Hi everyone, today I wanted to make a tutorial on PowerPC (PPC) assembly.
SETTING A REGISTER [SMALL VALUES]
First of all we will learn to mess with the registers. We use them as variables (r0, r1, r2, r3, r4, r5, r6, r7 ... it goes up to r31).
IMPORTANT: for the basics, think of a register as always holding 4 bytes (32 bits).
Load Immediate ("li"): this loads a value into a register.
Example: li r3, 0x64 (in the register it is 00 00 00 64, remember it's 4 bytes)
Caveat: the value you give li is a 16-bit SIGNED field. 0x0000 to 0x7FFF load as you expect, but 0x8000 to 0xFFFF are sign-extended: li r3, 0x8000 gives FF FF 80 00, not 00 00 80 00. For those values use lis followed by ori (OR immediate, whose 16-bit value is always unsigned).
Load Immediate Shifted ("lis"): same as li but the value is shifted into the upper 2 bytes.
Example: lis r3, 0x64 would be: 00 64 00 00
Tips about li/lis:
imagine your 4 bytes like this: XX XX YY YY
lis writes the XX XX part and li writes the YY YY part:
lis -> XX XX, li -> YY YY
Now here are some exercises on lis/li using the register r3
I want my 4 bytes to look like this: 00 00 00 12
Solution:
li r3, 0x12
Now I want my 4 bytes to look like this: 00 00 12 00
Solution:
li r3, 0x1200
Now I Want my 4 bytes to look like this: 00 12 00 00
Solution:
lis r3, 0x12
Now I Want my 4 bytes to look like this: 12 00 00 00
Solution:
lis r3, 0x1200
SETTING A REGISTER [BIG VALUES]
Now that's cool, we can write either half of our 4 bytes: XX XX YY YY
but what if we want to write both parts, X AND Y?
One way is addic, which means add immediate carrying:
addic RESULT, REGISTER, Value
RESULT = register that will HOLD the result of the addition
REGISTER = the register that the Value is added to
Value = the value to add to REGISTER
Example: li r3, 0x01
addic r4, r3, 0x04
r4 is now equal to 0x05 (0x01 + 0x04 = 0x05)
Example 2: lis r3, 0x06 (r3 = 00 06 00 00)
addic r3, r3, 0x3000
r3 is now equal to 00 06 30 00 (0x00063000)
IMPORTANT: like li, the Value of addic is a 16-bit SIGNED field. 0x0000 to 0x7FFF are added as-is, but 0x8000 to 0xFFFF are treated as negative (0xA280 means -0x5D80), so addic gives the wrong answer for those. For the YY YY half use ori (OR immediate) instead, whose 16-bit value is always unsigned:
ori RESULT, REGISTER, Value
It ORs the Value into the low 2 bytes. Since lis leaves YY YY at 00 00, the result is the same as an addition, and it works for every YY YY value. This lis/ori pair is the standard way to load a 32-bit constant on PowerPC, so I will use ori from here on.
Now let's load an address, 0x2005000
we first split it into bytes starting from the RIGHT:
0x2005000
2005000
20050 00
200 50 00
2 00 50 00
02 00 50 00 <- final bytes. We added a 0 in front of the 2 so it makes a full byte: "2 00 50 00" is not valid because of the lone "2", and 02 is the same value as 2.
Now how do we load it into a register? It's simple: first compare it to the XX XX YY YY format
02 00 50 00
XX XX YY YY
I always start with the XX XX values:
lis r3, 0x0200 (r3 = 02 00 00 00, don't forget it's shifted)
then I OR the YY YY into it:
ori r3, r3, 0x5000
this adds 0x5000 to 0x02000000 (0x02005000)
Final form:
lis r3, 0x0200
ori r3, r3, 0x5000
so r3 is now equal to 0x02005000, or 0x2005000 (the zeros BEFORE the number can be dropped, it's the same as 000010 = 10)
Now let's do some exercises
Exercise 1: I want you to set r3 to 0xFCA280
Solution:
0xFCA280
first we split it from the RIGHT, as always!
fca280
fca2 80
fc a2 80
Now we only have 3 bytes; we always work with 4 bytes, so we add zeros BEFORE the number:
00 fc a2 80
now we start with XX XX, then we OR in the YY YY (0xA280 is 0x8000 or more, so addic would NOT work here, ori does):
lis r3, 0x00FC
ori r3, r3, 0xA280
r3 is now equal to 0x00FCA280, or 0xFCA280 (the zeros BEFORE the number can be dropped, it's the same as 000010 = 10)
Exercise 2: now I want you to set r3 to 0x110d60c
Solution:
first we split the address into 4 bytes starting from the right:
110d60c
110d6 0c
110 d6 0c
1 10 d6 0c
now there is a "1" that is alone, that's not a byte, let's put a zero before it:
01 10 d6 0c
don't forget, putting zeros BEFORE a number doesn't affect it! 000001 = 1, but 10000 = 10000. Zeros before a number don't change it.
so now we have 01 10 d6 0c (0x0110d60c)
now let's set XX XX YY YY:
lis for XX XX and ori for YY YY (0xd60c is 0x8000 or more, so again addic would give the wrong result)
lis r3, 0x0110
ori r3, r3, 0xd60c
r3 is now equal to 0x0110d60c, or 0x110d60c
STORING A REGISTER IN MEMORY
STW: Store Word
What does stw do? It stores 4 bytes (a word) somewhere in memory; in other words, it writes to memory.
Usage: stw VALUE, ADD(ADDRESS)
(this is the standard assembler syntax: the register to store first, then the displacement with the address register in parentheses)
Example:
li r3, 0x64
lis r4, 0x0110
ori r4, r4, 0xd60c (r4 = 0x0110d60c)
stw r3, 0(r4)
now the memory at 0x0110d60c looks like this: 00 00 00 64
Explanation:
stw VALUE, ADD(ADDRESS)
VALUE: the value to store at the address, it's a register
ADDRESS: a register holding the address in memory where VALUE will be stored
ADD: an optional displacement that is added to ADDRESS for this store only, without changing the register and without needing addic/ori. Set it to 0 if you don't want to add anything.
Here is an example of the ADD value:
lis r3, 0x0200 (r3 is now equal to 02 00 00 00, 0x02000000)
li r4, 0x64 (r4 is equal to 00 00 00 64)
stw r4, 0x5000(r3)
-> the CPU adds 0x5000 to r3 just like addic would, so the 4 bytes of r4 (00 00 00 64) are written at 0x02005000 (02 00 50 00). r3 itself is not changed.
Caveat: the displacement is a 16-bit SIGNED field, exactly like the value of li and addic. 0x0000 to 0x7FFF go forward, 0x8000 to 0xFFFF go backwards (0xA280 means -0x5D80). If the YY YY of your address is 0x8000 or more, either finish the address with ori and use 0(ADDRESS), or load the XX XX plus one with lis and use the negative displacement (this is what compilers do).
Exercises:
Exercise 1: I want you to set your value to 12 34 56 78 and send it to this address: 0xFCA280. You can use any registers from r3 to r8.
Solution:
alright, I will start by setting r4 to the value
lis r4, 0x1234
ori r4, r4, 0x5678 (now r4 is equal to 12 34 56 78)
now let's set the address in r3 (00 FC A2 80)
The YY YY is 0xA280, which is 0x8000 or more, so I can't use it directly as the displacement (it would mean -0x5D80). I load the XX XX plus one instead:
lis r3, 0x00FD (r3 = 0x00FD0000)
and set the rest in the stw with a negative displacement instead of using another ori:
stw r4, -0x5D80(r3) (0x00FD0000 - 0x5D80 = 0x00FCA280)
final form:
lis r4, 0x1234
ori r4, r4, 0x5678
lis r3, 0x00FD
stw r4, -0x5D80(r3)
Exercise 2: I want you to send these bytes (A2 00 F8 19) to this address: 0x277208
Solution:
I will put my address in r3, then my value in r4
value:
lis r4, 0xA200
ori r4, r4, 0xF819
address: (00 27 72 08, how I did it: 0x277208 > 277208 > 2772 08 > 27 72 08 > 00 27 72 08 || don't forget, zeros before a value don't affect it and we need 4 bytes)
lis r3, 0x0027
STW: (the YY YY 0x7208 is below 0x8000, so it fits in the displacement as-is)
stw r4, 0x7208(r3)
FINAL:
lis r4, 0xA200
ori r4, r4, 0xF819
lis r3, 0x0027
stw r4, 0x7208(r3)
now the address 0x277208 looks like this in memory: A2 00 F8 19
REAL SITUATIONS
Now we have learned how to set a register and how to store it; reading memory and finding 'offsets' will come in the next tutorial.
But what can we do with just setting a register and storing it? A lot already.
Writing to memory is an exclusive privilege of DEX users, but with PPC we can do it for CEX users using an eboot.
Now let's imagine this situation:
the address for UAV offhost is 0xFE167C4 (it's fake of course)
we want to set this value to 00 00 FF FF to enable it permanently in any game.
How would you do it in PPC?
Solution:
I will put my address in r3 and my value in r4
VALUE: (careful, li r4, 0xFFFF would NOT work: li sign-extends, so you would get FF FF FF FF. Clear the register and OR the low half in.)
li r4, 0
ori r4, r4, 0xFFFF
Address: (0F E1 67 C4; the YY YY 0x67C4 is below 0x8000, so it fits in the stw displacement)
lis r3, 0x0FE1
Store:
stw r4, 0x67C4(r3)
Final Result:
li r4, 0
ori r4, r4, 0xFFFF
lis r3, 0x0FE1
stw r4, 0x67C4(r3)
now the 4 bytes at 0x0FE167C4 are 00 00 FF FF.
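The splitting into XX XX / YY YY, the sign-extension of li/addic and of the stw displacement, and the final "set a value, store it" procedure above, as an added example. This is my own helper, not code from the original tutorial: it emits lis/ori (or a lone li) for a 32-bit value, forms the address register so a signed stw displacement lands on the target, encodes the instructions to PowerPC machine words (the raw bytes you would paste into an eboot patch), and runs them through a tiny simulator so the wrong results of the naive addic / li variants are visible. It assumes 32-bit big-endian words and a sparse byte-addressed memory; the register numbers and addresses are the tutorial's constructed samples.

```python
"""Added example (not from the original tutorial): lis/ori splitting, D-form encoding,
and a tiny simulator showing why li/addic/stw immediates must be treated as signed."""

MASK32 = 0xFFFFFFFF
# Primary opcodes (bits 0-5) of the D-form instructions used in the tutorial.
OPCODES = {"li": 14, "addi": 14, "lis": 15, "addis": 15, "addic": 12, "ori": 24, "stw": 36}


def sext16(imm):
    """Sign-extend a 16-bit field, which is what the CPU does for li/addi/addic/stw."""
    imm &= 0xFFFF
    return imm - 0x10000 if imm & 0x8000 else imm


def lo(value):
    """YY YY: the low 16 bits."""
    return value & 0xFFFF


def hi(value):
    """XX XX: the high 16 bits."""
    return (value >> 16) & 0xFFFF


def ha(value):
    """High half adjusted for a signed low half (the @ha relocation): when bit 15
    of YY YY is set the CPU will subtract 0x10000, so add one to XX XX up front."""
    return (hi(value) + (1 if value & 0x8000 else 0)) & 0xFFFF


def load32(rd, value):
    """Instructions that put a 32-bit value in rd: a single li when the value fits
    in a signed 16-bit immediate, otherwise lis for XX XX and ori for YY YY."""
    value &= MASK32
    if value < 0x8000 or value >= 0xFFFF8000:
        return [("li", rd, 0, lo(value))]
    seq = [("lis", rd, 0, hi(value))]
    if lo(value):
        seq.append(("ori", rd, rd, lo(value)))  # (ori, dest, src, unsigned imm)
    return seq


def store32(rs, ra, addr):
    """Form ra so that a signed stw displacement lands exactly on addr, then store rs."""
    return [("lis", ra, 0, ha(addr)), ("stw", rs, ra, lo(addr))]


def encode(ins):
    """Machine word for one (mnemonic, rT, rA, imm16) tuple."""
    mnem, rt, ra, imm = ins
    if mnem == "ori":  # ori rA, rS, UIMM: rS sits in bits 6-10, rA in bits 11-15
        rt, ra = ra, rt
    return (OPCODES[mnem] << 26) | (rt << 21) | (ra << 16) | (imm & 0xFFFF)


def run(program, regs=None, mem=None):
    """Execute the tuples; returns (register dict, sparse byte-addressed memory dict)."""
    regs = dict(regs or {})
    mem = dict(mem or {})

    def reg(r):
        return regs.get(r, 0)

    for mnem, rt, ra, imm in program:
        base = reg(ra) if ra else 0  # rA = 0 reads as literal zero in addi/addis/stw
        if mnem in ("li", "addi"):
            regs[rt] = (base + sext16(imm)) & MASK32
        elif mnem in ("lis", "addis"):
            regs[rt] = (base + (sext16(imm) << 16)) & MASK32
        elif mnem == "addic":  # no r0 special case, and the immediate is signed
            regs[rt] = (reg(ra) + sext16(imm)) & MASK32
        elif mnem == "ori":  # tuple is (ori, dest, src, imm); the immediate is unsigned
            regs[rt] = reg(ra) | (imm & 0xFFFF)
        elif mnem == "stw":
            ea = (base + sext16(imm)) & MASK32
            for i, b in enumerate(reg(rt).to_bytes(4, "big")):
                mem[(ea + i) & MASK32] = b
        else:
            raise ValueError(mnem)
    return regs, mem


def read32(mem, addr):
    """Big-endian word at addr from the sparse memory."""
    return int.from_bytes(bytes(mem.get((addr + i) & MASK32, 0) for i in range(4)), "big")


if __name__ == "__main__":
    # The tutorial's last example: write 00 00 FF FF to the (fake) address 0x0FE167C4.
    prog = load32(4, 0xFFFF) + store32(4, 3, 0x0FE167C4)
    for ins in prog:
        print(f"{encode(ins):08X}  {ins}")
    _, mem = run(prog)
    print(hex(read32(mem, 0x0FE167C4)))  # 0xffff
    # What a plain "li r4, 0xFFFF" really does: the immediate is sign-extended.
    print(hex(run([("li", 4, 0, 0xFFFF)])[0][4]))  # 0xffffffff
```

Feeding the tutorial's own "lis r3, 0x00FC / addic r3, r3, 0xA280" pair to run() lands on 0x00FBA280 rather than 0x00FCA280, which is the whole reason the YY YY half is ORed in with ori, or the XX XX half bumped by one when the low half has to go into a signed displacement.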
Alright, this concludes part 1 of the PPC basics. I will cover the rest in another tutorial, such as how to find offsets in IDA by reading PPC.
Skype: KevTseDeja