NGU Profile: http://www.nextgenupdate.com/forums/members/238769-bad-luck-brian.html
CLICK MORE FOR THE WRITTEN TUTORIAL:
Welcome to my first tutorial on PowerPC, my name is Bad Luck brian
and today i will show you the basics of ppc wich is used in every self
files on the ps3 like on mw3.
first, assuming you have IDA pro and the ps3 loaders installed, load mw3 eboot.elf
in your hex editor and in IDA pro.
now in your hex editor search for “fps:” and press enter(we will search for this text because it will give us the
function for the frame per second wich is called ever frame so if we edit it then it will get executed every frame),
then press control + E and copy the offset. (0x2671EC)
now open you dissasembler(IDA) and press “G” and put in your offset plus 10000. (0x2671EC + 10000 = 0x2771EC)
You will now see the fps: string and his “XREF”. Those are called the X references. You use them to see where this code
is called in the game. Double-click on the xref and it will bring you to the fps function.
PS: words with ** will be more detailed at the end of this text.
Now its time to talk about the main instructions that you need to understand.
First there is *load imidiate* wich loads a value into a variable called the *register*.
then there is *load imidiate shifted* wich loads a value but shift it.
here is an exemple: 0x12
li 0x12 = 00 00 00 12
lis 0x12 = 12 00 00 00
Next, lets talk about the branch instructions. a branch simply jump to a code location and execute it.
the branch can be conditional for exemple there is branch if equal and branch in not equal.
cmpwi r3, 0
In this case the code will compare r3 with 0 and if r3 equal to zero than it will execute the code at 277290.
Third, There is the store function wich store a value in the memory. there is a store word wich stores four bytes and
store byte wich store only 1 byte. the is also some other store instructions but i will talk about them in the
next tutorials. Here is an exemple.
li r3 0x12 (00 00 00 12)
lis r4 0x1234 (12 34 00 00)
stw r3, r4
This will send the register 3(0x12) to the offset stored at the register 4(0x12340000).
now i will talk about the last two ones that are really important.
the addition and the compare instructions.
the addition will just add a value to the register
addi = add a value to the register
addic = add two values to the register
and the compare instruction will compare a value or a register to another register.
cmpwi = compare register with value
cmpw = compare register with another register
and the last one is the NOP function wich is doing nothing at all, when this code is executed it does nothing,
its like a null instruction
alright these instructions are the basics one, but how do we change the instruction ? using the hex editor that is
included in your dissasembler ! i put a list of the basic opcodes in the description of this video.
opcodes are just hex values that define the instructions here is some exemples.
HEX CODES FOR THE INTRUCTIONS
li = 38 XX YY YY (XX = register, 60 = r3, 80 = r4, a0 = r5, c0 = r6 etc) (YY = the value)
lis = 3C XX YY YY (XX = register, 60 = r3, 80 = r4, a0 = r5, c0 = r6 etc) (YY = the value)
b = 48 XX XX XX (XX = difference between the two locations, you must adjust it a bit using ida)
beq = 41 82 XX XX (XX = difference between the two locations, you must adjust it a bit using ida)
bne = 40 82 XX XX (XX = difference between the two locations, you must adjust it a bit using ida)
stb = 98 XY ZZ ZZ (check stw below, stb only sends 1 byte and stw sends 4 bytes)
stw = 90 XY ZZ ZZ (X = Register containing the value,60 = r3, 80 = r4, a0 = r5, c0 = r6 etc || Y = Register containing the value,3 = r3, 4 = r4, 5 = r5, 6 = r6 etc || Z = if you want to add a value to the offset)
EXEMPLE FOR STW
lis r4, dword_881234@h || HEX: 3c 80 00 88 || NOTE: it shows 881234 but it is because of the stw that adds 1234 below !
li r3, 0x12 || HEX: 38 60 00 12
stw r3, dword_881234@l(r4) || HEX: 90 64 12 34
So this will send 00 00 00 12 @The offset 0x881234 🙂
NOP = 60 00 00 00