API tools faq
paste
Advertisement
ScriptzMoDz

[PowerPC] Writing PPC in IDA PRO

ScriptzMoDz
Aug 29th, 2014
959
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 5.72 KB | None | 0 0
raw download clone embed print report
  1. //Tutorial by Bad Luck Brian
  2.  
  3. Writing PPC in IDA
  4.  
  5.  
  6. So now we learned these things:
  7.  
  8. -setting a value
  9. -Read/Write in memory
  10. -Code location (Conditional jumps)
  11. -Calling a function
  12.  
  13. So what about we start writing in our ELF file in IDA Pro ?
  14.  
  15. This tutorial will also include a video tutorial but not for now :P
  16.  
  17. Each line of ppc is 4 bytes in length !
  18.  
  19. example:
  20. Code:
  21. lis r3, 0xFF1 <- it will be written in 4 bytes (3c 60 0f f1) <- will explain soon
  22.  
  23. each instruction as an opcode, an opcode is the hex value of the instruction.
  24.  
  25. i will make a list of some opcodes, to find any opcodes, just go in ida, click on an instruction and go to hex view.
  26.  
  27. Code:
  28. li = 0x38
  29. lis = 0x3C
  30. addic = 0x30
  31. stb = 0x98
  32. stw = 0x90
  33. std = 0xF8
  34. lbz = 0x88
  35. lwz = 0x80
  36. ld = 0xE8
  37. cmpwi = 0x2C
  38. b = 0x48 or 0x4B
  39. bl = 0x48 or 0x4B
  40. beq = 0x41, 0x82
  41. bne = 0x40, 0x82
  42. blt = 0x41, 0x80
  43. bgt = 0x41, 0x81
  44. mtctr = 0x7C, 0x69, 0x03, 0xA6
  45. bctrl = 0x4E, 0x80, 0x04, 0x21
  46. Now this is the hard part.
  47.  
  48. i will write the usage for all of them.
  49.  
  50.  
  51. ******* li / lis **********
  52. li:
  53. Code:
  54. 38 XX VV VV
  55.  
  56. 38 = opcode
  57. XX = Register to load the value into
  58. VV VV = value to load in the register
  59. Now i will explain the XX
  60.  
  61. you have to add 0x20 for each register
  62.  
  63. Code:
  64. r0: 38 00 VV VV
  65. r1: 38 20 VV VV
  66. r2: 38 40 VV VV
  67. r3: 38 60 VV VV
  68. r4: 38 80 VV VV
  69. r5: 38 A0 VV VV
  70. r6: 38 C0 VV VV
  71. r7: 38 F0 VV VV
  72.  
  73. Now for r8+ we need to add +1 to the opcode (0x38 + 0x1 = 0x39)
  74. Code:
  75. r8: 39 00 VV VV
  76. r9: 39 20 VV VV
  77. r10: 39 40 VV VV
  78. r11: 39 60 VV VV
  79. r12: 39 80 VV VV
  80. i will stop at r12 :P
  81.  
  82. lis is the same thing but with the opcode 3C, and 3D for r8+
  83.  
  84. lis:
  85.  
  86. Code:
  87. r0: 3C 00 VV VV
  88. r1: 3C 20 VV VV
  89. r2: 3C 40 VV VV
  90. r3: 3C 60 VV VV
  91. r4: 3C 80 VV VV
  92. r5: 3C A0 VV VV
  93. r6: 3C C0 VV VV
  94. r7: 3C F0 VV VV
  95.  
  96. Now for r8+ we need to add +1 to the opcode (0x38 + 0x1 = 0x39)
  97. Code:
  98. r8: 3D 00 VV VV
  99. r9: 3D 20 VV VV
  100. r10: 3D 40 VV VV
  101. r11: 3D 60 VV VV
  102. r12: 3D 80 VV VV
  103. ---------------------------
  104.  
  105. addic:
  106.  
  107. Code:
  108. 30 XY VV VV
  109.  
  110. 38 = opcode
  111. X = Register that will contain the result of the addition
  112. Y = Register that were going to add to the value
  113. VV VV = value to add to Y
  114. Now for X, the register system is that same as li/lis
  115. we add 0x20 and at r8 we change the opcode 30 to 31
  116.  
  117. but for Y, we just put the real number of the register
  118.  
  119. examples:
  120.  
  121. Code:
  122. addic r3, r4, 0xFF || 30 64 00 FF
  123. ***
  124.  
  125. Code:
  126. addic r12, r4, 0xFF || 31 84 00 FF
  127. ***
  128.  
  129. Code:
  130. addic r3, r10, 0xFF || 30 6A 00 FF || 10 = 0x0A (hexadecimal)
  131. ---------------------------
  132. Code:
  133. stb = 0x98 // 0x99 for r8+
  134. stw = 0x90 // 0x91 for r8+
  135. std = 0xF8 // 0xF9 for r8+
  136.  
  137. i will use stw for the example.
  138.  
  139. They work like addis for the XY !
  140.  
  141. Code:
  142. 90 XY VV VV
  143.  
  144. X = register that will be sent in the memory (VALUE)
  145. Y = register of the address that will receive the VALUE (X)
  146. VV VV = Temporary value to add to the address (Y)
  147.  
  148. example:
  149.  
  150. Code:
  151. lis r3, 0x2100000 || 3C 60 02 10
  152. li r4, 0x15 || 38 80 00 15
  153. stw r4, r3, 0x2101234 || 90 83 12 34
  154. //ON THIS LINE, r3 RESETS BACK TO: 0x2100000 !!!
  155.  
  156. ---------------------------
  157.  
  158. Code:
  159. lbz = 0x88 // 0x89 for r8+
  160. lwz = 0x80 // 0x81 for r8+
  161. ld = 0xE8 // 0xE9 for r8+
  162. usage (i will use lwz):
  163.  
  164. Code:
  165. 80 XY VV VV
  166.  
  167. It works like stw !!!
  168.  
  169. X = register that will contain the value read from the memory
  170. Y = register of the address that will be read
  171. VV VV = Temporary value to add to the address (Y)
  172.  
  173. Example:
  174.  
  175. Code:
  176. lis r3, 0x2100000 || 3C 60 02 10
  177. li r4, 0x15 || 38 80 00 15
  178. lwz r4, r3, 0x2101234 || 80 83 12 34
  179. //ON THIS LINE, r3 RESETS BACK TO: 0x2100000 AND r4 = the first bytes that was at: 0x2101234 !!!
  180.  
  181. -----------------------------------------
  182. Code:
  183. cmpwi = 0x2C
  184.  
  185. 2c 0Y VV VV
  186.  
  187. 0 = keep it as 0
  188. Y = Register to compare, we just put its number in hex
  189. VV VV = value that the register will be compared with
  190.  
  191. example:
  192. Code:
  193. cmpwi r3, 0x55 || 2c 03 00 55
  194. other example:
  195. Code:
  196. cmwpi r12, 0x55 || 2c 0C 00 55 //0x0C = 12 in hexadecimal
  197. ------------------------------------------
  198. Code:
  199. b = 0x48 or 0x4B
  200. bl = 0x48 or 0x4B
  201. beq = 0x41, 0x82
  202. bne = 0x40, 0x82
  203. blt = 0x41, 0x80
  204. bgt = 0x41, 0x81
  205.  
  206. Alright b and bl are tricky.
  207. //current address = address where we are jumping from
  208.  
  209. we use 48 when jumping to a location that is located AFTER the current address
  210. we use 4B when jumping to a location that is located BEFORE the current address
  211.  
  212. Code:
  213. 48/4B XX XX XX
  214.  
  215. XX XX XX = difference between current position and the location we want to jump to
  216.  
  217.  
  218. 41 82 XX XX
  219.  
  220. XX XX = difference between current position and the location we want to jump to
  221.  
  222. also, to use bl we add +1 to the difference !!
  223.  
  224. example:
  225.  
  226. Code:
  227. 0x11010: bl 0x11050 || 48 00 00 41
  228. ...
  229. 0x11050: //function...
  230. // why 84 00 00 41 ? because 0x11050 - 0x11010 = 0x40 and to make it into a bl we need to add +1
  231.  
  232. 0x40 + 1 = 0x41
  233.  
  234. so 48 00 00 41
  235.  
  236. and we use 48 because it is AFTER the current location (0x11010)
  237.  
  238. ----------------------------------------------
  239.  
  240. Now the last one, more complex
  241.  
  242.  
  243. mtctr = 7C X9 03 A6
  244.  
  245. X = register to move to the count register, if r8+, 7C becomes 7D
  246. we keep the rest as it is
  247.  
  248.  
  249. Example
  250. Code:
  251. mtctr r4 || 7C 89 03 A6
  252. mtctr r12 || 7D 89 03 A6
  253.  
  254. bctrl = 4E 80 04 21
  255. we keep it like this, BUT
  256. bctrl (bl) is like bl, but we can also transform it
  257. to bctr , which is like b
  258. Code:
  259. bctr 4E 80 04 20
  260. bctrl 4E 80 04 21
  261. ---------------------------------------------
  262.  
  263. End of lesson, i would advise keeping this in a .txt file for future reference, it is a LOT of information !
  264.  
  265. also, there is a LOT more instructions, to understand them just get in ida, search for the wanted
  266. instruction and go in hex view and try to find its usage.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!