PRX Module File Research Results (not Encrypted)

steddy
Posts: 139
Joined: Mon Apr 04, 2005 3:53 am

Post by steddy »

I have been researching the structure of unencrypted PRX modules and have so far uncovered quite a bit of information. A lot of this is already known as demonstrated by nem, but I think a lot of this is also new or not very well documented.

Apologies if this isn't useful, but I found it interesting to uncover so thought somebody else might. The data representations in the value column are in standard MIPS endian notation hence the different value for magic numbers. I performed this against mpeg.prx on Ridge Racers but have cross referenced about 20 other modules to validate it.

Analysis of mpeg.prx module.  Results apply to most other PRX modules (little endian notation as per hex dump)

.rodata.sceStub.text section description (2 DWORD entries for every import in sceNid)			
Value    	 Type       	Description                                                 Extra
0x0800E003	32bit Value	DWORD Value 1	
0x00000000	32bit Value	DWORD Value 2	
……..	    	x QQ (31) Entries specified in .lib.ent Section	
			
.lib.ent.top section description			
Value    	 Type       	Description                                                 Extra
0x00000000	32bit Value	.lib.ent.top entry marker	

.lib.ent section description			
Value    	 Type       	Description                                                 Extra
0x00000000	32bit Value	Maybe offset to first section (0) like below	
0x00000080	32bit Value	??	
0x04010200	32bit Value	?? 0x02 is maybe some sort of function count as below		
0x7C770000	32bit Offset	Offset to Module_Start Magic word	Offset in sceResident table	
The following entries are only present for PRX modules exporting functions via sceResident (TT=0x06)
0x94770000	32bit Offset	Offset to Library Prefix in sceResident table	0x7794 = sceMpeg	
0x00000100	32bit Value	??		
0x40001F00	0x4000QQ00	QQ=Number of exported functions defined	0x1F (31) Functions Exported	
0x9C770000	32bit Offset	Offset to exported function table entries	Offset in sceResident table to first function hash	
				
.lib.stub.top section description				
Value    	 Type       	Description                                                 Extra
0x00000000	32bit Value	.lib.stub entry marker		

.lib.stub section description (describes Import modules and functions)				
Value    	 Type       	Description                                                 Extra
0x1C770000	32bit Offset	Offset into sceResident for LibraryName	0x771C = ThreadManForUser	Lib 1
0x00000140	32bit Value	??		
0x05000600	0xXX00NN00	XX=Record length in 32bit words, NN=Number of Module imports	6 Function Entries in sceNid	
0x94780000	32bit Offset	Offset into sceNid table (for table of imported functions)	0x7894 -> 0x78AB	
0x90750000	32bit Offset	Offset into sceStub.text	0x7590	
0x34770000	32bit Offset	Offset into sceResident for LibraryName	0x7734 = UtilsForUser	Lib 2
0x00000140	32bit Value	??		
0x05000100	0xXX00NN00	XX=Record length in 32bit words, NN=Number of Module imports	1 Function Entries in sceNid	
0xAC780000	32bit Offset	Offset into sceNid table (for table of imported functions)	0x78AC -> 0x78AF	
0xC0750000	32bit Offset	Offset into sceStub.text	0x75C0	
0x48770000	32bit Offset	Offset into sceResident for LibraryName	0x7748 = sceVideocodec	Lib 3
0x00000140	32bit Value	??		
0x05000800	0xXX00NN00	XX=Record length in 32bit words, NN=Number of Module imports	8 Function Entries in sceNid	
0xD4780000	32bit Offset	Offset into sceNid table (for table of imported functions)	0x78D4 -> 0x78F3	
0x10760000	32bit Offset	Offset into sceStub.text	0x7610	
0x5C770000	32bit Offset	Offset into sceResident for LibraryName	0x775C = sceAudiocodec	Lib 4
0x00000140	32bit Value	??		
0x05000500	0xXX00NN00	XX=Record length in 32bit words, NN=Number of Module imports	5 Function Entries in sceNid	
0xB0780000	32bit Offset	Offset into sceNid table (for table of imported functions)	0x78B0 -> 0x78C3	
0xC8750000	32bit Offset	Offset into sceStub.text	0x75C8	
0x70770000	32bit Offset	Offset into sceResident for LibraryName	0x7770 = sceMpegbase	Lib 5
0x00000140	32bit Value	??		
0x05000400	0xXX00NN00	XX=Record length in 32bit words, NN=Number of Module imports	4 Function Entries in sceNid	
0xC4780000	32bit Offset	Offset into sceNid table (for table of imported functions)	0x78C4 -> 0x78D3	
0xF0760000	32bit Offset	Offset into sceStub.text	0x76F0	
				
.lib.stub.btm section description				
Value    	 Type       	Description                                                 Extra
0x00000000	32bit Value	.lib.stub exit marker		

.rodata.sceModuleInfo section description				
Value    	 Type       	Description                                                 Extra
0x06000101	0xTT00VVVV	Start Bytes.  TT = Elf Type, VV = Version
                    TT=0x00 - Plugin - function Hashes in sceVStub
                    TT=0x06 - Module - function Hashes in sceResident	
0xTEXT	    TextZ    	Module Name (e.g. sceMpeg_Library)	Padded to 28 bytes in length
0x80800000	32bit Address	Initial $GP register value	
0x54760000	32bit Offset	Offset to .lib.ent section	32 bits
0x74760000	32bit Offset	Offset to .lib.ent.bottom section	32 bits
0x7C760000	32bit Offset	Offset to .lib.stub section	32 bits
0xE0760000	32bit Offset	Offset to .lib.stub.bottom section	32 bits

.rodata.sceResident section description (Lists imported modules, Module description and Exported Functions (if TT=0x06))			
Value    	 Type       	Description                                                 Extra
0x00000000	32bit Value	Import Module Start Marker	
0xTEXT	    TextZ    	Imported Module Name (32bit aligned, 0 terminated)	ThreadManForUser
0x00000000	32bit Value	Import Module Start Marker	
0xTEXT	    TextZ    	Imported Module Name (32bit aligned, 0 terminated)	UtilsForUser
0x00000000	32bit Value	Import Module Start Marker	
0xTEXT	    TextZ    	Imported Module Name (32bit aligned, 0 terminated)	sceVideocodec
0x00000000	32bit Value	Import Module Start Marker	
0xTEXT	    TextZ    	Imported Module Name (32bit aligned, 0 terminated)	sceAudiocodec
0x00000000	32bit Value	Import Module Start Marker	
0xTEXT	    TextZ    	Imported Module Name (32bit aligned, 0 terminated)	sceMpegbase
0xDBAC32D6	32bit Value	Module_Start Magic word	
0x3C59E8CE	32bit Value	Module_End Magic word	
0xA7731DF0	32bit Value	Module_Info Magic word	
0x20640000	32bit Offset	Offset into .text module (value 0xF0FFBD27)	??
0x54640000	32bit Offset	Offset into .text module (value 0xF0FFBD27)	Only present if TT=0x06
0xE4760000	32bit Offset	Offset to .rodata.sceModuleInfo	
The following entries are only present for PRX modules exporting functions directly via sceResident (TT=0x06)			
0xTEXT	    TextZ    	Exported Module Prefix Name	sceMpeg
0x2FE232C1	32bit SHA1	SHA-1 32bit LSB Function Name	Exported Function 1
0x21F1C5D8	32bit SHA1	SHA-1 32bit LSB Function Name	Exported Function 2
……..	    	x QQ (31) Entries specified in .lib.ent Section	
0x34100000	32bit Offset	Exported Function Entrypoint Offset	Exported Function 1
0x3c110000	32bit Offset	Exported Function Entrypoint Offset	Exported Function 2

.rodata.sceNid section description (Lists imported function SHA1 hashes)			
Value    	 Type       	Description                                                 Extra
0xA14BDAD6	32bit SHA1	Import function SHA1 Hash	
……..	    	x NN1 + NN2 + NN3 + NN4 + NN5 (5 Import modules)	One entry for every imported module function

.rodata.sceVstub section description (Exported Functions if TT=0x00) - Sample from msgdialog_plugin.prx - Mainly guesswork			
Value    	 Type       	Description                                                 Extra
0x680F0000	32bit Offset	Exported Function Entrypoint Offset	
0xAF14713E	32bit SHA1	SHA-1 32bit LSB Function Name	Exported Function 1
……..    		Repeated for each exported function 	
0xF9000014		?? Flags?	
0xFA000018		?? Flags?	
0x00000000	32bit Value	End exported function offset/hash	
0x8C020014	2 x 16bit Values	16bit Offset and Flags combined?	Offset 0x028C / Flags 0x0014?
0x8E020018	2 x 16bit Values	16bit Offset and Flags combined?	Offset 0x028E / Flags 0x0018?
0xDF020014	2 x 16bit Values	16bit Offset and Flags combined?	Offset 0x02DF / Flags 0x0014?
0xE0020018	2 x 16bit Values	16bit Offset and Flags combined?	Offset 0x02E0 / Flags 0x0018?
0xFF020014	2 x 16bit Values	16bit Offset and Flags combined?	Offset 0x02FF / Flags 0x0014?
0x00030018	2 x 16bit Values	16bit Offset and Flags combined?	Offset 0x0300 / Flags 0x0018?
0x0E030018	2 x 16bit Values	16bit Offset and Flags combined?	Offset 0x030E / Flags 0x0018?
0x00000000
With a few more holes filled in and a couple more files examined this should be complete. Maybe it could help with uncovering the library functions and should allow developers to code their own PRX modules :)

Suggestion: How about using Strings against all modules, then hashing every value and comparing them to the hashes in the export tables? Now that more UMDs have been released we have plenty of source ELFs and modules to look through and match against.

Steddy
Last edited by steddy on Wed Jun 01, 2005 3:49 am, edited 1 time in total.
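The following is an added example, not code from steddy's post or from any PSP SDK: it walks the .lib.stub records exactly as the table above lays them out (library name offset, unknown word, XX/NN word, sceNid offset, sceStub.text offset), steps by the XX record length rather than a fixed 20 bytes, and reads Value-column entries as the little-endian integers they encode. The 256-byte image, its offsets and two of the three NIDs are constructed for the example; only 0xA14BDAD6 is a hash quoted in the thread.

```python
import struct

def value_column(hexbytes):
    """Read a Value-column entry such as "1C770000" (bytes in file order)
    as the little-endian 32-bit integer it encodes: 0x771C."""
    return struct.unpack("<I", bytes.fromhex(hexbytes))[0]

def u32(image, off):
    return struct.unpack_from("<I", image, off)[0]

def cstring(image, off):
    # Library names in sceResident are 0-terminated ASCII
    return image[off:image.index(b"\0", off)].decode("ascii")

def parse_lib_stub(image, stub_off, stub_btm_off):
    """One dict per imported library between .lib.stub and .lib.stub.btm.
    Record words: libname offset, unknown word, XX/NN word, sceNid offset,
    sceStub.text offset; XX = record length in 32-bit words, NN = imports."""
    libs, off = [], stub_off
    while off < stub_btm_off:
        name_off = u32(image, off)
        xx, _, nn, _ = struct.unpack_from("<4B", image, off + 8)
        if xx < 5:
            raise ValueError(f"stub record at 0x{off:X} is only {xx} words")
        nid_off, text_off = u32(image, off + 12), u32(image, off + 16)
        libs.append({"name": cstring(image, name_off), "count": nn,
                     "nids": [u32(image, nid_off + 4 * i) for i in range(nn)],
                     "stub_text": text_off})
        off += 4 * xx          # step by XX, not by a fixed 20 bytes
    if u32(image, stub_btm_off) != 0:
        raise ValueError(".lib.stub.btm marker is not zero")
    return libs

def build_sample():
    """Constructed image (not mpeg.prx): sceResident names at 0x00, a
    three-entry sceNid table at 0x40, two .lib.stub records at 0x60 whose
    unknown word is the table's bytes 00 00 01 40, .lib.stub.btm at 0x88."""
    img = bytearray(0x100)
    img[0x00:0x15] = b"\0\0\0\0ThreadManForUser\0"
    img[0x18:0x29] = b"\0\0\0\0UtilsForUser\0"
    struct.pack_into("<3I", img, 0x40, 0xA14BDAD6, 0x293B45B8, 0x3FC9AE6A)
    struct.pack_into("<IIBBBBII", img, 0x60, 0x04, 0x40010000, 5, 0, 2, 0, 0x40, 0xA0)
    struct.pack_into("<IIBBBBII", img, 0x74, 0x1C, 0x40010000, 5, 0, 1, 0, 0x48, 0xB0)
    return bytes(img), 0x60, 0x88

if __name__ == "__main__":
    image, stub, btm = build_sample()
    for lib in parse_lib_stub(image, stub, btm):
        print(f"{lib['name']}: {lib['count']} imports, stub text at 0x{lib['stub_text']:X}")
```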
mrbrown
Site Admin
Posts: 1537
Joined: Sat Jan 17, 2004 11:24 am

Post by mrbrown »

Why did you note little endian when you wrote every value in big endian format?
fashidus
Posts: 34
Joined: Fri May 27, 2005 4:48 pm

Post by fashidus »

good stuff, steddy...
steddy
Posts: 139
Joined: Mon Apr 04, 2005 3:53 am

Post by steddy »

mrbrown wrote:Why did you note little endian when you wrote every value in big endian format?
All the values down the left are in little endian format, i.e. LSB first. The translated values in the descriptions are in big endian format.

Steddy
mrbrown
Site Admin
Posts: 1537
Joined: Sat Jan 17, 2004 11:24 am

Post by mrbrown »

steddy wrote:
mrbrown wrote:Why did you note little endian when you wrote every value in big endian format?
All the values down the left are in little endian format, i.e. LSB first. The translated values in the descriptions are in big endian format.

Steddy
Ah so those are byte values along the left side. Because it looked as if they were supposed to be 32-bit values, because you wrote them as 0xXXXXXXXX. If they were 32-bit values, then they would be big endian the way you wrote them. I suppose the translated values are byte values too, which is why you say they are big endian?
steddy
Posts: 139
Joined: Mon Apr 04, 2005 3:53 am

Post by steddy »

Sort of.

They are 32 bit values in most cases (offsets). For example the first entry in .lib.stub is shown as 0x1C770000 in the Value column. This is a 32bit offset which translates to 0x0000771C in reality. The 0x is just standard notation for showing hex values. It's little endian on the left (0x1C is the LSB of the 32 bit value) and big endian on the right (0x00 is the MSB). So yes, the values on the left are in the byte order found in the file.

Steddy
mrbrown
Site Admin
Posts: 1537
Joined: Sat Jan 17, 2004 11:24 am

Post by mrbrown »

http://en.wikipedia.org/wiki/Endian

I'm afraid you've got it backwards :).
steddy
Posts: 139
Joined: Mon Apr 04, 2005 3:53 am

Post by steddy »

Emmm.... not according to this:-

http://www.unixpapa.com/incnote/byteorder.html

I guess it's unimportant anyway, the message of what this contains is more important :)
djhuevo
Posts: 47
Joined: Thu Mar 10, 2005 3:50 pm

Post by djhuevo »

0x05000600 0x0500NN00 NN=Number of Module imports 6 Function Entries in sceNid
0x05000600 0xXX00NN00 XX=number of (32bits) words of each stub record. (in msgdialog_plugin.prx XX==6)
surviving in the land of the trolldev
Guest

Post by Guest »

steddy wrote:Sort of.

They are 32 bit values in most cases (offsets). For example the first entry in .lib.stub is shown as 0x1C770000 in the Value column. This is a 32bit offset which translates to 0x0000771C in reality. The 0x is just standard notation for showing hex values. It's little endian on the left (0x1C is the LSB of the 32 bit value) and big endian on the right (0x00 is the MSB). So yes, the values on the left are in the byte order found in the file.

Steddy
Standard practice is, show integer values always in big-endian format prefixed with 0x to denote hex.

Showing a sequence of byte values, which would be analogous to showing in little-endian format, on the other hand, is more commonly done by leaving off the 0x and placing a space between the "bytes". (see any hex dump program).

But anyhow, you are consistently doing good research. Keep it up! ;)
steddy
Posts: 139
Joined: Mon Apr 04, 2005 3:53 am

Post by steddy »

djhuevo wrote:0x05000600 0xXX00NN00 XX=number of (32bits) words of each stub record. (in msgdialog_plugin.prx XX==6)
Updated. Thanks :)