PRX

From PS3 Developer wiki
Revision as of 11:08, 23 June 2013 by Roothorick (talk | contribs)

scetool can decrypt SPRXs, producing an ELF... or is it? Not really. It has an ELF header but...

The first LOAD segment's paddr points to the descriptor for the "dependency table", or "deptable" for short:

NOTE: All addresses inside the file assume the ELF header isn't there (basically, add 0xE0 to all addresses).

Offset Type Description
+0 long Always(?) 0x101
+4 char[28] Name of this PRX, padded out with zeroes. Doesn't necessarily match the file name (why?)
+32 long A unique module ID? Gets used a lot later...
+36 long Points to the deptable header
+40 long Points to the END of the deptable header
+44 long Points to the start of first deptable entry
+48 long Points to the end of the LAST deptable entry

Deptable header:

Offset Type Description
+0 long[5] Always(?) 0x1C000000, 0x80000002, 0x10000, 0, 0
+20 long Points to three longs which are always(?) 0xBC9A0086, 0xAB779874, 0xD7F43016. The start of the mystery table.
+24 long Points to three pointers in the mystery table. Two go to pointers to subroutines in the funcpointer table, the third goes back to the deptable descriptor.

Entry in the deptable:

Offset Type Description
+0 short[2] Always(?) 0x2C00, 1
+4 short Flags? 0x1 is always set, 0x8 often, 0x2000 seems to indicate a non-PRX library (like "stdc" or "allocator") that comes from somewhere else (LV2?)
+6 short The number of functions the depending PRX needs from the depended PRX. There are this many function pointers in the stubtable (see below) for this PRX. Most of the time, there are also this many entries in the Mystery Table for that PRX. But not always? "allocator" in particular seems to get strange stuff.
+8 short Usually 0, but "paf" gets sometimes 5, sometimes 6, sometimes 0. More flags maybe?
+10 short[3] Always(?) 0. Probably for alignment.
+16 long Pointer to the ASCII string of the depended PRX's name. These don't seem to consistently map with the PRX's file name in dev_flash.
+20 long Pointer to this library's entries in the mystery table.
+24 long Pointer to the pointers to function wrappers for this library in the wrapper list.
+28 long[2] 0, 0 for every PRX except paf, which gets two more sets in the mystery table, pointed to by these, unless +8 is 0.
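
As an added example (not code from this wiki or from scetool), here is a bounds-checked Python reader for the deptable descriptor and entries laid out above. It assumes big-endian fields, takes the first LOAD segment's paddr and the entry stride from the caller, and runs on a constructed sample image; all function and field names are hypothetical.

```python
import struct
from collections import namedtuple

SKEW = 0xE0  # per the page: add 0xE0 to every address stored in the file
DESC = struct.Struct(">I28s5I")       # descriptor, 52 bytes; big-endian like the PS3's CPU
ENTRY = struct.Struct(">2H3H3H3I2I")  # the 36 bytes of a deptable entry the page documents
Descriptor = namedtuple("Descriptor", "magic name module_id hdr hdr_end first last_end")
Entry = namedtuple("Entry", "flags nfuncs libname mystery wrappers non_prx")

def off(data, addr, size=1):
    """Map an in-file address to a file offset; reject anything outside the file."""
    if addr < 0 or addr + SKEW + size > len(data):
        raise ValueError(f"address {addr:#x} (+{size}) is outside the file")
    return addr + SKEW

def cstring(data, addr, limit=64):
    """Read a NUL-terminated ASCII name, bounded so a bad pointer cannot run away."""
    o = off(data, addr)
    end = data.find(b"\0", o, o + limit)
    if end < 0:
        raise ValueError(f"unterminated string at {addr:#x}")
    return data[o:end].decode("ascii", "replace")

def parse_descriptor(data, paddr):
    """paddr: the first LOAD segment's paddr, supplied by the caller."""
    f = DESC.unpack_from(data, off(data, paddr, DESC.size))
    if f[3] > f[4] or f[5] > f[6]:
        raise ValueError("descriptor start/end pointers are inverted")
    return Descriptor(f[0], f[1].rstrip(b"\0").decode("ascii", "replace"), *f[2:])

def parse_entries(data, desc, stride):
    """stride is an assumption the caller must supply; the page gives no entry size."""
    if stride < ENTRY.size or (desc.last_end - desc.first) % stride:
        raise ValueError("entry range is not a whole number of entries")
    out = []
    for addr in range(desc.first, desc.last_end, stride):
        f = ENTRY.unpack_from(data, off(data, addr, ENTRY.size))
        off(data, f[10], 4 * f[3])  # nfuncs wrapper pointers must fit in the file
        out.append(Entry(f[2], f[3], cstring(data, f[8]), f[9], f[10], bool(f[2] & 0x2000)))
    return out

def build_sample():
    """Constructed image, not a real PRX: 0xE0 filler, descriptor, two entries."""
    body = bytearray(0x120)
    DESC.pack_into(body, 0, 0x101, b"sample_prx", 0x1234, 0x100, 0x11C, 0x40, 0x88)
    ENTRY.pack_into(body, 0x40, 0x2C00, 1, 0x0009, 2, 0, 0, 0, 0, 0x90, 0, 0xA0, 0, 0)
    ENTRY.pack_into(body, 0x64, 0x2C00, 1, 0x2001, 1, 0, 0, 0, 0, 0x94, 0, 0xA8, 0, 0)
    body[0x90:0x98] = b"paf\0stdc"
    return bytes(0xE0) + bytes(body)
```

Every pointer is range-checked before it is followed, so a truncated or malformed decrypted file raises `ValueError` instead of reading garbage.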

Second LOAD segment is all the relocation and symbol data, save for the names (as ASCII strings) of the exposed functions (which are in the first LOAD segment along with all the other strings the PRX uses).

At EOF-20 is a pointer to the start of the funcpointer table. After 0xFFFFFFFF and a handful of pointers into itself, it goes into a list of pointers to subroutines (as longs) each followed by a long containing the unique ID from the deptable descriptor.

At the start of this section is the wrapper list, just a flat array of pointers to subroutines that appear to be wrappers for calling functions in other PRXes. This combined with the deptable maps those wrappers to PRXes.

Table number two: All longs(?) The very first is a pointer to the very start of the funcpointer table.

There is a table that's a listing of the functions exposed to apps/other PRXes. This table is usually referenced by a function; how exactly it is reached remains to be seen.

Offset Type Description
+12n long Pointer to the ASCII string name of this function
+12n +4 long Pointer to this function's entry in the funcpointer table.
+12n +8 long Always(?) zero.