CodeWizard PS3 1.2.1 (PPC Assembler) by Dnawrkshp is Released


18w ago - Following up on his NetCheat for PS3 updates, today PlayStation 3 homebrew developer Dnawrkshp has released what he calls CodeWizard PS3 1.2.1 (PPC Assembler) followed by v1.2.4 with details below.

Download: CodeWizard PS3 1.2.1 (PPC Assembler) / CodeWizard PS3 1.2.4 (PPC Assembler)

To quote: CodeWizard PS3 is a makeshift PowerPC Assembly assembler, disassembler, and emulator (emulates the supported instructions).

It allows you to write the assembly and assemble it into NetCheat format, byte array (C#), and a hex string array. It allows for multiple tabs, coloring, labels, custom pseudo instructions, and an auto complete menu.

Assembly:

Format:

Instructions must be lowercase (addi, not ADDI).
Pseudo instructions must be laid out like so:

Register prefixes are % and $, but you can also use no prefix. Registers must be lowercase.
Decimal values must have no prefix.
Hexadecimal values must have a 0x or $ prefix.
Single line comments start with //
Multiline comments start with /* and end with */
Label declarations must end with : and a label is referred to by its name alone.

CodeWizard supports a limited number of operations (this is why it is in beta):

Conditional branches use labels or offsets. The offsets are relative to the current address. Unconditional branches use labels or addresses. The addresses are not relative.

label1:

beq 0x4 //Branches if cr0 is equal to the next line
bl 0x001ADCC0

beq label1
bl label1

Instructions like stw (stw rA, 0xXXXX(rD)) must be laid out like shown. You can't write "stw rA, rD, 0xXXXX" or anything similar.

Special Instructions:

"address 0xXXXXXXXX" - Sets the current address in the assembler.
"hook 0xXXXXXXXX" - One time use, sets the passed address to a *branch* to the first "address" instruction (hooks the beginning of the sub to the passed argument).
"hookl 0xXXXXXXXX" - One time use, sets the passed address to a *branch and link* to the first "address" instruction (hooks the beginning of the sub to the passed argument).
"setreg rD, 0xXXXXXXXX" - Sets the register rD to the passed 32 bit immediate. Doesn't have to be hexadecimal.
"hexcode 0xXXXXXXXX" - In the assembled code, the value will be equal to the passed 32 bit value. This is great for unsupported instructions.
"import [PATH]" - Imports the file at [PATH] into the subroutine at assemble time. Puts it after the already loaded imports.
"float [FLOAT]" - Inserts into the assembled code, at assemble time, the hexadecimal version of the float specified. Ex: float 1.23 => 3F9D70A4
"string [STRING]" - Converts the string into a hex version and inserts it into the code at assemble time. Ex: string aBbCcd => 61426243 :: 63640000

Output Type:

NetCheat format; 2 ADDR8 VAL8.
Byte array: byte[] NAME = { 0xBYTES ... }
Hex string array: BYTES ...

Disassembly:

The format must be in NetCheat PS3 format. If it is not, you must use the Conversion form under Tools. Labels and address instructions will be used as much as possible. The only other thing is that it erases the currently open tab if you accept the prompt.

Emulation:

Images:

Please understand that the emulator is very basic and is just to find errors in the assembly. It only emulates the assembly.

Registers are completely modifiable during execution and turn red when they are modified by the code. You may switch between the register types by clicking on the label above the register list. The stack pointer (register 1) is set in the options menu and defaults to 02000000.

Controls are fairly simple. Aside from the buttons, you may press F11 to step into. The debug box just displays any errors that occur like unsupported op or invalid memory access.

So I am releasing this as beta to get some feedback as to what instructions should be added. Also, if you find any bugs or have questions, please don't be afraid to reply.

1.2.4 Changelog:

Fixed a bunch of assembling bugs that were caused by new NC format
Fixed bug where new tab wouldn't have autocomplete
Fixed bug where a pseudo instruction with no arguments couldn't be used
Cleaned up emulator and assembler a bit
Added AutoIndent
Added tab support (cleaner formatting)
Added new instructions: divw, lwzx, stwx, ldx, stdx, lfd, stfd
Added Updater (identical to NetCheat PS3)
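As an added example (not part of CodeWizard or of this post), the Python below encodes the hook/hookl, setreg, float and string special instructions described above into 32-bit PowerPC words and emits them in the three output types; the branch encoder enforces the 0x1FFFFFC b/bl displacement limit that the hooking guide below relies on. It assumes hook/hookl assemble to a relative b/bl and that setreg assembles to the usual lis/ori pair; the addresses in the demo are constructed.

```python
import struct

BRANCH_MAX = 0x1FFFFFC  # largest forward displacement of b/bl (26-bit signed, word aligned)

def encode_branch(pc: int, target: int, link: bool = False) -> int:
    """I-form b (hook) or bl (hookl) at pc to target, relative (AA=0)."""
    disp = target - pc
    if disp % 4 or not -BRANCH_MAX - 4 <= disp <= BRANCH_MAX:
        raise ValueError(f"target {target:#010x} out of b/bl range from {pc:#010x}")
    return (18 << 26) | (disp & 0x3FFFFFC) | int(link)

def encode_setreg(rd: int, imm: int) -> list[int]:
    """setreg rD, imm32 -> lis rD, hi ; ori rD, rD, lo (low 32 bits equal imm)."""
    hi, lo = (imm >> 16) & 0xFFFF, imm & 0xFFFF
    return [(15 << 26) | (rd << 21) | hi,               # addis rD, 0, hi (lis)
            (24 << 26) | (rd << 21) | (rd << 16) | lo]  # ori rD, rD, lo

def encode_float(value: float) -> int:
    """float 1.23 -> 3F9D70A4: IEEE-754 single precision, big-endian."""
    return struct.unpack(">I", struct.pack(">f", value))[0]

def encode_string(text: str) -> list[int]:
    """string aBbCcd -> 61426243 63640000: ASCII bytes zero-padded to whole words."""
    data = text.encode("ascii")
    data += b"\0" * (-len(data) % 4)
    return list(struct.unpack(f">{len(data) // 4}I", data))

def netcheat(addr: int, words: list[int]) -> list[str]:
    """NetCheat format '2 ADDR8 VAL8': one 32-bit write per line, 4 bytes apart."""
    return [f"2 {addr + 4 * i:08X} {w:08X}" for i, w in enumerate(words)]

def byte_array(name: str, words: list[int]) -> str:
    """C# output: byte[] NAME = { 0x.., ... } in big-endian byte order."""
    hexes = ", ".join(f"0x{b:02X}" for w in words for b in w.to_bytes(4, "big"))
    return f"byte[] {name} = {{ {hexes} }}"

def hex_string(words: list[int]) -> str:
    return " ".join(f"{w:08X}" for w in words)

if __name__ == "__main__":
    # Constructed addresses (not from the post): hooked call site and the
    # first "address" of the assembled subroutine that hookl should reach.
    call_site, sub_addr = 0x00232900, 0x00ADC000
    print("\n".join(netcheat(call_site, [encode_branch(call_site, sub_addr, link=True)])))
    body = encode_setreg(3, 0x12345678) + [encode_float(1.23)] + encode_string("aBbCcd")
    print(byte_array("patch", body), hex_string(body), sep="\n")
    try:  # a target more than 0x1FFFFFC away cannot be reached with bl
        encode_branch(call_site, 0x02400000, link=True)
    except ValueError as err:
        print("rejected:", err)
```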

Finally, below is a Hooking Methods Guide from therifboy, as follows:

Note: you will need some knowledge of PPC for this. I'll try to explain some methods of hooking as well as possible. But it can still be hard without knowledge of PPC, since you will need to reverse the number of arguments and also their types. I will not explain this process.

Download: vsh.elf

METHOD 1: Intercepting calls of separate functions

This method is really simple. All it does is edit the call to make it branch to a subroutine you have written inside the .self. Note that the difference between the address of the call and your subroutine can't be bigger than 0x1FFFFFC. That's the range of a 'bl'.

If I press X on that call I can see that the subroutine is referenced multiple times, but we will be intercepting only the calls coming from the subroutine I'm currently in. In this case sub_23286C. The function I will be hooking is cellHttpSendRequest, btw.

This method is not the best one. You will either need to write the subroutine by hand and then copy it somewhere into memory where it can be executed, or write it in C/C++, compile the code and then edit the addresses by hand. Your code should look like this:

What I mean by edit addresses by hand is that you will need to edit the opcodes for the call to printf to make it call the printf function inside the .self.

METHOD 2: Intercepting calls of separate functions using a sprx and a stub. (I will explain this using the same subroutine as previous method.)

This method is I think the easiest one. I will make it branch to a stub which will then branch to a function inside my sprx. This method has 4 arguments: r3 - r6. The first thing to do in the stub is to save these arguments and the link register.

Copy this code into your plugin. This code will replace the call on the first image to make it branch to our stub.

Copy this code as well. It will replace the nops inside your stub to make it branch to your sprx. This is done at runtime because the sprx has no fixed address.

When our hook_function returns to the stub, we will then need to forward the call to the original subroutine. For me it is sub_56FA7.

This is our stub. You can write it into vsh.elf and then encrypt it back to .self or just write it in asm and copy it into memory using our sprx. (You will need to calculate the size yourself)

Everything is now setup. All we need to do now is write the code inside our sprx.

PS: you can forward other functions calling 0x0056FA74 to the stub too.

Download: VS2010 Project

METHOD 3: Intercepting every call to a function.

This method will require some hand edits but it can also be tricky sometimes. It overwrites the 4 beginning opcodes of a function (often the stack setup) to branch to our own code. This subroutine is an example of when it won't work.

I'll explain this method using this subroutine.

You will need these scripts.

This is how the function you hook into should look. The function has 5 arguments. So we will need to move those 5 arguments back to r3, r4, r5, r6 and r7 before we can return to the function we hooked. The asm is where we will do our edits.

We then need to copy the 4 beginning opcodes of the function we're hooking and load the address we're branching back into CTR using r11. For me it is 0x0063983C

Now add this line somewhere in your plugin to enable the hook.

This is how it looks when compiled. Using HxD we will move the opcodes generated by the compiler on top of the beginning opcodes we copied.

Decrypt your plugin to .prx and open it up using HxD. Then locate the address inside HxD by adding 0xF0 to the address in IDA. For me it is 0x1F4 + 0xF0 = 0x2E4.

Go to that address by pressing CTRL + G or Search->Goto. Cut the bytes and paste them at the right address. Also change the blr (4E 80 00 20) to bctr (4E 80 04 20). When that is done save your file, you should end up with this.

Download VS2010 Project: Hook Method 3.zip

METHOD 4: Intercepting every call to a function using a stub and a sprx.

From Flat_z: Nice reading, I've used similar methods to dump SSL premaster secrets from PS3.
#15 - StanSmith - 7w ago
Can I install CCAPI with Cobra CFW? I read somewhere it would brick if I did that?

And I've never got an answer last time I asked.

#14 - PS3 News - 7w ago
Today PlayStation 3 homebrew developer Nercore has released a Thief CCAPI (ControlConsole API) RTM (Real Time Modding) Tool for PS3 with details below.

Download: Thief-CCAPI-Tool By Nercore.rar

Usage:

1. Download the attached files.
2. Requires CCAPI 2.00 to be installed on your PS3.
3. Unrar the files.
4. Launch Thief CCAPI.exe.
5. Press on the Connect Button and type in your PS3 IP and click ok.
6. Now press the associate Hotkey to Enable or Disable the Options.


#13 - fadestyle - 15w ago
Not available. Do we have a mirror?

nevermind, it works now.

#12 - Brenza - 15w ago
Very nice work, guys.

#11 - oVERSoLDiER - 15w ago
Following up on the previous update, PlayStation 3 developer MaDetho has now released CCAPI (ControlConsole API) Debugger 2.1 followed by v2.2 with the changes outlined below.

Download: CcApi_2.00_package.rar by Enstone / CCAPIDebugger2_1.rar / CCAPIDebugger2_2.rar

This application will let you debug the PS3 memory and search values/changes.

Features:

  • Connection via CCAPI (CEX) and TMAPI (DEX - Not tested).
  • Set/Get offset value (1 byte, 2 bytes, 4 bytes and text).
  • Debugging: Show current PS3 memory, starting at a specific address.
  • Auto update PS3 Memory in a specified interval time (Changes will be shown red in Hex).
  • Search for a value (Hex or Dec) in a specific range of memory. Results will be shown in a table. Refresh searched results to get current values of memory.
  • Search in Result for specific changes like ammo changing from 345 to 344.
  • Single click on result: Offset and current value will be shown in Offset Box to edit. Double click: Same as single click + PS3 memory at clicked offset will be shown.
  • Dump memory: Dumps PS3 Memory in specific range to a binary file.
  • Find Offset ranges for your game.

Shortcuts:

  • CTRL + D - Dump memory
  • F6 - Reload debug PS3 memory
  • F5 - Refresh search results

Changelog:

Version 2.2

  • Bugfix: "[...] is not a parameter-less method, property or field of type '????????'"
  • Bugfix: small searching performance fix

Version 2.1

  • Optimized the layout for people with lower resolutions.
  • Finding game ranges (Credits to Dnawrkshp).
  • Search in Result performance update (For 53,000 results: Old algorithm = 9:48 mins / New algorithm = 39 secs!).
  • Added time counter for Search/Refresh

Version 2.0

  • Added search features.
  • Added a dump feature.
  • Added shortcuts.

Version 1.1

  • When a byte is clicked in hex view, it will automatically set the offset + byte to the inputs and focus on them, so it’s very close to live editing.

Version 1.0

  • Thanks ccarlsen for the design.
  • Initial release.

Credits:

  • ccarlsen Design Concept and Thread
  • byDaan for testing
  • Enstone CCAPI
  • iMCSx PS3Lib
  • Dnawrkshp NetCheat idea
