- Just so you know why I made this

I wanted to give some definitions of what you might find in psplink, so that the next time you see a crash you know whether it is exploitable or not. I also thought of adding some instruction definitions to help the general understanding of the PSP's Allegrex processor.

Basics

- CPU Registers

$zr -> Zero register, always contains 0x00000000

$at -> Assembler temporary, can generally be ignored

$v0-v1 -> Function return values; these are easy to change, since they are set by whatever function was just called

$a0-a3 -> Function arguments; if you have control of these, you will need to look into the functions that are called next

$t0-t9 -> Temporaries, usually useless, but may be useful depending on how they are used

$s0-s7 -> Saved temporaries; keep an eye on these in complex sections of code, they can be useful

$k0-k1 -> Kernel registers, reserved for exception handling

$gp -> Global data pointer, the name says it all

$sp -> Stack pointer, VERY useful in more complex sections of code; the stack holds the saved $ra and $s# values

$fp -> Frame pointer, points somewhere in the stack; only used by some (usually large) functions

$ra -> Return address, the easiest register to exploit if you have control of it

- LOAD AND STORE

la: load address

lb: load byte

lbu: load byte unsigned

ld: load double

lh: load halfword

lhu: load halfword unsigned

lw: load word

lwl: load word left

lwr: load word right

ulh: unaligned load halfword

ulhu: unaligned load halfword unsigned

ulw: unaligned load word

lui: load upper immediate

sb: store byte

sd: store double

sh: store halfword

sw: store word

swl: store word left

swr: store word right

ush: unaligned store halfword

usw: unaligned store word

- COMPUTE

Nymphaea's note: "Unsigned" in MIPS is kind of a misnomer from what I've seen/heard

add: add (with overflow)

addu: add unsigned

and: AND

div: divide (signed)

divu: divide unsigned

xor: exclusive OR

mul(t): multiply

mulo: multiply (with overflow)

mulou: multiply (with overflow unsigned)

nor: NOR

or: OR

seq: set equal

sge: set on greater than or equal

sgeu: set on greater than or equal unsigned

sgt: set on greater than

sgtu: set on greater than unsigned

sle: set on less than or equal

sleu: set on less than or equal unsigned

slt: set on less than

sltu: set on less than unsigned

sne: set on not equal

sub: subtract

subu: subtract unsigned

rem: remainder

remu: remainder unsigned

rol: rotate left

ror: rotate right

sll: shift left logical

srl: shift right logical

sra: shift right arithmetic

abs: absolute value

neg: negate (with overflow)

negu: negate (without overflow)

not: NOT

multu: multiply unsigned

teq: trap if equal

tge: trap if greater than or equal

tgeu: trap if greater than or equal unsigned

tlt: trap if less than

tltu: trap if less than unsigned

tne: trap if not equal

- JUMP AND BRANCH

Nymphaea's first note: Jumps and branches (basically the same thing) usually happen within a single function, except jr $ra (end of function), jal (jumps to function/subroutine), and jalr (jumps to smaller functions, sometimes exploitable)

Nymphaea's second note: All jumps and branches have a "delay slot", a function that is placed right after it, but happens at the same time as the jump. Branches can also have a "likely" added to them (by adding an "l" to the end of the name), which makes the delay slot execute ONLY if the condition is true.

j: Jump

jr: Jump to Register value

jal: Jump And Link

jalr: Jump And Link Register

beq: Branch on EQual

bge: Branch on Greater than or Equal

bgeu: Branch on Greater than or Equal Unsigned

bgtu: branch on greater than unsigned

bleu: branch on less than or equal unsigned

bltu: branch on less than unsigned

bne: branch on not equal

beqz: branch on equal to zero

bnez: branch on not equal to zero

bgezal: branch on greater than or equal to zero and link

bgtz: branch on greater than zero

blez: branch on less than or equal to zero

bltz: branch on less than zero

bltzal: branch on less than zero and link

- SPECIAL

break: break

mfhi: move from high

mflo: move from low

mthi: move to high

mtlo: move to low

nop: no operation

rfe: restore from exception

syscall: system call
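The register and instruction lists above are easier to read against real instruction words, so here is an added example (not code from the page, from psplink or from the Allegrex toolchain): a decoder for the MIPS32 subset listed above that prints a constructed function prologue and epilogue, showing where the saved $ra and $s0 live in the stack frame and which instruction sits in each jump's delay slot. It assumes standard MIPS32 encodings (Allegrex-specific extensions such as the VFPU are not covered) and uses the register names from the list; the sample words and the base address 0x08804000 are constructed for the example.

```python
from __future__ import annotations

# Added example, not from the page: MIPS32-subset instruction decoder.
# Assumes standard MIPS32 encodings; register names follow the page.
REGS = ["$zr", "$at", "$v0", "$v1", "$a0", "$a1", "$a2", "$a3",
        "$t0", "$t1", "$t2", "$t3", "$t4", "$t5", "$t6", "$t7",
        "$s0", "$s1", "$s2", "$s3", "$s4", "$s5", "$s6", "$s7",
        "$t8", "$t9", "$k0", "$k1", "$gp", "$sp", "$fp", "$ra"]

# opcode == 0: the instruction is selected by the low 6 bits (funct)
SPECIAL = {0: "sll", 2: "srl", 3: "sra", 8: "jr", 9: "jalr", 12: "syscall",
           13: "break", 16: "mfhi", 17: "mthi", 18: "mflo", 19: "mtlo",
           24: "mult", 25: "multu", 26: "div", 27: "divu", 32: "add",
           33: "addu", 34: "sub", 35: "subu", 36: "and", 37: "or",
           38: "xor", 39: "nor", 42: "slt", 43: "sltu"}
# opcode == 1: the branch is selected by the rt field
REGIMM = {0: "bltz", 1: "bgez", 16: "bltzal", 17: "bgezal"}
# everything else: selected by the top 6 bits
OPCODE = {2: "j", 3: "jal", 4: "beq", 5: "bne", 6: "blez", 7: "bgtz",
          8: "addi", 9: "addiu", 10: "slti", 11: "sltiu", 12: "andi",
          13: "ori", 14: "xori", 15: "lui", 20: "beql", 21: "bnel",
          22: "blezl", 23: "bgtzl", 32: "lb", 33: "lh", 34: "lwl",
          35: "lw", 36: "lbu", 37: "lhu", 38: "lwr", 40: "sb", 41: "sh",
          42: "swl", 43: "sw", 46: "swr"}
LOAD_STORE = {"lb", "lh", "lwl", "lw", "lbu", "lhu", "lwr",
              "sb", "sh", "swl", "sw", "swr"}
CONTROL = {"j", "jal", "jr", "jalr", "beq", "bne", "blez", "bgtz", "beql",
           "bnel", "blezl", "bgtzl", "bltz", "bgez", "bltzal", "bgezal"}
LIKELY = {"beql", "bnel", "blezl", "bgtzl"}   # delay slot runs only if taken


def s16(value: int) -> int:
    """Sign-extend a 16-bit immediate."""
    return value - 0x10000 if value & 0x8000 else value


def decode(word: int, pc: int) -> tuple[str, str]:
    """Decode one 32-bit instruction word at address pc into (mnemonic, operands)."""
    op, funct = word >> 26, word & 0x3F
    rs, rt = (word >> 21) & 31, (word >> 16) & 31
    rd, sa = (word >> 11) & 31, (word >> 6) & 31
    imm = word & 0xFFFF
    if word == 0:
        return "nop", ""                       # sll $zr,$zr,0 is the canonical nop
    if op == 0:
        name = SPECIAL.get(funct)
        if name is None:
            return "unknown", f"0x{word:08x}"
        if name in ("sll", "srl", "sra"):
            return name, f"{REGS[rd]}, {REGS[rt]}, {sa}"
        if name == "jr":
            return name, REGS[rs]
        if name == "jalr":
            return name, f"{REGS[rd]}, {REGS[rs]}"
        if name in ("syscall", "break"):
            return name, ""
        if name in ("mfhi", "mflo"):
            return name, REGS[rd]
        if name in ("mthi", "mtlo"):
            return name, REGS[rs]
        if name in ("mult", "multu", "div", "divu"):
            return name, f"{REGS[rs]}, {REGS[rt]}"
        return name, f"{REGS[rd]}, {REGS[rs]}, {REGS[rt]}"
    # branch offsets are in instructions, relative to the delay slot (pc + 4)
    branch_target = (pc + 4 + (s16(imm) << 2)) & 0xFFFFFFFF
    if op == 1:
        name = REGIMM.get(rt)
        if name is None:
            return "unknown", f"0x{word:08x}"
        return name, f"{REGS[rs]}, 0x{branch_target:08x}"
    name = OPCODE.get(op)
    if name is None:
        return "unknown", f"0x{word:08x}"
    if name in ("j", "jal"):
        # 26-bit word index inside the 256 MiB region of the delay slot
        target = ((pc + 4) & 0xF0000000) | ((word & 0x03FFFFFF) << 2)
        return name, f"0x{target:08x}"
    if name in ("blez", "bgtz", "blezl", "bgtzl"):
        return name, f"{REGS[rs]}, 0x{branch_target:08x}"
    if name in ("beq", "bne", "beql", "bnel"):
        return name, f"{REGS[rs]}, {REGS[rt]}, 0x{branch_target:08x}"
    if name in LOAD_STORE:
        return name, f"{REGS[rt]}, {s16(imm)}({REGS[rs]})"
    if name in ("lui", "andi", "ori", "xori"):
        src = "" if name == "lui" else f"{REGS[rs]}, "
        return name, f"{REGS[rt]}, {src}0x{imm:04x}"
    return name, f"{REGS[rt]}, {REGS[rs]}, {s16(imm)}"   # addi/addiu/slti/sltiu


def disassemble(words: list[int], base: int) -> list[str]:
    """Disassemble consecutive words, marking the delay slot after every jump/branch."""
    lines, in_delay_slot = [], False
    for i, word in enumerate(words):
        pc = base + 4 * i
        name, ops = decode(word, pc)
        text = f"{pc:08x}: {word:08x}  {name} {ops}".rstrip()
        if name in LIKELY:
            text += "  ; likely: delay slot runs only if taken"
        if in_delay_slot:
            text += "  ; delay slot"
        in_delay_slot = name in CONTROL
        lines.append(text)
    return lines


# Constructed sample: prologue saving $ra/$s0 to the frame, a call, epilogue.
SAMPLE_BASE = 0x08804000
SAMPLE_WORDS = [0x27BDFFE0,   # addiu $sp, $sp, -32
                0xAFBF001C,   # sw $ra, 28($sp)   <- saved return address in the frame
                0xAFB00018,   # sw $s0, 24($sp)
                0x0E201040,   # jal 0x08804100
                0x00808021,   # addu $s0, $a0, $zr   (runs in the jal delay slot)
                0x8FBF001C,   # lw $ra, 28($sp)    <- $ra reloaded from the stack
                0x8FB00018,   # lw $s0, 24($sp)
                0x03E00008,   # jr $ra
                0x27BD0020]   # addiu $sp, $sp, 32   (runs in the jr delay slot)

if __name__ == "__main__":
    for line in disassemble(SAMPLE_WORDS, SAMPLE_BASE):
        print(line)
```

Reading the output top to bottom shows why the page singles out $sp and $ra: the frame is opened with addiu $sp,$sp,-32, $ra is parked at 28($sp) for the whole body, and it is reloaded from that slot just before jr $ra, so anything that overwrites that stack word decides where the function returns.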

- Original Post

CPU Registers:

```
$zr -> Constant zero
$at -> Assembler temporary
$v0-v1 -> Function return
$a0-a3 -> Incoming arguments
$t0-t9 -> Temporaries
$s0-s7 -> Saved temporaries
$k0-k1 -> Exception handling <- Defines the exception handling
$gp -> Global data pointer
$sp -> Stack pointer
$fp -> Saved temporary
$ra -> Return address <- GOAL
```

CoProcessor Registers:

```
BADVAddr -> Bad Virtual Address
Status -> Status Register
Cause -> Cause Register
EPC -> Exception Program Counter Register
```

Exception Types:

```
0 -> External Interrupt (useless)
1-3 -> Reserved (most likely FPU exception) (useless)
4 -> Address error (load or instruction fetch) (BINGO!!! Available in Davee's Tiff Exploit)
5 -> Address error (data store) (useless, unless you control some registers' values)
6 -> Bus error (instruction fetch) (BINGO!!! Available in ALL game exploits)
7 -> Bus error (data load or store) (useless, unless you control some register's values)
8 -> Syscall instruction (useless)
9 -> Breakpoint (useless, BUT a very rare case where $ra was totally overwritten appeared, still it's very very rare that this happens)
10 -> Reserved instruction (useless)
11 -> Coprocessor unusable (useless)
12 -> Arithmetic overflow (useless)
13-15 -> Not used
```

Instruction Syntax (for those who asked):

```
LOAD AND STORE
la: load address
lb: load byte
lbu: load byte unsigned
ld: load double
lh: load halfword
lhu: load halfword unsigned
lw: load word
lwl: load word left
lwr: load word right
ulh: unaligned load halfword
ulhu: unaligned load halfword unsigned
ulw: unaligned load word
li: load immediate
lui: load upper immediate
sb: store byte
sd: store double
sh: store halfword
sw: store word
swl: store word left
swr: store word right
ush: unaligned store halfword
usw: unaligned store word

COMPUTE
add: add (with overflow)
addu: add unsigned
and: AND
div: divide (signed)
divu: divide unsigned
xor: exclusive OR
mul(t): multiply
mulo: multiply (with overflow)
mulou: multiply (with overflow unsigned)
nor: NOR
or: OR
seq: set equal
sge: set on greater than or equal
sgeu: set on greater than or equal unsigned
sgt: set on greater than
sgtu: set on greater than unsigned
sle: set on less than or equal
sleu: set on less than or equal unsigned
slt: set on less than
slt: set on less than unsigned
sne: set on not equal
sub: subtract
subu: subtract unsigned
rem: remainder
remu: remainder unsigned
rol: rotate left
ror: rotate right
sll: shift left logical
srl: shift right logical
sra: shift left logical variable
abs: absolute value
neg: negate (with overflow)
negu: negate (without overflow)
not: NOT
move: move
multu: multiply unsigned
teq: trap if equal
tge: trap if greater than or equal
tgeu: trap if greater than or equal unsigned
tlt: trap if less than
tltu: trap if less than unsigned
tne: trap if not equal

JUMP AND BRANCH
j: jump
jal: jump and link
beq: branch on equal
bge: branch on greater than or equal
bgeu: branch on greater than or equal unsigned
bgt: branch on greater than
bgtu: branch on greater than unsigned
ble: branch on less than or equal
bleu: branch on less than or equal
blt: branch on less than
bltu: branch on less than unsigned
bne: branch on not equal
beqz: branch on equal to zero
bnez: branch on not equal to zero
bgezal: branch on greater than or equal to zero and link
bgtz: branch on greater than zero
blez: branch on less than or equal to zero
bltz: branch on less than zero
bltzal: branch on less than zero and link
b: branch
bal: branch and link

SPECIAL
break: break
mfhi: move from high
mflo: move from low
mthi: move to high
mtlo: move to low
nop: no operation
rfe: restore from exception
syscall: system call
```
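The exception table in the original post is only useful once you can read it off the Cause register that psplink prints, so here is an added example (not code from the page or from psplink): it decodes a Cause value into the exception number and name from that table and sorts the crash into a triage bucket, telling a fetch fault (the program counter itself is bad, so the interesting question is how $ra or the jump register got that value) from a data fault (a load or store used a bad pointer). It assumes the standard MIPS Cause layout, ExcCode in bits 6:2 and the BD flag in bit 31, which is taken here to be what psplink's Cause field holds; the sample register values are constructed.

```python
# Added example, not from the page: Cause-register decoding for crash triage.
# Assumes the standard MIPS coprocessor-0 Cause layout:
#   bits 6:2  ExcCode   (exception number, as in the table above)
#   bit 31    BD        (exception happened in a branch delay slot)
EXC_CODES = {
    0: "External interrupt",
    1: "Reserved (most likely FPU exception)",
    2: "Reserved (most likely FPU exception)",
    3: "Reserved (most likely FPU exception)",
    4: "Address error (load or instruction fetch)",
    5: "Address error (data store)",
    6: "Bus error (instruction fetch)",
    7: "Bus error (data load or store)",
    8: "Syscall instruction",
    9: "Breakpoint",
    10: "Reserved instruction",
    11: "Coprocessor unusable",
    12: "Arithmetic overflow",
}


def decode_cause(cause: int) -> tuple[int, str, bool]:
    """Return (ExcCode, description, in_branch_delay_slot) for a Cause value."""
    exc_code = (cause >> 2) & 0x1F
    in_delay_slot = bool((cause >> 31) & 1)
    return exc_code, EXC_CODES.get(exc_code, "Not used"), in_delay_slot


def triage(cause: int, epc: int, badvaddr: int) -> dict:
    """Classify a crash from the three values psplink shows for it.

    When BD is set, EPC points at the branch and the faulting instruction is
    the one in its delay slot, so the real faulting address is EPC + 4.
    """
    exc_code, name, bd = decode_cause(cause)
    faulting_pc = (epc + 4 if bd else epc) & 0xFFFFFFFF
    # Address errors (4) cover both fetches and loads; BadVAddr equal to the
    # faulting PC means the fetch itself failed.  Bus error 6 is fetch-only.
    fetch_fault = exc_code == 6 or (exc_code == 4 and badvaddr == faulting_pc)
    if fetch_fault:
        category = "control flow"   # PC is bad: trace how $ra / the jump register got its value
    elif exc_code in (4, 5, 7):
        category = "data access"    # a load/store at faulting_pc used a bad pointer
    else:
        category = "other"
    return {"exc_code": exc_code, "name": name, "in_delay_slot": bd,
            "faulting_pc": faulting_pc, "category": category}


if __name__ == "__main__":
    # Constructed sample values, not taken from a real dump.
    for cause, epc, badvaddr in [(0x10000018, 0x41414140, 0x00000000),
                                 (0x10000010, 0x41414141, 0x41414141),
                                 (0x10000010, 0x08804020, 0x0a000001),
                                 (0x8000001C, 0x08804030, 0x00000000)]:
        r = triage(cause, epc, badvaddr)
        print(f"Cause {cause:08x} EPC {epc:08x}: {r['exc_code']:2d} {r['name']}"
              f" -> {r['category']} at {r['faulting_pc']:08x}")
```

The BD handling matters in practice: a crash reported at a branch address is usually a fault in the delay slot instruction right after it, and looking at the branch itself would point at the wrong load or store.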
