Finding the memory layout of the vita?

DeadlyData
Posts: 14
Joined: Thu Jul 19, 2012 8:44 pm

Re: Finding the memory layout of the vita?

Post by DeadlyData »

That was an approach I was considering taking. Most people see PSM as just a jailed development environment only capable of C#/.NET, but breaking into Mono could lead to code execution in the actual Vita environment.
celcodioc
Posts: 131
Joined: Sat Jun 09, 2012 8:50 am
Location: Sweden

Re: Finding the memory layout of the vita?

Post by celcodioc »

hoinzy wrote:That's another approach I should consider. I forgot to mention that, thanks to the LGPL, you can get a copy of the Mono modifications made for the Vita. Just send them an e-mail (found on the license site). Got my copy yesterday; there seems to be some interesting stuff in the io.c implementation for the Vita: crypto context, a "bridge" header file and all that stuff. Definitely worth a look. And of course you can take a look at the debug interface :)

[EDIT:] For those who want to join my path, the registration is at:

http://www.scei.co.jp/psvita-license/mono.html
In compliance with the LGPL, the source code of the open source software is made available to you. For request, please send e-mail to: pss_opensource_info@scei.co.jp with “Mono LGPL Request” in the subject line. In the body of the e-mail include your name and e-mail address. The personal information provided will be used only to answer your request.
Btw, a synonym worked for me. The response came after 5 days, so be patient.
viewtopic.php?f=54&t=12724
hoinzy
Posts: 16
Joined: Mon Jul 09, 2012 1:49 pm

Re: Finding the memory layout of the vita?

Post by hoinzy »

celcodioc wrote:
hoinzy wrote:That's another approach I should consider. I forgot to mention that, thanks to the LGPL, you can get a copy of the Mono modifications made for the Vita. Just send them an e-mail (found on the license site). Got my copy yesterday; there seems to be some interesting stuff in the io.c implementation for the Vita: crypto context, a "bridge" header file and all that stuff. Definitely worth a look. And of course you can take a look at the debug interface :)

[EDIT:] For those who want to join my path, the registration is at:

http://www.scei.co.jp/psvita-license/mono.html
In compliance with the LGPL, the source code of the open source software is made available to you. For request, please send e-mail to: pss_opensource_info@scei.co.jp with “Mono LGPL Request” in the subject line. In the body of the e-mail include your name and e-mail address. The personal information provided will be used only to answer your request.
Btw, a synonym worked for me. The response came after 5 days, so be patient.
viewtopic.php?f=54&t=12724
Yeah actually thanks, but please take a look at the timestamps :)
yifanlu
Guru
Posts: 760
Joined: Sun Mar 11, 2012 6:42 am

Re: Finding the memory layout of the vita?

Post by yifanlu »

The most interesting thing in the mono source is libSceMonoBridge_stub.a, which is ARM compiled code containing the memory address of native functions on the vita for stuff like pthreads and sockets. It's what the mono runtime hooks on to (smart, since you don't need the Vita Platform SDK to compile the runtime). Now, I don't know if the memory addresses are different outside of the PSSuite app, but that doesn't seem likely (why? just a guess). When I get time, I'm going to try my exploit again with the known function locations and see if I can get a response.
hoinzy
Posts: 16
Joined: Mon Jul 09, 2012 1:49 pm

Re: Finding the memory layout of the vita?

Post by hoinzy »

File Name : _SceLibMonoBridge-0001_F00_f52a345b.o
Format : ELF for ARM (Relocatable)
Well, I don't think this will work, since the functions will most probably be mapped randomly by the kernel. Still, it's not a direct implication.
I know how long it took Apple and Google to implement kernel ASLR properly, so there might be a chance Sony did a lousy job there :)
But I don't get where you can actually see addresses; those are just object files yet to be linked, right?
yifanlu
Guru
Posts: 760
Joined: Sun Mar 11, 2012 6:42 am

Re: Finding the memory layout of the vita?

Post by yifanlu »

hoinzy wrote:
File Name : _SceLibMonoBridge-0001_F00_f52a345b.o
Format : ELF for ARM (Relocatable)
Well, I don't think this will work, since the functions will most probably be mapped randomly by the kernel. Still, it's not a direct implication.
I know how long it took Apple and Google to implement kernel ASLR properly, so there might be a chance Sony did a lousy job there :)
But I don't get where you can actually see addresses; those are just object files yet to be linked, right?
No, what I'm saying is that we have absolute memory locations. This is the only way Sony can make linkable source code without giving us the linker from the official SDK. These functions are called indirectly by Mono through bridge.h (notice there's no bridge.c). The .a static library contains a separate object for each of these functions. They contain placeholders to always return -1, BUT after linking, will redirect the call to another address. We have memory addresses to common and some interesting functions.

Code:

abs:00000004 ; Segment type: Absolute symbols
abs:00000004 _NID_pss_alloc_mem = 0x1A2E441F
abs:00000008 _NID_pss_alloc_raw = 0x599AEA5E
abs:0000000C _NID_pss_code_mem_alloc = 0xF466ABEC
abs:00000010 _NID_pss_code_mem_flush_icache = 0x110F567B
abs:00000014 _NID_pss_code_mem_free = 0xB468C313
abs:00000018 _NID_pss_code_mem_initialize = 0xD67BC7AB
abs:0000001C _NID_pss_code_mem_lock = 0x53D03181
abs:00000020 _NID_pss_code_mem_terminate = 0x6899C39C
abs:00000024 _NID_pss_code_mem_unlock = 0x50E8F8FF
abs:00000028 _NID_pss_crypto_close = 0x37483E03
abs:0000002C _NID_pss_crypto_fread = 0x184E21BC
abs:00000030 _NID_pss_crypto_open = 0x6B4125E4
abs:00000034 _NID_pss_crypto_read = 0x32BA8444
abs:00000038 _NID_pss_create_semaphore = 0x5F969729
abs:0000003C _NID_pss_delay_thread = 0x18524DD
abs:00000040 _NID_pss_delete_semaphore = 0x6148DE4D
abs:00000044 _NID_pss_disable_ftz = 0x2E9C2A4B
abs:00000048 _NID_pss_free_mem = 0x1C59A84B
abs:0000004C _NID_pss_free_prng_provider = 0xBBCF4B04
abs:00000050 _NID_pss_free_raw = 0xB9EFB986
abs:00000054 _NID_pss_get_errnoloc = 0x617F673C
abs:00000058 _NID_pss_get_prng_provider = 0x88496636
abs:0000005C _NID_pss_get_thread_context = 0x6ABAA310
abs:00000060 _NID_pss_get_ticks_32 = 0xEC94BFCF
abs:00000064 _NID_pss_get_ticks_64 = 0xBE8FF7BE
abs:00000068 _NID_pss_get_ticks_since_111 = 0x98E48D48
abs:0000006C _NID_pss_get_win32_filetime = 0x440F10FA
abs:00000070 _NID_pss_getpagesize = 0xB5135219
abs:00000074 _NID_pss_getpid = 0xF90E4DD2
abs:00000078 _NID_pss_gettimeofday = 0xE65366F3
abs:0000007C _NID_pss_io_chstat = 0x827A135
abs:00000080 _NID_pss_io_close = 0xA201DB2A
abs:00000084 _NID_pss_io_dclose = 0x5528F7F1
abs:00000088 _NID_pss_io_dopen = 0x1D93AA23
abs:0000008C _NID_pss_io_getstat = 0x5C2090C1
abs:00000090 _NID_pss_io_lseek = 0x295FF99D
abs:00000094 _NID_pss_io_mkdir = 0xE9C00064
abs:00000098 _NID_pss_io_open = 0xEA977352
abs:0000009C _NID_pss_io_read = 0x37F6EDC2
abs:000000A0 _NID_pss_io_remove = 0x70FD542F
abs:000000A4 _NID_pss_io_rename = 0xB673FE93
abs:000000A8 _NID_pss_io_rmdir = 0x1F1764AD
abs:000000AC _NID_pss_io_write = 0xAF972DF7
abs:000000B0 _NID_pss_nanosleep = 0x7FFBD866
abs:000000B4 _NID_pss_net_accept = 0xD3F85D07
abs:000000B8 _NID_pss_net_bind = 0xD1E93EEF
abs:000000BC _NID_pss_net_connect = 0xB635E419
abs:000000C0 _NID_pss_net_epoll_create = 0xB18343A4
abs:000000C4 _NID_pss_net_epoll_ctl = 0x335C5433
abs:000000C8 _NID_pss_net_epoll_destroy = 0xCFFBBBF8
abs:000000CC _NID_pss_net_epoll_wait = 0x1942AA03
abs:000000D0 _NID_pss_net_gethostname = 0xB34921E5
abs:000000D4 _NID_pss_net_getpeername = 0xB46F9AEC
abs:000000D8 _NID_pss_net_getsockname = 0x92AB54A3
abs:000000DC _NID_pss_net_getsockopt = 0xBEA8F2D8
abs:000000E0 _NID_pss_net_htonl = 0x1C2F65E7
abs:000000E4 _NID_pss_net_htons = 0xFD3EF366
abs:000000E8 _NID_pss_net_init = 0x96D8FAE6
abs:000000EC _NID_pss_net_listen = 0x86CE8C7D
abs:000000F0 _NID_pss_net_ntohl = 0xF8DDBAF5
abs:000000F4 _NID_pss_net_ntohs = 0xD48BC6B5
abs:000000F8 _NID_pss_net_recv = 0xB508B0F
abs:000000FC _NID_pss_net_recvfrom = 0x71FFC585
abs:00000100 _NID_pss_net_resolver_create = 0x8FFCD9A4
abs:00000104 _NID_pss_net_resolver_start_aton = 0x5E72FC36
abs:00000108 _NID_pss_net_resolver_start_ntoa = 0x51B4211B
abs:0000010C _NID_pss_net_send = 0xDFAF1FB3
abs:00000110 _NID_pss_net_sendto = 0x4A101C16
abs:00000114 _NID_pss_net_setsockopt = 0xD3FED467
abs:00000118 _NID_pss_net_shutdown = 0xDEDBF700
abs:0000011C _NID_pss_net_socket = 0xCAB1666C
abs:00000120 _NID_pss_net_socket_close = 0x64DD5EB6
abs:00000124 _NID_pss_prng_fill = 0x7EA1D46F
abs:00000128 _NID_pss_resume_thread = 0x15C51A57
abs:0000012C _NID_pss_set_thread_context = 0x5E5A5A9C
abs:00000130 _NID_pss_set_win32_filetime = 0xF981589B
abs:00000134 _NID_pss_signal_semaphore = 0xB9A41171
abs:00000138 _NID_pss_supports_fast_tls = 0xDF2BE54B
abs:0000013C _NID_pss_suspend_thread = 0xC42D2F9E
abs:00000140 _NID_pss_threads_initialize = 0x406453D4
abs:00000144 _NID_pss_usb_transport_close1 = 0xF7FB1E6F
abs:00000148 _NID_pss_usb_transport_close2 = 0x2FDCC52
abs:0000014C _NID_pss_usb_transport_connect = 0x971CB35B
abs:00000150 _NID_pss_usb_transport_recv = 0xBC46D569
abs:00000154 _NID_pss_usb_transport_send = 0xFBC177AA
abs:00000158 _NID_pss_wait_semaphore = 0x755D09D8
abs:0000015C _NID___sce_aeabi_idiv0 = 0x1EBF97CC
abs:00000160 _NID___sce_aeabi_ldiv0 = 0x2AB3B87C
abs:00000164 _NID_environ = 0x97F0181A
abs:00000168 _NID_getenv = 0x2AEBA06E
abs:0000016C _NID_g_ascii_strcasecmp = 0xC653C249
abs:00000170 _NID_g_file_vita_get_current_dir = 0x545F9DA8
abs:00000174 _NID_g_file_vita_get_full_path = 0xC1F77924
abs:00000178 _NID_g_file_vita_set_current_dir = 0x1EE0837
abs:0000017C _NID_monoeg_assertion_message = 0xA0D78B57
abs:00000180 _NID_monoeg_g_array_append_vals = 0x38EC545B
abs:00000184 _NID_monoeg_g_array_free = 0x75935E0
abs:00000188 _NID_monoeg_g_array_insert_vals = 0xEDCCA472
abs:0000018C _NID_monoeg_g_array_new = 0x5EDBCA5
abs:00000190 _NID_monoeg_g_ascii_strdown = 0x3B76B55A
abs:00000194 _NID_monoeg_g_ascii_strncasecmp = 0x7CDD24DB
abs:00000198 _NID_monoeg_g_ascii_tolower = 0xF5C20E95
abs:0000019C _NID_monoeg_g_ascii_xdigit_value = 0x522CF60A
abs:000001A0 _NID_monoeg_g_build_path = 0x85453290
abs:000001A4 _NID_monoeg_g_convert = 0xB27101E2
abs:000001A8 _NID_monoeg_g_dir_close = 0x52E9FEB1
abs:000001AC _NID_monoeg_g_dir_open = 0x6F92241A
abs:000001B0 _NID_monoeg_g_dir_read_name = 0x4600943C
abs:000001B4 _NID_monoeg_g_direct_equal = 0x8148B339
abs:000001B8 _NID_monoeg_g_direct_hash = 0xD8811B19
abs:000001BC _NID_monoeg_g_error_free = 0x47C11F1D
abs:000001C0 _NID_monoeg_g_file_get_contents = 0x5AE6764
abs:000001C4 _NID_monoeg_g_file_open_tmp = 0x6B74C816
abs:000001C8 _NID_monoeg_g_file_test = 0xCF8DCED3
abs:000001CC _NID_monoeg_g_filename_from_uri = 0x8AD58AF
abs:000001D0 _NID_monoeg_g_filename_from_utf8 = 0xDB1AD82A
abs:000001D4 _NID_monoeg_g_filename_to_uri = 0xB8A330FA
abs:000001D8 _NID_monoeg_g_find_program_in_path = 0xAA9C90DE
abs:000001DC _NID_monoeg_g_free = 0xFDB0CDD
abs:000001E0 _NID_monoeg_g_get_charset = 0xF6BEC9D3
abs:000001E4 _NID_monoeg_g_get_current_dir = 0xB6243709
abs:000001E8 _NID_monoeg_g_get_home_dir = 0x7DF9817E
abs:000001EC _NID_monoeg_g_get_tmp_dir = 0x60DDC771
abs:000001F0 _NID_monoeg_g_get_user_name = 0x93FF7030
abs:000001F4 _NID_monoeg_g_getenv = 0xA4ADADF
abs:000001F8 _NID_monoeg_g_hash_table_destroy = 0x931C06A1
abs:000001FC _NID_monoeg_g_hash_table_foreach = 0xC23C4881
abs:00000200 _NID_monoeg_g_hash_table_foreach_remove = 0x4977120A
abs:00000204 _NID_monoeg_g_hash_table_foreach_steal = 0x9324F0E1
abs:00000208 _NID_monoeg_g_hash_table_insert_replace = 0xC466869
abs:0000020C _NID_monoeg_g_hash_table_iter_init = 0x8FF97526
abs:00000210 _NID_monoeg_g_hash_table_iter_next = 0xA1F2C7E0
abs:00000214 _NID_monoeg_g_hash_table_lookup = 0xA9AD9AEF
abs:00000218 _NID_monoeg_g_hash_table_lookup_extended = 0x8CBE093B
abs:0000021C _NID_monoeg_g_hash_table_new = 0x378448E9
abs:00000220 _NID_monoeg_g_hash_table_new_full = 0xFABF5E38
abs:00000224 _NID_monoeg_g_hash_table_remove = 0x4A9D45E3
abs:00000228 _NID_monoeg_g_hash_table_size = 0x2DB584C2
abs:0000022C _NID_monoeg_g_list_alloc = 0xEB6A82FC
abs:00000230 _NID_monoeg_g_list_append = 0x2BEBDAED
abs:00000234 _NID_monoeg_g_list_copy = 0x35E0AE9D
abs:00000238 _NID_monoeg_g_list_delete_link = 0xE05B869F
abs:0000023C _NID_monoeg_g_list_find = 0xB52FC668
abs:00000240 _NID_monoeg_g_list_foreach = 0xF6A02E4F
abs:00000244 _NID_monoeg_g_list_free = 0x3240185B
abs:00000248 _NID_monoeg_g_list_insert_before = 0x75BD1C5D
abs:0000024C _NID_monoeg_g_list_length = 0xDFA458D2
abs:00000250 _NID_monoeg_g_list_nth = 0x1A2AD677
abs:00000254 _NID_monoeg_g_list_nth_data = 0xA53BD200
abs:00000258 _NID_monoeg_g_list_prepend = 0x1BCA4E9C
abs:0000025C _NID_monoeg_g_list_remove = 0x26E6587C
abs:00000260 _NID_monoeg_g_list_remove_link = 0x1CCAF27B
abs:00000264 _NID_monoeg_g_list_reverse = 0x67095A4A
abs:00000268 _NID_monoeg_g_list_sort = 0xC15FBB62
abs:0000026C _NID_monoeg_g_locale_from_utf8 = 0xE84A2EED
abs:00000270 _NID_monoeg_g_locale_to_utf8 = 0x68463D0C
abs:00000274 _NID_monoeg_g_log = 0xCA6DB761
abs:00000278 _NID_monoeg_g_log_set_always_fatal = 0x8E19519B
abs:0000027C _NID_monoeg_g_log_set_fatal_mask = 0x3F109D66
abs:00000280 _NID_monoeg_g_logv = 0xACC0E109
abs:00000284 _NID_monoeg_g_markup_parse_context_end_parse = 0xF357A07C
abs:00000288 _NID_monoeg_g_markup_parse_context_free = 0x828CA4F4
abs:0000028C _NID_monoeg_g_markup_parse_context_new = 0x3472AD12
abs:00000290 _NID_monoeg_g_markup_parse_context_parse = 0xCAAB6479
abs:00000294 _NID_monoeg_g_memdup = 0x3BF53203
abs:00000298 _NID_monoeg_g_path_get_basename = 0x3858FDD0
abs:0000029C _NID_monoeg_g_path_get_dirname = 0x760267A0
abs:000002A0 _NID_monoeg_g_path_is_absolute = 0x37BD3E1B
abs:000002A4 _NID_monoeg_g_print = 0x2A5C197D
abs:000002A8 _NID_monoeg_g_printerr = 0xA7A44394
abs:000002AC _NID_monoeg_g_ptr_array_add = 0xDB4852CA
abs:000002B0 _NID_monoeg_g_ptr_array_free = 0x66743D4C
abs:000002B4 _NID_monoeg_g_ptr_array_new = 0x33A7FA42
abs:000002B8 _NID_monoeg_g_ptr_array_remove = 0x9D8A3F8
abs:000002BC _NID_monoeg_g_ptr_array_remove_fast = 0xC551D9F7
abs:000002C0 _NID_monoeg_g_ptr_array_remove_index = 0x2BD1603F
abs:000002C4 _NID_monoeg_g_ptr_array_remove_index_fast = 0x9CB8D947
abs:000002C8 _NID_monoeg_g_ptr_array_sized_new = 0x20464DB5
abs:000002CC _NID_monoeg_g_queue_free = 0x3D41FF7E
abs:000002D0 _NID_monoeg_g_queue_is_empty = 0x26A85739
abs:000002D4 _NID_monoeg_g_queue_new = 0x75D3CADA
abs:000002D8 _NID_monoeg_g_queue_pop_head = 0x8D16FC46
abs:000002DC _NID_monoeg_g_queue_push_head = 0x30F35337
abs:000002E0 _NID_monoeg_g_set_prgname = 0xEBF04548
abs:000002E4 _NID_monoeg_g_setenv = 0x9E6BFE8B
abs:000002E8 _NID_monoeg_g_shell_quote = 0x91944CB3
abs:000002EC _NID_monoeg_g_slist_append = 0x1DCD3771
abs:000002F0 _NID_monoeg_g_slist_concat = 0x569A32C4
abs:000002F4 _NID_monoeg_g_slist_copy = 0x7966B92E
abs:000002F8 _NID_monoeg_g_slist_delete_link = 0xF745BBBD
abs:000002FC _NID_monoeg_g_slist_find = 0x91EF3384
abs:00000300 _NID_monoeg_g_slist_foreach = 0xC4178ED9
abs:00000304 _NID_monoeg_g_slist_free = 0x3FBE8990
abs:00000308 _NID_monoeg_g_slist_free_1 = 0xFF75E8C2
abs:0000030C _NID_monoeg_g_slist_insert_sorted = 0x96D0944D
abs:00000310 _NID_monoeg_g_slist_last = 0x9E82ACA3
abs:00000314 _NID_monoeg_g_slist_length = 0x3C4FA9AB
abs:00000318 _NID_monoeg_g_slist_nth = 0xE319844D
abs:0000031C _NID_monoeg_g_slist_nth_data = 0x38665E1F
abs:00000320 _NID_monoeg_g_slist_prepend = 0xAA813145
abs:00000324 _NID_monoeg_g_slist_remove = 0x2ACD677F
abs:00000328 _NID_monoeg_g_slist_reverse = 0xF1985656
abs:0000032C _NID_monoeg_g_snprintf = 0xC3BE1A9A
abs:00000330 _NID_monoeg_g_spaced_primes_closest = 0xDC3FEE9
abs:00000334 _NID_monoeg_g_spawn_async_with_pipes = 0xB9C960E3
abs:00000338 _NID_monoeg_g_str_equal = 0x343BBAEC
abs:0000033C _NID_monoeg_g_str_has_prefix = 0xA3BAF580
abs:00000340 _NID_monoeg_g_str_hash = 0x475CAF76
abs:00000344 _NID_monoeg_g_strchomp = 0x45EF6509
abs:00000348 _NID_monoeg_g_strchug = 0x87433486
abs:0000034C _NID_monoeg_g_strconcat = 0xB1550CDA
abs:00000350 _NID_monoeg_g_strdup_printf = 0x4E6EE5A0
abs:00000354 _NID_monoeg_g_strdup_vprintf = 0xA7042BC2
abs:00000358 _NID_monoeg_g_strerror = 0x980BB6C3
abs:0000035C _NID_monoeg_g_strfreev = 0x3EB1E49C
abs:00000360 _NID_monoeg_g_string_append = 0x84305AEE
abs:00000364 _NID_monoeg_g_string_append_c = 0x5B130D35
abs:00000368 _NID_monoeg_g_string_append_len = 0xDE912E45
abs:0000036C _NID_monoeg_g_string_append_printf = 0x9067DA1C
abs:00000370 _NID_monoeg_g_string_free = 0x8CAF3F55
abs:00000374 _NID_monoeg_g_string_new = 0x4A9791FF
abs:00000378 _NID_monoeg_g_string_printf = 0xACA22DB3
abs:0000037C _NID_monoeg_g_strjoin = 0xF9A3EF51
abs:00000380 _NID_monoeg_g_strlcpy = 0x29426056
abs:00000384 _NID_monoeg_g_strndup = 0x11E3A3A4
abs:00000388 _NID_monoeg_g_strreverse = 0x5EA4F9C0
abs:0000038C _NID_monoeg_g_strsplit = 0x7EA1C500
abs:00000390 _NID_monoeg_g_timer_destroy = 0xB133D2A
abs:00000394 _NID_monoeg_g_timer_elapsed = 0x9D0017DA
abs:00000398 _NID_monoeg_g_timer_new = 0xB3C99F9F
abs:0000039C _NID_monoeg_g_timer_start = 0x6358F60
abs:000003A0 _NID_monoeg_g_timer_stop = 0xD2C1FCA7
abs:000003A4 _NID_monoeg_g_ucs4_to_utf16 = 0x33FA7A53
abs:000003A8 _NID_monoeg_g_unichar_tolower = 0x1B7586C3
abs:000003AC _NID_monoeg_g_unichar_type = 0x4F9A3D81
abs:000003B0 _NID_monoeg_g_unichar_xdigit_value = 0x61F79239
abs:000003B4 _NID_monoeg_g_unsetenv = 0x2B391E9F
abs:000003B8 _NID_monoeg_g_usleep = 0x591EDE3E
abs:000003BC _NID_monoeg_g_utf16_to_ucs4 = 0x19420152
abs:000003C0 _NID_monoeg_g_utf16_to_utf8 = 0xB4610791
abs:000003C4 _NID_monoeg_g_utf8_strdown = 0x6ED9113B
abs:000003C8 _NID_monoeg_g_utf8_to_utf16 = 0x5627BFFE
abs:000003CC _NID_monoeg_g_utf8_validate = 0xC80A22F9
abs:000003D0 _NID_monoeg_malloc = 0x2D8238B7
abs:000003D4 _NID_monoeg_malloc0 = 0x608D5D6D
abs:000003D8 _NID_monoeg_realloc = 0x8FA807B1
abs:000003DC _NID_monoeg_try_malloc = 0xA59B6183
abs:000003E0 _NID_monoeg_try_realloc = 0xB1006CCC
abs:000003E4 _NID_pthread_attr_init = 0x27417DD
abs:000003E8 _NID_pthread_attr_setstacksize = 0xF33D87CE
abs:000003EC _NID_pthread_cleanup_pop_ = 0x57B0ED8C
abs:000003F0 _NID_pthread_cleanup_push_ = 0x8774E2F3
abs:000003F4 _NID_pthread_cond_broadcast = 0x5296E752
abs:000003F8 _NID_pthread_cond_destroy = 0x4B570B63
abs:000003FC _NID_pthread_cond_init = 0x250A81B8
abs:00000400 _NID_pthread_cond_signal = 0x4B212329
abs:00000404 _NID_pthread_cond_timedwait = 0x7F7610EE
abs:00000408 _NID_pthread_cond_wait = 0x397C681E
abs:0000040C _NID_pthread_create = 0xCBB5464C
abs:00000410 _NID_pthread_detach = 0x2A6A6980
abs:00000414 _NID_pthread_equal = 0x88C5C1DC
abs:00000418 _NID_pthread_exit = 0x48B49C9D
abs:0000041C _NID_pthread_getspecific = 0x30835413
abs:00000420 _NID_pthread_getspecific_for_thread = 0x6581D5BB
abs:00000424 _NID_pthread_join = 0xB90F817A
abs:00000428 _NID_pthread_key_create = 0xCC79246F
abs:0000042C _NID_pthread_key_delete = 0xA7992EEF
abs:00000430 _NID_pthread_mutex_destroy = 0x11A10230
abs:00000434 _NID_pthread_mutex_init = 0xBD7EAD04
abs:00000438 _NID_pthread_mutex_lock = 0xEB44087F
abs:0000043C _NID_pthread_mutex_trylock = 0xF52A345B
abs:00000440 _NID_pthread_mutex_unlock = 0x1B6BDBB3
abs:00000444 _NID_pthread_mutexattr_destroy = 0x623CDEF8
abs:00000448 _NID_pthread_mutexattr_init = 0x3A3B7447
abs:0000044C _NID_pthread_mutexattr_settype = 0xD2A744DF
abs:00000450 _NID_pthread_self = 0xE1DE206E
abs:00000454 _NID_pthread_setspecific = 0xED99821B
abs:00000458 _NID_pthread_vita_tls_create_np = 0x7E433BEA
abs:0000045C _NID_pthread_vita_tls_get_np = 0xD479D238
abs:00000460 _NID_pthread_vita_tls_set_np = 0x483C96B2
abs:00000464 _NID_sched_yield = 0x473829B5
abs:00000468 _NID_unlink = 0x7BBCA340
abs:0000046C _NID___aeabi_unwind_cpp_pr0 = 0xD172A1F6
abs:00000470 _NID___aeabi_unwind_cpp_pr1 = 0x6B008191
abs:00000474 _NID___ashldi3 = 0x3FF08624
abs:00000478 _NID___divdi3 = 0xC9DBA402
abs:0000047C _NID___divsi3 = 0x48A5D6B6
abs:00000480 _NID___lshrdi3 = 0x69B23762
abs:00000484 _NID___moddi3 = 0x9A2906FE
abs:00000488 _NID___modsi3 = 0x3F8F26A3
abs:0000048C _NID___udivdi3 = 0xD7F019CF
abs:00000490 _NID___udivsi3 = 0xFF10AAE9
abs:00000494 _NID___umoddi3 = 0x66FCF225
abs:00000498 _NID___umodsi3 = 0x35BC7C65
abs:00000498
abs:00000498                 END
Here's the same list cleaned up and ordered by memory address.

Code:

0x018524DD = pss_delay_thread
0x01EE0837 = g_file_vita_set_current_dir
0x027417DD = pthread_attr_init
0x02FDCC52 = pss_usb_transport_close2
0x05AE6764 = monoeg_g_file_get_contents
0x05EDBCA5 = monoeg_g_array_new
0x06358F60 = monoeg_g_timer_start
0x075935E0 = monoeg_g_array_free
0x0827A135 = pss_io_chstat
0x08AD58AF = monoeg_g_filename_from_uri
0x09D8A3F8 = monoeg_g_ptr_array_remove
0x0A4ADADF = monoeg_g_getenv
0x0B133D2A = monoeg_g_timer_destroy
0x0B508B0F = pss_net_recv
0x0C466869 = monoeg_g_hash_table_insert_replace
0x0DC3FEE9 = monoeg_g_spaced_primes_closest
0x0FDB0CDD = monoeg_g_free
0x110F567B = pss_code_mem_flush_icache
0x11A10230 = pthread_mutex_destroy
0x11E3A3A4 = monoeg_g_strndup
0x15C51A57 = pss_resume_thread
0x184E21BC = pss_crypto_fread
0x19420152 = monoeg_g_utf16_to_ucs4
0x1942AA03 = pss_net_epoll_wait
0x1A2AD677 = monoeg_g_list_nth
0x1A2E441F = pss_alloc_mem
0x1B6BDBB3 = pthread_mutex_unlock
0x1B7586C3 = monoeg_g_unichar_tolower
0x1BCA4E9C = monoeg_g_list_prepend
0x1C2F65E7 = pss_net_htonl
0x1C59A84B = pss_free_mem
0x1CCAF27B = monoeg_g_list_remove_link
0x1D93AA23 = pss_io_dopen
0x1DCD3771 = monoeg_g_slist_append
0x1EBF97CC = __sce_aeabi_idiv0
0x1F1764AD = pss_io_rmdir
0x20464DB5 = monoeg_g_ptr_array_sized_new
0x250A81B8 = pthread_cond_init
0x26A85739 = monoeg_g_queue_is_empty
0x26E6587C = monoeg_g_list_remove
0x29426056 = monoeg_g_strlcpy
0x295FF99D = pss_io_lseek
0x2A5C197D = monoeg_g_print
0x2A6A6980 = pthread_detach
0x2AB3B87C = __sce_aeabi_ldiv0
0x2ACD677F = monoeg_g_slist_remove
0x2AEBA06E = getenv
0x2B391E9F = monoeg_g_unsetenv
0x2BD1603F = monoeg_g_ptr_array_remove_index
0x2BEBDAED = monoeg_g_list_append
0x2D8238B7 = monoeg_malloc
0x2DB584C2 = monoeg_g_hash_table_size
0x2E9C2A4B = pss_disable_ftz
0x30835413 = pthread_getspecific
0x30F35337 = monoeg_g_queue_push_head
0x3240185B = monoeg_g_list_free
0x32BA8444 = pss_crypto_read
0x335C5433 = pss_net_epoll_ctl
0x33A7FA42 = monoeg_g_ptr_array_new
0x33FA7A53 = monoeg_g_ucs4_to_utf16
0x343BBAEC = monoeg_g_str_equal
0x3472AD12 = monoeg_g_markup_parse_context_new
0x35BC7C65 = __umodsi3
0x35E0AE9D = monoeg_g_list_copy
0x37483E03 = pss_crypto_close
0x378448E9 = monoeg_g_hash_table_new
0x37BD3E1B = monoeg_g_path_is_absolute
0x37F6EDC2 = pss_io_read
0x3858FDD0 = monoeg_g_path_get_basename
0x38665E1F = monoeg_g_slist_nth_data
0x38EC545B = monoeg_g_array_append_vals
0x397C681E = pthread_cond_wait
0x3A3B7447 = pthread_mutexattr_init
0x3B76B55A = monoeg_g_ascii_strdown
0x3BF53203 = monoeg_g_memdup
0x3C4FA9AB = monoeg_g_slist_length
0x3D41FF7E = monoeg_g_queue_free
0x3EB1E49C = monoeg_g_strfreev
0x3F109D66 = monoeg_g_log_set_fatal_mask
0x3F8F26A3 = __modsi3
0x3FBE8990 = monoeg_g_slist_free
0x3FF08624 = __ashldi3
0x406453D4 = pss_threads_initialize
0x440F10FA = pss_get_win32_filetime
0x45EF6509 = monoeg_g_strchomp
0x4600943C = monoeg_g_dir_read_name
0x473829B5 = sched_yield
0x475CAF76 = monoeg_g_str_hash
0x47C11F1D = monoeg_g_error_free
0x483C96B2 = pthread_vita_tls_set_np
0x48A5D6B6 = __divsi3
0x48B49C9D = pthread_exit
0x4977120A = monoeg_g_hash_table_foreach_remove
0x4A101C16 = pss_net_sendto
0x4A9791FF = monoeg_g_string_new
0x4A9D45E3 = monoeg_g_hash_table_remove
0x4B212329 = pthread_cond_signal
0x4B570B63 = pthread_cond_destroy
0x4E6EE5A0 = monoeg_g_strdup_printf
0x4F9A3D81 = monoeg_g_unichar_type
0x50E8F8FF = pss_code_mem_unlock
0x51B4211B = pss_net_resolver_start_ntoa
0x522CF60A = monoeg_g_ascii_xdigit_value
0x5296E752 = pthread_cond_broadcast
0x52E9FEB1 = monoeg_g_dir_close
0x53D03181 = pss_code_mem_lock
0x545F9DA8 = g_file_vita_get_current_dir
0x5528F7F1 = pss_io_dclose
0x5627BFFE = monoeg_g_utf8_to_utf16
0x569A32C4 = monoeg_g_slist_concat
0x57B0ED8C = pthread_cleanup_pop_
0x591EDE3E = monoeg_g_usleep
0x599AEA5E = pss_alloc_raw
0x5B130D35 = monoeg_g_string_append_c
0x5C2090C1 = pss_io_getstat
0x5E5A5A9C = pss_set_thread_context
0x5E72FC36 = pss_net_resolver_start_aton
0x5EA4F9C0 = monoeg_g_strreverse
0x5F969729 = pss_create_semaphore
0x608D5D6D = monoeg_malloc0
0x60DDC771 = monoeg_g_get_tmp_dir
0x6148DE4D = pss_delete_semaphore
0x617F673C = pss_get_errnoloc
0x61F79239 = monoeg_g_unichar_xdigit_value
0x623CDEF8 = pthread_mutexattr_destroy
0x64DD5EB6 = pss_net_socket_close
0x6581D5BB = pthread_getspecific_for_thread
0x66743D4C = monoeg_g_ptr_array_free
0x66FCF225 = __umoddi3
0x67095A4A = monoeg_g_list_reverse
0x68463D0C = monoeg_g_locale_to_utf8
0x6899C39C = pss_code_mem_terminate
0x69B23762 = __lshrdi3
0x6ABAA310 = pss_get_thread_context
0x6B008191 = __aeabi_unwind_cpp_pr1
0x6B4125E4 = pss_crypto_open
0x6B74C816 = monoeg_g_file_open_tmp
0x6ED9113B = monoeg_g_utf8_strdown
0x6F92241A = monoeg_g_dir_open
0x70FD542F = pss_io_remove
0x71FFC585 = pss_net_recvfrom
0x755D09D8 = pss_wait_semaphore
0x75BD1C5D = monoeg_g_list_insert_before
0x75D3CADA = monoeg_g_queue_new
0x760267A0 = monoeg_g_path_get_dirname
0x7966B92E = monoeg_g_slist_copy
0x7BBCA340 = unlink
0x7CDD24DB = monoeg_g_ascii_strncasecmp
0x7DF9817E = monoeg_g_get_home_dir
0x7E433BEA = pthread_vita_tls_create_np
0x7EA1C500 = monoeg_g_strsplit
0x7EA1D46F = pss_prng_fill
0x7F7610EE = pthread_cond_timedwait
0x7FFBD866 = pss_nanosleep
0x8148B339 = monoeg_g_direct_equal
0x828CA4F4 = monoeg_g_markup_parse_context_free
0x84305AEE = monoeg_g_string_append
0x85453290 = monoeg_g_build_path
0x86CE8C7D = pss_net_listen
0x87433486 = monoeg_g_strchug
0x8774E2F3 = pthread_cleanup_push_
0x88496636 = pss_get_prng_provider
0x88C5C1DC = pthread_equal
0x8CAF3F55 = monoeg_g_string_free
0x8CBE093B = monoeg_g_hash_table_lookup_extended
0x8D16FC46 = monoeg_g_queue_pop_head
0x8E19519B = monoeg_g_log_set_always_fatal
0x8FA807B1 = monoeg_realloc
0x8FF97526 = monoeg_g_hash_table_iter_init
0x8FFCD9A4 = pss_net_resolver_create
0x9067DA1C = monoeg_g_string_append_printf
0x91944CB3 = monoeg_g_shell_quote
0x91EF3384 = monoeg_g_slist_find
0x92AB54A3 = pss_net_getsockname
0x931C06A1 = monoeg_g_hash_table_destroy
0x9324F0E1 = monoeg_g_hash_table_foreach_steal
0x93FF7030 = monoeg_g_get_user_name
0x96D0944D = monoeg_g_slist_insert_sorted
0x96D8FAE6 = pss_net_init
0x971CB35B = pss_usb_transport_connect
0x97F0181A = environ
0x980BB6C3 = monoeg_g_strerror
0x98E48D48 = pss_get_ticks_since_111
0x9A2906FE = __moddi3
0x9CB8D947 = monoeg_g_ptr_array_remove_index_fast
0x9D0017DA = monoeg_g_timer_elapsed
0x9E6BFE8B = monoeg_g_setenv
0x9E82ACA3 = monoeg_g_slist_last
0xA0D78B57 = monoeg_assertion_message
0xA1F2C7E0 = monoeg_g_hash_table_iter_next
0xA201DB2A = pss_io_close
0xA3BAF580 = monoeg_g_str_has_prefix
0xA53BD200 = monoeg_g_list_nth_data
0xA59B6183 = monoeg_try_malloc
0xA7042BC2 = monoeg_g_strdup_vprintf
0xA7992EEF = pthread_key_delete
0xA7A44394 = monoeg_g_printerr
0xA9AD9AEF = monoeg_g_hash_table_lookup
0xAA813145 = monoeg_g_slist_prepend
0xAA9C90DE = monoeg_g_find_program_in_path
0xACA22DB3 = monoeg_g_string_printf
0xACC0E109 = monoeg_g_logv
0xAF972DF7 = pss_io_write
0xB1006CCC = monoeg_try_realloc
0xB1550CDA = monoeg_g_strconcat
0xB18343A4 = pss_net_epoll_create
0xB27101E2 = monoeg_g_convert
0xB34921E5 = pss_net_gethostname
0xB3C99F9F = monoeg_g_timer_new
0xB4610791 = monoeg_g_utf16_to_utf8
0xB468C313 = pss_code_mem_free
0xB46F9AEC = pss_net_getpeername
0xB5135219 = pss_getpagesize
0xB52FC668 = monoeg_g_list_find
0xB6243709 = monoeg_g_get_current_dir
0xB635E419 = pss_net_connect
0xB673FE93 = pss_io_rename
0xB8A330FA = monoeg_g_filename_to_uri
0xB90F817A = pthread_join
0xB9A41171 = pss_signal_semaphore
0xB9C960E3 = monoeg_g_spawn_async_with_pipes
0xB9EFB986 = pss_free_raw
0xBBCF4B04 = pss_free_prng_provider
0xBC46D569 = pss_usb_transport_recv
0xBD7EAD04 = pthread_mutex_init
0xBE8FF7BE = pss_get_ticks_64
0xBEA8F2D8 = pss_net_getsockopt
0xC15FBB62 = monoeg_g_list_sort
0xC1F77924 = g_file_vita_get_full_path
0xC23C4881 = monoeg_g_hash_table_foreach
0xC3BE1A9A = monoeg_g_snprintf
0xC4178ED9 = monoeg_g_slist_foreach
0xC42D2F9E = pss_suspend_thread
0xC551D9F7 = monoeg_g_ptr_array_remove_fast
0xC653C249 = g_ascii_strcasecmp
0xC80A22F9 = monoeg_g_utf8_validate
0xC9DBA402 = __divdi3
0xCA6DB761 = monoeg_g_log
0xCAAB6479 = monoeg_g_markup_parse_context_parse
0xCAB1666C = pss_net_socket
0xCBB5464C = pthread_create
0xCC79246F = pthread_key_create
0xCF8DCED3 = monoeg_g_file_test
0xCFFBBBF8 = pss_net_epoll_destroy
0xD172A1F6 = __aeabi_unwind_cpp_pr0
0xD1E93EEF = pss_net_bind
0xD2A744DF = pthread_mutexattr_settype
0xD2C1FCA7 = monoeg_g_timer_stop
0xD3F85D07 = pss_net_accept
0xD3FED467 = pss_net_setsockopt
0xD479D238 = pthread_vita_tls_get_np
0xD48BC6B5 = pss_net_ntohs
0xD67BC7AB = pss_code_mem_initialize
0xD7F019CF = __udivdi3
0xD8811B19 = monoeg_g_direct_hash
0xDB1AD82A = monoeg_g_filename_from_utf8
0xDB4852CA = monoeg_g_ptr_array_add
0xDE912E45 = monoeg_g_string_append_len
0xDEDBF700 = pss_net_shutdown
0xDF2BE54B = pss_supports_fast_tls
0xDFA458D2 = monoeg_g_list_length
0xDFAF1FB3 = pss_net_send
0xE05B869F = monoeg_g_list_delete_link
0xE1DE206E = pthread_self
0xE319844D = monoeg_g_slist_nth
0xE65366F3 = pss_gettimeofday
0xE84A2EED = monoeg_g_locale_from_utf8
0xE9C00064 = pss_io_mkdir
0xEA977352 = pss_io_open
0xEB44087F = pthread_mutex_lock
0xEB6A82FC = monoeg_g_list_alloc
0xEBF04548 = monoeg_g_set_prgname
0xEC94BFCF = pss_get_ticks_32
0xED99821B = pthread_setspecific
0xEDCCA472 = monoeg_g_array_insert_vals
0xF1985656 = monoeg_g_slist_reverse
0xF33D87CE = pthread_attr_setstacksize
0xF357A07C = monoeg_g_markup_parse_context_end_parse
0xF466ABEC = pss_code_mem_alloc
0xF52A345B = pthread_mutex_trylock
0xF5C20E95 = monoeg_g_ascii_tolower
0xF6A02E4F = monoeg_g_list_foreach
0xF6BEC9D3 = monoeg_g_get_charset
0xF745BBBD = monoeg_g_slist_delete_link
0xF7FB1E6F = pss_usb_transport_close1
0xF8DDBAF5 = pss_net_ntohl
0xF90E4DD2 = pss_getpid
0xF981589B = pss_set_win32_filetime
0xF9A3EF51 = monoeg_g_strjoin
0xFABF5E38 = monoeg_g_hash_table_new_full
0xFBC177AA = pss_usb_transport_send
0xFD3EF366 = pss_net_htons
0xFF10AAE9 = __udivsi3
0xFF75E8C2 = monoeg_g_slist_free_1
Davee
Guru
Posts: 278
Joined: Mon Jan 10, 2011 1:24 am

Re: Finding the memory layout of the vita?

Post by Davee »

Those aren't memory addresses, they are NIDs (Name IDentification(?)). Addresses are resolved at runtime to the correct process space address or syscall.
Follow me on twitter: @DaveeFTW
yifanlu
Guru
Posts: 760
Joined: Sun Mar 11, 2012 6:42 am

Re: Finding the memory layout of the vita?

Post by yifanlu »

Davee wrote:Those aren't memory addresses, they are NIDs (Name IDentification(?)). Addresses are resolved on runtime to the correct process space address or syscall.
Then I'm an idiot :oops: I should have realized that those "addresses" span way too much and have no particular order (usually functions from one object are next to each other)

Ignore my post then.
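The two posts above give a practitioner's sanity check that is worth making mechanical: values that are really linker-resolved function addresses from one library sit close together in the address space and are 4-byte aligned (ARM-mode code), whereas 32-bit name hashes are spread uniformly and are aligned only about one time in four. The script below is an added example written for this thread; it is not code from any post here nor from Sony's Mono bridge. It parses the IDA absolute-symbol dump quoted above (a subset of its lines is embedded, copied from that listing), rebuilds the value-sorted list that was produced by hand, and then runs both checks against the listing and against a constructed table of what an already-linked function table would look like (its base 0x81000000 is an arbitrary placeholder, not a real Vita address; the 0.9 thresholds are heuristic choices).

```python
"""Telling linker-resolved addresses from NID-style hashes in a stub listing.

Added example for this thread; not code from any post here nor from Sony's
Mono bridge. Parses the IDA "absolute symbols" dump quoted above (a subset of
its lines is embedded below, copied from that listing), rebuilds the
value-sorted list that was produced by hand, and applies two cheap checks that
separate addresses from identifiers:
  * code addresses from one library cluster in one region of the address
    space, whereas 32-bit hashes are spread uniformly over it;
  * ARM-mode function addresses are 4-byte aligned, whereas hashes are
    aligned only about one time in four (Thumb entry points are odd instead).
"""
import re
from collections import Counter

# Subset of the listing quoted above (copied from the post, not constructed).
LISTING = """\
abs:00000004 ; Segment type: Absolute symbols
abs:00000004 _NID_pss_alloc_mem = 0x1A2E441F
abs:00000008 _NID_pss_alloc_raw = 0x599AEA5E
abs:0000000C _NID_pss_code_mem_alloc = 0xF466ABEC
abs:00000010 _NID_pss_code_mem_flush_icache = 0x110F567B
abs:00000014 _NID_pss_code_mem_free = 0xB468C313
abs:00000018 _NID_pss_code_mem_initialize = 0xD67BC7AB
abs:0000001C _NID_pss_code_mem_lock = 0x53D03181
abs:00000020 _NID_pss_code_mem_terminate = 0x6899C39C
abs:00000024 _NID_pss_code_mem_unlock = 0x50E8F8FF
abs:00000028 _NID_pss_crypto_close = 0x37483E03
abs:0000002C _NID_pss_crypto_fread = 0x184E21BC
abs:00000030 _NID_pss_crypto_open = 0x6B4125E4
abs:00000034 _NID_pss_crypto_read = 0x32BA8444
abs:00000038 _NID_pss_create_semaphore = 0x5F969729
abs:0000003C _NID_pss_delay_thread = 0x18524DD
abs:00000040 _NID_pss_delete_semaphore = 0x6148DE4D
abs:00000498
abs:00000498                 END
"""

# One IDA absolute-symbol line: "abs:<offset> _NID_<name> = 0x<value>".
_ABS_RE = re.compile(r"^abs:[0-9A-Fa-f]{8}\s+_NID_(\S+)\s*=\s*0x([0-9A-Fa-f]+)\s*$")


def parse_abs_listing(text):
    """Return [(name, value)] in listing order, skipping header and END lines."""
    entries = []
    for line in text.splitlines():
        m = _ABS_RE.match(line)
        if m:
            entries.append((m.group(1), int(m.group(2), 16)))
    return entries


def by_value(entries):
    """(value, name) pairs sorted by value: the 'cleaned up' list from the thread."""
    return sorted((value, name) for name, value in entries)


def format_by_value(entries):
    """Render the value-sorted list in the same '0x... = name' shape as the post."""
    return "\n".join(f"0x{value:08X} = {name}" for value, name in by_value(entries))


def table_stats(values):
    """Spread and alignment statistics of a table of 32-bit values."""
    n = len(values)
    regions = Counter(v >> 24 for v in values)  # 16 MiB buckets by top byte
    return {
        "count": n,
        "span": max(values) - min(values),
        # share of values in the single most populated 16 MiB region
        "cluster_fraction": regions.most_common(1)[0][1] / n,
        # share of values that are 4-byte aligned like ARM-mode code
        "aligned_fraction": sum(1 for v in values if v & 3 == 0) / n,
    }


def looks_like_addresses(values, min_cluster=0.9, min_aligned=0.9):
    """True if the table is consistent with linked ARM-mode function addresses."""
    stats = table_stats(values)
    return (stats["cluster_fraction"] >= min_cluster
            and stats["aligned_fraction"] >= min_aligned)


# Constructed contrast case: a table as it would look once a linker had
# resolved sixteen 64-byte-spaced functions of one library. The base
# 0x81000000 is an arbitrary placeholder, not a real Vita address.
FAKE_LINKED_TABLE = [0x81000000 + 0x40 * i for i in range(16)]


if __name__ == "__main__":
    entries = parse_abs_listing(LISTING)
    print(format_by_value(entries))
    nids = [value for _, value in entries]
    print("listing:", table_stats(nids), looks_like_addresses(nids))
    print("linked :", table_stats(FAKE_LINKED_TABLE), looks_like_addresses(FAKE_LINKED_TABLE))
```

Running it prints the value-sorted list (its first line is 0x018524DD = pss_delay_thread, matching the hand-made list above) and the statistics for both tables: the sixteen listing values land in sixteen different 16 MiB regions with only 5 of 16 four-byte aligned, so they are rejected as addresses, while the constructed linked table sits in one region and is fully aligned. Thumb-mode entry points carry bit 0 set, so for a Thumb-only library test for odd values instead of 4-byte alignment; the clustering test needs no such adjustment and keeps working even when ASLR makes the base unknown, since it only asks whether the values sit near each other.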
m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: Finding the memory layout of the vita?

Post by m0skit0 »

Yes, those are not addresses, as Davee correctly points out. I doubt the Mono VM would have the system function addresses hardcoded, since those system calls are most likely relocatable and thus will not always reside at the same address. The Mono VM itself is most likely also a relocatable executable.
I wanna lots of mov al,0xb
"just not into this RA stuffz"
uwee
Posts: 1
Joined: Sat Aug 18, 2012 8:35 pm

Re: Finding the memory layout of the vita?

Post by uwee »

Sorry to dig up a semi-old thread, but it's on topic. I was doing some reading and came across these posts. They talk about figuring out the memory layout for the DSi based off information gathered from the Wii.

http://scanlime.org/2009/09/dsi-ram-tracing/
http://hackmii.com/2009/09/dsi-ram-hax/