Post: PowerPC Assembly basics [part 1]
11-01-2013, 01:11 PM #1
Hi everyone, today I wanted to make a tutorial on PowerPC.

SETTING A REGISTER [SMALL VALUES]

First of all we will learn to mess with the registers. We use them as variables. (r1, r2, r3, r4, r5, r6, r7... it goes up to r31)


IMPORTANT: When loading a value into a register, it always stores it as 4 bytes (for the basics)


Load Immediate ("li"): this will load a value into a register
Example: li r3, 0x64 (in memory it would be 00 00 00 64 (remember it's 4 bytes))

Load Immediate Shifted ("lis"): same as li but it will shift it.
Example: lis r3, 0x64 would be: 00 64 00 00

Tips about li/lis:
imagine your 4 bytes like this: XX XX YY YY
lis can write in the XX XX and li can write in the YY YY
lis/li || X/Y

Now here are some exercises on lis/li using the register r3



I want my 4 bytes to look like this: 00 00 00 12
Solution: li r3, 0x12

Now I want my 4 bytes to look like this: 00 00 12 00
Solution: li r3, 0x1200

Now I want my 4 bytes to look like this: 00 12 00 00
Solution: lis r3, 0x12

Now I want my 4 bytes to look like this: 12 00 00 00
Solution: lis r3, 0x1200




SETTING A REGISTER [BIG VALUES]

Now it's cool, we can write in our 4 bytes this way: XX XX YY YY
but what if we want to write to both parts, X AND Y?

we will use addic, which means addition immediate carrying

addic is used this way: addic RESULT, REGISTER, Value

RESULT = register that will HOLD the result of the addition
REGISTER = the register that will be added to the Value
Value = value to add to the REGISTER

Example: li r3, 0x01
addic r4, r3, 0x04

r4 is now equal to 0x05 (0x01 + 0x04 = 0x05)

Example 2: lis r3, 0x06 (r3 = 00 06 00 00)
addic r3, r3, 0x3000

r3 is now equal to: 00 06 30 00 (0x063000)

Now let's load an address, 0x2005000
we would first split it into bytes starting from the RIGHT

0x2005000
2005000
20050 00
200 50 00
2 00 50 00
02 00 50 00 <- final bytes, we added a 0 to the 2 so it can be a byte! 2 00 50 00 is not valid because of the "2", and 02 is the same as 2, so 02 00 50 00

now how would we load it into a register? It's simple, first we will compare it to my XX XX YY YY format

02 00 50 00
XX XX YY YY

I always start with the XX XX values

lis r3, 0x0200 (r3 = 02 00 00 00, don't forget it's shifted)

then I add the YY YY to it
addic r3, r3, 0x5000

so this will add 0x5000 to 0x02000000 (0x02005000)

final form:
lis r3, 0x200
addic r3, r3, 0x5000
so r3 is now equal to 0x02005000 or 0x2005000 (the zeros BEFORE the address can be removed, it's the same as 000010... 000010 = 10)


Now let's do some exercises


Exercise 1: I want you to set r3 to 0xFCA280
Solution:
0xFCA280
first we will split it from the RIGHT as always!

fca280
fca2 80
fc a2 80

Now we only have 3 bytes; we always work with 4 bytes, so we add zeros BEFORE the number
00 fc a2 80

now we start with XX XX, then after we add the YY YY

lis r3, 0x00fc
addic r3, r3, 0xA280

*r3 is now equal to 0x00FCA280 or 0xFCA280 (the zeros BEFORE the address can be removed, it's the same as 000010... 000010 = 10)




Exercise 2: now I want you to set r3 to 0x110d60c
Solution:

first we split the address into 4 bytes starting from the right.

110d60c
110d6 0c
110 d6 0c
1 10 d6 0c

now there is a "1" that is alone, that's not a byte, let's put a zero before it

01 10 d6 0c

don't forget, putting zeros BEFORE a number doesn't affect it! 000001 = 1 but 10000 = 10000... zeros before a number don't change it.

so now we have 01 10 d6 0c (0x0110d60c)

now let's set the XX XX YY YY

lis for XX and li for YY

lis r3, 0x0110
addic r3, r3, 0xd60c

r3 is now equal to 0x0110d60c or 0x110d60c







STORING A REGISTER IN THE MEMORY

STW: Store Word
what does stw do? It stores 4 bytes somewhere in memory, it's writing to memory in other words.
Usage: STW VALUE, ADDRESS, ADD

Example:
li r3, 0x64
lis r4, 0x0110
stw r3, r4, 0xd60c (0x110d60c)

now r4 (0x110d60c) will look like this in memory: 00 00 00 64

Explanation:
STW VALUE, ADDRESS, ADD

VALUE: value to store at the address, it's a register
ADDRESS: address in memory where we will store our VALUE
ADD: Awesome, with stw we can add a value to the ADDRESS without the use of addic; it's OPTIONAL, we can just set it to 0 if we don't want to add something to the address

here is an example of the ADD value

lis r3, 0x0200 (r3 is now equal to 02 00 00 00, 0x02000000)
li r4, 0x64 (r4 is equal to 00 00 00 64)
stw r4, r3, 0x5000

*stw r4, r3, 0x5000* -> we add 0x5000 to r3 just like with addic, so now r4 is equal to 0x02005000 (02 00 50 00)

Exercises:


Exercise 1: I want you to set your value to (12 34 56 78) and I want you to send it to this address: 0xFCA280; you can use any registers from r3 to r8
Solution:

alright so I will start with setting r4 with the value

lis r4, 0x1234
addic r4, r4, 0x5678 (now r4 is equal to 12 34 56 78)

now let's set the address for r3 (00 FC A2 80)

lis r3, 0x00FC

alright, I will set the rest in the stw instead of using another addic

stw r4, r3, 0xA280 (FCA280)

final form:
lis r4, 0x1234
addic r4, r4, 0x5678
lis r3, 0x00FC
stw r4, r3, 0xA280



Exercise 2: I want you to send these bytes (A2 00 F8 19) to this address: 0x277208
Solution:

I will set my address to r3, then my value to r4

value:
lis r4, 0xA200
addic r4, r4, 0xF819

address: (00 27 72 08) how I did it: (0x277208 > 277208 > 2772 08 > 27 72 08 > 00 27 72 08 || don't forget, zeros before a value don't affect it, and we need 4 bytes)
lis r3, 0x0027

STW:

stw r4, r3, 0x7208

FINAL:

lis r4, 0xA200
addic r4, r4, 0xF819
lis r3, 0x0027
stw r4, r3, 0x7208

now the address 0x277208 looks like this in memory: A2 00 FB 19






Real Situations

Now we have learned how to set a register and how to store it; reading memory and finding 'offsets' will come in the next tutorial.
But with setting a register and storing it, what can we do? A lot already.

writing to memory is an exclusive privilege for DEX users, but with PPC we can do it for CEX users using an eboot

now let's imagine this situation:

the address for UAV offhost is 0xFE167C4 (it's fake of course)

we want to set this value to 00 00 ff ff to enable it permanently on any game

How would you do it in ppc ?

Solution:

I will set my address to r3 and my value to r4

VALUE:
li r4, 0xFFFF
Address:
lis r3, 0x0FE1

Store:

stw r4, r3, 0x67C4


Final Result:

li r4, 0xFFFF
lis r3, 0x0FE1
stw r4, r3, 0x67C4



Alright, this will conclude my part 1 on PPC basics; I will teach the rest in another tutorial, such as how to find offsets in IDA by reading PPC


Skype: KevTseDeja

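As an added example (not from the original post), here is a small Python simulator of li, lis, addic, ori and stw that treats 16-bit immediates the way real PowerPC does: li, lis, addic and the stw offset sign-extend their immediate, so a low half of 0x8000 or above (such as 0xA280 or 0xd60c in the exercises) comes out 0x10000 too low with addic, while ori (assumed here as the usual fix) does not sign-extend. The register numbering, big-endian memory model and helper names are mine.

```python
# Added example (not the post's own code): a minimal simulator of the
# instructions used above, with 16-bit immediates handled as on real PowerPC.
MASK32 = 0xFFFFFFFF

def sext16(v):
    """Sign-extend a 16-bit immediate (li, lis, addic and stw offsets use this)."""
    v &= 0xFFFF
    return v - 0x10000 if v & 0x8000 else v

class PPC:
    def __init__(self):
        self.r = [0] * 32   # r0..r31
        self.mem = {}       # byte address -> byte value (big-endian words)

    def li(self, rd, imm):            # li rd, imm   (= addi rd, 0, imm)
        self.r[rd] = sext16(imm) & MASK32
    def lis(self, rd, imm):           # lis rd, imm  (= addis rd, 0, imm)
        self.r[rd] = (sext16(imm) << 16) & MASK32
    def addic(self, rd, ra, imm):     # addic rd, ra, imm
        self.r[rd] = (self.r[ra] + sext16(imm)) & MASK32
    def ori(self, ra, rs, imm):       # ori ra, rs, imm (zero-extended, no sign)
        self.r[ra] = self.r[rs] | (imm & 0xFFFF)
    def stw(self, rs, d, ra):         # stw rs, d(ra): store 4 bytes at ra + d
        addr = (self.r[ra] + sext16(d)) & MASK32
        for i, b in enumerate(self.r[rs].to_bytes(4, "big")):
            self.mem[(addr + i) & MASK32] = b
    def dump(self, addr, n=4):        # read n bytes back (unwritten bytes are 0)
        return bytes(self.mem.get(addr + i, 0) for i in range(n))

def load_addic(value):
    """The tutorial's lis + addic pattern; wrong when the low half is >= 0x8000."""
    cpu = PPC()
    cpu.lis(3, value >> 16)
    cpu.addic(3, 3, value & 0xFFFF)
    return cpu.r[3]

def load_ori(value):
    """lis + ori builds any 32-bit value, because ori does not sign-extend."""
    cpu = PPC()
    cpu.lis(3, value >> 16)
    cpu.ori(3, 3, value & 0xFFFF)
    return cpu.r[3]

def uav_store():
    """The closing 'real situation' sequence; returns (address, bytes stored)."""
    cpu = PPC()
    cpu.li(4, 0xFFFF)        # li r4, 0xFFFF  -> sign-extends to FF FF FF FF
    cpu.lis(3, 0x0FE1)       # lis r3, 0x0FE1
    cpu.stw(4, 0x67C4, 3)    # stw r4, 0x67C4(r3)
    return 0x0FE167C4, cpu.dump(0x0FE167C4)
```

Note that the same sign extension applies to li: li r4, 0xFFFF stores FF FF FF FF, so a 00 00 FF FF word needs lis r4, 0 followed by ori r4, r4, 0xFFFF.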
02-10-2014, 04:02 PM #11
good job
02-28-2014, 06:52 PM #12
part 2 =3 ?
<3
06-08-2019, 12:55 AM #13
Joshii
Rookie
Nice Tut!

Copyright © 2024, NextGenUpdate.
All Rights Reserved.