Difference between revisions of "CRO0"
Jump to navigation
Jump to search
| Line 80: | Line 80: | ||
| 0xD0 | | 0xD0 | ||
| 0x04 | | 0x04 | ||
| − | | Export Table | + | | Named Export Table offset |
|- | |- | ||
| 0xD4 | | 0xD4 | ||
| 0x04 | | 0x04 | ||
| − | | Export Table | + | | Named Export Table num (size = num * 8) |
|- | |- | ||
| 0xD8 | | 0xD8 | ||
| 0x04 | | 0x04 | ||
| − | | Export Table | + | | Indexed Export Table offset |
|- | |- | ||
| 0xDC | | 0xDC | ||
| 0x04 | | 0x04 | ||
| − | | Export Table | + | | Indexed Export Table num (size = num * 4) |
|- | |- | ||
| 0xE0 | | 0xE0 | ||
| Line 104: | Line 104: | ||
| 0xE8 | | 0xE8 | ||
| 0x04 | | 0x04 | ||
| − | | Export Tree offset (fast lookups based on | + | | Export Tree offset (fast lookups based on a trie-like structure) |
|- | |- | ||
| 0xEC | | 0xEC | ||
| Line 128: | Line 128: | ||
| 0x100 | | 0x100 | ||
| 0x04 | | 0x04 | ||
| − | | Import Table | + | | Named Import Table offset |
|- | |- | ||
| 0x104 | | 0x104 | ||
| 0x04 | | 0x04 | ||
| − | | Import Table | + | | Named Import Table num (size = num * 8) |
|- | |- | ||
| 0x108 | | 0x108 | ||
| 0x04 | | 0x04 | ||
| − | | Import Table | + | | Indexed Import Table offset |
|- | |- | ||
| 0x10C | | 0x10C | ||
| 0x04 | | 0x04 | ||
| − | | Import Table | + | | Indexed Import Table num (size = num * 8) |
|- | |- | ||
| 0x110 | | 0x110 | ||
| 0x04 | | 0x04 | ||
| − | | Import Table | + | | Anonymous Import Table offset |
|- | |- | ||
| 0x114 | | 0x114 | ||
| 0x04 | | 0x04 | ||
| − | | Import Table | + | | Anonymous Import Table num (size = num * 8) |
|- | |- | ||
| 0x118 | | 0x118 | ||
| Line 212: | Line 212: | ||
| 0x8 | | 0x8 | ||
| 0x4 | | 0x4 | ||
| − | | Segment id (0, 1, 2..) | + | | Segment id (0 = .text, 1 = .rodata, 2 = .data, 3 = .bss) |
|} | |} | ||
| − | Export Table entry (8 bytes) | + | Named Export Table entry (8 bytes) |
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
! Offset | ! Offset | ||
| Line 230: | Line 230: | ||
|} | |} | ||
| − | Import Table entry (8 bytes) | + | Named Import Table entry (8 bytes) |
{| class="wikitable" border="1" | {| class="wikitable" border="1" | ||
! Offset | ! Offset | ||
| Line 265: | Line 265: | ||
| 0x6 | | 0x6 | ||
| 0x1 | | 0x1 | ||
| − | | 1 is written to | + | | 1 is written to first entry if all symbols loaded successfully. |
|- | |- | ||
| 0x7 | | 0x7 | ||
| Line 288: | Line 288: | ||
The first hash-table entry hashes the 0x100-byte header following the hash-table. The following hash-table entries hash the sections specified in the header. | The first hash-table entry hashes the 0x100-byte header following the hash-table. The following hash-table entries hash the sections specified in the header. | ||
| − | When the RO module loads the entire CRO into process memory(mapped in the 0x00100000-0x04000000 region), it modifies the mapped CRO data. The magic field is also changed to "FIXD". | + | When the RO module loads the entire CRO into process memory(mapped in the 0x00100000-0x04000000 region), it modifies the mapped CRO data. The magic field is also changed to "FIXD" if fix level is not 0. |
Upon loading, the RO module will look for symbol "__aeabi_atexit" or "nnroAeabiAtexit_". | Upon loading, the RO module will look for symbol "__aeabi_atexit" or "nnroAeabiAtexit_". | ||
For dumping symbols and loading a CRO into IDA, see [https://github.com/plutooo/ctr/]. | For dumping symbols and loading a CRO into IDA, see [https://github.com/plutooo/ctr/]. | ||
Revision as of 20:37, 23 July 2016
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x80 | SHA-256 hash-table, verified by CRR |
| 0x80 | 0x04 | Magic "CRO0" |
| 0x84 | 0x04 | Name offset |
| 0x88 | 0x04 | Next loaded CRO pointer, set by RO during loading (Usually zero when the CRO is being loaded) |
| 0x8C | 0x04 | Previous loaded CRO pointer, set by RO during loading |
| 0x90 | 0x04 | File size |
| 0x94 | 0x10 | Unknown |
| 0xA4 | 0x04 | "Segment offset" for "OnLoad" function, which will be called when the module is initialized. Set to 0xFFFFFFFF if not exists. |
| 0xA8 | 0x04 | "Segment offset" for "OnExit" function, which will be called when the module is finalized. Set to 0xFFFFFFFF if not exists. |
| 0xAC | 0x04 | "Segment offset" for "OnUnresolved" function, which will be called when an unresolved function is called. Set to 0xFFFFFFFF if not exists. |
| 0xB0 | 0x04 | Code offset |
| 0xB4 | 0x04 | Code size |
| 0xB8 | 0x04 | unk1 offset |
| 0xBC | 0x04 | unk1 size |
| 0xC0 | 0x04 | Module Name offset |
| 0xC4 | 0x04 | Module Name size |
| 0xC8 | 0x04 | Segment Table offset |
| 0xCC | 0x04 | Segment Table num (size = num*12) |
| 0xD0 | 0x04 | Named Export Table offset |
| 0xD4 | 0x04 | Named Export Table num (size = num * 8) |
| 0xD8 | 0x04 | Indexed Export Table offset |
| 0xDC | 0x04 | Indexed Export Table num (size = num * 4) |
| 0xE0 | 0x04 | Export Strings offset |
| 0xE4 | 0x04 | Export Strings size |
| 0xE8 | 0x04 | Export Tree offset (fast lookups based on a trie-like structure) |
| 0xEC | 0x04 | Export Tree num (size = num * 8) |
| 0xF0 | 0x04 | Import Modules offset |
| 0xF4 | 0x04 | Import Modules num (size = num * 20) |
| 0xF8 | 0x04 | Import Patches offset |
| 0xFC | 0x04 | Import Patches num (size = num * 12) |
| 0x100 | 0x04 | Named Import Table offset |
| 0x104 | 0x04 | Named Import Table num (size = num * 8) |
| 0x108 | 0x04 | Indexed Import Table offset |
| 0x10C | 0x04 | Indexed Import Table num (size = num * 8) |
| 0x110 | 0x04 | Anonymous Import Table offset |
| 0x114 | 0x04 | Anonymous Import Table num (size = num * 8) |
| 0x118 | 0x04 | Import Strings offset |
| 0x11C | 0x04 | Import Strings size |
| 0x120 | 0x04 | unk8 offset |
| 0x124 | 0x04 | unk8 num |
| 0x128 | 0x04 | Relocation Patches offset |
| 0x12C | 0x04 | Relocation Patches num (size = num * 12) |
| 0x130 | 0x04 | unk9 offset |
| 0x134 | 0x04 | unk9 num |
Segment offset (4 bytes)
| Bits | Description |
|---|---|
| 0-3 | Segment index for table |
| 4-31 | Offset into segment |
Segment Table entry (12 bytes)
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x4 | Segment offset |
| 0x4 | 0x4 | Segment size |
| 0x8 | 0x4 | Segment id (0 = .text, 1 = .rodata, 2 = .data, 3 = .bss) |
Named Export Table entry (8 bytes)
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x4 | Name offset |
| 0x4 | 0x4 | "Segment offset" for export |
Named Import Table entry (8 bytes)
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x4 | Name offset |
| 0x4 | 0x4 | Offset of the head of a linear list that contains the patches for this import |
Patch entry (12 bytes)
| Offset | Size | Description |
|---|---|---|
| 0x0 | 0x4 | "Segment offset" for output. |
| 0x4 | 0x1 | Patch type (0=nothing/ignore, 2=38=write u32 absolute (base+X), 3=write u32 relative (base+X-in_ptr), 10=THUMB branch, 28=ARM32 branch, 29=modify ARM32 branch offset, 42=write u32 relative (((signed int)base*2)/2+X-in_ptr), otherwise err) |
| 0x5 | 0x1 | Non-zero if last entry. |
| 0x6 | 0x1 | 1 is written to first entry if all symbols loaded successfully. |
| 0x7 | 0x1 | Unknown |
| 0x8 | 0x4 | X (00's in file, probably set by dynamic linker) |
ARM32 branch instruction is constructed as follows:
If X > 0x2000000 or X < 0xFE000000, then skip. If (X&1) == 1 then write "b +4" (nop). Else write as normal.
CRO with extension .cro is used for "DLLs". CRS with extension .crs can be used for storing "DLL" symbols as well. The end of the file is aligned to a 0x1000-byte boundary with 0xCC bytes. CRO0 files are usually stored under "romfs:/cro/".
The first hash-table entry hashes the 0x100-byte header following the hash-table. The following hash-table entries hash the sections specified in the header.
When the RO module loads the entire CRO into process memory(mapped in the 0x00100000-0x04000000 region), it modifies the mapped CRO data. The magic field is also changed to "FIXD" if fix level is not 0.
Upon loading, the RO module will look for symbol "__aeabi_atexit" or "nnroAeabiAtexit_".
For dumping symbols and loading a CRO into IDA, see [1].