Want to Join Us ?

you'll be able to discuss, share and send private messages.

section labels?

Discussion in 'Reverse engineering' started by Rip Cord, Sep 27, 2014.

Share This Page

  1. Rip Cord

    Administrator Staff Member Admin Developer

    While reversing a ps3 game elf, ida displayed some unusual section labels. Is this just garbage?
    elf extracted with scetool:
    Code (Text):
    gow.i64
    seg013:00000000004F7680
    seg013:00000000004F7680 # Segment type: Pure data
    seg013:00000000004F7680              .section "seg013"
    seg013:00000000004F7680              .byte  0
    seg013:00000000004F7681              .byte  0
    seg013:00000000004F7682              .byte  0
    seg013:00000000004F7683              .byte 0x20
    seg013:00000000004F7684              .byte 0x13
    seg013:00000000004F7685              .byte 0xBC # +
    seg013:00000000004F7686              .byte 0xC5 # +
    seg013:00000000004F7687              .byte 0xF6 # ÷
    same elf extracted with self dissector and hex editor:
    Code (Text):

    gow_dissected.i64
     
    __V#_<____?_____W_I_____9_02_______Ca_z:z________m;0,_`_/_fKf_r)______{________=___t_eb,__mD__V_Y__x__z5V_x____]_QR______o__*_z_^:@__`_?:00000000004F7680 # ===========================================================================
    __V#_<____?_____W_I_____9_02_______Ca_z:z________m;0,_`_/_fKf_r)______{________=___t_eb,__mD__V_Y__x__z5V_x____]_QR______o__*_z_^:@__`_?:00000000004F7680
    __V#_<____?_____W_I_____9_02_______Ca_z:z________m;0,_`_/_fKf_r)______{________=___t_eb,__mD__V_Y__x__z5V_x____]_QR______o__*_z_^:@__`_?:00000000004F7680 # Segment type: Pure data
    __V#_<____?_____W_I_____9_02_______Ca_z:z________m;0,_`_/_fKf_r)______{________=___t_eb,__mD__V_Y__x__z5V_x____]_QR______o__*_z_^:@__`_?:00000000004F7680                .section "__V#_<____?_____W_I_____9_02_______Ca_z:z________m;0,_`_/_fKf_r)______{________=___t_eb,__mD__V_Y__x__z5V_x____]_QR______o__*_z_^:@__`_?"
    __V#_<____?_____W_I_____9_02_______Ca_z:z________m;0,_`_/_fKf_r)______{________=___t_eb,__mD__V_Y__x__z5V_x____]_QR______o__*_z_^:@__`_?:00000000004F7680                .byte  0
    __V#_<____?_____W_I_____9_02_______Ca_z:z________m;0,_`_/_fKf_r)______{________=___t_eb,__mD__V_Y__x__z5V_x____]_QR______o__*_z_^:@__`_?:00000000004F7681                .byte  0
    __V#_<____?_____W_I_____9_02_______Ca_z:z________m;0,_`_/_fKf_r)______{________=___t_eb,__mD__V_Y__x__z5V_x____]_QR______o__*_z_^:@__`_?:00000000004F7682                .byte  0
    __V#_<____?_____W_I_____9_02_______Ca_z:z________m;0,_`_/_fKf_r)______{________=___t_eb,__mD__V_Y__x__z5V_x____]_QR______o__*_z_^:@__`_?:00000000004F7683                .byte 0x20
    __V#_<____?_____W_I_____9_02_______Ca_z:z________m;0,_`_/_fKf_r)______{________=___t_eb,__mD__V_Y__x__z5V_x____]_QR______o__*_z_^:@__`_?:00000000004F7684                .byte 0x13
    __V#_<____?_____W_I_____9_02_______Ca_z:z________m;0,_`_/_fKf_r)______{________=___t_eb,__mD__V_Y__x__z5V_x____]_QR______o__*_z_^:@__`_?:00000000004F7685                .byte 0xBC # +
    __V#_<____?_____W_I_____9_02_______Ca_z:z________m;0,_`_/_fKf_r)______{________=___t_eb,__mD__V_Y__x__z5V_x____]_QR______o__*_z_^:@__`_?:00000000004F7686                .byte 0xC5 # +
    __V#_<____?_____W_I_____9_02_______Ca_z:z________m;0,_`_/_fKf_r)______{________=___t_eb,__mD__V_Y__x__z5V_x____]_QR______o__*_z_^:@__`_?:00000000004F7687                .byte 0xF6 # ÷
     
    the elfs are the exact same size, only difference is that scetool zero fills the area between sections when it extracts the elf.
    encrypted sections are not adjacent:
    Code (Text):

    [*] Metadata Section Headers:
    Idx Offset   Size    Type Index Hashed SHA1 Encrypted Key IV Compressed
    000 00000980 004E76E0 02   00   [YES]  00   [YES]    06  07 [NO ]
    001 004F0980 000430C0 02   01   [YES]  08   [YES]    0E  0F [NO ]
    beginning of area zero filled by scetool:
    gow.elf
    Code (Text):

    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    004E7680  00 00 00 20 13 BC C5 F6 00 00 90 00 00 31 00 01  ... .¼Åö.....1..
    004E7690  00 00 03 E8 00 01 00 00 00 10 00 00 00 00 00 00  ...è............
    004E76A0  00 00 00 40 1B 43 4C EC 00 00 00 04 00 31 00 01  ...@.CLì.....1..
    004E76B0  00 3C AB BC 00 3C AB BC 00 3C AB C4 00 3C AE 00  .<«¼.<«¼.<«Ä.<®.
    004E76C0  01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    004E76D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    004E76E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    004E76F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    004E7700  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    004E7710  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    004E7720  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    004E7730  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    gow_dissected.elf
    Code (Text):

    Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
    004E7680  00 00 00 20 13 BC C5 F6 00 00 90 00 00 31 00 01  ... .¼Åö.....1..
    004E7690  00 00 03 E8 00 01 00 00 00 10 00 00 00 00 00 00  ...è............
    004E76A0  00 00 00 40 1B 43 4C EC 00 00 00 04 00 31 00 01  ...@.CLì.....1..
    004E76B0  00 3C AB BC 00 3C AB BC 00 3C AB C4 00 3C AE 00  .<«¼.<«¼.<«Ä.<®.
    004E76C0  01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    004E76D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    004E76E0  BC 3F 7A 48 AF 45 EF 28 3A 05 98 10 3F E8 79 3A  ¼?zH¯Eï(:.˜.?èy:
    004E76F0  DA 48 D5 2C 75 E5 4D 70 57 A4 1E B5 AE 32 16 6E  ÚHÕ,uåMpW¤.µ®2.n
    004E7700  57 5C 26 D6 4F C4 90 0B 9A 87 4F 85 43 68 76 CA  W\&ÖOÄ..š‡O…ChvÊ
    004E7710  8B E0 0F FD 68 EB 4B DE E0 2D 3F 4E 8D 02 CE A2  ‹à.ýhëKÞà-?N..΢
    004E7720  37 A5 16 9A CC 90 1F F5 5A C7 CD 98 4F AC CC E9  7¥.šÌ..õZÇ͘O¬Ìé
    004E7730  41 65 72 29 DC 98 4F 49 37 A2 9F 4E 65 D1 22 A7  Aer)ܘOI7¢ŸNeÑ"§
     
  2. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    Code (Text):
    gow_dissected.i64
     
    __V#_<____?_____W_I_____9_02_______Ca_z:z________m;0,_`_/_fKf_r)______{________=___t_eb,__mD__V_Y__x__z5V_x____]_QR______o__*_z_^:@__`_?:00000000004F7680 # ===========================================================================
    __V#_<____?_____W_I_____9_02_______Ca_z:z________m;0,_`_/_fKf_r)______{________=___t_eb,__mD__V_Y__x__z5V_x____]_QR______o__*_z_^:@__`_?:00000000004F7680
    __V#_<____?_____W_I_____9_02_______Ca_z:z________m;0,_`_/_fKf_r)______{________=___t_eb,__mD__V_Y__x__z5V_x____]_QR______o__*_z_^:@__`_?:00000000004F7680 # Segment type: Pure data
    __V#_<____?_____W_I_____9_02_______Ca_z:z________m;0,_`_/_fKf_r)______{________=___t_eb,__mD__V_Y__x__z5V_x____]_QR______o__*_z_^:@__`_?:00000000004F7680               .section "__V#_<____?_____W_I_____9_02_______Ca_z:z________m;0,_`_/_fKf_r)______{________=___t_eb,__mD__V_Y__x__z5V_x____]_QR______o__*_z_^:@__`_?"
    __V#_<____?_____W_I_____9_02_______Ca_z:z________m;0,_`_/_fKf_r)______{________=___t_eb,__mD__V_Y__x__z5V_x____]_QR______o__*_z_^:@__`_?:00000000004F7680               .byte  0
    __V#_<____?_____W_I_____9_02_______Ca_z:z________m;0,_`_/_fKf_r)______{________=___t_eb,__mD__V_Y__x__z5V_x____]_QR______o__*_z_^:@__`_?:00000000004F7681               .byte  0
    __V#_<____?_____W_I_____9_02_______Ca_z:z________m;0,_`_/_fKf_r)______{________=___t_eb,__mD__V_Y__x__z5V_x____]_QR______o__*_z_^:@__`_?:00000000004F7682               .byte  0
    __V#_<____?_____W_I_____9_02_______Ca_z:z________m;0,_`_/_fKf_r)______{________=___t_eb,__mD__V_Y__x__z5V_x____]_QR______o__*_z_^:@__`_?:00000000004F7683               .byte 0x20
    __V#_<____?_____W_I_____9_02_______Ca_z:z________m;0,_`_/_fKf_r)______{________=___t_eb,__mD__V_Y__x__z5V_x____]_QR______o__*_z_^:@__`_?:00000000004F7684               .byte 0x13
    __V#_<____?_____W_I_____9_02_______Ca_z:z________m;0,_`_/_fKf_r)______{________=___t_eb,__mD__V_Y__x__z5V_x____]_QR______o__*_z_^:@__`_?:00000000004F7685               .byte 0xBC # +
    __V#_<____?_____W_I_____9_02_______Ca_z:z________m;0,_`_/_fKf_r)______{________=___t_eb,__mD__V_Y__x__z5V_x____]_QR______o__*_z_^:@__`_?:00000000004F7686               .byte 0xC5 # +
    __V#_<____?_____W_I_____9_02_______Ca_z:z________m;0,_`_/_fKf_r)______{________=___t_eb,__mD__V_Y__x__z5V_x____]_QR______o__*_z_^:@__`_?:00000000004F7687               .byte 0xF6 # ÷
     
    the same type of labels are in the ps3swu.elf in the update pup.
    And are also seens in the BDMV.elf if i remmember correct.

    Not sure why it shows as a mile long string, maybe its due to special compiler uses, or maybe embedded code.
     
    Rip Cord likes this.
  3. Rip Cord

    Administrator Staff Member Admin Developer

    would have been nice if they were mangled function names
     
Top