Post: [TUT] using system calls through rtm
11-02-2014, 05:12 PM #1
What is a system call?
A system call is the fundamental interface between an application and the Lv2 kernel.
What can I do with system calls?
You can do a lot... from setting the LED light to setting a console ID.
How to use system calls through RTM:
1: Make your PPC code:
To make your PPC code you're obviously going to need to know some PPC.
Also remember that the instruction to make a system call is "sc", but for some reason this instruction will not work with choco's PPC compiler, so the bytes for it are: 0x44, 0x00, 0x00, 0x02.
It will look something like this:
Remember to load r11 with the syscall index you want, then add the system call instruction (in bytes) to your compiled PPC code.
2: Finding a function/location to write into:
I always use the fps function, but the fog function should work fine too.
Go into IDA -> load ELF -> View -> Subviews -> Strings -> Alt+T (search) -> "fps:" -> click on the string -> click on its xref -> go to the top of the location and put it in text view -> copy the address.
Now you're also going to need to know how big the location is, because you need to write a certain number of nop instructions.
You're also going to need the init PPC code. You can do this by either changing the compare value or changing the branch function, for example: if it's bne -> bge (bne = branch if not equal, bge = branch if greater or equal).

3: Writing the PPC (C++)
How to make a "byte" in C++:
    unsigned char buffer[] = {(ppc here)};

or
    unsigned char buffer[size] = {(ppc here)};

Once you have that you're going to need to make your nop byte array (this is where size comes in).
I recommend going into the location in IDA and filling it up with nop until the end of the location.
Once you have that you just need to write it:
    #include <cstring>       // strlen
    #include "PS3TMAPI.h"    // ProDG Target Manager API (SNPS3* calls); header name assumed

    #define FUNC_ADDR 0x0000   // address of the location you picked in IDA (e.g. the fps function)
    #define INIT_ADDR 0x00000  // address of the branch you change so the game runs that location

    // targ = target handle, pid = process id, nop/ppc = the byte arrays made above
    void WriteSyscallPatch(HTARGET targ, UINT32 pid,
                           unsigned char* nop, int nopSize,
                           unsigned char* ppc, int ppcSize)
    {
        // nop out the whole location first
        SNPS3InitTargetComms();
        SNPS3ProcessSetMemory(targ, 0, pid, 0, FUNC_ADDR, nopSize, nop);
        // then write the compiled ppc (li r11 + sc) over the start of it
        SNPS3InitTargetComms();
        SNPS3ProcessSetMemory(targ, 0, pid, 0, FUNC_ADDR, ppcSize, ppc);
        // a string written into spare memory for the ppc code to use
        const char* txt = "milky\n";
        SNPS3InitTargetComms();
        SNPS3ProcessSetMemory(targ, 0, pid, 0, 0x2200000, (int)strlen(txt) + 1, (unsigned char*)txt);
        // the patched branch bytes (the init code from step 2)
        unsigned char init[2] = {0x41, 0x00};
        SNPS3InitTargetComms();
        SNPS3ProcessSetMemory(targ, 0, pid, 0, INIT_ADDR, 2, init);
    }

Have fun. Also, I know this can be kind of confusing, so tell me if you would like a video tutorial.
Also here is my source (C++): [attachment]
NOTICE: if you decide to use this method for a CID stealer you will be easily caught.
Credits:
blb - showing me a bit how to use system calls in PPC
choco - PPC compiler

The following 7 users say thank you to milky4444 for this useful post:

Connerg123, FusionIsDaName, NickBeHaxing, Smoky420, Smooth, Swaqq, Laser
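The post says what the patch has to contain (r11 loaded with the syscall index, the 0x44 0x00 0x00 0x02 bytes for sc, and nop fill up to the end of the location) but leaves the encoding to choco's compiler. The following is an added example, not milky4444's code, that produces exactly that buffer in C++ so the size check from step 2 is done before anything is written with SNPS3ProcessSetMemory. It assumes the stub should end with blr to return to the caller of the overwritten function (the post does not say what follows sc), uses the lv2 r11 convention the post gives, and the syscall index and location size it is called with are placeholders, not values from the page.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Added example (not the post's code): build the bytes that get written over
// the chosen location: "li r11, <index>; sc; blr" padded with nop to the
// size you measured in IDA.

// Append one 32-bit PowerPC instruction in big-endian order (PS3 byte order).
static void put32(std::vector<unsigned char>& out, uint32_t word)
{
    out.push_back(static_cast<unsigned char>(word >> 24));
    out.push_back(static_cast<unsigned char>(word >> 16));
    out.push_back(static_cast<unsigned char>(word >> 8));
    out.push_back(static_cast<unsigned char>(word));
}

// li r11, imm is addi r11, r0, imm: primary opcode 14 (0x38000000),
// rD = 11 in bits 6-10, rA = 0, 16-bit immediate. li r11, 0 is 0x39600000.
uint32_t encodeLiR11(uint16_t imm)
{
    return 0x38000000u | (11u << 21) | imm;
}

const uint32_t PPC_SC  = 0x44000002u; // sc: the bytes 0x44 0x00 0x00 0x02 from the post
const uint32_t PPC_BLR = 0x4E800020u; // blr: return to the caller (assumption, see lead-in)
const uint32_t PPC_NOP = 0x60000000u; // nop (ori r0, r0, 0), used as filler

// Size in bytes of the stub before padding: li, sc, blr.
size_t stubSize() { return 3 * 4; }

// The check from step 2: the stub must fit the location, which must be a
// whole number of 4-byte instructions.
bool fitsLocation(size_t locationSize)
{
    return locationSize % 4 == 0 && locationSize >= stubSize();
}

// Build the whole buffer for the location: stub first, then nop until the
// end, so a single SNPS3ProcessSetMemory call covers all of it.
std::vector<unsigned char> buildSyscallStub(uint16_t syscallIndex, size_t locationSize)
{
    if (syscallIndex >= 0x8000) // li sign-extends; larger values would need lis/ori
        throw std::invalid_argument("syscall index does not fit a 16-bit li");
    if (!fitsLocation(locationSize))
        throw std::length_error("location too small (or not 4-byte aligned) for the stub");

    std::vector<unsigned char> out;
    put32(out, encodeLiR11(syscallIndex)); // r11 = syscall index
    put32(out, PPC_SC);                    // trap into lv2
    put32(out, PPC_BLR);                   // return to whoever called the location
    while (out.size() < locationSize)      // fill the rest of the location with nop
        put32(out, PPC_NOP);
    return out;
}
```

The returned vector replaces the separate nop and ppc arrays from the post: one write of `buildSyscallStub(index, size)` to FUNC_ADDR does both, and the length error fires before a too-long stub could run past the end of the function into whatever follows it.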
12-01-2014, 10:46 AM #11
Originally posted by milky4444 (quoting the full original post above):

Be very careful when using system calls via lv2; it also uses lv1 and appldr, isoldr, bootldr. If you make a mistake you could damage your PS3 and cause a brick or full brick.

If you know PPC very well then yes, go ahead, but if you're not and you're a beginner wanting to learn this, use an old PS3 you don't want to break and use it for testing.

The best people to speak to: use mIRC or HexChat, sign into the EFnet server and go and ask either MYSIS or EussNL in room PS3DEV! or PS3DEV.
These two are the best for PS3 as they own ps3devwiki and they are updating system calls.

Just a warning for you.

But good work on this tutorial for others to use.

Also look at Hypervisor by graff on the front page of ps3devwiki; there is much more info on PPC.

The following 2 users say thank you to ELITE xxmcvapourxx for this useful post:

JLM, milky4444
12-25-2014, 03:26 PM #12
optantic
Pokemon Trainer
Originally posted by Doctor
Why would you try this way with a sprx? You can just call the system call...


System call only works on DEX? Seems to have no effect on CEX.
I am using write_process to poke breakpoints.
Last edited by optantic ; 12-25-2014 at 03:32 PM.

The following user thanked optantic for this useful post:

ioritree

Copyright © 2024, NextGenUpdate.
All Rights Reserved.