Getting symbols from arbitrary RPLs?

BullyWiiPlaza

I tried to get the function addresses from functions defined outside of coreinit.rpl (e.g. in a game's RPL) but getting their addresses does not work with the "usual way". It keeps returning an invalid address. Is there something I'm doing wrong or is it currently not possible?

JGecko U code snippet:
Code:
Connector.getInstance().connect("192.168.178.35");
RemoteProcedureCall remoteProcedureCall = new RemoteProcedureCall();
ExportedSymbol exportedSymbol = remoteProcedureCall.getSymbol("some-game.rpl",
    "some-function-from-it");
System.out.println(new Hexadecimal(exportedSymbol.getAddress(), 8)); // Prints: 0023493C (which is invalid)
Connector.getInstance().closeConnection();
It works fine with coreinit.rpl functions though:
Code:
Connector.getInstance().connect("192.168.178.35");
RemoteProcedureCall remoteProcedureCall = new RemoteProcedureCall();
ExportedSymbol exportedSymbol = remoteProcedureCall.getSymbol("coreinit.rpl",
    "OSGetSystemTime");
System.out.println(new Hexadecimal(exportedSymbol.getAddress(), 8)); // Prints: 0104337C (which is correct)
Connector.getInstance().closeConnection();
Thank you :)
Last edited by BullyWiiPlaza,
sneaky sneaky

Are you trying to get the function addresses while you are in the game? (I think here you are trying to get the Black Ops 2 MP RPL.) Be sure you are in the multiplayer menu; if it doesn't work, try to find some rpl/rpx related function in coreinit ;)
That indeed produces a valid address now but it doesn't look right in memory: 0123493C
Again two different functions produce the same result. :(
It is. 01 is where all the libraries are in virtual memory, 0x01000000 to whatever (0x01800000 in the browser, ending at the JIT); that chunk is for all system RPLs.
Getting the symbol does NOT work. However, if you find the function address manually you can indeed call it using the RPC system. The offset between in-memory function addresses and the ones in IDA is constant :)
Last edited by BullyWiiPlaza,
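Two checks a practitioner would want on top of the exchange above, as an added example that is not part of the thread or of JGecko U: flag lookup results that fall outside the 0x01000000-0x01800000 library range mentioned by sneaky sneaky or that share one address between two symbols (the symptom BullyWiiPlaza saw), and rebase IDA addresses by the constant offset from one manually verified pair. All addresses are constructed sample values except OSGetSystemTime, which the thread reports as 0x0104337C.

```python
# Added example, not JGecko U code. Sanity-check the addresses an RPL symbol
# lookup returns, then rebase IDA addresses by a constant offset.

# Virtual range quoted in the thread for system RPLs (a heuristic, not a
# complete memory map).
SYSTEM_RPL_START = 0x01000000
SYSTEM_RPL_END = 0x01800000


def check_symbols(symbols):
    """Return {name: [problems]} for a {name: address} mapping.

    Flags addresses outside the system-RPL range and addresses shared by
    more than one symbol (the "two functions, same address" smell).
    """
    problems = {name: [] for name in symbols}
    owners = {}
    for name, addr in symbols.items():
        owners.setdefault(addr, []).append(name)
        if not SYSTEM_RPL_START <= addr < SYSTEM_RPL_END:
            problems[name].append(
                "outside 0x%08X-0x%08X" % (SYSTEM_RPL_START, SYSTEM_RPL_END))
    for addr, names in owners.items():
        if len(names) > 1:
            for name in names:
                others = sorted(n for n in names if n != name)
                problems[name].append("same address as " + ", ".join(others))
    return problems


def rebase(ida_addr, ida_ref, mem_ref):
    """Map an IDA address to memory using one manually verified pair."""
    return ida_addr + (mem_ref - ida_ref)


if __name__ == "__main__":
    resolved = {  # constructed sample results from a symbol lookup
        "OSGetSystemTime": 0x0104337C,
        "game_func_a": 0x0123493C,
        "game_func_b": 0x0123493C,
        "game_func_c": 0x0023493C,
    }
    for name, issues in check_symbols(resolved).items():
        print("%-16s %s" % (name, "; ".join(issues) or "ok"))
    # Constructed IDA/memory pair for a game RPL; the offset is then constant.
    print("0x%08X" % rebase(0x02002340, ida_ref=0x02001000, mem_ref=0x0E001000))
```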