A bit of help with assembler in H.BIN

m0skit0 · Post by **m0skit0** » Tue Jun 16, 2009 10:11 pm

Hi guys!

I'm trying to make my own h.bin for the MaTiaZ TIFF loader, but I can't get it to succeed writing some data to a file. I've done the code in assembler, so here's how I do it:

Code: Select all

	# a0 = SCEPAF_MODULE	
	# pc = 0x08800000
	
	# SCEPAF_MODULE &#40;$s3&#41; 
	addu $s3,$zero,$a0 
	
	# sceIoOpen&#40;&#41;
	lui $t0,0x15       
	ori $t0,$t0,0xee70
	addu $t0,$t0,$s3
	# file path
	lui $a0,0x880      
	ori $a0,$a0,0x200
	# flags write & create
	addiu $a1,$zero,0x602 
	jalr $ra,$t0
	# mode 0777
	addiu $a2,$zero,0x1ff 
	
	# file descriptor &#40;$s2&#41;	
	or $s2,$zero,$v0   

	# sceIoWrite&#40;&#41;
	lui $s1,0x880
	ori $s1,$s1,0x200
	lui $t0,0x15       
	ori $t0,$t0,0xee40
	addu $t0,$t0,$s3
	# file descriptor
	addu $a0,$zero,$s2 
	# size
	addiu $a2,$zero,0x10 
	jalr $ra,$t0
	# pointer to data
	addu $a1,$zero,$s1 
	
	# sceIoClose&#40;&#41;
	lui $t0, 0x15      
	ori $t0,$t0,0xee60
	jalr $ra,$t0
	# file descriptor
	addu $a0,$zero,$s2 
	nop
	
	# Loop forever
	lui $t0,0x880
	ori $t0,$t0,0x60
	jr $t0
	nop

With the string ms0:/regdump at address 0x08800200.

Doesn't work, well at least not the write procedure, or maybe the close, because it creates the file but it is just empty.

Anyone sees anything wrong in here? Thanks in advance!

Dariusc123456 · Post by **Dariusc123456** » Wed Jun 17, 2009 12:34 am

Lol, why dont you make an sdk so you dont have to use assembly? In the readme file of the hello world exploit, it given instructions on how to make the sdk.

You can then trick out function imports, like for example sceDisplayWaitVblankStart:

sceDisplayWaitVblankStart = (void*)(paf_addr+0x15F068);

EDIT:

The zero variable ONLY contain zeros, and nothing else, so that could be the problem. I havent look completely at your code.

m0skit0 · Post by **m0skit0** » Wed Jun 17, 2009 1:27 am

Dariusc123456 wrote:why dont you make an sdk so you dont have to use assembly?

Just want to write it in assembly. Each one does the job as he pleases, right? ;)

Dariusc123456 wrote:You can then trick out function imports

That's exactly what I'm doing. As I said, the sceIoOpen() function works, as the file is created, but nothing happens next (besides freeze and power off, of course)

Dariusc123456 wrote:The zero variable ONLY contain zeros

I guess you mean the $zero register. I know that, which is pretty obvious anyway, but I don't understand how this can be the problem. I think I use it in the right way. This is not my first assembly program, anyway ;)

Thanks anyway

Dariusc123456 · Post by **Dariusc123456** » Wed Jun 17, 2009 7:20 am

I dont use MIPS Assembly as much anymore, but when I use it, its only when reverse enginnering programs. But when I do want to, I write in C, then use the psp-gcc and convert it to assembly and work from there.

But when I have time, ill look over your code, and debug it to see if there any problems when outputing the data. Does it fill the file with the size of the data being outputed? It so after the sceIoOpen, you should use the beq, so it its dont equal to NULL, or ZERO, then jump to the next address to finish the output of the data.

Let me guess, you have a PSP 3000 or a PSP Slim with TA-88v3?

Post by **jbit** » Wed Jun 17, 2009 10:14 am

Are you assembling with .set noreorder? If you're not then you can't use the branch delay slot like you are..
For example with this code:

Code: Select all

lui $a0,0x880     
ori $a0,$a0,0x200
addiu $a1,$zero,0x602
jalr $ra,$t0
addiu $a2,$zero,0x1ff

With reordering (default) a2 will not get set before the jump. (For open this is fine, but your write looks like it'll lose its data pointer, which might be causing your bug?) This is what the assembler generates:

Code: Select all

   0&#58;   3c040880        lui     a0,0x880
   4&#58;   34840200        ori     a0,a0,0x200
   8&#58;   0100f809        jalr    t0
   c&#58;   24050602        li      a1,1538
  10&#58;   240601ff        li      a2,511

With ".set noreorder" the assembler generates this:

Code: Select all

   0&#58;   3c040880        lui     a0,0x880
   4&#58;   34840200        ori     a0,a0,0x200
   8&#58;   24050602        li      a1,1538
   c&#58;   0100f809        jalr    t0
  10&#58;   240601ff        li      a2,511

(edit: also Dariusc123456, I really wish you wouldn't comment on threads when you clearly have no idea)

Dariusc123456 · Post by **Dariusc123456** » Wed Jun 17, 2009 11:17 am

jbit, I am very busy with alot of things. I can focus on two things at one time. Sorry if it sound like im confuse, but I am serious

m0skit0 · Post by **m0skit0** » Wed Jun 17, 2009 6:52 pm

Does it fill the file with the size of the data being outputed? It so after the sceIoOpen, you should use the beq, so it its dont equal to NULL, or ZERO, then jump to the next address to finish the output of the data.

I still don't understand what you're trying to tell me, sorry... If you can explain a little more...

Also, thanks for the reply jbit, but here's how I get it assembled myself:

Code: Select all

	0000001c&#58;    3c080015	lui	$t0,0x15		
	00000020&#58;    3508ee70	ori	$t0,$t0,0xee70		
	00000024&#58;    01134021	addu	$t0,$t0,$s3		
	00000028&#58;    3c040880	lui	$a0,0x880		
	0000002c&#58;    34840200	ori	$a0,$a0,0x200		
	00000030&#58;    24050602	addiu	$a1,$zero,1538=0x0602	
	00000034&#58;    0100f809	jalr	$ra,$t0			
	00000038&#58;    240601ff	addiu	$a2,$zero,511=0x01ff

My assembler really uses addiu and don't replace it with li, and also it doesn't change the order. So $a1 & $a2 get loaded before the jump actually takes place, right?

I'm used to use (:P) add, or and and to load values in registers. You think this is correct? Should I use li instead? I really see no difference if the register gets loaded properly.

Post by **jbit** » Wed Jun 17, 2009 9:46 pm

m0skit0 wrote:My assembler really uses addiu and don't replace it with li, and also it doesn't change the order. So $a1 & $a2 get loaded before the jump actually takes place, right?

Ah, okay, GNU AS reordering things by default has screwed me up a few times, but if you're using a different assembler then I guess it's not a problem. (and yes, with that disasm a1 and a2 both get loaded before the jump is executed)

m0skit0 wrote:I'm used to use (:P) add, or and and to load values in registers. You think this is correct? Should I use li instead? I really see no difference if the register gets loaded properly.

Ah, sorry for the confusion, I used your assembly (and assembled with gnu as) and disassembled with objdump... objdump will show instructions as pseudo instructions if it can. li/la/etc are pseudo, so they're not real instructions but a macro in the assembler, the actual instructions would be the same as the input. I'm so used to just converting them in my head when I see them that I didn't notice, hehe :) http://en.wikipedia.org/wiki/MIPS_archi ... structions

Anyway other than that the asm itself looks fine to me, assuming your indexes into the jump table are correct. I'm not really a PSP guy so I'm not sure about other details.

m0skit0 · Post by **m0skit0** » Thu Jun 18, 2009 12:33 am

jbit wrote:Anyway other than that the asm itself looks fine to me, assuming your indexes into the jump table are correct. I'm not really a PSP guy so I'm not sure about other details

Well I'm pretty sure the jumps are correct because I used the same that MaTiaZ's TIFF loader and ChickHEN use, and reviewed them a few times. And I also don't see why this is not working, because I already tried this code (or something very similar) as a function inside the ChickHEN and it worked...

This is annoying...

Thank you very much for your time!