Microsoft thinks their WindowsApps folder is a fortress, especially since DayZ hit Game Pass with crossplay. If you try to touch DayZ_x64.exe in the Xbox install directory, you'll get hit with package ACLs—no copying, no opening in IDA, nothing. Even if you snag the file, it's encrypted on disk.
Here is the workflow I used to crack it open and pull the data you actually need for an internal or external.
Bypassing NTFS ACLs (The Disk Grab)
Game Pass titles are locked behind the WindowsApps package system. The simplest way to bypass these permissions without fighting the OS is Safe Mode.
- Win+R —> msconfig —> Boot —> Safe boot —> Reboot.
- Navigate to the install dir (usually C:\XboxGames\DayZ\Content\ or C:\Program Files\WindowsApps\).
- Copy DayZ_x64.exe to a personal folder.
- Reboot to normal mode.
The Runtime Kernel Dump
Xbox decrypts binary pages into memory as the process runs. To get a clean image, you have to dump it while it's live. You'll need a kernel driver for this to avoid AC interference and handle the page reads.
- Attach your driver to DayZ_x64.exe.
- Read the image in 4KB chunks starting from the module base.
- If a page fails, skip it and retry—this happens because some pages aren't decrypted until they are called.
- Walk around in-game. This forces the engine to page in the .text section and decrypt it.
- Once you have around 30% coverage (usually enough for the code section), hit your stop hotkey and write the buffer to disk.
- Fix the PE section headers so IDA doesn't have a stroke.
IDA Post-Processing & Rebasing
When you load the dump, it will be at some random ASLR address (e.g., 0x7FF6...). To make your life easier and match the offsets shared by the community, rebase it.
Edit —> Segments —> Rebase program —> 0x140000000
Now your RVAs are consistent.
Code:
RVA = IDA_address - 0x140000000
Technical Meat: Xbox vs Steam Offsets
The Enfusion engine handles player data differently on the Microsoft Store build. On Steam, +0xF8 is your player name. On Xbox, that offset returns "NoVoice". You need to look at +0xD8 for the Gamertag and +0x80 for the 16-digit XUID.
Current Offsets (Rebased to 0x140000000):
Code:
world = 0x42710C8
network_manager = 0x101CE50
landscape = 0x42742F0
day_progress = 0x427D570
arma_string layout:
Code:
cpp:
// +0x08 uint16_t length
// +0x10 char[]   string data (inline ASCII)
std::string get() {
    uint16_t len = read<uint16_t>(this + 0x08);
    if (len > 0x128) return "";
    char buf[0x128] = {};
    read(this + 0x10, buf, len);
    // Build from (buf, len): buf has no terminator when len == 0x128.
    return std::string(buf, len);
}
Reading Player Names (Xbox Logic):
Code:
cpp:
// networkmanager + 0x50 -> networkclient + 0x18 -> scoreboard*
for (int i = 0; i < scoreboard_size; i++) {
    uintptr_t entry = read<uintptr_t>(scoreboard + i * 0x8);
    uint32_t network_id = read<uint32_t>(entry + 0x30);
    arma_string* gamertag = read<arma_string*>(entry + 0xD8);
    arma_string* xuid = read<arma_string*>(entry + 0x80);
}
Don't bother asking for the decrypted binary—dump it yourself using the steps above. If the offsets break after the next patch, just re-run the dumper and diff the functions.
Anyone found the offset for the new local player identity on the Xbox build yet?