Hacking Getting symbols from arbitrary RPLs?

[BullyWiiPlaza]

I tried to get the function addresses from functions defined outside of coreinit.rpl (e.g. in a game's RPL) but getting their addresses does not work with the "usual way". It keeps returning an invalid address. Is there something I'm doing wrong or is it currently not possible?

JGecko U code snippet:

Connector.getInstance().connect("192.168.178.35");
        RemoteProcedureCall remoteProcedureCall = new RemoteProcedureCall();
        ExportedSymbol exportedSymbol = remoteProcedureCall.getSymbol("some-game.rpl",
                "some-function-from-it");
        System.out.println(new Hexadecimal(exportedSymbol.getAddress(), 8)); // Prints: 0023493C (which is invalid)
        Connector.getInstance().closeConnection();

It works fine with coreinit.rpl functions though:

Connector.getInstance().connect("192.168.178.35");
RemoteProcedureCall remoteProcedureCall = new RemoteProcedureCall();
ExportedSymbol exportedSymbol = remoteProcedureCall.getSymbol("coreinit.rpl",
    "OSGetSystemTime");
System.out.println(new Hexadecimal(exportedSymbol.getAddress(), 8)); // Prints: 0104337C (which is correct)
Connector.getInstance().closeConnection();

Thank you

 

[NexoCube]

sneaky sneaky

Are trying to get the function adresses while you are in the game (I think here, you are trying to get black ops 2 mp rpl), be sure you are in the multiplayer menu, if it doesn't work try to find some rpl/rpx related function in coreinit

 

[shinyquagsire23]

RPLs and RPXs are relocated at runtime, as long as the result isn't negative it should be valid.

 

[NexoCube]

RPLs and RPXs are relocated at runtime, as long as the result isn't negative it should be valid.

Yeah i think they are set in RAM (Random Access Memory) at runtime but i'm not sure

 

[BullyWiiPlaza]

RPLs and RPXs are relocated at runtime, as long as the result isn't negative it should be valid.

How to use the result then? 2 different functions both had the same address returned which is invalid, sorry...

 

[NWPlayer123]

How to use the result then? 2 different functions both had the same address returned which is invalid, sorry...

That means you probably need to pass isData as 1

 

[BullyWiiPlaza]

That means you probably need to pass isData as 1

That indeed produces a valid address now but it doesn't look right in memory: 0123493C
Again two different functions produce the same result.

 

[NWPlayer123]

That indeed produces a valid address now but it doesn't look right in memory: 0123493C
Again two different functions produce the same result.

it is, 01 is where all the libraries are in virtual, 0x01000000 to whatever, 0x01800000 in the browser ending at JIT, is that chunk for all system RPLs

 

[BullyWiiPlaza]

it is, 01 is where all the libraries are in virtual, 0x01000000 to whatever, 0x01800000 in the browser ending at JIT, is that chunk for all system RPLs

But I checked in the disassembler and it's not right

 

[BullyWiiPlaza]

Getting the symbol does NOT work. However, if you find the function address manually you can indeed call it using the RPC system. The offset between in-memory function addresses and the ones in IDA is constant