If your statement is correct, would this be possible:
1. Find a default.xex on the demo-kiosk disc that uses some unsigned dll-like file.
2. Hack the unsigned dll and make it execute a default.xex file from any retail game without changing the app-id - making the 360 think that it's still running the first app, when it's infact launching a retail backup game.
I don't know if something like this is even possible or if it's just another stupid suggestion.
Atleast I try
Well the exectuables are the files that are protected through signatures and media checks. That doesn't mean that all other files on the disc are unprotected too. There can be hash checks made by the executables themselves (like xboxdash.xbe checks a lot of it's supporting files)
If you can hack a supporting file that isn't hash checked and has vulnerabilities so you can make it turn off all other protections in the 360 (like the ram hashing naming one thing) and make it run an unsigned app then we would have an utopia disc. Unfortunately this seems rather imposible especially since we now nearly nothing about the xbox's cryptologie and protection circumventions at this point. this and the fact that it's rather unlikely that we can find flaws that can exploit the 360's major protections in these few rare discs is highly unlikely.
You cannot launch an xex and bypass the checks no matter what xex was loaded before that