THREAD: PowerPC Assembly basics [part 1]
  1. 11-01-2013, 01:11 PM
    Hi everyone, today I wanted to make a tutorial on PowerPC :)

    SETTING A REGISTER [SMALL VALUES]

    First of all we will learn to mess with the registers. We use them as variables (r1, r2, r3, r4, r5, r6, r7... it goes up to r31).


    IMPORTANT: When loading a value in a register it always stores it as 4 bytes (for the basics).


    Load Immediate ("li"): this will load a value into a register.
    Example: li r3, 0x64 (in memory it would be 00 00 00 64 (remember it's 4 bytes))

    Load Immediate Shifted ("lis"): same as li but it will shift it.
    Example: lis r3, 0x64 would be: 00 64 00 00

    Tips about li/lis:
    imagine your 4 bytes like this: XX XX YY YY
    lis can write in the XX XX and li can write in the YY YY
    lis/li || X/Y

    Now here are some exercises on lis/li using the register r3:

    I want my 4 bytes to look like this: 00 00 00 12
    Solution:
    li r3, 0x12

    Now I want my 4 bytes to look like this: 00 00 12 00
    Solution:
    li r3, 0x1200

    Now I want my 4 bytes to look like this: 00 12 00 00
    Solution:
    lis r3, 0x12

    Now I want my 4 bytes to look like this: 12 00 00 00
    Solution:
    lis r3, 0x1200





    SETTING A REGISTER [BIG VALUES]

    Now it's cool, we can write in our 4 bytes this way: XX XX YY YY,
    but what if we want to write to both parts, X AND Y?

    We will use addic, which means addition immediate carrying.

    addic is used this way: addic RESULT, REGISTER, Value

    Result = register that will HOLD the result from the addition
    REGISTER = the register that will be added to the Value
    Value = Value to add to the REGISTER

    Example: li r3, 0x01
    addic r4, r3, 0x04

    r4 is now equal to 0x05 (0x01 + 0x04 = 0x05)

    Example 2: lis r3, 0x06 (r3 = 00 06 00 00)
    addic r3, r3, 0x3000

    r3 is now equal to: 00 06 30 00 (0x063000)

    Now let's load an address, 0x2005000.
    We would first split it into bytes starting from the RIGHT:

    0x2005000
    2005000
    20050 00
    200 50 00
    2 00 50 00
    02 00 50 00 <- final bytes, we added a 0 to the 2 so it can be a byte! 2 00 50 00 is not valid because of the "2", and 02 is the same as 2, so 02 00 50 00

    Now how would we load it in a register? It's simple, first we will compare it to my XX XX YY YY format:

    02 00 50 00
    XX XX YY YY

    I always start with the XX XX values

    lis r3, 0x0200 (r3 = 02000000, don't forget it's shifted)

    Then I add the YY YY to it:
    addic r3, r3, 0x5000

    So this will add 0x5000 to 0x02000000 (0x02005000).

    Final form:
    lis r3, 0x200
    addic r3, r3, 0x5000
    So r3 is now equal to 0x02005000 or 0x2005000 (the zeros BEFORE the address can be removed, it's the same as 000010... 000010 = 10).


    Now let's do some exercises :)

    Exercise 1: I want you to set r3 to: 0xFCA280
    Solution:

    0xFCA280
    First we will split it from the RIGHT, as always!

    fca280
    fca2 80
    fc a2 80

    Now we only have 3 bytes; we always work with 4 bytes, so we add zeros BEFORE the number:
    00 fc a2 80

    Now we start with XX XX, then after we add the YY YY:

    lis r3, 0x00fc
    addic r3, r3, 0xA280

    *r3 is now equal to 0x00FCA280 or 0xFCA280 (the zeros BEFORE the address can be removed, it's the same as 000010... 000010 = 10)




    Exercise 2: Now I want you to set r3 to 0x110d60c
    Solution:

    First we split the address into 4 bytes starting from the right.

    110d60c
    110d6 0c
    110 d6 0c
    1 10 d6 0c

    Now there is a "1" that is alone; that's not a byte, let's put a zero before it:

    01 10 d6 0c

    Don't forget, putting zeros BEFORE a number doesn't affect it! 000001 = 1 but 10000 = 10000... zeros before a number don't change it.

    So now we have 01 10 d6 0c (0x0110d60c)

    Now let's set the XX XX YY YY:

    lis for XX and li for YY

    lis r3, 0x0110
    addic r3, r3, 0xd60c

    r3 is now equal to 0x0110d60c or 0x110d60c







    STORING A REGISTER IN THE MEMORY

    STW: Store Word
    What does stw do? It stores 4 bytes somewhere in the memory; it's writing to the memory, in other words.
    Usage: STW VALUE, ADDRESS, ADD

    Example:
    li r3, 0x64
    lis r4, 0x0110
    stw r3, r4, 0xd60c (0x110d60c)

    Now r4 (0x110d60c) will look like this in the memory: 00 00 00 64

    Explanation:
    STW VALUE, ADDRESS, ADD

    VALUE: Value to store at the address, it's a register
    ADDRESS: address in the memory where we will store our VALUE
    ADD: Awesome, with stw we can add a value to the ADDRESS without the use of addic. It's OPTIONAL, we can just set it to 0 if we don't want to add something to the address.

    Here is an example of the ADD value:

    lis r3, 0x0200 (r3 is now equal to 02 00 00 00, 0x02000000)
    li r4, 0x64 (r4 is equal to 00 00 00 64)
    stw r4, r3, 0x5000

    *stw r4, r3, 0x5000* -> we add 0x5000 to r3 just like with addic, so now r4 is equal to 0x02005000 (02 00 50 00)

    Exercises:

    Exercise 1: I want you to set your value to (12 34 56 78) and I want you to send it to this address: 0xFCA280. You can use any registers from r3 to r8.
    Solution:

    Alright, so I will start with setting r4 with the value:

    lis r4, 0x1234
    addic r4, r4, 0x5678 (now r4 is equal to 12 34 56 78)

    Now let's set the address for r3 (00 FC A2 80):

    lis r3, 0x00FC

    Alright, I will set the rest in the stw instead of using another addic:

    stw r4, r3, 0xA280 (FCA280)

    Final form:
    lis r4, 0x1234
    addic r4, r4, 0x5678
    lis r3, 0x00FC
    stw r4, r3, 0xA280



    Exercise 2: I want you to send these bytes (A2 00 F8 19) to this address: 0x277208
    Solution:

    I will set my address to r3, then my value to r4.

    Value:
    lis r4, 0xA200
    addic r4, r4, 0xF819

    Address: (00 27 72 08) How I did it: (0x277208 > 277208 > 2772 08 > 27 72 08 > 00 27 72 08 || don't forget, zeros before a value don't affect it and we need 4 bytes)
    lis r3, 0x0027

    STW:

    stw r4, r3, 0x7208

    FINAL:

    lis r4, 0xA200
    addic r4, r4, 0xF819
    lis r3, 0x0027
    stw r4, r3, 0x7208

    Now the address 0x277208 looks like this in the memory: A2 00 F8 19






    REAL SITUATIONS

    Now we have learned how to set a register and how to store it; reading memory and finding 'offsets' will come in the next tutorial.
    But with setting a register and storing it, what can we do? A lot already.

    Writing in the memory is an exclusive privilege for DEX users, but with PPC we can do it for CEX users using an EBOOT.

    Now let's imagine this situation:

    The address for UAV offhost is 0xFE167C4 (it's fake of course).

    We want to set this value to 00 00 FF FF to enable it permanently on any game.

    How would you do it in PPC?

    Solution:

    I will set my address to r3 and my value to r4.

    Value:
    li r4, 0xFFFF
    Address:
    lis r3, 0x0FE1

    Store:

    stw r4, r3, 0x67C4


    Final result:

    li r4, 0xFFFF
    lis r3, 0x0FE1
    stw r4, r3, 0x67C4



    Alright, this will conclude my part 1 on PPC basics. I will teach the rest in another tutorial, such as how to find offsets in IDA by reading PPC.


    Skype: KevTseDeja
  2. The Following 23 Users Say Thank You to Bad Luck Kevin For This Useful Post:

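As an added example that is not part of Bad Luck Kevin's post, here is a small Python model of li, lis, addic, ori and stw. It shows the one check a practitioner wants on the lis + addic recipe used in the big-values, stw and real-situation sections: li, addic and the stw displacement sign-extend their 16-bit operand (PowerPC ISA behaviour), so a low half of 0x8000 or higher (0xA280, 0xD60C, 0xF819 above) borrows one from the high half and li r4, 0xFFFF fills all 32 bits; ori zero-extends instead, and the @ha/@l split raises the high half to compensate. The helper names and the dict standing in for memory are this example's own.

```python
# Added example (not from the original post): a model of the PowerPC immediates
# used above. li/addic/stw sign-extend their 16-bit operand, ori zero-extends it.
def sext16(imm):
    """Sign-extend a 16-bit operand the way li/addi/addic and stw's displacement do."""
    imm &= 0xFFFF
    return imm - 0x10000 if imm & 0x8000 else imm

def li(imm):
    """li rD, imm is really addi rD, 0, imm: imm is sign-extended to 32 bits."""
    return sext16(imm) & 0xFFFFFFFF

def lis(imm):
    """lis rD, imm: imm fills the upper 16 bits, the lower 16 bits become zero."""
    return (imm & 0xFFFF) << 16

def addic(ra, imm):
    """addic rD, rA, imm: rA plus the sign-extended imm (carry bit not modelled)."""
    return (ra + sext16(imm)) & 0xFFFFFFFF

def ori(ra, imm):
    """ori rD, rA, imm: rA OR the zero-extended imm; the upper half is untouched."""
    return ra | (imm & 0xFFFF)

def split_ha_l(value):
    """(hi, lo) for 'lis hi; addic lo': hi is raised by one when lo is negative (@ha/@l rule)."""
    lo = sext16(value)
    hi = ((value - lo) >> 16) & 0xFFFF
    return hi, lo

def stw(mem, rs, ra, disp):
    """stw rS, disp(rA): store rS as four big-endian bytes at rA + sext16(disp); returns the EA."""
    ea = (ra + sext16(disp)) & 0xFFFFFFFF
    for i, b in enumerate(rs.to_bytes(4, "big")):
        mem[(ea + i) & 0xFFFFFFFF] = b
    return ea

def demo():
    # Exercise 1 above (lis 0x00FC; addic 0xA280): 0xA280 has its top bit set, so
    # addic subtracts 0x5D80 and yields 0x00FBA280 instead of 0x00FCA280.
    naive = addic(lis(0x00FC), 0xA280)
    with_ori = ori(lis(0x00FC), 0xA280)      # zero-extension: 0x00FCA280
    hi, lo = split_ha_l(0x00FCA280)          # (0x00FD, -0x5D80)
    with_ha = addic(lis(hi), lo)             # lis 0x00FD; addic -0x5D80: 0x00FCA280
    small_lo = addic(lis(0x0FE1), 0x67C4)    # closing example: 0x67C4 < 0x8000, so it is fine
    li_ffff = li(0xFFFF)                     # 'li r4, 0xFFFF' above gives 0xFFFFFFFF, not 0x0000FFFF
    mem = {}                                 # store 12 34 56 78 at 0x00FCA280, big-endian
    ea = stw(mem, ori(lis(0x1234), 0x5678), lis(hi), lo)
    stored = bytes(mem[ea + i] for i in range(4))
    return naive, with_ori, with_ha, small_lo, li_ffff, ea, stored
```

Run demo() and print the results as hex to see each case side by side; the same rules apply to exercise 2 (0xD60C) and to the 0xF819 value in the stw exercise.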

  3. 02-10-2014, 04:02 PM
    good job
  4. 02-28-2014, 06:52 PM
    part 2 =3 ?
    <3