
SETTING A REGISTER [SMALL VALUES]
First of all we will learn to mess with the registers. We use them as variables. (r1,r2,r3,r4,r5,r6,r7.... it goes up to r31)
IMPORTANT: When loading a value in a register, it is always stored as 4 bytes (for the basics)
Load Immediate("li") : this will load a value into a register
Example: li r3, 0x64 (in memory it would be 00 00 00 64; remember it's 4 bytes)
Load Immediate Shifted: same as li but it will shift it.
Example: lis r3, 0x64 would be: 00 64 00 00
Tips about li/lis:
imagine your 4 bytes like this: XX XX YY YY
lis can write in the XX XX and li can write in the YY YY
lis/li || X/Y
Now here are some exercises on lis/li using the register r3
SETTING A REGISTER [BIG VALUES]
It's cool that we can write in our 4 bytes this way: XX XX YY YY
But what if we want to write to both parts, X AND Y?
We will use addic, which means add immediate carrying
addic is used this way: addic RESULT, REGISTER, Value
Result = register that will HOLD the result from the addition
REGISTER = the register that will be added to the Value
Value = Value to add to the REGISTER
Example: li r3, 0x01
addic r4, r3, 0x04
r4 is now equal to 0x05 (0x01 + 0x04 = 0x05)
Example 2: lis r3, 0x06 (r3 = 00 06 00 00)
addic r3, r3, 0x3000
r3 is now equal to: 00 06 30 00 (0x063000)
Now lets load an address, 0x2005000
we would first split it in bytes starting from the RIGHT
0x2005000
2005000
20050 00
200 50 00
2 00 50 00
02 00 50 00 <- final bytes. We added a 0 in front of the 2 so it makes a full byte! 2 00 50 00 is not valid because of the lone "2", and 02 is the same as 2, so we get 02 00 50 00
Now how would we load it in a register? It's simple: first we compare it to my XX XX YY YY format
02 00 50 00
XX XX YY YY
I always start with the XX XX values
lis r3, 0x0200 (r3 = 02000000, don't forget it's shifted)
then I add the YY YY to it
addic r3, r3, 0x5000
so this will add 0x5000 to 0x02000000 (0x02005000)
final form:
lis r3, 0x0200
addic r3, r3, 0x5000
so r3 is now equal to 0x02005000 or 0x2005000 (the zeros BEFORE the address can be removed, it's the same as 000010... 000010 = 10)
Now let's do some exercises

STORING A REGISTER IN THE MEMORY
STW: Store Word
What does stw do? It stores 4 bytes somewhere in the memory; in other words, it writes to memory.
Usage: STW VALUE, ADDRESS, ADD
Example:
li r3, 0x64
lis r4, 0x0110
stw r3, r4, 0xd60c (0x110d60c)
now the memory at 0x110d60c (r4 + 0xd60c) will look like this: 00 00 00 64
Explanation:
STW VALUE, ADDRESS, ADD
VALUE: Value to store at the address, it's a register
ADDRESS: address in the memory where we will store our VALUE
AD

Here is an example of the ADD value
lis r3, 0x0200 (r3 is now equal to 02 00 00 00, 0x02000000)
li r4, 0x64 (r4 is equal to 00 00 00 64)
stw r4, r3, 0x5000
*stw r4, r3, 0x5000* -> 0x5000 is added to r3 just like with addic, so the address written to is 0x02005000 (02 00 50 00) and the value of r4 (00 00 00 64) is stored there
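As an added example (not part of the original tutorial), this Python sketch models li, lis, addic and stw with 4-byte registers and splits an address into its XX XX / YY YY halves. It goes beyond the cases above by assuming the standard PowerPC rule that the 16-bit immediates of li, addic and the stw offset are sign-extended, so a YY YY of 0x8000 or more needs XX XX raised by one. The Cpu class and helper names are made up for this example, and the tool used in this tutorial may treat such values differently.

```python
MASK32 = 0xFFFFFFFF  # registers modelled as 4 bytes, as in the tutorial

def sext16(imm):
    """Sign-extend a 16-bit immediate (assumed rule for li, addic, stw offset)."""
    imm &= 0xFFFF
    return imm - 0x10000 if imm & 0x8000 else imm

def split_address(addr):
    """Return (XXXX, YYYY) such that 'lis XXXX' then adding YYYY yields addr."""
    hi, lo = (addr >> 16) & 0xFFFF, addr & 0xFFFF
    if lo & 0x8000:             # YYYY will be added as a negative number,
        hi = (hi + 1) & 0xFFFF  # so XXXX is raised by one to compensate
    return hi, lo

class Cpu:
    """Tiny model of the four instructions covered so far (hypothetical helper)."""
    def __init__(self):
        self.r = [0] * 32   # r0..r31
        self.mem = {}       # address -> byte
    def li(self, rd, imm):
        self.r[rd] = sext16(imm) & MASK32
    def lis(self, rd, imm):
        self.r[rd] = (imm & 0xFFFF) << 16
    def addic(self, rd, ra, imm):
        self.r[rd] = (self.r[ra] + sext16(imm)) & MASK32
    def stw(self, rs, ra, off):
        """Store rs at ra + off; neither register is modified."""
        addr = (self.r[ra] + sext16(off)) & MASK32
        for i, byte in enumerate(self.r[rs].to_bytes(4, "big")):
            self.mem[addr + i] = byte
        return addr

def load_address(addr, adjust=True):
    """Run lis + addic for addr; adjust=False uses the plain XX XX / YY YY split."""
    hi, lo = split_address(addr) if adjust else (addr >> 16, addr & 0xFFFF)
    cpu = Cpu()
    cpu.lis(3, hi)
    cpu.addic(3, 3, lo)
    return cpu.r[3]

def store_word(value, addr):
    """li r3, value; lis r4, XXXX; stw r3, r4, YYYY. Returns (target, 4 bytes)."""
    hi, lo = split_address(addr)
    cpu = Cpu()
    cpu.li(3, value)
    cpu.lis(4, hi)
    target = cpu.stw(3, 4, lo)
    return target, bytes(cpu.mem[target + i] for i in range(4))
```

With the tutorial's 0x02005000 the plain split already works; with 0x0110d60c the plain split lands 0x10000 too low under this rule, which is why split_address returns 0x0111 for the upper half.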
Exercises:
REAL SITUATIONS
Now we have learned how to set a register and how to store it; reading memory and finding 'offsets' will come in the next tutorial.
But with setting a register and storing it, what can we do? A lot already.
Writing to memory is an exclusive privilege for DEX users, but with PPC we can do it for CEX users using an eboot
Now let's imagine this situation:
now lets imagine this situation:
the address for UAV offhost is 0xFe167C4 (it's fake of course)
we want to set this value to 00 00 ff ff to enable it permanently on any game
How would you do it in PPC?
Solution:
I will set my address to r3 and my value to r4
VALUE:
li r4, 0xFFFF
Address:
lis r3, 0x0FE1
Store:
stw r4, r3, 0x67C4
Final Result:
li r4, 0xFFFF
lis r3, 0x0FE1
stw r4, r3, 0x67C4
Alright, this concludes my part 1 on PPC basics. I will teach the rest in another tutorial, such as how to find offsets in IDA by reading PPC
Skype: KevTseDeja