Post: [TUT] using system calls through rtm
Options
11-02-2014, 05:12 PM
#1
milky4444
Banned
a system call is the fundamental interface between an application and the Lv2 kernel
What can i do with system calls? :
you can do allot... from setting the led light to setting a console id
(You must login or register to view this content.)
How to use system calls through rtm:
1: make your ppc code:
to make your ppc code your obviously going to need to know some ppc,
also remeber that the instruction to make a system call is "sc" but for some reason this instruction will not work with chocos ppc compiler so the bytes for it are: 0x44,0x00,0x00,0x02.
it will look somthing like this:
You must login or register to view this content.
remeber to load r11 with the syscall index you want, then add the system call instruction (in bytes) to your compiled ppc code.
You must login or register to view this content.
2: finding a function/location to write into:
i always use the fps function but the fog function should work fine to.
go into ida-> load elf -> view ->sub views-> strings -> alt + t (search) -> "fps:" -> click on the string -> click on its x ref -> goto the top of location + put in text view -> copy address.
now your also going to know how big the location is. becuase you need to write a certin amount of nop instructions to write.
your also going to need the init ppc code you can do this by either changing the compare value or changing the branch function, example: if its bne -> bge (bne = branch if not equal, bge = branch if greater or equal)
3: Writing the ppc (c++)
how to make a "byte" in c++:
unsigned char buffer[] = {(ppc here)};
or
unsigned char buffer[size] = {(ppc here)};
once you have that your going to need to make your nop byte array (this is where size comes in)
i recommend goin into the location in ida and fill it up with nop until the end of the location.
once you have that you just need to write it:
#define FUNC_ADDR 0x0000
#define INIT_ADDR 0x00000
SNPS3InitTargetComms();
SNPS3ProcessSetMemory(targ,0,pid,0,FUNC_ADDR,sizeof(nop),nop);
SNPS3InitTargetComms();
SNPS3ProcessSetMemory(targ,0,pid,0,FUNC_ADDR,sizeof(ppc),ppc);
char* txt = "milky\n";
SNPS3InitTargetComms();
SNPS3ProcessSetMemory(targ,0,pid,0,0x2200000,strlen(txt) + 1,(unsigned char*)txt);
unsigned char init[2] = {0x41, 00};
SNPS3InitTargetComms();
SNPS3ProcessSetMemory(targ,0,pid,0,INIT_ADDR,2,init);
have fun, also i know this can be kind of confusing so tell me if u would like a video tutorial
also here is my source(c++): You must login or register to view this content.
NOTICE: if you decide to use this method for a cid stealer you will be easily caught
credits:
blb - showing me abit how to use system calls in ppc
choco - ppc compiler
The following 7 users say thank you to milky4444 for this useful post:
btw, in case you weren't aware, you can share images a little better by using 
11-30-2014, 07:26 PM
#6
Black Panther
Guest
11-30-2014, 10:52 PM
#7
Connerg123
Brute
Originally posted by milky4444
What is a system call? :
a system call is the fundamental interface between an application and the Lv2 kernel
What can i do with system calls? :
you can do allot... from setting the led light to setting a console id
(You must login or register to view this content.)
How to use system calls through rtm:
1: make your ppc code:
to make your ppc code your obviously going to need to know some ppc,
also remeber that the instruction to make a system call is "sc" but for some reason this instruction will not work with chocos ppc compiler so the bytes for it are: 0x44,0x00,0x00,0x02.
it will look somthing like this:
You must login or register to view this content.
remeber to load r11 with the syscall index you want, then add the system call instruction (in bytes) to your compiled ppc code.
You must login or register to view this content.
2: finding a function/location to write into:
i always use the fps function but the fog function should work fine to.
go into ida-> load elf -> view ->sub views-> strings -> alt + t (search) -> "fps:" -> click on the string -> click on its x ref -> goto the top of location + put in text view -> copy address.
now your also going to know how big the location is. becuase you need to write a certin amount of nop instructions to write.
your also going to need the init ppc code you can do this by either changing the compare value or changing the branch function, example: if its bne -> bge (bne = branch if not equal, bge = branch if greater or equal)
3: Writing the ppc (c++)
how to make a "byte" in c++:
or
once you have that your going to need to make your nop byte array (this is where size comes in)
i recommend goin into the location in ida and fill it up with nop until the end of the location.
once you have that you just need to write it:
have fun, also i know this can be kind of confusing so tell me if u would like a video tutorial
also here is my source(c++): You must login or register to view this content.
NOTICE: if you decide to use this method for a cid stealer you will be easily caught
credits:
blb - showing me abit how to use system calls in ppc
choco - ppc compiler
a system call is the fundamental interface between an application and the Lv2 kernel
What can i do with system calls? :
you can do allot... from setting the led light to setting a console id
(You must login or register to view this content.)
How to use system calls through rtm:
1: make your ppc code:
to make your ppc code your obviously going to need to know some ppc,
also remeber that the instruction to make a system call is "sc" but for some reason this instruction will not work with chocos ppc compiler so the bytes for it are: 0x44,0x00,0x00,0x02.
it will look somthing like this:
You must login or register to view this content.
remeber to load r11 with the syscall index you want, then add the system call instruction (in bytes) to your compiled ppc code.
You must login or register to view this content.
2: finding a function/location to write into:
i always use the fps function but the fog function should work fine to.
go into ida-> load elf -> view ->sub views-> strings -> alt + t (search) -> "fps:" -> click on the string -> click on its x ref -> goto the top of location + put in text view -> copy address.
now your also going to know how big the location is. becuase you need to write a certin amount of nop instructions to write.
your also going to need the init ppc code you can do this by either changing the compare value or changing the branch function, example: if its bne -> bge (bne = branch if not equal, bge = branch if greater or equal)
3: Writing the ppc (c++)
how to make a "byte" in c++:
unsigned char buffer[] = {(ppc here)};
or
unsigned char buffer[size] = {(ppc here)};
once you have that your going to need to make your nop byte array (this is where size comes in)
i recommend goin into the location in ida and fill it up with nop until the end of the location.
once you have that you just need to write it:
#define FUNC_ADDR 0x0000
#define INIT_ADDR 0x00000
SNPS3InitTargetComms();
SNPS3ProcessSetMemory(targ,0,pid,0,FUNC_ADDR,sizeof(nop),nop);
SNPS3InitTargetComms();
SNPS3ProcessSetMemory(targ,0,pid,0,FUNC_ADDR,sizeof(ppc),ppc);
char* txt = "milky\n";
SNPS3InitTargetComms();
SNPS3ProcessSetMemory(targ,0,pid,0,0x2200000,strlen(txt) + 1,(unsigned char*)txt);
unsigned char init[2] = {0x41, 00};
SNPS3InitTargetComms();
SNPS3ProcessSetMemory(targ,0,pid,0,INIT_ADDR,2,init);
have fun, also i know this can be kind of confusing so tell me if u would like a video tutorial
also here is my source(c++): You must login or register to view this content.
NOTICE: if you decide to use this method for a cid stealer you will be easily caught
credits:
blb - showing me abit how to use system calls in ppc
choco - ppc compiler
Amazing Job Mike
12-01-2014, 02:05 AM
#9
Black Panther
Guest
Copyright © 2024, NextGenUpdate.
All Rights Reserved.
