Editing PRX
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
scetool can decrypt SPRX's, producing an ELF... or is it? Not really. It has an ELF header but... | |||
' | First LOAD section, paddr points to what I'll call the module descriptor. | ||
Second LOAD section starts off with a list of the entry points for all the exposed functions and then some (more on that later). The remainder is garbage/padding. | |||
NOTE: All addresses inside the file assume the ELF header isn't there (basically add 0xE0 to all addresses.) | |||
{| | |||
! Offset | |||
! Type | |||
! Description | |||
|- | |||
| +0 | |||
| long | |||
| flags? Always 0x101 | |||
|- | |||
| +4 | |||
| char[always 16?] | |||
| Name of the module as a null-terminated string. | |||
|- | |||
| +20 | |||
| long | |||
| ????? Perhaps a unique module ID? | |||
|- | |||
| +24 | |||
| long | |||
| Points to start of symbol table header | |||
|- | |||
| +28 | |||
| long | |||
| Points to end of symbol table header | |||
|- | |||
| +32 | |||
| long | |||
| Points to start of first symbol defn | |||
|- | |||
| +36 | |||
| long | |||
| points to end of last symbol defn | |||
|} | |||
Symbol table header: | |||
{| | |||
! Offset | |||
! Type | |||
! Description | |||
|- | |||
| +0 | |||
| long[4] | |||
| ????? | |||
|- | |||
| +16 | |||
| quad or maybe a long preceded by zeroes? | |||
| Appears to point to a table of something crypto-looking... clearly in four-byte segments. The whole library gets six, and then each function gets ????? it varies. This pointer points to the first three. | |||
|- | |||
| +24 | |||
| long | |||
| ...and this points to the second three. | |||
|} | |||
Symbol defn: | |||
{| | |||
! Offset | |||
! Type | |||
! Description | |||
|- | |||
| +0 | |||
| quad | |||
| Always zeroes | |||
|- | |||
| +8 | |||
| long | |||
| Always(?) 0x2C000001 | |||
|- | |||
| +12 | |||
| long | |||
| ????? Probably flags... | |||
|- | |||
| +16 | |||
| long | |||
| ????? Usually 0, but "paf" gets 0x60000 instead. | |||
|- | |||
| +20 | |||
| (quad or maybe a long preceded by zeroes?) | |||
| Pointer to the name of the function! As a null/terminated ASCII string. | |||
|- | |||
| +28 | |||
| long | |||
| Pointer to this function's section of the Big Mystery Table. The values are always big and always in ascending order... very odd. | |||
|- | |||
| +32 | |||
| long | |||
| Pointer to the (long) pointer (in the second LOAD section) to the entry point of this function! | |||
|- | |||
| +36 | |||
| long[2] | |||
| Appears to be for overflow for the Big Mystery Table. Zeroes if not needed. | |||
|} | |||
Two functions are ALWAYS present: "paf" and "SysPrxForUser". What do they do? Not sure. They are real functions with legitimate entry points, so they can't be some kind of metadata. Hm. | |||