BaSs_HaXoR

Advanced PPC Tutorial [PowerPC}

Jun 25th, 2014
354
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 21.55 KB | None | 0 0
  1. Modding Tutorials: Advanced [PowerPC]
  2. Author: Bad Luck Brian
  3. PowerPC Lessons
  4. By: Bad Luck Brian
  5.  
  6.  
  7. Download: http://adf.ly/rt6Z7
  8.  
  9.  
  10. Powered by: Bad Luck Modders
  11. Who are Bad Luck Modders [BLM*] ?
  12. We are modders who mainly wants to teach anyone who is willing to learn about modding, Programming and reversing. We only have a Skype chat as of now and getting famous is not a priority nor is modding online.
  13. Side note: I've learned most of what I know about PPC (PowerPC) using IDA and the Prodg debugger to understand what most of the instructions were doing and used IBM's site and Google to understand their meanings. Of course I might make some mistakes but the most important part will be there.
  14. 1
  15. Modding Tutorials: Advanced [PowerPC]
  16. Author: Bad Luck Brian
  17. Table Of Contents
  18. 1.Presentation
  19. 2.Table Of Contents
  20. 3.Disclaimer
  21. 4.Requirements
  22. 5.Setting-up your PC
  23. 6.Variables
  24. 7.Set a variable
  25. 8.Jumping
  26. 9.Read in the memory 10. Write in the memory 11. Creating a Function
  27. 12. Creating a small Remote Procedure Call
  28. 13. Writing our PPC in the memory
  29. 14. Conclusion
  30. 2
  31. Modding Tutorials: Advanced [PowerPC]
  32. Author: Bad Luck Brian
  33. Copyright Disclaimer Under Section 107 of the Copyright Act 1976, allowance is made for fair use for purposes such as criticism, comment, news reporting, teaching, scholarship, and research. Fair use is a use permitted by copyright statute that might otherwise be infringing. Non-profit, educational or personal use tips the balance in favor of fair use.
  34. 3
  35. Modding Tutorials: Advanced [PowerPC]
  36. Author: Bad Luck Brian
  37. Requirements
  38. Note: (Red: It's a must | Orange: Recommended | Green: Optional) Note2: These requirements are made so you can start modding after this tutorial.
  39. 1.COMMON SENSE (in other terms, use your brain..)
  40. 2.IDA PRO ADVANCED(With the PS3 plugins)
  41. 3.SN Systems tools (Prodg debugger and Target Manager)
  42. 4.A PS3 on DEX
  43. 5.Visual Studio | Or anything similar to compile your projects
  44. 6.Some programming skills
  45. 7.HxD Editor
  46. 8.A good understanding of how a computer works
  47. 9.Notepad++ (really useful)
  48. I also recommend viewing this PDF in Google Chrome and using the zoom feature to view the images.
  49. Some of the required files are included at the following link:
  50. https://anonfiles.com/file/4bcbd74e16c3274 03cdb12e136010479
  51. 4
  52. Modding Tutorials: Advanced [PowerPC]
  53. Author: Bad Luck Brian
  54. Setting up your PC (1/5)
  55. NOTE: Everything in this tutorial will be made on Windows 8 using the update 1.13 of Call of Duty Ghosts. (It works with windows 7 too).
  56. First of all you will need to install everything from this package. -Sn systems tools
  57. -IDA PRO (you don't need to install it's portable) -Visual studio
  58. -HxD Editor -Notepad++
  59. This will require you to use your brain. I really hope you can install a few softwares without the need to be assisted. Just remember where you installed SN System and IDA.
  60. NOTE: In IDA Pro there is a file named 'ida6x.dll' or something similar and it might show up as a virus or something. Just exclude it from your anti-virus or do everything in a virtual machine. Remember it's a cracked version.
  61. My directories:
  62. SN Systems:
  63. C:\Program Files (x86)\SN Systems
  64. IDA:
  65. C:\Users\BLB\Desktop\modding\Coding\IDA
  66. 5
  67.  
  68. Modding Tutorials: Advanced [PowerPC]
  69. Author: Bad Luck Brian
  70. Setting up your PC (2/5)
  71. Now that everything is installed we want to make it a bit more simple and faster to use.
  72. Get an .elf file and right click on it, then select properties. Click on 'Open with' and select 'idaq.exe' in your IDA folder. This way you will be able to open .elf files directly with IDA.
  73. Now open IDA and it should look like this(Don't mind the theme): Close every tabs except IDA-view and Hex-View so it will look like this:
  74. 6
  75.  
  76. Modding Tutorials: Advanced [PowerPC]
  77. Author: Bad Luck Brian
  78. Setting up your PC (3/5)
  79. Now click on Windows > Save Desktop > Check 'default' and press OK. Now you can close IDA.
  80. Now it's time to make a Modding folder/partition.
  81. Personally i've made a dedicated partition for modding using diskmgmt. Google on how to make a partition. Else you can just make a folder.
  82. Now go in your SN Systems files. It should be “C:\Program Files (x86)\SN Systems” by default. Then go in the PS3\bin folder and copy the ps3tmapi.dll and paste it into your modding folder. This way it will be easier to get it when needed to make files.
  83. Now it's time to set up your PRODG debugger correctly. Load a game using a debug eboot and open up target manager. Add your target PS3 and open PRODG debugger, it should look like this.
  84. 7
  85.  
  86. Modding Tutorials: Advanced [PowerPC]
  87. Author: Bad Luck Brian
  88. Setting up your PC (4/5)
  89. Now we want to close every tabs by going in Window > Close all. And exit every other tabs that stays open in prod debugger.
  90. Now every tabs should be closed. Go in Window > New view. Add a tab for:
  91. - Memory (Change the columns to 16) -Registers
  92. -Breakpoints -Dissasembly
  93. Here is my layout:
  94. 8
  95.  
  96. Modding Tutorials: Advanced [PowerPC]
  97. Author: Bad Luck Brian
  98. Setting up your PC (5/5)
  99. I also like to change the colors of my windows in Prodg Debugger to make it easier to read/organize. To change the colors of a window just go in tools > Options > Fonts and colors.
  100. Now close Prodg Debugger to make it save the layout.
  101. That's it for the setting-up chapter of this tutorial.
  102. 9
  103. Modding Tutorials: Advanced [PowerPC]
  104. Author: Bad Luck Brian
  105. Variables
  106. Time to talk about the variables in PowerPC ! In C++ to declare a variable we do it like this:
  107. int blb = 0x15;
  108. In PowerPC we use registers. Those are the variables which can hold up to 8 bytes. We will mainly use the last 4 bytes.
  109. There is 32 registers that we can use. (not counting the link register and count register etc)
  110. r0: Mostly used for the link register r1: Stack pointer
  111. r2: (read-only) We won't use it
  112. r3: First argument of a function and also the 1st returned value from it ! r4: Second argument of a function and also the 2nd returned value from it ! r5-r10: Other parameters
  113. r11-r31: General registers
  114. Note:
  115. r11: Used for syscalls r13: its the same as r2
  116. There is also the link register which is really important since it's a pointer that tells the program where to go after finishing a function.
  117. When a function is called, a link register is generated. This register will point to the address that called the function + 0x4. Why +0x4 ? Because each instructions is 4 bytes and the program has to return to the next line else it will make an infinite loop which will call the same function over and over...
  118. Example:
  119. 0x00: bl NullSub
  120. //call NullSub and the link register will be 0x04 (next line)
  121. 0x04: li r3, 0
  122. //this will be executed after the function returns.
  123. 10
  124.  
  125. Modding Tutorials: Advanced [PowerPC]
  126. Author: Bad Luck Brian
  127. Set a variable(1/2)
  128. So now we need to know how to use these variables right ? Else it's pretty much useless.
  129. So we will mainly use the register r3 To r10.
  130. As I said we will also mainly focus on the last 4 bytes of the registers.
  131. Try to imagine them like this:
  132. XX XX YY YY
  133. We will use li and lis.
  134. Li: Load Immediate
  135. (YY YY)
  136. Lis: Load Immediate Shifted (XX XX)
  137. We can only set 2 bytes at once in PPC.
  138.  
  139.  
  140.  
  141. Examples:
  142.  
  143.  
  144.  
  145. XX XX YY YY
  146.  
  147. –- –- -- --
  148. li r3, 0x15
  149. //r3: 00 00 00 15
  150. li r3, 0x1500
  151. //r3: 00 00 15 00
  152. lis r3, 0x15
  153. //r3: 00
  154. 15
  155. 00
  156. 00
  157. lis r3, 0x1500
  158. //r3: 15
  159. 00
  160. 00
  161. 00
  162. li r3, 0x1234
  163. //r3: 00
  164. 00
  165. 12
  166. 34
  167. lis r3, 0x1234
  168. //r3: 12
  169. 34
  170. 00
  171. 00
  172. 11
  173.  
  174. Modding Tutorials: Advanced [PowerPC]
  175. Author: Bad Luck Brian
  176. Set a variable(2/2)
  177. So now we can set 2 bytes in a register. What if we want to set a register up to 4 bytes? We will use addic and addis.
  178. Addic will add a value to the YY YY part while Addis will add a value to the XX XX part.
  179. Addic: Add immediate carrying
  180. Addis: Add immediate Shifted
  181. I will only use addic in this tutorial though but it was just so you know addis also exists which can turn out to be useful in some case.
  182.  
  183.  
  184.  
  185.  
  186. Examples:
  187.  
  188.  
  189.  
  190.  
  191.  
  192. lis r3, 0x210
  193. //r3: 02
  194. 10
  195. 00
  196. 00
  197. addic
  198. r3,
  199. r3, 0x12
  200. //r3: 02
  201. 10
  202. 00
  203. 12
  204. li r3, 0x10
  205. //r3:
  206. 00
  207. 00
  208. 00
  209. 10
  210. addic
  211. r3,
  212. r3, 0x10
  213. //r3:
  214. 00
  215. 00
  216. 00
  217. 20
  218. Exercise:
  219. I want r3 to be equal to 0xFCA280
  220. Answer:
  221. First we have to separate it in multiple bytes to make it easier. (start to separate from the right to the left)
  222. 0xFCA280 → FCA280 → FCA2 80 → FC A2
  223. 80 → 00 FC A2 80 (we add a 00
  224. before it to reach the 4 bytes format)
  225.  
  226.  
  227.  
  228. Final Answer:
  229.  
  230.  
  231.  
  232.  
  233. lis r3, 0xFC
  234. //r3: 00
  235. FC
  236. 00
  237. 00
  238. addic r3, r3, 0xA280
  239. //r3: 00
  240. FC
  241. A2
  242. 80
  243. 12
  244. Modding Tutorials: Advanced [PowerPC]
  245. Author: Bad Luck Brian
  246. Jumping
  247. Now we can set variables like we want but what if we want to use jump in our codes? We will use cmpwi, b, beq, bne, ble, bgt.
  248.  
  249. Cmpwi: Compare with immediate
  250.  
  251. b: Branch (no conditions, it jumps !)
  252.  
  253. beq: branch if equal
  254.  
  255. bne: Branch if not equal
  256.  
  257. ble: branch if less or equal
  258.  
  259. bgt: branch if greater of equal
  260.  
  261. C++ Version:
  262. int BLBisHere = 1;
  263.  
  264. if (BLBisHere == 1)
  265.  
  266. {
  267.  
  268. Welcome();
  269.  
  270. return;
  271.  
  272. }
  273.  
  274. else
  275.  
  276. {
  277.  
  278. return;
  279.  
  280. }
  281. PPC Version:
  282.  
  283. li r3, 0x1
  284. //BLBisHere
  285. cmpwi r3, 0x1 //compares r3 with 1
  286. beq 0x08
  287. //jumps 2 lines forward if equal (bl Welcome)
  288. blr
  289. //return
  290. bl Welcome
  291. //calls Welcome()
  292. blr
  293. //return
  294. That's pretty much it with the conditions.
  295. 13
  296. Modding Tutorials: Advanced [PowerPC]
  297. Author: Bad Luck Brian
  298. Reading in the memory(1/2)
  299. Now we can do many things with PowerPC :) ! But what if we want to retrieve some data in the memory ? Well it's simple.
  300.  
  301. There is these instructions that we can use:
  302.  
  303. lbz | lhz | lwz | ld
  304. Before explaining them let me show you the data formats on the PS3.
  305. BYTE
  306. = 1 byte (BYTE)
  307.  
  308.  
  309. HALF-WORD
  310. = 2 bytes (INT16)
  311.  
  312.  
  313. WORD
  314. = 4 bytes (INT32)
  315.  
  316.  
  317.  
  318. DWORD
  319. = 8 bytes (INT64)
  320.  
  321.  
  322.  
  323. lbz: loads a byte
  324. lhz: loads a half-word lwz: loads a word
  325. ld: loads a dword Examples(for lbz, lwz and ld):
  326. //lets say 0x2100000 contains: 12 34 56 78 00 00 00 00
  327. lis r3, 0x210 //r3: 0x2100000
  328. lbz r4, r3 //r4 = 00 00 00 12 lwz r5, r3 //r5: 12 34 56 78
  329. ld r6, r3 //r6: 12 34 56 78 00 00 00 00
  330. 14
  331. Modding Tutorials: Advanced [PowerPC]
  332. Author: Bad Luck Brian
  333. Reading in the memory(2/2)
  334. Now something really useful with there instructions is that we can use an a TEMPORARY addic in them. Why is it temporary? Because after the instruction read the memory, it will remove the addic that we used in the instruction.
  335. Lets say we want to read the memory at: 0x12345678 (12 34 56 78)
  336. lis r3, 0x1234 //r3 = 0x12340000
  337. lwz r4, r3, 0x5678 //r4 is reading 4 bytes at: 0x12345678 lwz r5, r3 //r5 is reading 4 bytes at:0x12340000 (remember it was temporary)
  338. This is a good way to save some lines and in modding when you're coding in PPC you WANT to save lines !!
  339. Now, lets say we want to read a structure.
  340. struct{
  341. int Age; //4 bytes int Money; //4bytes int NumberOfHouses;
  342. }UserInfos;
  343. Lets say this structure is located at 0x2100000.
  344. lis r3, 0x210
  345. //r3: 0x2100000
  346.  
  347.  
  348. lwz r4, r3
  349. //r4: Age
  350. ||
  351. 0x2100000
  352. lwz
  353. r5,
  354. r3, 0x04
  355. //r5: Money
  356. || 0x2100004
  357. lwz
  358. r6,
  359. r3, 0x08
  360. //r6: NumberOfHouses
  361. ||
  362. 0x2100008
  363. 15
  364. Modding Tutorials: Advanced [PowerPC]
  365. Author: Bad Luck Brian
  366. Writing in the memory
  367. It is the same as reading in the memory !
  368. We will use stb, sth, stw, std
  369. stb: store byte
  370. sth: store half-word stw: store word std: store dword
  371. Examples:
  372. We want to write the byte 0x01 at: 0x2100000
  373. lis r3, 0x2100000 li r4, 0x01
  374. stb r4, r3
  375. We can also use the temporary addic with these.
  376. Lets say r3 is the address to write, r4 the age, r5 the money and r6 the NumberOfHouses.
  377. lis r3, 0x210
  378. //r3: 0x2100000
  379. li
  380. r4,
  381. 0x13
  382. //r4: age (0x13 is 19, remember those are HEX values)
  383. li
  384. r5,
  385. 0x539
  386. //r5: money (0x539 is 1337)
  387. li r6, 0x2
  388. //r6: NumberOfHouses(2 houses)
  389. stw r4, r3 //store age at: 0x2100000 stw r5, r3, 0x4 //store age at: 0x2100004 stw r6, r3, 0x8 //store age at: 0x2100008
  390. 16
  391. Modding Tutorials: Advanced [PowerPC]
  392. Author: Bad Luck Brian
  393. Creating our own Function
  394. Now we can do a lot of things in PowerPC. But what about creating a function ? Well it's simple, remember the link register in the 'variable' chapter ? It's time to use it.
  395. stdu
  396. r1, r1, -0x70
  397. //allocate some space in the stack to store our stuff
  398. mfspr
  399. r0, LR
  400. //get the link register and set r0 with it (r0 = LR)
  401. std
  402. r0, r1, 0x80
  403. //store the link register in the stack
  404. …......................
  405. //Do everything you want here :)
  406. ld
  407. r0, r1, 0x80
  408. //retrieve the link register
  409. mtspr
  410. LR, r0
  411. //Set LR to the original link register
  412. addi
  413. r1, r1, 0x70
  414. //Unallocate the stack
  415. blr
  416.  
  417. //Jump to the link register (return)
  418. Now we have the base of our function. Lets make something simple.
  419. C++:
  420. int Add10(int a)
  421. {
  422. return a + 0x10;
  423. }
  424.  
  425.  
  426. PPC:
  427. stdu
  428. r1, r1, -0x70
  429. //allocate some space in the stack to store our stuff
  430. mfspr
  431. r0, LR
  432. //get the link register and set r0 with it (r0 = LR)
  433. std
  434. r0, r1, 0x80
  435. //store the link register in the stack
  436. addic r3, r3, 0x10
  437. //a + 0x10
  438. ld
  439. r0, r1, 0x80
  440. //retrieve the link register
  441. mtspr
  442. LR, r0
  443. //Set LR to the original link register
  444. addi
  445. r1, r1, 0x70
  446. //Unallocate the stack
  447. blr
  448.  
  449. //Jump to the link register (return)
  450. Of course in this case we don't need the stack and the link register stuff as we don't touch it or we don't call any other functions that could mess with it but this is how a function normally looks.
  451. 17
  452. Modding Tutorials: Advanced [PowerPC]
  453. Author: Bad Luck Brian
  454. Remote Procedure Call(1/2)
  455. Well with everything you've learned you can make a RPC for any games on PS3! I will tell you about 2 instructions in PowerPC.
  456. mtctr: Move to count register
  457. bctr | bctrl: Branch to the count register || Call the count register
  458. So lets say we will work at 0x2100000 and our RPC will take 3 args. (As I said it's a small RPC).
  459. The RPC works like this:
  460. -Read the 3 arguments
  461. {
  462. r3 at: 0x2100004
  463. r4 at: 0x2100008
  464. r5 at: 0x210000C
  465. }
  466. -Read the function to call
  467. {
  468. r6 at: 0x2100000
  469. }
  470. So the function will read the arguments and parse them in r3, r4 and r5. Then it will read the address to the function to call. (The function to call is stored as bytes at 0x2100000)
  471. 18
  472.  
  473. Modding Tutorials: Advanced [PowerPC]
  474. Author: Bad Luck Brian
  475. Remote Procedure Call(2/2)
  476. Lets make the function :) !
  477. stdu
  478. r1, r1,
  479. -0x70
  480. mfspr
  481. r0,
  482. LR
  483. std
  484. r0,
  485. r1, 0x80
  486. lis r6, 0x210
  487. lwz
  488. r3,
  489. r6,
  490. 0x04
  491. lwz
  492. r4,
  493. r6,
  494. 0x08
  495. lwz
  496. r5,
  497. r6, 0x0C
  498. lwz
  499. r6,
  500. r6
  501. mtctr r6 li r6, 0 bctrl
  502. lis r6, 0x210 stw r3, r6, 0x10 li r3, 0
  503. stw r3, r6
  504. //allocate some space in the stack to store our stuff //get the link register and set r0 with it (r0 = LR) //store the link register in the stack
  505.  
  506. //Our memory spot
  507.  
  508.  
  509.  
  510.  
  511.  
  512.  
  513. //r3: the value at
  514. 0x2100004
  515.  
  516.  
  517.  
  518.  
  519. //r4: the value at
  520. 0x2100008
  521.  
  522.  
  523.  
  524.  
  525. //r5: the value at
  526. 0x210000C
  527.  
  528.  
  529.  
  530.  
  531. //r6: the function
  532. address at: 0x2100000
  533.  
  534.  
  535.  
  536.  
  537. //count register = the address at: 0x2100000
  538.  
  539. //we don't want r6
  540. to ber parsed as an argument..
  541. //Call the address stored in the count register
  542. //store the returned value at: 0x2100010
  543. //ERASE the function at:0x2100000 so it won't be called again !!
  544. ld
  545. r0, r1, 0x80
  546. //retrieve the link register
  547.  
  548.  
  549. mtspr
  550. LR, r0
  551. //Set LR to the original link
  552. register
  553. addi
  554. r1, r1, 0x70
  555. //Unallocate the stack
  556.  
  557.  
  558. blr
  559.  
  560.  
  561.  
  562.  
  563.  
  564. //Jump to the link register (return)
  565.  
  566. Okay let's make make an example.
  567. We have to call the function 'Welcome'. Welcome is located at: 0xFCA280.
  568. It takes 2 arguments.
  569. 1st arg: int client
  570. 2nd arg: string WelcomeText
  571. PS3::WriteInt32(0x2100004, 1);
  572. //client
  573. 1 at: 0x2100004
  574. PS3::WriteString(0x2101000, "Hey BLB :D !");
  575. //we write our string at: 0x2101000
  576. PS3::WriteUInt32(0x2100008,
  577. 0x2101000);
  578. //We write
  579. the
  580. address
  581. of the string at: 0x2100008
  582. PS3::WriteUInt32(0x2100000,
  583. 0xFCA280);
  584. //The address
  585. to call
  586. !!!
  587. //there is nothing returned, so end of this mini RPC :D
  588. 19
  589.  
  590. Modding Tutorials: Advanced [PowerPC]
  591. Author: Bad Luck Brian
  592. Writing our PPC codes(1/7)
  593. Now this is the long/hard part. We can write our stuff in PowerPC but we need to convert it to bytes now. You can either Google a PowerPC compiler or you can follow this tutorial.
  594. Each instruction as an opcode, an opcode is the hex value of the instruction.
  595. i will make a list of some opcodes, to find any opcodes, just go in ida, click on an instruction and go to hex view.
  596. li = 0x38 lis = 0x3C addic = 0x30 stb = 0x98 stw = 0x90 std = 0xF8 lbz = 0x88 lwz = 0x80 ld = 0xE8 cmpwi = 0x2C
  597. b = 0x48 or 0x4B bl = 0x48 or 0x4B beq = 0x41, 0x82 bne = 0x40, 0x82 blt = 0x41, 0x80 bgt = 0x41, 0x81
  598. mtctr = 0x7C, 0x69, 0x03, 0xA6 bctrl = 0x4E, 0x80, 0x04, 0x21
  599. i will write the usage for all of them.
  600. 20
  601.  
  602. Modding Tutorials: Advanced [PowerPC]
  603. Author: Bad Luck Brian
  604. Writing our PPC codes(2/7)
  605. Li/Lis
  606. li
  607. Code:
  608. 38 XX VV VV
  609. 38 = opcode
  610. XX = Register to load the value into VV VV = value to load in the register
  611. Now i will explain the XX
  612. you have to add 0x20 for each register Code:
  613. r0: 38 00 VV VV r1: 38 20 VV VV r2: 38 40 VV VV r3: 38 60 VV VV r4: 38 80 VV VV r5: 38 A0 VV VV r6: 38 C0 VV VV r7: 38 E0 VV VV
  614. Now for r8+ we need to add +1 to the opcode (0x38 + 0x1 = 0x39)
  615. Code:
  616. r8: 39 00 VV VV r9: 39 20 VV VV r10: 39 40 VV VV r11: 39 60 VV VV r12: 39 80 VV VV
  617. i will stop at r12 , if you need to go higher just add +1 again
  618. 21
  619.  
  620. Modding Tutorials: Advanced [PowerPC]
  621. Author: Bad Luck Brian
  622. Writing our PPC codes(3/7)
  623. lis:
  624. lis is the same thing but with the opcode 3C, and 3D for r8+
  625. Code:
  626. r0: 3C 00 VV VV r1: 3C 20 VV VV r2: 3C 40 VV VV r3: 3C 60 VV VV r4: 3C 80 VV VV r5: 3C A0 VV VV r6: 3C C0 VV VV r7: 3C E0 VV VV
  627. Now for r8+ we need to add +1 to the opcode (0x38 + 0x1 = 0x39)
  628. Code:
  629. r8: 3D 00 VV VV r9: 3D 20 VV VV r10: 3D 40 VV VV r11: 3D 60 VV VV r12: 3D 80 VV VV
  630. ---------------------------
  631. addic:
  632. Code:
  633. 30 XY VV VV
  634. 38 = opcode
  635. X = Register that will contain the result of the addition Y = Register that were going to add to the value
  636. VV VV = value to add to Y
  637. Now for X, the register system is that same as li/lis we add 0x20 and at r8 we change the opcode 30 to 31
  638. but for Y, we just put the real number of the register
  639.  
  640.  
  641.  
  642.  
  643. examples:
  644.  
  645.  
  646.  
  647.  
  648. addic r3, r4, 0xFF ||
  649. 30 64 00
  650. FF
  651.  
  652.  
  653.  
  654.  
  655.  
  656.  
  657. addic
  658. r12, r4, 0xFF ||
  659. 31 84 00
  660. FF
  661.  
  662.  
  663.  
  664.  
  665. addic
  666. r3, r10, 0xFF || 30 6A 00 FF
  667. || 10 = 0x0A (hexadecimal)
  668.  
  669.  
  670.  
  671.  
  672.  
  673. 22
  674.  
  675. Modding Tutorials: Advanced [PowerPC]
  676. Author: Bad Luck Brian
  677. Writing our PPC codes(4/7)
  678. stb,stw,std
  679. Code:
  680. stb = 0x98 // 0x99 for r8+ stw = 0x90 // 0x91 for r8+ std = 0xF8 // 0xF9 for r8+
  681. i will use stw for the example.
  682. They work like addis for the XY !
  683. Code:
  684. 90 XY VV VV
  685. X = register
  686. that
  687. will be sent
  688. in the
  689. memory
  690. (VALUE)
  691. Y = register
  692. of the address that will
  693. receive the VALUE (X)
  694. VV VV = Temporary
  695. value to add
  696. to the
  697. address
  698. (Y)
  699. Code:
  700.  
  701.  
  702.  
  703. example:
  704.  
  705.  
  706.  
  707.  
  708. lis r3, 0x2100000
  709. ||
  710. 3C
  711. 60 02
  712. 10
  713. li r4, 0x15
  714. ||
  715. 38
  716. 80 00
  717. 15
  718. stw r4, r3, 0x2101234
  719. ||
  720. 90
  721. 83 12
  722. 34
  723. //ON THIS LINE, r3 RESETS
  724. BACK TO:
  725. 0x2100000 !!!
  726. ---------------------------
  727. Code:
  728. lbz = 0x88 // 0x89 for r8+ lwz = 0x80 // 0x81 for r8+ ld = 0xE8 // 0xE9 for r8+
  729. usage (i will use lwz): Code:
  730. 80 XY VV VV
  731. It works like stw !!!
  732. X = register that will contain the value read from the memory
  733. Y = register of the address that will be read
  734. VV VV = Temporary value to add to the address (Y)
  735. 23
  736.  
  737. Modding Tutorials: Advanced [PowerPC]
  738. Author: Bad Luck Brian
  739. Writing our PPC codes(5/7)
  740. Example:
  741. Code:
  742. lis r3, 0x2100000
  743. ||
  744. 3C
  745. 60 02
  746. 10
  747. li r4, 0x15
  748. ||
  749. 38
  750. 80 00
  751. 15
  752. lwz r4, r3, 0x2101234
  753. ||
  754. 80
  755. 83 12
  756. 34
  757. //ON THIS LINE, r3 RESETS
  758. BACK TO:
  759. 0x2100000 AND r4 = the first bytes that was at:
  760. 0x2101234 !!!
  761.  
  762.  
  763.  
  764.  
  765. -----------------------------------------
  766. Code:
  767. cmpwi = 0x2C 2c 0Y VV VV
  768. 0 = keep it as 0
  769. Y = Register to compare, we just put its number in hex VV VV = value that the register will be compared with
  770. Code:
  771. example:
  772.  
  773. cmpwi r3, 0x55 || 2c 03 00 55
  774.  
  775. Code:
  776. other example:
  777.  
  778. cmwpi r12, 0x55 || 2c 0C 00 55
  779. //0x0C = 12 in hexadecimal
  780. Code:
  781. Branching
  782.  
  783. b = 0x48 or 0x4B
  784.  
  785. bl = 0x48 or 0x4B
  786.  
  787. beq = 0x41, 0x82
  788.  
  789. bne = 0x40, 0x82
  790.  
  791. blt = 0x41, 0x80
  792.  
  793. bgt = 0x41, 0x81
  794.  
  795. Alright b and bl are tricky.
  796. //current address = address where we are jumping from
  797. 24
  798.  
  799. Modding Tutorials: Advanced [PowerPC]
  800. Author: Bad Luck Brian
  801. Writing our PPC codes(6/7)
  802. we use 48 when jumping to a location that is located AFTER the current address we use 4B when jumping to a location that is located BEFORE the current address
  803. Code:
  804. 48/4B XX XX XX
  805. XX XX XX = difference between current position and the location we want to jump to
  806. 41 82 XX XX
  807. XX XX = difference between current position and the location we want to jump to also, to use bl we add +1 to the difference !!
  808. example:
  809. Code:
  810. 0x11010: bl 0x11050 || 48 00 00 41
  811. ...
  812. 0x11050: //function...
  813. // why 84 00 00 41 ? because 0x11050 - 0x11010 = 0x40 and to make it into a bl we need to add
  814. +1
  815. 0x40 + 1 = 0x41
  816. so 48 00 00 41
  817. and we use 48 because it is AFTER the current location (0x11010)
  818. MTCTR/BCTRL
  819. Now the last one, more complex
  820. mtctr = 7C X9 03 A6
  821. X = register to move to the count register, if r8+, 7C becomes 7D we keep the rest as it is
  822. Example
  823. Code:
  824. mtctr r4 || 7C 89 03 A6 mtctr r12 || 7D 89 03 A6
  825. 25
  826. Modding Tutorials: Advanced [PowerPC]
  827. Author: Bad Luck Brian
  828. Writing our PPC codes(7/7)
  829. bctrl = 4E 80 04 21 we keep it like this, BUT
  830. bctrl is like bl, but we can also transform it to bctr , which is like b
  831. Code:
  832. bctr
  833. 4E
  834. 80 04 20
  835. bctrl
  836. 4E
  837. 80 04 21
  838. 26
  839. Modding Tutorials: Advanced [PowerPC]
  840. Author: Bad Luck Brian
  841. End of lesson
  842. So that was it for my PowerPC lessons. Try some stuff in the debugger and don't worry if you crash your ps3 20 times a day. It's normal :) We learn by our errors !
  843. Also I would like to say a big thank you to: aerosoul94
  844. Choco
  845. BadChoicesZ
  846. Add me on Skype to check out my new clan who will help you with this lesson and more ! :)
  847. Skype: BadLuckDobby
  848. 27
Add Comment
Please, Sign In to add comment