How to Write a two code Subroutine!
108 Coders :: General :: Tutorials
How to Write a two Code Subroutine.
===================================
What you need to know:
-Basic understanding of MIPS
-Understanding of registers
-How to find a hook
-How to find a hook value
-The negative rule
~~The MIPS you need to know~~
__________________________
lui - load upper immediate
lw - load word
ori - bitwise OR immediate
addiu - add immediate unsigned
sw - store word
jr ra - jump register (return to the address held in ra)
~~Registers~~
______________
Basically a register holds something. e.g.
lui t0 $1234
lw t0 $5678(t0)
This would load the current value at address 0x12345678 into t0: lui puts 0x1234 in the upper half (t0 = 0x12340000) and lw adds the 0x5678 offset to it.
t0-t9 are temporary registers.
~~How to find a hook~~
_____________________
To find a hook:
-- First search for 03e00008 (jr ra) as an exact value.
-- You can either let it search for about 4-6 min or, when it hits 1%, just stop it.
-- Now that you've got your search results, add them to your database.
-- You can either change the hex to 03e00007 or nop it (00000000).
-- Whichever ones freeze can be used as a hook.
-- For the hook value, put the first part of your routine in real using the following command: J $first address of routine in Real.
~~Negative rule~~
__________________
The Negative Rule:
If the last 16 bits of your address are over 7FFF then you have to add 0x0001 to the upper half of the address in real. e.g. 0x1234[8000] is over 7FFF, so you add 0x0001 [12358000 in fake]. The reason is that sw (and addiu) sign-extend their 16-bit immediate, so an offset of 0x8000 or more counts as negative; the extra 1 in the lui half cancels that out and the store still lands on 0x12348000.
Now let's get started with our routine.
The template we will be using:
-Hook
lui t0 $First half of Address 1
lui t1 $First half of Value 1
addiu t1 t1 $Second half of Value 1
sw t1 $Second half of Address 1(t0)
lui t2 $First half of Address 2
lui t3 $First half of Value 2
addiu t3 t3 $Second half of Value 2
sw t3 $Second half of Address 2(t2)
jr ra
The code we're going to use:
#This code does nothing
0x00023454 0x00000001
0x00023458 0x00000002
First: put the codes in real addressing (add 0x08800000 to each address)
0x00023454 +08800000
0x00023458 +08800000
_____________________
0x08823454 0x00000001
0x08823458 0x00000002
Second: put the codes in the template.
-Hook
lui t0 $0882
lui t1 $0000
addiu t1 t1 $0001
sw t1 $3454(t0)
lui t2 $0882
lui t3 $0000
addiu t3 t3 $0002
sw t3 $3458(t2)
jr ra
Now we use ps2dis to plug in the commands and get our values.
Load ps2dis from 08800000.
Press Ctrl+F, select "as hex string" and hold zero for 45 seconds. Now we have found the area of nops we will be working in.
Since we have our area of nops it's time to start plugging in the commands. I'm using area 08803000.
hook = 0x00000098 0x0a200c00
lui t0 $0882 = 0x08803000 0x3c080882
lui t1 $0000 = 0x08803004 0x3c090000
addiu t1 t1 $0001 = 0x08803008 0x25290001
sw t1 $3454(t0) = 0x0880300c 0xad093454
lui t2 $0882 = 0x08803010 0x3c0a0882
lui t3 $0000 = 0x08803014 0x3c0b0000
addiu t3 t3 $0002 = 0x08803018 0x256b0002
sw t3 $3458(t2) = 0x0880301c 0xad4b3458
jr ra = 0x08803020 0x03e00008
#Not done yet
0x00000098 0x0a200c00
0x08803000 0x3c080882
0x08803004 0x3c090000
0x08803008 0x25290001
0x0880300C 0xad093454
0x08803010 0x3c0a0882
0x08803014 0x3c0b0000
0x08803018 0x256b0002
0x0880301c 0xad4b3458
0x08803020 0x03e00008
;Now we have to subtract 0880 (i.e. 0x08800000) from each address to get back to fake addressing.
Done!
#Finished code
0x00000098 0x0a200c00
0x00003000 0x3c080882
0x00003004 0x3c090000
0x00003008 0x25290001
0x0000300C 0xad093454
0x00003010 0x3c0a0882
0x00003014 0x3c0b0000
0x00003018 0x256b0002
0x0000301c 0xad4b3458
0x00003020 0x03e00008
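Added example (not the post's own code, written for this edit): a small Python assembler that runs the whole procedure above in one go: real addressing, the negative rule, the lui/addiu/sw/j encodings, and the final subtraction of 0x08800000. It assumes standard MIPS opcodes and register numbers; it also applies the negative rule to the value halves, which the post only states for addresses, since addiu sign-extends its immediate the same way sw does.

```python
# Added example (not the original post's code): a small assembler that turns
# fake-address/value pairs into the tutorial's two-code subroutine and hook.
# Opcodes and register numbers are standard MIPS; the 0x08800000 base, routine
# area 0x08803000 and hook slot 0x00000098 are the values the tutorial uses.
BASE = 0x08800000                          # real address = fake address + BASE
OP_J, OP_ADDIU, OP_LUI, OP_SW = 0x02, 0x09, 0x0F, 0x2B
JR_RA = 0x03E00008                         # jr ra, the return the routine ends on
REG = {f"t{i}": 8 + i for i in range(8)}   # t0..t7 are $8..$15
REG.update(t8=24, t9=25)

def split_halves(word):
    """Upper/lower 16 bits for lui + addiu/sw, with the negative rule: the low
    half is sign-extended, so if it is over 0x7FFF bump the upper half by 1."""
    hi, lo = (word >> 16) & 0xFFFF, word & 0xFFFF
    return ((hi + 1) & 0xFFFF, lo) if lo > 0x7FFF else (hi, lo)

def effective_address(hi, lo):
    """What the CPU actually computes for lui $hi / sw $lo(reg)."""
    return ((hi << 16) + (lo - 0x10000 if lo > 0x7FFF else lo)) & 0xFFFFFFFF

def lui(rt, imm):
    return (OP_LUI << 26) | (REG[rt] << 16) | (imm & 0xFFFF)

def addiu(rt, rs, imm):
    return (OP_ADDIU << 26) | (REG[rs] << 21) | (REG[rt] << 16) | (imm & 0xFFFF)

def sw(rt, offset, base):
    return (OP_SW << 26) | (REG[base] << 21) | (REG[rt] << 16) | (offset & 0xFFFF)

def j(target):                             # j stores target >> 2 in 26 bits
    return (OP_J << 26) | ((target >> 2) & 0x03FFFFFF)

def build_subroutine(codes, routine_real, hook_fake):
    """codes: [(fake_address, value), ...], up to 4 pairs (two temps each).
    Returns the finished code as [(fake_address, word), ...]: the hook line
    first, then each instruction with BASE subtracted from its address."""
    words = []
    for n, (fake_addr, value) in enumerate(codes):
        ra, rv = f"t{2 * n}", f"t{2 * n + 1}"
        addr_hi, addr_lo = split_halves(fake_addr + BASE)
        val_hi, val_lo = split_halves(value)    # same rule applied to the value
        words += [lui(ra, addr_hi), lui(rv, val_hi),
                  addiu(rv, rv, val_lo), sw(rv, addr_lo, ra)]
    words.append(JR_RA)
    lines = [(hook_fake, j(routine_real))]
    lines += [(routine_real - BASE + 4 * i, w) for i, w in enumerate(words)]
    return lines

if __name__ == "__main__":   # reproduces the tutorial's finished code
    for addr, word in build_subroutine([(0x00023454, 1), (0x00023458, 2)], 0x08803000, 0x98):
        print(f"0x{addr:08X} 0x{word:08X}")
```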
~~Recap~~
___________
#Fake addressing
0x00023454 0x00000001
0x00023458 0x00000002
#Real addressing
0x08823454 0x00000001
0x08823458 0x00000002
#Finished code
0x00000098 0x0a200c00 - hook (j to the routine)
0x00003000 0x3c080882 - 0x0882, first half of address 1
0x00003004 0x3c090000 - 0x0000, first half of value 1
0x00003008 0x25290001 - 0x0001, second half of value 1
0x0000300C 0xad093454 - 0x3454, second half of address 1
0x00003010 0x3c0a0882 - 0x0882, first half of address 2
0x00003014 0x3c0b0000 - 0x0000, first half of value 2
0x00003018 0x256b0002 - 0x0002, second half of value 2
0x0000301c 0xad4b3458 - 0x3458, second half of address 2
0x00003020 0x03e00008 - jr ra
~Architect
Architect- Posts : 82
Join date : 2010-08-05