SUPPORT: add me on Skype for PowerPC questions: BadLuckDobby. I will give you extra examples/questions and I will try to make it clearer for you if you have difficulties.
*********Credits for introducing me to PowerPC**********
- aerosoul94
- Choco
- BadChoicesZ
*********************************************
Chapter 1: Set-up
Before learning PowerPC, we need the tools and the files to be able to test our stuff. In this tutorial I will show you how to set up IDA PRO
and how to get your own SELF files so you can edit them.
Step 1: You will need to search on Google and download:
- IDA PRO ADVANCED 6.1 with the PS3 plugins
- a SELF decryptor (True Ancestor)
- a PKG extractor
If admins are okay with this I can post the download links with a virus scan, but I need their authorization.
Step 2: Extract IDA PRO somewhere and add idaq.exe to your taskbar; it's your new best friend now.
Step 3: Now we need a .ELF file to open with IDA.
There is a special link that you will bookmark.
BLUS30838 is the region for MW3. I will change the two 'BLUS30838' for ANY region; in this case I will get the Ghosts
region 'BLES01945'. You can find the region of your game by googling the name of your game followed by 'BLUS'. Example: 'Ghosts BLUS', and by
navigating the results you will find your region.
So now I will transform the URL we bookmarked by changing both regions to my new region.
Now in the new link I will get the link of the updates for GHOSTS. I will take the 1.07 one.
See the PKG link? In my case it's "https://b0.ww.np.dl.playstation.net/tppkg/np/BLES01945/BLES01945_T6/45702fb12894e2a7/EP0002-BLES01945_00-CALLDUTYGHOSTTU1-A0107-V0100-PE.pkg"
So now go to your PKG link and the PKG should be downloading. When done, run the PKG decryptor from the download section:
drag your PKG onto the application and extract it.
You should now have a folder of your PKG.
Go into the folders and search for default_mp.self.
Copy it to your SELF decryptor folder (download section).
Now put default_mp.self in the self folder.
Now run resigner.exe in the SELF decryptor folder and type '4' to decrypt a SELF file,
then type the number of the SELF file; in my case it's 1.
Now in your self folder you should have an ELF file
[default_mp.elf]
Right-click on it and click on Properties, now click on 'Open with' and browse to your IDA PRO folder and select idaq.exe.
Then click on Apply and OK.
Now double-click default_mp.elf and IDA should load it.
Step 4:
You should see IDA's load dialog; just press OK.
Now you should have the main IDA screen.
Close every tab except IDA-View and Hex-View.
Now click on Windows > Save Desktop, check 'Default' and press OK.
Now your layout is optimized for what we will do.
End of Lesson 1. Yeah, this lesson was short and not very helpful in PowerPC, but I had to show you how to set up everything correctly so we
could learn using the same stuff.
In the next tutorial I will start teaching the PowerPC language!
Chapter 2: Load a value in a register
In this tutorial I will show you how to set a register.
First, what is a register?
A register is a variable which contains a value.
There are 32 registers (for us):
r0 - r31. We count register 0 too, so it's 32 registers in total. There are also some other registers but I won't talk about them for now.
In PowerPC we write them like this: r0, r1, r2, r3 etc.
r0 = old link register, I won't talk about it for now
r1 = stack pointer, I won't talk about it for now
r2 = table of contents pointer, I won't talk about it for now
r3 = can be used as the first argument of a function OR as the value returned from a function
r4-r10 = used as the 2nd to the 8th arguments of a function
r11 = used for the PS3 syscalls
r12 = local var
r13-r31 = global vars; we use them to store a value and be able to use it later in another function
Don't worry, we won't use them all; we will focus on r3, r4 and r5 for now.
So in C# we can load values into variables like this:
int a = 10;
string b = "Bad Luck Brian";
byte[] c = new byte[] {0x05, 0x02, 0xFF};
In PowerPC we use li and lis.
Registers are 4 bytes: 11 22 33 44.
Try to imagine them like this: XX XX YY YY
li - load immediate, it sets the YY YY region of a register
example: li r3, 0x15 ::: r3 = 00 00 00 15 (0x15 is the same as 0x0015)
li r3, 0x1500 ::: r3 = 00 00 15 00
Now lis is the same but with the XX XX region
lis r3, 0x26 ::: r3 = 00 26 00 00
lis r3, 0x2600 ::: r3 = 26 00 00 00
lis r3, 0x216 ::: r3 = 02 16 00 00
Now we can set 2 bytes in a register, either the XX XX or the YY YY region. We need to include some maths to set 4 bytes; it's simple.
We will use addic and addis: addic adds something to the YY YY part and addis adds something to the XX XX part.
One thing to know: the value you give addic (and li) is a signed 16-bit number, so a YY YY part of 0x8000 or more counts as negative (0xD60C is read as -0x29F4) and takes 1 away from XX XX. When that happens, give lis one more than XX XX.
We use them like this:
addic RESULT, REGISTER, VALUE
Result = register containing the result of the addition
Register = register to add the value to
Value = value to add to the register
In English it translates to this: Result = Register + Value
Let's use some examples:
li r3, 0x15
addic r3, r3, 0x01
r3 is now equal to 0x16 (0x15 + 0x01)
Now let's set r3 to 0xFCA2801.
First of all, let's put it in XX XX YY YY format.
We start from the RIGHT, separating it byte by byte:
FCA2801
FCA28 01
FCA 28 01
F CA 28 01
We add a zero before the last value ('F')
to reach the XX XX YY YY format:
*************
*XX XX YY YY*
*0F CA 28 01*
*************
Now I will use lis to set the XX XX part and addic to set the YY YY part:
lis r3, 0x0FCA //r3 = 0F CA 00 00
addic r3, r3, 0x2801 //r3 = 0F CA 00 00 + 00 00 28 01 (0F CA 28 01)
Let's do another example:
Let's set r3 to 0x1d60c.
Set it to the XX XX YY YY format to make it easier:
1d60c
1d6 0c
1 d6 0c
Add the zeros before it to reach XX XX YY YY:
01 d6 0c
00 01 d6 0c
*************
*XX XX YY YY*
*00 01 d6 0c*
*************
Now I will use lis to set the XX XX part and addic to set the YY YY part. Careful here: the YY YY part D6 0C has its top bit set, so addic reads it as a negative number (-0x29F4) and it would take 1 away from the XX XX part. So we give lis one more than XX XX and let addic subtract:
lis r3, 0x0002 //r3 = 00 02 00 00
addic r3, r3, -0x29F4 //the same 16 bits as 0xD60C; r3 = 00 02 00 00 - 00 00 29 F4 (00 01 D6 0C)
r3 = 0x0001D60C or 0x1D60C
(lis r3, 0x0001 followed by addic r3, r3, 0xD60C would leave r3 = 00 00 D6 0C instead.)
It's simple!
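Here is a small added example (my own code, not part of the tutorial) that does the XX XX YY YY split from this chapter automatically and checks the result the way the CPU computes it, including the case where the YY YY part is 0x8000 or more. The function names (split_imm32, load_imm32, simulate, check) are my own choices:

```python
# Added example (not from the tutorial): turn a 32-bit constant into the
# lis / addic pair from this chapter, handling the sign-extension caveat.

def sign_extend16(x):
    """What the CPU makes of a 16-bit immediate: 0x2801 -> 0x2801, 0xD60C -> -0x29F4."""
    x &= 0xFFFF
    return x - 0x10000 if x & 0x8000 else x

def split_imm32(value):
    """Return (hi, lo) with (hi << 16) + sign_extend16(lo) == value (mod 2**32).
    hi is the XX XX part for lis, lo the YY YY part for addic; when lo would be
    read as negative, hi is bumped by one to compensate."""
    value &= 0xFFFFFFFF
    hi, lo = value >> 16, value & 0xFFFF
    if lo & 0x8000:
        hi = (hi + 1) & 0xFFFF
    return hi, lo

def load_imm32(reg, value):
    """The two-line PowerPC sequence (tutorial syntax) that leaves `value` in r<reg>."""
    hi, lo = split_imm32(value)
    return [f"lis r{reg}, 0x{hi:04X}",
            f"addic r{reg}, r{reg}, {sign_extend16(lo):#x}"]

def simulate(hi, lo):
    """Compute what 'lis rX, hi ; addic rX, rX, lo' really leaves in the register."""
    r = (hi << 16) & 0xFFFFFFFF
    return (r + sign_extend16(lo)) & 0xFFFFFFFF

def check(value):
    """True when the generated pair reproduces `value`; a naive split may not."""
    return simulate(*split_imm32(value)) == (value & 0xFFFFFFFF)
```

load_imm32(3, 0xFCA2801) gives the same two lines as the first example above, while load_imm32(3, 0x1D60C) gives lis r3, 0x0002 and addic r3, r3, -0x29f4; simulate(0x0001, 0xD60C) shows why the naive pair lands at 0xD60C instead.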
In the next lesson I will teach you how to write to memory.
Chapter 3: Read/Write in the memory
In this tutorial I will show you how to read and write memory.
It's the same as 'PS3.GetMemory' and 'PS3.SetMemory' but it works a bit differently. Not really, but it's for the sake of understanding how it works!
Reading memory
We can read memory with 4 instructions:
lbz (1 byte)
lhz (2 bytes)
lwz (4 bytes)
ld (8 bytes)
We use them like this:
lwz RESULT, ADDRESS, TEMP_VAL
(IDA writes the same thing as lwz RESULT, TEMP_VAL(ADDRESS), e.g. lwz r4, 0x1234(r3))
Result = register receiving the bytes read at the address
ADDRESS = register containing the address to read from
TEMP_VAL = a 16-bit value added to the address for this instruction only; we can use it as a temporary 'addic'
example:
lis r3, 0xff //r3 = 00 ff 00 00 (0xff0000)
addic r3, r3, 0x1234 //r3 = 00 ff 12 34 (0xff1234)
lwz r4, r3, 0 //r4 = the first 4 bytes at 0xff1234
OR
lis r3, 0xff
lwz r4, r3, 0x1234 <- we use it as a temporary addic to save a line!!! but WARNING: the 0x1234 is only used to compute the address; r3 itself stays 00 ff 00 00, while
using addic changes r3 permanently!!!!
Another example:
Reading the first 4 bytes at 0x110d60c. The YY YY part D6 0C has its top bit set, so as a 16-bit value it is read as -0x29F4; we give lis one more than 0x0110 and let the offset subtract:
lis r3, 0x0111 //r3 = 01 11 00 00
lwz r4, r3, -0x29F4 //reads at 0x01110000 - 0x29F4 = 0x0110D60C
OR
lis r3, 0x0111
addic r3, r3, -0x29F4 //r3 = 0x0110D60C
lwz r4, r3, 0
(lis r3, 0x0110 followed by lwz r4, r3, 0xd60c would read at 0x010FD60C instead.)
Writing to memory is as easy as reading it.
We will use:
stb (1 byte)
sth (2 bytes)
stw (4 bytes)
std (8 bytes)
We use them like this:
stw VALUE, ADDRESS, TEMP_VAL
Example: I want to write 0x15 at 0x2100000
lis r3, 0x210 //r3 = 02 10 00 00 (0x2100000)
li r4, 0x15
stw r4, r3, 0
Another example would be to write 0x15 at 0xFCA280. The YY YY part A2 80 has its top bit set (-0x5D80 as a 16-bit value), so lis gets 0xFD instead of 0xFC:
lis r3, 0xFD //r3 = 00 FD 00 00
li r4, 0x15
stw r4, r3, -0x5D80 //writes at 0x00FD0000 - 0x5D80 = 0xFCA280
Chapter 4: Conditions
Now we can set variables, assign them by reading memory and store them in memory too.
But what if we want to do some actions depending on a condition?
In programming we use the 'if' and 'else if' statements.
In PowerPC it's different. We use 'locations'.
Let's check an example in IDA: the graph view shows boxes of code; let's call them 'code locations'.
To make an if/else you need to compare two values.
We will use cmpwi.
We use it like this:
CMPWI REGISTER, VALUE
This will compare the register with the value (as signed numbers) and will store the result in the condition register 'CR'.
It will set these bits:
-eq (equal)
-gt (greater)
-lt (lesser)
They will each be either '1' or '0'.
1 = true
0 = false
Let's use an example:
li r3, 0x15
cmpwi r3, 0x19
-eq = 0 (false, they're not equal)
-lt = 1 (true, 0x15 is lesser than 0x19)
-gt = 0 (false, 0x15 is not greater than 0x19)
Let's use another example:
li r3, 0x15
cmpwi r3, 0x15
-eq = 1 (true, they're equal)
-lt = 0 (false, 0x15 is not lesser than 0x15)
-gt = 0 (false, 0x15 is not greater than 0x15)
Now what? Now we will use 'jumps' and 'conditional jumps'.
Here is a list:
b - jumps no matter what
beq - jumps if -eq = 1
bne - jumps if -eq = 0
bgt - jumps if -gt = 1
blt - jumps if -lt = 1
Let's use an example; addresses will be included for the locations. I will use ' // ' to make a comment. BTW,
each line in PPC has a size of 4 bytes, that's why it's 0, 4, 8, C, and NOTE: it's in hexadecimal.
0: li r3, 0x20 //set r3 to: 00 00 00 20
4: cmpwi r3, 0x30 // -eq:0 -gt:0 -lt:1
8: beq 28 //it will not jump to :28 because -eq is false, so the program will continue to the next line ( :C)
C: bgt 28 //it will not jump to :28 because -gt is false, so the program will continue to the next line ( :10 )
10: b 14 // jump to :14
14: bne 1C //will jump to :1C because -eq = 0
18: b 28 //this will never be executed
1C: b 28 //it will jump to :28
20: li r3, 0x1234 //not executed
24: li r3, 0x1234 //not executed
28: b 0 //jump back to 0 for an infinite loop, yeah
That's it for the if/else in PowerPC!
Chapter 5: Pointers
Pointers
This lesson will be short but it is very important to understand what a pointer is!
A pointer is an address whose bytes contain another address.
I know it sounds weird at first but let's make an example.
We can't put 'strings' in registers, so we need pointers to use strings!
0x12340000 = pointer
0x55550000 = my string
In memory:
ADDRESS    | BYTES                                           | ASCII
0x12340000: 55 55 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
...
0x55550000: 42 61 64 20 4C 75 63 6B 20 42 72 69 61 6E 00 00 Bad Luck Brian..
Here is how I would load the pointer in PowerPC:
lis r3, 0x1234
lwz r3, 0(r3) //IDA's way of writing lwz r3, r3, 0
The lis will set r3 to 12 34 00 00 (0x12340000)
and the lwz will read the 4 bytes at 0x12340000 (the pointer) and store them in r3,
so r3 = 0x55550000 (55 55 00 00).
Now r3 contains the address of the string. Of course, in this case we could just use lis r3, 0x5555,
but sometimes we have to use pointers, like in RPC where the address of the function to call is stored as bytes at our address.
Example of RPC:
//0x2100000 = pointer to the function to call
//read memory to get your arguments using lwz
lis r9, 0x210 //time to load the address (0x2100000)
lwz r9, r9, 0 //read the 4 bytes at 0x2100000: the address of the function
mtctr r9 //this will save the address in a special register (count register), will talk about it in the next lesson
bctrl //this will call the address in the count register, will talk about it in the next lesson
That's why pointers are important!
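To see chapters 3, 4 and 5 actually run, here is an added example (my own code, not the tutorial's) with a tiny interpreter for the instructions covered so far, using the tutorial's own operand order (lwz RESULT, ADDRESS, TEMP_VAL and stw VALUE, ADDRESS, TEMP_VAL). It runs the Chapter 4 branch listing, follows the pointer from this chapter through a constructed memory image, and shows the Chapter 3 offset caveat (0xd60c is sign-extended and the address register is never modified). The function names and the memory contents are my own choices:

```python
from collections import defaultdict

def sx16(x):
    """Sign-extend a 16-bit immediate (addic and load/store offsets do this): 0xD60C -> -0x29F4."""
    x &= 0xFFFF
    return x - 0x10000 if x & 0x8000 else x

def parse(line):
    """'lwz r4, r3, 0x1234 //note' -> ('lwz', [4, 3, 0x1234]); numbers are hex like the tutorial."""
    op, _, rest = line.split("//")[0].strip().partition(" ")
    ops = []
    for tok in rest.split(","):
        tok = tok.strip()
        if tok.startswith("r"):
            ops.append(int(tok[1:]))      # register number
        elif tok:
            ops.append(int(tok, 16))      # immediate or branch target
    return op, ops

LOADS = {"lbz": 1, "lhz": 2, "lwz": 4}
STORES = {"stb": 1, "sth": 2, "stw": 4}
COND = {"beq": ("eq", 1), "bne": ("eq", 0), "bgt": ("gt", 1), "blt": ("lt", 1)}

def run(program, mem=None, max_steps=50):
    """Execute `program` (one instruction per line, line i at address i*4); returns (regs, mem, trace)."""
    regs = [0] * 32
    mem = defaultdict(int, mem or {})     # byte-addressed; unset bytes read as 0
    cr = {"eq": 0, "lt": 0, "gt": 0}
    pc, trace = 0, []
    for _ in range(max_steps):
        if pc % 4 or pc // 4 >= len(program):
            break                         # fell off the end of the listing
        trace.append(pc)
        op, a = parse(program[pc // 4])
        nxt = pc + 4
        if op == "li":
            regs[a[0]] = sx16(a[1]) & 0xFFFFFFFF
        elif op == "lis":
            regs[a[0]] = (a[1] << 16) & 0xFFFFFFFF
        elif op == "addic":
            regs[a[0]] = (regs[a[1]] + sx16(a[2])) & 0xFFFFFFFF
        elif op in LOADS or op in STORES:
            ea = (regs[a[1]] + sx16(a[2])) & 0xFFFFFFFF   # address register itself is untouched
            n = LOADS.get(op) or STORES[op]
            if op in LOADS:
                regs[a[0]] = int.from_bytes(bytes(mem[ea + i] for i in range(n)), "big")
            else:
                for i, byte in enumerate(regs[a[0]].to_bytes(4, "big")[-n:]):
                    mem[ea + i] = byte
        elif op == "cmpwi":               # signed 32-bit compare, result in cr0
            lhs = regs[a[0]] - (1 << 32 if regs[a[0]] & 0x80000000 else 0)
            rhs = sx16(a[1])
            cr = {"eq": int(lhs == rhs), "lt": int(lhs < rhs), "gt": int(lhs > rhs)}
        elif op == "b":
            nxt = a[0]
        elif op in COND:
            flag, want = COND[op]
            if cr[flag] == want:
                nxt = a[0]
        else:
            raise ValueError(f"unsupported instruction: {op}")
        pc = nxt
    return regs, mem, trace

# The Chapter 4 listing with its comments; line i sits at address i*4.
CHAPTER4 = """li r3, 0x20     //0
cmpwi r3, 0x30  //4: eq=0 gt=0 lt=1
beq 28          //8: not taken
bgt 28          //C: not taken
b 14            //10
bne 1C          //14: taken
b 28            //18: never executed
b 28            //1C
li r3, 0x1234   //20: never executed
li r3, 0x1234   //24: never executed
b 0             //28: back to the start""".splitlines()

def chapter4_trace():
    """r3 and the addresses executed in one pass of the Chapter 4 example."""
    regs, _, trace = run(CHAPTER4, max_steps=8)
    return regs[3], trace

def pointer_demo():
    """Chapter 5: follow the pointer at 0x12340000 to the string (constructed memory image)."""
    mem = {0x12340000 + i: b for i, b in enumerate((0x55550000).to_bytes(4, "big"))}
    mem.update({0x55550000 + i: b for i, b in enumerate(b"Bad Luck Brian\0")})
    regs, mem, _ = run(["lis r3, 0x1234", "lwz r3, r3, 0"], mem)
    text, addr = bytearray(), regs[3]
    while mem[addr]:                      # read up to the NUL terminator
        text.append(mem[addr])
        addr += 1
    return regs[3], text.decode()

def memory_demo():
    """Chapter 3: stw writes 4 bytes at 0x2100000 + 0x1234, and the offset 0xd60c sign-extends,
    so 'lis r3, 0x0110 ; lwz r4, r3, 0xd60c' reads from 0x010FD60C while r3 stays 0x01100000."""
    mem = {0x010FD60C + i: b for i, b in enumerate(b"\xDE\xAD\xBE\xEF")}   # constructed bytes
    regs, mem, _ = run(["lis r3, 0x210", "li r4, 0x15", "stw r4, r3, 0x1234",
                        "lis r3, 0x0110", "lwz r4, r3, 0xd60c"], mem)
    return bytes(mem[0x2101234 + i] for i in range(4)), regs[3], regs[4]
```

chapter4_trace() returns r3 = 0x20 and the path 0, 4, 8, C, 10, 14, 1C, 28, exactly the lines the comments in the listing say get executed; pointer_demo() returns 0x55550000 and "Bad Luck Brian".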
Chapter 6: Calling a function
Calling a function
In C# we call our functions like this: Example(arg1, arg2, arg3);
example: MessageBox.Show("Bad Luck Brian", "title here");
In PowerPC it's a bit more complicated but it's still simple ^^
We will use 'bl'.
bl is like 'b': it jumps to a location, but bl also saves the address of the next line in the link register, so when the function returns (with blr) execution continues at the next line, with the returned value in r3.
Example of 'b':
:0 li r3, 0x15
:1 b :6
:2 //Not executed
:3 //Not executed
:4 //Not executed
:5 //Not executed
:6 //stuff goes here, it's a function..executed
Example of 'bl':
:0 li r3, 0x15
:1 bl :6 //goto :6 and when done with it continue at :2
:2 // executed
:3 // executed
:4 // executed
:5 // executed
:6 //executed
Calling functions in PowerPC is a must and we will use it really often.
I will make some examples later on calling functions.
There is another way of calling functions: we will use pointers.
We use mtctr and bctrl.
We use mtctr like this:
mtctr REGISTER
Register = register containing the address to call
and to call it we just use bctrl.
example:
//0x2100000 contains: 00 12 34 56 (0x123456),
//0x123456 = function I wanna call
lis r3, 0x210 //loads the address 0x2100000 into r3
lwz r3, r3, 0 //read at 0x2100000 and store the value in r3 (4 bytes)
mtctr r3 //store r3 in the count register
bctrl //call the value in the count register
Chapter 7: Writing PowerPC in IDA PRO
Writing PPC in IDA
So now we learned these things:
-setting a value
-Read/Write in memory
-Code location (Conditional jumps)
-Calling a function
So what about we start writing in our ELF file in IDA Pro?
This tutorial will also include a video tutorial but not for now.
Each line of PPC is 4 bytes in length!
example:
lis r3, 0xFF1 <- it will be written in 4 bytes (3c 60 0f f1) <- will explain soon
Each instruction has an opcode; an opcode is the hex value of the instruction.
I will make a list of some opcodes. To find any opcode, just go in IDA, click on an instruction and go to Hex View.
li = 0x38
lis = 0x3C
addic = 0x30
stb = 0x98
stw = 0x90
std = 0xF8
lbz = 0x88
lwz = 0x80
ld = 0xE8
cmpwi = 0x2C
b = 0x48 or 0x4B
bl = 0x48 or 0x4B
beq = 0x41, 0x82
bne = 0x40, 0x82
blt = 0x41, 0x80
bgt = 0x41, 0x81
mtctr = 0x7C, 0x69, 0x03, 0xA6
bctrl = 0x4E, 0x80, 0x04, 0x21
Now this is the hard part.
I will write the usage for all of them.
******* li / lis **********
li:
38 XX VV VV
38 = opcode
XX = Register to load the value into
VV VV = value to load in the register
Now i will explain the XX
you have to add 0x20 for each register
r0: 38 00 VV VV
r1: 38 20 VV VV
r2: 38 40 VV VV
r3: 38 60 VV VV
r4: 38 80 VV VV
r5: 38 A0 VV VV
r6: 38 C0 VV VV
r7: 38 E0 VV VV
Now for r8+ we need to add +1 to the opcode (0x38 + 0x1 = 0x39)
r8: 39 00 VV VV
r9: 39 20 VV VV
r10: 39 40 VV VV
r11: 39 60 VV VV
r12: 39 80 VV VV
i will stop at r12 
lis is the same thing but with the opcode 3C, and 3D for r8+
lis:
r0: 3C 00 VV VV
r1: 3C 20 VV VV
r2: 3C 40 VV VV
r3: 3C 60 VV VV
r4: 3C 80 VV VV
r5: 3C A0 VV VV
r6: 3C C0 VV VV
r7: 3C E0 VV VV
Now for r8+ we need to add +1 to the opcode (0x3C + 0x1 = 0x3D)
r8: 3D 00 VV VV
r9: 3D 20 VV VV
r10: 3D 40 VV VV
r11: 3D 60 VV VV
r12: 3D 80 VV VV
---------------------------
addic:
30 XY VV VV
30 = opcode
X = register that will contain the result of the addition
Y = register that we're going to add the value to
VV VV = value to add to Y
Now for X, the register system is the same as li/lis:
we add 0x20 per register, and at r8 we change the opcode 30 to 31,
but for Y we just put the real number of the register.
examples:
addic r3, r4, 0xFF || 30 64 00 FF
***
addic r12, r4, 0xFF || 31 84 00 FF
***
addic r3, r10, 0xFF || 30 6A 00 FF || 10 = 0x0A (hexadecimal)
---------------------------
stb = 0x98 // 0x99 for r8+
stw = 0x90 // 0x91 for r8+
std = 0xF8 // 0xF9 for r8+
I will use stw for the example.
They work like addic for the XY!
90 XY VV VV
X = register that will be sent to memory (VALUE)
Y = register holding the address that will receive the VALUE (X)
VV VV = temporary value to add to the address (Y)
example:
lis r3, 0x210 || 3C 60 02 10 //r3 = 0x2100000
li r4, 0x15 || 38 80 00 15
stw r4, r3, 0x1234 || 90 83 12 34 //writes r4 at 0x2100000 + 0x1234 = 0x2101234
//r3 IS NOT MODIFIED BY THIS LINE, it is still 0x2100000 !!!
---------------------------
lbz = 0x88 // 0x89 for r8+
lwz = 0x80 // 0x81 for r8+
ld = 0xE8 // 0xE9 for r8+
usage (I will use lwz):
80 XY VV VV
It works like stw!!!
X = register that will contain the value read from memory
Y = register holding the address that will be read
VV VV = temporary value to add to the address (Y)
Example:
lis r3, 0x210 || 3C 60 02 10 //r3 = 0x2100000
li r4, 0x15 || 38 80 00 15
lwz r4, r3, 0x1234 || 80 83 12 34 //reads at 0x2100000 + 0x1234 = 0x2101234
//r3 IS NOT MODIFIED BY THIS LINE, it is still 0x2100000, AND r4 = the first 4 bytes that were at 0x2101234 !!!
-----------------------------------------
cmpwi = 0x2C
2c 0Y VV VV
0 = keep it as 0
Y = Register to compare, we just put its number in hex
VV VV = value that the register will be compared with
example:
cmpwi r3, 0x55 || 2c 03 00 55
other example:
cmpwi r12, 0x55 || 2c 0C 00 55 //0x0C = 12 in hexadecimal
------------------------------------------
b = 0x48 or 0x4B
bl = 0x48 or 0x4B
beq = 0x41, 0x82
bne = 0x40, 0x82
blt = 0x41, 0x80
bgt = 0x41, 0x81
Alright, b and bl are tricky.
//current address = address where we are jumping from
We use 48 when jumping to a location that is located AFTER the current address.
We use 4B when jumping to a location that is located BEFORE the current address.
48/4B XX XX XX
XX XX XX = difference between the current position and the location we want to jump to (always a multiple of 4, since every line is 4 bytes)
41 82 XX XX
XX XX = difference between the current position and the location we want to jump to (same thing for 40 82, 41 80 and 41 81)
Also, to make a bl we add +1 to the difference!!
example:
0x11010: bl 0x11050 || 48 00 00 41
...
0x11050: //function...
// why 48 00 00 41? because 0x11050 - 0x11010 = 0x40 and to make it into a bl we need to add +1
0x40 + 1 = 0x41
so 48 00 00 41
and we use 48 because it is AFTER the current location (0x11010)
----------------------------------------------
Now the last one, more complex.
mtctr = 7C X9 03 A6
X = register to move to the count register; if r8+, 7C becomes 7D
we keep the rest as it is
Example:
mtctr r4 || 7C 89 03 A6
mtctr r12 || 7D 89 03 A6
bctrl = 4E 80 04 21
we keep it like this, BUT
bctrl is like bl (it comes back to the next line), and we can also transform it
to bctr, which is like b:
bctr 4E 80 04 20
bctrl 4E 80 04 21
---------------------------------------------
End of lesson. I would advise keeping this in a .txt file for future reference, it is a LOT of information!
Also, there are a LOT more instructions; to understand them just go in IDA, search for the wanted
instruction, go to Hex View and try to find its usage.
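To check the byte patterns in this chapter (and the bl / mtctr / bctrl encodings from Chapter 6) against what Hex View shows, here is an added example (my own code, not the tutorial's) that builds each instruction from its fields. The opcode bytes listed above are the top 6 bits of the 4-byte word, and the register goes right below them (register << 21), which is why the second byte goes 00, 20, 40 ... E0 and spills one into the opcode byte at r8. Branch offsets are target minus the address of the branch, and the +1 for bl is the link bit. The function names are my own choices; everything else follows the PowerPC instruction formats:

```python
# Added example (not part of the tutorial): encode the instructions from this
# chapter into the 4 bytes IDA's hex view shows, and pull the fields back out.

# D-form: opcode(6) rD(5) rA(5) imm(16); primary opcode = chapter's byte / 4.
# li/lis are addi/addis with rA = 0.
D_FORM = {"li": 14, "lis": 15, "addic": 12,
          "lbz": 34, "lhz": 40, "lwz": 32, "stb": 38, "sth": 44, "stw": 36}
# Conditional branches: BO (branch if cr bit true/false), BI (which cr0 bit).
BC_FORM = {"beq": (12, 2), "bne": (4, 2), "blt": (12, 0), "bgt": (12, 1)}

def d_form(opcode, rd, ra, imm):
    return (opcode << 26) | (rd << 21) | (ra << 16) | (imm & 0xFFFF)

def encode(op, *a):
    """Big-endian bytes of one instruction, tutorial operand order:
    li/lis rD, imm | addic rD, rA, imm | lwz/stw/... rD, rA, disp | cmpwi rA, imm
    b/bl offset | beq/bne/blt/bgt offset | mtctr rS | bctr | bctrl
    (offset = target minus the address of the branch itself)."""
    if op in ("li", "lis"):
        w = d_form(D_FORM[op], a[0], 0, a[1])
    elif op in D_FORM:
        w = d_form(D_FORM[op], a[0], a[1], a[2])
    elif op in ("ld", "std"):                    # DS-form: low 2 bits of disp are the XO
        w = d_form(58 if op == "ld" else 62, a[0], a[1], a[2] & 0xFFFC)
    elif op == "cmpwi":                          # cmpi with crfD = 0, L = 0
        w = d_form(11, 0, a[0], a[1])
    elif op in ("b", "bl"):                      # I-form: 24-bit offset, LK = bit 0
        w = (18 << 26) | (a[0] & 0x03FFFFFC) | (op == "bl")
    elif op in BC_FORM:                          # B-form: 14-bit offset, 48 -> 4B when negative
        bo, bi = BC_FORM[op]
        w = (16 << 26) | (bo << 21) | (bi << 16) | (a[0] & 0xFFFC)
    elif op == "mtctr":                          # mtspr rS, CTR (spr 9, XO 467)
        w = (31 << 26) | (a[0] << 21) | (9 << 16) | (467 << 1)
    elif op in ("bctr", "bctrl"):                # bcctr with BO = 20 (always), XO 528
        w = (19 << 26) | (20 << 21) | (528 << 1) | (op == "bctrl")
    else:
        raise ValueError(f"not in this chapter: {op}")
    return w.to_bytes(4, "big")

def encode_at(addr, op, *a):
    """Like encode(), but branches take the absolute target, as in '0x11010: bl 0x11050'."""
    if op in ("b", "bl") or op in BC_FORM:
        if (a[0] - addr) % 4:
            raise ValueError("branch targets must be 4-byte aligned")
        return encode(op, a[0] - addr)
    return encode(op, *a)

def fields(word):
    """Split 4 bytes into the D-form fields, e.g. to read r12 out of '39 80 00 15'."""
    w = int.from_bytes(word, "big")
    return {"opcode": w >> 26, "rD": (w >> 21) & 31, "rA": (w >> 16) & 31,
            "imm": w & 0xFFFF}

def reg_byte(reg):
    """The 'add 0x20 per register' rule: (second byte, how much to add to the opcode byte).
    r7 -> (0xE0, 0); r8 -> (0x00, 1); r12 -> (0x80, 1)."""
    return (reg << 5) & 0xFF, reg >> 3
```

encode("addic", 12, 4, 0xFF) gives 31 84 00 FF and encode_at(0x11010, "bl", 0x11050) gives 48 00 00 41, matching the tables above; encode("lis", 7, 0xFF1) shows the r7 pattern is 3C E0 (not F0), and encode_at(0x28, "b", 0) shows the 4B prefix for a backward jump.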