Are loaded modules on 3.60 obfuscated?

Posted: Thu Aug 25, 2016 2:52 am
by 173210
Hi! Now I'm facing a problem.

https://github.com/173210/vita-analyze/ ... 47430574b6
This tool has almost the same functionality as vitadump, but it is
intended to be compatible with various tools which can handle ELF. So it
is for poor people who cannot afford to buy IDA Pro.

Unfortunately, it doesn't give any correct results with dumps of modules
loaded on 3.61. As far as I can see, the export table and the import table
are intact, but library names, NIDs, and entry pointers look obfuscated.

Code:

$ readelf -s SceBgAppUtil.elf

Symbol table '.symtab' contains 15 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     0: 81097834    92 OBJECT  GLOBAL DEFAULT  UND module_info
     1: 81097715     0 THUMB_FUNC GLOBAL DEFAULT  UND module_start
     2: 8109771d     0 THUMB_FUNC GLOBAL DEFAULT  UND module_stop
     3: 00000001     0 THUMB_FUNC GLOBAL DEFAULT  UND export_00000000
     4: 00000000     0 FUNC    GLOBAL DEFAULT  UND export_00000000
     5: cae9ace6     0 FUNC    GLOBAL DEFAULT  UND export_00000000
     6: 81097944     4 OBJECT  GLOBAL DEFAULT  UND export_00050034
     7: 00000000     4 OBJECT  GLOBAL DEFAULT  UND export_00020000
     8: 00000000     0 FUNC    GLOBAL DEFAULT  UND `y^I�xy^I�hy^I��y^I�_0000
     9: 00000000    16 FUNC    GLOBAL DEFAULT  UND ��\����y��4�x�l��$"l^Uw^I
    10: 7c3525b5    16 FUNC    GLOBAL DEFAULT  UND ��\����y��4�x�l��$"l^Uw^I
    11: 81097691    16 FUNC    GLOBAL DEFAULT  UND ��\����y��4�x�l��$"l^Uw^I
    12: 53656353    16 FUNC    GLOBAL DEFAULT  UND x�l��$"l^Uw^I�^Yw^I�^]w^I
    13: 6c6c6568    16 FUNC    GLOBAL DEFAULT  UND x�l��$"l^Uw^I�^Yw^I�^]w^I
    14: 00637653     0 OBJECT  GLOBAL DEFAULT  UND x�l��$"l^Uw^I�^Yw^I�^]w^I
Are they really obfuscated?
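
Added example, not part of the original post or of vita-analyze: a triage sketch that takes the Value column from the readelf output above and sorts each entry into image address, null, printable ASCII (read as a 32-bit little-endian word), or other. The "same upper 16 bits as module_info" region test and the function names are assumptions made for this illustration.

```python
import struct

# Value column copied from the readelf output in the post, in table order.
VALUES = [0x81097834, 0x81097715, 0x8109771d, 0x00000001, 0x00000000,
          0xcae9ace6, 0x81097944, 0x00000000, 0x00000000, 0x00000000,
          0x7c3525b5, 0x81097691, 0x53656353, 0x6c6c6568, 0x00637653]

def ascii_word(value):
    """Return the text if the word's little-endian bytes are printable
    ASCII (optionally NUL-padded at the end), else None."""
    raw = struct.pack("<I", value).rstrip(b"\x00")
    if raw and all(0x20 <= b < 0x7f for b in raw):
        return raw.decode("ascii")
    return None

def classify(value, ref):
    """Label one table entry. `ref` is a known-good address in the module;
    sharing its upper 16 bits is an assumed heuristic for 'inside the image'."""
    if value == 0:
        return "null"
    if value >> 16 == ref >> 16:
        return "image"
    if ascii_word(value) is not None:
        return "ascii"
    return "other"

def recover_strings(values):
    """Join runs of consecutive ASCII words into strings. A word shorter
    than four characters contained the NUL terminator and ends the run."""
    out, cur = [], ""
    for v in values:
        word = ascii_word(v)
        if word is None:
            if cur:
                out.append(cur)
                cur = ""
            continue
        cur += word
        if len(word) < 4:
            out.append(cur)
            cur = ""
    if cur:
        out.append(cur)
    return out

if __name__ == "__main__":
    ref = VALUES[0]  # module_info, which the post's output resolves sensibly
    for i, v in enumerate(VALUES):
        print(f"{i:2d} {v:08x} {classify(v, ref)}")
    print(recover_strings(VALUES))
```

Printable ASCII turning up where a pointer is expected usually means string data is being read as table entries, for example through an offset or struct-size mismatch, which is a different failure from scrambled contents.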