THREAD: How to write an RPC for any game
  1. 12-20-2014, 08:06 AM
    XIUD (Banned), 132 Posts, 772 Reputation, joined Feb 2014, NextGenUpdate
    How to write an RPC


    Things required:

    Some PPC knowledge.
    A custom firmware PS3.
    Visual Studio, so you can test your RPC by calling functions.



    Now let's get started!

    First you want to open up IDA Pro with your game's ELF file. Once you have loaded the ELF file you want to look for an empty address.


    You find an empty address by finding a function that you don't think does anything. When you find the address you will have to go in the debugger and put a breakpoint on the address. If you freeze, that means the address is being used; if you don't freeze then it's an empty address.


    We need an empty address because we need to store our PPC in memory. Storing it in an address that is being used will overwrite the code and most likely freeze you. That's why we did this ^^


    Writing PowerPC



    Now we have to write our RPC, right?

    I will show you what to write and explain what it does.

    You will write this:

    stdu r1, -0x70(r1)      # line 1: open a 0x70-byte stack frame
    mflr r0                 # line 2
    std r0, 0x80(r1)        # line 3: LR save slot of the caller's frame (0x70 + 0x10)

    lis r6, 0x210           # line 4: r6 = 0x02100000
    lwz r3, 0x04(r6)        # line 5
    lwz r4, 0x08(r6)        # line 6
    lwz r5, 0x0C(r6)        # line 7
    lwz r6, 0(r6)           # line 8

    mtctr r6                # line 9
    li r6, 0                # line 10
    bctrl                   # line 11
    lis r6, 0x210           # line 12
    stw r3, 0x10(r6)        # line 13
    li r3, 0                # line 14
    stw r3, 0(r6)           # line 15

    ld r0, 0x80(r1)         # line 16
    mtlr r0                 # line 17
    addi r1, r1, 0x70       # line 18
    blr                     # line 19



    Now I will explain this.

    Line 1: Allocate some space on the stack, so we can store some things.

    Line 2: Receive the link register and set r0 to it.

    Line 3: Stores the link register on the stack.

    Line 4: Just a memory spot.

    Lines 5, 6, 7, 8: If you know a little PowerPC I shouldn't have to explain this.

    Line 9: The count register is the address: 0x2100000.

    Line 10: Stops r6 from being parsed as an argument.

    Line 11: Call the address that you stored in the count register.

    Line 12: Sets 0x210 to the register r6.

    Line 13: The returned value will be stored at: 0x2100010.

    Line 14: Gives the register r3 the value of 0.

    Line 15: Erases the function stored at 0x2100000. Important!! Keeps it from calling more than once.

    Line 16: Get the link register.

    Line 17: Set LR to the original link register.

    Line 18: Deallocate the stack.

    Line 19: Return.



    How to use this.


    You would also have to know how to use this, else it's pretty much useless, right?



    Include the PS3 library in your project of course ^^

    Then you can use it like this:

    Calling an address:

    PS3::WriteUInt32(0x2100000, 0xAFDCA);

    //0xAFDCA would be the address to call, you can use your own one.

    Writing a string:

    PS3::WriteString(0x2101000, "Writing a string");


    This will write the string at 0x2101000.

    Writing an integer:

    PS3::WriteInt32(0x2100004, 5); // 0x2100004 is the first argument slot (r3) that the stub loads


    Enjoy
    Credits to ItzEphdel
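To make the memory layout concrete, here is an added C model (not from the post or the PS3 library) of the scratch block at 0x2100000 that the stub reads, with the console side and the client side of one call. The byte array, the stand-in target function and the use of 0xAFDCA as a lookup key are all constructed for the example.

```c
#include <stdint.h>

/* Constructed model of the scratch block the stub reads (PPU memory is big-endian).
 * Offsets follow the listing: 0x00 function address, 0x04/0x08/0x0C args r3-r5, 0x10 return. */
#define BLOCK_BASE 0x02100000u
enum { OFF_FUNC = 0x00, OFF_ARG1 = 0x04, OFF_ARG2 = 0x08, OFF_ARG3 = 0x0C, OFF_RET = 0x10 };
static uint8_t g_block[0x20];                 /* stands in for 0x2100000..0x210001F */

/* Like PS3::WriteUInt32: store 32 bits big-endian, the way lwz/stw on the PPU read them. */
static void write_u32(uint32_t addr, uint32_t v) {
    uint8_t *p = g_block + (addr - BLOCK_BASE);
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}
static uint32_t read_u32(uint32_t addr) {
    const uint8_t *p = g_block + (addr - BLOCK_BASE);
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Hypothetical game function standing in for whatever lives at 0xAFDCA on a real target. */
typedef uint32_t (*game_fn)(uint32_t, uint32_t, uint32_t);
#define FAKE_FUNC_ADDR 0x000AFDCAu
static uint32_t fake_target(uint32_t a, uint32_t b, uint32_t c) { return a + b + c; }
static game_fn resolve(uint32_t addr) { return addr == FAKE_FUNC_ADDR ? fake_target : 0; }

/* One pass of the stub body (listing lines 4-15); returns 1 if a call was made.
 * The zero/unknown check is an assumption: the listing has no such check, so an empty
 * slot would mean bctrl to address 0; the line-15 clear is what stops it re-firing. */
static int stub_tick(void) {
    uint32_t fn = read_u32(BLOCK_BASE + OFF_FUNC);            /* lwz r6, 0(r6) */
    game_fn target = resolve(fn);
    if (fn == 0 || target == 0) return 0;
    uint32_t r3 = target(read_u32(BLOCK_BASE + OFF_ARG1),     /* lwz r3, 0x4(r6) */
                         read_u32(BLOCK_BASE + OFF_ARG2),     /* lwz r4, 0x8(r6) */
                         read_u32(BLOCK_BASE + OFF_ARG3));    /* lwz r5, 0xC(r6); bctrl */
    write_u32(BLOCK_BASE + OFF_RET, r3);                      /* stw r3, 0x10(r6) */
    write_u32(BLOCK_BASE + OFF_FUNC, 0);                      /* li r3, 0; stw r3, 0(r6) */
    return 1;
}

/* Client side, mirroring the PS3::Write* calls: arguments first, function address last,
 * because the console-side stub fires as soon as it sees a non-zero address. */
static uint32_t rpc_call(uint32_t func, uint32_t a1, uint32_t a2, uint32_t a3) {
    write_u32(BLOCK_BASE + OFF_ARG1, a1);
    write_u32(BLOCK_BASE + OFF_ARG2, a2);
    write_u32(BLOCK_BASE + OFF_ARG3, a3);
    write_u32(BLOCK_BASE + OFF_FUNC, func);
    stub_tick();                                              /* the console side runs here */
    return read_u32(BLOCK_BASE + OFF_RET);
}
```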

  3. 12-28-2014, 11:28 AM
    TrpDnrs (Haxor!), 35 Posts, 70 Reputation, joined Apr 2014, NextGenUpdate
    Thanks for sharing. Might be useful
  4. 02-09-2015, 08:00 AM
    Ephdel (Keeper), 11 Posts, 10 Reputation, joined Dec 2014, NextGenUpdate
    .............
    Last edited by Ephdel ; 11-26-2016 at 05:15 PM.

  5. 03-12-2015, 05:11 PM
    XxBlud23xX (< ^ > < ^ >), 1,081 Posts, 7,415 Reputation, joined Aug 2014, NextGenUpdate
    Originally Posted by XIUD
    Awesome, thanks bro.