PPC - Basics Tutorial

Const
You have to know C/C++ to understand most of this. You also will need a good understanding of how memory works, this includes the stack and heap; a good understanding of pointers will help a ton too.

If you want to learn C/C++ here are some good tutorials, that I learned from.


http://www.xboxmb.com/forum/52-programming/95554-programming-tutorials.html

http://www.youtube.com/view_play_list?p=FE6E58F856038C69

http://www.cplusplus.com/doc/tutorial/

Basics
PowerPC is an assembly language, so each line or instruction is an operation that the processor performs, unlike high-level languages that are compiled into an assembly language. PPC will only run on a processor that uses PowerPC (old Macs, mainframes, Xbox 360, PS3). Unless you have a computer with Linux you will have to have a JTAG or an XDK. Even if you don't have either you can still read code in Xbox executables (xex's) with a disassembler. PowerPC, or Performance Optimization With Enhanced RISC – Performance Computing, was created by Apple, IBM and Motorola. It supports both endians but it's most common in big-endian 32-bit mode; most can switch endians with changes to the MSR. That is one of the downfalls that has caused PPC to be phased out by x86 & x64. It's also used for almost every gaming console out at this time (Xbox, PS3, Wii, Wii U). This tutorial will focus on the 32-bit version seeing this is for Xbox 360 development and reverse engineering.

Registers
There are 32 GPRs (General Purpose Registers), r0-r31; this is what you will be mainly using. r1 is used as a stack pointer, r2 as the table of contents pointer, r3 is used as the return value of a function and also the first argument, r4-r10 are used as arguments 2-8 and the rest are mostly used for anything else. They are similar to variables but are stored on the processor. This means you can access these values fast. Registers are also not addressable, meaning you can't have anything pointing to them. Each register is 64 bits (8 bytes, but on the Xbox we can only use the lower 32 bits), so you can store most data types in one register. They can also be used to hold any sort of data type: they can store ints, chars, pointers, uints, etc. To perform an operation on a value, we have to use a register to hold the value first. So if we wanted to add two immediate values, we would first have to put one or both into a register. There are also FPRs (Floating Point Registers) f0-f31; they are similar to the GPRs but contain floats. f1-f8 are used as params or the return of a function. The rest are used for anything.

Instructions
All PPC instructions are 32 bits (4 bytes) in size. I'm not really going to go in depth into how to determine instructions by their bits, because I honestly don't know how that works. I believe the first 4 bits determine the instruction, but after that I don't know; I believe IBM has info on their website about it. I'm just going to list some common instructions and label how to use them and what they do. CTRL+F is gonna come in handy when this is done.

Basic Math Instructions

Li - Load Immediate
li gpr1, SI16
Example:
li r3, 20
This example just sets r3 to 20, SI16 = (Signed int 16).

Lis - Load Immediate Shifted
lis gpr1, SI16
Example:
lis r3, 20
In this example r3 is set to 20 then shifted left by 41.

Add - Add
add gpr1, gpr2, gpr3
Example:
add r3, r4, r10
In this r4 is added with r10 and the sum is stored in r3.

Addi - Add Immediate
addi gpr1, gpr2, SI16
Example:
addi r3, r4, 20
In this r4 is added with SI16 and then the sum is stored in r3.

Addis - Add Immediate Shifted
addis gpr1, gpr2, SI16
Example:
addis gpr3, gpr3, 4
In this r3 is added with 4 then the sum is stored in r3, then r3 is shifted by 32 minus 4 bits left.

Subf - Subtract From
subf gpr1, gpr2, gpr3
Example:
subf r3, r4, r5
This is subtracting r4 from r5 then storing the difference in r3.

Mul - Multiply
mul gpr1, gpr2, gpr3
Example:
mul r3, r4, r6
This will multiply r4 with r6 and store the product in r3.

Mullw - Multiply Low Word
mullw gpr1, gpr2, gpr3
Example:
mullw r3, r5, r10
This will multiply r5 with r10 and place the product in the lower 32 bits of r3.

Mullh - Multiply High Word
mullh gpr1, gpr2, gpr3
Example:
mullh r5, r6, r31
This will multiply r6 with r31 and place the product in the higher 32 bits of r5.

Mulli - Multiply Low Immediate
mulli gpr1, gpr2, SI16
Example:
mulli r4, r5, 0x20
This will multiply r5 with 0x20 and place the product in the lower 32 bits.

Div - Divide
divw gpr1, gpr2, gpr3
Example:
divw r4, r23, r7
This will multiply r23 with r7 and put the quotient in r4.

Condition and Compare Instructions

First I need to give you a bit of info on how condition/logical instructions work. Like GPRs and FPRs there are also condition registers cr0-cr7; cr1 is for floating point registers. So until you understand how floats work in PPC I suggest using cr0 and cr1-cr7. Each cr is 4 bits in size and each bit is a different flag.
Flags
Bit 0 - LT (Less Than)
Bit 1 - GT (Greater Than)
Bit 2 - EQ (Equal)
Bit 3 - Summary Overview (Copy of XER I believe)

First we are going to look at cmp. I would just show code examples but this is more complex than most. cmp takes 3 'args': you can either specify what cr to use or, if we leave it blank, it will use cr0.

Cmp - Compare
cmp cr1, 0 (set this for 32-bit architecture), gpr1, gpr2
Example:
cmp cr2, 0, r4, r6
In this example cr2 will contain a bit flag depending on if r4 is greater than, less than or equal.

Cmpi - Compare Immediate
cmpi cr1, 0 (same as above), gpr1, SI16
Example:
cmpi cr2, 0, r5, 20
This will compare r5 to 20, and place the bit flag in cr2.

Cmpwi - Compare Word Immediate
cmpwi cr1, gpr1, SI16
Example:
cmpwi cr4, r6, 300
This compares r6 to 300, then places the bit flag in cr4.

Bit Wise Operations

I will be adding some of the more complex ones later like rlwinm.

Or - OR
or gpr1, gpr2, gpr3
Example:
or r3, r5, r6
This will OR r5 and r6 then place the result in r3.

Ori - OR Immediate
ori gpr1, gpr2, SI16
Example:
ori r5, r28, 4
This will OR r28 with 4 and then store the result in r5.

Oris - OR Immediate Shifted
oris gpr1, gpr2, SI16
Example:
oris r26, r14, 16
This will OR the upper 16 bits of r14 with 16 and place the result in r26.

Mr - Move (to) Register
mr gpr1, gpr2
Example:
mr r4, r30
This will place r30 in r4.

And - AND
and gpr1, gpr2, gpr3
Example:
and r5, r6, r25
This will AND r6 with r25 then place the results in r5.

Andi - And Immediate
andi gpr1, gpr2, SI16
Example:
andi r7, r9, 8
This will AND r9 with 8 and place the results in r7.

Andis - And Immediate Shifted
andis gpr1, gpr2, SI16
Example:
andis r5, r18, 1
This will AND the upper 16 bits of r18 with 1 and place the results in r5.

Slw - Shift left word
slw gpr1, gpr2, gpr3
Example:
slw r6, r5, r7
This will shift r5 left by 32 minus the lower six bits of r7 and place the result in r6.

Srw - Shift right word
srw gpr1, gpr2, gpr3
Example:
srw r4, r18, r23
This will shift r18 right by 32 minus the lower six bits of r23 then place the result in r4.

Branching

Branching will execute code from a different function, or area of code.

B - Branch
b address
Example:
b Func1
This will execute the code at Func1.

Beq - Branch if equal
beq cr1, address
Example:
beq cr4, Some_Function
This will execute the code at Some_Function if cr4 contains the bit for equal.

Bne - Branch if not equal
bne cr1, address
Example:
bne cr0, For_Loop1
This will execute the code at For_Loop1 if cr0 contains any bit besides the one for equal.

Blt - Branch if less than
blt cr1, address
Example:
blt cr7, Test4
This will execute the code at Test4 if cr7 contains the bit for less than.

Bgt - Branch if greater than
bgt cr1, address
Example:
bgt cr6, Func2
This will execute the code at Func2 if cr6 contains the bit for greater than.

Ble - Branch if less than or equal
ble cr1, address
Example:
ble cr5, Derping9
This will execute the code at Derping9 if cr5 contains the bit for less than or the bit for equal.

Bge - Branch if greater than or equal
bge cr1, address
Example:
bge cr3, UnlockAll_Cod4
This will execute the code at UnlockAll_Cod4 if cr3 contains the bits for greater than or equal.

What to Expect
I will be adding more functions that I feel you need, but this should be a good start to get you making some cool mods for different games. I also think I will add info about IDA and how to use it to its full potential. I will also be covering more of the syntax of PPC later; if you have any questions feel free to PM me.

Where to learn
http://www.ibm.com/developerworks/library/l-ppc/
http://publib.boulder.ibm.com/infoc...ic=/com.ibm.aix.aixassem/doc/alangref/abs.htm
https://www.power.org/wp-content/uploads/2012/07/PowerISA_V2.06B_V2_PUBLIC.pdf
http://www.xboxmb.com/forum/52-programming/99929-powerpc-beginners-tutorial.html
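The compare and branch semantics from the tutorial above, as an added C example that is not part of the original post: cmpwi builds the 4-bit CR field from a signed compare (the SI16 immediate is sign-extended), the branch predicates test the LT/GT/EQ bits as the Branching section lists them, and count_loop runs the addi/cmpwi/bne loop pattern you see in disassembly. The register and limit values are constructed for the demo.

```c
#include <stdint.h>
#include <stdbool.h>

/* One 4-bit condition register field, numbered as in the tutorial's flag
   table: bit 0 (LT) is the most significant bit of the field, bit 3 is SO. */
enum { CR_LT = 0x8, CR_GT = 0x4, CR_EQ = 0x2, CR_SO = 0x1 };

/* cmpwi crN, rA, SI16: signed 32-bit compare. The immediate is a signed
   16-bit value, so 0xFFFF means -1, not 65535. Returns the CR field. */
uint32_t cmpwi(uint32_t ra, int16_t si16) {
    int32_t a = (int32_t)ra;   /* reinterpret the register as signed */
    int32_t b = si16;          /* sign-extend the immediate */
    if (a < b) return CR_LT;
    if (a > b) return CR_GT;
    return CR_EQ;
}

/* The conditional branches from the Branching section, as predicates on
   a CR field: each returns true when the branch would be taken. */
bool beq(uint32_t cr) { return (cr & CR_EQ) != 0; }
bool bne(uint32_t cr) { return (cr & CR_EQ) == 0; }
bool blt(uint32_t cr) { return (cr & CR_LT) != 0; }
bool bgt(uint32_t cr) { return (cr & CR_GT) != 0; }
bool ble(uint32_t cr) { return (cr & (CR_LT | CR_EQ)) != 0; }
bool bge(uint32_t cr) { return (cr & (CR_GT | CR_EQ)) != 0; }

/* A counted loop the way it appears in a disassembly (constructed):
 *       li    r3, 0
 * loop: addi  r3, r3, 1
 *       cmpwi cr0, r3, limit
 *       bne   cr0, loop
 * Returns the final value of r3, i.e. the number of iterations.
 * Note the loop only terminates when r3 reaches limit exactly. */
uint32_t count_loop(int16_t limit) {
    uint32_t r3 = 0;                  /* li r3, 0 */
    do {
        r3 += 1;                      /* addi r3, r3, 1 */
    } while (bne(cmpwi(r3, limit)));  /* cmpwi cr0, r3, limit ; bne cr0, loop */
    return r3;
}
```

The first assertion in a quick check is the one worth remembering when reading game code: a register holding 0xFFFFFFFF compares as -1, so it is "less than" 300 under cmpwi.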
Da Botch
Finally! I've heard so many people say "Learn PPC" and I've never been able to find anything referencing it.
Thanks for this man!
Z61
Looked like a copypasta from Experiment's tutorial at first, then I went back and checked. Nice job.
Const
Looked like a copypasta from Experiment's tutorial at first, then I went back and checked. Nice job.
I used his as a reference; he seemed to cover more of the syntax of PPC and how to do simple stuff. I think it's harder to learn what every instruction does, seeing IBM's site can be a bit hard to understand sometimes.
Dwack
Lis - Load Immediate Shifted
lis gpr1, SI16
Example:
lis r3, 20
In this example r3 is set to 20 then shifted left by 41.


Addis - Add Immediate Shifted
addis gpr1, gpr2, SI16
Example:
addis gpr3, gpr3, 4
In this r3 is added with 4 then the sum is stored in r3, then r3 is shifted 4 bits left.

So given your example:

Code:
lis r3, 0x20
// start r3 == 0
// set r3 to 0x20(same as li r3, 0x20)
// r3 == 0x0000.0000.0000.0020
//then r3 is shifted left 4 bits
// r3 == 0x0000.0000.0000.0200
// That doesn't seem right o.O

Let's try this the right way:
Code:
lis r3, 0x20
// start r3 == 0
// set r3 to 0x20(same as li r3, 0x20)
// r3 == 0x0000.0000.0000.0020
//then r3 is shifted left 16 bits
// r3 == 0x0000.0000.0020.0000

Hmmm...that one looks much better!

The same thing applies to addis:

Code:
li r3, 0x1234
addis r4, r3, 2
// r4 == 0x0000.0000.0002.1234
// 2  << 16 then add to r3
Dwack
rlwinm
Code:
rlwinm    r5, r3, 16,20,23
 
// r5 = register to store result in
// r3 = register to use to compute result
// 16 = the # of bits to rotate left
// 20 = the start bit for the mask
// 23 = the end bit for the mask


Let's assume r3 == 0x12345678.

So now we rotate.
Remember this is a rotate instruction, not a shift. So when we do the shift we have to catch the bits that fall off:
Code:
r3 = (r3 << 16) | (r3 >> (32-16))
r3 << 16 gives us 0x56780000
r3 >> (32-16) gives us 0x00001234
OR them and you get the result of 0x56781234

So now let's generate our mask:
This is a 32-bit mask, all bits 0 except mask start through mask end. So our mask would look like this:
Code:
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 0 0 0 0 0 0 0 0
which gives us 0x0F00

So we've rotated and generated our mask. Now apply it:
Code:
0x56781234 & 0x0F00 == 0x200
 
r5 = 0x200
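Dwack's lis/addis correction and the rlwinm walkthrough above, as an added C example that is not part of the original posts: it models the 32-bit view of a GPR the tutorial uses, builds the MB..ME mask with IBM bit numbering (bit 0 is the most significant), and reproduces the 0x12345678 -> 0x200 result. It goes one step beyond the post by also handling the wrap-around mask that rlwinm produces when MB > ME (bits MB..31 plus 0..ME); the sample register values are constructed.

```c
#include <stdint.h>

/* li rD, SI16: the immediate is sign-extended into the register. */
uint32_t li(int16_t si16) { return (uint32_t)(int32_t)si16; }

/* lis rD, SI16: the immediate lands in the upper halfword (shift by 16),
   so lis r3, 0x20 gives 0x00200000, as Dwack's corrected walkthrough shows. */
uint32_t lis(int16_t si16) { return (uint32_t)(int32_t)si16 << 16; }

/* addis rD, rA, SI16: rA + (SI16 << 16). */
uint32_t addis(uint32_t ra, int16_t si16) {
    return ra + ((uint32_t)(int32_t)si16 << 16);
}

/* MASK(MB, ME) with IBM bit numbering (bit 0 = 0x80000000, bit 31 = 1).
   MB <= ME: ones from MB through ME.
   MB >  ME: the mask wraps, ones from MB through 31 and 0 through ME. */
uint32_t ppc_mask(unsigned mb, unsigned me) {
    uint32_t from_mb = 0xFFFFFFFFu >> mb;         /* bits mb..31 set */
    uint32_t to_me   = 0xFFFFFFFFu << (31 - me);  /* bits 0..me set  */
    return (mb <= me) ? (from_mb & to_me) : (from_mb | to_me);
}

/* Rotate left by n, catching the bits that fall off the top (not a shift). */
uint32_t rotl32(uint32_t x, unsigned n) {
    n &= 31;
    return n ? (x << n) | (x >> (32 - n)) : x;
}

/* rlwinm rD, rA, SH, MB, ME: rotate rA left by SH, then AND with MASK(MB, ME). */
uint32_t rlwinm(uint32_t ra, unsigned sh, unsigned mb, unsigned me) {
    return rotl32(ra, sh) & ppc_mask(mb, me);
}
```

Two idioms worth recognising in a disassembly fall out of the same function: rlwinm rD, rA, 0, 24, 31 is rA & 0xFF, and rlwinm rD, rA, 2, 0, 29 is rA << 2.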