Advanced PPC Tutorial [PowerPC}

Modding Tutorials: Advanced [PowerPC]
Author: Bad Luck Brian
PowerPC Lessons
By: Bad Luck Brian


Download: http://adf.ly/rt6Z7


Powered by: Bad Luck Modders
Who are Bad Luck Modders [BLM*] ?
We are modders who mainly wants to teach anyone who is willing to learn about modding, Programming and reversing. We only have a Skype chat as of now and getting famous is not a priority nor is modding online.
Side note: I've learned most of what I know about PPC (PowerPC) using IDA and the Prodg debugger to understand what most of the instructions were doing and used IBM's site and Google to understand their meanings. Of course I might make some mistakes but the most important part will be there.
1
Modding Tutorials: Advanced [PowerPC]
Author: Bad Luck Brian
Table Of Contents
1.Presentation
2.Table Of Contents
3.Disclaimer
4.Requirements
5.Setting-up your PC
6.Variables
7.Set a variable
8.Jumping
9.Read in the memory 10. Write in the memory 11. Creating a Function
12. Creating a small Remote Procedure Call
13. Writing our PPC in the memory
14. Conclusion
2
Modding Tutorials: Advanced [PowerPC]
Author: Bad Luck Brian
Copyright Disclaimer Under Section 107 of the Copyright Act 1976, allowance is made for fair use for purposes such as criticism, comment, news reporting, teaching, scholarship, and research. Fair use is a use permitted by copyright statute that might otherwise be infringing. Non-profit, educational or personal use tips the balance in favor of fair use.
3
Modding Tutorials: Advanced [PowerPC]
Author: Bad Luck Brian
Requirements
Note: (Red: It's a must | Orange: Recommended | Green: Optional) Note2: These requirements are made so you can start modding after this tutorial.
1.COMMON SENSE (in other terms, use your brain..)
2.IDA PRO ADVANCED(With the PS3 plugins)
3.SN Systems tools (Prodg debugger and Target Manager)
4.A PS3 on DEX
5.Visual Studio | Or anything similar to compile your projects
6.Some programming skills
7.HxD Editor
8.A good understanding of how a computer works
9.Notepad++ (really useful)
I also recommend viewing this PDF in Google Chrome and using the zoom feature to view the images.
Some of the required files are included at the following link:
https://anonfiles.com/file/4bcbd74e16c3274 03cdb12e136010479
4
Modding Tutorials: Advanced [PowerPC]
Author: Bad Luck Brian
Setting up your PC (1/5)
NOTE: Everything in this tutorial will be made on Windows 8 using the update 1.13 of Call of Duty Ghosts. (It works with windows 7 too).
First of all you will need to install everything from this package. -Sn systems tools
-IDA PRO (you don't need to install it's portable) -Visual studio
-HxD Editor -Notepad++
This will require you to use your brain. I really hope you can install a few softwares without the need to be assisted. Just remember where you installed SN System and IDA.
NOTE: In IDA Pro there is a file named 'ida6x.dll' or something similar and it might show up as a virus or something. Just exclude it from your anti-virus or do everything in a virtual machine. Remember it's a cracked version.
My directories:
SN Systems:
C:\Program Files (x86)\SN Systems
IDA:
C:\Users\BLB\Desktop\modding\Coding\IDA
5

Modding Tutorials: Advanced [PowerPC]
Author: Bad Luck Brian
Setting up your PC (2/5)
Now that everything is installed we want to make it a bit more simple and faster to use.
Get an .elf file and right click on it, then select properties. Click on 'Open with' and select 'idaq.exe' in your IDA folder. This way you will be able to open .elf files directly with IDA.
Now open IDA and it should look like this(Don't mind the theme): Close every tabs except IDA-view and Hex-View so it will look like this:
6

Modding Tutorials: Advanced [PowerPC]
Author: Bad Luck Brian
Setting up your PC (3/5)
Now click on Windows > Save Desktop > Check 'default' and press OK. Now you can close IDA.
Now it's time to make a Modding folder/partition.
Personally i've made a dedicated partition for modding using diskmgmt. Google on how to make a partition. Else you can just make a folder.
Now go in your SN Systems files. It should be “C:\Program Files (x86)\SN Systems” by default. Then go in the PS3\bin folder and copy the ps3tmapi.dll and paste it into your modding folder. This way it will be easier to get it when needed to make files.
Now it's time to set up your PRODG debugger correctly. Load a game using a debug eboot and open up target manager. Add your target PS3 and open PRODG debugger, it should look like this.
7

Modding Tutorials: Advanced [PowerPC]
Author: Bad Luck Brian
Setting up your PC (4/5)
Now we want to close every tabs by going in Window > Close all. And exit every other tabs that stays open in prod debugger.
Now every tabs should be closed. Go in Window > New view. Add a tab for:
- Memory (Change the columns to 16) -Registers
-Breakpoints -Dissasembly
Here is my layout:
8

Modding Tutorials: Advanced [PowerPC]
Author: Bad Luck Brian
Setting up your PC (5/5)
I also like to change the colors of my windows in Prodg Debugger to make it easier to read/organize. To change the colors of a window just go in tools > Options > Fonts and colors.
Now close Prodg Debugger to make it save the layout.
That's it for the setting-up chapter of this tutorial.
9
Modding Tutorials: Advanced [PowerPC]
Author: Bad Luck Brian
Variables
Time to talk about the variables in PowerPC ! In C++ to declare a variable we do it like this:
int blb = 0x15;
In PowerPC we use registers. Those are the variables which can hold up to 8 bytes. We will mainly use the last 4 bytes.
There is 32 registers that we can use. (not counting the link register and count register etc)
r0: Mostly used for the link register r1: Stack pointer
r2: (read-only) We won't use it
r3: First argument of a function and also the 1st returned value from it ! r4: Second argument of a function and also the 2nd returned value from it ! r5-r10: Other parameters
r11-r31: General registers
Note:
r11: Used for syscalls r13: its the same as r2
There is also the link register which is really important since it's a pointer that tells the program where to go after finishing a function.
When a function is called, a link register is generated. This register will point to the address that called the function + 0x4. Why +0x4 ? Because each instructions is 4 bytes and the program has to return to the next line else it will make an infinite loop which will call the same function over and over...
Example:
0x00: bl NullSub
//call NullSub and the link register will be 0x04 (next line)
0x04: li r3, 0
//this will be executed after the function returns.
10

Modding Tutorials: Advanced [PowerPC]
Author: Bad Luck Brian
Set a variable(1/2)
So now we need to know how to use these variables right ? Else it's pretty much useless.
So we will mainly use the register r3 To r10.
As I said we will also mainly focus on the last 4 bytes of the registers.
Try to imagine them like this:
XX XX YY YY
We will use li and lis.
Li: Load Immediate
(YY YY)
Lis: Load Immediate Shifted (XX XX)
We can only set 2 bytes at once in PPC.


Examples:


XX XX YY YY

–- –- -- --
li r3, 0x15
//r3: 00 00 00 15
li r3, 0x1500
//r3: 00 00 15 00
lis r3, 0x15
//r3: 00
15
00
00
lis r3, 0x1500
//r3: 15
00
00
00
li r3, 0x1234
//r3: 00
00
12
34
lis r3, 0x1234
//r3: 12
34
00
00
11

Modding Tutorials: Advanced [PowerPC]
Author: Bad Luck Brian
Set a variable(2/2)
So now we can set 2 bytes in a register. What if we want to set a register up to 4 bytes? We will use addic and addis.
Addic will add a value to the YY YY part while Addis will add a value to the XX XX part.
Addic: Add immediate carrying
Addis: Add immediate Shifted
I will only use addic in this tutorial though but it was just so you know addis also exists which can turn out to be useful in some case.


Examples:


lis r3, 0x210
//r3: 02
10
00
00
addic
r3,
r3, 0x12
//r3: 02
10
00
12
li r3, 0x10
//r3:
00
00
00
10
addic
r3,
r3, 0x10
//r3:
00
00
00
20
Exercise:
I want r3 to be equal to 0xFCA280
Answer:
First we have to separate it in multiple bytes to make it easier. (start to separate from the right to the left)
0xFCA280 → FCA280 → FCA2 80 → FC A2
80 → 00 FC A2 80 (we add a 00
before it to reach the 4 bytes format)


Final Answer:


lis r3, 0xFC
//r3: 00
FC
00
00
addic r3, r3, 0xA280
//r3: 00
FC
A2
80
12
Modding Tutorials: Advanced [PowerPC]
Author: Bad Luck Brian
Jumping
Now we can set variables like we want but what if we want to use jump in our codes? We will use cmpwi, b, beq, bne, ble, bgt.

Cmpwi: Compare with immediate

b: Branch (no conditions, it jumps !)

beq: branch if equal

bne: Branch if not equal

ble: branch if less or equal

bgt: branch if greater of equal

C++ Version:
int BLBisHere = 1;

if (BLBisHere == 1)

{

Welcome();

return;

}

else

{

return;

}
PPC Version:

li r3, 0x1
//BLBisHere
cmpwi r3, 0x1 //compares r3 with 1
beq 0x08
//jumps 2 lines forward if equal (bl Welcome)
blr
//return
bl Welcome
//calls Welcome()
blr
//return
That's pretty much it with the conditions.
13
Modding Tutorials: Advanced [PowerPC]
Author: Bad Luck Brian
Reading in the memory(1/2)
Now we can do many things with PowerPC :) ! But what if we want to retrieve some data in the memory ? Well it's simple.

There is these instructions that we can use:

lbz | lhz | lwz | ld
Before explaining them let me show you the data formats on the PS3.
BYTE
= 1 byte (BYTE)


HALF-WORD
= 2 bytes (INT16)


WORD
= 4 bytes (INT32)


DWORD
= 8 bytes (INT64)


lbz: loads a byte
lhz: loads a half-word lwz: loads a word
ld: loads a dword Examples(for lbz, lwz and ld):
//lets say 0x2100000 contains: 12 34 56 78 00 00 00 00
lis r3, 0x210 //r3: 0x2100000
lbz r4, r3 //r4 = 00 00 00 12 lwz r5, r3 //r5: 12 34 56 78
ld r6, r3 //r6: 12 34 56 78 00 00 00 00
14
Modding Tutorials: Advanced [PowerPC]
Author: Bad Luck Brian
Reading in the memory(2/2)
Now something really useful with there instructions is that we can use an a TEMPORARY addic in them. Why is it temporary? Because after the instruction read the memory, it will remove the addic that we used in the instruction.
Lets say we want to read the memory at: 0x12345678 (12 34 56 78)
lis r3, 0x1234 //r3 = 0x12340000
lwz r4, r3, 0x5678 //r4 is reading 4 bytes at: 0x12345678 lwz r5, r3 //r5 is reading 4 bytes at:0x12340000 (remember it was temporary)
This is a good way to save some lines and in modding when you're coding in PPC you WANT to save lines !!
Now, lets say we want to read a structure.
struct{
int Age; //4 bytes int Money; //4bytes int NumberOfHouses;
}UserInfos;
Lets say this structure is located at 0x2100000.
lis r3, 0x210
//r3: 0x2100000


lwz r4, r3
//r4: Age
||
0x2100000
lwz
r5,
r3, 0x04
//r5: Money
|| 0x2100004
lwz
r6,
r3, 0x08
//r6: NumberOfHouses
||
0x2100008
15
Modding Tutorials: Advanced [PowerPC]
Author: Bad Luck Brian
Writing in the memory
It is the same as reading in the memory !
We will use stb, sth, stw, std
stb: store byte
sth: store half-word stw: store word std: store dword
Examples:
We want to write the byte 0x01 at: 0x2100000
lis r3, 0x2100000 li r4, 0x01
stb r4, r3
We can also use the temporary addic with these.
Lets say r3 is the address to write, r4 the age, r5 the money and r6 the NumberOfHouses.
lis r3, 0x210
//r3: 0x2100000
li
r4,
0x13
//r4: age (0x13 is 19, remember those are HEX values)
li
r5,
0x539
//r5: money (0x539 is 1337)
li r6, 0x2
//r6: NumberOfHouses(2 houses)
stw r4, r3 //store age at: 0x2100000 stw r5, r3, 0x4 //store age at: 0x2100004 stw r6, r3, 0x8 //store age at: 0x2100008
16
Modding Tutorials: Advanced [PowerPC]
Author: Bad Luck Brian
Creating our own Function
Now we can do a lot of things in PowerPC. But what about creating a function ? Well it's simple, remember the link register in the 'variable' chapter ? It's time to use it.
stdu
r1, r1, -0x70
//allocate some space in the stack to store our stuff
mfspr
r0, LR
//get the link register and set r0 with it (r0 = LR)
std
r0, r1, 0x80
//store the link register in the stack
…......................
//Do everything you want here :)
ld
r0, r1, 0x80
//retrieve the link register
mtspr
LR, r0
//Set LR to the original link register
addi
r1, r1, 0x70
//Unallocate the stack
blr

//Jump to the link register (return)
Now we have the base of our function. Lets make something simple.
C++:
int Add10(int a)
{
return a + 0x10;
}


PPC:
stdu
r1, r1, -0x70
//allocate some space in the stack to store our stuff
mfspr
r0, LR
//get the link register and set r0 with it (r0 = LR)
std
r0, r1, 0x80
//store the link register in the stack
addic r3, r3, 0x10
//a + 0x10
ld
r0, r1, 0x80
//retrieve the link register
mtspr
LR, r0
//Set LR to the original link register
addi
r1, r1, 0x70
//Unallocate the stack
blr

//Jump to the link register (return)
Of course in this case we don't need the stack and the link register stuff as we don't touch it or we don't call any other functions that could mess with it but this is how a function normally looks.
17
Modding Tutorials: Advanced [PowerPC]
Author: Bad Luck Brian
Remote Procedure Call(1/2)
Well with everything you've learned you can make a RPC for any games on PS3! I will tell you about 2 instructions in PowerPC.
mtctr: Move to count register
bctr | bctrl: Branch to the count register || Call the count register
So lets say we will work at 0x2100000 and our RPC will take 3 args. (As I said it's a small RPC).
The RPC works like this:
-Read the 3 arguments
{
r3 at: 0x2100004
r4 at: 0x2100008
r5 at: 0x210000C
}
-Read the function to call
{
r6 at: 0x2100000
}
So the function will read the arguments and parse them in r3, r4 and r5. Then it will read the address to the function to call. (The function to call is stored as bytes at 0x2100000)
18

Modding Tutorials: Advanced [PowerPC]
Author: Bad Luck Brian
Remote Procedure Call(2/2)
Lets make the function :) !
stdu
r1, r1,
-0x70
mfspr
r0,
LR
std
r0,
r1, 0x80
lis r6, 0x210
lwz
r3,
r6,
0x04
lwz
r4,
r6,
0x08
lwz
r5,
r6, 0x0C
lwz
r6,
r6
mtctr r6 li r6, 0 bctrl
lis r6, 0x210 stw r3, r6, 0x10 li r3, 0
stw r3, r6
//allocate some space in the stack to store our stuff //get the link register and set r0 with it (r0 = LR) //store the link register in the stack

//Our memory spot


//r3: the value at
0x2100004


//r4: the value at
0x2100008


//r5: the value at
0x210000C


//r6: the function
address at: 0x2100000


//count register = the address at: 0x2100000

//we don't want r6
to ber parsed as an argument..
//Call the address stored in the count register
//store the returned value at: 0x2100010
//ERASE the function at:0x2100000 so it won't be called again !!
ld
r0, r1, 0x80
//retrieve the link register


mtspr
LR, r0
//Set LR to the original link
register
addi
r1, r1, 0x70
//Unallocate the stack


blr


//Jump to the link register (return)

Okay let's make make an example.
We have to call the function 'Welcome'. Welcome is located at: 0xFCA280.
It takes 2 arguments.
1st arg: int client
2nd arg: string WelcomeText
PS3::WriteInt32(0x2100004, 1);
//client
1 at: 0x2100004
PS3::WriteString(0x2101000, "Hey BLB :D !");
//we write our string at: 0x2101000
PS3::WriteUInt32(0x2100008,
0x2101000);
//We write
the
address
of the string at: 0x2100008
PS3::WriteUInt32(0x2100000,
0xFCA280);
//The address
to call
!!!
//there is nothing returned, so end of this mini RPC :D
19

Modding Tutorials: Advanced [PowerPC]
Author: Bad Luck Brian
Writing our PPC codes(1/7)
Now this is the long/hard part. We can write our stuff in PowerPC but we need to convert it to bytes now. You can either Google a PowerPC compiler or you can follow this tutorial.
Each instruction as an opcode, an opcode is the hex value of the instruction.
i will make a list of some opcodes, to find any opcodes, just go in ida, click on an instruction and go to hex view.
li = 0x38 lis = 0x3C addic = 0x30 stb = 0x98 stw = 0x90 std = 0xF8 lbz = 0x88 lwz = 0x80 ld = 0xE8 cmpwi = 0x2C
b = 0x48 or 0x4B bl = 0x48 or 0x4B beq = 0x41, 0x82 bne = 0x40, 0x82 blt = 0x41, 0x80 bgt = 0x41, 0x81
mtctr = 0x7C, 0x69, 0x03, 0xA6 bctrl = 0x4E, 0x80, 0x04, 0x21
i will write the usage for all of them.
20

Modding Tutorials: Advanced [PowerPC]
Author: Bad Luck Brian
Writing our PPC codes(2/7)
Li/Lis
li
Code:
38 XX VV VV
38 = opcode
XX = Register to load the value into VV VV = value to load in the register
Now i will explain the XX
you have to add 0x20 for each register Code:
r0: 38 00 VV VV r1: 38 20 VV VV r2: 38 40 VV VV r3: 38 60 VV VV r4: 38 80 VV VV r5: 38 A0 VV VV r6: 38 C0 VV VV r7: 38 E0 VV VV
Now for r8+ we need to add +1 to the opcode (0x38 + 0x1 = 0x39)
Code:
r8: 39 00 VV VV r9: 39 20 VV VV r10: 39 40 VV VV r11: 39 60 VV VV r12: 39 80 VV VV
i will stop at r12 , if you need to go higher just add +1 again
21

Modding Tutorials: Advanced [PowerPC]
Author: Bad Luck Brian
Writing our PPC codes(3/7)
lis:
lis is the same thing but with the opcode 3C, and 3D for r8+
Code:
r0: 3C 00 VV VV r1: 3C 20 VV VV r2: 3C 40 VV VV r3: 3C 60 VV VV r4: 3C 80 VV VV r5: 3C A0 VV VV r6: 3C C0 VV VV r7: 3C E0 VV VV
Now for r8+ we need to add +1 to the opcode (0x38 + 0x1 = 0x39)
Code:
r8: 3D 00 VV VV r9: 3D 20 VV VV r10: 3D 40 VV VV r11: 3D 60 VV VV r12: 3D 80 VV VV
---------------------------
addic:
Code:
30 XY VV VV
38 = opcode
X = Register that will contain the result of the addition Y = Register that were going to add to the value
VV VV = value to add to Y
Now for X, the register system is that same as li/lis we add 0x20 and at r8 we change the opcode 30 to 31
but for Y, we just put the real number of the register


examples:


addic r3, r4, 0xFF ||
30 64 00
FF


addic
r12, r4, 0xFF ||
31 84 00
FF


addic
r3, r10, 0xFF || 30 6A 00 FF
|| 10 = 0x0A (hexadecimal)


22

Modding Tutorials: Advanced [PowerPC]
Author: Bad Luck Brian
Writing our PPC codes(4/7)
stb,stw,std
Code:
stb = 0x98 // 0x99 for r8+ stw = 0x90 // 0x91 for r8+ std = 0xF8 // 0xF9 for r8+
i will use stw for the example.
They work like addis for the XY !
Code:
90 XY VV VV
X = register
that
will be sent
in the
memory
(VALUE)
Y = register
of the address that will
receive the VALUE (X)
VV VV = Temporary
value to add
to the
address
(Y)
Code:


example:


lis r3, 0x2100000
||
3C
60 02
10
li r4, 0x15
||
38
80 00
15
stw r4, r3, 0x2101234
||
90
83 12
34
//ON THIS LINE, r3 RESETS
BACK TO:
0x2100000 !!!
---------------------------
Code:
lbz = 0x88 // 0x89 for r8+ lwz = 0x80 // 0x81 for r8+ ld = 0xE8 // 0xE9 for r8+
usage (i will use lwz): Code:
80 XY VV VV
It works like stw !!!
X = register that will contain the value read from the memory
Y = register of the address that will be read
VV VV = Temporary value to add to the address (Y)
23

Modding Tutorials: Advanced [PowerPC]
Author: Bad Luck Brian
Writing our PPC codes(5/7)
Example:
Code:
lis r3, 0x2100000
||
3C
60 02
10
li r4, 0x15
||
38
80 00
15
lwz r4, r3, 0x2101234
||
80
83 12
34
//ON THIS LINE, r3 RESETS
BACK TO:
0x2100000 AND r4 = the first bytes that was at:
0x2101234 !!!


-----------------------------------------
Code:
cmpwi = 0x2C 2c 0Y VV VV
0 = keep it as 0
Y = Register to compare, we just put its number in hex VV VV = value that the register will be compared with
Code:
example:

cmpwi r3, 0x55 || 2c 03 00 55

Code:
other example:

cmwpi r12, 0x55 || 2c 0C 00 55
//0x0C = 12 in hexadecimal
Code:
Branching

b = 0x48 or 0x4B

bl = 0x48 or 0x4B

beq = 0x41, 0x82

bne = 0x40, 0x82

blt = 0x41, 0x80

bgt = 0x41, 0x81

Alright b and bl are tricky.
//current address = address where we are jumping from
24

Modding Tutorials: Advanced [PowerPC]
Author: Bad Luck Brian
Writing our PPC codes(6/7)
we use 48 when jumping to a location that is located AFTER the current address we use 4B when jumping to a location that is located BEFORE the current address
Code:
48/4B XX XX XX
XX XX XX = difference between current position and the location we want to jump to
41 82 XX XX
XX XX = difference between current position and the location we want to jump to also, to use bl we add +1 to the difference !!
example:
Code:
0x11010: bl 0x11050 || 48 00 00 41
...
0x11050: //function...
// why 84 00 00 41 ? because 0x11050 - 0x11010 = 0x40 and to make it into a bl we need to add
+1
0x40 + 1 = 0x41
so 48 00 00 41
and we use 48 because it is AFTER the current location (0x11010)
MTCTR/BCTRL
Now the last one, more complex
mtctr = 7C X9 03 A6
X = register to move to the count register, if r8+, 7C becomes 7D we keep the rest as it is
Example
Code:
mtctr r4 || 7C 89 03 A6 mtctr r12 || 7D 89 03 A6
25
Modding Tutorials: Advanced [PowerPC]
Author: Bad Luck Brian
Writing our PPC codes(7/7)
bctrl = 4E 80 04 21 we keep it like this, BUT
bctrl is like bl, but we can also transform it to bctr , which is like b
Code:
bctr
4E
80 04 20
bctrl
4E
80 04 21
26
Modding Tutorials: Advanced [PowerPC]
Author: Bad Luck Brian
End of lesson
So that was it for my PowerPC lessons. Try some stuff in the debugger and don't worry if you crash your ps3 20 times a day. It's normal :) We learn by our errors !
Also I would like to say a big thank you to: aerosoul94
Choco
BadChoicesZ
Add me on Skype to check out my new clan who will help you with this lesson and more ! :)
Skype: BadLuckDobby
27