PRX
scetool can decrypt SPRX's, producing an ELF... or is it? Not really. It has an ELF header but...
First LOAD segment, paddr points to the descriptor for the "dependency table" or "deptable" for short:
NOTE: All addresses inside the file assume the ELF header isn't there (basically add 0xE0 to all addresses.)(ELF64 header size is 0x40, no?)
Offset | Type | Description |
---|---|---|
+0 | long | Always(?) 0x101 |
+4 | char[28] | Name of this module, padded out with zeroes. Doesn't necessarily match the file name(why?)(it not matching the file name is the norm, why should it?)(Strange..for fw sprx I couldn't find anywhere near this the prx name, for Engine.BuildInfo_Ps3_Retail.sprx it's at 0x1FC(from the start)) |
+32 | long | A unique module ID? Gets used a lot later... |
+36 | long | Points to the deptable header |
+40 | long | Points to the END of the deptable header |
+44 | long | Points to the start of first deptable entry |
+48 | long | points to the end of the LAST deptable entry |
Exports:
Offset | Type | Description |
---|---|---|
+0 | long[5] | Always(?) 0x1C000000(entry size(0x1c)), 0x80000002(, 0x10000, 0, 0 |
+20 | long | Points to three longs which are always(?) 0xBC9A0086, 0xAB779874, 0xD7F43016.... Export FNID's |
+24 | long | Stubtable Export FNID Functions. The first entry here corresponds to the function whose FNID is the first FNID table entry and so forth |
Imports:
Offset | Type | Description |
---|---|---|
+0 | short[2] | Always(?) 0x2C00, 1 |
+4 | short | Flags? 0x1 is always set, 0x8 often, 0x2000 seems to indicate a non-PRX library (like "stdc" or "allocator") that comes from somewhere else (LV2?) |
+6 | short | The number of functions the depending PRX needs from the depended PRX. There is this many function pointers in the stubtable (see below) for this PRX. Most of the time, there's also this many entries in the Mystery Table for that PRX. But not always? "allocator" in particular seems to get strange stuff. |
+8 | short | Usually 0, but "paf" gets sometimes 5, sometimes 6, sometimes 0. More flags maybe? |
+10 | short[3] | Always(?) 0. Probably for alignment. |
+16 | long | Pointer to the ASCII string of the depended PRX's name. These don't seem to consistently map with the PRX's file name in dev_flash. |
+20 | long | Pointer to this library's entries in the mystery table. |
+24 | long | Pointer to the the pointers to function wrappers for this library in the wrapper list. |
+28 | long[2] | 0, 0 for every PRX except paf, which gets two more sets in the mystery table, pointed to by these, unless +8 is 0. |
Second LOAD segment is all the relocation and symbol data, save for the names (as ASCII strings) of the exposed functions (which are in the first LOAD segment along with all the other strings the PRX uses).
At the start of this section is the wrapper list, just a flat array of pointers to subroutines that appear to be wrappers for calling functions in other PRXes. This combined with the deptable maps those wrappers to PRXes.
At EOF-20 is a pointer to the start of the funcpointer table. After 0xFFFFFFFF and a handful of pointers into itself, it goes into a list of pointers to subroutines (as longs) each followed by a long containing the unique ID from the deptable descriptor.
Table number two: All longs(?) The very first is a pointer to the very start of the funcpointer table.
There is a table that's a listing of the functions exposed to apps/other PRXes. This table is usually referenced by a function; how exactly it is reached remains to be seen.
Offset | Type | Description |
---|---|---|
+12n | long | Pointer to the ASCII string name of this function |
+12n +4 | long | Pointer to this function's entry in the funcpointer table. |
+12n +8 | long | Always(?) zero. |
FNID generation
symbol name suffix
symbol_name_suffix: 6759659904250490566427499489741A
To calculate FNID value of exported/imported symbol from .PRX you need to take SHA-1 hash over concatenation of symbol's name and symbol_name_suffix and then grab first 4 bytes from it and reverse these bytes (because of little-endian). Let's take, for example, _sys_sprintf:
SHA1('_sys_sprintf' + '\x67\x59\x65\x99\x04\x25\x04\x90\x56\x64\x27\x49\x94\x89\x74\x1A') = FEEAF9A123D7D1A7619B40CD52500F9735A852A4 FNID('_sys_sprintf') = swap_uint32(0xFEEAF9A1) = 0xA1F9EAFE.
For C++ functions you should use mangled representation of symbol's name. For example, mangled name of std::runtime_error::what() const is _ZNKSt13runtime_error4whatEv and FNID('_ZNKSt13runtime_error4whatEv') = 0x5333bdc9.