications for receiving support. I am specifically referring to .XBE files, developed by Microsoft for the Original Xbox. As the Original Xbox runs a modified version of the Windows NT Kernel, these are true Windows Binaries that were compiled with VS C++, and should be supported for those that are doing Investigative work into Applications on these systems.
However, given that the error given when trying to analyze one of these files is coming from ROSE, I'm not sure how much could be done to support this. Additionally, from what I can tell, even if I was to take this Upstream and have it fixed in ROSE, it most certainly won't make it back due to the current incompatibility issues between Pharos and ROSE at the moment.
Therefore, if the maintainers could look into potentially adding in hardcoded support for this Windows Based Executable format, that would be immensely helpful. There are some example xbe executables located here: https://github.com/rizinorg/rizin-testbins/tree/master/xbe
Additionally, there are other XBE loading tools that have been created for Ghidra, that could be used for reference, here: https://github.com/mborgerson/ghidra-xbe
I understand that this is most likely out of scope for this project, but given that there are almost no other tools like OOAnalyzer available, I hope that perhaps support could be added.
I'm not shocked that ROSE was unable to load the XBE files. Nor do I have any easy suggestions for adding XBE support. My suggestion is to fake up a PE header and repackage the XBE executable as a PE executable. I'm not familiar enough with the XBE file format to know what's really involved, but one presumes that it contains memory segments with base addresses, permissions, and so forth. You won't need for it to be a very sophisticated fake, and it certainly doesn't have to execute or anything like that. ;-) Simply getting it into the right file format and mapping the segments to the right addresses should be sufficient. I'd probably use pefile to help build the modified executable. Is there any Python code for reading the XBE format? Setting the correct permissions on the executable segment will be helpful for restricting code analysis to the correct segment, but you can also specify --mark-executable to work around needing correct permissions. If you set the "entry point" correctly, that will automatically mark that segment as executable for code discovery. The data segment is not as critical, but there is some detection around global variables, but you should get most of the analysis from just mapping the code segment.
Good luck!
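The repackaging step suggested above, written out as an added example (this is not code from the thread, from Pharos, or from any XBE parser): it takes the segments an XBE parser would hand over (name, base address, bytes, permissions) and writes them into a minimal PE32 image with correct section RVAs, section permissions and entry point, building the headers directly with struct rather than with pefile. The image base, segment addresses and segment contents are constructed for the example, not taken from a real XBE.

```python
import struct

# Wraps raw memory segments (as a separate XBE parser would hand them over) into a
# minimal PE32 image so a PE-only loader can map them. Constructed example; the
# image base, segment addresses and bytes below are made up.
SCN_CODE, SCN_IDATA = 0x00000020, 0x00000040
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
SECT_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes

def _align(n, a):
    return (n + a - 1) // a * a

def build_pe32(image_base, entry_va, segments):
    """segments: list of (name, virtual_addr, data, executable, writable)."""
    segments = sorted(segments, key=lambda s: s[1])
    hdr_len = _align(0x40 + 4 + 20 + 224 + 40 * len(segments), FILE_ALIGN)
    sect_hdrs, blobs, raw_off = b"", b"", hdr_len
    for name, va, data, ex, wr in segments:
        raw_size = _align(len(data), FILE_ALIGN)
        flags = SCN_READ | (SCN_CODE | SCN_EXEC if ex else SCN_IDATA) | (SCN_WRITE if wr else 0)
        sect_hdrs += struct.pack(SECT_FMT, name.encode()[:8], len(data), va - image_base,
                                 raw_size, raw_off, 0, 0, 0, 0, flags)
        blobs += data.ljust(raw_size, b"\0")
        raw_off += raw_size
    size_of_image = _align(segments[-1][1] - image_base + len(segments[-1][2]), SECT_ALIGN)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)   # e_lfanew -> PE sig at 0x40
    # IMAGE_FILE_HEADER: i386, n sections, 224-byte optional header, EXECUTABLE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, len(segments), 0, 0, 0, 224, 0x0102)
    # IMAGE_OPTIONAL_HEADER32 (96 bytes: entry RVA, image base, alignments, sizes,
    # GUI subsystem, stack/heap) followed by 16 empty data directories
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 0, 0, 0, 0, 0,
                      entry_va - image_base, 0, 0, image_base, SECT_ALIGN, FILE_ALIGN,
                      4, 0, 0, 0, 4, 0, 0, size_of_image, hdr_len, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    return (dos + b"PE\0\0" + coff + opt + sect_hdrs).ljust(hdr_len, b"\0") + blobs

def read_sections(pe):
    """Parse the section table back out: [(name, rva, raw_off, raw_size, flags)]."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    nsec, opt_len = struct.unpack_from("<H", pe, pe_off + 6)[0], struct.unpack_from("<H", pe, pe_off + 20)[0]
    out = []
    for i in range(nsec):
        name, _vs, rva, rsz, roff, *_rest, flags = struct.unpack_from(SECT_FMT, pe, pe_off + 24 + opt_len + 40 * i)
        out.append((name.rstrip(b"\0").decode(), rva, roff, rsz, flags))
    return out

# Constructed sample: a code segment holding a tiny x86 stub and a writable data segment.
SAMPLE = [(".text", 0x11000, b"\x55\x8b\xec\x33\xc0\x5d\xc3", True, False),
          (".data", 0x12000, b"hello\0", False, True)]
PE = build_pe32(0x10000, 0x11000, SAMPLE)
```

Writing PE to disk gives a file that a PE loader maps with .text at 0x11000 marked executable and the entry point pointing into it, which is all the analysis needs; nothing here makes the image actually runnable.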
I don't believe there is a python implementation, however, there is pretty extensive documentation of the structure, and a Rust Parser that you could look at.
The rust parser is here: https://github.com/jonas-schievink/xbe and the information that it is based on is here: http://www.caustik.com/cxbx/download/xbe.htm
@sei-ccohen Actually, I misspoke earlier. There is in fact a python parser for XBE files that you should be able to find here: https://github.com/mborgerson/pyxbe
We're not able to prioritize adding XBE support to Pharos or ROSE at this time, so if you want to be able to analyze your executable, you'll need to cobble together a script to convert the XBE executable to a PE executable.
Also, to be clear, OOAnalyzer only supports 32-bit executables at the present time, and I strongly suspect that your XBE file is likely to be 64-bit. There are substantial differences between the 32-bit and 64-bit ABIs that make 64-bit support non-trivial.
The original Xbox ran on a custom Intel Pentium III Coppermine-based processor so it's full x86, so it should be fine. And like I said before, the Original Xbox did run a modified version of the Windows NT Kernel (It's based on Windows 2000) so I'm fully expecting that if the Header was fuzzed, that it should work.
Sorry I missed the "original" part. Yeah, you should be in good shape then if you can format the executable as a PE file. Let me know if you get any strange errors from ROSE/Pharos about the modified PE file. I may be able to figure out what's wrong more easily since I have some experience with the PE code and Pharos.