  • Help with a hook - PS2

    Edit: I apologize for the incorrect terms; I was up late last night and wasn't thinking correctly. The 'hook' I specified below is actually the engine, and the jalr is actually the hook. I will now fix them.

    Note: With my dump of the kernel, the address 80078000 is all nops.

    The following code is written in Code Designer, so the 'call' operations are just jals to the specified part of the function. The address at the top marks the address the whole code will start at. What I am wondering is why it freezes when I launch the game. The hook is in the kernel and replaces a jalr k0. When I run the code without the jalr k0 (that was included in my engine) in CodeMajic, it operates perfectly. However, with my app it doesn't work, with or without the jalr k0 from my hook. This makes me feel that the fault is not behind the jalr k0 but rather in the engine placement. I believe that the jal $80078000 (where my engine is installed) doesn't jump to my engine; it instead jumps to another address. The result is the freezing of the game. My question is: is there something I am doing wrong with the actual hook, or is it the jal $80078000? Thank you.

    Here is the engine code, along with the hook in the main.c.

    Code:
    address $80078000
    
    _init:
    addiu sp, sp, $FFF0
    sq ra, $0000(sp)
    jalr k0
    nop
    call _start
    lq ra, $0000(sp)
    jr ra
    addiu sp, sp, $0010
    
    _start:
    addiu sp, sp, $FE00
    sq at, $0000(sp)
    sq v0, $0010(sp)
    sq v1, $0020(sp)
    sq a0, $0030(sp)
    sq a1, $0040(sp)
    sq a2, $0050(sp)
    sq a3, $0060(sp)
    sq t0, $0070(sp)
    sq t1, $0080(sp)
    sq t2, $0090(sp)
    sq t3, $00a0(sp)
    sq t4, $00b0(sp)
    sq t5, $00c0(sp)
    sq t6, $00d0(sp)
    sq t7, $00e0(sp)
    sq s0, $00f0(sp)
    sq s1, $0100(sp)
    sq s2, $0110(sp)
    sq s3, $0120(sp)
    sq s4, $0130(sp)
    sq s5, $0140(sp)
    sq s6, $0150(sp)
    sq s7, $0160(sp)
    sq t8, $0170(sp)
    sq t9, $0180(sp)
    sq k0, $0190(sp)
    sq k1, $01a0(sp)
    sq fp, $01b0(sp)
    sq gp, $01c0(sp)
    sq ra, $01d0(sp)
    
    lui t1, $0034 //The code for rapid fire that I will test
    sw zero, $7e8c(t1)
    
    lq at, $0000(sp)
    lq v0, $0010(sp)
    lq v1, $0020(sp)
    lq a0, $0030(sp)
    lq a1, $0040(sp)
    lq a2, $0050(sp)
    lq a3, $0060(sp)
    lq t0, $0070(sp)
    lq t1, $0080(sp)
    lq t2, $0090(sp)
    lq t3, $00a0(sp)
    lq t4, $00b0(sp)
    lq t5, $00c0(sp)
    lq t6, $00d0(sp)
    lq t7, $00e0(sp)
    lq s0, $00f0(sp)
    lq s1, $0100(sp)
    lq s2, $0110(sp)
    lq s3, $0120(sp)
    lq s4, $0130(sp)
    lq s5, $0140(sp)
    lq s6, $0150(sp)
    lq s7, $0160(sp)
    lq t8, $0170(sp)
    lq t9, $0180(sp)
    lq k0, $0190(sp)
    lq k1, $01a0(sp)
    lq fp, $01b0(sp)
    lq gp, $01c0(sp)
    lq ra, $01d0(sp)
    jr ra
    addiu sp, sp, $0200

    The jal hook and installation of the engine inside the main.c. The engine is loaded from a *.c file that specifies Engine with all its values in hexadecimal.

    Code:
    //Install the engine in memory
    
    u32 EngineStore = 0x80078000;
    u32 EngineRead = (u32)Engine; //Engine is the u32[] exported by Code Designer
    int i;
    for (i = 0; i < sizeof(Engine); i += 4)
    {
        scr_printf("A"); //So I know it successfully installed the hook
        ee_kmode_enter();
        *(u32*)EngineStore = *(u32*)EngineRead;
        ee_kmode_exit();
        EngineStore += 4;
        EngineRead += 4;
    }
    
    
    //Install hook in memory, (main.c).
    ee_kmode_enter();
    *(u32*)0x800002FC = 0xEC01E000; //jal $80078000
    ee_kmode_exit();
    Last edited by dnawrkshp; 07-24-2012, 06:01:10 PM. Reason: I was tired when I wrote this, leading my writing to mean gibberish.

  • #2
    A couple of things, and maybe I missed something here.

    1. I see where you have a JALR $k0, but not where anything is put on $k0. How is that controlled? Are you just replicating a syscall's code with modifications?
    2. JAL is limited to a 256 MB region (0x10000000). Your comment says the value being stored at 0x800002FC is meant to be a JAL to 0x80078000, but that operation is nothing as far as I can tell. If you did this in code designer, I think it must have a bug when you provide a target that's out of range. By definition, the most significant four bits of a JAL should always be zeroes. I'm guessing code designer always assumes the PC is referencing user-mode addresses. That said, I can't see how it would take JAL 0x80078000 and get 0xE in the first nibble. I think changing it to 0x0C01E000 will fix whatever problem you're having, though.
    Last edited by Pyriel; 07-24-2012, 09:50:28 AM.
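    The 256 MB region rule from the reply above, worked through as an added example (my code, not from the thread, Code Designer, or the PS2 SDK). It encodes a JAL from the hook word at 0x800002FC to the engine at 0x80078000, shows that 0xEC01E000 does not decode as a jump at all, and scans the head of the Engine export posted later in this thread (copied here so the check runs offline) for the targets of its own jumps. Addresses and opcode constants are the standard MIPS J-type layout; nothing else is assumed.

    ```python
    """MIPS J/JAL encoding checks for a PS2 EE kernel hook.

    Added example, not code from the thread, Code Designer, or the PS2 SDK.
    A J-type instruction carries only 26 bits of word address; the upper four
    bits come from the address of its delay slot (pc + 4), so the target must
    sit in the same 256 MB region as the jump itself.
    """

    J_OPCODE = 0x02
    JAL_OPCODE = 0x03
    REGION_MASK = 0xF0000000      # bits a J/JAL cannot change
    OFFSET_MASK = 0x0FFFFFFF      # bits a J/JAL does supply (after >> 2)
    INDEX_MASK = 0x03FFFFFF       # 26-bit instruction index field


    def encode_jal(pc, target):
        """Return the 32-bit JAL word for a jump placed at `pc` to `target`."""
        if target & 3:
            raise ValueError(f"target {target:#010x} is not word aligned")
        if ((pc + 4) & REGION_MASK) != (target & REGION_MASK):
            raise ValueError(
                f"target {target:#010x} is outside the 256 MB region of pc {pc:#010x}")
        return (JAL_OPCODE << 26) | ((target & OFFSET_MASK) >> 2)


    def decode_jump(word, pc):
        """Return ('j' | 'jal', absolute target) for a J-type word at `pc`, else None."""
        opcode = word >> 26
        if opcode not in (J_OPCODE, JAL_OPCODE):
            return None           # e.g. 0xEC01E000 has opcode 0x3B: not a jump
        target = ((pc + 4) & REGION_MASK) | ((word & INDEX_MASK) << 2)
        return ("jal" if opcode == JAL_OPCODE else "j", target)


    def list_jumps(words, base):
        """Scan words loaded at `base`; return (offset, mnemonic, target) per J-type jump."""
        found = []
        for i, word in enumerate(words):
            decoded = decode_jump(word, base + 4 * i)
            if decoded:
                found.append((4 * i, decoded[0], decoded[1]))
        return found


    # Head of the Engine export posted in the thread (_init through its epilogue).
    ENGINE_HEAD = [
        0x27BDFFF0, 0x7FBF0000, 0x00031823, 0x00031880, 0x3C1A8001,
        0x0343D021, 0x8F5A5500, 0x0340F809, 0x00000000, 0x0C01E00E,
        0x00000000, 0x7BBF0000, 0x03E00008, 0x27BD0010,
    ]

    HOOK_ADDR = 0x800002FC       # kernel word the thread overwrites
    ENGINE_ADDR = 0x80078000     # where the engine is copied

    if __name__ == "__main__":
        word = encode_jal(HOOK_ADDR, ENGINE_ADDR)
        print(f"jal {ENGINE_ADDR:#010x} at {HOOK_ADDR:#010x} encodes as {word:#010x}")
        print("0xEC01E000 decodes as:", decode_jump(0xEC01E000, HOOK_ADDR))
        for off, mnemonic, target in list_jumps(ENGINE_HEAD, ENGINE_ADDR):
            print(f"  +{off:#05x}: {mnemonic} {target:#010x}")
    ```

    The encoder reproduces the 0x0C01E000 value suggested above, and the scan of the export's head resolves its one jal (the `call _start`) to base + 0x38, the word immediately after this excerpt, which is where _start begins in the posted array. A jump from a kernel address in the 0x8xxxxxxx region to a 0x0xxxxxxx target, or the reverse, is rejected by `encode_jal`, which is the check to run before patching any address the assembler may have silently truncated.
    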



    • #3
      I have considered adding in what k0 should be from my kernel dump, and now I realize that should have been done from the beginning.
      I have tried using it as 0C01E000; it still freezes.
      I have also used an actual hook for the game I am using. The game does load with the hook, but nothing happens.
      So what I am doing now is changing the address from 'address $80078000' to 'address $00078000',
      then changing the hook from ...EC.. to ...0C...,
      then changing the _init function to:

      Code:
      _init:
      addiu sp, sp, $FFF0
      sq ra, $0000(sp)
      subu v1, zero, v1
      sll v1, v1, 2
      lui k0, $8001
      addu k0, k0, v1
      lw k0, $5500(k0)
      jalr k0
      nop
      call _start
      lq ra, $0000(sp)
      jr ra
      addiu sp, sp, $0010
      because k0 was undefined previously. That was taken from my kernel dump. v1 is never defined in the kernel. I am making the assumption it is always the same.

      I am going to reword my initial question. I was working on a sleepy mind, and did not word it correctly.
      Last edited by dnawrkshp; 07-24-2012, 03:51:58 PM.



      • #4
        What are you hooking? With what you've provided, it just looks like you're writing a bunch of op codes into kernel memory that will never be executed.



        • #5
          With all that done, it freezes.



          • #6
            I am hooking 800002FC.



            • #7
              Durr. Somehow I forgot the entire bottom segment of code you posted.

              Code:
              for (i = 0; i < sizeof(Engine); i += 4)
              {
                      scr_printf("A"); //So I know it successfully installed the hook
              	ee_kmode_enter();
              	*(u32*)EngineStore = *(u32*)EngineRead;
              	ee_kmode_exit();
              	HookStore += 4;
                      HookRead += 4;
              }
              Are HookStore and HookRead actual variables? Because this snippet looks like you never increment EngineStore or EngineRead, so you'd just end up with the $sp increment as your entire engine at the end.



              • #8
                Well, what I meant by 'hook' was really the engine. The hook is the kernel modification above. That was a typo from me fixing what I had written last night; quite stupid of me to forget. So the code is actually this:

                Code:
                u32 EngineStore = 0x80078000;
                u32 EngineRead = (u32)Engine; //Engine is the u32[] exported by Code Designer
                int i;
                for (i = 0; i < sizeof(Engine); i += 4)
                {
                    scr_printf("A"); //So I know it successfully installed the hook
                    ee_kmode_enter();
                    *(u32*)EngineStore = *(u32*)EngineRead;
                    ee_kmode_exit();
                    EngineStore += 4;
                    EngineRead += 4;
                }
                which increments it by 4. The actual data it is writing is the following:

                Code:
                /*
                 CodeDesigner v2.0 C Export
                 Created by: Gtlcpimp
                 Copyright ©
                */

                u32 Engine[82] = {
                	0x27BDFFF0,
                	0x7FBF0000,
                	0x00031823,
                	0x00031880,
                	0x3C1A8001,
                	0x0343D021,
                	0x8F5A5500,
                	0x0340F809,
                	0x00000000,
                	0x0C01E00E,
                	0x00000000,
                	0x7BBF0000,
                	0x03E00008,
                	0x27BD0010,
                	0x27BDFE00,
                	0x7FA10000,
                	0x7FA20010,
                	0x7FA30020,
                	0x7FA40030,
                	0x7FA50040,
                	0x7FA60050,
                	0x7FA70060,
                	0x7FA80070,
                	0x7FA90080,
                	0x7FAA0090,
                	0x7FAB00A0,
                	0x7FAC00B0,
                	0x7FAD00C0,
                	0x7FAE00D0,
                	0x7FAF00E0,
                	0x7FB000F0,
                	0x7FB10100,
                	0x7FB20110,
                	0x7FB30120,
                	0x7FB40130,
                	0x7FB50140,
                	0x7FB60150,
                	0x7FB70160,
                	0x7FB80170,
                	0x7FB90180,
                	0x7FBA0190,
                	0x7FBB01A0,
                	0x7FBE01B0,
                	0x7FBC01C0,
                	0x7FBF01D0,
                	0x3C090034,
                	0xAD207E8C,
                	0x7BA10000,
                	0x7BA20010,
                	0x7BA30020,
                	0x7BA40030,
                	0x7BA50040,
                	0x7BA60050,
                	0x7BA70060,
                	0x7BA80070,
                	0x7BA90080,
                	0x7BAA0090,
                	0x7BAB00A0,
                	0x7BAC00B0,
                	0x7BAD00C0,
                	0x7BAE00D0,
                	0x7BAF00E0,
                	0x7BB000F0,
                	0x7BB10100,
                	0x7BB20110,
                	0x7BB30120,
                	0x7BB40130,
                	0x7BB50140,
                	0x7BB60150,
                	0x7BB70160,
                	0x7BB80170,
                	0x7BB90180,
                	0x7BBA0190,
                	0x7BBB01A0,
                	0x7BBE01B0,
                	0x7BBC01C0,
                	0x7BBF01D0,
                	0x3C08E000,
                	0x3C090012,
                	0xAD28715C,
                	0x03E00008,
                	0x27BD0200,
                };
                The spaces are just how this site reads the text. It doesn't actually have a space between each line. That's an export of Code Designer.
                Last edited by dnawrkshp; 07-24-2012, 06:04:36 PM.



                • #9
                  Can you post the disassembly of the routine you're hooking?



                  • #10
                    That's the first code I posted initially. Starts with _init:

                    I will convert it to what you would use for PS2Dis in a sec.



                    • #11
                      Okay, did my best and hope it is an accurate conversion. Only needed to change the call to jal, and rename a few things.

                      Code:
                      addiu sp, sp, $FFF0 //This address is 00078000 because the kernel operates within itself (from what I understand)
                      sq ra, $0000(sp)
                      jalr k0
                      nop
                      jal $00078020
                      lq ra, $0000(sp)
                      jr ra
                      addiu sp, sp, $0010
                      
                      addiu sp, sp, $FE00 //Increase to stack pointer, 00078020
                      sq at, $0000(sp) //Store the registers
                      sq v0, $0010(sp)
                      sq v1, $0020(sp)
                      sq a0, $0030(sp)
                      sq a1, $0040(sp)
                      sq a2, $0050(sp)
                      sq a3, $0060(sp)
                      sq t0, $0070(sp)
                      sq t1, $0080(sp)
                      sq t2, $0090(sp)
                      sq t3, $00a0(sp)
                      sq t4, $00b0(sp)
                      sq t5, $00c0(sp)
                      sq t6, $00d0(sp)
                      sq t7, $00e0(sp)
                      sq s0, $00f0(sp)
                      sq s1, $0100(sp)
                      sq s2, $0110(sp)
                      sq s3, $0120(sp)
                      sq s4, $0130(sp)
                      sq s5, $0140(sp)
                      sq s6, $0150(sp)
                      sq s7, $0160(sp)
                      sq t8, $0170(sp)
                      sq t9, $0180(sp)
                      sq k0, $0190(sp)
                      sq k1, $01a0(sp)
                      sq fp, $01b0(sp)
                      sq gp, $01c0(sp)
                      sq ra, $01d0(sp)
                      
                      lui t1, $0034 //Code, Rapid fire
                      sw zero, $7e8c(t1)
                      
                      lq at, $0000(sp) //Load the registers
                      lq v0, $0010(sp)
                      lq v1, $0020(sp)
                      lq a0, $0030(sp)
                      lq a1, $0040(sp)
                      lq a2, $0050(sp)
                      lq a3, $0060(sp)
                      lq t0, $0070(sp)
                      lq t1, $0080(sp)
                      lq t2, $0090(sp)
                      lq t3, $00a0(sp)
                      lq t4, $00b0(sp)
                      lq t5, $00c0(sp)
                      lq t6, $00d0(sp)
                      lq t7, $00e0(sp)
                      lq s0, $00f0(sp)
                      lq s1, $0100(sp)
                      lq s2, $0110(sp)
                      lq s3, $0120(sp)
                      lq s4, $0130(sp)
                      lq s5, $0140(sp)
                      lq s6, $0150(sp)
                      lq s7, $0160(sp)
                      lq t8, $0170(sp)
                      lq t9, $0180(sp)
                      lq k0, $0190(sp)
                      lq k1, $01a0(sp)
                      lq fp, $01b0(sp)
                      lq gp, $01c0(sp)
                      lq ra, $01d0(sp)
                      
                      jr ra
                      addiu sp, sp, $0200 //Decrease stack pointer
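                      A consistency check for a save/restore frame like the one listed above, added here as an example (my code, not from the thread or Code Designer). It parses a listing in the same syntax and reports the frame mistakes that typically turn a hook into a freeze: a restore offset that does not match its save, a frame that does not cover the highest slot, a quadword slot that is not 16-byte aligned, or a register the payload writes without saving. `LISTING` is a constructed excerpt of the _start routine, not the full listing, and the set of "writes its first operand" mnemonics is a minimal assumption covering the instructions used here.

                      ```python
                      """Sanity checks for a hook's register save/restore frame (PS2 EE, sq/lq).

                      Added example, not from the thread or Code Designer.  LISTING is a
                      constructed excerpt of the posted _start routine in the thread's syntax.
                      """
                      import re

                      LISTING = """
                      addiu sp, sp, $FE00       //open the frame
                      sq at, $0000(sp)
                      sq v0, $0010(sp)
                      sq t1, $0080(sp)
                      sq ra, $01d0(sp)
                      lui t1, $0034             //payload: rapid fire
                      sw zero, $7e8c(t1)
                      lq at, $0000(sp)
                      lq v0, $0010(sp)
                      lq t1, $0080(sp)
                      lq ra, $01d0(sp)
                      jr ra
                      addiu sp, sp, $0200       //close the frame in the delay slot
                      """

                      FRAME_RE = re.compile(r"^addiu\s+sp,\s*sp,\s*\$([0-9a-fA-F]+)$")
                      STACK_RE = re.compile(r"^(sq|lq)\s+(\w+),\s*\$([0-9a-fA-F]+)\(sp\)$")
                      # Mnemonics whose first operand is the register they write (assumed subset).
                      WRITES_FIRST = {"lui", "addiu", "addu", "subu", "ori", "sll", "lw", "ld"}
                      NEVER_SAVED = {"sp", "zero"}


                      def analyze(listing):
                          """Return (frame_size, problems); an empty problem list means the frame is consistent."""
                          saves, loads, writes, problems = {}, {}, [], []
                          frame_open = frame_close = None
                          for raw in listing.strip().splitlines():
                              line = raw.split("//")[0].strip()           # drop trailing comments
                              if not line:
                                  continue
                              m = FRAME_RE.match(line)
                              if m:
                                  imm = int(m.group(1), 16)
                                  if imm & 0x8000:                         # negative immediate opens the frame
                                      frame_open = 0x10000 - imm
                                  else:
                                      frame_close = imm
                                  continue
                              m = STACK_RE.match(line)
                              if m:
                                  op, reg, off = m.group(1), m.group(2), int(m.group(3), 16)
                                  if off % 16:
                                      problems.append(f"{op} {reg}: slot {off:#x} is not quadword aligned")
                                  (saves if op == "sq" else loads)[reg] = off
                                  continue
                              parts = line.split(None, 1)
                              if parts[0] in WRITES_FIRST and len(parts) > 1:
                                  writes.append(parts[1].split(",")[0].strip())

                          if frame_open is None or frame_open != frame_close:
                              problems.append(f"frame open/close mismatch: {frame_open} vs {frame_close}")
                          elif frame_open % 16:
                              problems.append(f"frame size {frame_open:#x} is not quadword aligned")
                          for reg, off in saves.items():
                              if loads.get(reg) != off:
                                  problems.append(f"{reg} saved at {off:#x} but restored from {loads.get(reg)}")
                          for reg in loads:
                              if reg not in saves:
                                  problems.append(f"{reg} restored without being saved")
                          if saves and frame_open is not None and max(saves.values()) + 16 > frame_open:
                              problems.append("highest save slot lies outside the frame")
                          for reg in writes:
                              if reg not in saves and reg not in NEVER_SAVED:
                                  problems.append(f"{reg} is written by the payload but never saved")
                          return frame_open, problems


                      if __name__ == "__main__":
                          size, issues = analyze(LISTING)
                          print(f"frame {size:#x}: {'ok' if not issues else issues}")
                      ```

                      Run against the excerpt it reports a clean 0x200 frame; change one `lq` offset, drop a `sq`, or close the frame with a different immediate and it names the register or mismatch. The frame-close line is deliberately accepted after `jr ra`, because on MIPS the instruction in the delay slot executes before the jump takes effect.
                      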



                      • #12
                        http://gamehacking.org/vb/threads/48...al-Kernal-Hook

                        Relevant since I am using Gtlcpimp's hook. Not sure if that helps at all.



                        • #13
                          That doesn't make any sense. I'm asking to see the code around 0x800002FC. If you cloned it entirely as _init, that's probably not good.

                          Edit: Also, it's usually better to execute hooked operations last, but I don't know if there's a specific reason why it has to be first here.
                          Last edited by Pyriel; 07-24-2012, 10:04:54 PM.



                          • #14
                            Oh, you want to see the region the hook is placed in. Hold on, PS2Dis isn't very copy-paste friendly. In fact, do you just want my dump?



                            • #15
                              Yeah, the dump would probably make things easier overall.
