Post: [Release] SPRX Call functions for any games !
Options
07-19-2014, 04:11 AM
#1
Bad Luck Brian
< ^ > < ^ >
Everything should works..
INCLUDES NEEDED (many might be useless for the calls but cba checking which one is good/not good)
#include "stdafx.h"
#include <cellstatus.h>
#include <sys/prx.h>
#include <sys/timer.h>
#include <sys/syscall.h>
#include <sys/ppu_thread.h>
#include <stdarg.h>
#include <stddef.h>
#include <string.h>
#include <wchar.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/memory.h>
#include <typeinfo>
Some functions required(Thanks to shark and sony
)
int console_write(const char * s)
{
uint32_t len;
system_call_4(403, 0, (uint64_t) s, 32, (uint64_t) &len);
return_to_user_prog(int);
}
void sleep(usecond_t time)
{
sys_timer_usleep(time * 1000);
}
sys_ppu_thread_t create_thread(void (*entry)(uint64_t), int priority, size_t stacksize, const char* threadname,sys_ppu_thread_t id)
{
if(sys_ppu_thread_create(&id, entry, 0, priority , stacksize, 0, threadname) == CELL_OK)
{
console_write("\n\nINJECTED !\n\n");
}
return id;
}
void writeString(const char* str, int len, unsigned int addr)
{
for(int i = 0; i < len; i++)
{
if(*str == 0x00) {break;}
*(char*)(addr+i) = *(str+i);
}
}
The threading:
sys_ppu_thread_t thrd_mainstart;
sys_ppu_thread_t thrd_Calls;
void StartThreads()
{
create_thread(StartMenu, 0x4AA, 0x6000, "blb_Main", thrd_mainstart);
create_thread(Calls_thread, 0x4AB, 0x6000, "blb_Calls", thrd_Calls);
}
The Calls functions
! THE TOC IS IN THE ASM INLINE STUFF !!!!!!!!!
int CALL(int numOfArgs, int addr, ...)
{
int i,val;
va_list vl;
va_start(vl,numOfArgs);
va_arg(vl,int);//skip one
for (i=1;i<(numOfArgs+1);i++)
{
val=va_arg(vl,int);
*(int*)(0x2100000+i*4) = val;
}
va_end(vl);
sleep(50);
*(int*)0x2100000 = addr;
return *(int*)(0x210004C);
}
void Calls_thread(std::uint64_t nothing)
{
for(;
{
__asm(
"lis 3, 0x210;"
"lwz 3, 0(3);"
"cmpwi 3, 0x00;"
"beq end;"
/*save the general registers !*/
"mflr 0;"
"std 0, -0x520-0x10(1);"
"std 31, -0x520-0x18(1);"
"std 30, -0x520-0x20(1);"
"std 29, -0x520-0x28(1);"
"std 28, -0x520-0x30(1);"
"std 27, -0x520-0x38(1);"
"std 26, -0x520-0x40(1);"
"std 2, -0x520-0x48(1);"
/*emulate the Ghosts POC registers*/
"lis 2, 0xA7;"
"ori 2, 2, 0xF3F8;"
"lis 26, 0;"
"lis 27, 0;"
"li 28, 0x0C800;"
"lis 29, 0;"
"lis 30, 0xD00D;"
"addic 30,30, 0x9DF0;"
"lis 31, 0x157;"
"addic 31,31, 0x059C;"
/*Loading args*/
"lis 12, 0x210;"
"lwz 3, 0x4(12);"
"lwz 4, 0x8(12);"
"lwz 5, 0xC(12);"
"lwz 6, 0x10(12);"
"lwz 7, 0x14(12);"
"lwz 8, 0x18(12);"
"lwz 9, 0x1C(12);"
"lwz 10, 0x20(12);"
"lwz 11, 0x24(12);"
"lfs 1, 0x28(12);"
"lfs 2, 0x2C(12);"
"lfs 3, 0x30(12);"
"lfs 4, 0x34(12);"
"lfs 5, 0x38(12);"
"lfs 6, 0x3C(12);"
"lfs 7, 0x40(12);"
"lfs 8, 0x44(12);"
"lfs 9, 0x48(12);"
/*Calling*/
"lwz 12, 0(12);"
"mtctr 12;"
"bctrl;"
/*returns*/
"lis 4, 0x210;"
"stw 3, 0x4C(4);"
"stfs 1, 0x50(4);"
"li 3, 0;"
"stw 3, 0(4);"
"ld 0, -0x520-0x10(1);"
"mtlr 0;"
"ld 26, -0x520-0x40(1);"
"ld 27, -0x520-0x38(1);"
"ld 28, -0x520-0x30(1);"
"ld 29, -0x520-0x28(1);"
"ld 30, -0x520-0x20(1);"
"ld 31, -0x520-0x18(1);"
"ld 2, -0x520-0x48(1);"
);
__asm("end:;");
sleep(5);
}
}
Example on how to call something:
if(*(int*)0x00cbcce4 == 1) //button monitoring for square
{
CALL(3, 0x5720C0, 0, 0, "c test" ); //number of args in the function, address of the function and the args..
*(int*)0x00cbcce4 = 0; //avoid calling it 42836423946 times..
}
OTHER GAMES FIX
Black ops2 1.18
int CALL(int numOfArgs, int addr, ...)
{
int i,val;
va_list vl;
va_start(vl,numOfArgs);
va_arg(vl,int);//skip one
for (i=1;i<(numOfArgs+1);i++)
{
val=va_arg(vl,int);
*(int*)(0x2200000+i*4) = val;
}
va_end(vl);
sleep(50);
*(int*)0x2200000 = addr;
return *(int*)(0x220004C);
}
void Calls_thread(std::uint64_t nothing)
{
for(;
{
__asm(
"lis 3, 0x220;"
"lwz 3, 0(3);"
"cmpwi 3, 0x00;"
"beq end;"
/*save the general registers !*/
"mflr 0;"
"std 0, -0x520-0x10(1);"
"std 31, -0x520-0x18(1);"
"std 30, -0x520-0x20(1);"
"std 29, -0x520-0x28(1);"
"std 28, -0x520-0x30(1);"
"std 27, -0x520-0x38(1);"
"std 26, -0x520-0x40(1);"
"std 2, -0x520-0x48(1);"
/*emulate the registers*/
"lis 2, 0xD6;"
"ori 2, 2, 0x7E98;"
"li 26, 0;"
"li 27, 0;"
"li 28, 0;"
"lis 29, 0xD5;"
"ori 29, 29, 0x3D88;"
"lis 30, 0xD014;"
"addic 30, 30, 0x7080;"
"li 31, 0;"
/*Loading args*/
"lis 12, 0x220;"
"lwz 3, 0x4(12);"
"lwz 4, 0x8(12);"
"lwz 5, 0xC(12);"
"lwz 6, 0x10(12);"
"lwz 7, 0x14(12);"
"lwz 8, 0x18(12);"
"lwz 9, 0x1C(12);"
"lwz 10, 0x20(12);"
"lwz 11, 0x24(12);"
"lfs 1, 0x28(12);"
"lfs 2, 0x2C(12);"
"lfs 3, 0x30(12);"
"lfs 4, 0x34(12);"
"lfs 5, 0x38(12);"
"lfs 6, 0x3C(12);"
"lfs 7, 0x40(12);"
"lfs 8, 0x44(12);"
"lfs 9, 0x48(12);"
/*Calling*/
"lwz 12, 0(12);"
"mtctr 12;"
"bctrl;"
/*returns*/
"lis 4, 0x220;"
"stw 3, 0x4C(4);"
"stfs 1, 0x50(4);"
"li 3, 0;"
"stw 3, 0(4);"
"ld 0, -0x520-0x10(1);"
"mtlr 0;"
"ld 26, -0x520-0x40(1);"
"ld 27, -0x520-0x38(1);"
"ld 28, -0x520-0x30(1);"
"ld 29, -0x520-0x28(1);"
"ld 30, -0x520-0x20(1);"
"ld 31, -0x520-0x18(1);"
"ld 2, -0x520-0x48(1);"
);
__asm("end:;");
sleep(5);
}
}
Adding another game:
Credits:
Bad Luck Brian
Shark
theriftboy
Bad Luck Modders
The following 54 users say thank you to Bad Luck Brian for this useful post:
Absolute Zero, aleeeex, ALI ALHILFI, anxify, Ariel R., BaSs_HaXoR, basshead4ever, Bucko, Chinx Drugz, Dan Dactyl, Sabotage, elgolumm, esc0rtd3w, flynhigh09, forktu, JLM, Beats, Im Not Boobdidas, iMoDz-Baptiste, iRnZ, iTпDM, Welsh, Jannik007, kainer wainer, KareraHekku, KranK, lahyene77, Loxy, MegaMister, milky4444, moxl, Norway-_-1999, John, NotALegitPlayer, Notorious, OLDSCHOOLMODZHD, Pyro577, RaYRoD, RTE, ryu_hayabusa80, Shark, Dacoco, Smoky420, SNMT| Havoc, Sticky, Swaqq, Taylors Bish, TheModedHacker, Turk_Warrior, Hash847, xballox, xPAQz, Xx_GANG_xX
07-19-2014, 04:26 AM
#5
Black Panther
Guest
07-19-2014, 06:27 AM
#8
BaSs_HaXoR
Hurah!
Originally posted by Bad
First of all, only thing you need to do is to change the TOC wich is commented and maybe the address where my RPC is writing/reading to (0x2100000).
THE CALL FUNCTION IS NOT WORKING, IM FIXING IT tomorrow
INCLUDES NEEDED (many might be useless for the RPC but cba checking which one is good/not good)
Some functions required(Thanks to shark and sony)
The threading:
The RPC functions ! THE TOC IS IN THE ASM INLINE STUFF !!!!!!!!!
v
Example on how to call something:
Credits:
Bad Luck Brian
Shark
theriftboy
Bad Luck Modders
THE CALL FUNCTION IS NOT WORKING, IM FIXING IT tomorrow
INCLUDES NEEDED (many might be useless for the RPC but cba checking which one is good/not good)
#include "stdafx.h"
#include <cellstatus.h>
#include <sys/prx.h>
#include <sys/timer.h>
#include <sys/syscall.h>
#include <sys/ppu_thread.h>
#include <stdarg.h>
#include <stddef.h>
#include <string.h>
#include <wchar.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/memory.h>
#include <typeinfo>
Some functions required(Thanks to shark and sony
)
int console_write(const char * s)
{
uint32_t len;
system_call_4(403, 0, (uint64_t) s, 32, (uint64_t) &len);
return_to_user_prog(int);
}
void sleep(usecond_t time)
{
sys_timer_usleep(time);
}
sys_ppu_thread_t create_thread(void (*entry)(uint64_t), int priority, size_t stacksize, const char* threadname,sys_ppu_thread_t id)
{
if(sys_ppu_thread_create(&id, entry, 0, priority , stacksize, 0, threadname) == CELL_OK)
{
console_write("\n\nINJECTED !\n\n");
}
return id;
}
void writeString(const char* str, int len, unsigned int addr)
{
for(int i = 0; i < len; i++)
{
if(*str == 0x00) {break;}
*(char*)(addr+i) = *(str+i);
}
}
The threading:
sys_ppu_thread_t thrd_mainstart;
sys_ppu_thread_t thrd_rpc;
void StartThreads()
{
create_thread(StartMenu, 0x4AA, 0x6000, "blb_Main", thrd_mainstart);
create_thread(RPC_thread, 0x4AB, 0x6000, "blb_RPC", thrd_rpc);
}
The RPC functions
! THE TOC IS IN THE ASM INLINE STUFF !!!!!!!!!
int CALL(int addr, int numOfArgs, ...)
{
if(numOfArgs > 11){return -1;}
int i, val;
va_list vl;
va_start(vl, numOfArgs);
for (i = 0; i<numOfArgs; i++)
{
val = va_arg(vl, int);
*(typeof(val)*)(0x2100004 + i*0x4) = val;
}
va_end(vl);
sleep(5);
*(int*)0x2100000 = addr;
sleep(5);
return *(int*)0x210004C;
}
void RPC_thread(std::uint64_t nothing)
{
for(;
{
__asm(
"lis 3, 0x210;"
"lwz 3, 0(3);"
"cmpwi 3, 0x00;"
"beq end;"
/*save the general registers !*/
"mflr 0;"
"std 0, -0x520-0x10(1);"
"std 31, -0x520-0x18(1);"
"std 30, -0x520-0x20(1);"
"std 29, -0x520-0x28(1);"
"std 28, -0x520-0x30(1);"
"std 27, -0x520-0x38(1);"
"std 26, -0x520-0x40(1);"
"std 2, -0x520-0x48(1);"
/*emulate the Ghosts TOCregisters*/ <-----------HERE !!!!!!!!!!!!!!!!!!!!
"lis 2, 0xA7;"
"ori 2, 2, 0xF3F8;"
/*Loading args*/
"lis 12, 0x210;"
"lwz 3, 0x4(12);"
"lwz 4, 0x8(12);"
"lwz 5, 0xC(12);"
"lwz 6, 0x10(12);"
"lwz 7, 0x14(12);"
"lwz 8, 0x18(12);"
"lwz 9, 0x1C(12);"
"lwz 10, 0x20(12);"
"lwz 11, 0x24(12);"
"lfs 1, 0x28(12);"
"lfs 2, 0x2C(12);"
"lfs 3, 0x30(12);"
"lfs 4, 0x34(12);"
"lfs 5, 0x38(12);"
"lfs 6, 0x3C(12);"
"lfs 7, 0x40(12);"
"lfs 8, 0x44(12);"
"lfs 9, 0x48(12);"
/*Calling*/
"lwz 12, 0(12);"
"mtctr 12;"
"bctrl;"
/*returns*/
"lis 4, 0x210;"
"stw 3, 0x4C(4);"
"stfs 1, 0x50(4);"
"li 3, 0;"
"stw 3, 0(4);"
"ld 0, -0x520-0x10(1);"
"mtlr 0;"
"ld 26, -0x520-0x40(1);"
"ld 27, -0x520-0x38(1);"
"ld 28, -0x520-0x30(1);"
"ld 29, -0x520-0x28(1);"
"ld 30, -0x520-0x20(1);"
"ld 31, -0x520-0x18(1);"
"ld 2, -0x520-0x48(1);"
"end:;"
);
for(int i = 0; i < 0x48; i++)
*(char*)(0x2100000+i) = 0x00;
sleep(5);
}
}
v
Example on how to call something:
if(*(int*)0x00cbcce4 == 1) //button monitoring for square
{
CALL(0x05720C0 , 3, 0, 0, "c test"); //SV_GameSendServerCommand for GHOSTS 1.14
}
Credits:
Bad Luck Brian
Shark
theriftboy
Bad Luck Modders
Woop, woop!
07-19-2014, 10:09 AM
#9
SC58
Former Staff
Originally posted by Bad
First of all, only thing you need to do is to change the TOC wich is commented and maybe the address where my RPC is writing/reading to (0x2100000).
THE CALL FUNCTION IS NOT WORKING, IM FIXING IT tomorrow
INCLUDES NEEDED (many might be useless for the RPC but cba checking which one is good/not good)
Some functions required(Thanks to shark and sony)
The threading:
The RPC functions ! THE TOC IS IN THE ASM INLINE STUFF !!!!!!!!!
v
Example on how to call something:
Credits:
Bad Luck Brian
Shark
theriftboy
Bad Luck Modders
THE CALL FUNCTION IS NOT WORKING, IM FIXING IT tomorrow
INCLUDES NEEDED (many might be useless for the RPC but cba checking which one is good/not good)
#include "stdafx.h"
#include <cellstatus.h>
#include <sys/prx.h>
#include <sys/timer.h>
#include <sys/syscall.h>
#include <sys/ppu_thread.h>
#include <stdarg.h>
#include <stddef.h>
#include <string.h>
#include <wchar.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/memory.h>
#include <typeinfo>
Some functions required(Thanks to shark and sony
)
int console_write(const char * s)
{
uint32_t len;
system_call_4(403, 0, (uint64_t) s, 32, (uint64_t) &len);
return_to_user_prog(int);
}
void sleep(usecond_t time)
{
sys_timer_usleep(time);
}
sys_ppu_thread_t create_thread(void (*entry)(uint64_t), int priority, size_t stacksize, const char* threadname,sys_ppu_thread_t id)
{
if(sys_ppu_thread_create(&id, entry, 0, priority , stacksize, 0, threadname) == CELL_OK)
{
console_write("\n\nINJECTED !\n\n");
}
return id;
}
void writeString(const char* str, int len, unsigned int addr)
{
for(int i = 0; i < len; i++)
{
if(*str == 0x00) {break;}
*(char*)(addr+i) = *(str+i);
}
}
The threading:
sys_ppu_thread_t thrd_mainstart;
sys_ppu_thread_t thrd_rpc;
void StartThreads()
{
create_thread(StartMenu, 0x4AA, 0x6000, "blb_Main", thrd_mainstart);
create_thread(RPC_thread, 0x4AB, 0x6000, "blb_RPC", thrd_rpc);
}
The RPC functions
! THE TOC IS IN THE ASM INLINE STUFF !!!!!!!!!
int CALL(int addr, int numOfArgs, ...)
{
if(numOfArgs > 11){return -1;}
int i, val;
va_list vl;
va_start(vl, numOfArgs);
for (i = 0; i<numOfArgs; i++)
{
val = va_arg(vl, int);
*(typeof(val)*)(0x2100004 + i*0x4) = val;
}
va_end(vl);
sleep(5);
*(int*)0x2100000 = addr;
sleep(5);
return *(int*)0x210004C;
}
void RPC_thread(std::uint64_t nothing)
{
for(;
{
__asm(
"lis 3, 0x210;"
"lwz 3, 0(3);"
"cmpwi 3, 0x00;"
"beq end;"
/*save the general registers !*/
"mflr 0;"
"std 0, -0x520-0x10(1);"
"std 31, -0x520-0x18(1);"
"std 30, -0x520-0x20(1);"
"std 29, -0x520-0x28(1);"
"std 28, -0x520-0x30(1);"
"std 27, -0x520-0x38(1);"
"std 26, -0x520-0x40(1);"
"std 2, -0x520-0x48(1);"
/*emulate the Ghosts TOCregisters*/ <-----------HERE !!!!!!!!!!!!!!!!!!!!
"lis 2, 0xA7;"
"ori 2, 2, 0xF3F8;"
/*Loading args*/
"lis 12, 0x210;"
"lwz 3, 0x4(12);"
"lwz 4, 0x8(12);"
"lwz 5, 0xC(12);"
"lwz 6, 0x10(12);"
"lwz 7, 0x14(12);"
"lwz 8, 0x18(12);"
"lwz 9, 0x1C(12);"
"lwz 10, 0x20(12);"
"lwz 11, 0x24(12);"
"lfs 1, 0x28(12);"
"lfs 2, 0x2C(12);"
"lfs 3, 0x30(12);"
"lfs 4, 0x34(12);"
"lfs 5, 0x38(12);"
"lfs 6, 0x3C(12);"
"lfs 7, 0x40(12);"
"lfs 8, 0x44(12);"
"lfs 9, 0x48(12);"
/*Calling*/
"lwz 12, 0(12);"
"mtctr 12;"
"bctrl;"
/*returns*/
"lis 4, 0x210;"
"stw 3, 0x4C(4);"
"stfs 1, 0x50(4);"
"li 3, 0;"
"stw 3, 0(4);"
"ld 0, -0x520-0x10(1);"
"mtlr 0;"
"ld 26, -0x520-0x40(1);"
"ld 27, -0x520-0x38(1);"
"ld 28, -0x520-0x30(1);"
"ld 29, -0x520-0x28(1);"
"ld 30, -0x520-0x20(1);"
"ld 31, -0x520-0x18(1);"
"ld 2, -0x520-0x48(1);"
"end:;"
);
for(int i = 0; i < 0x48; i++)
*(char*)(0x2100000+i) = 0x00;
sleep(5);
}
}
v
Example on how to call something:
if(*(int*)0x00cbcce4 == 1) //button monitoring for square
{
CALL(0x05720C0 , 3, 0, 0, "c test"); //SV_GameSendServerCommand for GHOSTS 1.14
}
Credits:
Bad Luck Brian
Shark
theriftboy
Bad Luck Modders
RPC in .sprx Ewww
The following 3 users say thank you to SC58 for this useful post:
Copyright © 2026, NextGenUpdate.
All Rights Reserved.
