Hello. Please help me about PS1 and PS2

  • #16
    Originally posted by luc-ita:
    Yes! I'm trying to do exactly what you have written.
    What do you prefer? A dump of the RAM or a link to the ELF via PM? As you prefer. Or I could send you both in a PM.
    That's easy then. I put some comments in this code but it should be easy to follow:



    Code:
    // Obtain data from s4

    address $20255C48 // address starts out as "2" so my compiler output is in 32 bit constant write format.
    jal $a0000 // jump and link to our Code Cave

    /////////////////////////////////////////////////////
    // Code Cave Start
    /////////////////////////////////////////////////////
    address $200a0000

    // original code stored at 0x255C48 because we hi-jacked that address.
    daddu s4, a0, zero

    // load data from s4 in to t0
    // t0 now contains the data stored at the address of s4
    lw t0, $0000(s4)

    /*
    You can now alter the data stored at s4 or any data of the addresses that start at s4.
    */

    // return to original function
    jr ra
    nop

    /////////////////////////////////////////////////////
    // Code Cave End
    /////////////////////////////////////////////////////
    RAW format of the same code for PS2:

    Code:
    20255C48 0C028000
    200A0000 0080A02D
    200A0004 8E880000
    200A0008 03E00008
    200A000C 00000000



    • #17
      Wow. Your code and method of using the t0 register is very interesting! I thought that the t0 register was a temporary register. But I was wrong!
      Going to test your code

      EDIT:
      I made two changes, otherwise the game crashes. The jal and the jr ra at the end of the code jumped to a wrong place, but that was not a problem. I've replaced both with two jumps and the code works very well!!! Many thanks!!
      But...now I have another problem. I'm sorry. s4, and therefore t0, holds two addresses. One time 00711180 and a second time 00705AC0. And I need only 00711180. Is it possible to make a check in your script that decides what to store and what not to store to the t0 address? Like a compare...I'm able to do this in x86 asm but not in MIPS, for now. My idea is to have only what I need stored in the t0 register.

      Could I ask you for a little more help finding a solution? Thanks to your code I'm almost at my goal!

      Another question: How can I put t0 at an address so that it's possible to modify the data and then write it back into t0?
      Last edited by luc-ita; 12-22-2015, 02:33:07 PM.
      Learning how to hack real life



      • #18
        Originally posted by luc-ita:
        Wow. Your code and method of using the t0 register is very interesting! I thought that the t0 register was a temporary register. But I was wrong!
        Going to test your code
        It is a temp register. I used it for this code because that function is not using it until later and you aren't calling any functions so using the temp registers is fine.



        • #19
          NOW I understood!!! Hope you help me on the other questions. But I won't abuse your time. Maybe I could write my idea of the script in x86 asm and you could translate it to MIPS asm...It would be an idea.

          EDIT:
          Prior to loading s4 into t0, I could check what else is loaded in the other registers and, with a beq opcode, tell the system to load s4 into t0 ONLY when a defined condition in the other registers is met. So I could resolve the two addresses problem explained in the previous post.
          I'm just thinking. Once again, damn my poor knowledge.
          Last edited by luc-ita; 12-22-2015, 07:39:08 PM.
          Learning how to hack real life



          • #20
            Originally posted by luc-ita:
            NOW I understood!!! Hope you help me on the other questions. But I won't abuse your time. Maybe I could write my idea of the script in x86 asm and you could translate it to MIPS asm...It would be an idea.

            EDIT:
            Prior to loading s4 into t0, I could check what else is loaded in the other registers and, with a beq opcode, tell the system to load s4 into t0 ONLY when a defined condition in the other registers is met. So I could resolve the two addresses problem explained in the previous post.
            I'm just thinking. Once again, damn my poor knowledge.
            You can do that but it requires a lot more work and there isn't a good way to tell the differences between the addresses. Tell me exactly what code(s) you want to make and I'll create them as examples so you can better understand mips. Once you see how it works then you will be able to create the codes you want in mips assembly.



            • #21
              "Temporary" just refers to how it's intended to be used by convention. Some of the other hardware registers may be volatile in strange ways because they get data and requests from multiple sources, but all the general purpose registers are essentially the same with regard to how you can use them. There are obvious exceptions due to use conventions. Although, if not for conventions, you could realistically use $sp like it was $s0 and vice-versa.

              For hacking purposes, the main question is, "what can I get away with?" Hell, I'd stick values on $ra if it came to it, and it saved me an op because I didn't have to preserve its value.



              • #22
                Finally I've reached my goal!

                Huge thanks to Pyriel and Harry62 for your help!!

                Code:
                000A0000  daddu	s4,a0,zero
                000A0004  lui	t0,0xB90D
                000A0008  addi	t0,t0,0x2BBC
                000A000C  bne	t0,t3,000A002C
                000A0010  lw	t0,0x4(a3)
                000A0014  lw	t1,0x0(t0)
                000A0018  lui	t1,0x3F00
                000A001C  sw	t1,0x0(t0)
                000A0020  sw	t1,0x14(t0)
                000A0024  sw	t1,0x28(t0)
                000A0028  sw	t1,0x3C(t0)
                000A002C  j	00255C4C
                Learning how to hack real life



                • #23
                  Originally posted by luc-ita:
                  Finally I've reached my goal!

                  Huge thanks to Pyriel and Harry62 for your help!!

                  Code:
                  000A0000  daddu	s4,a0,zero
                  000A0004  lui	t0,0xB90D
                  000A0008  addi	t0,t0,0x2BBC
                  000A000C  bne	t0,t3,000A002C
                  000A0010  lw	t0,0x4(a3)
                  000A0014  lw	t1,0x0(t0)
                  000A001C  lui	t1,0x3F00
                  000A0018  sw	t1,0x0(t0)
                  000A0020  sw	t1,0x14(t0)
                  000A0024  sw	t1,0x28(t0)
                  000A0028  sw	t1,0x3C(t0)
                  000A002C  j	00255C4C
                  Just a heads up,

                  I checked the file you sent me since I was puzzled by the game freezing when using a jal to your code cave. The reason it froze is that the hook to your code cave is above this address: 00255c64

                  That address is preserving the return address, so the game is jumping back to a previous function without executing the rest of the original function. You should be able to use this address (00255c68) if you really wanted to use a jal instead of a j.

                  Either way works as long as the game doesn't crash.



                  • #24
                    Originally posted by Harry62:
                    Just a heads up,

                    I checked the file you sent me since I was puzzled by the game freezing when using a jal to your code cave. The reason it froze is that the hook to your code cave is above this address: 00255c64

                    That address is preserving the return address, so the game is jumping back to a previous function without executing the rest of the original function. You should be able to use this address (00255c68) if you really wanted to use a jal instead of a j.

                    Either way works as long as the game doesn't crash.
                    I'm opening PCSX2 and the debugger now to look at and concretely understand your explanation. I'm really interested!!
                    Learning how to hack real life



                    • #25
                      Originally posted by luc-ita:
                      I'm opening PCSX2 and the debugger now to look at and concretely understand your explanation. I'm really interested!!
                      This address is storing the return address into something called the stack pointer: 00255c64

                      Code:
                      Address: 0x00255c64
                      Data: sd ra, $0000(sp)
                      The data translates to: Store doubleword of "ra" into offset "0000" of "sp".

                      If you look at the end of that function you will see this address: 00255d9c. That address is loading the return address from the stack pointer offset of 0000 back into register ra.

                      So using 0x00255c68 should work fine for a jal as long as you insert the original code found at 0x00255c68 in to your code cave.



                      • #26
                        I've re-read your previous posts and have understood your explanation.

                        Pardon me but...what's the difference between the jal opcode and the simple j opcode? I only know that jal stands for jump and link, and j stands for jump. Which is the best for hacking purposes?
                        Last edited by luc-ita; 12-24-2015, 12:27:25 PM.
                        Learning how to hack real life



                        • #27
                          Originally posted by luc-ita:
                          I've re-read your previous posts and have understood your explanation.

                          Pardon me but...what's the difference between the jal opcode and the simple j opcode? I only know that jal stands for jump and link, and j stands for jump. Which is the best for hacking purposes?
                          The only difference between a JAL and J is that a JAL will set register RA to the address that contains the JAL+0x8 (aka two addresses down if you are looking at it in ps2dis or pcsx2dis). A JAL is used so you can jump to another function and then jump back to the original function by using the command JR RA (jump to the address stored in register RA).

                          It just makes it easier than having to know the exact location to jump to.

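The JAL+8 link rule above, and the freeze Harry62 traced in #23 and #25, as an added Python model that is not code from the thread. The RAW line and the hook, save and reload addresses are the thread's; the caller address and the instructions between those addresses are constructed assumptions.

```python
# Added example (not from the thread): encodes the PS2 RAW hook line from
# post #16 and models why a jal placed before `sd ra,0(sp)` freezes the game.
# Addresses are the thread's; the function body between them is constructed.
CALLER, ENTRY, CAVE = 0x100000, 0x255C40, 0xA0000
HOOK_EARLY, SAVE_RA, HOOK_LATE = 0x255C48, 0x255C64, 0x255C68
LOAD_RA, EXIT = 0x255D9C, 0x255DA0

def encode_jal(target: int) -> int:
    """MIPS jal: opcode 3 in the top 6 bits, then the target's word index."""
    assert target % 4 == 0 and target < 0x1000_0000
    return (0x03 << 26) | (target >> 2)

def raw_line(addr: int, word: int) -> str:
    """PS2 RAW 32-bit write: type digit '2' + 7-digit address, then the word."""
    return f"{0x2000_0000 | addr:08X} {word:08X}"

def build_program(hook_at: int, use_jal: bool) -> dict:
    """Only control flow and the ra save/restore matter; the rest is 'nop'."""
    prog = {a: ("nop",) for a in range(ENTRY, EXIT + 4, 4)}
    prog[SAVE_RA] = ("save_ra",)   # sd ra,$0000(sp) at 0x255C64 (post #25)
    prog[LOAD_RA] = ("load_ra",)   # ra reloaded from the stack at 0x255D9C
    prog[EXIT] = ("jr_ra",)        # function epilogue returns through ra
    prog[hook_at] = ("jal", CAVE) if use_jal else ("j", CAVE)
    prog[CAVE] = ("nop",)          # stands in for the re-executed original op
    prog[CAVE + 4] = ("jr_ra",) if use_jal else ("j", hook_at + 4)
    return prog

def run(prog: dict, max_steps: int = 400) -> str:
    """Call the hooked function from CALLER and report where it ends up.
    Branch delay slots are ignored; they do not change the outcome here."""
    pc, ra, saved_ra = ENTRY, CALLER + 8, None
    for _ in range(max_steps):
        if pc == CALLER + 8:
            return "returned to caller"
        op = prog.get(pc, ("nop",))
        if op[0] == "jal":
            ra, pc = pc + 8, op[1]     # link register = address of jal + 8
        elif op[0] == "j":
            pc = op[1]
        elif op[0] == "jr_ra":
            pc = ra
        elif op[0] == "save_ra":
            saved_ra, pc = ra, pc + 4
        elif op[0] == "load_ra":
            ra, pc = saved_ra, pc + 4
        else:
            pc += 4
    return "never returned (freeze)"
```

A jal at 0x255C48 overwrites ra before 0x255C64 saves it, so the epilogue reloads the cave's return address and the function loops on itself; a jal at 0x255C68, or a plain j with a `j` back from the cave, returns to the caller.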


                          • #28
                            Finally it's clearer to me! In the end, x86 asm and MIPS aren't so different, for some things. Thanks again
                            Learning how to hack real life



                            • #29
                              I'm sorry! If you had tested my function and seen a strange result, that's because I had inverted two lines.
                              I wrote 000A001C under 000A0014 and then 000A0018! The opcodes are correct. Only the numbers of the lines were inverted.
                              After editing, the function works well.
                              Learning how to hack real life



                              • #30
                                Well, "easier", sort of undersells it. Using J or JR to execute something like memcpy would be nigh impossible without a lot of spaghetti or boilerplate code all over the place. Although, if you're only talking about game hackers—who usually aren't trying to write a function that can be called 2,000 times in the same executable so linking is often optional—saying it's easier does mostly cover it.
                                Last edited by Pyriel; 12-24-2015, 04:50:46 PM.
