PowerPC Tutorials [UPDATED]

02-17-2014, 04:03 PM #1

Bad Luck Brian

< ^ > < ^ >

1,322

Posts

48,634

Reputation

53

Credits

Premium

Jun 2010

NextGenUpdate

(adsbygoogle = window.adsbygoogle || []).push({}); Here is my updated tutorial on PowerPC. Smile

If you need any help in PPC pm me on NGU or on skype !

Skype: BadLuckDobby

Screenshots:

You must login or register to view this content.
You must login or register to view this content.
You must login or register to view this content.

Download for more Happy

Download: You must login or register to view this content.

Virus scan: You must login or register to view this content.

(adsbygoogle = window.adsbygoogle || []).push({});

The following 87 users say thank you to Bad Luck Brian for this useful post:

-SuperMan, Eddie Mac, AlexNGU, ALI ALHILFI, Asian, awesometuts, Azus, B777x, bAdReQuEsT, BaSs_HaXoR, BFoGvDo, Cenetic, Cien, Claww1337-, Cyb3r, Dan Dactyl, ErasedDev, elgolumm, esc0rtd3w, FBML, flynhigh09, FusionIsDaName, g9g__BASHA__g9g, Gabberhard, Geo, GFM, Im Not Boobdidas, ImAzazel, iMoDz-Baptiste, iNDMx, ItsLollo1000, Jack PPCX, ResistTheJamsha, Jannik007, Joren, jp187187, KareraHekku, KranK, Kronoaxis, Kryptus, LilBad, lucasaf01, Luphox, M320, M4K3VELi7-, Mango_Knife, Mc3942, Mx444, Nana, network10, Norway-_-1999, John, NotALegitPlayer, Notorious, Nug, OhCorzo, Vince, Prime Gaming, Pseudo_Soldier, RatchetBooty, RouletteBoi, Shark, ShutTheCrunchUp, Smoky420, SnaY, suspect0, Swifter, TheRichSlut, Teenage Modz, TheModedHacker, TheSaltCracka, TheUnknown21, TotalModzHD, tryme, Turk_Warrior, MysteryLovesYou, val26, Hash847, witchery, x_action_x, xKrazy SicknesS, Xx_GANG_xX, Xx-GIPPI-xX, XxBlud23xX, zZHackzZ

02-22-2014, 03:22 AM #11

-Blackout-

Keeper

22

Posts

30

Reputation

0

Credits

Member

Feb 2014

NextGenUpdate

Great TUT man Smile

awesome to see this kind of stuff still going around Smile

02-22-2014, 10:26 AM #12

LilBad

Haxor!

32

Posts

669

Reputation

10

Credits

Member

Dec 2013

NextGenUpdate

Great tutorials, thanks for these they are really helpful. I also appreciate your work on these topics. Hope to see more from you

02-22-2014, 11:13 AM #13

-SuperMan

Krazy Weed

843

Posts

8,498

Reputation

8

Credits

Premium

Dec 2009

NextGenUpdate

Thanks Man For The TUT will help a bunch of people who want to learn new things in the PS3 modding community.

02-22-2014, 11:56 AM #14

SnaY

Former Lead of GS

1,764

Posts

87,630

Reputation

62

Credits

NextGenUpdate Elite

May 2008

NextGenUpdate

Originally posted by Bad

SUPPORT: add me on skype for PowerPC questions: BadLuckDobby i will give you extra examples/questions and i will try to make it more clear for you if you have difficulties Smile

*********Credits for introducing me powerpc**********
- aerosoul94
-Choco
-BadChoicesZ
*********************************************

Chapter 1: Set-up
Before learning PowerPC, we need the tools and the files to be able to test our stuff. In this tutorial i will show you how to setup IDA PRO
and how to get your own self files to edit them Smile

!

Step 1: You will need to search on google and download:
-IDA PRO ADVANCED 6.1 with the PS3 plugins
-a self decryptor (True Ancestor)
-a PKG Extractor

If admins are okay with this i can post the download links with virus scan but i need their authorization.

Step 2: Extract IDA PRO somewhere and add idaq.exe to your taskbar, it's your new best friend now Smile

!

step 3: Now we need a .ELF file to open it with IDA.

There is a special link that you will bookmark. You must login or register to view this content.

BLUS30838 is the region for MW3, i will change the two 'BLUS30838' for ANY regions, in this case i will get the Ghosts
region 'BLES01945'. You can find the region of your game by googling the name of your game followed by 'BLUS'. Example: 'Ghosts BLUS' and by
navigating in the results, you will find your region

so now i will transform the url we bookmarked by changing both regions to my new region

OL Sad Awesome

You must login or register to view this content.

NEW: You must login or register to view this content.

so now in the new link i will get the link of the updates for GHOSTS. I will get the 1.07 one

You must login or register to view this content.

See the PKG Link ? in my case it's "https://b0.ww.np.dl.playstation.net/tppkg/np/BLES01945/BLES01945_T6/45702fb12894e2a7/EP0002-BLES01945_00-CALLDUTYGHOSTTU1-A0107-V0100-PE.pkg"

So now go on your PKG link and the pkg should be downloading, when done, run the pkg decryptor in the download section.
drag your pkg on the application and extract it.
you should now have a folder of your PKG.
You must login or register to view this content.

Go in the folders and search for default_mp.self

copy it to your SELF Decryptor folder. (Download Section).

now put the default_mp.self in the self folder
You must login or register to view this content.
You must login or register to view this content.

now run resigner.exe in the SELF decryptor folder and type '4' to decrypt a self file
then type the number of the self file, in my case it's 1
You must login or register to view this content.

Now in your self folder you should have an ELF file Smile

[default_mp.elf]
right click on it and click on properties, now click on 'open with' and browse to your IDA PRO Folder and select idaq.exe
You must login or register to view this content.
Then click on apply and OK.
now double click the default_mp.elf and IDA should load it up

Step 4:
you should see this:
You must login or register to view this content.

just press OK

Now you should have this screen:
You must login or register to view this content.

Close every tabs except IDA-View and Hex-View
like this:
You must login or register to view this content.

now click on Windows>Save Desktop> Check ' Awesome face

efault' and press OK

Now your layout is optimized for what we will do Smile

End of Lesson1. Yeah this lesson was short and not very helpful in PowerPC but i had to show you how to setup everything correctly so we
could learn using the same stuff Smile

!

On the next tutorial i will start teaching the PowerPC language !

Chapter 2: Load a value in a register
In this tutorial i will show you how to set a register.

first, what is a register ?
A register is a variable which contains a value.

there is 32 registers (for us)

r0 - r31, we count the register 0 too so its 32 registers in total, there is also some other registers but i won't talk about them for now.
In PowerPC we will notice them like this: r0, r1, r2, r3 etc

    

r0 = old link register,  i won't talk about it for now

r1 = stack pointer, i won't talk about it for now

r2 = table of contents pointer, i won't talk about it for now



r3 = it can be used as the first argument of a function OR as the returned value from a function

r4–r10 = Used as the 2nd to the 8th arguments of a function.

r11 = used for the PS3 Syscalls

r12 = local var

r13-r31 = global var, we use them to store a value and being able to use it later on another function.

Don't worry we won't use them all, we will focus on r3, r4 and r5 for now

so in C# we can load values in variables like this:

    

int a = 10;

string b = "Bad Luck Brian";

byte[] c = new byte[] {0x05, 0x02, 0xFF};

in powerpc we use li and lis

registers are 4 bytes, 11 22 33 44
try to imagine them like this: XX XX YY YY

li - load imediate, it sets a register in the YY YY region

example: li r3, 0x15 ::: r3 = 00 00 00 15 (0x15 is the same as 0x0015)

    

li r3, 0x1500   ::: r3 = 00 00 15 00

now lis is the same but with the XX XX region

    

lis r3, 0x26   ::: r3 = 00 26 00 00

lis r3, 0x2600 ::: r3 = 26 00 00 00

lis r3, 0x216 ::: r3 = 02 16 00 00

Now we can set 2 bytes in a register, either the XX XX or the YY YY Region. We need to include some maths to set 4 bytes, its simple.

we will use addic and addis, addic adds something to the YY YY part and addis adds something to the XX XX Part.

we use them like this:

    

addic RESULT, REGISTER, VALUE

Result = register containing the result of the addition
Register = register to be added to the value
Value = value to be added to the register

in english it would translater to this: Result = Register + Value

lets use some examples:

    

li r3, 0x15

addic r3, r3, 0x01

r3 is now equal to: 0x16 (0x15 + 0x01)

now lets set r3 to: 0xFCA2801

first of all, lets put it in a XX XX YY YY format.

we start from the RIGHT separating them bytes after bytes

    

FCA2801

FCA28 01

FCA 28 01

F CA 28 01

we add a zero before the last value ('F' Winky Winky

to reach the XX XX YY YY format

    

*************

*XX XX YY YY*

*0F CA 28 01*

*************

now i will use lis to set the XX XX part and addic to set the YY YY Part

    

lis r3, 0x0FCA            //r3 = 0F CA 00 00

addic r3, r3, 0x2801      //r3 = 0F CA 00 00  + 00 00 28 01   (0F CA 28 01)

lets do another example:

lets set r3 to: 0x1d60c

set it to the XX XX YY YY format to make it easier

    

1d60c

1d6 0c

1 d6 0c

add the zeros before it to reach XX XX YY YY

    

01 d6 0c

00 01 d6 0c



*************

*XX XX YY YY*

*00 01 d6 0c*

*************

now i will use lis to set the XX XX part and addic to set the YY YY Part

    

lis r3, 0x0001           //r3 = 00 01 00 00

addic r3, r3, 0xD60C     //r3 = 00 01 00 00  + 00 00 D6 0C  (00 01 D6 0C )



r3 = 0x0001D60c  or  0x1D60c

its simple ! Smile

in the next lesson i will teach you how to write in the memory

Chapter 3: Read/Write in the memory
In this tutorial i will show you how Read and Write in the memory.

It's the same as 'PS3.GetMemory' and 'PS3.SetMemory' but it works a bit differently.

Reading memory

We can read memory with 4 instructions.

    

lbz  (1 byte)

lhz  (2 bytes)

lwz  (4 bytes)

ld   (8 bytes)

we use them like this:

    

lwz RESULT, ADDRESS, TEMP_VAL



Result = register containing the byte at the address

ADDRESS = register containing the address to read from

TEMP_VAL= we can use it as a temporary 'addic'

example:

    

lis r3, 0xff           r3 = 00 ff 00 00   (0xff0000) 

addic r3, r3, 0x1234    r3 = 00 ff 12 34  (0xff1234)

lwz r4, r3, 0            r4 = the first 4 bytes at 0xff1234

OR

    

lis r3, 0xff

lwz r4, r3, 0x1234       <- we use it as a temporary addic to save a line !!! but WARNING: on the next line r3 will be restored to 00 ff 00 00 while 

using addic make it permanent !!!!

another example

reading the first 4 bytes at: 0x110d60c

    

lis r3, 0x0110

lwz r4, r3, 0xd60c

OR

    

lis r3, 0x0110

addic r3,r3, 0xd60c

lwz r4, r3, 0

Writing in the memory is as easy as reading it.

we will use:

    

stb   (1 byte)

sth   (2 bytes)

stw   (4 bytes)

std   (8 bytes)

we use them like this:

    

stw VALUE, ADDRESS, TEMP_VAL

example, i want to write 0x15 at: 0x2100000

    

lis r3, 0x210      (0x2100000) || 02 10 00 00

li r4, 0x15

stw r4, r3, 0

Another example would bwe to write 0x15 at: 0xFCA280

    

lis r3, 0xFC      (r3 = 00 FC 00 00)

li r4. 0x15

stw r4, r3, 0xA280   (0xFCA280)

Chapter 4: Conditions
Now we can set vartiables, assign them by reading the memory and store them in the memory too.
but what if we want to do some actions depending on a condition ?

in programming we use the 'if' and 'else if' statements
in powerpc it's different. We use 'locations'.

Let's check an example in IDA.

You must login or register to view this content.

See all these boxes of codes ? let's call them 'code location'.
to make a if/else you need to compare two value.

we will use cmpwi.

we use it like this:

CMPWI REGISTER, VALUE

this will compare the register and the value and will use a comparison register called 'CR'.
it will return one of these:
-eq (equal)
-gt (greater)
-lt (lesser)

they will have either a '1' or a '0'.

1 = true
0 = false

lets use an example:

     

li r3, 0x15

cmpwi r3, 0x19



-eq = 0        (false, they're not equal)

-lt = 1   (true, 0x15 is lesser than 0x19 )

-gt = 0 (false, 0x15 is not greater than 0x19)

lets use another example:

     

li r3, 0x15

cmpwi r3, 0x15



-eq = 1       (true, they're equal)

-lt = 0   (false, 0x15 is not lesser than 0x15 )

-gt = 0 (false, 0x15 is not greater than 0x15)

Now what ? Now we will use 'jump' and 'conditional jumps'.
Here is a list:

     

b        - jumps no matter what

beq   - jumps if -eq = 1

bne   - jumps if -eq = 0

bgt    - jumps if -gt = 1

blt     - jumps if -lt = 1

Lets use an example, lines will be included for the locations. i will use ' // ' to make a comment , BTW
each lines in ppc has a size of 4 bytes, that's why its 0, 4, 8 , C and NOTE: it's in hexadecimal

     

0:  li r3, 0x20         //set r3 to: 00 00 00 15

4: cmpwi r3, 0x30          // -eq:0 -gt:0  -lt:1

8: beq 28                       //it will not jump to :28  because -eq is false, so the program will continue to the next line ( :C) 

C: bgt 28                         //it will not jump to :28  because -lt is false, so the program will continue to the next line ( :10 )                      

10: b 14                         // jump to :14 

14: bne 1C          //will jump to 1C because -eq = 0

18:  b 28                      //this will never be executed

1C: b 28                   //it will  jump to :28 

20:  li r3, 0x1234          //not executed

24:   li r3, 0x1234          //not executed

28:  b 0           //jump back to 0 for an infinite loop, yeah

Here is the IDA pricture of this:

You must login or register to view this content.

That's it for the if/else on powerpc Smile

!

Chapter 5: Pointers

Pointers

This lesson will be short but it is very important to understand what is a pointer !

A pointer is an address containing an address as bytes.

I know it sounds weird at first but lets make an example.

we can't use 'strings' in registers so we need to use pointers to use strings !

    

0x12340000 = my string

0x55550000 = pointer

in the memory:

    

*ADDRESS  |                               *BYTES*                                  |  ASCII

0x12340000: 55 55 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

...

0x55550000: 42 61 64 20 4C 75 63 6B 20 42 72 69 61 6E 00 00  Bad Luck Brian..

here is how i would load the pointer in powerpc

    

lis r3, 0x1234

lwz r3, 0x12340000(r3)

the lis will set r3 to: 12 34 00 00 (0x12340000)
and the lwz will read the memory at 0x12340000(pointer) and store it in r3

so r3 = 0x55550000 (55 55 00 00)

now r3 will contain the address of the string , of course in this case we could just use lis r3, 0x5500
but sometimes we have to use pointers like in RPC where the address of the function to call will be stored as bytes at our address

example of rpc:

    

//0x2100000 = pointer to call



//read memory to get your arguments using lwz

lis r9, 0x210   (0x2100000)   //time to load the address

mtctr r9  //this will save the address in a special register (count register), will talk about it in the next lesson

bctrl  //this will call the address in the count register, will talk about it in the next lesson

that's why pointers are important ! Smile

Chapter 6: Calling a function

Calling a function

in C# we call our functions like this: Example(arg1, arg2, arg3);
example: MessageBox.Show("Bad Luck Brian", "title here");

in powerpc its a bit more complicated but its still simple ^^

we will use 'bl'

bl is like 'b', it jumps to a location but bl will continue to the next line with the returned value

example of 'b'

:0 li r3, 0x15
:1 b 6
:2 //Not executed
:3 //Not executed
:4 //Not executed
:5 //Not executed
:6 //stuff goes here, its a function..executed

:0 li r3, 0x15
:1 bl :6 //goto :6 and when done with it continue at :2
:2 // executed
:3 // executed
:4 // executed
:5 // executed
:6 //executed

calling functions in powerpc is a must and we will use it really often.
i will make some examples later on calling functions

There is another way of calling functions, we will use pointers.

we use mtctr and bctrl

we use mtctr like this:

mtctr REGISTER

Register = register containing the address to call

and to call it we just use bctrl

example:

    

//0x2100000 contains:  00 12 34 56   (0x123456),  

//0x123456 = function i wanna call



lis r3, 0x210   //loads the address: 0x2100000 in r3

lwz r3, r3        //read at: 0x2100000  and store the value in r3 (4 bytes)

mtctr r3           //store r3 in the count register

bctrl               //call the value in the count register

Chapter 7: Writing PowerPC in IDA PRO

Writing PPC in IDA

So now we learned these things:

-setting a value
-Read/Write in memory
-Code location (Conditional jumps)
-Calling a function

So what about we start writing in our ELF file in IDA Pro ?

This tutorial will also include a video tutorial but not for now

Each line of ppc is 4 bytes in length !

example:

    

lis r3, 0xFF1    <- it will be written in 4 bytes   (3c 60 0f f1)  <- will explain soon

each instruction as an opcode, an opcode is the hex value of the instruction.

i will make a list of some opcodes, to find any opcodes, just go in ida, click on an instruction and go to hex view.

    

li = 0x38

lis = 0x3C

addic = 0x30

stb = 0x98

stw = 0x90

std = 0xF8

lbz = 0x88

lwz = 0x80

ld = 0xE8

cmpwi = 0x2C

b = 0x48 or 0x4B  

bl = 0x48 or 0x4B

beq = 0x41, 0x82

bne = 0x40, 0x82

blt = 0x41, 0x80

bgt = 0x41, 0x81

mtctr = 0x7C, 0x69, 0x03, 0xA6

bctrl = 0x4E, 0x80, 0x04, 0x21

Now this is the hard part.

i will write the usage for all of them.

******* li / lis **********
li:

    

38 XX VV VV



38 = opcode

XX = Register to load the value into

VV VV = value to load in the register

Now i will explain the XX

you have to add 0x20 for each register

    

r0:  38 00 VV VV

r1:  38 20 VV VV

r2:  38 40 VV VV

r3:  38 60 VV VV

r4:  38 80 VV VV

r5:  38 A0 VV VV

r6:  38 C0 VV VV

r7:  38 F0 VV VV

Now for r8+ we need to add +1 to the opcode (0x38 + 0x1 = 0x39)

    

r8:  39 00 VV VV

r9:  39 20 VV VV

r10: 39 40 VV VV

r11: 39 60 VV VV

r12: 39 80 VV VV

i will stop at r12

lis is the same thing but with the opcode 3C, and 3D for r8+

lis:

    

r0:  3C 00 VV VV

r1:  3C 20 VV VV

r2:  3C 40 VV VV

r3:  3C 60 VV VV

r4:  3C 80 VV VV

r5:  3C A0 VV VV

r6:  3C C0 VV VV

r7:  3C F0 VV VV

Now for r8+ we need to add +1 to the opcode (0x38 + 0x1 = 0x39)

    

r8:  3D 00 VV VV

r9:  3D 20 VV VV

r10: 3D 40 VV VV

r11: 3D 60 VV VV

r12: 3D 80 VV VV

---------------------------

addic:

    

30 XY VV VV



38 = opcode

X = Register that will contain the result of the addition

Y = Register that were going to add to the value

VV VV = value to add to Y

Now for X, the register system is that same as li/lis
we add 0x20 and at r8 we change the opcode 30 to 31

but for Y, we just put the real number of the register

examples:

    

addic r3, r4, 0xFF ||   30 64 00 FF

***

    

addic r12, r4, 0xFF ||  31 84 00 FF

***

    

addic r3, r10, 0xFF || 30 6A 00 FF     ||  10 = 0x0A  (hexadecimal)

---------------------------

    

stb = 0x98    // 0x99 for r8+

stw = 0x90    // 0x91 for r8+

std = 0xF8    // 0xF9 for r8+

i will use stw for the example.

They work like addis for the XY !

    

90 XY VV VV



X = register that will be sent in the memory   (VALUE)

Y = register of the address that will receive the VALUE (X)

VV VV = Temporary value to add to the address  (Y)

example:

    

lis r3, 0x2100000      || 3C 60 02 10

li r4, 0x15            || 38 80 00 15

stw r4, r3, 0x2101234  || 90 83 12 34

//ON THIS LINE, r3 RESETS BACK TO: 0x2100000 !!!

---------------------------

    

lbz = 0x88  // 0x89 for r8+

lwz = 0x80  // 0x81 for r8+

ld = 0xE8   // 0xE9 for r8+

usage (i will use lwz):

    

80 XY VV VV



It works like stw !!!



X = register that will contain the value read from the memory 

Y = register of the address that will be read

VV VV = Temporary value to add to the address (Y)

Example:

    

lis r3, 0x2100000      || 3C 60 02 10

li r4, 0x15            || 38 80 00 15

lwz r4, r3, 0x2101234  || 80 83 12 34

//ON THIS LINE, r3 RESETS BACK TO: 0x2100000  AND r4 = the first bytes that was at: 0x2101234 !!!

-----------------------------------------

    

cmpwi = 0x2C 



2c 0Y VV VV



0 = keep it as 0

Y = Register to compare, we just put its number in hex

VV VV = value that the register will be compared with

example:

    

cmpwi r3, 0x55  || 2c 03 00 55

other example:

    

cmwpi r12, 0x55 || 2c 0C 00 55    //0x0C = 12 in hexadecimal

------------------------------------------

    

b = 0x48 or 0x4B    

bl = 0x48 or 0x4B

beq = 0x41, 0x82

bne = 0x40, 0x82

blt = 0x41, 0x80

bgt = 0x41, 0x81

Alright b and bl are tricky.
//current address = address where we are jumping from

we use 48 when jumping to a location that is located AFTER the current address
we use 4B when jumping to a location that is located BEFORE the current address

    

48/4B XX XX XX



XX XX XX = difference between current position and the location we want to jump to





41 82 XX XX 



XX XX = difference between current position and the location we want to jump to



also, to use bl we add +1 to the difference !!

example:

    

0x11010:  bl 0x11050   || 48 00 00 41     

...

0x11050: //function...

// why 84 00 00 41 ? because 0x11050 - 0x11010 = 0x40 and to make it into a bl we need to add +1

0x40 + 1 = 0x41

so 48 00 00 41

and we use 48 because it is AFTER the current location (0x11010)

----------------------------------------------

Now the last one, more complex

mtctr = 7C X9 03 A6

X = register to move to the count register, if r8+, 7C becomes 7D
we keep the rest as it is

Example

    

mtctr r4   || 7C 89 03 A6

mtctr r12  || 7D 89 03 A6

bctrl = 4E 80 04 21
we keep it like this, BUT
bctrl (bl) is like bl, but we can also transform it
to bctr , which is like b

    

bctr    4E 80 04 20

bctrl   4E 80 04 21

---------------------------------------------

End of lesson, i would advise keeping this in a .txt file for future reference, it is a LOT of information !

also, there is a LOT more instructions, to understand them just get in ida, search for the wanted
instruction and go in hex view and try to find its usage. Smile

Great job m8 :wub:

The following user thanked SnaY for this useful post:

Bad Luck Brian

02-23-2014, 05:11 AM #15

Bad Luck Brian

< ^ > < ^ >

1,322

Posts

48,634

Reputation

53

Credits

Premium

Jun 2010

NextGenUpdate

Originally posted by SnaY

Great job m8 :wub:

Thanks bro Happy

03-01-2014, 12:55 PM #16

Jannik007

Do a barrel roll!

111

Posts

2,487

Reputation

61

Credits

Member

Mar 2013

NextGenUpdate

Nice Tutorial man Smile

but i miss the relation to a game maybe CoD Ghosts. Would be awesome when you would explain how to find some offsets or so Smile

)

Keep going on with this Smile

03-01-2014, 07:46 PM #17

Bad Luck Brian

< ^ > < ^ >

1,322

Posts

48,634

Reputation

53

Credits

Premium

Jun 2010

NextGenUpdate

Originally posted by Jannik007

Nice Tutorial man Smile

but i miss the relation to a game maybe CoD Ghosts. Would be awesome when you would explain how to find some offsets or so Smile

)

Keep going on with this Smile

This is the language you need to learn if you want to mod any games on the PS3 like GTA V, COD, FIFA etc. I might make a tutorial on how to find addresses/functions soon but not atm, too busy with school/life ^^

03-01-2014, 09:08 PM #18

Jannik007

Do a barrel roll!

111

Posts

2,487

Reputation

61

Credits

Member

Mar 2013

NextGenUpdate

Ok thanks mate :-)

03-17-2014, 02:20 PM #19

zZHackzZ

Climbing up the ladder

460

Posts

3,710

Reputation

26

Credits

Member

May 2012