What is the structure of .rodata.sceResident?

[steddy]

I have noticed that the .rodata.sceResident section of .prx modules contains the SHA1 hash of the contained function names. It also contains other stuff too like the list of modules it relies on (I think).

Is the binary format of this entire section documented anywhere? If I can get it I have a pretty good way to reverse all the function names.

Cheers
Steddy

[djhuevo]

.rodata.sceResident section have a list of magic words and his memory offsets

A PRX (PSP module) can have

module_start (0xD632ACDB)
module_stop (0xCEE8593C)
module_info (0xF01D73A7)

If only have 0xD632ACDB,0xF01D73A7
then the next two 32bit words are respectively "module_start", "module_info" offsets

If you wanna figure more about the format see startup.s of nem hello_world. Or just play with any elf dumper and an hex editor.

Also I think that section names are no needed at all, can be striped, and the ELF will run as always (I have not confirmed that).

Import stubs hashes come in the section named .rodata.sceNid

[steddy]

Thanks, but that doesn't quite match what I am seeing. Looking at the mpeg.prx module I find:-

Code: Select all

Contents of section .rodata.sceResident:
 7718 00000000 54687265 61644d61 6e466f72  ....ThreadManFor
 7728 55736572 00000000 00000000 5574696c  User........Util
 7738 73466f72 55736572 00000000 00000000  sForUser........
 7748 73636556 6964656f 636f6465 63000000  sceVideocodec...
 7758 00000000 73636541 7564696f 636f6465  ....sceAudiocode
 7768 63000000 00000000 7363654d 70656762  c.......sceMpegb
 7778 61736500 dbac32d6 3c59e8ce a7731df0  ase...2.<Y...s..
 7788 20640000 54640000 e4760000 7363654d   d..Td...v..sceM
 7798 70656700 e480ff21 119e1e61 9b612a68  peg....!...a.a*h
 77a8 d6244687 2fe232c1 21f1c5d8 49466a60  .$F./.2.!...IFj`
 77b8 230f5642 a24a1a59 7ecf80a7 b170b8ce  #.VB.J.Y~....p..
 77c8 79b6dcf8 b5f62cc0 9efd7a16 ae864523  y.....,...z...E#
 77d8 eab7cf9d 286724fe 7d021e8c a783cee1  ....&#40;g$.&#125;.......
 77e8 29040f50 29767b70 9d2e3c0e d7186c0f  &#41;..P&#41;v&#123;p..<...l.
 77f8 26701ca1 d1cc0f74 df440c80 469fa2d7  &p.....t.D..F...
 7808 d85e2937 137f4013 9ea540b2 87dcf6b5  .^&#41;7..@...@.....
 7818 34100000 3c110000 3c030000 e0030000  4...<...<.......
 7828 18090000 50040000 24080000 5c020000  ....P...$...\...
 7838 a4010000 a0510000 28520000 e4520000  .....Q..&#40;R...R..
 7848 34530000 d0080000 a4580000 84590000  4S.......X...Y..
 7858 c8490000 fc3f0000 f8450000 00000000  .I...?...E......
 7868 14010000 ec0b0000 540b0000 ac0a0000  ........T.......
 7878 e00d0000 8c0f0000 383d0000 503d0000  ........8=..P=..
 7888 203e0000 0c3a0000 f83b0000            >...&#58;...;..    

As you can see, this starts with 0x00000000 then some other Module names. Its not until 0xe480ff21 at 0x779c that we start with the SHA1 hashes and the module_start (0xD632ACDB) appears at offset 0x777C.

The module names also have a varying number of zeros between them and are of varying lengths. I did look at nems code, but couldn't match this to the format I am seeing in the PRX modules.

Thanks
Steddy

[djhuevo]

well, then don't trust in section names, they are not usefull to lacate the info that you need....

first got module info (at paddr of first program in the ELF)
next get offset of lib_stub from module info and read the stubs records.

[steddy]

Actually I think I have the format completely understood now.

Do you have a list of all the other magic numbers like the ones you listed above?

[djhuevo]

these hashes are in msgdialog_plugin.prx in the section called .rodata.sceVstub

0x3e7114af
0x7c94404d

I don't have bruteforced those yet.

[steddy]

Sorry, I meant the magic numbers for flags such as Module_Start and Module_End.

Steddy